Hey, Happy Monday everyone! I'm sure you've heard about the Yahoo security breach (full article listed below). If you have a Yahoo account, I highly recommend that you change your password just to be safe.
It was about a month or so ago that I made this same suggestion for your LinkedIn account when they were hacked. As a best practice, you should change your online passwords often and you shouldn't use the same password for every site. Create a password that is STRONG. Some sites offer guidance to let you know how STRONG your password is, but if you use a site that doesn't offer that you can use Microsoft's quick password checker.
Here are a few password suggestions from Microsoft.
Create STRONG passwords
A strong password is an important protection to help you have safer online transactions. Here are steps you can take to create a strong password. Some or all might help protect your online transactions:
Length. Make your passwords long with eight or more characters.
Complexity. Include letters, punctuation, symbols, and numbers. Use the entire keyboard, not just the letters and characters you use or see most often. The greater the variety of characters in your password, the better. However, password hacking software automatically checks for common letter-to-symbol conversions, such as changing "and" to "&" or "to" to "2."
Variation. To keep strong passwords effective, change them often. Set an automatic reminder for yourself to change your passwords on your email, banking, and credit card websites about every three months.
Variety. Don't use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking websites.
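As an added example (not Microsoft's checker or code from the original post): a small checker that applies the length and complexity rules above and, as the advice warns, undoes the usual letter-to-symbol swaps before comparing against a common-password list. The substitution table and the sample common-password list are constructed here and are far smaller than what cracking tools use.

```python
import string

# Constructed sample of a common-password list; real checkers use lists with millions of entries.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "iloveyou", "qwerty",
                    "monkey", "dragon", "football"}

# Symbol-for-letter swaps that cracking tools undo automatically. "and" -> "&" and
# "to" -> "2" come from the advice above; the remaining pairs are assumed typical ones.
SUBSTITUTIONS = [("&", "and"), ("2", "to"), ("@", "a"), ("$", "s"), ("0", "o"),
                 ("1", "i"), ("!", "i"), ("3", "e"), ("4", "a"), ("7", "t")]


def normalize(password):
    """Undo the substitutions so 'p@$$w0rd' is compared against the list as 'password'."""
    p = password.lower()
    for symbol, letters in SUBSTITUTIONS:
        p = p.replace(symbol, letters)
    return p


def character_classes(password):
    """Count how many of lowercase, uppercase, digits and punctuation the password uses."""
    groups = (string.ascii_lowercase, string.ascii_uppercase,
              string.digits, string.punctuation)
    return sum(any(c in group for c in password) for group in groups)


def check_password(password):
    """Return (is_strong, problems) applying the length, complexity and variety rules above."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(password) < 3:
        problems.append("uses fewer than 3 character classes")
    # Compare both the password and its form without a trailing '123!' style suffix,
    # each with substitutions undone, against the common list.
    core = password.rstrip(string.digits + string.punctuation)
    if normalize(password) in COMMON_PASSWORDS or normalize(core) in COMMON_PASSWORDS:
        problems.append("is a common password or a symbol-substituted form of one")
    return (not problems, problems)
```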
Yahoo Security Breach Shocks Experts
Company failed to take even basic precautions to stop 450,000 usernames and passwords from being exposed.
A Yahoo security breach that exposed 450,000 usernames and passwords from a site on the huge web portal indicates that the company failed to take even basic precautions to protect the data.
Security experts were befuddled Thursday as to why a company as large as Yahoo would fail to cryptographically store the passwords in its database. Instead, they were left in plain text, which means a hacker could easily read them.
"It is definitely poor security," Marcus Carey, a security researcher at Rapid7, said. "It's not even security 101. It's basic application development 101."
Yahoo declined a request for an interview, and only emailed a statement confirming the breach that occurred Wednesday. The company said that an "older file" containing roughly 450,000 user names and passwords was stolen from its Contributor Network, a subset of Yahoo's massive network of Web sites.
Membership in the Contributor Network consists of freelance journalists who write content for Yahoo Voices. The network was established following Yahoo's 2010 acquisition of Associated Content.
Less than 5 percent of the stolen data had valid passwords, Yahoo said. "We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised," the statement said.
The breach had ramifications far beyond Yahoo, because the portal allowed people registering with the Contributor Network to use credentials from other sites to log in. Carey identified some of the other sites as Google's Gmail, Microsoft's Hotmail, AOL, Comcast and Verizon.
A hacker group called D33Ds Company took credit for the breach, and posted a statement on its website saying the attack was a warning. "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," the group said, according to media reports. "There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly."
The hackers claimed to use a common attack method called a SQL injection to access the database that fed the server hosting the site. A SQL injection typically involves sending commands through a search field or a URL to break into a poorly secured site.
Tony Perez, chief operating officer for Sucuri, who used to work with defense contractors in developing secure applications, said Yahoo's overall security lapses were a disservice to its users. "It makes you wonder. If a property like Yahoo at that scale is doing that, and they did it for their Yahoo Voices, what's the probability of that also occurring in their other properties?"
The Yahoo breach occurred a month after professional social networking site LinkedIn acknowledged that 6.5 million usernames and passwords were stolen and posted on a Russian hacker forum. In that case, the passwords had been stored using a cryptographic method called hashing.
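The article contrasts Yahoo's plaintext storage with LinkedIn's hashing and names a SQL injection as the way in. As an added example (not Yahoo's or LinkedIn's code), here is what the hardened pattern looks like: per-user salted, iterated PBKDF2 hashes and parameterized queries, plus a function showing what a stolen copy of the table would actually reveal. The in-memory table, the usernames and the work factor are constructed for this example; the function names are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

# In-memory user table standing in for a site's credential store (constructed for this example).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
             "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")

ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password, salt):
    """Salted, iterated PBKDF2-SHA256: a dump of this column does not give back the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password):
    salt = os.urandom(16)  # per-user salt: identical passwords get different hashes
    # Parameterized query: user-supplied values travel as bound parameters, never as SQL text.
    # The injectable pattern is building the statement from strings, e.g.
    #   f"INSERT INTO users VALUES ('{username}', ...)"   <- never do this
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))
    conn.commit()


def verify(username, password):
    """Return True only if the user exists and the password recomputes to the stored hash."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Do the same work for a missing user so timing does not reveal which names exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def leaked_row(username):
    """What someone who stole the table (as in the breach) would see for this user."""
    row = conn.execute("SELECT username, salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return None if row is None else (row[0], row[1].hex(), row[2].hex())
```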
Social engineers have been using various dirty tricks to fool people for centuries. Social engineering, the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques, is as old as crime itself and has been used in many ways for decades.
For the past several years online, social engineers have been trying to fool unsuspecting users into clicking on malicious links and giving up sensitive information by pretending to be old friends or trusted authorities on email and social networks.
And now that mobile devices have taken over our lives, social engineering is an attack method of choice to gain access to a person's smartphone or tablet.
Here are three examples of current cons being used by criminals to get inside your mobile device.
Malicious apps that look like legitimate apps
One example is the case of a popular and legitimate application Android users were purchasing that caused a virtual "steam" to appear on the screen of a smartphone. You could move your finger to scrape the virtual steam off; people love this sort of thing, although it served no real purpose.
But a malicious application that looked exactly like the virtual-steam application was created, and many were conned into purchasing that one instead of the authentic application. From a user's perspective it is very hard to distinguish between an app that is legitimate and an app that turns out to be malicious.
What users ended up with was an application with unwanted things behind it. In some cases, the malicious application activated an SMS message from the victim's phone that was sent to request premium services and the user was charged. The attacker, meanwhile, would delete any return SMS messages acknowledging the charges so the victims had no idea they were being billed.
The best advice: don't install applications that come from untrusted sources.
Malicious mobile apps that come from ads
In some cases, legitimate applications on a smartphone run bad advertisements. If the user clicks on the ad, they are taken to a web site that tricks the victim into thinking their battery is inefficient. The person is then asked to install an application to optimize the battery consumption, which is instead a malicious application.
Our advice is the same as with PCs: be leery of any advertisement that is asking you to install an application.
Apps that claim to be for "security"
Another new mobile attack vector is a ZeuS malware variant that actually originates with an infected PC. When a user visits a banking site from an infected computer, they are prompted to download an authentication or security component onto their mobile device in order to complete the login process.
The attackers realize that users are using two-factor authentication. In many cases that second factor is implemented as a one-time password sent to the user's phone by the banking provider. Attackers were thinking: 'How can we get access to those credentials?' Their answer is: 'Attack the user's phone.'
The way this ruse works is once the PC is infected, the person logs onto their bank account and is told to download an application onto their phone in order to receive security messages, such as login credentials. But it is actually a malicious application from the same entity that is controlling the user's PC. Now they have access to not only the user's regular banking logon credentials, but also the second authentication factor sent to the victim via SMS. In many cases, people thought they simply were installing security applications, or in some cases, a security certificate.
Mobile devices, pure and simple, are hand-held computers and should be treated as such. The best way to protect yourself is to be cautious of not only the applications you install, but the links you click on in the web browser. If asked to download a file, application or security certificate, be leery and only download from trusted sources.
If you have some less tech-savvy friends who are a bit confused about what cloud computing, HTML5, DNS, or the other ins and outs of the internet are, a new web site created by Google explains it clearly for non-techies.
The creative team that gave us Google Chrome has released an online book titled "20 Things I Learned About Browsers and the Web". The book is not an eBook; think of it as more of an interactive online guidebook built in HTML5. It's a clever overview of things many people may not know. Well illustrated and written with humor, the book covers a cross section of items and is designed to explain some of the finer points of the internet to those of us who don't understand it.
This online guide was written for everyday users who are curious about the basics of how browsers and the web work, and how their evolution has changed the way we work and play online. It has quite a few long-standing basics, like DNS, IP addresses, and cookies, while also explaining some of the more recent trends, like webapps, HTML5, cloud computing, and more.
The site is well designed and one can read it like a real book. You can flip through pages cover-to-cover, or jump to specific sections from any point in the book. It's a good resource when something like Wikipedia might get too technical, so it's a nice companion to Google's latest video how-tos for parents.
I expect we will only see more and more of this sort of stuff as the years (and technology) move forward. The full experience (ideally in Google Chrome) can be viewed here.
Mozilla is confident enough about the state of its Firefox 4 Release Candidate (RC) to announce a launch date for the final version of Firefox 4. The company targets March 22 as the release date at this time, according to a developer post by Mozilla's Damon Sicore.
So far it seems as if the RC is holding its own quite well. I've been using it as my default browser since the early beta stages and have found no significant bugs. Only one major (Java) bug has been found by some users, and Mozilla did not qualify it as a blocking bug. If all goes according to plan, Mozilla will publish Firefox 4 in its final version next week. If Mozilla discovers any additional bugs, there will be a second RC and the final release date will be delayed.
At this time, Mozilla is about five months behind schedule. Before the end of June, Firefox 5 is scheduled to be rolled out. That date has been pushed back indefinitely. Microsoft released IE9 late Monday, which increases the pressure on Mozilla to release its next-generation browser.
Stay tuned, later this week I’ll explain the new features and what you will need to know!
Get ready Firefox fans, because Firefox 4 is on the way. PCWorld writes that the next version of the second most popular browser worldwide is "nearly ready for release" and should be available starting next month.
Mozilla's senior director, Damon Sicore, wrote on a developer mailing list that "We have to reach Release Candidate status as quickly as possible" but until the launch "we need *everyone* to help in testing."
Mozilla had planned to ship the latest version of its popular browser by November, 2010, but too many bugs remained to release a final candidate. According to Sicore, Flash, Silverlight and "other major plug-ins" were continuing to cause problems, with users "affected by hardware acceleration causing crashes or other issues." According to PCWorld, Sicore said that "about 160 'hard blockers'--or significant bugs--remain in the project."
Hardware acceleration is one of the key features boasted by Microsoft to boost Internet Explorer 9 ahead of other browsers. Currently, Firefox is second in popularity worldwide only to Internet Explorer, with Chrome and Safari following behind.
For a full look at what to expect in the latest version of Firefox, take a look at this in-depth review from Make Tech Easier, earlier this year. The long and short of it is that the next version will be faster, sleeker, with "do not track" capabilities to enhance user privacy.
If you want to help Firefox along, you can take part in beta testing the product by downloading the latest version and reporting any bugs you come across.
I have been a Firefox fan for quite some time and have been on the beta for months now, yet I still have Chrome as my default browser due to some of the early bugs that hopefully Mozilla has addressed. What do you think? Will you try out Firefox 4? Is that your browser of choice or will Chrome keep your attention? Or has IE9 brought you back to the Microsoft side?
Linus Upson, Google's vice president for engineering in charge of Chrome, recently made some bold comments about his company's upcoming operating system. Google has apparently done some research and found that 60 percent of Windows PCs used in the corporate world are exclusively used for tasks that can be handled in a browser environment. Google wants to hit Microsoft where it hurts.
"Mr. Upson says that 60 percent of businesses could immediately replace their Windows machines with computers running Chrome OS," according to The New York Times. "He also says he hopes it will put corporate systems administrators out of work because software updates will be made automatically over the Web. But the vast majority of businesses still use desktop Microsoft Office products and cannot imagine moving entirely to Web-based software or storing sensitive documents online — at least not yet."
Corporate IT departments aren't going to immediately jump on Chrome OS, and it's not simply because they tend to do things slowly. Upson hopes the OS will put corporate system administrators out of work because software updates will be made automatically over the Web. The system administrators who decide whether to move to Chrome OS or stay on Windows are obviously going to stick with the latter if their jobs are at stake. They will come up with every reason and excuse not to ditch Windows. At the same time, CFOs and CEOs will be eager to move to Chrome OS if it means streamlining IT operations.
Google is planning on releasing Chrome OS on netbooks in the first half of 2011. As part of the "consumer launch," Acer and HP will push out various hardware offerings but none of them will be for businesses. A Google-branded Chrome OS netbook (think Nexus One) will reportedly launch for "friends and family" in December. The search giant says that the main way to differentiate between its two OS offerings is form factor: Android is for touch, Chrome OS is for keyboards.
So what do you think? Would you dump your Windows computer in favor of one running Chrome OS?
With Internet Explorer, Firefox, Chrome, Safari, and Opera all duking it out for browser market share, some might think the world doesn’t need another Web browser. However, a group of developers led by Tim Howes and Eric Vishria have taken the wraps off of RockMelt, a new Web browser that builds on the notion of a social Web by building Facebook and Twitter directly into the browser. RockMelt will also include integrated sharing tools and an enhanced way to navigate through Google search results via the keyboard to find exactly what you want. Additionally, if you happen to be using a public computer or someone else’s system, no problem: RockMelt is the first browser to be “fully backed by the cloud.” Just run RockMelt, and your personalized browsing experience is waiting for you.
“RockMelt does more than just navigate Web pages,” RockMelt wrote on their just-launched company blog. “It makes it easy for you to do the things you do every single day on the Web: share and keep up with your friends, stay up-to-date on news and information, and search.”
RockMelt also keeps track of users' favorite sites, informing users of new posts or updates automatically so they don't have to constantly check for new posts. Taking it one step further, RockMelt proactively fetches that content so users don't have to wait for it to download once they notice it's available. RockMelt also integrates a sharing tool to make it easy to share a page or a link with friends: clicking a Share button next to the browser's URL field automatically shares the link with Facebook or Twitter, with no fuss. RockMelt also claims to be the first browser "backed by the cloud," meaning that users can run RockMelt from anywhere; once they log in, they can tap directly into their personalized Web experience. RockMelt also aims to make searching easier by enabling users to flip through Google search results from the keyboard like flipping through a magazine.
RockMelt is available for Mac and Windows (Linux support not available) by invitation only—and, for the moment, interested users can only get an invitation via Facebook. The initial RockMelt release is a beta and has many rough spots, but the developers seem eager for feedback and thoughts on how to enhance the browser. Folks who spend a good portion of their online time using Facebook and Twitter then sharing interesting items with their friends may find a lot to like in RockMelt.
If RockMelt’s features resonate with social Internet users, expect mainstream browsers to quickly take notice…or maybe RockMelt could become a mainstream browser itself.
If you're like me, you spend more of your time on the computer in your web browser than in just about any other program on your machine. What matters to me are the pictures, words, music and people I connect with, and not so much the software I use to get there. Sure, my browser of choice is Firefox, but that may soon change.
Last week Microsoft released the beta version of Internet Explorer 9, which promises "a more beautiful web." It is, without question, the most ambitious browser release Microsoft has ever undertaken, and despite the beta label it is an impressive product. According to Microsoft, IE9 Beta had been downloaded over two million times by the end of the second day. Internet Explorer 8 Beta, which was launched in August of 2008, pales in comparison, as it could only garner 1.3 million downloads in the first five days. For years, Internet Explorer has been the top browser as far as use goes, but lately its market share has been steadily sliding as computer users flocked to rivals such as Mozilla's Firefox, Google's Chrome and Apple's Safari. So Microsoft has a lot riding on IE9.
Microsoft has pulled it off: IE9 represents a big step forward. The underpinnings of IE9 are no secret. Microsoft has been talking since last fall about its determined effort to adhere to Web standards and embrace HTML5. It has also detailed its efforts to improve IE9's performance compared to previous versions. IE9 comes with a streamlined interface, simpler navigation, faster speeds, superior graphics and websites that behave more like apps that are loaded on your PC. Microsoft is teaming with partners to produce sites that take advantage of the graphics chips and other components inside your computer. Among them: Facebook, Twitter, Amazon, eBay, CNN, and USA TODAY.
One drawback to IE9 is the operating systems it will work on, at least in this beta version. If you're running XP as your OS, you're kind of…well, stuck on IE8. Internet Explorer 9 will only run on Windows 7. Even if you have Vista, you won't be able to use all of IE9's new features.
For a closer look at IE9 or to download the beta version for yourself, visit Microsoft’s new site www.beatutyoftheweb.com. For an in depth review from Ed Bott at ZDNet visit his Microsoft Report.