Today, May 5th 2016, is World Password Day, a global celebration to promote better password habits and a day when we can take a look at our password security and make changes to improve it.
Password Security – How secure are your passwords?
Do you use a simple password and use that same password for multiple accounts? You will be surprised how many people do. The image at the top of this post shows you the password security of the password “snowman12” which would take 42 minutes to crack. You can try it yourself at https://howsecureismypassword.net/
Which is why step number one of improving password habits is:
Create strong passwords
The key to a strong password is length. Your passwords should be 8 characters long at the very least, and difficult for someone to guess. Avoid using personal information, especially if someone can find the answer on social media, or by searching your name online.
In addition to length, secure passwords also use a mix of uppercase, lowercase, numbers and symbols.
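To show what the two pieces of advice above (length first, then a mix of character classes) actually do to an attacker's workload, here is a small estimator. It is an added example, not code from this post or from the howsecureismypassword.net tool; the guess rate of ten billion attempts per second is an assumption made for the example, so the absolute times will not match the tool's figures, but the ratio between a simple and a mixed password is the point. The curly quote in the post's second password is taken here as a straight double quote, which is also an assumption.

```python
import string

# Assumed attacker speed for an offline guessing attack (guesses per second).
# This constant is an assumption for the example; the figures quoted in the
# post come from howsecureismypassword.net, which uses its own model.
GUESSES_PER_SECOND = 10_000_000_000

# Character classes the post says a strong password should mix.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

MIN_LENGTH = 8  # the post's minimum length


def classes_used(password):
    """Return the names of the character classes present in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def charset_size(password):
    """Size of the alphabet an attacker must assume, given the classes used."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def search_space(password):
    """Number of candidates an exhaustive search of that alphabet and length covers."""
    return charset_size(password) ** len(password)


def seconds_to_crack(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the search space at the assumed guess rate."""
    return search_space(password) / rate


def weaknesses(password):
    """List the ways a password falls short of the post's advice."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name in CLASSES:
        if name not in classes_used(password):
            problems.append(f"no {name}")
    return problems


def human_time(seconds):
    """Round a duration to the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # The post's curly quote inside the second password is taken as a straight
    # double quote here (an assumption).
    for pw in ["snowman12", 'Sno%wm"An12']:
        print(f"{pw!r}: alphabet {charset_size(pw)}, {human_time(seconds_to_crack(pw))}, "
              f"weaknesses: {weaknesses(pw) or 'none'}")
```

Note that the estimator assumes a blind exhaustive search; a real attacker starts with dictionary words and leaked passwords, so a word like "snowman" with digits appended falls far faster than the alphabet arithmetic suggests, which is why the post's advice to avoid guessable personal information matters as much as the character mix.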
Okay, so I will update my password to “Sno%wm”An12” and check the password security now… Brilliant, it now says it will take 4 hundred years to crack the password. It is a lot more difficult to remember, but I will just write it down and use it for all my accounts.
It is better than using a simple password for all your accounts but it brings us on to step number two:
Use a different password for each account
If someone has access to your one key password, they have access to everything.
Cyber criminals know people reuse passwords, and after a major password leak they’ll try using these passwords and email addresses to get into all kinds of sites. Often, it works.
The solution is simple: have different passwords for every online account. That way if one account is compromised you can rest easy knowing your other accounts are still safe.
How are you going to remember all those different, complicated passwords though?
Get a password manager
A good password manager safely stores all your passwords, remembers them and can generate strong passwords for you. This makes it incredibly easy to use different, hard-to-remember passwords for every account, so you only have to remember the one master password to get in.
We use and recommend LastPass to our customers.
And to make sure our password security is as good as it gets:
Turn on multi-factor authentication
Multi-factor authentication adds another step before authorizing a user. For example, a code can be texted to your mobile which has to be entered before you can continue. This means that someone would have to know your username and password and also have access to your phone before they could access your account.
Sounds like too much work?
It is a lot less hassle than changing everything after your accounts have been compromised and you’ve cancelled your credit and debit cards and persuaded your bank that you never made those purchases on your latest statement.
Why should I uninstall QuickTime?
On the 14th April 2016 it was announced that there are two new, critical vulnerabilities affecting QuickTime for Windows. Apple were informed of these vulnerabilities in November 2015 and Apple later advised that QuickTime would be deprecated on Windows.
Deprecated means that it should not be used because there is (or there will be) a better alternative, that should be used instead.
In other words Apple is no longer providing security updates for QuickTime on Windows. These vulnerabilities are never going to be patched.
So what’s the risk?
In order for these vulnerabilities to be exploited you would have to visit a malicious web page or open a malicious file. There are no active attacks against these vulnerabilities currently, but that may change now that the announcements have been made. There will also be ever-increasing risk as more and more unpatched vulnerabilities are found in the software. The only way to be protected against all current and future vulnerabilities is to uninstall QuickTime for Windows.
Details of the vulnerabilities can be seen on the following links:
Okay, so how do I uninstall QuickTime?
You need to open the Control Panel. If you are using Windows Vista or Windows 7, click on the Start button; you should see the Control Panel option in the menu. Windows 8.1 users can open Control Panel by pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search. Type Control Panel in the search box and then click Control Panel. Windows 10 users can right-click on the Start button and click Control Panel.
When in the Control Panel click Programs then Uninstall a Program. Scroll through the list that appears and click on QuickTime. An uninstall option will appear at the top, select this option and follow the prompts.
Laptop screen repair is the second most common repair we carry out on laptops. Due to their portability they are more likely to be dropped. Normally this is off the edge of the sofa when that momentary lapse of concentration sees your laptop nose dive to the floor. Falling off a bed is also a good bet for a broken laptop screen. Getting comfortable or actually dropping off yourself are the normal explanations.
Leaving something on the laptop keyboard, commonly a pen, and closing the lid is another favourite for breaking screens as is actually sitting on them.
However you manage to break the screen, it does not have to be the end of life for the laptop. Laptop screen repair is a relatively quick process and can cost as little as £80, with the repaired laptop back with the customer within 24 hours.
Can I carry out my own laptop screen repair?
If you can source a replacement screen and feel confident in your own abilities then, like any repair, yes you can carry out the laptop screen repair yourself.
My number one tip would be, plug an external monitor into the laptop to make sure it is only the screen that needs replacing before you start.
The bezel round the screen is normally secured with 2 or 4 screws and clips that hold it in place. Sometimes double sided tape is used. Take care as any damage caused attempting your own repair will result in more expensive repair costs if you cannot complete it yourself.
We aim to have your laptop screen repair complete and ready to collect as quickly as possible. We will try to do this within 24 hours. Due to screen ordering times and deliveries this may not always be possible.
We will first check to make sure that the screen is at fault. If a replacement screen is required we will open up the laptop to get the correct part number. Once we have the correct part number we can give you an accurate price for the repair. The total cost of the repair will be £30 labour + price of the screen + courier charges.
All screens have a 90 day warranty.
Adobe Flash Player is one of those items of software that many people are unsure about updating. A window will appear on the desktop offering an update and it will be closed because people are not sure what Adobe Flash Player is or what it does.
Adobe Flash Player is software used to stream and view video, audio and multimedia and rich internet applications on your computer. Without it some websites you visit may not function as intended. Like all software on your computer it needs to be kept up-to-date to keep it secure.
Adobe delivers updates on the second Tuesday of every month. When critical vulnerabilities in the software are discovered though, further updates are released. These subsequent updates are often ignored as people think they have already updated and sometimes are annoyed at repeated updates. These updates are an essential part of helping to keep your machine secure.
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address a critical vulnerability (CVE-2015-3113) that could potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.
Adobe recommends users update their product installations to the latest versions.
How can I check Adobe Flash Player is up-to-date?
Adobe Flash Player installed with Google Chrome and Adobe Flash Player installed with Internet Explorer on Windows 8.x will automatically update to version 22.214.171.124 (the latest version as of 01 July 2015). If in any doubt, visit Adobe Flash Player help and click the “Check Now” button.
Windows 10 – should I upgrade?
This week many users saw an extra icon appear in the system tray of their Windows computer inviting them to reserve a copy of Windows 10 for free.
This offer is open to those users who have a genuine copy of Windows 7 or Windows 8.1 installed, and the offer lasts until 29 July 2016. After this date, if you want a copy of Windows 10, you will have to pay for it.
Since the announcement I have had a number of customers ask me a similar question to the one below.
I have seen in the press that Windows 10 will be a free upgrade to customers that are running Windows 7 or 8.1 from July 29 2015. Would you recommend that we should take up this offer?
First of all, if you are running Windows 7 (with Service Pack 1 installed) you will continue to receive security updates for the operating system up until 14 January 2020. Windows 8.1 will continue to be supported until 10 January 2023, so there is no hurry to make the decision. The offer lasts until 29 July 2016 and you can decide to accept the upgrade at any time in this period.
If you are currently running Windows 8.1 I would accept the free upgrade. One of the reasons many people are reluctant to upgrade or replace their computers is that they are used to the operating system they currently use and don’t like the idea of ‘learning’ to use another one. The move from Windows 8.1 to Windows 10 is not going to be a big change for Windows 8.1 users; they are already used to the look and feel, and Windows 10 will not require ‘learning’ again. Of course there will be changes, but nothing like the changes from earlier versions of Windows to Windows 8.
To Windows 7 users I would say wait a little bit but don’t disregard the upgrade. Take the opportunity to have a look at computers running Windows 10 once the upgrade is out and don’t be afraid to ask for help. Many of my customers who have moved from Windows XP or Vista to Windows 8.1, after a brief explanation of how to use the new operating system, have taken to it like a duck to water and couldn’t understand what the fuss was about.
If you are going to upgrade, make sure you use the compatibility check in the Get Windows 10 app to see if there are any issues and what solutions are recommended.
Windows XP support ended on April 08 2014 and the following statement is taken from Microsoft’s website.
What happens if I continue to use Windows XP?
If you continue to use Windows XP now that support has ended, your computer will still work but it might become more vulnerable to security risks and viruses. […] Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter more apps and devices that do not work with Windows XP.
Well, this week those Windows XP users who are running iTunes on their out of date machines certainly found out the hard way.
When logging on to iTunes, Windows XP users get the following message ‘An unknown error occurred (error 0x80090326).’ This means they can’t buy content, watch purchased movies and TV shows, play DRM-protected content, backup, update or sync.
Many users have wasted time and effort troubleshooting their machines but it is thought that Apple changed something to do with the secure connection iTunes uses to connect to the iTunes store and did not test the changes on Windows XP.
It has been speculated that an update adding support for two new ciphers (both of which work on the RC4 algorithm and are not supported by Windows XP) is connected to the problem, and only time will tell if Apple will make changes to rectify the problem.
Towards the end of 2014 TalkTalk customer details were accessed following a data breach against a third party contractor that had legitimate access to the customer accounts. The data that was accessed was names, home addresses, phone numbers and TalkTalk account numbers. No financial data such as bank or credit card details, or dates of birth were taken.
Scammers may be using the information they have illegally obtained to trick people into thinking they are genuine TalkTalk callers, and encouraging them to hand over more detailed information, such as their bank details.
With scams of all kinds on the rise, it is so important for us all to remain aware and alert, especially when asked for personal banking details or to allow remote access to your computer.
If you are in any doubt about the legitimacy of a caller, HANG UP and call the company on a trusted number.
- Never reveal personal or financial data including usernames, passwords, PINs, or ID numbers.
- Be very careful that people or organisations you are supplying payment card information to are genuine, and even then never reveal passwords. Remember that a bank or other reputable organisation will never ask you for your password via email or phone call.
- When calling any company, ensure you get the number from a trusted source – such as the official website or your latest bill or statement.
- If you get a call that feels suspicious, hang up and call back on the official number.
- You should always ensure the fraudster has hung up before you dial as sometimes they keep the line open to try to trick you. If you are in any doubt you should phone a friend or a trusted number first to make sure it goes through correctly.
Social Engineering is the act of manipulating people into certain actions. Criminals use social engineering tactics because it is easier to exploit your natural inclination to trust than to exploit your computer’s security.
The technical support phone call is a very common way criminals use this tactic to persuade you to pay for a service you didn’t actually need. I posted on this subject back in April 2013 and you can read the article at http://www.sig-ma.co.uk/phone-scam/
The reason I am posting about the subject again is, the criminals have not stopped using this form of social engineering and unfortunately people are still falling for their very persuasive tactics.
I receive a number of calls throughout the year from people wanting advice after being phoned by ‘Tech Support’ or ‘Windows’, ‘Microsoft’ etc. Last week a customer phoned me after receiving a phone call from someone claiming to be from ‘TalkTalk’. They managed to persuade her to allow them remote access to her computer and whilst she was unwilling to part with any payment details the damage was already done. The caller had applied a password to her Security Account Manager (known as SAM). This is a database that stores user account and security information and runs automatically when you start your computer. Without access to this your computer is not going to boot beyond asking for a password.
If you receive a phone call from anyone claiming to be aware of problems on your computer
Even if they ask for you by name or can give other information that might relate to you.
If you are having problems with your computer or have given remote access to someone who phoned up then I suggest you contact a local computer repair company to have your computer checked.
It is extremely important in our technology led world that the security on the computers you use is kept up to date. This week the National Crime Agency (NCA) has announced it has taken temporary control of communications used to connect with infected computers that could steal your financial information or hold your computer to ransom. The NCA expects only a very limited window of opportunity for you to ensure you are protected.
The threat that is causing most concern is one that uses two different types of malware to infect your computer.
The first, also known as GOZeus or P2PZeus, is malware used to infect computers so that they can be ‘taken over’ by the criminals. This can then be used to download and install additional malware, view your files, monitor your bank accounts, send emails in your name and even use your webcam to spy on you. This type of malware will normally go unnoticed as it does not make visible changes to your computer. If the criminals are unable to make a profit in this way, CryptoLocker is downloaded.
This type of infection is known as ‘ransomware’. Your files are encrypted, which prevents you from opening them, and you are issued with a ransom demand. If you pay the ransom there is no guarantee that your files will be unlocked. Once any files are encrypted they are effectively useless to you; there is no way to get them back without the encryption key.
Computers normally get infected by email attachments being opened or links clicked to go to bogus websites. If you are not sure of an email you have been sent, delete it, do not open it. Do not open attachments that you are not expecting and be wary of clicking on links in emails to access your accounts or reset passwords etc. Phishing emails can be very convincing and you may see even more connected with this threat claiming to be from your broadband provider, law enforcement agencies or even friends and family. If in doubt, delete it!
Many of you will have heard about the Heartbleed Bug by now. It has been on various programmes over the last week and many ‘experts’ have been giving advice about changing passwords and methods of remembering different passwords for different websites.
First of all let me explain what the Heartbleed Bug is.
When you are on a secure website (websites that start with https and have padlocks showing in the address bar) your data is safeguarded using a method of encryption.
Many websites have been using OpenSSL to take care of the encryption processes.
One of the functions used within OpenSSL is known as a heartbeat option. To make sure your computer is still connected to the server a message is sent and the server responds with the same message. For example, your computer sends the message ‘private’ and confirms that the message is 7 characters long, the server will then respond with the same message to ensure they are still communicating.
The Heartbleed Bug allows an attacker to send the same message but claim it is 64,000 characters long; the server will respond with the message plus an additional 63,993 characters of whatever happens to be in the server’s random access memory (RAM) at that moment. This is where the potential for attackers to grab sensitive data lies.
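The following Python is an added simulation of the heartbeat exchange described above, showing a responder with and without the length check; it is example code, not from this post and not OpenSSL’s own code. The request format (a two-byte length field followed by the payload), the layout of the server’s memory and the session data sitting next to the payload are all constructed for the example, and the checked version returns None to stand in for the server silently dropping a malformed request, which is what the fix does.

```python
import struct

# Constructed stand-in for the server's memory. Whatever the server has been
# handling recently sits right after where the heartbeat payload is stored;
# the session cookie and card fragment below are made up for the example.
OTHER_DATA = b"session=abc123; user=alice; card=**** 4242"


def build_heartbeat(payload, claimed_length):
    """Heartbeat request: a 2-byte big-endian length field, then the payload."""
    return struct.pack("!H", claimed_length) + payload


def server_memory(payload):
    """Simulate the server buffer: the received payload, then other data."""
    return payload + OTHER_DATA


def respond_unchecked(request):
    """The flawed behaviour: trust the claimed length and copy that many bytes.

    Slicing a Python bytes object stops at the end of the buffer; in C the
    copy runs straight on into whatever adjacent memory holds.
    """
    (claimed,) = struct.unpack("!H", request[:2])
    payload = request[2:]
    memory = server_memory(payload)
    return memory[:claimed]


def respond_checked(request):
    """The fix: the claimed length may not exceed what was actually received.

    Returns None for a malformed request, i.e. the server drops it silently.
    """
    (claimed,) = struct.unpack("!H", request[:2])
    payload = request[2:]
    if claimed > len(payload):
        return None
    return server_memory(payload)[:claimed]


def leaks_secret(response):
    """Check for the demo: did anything beyond the payload come back?"""
    return response is not None and OTHER_DATA[:8] in response


if __name__ == "__main__":
    honest = build_heartbeat(b"private", 7)
    print("honest request :", respond_unchecked(honest), respond_checked(honest))
    lying = build_heartbeat(b"private", 60)
    print("unchecked reply:", respond_unchecked(lying))
    print("checked reply  :", respond_checked(lying))
```

The honest request gets the same seven bytes back from both responders; the request that claims 60 bytes gets ‘private’ followed by the neighbouring session data from the unchecked responder, and nothing at all from the checked one.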
So, should you be changing all your passwords for the websites you use?
Yes and no. Some secure websites have been using different methods of encryption and these are not affected by the Heartbleed Bug. Many websites will have been patched in the last week and it would be wise to change the passwords you use for these sites. There will be a lot of websites that have not been patched, and changing your passwords on these websites will make no difference, as attackers will still have the potential to grab sensitive data.
The best thing to do at this point is to rethink the way you use passwords. Many people use the same passwords for everything: emails, banking, shopping, forums, gaming etc. If your password is compromised on one of the websites you use, attackers will use the same details on lots of different websites to hopefully gain access to other services you use.
I recommend you use a unique password for each website you use. Use the secure password generator linked in this post and create a list of random passwords. Print it out and keep it somewhere safe. Every time you need to make a new password for a website, pick one from the list and make a note of which website you use it for. This way you can use a different password for each site, one which is also very difficult to guess, and not have to worry about remembering complicated passwords.
Have two copies and keep them separate (just to be safe).
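For anyone who would rather generate the list themselves than use the online generator, here is an added example of the same idea in Python; it is not code from this post or from the linked generator. It draws passwords from the operating system’s cryptographic random number generator (the secrets module, not the ordinary random module, which is predictable by design), rejects any draw that misses a character class, and pairs each site with its own password so that none is ever reused. The symbol set and the site names are chosen for the example.

```python
import secrets
import string

# Alphabet for generated passwords: letters, digits and a set of symbols
# (the symbol set is a choice made for the example).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.?"


def has_all_classes(password):
    """True if the password mixes lowercase, uppercase, digits and symbols."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def generate_password(length=16, alphabet=ALPHABET):
    """Draw one random password from the OS CSPRNG via the secrets module."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):  # reject the rare draw that misses a class
            return candidate


def generate_list(count=20, length=16):
    """Produce `count` distinct random passwords, one per future account."""
    passwords = []
    seen = set()
    while len(passwords) < count:
        pw = generate_password(length)
        if pw not in seen:
            seen.add(pw)
            passwords.append(pw)
    return passwords


def assign_passwords(sites, passwords):
    """Pair each site with its own unused password from the printed list.

    Mirrors the post's advice: pick one from the list per website and note
    which site it belongs to. Raises if the list runs out rather than reuse one.
    """
    if len(set(sites)) != len(sites):
        raise ValueError("a site appears twice; it should keep the password it already has")
    if len(sites) > len(passwords):
        raise ValueError("not enough unused passwords on the list; generate more")
    return dict(zip(sites, passwords))


def format_sheet(assignments):
    """Render the site/password notes as the lines you would print out."""
    return "\n".join(f"{site}: {pw}" for site, pw in assignments.items())


if __name__ == "__main__":
    # Site names are constructed for the example.
    sheet = assign_passwords(["bank", "email", "shopping"], generate_list(3))
    print(format_sheet(sheet))
```

Run it once, print the output, and keep the printout exactly as the post suggests: anything that generates the list on screen should not also leave it lying in a file on the computer.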
Also, as the Heartbleed Bug has had a lot of coverage, people will start to see a lot of phishing emails (emails claiming to be from a service you use, like a bank, but are actually criminals after your usernames and passwords).
They will ask you to change your details and give you links to click on to do this. DO NOT click on the links in emails to change your usernames and passwords, always go directly to the website by typing the website address in the address bar of your web browser.