Jan 26

Do you save passwords in your browser? Have you stored sensitive information on your PC or Mac? Want to track down what stuff you’ve saved and where? Well I’ve come across a program called Identity Finder which will help to track private information like passwords, and credit card and bank account numbers on your PC or Mac. There’s a free version with more limited capabilities which I’m trying out here. In essence, it will only scan your My Documents folder not the entire hard drive, it won’t look for bank account numbers, and won’t go through emails and attachments; you’ll have to buy a licence for the Home or Premium editions for that. The Free edition searches Firefox and IE for hidden passwords. It will also shred or secure your sensitive data by encryption. Here’s a list of comparisons between the different editions.


So I downloaded and ran the Free edition. The scan took 20 minutes to complete and identified a number of sensitive passwords stored away in some files which I had forgotten about. You can scroll down through the results window and even preview the results for certain file types like pdfs and doc files. Although I don’t use Firefox any more, my hidden passwords there were all visible to Identity Finder so I went into Firefox and removed them. It didn’t report anything for Chrome but I do store those passwords in there so I suspect it isn’t checking Chrome at all.

But it was the passwords stored around the My Documents folder which worried me most. I do use LastPass to store my passwords securely so these back up locations storing passwords on my PC should be dealt with securely just in case anyone accesses it – they’re clearly quite easily found.

Identity Finder allows you to shred the files, or more usefully encrypt them. However I was only interested in the list of sensitive files as I use and like the free Axcrypt for file encryption. I’ll use this to encrypt the sensitive files.

I recommend you give Identity Finder Free a try and see what you find on your PC or Mac. You might be surprised. If you store all your sensitive stuff within My Documents and aren’t interested in emails and bank account numbers, it may be right for you. If not, the paid editions search more deeply and have 1-year to 5-year licences with a 40% discount on the 5-year licence.
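The kind of scan described in this post can be reproduced for plain-text files with a script. This is an added example, not Identity Finder's code or method: it walks a folder, flags Luhn-valid card numbers and `password:`-style lines, and reports only masked values. The function names, the extension list and the sample text are assumptions made for illustration.

```python
# Added example with hypothetical helper names; not Identity Finder's code.
import os
import re
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally grouped by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Lines that look like a stored credential, e.g. "password: hunter2" or "pwd=abc".
SECRET_RE = re.compile(r"(?i)\b(?:password|passwd|pwd|passphrase)\b\s*[:=]\s*(\S+)")
TEXT_EXTS = {".txt", ".csv", ".log", ".ini", ".cfg", ".md"}  # assumed list
MAX_BYTES = 5 * 1024 * 1024  # skip very large files


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs (phone numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str):
    """Return (line_no, kind, masked_value) tuples; the secret itself is never returned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            # A run of one repeated digit (e.g. all zeros) can pass Luhn; ignore it.
            if luhn_ok(digits) and len(set(digits)) > 1:
                findings.append((line_no, "card", "*" * (len(digits) - 4) + digits[-4:]))
        for m in SECRET_RE.finditer(line):
            findings.append((line_no, "password", f"<{len(m.group(1))} chars>"))
    return findings


def scan_tree(root):
    """Walk root and scan plain-text files; returns {path: findings} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if path.suffix.lower() not in TEXT_EXTS or path.stat().st_size > MAX_BYTES:
                    continue
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = scan_text(text)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: 4111 1111 1111 1111 is a widely used test card number.
SAMPLE = "router login\npassword: correct-horse\ncard 4111 1111 1111 1111\nphone 0123456789012\n"

if __name__ == "__main__":
    for line_no, kind, masked in scan_text(SAMPLE):
        print(f"line {line_no}: {kind} {masked}")
```

Because the report holds only masked values, it can be kept as a to-do list of files to encrypt or shred without becoming a sensitive file itself.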


Oct 28


I seem to get more than my fair share of ‘junk’ phone calls usually wanting me to invest in stocks and shares but this week I got my first scam ‘tech’ phone call. Thankfully I’d heard about it already on some tech podcast, but I think I would have seen through it anyway and hung up before it went too far. Here’s what happened and why my alarm bells were ringing pretty much straight away and hopefully this heads-up will alert you if you haven’t experienced this type of call yet.

The phone rang in the evening. My phone has caller ID so it displays the incoming caller’s number; in this case, the number was ‘unavailable’. So the caller was hiding their ID – always a bad start for them. I picked up the phone and there was a 2 second delay where I could hear that the caller was in a call centre. She spoke with an Indian accent so probably an Indian call centre. I probably should have hung up at that point but she asked to speak to my wife calling her by her real name saying that my wife was a registered Microsoft user and she was calling from a tech support centre. The game was definitely up at this point as I’m the registered Microsoft user at home. When I challenged her on this, she just said she wanted to speak to whoever was the registered user. I guess she was working from a sales database of names and numbers freely available in India or she’d got hold of our local phone directory. I let her go on for a little while to see where it would go. She said she wanted to do a security check on my PC and asked me to click on the Start button…

And that was enough for me. I politely said I was a fairly experienced Windows user and I didn’t have any PC problems and hung up. Doubtless she then went on her way and phoned the next number on her list. I wondered if she was paid on a commission only basis with payment only on calls with a ‘result’ for them. But I guess it doesn’t take many results for this to be a worthwhile business proposition for the scammers.

Anyway, I knew from what I’d heard already that if I followed her instructions she would have taken me to Windows Event Viewer and shown me folders of (usually unimportant) errors which Windows logs while it proceeds on its merry way. It’s a great scam as many people are alarmed by these errors even though their PC is running fine and they follow the scammer’s instructions for their removal with both a financial cost and with security implications as they let the scammer gain remote access to their PC. There’s a good write up here on the Guardian website. Apparently, this scam has been doing the rounds since 2008. I mentioned it to my wife later and thankfully, she said she wouldn’t have fallen for it either. When she mentioned it at work the next day, two of her colleagues had also received scam calls like that and neither had been conned.

Some of you may be reading this after it’s already happened and are searching for information about it.  If it’s happened to you, warn your family and friends. The scammers may be working from a local phone book so you may all get these calls in the same period. And don’t think that because you use Linux or a Mac you won’t get the call. Despite what they say, they only have a list of names and numbers and don’t know if you have a Windows PC. Best advice is to politely hang up or if you have the time, waste their time so they won’t be scamming someone else when you’re on the line.

Have you come across this phone scam or anything like it? How did you deal with the caller? Drop a comment below.


Oct 25


So you’ve uploaded all your photos to a social network and they’ve been tagged. Your profile picture is on Facebook, Twitter and now Google+ and your picture avatar follows you everywhere online from forums to blog comments. That’s okay isn’t it? There’s nothing to worry about, everyone else is doing it so it must be fine… I’d rather this than a cartoon or clip art for my avatar.

And it may well be okay, but there have been recent developments which may just start the alarm bells ringing. But first, can I take you back to a time before Facebook and social networking. In the early days online it was fine to have a cool username and cartoon avatar as part of your online persona. I came across this post on identity management in cyberspace (written in 2002 – pre-social networking) which brought that home nicely. It wasn’t necessary to bring your real personal identity online in those days. In fact there are even a bunch of terms used to describe your online persona: handle, alias, nickname, moniker, alter ego. But with the rise and rise of Facebook, Twitter  and now Google+, they want real names, with profile pictures encouraging real identity aggregated between online services. It seems now it’s time to be real online – real names and real tagged photos to identify us. But as I’ve said before on several occasions, we’re still breaking new ground with online social networking. We’re only about 5 years into this fledgling phenomenon. It’s not been done before and it remains to be seen whether being so open with our real names and photos will have a scary downside in say 10 to 15 years time when so much information has been released by us and gathered by… who knows who? So I’ve always been a little reluctant to put too much personal information out there. But not so for my business – online directories with real names and business details is surely okay. But hear me out, particularly on online photos of yourself.

Facial recognition

It’s not very hard to imagine that in the next few years our mobile devices will feature facial recognition technology – software to put names to faces in photos. Trial facial recognition software, PittPatt,  developed at Carnegie Mellon University can take a photo of a stranger and, using information from the cloud (Facebook, etc), can track down their real identity in minutes. It’s only a short hop from there to search and dig out other information like address, email and mobile phone numbers linked to the photo and identity and we surely have the scary possibility of some stranger snapping you with their mobile phone and fairly quickly getting hold of a lot of useful personal information about you.

Pseudonymity

But then I could be totally wrong, and judging by the millions  of people quite happy to put so much information online, I probably am. But at least spare a thought for those of us who continue to operate under pseudonyms and don’t want to put up photos of ourselves. It’s not because we want to hide behind a front and dish out stuff without fear of recrimination. There may just be a good reason now for trying to preserve our anonymity.

Have you ever googled your name and been surprised at how much detail comes up? Even though some of it is out of date and quite misleading, it’s all virtually impossible to remove once it’s out there. But people are making judgements of you based on what they find. You could also try googling your phone number + city/town and see if that brings up other aspects of your identity for all to see.

You don’t have to go the real name route online. After a lot of pressure, Google has finally backtracked on the real name requirement for Google+ and soon you will be able to sign up under a pseudonym. So perhaps it’s time to think again about online photos and online identity before it’s too late. Or am I just being way too paranoid? Drop a comment below.


Mar 23

Sites like for example Ge.tt make file sharing real easy but if you’re sharing an important file (e.g. sensitive financial data), just passing a shared file’s URL to your recipient isn’t very secure – anyone can get at your data if there’s no password protection or encryption at the sharing site. If you’ve emailed the link to your recipient, that can have security issues as Lifehacker explained in a post today. You have no control over the recipient’s server and they may download your attachment from an unencrypted HTTP connection (i.e. not HTTPS). Clearly for the most sensitive data there’s no substitute for passing it on in person if possible, but failing that there’s a couple of options you can try to improve security during file sharing.

Password protected file sharing

There are a number of sites which offer password protected file sharing and I’ve just picked out a couple. For example Wikisend


The service is free and you can share a file up to 100MB with password protection. Obviously sharing the link and the password in the same email is not the smartest idea so you should really try to send the password to your recipient by a separate route for security.

Another service is divShare


With their free account, they offer up to 5GB of storage and 10GB downloads/month.

File encryption

Another route to secure file sharing is to email the encrypted file to the recipient but again sending the password separately. The encryption plus the need for a (strong) password to decrypt it should deter any snoopers on hosting servers.  I use the free utility AxCrypt to encrypt all sensitive files on my computer. And when you right click on a file to encrypt it, you get the option to Encrypt a copy to a EXE. This creates a password protected self-decrypting exe file which you can email to your recipient. They don’t need to have AxCrypt installed to decrypt the file, just the password. Again, send the password separately. Another possibility would be to use the archiving utility 7-Zip to create a password protected encrypted archive with your file or files.

Dropbox

The Lifehacker article mentioned above notes that Dropbox offers encrypted transmission for file storage and sharing. You and your recipient can set up a shared Dropbox folder. Anything you put in that folder would travel encrypted from your Dropbox folder to Dropbox’s servers to your recipient’s Dropbox folder. In a blog post today on Download Squad, they note that Views.fm can let you create public or private shares of your Dropbox folders. Private shares are only accessible to people you invite via email, and you can see and edit who has access right from your Views.fm shares list.

So there’s some thoughts on secure file sharing… or at least securer file sharing. It’s clearly not perfect, with distribution of passwords to access shared files an area of concern. So do you secure your shared files in any way? Drop a comment below with your thoughts.


Feb 6


If you carry your data on a USB drive, I’m sure you’re always worried about losing it. Of course you should always take the necessary precautions about protecting the data on it like making sure it’s backed up somewhere safe and encrypting the data on it if necessary. But we don’t always do this and so we might end up losing some valuable information.

You could use Flash Drive Reminder which pops up a reminder when you try and log off Windows without removing your USB drive. Putting the drive on a car key ring might also help you to remember it but if you haven’t done this, what about getting the stick back? Doubtless if lost, some finders would just keep it, look at the data, or delete the encrypted data and reuse the stick, but I’m sure many with good intentions would return it if given the chance.

Well you could use LostDrive and edit the contact details. Or just put a text file in the root directory of the stick with your contact details. You could call the file ‘Read-me-if-you-find-this-USB-stick.txt’. But you mightn’t be happy about putting contact details in there in case the drive falls into the wrong hands.

Well I’ve come across a free service called whspr! which allows you to be contacted by email without giving away any personal details in the text file.


If you fill out the form there they give you a URL which you could put in the text file. Anyone who finds your USB stick hopefully will open the text file. You could put a message thanking them for opening the file and saying that you’d be most grateful if they could get in touch with the owner by clicking the URL. This would send them to a form at whspr where they can send you an email message. whspr forwards the message to your email address and now you can get in touch with the finder whose email is on the form. The URL lasts for up to 365 days so you have to remember to renew it before then. So set up an email or text reminder with your reminder app, for example Task.fm, to remind you, say, a week before the URL expires and get a new URL from whspr.

Hopefully, these tips should help you minimize the loss of a USB stick. Have you any tips? Drop a comment below.

Image credit: jatop


Jan 13


So how do you save your passwords? On a sheet of paper? In your head? In your browser? Or in a password safe? Given the risks of losing the sheet of paper, or forgetting memorized passwords, or someone else accessing your browser, the password safe is probably the best choice. We all know how important it is to have long passwords which are a combination of upper case and lower case letters, numbers and symbols so I won’t go into that here. But we must have a secure way of storing them.

When Lee Mathews of Download Squad wrote a post on LastPass back in August last year, I decided to give it a try. I’ve always found him to give excellent software recommendations on Download Squad. I was using KeePass at the time, another password manager which was being warmly recommended on tech blogs and tech podcasts. It’s a great password safe, but the problem is that to get passwords from KeePass to your browser, you have to launch the program, enter your password then copy and paste the stored password to wherever you need it – which all takes time. There is a plugin for KeePass called KeeForm which is designed to open and scan a website for input fields and fill them accordingly with a user name and password but it only works with Internet Explorer. I use Firefox so I decided to try LastPass. I found it really easy to install and liked the way everything was explained during installation.

LastPass keeps all your web logins securely synchronized across multiple computers. It stores your passwords in encrypted form on your PC, and there is a Firefox browser extension and Internet Explorer add-on for LastPass which recognises and fills password boxes from your encrypted password data. Not only this, but it will also fill online forms much like RoboForm.

Another feature I like is that it will store multiple usernames and passwords for a site. For example, I have personal and business usernames and passwords for Delicious. When I go to log in to Delicious, the Firefox LastPass extension gives a drop-down set of buttons one of which is AutoLogin. Clicking on this allows me to choose which of my two Delicious accounts I log in to. The buttons appear below the Firefox tabs near the top right corner of the browser window.


LastPass also syncs passwords over the net, so all your saved passwords on your work computer, for example, will always be synced to your home computer. It’s also cross-platform, so you can sync your password data to Windows, Mac, and Linux PCs. There’s also a portable version of LastPass called LastPass Pocket so you can keep your encrypted passwords and usernames on a thumbdrive. Pocket is designed to provide you with access to your passwords on any computer.

There’s actually a lot more to LastPass than I can go into here so please check out their website for all the details. Or have a look at their FAQ. The big question with all these password managers is: Are my passwords safe or can anyone else access them? Many of the security questions have actually been addressed by LastPass in the comments below a LifeHacker feature on the program in August last year and also on their website here. They assure us that the passwords are only stored on your PC. They’re encrypted locally on your PC and the result of that encryption is uploaded to LastPass. LastPass never has a way to decrypt your data so it’s important to remember just one password – your LastPass password!

So if you’re storing passwords on paper, in your browser or in your head, give LastPass a try. I’ve been using it since last September without problems. In fact, I’ve just checked through my list of essential software on my About page and LastPass would rate as my best find of 2008. Oh, and it’s free.

Added on 15th January:

Further reading: Securely Synchronize all your Browser Passwords with LastPass

Added on 20th January:

Further reading: LastPass now handles logins and form filling in any browser


Oct 25
Better safe than sorry
techandlife | How to, Security | October 25, 2008

I haven’t really blogged about PC security yet because there are so many sites out there doing a great job informing how to keep your machine free from viruses, spyware and bots. I’ll mention one great site later, but first just a brief outline of my favourite antimalware and security applications. Over the years, these programs have been generally highly recommended on forums and blogs and I find them all excellent.

My firewall is ZoneAlarm Free and for anti-virus I use AVG Free. Both these products have served me well for years. For antimalware, I use SUPERAntiSpyware Free edition. This has been recommended for some time by the experts on the Motley Fool forum ‘Help with this Blasted Computer’, a forum I really like and trust for tech help. More recently, the program has also been picked up and recommended on the Podnutz computer repair podcast as the product which identifies and eliminates spyware which many other antispyware programs miss.

I route all my incoming email through Gmail as I find it’s excellent at eliminating the spam emails which my ISP and web host let slip through.

I use a product called RUBotted from TrendMicro to identify behaviour associated with bots.

As a password manager, I’ve just started using LastPass and so far I’ve found it excellent for managing my online passwords. One feature I really like is that you can quickly log into different online accounts at the same site very easily. For example, I have different Delicious accounts for personal and blog bookmarks and I can move between them very easily. I’ll be doing a separate post on LastPass later.

All the programs I’ve mentioned are free and I recommend them all. However, if you want real-time antispyware protection, then check out SUPERAntiSpyware Professional edition.

As has been said many times before, the best form of PC security is the person behind the keyboard. Don’t go to dodgy sites, and don’t click on attachments in email unless you are absolutely sure you trust the sender.

But if you really want the lowdown on PC security, great advice on free apps and how to keep your system out of danger, read and subscribe to Bill Mullins’ Weblog.

I’ve been subscribing to his blog for several months now and Bill’s advice on computer security and products is second to none. Here’s just one post from his archive that will give you an idea what security software you need.

