StopSign®

With over 400 million active members at the time of this post’s release, half of which log in at least once per day, Facebook is at the top of the web site food chain. With numbers like that, chances are that if you’re reading this post you’re also a Facebook member, and if you are, there have been a lot of changes in the last few months with regard to Facebook account settings that you may not have updated recently.

You may have updated a few settings when you first set up your Facebook account, but it’s a good time to review what your current settings are and make any changes necessary. We’d like to show you 3 things you can change, update, or do to make your Facebook profile safer and help ensure that only the information you want people to see can be seen.

1. Account Settings:

   It all starts with a good password. Since Facebook allows you to store a lot of personally-identifiable information, it’s even more important to ensure that the password you use to access Facebook is strong, unique, and known only by you. If you’re not sure how to create a strong password, check out our blog articles “12 Tips for Making a Good Password” and “Bionic Passwords: Better, Stronger, and Faster“.

   To change your Facebook password, click on Account > Account Settings > Password. You should then be prompted to type in your old password (as a safety precaution) and your new password.

2. Privacy Settings:

   The Facebook privacy settings page has 5 different sections that you can modify, each of which we’ll discuss separately below. For specific details on each section see the actual page itself.

   • Profile Information:

     This section allows you to determine who can see information like your birthday, photos, posts, comments, and information of that nature.

   • Contact Information:

     This section allows you to determine who can see information like your cell phone, home address, website URL, and IM screen names.

   • Applications and Websites:

     If you allow Facebook applications to access your account (including games such as Mafia Wars and 3rd party tools like Twitter), this section allows you to determine what, if any, information those applications can access. You can also select what information your friends can share about you, too.

   • Search:

     This section has 2 very important settings: who can see your search results, and whether or not your Facebook page can be accessed by search engines.

   • Block List:

     Have a virtual stalker on Facebook, or just really tired of someone? You can add them to your Block List and not have to deal with them any more (for the most part).

3. Watch what information you publish:

   Think twice before publishing anything that is personally identifiable to Facebook or any other web site. Phone numbers, addresses, work locations, and schools you or family members are attending are all examples of things that you might want to keep under wraps. And if you do publish them to your Facebook friends, be sure to double-check all of your Facebook settings (noted above) to make sure that only the people you want seeing them can have access to them.

   Please be especially careful with releasing any information regarding your home address online. Making your home address public isn’t something a lot of people do, but new tools, games, and features on many new phones, web services, etc. allow you to post geolocation data like GPS coordinates, and those can be just as dangerous to make public as your address. Read our blog post “Stranger Danger: Geolocation Features and Internet Safety” for more information.

For more information, check out the official Facebook safety page at http://www.facebook.com/safety/.

The StopSign Support staff fields a lot of different calls every day, and a common question heard by our techs is “How can I tell if my anti-virus software is working?“. With hundreds of new viruses and other kinds of malware being written or released every day, it’s natural to suspect that your anti-virus software isn’t up to snuff if you don’t see it catching anything.

Like most anti-virus vendors, the StopSign Research lab keeps a closed-off network of computers (i.e. not connected to the Internet or our internal networks) with live viruses to test our software before it goes out to our members. For us it’s easy to run our anti-virus software against live viruses in our “snakepit” of malware safely because we have a closed environment to test the StopSign Threat Scanner, but that’s not the case for everyone.

Luckily the European Institute for Computer Antivirus Research provides, free of charge, the EICAR Standard Anti-Virus Test File as a tool to test anti-virus software using different test files to see if your scanner takes the bait. The EICAR anti-malware test file is a safe (i.e. not truly infected; it only contains patterns and not any actual virus code), publically available anti-malware test file which contains code that should trigger detections by anti-virus and/or anti-malware software.

Testing your anti-virus software is as easy as 1-2-3:

1. Download:

   Go to EICAR’s web site and download an anti-malware test file on to your computer (and be sure to note where you downloaded it to). There are several versions of the test file available if you scroll to the bottom of the page. Feel free to choose any (or all) of them.

2. Scan:

   Using your anti-virus software (we, of course, recommend StopSign Internet Security software), scan the anti-malware test file you downloaded.

3. Review:

   When your security software is finished, it should have detected any of the anti-malware test files you downloaded as infected.

If for some reason your anti-virus software doesn’t pick up the “infection” it could just mean it’s time to update your software with the latest anti-malware definitions. Update your security software and try it again, and if it still doesn’t pick up the EICAR anti-malware test file then contact your security software vendor to see if there is a problem.

Location-aware features are becoming more and more prevalent in today’s online services and tech gadgets. From GPS in the latest smart phones to adding a geolocation tag on social networking sites like Twitter or even Google, its easier than ever to let people know where you are any time of day or night. But with the ability to publicly display your location lies an inherent risk for being a victim of cyber-stalking or worse.

When it comes to technology and online services in our digital world, it’s easy to forget how all the strings tie together. As we tweet, blog, or update our Facebook statuses during the day we’re supplying everyone who can see our profiles with sensitive data regarding our day-to-day activities. From what and where we had lunch to when we’re going to bed, every time we post anywhere we’re opening our lives a little more. This isn’t necessarily a bad thing, but basic precautions should be taken, especially with tools that can display our location on a map.

Thinking of geolocation data as sensitive information is important not only for your privacy, but for the safety of yourself and your possessions. Because of this we recommend that, if you add geolocation info with your online posts, you exclude certain places from being published. Examples of recommended sites to exclude are:

• Your house:

  GPS data these days is so accurate that if your geolocation data is posted online it can show you not only your general neighborhood, but the precise location of your house. With a good satellite image from Google maps it’s even possible to discover what kind of car you drive and where good hiding spots are around your home.

• Where you work:

  For most people a large part of the day is spent at work. Geo-tagging from work allows anyone wishing to follow you to easily track where you are when you’re on the job.

• Schools & daycare:

  Our children are our most precious gift, and showing the world where they go to school or daycare is just about as dangerous as doing it from your home. Resist the urge to post location information when you’re waiting at the school pick-up circle.

• Vacation spots:

  We already know that tweeting can potentially lead to a home burglary, and if you add your geolocation tags to your vacation posts when you’re out of town, you’ll not only let criminals know you’re gone, you’ll let them know how long your house will be empty.

It may seem far fetched at first, but here’s an all-too-possible scenario: Person A follows Person B on Twitter, and vice versa. Person A likes to tweet a lot about everything she does during a day. On her profile Person A has a profile picture of herself, her first and last name, and the latitude/longitude of her current location updated whenever she tweets. If Person B is an unscrupulous character, he can cyber-stalk Person A to his hearts content and begin to build up his own profile on her: Where she works, where she shops for groceries, who her friends are, what her neighborhood is like, and when she’s at home or running around town. Mix in real-time geolocation tagging and he can not only follow her online, he can take his stalking to the real world.

While geolocation tools and services can add a fun, new dimension to your virtual life, you need to understand the risks of opting-in to them. Just be sure to not share any location-based information that can put stalkers close to you.

OK, we can’t get your passwords to become faster, but certainly we can give you tips on how to make them better and stronger (read: harder to break). Our last post on passwords gave a lot of information on how good passwords can be easily created, and we’ve come up with more ideas for you to secure your passwords.

A strong password is the first line of defense against anyone who would want to break into your account, so the tougher you make it on them, the less likely it will be that they get what they want. Use these tips to create a bionic password that will make it tougher to crack.

• Get creative with words:

  You can get a lot of traction out of one word if you can figure out different ways to use it in your password. For example the word “crystal” is pretty clear (pun intended), but you can muddy it up a bit by doing things like removing all vowels, changing how it’s spelled, or reversing certain letters. Examples include “crstl”, “krYs+al”, and “ltsrc” (the first one, only backwards). Mix that up with another word to increase the length of the password and you’ll be good to go.

• The same word, only different:

  Maybe you like birds, and your favorite bird is the Pine Grosbeak bullfinch. Well, as we all know (sarcasm) the genus for those birds is “Pinicola”. Maybe you also happen to love Coca-Cola. You take out the “cola”, insert “Coke”, and now you have a 2-word password that’s easy to remember: “PiniCoke”. Substitute some of the characters to something like this: “p1niCok3″ and you’re good to go.

• Don’t use common number patterns:

  Your phone number, street address, even your jersey number from the high school football team… these are all very bad things to use in a password as they are. If you plan on using one of them, be sure to mix things up. If you live on 1313 Mockingbird Lane (Quick… what TV show is that address from? The first person to comment on the blog with the right answer gets a free year of StopSign.), you could use the street number like this: “+h1rT3en13″.

• Mix it up:

  Using only alpha-characters or only numbers isn’t a very good idea for a password at all. Your password is a digital cocktail. Mix. It. Up. If a decent password is made up of 8 or more characters, you should try to use at least 2 numbers and one non-alphanumeric character (a hash symbol “#”, an exclamation mark “!”, etc.).

• Use multiple passwords:

  Ideally you should have a unique password for every account that you have. Your home email, work email, computer login, bank account, Twitter… any account you have that requires a user name and password should have its own unique password.

These suggestions are not the end-all, be-all and we don’t necessarily advocate using every single password tip listed. But they can be food for thought when devising a new password. You’ve seen my repeated suggestion to mix things up, and that’s a big thing. Keep things fresh, get creative, and you’ll be far and away ahead of the pack when it comes to creating a strong (and difficult to crack) password.

There are reports coming in regarding Twitter forcing people to update their passwords. The reason: real or potential Twitter phishing attacks. Many people are talking about seeing an email from Twitter that reads:

Due to concern that your account may have been compromised in a phishing attack that took place off-Twitter, your password was reset.

At this time there is no confirmed threat, but it appears that if nothing else, Twitter is taking a proactive role in helping to reduce and/or pre-emptively kill any phishing attempt that may be occuring. Even if Twitter hasn’t changed your password and/or you’re not affected by this possible phishing attack, we recommend the following course of action for increased security:

1. Change your password. Make sure to use a good mix of letter and numbers.

2. Review and rethink any third-party services you’ve allowed in your Twitter Connections setting.

3. It’s also a good time to go through your followers (and those you’re following) and check for spammy and/or suspect accounts. Things to look for in these types of accounts include, but aren’t limited to:

   • Very few, if any, tweets. Ever.
   • No tweets in the last
   • Following thousands but followed by few.
   • The same kinds of tweets sent out over and over and over.

We will report on this issue again as we find out more details. For more tips on staying secure on Twitter, check out our blog post “Six Secrets of a Safe Twitter Account.“.

UPDATE: Twitter addresses the password resets with their status update entitled Reason #4132 for Changing Your Password.

Steering clear of spyware can be a difficult thing to do, especially with all the clicking you have to do just to get the information you’re looking for. A single-click here, a double-click there, lather-rinse-repeat this process for a few months and generously sprinkle that time with a few instances of drive-by downloads and a couple of missed opt-ins and before you know it your once speedy computer is slower than molasses in January.

Spyware happens, but there are things you can do to help stem the flow of it on your computer. By making a few easy-to-adopt changes to the way you browse the Internet and taking an extra minute before you download something, the tips we’ve compiled below will help you stay spyware-free.

1. Watch where you’re browsing:

   Spyware (and malware in general) tends to get on your computer from a shady source. Staying away from untrusted or unknown websites is an easy way to fight spyware. If you need to download updates or specific software packages your best bet is to get it directly from the manufacturer’s website (i.e. go to adobe.com for Adobe Acrobat updates). If you’re looking for software in general (i.e. you’re looking for DVD burning software but don’t know of a specific maker) then try a major download site like tucows.com or download.com.

2. Download with caution:

   A popular tactic with spammers is to send you to a fake website that looks like a legitimate one. Spyware makers have taken that lead and run with it for their own purposes. Stay one step ahead of them both by making sure you’re looking at, and downloading from, the site you’re actually supposed to be on. You can learn more about detecting fake websites in one of our previous blog posts.

3. Read the Fine Print:

   There are 2 common places to look for the tell-tale signs of spyware on a website you aren’t familiar with:

   1. The download or info page:

      Some software or websites, by their very nature, need to contact the mothership every now and again. Anonymous usage statistics, passing along pertinent information such as items in a shopping cart before you purchase, and things of that nature are part and parcel of getting things done online. What you don’t want, however, is to have things like your social security number, credit card, or email address passed around without it being absolutely necessary. Entering your Visa number in a shopping cart is one thing, but there’s no real reason for that cart to ask for your SSN. Keep an eye out for oddities like that when you’re browsing, and make sure what they’re asking for makes sense.

   2. The EULA:

      “What’s a EULA”, you ask? A EULA is an acronym for “End User License Agreement”. It’s where all the technical and legal mumbo-jumbo is put in (or before) a download (or install). Most people consider reading the EULA a nuisance and click on “yes” without having read a word. Keep in mind that acceptance of the EULA is a legal agreement you’re entering into with a software vendor, and if you don’t read it you won’t know what you’re agreeing to. Give a EULA the once-over before you install anything and make sure that everything is on the up-and-up.

4. Get protected, stay protected:

   Your antivirus software, in all likelihood, won’t do anything for you about spyware. It’ll work viruses all day long, but spyware is a different beast, and you need special antispyware software to deal with it. To make sure you’re completely protected you need to make sure your computer is protected with both antivirus and antispyware software. The one-two punch of antivirus and antispyware software will go a long way in keeping your computer as free from infection as possible.

Pretty simple stuff, actually. A lot of it is common sense, but keeping those things in mind when you’re browsing the Internet will help keep your computer protected from spyware.

As 2009 comes to a close and all of the holiday decorations begin to come down (you are taking down those lights before Valentine’s Day, aren’t you?), many people choose to make New Years Resolutions. Some people choose to promise themselves to lose weight, others to spend their money more wisely, but we’re asking you to make a different change: the way you use your computer and the Internet.

Making a change is never easy (most people don’t seem to like change at all); but change can be good if it’s done for the right reasons. Meet the New Year head-on by resolving to make the tech-related aspects of your life a little safer and a little more secure by following our 5 simple suggestions for changes to your computer and Internet use:

1. Change your passwords

   It’s a simple enough change, and possibly one of the most important. By not letting a password live for too long, you help to reduce the chances of it being captured by spyware or a keylogger and sent out on the web to someone with mischief on their mind. Read the StopSign blog post on creating a good password and update all of your passwords in 2010.

2. Update Privacy Settings

   Crack open your browser(s) and review your current privacy settings. It’s probably not a set of options that you look at all the time, and you might have accidentally set some of the settings too low for certain things, or maybe even added certain web sites to a white list that you didn’t mean to. Now’s the time to clean all of that up. And while you’re at it you may as well clear out your cookies, browser cache, and all that jazz. Start the New Year as fresh as possible.

3. Update Vital Information Online

   From the address and phone number on your online banking profile to dusting off that Facebook or Twitter account and removing any personally identifying information that anyone can see, there’s no time like the present to update your information online. We can help you to stay safe online with some tips on things to look out for when putting your info online.

4. Back up Important Files

   If you’re like us, you probably do a lot on your computer: your taxes, edit family photos, post videos online, and more. Don’t be caught without a backup: Burn your important files and other data to a CD or DVD, buy an external hard drive and copy everything over, or even use an online service to keep a copy of it all off-site. Between hardware failure (something a friend who didn’t have backups of wedding photos recently went through) and data corruption, much less any other calamity, keeping a backup of the things that are important to you should be a top priority in the coming year.

5. Patch it up

   Check your operating system, installed applications (web browsers and plugins, document editors, PDF viewers, spreadsheets, etc.), and antivirus/security software for updates. Without the latest version of software you leave yourself open to out-of-date problems at best, and security-related and/or data-loss problems at worst. Most software apps have a simple method of updating themselves anyhow, so it shouldn’t be too difficult to figure out.

If you enjoyed this post or any of our other StopSign Blog posts from 2009, just wait until 2010! We’re going to keep posting online safety and security-related topics here on our blog. You can also follow the StopSign Blog on Twitter to get the whole scoop on what we’re doing, what we think you might find interesting online (and sometimes offline), and more.

Happy New Year! We look forward to hearing from you in 2010. :)

“I’ve been hacked. Now what?”

Maybe it was a keylogger. Perhaps it was a simple virus, or even a trojan. Spyware took over your computer? It doesn’t matter, really. Something happened, you’re back to being clean, but your confidence in the security of your computer is shaken; and now you’re sitting there wondering what to do next.

First off, you’re not alone. With an estimated 300 new viruses or malware variants coming out every month, most people at one time or another are going to be the victims of malicious software. And depending on the severity of the attack you suffered, it’s not unlike the feeling you get when your home is robbed or your car is broken into. There’s a sense of fear, mistrust, and possibly even anxiety about being hit by malware in the future. Again, you’re not alone.

While we can’t speak to the emotions you may be feeling about what happened, what we can do is help you fix what happened and maybe even help you avoid the problem in the first place. What you’ll find below is a list of suggestions we have to recover from a malware attack.

• Change your passwords

  All of them. Especially if you had some kind of spyware or a keylogger on your machine. There’s no telling what passwords, if any, the crooks who authored your malware were privy to, but why take a chance? Make good use of our blog post on how to create a good password and come up with a new one for each and every site you use.

• Reconsider minor apps

  Now’s as good a time as any to go to your Add/Remove Programs and look at what software you have installed that you don’t use or might be suspect. Not only will this (possibly) help make your computer a bit more peppy, but it’ll also reduce the chances having of a piece of software on your computer that may be vulnerable to attack (vis-a-vis the bad guys).

  • While you’re at it, you may as well clean up and optimize your hard disk to help fix things up. That’s not going to prevent viruses or spyware from infecting your machine, but it is good general maintenance. :)

• Consider canceling those cards

  If you used a particular credit or debit card with your computer, consider calling up the issuing bank, explaining what happened, and have them cancel the card and get a brand new one issued. That is, admittedly, a pain in the behind; but if your card data was compromised then you could be looking at an even bigger pain trying to recover from a bank account being open to the whim of crooks.

• Report any crime

  It’s one thing to have some passwords compromised; it’s another to actually have sensitive data leaked or have money stolen a bank account whose information was on your computer due to malware. If you were a victim of a crime please contact the authorities.

• Be careful what you open

  Emails, IMs, downloads… Not to make you paranoid, but pretty much anything you can click on has the potential to deliver malware right to your computer’s doorstep. Only open files or click on links from trusted sources. You should also keep an eye open on those, too, since spammers and hackers can forge email addresses to make them seem like they come from a friend or co-worker. Read the subject and content of emails and IMs before clicking on any link or downloading any attachments.

• Practice safe computing

  Help yourself out by steering clear from traditionally virus and spyware-laden web sites: iffy download sites, adult sites, gambling sites, and movie/mp3/torrent/etc. sites. They’re not all bad, but they have a bad rap for a reason.

An ounce of prevention is worth a pound of cure.

While we can’t say that doing any, or all, of the aforementioned steps will keep you 100% protected against future infections, we can say that every bit of pre-emptive caution that you can take will pay off in the long run.

Twitter is like a giant party in a community of over 18 million people, and there’s bound to be a few apples in the bunch who want to cause trouble. You can get around some of those problems by locking down your Twitter account and being aware of some of the potential problems you might run into when you’re tweeting. Just follow these simple Twitter tips and use your common sense, and you’ll be much ahead of the “safe twittering” curve.

1. Good, strong passwords.

   The creation of a good password cannot be stressed enough! Make sure to create a password that’s difficult for others to figure out and contains a mix of letters and numbers. Also try to use a different password than you use on other social networking sites in case one of the passwords gets cracked or is leaked out. Read more about how to create a strong password on our blog.

2. URL shorteners.

   Sites like bit.ly, ow.ly, and cli.gs are great URL shortening services, especially when someone wants to link to websites in 140 characters or less. But if you don’t know the person who tweeted with a shortened URL, you’re never quite sure what you’re going to get. (OK, that’s not 100% true*) Be careful what you click on!

3. Are you (literally) on Twitter.com?

   Scammers and spammers love to build lookalike sites to try and trick you into submitting your user names and passwords to them instead of the real thing. Before you log in, check the address bar to make sure you’re actually on Twitter.com and not some scam website. Learn more about how to figure out if you’re on a fake website or a real one on the StopSign blog.

4. Third party access.

   There are some really neat services out there like We Follow and Twitter Grader that help enhance your Twitter experience and learn more about your tweeting habits; but there are also some fishy ones too. Make sure to regularly check your Connections settings in Twitter to clear out any unexpected or suspect applications that have been given access to your account. And if they offer it, connect using OAuth, as it’s much safer than supplying your user name and password to a strange website.

5. Phishy phish.

   You’ve got to be diligent about reading DM’s and @ mentions (there’s a particularly nasty trick going around now where a scammer will @ mention you regarding something you’ve tweeted about and there’s a shortened URL to a spam site in the mention – do NOT click on it!). There always seems to be a phishing scams of some kind happening on Twitter, so make sure you know what you’re clicking on or responding to.

6. Don’t get too personal.

   It’s really important that you don’t expose too much information about yourself or your family online. The wrong tweet can get you on a spammers list, or at worst, can lead crazies on the Internet right to your front door. We’ve got tips on how to stay safe online and offline.

For more information on Twitter security, check out the official Twitter help article on safe tweeting.

*OK, technically you can preview any bit.ly URL by adding a “+” to the end of the URL. Other sites and/or services may do the same; but the main issue is that URL shorteners, by default and by design, do not natively display the destination URL. Back to the top

Spam, much like the Monty Python skit which inspired the digital definition of spam, is in everything. It’s on your mobile phone, in your emails, and on websites all over the internet. It’s pretty much an impossibility to be completely spam-free, but you can get pretty close if you take a few precautions.

Here are 6 easy to use tips you can use to keep your email Inbox as spam-free as possible.

1. Read sign up details:

   When you sign up for a product, service, newsletter, etc., most decent websites will give you a link to details about what the sign up entails (usually a privacy policy or the like). Take a few moments to read this information, because details on what they plan on doing with your information will more than likely be listed there. Some things to look out for include:

   • Do they sell or share your information with third parties?

   • How often do they send out emails?

   • Are the emails and/or other contact methods relevant to what you’re signing up for?

2. Opt out:

   Read check boxes carefully during sign ups. Sometimes you have to check a box to opt out of a mailing list, or sometimes you have to uncheck it to opt out. There’s no standard, per se, and companies often do what makes the most sense to them. Read carefully to make sure you do what’s right for you.

3. Keep it under wraps:

   If information is optional, don’t give it up. There may be a field for your mailing address, but if it’s not required for a sign up then why do it?

4. Get to know them:

   Take some time to find out more about a website before giving them any information about yourself. Read their online privacy policies, check out their blog if they have one, and try to get a sense of who they are before you start typing in details about yourself.

5. Step away from the computer:

   For really detailed information requested online such as home addresses, phone numbers, and any sensitive information, you should try to find a verified phone number for them (i.e. one found in the phone book) or a local office (if possible) to sign up instead of doing it online.

6. Get a new address:

   No, we’re not telling you to move. :) We’re suggesting getting an email address that you can use to sign up for newsletters, etc. that you won’t mind getting clogged up with spam instead of your real email address. This way you can keep your personal email address clear for the things that really matter like family and friends.

This list is by no means exhaustive. There are always new methods being created to find out your contact information, and you need to be vigilant about keeping your info under wraps. Be sure to read what you’re signing up and stay on top of what you’re agreeing to online.

Oh, and if you’ve never seen the Monty Python spam sketch, you can see it on YouTube. Enjoy.