Here’s something that might increase any feelings of paranoia that you experience around computing and cyberspace

Researchers in the USA (Zoom on the Keystrokes: Exploiting Video Calls for Keystroke Interference Attacks) have shown that it is possible to analyse a recording of a video call (such as a Zoom, Teams, or Skype call) and use computer software to infer, with a fair degree of accuracy, what the person on the recording is typing. Neither the keyboard nor the user’s hands need to be visible on the recording. I confess that any paper whose introduction starts with “Catalyzed by the ubiquity of the Internet…” is unlikely to capture my undivided attention through to the end, but I think I’ve got the gist of it from Tom’s Guide and a skim of the paper itself.

The basis of the method is that the program looks at reference points in the face of the person in the video and then infers what keys have been pressed from the movement of the arms and shoulders relative to those facial reference points. It sounds fantastic (in the sense of “fanciful” rather than “great!”) and no-one is claiming that it is anywhere near 100% accurate, but it is definitely capable of stealing information.


It’s not just Zoom calls that are potentially susceptible to this kind of attack.

If, for instance, the software knows the email address of the person in the recording, then it can recognise that the email address has just been typed with about 90% accuracy. It then assumes that the next thing being typed is a password. If the password is a good, strong, unique one then it’s going to struggle, but the supposed password that has just been typed can be compared against a database of the most common million passwords. If the person in the recording has been lazy and/or predictable in creating the password then they may now be in danger. Remember, there will also probably be an audio track to the recording so, depending on the context, it could be completely obvious which account the password just gleaned belongs to.

The paper’s authors do go on to offer advice as to how to mitigate the threat. This, naturally, revolves around reducing the accuracy of the analysis. So, wearing long sleeves reduces the accuracy of the measurement of arm movement, and reducing the frame rate or resolution of the video capture also reduces accuracy. Having long hair also affects the analysis, apparently (those were the days!). Some things you might think are relevant, but aren’t, include the make and size of the keyboard (but a “zwerty” keyboard instead of a normal “qwerty” one would probably complicate things). The researchers also acknowledge that they didn’t investigate differences in accuracy caused by the participant’s “error rate” when typing. My mind is now thinking of other potential tactics such as moving the keyboard by a few inches every now and then, or turning off the video when entering sensitive information.

When I first read about this, I thought that you’d have to be paranoid to be worried about it, but the more I think about it, the more realistic the threat appears to become (or the more paranoid I become). Clearly, if your video conference is with someone you trust (and you don’t fear anyone else getting hold of a recording of the session) then there’s probably not a lot to worry about. But what if you are on a conference call with 100 other people who you don’t know?

Will this be just a quirky bit of research that is soon forgotten, or might this become a major new threat to cyber security as the accuracy of the analysis improves? Dunno.

If you accept the defaults in Windows 10, Microsoft might be able to see everything you type

If you install Windows 10 and accept its default settings (as you just try to get the job done in the shortest time possible), then you will be giving Microsoft permission to record every single keystroke you make on that computer. Windows 10 includes a keylogger – “a spy tool used to capture your keystrokes”.

When the keylogger was added to the Windows 10 “Technical Preview” there was justification. After all, the “technical preview” was meant to be just that. Microsoft advised against using the technical preview for purposes that included using “sensitive data”. In the meantime, the keylogger must have been a very useful tool to help Microsoft see exactly what the user was doing when problems occurred.

But what possible justification could Microsoft have for spying on every keystroke of every “normal” user now that Windows 10 is being installed in its “consumer” version? With Windows 10 now installed on some 148 million computers (almost 10% of the entire market), that’s one massive amount of data Microsoft is sucking in (source).

The good news, however, is that you can turn off this keylogging. Well, let’s assume that the option to turn it off does do just that, and not dwell too much on just how far we trust them. Maybe I haven’t yet recovered my trust in the wake of Volkswagen and AVG (see last week’s blog: “AVG to sell browsing History”).

So, this is how we turn off keylogging in Windows 10:

  • Left-click or tap on the Start button (you know the Start button, it’s the one we all whinged about losing in Windows 8).
  • Left-click or tap on “Settings”.
  • Left-click on “Privacy, Location, Camera”.
  • Left-click on “Speech, inking and typing”.
  • Left-click on “Stop getting to know me”.
  • Left-click on “Turn off”
  • Close the “Settings” window and start to get a grip on your righteous indignation.

The steps to take to turn off the Windows 10 keylogger

For any of my computer support clients that I helped to install Windows 10, I hope that I turned off this spying as part of the installation. Nevertheless, it will only take you a minute to check and I advise that you do so if you care at all about your privacy. If you have bought a machine with Windows 10 already installed, or installed it yourself but didn’t over-ride the “express settings”, then I most certainly advise checking it.

Mobile wifi has been around for a while, but has its time now come?

Do you remember the days before laptops had in-built wifi adaptors? It used to be quite common to buy a mobile data plan, with its own SIM, that worked by connecting a “dongle” (containing the SIM card) into a USB port of a laptop. I seem to remember that this used to work reasonably well. Somewhere along the way, though, these seem to have lost favour. When I asked my mobile provider (EE) about it recently, they said that they no longer support such devices.

In large part, they probably went out of popular use as laptops began to be supplied with their own wifi adaptor. These could easily be connected to one’s own wifi router or to the wifi supplied in ever-increasing numbers of public locations. However, I have now found that some mobile providers do still offer “data dongles”. See the one illustrated from Vodafone.

EE Osprey Mobile WiFi

So why do I mention this now? Well, when iPads first came out, I advised buying a version that included the ability to take a SIM card for a dedicated mobile data plan. This would give the same facility as plugging in a USB dongle with a SIM card (which can’t, of course, be done with an iPad as there’s no USB connectivity). My reasoning was that it is probably worth the ridiculous £100 extra on the price of the iPad just to be able to connect to the internet wherever there is a 3G (or, now, 4G) signal. That’s what I bought for myself and it worked well. Move on a while, and I now have a Microsoft Surface that I carry with me for work. It is essential that I am self-sufficient with a wifi connection, so I asked EE if I could buy a USB dongle so as to put the SIM from my iPad into my Surface (the Surface can’t directly take a SIM).

EE said they don’t support the dongles any more but I could buy a “mobile wifi”. This takes a mobile data SIM and transmits a wifi signal that can be connected to by up to 10 devices in the area. This is great because there are no physical connections (so it’s not taking up the only USB slot on a Microsoft Surface, for example) and it means that ANY device or computer that can connect to a wifi signal can access it without any software or setting up (other than knowing the name (SSID) of the mobile wifi and its password). I know that these devices have been around for quite a while but they’ve never been anything like widespread.

Vodafone Data Dongle

So I bought one and I’m well pleased with it. I’ve been getting speeds of up to 15 Mbit/s on mine. This is twice as fast as at least half of the standard domestic ADSL broadband connections that I see among my computer support clients. The connection is usually stable and it produces a good enough signal that I don’t even take it out of my bag: I just turn it on and connect to it wirelessly in the normal way.

It also means that I’m not having to choose between my iPad and Surface for internet connectivity. In fact, up to 10 devices can typically connect to one mobile wifi at a time. I just need to make sure I’ve got the mobile wifi with me and that it’s charged. It is charged via a standard micro USB connection in about an hour or so.

There’s another use I put it to, and that is that I now routinely connect to the internet in cafes and other public places via my mobile wifi and not via the “free” wifi provided in those establishments. And there are two very good reasons why I think it’s a good idea to get away from unsecured public wifi connections:

  • With public wifi, you can’t be sure that the innocent-looking person on the next table to you isn’t stealing every bit and byte that’s passing between you and the internet.
  • With public wifi, you can’t be certain that the provider isn’t stealing information about you as well. A few weeks ago I connected to Costa Coffee’s wifi for some reason and was really hacked off when a message came up saying their terms and conditions have changed and that I now have to tell them my gender! No way. If they are giving me free wifi then it’s not free if they are gathering (and selling?) information about me and my use of their service. Having a distinctly childish and petulant streak in me, I told them I am female.

So, if you have several mobile devices and want more-or-less permanent access to a secure wifi connection, then mobile wifi is versatile in that it allows any device capable of a wifi connection to connect to it, and it also lets you get away from the security-challenged environment of public wifi.

But, oh yes, it’s one more thing to forget to put in your bag when you go out, and one more thing to forget to charge.

Have you ever downloaded a new program onto your Mac, only to be told by the operating system that it can’t be opened because it’s from an unidentified developer?

Mac OSX computers are more protective than Windows computers when it comes to what’s allowed on your computer and that has obvious security benefits. Nevertheless, it looks rather over-protective when it won’t let you start a program that you want to run!

This situation comes about when you try to run a program (or “app” or “application”) that hasn’t been vetted by Apple and checked to be malware-free. I don’t understand why Apple choose to offer you the misleading information that the “app can’t be opened” because it can. All you need to do is to have the control key pressed as you click on the program to open it.

Here is an example of the “error” message:

Gatekeeper Message

Once you have opened a program this way, the operating system will add it to the list of approved programs on that computer, so it shouldn’t happen again for that program.

If you encounter this situation often, and/or can never remember how to over-ride the veto on opening a program, then you can change the settings so that the message is not displayed at all. This is probably not a particularly good idea as it would be much easier to install software that has malware in it if your system is not even asking you to think about whether the program is safe.

However, if you do want to go ahead and change the settings for ever:

  • Click on the Apple logo (top left of any screen)
  • Click on “System Preferences”
  • Click on “Security & Privacy”
  • If the padlock at the bottom left of the window is locked, click on it and enter the administrator’s password for the logged on user
  • Click on either the second or third “radio button” in the list headed “allow apps downloaded from:”
  • Click on the padlock again to lock it
  • Close all dialog boxes

This security feature in Mac OSX is called Gatekeeper. It has been around in Macs since the Mountain Lion version. You can learn more about it by clicking on the link to Gatekeeper.

By the way, there was a time when I was naive enough to think I may be able to offer any instructions like those above for all the different versions of operating systems. I can’t. There are far too many versions. So, whether we are talking about Macs or PCs, I will only offer details for the current version. At the moment, that is Windows 10 or Mac OSX El Capitan.

It used to be that I tried to keep old laptops around that were loaded with different operating systems so that I could check on differences and offer telephone support to clients using older systems. Luckily, that requirement has almost completely disappeared since I started using Teamviewer to remotely support clients by actually seeing what they can see on their own computers. This is much, much less stressful than providing computer support and advice by a phone call alone and trying to keep track of what the client is looking at.

Like a spare key for your Microsoft account?

Microsoft accounts are becoming more important. All downloads of purchases from Microsoft require us to have an account, access to the Microsoft OneDrive cloud storage requires one and, if we do as Microsoft would like us to do, every time we turn on a Windows 8 or Windows 10 computer we sign into our Microsoft account.

What happens if you suddenly can’t access your account? There are several ways this could happen, including someone having hacked into your account and changing the security information. As I’ve written before, (see, for instance, this blog about Gmail passwords) it can be very difficult to prove an account is yours if you’ve been locked out of it.

At the cost of just five minutes of your time, you can create yourself a “spare master key” that will over-ride all other access methods to your account. This means you can get into the account even if it’s been hacked and the sign-on information changed. This “spare key” is not to be used lightly, though. If you do use it then all your other security information will need to be re-entered into your account (mobile phone number, secondary email account etc).

So, how do you create a Microsoft Recovery Code?

Click on this link:

sign into your account in the normal way, and enter any security information that is required. Yes, that does, of course, mean that you can only create a recovery code when you already know your security information. You can’t (for obvious reasons) create a recovery code if you’ve already lost access to your account.

Once you have convinced Microsoft that you are genuine, you will be presented with a page showing various aspects of your security information. Just scroll down until you see the section headed (natch) “Recovery Code”.

Click on the link that says “Set up recovery code”

You will then be presented with a screen showing your new, 25 character, recovery code. Record this information in the same place that you have recorded the username and password for your Microsoft account.

Close the browser window.

Make a cup of tea.

Using A Microsoft Account Recovery Code

If the day comes when you need to use the recovery code, proceed as follows:

Click on this link:

Click on the link that says “Can’t access your account?”

Click in the circle next to the reason that most closely matches your situation and click “next”.

Identify the account you are going to recover by entering the email address associated with the account and enter the information that matches the “captcha”.

The next screen will ask you to choose how you want to receive your security code. Answer by choosing “I don’t have any of these”.

The next screen will then invite you to enter your recovery code. Just do so, and then click on the button that says “use recovery code”.

You will then be back into your account. Note that you will then need to re-enter your security information (mobile number, secondary email address etc). Also note that your recovery code can only be used once, so, now that you are convinced of how worthwhile it was to set up a recovery code, go back to the start of this blog post and create yourself a new one ready for the next time that you need it.

We can make a stab at reducing the information we give away in our web browsing

When my computer support clients ask me which internet browser I prefer I say “Firefox”. The main reason is that there is a wide range of “add-ons” to tweak how it works. In particular, I am interested in add-ons that tend to help with online privacy. When someone then asks “what are the add-ons that you use”, I can’t remember. Hence, this blog post.

I can’t be certain how effective these add-ons are, or be certain that there aren’t better alternatives out there. It’s also quite possible that there’s an overlap between some of these add-ons. Be that as it may, this is the list of privacy and security add-ons that currently live in my own Firefox browser:

Adblock Plus v2.6.7

Adblock Plus removes online advertising so that you usually see blank space where the ads used to appear. There are some websites that won’t allow you to visit their site unless you disable this add-on. No doubt this is because they generate income from people clicking on the ads that this add-on hides.

Blur (formerly “DoNotTrackMe”) v4.5.1334

Protects passwords, payments and privacy online.

Flagfox v5.0.6

Displays a country flag in the address bar depicting the location of the current website’s server. It also provides a multitude of tools such as site safety checks, whois, translation, similar sites, validation, URL shortening,

The main use of this add-on is that it displays (in the address bar) a small flag of the country in which the current website resides. This can act as a warning when a website’s address is somewhere other than you might expect it to be. This is just one of those little indicators that help you build up some sort of a picture as to whether you think you can trust the site. If you think a website isn’t what it purports to be then it could be trying to exploit you – eg by trying to get malware onto your computer. A website calling itself “” might seem a bit suspicious if you see that it is based in Russia!

Ghostery found these trackers on the home page of Huffington Post and blocked them all.

Ghostery v5.4.3

Blocks tracking technology on websites. It can display all the tracking technology found on a web page and display a list of it so you can get some idea of just how much tracking technology websites use. I have sometimes seen up to 30 different tracking technologies being used on a single web page. See the illustration for Ghostery’s findings of the tracking technology on the home page of the UK version of Huffington Post. Note that the line through each item acts as confirmation that Ghostery has blocked that item from sucking data from my visit.

TrackMeNot v0.8.16

This is designed to foil search engines’ attempts to build a profile of your web surfing habits. I like the way this one works. Instead of disabling anything, TrackMeNot does just the opposite: it sends random requests to the search engine so that your real surfing habits are hidden amongst all the bogus searches generated by the add-on. This is quite invisible, of course. You don’t see your browser searching for seemingly random websites!

Firefox Privacy Settings

Online privacy is also helped, of course, if you configure Firefox options to help protect your privacy and security (see illustration).

You might ask why I don’t use “Private Browsing Mode”. The answer to that is simple – it is of no use at all in stopping websites from sucking information from your visit. Private Browsing mode is there purely to remove the evidence on your own computer of your browsing history. It does nothing whatever to protect your privacy and security online. Click this link for more information on Firefox Private Browsing.

You might also ask why I’m only covering add-ons for Firefox. There are two simple reasons – (a) it’s the browser I use (partly because there are so many add-ons available) and (b) it would take the rest of my Saturday to check whether these add-ons are available for Internet Explorer, Chrome, Opera, etc. However, if you’d like to know more about any of these add-ons, just click on the link contained in the name for each add-on in the listing above. It won’t be difficult to track down whether any particular add-on is available for your own favourite browser.

We all know that passwords are a nuisance – but necessary

I’m not going to bang on again that you shouldn’t use the same password for more than one account. And we all know that recommended passwords are getting longer and more complicated. It seems to me that there’s a general “average” of what is currently considered to be a good (or, at least, reasonable) password:

  • At least eight characters long and possibly up to twenty
  • At least two of the following types of character should be included – upper case letters, lower case letters, numbers, special characters (eg $<*! etc.)
  • No word that is to be found in a dictionary should ever be used on its own as a password
  • Avoid easily-guessed proper nouns (ESPECIALLY your cat’s, children’s, partner’s names!)

But it doesn’t matter how long a password is, or how many billions of years it would take to crack it by brute force if the person trying to get into your account can read the password on the post-it note on your monitor!

So, a lot of websites and organisations (especially financial ones) are bringing in ever more complicated systems of security that require more than one factor to be correct. In these systems, knowing the password is not enough to gain access.

Multi-factor authentication requires the user to satisfy the system that they are genuine by providing at least two from the following three factors:

  • a knowledge factor – something the user knows
  • a possession factor – something the user has
  • an inherence factor – something the user is

Passwords are, of course, an example of the first criterion.

A debit/credit/bank card is an example of something that the user may have. So, getting cash from the hole in the wall entails multi-factor authentication in that you need to have your card (something you have) and you need to know your PIN (something you know – in effect, a password). This is probably the most prevalent form of multi-factor authentication.

Examples of “something you are” include fingerprints (ie you are a person with that unique set of fingerprints) and other biometric measures such as retinal and iris scans. These return results unique to one individual, but there could be complications if you cut your finger off or someone pokes you in the eye with a sharp stick. Just in case you wonder whether someone could present a photograph of an eye for authentication purposes, it won’t work. The machine that “reads” the eye looks for the spontaneous contraction and dilation of the pupil that is present in all “real” eyes.

The theory, of course, is that requiring you to satisfy at least two factors is far more secure than asking you to satisfy just one. Far more secure, too, than just asking you to provide two different pieces of information (known as two-step authentication; it is not multi-factor authentication). Two-step authentication is as useful as a chocolate teapot if you write both pieces of information on the post-it note on your monitor.

Key fobs generate a unique code for that user at that moment. An example of “something you have”.

I don’t think that anyone is claiming that multi-factor authentication is any kind of panacea. There are still plenty of ways that it can be subverted. Stealing someone’s cash card and forcing them to give up their PIN using threats is just one way that two-factor authentication can be fooled by the person seeking access. So, I’m not about to tell you that your long, complicated passwords are going to become a thing of the past any time soon.

If anything, life is set to become even more complicated as more and more situations will demand two – or even three – factor authentication.

By the way: I keep meaning to point out that my links to Wikipedia pages in these blogs are only meant for anyone with a faint interest in finding out a bit more about the subject. I really wouldn’t try to suggest that any blog with Wikipedia links has any claims to academic respectability!

Is the NCA trying to panic us into action?

GameOver Zeus is actually a “Trojan Horse” – malware that tricks you into installing it. It then attacks your system from the inside

Last week the National Crime Agency (NCA) claimed a huge victory over cyber criminals after they had managed to take control of a massive network of “bots”. Bots are anyone’s computers that have been infected with malware that allows the criminals to use them to further their aims. It appears that the main purposes of this bot ring were to attack people’s computers to steal financial information (using, for example, the GameOver Zeus virus) and/or to infect the computer with Cryptolocker. This encrypts the contents of the hard drive and a ransom is then demanded for the decryption. I wrote about Cryptolocker on 02/11/2013.

You can read the news item in several places, including here:

Mail Online
ITV News

My points are twofold:

The FBI would like a word with this gent about GameOver Zeus and Cryptolocker

1) It appears to me that this story is being spun so that a success story about putting criminals out of action (even only temporarily) is being turned around so as to frighten everyone by saying, in effect, “they’ll be back in action in a couple of weeks. You’ve got just two weeks to make your computer safe before something terrible happens”. In fact, nothing bad has just happened and nothing bad will happen in two weeks that wouldn’t have happened anyway. Instead of crowing about their recent success, the powers that be have chosen instead to grab the publicity opportunity to frighten us about what may happen if we don’t pull our socks up, security-wise.

2) The steps that we are recommended to take are just the sensible, manageable, precautions that I have always recommended. That’s not to say that I’m such a clever clogs. It just means that we are not expected to perform Herculean tasks to keep the criminals out of our systems. We just need to be sensible and take our computer security seriously.

These are the steps that we should incorporate into our daily computing lives:

  • Always have antivirus software installed, running, and updated (unless you use a Mac)
  • Always install the latest operating system security updates. With modern versions of Windows these are completely automatic if your Windows is set up correctly.
  • Install any updates that are offered by Adobe Reader or Adobe FlashPlayer.
  • If you have Java installed, then always install any offered updates (but Java is falling out of favour as it is considered too much of a security risk. I’ve just un-installed it from my laptop and will see if that causes any problems in using any websites)
  • Take regular backups of any data that you wouldn’t want to lose (including photos, home movies, and emails if they are stored on your computer)
  • Do not open email attachments from people that you do not know or trust
  • Do not download anything from any website if you are at all suspicious
  • Do not download anything that seems to be too good to be true. If it seems too good to be true then it probably is too good to be true
  • Do not believe anyone phoning you up and claiming to be from Microsoft or any other organisation if they tell you that you have a virus and they’d like to help you remove it
  • Be very careful downloading any free software. Do you really want it? Do you really trust it? Moreover, take care when installing any free software. Never accept the “default” installation. Always choose the “custom” installation as this will probably give you a chance to reject other, unwanted, items that would otherwise be installed.
  • Do not – ever – use the same password for more than one account. Really. I mean it.
  • All passwords should be eight characters long (at the very least) and consist of at least two of the following four types of characters – uppercase letters, lowercase letters, numbers, symbols.
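As an added example (not code from the original post), the password rules from the list above and from the earlier “good password” list, together with the “compare it against a database of the most common passwords” check described in the Zoom keystroke post, written as a small Python checker. The word lists are constructed samples standing in for a real dictionary, a real common-password file and a user’s own family and pet names; the one liberty taken with the rules is that a dictionary word or name with digits merely tacked on the end is also flagged.

```python
"""Password hygiene checks built from the rules listed in the blog post.

Added example, not part of the original post.  The three word sets below are
small constructed samples; in real use they would be a full dictionary, a
large leaked/common-password list and the user's own personal names.
"""
import string
from typing import List

# Constructed sample of a dictionary word list.
DICTIONARY_WORDS = {"password", "welcome", "sunshine", "dragon", "monkey", "letmein"}

# Constructed sample of a "most common passwords" database (the kind of list a
# keystroke-inference attacker would compare a guessed password against).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "Password1", "abc123"}

# Constructed sample of proper nouns this user should avoid (pet, children, partner).
PERSONAL_NAMES = {"tiddles", "emily", "oliver"}

MIN_LENGTH = 8              # "at least eight characters long"
MAX_LENGTH = 20             # "possibly up to twenty"
MIN_CHARACTER_CLASSES = 2   # "at least two of the following four types"


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, symbol) are present."""
    present = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(present)


def check_password(password: str,
                   dictionary=DICTIONARY_WORDS,
                   common=COMMON_PASSWORDS,
                   names=PERSONAL_NAMES) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character types")

    # "On its own" is checked case-insensitively, ignoring digits bolted on the end
    # (the slight generalisation mentioned in the lead-in).
    core = password.lower().rstrip(string.digits)
    if core in dictionary:
        problems.append("dictionary word used on its own")
    if core in names:
        problems.append("easily guessed proper noun")

    # Exact match against the common-password database.
    if password in common:
        problems.append("appears in common-password list")
    return problems


if __name__ == "__main__":
    for candidate in ["dragon", "Password1", "Tiddles2015", "correct-Horse7batt"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```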

If you can go through that list and tick every item then you are taking reasonable steps to safeguard your computer. I can’t guarantee that you won’t be attacked by something online, but it’s a bit like driving a car. You may be the best driver in the world and still be involved in an accident. Nevertheless, you’re certainly going to be a lot safer than someone who has never even learned any roadsense.

And you Mac owners shouldn’t be complacent, either. A lot of the traps that Windows users fall into are just as easy for Mac owners to fall into. Just because Macs don’t normally get viruses that doesn’t make it safe for you to re-use passwords, or open dodgy emails. A Mac owner can fall for a phishing scam just as easily as a Windows PC owner. And if Apple offer you system updates, then take them.

I’m having serious doubts about whether it’s a good idea to keep a LinkedIn account

Regular readers will know that I’m no great fan of social networking sites. I think they are devious, manipulative, insecure, and cannot be trusted with a tenth of the personal data that people entrust to them.

Nevertheless, for about five years I have had an account at LinkedIn. I thought that as long as I only give them the minimum amount of information (about my professional self) then it should be ok. To be honest, the real reason for joining was to increase my credibility as a self-employed person advertising via his website. If I have “x” number of connections on LinkedIn then at least “x” people are saying that they know I exist and that they are not ashamed to be associated with me (at least as far as LinkedIn is concerned).

But a number of things have started happening that I don’t like. These include:

This person has suddenly appeared at the top of the list of “people you may know” in my LinkedIn account – just days after I started an email exchange with her.

People showing up on LinkedIn as being “people I may know” that LinkedIn could not possibly have deduced from my current connections. Indeed, LinkedIn don’t suggest they are first, second, or third degree “connections”. I have always scrupulously denied LinkedIn access to my contact lists. And yet, the only thing that a lot of these “people I may know” have in common is that they are, in fact, in my address book. If LinkedIn has obtained my contacts legally then I can only think that they must have bought another service – of which I am a member, and to which I have inadvertently revealed my address book. In any event, I don’t like it. Online services taking over other services and then pooling information about their users is one of the most insidious mis-uses of data online that I can think of.

More and more emails being received from people I don’t know, asking me to “connect with them” on LinkedIn. LinkedIn is not supposed to be like some stupid social networking sites where the aim is to get as many “followers” or “friends” as you can – irrespective of whether you actually know them. It’s supposed to be about business networking. There’s going to be no point in it at all if you can’t trust that the relationships are genuine.

There has been a lot of press about LinkedIn being hacked and about LinkedIn allegedly misusing information gleaned from users’ email accounts. If you suspect that people in your address book have been receiving invitations to join LinkedIn – apparently instigated by you – then do have a look at this link:

LinkedIn customers say Company hacked their email address books

And these pages don’t exactly inspire trust, either:

Your leaked LinkedIn password is now hanging in an art gallery
LinkedIn hack
LinkedIn passwords hacked

Perhaps it was one of these episodes that gave rise to a client phoning me last week with the news that her Gmail account had been hacked and her contacts were receiving some very strange email messages that were supposed to have come from her. She said that she had just been exploring LinkedIn (where she has an account) and that this hacking happened just afterwards. I realise that there is no proven connection with LinkedIn, but that doesn’t stop my uneasy feeling about them.

Luckily, the hackers used her Gmail account to send all these strange messages, but they didn’t change her password. The only reason I could think of for this was that they’d got access to so many accounts that they were content with a “one-time use” of her account. We were very, very lucky. I have tried to recover Gmail accounts from Google before (see this blog on Gmail Passwords) and it can be very difficult. When trying to prove ownership of your hacked account, Google will ask some impossible questions – such as “on what date did you open the account”!

Anyway, in this instance we were able to access the account and change the Gmail password. I’d like to take this opportunity to remind you not to use the same password several times (or similar ones such as mydog1, mydog2, mydog99 etc), as any human being that has hacked one site containing your email address and a password may well try the same combination (or similar ones) on other sites – see this blog on re-using passwords.

Add all these things together and I’m now teetering on the edge of closing my LinkedIn account. Certainly, I changed my own LinkedIn password as soon as possible after the above incident. I would advise you to do the same.

There has been much publicity in the last few days about the Heartbleed Bug

What is it?

It’s not a virus or malware that can affect your computer. Rather, it is a vulnerability in the coding used by many websites that are meant to be secure because they encrypt the data passing in and out (the web page address of supposedly secure web pages begins with https and not just http; also, depending on your browser, you will probably see a padlock somewhere on the browser indicating that you are accessing a secure page).

The Result

The result of this vulnerability is that hackers can learn the usernames and passwords of people logging into the site as well as the content of the data passing between that user and the compromised website.

The Implications

The biggest implication that seems (rightly) to be getting most coverage is not that you should change your password on sites that are known to have been hacked (such as Mumsnet), but that you should also change the password on any other logins that you have that use the same combination of username and password.

Think about it

If someone has just learned that you use a particular combination of username (that is probably also your email address) and password on one website, then they might try the same combination on other sites that you might use. They might try your bank, but I don’t think that your username and password will be enough credentials to do your online banking any harm. They could try your username and password on Amazon or they could see if you use those combinations for webmail (Gmail or Hotmail, for instance). If they can get into your email then they can try the old trick of sending emails to all your contacts, saying you’re in Spain and have been mugged and please send some money. If they’ve got into your email then that could give them access to goodness knows how much other information about you. They can then change the password on your account, locking you out.

So, it’s not just a case of changing your password on one website when that website has been compromised by Heartbleed. To protect yourself as much as you can, you need to change that password on every account that uses it with that username. This is one very good reason why you shouldn’t use the same password on different websites. Some websites and blogs are advising that you change ALL of your online passwords, irrespective of whether you have been advised that the site may have been hacked and irrespective of whether you use the same password on many sites. Personally, I think it unrealistic to think that anyone’s going to follow that advice, but I would definitely advise my computer support clients to change all instances of any password that has been used on a site known to have been compromised by Heartbleed.

Since this bug was discovered, vulnerable sites have, of course, been applying the necessary patches to close the vulnerability so, by the time you read this, it’s not likely that very many major websites will still be vulnerable. That does not mean we are all safe and can forget about it! How many sites have been attacked but the owners haven’t advised their members? How many sites have been attacked but the owners haven’t yet realised? How long before the bad guys find another, similar, vulnerability?

Like anyone else who writes – or talks – about the subject of passwords, I have always warned people not to use the same password wherever they go. I’m not going to repeat what I’ve said in previous blogs on the subject, but here are the links:

Personally, I manage passwords with a program called eWallet Go. It is available for Android, iOS, Windows, and Mac. This solution won’t suit everyone as not everyone is prepared to use The Cloud to store a datafile of passwords (encrypted, of course).

Another program that’s been around for a long time is LastPass. This is so-called because the publishers say that your password for accessing your password data will be the “last password” that you’ll ever need. This program does other things as well – including generating strong, safe passwords for you.

If you really don’t want to commit your password information to a digital file (whether held in the cloud or not), then I do urge you to write down your passwords manually – all in the same place and where you can find them. Apart from anything else, that will make it easier to go through your passwords systematically, changing any repetitions so as to minimise the vulnerability to the Heartbleed bug and anything similar that might crop up in the future.
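Going through a password list systematically is easy to get wrong by eye, so here is an added Python example (not from the original post) that does the check described above: it flags exact repetitions and “mydog1, mydog2” style variants, and lists every account sharing a compromised site’s username and password so they can all be changed. The vault entries are constructed sample data, not real credentials.

```python
import re
from collections import defaultdict

# Constructed sample vault (site, username, password); these are not real credentials.
VAULT = [
    ("mumsnet.example", "alice@example.com", "mydog1"),
    ("shop.example", "alice@example.com", "mydog2"),
    ("webmail.example", "alice@example.com", "mydog1"),
    ("bank.example", "alice@example.com", "Tq7!vL2#pZ9r"),
    ("forum.example", "alice_h", "mydog99"),
]


def stem(password):
    """Strip a trailing run of digits so mydog1, mydog2 and mydog99 share one stem."""
    return re.sub(r"\d+$", "", password)


def reuse_groups(vault):
    """Return (exact, variant): passwords used on more than one site, and
    digit-stripped stems shared by more than one site (catches mydog1/mydog2)."""
    exact = defaultdict(list)
    variant = defaultdict(list)
    for site, _user, password in vault:
        exact[password].append(site)
        variant[stem(password)].append(site)
    exact = {pw: sorted(s) for pw, s in exact.items() if len(s) > 1}
    variant = {st: sorted(s) for st, s in variant.items() if len(s) > 1}
    return exact, variant


def accounts_to_change(vault, compromised_site):
    """List every account whose password must change after a breach at
    compromised_site: same username with the same password or a numeric variant."""
    hit = next(((u, p) for s, u, p in vault if s == compromised_site), None)
    if hit is None:
        return []  # site not in the vault: nothing to do
    user, password = hit
    return sorted(site for site, u, p in vault
                  if u == user and stem(p) == stem(password))


if __name__ == "__main__":
    exact, variant = reuse_groups(VAULT)
    print("exact reuse:", exact)
    print("numeric variants:", variant)
    print("change after breach at mumsnet.example:",
          accounts_to_change(VAULT, "mumsnet.example"))
```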

Here is everything you need to know about Heartbleed from the BBC and from Codenomicon (who discovered the bug).

© 2011-2019 David Leonard
Computer Support in London