Are you one of the 70 million PlayStation Network users who were impacted by the Sony data breach.  I was.  So were my kids.  We’re avid gamers in our household, and we spend most of our play time signed into online multiplayer matches.  We trusted Sony to keep our private data secure, but the reality is that even organizations as large as Sony aren’t always to keep user data safe.

So what are gamers supposed to do?  Stop gaming?  Sure.  That’ll happen.  While we’re at it, let’s tell fish to stop swimming, and tell birds to stop flying.

My mantra, my credo, is that security concerns aren’t supposed to keep us from enjoying life.  On the contrary, we need to know how to do the things we want to do SECURELY, whether we’re a multibillion dollar international corporation or a household of video game enthusiasts.

If you’re a gamer (or the parent, sibling, grandparent, spouse, partner, or next door neighbor of a gamer), here are a few tips you need to consider in order to enjoy gaming securely. 

• Anonymize your online gaming profile.  If your gamer tag is a combination of your name and birthdate, then you’re one step away from handing over your identity to someone else.  Choose a more creative gamer tag that represents your interests without revealing any private information.  Say you're a huge Douglas Adams fan who always wanted to be an astronaut as a kid.  Is stargazer42 taken?
 
• Register with a throwaway email account.  Gmail is free.  Yahoo mail is free.  Hotmail is free.  With so many options for free email accounts, consider using a throwaway email account for services like PSN and Xbox Live.  Not only will you sleep better in the wake of data breaches, you’ll avoid any of the spam that ends up in that account in the meantime.
   
• NEVER register with a debit card or high limit credit card.  This is true for both gaming security and mobile device security.  If, for whatever reason, you store a credit card with any online service, use a prepaid credit card.  If (when?) that card is compromised, you’ve limited your risk to the remaining balance on that card, and not the remaining balance in your checking account.
   
• Only friend people you know.  You don’t need to accept every friend request you receive.  We have a strict rule in our house that our kids are only allowed to friend people they know IRL (in real life).  Not only do they keep their friends list manageable, their online interactions are more enjoyable.  If you don’t believe me, maybe I’ll upload a video of my oldest playing Call of Duty: Black Ops – Zombies with his two best buds.  It's a riot.

Specific to the Sony incident, there are three things you should do as soon as possible:

• Change your email password.  This info was almost certainly compromised, and it will be abused by whoever stole the data.  Login RIGHT NOW to the email account that you used to register for PSN and change your password before someone else does.


• Contact your credit card company.  If you have a credit card on file with Sony, it's safe to assume that someone else now has that credit card number.  You should report the card compromised and request a replacement as soon as possible.


• Begin monitoring your credit.  Give Sony's blog post another read to learn how you can have credit bureaus place place a fraud alert on your file (as well as the impacts of doing so).  You can also enroll in a credit monitoring service, but they're costly and, in my opinion, Sony should be picking up this cost, but you'll have to take that up with Sony PlayStation Customer Support.

Online gaming is ridiculously entertaining, and incidents like the Sony data breach shouldn’t discourage you from taking part in that fun.  If anything, this incident should serve as a reminder that you can still enjoy the things that make you happy.

Be careful out there.

The average Facebook user:

• has 130 friends.
• creates 90 pieces of content each month.
• is connected to 80 community pages, groups and events.

As interesting as these stats might be, they trigger an even more interesting question: Who has access to your information?

Sure, you want to tell your friends how your day was, but do you want to share those comments with your boss?  Does your college admissions councilor really need to see the pics from last weekend’s party?  And does an application developer in Romania really need to know your home address?

If you’re going to maintain a Facebook profile, you should follow these four steps to secure your information.

Step 1: Edit Your Friends

This link will take you to your Friends list.

Is there anyone in this list that you never interact with?  If so, then click the x on the far right to remove them.  You should do this at least twice a year to keep your friends list current.  (Don’t worry.  Facebook won’t post a status update that you’re no longer friends with anyone you remove.  It’ll be our little secret.)

If you’re like me, you probably have people in your Friends list that you network with for work or creative projects.  These are the people you want to stay connected with, but you don’t want to grant them the same access to your profile that your Friends have.  You can add these Friends to your Limited Profile list by using the Edit List function on this page.

Step 2: Update Your Security Information

Unless you’re using a password vault, there’s always the chance that you’ll forget your Facebook password.  And what if someone compromises your Facebook account and changes the password?  What will you do to take control of your account?

Facebook lets you add security information in case you ever lose access to your account.  I strongly recommend that you add two email addresses and a mobile number.  Trust me on this one.

Step 3: Update Your Privacy Settings

Facebook has been in the news on multiple occasions for privacy concerns.  As a result, they continue to refine their privacy settings, granting users more and more control over their information.  The Privacy Settings page has four (4) key elements:

1. Connecting on Facebook
2. Sharing on Facebook
3. Apps and Websites
4. Block Lists

Below are my recommendations for updating your privacy settings.  Your mileage may vary, but I think this is a solid starting point.

The one point that I refuse to budge on: NEVER grant Everyone access to your Facebook information.  The risks far outweigh the benefits.

Connecting

• Search for you on Facebook – Friends of Friends
• Send you messages – Friends Only
• See your Friends list – Friends Only
• See your education and work – Friends Only
• See your current city and hometown – Friends Only
• See your likes, activities, and other connections – Friends Only

Sharing

• Set everything to Friends Only

If you click on Customize Settings , you can lock down your information even further by listing specific Friends who you want to share information with.  Likewise, you can list specific Friends who are never permitted to see that information.

You might consider applying those settings to things like:

• Your birthday
• Permission to comment on your posts
• Places you check into
• Your contact information

Apps and Websites

Remember that app that you tried out back when you first joined Facebook?  Yeah, it still has access to your information.

Click on Edit Settings to remove the apps that you don’t use anymore.  If you want to start with a clean slate, you can click Turn off all platform apps.

Other Apps, Games and Websites settings recommendations:

• Info accessible through your friends – Uncheck everything
• Game and app activity – Friends only
• Instant personalization – My preference is Disabled, but again: your mileage may vary
• Public search – Disabled

Block Lists

Maybe it’s an ex.  Maybe it’s a stalker.  Maybe it’s a spammer who refuses to leave you alone.  It doesn’t matter who you want to block or why.  The important this is that Facebook lets you use this page to Block Users.

Facebook also lets you use this page block app invites, event invites, and apps.  Instead of constantly declining invitations to mind your neighbor’s farm, join their Mafia, or play Phrases with them, all you have to do is tell Facebook which apps you don’t want to play.  Simple as that.

Step 4: Tweak Your Account Settings

There are a TON of options on the Edit Account page, but I’m only going to touch on the ones that you absolutely need to update.

This link will take you to the Edit Account page.

• Settings
  • Make sure your password is strong (letters + numbers + special characters) and hard to guess.  Again, I recommend using a password vault to store your passwords.
  • Linked Accounts – If you’re logged into another site, your browser will automatically log you into Facebook.  Keep this list as short as you can.
  • Account Security – Set this to https.  Otherwise, that shady character at Starbucks will hijack your account.
  • Download Your Information – If you want to backup your entire profile to your local computer, this is where you do it.
• Notifications
  • Visit this page and start unchecking boxes.  Not so much a security setting as a “leave me the heck alone” setting.  You’re welcome. ;]
• Mobile
  • If you choose to send updates to your mobile phone, NEVER set Limit my daily texts to Unlimited.
• Payments
  • The fewer places your credit card information is stored online, the better.  It’s up to you whether you want to pay Facebook to watch The Dark Knight.
• Facebook Ads
  • My recommendation is to set both dropdown boxes to No one.

As Facebook continues to improve their privacy policy, I’m sure these options will change.  In the meantime, these steps should be enough to keep you safe for now.

If you want to dig deeper into Facebook security, make sure to check out these links:

• Facebook Safety Center
• Facebook Guide to Privacy
• Facebook Login and Password FAQ's
• Compromised and Hacked Accounts

Over the years, I’ve put together my own bag of tricks for removing malware.

I recently wrote my Ounce of Prevention post to help you harden your Windows system to protect it from malware infection.  Once you complete these cleanup steps, I STRONGLY recommend that you give that post a read and complete the steps that apply to your system.

If you ever find yourself troubleshooting an infected system, these steps should help you get the system back up and running in no time.

Step 1: The Basics

Before installing or running any new security software, there are a few preliminary steps you need to take.

1. Boot into Safe Mode
   1. Reboot your computer
   2. Before the Windows logo pops up, hit F8
   3. Select Safe Mode from the list and hit Enter
2. Clean out the Startup folder
   1. Go to Start > All Programs > Startup
   2. Right-click on anything you don’t want there and click Delete
3. Run the Microsoft System Configuration Utility
   1. Go to Start > Run
   2. Type msconfig
   3. Go to the Startup tab
   4. Uncheck items that you want to disable

Warning: Disabling legitimate apps and processes can do more harm than good.  Check ProcessLibrary.com before making any changes using this utility.

1. Cleanup the hosts file (C:\Windows\System32\drivers\etc\hosts)
   1. The hosts file is a legitimate system file that can be used to override a websites location. Unfortunately, some malware variants change the hosts file to prevent you from getting to antivirus vendor sites.
   2. Use this Microsoft utility to automatically reset the hosts file to its default state

Step 2: Removal

Now you’re ready to remove some malware.  Install and run all three of these tools.

1. Microsoft Malicious Software Removal Tool
   1. Download the MSRT and install it (next > next > finish)
   2. This tool cleans up a small list of known baddies.  It’s not going to catch everything, but it will do a great job of eradicating some of the most common malware variants.
2. Malwarebytes
   1. Download Malwarebytes and run the installer
   2. Select the Update option before launching the program
   3. On the Scanner tab, choose Full Scan
   4. Once the scan completes, choose Show Results
   5. Review the results list to make sure it doesn’t contain any files you need to keep.
   6. Choose Remove Selected to have Malwarebytes remove the infected files automatically
3. HijackThis
   1. Download HijackThis and run the installer
   2. Do a System Scan with the Save a Logfile option selected
   3. HijackThis is arguably more powerful than msconfig, which means there’s a higher risk of unintentionally damaging your system.
   •  
     • If you’re absolutely certain that you want to remove the items returned by the HijackThis scan, check the items you want to remove and select Fix Checked.
     • If you want a second set of eyes to review that list, you can upload the logfile to the HijackThis forums and ask the online community for a hand.

On a side note, VirusTotal is a terrific resource for analyzing specific files.  If you locate a file that you believe might be infected, you can upload that total to VirusTotal and they’ll scan the file for you.

Step 3: Validation

By now, you should have caught the nastiest malware on your system, but you’re not out of the woods yet.  You need to install and run an antivirus program AND an antispyware program to clean up anything the previous tools might have missed.

Below are my top picks from each category for home users.

1. Antivirus programs
   1. Microsoft Security Essentials
   2. Avast
   3. AVG
2. Antispyware Programs
   1. Microsoft Windows Defender
   2. Spybot Search & Destro
   3. AdAware

Step 4: Prevention

With the malware removed and antivirus & antimalware agents running, you might want to consider running a few online vulnerability scanners to determine whether or not your machine is still at risk.

Below are a few of the more well-known scanners that you might want to check out.

1. Online Vulnerability Scanners
   1. ShieldsUP!
   2. Norton Security Scan (choose Continue to Symantec Security Check)
   3. TrendMicro HouseCall
   4. BitDefender Online Scanner

You might also consider installing the Secunia Personal Software Inspector.  This cool little utility checks your system for outdated software, software that might contain vulnerabilities that malware exploits to infect your system.

Hopefully, these steps have helped you get your system back in working order.  If not, you might want to consider running RootkitRevealer.

But that’s a post for another day…

If you’re not the proud owner of one of the 10 million iPads sold last year, no worries.  With projections of 65 million iPads shipping this year, chances are you could be the owner (or user) of an iPad sooner rather than later.

But maybe you’re not ready for a tablet device.  You're still content with your smartphone.  If you picked up one of the 47 million iPhones sold last year, this article still applies to you.

You’ll find that the more you rely on your iDevice, the more sensitive data you’ll begin storing on it.  Before long, your iDevice will contain access to your email accounts, your Facebook account, your Mint account… the list goes on and on.

As long as your new iDevice remains at home, locked up in a fireproof safe, it’s all good.  But where’s the fun in that?

What you may not know is that you can SIGNIFICANTLY increase your iDevice’s security in just a few minutes.  Apple doesn’t enable these settings by default (shame on you, Apple!), but these five simple changes will go a LONG way toward keeping your private data private.

• Enable the passcode lock.  You use a four-digit PIN to keep other people from using your debit card, so why not do the same with your iDevice?  To enable the passcode lock:
  • Go to Settings > General > Passcode Lock
  •  Switch it to On
  • Select your PIN
  • While you're on this screen, make sure to go to Require Passcode and choose how often your passcode is required.  Mine is set to Immediately.
• Enable auto-lock.  Separate from the passcode lock, you can configure your iDevice to auto-lock after a period of inactivity.
  • Go to Settings > General > Auto-Lock
  • Choose the length of time between when you set your iDevice down and when the auto-lock function takes effect (between 1 and 5 minutes).
• Enable local memory wipe.  A very patient thief could figure out your four-digit PIN in time, unless you configure your iDevice to automatically delete its data after 10 failed login attempts.  Since your data is already backed up in iTunes, the only thing you've lost is your hardware.  To enable local memory wipe:
  • Go to Settings > General > Passcode Lock
  • Switch Erase Data to On
     
• Enable confirmation of Wi-Fi connections.  Chances are you’ll use your iDevice to login to a number of different websites.  That's a lot of usernames and passwords floating around in the air.  To make sure you always know which network your phone is connected to, enable confirmation of Wi-Fi connections by doing the following:
  • Go to Settings > Wi-Fi > Ask to Join Network Connections
  • Switch it to On
• Disable Bluetooth.  Do you use Bluetooth?  If not, there's no reason to leave your phone open to connections from other devices.  Disable Bluetooth by doing the following:
  • Go to Settings > General > Bluetooth
  • Switch it to Off

If you’re using an iPhone 4 or and iPad, you can also install Find My iPhone or Find My iPad, a FREE app that helps you recover your device in the event that it’s lost or stolen.  Me?  I’m still using an iPhone 3GS, so I can’t take advantage of this feature. L

All told, applying these settings will take all of 5 minutes.  Considering the amount of time it would take to recover from a compromised email password or bank account login, it’s well worth the effort.

With Microsoft’s recent announcement of a new zero-day vulnerability in Internet Explorer, I thought it might be a good idea to post a few simple tips on how to protect your computer from becoming infected with malware as a result of this new vulnerability.

A zero-day vulnerability is a security hole in an application that was announced publicly, before the vendor had a chance to fix it.  Many security researchers practice responsible disclosure, sending vulnerability details to vendors so that vendors have time to patch the application.  Unfortunately, this information sometimes makes it into the wrong hands before those patches can be developed.

Microsoft is working on a fix for this specific vulnerability.  In the meantime, though, the vulnerability allows malicious software to run on your computer without your permission.  Your computer could get infected just by visiting a webpage that designed to take advantage of this vulnerability.

The good news is that you can protect your computer by following a few simple steps:

1. Always run antivirus software.  If a webpage does try to install malware on your machine, antivirus software will delete the malware before it can do any damage.
2. Always keep your computer fully patched.  While this won't *technically* protect you against zero-days, this step will protect your computer from other known vulnerabilities. However, configuring your computer to automatically download patches daily will ensure that your computer is patched against this new vulnerability as soon as Microsoft makes that patch available.
3. Use a different web browser.  Chrome, Firefox, Opera, Safari… there are a number of alternatives to Internet Explorer.  Chrome will even go so far as to warn you when it thinks a site might be infected with malware before you visit the site.

[You can check out my Ounce of Prevention post for details on how to perform each of these steps, along with recommendations for free software to help keep your computer secure.]

These three steps are INCREDIBLY simple and EXTREMELY effective.  The best part is that you only have to follow them once, setting them on autopilot, and they do all the work for you from that point on.

Stay safe!

If you’re the recipient of a new Windows desktop or laptop this holiday season, chances are you’d rather spend time enjoying your gift instead of battling pop-ups or slow-downs from malware and spyware.

If you’re the IT Support person in your extended family (like me), then I’m sure you’d rather spend time with your friends, your family, maybe even your gifts... anything other than fixing someone else's computer.

Either way, this article’s for you.

Below is a checklist of all the basic security-related apps I install when I fire up a new Windows box.  Ben Franklin's saying, “An ounce of prevention is worth a pound of cure,” couldn’t be more true when it comes to basic computer security.  The checklist below represents my recommended ounce of prevention.

If you plan on giving (or receiving) a new Windows box this holiday season, then please consider this my gift to you and yours.

Happy Holidays!

Applications to Install

• Firewall – Enabling and configuring your Windows Firewall is as a simple as clicking Start > Control Panel > Windows Firewall.  Comodo makes a pretty slick firewall for more advanced home users, if you’re feeling adventurous.
• Anti-Malware – It’s hard to beat Microsoft Security Essentials when it comes to protecting a Windows box.  MSE is free, efficient, and effective.  You might consider AVG or avast! as third party alternatives, but MSE has my vote.
• Anti-Spyware – Windows Defender is a great app for preventing spyware from clogging up your machine.  I’m a huge fan of Spybot Search & Destroy also, although I tend to use Spybot more for cleanup than prevention.
• Web Browser – Although Microsoft continues to improve the security of Internet Explorer, web browsers like Mozilla Firefox and Google Chrome tend to be patched more quickly and more frequently.  Opera and Safari are also worth considering.
• Privacy – CCleaner from Piriform is a TERRIFIC tool for clearing private data from your Windows box. By selecting the Run & Open to Recycle Bin options during installation, you can remove all of your private web browsing data and temp data by right-clicking on the Recycle Bin icon.  You can also configure CCleaner to run each time Windows starts, automating the process.
• Encrypted Storage – TrueCrypt enables you to create an encrypted drive on your computer, a secure location where you can securely store your most sensitive data.  For laptop users, TrueCrypt is an absolute must, protecting that sensitive data in the event that your laptop is lost or stolen.
• Password Manager – I’m a huge fan of LastPass, namely because I like it’s multi-browser / multi-platform support.  If you want to dig into your other options for password managers, though, feel free to give my previous post a read.
• Location Tracking – Adeona is an open source location tracking app for lost or stolen laptops.  You can even combine Adeona with an app like iSight to take screenshots of the person currently using your lost/stolen laptop.  Cool stuff!

Other Critical Steps

• Apply ALL service packs and patches as soon as you can.  You can configure Windows to automatically download and install patches daily (say, 3am?) by clicking Start > Control Panel > Windows Update > Change Settings.
• Rename the Administrator account, and create a new account for you to use.  Applying a password to both accounts is a must.  You can manage user accounts by clicking Start > Control Panel > User Accounts.
• Disable the Guest account.  Again, Start > Control Panel > User Accounts.
• Make sure your applications are patched.  While most malware used to target the Windows operating system itself, it’s more common for malware to target commonly installed applications like Microsoft Office, Quicktime, and Adobe Reader.  For a list of applications to definitely patch, check out this article.

One Last Step

·         If you’ve done everything else, but you want to verify that you haven’t missed anything, you could always run Microsoft Baseline Security Analyzer.  This tool will scan your computer for security holes, as well as provide you instructions on how to fix them.

Information security incidents are going to happen.

Laptops are going to be lost (or stolen).  Emails containing sensitive data are going to be sent to the wrong recipient.  Systems are going to be infected with malware.

Passwords are going to be compromised.

Usernames and passwords are the proverbial keys to the kingdom.  That combination of two simple data elements is all that stands between your most sensitive data and the people who aren’t authorized to access that data.

Securing your password almost always involves trusting a third party to secure that password for you, and I can promise you that an international bank is going to take more steps to secure their data (and yours) than an Internet startup.  It’s an economic reality.

To prevent your password-protected data (or your online identity) from being compromised, you should consider compartmentalizing your passwords.  To put it another way, the username and password you use for your online banking should be different from the username and password you use to post comments to an online gossip site.

Trying to remember a different password for every site you visit would be overwhelming, but you can remember four (4) passwords, right?  To get to a four password system, however, you first need to group the types of websites that where you maintain accounts.

Here’s one compartmentalization model you might consider:

• Money – Banking and trading sites.  A compromise would mean financial loss.
• Shopping – Contains contact info + credit card data.  A compromise here would be less painful than a compromise to your online banking site, but only slightly.
• Social Media – Personal and private data.  This category includes email and instant messaging accounts.  A compromise could lead to reputation damage.
• Forums – Disposable data.  Who cares if this password gets compromised?

By using different passwords for each category, you limit how much damage a malicious individual could do by compromising any one of your accounts.  In other words, a compromised forum account that you created four years ago (and forgot about) won’t result in unauthorized withdrawals from your checking account.

Different categories can also mean different password rules.  You might create an online banking password is a 20 character string of random characters that you change every three months, while only creating an 8 character alphanumeric password for your Twitter account.

To further simplify the process, you can use a password manager to help you remember your more complicated passwords.  Here a few of the better-known password managers

• KeePass
• LastPass
• Xmarks
• RoboForm
• 1Password
• Password Safe

Realize that some accounts are more valuable than others, and the steps you take to protect those accounts needs to align with each account’s value.  The security benefit of these additional controls, not to mention the resulting peace of mind, far outweighs the effort required to make these changes.