mysecurepc.com blog

It doesn’t surprise me. Microsoft is calling it quits on Windows Live OneCare. Its replacement will be a basic antimalware program which will be distributed at no cost (called Morro). OneCare’s market share is very small. I, for one, do not use it. Reason? I think Microsoft’s decision to go into the antivirus arena is an example of deworsification. I think a company that specializes in antimalware will have a better product than a general-purpose company…apparently I’m not alone in this view.

It IS in the best interests of Windows, and everyone online, that every computer has up-to-date antivirus/antispyware programs. Unfortunately, almost 50% of users do not have up-to-date antivirus software (see previous post) which causes vast problems for everyone. Hopefully Morro will help.

My credit card company is offering a new and free security feature: virtual account numbers.

The idea behind virtual account numbers is they are used only at one online store. Thus if the number is stolen it is useless anywhere else. Some virtual account number issuers have a time limit can be set so the virtual account number expires (of course not past the card’s expiration date). Also another nice feature is a dollar limit can be set.

The process is pretty painless:
1. Logon to your virtual number account
2. Generate the disguised number
3. Use it at the specified merchant

Another way of generating an account number is using a tool which can be downloaded. The tool would have to communicate with the bank over Internet to send its generated number…hopefully this transaction is highly encrypted.

Transactions appear on your regular credit card statement.

Overall, the process is pretty easy and offers another way to mitigate stolen credit card numbers.

Doug

We are fans of McAfee’s SiteAdvisor program. It gives a good indication whether a website is trustworthy or not. Or if it generates spammy downloads or worse. The SiteAdvisor plugin works fine on Firefox but is a problem with Internet Explorer 7. Installing it generated a C++ runtime error. Searching the McAfee website for a solution resulted in nothing. The download from CNET generated the same error.

Doug

If you have not noticed by now, most banks, credit unions, and credit card companies do not have secure logins easily available. The login page is on an unsecured web page which means there is no simple way of verifying the login page is real or spoofed. We have written about this in a previous article. But there may be a way around this.

Go to your bank or credit card company login page. If the URL starts with https:// you are in luck - you can check the security information to make sure the web page belongs to the right entity. If the URL begins with http:// you are treading on dangerous ground. Enter a phony login id and password and try to login. Most likely an error will occur and now the login page URL begins with https:// - your lucky day. At least now the login page can be verified for correct ownership and the sensitive information sent to your bank/credit card company is secure and going to the right place.

I have tried this trick on several unsecure banking and credit card sites - and it worked every time!

Doug

If you use Skype’s chat feature you may get an urgent message to download a file named sp.exe and run the program. Once the program is run it installs other programs that can steal passwords and other personal information. The Trojan horse looks like it comes from the Asia region of the world. It also connects to a server and downloads additional code.

As we all know, downloading and executing a program by someone we do not know, it not a good idea without investigation. No legitimate company would do this.

Doug

We have used the active security monitor (ASM) for a few months. The current product version is 2.0.0.18. Over time ASM has gotten better at detecting whether a particular product is up-to-date. Sometimes it has said a critical update was available for Windows but it turned out to be an update for Windows Defender.
We turned off the antivirus monitoring in our firewall; no reason to have two monitors.
One thing that needs to be corrected is the detection of optimization programs. I have one computer that uses an older version of Diskeeper which is not detected. What ASM should do is have an option that you will monitor your optimization program and not penalize you for it.
ASM has caught a few times where the virus scanner was out-of-date. One time the scanner was turned off!

Doug

I found out a little nuance in the way you login to PayPal: securely and not securely. Unfortunately, the default is not secure.

When presented to PayPal.com there is a member login and password area. If you login through this, it is *not* secure. Notice http instead of https. If you click on ‘Log In’ it will take you to a secure login web page. https shows up along with the security lock (which shows that the site credentials are for www.paypal.com

Doug

If you want to create a secure section of your site like this, an online web design program could be helpful. You can even work towards getting an online Bachelors degree from the comfort of your home! Since online courses have become so popular, it’s easier than ever to get training or even a degree online.

The scams never go away. The PIN block fraud involves your debit card. When a debit card is swiped, say at a gas station, the information on it is sent to a server. Included in this information is your debit card number, the data from the magnetic strip, and the encrypted PIN code. When you enter a PIN number it is sent to the server, too. The server unencrypts the PIN number (residing from the magnetic strip) and compares it to the one you entered. Of course they must match in order to complete the transaction.

Here lies the problem: some retailers save your debit card information (including the PIN number) on their server. There is *no* reason to save it - it should be erased after it is used for the current transaction. A hacker then breaks into the retailer’s computer system and steals the debit card number, the encrypted PIN, and the key to unencrypt the PIN. Then counterfeit debit cards are made and it’s off to the nearest ATM machine.

How do you fight it?

A few ways.

1. Use a signature instead of a PIN number when using the debit card.

2. Do not use a debit card; use cash. Especially with no name gas stations, stores, etc. I only use the debit card at one grocery chain and I use cash for other transactions.

Doug

Red, yellow, green: that is how the site advisor rates websites. Green is for good sites, yellow for questionable ones, and red for avoid. Gray means the site has not been reviewed.

What is measured? The safety, not the content of the site. Adult sites may get the green light if there is no safety problem such as spyware, phishing, exploits, scams, viruses, or spam. Cookies are not considered spyware or adware but are classified as tracking or nontracking which is more benign than spyware or adware.

Once installed, the SiteAdvisor shows up in the status bar. When a site is visited, one of the aforementioned colors show up. SiteAdvisor also shows up on search result pages: a colored rating checkmark shows up next to each search result, making it easy to see if the site is nefarious or not. Currently google, ask, aol, yahoo, and msn search engines are supported.

To keep bias out of the picture, payment is not accepted by SiteAdvisor.

Sites are rated by several methods: an automatic safety analysis using a database of prescreened sites, user feedback, and manual analysis. You can join the SiteAdvisor group as a reviewer and submit your own site analysis and comments.
McAfee Site Advisor is currently available for Internet Explorer and Firefox.

Doug

I have spent several days trying to convince my business bank that its login is unsecure. Of course they do not believe me (or they do and choose not to do anything to rectify the situation since they did at one time have a secure login page).

The bank login page URL starts with http:. Why is this unsecure? Because there is no way to verify that the web page I am looking at is the bank’s login page. Someone could have intercepted the request for the bank login page and replaced it with their own (called spoofing or man-in-the-middle attack) - then when the login ID and password are entered, the bad guy gets it rather than the bank.

When you type in (or use a bookmark) http://www.my-unsecure-bank.com this request is sent to the my-unsecure-bank.com server, the web page constructed then sent back to your browser (in HTML) so it is displayed. As you can see, someone can intercept the request and return their own login page. This is easily done in wireless environments such as coffee houses or airports.

My bank tells me that the login/password information is sent securely to the bank. After looking at the HTML code (look for: … form .. action=https:// …) I agreed the login form did use a secure connection to send the login information…but how do I know the web page I’m looking at is the banks? That is when they decided to end the conversation.

BTW, if the login page starts with https:// you can verify the page is your banks by clicking on the yellow padlock and seeing that the bank is indeed listed.Which brings up another point - even if the login page URL starts with https:// (which only tells you the web page being viewed is from your bank) the login data sent to the bank may not be secured. Unfortunately, to verify the data being sent is secured involves looking at the web page’s HTML code and making sure the login form has, as it’s action, a secure URL (i.e. starting with https://)). To date, there is no visual way to ensure the web page AND the login form are both secure - and you cannot rely on your bank to help you.

Doug