All posts by drambo

Securing Safari for OSX

If you have a Mac, one of the reasons you either a) originally got your Mac, and/or b) really enjoy your Mac is because of the much lower chance of being infected by a random virus, malware or Trojan.

While this is essentially true, Macs are vulnerable.

This article goes over ways to secure Safari (your web browser) under Mac OSX. It’s probably a good read for anyone who wants to take a few extra steps to ensure security.

To Cloud or Not To Cloud

I get a lot of questions about “the cloud.” Many of them are, basically, “Can I trust the cloud?”

My first response is always, “What do you think ‘the cloud’ is?”

I usually get some knitted brows and a shrug.

My customers know that the cloud has something to do with their computers and phones and tablets all being able to talk to each other. That’s a nice feature, I will admit.

First off, click here to see a picture of ‘the cloud.’

That’s right, the cloud is…just another computer. Usually several dozen to several hundred of them in a server room somewhere. It’s not magic. It’s, obviously, not LITERALLY a cloud.

To the question of “Can I trust the cloud?” my answer has been:

“Don’t put anything in the cloud you wouldn’t be 100% comfortable seeing published on the front page of the New York Times.”

Here’s the logic: While your password may be the most secure and complex password in the history of time itself, there are other ways into the cloud than directly through YOUR account.

Think of it like this: When you create a really safe, complex password that you’ve never used anywhere before, it’s like changing the locks on the front door of a house. You have the only key. But there are dozens of ways into that house, and you can’t control them all. It’s possible that someone left the back door wide open, and so anyone can come in and take your stuff.

The Cloud is good for storing pictures, contacts, bookmarks, stuff like that.

It’s not good for storing things that you don’t want other people to know about. Like your bank password. Or other personal details.

Also, for professionals (attorneys, doctors, therapists, etc.) that are bound by certain industry privacy standards like HIPAA, few cloud-service providers have security that is considered up to those requirements.

Passwords

Passwords need to be complex. “Complex” in this case means:

  • Be at least 8 characters long; preferably 10 at a minimum
  • Not be a word in the English dictionary
  • Have at least one upper-case (capital) letter
  • Have at least one lower-case letter
  • Have at least one special character (!#$%^&)
  • Have at least one numeral (0-9)

I have heard a lot of questions and complaints about these new requirements, and the first question is usually “WHY?”

I’ll make this as simple as I can: Well-programmed websites (Amazon, Netflix, etc.) have no idea WHAT your password is.

To be specific, they don’t know what you typed when you created your account password ‘lo those many years ago.

What happens is that when you create your password, the web page does some weird-ass one-way math on it and scrambles it all up into something we propeller-heads call a “hash.” So, you may type “hello123” as your password, but after the one-way math on it, that becomes $%xpp6& and that hash value is what the website stores as “your” password.

The next time you log in, it does the math again on whatever password you provide, and then compares that to the stored value. If they match, you typed the same password, and are allowed in. If they don’t match, you didn’t type the right password, and you’re denied access.

I said ‘one-way math’ because it’s impossible to take the stored hash value, do some reverse-fancy-math on it and get your original password. That’s the entire point of using one-way-math.

However, those nefarious folks who want to steal your identity (and money!) have powerful computers at their disposal. What they learned to do a long time ago is pre-compute the hash values of every word in the English dictionary. So if your password is, say, “peanut63”, then they probably already have a hash value for that.

By using a “complex” password, you thwart an attempt to figure out your password through brute force.

“6^1froGb#!!” isn’t in anyone’s dictionary.

And the raw computer power required to compute every possible hash value for a 10-character password that uses the rules above will take, literally, billions of years. We’ll all be loooong gone before someone cracks THAT code.
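Here is an added example (my own code, not from the blog) that puts the complexity rules listed above and the hash-and-compare login flow into working Python. The tiny word list is constructed for the demo; a real site would load a full dictionary, and the choice of PBKDF2 with a random salt is my assumption about what “well-programmed” one-way math looks like, not something the post specifies.

```python
import hashlib
import hmac
import os
import string

# Constructed stand-in for "a word in the English dictionary" (demo only).
DICTIONARY = {"hello", "peanut", "password", "welcome"}
ITERATIONS = 100_000  # work factor for the one-way math (assumed value)


def complexity_problems(password: str) -> list:
    """Return the rules from the post that the password fails (empty list = OK)."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    # Assumption: strip digits/symbols and test the letter stem, so that
    # "peanut63" still counts as the dictionary word "peanut".
    stem = "".join(c for c in password.lower() if c.isalpha())
    if stem in DICTIONARY:
        problems.append("dictionary word")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    return problems


def make_record(password: str) -> tuple:
    """Create what the site stores: a random salt and the one-way hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record: tuple) -> bool:
    """Re-run the same math on the typed password and compare it to the stored hash."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    for pw in ("peanut63", "6^1froGb#!!"):
        print(pw, "->", complexity_problems(pw) or "passes all rules")
    rec = make_record("6^1froGb#!!")
    print("stored hash:", rec[1].hex())
    print("login with right password:", verify("6^1froGb#!!", rec))
    print("login with wrong password:", verify("peanut63", rec))
```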

Some password questions I get:

Q: Can I use the same complex password for all my accounts, (mail, Amazon, brokerage account, bank, retirement account, etc.)?

A: You CAN, obviously, if it fits all those different websites’ password rules. SHOULD you? I say no, because on the off chance someone manages to obtain the password (you wrote it down on a Post-It and then lost the Post-It, for example) your entire online life is now open to that person. You should use a different complex password for every important account.

Q: But I can’t remember all those different passwords?
A: No problem. Here’s what you do:

1. Create a six to eight character complex password, say 4a!#BcD.
2. That is your “base” password. You can use the BASE to create other passwords.
3. Then, you use prefixes or suffixes to indicate which site or account uses that password:

AM4a!#BcD    – Bank of America
AZ4a!#BcD    – Amazon
SH4a!#BcD    – Charles Schwab
KS4a!#BcD    – Kaiser Medical

…etc. So you only have to really remember the one complex password BASE that you create, and then just modify the first characters as needed, and that gives you a unique yet complex password individually tailored for each website.

About Us & a Mac/OSX Security Warning

This is the Security Updates and Tech Blog for Your Nerdy Friends. From time to time, I will be adding posts either about security warnings for my customers, and/or interesting tech updates. I will try to cover as many different topics as possible.

Apple users for years have enjoyed the “security through obscurity” protection of not being as popular as Windows computers. While it’s true that the overwhelming majority of viruses and other malware are aimed strictly at Windows computers, Macs are vulnerable to virus and malware attacks.

A new one is making the rounds, disguised as a Microsoft Word attachment. The attachment contains Macros (small sections of executable programming) and if opened by an unsuspecting user, can immediately infect your computer.

Read more about it here.

Security Tip: Do not open attachments from an email sent by a person unknown to you. For any reason. Do not open unexpected attachments from people you do know. Attachments should always be suspect.

If you get an attachment, email the person who sent it in a separate email. DO NOT REPLY to the original email for several reasons.

As always, if you think you might have been affected by any kind of virus or malware, and need some help, please give us a call so we can help! Contact nerdy@sonic.net or call 707.478.9601!