Sunday, September 30, 2012

Clickjacking

They can't be seen, they can't be reasoned with, and they want to jack your clicks. Clickjackers have been around since about 2008 but they are getting a lot more press lately thanks to a new wave of clickjacking attacks perpetrated against Facebook users.

What is Clickjacking?

Clickjacking may sound like the latest underground dance craze, but it's far from it. Clickjacking occurs when a scam artist or other internet-based bad guy places an invisible button or other user interface element over top of a seemingly innocent web page button or interface element using a transparency layer (which you can't see).

The innocent web page might have a button which reads: "Click here to see a video of a fluffy kitty being cute and adorable", but hidden on top of that button is an invisible button that is actually a link to something that you would not otherwise want to click on, such as a button that:

Tricks you into changing privacy settings on your Facebook account

Tricks you into "liking" something you wouldn't normally like (a.k.a. Likejacking)

Tricks you into adding yourself as a Twitter follower for someone who doesn't deserve you

Tricks you into enabling something on your computer (such as a microphone or camera)

Tricks you into running into a crowded theater and shouting "Shih Tzu" at the top of your lungs.

Many times the clickjacker will load up a legitimate website in a frame and then overlay their invisible buttons on top of the real site.

How can you prevent your clicks from being clickjacked?

1. Update your Internet browser and plug-ins such as Flash

If you haven't updated your browser to the latest and greatest version available, then you are not only missing out on an upgrade that might possibly prevent you from getting clickjacked, but you are also not taking advantage of the other security updates that are part of newer versions of Firefox, IE, Chrome and other Internet browsers.

You should also update browser plug-ins such as Flash because some older versions may be vulnerable to clickjacking attacks.

2. Download Clickjacking Detection / Prevention Software

While some Internet browsers offer limited built-in clickjacking protection, there are several robust clickjacking detection/prevention plug-ins that are available for browsers such as Firefox. Several of them are even free. Here are a couple of the more widely known and respected ones:

Clickjacking prevention is not only the responsibility of the user. Websites and web application developers also have a role in preventing their content from being exploited by clickjackers. The Code Secure Blog has some excellent suggestions on how to write code to assist in the detection and prevention of clickjacking.
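The developer-side defence mentioned above can be checked from a site's response headers. The following is an added example, not code from this article or from the Code Secure Blog; it assumes the two standard anti-framing controls (the `X-Frame-Options` header and the CSP `frame-ancestors` directive), which the article does not name, and all function names and sample headers are constructed for illustration.

```javascript
// Added example, not from the original article. Sample headers are constructed.

// Return the frame-ancestors source list from a CSP header value, or null
// when the directive is absent. Browsers honour only the first occurrence
// of a directive, so the first match wins.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Classify how freely another site may load this response in a frame.
// verdict: 'blocked' | 'same-origin' | 'allowlist' | 'frameable' | 'invalid'
function auditFraming(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value); // header names are case-insensitive
  }
  const findings = [];
  const sources = frameAncestors(h['content-security-policy']);
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();

  if (sources !== null) {
    if (xfo) findings.push('X-Frame-Options is ignored when frame-ancestors is present');
    const lower = sources.map((s) => s.toLowerCase());
    if (lower.length === 0) {
      findings.push("frame-ancestors lists no sources; write 'none' explicitly");
      return { verdict: 'invalid', findings };
    }
    if (lower.length === 1 && lower[0] === "'none'") {
      return { verdict: 'blocked', findings };
    }
    if (lower.some((s) => s === '*' || s === 'http:' || s === 'https:')) {
      findings.push('frame-ancestors allows any origin');
      return { verdict: 'frameable', findings };
    }
    if (lower.every((s) => s === "'self'")) {
      return { verdict: 'same-origin', findings };
    }
    return { verdict: 'allowlist', findings };
  }

  if (xfo === 'DENY') return { verdict: 'blocked', findings };
  if (xfo === 'SAMEORIGIN') return { verdict: 'same-origin', findings };
  if (xfo.startsWith('ALLOW-FROM')) {
    findings.push('ALLOW-FROM is obsolete and ignored by current browsers');
  } else if (xfo) {
    findings.push('unrecognised X-Frame-Options value: ' + xfo);
  } else {
    findings.push('no anti-framing header set');
  }
  return { verdict: 'frameable', findings };
}

// Headers a site can send on every HTML response to refuse all framing.
function denyFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY', // fallback for browsers without frame-ancestors
  };
}

// Constructed sample responses, from unprotected to fully protected.
const samples = {
  'no headers': {},
  'legacy allow-from': { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  'same origin only': { 'X-Frame-Options': 'SAMEORIGIN' },
  'partner allowlist': {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example",
  },
  'deny all': denyFramingHeaders(),
};

for (const [label, headers] of Object.entries(samples)) {
  const { verdict, findings } = auditFraming(headers);
  console.log(label.padEnd(18), verdict.padEnd(12), findings.join('; '));
}
```

A page whose verdict is `frameable` can be loaded inside another site's frame, which is the precondition for the overlay trick described earlier.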


View the original article here

Saturday, September 29, 2012

Erase iPhone

So the new iPhone just came out and you're ready to sell or trade your old one for the latest shiny version. Wait a second, your whole life is on that phone. You wouldn't want to just hand over your phone with all your e-mails, contacts, music, photos, videos, and other personal stuff on it would you? Probably not.

Before you start camping out in the mile long line at the store you're going to buy your new one from, follow these simple steps to make sure that every trace of you and your life has been wiped from the phone:

1. Make a Backup of your iPhone's data

You may not have synced your iPhone to your computer for a while, so you may not have a current backup. If you're getting a new iPhone you will want to make sure that your old one is backed up so that when you restore the data to your new phone, everything will be current, and you won't have to start from scratch.

Depending on which version of iOS you're using and your sync preference settings, you will either back up to your computer or the iCloud service.

Currently the iCloud service will back up almost everything that you need to restore your iPhone, but it is possible that some apps may not support backup to the iCloud. Also, some older phones such as the original iPhone and iPhone 3G don't have access to the iCloud service, so we'll back up using the iPhone's docking cable. For more information about the iCloud method, check out About.com's iPod / iPhone site.

1. Connect your iPhone to the computer you normally sync it with.

2. Open iTunes and click on your iPhone from the left-hand navigation pane.

3. From the iPhone's page on the right side of the screen, click the "Back up to this computer" check box.

4. Right-click the iPhone from the window pane on the left side of the screen and click "Back Up" from the pop-up menu.

Note: If you have purchased some items on your phone and haven't transferred these purchases to your computer yet, right-click the iPhone and choose "Transfer Purchases" to transfer the purchases prior to backup.

Make sure the backup process succeeds before performing the following steps:

2. Erase all your iPhone's data and settings

Since you don't want whoever gets your phone to have access to your personal data, you'll need to wipe the phone clean of all of your personal data. Follow these instructions to clear the data off of your phone.

1. Tap the settings (gear icon) from the home screen (or whatever page it happens to be located on your iPhone).

2. Tap the "General" settings menu item.

3. Choose the "Reset" menu item.

4. Tap on the "Erase All Content and Settings" menu item.

The process can take anywhere from a few minutes to several hours, so it's probably something that you don't want to do while you're waiting in line to trade your phone in.

I found the hard way that just because you wiped your iPhone's data doesn't mean that everything linking you to the phone has been removed. There are some apps that may still be linked based on your phone's unique hardware ID. I sold an old iPhone to a friend of mine and completely wiped my data using the method above, however, he informed me that my Pandora account was still linked as he was seeing all of the Pandora channels I had created. He said that the same was true for several other apps as well.

If you use any apps that allow you to authenticate based on your iPhone's unique hardware ID, you should visit the apps' websites to unlink the phone from your account. You can link your new phone to your account after you install the apps on your new iPhone.



Thursday, September 27, 2012

5 Steps To Block Spyware

If it's not one thing, it's another. That is one of those ridiculous phrases that pretty much goes without saying. Like "wherever you go, there you are." But, in this case it seems appropriate.

Allow me to elaborate. Computers on the Internet are almost constantly bombarded with viruses and other malware, so users employ antivirus software to protect themselves. Email inboxes are constantly flooded with pathetically useless spam, so users employ anti-spam programs and techniques to protect themselves. As soon as you think you have things under control you find out your system has a myriad of spyware and adware programs silently running in the background monitoring and reporting on your computer activity. Hence, "if it's not one thing, it's another."

The more benign spyware and adware simply monitors and tracks the sites you visit on the web so that companies can determine the web-surfing habits of their users and try to pinpoint their marketing efforts. However, many forms of spyware go beyond simple tracking and actually monitor keystrokes and capture passwords and other functions which cross the line and pose a definite security risk.

How can you protect yourself from these insidious little programs? Ironically, many users unwittingly agree to install these programs. In fact, removing some spyware and adware might render some freeware or shareware programs useless. Below are 5 easy steps you can follow to try to avoid and, if not avoid, at least detect and remove these programs from your computer system:

1. Be Careful Where You Download: Unscrupulous programs often come from unscrupulous sites. If you are looking for a freeware or shareware program for a specific purpose try searching reputable sites like tucows.com or download.com.

2. Read the EULA: What is an EULA you ask? End User License Agreement. It's all of the technical and legal gibberish in that box above the radio buttons that say "No, I do not accept" or "Yes, I have read and accept these terms". Most people consider this a nuisance and click on "yes" without having read a word. The EULA is a legal agreement you are making with the software vendor. Without reading it you may be unwittingly agreeing to install spyware or a variety of other questionable actions that may not be worth it to you. Sometimes the better answer is "No, I do not accept."

3. Read Before You Click: Sometimes when you visit a web site a text box might pop up. Like the EULA, many users simply consider these a nuisance and will just click away to make the box disappear. Users will click "yes" or "ok" without stopping to see that the box said "would you like to install our spyware program?" Ok, admittedly they don't generally come out and say it that directly, but that is all the more reason you should stop to read those messages before you click "ok".

4. Protect Your System: Antivirus software is somewhat misnamed these days. Viruses are but a small part of the malicious code these programs protect you from. Antivirus has expanded to include worms, trojans, vulnerability exploits, jokes and hoaxes and even spyware and adware. If your antivirus product doesn't detect and block spyware you can try a product like AdAware Pro which will protect your system from spyware or adware in real time.

5. Scan Your System: Even with antivirus software, firewalls and other protective measures some spyware or adware may eventually make it through to your system. While a product like AdAware Pro mentioned in step #4 will monitor your system in real time to protect it, AdAware Pro costs money. The makers of AdAware Pro, Lavasoft, also have a version available for free for personal use. AdAware will not monitor in real time, but you can manually scan your system periodically to detect and remove any spyware. Another excellent choice is Spybot Search & Destroy which is also available for free.

If you follow these five steps you can keep your system protected from spyware proactively and detect and remove any that does manage to get into your system. Good luck!



Wednesday, September 26, 2012

Siri Security

If you're lucky enough to have landed a new iPhone 4S, then chances are you have been playing around with the new Siri virtual assistant. You've probably been asking it all sorts of important questions like "What's the meaning of life?", or "why do my Shih Tzu dogs keep treating the cat's litter box like it's an all you can eat buffet?"

As Siri's knowledge and user base grows, there may be potential security issues. I don't think that Siri is going to turn into Skynet from the Terminator movies or anything, but there are likely hackers out there who are already working on how to hack Siri and exploit any newly discovered Siri-related vulnerabilities they find.

Fortunately the hackers don't have to work very hard because it appears that there is already a potential Siri-related security risk that is present on your iPhone 4S with its out-of-the-box default configuration settings.

Apple has decided that users would prefer quick access over device security for the Siri feature, which is why its default settings have been set to allow Siri to bypass the passcode lock. This makes sense for Apple as they are all about creating a great user experience. Unfortunately, allowing the Siri feature to bypass the passcode lock has the consequence of providing a thief or hacker with the ability to make phone calls, send texts, send e-mails, and access other personal information without having to enter the security code first.

There is always a balance that must be struck between security and usability. Users and software developers must make the choice on how much perceived security feature-related inconvenience they are willing to endure to keep their devices safe versus how quickly and easily they want to be able to use them.

Some people use an iPhone lock screen with a simple 4-digit code while some opt for a more complex iPhone passcode. Other people have no passcode at all because they want instant access to their phone. It's a user choice based on individual risk tolerance.

To block Siri from being able to bypass the screen lock passcode perform the following:

1. Tap on the "Settings" icon from the home screen (Grey icon with gears in it)

2. From the "Settings" menu, tap the "General" option.

3. Choose the "Passcode lock" option in the "General" menu.

4. Turn the "Allow access to Siri when locked with a passcode" option to the "OFF" position.

5. Close the "Settings" menu.

Again, whether you prefer instant access to Siri without the need to have to look at the screen to enter a passcode is completely up to you. In some cases, while you're in the car for instance, driving safely would trump data security. So if you use your iPhone in hands-free mode a lot, then you would probably want to keep the default option, allowing the Siri passcode bypass.

As the Siri feature becomes further advanced and the amount of data sources she is tapped into increases, the data security risk for the screen lock bypass may also increase. For example, if developers tie Siri into their apps in the future, Siri could unwittingly provide a hacker with your financial information if a Siri-enabled banking app is running and logged in via cached credentials and a hacker asks Siri the right questions.

Brace yourselves folks, as this technology improves and becomes more widespread, a whole new category of virtual assistant social engineering hacks and attacks will be born.



Monday, September 24, 2012

Intro to Vulnerability Scans

Similar to packet sniffing, port scanning and other "security tools", vulnerability scanning can help you to secure your own network or it can be used by the bad guys to identify weaknesses in your system to mount an attack against. The idea is for you to use these tools to identify and fix these weaknesses before the bad guys use them against you.

The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities. Different scanners accomplish this goal through different means. Some work better than others.

Some may look for signs such as registry entries in Microsoft Windows operating systems to identify that a specific patch or update has been implemented. Others, in particular Nessus, actually attempt to exploit the vulnerability on each target device rather than relying on registry information.

Kevin Novak did a review of commercial vulnerability scanners for Network Computing Magazine in June of 2003. While one of the products, Tenable Lightning, was reviewed as a front-end for Nessus, Nessus itself was not tested directly against the commercial products. For the complete details and results of the review, see: VA Scanners Pinpoint Your Weak Spots.

One issue with vulnerability scanners is their impact on the devices they are scanning. On the one hand you want the scan to be able to be performed in the background without affecting the device. On the other hand, you want to be sure that the scan is thorough. Often, in the interest of being thorough and depending on how the scanner gathers its information or verifies that the device is vulnerable, the scan can be intrusive and cause adverse effects and even system crashes on the device being scanned.

There are a number of highly rated commercial vulnerability scanning packages including Foundstone Professional, eEye Retina and SAINT. These products also carry a fairly hefty price tag. It is easy to justify the expense given the added network security and peace of mind, but many companies simply don't have the sort of budget needed for these products.

While not a true vulnerability scanner, companies that rely primarily on Microsoft Windows products can use the freely available Microsoft Baseline Security Analyzer (MBSA). MBSA will scan your system and identify if there are any patches missing for products such as the Windows operating systems, Internet Information Server (IIS), SQL Server, Exchange Server, Internet Explorer, Windows Media Player and Microsoft Office products. It has had some issues in the past and there are occasionally errors with the results of MBSA, but the tool is free and is generally helpful for ensuring that these products and applications are patched against known vulnerabilities. MBSA will also identify and alert you to missing or weak passwords and other common security issues.

Nessus is an open-source product and is also freely available. While there is a Windows graphical front-end available, the core Nessus product requires Linux / Unix to run. The up side to that is that Linux can be obtained for free and many versions of Linux have relatively low system requirements so it would not be too difficult to take an old PC and set it up as a Linux server. For administrators used to operating in the Microsoft world there will be a learning curve to get used to Linux conventions and get the Nessus product installed.

After performing an initial vulnerability scan you will need to implement a process for addressing the identified vulnerabilities. In most cases there will be patches or updates available to cure the problem. Sometimes though there may be operational or business reasons why you can't apply the patch in your environment or the vendor of your product may not yet have released an update or patch. In those cases you will need to consider alternative means to mitigate the threat. You can refer to details from sources such as Secunia or Bugtraq or US-CERT to identify any ports to block or services to shut down that might help protect you from the identified vulnerability.

Above and beyond performing regular updates of antivirus software and applying the necessary patches for any new critical vulnerabilities, it is wise to implement a schedule for periodic vulnerability scans to make sure nothing has been missed. Quarterly or semi-annual vulnerability scanning can go a long way to helping you make sure you catch any weaknesses in your network before the bad guys do.



Sunday, September 23, 2012

How do I Report Internet Scams

Have you become a victim of an internet scam or fraud? Should you report it? The answer is yes. There are organizations out there that want to help you. Just because a crime is perpetrated via the net doesn't make it any less of a crime.

Let's look at some resources you can use to report internet-based crimes and fraud.

Answer:

The Internet Crime Complaint Center is a partnership between the US Federal Bureau of Investigation and the National White Collar Crime Center. The ICCC is a good place to report more serious crimes involving: online extortion, identity theft, Computer Intrusion (hacking), Economic Espionage (Theft of Trade Secrets), and other major cyber crimes. If you don't feel the crime committed against you falls into these categories, but you still feel the crime is serious enough to report, then you can still report it to the ICCC. If it doesn't fall under one of their categories, they might be able to direct you to an agency that does handle it.

The Online Better Business Bureau of the US and Canada has a site for consumers that will aid you in making complaints against internet-based retailers and other businesses. You can also search their database to see if a merchant has other complaints against them and whether they have been resolved or not.

USA.gov's Internet Fraud Information page is a jumping off point for the reporting of crimes including phishing attacks, Internet investment fraud, consumer complaints regarding internet marketing, scam e-mails, and much more. The site will link you to the appropriate agency that handles crime reporting for each specific type of crime.

The eBay Security Center: General Marketplace Safety site can assist you with reporting auction-related fraud and scams to the proper authorities and also provides a way for law enforcement to find out if someone is trying to auction merchandise stolen from you if you have been the victim of a property theft.

Facebook's Security site will allow you to report account hacks, fraud, spam, scams, rogue applications and other Facebook-borne threats.



Saturday, September 22, 2012

Myths of MP3's

There seems to be a great deal of confusion about what is, or is not, legal regarding music these days. People don’t seem to know where the line is between enjoying music from an artist or band that they like, or violating the copyright protection of that same music. Below is a list of common myths associated with buying, sharing and listening to digital music and what the realities are.

Downloading songs for free from the Internet is fine

Unfortunately, with very few exceptions, this is untrue. The songs are copyright protected and the owner of the copyright is owed compensation for the song. If you find music on the Internet for free, the individual or business sharing the music is most likely violating the law and if you download the song without paying for it you will be stealing.

Any song you get from the Internet is illegal

This is false. While downloading songs for free from P2P (peer-to-peer networking) services or other individual computers is illegal, selling music by the song in digital format is a perfectly viable and legal way of purchasing music. There are many great sites to purchase songs from, most notably the Apple iTunes web site. The music industry has a list of legal online digital music sites you can purchase from.

I can share my music with friends because I own the CD

The fact that you purchased a CD entitles you to listen to the music all you want, but not to share that privilege with others. You can make a copy of the CD for yourself in case you damage or lose the original. You can rip the music from the CD onto your computer or laptop and convert the music to MP3 or WMA or other formats and listen to it on portable MP3 players or other devices. Your purchase of the music entitles you to listen to it pretty much any way you want, but you can’t give copies of it to friends or family. I am not suggesting that you can't *play* the music when other people are around, but that you can't give them a copy of the music, in any format, to take with them when they leave.

It's OK though, because I gave my friend the original CD

You can sell or give away the original CD, but only as long as you no longer have any copies of the music in any format (unless of course you have another copy that has been legitimately paid for). You cannot copy the CD onto your computer and load MP3s of it onto your portable MP3 player, and then give the original CD to your best friend because you don’t need it any more.

Think of it like you bought a couch. You can use the couch in your living room if you want. You can move it to a bedroom if it works better for you there. You can remove the throw pillows and use them in a different room than the couch. But, when you give the couch to your friend, the couch is gone. You can’t *both* give the couch away *and* keep the couch at the same time, and the music that you buy should be treated the same way.

It isn’t “stealing” because I wasn’t going to pay for it anyway

Some people feel that because they would never actually spend the money to buy the CD, illegally copying or downloading it from somewhere else really isn’t costing the artist or the industry any money.

Along these same lines, some people may copy or download music to try and decide if they like it enough to buy it, and just never get around to buying it. However, sites like Amazon.com now have clips or samples available to listen to of virtually every song on every CD available. Rather than crossing the ethical line, you should just visit a site like this and play the clips to help you make your purchasing decision. In the end, you may very well find that you would rather buy just one or two songs for $1 each rather than spending $15 for a CD filled mostly with music you don’t care for.



Thursday, September 20, 2012

Wireless Hack

You're using a wireless access point that has encryption so you're safe, right? Wrong! Hackers want you to believe that you are protected so you will remain vulnerable to their attacks. Here are 4 things that wireless hackers hope you won't find out, otherwise they might not be able to break into your network and/or computer:

1. WEP encryption is useless for protecting your wireless network. WEP is easily cracked within minutes and only provides users with a false sense of security.

Even a mediocre hacker can defeat Wired Equivalent Privacy (WEP)-based security in a matter of minutes, making it essentially useless as a protection mechanism. Many people set their wireless routers up years ago and have never bothered to change their wireless encryption from WEP to the newer and stronger WPA2 security. Updating your router to WPA2 is a fairly simple process. Visit your wireless router manufacturer's website for instructions.

2. Using your wireless router's MAC filter to prevent unauthorized devices from joining your network is ineffective and easily defeated.

Every piece of IP-based hardware, whether it's a computer, game system, printer, etc., has a unique hard-coded MAC address in its network interface. Many routers will allow you to permit or deny network access based on a device's MAC address. The wireless router inspects the MAC address of the network device requesting access and compares it to your list of permitted or denied MACs. This sounds like a great security mechanism but the problem is that hackers can "spoof" or forge a fake MAC address that matches an approved one. All they need to do is use a wireless packet capture program to sniff (eavesdrop) on the wireless traffic and see which MAC addresses are traversing the network. They can then set their MAC address to match one that is allowed and join the network.

3. Disabling your wireless router's remote administration feature can be a very effective measure to prevent a hacker from taking over your wireless network.

Many wireless routers have a setting that allows you to administer the router via a wireless connection. This means that you can access all of the router's security settings and other features without having to be on a computer that is plugged into the router using an Ethernet cable. While this is convenient for being able to administer the router remotely, it also provides another point of entry for the hacker to get to your security settings and change them to something a little more hacker friendly. Many people never change the factory default admin passwords to their wireless router which makes things even easier for the hacker. I recommend turning the "allow admin via wireless" feature off so only someone with a physical connection to the network can attempt to administer the wireless router settings.

4. If you use public hotspots you are an easy target for man-in-the-middle and session hijacking attacks.

Hackers can use tools like Firesheep and AirJack to perform "man-in-the-middle" attacks where they insert themselves into the wireless conversation between sender and receiver. Once they have successfully inserted themselves into the line of communications, they can harvest your account passwords, read your e-mail, view your IMs, etc. They can even use tools such as SSL Strip to obtain passwords for secure websites that you visit. I recommend using a commercial VPN service provider to protect all of your traffic when you are using wi-fi networks. Costs range from $7 and up per month. A secure VPN provides an additional layer of security that is extremely difficult to defeat. Unless the hacker is extremely determined they will most likely move on and try an easier target.



Wednesday, September 19, 2012

Prevent Identity Theft

How much information does someone really need to know in order to impersonate you to a 3rd-party? Your name? Birth date? Address? Armed with easily found information such as this, and maybe a couple other key pieces of information such as the high school you went to, your dog’s name or your mother’s maiden name, an individual might be able to access your existing accounts or establish new loans or credit in your name.

Recently, reports of security breaches in which customer data and personally identifiable information (PII) were somehow compromised seem to appear almost daily. Choicepoint, Lexis Nexis, DSW Shoe Warehouse, Ralph Lauren / HSBC, Bank of America and more have all reported massive amounts of compromised or ill-gotten customer information just in the past couple of months.

However, most identity theft or compromises of PII, including a couple of the major breaches mentioned above, have nothing to do with the Internet or lax computer or network security. Unpatched operating system vulnerabilities or hacking wizardry are involved in a relatively small number of the total cases. The Choicepoint breach resulted from poor processes to identify that the business asking for consumer information had a legitimate reason. The Bank of America breach resulted from a data backup tape being lost in transit.

Information can be pulled from your trash can. Waiters can swipe or simply write down your credit card number when you make a purchase at a restaurant. There are a variety of laws related to securing customer information including Sarbanes-Oxley, HIPAA, GLBA and others. Congress is currently investigating the breaches at Choicepoint and Lexis Nexis and considering further legislation aimed at allegedly protecting customer data. But, social engineering and good, old-fashioned theft still pose a larger threat than network security and it is up to you to monitor and protect your personal information and your credit.

Below are some tips you can follow to help secure and protect your personally identifiable information and ensure that your identity or your credit have not been compromised.

1. Watch for shoulder-surfers. When entering a PIN number or a credit card number in an ATM machine, at a phone booth, or even on a computer at work, be aware of who is nearby and make sure nobody is peering over your shoulder to make a note of the keys you’re pressing.

2. Require photo ID verification. Rather than signing the backs of your credit cards, you can write “See Photo ID”. In many cases, store clerks don’t even look at the signature block on the credit card, and a thief could just as easily use your credit card to make online or telephone purchases which don’t require signature verification, but for those rare cases where they do actually verify the signature, you may get some added security by directing them to also make sure you match the picture on the photo ID.

3. Shred everything. One of the ways that would-be identity thieves acquire information is through “dumpster-diving”, aka trash-picking. If you are throwing out bills and credit card statements, old credit card or ATM receipts, medical statements or even junk-mail solicitations for credit cards and mortgages, you may be leaving too much information lying about. Buy a personal shredder and shred all papers with PII on them before disposing of them.

4. Destroy digital data. When you sell, trade or otherwise dispose of a computer system, or a hard drive, or even a recordable CD, DVD or backup tape, you need to take extra steps to ensure the data is completely, utterly and irrevocably destroyed. Simply deleting the data or reformatting the hard drive is nowhere near enough. Anyone with a little tech skill can undelete files or recover data from a formatted drive. Use a product like ShredXP to make sure that data on hard drives is completely destroyed. For CD, DVD or tape media you should physically destroy it by breaking or shattering it before disposing of it. There are shredders designed specifically to shred CD / DVD media.



Monday, September 17, 2012

I've Been Hacked, Now What?

You opened an e-mail attachment that you probably shouldn't have and now your computer has slowed to a crawl and other strange things are happening. Your bank called you saying there has been some strange activity on your account and your ISP has just "null routed" all traffic from your computer because they claim it is now part of a zombie botnet. All this and it's only Monday.

If your computer has been compromised and infected with a virus or other malware you need to take action to keep your files from being destroyed and also to prevent your computer from being used to attack other computers. Here are the basic steps you need to perform to get back to normal after you've been hacked.

1. Isolate Your Computer

In order to cut the connection that the hacker is using to "pull the strings" on your computer, you need to isolate it so that it can't communicate on a network. Isolation will prevent it from being used to attack other computers and will stop the hacker from obtaining more files and other information. Pull the network cable out of your PC and turn off the Wi-Fi connection. If you have a laptop, there is often a switch to turn the Wi-Fi off. Don't rely on doing this through software, as the hacker's malware may tell you something is turned off when it is really still connected.

2. Shut down and remove the hard drive and connect it to another computer as a non-bootable drive

If your computer is compromised you need to shut it down to prevent further damage to your files. After you have powered it down, you will need to pull the hard drive out and connect it to another computer as a secondary non-bootable drive. Make sure the other computer has up-to-date anti-virus and anti-spyware. You should probably also download a free rootkit detection scanner from a reputable source like Sophos.

To make things a little easier, consider purchasing a USB drive caddy to put your hard drive in to make it easier to connect to another PC. If you don't use a USB caddy and opt to connect the drive internally instead, make sure the dip switches on the back of your drive are set as a secondary "slave" drive. If it is set to "master" it may try to boot the other PC to your operating system and all hell could break loose again.

If you don't feel comfortable removing a hard drive yourself or you don't have a spare computer then you may want to take your computer to a reputable local PC repair shop.

3. Scan your drive for infection and malware

Use the other host PC's anti-virus, anti-spyware, and anti-rootkit scanners to ensure detection and removal of any infection from the file system on your hard drive.

4. Back up your important files from the previously infected drive

You'll want to get all your personal data off of the previously infected drive. Copy your photos, documents, media, and other personal files to DVD, CD, or another clean hard drive.

5. Move your drive back to your PC

Once you have verified that your file backup has succeeded, you can move the drive back to your old PC and prepare for the next part of the recovery process. Set your drive's dip switches back to "Master" as well.

6. Completely wipe your old hard drive (repartition, and format)

Even if virus and spyware scanning reveals that the threat is gone, you should still not trust that your PC is malware free. The only way to ensure that the drive is completely clean is to use a hard drive wipe utility to completely blank the drive and then reload your operating system from trusted media.

After you have backed up all your data and put the hard drive back in your computer, use a secure disk erase utility to completely wipe the drive. There are many free and commercial disk erase utilities available. The disk wipe utilities may take several hours to completely wipe a drive because they overwrite every sector of the hard drive, even the empty ones, and they often make several passes to ensure they didn't miss anything. It may seem time-consuming but it ensures that no stone is left unturned and it's the only way to be sure that you have eliminated the threat.

7. Reload the operating system from trusted media and install updates

Use your original OS disks that you purchased or that came with your computer, do not use any that were copied from somewhere else or are of unknown origin. Using trusted media helps to ensure that a virus present on tainted operating system disks doesn't reinfect your PC.

Make sure to download all updates and patches for your operating system before installing anything else.

8. Reinstall anti-virus, anti-spyware, and other security software prior to any other programs.

Before loading any other applications, you should load and patch all your security-related software. You need to ensure your anti-virus software is up-to-date prior to loading other applications in case those apps are harboring malware that might go undetected if your virus signatures aren't current.

9. Scan your data backup disks for viruses before you copy them back to your computer

Even though you are fairly certain that everything is clean, always scan your data files prior to reintroducing them back into your system.

10. Make a complete backup of your system

Once everything is in pristine condition you should do a complete backup so that if this ever happens again you won't spend as much time reloading your system. Using a backup tool that creates a bootable hard drive image as a backup will help speed up future recoveries immensely.
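Steps 4, 5 and 9 depend on the backup being a faithful copy before the original drive is wiped. The following Python sketch is an added example, not part of the original article: it hashes every file under two folders with SHA-256 and reports what is missing or different. The function names and the command-line usage are assumptions made for illustration.

```python
import hashlib
import sys
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large media files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_backup(source, backup) -> dict:
    """Report files missing from, added to, or altered in the backup."""
    src, dst = build_manifest(source), build_manifest(backup)
    return {
        "missing": sorted(set(src) - set(dst)),
        "extra": sorted(set(dst) - set(src)),
        "changed": sorted(n for n in src.keys() & dst.keys() if src[n] != dst[n]),
    }


def backup_is_faithful(source, backup) -> bool:
    """True only when every source file exists unchanged in the backup."""
    report = compare_backup(source, backup)
    return not report["missing"] and not report["changed"]


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage (hypothetical paths): python verify_backup.py E:\Users\me D:\backup
    print(compare_backup(sys.argv[1], sys.argv[2]))
    sys.exit(0 if backup_is_faithful(sys.argv[1], sys.argv[2]) else 1)
```

A clean report means the copy matches the source byte for byte; it says nothing about whether the files are free of malware, so the scans in steps 3 and 9 still apply.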



Sunday, September 16, 2012

Wi-Fi Password Change

Whether you think the neighbor kid has finally hacked your wireless password and is now stealing your bandwidth, or you just feel like it's time for a change, changing your wireless network password is an easy endeavor.

You might not have messed with your wireless network's password since you set up your router years ago. Let's walk through the basic steps it takes to change / reset your wireless network router's password.

1. Determine the admin interface for your router and enter it in your browser

Most modern wireless internet routers on the market today are administered via a web browser. You simply need to find out the address of your wireless router's admin interface and connect to it. You may have written the password down somewhere; if not, you will have to reset the router to its factory default password. This is usually accomplished by holding down the router's reset button for several seconds. Check your wireless router manufacturer's website or manual for detailed instructions for your specific router.

Most manufacturers have a default IP subnet set at the factory. The default subnet will help you determine the router's IP address so that you can connect to it and access the administrator interface. You may need to consult your specific router's manual for the correct address. The following list contains default router IP addresses based on my research and may not be accurate for your specific make or model:

Linksys - 192.168.1.1 or 192.168.0.1
DLink - 192.168.0.1 or 10.0.0.1
Apple - 10.0.1.1
ASUS - 192.168.1.1
Buffalo - 192.168.11.1
Netgear - 192.168.0.1 or 192.168.0.227

In addition to the default router address, you may have to specify the port that the admin interface is running on by placing a ":" at the end of the IP address followed by the admin port number (e.g. :8080) if the manufacturer requires this.

2. Log in to the administrative console on the router

If you've never changed the default administrator name, you can locate the default admin name (and usually the admin password as well) by visiting your router manufacturer's website or by Googling "Default Admin Password" followed by your router's brand name and model.

3. Under the wireless security configuration section, ensure that you are using the latest encryption available

If you haven't already done so, you will want to change the wireless encryption from the easily hackable WEP to the much stronger WPA2 encryption. WPA2 was the most secure method of wireless encryption available at the time this article was published.

This would also be a good time to change your wireless network name (SSID) if you want. It's best to change it to something other than the default, as hackers have precomputed cracking tables for the top 1000 most common SSIDs. Get creative and don't use any dictionary words, as SSIDs with dictionary words are more likely to be cracked than an SSID with non-dictionary words.

4. Create a strong password for the Pre Shared Key (wireless network password)

After you have settled on an SSID you will need to enter in the Pre-shared Key (the wireless network password). You'll want to make this password as complex and random as possible to discourage wireless hackers. Follow our guide to creating strong passwords for some best security practices.

It's also a good idea to turn off the "allow admin via wireless" setting so that only someone connected to the router via an Ethernet cable can administer the router. If you turn off this feature you remove the ability to connect to the router as an administrator via wireless, which may be a slight hassle, but you gain the peace of mind that no one can mess with the admin settings of your router unless they are physically plugged into it.



Friday, September 14, 2012

iPhone Self Destruct

Every time Tom Cruise received his mission briefing in the Mission Impossible movies, the briefing message, and often times whatever was playing it, would self-destruct to prevent anyone else from viewing it. In real life this would be a great (albeit dangerous) data protection mechanism. Wouldn't it be great if your iPhone could self-destruct to keep thieves from getting to your personal data if they happened to steal your phone?

The folks at Apple must have been Mission Impossible fans because they have already provided a similar feature for iOS devices such as the iPhone and iPad, minus the explosives of course.

Your mission, should you choose to accept it, is to learn how to turn this feature on so that you can make the data on your iPhone go bye bye if someone enters the wrong passcode too many times or steals your phone.

Here's how to self-destruct (wipe) your iPhone's data in a couple of different situations:

METHOD 1: Remote Data Wipe via Find My iPhone

If you want to remotely wipe out the data on your iPhone in the event that it becomes lost or stolen:

1. Back up your iPhone's data

You should regularly back up your iPhone's data either via USB connection to iTunes or via wireless if supported by your iOS version.

2. Set up the Find My iPhone feature on your iPhone

You must first turn on the 'Find my iPhone' feature on your phone. You must also have an active iCloud account on your device for Find My iPhone to work. iCloud accounts are available for free from Apple.

In iOS 5.x or above, go to the Settings app, choose "iCloud" and turn "Find My iPhone" to "ON" if it is not already set as such. If your firmware is pre-iOS 5 then you will need to follow these instructions instead.

3. Lock access to your iPhone's Location Services settings

Savvy bad guys will know how to quickly turn the Find My iPhone feature off, so you need to disable their ability to turn off Location Services. This is done by enabling the iPhone's "restrictions" feature and restricting the ability to modify the "Location Services" settings.

In the iPhone "Settings" app, go to the "General" menu and turn "Restrictions" on. Set a passcode (don't pick an easy one). Scroll down to the "Allow Changes" section and touch the "Location" setting. Make sure the "Find My iPhone" option is set to "ON" and then scroll to the top of the page and choose "Don't Allow Changes".

Setting the "Don't Allow Changes" ensures that thieves can't turn off your iPhone's ability to know its location. The extra time the thief would have to take to try and crack your passcode might make him decide to ditch the phone making its recovery more likely.

In the event that you are sure you aren't going to get your phone back, use the "Remote Data Wipe" feature.

IMPORTANT NOTE:

Once you remote wipe the data on your device you will no longer be able to locate it using Find My iPhone. Remote wipe should be used only when you're convinced that you are never going to get your device back. Consider it dead to you once you remote wipe it.

METHOD 2: Self Destruct After Too Many Failed Passcode Attempts

If you want your iPhone to wipe its data should the wrong passcode be attempted more than 10 times:

1. In the Settings App, choose the "General" menu and then select the "Passcode Lock" option.

2. Choose "Turn Passcode On", set a passcode and confirm it. You may want to consider setting a stronger passcode than the default 4-digit one.

3. At the bottom of the "Passcode Lock" settings page, turn the "Erase Data" option to "ON". Read the warning and choose the "Enable" button.

YET ANOTHER IMPORTANT NOTE:

If you have kids or someone else that uses your phone, the Erase Data on 10 failed passcode tries may not be a good idea. Your 2-year-old child might try to guess the code one too many times and BOOM, your iPhone's data is wiped out. The remote wipe feature, while not as secure as the failed passcode wipe option, might make more sense in situations where you have others regularly using (or playing with) your iPhone.

