ShouldIChangeMyPassword.com has been created to help the average person check if their password(s) may have been compromised and need to be changed.

This site uses a number of databases that have been released by hackers to the public. No passwords are stored in the ShouldIChangeMyPassword.com database.

This website is made available as a public service.

After doing some very simple Google searching, the author of this site decided to do a genuine public service by making it known if your email address has been compromised. He did this by looking at plain, unencrypted database files which contained email addresses and their passwords. You should check this site immediately and see if yours is listed. Then, regardless of the results, change your email password. (Admit it – you haven’t changed it in a long time, have you?)

As reported on the Cyberjungle Podcast and Webroot’s Blog, these fake shipping confirmation documents are nothing more than malware designed to hijack your computer. A few years ago, these emails were very easy to spot because of their typos and obvious content problems. Have you ever heard of the “United Postal Service?” Neither have I. However, they seem to be refining the content using real company names now, e.g., FedEx, DHL, and the United Parcel (as opposed to Postal) Service.

Bear in mind the following:

• Do not open attachments in email unless you are explicitly expecting them. This does not mean “sometimes they send me something so I open it.” It means “John P. is sending me the spreadsheet right now, so I will open it.”
• Do not click links in emails. Links in emails are trivial to forge. See one of our first posts on the subject for an explanation.
• These companies do not email attachments with your shipping confirmations. They may send you a tracking number. If this is the case, and you receive a tracking number, do the following:

1. Copy the tracking number out of the email
2. Open a web browser and manually type in the website address of the shipping company, e.g., www.UPS.com, www.DHL.com, www.FedEx.com.
3. Find the box to track your shipment and paste the tracking number into the box.

To enable this service, you have to have a smartphone, such as an Android, Blackberry, or iPhone. Google uses your phone and either an app for your device, or an SMS message to send you your login code, without which, you cannot access your account. Note that this means if you lose your phone or have no cell service, you can’t receive your one-time code and you cannot log in. However, Google has provided a method for you to pre-generate passwords or access them via the app for your smartphone so that you can access your Google account without cellular service.

Note that this may cause some hiccups with other apps which access your Gmail account.

To enable 2-factor authentication on your Google account, visit https://www.google.com/accounts/ManageAccount.

Note: Google is rolling this service out in waves, so if you don’t see it today, check again soon.

On two occasions, I received what I consider to be junk email from otherwise legitimate senders. One was from a local political candidate. I’m not sure how he received my email, but he felt obligated to share with me his recent track record in the state House. As I’m not in his district, I wasn’t terribly interested in what he had to say. Also, I recently signed up to be a mentor for a high school student’s senior project. I was asked for my email, which I voluntarily gave and, this week, I received an email from the teacher coordinating these projects.

The problem is that, in both instances, the messages were sent to everyone on their respective lists in the “To” field of the email. Effectively, my private email address was broadcast to dozens of other people whom I did not want to have it. This is the equivalent of making dozens of telephone calls to different people, and telling everyone everyone else’s unlisted phone numbers along the way. Within one day, I was receiving multiple messages on conversation threads that held absolutely no interest to me because of my inclusion on one of these lists.

Unfortunately, you cannot count on the people who have your email address to respect your desire for privacy, so you must take matters into your own hands. What can you do?

• Don’t give out your email address in the first place. If they don’t have it, they can’t abuse it.
• Have a “throw-away” email account (Gmail, Yahoo!, Hotmail, etc.) which you use just for “junk” or potential junk correspondence. This means you have another account to check periodically, but it’s not that big a deal to do, and if it starts to be overwhelmed with spam, you can simply deactivate the account and forget about it. Also, if you have your own “vanity domain,” you can make up your own addresses, such as “junk@example.com” or “buyingstuff@example.com.”
• Politely try to educate other people who abuse the privacy of your email address by letting them know you do not want to be on their lists, and don’t want your email address shared.
• If you must send a bulk email message to a group of unrelated parties, do not simply send it with all recipients in the To or CC fields. Email the message to yourself or an address you do not mind becoming public, and then BCC the rest of the list.
• Better yet, use a mail merge function or a bulk email service, which will send separate, individual messages to every recipient.

Do you have any common-sense spam-fighting techniques? Let us know!

Let’s assume, for argument’s sake, that Google does abide by its own code of conduct and isn’t evil. They’re still amassing a staggering amount of data about nearly every Internet user. Now, with more and more companies “Going Google,” Google has access to data that it wouldn’t in the past. Now, they aren’t just indexing your website, blogs, or even chats and emails. Now they’re indexing your corporate documents – you know, the sensitive things you’re “not supposed to send via email?”

While I am quite confident in Google’s security capabilities, no one is perfect. And like my aikido instructor used to say, there’s always someone stronger, or quicker than you. Last week, Google met its security match when their servers were hacked.

While I won’t delve into the economic and political issues which revolve around this hack (see footnotes for plenty of reference links), there are plenty of lessons we can take away from this:

• By most accounts, Google’s servers were hacked by good, old-fashioned social engineering:
  

  “Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees…”

  This means that the attackers were not hammering through firewalls or reprogramming routers – they had people click links on what they thought were legitimate emails and exploited security flaws in common desktop software to gain access.

• Users accounts which were hacked were most likely running with administrative privileges over their desktop systems.
• If Google can be hacked, anyone can. By extension, if your data is with Google, you can be hacked as well.
• Trusting Google does not just mean “trusting that Google won’t do anything evil with my data.” It also means “trusting Google will never make a mistake which accidentally opens my data up to anyone else.”
• Substitute the word “Google” with any popular online service or enterprise firm that has a lot of (your) data (e.g. Facebook, Salesforce, Amazon). This is not a problem just with Google.

References:

• Researchers identify command servers behind Google attack
• Adobe Reader vuln hit with unusually advanced attack • The Register
• IE zero-day used in Chinese cyber assault on 34 firms • The Register
• Google may exit China after ‘highly targeted’ attack • The Register
• Google May Pull Out of China After Cyber Attack
• NY Times Article on Google/China Hack
• Official Google Blog: A new approach to China
• China Defends Internet Censorship
• Ballmer doesn’t get why Google is upset about attacks | Googling Google | ZDNet.com
• US will complain to China about Google hacking • The Register
• SANS Internet Storm Center Diary



All of your email in one inbox

As for new features, the first thing I noticed was the option to display all of your accounts’ inboxes in one location, just as recent versions of Apple’s Mail have. For instance, if you have a work email address and a home email address, and you check them both with the same email client, you can now view all new messages in a single inbox. I’m sure that fans of GTD will applaud this move. As for me, I wasn’t totally sold on this feature, but after experimenting with it for a day or so, I started to like it. If the goal is to be notified of new email from various sources, this definitely meets it. However, if you like keeping things separated (for example, not getting distracted with personal emails while at work, or bothered with work while at home), this isn’t necessarily for you.

Tabbed emails

While setting up Thunderbird, you are presented with the option to synchronize IMAP accounts onto your local hard drive. This is a great feature if you travel and don’t have an Internet connection, but still want to be able to read your email while offline. I did note that it took a very long time to synchronize my Gmail account, which has gigabytes of saved email on it, but that’s to be expected. I was able to use Thunderbird while the sync was going on, so it did not bother me.

The first thing I noticed was that the user interface has been simplified, with some of the button clutter removed. Also, by default messages open in new tabs, as opposed to new windows. While I am very used to this method of presenting information in web browsers (as Firefox has had this feature for years), I haven’t quite gotten used to it in email. However, I’m starting to like it more as I use it.

Thunderbird 3's new search

Thunderbird’s new search engine is immediately noticeable the first time you search your inbox for something. The results are presented in a new fashion, but more importantly, Thunderbird indexes all of your messages for faster search results, and you don’t have to search folder by folder for messages, as it will go through all of them for you. While I use Gmail for most of my email, I still like using Thunderbird as the client. However I frequently have found myself going back to the Gmail web interface when I need to search for a lost message. Hopefully this will no longer be necessary with Thunderbird’s new search capabilities.

Also, taking another page from the Gmail book, Thunderbird now lets you archive your email by pressing ‘A’ while reading any message. While I generally file all of my emails away (in folders in Thunderbird or with a label, then archiving in Gmail) sometimes I don’t have a particular folder or label to apply to an email. I know I don’t want to delete it, but I also don’t want to stick it in a file. I just want it gone… until I want it back again. That’s what archiving is for. This is another feature I’ve found myself logging in to the Gmail interface for. Unfortunately, Thunderbird’s archive feature is different from Gmail’s, so when I archive an email in Thunderbird, I still need to sign in to Gmail’s web interface to archive it there. However, if I never used the Gmail interface, this would not be an issue.

It is worth noting that I did have some stability problems with the beta and release candidates in late November, however they all seem to have been sorted out and the release version is rock-solid on Mac OS X and Linux. I have not yet tested the Windows versions, but I have high hopes. This is a noteworthy improvement to Thunderbird which I am grateful to have. In short, if you do not require connectivity to a Microsoft Exchange server (for calendar, contacts, and other non-email data) I recommend you try Thunderbird 3.

Oh, did I mention that it’s free?

“Between March 19 and March 28 the spyware sent more than 1,000 screen captures … via e-mail. They included details of medical procedures, diagnostic notes and other confidential information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital employees as well…”

This incident goes a long way to show that the biggest threat can often come from inside. Yes, while the boyfriend was the root cause, had the hospital employee not been allowed to access her personal email from work, her system would not have been infected in the first place.

In a separate news article, Panda Security reports that a hacker site is offering to crack Facebook accounts for the low low price of $100. Setting aside the question of whether the site is a “legitimate” hacking site (who’s to say they won’t just take your $100 and walk away?), I found it interesting that a Facebook account is now worth 3 times the street price of a social security or bank account number, which my sources say are going for $20-35 a piece.

We first chose the Astaro Security Gateway for a client who needed a reliable web content filter, and an email spam filter. They had previously used various patchwork solutions which were not meeting their needs. The Astaro product did everything they required, replacing their aging firewall, providing secure remote access, a web content filter to keep users from accessing websites they shouldn’t, and blocking junk email. When I asked the director how he liked it, as compared to their previous solution, he said he was “Very, very, very satisfied.” That’s the kind of feedback we like.

Usually when we put a UTM in place, clients have one security device in place, but not others. The nice thing is that the Astaro combines multiple services into a single unit. While this does place all of the proverbial eggs in one basket and can lead to a single point of failure for network traffic and security, for small businesses on a tight budget, it does provide an affordable way to get services you might not normally have in place.

The first line of defense offered by the Astaro is its firewall. The ASG can act as your network’s router and firewall, whether your Internet connection is a T1 line, DSL modem, or Cable modem. The device provided by your ISP plugs directly into the ASG, which then connects to the rest of your network.

By default, the Astaro Security Gateway is a “default deny” firewall. This is to say that initially, unless you tell it otherwise, it allows no traffic in or out of your network, which is the most secure, best practice configuration for a firewall. This prevents not only unwanted intrusions from outside sources, but also unwanted extrusions from your system. Whether it’s people running instant messaging or voice chat clients, the hobbyist who’s running his own web server on your company network, or the latest malware which has turned your desktop into a spam sending zombie, the ASG won’t allow it out unless you say so.

If you have remote workers who require access to your system from the road, home, or remote branch office, the Astaro supports just about every type of virtual private network (VPN) out there. Popular choices such as PPTP, L2TP, IPSec, and SSL are all available, and the clients work with Windows, Macintosh, and Linux stations.

The ASG also includes a powerful, flexible web content filter, which can be used to protect your network from malicious websites, as well as to keep users from websites that they should not be using the company network for.

Astaro also includes email security features, including two anti-virus scanners and a powerful anti-spam and anti-phishing filter to keep your inbox free of the needless clutter that comes from these annoyances and threats. Email encryption can also be configured so that if servers you communicate support this feature, your messages can’t be read by anyone in between if intercepted.

Finally, Astaro offers a free trial of their Astaro Security Gateway product, so you can evaluate it without commitment. They even pay the shipping.

Note: Paradigm Consulting Co. is an Astaro reseller. Please contact us if you are interested and we can arrange a demo for you and your network.

1. Greeting cards are a waste of time and resources. I can think of no reason that these are required in a business setting, as they just waste time and other resources.
2. In order to send an electronic greeting card, you normally are asked for the recipient’s email address, and possibly your own. By supplying this information to XYZ greeting card site, you’ve just opened up an avenue for junk email (spam) to yourself and the recipient.
3. Fake electronic greeting cards are a prime vector for email attacks and the spreading of malware. By getting people to click on a link that claims to be a greeting card, the user is likely to want the program to run, not knowing what it really is. I’ve personally had clients ask, repeatedly, that I install Adobe Flash Player on their systems so they could open a greeting card, despite my repeated protests. Sure enough, a few weeks later, their system was infected by malware as a result.

In summary, stop sending electronic greeting cards. If you absolutely must open one that you’ve received, then you can… wait… No, scratch that. There’s no reason for them.

I highly recommend that your company’s acceptable use policy prohibits the sending or viewing of electronic greeting cards, and that your content filtering system be tuned to prohibit these sites whenever possible.