”Do not leave a voicemail if you do not reach your sales target. Connections are only made with real people. Your message will be deleted anyway.”

I don’t follow. I leave voicemails. I don’t expect that my voicemail will close the sale, but to not leave a message when someone has put up a facility just for that seems silly to me. I’d also supplement a call with an email, or vice versa, because some people are more responsive to some media than they are to others.

So, I agree on 9 out of 10 points. Keep up the good work, @smallbizlady.

The diNovo Mini is small, only about 6″ wide by 3″ high with the cover closed – about the size of a Hewlett Packard financial calculator, with keys sized a bit larger than a Blackberry or a Sidekick. It has all of the standard keys of a QWERTY keyboard, plus Ctrl, Shift, Alt, and Super (Windows) keys. It also has standard media controls, including volume, pause/play, previous, next, and stop buttons for controlling apps like iTunes, Windows Media Player, or VLC. Although it lists Windows operating systems under system requirements, the unit works perfectly with Mac OS 10.6, and, while I haven’t tested it, I bet it would be fine with most Linux distros as well.

What I found most useful about the unit was the combination trackpad/arrow keys in the upper left of the device. A toggle switch allows you to turn the circular trackpad (like the rectangular ones you find on notebook PCs) into a cursor pad not unlike what you find on video game controllers (instead of the traditional four directional arrow keys). It takes a little getting used to, but is fairly easy to grasp after a few minutes of playing with the device. While I certainly won’t be composing any long audit responses, doing graphics manipulation or programming with this for any significant length of time, it’s ideal for controlling a media center PC, light web surfing, or replying to a quick email – anything you might do on a smartphone or even a netbook.

The unit has excellent range, allowing me to control my PC via its Bluetooth connection from anywhere in the living room. It also has a built in rechargeable battery, and a 3 year hardware warranty, so no more wasting disposable batteries for the remote control.

The diNovo Mini retails for $149, but can can be found cheaper at various online retailers.

4. What characters should you use in a password to make it strong?
a) Letters only
b) Numbers only
c) Letters and punctuation
d) All of the above
Answer:  (d) – The more complex a password is, the harder it is for a
person to guess it.  Some systems and websites may not allow you to use
all of the punctuation symbols, but most allow some of them.

5. How long should a strong password be?
a) Five characters
b) Eight characters
c) As long as possible
d) Size doesn’t matter
Answer: It depends! For technical reasons, a minimum length of 8
characters is recommended. But not all eight-character passwords are
equally strong. For example, “football” wouldn’t be hard to guess, but
guessing the 8 characters of 7xkM*vh$ presents a real challenge.

6.  Now that you are an expert, choose the strongest password from this list:
a) Mickey.Mouse
b) M1ck3y.m0u53
c) 3.1416**
d) Ad@46-Hiz
e) Aristotle
Answer: (d) – (a) is obviously easy to guess, even though it’s long
enough; (b) is “hacker-speak” for Mickey Mouse – a bad idea; (c)
contains no letters – and it’s the approximate value of Pi; and (e) is
a proper name.

Strong password checklist

• at least 8 characters
• at least one number
• at least one uppercase and one lowercase letter
• at least one symbol (examples: &, !, @, #, $, ^, *)
• no proper names or words (English or otherwise)
• no personal information, like your SSN, phone number, or date of birth
• no repeating characters
• no easy-to-guess patterns like 123qwerty
• no well-known mathematical values (like Pi) or equations (E=mc2)

Tips

• Treat passwords like your toothbrush: Choose a good one and replace it regularly.
• Change your passwords at least every 30 days.
• Use a passphrase. Choose an easily remembered phrase like “Liberty and Justice Forever” and use the first one or two letters of each word with some punctuation and numbers in between. Example: Li.an1Ju*Fo.
• Use a password pattern. Pick a starting point on the keyboard, trace out an easily remembered pattern, and add some twists. Example: The eight-character pattern 1qscvhU* describes a “V” on your keyboard starting with the number 1 key, with the added twists of an uppercase U and an asterisk.
• Use a password manager.  If you use Firefox, for example, you can have your browser remember your passwords. Then be sure to set a strong master password in Firefox to protect your “remembered” passwords.
• Other versatile, no-cost or low-cost password managers include Roboform and KeePass.

This material is reprinted, with permission, from the February edition of the SANS Ouch! newsletter.

I’m reprinting the questions (with permission) in this post, and will post the answers in a subsequent post to let you rate your own password knowledge.

What’s your Password IQ?

1. How often should you change your password?
a) Every 30 days
b) Every 60 days
c) Every 90 days
d) When IT tells you to

2.  One of your co-workers is working on a critical report this weekend
and needs access to some of your files.  How should you give her your
password?
a) Send it in an email message
b) Call her on the phone and tell her the password
c) Don’t give it to her or anybody else
d) Write it on a piece of paper, seal it in an envelope, and mail it to
her

3.  What is the most common (and so the weakest) password used in 2009?
a) password
b) 123456
c) qwerty
d) abc123

4. What characters should you use in a password to make it strong?
a) Letters only
b) Numbers only
c) Letters and punctuation
d) All of the above

5. How long should a strong password be?
a) Five characters
b) Eight characters
c) As long as possible
d) Size doesn’t matter

6.  Now that you are an expert, choose the strongest password from this list:
a) Mickey.Mouse
b) M1ck3y.m0u53
c) 3.1416**
d) Ad@46-Hiz
e) Aristotle

The full SANS Ouch! newsletter, and others, are available at the SANS website.

In order to continue to improve our products and deliver more sophisticated features and performance… we will be phasing out support for Microsoft Internet Explorer 6.0 as well as other older browsers that are not supported by their own manufacturers.

It’s about time, and not just for those reasons.

Internet Explorer is arguably the most insecure web browser in current use today. It’s very old, in Internet terms, and really needs to be replaced. If you are still using Internet Explorer, you need to upgrade to IE 7 or IE 8, or switch to another browser like Mozilla Firefox (currently at version 3.6), Google Chrome, Opera, or Safari.

If you are one of those unfortunate folks who are required to use Internet Explorer 6 for a legacy web application, contact your vendor immediately and tell them that they need to change their application to support newer browsers. There is no excuse for continuing to use Internet Explorer when Microsoft itself has recommended that people discontinue its use.

The advice is to have a PC dedicated to online banking. If you weigh the convenience and cost savings of having access to online banking, versus time spent on the phone or traveling to and from a bank to conduct your business, the expense of a PC dedicated to this task, to continue to enable online banking, will likely be recouped within a matter of weeks, if not days.

The three arguments I’ve heard against this are:

• We don’t have enough money in the bank for anyone to want to hack it. (Or, “no one is interested in us because we’re too small.“)
  Then it sounds like you have everything to lose! Isn’t it more important to protect what assets you have, regardless of size?
• We’re protected by our bank’s security.
  No, you’re not. Bank websites get hacked frequently. Don’t believe me? Just do a Google search on the subject. Furthermore, the banks are not required to refund your money! You do not have the same protections as you do with credit cards on bank accounts. Finally, it’s not usually the bank that gets hacked – it’s your computer.
• We can’t afford the expense.
  The cost of a lightweight PC dedicated to this task is most likely lower than most of my clients’ electric bill, heating bill, or liability insurance for one month. You can afford the cost. But can you afford getting hacked and having your assets drained?

This is the same advice we gave on this blog last year. It’s sound. It’s simple. It’s cheap. Get a new netbook for a couple hundred dollars and use that for online banking. Is this not worth the risk of your business losing tens of thousands of dollars from its bank account? Please, if you do online banking at home or at work, at the very least, practice it from a non-Windows computer not running Internet Explorer. Better yet, prove me wrong and get a cheap PC and dedicate it to your online banking needs. Never go to any website other than your bank’s with it. Another alternative would be to boot from a live CD of your favorite Linux distribution, such as my favorite, Ubuntu.

References:

• http://lastwatchdog.com/american-bankers-associations-small-business-warning/
• http://itknowledgeexchange.techtarget.com/security-corner/aba-recommends-using-dedicated-pc-for-online-banking/
• http://news.softpedia.com/news/Small-Businesses-Should-Conduct-Online-Banking-from-Dedicated-Computers-131086.shtml
• http://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=1#sID200
• http://content.usatoday.com/communities/technologylive/post/2010/01/online-banki
  ng-precaution-for-small-and-mid-sized-businesses-draws-attention-/1
• http://www.upi.com/Top_News/US/2010/01/01/Businesses-warned-about-online-banking
  /UPI-81761262329630/

Let’s assume, for argument’s sake, that Google does abide by its own code of conduct and isn’t evil. They’re still amassing a staggering amount of data about nearly every Internet user. Now, with more and more companies “Going Google,” Google has access to data that it wouldn’t in the past. Now, they aren’t just indexing your website, blogs, or even chats and emails. Now they’re indexing your corporate documents – you know, the sensitive things you’re “not supposed to send via email?”

While I am quite confident in Google’s security capabilities, no one is perfect. And like my aikido instructor used to say, there’s always someone stronger, or quicker than you. Last week, Google met its security match when their servers were hacked.

While I won’t delve into the economic and political issues which revolve around this hack (see footnotes for plenty of reference links), there are plenty of lessons we can take away from this:

• By most accounts, Google’s servers were hacked by good, old-fashioned social engineering:
  

  “Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees…”

  This means that the attackers were not hammering through firewalls or reprogramming routers – they had people click links on what they thought were legitimate emails and exploited security flaws in common desktop software to gain access.

• Users accounts which were hacked were most likely running with administrative privileges over their desktop systems.
• If Google can be hacked, anyone can. By extension, if your data is with Google, you can be hacked as well.
• Trusting Google does not just mean “trusting that Google won’t do anything evil with my data.” It also means “trusting Google will never make a mistake which accidentally opens my data up to anyone else.”
• Substitute the word “Google” with any popular online service or enterprise firm that has a lot of (your) data (e.g. Facebook, Salesforce, Amazon). This is not a problem just with Google.

References:

• Researchers identify command servers behind Google attack
• Adobe Reader vuln hit with unusually advanced attack • The Register
• IE zero-day used in Chinese cyber assault on 34 firms • The Register
• Google may exit China after ‘highly targeted’ attack • The Register
• Google May Pull Out of China After Cyber Attack
• NY Times Article on Google/China Hack
• Official Google Blog: A new approach to China
• China Defends Internet Censorship
• Ballmer doesn’t get why Google is upset about attacks | Googling Google | ZDNet.com
• US will complain to China about Google hacking • The Register
• SANS Internet Storm Center Diary



While the content is good, it is rather elementary, so if you are already familiar with Facebook, you’ll probably be better served by something else. I bought the book to see what sort of insight it would give for business applications, but I found the chapter on this topic to be short and not very enlightening. Also, I found the topics of privacy and security to be a bit lacking. The best advice they have is to not post anything that you wouldn’t want your grandma to see, because it may come back to haunt you. However, they also recommend you install lots of applications, without stressing that installing Facebook apps (of dubious nature) is a quick and easy way to get your account hacked.

While it was published nearly two years ago, the majority of the book is still up to date and current. However, some things have changed recently, especially with respect to default privacy settings, covered in the privacy chapter.

Also, the book is a little expensive, given its size. However, if you are just getting into social networking and Facebook, it does provide a good overall view of the service to newcomers.

If you have not yet looked at one of these other browsers, I strongly recommend you do. If you are wedded to Internet Explorer, then you should at least be on version 7, if not 8. Also, several of our clients have been told that they must use Internet Explorer for an application that they use which requires it. What’s shocking is that several of my clients have vendors who insist that they continue to use IE 6! This, despite the fact that it’s easily the least secure mainstream browser still available today. If you are unlucky enough to be in this group, I strongly recommend you put pressure on your vendors who are requiring IE 6, and tell them to support current versions, or better yet, make their application less browser-specific so that it works with other platforms like Firefox, Chrome, Opera, and Safari.