Link to Main Site

Click here to visit our main site

Wednesday 18 May 2011

How to generate and remember secure passwords

How many websites do you login into?....5...10....15....more?

Start counting, there's the supermarket (3 or 4 of them), your online clothes shops (lots), forums, tax returns, banks etc...

Some sources suggest that on average we have 20 passwords that we need to remember.  I'm betting that this is slightly out of date and that some of us (me included) have to remember many more.

So how do we do that?

Well, recent hacking activity has exposed some interesting data.  When analysis of leaked passwords posted to hacking sites is undertaken some shocking truths are uncovered.

Most of us use simple names, or worse passwords like "12345" or "password".  Others use names followed by a number.  There are dictionaries of these weak passwords that hackers can use to greatly speed up attacks.

The best passwords are those that are random, comprising upper and lower case letter, numbers and symbols !"£$%^&*():? etc.  The longer the password the better.  A good password might look like  !Whd%59doPS2mj.-K4G, but how on earth are you going to remember that!

Well there are some letter tricks that can be used and there are some technical solutions too.

The letter tricks first.

Obfuscate letters and numbers - transpose 5 for S 3 for E, 1 for L etc.  Using that technique the word password can become Pa55w0rd which reads easily and is quite straightforward to remember.  However, don't be tempted to try this one as it will be in the hackers dictionary already! 

Try choosing a location or memorable event, take the first one or two letters of a memorable sentence and use the obfuscation above.  So "Mum was born in London and Dad was born in Glasgow" can become MwbiLaDwbiG.  Adding the obfuscation it becomes Mwbi1aDwbiG.  It's still not long enough and doesn't contain symbols.  So add year of birth with the corresponding symbols above the numbers on the keyboard: "Mum was born in London in 64 and Dad was born in Glasgow in 62" becomes Mwbi1i^$aDwbiGi^" . Now, that is looking better.

Great, so we have ourselves a strong password, but should we use the same one on all our sites?  No, you don't want you banking passwords mixed up with forum passwords that are often stored unencrypted and sent over plain text links: did you know the default login on Facebook is over an unencrypted link that anyone can intercept.  Use the same email and password on that as your bank and you are asking for trouble.

So personlise each password to the website.  Perhaps take the first and last letter of the website and add them to you password as first and last characters: Facebook could be FMwbi1i^$aDwbiGi^"k, while the bank HBOS might be HMwbi1i^$aDwbiGi^"S.  You have to be careful with this technique, but it can be used effectively.

Now to the technical measures  - Password Managers.

There are several relatively cheap password managers that you can purchase.

The best ones are those that allow you to generate truly random passwords of variable length, that store these in an encrypted form on your system or over the internet.  For those on the move, look for programs that have natching apps for your smartphones.

Some suggestions in this category are iAccounts/iBackup for smartphone and PC, KeePass, LastPass and Roboform.

My personal choice is iAccounts backed up with iBackup.  With this very inexpensive app, I can have all my secure details in an encrypted database stored on the iPhone behind a very secure password.  If I get the login password of the app wrong 5 times in a row the database is destroyed.  Using iBackup, I can sync the database with my workstation over the air.  Opening iBackup, I can copy and paste from the database to login boxes on the workstation whenever I need to.  To further backup the database on the workstation, I export a csv copy of it every time I add a new password.  The csv is in plain text, but I export it to a TrueCrypt container file which is AES encrypted.  Better still that container file is in a folder that goes into the nightly backup of the entire system.  This way, if the phone is lost I can be safe in the knowledge my credentials are safe and if i have finger trouble with the PC, I can recover the database from any day over the past year.

More about TrueCrypt in another post.

Friday 22 April 2011

Shock revelation: Apple iPhone tracking your location!

So, the news-wires have been humming the last day or two with revelations about a tracking feature embedded in the Apple iPhone.  Reports suggest that the iPhone stores your location at regular intervals without using the in-built GPS receiver.

This data is stored in a file called consolidated.db and is sync'd to your PC or Mac using iTunes when you connect the iPhone.

Salacious stories abound of how Apple are collecting this data for their own purposes and how police officers can search the data if they stop you.

The blogosphere has been alight with the masses up in arms.

Well, I'm going to buck the trend and illuminate some critical facts that are overlooked by some of those media outlets.

Firstly, the storage of you location is required by certain apps, such as geo-location services, the camera, shopping etc.  The method used is a triangulation approximation using GSM radio towers that your phone can detect.  Note, this is an approximation and nowhere near as accurate as the GPS receiver.

Secondly, there is no great conspiracy or cover-up in the capture or storage of this data.  Rather like the mass hysteria regarding Google intercepting unencrypted data from wifi channels as their StreetView cars pass by, the capturing of this data is not being hovered up into a central Apple database to be used against you in some future point in time.  Yes, it is sync'd to your computer, but it is not transferred to Apple - it is against California State Law for them to do so.  Before people say "when did the law make any difference", consider the hundreds of millions of iPhones in use and think about it for one moment: would Apple really risk a law suit that could bankrupt them due to the scale of products sold if they were tracking users locations?

Thirdly, the storage of this data is in fact not new!  It has only been recently re-discovered, but was publicized in 2010 and discussed in several papers at the time.  The data file has been moved to a more readily accessible location, but that is only to allow apps to access the data more easily.

To put all this in context, some years ago, I happened to be first on the scene of an accident between a car full of young lads and a tractor on a rural road in Southern Scotland.  Grabbing my mobile (it was not a iPhone, in fact it was not even a smartphone - just a first generation GSM phone), I dialed 999. Being distracted for a moment by the occupants of the car, I could not think clearly if I was on the A70 or A71.  On calling the emergency services, I said, I'm on the A71, to which the operator said, "I think sir you are on the A70, is that right?"

The point being, the emergency services were geo-locating my position based on GSM radio signals and were able to confirm my location.  No big brother, no paranoia, just a straightforward use of technology for a useful purpose.  I'm sure the young driver of the car was thankful the ambulance arrived at the right location rather than 20 miles away on the A71!

Now, I'm no Apple "fanboi".  I use some of their products for business because they help me get my job done.  I do have concerns about some of their business practices, tying users into using iTunes and the App Store, but that is another story for another time.  In this case Apple are being hounded for being a successful company and there may well be an element on those who complain the loudest being just a tiny wee bit jealous of a successful product.

Wednesday 6 April 2011

Facebook scams and all that glitters is not gold

A cautionary tale of how not to get scammed on Facebook.

If you use Facebook (it's quite likely that you do), how many times have you seen messages from friends that claim to know how many times their profiles have been viewed?  Quite a few probably.  As many as you get from friends who have recently subscribed to the newest purveyor of little blue pills, or those who use services to predict the future or other rather odd applications.

Needless to say, these are all scams, stealing your personal information while spamming your friends with their poison.

So, how do they work.  Simple really.  A so called viral link is generated by the scammer to entice the victim (for that's what they are - a victim) into clicking on a like button.  When that happens, the victim is taken to a genuine looking site that requests access to personal information - usually in a round about manner.  Before displaying the information that the victim was seeking in the first place, they are then taken to an online questionnaire to fill out.  Frequently this reveals even more information about the victim to the scammer.  Not only that, but the scammer most often actually gets paid for the completion of the questionnaire!

Finally the victim is shown a page that perhaps indicates he or she was "liked" so many times, or their page was visited by a particular demographic etc.  These are all fake and not worth your time.

Moreover, while the victim was entering all their personal preferences into the questionnaire, all their contacts and friends were receiving messages from the rogue app inviting them to fall victim too.

If you find yourself being spammed by such apps, simply block them in you profile.  If you have completed a questionnaire online for one of these scammers, be very careful to check your personal information and make sure it is not being used for criminal purposes.

Thursday 24 March 2011

The click of death and how to backup your data to avoid getting caught out.

Monday morning, 8:15am, the kids are getting ready for school, the dog has been fed and you sit down in front of the PC to check emails before going to work.

You press the power button, then it happens......click!


A message appears on screen: "Operating System Not Found"

You think to yourself "Hmmm, that's odd." and try again.  click!

What has just happened is a hard disk fail and they are surprisingly common.  Inside the hard drive casing the platters are spinning, but the pick-up heads have slammed into the stop and will not move.  The disk is effectively dead and all your precious data, including photos of Great Auntie Mable are lost.

You break out in a sweat, the children are arguing, the dog is barking and you are stressed.  A nice way to start the working week.

There are three mantras that the IT industry follows.  In order of importance they are as follows:

1. Backup,
2. Backup,

and in case you missed it,

3. Backup.

OK, enough of the jokes, data loss is an incredibly stressful time for anyone.  If you run a business, it could be the difference between profit and loss.

There are several ways to backup your data, ranging from simple manual methods copying data onto a USB memory stick to fully automated system backups both on and offsite.

Let's take an example of each in turn:

Simple USB memory stick backup


Put you memory stick in, copy you data over and unplug.  Easy as pie (to get wrong that is).   It's just as easy to accidentally "Cut" rather than "Copy" and if you do, your data is only on the USB stick, not on your PC.  The memory stick is not infallible and many sticks fail on removal from the machine resulting in data loss just as easily.

USB memory sticks are versatile and useful methods for transporting small amounts of data around, but they are not the solution for long term or secure data backup.

CD and/or DVD


Grab yourself a stack of writable CD's or DVD's and burn you data onto them. An excellent idea and this method can produce permanent (i.e. longer than you probably have to worry about) data backup.  However, it is still a manual process and you need to select the files that you wish to backup.  It is difficult to add data onto the disk without risking the data already backed up and there is a danger that using read-write disks you end up with a corrupt backup archive.

If you choose this method, you should set yourself a regime that ensures a new backup is periodically take and that the data is verified after writing onto the disks.  This is often where manual processes fall over. the vast majority of manual processes start of with good intentions, but other priorities take over and the manual backups are not run periodically or they are not tested.  when you need your data you can come unstuck and end up in the same situation as if you had not taken a backup at all.

Nonetheless, burning data onto a CD or DVD archive is a useful method of producing permanent data backup and it is worthwhile considering if you can attend to the manual processes required.

Automated data backup and recovery


Using tools such as Norton Ghost or Acronis can significantly improve the robustness of you data backup.  For business use, this type of data backup is essential.  Once configured, automated tools are fit and forget.  They run to a pre-defined schedule and with defined criteria that enable you to ensure your data is securely backed up.

Data can be stored one site on CD/DVD's (see above for risks), or on additional media such as external hard drives (even better additional internal hard drives).  Better still, connect a Network Attached Store to you router/switch and you have fully automated backups running independent of machine.

Using these and similar tools you can encrypt the data backup so it is protected from prying eyes and you can configure it to store some or all of the backup data on in offsite repository via cloud or ftp location.  If the worst was to happen you can recover data from the offsite store.

The best backup systems implement a layered approach.  Local backups are stored on internal or external hard drives (or on some server installations on tape drives), or on a central network attached store, One time system images are burnt onto DVD and stored on site for quick reaction and offsite for disaster recover.  Finally critical data is mirrored at an off site location allowing quick access if you main operating premises becomes inaccessible (through fire or flood etc.).

Tinto PC's has a worked with all of these backup methods and is uniquely placed to advise on the best choice for any individual circumstances

Wednesday 23 February 2011

Scam virus warnings

Computer viruses - we all loathe them.  Some are designed to steal our bank details, some are designed to damage our systems others are just a plain nuisance.

One thing in common is that we all want to get rid of them if we are unfortunate to fall victim.

And that opens a door for social engineering that is being actively exploited by scammers and virus writers.

Standing back for one moment, there are two variants of scam virus warning circulating at present the first based on fake pop-up messages warning you of an infection, the second and even more brazen, is cold calling from the scammers informing you that you are infected.

Lets take each variant on its own for now:

The fake phone call


"Hello, this is Bob from Microsoft.  Your registration number is 123/864/3EF.  I'm calling today to let you know that your computer has been reporting a virus infection to our central monitoring servers.  I can help clean your PC and prevent future infections!"

Should you receive a call like this, just hang up.  It's fake, it's fraud and it's dangerous.

If you continue, the scammer will ask you to log into a website such as Logmein, TeamViewer or similar .  By doing so, you will give full remote access to the scammer who will be able to control you computer, move your mouse and do anything you can while you site in front of the screen.


It should at this point be noted that most of these remote access sites are completely legitimate offering genuine remote access services  The scammer is simply exploiting these companies to gain access to your PC.


Once the scammer has gained access to your PC, they run through a script with you to further prove their credentials.  This usually involves showing you some Windows Logs know as the Event Viewer.  The Event Viewer records all program and system activity on the PC.  It will show which services have started and crucially if there are any errors.  There will always be errors in your Event Viewer - every computer will encounter some issue which will be flagged as Red in the Event Viewer.  The key thing is to put into context those errors.  The scammer will tell you that the errors indicate a virus infection that is endangering your data.

If you get this far with the scammer, turn off the computer and put the phone down.  Then call a reputable IT service company (Tinto PC's comes to mind!) to remove any infection that the scammer has already loaded onto your machine.

If you choose to continue, the scammer will take you to a fake antivirus website where he will ask you to submit your credit or debit card details to pay for a one off fix and a subscription to an ongoing service plan.  This really should be sounding alarm bells by now.

Should you agree and submit your details, you will have given the crown jewels away.  The scammer will have your name, address, telephone number, bank details and full remote control of your computer.

Job done as far as the scam artist is concerned.

If you are the victim of this fraud, immediately contact your bank who will offer professional advice on preventing any further financial damage.  If advised to do so by your bank, consider contacting your local police.  Although more often than not, the scammer is located in a far away country, there is a small possibility that they may be located where the law can reach and in any case, you are the victim of a crime which should be reported.

Finally, if the police do not require your machine for evidential purposes, get in contact with with a reputable IT service company to clean any back doors or infections loaded during the scam.

Now let's turn to the other variant.



The fake virus alert.

You are browsing the web, perhaps using Facebook, or clicking through emails, reading pdf documents or your children are playing online games.

All of a sudden, you see a pop-up message saying your computer is infected with dozens of viruses.  The screen shows a scan running which confirms the message and indicates that you should clean the machine immediately for fear of loosing bank details and passwords.

Firstly, you should confirm which antivirus program you use.  It may be Macafee, Norton, AVG, Avast, NOD32 or others, but take 5 minutes to check which one, because the fake alert will not be one of those.  Most likely, it will be a variant on Windows Antivirus Pro, or System Cleaner 2011, or Advanced Antivrus or some other overly officious sounding name.  All of these and similar names are fake.  They can however be very convincing which is why you should be clear which antivirus program is installed on your PC.

Second, you should understand a short technical difference between a Virus and a Trojan Horse.  A Virus will attempt to self replicate, a Trojan will open a door to let in bad things.  Both are dangerous, but in this case you have been infected by a drive by Trojan Horse, which has delivered a payload designed to trick you into thinking you are infected by lots of nasties.

The language used by the fake alert is alarming enough to convince some people to follow the instructions.  In the industry, such fake alerts are often known as scareware.

If you do follow the on screen instructions, you are taken to a fake website similar to the fake phone call above, you pay your money to be cleaned, but unfortunately, it's not you PC that is cleaned, much more likely your bank account.

If you fall victim of this fraud and follow the instructions - giving the scammers your bank details, follow the advice above for the fake phone call: contact your bank, the police and a reputable IT services company to remove the infections.

Many people ask why they get these pop-ups, if they have pop-up blocking software.  Good question - the answer lies in terminology.  Technically these "pop-ups" are dialog boxes.  Dialog boxes are not blocked by your pop-up blockers because they are system messages that provide system information and prompts.  Examples of genuine dialog boxes are messages asking for permission to install something or messages informing you that your antivirus has been updated etc.  So dialog boxes are not blocked and the virus writers target these to inject their own messages.

"OK, I get it" you say, "my pop-up blocker won't stop the messages. So how did it get in past my own antivirus?"  Unfortunately, there are many routes for infection.  Currently the most prevalent route is through exploiting security weaknesses in third party software such as Java (for online games), Flash (for online animations and video, PDF readers used to read online documents.  All of these technologies have been and are currently being exploited to infect PC's.  It is always recommended to update to the latest versions of these technologies to protect yourself from threats.  Similarly, always update Windows when offered, many holes and weaknesses are patched each month.

Now for the hard part - cleaning it up.  Many of these fake antivirus alerts are injected via a device known as a rootkit.  A rootkit is techno-babble for something that can install itself without your permission and run with full access to the PC even if you ask it not to.  That makes it very difficult to remove.  Often the rootkit and Trojan Horse will offer up sacrificial lambs that can be found by your genuine antivirus software.  Even more devious the names of these offerings match the names flagged by the scareware.

There are many different routes to cleaning up a scareware infection.  I recommend you call a reputable IT services company in your area (like this one!) to ask for assistance.

Monday 14 February 2011

IPv4, IPv6, what's all that about and why should I care?

IPv4 and IPv6 - hmmm, sounds about as interesting as reading the yellow pages, doesn't it?  Well, yes, I guess so, but looking forward it will has as much impact as the change from analogue to digital TV.  In a way, it's kinda similar too.

Let's start with a quick explanation of what IPv4 is and why it's changing to IPv6.

Every computer, smartphone, tablet or Internet connected device has an Internet address, or (IP address as they are more often known).  This uniquely identifies it over the internet.

Wowsers, I hear you say that's a humongous number of IP addresses - well yes and no.  The vast majority of computers attached to commercial networks re-use IP addresses from a limited pool that are not exposed to the outside world, greatly reducing the IP addresses hoovered up by such organisations.  Chances are that if you have more than one computer, smartphone or tablet device at home, you will have the same technology that uses internal routed IP addresses, but only one external address.

So, what does an IPv4 address look like?  They are a series of 4 numbers separated by a point.  For example, your home broadband router will likely have an IP address of 192.168.1.254, or 192.168.1.1 or similar.  The range 192.168.xxx.xxx is reserved for non-routable addresses, i.e. addresses that are not publicly exposed.  So your PC might be 192.168.1.2 and your neighbour might also have the same IP address for his PC too.  You will both have different external IP addresses however, using the same format and allocated by your ISP.

Now a quick inspection of the IPv4 format shows that the number of addresses available is 4,294,967,296 - which is a very big number.

Unfortunately, not big enough.

Even allowing for the hoards of corporate machines hiding behind their internal IP addresses, the range of IPv4 addresses recently ran out.

Did you notice the sky falling in?  No?  Well neither did anyone else, because although the last 5 blocks of numbers were allocated on 3rd February 2011, these allocations, together with myriads of others have not been fully taken up by end users.  But time will come when they will and the world as we know it will come grinding to a halt.

Well, not exactly.  This is where IPv6 comes riding like the 7th Cavalry over the horizon to save us all.

IPv6 (don't ask what happened to IPv5!), is the successor to IPv4 and generates  an astronomic number of addresses - it has 128 bits, as opposed to 32 bits of IPv4.  This gives it approximately 340 Undecillion combinations (look it up if you are interested).  Suffice to say it's hugely bigger than IPv4.  It has a format similar to 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

Great, all is fine and dandy in the world.  Errr, not exactly.  You see, IPv4 and IPv6 are not interchangeable and not compatible with each other.

Yikes, does that mean when the big IPv4 switch is pulled my computer will come crashing down.  Probably not.  Most modern computers are able to understand both IPV4 and IPv6 and many routers are too.  Also, it is very likely that your service provider may support a period of changeover of both IPv4 and IPv6 addresses allowing you to surf away without worrying about all those bit and bytes.  Some service providers may even go far enough to provide upgrade routers that are compatible with IPv6 if your current router isn't already, though whether they give them away free or charge for the upgrade remains to be seen.

For those really interested there is a world IPv6 day on 8th June 2011 when major service providers and some website companies will be testing their readiness for IPv6.  You can also find more information about IPv6 readiness here but remember that it will almost certainly fail as of now since IPv6 is not actively being rolled out to end users in most circumstances.

Thursday 10 February 2011

New Website, New Blog!

The old Tinto PC's website was looking a bit tired, so it was time for a quck re-vamp and a re-focus on customer needs.

There is still the link to the remote desktop session "helpdesk" software and I encourage anyone with problems with this to get in touch.

Also, I've streamlined the look and feel of the main site.  No more waffle about this and that, simple, clean and to the point.

Well, now that's done, I decided to resurrect the Tinto PC's blog and re-define its use.  From now on I intend to post articles regularly on IT issues affecting customers from Internet problems, security, hints and tips and maybe the odd fun item too.

So check back regularly or subscribe to the feed and keep up to date with what's happening.