A few months ago, I wrote about Firefox encryption addons aimed to keep your outgoing browser data as safe from prying eyes as possible. Encryption is great but there are other considerations you need to make if you want to be as safe as you can be. The Internet can be an annoying – or even dangerous – place if you don’t watch yourself.

BetterPrivacy

A few years ago, something known as the “Flash cookie” came onto the scene (AKA “super cookie” or “long-term cookie” or “local shared object”) and still exists today. Basically, it’s a Flash-based cookie that never expires and can’t be deleted through conventional means, which allows the advertising industry to track you pretty much anywhere you go.

Browsers aren’t yet fully aware of these Flash cookies so they can’t do much against them. That’s why BetterPrivacy exists. It allows you to manage Flash cookies on your system with ease. You can even set it to automatically delete Flash cookies on startup, shutdown, or on a schedule.

Note: Not all Flash cookies are bad. Some browser-based games use them to store game settings, some interactive sites use them to store login data, etc. If you automatically delete your Flash cookies, make sure to set important Flash cookies as exempt.

Ghostery

Ghostery is a comprehensive web privacy addon for Firefox that lets you see who’s trying to track you and subsequently block them if you don’t trust them. Ghostery can detect much of the invisible web activity going on behind the scenes – especially the trackers deployed by ad agencies and web publishers.

When you have trackers on you, Ghostery presents you with the tracking company’s privacy policy and any opt-out actions you can take. If you don’t trust the company at all, you can flat-out block them – scripts, Flash cookies, and even images.

NoScript

NoScript is a strict security addon that only allows whitelisted sites from running scripts and executable content on your browser – Java, JavaScript, etc. It’s a preemptive safety method that minimizes the threat of accidentally stumbling upon a malicious website and having them do something shady on your computer.

With NoScript, you’ll be guarded against cross-site scripting vulnerabilities (XSS), cross-zone DNS rebinding and CSRF attacks (router hacking), and clickjacking attempts.

Keylogger Beater

Keyloggers can be a big problem. They’re a form of malware that sits quietly on your computer and traces every key you press and every click you make, then sends that data to whoever created the keylogger allowing them to read what you type and maybe even steal a few account name + password combinations. There are a few ways to guard against keyloggers - Keylogger Beater is one.

Keylogger Beater brings up a scrambled text inputter that randomly reassigns your keys. There are pairs of “real keys” and “shadow keys” where pressing the shadow key will input the real key. This will jumble up any key output in case you have a hidden keylogger on your system. If you don’t want to press keys at all, you can just hover over a key with your mouse for one second and Keylogger Beater will read that as an input.

Flashblock

Flash-based content is some of the most prolific content in the world. There are Flash games, Flash ads, Flash video players, and more. Unfortunately, while Flash is powerful, it is also slow and can be used for nefarious purposes. Flashblock assumes that all Flash content is malicious and preemptively blocks them from loading.

With Flashblock, when you load up a page, every instance of Flash will be replaced with a placeholder element. If you click on that element, that particular Flash content will be downloaded and viewed. For your convenience, you can set certain sites and domains to be whitelisted.

Note: Flashblock does not work if you have JavaScript disabled OR if you have NoScript enabled.

ShareMeNot

You know those Facebook “Like” buttons and Twitter “Tweet This” buttons that you see all across the Internet? They may be intrusive and distracting when poorly implemented, but they’re ultimately harmless, right? You may want to guess again. Facebook, Twitter, and other social networking sites that have embedded buttons can actually track you through those buttons even if you never click them.

One way to prevent button tracking is to prevent them from loading in the first place. ShareMeNot is an experimental Firefox addon that offers a different solution: it disables the tracking aspect of the button while loading it. If this is something that worries you, you should give ShareMeNot a run.

Conclusion

Security and privacy are important if you’re going to be involved in the Internet realm. You can stay safe with proper browsing habits and helpful web tools like Web of Trust, but once in a while you’re going to slip. When that happens, you’re going to wish you had a browser addon or two as a secondary layer of protection.

For maximum protection, use more than one of these addons simultaneously – as long as they are compatible, of course. If you know of any other great security and privacy addons for Firefox, please share them with us in the comments!

Image Credit: Social Media Signs Via Shutterstock

The post Everything You Need to Make Firefox Private & Secure appeared first on MakeUseOf.

There are simple steps you can take to protect yourself online. Using a firewall and antivirus software, creating secure passwords, not leaving your devices unattended; these are all absolute musts. Beyond that it comes down to keeping up with the latest news about spam, scams, phishing attempts, hacks, and malware.

This is where the following list of security experts on Twitter comes into play. They’re all dedicated to delivering updates, news, blog posts, and opinion pieces designed to keep you, the average Web user, informed about the latest online security threats.

AVG Free @AVGFree

Never Mind The Kids – Watch out for the Sexting Boomers! avgclick.me/12TNgMd #freeantivirus

— AVGFree (@AVGFree) May 1, 2013

This is the official Twitter account for AVG Free, a high-ranking piece of antivirus software that is free to download and available for Windows. The feed links to highlighted posts from AVG blogs, which includes regular updates regarding current threats.

Eugene Kaspersky @e_kaspersky

Dutch police would be able to hack into computers, install spyware, read emails and destroy files bbc.co.uk/news/world-eur…

— Eugene Kaspersky (@e_kaspersky) May 3, 2013

This is the Twitter account of Eugene Kaspersky, CEO and Chairman of the Kaspersky Lab, the developer of various security products, including Kaspersky Internet Security. Eugene is considered an expert in the field, and his Twitter feed is full of links to security news from around the world, sometimes with added commentary.

Avast! Antivirus @avast_antivirus

E! Online Twitterhackers claim Justin Bieber is Gay. Teenage girls cry with disbelief.sbks.co/pmldg4/ @eonline has been fixed.

— avast! Antivirus (@avast_antivirus) May 7, 2013

This is the official Twitter account for Avast!, an award-winning and immensely popular piece of antivirus software that is completely free and available on Windows from XP all the way up to Windows 8. The feed focuses on the latest security news, as well as updates regarding the Avast! software.

Graham Cluley @gcluley

The Onion is Twitter hacked by Syrian Electronic Army. Hardly anyone notices wp.me/p3qRGV-W3Q

— Graham Cluley (@gcluley) May 6, 2013

This is the Twitter account of Graham Cluley, the editor of Naked Security at Sophos, a company responsible for a mix of free and paid security software. Naked Security is the newsroom at Sophos, delivering updates and advice on the latest happenings. Cluley also tweets other security-related links.

McAfee Inc. @McAfee

Heard about the @ap Twitter account hack? @garyjdavis shares the phony news and tips to keep your account secure: bit.ly/13d8jdD

— McAfee Inc. (@McAfee) May 6, 2013

This is the official Twitter account for McAfee Security, a company dedicated to security solutions for computer users, both on a personal level and in the business world. The feed focuses on up-to-date security news, as well as updates directly related to McAfee products.

Mikko Hypponen @mikko

Play a game of Asteroids and disclose a list of websites you’ve visited:lcamtuf.blogspot.it/2013/05/some-h…Nice idea and a proof-of-concept by @lcamtuf

— Mikko Hypponen ? (@mikko) May 5, 2013

This is the Twitter account of Mikko Hypponen, the Chief Research Officer for F-Secure, a computer security company based in Finland. F-Secure offers a huge range of security products and services, and Hypponen has worked for the firm since 1991. His tweets flit between addressing security issues and personal news.

Symantec @symantec

Join Symantec & small business expert Rieva Lesonsky to learn how to protect and secure your business’s valuable data bit.ly/ZGGnxw

— Symantec (@symantec) May 2, 2013

This is the official Twitter account for Symantec, a company with a full complement of products designed to protect individual users and businesses when they connect to the Internet. The feed keeps followers updated on the latest happenings in the world of online security, as well as news related to Symantec products.

Jeremiah Grossman @jeremiahg

During 2012, 86% of all websites tested had at least 1 serious* vuln. serious = vulns leading to system breach, data loss. #WebsiteVulnStats

— Jeremiah Grossman (@jeremiahg) May 2, 2013

This is the Twitter account of Jeremiah Grossman, who is the Founder & CTO of WhiteHat Security, an Internet security expert, and public speaker on the subject. He tweets links to news updates about security issues, and personal views on the things happening in this space.

SANS ISC @sans_isc

[Diary] Report Fake Tech Support Calls submission form reminder, (Mon, Apr 29th): Previously we det… bit.ly/14JGsor #sansisc

— SANS ISC (@sans_isc) April 29, 2013

This is the official Twitter account for SANS ISC, which is the Internet Storm Center at the SANS Institute. Their job is to monitor the levels of malicious activity taking place on the InterWebs, and the feed links to the daily updates reporting on these levels as well as other news we should all be aware of.

Schneier Blog @schneierblog

Honeywords: Here is a simple but clever idea. Seed password files with dummy entries that will trigger an alar… bit.ly/18M4a00

— Schneier Blog (@schneierblog) May 6, 2013

This is the Twitter account of Bruce Schneier, an Internet security guru who has written several bestselling books on the subject. This feed auto-posts all of the blog content written by Schneier, which, as a whole, gives a detailed overview of the security issues the world faces.

Conclusions

My advice to those of you on Twitter — and you really should be using Twitter by now — is to follow these 10 accounts immediately and to start paying attention to what they’re tweeting. The trends, tips, and tricks they report could save you from suffering a security nightmare in the future, or help you recover from one you have already suffered.

Are there any other Twitter users you’d recommend everybody followed in order to keep on top of online security threats? Do you find any of those on this list particularly useful? What do you think of the need to stay secure online overall? Are the threats overplayed or is it a problem that is only going to get worse?

As always we’d love to hear your thoughts in the comments section below.

Image Credit: Surian Soosay

The post Stay Safe Online: Follow 10 Computer Security Experts On Twitter appeared first on MakeUseOf.

Sticky Password Pro 6.0 is an application that acts as a master database for all of your username/password combinations. It keeps all of them locked behind a master password, so you only need to memorize one super-strong password in order to secure a vast array of account credentials.

Sticky Password Pro 6.0 is available for USD $29.99 on Windows XP, Vista, 7, and 8 as well as iOS 4 and higher. There is a free version with limited features — you’ll only be able to create 1 profile and it will only store up to 15 username/password combinations. But here’s the good news: this time, we’re giving away 25 copies of Sticky Password Pro 6.0 worth a total of $750 for FREE!

If you want a chance at winning a copy, all you have to do is read through this review and respond according to the instructions at the bottom of the post.

Review of Sticky Password Pro 6.0

When you first load up Sticky Password Pro after installation, it’ll ask you for a master password. This master password is crucial because it’s the one and only way for you to access all of your stored username/password details. The best piece of advice for the master password is to make it long, use letters and numbers and special characters, and make it unique.

If you suspect that you have a keylogger on your system or you’re just paranoid that someone may be able to track your keypresses, Sticky Password offers you a virtual keyboard where you can click the keys of your password for additional safety.

Not only does Sticky Password keep track of all of your different username/password combinations, it comes with a browser plugin that will automatically enter your username/password credentials on sites that you have saved. This is such a convenient feature that this feature itself might be worth the purchase.

Depending on how many times you find yourself filling in login details each day, you could end up saving a lot of time. In addition, since Sticky Password can automatically enter these details for you, you’ll be less likely to use the “Remember Me” option on account-based websites, offering an additional layer of security.

This is what the main Sticky Password dashboard looks like. It’s quite modern and well-designed – not too cluttered, not too minimal, not ugly or overly flashy. Everything is organized in a smart and intuitive way.

We’ve gone over the main features of Sticky Password in previous reviews, but for those of you who are just learning about Sticky Password for the first time, here’s a brief overview of what this great application can do:

• Individual Identities so you can have multiple users or profiles with different username/password combinations.
• Multiple Accounts where each account is tied to an application or a website.
• Imported passwords for easy password transfers from your browsers and programs to Sticky Password.
• Ignored and Trusted websites to which Sticky Password will react differently.
• Password generator that will create some of the strongest passwords for you.
• Database encryption (military-grade AES) so your passwords remain safe even when accessed.
• Phishing protection so that Sticky Password won’t send your sensitive details to imposter websites.
• Secure Memos to store other sensitive data: software licenses, credit cards, bank accounts, etc.

The latest version of Sticky Password implemented a few cool features that you may find useful:

• Portable version that lets you take Sticky Password with you on-the-go without the need to install. Combine it with the iOS app and you can keep your passwords sync’d with you no matter where you are.
• Account grouping allows you to keep your password accounts organized by sorting them under various categories that you create and control.

• Bluetooth unlocking allows you to set one of your own Bluetooth-enabled devices as the “switch” for gaining access to Sticky Password. Without that device nearby, the Sticky Password dashboard won’t open up.

Again, we’re giving away 25 free copies of Sticky Password Pro 6.0 to all of our beloved MakeUseOf fans and readers. Please be reminded that Sticky Password Pro 6.0 is only available for Windows XP, Vista, 7, and 8 as well as iOS 4 and higher.

How do I win a copy of Sticky Password Pro 6.0?

We have a new giveaway procedure in place, which will hopefully make participating much easier. You may enter using your Facebook credentials (which will require you to sign into Facebook) or by submitting your name and email address. You’ll receive one entry simply by doing so.

After that, you’ll also be offered various methods to earn additional entries. They range from sharing a link to this giveaway on social networks; to commenting or visiting a specific page. The more you participate, the higher your chances of winning!

This giveaway begins now and ends Friday, May 17th. The winners will be selected at random and informed via email.

The post Sticky Password Pro 6.0: Keep Your Passwords Safe and Organized [Giveaway] appeared first on MakeUseOf.

Perhaps most importantly, a lot of people don’t know what constitutes a DDoS attack. Despite its rising frequency, looking at the paper’s headlines, DDoS attacks can be anything from digital vandalism to fully-fledged cyber-terrorism.

So what does a DDoS, or Distributed Denial of Service attack entail? How does it work, and how does it affect the intended target and its users? These are important questions, and  this is what we’re going to be focusing on in this instance of MakeUseOf Explains.

Denial Of Service

Before we tackle the issue of DDoS, or Distributed Denial of Service attacks, let’s look at the larger group of Denial of Service (DoS) issues.

Denial of Service is a broad issue. Simply put, a website experiences DoS issues when it is no longer able to service its regular users. When too many people flock to Twitter, the Fail Whale pops up, indicating that the website has reached and passed maximum capacity. In essence, Twitter experiences DoS.

Most of the time, these issues are instigated without malicious intent. A large website links to a small website, which isn’t built for the same level of traffic.

A Denial of Service Attack, then, indicates malicious intent. The attacker spends effort trying to instigate DoS issues. The techniques used here vary wildly – a DoS attack refers to the intended result of the attack, not the way it is executed. Generally, by hogging the system’s resources, it can render the system unavailable to its regular users, ultimately even crashing the system and taking it down entirely.

Distributed (DDoS) Attacks

The difference between Distributed Denial of Service (DDoS) and regular DoS attacks is the scope of the attack. Where a DoS is carried out by a single attacker using a single system, a Distributed attack is carried out across multiple attacking systems.

Voluntarily Participating Agents

Sometimes multiple attackers join up, each willingly participating in the attack. Software that’s used to stress-test systems, or software specifically designed to wreck havoc is installed on each system. For the attack to work, it needs to be coordinated. Coordinated through IRC chat rooms, forums, or even Twitter feeds, the attackers throw themselves en-masse on a single target, trying to flood it with activity to disrupt usage, or crash the system.

When PayPal, Visa and MasterCard started boycotting WikiLeaks near the end of 2010, WikiLeaks supporters carried out a coordinated DDoS, temporarily taking down the homepage of multiple websites. Similar attacks have targeted other banks and even national security agencies.

What’s important to remember here is that the website storefront is flooded and crashed, whereas the bank’s and security agencies’ internal networks are usually left untouched, as explained in XKCD comic 932, shown above.

Zombie Systems Or Botnets

A Distributed Denial of Service attack requires multiple attack systems. It doesn’t usually require multiple attackers. Often, large-scale attacks are not carried out through the attacker’s own computer, but through a large number of infected zombie systems. Attackers can abuse a zero day vulnerability and use a worm or a trojan horse to gain control over a large number of compromised systems. The attacker then uses these infected systems to mount an attack against its target. Infected systems used this way are often called bots or zombie systems. A collection of bots is called a botnet.

Although the website targeted by the DDoS attack is usually portrayed as the sole victim, users with infected systems that are part of the botnet are similarly affected. Not only are their computers used in illicit attacks, their computer’s and Internet connection’s resources are consumed by the botnet.

Attack Types

As mentioned before, a DDoS attack only states the intent of the attack – robbing a system of its resources and making it unable to perform its intended service. There are several ways to achieve this goal. The attacker can hog the system’s resources, or even push the system over the brink and make it crash. In severe cases, a Permanent Denial of Service (PDoS) attack, also known as phlashing, wreaks so much havoc on its target that hardware components need to be entirely replaced before being able to recommence normal operation.

We’ll take a look at two important attack methods. This list is by no means comprehensive. A bigger list can be found on Wikipedia’s DoS article.

ICMP Flood

The ICMP (or Internet Control Message Protocol, but that’s less important) is an integral part of the Internet Protocol. An ICMP flood attack is carried out by bombarding a network with network packages, using up resources and crashing it. One type of attack is a Ping Flood, a simple DoS attack where the attacker effectively overwhelms its target with ‘ping’ packets. The idea here is that the attacker’s bandwidth is larger than its target’s.

A Smurf attack is a smarter way of ICMP flooding. Some networks let network clients broadcast messages to all other clients by sending it to a single broadcast address. A Smurf attack targets this broadcast address and makes its packages look as if they came from within the target. The target broadcasts these packages to all network clients, effectively serving as an amplifier for the attack.

(S)SYN Flood

A (S)SYN Flood relies on the essential operating principles of network communication. During normal operations, a client starts communication by sending the server a TCP/SYN package, essentially telling the server it wishes to communicate. The server, upon receiving the package, creates a connection to communicate with the client and sends back acknowledgement and a reference to the communication channel.

The client sends back an acknowledgement in turn, and starts its communication with the server. However, if the client does not answer with that second acknowledgement, the server asumes it didn’t arrive properly (as happens reasonably often) and resends it.

A (S)SYN Flood abuses this mechanic by sending countless of TCP/SYN packages (each with a different, fake origination specified). Each package prompts the server to create a connection and keep sending acknowledgements. Before long, the server has used up its own resources with half-open connections. This principle is illustrated in the comic above, drawn and posted by Redditor verisimilarity.

As explained above, DDoS attacks are varied but have a singular purpose: (temporarily) keeping authentic users from using the target system. Does this agree with your initial ideas on DDoS attacks? Let us know in the comments section.

Image credit: Shutterstock

The post What Is a DDoS Attack? [MakeUseOf Explains] appeared first on MakeUseOf.

If you read our password management guide you will know the importance of having diverse passwords. Sure, using one password for all of your online services is simple…until someone compromises one of your accounts. If all of your passwords are identical your online life is a house of cards.

KeePass Password Safe is a completely offline approach to password management, though you can combine it with cloud services like Dropbox if you want.

Using KeePass

Before you can use KeePass you need to create a database. You’ll be prompted to do so the first time you run the program, and the main thing you need to do is specify a password.

Take this password seriously – it’s going to be the one thing protecting your various passwords from anyone who gains physical access to your computer. It’s the key that will encrypt your database, so the longer – and the harder to crack – the better.

Once you’ve set up your account you’ll see the main interface of KeePass – essentially, a list of user accounts.

Creating a new entry is simple – just click the new entry button in the toolbar (I, after years of using this, frequently hit the button that creates a new database, but whatever). When you do, you can enter everything you need to know in order to access a particular account:

Give the account whatever “title” you want – that’s there for your purposes. You’ll obviously want to include the Username and password, but including the URL can also be helpful – especially if you plan to use browser plugins. More on that later.

Your password will be rated for security, and if you’re having trouble thinking up a secure password there’s a generator. Relying on such services is sometimes not recommended – no such software is perfectly random, meaning hackers could potentially exploit a pattern – but the optional entropy option can help.

If you currently use one password for every online account…stop. While you’re setting up KeePass, it is a good time to lock things down, and the password generator can help you make secure passwords. Adding your accounts, one at a time, while changing your passwords, can take a while – but real security takes work.

KeePass doesn’t just store your passwords – it also makes it easy for you to retrieve them. Right-click any entry and you’ll see the option to copy your username, password or URL immediately:

Learn the keyboard shortcuts indicated here for quick access – you’ll like it.

It’s also worth noting that there’s a search function. If you only use KeePass to store a few passwords this isn’t a big deal, but believe me, when your collection grows to 200 or 1,000 you’ll be thankful this feature is here.

KeePass Plugins

Do you like the idea of offline, encrypted password management, but also want browser integration? KeePass has you covered. A large collection of plugins allows you to automatically fill in forms on Firefox, Chrome and even Internet Explorer – and do a lot more.

Check out the KeePass plugins here. There’s a lot to explore here, and it goes well beyond browser integration. Be sure to explore if you want additional functionality.

Download KeePass

Ready to check out KeePass Password Safe for Windows? Head to the download page at KeePass.info. You’ll find both an installer (EXE) and a portable version (ZIP). You can also download a portable version at PortableApps.com, if you want.

Other Operating Systems

Are you not a Windows user? Then you should check out KeePassX, which works on Linux and OS X. There are some incompatibilities, so be sure to check out our KeePassX review to work all of that out.

There are other versions of KeePass, including KeePass Android. Check out the download page at KeePass.info for a complete list.

More Tips

Do you love the idea, but wish you could sync your database to other devices? You can easily use Dropbox to sync your database, and because it’s encrypted you’re protected from vulnerability. Any syncing service will do, too – you’re not limited to Dropbox.

Do you know of any other good KeePass Password Safe tips? Share them below, so everyone can benefit. I’m looking forward to reading your ideas.

The post KeePass Password Safe – The Ultimate Encrypted Password System [Windows, Portable] appeared first on MakeUseOf.

Sites like Twitter are not soft targets. They are protected by firewalls and other safeguards. Twitter has even implemented security protocols like DMARC for stronger phishing protection. But even as I write this, news has come in of a hijacked Associated Press Twitter account being used to broadcast false update of an attack on the White House. The Stock Market nosedived.  Twitter will beef up its defenses. We, the users are part of those fortifications. Usually, we are its weakest link too.

The Ground Covered So Far…

My friend Chris gave us the absolute basics you need to know to secure your Twitter account. Let’s rehash them again quickly:

1. Beware Phishing
2. Don’t Reuse Passwords
3. Manage Third-Party Apps
4. Improve Your Browser & Computer Security
5. Restrict Password Resets
6. Use a URL Expander
7. Lend a Helping Hand

I strongly urge you to read his popular article to grasp the first things you need to do. Here are a few more Twitter tips that should be useful to protect yourself against hackers.

Deal With Spam

An attack could come disguised in the form of a spam message on Twitter. Spam attacks take many different forms. Twitter recognizes aggressive following; exploiting @reply or @mention to post unwanted messages; and even creating multiple accounts as spam behavior. It could also be something as innocuous as posting unrelated links. The trick is to recognize spam early and take action to report it. Here’s how…

1. Click through to the spam account’s profile page.
2. Click the little silhouette icon next to the follow button to reveal the dropdown.
3. You can use the options (see screenshot) to report an offending account for spam. Alternatively, you can also block the account.

Twitter does not automatically suspend the suspected spam account. Though it prevents the user from following you or replying to you. You can also file a more direct violation report. Twitter has a support page which tells you all about how to report violations and any other suspicious activity.

Benefits of Protected Twitter Accounts

A Twitter timeline is public by default. You can exercise the option to set your tweets as ‘protected’. Protected Tweets are visible to your approved Twitter followers. A protected Twitter account gives you more hands-on control over who follows you. Each follow request will need your express approval. Your tweets will only be visible to your followers. Your protected tweets will also not show up on Google results.

Protecting your Twitter account is a more secure strategy, but it may come at the cost of open interaction. The Twitter support page goes into the nitty-gritty of protecting and unprotecting your tweets.

Do Not Share Your Location

Though sharing your location information may not lead to your account being hacked, no one can promise that it won’t happen to your home…which is even worse.  PleaseRobMe is an interesting website that tries to highlight this danger of over-sharing information on social media. For instance, sharing your location information could lead a burglar to your house when you are somewhere else.

The Settings page on Twitter takes you to the option of turning off your location information and also deleting all past references to it with a single click. You can also go into the location settings of your smartphone and disable the sharing.

Do Not Blindly Allow Third Party Apps

Third-party apps connected via your Twitter account have two levels of authorizations - read-only, or read-and-write. In effect, an app can access all the information in your Twitter account. An app with read and write permission can also post updates on your behalf. Also, your tweets may be protected, but images accessible through services like Instagram may not be. This represents a potential risk if an app in question is not legitimate. This brings us back to the moot point of carefully vetting each third-party app we grant access to, and periodically revoking access to apps we no longer need.

Be Cautious With ‘Out of The Blue’ Direct Messages

I just have to reiterate this again. There have been spates of direct message and email malware attacks. Direct Messages (DM) are supposed to be one-to-one interactions between two parties and is supposed to be private. In reality, DMs may be tapped by third-party apps which have access to your Twitter account. Phishing scams and backdoor Trojans also rely on links within messages sent to an unsuspecting account. Twitter advices against following ‘hundreds or thousands of accounts without having a look first.’

Stock market briefly drops then recovers after @ap‘s hacked Twitter account sends a fake tweet: yhoo.it/11hORt6

— Yahoo! News (@YahooNews) April 23, 2013

It is actually easy to detect phishing attacks with a bit of care. For instance: check the text and substance of the message. Also, be extra careful on mobile devices because smaller screens may make it that much more difficult to decipher a fraudulent screen. So, wait to check it out on a larger screen before you click it.

Here’s an excellent read on phishing at Fraud.org.

Sign Out Of Public Computers

This precaution sounds so obvious, but you would be surprised how many forget to do it. If you are on a shared computer, remember to sign-out of Twitter to prevent someone from getting access to your open account. In a similar vein, always use a passcode to lock your smartphone and prevent snooping eyes.

Disable Java

Java is unsafe say security experts. The U.S. Department of Homeland Security has actually issued a public advisory on disabling Java if not needed in your browser. It is always a good idea to continually update Java, though disabling it could be a cautionary tale in closing the backdoor before someone sneaks their way in.

A final note: If your Twitter account has been breached, you can reset your password. Follow this Twitter support page to secure your account and stop further unusual behaviors

The ease of tweeting sometimes lulls us into a false sense of security. We forget that Twitter is arguably the most open of all social sharing sites. That’s the fruit as well as the peel we can slip on. If you spend a better part of the day on social media, you will appreciate that Twitter’s security settings are far easier to understand and set than those of Facebook. Now, we just have to give it some thought and a few minutes so that we don’t fall prey to hackers. What other Twitter security tips would you like to suggest? Did you learn it from bitter experience or are you among the wise ‘n cautious folks who play safe rather than be sorry?

Image Credit: Shutterstock

The post Don’t Get Hacked On Twitter – What To Do To Stay Safe appeared first on MakeUseOf.

This is the holy grail for how hackers hack, so it’s important to understand how it can occur and what you can do to protect yourself.

Social Engineering

This is the most common attack method, and we’ve given a full account of one such process before, involving a scam technical support call that goes something like this:

• “Hi, I’m from the security team at Microsoft and we’ve detected a virus warning from your Windows PC”
• They instruct you to open the event viewer, where there are lots of warning messages awaiting you, proving there must be something wrong!
• They offer to fix it for you, you just need to go to this remote support site and download the remote control software.
• They gain control of your PC, and proceed to do meaningless fixes, like opening file property dialogs.
• The login details are passed onto a criminal network who now have full access to your PC anytime they wish, and a tidy commission is paid to the guy who made the call.

The fake technical support scam isn’t the only way this can occur of course – if you leave your computer in the hands of someone you can’t completely trust, there’s always a chance backdoor software could be installed. Although there’s no cases recorded, a Best Buy employee was found stealing raunchy pictures from a user’s PC – so there’s nothing to stop rogue repair technicians installing trojan software either.

While rogue technicians are certainly rare – the fake technical support scam is all too prevalent, and I’ve personally had to deal with the aftermath on family machines where they’ve fallen for it. The key to protecting yourself and your family is education – explain to less technically capable friends and family that these support calls are fake and they should simply hang up.

For single user computers, it’s also quite likely they’re using the administrator account by default. The safest thing to do would be to set up a restricted user account for them to use on a daily basis, and ask them to never use the administrator account without talking to you first.

Also, note that while Microsoft will never call you personally, they do sometimes contact home users – but only via their ISP so that they can confirm they are an existing customer, and charges will never be made.  This happened recently in 2010, when Microsoft set about cleaning 6.5 million computers of the botnet they were a part of.

Browser Vulnerabilities – Flash & Java

Modern browsers are themselves rather secure. Chrome and more recently others run website tabs in their own sandboxed environment, where no changes can be made to the local filesystem. However, plugins such as Java operate outside of this sandbox, so these remain a concern.

If these plugins are enabled and not blocked by the browser, malicious Java or Flash code can be run as soon as you visit an infected site, or even loaded through the untrusted ad-network of a trusted site.

Thankfully, most of these problems are mitigated by simply :

• running the latest version of a browser.
• keeping up to date.
• enabling “click to play” (so code doesn’t run automatically).
• uninstalling the Java plugin completely.

Really, no decent website uses Java anymore (note: Java and Javascript are completely different), and the average home user does not run Java applications.

Chris has explained the problem of browser plugin security before, so I’ll point you there for ways of either disabling or checking your particular browser and setup.

Port Scanning

I’m listing this last as it’s the least likely to affect home computers that are connected via a router. If you’ve read our explanation of what port forwarding is, you’ll understand that any application that needs to receive information over the network is required to open a port. Sometimes these are predetermined – such as a web server on port 80 – and other times they’re just random. By default, unused ports are closed, so that’s where the difficulties around port forwarding arise.

If you want to run a web server from your home PC, you’ll need to configure the router specifically to take incoming traffic for port 80 and forward it to your PC. Some applications and devices use uPnP, which handles this configuration of opening ports as and when required. If you have an Xbox 360 for instance and regularly play online, it’s using this to configure ports dynamically.

Port mapping involves a hacker scanning your router from the outside and systematically talking to every single port number, looking for open services. Once the services are found, the hacker is able to check certain characteristics that identify the version of software being run (“software footprints”). The version is then cross-checked against a database of known vulnerabilities, and if a match is found they can proceed with the exploit. Although this sounds laborious, in practice it’s a single tool to scan, cross-check and deliver the exploit.

Unless you’re doing things like setting up your own network servers and performing manual port forwarding, it’s unlikely you’re vulnerable to simple port scanning. However, if you’re curious about what ports are open on your home network, there’s a quick Internet-based tool available here, though you’re limited to the standard ports and 500 others. If you run Linux, check out the nmap tool for a more full test.

The exception to being protected by a router is when you’re connected to public Wifi. You’re placed on the same network as everyone else, and any one of them could be running a port scanner looking for vulnerable services.

Finally, Matt wrote a great PDF guide - HackerProof, Your Guide to PC Security - which should be considered essential reading on the topic.

Have you ever had your computer hijacked, and if so, what happened? Do you know how they got in?

The post How Can Hackers Hijack My PC? [MakeUseOf Explains] appeared first on MakeUseOf.

Installing such software on Android or BlackBerry devices is morally reprehensible but not quite as damaging as doing so on an iPhone. This is due to the walled garden approach that Apple takes, something the majority of iPhone users take at face value.

Installing iPhone spy software requires you breach this fortress-like security – and that’s just the start of the problems.

A Legitimate Use?

Spy software, by its very nature, is designed to snoop on people. It is for this reason that anyone reading this who is contemplating installing such software probably doesn’t care what I have to say about any aspect of doing so. Clearly if you’re thinking of doing this, morals are not your strongpoint and you’ve probably already ethically justified it in your head. I’d urge you to reconsider this standpoint, but it’s probably a battle I’m going to lose.

Much of this software is marketed in a very broad way. Not only is it advertised to snoopers who want to track the location of an individual or spy on someone’s smartphone usage but it’s also marketed as a legitimate security tool. This is complete rubbish, and will form the backbone of this article. If I can’t change the minds of those who deem such a practice necessary in the first place then I can try to redress the balance for those drawn in by dishonest marketers.

Parents – do not use this software to trace your children. There are free and safe ways of doing this which I will come to at the end of the article. Some marketers even try to target employers and so I must say employers – do not use this software to spy on your workforce. If you’re an employer who feels they need to be concerned about smartphone security then you shouldn’t be allowing non-company devices in the workplace. Period.

Warranty, We Hardly Knew Ye

There is no spy software on the market that will be able to do all it promises – i.e. spy on any activity, trace any location or upload any camera images – without voiding the device’s warranty. Parents installing such software will be voiding their children’s warranty on that device. Paranoid other-halves will be voiding their spouse’s warranties also, and this goes for employers too. Why? Jailbreaking.

Apple takes a hardline approach to security. The iPhone is not designed to run non-App Store software, this is seen as a security violation by Apple, as a restriction by some users and a safety net by others. Android does things differently – unchecking a box in settings allows the installation of non-Google Play apps, and it’s just as easily reversible.

Not so for iOS devices. These devices must go through what is known as a jailbreak, which involves loading custom firmware onto the device which provides greater freedom, allowing users to run all sorts of unsigned software on the device. Spy software is always unsigned for two reasons – it would never be able to perform its spying duties as a standard app due to iOS permissions and Apple would never allow it in the App Store in the first place. Many people don’t realise it but with some preparation a jailbreak can take a matter of minutes to complete.

When you choose to jailbreak an iPhone you are voiding your warranty by running modified firmware on the device. It will also void any AppleCare after-sales packages you have taken on. This is fine if it’s your own iPhone, and you understand the risks involved in doing so. Jailbreaking your device is generally a very safe operation, and even a jailbreak gone wrong is unlikely to “brick” your iPhone. It’s the jailbroken firmware you’re left with that poses the biggest security risk.

Jailbroken phones are able to run unsigned apps and this includes potential malware. If the root SSH password remains unchanged once the jailbreak is complete, malware could run riot on your phone and with no Apple guardians to oversee software, you have to rely on third-party developers to be the judge and jury. If you think about it, spy software is malware by design but marketed as valid software.

iPhones and other iOS devices that have been jailbroken are also often unable to run some genuine App Store apps. Developers have ways of detecting a jailbreak and can now prevent jailbroken devices from using their services. One example would be DIRECTV which delivers streaming video and another reported app is Skype for iOS. Many banking apps are also restricted for obvious reasons, two examples being CommBank and Kaching from Australia’s Commonwealth Bank. Getting these apps working again involves playing a game of cat and mouse between developers and the jailbreak community.

For the unsuspecting jailbroken victim, apps like these will flatly refuse to run as they won’t be installing the latest exploits to circumvent the restriction.

Detecting Spy Software

There’s actually no guarantee you’ll be able to find evidence of the spy software itself, as such software is designed to be hidden from view. Instead there may be a few left over telltale signs of a jailbreak, and if you find them and but have not performed a jailbreak yourself then you can pretty much guarantee someone’s designated you as a mark. If your partner or parent has jailbroken your device for you then it doesn’t mean you’re being spied upon, but it will be difficult to prove otherwise without reverting to stock firmware.

One sign of a jailbreak is the Cydia app. Even if this app has been hidden from the home screen, searching for it (swipe left-to-right on your first home screen) should still find it. First go to Settings > General > Spotlight and ensure that Applications is ticked. Then search for Cydia from your homescreen and if the application is there, your phone is jailbroken.

There is no guarantee of finding Cydia, and the careful snooper will probably try all they can to hide any signs of a jailbreak. Other apps to search for that might suggest a jailbreak include “Installer”, “Icy”, “SBSettings” and “Installous”. Similarly, installing an app like those mentioned above might reveal something is up if they refuse to run.

Removing The Software

Because jailbreaking is a game of cat and mouse played between Apple and those who choose to jailbreak, the latest and greatest iOS firmware won’t always be jailbreak compatible. Keeping your phone up to date and performing all iOS updates as and when your iPhone notifies you about them is the best way to remain secure. Eventually iOS versions will be jailbroken and at this stage removal is surprisingly easy.

According to many jailbreaking communities, reverting your phone back to stock Apple firmware does the trick. Myself I’m not so sure Apple isn’t noting down the unique identification numbers (UDIDs) of jailbroken devices via the App Store, but it would seem restoring your phone “as new” will remove all traces of a jailbreak.

For those of you convinced you’re being traced this is as simple as plugging your phone into iTunes and choosing Restore. If you choose to revert to a backup, there’s a chance some evidence of the jailbreak will be retained and if your phone needs attention from Apple (either as part of a 12-month warranty or the extended AppleCare package) then you will be denied service. For this reason, be sure to back up everything you want separately and transfer purchases within iTunes.

Parents Listen Up

There is a free alternative to spy software for parents who are concerned about the whereabouts of their children. Find My Friends works across Apple devices and uses Apple IDs to connect friends and family. By authorising a friend or family member to view your location in Find My Friends, they will be able to see where you are whenever they like. Creepy? You bet.

Find My Friends can be customised to prevent the location being displayed on the transmitting device. This is due to the fact that it is not spy software, but a tool for staying in touch. It gives the user a choice over whether to reveal their location at all times and it does none of the snooping on text messages, phone calls or camera photos. Using Find My Friends doesn’t teach your children that spying on people is the right thing to do, and instead pressures you to enforce basic smartphone safety and talk to your children about why you want to use such a service.

If you’re worried about your children’s uncanny ability to lose things then remember to enable Find My iPhone, a similar service accessible via iCloud. For as long as the phone is left in the same state it was when it was lost it will be traceable using Apple’s own plan B.

This isn’t a lesson in parenting, but a lesson in ethics and trust. It’s also a lesson in not being ripped-off by marketers trying to sell you a wolf in sheep’s clothing. Take a close look at the FAQs and you’ll see the requirement for a jailbreak quietly mentioned, behind advertising phrases like “completely undetectable”.

Finally

All software that promises to spy on an iPhone requires a jailbreak. Some do not mention it in their marketing speak, but it’s a requirement and for as long as Apple maintains its iron grip it always will be. Many of these packages are not one-off payments but subscription models that require a minimum term, which quickly adds up.

Be smart, be safe, be honest and don’t get ripped off. If you have any questions about your iPhone’s safety, spy software or alternative apps for other platforms then don’t forget to ask MakeUseOf Answers.

Have you had any experience with such iPhone spy software? Have you been on the receiving end? Have you ever installed or trialled a service? Is Find My Friends good enough? Get out the soapbox and have your say in the comments, below.

Intro image: Man in Hat Vector (Shutterstock)

The post The Dangers of iPhone Spy Software & How To Detect It [iOS] appeared first on MakeUseOf.

BitLocker is a feature of Windows 7 and 8 that is extremely useful, included in the operating system, and not nearly as many people know about it as they should. If you’re curious about what other cool stuff your Windows operating system might have, check out Christian Cawley’s, “The Top 5 Cool Hidden Features In Windows 8” and Yaara Lancet’s article, “8 Hidden Tools In Windows 7 You Still Might Not Know About“. Here, though, I’ll be focusing on Windows’ military-grade privacy tool called BitLocker.

What Is BitLocker?

Not all Windows’ operating systems have BitLocker bundled with them. At this point, it is just in the Ultimate and Enterprise editions of Vista, and Windows 7, and with Pro and Enterprise editions of Windows 8. You can also find it in Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. What BitLocker is, it’s a drive encryption tool. A drive encryption tool is something that takes all your data on any particular drive and make it completely unreadable to anyone but you. If you don’t have one of these operating systems, I suggest you take a look at TrueCrypt and our TrueCrypt User’s Guide: Secure Your Private Files.

There are two meanings for ‘drive’ in this case. One is any volume or partition on a single hard drive. You need at least two volumes on the drive to use BitLocker – a main volume that you probably will do your day to day work in, and another volume that is at least 100MB in size that will be your system’s volume. Your computer will boot from this volume. This volume can NOT be encrypted. That would make booting your computer very difficult.

The other ‘drive’ is any removable drive like your USB drive. This type of drive does NOT require a boot volume. Which is really cool, because if you encrypt your USB flash drive and you have sensitive information on it, you don’t really have to worry about anyone getting that information if you lose the drive.

How Does It Encrypt My Drive?

BitLocker drive encryption takes all the data on your drive and applies a bunch of fancy math to that data. Remember, all data can be boiled down to just numbers so it can be manipulated with math. Officially, this math comes in the form of algorithms, or sets of instructions, such as AES – 128-bit or 256-bit encryption, and Diffuser.

Let’s go through a very simplified process of encrypting the word ‘USE’.

Diffuser takes those three letters and scrambles them. It could come out as ESU, SUE, SEU and so on. Then BitLocker creates the key, which is the way to unscramble that word, and holds on to it for you.

Now BitLocker applies AES. AES is the Advanced Encryption Standard adopted by the US Government as a standard in 2001 – hence the military-grade designation in the title. 128-bit or 256-bit encryption defines how many bits a single bit of your original data may be represented by. Now, a bit is just one piece of data, like a letter or a number. Then, the math makes that particular bit into a ‘combination’ or key that is either 128 or 256 bits long. It’s like slapping a combination lock with a 256-numbers-long combination on a locker holding the letter ‘U’. Think about that.

Let’s go back to encrypting the word ‘USE’. You have to open three different lockers with three different combination locks, each with a combination that is 256 numbers long. Now, you can see how this would be a pain to anybody but the most dedicated cracker.

This is where it gets military-grade, I mean tank tough! Remember AES? Well that application puts each combination lock through the math 14 times for 256-bit encryption! Now, you have to know 14 different 256-bit-long combinations to get at your letter ‘U’. Forget it. Go home, cracker. Of course, BitLocker creates a key that will unlock, or decrypt that word for you.

At the end of it, there are two keys now needed to start the process of decrypting your data. If someone doesn’t have access to both of those keys, they are going to have to be very patient, very smart, and very dedicated to get at your information.

These keys aren’t physical keys of course, and they don’t resemble passwords either. By themselves, they would look like gobledy-gook to ordinary folk like you and me. But what Windows does is allow BitLocker to use those two keys to get at your data, as long as you can prove to the computer that you are who you say you are. These keys are held by the Trusted Platform Module.

What is a Trusted Platform Module?

The Trusted Platform Module is another key piece in the BitLocker set of tools to protect you. This is a bit of hardware that can be found on most computers.

What it does is check out your computer each time it boots to make sure no one has been trying to mess with the start-up procedures to get around your encryption. What it also does is prevent someone from just slipping the hard drive out of your computer and popping it into their computer to get at the files.

Depending how you set up your BitLocker, your TPM may just let you log on to your computer. Or, you might set it up so that it requires a PIN number to continue to logging in. Or, you can create a USB key that has to be plugged into your computer when you boot, to get you to the login stage. Or you can go hardcore and set it up to require that you have a PIN AND a USB key. The TPM applies only to volumes that are physically on your computer. USB drives don’t need a TPM, but they may need a PIN or USB key for verification.
There are computers without TPM’s, but for most computers manufactured after 2006, the TPM module is already on the motherboard.

Is BitLocker Totally Safe?

Well, no, nothing really is. But it’s as safe as you’re going to get without having the budget of the CIA or MI-5. Speaking of government spying, the UK’s Home Office has asked Microsoft to put a backdoor in BitLocker to allow them to have easy access to your data. Microsoft has flat out refused to do so. Score one for Microsoft.

So, How Do I Use BitLocker?

It’s surprisingly easy to use if you are just going to encrypt your main volume on the hard drive in your computer. Check out this short video on how easy it is.

If you want to get into the guts of BitLocker and use it on external drives or set up the different TPM validation methods, it can get a bit more complicated. Microsoft does have a Step-By-Step Guide for BitLocker on Windows 7. I haven’t seen any real documentation on Windows 8 yet. If you have, let us know in the comments, please.

Should I Use BitLocker Drive Encryptiong?

BitLocker is the best protection for your data that you are going to get just by buying a Windows computer. If you are concerned about data theft and the security of your information, why wouldn’t you make this military-grade tool a part of your computer security arsenal? It just makes sense. BitLocker is a serious tool developed for you by a company so many people think of as being evil at different times. I think this application is a redeeming quality for Microsoft and makes me feel less disgruntled about the cost of getting Windows.

What do you think? Do you currently use BitLocker drive encryption? I’d like to hear about your experiences with it. Do you feel safer knowing BitLocker is out there and may be a part of your Windows computer? Let’s hear about it in the comments. No encrypting please.

Image Credit: TPM on Asus Motherboard via WikiCommons, BitLocker Icon via WikiCommons, UK Home Office via WikiCommons, Lockers via Shutterstock

The post Free Military-Grade Privacy For Your Files: How Bitlocker Works [Windows] appeared first on MakeUseOf.

Having a different password for each service is a must in today’s online world, but there’s a terrible weakness to randomly generated passwords: it’s impossible to remember them all. But how can you possibly remember hundreds of passwords? The human brain is only capable of so much, isn’t it?

Three years ago, Tina wrote a fantastic post about creating good, secure passwords that are easy to remember. The post includes some excellent tips, and I highly recommend that you read it too. Today, I’m going to re-visit this important subject, and fill you in on some priceless tips and tricks on creating strong, solid passwords that are impossible to guess, but will nonetheless be easy to remember.

What Makes A Password Safe?

This should be obvious to most by now, but no article about passwords is complete without it. Read these criteria even if you think you already know them, it never hurts to make sure!

• It must be at least 8 characters long.
• It must not contain easily guessed information such your birth date, phone number, spouse’s name, pet’s name, kid’s name, login name, etc.
• It shouldn’t contain words found in the dictionary.
• It should contain special characters such as @#$%^& and/or numbers.
• It should use a variation of upper and lower case letters.

The Base Password

The trick to remembering a large number of passwords is having a base password you change according to the service you’re signing up to. The idea of the base password is by no means a new one, and I’m sure most of you already know all about it. To me, the real challenge is finding a good base password I can actually remember. While most suggestions for a strong base secure password include changing letters to numbers and symbols (i changes to 1 or !, s changes to $ or 5, etc.) and changing the spelling of known words (love becomes luv, to becomes 2), I find these methods confusing. This way of writing doesn’t come naturally to everyone, and you may forget what you replaced your letters with.

If this method works for you, by all means, go ahead. Choosing a strong base password like “spooner”, changing it around to become $p0on3r, and attaching the service’s name to it will work great. If you’re looking for other original ways to generate a strong base password, here are some great ones.

Use A Favorite Book

This is probably my favorite method of all, and can be really fun if you like books. Choose a book you own in paper format, open it on a random page, or find a paragraph you especially like, and locate a word you can use as the base for your password.

For example, I used Charles Dickens’s Oliver Twist. I turned to page 109 at random, and found the word “jocularity”. This is the 4th word on line 33 on this page, and therefore my base password can be 109jocularity334. You can use a paragraph number instead of line number, if you wish, and play around with the numbers to place them in a way that’s easier for you to remember. For good measure, you can add some symbols in strategic place.

You can even go ahead an mark the word in the book with a pencil, to make sure you can find it again if you happen to forget the password. Just don’t keep the book next to your computer!

Example for full password: 109$jocluarity33#4MUO

Play Around With Vowels

This is a method you can use for the base password and the way you append the service’s name. There are many ways to do this creatively, one of which is taking a favorite phrase or activity and removing the vowels from it. You can also use the vowels again at the end of the password, to make it really hard to guess.

For example, I like to ride horses, so I can take the phrase “Ride A Horse”, remove the vowels, and get this: “RdHrs”. I can now choose to append the vowels at the beginning or end of the password, like this: “RdHrsieAoe”. This looks completely random, but it’s actually not, and if you know what phrase you used, you can be typing it quickly in no time. If you want to make it more secure by replacing some letters with numbers or symbols, go right ahead. You can also attach a number or symbols you know you’ll remember, but don’t use something too obvious like your postal code or date of birth.

When appending the service’s name, you can also play around with vowels. For example, let’s say you’re creating a password for Amazon. You can use the first two vowels and first two consonants of the service, and end up with “mzAa”. You can get really creative with this, and find the way that’s easiest for you to remember, but as long as you stick with the same method all the time, you should be in the clear.

Example for full password: RdHrsieAoe#285$Mkae

Use Motor Patterns

This is a cool tip I found over at lifehack.org, and one I’ve been using for codes and such all my life without even realizing. Motor patterns are not about remembering actual passwords. Rather, you remember the pattern your fingers take when typing that password on your keyboard. Have you ever remembered a code you have to punch in or a phone number by the pattern you use to dial it? This is the same thing, and can be used to generate passwords that look completely random, but are easy for you to remember.

There are many ways you can go about creating such a password, but my favorite way is to base it on a number you know you’ll remember (again, nothing too obvious!). Let’s take 285, for example. The easiest way to create a pattern out of it would be to use the letters that are directly below these numbers on my keyboard. For example, 2wsd8ikl5tgh. Looks completely meaningless, doesn’t it? You can spruce it up with more complex patterns, upper case letters and symbols, but don’t go too far, or you might forget your password!

If you really want to play safe, you can continue with motor patterns when appending the service’s name as well. For example, by using the letters to the left of each key, MUO can turn to MnUyOi.

Example for full password: 2wsd8ikl5tghMnUyOi

Connect The First Letters Of A Passphrase

This s a fun way to create passwords that are really easy to remember. Pick a phrase you love, such as “Love Makes The World Go Round”, and use the first letter of each word to create a new word: LMTWGR. You can now use this base password in any number of creative ways. Some ideas are: reverse it, add numbers and/or symbols you’ll remember, or use first and last letters of each word (LeMsTeWdGoRd).

Now all you have to do is append the service’s name, and you’re done.

Example for full password: Le2Ms8Te5Wd#Go$RdMUO

Mix Words

This a great way to create secure passwords, but I find it a bit harder to use and remember without getting confused. Nevertheless, it’s still a very useful method, and since our brains don’t all work the same, I’m sure some of you will love it.

Take a phrase, activity, etc. with two or three words, and mix the letters up so all first letters come first, all second letters come second, and so on. For example, if my phrase is “chocolate milkshake“, my password will look like this: cmhiolckoslhaatkee. You don’t have to choose such long words, of course, you can always go for something like “eat cake” – ecaatke. It all depends on how secure you want to be.

If you want to take it a step further, use capital letters for one word and lower-case letters for the other. You can also insert your favorite number/symbol combination, as I’ve been doing with my other examples. The final step is to append your service name, and you’re done.

Example for full password: cMhIoLcLoLlHaAtKeE285MUO

Reverse

Reversing words is an obvious yet effective way to create secure passwords. Although I love black cats, my password can never be or include the phrase “Black Cat”. By reversing this phrase to taCkcalB or kcalBtaC, I get something that looks pretty much random, and is a much better fit for a base password. Some symbols and numbers could make it even more secure.

You can also use the reverse method on the service name. If you’re creating a password for eBay, try appending yaBe instead.

Example for full password: kcalB#$taC285OUM

Add Spaces

You may not be aware of this, but many services allow spaces in the passwords you create for them. I would not rely on spaces for your base password, as some services will not allow you to use them and you’ll be stuck, but you can try adding a space between your base password and service name, and see if that works. If it does, it’s another layer of security for your password.

Check Your Password

Now that you’ve devised a base password you can remember, it’s time to check how secure it really is. HowSecureIsMyPassword will tell you how long it would take a desktop PC to crack your secure password, and also provide you with tips on how you can improve it.

The Password Meter is also a great place to check your password, and gives your password a score from 1 to 100. It provides detailed feedback and suggestions on how you can improve your password.

These Are Just Some Suggestions

There are endless ways to create memorable and strong passwords. Remember that even the methods mentioned above are only examples, each of them can be used in slightly different ways to create completely different results. Go with what you think would be the easiest for you to remember, and build your password around that. As long as you follow the basic guidelines, and use the same rules for all your passwords, you shouldn’t have problems.

If you’re not convinced, and would rather continue with random ones, find the best ways to manage your passwords. If you need further help in managing your huge password collection, head over to our password management guide for some priceless information.

How do you create secure passwords that are easy to remember? Have some tips to share? Tell us in the comments!

Image credit: Lock image via Shutterstock, Password image via Shutterstock, Woman search book image via Shutterstock, Keyboard image via Shutterstock, Turn back sign image via Shutterstock

The post 7 Ways To Make Up Passwords That Are Both Secure & Memorable appeared first on MakeUseOf.

The scam needs a few things to be successful. First, the problem must be real. Whether the crook is putting mice in your crawlspace or malware on your computer, there is a real and verifiable threat. Second, they have to make themselves look like credible experts to make you think they can solve the problem. This could be an exterminator truck and coveralls, or the illegal use of an official logo like the RCMP. Third, they need to get your cash in hand quick before you can realize what’s going on. The exterminator might do this by saying something like, “Just give us $100 cash and we don’t have to charge you for a service call because we were already in the neighbourhood.” The online crook will take your credit card or a gift card.

Where things really take two different tracks between the real-life con and the online con is what can happen after you’ve paid them off. The real-life scum generally disappear, never to be heard from again. The online scum may leave behind malware that opens you up to them again and again. Or if they got your credit card and other personal information, they may just ruin your life as you know it.

First Things First

Yes, you’re going to get the whole “an ounce of prevention is worth a pound of cure” speech. Why? Because it is true.

Make sure that you are using a full gamut of security software – anti-virus, firewall, anti-phishing software, what have you. There are plenty of freeware versions out there that are very good. Make sure that all of your security software is up-to-date, and all the important security updates for your operating system are installed. Make sure that you are using your computers System Restore utility or back-up software. Try to stick only to reputable websites, don’t download pirated materials, and only open attachments that you are expecting to receive.

But, unfortunately, if you’re reading this, you probably missed a link in that chain somewhere. So what now?

Is It Ransomware?

So how do you know you’re being taken? Here’s a few clues:

• Microsoft does NOT make house calls.
• The police DO make house calls.
• The software that the ransomware claims to be is NOT the security software that you installed.
• Helpful people don’t disable the rest of your computer until you pay them.

If any of the above apply to your situation, you just might have ransomware.

Now What?

Force your computer to power down. Most often this can be done just by holding the power button down for a few seconds. Before you get ready to power your computer up again, be ready to hit the F8 button. What I normally do is hit the power button and start tapping the F8 key about once a second until I get a text screen like the one below.

Now, chose Safe Mode with Command Prompt. You’ll see some text go flying by and eventually you’ll just see a line of text with a cursor blinking at you. At this point, type this in and hit Enter:

C:\windows\system32\rstrui.exe

Why do you have to do this from the command line? You might not have to, but the most recent and virulent police/RCMP/ukash ransomware only seems to be able to be defeated in this manner. The command line mode of Windows only loads the MOST essential services and does not connect you to your network  or Internet connection.

Once the System Restore utility opens, hopefully you’ll have a few restore points to choose from. Choose one that is definitely a time before you got the ransomware. Follow the prompts to restore your Windows installation to that point in time. The restoration process might take a little time, so relax.

Reboot your computer and allow it to go into Windows normal mode. That’s done by just sitting back and letting the computer do its thing. The ransomware should now be gone.

Run your antivirus software and perform as thorough a scan of all your hard drives as possible. This might take a little while so relax and have a fine beverage.

Once this is all done, you may want to scan your computer with another antivirus program. Let’s face it, yours missed it the first time.  ClamWin is a decent one that can be run from a USB drive.

I Disabled System Restore

Why? I bet you feel a little silly now, don’t you? Fret not, there are still ways to remove this ransomware. You’ll need the following:

• An empty USB drive or CD to which you can burn files.
• A computer with an Internet connection that is not infected.
• A little patience and courage.

Get on the Internet and look for Windows Live Repair CD’s. There are a bunch of them out there, but any of the ones that Justin mentions in his article, Three Live CD Antivirus Scanners You Can Try When Windows Won’t Start. They are all EXCELLENT choices. I keep all three in my IT toolkit.

If you’re looking for bootable USB tools, you can try Dave’s article The PC Repair Toolkit in your Pocket: Boot CD on a USB Stick. Sure the article is from 2008, but the method and software are still valid and works like a charm.

How Do I Use The CD Or USB Drive?

Before you power down your computer, you want to put the CD into your CD drive. If you are using the USB drive option, wait until the computer is powered down to insert it.

Now restart the computer. As it is restarting you’ll need to tap the button that will give you the Boot Menu. On my Acer, it’s F12. It may be different on your computer. Once you get the boot menu, choose to boot from the CD/DVD drive or the USB drive – whichever applies to you.

Your computer is going to use the USB or CD drive as its operating system, so don’t expect to see anything like Windows. Use the antivirus software that is on the USB/CD to give a complete and thorough scanning and cleaning of your computer. Follow the antivirus software’s recommendations, which will usually be to delete the offending files. This process may take anywhere from 20 minutes to a few hours depending on the size of your hard-drive and the boot CD/USB that you are using. You can’t wander away though, stay there to respond to the alerts.

Once the process is done, log out of the USB/CD boot software, remove the USB/CD, and reboot your computer. You should now be ransomware free. If you are confident in your abilities, you may want to clean your registry once the computer reboots to remove any lingering bits and annoyances. Piriform’s CCleaner registry cleaning function is pretty good for this.

There it is. That’s as hard as it gets. I hope you don’t have to experience this issue, but if you do, I hope that I’ve been able to help you out. Worst case scenario, you shut the computer down and take it to your trusted IT person. Yes, you might be a little embarrassed that you got the ransomware in the first place – it usually comes from doing things you shouldn’t or those entertainment sites that aren’t for minors. But you’ll get the problem dealt with and enjoy a lesson learned. Plus your IT person has probably been to some of the same sites anyway – we’re all human.

If you’ve got any questions about what else you can do to remove or prevent ransomware, let us know in the comments. Our writers and fans are some of the best on the web, and can probably help you out – for free.

Image credit: Locked and chained computer via Shutterstock

The post Don’t Pay Up – How To Beat Ransomware! appeared first on MakeUseOf.

The ubiquity of the USB drive has made us overly trusting of the technology. We plug them in, pull them out, and plug them in again without a second thought to issues of security and protection. And I’m not just talking about “safe ejection” to prevent data corruption. I’m talking about viruses, malware, and all of those pesky nuisances that love to infect every corner of our systems.

Unfortunately for us all, we need to be diligent about USB security just as much as we are about hard drive and network security. Keep reading to learn more about this problem and how you can adequately guard yourself against it.

USB Drives Are Like Mosquitoes

When we hear about network and computer safety, we often hear tips and tricks that are somehow related to the Internet. Don’t click random email links. Don’t visit shady websites. Keep your firewalls up and your antivirus databases updated. Use safe passwords and stay vigilant against keylogger infections.

Now consider this scenario: a high-security headquarters where lots of confidential work with sensitive data is being done. Places like this are often isolated from the Internet, instead relying on a closed-circuit intranet for data sharing and communication. And when you consider a place that’s completely severed from the malice of Internet hackers, you’d think the security would be top-notch.

And in reality, the security is good. It’s near impossible to hack or corrupt an internal network like that without performing the kind of impressive stunts that you’d see in the next Mission Impossible. Yet even so, hackers were clever enough to find ways to infiltrate secure compounds from a distance: by infecting the very USB drives that employees would use to transfer files from outside to inside the building.

There are plenty of cases where viruses piggybacked onto USB devices in order to spread like wildfire across the world. Remember the dreaded Conficker worm? The United States military ended up having some trouble with the agent.btz worm that was brought in through an infected USB drive. And more recently, there was the cyber-weapon Stuxnet worm.

And so, USB drives are like mosquitoes. They have the potential to pick up infections when plugged into an infected computer and they can spread those infections almost instantaneously as they’re plugged into other devices. This is why it’s so important that you keep not only your computers clean but your USB devices as well using regular scans and antivirus programs.

USB Disk Security

USB Disk Security is a tool from Zbshareware Lab that is as close to an all-in-one USB protection suite as you can get. It provides a whole host of features and safety options to keep you as protected as you can be in all things related to USB drives. Most USB security tools will focus on the USB drives themselves, but USB Disk Security goes way beyond that.

USB Disk Security has the following features:

• USB Shield, which protects you in real-time against connected USB devices.
• USB Scan, which scans connected USB devices for malicious software.
• USB Access Control, which prevents your computer data from being copied to USB devices.
• USB Drive Control, which prevents USB devices from even connecting to your computer in the first place.

USB Disk Security supports Windows XP, 2003, 2008, Vista, and 7, but it may interfere with other antivirus programs already installed on your system. It’s free with limited features. A lifetime license will cost you $55 USD which unlocks all features and includes all future updates to the software.

BitDefender USB Immunizer

As you might have surmised from the description of USB’s dangers, most viruses depend on automatically running when the USB drive is plugged into a computer. This is in large part determined by the presence of an autorun.inf file which, as the name suggestions, automatically runs upon connection.

BitDefender, a security software company that I’ve praised in the past, has a free tool called the USB Immunizer that immunizes your chosen USB device against malicious autorun.inf files by creating its own special autorun.inf file that cannot be deleted or replaced.

BitDefender USB Immunizer works on Windows XP, Vista, and 7 on USB devices that are formatted with FAT, FAT32, and NTFS file systems.

USB Dummy Protect

The USB Dummy Protect program has an interesting theory behind the way it protects your USB devices. Long story short: viruses and malware require available memory space in order to exist on a USB drive, therefore, if you fill up a USB drive entirely and leave no space whatsoever, then viruses and malware can’t get on no matter what.

So that’s what USB Dummy Protect does. It creates a dummy.file file on your USB device that takes up every last bit of free space. When you want to remove that protection, you just delete the file. Easy. If you tend to transfer files to and from your USB drive frequently, this may not be the most elegant solution, but if you have a USB drive whose contents rarely ever change then this could be fantastic for you.

However, due to the way that FAT file systems are designed, this method will not work if your USB device has more than 4GB of free space (since file sizes in FAT systems have a maximum of 4GB). For NTFS drives, you shouldn’t experience any problems.

Conclusion

USB drive dangers require constant vigilance. You might use the same USB drive for years without a hitch, then one day you could grab a file off of your friend’s computer and end up infecting your home network with something serious. USB security is not often on the minds of computer users, even the tech-savvy ones, but as long as you are aware and take proactive steps against the potential spread of viruses that piggyback on USB devices, you’ll be all right.

If you have any other suggestions for software aimed at USB-related security, please share them with us in the comments.

Image Credits: Virus USB Via Shutterstock, Secure USB Via Shutterstock

The post Why USB Sticks Are Dangerous & How To Protect Yourself appeared first on MakeUseOf.

We’ve covered a variety of ways to encrypt everything on your computer, encrypt files you store in the cloud, have encrypted online conversations, and do lots of other things with encryption. Now we’ll get back to basics and explain the many threats encryption can help protect you from.

Protect Your Data From Thieves

Encrypting your storage protects the data on it from thieves. If someone steals your laptop, smartphone, or tablet, encryption can prevent them from accessing the sensitive data on your hard drive. The media is full of reports from business employees who lose laptops containing sensitive customer information, including credit card numbers – if only they had used encryption, they wouldn’t have embarrassed their employers and given their customers’ information over to identity thieves.

This is a dramatic example, but it’s true even for the average person. If you store financial data, business plans, or other sensitive documents, such as scans of tax returns with your social security number and other sensitive data on them, you should ensure your computer’s hard drive – or at least the sensitive files – are stored in an encrypted form. Encryption can also help protect any other type of private data that you don’t want someone else seeing.

Store Files Securely in the Cloud

Cloud storage gives us a great way to keep our files in sync across all our devices, storing a backup copy on the cloud storage corporation’s servers so we won’t lose it. It’s also a great way to share files with other people.

However, storing sensitive data – like financial documents and other personal information – in a cloud storage account could be a mistake. Dropbox once allowed anyone to log into any account without a password for four hours, and this would have allowed anyone to access your Dropbox account and view your files. Your files could also be accessed if someone gained access to your account through other means, such as using a leaked password that you re-used on several website

Encrypting sensitive files prevents them from ever being accessed without the encryption key, even in a worst case scenario when your cloud storage provider’s security fails or someone else gains access to your account. Encrypthion also allows you to securely share sensitive data with other people – just agree on an encryption key ahead of time (you could even do this in person) and then use that key to share sensitive files over email or a cloud-storage service without others being able to access it.

There are even cloud storage services that automatically encrypt your data before uploading it, decrypting it locally when you access it. Not even the cloud storage provider’s employees could access your

Prevent Others From Viewing Your Private Browsing and Conversations

Your bank and online-shopping websites like Amazon all use encrypted connections (the HTTPS URL with a lock in your browser indicates a secure, “encrypted” connection). When you access an HTTP website, your browsing activity is viewable in plaintext form. For example, if you’re sitting in a café using public Wi-Fi and performing Google searches while not logged in, anyone on the Wi-Fi network could monitor your Google searches and any other website activity taking place over HTTP. Even if you used HTTPS to access websites, people could still see the HTTPS website you access.

To avoid having your browsing activity tracked on public Wi-Fi, you could use a VPN or Tor to “tunnel” your browsing activity through an encrypted connection.

Encryption can also be used to protect emails and instant messages against prying eyes. Email is sent over the wire in plain text form, so particularly sensitive data should be sent in encrypted emails – or not over email at all. If you’re sending an important file via email, you can encrypt the file before emailing it.

Battle Over-Reaching Government Surveillance

The government is watching you. This may seem a bit paranoid, but it’s the reality of the world we live in. Our digital lives are being increasingly picked over by our governments, often without warrants or other typical legal protections. We’re not lawyers, but here are a few anecdotes that can give you an idea of the scope of what’s going on:

• In the USA, your emails are considered “abandoned” after you open them or after 180 days if they remain unopened. This allows the US government to view your personal emails without a warrant. If you encrypted your emails, the government would require a warrant to compel you to disclose the encryption key. (Wherever you are in the world, your emails may be stored in the USA and be subject to such access, too.) (Source)
• California’s Supreme Court has ruled that police can search through your smartphone without a warrant after arresting you. If you encrypted your smartphone’s storage, the police would require a warrant to compel you to tell them the encryption key. (Source)
• According to the EFF, the US government and major telecom carriers have “engaged in a massive program of illegal dragnet surveillance of domestic communications and communications records of millions of ordinary Americans since at least 2001.” Your emails, phone calls, and other communications are available to the government without a warrant thanks to this warrantless wiretapping. (Source)
• The version of Skype distributed in China has a backdoor allowing the Chinese government to snoop on their citizens’ conversations. Microsoft has refused to answer whether the version of Skype distributed elsewhere contains similar backdoors. (Source 1, Source 2)

This is just the USA – the situation is even worse in countries like China or Iran, where repressive governments will monitor all the unencrypted communications they can get their hands on.

It’s not paranoid to realize that governments are building massive databases of our communications and personal data. Encryption can be a way to help prevent your data from being accessed without a warrant or automatically logged in a database.

Do you use encryption for your hard drive, cloud storage, smartphone, emails, or any other type of communications? Leave a comment and tell us why.

Image Credit: Lock Icon via Shutterstock, Car theft via Shutterstock, Tor diagram via Electronic Frontier Foundation, CCTV cameras via Shutterstock

The post Not Just For Paranoids: 4 Reasons To Encrypt Your Digital Life appeared first on MakeUseOf.

Fortunately for us all, there are actually a few measures we can take to protect ourselves against phone spammers and telemarketers. Some of these measures are more serious than others (e.g., inflicting financial fines against the perpetrators) and others are just for our own sanity and peace of mind. Check them out and use the ones that work best for you.

Forward to 7726 (SPAM)

If you’re suffering from text spam, this solution might help you out (and others as well). Text spam can come from a lot of sources, though usually the spammers get your number from online contact forms and public profiles. If you truly want to stop all future text spam, don’t ever give your number away. Ever.

But when you do receive text spam, forward it to 7726 (the keypad combo for the word SPAM). Your wireless carrier will send you a reply asking you for the phone number that sourced the text. Text them back and your carrier will block that number from sending out any more unsolicited spam.

I’m not sure how many mobile carriers utilize this service, but it definitely works for Verizon and AT&T. If you want to make sure that your carrier has something similar, search Google for your carrier’s name and the phrase “text spam.” This works in the US, but your mileage may vary in other countries.

Report to a Phone Spam Service

Text spam may not be your biggest problem; what about phone call spam? Most phone call spam arrives in the form of telemarketers, and they usually call when you’re about to sit down for a hearty meal of dinner. Other forms of phone spam can occur all throughout the day and they’re all equally annoying. How can you hit them where it hurts?

If you live in the US, the Federal Communications Commission (FCC) has a form that you can fill out. It’s the 1088G complaint form and I’ve heard that it’s quite effective on a personal level. It’s not even inconvenient since you can just fill out the 1088G form online, never having to leave the comfort of your desk chair.

If you live outside the US, you may be able to find a similar complaint service to report spam callers. In the UK, for example, you could try complaining to the ICO.

Register for DoNotCall

If you want to be more proactive about not receiving spam calls, there are services that will place you on a “do not call me” list. Conveniently, the service is called DoNotCall by the FCC. Register your number and you’ll stop receiving calls after a month. If you do receive a call after a month, you can report the number to the FCC and the spammer will suffer some serious fines.

If you’ve been badgered to sign up for a “do not call” listing, then there’s a good chance it was a fake service that actually farmed your phone number. Here’s a notice by the official DoNotCall service:

Scammers have been making phone calls claiming to represent the National Do Not Call Registry. The calls claim to provide an opportunity to sign up for the Registry. These calls are not coming from the Registry or the Federal Trade Commission, and you should not respond to these calls.

Of course, the DoNotCall registry is only for the US. If you live outside the US, you may be able to find a similar spam-call-blocker service to keep yourself protected from unsolicited calls. In the UK, you might try Ofcom’s TPS service. For other countries, you’ll need to do some Google searching of your own.

Create a SPAM Contact

If you don’t want to mess with call registries and complaints, you could go the passive route by creating a SPAM contact on your phone. With this SPAM contact, you just pick up calls as normal when they come in. If the caller happens to be spam, then you add that number under the SPAM contact.

Now, every time a previous spammer calls you again, you’ll see it come up as SPAM and you can ignore it. You can even set a custom ringtone for the SPAM contact as 30 seconds of silence and you won’t even be bothered when they call. Of course, with this method, you’ll have to deal with a spammer before you can block them AND it only works if your phone allows multiple phone numbers per contact.

Conclusion

And now you have four methods of dealing with telephone spam under different circumstances. Be wary that even when you take measures against spam callers, they’re always trying to engineer new ways to spam their messages to innocent phone owners… just like with email spam. But if you follow the suggestions above, you can at least reduce their impact on your life for now.

Have any other ideas and suggestions for dealing with phone spammers? Please share them with us in the comments!

Image Credits: Stop Spam Via Shutterstock, Texting Via Shutterstock, Frustrated Caller Via Shutterstock, Spam Contact Via Shutterstock

The post How To Deal With Telephone Spam appeared first on MakeUseOf.

Take for instance RFID chips. These are Radio Frequency IDentification chips. You’ll probably be most familiar with them by seeing them on your bank cards or credit cards. These chips are being used as a replacement for the once ubiquitous magnetic stripe. By using RFID on these cards instead of the stripe, the convenience we gain is that they are less susceptible to damage, and don’t need to be run through a strip reader which has its own problems. How often have you had to run a card through three or four times per transaction? It’s a pain compared to just tapping the card reader. The RFID chips can also store more information and have that information encrypted, supposedly for your safety.

Like every new technology that comes along, intended to keep us and our information safer, there are legions of people out there willing to show is that it isn’t always safe. Really though, what is 100% safe? Nothing – we just have to have an acceptable level of security and, for all intents and purposes, RFID tags are reasonably secure. Yet, they can still be surreptitiously read, decoded, and used in crimes against you.

You may have seen videos of people using card readers bought online to brush up against a purse or wallet, thus harvesting the information from the RFID tags inside. In fact, what you see below is an RFID reader kit, called RFIDuino. Then the person takes that harvested information to their lair of evil and decrypts information to literally make copies of your bank or credit cards. At which point the Rolex shopping spree begins and you get stuck with the tab.

It doesn’t have to be this way. The odds of it actually happening to you in the first place are extremely slim. However if you want to protect yourself a little further, there are some very easy things you can do. Remember, the R stands for Radio, so anything that louses up your music radio’s reception is going to have a similar effect on these little things. If you want to understand how RFID chips work, check out this article.

Where Did It Go?

For people who carry a wallet in the back pocket of your pants, you can easily switch to putting it in your front pocket. This has two positive outcomes. One is that it makes it harder for someone to brush up against you with a reader. Most people react very differently when getting bumped in the groin area than getting bumped on the bum. This may be enough deterrent for most would-be thieves.

The other benefit is that it’s better for your back to not have lumpy wallets  throwing off the alignment of your spine when sitting. There are even commercially available front-pocket wallets with RFID blocking built in, like the one below.

If you carry a purse or handbag, you may consider not keeping your bank cards in it, but perhaps in something that is going to be on your body where you will naturally have higher vigilance against contact. If you need to keep it in the handbag, keep it in the innermost compartment of your handbag, in a wallet. All the other stuff in your bag could create enough interference to stymie the card reader.

Keep in mind neither of these methods is a 100% foolproof. They only make the likelihood of the card being read much less.

What’s IN Your Wallet?

No, really, what is in your wallet? Is it just a leather or fabric wallet? These don’t lend much stopping power against radio waves. There are commercially available wallets that are lined with aluminum or other metallic foils that help interrupt radio waves. But you can get a similar effect by lining your wallet with foil. There are dozens of ways you can do this and dozens of sites that show you how. If you have a wallet that has a billfold slot, the easiest thing you can do is to insert a sheet of foil there. Once the wallet is closed everything inside is protected by the foil.

You could also get a similar effect by using an anti-static bag – you know the kind that some computer hardware is shipped in. Those are somewhat similar to a Faraday Cage. All the other methods are simply fancier variations on this.

What IS Your Wallet?

You can step it up a notch and find a metal container to store your cards in. Again, there are various manufactured ones specifically designed for this purpose, or you can re-use some other item for the job. The always-popular Altoids tin works. Some people also use cigarette tins for this purpose. You might even use a tin that was used to hold playing cards. All of those introduce a metal shell that helps defeat radio signals.

Why Bother With RFID?

“Couldn’t I just pry the darn thing off the card? I mean, I’ve already got the magnetic strip there, that should suffice.” Oh if only it was that easy.

The card is not your property. If you read your contract, I’m sure you’ll find that the cards remains the property of the bank or company that issued it. So you’d be damaging someone else’s property. You may find that doing so invalidates your card completely. However, you might want to call the card issuer and see if they will issue you a stripe-only card. They might or they might not. You won’t know until you ask.

What Will Work 100%?

Forgo the convenience of having a bank or credit card to pay for things and only carry cash. Of course, that introduces its own set of problems. But if you feel strongly enough about it, it’s not a bad way to go. Carrying only cash has a nice benefit of limiting what you spend to what you have on you and cuts back on impulse purchases.

The next closest thing is to have an actual Faraday Cage for your cards, not just some tinfoil. Faraday Cages are specifically designed mesh-like metal holders that essentially filter out certain electromagnetic frequencies and siphons them off to the ground. This means that you’d have to know what specific frequency your RFID tags operated on and have the appropriate cage for that.

You would also need a grounding strip going from the cage to the ground. It doesn’t sound very practical now does it? You’d be like one of those cars with the motion-sickness strip coming off the bumper and hitting the road. Maybe that’ll be the new fashion trend someday.

In short, nothing will work 100% to eliminate the possibility of your RFID cards being scanned. All you can do is use or or more of the techniques above to limit the risk a little more. Also use your situational awareness. Keep an eye out for someone who just keeps bumping into people. Look for card readers that seem to have more things attached to them than they should. Don’t just hand your card over to a waiter and let them walk to the card machine with it. Treat your card like you would with cold hard cash – because it is.

I hope you feel more empowered now about the safety of your credit and debit cards. Maybe you feel  a little wiser but don’t be disheartened. People are essentially good.

If you got something from this, I’d sure like to hear about it in the comments below. It’s also a great place to share any additional stories or tips that you might have. Remember, we’re all in this together.

Image Credit: Client Card Sample via WikiCommons, RFIDuino via illustir on Flickr, Altoid tin via WikiCommons, Faraday Cage via WikiCommons

The post Don’t Let Them Scan You: Blocking RFID Chips appeared first on MakeUseOf.