Stanford/Palo Alto Macintosh User Group Newsletter
February 26, 2010
I hope everyone was able to visit and enjoy MacWorld this year - despite the absence of Apple and other big names, there was still an enthusiastic crowd looking to sample Mac-based products. My personal highlights were LeVar Burton channeling Steve Jobs/Jimmy Stewart at David Pogue's opening show (you had to be there!), Kevin Smith's two-hour tour-de-force and the many cool iPhone apps (inexplicably crowded into a tiny area of the floor). Personal spending high - our old SMUG presenter friends' FastMac booth (you need backup batteries!)
Anyway, I trust we'll have time to discuss these and much more at our next meeting, which owing to ongoing conferences at SLAC will be on March 8 - that's right, March 8, in the Redwood Room.
March SMUG Meeting Agenda
Bill Atkinson, Apple Computer software legend and world renowned nature photographer, is back with an innovative product that redefines the way people create and send postcards.
With Bill Atkinson PhotoCard you can easily make dazzling, high resolution postcards on your iPhone or iPod touch, and send them on-the-spot, either through e-mail, or through the US Postal Service. The application is amazingly easy to use. To create a PhotoCard, select one of Bill Atkinson's exquisite nature photographs or use one of your own personal photos. Then, flip the PhotoCard over to type your custom message on the back. For a fun touch, jazz up your PhotoCard with your choice of decorative stickers and stamps. If you're e-mailing your message, it can even include an audible greeting in a voice note.
You can get more details on Bill's website.
At the last meeting, we ran out of time to demonstrate a Mac-based app called Pixelmator aimed squarely at Adobe Photoshop but at a fraction of the price of that bloated program. And once again, we have a download to give away to a lucky raffle winner.
Plus Q & A and the latest shareware offerings from Owen Saxton
February Meeting Report: Computer & Internet Security with Lynda Gousha
Following Dave Aston's timely presentation on privacy issues with Java & Adobe's ubiquitous Flash software, Lynda Gousha gave an overview of security issues that even perhaps-too-smug Mac users might consider. Lynda Gousha is from the Silicon Valley
Macintosh User Group. She has expertise in internet security & does research of
Lynda's talk was about security for Macintosh
users. What do you need to know to stay safe? She did not get into the
technical aspects of the topic, though she was open to contributions from SMUG
Lynda played a bank theft video, an interview on
60 Minutes with Shawn Henry, FBI Cyber Division, in November 2009. You can
watch this on the Internet.
Thieves made copies of bankcards in 49 cities throughout the world, and they stole about $100 million in 24 hours using stolen PIN numbers and account information. The bad guys added a device to ATMs that collects your data from your bankcard: if you see something weird at an ATM, trust your gut!
The above website lists businesses that have
been robbed, the date of theft, the amount stolen, and amount recovered.
Bullitt County, KY is an especially famous case.
Most banks require notice within 24 hours for
businesses, if your money is stolen; consumers are usually allowed 30 days, but
check with your bank so you know specific policies.
Some businesses are suing, saying the bank should have caught the fraudulent withdrawal of their funds.
Victims: Banks of Germany, August 2009
Changes were made to the web site as seen by the victims, so that the victims did not see the removal of funds from their accounts. Euro 193,606 was stolen (via a Trojan on the PC) from Aug 11-26, 2009.
Money mules are people who transfer money stolen in one country to another country. You might see an advertisement for a job where you set your own hours, are your own boss, and so on. You sign up, and your job is to withdraw from an account and wire transfer the money offshore. People are usually not aware this is an illegal operation.
Conficker is a computer worm that surfaced in November 2008. Over 7 million PCs are infected. This worm has done nothing yet; it just spreads. Some PCs have autorun, which has been a vector of the Conficker infections. Autorun has since been patched, but many PCs have not been patched, and many were infected before being patched. Conficker has shown up in
Adobe has vulnerabilities, such as in Flash,
Acrobat Reader, and more. These vulnerabilities have been patched; it is
important that you run your Adobe software updates!
There are anti-virus scams to beware of.
Anti-malware pop-up windows appear, on a Mac or PC. This is called scareware.
It says your PC is infected, and we have just the fix! Just give us your credit
card number! Some of these exploits prevent running the applications on the PC
until and unless you pay.
Let's discuss Macintosh OS X.
Vulnerabilities vs. Exploits
There are few exploits in the Mac OS, unlike
Windows. But there are vulnerabilities. Microsoft Office, Adobe Reader, Flash,
Shockwave are among the most vulnerable kinds of software.
Phishing emails are emails that claim to be from someone that you trust (UPS or FedEx, for example) but are fraudulent. They ask you to give them your
With attack websites, all you need to do is go to the website, and it downloads malware onto your machine. So far, the malware that is downloaded only runs on Windows, but Mac users should stay diligent. If you see something downloading without your permission and/or request, shut down your browser, or, if needed, even restart your computer!
If you are using Safari, you can go to Preferences, Security, and set it for more security. Now, remember that houses have bigger locks in Chicago than in Sunnyvale, CA. We are running Mac OS X, so we are less vulnerable since crooks go for easier marks. But it is still smart to adjust security preferences to not download stuff automatically.
There are web exploits. You can get a warning in Google searches that a website may harm your computer. Google, Firefox and Bing have such warnings about these sites; you can decide if you want to risk going to those websites.
Watch out for ads to get software for free, because along with it can come a Trojan! If someone offers free Mac OS X 10.6, or any software for your Mac that usually costs money, it is likely malware.
In web searches, bad guys set up sites around big news stories to try to make their website the first one that comes up in Google, like with Haiti donations, Michael Jackson dying, etc. Double-check the URL before you go there! This is called search engine optimization poisoning.
Very little nasty stuff on the iPhone, so far.
But jailbroken iPhones in Australia have been "Rick Rolled" in that
they were infected with a worm that pointed to a pop star named Rick Astley, but
that did not seem to do any real harm. Then, jailbroken iPhones were exploited
in the Netherlands. In that case the 'bad guys' did get into some peoples' bank
accounts. This was an SSH exploit using the default password. If you jailbreak
(or don't jailbreak) your iPhone, change the SSH password, and/or disable SSH!
There is phishing and spear phishing. With phishing, you get an email claiming to be from your bank or from the IRS, or some other 'trusted' source. It asks you to click on a link, and usually asks for your account information and your password. The phishing email claiming to be from the IRS says you are due a refund, or you are being audited. Remember the IRS will NEVER contact you about matters like this by email.
With spear phishing, the email is sent to a targeted person, such as a business executive. One case of spear phishing was aimed at a guy at a particular company, and told him to fill out a form for the Better Business Bureau or be sued. This email looks real! Remember to always contact companies or organizations by phone - using a phone number you
Then there is the usual Nigerian Scam, these
days being modified to appear to be from your friend! Call and see if your
friend is really in Nigeria.... it's not very likely.
You might get "See this link!" from your Facebook friend! Check to see if that message really is from your
Lynda showed an email: Notification from Discover Bank Account, Dear American Express Member. Um, when the email says it is from Discover card, and it says dear American Express member, THIS IS A FAKE! This email showed a warning across the top saying this is likely not from where it claims to be from. The warning came from Google, as this was sent to a Gmail account. Often, scam emails will contain obvious errors like this, but some are very well done, and
NEVER click on links in an email claiming to be from your bank, since very few banks work that way. If you think the email might be legitimate, pick up the phone and call.
As for your home network security, check to see that you do not use WEP for your WiFi security; WEP is very easy to crack. Use WPA or WPA2, and a good password. If you don't know what WEP or WPA is, contact someone who does, and get them to change your network settings. In some cases, you may need to update equipment - some older routers are only capable of WEP; but routers these days can be inexpensive, and the safety is worth the money.
Change the name of your network, rather than leaving it at the default name (i.e. NOT Linksys or Netgear). If you do not take these precautions, it is easier for someone to crack into your WiFi network and use it for their purposes - which could be criminal, or not. But it's best not to take the chance.
Now for a few passwords do's and don'ts. Do NOT
use dictionary words. Try using Mac OS X Password Generator. Long passwords are
good! Lots of people use short ones: computers take longer to crack long
passwords. TWITTER has banned passwords (you are not allowed to use them):
11111, 1234567, aaaaaa, access, computer, and so on. Passwords like password or
password1 are TOO EASY TO CRACK!
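As an added illustration of the password do's and don'ts above (example code written for this write-up, not anything Lynda or Twitter published), here is a small checker that flags the banned and dictionary-style passwords from the talk and estimates how much longer a brute-force search takes as a password gets longer. The guessing rate of 10 billion per second and the tiny word list are assumptions for the example.

```python
import math

# Passwords the talk listed as banned by Twitter, plus the "too easy" examples.
BANNED = {"11111", "1234567", "aaaaaa", "access", "computer",
          "password", "password1"}

# Stand-in for a real dictionary word list (constructed for this example).
DICTIONARY = {"computer", "access", "password", "monkey", "dragon", "sunshine"}


def check_password(pw, min_len=12):
    """Return the list of rules the password breaks (empty list means it passed)."""
    problems = []
    low = pw.lower()
    if low in BANNED:
        problems.append("on a banned list")
    # "password1" is still a dictionary word once the trailing digits are dropped.
    if low.rstrip("0123456789") in DICTIONARY:
        problems.append("dictionary word (possibly with digits appended)")
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    return problems


def alphabet_size(pw):
    """Size of the character set an attacker would have to search for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_years(pw, guesses_per_second=1e10):
    """Worst-case years to exhaust the key space at the assumed guessing rate."""
    combinations = alphabet_size(pw) ** len(pw)
    return combinations / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ["password1", "aaaaaa", "Tr0ub4dor&3x", "Redwood-Room-March-8-2010"]:
        print(candidate, check_password(candidate) or "OK",
              "%.2e years to brute-force" % brute_force_years(candidate))
```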
1password is an application that generates
passwords for you. (Note from Dave: Lynda told me that everyone who uses it
loves it.) PasswordWallet stores all your passwords. Freeware: Lastpass, and
for Windows, Roboform.
Use a different password for each website, or
for a bare minimum, use more complex passwords for your banking and other most
Facebook is a BIG target now.
WHAT DO YOU DO?
Keep your Mac up to date: do your security
updates. With Microsoft and Adobe software: run their software updates, or use
alternate software such as Preview, iWork, on the Mac. With emails and tweets
claiming to be from a bank or the IRS: check that, do not click and fill it
Do you want to see where a short URL is really
from? Expand those URLS by going to longurl.org/expand.
Do not use Windows for online banking. Linux is
a good alternative, as is Mac OS X.
Force quit your browser if something unwanted is
downloading. Delete all spam email, preferably without opening it.
Check your bank, credit, and debit card
For businesses, find out your bank's policies.
The podcast named Security Now. Also Brian Krebs, www.krebsonsecurity.com. Brian is a former reporter from the Washington
SANS - computer security email newsletter.
Security reality check is Lynda's website.
As for your Macintosh password, you can go to the Keychain Access application (it shows up in other places too). The password field shows a key icon, which asks what type of password you want: Manual, Memorable, and others. It tells you about the password: it might say this word is in the dictionary, and it shows a quality bar for that password (colors red, yellow, etc.).
Yes, it is good to change your passwords; one recent podcast suggested changing bank passwords when we change to and from Daylight Saving Time.
If you are DEEP SIXED, you should have your
passwords written down where friends/relatives can find them.
The 1password application integrates with all
known browsers. It goes beyond keychain. There is also an iPhone app for
1password. Everyone Lynda has talked to likes it. (Note from Dave: Hmm, I think
I said that!)
Data Guardian is an application to encrypt your
You can use a non-administrative user account,
especially with a Windows machine.
People visiting adult websites can get infected. (Note from Dave: Well, their computers can. Naughty naughty, be careful with that stuff!) The website might say, see our naughty pictures or videos, but you need to download a certain codec to see them! Don't do that if you want your computer to stay healthy.
//Dave Strom, VP/Director
See you all on Monday March 8th (remember - that's a week later than usual!)