Category Archives: Computer Security

Virus, malware in general and all evil programs, begone!

October Windows Updates

Today, as is usual on the second Tuesday of every month, Microsoft is releasing its monthly updates for Windows. This month 7 updates are being published, 6 rated important and 1 rated critical. Microsoft Office and the Windows operating system are the main components affected by these updates.

As always, it is recommended you download and install these updates. If you have Windows Update configured to download and install automatically, no user intervention is required, except perhaps a computer restart at the end of the installations.

An up-to-date computer can be the difference between a clean one and an infected one.

New Vulnerability in Internet Explorer Being Exploited in the Wild, What to Do

You might have gotten wind of this: there is an unpatched vulnerability that affects the Internet Explorer web browser, versions 6 through 9, on Windows XP, Vista and 7, and it is being exploited in the wild. Unpatched means that no fix has been made available to remedy the weakness, so malware creators and other hackers can use it to take control of a user’s computer if and when a website set up to exploit the vulnerability is visited.

Although Microsoft releases updates and patches on the second Tuesday of every month, due to the severity of this one it is releasing an out-of-band update tomorrow Friday the 21st. It will be available through Windows Update. If you use Internet Explorer, it behooves you to apply that patch as soon as it’s released tomorrow.

On a related note, I personally don’t know why people still use Internet Explorer. Perhaps out of habit, having used it for years. But Internet Explorer is, from my point of view, the worst browser available. Any of the competing ones (Firefox, Google Chrome, Apple Safari, Opera) is preferable: more secure, faster and more stable. I’d recommend ditching Internet Explorer after test driving several browsers to find the one you like the most.

I’ll be glad to answer any questions on Windows Updates or different web browsers.

More on Hacked Email Accounts

(See this recent article for what to do if your email gets hacked). When helping yet another client get his hacked email account back, I came across two distinct hacker tricks that I think are worth mentioning.

One is forwarding. This particular hacker had changed a setting in the hacked email account (a Yahoo account) so that all emails received would be automatically forwarded to another email address, which was of course in the hacker’s possession. Thus, if the hacker sent emails from the hacked account to the contacts in that account with one of those famous Nigerian scams (by the way, the hacker was literally in Somolu, Nigeria) and got any replies, the replies would be forwarded to the email account of his choice. That second address, by the way, was VERY similar in wording to the original hacked email address, so only a very careful eye would notice the difference if the hacker then replied from the second account.

The second one, err, let me backtrack for a moment. There is a header that can be set on any email. It’s called “Reply-To”. User A sends an email to user B, but the email specifies that if user B hits the reply button, the reply will be sent to user C. This header has legitimate uses, but in this case it was a second hidden time bomb the hacker was using. All the emails sent from the hacked account carried a Reply-To header that would send any replies to the hacker’s own account. The only reason I noticed is that I was looking very closely. I mean, who checks that a reply is going to the right email address when hitting the reply button? Exactly. Very sneaky.

So you see, even once the hacked email account is recovered and back with its rightful owner, with the first trick the owner would still not be in control of the emails received, and with the second trick, any emails already sent out would, if replied to, end up in the hacker’s own email account.

The above are two tricks to be aware of, if your email account gets hacked or if you’re on the receiving end of a spam/scam-looking email from a known contact.

11/20/13: In handling the most recent email account hijacked, I became aware of yet two more tricks used by the hackers:

A) Use of filters. Email accounts often have the ability to set filters that perform certain actions on incoming emails, e.g. move them to specific folders as they come in, or delete them (for unwanted contacts). In this case the hacker had set a filter so that any email sent to the account went straight to the trash. That way nobody emailing the actual account owner would be able to get in touch with him/her.

B) Changing the signature. In this case the hacker had changed the phone number in the signature. In earlier cases they had included a malicious link in the signature, so that every email sent from that account in the future would carry the malicious link.
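The Reply-To trick described above is easy to check for mechanically, and so is the lookalike address the hacker used for forwarding. The following is an added example, not code from the original post: it parses a raw message, works out where a reply would actually go, and flags a Reply-To that differs from From but is visually close to it. The two sample messages, the example.com/example.net addresses and the 0.8 similarity threshold are all constructed assumptions for illustration.

```python
"""Flag replies that would go somewhere other than the apparent sender.

Added example, not part of the original post. The sample messages below
are constructed for illustration; the lookalike threshold is an
assumption, not a standard.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: Reply-To points at a near-identical address on another provider.
HIJACKED_MSG = """From: "Joe Blow" <joe.blow@example.com>
Reply-To: "Joe Blow" <joe.blow@example.net>
To: friend@example.org
Subject: Urgent, need your help

I am stranded abroad and lost my wallet...
"""

# Constructed sample: Reply-To goes to an obviously unrelated address.
REDIRECTED_MSG = """From: "Joe Blow" <joe.blow@example.com>
Reply-To: helpdesk@another-example.org
To: friend@example.org
Subject: Invoice attached

Please see attached.
"""

# Constructed sample: no Reply-To, so replies go back to the sender.
NORMAL_MSG = """From: "Joe Blow" <joe.blow@example.com>
To: friend@example.org
Subject: Lunch?

Tuesday works for me.
"""


def reply_target(raw_message: str) -> tuple[str, str]:
    """Return (from_address, address a reply would actually go to)."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # Mail clients fall back to From when there is no Reply-To header.
    return sender, (reply_to or sender)


def lookalike_score(a: str, b: str) -> float:
    """Similarity in [0, 1]; 1.0 means identical strings."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def audit_reply_path(raw_message: str, lookalike_threshold: float = 0.8) -> dict:
    """Describe where a reply would land and whether that looks suspicious.

    A Reply-To that differs from From is legitimate in some workflows, so the
    verdict is 'suspicious-lookalike' only when the two addresses differ but
    are visually close (the trick described above); any other redirect is
    reported as 'redirected' for a human to judge.
    """
    sender, target = reply_target(raw_message)
    if target == sender:
        return {"from": sender, "reply_goes_to": target, "verdict": "ok"}
    score = lookalike_score(sender, target)
    verdict = "suspicious-lookalike" if score >= lookalike_threshold else "redirected"
    return {"from": sender, "reply_goes_to": target,
            "similarity": round(score, 2), "verdict": verdict}


if __name__ == "__main__":
    for name, raw in [("hijacked", HIJACKED_MSG), ("redirected", REDIRECTED_MSG), ("normal", NORMAL_MSG)]:
        print(name, audit_reply_path(raw))
```

The same idea applies to the forwarding address: compare the configured forwarding target against the account's own address with `lookalike_score` and treat a high score on a different domain as a red flag.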

Oracle Java New Vulnerability Being Exploited in the Wild

The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser (as applets) or as standalone programs.

Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may enable a remote attacker to execute arbitrary code on a vulnerable system. This is done by convincing a user to visit a specially crafted HTML document, that is, a malicious web page (HTML is the language most websites use to display pages).

This vulnerability is being actively exploited in the wild, and exploit code is publicly available. One of the most popular hacker tools in use, Blackhole, has added this vulnerability to its toolkit. Blackhole bundles numerous exploits and tries each in turn until it finds one that works against the visiting computer.

Oracle’s next scheduled update to patch this vulnerability is in October, so for the moment there is no patch to install to handle the situation.

What to do

Disable the Java plug-in:

Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability. There are different methods for disabling the Java plug-in, depending on the web browser you use:

Microsoft Internet Explorer: Due to the complexity and impracticality of disabling Java in Internet Explorer, you may wish to uninstall Java to protect against this vulnerability, until a patched update is published.

Mozilla Firefox: How to turn off Java applets

Apple Safari: How to disable the Java web plug-in in Safari

Google Chrome: See the “Disable specific plug-ins” section of the Chrome documentation for how to disable Java in Chrome.

I’ll be glad to answer any questions you might have on the subject.

Multiple Malware Campaigns Impersonating Multiple U.S. Government Agencies

The United States Computer Emergency Readiness Team (US-CERT) has warned of multiple malware campaigns impersonating multiple U.S. government agencies, including the United States Cyber Command (USCYBERCOM) and the Federal Bureau of Investigation (FBI).

Once installed on a system, the malware displays a screen claiming that a Federal Government agency has identified the user’s computer as being associated with one or more crimes. The user is told to pay a fine to regain the use of the computer, usually through prepaid money card services.

Affected users should not follow the payment instructions. Instead, the computer should be scanned for malware with an appropriate antivirus program, and then measures taken to prevent the infection from recurring.

What Happens When Your Paid Antivirus Subscription Expires?

Note: This covers PAID antivirus programs. There are free antivirus programs that, because they are not under a time license, basically don’t expire.

What happens when your paid antivirus subscription expires? In a nutshell: Your antivirus program stops updating itself. But what does that mean and what are the ramifications?

To understand this, first you have to understand how traditional antivirus programs work. I’ve explained this before, but here’s the gist of it: Your antivirus program protects you from malware trying to infect your computer by keeping a list of all known malware (its definitions, or signatures). It then compares every file you open, every file you download, every email you get, and so on, against that master list of “bad guys”.

Because malware creation is such a dynamic subject, the list of known malware grows daily. In order to be effective, your antivirus must have the latest additions to the list of “bad guys” to recognize them. To the degree that it doesn’t have the most recent additions, it won’t be able to detect the most recent infections.

So, a typical antivirus program updates its list at least once a day. Some are configurable and can be set so they update themselves several times a day.

Now, let’s say you have a yearly license in your antivirus and it’s about to expire. Typically you get warnings and pop-up windows that alert you to the fact that your license is about to expire. So what happens if it does? Does the program stop functioning?

No. Typically, your antivirus program still works even after your license has expired, BUT your vendor will most likely stop providing updates. So as days and weeks go by, your antivirus program’s list becomes more and more outdated, and to that degree it won’t be able to detect the latest infections. The more outdated, the less effective. You get the idea.

This is so much the case that an up-to-date free antivirus program is probably more effective than an expired paid one. Even if the paid one is fancier and has more features, it’s of little use without an up-to-date definitions list.

Normally when your expired antivirus license is renewed, your antivirus will resume updating itself and you will stop getting warnings about it. Sometimes it requires asking the antivirus program to perform an update in order to bring the list up-to-date, and then it resumes doing it automatically from that point on.

Strong Passwords

The last article covered the ways your email account can be hacked. Since that relates to the strength of your email account’s password, let’s now cover how to create a strong password.

A strong password is one that is hard to guess. Some might call that an oversimplification, yet it is the basic definition. Having your password be “joe” when your email account is “joeblow@yahoo.com” is not very hard to guess; that would be at the extreme end of weak. So what’s at the other end?

A good, strong password:

1. Contains uppercase and lowercase characters,

2. Contains at least one number,

3. Contains at least one of the characters above the numbers on your keyboard ( !@#$%^&*() ),

4. Does not contain a word that can be found in the dictionary, and

5. Is at least 8 characters long.

OK, so now we know what a strong password is, but we have a problem: how do we craft one that can ALSO be remembered? “g5OmCU)k” might be a strong password by definition, but who is going to remember it? This is where mnemonics (a memory tool, any device or technique that aids information retention) come in handy.

Rather than going on a lengthy written explanation of how this all works, let me give you a link to a video that explains it all very well in under 4 minutes. Watch it and then come back to finish reading this article. Here’s the link to the video:

http://www.youtube.com/watch?v=VYzguTdOmmU

As you might have noticed, the last problem posed in the video, how to remember multiple passwords when you use a different one for each login, is solved by the use of a password manager. I personally use RoboForm to keep my 90+ passwords secure, and it even has a feature that will generate random strong passwords for me when required, which can then be stored and thus do not need to be remembered.
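To make the five rules above concrete, here is an added example (not code from the original post, and not RoboForm’s generator) that checks a password against each rule, gives a rough strength estimate in bits, and generates a random password that passes all five the way a password manager does. The short WORDLIST is a constructed stand-in for a real dictionary; the entropy estimate assumes the attacker knows which character classes were used.

```python
"""Check a password against the five rules and generate one that passes.

Added example, not from the original post or any password-manager product.
WORDLIST is a constructed stand-in; a real check uses a full dictionary
plus lists of leaked passwords.
"""
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()"   # the characters above the number keys (rule 3)
MIN_LENGTH = 8           # rule 5
# Constructed dictionary; matched case-insensitively as a substring (rule 4).
WORDLIST = {"password", "joe", "letmein", "welcome", "summer", "blow"}


def failed_rules(password: str, wordlist=WORDLIST) -> list[str]:
    """Return the names of the rules the password breaks (empty list = passes all five)."""
    failures = []
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("mixed case")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("symbol")
    lowered = password.lower()
    if any(word in lowered for word in wordlist if len(word) >= 3):
        failures.append("dictionary word")
    if len(password) < MIN_LENGTH:
        failures.append("length")
    return failures


def entropy_bits(password: str) -> float:
    """Rough strength estimate: length * log2(size of the character classes used).

    Assumes the attacker knows which classes appear. It shows why length
    matters most: each extra character adds a full log2(alphabet) bits.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in SYMBOLS for c in password):
        alphabet += len(SYMBOLS)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def generate_password(length: int = 16) -> str:
    """Random password satisfying every rule, drawn from the CSPRNG in `secrets`."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS]
    alphabet = "".join(classes)
    while True:
        # One guaranteed character from each class, the rest from the full
        # alphabet, then shuffle so class positions are not predictable.
        chars = [secrets.choice(cls) for cls in classes]
        chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
        secrets.SystemRandom().shuffle(chars)
        candidate = "".join(chars)
        # Retry in the unlikely event the random characters spell a wordlist entry.
        if not failed_rules(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["joe", "Joe.Blow2012", "g5OmCU)k", generate_password()]:
        print(f"{pw!r}: fails {failed_rules(pw) or 'nothing'}, ~{entropy_bits(pw):.0f} bits")
```

Note that the article’s own example “g5OmCU)k” passes all five rules but sits at roughly 49 bits; a 16-character password from the same classes is near 99 bits, which is the practical reason to let a manager generate long passwords rather than stopping at the 8-character minimum.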

May your email account remain secure.

How Did My Email Account Get Hacked?

Concerns over hacked email accounts seem to have increased as of late, mostly because, well, the number of hacked email accounts seems to have increased as of late.

Recently I covered how to proceed when you receive an email from a contact who obviously did not send it and might be the victim of a hack attack. But how do these attacks succeed and how many ways are there to perpetrate them? Knowing the answer would give you an understanding of what to do to stay safe.

So, I’m glad you asked. I’ll try to keep the answers simple. First, it wouldn’t hurt to understand how email works.

Broken down in the simplest way, an email account’s password can be compromised at two different points: 1) at the point where the user handles email (his/her computer, phone, tablet, etc.), and 2) at the server, where all the information on usernames and passwords is kept.

The common user does not have control over his/her email server, so if an attack succeeds at the server, there’s not much he/she can do about it. Pray maybe, or be careful as to which email provider he/she chooses. A definite measure he/she can take is to change his/her password periodically, and of course make sure all passwords are strong ones.

Unfortunately, much too often a) users don’t change their passwords periodically, b) the passwords are weak and c) the same password is used for many things, including their online banking identity and whatnot! The reason for all three is the basic need of the user to remember his/her password: a) changing it periodically makes it hard to remember which one is current, b) using familiar words or numbers makes a password weak but easy to remember, and c) who wants to remember 10 passwords when using the same one for everything is so much easier?

We’ll circle back to that. The point is, the server side of things is not much under the control of the normal user, and that’s one potential attack point. How those attacks occur is therefore not something the user can act on, so we’ll leave it at that.

The second point at which the password can be compromised is more under the control of the user, because it is within arm’s length and he/she is for the most part in control of it. This is of course his/her computer/phone/tablet.

So now, how many ways are there to figure out a password? Broadly, two:

The first one falls under the category of guessing, a specific type of “brute force attack”. This consists mainly of feeding passwords from a list, often a dictionary, to the login and trying each in turn. A computer program can do this very fast, so if the password is weak, the chances of guessing it that way are not bad at all.

The second one falls under the category of stealing/sniffing/recording. Basically a tool is installed on your computer that records keystrokes, or steals your password from the known locations where it is stored, and transmits it over the internet to a place the hacker has access to. In this case, changing your password, making it complex and unique, will not accomplish anything, since the moment you use your computer to change it, it will be stolen/sniffed/recorded again.
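The guessing attack described above is worth seeing in miniature. The following is an added example, not code from the original post: a small dictionary attack with the “mangling” users typically apply (capitalising, appending a year or “123”) run against a stored password hash. The wordlist, suffix list, salt and the salted-SHA-256 storage format are all constructed assumptions for illustration; real services store passwords differently and real wordlists contain millions of entries, which is exactly why a dictionary word with a number tacked on is not safe.

```python
"""Dictionary ("guessing") attack against a captured password hash.

Added example, not part of the original post. Wordlist, suffixes, salt and
hashing scheme are constructed assumptions for illustration only.
"""
import hashlib
import itertools

# Constructed wordlist; real attacks use millions of words plus leaked passwords.
WORDLIST = ["password", "joe", "welcome", "sunshine", "letmein", "blow"]
# Common suffixes people add to satisfy "must contain a digit" rules.
SUFFIXES = ["", "1", "123", "2012", "!"]
SALT = "c0ffee"  # constructed; assumed known to the attacker, as salts usually are


def hash_password(password: str, salt: str) -> str:
    """Assumed storage format: hex SHA-256 of salt + password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def candidates(wordlist=WORDLIST, suffixes=SUFFIXES):
    """Yield each word with the usual capitalisation and suffix mangling applied."""
    for word in wordlist:
        bases = {word, word.capitalize(), word.upper()}
        for base, suffix in itertools.product(sorted(bases), suffixes):
            yield base + suffix


def crack(target_hash: str, salt: str, max_guesses: int = 1_000_000):
    """Return (password, guesses_tried), or (None, guesses_tried) if the list is exhausted."""
    tried = 0
    for guess in candidates():
        tried += 1
        if tried > max_guesses:
            break
        if hash_password(guess, salt) == target_hash:
            return guess, tried
    return None, tried


# Constructed targets: a weak password built from a dictionary word, and the
# strong example used earlier on this page.
WEAK_HASH = hash_password("Joe123", SALT)
STRONG_HASH = hash_password("g5OmCU)k", SALT)

if __name__ == "__main__":
    print("weak  :", crack(WEAK_HASH, SALT))     # found after a handful of guesses
    print("strong:", crack(STRONG_HASH, SALT))   # (None, N): not in any wordlist
```

Against a real login page each guess is a network request and providers throttle or lock accounts, but against a stolen hash the only limits are CPU time and wordlist size, which is why the strength of the password itself still matters even when the server is breached.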

Therefore when one’s email account has been hacked, one should

a) Change the password to a strong, TEMPORARY one. This is in case the way it was figured out was a brute force attack rather than theft. Then

b) make sure there is no malicious software on your computer that is stealing/sniffing/recording your passwords. That is, of course, easier said than done, but it must be done. Ask an expert for help as needed. Finally,

c) once there is assurance that no data leak is active, change the password again to a strong, more permanent one. Even if no malicious software is found, it never hurts to change the password again, so it should be done regardless.

Hope I’ve been able to increase your understanding of the subject.

What is the Proper Way to Inform Someone Their Email Has Been Hijacked?

Somebody recently asked me this question. Many people have seen, every now and then, the weird emails coming from a friend or relative that could not possibly be sent by them, so I thought it’s worthwhile to make the answer broadly available:

If you want to inform someone that their email account has been hacked, it is usually wise to use an alternate mode of communication if possible (a different email address than the one sending the suspicious emails, or even a phone call). Sending an email to the address that seems to be hacked might only make things worse if the account is actually under the control of a hacker, for it confirms that your email address is valid and makes you prone to receiving spam (your email address will be sold on the black market for a price).

If YOUR email has been hacked, the first immediate action is to change your password, preferably from a different computer than the one you normally use, in case the cause of the hacking is password-stealing malware implanted on your computer. The next action is a thorough malware check, to make sure that malware is NOT the source of the breach (weak passwords can be guessed without any password-stealing malware, and in rare cases passwords are stolen from the computers running the email service on the Internet, the servers), and to get rid of any malware if there is any.

There is a possibility that your hacked email account has had its password changed to lock you out. To regain control of your email account you might need to reset the password. Most email services provide methods of doing that: security questions that only you know the answer to, a cell phone number a new password can be sent to as a text message, a secondary email to send a new password to. All of these must be set up in advance for this kind of eventuality, so a good preventive measure is to make sure these password reset mechanisms are in place for your email account.

Recent and Upcoming Computer Updates

A summary of recent and upcoming updates you should know about:

Windows Updates: Microsoft has published a Security Bulletin Advance Notification indicating that its May release will contain seven bulletins (updates). These bulletins will have the severity ratings of critical and important. The release of these bulletins is scheduled for Tuesday, May 8, 2012.

Google Chrome web browser: Google has released Chrome 18.0.1025.168 for Linux, Macintosh, Windows, and Google Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. It also contains an automatic update for Adobe Flash (covered next). To check what version of Chrome you have and to update as needed, click on the wrench symbol on the upper right corner of a Chrome window, and then select About Google Chrome.

Adobe Flash: Adobe released a Security Advisory for Adobe Flash Player a couple of days ago to address a vulnerability affecting the following software versions:

  • Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh, and Linux operating systems
  • Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x

This vulnerability may allow an attacker to take control of the affected system. There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. To check what version of Flash you have installed in your computer, click here.

Keeping your computer(s) up-to-date with the latest patches from the various software vendors is one of the key steps to fend off malicious cyber-attacks.