
Heading To San Antonio for the NARTS Conference? Keep Your Connection Secure With Private Internet Access!


Are you heading to the NARTS conference in San Antonio, TX this year? If so, how you connect to the Internet while you travel is something you should be aware of – i.e. your connection is likely not secure.

First and foremost, if you connect to a public/free WiFi hotspot, you need to know that all of your network traffic can be captured. There are a variety of things an attacker can do when he or she has control of your network traffic:

[checklist]

  • Trick you into visiting fake, malicious sites.
  • Collect your sensitive passwords.
  • Collect credit card information.

[/checklist]

Even if you’re not on a public WiFi connection, your ISP, or whoever manages the connection, can see any website you visit.

If you’re connecting to a network that is not your home or business network, or if you don’t want your browsing activity to be viewable by your ISP, we recommend utilizing a VPN (Virtual Private Network).

What the heck is a VPN? A VPN creates a secure, virtual ‘tunnel’ across the Internet, through which your network traffic is transmitted. This prevents malicious attackers from seeing your network traffic as you connect to the Internet and other networks.

Which VPN do you recommend?

There are a variety of VPN options out there and a variety of situations to consider, but for a simple, easy, secure connection, we typically recommend Private Internet Access.  We’ve talked about PIA a few times before.

They have a great video that explains exactly what Private Internet Access does to keep you protected:


Private Internet Access, or PIA, is available for the following platforms:

[checklist]

  • Windows
  • Mac OS X
  • Android
  • iOS

[/checklist]

PIA is dead-simple to use – just click Connect… that’s it…

[hr]

Private Internet Access

[hr]

PIA alone is not enough to keep a device secure, but it does provide you with a secure connection when you have to connect to public networks.

What are some other security tips you recommend?

[checklist]

  • Prey – Locate your laptop, computers, phones, and tablets if they’re lost or stolen.
  • Device/Disk Encryption – If someone gets your laptop — it doesn’t matter if it’s a Mac or PC — all of your files are fully accessible. It means absolutely nothing if you have a password — all of your files can be viewed and copied directly from your hard drive. There are a variety of disk encryption options out there and we could dedicate a post to just this topic. Newer versions of Android and iOS are encrypted by default. Many mobile OSes allow you to enable encryption if it’s not enabled by default. There are also 3rd-party encryption programs, such as the final build of TrueCrypt.
  • Antivirus – I don’t care if you’re running Windows or Mac OS X, you should be running antivirus, period. If someone tells you otherwise, they’re being cocky and they likely are not personally responsible for your computer’s security. Not just any antivirus either. Stick with one of the top-performing antivirus solutions — we typically recommend ESET NOD32 Antivirus. Whatever you do, do NOT use Microsoft Security Essentials. It does not work and anyone who recommends it, well, they should stop doing that – they’re 100% incorrect.
  • Do Not Use Internet Explorer or Safari – Our first recommendation is Firefox. Some people have been falsely told that “Chrome is the best, install it and you’re secure!” We hope to dissipate that notion. Chrome is definitely a better alternative to Internet Explorer and Safari; however, simply switching to either Chrome or Firefox is not enough. You need to be concerned with ad-blocking, JavaScript blocking, and malicious changes to your browser, as well as click-jacking. This is why so many Mac users are getting their browser nailed with malware. Instead of letting a website just run whatever it wants in the background (and no, this isn’t stuff you have to enter a password for), you should stop all websites from running anything and only allow websites you truly trust. Right now, you’re letting any website you click run wild. It’s much better to take the option of NO website can run wild, except for the ones you explicitly trust. This is why we typically recommend Firefox, as the NoScript + uBlock/AdBlock Plus/AdBlock Edge + Public Fox combo is, hands-down, the most effective Web browser configuration @ preventing unwanted downloads or changes in/to the browser itself.
  • Do Not Log In As Admin/Root – Whether it’s a Mac or PC, it is better to log in with a ‘restricted’ account, instead of a user that has full access to do anything to your system.

[/checklist]

As always, if you have any questions, don’t hesitate to call us @ (888) 374-5422.

[hr]

Featured Image Source: Private Internet Access

The New Firefox ‘Quantum’ Update


The new Firefox Quantum update is here!  I’m writing this post mainly with consignment and resale storeowners in mind.

The first thing you’ll likely notice is, the ‘tabs’ have changed.  They’re square-ish and by default, the tabs you’re not currently viewing are darker:

[hr]

https://thecomputerpeeps.com/images/snaps/dean/15/2017-11-22_1243.png

[hr]

You’ll also probably notice the ‘bouncing dot’ page loading indicator:

[hr]

https://thecomputerpeeps.com/images/gifs/firefox_quantum_bouncing_dot.gif

[hr]

Also, by default there’s a bit of blank space — a.k.a. Flexible Space:

[hr]

https://thecomputerpeeps.com/images/snaps/dean/15/2017-11-22_1243_001.png

[hr]

The NoScript plugin (that little ‘allow’ icon) was not immediately available when Quantum launched, as it hadn’t been ported to a WebExtension.

In addition to the cosmetic changes, you should notice Firefox is much faster and consumes fewer resources (less RAM/Memory, fewer CPU cycles, etc.).

Some of the post-update maintenance tasks Peeps perform on our clients’ systems:

[checklist]

  • ‘Prune’ the toolbar — e.g. remove the Flexible space, position the uBlock Origin icon directly to the right of the Address Bar, etc.
  • ‘Prune’ the default New Tab page — e.g. remove Snippets, Highlights, and Recommended By Pocket clutter.
  • Disable Privacy & Security > Firefox Data Collection and Use user telemetry.

[/checklist]

Firefox Quantum also now includes a Deceptive Content and Dangerous Software Protection security setting (on by default):

[hr]

https://thecomputerpeeps.com/images/snaps/dean/15/2017-11-25_1052.png

[hr]

It’s a welcome addition, especially for consignment & resale storeowners who search the web all day long for item information, brand information, etc.  While this alone isn’t as effective as NoScript + uBlock Origin @ blocking JavaScript, redirects, etc., it’s better than nothing — I just can’t say I’d rely on it solely.

In summary, there are both cosmetic as well as performance differences, which are the key items I wanted consignment & resale store owners to be aware of.  Even a slight cosmetic change can throw someone for a curve and we get that, so I’d rather stores know it was a change that came with a reason vs. “Is something wrong with my computer/Internet!?”  🙂

Protect Yourself from ISPs Selling Your Personal Information


Everything you do on your Internet connection can be seen by your ISP.  That information, while you might not care who sees it, is about to become a commodity to be sold and utilized in ways you might not approve of.

We discussed VPNs and keeping your connection private while online, but many think that’s only when you’re on public networks, such as WiFi hotspots.  With your personal and business Internet browsing being fully accessible and up for sale, keeping any/all Internet activity private is something many might be interested in doing.

We still recommend Private Internet Access.

They have a great video that explains exactly what Private Internet Access does to keep you protected:


Private Internet Access, or PIA, is available for the following platforms:

[checklist]

  • Windows
  • Mac OS X
  • Android
  • iOS

[/checklist]

PIA is dead-simple to use – just click Connect… that’s it…

[hr]

Private Internet Access

[hr]

So don’t think a VPN is just for when you’re traveling.  Whether you’re at home or your consignment store, toggle that VPN on and keep your personal browsing habits, just that.

Liberty’s SMTP Relay Doesn’t Meet Modern Security Standards


We’ve been through this once before @ Liberty not being compatible with secure email systems such as Google:

[hr]

http://thecomputerpeeps.com/2013/02/consignpro-and-liberty-are-incompatible-with-gmail/

[hr]

We’re here again.  Liberty is still incompatible with modern, secure email systems, so RSW released the SMTP Relay utility — a stand-alone utility you install on each of your computers, which sends emails on behalf of Liberty.  It, too, doesn’t utilize modern security standards.

If you try to utilize Liberty’s SMTP Relay utility along with Google/Gmail, it will fail to send emails:

[hr]

Liberty SMTP Relay Fails to Send Emails through Google

[hr]

In your Google inbox, you’ll see a handy message telling you why:

[hr]

Liberty SMTP Relay Doesn't Meet Modern Security Standards

[hr]

From an app that doesn’t meet modern security standards.

Simple as that.

When software attempts to send emails, it has to follow certain rules, especially when it comes to SSL/TLS.  Certain techniques simply aren’t considered ‘modern’ and will be blocked by secure email providers such as Google.

Google offers a workaround for this though — i.e. enable the ‘Access for Less Secure Apps’ (https://www.google.com/settings/security/lesssecureapps) feature:

[hr]

Google's 'Allow Less Secure Apps' Setting

[hr]

ConsignPro suffers from this too.

Both vendors could easily fix this issue and any outside consultant or developer can verify what I’ve outlined above.

USPS Directing Customers To A Fake Website


So, I went to the USPS the other day to drop-off a few packages.  While I was there, I inquired about PO Boxes.  The clerk handed me a pamphlet with details about how to apply for a PO Box.  The pamphlet didn’t list any prices though and instead, tells customers to visit a website for pricing info.:

[hr]

USPS Hijacked Domain

[hr]

Seems like a nifty little domain name someone involved in marketing came up with.  I first visited the site on my mobile device and got this:

[hr]

Fake Website

[hr]

That’s weird, why is the website calling me a ‘UPS Customer’, when I’m visiting a website the USPS told me to visit?  While I use Firefox with uBlock Origin ‘locked-down’ pretty tightly @ ads, redirects, etc. uBlock Origin still allowed that fake site through and the redirect to take place.  Also, look at the address bar — I’m not at ‘yourotheraddress dot com’ anymore, I’m at some ‘survey’ website.  Neat!

When I try visiting that page on an actual computer, using Firefox with NoScript and uBlock Origin, I get the following:

[hr]

Fake Shipping Website

[hr]

Someone’s clearly tried to make the page look like an ‘official’ shipping website, but that’s a pretty janky looking website — and definitely not the USPS’.

Keeping Javascript blocked, the site still redirects to the following landing/parked page:

[hr]

'yourotheraddress' Landing Page

[hr]

And finally, if I enable JavaScript, the site is able to load its remaining content, at which point uBlock Origin detects the ad site doubleclick dot net:

[hr]

USPS Redirecting to Ad Sites

[hr]

So who owns this domain name?  Not the USPS.  If I do a whois lookup on the domain, it’s registered at a domain registrar in Shanghai and the server is located in Australia:

[hr]

USPS Domain Lost & Re-Registered in Shanghai

[hr]

While I didn’t detect any immediate malware from these redirects, this is a pretty serious issue.  The USPS registered a domain name to use for advertising purposes.  In 2011, they forgot to (or just didn’t) renew the domain.  Someone else came along and bought it, taking over ownership.  That new owner has created a fake shipping website to try and make it look like what visitors expect, when they’re told to go there by the USPS.  Ads lead to malware, but more importantly, the owner of this domain can redirect visitors to anywhere they’d like.

So due to the USPS neglecting to keep hold of a domain name they used in advertising, they’ve created a bit of a security hole and are putting customers at risk.

I contacted the USPS directly by phone and they referred me to a customer service department.  I was told this new department would be able to look into this and get to the bottom of it.  That wasn’t the case though.  When I spoke with customer service, they were a bit confused as to what I was explaining and simply asked that I go back to the USPS office where I was first handed the pamphlet, to let them know about the issue.

I tweeted USPS about this as well, but never heard back:


Since the USPS isn’t taking ownership of this issue and since they’re relying on me, a customer, to go around to each of the local post offices to tell them about this, there’s really nothing I can do other than bring this to the attention of those who utilize the USPS — specifically, anyone who inquires about a PO Box and wants to find out how much one costs.

The moral of this story — big companies, even the government, make major mistakes and let simple things fall through the cracks, putting individuals at risk.
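The lapse described in this post (a domain printed on a pamphlet, dropped, then re-registered by someone else) is something an organization can check for routinely. The following is an added example, not part of the original post: the domain, registrar and name-server names are constructed, the inventory structure is hypothetical, and the WHOIS text is assumed to use the common "Key: Value" registry layout.

```python
"""Audit domains printed on marketing material against their WHOIS records."""
from datetime import date, datetime, timedelta

# Constructed inventory: what the organization believes about each printed domain.
INVENTORY = {
    "po-box-pricing.example": {
        "registrar": "Example Registrar A",
        "first_printed": date(2009, 3, 1),
        "name_server_suffix": ".corp-dns.example",
    },
}

# Constructed WHOIS response (assumed "Key: Value" layout, not real data).
SAMPLE_WHOIS = """\
Domain Name: PO-BOX-PRICING.EXAMPLE
Registrar: Example Registrar B
Creation Date: 2011-08-14T02:11:09Z
Registry Expiry Date: 2016-08-14T02:11:09Z
Name Server: NS1.PARKING-HOST.EXAMPLE
Name Server: NS2.PARKING-HOST.EXAMPLE
"""


def parse_whois(text):
    """Parse "Key: Value" lines into a dict of lists (keys lower-cased)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def _first_date(record, key):
    """Return the date part of the first value stored under key, or None."""
    values = record.get(key)
    if not values:
        return None
    return datetime.strptime(values[0][:10], "%Y-%m-%d").date()


def audit_domain(domain, whois_text, today, warn_days=60):
    """Compare one inventoried domain with its WHOIS record; return findings."""
    expected = INVENTORY[domain]
    record = parse_whois(whois_text)
    findings = []

    registrar = (record.get("registrar") or ["<missing>"])[0]
    if registrar != expected["registrar"]:
        findings.append(f"registrar is {registrar!r}, expected {expected['registrar']!r}")

    # A creation date newer than the first print run means the original
    # registration lapsed and somebody registered the name again.
    created = _first_date(record, "creation date")
    if created and created > expected["first_printed"]:
        findings.append(f"registration created {created}, after first use in print "
                        f"({expected['first_printed']}): lapsed and re-registered")

    expires = _first_date(record, "registry expiry date")
    if expires is None:
        findings.append("no expiry date in WHOIS record")
    elif expires < today:
        findings.append(f"registration expired on {expires}")
    elif expires - today <= timedelta(days=warn_days):
        findings.append(f"registration expires in {(expires - today).days} days")

    suffix = expected["name_server_suffix"]
    strays = [ns.lower() for ns in record.get("name server", [])
              if not ns.lower().endswith(suffix)]
    if strays:
        findings.append("unexpected name servers: " + ", ".join(strays))
    return findings


if __name__ == "__main__":
    for finding in audit_domain("po-box-pricing.example", SAMPLE_WHOIS, date(2016, 7, 1)):
        print("po-box-pricing.example:", finding)
```

Run on a schedule against every domain that appears in print, the expiry warning catches the lapse before it happens, and the creation-date and registrar checks catch it afterwards.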

Heading To Scottsdale for the NARTS Conference? Keep Your Connection Secure With Private Internet Access


Are you heading to the NARTS conference in Scottsdale, AZ this year?  If so, how you connect to the Internet while you travel is something you should be aware of – i.e. your connection is likely not secure.

First and foremost, if you connect to a public/free WiFi hotspot, you need to know that all of your network traffic can be captured.  There are a variety of things an attacker can do when he or she has control of your network traffic:

[checklist]

  • Trick you into visiting fake, malicious sites.
  • Collect your sensitive passwords.
  • Collect credit card information.

[/checklist]

Even if you’re not on a public WiFi connection, your ISP, or whoever manages the connection, can see any website you visit.

If you’re connecting to a network that is not your home or business network, or if you don’t want your browsing activity to be viewable by your ISP, we recommend utilizing a VPN (Virtual Private Network).

What the heck is a VPN?  A VPN creates a secure, virtual ‘tunnel’ across the Internet, through which your network traffic is transmitted.  This prevents malicious attackers from seeing your network traffic as you connect to the Internet and other networks.

Which VPN do you recommend?

There are a variety of VPN options out there and a variety of situations to consider, but for a simple, easy, secure connection, we typically recommend Private Internet Access.

They have a great video that explains exactly what Private Internet Access does to keep you protected:


Private Internet Access, or PIA, is available for the following platforms:

[checklist]

  • Windows
  • Mac OS X
  • Android
  • iOS

[/checklist]

PIA is dead-simple to use – just click Connect… that’s it…

[hr]

Private Internet Access

[hr]

PIA alone is not enough to keep a device secure, but it does provide you with a secure connection when you have to connect to public networks.

What are some other security tips you recommend?

[checklist]

  • Prey – Locate your laptop, computers, phones, and tablets if they’re lost or stolen.
  • Device/Disk Encryption – If someone gets your laptop — it doesn’t matter if it’s a Mac or PC — all of your files are fully accessible.  It means absolutely nothing if you have a password — all of your files can be viewed and copied directly from your hard drive.  There are a variety of disk encryption options out there and we could dedicate a post to just this topic.  Newer versions of Android and iOS are encrypted by default.  Many mobile OSes allow you to enable encryption if it’s not enabled by default.  There are also 3rd-party encryption programs, such as the final build of TrueCrypt.
  • Antivirus – I don’t care if you’re running Windows or Mac OS X, you should be running antivirus, period.  If someone tells you otherwise, they’re being cocky and they likely are not personally responsible for your computer’s security.  Not just any antivirus either.  Stick with one of the top-performing antivirus solutions — we typically recommend ESET NOD32 Antivirus.  Whatever you do, do NOT use Microsoft Security Essentials.  It does not work and anyone who recommends it, well, they should stop doing that – they’re 100% incorrect.
  • Do Not Use Internet Explorer or Safari – Our first recommendation is Firefox.  Some people have been falsely told that “Chrome is the best, install it and you’re secure!”  We hope to dissipate that notion.  Chrome is definitely a better alternative to Internet Explorer and Safari; however, simply switching to either Chrome or Firefox is not enough.  You need to be concerned with ad-blocking, JavaScript blocking, and malicious changes to your browser, as well as click-jacking.  This is why so many Mac users are getting their browser nailed with malware.  Instead of letting a website just run whatever it wants in the background (and no, this isn’t stuff you have to enter a password for), you should stop all websites from running anything and only allow websites you truly trust.  Right now, you’re letting any website you click run wild.  It’s much better to take the option of NO website can run wild, except for the ones you explicitly trust.  This is why we typically recommend Firefox, as the NoScript + uBlock/AdBlock Plus/AdBlock Edge + Public Fox combo is, hands-down, the most effective Web browser configuration @ preventing unwanted downloads or changes in/to the browser itself.
  • Do Not Log In As Admin/Root – Whether it’s a Mac or PC, it is better to log in with a ‘restricted’ account, instead of a user that has full access to do anything to your system.

[/checklist]

As always, if you have any questions, don’t hesitate to call us @ (888) 374-5422.

[hr]

Featured Image Source: Private Internet Access

Apple ID Phishing Email


A client of ours received an email warning her that someone had used her Apple ID to download an app:

[hr]

Apple Phishing Email

[hr]

This email did not come from Apple.  This is a fake email, known as a phishing email, and they’re trying to bait the recipient into clicking on the links in the message.  The message tries to trick the recipient into thinking their Apple account has been compromised, when in fact, the message itself is attempting to do just that.

The links do not lead to Apple’s website.  Instead, the links lead to a malicious website:

[hr]

Apple ID Phishing Link

[hr]
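The gap between what a link displays and where it actually leads can be checked mechanically before anyone clicks. The following is an added example, not part of the original post: the message body, the hostnames in it and the trusted-domain list are constructed for illustration.

```python
"""Flag links in an HTML email whose destination is not the brand they claim."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the only domain the claimed sender links to.
TRUSTED_DOMAINS = {"apple.com"}

# Constructed sample body (not the email shown in the post).
SAMPLE_EMAIL = """
<p>Dear customer, your Apple ID was used to download an app.</p>
<p>If this was not you, visit
<a href="http://appleid.apple.com.account-check.example.net/signin">
https://appleid.apple.com/</a> to cancel.</p>
<p><a href="https://support.apple.com/">Apple Support</a></p>
<p><a href="http://203.0.113.7/apple/">Review your account</a></p>
"""

# Finds a hostname written out in the visible link text, if there is one.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def host_is_trusted(host):
    """True when host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def audit_links(html):
    """Return (href, text, reasons) for every link that deserves suspicion."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        reasons = []
        # Match on the END of the hostname: a trusted name used as a leading
        # label ("apple.com.something.example") does not make the host trusted.
        if not host_is_trusted(host):
            reasons.append("destination host is not a trusted domain")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and shown.group(1).lower() != host.lower():
            reasons.append("visible text shows a different host than the href")
        if re.fullmatch(r"[0-9.]+", host):
            reasons.append("destination is a bare IP address")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print(f"    - {reason}")
```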

This is the first place your Web Browser makes a difference.

If you use Internet Explorer and click that link, it does nothing to stop it (and that’s with Smart Filter protection enabled).

If you use Firefox, it detects it is a malicious link:

[hr]

Firefox Phishing Protection

[hr]

If you use Chrome, it detects it is a malicious link:

[hr]

Chrome Phishing Protection

[hr]

By no means should you rely on your browser as your sole point of Web security, but you can see how Internet Explorer compares to Firefox and Chrome when it comes to ‘safe browsing’.

Next, you get to see how well your antivirus holds up.  For you Microsoft Security Essentials users out there, it does nothing to detect, nor prevent this phishing attack.  If you’re utilizing ESET NOD32, you’re in better shape:

[hr]

ESET NOD32 Antivirus Phishing Protection

[hr]

[info_box style=”notice”]The Computer Peeps recommend a layered approach to Web Security, including OpenDNS Web Filter, Firefox w/ NoScript, AdBlock Plus, and Public Fox, as well as logging-in to your system as a non-admin + utilizing ESET NOD32 Antivirus (or one of the top performing antivirus solutions).[/info_box]

[hr]

The takeaways from this post:

[hr]

[checklist]

  • Be cautious and aware of emails that are trying to get you ‘riled up’, so you click on something without thinking.
  • Utilize an email service that does a good job of filtering out fake/fraudulent emails – e.g. Gmail/Google Apps for Business.
  • Switch to Firefox or Chrome.
  • Implement additional security in your Web browser – e.g. ad-blocker, Javascript/Flash blocker, password-protection for downloads/changes, etc.
  • Utilize a proper antivirus solution, such as ESET NOD32 Antivirus.
  • Do NOT use Microsoft Security Essentials.
  • Utilize a Web Filter, such as OpenDNS.
  • For daily-use, do not log in to your computer as an administrator.

[/checklist]

[hr]

If you have any questions, don’t hesitate to comment below or give us a buzz!

5 Reasons Why Consignment Stores Should Not Use Microsoft Security Essentials


We’ve compiled five very specific reasons why consignment and resale stores (or any business) should not use Microsoft Security Essentials (MSE).

First and foremost, what is Microsoft Security Essentials?  Microsoft Security Essentials is free security software provided via Microsoft.  On Windows 7, Microsoft Security Essentials is automatically downloaded via Windows Update, if an antivirus product is not detected on the system.  On Windows 8/8.1, it’s known as Windows Defender and is included out of the box.

#1 – AV Comparatives Considers MSE “Non-Competitive”

AV Comparatives regularly tests the major antivirus/security products and publishes their findings.  They recently published their October 2014 Real-World Protection Test results.

See the white, dashed-line?  That represents Microsoft Security Essentials:

[box]

AV Comparatives October 2014

[/box]

Now, no antivirus solution is 100% effective, 100% of the time, nor should antivirus be your sole point of system security/malware prevention.  However, MSE can’t even compete @ only 83.3% protection.

Source: http://www.av-comparatives.org/wp-content/uploads/2014/11/avc_factsheet2014_10.pdf

[hr]

#2 – AV-Test Revoked MSE’s Antivirus Certification

Two years ago, AV-Test revoked Microsoft Security Essentials’ antivirus certification.

[box]

MSE No AV-Test Cert

[/box]

Again, no antivirus solution is 100% effective and ratings from one testing firm should not be the sole reference point for selecting a security product.

MSE flunking though, is right in-line with real-world experience, as well as other testing firms’ results.

Source: http://www.maximumpc.com/article/news/microsoft_security_essentials_flunks_av-test_loses_certification419

[hr]

#3 – Microsoft Does Not Recommend Utilizing MSE

[hr]

Even Microsoft does not recommend utilizing MSE:

[box]

Microsoft Does Not Recommend MSE

[/box]

Source: http://www.howtogeek.com/173291/goodbye-microsoft-security-essentials-microsoft-now-recommends-you-use-a-third-party-antivirus/

[hr]

#4 – Computer Peeps Have Found MSE Does Not Work

The Computer Peeps manage hundreds of systems for consignment and resale stores all across North America.  We are directly responsible for keeping computers clean, protected, and available; computers which store employees utilize to search the Web for pricing, browse Facebook, sell on eBay, check email, etc., i.e. computers that are at high risk of getting infected.

We regularly work on systems that are utilizing the all-too-common (yet ineffective) Chrome + MSE combo:


In five years of managing, maintaining, and securing systems for consignment and resale store owners, The Computer Peeps have not seen a worse or less-effective antivirus solution than Microsoft Security Essentials.

[hr]

#5 – MSE Is Not PCI Compliant

Last but not least, MSE is not PCI Compliant.  First, it’s simply not considered antivirus by multiple, independent testing authorities.

Second, Microsoft recommends utilizing an actual antivirus product, further reinforcing that MSE is not antivirus.

Third, MSE does not have the ability to retain its log files for 365 days (required as per the PCI DSS, Requirements 5.2d and 10.7):

[box]

ESET NOD32 Logging

[/box]

Source: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

[hr]

This isn’t a matter of opinion or “We like pepperoni pizza vs. cheese pizza – so should you!”  It’s just really simple – MSE doesn’t work, it is not considered antivirus, Microsoft recommends not utilizing it, and multiple antivirus testing firms have found MSE cannot compete against even the worst antivirus program.

So please, if your tech or vendor recommends or implements MSE, stop them and ask them to remove it.  Then, ask them to install and configure a viable antivirus solution.  MSE is free and it helps avoid the topic of money – yes, viable antivirus costs money + time to configure.  Would you rather avoid the topic, or would you rather spend $57 for a viable antivirus solution?

AOL Data Breach, User Data Stolen


AOL is reporting a massive data breach which affects a “significant amount of users”.  AOL is recommending users change their passwords immediately.

According to AOL’s Security Team:

This information included AOL users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.

If you utilize AOL for your consignment software’s email functionality, or for your personal email, please be sure to change your password right away.

Windows XP Users, This One Could Get Messy…


A very common browser hijack/search redirect, Conduit, has a little bug in its uninstaller.  If you attempt to remove Conduit via Add or Remove Programs, it is rendering Windows XP machines unbootable.

For those interested in the technical details, Bleeping Computer has a great write-up.

This could get messy, since many will try to remove Conduit and other unwanted applications via Add or Remove Programs.  A little piece of adware could quickly render your consignment shop’s systems unusable.

The goal should be prevention, not removal.  See our recent blog post on how to better protect your system from this sort of infection.
