Category Archives: Security

Securing Your Online Accounts – Is a Secure Password Enough?


I manage at least a dozen WordPress sites. I recently logged in to one of them to find a message from WordPress telling me that my password was found on a list on the internet and that I would need to change my password before being allowed to log in.

Pretty scary stuff.

I don’t use common passwords like P@ssW0rd123 (yes, this is a commonly used password). I use more than 6 characters. My password is definitely not 12345678 (go ahead and try).

I thought my password was pretty secure since it was not a common word. In fact, it was a word most people outside of my immediate family would not know exists, plus some random numbers and special characters.

I can almost guarantee that no one else is using this password.

Yet, the password somehow found its way onto an online list somewhere.

My assumption is that an online account somewhere was brute-forced, but I don’t know which account or where. It was likely not an account I care about. After you finish reading this you will understand why.

The Great Password Debate

There are lots of “theories” on what makes a good password. Most online communities and websites try to force you into using a combination of upper and lower case letters, numbers and special characters. They almost always require a password longer than 8 characters.

This would seem like a good policy, but here’s where it becomes a problem. Password cracking software and the computing resources it needs have become increasingly powerful, meaning it is becoming easier to brute-force a password with the right software.

The right software is easily and freely available on the internet. I talk about some of it on this website.

Requiring such passwords also makes it more likely that the password will be written down somewhere, usually near the user’s computer.

If you knew how many times I visited someone who asked for computer help, and they took out a piece of paper or small notebook with all of their passwords and account information (including bank account information) written in it, your eyes would jump out of their sockets.

And then they leave it in the open where I could easily read and/or take a picture of it. Lucky for them I am a nice guy.

Password strength is important, but let’s not overdo it.

Password Suggestions

NIST (National Institute of Standards and Technology) recently changed its stance on passwords. After a study performed by NIST it was determined that the complex procedures put in place by many online communities and employers were not accomplishing what they had hoped.

Longer passwords are more secure. The reason is that it takes exponentially longer for password cracking software to brute-force a password with each additional character. A 12 character password will take much longer than a 6 character password.

I don’t mean minutes longer. It can be measured in years or decades in some cases.
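To put numbers on that, here is an added example (my code, not part of the original post) that computes the keyspace, the strength in bits and the worst-case brute-force time for a few password policies, including the 6-character and 12-character cases compared above. The guess rate of ten billion per second is an assumed figure for a fast, unsalted hash on GPU hardware; the real rate depends entirely on how the site hashes its passwords.

```python
import math

# Character-set sizes used below: 26 lower, 26 upper, 10 digits, 33 printable symbols
LOWERCASE = 26
ALNUM = 26 + 26 + 10
FULL_ASCII = 26 + 26 + 10 + 33  # 95 printable ASCII characters


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits: log2 of the keyspace. Each extra character adds log2(charset_size) bits."""
    return length * math.log2(charset_size)


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password in the keyspace at the given guess rate (the average is half of this)."""
    return keyspace(charset_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest sensible unit, e.g. '110.5 days' or '1.7 million years'."""
    year = 365.25 * 24 * 3600
    if seconds >= 1e6 * year:
        return f"{seconds / (1e6 * year):,.1f} million years"
    for name, size in (("years", year), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


# Constructed policies for comparison: the "complex but short" style versus "long but simple".
POLICIES = {
    "6 chars, full ASCII mix": (FULL_ASCII, 6),
    "8 chars, full ASCII mix": (FULL_ASCII, 8),
    "12 chars, lowercase only": (LOWERCASE, 12),
    "12 chars, full ASCII mix": (FULL_ASCII, 12),
    "20 chars, lowercase phrase": (LOWERCASE, 20),
}


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Return {policy name: (bits, worst-case seconds)} for every policy in POLICIES."""
    return {
        name: (entropy_bits(cs, n), worst_case_seconds(cs, n, guesses_per_second))
        for name, (cs, n) in POLICIES.items()
    }


if __name__ == "__main__":
    # Assumed rate: 1e10 guesses/s, i.e. a fast unsalted hash on a GPU rig
    for name, (bits, secs) in compare_policies(1e10).items():
        print(f"{name:28s} {bits:6.1f} bits  {human_duration(secs)}")
```

At the assumed rate, the 6-character mixed password falls in about a minute, 12 lowercase letters take months, and 12 mixed characters take on the order of a million years; the length term dominates because every extra character multiplies the keyspace by the whole character-set size.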


7 Tips for Better Account Security

  1. Use song or movie titles, quotes or lyrics to make it easier for you to remember without having to write it down.

    For example, I might use “ABronxTale2017#” as my password. I would not use this specifically (because some people know this is one of my favorite movies) but something similar.

    Some people use lyrics from their favorite song or a line from a poem.

    These are all good options as long as you don’t share that on the internet somewhere.

  2. Use a password manager like KeePass or LastPass.

    It’s easy to forget your password, especially if you’re used to using the same one for multiple sites. Once you have a different password for every site, it’s nearly impossible to remember all of them.

    With a password manager you store your passwords in the utility and retrieve them as needed. You can copy the password into the website or application that needs it. Certainly easier than typing.

    LastPass has a Chrome plugin, smartphone apps and a Windows app to allow for even easier access to your passwords. This comes with inherent risks of course. If someone gains access to one of those devices they may now have access to all your passwords. The key is to create a strong password for LastPass and your device, and be able to remember them. Newer devices allow for facial recognition or fingerprint scans, thus eliminating the need for a password.

    I won’t get into how to bypass those types of security methods. You can do the math on your own.

  3. Do not share personal information (like a favorite movie or your children’s birthdays) on the internet.

    You know those cute little quizzes on Facebook that ask you to list your favorite song, your favorite movies, etc.?

    What if I told you they’re designed to socially engineer you? I don’t know if they really are, but I would bet that some of them are. Stop revealing information about yourself on social media. The more information you provide, the more a potential hacker has to use to guess your password.

  4. Use a password generator.

    I use the Symantec Password Generator. I don’t know why, but I like this one the best.

    At this point, if I don’t have access to my password manager I am screwed because I don’t know any of my passwords. All I do is generate a 12 or more character password using the password generator and save the info to my password manager.

    No one can ever beat a password out of me, that’s for sure.

  5. Never share your password with anyone.

    Do I really need to explain this one?

  6. Never write your passwords down on paper.

    That’s pretty self explanatory as well, right?

  7. Use 2FA or MFA.

    2FA is short for Two-Factor Authentication. MFA is short for Multi-Factor Authentication. They are essentially the same thing. 2FA and MFA just mean that the application or device you’re trying to log in to requires a second form of authentication, usually in the form of a time-based token.

    Almost every social media site has this option available now. Set it up and use it. It might seem like a pain in the ass, but it’s better than trying to recover your hacked account.

    If you can avoid the SMS second factor then do so. It’s not hard to clone your SIM card. Once a hacker does this they now have access to all your texts. Get it?

    This website uses 2FA. I have my password that was auto-generated using Symantec’s Password Generator. The password is saved to a password manager. I need this plus a time-based token generated using Google Authenticator on my phone.

    On the website I use a plugin called miniOrange 2-Factor. It’s pretty easy to set up and I talked about it in the blog post about WordPress Security.

Hacked accounts are on the rise. There are lists of passwords freely available on the internet. “Hackers” can use these lists to brute-force an account. Once your password makes one of these lists, you had better change it on every account you own.
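The WordPress warning at the top of this post is a site doing exactly this check on your behalf. As an added example (my code, not the post’s and not WordPress’s), here is how a site can screen a new password against a leaked-password list without the plaintext list ever needing to be near the login form: hashes are indexed by their first five SHA-1 hex digits, the scheme Have I Been Pwned’s range API uses, and the policy follows the NIST SP 800-63B guidance referred to above (reject leaked and too-short passwords, impose no composition rules). The leaked list is a tiny constructed stand-in; the 12-character minimum is the post’s own recommendation, NIST’s floor is 8.

```python
import hashlib

# Constructed stand-in for a leaked-password list. Real lists hold hundreds of millions of
# entries; P@ssW0rd123 and 12345678 are the two examples the post itself names.
LEAKED_PASSWORDS = ["P@ssW0rd123", "12345678", "password", "qwerty123", "letmein", "iloveyou"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password. SHA-1 is only the lookup key for the leak list,
    never a way to store passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords) -> dict:
    """Group leaked hashes by their first 5 hex digits. A client then asks for one 5-digit
    prefix and compares the returned suffixes locally, so the full hash never leaves it."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def found_in_leak(password: str, index: dict) -> bool:
    """True if the password's hash suffix appears under its prefix bucket."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def evaluate_password(password: str, index: dict, min_length: int = 12) -> tuple:
    """NIST SP 800-63B style policy: leaked passwords and short passwords are rejected,
    but there is no upper/lower/digit/symbol rule. Returns (accepted, reason)."""
    if found_in_leak(password, index):
        return (False, "found in leaked-password list")
    if len(password) < min_length:
        return (False, f"shorter than {min_length} characters")
    return (True, "ok")


if __name__ == "__main__":
    index = build_range_index(LEAKED_PASSWORDS)
    for candidate in ("P@ssW0rd123", "short1!", "correct horse battery staple"):
        print(f"{candidate!r:34s} -> {evaluate_password(candidate, index)}")
```

The order of the checks matters a little: a leaked password is rejected for that reason even when it is long enough, so the user learns that the password itself is burned and not merely too short.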

Social engineering is more common than you think. Look at your Facebook profile and tell me what shows and movies it says you watch and what groups you are in. Most people have their birthday listed, along with pictures of themselves and their kids, and names. So much info is readily available on Facebook alone.

Make sure your list of friends is just that, friends.

Go secure those passwords!


Don’t Get Fooled by the Phone [Microsoft and the IRS Do Not Call]


As I sat down to write this, I got a phone call. It was a local number but no indication of who it was.

Like most reasonable people I figured I would answer it. I do run a business and often need to speak to new or existing clients.

You can almost always tell when it’s a telemarketer or a scam because there’s a delay in someone responding to you answering the phone.

This time it was someone representing a chimney cleaning company. Another telemarketer or, worse, a possible scam.

My response was “I don’t have a chimney,” at which point he hung up. They clearly did zero research before calling me. Another turn-off.

How Is a Chimney Cleaning Telemarketer a Scam?

That’s an easy one. I worked with a local chimney cleaner and his business before. He told me about how his industry has taken a turn for the worse because of these scams. There are a few ways it can go.

1. They get you to agree to clean your chimney at a very reasonable price. You agree, pay a deposit and never hear from anyone again.
2. They get you to agree to clean your chimney at a very reasonable price. You agree, pay a deposit and they send someone who has no idea what they’re doing. This is probably worse because of the potential damage to your home.
3. They get you to agree to clean your chimney at a very reasonable price. You agree, pay a deposit. Someone shows up to your home claiming to be there to clean your chimney. You become the victim of a home invasion.

None of these scenarios are ideal. They all hurt the real chimney cleaners. Now people are hesitant to hire anyone to clean their chimney.

What Are Some of the Other Potential Phone Scams?

Let’s start with the more prevalent and obvious ones.

The IRS is Going to Arrest You

Well, they might if you are defrauding them.

But they’re not going to call you to warn you about it.

The IRS does not call people. They send letters.

Let me type it again. The IRS does not call people.

If you get a call from “John” with an Indian accent, calling from what sounds like a boiler room, just hang up. Or do like I do and toy with them.


Microsoft Detected a Virus on Your Computer

Microsoft does not proactively monitor people’s computers.

Even if you use Windows Defender for your anti-virus they will not call you to let you know you have a virus.

I see this a lot. A computer user has allowed someone to remotely connect to take a look at their computer because they called and said their computer was infected with a virus.

DO NOT ALLOW ANYONE WHO CALLS YOU OUT OF THE BLUE TO ACCESS YOUR COMPUTER REMOTELY.

What they’re really after is a backdoor into your computer. They will likely install something that will give them access to your computer whenever they want.


Why Do They Do This?

Because they can

Because they want to watch you on the webcam

Because they want to steal private or sensitive information

Because they want to use your computer as a bot

The reasons are numerous. And many times, you may not even know they have control of your computer. Just do not allow this to happen.

You Won a Vacation or a Cruise.

And all they want is a deposit to hold your spot. Why would you ever give money over the phone to someone you have never spoken to before, without a piece of paper clearly stating what it’s for and who is delivering it?

This really can be applied to almost anything. If you receive a call out of the blue stating you won something just hang up.

They’re going to ask you for a deposit. My response is always, take it out of the winnings. They always have some excuse why they cannot do that.

We Have a Refund for You or Here’s $300 to go Shopping

This one has gotten some people close to me.

The caller states that they have a refund check or a check for some other reason.

In one instance that I am aware of, a friend got a phone call saying they would get a $300 check to use at Walmart. All they had to do was report back on how the shopping experience was.

There are legitimate jobs for mystery shoppers, but they don’t give you $300 to spend. They will give you maybe $10 and you get reimbursed for it, not paid in advance.

What Are They After?

They want you to deposit the check. They then use the deposited check to gain access to your account. Then your account gets wiped out.

Up to $250,000 in Funding for Your Business

I own a business. The business does not make $250,000/year. Not even close. Why would anyone want to offer that kind of money?

I have not figured this one out yet, but I do know I am not falling for it. They call me every day. Different numbers, different “lenders”. It’s an obvious scam.

The one thing I know for sure is they will ask for access to my invoices which I am not comfortable with for various reasons.

Business owners get scammed too. They get scammed at an alarming rate.

These are just a few of the more common phone scenarios that I have come across. I also get calls about back and shoulder pain, dentists and health insurance. I don’t even bother wasting my time listening to their pitch at this point.

These are only phone scams. These and other scams happen on Facebook, email and the internet in general as well. I have seen text message scams too.

The one thing they all have in common is preying on people’s emotions: more (or less) money, computer issues, vacations, and health.

All of these are emotional issues, and emotion, primarily fear, causes people to react with their feelings rather than logic.

When you think with emotion you make rash decisions. When receiving a call (or email, Facebook message or text) from a complete stranger, put emotions to the side to avoid being scammed.


Don’t Get Skimmed at the Gas Station [or Anywhere Else]


Another fairly easy and low-risk scam for would-be criminals is the credit card skimmer. There’s a good chance you or someone you know has been victimized by this.

It’s really simple. Take a credit card skimmer and attach it to the credit card reader on a gas pump, or an ATM, or even the reader inside a retail store. Then wait for the skimmer to do its job.

By the time anyone realizes there is a card skimmer attached to the credit card reader the scammer probably has multiple credit card numbers at his disposal.

The reason this is so low risk is that the skimmers are easy to install, and the people collecting the card info don’t usually use it themselves. They usually sell the info online.

Often your stolen credit card information is not used for months. I had a conversation with a fraud specialist at a large bank about this very topic. They told me that more often than not the credit card numbers are sold on the dark web. A new credit card is created with the information and the new card is used wherever in the world the purchaser of your credit card number is.

To prevent detection they often wait a while before selling and/or using the stolen credit card numbers.

There are ways to protect yourself from being skimmed.

4 WAYS TO NOT GET SCAMMED BY THE SKIMMER

It happened to me once. It was over 5 years ago. My bank called me on a Monday morning while I was at work and asked if I was in France.

Needless to say, I was not. Someone had made repeated attempts (some successful) to use my card in France. Fortunately for me, the bank refunded all the money.

1. Use 24 Hour Gas Stations

There’s really no way to avoid having to get gas for your car unless you’re fortunate enough to own an electric car.

That means there is no way to 100% prevent being skimmed if you plan to use your debit or credit card.

You could, of course, use cash. Realistically most of us do not carry cash around anymore.

I have found that using gas stations that are well lit and open 24 hours decreases the chances that I will get skimmed.

Avoid gas stations that do not have security cameras. I also avoid gas stations that look run down or are not part of a large chain.

The process of installing a skimmer is pretty quick so it can happen within a matter of minutes but criminals are less likely to try this somewhere that is well lit and constantly being monitored.

A gas station with lots of foot traffic also decreases the opportunities a card skimmer will be installed.

The gas station I usually use is open 24 hours, always well lit and always very busy.

It helps that they also have some of the lowest gas prices in my area.

Some gas stations have started to add a security sticker to gas pumps. The sticker covers the panel where the card reader is installed. This is actually very easy to circumvent with a box cutter and some creativity.


2. Avoid Stand Alone ATMs Like the Plague

You have all seen the ATM standing there on the side of a building, outside, with nothing else around it.

This is a big no-no. First of all, you’re probably going to get charged somewhere between $3 and $5 to use this ATM.

Even more importantly there is a good chance that this ATM has a card skimmer attached to it.

I almost never use a stand-alone ATM. If I do it’s going to be inside a business where a real person is within eyesight of it.

For the most part, I go to my bank’s ATM. Almost all of them are inside the bank and require your ATM card to get in.

There are always cameras on the ATM at the bank, and it is always well lit.

Again, I cannot stress this enough. Cameras and well-lit areas discourage criminal activity, but they don’t prevent it 100%.

If you can withdraw money while the bank is open this is an even better option.

Here’s another option that I use sometimes because it’s a great way to avoid ATM fees. Go to a pharmacy or grocery store and make a small purchase like a pack of gum or a bottle of water. You can then ask for cash back when you purchase the item.

A chain like Walgreens or CVS is not going to have card skimmers installed at their cash registers. This is a great segue to my next point.

3. Be Very Diligent at Mom & Pop Shops

I love to shop locally. I believe local businesses should get all the support possible. If I have to choose between Walmart and a local mom and pop store I am going local every time.

The problem is the local stores don’t have the level of security and knowledge that a large chain has.

If the card reader is not in the direct line of sight of the cashier then I would use cash. Skimmer crews are crafty at distracting cashiers and store clerks while a partner installs the skimmer.


The one time I was the victim of a skimmer it was determined that the skimmer was installed on the card reader at the cash register at a bodega in New York.

Be very careful when using the card reader at a local store, especially one you are not familiar with. If you can use cash or a check this is better.

Of course, checks come with another set of problems that I won’t even get into.

4. Bonus Suggestion

A lot of people don’t know this, but your debit card can also be used as a credit card. If you have ever used your debit card and been asked whether you want to use it as US Debit or Visa, then the establishment you are at allows this.

Selecting Visa means you are using it as a credit card, and you will not be asked to enter your PIN.

Most of the time a signature and a photo ID are not required either.

This makes it easier for anyone with your card or card information to use it. Without being asked for a PIN or ID it becomes very easy to make purchases without your knowledge.

Turn this feature off. You can ask your bank to set it up so that your debit card cannot be used as a credit card. I would encourage you to do just that.

I hope this helps you avoid being skimmed. It is an unfortunate crime that can cause a lot of heartache. Using these 4 steps will help decrease the likelihood you become a victim of credit card skimming.

WordPress Security 101 – Protect Your Blog from Evil Hackers


I am going to be honest with you. It’s not hard to hack a WordPress site if the owner doesn’t do his/her due diligence. Once a WordPress Hack has been identified it’s only a matter of time before the script kiddies try to compromise your site.


I bring this up because of a discussion I had recently with a blog owner about why he is receiving A LOT of traffic from Russia.

After speaking with other blog owners and so-called experts he decided to just ignore it. I pointed out there is a chance that a vulnerability has been identified on his site and wannabe hackers are trying to exploit it.

I did not hear back from him. He must think I am crazy.

I Am Not Crazy

Statistics show that a large number of “hackers” come from the eastern part of the world. Russia, China, India, Korea…you get the idea.

I am not ignorant to the fact that the US has a large number of hackers as well. Generally speaking though if you are a US-based website you should expect to receive most of your traffic from the US.

When I first began using WordPress many years ago I launched a website that just reposted content from an RSS feed. Ironically the site was called HackersDelite. It just shared content from other resources around the internet. The content was exclusively about Information Security.

That site was the first time a website that I owned or managed was hacked. It was also the last time.

I really did not do anything to manage it. It was basically on autopilot with the sole purpose of making money off of ads. I seldom updated WordPress, the plugins or the theme. This was the way in for a hacker.

Not All Hackers Are Equal

You probably noticed I placed quotation marks around Hacker a few times. I also referred to hackers as wannabes and script kiddies. That’s because most of the people who are hacking WordPress sites do not represent the hacking community.

The true definition of a hacker is someone who takes things apart to learn how they work and then puts them back together again. Somewhere along the way, the word Hacker developed a negative connotation.


There are 3 types of hackers generally speaking. I talk about this here.

Prevention and Education Are Your Best Defense

There are websites dedicated to listing vulnerabilities on nearly every platform that exists. If a “Hacker” were to learn about a WordPress vulnerability and then do a simple Google search they would find possibly hundreds or thousands of sites with said vulnerability. It will partially depend on how new the vulnerability is.

You can do the same thing. I do understand that this would require a lot of time, research, learning and more research on your part. I’ll just give you a few pointers on how to avoid having your WordPress site hacked.

6 Tips to Secure Your WordPress Blog/Website

1. Updates: I know updating your site can be scary. I mentioned above that I have only been hacked once in all my years of web work (over 20 years). In that same time span, I have had sites get destroyed by updates more times than I can remember.

Using a WordPress backup plugin and ensuring you have a new backup before doing updates will help alleviate some of that stress.

Whenever there is an update available for the WordPress core files, plugins or your theme, install it. Many times updates are provided because of an identified vulnerability.

2. Get Rid Of It: If you have a plugin or a theme not being used, get rid of it. Remove it from your site. If you’re not using it then it probably is not being updated. If it’s not being updated then it is by definition vulnerable.

Uninstall any plugins that are not active. Also get rid of any plugins that have not been updated by the developer in a long time.

One note here. I always keep the default WordPress theme just in case the theme I am using breaks.

3. WordFence: WordFence helps protect your site. There is a free version and a paid version. Among other things, WordFence blocks known spam IP addresses and alerts you when someone logs in to your WordPress site. They also have an email subscription. This newsletter is full of great tips for securing your site as well as the latest threats.

4. TFA: TFA is short for Two Factor Authentication. Sometimes this is referred to as MFA or Multifactor Authentication. What that means is you need a second item to log in to your website.


For all of my sites, I use miniOrange and Google Authenticator. This works with a time-based token that’s only good for 30 seconds. To log in to my site I use my username, password, and the code that Google Authenticator gives me. You can set Google Authenticator up on your smartphone.

5. Complex Passwords: I used to use a password that was a combination of my wife’s nickname (that only close family and friends knew), a few random numbers and a special character. I recently discovered that this password is on a list of passwords somewhere on the internet.

All of my passwords are complex letters (upper and lower case), numbers and special characters now. They are generated by LastPass and stored in LastPass. I do not know any of my passwords. Sounds scary but it really isn’t that bad.

6. Spend $50: Everyone wants everything free. Spend $50 and purchase the theme you want. So many people use WordPress themes that have been modified by a hacker just to save a few dollars. In the long run, it will cost you a lot more.

Today lots of sites on the internet have been compromised and are being used to mine bitcoin. Most of those sites have been compromised by someone using a theme that was downloaded from a not so credible resource just to avoid spending $50.

If Google identifies that your site is compromised they will deindex it if it is not corrected immediately. No one will ever see your website.
