All posts by Jerry Stern

Computer Security Errors 101

A reprint from the PC410 Security Newsletter:

password isn't a password

I’m asked “is this safe?” over and over again. Usually, it’s a link in an email. And congratulations to those of you who stopped long enough to recognize a suspicious link, or asked before clicking your way to the web site of some Nigerian Prince with millions in oil money to give you, who also wants to encrypt your hard drive for ransom, steal your bitcoins, and capture your email passwords so that he can send out a few million more Nigerian Prince letters from your email account.

OK, it’s usually not that obvious. Here are the security errors I see most often.

Passwords in plain sight.

No, don’t write your passwords on the monitor, or a Post-it note, or a label on the bottom of your keyboard. And don’t leave a file called ‘Passwords’ on the desktop, either. It’s really not the Windows login password that’s at risk here: anyone with physical access to your computer can read all the data without the password (unless the drive is encrypted, for example with BitLocker), by erasing the passwords with a program loaded from a bootable USB stick, or by removing the drive and connecting it to any other computer.

The passwords that should never be visible are banking passwords, email account passwords, QuickBooks passwords, and the password for any account that has payment information stored. That includes logins at Amazon and iTunes. Security issues at online merchants have occurred because, well, “someone contacted us, with your password, so we shipped them what they wanted, where they wanted it. And then they reset the password. Wasn’t that you?”

Re-using Passwords

Passwords should be unique. If you have a “usual password” for everything online, stop it. Change it everywhere. When online merchants and service companies have security issues, they invalidate millions of passwords, and make you reset your password, by making it look like you forgot it. You didn’t, they gave it away, so now they’re asking for a new one, because they couldn’t take care of the last one.

So all those sets of millions of hacked passwords from the recent online “We were hacked” events, containing both login names and emails, are ‘out there’, where other hackers will assume that if your password at Amazon was ‘i-want-it-now’, then your password at any of a hundred other sites is likely the same. So they try it, in bulk, and take over some percentage of those accounts. Worse, they take over accounts at multiple web sites belonging to the same victim at once; that’s havoc multiplied into identity theft.

Now, if your password is the same everywhere, then when one site says something that means, in real life, “we lost it, give us another,” you have to reset it everywhere you used it. If each site had a unique password to start with, that risk is avoided.
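The reset-everywhere problem is easy to measure against your own password list. The PowerShell script below is an added example, not from the newsletter: it reads a constructed password-manager export (every site, user name and password in it is made up), groups the accounts that share a password, and, given the name of a breached site, lists every other account that would need a new password. It assumes a CSV export with site, username and password columns, which is what most password managers produce.

```powershell
# Added example: audit a password-manager export for re-used passwords.
# The CSV below is CONSTRUCTED sample data, not real accounts.
$sample = @"
site,username,password
amazon.com,jane,i-want-it-now
bank.example,jane,Tq9!mZp2#vL
mail.example,jane,i-want-it-now
shop.example,jane,i-want-it-now
"@

# For a real export, replace this line with: $entries = Import-Csv .\vault-export.csv
$entries = $sample | ConvertFrom-Csv

# Group entries by password; any group with more than one site is a reuse cluster.
# Only site names are printed, never the password itself.
$reused = $entries | Group-Object -Property password | Where-Object { $_.Count -gt 1 }

foreach ($group in $reused) {
    $sites = ($group.Group | Select-Object -ExpandProperty site) -join ', '
    Write-Output "One password is shared by $($group.Count) sites: $sites"
}

# Given a site that announced a breach, list every other account that used
# the same password and therefore also needs a reset.
function Get-AccountsToReset {
    param([Parameter(Mandatory)][string]$BreachedSite)

    $leaked = $entries |
        Where-Object { $_.site -eq $BreachedSite } |
        Select-Object -ExpandProperty password

    $entries |
        Where-Object { ($_.password -in $leaked) -and ($_.site -ne $BreachedSite) } |
        Select-Object site, username
}

Write-Output "If amazon.com lost its password file, also reset:"
Get-AccountsToReset -BreachedSite 'amazon.com'
```

With the sample data, the first loop reports one password shared by three sites, and the breach check for amazon.com names mail.example and shop.example as the accounts that need a new password too; bank.example, which has its own password, is unaffected.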

Only One User Account in Windows

So what’s the risk of only one Windows login account? There are two:

1) When there’s just one Windows user, that user is an administrator, with full install rights, and any malware that arrives on the computer can run an install program without any need to enter a password–sometimes, there is no on-screen indication of new software at all. The account used to surf the web and open email should be a ‘limited’ or ‘standard’ account, which can’t install software. In addition, there should be a separate account with administrator rights, used for installing software and updates, and nothing else; it’s not for web surfing.

2) With only one account on the computer, it’s harder to repair that account if it’s damaged. This is a problem that didn’t happen much until Windows Vista came along, but since then, user profiles, also known as Windows user accounts, can become corrupted, and after login, one of these messages appears on-screen:

  • The User Profile Service service failed the logon. (That error message is courtesy of Microsoft’s Department of Redundancy Department.)
  • You have been logged on with a temporary profile.

In both cases, you can’t reach your desktop or your files. If there is a second account to log into, a remote fix is usually possible. If not, especially with the “Service service” message, the repair can’t be done remotely.
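For point 1) above, here is an added PowerShell example (not from the newsletter) that audits which local accounts are administrators, reports whether the current session is running with administrator rights, and creates a separate standard account for web and email if one does not already exist. It assumes Windows 10 or 11 with the built-in LocalAccounts cmdlets, an elevated prompt, and the placeholder account name ‘Daily’.

```powershell
# Added example: check local account layout and add a standard (non-admin) account.
# Run from an elevated PowerShell prompt on Windows 10/11.
# The account name 'Daily' is an assumed placeholder; pick your own.

# 1. Which user accounts are in the local Administrators group?
$admins = Get-LocalGroupMember -Group 'Administrators' |
          Where-Object { $_.ObjectClass -eq 'User' }
Write-Output 'Local administrators:'
$admins | ForEach-Object { Write-Output "  $($_.Name)" }

# 2. Is this session running as an administrator? (If the everyday account
#    always answers "True" here, malware that runs in it can install silently.)
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output "Current session has administrator rights: $isAdmin"

# 3. How many enabled local accounts exist? One is the situation the post warns about.
$enabledUsers = Get-LocalUser | Where-Object { $_.Enabled }
Write-Output "Enabled local accounts: $($enabledUsers.Name -join ', ')"

# 4. Create a standard account for daily use if it is missing.
$dailyName = 'Daily'   # assumed placeholder
if (-not (Get-LocalUser -Name $dailyName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for new standard account '$dailyName'"
    New-LocalUser -Name $dailyName -Password $pw `
                  -FullName 'Daily use (standard)' `
                  -Description 'Non-admin account for web and email' | Out-Null
    # New-LocalUser does not add the account to any group; 'Users' is the
    # standard, non-admin group.
    Add-LocalGroupMember -Group 'Users' -Member $dailyName
    Write-Output "Created standard account '$dailyName'. Keep the administrator account for installs and updates only."
}

# 5. Confirm the daily account is NOT an administrator.
$inAdmins = Get-LocalGroupMember -Group 'Administrators' |
            Where-Object { $_.Name -like "*\$dailyName" }
if ($inAdmins) {
    Write-Warning "$dailyName is in Administrators; remove it with: Remove-LocalGroupMember -Group 'Administrators' -Member '$dailyName'"
} else {
    Write-Output "$dailyName is a standard user (not in Administrators)."
}
```

Because the script only adds a second account and never removes the existing one, it also gives you the spare login that point 2) above relies on when a profile fails to load.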

Jerry Stern
Chief Technology Officer, PC410.com

Caution: Your Computer is in a Bad Neighborhood

A reprint from the PC410 Security Newsletter:

Fake tech support popup

Here’s what that bad neighborhood looks like. There’s a scary message on your screen. It is designed to make you panic. There’s a hardware error message starting with a blue screen of death, but the blue screen message isn’t full-screen. It’s a fake. There is an urgent message to call a toll-free number to have a Microsoft certified technician fix the problem immediately.

Microsoft does not, ever, place phone numbers in error messages. Most big technology companies don’t want phone calls, and their phone numbers are only on their support and stockholder pages. There may be an exception for sales and training events, but not much else. Every other phone call is an expense, and they will do everything that they can do to prevent you from calling them.

Next, Microsoft does not give away technical consulting services, or free computer repairs. They provide lots of reference materials on their websites, and free training for partners in various categories. For example, I am a Microsoft partner in their OEM and Refurbisher and Technical Sales programs, and have been through training in those areas. But even I can’t just call Microsoft and ask for a free diagnostic of a system, most of which consists of other companies’ hardware. If you actually reach them, don’t expect more than a link to: http://support.microsoft.com/en-us

Beyond this point, there is malware. (And dragons)

But enough about Microsoft. Amazon is involved here. If the web address is visible on the popup, there’s a good chance that it includes aws.com, or Amazon Web Services, which is basically a web host with massive and scalable computing power, online and for rent. To anyone, anywhere, with automated approval based only on the validity of your payment. In other words, a gun for hire. Yes, they have terms of service that prohibit use for anything illegal or tasteless, but those are applied retroactively, and there is no approval process for new pages going up. You pay your money and you put up your page, and if someone complains, then a human being will look at it, and if it doesn’t comply with their terms of service, it will go down until the authors create a new account and start again.

Now I’m going to pick on Google and Bing and all the other search engines. Not every page you find on a search engine result is a safe page. There are poisonous results all over the place. The worst web results are for this search: “tech support phone number (company name).”

Nearly all searches for tech phone numbers lead to scam companies that will want to log into your computer, show you the event logs, and claim that the lengthy list of routine messages means that you need $249 to $399 of repairs and an annual service contract. Never search for tech support phone numbers: Go to the company web site, and follow the menu links for support, or call me for help–I have additional resources for many tech companies.

But how do these bad phone numbers end up at the top of a Google page? Google can be fooled, temporarily, by a black hat SEO campaign (basically, evil search engine optimization). When a search engine sees a thousand links to a site, it takes that to mean the site is popular; it isn’t yet recognized as good or bad. That happens later, after Google has found and indexed what appears to be a keyword-heavy page, with ‘tech support phone’ used repeatedly, which will never be the case on a real technology company web site. Later, Google will see that the links were identical and planted in web sites by malware, and will remove the search result, but it’s a numbers game, and it all starts again.

The bad guys do more things. They buy up expired domains that previously had moderate traffic, and they put their fraudulent sites up. The search engines mostly fail to remove the old site descriptions and search results because they’re not always checking to see if the web page is suddenly on a new server somewhere other than where it started. They catch up eventually. The bad guys are also buying up bulk misspellings of popular web sites, so typing in any popular site with an extra letter is probably going to land you on random and dangerous garbage.

Now, do I blame Microsoft/Bing, Google, and Amazon? Well, it’s an arms race, largely based in parts of the world where there are no internet laws. They could say, “We want you to trust us, but first be sure that what you are visiting is really us. Here’s how to tell the difference.” They don’t.

Years ago, Google’s official policy was to index all of the web without any commentary or analysis, ranked as best they could to guess the intent of the searcher. Now, of course, they block criminal activity in a few categories, but they’ll still show blatantly illegal content, scams, fake news, and so on.

In all fairness, the search engines want a way to decide if a site is illegal, without any risk of being sued for de-listing sites that retain lawyers. Yes, the larger illegal sites have legal counsel. So if there is any chance that a site that looks like a service company is legit, and can only be proven as a scam by doing business with them, that site remains in search results.

And you need to stay far, far away. Stay suspicious. When it’s too good to be true, it’s a scam. And when it looks like a company with no history of phone support is giving it away for free on random web pages but not on their own pages, it’s not them.

Jerry Stern
Chief Technology Officer, PC410.com

How to start a software company?

Another software developer question:

I have a good product in my mind and want to invest more time and money in it.
So far, whatever small software I have created has been for a few people, with only me developing that software. Now I have some software in mind that will be for more users and big enough to include other people, and I will be the first customer of it (manufacturing is my prime business). How and where should I start (people, office, location, software development, release, sales)?
Any first-hand experience is also welcome.

First, understand the difference between a program and a product. A program works for you. A product makes sense to other people. So you have to add error trapping, fix all possible input errors automatically, and give a non-techie error message on anything else. That requires testers who don’t know anything about your product, and the best kind are the ones you can watch trying out the product. (While you don’t help, but do take notes.)

You have to make it look good. It has to be visually striking, while immediately understandable. You have to write documentation, and that, depending on the product, could be an old-fashioned instruction manual, or a video demo, or a set of slideshow tutorials.

People, office, location? There’s no short answer. Like any other business, your staff will have to be able to communicate skillfully with your potential customers. Being near those customers, or some of them, will give them a big advantage in learning what’s needed, and in beta testing, and perhaps give you leads for hiring sales staff.

Sales used to be all web downloads, and before that, mail order. Now, unless this product will be highly specialized within the manufacturing industry, your choices are web sales of a downloadable and installable product, or SaaS (software as a service, or cloud). The difference will be the answer to this question: Where will it be used? On the manufacturing floor, where network access is likely to be internal only? Or in the manufacturer’s offices, which will have outside access? In other words, there’s a big difference in how you sell manufacturing control software versus purchasing department software, because one needs tight security and the other needs access to outside product specifications and availability in real time.

Jerry Stern
Chief Technology Officer, PC410.com