The more we use our smartphones and the more personal and sensitive data we keep on them you’d think the greater target they are for thieves and hackers, right?  Well, the fact is that mobile phones are already the number one target for thieves at the very least.  Your new phone could be valuable and while it could be blocked by networks in your own country, that’s not to stop the handset being sent abroad and used in a country where such blocking doesn’t exist.

But surely you don’t keep any sensitive information on your phone unless people really are interested in text messages from a loved one or emails from Groupon?  Here you’d be wrong again.  In this article I want to have a look through the different types of important information you keep on your smartphone, and look at ways you can keep it safe and secure.

So what information do you keep on your handset?

Contacts

You might not keep really sensitive details about yourself on your phones such as your Social Security number or bank details, but you do keep ever growing details about all your contacts.  These include their full names, address, email address and multiple phone numbers and, crucially information such their full date of birth (which is used in faking IDs and gaining access to accounts) and possibly family connections that are possibly giving up details such as their mother’s maiden name.  In short you are being entrusted with a huge amount of information on a huge number of people, all of which can be used for identity theft.

Email

It might not be possible for someone to discover your email password or to change it from your handset, though a good hacker might still find a way, but depending on what emails you store locally in your inbox they might reveal all manner of additional detail about you perhaps including at least partial credit card details if you’ve been shopping online.

Documents

More and more of us are keeping documents on our phones and with the inclusion of support for services such as Windows Live SkyDrive in Windows Phone, it’s becoming far easier to not know what important and sensitive documents you actually can access from your phone, maybe without even knowing the functionality is already there and switched on.  If you use DropBox on your phone for instance what documents are you storing in the cloud that can be easily and instantly accessed by someone who has physical access to your phone?

GPS Locations

As more and more of us use smartphones as GPS devices, what locations have you got stored in your phone?  Do you, for example have “Home” listed as a location?  If you do a thief could be directed straight to your home at the time when they know, if they’ve just stolen the handset, that you’re out.

How can you secure your handset?

Use a Password Lock

The most basic and simple way to lock your phone is to put a passcode on it, be this a physical numerical code or a swipe pattern.  Make it a good one though, definitely not an obvious pattern or the same code as you use for the PIN number on your bank card.  Having a code or pattern that’s a bit harder to do might be a little more inconvenient for you, but it comes with a great deal more peace of mind.

Write down your IMEI number

The phone’s unique identifier code, it’s 15 digit IMEI number can usually be found close to the SIM card slot and battery compartment in a phone.  Write down this IMEI number and keep it in a safe place at home in case you need to cancel the phone, it will make things quicker, or more important to report the phone as lost or stolen to the police.  Having the IMEI number will help make sure the handset can be quickly returned to you if it is found.  You can check the IMEI number on the phone itself by typing *#06# on the keypad.

Edit Your Lock Wallpaper to add an ICE number

An ICE (In Case of Emergency) number can quite possibly save your life if you are involved in an accident or incapacitated and the emergency services can’t unlock your phone to call a relative or friend.  Unfortunately modern smartphones still don’t include support for ICE numbers but if you manually edit in a graphics package onto the image you use for your lock screen, it can be a great help in having your phone returned to you if it is found.

Use Anti-Malware Software

Malware and viruses on smartphones are becoming ever more common and regardless of how secure the platform might be, or how much vetting all the apps might go through, there’s no guarantee that malware won’t slip through the net.  Check the reviews online to see if the anti-malware software you’re buying is actually any good and preferably go for one of the big name companies such as AVG or Kaspersky for added peace of mind.

Use a Remote Management Service

Some smartphone platforms, including Windows Phone, come with a remote management service you can access online.  These services can allow you to remotely lock the phone, track it (even when locked) or even wipe it altogether and perform a hard reset if you suspect it is gone for good.  These services are accessed through any web browser and if your smartphone comes with such a service it is well worth signing up for it.

So what are your additional tips for keeping your smartphone, and its sensitive data safe and secure?  Write them in the comments here as we’d love to hear them.

Passwords are important, very important in fact as they’re usually the only thing preventing criminals from stealing your personal and credit card information, and using your email account for sending spam (and having your account closed shortly afterwards as a result!)  In short it’s critical to have secure and unique passwords for everything these days.

Now SplashData have compiled the list of the top 25 most common passwords.  They have compiled the list by examining the password dumps that have been posted online by hackers.

The list, which unsurprisingly comes with the password “password” as the most common doesn’t come with any great surprises.  The most common threads running through these are that they are all very short and most are common dictionary words or proper names.  These are all things to be avoided when creating a new password.

You will notice though that the password “qazwsx” is in the list and why shouldn’t this be secure.  If you look at your keyboard you will see why, as password cracking software looks at common patterns that can be typed on your keyboard.

The list of the top 25 most common passwords is…

1. password

2. 123456

3. 12345678

4. qwerty

5. abc123

6. monkey

7. 1234567

8. letmein

9. trustno1

10. dragon

11. baseball

12. 111111

13. iloveyou

14. master

15. sunshine

16. ashley

17. bailey

18. passw0rd

19. shadow

20. 123123

21. 654321

22. superman

23. qazwsx

24. michael

25. football

It’s not actually difficult to create a strong password and I have put a posted I created below (click to view it full size) that you can print out and put on your wall in your home office or workplace.

A strong password should be absolute minimum of 8 characters in length, preferably a minimum of 10 characters and contain a mixture of numbers, symbols and upper and lower case letters.  You can use numbers and symbols to replace letters they are similar to, for example using an “&” instead of the letter “a” and using the number “1″ instead of an “i” or an “l”.

You can also mix things in a way that makes sense when remembering the code you have used to create the password.  For example, you could have a password made up of two words of different lengths, where the third letter of each word is capitalised and the fifth character in each word is replaced by a symbol.

Finally you can also, for added security, append to the end of the password, or preferably mix into it the first three letters (or a three or four letter identifier) for the website or service the password is for.  For example Amazon could mean the letters AMZ are mixed into your password.

By following these rules it’s very easy to create long, super-secure and above all memorable passwords that will help your data and financial information stay safe online.

There are also other things you can do keep your passwords safe.  One way is to use randomly generated passwords and password storage software on your PC (with it’s own secure password) to auto-fill these in on the websites you use.

Having a super-strong password is so important so I really urge you to tweet, blog and share this post and the poster as far and wide as possible so your friends, family and colleagues can see if their own passwords are in the list.

One of the best ways to improve security when you’re online is to use Windows’ onscreen keyboard to enter details into banking and other financial websites.  It might be slower than using a traditional keyboard but it’s far more effective at protecting what you type as keyloggers and other malware that might be present on your PC can’t detect your keypresses.

Unless you have a tablet computer though you’re restricted to pinning the onscreen keyboard to your Windows 7 taskbar.  This is fine, but it lacks the cool features that come with tablets such as spell-checking, word prediction and having a pop out keyboard available on your screen all of the time.

It is possible to get these features though even if you don’t have a tablet computer or a touchscreen, and here I’ll talk you through how to add these features to your Windows 7 desktop.

The first step is to type the word services into the search box in the Windows 7 Start Menu and run the Services program that appears.  You need the specific tablet PC functionality running to access these features, and they’re disabled by default if Windows doesn’t detect a touch screen on your computer.

With the Services panel open you need to find the Tablet PC Input Service.  Right click on this service and select it’s Properties from the context menu that appears.

Now a new panel will appear with the properties for the Service.  The next job is to change its startup type to either Automatic where it will start every time Windows 7 boots up, or Manual where it will start whenever you call it.

Finally we need to go back into the Start Menu and type the word tablet pc into the search box.  When the Tablet PC Input Panel appears in the search results, click on it to run it.

There’s just one more step now and that is to activate the two ways to easily access the on-screen keyboard.  In these options you can either turn on the option to Show the icon on the taskbar (this will be essential if you have set the service to start manually), activate the option to Use the Input Panel tab or, as I have done here, tick both options.  If you want to use the input panel tab you will also want to Show [the] Input Panel sliding open from the tab which you can set for either the left or the right of your screen.

Note here that if clicking this brings up the actual keyboard rather than the options for you, clicking the Tools button on the keyboard will display the options link.

With this done you will now have quick and easy access to the in-screen keyboard in Windows.  You’ll see in the image below that we now have an icon on the Windows 7 taskbar for activating the on-screen keyboard and that the keyboard itself is also docked at the side of the screen for when you need it.

This docked keyboard can be dragged around and put wherever you want it to be.

The on-screen keyboard in Windows really is a way to make your online banking and finance much more secure.  This is a very small change to Windows but one that, I’m sure you’ll agree, will be well worth doing for a great many people.

Microsoft have good reason to take viruses and malware seriously, more than ten years of complaints about Windows being insecure and prone to attack.  In truth though the company has made great strides in recent years protecting the latest versions of Windows against rootkits and all manner of other attack.

Windows still needs to be protected with anti-virus software however and, while Microsoft’s own free anti-virus package does a good job, the company’s past failures still maintain a multi-million dollar worldwide industry in third-party solutions.

Microsoft are good at responding to malware and viruses too, their operating systems include Windows Defender and once a month a Malicious Software Removal Tool will come down to those with automatic updates enabled.  The company always publicise details of threats on their websites and works closely with third-party security companies to minimise the risk to its customers.

With Windows Phone, their new smartphone OS, things are even better.  Because every app for the platform must be vetted before going into the official app store (the only way to get apps on the phones) then viruses and malware simply don’t get through.  This is an essential ingredient with smartphones which are linked far more closely than our home PCs will ever be to direct payment methods.

Apple too maintain tight control over their smartphone app store, which helps keep malware off the platform but it’s on their own desktop operating system that things begin to fall down.  Google are even worse and I feel that both companies are heading for a disaster.  So why is it that Apple and Google aren’t taking malware seriously?

To justify my point we’ll start with Google.  This company has a free and open smartphone OS with an app store devoid of the diligent scrutiny that Apple and Microsoft show.  Consequently in just one week last month, no fewer than 26 malware apps were found in, and removed from the Android app store with no word on how long they’d already been there.

These malware apps don’t just affect Android smartphones, where they can run up bills on people’s tarriff’s, access their email, contacts and more, but they’re also present on Android tablets.  These are devices on which we do banking and online purchasing.

Google’s response to malware is almost completely absent.  They’ll scour their app store for the stuff every month and remove it when they find it, but none of this helps the people who get infected by it.

I also have concerns about their new Chromebooks as there’s similarly no virus and malware protection for these.  Just a browser that people will use for banking and shopping.

Now you’ll probably point out here that every criminal is attacking Windows.  Well this is no longer the case any more as the ever-increasing proliferation of Android malware demonstrates.

Apple also has its own problems with OS X.  A recent malware attack by “Mac Defender” has left many people out of pocket when they were defrauded out of their credit card details.  Worse a new DIY Crimeware kit is now available through forums for Mac malware and virus writers.

It’s clear then that Google and Apple platforms are coming under increasing attack from criminals and this is a situation that’s only ever going to get worse.

To compound matters even further, a recent leaked memo from Apple to it’s support staff instructed that “AppleCare does not provide support for removal of the malware.  You should not confirm or deny whether the customer’s Mac is infected or not.” and an Apple helpline worker recently told PC Pro magazine “We don’t recommend installing security software,”

Clearly Apple and Google are going to have to raise their game if they’re not going to lose the trust and support of their very loyal customers.  It’s astonishing to me that they’ve never learned lessons from Microsoft’s past mistakes and that they still believe that anything Unix is immune and doesn’t need protecting.  These two companies need to wake up quickly before the really bad news begins.

In light of Sony’s security breach last week it’s clear that Internet security is a major issue and work clearly needs to be done, and done quickly, on implementing new web security standards, for instance the authentication of email which people have been talking about for years. Not to mention the fairly obvious increase that’s required in the protection of web servers and the distribution of information across those servers to help secure it from hackers.

That said, it’s done now and a massive 77 million people have had their personal information exposed. We still don’t know how much information this includes and what it could be used for. One thing is for certain, people such as the ‘security expert’ who went on the BBC this week and said if you haven’t seen fraudulent transactions on your credit card yet you’re probably safe, are just idiots. How quickly do these people think criminals can get through 77 million records?

I thought I’d write up some strategies here to help keep you and your personal information safe online. Some of these you will be able to implement and some you won’t, but in conjunction they ought to make you safer.

Keep your email and online files password safest

This isn’t just to do with Spam, it’s something I wrote about here a few days ago. Create yourself a super-strong password (see below for advice on how to do this) that you use only for your email, contacts and anywhere that you store documents online, such as SkyDrive or DropBox. It’s essential to keep this information safe. You are being trusted by others with valuable contact information attached to your email account for, sometimes, several hundred other people including their full addresses, mobile phone numbers, dates of birth and more. This isn’t to mention any personal financial or other sensitive data you’re storing in your online files.

Use different passwords in different places

This isn’t always easy to do as people have trouble remembering passwords so tend to have just one or two. There’s nothing to stop you writing down a list of passwords in a file on your phone (if you have a code lock on the handset) or at home if you have them in code. For instance you could have the letter s appended to the beginning of the password. To any glancing eye it just looks like an extra letter on the code. You will know that is the password you use for shopping websites. A g could signify gaming websites and so on. While remembering passwords might be a pain when away from home and on new computers, your own computer equipment will usually remember the passwords for you.

Create a strong password

The strongest and most secure password follow the same rules…

• Make it at least 10 characters in length
• Use a mixture of Lower and Upper-case letters
• Use numbers (you can substitute some for letters too, 0/o, 1/i/l, 5/s and so on)
• Use symbols (which you can also substitute for letters, $/s, _/L, #/o for instance)
• Do not ever use the following (common words, names, date of birth, the word password)

One thing to note with this is that many websites still won’t allow you to use certain characters (usually *) in passwords.

Never use your banking passwords or PIN

Your banking password and card PIN number are for your banking ONLY. Do not ever use them on any other service or website!

Minimise the information you share

This can be difficult. On websites such as social networking it’s easier to do and you should never share…

• Address
• Phone numbers
• Date of Birth

But sometimes, especially in the case of a website you’ll have financial dealings with this is unavoidable as they need your date of birth and address for security. Go back to my previous rule about different passwords for different websites for this situation then.

If a web service is hacked though any and all information that you share is vulnerable. If you must give away this information to validate yourself on a website can you remove or change it afterwards? Will the website’s service still work for you if you later log into your account and either remove the information completely or change it, perhaps by changing the phone number to 12345?

Be careful with usernames and email addresses

You can inadvertantly share useful information in your email address and usernames. It’s common for someone to append their date or year of birth to these. Always avoid doing so!

Use online banking

If you use online banking you can keep a much closer eye on transactions on your accounts. Rather than have to wait up to 30 days for your statement to arrive, online banking will usually show you the most recent transactions whenever you log in. This is an excellent way to see if someone is fraudulently using your credit or debit cards so that you can inform the bank promptly and have those cards cancelled, minimising the economic effect on you. Remember it can take the banks a while to refund money to you.

Reduce the surface area for attack

Again this is something I wrote about at the beginning of the week. Try not to sign up for every website and web service going. Don’t spread yourself out on the web so far that you’ll never remember where you have accounts. Keep and eye on your email and junk folder. Occasionally these websites will send you an email and you can use this as a reminder to go back there and either remove or replace any personal and sensitive information, or preferably, just close the account completely.

Be vigilant

To be honest there’s absolutely nothing you can do to prevent a hacking attack such as the one that recently hit Sony. It could happen to any company at any time, no matter how big or small they are. The trick is to not have the information that can be exploited avillable to begin with but this is rarely easy in today’s Internet age. The best advice I can give is simply to be vigilant and aware of what’s going on with your banking and your accounts. With these simple rules you won’t be completely protected, but you can at least minimise the damage if something does go wrong.

Choosing a secure password to use online is second only in difficulty to knowing if that password is really secure or not.  I thought I’d share with you two tools that can make choosing a secure password easy, and that would help you find out just how secure the password(s) you use at the moment really are.

How Secure is My Password

A great, simple little site that checks your current password and reports back on how long it might take an average modern desktop computer to crack it.  There’s nothing on this site to identify you.  There’s no log-in or account needed so there’s no way for the site to ever be able to associate your password with any username or email address.

To use the site all you need to do is type your password into the white box on the screen and it will immediately report back on how long it would take to secure your password.

Simple dictionary words and names can be cracked in a matter of seconds using brute-force methods.  Adding a year or date of birth will make it more secure but it’s still something that a password cracker will check for early on.

Adding random characters such as * or & and subst1tuting numb3rs for letters can make the password more secure still but there’s no substitute for having a really long password, ten characters or more if you can do so.

You can find the site here www.howsecureismypassword.net

PasswordCard

This is a site for people who really do want a secure password and don’t mind a little inconvenience to get it.  The site will auto generate an image (one example is seen here) with completely random characters and two keys.

The first key is again random images along the top, the latter is a more conventional numbering up the side of the card.

You can print out your card (my advice would also be to save a copy or two in case you lose it).  You then choose a random character along the top, a number down the side and decide how long your password should be.

You now have a super-secure password and even if somebody gets hold of your password card, they’d never find your password hidden within it.

I’d always recommend having a secure password and these two sites can help keep you safe and secure on your computer and on-line.

You can find the website here www.passwordcard.org

Thanks to James Lidster for the tip

Is it possible, is there such a thing as an attack that can tell a hacker where you live?  The BBC has revealed that a specially booby-trapped website can tell a hacker where you are to only a few metres.

The attack was dreamt up by security expert Sam Kamkar who demonstrated at the Black Hat hackers conference a website exploiting common shortcomings in a router to reveal it’s real-world location.

He tricked the router into believing the request for it’s ID information was coming from the connected PC, not from the Internet.  He then used the revealed MAC address with a geo-location feature in Firefox to interrogate the database Google gathered when it made its Street View photographs.

The data, which was controversially gathered, linked the MAC addresses of routers to GPS co-ordinates.  “This is geo-location gone terrible,” said Mr Kamkar during his presentation. “Privacy is dead people. I’m sorry.”

Mikko Hyponnen, senior researcher at F Secure called the demonstration “very interesting” adding that such a technique could be used for “stalking or targeted attacks against an individual”.

“The fact that databases like Google Streetview’s Mac-to-Location database or the Skyhook database can be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly.” said Mr Hypponen

In 2005, Mr Kamkar created a work that helped him gain more than 1 million MySpace friends in a single day.

In what will be seen as very bad news for Adobe, given recent attacks on the company’s software by Apple supremo Steve Jobs, they’ve today had to admit that there is a serious flaw that affects both the company’s Acrobat and Flash platforms.

The vulnerability potentially enables hackers to take remote-control of a PC and isn’t limited to Windows.  Apple Macs and PC’s running Linux are also apparently open to attack!  Even the excellent UAC security system in Windows 7 is apparently not enough.

In a security announcement the company said…

There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat

It’s long been known that Adobe Acrobat files are excellent carriers for viruses, they carry at least as many viruses worldwide as Microsoft’s Office documents, and Adobe a rushing to provide patches for the software.

In the interim, the company says that users could rename or delete the affected “authplay.dll” file on their computer to prevent their computer from becoming compromised.  They do say though that doing this will result in…

users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF [Adobe Flash] content.

Obviously I’m not going to suggest that people uninstall Acrobat and Flash from their computers, as they’re both too useful.  I would recommend that you make sure your anti-virus and anti-malware software is up to date, and that you have the Adobe Updater software running too.

The software affected by this bug is…

Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris

Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX

Security company Trusteer has today warned that the Zeus virus, a trojan that steals online banking details from infected machines, is back and apparently stronger than before.

The company said it had spotted the virus in the wild on 3,000 out of the 5½ million computers it monitors in the UK and the USA.

Zeus, which can infect users through either the Internet Explorer or Firefox web browsers steals login information by recording keystrokes from its list of target websites.  This data is then sold on to criminals.

“We expect this new version of Zeus to significantly increase fraud losses, since nearly 30% of internet users bank online with Firefox and the infection is growing faster than we have ever seen before,” said Amit Klein, chief technology officer at Trusteer.

Zeus was dealt a heavy blow back in March when the Kazakhstani ISP, the host for the Zeus botnet, was cut off.  However internet fraudsters and criminals are usually quick to respond and it doesn’t take long for new hosting to be found.

My advice at www.thelongclimb.com as always is to keep your anti-virus and anti-spyware up to date.  Windows XP, Vista and Windows 7 also include as standard an on-screen keyboard.  This can be used when logging into websites, especially banking sites, to make the process much more secure.

Source : BBC

Security firm Symantec have done research that indicates that malware and virus attacks by criminals have risen to record highs.  Their survey suggests that they are racking up an incredible 100 attacks every second on computers worldwide.

On PCs there’s one attack every 4½ seconds and the overall levels of malware are 71% higher than in 2008.

Symantec say that this means that 51% of all the viruses, trojans and malware they have ever seen first appeared during 2009, with almost 2.9 million new malicious items detected during the period.

The company also reported a large rise in cyber-attack toolkits available to buy online…

Some of the kits were available for free, said Mr Osborne but others cost a lot of money. One, called Zeus, was available for around $700 (£458) and many had become so successful that their creators now offer telephone support for those who cannot get them to work.

New trends are appearing too including a sharp increase in attacks on the developing world, as internet infrastructure and PC usage becomes more commonplace there.

We can also expect in the coming year to see a great many more attacks aimed specifically at devices such as smart phones and apple’s iPad, none of which come with anti-virus or anti-malware detection, so their users wouldn’t necessarily know there’s an attack there.

Click on the images to view them full-size.

The chart above, taken from Symantec’s report, also shows that the USA is still by far the origin of the vast majority of malware, despite that figure falling slightly from 2008 to 2009, with more than double the amount of malware and spam originating there as from the next country on the list, China.  Malware originating from Brazil in south America grew by 50% in the same period.

It’s also very interesting to see that up to 35% of identity theft cases are down to insecure security policies on the affected computers.  This most commonly means a lack of anti-virus and anti-malware software, or having software that’s out of date.

Looking at the origins of these attacks in the table below also tells an interesting story with a whopping 49% now coming from viruses hidden within Adobe’s PDF file format.

It’s long been known that the PDF (Portable Document Format) was open to attack and was vulnerable, and that Adobe has in the past been slow to respond to security concerns.  It’s unsurprising to see Internet Explorer listed in most of the rest of the top ten attacks.  As the most popular browser with over 60% of the market it’s the biggest target, and it’s the browser most likely to be used by people with inadequate security on their computer.

As always my advice here at www.thelongclimb.com is to make sure you have adequate protection which you can get, sometimes free of charge, from the links below…

www.avg.com
www.norton.com
www.microsoft.com/security_essentials
www.spywareterminator.com
www.malwarebytes.org

And there’s excellent advice on keeping safe with your PC and online at www.getsafeonline.org

Remember that no matter how safe your PC or operating system might be, be it up to date virus protection, User Account Control or the security afforded by the Mac OS X operating system, criminals are always one step ahead and will exploit not the computer, but the soft squidgy thing behind the keyboard.  Be careful what you click!

Source : Symantec via BBC