
All Posts Tagged With: "security"

Scan Your Windows Servers For Security Issues

As someone who has to keep tabs on several Windows servers, the best way to make sure everything is in order is through consistency and methodology. Basically, what you do to one, do to all (unless, of course, the needs are different for each machine).

One tool I have found to be very valuable is the Microsoft Baseline Security Analyzer. In a nutshell, this tool scans your computer for common security problems (settings) and checks installations of data applications (SQL, MDAC, etc.) for updates and vulnerabilities. From the article “How To: Use the Microsoft Baseline Security Analyzer“:

Microsoft Baseline Security Analyzer (MBSA) checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server. MBSA also scans a computer for insecure configuration settings. When MBSA checks for Windows service packs and patches, it includes in its scan Windows components, such as Internet Information Services (IIS) and COM+. MBSA uses Microsoft Update and Windows Server Update Services (WSUS) technologies to determine needed updates. This Microsoft Update data source is obtained either directly from the Microsoft Update Web site or, if offline or in a secure environment, from an offline catalog file named Wsusscn2.cab.

It is not feasible for me to be an expert on all things Windows security, so this tool is very helpful in making sure servers are reasonably secured. The utility works on all versions of Windows Server and Windows Vista and is recommended for any Windows system administrators.

All-In-One Security Suite Ratings

For those of you who like the convenience of an all-in-one security package (typically anti-virus, anti-spyware, spam filtering and a firewall), PC World’s rating of the top packages would be a good read.

I know many people on the forums here prefer to use a combination of various free programs to accomplish the same tasks. However, I personally believe the all-in-ones are a good purchase for novice computer users who don’t have a “geek” to fall back on. A restrictive computer is much safer for someone who has no concept of computer security compared to a wide open one.

VPN - The Fastest Way to Get Hacked!

This is a guest post authored by Monte Russell.

VPN (Virtual Personal Network) is a very convenient way to connect while you are away from your normal network. This is a network protocol that builds a private path or tunnel from your computer to the network you want to connect to. A lot of companies utilize this protocol for their employees to connect to the business network while traveling or working from home.

As with all network devices, once you leave the safety of the local area network (LAN) and connect to the Wide Area Network (WAN) or World Wide Web (WWW) your protocol is subject to attack by the unscrupulous that inhabit the WWW. Hackers, thieves, and criminals have tools to defeat a normal VPN’s security. To be safest, you or your company should invest in a commercial VPN package.

A commercial package will have encryption as part of the VPN. With the encryption you will have two keys, a private key and a public key. Only you know the password to the private key and only the company knows the public key. For a hacker to gain access to the encrypted data you are sending back and forth on the VPN they have to crack both keys, the public and the private key. By the time they have cracked the key you will have ended your session and moved away from their locality. That is unless you establish your VPN and leave it on for a long period of time, a very long time. At this time the best programs that can recover passwords take anywhere from two days to a week to get the password to a 16 bit encrypted key. Newer programs use 58 bit or 64 bit encryption keys.

So now you want to know if your VPN is encrypted? Well, one way to know is to ask your IT department. Another is when you installed your VPN did you have a ‘Certificate’ that you had to install and then create a password? If you have a certificate and had to create a password then type random characters on the keyboard to create the key, you have encryption.

If you don’t have encryption I suggest you contact your IT Director or Manager and find out why your VPN is open to anyone who wants to connect while you are connected. An open VPN is an invitation not only to the data you are transferring back and forth but to the sending and receiving computers. It is like an open door on a hot summer day, anything can and will come into the house.

To read more about the VPN Protocol see this RFC:
Security Architecture for the Internet Protocol
http://www.diy-computer-repair.com/vpn.html

About The Author: Monte Russell is a certified Systems Engineer with a degree in Computer Electronics Technology, MCSE, CNA, A+, and many commercial hardware certificates. His web site www.diy-computer-repair.com offers insight into self computer repair. His free monthly newsletter is always intriguing and full of insights about computing. Subscribe for free at http://www.diy-computer-repair.com/newsletter-signup.html

Just Because Software Is Free Does Not Mean It Is…

  • … bad.
  • … good.
  • … safe to use.

This tip is just a simple reminder that free software is not always the best or worst choice when trying to figure out the best tool for the job.

An important thing to remember is just because it is free, does not mean it is free of malware. Think about it for a second… what better way to distribute spyware/viruses than through something people will willingly download? Do you remember the G-Archiver fiasco? On the other hand, these cases are pretty rare and if you have your system properly protected, you should be OK.

Don’t let the appealing price of “free” make the decision for you, there are many software packages out there well worth their price.

The “Zombies” Are Coming!

It sounds like something straight out of Hollywood. A horde of merciless souls invading our world and wreaking havoc where ever they go. They are everywhere, and they are seemingly unstoppable. As far-fetched as this may sound, in a way, it is true.

Zombie BotNets are real, are everywhere and pose a real threat. What are they and what can be done to stop them?

Completely Hide Windows Folders

If you share a computer with others, you probably have several files which you don’t want anyone else to see. While you could make the folder hidden, it will be displayed as long as the Windows Explorer preferences are set to display them. Instead, to completely hide the folder, try Free Hide Folder.

Basically, Free Hide Folder allows you to completely hide a folder from view (regardless of Windows settings) so it does not appear in Windows Explorer at all. The program can be password protected to protect you from others going in and showing the folders.

As the name suggests, this program is free and is ideal for hiding any files you don’t want anyone else to find.

Identity Theft - Don’t Be Stupid

We’re all users of the Internet. We pay bills online. We have our identity out there online. We also have credit cards - usually several of them. All of this adds up into one thing…

Your identity is digital. It is portable. And it is in other people’s hands.

And this means it is a matter of a few keystrokes to steal your identity. What if somebody got ahold of your social security number? Perhaps a site you work with somehow leaked it - even by accident. Perhaps somebody sifted through your trash and got it. Perhaps somebody just saw the number on somebody’s computer terminal in the company headquarters of your bank. What could they do with it?

A lot. And you’re basically depending on the honesty of the folks you work with to not abuse your information. There is one solution I want to tell you about, but first let me tell you a little more about the problem.

How ID Theft Works

The problem begins when somebody, somehow, gets ahold of your personally identifying information (name, social security, credit card number, etc) without your permission. This person then decides they want to try to USE your information to commit fraud. Perhaps they apply for more credit cards using your name and social security number, for instance.

The FTC estimates that as many as 9 million Americans annually have their identities stolen in this fashion.

Sometimes you will not know if somebody is out there using your information. In really bad cases, it can lead to lost job opportunities, lowered credit record, being denied a loan. This is serious stuff. In other cases, you might not know it is happening unless you routinely check your credit history and look for anything you don’t recognize.

How Do They Get Your Information?

There are multiple ways to get your information. I mean, just look for a second at all of the bills, credit card invitations, websites that you deal with. It adds up to the following, fairly trivial ways that somebody could steal your information:

  • Dumpster Diving. Yep, all somebody has to do is dig through your trash or even the dumpster at the office or at your apartment complex.
  • Phishing. They can pretend to be a legitimate company and, in reality, be somebody only looking to get your private information. It happens all the time online.
  • Change of Address. Yes, how easy would it be to simply intercept one of your bills, fill out a change-of-address form, send it in and thereafter get all the bills sent somewhere else. That’s right. VERY easy.
  • Stealing. Got your wallet or purse stolen? They now have EVERYTHING. Case closed.
  • Social Engineering. They can call into companies and obtain your private information by convincing them they are you. Most companies employ some way to fight this, but it is not fool proof.

What Can Happen To You?

There are TONS of creative things a dishonest person could do with your identity, including but not limited to:

  • Open credit cards in your name, charge them up, not pay the bill and it then goes on YOUR credit record.
  • Create and use counterfeit checks using your information. I used to work in retail…this is REAL.
  • Clone your debit card and make purchases, thereby draining your checking account. All you know is you see purchases you didn’t make.
  • As mentioned above, they might change the billing address on your credit cards or bills. And, if you’re like me, you use your bills as reminder to pay. If you weren’t getting statements, you might not notice and, all of a sudden, your credit is affected by late payments.

I used to sell a piece of software online and I regularly got people repeatedly trying different credit card numbers. Often times these attempts were made by computers in countries like Malaysia, Pakistan, and China. Each one of these credit card numbers was STOLEN. I had to battle this, on the merchant side, constantly. If one ever got through, I would have to refund it. Sometimes, I’d have somebody dispute the charge saying they never made the purchase. Duh! It’s because somebody else made the purchase using YOUR credit card!

So, don’t be stupid. It is easier than ever to have your identity stolen these days. What can you do about it?

Invest In Identity Protection

PCMech.com is partnering with a company called LifeLock that offers first-class identity protection.

Now, I’ll be the first to tell you that some of what LifeLock does you can do on your own. For example, LifeLock will contact all credit bureaus and set up free fraud alerts on your accounts. You can do the same thing on your own. But, LifeLock goes a LOT further than this. Here’s what they’ll do:

  • As said, they’ll activate fraud alerts on all credit bureaus.
  • Every 90 days, they’ll recall all bureaus and re-activate fraud alerts (because sometimes it simply stops for no reason)
  • They will get your mailing address OFF of all pre-approved credit card and junk mailing lists. That right there will reduce all kinds of annoyance. I get multiple credit card offers DAILY!
  • LifeLock will, yearly, request your credit report from all credit bureaus and have them sent directly to you. No need to remember to do it.
  • If your wallet or purse ever gets stolen, LifeLock will assist in contacting all banks and document issuing companies to arrange cancellation and replacement. And, because it is LifeLock, they have the connections to ensure it is done quickly.
  • This one is my favorite…they will insure your identity up to $1 million! If, at any time, somebody manages to get past LifeLock and steal your identity while active with LifeLock, they will go after the thief with a vengeance, unleashing lawyers, accountants, whatever. They will spend up to $1 million to recover your good name.

So, basically, they got your back! This company is owned by that guy who does the commercials where he drives around town in a truck with his social security number on a huge sign. Gotta love that.

So, here’s the deal. If you sign up for LifeLock through PCMech and use the promo code “mph10”, you will get an additional $10 off a yearly plan. The normal yearly plan will run you $120/year. They are already running a $10/off special. Using this special promotional code from PCMech, you can save an additional $10, making your yearly plan only $99. If you choose to go monthly instead, it will run you $9/month.

So, right now, through PCMech, you can save $21 on a yearly LifeLock plan.

I have seen identity theft at work. I have had to help people who had purchases made with my company using their credit card and it wasn’t them. It happens! So, don’t be stupid and act like it won’t happen to you. It may never happen, but again, if 9 million Americans fall victim to identity theft per year, that isn’t good odds, my friend.

Online Security: Dissecting an eBay Scam

If you do any form of communication over the Internet, online frauds and scams are something you always have to be wary of. I have been fortunate enough to avoid such scams as I keep my email reasonably locked down, have a relatively good “BS detector” and am overall a tad bit on the cynical side (only slightly though!… maybe…). That said, I have never been an actual singled out target for a scammer until recently.

I thought it would be fun to do a writeup dissecting exactly how the scam worked (in both a real world/average user approach as well as in a technical sense) and also point out how, with a careful eye alone, you can spot a fake (or spoofed) email. Sit back and enjoy.

The Scam - A Real World Perspective

A couple of months ago I decided to post a couple of old laptops (one of which was advertised for parts only) I had laying around the house on eBay. I go through the usual motions of taking a picture, setting a price, etc. One of the stipulations I clearly put in my terms of sale was I would only ship to the United States. So the week of the auction goes by and my “for parts” laptop sells, but of course to someone in Nigeria.

[Image]

The “buyer” (interpreted loosely in this case) in Nigeria sends me an eBay request for an invoice, to which I reply with an eBay message telling them:

I’m sorry, but as stated in my auction, I only ship to the United States.

Of course, the buyer sends me a few more messages as they must have been checking their email at the same time as me, one of which says (none of the emails are edited):

Have already transfer the moeny..so i have paid the sum of $100.00 for the shipment fof the item through USPS Global express mail…so i want you to get the item posted as sson as possible..

Now, from the email image above, my item sold for $56 with a $10 shipping fee, so the buyer was going to “pay” me $100 to ship a for parts only laptop to them overseas. I was scratching my head at this point and then I receive an email from eBay:

[Image]

No sooner did I finish reading this, I received “another” email from “eBay” contradicting what the previous message said. I only had to read the first paragraph to tell this second email was a fake. I took a look at the email headers which clearly proved this was a fraudulent email. I have highlighted everything in the email below which is evidence supporting that the email is garbage.

[Image]

Reading the text is actually quite humorous as the text is so poorly written. Combine that with the fact of the reply-to address being an @instruction.com email.

It doesn’t stop there, about 45 minutes later I get a “payment confirmation” from “Paypal”. Not only had payment been made, but this generous individual “paid” a total of $300 for a $66 item. They must have really wanted the parts. Of course, the Paypal email was a fake in the same fashion as the eBay spoofs.

[Image]

I will say this for the fake emails sent, at a quick glance they do appear legit. A respectable job was done in replicating the fine print at the bottom (not showing in the “Paypal” email). All the images (when shown) resemble their authentic counterparts and (most of the) links in the emails took you to the correct locations.

After I received the first fake eBay email telling me the item was reinstated “and you can go ahead with the transaction”, I did not send another email to the scammer. Here are all the emails they sent me after this, each getting a bit more threatening:

2 days later:

Payment made for your ebay item.

i have transfered the payment for your item and the money for your item as been deducted from my paypal account.and i have not head anything from you since then.so i want you to get the item shipped to my store’s address and send the shipment tracking number to paypal at their customer care link given to you in order for the money i transfered to be credited to your account.
get back to me as soon as possible so that we can dialog and complete this transaction.

1 day later (this one from “Paypal”):

PayPal Shipment Reminder for Transaction ID: 92S849286985130M

PayPal Postage Verification Center is using this message to remind you of the transaction between you and [fake name] about an eBay item paid for by the Buyer who also is our Client .We are yet to receive the shipment details of the transaction,the buyer has paid and your money is still in our Account Database ready to be credited into your account once we verify the shipment of the item.
The buyers shipping address has been confirmed by us:

[... address information ...]

This PayPal payment has been Confirmed and Approved by us,but due to that its International Transaction all we need from you is the shipment proof for the verification of your money.Once this as been received and verify by us,You will receive a CONFIRMATION E-MAIL from us informing you that the money transfered to your account as been credited.

1 day later:

Why can’t you just reply !!!!!!!!!!!

I have transfred the payment for your ebay item and the money for the item as been deducted from my account.and i receive a mail from paypal informing me that to protect bot parties that you need to send to the the shipment deatils for the item so that thye can creditmthe money to your acount so i want you to get the item shipped and get back to paypal at thier customer care link given to you….
N:B :
I want you to get back to me or else i will report….!!!!

3 days later:

Confirmation of payment…get item shipped!!!!!!!!!!

i have Already contacted pay pal on your behalf about your fund and the explain that they are taking new procedure for international transaction in order to secure but buyer and seller against fraud and they just introduce the new system for international transaction only and your have been deducted from my account already and i await you to complete the transaction.I hope you would have been contacted by pay pal now for confirmation of payment.
thank you and pls reply if you have any question

3 hours later (this one from “Paypal”):

*** Message From PayPal Postage Verification Department ***

Dear Customer,
PayPal is using this time to remind you about the transaction between you and [fake name]. The money transfered to your paypal account by [fake name] for your ebay item as been deducted from her account and its here in our Data Base side for security purpose. so we want you to get the item shipped to the buyers address and get back to us for verification of your money to your account once we have the shipment details for the items from you, your money will get credited to your paypal account immediately. Now get this done as soon as possible and get back to us with the shipment details so that your money been PENDING days ago can be release and credited to your paypal acount.

Thanks for contacting us.
We hope to serve you better till Future.

After the last reminder from “Paypal” I didn’t hear anything else. The timing was such that they waited a week with no response from me before giving up and moving on. This having been the first scam I was singled out on and looking at it from an average user’s perspective, I can understand how someone would fall for this scam. In general the emails are convincing enough (although, the scammers spending 30 seconds to spell check and proof read their emails would make it more convincing) to lure in someone who is relatively new to eBay or somewhat naive/trusting. It is a real shame these are the ones which get taken advantage of.

The Anatomy - Breaking Down The Scam Technically

In this section, I am going to do a quick breakdown of some of the technical elements which definitely prove the emails are fake. You do not have to be a “geek” to follow as I will explain in plain English.

Since the scammer sent me several fraudulent emails, they must have gotten my email somewhere. My eBay user name is not my email address and I have nothing in my eBay profile to indicate my email. So the first place I started looking was in the emails eBay sent to me and, indeed, they got it on the invoice request email.

[Image]

As you can see, the email was sent to me but additionally to the scammer via the carbon copy (the scammer’s email is blurred out). I can only guess when the scammer was sending the email through the eBay system, they selected the option to have a copy of the email sent to them. If this is the case, I cannot believe eBay would be so careless as to let this happen as they are adamant about warning you to only send and respond to messages using the eBay system. Supplying such a simple vehicle for unscrupulous people to subvert this safety measure is a big time failure on eBay’s part. Again, I stress the emphasized “if this is the case” above.

So once they had my email address, the barrage of spoofed emails ensued. From here, producing their cleverly replicated eBay and Paypal emails was, probably, just a matter of copying and pasting a template email where the scammers reproduced a legit email, modified the text and “filled in the blanks” with my information. In the case of this scam, the email format was replicated reasonably well, but the wording of their text was so poor you could recognize the email as a fake right away.

Suppose the scammers did take a few minutes to actually read their email before sending it and the result was an email which is the spitting image of a legit message with flawlessly worded text. How do you recognize it then? You have to use the full email headers to find out where the message originated. To demonstrate the dissection of the headers, take a look at the image below where I have headers from a legit email sent from eBay on top of the headers from a fake email.

[Image]

When you take a look at the information indicating where the email was sent from (look at the “Received:” values above), you can immediately see the domain names for valid emails end with “ebay.com” where the fake ones end with “yahoo.com”. Why would eBay send messages from Yahoo’s servers? They wouldn’t. The scammer was clearly using Yahoo Mail to send their fake emails.

Doing simple things like changing the ‘friendly name’ in their Yahoo Mail preferences to something like “service@ebay.com” or “notification@paypal.com” in place of where you would usually put your actual name, and changing the ‘send replies to’ setting to an equally crafty email address, can make an email appear to be legit when only quickly glanced at.
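The header checks described in this section can be automated. The following is an added example, not part of the original article: it parses raw headers and flags the friendly-name trick, a reply-to address outside the claimed sender's domain, and a "Received:" host that does not belong to that domain. The two sample messages, their hostnames, mailbox names and IP addresses are constructed; only the ebay.com, yahoo.com and instruction.com domains come from the text above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# An e-mail address typed into the friendly (display) name field.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# The connecting host recorded at the start of a Received: header.
RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s;()]+)", re.IGNORECASE)


def domain_of(address):
    """Return the lower-cased domain part of an address, or ''."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def under(domain, brand):
    """True if domain is brand itself or a sub-domain of it.

    The leading dot matters: 'notebay.com' and 'ebay.com.evil.example'
    must not count as belonging to 'ebay.com'.
    """
    domain, brand = domain.lower().rstrip("."), brand.lower()
    return domain == brand or domain.endswith("." + brand)


def check_headers(raw, brand):
    """Return a list of findings for a message that claims to be from brand."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # Friendly name shows one address, the real sender is another.
    shown = ADDR_IN_NAME.search(name)
    if shown and shown.group(1).lower() != from_dom:
        findings.append("display-name-address-mismatch")

    if not under(from_dom, brand):
        findings.append("from-domain-not-brand")

    # Replies would go somewhere other than the claimed sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and not under(domain_of(reply), brand):
        findings.append("reply-to-outside-brand")

    # Only the topmost Received: header is written by the recipient's own
    # mail server; lines further down can be forged by the sender.
    hops = msg.get_all("Received") or []
    hop = RECEIVED_FROM.match(hops[0]) if hops else None
    if not hop or not under(hop.group(1), brand):
        findings.append("received-host-not-brand")

    return findings


# Constructed sample: the spoof pattern described in the article.
FAKE = "\n".join([
    "Received: from web.mail.yahoo.com (web.mail.yahoo.com [198.51.100.7])",
    "\tby mx.recipient.example; Tue, 1 Jan 2008 10:00:00 +0000",
    'From: "service@ebay.com" <buyer123@yahoo.com>',
    "Reply-To: ebay-support@instruction.com",
    "To: seller@recipient.example",
    "Subject: Your item has been reinstated",
    "",
    "(body omitted)",
])

# Constructed sample: what a genuine notification would look like.
LEGIT = "\n".join([
    "Received: from mxout.ebay.com (mxout.ebay.com [192.0.2.10])",
    "\tby mx.recipient.example; Tue, 1 Jan 2008 09:00:00 +0000",
    'From: "eBay" <service@ebay.com>',
    "To: seller@recipient.example",
    "Subject: Invoice request",
    "",
    "(body omitted)",
])

if __name__ == "__main__":
    for label, raw in (("fake", FAKE), ("legit", LEGIT)):
        print(label, check_headers(raw, "ebay.com"))
```
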

Taking Action: Protecting Yourself And Reporting Scams

The most effective weapon you have for protecting yourself against scammers is common sense. Scammers make a living by playing to people’s naivety, trust, greed, ego or all of these. In my case, why would someone voluntarily pay me $300 for an item which went for $66 total? This is way too good to be true as nobody is that generous. Combine this with the incessant fraudulent emails calling for immediate action “or else”, the scammer was counting on me being naive, trusting or greedy. Another interesting observation is they used a female name for all of their correspondence. Perhaps there is more perceived trust when you are dealing with a woman? I have no evidence to support this, just a thought I am throwing out.

As an extra measure, and to help others thwart these types of scams in the future, pretty much all major online sites have methods to report suspected fake emails. In the case of eBay and Paypal, this involved just forwarding the unmodified email to “spoof@ebay.com” or “spoof@paypal.com”. I did this for each of the fake messages and got a response back in no later than 30 minutes. Any time you suspect an email to be fraudulent but are not totally sure, be sure to do this before responding to the suspect email.

If you have already fallen victim to a scam or want to report the attempt, you can report them to the Internet Crime Complaint Center. Here you fill out a somewhat detailed form regarding the scam (i.e. how did they solicit you?, how did they want you to send money to them?, where did they want you to send money?, etc.). I filled out one to report this scam attempt. Every little bit helps.

Stay smart.

Scan Your Network For Suspect Devices

The battle to protect your computer and network against threats is essentially never ending. While there are a lot of simple and effective things you can do, another trick to add to your arsenal is keeping tabs on your network and the connected devices. A simple (and free) utility to help you with this is RogueScanner.

RogueScanner scours your network for connected machines as well as devices connected to those machines. You can then view the findings of the scan to make sure what was detected is indeed what you have. If you find any differences, you might have something going on.

There is a RogueScanner tour available for you to view in order to get a better understanding of the process. This is worth looking into if you have an entire network to keep track of.
