A mixed bag of cool

Let’s try something different. Posting the newsletter. This was the TalkBiz News issue for November 16, 2015.

Lots of cool tools, new courses, and useful tips in this one. New income streams, security notes, video schtuff, lead generation, and more.

And it’s not 10 pages long, like the last one. 😉

After that issue, the few folks who replied almost all said it would be better to have stuff like that one in PDF format. So, that’s how I’ll finish it. I’ll let you know when it’s ready.

I wasn’t surprised at the small response. That’s what you get when you drop a question at the end of a 5500-word email on a subject that only appeals to maybe 20% of your readers. (Another good reason to do those in PDF.)

First tip: One lady mentioned that her browser rendered the text in very small print. If you run into that online, hold down the CTRL key and tap the + sign. That enlarges the display, making it easier to read on-screen. To go back to normal, tap CTRL and 0 (zero).

Great for blogs and the like that use tiny type faces.

….

Alice Seba and Ron Douglas have another training system out. This one, called “Content Cash Flow,” is about turning your writing skills into a regular business by creating and selling PLR content.

Alice has over 20,000 customers for a site where she does this. So, there’s a major clue behind the thing.

I’ve personally bought a ton of PLR graphics, templates, and software. There’s money in the PLR business if you can create good content.

This one is a definite “check it out” if you can write decently. It can be an extra income stream, or a whole business by itself. And the teacher really knows her stuff.

http://talkbiz.net/plrbiz

By the way… Don’t confuse that with my course with a similar name. Very different material.

….

Some of you know I’m a big fan of open source software. (I’ve never liked proprietary file formats.)

Open Office and the GIMP are pretty well known. The audio geeks have all heard about Audacity. This week, though, I was pointed to something I hadn’t seen before. A free, open source video editor that rocks.

It’s called Shotcut.

You can download it at http://talkbiz.net/opensourcevideo

Ray Dale, the guy who pointed it out to me, has a course on it, along with some extra graphics and audio that you can use with the program. The course is free, and contains 6 videos to walk you through the process of creating and editing your own videos.

That’s at http://talkbiz.net/shotcuttraining

Ray also hosts a Facebook group (also free) to help people get things going with Shotcut.

Definitely rates “Cool Tool” status.

….

One of the things that can cut into your responses from online content is the difficulty in getting people who like it to get in touch with you. Mostly because they don’t remember how once they’ve left the page.

Ray has a cool product to solve that problem. Called “Tube Caller,” it shows you how to put a ‘click to call’ button on your YouTube videos. When someone watches your video and wants to get in touch, all they have to do is tap a button on the screen and the phone dials you directly.

The applications for this are pretty broad. If you’d benefit from more phone leads, this one’s for you.

I’d probably use it a bit differently. I have a phone number that is used just for people to leave me messages, and it would be fun to post that link to videos or even blog posts. I can check the messages via the phone or online, and download them as audio files.

Cool way to collect testimonials or suggestions. Or funny stories.

Yes, it can be used on any page. Setting it up on YouTube isn’t a real obvious thing, which is why the course. Once you know how, it can be used on other types of pages. Like, for example, for restaurant reservations, consulting interviews, catalog sites, and more.

http://talkbiz.net/tubecaller

Classic “one problem, one solution” product. Nicely done.

….

WordPress Notes: If you use the BulletProof Security or Fast Secure Forms plug-ins on your blog, update them. There have been security flaws discovered – and fixed – in them recently.

While you’re at it, you should probably update all those other plug-ins that have been waiting. But do a back-up first. Just in case.

….

I got tired of all the bogus registrations and spam comments, so I went looking for something to stop them. Tried a few, and settled on “Anti-Spam by CleanTalk.” Made sure it didn’t conflict with anything on the blog, and signed up for the year’s membership.

Best $8 I’ll spend on WordPress this month, I think. Stopped them cold. Over 1000 attempts blocked in the first week.

….

After I moved my sites recently, I discovered the link tracker I’d been using wouldn’t work with their system. So, I looked into a few. Been trying out Pretty Link Lite for the past few days, and it’s working nicely. As soon as I’m sure it won’t conflict with the security stuff on my blog, I’ll be upgrading to Pro.

It’s the simplest WP plug-in I’ve installed in a long time. Upload it, activate it, and go. Video tutorials linked right in the dashboard.

Pretty Link is how I get those short links with sensible names, rather than long, ugly links, or using a public redirect service that hands my tracking data to some third party. Or, in the case of bit.ly, to any random stranger who’s curious.

Seriously. If you want to see the stats on a bit.ly redirect, just put a plus sign at the end and visit the link. All is revealed, to anyone who wants to see it.

And people wonder why I keep this stuff in-house.

You can find these in the WordPress plug-in collection. Or just search for them through the Install New Plugin page in your WordPress dashboard.

….

For you Android users… You may want to keep your phone “open” so you can make phone calls and get to your camera without needing to unlock the phone. Still, it’s likely you have some apps that you want to keep protected.

For this, you want an app locker. Be careful, though. The most popular, called simply “App Lock,” triggered all sorts of security alerts from my phone.

I found another one called “Smart App Lock.” This is handy. You set a code and then choose which apps you want to lock. You can use it “as is,” or set it up to look like the apps crashed when someone tries to access them. (Yes, there’s an easy way to get past that part, but you still need the unlock code.)

You can also set it to take a picture of anyone who tries to unlock it and gets the code wrong. Nice way to see who’s messing with your phone.

And, if you have your phone set to automatically upload photos to an online account, it’s a good way to get pictures if someone finds or steals your phone and tries to get into the things you want kept private. You know. Like banking or email or text messages. Or your social media accounts.

Whatever you want, it will lock.

That one’s free in the Google Play store.

….

Lots here to help you protect your online assets and build more of them.

If you want more leads from your sites and videos, check out Ray’s TubeCaller course, at http://talkbiz.net/tubecaller

And, if you write well and want to add a serious extra income stream or start a business based on that, don’t forget to grab a copy of Alice and Ron’s latest, “Content Cash Flow.”

You can get that here: http://talkbiz.net/plrbiz

Good stuff, all the way around.

Enjoy!

Paul

….

Find the newsletter handy? Stop by the Pub and buy me a beer. http://buy-paul-a-beer.com

Affiliate disclaimer: You should assume that the sender of this email has some sort of relationship with the sellers of products linked to from the email. This means they may receive compensation if you click on links and buy stuff, sign up for a list, or do other things once you get there.

Take any recommendations with whatever amount of salt you deem appropriate.

“Anyone who tells you you can succeed without work is probably trying to sell you something that won’t.”

So, that’s what a recent issue looked like. To subscribe and get them all as they come out, along with some cool welcome aboard gifts, go to http://talkbiz.com – and welcome aboard!

Big Brother’s little helper – Hacking Team

This is the (so far) 3-part TalkBiz News series on the recent explosive Hacking Team revelations.

Part 1 – “Who Hacks the Hackers?” – July 6

In what may be the scariest story on digital security since the hacking of systems to spy on the international community’s discussions with Iran over its nuclear program, a firm called “Hacking Team” has been hacked. In a big way.

The firm sells tools to governments to spy on their citizens, even when they’re using encrypted communications.

According to early reports, these tools allow anyone who has them to break into virtually any mobile device. There seems to be no country the firm won’t sell to, regardless of their record of abuses.

The 400 gigabytes of data stolen from the firm and released to the public includes source code.

Wired has a good summary of the story, at:

http://talkbiz.com/needtoknow/hackershacked

They don’t really get into the potential security issues down the road, as the story focuses more on the Snowden-like implications of the disclosure. It’s also difficult to know just how dangerous that source code might be in the wrong hands without knowing exactly what was released.

400 gigs is a lot to go through, and the leak only appears to have happened last evening (Sunday, July 5).

….

The worst case scenarios are pretty bad. As in, security nightmares for hundreds of millions of people. Depending on what’s in there, we could soon have random hackers gaining access to spy systems installed and operated by governments. Or the digital creeps could use that code to bring botnets and identity theft to a whole new level.

It’s likely we’ll see companies using the code and/or the contacts to expand their industrial espionage systems.

Small-scale tools could easily come out of this, too. It may well be another source for “spy on your spouse/ex/kids/employees” malware.

Given the degree of control over remote devices that are implied in the stories I’ve read so far on it, this is way beyond just tracking locations.

….

Of course, sunshine doesn’t always mean a burn. As Justice Brandeis remarked, “Sunlight is said to be the best of disinfectants.”

It is possible that security firms like Kaspersky could use that code to find ways to remove or block Hacking Team’s tools, and governments which are responsive to their citizens could face huge backlash against this level of spying. Given the timing, that seems to be the likely goal of the release.

The political fallout is almost guaranteed to be significant. As for the implications for individuals and companies, a lot will depend on that code.

I’ll be keeping an eye on this story, and will update you as more information makes its way out from security analysts and bleary-eyed coders.

This could become very interesting.

Part 2 – “Freaking Team” – July 8

Hacking Team, the company that sells the literal spyware that I mentioned last issue, is freaking out. I suspect their customers are, too.

According to Motherboard, they’re telling all the countries and spy agencies they’ve sold it to that they need to shut the software down, completely.

It also appears the various entities who bought the product, called Galileo, got “watermarked” copies. That could make it possible to tell which agencies were tracking which people or groups.

This has the potential to be more politically and diplomatically explosive than Edward Snowden’s leaked documents.

….

Digital spying and crippled encryption is among the most important civil rights issues facing people throughout the world right now. Hopefully, this kind of leak will create enough backlash to get things moving back in the right direction for a while.

I can imagine the chaos in some spy circles at the moment. And as far as Hacking Team… As Bruce Schneier put it, “It’s one thing to have dissatisfied customers. It’s another to have dissatisfied customers with death squads.”

Or, to paraphrase Jerry Lee Lewis, “There’s a whole lotta freaking going on.”

Further bulletins as events warrant.

Part 3 – “More on Hacking Team” – July 15

There’s bad news and good news on the fallout from the release of all those files stolen from surveillance software firm Hacking Team.

The bad news: So far, the discoveries include 3 zero-day exploits in Adobe’s Flash software, 1 in Windows Internet Explorer, and 1 in the Windows kernel. These were previously unpublished, which means they were exploitable until after these files were stolen and released.

Of those, fixes have been rolled out for all but the 3rd Flash exploit, as of this writing. One assumes that last one will be patched soon. So, update Flash and install any Windows updates that may be waiting. The relevant Windows patch was released July 14th.

The IE bug was nasty. It allowed for remote code execution, which opens vulnerable machines to all sorts of nasty abuses, including drive-by downloading and installation of malware.

The Flash bugs were the last straw for some folks. Firefox and Chrome both changed their default settings to disable the Flash plugins. You have to explicitly change those to make it work without intervention on a case-by-case basis. Alternatively, you can leave it off, and allow individual Flash elements (like videos) to play when you’re confident of the source.

I’ve left it turned off and found very little that I really wanted to see enough to enable it even on a one-time basis. It’s interesting to see how many ads use Flash, though.

The new security chief at Facebook wants Adobe to set a date to kill Flash once and for all. He, like many people in the field of digital security, has gotten tired of the incessant flow of critical vulnerabilities in the software.

I can’t disagree. I’ve had to update Flash for security reasons more than any software I’ve ever used. Well, except for Windows, but that’s a lot more complex than just Flash.

….

That kind of industry pressure is part of the good news, as is the patching of all those gaps.

More good news comes in the fact that anti-virus/security software companies are said to be modifying their products to detect and remove the Hacking Team code. Nothing definitive yet, but that’s not surprising. Lots of stuff to go through.

Back on the bad news front, it seems HT also developed and sold a BIOS-based rootkit. It is said to require physical access to a device to install it, but once it’s there, it stays. You can’t even get rid of it by swapping in a brand new blank hard drive.

You’d have to re-flash the BIOS to remove it. And how many people are going to know that’s an option, much less understand how to do it? (Added: It’s also not uncommon to brick a machine in the process of flashing the BIOS.)

The network-savvy will find it scary that Hacking Team, in conjunction with the Italian government, also used a BGP hijack to recover access to some of the targets they lost when their spammer-friendly hosting service went down.

That’s dangerous in all sorts of ways.

….

The political issues involved in having the kind of surreptitious access to someone’s computers that this stuff allows are serious. Those are fodder for a later discussion, though. They boil down to how far you trust a given government.

On a more practical note, you need to stay aware of these things as you go through your digital routines. This software allows tracking someone through pretty much any sort of security. As an example, the FBI wanted to use it to identify someone through a TOR connection, and were told that, with certain conditions being met, they could do so. (One hopes they had a warrant for that…)

And these kinds of exploits allow for planting files on remote machines. Yep, just like in the movies, where the target’s computer is seeded with phony evidence, and all traces of the real source eliminated.

Can you say phr4m3d?

….

Governments aren’t the only ones who might want to use this kind of “feature.” If you operate a WordPress site, you probably know this already, having had hackers drop files on your server without permission. The same goes if you’ve ever had a computer infected with malware.

The worst is the stuff that turns your machine into a torrent node. You have no clue what kind of illegal trash might be getting routed through your system when that happens, and you may well be legally responsible for all of it.

An interesting aspect of this story is the degree to which these folks rely on social engineering to get their software onto the targets’ machines. The approaches range from blunt tactics like crude spams to more long-term trust development through fake personas.

In the end, though, it seems the most productive methods involved exploiting the end user, rather than just technological weaknesses.

Apparently, their customer in Azerbaijan had a hard time wrapping his head around that concept. 😉

….

On the good news front, it seems each governmental customer got a copy of the software that was traceable to them. So, with the spreadsheets in the released file dump and a copy of the software, you can see a lot about who’s tracking whom.

Well, that’s not good news if you’re a legitimate LEO going after a genuine terrorist. It is if you’re a reporter or political activist who’s being tracked by a government hostile to free speech or dissent, though.

….

Now, let’s shift gears for a minute. We’ve been talking about governments having this kind of ability. What about private entities?

What if someone could track every move you make, listen in to all of your phone conversations and much of the chatter in your home or office, and turn on your webcam or the camera on your phone any time they wanted?

Let’s call the main “secret agents” in this trend Siri, Cortana, Alexa, and … Google.

No, I’m not suggesting that Apple, Microsoft, Amazon, or Google are eavesdropping on everything you say. Just that they could. Those voice-activated helper apps have to be listening all the time to know when to activate, after all.

And they’re only one good hack away from being hijacked by not-so-benevolent critters. A much more serious concern, I think.

Some of the apps that are available for phones and tablets can do all of what I just described and much more. And I don’t give them anywhere near the benefit of the doubt I’d give Apple or Amazon. Some of them are pure malware in games’ clothing.

Look at the permissions before you install anything. And, if you’re using an Android system, install DCentral1 and check the permissions of apps you’ve already installed.

If you use Apple products and only download from the iTunes store you’re probably okay, as far as that end of things goes.

Android is a whole other kettle of fish.

….

Back to the Hacking Team stuff.

The really good news is that this has helped push more attention to the use of digital espionage by governments. Hitting at the same time as the push by various western spy agencies to cripple encryption, this may help make folks more aware of just how widespread data surveillance has become.

The UK is on the verge of simply criminalizing the use of strong encryption by private citizens. Prime Minister Cameron seems to have no clue the damage his policies would do to legitimate businesses and individuals.

The US agencies are taking a more nuanced tack. They’re trying to get the various services involved to leave them back doors and access to encryption keys. Same damage potential as the Cameron approach, just less clumsy.

These folks should look into the encryption wars of the 90s. This fight has already been done, and the “no secrets” crowd lost. And that’s back when there were a whole lot fewer people involved, and a lot less at stake.

And it’s not just the Good Guys who’re watching.

To give you a hint of the kinds of problems all this digital tracking can create without you knowing, consider…

“An Apple a Day Keeps No-one Away”

According to Virgin Radio Toronto, your iPhone may be a serious threat to your safety and privacy. Nifty feature called “Frequent locations” that most people don’t know about.

They give the following instructions to find it:

“Go to Settings, Privacy, and Location Services. Then go to System Services and find the Frequent Locations menu. There, you will see your home address and basically anywhere you’ve been recently, from malls to restaurants to your friends’ houses.”

Click on one of those items. It shows your home address, when you arrived at the specific location, and how long you stayed. And, if you use some geo-tracking systems on your phone, the person holding it could even tell how you travelled to get there.

For some folks this won’t matter. For others, it might be a huge deal. And some of us object purely on the principle of the thing.

If you don’t want anyone being able to see your every move just by getting hold of your phone, here’s how you fix that.

Under the frequent locations menu, clear the history and just turn the option off.

Simple, no?

Another landmine in the digital terrain avoided.

….

I may get into some of the reasons law-abiding people should care about this in an upcoming issue. In the mean time, just be more aware of what’s going on with your portable devices, eh?

And don’t make public posts on Facebook announcing when you’re going to be on vacation away from home.

Just sayin’.


This series originally appeared in TalkBiz News. To subscribe (it’s free) visit http://talkbiz.com

Think like a creep

One of the regulars at Paul’s Pub (my little Facebook group for marketers) read the post here from the other day, titled “How scared should you be?” It’s about taking a common sense view of online security, and mentioned an article from the Times which stated that Russian hackers had collected 1.2 billion username/password combinations.

The poster looked at the huge number of credentials the thieves had gathered and suggested “you’d have more chance of catching aids off a nun than anything happening to your website.”

Apparently our colorful correspondent has not yet learned to think like a creep.


First, let’s keep in mind that the guys who stole those log-in pairs have access to a botnet. That’s a large group of computers that belong to other people, which are infected with malware that lets the crooks use their systems without the owners knowing it.

Your machine might be one of them.

Even a modest network of 10,000 zombied machines gives them a lot of computing power and distributed IPs. According to the article in the Times, they managed to grab credentials from 420,000 sites, so dismissing a task as being too large seems a bit hasty.

1.2 billion log-in pairs. In that, they have 500 million email addresses. One assumes the rest are username/password combos, or a combination of all three.

Let’s look at the records that include email addresses, and think like a creep. How could we use that info?

To start with, there are probably duplicate addresses in the list. If I were the kind of person to play this game, I’d sort on those and look for duplicate addresses that used the same password at more than one site. They probably use the same password everywhere. So, that’s a good bet for checking out possible financial and shopping accounts. Paypal, Amazon, banks local to them, etc.

If the SQL dumps they got all this data from include IPs, it wouldn’t be hard to find the most likely local banks. And they probably have bots in the network that are in the same geographic areas.

No need to be tripping alarms, eh?


Next, I’d generate a list of the most commonly used passwords. With over a billion in hand, they’ve probably got an authoritative sample. To do this step, you’d really only need to start with a few million records, which a fast computer could do in a lot less time than you might think. We’re talking hours, if that. Possibly minutes.

Then you just run through the master list in batches.

I’d look for accounts that used one of the top 20 or 50 passwords (depending on how simple they are) and sort them to a separate file. People who use simple passwords are reasonably likely to use the same one at many places.

Same potential for criminal joy as above.

Note that none of this is rocket science. You don’t need to be an evil genius to do it. Just evil.


The previous scenarios are only of concern to people who use weak passwords, or re-use them at multiple sites. Now we get into the more annoying “everyone’s a target” stuff.

I’d get a list of the 500 or 1000 most commonly visited sites in the database (same simple process as above) and look through that. Might be some gems in there for an enterprising villain.

Hard to guess what, since we don’t know which sites were compromised in this attack, but the Times did say they included “household names” and “Fortune 500 companies.”

I’d also search the domains and usernames based on high-value keywords. More potential gold in them thar ills.

Come to think of it, I’d start by sorting out every record with the username “admin.” Gotta be a few thousand of those, right?

Oh, the places you’d go.


I’d also look into categorizing those top sites by interest and segmenting them into separate lists for “targeted bulk email deployment.” (read: spam.)

No need to send the stuff yourself, of course. There are plenty of spammers happy to buy that kind of tinsel.

Then there’s the potential in selling the log-ins to link spammers. How would you feel if you went to a favorite site and discovered your account had been used to spam porn links or some other NSFW nonsense in a parenting forum?

Why yes. Yes, they would.


According to Hold Security, the firm that discovered this, the folks who assembled this access goldmine are currently only using it to send contract spam on social networks. Even if that’s all they ever plan to do with it themselves, there’s a good chance they won’t ignore the extra dosh to be made in selling it. And there are people out there who would do everything I’ve outlined here, and things I probably haven’t even heard of, without a moment’s hesitation.

There is a market for all that data. If the people who stole it decide to push the cash flow, it will end up being sold at least once. Some of it a lot more.

And, being the upright citizens you’d expect buyers of this sort of information to be, they’ll sell it on again. As often as they can get people to pay.

Feelin’ all warm and fuzzy yet?


So, why hasn’t Hold Security announced the list of sites that were hacked?

Well, for starters, that would create chaos. Chaos is usually not a helpful thing to add to a security snafu. That starts rumors and misinformation, and all manner of other Bad Stuff.

As a rule, it’s better to notify the affected companies, toward which it appears an effort is under way. They can take measures to pre-empt further breaches and misuse of the data without panicking people unduly.

Again, it’s just social network spam at this point. A nuisance, but generally not all that devastating. (There are exceptions, but that’s a story for another time.)

That being the case, I believe a quiet heads up where possible is the most responsible course of action.

Edited Sept 2, 2014, to add: This is no longer true. Some collection of creeps is currently trying to use these credential pairs to get access to hosting and/or domain registration accounts at Namecheap.

Namecheap is the only one publicly mentioning this and warning their customers. If they aren’t already hitting other hosts and/or registrars, they will be soon.

For the sites they can’t contact the owners of, I might think about sending emails warning people that their passwords had been compromised. That’s a course fraught with its own perils, though. Especially since a villainous critter who has that data could be sending their own emails and using a man in the middle attack to be sure they had the new access info. For some sites, that might be a profitable approach.

And you can be pretty sure a lot of people would accuse the person warning them of being the ones who stole the data in the first place.

They might also face significant liability if people reacted badly in ways that affected the firms from which the data was stolen. You can bet a lot of lawyers have made good coin advising on this sort of situation.


Back to you.

Bottom line is, there’s a pretty good chance one or more of your log-ins is included in that archive. If you use simple passwords or re-use them at more than one site, I’d do a couple of things, really quick. First, I’d do as complete a scan of my computer as possible, to reduce the odds that the creeps are already on your system. Then I’d start changing the important passwords. Now.

Third, I would be absolutely certain none of my email addresses used the same password I used anywhere else. If thieves get the password to an email address you have linked to any important accounts, they can get into all of them.

Password reminder is not always your friend.


The point of this isn’t really to be a security tutorial, though. It’s to suggest that dismissing the risks in situations you aren’t familiar with isn’t generally a good idea. Advising others to ignore them is even less good, as plans go.

Especially if you haven’t learned to think like a creep.

How scared should you be?

There’s no question about it. The Internet has more than its share of scumbags, lowlifes, and general miscreants. And boy, do they get press.

The New York Times recently ran a story about a small Russian group that has collected the log-in credentials for 1.2 billion accounts at various sites and services online. There’s an app running around that promises to let you change the colors on your Facebook page, but really just loads malware onto your phone if you enable it. Target was hacked to the tune of 40 million customer credit cards. And Coco the WarKitteh is mapping vulnerable wifi systems in people’s homes.

We’ll get to that last one soon enough.


Some of these scares are exaggerated to attract media coverage. Others are highlighted to sell products.

For example, while I was writing this, I got an email with the subject line, “Malware Has Been Found on Your Site.”

(Ooops. Got a second copy – both spam – minutes later.)

As someone who’s seen a fair number of those about a server with domains I host for friends, I take that seriously. Turns out, it was a pitch for a piece of security software for websites.

I have no problem with pitching security software. It’s a valuable type of product, when it works. Certainly a good hedge against the damage a hack can do. I don’t object to scary subject lines, either, if they’re legit.

That one crossed over into deceptive, though. Hardly surprising for a spam, but still…

I have no doubt it got a lot of people to open the email. This is an area people are justly concerned about. And there are plenty of folks who are willing to exploit that.

Sometimes, though, the threat is less real than the fear.


The Target breach got plenty of press. Based on what I’ve read, they used “less than adequate” systems for protecting customer data. Fortunately, there are already safeguards in place to deal with that kind of problem. Gonna cost Target a bunch, but hey, when you’re that big, you need to always consider yourself a … well … a target.

Since no other personal info was involved, the damage per individual is mostly limited to $50 or less. The 1.2 billion username/password collection is much less clear.

The credentials were supposedly collected by hitting a ton of websites using a hack called SQL injection. It tricks a vulnerable site into running database queries the attacker wrote, which can make the system spit out the entire contents of the database being attacked. Out there in front of Dog and everybody, ripe for the picking.

The attacks appear to have been carried out by zombied machines. That is, computers used by innocent people who weren’t aware their hardware had turned criminal.

Maybe even yours.

The firm that discovered this database hasn't revealed which sites were compromised. Seems they ran the gamut from very small systems to big companies. It's also not clear what percentage of the passwords involved were stored as plain text, or hashed so weakly that they could be cracked in short order. (A site that handles passwords properly never stores the password itself, only a salted hash of it, so a stolen table still has to be cracked one password at a time.)

The interesting question that should really concern you is, why would hackers bother with credentials for tiny mom-and-pop websites?

Two words: Password re-use.

It’s fairly common for people to use the same password for multiple log-ins. If the virtual snakes get hold of one, they’ve got them all. And believe it, it doesn’t take a lot of fancy programming to test those combos at banks, Paypal, Amazon, and other places you don’t want them getting into. The trade even has a name for it: credential stuffing.

Even more of a problem… If they test the password on the email account you use for other accounts and it works, they own everything connected to it. The password reset link for every one of those accounts lands in that mailbox.
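Both halves of that, how a site should be storing passwords so a stolen table isn't instantly usable, and how reuse across sites bites, fit in one added example. None of this is code from the article; the user table and the "leaked dump" below are constructed, and the iteration count is deliberately low so the example runs quickly (OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000). The last function does what a credential-stuffing crew would do with the dump, except that a site running it on itself gets to force a reset before they arrive.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor. Kept low here so the example runs fast;
# production code should use a much higher count (see lead-in).
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest.
    A fresh random salt per user means two people with the same password get
    different records, and a precomputed cracking table is useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed: what a well-run site keeps. No plaintext anywhere.
SITE_USERS = {
    "alice@example.com": hash_password("Tbidtm1958C!"),
    "bob@example.com": hash_password("correct horse battery staple"),
    "carol@example.com": hash_password("r9$Wq2!pLm7#"),
}

# Constructed: a tiny "leaked dump" from some other site, in plaintext as such
# dumps usually are. Bob reused his password there; Alice did not.
LEAKED_DUMP = [
    ("bob@example.com", "correct horse battery staple"),
    ("alice@example.com", "summer2014"),
    ("dave@example.com", "letmein"),  # not one of our users at all
]


def find_reused_credentials(site_users: dict, leaked: list) -> list:
    """Emails whose leaked password also opens their account on *this* site.
    Each check costs one full PBKDF2 run, which is the whole point of the
    work factor: the attacker pays the same price for every guess."""
    hits = []
    for email, leaked_pw in leaked:
        record = site_users.get(email)
        if record is not None and verify_password(leaked_pw, record):
            hits.append(email)
    return hits


if __name__ == "__main__":
    print("force a password reset for:", find_reused_credentials(SITE_USERS, LEAKED_DUMP))
```

Two things worth noticing. Hashing Alice's password twice gives two different records because of the random salt, so an attacker who cracks one user's hash has learned nothing about anyone else's. And the reuse check only works because the dump was plaintext; a dump from a site that did this properly would have to be cracked first, and 100,000 (let alone 600,000) PBKDF2 rounds per guess makes that slow.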

At the moment, the crew that stole that batch is only known to be using them for spamming. That could change at any time. There’s a huge black market out there for that kind of data.

There is no way to guarantee you won’t be affected by something like this, but you can reduce the odds and the risk significantly. Try not to use the same email address for every account, and don’t ever use the same password for more than one site.

And use strong passwords.

This doesn’t have to be as big a problem as most people make it out to be. It can be easy to create strong passwords that are easily remembered. Consider the following sentence:

This blog is dedicated to my 1958 Chevy!

As a password, that translates into Tbidtm1958C!

12 characters, mixed case letters, numbers, and a punctuation mark. Far stronger than a dictionary word or a pet's name. And you could keep a file of those sentences (or just handwritten notes), and no one would be likely to guess the purpose.

Two cautions. Cracking tools know the first-letter-of-each-word trick, so the sentence has to be your own, not a famous quote or a song lyric, and you need a different one for every site. If that gets tedious, a password manager that generates a random password per site does the same job with less to remember.

Simple. And it works.


The phony Facebook app is no joke, either. That’s a straight-out scam. Avoiding that one is largely a matter of not approving apps when you don’t know the source. Sort of like “Don’t download pirated software, since it’s often got hidden nasties buried in the code.”

But what about scares from known sources?

There was one hell of a hullabaloo recently about the permissions you need to give Facebook messenger. FB requires people on cellphones to download and use their new app in order to use FB messages from their phones, and that got a lot of people angry. The suggestion that the permissions could be used for spying made that a hotter topic than it already was.

The fact is, the permissions for that app are no different from those of any other app that lets you take and upload video, chat via text, or do any of the other things Facebook Messenger does. They are required in order to give people the functions they want.

The scare was due in large part to one news source alleging potential government involvement.

Now, it’s not surprising a lot of folks don’t trust Facebook. Their reputation on privacy issues isn’t enviable. Yes, there are risks with anything that gives an app access to the camera, microphone, and GPS service on your phone. And obviously Facebook’s app would be the most attractive target, simply because of the number of people using it.

Still, there’s no reason to blast them for offering something that requires permissions that have to be there to do what you want.

There’s an opportunity there for an encrypted social chat app. Or you could switch to some other app, just to spread the data around. Or you could do what I do…

Don’t use Facebook from your phone.

Don’t kid yourself, kids. You aren’t going to become a social pariah if you stick to text messages and stop broadcasting everything you do to the whole world.

If that’s a problem, you need new friends.


Then there’s the ongoing concern about WordPress security. Given the number of blogs that get auto-hacked every day, it’s a valid issue.

Yes, added security is good. Yes, automated backups are good.

Here’s a simple 5-step formula that will head off most of the common problems.

1. Back up your files and database regularly.

2. Keep text file backups of your posts.

3. Give your admin user a name that is unlikely to be guessed (NOT admin), and a strong password. Then never post using that account. (WordPress puts the author’s name in author-page URLs, so posting as the admin hands attackers half of the login.)

4. Create a separate account with Author or Contributor status, and only post using that account.

5. Install the Wordfence plugin.

Bang. Twenty minutes, tops. It ain’t bulletproof, but it’ll keep out most random roving hackers and the like. Unless you are specifically targeted by someone with skillz, it’s probably more than enough.

There’s a lot more you can do to protect a WP blog, but much of it needs to be done when the blog is being installed. These, you can do pretty much any time.


Oh yeah. If you’ve already been making public posts using your admin username, create another user and give that one admin privileges. Then demote the existing account to Editor.

And change the password.
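Steps 3 and 4, and the cleanup for a blog that has already been posting as its admin, come down to two questions you can ask the database: which accounts hold the administrator role, and are any of them named something guessable or credited as the author of public posts? The audit below is an added example, not code from the article or from WordPress. It runs against a constructed SQLite copy of the three WordPress tables involved (assumption: the real ones live in MySQL, but the column names and the serialised capability string are WordPress's own, so the same queries carry over).

```python
import sqlite3

# Constructed stand-in for the WordPress tables the audit needs. User 1 is the
# classic mistake: named "admin", administrator, and author of public posts.
# User 3 is the recommended setup: an administrator that never posts.
SAMPLE_SQL = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER,
                       post_type TEXT, post_status TEXT);

INSERT INTO wp_users VALUES (1, 'admin'), (2, 'jane_writes'), (3, 'kx7-owner');
INSERT INTO wp_usermeta VALUES
  (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
  (2, 'wp_capabilities', 'a:1:{s:6:"author";b:1;}'),
  (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_posts VALUES
  (10, 1, 'post', 'publish'), (11, 1, 'post', 'publish'),
  (12, 2, 'post', 'publish'), (13, 2, 'post', 'draft');
"""

# How WordPress serialises the administrator role inside wp_capabilities.
ADMIN_CAP = 's:13:"administrator";b:1;'

# Logins that every scanner tries first.
GUESSABLE = {"admin", "administrator", "root", "user", "test"}


def load_sample() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def administrators(conn: sqlite3.Connection) -> list:
    """(ID, user_login) for every account holding the administrator role."""
    return conn.execute(
        "SELECT u.ID, u.user_login FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE ? "
        "ORDER BY u.ID",
        (f"%{ADMIN_CAP}%",),
    ).fetchall()


def audit(conn: sqlite3.Connection) -> dict:
    """Flag admin accounts that are easy to guess or exposed through public posts."""
    findings = {"guessable_admin_logins": [], "admins_exposed_by_posts": []}
    for uid, login in administrators(conn):
        if login.lower() in GUESSABLE:
            findings["guessable_admin_logins"].append(login)
        (published,) = conn.execute(
            "SELECT COUNT(*) FROM wp_posts "
            "WHERE post_author = ? AND post_status = 'publish'",
            (uid,),
        ).fetchone()
        if published:
            findings["admins_exposed_by_posts"].append((login, published))
    return findings


if __name__ == "__main__":
    for problem, accounts in audit(load_sample()).items():
        print(f"{problem}: {accounts or 'none'}")
```

On the sample data the audit flags `admin` on both counts and leaves `kx7-owner` alone, which is exactly the before-and-after the five steps produce. Once you have created the new administrator, the demotion in the paragraph above is a single role change on the old account, and then a password change; if you manage the site with WP-CLI, `wp user update admin --role=editor` does the first part.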


And we come at last to Coco the Siamese WarKitteh.

Yes, that one is real. Dude put together a little gizmo with some common chips and hand-rolled code, and attached it to a family cat’s collar. As cute little Coco wandered the neighborhood, the unremarkable device collected data on wifi connections within range. Including 4 that used WEP, an encryption scheme that has been crackable in minutes for years, and 4 more that were completely open.

Now, people could easily be suspicious of some guy sitting in a car with a wifi amplifier on the dashboard. Or even just a stranger walking around the neighborhood.

Who would suspect a stray cat of being a cyber-spy?

The potential problems from having strangers sending who-knows-what out over your connection are obvious. The real issue is the ease with which it can be done.

Attach a widget like that to a mail truck and pick it up the next day. Or spend a few more bucks making it possible to read the thing remotely. Hide it on the neighbor kid’s bike. Or just keep it in your pocket for your daily stroll.

Again, it’s easy to avoid most of this.

Make sure your wifi router (or modem/router combo) is set to WPA2 with a strong passphrase (not the default printed on the box, and not your address). If it only offers WEP, get a new one; WEP is no better than an open network against anyone who cares. Plain WPA was a stopgap on the way to WPA2, so if WPA2 is on the menu, pick it. Your provider should have them available, or you can buy one at reasonable prices from any decent electronics store or local superstore.

Not rocket science.
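What Coco’s collar did is, at bottom, a scan plus a sort. The script below is an added example, not the WarKitteh code or anything from the article: it reads the kind of output a Linux box produces with `iw dev wlan0 scan` (assumption: the sample is constructed and trimmed to the few fields the classifier needs) and sorts each network into open, WEP, WPA or WPA2 the same way a wardriving tool would. Pointed at your own block, it tells you whether your network is one of the ones that would have ended up on the cat’s list.

```python
import re

# Constructed scan output laid out like `iw dev wlan0 scan` prints it. Only the
# BSS header, SSID, capability and WPA/RSN lines are kept; a real scan has many more.
SAMPLE_SCAN = """\
BSS aa:bb:cc:00:00:01(on wlan0)
\tSSID: CoffeeShop-Free
\tcapability: ESS (0x0001)
BSS aa:bb:cc:00:00:02(on wlan0)
\tSSID: linksys
\tcapability: ESS Privacy (0x0011)
BSS aa:bb:cc:00:00:03(on wlan0)
\tSSID: Smiths
\tcapability: ESS Privacy (0x0011)
\tWPA:\t * Version: 1
BSS aa:bb:cc:00:00:04(on wlan0)
\tSSID: HomeNet-5G
\tcapability: ESS Privacy (0x0011)
\tRSN:\t * Version: 1
"""

BSS_LINE = re.compile(r"BSS ([0-9a-f:]{17})")


def parse_scan(text: str) -> list:
    """One dict per network: bssid, ssid, and the three flags that decide its mode."""
    networks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("BSS "):
            m = BSS_LINE.match(line)
            current = {"bssid": m.group(1), "ssid": "", "privacy": False,
                       "wpa": False, "rsn": False}
            networks.append(current)
        elif current is None:
            continue  # nothing before the first BSS header is interesting
        elif line.startswith("SSID:"):
            current["ssid"] = line[len("SSID:"):].strip()
        elif line.startswith("capability:"):
            # The Privacy bit means "some encryption"; which kind is told by
            # the WPA / RSN information elements that follow.
            current["privacy"] = "Privacy" in line
        elif line.startswith("WPA:"):
            current["wpa"] = True
        elif line.startswith("RSN:"):
            current["rsn"] = True
    return networks


def security_mode(net: dict) -> str:
    """Privacy bit off: open. RSN element: WPA2. WPA element only: WPA.
    Privacy bit on with neither element: the only thing left is WEP."""
    if not net["privacy"]:
        return "OPEN"
    if net["rsn"]:
        return "WPA2"
    if net["wpa"]:
        return "WPA"
    return "WEP"


def weak_networks(text: str) -> list:
    """(ssid, mode) for every network a passer-by could use without real effort."""
    return [(n["ssid"], security_mode(n)) for n in parse_scan(text)
            if security_mode(n) in ("OPEN", "WEP")]


if __name__ == "__main__":
    for ssid, mode in weak_networks(SAMPLE_SCAN):
        print(f"{ssid:20s} {mode}")
```

Two caveats. A router advertising both WPA and RSN (mixed mode) is reported as WPA2 here, which is fair as "supports WPA2" but says nothing about which clients actually negotiate it. And WPA3 also uses the RSN element, so this classifier lumps it in with WPA2; telling them apart means reading the key management entries inside the RSN block, which the sample doesn't include.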


These incursions aren’t limited to scary criminal strangers.

A friend of mine constantly complained about his Internet connection getting very slow at the same time every evening. It messed with his gaming, and he said some very unpleasant things about (and to) the customer service folks at his ISP.

I suggested he get a newer modem (WPA2 capable) and change his wifi password. Solved the problem. He later found out one of his neighbors was using a cheap wifi antenna to leech off his connection.

My buddy is lucky the guy wasn’t doing anything illegal on his evening surf…


So, should you be worried?

Maybe. You should certainly be careful. But the extreme levels of fear and paranoia that some people associate with the online world are not useful. Fear doesn’t stop bad things from happening.

Get good security software, and don’t let it lull you into a false sense of security. It won’t protect you from innocent mistakes like enabling a malicious app, or brilliant moves like sending money to a “Nigerian Prince.”

Do the basic things I just outlined, and you’ll eliminate, or at least minimize, a lot of the issues.

Worried about buying things online? See if your bank offers separate accounts for online use, so you can make sure you’re only at risk for what you knew you’d be spending. Most do, and the fees can be as low as $3 or $4 a month. A small price to pay for peace of mind. Or use pre-paid debit cards and only add what you need.

Don’t log in to online financial or shopping accounts by clicking on links in emails. Type the address yourself, or use a bookmark you made.

Simple stuff. Common sense.

The problem is, many people think they’re insulated from problems because they’re the only one in the room. They forget they’re sending data out into a world that’s rife with would-be spies.

Think of these steps as installing curtains on your digital windows.

Make no mistake, nothing is 100% protection against bad stuff happening. But, like looking both ways before crossing the street, a little attention can go a very long way.

Don’t be afraid. Be aware.