Password Rotation

This post is day 7 of the A Week Of Staying Safe series.

One of the easiest ways for a malicious user to get into one of your online accounts is if you choose weak passwords, e.g. “monkey”. Although it seems pretty obvious that “monkey” is a stupid password, I bet a lot of users use it. This article isn’t about choosing a secure password; instead it takes a look at a little security technique called Password Rotation that will keep your accounts secure even if you use weak passwords.

What Is Password Rotation?

I look at it like this: instead of choosing new passwords all the time, why not rotate them? Even if you use weak passwords this is still a very good technique for keeping yourself safe, and it doesn’t take much time to do. In fact, I probably have over 150 online accounts and it only takes a few minutes to swap all of the passwords around.

Why Not Make New Passwords?

Because it is easier to use existing ones instead of memorizing new ones? In a way this is making a “new password” for your account, even though it was already used on another account.

Yes, It Works With Weak Passwords

Think about it for a second. Even if you use “password” and “monkey” as your passwords there are still some great benefits to swapping them every once in a while.

Just a few quick notes: you should really use passwords that are quite a bit different from each other. This won’t work as well if you use “money1” and “money2” as your main passwords. And your really important stuff, like online bank accounts, should always use its own distinct password that never gets rotated onto anything else.

How Often Should I Switch Them?

Even though I make up new passwords every 2-3 months I tend to swap them around a bit every 1-2 months. After I swap them that’ll restart the “cycle” and it’ll be another few months before I decide to swap them again or make entirely new ones.

A Week Of Staying Safe Articles:
Day 1 - The Ultimate Guide To Detecting E-Mail Scams
Day 2 - Huh? Who Sent That? - How To Find Out What Server Really Sent That E-Mail And How To Deal With Spam
Day 3 - Having A Good Host Can Sure Save Your Sanity
Day 4 - Top 3 Ways To Secure MySQL
Day 5 - Avoiding Make Fast Money Affiliate Scams
Day 6 - 17 Ways To Avoid Spyware Forever
Day 7 - Password Rotation

17 Ways To Avoid Spyware Forever

This post is day 6 of the A Week Of Staying Safe series.

Spyware is everywhere and I doubt it will be going away anytime soon (if ever). Even if you install all the latest and greatest anti-spyware software to keep your computer safe, it is still ultimately your responsibility for making sure none of that crap gets on there in the first place.

Here are 17 tips for avoiding spyware altogether:

  1. Stop downloading porn - seriously porn-addicts, get a life!!!
  2. Stop downloading pirated software/music - that stuff is just filled with all sorts of nasty little things that go thump in the night
  3. Downloading from a mysterious site? Use SiteAdvisor!
  4. Don’t always trust the “from:” field on e-mails
  5. Set your browser to always ask you where to save downloaded files (usually found in Preferences), that way you know if some site is doing something naughty
  6. Be wary of mysterious e-cards from Greetings.com and Postcard.com
  7. Never open links in e-mails by clicking them; instead copy the URL (via right-click) into your browser and check it. A good way to also prevent identity theft :)
  8. Don’t use Outlook or Outlook Express, use an alternative like Thunderbird instead
  9. Ditch IE for something like Firefox or Opera
  10. Trust our Google overlords
  11. Advertisements can link to pages with spyware - you have been warned (I wonder how many webmasters are going to scream at me for saying that?)
  12. Never piss off a computer nerd, they might just send you a nice gift-wrapped package ;)
  13. Don’t use BitTorrent, Limewire, Kazaa, or anything in between
  14. When updating any software wait a few days to make sure no users have any problems with the update, then update everything.
  15. Be careful with public hotspots, it is incredibly easy for a malicious user to intercept your connection and do whatever the hell they want with it
  16. Use a non-Windows OS (seriously, how often does spyware infect Linux or Mac OS X?)
  17. Only download software from Nusuni.com - really… everything here is spyware free. If there is something missing that you think would make a nice program just let me know and I may make it real quick.

Avoiding Make Fast Money Affiliate Scams

This post is day 5 of the A Week Of Staying Safe series.

Affiliate scams are all over the place. Perhaps you have seen one of those “Make Fast Money” sites. They really aren’t that hard to spot, and some simple research can help you avoid problems you may have with unethical affiliate marketers failing to deliver what they promise:

Who Is The Affiliate “Expert”?

Personally, I would never buy anything that promises “money” unless I know who the person is that is selling it. Are they a huge affiliate marketer known all over the world for their great work, or are they just a scam artist? Have they written a book, or is this “make money” ebook their first? And most importantly, do you trust them? Take note of any controversy surrounding them.

Does The Creator And The Product Have A Clean Record?

If they are well known and have a clean record (run some Google/Yahoo searches) then they probably aren’t a scam artist. One thing that I have found helpful is to look on blogs that give reviews of the product and read the comments. If the product is bad there will be some negative comments, especially if you wait a few weeks after the post appears. Don’t forget to check forums as well.

Just a tip: when you run a search type in their name plus “scam” and see what comes up.

Testimonials Are Crap - Don’t Trust Them

A general rule of thumb: any testimonial for a “make money” product is crap. Don’t trust them. Even if the creator of the product is well known, it isn’t that hard to find random pictures of people and put fake testimonials next to their names. Many people do just that.

Count The Number Of Times They Say “Money”

Excessive use of the word “money” is a sure-fire sign that they are offering a bogus product. If they offer a voice recording of themselves also take note of how they sound and how many times they say “money”.

Don’t Trust Positive Reviews By Other Bloggers

Nowadays anyone can order a review of their product on many blogs. Also, many affiliate marketers are either A) friends with bloggers who show off their “make fast money” product, or B) convinced the blogger to get in early to steal money and join in on the pyramid scheme. Just like with testimonials, never ever trust positive reviews of “make money” schemes by bloggers.

Wait A Few Weeks Before Trying A New “Make Money” Product

Let other people buy the product first and check up on popular blogs to see if they talk about it and read any comments that result from the post. After a month or two run a search in Google for the product name plus “scam” and see what comes up.

Read The Terms Of Use 10 Times

Read and memorize the terms of use; that is the contract you agree to when you buy/use the product. Memorize the hell out of it and mention it if you have to report the person as a scam artist. If it seems a bit “odd”, be wary.

Call Your Credit Card Company And Report The Product To The FTC If You Get Scammed

If you recently bought the product, found out it is nothing more than a big hoax, and you paid with your credit card, contact your credit card company immediately (they may get your money back). If it really is a hoax, chances are they have heard of it before, and if it is a big enough problem they could very well report it to the authorities. Don’t forget to report it to the FTC yourself.

Even if the business is out of the country the FTC can still cause some huge damage. A business outside the country that sells to consumers in the U.S. is still subject to many U.S. laws, and to international ones. The FTC won’t get your money back, but if they get enough reports of illegal activity they could very well make sure no one else gets scammed.

Most Importantly… Don’t Buy The Product

To be 100% honest you can find the information in most “make money” ebooks online for free. Actually that’s pretty much true with any ebook.

Top 3 Ways To Secure MySQL

This post is day 4 of the A Week Of Staying Safe series.

MySQL security is really surprisingly easy. There are basically 3 things you should focus on: preventing MySQL injections, running MySQL as a non-root user, and using a different user for each database.

Preventing MySQL Injections

SQL injection happens when a malicious user gets SQL code into a form field or some other variable that your scripting language (PHP, Perl, etc.) passes into a query without verifying or escaping it.

The best way to prevent this in PHP is to not use magic_quotes_runtime (get a new host if they have that turned on!) and to strip the slashes if magic_quotes_gpc is on. magic_quotes_gpc “secures” every GET/POST/COOKIE value by backslash-escaping it, but that protection isn’t very good: it mangles data that is never going near a database, and because it is not aware of the connection’s character set it misses cases that mysql_real_escape_string() handles. (Magic quotes were removed in PHP 5.4, so on a current install both settings are simply gone and the first step below does nothing.) When your script is first run you should do the following:


//remove slashes added by magic_quotes_gpc (recurses into nested arrays such as $_POST['user']['name'])
function stripslashes_nested($str) {
	if(is_array($str)) {
		return array_map('stripslashes_nested', $str);
	}
	else {
		return stripslashes($str);
	}
}

//get_magic_quotes_gpc() is always false from PHP 5.4 and was removed in PHP 8, hence the function_exists() guard
if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) { //remove slashes from all GET/POST/COOKIE vars if magic_quotes_gpc is on
	$_GET = stripslashes_nested($_GET);
	$_POST = stripslashes_nested($_POST);
	$_COOKIE = stripslashes_nested($_COOKIE); //the "C" in GPC: cookies get the same treatment as GET and POST
}

That code undoes PHP’s horrible “magic quotes” so you are working with the raw input. You then have to remember to run mysql_real_escape_string() on EVERY value before it goes into a query, and it only helps for values that sit inside quoted string literals: an unquoted number (“WHERE id = $id”) is not protected by escaping at all, so cast it with (int) instead. mysql_real_escape_string() is much more secure than magic quotes because it escapes according to the connection’s character set, but it is still escape-and-hope. The old mysql_ functions were removed in PHP 7; with mysqli or PDO the better fix is a prepared statement, where user data is never parsed as SQL.
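The three approaches side by side, as an added example that is not code from the original post. It assumes a table called users with columns id, username and password_hash, a mysqli connection (the mysql_ extension this post was written against is gone from modern PHP), and a database account named blog_app; all of those names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumes a table `users`
// with columns `id`, `username` and `password_hash`, and a mysqli connection
// made with the single-database account this post recommends (all assumed).

// VULNERABLE: the raw value is spliced into the SQL text. With magic quotes
// stripped (as the snippet above does), a username of
//     ' OR '1'='1
// turns the WHERE clause into  username = '' OR '1'='1'  which is true for
// every row, so the caller gets the first user in the table back.
function findUserVulnerable(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// What the post recommends: escape the value for the connection's charset.
// Correct only when the value sits inside a quoted string literal and
// set_charset() was called first, so the escaper knows which bytes are quotes.
function findUserEscaped(mysqli $db, string $username): ?array
{
    $safe = $db->real_escape_string($username);
    $sql  = "SELECT id, username, password_hash FROM users WHERE username = '$safe'";
    $row  = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// PREFERRED: a prepared statement sends the SQL and the data separately, so no
// byte of $username is ever parsed as SQL. Nothing to escape, nothing to forget.
function findUserPrepared(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Unquoted numbers are the case escaping cannot help with:
// "WHERE id = $id" with $id = "1 OR 1=1" needs no quote character at all.
// Bind it as an integer (or cast with (int)) instead.
function findUserById(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Throw on MySQL errors instead of silently returning false, set the charset
// before anything is escaped, and connect as the limited account, never root.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'blog_app', (string) getenv('BLOG_DB_PASSWORD'), 'blog');
$db->set_charset('utf8mb4');

$attack = "' OR '1'='1";
// The vulnerable version hands back the first row of the table for this input;
// the escaped and prepared versions return null because no user has that name.
$vulnerable = findUserVulnerable($db, $attack);
$escaped    = findUserEscaped($db, $attack);
$prepared   = findUserPrepared($db, $attack);
```

The usual mistake with the escaping approach is not the call itself but forgetting it on one of fifty queries, or using it on a value that is not inside quotes; prepared statements remove both failure modes, which is why they are the default choice today.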

Run MySQL As A Non-Root User

This is really only applicable if you manage your own server or have a dedicated one:

MySQL should never run as root. If mysqld is compromised through a bug, or an attacker with the FILE privilege abuses LOAD DATA INFILE or SELECT ... INTO OUTFILE, they act with the privileges of the account mysqld runs under: as root that is the whole system, as a dedicated mysql user it is the data directory and little else.

To have MySQL use a non-root user follow these directions on MySQL’s site.
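The setting those directions come down to, shown here as an added example rather than text from the MySQL manual, is the user option in the [mysqld] section of my.cnf (the account name mysql is the conventional one and is assumed here):

```ini
[mysqld]
# Account mysqld runs as. Create it as a system account with no login shell
# (e.g. useradd -r -s /sbin/nologin mysql) and make it the owner of the data
# directory, otherwise the server cannot open its files after the switch.
user=mysql
```

After restarting, a quick check is ps -o user= -C mysqld, which should print mysql, not root.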

Different User For Each Database

Probably one of the best ways to protect your MySQL data (besides preventing injection) is to make a new user for each database. You should never, under any circumstance, use a user to connect to your server that has all privileges for every database. That is a disaster waiting to happen.

If your host uses a control panel that is pretty easy, all you have to do is make a new database, a new user, and attach the user to that database.

If they don’t use one, I would highly recommend downloading MySQL Administrator (since merged into MySQL Workbench), enabling remote access to your server only from your own IP address (better still, over an SSH tunnel so port 3306 is never open to the Internet), and managing everything that way. That software suite is really nice and can save you lots of time.
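For the no-control-panel case, here is the provisioning step as a script, added as an example and not taken from the original post. It creates one database and one account that can reach only that database, then checks the account’s grants so a stray GRANT ALL ON *.* gets caught. The database name blog, the account blog_app and the environment variables holding the passwords are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post: provisions one database plus
// one account that can reach only that database, then verifies the grants.
// Run it once as an administrative account from a trusted machine; the
// application then connects as the limited account. Names are illustrative.

// Database, user and host names are identifiers, not data, so they cannot be
// bound as ? parameters. Restrict them to a safe alphabet instead.
function assertIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $name)) {
        throw new InvalidArgumentException("unsafe identifier: $name");
    }
    return $name;
}

function provisionAppDatabase(mysqli $admin, string $db, string $user, string $password, string $host = 'localhost'): void
{
    $db   = assertIdentifier($db);
    $user = assertIdentifier($user);
    $host = assertIdentifier($host);            // one host or address, never '%'
    $pw   = $admin->real_escape_string($password); // the password is a quoted literal, so escaping applies

    $admin->query("CREATE DATABASE IF NOT EXISTS `$db` CHARACTER SET utf8mb4");
    $admin->query("CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED BY '$pw'");
    // Only what a web application needs, and only on its own schema. Compare
    // the disaster the post warns about: GRANT ALL PRIVILEGES ON *.* TO 'app'@'%'
    $admin->query("GRANT SELECT, INSERT, UPDATE, DELETE ON `$db`.* TO '$user'@'$host'");
}

// Every grant for the account must be scoped to the one database. The
// "GRANT USAGE ON *.*" line MySQL always emits just means "may log in" and
// carries no privilege, so it is skipped; anything else outside `$db` is a finding.
function grantsAreScoped(mysqli $admin, string $db, string $user, string $host = 'localhost'): bool
{
    $db   = assertIdentifier($db);
    $user = assertIdentifier($user);
    $host = assertIdentifier($host);
    $rows = $admin->query("SHOW GRANTS FOR '$user'@'$host'")->fetch_all(MYSQLI_NUM);
    foreach ($rows as [$grant]) {
        if (preg_match('/^GRANT USAGE ON \*\.\* /', $grant)) {
            continue;
        }
        if (!str_contains($grant, "ON `$db`.* ")) {
            return false;
        }
    }
    return true;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$admin = new mysqli('localhost', 'root', (string) getenv('MYSQL_ROOT_PASSWORD'));
provisionAppDatabase($admin, 'blog', 'blog_app', (string) getenv('BLOG_DB_PASSWORD'));
if (!grantsAreScoped($admin, 'blog', 'blog_app')) {
    fwrite(STDERR, "blog_app has privileges outside the blog database\n");
    exit(1);
}
```

The grant check is worth running periodically, not just at creation time: privileges tend to accumulate during late-night debugging sessions and nobody remembers to revoke them.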

Having A Good Host Can Sure Save Your Sanity

This post is day 3 of the A Week Of Staying Safe series.

I’ve used about 5 different web hosts. All of them shared (don’t make enough to pay for dedicated, nor do I need that) and most of them sucked. And I mean they absolutely SUCKED. Probably one of the best things I’ve ever done was to sign up with my current host.

Over the past many years I have learned one important lesson, having a good web host can absolutely save your sanity. I can’t even recall how many hours of lost sleep resulted from poor customer service. If you have ever had to chat with a host at midnight to complain about 20% downtime you probably know what I mean. But for those of you who haven’t, it’s hell.

What is even worse is when your site gets attacked late at night. Luckily I’ve never had to experience that, but I know many people who have. A hack attack is probably the #1 way to find out if your host is actually good. Did they treat you well and get the problem fixed, or did they simply tell you it’s your own problem?

I am not here to try and evangelize a certain host (although I love mine), nor am I here to tell you how to find a good host (I’ve written many guides on it before, here, here, and here). I am here to tell you that you should never under any circumstance go for the cheapest host you can find.

Cheap does not equal better, it never has and it never will, yet people insist on choosing “Cheapo Host Inc.” just because they cost $2 less. Pay the extra $2 and get the better host, just trust me on that. That $2 will save your life. You’ll sleep better, your site will be more secure, and your site will run faster.

And yes, cheap web hosts tend to use cheap security. In fact, I suspect one of my old hosts is the reason why one of my e-mail addresses got bombarded with spam. I signed up with their service, and within a few weeks I was getting hundreds of spam e-mails a day. A little odd, wouldn’t you agree?

And let’s not forget, better hosts will kick users who pose a security risk off a server. If their scripts are really crappy they may even get the boot altogether. Cheap hosts do not do that. They will let spammers and idiots run free and wreak all sorts of havoc among their servers. They don’t care, they are getting their $2 a month.
