11/30/2015
Apple / Mac Antivirus Software
Since we began the site in 2006 the marketshare of the Mac / OS X has grown steadily.
In terms of both competition and reducing the amount of homogeneity in the computing ecosystem. This is a good thing.
In contrast, if every computer in the world were the same, it would be easier to find "The Flaw," that will make everything grind to a halt. Increase diversity (i.e. reducing homogeneity) means it's harder to find one flaw that affects everyone.
In a round about way, you could even say the success of the Mac and OSX actually makes PC's safer.
Which leads us to:
What's the Best Mac Antivirus Software?
Even though we've been testing PC antivirus software for nearly ten years and we have an embarrassingly large database of viruses, rootkits, bootkits, trojans, worms, adware, keyloggers, spyware, and every other kind of malware imaginable, for a long time it has been primarily for the PC.
That doesn't mean the need hasn't been there (or that our readers haven't been asking for it for some time now.)
So, without further ado, here's our first list of best Apple / Mac OS X antivirus software.
11/28/2015
Emsisoft Tool to Decrypt DecryptorMax
Softpedia has a nice write up on the new Emsisoft tool to decrypt the DecryptorMax ransomware (aka CryptInfinite).
This tool is great news for the good guys and for the consumers who've been affected by this scumware.
If your PC is infected with this malware, you can download decrypt_cryptinfinite.exe (the decryption tool) from Emsisoft here:
http://emsi.at/DecryptCryptInfinite
And, as to how to use it, the fine folks at BleepingComputer.com have a tutorial on using the ryptInfinite / DecryptorMax decryption tool.
11/13/2015
Is Online Shopping Really Safe?
Although it may seem strange to some people, to others the very thought of using a credit card online seems pretty crazy.
In fact, we talk to someone by phone at least once a week with this concern.
Pam, a New Hampshire resident, called this week asking,
"I want to buy one of the antivirus programs you review, but I'm uncomfortable buying online.
"I just don't like putting my credit card information in some website. I'd rather do it in person or by phone.
"Is there a way I can buy the software in a store, instead?"
In my view buying software online (and in fact all transactions online) are actually safer than those you do in a store.
(As the former CTO of a sizable credit card processing company, I can answer this question with some authority.)
Read on for the answer...
Why online transactions are actually safer
First, let's take a look at what really happens when you buy something in a store.
The fact is almost all credit card transactions, even those done in a store, happen entirely on the Internet. (We'll cover this more in a second.)
Second, when you buy software in a store, you have the huge hassle of going back to the store and dealing with that store's return policy for software.
Since nearly all stores prohibit customers from returning software once it's opened, your only recourse is to go back to the manufacturer and wait for them to issue a refund. (Oh, joy!)
In contrast, if you buy software online, the license key and a link to download are emailed to you. If you need a refund, you just get in touch with the company directly since they're the ones that sold you the software. Schlepping to the store involved? Zero.
Third, when you buy antivirus software in a box, what you're getting is weeks—maybe even months—old. Yes, the software will update itself automatically, but a heck of a lot of new viruses are developed between when the software was boxed up and when you bought it.
On the other hand, antivirus software purchased online is often the manufacturer's latest, greatest release.
Did you know...
Some companies use prison inmates to staff their customer support and answer lines?Of course, they don't tell you that.
How does that make you feel about ordering by phone?
Before we get back to buying software in a store, let's talk about buying by phone. The problem with phone purchases is you're trusting the person to be honest on the other end of the line.
For the most part, they are. Other times, not so much.
The fact is, you're giving that person all your card details, even the security code from the back, so they've got everything--even your billing address. If they want to go on a seven state shopping spree or sell your info on the black market, you couldn't make it any easier.
OK, let's get back to what happens when you buy something in a store.
What Really Happens?
The super simple version of what happens goes something like this:
- Your card is swiped in a credit card terminal or cash register, and then
- The credit card number is immediately encrypted, and then
- Shot to a "front end" processor, who then
- Talks the store's bank, who then
- Talks to your bank to get authorization to charge your card.
Later, a "back end" processor enters the picture, too, who also gets handed your card number via the Internet. [This is a simplified version of what happens, too.]
Any guess were all this happens? Online.
All of it.
And in any event, when those transactions come back to Earth, they, too, then make a journey across the Internet when the banks and credit card processors all talk to one another.
What's all this mean?
It means in-person purchases are ultimately no different than those that happen entirely online.
What's the real risk?
First, in most countries for there to be any liability, the bank has to prove you were at fault for the theft. If you're not at fault, the liability is usually $0.
What's more if you're in the U.S. your maximum liability is $50. (It's the law.)
And, in Canada, Australia, and most countries in Europe, liability is legally limited there, too. Usually, it's between $0 and $50/£50/€50.
The bottom line:
- All credit card transactions ultimately end up online
- Your credit card number and other info about the purchase is encrypted as it moves across the Internet
- Laws in most countries limit your liability to between $0 and $50/£50/€50.
Lastly, because of the encryption in use and the layer upon layer of security in place, in many ways it's MUCH safer to use your card online than it is to use a card in person in person in a lot of places.
How's that?
Consider: a restaurant.
When you're done with dinner, a waiter or waitress takes your card and disappears with it. For minutes at a time they're out of sight.
Sure, they return with your bill, and that* much you can make sure is correct, but what else they did with your card while they had it is anyone's guess.
So, if you're reluctant to use your credit card online, knock it off. Save the trip to the store and buy online. And, if you don't like the software, make the refund process easier on yourself.
11/11/2015
The Night I Was Nearly Robbed: Situational Awareness & Safety Online (and Offline, too)
We've been getting such tremendous feedback from this story from our newsletter subscribers, I've decided to turn it into a blog, too.
This "Ask the Experts" deals with a personal story from my college days and situational awareness.
It's a short story. Every word is true.
I hope it helps keep you safe online, too.
The story goes like this, I put myself through college managing car washes.
It was a lot of fun, and unlike a lot of my friends, I got to work outside and got priceless experience in ways you'd never imagine: scheduling, managing staff, handling customers, negotiating with vendors, bookkeeping, even welding.
One night after locking up the safe, I'd just turned out the lights inside and as I was walking down the long hallway, ready to head out for the evening, out of the corner of my eye I spotted movement in the bushes outside.
Because of the one remaining light outside, I could see outside, but you couldn't easily see inside the completely dark building.
I was sure someone was there.
At 11:00PM, no one had any business being on a dark car wash parking lot, much less skulking around in the bushes.
As stealthily as I could, I dialed 911 and as quietly as possible explained the situation.
In no time, an officer showed up; we immediately recognized one another as his department routinely brought their cars in.
As he stepped out, he reiterated the situation as I'd explained it to the 911 operator.
Seeing the situation for what it was and my (extreme) concern, and knowing me pretty well personally, he unholstered his weapon. Together we walked the perimeter of the lot.
We found nothing.
I felt silly, but I know what I saw, so I chalked it up to, "Oh well..."
Still shaken, I thanked the officer, and apologized for the wild goose chase.
His words, "Better to feel silly than to be dead."
The words stuck with me.
I nodded, got into my car, and went home.
The next day...
The next day when I came in for my shift, the morning manager said, "Hey, Kevin... did you hear about the Shell station down the street last night?!"
"No, why?"
"They got robbed. Shot and killed the night manager. Just after 11 o'clock. You're lucky they didn't come here instead."
I got lucky.
I got lucky that night. Very lucky. But I was also aware of my surroundings and willing to look stupid.
Online, it's harder.
The bad guys are smarter than ever, and like the crooks at the car wash that night, they want your money.
Today's bad guys online make phony bank sites and phishing emails. They make 'em seem so legit it's nearly impossible to tell they're not real.
Even professionals have a hard time telling good from bad.
And, while antivirus and Internet security software can be a big help, your own situational awareness is just as important.
If you get an email, no matter who it's from, if it's got a link: be wary of it.
If you click the link, do not, under any circumstance fill out any kind of form on the site. No usernames. No passwords. Nothing.
If it's legit, you can always go back to the site by typing the _real_ website name into your web browser by hand.
The bottom line...
Be aware of your surroundings online just like you are in the real world.
Keep in mind, too, it's not just bank websites being phished. Be wary of any email claiming to be from anywhere where you use a username and password.
If you think you've got something in the bushes of your PC, feel free to contact Josh and me.
We may not be peace officers, but we do know a thing or two about online safety and security.
After all, it's better to feel a little silly asking for help than the alternative.
11/10/2015
Ask the Experts: What's a Spear Phishing Attack?
Alexandra from Delaware called in asking, "I heard something on the radio about new threats from online 'spearphishing' attacks, and I'm looking for antivirus software that protects against them.
"What software does that?"
It's no surprise that people are starting to hear stories like the one Alexandra heard because even the FBI has been writing about spear phishing for some time now.
Since there are a couple of questions here, let's take 'em one at a time.
What's a "phishing" attack?
Before we look at spear phishing, let's look at garden variety phishing attacks.
Phishing attacks come typically (though not always) as email. In some, though not all cases, they're flagged as spam.
Regardless of whether or not they're flagged as spam, the goal of the email is for the scammers to trick you.
They want you to reveal your bank, credit card, social security, or other personal info so they can steal your cash or your identity.
Now, what's a spear phishing attack?
Thus far spear phishing mainly happens to people at their workplace. A devious criminal gets ahold of YOUR specific information or your company's.
Often, they'll take their time carefully learning about your company, the employees, who's who in it and such so they can craft a perfect email.
Who's the CFO or comptroller? Who's the CEO? Who's the Chief Marketing Officer? And so on.
Then they forge an email from one person with authority to another. Usually there's nothing outwardly fishy about it.
Sometimes, if you're observant, one little thing will fail to pass muster.
For instance, Joe in accounts payable gets a forged spear-phished email that's supposedly from the CFO saying,
'Please send a wire immediately to XYZ Bank, account 1234-5678-90 for $74,092.23 for the initial payment on our contract with the new consultants we're working with.
'They won't start work until they receive the deposit, so please make sure it goes out immediately.
'I'm heading out early today, so please contact: Joe Jones at ABC Consulting (555) 555-5555 if you have questions.
'Mary'
What the spear-phisher does is a couple of things:
- They give urgency. "They won't start work until..."
- Mary probably isn't even leaving early, but by telling Jane she is leaving early, it makes it so Joe isn't supposed to contact Mary with questions.
Instead, Joe is instructed BY the spear phisher to contact the spear phisher(!) with questions.
In some cases, Internet security software can help prevent these attacks. These are rare and only happen if the phisher has sent Joe a link to a bogus bank or other website.
So, in most cases, your antivirus software can't protect you.
What can? Knowledge.
In most cases, the only way to prevent these attacks is *thinking* about things and questioning the validity of the content of emails.
Here's a (very) quick how-to:
STEP 1:
Does everything look legit in the email? Sometimes a spear phisher will fail because of tiny, tiny details like how Mary signs her name. Maybe she usually signs emails as --M. Maybe she always includes a certain signature file.
If one comes in now signed "Mary," or with no sig file, you need to start questioning more deeply.
STEP 2:
Check the email "from" and "reply-to" addresses. Are they legit?
STEP 3:
Even if Mary *is* leaving early, surely anyone sane wouldn't mind getting a call from Joe to confirm an outgoing wire for $74K. If Mary gets upset, she has no business being CFO.
BONUS STEP 1:
Put in place an set-in-stone absolutely iron-clad system for outgoing expenditures.
In one firm where I was CTO, requests for wires HAD to be done IN person ON paper and had to be signed by two people, the requestor and a C-level executive, typically that person's boss. Wires were sent twice weekly, no exceptions.
Yes, this created (rare) problems, but they were far smaller than the problems created having money stolen.
Doing it this way meant: we had a process. We had a clear chain of responsibility. And, we were never, ever victims.
BONUS STEP 2:
Setup and enforce the use of digital signatures, like those from OpenPGP or GnuPG. It will take work to setup an email signature system like one of these. It will. Aside from the work involved in initial setup, they're not a silver bullet. Incredibly helpful, yes. A silver bullet no.
Even still, they help, and no matter what it's still less work—and less expensive—than trying to recover lost funds, which seldom works.