Trails End Computer Club

Bulletin for the week of NOVEMBER 29, 2015

WEEKLY MEETINGS
EACH Wednesday 

Program or Lesson 9:00 - 10:00 AM
One on One Help 10:00-?
In the Library


SPECIAL INTEREST GROUPS:

If you would like to meet in a small group to discuss special computer related subjects or form a Special Interest Group, let's discuss it.

Our bulletin is also available on line by visiting tecc.apcug.org and clicking on bulletin.


Our weekly program or lesson is intended to be of interest to all computer users. Following the program an allotment of time will be available for one on one help to those who want a better understanding of something done during the presentation.

Upcoming Events

Wednesday DECEMBER 2, 2015 Meeting at 9:00 AM
  Due to conditions beyond my control, I am unable to continue conducting TE Computer Club meetings.  Bill Cusitar has accepted to run the Computer Club. Come to his first meeting Wednesday!
Harold

Secure Your Online Accounts With Two Factor Authentication (FREE)

by Ira Wilsker

WEBSITES:

https://en.wikipedia.org/wiki/Two-factor_authentication

http://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/

http://www.cnet.com/how-to/how-to-enable-two-factor-authentication-on-popular-sites/

http://searchsecurity.techtarget.com/definition/two-factor-authentication

http://www.pcmag.com/article2/0,2817,2456400,00.asp

https://www.turnon2fa.com

https://www.turnon2fa.com/tutorials

http://splashdata.com/press/worst-passwords-of-2014.htm

https://www.turnon2fa.com/tutorials/how-to-turn-on-2fa-for-gmail-2/

https://www.turnon2fa.com/tutorials/how-to-turn-on-2fa-for-facebook/

https://www.turnon2fa.com/tutorials/how-to-turn-on-2fa-for-apple-itunes/


What do iTunes, Yahoo!, Gmail, Outlook, Twitter, Facebook, Bank of America, Chase, Discover, E*Trade, Vanguard, PayPal, eBay, and Etsy have in common with thousands of other secured online services? They all offer their users a secure supplementary method to prevent illicit access to their online accounts, with a level of protection much greater than the traditional password, a method known as "Two Factor Authentication". While it may increase the time necessary to log on to websites by a few seconds, it also greatly reduces the risk of an unauthorized person gaining access to those websites, even if the users' passwords have been compromised.

In recognition of "National Cyber Security Awareness Month", I recently presented two sessions on Password Security for the public event hosted by the city of Port Arthur, Texas. Judging from the questions and responses of those attending these sessions, too many people are still using insecure passwords. Several participants stated that their email accounts had been hacked, and unknown "hackers" had sent spam and other illicit emails from their email accounts. Others had mentioned that an assortment of shopping and financial websites, including online banking, had been accessed by unauthorized individuals, sometimes resulting in substantial financial losses. What many of the participants were blissfully unaware of is the fact that "crackers", people who can "crack" others' passwords, can easily crack simple passwords in just a few seconds, and moderately complex passwords may take several minutes or hours to crack. Cyber crooks can obtain passwords and usernames by compromising the servers of popular websites and servers, such as the "alleged" theft of five million Gmail passwords, over a million from CNet, and countless other successful hack attacks on servers all over the world. Often these usernames and passwords are posted online, many times on the "Dark Web", where illicit information and data is often bought, sold, traded, or given away.

While these cyber heists of millions of usernames and passwords sometimes get the attention of the media, the quiet work of thousands of crackers using simple guessing based on password tables, or a myriad of software utilities that can try hundreds of passwords a minute, continues to this day. The primary reason the majority of victims have had their passwords compromised and taken advantage of is their own doing, in that millions of people still use simple, easy to guess passwords to access secure websites and services. What is even more shocking is that most users who use these simple passwords also use the same simple password on multiple websites, meaning that if one is cracked, the cracker now has access to all of the user's online accounts. The number of Americans using the same password for all of their online access is a staggering 61%, according to a report published by CSID (csid.com) in September 2012, but still considered by many as a somewhat accurate reflection of the risks currently faced by the majority of computer (and smart phone or tablet) users.

According to the most recent surveys performed by several cyber security organizations, the majority of users still continue to use very common and easy to guess passwords. The security firm SplashData performs an annual study of the stolen password files published online by the hackers, and has found that over the past several years, there has been little change in the most widely used passwords, with the "Top 10" list of most widely used passwords in 2014 being (in rank order from 1 to 10) 123456, password (used by 4% of users), 12345, 12345678, qwerty, 123456789, 1234, baseball, dragon, and football. Among some of the next 15 most commonly used passwords, completing the "Top 25" list are 1234567, monkey, letmein, abc123, 111111, 123123, master, and access, along with the current crop of contemporary superheroes including superman and batman being in the top 25. My personal favorite, which was #25 in the list, is "trustno1". In its report, SplashData urges that users follow three simple tips in order to make more secure passwords. Those three recommendations are: 1. Use passwords of eight characters or more with mixed types of characters; 2. Avoid using the same username/password combination for multiple websites; and 3. Use a password manager ... to organize and protect passwords, generate random passwords, and automatically log into websites.

Some users try to outsmart crackers by thinking that they are creating complex passwords by using a simple alpha numeric substitution for some letters that appear similar, such as replacing the letter "E" with a "3", the letter "O (oh)" with a "0 (zero)", the lower case "l (el)" with a "1 (one)", and the letter "S" with a "5". In reality, this simple substitution will not slow down even the most juvenile and inexperienced password cracker, as almost all of the readily available password cracking tools that utilize a "brute force dictionary attack" automatically make those substitutions when cracking passwords. I have one old and very primitive password cracking utility that incorporates the top 100 most widely used passwords as its first line of attack, followed by those same 100 passwords substituting numbers for letters, and then using an open source dictionary to crack passwords; this utility can try 1200 logons per minute (20 per second), and I can crack most users' passwords in a matter of seconds, my personal best being under five seconds, and the longest it ever took me to crack a non-complex password was about six minutes; good complex passwords are difficult (but not impossible) to crack using the most readily available cracker tools. Since a reported 25% of users in aggregate use the "Top 20" passwords to access their accounts, just manually entering each of the top 20 in order will give access to about one in four accounts, unless the website detects an attempted intrusion and locks the user out.
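For anyone who runs a sign-up form, the same observation can be used defensively. The following is an added example, not code from the article: it rejects a new password that matches one of the common passwords named above, even after the look-alike swaps are undone. The function names and the `MIN_CLASSES` threshold are assumptions made for this sketch.

```python
import string

# Passwords this article names from SplashData's 2014 list (not the full Top 25).
COMMON = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "1234", "baseball", "dragon", "football", "1234567", "monkey",
    "letmein", "abc123", "111111", "123123", "master", "access",
    "superman", "batman", "trustno1",
}

# The look-alike swaps described above, reversed: 3->e, 0->o, 1->l, 5->s.
UNSWAP = str.maketrans("3015", "eols")

MIN_LENGTH = 8    # "eight characters or more", per the SplashData tip quoted above
MIN_CLASSES = 2   # assumed reading of "mixed types of characters"


def canonical(pw: str) -> str:
    """Lower-case and undo the swaps so every variant collapses to one form."""
    return pw.lower().translate(UNSWAP)


# Canonicalize the blocklist as well, so all-digit entries like "123456"
# are compared in the same form as the candidate.
CANONICAL_COMMON = {canonical(p) for p in COMMON}


def char_classes(pw: str) -> int:
    """Count how many of lower, upper, digit, punctuation appear in pw."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in pw) for t in tests)


def screen_password(pw: str) -> list:
    """Return the reasons a proposed password should be refused (empty = OK)."""
    reasons = []
    if pw.lower() in COMMON:
        reasons.append("common")
    elif canonical(pw) in CANONICAL_COMMON:
        reasons.append("common-after-substitution")
    if len(pw) < MIN_LENGTH:
        reasons.append("too-short")
    if char_classes(pw) < MIN_CLASSES:
        reasons.append("not-mixed")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("123456", "Pa55w0rd", "Tru5tN01", "v7#Rk!qz2Lw"):
        print(sample, screen_password(sample))
```

A password such as "Pa55w0rd" passes the length and mixed-character tips yet is still refused, which is the point the paragraph above makes.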

According to a study done by the password manager publisher LastPass (lastpass.com), 42.5% of users use passwords consisting of lowercase letters and numbers only; 39.8% use lower case letters only; 15.7% use numbers only; and only 1% use a reasonably secure and hard to crack combination of upper case and lower case letters, numbers, and characters (such as !, @, #, $, %, &). The same survey found that the average password is only six characters in length, and all lower case letters, which is an open invitation for a cracker to access that user's accounts. In creating complex passwords, users should never use family member or pets' names, birthdates, anniversaries, addresses, or other readily available personal information, as crackers often "data mine" social networking services such as Facebook profiles, gathering such information. Likewise, users should not use complete words as these are easy to crack with a simple "dictionary attack", and should never record passwords in an insecure way such as on a "Post It Note" on the monitor, unencrypted spreadsheet, text file on a phone or computer, or any other mode that can be easily purloined. Likewise, keep passwords absolutely private, and do not share them with anyone. Passwords can be easily captured by cyber crooks when the users access public Wi-Fi in coffee shops, airports, and other public places, with the same cyber thieves often setting up bogus but official looking hotspots in public places (airports are a favorite for this ruse) in order to steal login information including usernames and passwords for the explicit purpose of committing identity theft.

Fortunately for us users, there is an easy way to provide an additional layer of security which will make it nearly impossible for a hacker or cracker to access our most important online accounts, regardless of the complexity of our passwords, and even if our passwords had been compromised in a previous hack. This method of security is referred to in the industry as "Two Factor Authentication", and is offered as an additional, free level of security by thousands of financial institutions, online retailers, email services, online gaming sites, government agencies, and other web based services that have password based access. The process itself is very simple, takes a few seconds to set up once on each participating website visited, and then a few more seconds when actually implemented. The website turnon2fa.com/tutorials offers simple but site specific instructions on how to implement Two Factor Authentication on hundreds of participating websites; generally it is as easy as checking a "Two Factor Authentication" or similar box on the target website's user configuration or profile page, and then entering a preferred method of contact, preferably a mobile phone number. That website will now display a third line for a key code, following the traditional username and password boxes.

I have Two Factor Authentication implemented on several of my most sensitive and personal web accounts; if I access those websites from a computer, smart phone, or other device not previously recognized and confirmed as mine, the website will send a verification code as a text message to my phone. Even if I entered a valid username and password (which could have been stolen by a hacker or cracker), the website will also require that the validation code sent to my phone also be entered in a finite number of seconds in order to access the account. Unless the cyber crook also has my smart phone, they will be unable to access my account even if they have my valid user name and password. Many people are unaware that each device on the internet has a unique code number attached to it, which is also sent to websites to help verify the source of an inquiry; if the website does not recognize the unique hardware code previously verified for my computer, smart phone, or tablet, it will demand that I also promptly enter the unique access code that the website sends to my phone; no code, no access, it is that simple.
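The website's side of that exchange, as an added example that is not from the article or from any particular website: after the password check passes, an unrecognized device gets a random six-digit code that expires, works once, and allows only a few wrong guesses. The class name, the `device_id` value (for instance a cookie the site set earlier) and the two limits are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 120   # seconds a code stays valid (assumed value)
MAX_TRIES = 3    # wrong guesses allowed per code (assumed value)


class SecondFactor:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.trusted = set()   # (user, device_id) pairs already confirmed
        self.pending = {}      # user -> [code_hash, expires_at, tries_left]

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def start_login(self, user, device_id):
        """Call only after the password was correct.

        Returns None for a recognized device, otherwise the code that the
        site would text to the phone number on file.
        """
        if (user, device_id) in self.trusted:
            return None
        code = f"{secrets.randbelow(10**6):06d}"   # unpredictable, 000000-999999
        self.pending[user] = [self._hash(code), self.clock() + CODE_TTL, MAX_TRIES]
        return code

    def finish_login(self, user, device_id, submitted: str) -> bool:
        """No code, no access: True only for the right code, in time."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, tries_left = entry
        if self.clock() > expires_at or tries_left <= 0:
            del self.pending[user]                 # expired or guessed too often
            return False
        if not hmac.compare_digest(code_hash, self._hash(submitted)):
            entry[2] -= 1                          # count the wrong guess
            return False
        del self.pending[user]                     # a code works only once
        self.trusted.add((user, device_id))        # remember this device
        return True
```

A stolen username and password get an attacker as far as `start_login`; without the phone that receives the code, `finish_login` keeps returning False until the code expires or the guesses run out.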

While there are many websites that explain how to implement Two Factor Authentication on their particular websites, and the process is inherently simple, as well as similar on most participating websites, my personal favorite is still the directory at turnon2fa.com/tutorials. All of the information that anyone might need, including a 90 second video explaining the process, is available from the "Turn It On" website at www.turnon2fa.com. If you are worried about someone accessing your accounts or hacking into your email (and you should be!), you need to enable the Two Factor Authentication offered for free by many of the websites that we access.

If offered by online services, such as your email provider, and you do not implement Two Factor Authentication (or some similar technology such as the uncommon digital dongles), please do not come running to me if your email or other account is accessed by disreputable individuals. I would hate to say it, but, "I told you so!".


Cloud Computing - An Ephemeral Concept

By Phil Sorrentino, Member of The Computer Club, Florida

http://scccomputerclub.org        Philsorr.wordpress.com          philsorr (at) yahoo.com

Cloud computing has been around for quite some time. It just wasn’t called Cloud computing until recently. Although the term “Cloud Computing” is relatively new, references to “Cloud Computing” can be found as early as the mid-90s. But the term seems to have become popularized sometime in the mid-2000s. In 2008, Steve Jobs, of Apple fame, developed his vision of the cloud as a “digital hub for all your digital content”. His idea was that a person’s digital content (pictures, documents, videos, music) would be stored on a remote server, managed by a trusted company, making that content available for that person to use on any device, anywhere, anytime.

The “cloud” is really just a metaphor for the Internet. It goes back to the days when engineers made presentations that referred to the internet; they pictured the large amorphous infrastructure of the Internet as a puffy, white cloud. This cloud would accept requests for data and provide information and answers. If you are wondering if you ever use Cloud Computing, think about this. If you have ever searched for a gift on-line, ordered it from Amazon, and tracked its progress using the supplied tracking information, you were doing Cloud Computing. You were using applications hosted on someone else’s server to accomplish your task.

In the simplest terms, cloud computing just means storing and accessing data and programs over the Internet instead of using only your computer's hard drive or local storage. When you run programs from your local hard drive and store the data on your local hard drive you are doing local computing. Everything you need is physically close by. Local computing is how we have functioned for many years and it has some obvious benefits, like speed, but cloud computing expands your computing reach beyond your local resources.

So, if the cloud is really the internet, let’s look at a brief history of the internet. The internet had its beginnings in the development of the ARPAnet network that was funded, in the late 1960s, by an agency of the Department of Defense, the Defense Advanced Research Projects Agency. DARPA is responsible for the development of new technologies for use by the military, but in this case non-military commerce has greatly benefited. Some brief technical considerations show that the internet has no real structure; there are no plans or schematics that define the internet, only the implementation of packet switching and an agreed-upon set of communications protocols, called TCP/IP. Packet switching is a digital networking communications method that groups all data messages, regardless of content, type, or structure, into uniformly sized packages or packets. TCP/IP provides the protocols that specify how data should be formatted, addressed, transmitted, routed and received at the destination. Packet switching and the use of TCP/IP are what make the internet so amorphous and yet extremely resilient. Amorphous in that you do not know what path a packet will take to get to its destination, and resilient in that if part of the network is unusable, the packets will go via alternate routes. A complete message will consist of from one to many packets. A complete message can be reconstructed when all the packets are received because the packets include the address of the intended receiver, the address of the sender, the body of information, and a set of check characters used to prove the correctness of the received data.

So because the cloud is really the internet, we all have been doing cloud computing for quite some time and we didn’t even know it. Google searches, email, Netflix movie streaming, Carbonite backup, Pandora music, YouTube videos, Facebook sharing, Twitter tweeting, and Google Earth mapping, are all examples of cloud computing.

Once the internet was established as a communications pathway to anyone who could operate a personal computer, commerce began to take advantage of its reach. Think about the reach of the highway system in the 60s and 70s. The highway system brought people and commerce together. Shopping malls were easy to get to and they became the place to purchase goods. Now with the internet, people can visit (cyber) stores without even having to use the transportation highways (though the products do have to be delivered and that must be done over the highways). Commercial establishments have built large websites to accommodate the large number of people attempting to use the internet for these commercial activities. Some websites were set up just to search out information that was available from other websites. Does Google come to mind? Other websites were developed to provide the communications capability that has become email. What would we do without email? Still others like Facebook and Twitter provide a forum for social interactions. Many websites were developed to provide the news that would normally be sent to people by the newspapers, and so news websites and news readers became available. Financial institutions realized that they could interact with their customers via the internet and so they created financial websites. Financial websites give the user instant access to their financial information and allow them to buy and sell financial instruments from their home computer. I’m sure you could come up with many more types of internet websites. The last time I looked, there were over 800 million websites connected to the internet. That’s a pretty big cloud.

The point of all this is that websites are hosted on computers.

Website computers provide the Server portion of the Client-Server operation. (Your browser provides the “Client” side.) Large websites are not hosted by a single computer. Large websites may employ a network of hundreds of computers. So the bigger the website, the more computers are needed to host that website. The need for these networks of computer servers has evolved into website companies building large “Server Farms”. These server farms may have hundreds, if not thousands, of computers networked to act as website servers. Many of the companies with large server farms have set aside a portion of their cloud for use by the public. Typically, the first small amount of storage (3 – 7 GB) is free, with larger amounts at a cost. Think iCloud, OneDrive, Google Drive, and Dropbox.


Submit your article; deadline for next bulletin is Tuesday noon each week. Only what you write may be published. We cannot publish other people's work without written permission. Simply click here EDITOR AT TECC and paste your write-up to submit it.
Share your computer experiences with other members. We need articles to publish in the TECC Bulletin each week.
