Apparently, according the unmoderated Microsoft Answers website, there is a new color scheme for Microsoft Security Essentials and the new gray color is not an indication that MSE itself has been compromised.

If you want to be 100 percent sure, you’ll need to run a boot-time virus scan and / or download the Microsoft Malware Removal tool. You could also run one of the other anti-virus company’s online virus scans to get a second opinion, although if MSE were compromised in such a way that kept it from being detected by the Antimalware Service running on Windows 7, it is likely the same virus would be able to avoid detection by an online virus scanner.

See my latest Citibank rewards card review…

Security Essentials Updates

It would be nice if Microsoft had mentioned the new color scheme. After all, security software is the one thing that each user has to be very careful about monitoring and installing correctly. It does not inspire confidence when one goes online to Microsoft’s website or the Security Essentials help files and finds nothing but screenshots of MSE running with a blue color scheme instead of the new black and white looking gray color scheme.

The above is one of the support videos on Microsoft’s official Security Essentials website. Notice the familiar blue color scheme for the background and the tab colors.

A different background color might be just the sort of thing to clue a computer user into the fact that there was something wrong with their antivirus software. A little notice or heads up of some sort might have been nice.

Good day to you all.

New Color in Microsoft Security Essentials: Gray? is a post from Best Hubris. All content exclusively written by Freelance Writing Business of ArcticLlama, LLC

As a freelance writer I read a lot to stay current as well as for pleasure. Sometimes, I like to participate in a conversation or online community. Like many users, I consider the user accounts created for no purpose other than being able to comment on a website or participate in their forums unimportant. Thus, like many users I got lazy about the security of those accounts.

Often, I comment on only a handful of articles. Sometimes, I comment on just a single article. Creating, remembering, and using a strong password for these accounts is not worth the hassle. Fortunately, the LastPass plug-in has solved this issue for me by allowing me to generate a secure password, save that password, and most importantly, make said password available on any computer I use.

Unfortunately, there are many, many, websites and user accounts out there that I used prior to implementing LastPass. On many of those I used a strong password. However, that password was re-used on multiple accounts. That means that changing my Lifehacker.com password after the Gawker hack (Lifehacker is one of Gawker’s websites) isn’t enough. The same username and password combination may exist on other websites that I have used in the past. Those that were imported into LastPass were easy to track down. It’s too bad there are a lot of them. I’ll  have to waste time changing them all manually.

The thought of just leaving them since, as I said earlier, they are not "important" has occurred to me. However, there are two major problems with that strategy. First, and foremost, I don’t want someone impersonating me in such a way as to damage whatever reputation I have with a certain community. Second, while I fake info most of the fields required to sign up for user accounts like these, there might be some real data out there that I don’t want someone finding.

Staying Secure Online Gawker Lessons

The Gawker security breach provides some unpleasant lessons. The two biggest issues are not even being addressed by the media, tech bloggers, or anyone else. I find that more than a little disturbing. Unless we get details on how exactly the Gawker hack happened and find that it was a grossly incompetent security setup that was breached, we have to assume the following.

1. Any site can be hacked.
2. Even encrypted passwords can be unencrypted.

Which brings me to some very unfortunate requirements for online security for users.

1. Leave as much information blank as possible when signing up for anything online.
2. Fake as much information as possible when it is "required" by the site.
3. Change real information to fake information as soon as possible. (For example, you have to use your real address when something is being sent to you, but you can change it to 55 Baloney Way as soon as you receive it.)
4. Never use the same password more than once.
5. Never store your passwords online.

The last one is the one that really bothers me.

You see, LastPass stores all of my passwords and usernames online. Big websites try and make this less scary by calling it "the cloud". Either way, it’s a database that can be attacked, breached, and copied. Even though those passwords are encrypted, it’s only a matter of time to unencrypt them.

How juicy of a target would LastPass be for hackers? Once compromised, how many usernames and passwords would you have to change just to be safe?

The user accounts compromised by the Gawker breach are annoying to me. The ones stored on LastPass could ruin me.

I’ll do some research before doing anything hasty, but it would seem that unless I can store my LastPass passwords locally without online storage, I’ll have to go back to using KeePass and replicating the database to my computers instead of keeping my data "in the cloud."

Gawker Hack Proves Password Security Sucks is a post from Best Hubris. All content exclusively written by Freelance Writing Business of ArcticLlama, LLC

Actually, I usually just do a Google search for how to use the software feature. It’s faster.

That’s why it is a very important aspect of business strategy for successfully satisfying your user community to always ensure that your product manuals are not only available online, but easy to find, and most importantly, indexable by search engine spiders.

LastPass Extension Won’t AutoLogin

I have been using LastPass, which has both a Firefox plugin, as well as a LastPass extension for Chrome, and even a LastPass Toolbar for Internet Explorer. Basically, LastPass is a cross-platform password manager for anyone who spends a lot of time online and needs usernames and passwords on more than a handful of accounts. I’ve tried LastPass before, but came back while looking for a means to improve online security for my small business as a freelance writer.

One annoying glitch I ran into is that LastPass won’t autologin to some of my websites. I checked the LastPass vault and checked the autologon box, but LastPass did not autologon to many websites, especially my own freelance writing projects, like my personal finance blog.

As I tried to troubleshoot LastPass and find out what the error was logging in automatically, it occurred to me that I might be making an assumption about how the LastPass autologin feature works.

You see, it isn’t that the auto-login from LastPass wasn’t working at all, it’s that it would not work on certain websites even after I turned the auto-logon on. What I couldn’t figure out was what it was about some websites that made them work with LastPass and what it was about other websites that broke LastPass autologin. The problem was that I was trying to learn what the issue was with the websites. Turns out that is not the bug.

I finally noticed the issue when I went to set a new autologin account for a website and crossed my fingers to hope that this was one of the websites that the autologon would work for. It did, and I was happy. Then, I added a new account for the same website and suddenly my LastPass auto-login was broken. And, the light bulb went on.

Fix LastPass AutoLogin Feature

Obviously, you can only log-on to a website with one username and password at a time. There are ways around this, of course, but at the time you load a website with a login screen, you can only enter one username and one matching password. If you have more than one user account on that website, you have to pick which one to login with. In the case of LastPass, you would have to let it know which account to use to autologin.

I thought I was doing that by only checking the AutoLogin box on one username and password. Any other accounts for that web address were not set to autologin.

That is one way for the user interface to work, but it isn’t the only way. Another user might say that if there is more than one account, then the software should default to asking which account to use, which is how Last Pass does work today. If you have more than one account, it will not autologin, no matter how you have the boxes checked.

For my WordPress blogs, fixing LastPass’ autologin was easy enough. For security purposes (Wow, security really permeates everything these days, doesn’t it?) I do not use “admin” as my user account on my blogs. However, since I set up an Admin account in the first place, LastPass duitifully remembered the username and password. Actually, LastPass imported the username and password that were saved in Firefox, but the effect is the same.

For each of my websites, from how to make money writing online to my blog about adult ADHD tips, there were two user accounts. One was my “real” account, and one was the “admin” account. Since there were two accounts defined, neither one would autologin when I asked it to. After deleting the admin account from the LastPass vault, the other account does autologin without any trouble.

It’s one of those things that no matter how you design your software, someone will think of another way it could, or should, work. I’d like to see a button or checkbox that allows the user to set an autologin with a specific account regardless of the existence of any other accounts for that website. That way, the other usernames and passwords could be saved in the LastPass vault, even if they are never used for autofill or anything. Even better, would be a way to load a webpage while pressing the SHIFT key, or something, and in that case NOT auto-logging on, which would then allow the user to choose an autofill option.

Regardless, now that I understand how this nuance of the Last Pass password manager works, I can make it do what I want it to do, and that is the most important thing about good software design.

Now, if only I could get Microsoft to implement a way to restore the last session in Internet Explorer automatically the next time the browser is started instead of them insisting that they know better than the user, that would be great.

LastPass Firefox Add-On Autologin Problem Solved is a post from Best Hubris. All content exclusively written by Freelance Writing Business of ArcticLlama, LLC

However, as anyone who earns money working from home as an entrepreneur will tell you, sooner or later you need to get out of the “office” no matter how great your setup is. I love my little basement home office, but there are no other people there but me, and sometimes I look up and realize that I haven’t seen the sun from a different angle in days. This is especially true in the fall and winter when the days get shorter and my workday can go from before the sun comes up to after the sun goes down. That means working from Starbucks or another coffee place.

For many people accessing the Internet from an insecure wireless hotspot like the ones they have at Starbucks, bookstores, and coffee shops is no big deal. Most banks and financial institutions use encryption on anything important, and certainly when logging on with a username and password. Even online email accounts like Google Gmail or Microsoft Hotmail use SSL when you are logging in. But, when you are talking about a full work day and accessing client-provided information, networks, data banks, or archives you can’t always be sure that the encryption is already there. And, when you are a freelance writer working on a deadline, you can’t always remember to check before you type away at the keyboard, potentially exposing sensitive data or giving away usernames or passwords in the clear.

Recent news about attorneys mass subpoena names and address from IP addresses also makes me nervous. I don’t do a lot of P2P type stuff, and almost none of it would attract a copyright attorney’s attention, but if they can do it for that, they can do it for anything. More to the point, current U.S. case law seems to suggest that a law firm can subpoena user data from ISPs and Internet providers based upon suspicion that something may or may not have been done by the IP address in question and, by extension, whoever was using it. I’m not interested in getting caught up in any “widely cast nets.”

Paid VPN Service Versus Free VPN Service

There are some free VPN services out there. The most popular one is HotShield. It offers free encrypted VPN connections, but it comes at the cost of having advertising. Ads are not a big deal when they are kept out of the user experience on a full-size monitor, but try working on your 10-inch ultra-portable netbook with an ad banner across the top. In some cases, it can take up a quarter of the screen.

Most free VPN services are also slower thanks both to the need to keep costs for a free service offering down, and in order to entice some users to upgrade to their faster paid VPN service.

Add it all up and it makes using free VPN a hassle for serious networking and Internet connectivity. I find myself weighing the burden of firing up the VPN client versus the odds that I can keep myself safe without it. That’s not a good way to run a railroad, so to speak.

Premium VPN Services

I did some preliminary research and it appears that getting unlimited secure VPN access with encrypted network connections to the Internet and beyond is realatively innexpensive.

I’ll be looking into various VPN providers over the next couple of weeks and trying several of them out. There are reviews out there, but it so hard to distinguish fake reviews from real reviews that I don’t know which ones to trust. The only reviews to speak of from respected publications review VPN services as they pertain to the computing or IT industry and not how they work for the entrepreneur trying to keep his small business safe while working remotely from the road or the local coffee shop. Hopefully, I can help fill this gap by reviewing VPN connection providers from the viewpoint of a small business owner networking on the go.

Grab the Best Hubris RSS feed so you don’t miss any of the upcoming VPN provider reviews here on BestHubris.com. While you are at it, you can check out my recent review of WiFi Guardian hotspot security software.

If you offer a premium VPN service and want me to include your product in my review, please contact me and I will test out your product. Please let me know whether I will need to download and install software or not, and let me know how to access the reviewer’s account username and password.

Network Security VPN Internet Services is a post from Best Hubris. All content exclusively written by Freelance Writing Business of ArcticLlama, LLC

Unfortunately, that does nothing to secure all of those applications on laptops that log-in automatically by remembering usernames and passwords. It is also all too common to be in the middle of something, get in the flow, and end up entering a username and password before even thinking about whether or not there was a HTTPS in the URL.

The only reasonable solution is to setup an encrypted connection that captures all incoming and outgoing network traffic from the laptop so that there can be no mistakes or slips in security. Unfortunately, there are not a lot of options available in this arena. This is especially true for WiFi hotspot security protection that can be setup on the fly without pre-configuring a server somewhere to be waiting for your call.

Hotspot Shield by Anchor Free offers a free VPN connection that provides the fully encrypted security solution needed to safely use WiFi hotspots. However, it is “ad supported” which means that not only will part of your precious laptop screen real estate be eaten up by ads, thereby making your viewable monitor area even smaller, but it also means that your connection ends up being slower because those advertisements are given first priority by the VPN application.

WiFi Guardian Wireless HotSpot Security

I was excited to find WiFi Guardian, a free wireless hotspot VPN encryption program that connects to its own third-party servers to provide network security. Like HotSpot Shield, WiFi Guardian provides complete network interception making by web surfing and email secure as well as closing off the ability to hack in via installed software programs that automatically update.

The best part is that WiFi Guardian comes with a free 3-day trial. After three days, you have to pay $49.95 per year, but even a one-day free trial is good enough to secure your laptop for an impromptu coffee shop office setup. Most other VPN software comes with a specific data limit trial instead. That means that you have to make sure your computer isn’t doing anything behind the scenes that could be eating up your free trial period like downloading CD covers or synchronizing your bookmarks or files.

There is one bizarre thing that concerns me. The VPN application requires you to register a username and password to create an account. No problem there. However, the password field can only contain letters, no numbers or symbols.

What kind of security is that?

The most basic of all security is using strong passwords. Anyone setting up special software for security purposes would already be very familiar with using strong passwords. It begs the question about how seriously the WiFi Guardian developers take security when they not only allow, but require users to setup weak passwords on their accounts.

Needless to say, I will be uninstalling the software after my free trial period is up.

Has anyone else used WiFi Guardian? What have your experiences been like? Would you trust a security company that uses weak passwords?

Leave your answers in the comments, or shoot me an email.

Wi-Fi HotSpot Security Wireless Guardian Secure is a post from Best Hubris. All content exclusively written by Freelance Writing Business of ArcticLlama, LLC

It is like your username and password are your ATM card, and the numbers on the security key are your PIN number. Only, it’s even better because your PIN is constantly changing. Basically, in order to do anything, a thief would have to get your card and your keys. (Now imagine a similar security key device that requires a code to unlock the display and you are getting to security that is pretty much unbeatable except by government agencies.)

The idea is that even if a hacker or phisher were able to get your username and password, they would be useless without the numbers on the electronic key. If they managed to get the username, password, and numbers, they would only be good for 30 seconds.

On the one hand, this is great security. In fact, some method of combining this type of technology with something like OpenID so that it could be used on every website, would pretty much shut down phishing and password theft and cracking as we know it.

On the other hand, the PayPal security key is basically designed to stop phishing attacks where the hacker tricks the user into divulging their username and password. Not surprisingly, these methods work best on those who are the least security aware, or those who have the least understanding of website security. While those who are most concerned with security are likely to be vigilant and thus only fooled by the most sophisticated techniques.

In other words, this security device would best protect the people who are the least likely to get one, and do the least to protect the people who are most likely to get one.

And, while we’re at it, what about people with multiple PayPal accounts (a personal, and a business one, for example)? What about business accounts? If the guy with the number key device is out sick or on vacation, what then?

The bizarre part is the number of security improvements that could be made without requiring someone to order, buy, and keep track of another piece of hardware. ING’s online banking at ING Direct, for example, requires a user to choose an image and a phrase that validates that they are indeed looking at the REAL ING Direct login page before entering a password.

The image and passphrase display over a graphical numeric keypad where the user enters their PIN. Any phishing attempt would fail immediately when the user noticed that the picture and words that are always there are suddenly missing or different.

Even better, entering the password PIN requires clicking the numbers on the screen, so not even a keylogger can capture the password.

PayPal doesn’t even offer this basic security and its next move is an electronic security key?

I know I would feel much more comfortable if when I clicked a button to pay with PayPal if I could see some sort of validation that this isn’t an elaborate deception that looks like I’m entering my PayPal username and password into my PayPal account when I am actually entering it into a form designed to look exactly like the original.  All you have to do to pull of the scam on even the security savvy is a way to make the address in the URL bar say "PayPal" since that is the only means of validation PayPal currently offers.

Maybe PayPal should start by implementing some of the basics, and THEN worry about taking it to the next level.

New PayPal Security Key – Extra Security For People Who Are Probably Safe is a post from Best Hubris. All content exclusively written by Freelance Writing Business of ArcticLlama, LLC

First, Microsoft is no longer accepting beta participants for its Security Essentials program.  Security Essentials is a multi-dimensional securities application, but for the average home user, it is a free virus scanner with free virus definition updates.  While there are other utilities like this out there, this one would presumably come with technical support from Microsoft which could make it a viable option for businesses.  No word on how this would, or would not, impact the other major security vendors out there.

Next, I found out that Dell is offering the same kind of migration assistance and upgrade tools as pretty much every other first-tier PC manufacturer, but for some reason, they get a pretty extensive and flowery write-up in the Windows Blog.  Wonder if there is a marketing deal there, or if Microsoft is just showing some love, or if the Windows team is handing out a little payback for what appears to be some pretty hefty testing work done by Dell during the Windows 7 beta and Windows 7 RC periods.

And lastly, the same Windows Blog apparently is reading my thoughts while I’m laying in bed.  Last night I was going through what the differences are between XP Mode and Med-V , other than that Med-V only is available to business clients with Software Assurance licenses or other enterprise licensing.  Looks like I can use this post as the jumping off point for a nice freelance computer article.

This isn’t news, but I was using Internet Explorer a bit this morning and was thinking that it would be really great if I could customize this page that opens whenever you open a new tab in IE 8.  Not that I can change what page appears when you open a new tab, I know I can do that, but rather that I could change / add to what links are information are displayed on this page:

I’ll haven’t done much with IE 8 other than upgrade to it so that I have the least insecure Internet browser Microsoft makes, so with a little digging, maybe I’ll find that I can do exactly what I want.

Cheers.

News From Microsoft is a post from Best Hubris. All content exclusively written by Freelance Writing Business of ArcticLlama, LLC

Deleting the admin account removes it as a target for hackers.  They can try all day long with automated or non-automated attacks to hack the admin account, but if it isn’t there, they’ll never get in that way.

There is a small glitch that most people fail to mention.

If you have already setup your WordPress blog before deciding to remove the admin account, chance are that WordPress won’t let you delete the admin account when you try and click delete.

Why won’t WordPress let you delete the admin account?

Because under Settings –> General there is a field where you enter an email address.  That email address is the administrative email address contact.  You cannot delete the account that the administrator email account is assigned to.

So, take one more step and switch the admin email address to match the one you setup with the new admin account.  Then, you can go back to the Users screen and delete the admin account without any trouble.

FYI – If you have not created another User account and assigned it administrator rights, you won’t be able to delete the default admin account either.  In WordPress, there always has to be at least one admin account, so you have to create the new admin account first, and then delete the old default administrator account.

Cannot Delete Admin Account in WordPress is a post from Best Hubris. All content exclusively written by Freelance Writing Business of ArcticLlama, LLC