February 4, 2009

PayPal Security Key

PayPal has recently introduced the new PayPal Security Key service and that's what I'd like to talk to you about today! The PayPal Security Key service is essentially designed to add an additional layer of security to the existing PayPal authentication, which uses a username and password. If a user signs up with the PayPal Security Key service, they'll be authenticated by using not only their username and password, but also by the additional security key generated by the service. The service is being offered in association with VeriSign ID Protection. VeriSign is an industry leader in online security and protection services. They're bringing their expertise and experience into play. The PayPal Security Key will be usable on the PayPal Web site, on the eBay Web site and on any other site that displays the VIP (VeriSign ID Protection) logo.

Why a PayPal Security Key?

As you know, authentication on most Web sites is done through a unique username and password combination, but since that information is stored on the site’s server, it becomes susceptible to online security threats. For example, somebody may hack into the Web site’s server, access the username and password information and then use it to authenticate themselves onto the site. However, such breaches are rare and Web sites of large companies usually have very strong security measures to defend against such attacks. A much more common scenario is that a user's log in information is stolen or overheard by a malicious user, who can then use it to log in to the Web site. The additional layer of security that the PayPal Security Key provides is a way to combat that problem.

With the PayPal Security Key, even if a malicious user does gain access to your unique log in information, they still can't get ahold of the security key this service provides you. Therefore, it's quite impossible for them to be able to log in to your account.

How Does the PayPal Security Key Work?

The best feature of the security key is it's literally unique every time you use it. Each time you need to log in, a new key is used. Even if a malicious user was lucky enough to get one such key, it doesn’t matter, because the next time you log in, the key will no longer be valid. Cool, huh?!

There are two ways a user can get the unique key each time:

1.) Security Key Token: PayPal sends you an electronic device called the Security Key Token, which generates a unique six digit number every 30 seconds. When you need to log in, you simply turn on the Security Key Token and use the number it generates for you.

2.) Mobile Phone Security Key: When you need to log in, you request a key on the PayPal (or eBay) Web site. A security code or key is then sent to your mobile phone via a text message.

How Much Does the Service Cost?

The Security Key Token has a one time cost to receive the electronic device, which is $5 at present. Of course, if you were to lose the key, a request for a replacement is required and that would cost $5 as well. The Mobile Phone Security Key has no cost whatsoever. Bear in mind, however, that your cellular provider will charge you for the SMS text message. You'll simply be charged whatever your provider normally charges for a text message.

Are There Any Potential Issues with the Service?

Of course, there are potential issues with any new service. The problem in this case is, for some reason, you may not have access to the Security Key Token device or to your cell phone at all times. But if that ever happens, you'll still be able to log in using a set of security questions.

Fortunately, it's hard to have your username and password, as well as your security key, compromised. For one thing, as I mentioned before, the key changes every time you have to log in, so getting a single key or security code is useless to a malicious user. Alternatively, even if a malicious user was to find a Security Key Token device, they'll still be unable to use it, because they don't know what account it's linked to.

Note that you'll need to have either the Security Key Token or a mobile phone (with a plan that allows you to receive text messages) in order to use the PayPal Security Key service. Additional information is available here if you'd like to know more. I hope you find this tip to be most useful!
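The "new six digit number every 30 seconds" behaviour and the claim that a captured key is useless on the next log in can be shown with a short added example, which is not part of the original post and not PayPal's or VeriSign's code. The post does not say which algorithm the token uses; this sketch assumes the standard time-based one-time password scheme (RFC 6238, HMAC-SHA1), uses the published RFC test secret, and the `Verifier` class is a hypothetical name.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for, per the post
DIGITS = 6   # code length, per the post

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second step that contains unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server side: accepts each time step at most once (hypothetical class)."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift = drift_steps      # tolerated clock drift, in steps
        self.last_counter = -1        # highest step already accepted

    def check(self, code: str, now: int) -> bool:
        current = now // STEP
        for c in range(current - self.drift, current + self.drift + 1):
            if c <= self.last_counter:
                continue              # replayed or older than an accepted code
            expected = totp(self.secret, c * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = c
                return True
        return False

# Constructed demo using the published RFC 6238 test secret, not a real token seed.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = Verifier(SECRET, drift_steps=0)
    code = totp(SECRET, 59)
    # First use succeeds; the same code presented again is rejected.
    print(code, server.check(code, 59), server.check(code, 59))
```

The replay check (`last_counter`) is what makes a code single-use; without it, a code overheard during log in would still work until its 30-second step, plus any drift allowance, had passed.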


Key Logging

Q:
What exactly is keystroke logging? I've heard it mentioned in your tips before, but I'm not quite sure what it is. Please explain!

A:
Oh, sure, I can do that! You're right, we have mentioned keystroke logging in many of our security tips before, but we've never really gone over what it is by itself. It's very important for all computer users to understand what all is involved with keystroke logging, so I'm glad you asked. I'm sure you're not the only one who has been wondering about it either. So, without further ado, let's have a discussion about keystroke logging!

Basically, keystroke logging (also known as keylogging) is a method used to capture and record user keystrokes. It's often thought of in a negative sense, but it can be used for good as well. For example, keylogging can be used to track down certain computer system errors, to research how users interact with certain systems and it can even be used to check on employee productivity for certain tasks. Keylogging is also useful in law enforcement, as it provides a way to unlock passwords and encryption keys.

Of course, keystroke logging is also a method used by hackers to get into another user's computer and steal information. That's the type we talk about the most in our computer tips, because we want to keep you safe at all times. There's really not that much to it though. If you have an antivirus program, a good firewall and some type of anti-spyware software on your computer, you'll be safe from keystroke loggers. Those types of applications can stop keystroke loggers in their tracks so that your information stays protected.

Back on the other side, there are two types of keystroke logging: hardware and software based. Hardware loggers come in three different types. First, there are the devices that are attached to the keyboard cable. They're inline devices and they're very easy to install, but they're also easily detected. Secondly, there are the devices that can be installed inside an actual keyboard. They're rather difficult to install, but once they're in, they're almost impossible to detect. Thirdly, there are replacement keyboards that already have the key logger built in. Those are obviously the easiest to work with and the logger is very hard to detect.

The software loggers are basically set up to see how users interact with different software programs on a computer. Like I said before, they can be used to keep track of how an employee is performing and so on. There are several different types of software keylogging, including local machine software keyloggers, remote access software keyloggers, wireless keylogger sniffers and acoustic keyloggers. They're all used for different tasks and they all provide different results.

As you can see, keystroke logging is used in a variety of ways and while it's used for both positive and negative aspects, it's a useful procedure. There's probably a lot more technical jargon I could bog you down with in terms of keystroke logging, but I think you get the gist. Everything you really need to know about keystroke logging is discussed above. I hope you now have a better understanding of what keystroke logging is and you can go out and tell your friends all about it. It's a great dinner table topic, don't you think?!


February 3, 2009

Little Snitch tattles on trojans

January 27th, 2009

Posted by Jason D. O'Grady

In case you missed it, your Mac may be under attack. Especially if you have a taste for downloading Mac software that isn’t exactly, ahem, legal.

Last week I reported that a trojan horse called “iWorkServices” was found in a pirated version of iWork ‘09 floating around on BitTorrent. Yesterday it came to light that another trojan has been found in a pirated version of Photoshop CS4.

Whether you play fast and loose with your software licenses is on your conscience (I certainly don’t recommend it) but one way to keep tabs on software that likes to call home is with Objective Development’s Little Snitch 2.0 ($29.95). I hadn’t used it since version 1 and the recent rash of Mac trojans gave me a perfect excuse to try v.2.

Little Snitch informs you whenever a program attempts to establish an outgoing Internet connection. You can then choose to allow or deny this connection, or define a rule how to handle similar, future connection attempts. This reliably prevents private data from being sent out without your knowledge. Little Snitch runs inconspicuously in the background and it can also detect network related activity of viruses, trojans and other malware.

Once installed you’ll be amazed at all the things on your Mac that connect to the Internet in the background. Most of them probably have your approval, like all the apps that you allowed to “check for updates at startup?” and things like Software Update, dotmacsyncclient and Bonjour’s mDNSresponder. Those ones are safe to “allow” but if Little Snitch asks for approval for something unknown, deny the request then Google the name to see if it’s kosher.

Be warned though, the first time you install Little Snitch, you’ll be inundated with allow/deny requests and it can be exhaustive. (Hint: you can confirm an alert with Command-Return, Control-Return and Return-Escape). Clicking the Forever button helps you ignore approved outbound connections and it’s a small price to pay to be able to keep tabs on potentially malicious code.

A new Network Monitor feature (pictured) has been added in version 2 which alone is worth the price of admission. The beautifully designed window displays detailed information about all of the incoming and outgoing network traffic on your Mac. It only pops up when connections are active unless you check the small “stay visible” box at the top of the window. I find myself leaving the Network Monitor window visible and watching in awe as the packets flow by. If you decide to close it a subtle menu bar item will also keep you apprised.

Nice, tight bit of code. Highly recommended.
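The allow/deny/ask model described in this post can be reproduced offline as an added example, which is not part of the original article and not Little Snitch's own code or rule format. It assumes connection data in the column layout of `lsof -i -n -P`; the sample lines, the addresses (documentation ranges), the rule set and the process name `unknownd` are constructed for illustration.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "process pid remote_host remote_port")

# Constructed sample in the column layout of `lsof -i -n -P`.
SAMPLE_LSOF = """\
COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
Safari    410 alice 12u IPv4 0xa1 0t0 TCP 192.0.2.10:49301->198.51.100.7:443 (ESTABLISHED)
dotmacsyn 512 alice 9u  IPv4 0xa2 0t0 TCP 192.0.2.10:49310->198.51.100.20:443 (ESTABLISHED)
mDNSRespo 77  _mdns 8u  IPv4 0xa3 0t0 UDP *:5353
unknownd  903 root  5u  IPv4 0xa4 0t0 TCP 192.0.2.10:49322->203.0.113.66:8080 (ESTABLISHED)
Safari    410 alice 14u IPv4 0xa5 0t0 TCP 192.0.2.10:49330->198.51.100.9:25 (ESTABLISHED)
"""

# Hypothetical "Forever" rules: first match wins, port None means any port.
RULES = [
    ("Safari", 25, "deny"),
    ("Safari", None, "allow"),
    ("dotmacsyncclient", 443, "allow"),
]

def parse_outbound(text):
    """Return one Conn per socket that has a remote endpoint."""
    conns = []
    for line in text.splitlines()[1:]:           # skip the header row
        f = line.split()
        if len(f) < 9 or "->" not in f[8]:
            continue                             # listening socket, nothing outbound
        host, _, port = f[8].split("->")[1].rpartition(":")
        conns.append(Conn(f[0], int(f[1]), host, int(port)))
    return conns

def decide(conn, rules=RULES):
    for name, port, action in rules:
        # lsof truncates COMMAND to 9 characters by default, so compare prefixes.
        if name[:9] == conn.process and port in (None, conn.remote_port):
            return action
    return "ask"   # no rule: hold the connection until the user decides

def triage(text):
    return [(c.process, c.remote_host, c.remote_port, decide(c))
            for c in parse_outbound(text)]

if __name__ == "__main__":
    for row in triage(SAMPLE_LSOF):
        print(row)
```

Because `lsof` truncates names, a rule keyed on the name alone also matches any other program whose first nine characters are the same; a rule keyed on the executable's full path or code signature avoids that.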


MacScan releases free Mac trojan removal tool

January 27th, 2009

Posted by David Morgenstern

With the arrival of yet another trojan targeting the Mac, antispyware vendor MacScan on Tuesday updated and renamed its trojan removal tool.

The previous version was called the iWorkServices Trojan Removal Tool, and SecureMac changed the program’s name to the iServices Trojan Removal Tool.  The company said the updated tool is also a free download and detects and removes the new variant trojan found on pirated versions of Adobe Photoshop CS 4 for Mac OS X.

This trojan is working its way around various P2P networks and with various packages as the vector for infections. The first version was discovered in copies of iWork 09, which was introduced at Macworld Expo earlier this month.

According to MacScan:

Like its predecessor, variant B obtains root privileges, and notifies the remote host of the infected computer’s location on the Internet. It is recommended users avoid downloading pirated copies of these programs. What’s more, it is anticipated that new variants will be discovered in the coming months in other software packages distributed by third parties over the Internet.


Mac malware will become endemic amongst high-risk groups

January 26th, 2009

Posted by Adam O'Donnell

Two Mac trojan outbreaks were spotted in the past week leaving several people, including myself, to wonder if the tipping point for the Mac malware epidemic has arrived. Frankly, I don’t know, but I tend not to think so. I do think, however, that Mac malware will now become endemic amongst the high-risk groups such as file-swappers.

This past week a trojan claiming to be the latest iWork release was spotted on file sharing networks. Shortly thereafter, a similar trojan was sighted masquerading as a crack for Photoshop CS4. Both events are making some people question whether or not the Mac’s long tenure as being a malware-free system is coming to a close and to face facts and install AV software.

The short answer is if you are a relatively well-behaved computer user, probably not. Mac malware is not endemic amongst the general population due to these events. The trojans of the past week are not self-propagating beyond the high-risk population, namely file swappers, and are relatively easy to find, analyze, and remediate. This is in stark contrast to PC users who have been hit with the Downadup/Conficker worm, which propagates via three orthogonal vectors and includes one remote exploit, and actively prevents you from visiting websites that contain remediation tools.

I do think the relative halcyon days of malware-free Macs are coming to an end. Anyone who is currently infected by the new malware will remain infected without direct human interaction due to the lack of any automatic mechanism for the identification and removal of malware. That means there is a non-zero population of Mac users who are now compromised and will remain compromised unless they either clean their machine or they buy a new system. Sounds familiar, right?

The question I want answered is whether or not the monetization rate of compromised Macs is sufficient for the malware authors to continue to pursue the platform. If not, these events will be a blip on the radar; otherwise, Mac owners better keep their Time Machine backups up to date.
