security
Making it easy for the bad guys
Submitted by Steve on Mon, 08/16/2010 - 16:48
Seventy-five percent of all users use the same password for email and social network sites, according to a story in Security Week magazine, citing a study by Bit Defender. Want to bet a good number also use the same password for their bank accounts, credit cards, Starbucks card, and every other web site?
We all probably trust the security of our bank, but what about that website where you had to register, then take a survey to get a chance to win an iPod? Who's running that site? Did they ask you to pick a user ID, enter your email, and select a password? And did you use your "usual" ones?
When you say it out loud, does it seem like a good idea?
Is your wifi router a talk radio station?
Submitted by Steve on Fri, 06/18/2010 - 14:26
The French National Commission on Computing and Liberty is shocked to find that Google's street view vans have recorded snippets of wireless traffic, including email content, user IDs and passwords. Apparently, the French are easily shocked. What many people seem to forget is that wifi is radio and they're running a radio station, starring all of the computers in the network. Like any radio station, anyone with the right type of radio can listen and record your shows.
There are two things that everyone using wifi should do.
- First, encrypt your wifi using WPA2. It's not foolproof, but defeating WPA2 is difficult and time consuming. Anyone who's after you, in particular, may want to invest the time, but the drive-by vans will skip you and read your neighbor's unencrypted signal.
- Second, whenever possible, log in to websites using SSL. SSL provides secure encryption from your computer to the server at the other end of the connection. If you visit websites using "https" instead of "http", you're using SSL encryption.
Using SSL for all data exchanges is critical when you're on a shared, public wifi network. Anyone at Starbucks, or the library, or your favorite place to park yourself with your notebook or phone could be recording network traffic. On such networks, you should have absolutely no expectation of privacy. It's critical to encrypt your data before it goes out over the air.
Check with your email provider to find out if they support POPS or IMAPS and Secure SMTP. The "S" at the end of POP and IMAP means that the connection between your computer and the mail server is encrypted via SSL, too. All major mail clients support the protocol. If your mail provider doesn't, it's time to find a new mail provider.
If you use Gmail, click "Settings", then "Always use https". Gmail will then enforce an SSL connection whenever you access it on the web.
Exit strategy
Submitted by Steve on Wed, 12/16/2009 - 13:35
Thoughts about strategic IT problems come from all sorts of places.
TiVo picked up an episode of MI-5 that I got around to watching at 2 AM today. The episode opens with the tech wizard guy explaining to the lead character how he's set up a security system for the lead's house that "makes it a fortress." Oh, damnable foreshadowing. You just know it's not going to go well. And it doesn't. At the end of the episode, the sophisticated entry control system is brought down by some cake frosting in the card reader. Our hero is stuck outside, while his girlfriend and her daughter are stuck inside with a ticking time bomb. Neither our hero nor the bomb squad can get in, and the people inside cannot get out.
What's the IT aspect? We focus more on cost and performance issues when establishing a relationship with a vendor or jumping into a new technology. How will it be billed? What are the service levels and remedies? It's easy to overlook what happens when the contract ends, the application becomes obsolete, or the vendor disappears or drops the product. At the end of the relationship, you may find yourself outside, your data locked in, and the clock is ticking.
It's hard to figure out the exit strategies for SaaS and cloud-based applications. And if recent events have taught us anything, it's that no vendor or service is too big to fail. Don't walk in unless you know how to get out, and get out very fast if necessary.
The job ain't done until you know how to run.
Rogue security, Search Engine Optimization, and some darn clever folks
Submitted by Steve on Sun, 10/25/2009 - 11:47
A couple of weeks ago, Sarah Silverman was on Bill Maher's Friday night show on HBO, where she showed her latest video. The next morning, I hopped on to Google to find it and forward it to some friends who had probably missed the show. The first 10 links on Google were sites that informed me my computer was infected by a virus, then downloaded a setup.exe file to the system to "clean" the viral infection. Continue reading for more about how these links came to be.
Denial of Service: Oops
Submitted by Steve on Wed, 10/14/2009 - 13:35
I had a Firefox crash yesterday that seems to have corrupted the form completion database and/or some saved cookies. It's been no big deal; I just generally have to re-login to a lot of web sites. It was going OK until I got to my bank's site today to pay some bills. I know exactly what my password is, because I have to type it in every time I visit, but I've long since forgotten my user ID. It wasn't in the document in which I record user IDs and password hints.
I tried three or four times with each possible user ID, and after the 3rd or 4th time, I got the "your account has been locked" notice. After doing this for about 20 minutes, I folded and called customer service. After the usual set of identification questions, I got my user ID. (Darn! Yeah, now I remember it). I asked the person at the other end, a very nice person, what happened to the folks whose IDs I'd been trying. He said that they're locked out until they, too, call customer service.
So, if you try to login to your bank and your account is locked, my sincere apologies.
The bigger issue, of course, is the possibility for someone to do this maliciously. If I know your bank account user ID, I can lock you out of it by writing a script that tries (and fails) to log in and running it every 10 minutes. Similarly, if your network has a terminal server available, I can lock out any number of users, including the administrator, by doing the same thing. That would be annoying.
Consider the case, however, if I have access to your system and want to do something bad to it. While I'm in, it would be a good idea for me to lock the doors behind me, to keep out any admins who might be notified if/when I set off an alarm. When setting up access policies, it's important to remember that setting a time lock can lock you out while someone else is within, doing something nasty to your system. Make sure you have a secure back door, and make sure it uses its own key.
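A sketch of the lockout problem described above, added as an example and not taken from the original post: a toy login gate whose time lock refuses even the correct password, next to a break-glass path that uses its own key and ignores the lock. The names `LoginGate` and `break_glass`, the threshold and lock duration, and the console-only restriction are all assumptions made for the illustration.

```python
import hashlib
import hmac

LOCK_THRESHOLD = 3   # consecutive failures before the time lock (assumed value)
LOCK_SECONDS = 900   # how long the time lock lasts (assumed value)

class LoginGate:
    """Toy in-memory login gate: password path with a time lock, plus break-glass."""

    def __init__(self, passwords, break_glass_key):
        self.passwords = passwords    # user -> password (plaintext only for the demo)
        self.bg_digest = hashlib.sha256(break_glass_key.encode()).digest()
        self.failures = {}            # user -> consecutive failed attempts
        self.locked_until = {}        # user -> time at which the lock expires
        self.audit = []               # every break-glass attempt is recorded

    def login(self, user, password, now):
        if now < self.locked_until.get(user, 0):
            return "locked"           # refused even when the password is correct
        expected = self.passwords.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCK_THRESHOLD:
            self.locked_until[user] = now + LOCK_SECONDS
            self.failures[user] = 0
        return "denied"

    def break_glass(self, key, source, now):
        # Own key, console only, and independent of the password lock state.
        digest = hashlib.sha256(key.encode()).digest()
        ok = source == "console" and hmac.compare_digest(digest, self.bg_digest)
        self.audit.append((now, source, ok))
        return "ok" if ok else "denied"

def demo():
    gate = LoginGate({"admin": "correct horse"}, break_glass_key="constructed-sample-key")
    # Constructed timeline: three wrong guesses against "admin" within a minute.
    results = [gate.login("admin", "wrong", now=t) for t in (0, 20, 40)]
    results.append(gate.login("admin", "correct horse", now=60))   # real admin, locked out
    results.append(gate.break_glass("constructed-sample-key", "remote", now=61))
    results.append(gate.break_glass("constructed-sample-key", "console", now=62))
    results.append(gate.login("admin", "correct horse", now=40 + LOCK_SECONDS))
    return results

if __name__ == "__main__":
    print(demo())
```

The break-glass path has no lock of its own, so it is only as strong as its key and the restriction on where it can be used; the audit list is what tells you someone tried it.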
Layered Defense using DNS
Submitted by Steve on Sat, 08/15/2009 - 09:51
Network protection should not rely on a single magic bullet solution, but on layers of overlapping security. Mail should go through a couple of virus checkers and spam filters before it ever hits your inbox. A firewall keeps unwanted network traffic out and blocks unexpected outgoing traffic. Layered firewalls -- at the Internet connection and on each computer -- provide better security. Managing outgoing traffic via DNS filtering is another layer of protection for both home and corporate networks.
