Analysts at the National Security Agency can gain access to the content of U.S. targets’ phone calls and email messages without court orders, NSA leaker Edward Snowden said, contradicting denials from U.S. government sources.

U.S. surveillance agencies have weak policy protections in place to protect U.S. residents, but “policy is a one-way ratchet that only loosens,” Snowden, the former NSA contractor, said in a chat on the Guardian’s website Monday.

The technology filter designed to protect U.S. communications is “constantly out of date, is set at what is euphemistically referred to as the ‘widest allowable aperture,’ and can be stripped out at any time,” Snowden wrote in the chat. “Even with the filter, US comms get ingested, and even more so as soon as they leave the border.”

To read this article in full or to leave a comment, please click here

U.S. law enforcement agencies have disrupted more than 50 terrorist plots in the United States and other countries with the help of controversial surveillance efforts at the U.S. National Security Agency, government officials said Tuesday.

NSA surveillance programs recently exposed by NSA contractor Edward Snowden have played a key role in disrupting terrorist activity in more than 20 countries, including 10 terrorist plots in the U.S., since the September 11, 2001, terrorist attacks on the U.S., NSA director General Keith Alexander told U.S. lawmakers.

“In the 12 years since the attacks on Sept. 11, we have lived in relative safety and security as a nation,” Alexander told the U.S. House of Representatives Intelligence Committee. “That security is a direct result of the intelligence community’s quiet efforts to better connect the dots and learn from the mistakes that permitted those attacks to occur on 9/11.”

Officials with the NSA and the U.S. Department of Justice defended the surveillance programs during Tuesday’s hearing, saying the programs are subject of rigorous oversight by the U.S. Foreign Intelligence Surveillance Court and Congress. Officials contradicted allegations by Snowden, who has said the few controls at the NSA are easily circumvented by NSA analysts.

To read this article in full or to leave a comment, please click here

Oracle addressed 40 security issues in Java and enabled online certificate revocation checking by default in its scheduled critical patch update for Java on Tuesday.

Thirty-four vulnerabilities patched in the newly released Java 7 Update 25 (Java 7u25) version affect only client deployments of Java. Another four affect both client and server deployments, one affects the Java installer and one the Javadoc tool that's used to create HTML documentation files.

Many of the client-only vulnerabilities received the maximum score on the vulnerability severity scale used by Oracle. These flaws can be exploited by attackers to take control of computers by hosting malicious Java applets—Java Web applications—on remote servers and tricking users to load them in their browsers.

The large number of Web-based attacks that targeted Java users this year by exploiting vulnerabilities in the Java browser plug-in prompted concern about the security worthiness of the Java platform among home users and in enterprise environments, where Java is also frequently used on servers.

To read this article in full or to leave a comment, please click here

Mgentry2 asked the Windows forum to recommend password managers that can " keep track of both online passwords and desktop application passwords (Outlook, Quicken, etc.)."

The safest passwords are long, seemingly random strings of letters, numbers, and punctuation--and you need a different one for each Web site and application. Unless you have a photographic memory, you need a program where you can securely store your passwords. That way, you only need to remember the one password that will give you access to all the others.

You need a password manager, which is essentially an encrypted password database. There's no reason why a good password manager it can't work for Web sites and applications.

[Email your tech questions to answer@pcworld.com or post them on the PCW Answer Line forum.]

To read this article in full or to leave a comment, please click here

If you’re like a lot of people, when it comes time to renew your security software, you may ask yourself, “Do I really need to upgrade to the latest version?” The answer is yes. Keeping up-to-date is generally a good idea, as new threats surface constantly. And if you value mobile security or use a social network, this year’s crop of security suites is worth paying attention to.

An increasing number of security suites now feature special tools to help protect you on social networks—a growing target for spammers, scammers, and other parties who want to get at your personal information. For example, Trend Micro’s Titanium Internet Security suite comes with a handy tool that highlights any possible areas of concern involving your Facebook privacy settings. Various suites also include tools that will scan links on social networks so that you aren’t duped into clicking a malicious link hidden behind a URL shortener.

If you own a smartphone or tablet, or both, the security class of 2013 has some new tools for you. And some security packages come with a mobile app that provides protection against mobile malware or includes other features such as GPS tracking to help you find your phone should it go missing. These apps often also include remote-wipe capabilities that let you delete the contents of a missing phone or tablet so your private data doesn’t end up falling into the wrong hands.

In addition, Windows 8 has changed the way security software makers design their programs. Many of the suites we looked at this year sport redesigned interfaces that include larger buttons and controls made to be more touch-friendly.

To read this article in full or to leave a comment, please click here

Symantec’s 2013 edition of Norton Internet Security ($50 for one year and three PCs, as of 12/19/12) is a solid performer with a polished, touch-optimized user interface. This security suite didn’t totally dominate its competitors, but it did completely block, detect, and disable all malware in our real-world tests, and it performed well enough overall to snag second place in our roundup.

Norton’s excellent showing in our real-world attack test indicates that it should be effective at blocking brand-new malware attacks as it encounters them in the wild. As noted in the F-Secure review, of the security suites we tested, four others were also successful at completely blocking 100 percent of attacks: Bitdefender, F-Secure, G Data, and Trend Micro.

Norton produced stellar—though not absolutely perfect—results in detecting known malware. In our malware-zoo detection test, the program successfully detected 99.8 percent of known malware samples. Norton Internet Security also put up a perfect score in our false-positive test: It didn’t mistakenly identify any safe files, out of more than 250,000, as being malicious.

Norton does an acceptable job of cleaning up a system that has already been infected, but it missed some infections completely in our evaluation. In our system cleanup test, the program detected and disabled 90 percent of infections, and completely cleaned up 60 percent of infections. This is a decent but not fantastic showing—seven of our tested suites detected and disabled 100 percent of infections, and six cleaned up all traces of infection at least 70 percent of the time.

To read this article in full or to leave a comment, please click here

Bitdefender Internet Security 2013 ($70 for one year and three PCs, as of 12/19/12) may just be everything that you’d want in a security suite. This program, which earned the highest rating in both our real-world attack test and our system cleanup test, has a user-friendly interface that will appeal to both regular and advanced users. It also comes with several extra services, such as antitheft protection for various mobile devices.

In our real-world attack test (which indicates how well a suite will be able to block new malware attacks as it encounters them), Bitdefender completely blocked 100 percent of attacks. (Four other tested security suites also put up perfect scores in this test: F-Secure, G Data, Norton, and Trend Micro.) Bitdefender was also able to detect 98.8 percent of known malware samples in our malware-zoo detection test. That’s not a bad detection rate, but five of the nine security suites in this year’s roundup had detection rates of 99.0 percent or higher.

Bitdefender managed to detect and disable 100 percent of the infections in our system cleanup test, and it successfully cleaned up all traces of infections 90 percent of the time. This result is the best full-cleanup rate of any of the suites we tested—only F-Secure Internet Security 2013 had a similar cleanup rate (90 percent). Bitdefender flagged just one file (out of over 250,000) as malicious, which gives it a very low false-positive percentage compared with its competition.

The program adds just a little extra weight to your system—in other words, its slowdowns are tolerable. It added 3.5 seconds to startup time (compared to a PC with no antivirus program installed), which puts it in the lower half of the suites we tested. It also added a second or so to shutdown time. Bitdefender has the longest on-demand scanning time (2 minutes, 1 second) of the programs we tested, and the fourth-longest on-access scanning time (5 minutes, 41 seconds).

To read this article in full or to leave a comment, please click here

AVG has given its Internet Security suite a makeover for the new year. AVG Internet Security 2013 ($55 for one year, as of 12/17/12) now has a pretty, Windows 8-style tiled interface, complete with large, colorful buttons that are optimized for a touchscreen. That said, it seems as if AVG has put most of its effort into improving its program’s looks, as the suite managed a respectable, but below-average, showing in our tests.

In our real-world attack test, AVG completely blocked 94.4 percent of attacks and partially blocked 5.6 percent of attacks. This indicates how well the program will block new malware attacks when it encounters them in the wild, and this is a good score, actually. However, since five of the nine security suites we tested completely blocked 100 percent of attacks, this score still puts AVG in the bottom half of the list.

AVG’s ability to detect 97.8 percent of known malware samples seems respectable at first glance, but it’s actually the worst detection rate of all the suites we tested. All of the other security suites were able to detect at least 98.8 percent of malware samples, while the top contender in this category, Trend Micro Titanium Internet Security 2013, was able to detect 100 percent of samples. AVG also flagged five safe files (out of a pool of over 250,000) as being dangerous; while this isn’t a bad false-positive rate, almost all of our other tested
suites posted lower rates.

In our system cleanup test, AVG detected 100 percent of infections, but only disabled 90 percent, and only managed to completely clean up 60 percent. This isn’t a great rate—F-Secure Internet Security 2013 managed to completely clean up 90 percent of malicious files—but it’s also not the worst of the suites we tested.

To read this article in full or to leave a comment, please click here

G Data InternetSecurity 2013 ($35 for one year, as of 12/19/12) is a comprehensive security suite with an excellent protection record: It blocked, detected, and disabled all of the malicious files we threw at it, and cleaned up 80 percent of infections in our system cleanup test. However, it’s not the most user-friendly suite, with a tedious installation process and an advanced-users-only settings panel. As a result, it ended up toward the bottom of our rankings.

In our real-world attack test, G Data completely blocked 100 percent of attacks. This indicates how well the product will successfully block brand new malware attacks when it encounters them in the wild. Of the nine security suites we tested, five completely blocked all attacks: G Data, F-Secure, Bitdefender, Norton, and Trend Micro.

G Data also has an excellent malware detection rate. In our malware-zoo detection test, the program detected 99.7 percent of known malware samples. This detection rate puts G Data in fourth place for malware detection. G Data did have a higher false positive percentage than other security suites—it flagged three safe files (out of over 250,000) as malicious. Although this is a very low false positive rate, seven of the suites we tested flagged fewer than two safe files as malicious.

In our system cleanup test, G Data detected and disabled 100 percent of infections. It also managed to completely clean up 80 percent of infections, which puts it in third place (alongside Kaspersky and Trend Micro). This test shows how well a product can find, disable, and remove every last trace of an infection, so you can rest assured that G Data will do a respectable job.

To read this article in full or to leave a comment, please click here

McAfee Internet Security 2013 ($40 for one year of protection on up to 3
computers, as of 12/19/12) didn’t manage top marks in our security suite tests,
but it’s still a fairly proficient antimalware program that will keep you relatively
well-protected. This security suite, which boasts a simple user interface and
a super quick installation process, scans your system quickly and efficiently.
However, McAfee’s uninspired design and average performance makes it a less
attractive choice compared to its competition.

In our real-world attack test, McAfee was able to completely block 94.4 percent
of attacks. Unfortunately, this means that it did let through 5.6 percent of
attacks, allowing our test system to get infected. This test indicates how well a
product will be able to block brand new malware attacks as it encounters them
in the wild—and of the nine security suites we tested, only two let such a large
percentage through.

That said, McAfee was competent at cleaning up malware infections once they
were already on the system. In our system cleanup test, the program detected
and disabled 100 percent of infections, and fully cleaned up 70 percent of
infections. Five of the nine security suites we tested performed better than
McAfee in this test, completely cleaning up at least 80 percent of infections.

McAfee had an excellent false positive percentage: It didn't flag a single safe file
(out of over 250,000 files) as malicious. It also did a very good job at detecting
known baddies: in our malware “zoo” detection test, it managed to detect 99.9
percent of known malware samples.

To read this article in full or to leave a comment, please click here

Avira Internet Security 2013 ($60 for a one-year, one-PC license; 30-day free trial) is an acceptable antivirus program—if you happen to be an expert in security jargon and working your way through a somewhat unfriendly user interface. This particular security suite passed our tests (though, not with flying colors) and even managed to come out on top a couple of times, but it’s not for the average user.

In our real-world attack test, Avira managed to completely block 94.4 percent
of attacks, and partially block 5.6 percent of attacks. This indicates how well
the product will block new malware threats when it encounters them in the wild.
While this result is solid, it’s not good enough compared to the top competitors:
Five out of the 10 security suites we tested managed to completely block all
attacks.

In our malware-zoo detection test, which determines how well a product can
detect f known malware, Avira detected 98.8 percent of samples. Although
respectable, this percentage still puts Avira in the bottom half of the suites we
tested—six suites managed 99 percent or higher detection.

Avira was able to detect and disable 100 percent of malware infections in our
system cleanup test, but was only able to purge them completely about 50
percent of the time: That’s the worst cleanup rate of the suites we tested. Avira
did perform impressively well in our false positives test; it didn't flag a single safe
file as malicious.

To read this article in full or to leave a comment, please click here

Trend Micro Titanium Internet Security 2013 ($50 for one year and three PCs, as of 12/19/12) certainly lives up to its name. This “titanium” security suite doesn’t let anything get through—in our tests, it earned excellent marks in just about every category. It also has a fairly user-friendly interface and a quick installation process, which makes it an all-around great pick.

In our real-world attack tests, which indicate how well an antivirus program will be able to block new malware attacks as it encounters them in the wild, Trend Micro’s suite completely blocked every threat that it faced. Needless to say, this means that the program will likely be able to keep you very secure, even when new malware programs are introduced in the future.

Trend Micro nabbed high marks in most of our other security tests. In our malware-zoo detection test, which exposes the program to a collection of malware that had been introduced in the preceding four months, Trend Micro’s package detected 100 percent of known malware samples. In our false-positive test, which checks to see whether a product mistakenly flags a known safe file as being dangerous, Trend Micro identified just one safe file (out of over 250,000) as malicious.

In addition, the suite did very well in our system cleanup test: It detected and disabled 100 percent of infections, and it managed to fully purge the system of 80 percent of those infections. This result puts it in second place, tied with G Data and Kaspersky, for total cleanup rate.

To read this article in full or to leave a comment, please click here

Kaspersky Internet Security 2013 ($60 for one year and three PCs, as of 12/19/12) is a solid antimalware suite that provides admirable protection and an excellent settings interface. This program looks a little different from the other suites we tested, mainly because of its teal-and-white colors, in contrast to the green-is-good/red-is-bad user interface that most other security packages use. But once you get past the fact that teal is sort of the same as green (trust us, this takes a moment), it’s a good program that will keep you safe from most incoming attacks.

In our real-world attack test, Kaspersky completely blocked 94.4 percent of attacks. Unfortunately, the 5.6 percent of attacks that it failed to block completely were not blocked at all—in other words, our test system got infected 5.6 percent of the time. The real-world attack test demonstrates how well a suite will be able to block brand-new malware attacks as it encounters them in the wild, so this is not a great sign.

Kaspersky’s suite was able to detect 98.1 percent of known malware samples in our malware-zoo detection test. This detection rate is fairly good, but seven of the nine suites we tested had higher rates (98.8 percent or more). Kaspersky did have an excellent false-positive rate, as it didn’t flag any safe files as malicious; that puts Kaspersky in the top four of the suites we tested for that measure.

In our system cleanup test, the Kaspersky software did an excellent job of detecting, disabling, and fully cleaning up infections. It detected and disabled all infections on our test PC, and fully cleaned up all traces of malware 80 percent of the time. Of the suites we tested, only two packages (Bitdefender and F-Secure) cleaned up more infections (90 percent), while three suites, including Kaspersky’s, cleaned up 80 percent.

To read this article in full or to leave a comment, please click here

Google has asked the court overseeing terrorism-related surveillance programs at the National Security Agency to allow the company to publish information on the number of surveillance requests it receives.

The Internet company, in a Tuesday filing with the U.S. Foreign Intelligence Surveillance Court , asked the court to allow it to publish the number of surveillance requests it gets from the NSA and other federal agencies and the number of users or accounts affected by those requests. The U.S. Department of Justice contends that publishing the information would be illegal.

Google’s lawyers argued the company has the right, under free speech guarantees in the First Amendment to the U.S. Constitution, to publish aggregate data about surveillance requests.

Google’s request comes in the wake of allegations by former NSA contractor Edward Snowden that Google and eight other Internet companies have given the NSA direct access to their servers, allowing the spy agency to read email and other Internet communications.

To read this article in full or to leave a comment, please click here

Both Facebook and Microsoft said late Friday that they had been given permission from the U.S. government to disclose how many times the two companies had been asked to turn over user information to the Feds as part of a national security order.

However, the data comes with so many caveats that little information can be gleaned from it. For their part, Google and Twitter opted out of similar disclosures, precisely for those reasons.

For the six months ended December 31, 2012, Microsoft received between 6000 and 7000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts from U.S. governmental entities, the company said in a blog post. For its part, Facebook said that it had received 9,000 requests of the same nature during the same period.

Both Facebook and Microsoft have been named in reports by the Guardian and The Washington Post alleging that many of the Web's top companies have actively participated in a program, dubbed Prism, that supplied information on Web searches, emails, and other user communications whenever the government requested. AOL, Facebook, Microsoft, Google, and the other companies named in the report denied the allegations, with both Facebook and Google doing so vociferously. Edward Snowden, a former employee of the National Security Agency, later outed himself as the source of the information.

To read this article in full or to leave a comment, please click here

Go ahead and ask CSOs from the nation's largest banks about the myriad distributed denial-of-service attacks they've experienced in recent months. They're not going to tell you anything.

Security execs have never been comfortable talking about these attacks because they don't want to draw more attention to their companies. They worry that offering even the basic details of their defensive strategy will inspire attackers to find the holes.

But many companies are finding themselves under attack for the first time, and their security chiefs need answers if they're going to fight back. So despite knowing CSOs are reluctant to talk, we tried to get answers anyway. We offered several CSOs anonymity to tell their stories, a tactic that always worked before.

Not this time.

To read this article in full or to leave a comment, please click here

A telephone records surveillance program run by the Federal Bureau of Investigation and National Security Agency raises serious privacy concerns and should be reined in, some U.S. senators said Wednesday.

Some members of the Senate Judiciary Committee pushed for changes to the surveillance program that allows the two agencies to broadly collect telephone call records from U.S. carriers, with some lawmakers calling for the records to remain with carriers until the agencies have a suspicion of a telephone number’s ties to terrorist activity.

“I remain concerned that, as a country, we’ve yet to strike the right balance between intelligence gathering into the FBI and the civil liberties and privacy rights of Americans,” said Senator Patrick Leahy, a Vermont Democrat, during a hearing on oversight of the FBI. “The American people deserve to know how broad investigative laws ... are being interpreted and used to conduct electronic surveillance.”

FBI Director Robert Mueller defended the recently exposed phone records collection program, saying it was a critical piece of antiterrorism investigations. The phone records collection program authorized by the Patriot Act has been a key tool in disrupting 10 to 12 terrorist plots since Sept. 11, 2001, he told lawmakers. NSA officials said Tuesday that the two surveillance programs have helped disrupt more than 50 terrorist plots since then.

To read this article in full or to leave a comment, please click here

Microsoft will pay security researchers for finding and reporting vulnerabilities in the preview version of its Internet Explorer 11 (IE 11) browser, for finding novel techniques to bypass exploit mitigations present in Windows 8.1 or later versions, and for coming up with new ideas to defend against exploits.

The monetary rewards will be paid through three bounty programs the company launched Wednesday.

The payouts will range between $500 and $11,000 for vulnerabilities found in IE 11 Preview, depending on the type of vulnerability and quality of the report, and up to $100,000 for mitigation bypasses in Windows 8.1 and later versions.

There is also a defense bonus of up to $50,000, the BlueHat Bonus for Defense. Participants must submit a technical paper that describes an idea that could be used to block an exploitation technique that bypasses the latest Windows platform mitigations. The reward will depend on the quality and uniqueness of the idea, Microsoft said in the program’s guidelines.

To read this article in full or to leave a comment, please click here

Europe's top privacy watchdog and the digital agenda commissioner both said Monday that more transparency and trust is needed between the European Union and the U.S. following reports of widespread data collection by the U.S. National Security Agency.

Cybersecurity is not an excuse for the unlimited monitoring and analysis of the personal information of individuals, said Peter Hustinx, the European data protection supervisor.

"If the E.U. wants to cooperate with other countries, including the U.S.A., on cyber security, it must necessarily be on the basis of mutual trust and respect for fundamental rights, a foundation which currently appears compromised," said Hustinx in a statement, released along with his formal Opinion on the Cyber Security Strategy. His formal opinion must be considered by the European Commission in drawing up legislation.

He went on to criticize the E.U.'s Cyber Security Strategy, which was put forward by the European Commission in February. Hustinx said the strategy is not clear on how data protection principles will be applied in practice and that it fails to take due account of the proposed Data Protection Regulation and the eTrust Regulation.

To read this article in full or to leave a comment, please click here

Yahoo has received between 12,000 to 13,000 requests for user data from law enforcement agencies in the U.S. between Dec. 1 and May 31 this year, the company said Monday.

The most common of these requests concerned fraud, homicides, kidnappings, and other criminal investigations, Yahoo CEO Marissa Mayer and General Counsel Ron Bell wrote in a blog post.

The company did not disclose how many of the requests for customer data were under the Foreign Intelligence Surveillance Act (FISA), which has been at the center of a controversy after reports surfaced that the government was collecting data from a large number of users under the Act, including call metadata from telephone customers of Verizon.

“Like all companies, Yahoo! cannot lawfully break out FISA request numbers at this time because those numbers are classified; however, we strongly urge the federal government to reconsider its stance on this issue,” the executives wrote.

To read this article in full or to leave a comment, please click here

Security monitoring—the type involving traditional security information and event management (SIEM)—can be done in some public cloud environments, according to Gartner. And businesses using public cloud services, it's time to think about doing it.

Security monitoring of assets that the enterprise has placed in cloud is still not a common practice, but it really should be, said Gartner analyst Anton Chuvakin during his presentation last week at the Gartner Security and Risk Management Summit in National Harbor, Maryland. There is always a "loss of control" when turning corporate data assets over to the cloud, Chuvakin says, but "you can compensate by increasing the visibility that comes with collection of logs and network traffic."

Most security monitoring today is done on-premises within the enterprise network using SIEM, intrusion-prevention systems (IPS) and data-loss prevention tools. In Amazon Web Services, he said, it's possible to collect logs and copy them back to the on-premises SIEM.The benefits are that familiar tools are in use and you can obtain a unified view of both the cloud and the traditional environment, he said. On the other hand, there might be bandwidth restraints that make this hard or that the SIEM tools present "conflicts and incompatibilities" in the cloud environment. Chuvakin said enterprise security managers have to ask the question whether their SIEM tool is "cloud-ready" to collect data, which may be presented in unfamiliar form as instances and dynamic provisioning.

Some SIEM tools are able to make use of specific software-as-a-service APIs as well to collect logs from public cloud services. Tools from IBM and HP ArcSight, for example, can now monitor Salesforce, Chuvakin noted.  

To read this article in full or to leave a comment, please click here

Rommel asked the Utilities forum for advice on cleaning files off a hard drive so that they can never be restored.

When you delete a file, it doesn't actually go away--even after you've emptied the Recycle Bin. The actual bits remain written on the drive until some other disk activity writes over them. Even when you format a drive, the files are still there for those who want and know how to read them.

If you want to truly and securely delete a file, or the contents of an entire drive, you need software that will overwrite the space where the file(s) once sat. Fortunately, several free programs can do this.

[Email your tech questions to answer@pcworld.com or post them on the PCW Answer Line forum.]

To read this article in full or to leave a comment, please click here

Thursday afternoon, a bombshell dropped: Two leading reports claimed that the U.S. government has been spying on emails, searches, Skype calls, and other electronic communications used by Americans for the last several years, via a program known as Prism.

According to the reports, the Web’s largest names—AOL, Apple, Facebook, Google, Microsoft, Skype, PalTalk, Yahoo, and YouTube—participated, perhaps unwittingly. (Dropbox will reportedly be added as well.) The report claims that the National Security Agency had “direct access” to servers owned by those companies. Most, if not all, of those companies have denied participating in Prism, although it’s unclear whether they were unaware of the NSA’s spying, or simply turned a blind eye.

According to The Guardian and The Washington Post, the data covered included: “email, video and voice chat, videos, photos, voice-over-IP chats, file transfers, social networking details, and more.”

If nothing else, however, the Prism disclosure is worrying and deeply shocking. If the report is accurate, the government may simply listen in on virtually any electronic communication you’ve made, in the interests of national security. Is this something that should be encouraged to fight domestic terrorism, or is this sort of government intrusion something that should be deeply distrusted? For the purposes of this story, we’re going to err on the side of the latter; whether you take advantage of our advice is up to you.

To read this article in full or to leave a comment, please click here

You work hard to protect your PC from the malicious thugs of our digital world. You keep your antivirus program up to date. You avoid questionable Web sites. You don’t open suspicious email attachments. You keep Java, Flash, and Adobe Reader up-to-date—or better yet, you learn to live without them.

But against all odds, a clever new Trojan horse slipped through the cracks, and now you’re the unhappy owner of an infected PC. Or perhaps a less-vigilant friend has begged you to clean up a plague-ridden mess.

Obviously, you need to scan the computer and remove the malware. Here’s a methodical approach that you can use to determine what the problem is, how to scan, and what to do afterward to protect the PC from future invasions.

1. Verify the infection

Is the PC in question really infected? I’ve seen people blame “another damn virus” for everything from a bad sound card to their own stupidity. The first step in restoring the system’s health is to determine whether what you’re dealing with is a virus rather than a problem with hardware, software, or user error.

To read this article in full or to leave a comment, please click here

Over the years, many have touted Mozilla’s Firefox as one of the most secure Web browsers. But as with other browsers, the security level offered depends on the settings. Some security features need to be manually enabled. Those turned on by default should still be double-checked.

Follow these five steps to lock down Firefox. Start with the essentials in the browser’s own settings, then choose some useful add-ons. Finally, keep track of your plug-ins so you can patch the inevitable security holes.

Enable a master password

Like other browsers, Firefox by default allows anyone who accesses your computer to log in to sites where you’ve saved the password. And as with Google Chrome, a list of the saved usernames and passwords can be viewed via the Options menu of Firefox.

Eric Geier

Fortunately, Firefox offers a master password feature that encrypts and password-protects the saved password list. When enabled, you must enter the master password the first time you use a saved password, once per browser session. Additionally, even though you enter the master password the first time, you must always enter it before you can view saved passwords via the Options menu. This is a great feature to help prevent casual snooping of your passwords. It even prevents most third-party utilities from recovering them.

To read this article in full or to leave a comment, please click here

Russell Caplan still uses Office 2003, which Microsoft will stop supporting next year. He asked if he will need to upgrade to a more current version.

You probably should upgrade before next April. After that month, Microsoft will no longer provide security updates for Office 2003 (or, for that matter, Windows XP). If someone finds a new vulnerability in one of the programs, Microsoft won't make and release a patch for it. Your copy of Office will remain vulnerable.

[Email your tech questions to answer@pcworld.com or post them on the PCW Answer Line forum.]

How dangerous is it to use old, no-longer-supported software? If the program is obscure, probably not too dangerous. But if it's something that millions use, it can become a tempting target.

To read this article in full or to leave a comment, please click here

There’s nothing you can do if hackers get into a database with your password in it, but you can still protect yourself for all the other worst-case scenarios involving hacking. In this video, we go over ways to make your passwords harder to crack.

First, don’t make it easy on hackers by choosing a common password. Splashdata uses security breaches to gather 'most popular passwords' lists each year. The word 'password', number sequences, and other simplistic phrases or numbers fill the top spots. Also, don’t use your name, a password related to another one you might have on a different site, or a login name.

Instead, experts recommend using 15 characters, upper-case letters, better yet nonsensical words with special characters and numbers inside them.

Need help? Check out some free websites, like Strong Password Generator. This Macworld article on security in the iCloud age also has some suggestions on strong password creation.

To read this article in full or to leave a comment, please click here

For years now I've harangued relatives about their shoddy password practices. Either they use easily-hacked passwords or forget the passwords they've created—sometimes both.

If you won't take it from me, beloved family, consider this Password Day (yes, apparently it's a thing) statement from McAfee's Robert Siciliano: "74% of Internet users use the same password across multiple websites, so if a hacker gets your password, they now have access to all your accounts. Reusing passwords for email, banking, and social media accounts can lead to identity theft and financial loss."

What's the fix? It's easier than you might think. For starters, head to Intel's Password Grader to see just how easily cracked your current password is. (The site promises not to retain any information, though still recommends that you not use your actual password—so maybe just use somethings similar.)

From there you can scroll down to see a simple step-by-step process for making your "hackable" password "uncrackable." (There's a longer and more informative version of this infographic on Sicilian's blog—and it doesn't require you to use the Password Grader if you'd prefer not to.)

To read this article in full or to leave a comment, please click here

We lead rich virtual lives on social networking sites like Google+, Facebook, and Twitter. So what happens when real life catches up, and our flesh-and-blood bodies succumb to mortality? For our virtual selves, at least, some concrete answers are available—ways to settle our digital affairs after death, while minimizing hassle and heartache for loved ones.

Google sets the standard by building a dead man’s switch (one with a gentler name) into your Google account features. Facebook and Twitter also have processes in place for handling accounts of the recently deceased, though they’re somewhat more cumbersome. A few good Web services can help for all other online cases, passing along login information based on triggers you can set yourself.

Google’s dead man switch

Google’s new Inactive Account Manager system is simple to understand and set up. Accessible from your Google account settings page, it helps you set up a time-out period for your account—the length of time you can go without logging in before Google assumes that you’re never coming back. The default is three months, but you can dial it up in increments of 90 days until it tops out at a year and a half. I recommend setting it to at least six months, though you could vary this period based on how often you log in.

A fail-safe is built into the service: One month before the timeout period, Google will send you an e-mail reminder (and an optional SMS message, if you give them a phone number) to make sure you're not coming back. Once your account is inactive long enough to trigger the Inactive Account Manager, Google will send a message to up to ten people notifying them that your account is now inactive.

To read this article in full or to leave a comment, please click here

Two-factor authentication may not be as sexy as the latest Android phone, but the technology is capturing news headlines, and deservedly so. Last week, Microsoft began rolling out this security tool for its some 700 million Microsoft Account users. Tuesday Wired reported Twitter is working on two-factor authentication as well.

It's a security feature that could have stopped hackers at the gate before they seized control of the Associated Press Twitter account, and it's something you should be using to protect your own online accounts, wherever it's available.

So how does two-factor authentication work? In a nutshell, it requires not one but two pieces of privileged information before granting access to an online account.

Let's say you've already set up two-factor authentication for your Google account, and now a hacker halfway around the world is trying to break into your Gmail. He has your email address and even your password, but he doesn't have the second element of the authentication process. In the case of Google accounts, the second element is a unique security code that's sent directly to your cell phone via text messaging.

To read this article in full or to leave a comment, please click here