Alexander’s Blog

AVG AntiVirus is a free and popular antivirus application that people have been using on their desktop computers for years to protect their desktop operating system, such as Windows XP or Windows 7. Did you know that AVG also has an Anti-Theft Service for Android devices? Here’s how it works.

1. Download and install the AVG AntiVirus software from the Play Store on your Android device.
2. Once you have configured the software for protection, performance and privacy, click on the Anti-Theft icon to activate the service.
3. You will receive an e-mail from AVG that your service is activated, along with the instructions on how to use this service.
4. Go to any computer and visit AVG’s Anti-Theft Web page at http://www.avgmobilation.com/anti-theft.
5. Login with your Google account. Select the appropriate option, such as Shout, Locate, Lock, Unlock, Wipe, or Scan.
6. You can use the Shout option to make the device sound an alarm. Essentially, this will play a ringtone on the device. This can come handy if you can’t find your smart phone in your house and there is no other phone in the house to dial your number.
7. When you use the Locate option, it can take several minutes to locate the phone and will give you its proximity in a Google map.
8. The Lock option can be used to lock the device remotely so others can’t use it. This will require someone to enter the password that you will enter. This password is a temporary password and has nothing to do with any other password on your device or Gmail account.
9. You can use the Unlock option to send the unlock command to the device but it can’t actually unlock your device remotely. You must enter the password you provided when you used the Lock option to unlock the device
10. Using the Wipe option will wipe your Android device remotely. Needless to say, I didn’t try this feature and will have to trust AVG that it works.
11. If you select the Scan option from a desktop computer, within seconds your Android device will start scanning your computer for security threats. This is the same action that you can take from the AVG mobile application on your Android device.

Does the Service Work?

So what about security and does this Anti-Theft service really work? In my tests, I found that the application works for the most part and can be useful to lock a stolen device remotely (and potentially wipe out the device, which I didn’t try). The features work, except that the first time I used the Locate feature, it didn’t even come close to the actual location of the device. While my smart phone was in my had, it showed that my device was located in a different zip code about 10 miles away from me. After a while it did show the exact location, so decide for yourself if this is good, bad, or ugly.

Another weak point that I discovered is that the application itself doesn’t use Secure Socket Layer (SSL) to encrypt the pages on the Web site. This surprised me. A company that makes AntiVirus software should be securing pages where customers are entering passwords and working on Anti-Theft software. In other words, you are using AVG’s unsecure page to secure your Android device. Really? This makes no sense.

Not only the Web site is unsecure, the password that you provide to lock the device can only be 4-6 characters. In other words, the password you provide is going to be very weak. While this may be good enough to keep an average “Joe” out, it won’t be good enough to keep a serious hacker out.

Hopefully, over time AVG will improve this application. It’s a good start but in my opinion the application appears to be more for fun and games than to offer a serious anti-theft service……mainly due to the quality of service and the fact that AVG doesn’t offer encryption to use a security software on their Web site. As I mentioned already, it does seem to get the job done for the most part so I am not ruling it out as a totally useless application. I believe it needs work to offer better reliability for locating the device and also needs some security improvements. After all it is a security application.

---

Copyright ©2013 Zubair Alexander. All rights reserved.

By now you may have heard of all the warnings and bad things that can happen if you have Java installed on your computer, like having your credit card or other personal data stolen, identity theft, and spyware installed on your computer after you are redirected to certain sites. Even Department of Homeland Security (DHS) issued a warning in January to disable Java. This is rather unusual because DHS doesn’t usually go around telling people what they should remove from their computers.

Before I tell you how to disable Java, I want to make it clear that Java is not the same thing as JavaScript. They may sound similar but they are two different things.

Difference Between Java & JavaScript

Oracle’s Java is a programming language while JavaScript is a scripting language developed by Netscape and is not part of the Java platform. JavaScript is used inside HTML pages to enhance its functionality and can make your Web pages do things that HTML code won’t let you do by itself.

According to Java.com here are the key differences between Java and JavaScript.

Java is an OOP programming language while Java Script is an OOP scripting language.

Java creates applications that run in a virtual machine or browser while JavaScript code is run on a browser only.

Java code needs to be compiled while JavaScript code are all in text.

They require different plug-ins.

Disabling Java

So now you know that we are concerned about Java, and not JavaScript.You can disable Java on individual browsers, or you can disable Java for all the browsers. I personally prefer to disable them on all the browsers. I use Firefox, Internet Explorer and Chrome on a daily basis on the same computer. If you want to disable Java on an individual browser, for example, Chrome, you can type chrome://plugins, click Disable and then restart the browser. In Firefox go to Add-ons, locate Java platform, disable it and restart the browser. In Internet Explorer it is not easy to disable Java. In fact, even if you go to Java Web site and check if you have Java installed in Internet Explorer, don’t believe it as gospel truth. You can read this InfoWorld article for more information: Disabling Java in Internet Explorer: No easy task. Frankly, besides Internet Explorer, other browsers can also lie and tell you that Java is not installed, when it is.

The security warning issued by DHS was related to all versions of Java 7 through Update 10. Java 7 Update 11 sets the default Java security settings to “High” so that users will be prompted before running unsigned or self-signed Java applets. The latest version is of today is Java 7 Update 13. With all the issues with Java I believe it is best to disable Java altogether on all the browsers. Period!

NOTE: Even after Oracle claimed that they have fixed the problem that prompted DHS to issue a security warning, DHS still insisted that we should disable Java.

Disabling Java in Internet Explorer

1. If you don’t already have Java installed, install the latest version of Java. I know, I am asking you to install Java but you can’t kill the beast if it doesn’t exist. So first you need to install it and then disable it. This will be good for you in the long run. As of today, the latest version of Java is Java 7, Update 13.
2. Windows 8/7/Vista: Go to Control Panel and search for Java. Double-click to open the Java Control Panel.

   NOTE: On 64-bit Windows computers you can also get to the Java Control Panel by using this command at Start, Run: c:\Program Files (x86)\Java\jre7\bin\javacpl.exe. On 32-bit Windows computers, use the following command: c:\Program Files\Java\jre7\bin\javacpl.exe.

   Windows XP: Go to Control Panel and double-click to open the Java Control Panel.

3. On the Security tab, uncheck the box Enable Java content in the browser. This should disable Java on ALL your browsers, even though it doesn’t say that on the screen. This will provide the highest level of security and none of the Java apps (singed or unsigned) will run in your browser. This is the method I prefer.

   

4. Restart your browser, or as a best practice I recommend you restart your computer.
5. To verify that Java is disabled, go to the Java verification site in each browser and verify that you don’t have Java running.

Disabling Java on Macs

For instructions on how to disable Java on Macs, visit JavaTester.org. You will find some very useful information on this site. Among other things, you can also check whether JavaScripting is working in your browser. Remember, you want to disable Java, not JavaScript.

Possible Consequences of Disabling Java

The potential drawback of disabling Java can be that some Web sites won’t display menus properly, or you may not be able to see the stock prices, weather updates or some ads. Frankly, most of us don’t care about this stuff. Even if you do, in my opinion disabling Java far outweighs the benefits of seeing ads or weather updates on different sites.

TIP: If you must use Java because you feel your life is completely miserable without Java and you had some great luck skiing in the avalanche season and skating on thin ice then enable Java in the latest version of Chrome or Firefox, rather than Internet Explorer, because they give you more control on when to run Java on specific pages.

Have I experienced any negative consequences by disabling Java in all three of my browsers (Firefox, Internet Explorer, and Chrome)?

No.

There are some major differences between Microsoft Threat Management Gateway (TMG) and Microsoft Unified Access Gateway (UAG). The two products are completely distinct and do not share any code. However, if you install UAG, it will automatically install TMG and if you remove UAG it will automatically uninstall TMG. So they are definitely linked in certain ways. TMG can be installed on Standard, Enterprise or Datacenter editions of Windows Server 2008 SP2 or R2. UAG can be installed on Windows Server 2008 R2 (Standard or Enterprise).

TMG is a software firewall. Unfortunately, it will go away in future as Microsoft doesn’t seem to have any plans for its renewal. However, it will be supported until April 14, 2015 and won’t completely disappear from the scene until April 14, 2020. UAG is also going to be a dead duck. I would love to see Microsoft sell these Forefront products to another company that can turn them into a more useful solution, rather than making them disappear altogether.

The following are some highlights to give you some insight on both these products. This is not a comprehensive list by any means. It’s just something to help you figure out which product might be the right choice for you.

For more information check out this article on TechNet.

Facebook is facing yet another class action lawsuit for tracking people even when they have completely logged out of their Facebook account. This new lawsuit alleges that Facebook violated the federal wiretap laws.

As if facing lawsuit in several states wasn’t bad enough, Facebook is now facing a federal lawsuit. The lawsuit filed in the U.S. District Court for the Northern District of California accuses Facebook of violating it’s own privacy policy. According to Facebook’s privacy policy they are not supposed to track people’s post-log-out activity. People have argued that even after constant complaints Facebook continues to ignore this issue.

Facebook is notorious for not only privacy violations but also security-related issues. The term “Facebook privacy” is considered an oxymoron and Facebook security has been a joke for many years. Did you know that Facebook’s CEO Mark Zuckerberg’s fan page was hacked in January 2011? Because social networking is currently a fad, people will continue to use Web sites, such as Facebook, Twitter, and MySpace and unfortunately suffer the consequences if they believe anything they post can be kept confidential. It can’t. Using a social networking site and expecting to be safe and secure is like taking a shower and expecting to stay dry. It’s not going to happen. The only sure way to keep your privacy is to not post confidential information on any social networking site. Period!

According to a study 40% of all Facebook profiles are fake. In fact, Facebook removes 20,000 profiles every day. Researchers at VeriSign’s iDefense group discovered that a hacker stole 1.5 million Facebook accounts and was selling usernames and passwords in an underground hacker forum for $25-$45. Imagine how many of those 1.5 million posted their full name, business (or personal) address, phone number, hours of operation, and of course pictures on Facebook. Obviously, identity theft is a serious concern for Facebook users.

Facebook is expected to reach 1 billion user profiles in August of 2012. That sounds pretty impressive. Never mind the fact that 400,000 million of those user profiles are likely to be fake. Chances are Faceboo0k will continue to face class action lawsuits and people will continue to use Facebook, even though according to a survey 60% of Facebook members threaten to quit in 2010 over privacy concerns.

It’s always a challenge to find the right anti-malware tool that you can proudly recommend. Besides anti-virus software, over the years I have used tons of anti-spyware tools. There were times when I used 4 different tools because no single tool was good enough to protect my PC from every spyware. At one point Windows Defender proved to be a very reliable tool but it only protected my PC from viruses, not spyware.

Microsoft then came out with Microsoft Security Essentials (MSE), which is a free tool. It includes protection from viruses, spyware, and other malicious software. You can download MSE at no cost here.

Mandatory Joining of SpyNet Removed (Great! Right? Not really)

When Microsoft Security Essentials (MSE) came out, a lot of experts were really impressed by the product. MSE protects your PC from antivirus as well as anti-spyware. However, the thing I didn’t like about MSE was that Microsoft decided to make it mandatory for people to send their personal information to them if they chose to install MSE. Microsoft legal department must have taken the day off when Microsoft released MSE, or else they would have something to say. Believe it or not, Microsoft forced everyone to join SpyNet and gave us only the following two choices.

Choice #1: You must agree to have information automatically collected and sent to Microsoft, including your personal information.
Choice #2: You must agree to have information automatically collected and sent to Microsoft, including your personal information.

That’s right. Those were the only two choices. You could either send “some” information to Microsoft or you could send “a lot” of information to Microsoft. The two choices included:

Basic Membership: You agree to send some information to Microsoft.
Advanced Membership: You agree to send a lot of information to Microsoft.

In either case Microsoft warned us that we might be risking our privacy because our personal information might be unintentionally sent to Microsoft, as I pointed out in this article. I also said at that time that “I believe if enough people complain then Microsoft will add the third option of opting out of Microsoft SpyNet.”

During that time I refused to recommend MSE to my clients and removed MSE from my PCs. Then finally someone at Microsoft realized that “force feeding” of personal information to Microsoft may not be a good idea. Or perhaps enough people complained that Microsoft decided to change their policy.

Below you will find the old and the new screenshots showing the option for joining SpyNet.

Old Screen:

New Screen

The Penalty for Not Joining SpyNet

If you think you are forgiven by Microsoft for not joining SpyNet, think again. Now if you decide to opt out Microsoft will penalize you by not alerting you if unclassified software is detected running on your computer. While giving us the option to opt-out is great but penalizing us for not joining SpyNet is not. I will say the same thing I said back in 2010 that if enough people complain then Microsoft might change its mind and remove the penalty imposed on the consumers. But for now, if you like the software, you have to agree to suffer the consequences. I guess there is no such thing as a free lunch.

A Good Overall Anti-Malware Solution

When Microsoft removed the forced joining of SpyNet, I started to recommend MSE to everyone and have installed it on all my clients. I know, I agree to the penalty because I didn’t join the SpyNet but I love this product. I prefer MSE over the competitors, such as AVG, Avira, and Avast. The MSE reviews have always been great. Check out Fred Langa’s recent review of MSE. He did a great job of running various tests on antivirus software packages and came up with the conclusion that MSE was once again one of the best overall anti-malware tool out there (see screenshot below). Okay, I won’t speak for him but that’s my own conclusion. I encourage you to read his complete Windows Secrets article here and decide what you think.

MSE is supported on Windows 7, Windows Vista (SP1 or SP2), and Windows XP (SP3).

Microsoft Security Essential free download link

Free Antivirus Tool Recommendation

Currently I prefer the following free antivirus tools. Keep in mind that MSE is more than an antivirus, it protects you from viruses, spyware and other malware, while ClamWin is strictly an antivirus solution.

1. Windows client operating systems (Windows 7/Vista/XP): Microsoft Security Essentials
2. Windows Server (2008/2003): ClamWin
   (ClamWin is also supported on Windows 7/Vista/XP/Me/2000/98)