Another Super Fun Family Utopia Movie Night

Many thanks to the Utopia board members Jo-Ann Forster and
Sean Reichert, who sponsored the Utopia Movie Night including 
the snow cone truck and piles of pizza.
We are all grateful to them for making this night possible.
Many families joined us in the park for an evening of socializing,
movie watching, laughs and just plain fun.

Utopia Park at La Playa and Ventura has been restored


Finally the tree in the park has established roots sufficient to support itself after being nearly destroyed by a hurricane over a year ago. With the help of Ken Daniels and Suzanne Goldstein, the unsightly orange fence has been removed. Many thanks to our neighbors for their help saving the tree and restoring the park to its natural beauty.

Notice: Miami Vehicle Protection Registration Opens


The city of Miami offers free emergency parking for vehicles during hurricanes. One vehicle per household can be registered in advance to receive a free pass for parking in city garages when a hurricane event is announced.

Every year residents are allowed to preregister for the hurricane season. The registration period starts tomorrow, May 1, and ends June 29. Passes are issued on a first come basis while they last.

Many Coconut Grove residents do not have a garage to protect their vehicle and most others need to use their garage to shelter all their yardware (yard art, yard furniture, bicycles, potted plants, etc.). Once a storm warning is announced, South Florida begins its race to protect property and tie down all potential projectiles. Put your plan into action early. Register soon. It's a great program.

Learn more on the Miami Parking website.

Visit the Registration page [here].

How to Protect Against Identity Theft by Using Unique Passwords


So here you are sitting at the beach on the French Riviera. It's June and you have hardly a worry on your mind when your cell phone rings. Your financial advisor asks you if you really want to sell $1.2M worth of stocks, which would cause you to have a huge tax liability. You say, “What? I’m not selling any stocks.” And then you realize your online investment account has been compromised. Someone is selling your assets and transferring cash overseas where you will never be able to retrieve it. Your vacation comes to an immediate end as you start damage control. The good news is you had someone watching your account. But what if you didn’t? This happens more than people realize and much more than banks want you to know. How do you protect yourself?

The path that leads to theft of your identity and your money is a complex web of deceptions. In this article, I will explain some of those vulnerabilities, how evil players compromise your identity, and some steps you can take to protect yourself.

Let me begin by saying that I am not an expert in security nor do I offer professional advice on the subject; but I have a responsibility to protect numerous websites from exploitation. That responsibility has exposed me to many of the best practices in the information technology industry. I see the websites I manage being attacked hundreds of times each day from Russia- and China-based operators. I watch these operators, after getting blocked, change their IP address dozens of times to retry the same exploits.

Most people don’t realize how dangerous the Internet is. It feels safe sitting in your living room typing away on your computer; but it isn’t! There are a lot of bad players out there. They are professional thieves. They are experts at circumventing law enforcement. They operate where US laws have no jurisdiction and everyone is vulnerable. Once you become a victim, there is no magic bullet to restoring your identity or retrieving your money. In actuality, you may find yourself in a multi-year lawsuit against your bank or their insurance company rather than capturing the criminals. I hope you find this article helpful to protect yourself and your family in a world of unchecked cyber criminals.

Exploits and Vulnerabilities

New exploits and vulnerabilities emerge every day and information security is a moving target. Read on to learn some common ways that your personal information gets revealed and exploited by hackers and cyber-criminals.

Your passwords are already floating around on the dark web

That may sound preposterous but it is true. Most people reuse userids and passwords, especially on low risk sites and “throw away” accounts. Some popular sites are in fact vulnerable themselves to hacking. Forbes magazine reported that numerous popular websites including Netflix, Last.FM, LinkedIn, MySpace, dating site Zoosk, adult website YouPorn, as well as popular games like Minecraft and Runescape have been hacked and over 1.4 billion user names and passwords are available for hackers to use in brute force attacks.

Most people get careless with using the throw away logins and expose their personal information. The best protection from this type of exploit is to use unique passwords. I will explain how to implement a system of unique passwords that is easy to use and difficult to crack later in this article.

Brute Force Attacks

Brute force attacks use software to perform thousands of login attempts to websites, social media, and non-financial services. Two approaches are used: (1) decryptors – computer generated combinations of every possible combination of characters like you see in the movies, or (2) database credentials – exploitation of hacked userid/password combinations that are in use on multiple websites. The brute force attack software keeps trying until a login is successful. At that time personal information is harvested. It can include things like your mother’s maiden name, your best friend’s name, your pets’ names, your date of birth, etc. That information goes into the database and the search continues until they get into your email account and bank account. With access to email, criminals can reset passwords on your more sensitive sites, harvest bank information, tax information, and potentially hack your phone. Many times the exploits are made without doing anything to alert the user. The hacker just continues to harvest information until they can get to your bank account and lock you out.

Longer complex passwords slow down the computer generated decryptor attack. Database attacks are prevented by using sufficiently complex, website-specific unique passwords. Website administrators can take aggressive approaches to locking out users who make too many wrong login attempts. At Utopia, we lock out a user immediately for using the wrong user id. This gives hackers no practical chance of ever getting access to the members only site without a correct user id and only a few chances to login with the wrong password.
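The lockout policy described above, sketched in Python as an added example (not the Utopia site's own code). Keying the lock on the client address, the limit of three wrong passwords, and the 15-minute lock are assumptions made for illustration.

```python
import time

class LoginGuard:
    """Unknown user id: lock at once. Wrong password: lock after max_failures tries."""

    def __init__(self, known_users, max_failures=3, lock_seconds=900,
                 clock=time.monotonic):
        self.known_users = set(known_users)
        self.max_failures = max_failures      # assumed "few chances"
        self.lock_seconds = lock_seconds      # assumed lock duration
        self.clock = clock                    # injectable so tests can advance time
        self.failures = {}                    # client -> consecutive wrong passwords
        self.locked_until = {}                # client -> time the lock expires

    def is_locked(self, client):
        return self.clock() < self.locked_until.get(client, 0.0)

    def _lock(self, client):
        self.locked_until[client] = self.clock() + self.lock_seconds
        self.failures.pop(client, None)

    def attempt(self, client, user_id, password_ok):
        """Return 'ok', 'denied' or 'locked'. password_ok stands in for the
        result of a real password-hash comparison."""
        if self.is_locked(client):
            return "locked"                   # even correct credentials are refused
        if user_id not in self.known_users:
            self._lock(client)                # wrong user id: immediate lockout
            return "locked"
        if password_ok:
            self.failures.pop(client, None)
            return "ok"
        self.failures[client] = self.failures.get(client, 0) + 1
        if self.failures[client] >= self.max_failures:
            self._lock(client)
            return "locked"
        return "denied"
```
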

Phishing

Phishing is one of the most prevalent attacks. It is the means by which the Russians were able to hack the Democratic National Convention and John Podesta’s emails. It begins with an email or text message that asks the user to click on a link which installs malware on the host computer. From there personal information such as passwords and bank information is gathered and sent to the hacker.

Be very careful to examine the URL of any links sent to you before opening them. Never install software or open executable objects in an email attachment.

Website exploitation

There are a variety of mechanisms by which a hacker can exploit a trusted website and inject malicious code that compromises the user's computer or personal information. One method of compromising a website is to use upload functions on forms to inject code that then executes on the server. Once a backdoor is installed, the hacker can do many bad things including corrupting the page banner with malware. Website malware can cause visitors to unknowingly install malware on their computers. It can redirect pages to a malware site, install spyware, harvest cookies from ecommerce sites, and much more. Hijacking a trusted website has become a very sophisticated method of spreading malware and infecting client machines.

Antivirus software on your individual computer can protect you from inadvertently installing malware, adware, and spyware on your device. It should be kept up to date as new attacks are released into the wild daily. Website administrators run anti-malware software to continuously scan for and prevent the exploitation of their websites. The Utopia website uses a robust real time scanning system to block malware and exploits.

Phone Port Exploit

Your cell phone is a key device to gaining access to your most secure information. Most banks will grant access to someone with a little personal information who can retrieve a one-time use PIN sent to your cell phone. One of the latest exploits being perpetrated is the “phone port” exploit. The phone port exploit involves someone calling your telecom provider and having your phone number ported over to their “new phone” using information hacked from your exploited websites. Your phone stops working and within minutes, all your websites and email are attacked, especially those with mobile phone two-factor authentication.

You can protect yourself from the phone port exploit by contacting your cell phone provider and setting up a secret passcode that must be provided before your phone can be ported. This protects you if your phone is lost or maliciously hijacked. Using a screen lock on your phone is also key to preventing a lost phone from being compromised. Several anti-virus companies also provide the ability to remotely take control of your phone from a trusted computer and execute a full wipe of data in the event of a lost or stolen phone.

Password Security – Best Practices

Best practices on password security are constantly evolving. The latest thinking on password security involves pass phrases and password managers. Longer passwords are considered much better than complex passwords (special characters, numbers, and upper/lower case letter combinations). Also, changing passwords frequently is considered a vulnerability threat as the new passwords tend to be minor modifications of the old ones, making them easier to guess if compromised. So here is what you can do.

Password Manager

Password managers are great for creating a unique password for every website but they are subject to being hacked on the “managing device”. Additionally, if you need to access a website from a new computer you will never be able to guess the password to log on without accessing your password manager. Your password manager should never be used on a public computer. So it is necessary to consider how often and where you will need to access your secured websites before deciding on a password manager. Most browsers now have built-in password managers that can be synchronized across several devices you may use. The key here is to make sure the password to the password manager is very secure. A password manager will ask you for the master password when you start your online session. It will then generate long, complex random passwords whenever you sign up for a new site and it will provide that password to the login whenever you visit the site using the browser with the password manager activated. The benefit is very secure passwords you don’t have to remember. It works well when you only use a limited number of trusted computers.

Pass Phrases

Pass phrases help you remember long, non-dictionary passwords that others will not easily remember. Pass phrase passwords (PPPs) are created by using a base pass code and then making it unique based on the website. Here is one example. You create a phrase that is easy to remember like “the sun will always rise in the morning”. The base pass code is created by the first letter in each word of the pass phrase “tswaritm”. This is now a non-dictionary text string that forms the base of your passwords. It is easy for you to remember. Make it more complex by adding a special character and a number. The special character can be anything you like. For this example I’ll use an asterisk “*” and the number will be the last number in my birth year “5”. So this is my complex base pass code “tswaritm*5”. Now to make it unique to the website let’s try picking some letters out of the URL. Let’s choose to capitalize the second, third, and fourth letters. So here goes the unique password for amazon.com “tswaritm*5MAZ”, or the code for cnn.com “tswaritm*5NNC”. Now you have a scheme to create and remember a UNIQUE, complex password for every website you visit. It’s not as easy as a password manager but you’re not tied to a specific device.
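The scheme above as a short Python sketch, added here as an illustration and not the author's own code; the function names are hypothetical, and letters are counted without the dot, as the cnn.com example implies. It also shows that every password the scheme produces starts with the same base pass code, so that base deserves the same care as a password manager's master password.

```python
import os
import re

def base_code(phrase, special, digit):
    """First letter of each word of the phrase, then the special character and digit."""
    initials = "".join(word[0].lower() for word in phrase.split())
    return initials + special + digit

def site_suffix(site, positions=(2, 3, 4)):
    """Upper-cased letters at the given 1-based positions of the site name,
    counting letters only (so cnn.com -> c, n, n, c, o, m)."""
    letters = re.sub(r"[^a-z]", "", site.lower())
    if len(letters) < max(positions):
        # Edge case: very short names do not have enough letters to pick from.
        raise ValueError(f"{site!r} has too few letters for positions {positions}")
    return "".join(letters[p - 1] for p in positions).upper()

def site_password(phrase, special, digit, site):
    """Base pass code followed by the site-specific suffix."""
    return base_code(phrase, special, digit) + site_suffix(site)

def shared_prefix(passwords):
    """Leading characters common to every password: the reused base pass code."""
    return os.path.commonprefix(list(passwords))

# Values taken from the article's worked example.
PHRASE = "the sun will always rise in the morning"

if __name__ == "__main__":
    pws = [site_password(PHRASE, "*", "5", s) for s in ("amazon.com", "cnn.com")]
    print(pws)
    print("shared by every site:", shared_prefix(pws))
```
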

Other Best Practices to Safeguard Your Identity

  • Use two-factor authentication on sensitive websites but protect your phone from the phone port exploit (above)
  • Create a strong passphrase based password and change it occasionally or if it gets compromised
  • As a precaution, change your passphrase and passwords anytime one of your credit cards is compromised
  • Never write down your password or pass phrase
  • Never speak the password or pass phrase
  • Never share passwords or pass phrases
  • Use anti-virus and anti-malware software on all your devices
  • Set up a remote wipe capability if your phone is ever lost
  • Do not use dictionary words, names, or pet/child names in your password
  • Use screen locks on your phone and consider the fingerprint lock to prevent someone from seeing your unlock pattern
  • Never enter your password while someone is watching
  • Physically cover the lens to any camera attached to your computer when not in use. Disconnect the microphone.
  • Always use a secured, password protected, router with anti-hacking firewall behind your Internet modem
  • Do not click on suspicious links in email or text messages
  • If you find yourself on a website that locks your computer or demands money, unplug your computer immediately, disconnect from the Internet and run a full anti-virus scan on startup. Restart and scan twice before reconnecting to the Internet.
  • Do not put bill payments with a signed check in your mailbox; put them in a secure mail drop.
  • Shred bank statements, credit card statements, brokerage statements, and other financial documents with account numbers or social security numbers.
  • Check your credit report at least once a year from each credit reporting service, stagger the requests throughout the year
  • Never send money based on a strange email from a friend or relative
  • Never give anyone information to access your bank accounts
  • Never respond to threatening calls from the IRS demanding payment. The IRS will write you a letter long before they call

Happy and safe computing…