TOR, AKA “The Onion Router”, is described on their web site as follows:

Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

But several security issues have been raised recently with the TOR, and a number of security professionals believe TOR should not be relied upon to provide secure communications or anonymous web browsing.

In fact, TOR provides this warning on their download page:

Warning: Want Tor to really work?
…then please don’t just install it and go on. You need to change some of your habits, and reconfigure your software! Tor by itself is NOT all you need to maintain your anonymity. There are several major pitfalls to watch out for.

Tor only protects Internet applications that are configured to send their traffic through Tor — it doesn’t magically anonymize all your traffic just because you install it. We recommend you use Firefox with the Torbutton extension.

Browser plugins such as Java, Flash, ActiveX, RealPlayer, Quicktime, Adobe’s PDF plugin, and others can be manipulated into revealing your IP address. You should probably uninstall your plugins (go to “about:plugins” to see what is installed), or investigate QuickJava, FlashBlock, and NoScript if you really need them. Consider removing extensions that look up more information about the websites you type in (like Google toolbar), as they may bypass Tor and/or broadcast sensitive information. Some people prefer using two browsers (one for Tor, one for unsafe browsing).

Beware of cookies: if you ever browse without Tor and Privoxy and a site gives you a cookie, that cookie could identify you even when you start using Tor again. You should clear your cookies frequently. CookieCuller can help protect any cookies you do not want to lose.

Tor anonymizes the origin of your traffic, and it encrypts everything inside the Tor network, but it can’t encrypt your traffic between the Tor network and its final destination. If you are communicating sensitive information, you should use as much care as you would on the normal scary Internet — use SSL or other end-to-end encryption and authentication.

While Tor blocks attackers on your local network from discovering or influencing your destination, it opens new risks: malicious or mis-configured Tor exit nodes can send you the wrong page, or even send you embedded Java applets disguised as domains you trust.

Also, the ‘exit servers’ on the TOR network can easily be compromised, and all traffic through an exit router can be misused, as evidenced in the following article:
http://www.securityfocus.com/news/11486?ref=rss

In other words, even if you use TOR, secure communications requires careful configuration and the use of encryption and a secure pipe, such as SSL or VPN. And, as evident in the above article, you may indeed be less secure using the TOR network than when using other means of secure communications because TOR may give users a false sense of anonymity or security.

For secure email, we recommend using an email service that allows full SSL encryption for the entire session, not just the login page. And if you use email through a hosted web site, we recommend that you contact the host and ask if their email is secure or can be made secure. Many cannot.

We recommend any of the following options:

• HushMail, is one of the best.
• Alternatively, Gmail can be made secure if you log in using SSL, as in “https://gmail.google.com”.
• Or set up an Exchange Server account. We recommend Mailstreet, and use it locally or online.
• Or use a secure email installation on your computer. We recommend Ciphire Mail. (for maximum protection, both sender and reciever must be using Ciphire.) Ciphire can secure email using most any email client, such as Outlook.

Computers that have been compromised and turned into remote control attack machines, otherwise known as Zombies, are becoming a significant problem.

These compromised computers are being used to attack a variety of Internet servers in a number of countries. These attacks can shut down web sites by overloading their servers with traffic.

For more information:

CypherTrust.com is a good source of information about Zombies and other security threats.

The title of this blog pretty much says it all.

Don’t Fall for the Old IRS Refund Email Scam.

The IRS does NOT contact taxpayers this way.

For more info: PCmag

We highly recommend Spybot Search and Destroy to our readers.

Not because it is the best anti-spyware on the market, but because of it’s Immunize function, which uses practically no computer resources to effectively prevent the installation of thousands of malicious items. (We do also recommend periodically using the scanner, but here is so much spyware out there that it seems that no program is able to get it all, and therefore we recommend using a variety of anti-spyware applications.)

And believe us, when it comes to malware, an ounce of prevention is worth a pound of cure.

Therefore we strongly recommend installing the new and improved version of Spybot, version 1.5.

We recommend downloading this program from the creator via the download options provided:

http://www.safer-networking.org

Do you help friends and/or customers with their computer problems?

Tired of spending hours on the phone trying to fix some complex software issue?

There is no substitute to seeing what they see, first hand. You can work faster, and they can watch and maybe learn a thing or two.

To see things first hand, you either have to physically be at their computer, or you have to use a “remote access” utility. For this, you have several options, including Microsoft’s “Remote Assistance” utility. Unfortunately, “Remote Assistance” has problems connecting through some firewalls, and requires either a functional email program or Windows Live Messenger. Once the connectionis established, Remote Assistance works quite well.

We recommend two “free” alternatives. Perhaps one of these will fit your needs.

#1 - LogMeIn, found at logmein.com

LogMeIn has the advantage, once the client is installed, of being able to access remote computers (or your computer) without user intervention. It has the disadvantage of not being able to do two-way file transfers.

#2 - CrossLoop, found at crossloop.com

CrossLoop has the advantage of being able to do file transfers, but is has the disadvantage of requiring user intervention at the other end. (For some users, this may be an advantage if they don’t want to allow unlimited access, and therefore CrossLoop may be more suitable to customer support). It makes it kind of tough if you want to access your own computer.

Security:
Both use a secure connection. But both require a very secure password or pass phrase in order to prevent unauthorized access. Plus CrossLoop requires the user at the other end to accept assistance, and they have the option of only allowing viewing access, or full remote control access.