Tame the FUD Factor!

Thursday, March 21, 2019

Who is watching whom?


With the advent of the ‘Internet of Things’ IoT (internet connected devices), the average consumer is likely to have multiple devices in their home, office or on their person that are capable of surreptitious surveillance, without being aware of it. One of the more high profile examples of this was the recent Apple FaceTime bug that would allow anyone to activate the microphone and camera in your iPhone or iPad without your permission. While Apple released a patch for this bug within a few days of it being made public, how long this bug existed and may have been exploited is unknown. If you have an Apple device, please make sure you have installed this update, and if you do not use FaceTime, disable it.

Unfortunately, the FaceTime bug is just one of the many exploits that we know about. Any internet connected OR wireless device (think baby monitor) in your office, home, car, coffee shop or on your person is vulnerable to exploitation. To make this problem worse, some of these devices come pre-configured for ease of installation with default settings that either cannot be changed or that the user does not bother to change. This allows anyone with very basic knowledge to gain access to and control those devices. Additionally, some of the older devices (3+ years) have very basic (if any) security and do not have the option to be upgraded (built-in obsolescence).

So, what does the average consumer do? If you do a web search for ‘how to protect yourself from the internet of things’ you will find a LOT of articles. Unfortunately, most of them use terminology and give recommendations that can be daunting for many. One of the better articles that gives some common sense advice is this one from Lifehack. While some of these may require enlisting the help of a family friend or local geek, at a minimum we suggest you make an inventory of your connected devices (tip #1), so that you at least know what is at risk and can potentially mitigate your exposure.
Did you know? If you have an Amazon Alexa or a Google Home device, then you have a built-in, always on, microphone (and possibly camera) listening/watching and recording everything within range, 24x7. George Orwell would be so proud! If you have an Alexa and want to really be freaked out, log in to your Amazon account and you can review and listen to all of the recordings it has made – and fortunately, delete them. Perhaps Jeff Bezos should pay a bit more attention to his own personal internet security…?

I love technology and have many IoT devices (including Alexa, which I turn off when not in use and restrict to my office), but I always assume that any of these devices has the potential to ‘go rogue’. As such, I am cautious about not only what I use but where I install it, to help me manage the failure points.

Tuesday, February 26, 2019

Back(up) to the basics


While the primary focus of these articles to date has been on cybersecurity, there is another aspect of protecting your information that is of equal importance – the regular and secure backup of your ‘digital data’ (files, photos, etc).

While hacking gets the majority of the headlines, the average user is more likely to lose some of their important information due to something much more banal: a simple equipment failure. Think of those files and photos that are on your home computer and mobile devices – what would happen if they were stolen, damaged or your device simply failed? Do you have a recent backup of this information AND know how to restore it? If so, congratulations, as you are in the 10% club. The vast majority of users do not regularly back up their important stuff, and when tragedy strikes, they are faced with permanent loss or paying a data recovery service ‘big bucks’ to try and get their stuff back.

If you are using all Apple devices and have everything backed up to iCloud then congratulations, you are a step ahead of most. My only recommendations to you would be to:
  1. Confirm everything important is truly being backed up
  2. If you have multiple devices, do a test restore of some random files
Odds are, your photos, music and phone numbers are being backed up, as those are handled with minimal user intervention. But what about important files that may be on another device that isn’t connected to iCloud, or physical paper that exists only in a file cabinet in your home? Periodically, do a gut-check – assume your house is destroyed in a fire and all of your contents, including all of your smart devices, are lost. Now what? Not sure? Then ask an expert so you know what options are available to you and have a recovery plan. Make sure you know your AppleID/login information so you can purchase a new iPhone, iPad or iMac and quickly begin the recovery process.

For the myriad non-Apple or mixed environment users, we (I’m one of you) must do something different for our other non-Apple stuff. If you are a mixed Apple/Windows user, you may want to consider using iCloud to back up your Windows data. While it’s not quite as simple as using it on your i-Devices, it is still pretty straightforward. The only downsides are: 1) it will only back up files (not applications) and 2) the cost. The price per GB of data for iCloud is on the high side when compared to other vendors.

Other options:
Google – personally, I save all of my photos to Google, even those on my Apple devices (there’s an app for that!). Why? Because it is unlimited and totally FREE. (High resolution files are downsized, but for everyone but photo buffs this is probably ok. You do have the option to save files of any resolution, but those count towards your file usage totals.) I also keep all of my regular files in Google Docs (Word, Excel, PDF) – and I can access them from anywhere on most any device. I also scan all of my important ‘physical paper’ and upload those to Google Docs as well. Another benefit is I can share any of these files and photos with anyone at any time. Google gives you 5GB for free and additional storage is available at a reasonable cost.

What neither Google nor iCloud can do is backup my actual Windows operating system and all of its applications, settings, etc – all that stuff I’ve spent years installing and configuring. To lose that would be a major PITA, so I use a different option for that.

There are a number of cloud-based backup options that are both inexpensive and very easy to use. Which one is ‘best’ depends on your particular needs. If you do not have a lot of installed applications on your computer and most of what is important is individual files, then iCloud or Google Drive may be sufficient for your needs. If, however, you want to back up EVERYTHING on your computer, then consider one of the following:
  1. Veeam FREE backup for Windows: https://www.veeam.com/windows-endpoint-server-backup-free.html   This is what I use personally and I have also used their enterprise product for many years. It is truly the best of the best. However, this does require that you create these backups on REMOVABLE media, which you periodically store somewhere else. Why? Because backing up your data onto the same computer doesn’t help you in the event of fire or theft. It is also possible to store this backup in the cloud, if it’s not too large and/or you have a fast internet connection.
  2. There are also several cloud-based options that can automatically back up everything, even your operating system. The major drawback to this is recovery time. The more stuff you have on your computer, the longer it takes to back up and the longer to download/restore in the event of loss. Some also provide an option to send you a recovery device (for an extra fee). This is a recent review of some of the cloud-based backup solutions: https://www.tomsguide.com/us/best-cloud-backup,review-2678.html
In summary:
  1. Do an audit – identify what you do not want to lose and how much space all of that ‘stuff’ requires.
  2. If what’s important to you is just files and photos, then iCloud, Google or any of the cloud-based solutions will do a great job.
  3. IF you want to back up EVERYTHING on a computer (PC or Mac), then consider Veeam (if Windows) or those cloud-based solutions that offer a ‘full system restore’. Don’t forget to review their recovery instructions and save that information somewhere you can find it, if needed.


Wednesday, February 6, 2019

Weapon of Mass Persuasion


In an October 2018 speech, Apple CEO Tim Cook spoke on what he believes are the wonders and dangers of technology. A summary of that speech was detailed in this INC online article and the one statement they identified as among the more significant was:
“Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency.”

The entities utilizing and ‘weaponizing’ our personal data aren’t just ‘bad actors’, but legitimate companies and services we use every day. Every website you visit with an ordinary browser has the capability to track each and everything you do on that website – and most DO! Additionally, your internet service provider also knows a lot about your internet behavior, and many save and sell that information as well. While most of us are aware that websites track our usage, what we do not know is the specifics of that monitoring and what they do with it.

Some of the major companies (Google, Apple, Facebook) now provide methods for you to view and delete some of this data – emphasis on SOME. Without using tools like an anonymous browser and a Virtual Private Network (discussed in our Cybersecurity 102 seminar), we will always leave traces of our internet behavior for others to mine and potentially use. Information that is on the Internet, STAYS on the Internet, but unlike Las Vegas there is absolutely no guarantee of privacy.
Other than pulling the plug and living like it’s pre-1990 once again, what can one do? [Once again, our Top 3…]

1. Pay more attention to your online activity. Not only the websites that you visit, but what information you provide them. [ Did you know that if you type information into a web browser – even if you do not press a button – all of the information you type can be captured and saved? ] Avoid giving personal information whenever possible – be a passive viewer / reader vs a participant.

2. Use a different email address for your non-personal contacts. It only takes a few minutes to create a free new email account in Gmail and you can forward all of them to your main email. Get a free Google Voice number that you use when a phone number is required. Most of us keep our cellphone numbers forever; don’t make it easy for the Robo callers to get yours.

3. Use your browser in anonymous mode. All of the major products have an option to run in a mode that will limit some of the activity that can be tracked by the websites you visit. However, this does nothing to prevent your internet service provider from knowing which websites you visit. If you want to take this to the next level, get the free Brave browser for your desktop and mobile devices. Brave has a number of interesting features that work to protect you and your privacy, including the ability to use TOR (the Onion Router). [ See this article for more information on TOR.] If you really want to take it to the next level, then use Brave along with a VPN (we recommend Nord VPN). Those two together will give you a much higher degree of online security – but only if you also avoid freely giving your personal information when you visit websites.

Remember that nothing is 100% secure on the internet so always remember to monitor your accounts on a regular basis. Security is inconvenient, but the alternative is much worse.

Thursday, December 6, 2018

Monitoring your Credit – Should you Lock or Freeze?

In my Cybersecurity 101 post I discussed the top 3½ things you should do to improve your security online. One of these was to regularly monitor your credit using Credit Karma so you would know if your credit score was changing and more importantly if someone had queried the credit agencies outside your knowledge. One of the first indications that your identity has been compromised may come from inquiries against your credit.
Earlier this year, the U.S. Congress modified consumer protection laws requiring all three of the major credit reporting agencies to allow all consumers to freeze and thaw their credit for FREE. While this is a good thing, it is important to understand the benefits and limitations that come with freezing your credit. The benefit is easy: Once your credit is frozen at all three agencies, NO ONE (see exceptions at end)—not even you (or Credit Karma)—can access your credit in any form or fashion, and this protection is enforced by federal law, meaning should someone gain access, then the credit agency would have some explaining to do.
On the surface, one might think it’s a no-brainer, I will just freeze my credit until I need it, thinking they don’t plan on applying for a loan or refinancing their mortgage (especially with rates going back up). Just freeze it and forget it, right? Unfortunately, our credit information is being accessed more than we might think. If you apply for insurance, even a new quote on your homeowners or auto, many insurance companies will first query your credit and base your rate on that score. If they cannot access your credit, they may or may not tell you that. They may simply quote you a higher rate. The online instant quotes many times do this (I’ve tested it). You may be shopping in a new store and they have a great offer if you sign up for one of their credit cards. You fill out the form and the associate comes back in a few minutes and whispers to you, “I’m sorry but your credit was denied.” (Been there done that.) They don’t know that your credit is frozen, only that the automated process they use denied it. Employers many times will make a credit check part of their pre-employment as well as ongoing employment checks, and there are many more.
Even if you are very internet savvy and think you can just hop online whenever you need and quickly thaw your report, you should know that you must do this for all three agencies, each time and they do not make this an easy process. I personally used to believe this and locked our credit for three years. During that time, I had to thaw it no less than seven times and each time it was painfully frustrating—and I’m a geek! During this freeze/thaw process, I had the distinct impression they purposefully make it difficult and frustrating on purpose, because if your credit is frozen, they cannot sell it. After three years of irritation, I stopped freezing our credit and just monitored it with Credit Karma.
However, they do make locks very easy to use; they even have smartphone apps that allow you to lock and unlock with a simple “push of a button.” Great, you say, “I will just lock my credit and unlock on demand.” But what exactly is a credit lock? Well, none of the agencies make this really clear. What is clear is that when your credit is locked (not frozen), it is not protected by federal law, so if someone does access your information and steals your identity, you have no recourse with the credit agency. Another major difference is it appears that when you lock your credit, the agencies can still sell your information to third parties (credit card companies), but all three do state that hard pulls, the type of inquiry performed when applying for credit, are not allowed.
So, which, if either, is right for you? This recent article on Nerd Wallet gives some good examples that we would recommend you use as guidelines. [Note, this article states the Experian lock option is only part of a paid plan, but I have found that no longer to be the case. They do have a free option.]
Regardless of which option you choose, I do recommend that you sign up for a free account on all three services and go through at least the lock/unlock process so you will know how to do it quickly, should the need arise. If you are feeling industrious, go through the freeze/thaw process once as well. Make sure you save your PIN (currently only required on Experian) in your password manager as you cannot thaw or remove the freeze online without it. All of the credit agencies currently require additional steps to freeze/thaw that are not required with locks, and the processes are separate, meaning you cannot perform the lock and freeze on the same website/login, which is what can make this process even more frustrating.
Hopefully, Congress will go one step further and make this a one-step process where you can lock or freeze your report with one agency and they are required to report it to the other three, like they do with the fraud report. Until then, I’m hoping some industrious third party (Credit Karma are you listening?) will provide that option in an easy to use app. THAT is something I would pay a small monthly fee to use.
Following is from the Equifax site as of October 2018. My experience has been different from this, so your mileage may vary.
If my Equifax credit report is locked or frozen, who can access it:
Freezing or locking your Equifax credit report will not prevent access to your credit file at any other credit reporting agency. Freezing or locking your Equifax credit report prevents access by potential creditors and lenders, but there are exceptions. These exceptions may include:
  • Companies like Equifax Global Consumer Solutions, which provide you with access to your credit report or credit score, or monitor your credit report as part of a subscription or similar service;
  • Companies that provide you with a copy of your credit report or credit score, upon your request;
  • Federal, state, and local government agencies and courts in certain circumstances;
  • Companies using the information in connection with the underwriting of insurance, or for employment, tenant or background screening purposes;
  • Companies that have a current account or relationship with you, and collection agencies acting on behalf of those whom you owe;
  • Companies that authenticate a consumer's identity for purposes other than granting credit, or for investigating or preventing actual or potential fraud; and
  • Companies that wish to make pre-approved offers of credit or insurance to you. To opt out of such pre-approved offers, visit www.optoutprescreen.com.

Sunday, December 2, 2018

Mobile Device Security

The vast majority of mobile devices today are either from Apple (iPhone and iPad), which all run Apple’s proprietary iOS, or they are running a version of Android from Google. Most security researchers consider the Apple iOS to be far more secure than Android for the following primary reason*:
Apple strictly controls their operating system, and only Apple-approved apps can be installed on their devices. Every vendor that uses Android can, and typically does, modify it. As a result, there are hundreds of different versions and varieties of Android on millions of devices. Security updates are typically the responsibility of the different vendors, and newer versions from Google may never be available for your device.
*In all cases, we are assuming that you have NOT “jailbroken” your device (opened a backdoor to its built-in security to allow you (and others) to install software from outside the vendor approved methods) and you apply all patches as they become available.
For this reason, I use and recommend only Apple devices as I consider them the most secure mobile devices currently available.
While there have been some bugs and exploits of Apple devices, Apple has been quick to fix them. The number of instances where devices have actually been compromised is believed to be very small and typically a result of user error and/or carelessness. You can decrease the likelihood of exposing your devices to problems by doing the following:
  1. Keep the device updated.
  2. Be very selective on the apps that you install. If you let your children/grandchildren play games on your iPad, then you may not want to use that device for banking.
  3. Don’t connect your mobile device to any computers you do not own and control.
  4. Avoid public Wi-Fi or use a VPN if you must.
If you already own an Android device and cannot or will not switch to Apple, then you may want to consider installing security software from one of the major vendors. Webroot, our first choice for your desktop/laptop, also has software for Apple and Android. If you use an Android device to do anything other than basic email, we recommend you install security software to help protect that device. Before purchasing the security software, make sure it works with the version of Android on your device.
Amazon Kindle
I have owned Kindles since Amazon first released them and love them. The Kindle runs a customized version of Android, but it cannot run a lot of the apps in the Google Play store. While Amazon updates the Kindle software periodically, and I think it is a wonderful device, I do not and would not use it for doing anything sensitive (e.g., banking). I use my Kindles for reading books, streaming video and ordering stuff from Amazon. If your email provider supports multi-factor authentication (Google), then I would consider it likely safe for email purposes. While I have tested Gmail on the Kindle and my wife uses it for that purpose, I still prefer the iPhone/iPad for that purpose as they are more secure.
Travel
Finally, if you are traveling and find it necessary to use public Wi-Fi (and of course always with a VPN), then I would recommend you install Webroot on those devices, even Apple devices. You simply cannot be certain of what is going on “under the covers” when using public Wi-Fi.

Wednesday, November 28, 2018

Cybersecurity 102: The top 3 things you should NOT do to enhance your online security

Nothing is 100% safe—and the sooner you understand that when it comes to all things on the Internet, the safer you’ll be. In Cybersecurity 101, we discussed the 3 ½ things you must do for personal cybersecurity: using a password manager, protecting your email, monitoring your accounts and auto-updating devices. To review the Cybersecurity 101 education module visit: http://www.henssler.com/cybersecurity-101
However, vigilant cybersecurity doesn’t end there. There are several things you should try to avoid, limit your exposure to, or at least be aware of to protect your computer and networks, regardless of whether you’re at home or at work.
Bottom Line: While there are bad things and bad people using the internet, by following these two sets of guidelines you can use the Internet in (relative) safety. Don’t let the FUD factor (Fear, Uncertainty, and Doubt) keep you from using and enjoying the world of technology.

Definitions

Phishing: the fraudulent practice of sending emails claiming to be from someone you know or reputable company to induce you to click on a link that will take you to a website asking you to reveal personal information, such as passwords and credit card numbers.
Smishing: a form of criminal activity using social engineering techniques via a text or SMS message when someone tries to trick you into clicking a link that leads you to giving them your private information.
Vishing: the telephone equivalent of phishing. It is described as the act of using voice calls to scam the user into surrendering money or private information that will be used for identity theft.

Detailed Information

1. Be Wary of all Links
The primary way the average person gets into trouble on the Internet is by clicking on links within emails. Security researchers say that ‘phishing’ accounts for over 80% of all problems. Some of the most devastating Internet attacks started with nothing more than a simple email containing a link that someone clicked on. When you click on a link it may appear that nothing happened, or it can open a seemingly harmless page on a website. However, ‘under the covers’ and unseen, malware has taken over your computer.
The best advice is to be selective in your clicking. Links are common on web pages, emails and even text messages. They’re a convenience, not a necessity. You simply click the link and it takes you to exactly where you want to go. That’s so much easier than typing in http://www.henssler.com/cybersecurity-101 —that is true. However, you cannot trust every link you come across. That’s not to say you should never trust links. You just need to be aware of who sent you the link and where it really goes.
Most every major website pulls in advertising, and a lot of the time that advertising is specific to you. If you searched for motorcycle boots on one shoe website, chances are next time you’re on Google, MSN or Yahoo, you’ll see an ad for those same boots. However, you may also see ads for other things related to those boots—perhaps a matching leather jacket or maybe an ad for low-cost motorcycle insurance. These “related” ads have identified you as someone who would be interested in their products or services based on something you’ve confirmed you are interested in. Before you go clicking on these ads, take a moment and really think about why you are seeing them and where they may take you on the Internet.
The link for the leather motorcycle jacket may take you to the same website as the boots you were looking at, but the link for the cheap motorcycle insurance may take you somewhere else. And then, the site may ask you to enter your address to help find you a quote; maybe even ask your household income. Stop and realize that’s a lot of personal information you’re potentially giving up without even researching this company. While many legitimate sites operate this way, there are also plenty that are less than ethical. At best, some will sell that information at the first chance they get, and at worst, it is a complete scam to get you to enter detailed financial information. Unless you directly typed in the link to the insurance company and are applying online for low-cost insurance, you should think twice about readily giving up personal information. If the ad sounds like something you want to check out, make sure your security software is up-to-date and includes a site checker that scans the URLs and determines if the site is safe. We recommend Webroot. Your best bet is to type in the URL of the company listed on the ad and visit the site directly, bypassing the link shortcut.
If you’re going to click on links, look closely at the link. If the link starts with https://, that S indicates your connection to the site is encrypted, so the info you transmit to that site cannot be read in transit. If a website’s security certificate doesn’t match the company’s domain name or is invalid, your web browser may give you a warning that your connection is not private. We recommend you do not visit that site or send any information to that site.
Links in emails need to be treated with the same scrutiny. Just because the email says it is from your mom, your boss, or your bank doesn’t mean it actually is. Spoofing an email address is one of the easiest things to do online. The use of fraudulent emails to induce you to reveal personal information and/or click on links, also known as phishing, is the primary way crooks exploit the average user.
If you are not expecting a link from your boss—don’t click on it! If your bank is emailing to tell you “there is a problem with your account…click here to verify”—don’t click on it! Assume all links are dangerous until proven otherwise. You can call your mom or your boss to verify they sent you an email with a link. If you use a password manager, you can use that to log into your bank account to see if there is indeed a problem. You can also use a third-party site like BrightCloud or Virus Total to check the links sent to you. If you insist on using the link, first hover your mouse over the link. The mouse cursor should change to a hand and show what domain the link is actually taking you to. "https://www.secure.firstbank.com" is a different site than "https://www.secure.com/firstbank."
Notice how both go to secure websites. You can see that because of the https://. You need to pay close attention to the word that is before the final domain extension. The first link in that example goes to firstbank.com the second goes to secure.com, which may not be a legitimate site.
Finally, you should avoid shortened URLs like "www.bit.ly.24Xp3" or "www.tiny.url.xYp33r." These are common on social media or in text messages. You have no way of knowing where those links lead to, even if you hover over them. A URL shortener uses redirects to forward a user from the short link location to the destination URL location. Even third-party sites like BrightCloud or Virus Total cannot generally see past the redirects.
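The manual checks above (does the link use https, what is the word just before the final domain extension, is it a shortened link whose real destination is hidden) can be written down as a small script. The following Python is an added example, not code from the original post; the list of shortener hosts and the sample links are constructed for illustration, and the "registrable domain" logic is simplified (it takes the last two labels of the host name, so it does not handle extensions like co.uk). It also covers two cases the post does not show: a link where the bank's name appears inside a longer host name, and a link where the bank's name appears before an @ sign, both of which a browser sends somewhere other than the bank.

```python
"""Added example: inspect a link the way the post says to do by hand."""
from urllib.parse import urlsplit

# Constructed sample of URL-shortener hosts (illustrative, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def registrable_domain(host: str) -> str:
    """Return the word before the final extension plus the extension,
    e.g. 'www.secure.firstbank.com' -> 'firstbank.com'.
    Simplification: assumes a one-label extension such as .com or .org."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(url: str) -> dict:
    """Break a link into the pieces worth looking at before clicking."""
    parts = urlsplit(url)
    # .hostname drops any 'user@' prefix and port, and lower-cases the host,
    # so 'https://www.firstbank.com@evil.example/' resolves to evil.example.
    host = parts.hostname or ""
    domain = registrable_domain(host)
    return {
        "scheme": parts.scheme,
        "encrypted": parts.scheme == "https",   # the S in https
        "host": host,
        "domain": domain,                        # where the link really goes
        "shortener": domain in SHORTENER_HOSTS,  # destination not visible
        "path": parts.path,
    }


def is_expected_site(url: str, expected_domain: str) -> bool:
    """True only if the link actually lands on expected_domain, regardless of
    where that name also appears in the path, subdomain or user part."""
    return inspect_link(url)["domain"] == expected_domain.lower()


def warnings_for(url: str, expected_domain: str) -> list:
    """Plain-language warnings a reader would want before clicking."""
    info = inspect_link(url)
    found = []
    if not info["encrypted"]:
        found.append("not https: anything you send can be read in transit")
    if info["shortener"]:
        found.append("shortened link: real destination is hidden behind a redirect")
    elif info["domain"] != expected_domain.lower():
        found.append(f"goes to {info['domain']}, not {expected_domain}")
    return found


if __name__ == "__main__":
    # Constructed sample links, including the two from the post.
    samples = [
        "https://www.secure.firstbank.com",
        "https://www.secure.com/firstbank",
        "https://firstbank.com.example.net/login",
        "https://www.firstbank.com@evil.example/login",
        "http://www.firstbank.com/login",
        "https://bit.ly/24Xp3",
    ]
    for link in samples:
        print(link, "->", warnings_for(link, "firstbank.com") or ["looks like firstbank.com"])
```

Running the script prints one line per sample link; only the first link passes with no warning. The check is deliberately conservative: it trusts nothing about where a name appears in a link except the host's final two labels, which is exactly the part the post tells you to read.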
2. Avoid Downloading Files
Again, just because your mom, boss or bank sent you a file to download doesn’t mean the file is safe. Files with .exe, .app, .inf, and .osx extensions are examples of executable files that instruct a computer to carry out a command. While your anti-virus, internet protection, or spam filtering software should flag these files as high risk, some may still make it through to your email. And if they are on a website, there is no filter to prevent you from downloading them. For example, you receive an email from your Uncle Lou that simply directs you to download a file from Dropbox. You may likely have an Uncle Lou. Dropbox is a site you recognize. However, if you are not expecting shared files, be safe and skip the download. If it is important, Uncle Lou will call you to ask if you received the files.
Furthermore, many common file formats like .doc, .zip, or .pdf can hide malicious code that can infect your computer with programs that will log your keystrokes, lock your hard drive or hijack your email to replicate itself. If you are not expecting a file attachment, you should call whoever sent you the file to verify they actually sent it. Unless you are purchasing software from a reputable company, never download executable files from the Internet.
To make matters even more complicated, the shortened URLs, which you cannot discern where they will take you, may automatically download an executable file from the Internet. And if the shortened URL comes from a spoofed email address claiming to be your mom, you have a prime opportunity for disaster.
Make sure your operating system, browsers, and plug-ins are up to date. Software vendors often provide patches to rectify any security vulnerabilities that can be exploited. Consider turning off your web browser plugins like Flash or Java or setting them to ask before playing. This may prevent malicious ads found on reputable websites from exploiting an autorun environment. Finally, close your browser once you are finished using a secure website, like your bank or email.
3. Say no to Public Wi-Fi
Using public Wi-Fi is the high tech equivalent to having unprotected sex. You do not know who has been there, what kind of protection they’ve used (if any), and while it may look clean, it may not be. Sure, it’s very easy and convenient to go to Starbucks and use the free Wi-Fi to check your email. It’s tempting to stay and work on your computer when there is the lure of a scone and a latte a few feet away from your table. This is why crooks scope out these places. They know the convenience and comfortable atmosphere will draw people in. You don’t know who is sitting next to you watching what you are doing on a public Wi-Fi network.
Disable the “auto-connect” option on your tablets, laptops, and phones. Make sure your electronic devices are set to “Ask to Join” networks. Especially when traveling, disable Wi-Fi and Bluetooth on your devices. Instead, opt to use your cellular connection. Many of the cellular plans offer unlimited data packages, which can allow you to turn your phone into a Wi-Fi hotspot for your other devices.
If you must use a public Wi-Fi, use a virtual private network (VPN). A VPN creates a secure tunnel between your device and the VPN server. VPN software encrypts your data, even before Starbucks’ Wi-Fi provider sees it. The data then goes to the VPN, and from the VPN server to wherever you’re visiting online. The websites you visit see your data coming from the VPN server and its location, not from your computer and your location. We recommend Nord VPN.
Furthermore, when traveling, avoid using computer kiosks or open computers in business centers. While libraries, hotels, convention centers, and airports offer these stations as a convenience for the business emergency, the reality is you don’t know who was there before you. Even the Wi-Fi at a five-star hotel is risky because you’re sharing that network with every other guest in the hotel—so when we compare public Wi-Fi to unprotected sex, we’re not that far off!

USPS Informed Delivery

This service has been available to most of us in the US starting in October 2017, but few seem to know of it or use it. However, some crooks are taking advantage of it to order then steal credit cards.