Tame the FUD Factor!

Monday, May 6, 2019

Privacy does not exist with the Internet


Some may believe that if they restrict their personal use of the Internet they can limit what information about them can be stolen. After all, if we don’t post anything on social media or order anything online, we have nothing to worry about…right? While this might seem logical, unfortunately it is naïve and inaccurate. While judicious use of the ‘Net and following our top 3 things to do / not do will limit your potential direct losses (your mistakes), nothing will protect you from the carelessness of others.

The Equifax hack of 2017 remains the largest publicly known loss of US consumer personal information but there are many others that either do not make national news or more disconcertingly have yet to be discovered.  In late April 2019, independent security researchers discovered a treasure trove of personal information on 80 million Americans freely accessible on the Internet. No hacking skills were required, the information was easily accessible to anyone who wanted to look. (More details here.)

There are thousands of entities worldwide that have been gathering our personal data for decades, long before the World Wide Web (90s) and the value of this data is in the billion$. Information brokers buy, sell and rent this information and unfortunately, some do not protect it very well – or in some cases, at all. While governments may pass laws to try and control it, the reality is that the genie has been out of the bottle for so long, there is no legislation that will force it back in. 

We as consumers and US citizens need to accept that not only will we never know what type of information may have been collected on us (some of which may be inaccurate), we also have no way to know who has this information nor how it may be used. What, if anything, can we do? Sadly, very little other than to take the initiative and proactively and regularly monitor what we can. For the average person (non-celebrity) the most likely usage of personal information will be to try and steal from you, by either accessing your accounts directly or opening new accounts in your name – and then sticking you with the bill.  Since you cannot STOP them from attempting it nor a vendor from mistakenly allowing them to do so, it is up to you to catch and report it quickly to mitigate the possible loss and damage.

Our mobile devices and the apps on them can track not only what we do but where we do it (sometimes without our knowing it). Google maintains a rather detailed history of everywhere we go and how long we are there and until recently kept that data – forever. While you could manually delete this data, most were unaware of this feature or the extent of the tracking. If you have a Google account I suggest you familiarize yourself with these settings (more details here).  Personally, I do like the information and features provided by this service, but I do want to limit how long it is retained. As such, I welcome this new ability to auto-purge my data.

Recommendations:

  1. Create a FREE Credit Karma account OR sign up for one of the paid plans with any of the 3 credit bureaus that will help you monitor your credit. If anyone tries to open an account in your name, either of these should give you a heads up. I do NOT recommend LifeLock.
  2. Turn on any and all notifications that are offered by the financial services you use (banks, credit cards, stock brokers, etc). If you see something unusual – follow-up. It’s your money and YOUR responsibility.
  3. Consider a Credit Freeze or a Credit lock (more information here)
  4. If you use Google, review the tracking data they have about you – you may be shocked (and a little freaked out). There are some benefits to it, but everyone should at least be aware of what is being tracked and make a personal decision if it is right for them.

We know our information is ‘out there’; what we don’t know is who has it now, who will get it in the future, or what they may do with it. Take control and responsibility for your digital data by monitoring your accounts.

Friday, March 29, 2019

Just say NO!


Another day, another few hundred million accounts compromised. Facebook is the most recent (as of this writing in late March). This problem has become so commonplace that it hardly qualifies as news. What is different about this one is that it wasn’t criminals who broke into Facebook and obtained the data; instead, Facebook found that this information was left unprotected (unencrypted) and available to Facebook employees, and ‘there is no evidence to date’ that the information was compromised. Which is a backhanded way of saying, “We don’t know what the heck happened, we just found these few hundred million accounts lying around and figured it probably wasn’t a good thing.” Do ya think? Oh, and it turns out, this info has apparently been ‘just lying around’ like this… for YEARS! The only reason we know about it now is due to a whistleblower at Facebook.

The questions that immediately come to mind for me are:

  1. How did something like this happen? Several hundred MILLION accounts just ‘lying around’. I doubt Mr. Zuckerberg leaves a few hundred million dollars lying around. A leprechaun, he is not.
  2. What else is there just lying around- at Facebook and on other systems? Who is protecting our information?


From a cybersecurity and IT professional viewpoint, this indicates an egregious lack of basic security protocols and – RESPECT for the privacy and confidentiality of your clients. While I would not be surprised to see Mr. Zuckerberg making another trip to Washington for yet another Congressional hearing, let’s be honest – that doesn’t do squat but give some politicians facetime and help them think they are doing something.  One would hope that after the last high profile pillorying, Facebook would have realized their internal systems might just need a bit of an overhaul. Hopefully, the FTC will fine them a few billion after the Cambridge Analytica mess, but even that won’t be enough to move the needle.

What can we do? The only thing that the average individual can do - anyone that has a Facebook account should give serious consideration to deleting their account and just say NO to Facebook. They can only sell, exploit and LOSE what we give them.

Fool me once…

Thursday, March 21, 2019

Who is watching whom?


With the advent of the ‘Internet of Things’ or IoT (internet connected devices), the average consumer is likely to have multiple devices in their home, office or on their person that are capable of surreptitious surveillance and not be aware of it. One of the more high profile examples of this was the recent Apple FaceTime bug that would allow anyone to activate the microphone and camera in your iPhone or iPad without your permission. While Apple released a patch for this bug within a few days of it being made public, how long this bug existed and may have been exploited is unknown. If you have an Apple device, please make sure you have installed this update and if you do not use FaceTime, disable it.

Unfortunately, the FaceTime bug is just one of the many exploits that we know about. Any internet connected OR wireless device (think baby monitor) in your office, home, car, coffee shop or on your person is vulnerable to exploitation. To make this problem worse, some of these devices come pre-configured for ease of installation with default settings that either cannot be changed or the user does not bother to change. This allows anyone with very basic knowledge to gain access to and control those devices. Additionally, some of the older devices (3+ years) have very basic (if any) security and do not have the option to be upgraded (built-in obsolescence).

So, what does the average consumer do? If you do a web search for ‘how to protect yourself from the internet of things’ you will find a LOT of articles. Unfortunately, most of them use terminology and give recommendations that can be daunting for many.  One of the better articles that gives some common sense advice is this one from Lifehack. While some of these may require enlisting the help of a family friend or local geek, at a minimum we suggest you make an inventory of your connected devices (tip #1), so that you at least know what is at risk and can potentially mitigate your exposure.
Did you know? If you have an Amazon Alexa or a Google Home device, then you have a built-in, always on, microphone (and possibly camera) listening/watching and recording everything within range, 24x7. George Orwell would be so proud! If you have an Alexa and want to really be freaked out, login to your Amazon account and you can review and listen to all of the recordings it has made – and fortunately, delete them. Perhaps Jeff Bezos should pay a bit more attention to his own personal internet security…?

I love technology and have many IoT devices (including Alexa -which I turn off when not in use and restrict to my office), but I always assume that any of these devices has the potential to ‘go rogue’. As such, I am cautious about not only what I use but where I install it, to help me manage the failure points.

Tuesday, February 26, 2019

Back(up) to the basics


While the primary focus of these articles to date has been on cybersecurity, there is another aspect of protecting your information that is of equal importance – the regular and secure backup of your ‘digital data’ (files, photos, etc).

While hacking gets the majority of the headlines, the average user is more likely to lose some of their important information due to something much more…banal, a simple equipment failure.  Think of those files and photos that are on your home computer and mobile devices – what would happen if they were stolen, damaged or your device simply failed? Do you have a recent backup of this information AND know how to restore it? If so, congratulations as you are in the 10% club. The vast majority of users do not regularly backup their important stuff and when tragedy strikes, they are faced with permanent loss or paying a data recovery service ‘big bucks’ to try and get their stuff back.

If you are using all Apple devices and have everything backed up to iCloud then congratulations, you are a step ahead of most. My only recommendation to you would be to: 
  1. Confirm everything important is truly being backed up
  2. If you have multiple devices, do a test restore of some random files
Odds are, your photos, music and phone numbers are being backed up as those are handled with minimal user intervention. But what about important files that may be on another device that isn’t connected to iCloud, or physical paper that exists only in a file cabinet in your home? Periodically, do a gut-check – assume your house is destroyed in a fire and all of your contents, including all of your smart devices are lost. Now what?  Not sure, then ask an expert so you know what options are available to you and have a recovery plan. Make sure you know your AppleID/login information so you can purchase a new iPhone, iPad or iMac and quickly begin the recovery process.

For all the myriad of non-Apple or mixed environment users, we (I’m one of you) must do something different for our other non-Apple stuff. If you are a mixed Apple/Windows user, you may want to consider using iCloud to backup your Windows data. While it’s not quite as simple as using it on your i-Devices, it is still pretty straight forward. The only downsides are: 1) it will only back-up files (not applications) and 2) the cost.  The price per GB of data for iCloud is on the high side when compared to other vendors.

Other options:
Google – personally, I save all of my photos to Google, even those on my Apple devices (there’s an app for that!). Why? Because it is unlimited and totally FREE. (high resolution files are downsized but for everyone but photo buffs, this is probably ok. You do have the option to save files of any resolution, but it does count towards your file usage totals).  I also keep all of my regular files in Google Docs (Word, Excel, PDF) – and I can access them from anywhere on most any device.  I also scan all of my important ‘physical paper’ and upload those to Google docs as well.  Another benefit is I can share any of these files and photos with anyone at any time. Google gives you 5GB for free and additional storage is available at a reasonable cost.

What neither Google nor iCloud can do is backup my actual Windows operating system and all of its applications, settings, etc – all that stuff I’ve spent years installing and configuring. To lose that would be a major PITA, so I use a different option for that.

There are a number of cloud based back up options that are both inexpensive and very easy to use. Which one is ‘best’ depends on your particular needs. If you do not have a lot of installed applications on your computer and most of what is important is individual files, then iCloud or Google drive may be sufficient for your needs. If however, you want to backup EVERYTHING on your computer, then consider one of the following:
  1. Veeam FREE backup for Windows: https://www.veeam.com/windows-endpoint-server-backup-free.html   This is what I use personally and I have also used their enterprise product for many years. It is truly the best of the best. However, this does require that you create these backups on REMOVABLE media, which you periodically store somewhere else. Why? Because backing up your data onto the same computer doesn’t help you in the event of fire or theft. It is also possible to store this backup in the cloud, if it’s not too large and/or you have a fast internet connection.
  2. There are also several cloud based options that can automatically backup everything, even your operating system. The major drawback to this is recovery time. The more stuff you have on your computer the longer to back up and the longer to download/restore in the event of loss. Some also provide an option to send you a recovery device (for an extra fee). This is a recent review of some of the cloud based backup solutions: https://www.tomsguide.com/us/best-cloud-backup,review-2678.html
In summary:
  1. Do an audit – identify what you do not want to lose and how much space all of that ‘stuff’ requires.
  2. If what’s important to you is just files and photos, then iCloud, Google or any of the cloud based solutions will do a great job.
  3. IF you want to backup EVERYTHING on a computer (PC or Mac), then consider Veeam (if Windows) or those cloud based solutions that offer a ‘full system restore’. Don’t forget to review their recovery instructions and save that information somewhere you can find it, if needed.
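
The audit and the test restore recommended above can be automated. The following is an added example, not part of the original post: it totals what a folder holds by file type, then compares a random sample of files against a restored copy by SHA-256 hash. The folder names and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large photos/videos do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit(source_dir):
    """Audit step: count files and bytes, grouped by file extension."""
    count, total, by_ext = 0, 0, {}
    for path in Path(source_dir).rglob("*"):
        if path.is_file():
            size = path.stat().st_size
            count += 1
            total += size
            ext = path.suffix.lower() or "(none)"
            by_ext[ext] = by_ext.get(ext, 0) + size
    return count, total, by_ext


def verify_restore(source_dir, restored_dir, sample_size=25, seed=None):
    """Test-restore step: hash a random sample of originals against the
    restored copies and report files that are missing or differ."""
    source, restored = Path(source_dir), Path(restored_dir)
    files = sorted(p.relative_to(source) for p in source.rglob("*") if p.is_file())
    rng = random.Random(seed)
    sample = files if len(files) <= sample_size else rng.sample(files, sample_size)
    report = {"checked": len(sample), "ok": [], "missing": [], "mismatch": []}
    for rel in sample:
        target = restored / rel
        if not target.is_file():
            report["missing"].append(rel.as_posix())
        elif sha256_file(source / rel) != sha256_file(target):
            report["mismatch"].append(rel.as_posix())
        else:
            report["ok"].append(rel.as_posix())
    return report


def demo():
    """Constructed sample: three originals; the 'restore' lost one file
    and silently corrupted another."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "original"), Path(tmp, "restored")
        (src / "docs").mkdir(parents=True)
        (dst / "docs").mkdir(parents=True)
        (src / "docs" / "taxes.pdf").write_bytes(b"constructed sample A")
        (src / "photo.jpg").write_bytes(b"constructed sample B")
        (src / "notes.txt").write_bytes(b"constructed sample C")
        (dst / "docs" / "taxes.pdf").write_bytes(b"constructed sample A")
        (dst / "photo.jpg").write_bytes(b"constructed sample X")  # corrupted copy
        # notes.txt is deliberately absent from the restored folder
        return audit(src), verify_restore(src, dst, sample_size=10)


if __name__ == "__main__":
    (count, total, by_ext), report = demo()
    print(f"{count} files, {total} bytes, by type: {by_ext}")
    print(f"checked {report['checked']}: ok={report['ok']} "
          f"missing={report['missing']} mismatch={report['mismatch']}")
```

A restore that reports any missing or mismatched file is a backup that cannot be relied on; re-run the check after changing backup tools or settings.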


Wednesday, February 6, 2019

Weapon of Mass Persuasion


In an October 2018 speech, Apple CEO Tim Cook spoke on what he believes are the wonders and dangers of technology. A summary of that speech was detailed in this INC online article and the one statement they identified as among the more significant was:
“Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency.”

The entities utilizing and ‘weaponizing’ our personal data aren’t just ‘bad actors’, but legitimate companies and services we use every day. Every website you visit with an ordinary browser has the capability to track each and everything you do on that website – and most DO! Additionally, your internet service provider also knows a lot about your internet behavior and many save and sell that information as well. While most of us are aware that websites track our usage, what we do not know is the specifics of that monitoring and what they do with it.

Some of the major companies (Google, Apple, Facebook) now provide methods for you to view and delete some of this data – emphasis on SOME. Without using tools like an anonymous browser and a Virtual Private Network (discussed in our Cybersecurity 102 seminar), we will always leave traces of our internet behavior for others to mine and potentially use. Information that is on the Internet, STAYS on the Internet, but unlike Las Vegas there is absolutely no guarantee of privacy.
Other than pulling the plug and living like it’s pre-1990 once again, what can one do? [Once again, our Top 3…]

  1. Pay more attention to your online activity. Not only the websites that you visit, but what information you provide them. [ Did you know that if you type information into a web browser – even if you do not press a button – all of the information you type can be captured and saved? ] Avoid giving personal information whenever possible – be a passive viewer / reader vs a participant.

  2. Use a different email address for your non-personal contacts. It only takes a few minutes to create a free new email account in Gmail and you can forward all of them to your main email. Get a free Google Voice number that you use when a phone number is required. Most of us keep our cellphone numbers forever; don’t make it easy for the robocallers to get yours.

  3. Use your browser in anonymous mode.  All of the major products have an option to run in a mode that will limit some of the activity that can be tracked by the websites you visit. However, this does nothing to prevent your internet service provider from knowing which websites you visit.  If you want to take this to the next level, get the free Brave browser for your desktop and mobile devices. Brave has a number of interesting features that work to protect you and your privacy, including the ability to use TOR (the Onion Router). [ See this article for more information on TOR.]  If you really want to take it to the next level, then use Brave along with a VPN (we recommend Nord VPN). Those two together will give you a much higher degree of online security – but only if you also avoid freely giving your personal information when you visit websites.

Remember that nothing is 100% secure on the internet so always remember to monitor your accounts on a regular basis. Security is inconvenient, but the alternative is much worse.

Thursday, December 6, 2018

Monitoring your Credit – Should you Lock or Freeze?

In my Cybersecurity 101 post I discussed the top 3½ things you should do to improve your security online. One of these was to regularly monitor your credit using Credit Karma so you would know if your credit score was changing and more importantly if someone had queried the credit agencies outside your knowledge. One of the first indications that your identity has been compromised may come from inquiries against your credit.
Earlier this year, the U.S. Congress modified consumer protection laws requiring all three of the major credit reporting agencies to allow all consumers to freeze and thaw their credit for FREE. While this is a good thing, it is important to understand the benefits and limitations that come with freezing your credit. The benefit is easy: Once your credit is frozen at all three agencies, NO ONE (see exceptions at end)—not even you (or Credit Karma)—can access your credit in any form or fashion, and this protection is enforced by federal law, meaning should someone gain access, then the credit agency would have some explaining to do.
On the surface, one might think it’s a no-brainer, I will just freeze my credit until I need it, thinking they don’t plan on applying for a loan or refinancing their mortgage (especially with rates going back up). Just freeze it and forget it, right? Unfortunately, our credit information is being accessed more than we might think. If you apply for insurance, even a new quote on your homeowners or auto, many insurance companies will first query your credit and base your rate on that score. If they cannot access your credit, they may or may not tell you that. They may simply quote you a higher rate. The online instant quotes many times do this (I’ve tested it). You may be shopping in a new store and they have a great offer if you sign up for one of their credit cards. You fill out the form and the associate comes back in a few minutes and whispers to you, “I’m sorry but your credit was denied.” (Been there done that.) They don’t know that your credit is frozen, only that the automated process they use denied it. Employers many times will make a credit check part of their pre-employment as well as ongoing employment checks, and there are many more.
Even if you are very internet savvy and think you can just hop online whenever you need and quickly thaw your report, you should know that you must do this for all three agencies, each time and they do not make this an easy process. I personally used to believe this and locked our credit for three years. During that time, I had to thaw it no less than seven times and each time it was painfully frustrating—and I’m a geek! During this freeze/thaw process, I had the distinct impression they purposefully make it difficult and frustrating on purpose, because if your credit is frozen, they cannot sell it. After three years of irritation, I stopped freezing our credit and just monitored it with Credit Karma.
However, they do make locks very easy to use, they even have smartphone apps that allow you to lock and unlock with a simple “push of a button.” Great you say, “I will just lock my credit and unlock on demand.”  But, what exactly is a credit lock? Well, none of the agencies make this really clear.  What is clear is that when your credit is locked (not frozen), it is not protected by federal law so if someone does access your information and steals your identity, you have no recourse with the credit agency. Another major difference is it appears that when you lock your credit, the agencies can still sell your information to third parties (credit card companies), but all three do state that hard pulls, the type of inquiry performed when applying for credit are not allowed.
So, which, if either, is right for you? This recent article on Nerd Wallet gives some good examples that we would recommend you use as guidelines. [Note, this article states the Experian lock option is only part of a paid plan, but I have found that no longer to be the case. They do have a free option.]
Regardless of which option you choose, I do recommend that you sign up for a free account on all three services and go through at least the lock/unlock process so you will know how to do it quickly, should the need arise. If you are feeling industrious, go through the freeze/thaw process once as well. Make sure you save your PIN (currently only required on Experian) in your password manager as you cannot thaw or remove the freeze online without it. All of the credit agencies currently require additional steps to freeze/thaw that are not required with locks, and the processes are separate, meaning you cannot perform the lock and freeze on the same website/login, which is what can make this process even more frustrating.
Hopefully, Congress will go one step further and make this a one-step process where you can lock or freeze your report with one agency and they are required to report it to the other three, like they do with the fraud report. Until then, I’m hoping some industrious third party (Credit Karma are you listening?) will provide that option in an easy to use app. THAT is something I would pay a small monthly fee to use.
Following is from the Equifax site as of October 2018. My experience has been different from this, so your mileage may vary.
If my Equifax credit report is locked or frozen, who can access it:
Freezing or locking your Equifax credit report will not prevent access to your credit file at any other credit reporting agency. Freezing or locking your Equifax credit report prevents access by potential creditors and lenders, but there are exceptions. These exceptions may include:
  • Companies like Equifax Global Consumer Solutions, which provide you with access to your credit report or credit score, or monitor your credit report as part of a subscription or similar service;
  • Companies that provide you with a copy of your credit report or credit score, upon your request;
  • Federal, state, and local government agencies and courts in certain circumstances;
  • Companies using the information in connection with the underwriting of insurance, or for employment, tenant or background screening purposes;
  • Companies that have a current account or relationship with you, and collection agencies acting on behalf of those whom you owe;
  • Companies that authenticate a consumer's identity for purposes other than granting credit, or for investigating or preventing actual or potential fraud; and
  • Companies that wish to make pre-approved offers of credit or insurance to you. To opt out of such pre-approved offers, visit www.optoutprescreen.com.

Sunday, December 2, 2018

Mobile Device Security

The vast majority of mobile devices today are either from Apple (iPhone and iPad), which all run Apple’s proprietary iOS, or they are running a version of Android from Google. Most security researchers consider the Apple iOS to be far more secure than Android for the following primary reason*:
Apple strictly controls their operating system, and only Apple-approved apps can be installed on their devices. Every vendor that uses Android can, and typically does, modify it. As a result, there are hundreds of different versions and varieties of Android on millions of devices. Security updates are typically the responsibility of the different vendors, and newer versions from Google may never be available for your device.
*In all cases, we are assuming that you have NOT “jailbroken” your device (opened a backdoor to its built-in security to allow you (and others) to install software from outside the vendor approved methods) and you apply all patches as they become available.
For this reason, I use and recommend only Apple devices as I consider them the most secure mobile devices currently available.
While there have been some bugs and exploits of Apple devices, Apple has been quick to fix them. The number of instances where devices have actually been compromised is believed to be very small and typically a result of user error and/or carelessness. You can decrease the likelihood of exposing your devices to problems by doing the following:
  1. Keep the device updated.
  2. Be very selective on the apps that you install. If you let your children/grandchildren play games on your iPad, then you may not want to use that device for banking.
  3. Don’t connect your mobile device to any computers you do not own and control.
  4. Avoid public Wi-Fi or use a VPN if you must.
If you already own an Android device and cannot or will not switch to Apple, then you may want to consider installing security software from one of the major vendors. Webroot, our first choice for your desktop/laptop, also has software for Apple and Android.  If you use an Android device to do anything other than basic email, we recommend you install security software to help protect that device. Before purchasing the security software, make sure it works with the version of Android on your device.
Amazon Kindle
I have owned Kindles since Amazon first released them and love it. The Kindle runs a customized version of Android, but it cannot run a lot of the apps in the Google Play store. While Amazon updates the Kindle software periodically, and I think it is a wonderful device, I do not and would not use it for doing anything sensitive (i.e., banking). I use my Kindles for reading books, streaming video and ordering stuff from Amazon. If your email provider supports multi-factor authentication (Google) then I would consider it likely safe for email purposes. While I have tested Gmail on the Kindle and my wife uses it for that purpose, I still prefer the iPhone/iPad for that purpose as they are more secure.
Travel
Finally, if you are traveling and find it necessary to use public Wi-Fi (and of course always with a VPN), then I would recommend you install Webroot on those devices, even Apple devices. You simply cannot be certain of what is going on “under the covers” when using public Wi-Fi.