Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Just ask “Why?”

By

Today we’re constantly asked to make decisions that have security and privacy implications.  Most of the time these are individually innocuous, but collectively they present significant risk.  All too often, we simply click yes, plug in the cable, share the wifi password, or give up personal information.  Instead, before even asking if it’s secure, ask “Why?”

Here’s some examples:

  • Why does my refrigerator, dishwasher, vacuum cleaner, lightbulbs, or child’s teddy bear need an internet connection?
  • Why does the social media site need my real birthday or current location?
  • Why does the doctor’s office need my SSN (unless you use Medicare)?
  • Why does the retailer need my email address for a receipt?
  • Why does that website have 42 trackers (seriously, just saw that today)?
  • Why does that app need access to my microphone, contacts, or music library?
  • Why does my TV need an internet connection? Why does it have a microphone?
  • Why do I want that technology vendor listening/watching everything I do at home?
  • Why should I always use my primary email address for sites that aren’t important?
  • Why does my bank need my mother’s maiden name?

For many of those, the answer is: to provide some functionality I desire and in exchange the company can exploit and sell my personal information.  For others, it’s inertia (like the Doctor with SSN), or poor security question design (like mother’s maiden name).

 

We all have different tradeoff points – I essentially answer no to them all (or give false information – or a junk email address), others may say yes across the board.   Of course, once you decide it’s worth the tradefoff, before you actually do, then the ‘is it secure’ question needs to be answered.  One quick thought on that – if it can’t be patched, it’s not secure.

So the next time a waffle iron, toothbrush, or coffee maker asks for your wifi password, stop a moment and ask ‘why’, then make a conscious decision about the tradeoffs.

Rent Cars? Smartphone? Don’t Connect it

By

I travel for business and while Lyft is a growing part of my travel plans, I still frequently rent cars.  And I carry a cigarette adapter and mini-phono cable to connect to the car speakers.  Yep, Bluetooth and USB connections are something to avoid.

I’ve done this for years, both because pairing can be problematic, but more importantly because un-pairing and wiping the infotainment system is often beyond my knowledge and/or time available when I return it.  Privacy international just wrote a report on the situation – it’s worth a quick read:  https://privacyinternational.org/sites/default/files/cars_briefing.pdf.  Connecting to a car – either via Bluetooth or USB may be convenient, but you’re leaving a lot of digital breadcrumbs (and a few loaves) behind.

None of this is a surprise, and keep in mind that GDPR doesn’t protect us here in the US.  It’s never a good idea to connect your phone to a strange device with a USB port or Bluetooth connection.  Apple’s taken steps in recent iOS versions to give you more control over what information is transmitted, but it’s not perfect.  For example, if you have the app for your own car on the phone, then rent a car from the same manufacturer, the app already has all the permissions needed to share your data.

So the net is that dumb connections are the only safe option when connecting your phone to a strange car.  That means separate power (http://www.belkin.com/us/p/P-F7U013/ for example) and a mini-phono patch cable.    The latter means that if you have an iPhone, you’ll need a Y dongle to get power and audio at the same time.   Unfortunately, more and more models no longer have an audio jack, and only offer USB connections, so that won’t work.  At that point I pull out my Bluetooth speaker and connect to it instead.  The rental car privacy/security use case is one neither the phone or car manufacturers handle well at all.

Armor up! Personal Cyber Safety

By

A friend of mine recently lost their smart phone.  They did most of the right things – sent the wipe signal to it, and changed their passwords.  Unfortunately, they missed telling the cellular carrier, and it turns out that someone had simply moved the SIM card into another phone and used it to make hundreds of dollars in overseas calls (much like we used to see with calling card and conference call numbers).  It also meant that any inbound calls and SMS messages would have rung on that stolen phone – something to think about in the age of SMS-two factor authentication.

He asked me for an updated list of suggestions on how to get secure and stay safe online, and rather than doing a one-off, I thought I’d share here – feel free to add suggestions in the comments, and I’ll keep this current.  The first is the most important, and the rest are in no particular order.  Many of these are involved topics that deserve posts in their own right – this is just a quick summary.

[Updates at the end]

#1 – Keep Current

Make sure you’re on a current and supported operating system, and keep up with patches.  For Windows that means 7 or higher, for Mac El Capitan or higher, and for iOS it means 9 or higher.  For both Windows and Mac, that’ll change soon – Windows 10 and Sierra are better options.  Android is much harder unless you get updates directly from Google.  If you don’t, you’re behind – that’s one of the reasons I don’t recommend non-google Android devices.

This also means keeping your applications up to date.  If you still have Office 2003 because it’s all you need, unfortunately, you’ll have to pay the Microsoft tax and get a current version to get patches.  Ditto on the Adobe products, and pretty much everything else.

For both OS and apps, apply patches and updates on a regular basis.  For Windows machines, makes sure you watch for ‘Patch Tuesday’ and apply patches right away – often the bad guys release new malware shortly afterwards that attacks unpatched machines.   We all find it hard to keep up with patches (Window takes far more care than Mac), so when possible, turn on automatic updates.  Which brings us to the importance of the next item:

 

Backups

Things will go wrong.  Consumer cloud has no guarantee of backup or restoration of data, so don’t trust Google, Apple, Microsoft, DropBox, or any other service as the sole place your information lives: any critical information (i.e. family photos) should live in at least two physical places, one of which should be in your personal controls.  For example, one of the first things I disabled in Sierra was the ‘automatic migration of data to iCloud’.  Aside from not controlling what’s uploaded, the last thing I’d trust a consumer-grade service to do is delete anything off my machine automatically.

Backups should be encrypted (see below), and at least one stored offsite – either a cloud-based backup like CrashPlan, or a drive in a safety deposit box or at a friend’s house.  If you use cloud backup, remember that they don’t work for things like virtual machines, and can blow out your data charges.

So I backup my iOS devices to my local computer (not iCloud), then backup the Mac using Time Machine (for the oops I deleted it situations), and Carbon Copy Cloner (www.bombich.com) for my disaster backups.  CCC has saved my bacon more times than I can count, and I highly recommend it for Mac users.

I also strongly recommend that at least one of your backups be physically disconnected from your computer when not actively backing up.  That’s the single best defense against ransomware.

 

Securing the browser

Absolutely run a current browser version.  I recommend using uBlock Origin and Privacy Badger to cut down on the worst of the tracking and funky sites.  Don’t use shady extensions like video downloaders.  To be extra safe, use two browsers – one for general browsing, and one for sensitive sites.  Be careful of typo-squatting sites.  That’s one reason I like 1Password – it validates the URL before pasting in credentials.  Stick with one of the big three – Edge, Firefox, or Chrome.  Retire Internet Explorer.

 

Trust the cloud – sort of

There are three kinds of cloud services:  free/consumer, and enterprise.  Free services monetize you in some fashion (more below), usually by selling your data to advertising – and I recommend avoiding them.  This includes services like Gmail, Facebook, Twitter, and such – if you’re not paying for it, you’re the product, not the customer.

iCloud is paid for as part of buying Apple products, and while Apple uses the data for marketing and product development, they don’t sell it to third parties, so it’s somewhat better.  One thing that all consumer services have in common is that they disavow any responsibility for data loss or disclosure.

So, for backups and email, I recommend paying for the service.  You’ll get much better responsiveness and much less privacy compromise.  And make darn sure the data is encrypted before uploading.

 

Passwords & Password Managers

That’s especially true of Password Managers.    I’m not a fan of cloud-storage for my password vault – it’s too inviting a target.  That’s one of the reasons I use 1Password from www.agilebits.com – they offer a local sync option.  But using one with the cloud is far better than not using one, and I have a number of family and friends using the 1Password cloud options.  I’ve written recently about 1Passwords migration to the cloud, and while I have concerns, it’s still the best option out there.

Your password manager password needs to be a good one – a passphrase is best.   The new advice is to pick four or five words:  cheetah shark Saturn smiley mayonnaise.  You’ll remember it much easier than a random set of characters, and most good cracking tools now easily bypass backwards words, replacing letters with numbers, and all the other tricks.

All this implies, yes, use a password manager that generates unique random passwords for each site.  That way you only need to remember one single password (hence 1Password) that’s really good and strong, then it does the rest for you.

Note:  Do not use the web-version of a password manager.  Use the application on a device that you control.

 

Lie

That brings me to one of the toughest ones – lying to sites by intent.   This falls into two categories – lying for protection, and lying because it’s none of their business.  For the former, when a site asks you to create a secret question and answer, lie – use a random word, and then store that in your password manager.

More importantly, when a site asks you for information it doesn’t need – your birthday for a shopping site for example, make something up that’s completely random.  I started getting retirement spam after using a 1940’s date…interesting.

This is also true for sites or companies that ask for ‘mother’s maiden name’.  Go change all those and record the new random answers in your password manager.  For companies that continue to insist on the single worst authentication mechanism (last 4 of SSN), pester them to see if you can get it changed.  If not, then we should all shame them on social media.

 

Use two-factor

When offered, use two-factor authentication.  It’s not perfect, but it’s better than just a password.  Do not use just device-based authentication though, always use both factors.

 

Disk/device encryption – backup and machines

Turn on whole disk encryption on your system.  For mac: https://support.apple.com/en-us/HT204837 and for Windows: https://support.microsoft.com/en-us/instantanswers/e7d75dd2-29c2-16ac-f03d-20cfdf54202f/turn-on-device-encryption

 

Set mobile devices to lock and wipe

If you have options to disable biometrics, and force a passcode after a handful of attempts turn it on, and then turn on the options to wipe the device after 10 failed attempts.

And use something stronger than a 4 digit PIN – at least 6.  Alpha numeric is better.  Pick one that’s not your, your spouse, your kids or any other date, address, phone number, or anything else that’s easy to guess or on social media.

While you’re at it, set airdrop to ‘contacts only’.  Better to stay off the grid.

 

Biometrics

Biometrics are a mixed bag.  Right now there’s tons of snake oil out there.  The only one that I trust for regular use is the fingerprint reader on the iPhone – and that’s because of the lock/wipe options.  I do not use it on a computer – type the passphrase instead.  Facial recognition, swipe patterns, and such can be spoofed trivially, and many consumer grade fingerprint readers can be as well.
Stay off public (and other) computers.

Using a public computer is like licking the seat in an outhouse.  Just don’t.  Ever.  Your friend’s computer isn’t quite as bad, but unless you know that they have good hygiene, it’s best to only use your own devices.

 

Uninstall Flash and Java 

It’s time to get rid of these two applications from your personal machines.  Corporate machines should too, but that’s a whole more involved story.

Flash:

Mac: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html

Windows: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html

Java:

Mac: https://www.java.com/en/download/help/mac_uninstall_java.xml

Windows: https://www.java.com/en/download/help/uninstall_java.xml

If you have to use Flash, use Chrome (but disable all the tracking first).

 

Get accounts before the bad guys do

As Brian Krebs recommends, get accounts on https://www.ssa.gov/ and IRS.gov https://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/ before someone does it first.

 

Credit Freeze

And again a shout-out to Brian, for his information on getting credit freezes from all four agencies.  Credit monitoring is useful for telling you it’s been compromised – a freeze protects it up front.  https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

If your homeowners insurance offers identity theft protection as a rider, that’s not a bad investment for the price.

Note:  If you have kids, freeze their credit too.

 

eMail security

Email is not private.  If you have a standalone email application, using SSL only keeps it secure between your machine and the server.  If you do it in the browser, same situation – and you’re also exposed if the browser is compromised.  Never email any sensitive information like bank account numbers, social security number, credit card numbers, and so on.  If you’re emailed a new password after a reset, immediately go change it on the site itself.

Note:  Yes, there are ways to technically encrypt email end-to-end.  It’s not clean or easy, and pretty fiddly.  If you absolutely positively must email something sensitive, my recommendation is to encrypt the document itself then attach that to a regular email.  That’s beyond the scope of this post.

Because password resets are done via email, this is the most important account you have.  It must be used with a robust random password, and you should never login from any device that you don’t own and control.  If the bad guys get your email, they get all your other accounts.

 

Have a throwaway email

So that means having more than one might make sense.  Ever have a site that you might want to get information from, but don’t want them to have your details?  Get and use a throwaway email account – or a junk mail account to use for all of them.

 

Never click links

And never, ever, click on any link in anything on that junk account.  That’s good practice for all email and all links.  Go manually to their site, and login by hand.  Related – stop sending emails with links in them (internal corporate communications I’m looking at you).

 

Stay off the seedy side of the internet

It goes without saying, stay off the seedy side of the internet.  Get legal software and content, avoid torrents, and naughty sites.

 

VPN/Public Hotspots/Cellular Data

I avoid using any public hotspots – it’s far too easy for someone to sniff what you’re doing, Use your cellular hotspot when you can.  For better protection, use a personal VPN like www.getcloak.com to prevent traffic monitoring and cellular carrier supercookies.  This includes hotel internet.

 

Never respond to inbound phone calls

If you get a call allegedly from your credit card company, bank, insurance company, or similar company, don’t give any information or acknowledge that you even have an account.  Politely thank them, and call the number on your credit card or statement (not the one they give you over the phone).  Hiring a fake call center is trivial.

 

Firewalls & Antivirus

Turn on the Firewall on a Mac https://support.apple.com/en-us/HT201642 and Windows https://support.microsoft.com/en-us/instantanswers/c9955ad9-1239-4cb2-988c-982f851617ed/turn-windows-firewall-on-or-off

As a minimum, turn on Xprotect on the Mac https://support.apple.com/en-us/HT201940 and Windows Defender on Windows: https://support.microsoft.com/en-us/help/17464/windows-defender-help-protect-computer

On both Mac and Windows use www.malwarebytes.com to scan and remove malware, including adware.

On Windows, seriously consider paying for antimalware software.  At this point I’d probably recommend Symantec over the alternatives – the free solutions aren’t worth it.  If your bank offers Trusteer Rapport, download and install it.

Oh, and disable file sharing if you haven’t already.

Don’t tweak the bad guys

I know folks who will keep the ‘tech support’ spoofers on the line, or text with the thieves who stole a phone, or respond to phishing emails with ‘nice try’.  Don’t.  These folks are very good at what they do, and most of the time you’re just a drive by as they conduct a massive campaign.  But if you get them mad and they target you, it’s a whole different ball game.   Respect their skills.

In the end

Be skeptical, be wary, and be prepared to be hacked.  I had a bank ask me to send mortgage paperwork via email.  I said no.  I’ve had calls to my phone that spoof my own callerID.  I hung up.   I’ve also had really clever phishing emails that I almost clicked.  I did – to delete.  We’ve had our credit card stolen several times – caught it by watching my bills weekly.

As one of the characters in Harry Potter was fond of proclaiming, ‘Constant Vigilance’.

 

[Update]

Shred it

Shred anything and everything that has your information on it.  That includes envelopes from bills (they identify targets for the bad guys to hit), junk mail, receipts, boarding passes, hotel room cards, credit cards (unless metal – cut those with tin snips), conference badges (I punch out the RFID chip as soon as I get one), old business cards, and so on.  Bar codes are the most insidious as they can hide a lot of personal information, as Brian Krebs points out in the link about boarding passes.