Jan 052018
 

Much in the media this week about an industry-wide problem with all devices using Intel processors — CPU chips, and perhaps those from other manufacturers as well. A security vulnerability: Meltdown and Spectre. It’s like Dorothy, the Tin Man and the Scarecrow walking through the dark forest in the 1939 classic The Wizard of OZ and chanting “Lions and tigers and bears, oh my!”

PC World’s been covering this situation with a bunch of articles. Here’re a few links:

Massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues—dubbed Meltdown and Spectre—exist in the CPU hardware itself, Windows, Linux, Android, macOS, iOS, Chromebooks, and other operating systems all need to protect against it. And worse, plugging the hole can negatively affect your PC’s performance.

Everyday home users shouldn’t panic too much though. Just apply all available updates and keep your antivirus software vigilant, as ever. If you want to dive right into the action without all the background information, we’ve also created a focused guide on how to protect your PC against Meltdown and Spectre.1

Intel said the patches for the CPU vulnerability, due next week, would bring a negligible performance hit to the average user. Claiming that the patches can make PCs “immune” from the vulnerabilities is a first, though.

Intel may have dominated most of the news surrounding the kernel bug in processors, but it’s not just Windows and Macs that are at risk. In addition to Meltdown, there is also a “branch target injection” bug called Spectre that affects mobile ARM processors found in iOS and Android phones, tablets, and other devices that could also expose your data. Here’s everything we know about it so far.

We’ve been waiting to hear from Apple ever since we first heard about the far-reaching Meltdown and Spectre CPU flaws earlier this week, and the company has finally responded with some not-so-good news: All Mac and iOS devices are affected. That’s right, all of them. However, Apple ensures us there’s no reason to panic.

So, the bottom line is that this vulnerability is serious. Lots of manufacturers of the hardware and software that make your devices run are working on the fixes. Some patches already have been released. So, just be ready for the updates. It’ll take time for everything to settle down. The major concern is impact on performance. Ironically, the vulnerabilities were a result of long-standing techniques to improve performance. As PC World stated:

“We feel your pain. But security trumps performance, so we’d rather our PCs be a little slower than exposed to hackers.”

In summary:

  • Update your operating system
  • Check for firmware updates
  • Update your browser
  • Keep your antivirus active

 

[1] That PC World article notes that:

  • Microsoft pushed out an emergency Windows patch [Windows 10 ‘1709’ edition KB4056892 patch] late in the day on January 3.
  • Apple quietly worked Meltdown protections into macOS High Sierra 10.13.2, which released in December. [Also iOS 11.2.]
  • Intel also released a detection tool that can help you determine whether you need a firmware update.
  • The major PC web browsers have all issued updates as a first line of defense against nefarious websites seeking to exploit the CPU flaw with Javascript.
  • The Google researchers who discovered the CPU flaws say that traditional antivirus wouldn’t be able to detect a Meltdown or Spectre attack. But attackers need to be able to inject and run malicious code on your PC to take advantage of the exploits. Keeping security software installed and vigilant helps keep hackers and malware off your computer.

UPDATE: I haven’t tried Intel’s detection tool, but today (January 17, 2018) Senior Editor Brad Chacos at PC World published an article about a 3rd-party tool which checks whether your system has been patched to protect against the flaws: “Is your PC vulnerable to Meltdown and Spectre CPU exploits? InSpectre tells you.”

Gibson Research recently released InSpectre, a wonderfully named, dead simple tool that detects if your PC is vulnerable to Meltdown and Spectre.

InSpectre is a small 122 KB program that doesn’t need a formal install and scans your computer for Meltdown and Spectre susceptibility in mere milliseconds. When it’s done, the program pops up with clear, easy-to-read information about the security status of your system.

This is the sort of software Microsoft or Intel should have released to help clarify the murky, convoluted patching situation around this devastating duo of CPU exploits.

Personally, I’ll wait for these tools to evolve further.

Oct 162017
 

“Fortify your PC against all manner of attacks—for free!”

This PC World article “How to build the best free PC security software suite” (October 16, 2017) is one of the best digests of the topic that I’ve encountered. The article offers a ready summary of what you need to cover various security risks on your PC. For those not wanting to purchase an annual computer security subscription (with auto renew, eh) — but not go potluck — and willing to blend together a solution, the recommendations agree with my research and experience.

Antivirus software is the key component of any security suite, and for good reason—it’s going to be your primary defense against malware. Windows offers its own built-in anti-virus program called Windows Defender for Windows 8.1 and up—Windows 7 users can download and install Security Essentials. Windows’ solution offers fairly good basic security, but most third-party testing firms find that it falls short of third-party security suites. The upshot is: If you’re a security-aware user who’s willing to occasionally run a scan with Malwarebytes (see below) then Defender may be enough.

Avira Antivirus Free Edition and Bitdefender Antivirus Free Edition are two free products worth your attention. According to recent benchmarks published by the German antivirus testing firm AV-Test, paid products for both Avira and Bitdefender won top marks on all three of the firm’s major testing categories including protection, performance, and usability; both did a perfect or near-perfect job at stopping malware and other threats. Avira did score one false positive from AV-Test when it identified legitimate software as malware during a system scan.

And, as for any free PC app, there’s a caution:

… free products can include browser toolbars, extensions, or other desktop programs that you might not want. Freebies can also have ads that help their makers pay the bills. Be mindful while you’re installing free programs to avoid also installing bloatware you don’t want, which is often flagged for installation by default.

Read the full article for recommendations to safeguard your PC in other ways.

Yahoo breach — things to do

 Computer  Comments Off on Yahoo breach — things to do
Dec 152016
 

Well, Yahoo’s much in the news again. Once again, as noted by the New York Times, “Yahoo Says 1 Billion User Accounts Were Hacked.”

The newly disclosed 2013 attack involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password. Yahoo said it is forcing all of the affected users to change their passwords and it is invalidating unencrypted security questions — steps that it declined to take in September.

Changing Yahoo passwords will be just the start for many users. They will also have to comb through other services to make sure passwords used on those sites are not too similar to what they were using on Yahoo. And if they were not doing so already, they will have to treat everything they receive online, such as email, with an abundance of suspicion, in case hackers are trying to trick them out of even more information.

See also:

How Yahoo’s 1 billion account breach stacks up with the biggest hacks ever

What you should do if you were hit by the Yahoo hack

What to do? In summary: Check that you can access your account and email. Login into your Yahoo account. Make sure there’s nothing strange. Check your account / personal info. Change your password. Choose a strong password. Don’t use the same password as for other accounts.

And if you’re no longer using the account, then delete or deactivate it. Get a free Google account and use Gmail.

National Cyber Security Awareness Month

 Computer  Comments Off on National Cyber Security Awareness Month
Oct 192016
 

As noted by the Department of Homeland Security:

October is National Cyber Security Awareness Month which is an annual campaign to raise awareness about cybersecurity. We live in a world that is more connected than ever before. The Internet touches almost all aspects of everyone’s daily life, whether we realize it or not. National Cyber Security Awareness Month (NCSAM) is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.

Week 1: October 3-7, 2016 – Every Day Steps Towards Online Safety with Stop.Think.Connect.™

Week 2: October 10-14, 2016 – Cyber from the Break Room to the Board Room

Week 3: October 17-21, 2016 – Recognizing and Combating Cybercrime

Week 4: October 24-28, 2016 – Our Continuously Connected Lives: What’s Your ‘App’-titude?

Week 5: October 31, 2016 –Building Resilience in Critical Infrastructure

Check out the “Stop.Think.Connect. Toolkit” for tips regarding social media, the Internet of Things, Traveling, Public Wi-Fi, online banking, etc.

Biggest data breach ever — Yahoo + some AT&T accounts

 Computer  Comments Off on Biggest data breach ever — Yahoo + some AT&T accounts
Sep 242016
 

Big news this week regarding data breaches. Yahoo revealed that account information for at least 500 million users was stolen by state-sponsored hackers two years ago. PC World’s article “Here’s what you should know, and do, about the Yahoo breach” discusses the breach and reviews best security practices.

An email compromise is one of the worst data breaches that a person could experience online, so here’s what you should know … there’s no way to tell if your account was among those whose passwords were hashed with bcrypt or not, so the safest option at this point is to consider your email compromised and to do as much as damage control as possible. … Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such incident.

Here’s Yahoo’s official September 22 statement on the breach: “An Important Message About Yahoo User Security.” Their statement includes recommended actions.

UPDATE 9-27-2016: A CNET article today reminded me that some of my clients have AT&T high-speed Internet service (sometimes phone service as well) and their email service uses Yahoo.

Many AT&T customers use Yahoo accounts to manage their services and could be at risk. … It’s the outgrowth of a partnership formed 15 years ago between Yahoo and AT&T (then called SBC Communications), bringing AT&T broadband customers to Yahoo’s search engine and media services, including Yahoo Mail. … The hack puts AT&T in an uncomfortable position. The company is still waiting for data from Yahoo on the specific customers who may have been affected, according to a person familiar with their dealings. … For now, AT&T is offering little advice to its customers beyond the standard line: regularly change your passwords.

Prevent malware infection — best practices review

 Computer  Comments Off on Prevent malware infection — best practices review
Sep 092016
 

The Malwarebytes Blog recently discussed “10 easy ways to prevent malware infection” — for your PC, Mac, or mobile device. Read the article for the complete text. Here’s the summary below.

Protect vulnerabilities: Update your operating system, browsers, and plugins; Enable click-to-play plugins; Remove software you don’t use (especially legacy programs).

Watch out for social engineering: Read emails with an eagle eye; Do not call fake tech support numbers; Do not believe the cold callers.

Practice safe browsing: Use strong passwords and/or password managers; Make sure you’re on a secure connection; Log out of websites after you’re done.

Layer your security: Use firewall, antivirus, anti-malware, and anti-exploit technology.

Trading away personal info — twilight of privacy?

 Computer  Comments Off on Trading away personal info — twilight of privacy?
Jan 142016
 

Imagine you’re visiting a mall and occasionally someone stops you and asks for some personal information: Your favorite places to shop? Things you like to purchase? Brands you like? … You’re told that as a reward for providing that information you’ll get a gift certificate. What if that happens to you on the street, just walking around your city. Any difference in your reaction?

Imagine you’re at home and setting up some new gadgets (maybe home automation modules or some Internet of Things smart devices) and you get to the step where you need to agree to some Terms and Conditions, including a Privacy Policy, which covers collection of personal data. If you agree to all the terms, you’ll get a monthly credit or rewards points. Do you say okay?

Imagine you’ve been given an in-home robotic butler or artificially intelligent personal assistant. The proviso is that you need to share your habits, likes, contacts, and personal schedule with the device. Maybe you do not even share all of that with family members and friends, eh. Creepy? A fair trade?

And imagine that in all these scenarios that some or all of your personal information is sold to marketing companies.

Do you draw the line somewhere? That’s the question addressed in a recent Pew Research report, as noted in a Washington Post article called “When is it worth giving up your data? Americans aren’t quite sure.

Would you trade information about when you’re in your house — and in what rooms — for the promise of cheaper energy bills, even if that means you’re sending this data to a distant tech company?

Often, the benefits to giving up personal information are obvious: Cheaper energy bills or a convenient way to swipe into a transit system. The potential pitfalls can be more abstract. For example, it’s hard to tell what the consequences could be down the road if a company is tracking your web browsing today.

Read the full article for more details about the scenarios which were explored and participants’ responses.

Apple’s updated privacy policy — plainly different than others’ policies?

 Computer  Comments Off on Apple’s updated privacy policy — plainly different than others’ policies?
Oct 012015
 

As noted in previous posts, the privacy policies of major tech companies, especially those with products and services that we interact with on a daily basis using our mobile devices, are getting a lot of media attention. And rightfully so. What’s moot? What’s not? Just because “it can be collected” begs the question of whether it should be collected. Just because “it makes us money” begs the question of whether it’s ethical or sustainable.

It’s all about trust. And secure handling and storage of personal data. As our mouse cursors or fingers hover over the “I agree” buttons for these long policies, who really ponders saying no? How many people check whether their personal data is shared reasonably — without arbitrary or capricious or nebulous intent?

The mobility and convenience of our digital mixes requires more and more personal data be collected, stored, and shared. Not just account information. Privacy policies evolve to address those expanding shares (as well as sometimes to clarify such policies).

So, as discussed in this MacWorld “Apple throws down the gauntlet with overhauled privacy policy” article, Apple wants not only to be clear about things but also stand out in an industry prone to buccaneer-like marketing.

The company isn’t just issuing platitudes about how great its privacy protections are—it dives into real detail about how its various services use and protect your data.

I find this article’s summary of how Apple handles data for their new News app particularly interesting:

The articles you read in iOS 9’s News app aren’t linked to you specifically, but to an anonymous News-specific identifier that you can reset at any time. News does use iCloud to offer you recommendations across all the devices you read News on, but those are stored on the device and not seen by Apple.

Apple does put ads in the News app and uses your reading activity to determine which ads to show you, but that information cannot be used outside of News to show you ads in any other app—not by Apple, and not by the publishers you read in News. You can also turn on Limit Ad Tracking so Apple can’t target ads to you based on your activity in News.

Evidently Apple’s iOS 9 security white paper is 60 pages long. Sigh.

Security vs. convenience — who wins?

 Computer  Comments Off on Security vs. convenience — who wins?
Sep 292015
 

I’ve discussed this topic with many of my clients, especially those who complain about remembering or keeping track of passwords — the trade-off between security and convenience for consumer products and services.

We recognize this trade-off everyday with different keys for physical locks and passwords for different digital services. Password managers can help with “one password to rule them all.” And some envision a future where biometrics just require your presence to gain access. How convenient.

Mobile devices pose a particular challenge for manufacturers. Consumers expect ease of use and convenience. Yet, these are complex devices, real computers, subject to the same security risks as traditional desktop and notebook PCs. As designers craft a more personal and natural way to interact with these devices (through gesture, voice, etc.), concerns about safety and security remain.

Elsewhere I’ve discussed the issue of privacy posed by increasingly convenient digital services, whether mobile or not. We’re faced with trusting butler-like personal digital assistants with all types of personal information so that things go smoothly — like a fine-tuned relationship where small facial expressions substitute for verbal sentences, actions are anticipated, and events always remembered. And we trust that our butlers communicate discreetly with others as they do jobs for us.

Generally I’ve felt that Apple balances security and convenience well. And that Microsoft keeps up to date with security patches. National news about security breaches keeps everyone alert. I tell my clients that none of these companies’ products and services are perfect, however.

So, I found this The Verge “In iOS 9, Apple is still trading security for convenience” article about Apple’s mobile devices interesting.

Siri is integrated deeper, pulling more data from more sources and making many recommendations before you’ve even asked for them. But this week, security researchers discovered a downside to Siri’s new intelligence. iOS 9 lets users access Siri from the lock screen, and if you work that access right, you can use it as a way to add contacts or even access the camera roll.

As with Microsoft’s Cortana, privacy or security concerns with Siri can easily be addressed by disabling features. But where’s the convenience in that, eh?

Best Practices — Personal Computer Configuration

 Computer  Comments Off on Best Practices — Personal Computer Configuration
Aug 192014
 

Here’re some standard recommendations that I discuss with my clients:

1. Use a password for your computer account. In other words, when you start up your computer, you’ll need to enter a password to access your desktop. While you may be able to change settings so this step is not required, remember that such a decision is a trade-off between convenience and security.

Sure, an expert may be able to view your personal files anyway, but some protection is better than none. (And if you’re really worried, then consider encrypting your files.)

2. Keep your files where they belong. Your User folder (or “Home” folder or personal “sandbox”) predefines folders (or directories) for Documents, Pictures, Music, and Video / Movies (as well as Desktop and Downloads). While you can store other types of files in the Documents folder, generally photos should go in the Pictures folder, Music in the Music folder, and Movies in the Video folder. What you download in your Web browsers should (at least initially) go in the Downloads folder.

Occasionally I’ve had clients store files outside the standard folder structure, knowingly for some reason or because a special program placed them there. Such a practice can make managing those files awkward and backup problematical, since standard backup programs do not recognize those locations.

3. When transferring photos from a digital camera (rather than a smartphone) to your computer, remove the camera’s storage card and insert that into the media slot on your computer. In fact, I recommend only using cameras that use the SD / SDHC card format, which is mostly the case anyway. Just ignore any cable (and typically any software as well) that came with your camera to connect it to your computer.

If your computer does not have a media slot, you may use a USB adapter.

4. Install at least two Web browsers. PCs come with Microsoft’s Interent Explorer. Mac’s come with Apple’s Safari. So, install another one at least, such as Google’s Chrome or Mozilla’s Firefox. It’s like having two forms of transportation. In this case, two options for “driving” on the Internet.

In general, you want options, so that a problem with a particular program or application doesn’t stop you completely.

5. Install at least one anti-malware / anti-virus program and also Malwarebytes Anti-Malware on a Windows PC. Many PCs come with a computer security product pre-installed at the factory. (If nothing else, Windows 8 includes Microsoft’s Windows Defender.) Perhaps a trial version. From Norton (Symantec) or McAfee or Trend Micro. Any of these are good products, but remember that their inclusion is no endorsement of “best in class” or “best for you.” The manufacturers and vendors merely made a financial deal.

So, at the very least, install the free version of Malwarebytes Anti-Malware (MWB). Generally it’s not good practice to have “two cooks in the kitchen,” but MWB won’t interfere with your other anti-virus program.

6. Set up at least two email accounts with different email service providers. Most of my clients use the email account which comes with their Internet Service Provider (ISP). If they have Time Warner high-speed Internet, for example, they use a Roadrunner account. Similarly for Verizon or ATT.

Some clients still use an AOL account, an AOL email address, which is fine. (And if you have high-speed Internet from another company, hopefully you’re already using free AOL, eh.)

ATT has had a deal with Yahoo, so some clients use a Yahoo email address.

So, at the very least, if you still need another address, sign up for a free Google account.

And, remember, each email account should have a different password.

7. Use at least two forms of backup for your personal files. For example, you may use a Flash drive to backup really important files whenever that’s appropriate; and a program to schedule backups of all your files to other Flash drives or portable hard drives.

While sometimes more technical, for disaster recovery it’s also best to use a program to make a complete image or clone of your boot drive — of all your personal files, programs, and system files.

Remember, the most common problem is not to backup at all.

8. Adjust computer settings appropriately to your vision, hearing, dexterity, etc. Generally such features are available via Accessibility options or preferences.

I’ve seen too many clients squinting at their computer screens or complaining of eye strain. (Even my vision suffers after working on a computer for hours a day.) There are settings to adjust text size and mouse or touchpad performance.

Do you use a special phone (like offered at http://www.californiaphones.org)? Then maybe consider a better keyboard. Or consider speech recognition programs.

And, remember good ergonomics as well. Monitor distance and height. Arm and hand position. Chair support and height. Frequent breaks for your eyes and neck and back as well.

9. Spend some time learning about all the built-in Search and Help features for your computer. Whether you followed the best practices for file organization or not, modern computers have easy ways to quickly find items. Standard Help features have improved as well.

Security Risk Outlook 2014

 Computer  Comments Off on Security Risk Outlook 2014
Jan 272014
 

A recent PC World article “Threat forecast for 2014: Ransomware, scams, snoops” summarized security firm AVG’s outlook for 2014:

AVG Technologies Australia security advisor, Michael McKinnon, said the emergence of ransomware such as Cryptlocker shows the increasing sophistication of modern malware, and should be a concern for individual users and business.

Here’s an excerpt from AVG’s blog post, “2014 – a year of escalating Ransomware, Bitcoin, Privacy and Digital Vagrants:”

We know that protection is best achieved with an equal combination of the right technology, up to date systems and the highest level of awareness and education in the face of the latest scams and tactics; it remains a constant battle to ensure that new users are provided with enough knowledge to remain safe and secure.

UPDATE: PC World also outlined “The top 5 security threats to watch for in 2014” — mobile malware, Internet-connected devices, virtual currencies, Windows XP, data breaches.

Holiday Cyber Risks

 Computer, News  Comments Off on Holiday Cyber Risks
Dec 152013
 

IDG’s CSO* recently posted an article titled “5 risks to avoid for the holidays” summarizing scams and risks to beware of for the holidays. In particular, watch out for spoofed emails purportedly from shippers and payment processing agents. Also fake e-cards.

Fake messages frequently include instructions to open an attachment or click on a link. Ignore the message completely, don’t open anything or follow any links. Head to the company’s website directly, or call them if needed.

* CSO provides news, analysis and research on a broad range of security and risk management topics.