Since the last time we mentioned Zoom, it seems there have been alerts put out there asking people to stop using it. There are numerous problems with it. Sure, it is probably the easiest meeting software for non-technical people to use but the security is what has people up in arms.
So what is the problem? There are a few. Even last summer they found there was software used to bypass security to be able to launch it in a few clicks. This also makes it easy for hackers to start webcams and watch users without them knowing. The other bad thing is this bug remained even after the user uninstalls Zoom. Apple has removed this component by issuing a force-deployed update to every Mac in the world.
There are other things. Zoom can use your private video calls and sell ads. What if you are using Zoom to speak with your therapist? What kind of ads will they be marketing?
Another thing that was “fixed” was the fact that Zoom was sending user info to Facebook. That has since been fixed in an update.
To see more about this:
Here is a light-hearted parody of the Zoom security issues:
We talked about Malwarebytes a few years ago. Back then, it was mostly PC users that worried about malware and exploits. Well, in their latest reports–surprise, surprise–Malwarebytes reports that in 2019, they saw a 400% rise in MAC exploits! That is a significant change from previous years.
Many of the malware items are called PUPs-Potentially Unwanted Programs. Many of them need to be quarantined. Malwarebytes scans for those as well as PUMs-Potentially Unwanted Modifications. For a PC, PUMs could be found either in the registry or in a browser setting.
Read the report (PDF)
The Victor crew found this article about passwords. There have been so many breaches in recent history. There have been 13 big data breaches this year alone (so far).
This article breaks down why passwords really don’t matter in light of the way hackers are performing their breaches. It is from a Microsoft tech using stats collected from Azure Active Directory connected accounts. The data is broken down by type of attack and how they are performed.
Once you cut through all the techese, the bottom line is to choose passwords with at least 8 characters, use a password manager and let it generate the password for you, try using multi-factor authentication for that extra step.
Google services on Android or iPhones can store your location data, even when you try to prevent it through your device settings.
Google Maps can make a timeline of your movements, for example. It works so well that last year a warrant was served by police in North Carolina to Google to find devices near a murder scene. You can turn off your location history so the places you go will not be stored.
If you are logged into Google, go to https://www.google.com/maps/timeline?pb to see your timeline or whether it is even on. You can turn the tracking of your history on or off here: https://myaccount.google.com/activitycontrols/location?hl=en&gl=US
This may not keep Google from tracking your movements through nearby towers but it is something more you can do to make it a little more difficult for them.
There is a Chrome extension to help you pick better passwords. It is called PassProtect by okta. It will tell you right away if your password is in a list of data breaches. It doesn’t necessarily mean your username/email and password combination are in that list but if your password is already in a list of compromised passwords, you might want to rethink that password. You can add it to your Chrome browser.
They do not store or collect any information from you, they simply use the HaveIBeenPwned.com API to check against the list of known breaches. If you want to check a password on your own, you can check it here as well manually to see if it is in the list of breached passwords, because it is the same list. Hackers that have collected passwords will often use them to breach a site and try to guess people’s logins and if you are using a password from a breached list, and they know your email or username, you may find yourself hacked.
If you are a Prime member or already shop with Amazon, you know your packages will come via UPS, FedEx, or even USPS. Amazon is going to launch their own package delivery service called Shipping with Amazon (SWA) as reported Friday. They will roll out in Los Angeles first over the next few weeks then to other cities across the U.S.
They plan to start with third-party Amazon vendors who are already registered. They may also open up to other businesses eventually to directly compete with the other shippers.
To keep your delivery safe from porch pirates, Amazon already has a program called Amazon Key In-Home Delivery. You have to purchase the Amazon Key In-Home Kit, the necessary equipment for $249.99. It includes an indoor security camera and compatible smart lock. They will come and install these for you if you want. When a delivery is made, you will an alert on your smart phone and you can watch the entire delivery.
Recently a family member told me about an encrypted messaging app called Signal. It not only encrypts your text messages but also conversations. There are a few nice things about it: it is free, it is open source, and it works on both iPhone and Android phones. You can also send documents and images.
There is also a desktop app for your Windows, Mac, or Linux computer.
We’ve talked about passwords before and yet it is such an important thing because of all the breaches we see. Some people say they don’t have anything that important so it doesn’t matter or they say they need to use the same password for everything.
This is a totally bad practice and attitude to have about this. Think about all your accounts where you have purchased items, or your banking or credit card accounts. Do you really want to use the same password for everything? Once they breach one account, say your email, they can look through that to find what other accounts you are subscribed to and have a field day. This is even how identities are stolen.
Here are some things you can do:
Go to HaveIBeenPwned.com and check your email for pwnage.
Also click on their password tab and check to see if your passwords are on any common lists.
Use a password manager like LastPass.
Use 2 step verification. Use an authenticator, too.
Once you download LastPass, set it up with a hard to hack easy to remember password (the first video below gives some suggestions on how to find one.) You can then import all the passwords saved to your browsers. Once you have LastPass you can also run a kind of audit check for recommendations on which passwords to change – it will show you duplicates or not so secure passwords you already have.
It is important to keep all software you use up to date. There are updates for a reason – most likely some of the code used was found to be vulnerable to attacks.
This past week, a popular extension was hijacked. The developer of the Web Developer for Chrome extension had his own account hijacked. The hijackers phished his Google account, then modified the code in his account and pushed it out to users. The version of Web Developer for Chrome that was pushed out is 0.4.9. You need to make sure you have the updated version 0.5 installed NOW!
The version the hijackers uploaded can force ads on pages, capture passwords, or other unreported problems. Consider changing passwords to pages visited during the time of the compromise. The date was August 2. The developer himself admits he fell for a phishing attack that started this. This effected over one million users.
The developer details the events in his blog. The bottom line is anyone can click on a bad link and it is important to have two-factor verification in place.
If you are looking for a password, you can check to see if the password you want to use has ever been used. Just go to the Have I Been Pwned website and look at the Passwords link. They now have a list of the passwords that have been breached. You can test your password against it and it will tell you if it’s been breached but it will also tell you it may not be a good password even if it’s not been breached.
Here is what you get if your password has been used before and found on a breach list:
Here is what it looks like if it hasn’t:
When the Victor crew was notified of the Windows 10 Creators Update, we scratched our heads. What in the world is that? Why would I need it?
There is a new Gaming category in Settings. When in game mode it will make the experience smoother.
You can use the new Paint 3D app to make 3D drawings along with 360 degree view.
There is feature that allows you keep open tabs by setting them aside so you don’t have to favorite them but put them aside for small projects you may be working on.
Microsoft Edge becomes the default eBook reader. You can customize the eBook as you are reading it, highlight parts, set bookmarks. You can also change the screen for night use.
There is a setting for Mixed Reality that works with HoloLens VR headsets.
Plan and measure trips on Maps. You can share them with others.
There’s a new privacy dashboard to allow you to set your own security settings.
Mini View allows you to keep a video in a small window.
The first of these updates were rolled out April 11, 2017.
The Victor crew has heard a lot of news lately about a cyber attack nicknamed WannaCry using ransomware. Ransomware is holds an infected computer hostage until a ransom is paid, usually in bitcoin, money that is virtually untraceable. This latest attack has caused global problems. In the UK, hospitals have been attacked. In the US, FedEx fell victim. If you use a Macintosh computer you are most likely safe as these attacks are targeted at PC users. If you are still running Windows XP you are even more vulnerable as there are no more patches being made for these systems.
Here are some things you can to do to prevent this from happening to you:
Keep your computer up to date. Do the patches for your operating system.
Make sure to do security updates for your security service.
Only open attachments from the person you know and trust.
Be careful of programs or other items you may want to download.
Back up your computer to an external hard drive.
Keep copies of your files on cloud services.
If you do get infected and don’t want to pay the ransom, which has been about $300-$600, you will have to flatten your machine (reinstall your OS). If you have kept your files on a cloud service or on an external hard drive, you will have defeated them. You will need to reinstall all your programs if you haven’t backed up the entire system.
The predictions are that today there will be even more as people turn on their computers if they haven’t been kept up to date.
The Victor crew came across an urgent matter. If your browser is Chrome or Firefox, be aware of a new phishing attack. An attacker can send you an email with a link to a malicious website. You could visit a site that will either infect your computer or make you think you are signing in with your credentials as they trick you into thinking you are accessing the correct site.
The people from Wordfence, a security plugin for WordPress found this last Friday, April 14, 2017. They set up a demo site to show what is happening. It is well worth it to check their article and see if you are affected and what to do. They have set up a demo using a medical site, epic.com, so you can test your browser and browser settings. You can visit their demo site here in Chrome or Firefox. To compare the demo site with the real site they faked for comparison, you can click here to visit the real site here.
This does not affect Windows or Safari browsers. Currently there is a fix for Firefox browsers. Here is what you do:
Open your Firefox browser
Type about:config in the address bar
Search for ‘puny’ (without quotes)
You should see network.IDN_show_punycode set for ‘false’
Double click it to make it ‘true’
Chrome currently does not have a fix for it.
Yahoo has recently been in the news again lately due to yet another problem with data breaches. Having a Yahoo account, this Victor crew member has received an email from Yahoo about it.
In this message, they tell me that they are investigating the creation of forged cookies. They say they are taking steps to secure accounts. They say this forged cookie may have been created in 2015 or 2016 and they believe it to be connected to the September 22, 2016 data theft. They also give some actions you can take.
They suggest using a Yahoo Account Key which is something we will investigate ourselves at a later time. This user is on the verge of dismissing this account altogether although it was my first email created back in the 90s. I have added 2-step verification as well as changed the password.
Another email as a reminder from Yahoo states a reminder to secure to secure the account. They suggest updating to the Yahoo Mail app on android or iOS. They suggest to turn off insecure apps.
As I logged into the account after the above emails, there was a link to update security settings to block apps with less secure login. I am not sure what this entails yet, but will let you know when I find out.
We’ve written a few times about password security. But what if your phone number gets hijacked? This is not having your phone stolen but rather having your phone number taken from you. You no longer can use the two-step verification because someone else has the number they have on file for it. So how does a phone number get hijacked in the first place? The Victor crew wanted to learn more.
It can start with a text that looks like it came from your carrier. It may have a number or a login page for you to enter some information. All they need is your call-in pin and they can start the process of porting your number over to their phone. You actually think you are talking to a representative of your carrier. Once they have your number, they can use the “forgot password” function of all your apps and get a code sent to them to reset the passwords. Think of all the apps you have – your bank, your email, your wallet. So what can you do?
Here are some ideas from Forbes:
- Put a passcode on your account with your carrier. Make sure whoever you are talking to uses that passcode with you. If a hacker tries to use it, hopefully the representative is on the ball and asks for the passcode.
- Use the mobile carrier specific email address to access the account. Forbes suggests you have an address as your current primary one, one just for a mobile carrier, and one for all your sensitive accounts like banking. This way your primary account can’t be used to steal your phone number.
- Disable online access to your wireless account. You will have to go the store to make changes but it won’t get hacked.
- Ask your carrier to make changes with photo ID required.
Some other thoughts:
- Use a password manager and let it generate passwords.
- Don’t have the same security questions on all sites and don’t answer them truthfully.
- Do not connect your mobile number to sensitive accounts. Create a new Gmail email address and don’t connect a phone number to it. Use Google Authenticator with one-time passcode generator to use it. They suggest using a Google Voice number.
- Use a security key. Yubikey is a physical security key device. There are also devices you use a USB port for.
- Use biometric authentication – fingerprint for example.
Don’t throw away items such as boarding passes, driver’s licenses, credit cards, or anything that has a bar code, QR code, data matrix, or postal code. They should be shredded. There are all kinds of shredders available, even those that will shred credit cards. They may hold more information than you realize. So what? Someone could use this website to decode the information and learn more about you.
This article tell about the information someone found from his boarding pass. It showed his name, frequent flyer number, other personal info, and his record locator. Using this, the account with the airline can be accessed. Future flights were seen as well. Seats can be changed, a PIN number reset. If someone really wanted to get into it they can figure out more of your information. They would have your address and know of a future flight so your home could be robbed.
The Victor crew has written about passwords several times in the past. Here is an older article that can stand the test of time regarding security and passwords: http://www.wired.com/2012/11/ff-mat-honan-password-hacker/. Even though this was about 3 1/2 years ago, the knowledge and wisdom Mat imparts is timeless.
Through these years, there hasn’t been much more change to secure passwords. You should probably consider what is called 2-step or 2-factor verification to secure your most used sites like Apple or Google. You can also get it for Facebook, twitter and other sites.
What you will need to do is make sure they have a phone number that they can send a verification code to. Then you will put use this code to register this device. You won’t be asked for this code again once the device is registered.
Strong passwords are not easy to come up with and even harder to remember. Komando.com has some suggestions.
Don’t make passwords easy to guess. People are still using passwords like 123456 or other easy passwords.
Make passwords 8 characters or more. They should be different types of characters and include upper case, lower case, numbers, and symbols.
Don’t use the same passwords everywhere. Use a unique password for every account.
Consider a password manager like LastPass, KeePass, Dashlane, or 1Password. You can even have your password manager generate a strong password for you. As long as you make your main password for the manager complex, you won’t even have to know your passwords.
In 2015, smartphones will start coming equipped with a “kill switch.” This will allow users to remotely disable their smartphones and wipe the data. Apple, Google, Samsung, and Microsoft with the five largest cellular carriers in the US have signed on voluntarily to the program.
All smartphones manufactured for sale after July 2015 must have this technology. This would deter thieves from taking mobile devices as they are rendered useless. HTC, Motorola, Nokia are among other makers who have signed up.
Users can erase contacts, photos, email and other personal information and lock the phone so it can’t be used without a password. The data will be retrievable if the owner recovers the phone.
Critics have accused cell phone carriers of being reluctant to do this as they would lose revenue from replacing and activating stolen phones.
If you are using Chrome and haven’t signed out of the browser, and you share your computer or your computer is stolen, then you have shared any passwords you have saved in the browser. Anyone can simply go to chrome://settings/passwords to view the passwords you have saved. There is no other security applied.
Unlike Firefox. You can set a master password that you have to enter before you can see the saved password. This adds a layer in Firefox’s security.
IE encrypts passwords and you can’t easily view them. You can download IE Passview to see them.
The bottom line is, if you share a computer or travel with your laptop, make sure you are logged out of all your browsers and logged out of the operating system. Make sure all user accounts are password protected.
~ Jody Victor