Ferndale Library Talks on Computer Security and Privacy

Last Saturday, 2/1/20, I gave a presentation on Personal Cybersecurity to a full house in the Ferndale Library main meeting room. The librarians had to chase us out because my grandson Christopher and I were still answering questions at five pm when the library closed. If you missed the first presentation, or want a chance to ask more questions, Chris and I are scheduled to give the same presentation at the Lynden Public Library on Saturday, March 7 2020 at three pm. (Notice that the Lynden presentation will be a half hour earlier than Ferndale.)

See the slides from the presentation and links to resources.

This Saturday (2/8/20 3:30p) I will be talking about a closely related subject, Online Privacy, again in the Ferndale Meeting Room. Online security and privacy are closely related subjects that sometimes overlap, but privacy is often harder to understand and the legal boundaries are less clear. Computer security is mostly about traditional criminal activities like fraud and theft carried out in the computing environment. Online privacy, on the other hand, often involves activities that were legal before computing amplified their effects, and that have now taken on sinister implications. As a result, current privacy legalities are less clear. Instead of criminals, privacy issues often involve legitimate businesses and disturbing situations where no current law is broken. In this presentation, I will clarify what is recorded today when you go online and live your daily life, what is done with the record, and what you can do to exercise some control. This presentation will be repeated in Lynden at three pm on Saturday, March 14 2020.

Six Rules For Online Security

It’s all a numbers game. Nothing will ever guarantee that you will never be victimized online, but following a fairly simple set of rules will drastically reduce the chances that you will be a victim.

Rule One

Don’t be tricked into trouble. Most victims of online attacks were, at some point, tricked in a non-technical way that could have happened anywhere and required no computer skills or knowledge. For example, some clever hacker writes an email that looks like it came from your boss and asks you to send him the payroll list with usernames and bank account deposit numbers. Or someone claiming to be your favorite niece calls from Uzbekistan asking you to send a five-hundred-dollar Amazon gift card to her at a post office box in Tashkent because she’s in a jam. Or you get a phone call from Microsoft asking for your account password.

These and similar debacles have all resulted in substantial losses to the victims. Never be rushed. Take time to think it through. Find a way to verify that the request is real. Call your boss, your niece’s mother. Check with Microsoft’s published support number. Do the sensible thing.

Almost everyone knows not to respond to fabulous offers from Nigerian princes, but online criminals are clever, and they know how to play on your emotions and fears. Even the largest and most sophisticated online attacks start with social trickery.

Rule Two

Avoid dodgy websites. You know the sites I mean. The ones that appeal to base instincts or offer something too good to be true. Military super gadgets for $19.99. Unbelievable cures that doctors keep secret for fear of losing patients. Inside financial tips. Salacious celebrity pics.

Some of you remember the ads for spark plugs that triple your gas mileage in the back of men’s magazines, or the ads for miraculous youth-rejuvenating serums on after-hours television. Or x-ray vision glasses in comic books. In the old days, you sent in your money and got nothing in return.

Today, click on one of those kinds of websites and you are likely not just to waste your money; you can also infect your computer with nasty malware that will hurt for months to come if the infection is not detected and removed.

Rule Three

Be careful with downloads and installs. Downloading and installing an app is a lot like surgery. When you start an install, you are a patient on the operating table whose life is in the hands of a surgeon. You are completely vulnerable. If your surgeon is a crook, your goose is cooked and laid out on the platter for carving.

Most developers honestly offer useful software and services, but the simplest and most effective way to compromise your computer, laptop, tablet, or phone is to get you to install an application that appears to entertain you or perform useful work, but also opens your device to exploitation.

To protect yourself, get your installs from reputable sources. The Apple, Microsoft, and Google app stores vet the applications they offer. That’s a big help, but they are not perfect. Some nastiness gets through. An app that has been downloaded many times with tons of good reviews is more likely to be safe.

Before you install, check the reviews and the reputation of the developer on the network. Always download from secure (HTTPS) sites. Get your drivers directly from operating system and device manufacturer sites. Third party comprehensive driver sites may be convenient, but the risks are higher.

Rule Four

Scan regularly for malware. There are many anti-malware tools available, and almost all are quite effective when used properly. A computer virus is one technical classification of the nasty stuff that can land on a computer; malware is the more general term. A tool that only scans for viruses is old school and ineffective.

Anti-malware tools are very competitive, and the malware landscape changes quickly. The tool that is the best today may be second rate tomorrow and best again next week. The brand of tool is not as important as regular updates and frequent scans. Windows Defender, which is automatically installed and activated with Windows 10, is a good choice because it is updated regularly and scans automatically. It may not be the best on a given day, but it’s probably better than a competitor without the latest updates. If you prefer not to think much about malware scans, it is a sound default.

A note about Apple devices. Contrary to the marketing stories, they too are vulnerable to hacking. Regular, up-to-date malware scans will help.

Rule Five

Keep your operating system and apps patched. Hackers are industrious devils, always on the prowl for new vulnerabilities. They find the holes and exploit them quickly. The industry battles hackers continually with patches that stop up the holes in defenses. Malware scans spot and thwart attacks after they occur, but stopping the invaders before they get in is better. Automatic updates may seem like a hassle, but the benefits outweigh the annoyance. Sign up for automatic maintenance from reputable sources whenever you can. Automatic updates occasionally mess up, but that is happening less and less as the sources get better at patching, and a botched patch is far less damaging than a successful attack.

Rule Six

Use strong passwords. Password cracking has become much more sophisticated. Long (sixteen characters or more) random passwords are still very difficult to crack, but hackers have ways of cracking commonly used passwords. Any single word that appears in any dictionary, or any common sequence of characters (like ‘123456789’ or ‘qwerty’), is a breeze to crack. A password manager utility that generates long random passwords is useful. Never duplicate a password. Some of the most egregious breaches in recent years have been based on duplicated passwords.
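To make the rule concrete, here is a small checker and generator I am adding for this post (it is not code from the book or from any password manager). It rejects the kinds of passwords the rule calls a breeze, dictionary words and simple sequences, enforces the sixteen-character floor, and generates a random password the way a password manager would. The COMMON word list is a tiny constructed stand-in; a real checker would load a full dictionary and a breached-password list.

```python
import math
import secrets
import string
from typing import Tuple

# Constructed stand-in for a dictionary plus breached-password list.
COMMON = {"password", "123456789", "qwerty", "letmein", "admin", "welcome"}
# Keyboard rows, so "qwertyuiop"-style walks are caught as sequences too.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Full pool a password manager draws from: 26 + 26 + 10 + 32 = 94 characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(password: str) -> float:
    """Upper bound on strength: length * log2(pool), with the pool inferred
    from the character classes present. A dictionary word scores far lower
    in practice, which is why check_password tests for that first."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def is_sequence(password: str) -> bool:
    """True for runs like 123456789 or abcdefgh (stepping by one either way)
    and for walks along a keyboard row such as qwerty."""
    low = password.lower()
    if len(low) < 4:
        return False
    if any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        return True
    diffs = {ord(b) - ord(a) for a, b in zip(low, low[1:])}
    return diffs == {1} or diffs == {-1}


def check_password(password: str, min_len: int = 16) -> Tuple[bool, str]:
    """Apply Rule Six: no dictionary words or sequences, sixteen characters or more."""
    if password.lower() in COMMON:
        return False, "appears in the common-password list"
    if is_sequence(password):
        return False, "is a simple number or keyboard sequence"
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, f"ok, about {entropy_bits(password):.0f} bits"


def generate_password(length: int = 20) -> str:
    """Random password from the full pool using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

A sixteen-character password drawn from all four classes scores about 105 bits, which is the gap between "random and long" and "a word in a dictionary" that the rule is about.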

When available, use multi-factor authentication (MFA) in addition to a password. MFA is much more difficult to hack into than even the strongest password. For example, sites and devices that request a fingerprint or a face scan after entering a correct password are safer than a password alone because the chances that a hacker can get both are low. The strongest multi-factor systems use an app-generated token, like a 5-character code, or require a special USB device (key) that you have to plug in. Critical accounts, such as your bank or your brokerage account, should always use multi-factor authentication.

If you follow these rules, I can’t guarantee that you will not suffer from an attack, but the chances that you will be a victim will be far less.

I’ve been brief in this post. If you need more information, I am available from 3pm-4pm the first and third Wednesdays of each month at the Ferndale Public Library, or you can read my book Personal Cybersecurity. It is available from the library, or you can buy it on Amazon here.

I gave a talk on these rules at the Whatcom County Library System North Fork Community Library on October 19, 2019. The fall colors were stunning. I’ll be giving the same talk at the Ferndale and Lynden Public Libraries in February and March. I’ll also be giving talks on online privacy at Ferndale and Lynden.

Browser Wars and Privacy

A new round of the perennial browser wars has begun. Google Chrome is the current hands-down victor, but don’t be surprised if that changes. The new battleground is privacy. Google will have to fight hard to retain its majority market share. But will our privacy increase? I doubt it. The reason is a long story.

Current Standings

The main browser contenders are Google Chrome, Mozilla Firefox, and Apple Safari. In May 2019, the worldwide standings on all platforms were Chrome 63%, Safari 16% and Firefox 5%. To a certain extent, those numbers represent the distribution of smartphones. Google Android is the most prevalent, and the default browser on Android is Chrome. Safari is the default on Apple iPhones. Firefox trails in part because it is not the default anywhere and users have to take the time and trouble to install it. On desktops and laptops in the US, Chrome still runs laps on Firefox and Safari at 64%. Microsoft Internet Explorer and Edge combined, the defaults on Windows computers, come in around 20%; Firefox and Safari trail at around 8%.

Depending on how much consumers value their privacy, these standings may change in months to come.

Last week, the Washington Post lambasted Google Chrome on privacy. Mozilla Firefox has been touting its security and privacy features regularly for the past few months and they have steadily improved their performance to keep up with Chrome.

History

The war used to be the world vs. Microsoft Internet Explorer (IE). The old battle was fought over performance, features, and standards compatibility. Microsoft in the late 90s and early 2000s was feeling safe in its control of the personal computer market; they took an indifferent stance toward emerging browser standards and chose to go their own way with IE, forcing website developers to write different code for IE while following widely accepted standards for the rest. Most consumers were unaware, but it drove engineers crazy.

Eventually, Chrome, Firefox, and Safari moved ahead of IE. Microsoft, in those days, was complacent on web performance, behind the curve on web security, and fighting anti-monopoly suits. Google, Mozilla, and Apple were striving hard to improve performance and security and to add features while conforming to standards. As a longtime competitor and partner, I can say that Microsoft engineers are second to none, but they floundered in the browser wars and eventually lost to the contenders. Chrome came off as the big winner by concentrating on performance.

Chrome is still the browser performance champion, but its lead is so small that it’s hard for most users to distinguish between the performance of any of the browsers today. I suspect Microsoft struggles because old IE special features are still required by some important customers, which puts constraints on IE that the other browsers don’t face.

The Privacy Battle

In this battle, Firefox appears to have the high ground. Most of Google’s revenue comes from selling ads that are targeted by the information it collects on the habits of the users of its free services like Google search, Gmail, and Chrome. When Chrome ups its privacy game, Google’s potential corporate revenue goes down. This places Google on a razor’s edge: abuse privacy and the public will quit using its services; increase privacy and ad-targeting gets fuzzy, which will cause revenues to drop.

Mozilla, as a non-profit, has no direct stake in targeting ads and therefore appears to be free to pursue privacy for its users, but it’s complicated.

Even Non-Profits Need Revenue

Mozilla’s 2017 audit states that a large share of its revenue comes from search engines, which pay Mozilla a small amount for each search directed to the search engine. Mozilla has had contracts with Google, Bing, and Yahoo at various times to default searches to these engines. Under the current contract, the default search engine is Google. The auditors note that cancellation of these default search contracts is a substantial risk to Mozilla. Google pays Mozilla with money made from targeted advertising. Therefore, if browsing gets too private, Mozilla still stands to lose revenue. Not as directly as Google, but they are still at risk.

Google, as a public corporation, must keep their revenues up to satisfy their stockholders. Mozilla is a non-profit, but their engineers and other employees do not work for free. To continue to thrive, Mozilla must compete with public corporations for these employees with adequate facilities and wages.

Caution

What does this mean for the public? The high-tech network world is subtly connected and intertwined. TANSTAAFL. There ain’t no such thing as a free lunch. Most free services today are either loss-leaders for paid services, or they are bankrolled by selling data on the habits of the service users, even when it appears that they are not. Until that basic fact changes, your privacy is on the market.

No matter which browser you choose, it is up to you to select privacy options that correspond to the level of privacy you want.

Be Careful With Remote Access

Connected devices on the Internet of Things are cool. I have a friend who looks in on his cats on Whidbey Island with his phone from our house in Ferndale. I love my Bluetooth mouse and being able to start the oven preheating from my office upstairs with my phone. But I wouldn’t want a stranger to have the same access.

To be safe, you must take precautions.

Today, or very soon, most of the electric appliances and many other devices that people interact with will be connected to computer networks. At our house, my wife’s car (not my old truck), our kitchen range and its hood, the dishwasher and the microwave are all set up to connect wirelessly to a computer network (the Internet). We can expect more connected appliances to appear on the market soon. In fact, some claim that it will soon be difficult to acquire any electrical appliances that are not connected to computer networks. Why? Because remote wireless computer control has become a cheap feature for manufacturers to add these days. Unfortunately, connectivity has become less safe in the process.

What has changed

In olden times, say 2010, when a refrigerator manufacturer decided to add remote wireless computer monitoring or control to a new model, they would hire a team of electrical and software engineers to design a chip, circuitry, and control software to embed. The team would come up with a tidy little system that would do exactly what the manufacturer intended. No more, no less.

That’s not how it’s done today. Instead, they buy standard, off-the-shelf components and snap them together. One of those components is likely to be the equivalent of an entire personal computer, complete with a wireless interface and capabilities similar to a typical desktop of a couple decades ago. A complete computer is now cheaper to embed than a custom designed minimal component. Unfortunately, these embedded computers are as easy, sometimes easier, to hack as any desktop, laptop, or phone today.

In my book, Personal Cybersecurity, available at the Ferndale Public Library, I cited the case of an electric teakettle that was easily hacked into by “war drivers” cruising the neighborhood looking for open wireless networks to exploit. That was two years ago. Those kinds of exploits are more plentiful and easier today.

Using a cheap little circuit board with an entire PC on board, manufacturers can build the device cheaply and figure out how to use the computing and connectivity later. They can add new features after the device has been manufactured using standard programming. This has a downside. Hacking a refrigerator used to require specialized knowledge of custom controllers and software written in assembler for processors that only a few engineers ever heard of. Now, the code is in high level languages on hardware that is taught in high schools.

For example, Amazon has published simple methods for placing devices with embedded computers under voice control through their Alexa product. I expect projects like Alexa-controlled electric whoozits are showing up at high school science fairs. If Alexa can easily be made to control something, there is a good chance that a hacker can too.

On top of that, a small manufacturer has little or no incentive or expertise to build security into their network-controlled toasters. Companies like Microsoft, Apple, Google, and Facebook have regulators, reputations, and stockholders to hold them accountable to public opinion. A rash of house fires from hacked Apple toasters would send Apple stock into a tailspin, the lights would burn all night in Cupertino, and fixes would be issued in days. You might not even realize that a fix was made. Companies like Apple work that way.

But for a small, no-brand appliance manufacturer, odds are great that nothing would happen. These companies, often located in China or southeast Asia, manufacture a batch of appliances, sell no-brand batches to secondary vendors who label the devices and sell them to the consumer. The department store that sold the hacked toasters and the company that designed and manufactured them may only be loosely and temporarily connected. The manufacturer retains no knowledge of what happened to the vulnerable devices or how to contact the final owners. The seller may be accountable but that’s little comfort after the house burns down.

What can you do to be safe?

•    Read the specifications and manuals for electrical appliances carefully. Be aware of the device’s networking capabilities, especially wireless connections. The FCC requires all radio transmitting and receiving devices to register. An FCC ID number is a clue that the device can connect to a computer network, including the Internet.

•    If you don’t have a good use for remote connection of a device, turn the remote connection facility off. If you can’t turn remote access off, consider replacing the item. Chalk the expense up to lessons learned and sleep a little more soundly.

•    You may have a good use for connectivity. Surveillance cameras that you can access from your phone are an example. When properly secured, the risk of being hacked can be managed.

•    Before you buy, research. You can often find security-oriented reviews. Read the documentation on the device. If secure access to the device is not documented, don’t buy it. Find an equivalent device that is secured. Follow the security recommendations.

•    Many of these devices come with a default username like “admin” and a password like “password.” You must change these. The password is most important. Use a strong password. A long random sequence of upper- and lower-case letters, numbers, and symbols is best. The easier a password is to remember, the easier it is for a determined hacker to crack. Record the password safely. I use a password manager. Writing it down in a safe place is good too. If you lose the password, you may “brick” (permanently disable) the device.

•    Use caution with Bluetooth devices. Most are easy to eavesdrop on. Bluetooth can be secure, but it is often a hassle and manufacturers often skip security over convenience. I’ve written about Bluetooth security here.