pixel
Microsoft Announces End of Windows 10 Support

Microsoft Announces End of Windows 10 Support

As per the Microsoft blog post of April 27, 2023, Windows 10 support is coming to an end.

  • Windows 10 support will end on October 14, 2025.
  • The current version, 22H2, is the final version of Windows 10.
  • Monthly security updates will continue until October 14, 2025, but no new features will be added to the current version.

Microsoft (and your humble cybersecurity consultant) “highly encourage you” (Microsoft’s words) to transition to Windows 11.

If you are using a computer that cannot be upgraded to Windows 11, that is an indicator that your device is too old to implement current security protocols. That by itself should be a motivator to upgrade to a newer device. In addition, your old device is very likely to be at best 1/2-1/4 the speed and capacity of a newer device, leading to productivity problems. I’ve lost track of how many clients proclaimed to me after finally getting a newer computer “WOW! I never knew how slow I was with my old computer.”

Replace Text

FOR SALE: COUNTRYMAN MICROPHONE

FOR SALE: COUNTRYMAN MICROPHONE

Countryman E6 Unidirectional EarSet Microphone.

Model E6DP5L2.

Full product description <https://www.bhphotovideo.com/c/product/511342-REG/Countryman_E6DP5L2_E6_Unidirectional_EarSet_Microphone.html/reviews>

Used only a few days for testing purposes.

Considered one of the best miniature microphones for broadcast audio and singing.

List price: $630 (if you can find one).

Sale Price: $300.00. Buyer pays for shipping.

 

FOR SALE: CENTER CAM

FOR SALE: CENTER CAM

FOR SALE: CENTER CAM WEBCAM.

Never used. Excellent condition.

Full manufacturers description: <https://thecentercam.com>

Excellent solution for podcasting, zoom meetings, anywhere you are broadcasting and need to appear to be looking directly at your viewers instead of staring at the camera.

Small (1/2 x 1/2″) camera that hangs down the monitor, allows reading from the monitor, but with eyes still straight at camera.

Very good image quality.

List Price: $119.99.

Sale Price: $75.00. Buyer pays shipping.

Contact: Marc Mintz, 505.453.0479, marc@thepracticalparanoid.com

Replace this with hook info

Replace Explanation

FOR SALE: AUDIO-TECHNICA BP40 MICROPHONE

FOR SALE: AUDIO-TECHNICA BP40 MICROPHONE

AUDIO-TECHNICAL BP40 PROFESSIONAL BROADCAST MICROPHONE FOR SALE.

Full manufacturers description <https://www.audio-technica.com/en-us/bp40>

Excellent professional large diaphragm microphone with condenser-like sound. Very rugged design, outstanding vocal presence, with switchable 100 Hz high-pass filter to help quell pops.

Used only a few days for testing purposes.

List price: $349.00

Sale price: $250.00. Buyer pays for shipping.

Contact: Marc Mintz, 505.453.0479, marc@thepracticalparanoid.com

FOR SALE: APOGEE HYPEMIC

FOR SALE: APOGEE HYPEMIC

Apogee HypeMIC.

The Only USB Microphone with Built-in Analog Compression. 

Full manufacturers description <https://apogeedigital.com/products/hypemic>.

Excellent condition. Used only 3 days for testing purposes. Includes original box and all contents.

PureDIGITAL connection for pristine sound quality up to 24-bit/96kHz

Premium cardioid condenser microphone capsule

Headphone output with Blend feature offers zero latency recording

Premium accessories kit includes tripod, pop filter and carrying case

No configuration required, just plug in and record with any audio app

Compatible with iOS, macOS and Windows 10

Optimized for GarageBand, Logic, and Core Audio compatible apps on Mac.

List price: $349.

Sale price: $250. Buyer pays for shipping.

 

 

Huge Security Update with macOS 13.3 Ventura Released

Huge Security Update with macOS 13.3 Ventura Released

WHAT

Apple has released a major security update for macOS Ventura today (March 27, 2023) with version 13.3.

Although all compatible Macintosh computers will eventually auto-update, the sheer number of updates and the significance of the vulnerabilities fixed demand that a manual update be done ASAP.

HOW

To manually update your compatible Macintosh computer:

  1. Open Apple menu > System Settings > General > General.
  2. In the Updates area, tap Update.
  3. Allow the update to download, then install.

DETAILS

Listed below are all of the security updates included:

macOS Ventura 13.3

Released March 27, 2023

AMD

  • Impact: An app may be able to cause unexpected system termination or write kernel memory
  • Description: A buffer overflow issue was addressed with improved memory handling.

Apple Neural Engine

  • Impact: An app may be able to break out of its sandbox
  • Description: This issue was addressed with improved checks.

AppleMobileFileIntegrity

  • Impact: A user may gain access to protected parts of the file system
  • Description: The issue was addressed with improved checks.

AppleMobileFileIntegrity

  • Impact: An app may be able to access user-sensitive data
  • Description: This issue was addressed by removing the vulnerable code.

Archive Utility

  • Impact: An archive may be able to bypass Gatekeeper
  • Description: The issue was addressed with improved checks.

Calendar

  • Impact: Importing a maliciously crafted calendar invitation may exfiltrate user information
  • Description: Multiple validation issues were addressed with improved input sanitization.

Camera

  • Impact: A sandboxed app may be able to determine which app is currently using the camera
  • Description: The issue was addressed with additional restrictions on the observability of app states.

Carbon Core

  • Impact: Processing a maliciously crafted image may result in disclosure of process memory
  • Description: The issue was addressed with improved checks

ColorSync

  • Impact: An app may be able to read arbitrary files
  • Description: The issue was addressed with improved checks.

CommCenter

  • Impact: An app may be able to cause unexpected system termination or write kernel memory
  • Description: An out-of-bounds write issue was addressed with improved input validation.

CoreCapture

  • Impact: An app may be able to execute arbitrary code with kernel privileges
  • Description: The issue was addressed with improved memory handling.

curl

  • Impact: Multiple issues in curl
  • Description: Multiple issues were addressed by updating curl.

dcerpc

  • Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
  • Description: A memory initialization issue was addressed.

dcerpc

  • Impact: A user in a privileged network position may be able to cause a denial-of-service
  • Description: A denial-of-service issue was addressed with improved memory handling.

dcerpc

  • Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
  • Description: The issue was addressed with improved bounds checks.

dcerpc

  • Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory
  • Description: The issue was addressed with improved memory handling.

Display

  • Impact: An app may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed with improved state management.

FaceTime

  • Impact: An app may be able to access user-sensitive data
  • Description: A privacy issue was addressed by moving sensitive data to a more secure location.

Find My

  • Impact: An app may be able to read sensitive location information
  • Description: A privacy issue was addressed with improved private data redaction for log entries.

FontParser

  • Impact: Processing a maliciously crafted image may result in disclosure of process memory
  • Description: The issue was addressed with improved memory handling.

Foundation

  • Impact: Parsing a maliciously crafted plist may lead to an unexpected app termination or arbitrary code execution
  • Description: An integer overflow was addressed with improved input validation.

iCloud

  • Impact: A file from an iCloud shared-by-me folder may be able to bypass Gatekeeper
  • Description: This was addressed with additional checks by Gatekeeper on files downloaded from an iCloud shared-by-me folder.

Identity Services

  • Impact: An app may be able to access information about a user’s contacts
  • Description: A privacy issue was addressed with improved private data redaction for log entries.

ImageIO

  • Impact: Processing a maliciously crafted image may result in disclosure of process memory
  • Description: The issue was addressed with improved memory handling.

ImageIO

  • Impact: Processing a maliciously crafted image may result in disclosure of process memory
  • Description: An out-of-bounds read was addressed with improved input validation.

ImageIO

  • Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution
  • Description: An out-of-bounds read was addressed with improved bounds checking.

ImageIO

  • Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution
  • Description: A buffer overflow issue was addressed with improved memory handling.

Kernel

  • Impact: An app may be able to execute arbitrary code with kernel privileges
  • Description: A use after free issue was addressed with improved memory management.

Kernel

  • Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges
  • Description: The issue was addressed with improved memory handling.

Kernel

  • Impact: An app may be able to disclose kernel memory
  • Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

Kernel

  • Impact: An app may be able to disclose kernel memory
  • Description: A validation issue was addressed with improved input sanitization.

LaunchServices

  • Impact: Files downloaded from the internet may not have the quarantine flag applied
  • Description: This issue was addressed with improved checks.

LaunchServices

  • Impact: An app may be able to gain root privileges
  • Description: This issue was addressed with improved checks.

Model I/O

  • Impact: Processing a maliciously crafted file may lead to unexpected app termination or arbitrary code execution
  • Description: An out-of-bounds read was addressed with improved input validation.

NetworkExtension

  • Impact: A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device
  • Description: The issue was addressed with improved authentication.

PackageKit

  • Impact: An app may be able to modify protected parts of the file system
  • Description: A logic issue was addressed with improved checks.

Photos

  • Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup
  • Description: A logic issue was addressed with improved restrictions.

Podcasts

  • Impact: An app may be able to access user-sensitive data
  • Description: The issue was addressed with improved checks.

Safari

  • Impact: An app may bypass Gatekeeper checks
  • Description: A race condition was addressed with improved locking.

Sandbox

  • Impact: An app may be able to modify protected parts of the file system
  • Description: A logic issue was addressed with improved checks.

Sandbox

  • Impact: An app may be able to bypass Privacy preferences
  • Description: A logic issue was addressed with improved validation.

Shortcuts

  • Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user
  • Description: The issue was addressed with additional permissions checks.

System Settings

  • Impact: An app may be able to access user-sensitive data
  • Description: A privacy issue was addressed with improved private data redaction for log entries.

System Settings

  • Impact: An app may be able to read sensitive location information
  • Description: A permissions issue was addressed with improved validation.

TCC

  • Impact: An app may be able to access user-sensitive data
  • Description: This issue was addressed by removing the vulnerable code.

Vim

  • Impact: Multiple issues in Vim
  • Description: Multiple issues were addressed by updating to Vim version 9.0.1191.

WebKit

  • Impact: Processing maliciously crafted web content may bypass Same Origin Policy
  • Description: This issue was addressed with improved state management.

WebKit

  • Impact: A website may be able to track sensitive user information
  • Description: The issue was addressed by removing origin information.

XPC

  • Impact: An app may be able to break out of its sandbox
  • Description: This issue was addressed with a new entitlement.

 

Practical Paranoia Windows 11 Security Essentials New Edition Released

Practical Paranoia Windows 11 Security Essentials New Edition Released

Practical Paranoia Windows 11 Security Essentials version 6 has just been released!

This is a complete rewrite of the best-selling, easiest, and most comprehensive guide to securing your data and communications on your home and office PC.

This update includes new security and privacy tricks and tips, as well as updates for all sections.

Official workbook for the Practical Paranoia: Security Essentials Workshop, STEM and college cybersecurity courses. Designed for instructor-led, self-study, and DIY. The entire course is contained within the book. Includes all instructor presentations, hands-on assignments, links to all software, and security checklist.

You don’t need to be paranoid to know they are out there to get your computer, data, and identity.

  • 2,000,000 laptops were stolen or lost in the US last year.
  • Only 3% of stolen computers are ever recovered.
  • Malware attacks on Windows computers have become commonplace.
  • Hundreds of eyes may be able to see your name and password, along with the contents of every email you send.
  • It may take the bad guy under one minute to bypass your password to gain access to all your data.
  • With a slight bit of social engineering, your Microsoft, Facebook, LinkedIn, Google, and other social media accounts, along with all your data, is freely accessible.
  • Through PRISM and other avenues, our government has access to your online browsing and email history.

You don’t need to be a Microsoft Systems Engineer to protect your system!

In this easy, step-by-step guide, CIO, Security Specialist, and Certified Information Technology Consultant Marc L. Mintz and Glenn Norman take any Windows user-from the novice with no technical skills, to experienced IT professional-through the process of fully encrypting and hardening the security of their computer, data, email, documents, network, instant messaging, storage devices, browsing, and entire Internet experience.

Guaranteed to be the easiest to follow and most comprehensive Windows cybersecurity book available.

Readers with our Live! edition (available exclusively from https://thepracticalparanoid.com will automatically receive the update when next opening the book.

Readers of the Kindle edition will need to delete their current copy from their Kindle device, then visit their Kindle library to download the update.

Readers of the paperback edition can receive the update for either the Live! or paperback edition by following the instructions in their current book.

 

FBI Says Americans Lost a Record $10.3 Billion to Online Scammers in 2022

FBI Says Americans Lost a Record $10.3 Billion to Online Scammers in 2022

As reported in the Wall Street Journal March 14, 2023, the FBI has just announced that in 2022, Americans lost $10.3 billion to online scammers. This is up from $6.9 billion in 2021, although the total number of complaints in 2022 was slightly less than in 2021.

The FBI’s Internet Crime Complaint Center (IC3) received more than 800,000 complaints. The largest number of complaints – 300,000 – were for phishing expeditions. Phishing is typically unsolicited email, texts, or phone calls, claiming to be from a legitimate company, requesting your personal or financial information.

HOW TO PROTECT YOURSELF

SIGNS OF A SCAMMER

  • Claim to be from an organization you know, government agency or commercial business.
    • Suspect call: Current technology makes it easy for a scammer to fake a caller ID, so don’t trust what you see on your phone. Instead, ask for the full name of the caller, and what office they are located. Then visit the website for the main number, call it, and ask to be transferred to that local office to speak with the caller.
    • Suspect email: Current technology makes it easy for a scammer to fake their “sender” email name. Same rules apply as for suspect phone calls.
    • Suspect text. Ok, I don’t care to repeat myself (too much), Same as above!
  • Claim there is a problem or reward/prize.
    • This always requires that you provide some personal information so you can be sent the refund, or to resolve the “problem” with your account. Don’t buy it. Instead, look up the organizations main phone number, call, an inquire if there is actually an issue that needs to be addressed.
  • Claim that the issue requires IMMEDIATE attention.
    • This is perhaps THE indicator of a scam.
  • Claim that you must pay in a specific way.
    • This is almost always via cryptocurrency. RUN from this.

HOW TO AVOID A SCAM

It may be impossible to completely avoid being scammed, but you can make yourself a more difficult target.

  • Block or filter unknown callers and texts.
    • If there is a real issue, they will find an alternate avenue to communicate with you, such as a letter.
  • Don’t give out personal or financial information.
    • This includes your address, social security number, banking information, mothers maiden name, credit card information, etc.
  • Take a breather.
    • There will not be a situation where you just must respond immediately. You always have the option to call the main office to verify the issue, or to discuss the situation with a friend or loved one.
  • If you suspect a scammer, contact the Federal Trade Commission at ReportFraud.ftc.gov.

Q: What is the Most Secure Browser App?

Q: What is the Most Secure Browser App?

A: Browsers don’t get “hacked”. But your browser can release information regarding your internet travels.

  • Google has access to all of the sites you visit through Chrome.
  • Google has access to all of the searches you perform through Google Searches.
  • Browser plug-ins/extensions have access to your internet travel and searches.
  • Some (many/most?) browser plug-ins/extensions will forward this information to the plug-in/extension developer.
  • Some browser plug-ins/extensions are designed solely to forward this information to the developer – although they are marketed as though they are designed for another function.
  • Your Internet Service Provider – if your devices are configured to use them as your DNS service – has a record of all of your internet travel.
  • Your router may have a record of all your internet travel.

So it is not so much an issue of hacking your browser, it is more an issue of understanding where information regarding your searches and travels can be accessed.

Although there are many solutions, I find these are the simplest and least expensive:

  • Use Brave browser. It is configured by default to avoid leaking of your travels.
    • If you feel the need to take this up a level, use Tor browser instead. However, this additional security comes at the cost of significantly slower performance.
  • Use DuckDuckGo as your default search engine. DDG does not record your searches, and does not monetize your search history.
  • Use Cloudflare for your DNS. This can be done by manually setting your DNS to 1.1.1.1 and 1.0.0.1 (both Cloudflare servers). Cloudflare does not maintain a record of your DNS.
    • If you choose to use my recommended VPN service, NordVPN, it will automatically use their own secure DNS servers.
  • Do not install additional plug-ins/extensions to Brave. If you must install them, research to verify they are not reporting your activity to the developer.
    • One of the few plug-ins/extensions that I do recommend using is Trafficlight from Bitdefender. It prevents accessing malicious websites.
  • Use a quality Virtual Private Network (VPN) service. I’m fond of NordVPN. This will prevent anyone (other than NordVPN) from seeing your internet travels or DNS use.
Q: What Is the Best Firewall for macOS?

Q: What Is the Best Firewall for macOS?

A: Well, before I answer, let us take a step back to discover what a firewall does.

WHAT

A firewall may be a hardware box located on your network, or software installed on your device. The purpose of a firewall is to block unwanted traffic from entering the network or device, while allowing wanted traffic to pass in both directions.

The advantage of a hardware firewall is performance. It is able to manage vastly greater traffic than a software firewall, which is usually needed to protect a network of devices as is found in a home or business. However, it is also vastly more expensive with prices starting at around $500. Most internet modems and routers include a hardware firewall.

The advantages of a software firewall is cost and ease of use. They often are included with the device, and if they have a user interface, it usually is simple enough for even an untrained user to configure. macOS and Windows include a software firewall.

WHY

By “unwanted traffic” I mean traffic that has no reason to be present on your network or device. If it is present, at best the additional traffic will slow down your network or device, and at worst may be spying on the existing traffic (including usernames and passwords).

HOW

There are fundamentally two types of firewalls (for the pedantic amongst us, yes, I know there are many other types of firewalls, but let’s not get lost in the weeds).

The older type is rule-based. The network administrator manually configures settings based on the type of traffic (such as TCP or UDP–don’t sweat the details here), and the ports the traffic may or may not be granted access to. As there are 65,535 logical ports available, this can be a daunting task for any but highly trained administrators.

The newer type is a bit intelligent, usually called a Stateful Packet Inspection Firewall. It generally blocks any incoming traffic except for that which the user or device has already extended a welcome. For example, if the user opens a browser to Facebook, the Facebook servers can stream FB data back to the browser.

BACK TO THE ANSWER

For macOS, perhaps the best firewall for the device comes free with the operating system. macOS uses a stateful packet inspection firewall that requires minimal (if any) configuration. In fact, for most users, the only thing that need be done is to turn the firewall on! In my 37 years of IT consulting, I haven’t seen a need for another device firewall.

How to Enable the macOS 13 Firewall

  1. Open Apple menu > System Settings > Network > Firewall.
  2. Tap the switch to Enable the Firewall.
  3. Exit the System Settings.

 

 

80% of Google Play Store apps Data Privacy Labels are False or Misleading

80% of Google Play Store apps Data Privacy Labels are False or Misleading

WHAT

According to a Mozilla research paper released February 23, 2023, almost 80% of the apps reviewed on Google Play Store have false or misleading Data Privacy labels.

Highlighting the absurdity, both TikTok and Twitter Data Safety labels state they do not share your personal data with 3rd-parties. BUT… both apps explicitly state they share user info with advertisers, ISPs and other companies.

WHY

Remember that if you are not paying for it, you are the product! The #1 strategy companies use to deliver free services is to monetize the data they can harvest from you.

HOW To Protect Yourself

Ok, here we get into sensitive areas. I don’t think there are any angels within any billion (or trillion) dollar tech company. But there are some who make a measurable degree of effort to not be evil. To avoid my next lawsuit, I will not say Google isn’t one of them, but Apple may be.

If you are concerned over cybersecurity, internet privacy, and keeping big tech out of your private life, one way is to avoid doing business with those whose business model explicitly details how to harvest as much data from their consumers as is possible. THAT will require giving thought to if you wish to remain on the Android environment.

For me, personally and for my family and business, we have migrated to Apple. Does the hardware cost more? Sometimes (compare a high-end Samsung, Asus, or Lenovo computer, tablet, or phone to a similar Apple device, and any difference in purchase cost isn’t much more than a rounding error. But what you get back in terms of privacy and security is priceless

Why You Should Be Using a USB Data Blocker

Why You Should Be Using a USB Data Blocker

In preparing for a business trip to Boston in the coming weeks I realized a serious cybersecurity vulnerability that is becoming more common at airports, coffee shops, and other locations people tend to congregate and charge their phones and computers. And lucky you, I’ve never discussed it before.

The vulnerability is often called juice jacking, and works like this:

  1. The potential victim is running low on power for their electronic device, and is in need of finding a charging port. These are typically USB A ports found at or near an AC power outlet.
  2. Unbeknown to the potential victim, the USB charging port has been modified such that it pulls data from the device while it is charging the device. 
  3. So in the process of charging, all of your data stored on the device is being sent to the criminal over the USB cable.

How This Works

The USB A connector typically used as a charging port has four wires. Two are for power, and two are for data. The criminal only has to route the two data wires to their own device (wired or wireless), and the victim is none the wiser.

The situation with juice jacking has become prevalent enough that the Los Angeles District Attorney issued a travel advisor in 2019 warning travelers about the threat.

How To Take Action

There are several options to effectively prevent being juice jacked:

  • Use your own USB power adapter to plug into an AC outlet, and then use a USB cable to connect the power adapter and your device.
  • Use a small hand-held charging battery with a USB cable connecting it to your device.
  • Use a USB Data Blocker plugged into the USB charging port, with a USB cable to connect between the Data Blocker and your device.

USB Data Blocker

A USB data blocker is not much more than a device that looks something like a USB flash drive, that has a male end to plug into a USB charging port, a female end into which you plug your USB cable, which then connects to your device.

The USB data blocker does its work by only having the two power wires, while missing the two data wires.This makes it impossible for any data to be pulled from your device.

Data blockers typically sell for under $10 each and may be purchased from Amazon and many other electronics retailers.

And They Lived Happily Ever After

So splurge on the $10, order yourself a USB data blocker, and keep it in your pocket for the next time you need to charge your device outside of your home.

Practical Paranoia macOS 13 Online Workshop Now Only $75

Practical Paranoia macOS 13 Online Workshop Now Only $75

Practical Paranoia Online Workshops

Our online workshops provide the same Award-Winning Best-In-Class learning experience we have delivered to government, businesses, IT support staff, colleges, and thousands of non-technical users.

  • Do you think learning cyber hygiene is above your pay grade? Our workshops have been enjoyed by participants as young as 12 and as old as 91. If you can use your device for every day tasks, you will successfully complete the workshop!
  • Are you overwhelmed by fears of hacking, malware, and ransomware? Trust us, we get it. Ever since Edward Snowden opened our eyes with the release of how the NSA and others spy on our every digital step, the media overwhelms us with new stories of the demise of internet privacy. But YOU don’t need to be a passive victim. With the easy step-by-step process learned in this workshop, you take an active roll in protecting your own, your family, and your business security.
  • Do you believe you aren’t vulnerable? Every single digital device that has a connection to the internet or local network is vulnerable.

Cyber Hygiene Statistics

  • Cyber perils are the biggest concern for companies globally. (Allianz Risk Barometer)
  • 93% of company networks can be penetrated. (From a study of pen testing projects from Positive Technologies)
    • Home networks are far more vulnerable.
  • Cyber attacks increased 50% year over year. (cybersecurityintelligence.com).
  • Ransomware cost the world $20 billion in 2021, and is expected to rise to $265 billion by 2031. (cloud wards.net)
  • Average time to identify a breach is 212 days. (IBM)
  • Average time from breach identification to containment is 286 days. (IBM)
    • That is an average of 498 days from data breach to containment. It only takes a few minutes to drain all of your bank accounts, run up all your credit cards, a day to purchase a car in your name, and a month to complete the purchase of a home in your name–all to be enjoyed by the criminal.
  • Personal data is involved in 45% of breaches. (Verizon)
  • 64% of Americans have never checked to see if they are affected by a data breach. (Varonis)
  • 56% of Americans don’t know what steps to take in the event of a breach. (Varonis)

What You Will Learn

In your workshop you will not only learn how cyber attacks impact you, but how to take over 80 quick, easy, and effective countermeasures.

  • Prevent data loss
  • Create strong passwords–without having to remember them!
  • Automate system and application updates and security patches
  • Root, Administrator, Standard User, Managed User–choose the right type of account
  • Full drive encryption for both the boot storage and external storage
  • How to choose the best antivirus utility
  • How to configure your device firewall
  • Find a lost or stolen device
  • Secure your local network and Bluetooth
  • Secure your internet browsing from government, advertisers, Internet Service Provider, and employer
  • How to automatically encrypt your email
  • How to encrypt any file
  • Enable secure encrypted voice, video, and text communications
  • Protect your social media from identity theft
  • How to use your smartphone for health and safety emergencies
  • How to securely prepare your device for sale, giveaway, or disposal

Guaranteed to be the Best Workshop

We guarantee the Practical Paranoia Online Workshops to be the easiest and most comprehensive programs of their kind. Each course is lead by Marc Louis Mintz, TPP Program Director, or one of our senior authors, and includes:

  • One copy of Practical Paranoia Security Essentials Live! edition (a $64.95 value).
  • The full course presented online, viewable on any internet-connected computer, tablet, smartphone, or smart TV.
  • Live Instructor Hours with a course leader to help answer course-related cybersecurity and internet privacy questions.
  • Final exam.
  • Certificate of Completion signed by Marc L. Mintz.

Course length: 15 hours.

Workshop prerequisites: Basic end-user knowledge and skills for the platform of choice. If you know how to tap, double-tap, and save a file, we will guide you the rest of the way.

Hours: The next workshop (focusing on macOS 13) will be taught live starting Monday, March 6, 2023, 12pm mt. After each session is completed, the recording of the session will be available within 48 hours.

Register now: Visit https://thepracticalparanoid.com/product/online-courses/ to register for this workshop. Register before March 1, 2023 to receive a $200 discount and participate in our live sessions.

Q: How Can I Prevent My Email ID From Being Compromised in a Data Breach?

Q: How Can I Prevent My Email ID From Being Compromised in a Data Breach?

Hacked Account

A: Ok, this question wins the “Thoughtful Question of the Week” award. Please forgive my more thoughtful (ie: long-winded) answer.

Although you and I may be able to dedicate tremendous time and energy to securing our devices and internet travels, we cannot do much about what happens to a web server that is out of our control and is involved in a data breach.

For example, let’s say we do online business with shoestringsrus.com (one can never have too many shoestrings). Then this weekend hackers somehow gain access to the shoestringsrus.com web server, including a dump of all 37 user accounts that have completed purchases on the site. The company webmaster maintained all user accounts data on the one device. This includes the user email address, password, credit card, purchase history, shipping address.

Even if the database is encrypted, the hackers have the time and resources to brute force the database password, and eventually gain full access to all of the data contained within.

Most people, once notified of the breach, would be concerned about their password getting out. But not you and me. Nope! That’s because we took the Practical Paranoia Security Essentials Online Course where we learned to create a unique password for every site and service just in case something like this happened. You see, if one uses the same password for most sites, then once one of those sites is breached, the hackers have software to use your email address and password to automatically attempt access to all banks, credit cards, and retailers in just seconds.

But if using the same password on many sites is dangerous, isn’t using the same username (almost always your email address) also a potential danger?

Yes, it can be. Not so much because of the automated attempts to access banks, etc., but because of social engineering and phishing. The hackers could use knowledge of your email address to target your email address and you with a tailored email.

Getting back to the question, no. You can’t prevent your email ID from being compromised any more than you can prevent your password from the breach. BUT… There is something you can do to help lessen the impact. This is done using a strategy similar to that used with passwords. Use a different email address for each site and service.

You don’t have to sign up for dozens or hundreds of email addresses. Instead, you can create aliases of your existing email. When using an alias, all email sent to the alias ends up in your normal inbox. Then by using your email app filters or rules, you can automate how these accounts are handled.

I visit and know such sites tend to fill up your inbox with junk. I will give this alias the name junk.marc@thepracticalparanoid.com. I can then create a rule or filter that says “if an email addressed to junk.marc@thepracticalparanoid.com is in the inbox, send it to the Trash”.

As another example, say I use the alias shoestringsrus.marc@thepracticalparanoid.com as my username/email address for my valued shoestringsrus.com account. If I get an email addressed to this alias that has nothing to do with shoestringsrus, I can be pretty sure they either sold my  data or were compromised. This would be a good time to change my password with them.

HOW TO CREATE AN ALIAS

There are different ways to create an alias depending on where the email is hosted.

GOOGLE

In the case of a Google email which I use for marcmintz@gmail.com, periods are not recognized. So while marcmintz@gmail.com is the actual email, but I can make an instant alias simply by adding periods, such as: marc.mintz@gmail.com, m.a.r.c.m.i.n.t.z@gmail.com, etc. Note this does not work with personalized domains, such as marc@thepracticalparanoid.com.

Google also allows instant alias creation by using the + sign immediately after your name, and before the @ sign. So marc+mintz@thepracticalparanoid.com will come to my inbox with no further effort. This works for both @gmail.com and personalized domains.

OUTLOOK.COM

If you have an Outlook.com account, open a browser to https://account.live.com/names/Manage to add aliases to your existing account.

APPLE

If you have an @mac.com or @icloud.com email, you can use the + in the same way as with a Gmail account. But Apple includes an even better option they have named Hide My Email.

If you are running macOS 12 or iOS/iPadOS 15 or higher, Hide My Email can be found in Settings > Apple ID > iCloud > Hide My Email. If you are running an earlier OS, Hide My Email may be a great reason to upgrade.

With Hide My Email, you can have an unlimited number of randomly generated aliases, all pointing back to your @mac.com or @icloud.com inbox. But  it does take a few minutes of preparation.

To set up Hide My Email:

  1. Open System Settings > Apple ID > iCloud > Hide My Email.
  2. Select the Options button.
  3. In the Hide My Email window, select + (Create New Address).
  4. A window opens with a new randomly generated address.
  5. Tap the Continue button.
  6. In the Label Your Address window, assign a Label and a Note to help remember how you are using the alias.
  7. From now on, this alias can be used anywhere an email address is requested, but you don’t want to reveal your real address.

OTHER EMAIL

If you use email from another hosting service, contact their technical support. Most do offer aliases, but each has a slightly different take on the process.

Practical Paranoia
Security Essentials Online Course
Starts March 6, 2023

The field of cybersecurity and internet privacy has for too long been the domain of the Information Technology elite. This has served to make their hourly rates beyond the reach of most of us mortals. And because almost everyone outside of the Fortune 500 lacks access to an IT Security Consultant, we pay another type of price:

  • Only 5% of Companies’ Folder are Properly Protected (Forbes).
  • Cyber Attacks are More Likely to Bring Down a Fighter Jet than Missiles (interestingengineering.com).
  • Over 90% of all Healthcare Organizations Reported at Lease One Security Breach in the Last Three Years (beckershospitalreview.com).
  • Cybercrime is Projected to Cost the World $10.5 Trillion Annually by 2025 (cybersecurctyventures.com).
  • The Average Cost of a Data Breach was $3.86 Million in 2020.
  • 95% of Cybersecurity Breaches are caused by Human Error (World Economic Forum).
  • Data Breaches Exposed 22 Billion Records in 2021 (RiskBased Security).
  • In 2021, 40% of Breaches Were Due to Phishing, 11% From Malware, and 22% From Hacking (Verizon).
  • The Average Cost of a Data Breach to a Business is $4.24 Million in 2021 (IBM).
  • The Average Time to Identify a Breach in 2021 was 212 Days (IBM).
  • Personal Data is Involved in 45% of Data Breaches (Verizon).
  • 56% of Americans Don’t Know What Steps to Take in the Event of a Data Breach (Varnish).

Cybersecurity and Internet Privacy impact each of us, often without even knowing it has happened!

For over nine years The Practical Paranoid has published the best-selling, easiest, and most comprehensive guides to securing data and communications for both home and business users.

And now we are offering the same quick, easy, and accessible training we have provided to government, hospitals, businesses, and IT professionals to YOU! Our Practical Paranoia Security Essentials Online Course will take any user with basic computer skills, and give them the knowledge and skills to secure their device, data, and communications.

Our exclusive online course includes:

  • A copy of Practical Paranoia macOS 13 Security Essentials book ($64.95 value) in LIVE! Format.
    • LIVE! books are continuously updated until the next OS version is announced. They also allow the user to send the instructor questions directly from the book.
  • The entire course in live Zoom format, accessible from your computer, smartphone, tablet, or Smart TV.
  • Miss a live session? A recorded replay of each live session is available within 48 hours.
  • Instructor available to answer your questions via Zoom.
  • Certificate of Completion mailed to you at the completion of your course.

This course is normally offered at $275 per participant. But, if you order before March 1, 2023 a $200 discount will be applied making your total cost just $75!

GUARANTEE

After completing this course if you do not agree that this is the easiest and most comprehensive program of its kind, we will issue a full refund.

Visit https://thepracticalparanoid.com for more information and to register.

Q: How Do I Make a Password That Can’t be Easily Guessed?

Q: How Do I Make a Password That Can’t be Easily Guessed?

1Password

A: As with so many things in life, the trick is to craft a proper question! 

In the distant past (well, distant in IT terms) hackers would crack passwords by knowing a bit about the user. Things like birthdays, names of loved ones and pets, phone number, character names from Star Wars and Star Trek could be used to quickly crack around 90% of passwords. And although many users still use such passwords, hackers no longer need to know you. 

Instead, modern account hacking uses software to automate entry of potential passwords. At a fundamental level, the software starts with a, then b, then c, eventually going to z. If these don’t open the account it tries again with aa, then ab, then ac, and so forth until the combination of uppercase, lowercase, numerals, and special characters is found that opens the account.

This may look like it would take a very long time to be effective. Even with an off-the-shelf computer it is possible to try upwards of 80,000,000 attempts per second, But keep in mind the ability to scale the process. By upgrading to using a server farm or a botnet, the hacker may be able to increase throughput 10,000-100,000 fold. This makes cracking a typical 8-character password possible in just minutes.

This is the reason I strongly recommend that every password be a minimum of 16 characters in length, with many industry professionals saying that should be a minimum of 24 characters. With each additional character in length, a password becomes logarithmically more difficult to hack. Eventually the hacker will give up on your account and move on to an easier target.

The Bigger Problem

In my 30+ years dealing with cybersecurity, the second hardest thing for me to convince clients to do is create long passwords (or passphrases). However the #1 problem has been to convince clients to use a different password for everything.

Trust me, I understand how impossible it is to remember more than a few passwords. But that isn’t a reasonable excuse–because you have much better and bigger things to do with your mind than to remember hundreds of passwords. Instead, use a password manager utility to create and remember all of your passwords. 

If you follow the path of “most people”, you will have just a few passwords that are used repeatedly for all of your visited sites. If so, then when one of these sites is hacked, and the hackers take all 100,000,000 user account credentials with them, they have all the time in the world to break these passwords offline. Once they have your password, they have software to automate using your username and password on every banking, credit card, and retail site on the internet. Often within minutes they will successfully access many of your accounts and most of your money.

So the answer to your question is:

  • Use a password manager utility to create and remember your passwords.
  • Passwords should be at least 16 characters in length, the longer the better.
  • Use a different password for every site and service.

 

GoodRx “Leaked” Your Data to Facebook and Google

GoodRx “Leaked” Your Data to Facebook and Google

As reported in the New York Times on February 1, 2023, GoodRx, the drug discount apps used by millions Americans was found by the Federal Trade Commission of “sharing sensitive personal data on millions of users’ prescription medications and illnesses with companies like Facebook and Google without authorization.”

By sharing your personal information without authorization, GoodRx violated a federal rule requiring such apps and fitness trackers to notify the consumer of data breaches.

My family and I use GoodRx, and have found that the discounts on prescription medication is often better than what our paid-for medical insurance can deliver.

I’ve wondered from day one with GoodRx how they were able to provide such deep discounts, or put another way, how are they monetizing the discounted medication game? I must be getting old, after all, I’m the guy who continuously spouts “If you aren’t paying for it, YOU are the product.”

And apparently this was the case with GoodRx.

Between 2017 and 2020 GoodRx uploaded their user contact information to Facebook so GoodRx could identify their users’ social media profiles.

GoodRx would then use that personal information to target users for medication ads on Facebook and Instagram. The FTC stated that this personal information was then available to Facebook (as is any and all information shared on Facebook).

ahhh… Capitalism at its finest.

Free Practical Paranoia Security Essentials Books

Free Practical Paranoia Security Essentials Books

WHAT

All of our Practical Paranoia Security Essentials books are guaranteed to be the easiest and most comprehensive cybersecurity and internet privacy books available for Android, ChromeOS, iOS and iPadOS, macOS, and Windows users. And now the first 50 people who respond can get a free copy of our EPUB version downloadable from Apple Books.

And now we can guarantee that we are also the most affordable. It doesn’t get any better than FREE! All we ask in return is to take a few minutes to write an honest review of your book on Apple Books.

WHO

This giveaway is available to the first 50 respondents. As this giveaway is for EPUB books on Apple Books, you will need an iPhone, iPad, or macOS computer with the free Apple Books app to access your free book. In exchange for your free book, we ask only that you leave a book review on Apple Books.

Although all of our books are based on industry best practices from Apple, Google, Microsoft, NSA, DoD, and NIST, each is designed and written with the non-technical user in mind. Our workshops have included students as young as 12 years old, and yes they were both having fun and mastering the skills with ease.

WHEN

Respond between January 28 and February 14, 2023  to receive your free copy of any of our Practical Paranoia Security Essentials booksYou must download your free copy on or before February 14, 2023.

WHERE

We are partnering with Apple Books to bring you the very best cybersecurity and internet privacy books available. You must have a (free) Apple Books account (if you use an Apple iPhone, iPad, or macOS computer, you already have an account under your Apple ID).

HOW

To receive your personal code for a free EPUB copy of Practical Paranoia ChromeOS Security Essentials:

  1. Send an email to: info@thepracticalparanoid.com, with the Subject Line of “Free Book”, with your full name, email address, and phone number in the body of the message.
  2. Your personal redemption code will be emailed to you within 24 hours.
  3. Once you have received your personal redemption code, open the Books app on your iPhone, iPad, or macOS computer, search for “Practical Paranoia” to locate your target book.
  4. Select the Download option, then enter your personal redemption code at checkout.
  5. The book will download to your device. If you have other Apple devices, you can use the Books app on those devices to download a copy of your book to them as well.
  6. After reading your book, open the Books app to leave a book review for Practical Paranoia ChromeOS Security Essentials.
  7. NOTE: We continuously update all of our books as new OS security features become available. You can update your copy to the latest version at any time by deleting the copy on your device, then opening the Books app to download the most recent version. All for free!

WHY

Although the Practical Paranoia Security Essentials books have been the #1 consumer DIY cybersecurity book series for over 9 years, they have never before been available in EPUB format or on Apple Books. To help boost awareness of our latest book store we are offering our books to a limited number of reviewers for free.

FOR MORE INFORMATION

Please visit our website at https://thepracticalparanoid.com, or email us at info@thepracticalparanoid.com.

 

Practical Paranoia ChromeOS Security Essentials Book Giveaway!

Practical Paranoia ChromeOS Security Essentials Book Giveaway!

WHAT

Practical Paranoia ChromeOS Security Essentials is guaranteed to be the easiest and most comprehensive cybersecurity and internet privacy book available for Chromebook users. And now the first 50 people who respond can get a free copy of our EPUB version downloadable from Apple Books.

WHO

This giveaway is available to the first 50 respondents. As this giveaway is for EPUB books on Apple Books, you will need an iPhone, iPad, or macOS computer with the free Apple Books app in order to access your free book. In exchange for your free book, we ask only that you leave a book review on Apple Books.

WHEN

Respond between January 28 and February 14, 2023  to receive your free copy of Practical Paranoia ChromeOS Security Essentials. Your must download your free copy on or before February 14, 2023.

WHERE

We are partnering with Apple Books to bring you the very best ChromeOS cybersecurity and internet privacy book available. You must have a (free) Apple Books account (if you use an Apple iPhone, iPad, or macOS computer, you already have an account under your Apple ID).

HOW

To receive your personal code for a free EPUB copy of Practical Paranoia ChromeOS Security Essentials:

  1. Send an email to: info@thepracticalparanoid.com, with the Subject Line of “ChromeOS Giveaway”, with your full name and phone number in the body of the message.
  2. Your personal redemption code will be emailed to you within 24 hours.
  3. Once you have received your personal redemption code, open the Books app on your iPhone, iPad, or macOS computer, search for “Practical Paranoia ChromeOS Security Essentials” to locate your target book.
  4. Select the Download option, then enter your personal redemption code at checkout.
  5. The book will download to your device. If you have other Apple devices, you can use the Books app on those devices to download a copy of your book to them as well.
  6. After reading your book, open the Books app to leave a book review for Practical Paranoia ChromeOS Security Essentials.
  7. NOTE: We continuously update all of our books as new OS security features become available. You can update your copy to the latest version at any time by deleting the copy on your device, then opening the Books app to download the most recent version. All for free!

WHY

Although the Practical Paranoia Security Essentials books have been the #1 consumer DIY cybersecurity book series for over 9 years, they have never before been available in EPUB format or on Apple Books. To help boost awareness of our latest book store we are offering our books to a limited number of reviewers for free. Our other books (Android 13, iOS 16, macOS 13, and Windows 11) will also have the same offer available.

FOR MORE INFORMATION

Please visit our website at https://thepracticalparanoid.com, or email us at info@thepracticalparanoid.com.

Social Media in the After Life

Social Media in the After Life

What Happens to Us After Our Death?

Ok, perhaps I’ve bitten off more than I can chew with that question. So how about an easier one…

What Happens to Our Social Media After Our Death?

THIS I can deal with!

Most social media sites have some mechanism in place to deal with your data or account in the event of your death. If you do not configure these ahead of time, it is possible that nobody will be able to either access your data or take your account down. As configuring how social media should deal with your accounts takes only a minute or two, now is. a great time to do so.

Apple and iCloud Account Recovery and Legacy Contact

Apple recently introduced Account Recovery and Legacy Contact with iOS 15 and macOS 12. These features work together to ensure that a trusted loved one or friend has the ability to manager your Apple ID and iCloud accounts. To configure this:

Trusted Phone Numbers

  1. Open System Settings > Apple ID > Password & Security. The Password & Security widow opens.
  2. In the Trusted Phone Numbers area, add the phone number(s) that can be used to verify your identity when signing in on a different device.

Account Recovery

  1. Tap the Account Recovery Manage… The Account Recovery window opens:
  2. Tap the + button, then follow the onscreen instructions to add contact information for someone you trust.
  3. Select the Recovery Key Manage button, then follow the onscreen instructions to create a recovery key.
  4. When complete, tap the Done

Legacy Contact

  1. Select the Legacy Contact Manage button, then follow the onscreen instructions to add contact information for someone to access your account after your death.
  2. When complete, tap the Done button.

Automatic Verification

  1. Enable Automatic Verification to help bypass CAPTCHA’s.
  2. Close System Settings.

Trusted Phone Numbers

Used to verify your identity when signing in on a different device or browser.

  1. In the Trusted phone numbers field, tap Edit.
  2. Enter at least one phone number that can send you text or voice messages, then tap Done.

Facebook Memorialization Settings

When you are no longer around to look after your Facebook site, what happens to your data? Facebook has you covered with its Memorialization Settings.

  1. Open a browser to your Facebook page.
  2. Tap on your avatar in the upper right corner > Settings & Privacy > Settings. Verify the heading is General profile settings.
  3. In the Memorialization settings area, tap Edit.
  4. Configure to your taste, then Save.

Google Digital Legacy

Perhaps Google makes the process the easiest of all.

  1. Open a browser to Google Inactive Account Manager at https://myaccount.google.com/u/2/inactive, then follow the on-screen instructions to complete this section detailing what happens to your account should it become inactive.

LinkedIn Memorialize Account

LinkedIn takes a more “legalized’ approach, more akin to providing bank account access.

If You Are Not Authorized to Act on Behalf of the Deceased LinkedIn Member

  1. Open a browser to https://www.linkedin.com/help/linkedin/ask/TS-RDMLP
  2. Complete the online form, then tap the Submit button.

If You Are Authorized to Act on Behalf of the Deceased LinkedIn Member

  1. Gather the required forms and information:
  • Deceased member’s full name
  • URL to their LinkedIn profile
  • Deceased member’s email address
  • Date of deceased member’s passing
  • Copy of death certificate

You will need one of the following to show you have the authority to act on behalf of the deceased member:

  • Letters of Administration issued by a court
  • Letters of Testamentary issued by a court
  • Letters of Representation issued by a court
  • Other court order appointing the requestor as an authorized representative for the deceased member’s estate
  1. Open a browser to https://www.linkedin.com/help/linkedin/ask/ts-rmdmlp
  2. Complete the online form, then tap the Submit button.

Access Microsoft Accounts After Death

It is far easier to allow a trusted loved one or friend to access your Microsoft accounts (Outlook.com, OneDrive, etc.) if they have your account credentials. For security and privacy concerns, you don’t need to provide the credentials during your life. Instead, your credentials can be provided to them as part of your Last Will and Testament.

However, Microsoft has mechanisms in place should that information not be available.

Time Frame Concerns

If your Microsoft account has not been accessed in two years, it will be automatically closed, and all data deleted.

Access to Microsoft Accounts Without Knowledge of Credentials

This is where the lawyers and courts come in. Microsoft must be formally served with a subpoena or court order to consider if account access will be granted. For more information, please visit https://support.microsoft.com/en-us/office/accessing-outlook-com-onedrive-and-other-microsoft-services-when-someone-has-died-ebbd2860-917e-4b39-9913-212362da6b2f

Even More Importantly, Secure Your Data and Communications NOW!

The Practical Paranoid, LLC. has been the industry leader in providing the easiest, step-by-step, and most comprehensive DIY guides to secure your data and communications on your home and office computers, phones, and tablets for over nine years.

Our books are so easy that even our students as young as twelve years old master security and privacy. Our books are so comprehensive they are used in high school STEM courses and college and trade-school computer security courses.

We are so confident that we offer all of our books with a 100% satisfaction guarantee!

Visit https://thepracticalparanoid.com today to peruse and buy any of our books.

Practical Paranoia ChromeOS Security Essentials Book Giveaway!

NEW Practical Paranoia ChromeOS Security Essentials Released!

Welcome the newest member to our family–Practical Paranoia ChromeOS Security Essentials!

One of the strongest features of ChromeOS and Chromebooks is the baked-in security. And while this is true (at least relative to Windows), there are still many areas of vulnerability that most Chromebook users (and even IT professionals) don’t know about. For example:

  • Data corruption and loss.
  • Lack of encryption for external storage devices.
  • Easily cracked passwords.
  • App vulnerabilities.
  • Browser vulnerabilities.
  • ISP and administrator ability to track your web activity–even in real time!
  • Unencrypted text, audio, and video communications.
  • Sensitive metadata contained in PDF’s, office files, images, even audio files easily viewed by others.
  • The list goes on.

Practical Paranoia ChromeOS Security Essentials shows you how to quickly and easily fix these and over 90 more vulnerabilities without any technical knowledge or skills!

All Practical Paranoia book are available in three formats:

  • Paperback. Available from Amazon and all fine booksellers.
  • Kindle. Available from Amazon.
  • Live! Available from The Practical Paranoid. We recommend the Live! version, as it is continuously updated with the latest version available on any computer, smartphone, and tablet.

Visit The Practical Paranoid (https://thepracticalparanoid.com) now to view a sample of all our books, and to purchase your own copy.