Practical Paranoia Windows 11 Security Essentials version 6 has just been released!

This is a complete rewrite of the best-selling, easiest, and most comprehensive guide to securing your data and communications on your home and office PC.

This update includes new security and privacy tricks and tips, as well as updates for all sections.

Official workbook for the Practical Paranoia: Security Essentials Workshop, STEM and college cybersecurity courses. Designed for instructor-led, self-study, and DIY. The entire course is contained within the book. Includes all instructor presentations, hands-on assignments, links to all software, and security checklist.

You don’t need to be paranoid to know they are out there to get your computer, data, and identity.

• 2,000,000 laptops were stolen or lost in the US last year.
• Only 3% of stolen computers are ever recovered.
• Malware attacks on Windows computers have become commonplace.
• Hundreds of eyes may be able to see your name and password, along with the contents of every email you send.
• It may take the bad guy under one minute to bypass your password to gain access to all your data.
• With a slight bit of social engineering, your Microsoft, Facebook, LinkedIn, Google, and other social media accounts, along with all your data, is freely accessible.
• Through PRISM and other avenues, our government has access to your online browsing and email history.

You don’t need to be a Microsoft Systems Engineer to protect your system!

In this easy, step-by-step guide, CIO, Security Specialist, and Certified Information Technology Consultant Marc L. Mintz and Glenn Norman take any Windows user-from the novice with no technical skills, to experienced IT professional-through the process of fully encrypting and hardening the security of their computer, data, email, documents, network, instant messaging, storage devices, browsing, and entire Internet experience.

Guaranteed to be the easiest to follow and most comprehensive Windows cybersecurity book available.

Readers with our Live! edition (available exclusively from https://thepracticalparanoid.com will automatically receive the update when next opening the book.

Readers of the Kindle edition will need to delete their current copy from their Kindle device, then visit their Kindle library to download the update.

Readers of the paperback edition can receive the update for either the Live! or paperback edition by following the instructions in their current book.

​

As reported in the Wall Street Journal March 14, 2023, the FBI has just announced that in 2022, Americans lost $10.3 billion to online scammers. This is up from $6.9 billion in 2021, although the total number of complaints in 2022 was slightly less than in 2021.

The FBI’s Internet Crime Complaint Center (IC3) received more than 800,000 complaints. The largest number of complaints – 300,000 – were for phishing expeditions. Phishing is typically unsolicited email, texts, or phone calls, claiming to be from a legitimate company, requesting your personal or financial information.

HOW TO PROTECT YOURSELF

SIGNS OF A SCAMMER

• Claim to be from an organization you know, government agency or commercial business.
  • Suspect call: Current technology makes it easy for a scammer to fake a caller ID, so don’t trust what you see on your phone. Instead, ask for the full name of the caller, and what office they are located. Then visit the website for the main number, call it, and ask to be transferred to that local office to speak with the caller.
  • Suspect email: Current technology makes it easy for a scammer to fake their “sender” email name. Same rules apply as for suspect phone calls.
  • Suspect text. Ok, I don’t care to repeat myself (too much), Same as above!
• Claim there is a problem or reward/prize.
  • This always requires that you provide some personal information so you can be sent the refund, or to resolve the “problem” with your account. Don’t buy it. Instead, look up the organizations main phone number, call, an inquire if there is actually an issue that needs to be addressed.
• Claim that the issue requires IMMEDIATE attention.
  • This is perhaps THE indicator of a scam.
• Claim that you must pay in a specific way.
  • This is almost always via cryptocurrency. RUN from this.

HOW TO AVOID A SCAM

It may be impossible to completely avoid being scammed, but you can make yourself a more difficult target.

• Block or filter unknown callers and texts.
  • If there is a real issue, they will find an alternate avenue to communicate with you, such as a letter.
• Don’t give out personal or financial information.
  • This includes your address, social security number, banking information, mothers maiden name, credit card information, etc.
• Take a breather.
  • There will not be a situation where you just must respond immediately. You always have the option to call the main office to verify the issue, or to discuss the situation with a friend or loved one.
• If you suspect a scammer, contact the Federal Trade Commission at ReportFraud.ftc.gov.

A: Browsers don’t get “hacked”. But your browser can release information regarding your internet travels.

• Google has access to all of the sites you visit through Chrome.
• Google has access to all of the searches you perform through Google Searches.
• Browser plug-ins/extensions have access to your internet travel and searches.
• Some (many/most?) browser plug-ins/extensions will forward this information to the plug-in/extension developer.
• Some browser plug-ins/extensions are designed solely to forward this information to the developer – although they are marketed as though they are designed for another function.
• Your Internet Service Provider – if your devices are configured to use them as your DNS service – has a record of all of your internet travel.
• Your router may have a record of all your internet travel.

So it is not so much an issue of hacking your browser, it is more an issue of understanding where information regarding your searches and travels can be accessed.

Although there are many solutions, I find these are the simplest and least expensive:

• Use Brave browser. It is configured by default to avoid leaking of your travels.
  • If you feel the need to take this up a level, use Tor browser instead. However, this additional security comes at the cost of significantly slower performance.
• Use DuckDuckGo as your default search engine. DDG does not record your searches, and does not monetize your search history.
• Use Cloudflare for your DNS. This can be done by manually setting your DNS to 1.1.1.1 and 1.0.0.1 (both Cloudflare servers). Cloudflare does not maintain a record of your DNS.
  • If you choose to use my recommended VPN service, NordVPN, it will automatically use their own secure DNS servers.
• Do not install additional plug-ins/extensions to Brave. If you must install them, research to verify they are not reporting your activity to the developer.
  • One of the few plug-ins/extensions that I do recommend using is Trafficlight from Bitdefender. It prevents accessing malicious websites.
• Use a quality Virtual Private Network (VPN) service. I’m fond of NordVPN. This will prevent anyone (other than NordVPN) from seeing your internet travels or DNS use.

A: Well, before I answer, let us take a step back to discover what a firewall does.

WHAT

A firewall may be a hardware box located on your network, or software installed on your device. The purpose of a firewall is to block unwanted traffic from entering the network or device, while allowing wanted traffic to pass in both directions.

The advantage of a hardware firewall is performance. It is able to manage vastly greater traffic than a software firewall, which is usually needed to protect a network of devices as is found in a home or business. However, it is also vastly more expensive with prices starting at around $500. Most internet modems and routers include a hardware firewall.

The advantages of a software firewall is cost and ease of use. They often are included with the device, and if they have a user interface, it usually is simple enough for even an untrained user to configure. macOS and Windows include a software firewall.

WHY

By “unwanted traffic” I mean traffic that has no reason to be present on your network or device. If it is present, at best the additional traffic will slow down your network or device, and at worst may be spying on the existing traffic (including usernames and passwords).

HOW

There are fundamentally two types of firewalls (for the pedantic amongst us, yes, I know there are many other types of firewalls, but let’s not get lost in the weeds).

The older type is rule-based. The network administrator manually configures settings based on the type of traffic (such as TCP or UDP–don’t sweat the details here), and the ports the traffic may or may not be granted access to. As there are 65,535 logical ports available, this can be a daunting task for any but highly trained administrators.

The newer type is a bit intelligent, usually called a Stateful Packet Inspection Firewall. It generally blocks any incoming traffic except for that which the user or device has already extended a welcome. For example, if the user opens a browser to Facebook, the Facebook servers can stream FB data back to the browser.

BACK TO THE ANSWER

For macOS, perhaps the best firewall for the device comes free with the operating system. macOS uses a stateful packet inspection firewall that requires minimal (if any) configuration. In fact, for most users, the only thing that need be done is to turn the firewall on! In my 37 years of IT consulting, I haven’t seen a need for another device firewall.

How to Enable the macOS 13 Firewall

1. Open Apple menu > System Settings > Network > Firewall.
2. Tap the switch to Enable the Firewall.
3. Exit the System Settings.

WHAT

According to a Mozilla research paper released February 23, 2023, almost 80% of the apps reviewed on Google Play Store have false or misleading Data Privacy labels.

Highlighting the absurdity, both TikTok and Twitter Data Safety labels state they do not share your personal data with 3rd-parties. BUT… both apps explicitly state they share user info with advertisers, ISPs and other companies.

WHY

Remember that if you are not paying for it, you are the product! The #1 strategy companies use to deliver free services is to monetize the data they can harvest from you.

HOW To Protect Yourself

Ok, here we get into sensitive areas. I don’t think there are any angels within any billion (or trillion) dollar tech company. But there are some who make a measurable degree of effort to not be evil. To avoid my next lawsuit, I will not say Google isn’t one of them, but Apple may be.

If you are concerned over cybersecurity, internet privacy, and keeping big tech out of your private life, one way is to avoid doing business with those whose business model explicitly details how to harvest as much data from their consumers as is possible. THAT will require giving thought to if you wish to remain on the Android environment.

For me, personally and for my family and business, we have migrated to Apple. Does the hardware cost more? Sometimes (compare a high-end Samsung, Asus, or Lenovo computer, tablet, or phone to a similar Apple device, and any difference in purchase cost isn’t much more than a rounding error. But what you get back in terms of privacy and security is priceless

In preparing for a business trip to Boston in the coming weeks I realized a serious cybersecurity vulnerability that is becoming more common at airports, coffee shops, and other locations people tend to congregate and charge their phones and computers. And lucky you, I’ve never discussed it before.

The vulnerability is often called juice jacking, and works like this:

1. The potential victim is running low on power for their electronic device, and is in need of finding a charging port. These are typically USB A ports found at or near an AC power outlet.
2. Unbeknown to the potential victim, the USB charging port has been modified such that it pulls data from the device while it is charging the device. 
3. So in the process of charging, all of your data stored on the device is being sent to the criminal over the USB cable.

How This Works

The USB A connector typically used as a charging port has four wires. Two are for power, and two are for data. The criminal only has to route the two data wires to their own device (wired or wireless), and the victim is none the wiser.

The situation with juice jacking has become prevalent enough that the Los Angeles District Attorney issued a travel advisor in 2019 warning travelers about the threat.

How To Take Action

There are several options to effectively prevent being juice jacked:

• Use your own USB power adapter to plug into an AC outlet, and then use a USB cable to connect the power adapter and your device.
• Use a small hand-held charging battery with a USB cable connecting it to your device.
• Use a USB Data Blocker plugged into the USB charging port, with a USB cable to connect between the Data Blocker and your device.

USB Data Blocker

A USB data blocker is not much more than a device that looks something like a USB flash drive, that has a male end to plug into a USB charging port, a female end into which you plug your USB cable, which then connects to your device.

The USB data blocker does its work by only having the two power wires, while missing the two data wires.This makes it impossible for any data to be pulled from your device.

Data blockers typically sell for under $10 each and may be purchased from Amazon and many other electronics retailers.

And They Lived Happily Ever After

So splurge on the $10, order yourself a USB data blocker, and keep it in your pocket for the next time you need to charge your device outside of your home.

Practical Paranoia Online Workshops

Our online workshops provide the same Award-Winning Best-In-Class learning experience we have delivered to government, businesses, IT support staff, colleges, and thousands of non-technical users.

• Do you think learning cyber hygiene is above your pay grade? Our workshops have been enjoyed by participants as young as 12 and as old as 91. If you can use your device for every day tasks, you will successfully complete the workshop!
• Are you overwhelmed by fears of hacking, malware, and ransomware? Trust us, we get it. Ever since Edward Snowden opened our eyes with the release of how the NSA and others spy on our every digital step, the media overwhelms us with new stories of the demise of internet privacy. But YOU don’t need to be a passive victim. With the easy step-by-step process learned in this workshop, you take an active roll in protecting your own, your family, and your business security.
• Do you believe you aren’t vulnerable? Every single digital device that has a connection to the internet or local network is vulnerable.

Cyber Hygiene Statistics

• Cyber perils are the biggest concern for companies globally. (Allianz Risk Barometer)
• 93% of company networks can be penetrated. (From a study of pen testing projects from Positive Technologies)
  • Home networks are far more vulnerable.
• Cyber attacks increased 50% year over year. (cybersecurityintelligence.com).
• Ransomware cost the world $20 billion in 2021, and is expected to rise to $265 billion by 2031. (cloud wards.net)
• Average time to identify a breach is 212 days. (IBM)
• Average time from breach identification to containment is 286 days. (IBM)
  • That is an average of 498 days from data breach to containment. It only takes a few minutes to drain all of your bank accounts, run up all your credit cards, a day to purchase a car in your name, and a month to complete the purchase of a home in your name–all to be enjoyed by the criminal.
• Personal data is involved in 45% of breaches. (Verizon)
• 64% of Americans have never checked to see if they are affected by a data breach. (Varonis)
• 56% of Americans don’t know what steps to take in the event of a breach. (Varonis)

What You Will Learn

In your workshop you will not only learn how cyber attacks impact you, but how to take over 80 quick, easy, and effective countermeasures.

• Prevent data loss
• Create strong passwords–without having to remember them!
• Automate system and application updates and security patches
• Root, Administrator, Standard User, Managed User–choose the right type of account
• Full drive encryption for both the boot storage and external storage
• How to choose the best antivirus utility
• How to configure your device firewall
• Find a lost or stolen device
• Secure your local network and Bluetooth
• Secure your internet browsing from government, advertisers, Internet Service Provider, and employer
• How to automatically encrypt your email
• How to encrypt any file
• Enable secure encrypted voice, video, and text communications
• Protect your social media from identity theft
• How to use your smartphone for health and safety emergencies
• How to securely prepare your device for sale, giveaway, or disposal

Guaranteed to be the Best Workshop

We guarantee the Practical Paranoia Online Workshops to be the easiest and most comprehensive programs of their kind. Each course is lead by Marc Louis Mintz, TPP Program Director, or one of our senior authors, and includes:

• One copy of Practical Paranoia Security Essentials Live! edition (a $64.95 value).
• The full course presented online, viewable on any internet-connected computer, tablet, smartphone, or smart TV.
• Live Instructor Hours with a course leader to help answer course-related cybersecurity and internet privacy questions.
• Final exam.
• Certificate of Completion signed by Marc L. Mintz.

Course length: 15 hours.

Workshop prerequisites: Basic end-user knowledge and skills for the platform of choice. If you know how to tap, double-tap, and save a file, we will guide you the rest of the way.

Hours: The next workshop (focusing on macOS 13) will be taught live starting Monday, March 6, 2023, 12pm mt. After each session is completed, the recording of the session will be available within 48 hours.

Register now: Visit https://thepracticalparanoid.com/product/online-courses/ to register for this workshop. Register before March 1, 2023 to receive a $200 discount and participate in our live sessions.

A: Ok, this question wins the “Thoughtful Question of the Week” award. Please forgive my more thoughtful (ie: long-winded) answer.

Although you and I may be able to dedicate tremendous time and energy to securing our devices and internet travels, we cannot do much about what happens to a web server that is out of our control and is involved in a data breach.

For example, let’s say we do online business with shoestringsrus.com (one can never have too many shoestrings). Then this weekend hackers somehow gain access to the shoestringsrus.com web server, including a dump of all 37 user accounts that have completed purchases on the site. The company webmaster maintained all user accounts data on the one device. This includes the user email address, password, credit card, purchase history, shipping address.

Even if the database is encrypted, the hackers have the time and resources to brute force the database password, and eventually gain full access to all of the data contained within.

Most people, once notified of the breach, would be concerned about their password getting out. But not you and me. Nope! That’s because we took the Practical Paranoia Security Essentials Online Course where we learned to create a unique password for every site and service just in case something like this happened. You see, if one uses the same password for most sites, then once one of those sites is breached, the hackers have software to use your email address and password to automatically attempt access to all banks, credit cards, and retailers in just seconds.

But if using the same password on many sites is dangerous, isn’t using the same username (almost always your email address) also a potential danger?

Yes, it can be. Not so much because of the automated attempts to access banks, etc., but because of social engineering and phishing. The hackers could use knowledge of your email address to target your email address and you with a tailored email.

Getting back to the question, no. You can’t prevent your email ID from being compromised any more than you can prevent your password from the breach. BUT… There is something you can do to help lessen the impact. This is done using a strategy similar to that used with passwords. Use a different email address for each site and service.

You don’t have to sign up for dozens or hundreds of email addresses. Instead, you can create aliases of your existing email. When using an alias, all email sent to the alias ends up in your normal inbox. Then by using your email app filters or rules, you can automate how these accounts are handled.

I visit and know such sites tend to fill up your inbox with junk. I will give this alias the name junk.marc@thepracticalparanoid.com. I can then create a rule or filter that says “if an email addressed to junk.marc@thepracticalparanoid.com is in the inbox, send it to the Trash”.

As another example, say I use the alias shoestringsrus.marc@thepracticalparanoid.com as my username/email address for my valued shoestringsrus.com account. If I get an email addressed to this alias that has nothing to do with shoestringsrus, I can be pretty sure they either sold my  data or were compromised. This would be a good time to change my password with them.

HOW TO CREATE AN ALIAS

There are different ways to create an alias depending on where the email is hosted.

GOOGLE

In the case of a Google email which I use for marcmintz@gmail.com, periods are not recognized. So while marcmintz@gmail.com is the actual email, but I can make an instant alias simply by adding periods, such as: marc.mintz@gmail.com, m.a.r.c.m.i.n.t.z@gmail.com, etc. Note this does not work with personalized domains, such as marc@thepracticalparanoid.com.

Google also allows instant alias creation by using the + sign immediately after your name, and before the @ sign. So marc+mintz@thepracticalparanoid.com will come to my inbox with no further effort. This works for both @gmail.com and personalized domains.

OUTLOOK.COM

If you have an Outlook.com account, open a browser to https://account.live.com/names/Manage to add aliases to your existing account.

APPLE

If you have an @mac.com or @icloud.com email, you can use the + in the same way as with a Gmail account. But Apple includes an even better option they have named Hide My Email.

If you are running macOS 12 or iOS/iPadOS 15 or higher, Hide My Email can be found in Settings > Apple ID > iCloud > Hide My Email. If you are running an earlier OS, Hide My Email may be a great reason to upgrade.

With Hide My Email, you can have an unlimited number of randomly generated aliases, all pointing back to your @mac.com or @icloud.com inbox. But  it does take a few minutes of preparation.

To set up Hide My Email:

1. Open System Settings > Apple ID > iCloud > Hide My Email.
2. Select the Options button.
3. In the Hide My Email window, select + (Create New Address).
4. A window opens with a new randomly generated address.
5. Tap the Continue button.
6. In the Label Your Address window, assign a Label and a Note to help remember how you are using the alias.
7. From now on, this alias can be used anywhere an email address is requested, but you don’t want to reveal your real address.

OTHER EMAIL

If you use email from another hosting service, contact their technical support. Most do offer aliases, but each has a slightly different take on the process.

Practical Paranoia
Security Essentials Online Course
Starts March 6, 2023

The field of cybersecurity and internet privacy has for too long been the domain of the Information Technology elite. This has served to make their hourly rates beyond the reach of most of us mortals. And because almost everyone outside of the Fortune 500 lacks access to an IT Security Consultant, we pay another type of price:

• Only 5% of Companies’ Folder are Properly Protected (Forbes).
• Cyber Attacks are More Likely to Bring Down a Fighter Jet than Missiles (interestingengineering.com).
• Over 90% of all Healthcare Organizations Reported at Lease One Security Breach in the Last Three Years (beckershospitalreview.com).
• Cybercrime is Projected to Cost the World $10.5 Trillion Annually by 2025 (cybersecurctyventures.com).
• The Average Cost of a Data Breach was $3.86 Million in 2020.
• 95% of Cybersecurity Breaches are caused by Human Error (World Economic Forum).
• Data Breaches Exposed 22 Billion Records in 2021 (RiskBased Security).
• In 2021, 40% of Breaches Were Due to Phishing, 11% From Malware, and 22% From Hacking (Verizon).
• The Average Cost of a Data Breach to a Business is $4.24 Million in 2021 (IBM).
• The Average Time to Identify a Breach in 2021 was 212 Days (IBM).
• Personal Data is Involved in 45% of Data Breaches (Verizon).
• 56% of Americans Don’t Know What Steps to Take in the Event of a Data Breach (Varnish).

Cybersecurity and Internet Privacy impact each of us, often without even knowing it has happened!

For over nine years The Practical Paranoid has published the best-selling, easiest, and most comprehensive guides to securing data and communications for both home and business users.

And now we are offering the same quick, easy, and accessible training we have provided to government, hospitals, businesses, and IT professionals to YOU! Our Practical Paranoia Security Essentials Online Course will take any user with basic computer skills, and give them the knowledge and skills to secure their device, data, and communications.

Our exclusive online course includes:

• A copy of Practical Paranoia macOS 13 Security Essentials book ($64.95 value) in LIVE! Format.
  • LIVE! books are continuously updated until the next OS version is announced. They also allow the user to send the instructor questions directly from the book.
• The entire course in live Zoom format, accessible from your computer, smartphone, tablet, or Smart TV.
• Miss a live session? A recorded replay of each live session is available within 48 hours.
• Instructor available to answer your questions via Zoom.
• Certificate of Completion mailed to you at the completion of your course.

This course is normally offered at $275 per participant. But, if you order before March 1, 2023 a $200 discount will be applied making your total cost just $75!

GUARANTEE

After completing this course if you do not agree that this is the easiest and most comprehensive program of its kind, we will issue a full refund.

Visit https://thepracticalparanoid.com for more information and to register.

A: As with so many things in life, the trick is to craft a proper question! 

In the distant past (well, distant in IT terms) hackers would crack passwords by knowing a bit about the user. Things like birthdays, names of loved ones and pets, phone number, character names from Star Wars and Star Trek could be used to quickly crack around 90% of passwords. And although many users still use such passwords, hackers no longer need to know you. 

Instead, modern account hacking uses software to automate entry of potential passwords. At a fundamental level, the software starts with a, then b, then c, eventually going to z. If these don’t open the account it tries again with aa, then ab, then ac, and so forth until the combination of uppercase, lowercase, numerals, and special characters is found that opens the account.

This may look like it would take a very long time to be effective. Even with an off-the-shelf computer it is possible to try upwards of 80,000,000 attempts per second, But keep in mind the ability to scale the process. By upgrading to using a server farm or a botnet, the hacker may be able to increase throughput 10,000-100,000 fold. This makes cracking a typical 8-character password possible in just minutes.

This is the reason I strongly recommend that every password be a minimum of 16 characters in length, with many industry professionals saying that should be a minimum of 24 characters. With each additional character in length, a password becomes logarithmically more difficult to hack. Eventually the hacker will give up on your account and move on to an easier target.

The Bigger Problem

In my 30+ years dealing with cybersecurity, the second hardest thing for me to convince clients to do is create long passwords (or passphrases). However the #1 problem has been to convince clients to use a different password for everything.

Trust me, I understand how impossible it is to remember more than a few passwords. But that isn’t a reasonable excuse–because you have much better and bigger things to do with your mind than to remember hundreds of passwords. Instead, use a password manager utility to create and remember all of your passwords. 

If you follow the path of “most people”, you will have just a few passwords that are used repeatedly for all of your visited sites. If so, then when one of these sites is hacked, and the hackers take all 100,000,000 user account credentials with them, they have all the time in the world to break these passwords offline. Once they have your password, they have software to automate using your username and password on every banking, credit card, and retail site on the internet. Often within minutes they will successfully access many of your accounts and most of your money.

So the answer to your question is:

• Use a password manager utility to create and remember your passwords.
• Passwords should be at least 16 characters in length, the longer the better.
• Use a different password for every site and service.

As reported in the New York Times on February 1, 2023, GoodRx, the drug discount apps used by millions Americans was found by the Federal Trade Commission of “sharing sensitive personal data on millions of users’ prescription medications and illnesses with companies like Facebook and Google without authorization.”

By sharing your personal information without authorization, GoodRx violated a federal rule requiring such apps and fitness trackers to notify the consumer of data breaches.

My family and I use GoodRx, and have found that the discounts on prescription medication is often better than what our paid-for medical insurance can deliver.

I’ve wondered from day one with GoodRx how they were able to provide such deep discounts, or put another way, how are they monetizing the discounted medication game? I must be getting old, after all, I’m the guy who continuously spouts “If you aren’t paying for it, YOU are the product.”

And apparently this was the case with GoodRx.

Between 2017 and 2020 GoodRx uploaded their user contact information to Facebook so GoodRx could identify their users’ social media profiles.

GoodRx would then use that personal information to target users for medication ads on Facebook and Instagram. The FTC stated that this personal information was then available to Facebook (as is any and all information shared on Facebook).

ahhh… Capitalism at its finest.