Practical Paranoia Windows 11 Security Essentials New Edition Released

Practical Paranoia Windows 11 Security Essentials version 6 has just been released!

This is a complete rewrite of the best-selling, easiest, and most comprehensive guide to securing your data and communications on your home and office PC.

This update includes new security and privacy tricks and tips, as well as updates for all sections.

Official workbook for the Practical Paranoia: Security Essentials Workshop, STEM and college cybersecurity courses. Designed for instructor-led, self-study, and DIY. The entire course is contained within the book. Includes all instructor presentations, hands-on assignments, links to all software, and security checklist.

You don’t need to be paranoid to know they are out there to get your computer, data, and identity.

  • 2,000,000 laptops were stolen or lost in the US last year.
  • Only 3% of stolen computers are ever recovered.
  • Malware attacks on Windows computers have become commonplace.
  • Hundreds of eyes may be able to see your name and password, along with the contents of every email you send.
  • It may take the bad guy under one minute to bypass your password to gain access to all your data.
  • With a slight bit of social engineering, your Microsoft, Facebook, LinkedIn, Google, and other social media accounts, along with all your data, are freely accessible.
  • Through PRISM and other avenues, our government has access to your online browsing and email history.

You don’t need to be a Microsoft Systems Engineer to protect your system!

In this easy, step-by-step guide, CIO, Security Specialist, and Certified Information Technology Consultant Marc L. Mintz and Glenn Norman take any Windows user, from the novice with no technical skills to the experienced IT professional, through the process of fully encrypting and hardening the security of their computer, data, email, documents, network, instant messaging, storage devices, browsing, and entire Internet experience.

Guaranteed to be the easiest to follow and most comprehensive Windows cybersecurity book available.

Readers with our Live! edition (available exclusively from https://thepracticalparanoid.com) will automatically receive the update when next opening the book.

Readers of the Kindle edition will need to delete their current copy from their Kindle device, then visit their Kindle library to download the update.

Readers of the paperback edition can receive the update for either the Live! or paperback edition by following the instructions in their current book.

FBI Says Americans Lost a Record $10.3 Billion to Online Scammers in 2022

As reported in the Wall Street Journal March 14, 2023, the FBI has just announced that in 2022, Americans lost $10.3 billion to online scammers. This is up from $6.9 billion in 2021, although the total number of complaints in 2022 was slightly less than in 2021.

The FBI’s Internet Crime Complaint Center (IC3) received more than 800,000 complaints. The largest number of complaints – 300,000 – were for phishing expeditions. Phishing is typically unsolicited email, texts, or phone calls, claiming to be from a legitimate company, requesting your personal or financial information.

HOW TO PROTECT YOURSELF

SIGNS OF A SCAMMER

  • Claim to be from an organization you know, government agency or commercial business.
    • Suspect call: Current technology makes it easy for a scammer to fake a caller ID, so don’t trust what you see on your phone. Instead, ask for the full name of the caller and which office they work from. Then look up the organization’s main number on its official website, call it, and ask to be transferred to that local office to speak with the caller.
    • Suspect email: Current technology makes it easy for a scammer to fake their “sender” email name. Same rules apply as for suspect phone calls.
    • Suspect text: OK, I don’t care to repeat myself (too much). Same as above!
  • Claim there is a problem or reward/prize.
    • This always requires that you provide some personal information so you can be sent the refund, or to resolve the “problem” with your account. Don’t buy it. Instead, look up the organization’s main phone number, call, and inquire whether there is actually an issue that needs to be addressed.
  • Claim that the issue requires IMMEDIATE attention.
    • This is perhaps THE indicator of a scam.
  • Claim that you must pay in a specific way.
    • This is almost always via cryptocurrency. RUN from this.

HOW TO AVOID A SCAM

It may be impossible to completely avoid being scammed, but you can make yourself a more difficult target.

  • Block or filter unknown callers and texts.
    • If there is a real issue, they will find an alternate avenue to communicate with you, such as a letter.
  • Don’t give out personal or financial information.
    • This includes your address, social security number, banking information, mother’s maiden name, credit card information, etc.
  • Take a breather.
    • There will not be a situation where you just must respond immediately. You always have the option to call the main office to verify the issue, or to discuss the situation with a friend or loved one.
  • If you suspect a scammer, contact the Federal Trade Commission at ReportFraud.ftc.gov.

Q: What is the Most Secure Browser App?

A: Browsers don’t get “hacked”. But your browser can release information regarding your internet travels.

  • Google has access to all of the sites you visit through Chrome.
  • Google has access to all of the searches you perform through Google Searches.
  • Browser plug-ins/extensions have access to your internet travel and searches.
  • Some (many/most?) browser plug-ins/extensions will forward this information to the plug-in/extension developer.
  • Some browser plug-ins/extensions are designed solely to forward this information to the developer – although they are marketed as though they are designed for another function.
  • Your Internet Service Provider – if your devices are configured to use them as your DNS service – has a record of all of your internet travel.
  • Your router may have a record of all your internet travel.

So it is not so much an issue of hacking your browser, it is more an issue of understanding where information regarding your searches and travels can be accessed.

Although there are many solutions, I find these are the simplest and least expensive:

  • Use Brave browser. It is configured by default to avoid leaking of your travels.
    • If you feel the need to take this up a level, use Tor browser instead. However, this additional security comes at the cost of significantly slower performance.
  • Use DuckDuckGo as your default search engine. DDG does not record your searches, and does not monetize your search history.
  • Use Cloudflare for your DNS. This can be done by manually setting your DNS to 1.1.1.1 and 1.0.0.1 (both Cloudflare servers). Cloudflare does not maintain a record of your DNS queries.
    • If you choose to use my recommended VPN service, NordVPN, it will automatically use their own secure DNS servers.
  • Do not install additional plug-ins/extensions to Brave. If you must install them, research to verify they are not reporting your activity to the developer.
    • One of the few plug-ins/extensions that I do recommend using is Trafficlight from Bitdefender. It prevents accessing malicious websites.
  • Use a quality Virtual Private Network (VPN) service. I’m fond of NordVPN. This will prevent anyone (other than NordVPN) from seeing your internet travels or DNS use.
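
Setting the DNS servers is only half the job; the other half is confirming the device is actually using them and not silently falling back to the router or ISP. The following is an added example, not code from the post or from any of the products it mentions. It parses resolver configuration text in two common shapes (the /etc/resolv.conf line form and the form printed by scutil --dns on macOS) and reports whether every configured resolver is one of Cloudflare’s. The two IPv4 addresses come from the post; the two IPv6 addresses are added from Cloudflare’s published documentation and are an assumption here. The sample configurations are constructed, not captured from a real machine.

```python
import re
from typing import Dict, List

# Cloudflare's public resolvers. The IPv4 pair comes from the post; the IPv6 pair is
# added from Cloudflare's published documentation (assumption, not from the post).
CLOUDFLARE_RESOLVERS = {"1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"}

# Accepts both the /etc/resolv.conf line form ("nameserver 1.1.1.1") and the
# form printed by "scutil --dns" on macOS ("  nameserver[0] : 1.1.1.1").
_NAMESERVER_LINE = re.compile(
    r"^\s*nameserver(?:\[\d+\])?\s*:?\s*([0-9A-Fa-f.:]+)\s*$", re.MULTILINE
)


def configured_resolvers(config_text: str) -> List[str]:
    """Extract resolver addresses from configuration text, in order, without repeats."""
    found: List[str] = []
    for addr in _NAMESERVER_LINE.findall(config_text):
        if addr not in found:
            found.append(addr)
    return found


def check_resolvers(resolvers: List[str]) -> Dict[str, object]:
    """Report whether every configured resolver is Cloudflare's, and list any that are not."""
    others = [r for r in resolvers if r not in CLOUDFLARE_RESOLVERS]
    return {
        "configured": resolvers,
        "all_cloudflare": bool(resolvers) and not others,
        "others": others,  # typically the home router or the ISP's own resolver
    }


# Constructed sample configurations (not captured from a real machine).
ROUTER_CONF = """# device is pointed at the home router, which forwards queries to the ISP
nameserver 192.168.1.1
search home.arpa
"""

SCUTIL_SAMPLE = """resolver #1
  nameserver[0] : 1.1.1.1
  nameserver[1] : 1.0.0.1
  flags    : Request A records
"""

if __name__ == "__main__":
    for label, text in (("router", ROUTER_CONF), ("cloudflare", SCUTIL_SAMPLE)):
        print(label, check_resolvers(configured_resolvers(text)))
```

On a real machine, feed the function the contents of /etc/resolv.conf or the output of scutil --dns. A resolver in the 192.168.x.x or 10.x.x.x range means the router (and therefore the ISP behind it) is still answering your lookups, regardless of what you typed into the settings panel.
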

Q: What Is the Best Firewall for macOS?

A: Well, before I answer, let us take a step back to discover what a firewall does.

WHAT

A firewall may be a hardware box located on your network, or software installed on your device. The purpose of a firewall is to block unwanted traffic from entering the network or device, while allowing wanted traffic to pass in both directions.

The advantage of a hardware firewall is performance. It is able to manage vastly greater traffic than a software firewall, which is usually needed to protect a network of devices as is found in a home or business. However, it is also vastly more expensive with prices starting at around $500. Most internet modems and routers include a hardware firewall.

The advantages of a software firewall are cost and ease of use. They often are included with the device, and if they have a user interface, it usually is simple enough for even an untrained user to configure. macOS and Windows include a software firewall.

WHY

By “unwanted traffic” I mean traffic that has no reason to be present on your network or device. If it is present, at best the additional traffic will slow down your network or device, and at worst may be spying on the existing traffic (including usernames and passwords).

HOW

There are fundamentally two types of firewalls (for the pedantic amongst us, yes, I know there are many other types of firewalls, but let’s not get lost in the weeds).

The older type is rule-based. The network administrator manually configures settings based on the type of traffic (such as TCP or UDP–don’t sweat the details here), and the ports the traffic may or may not be granted access to. As there are 65,535 logical ports available, this can be a daunting task for any but highly trained administrators.

The newer type is a bit intelligent, usually called a Stateful Packet Inspection Firewall. It generally blocks any incoming traffic except for that which the user or device has already extended a welcome. For example, if the user opens a browser to Facebook, the Facebook servers can stream FB data back to the browser.
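
To make the difference between the two types concrete, here is an added example, written for this post and not taken from macOS, Windows, or any real firewall product. It models both styles in a few dozen lines: the rule-based firewall decides from the packet header alone (the administrator has permitted inbound traffic from remote port 443 so web replies can get in), while the stateful firewall remembers every flow the device opens and admits an inbound packet only if it mirrors one of those flows. The addresses are constructed from the documentation ranges; the protected device is 192.0.2.10.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool    # True when the packet arrives from the network at the protected device


# A flow is identified by the five values of the packet that opened it.
Flow = Tuple[str, str, int, str, int]


class RuleBasedFirewall:
    """Older, stateless style: the administrator lists remote ports whose inbound traffic is permitted."""

    def __init__(self, permitted_remote_ports: Set[Tuple[str, int]]):
        self.permitted = set(permitted_remote_ports)

    def allows(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            return True
        # Decided purely from the header; nothing remembers whether we asked for this traffic.
        return (pkt.proto, pkt.src_port) in self.permitted


class StatefulFirewall:
    """Newer style: inbound traffic is accepted only as a reply to a flow this device opened."""

    def __init__(self) -> None:
        self.flows: Set[Flow] = set()

    def allows(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            # Outbound traffic "extends the welcome": remember the flow so replies can come back.
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # An inbound packet is a reply only if it mirrors a flow we started.
        mirrored = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return mirrored in self.flows

    def close(self, pkt: Packet) -> None:
        """Forget a flow once the connection ends, so a stale entry cannot be reused later."""
        self.flows.discard((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))


# Constructed addresses from the documentation ranges; not real hosts.
DEVICE, WEB_SERVER, STRANGER = "192.0.2.10", "203.0.113.5", "198.51.100.7"


def compare() -> Dict[str, List[bool]]:
    """Run the same four packets through both firewalls and return each one's verdicts."""
    request = Packet("tcp", DEVICE, 50123, WEB_SERVER, 443, inbound=False)  # user opens a website
    reply = Packet("tcp", WEB_SERVER, 443, DEVICE, 50123, inbound=True)     # the site answers
    probe = Packet("tcp", STRANGER, 40000, DEVICE, 445, inbound=True)       # unsolicited knock on a file-sharing port
    stray = Packet("tcp", STRANGER, 443, DEVICE, 50124, inbound=True)       # unsolicited, but carrying source port 443

    rule_based = RuleBasedFirewall({("tcp", 443)})  # admin permitted "anything from remote port 443"
    stateful = StatefulFirewall()                   # nothing to configure
    packets = (request, reply, probe, stray)
    return {
        "rule_based": [rule_based.allows(p) for p in packets],
        "stateful": [stateful.allows(p) for p in packets],
    }


if __name__ == "__main__":
    for name, v in compare().items():
        print(f"{name:>10}: request={v[0]} reply={v[1]} probe={v[2]} stray={v[3]}")
```

The fourth packet is the one that matters: the rule-based firewall waves it through because its header looks like a web reply, while the stateful firewall blocks it because nobody on the device asked for it. That is why the stateful kind needs so little configuration, and why "turn it on" is most of the work.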

BACK TO THE ANSWER

For macOS, perhaps the best firewall for the device comes free with the operating system. macOS uses a stateful packet inspection firewall that requires minimal (if any) configuration. In fact, for most users, the only thing that need be done is to turn the firewall on! In my 37 years of IT consulting, I haven’t seen a need for another device firewall.

How to Enable the macOS 13 Firewall

  1. Open Apple menu > System Settings > Network > Firewall.
  2. Tap the switch to Enable the Firewall.
  3. Exit the System Settings.

80% of Google Play Store apps Data Privacy Labels are False or Misleading

WHAT

According to a Mozilla research paper released February 23, 2023, almost 80% of the apps reviewed on Google Play Store have false or misleading Data Privacy labels.

Highlighting the absurdity, both the TikTok and Twitter Data Safety labels state they do not share your personal data with third parties. BUT… both apps explicitly state they share user info with advertisers, ISPs, and other companies.

WHY

Remember that if you are not paying for it, you are the product! The #1 strategy companies use to deliver free services is to monetize the data they can harvest from you.

HOW To Protect Yourself

Ok, here we get into sensitive areas. I don’t think there are any angels within any billion (or trillion) dollar tech company. But there are some who make a measurable degree of effort to not be evil. To avoid my next lawsuit, I will not say Google isn’t one of them, but Apple may be.

If you are concerned over cybersecurity, internet privacy, and keeping big tech out of your private life, one way is to avoid doing business with those whose business model explicitly details how to harvest as much data from their consumers as is possible. THAT will require giving thought to whether you wish to remain on the Android environment.

For me, personally and for my family and business, we have migrated to Apple. Does the hardware cost more? Sometimes (compare a high-end Samsung, Asus, or Lenovo computer, tablet, or phone to a similar Apple device, and any difference in purchase cost isn’t much more than a rounding error). But what you get back in terms of privacy and security is priceless.

Why You Should Be Using a USB Data Blocker

In preparing for a business trip to Boston in the coming weeks, I realized a serious cybersecurity vulnerability that is becoming more common at airports, coffee shops, and other locations where people tend to congregate and charge their phones and computers. And lucky you, I’ve never discussed it before.

The vulnerability is often called juice jacking, and works like this:

  1. The potential victim is running low on power for their electronic device, and is in need of finding a charging port. These are typically USB A ports found at or near an AC power outlet.
  2. Unbeknownst to the potential victim, the USB charging port has been modified such that it pulls data from the device while it is charging the device.
  3. So in the process of charging, all of your data stored on the device is being sent to the criminal over the USB cable.

How This Works

The USB A connector typically used as a charging port has four wires. Two are for power, and two are for data. The criminal only has to route the two data wires to their own device (wired or wireless), and the victim is none the wiser.

The situation with juice jacking has become prevalent enough that the Los Angeles District Attorney issued a travel advisory in 2019 warning travelers about the threat.

How To Take Action

There are several options to effectively prevent being juice jacked:

  • Use your own USB power adapter to plug into an AC outlet, and then use a USB cable to connect the power adapter and your device.
  • Use a small hand-held charging battery with a USB cable connecting it to your device.
  • Use a USB Data Blocker plugged into the USB charging port, with a USB cable to connect between the Data Blocker and your device.

USB Data Blocker

A USB data blocker is not much more than a device that looks something like a USB flash drive: it has a male end to plug into a USB charging port and a female end into which you plug your USB cable, which then connects to your device.

The USB data blocker does its work by only having the two power wires, while missing the two data wires. This makes it impossible for any data to be pulled from your device.

Data blockers typically sell for under $10 each and may be purchased from Amazon and many other electronics retailers.

And They Lived Happily Ever After

So splurge on the $10, order yourself a USB data blocker, and keep it in your pocket for the next time you need to charge your device outside of your home.

Practical Paranoia macOS 13 Online Workshop Now Only $75

Practical Paranoia Online Workshops

Our online workshops provide the same Award-Winning Best-In-Class learning experience we have delivered to government, businesses, IT support staff, colleges, and thousands of non-technical users.

  • Do you think learning cyber hygiene is above your pay grade? Our workshops have been enjoyed by participants as young as 12 and as old as 91. If you can use your device for everyday tasks, you will successfully complete the workshop!
  • Are you overwhelmed by fears of hacking, malware, and ransomware? Trust us, we get it. Ever since Edward Snowden opened our eyes with the release of how the NSA and others spy on our every digital step, the media has overwhelmed us with new stories of the demise of internet privacy. But YOU don’t need to be a passive victim. With the easy step-by-step process learned in this workshop, you take an active role in protecting your own, your family’s, and your business’s security.
  • Do you believe you aren’t vulnerable? Every single digital device that has a connection to the internet or local network is vulnerable.

Cyber Hygiene Statistics

  • Cyber perils are the biggest concern for companies globally. (Allianz Risk Barometer)
  • 93% of company networks can be penetrated. (From a study of pen testing projects from Positive Technologies)
    • Home networks are far more vulnerable.
  • Cyber attacks increased 50% year over year. (cybersecurityintelligence.com).
  • Ransomware cost the world $20 billion in 2021, and is expected to rise to $265 billion by 2031. (cloudwards.net)
  • Average time to identify a breach is 212 days. (IBM)
  • Average time from breach identification to containment is 286 days. (IBM)
    • That is an average of 498 days from data breach to containment. It only takes a few minutes to drain all of your bank accounts, run up all your credit cards, a day to purchase a car in your name, and a month to complete the purchase of a home in your name–all to be enjoyed by the criminal.
  • Personal data is involved in 45% of breaches. (Verizon)
  • 64% of Americans have never checked to see if they are affected by a data breach. (Varonis)
  • 56% of Americans don’t know what steps to take in the event of a breach. (Varonis)

What You Will Learn

In your workshop you will not only learn how cyber attacks impact you, but how to take over 80 quick, easy, and effective countermeasures.

  • Prevent data loss
  • Create strong passwords–without having to remember them!
  • Automate system and application updates and security patches
  • Root, Administrator, Standard User, Managed User–choose the right type of account
  • Full drive encryption for both the boot storage and external storage
  • How to choose the best antivirus utility
  • How to configure your device firewall
  • Find a lost or stolen device
  • Secure your local network and Bluetooth
  • Secure your internet browsing from government, advertisers, Internet Service Provider, and employer
  • How to automatically encrypt your email
  • How to encrypt any file
  • Enable secure encrypted voice, video, and text communications
  • Protect your social media from identity theft
  • How to use your smartphone for health and safety emergencies
  • How to securely prepare your device for sale, giveaway, or disposal

Guaranteed to be the Best Workshop

We guarantee the Practical Paranoia Online Workshops to be the easiest and most comprehensive programs of their kind. Each course is led by Marc Louis Mintz, TPP Program Director, or one of our senior authors, and includes:

  • One copy of Practical Paranoia Security Essentials Live! edition (a $64.95 value).
  • The full course presented online, viewable on any internet-connected computer, tablet, smartphone, or smart TV.
  • Live Instructor Hours with a course leader to help answer course-related cybersecurity and internet privacy questions.
  • Final exam.
  • Certificate of Completion signed by Marc L. Mintz.

Course length: 15 hours.

Workshop prerequisites: Basic end-user knowledge and skills for the platform of choice. If you know how to tap, double-tap, and save a file, we will guide you the rest of the way.

Hours: The next workshop (focusing on macOS 13) will be taught live starting Monday, March 6, 2023, 12 pm MT. After each session is completed, the recording of the session will be available within 48 hours.

Register now: Visit https://thepracticalparanoid.com/product/online-courses/ to register for this workshop. Register before March 1, 2023 to receive a $200 discount and participate in our live sessions.

Q: How Can I Prevent My Email ID From Being Compromised in a Data Breach?

A: Ok, this question wins the “Thoughtful Question of the Week” award. Please forgive my more thoughtful (i.e., long-winded) answer.

Although you and I may be able to dedicate tremendous time and energy to securing our devices and internet travels, we cannot do much about what happens to a web server that is out of our control and is involved in a data breach.

For example, let’s say we do online business with shoestringsrus.com (one can never have too many shoestrings). Then this weekend hackers somehow gain access to the shoestringsrus.com web server, including a dump of all 37 user accounts that have completed purchases on the site. The company webmaster maintained all user accounts data on the one device. This includes the user email address, password, credit card, purchase history, shipping address.

Even if the database is encrypted, the hackers have the time and resources to brute force the database password, and eventually gain full access to all of the data contained within.

Most people, once notified of the breach, would be concerned about their password getting out. But not you and me. Nope! That’s because we took the Practical Paranoia Security Essentials Online Course where we learned to create a unique password for every site and service just in case something like this happened. You see, if one uses the same password for most sites, then once one of those sites is breached, the hackers have software to use your email address and password to automatically attempt access to all banks, credit cards, and retailers in just seconds.

But if using the same password on many sites is dangerous, isn’t using the same username (almost always your email address) also a potential danger?

Yes, it can be. Not so much because of the automated attempts to access banks, etc., but because of social engineering and phishing. The hackers could use knowledge of your email address to target your email address and you with a tailored email.

Getting back to the question, no. You can’t prevent your email ID from being compromised any more than you can prevent your password from the breach. BUT… There is something you can do to help lessen the impact. This is done using a strategy similar to that used with passwords. Use a different email address for each site and service.

You don’t have to sign up for dozens or hundreds of email addresses. Instead, you can create aliases of your existing email. When using an alias, all email sent to the alias ends up in your normal inbox. Then by using your email app filters or rules, you can automate how these accounts are handled.

For sites that I visit but know tend to fill up your inbox with junk, I will give this alias the name junk.marc@thepracticalparanoid.com. I can then create a rule or filter that says “if an email addressed to junk.marc@thepracticalparanoid.com is in the inbox, send it to the Trash”.

As another example, say I use the alias shoestringsrus.marc@thepracticalparanoid.com as my username/email address for my valued shoestringsrus.com account. If I get an email addressed to this alias that has nothing to do with shoestringsrus, I can be pretty sure they either sold my data or were compromised. This would be a good time to change my password with them.

HOW TO CREATE AN ALIAS

There are different ways to create an alias depending on where the email is hosted.

GOOGLE

In the case of a Gmail address, such as my marcmintz@gmail.com, periods in the name are ignored. So while marcmintz@gmail.com is the actual address, I can make an instant alias simply by adding periods, such as marc.mintz@gmail.com or m.a.r.c.m.i.n.t.z@gmail.com. Note this does not work with personalized domains, such as marc@thepracticalparanoid.com.

Google also allows instant alias creation by using the + sign immediately after your name, and before the @ sign. So marc+mintz@thepracticalparanoid.com will come to my inbox with no further effort. This works for both @gmail.com and personalized domains.
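
The two alias tricks (dots on Gmail, + on any Google-hosted address) and the two filter rules from earlier in the answer (junk alias to the Trash, per-site alias watched for mail from anyone else) fit together into a small piece of code. The following is an added example written for this post; it is not from Google, Apple, or any mail client, and the alias book and messages are constructed to match the aliases used in the answer. It collapses an alias back to the mailbox it lands in, applying the dot rule only to gmail.com exactly as the answer cautions, and it classifies each incoming message by which alias received it.

```python
from typing import Dict, List, Optional, Tuple

# Providers that ignore dots in the name before the @ (the post names gmail.com and
# notes that personalized domains do not get this behaviour).
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}


def split_address(address: str) -> Tuple[str, str]:
    local, _, domain = address.strip().rpartition("@")
    return local, domain.lower()


def mailbox_of(address: str) -> str:
    """Collapse an alias to the mailbox it lands in: drop any +tag, and drop dots only on Gmail."""
    local, domain = split_address(address)
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local.lower()}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    return mailbox_of(a) == mailbox_of(b)


# Alias book: alias -> the sender domain it was handed to; None marks the junk alias.
AliasBook = Dict[str, Optional[str]]


def classify(to_address: str, from_address: str, book: AliasBook) -> str:
    """Return the action a mail rule would take, based on which alias received the message."""
    alias = to_address.strip().lower()
    if alias not in book:
        return "inbox"          # the real address, or an alias never catalogued
    expected = book[alias]
    if expected is None:
        return "trash"          # the junk alias goes straight to the Trash
    _, sender_domain = split_address(from_address)
    if sender_domain == expected or sender_domain.endswith("." + expected):
        return "inbox"
    # Someone other than the site we gave this alias to is writing to it: the site
    # sold or lost the address. Time to change that site's password.
    return "alias-misused"


def triage(messages: List[Tuple[str, str]], book: AliasBook) -> List[Tuple[str, str, str]]:
    return [(to, sender, classify(to, sender, book)) for to, sender in messages]


# Constructed alias book and messages, following the aliases used in the post.
BOOK: AliasBook = {
    "junk.marc@thepracticalparanoid.com": None,
    "shoestringsrus.marc@thepracticalparanoid.com": "shoestringsrus.com",
    "marc+mintz@thepracticalparanoid.com": "example.org",
}
MESSAGES = [
    ("junk.marc@thepracticalparanoid.com", "promo@example.net"),
    ("shoestringsrus.marc@thepracticalparanoid.com", "orders@shoestringsrus.com"),
    ("shoestringsrus.marc@thepracticalparanoid.com", "deals@example.net"),
    ("marc+mintz@thepracticalparanoid.com", "news@mail.example.org"),
    ("marc@thepracticalparanoid.com", "friend@example.com"),
]

if __name__ == "__main__":
    for to, sender, action in triage(MESSAGES, BOOK):
        print(f"{action:<14} to={to} from={sender}")
```

One caveat on the sender check: a From address is trivially forged, so a matching sender domain proves little on its own. The useful signal runs the other way: mail arriving at a per-site alias from anyone but that site tells you the address has leaked, whoever the sender claims to be.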

OUTLOOK.COM

If you have an Outlook.com account, open a browser to https://account.live.com/names/Manage to add aliases to your existing account.

APPLE

If you have an @mac.com or @icloud.com email, you can use the + in the same way as with a Gmail account. But Apple includes an even better option they have named Hide My Email.

If you are running macOS 12 or iOS/iPadOS 15 or higher, Hide My Email can be found in Settings > Apple ID > iCloud > Hide My Email. If you are running an earlier OS, Hide My Email may be a great reason to upgrade.

With Hide My Email, you can have an unlimited number of randomly generated aliases, all pointing back to your @mac.com or @icloud.com inbox. But it does take a few minutes of preparation.

To set up Hide My Email:

  1. Open System Settings > Apple ID > iCloud > Hide My Email.
  2. Select the Options button.
  3. In the Hide My Email window, select + (Create New Address).
  4. A window opens with a new randomly generated address.
  5. Tap the Continue button.
  6. In the Label Your Address window, assign a Label and a Note to help remember how you are using the alias.
  7. From now on, this alias can be used anywhere an email address is requested, but you don’t want to reveal your real address.

OTHER EMAIL

If you use email from another hosting service, contact their technical support. Most do offer aliases, but each has a slightly different take on the process.

Practical Paranoia Security Essentials Online Course Starts March 6, 2023

The field of cybersecurity and internet privacy has for too long been the domain of the Information Technology elite. This has served to make their hourly rates beyond the reach of most of us mortals. And because almost everyone outside of the Fortune 500 lacks access to an IT Security Consultant, we pay another type of price:

  • Only 5% of Companies’ Folders are Properly Protected (Forbes).
  • Cyber Attacks are More Likely to Bring Down a Fighter Jet than Missiles (interestingengineering.com).
  • Over 90% of all Healthcare Organizations Reported at Least One Security Breach in the Last Three Years (beckershospitalreview.com).
  • Cybercrime is Projected to Cost the World $10.5 Trillion Annually by 2025 (cybersecurityventures.com).
  • The Average Cost of a Data Breach was $3.86 Million in 2020.
  • 95% of Cybersecurity Breaches are caused by Human Error (World Economic Forum).
  • Data Breaches Exposed 22 Billion Records in 2021 (RiskBased Security).
  • In 2021, 40% of Breaches Were Due to Phishing, 11% From Malware, and 22% From Hacking (Verizon).
  • The Average Cost of a Data Breach to a Business is $4.24 Million in 2021 (IBM).
  • The Average Time to Identify a Breach in 2021 was 212 Days (IBM).
  • Personal Data is Involved in 45% of Data Breaches (Verizon).
  • 56% of Americans Don’t Know What Steps to Take in the Event of a Data Breach (Varonis).

Cybersecurity and Internet Privacy impact each of us, often without even knowing it has happened!

For over nine years The Practical Paranoid has published the best-selling, easiest, and most comprehensive guides to securing data and communications for both home and business users.

And now we are offering the same quick, easy, and accessible training we have provided to government, hospitals, businesses, and IT professionals to YOU! Our Practical Paranoia Security Essentials Online Course will take any user with basic computer skills, and give them the knowledge and skills to secure their device, data, and communications.

Our exclusive online course includes:

  • A copy of Practical Paranoia macOS 13 Security Essentials book ($64.95 value) in LIVE! Format.
    • LIVE! books are continuously updated until the next OS version is announced. They also allow the user to send the instructor questions directly from the book.
  • The entire course in live Zoom format, accessible from your computer, smartphone, tablet, or Smart TV.
  • Miss a live session? A recorded replay of each live session is available within 48 hours.
  • Instructor available to answer your questions via Zoom.
  • Certificate of Completion mailed to you at the completion of your course.

This course is normally offered at $275 per participant. But, if you order before March 1, 2023, a $200 discount will be applied, making your total cost just $75!

GUARANTEE

After completing this course if you do not agree that this is the easiest and most comprehensive program of its kind, we will issue a full refund.

Visit https://thepracticalparanoid.com for more information and to register.

Q: How Do I Make a Password That Can’t be Easily Guessed?

A: As with so many things in life, the trick is to craft a proper question!

In the distant past (well, distant in IT terms) hackers would crack passwords by knowing a bit about the user. Things like birthdays, names of loved ones and pets, phone numbers, and character names from Star Wars and Star Trek could be used to quickly crack around 90% of passwords. And although many users still use such passwords, hackers no longer need to know you.

Instead, modern account hacking uses software to automate entry of potential passwords. At a fundamental level, the software starts with a, then b, then c, eventually going to z. If these don’t open the account it tries again with aa, then ab, then ac, and so forth until the combination of uppercase, lowercase, numerals, and special characters is found that opens the account.

This may look like it would take a very long time to be effective. Even with an off-the-shelf computer it is possible to try upwards of 80,000,000 attempts per second. But keep in mind the ability to scale the process. By upgrading to a server farm or a botnet, the hacker may be able to increase throughput 10,000 to 100,000 fold. This makes cracking a typical 8-character password possible in just minutes.

This is the reason I strongly recommend that every password be a minimum of 16 characters in length, with many industry professionals saying that should be a minimum of 24 characters. With each additional character in length, a password becomes logarithmically more difficult to hack. Eventually the hacker will give up on your account and move on to an easier target.
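
The arithmetic behind those numbers is worth seeing once, so here is an added example written for this post (not code from 1Password or any other password manager). It uses the post’s guess rates, 80,000,000 per second for one machine and 100,000 times that for a large botnet, against an assumed alphabet of the 94 printable non-space ASCII characters (the post does not state an alphabet size). It computes the worst-case search time for several lengths, shows that each extra character multiplies the search space by the alphabet size, and generates a password from the operating system’s cryptographic random source the way a password manager does, enforcing the 16-character floor recommended above.

```python
import math
import secrets
import string

# Assumed alphabet: the 94 printable, non-space ASCII characters. The post does not
# state an alphabet size; this is the usual "upper, lower, digits, symbols" set.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
ALPHABET_SIZE = len(ALPHABET)  # 94

# Guess rates taken from the post: about 80,000,000 per second on one off-the-shelf
# machine, and 10,000 to 100,000 times that for a server farm or botnet.
ONE_MACHINE = 80_000_000
BOTNET_HIGH = ONE_MACHINE * 100_000


def search_space(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Candidates an exhaustive search must cover; each extra character multiplies this by alphabet_size."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, guesses_per_second: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return search_space(length, alphabet_size) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit (a year is taken as 365.25 days)."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def crack_table(lengths=(8, 12, 16, 24)):
    """Worst-case search time per password length on one machine and on a large botnet."""
    return {
        n: {
            "one_machine": human_time(seconds_to_exhaust(n, ONE_MACHINE)),
            "botnet": human_time(seconds_to_exhaust(n, BOTNET_HIGH)),
        }
        for n in lengths
    }


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG, as a password manager builds one; enforces the 16-character floor."""
    if length < 16:
        raise ValueError("the post recommends at least 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for n, row in crack_table().items():
        print(f"{n:>2} chars  {entropy_bits(n):6.1f} bits  "
              f"one machine: {row['one_machine']:>22}  botnet: {row['botnet']:>22}")
    print("example 16-character password:", generate_password())
```

Run as written, the 8-character row lands at roughly a dozen minutes on the botnet, matching the post, while the 16-character row runs to tens of billions of years at the same rate. The table assumes the attacker has to guess blindly; it says nothing about a password that was reused and simply read out of someone else’s breach, which is the subject of the next section.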

The Bigger Problem

In my 30+ years dealing with cybersecurity, the second hardest thing for me to convince clients to do is create long passwords (or passphrases). However, the #1 problem has been to convince clients to use a different password for everything.

Trust me, I understand how impossible it is to remember more than a few passwords. But that isn’t a reasonable excuse–because you have much better and bigger things to do with your mind than to remember hundreds of passwords. Instead, use a password manager utility to create and remember all of your passwords.

If you follow the path of “most people”, you will have just a few passwords that are used repeatedly for all of your visited sites. If so, then when one of these sites is hacked, and the hackers take all 100,000,000 user account credentials with them, they have all the time in the world to break these passwords offline. Once they have your password, they have software to automate using your username and password on every banking, credit card, and retail site on the internet. Often within minutes they will successfully access many of your accounts and most of your money.

So the answer to your question is:

  • Use a password manager utility to create and remember your passwords.
  • Passwords should be at least 16 characters in length, the longer the better.
  • Use a different password for every site and service.

GoodRx “Leaked” Your Data to Facebook and Google

As reported in the New York Times on February 1, 2023, GoodRx, the drug discount app used by millions of Americans, was found by the Federal Trade Commission to be “sharing sensitive personal data on millions of users’ prescription medications and illnesses with companies like Facebook and Google without authorization.”

By sharing your personal information without authorization, GoodRx violated a federal rule requiring such apps and fitness trackers to notify the consumer of data breaches.

My family and I use GoodRx, and have found that the discounts on prescription medication are often better than what our paid-for medical insurance can deliver.

I’ve wondered from day one with GoodRx how they were able to provide such deep discounts, or put another way, how are they monetizing the discounted medication game? I must be getting old, after all, I’m the guy who continuously spouts “If you aren’t paying for it, YOU are the product.”

And apparently this was the case with GoodRx.

Between 2017 and 2020 GoodRx uploaded their user contact information to Facebook so GoodRx could identify their users’ social media profiles.

GoodRx would then use that personal information to target users for medication ads on Facebook and Instagram. The FTC stated that this personal information was then available to Facebook (as is any and all information shared on Facebook).

ahhh… Capitalism at its finest.

Free Practical Paranoia Security Essentials Books

WHAT

All of our Practical Paranoia Security Essentials books are guaranteed to be the easiest and most comprehensive cybersecurity and internet privacy books available for Android, ChromeOS, iOS and iPadOS, macOS, and Windows users. And now the first 50 people who respond can get a free copy of our EPUB version downloadable from Apple Books.

And now we can guarantee that we are also the most affordable. It doesn’t get any better than FREE! All we ask in return is to take a few minutes to write an honest review of your book on Apple Books.

WHO

This giveaway is available to the first 50 respondents. As this giveaway is for EPUB books on Apple Books, you will need an iPhone, iPad, or macOS computer with the free Apple Books app to access your free book. In exchange for your free book, we ask only that you leave a book review on Apple Books.

Although all of our books are based on industry best practices from Apple, Google, Microsoft, NSA, DoD, and NIST, each is designed and written with the non-technical user in mind. Our workshops have included students as young as 12 years old, and yes they were both having fun and mastering the skills with ease.

WHEN

Respond between January 28 and February 14, 2023 to receive your free copy of any of our Practical Paranoia Security Essentials books. You must download your free copy on or before February 14, 2023.

WHERE

We are partnering with Apple Books to bring you the very best cybersecurity and internet privacy books available. You must have a (free) Apple Books account (if you use an Apple iPhone, iPad, or macOS computer, you already have an account under your Apple ID).

HOW

To receive your personal code for a free EPUB copy of Practical Paranoia ChromeOS Security Essentials:

  1. Send an email to: info@thepracticalparanoid.com, with the Subject Line of “Free Book”, with your full name, email address, and phone number in the body of the message.
  2. Your personal redemption code will be emailed to you within 24 hours.
  3. Once you have received your personal redemption code, open the Books app on your iPhone, iPad, or macOS computer, search for “Practical Paranoia” to locate your target book.
  4. Select the Download option, then enter your personal redemption code at checkout.
  5. The book will download to your device. If you have other Apple devices, you can use the Books app on those devices to download a copy of your book to them as well.
  6. After reading your book, open the Books app to leave a book review for Practical Paranoia ChromeOS Security Essentials.
  7. NOTE: We continuously update all of our books as new OS security features become available. You can update your copy to the latest version at any time by deleting the copy on your device, then opening the Books app to download the most recent version. All for free!

WHY

Although the Practical Paranoia Security Essentials books have been the #1 consumer DIY cybersecurity book series for over 9 years, they have never before been available in EPUB format or on Apple Books. To help boost awareness of our latest book store we are offering our books to a limited number of reviewers for free.

FOR MORE INFORMATION

Please visit our website at https://thepracticalparanoid.com, or email us at info@thepracticalparanoid.com.

Practical Paranoia ChromeOS Security Essentials Book Giveaway!

WHAT

Practical Paranoia ChromeOS Security Essentials is guaranteed to be the easiest and most comprehensive cybersecurity and internet privacy book available for Chromebook users. And now the first 50 people who respond can get a free copy of our EPUB version downloadable from Apple Books.

WHO

This giveaway is available to the first 50 respondents. As this giveaway is for EPUB books on Apple Books, you will need an iPhone, iPad, or macOS computer with the free Apple Books app in order to access your free book. In exchange for your free book, we ask only that you leave a book review on Apple Books.

WHEN

Respond between January 28 and February 14, 2023 to receive your free copy of Practical Paranoia ChromeOS Security Essentials. You must download your free copy on or before February 14, 2023.

WHERE

We are partnering with Apple Books to bring you the very best ChromeOS cybersecurity and internet privacy book available. You must have a (free) Apple Books account (if you use an Apple iPhone, iPad, or macOS computer, you already have an account under your Apple ID).

HOW

To receive your personal code for a free EPUB copy of Practical Paranoia ChromeOS Security Essentials:

  1. Send an email to: info@thepracticalparanoid.com, with the Subject Line of “ChromeOS Giveaway”, with your full name and phone number in the body of the message.
  2. Your personal redemption code will be emailed to you within 24 hours.
  3. Once you have received your personal redemption code, open the Books app on your iPhone, iPad, or macOS computer, search for “Practical Paranoia ChromeOS Security Essentials” to locate your target book.
  4. Select the Download option, then enter your personal redemption code at checkout.
  5. The book will download to your device. If you have other Apple devices, you can use the Books app on those devices to download a copy of your book to them as well.
  6. After reading your book, open the Books app to leave a book review for Practical Paranoia ChromeOS Security Essentials.
  7. NOTE: We continuously update all of our books as new OS security features become available. You can update your copy to the latest version at any time by deleting the copy on your device, then opening the Books app to download the most recent version. All for free!

WHY

Although the Practical Paranoia Security Essentials books have been the #1 consumer DIY cybersecurity book series for over 9 years, they have never before been available in EPUB format or on Apple Books. To help boost awareness of our latest book store we are offering our books to a limited number of reviewers for free. Our other books (Android 13, iOS 16, macOS 13, and Windows 11) will also have the same offer available.

FOR MORE INFORMATION

Please visit our website at https://thepracticalparanoid.com, or email us at info@thepracticalparanoid.com.

Social Media in the After Life

What Happens to Us After Our Death?

Ok, perhaps I’ve bitten off more than I can chew with that question. So how about an easier one…

What Happens to Our Social Media After Our Death?

THIS I can deal with!

Most social media sites have some mechanism in place to deal with your data or account in the event of your death. If you do not configure these ahead of time, it is possible that nobody will be able to either access your data or take your account down. As configuring how social media should deal with your accounts takes only a minute or two, now is a great time to do so.

Apple and iCloud Account Recovery and Legacy Contact

Apple recently introduced Account Recovery and Legacy Contact with iOS 15 and macOS 12. These features work together to ensure that a trusted loved one or friend has the ability to manage your Apple ID and iCloud accounts. To configure this:

Trusted Phone Numbers

  1. Open System Settings > Apple ID > Password & Security. The Password & Security window opens.
  2. In the Trusted Phone Numbers area, add the phone number(s) that can be used to verify your identity when signing in on a different device.

Account Recovery

  1. Tap the Account Recovery Manage… button. The Account Recovery window opens.
  2. Tap the + button, then follow the onscreen instructions to add contact information for someone you trust.
  3. Select the Recovery Key Manage button, then follow the onscreen instructions to create a recovery key.
  4. When complete, tap the Done button.

Legacy Contact

  1. Select the Legacy Contact Manage button, then follow the onscreen instructions to add contact information for someone to access your account after your death.
  2. When complete, tap the Done button.

Automatic Verification

  1. Enable Automatic Verification to help bypass CAPTCHAs.
  2. Close System Settings.

Trusted Phone Numbers

Used to verify your identity when signing in on a different device or browser.

  1. In the Trusted phone numbers field, tap Edit.
  2. Enter at least one phone number that can send you text or voice messages, then tap Done.

Facebook Memorialization Settings

When you are no longer around to look after your Facebook site, what happens to your data? Facebook has you covered with its Memorialization Settings.

  1. Open a browser to your Facebook page.
  2. Tap on your avatar in the upper right corner > Settings & Privacy > Settings. Verify the heading is General profile settings.
  3. In the Memorialization settings area, tap Edit.
  4. Configure to your taste, then Save.

Google Digital Legacy

Perhaps Google makes the process the easiest of all.

  1. Open a browser to Google Inactive Account Manager at https://myaccount.google.com/u/2/inactive, then follow the on-screen instructions to complete this section detailing what happens to your account should it become inactive.

LinkedIn Memorialize Account

LinkedIn takes a more “legalized” approach, more akin to providing bank account access.

If You Are Not Authorized to Act on Behalf of the Deceased LinkedIn Member

  1. Open a browser to https://www.linkedin.com/help/linkedin/ask/TS-RDMLP
  2. Complete the online form, then tap the Submit button.

If You Are Authorized to Act on Behalf of the Deceased LinkedIn Member

  1. Gather the required forms and information:
  • Deceased member’s full name
  • URL to their LinkedIn profile
  • Deceased member’s email address
  • Date of deceased member’s passing
  • Copy of death certificate

You will need one of the following to show you have the authority to act on behalf of the deceased member:

  • Letters of Administration issued by a court
  • Letters of Testamentary issued by a court
  • Letters of Representation issued by a court
  • Other court order appointing the requestor as an authorized representative for the deceased member’s estate
  2. Open a browser to https://www.linkedin.com/help/linkedin/ask/ts-rmdmlp
  3. Complete the online form, then tap the Submit button.

Access Microsoft Accounts After Death

It is far easier to allow a trusted loved one or friend to access your Microsoft accounts (Outlook.com, OneDrive, etc.) if they have your account credentials. For security and privacy concerns, you don’t need to provide the credentials during your life. Instead, your credentials can be provided to them as part of your Last Will and Testament.

However, Microsoft has mechanisms in place should that information not be available.

Time Frame Concerns

If your Microsoft account has not been accessed in two years, it will be automatically closed, and all data deleted.

Access to Microsoft Accounts Without Knowledge of Credentials

This is where the lawyers and courts come in. Microsoft must be formally served with a subpoena or court order to consider if account access will be granted. For more information, please visit https://support.microsoft.com/en-us/office/accessing-outlook-com-onedrive-and-other-microsoft-services-when-someone-has-died-ebbd2860-917e-4b39-9913-212362da6b2f

Even More Importantly, Secure Your Data and Communications NOW!

The Practical Paranoid, LLC. has been the industry leader in providing the easiest, step-by-step, and most comprehensive DIY guides to secure your data and communications on your home and office computers, phones, and tablets for over nine years.

Our books are so easy that even our students as young as twelve years old master security and privacy. Our books are so comprehensive they are used in high school STEM courses and college and trade-school computer security courses.

We are so confident that we offer all of our books with a 100% satisfaction guarantee!

Visit https://thepracticalparanoid.com today to peruse and buy any of our books.

NEW Practical Paranoia ChromeOS Security Essentials Released!

Welcome the newest member to our family–Practical Paranoia ChromeOS Security Essentials!

One of the strongest features of ChromeOS and Chromebooks is the baked-in security. And while this is true (at least relative to Windows), there are still many areas of vulnerability that most Chromebook users (and even IT professionals) don’t know about. For example:

  • Data corruption and loss.
  • Lack of encryption for external storage devices.
  • Easily cracked passwords.
  • App vulnerabilities.
  • Browser vulnerabilities.
  • ISP and administrator ability to track your web activity–even in real time!
  • Unencrypted text, audio, and video communications.
  • Sensitive metadata contained in PDFs, office files, images, even audio files easily viewed by others.
  • The list goes on.

Practical Paranoia ChromeOS Security Essentials shows you how to quickly and easily fix these and over 90 more vulnerabilities without any technical knowledge or skills!

All Practical Paranoia books are available in three formats:

  • Paperback. Available from Amazon and all fine booksellers.
  • Kindle. Available from Amazon.
  • Live! Available from The Practical Paranoid. We recommend the Live! version, as it is continuously updated with the latest version available on any computer, smartphone, and tablet.

Visit The Practical Paranoid (https://thepracticalparanoid.com) now to view a sample of all our books, and to purchase your own copy.

Should You Update Router and Modem Firmware?

Why

Many of us know how vital it is to ensure our computers, phones, and software are updated on a regular basis. But very few give the same thought to our routers and modems.

But perhaps I’ve gotten ahead of myself. The big question is “What is all the fuss about updates? After all, I’ve got the features I need”.

There are three reasons developers release updates:

  • Monetization. At some point the developer often charges for updates. This is a reality of the kind of economy we have in most developed states.
  • Bug fixes and new features. There are always bugs and features to be added.
  • Security fixes. Ok, this technically falls under “Bug fixes”, but it is important enough to have its own bullet point. Bullet points are cheap!

Security fixes are my focus for updates.

Security fixes typically result from a breach. Once it has been discovered and the appropriate developer notified, they eventually get around to fixing it. There will always be someone who is the first to be hacked by a vulnerability. But you can certainly avoid being a future victim by installing the security fix.

Back to routers and modems.

The majority of users never check their network equipment for software or firmware updates. It is common for me to see a five-year-old router that not only has never been updated, but whose default administrator username, admin password, and Wi-Fi password are all still at their defaults.

This is understandable. Unlike your computer or phone, updating network equipment is not a one-click operation, and it involves dealing with a device that is alien to all but IT professionals.

But like most everything else in life, it’s easy when you know how.

How

The easiest option is if your network device is leased or was purchased from your ISP–like Xfinity, Qwest, AT&T, etc. In that case, just give customer support a call and ask them to ensure the device is updated. They can do this remotely, often in under five minutes.

If your device doesn’t fall under this condition, it is still easy. As every device is different, let me outline the process instead of giving device-specific detailed step-by-step instructions:

  1. As updating a network device will break a network connection temporarily, ensure that nobody and no device is actively working on either the Internet or local network.
  2. Pull out or download the manual for the device. What you are looking for is the default administrator username and password. If you have changed these, you should already have the credentials at hand.
  3. Figure out the IP address of the device. Most network devices have an IP address of 192.168.0.1 or 192.168.1.1. You can find your device address by opening up your network settings or preferences on any device connected to your network. The specific field within the network settings may be called “router” or “gateway”.
  4. Most network devices can be accessed using a web browser. Open a browser, then instead of entering a website name into the URL or address bar, enter the router IP address, then tap the Enter or Return key.
  5. The network device will present an authentication window. Enter the administrator username and password, then tap the Enter button.
  6. Once into the device, look around for the firmware update area. The manual becomes your friend here.
  7. Tap the Update button. The download and update typically takes 5 minutes. During this time the device is offline–even to you.
  8. When the device comes back online, try to update again. Some devices can only update incrementally. I just finished with a device that had to be manually updated 4 times.
  9. Exit your browser and you are done! See, it really was easy!

Q: What are alternatives for password protection that are more secure than traditional passwords?

A: First, let us review the problems with traditional passwords.

  • The overwhelming majority (perhaps up to 90%) of users use the same password(s) for everything. Although this is great for remembering your passwords (you only have one or two passwords you have to remember), it is terrible for security. In the event one of your sites becomes compromised and your credentials stolen, all the criminal need do is launch a script that will try the same credentials on thousands of other sites. Within a few minutes all of your data – and often savings and credit cards – are owned by someone else.
  • The minority of users who actually do use a variety of passwords will almost always use weak passwords, which can be cracked in just a few minutes. Although the definition of “weak password” varies among system admins, as a broad generality any password with fewer than 15 characters is weak.
  • Most users do not use a password manager, making for very insecure storage of passwords. This forces them to write their passwords down. As I’ve been in the industry for over 30 years, I’ve seen it all – including passwords taped to the bottom of keyboards, the password to the server posted above the receptionist station, and even a 3-ring binder with 72 point type on the cover saying “Office Passwords” left out in the open in the waiting room.

So, back to the question of what is more secure than traditional passwords?

  • Strong passwords, unique to every site and service, stored encrypted within a password manager. I’m very fond of Bitwarden and use it as my own password manager. Bitwarden encrypts each password on the device, with an option to synchronize the encrypted database with your other devices. It also serves as a One Time Use Password generator (authenticator). More on that next.
  • Use One Time Use Passwords along with your strong password. Most people know these as authenticator codes. When you enter your credentials to a site, you will be prompted for an authenticator code. These are random-looking numeric codes generated every 30 seconds by an authenticator application. Although not all sites make use of these yet, all of the major ones do.
  • FIDO key. A FIDO key is a device that looks like a thumb drive that you carry on your person. To access a site you must first attach (via USB or Bluetooth) the key to your device. It will provide strong credentials. FIDO keys work great, but haven’t taken the industry by storm and few users are willing to deal with one more piece of equipment they have to carry.
  • Biometrics. You’ve used these. Fingerprint scanners, retina scanners, facial scanners, voice recognition scanners. I even watched a presentation to the military for the implementation of a body odor scanner! And while these work great to provide credentials to access your device, they haven’t been integrated for use with many websites to date.

So, what’s a conscientious technology user to do? My recommendation is to stick with strong passwords, using a different one for every site and service. Use your credentials along with a quality password manager and one-time-use passwords.

Massive WTF?! for 500M Crypto Investors

Although many people have jumped onto the cryptocurrency bandwagon, only a few actually understand how crypto works (and I’m using the term “works” very loosely).

My personal take from day one has been that crypto is the second grandest-scale hoodwinking in the history of humankind. A judge, Martin Glenn, in the legal case of crypto lender Celsius Network has redefined outrageous behavior by declaring that the monies deposited by investors in Celsius do not belong to the investors. Instead, they belong to Celsius!

In terms that we can all understand, this means that for the 500,000 people who invested in Celsius, they simply gave their money to Celsius and will now get nothing in return!

Unfortunately, this ruling is based on the terms specified in the lengthy contract an investor signs when joining Celsius. Worse yet, it appears these same terms are used in many other contracts within the financial community. Which begs the question: When was the last time you took the time to fully review a contract of import that you were to sign?

Q: One of my employees keeps using the same weak password for everything. How can I get them to change it and make it stronger?

Answer:

Were you my client, my first question would be “how do you know?” Because under normal conditions, there is no need to know an employee password.

But no matter how you were to answer my question, the answer is to assign a Password Policy to the computer. Heck, while you are at it, assign a Password Policy to all company computers.

A Password Policy can be applied to Chrome OS, macOS and Windows computers. The process is too involved to describe in detail here on Quora, but an internet search will provide you with the step-by-step.

With a Password Policy, you can specify a minimum number of characters, minimum complexity (upper case, lower case, numbers, and special characters), password lifespan, and prohibit the reuse of previous passwords.

Or, you could be the brightest one in the room and read one of my Practical Paranoia Security Essentials books, which do provide the illustrated step-by-step instructions.

You may also consider including a password policy compliance statement in your employee handbook. This way, the employee is provided very clear notice that the intent of the policy is to help ensure the security of proprietary company data as well as the privacy of the employee… And that a violation of the policy can lead ultimately to termination.

There are a few other items you may want to look at:

  • Verify whether the employee’s password has been compromised on the web. This is as easy as visiting https://haveibeenpwned.com, then entering the employee email address. Anywhere the password has been compromised, the employee must then change the password, as well as on every other site where that same password is in use.
  • I’d be tempted to have your IT person work with your employee to view all stored passwords. This will give you a good idea of what sites are using the same passwords, and then where to change the passwords.
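The policy knobs named above (minimum length, complexity, lifespan, no reuse) and the compromised-password check are both mechanical enough to show in code. The following is an added example in Python, not code from this post or from any OS’s policy engine. The policy half checks a candidate password against those four rules; the second half goes one step beyond the post’s email lookup and shows the k-anonymity range query that the Have I Been Pwned “Pwned Passwords” service uses, where only the first five hex characters of the password’s SHA-1 ever leave the machine. The 16-character, three-class, 90-day and 10-password defaults are my assumptions, and the range response and its counts are constructed for the demo, not live data.

```python
import hashlib
import re
import urllib.request
from dataclasses import dataclass

# --- Password policy check (the four knobs named in the post) ----------------

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 16      # minimum number of characters (assumed default)
    min_classes: int = 3      # of upper / lower / digit / special (assumed)
    max_age_days: int = 90    # password lifespan (assumed)
    history_size: int = 10    # previous passwords that may not be reused (assumed)

CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

def history_digest(password: str) -> str:
    """Digest used for the reuse check. A production history store would use a
    salted, slow hash (bcrypt/argon2); plain SHA-256 keeps the demo offline."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def policy_violations(password: str, policy: PasswordPolicy,
                      history=(), age_days: int = 0) -> list:
    """Return human-readable reasons the password fails `policy` (empty list
    means compliant). `history` holds previous password digests, oldest first;
    `age_days` is how long the current password has been in use."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < policy.min_classes:
        problems.append(f"uses {len(present)} character classes, policy requires {policy.min_classes}")
    if history_digest(password) in history[-policy.history_size:]:
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    if age_days > policy.max_age_days:
        problems.append(f"older than {policy.max_age_days} days")
    return problems

# --- Compromised-password check with k-anonymity ------------------------------

def hibp_range_parts(password: str):
    """Split the SHA-1 of the password into the 5-hex-char prefix that is sent
    to https://api.pwnedpasswords.com/range/<prefix> and the 35-char suffix
    that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_response: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) for our suffix."""
    for line in range_response.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix.upper():
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Live lookup over the network; not used by the offline demo below."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for a range response for prefix 5BAA6. The suffixes other
# than the middle one and all of the counts are made up for the demo.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4F3F3CB1B2A6E0D4A2A4F6B2E1C9D0AAA:1
"""

if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy_violations("password", policy))
    prefix, suffix = hibp_range_parts("password")
    print(prefix, breach_count(suffix, SAMPLE_RANGE_RESPONSE))
```

Running the range check in a sign-up or password-change flow is how a site can refuse already-leaked passwords without ever receiving the password in a form that identifies it: the server sees a 5-character prefix shared by hundreds of hashes, and the match is made locally.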

FREE PRACTICAL PARANOIA MACOS 13 UPDATE BOOK

Well, this is embarrassing. For the first time in nine years, we have a quality control issue at The Practical Paranoid. At some point in the publishing process for Practical Paranoia macOS 13 Security Essentials, we released a version with a few old (macOS 12) assignments and screenshots.

The fully correct and updated Live! and Kindle book will be available by next Tuesday (December 27, 2022), with the print version available within a few weeks (simply can’t rush the printing press).

If you have purchased any Practical Paranoia macOS 13 Security Essentials book version, we are offering a free replacement!

Paperback

  1. Tear off the cover (verify it specifies a title for macOS 13) and the Proof of Purchase page.
  2. Complete the Proof of Purchase page.
  3. Mail both cover and Proof of Purchase page to:
    Marc Mintz
    The Practical Paranoid
    1000 Cordova Pl
    #842
    Santa Fe, NM 87505
  4. We will ship your free paperback book just as soon as we receive them from the print house.

Kindle

  1. (Wait until after December 27, 2022) Delete your copy of the book from your Kindle device.
  2. Go to your Kindle library.
  3. Select Practical Paranoia macOS 13 Security Essentials.
  4. The updated book will download to your device.

Live!

  1. (Wait until after December 27, 2022)
  2. Open your browser to your Google Drive > Shared with me > Practical Paranoia macOS 13 Textbook folder.
  3. The new version is waiting for you!

Questions? Please contact our office at info@thepracticalparanoid.com

New Credit Card Fraud Operating in the Wild

Just when you thought it was safe to go back into the water.

Oh, wait. Wrong movie!

Do you have a credit card? Do you have a cell phone? Of course you do! And if a bad actor gains access to both of these, they have found an effortless way to gain full control over your credit card account.

The Hack

This hack was discovered when the bad actor was caught in the act in the locker room of a gym. The process works like this:

  1. The bad actor (BA) opens lockers (at least at the gym) to gain physical access to the victim’s phone and credit card.
  2. BA uses their phone to attempt to log in to your credit card account, tapping the “Forgot my password” or “Reset my password” button.
  3. An authorization code is sent to the victim’s cell phone.
  4. IF (big if) the victim has configured their phone to display messages while in Lock Screen mode, the authorization code is clearly visible to BA.
  5. BA enters the authorization code on their phone. This gives BA the opportunity to change your password, phone number, email address, and all other vital information.
  6. At this point, BA has full control over the victim’s credit card account.

The Fix

Fortunately, the fix is straightforward and simple. All that need be done is to prevent messages from displaying on your Lock Screen. If you have followed me for any time, you know I’m a fan of not allowing ANYTHING to display on the Lock Screen.

For those of you who have just upgraded to iOS 16, this can be done from Settings > Notifications > Messages > disable the Lock Screen option. It is OK to leave Notification Center and Banner notification enabled.

For Android users, open Settings > Privacy > Notifications on Lock Screen > enable Don’t show notifications at all.

50% DISCOUNT ON ALL PRACTICAL PARANOIA BOOKS
IOS 16 AND IPAD 16 ARE NOW AVAILABLE
And so are the vulnerabilities to your device, data, and communications!

iOS 16 is the MUST HAVE upgrade for your iPhone and iPad. In addition to dozens of new features, iOS 16 has dramatically improved the options for your cybersecurity and internet privacy.
But you need to know HOW to properly configure your device to ensure your security.

Practical Paranoia Security Essentials has been doing just that for over 8 years as the best-selling, easiest, most comprehensive guide to securing data and communications on your home and office devices.

And from now until September 30, 2022, ALL Practical Paranoia Live! Edition books are 50% off!
Visit https://thepracticalparanoid.com to order at half price today. Just enter discount code “50” at check-out.

All Practical Paranoia Security Essentials books are available in paperback, Kindle, and Live! editions.

Live! editions are exact replicas of the paperback and kindle editions, made available through Google Drive. This is the version used by Universities, trade schools, and high schools, and is now available to everyone. Its advantages include: Always available on any device with a browser and internet connection, and automatically and constantly updated as the OS, applications, and best practices evolve.

Questions? Call +1.505.453.0479