Q: What is the best way to back up your data and keep it safe?

A: It is vital to back up all of your data in case the original becomes damaged, corrupt, or deleted. To protect your data you must have AT LEAST one local and one remote backup.

A local backup is typically saved to an external hard disk drive or flash drive. You will need a drive with at least four times the capacity of the data to be backed up. This is to allow for growth as your files are edited and additional files are created. The drive needs to be encrypted. This can be done with Time Machine or Disk Utility (macOS), or Bitlocker (Windows).

The remote backup can be a drive like the local backup, but stored off-site. In many cases a better alternative is to use online backup. This can be done with Google Drive, Microsoft OneDrive, or one of the dozens of commercial internet backup tools.

Q: How Do I Know if My Personal Information Has Been Hacked?

A: A bit of background information is probably in order.

  1. It is almost certain that much of what you think of as personal information is already “out there” and readily available to marketing groups, criminal hackers, advertisers, and other miscreants. Organizations such as social media, Google, your Internet Service Provider, and all major websites track your online activities. Over time, this accumulation of data creates a near perfect personal profile. This profile is sold to marketing groups and others. There isn’t a thing you can do about this – other than to be wise with how you interact with social media, and to operate with as much anonymity and security as you can whenever connected to the internet.
  2. Some of your personal information comes from breaches of websites where you have freely provided your information. For example, health providers, banks, credit card companies, social media, etc. You can check for such breaches at https://haveibeenpwned.com. If you find a breach, again, not much you can do about it, but it is time to change your password for the site.
  3. Almost nobody practices wise cybersecurity and internet privacy. A recent study found that the majority of adults use the same one or two passwords for everything. 85% of high school kids use the same password for everything, with almost 50% freely sharing their passwords with friends. There are some standards to put into practice:
    1. Use a different password for EVERY site and service.
    2. Passwords should be a minimum of 15 characters in length. Complexity doesn’t matter – length matters.
    3. Don’t write down passwords. Instead, use a quality password manager (I’m fond of Bitwarden) to store passwords in an encrypted database.
    4. Use multi-factor or two-factor authentication whenever it is available. For sites such as health care, banking, credit card, financials – if they don’t offer multi-factor authentication, change to another provider that does. This indicates they don’t care about security and privacy.
    5. Don’t share your passwords with anyone.
    6. Don’t use a non-private domain email. For example mary@google.com. Instead, spend a few dollars to set up your own private domain email, for example marc@maryxsmith.com, and make sure you have a quality email provider as your host. I recommend Proton Mail, Google, and Microsoft. Once you have this, ask your provider for help setting up your SPF, DKIM, and DMARC records. This will help prevent you from getting spam and help prevent your account from being used to spam others.
    7. Contact the three major credit reporting organizations to get copies of your credit at least yearly. Review for any errors, and then get them resolved.

Oh, did I mention to be smart about your cybersecurity and internet privacy? Did your eyes roll to the back of your head when you read that? It is actually quite quick and easy, once you know the How! Interested in the how? Have I got a book or two for you: Practical Paranoia Security Essentials.

Q: How Vulnerable Are My Children To a Cybersecurity Or Internet Privacy Breach?

A: It is almost a sure bet your child has been knowingly or unknowingly a victim of cybersecurity or internet privacy breach (if they have internet accounts).

According to a report released today (August 11, 2021) by NIST (National Institute of Standards and Technology), 87% of high schoolers use the same password for everything, and 45% of high schoolers share passwords with their friends. According to the research, teens don’t see password sharing as risky behavior, but as a way to build friendships and trust.

Apparently, this is not an issue with not knowing cyber best practices. Children as young as third grade know and understand why passwords are needed, and why to use and how to create strong passwords.

So, with almost 90% of children using the same password for everything (my head almost explodes just writing that), and almost half sharing that singular password with friends, is it any wonder you can bet they have been breached?

Unfortunately, if they have freely shared their password(s) with friends, there isn’t a viable way to determine if this password has been used by friends to access their other accounts. But the doors are wide open for friendly fire upon their social media, email, banking, and school accounts to haunt them for years.

This might be a great time to spend five minutes with your child to review password best practices. For those whose own memory may be a bit dusty 😉 …

  • Use a different password for every website and service.
  • Passwords should be a minimum of 15 characters.
  • Password complexity isn’t important. Better to have an easy to enter passphrase.
  • Whenever possible, enable two-factor authentication (also called multi-factor authentication). This prevents someone who knows your password from accessing your account.
  • Do not share passwords with anyone.
  • Do not write passwords. Instead, store passwords in a password manager utility, which encrypts your data. My preference is Bitwarden for all OS’s.

While you are at it, check all family member accounts for breaches by visiting https://haveibeenpwned.com. Although this site won’t tell if you have been a victim of friendly fire, it will tell if your account has been attacked.

Q: What’s the Big Deal Over Two-Factor Authentication?

No matter how “great” or “strong” your password, it can be broken, hijacked, or bypassed. Perhaps the most common method to usurp your password is by breaching the user database of a major vendor. For example, recent attacks include:

  • Audi: 2.7 million accounts
  • Guntrader: 112,000 accounts
  • University of California: 547,000 accounts

Once a major site has been breached, the criminal gains access to all of the user accounts and passwords. If the passwords are strongly encrypted, it is simply a matter of time before automated cracking software resolves that bump in the road. More typically, however, the passwords were either not encrypted at all, or were protected with weak encryption that can be quickly and easily broken.

Given there are currently over 11 BILLION hacked accounts sitting on the dark web waiting for criminals to scoop them up, what can you and I do?

This is where two-factor authentication (2FA) (also called multi-factor authentication) rides in to rescue the day.

With 2FA in place, even if the criminal gains access to your password, they still need the second authentication factor in order to access your account – and only you have it!

What Is Two-Factor Authentication

2FA is just a second way that you can provide proof you are authenticated to access an account. The first way is knowing the password.

The second method can be:

  • Knowing a one-time-use code that is sent to your email.
  • Knowing a one-time-use code that is sent to your smartphone via text or voice.
  • Knowing a one-time use code that is randomly generated every 30 seconds via software or a hardware key.
  • Knowing a one-time use code that was given to you when you registered for 2FA on the site.

Current best practice recommends against codes sent to your smartphone, as they are easily intercepted.

How to Stop Business Email Compromise (BEC) Attacks

Business Email Compromise (BEC) is any type of cyber attack using email that in itself does not contain a malicious attachment. Although there are many different BEC attack vectors, the dominant one is spoofing, used in almost 50% of all BEC attacks. In a spoofing attack, the criminal sends an email that appears to be from a high-ranking member of the organization, requesting a transfer of funds.

A few statistics to act as a wake-up call:

  • In a recent survey, 71% of organizations acknowledged experiencing a BEC attack over the past year.
  • The FBI’s Internet Crime Complaint Center reports that in 2020 there were 19,369 BEC complaints, with losses of approximately $1.8 billion.
  • One of the largest BEC losses came to Nikkei, the Japanese media group, in the amount of $29 million.

A BEC attack generally works like this:

  1. The criminal acquires the name and email address of a senior-level executive within an organization.
  2. The criminal sends an email, spoofing the name and email address of this executive, to their executive assistant or the accounting department, requesting that monies be sent to some account outside of the organization.
  3. Because this email appears to be from a senior-level executive, there is often no expenditure authorization policy in place to limit amounts, and no requirement for secondary approvals.
  4. The monies are sent to the requested accounts, which are immediately cashed out by the criminal.

What Can I Do To Help Prevent an Attack

Expenditure Authorization Policies

Although it will likely result in a few bruised egos, and introduce some time delays, it is vital that expenditure authorization policies mandate that any significant financial request, from any member of the organization–even the owner, president, or CEO–must be cleared through a secondary approval process. Even something as simple as a required video call to the requestor could block most of these attacks.

Staff Education

As part of staff continuing cybersecurity and internet privacy training, all staff should be educated on how a BEC attack works, and what the new expenditure authorization policies are.


The cornerstone of a BEC attack is the ability to send an email that appears to be from a legitimate source. We do have technology that can help stop this from occurring. These go by the terms Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC).

If your eyes just rolled up to the back of your head, I understand, but stay with me.

SPF is an email validation system. It provides a mechanism to authorize servers and services to send email using your domain. This allows a receiving mail server to verify that incoming mail from a specific domain is coming from a host authorized to send that mail. If a criminal sends email to you with spoofed “from” information, your email server can validate or invalidate the authenticity of the incoming email. This prevents email from a forged or spoofed address from reaching an inbox.

DKIM accomplishes much the same as SPF, but from the opposite direction. It provides a mechanism for the receiver to verify that an email claiming to have come from a server which has been authorized to send mail for a specific domain via SPF is indeed the server that is sending the email.

DMARC is a configurable policy that determines how to deal with email that has failed the SPF or DKIM validation.

In a nutshell, SPF authorizes a server to send email on behalf of a specific domain, DKIM authenticates the sending server, and DMARC determines what to do with the email if it fails authentication.
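To make the nutshell concrete, here is an added example (not from the original post or from any mail vendor) that replays the spoofing scenario above against two sets of DNS records for a hypothetical domain, example.test: a weak pair (SPF ending in ~all, DMARC p=none) and a corrected pair (-all, p=reject). The records, the IP addresses and the tiny stand-in DNS resolver are all constructed; the evaluator supports only the ip4, ip6, include and all SPF mechanisms and approximates the organizational domain as the last two labels.

```python
import ipaddress

# Constructed example records for a hypothetical domain (not real DNS data).
WEAK_SPF = "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.test ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRONG_SPF = "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.test -all"
STRONG_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.test"

# Stand-in for DNS: maps a domain to its SPF TXT record (used by include: terms).
RESOLVER = {"_spf.mailhost.test": "v=spf1 ip4:192.0.2.0/24 -all"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip, resolver=RESOLVER):
    """Simplified SPF evaluation supporting ip4, ip6, include and all.
    Returns pass, fail, softfail, neutral, or none (no usable record)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            # an IPv6 sender is simply not contained in an IPv4 network
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            included = spf_check(resolver.get(value.lower(), ""), sender_ip, resolver)
            if included == "pass":
                return QUALIFIER_RESULT[qualifier]
        # a, mx, exists and other mechanisms are not modelled here
    return "neutral"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    # Simplification: last two labels (real DMARC uses the Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(dmarc_record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'pass' when SPF or DKIM passes *and* aligns with the From: domain;
    otherwise return the published p= policy (none, quarantine or reject)."""
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        return "none"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


def classify_spoof_attempt(spf_record, dmarc_record, sender_ip, from_domain):
    """The BEC scenario: a message claiming From: exec@from_domain, sent from
    sender_ip, with no DKIM signature for that domain."""
    spf_result = spf_check(spf_record, sender_ip)
    return dmarc_disposition(dmarc_record, from_domain, spf_result, from_domain,
                             "none", "")


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("corrected", STRONG_SPF, STRONG_DMARC)):
        print(label, "->", classify_spoof_attempt(spf, dmarc, "198.51.100.77", "example.test"))
```

With the weak records the forged message is merely softfailed and DMARC says "none", so it reaches the inbox; with the corrected records the same message is rejected.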

Configuring SPF, DKIM, and DMARC doesn’t require an IT professional. Your email service provider may be willing to set it all up for you. Better yet, do it yourself and be certain it is done properly! The entire step-by-step takes only four pages and less than an hour of your time. Where can you find the steps? They are assignments 13.11.1 through 13.11.4 in any of our current Practical Paranoia Security Essentials books.

Oh! I almost forgot… You can now become master of your cybersecurity and internet privacy even if you wouldn’t know an SSL from a TLS (ok, nerd humor isn’t even funny to other nerds). In just 1 hour a day over 10 days with our Practical Paranoia Online Workshops. If you can tap, double-tap, and save a file, you can quickly and easily secure your computer, tablet, phone, data, and communications using the same steps as used by governments, military, and big business. All you are missing is knowing the how. Lucky for you, we’ve got the know-how to spare, and we will share it all with you in the workshop.

Register by July 31, 2021 and receive 55% discount.


Finally, Online, Instructor-Led, Cybersecurity Workshop for Non-IT Users

It doesn’t take an Apple Genius, Google Guru, or Microsoft Engineer to help secure your devices, data, and communications.

If you can tap, double-tap, and save a file, we can walk you step-by-step through ensuring your cybersecurity and internet privacy to industry standards.

Register NOW and receive a 55% discount – only $125 for any workshop in August.

How Often Should I Change Passwords

There was a time, not so long ago, where most IT administrators mandated that every password for everything be changed every three months.

In my specific case, I currently have 940 passwords in my password vault. That means I would be changing at least 10 passwords every day. And getting very little else accomplished!

Thankfully, someone took a deep breath and gave some time to actual critical thinking about the whole password life span issue. The conclusion? Unless a password has been breached, or you think it could have been breached, no need to change it for…ever.

That is right. According to the current guidelines by most of the major US government IT overlords, you never need to change a password unless it may have been compromised.

But, that answer isn’t really quite that simple.

First, there are plenty of old-school IT administrators in the field who refuse to do their own critical thinking, and insist on mandating password changes every X months. Good luck getting these folks to wake up.

Second, this guideline assumes your password habits are healthy. What are healthy password habits?

  • Every website and service uses a unique password. No password is used more than once.
  • All passwords are strong. “Strong” is defined differently by different standards-setting organizations. But a good generalization is a minimum of 15 characters. A password of 123456789012345 is technically as strong as $g1A7^bY0&qX4%r.
  • No password uses a part of your name, address, phone number, social security number, pet name, or is otherwise guessable.

This is far easier than the old-school rules of:

  • At least 1 upper-case letter
  • At least 1 lower-case letter
  • At least 1 number
  • At least 1 special character
  • At least 1 drop of unicorn blood

But now you have a trove of passwords, at least 15 characters in length, none of which are rememberable.

What to do?

Use a password manager to do the remembering for you.

If you are a Mac user, macOS, iOS, iPadOS, and Safari work together to remember and autofill your passwords.

If you are a Windows user, Edge will remember and autofill your passwords.

Brave, Firefox, and Chrome also have their own built-in password managers.

However, my recommendation is to use Bitwarden. Bitwarden is a third-party free/for-fee password manager and Multi-factor Authentication utility (free for password management, for-fee to access the MFA). It works with almost all browsers, all OS’s, and across all of your devices. So a password created on my iPhone is immediately available to my Chromebook, Windows PC, MacBook, and Android tablet. For less than what you will find in your couch cushions, you can have peace of mind in the password department.

World peace will take a bit more.

Enroll by July 31 and Save 55%


Can Law Enforcement Force You to Unlock Your Computer?

As of Thursday, July 21, 2021, the short answer is YES. As reported by CNN, a federal judge forced Guy Refitt, a January 6, 2021 US Capitol rioter, to sit in front of his computer so that face recognition could unlock it. The prosecution stated that the computer most likely held video footage of the riot from the helmet cam worn by Refitt. Whatever your views and politics regarding the Capitol riots, this is seen as a blow for cybersecurity and internet privacy. Whether or not law enforcement can force a person to unlock their computer or mobile device has long been a hotly contested issue. This federal ruling will add weight to the debate over using face recognition. However, the question of whether you can be compelled to enter a password is still in the balance.

What Does This Mean For Me?

I have long recommended to clients that they NOT use biometrics for computer or mobile device log in. My primary reason is that biometrics (Face ID, Touch ID) can be easily circumvented. It now looks like biometrics provide little protection against law enforcement penetration as well.

Stop Being the Victim of:

  • Data Loss
  • Ransomware
  • Malware
  • Hackers
  • Malicious Websites
  • Identity Theft
  • and Stolen Passwords

Take Control of Your Cybersecurity and Internet Privacy

  • Just 1 Hour a Day for 10 Days
  • The Easiest, Fastest, Step-By-Step DIY Course Available
  • Includes the Best Selling Practical Paranoia Security Essentials Workbook and Private Instructor Hours

Starts August 2, 2021

55% Early Registration Discount until September 31

Visit https://thepracticalparanoid.com

How to Have Secure Encrypted Voice, Video, and Text Communications

“Surveillance technologies now available – including the monitoring of virtually all digital information – have advanced to the point where much of the essential apparatus of a police state is already in place.” – Al Gore

The manufacturers or developers (such as Apple, Facebook, Google, etc.) and carriers (Verizon, AT&T, etc.) for each party can intercept any traffic that crosses their networks. This interception may extend to any third parties that work with your carrier, such as contractors or subsidiaries. In addition, your local, state, and federal government monitor data in dragnet-style snooping.

How can you communicate easily and securely?

If you are interested in cross-platform, end-to-end encrypted, text, voice and video conferencing solutions, a few options are available.

Wire and Signal are our choices for end-to-end encrypted voice, video, instant messaging, and group communications. Both provide end-to-end encrypted communications between Android, Chrome OS, iOS/iPadOS, macOS, and Windows.

Wire is a for-fee commercial service. It offers a free 30-day trial.

Signal is an independent nonprofit that provides its product and services for free. We use Signal for the rest of this blog.

HIPAA Considerations

HIPAA is concerned about securing Protected Health Information (PHI) from leakage, but at the same time, requires that instant messaging have an audit trail. This requires that all messaging be logged to a centralized server so the log can be reviewed. In addition, HIPAA requires that the vendor be willing to sign a Business Associate Agreement (BAA). As a BAA puts the vendor at a potential liability should their service or software be found responsible for leaking protected health information, you will not find free or inexpensive software that meets HIPAA compliance requirements.

Most readers of this blog want to leave no record of an encrypted conversation, and have no need of a BAA.

If your instant messaging needs include HIPAA compliance (this requires meeting Joint Commission guidelines), then the rest of this blog does not apply to you. I recommend you perform an internet search to find and assess the few options available. Then work with an IT expert to implement your HIPAA-compliant program.


Signal is a free platform for peer-to-peer (no centralization) and group secure, end-to-end encrypted communications using instant messaging, voice, and video.

Install Signal

In this assignment, you create a Signal account. This account allows you to make fully secure, encrypted instant messaging, voice calls, and video conferences with friends and business associates.

  • Prerequisite: If you wish to use Signal on a Chrome OS, macOS, or Windows computer, you will first need to create a Signal account registered on an Android or iOS mobile device (performed in this assignment).

Download and install Signal onto a mobile device

  1. On your iOS or Android mobile device, open a browser window to https://signal.org.
  2. Tap Get Signal. If using an iOS device, the App Store opens to Signal-Private Messenger. If using an Android device, the Google Play Store opens to Signal-Private Messenger.
  3. Download and Install Signal to your mobile device.
  4. On your mobile device, open the Signal
  5. Follow the onscreen instructions to complete the registration process.

Download and install Signal onto a PC 

  1. Open a browser and go to https://signal.org, then tap the Get Signal
  2. Open the downloaded installer file and follow the prompts to install the app.
  3. Launch Signal.
  4. Signal displays a QR code.
  5. If using an iOS mobile device, open Signal.app > Signal Settings > Linked devices > Link New Device. If using an Android mobile device, tap the + button.
  6. Use your mobile device to scan the QR code.
  7. Assign a name for your Linked Device, then tap Finish.

Your Signal desktop app is now ready to use!

Invite People to Signal

Before you can communicate with someone else using Signal they must also have a Signal account.

In this assignment, you invite someone to install Signal and create an account.

  • Prerequisite: Access to your mobile device with Signal installed.
  1. Open Signal on your phone (invitations do not yet work with Signal Desktop.)
  2. Tap your profile picture in the top left corner > Invite Your Friends.
  3. Select to send either a Message or
  4. A list of all your phone contacts appears. Select the target contact(s), then tap
  5. A new email message is created with each of your target contacts listed in the Bcc field, with a link to download Signal on their phone.
  6. Customize the email to your taste, then tap the Send
  7. Once your target contacts have installed Signal on their phone, you receive a text from Signal that they have joined, and their name appears in your Signal Contacts.

Secure Instant Message with Signal

In this assignment, you instant message your new Signal friend.

  1. Open Signal (for this assignment, on your computer.)
  2. From the sidebar, select the desired Contact.
  3. In the main body area of the Signal window, in the Send A Message field at the bottom, enter a text message for your contact, then tap Return. The message is sent to your contact and received in seconds.

Secure Voice or Video Call with Signal

In this assignment, you make a secure, encrypted voice call to a Signal friend.

  1. Open Signal.
  2. Select a Signal contact to call.
  3. In the top right corner of the Signal window tap either the phone or the video
  4. Tap the Start Call
  5. On your friend’s Signal device, they hear their device ringing and see an Incoming Call message. If they wish to answer, they tap the Signal Phone icon.
  6. The two of you can now speak in complete privacy (even better than Maxwell Smart’s Cone of Silence).


How to Run Windows 11 on Apple silicon Mac

If you are a Mac user, but also need to run Windows, there are several easy ways to do it all on one machine.

However, if you are on Apple silicon (M1) Mac, and want to run Windows 11? So far the path has hit a brick wall. Parallels promises to have a version out when they have mastered how to do it. But what if you just… can’t… wait?!

I may just have the magical codes to deliver.

My thanks to ytechb.com for most of the pointers.

WARNING: Windows 11 is still in beta/preview development. This is not stable software (oh, hell. When is Windows all that stable anyhow?)

WARNING: These steps require making changes to your registry. This is not something to be taken lightly. However, the changes are minor.


  • An Apple silicon Mac with all current updates.
  • At least 22 GB free space on your boot drive.
  • Parallels (current version).
  • Internet connection.
  1. Download and install Parallels from https://parallels.com.
  2. Download and install Windows 10 Insider Preview from https://insider.windows.com/en-us/
  3. From Parallels, install the Windows 10 Insider Preview.
  4. Run Windows Update to verify you have the latest version of Windows 10 Insider Preview installed. Normally, this is as far as you can currently go with updates, as Windows 11 Insider Preview will not install on an Apple silicon Mac. But there are two brick walls we are going to go through like they were butter.
  5. Open the Windows Registry Editor, then go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > WindowsSelfHost > UI > Selection.
  6. Double-tap on UIBranch, then change the value to Dev.
  7. In Registry Editor, go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > WindowsSelfHost > Applicability.
  8. Double-tap on BranchName, then change the value to Dev.
  9. Close Registry Editor.
  10. Restart Windows.
  11. Go to Windows Update Settings > Check for Updates.
  12. The Windows 11 Insider Preview will be seen as available.
  13. Tap the button to download the Windows 11 Insider Preview.
  14. The download will start, but will soon pop-up an error message that Windows 11 cannot be installed as there is no TPM 2 chip found (Macs do not have a TPM chip, although they have their own hardware security chip in use).
  15. Don’t close the error message.
  16. Open File Explorer, then search for AppraiserRes.dll.
  17. When AppraiserRes.dll is found, open the parent folder, drag AppraiserRes.dll to the desktop, then delete the found AppraiserRes.dll. KEEP THIS PARENT FOLDER OPEN.
  18. Go back to the error message and click Continue.
  19. In the Windows Update window, tap the Fix issues button. The Windows 11 installer will continue downloading.
  20. An Almost Ready message will appear. You can close it.
  21. Once the download has progressed past the point it had stopped earlier (probably around 10%), you can drag and drop the AppraiserRes.dll back into the folder in which it was found.
  22. When download has completed, an alert will prompt to Restart Now. Tap this button to restart.
  23. Once restarted, Windows 11 will continue to install.
  24. When back to the desktop, return to Windows Update Settings > Check for Updates, and check for additional updates.
  25. When the updates download, you are done, and have Windows 11 Insider Preview waiting to be used.


July 4th – Biggest Announcement EVER from The Practical Paranoid


On the Fourth of July, Americans celebrate independence, declaring we are no longer subject and subordinate to the monarch of Britain.

But today we are subject to greater tyranny through constant internet surveillance and breach of our online privacy. We are at the mercy of our government, Facebook, Google, cyber criminals, and other bad actors intent on knowing, seeing, and recording our every digital nanosecond.

Time for an updated Independence Day.

I’m Marc Mintz, Project Director for The Practical Paranoid (TPP).

TPP and I have worked to enlighten the public that it does not take an Apple Genius, Google Guru, or a Microsoft Engineer to secure your systems, data, and communications. Almost everything the government and big business do to ensure their cybersecurity and internet privacy can be done for you, by YOU, for less than what we spend on coffee. And in just a few hours.

Our Practical Paranoia Security Essentials books have been showing non-technical users how to do this for over eight years.

The number one comment we receive from buyers of Practical Paranoia Security Essentials books is how surprised they are at how fast and easy it was to secure their phone, text, email, browsing, and entire digital life.


The second most common comment from buyers is how intimidating Practical Paranoia books appear. Some buyers never jump into using a book after they purchase it.


With the release of five new operating systems this year – Android 12, Chrome OS, iOS 15, macOS 12, and Windows 11 – we needed to remove the intimidation factor so that everyone could learn how to protect their data, communications, and privacy. And we did it.

Announcing five brand-new Practical Paranoia Security Essentials Online Workshops that cover all the new OS products.

Protecting your digital life is as important as locking your home and carrying a driver’s license.

There are three paths to cybersecurity and internet privacy:

  1. You can pay a certified cybersecurity professional to do all the work that you will do in a TPP workshop. But pros cost $1,000-$4,000.
  2. You can buy the Practical Paranoia book and DIY for only $64.95. But you would have done it already if it weren’t for that pesky intimidation factor.
  3. Now you can do the work on your own–but with an industry leader guiding you in a workshop– the only workshop of its kind available anywhere at any price.

Think you don’t have the skills or background knowledge to do your own cybersecurity? We designed each workshop for the non-technical computer, tablet, and smartphone user. If you can tap, double-tap, and save a file, this course was made for you!

Each OS workshop consists of:

  • A series of 7 to 10 one-hour classes on Zoom
  • A copy of the latest best-selling TPP book, a $64.95 value
  • Our August beta workshops will be presented live by an industry expert who has taught technology courses internationally
  • Each class is recorded for students to access if they miss the live session
  • Easy hands-on assignments to harden your security and privacy to industry standards
  • AND Private Instructor Hours via Zoom to help you over any rough patches

The Practical Paranoia Security Essentials Online Workshops are only $275. And, it gets even better!

If you register for any of our first beta workshops in August 2021, your cost is only $125 for any workshop. Registration for beta workshops is limited and will close quickly.

Protecting you, your family, and your business cybersecurity and internet privacy is fast, easy, and inexpensive. You may even have fun doing it!

Visit https://thepracticalparanoid.com
for more information and to register for a one of a kind experience.

5.8 Million Android Apps Installed Steal Users’ Facebook Credentials

Nine Android apps with a combined download count of over 5.8 million have been removed from the Google Play Store for stealing users’ Facebook credentials.

The apps are:

  • PIP Photo
  • Processing Photo
  • Rubbish Cleaner
  • Horoscope Daily
  • Inwell Fitness
  • App Lock Keep
  • Lockit Master
  • Horoscope Pi
  • App Lock Manager

These fully functional apps performed their theft by prompting users to log in to their Facebook account in order to disable in-app ads.

As a general cybersecurity and internet privacy guideline, never type the password for one account into a different app in order to unlock that app or its features. The most common example of this is when a newly installed app requires creating a user account and offers a choice between creating an account on the app’s own site or using your existing Google account to log in. A legitimate “Sign in with Google” or “Sign in with Facebook” hands you over to that provider’s own sign-in page and never gives the app your password; an app that shows you its own Facebook or Google login form is collecting your credentials.

What To Do If You’ve Installed One of These Apps

  1. Uninstall the app.
  2. Change your Facebook password. If you reused that password anywhere else, change it there too.
  3. In Facebook’s security settings, review where you are logged in and log out of any session you don’t recognize.
  4. If you do not already have it, enable two-factor authentication with Facebook.

You Know You Need Cybersecurity and Internet Privacy for Yourself, Your Family, and Your Business, But:

  • I can’t afford to hire a qualified cybersecurity professional.
  • I’ve bought the DIY books, but they are too intimidating.
  • I don’t have the time to DIY, and besides, even if I did find the time, who would help guide me when I get confused?

Announcing Practical Paranoia Security Essentials Online Workshops

  • Designed for the new to average user
  • Workshops available for Android, Chrome OS, iOS/iPadOS, macOS, and Windows
  • Each Zoom workshop is presented by a certified industry leader
  • Quick and easy one-hour classes cover the entire best-selling Practical Paranoia Security Essentials book
  • Includes private one-on-one instructor time should you have questions
  • Includes the Practical Paranoia Security Essentials book ($64.95 value)
  • If you can tap, double-tap, and save a file, this course is made for you!
  • New beta workshops with limited seating available at over 50% discount–only $125

For more information and to register, visit https://thepracticalparanoid.com/

Netgear Router Bug Allows Full Remote Access


Unless you have been living in an ice cave (hmmm, perhaps I’ve been using that phrase just a tad too often), you already know how vital it is to keep your operating system and applications fully up to date. This is because most updates include security enhancements and patches to vulnerabilities.

But few people give thought to updating the firmware of their routers and modems–and this is perhaps even more important. Because if there is a vulnerability in your router or modem, a bad actor can have full access to your network and all the data that travels along it.

And that has just happened, again.

Microsoft security researchers disclosed vulnerabilities in Netgear router firmware that could let an attacker take over the router remotely.

But this article is not to point the finger at Netgear. These vulnerabilities crop up in almost all software and firmware. This article is about pointing the finger at your modem or router, and asking: when was the last time you verified the firmware is up to date?

Every modem and router – even from the same manufacturer – may have wildly different interfaces to check and update firmware. Because I have a CenturyLink ActionTec modem and an ASUS router on my network, I’ll use them as examples.

CenturyLink Modem

  1. Log on to the modem. In most cases, this is done by opening a browser, then entering the modem IP address. This is often
  2. Select Utilities, or sometimes Advanced or Administration.
  3. In the case of this modem, then select Upgrade Firmware from the sidebar.
  4. Tap Download to download the firmware from the manufacturer to your computer.
  5. Tap Choose File to locate and select the downloaded file.
  6. Tap Upgrade Firmware to upgrade your modem.
  7. In a few minutes, the modem will reboot with the latest and greatest firmware installed.

ASUS Router

  1. As with the CenturyLink modem, open a browser to the IP address of the router. This is often
  2. Log in to the router.
  3. Tap Administration.
  4. Tap Firmware Upgrade. In the case of modern ASUS devices, they have the option to automatically check daily for updates. You can see that I have my Auto Firmware Upgrade switch set to On.

  5. To manually check or to verify, next to the Check Update text, tap Check.
  6. If there is a new firmware available, tap Download.
  7. Once the download completes, tap Upload.
  8. In a few minutes the router will reboot with the latest and greatest firmware.

How Often Do I Need to Check for Firmware Updates?

Your operating system can be configured to check for updates daily. The macOS App Store can be configured to check for application updates automatically. Although Windows doesn’t have a built-in updater for apps acquired from outside the Microsoft Store, there are free automatic updaters available. But your modem and router will require manual checks (unless you have one of the few that automatically update).

I recommend putting this on your monthly tickler file, so that your firmware is never more than a month out of date. Of course, more often wouldn’t hurt 😉

Automatically Protect All Devices From Internet Malware and Adult Content


I just love it when with just a few mouse taps I can add a solid layer of security to all the devices under my roof. It’s just icing on the cake when it’s free!

The Problem

All of the internet-connected devices under your roof need to communicate over the internet in order to function. This includes computers, tablets, smartphones, webcams, smartwatches, smart doorbells, smart thermostats, printers, and more.

With your computers, tablets, and smartphones, you can add a layer of protection against malware by installing quality antimalware software. But what about your printer, smartwatch, doorbell, thermostat… you get the picture. Each of these smart devices is open to a breach, and few offer any option to install or configure security.

The other possible problem is adult content. Should you be a parent that would prefer little Jane and Johnny to not have access to adult content, it can be a full-time job playing content cop.

The Solution

All of your home and business devices reach the internet through your router. Inside the router is a setting specifying which Domain Name System (DNS) resolver the router hands out to your devices (via DHCP), and therefore which resolver they ask to translate a name such as a website address into the IP address the traffic is sent to. If that resolver knows which names host malware or adult content, it can simply refuse to return a real address for them, and the device never reaches the site. One caveat: a device or application with its own hard-coded DNS setting, or a browser using DNS over HTTPS, bypasses the router’s resolver and is not protected by this change.

Lucky you! There are DNS servers with this knowledge, and Cloudflare offers them at no charge.

The How To

If you would like to block known malicious and adult content sites from all of your home and business devices, you just have to change your router’s DNS settings. By default, most routers hand out your internet provider’s DNS servers. You will change those addresses to Cloudflare’s filtering resolvers.

CenturyLink Modem

Every router has a unique interface. In the example below I’m using a CenturyLink Actiontec C3000A.

  1. Log in to the modem. If you aren’t familiar with the process, call your internet provider for instructions.
  2. From the menu bar, select Advanced Setup.
  3. From the sidebar, select DHCP Settings.
  4. In the main area of the page, scroll down to 5. Set the DNS servers allocated with DHCP requests.
  5. From this area, select Custom Servers.
  6. For malware-only protection, set the Primary DNS to, and the Secondary DNS to. For malware and adult content protection, set the Primary DNS to, and the Secondary DNS to.
  7. Tap the Apply button.
  8. Your modem may reboot. The protection will be in place immediately.
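Once the change is in, it is worth confirming from a device behind the router that the filtering resolver is really the one answering. The script below is an added example, not code from the original post or from Cloudflare. Cloudflare publishes 1.1.1.2/1.0.0.2 (malware) and 1.1.1.3/1.0.0.3 (malware plus adult content) as the addresses for this service and answers a blocked name with the address 0.0.0.0; the script builds a raw DNS query, parses the reply, and reports whether the name was blocked. The two replies embedded at the bottom are constructed by hand so the parsing can be exercised offline, and the names and addresses in them are made up; the query_live function sends a real query and needs network access.

```python
"""Verify a filtering DNS resolver is answering, by inspecting its replies.

Added example, not code from the original post or from Cloudflare. The
sample replies at the bottom are built by hand so the parser runs offline;
the names and addresses in them are made up.
"""
from __future__ import annotations

import socket
import struct

# Cloudflare's published addresses for 1.1.1.1 for Families.
MALWARE_ONLY = ("1.1.1.2", "1.0.0.2")
MALWARE_AND_ADULT = ("1.1.1.3", "1.0.0.3")
BLOCK_SENTINEL = "0.0.0.0"   # the A answer these resolvers give for a blocked name


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query for an A record, recursion desired, in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(response: bytes) -> list[str]:
    """Addresses carried by the A records in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", response, 0)
    offset = 12
    for _ in range(qdcount):           # skip the echoed question: name + type + class
        offset = _skip_name(response, offset) + 4
    addrs: list[str] = []
    for _ in range(ancount):
        offset = _skip_name(response, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", response, offset)
        offset += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlen
    return addrs


def classify(response: bytes) -> str:
    """'blocked' when every A answer is the 0.0.0.0 sentinel, 'resolved' when a
    real address came back, 'no-answer' when the reply carries no A record."""
    addrs = parse_a_records(response)
    if not addrs:
        return "no-answer"
    if all(a == BLOCK_SENTINEL for a in addrs):
        return "blocked"
    return "resolved"


def query_live(name: str, resolver: str, timeout: float = 3.0) -> str:
    """Ask a resolver directly over UDP/53 and classify its reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return classify(data)


def _constructed_reply(name: str, addr: str) -> bytes:
    """Hand-built reply: question echoed back, then one A record whose name is
    a pointer (0xC00C) to the question name at offset 12."""
    question = build_query(name)[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + question + answer


# Constructed samples (made-up name and address) of a blocked and a normal reply.
SAMPLE_BLOCKED = _constructed_reply("blocked.example", BLOCK_SENTINEL)
SAMPLE_ALLOWED = _constructed_reply("allowed.example", "203.0.113.10")

if __name__ == "__main__":
    print("blocked sample:", classify(SAMPLE_BLOCKED))   # blocked
    print("allowed sample:", classify(SAMPLE_ALLOWED))   # resolved
```

Querying the same name with query_live against your router’s address and against 1.1.1.3 directly should give the same answer once the DHCP change has reached the device. If the router still returns a real address for a name the filter blocks, the device is probably holding its old DHCP lease and old resolver; renew the lease or reconnect to the Wi-Fi and try again.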

It’s Your Data… Protect It

Most people ignore their cybersecurity and internet privacy because they think it is too difficult or expensive. But what if it was fast, easy, and (almost) free? Our guides have been written by certified experts, with step-by-step illustrated instructions so that even a child can harden your security like a pro.

Visit https://thepracticalparanoid.com for the easiest, most comprehensive cybersecurity and internet privacy guides you can buy. Guaranteed!

80% of Orgs That Paid Ransom Were Hit Again


A new study by Cybereason has found that 80% of organizations that were hit with ransomware and paid to get the decryption key were then hit once again with another ransomware attack.

Approximately 50% of the new attacks were from the original criminals, and 50% were from new criminals.

The study also found that the top two solutions to help prevent a successful attack are security awareness training and security operations.

From my 30+ years of experience, those organizations and individuals that do not implement security awareness training and security operations do so primarily because they believe it is too difficult, time-consuming, or expensive to do so.

That may be true if you have to meet HIPAA, SEC, or Federal Contractor compliance. But the individual, household, and business can successfully implement ransomware, hacking, cybersecurity, and internet privacy defenses in just one day!

The Practical Paranoid Security Essentials DIY books have been walking users with no technical background through securing their computers, tablets, phones, networks, data, and privacy for over eight years. Easy enough for junior high students and my 86-year-old aunt Rose, and comprehensive enough for IT professionals.

The easiest, most comprehensive work of its kind. We even guarantee your satisfaction!

Visit ThePracticalParanoid.com to get your copy of the best-selling cybersecurity guide available.


Secure ALL Your Internet of Things with VPN


Unless you have been living in an ice cave the past few years, you are sure to have heard the term “IoT” or “Internet of Things”. Given all the catastrophes each of us has had to deal with, you would be excused if you haven’t given this topic your attention. After all, we have been in survival mode.

Now that the election is over and you’ve gotten your shots, maybe you can take a few minutes to learn why IoT is vital to your cybersecurity and internet privacy.

What Is IoT?

The Internet of Things (IoT) is anything and everything that has an embedded sensor, software, or other technology for the purpose of connecting and exchanging data with other devices and systems over the internet.

Although you may not know it, you probably have a lot of IoT in your home and office. Items like:

  • Medical equipment (think heart monitors, CPAP machines, even the Help! I’ve fallen and can’t get up alerts).
  • Home automation, perhaps a water leak detector, smart thermostat, remote control lighting.
  • Smartwatch
  • iPhone or Android phone
  • Amazon Echo, Google Home, Apple HomePod, Samsung SmartThings Hub

… And Why Should I Care?

If you are like me, you may be just about cared-out by now. Between politics, climate collapse, pandemics, and discovering a few of my relatives are bat $#!* crazy, it’s getting more difficult by the day to care about new things.

But – you have to trust me on this – giving just a bit of thought to IoT is going to save you an armload of grief down the road.


Because even though you may do your best to secure your computers and mobile devices to help ensure your cybersecurity and internet privacy, few people give thought to securing their IoT. I mean, it’s only a doorbell (or thermostat, or voice-controlled TV, or, or, or…)

All these out-of-sight, out-of-mind devices are connected to your network. And if a criminal gains access to an IoT device, they gain access to your network, and may be able to view all of the data that travels through it – including usernames and passwords – and therefore have access to the keys to your kingdom.

Criminals are focusing attention on your IoT devices because they are often far easier to penetrate than servers, computers, and mobile devices. In fact, many of the older IoT devices (when it comes to technology, older may mean three years old) have no functional security at all!

Give Me an Example

How about:

  • A casino experienced a major data breach when criminals gained access to the network through a smart thermostat used in an aquarium.
  • A security researcher claimed to have reached a United Airlines flight’s control systems from his seat through the in-flight entertainment system.
  • Smart toasters were remotely hacked so they wouldn’t toast any bread the hacker considered unhealthy.
  • Freezers were remotely hacked to automatically shut down when ice cream was detected.
  • The Mirai malware takes over IoT devices such as cameras and DVRs, turning each device into a bot.
  • A car was remotely hacked over the internet, giving the researchers control of the A/C and steering and the ability to turn the engine off.
  • The FDA recalled almost 500,000 pacemakers over fears they could be remotely hacked.

As I’ve said far too often, the list goes on and on, but we both have a life to lead.

But What Can I Do About It?

PLENTY! In fact, so much that I’m writing a book on the subject.

But until that is released, one of the most important things you can do is to connect your IoT devices to the internet via a Virtual Private Network (VPN).

If you have been following me, you already know I think your computer, phone, and tablet should always and only connect to the internet via VPN. This encrypts data between your device and the VPN provider, so nothing on the path in between (your internet provider, a hotspot operator, anyone else on the local network) can read or tamper with it.

Few people do the same for their IoT devices. But that is no different than locking the front door as you leave for vacation, but leaving the back door open.

Very few IoT devices have the ability to do VPN by themselves. No worries! You can configure your router to do the work for you. Keep in mind what the VPN does and does not cover: it protects the device’s traffic in transit, but it does nothing for a device that already has a weak password or unpatched firmware, and a compromised IoT device is still sitting on your network. Changing default passwords, updating firmware, and putting IoT on a separate guest network so it cannot talk to your computers remain worth doing alongside the VPN.

Some Background on VPN for Routers

Not all routers have the ability to work with VPN. So if yours cannot, it is definitely time to replace it. Routers are a relatively low-cost item, and certainly far less costly than a data breach. Think draining your bank account, identity theft, someone buying a home using your ID, unauthorized credit card charges, and more.

I’m fond of ASUS routers. They are a high-quality prosumer product. For my example, I’m using their latest & greatest router, the GT-AXE11000. But they have several less expensive models that work exactly the same.

What needs to be done to secure your home and office IoT is to enable VPN on your router, then configure the router to connect your target devices to that VPN. In the case of my router, I can create up to 16 different concurrent VPN configurations, allowing me to balance security, performance, and apparent geo-location on a device-by-device basis.

To do that you need two things:

  • A VPN account. There are literally thousands of VPN providers available. Most of them throw red flags for me. Many are criminals. I recommend NordVPN. Reasonable cost, allows multiple devices, consistently ethical, and they provide detailed instructions on how to configure many routers to work with their service.
  • A router that can be configured to work with your VPN provider.

Step-By-Step Configure a Router For VPN

  1. Get a VPN account. For this example, I’m using NordVPN.
  2. Get a router that can be configured to work with your VPN provider. For this example, I’m using the ASUS GT-AXE11000.
  3. Open a new browser window to your VPN provider support page. They will have a VPN configuration file to be downloaded for upload to your router. Download the file.
  4. Connect and log in to the router control panel.
  5. In the router control panel, select the VPN tab or section. For my router, VPN is selected from the sidebar.
  6. Select the type of VPN to be used. For my router, the options are VPN Server, VPN Fusion, and Instant Guard. VPN Fusion is what is needed. Most other routers call this VPN Client.
  7. Scroll down to the Server List area. This is where you configure your various VPN setups.
  8. Tap the + button to create a new server.
  9. Tap the VPN protocol you want to use. In most cases this is OpenVPN.
  10. Enter your VPN account credentials.
  11. Tap the Choose File button, then navigate to select the VPN configuration file downloaded from your VPN provider earlier in step 3.
  12. Tap the Upload button to install the VPN configuration file.
  13. Tap the OK button.
  14. Back on the router VPN page, you will see your new configuration listed. Tap the Activate button to enable the use of the configuration.
  15. Scroll down to the Exception List. This is where you assign devices to use the VPN.
  16. Tap the + button. The Create a New Policy window opens. From here you select the target device(s).
  17. Tap the Client Name field. A list of all devices currently connected to the router appears. Select your target device. It will show in the Client Name field, and its IP address shows in the IP Address field.
  18. Tap the Connection Name field, then select the VPN configuration you created earlier.
  19. Tap OK.
  20. The device appears in the Exception List.
  21. Tap the Activate button to enable the device to use VPN.
  22. If you have additional devices you want to be connected to VPN, repeat steps 16-21.
  23. Tap the Apply button to save your work.
  24. The router will save the settings, then reboot.
  25. Once the router is back online, the target device(s) will send their internet traffic through the VPN tunnel, hidden from anyone on the path between your router and the VPN provider.
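Before uploading the configuration file from step 3 (the one the router takes in step 11), it is worth checking what it actually asks the router to do, since that file decides which server the router trusts and which crypto it negotiates. The script below is an added example, not code from the original post, from ASUS, or from any VPN provider. It parses an OpenVPN client profile and flags the settings that matter for the tunnel’s own security: the server certificate being required to carry the server role (remote-cert-tls server), a CA to verify it against, a tls-auth or tls-crypt key on the control channel, and no legacy cipher or digest. Both profiles at the bottom are constructed for the example; vpn.example.net is a made-up host and the certificate and key bodies are placeholders.

```python
"""Audit an OpenVPN client profile before uploading it to the router.

Added example, not the original post's code and not from ASUS or any VPN
provider. Both profiles at the bottom are constructed: vpn.example.net is
a made-up host and the certificate and key bodies are placeholders.
"""
from __future__ import annotations

import re

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "none"}
WEAK_DIGESTS = {"MD5", "SHA1", "none"}
_TAG = re.compile(r"<(/?)([a-z-]+)>")   # inline <ca>, <cert>, <tls-auth> ... blocks


def parse_profile(text: str) -> tuple[dict[str, str], set[str]]:
    """Split an .ovpn into top-level directives and the names of its inline blocks."""
    directives: dict[str, str] = {}
    blocks: set[str] = set()
    current_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tag = _TAG.fullmatch(line)
        if tag:
            if tag.group(1):               # closing tag
                current_block = None
            else:
                current_block = tag.group(2)
                blocks.add(current_block)
            continue
        if current_block:
            continue                       # PEM or key material, not a directive
        key, _, value = line.partition(" ")
        directives[key] = value.strip()
    return directives, blocks


def audit_profile(text: str) -> list[str]:
    """Return findings about the profile; an empty list means it passes."""
    d, blocks = parse_profile(text)
    present = blocks | set(d)              # a key may be inline or given as a file path
    findings: list[str] = []
    if "client" not in d:
        findings.append("not a client profile (missing 'client')")
    if "remote" not in d:
        findings.append("no 'remote' server to connect to")
    if d.get("remote-cert-tls") != "server":
        findings.append("missing 'remote-cert-tls server': any client certificate "
                        "from the same CA could impersonate the server")
    if "ca" not in present:
        findings.append("no CA certificate to verify the server against")
    if not {"tls-auth", "tls-crypt"} & present:
        findings.append("no tls-auth/tls-crypt key: control channel is not authenticated")
    cipher = d.get("cipher")
    if cipher in WEAK_CIPHERS:
        findings.append(f"legacy data cipher {cipher}")
    digest = d.get("auth")
    if digest in WEAK_DIGESTS:
        findings.append(f"weak HMAC digest {digest}")
    return findings


# Constructed profile that passes the checks.
GOOD_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
auth-user-pass
cipher AES-256-GCM
auth SHA256
<ca>
placeholder, not a real certificate
</ca>
key-direction 1
<tls-auth>
placeholder, not a real key
</tls-auth>
"""

# Constructed profile with the problems the audit is meant to catch.
WEAK_PROFILE = """\
client
dev tun
remote vpn.example.net 1194
cipher BF-CBC
auth SHA1
<ca>
placeholder, not a real certificate
</ca>
"""

if __name__ == "__main__":
    for name, profile in (("good", GOOD_PROFILE), ("weak", WEAK_PROFILE)):
        print(name, audit_profile(profile) or ["ok"])
```

Paste the contents of the downloaded .ovpn into audit_profile (or read the file) before step 11. A provider profile that fails the remote-cert-tls or tls-auth/tls-crypt checks is worth a question to the provider’s support before you trust every IoT device’s traffic to it.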

Amazon Set to Share Your Internet With Neighbors – How to Opt Out


Come this Tuesday, June 8, 2021, Amazon will launch the Amazon Sidewalk service. This service for Echo and Ring devices is switched on by default, sharing a slice of your internet bandwidth with other Amazon devices in the neighborhood.

At first glance, this service is a great idea. Share a small slice of your internet bandwidth (80 Kbps, with a 500 MB monthly cap) with nearby Echo and Ring devices that have lost connection with their own home Wi-Fi. For example, if your next-door neighbor’s Ring doorbell loses connection with their Wi-Fi, it can reach the internet through your Echo or Ring acting as a Sidewalk bridge (over Bluetooth Low Energy or a 900 MHz radio link, not by joining your Wi-Fi) for uninterrupted service. Or if a dog wearing a Tile escapes from its yard, as long as the dog is within range of a Sidewalk bridge, the Tile will report the location of the dog.

Add on to this service that it is free to Echo and Ring customers (well, at least initially), and it is a great deal.

However, there are only a few big-tech companies that have proven to handle internet privacy responsibly, and Amazon is not one of them.

The Amazon Sidewalk white paper states that any sensitive data transmitted through Sidewalk is encrypted and that Amazon does not have a way to decrypt the packets. If that is true, they need to start hiring better engineers. Even if it is true, very serious hacks of secure systems are a daily news item.

Perhaps my biggest gripe is that the system is set to automatically opt in. I’ll take this as tacit acknowledgement by Amazon that many, if not most, of its customers would choose to opt out instead.

What You Can Do – Opt-Out

If you have an eligible Echo or Ring device and do nothing, you are automatically part of the Amazon Sidewalk system.

If you prefer to not be a part of the Amazon Sidewalk system, follow these steps:

For Amazon Echo Device Owners

  1. Open your Amazon Alexa App.
  2. Select the More option in the bottom right corner of your screen.
  3. Select Settings > Account Settings > Amazon Sidewalk.
  4. Toggle the Amazon Sidewalk to Disabled.
  5. Close the Amazon Alexa app.

For Amazon Ring Device Owners

  1. Open your Ring app.
  2. Select the 3-line icon to open the menu, then go to Control Center > Amazon Sidewalk.
  3. Toggle the Amazon Sidewalk to Disabled.
  4. Close the Ring app.

Apple’s MagSafe Devices May Affect Pacemakers


As reported in the Journal of the American Heart Association, the MagSafe wireless charging technology used in Apple’s iPhone 12 phones may interfere with cardiac pacemakers and implanted defibrillators.

It was found that the magnet array used in the new iPhones could cause interference when the phone is placed on the skin directly above the implanted device, or within approximately 0.6 inch (1.5 cm) of it. Apple has an advisory stating the iPhone 12 does not pose a greater risk for magnet interference when compared to older generation iPhones.

If you have a pacemaker and use an iPhone 12, discuss the implications with your doctor.


Hiding in Plain Sight: Office 365 Email Encryption and Prevent Forwarding


Although over 1,200,000,000 people use Office 365, very few have discovered the pair of hidden gems. Well, not really hidden, just that very few people ever discover them!

The gems? Built-in email encryption and built-in block of forwarding.

That’s right, instead of spending time researching an email encryption program, then figuring out how it works, if you have an Office 365 account and use Outlook.com, you have both of these features available with just a tap or two.

Send an Encrypted Email from Outlook.com

These gems are only available if you have an Office 365 account and use Outlook.com to send your mail with that account. It won’t work with your Outlook application, nor will it work with other email accounts (such as Gmail) that are linked to your Outlook account.

With those prerequisites out of the way, here is the answer you have been waiting for:

  1. Open a browser to https://outlook.com, then log in with your account.
  2. Create an email. Address the recipient to one of your other email addresses, or if performing this in class, to one of your study partners.
  3. From the toolbar, tap the Encrypt button > Encrypt, or Encrypt & Prevent Forwarding.

  4. Send the email.


When creating an outgoing email with Outlook.com, the user has the option to Encrypt the outgoing email.

On the recipient’s end, any attachments may be downloaded if using Outlook.com, Outlook application for Windows 10, the Outlook mobile app, or the Mail app in Windows 10. If using a different email client, a temporary passcode can be used to download the attachments from the 365 Message Encryption portal. The email itself remains encrypted on Microsoft servers and cannot be downloaded.

Encrypt & Prevent Forwarding

As with the Encrypt option, when selecting Encrypt & Prevent Forwarding, the email remains encrypted on Microsoft servers and cannot be downloaded, copied, or forwarded from the mail client. MS Office file attachments (Excel, PowerPoint, Word) remain encrypted after being downloaded. If these Office files are forwarded to someone else, the other person will not be able to open the encrypted files. Non-MS Office files (PDFs, images, and so on) can be downloaded without encryption and therefore forwarded without issue. Treat Prevent Forwarding as a deterrent rather than a guarantee: it removes the forward, copy, and print actions in supported clients, but a recipient who can read the message can still screenshot or photograph it.

Read an Encrypted Email from Outlook.com

If Using Outlook.com to Read the Email

  1. Open a browser to https://outlook.com, then log in with the account set as the recipient in the previous assignment.
  2. Open the encrypted email. Note that you can open, read, and reply to this encrypted email as you can with unencrypted messages.

If Using Something Other than Outlook.com to Read the Email

  1. Open the email software to the account set as the recipient in the previous assignment.
  2. Open the encrypted email.
  3. You will see a message with instructions for how to read the encrypted message.