How to Stop Business Email Compromise (BEC) Attacks

Business Email Compromise (BEC) is any type of cyber attack using email that in itself does not contain a malicious attachment. Although there are many different BEC attack vectors, the dominant one is spoofing, used in almost 50% of all BEC attacks. In a spoofing attack, the criminal sends an email that appears to be from a high-ranking member of the organization, requesting a transfer of funds.

A few statistics to act as a wake-up call:

  • In a recent survey, 71% of organizations acknowledged experiencing a BEC attack over the past year.
  • The FBI’s Internet Crime Complaint Center reports that in 2020 there were 19,369 BEC complaints, with losses of approximately $1.8 billion.
  • One of the largest BEC losses came to Nikkei, the Japanese media group, in the amount of $29 million.

A BEC attack generally works like this:

  1. The criminal acquires the name and email address of a senior-level executive within an organization.
  2. The criminal sends an email, spoofing the name and email address of this executive, to their executive assistant or the accounting department, requesting that monies be sent to some account outside of the organization.
  3. Because this email appears to be from a senior-level executive, there is often no expenditure authorization policy in place to limit amounts, and no requirement for secondary approvals.
  4. The monies are sent to the requested accounts, which are immediately cashed out by the criminal.

What Can I Do To Help Prevent an Attack

Expenditure Authorization Policies

Although it will likely result in a few bruised egos, and introduce some time delays, it is vital that expenditure authorization policies mandate that any significant financial request, from any member of the organization–even the owner, president, or CEO–must be cleared through a secondary approval process. Even something as simple as a required video call to the requestor could block most of these attacks.

Staff Education

As part of staff continuing cybersecurity and internet privacy training, all staff should be educated on how a BEC attack works, and what the new expenditure authorization policies are.

Technology

The cornerstone of a BEC attack is the ability to send an email that appears to be from a legitimate source. We do have technology that can help stop this from occurring. These go by the terms Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC).

If your eyes just rolled up to the back of your head, I understand, but stay with me.

SPF is an email validation system. It provides a mechanism to authorize servers and services to send email using your domain. This allows a receiving mail server to verify that incoming mail from a specific domain is coming from a host authorized to send that mail. If a criminal sends email to you with spoofed “from” information, your email server can validate or invalidate the authenticity of the incoming email. This prevents email from a forged or spoofed address from reaching an inbox.

DKIM accomplishes much the same as SPF, but from the opposite direction. It provides a mechanism for the receiver to verify that an email claiming to come from a server authorized via SPF to send mail for a specific domain was indeed sent by that server.

DMARC is a configurable policy that determines how to deal with email that has failed the SPF or DKIM validation.

In a nutshell, SPF authorizes a server to send email on behalf of a specific domain, DKIM authenticates the sending server, and DMARC determines what to do with the email if it fails authentication.
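To see how the three fit together on the receiving side, here is an added example (not from the original article or from any mail product) that parses a DMARC record and decides what happens to a message given its SPF and DKIM results. The domains, records, and messages are constructed, and the organizational-domain check is a simplifying assumption noted in the code.

```python
# Added example: how a receiver combines SPF, DKIM and DMARC results.
# All domains, records and messages are constructed for illustration.
#
# The three DNS TXT records for a domain look like this (constructed values):
#   example.com.                  "v=spf1 include:_spf.mailhost.example -all"
#   sel1._domainkey.example.com.  "v=DKIM1; k=rsa; p=<public key>"
#   _dmarc.example.com.           one of the two policies below
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; raise ValueError if invalid."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and the policy tag is mandatory.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    return tags


def org_domain(domain):
    # ASSUMPTION: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List (think example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(msg, record):
    """Return 'pass', or the policy to apply: 'none', 'quarantine', 'reject'."""
    tags = parse_dmarc(record)
    from_dom = msg["from_domain"]  # the address the recipient actually sees
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["mail_from_domain"], from_dom, tags.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(
        msg["dkim_d"], from_dom, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomains use sp= when it is published, otherwise they inherit p=.
    is_subdomain = from_dom.lower() != org_domain(from_dom)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


# Visible From says example.com, but the envelope sender is another domain
# that passes SPF for itself. SPF alone says "pass"; DMARC alignment does not.
SPOOFED = {"from_domain": "example.com", "spf": "pass",
           "mail_from_domain": "bulk.example.net", "dkim": "none", "dkim_d": ""}
# Genuine mail sent through example.com's provider and signed by example.com.
LEGIT = {"from_domain": "example.com", "spf": "pass",
         "mail_from_domain": "bounces.example.com",
         "dkim": "pass", "dkim_d": "example.com"}
# Genuine mail relayed by a forwarder: SPF breaks, the DKIM signature survives.
FORWARDED = {"from_domain": "example.com", "spf": "fail",
             "mail_from_domain": "example.com",
             "dkim": "pass", "dkim_d": "example.com"}

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("legit", LEGIT),
                      ("forwarded", FORWARDED)):
        print(f"{name:10} p=none -> {dmarc_disposition(msg, WEAK):6} "
              f"p=reject -> {dmarc_disposition(msg, ENFORCED)}")
```

A result of "none" means the message is still delivered and only reported, which is why a domain left at p=none gets visibility into spoofing but no protection from it.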

Configuring SPF, DKIM, and DMARC doesn’t require an IT professional. Your email service provider may be willing to set it all up for you. Better yet, do it yourself and be certain it is done properly! The entire step-by-step takes only four pages and less than an hour of your time. Where can you find the steps? They are assignments 13.11.1 through 13.11.4 in any of our current Practical Paranoia Security Essentials books.

Oh! I almost forgot… You can now become master of your cybersecurity and internet privacy even if you wouldn’t know an SSL from a TLS (ok, nerd humor isn’t even funny to other nerds). In just 1 hour a day over 10 days with our Practical Paranoia Online Workshops. If you can tap, double-tap, and save a file, you can quickly and easily secure your computer, tablet, phone, data, and communications using the same steps as used by governments, military, and big business. All you are missing is knowing the how. Lucky for you, we’ve got the know-how to spare, and we will share it all with you in the workshop.

Register by July 31, 2021 and receive 55% discount.

 

Finally, Online, Instructor-Led, Cybersecurity Workshop for Non-IT Users

It doesn’t take an Apple Genius, Google Guru, or Microsoft Engineer to help secure your devices, data, and communications.

If you can tap, double-tap, and save a file, we can walk you step-by-step through ensuring your cybersecurity and internet privacy to industry standards.
 

Register NOW and receive a 55% discount – only $125 for any workshop in August.
https://thepracticalparanoid.com

How Often Should I Change Passwords

There was a time, not so long ago, when most IT administrators mandated that every password for everything be changed every three months.

In my specific case, I currently have 940 passwords in my password vault. That means I would be changing at least 10 passwords every day. And getting very little else accomplished!

Thankfully, someone took a deep breath and gave some time to actual critical thinking about the whole password life span issue. The conclusion? Unless a password has been breached, or you think it could have been breached, no need to change it for…ever.

That is right. According to the current guidelines by most of the major US government IT overlords, you never need to change a password unless it may have been compromised.

But, that answer isn’t really quite that simple.

First, there are plenty of old-school IT administrators in the field who refuse to do their own critical thinking, and insist on mandating password changes every X months. Good luck getting these folks to wake up.

Second, this guideline assumes your password habits are healthy. What are healthy password habits?

  • Every website and service uses a unique password. No password is used more than once.
  • All passwords are strong. “Strong” is defined differently by different standards-setting organizations. But a good generalization is a minimum of 15 characters. A password of 123456789012345 is technically as strong as $g1A7^bY0&qX4%r.
  • No password uses a part of your name, address, phone number, social security number, pet name, or is otherwise guessable.

This is far easier than the old-school rules of:

  • At least 1 upper-case letter
  • At least 1 lower-case letter
  • At least 1 number
  • At least 1 special character
  • At least 1 drop of unicorn blood
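The three healthy habits above can be checked mechanically. The following is an added example (not from the original post, and not how any particular password manager works) that audits a list of vault entries for reuse, length under 15 characters, and embedded personal details. The vault entries and personal terms are constructed.

```python
# Added example: audit vault entries against the three healthy habits.
# Entries and personal terms below are constructed sample data.
from collections import defaultdict

MIN_LENGTH = 15  # the minimum length suggested in the post

# Undo common character swaps so "R0ver" still matches the pet name "Rover".
DELEET = str.maketrans("013457@$", "oleastas")


def alnum(text):
    """Keep only letters and digits, dropping separators and symbols."""
    return "".join(ch for ch in text if ch.isalnum())


def has_personal_info(password, personal_terms):
    """True if any personal term appears in the password, ignoring case,
    punctuation and simple character substitutions."""
    lowered = password.lower()
    views = (alnum(lowered), alnum(lowered.translate(DELEET)))
    for term in personal_terms:
        needle = alnum(term.lower())
        # Skip very short terms; they would match almost anything.
        if len(needle) >= 3 and any(needle in view for view in views):
            return True
    return False


def audit_vault(entries, personal_terms):
    """Return {site: [problems]} for every entry that breaks a habit."""
    sites_by_password = defaultdict(list)
    for site, password in entries:
        sites_by_password[password].append(site)

    findings = {}
    for site, password in entries:
        problems = []
        if len(password) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        others = [s for s in sites_by_password[password] if s != site]
        if others:
            problems.append("reused on " + ", ".join(others))
        if has_personal_info(password, personal_terms):
            problems.append("contains personal information")
        if problems:
            findings[site] = problems
    return findings


# Constructed sample data: (site, password) pairs and the owner's details.
VAULT = [
    ("bank.example", "vK9#pL2$wQ7!zR4&mT6x"),
    ("mail.example", "Summer2021!"),
    ("forum.example", "Summer2021!"),
    ("shop.example", "R0ver-and-Alex-forever!"),
]
PERSONAL = ["Rover", "Alex", "555-0100"]

if __name__ == "__main__":
    for site, problems in audit_vault(VAULT, PERSONAL).items():
        print(f"{site}: {'; '.join(problems)}")
```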

But now you have a trove of passwords, at least 15 characters in length, none of which are rememberable.

What to do?

Use a password manager to do the remembering for you.

If you are a Mac user, macOS, iOS, iPadOS, and Safari work together to remember and autofill your passwords.

If you are a Windows user, Edge will remember and autofill your passwords.

Brave, Firefox, and Chrome also have their own built-in password managers.

However, my recommendation is to use Bitwarden. Bitwarden is a third-party free/for-fee password manager and Multi-factor Authentication utility (free for password management, for-fee to access the MFA). It works with almost all browsers, all OS’s, and across all of your devices. So a password created on my iPhone is immediately available to my Chromebook, Windows PC, MacBook, and Android tablet. For less than what you will find in your couch cushions, you can have peace of mind in the password department.

World peace will take a bit more.

Enroll by July 31 and Save 55%

 

Can Law Enforcement Force You to Unlock Your Computer?

As of Thursday, July 21, 2021, the short answer is YES. As reported by CNN, a federal judge forced January 6, 2021 US Capitol rioter Guy Reffitt to sit in front of his computer to allow face recognition to unlock the computer. The prosecution stated that the computer most likely held video footage of the riot from the helmet cam worn by Reffitt. Whatever your views and politics are regarding the Capitol riots, this is seen as a blow for cybersecurity and internet privacy. Whether or not law enforcement could force a person to unlock their computer or mobile device has long been a hotly contested issue. This federal ruling will add weight to the debate over using face recognition. However, the question over having to enter a password is still in the balance.

What Does This Mean For Me?

I have long recommended to clients that they NOT use biometrics for computer or mobile device log in. My primary reason is that biometrics (Face ID, Touch ID) can be easily circumvented. It now looks like biometrics provide little protection against law enforcement penetration as well.

Stop Being the Victim of:

  • Data Loss

  • Ransomware

  • Malware

  • Hackers

  • Malicious Websites

  • Identity Theft

  • and Stolen Passwords

Take Control of Your Cybersecurity and Internet Privacy

  • Just 1 Hour a Day for 10 Days

  • The Easiest, Fastest, Step-By-Step DIY Course Available

  • Includes the Best Selling Practical Paranoia Security Essentials Workbook and Private Instructor Hours

Starts August 2, 2021

55% Early Registration Discount until September 31

Visit https://thepracticalparanoid.com

How to Have Secure Encrypted Voice, Video, and Text Communications

Surveillance technologies now available–
including the monitoring of virtually all digital information–
have advanced to the point where
much of the essential apparatus of a police state is already in place.
– Al Gore

The manufacturers or developers (such as Apple, Facebook, Google, etc.) and carriers (Verizon, AT&T, etc.) for each party can intercept any traffic that crosses their networks. This interception may extend to any third parties that work with your carrier, such as contractors or subsidiaries. In addition, your local, state, and federal government monitor data in dragnet-style snooping.

How can you communicate easily and securely?

If you are interested in cross-platform, end-to-end encrypted, text, voice and video conferencing solutions, a few options are available.

Wire and Signal are our choices for end-to-end encrypted voice, video, instant messaging, and group communications. Both provide end-to-end encrypted communications between Android, Chrome OS, iOS/iPadOS, macOS, and Windows.

Wire is a for-fee commercial service. It offers a free 30-day trial.

Signal is an independent nonprofit that provides its product and services for free. We use Signal for the rest of this blog.

HIPAA Considerations

HIPAA is concerned about securing Protected Health Information (PHI) from leakage, but at the same time, requires that instant messaging have an audit trail. This requires that all messaging be logged to a centralized server so the log can be reviewed. In addition, HIPAA requires that the vendor be willing to sign a Business Associate Agreement (BAA). As a BAA puts the vendor at a potential liability should their service or software be found responsible for leaking protected health information, you will not find free or inexpensive software that meets HIPAA compliance requirements.

Most readers of this blog want to leave no record of an encrypted conversation, and have no need of a BAA.

If your instant messaging needs include HIPAA compliance (this requires meeting Joint Commission guidelines), then the rest of this blog does not apply to you. I recommend you perform an internet search to find and assess the few options available. Then work with an IT expert to implement your HIPAA-compliant program.

Signal

Signal is a free platform for peer-to-peer (no centralization) and group secure, end-to-end encrypted communications using instant messaging, voice, and video.

Install Signal

In this assignment, you create a Signal account. This account allows you to make fully secure, encrypted instant messaging, voice calls, and video conferences with friends and business associates.

  • Prerequisite: If you wish to use Signal on a Chrome OS, macOS, or Windows computer, you will first need to create a Signal account registered on an Android or iOS mobile device (performed in this assignment).

Download and install Signal onto a mobile device

  1. On your iOS or Android mobile device, open a browser window to https://signal.org.
  2. Tap Get Signal. If using an iOS device, the App Store opens to Signal-Private Messenger. If using an Android device, the Google Play Store opens to Signal-Private Messenger.
  3. Download and Install Signal to your mobile device.
  4. On your mobile device, open the Signal app.
  5. Follow the onscreen instructions to complete the registration process.

Download and install Signal onto a PC 

  1. Open a browser and go to https://signal.org, then tap the Get Signal button.
  2. Open the downloaded installer file and follow the prompts to install the app.
  3. Launch Signal.
  4. Signal displays a QR code.
  5. If using an iOS mobile device, open Signal.app > Signal Settings > Linked devices > Link New Device. If using an Android mobile device, tap the + button.
  6. Use your mobile device to scan the QR code.
  7. Assign a name for your Linked Device, then tap Finish.

Your Signal desktop app is now ready to use!

Invite People to Signal

Before you can communicate with someone else using Signal they must also have a Signal account.

In this assignment, you invite someone to install Signal and create an account.

  • Prerequisite: Access to your mobile device with Signal installed.
  1. Open Signal on your phone (invitations do not yet work with Signal Desktop.)
  2. Tap your profile picture in the top left corner > Invite Your Friends.
  3. Select to send either a Message or
  4. A list of all your phone contacts appears. Select the target contact(s), then tap
  5. A new email message is created with each of your target contacts listed in the Bcc field, with a link to download Signal on their phone.
  6. Customize the email to your taste, then tap the Send button.
  7. Once your target contacts have installed Signal on their phone, you receive a text from Signal that they have joined, and their name appears in your Signal Contacts.

Secure Instant Message with Signal

In this assignment, you instant message your new Signal friend.

  1. Open Signal (for this assignment, on your computer.)
  2. From the sidebar, select the desired Contact.
  3. In the main body area of the Signal window, at the bottom in the Send A Message field, enter a text message for your contact, then tap the Return key. The message is sent to your contact and received in seconds.

Secure Voice or Video Call with Signal

In this assignment, you make a secure, encrypted voice call to a Signal friend.

  1. Open Signal.
  2. Select a Signal contact to call.
  3. In the top right corner of the Signal window, tap either the phone or the video icon.
  4. Tap the Start Call button.
  5. On your friend’s Signal device, they hear their device ringing, and an Incoming Call message appears. If they wish to answer, they tap the Signal Phone icon.
  6. The two of you can now speak in complete privacy (even better than Maxwell Smart’s Cone of Silence).

 

How to Run Windows 11 on Apple silicon Mac

If you are a Mac user, but also need to run Windows, there are several easy ways to do it all on one machine.

However, if you are on an Apple silicon (M1) Mac and want to run Windows 11, so far the path has hit a brick wall. Parallels promises to have a version out when they have mastered how to do it. But what if you just… can’t… wait?!

I may just have the magical codes to deliver.

My thanks to ytechb.com for most of the pointers.

WARNING: Windows 11 is still in beta/preview development. This is not stable software (oh, hell. When is Windows all that stable anyhow?)

WARNING: These steps require making changes to your registry. This is not something to be taken lightly. However, the changes are minor.

PREREQUISITES:

  • An Apple silicon Mac with all current updates.
  • At least 22 GB free space on your boot drive.
  • Parallels (current version).
  • Internet connection.
  1. Download and install Parallels from https://parallels.com.
  2. Download and install Windows 10 Insider Preview from https://insider.windows.com/en-us/
  3. From Parallels, install the Windows 10 Insider Preview.
  4. Run Windows Update to verify you have the latest version of Windows 10 Insider Preview installed. Normally, this is as far as you can currently go with updates, as Windows 11 Insider Preview will not install on an Apple silicon Mac. But there are two brick walls we are going to go through like they were butter.
  5. Open the Windows Registry Editor, then go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > WindowsSelfHost > UI > Selection.
  6. Double-tap on UIBranch, then change the value to Dev.
  7. In Registry Editor, go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > WindowsSelfHost > Applicability.
  8. Double-tap on BranchName, then change the value to Dev.
  9. Close Registry Editor.
  10. Restart Windows.
  11. Go to Windows Update Settings > Check for Updates.
  12. The Windows 11 Insider Preview will be seen as available.
  13. Tap the button to download the Windows 11 Insider Preview.
  14. The download will start, but will soon pop-up an error message that Windows 11 cannot be installed as there is no TPM 2 chip found (Macs do not have a TPM chip, although they have their own hardware security chip in use).
  15. Don’t close the error message.
  16. Open File Explorer, then search for AppraiserRes.dll.
  17. When AppraiserRes.dll is found, open the parent folder, drag AppraiserRes.dll to the desktop, then delete the found AppraiserRes.dll. KEEP THIS PARENT FOLDER OPEN.
  18. Go back to the error message and click Continue.
  19. In the Windows Update window, tap the Fix issues button. The Windows 11 installer will continue downloading.
  20. An Almost Ready message will appear. You can close it.
  21. Once the download has progressed past the point it had stopped earlier (probably around 10%), you can drag and drop the AppraiserRes.dll back into the folder in which it was found.
  22. When download has completed, an alert will prompt to Restart Now. Tap this button to restart.
  23. Once restarted, Windows 11 will continue to install.
  24. When back to the desktop, return to Windows Update Settings > Check for Updates, and check for additional updates.
  25. When the updates download, you are done, and have Windows 11 Insider Preview waiting to be used.

 

July 4th – Biggest Announcement EVER from The Practical Paranoid

On the Fourth of July, Americans celebrate independence, declaring we are no longer subject and subordinate to the monarch of Britain.

But today we are subject to greater tyranny through constant internet surveillance and breach of our online privacy. We are at the mercy of our government, Facebook, Google, cyber criminals, and other bad actors intent on knowing, seeing, and recording our every digital nanosecond.

Time for an updated Independence Day.

I’m Marc Mintz, Project Director for The Practical Paranoid (TPP).

TPP and I have worked to enlighten the public that it does not take an Apple Genius, Google Guru, or a Microsoft Engineer to secure your systems, data, and communications. Almost everything the government and big business do to ensure their cybersecurity and internet privacy can be done for you, by YOU, for less than what we spend on coffee. And in just a few hours.

Our Practical Paranoia Security Essentials books have been showing non-technical users how to do this for over eight years.

The number one comment we receive from buyers of Practical Paranoia Security Essentials books is how surprised they are at how fast and easy it was to secure their phone, text, email, browsing, and entire digital life.

Yay!

The second most common comment from buyers is how intimidating Practical Paranoia books appear. Some buyers never jump into using a book after they purchase it.

Ouch!

With the release of five new operating systems this year – Android 12, Chrome OS, iOS 15, macOS 12, and Windows 11 – we needed to remove the intimidation factor so that everyone could learn how to protect their data, communications, and privacy. And we did it.

Announcing five brand-new Practical Paranoia Security Essentials Online Workshops that cover all the new OS products.

Protecting your digital life is as important as locking your home and carrying a driver’s license.

There are three paths to cybersecurity and internet privacy:

  1. You can pay a certified cybersecurity professional to do all the work that you will do in a TPP workshop. But pros cost $1,000-$4,000.
  2. You can buy the Practical Paranoia book and DIY for only $64.95. But you would have done it already if it weren’t for that pesky intimidation factor.
  3. Now you can do the work on your own–but with an industry leader guiding you in a workshop– the only workshop of its kind available anywhere at any price.

Think you don’t have the skills or background knowledge to do your own cybersecurity? We designed each workshop for the non-technical computer, tablet, and smartphone user. If you can tap, double-tap, and save a file, this course was made for you!

Each OS workshop consists of:

  • A series of 7 to 10 one-hour classes on Zoom
  • A copy of the latest best-selling TPP book, a $64.95 value
  • Our August beta workshops will be presented live by an industry expert who has taught technology courses internationally
  • Each class is recorded for students to access if they miss the live session
  • Easy hands-on assignments to harden your security and privacy to industry standards
  • AND Private Instructor Hours via Zoom to help you over any rough patches

The Practical Paranoia Security Essentials Online Workshops are only $275. And, it gets even better!

If you register for any of our first beta workshops in August 2021, your cost is only $125 for any workshop. Registration for beta workshops is limited and will close quickly.

Protecting you, your family, and your business cybersecurity and internet privacy is fast, easy, and inexpensive. You may even have fun doing it!

Visit https://thepracticalparanoid.com for more information and to register for a one-of-a-kind experience.

5.8 Million Android Apps Installed Steal Users’ Facebook Credentials

Nine Android apps with combined downloads of over 5.8 million have been removed from the Google Play Store for stealing users’ Facebook credentials.

The apps are:

  • PIP Photo
  • Processing Photo
  • Rubbish Cleaner
  • Horoscope Daily
  • Inwell Fitness
  • App Lock Keep
  • Lockit Master
  • Horoscope Pi
  • App Lock Manager

These fully functional apps performed their theft by requesting users to log into their Facebook account in order to disable in-app ads.

As a general cybersecurity and internet privacy guideline, never log in to one account in order to access another account or features of another account. The most common example of this is when a newly installed app requires creating a user account, and gives the option of creating an account on the app site, or using your existing Google account to log in.

What To Do If I’ve Installed One of These Apps?

  1. Uninstall the app.
  2. Change your Facebook password.
  3. If you do not already have it, enable two-factor authentication with Facebook.

You Know You Need Cybersecurity and Internet Privacy for Yourself, Your Family, and Your Business, But:

  • I can’t afford to hire a qualified cybersecurity professional.
  • I’ve bought the DIY books, but they are too intimidating.
  • I don’t have the time to DIY, and besides, even if I did find the time, who would help guide me when I get confused.

Announcing Practical Paranoia Security Essentials Online Workshops

  • Designed for the new to average user
  • Workshops available for Android, Chrome OS, iOS/iPadOS, macOS, and Windows
  • Each Zoom workshop is presented by a certified industry leader
  • Quick and easy one-hour classes cover the entire best-selling Practical Paranoia Security Essentials book
  • Includes private one-on-one instructor time should you have questions
  • Includes the Practical Paranoia Security Essentials book ($64.95 value)
  • If you can tap, double-tap, and save a file, this course is made for you!
  • New beta workshops with limited seating available at over 50% discount–only $125

For more information and to register, visit https://thepracticalparanoid.com/

Netgear Router Bug Allows Full Remote Access

Unless you have been living in an ice cave (hmmm, perhaps I’ve been using that phrase just a tad too often), you already know how vital it is to keep your operating system and applications fully up to date. This is because most updates include security enhancements and patches to vulnerabilities.

But few people give thought to updating the firmware of their routers and modems–and this is perhaps even more important. Because if there is a vulnerability in your router or modem, a bad actor can have full access to your network and all the data that travels along it.

And that has just happened, again.

Microsoft discovered a bug in Netgear router firmware that could give the bad actor access.

But this article is not to point the finger at Netgear. These vulnerabilities crop up in almost all software and firmware. This article is about pointing the finger at your modem or router, and asking: when was the last time you verified the firmware is up to date?

Every modem and router – even from the same manufacturer – may have wildly different interfaces to check and update firmware. Because I have a CenturyLink ActionTec modem and an ASUS router on my network, I’ll use them as examples.

CenturyLink Modem

  1. Log on to the modem. In most cases, this is done by opening a browser, then entering the modem IP address. This is often 192.168.0.1.
  2. Select Utilities, or sometimes Advanced or Administration.
  3. In the case of this modem, then select Upgrade Firmware from the sidebar.
  4. Tap Download to download the firmware from the manufacturer to your computer.
  5. Tap Choose File to locate and select the downloaded file.
  6. Tap Upgrade Firmware to upgrade your modem.
  7. In a few minutes, the modem will reboot with the latest and greatest firmware installed.

ASUS Router

  1. As with the CenturyLink modem, open a browser to the IP address of the router. This is often 192.168.0.1.
  2. Log in to the router.
  3. Tap Administration.
  4. Tap Firmware Upgrade. In the case of modern ASUS devices, they have the option to automatically check daily for updates. You can see that I have my Auto Firmware Upgrade switch set to On.

  5. To manually check or to verify, next to the Check Update text, tap Check.
  6. If there is a new firmware available, tap Download.
  7. Once the download completes, tap Upload.
  8. In a few minutes the router will reboot with the latest and greatest firmware.

How Often Do I Need to Check for Firmware Updates?

Your operating system can be configured to auto-check daily. The macOS App Store can be configured to check for application updates constantly. Although Windows doesn’t have a built-in updater for apps acquired from sources other than the Microsoft Store, there are free automatic updaters available. But your modem and router will require manual checks (unless you have one of the few that automatically updates).

I recommend putting this on your monthly tickler file, so that your firmware is never more than a month out of date. Of course, more often wouldn’t hurt 😉


Automatically Protect All Devices From Internet Malware and Adult Content

I just love it when with just a few mouse taps I can add a solid layer of security to all the devices under my roof. It’s just icing on the cake when it’s free!

The Problem

All of the internet-connected devices under your roof need to communicate over the internet in order to function. This includes computers, tablets, smartphones, webcams, smartwatches, smart doorbells, smart thermostats, printers, and more.

With your computers, tablets, and smartphones, you can add a layer of protection against malware by installing quality antimalware software. But what about your printer, smartwatch, doorbell, thermostat… you get the picture. Each of these smart devices is open to a breach, and few offer any option to install or configure security.

The other possible problem is adult content. Should you be a parent that would prefer little Jane and Johnny to not have access to adult content, it can be a full-time job playing content cop.

The Solution

All of your home and business devices must connect to the internet through your router. Inside each router is a setting specifying which Domain Name System (DNS) server the router will use to learn where to direct this internet traffic. If a DNS server was knowledgeable about which web addresses held malware or adult content, the DNS server could pass this info along to the router, blocking access to these sites.

Lucky you! There are DNS servers with this knowledge, and Cloudflare offers them at no charge.

The How To

If you would like to block known malicious and adult content sites from all of your home and business devices, you just have to change your router DNS settings. By default, most routers use your internet provider’s DNS servers. You will change these IP addresses to those of Cloudflare.

CenturyLink Modem

Every router has a unique interface. In the example below I’m using a CenturyLink Actiontec C3000A.

  1. Log in to the modem. If you aren’t familiar with the process, call your internet provider for instructions.
  2. From the menu bar, select Advanced Setup.
  3. From the sidebar, select DHCP Settings.
  4. In the main area of the page, scroll down to 5. Set the DNS servers allocated with DHCP requests.
  5. From this area, select Custom Servers.
  6. For malware-only protection, set the Primary DNS to 1.1.1.2, and Secondary DNS to 1.0.0.2. For malware and adult content protection, set the Primary DNS to 1.1.1.3, and Secondary DNS to 1.0.0.3.
  7. Tap the Apply button.
  8. Your modem may reboot. The protection will be in place immediately.

It’s Your Data… Protect It

Most people ignore their cybersecurity and internet privacy because they think it is too difficult or expensive. But what if it was fast, easy, and (almost) free? Our guides have been written by certified experts, with step-by-step illustrated instructions so that even a child can harden your security like a pro.

Visit https://thepracticalparanoid.com for the easiest, most comprehensive cybersecurity and internet privacy guides you can buy. Guaranteed!

80% of Orgs That Paid Ransom Were Hit Again

A new study by Cybereason has found that 80% of organizations that were hit with ransomware and paid to get the decryption key were then hit once again with another ransomware attack.

Approximately 50% of the new attacks were from the original criminals, and 50% were from new criminals.

The study also found that the top two solutions to help prevent a successful attack are security awareness training and security operations.

From my 30+ years of experience, those organizations and individuals that do not implement security awareness training and security operations do so primarily because they believe it is too difficult, time-consuming, or expensive to do so.

That may be true if you have to meet HIPAA, SEC, or Federal Contractor compliance. But the individual, household, and business can successfully implement ransomware, hacking, cybersecurity, and internet privacy defenses in just one day!

The Practical Paranoid Security Essentials DIY books have been walking users with no technical background through securing their computers, tablets, phones, networks, data, and privacy for over eight years. Easy enough for junior high students and my 86-year-old aunt Rose, and comprehensive enough for IT professionals.

The easiest, most comprehensive work of its kind. We even guarantee your satisfaction!

Visit ThePracticalParanoid.com to get your copy of the best-selling cybersecurity guide available.

Secure ALL Your Internet of Things with VPN

Unless you have been living in an ice cave the past few years, you are sure to have heard the term “IoT” or “Internet of Things”. Given all the catastrophes each of us has had to deal with, you would be excused if you haven’t given this topic your attention. After all, we have been in survival mode.

Now that the election is over and you’ve gotten your shots, maybe you can take a few minutes to learn why IoT is vital to your cybersecurity and internet privacy.

What Is IoT?

The Internet of Things (IoT) is anything and everything that has an embedded sensor, software, or other technology for the purpose of connecting and exchanging data with other devices and systems over the internet.

Although you may not know it, you probably have a lot of IoT in your home and office. Items like:

  • Medical equipment (think heart monitors, CPAP machines, even the “Help! I’ve fallen and can’t get up” alerts).
  • Home automation, perhaps a water leak detector, smart thermostat, remote control lighting.
  • Smartwatch
  • iPhone or Android phone
  • Amazon Echo, Google Home, Apple HomePod, Samsung SmartThings Hub

… And Why Should I Care?

If you are like me, you may be just about cared-out by now. Between politics, climate collapse, pandemics, and discovering a few of my relatives are bat $#!* crazy, it’s getting more difficult by the day to care about new things.

But – you have to trust me on this – giving just a bit of thought to IoT is going to save you an armload of grief down the road.

Why?

Because even though you may do your best to secure your computers and mobile devices to help ensure your cybersecurity and internet privacy, few people give thought to securing their IoT. I mean, it’s only a doorbell (or thermostat, or voice-controlled TV, or, or, or…)

All these out-of-sight, out-of-mind devices are connected to your network. And if a criminal gains access to an IoT device, they gain access to your network, and may be able to view all of the data that travels through it – including usernames and passwords – and therefore have access to the keys to your kingdom.

Criminals are focusing attention on your IoT devices because they are often far easier to penetrate than servers, computers, and mobile devices. In fact, many of the older IoT devices (when it comes to technology, older may mean three years old) have no functional security at all!

Give Me an Example

How about:

  • A casino experienced a major data breach when criminals gained access to the network through a smart thermostat used in an aquarium.
  • A United Airlines flight was commandeered by a passenger who hacked the flight control system through the entertainment system.
  • Smart toasters were remotely hacked so they wouldn’t toast any bread the hacker considered unhealthy.
  • Freezers were remotely hacked to automatically shut down when ice cream was detected.
  • The Mirai malware takes over IoT devices such as cameras and monitors, turning the device into a bot.
  • A car was remotely hacked over the internet giving the hacker full access to the A/C, steering, and turning the engine off.
  • The FDA recalled almost 500,000 pacemakers over fears they could be remotely hacked.

As I’ve said far too often, the list goes on and on, but we both have a life to lead.

But What Can I Do About It?

PLENTY! In fact, so much that I’m writing a book on the subject.

But until that is released, one of the most important things you can do is to connect your IoT devices to the internet via a Virtual Private Network (VPN).

If you have been following me, you already know I think your computer, phone, and tablet should always and only connect to the internet via VPN. This encrypts data between your device and the VPN server.

Few people do the same for their IoT devices. But that is no different than locking the front door as you leave for vacation, but leaving the backdoor open.

Very few IoT devices have the ability to do VPN by themselves. No worries! You can configure your router to do the work for you.

Some Background on VPN for Routers

Not all routers have the ability to work with VPN. So if yours cannot, it is definitely time to replace it. Routers are a relatively low-cost item, and certainly far less costly than a data breach. Think draining your bank account, identity theft, someone buying a home using your ID, unauthorized credit card charges, and more.

I’m fond of ASUS routers. They are a high-quality prosumer product. For my example, I’m using their latest & greatest router, the GT-AXE11000. But they have several less expensive models that work exactly the same.

What needs to be done to secure your home and office IoT is to enable VPN on your router, then configure the router to connect your target devices to that VPN. In the case of my router, I can create up to 16 different concurrent VPN configurations, allowing me to balance security, performance, and apparent geo-location on a device-by-device basis.

Prerequisites:

  • A VPN account. There are literally thousands of VPN providers available. Most of them throw red flags for me. Many are criminals. I recommend NordVPN. Reasonable cost, allows multiple devices, consistently ethical, and they provide detailed instructions on how to configure many routers to work with their service.
  • A router that can be configured to work with your VPN provider.

Step-By-Step Configure a Router For VPN

  1. Get a VPN account. For this example, I’m using NordVPN.
  2. Get a router that can be configured to work with your VPN provider. For this example, I’m using the ASUS GT-AXE11000.
  3. Open a new browser window to your VPN provider support page. They will have a VPN configuration file to be downloaded for upload to your router. Download the file.
  4. Connect and log in to the router control panel.
  5. In the router control panel, select the VPN tab or section. For my router, VPN is selected from the sidebar.
  6. Select the type of VPN to be used. For my router, the options are VPN Server, VPN Fusion, and Instant Guard. VPN Fusion is what is needed. Most other routers call this VPN Client.
  7. Scroll down to the Server List area. This is where you configure your various VPN setups.
  8. Tap the + button to create a new server.
  9. Tap the VPN protocol you want to use. In most cases this is OpenVPN.
  10. Enter your VPN account credentials.
  11. Tap the Choose File button, then navigate to select the VPN configuration file downloaded from your VPN provider earlier in step 3.
  12. Tap the Upload button to install the VPN configuration file.
  13. Tap the OK button.
  14. Back on the router VPN page, you will see your new configuration listed. Tap the Activate button to enable the use of the configuration.
  15. Scroll down to the Exception List. This is where you assign devices to use VPN.
  16. Tap the + button. The Create a New Policy window opens. From here you select the target device(s).
  17. Tap the Client Name field. A list of all devices currently connected to the router appears. Select your target device. It will show in the Client Name field, and its IP address shows in the IP Address field.
  18. Tap the Connection Name field, then select the VPN configuration you created earlier.
  19. Tap OK.
  20. The device appears in the Exception List.
  21. Tap the Activate button to enable the device to use VPN.
  22. If you have additional devices you want to be connected to VPN, repeat steps 16-21.
  23. Tap the Apply button to save your work.
  24. The router will save the settings, then reboot.
  25. Once the router is back online, the target device(s) will be connected via VPN, secure from prying eyes.
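
Before uploading the provider's configuration file in steps 11 and 12, it is worth reading what it tells the router to do. The script below, an added example rather than anything supplied by a VPN provider or router vendor, parses an OpenVPN client file and flags settings that weaken the tunnel; both sample files are constructed and vpn.example.net is a placeholder.

```python
import re

WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc", "cast5-cbc", "rc2-cbc"}
LEGACY_AUTH = {"none", "md5"}
SCRIPT_HOOKS = {"up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify"}

# Constructed samples, not a real provider file; vpn.example.net is a placeholder.
WEAK_SAMPLE = """\
remote vpn.example.net 1194 udp
cipher BF-CBC
auth MD5
comp-lzo
script-security 2
up /tmp/up.sh
<ca>
(certificate omitted in this constructed sample)
</ca>
"""
GOOD_SAMPLE = """\
remote vpn.example.net 1194 udp
cipher AES-256-GCM
auth SHA512
remote-cert-tls server
comp-lzo no
<ca>
(certificate omitted in this constructed sample)
</ca>
"""

def parse_ovpn(text):
    """Return ({directive: [argument lists]}, {inline block names})."""
    directives, blocks, inside = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:                        # skip certificate and key material
            if line == f"</{inside}>":
                inside = None
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            inside = tag.group(1)
            blocks.add(inside)
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives, blocks

def audit(text):
    """Return findings for one client configuration, in a fixed order."""
    d, blocks = parse_ovpn(text)
    first = lambda name: [a[0].lower() for a in d.get(name, []) if a]
    out = []
    if "ca" not in d and "ca" not in blocks:
        out.append("no CA certificate to validate the server")
    if "server" not in first("remote-cert-tls") and "verify-x509-name" not in d:
        out.append("server certificate role/name is not checked")
    # 64-bit block ciphers are exposed to SWEET32; "none" disables encryption.
    out += [f"weak cipher {c}" for c in first("cipher") if c in WEAK_CIPHERS]
    out += [f"legacy auth digest {a}" for a in first("auth") if a in LEGACY_AUTH]
    # Compression inside an encrypted tunnel can leak plaintext (VORACLE).
    lzo_on = any(not a or a[0].lower() != "no" for a in d.get("comp-lzo", []))
    if lzo_on or any(a not in ("stub", "stub-v2") for a in first("compress")):
        out.append("compression enabled")
    scripts = any(a.isdigit() and int(a) >= 2 for a in first("script-security"))
    if scripts or SCRIPT_HOOKS & d.keys():
        out.append("configuration can run external scripts")
    return out

if __name__ == "__main__":
    print({"weak": audit(WEAK_SAMPLE), "good": audit(GOOD_SAMPLE)})
```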

Amazon Set to Share Your Internet With Neighbors – How to Opt Out

Come this Tuesday, June 8, 2021, Amazon will launch the Amazon Sidewalk service. This service for Echo and Ring devices automatically opts you in to sharing your internet bandwidth with other Amazon devices in the neighborhood.

At first glance, this service is a great idea. Share a small slice of your internet bandwidth – 80Kb/s and a 500Mb monthly cap – with other Echo and Ring devices that have lost connection with their home wi-fi. For example, if your next-door neighbor’s Ring doorbell loses connection with their home wi-fi, the doorbell will automatically connect through your home wi-fi for uninterrupted service. Or if a dog wearing a Tile escapes from their yard, as long as the dog is within range of a network using Amazon Sidewalk, the Tile will accurately report the location of the dog.

Add on to this service that it is free to Echo and Ring customers (well, at least initially), and it is a great deal.

However, there are only a few big-tech companies that have proven to handle internet privacy responsibly, and Amazon is not one of them.

The Amazon Sidewalk white paper states that any sensitive data transmitted through Sidewalk is encrypted and that Amazon does not have a way to decrypt the packets. If that is true, they need to start hiring better engineers. Even if it is true, very serious hacks of secure systems are a daily news item.

Perhaps my biggest gripe is that the system is set to automatically opt-in. I’ll take this as tacit acknowledgement by Amazon that many/most of its customers would choose to opt-out instead.

What You Can Do – Opt-Out

If you have an eligible Echo or Ring device and do nothing, you are automatically part of the Amazon Sidewalk system.

If you prefer to not be a part of the Amazon Sidewalk system, follow these steps:

For Amazon Echo Device Owners

  1. Open your Amazon Alexa App.
  2. Select the More option in the bottom right corner of your screen.
  3. Select Settings > Account Settings > Amazon Sidewalk.
  4. Toggle the Amazon Sidewalk to Disabled.
  5. Close the Amazon Alexa app.

For Amazon Ring Device Owners

  1. Open your Ring app.
  2. Select the 3-line icon to open the menu, then go to Control Center > Amazon Sidewalk.
  3. Toggle the Amazon Sidewalk to Disabled.
  4. Close the Ring app.

Apple’s MagSafe Devices May Affect Pacemakers

As reported in the Journal of the American Heart Association, the MagSafe wireless charging technology used in Apple’s latest iPhone 12 phones may interfere with cardiac pacemakers.

It was found that the additional magnet used in the new iPhones could cause interference when placed on the skin directly above the pacemaker, or approximately within 0.6″ of the pacemaker. Apple has an advisory stating the iPhone 12 does not pose a greater risk for magnet interference when compared to older generation iPhones.

If you have a pacemaker and use an iPhone 12, discuss the implications with your doctor.

Hiding in Plain Sight: Office 365 Email Encryption and Prevent Forwarding

Although over 1,200,000,000 people use Office 365, very few have discovered the pair of hidden gems. Well, not really hidden, just that very few people ever discover them!

The gems? Built-in email encryption and built-in block of forwarding.

That’s right, instead of spending time researching for an email encryption program, then figuring out how it works, if you have an Office 365 account with Outlook.com, you have both these features available with just a tap or two.

Send an Encrypted Email from Outlook.com

These gems are only available if you have an Office 365 account and use Outlook.com to send your mail with that account. It won’t work with your Outlook application, nor will it work with other email accounts (such as Gmail) that are linked to your Outlook account.

With those prerequisites out of the way, here is the answer you have been waiting for:

  1. Open a browser to https://outlook.com, then log in with your account.
  2. Create an email. Address the recipient to one of your other email addresses, or if performing this in class, to one of your study partners.
  3. From the toolbar, tap the Encrypt button > Encrypt, or Encrypt & Prevent Forwarding.
  4. Send the email.

Encrypt

When creating an outgoing email with Outlook.com, the user has the option to Encrypt the outgoing email.

On the recipient’s end, any attachments may be downloaded if using Outlook.com, Outlook application for Windows 10, the Outlook mobile app, or the Mail app in Windows 10. If using a different email client, a temporary passcode can be used to download the attachments from the 365 Message Encryption portal. The email itself remains encrypted on Microsoft servers and cannot be downloaded.

Encrypt & Prevent Forwarding

As with the Encrypt option, when selecting Encrypt & Prevent Forwarding, the email remains encrypted on Microsoft servers and cannot be downloaded, copied, or forwarded. MS Office file attachments (Excel, PowerPoint, Word) remain encrypted after being downloaded. If these Office files are forwarded to someone else, the other person will not be able to open the encrypted files. Non-MS Office files can be downloaded without encryption and therefore forwarded without issue.

Read an Encrypted Email from Outlook.com

If Using Outlook.com to Read the Email

  1. Open a browser to https://outlook.com, then log in with the account set as the recipient in the previous assignment.
  2. Open the encrypted email. Note that you can open, read, and reply to this encrypted email as you can with unencrypted messages.

If Using Something Other than Outlook.com to Read the Email

  1. Open the email software to the account set as the recipient in the previous assignment.
  2. Open the encrypted email.
  3. You will see a message with instructions for how to read the encrypted message.

Google (Finally) Blocking Access to Android Advertising IDs

Well, maybe not Finally, but sometime in late 2021…

As reported in The Verge, advertising IDs are associated with every Android and iOS device. Each is a unique identifier that links that device to web activity. It is primarily used to track your likes and dislikes and build a trusted profile of who you are.

Not something you or I ever agreed to or want.

Although Android devices have long been able to opt-out of personalized ads (Settings > Google > Ads > Opt-Out), it doesn’t really stop developers from accessing and using your advertising ID (thank you for the transparency, Google).

Google support now states true opt-out will arrive in late 2021 for new Android 12 devices, and then roll out to all devices with Google Play in early 2022.

Apple iOS and iPadOS have a similar setting, but instead of being an option to opt-out, it is set to automatically opt-out, with the option to opt-in.

What You Can Do

For over eight years, Practical Paranoia Security Essentials have been the best-selling, easiest, and most comprehensive DIY guides to ensuring your, your family’s, and your business’s cybersecurity and internet privacy, with illustrated step-by-step instructions for every aspect of security.

Paperback available from Amazon and all fine booksellers.

Kindle available from Amazon.

Live! pdf version available from The Practical Paranoid.

Practical Paranoia macOS 11 Security Essentials Version 5.0.2 Released

The best-selling, easiest, and most comprehensive cybersecurity and internet privacy DIY book series for home and business has just released version 5.0.2 for macOS 11.

This includes all updates relevant to macOS 11.4 plus the major changes for performing encrypted bootable clone backups.

How to Update

As with all Practical Paranoia books, the Live! version (pdf) is available immediately. If you have purchased the Live! version, it will automatically open to the new version.

The paperback and Kindle versions will be available on June 5, 2021. To receive your free Kindle update, delete the currently installed version of the book from your Kindle device, and then download it from your Kindle library.

How to Purchase

If you don’t already have a copy of Practical Paranoia Security Essentials for Android, Chromebook, iOS, macOS, or Windows, you can purchase from:

Paperback is available from Amazon and all fine booksellers.

Kindle is available from Amazon. Updates are always free.

Live! is available direct from The Practical Paranoid, LLC. Updates are always free and automatic.

New macOS Malware Breaks Apple Security To Take Photos

New spyware has been discovered that can bypass the built-in macOS security and privacy feature called Transparency, Consent, and Control (TCC). This is the feature that alerts the user when an app tries to do something that may impact the user’s privacy–such as recording keystrokes or taking a photo–asking for user permission before the action can take place. This malware is able to hijack other apps’ permissions to be used as its own authorization.

As an example, the malware could hook into Zoom, which had previously been granted permission to perform screen recording, to then allow the malware to record the user’s screen, and then send the recording to the malware developer.

What You Can Do About This Issue

This vulnerability has been fixed in macOS 11.4.

  1. On your Mac, open Apple menu > About This Mac.
  2. If your macOS version is 11.4, you are safe from this vulnerability and can stop here. If your macOS version is NOT 11.4, continue…
  3. On your Mac, open Apple menu > System Preferences > Software Update.
  4. Tap the Update Now button.
  5. Follow the onscreen instructions to download and install macOS 11.4.

More Reasons to Ditch Your Browser Extensions

As reported today, May 26, 2021, in The Record, in a paper presented at the MADWeb workshop at the NDSS 2021 security conference, researchers from the CISPA Helmholtz Center for Information Security analyzed 186,434 Chrome browser extensions, finding 2,485 that disabled at least one security header used by the top 100 most popular websites.

Security headers are part of a server’s response to a browser request, and allow site administrators to enable security features inside the browser or other client applications. The most common security headers include the ability to have a site work via an encrypted HTTPS connection, protecting users from cross-site scripting attacks, and ensuring that code running inside iframes can’t steal browser data.

What We Can Do About The Issue

Unfortunately, the list of culprit extensions is not included in the report, nor was any significant work performed on Firefox extensions. However, this serves as a solid reminder to keep browser extensions to the bare minimum.

  1. Open your browser to the Extensions page.
  2. Research each found extension.
  3. If the extension is from a suspect developer or does not provide essential services to you, delete the extension.
  4. Repeat for each browser in use.

The research paper titled First, Do No Harm: Studying the manipulation of security headers in browser extensions is available here.
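
One way to triage the "research each extension" step, as an added example that is not from the paper or from any browser vendor: the script below reads an extension's parsed manifest.json (and, for Manifest V3, its declarativeNetRequest rules) and reports whether it holds the permissions needed to rewrite response headers on every site, and which security headers its rules touch. The manifests and rules shown are constructed; holding the permission is a reason to look closer, not proof of misuse.

```python
# Response headers that switch on browser-side protections.
SECURITY_HEADERS = {
    "content-security-policy", "strict-transport-security", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed manifests and rules for illustration; none describes a real extension.
MV2_SAMPLE = {"manifest_version": 2, "name": "constructed-mv2",
              "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]}
MV3_SAMPLE = {"manifest_version": 3, "name": "constructed-mv3",
              "permissions": ["declarativeNetRequest"],
              "host_permissions": ["*://*/*"]}
MV3_RULES = [{"id": 1, "priority": 1,
              "action": {"type": "modifyHeaders", "responseHeaders": [
                  {"header": "Content-Security-Policy", "operation": "remove"}]},
              "condition": {"urlFilter": "*", "resourceTypes": ["main_frame"]}}]
NARROW_SAMPLE = {"manifest_version": 3, "name": "constructed-narrow",
                 "permissions": ["storage"],
                 "host_permissions": ["https://example.com/*"]}

def _strings(manifest, key):
    """String entries of a manifest list field (non-string entries are ignored)."""
    return {p for p in manifest.get(key, []) if isinstance(p, str)}

def audit_extension(manifest, rules=()):
    """Return findings for one extension's manifest and optional rule list."""
    perms = _strings(manifest, "permissions")
    # Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
    hosts = sorted((perms | _strings(manifest, "host_permissions")) & BROAD_HOSTS)
    where = ", ".join(hosts)
    findings = []
    # Manifest V2: a blocking webRequest listener may rewrite response headers.
    if {"webRequest", "webRequestBlocking"} <= perms and hosts:
        findings.append(f"can rewrite response headers on {where} (webRequest)")
    # Manifest V3: declarativeNetRequest rules may carry a modifyHeaders action.
    dnr = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}
    if perms & dnr and hosts:
        findings.append(f"can rewrite response headers on {where} (declarativeNetRequest)")
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for entry in action.get("responseHeaders", []):
            name = entry.get("header", "").lower()
            if name in SECURITY_HEADERS and entry.get("operation") in ("remove", "set"):
                findings.append(f"rule {rule.get('id')} will {entry['operation']} {name}")
    return findings

if __name__ == "__main__":
    for manifest, rules in ((MV2_SAMPLE, ()), (MV3_SAMPLE, MV3_RULES), (NARROW_SAMPLE, ())):
        print(manifest["name"], audit_extension(manifest, rules) or "nothing flagged")
```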