Practical Paranoia macOS 11 Security Essentials Hits the Bookstores
We’re Baaaack!
The best-selling DIY cybersecurity book series is back, fully updated, and guaranteed to be the easiest, most comprehensive book to secure your home and office computers, tablets, and smartphones.
Available now in paperback and Kindle from Amazon, paperback from all fine booksellers, and Live! directly from the publisher.
Visit The Practical Paranoid to order your copy, and secure your computer, data, and privacy now!
For years I have recommended the use of a password manager to help generate and store strong passwords. My go-to product has been LastPass. But now that LastPass has moved many of their features away from their free to their for-fee product, you may want to take a look at a competitor–Bitwarden.
I’ve been using Bitwarden for the past month on my Chromebook, iPhone, macOS 11 (Silicon), and Windows machines, and I’ve never been happier with a password manager.
If you aren’t familiar with a password manager, you are probably using one without even realizing it! Most browsers now have built-in password managers. So after you have been to a site once, your browser remembers your login credentials. On your subsequent visits, the browser will autofill these credentials so that you don’t have to remember them.
This browser-based password manager works well, but it can be much better. What Bitwarden brings to the table above and beyond the browser-based password managers includes:
Free and for-fee accounts, family accounts, and business accounts
Synchronize passwords across all devices
Synchronize passwords across Android, Chrome OS, iOS, iPadOS, macOS, and Windows devices
Strong password generator
Secure store of notes (such as Challenge Questions), and credit card information
It’s this 2-Factor Authenticator that really won me over. 2FA is currently the only method to effectively keep hackers out of your accounts. Every password can be cracked. But if you have 2FA enabled on an account, even if the bad actors know your username and password, they have no access to your account.
The problem with 2FA is that should your 2FA device (typically a smartphone) become damaged or lost, YOU will have a rough time gaining access to your own accounts.
Bitwarden solves this issue by sharing 2FA with your various devices that also have Bitwarden installed. It even automatically backs up your 2FA authenticator keys to the cloud (strongly encrypted, of course), so that they are easily accessible in case of loss.
Be forewarned, Bitwarden 2FA is not available on the free version. It will cost you $10/year to upgrade to their premium service.
Enough rambling. Time to upgrade your security and get Bitwarden running on your systems.
Install and Configure Bitwarden
To conserve space, my instructions will be based on macOS, but the process is almost identical on all platforms.
Although it looks like a lot of steps, I promise this is quick and easy. And once done, it will save you a ton of time and significantly harden your security.
Select Create A Free Account. Follow the onscreen instructions to create your account. I recommend upgrading to Premium now so that you have immediate access to 2FA, but you can just go with the free account to test the waters.
Return to the Download page, and then select your OS–Linux, macOS, or Windows.
Download and install the app.
Launch the app, and register with the account you created.
Configure
Open Bitwarden Preferences. Configure to your taste. My recommendation is shown below. When complete, click Close.
Enable Two-Step Login
As the keys to your treasure are stored in this database, not only is a strong Bitwarden password important, but so is having Two-Step Login enabled.
Select your preferred method to get a verification code. In this example, I’m using Email.
At the prompt, enter your email address, and then click Sent Email.
Open your email to find the verification email.
Copy the verification code from the email, paste it into the Bitwarden verification field, and then select Enable.
At the confirmation dialog, select Close.
In the Bitwarden Two-Step Login page, select View Recovery Code.
Copy and then securely store your recovery code. This code will be vital if you lose access to your Bitwarden 2FA Authenticator. When done, select Close.
Install Browser Extensions
You are now set up with Bitwarden. The last step is to install a Bitwarden browser extension so that your database is accessible from your browser.
Open a browser to https://bitwarden.com > Download.
Select your desired browser. The extension will download to your system.
Open the downloaded extension to install it in your browser.
In your browser, select the extension icon in the toolbar > select Enable.
At the prompt, enter your Bitwarden credentials to enable the extension.
Configure Browser Extension
Select the browser extension to open it.
Select Sync > Sync Vault Now to synchronize any stored data.
Configure Vault Timeout to On Browser Restart, and Vault Timeout Action to Lock.
Scroll down to select Options. Configure to your taste. When done, click outside of the Bitwarden window to close. My recommendation is shown below:
Adding Credentials to Bitwarden
You are now set and ready to go. You can manually enter credentials from the browser extension or the app. You can also visit a site, enter your credentials, and then reply Yes when Bitwarden prompts if you want to store the password (you could almost miss the prompt – it will be at the top of the window).
Configure Bitwarden Two-Step Authentication
2FA is absolutely vital to help ensure the security of your accounts. If a site offers 2FA (sometimes called Multi-Factor Authentication and 2-Step Verification), go for it.
Once 2FA is active on a site, you will need to provide a code provided by the 2FA source (in this case, Bitwarden) the first time you login to a new device or new browser. Some sites are configured to prompt for 2FA on every visit, once a week, or once a year. Let’s walk through getting your first 2FA configured in Bitwarden.
Open a browser to your target site. In my example that will be Google. Their security page is https://security.google.com.
In the main body area, scroll down to select 2-Step Verification.
At the prompt, enter your Google credentials, and then select Next.
Scroll down to the Authenticator app section, and then select SET UP.
At the Get codes from the Authenticator app, select the type of smartphone you use (Android or iPhone), and then select Next.
The Set up Authenticator window shows a barcode designed to be captured with a smartphone camera. As we are using a computer, select CAN’T SCAN IT?
In the Can’t scan the barcode? dialog, select and then copy the 32-character code.
Open Bitwarden, select your Google account, and then select the Edit (pencil) icon.
Paste the code copied in step 7 into the Authenticator Key (TOTP) field, and then click the Save (disk) icon.
In the ITEM INFORMATION area of your Bitwarden Google record, you will now see a Verification Code (TOTP) field. This is the one-time only authenticator code that can be used when prompted by Google. If you have other devices with Bitwarden, they will now also have this new field.
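As an added illustration (not part of the original post, and not Bitwarden’s code), the following Python shows what a vault does with the Authenticator Key: it decodes the 32-character Base32 key Google displays in the “Can’t scan the barcode?” dialog and computes the 6-digit Verification Code (TOTP) from it per RFC 6238. The key in the demo is the RFC 6238 test secret, a constructed example and not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def normalize_secret(key: str) -> bytes:
    """Turn the key as shown in Google's "Can't scan it?" dialog into raw bytes.

    Google displays the key in lowercase groups separated by spaces; Base32 is
    case-insensitive and the '=' padding is usually omitted, so both are repaired.
    """
    cleaned = "".join(key.split()).upper().replace("-", "")
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding to a multiple of 8
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(key: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(normalize_secret(key), at // step, digits)


def seconds_remaining(at: Optional[int] = None, step: int = 30) -> int:
    """How long the current code stays valid (the countdown a vault shows)."""
    if at is None:
        at = int(time.time())
    return step - (at % step)


if __name__ == "__main__":
    # Constructed demo key: the RFC 6238 test secret "12345678901234567890",
    # Base32-encoded and written the way Google displays it (lowercase, spaced).
    demo_key = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    print(totp(demo_key), "valid for", seconds_remaining(), "s")
```

Every device holding the same Authenticator Key and a correct clock produces the same code, which is why the field appears on all of your Bitwarden devices at once.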
As reported in Venture Beat on August 3, 2019, Amazon has almost silently announced that Alexa users are now able to choose to block human reviewers from listening to their recordings. Although this human listening is intended to provide quality assurance that the AI is performing as instructed, it does introduce creepy Big Brother Is Always Listening into our lives.
In a statement provided to VentureBeat about the change, Amazon spokesperson said:
We take customer privacy seriously and continuously review our practices and procedures. For Alexa, we already offer customers the ability to opt-out of having their voice recordings used to help develop new Alexa features. The voice recordings from customers who use this opt-out are also excluded from our supervised learning workflows that involve manual review of an extremely small sample of Alexa requests. We’ll also be updating information we provide to customers to make our practices more clear.
To disable the ability for humans to hear your recordings taken by Alexa:
A: Let’s start with this: Federal cybersecurity guidelines state that portable external storage of any kind (USB drive, thumb drive, flash drive, SD card, etc.) is not to be permitted. This is a mandate for government systems, government contractors, health care providers, and financial organizations. It should be a mandate within your organization.
There is a reason for this madness.
One of the common methods of infecting computers with malware or allowing a hacker to access a computer is through portable external storage devices. This can be done in dozens of ways. But just to name a few:
The storage device is compromised at the factory (this has happened numerous times).
The storage device is left on the ground by the criminal, knowing that around 1/3 of people will pick it up and try to see what is on it.
The storage device may have been attached to another computer, and that computer is compromised, and therefore infected the external storage device.
The storage device may hold an electrical charge or be wired to short out your system.
HOW TO WORK WITHOUT PORTABLE EXTERNAL STORAGE
Use cloud storage to share data – Google Drive, Dropbox, Box, etc. are excellent options.
Your IT department should have an air-gapped computer specifically just for dealing with portable external storage devices. They can take the device, plug it into this sacrificial computer, and scan it for problems. If it passes, you may then use the device.
Not meaning to be a hard-ass about it, but really, truly, DO NOT HAVE A PORTABLE EXTERNAL STORAGE TOUCH YOUR COMPUTER (unless it has passed a security audit by your IT staff). Doing so places your computer and the integrity of your company data at high risk. And depending on your organization, may subject the organization to very hefty compliance violation fines.
Encrypted: The process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.
Chat: A specific form of electronic communication. Originally containing only text, but in recent years has been upgraded to allow inclusion of images, video, and sound.
Client: The application used by the end-user of the computer or mobile device.
So, an encrypted chat client is an application that allows two or more people to share text and possibly images, sound, and video among themselves, and prevents others from accessing the conversation by encoding the communication.
Examples include Apple Messages, Wire, and Signal.
This has been the assumption within the IT security community ever since voice-response devices hit the market. I have long found the behavior of Apple’s Siri to be suspect. For example, I may provide Siri with a full paragraph of spoken content, and then watch as Siri enters text, removes some text, enters some more text, edits text, and then completes the paragraph. This is not the action of AI, but of a human translator.
In the case of Siri, it can be disabled on both iOS and macOS devices. It is different with Amazon Echo devices. Without voice response, they serve little purpose or value.
For me, personally, I’m leaving my Echo devices (8?!) unplugged until needed.
A: If you are talking about absolutes, no. However, you can dramatically reduce the chances of compromise when opening email:
Use an email provider that pre-scans your mail for malicious content. This is one reason I favor Google. All incoming email is scanned by over a dozen of the leading anti-malware software before it gets to you.
Install a quality anti-malware software, and keep it updated daily. I’m fond of Bitdefender GravityZone. It will automatically update hourly, and is consistently among the top 3 products in its category.
Enable application whitelisting. With this active, only applications you have approved can launch/execute/open. Since malware isn’t on your list, it simply cannot launch and cause problems.
As reported on TechCrunch January 29, 2019, it appears that as bad as we thought Facebook to be, it has the resources to be far worse.
Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms.
Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits, and it has no plans to stop.
When Guardian Mobile Firewall’s security expert Will Strafach was asked to dig into the Facebook Research app, he told us that “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.” It’s unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user’s device once they install the app.
Read the original report for more information on all of the apps Facebook is using, and how it is in direct conflict with Apple’s developer rules.
As reported January 17, 2019 on ZDNet (https://www.zdnet.com/article/some-android-gps-apps-are-just-showing-ads-on-top-of-google-maps/), 19 new Android apps have been found to be nothing more than junk getting in your way.
All of these apps do the same thing–add an advertising layer on top of Google Maps. At least one even has the gall to request payment to remove the ads in Google Maps–ads that wouldn’t exist except for that app itself!
If you have any of these apps installed on your Android device, remove them ASAP. The problem apps include:
The UniFi AC Pro AP features the latest Wi-Fi 802.11ac, 3×3 MIMO technology in a refined industrial design and is ideal for deployment of maximum‑performance wireless networks.
Manage Your Networks from a Single Control Plane
Intuitive and Robust Configuration, Control and Monitoring
Build and expand your network with Ubiquiti Networks® UniFi® Switch, part of the UniFi line of products. The UniFi Switch is a fully managed, PoE+ Gigabit switch, delivering robust performance and intelligent switching for growing networks.
Lucky you, Santa left some IT goodies under our tree!
Ubiquiti UniFi Switch 16 150W SN: 788A20FD84B9 New, in box. The UniFi® Switch delivers robust performance over its 18 independent switching ports. Two SFP ports offer optical connectivity, and 16 Gigabit Ethernet ports offer 802.3af/at PoE+ or 24V passive PoE sharing a total of 150W PoE.
A: An insecure network is an insecure network – regardless of the physical or geographical location.
As to how unsafe it may be, depends on your definition.
The biggest issue is the good possibility that your network traffic is watched. This means that any username, password, or other sensitive information you enter may be viewable by some creep in or near the library.
If you are using your own computer, the workaround is to use a VPN service. This will encrypt all of your internet traffic while on a network – unsecured or secured. I’m fond of NordVPN.
If you are using the library’s computer, you won’t be able to install software, so VPN and Tor are not available to you. The only alternative is to ensure that whenever you need to enter sensitive information, the web page is encrypted. This displays differently in different browsers, but you will either see a lock icon in the address field, or the URL will start with https instead of http.
A: Sorry, that is simply not possible. The current US Government recommendation for strong passwords is a minimum of 15 characters. Our brains would have a tough time remembering just five such passwords, much less a different password for every website.
The easy solution is to use a password manager to automatically create, store, retrieve, and enter these monsters. I’m fond of LastPass. Super easy, automated, integrates with Android, iOS, macOS, Windows, all major browsers, encrypts passwords at the device, shares the password database among all of your devices, and with the for-fee version, you can share designated passwords with family or staff.
A: This is a topic that books are written about (several by yours truly). Much depends on how high a value target you are (if the NSA is interested in you, good luck), and what you need to use the internet for.
But here is a list to get started:
Use a quality VPN service that also includes tor within their system. I’m fond of NordVPN. As you can see from this screenshot, from the hundreds of available NordVPN servers, they have some that provide Onion services over VPN. This is the industry-standard “belt-and-suspenders” strategy to anonymize your web activities.
Use a secure email system. I’m fond of ProtonMail. ProtonMail uses PGP/GPG to military-grade encrypt all of your email. Even ProtonMail administrators cannot access your email.
Run an unmodified version of the Tails operating system. This can be installed on and run from a thumb drive from any Linux, macOS, or Windows computer. When using Tails, you effectively hide your digital fingerprint, so that your computer cannot be identified. It includes secure versions of web browser, instant messenger, and email software.
With over 40 million malware samples waiting to harvest, corrupt, or encrypt your data, anti-malware software is an essential addition to any and every operating system. The only anti-malware product we currently recommend is Bitdefender GravityZone for Business.
Starting January 1, 2019, computer users who have the MintzIT version of Bitdefender GravityZone installed will see some much anticipated changes. These can be seen when opening the application:
On-Access. This has always been active. This indicates your anti-malware (anti-virus, anti-trojan, anti-ransomware) is active and scanning every file that is opened.
Traffic Scan. This has been newly added this year. Traffic Scan examines all incoming and outgoing traffic for any malicious code. If it is found, it is blocked from taking any action.
Antiphishing. This has been newly added this year. This feature examines every website visited. It prevents users from inadvertently disclosing private or confidential information to online fraudsters. Instead of the phishing web page, a special warning page is displayed in the browser to inform the user that the requested web page is dangerous.
We have extended protection to other types of scams besides phishing. For example, websites representing fake companies, which do not directly request private information, but instead try to pose as legitimate businesses and make a profit by tricking people into doing business with them.
If you find that a legitimate website is being blocked by Bitdefender, please call our office 505.814.1413, and we can whitelist the site.
Get Bitdefender
If you don’t currently have Bitdefender protecting your computers, this is a great time to do so. MintzIT will install Bitdefender GravityZone for a yearly subscription of $36 per computer, plus $37.50 installation labor fee. Call 505.814.1413 x 1 and we will perform the installation while you call!
It is privy to the front desk staff, management, leadership – almost all in unencrypted format.
Unless you are staying at some shady facility, the law requires a drivers license or other ID in order to reserve a room. With your state-issued ID in hand, your information is monetized when sent to the hotel ownership (some other multinational Corp) for sales and marketing.
It is likely sold to other advertisers.
Not to mention that local, state, and federal law enforcement have free access to this information.
All. That. Said…
If one thinks they have to concern themself with security and privacy at the level of hotels, it’s time to wake up! They are several blocks back in the line of people and organizations sniffing through your data.