On the Fourth of July, Americans celebrate independence, declaring we are no longer subject and subordinate to the monarch of Britain.
But today we are subject to greater tyranny through constant internet surveillance and breach of our online privacy. We are at the mercy of our government, Facebook, Google, cyber criminals, and other bad actors intent on knowing, seeing, and recording our every digital nanosecond.
Time for an updated Independence Day.
I’m Marc Mintz, Project Director for The Practical Paranoid (TPP).
TPP and I have worked to enlighten the public that it does not take an Apple Genius, Google Guru, or a Microsoft Engineer to secure your systems, data, and communications. Almost everything the government and big business do to ensure their cybersecurity and internet privacy can be done for you, by YOU, for less than what we spend on coffee. And in just a few hours.
Our Practical Paranoia Security Essentials books have been showing non-technical users how to do this for over eight years.
The number one comment we receive from buyers of Practical Paranoia Security Essentials books is how surprised they are at how fast and easy it was to secure their phone, text, email, browsing, and entire digital life.
The second most common comment from buyers is how intimidating Practical Paranoia books appear. Some buyers never jump into using a book after they purchase it.
With the release of five new operating systems this year – Android 12, Chrome OS, iOS 15, macOS 12, and Windows 11 – we needed to remove the intimidation factor so that everyone could learn how to protect their data, communications, and privacy. And we did it.
Announcing five brand-new Practical Paranoia Security Essentials Online Workshops that cover all the new OS products.
Protecting your digital life is as important as locking your home and carrying a driver’s license.
There are three paths to cybersecurity and internet privacy:
You can pay a certified cybersecurity professional to do all the work that you will do in a TPP workshop. But pros cost $1,000-$4,000.
You can buy the Practical Paranoia book and DIY for only $64.95. But you would have done it already if it weren’t for that pesky intimidation factor.
Now you can do the work on your own – but with an industry leader guiding you in a workshop – the only workshop of its kind available anywhere at any price.
Think you don’t have the skills or background knowledge to do your own cybersecurity? We designed each workshop for the non-technical computer, tablet, and smartphone user. If you can tap, double-tap, and save a file, this course was made for you!
Each OS workshop consists of:
A series of 7 to 10 one-hour classes on Zoom
A copy of the latest best-selling TPP book, a $64.95 value
Our August beta workshops will be presented live by an industry expert who has taught technology courses internationally
Each class is recorded for students to access if they miss the live session
Easy hands-on assignments to harden your security and privacy to industry standards
AND Private Instructor Hours via Zoom to help you over any rough patches
The Practical Paranoia Security Essentials Online Workshops are only $275. And, it gets even better!
If you register for any of our first beta workshops in August 2021, your cost is only $125 for any workshop. Registration for beta workshops is limited and will close quickly.
Protecting you, your family, and your business cybersecurity and internet privacy is fast, easy, and inexpensive. You may even have fun doing it!
I just love it when with just a few mouse taps I can add a solid layer of security to all the devices under my roof. It’s just icing on the cake when it’s free!
All of the internet-connected devices under your roof need to communicate over the internet in order to function. This includes computers, tablets, smartphones, webcams, smartwatches, smart doorbells, smart thermostats, printers, and more.
With your computers, tablets, and smartphones, you can add a layer of protection against malware by installing quality antimalware software. But what about your printer, smartwatch, doorbell, thermostat… you get the picture. Each of these smart devices is open to a breach, and few offer any option to install or configure security.
The other possible problem is adult content. Should you be a parent that would prefer little Jane and Johnny to not have access to adult content, it can be a full-time job playing content cop.
All of your home and business devices must connect to the internet through your router. Inside of each router is a setting specifying which Domain Name Server (DNS) the router will use to learn where to direct this internet traffic. If a DNS server was knowledgeable about which web addresses held malware or adult content, the DNS could pass this info along to the router, blocking access to these sites.
Lucky you! There are DNS servers with this knowledge, and Cloudflare offers them at no charge.
The How To
If you would like to block known malicious and adult content sites from all of your home and business devices, you just have to change your router DNS settings. By default, most routers use your internet provider’s DNS servers. You will change this IP address to those of Cloudflare.
Every router has a unique interface. In the example below I’m using a CenturyLink Actiontec C3000A.
Log in to the modem. If you aren’t familiar with the process, call your internet provider for instructions.
From the menu bar, select Advanced Setup.
From the sidebar, select DHCP Settings.
In the main area of the page, scroll down to 5. Set the DNS servers allocated with DHCP requests.
From this area, select Custom Servers.
For malware-only protection, set the Primary DNS to 188.8.131.52 and the Secondary DNS to 184.108.40.206. For malware and adult content protection, set the Primary DNS to 220.127.116.11 and the Secondary DNS to 18.104.22.168.
Tap the Apply button.
Your modem may reboot. The protection will be in place immediately.
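One way to confirm the filter is actually in effect after the change, as an added example that is not part of the original post: send a DNS query straight to the resolver you configured and see whether a name that should be blocked comes back as 0.0.0.0. The function names and sample packets are constructed for this illustration, and the 0.0.0.0 answer for blocked names is an assumption based on how Cloudflare documents its filtering resolvers.

```python
import socket
import struct

QUERY_ID = 0x1234  # arbitrary transaction id, constructed for this example


def build_query(name, qid=QUERY_ID):
    """Encode a recursive A-record query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at `pos`."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        if length == 0:            # root label ends the name
            return pos + 1
        pos += 1 + length


def parse_a_records(msg):
    """Return (rcode, [IPv4 addresses]) from a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):       # skip the echoed question section
        pos = _skip_name(msg, pos) + 4
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs


def classify(msg):
    """Summarise a response: blocked, resolved, nxdomain, no-answer, error, malformed."""
    try:
        rcode, addrs = parse_a_records(msg)
    except (struct.error, IndexError):
        return "malformed"
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return "error"
    if not addrs:
        return "no-answer"
    # Assumption: the filtering resolver answers blocked names with 0.0.0.0.
    return "blocked" if all(a == "0.0.0.0" for a in addrs) else "resolved"


def check(resolver_ip, name, timeout=3.0):
    """Ask `resolver_ip` (IPv4, UDP port 53) for `name` and classify the answer."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:      # reply must carry our transaction id
        return "malformed"
    return classify(data)


def constructed_response(name, ip=None, rcode=0):
    """Build a sample response offline (constructed data, not a capture)."""
    question = build_query(name)[12:]
    header = struct.pack("!HHHHHH", QUERY_ID, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    answer = b""
    if ip:
        # 0xC00C points back at the question name; TTL 60, 4-byte address.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    print(classify(constructed_response("blocked.example", "0.0.0.0")))
    print(classify(constructed_response("ok.example", "192.0.2.10")))
```

On a live network, call check() with the Primary DNS address you entered in the router and a hostname the filter should block; a result of "resolved" for that name means the devices are not using the filtering resolver.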
It’s Your Data… Protect It
Most people ignore their cybersecurity and internet privacy because they think it is too difficult or expensive. But what if it was fast, easy, and (almost) free? Our guides have been written by certified experts, with step-by-step illustrated instructions so that even a child can harden your security like a pro.
Visit https://thepracticalparanoid.com for the easiest, most comprehensive cybersecurity and internet privacy guides you can buy. Guaranteed!
Amazon Set to Share Your Internet With Neighbors – How to Opt-Out
Come this Tuesday, June 8, 2021, Amazon will launch the Amazon Sidewalk service. This service for Echo and Ring devices automatically opts-in to share your internet bandwidth with other Amazon devices in the neighborhood.
At first glance, this service is a great idea. Share a small slice of your internet bandwidth – 80Kb/s and a 500Mb monthly cap – with other Echo and Ring devices that have lost connection with their home wi-fi. For example, if your next door neighbors’ Ring doorbell loses connection with the home wi-fi, the Ring doorbell will automatically connect with the neighbor’s home wi-fi for uninterrupted service. Or if a dog wearing a Tile escapes from their yard, as long as the dog is within range of a network using Amazon Sidewalk, the Tile will accurately report the location of the dog.
Add on to this service that it is free to Echo and Ring customers (well, at least initially), and it is a great deal.
However, there are only a few big-tech companies that have proven to handle internet privacy responsibly, and Amazon is not one of them.
The Amazon Sidewalk white paper states that any sensitive data transmitted through Sidewalk is encrypted and that Amazon does not have a way to decrypt the packets. If that is true, they need to start hiring better engineers. Even if it is true, very serious hacks of secure systems are a daily news item.
Perhaps my biggest gripe is that the system is set to automatically opt-in. I’ll take this as tacit acknowledgement by Amazon that many/most of its customers would choose to opt-out instead.
What You Can Do – Opt-Out
If you have an eligible Echo or Ring device and do nothing, you are automatically part of the Amazon Sidewalk system.
If you prefer to not be a part of the Amazon Sidewalk system, follow these steps:
For Amazon Echo Device Owners
Open your Amazon Alexa App.
Select the More option in the bottom right corner of your screen.
Hiding in Plain Sight: Office 365 Email Encryption and Prevent Forwarding
Although over 1,200,000,000 people use Office 365, very few have discovered the pair of hidden gems. Well, not really hidden, just that very few people ever discover them!
The gems? Built-in email encryption and built-in block of forwarding.
That’s right, instead of spending time researching for an email encryption program, then figuring out how it works, if you have an Office 365 account with Outlook.com, you have both these features available with just a tap or two.
Send an Encrypted Email from Outlook.com
These gems are only available if you have an Office 365 account and use Outlook.com to send your mail with that account. It won’t work with your Outlook application, nor will it work with other email accounts (such as Gmail) that are linked to your Outlook account.
With those prerequisites out of the way, here is the answer you have been waiting for:
Create an email. Address the recipient to one of your other email addresses, or if performing this in class, to one of your study partners.
From the toolbar, tap the Encrypt button > Encrypt, or Encrypt & Prevent Forwarding.
Send the email.
When creating an outgoing email with Outlook.com, the user has the option to Encrypt the outgoing email.
On the recipient’s end, any attachments may be downloaded if using Outlook.com, Outlook application for Windows 10, the Outlook mobile app, or the Mail app in Windows 10. If using a different email client, a temporary passcode can be used to download the attachments from the 365 Message Encryption portal. The email itself remains encrypted on Microsoft servers and cannot be downloaded.
Encrypt & Prevent Forwarding
As with the Encrypt option, when selecting Encrypt & Prevent Forwarding, the email remains encrypted on Microsoft servers and cannot be downloaded, copied, or forwarded. MS Office file attachments (Excel, PowerPoint, Word) remain encrypted after being downloaded. If these Office files are forwarded to someone else, the other person will not be able to open the encrypted files. Non-MS Office files can be downloaded without encryption and therefore forwarded without issue.
Read an Encrypted Email from Outlook.com
If Using Outlook.com to Read the Email
Open a browser to https://outlook.com, then log in with the account set as the recipient in the previous assignment.
Open the encrypted email. Note that you can open, read, and reply to this encrypted email as you can with unencrypted messages.
If Using Something Other than Outlook.com to Read the Email
Open the email software to the account set as the recipient in the previous assignment.
Open the encrypted email.
You will see a message with instructions for how to read the encrypted message.
Practical Paranoia macOS 11 Security Essentials Version 5.0.2 Released
The best-selling, easiest, and most comprehensive cybersecurity and internet privacy DIY book series for home and business has just released version 5.0.2 for macOS 11.
This includes all updates relevant to macOS 11.4 plus the major changes for performing encrypted bootable clone backups.
How to Update
As with all Practical Paranoia books, the Live! version (pdf) is available immediately. If you have purchased the Live! version, it will automatically open to the new version.
The paperback and Kindle versions will be available on June 5, 2021. To receive your free Kindle update, delete the currently installed version of the book from your Kindle device, and then download it from your Kindle library.
How to Purchase
If you don’t already have a copy of Practical Paranoia Security Essentials for Android, Chromebook, iOS, macOS, or Windows, you can purchase from:
Paperback is available from Amazon and all fine booksellers.
Kindle is available from Amazon. Updates are always free.
Live! is available direct from The Practical Paranoid, LLC. Updates are always free and automatic.
New macOS Malware Breaks Apple Security to take Photos
New spyware has been discovered that can bypass the built-in macOS security and privacy feature called Transparency, Consent, and Control (TCC). This is the feature that alerts the user when an app tries to do something that may impact the user’s privacy – such as recording keystrokes or taking a photo – asking for user permission before the action can take place. This malware is able to hijack other apps’ permissions to be used as its own authorization.
As an example, the malware could hook into Zoom, which had previously been granted permission to perform screen recording, to then allow the malware to record the user’s screen, and then send the recording to the malware developer.
What You Can Do About This Issue
This vulnerability has been fixed in macOS 11.4.
On your Mac, open Apple menu > About This Mac.
If your macOS version is 11.4, you are safe from this vulnerability and can stop here. If your macOS version is NOT 11.4, continue…
On your Mac, open Apple menu > System Preferences > Software Update.
Tap the Update Now button.
Follow the onscreen instructions to download and install macOS 11.4.
Practical Paranoia Security Essentials version 5.0.1 released
WAHOO!!! We have reached a new milestone with Practical Paranoia. All five books (Android 11, Chromebook, iOS 14, macOS 11, and Windows 10) have been updated to version 5.0.1. With this update, all books now have:
Synchronized chapters, sections, and assignments. This means if you want to lock down your security and privacy on both your Windows laptop and Android phone, and perhaps your mother’s Chromebook and iPhone, each chapter for each book will be identical with the exception of the specifics of the device being worked on.
Chapter timings have been added. For those taking the live or prerecorded Practical Paranoia workshops, you now know going in how long it will take to complete a chapter, and approximately how long the homework will take.
Synchronization is huge. To accomplish it, we started from scratch to rewrite each book. But the results are amazing. For someone wanting to learn about more than one platform, this literally cuts learning time by 50-75%.
This makes Practical Paranoia Security Essentials not only the easiest and most comprehensive cybersecurity and internet privacy guide available for a regular end-user, but it is now the fastest available.
Download the Look Inside preview of Practical Paranoia Security Essentials v5.0.1, and discover why this is the easiest, most comprehensive, fun, and fastest way to harden your cybersecurity and internet privacy.
For years I have recommended the use of a password manager to help generate and store strong passwords. My go-to product has been LastPass. But now that LastPass has moved many of their features away from their free to their for-fee product, you may want to take a look at a competitor–Bitwarden.
I’ve been using Bitwarden for the past month on my Chromebook, iPhone, macOS 11 (Silicon), and Windows machines, and I’ve never been happier with a password manager.
If you aren’t familiar with a password manager, you are probably using one without even realizing it! Most browsers now have built-in password managers. So after you have been to a site once, your browser remembers your login credentials. On your subsequent visits, the browser will autofill these credentials so that you don’t have to remember them.
This browser-based password manager works well, but it can be much better. What Bitwarden brings to the table above and beyond the browser-based password managers includes:
Free and for-fee accounts, family accounts, and business accounts
Synchronize passwords across all devices
Synchronize passwords across Android, Chrome OS, iOS, iPadOS, macOS, and Windows devices
Strong password generator
Secure store of notes (such as Challenge Questions), and credit card information
It’s this 2-Factor Authenticator that really won me over. 2FA is currently the only method to effectively keep hackers out of your accounts. Every password can be cracked. But if you have 2FA enabled on an account, even if the bad agents know your username and password, they have no access to your account.
The problem with 2FA is that should your 2FA device (typically a smartphone) become damaged or lost, YOU will have a rough time gaining access to your own accounts.
Bitwarden solves this issue by sharing 2FA with your various devices that also have Bitwarden installed. It even automatically backs up your 2FA coding to the cloud (strongly encrypted, of course), so that it is easily accessible in case of loss.
Be forewarned, Bitwarden 2FA is not available on the free version. It will cost you $10/year to upgrade to their premium service.
Enough rambling. Time to upgrade your security and get Bitwarden running on your systems.
Install and Configure Bitwarden
To conserve space, my instructions will be based on macOS, but the process is almost identical on all platforms.
Although it looks like a lot of steps, I promise this is quick and easy. And once done, it will save you a ton of time and significantly harden your security.
Select Create A Free Account. Follow the onscreen instructions to create your account. I recommend upgrading to Premium now so that you have immediate access to 2FA, but you can just go with the free account to test the waters.
Return to the Download page, and then select your OS–Linux, macOS, or Windows.
Download and install the app.
Launch the app, and register with the account you created.
Open Bitwarden Preferences. Configure to your taste. My recommendation is shown below. When complete, click Close.
Enable Two-Step Login
As the keys to your treasure are stored in this database, not only is a strong Bitwarden password important, but so is having Two-Step Login enabled.
Select your preferred method to get a verification code. In this example, I’m using Email.
At the prompt, enter your email address, and then click Sent Email.
Open your email to find the verification email.
Copy the verification code from the email, paste it into the Bitwarden verification field, and then select Enable.
At the confirmation dialog, select Close.
In the Bitwarden Two-Step Login page, select View Recovery Code.
Copy and then securely store your recovery code. This code will be vital if you lose access to your Bitwarden 2FA Authenticator. When done, select Close.
Install Browser Extensions
You are now set up with Bitwarden. The last step is to install a Bitwarden browser extension so that your database is accessible from your browser.
Open a browser to https://bitwarden.com > Download.
Select your desired browser. The extension will download to your system.
Open the downloaded extension to install it in your browser.
In your browser, select the extension icon in the toolbar > select Enable.
At the prompt, enter your Bitwarden credentials to enable the extension.
Configure Browser Extension
Select the browser extension to open it.
Select Sync > Sync Vault Now to synchronize any stored data.
Configure Vault Timeout to On Browser Restart, and Vault Timeout Action to Lock.
Scroll down to select Options. Configure to your taste. When done, click outside of the Bitwarden window to close. My recommendation is shown below:
Adding Credentials to Bitwarden
You are now set and ready to go. You can manually enter credentials from the browser extension or the app. You can also visit a site, enter your credentials, and then reply Yes when Bitwarden prompts if you want to store the password (you could almost miss the prompt – it will be at the top of the window).
Configure Bitwarden Two-Step Authentication
2FA is absolutely vital to help ensure the security of your accounts. If a site offers 2FA (sometimes called Multi-Factor Authentication and 2-Step Verification), go for it.
Once 2FA is active on a site, you will need to provide a code provided by the 2FA source (in this case, Bitwarden) the first time you login to a new device or new browser. Some sites are configured to prompt for 2FA on every visit, once a week, or once a year. Let’s walk through getting your first 2FA configured in Bitwarden.
In the main body area, scroll down to select 2-Step Verification.
At the prompt, enter your Google credentials, and then select Next.
Scroll down to the Authenticator app section, and then select SET UP.
At the Get codes from the Authenticator app, select the type of smartphone you use (Android or iPhone), and then select Next.
The Set up Authenticator window shows a barcode designed to be captured with a smartphone camera. As we are using a computer, select CAN’T SCAN IT?
In the Can’t scan the barcode? dialog, select and then copy the 32-character code.
Open Bitwarden, select your Google account, and then select the Edit (pencil) icon.
Paste the code copied in step 7 into the Authenticator Key (TOTP) field, and then click the Save (disk) icon.
In the ITEM INFORMATION area of your Bitwarden Google record, you will now see a Verification Code (TOTP) field. This is the one-time only authenticator code that can be used when prompted by Google. If you have other devices with Bitwarden, they will now also have this new field.
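How the 32-character key pasted into the Authenticator Key (TOTP) field becomes the six-digit Verification Code, shown as an added example that is not Bitwarden's or Google's code: a standard RFC 6238 TOTP computation, run on the RFC's published test secret rather than a real key. The function names are chosen for this illustration; HMAC-SHA1, 30-second time steps and six digits are the common authenticator defaults and are assumed here.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample key: the RFC 6238 test secret "12345678901234567890",
# base32-encoded (32 characters) and written the way setup pages usually
# display it, in lowercase groups of four. Never use it for a real account.
SAMPLE_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def normalize_key(key):
    """Strip spaces, upper-case, pad, and base32-decode the displayed key."""
    cleaned = "".join(key.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 input must be a multiple of 8
    return base64.b32decode(cleaned)


def totp(key, at=None, step=30, digits=6):
    """Return the code for the time step containing `at` (Unix seconds)."""
    secret = normalize_key(key)
    now = time.time() if at is None else at
    counter = int(now // step)                      # number of 30 s steps since 1970
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def verify(key, code, at=None, window=1, step=30):
    """Server-side check: accept the current step plus/minus `window` steps."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(key, now + drift * step, step), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("code for the current 30-second step:", totp(SAMPLE_KEY))
```

Anyone who holds the key can generate valid codes on any device, which is why the same field appears on every device synced to the vault and why the key and the recovery code need the same protection as the password itself.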
As reported in the December 4, 2018 SpreadPrivacy.com article, when performing internet searches using Google, the results were personalized for the user even when logged out of the user’s Google account, and when in Incognito Mode.
The bottom line is that Google is using identifiers other than Google account login to identify users when searching. This can be easily done using the digital fingerprint of the device.
To be fair, Google will tell you that personalizing search results is a feature of using Google search: based on each user’s search and browsing history, Google will filter and prioritize search results to best meet the world view and preferences of the user. For example, if you browse politically conservative websites, when performing searches of a political nature, you are likely to see links to articles more favorable to the conservative perspective than would someone who browses liberal websites.
Up until now, it was assumed such search filters were in effect only when logged in to one’s Google account. But that is now known to be incorrect.
If, as Google believes to be true, you prefer having your internet searches filtered so they better align with your world view, then you need do nothing!
However, if you would prefer to have a more accurate view of the world through internet searches, there are a few steps to take:
Stop using Chrome as your web browser. Replace it with Firefox, Brave, or Safari. These three browsers do not monitor or record your browsing history.
Replace your default search engine with DuckDuckGo (DDG). DDG doesn’t monitor or record your search or browser history. It submits your search request to dozens of search engines, takes the results, eliminates duplicates, and presents an accurate search result.
Firefox: Visit https://duckduckgo.com, and then follow the on-screen instructions.
Safari: In Safari Preferences, set the default search engine to DuckDuckGo.
Brave: In Brave Settings, set the default search engine to DuckDuckGo.
Replace your default DNS provider. DNS is what translates https://websitexyz.com to an IP address your computer knows how to find. Most DNS services monitor and record your internet traffic, and make it available for sale. Use a DNS provider that does not do this. The two most popular are Cloudflare (22.214.171.124, 126.96.36.199) and OpenDNS.
Cloudflare: Cloudflare may be the world’s fastest DNS service. Until recently it had been our go-to solution. I still consider it excellent. However (gotta hate those “howevers” in life), it appears to be going through some growing pains at the moment, resulting in occasional failed service. Go to your Network Settings, delete the current entry for DNS, and replace with 188.8.131.52 and 184.108.40.206.
OpenDNS: OpenDNS is the great granddaddy of anonymized DNS services. In addition to their free service, their for-fee services allow filtering of content. Go to https://www.opendns.com, sign up for a free account, and then go to your Network Settings, delete the current entry for DNS, and replace with 220.127.116.11 and 18.104.22.168.
Block Web Trackers. Most commercial websites use web trackers. These monitor all of your activity on the site. This information may be used exclusively by the website, but is more likely to be sold to advertisers (including Google). It is best to block web trackers. My preference is to use the Ghostery browser extension.
Brave, Firefox, and Safari: Open your browser to https://www.ghostery.com. Follow the on-screen instructions to download and install the Ghostery extension. Once installed, select the Ghostery icon to configure settings.
Obfuscate Digital Fingerprint. By continuously changing your digital fingerprint, or by forcing your digital fingerprint to look generic, it becomes difficult or impossible for websites and web trackers to know who you are or to follow your browsing history.
Safari: Safari (macOS 10.14) automatically generates a generic digital fingerprint. Nothing you need to do.
Brave and Firefox: You’ve already solved the problem by completing step 4 above. Ghostery also continuously modifies your digital fingerprint.
These are just the tip of the iceberg for online privacy. Want to fully secure your computer, data, and identity? The Practical Paranoia Security Essentials books have been the #1 best-selling and easiest to follow DIY cybersecurity series for over 5 years! Available now at 50% discount for our online Live! edition.
Official workbook for the Practical Paranoia: Security Essentials Workshop, STEM and college cybersecurity courses. Designed for instructor-led and self-study. The entire course is contained within the book. Includes all instructor presentations, hands-on assignments, links to all software, and security checklist.
You don’t need to be paranoid to know they are out there to get your computer, data, and identity.
2,000,000 laptops were stolen or lost in the US last year.
Only 3% of stolen computers are ever recovered.
Malware attacks on macOS have become commonplace.
Hundreds of eyes may be able to see your name and password, along with the contents of every email you send.
Once the bad guy has his hands on your Mac, it takes under one minute to bypass your password to gain access to all your data.
With a slight bit of social engineering, your iCloud, Facebook, LinkedIn, Google, and other social media accounts, along with all your data, is freely accessible.
Through PRISM and other avenues, our government has access to your online browsing and email history.
You don’t need to be an Apple Genius to protect your system!
In this easy, step-by-step guide, CIO, Security Specialist, and Certified Apple Consultant Marc L. Mintz takes any macOS user–from the novice with no technical skills, to experienced IT professional–through the process of fully encrypting and hardening the security of their computer, data, email, documents, network, instant messaging, storage devices, iCloud, browsing, and entire Internet experience.
It’s your information. Protect it.
Guaranteed to be the easiest to follow and most comprehensive macOS cybersecurity book available.
Version 3.1.1 of Practical Paranoia Windows 10 Security Essentials was released today. The Live! version is available immediately. Kindle updates will appear tomorrow, with print versions appearing on store shelves in the next 2 weeks.
I receive at least one question every day regarding how to secure email communications. People are legitimately concerned that their email may be seen by crazy ex-boyfriend/girlfriend/gender-neutral lover, boss, rivals, or government.
Let me put your minds at rest. There is no doubt your email is being seen by others, and most likely the exact people you don’t want to see your emails.
Email technology was built when information wanted to be free. No security safeguards were built into email. To this day, any email that offers hardened, end-to-end encryption is more Frankenstein than well-crafted code.
The solution is to grow away from email for secure communications. Sure, email is still useful in the same sense that postcards are useful. But for anything that is sensitive, proprietary, secretive, use a technology that is free, easy to use, and built from the ground up to be secure.
There are several Instant Message tools available that fit these criteria perfectly. The two leaders are Signal and Wire. I use both, but am partial to Wire because:
Free (for-fee for business)
Military-grade end-to-end encryption
Voice, instant message, and video conferencing all available in one app.
Messages can self-destruct after a user-specified time frame.
Group IM’s and calls.
Give Wire a try. In less than 15 minutes you will have a most powerful communications tool that knows how to keep its mouth shut.
IMMEDIATE ACTION REQUIRED: CRITICAL VULNERABILITY IN LINKSYS, MIKROTIK, NETGEAR, QNAP, AND TP-LINK DEVICES
When the Department of Homeland Security makes a public cybersecurity announcement, we should all wake up, listen, and pay heed. This is one of those times.
Update: Thursday, May 24, 2018.
As reported in The Beast, the FBI claims to have found the key server responsible for penetration and compromise of over 500,000 routers. The server is linked to the Russian criminal hacker group Fancy Bear. This is the same group that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election.
With the seizure of the server by the FBI, the compromised routers are no longer being “controlled” by the server. As such, performing a power cycle (power off, wait a minute, and then power on) will clear the malicious code from memory (stage 2 and stage 3 of the malware). For those devices with stage 1 present (infection of the firmware), the power cycle will not clear the code. It is recommended to upgrade any machines that are on the compromised models’ list to remove the malware. However, as the server is no longer issuing instructions or harvesting data, the risk of data harvest is dramatically reduced. The risk of instability and unpredictable behavior is still present until the new firmware is installed, removing the malware.
Now, back to the original story…
First, I apologize. I wish with all my heart that my job was to deliver candy (or beer), flowers, and baby alpaca to each of my clients on a regular basis. But I tried running an alpaca ranch and lost my shirt. So now I just get to deliver harsh realities as part of my job to prevent even harsher realities from steamrolling my clients.
As reported in the Department of Homeland Security US-CERT report this morning (May 23, 2018), a critical vulnerability has been found in network devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link (and very possibly many others).
The vulnerability has been named VPNFilter. It has three primary features:
It can install in any combination of stage 1, stage 2, and stage 3 implementations. Stage 1 resists removal by reboot or power cycle. This is highly unusual.
Harvest of all data passing over the network (this can include usernames, passwords, credit card information, proprietary and sensitive business data, etc.)
Catastrophically damaging the network device so as to render it unusable
Although the report is preliminary, it appears VPNFilter has been active for at least two years, with at least 500,000 devices in at least 54 countries impacted.
What is particularly malicious about this malware is that, unlike most of its kind, it will survive a power cycle or device reboot.
Talos, the organization that first discovered VPNFilter and continues to research it, has the following recommendations for everyone who has a Linksys, MikroTik, Netgear, QNAP, or TP-Link (and really, any network) device:
Users of SOHO routers and/or NAS devices reset to factory default and then reboot them to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.
Internet service providers that provide SOHO routers to their users reboot the routers on their customers’ behalf. (To remove the potentially destructive, non-persistent stage 2 and stage 3 malware).
If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you update the device to the most current patch version.
ISPs work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.
Due to the potential for destructive action by the threat actor (suspected to be a state-actor), we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.
More technical details may be found here at Talos.
My Recommendations To All MintzIT Clients, And Everyone Else
The devices that currently appear to be impacted are those that do not have any antimalware protection between them and the internet.
Most devices with antimalware protection either built-in or between them and the internet appear to be protected.
If you have a router that either does not have built-in antimalware protection or is not protected by another device with antimalware between it and the internet, the smart money is to trash this router now (before another 2 years go by while your data is harvested without your knowing), replacing it with a router that does have antimalware.
This is not a DIY project. Find a trusted cybersecurity professional to do this work for you. If you don’t have one, MintzIT can take the lead on this for you.
Even if your home or office were infected by VPNFilter, it would have little to no impact if all of your computers and mobile devices were using VPN (Virtual Private Network) to encrypt all data between the device and the internet.
If you are not currently using VPN, this event is a huge signpost alerting you that it is time to do so.
This is not a DIY project. Find a trusted cybersecurity professional to find the appropriate VPN solution, and then to install and properly configure the VPN. If you don’t have one, MintzIT can take the lead on this for you.
Marc L. Mintz, MBA-IT, ACTC
Practical Paranoia iOS 11 Security Essentials version 2 has just been published. All of the changes since version 1.0.1 are included in the attached PDF. Changes are from chapters on Passwords, Lost or Stolen Device, Local Network, Web, Email, Internet Activity, and Social Media.
The EFF is recommending that all users of PGP, GPG, and S/MIME “immediately disable and/or uninstall tools that automatically decrypt PGP-email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels…”. MintzIT is recommending the use of Wire <https://www.wire.com> or Signal <https://www.signal.org> for secure end-to-end messaging.
Practical Paranoia macOS 10.13 Security Essentials Update: Chapter 20 Social Media
As of April 21, 2018, The Practical Paranoia macOS 10.13 Security Essentials workbook has been substantially updated. Included is a rewrite of chapter 20 Social Media to reflect changes in Facebook and Google security.
As of April 21, 2018, The Practical Paranoia macOS 10.13 Security Essentials workbook has been substantially updated. Included is a rewrite of chapter 19 Internet Activity to reflect changes in Virtual Private Network (VPN).