Were you my client, my first question would be “how do you know?” Because under normal conditions, there is no need to know an employee password.
But no matter how you were to answer my question, the answer is to assign a Password Policy to the computer. Heck, while you are at it, assign a Password Policy to all company computers.
A Password Policy can be applied to Chrome OS, macOS and Windows computers. The process is a bit involved to give a detailed description here on Quora, but an internet search will provide you with the step-by-step.
With a Password Policy, you can specify a minimum number of characters, minimum complexity (upper case, lower case, numbers, and special characters), password lifespan, and prohibit the reuse of previous passwords.
Or, you could be the brightest one in the room and read one of my Practical Paranoia Security Essentials books, which do provide the illustrated step-by-step instructions.
You may also consider including a password policy compliance statement in your employee handbook. This way, the employee is provided very clear notice that the intent of the policy is to help ensure the security of proprietary company data as well as the privacy of the employee… And that a violation of the policy can lead ultimately to termination.
There are a few other items you may want to look at:
- Verify if the employee’s password has been compromised on the web. This is as easy as visiting https://haveibeenpwned.com, then entering the employee email address. Anywhere the password has been compromised, the employee must then change the password, as well as every other site where that same password is in use.
- I’d be tempted to have your IT person work with your employee to view all stored passwords. This will give you a good idea of what sites are using the same passwords, and then where to change the passwords.
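The four Password Policy controls named in this answer (minimum length, complexity, lifespan, no reuse), worked through as an added Python example that is not from the original answer or from any operating system's policy engine. The 15-character minimum echoes the advice later on this page; the 365-day lifespan, the history depth of 5 and all function names are assumptions.

```python
import hashlib, hmac, os, re
from datetime import datetime, timedelta

# Illustrative policy values (assumptions, not taken from any real policy).
MIN_LENGTH = 15
MAX_AGE = timedelta(days=365)
HISTORY_DEPTH = 5
CLASSES = {"upper": r"[A-Z]", "lower": r"[a-z]",
           "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}

def hash_password(password, salt=None):
    """Return (salt, PBKDF2 digest); the history stores these, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def is_reused(password, history):
    """True if password matches any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False

def check_new_password(password, history):
    """Return a list of policy violations (an empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name} character")
    if is_reused(password, history):
        problems.append("matches a previous password")
    return problems

def is_expired(last_changed, now):
    """True once the password has outlived MAX_AGE (the lifespan control)."""
    return now - last_changed > MAX_AGE

if __name__ == "__main__":
    # Constructed sample data, for illustration only.
    history = [hash_password("Correct-Horse-Battery-9")]
    for candidate in ("short1", "Correct-Horse-Battery-9", "Purple-Staple-Window-42"):
        print(candidate, "->", check_new_password(candidate, history) or "OK")
    print("expired:", is_expired(datetime(2023, 1, 1), datetime(2024, 6, 1)))
```

Keeping only salted hashes in the history lets the reuse rule be enforced without the administrator ever holding an employee's password.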
A: If you use a credit card to pay for the service, and have forgotten your password, it is routine to use your credit card number to validate your identity.
To help secure your online activities:
- Use strong passwords, with 15 or more characters.
- Use unique passwords, a different password for every site and service.
- Use a password manager to create strong passwords and to store your passwords. I’m fond of Bitwarden.
- Whenever possible, enable two-factor authentication, sometimes called multi-factor authentication. One of the reasons I recommend Bitwarden is that it can act as your 2FA utility.
A: If we are talking state actors, like CIA? Sure it can and has been done. The Pegasus malware has been in the news lately for doing just that. If you are talking hackers or high-level organized crime? There has been no evidence of it ever being done.
But, now that we have proof of concept (Pegasus), it is sure to happen sooner rather than later.
The good news is that, at least as of now, it is extraordinarily expensive to design such a tool. This is what has limited release to only very high value targets. And as soon as it was discovered, OS updates were released to block it.
A: Just an educated guess here…
Every business, to be successful, must differentiate itself from the competition.
An obvious differentiator to use is security and privacy. MS has a long history of paying little attention to security and privacy. This makes it easy for a competitor – particularly one with a history of having better security and privacy (Apple) to fill that niche.
Now with that differentiator in place, a potential buyer needs to make a decision as to what product to buy. They can weigh price, features, availability, stability, appearance, performance, compatibility, AND security and privacy.
If security and privacy are more important to the buyer than other issues, they will likely go with Apple.
A: Antivirus software typically works with your operating system. But there are a few that are specifically designed for use with browsers. As such, they are browser plug-ins or extensions. Such antivirus tools can block access to malicious websites or downloading malicious files.
My favorite is Bitdefender Trafficlight.
Keep in mind that you still need an antivirus for system protection. Again, my preference is Bitdefender antivirus.
A: You don’t. That is why they are the administrator and you are not! In any organization I support, attempting such action would be considered a breach of computer policy, with termination as the likely result.
If the user enables private browsing mode on their browser, there will be no browsing history on the computer. However, this doesn’t stop browsing history from being recorded by the office router. This cannot be bypassed. The Internet Service Provider will maintain a browsing log. This can be bypassed by using a Virtual Private Network (VPN). The DNS provider will also maintain a log. This can be bypassed by switching to a DNS provider that does not maintain logs.
Keep in mind that using a VPN or switching DNS providers is very easy for the administrator to spot.
A: Physically, easy. I suspect the majority of computers can physically outlive their owner.
Realistically, no. Apple (as well as Microsoft and other vendors) will continue to provide system updates for 5–7 years. Once your computer is too old to receive system and application updates, it is HIGHLY vulnerable to malware and breach.
This puts useful lifespan to around 5–7 years.
An unasked question is: is it worth it to keep a computer 10 years?
If the computer is used in a business or otherwise to make money, I don’t see a way for an older computer to be profitable, or “worth” keeping around. Around 15 years back I created a program that calculated the cost/benefit of a computer versus purchasing a new computer. I used this to provide hard numbers to clients. In almost every case, if the current computer was two years or older, it was the more responsible choice to replace it with a new computer. In addition to getting a new sparkly, the company almost completely eliminates technical support costs, has little to no support-related downtime, no need to pay for extended warranty, and the user can be more productive.
If the computer is not used for business or to make money, and the user doesn’t mind operating in the slow lane, as long as the computer receives OS and app updates, go for it.
A: A Google Doc is just an HTML file, like a web page. Primary protection is in the form of permissions protection. Be specific about who has access, and what permissions they have.
Second, having a viable backup is critical to protect against corruption, change, or deletion. For this, you need a cloud backup of your document. There are several internet providers that specialize in this, such as Backupify and SpinBackup. Yup, you will be using an internet service to back up your internet files! A local backup will be of little use.
Another option is to download your Google docs in either .pdf or Microsoft Office format.
A: It is vital to back up all of your data in case the original becomes damaged, corrupt, or deleted. To protect your data you must have AT LEAST one local and one remote backup.
A local backup is typically saved to an external hard disk drive or flash drive. You will need a drive with at least four times the capacity of the data to be backed up. This is to allow for growth as your files are edited and additional files are created. The drive needs to be encrypted. This can be done with Time Machine or Disk Utility (macOS), or Bitlocker (Windows).
The remote backup can be a drive like the local backup, but stored off-site. In many cases a better alternative is to use online backup. This can be done with Google Drive, Microsoft OneDrive, or one of the dozens of commercial internet backup tools.
I receive at least one question every day regarding how to secure email communications. People are legitimately concerned that their email may be seen by crazy ex-boyfriend/girlfriend/gender-neutral lover, boss, rivals, or government.
Let me put your minds at rest. There is no doubt your email is being seen by others, and most likely the exact people you don’t want to see your emails.
Email technology was built when information wanted to be free. No security safeguards were built into email. To this day, any email that offers hardened, end-to-end encryption is more Frankenstein than well-crafted code.
The solution is to grow away from email for secure communications. Sure, email is still useful in the same sense that postcards are useful. But for anything that is sensitive, proprietary, secretive, use a technology that is free, easy to use, and built from the ground up to be secure.
There are several Instant Message tools available that fit these criteria perfectly. The two leaders are Signal and Wire. I use both, but am partial to Wire because:
- Free (for-fee for business)
- Military-grade end-to-end encryption
- Voice, instant message, and video conferencing all available in one app.
- Messages can self-destruct after a user-specified time frame.
- Group IMs and calls.
Give Wire a try. In less than 15 minutes you will have a most powerful communications tool that knows how to keep its mouth shut.
Q: Why can’t you trust people with your phone?
A: Your phone contains your private data, possibly sensitive business information, passwords, credit card information, banking information, a record of all calls, website visits, very possibly a map of your movement/travels over the past x months.
Do you want this information freely available to someone? Even if trustworthy?
Then there is the problem with trustworthiness. How many times have you seen people who appear to be good, do bad things? I’ve seen good friends prank other friends putting malware on their systems. And then there is the occasional sociopath.
You may not have any incriminating data on your phone, but there are things that are better left private. Think using the bathroom – nothing going on there that everyone else isn’t doing. But do you want a webcam pointed at your toilet?
Ok. For some of my readers that isn’t a good example…
Q: How can I make a home wireless network that only I can detect? I don’t want my close neighbors to see it’s there.
A: Although you can disable SSID (the name of your network) visibility, any 8-year-old with 5 minutes of free time will figure out how to view invisible networks.
The only real way to do so is to turn your living space/apt/home into a Faraday cage. Not as hard as you may think. There is wall paint available that creates a Faraday cage – blocking electromagnetic waves from penetrating your walls. You will need to shield your windows as well. A bit of web search will find how to do both.
Another option that may be easier – do away with the wifi. Instead, use ethernet throughout your home. Although the ethernet cable puts out a readable electromagnetic wave, it takes more sophistication than the average neighbor to read it. And if that is a concern, add a RADIUS server to your network. This will strongly encrypt all network traffic.
Q: What other options do I have in protecting my network if I remove my firewall because my firewall is slowing down my entire network?
A: A firewall can be located on your computer (part of the OS), or between your local area network and the internet. It is typically built into the modem/router provided by your broadband provider.
The one on your computer would not impact network performance for anyone – including yourself. It simply filters what is allowed into your computer.
I’ll assume you mean that your network firewall is slowing down internet speeds. Older style network firewalls can have an impact on internet speeds, but not on local area network speeds.
There are a few fixes:
- If you have an older firewall, replace it with a new stateful packet unit. These do not slow down internet access like the older rule-based firewalls can.
- You may be using an inexpensive, low-speed firewall. Same story – replace with a new stateful packet unit.
- If your firewall includes intrusion detection or intrusion protection systems, these may need to have their settings modified so that they don’t have as many rules to filter by. This would best be done by an IT professional to ensure the security of the network isn’t degraded in the process.
Q: How is ProtonMail encrypted?
A: ProtonMail uses PGP encryption. This end-to-end encryption protocol is highly secure, and prevents even ProtonMail from reading your mail.
ProtonMail is one of the very best solutions for those demanding the highest security for their email communications.
Q: Is my ISP spying on me? If yes, how can I prevent them?
A: It is almost certain that they are.
Not like they have a person on the payroll to spy on your activities specifically, but virtually all ISPs (ALL in the USA) log your activity, and most (if not all) sell this to marketing firms, so that the marketing firm can better target advertising to you. In the US it is a requirement so that government authorities can monitor the activities of criminals, suspected criminals, ex-spouses, current lovers, and anyone else they care to harass.
What to do about it? Get a quality (not a free or inexpensive) VPN service with DNS Leak Protection, and then use it full time while on the internet. My current recommendation is NordVPN.
A: There are services available that can do this. Virtru is one we use.
However, standard email and email software don’t permit this.
Q: How effective is a ClamAV as a malware removal tool?
A: There isn’t a good way to answer this question. To do so would require analysis by an independent antivirus testing facility.
The ones we monitor do not include ClamAV in testing. Perhaps there is one, but I haven’t ever seen it.
So, without testing and validation, it’s not possible to know how well it works, and what performance degradation it introduces. Why would one use something so important to security and privacy?
Instead, I recommend only using Bitdefender (Bitdefender Gravity Zone for business use).
Q: How do I know if the primary person on my iPhone account is hacking into my phone?
A: Can they “hack” your phone? Not unless they have a spare $15,000-$1M US hanging around, or they know your PIN. However, if you have jailbroken the iPhone, all bets are off. By definition, you have removed all security from your device.
But… you state “the primary person on my iPhone account”. Normally, the “primary person” is the owner of the account, and possibly the phone itself. If this is the case, it is not “your” phone or account, it is theirs. This may give them access to the Find My iPhone feature in iCloud to track the location of the phone. In the case of a business phone, they may have the legal right to full access.
Q: How can I tell if my Mac has been compromised if my firewall was not turned on?
A: A firewall is only a small part of an overall penetration/compromise prevention program.
In the case of macOS, the firewall isn’t terribly vital. With the firewall off, you would still require an active process (application) waiting for and responding to commands coming in from outside the computer. If you have file sharing, screen sharing, remote login, remote management turned off in the Sharing System Preference, you probably don’t have any apps that can respond to criminal attempts to gain access.
But back to the question: how can I tell if my MacBook Pro has been compromised? Someone who does quality hacking won’t be seen. You would need to pore over the system logs to even have a chance of noting their work. Someone who is not highly skilled will usually leave your system unstable, or visibly changed.
Q: Is it possible to hack a large number of adult sites hosted all over the world and take them down?
A: In order for this to be possible, all of the sites would need to be running on the same operating system, using the same web server software, so that they would all be subject to the same vulnerability. In addition, the vulnerability would need to be a zero-day attack – a vulnerability that the software developer did not know existed. And even if all the stars lined up to allow this to happen, a patch for the vulnerability would be crafted in hours, if not minutes, and the sites would be back up and running within hours using backups.
All that being said, not only is this cybercrime, but for most of the developed countries, and most certainly in the USA, it is cyberterrorism. The criminal hacker would most certainly be put away in a very unpleasant place for a non-trivial amount of time, their life savings vaporized in a failed attempt to defend against the legitimate charges, and should they ever be released from that dark place, would likely never be allowed to use a computer again.
All because of their questionable moral high ground.