This has been the assumption within the IT security community ever since voice-response devices hit the market. I have long found the behavior of Apple’s Siri to be suspect. For example, I may provide Siri with a full paragraph of spoken content, and then watch as Siri enters text, removes some text, enters some more text, edits text, and then completes the paragraph. This is not the action of AI, but of a human translator.
In the case of Siri, it can be disabled on both iOS and macOS devices. It is different with Amazon Echo devices. Without voice response, they serve little purpose or value.
For me, personally, I’m leaving my Echo devices (8?!) unplugged until needed.
A: If you are talking about absolutes, no. However, you can dramatically reduce the chances of compromise when opening email:
Use an email provider that pre-scans your mail for malicious content. This is one reason I favor Google: all incoming email is scanned by more than a dozen leading anti-malware engines before it reaches you.
Install quality anti-malware software and keep it updated. I’m fond of Bitdefender GravityZone. It updates itself hourly and is consistently among the top three products in its category.
Enable application whitelisting. With this active, only applications you have approved can launch/execute/open. Since malware isn’t on your list, it simply cannot run and cause problems. The trade-off is that every new or updated legitimate application also has to be approved before it will run, so plan for that before turning it on.
As reported on TechCrunch January 29, 2019, it appears that as bad as we thought Facebook to be, it has the resources to be far worse.
Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms.
Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits, and it has no plans to stop.
When Guardian Mobile Firewall’s security expert Will Strafach was asked to dig into the Facebook Research app, he told us that “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.” It’s unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user’s device once they install the app.
Read the original report for more information on all of the apps Facebook is using, and how it is in direct conflict with Apple’s developer rules. The mechanism the quote describes is the standard enterprise one: a VPN profile routes all of the phone’s traffic through Facebook, and a root certificate the user is asked to install lets that proxy decrypt TLS connections. That is why “root access to network traffic” means reading the contents of your sessions, not just their destinations.
As reported January 17, 2019 on ZDNet (https://www.zdnet.com/article/some-android-gps-apps-are-just-showing-ads-on-top-of-google-maps/), 19 Android apps have been found to be nothing more than junk getting in your way.
All of these apps do the same thing–add an advertising layer on top of Google Maps. At least one even has the gall to request payment to remove the ads in Google Maps–ads that wouldn’t exist except for that app itself!
If you have any of these apps installed on your Android device, remove them ASAP. The problem apps include:
Build and expand your network with Ubiquiti Networks® UniFi® Switch, part of the UniFi line of products. The UniFi Switch is a fully managed, PoE+ Gigabit switch, delivering robust performance and intelligent switching for growing networks.
Lucky you, Santa left some IT goodies under our tree!
Ubiquiti UniFi Switch 16 150W SN: 788A20FD84B9 New, in box. The UniFi® Switch delivers robust performance over its 18 independent switching ports. Two SFP ports offer optical connectivity, and 16 Gigabit Ethernet ports offer 802.3af/at PoE+ or 24V passive PoE sharing a total of 150W PoE.
A: An insecure network is an insecure network – regardless of the physical or geographical location.
How unsafe it is depends on your definition.
The biggest issue is the real possibility that your network traffic is being watched. On an open (unencrypted) Wi-Fi network anyone in range can capture the traffic, and on any shared network the operator can. Any username, password, or other sensitive information you enter on a page that is not using https may be viewable by some creep in or near the library.
If you are using your own computer, the workaround is to use a VPN service. This encrypts all of your internet traffic between your device and the VPN server, whether the local network is secured or not. I’m fond of NordVPN.
If you are using the library’s computer, you won’t be able to install software, so a VPN client and Tor are not available to you. The only alternative is to ensure that whenever you need to enter sensitive information, the web page is encrypted. This displays differently in different browsers, but you will either see a lock icon in the address field, or the URL will start with https instead of http. Check the site name in that URL as well: the lock only proves the connection is encrypted to whoever runs that domain, not that the domain is the one you meant.
A: Sorry, that is simply not possible. Current US Government guidance for strong passwords calls for a minimum of 15 characters (NIST SP 800-63B itself sets a floor of 8 characters and asks that passwords of at least 64 be accepted; 15 is the stricter figure used in several federal and DoD baselines). Our brains would have a tough time remembering just five such passwords, much less a different password for every website.
The easy solution is to use a password manager to automatically create, store, retrieve, and enter these monsters. I’m fond of LastPass. Super easy, automated, integrates with Android, iOS, macOS, Windows, all major browsers, encrypts passwords at the device, shares the password database among all of your devices, and with the for-fee version, you can share designated passwords with family or staff.
A: This is a topic that books are written about (several by yours truly). Much depends on how high a value target you are (if the NSA is interested in you, good luck), and what you need to use the internet for.
But here is a list to get started:
Use a quality VPN service that also offers Tor within their system. I’m fond of NordVPN, which, among its hundreds of servers, has some that provide Onion over VPN. This is the industry-standard “belt-and-suspenders” strategy to anonymize your web activities: your ISP sees only the VPN connection, and the Tor exit never learns your real address. Two caveats: the VPN provider does know you are using Tor, and because you are still in your everyday browser rather than Tor Browser, website fingerprinting works as usual.
Use a secure email system. I’m fond of ProtonMail. ProtonMail uses OpenPGP to encrypt your mail end-to-end between ProtonMail accounts (and to outside addresses when you use a password-protected message or the recipient’s PGP key), so even ProtonMail administrators cannot read the message body. Subject lines and headers are not end-to-end encrypted, and mail to an ordinary address travels as ordinary mail.
Run an unmodified version of the Tails operating system. This can be installed on and run from a thumb drive on any Linux, macOS, or Windows computer. Tails routes everything through Tor, leaves nothing on the computer’s own disk, and gives every Tails user the same browser fingerprint, so your computer cannot be singled out. It includes hardened versions of a web browser (Tor Browser), an instant messenger, and email software.
With more than 40 million malware samples in circulation waiting to harvest, corrupt, or encrypt your data, anti-malware software is an essential addition on every operating system. The only anti-malware product we currently recommend is Bitdefender GravityZone for Business.
Starting January 1, 2019, computer users who have the MintzIT version of Bitdefender GravityZone installed will see some much anticipated changes. These can be seen when opening the application:
On-Access. This has always been active. This indicates your anti-malware (anti-virus, anti-trojan, anti-ransomware) is active and scanning every file that is opened.
Traffic Scan. This has been newly added this year. Traffic Scan examines all incoming and outgoing traffic for any malicious code. If it is found, it is blocked from taking any action.
Antiphishing. This has been newly added this year. This feature examines every website visited. It prevents users from inadvertently disclosing private or confidential information to online fraudsters. Instead of the phishing web page, a special warning page is displayed in the browser to inform the user that the requested web page is dangerous.
We have extended protection to other types of scams besides phishing. For example, websites representing fake companies, which do not directly request private information, but instead try to pose as legitimate businesses and make a profit by tricking people into doing business with them.
If you find that a legitimate website is being blocked by Bitdefender, please call our office 505.814.1413, and we can whitelist the site.
If you don’t currently have Bitdefender protecting your computers, this is a great time to do so. MintzIT will install Bitdefender GravityZone for a yearly subscription of $36 per computer, plus $37.50 installation labor fee. Call 505.814.1413 x 1 and we will perform the installation while you call!
It is visible to the front desk staff, management, and leadership – almost all of it in unencrypted form.
Unless you are staying at some shady facility, the hotel will require a driver’s license or other government ID in order to reserve a room. With your state-issued ID in hand, your information is monetized when sent to the hotel ownership (some other multinational corporation) for sales and marketing.
It is likely sold to other advertisers.
Not to mention that local, state, and federal law enforcement have free access to this information.
All. That. Said…
If one thinks they have to concern themself with security and privacy at the level of hotels, it’s time to wake up! They are several blocks back in the line of people and organizations sniffing through your data.
A: If someone came to you asking for $1000, the keys to your car, and your credit card, you would probably want to know what they were using them for. Not so different for your school and work.
When you are at school or work, you may be using their computers, software, hardware, network, or broadband. These are valuable resources that must be shared among all users.
Imagine if a few people decided to watch streaming 4K movies using these resources. Each 4K stream can take up to 15 Mbps of bandwidth. If the school or workplace has a 50 Mbps Internet connection, three people streaming use 45 of those 50 Mbps and choke out all other use.
There is a darker side to this issue as well. Schools and workplaces have a legal responsibility to ensure their resources are being used – for lack of better phrasing – for good, and not evil. If a student or employee is conducting illegal activities using the school or work resources, everyone gets caught up in the legal process.
A: According to NIST (one of the federal groups tasked with creating best practices for cybersecurity), in its SP 800-63B digital identity guidelines, there is no longer any recommendation to age passwords. In fact, NIST now says verifiers should not force periodic changes at all, because forced rotation pushes people toward weaker, predictable variations of the old password. That doesn’t mean you can’t still do so, just that it is no longer recommended.
The recommendations for passwords are:
Use a different password for every site and service.
Use only strong passwords – defined here as 15 characters or more. (NIST’s own floor is 8 characters; it favors length over complexity rules and asks that new passwords be checked against lists of known-breached passwords.)
Use 2-Factor Authentication whenever it is available.
If an account has been compromised, change the password.
I can hear that voice in the back of your head screaming, “A different password for every site, and a minimum of 15 characters? No way I can remember these!”
Life is far too precious to waste any time remembering passwords. Instead, let technology do it for you with a Password Manager. I’m fond of https://www.lastpass.com. Let the Password Manager create your passwords, remember your passwords, and auto-enter your passwords.
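As an added example (not part of the original article, and not code from NIST or LastPass), here is what the password rules above look like when a verifier actually enforces them, plus what a password manager does when it generates one for you. The 15-character minimum is this article’s figure; the breached-password list is a tiny constructed stand-in for a real corpus such as Have I Been Pwned’s, and the `secrets` module is the OS cryptographic random source.

```python
"""Added example: an SP 800-63B-style password checker and generator.

Assumptions (mine, not the article's): MIN_LENGTH is the article's 15; the
breached list below is constructed for illustration, standing in for a real
corpus such as the Have I Been Pwned "Pwned Passwords" SHA-1 list."""
import hashlib
import math
import secrets
import string
import unicodedata

MIN_LENGTH = 15   # the article's recommendation; NIST's own floor is 8
MAX_LENGTH = 64   # NIST: verifiers SHOULD accept at least 64 characters

# Constructed stand-in for a breached-password list (compare by SHA-1, as
# the real Pwned Passwords corpus is distributed).
_BREACHED = {"password123456789", "correcthorsebatterystaple", "qwertyuiopasdfghjkl"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in _BREACHED}


def normalize(password):
    """NIST asks verifiers to Unicode-normalize (NFKC) before hashing, so the
    same passphrase typed on different keyboards compares equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password, context=()):
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent, per SP 800-63B: composition rules ("one digit, one
    symbol"), password hints, and any expiry date."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a breached-password list")
    # NIST also rejects context-specific words: user name, service name, etc.
    lowered = pw.lower()
    for word in context:
        if word and word.lower() in lowered:
            problems.append(f"contains context word {word!r}")
    # Repetitive strings are the other class NIST says to block.
    if len(set(pw)) <= 2:
        problems.append("repetitive characters")
    return problems


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20):
    """What a password manager does for you: a uniformly random string drawn
    from the OS CSPRNG via `secrets` (never the `random` module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correcthorsebatterystaple",
                      "the library closes at 9:45 on tuesdays"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
    pw = generate_password()
    print(f"generated: {pw} ({entropy_bits(len(pw)):.0f} bits)")
```

The point the numbers make: a 20-character manager-generated password carries about 131 bits of guessing entropy, while the classic "complex" `Tr0ub4dor&3` is rejected on length alone and a well-known passphrase is rejected because it is in the breached list, however long it is.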
As reported in the December 4, 2018 SpreadPrivacy.com article, when performing internet searches using Google, the results were personalized for the user even when logged out of the user’s Google account, and when in Incognito Mode.
The bottom line is that Google is using identifiers other than Google account login to identify users when searching. This can be easily done using the digital fingerprint of the device.
To be fair, Google will tell you that personalizing search results is a feature of Google search: based on each user’s search and browsing history, Google filters and prioritizes results to best match the world view and preferences of the user. For example, if you browse politically conservative websites, when performing searches of a political nature you are likely to see links to articles more favorable to the conservative perspective than would someone who browses liberal websites.
Up until now, it was assumed such search filters were in effect only when logged in to one’s Google account. That is now known to be incorrect.
If, as Google believes to be true, you prefer having your internet searches filtered so they better align with your world view, then you need do nothing!
However, if you would prefer to have a more accurate view of the world through internet searches, there are a few steps to take:
Stop using Chrome as your web browser. Replace it with Firefox, Brave, or Safari. These three browsers do not report your browsing to an advertising company (every browser keeps a local history, which you can clear).
Replace your default search engine with DuckDuckGo (DDG). DDG doesn’t monitor or record your search or browser history. It pulls results from multiple sources (Bing and its own crawler among them), eliminates duplicates, and presents the results without personalization.
Firefox: Visit https://duckduckgo.com, and then follow the on-screen instructions.
Safari: In Safari Preferences, set the default search engine to DuckDuckGo.
Brave: In Brave Settings, set the default search engine to DuckDuckGo.
Replace your default DNS provider. DNS is what translates https://websitexyz.com to an IP address your computer knows how to find. Whoever runs your DNS resolver (by default, your ISP) sees the name of every site your devices visit, and many resolvers record that and sell it. Use a DNS provider that does not do this. The two most popular are Cloudflare (1.1.1.1, 1.0.0.1) and OpenDNS. Note that plain DNS still travels in clear text across the local network, so on a hostile Wi-Fi network this change alone is not enough; DNS over HTTPS or DNS over TLS (both offered by Cloudflare) closes that gap.
Cloudflare: Cloudflare may be the world’s fastest DNS service. Until recently it had been our go-to solution, and I still consider it excellent. However (gotta hate those “howevers” in life), it appears to be going through some growing pains at the moment, resulting in occasional failed service. Go to your Network Settings, delete the current entry for DNS, and replace it with 1.1.1.1 and 1.0.0.1.
OpenDNS: OpenDNS is the great granddaddy of third-party DNS services. In addition to their free service, their for-fee services allow filtering of content (OpenDNS, now part of Cisco, keeps query logs for that purpose). Go to https://www.opendns.com, sign up for a free account, and then go to your Network Settings, delete the current entry for DNS, and replace it with 208.67.222.222 and 208.67.220.220.
Block Web Trackers. Most commercial websites use web trackers. These monitor all of your activity on the site. This information may be used exclusively by the website, but is more likely to be sold to advertisers (including Google). It is best to block web trackers. My preference is to use the Ghostery browser extension.
Brave, Firefox, and Safari: Open your browser to https://www.ghostery.com. Follow the on-screen instructions to download and install the Ghostery extension. Once installed, select the Ghostery icon to configure settings.
Obfuscate Digital Fingerprint. By continuously changing your digital fingerprint, or by forcing your digital fingerprint to look generic, it becomes difficult or impossible for websites and web trackers to know who you are or to follow your browsing history.
Safari: Safari (macOS 10.14) presents websites with a simplified, generic system configuration. Nothing you need to do.
Brave and Firefox: Installing Ghostery in step 4 above removes the trackers. For the fingerprint itself, turn on Brave’s Shields setting that blocks fingerprinting, or set Firefox’s privacy.resistFingerprinting preference to true in about:config, so your browser reports the same generic values as everyone else using that protection.
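To make the “generic fingerprint” idea concrete, here is an added example (mine, not from the article or from any browser vendor) of how a tracker turns readable browser attributes into an identifier, and why reporting coarse, shared values defeats it. The visitor population is constructed for illustration; the metric is the one EFF’s Panopticlick study used: a fingerprint shared by k of N visitors reveals log2(N/k) bits about you. The same point recurs under “Trackers and Fingerprinting” later on this page.

```python
"""Added example: browser fingerprints, anonymity sets, and genericizing.

The VISITORS population and the generic values are constructed assumptions
for illustration, not measurements."""
import hashlib
import math
from collections import Counter

ATTRIBUTES = ("user_agent", "screen", "timezone", "fonts", "plugins")

# Constructed sample population, one tuple per visitor, in ATTRIBUTES order.
VISITORS = [
    ("Safari/12.0 Mac", "2560x1600", "UTC-7", "std", "none"),
    ("Safari/12.0 Mac", "2560x1600", "UTC-7", "std", "none"),
    ("Safari/12.0 Mac", "1440x900", "UTC-5", "std", "none"),
    ("Firefox/64 Win", "1920x1080", "UTC-7", "std+Calibri", "Flash"),
    ("Firefox/64 Win", "1920x1080", "UTC-5", "std", "none"),
    ("Chrome/71 Win", "1920x1080", "UTC-5", "std", "Flash,PDF"),
    ("Chrome/71 Win", "1366x768", "UTC-5", "std", "Flash,PDF"),
    ("Chrome/71 Linux", "3840x2160", "UTC-7", "std+Fira,Noto", "PDF"),
]


def fingerprint(attrs):
    """Hash the readable attributes the way a tracker does: a stable ID that
    needs no cookie and survives clearing history."""
    return hashlib.sha256("|".join(attrs).encode()).hexdigest()[:16]


def anonymity_sets(visitors):
    """Map each fingerprint to the number of visitors who share it (k)."""
    return Counter(fingerprint(v) for v in visitors)


def identifying_bits(attrs, visitors):
    """Surprisal of one visitor's fingerprint within the population:
    log2(N / k). A fingerprint nobody else has is as identifying as unique."""
    k = max(anonymity_sets(visitors)[fingerprint(attrs)], 1)
    return math.log2(len(visitors) / k)


def attribute_entropy(visitors, index):
    """Shannon entropy of one attribute column: which readable value leaks
    the most identifying information across this population."""
    counts = Counter(v[index] for v in visitors)
    n = len(visitors)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def genericize(attrs):
    """What Tor Browser/Tails (and, to a degree, Safari) do: report coarse,
    shared values so an attribute no longer separates users. The bucketing
    rules here are assumed; real implementations pick common-denominator
    values (Tor Browser reports UTC and a fixed window size, for instance)."""
    ua, screen, _tz, _fonts, _plugins = attrs
    family = ua.split("/")[0]                      # "Firefox/64 Win" -> "Firefox"
    width = int(screen.split("x")[0])
    size = "large" if width >= 1900 else "small"   # coarse screen bucket
    return (family, size, "UTC", "std", "none")    # tz, fonts, plugins suppressed


if __name__ == "__main__":
    generic = [genericize(v) for v in VISITORS]
    for i, v in enumerate(VISITORS):
        print(f"visitor {i}: {identifying_bits(v, VISITORS):.1f} bits raw, "
              f"{identifying_bits(genericize(v), generic):.1f} bits generic")
    for idx, name in enumerate(ATTRIBUTES):
        print(f"{name:>10}: {attribute_entropy(VISITORS, idx):.2f} bits of entropy")
```

Visitors 3 and 7 are each unique in the raw population (3 bits, fully identified out of 8); after genericizing they share a fingerprint with someone else, and their anonymity set size k can only grow as more people adopt the same protection. Note that Ghostery-style tracker blocking does not change these numbers at all; only changing what the browser reports does.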
These are just the tip of the iceberg for online privacy. Want to fully secure your computer, data, and identity? The Practical Paranoia Security Essentials books have been the #1 best-selling and easiest to follow DIY cybersecurity series for over 5 years! Available now at 50% discount for our online Live! edition.
A: NIST SP 800-171 is a best-practices document, something like a checklist on steroids, formally titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It is created and produced by NIST (National Institute of Standards and Technology), one of the two federal teams charged with helping to ensure cybersecurity. The other is US-CERT (United States Computer Emergency Readiness Team).
NIST is governed by the U.S. Department of Commerce. US-CERT is governed by the U.S. Department of Homeland Security.
There is a core problem with cybersecurity–how do you know you are doing the proper things, in the proper way, to the proper degree to help ensure (note this is not guarantee) you, your family, and your organization cybersecurity and privacy?
NIST has developed best practices that standardize these questions and organized them into the SP 800-171 document. The document states the requirements but does not prescribe the answers. This may lead to some head-scratching, but it makes sense because every IT environment is different. It becomes your job (or the job of your IT or Security Department) to figure out how to answer and resolve those requirements.
This document has become a de facto standard for both cybersecurity and privacy. It is mandatory for federal and military contractors that handle Controlled Unclassified Information (for DoD contractors, through DFARS clause 252.204-7012), and its control families are widely mapped onto what HIPAA-covered entities (health care organizations), SEC-regulated firms (finance organizations), and many others must do. If your organization isn’t using this document or one like it, it is almost certain your cybersecurity and privacy are lacking, and you may be held legally and financially liable in the event of client data leakage.
By working through and answering the 800-171, your IT group has documented its due diligence in protecting your IT infrastructure.
Which, since the document doesn’t provide any guidance to solutions/answers, is where MintzIT comes to the rescue! We have been providing full-service IT consulting to all of New Mexico for 32 years, and are authors of 13 best-selling cybersecurity books, making MintzIT the perfect solution to ensuring your cybersecurity and privacy.
Attached you will find a copy of the NIST SP 800-171. Listed below are a couple example resolutions to the questions.
3.1 ACCESS CONTROL
3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
All data stored on Google G-Suite, with access restricted to authorized users using strong passwords and 2-Factor Authentication.
Accessing company data permitted only on company computers that have passed monthly security audit.
Access to local computers and data restricted to authorized users using strong passwords and 2-Factor Authentication.
Local computers are full-disk encrypted (FileVault 2 on macOS, BitLocker on Windows 10 Pro).
Local computer security protected with ASAP OS and application updates.
Local Area Networks secured with Stateful Packet Inspection firewall at both the router and local computer.
Local Area Network security protected with ASAP firmware updates for modem, router, switches, and wireless access points.
Mobile Device access to data on Google G-Suite restricted to authorized users via minimum 6-digit PIN.
Mobile Device access protected with erase after 10 failed PIN attempts.
Mobile Devices with access to data are protected with hardware encryption.
Mobile Device security protected with ASAP OS and app updates.
Mobile Device security is locked down with Mobile Device Management, preventing end-user from performing any system or application modifications.
3.3 AUDIT AND ACCOUNTABILITY
3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
Google G-Suite for Enterprise is used for all data, it provides audit records.
Google G-Suite for Enterprise is used for all data, it provides for data loss prevention.
Spinbackup is used; it provides third-party data loss prevention, giving a snapshot-based backup of all G Suite data (email, calendar, contacts, Drive files).
For most of us, almost all of our time on the computer is spent in a web browser. This time is so very valuable to advertisers that Google reportedly paid Apple about $9,000,000,000 (yes, 9 billion dollars) in 2018 just so that Google is the default search engine in Apple’s Safari.
Why is your web activity so incredibly valuable? Because by watching in literally microscopic detail what you search for, what you spend time looking at, and how you look at it creates a detailed profile of who you are. Google – as well as the other search engines – is able to predict your likes, dislikes, sexual preferences, and behaviors with far greater accuracy than anyone in your inner circle.
All of which allows advertisers to perform targeted marketing with laser precision.
Which by itself isn’t necessarily a bad thing. What may be a bad thing is that this data is for sale to those other than in advertising. The most glaring example is what was done with your Facebook data in 2015-2016 once it made it into the hands of Cambridge Analytica.
If you aren’t already thinking What can I do about it?, may I recommend skipping the rest of this article and go back to watching cat videos.
There are many strategies to anonymizing or cloaking your web activities. How much and what to do depends on what your idea of balance between security and PITA looks like.
Tor. For those requiring the very highest level of anonymizing and cloaking, switching to Tor Browser is step 1. With Tor in use, your web traffic is relayed through three Tor nodes, each of which knows only the previous and the next hop, before reaching the target web site or service; no single node sees both who you are and where you are going. The trade-off is a non-trivial performance hit. Because of this, Tor is not for everyone.
VPN. A Virtual Private Network is a service that provides fully encrypted communications between your computer/mobile device and the VPN server. From there the traffic continues to the target web site or service, encrypted only if the site itself uses https. This stops anyone snooping on your local network, and your internet service provider, from discovering what you are doing. It does, however, give your VPN provider the ability to see it all. This is why it is vital to select a quality VPN provider. I’m fond of NordVPN and Perfect Privacy.
DNS. The Domain Name System is the internet service that translates the English name of a site to the actual server address. Whoever runs your DNS resolver (by default, your ISP) sees, and most likely records, every site your device visits. To prevent this, use a DNS service that respects your privacy. I’m fond of Cloudflare. To do this, simply change whatever your current DNS settings are to use the Cloudflare servers – 1.1.1.1 and 1.0.0.1. Plain DNS is still sent in clear text, so turn on Cloudflare’s DNS over HTTPS (Firefox offers it in its network settings) where you can.
Search Engine. By default, about 90% of us use Google as the search engine. And in case you have been sleeping in class, Google has become one of the world’s most profitable corporations by selling advertising targeted with your search information. No worries! Just change your search engine to DuckDuckGo. Not only does DDG not track or record your searches, it is also an excellent search engine. DDG submits your search criteria – anonymously – to multiple sources (Bing and its own crawler among them) and compiles the results for you. To make DDG your search engine, open your browser to https://duckduckgo.com and follow the on-screen instructions.
Browser. DDG takes care of your searches, but if you are using Google Chrome or Microsoft Edge, they are reporting on your travels as well. Best to use a browser that doesn’t tattle on you. Brave is excellent, as are Firefox and Safari.
Trackers and Fingerprinting. Most commercial sites now use trackers. Trackers watch your every move on a site, and then continue to follow you to each subsequent site. You can stop trackers by installing an anti-tracker browser plug-in such as Ghostery. Just visit https://ghostery.com and then follow the on-screen instructions. Blocking trackers removes the cookies and scripts that follow you; the fingerprint itself (screen size, fonts, time zone, and the like) is reduced by the browser’s own protection, such as Brave’s fingerprinting shield or Firefox’s privacy.resistFingerprinting setting, which makes your device look like every other device using that protection.
Malicious Sites. As more computers have anti-virus software installed, criminal hackers are turning to compromising websites, which in turn send the data they harvest from you to the criminal. To help block such sites, install a browser plug-in from the anti-virus developer Bitdefender called TrafficLight. Once installed, when visiting a known malicious site, TrafficLight will block the site from loading and present a warning message. You then have the option to continue to the site or back away.
Up-To-Date Browser. Browsers play the cat-and-mouse game with criminal hackers, trackers, and advertisers by continually updating their software. Although most browsers are designed to auto-update, that process fails more often than developers admit. If using Chrome or Firefox, you can force an update by opening the browser’s About… menu. Brave is updated from its Check for Updates… menu. Edge and Safari are updated as part of routine OS updates.
https. When connecting to a website using http://xyz.com, all communication between your device and the site is sent in clear text. Any snoop between your computer and the site is able to see everything. When connecting using https://xyz.com, all communication is encrypted. Snoops can still see which site you connected to (the name is visible in the DNS lookup and the TLS handshake), but cannot see the pages or the data. Not all sites have upgraded to https. For those that have, installing the HTTPS Everywhere plug-in will force https even if you typed http.
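Both DNS passages on this page (the “Replace your default DNS provider” step above and the DNS item here) rest on one fact: an ordinary lookup is a clear-text UDP packet that anyone on the path can read. As an added example (mine, not code from the article, Cloudflare, or any vendor), the block below builds a DNS query in the RFC 1035 wire format, then parses a constructed “captured” query and reply the way a snoop on the café Wi-Fi or at the ISP would, pulling out every queried name and answer. The last function sends the identical bytes inside TLS using Cloudflare’s DNS-over-HTTPS endpoint (RFC 8484); it needs network access and is not exercised in the offline demo.

```python
"""Added example: what an on-path observer sees in clear-text DNS, and the
DNS-over-HTTPS alternative.

Assumptions: the sample packets are constructed (not a real capture); the
DoH URL is Cloudflare's public resolver; send_over_doh() requires network."""
import struct
import urllib.request

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, txn_id=0x1234, qtype=QTYPE_A):
    """Encode a standard recursive query: 12-byte header, QNAME as
    length-prefixed labels ending in a zero byte, then QTYPE and QCLASS."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(packet, offset):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the packet)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def names_in_packet(packet):
    """What a snoop extracts from each port-53 datagram: the transaction ID,
    whether it is a reply, every queried name, and any A-record answers."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    queried = []
    for _ in range(qd):
        name, offset = decode_name(packet, offset)
        queried.append(name)
        offset += 4                          # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txn_id, "response": bool(flags & 0x8000),
            "queried": queried, "answers": answers}


def send_over_doh(query, url="https://cloudflare-dns.com/dns-query"):
    """The same wire-format bytes carried inside TLS (RFC 8484 POST), so only
    the resolver sees the name. Needs network; not called offline."""
    req = urllib.request.Request(
        url, data=query, method="POST",
        headers={"content-type": "application/dns-message",
                 "accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


# Constructed reply to build_query("example.com"): same ID, QR/RD/RA set,
# one A answer whose name is a compression pointer (0xC00C) to the question.
CAPTURED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
    + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("query on the wire:", q.hex())
    print("snoop sees query :", names_in_packet(q))
    print("snoop sees reply :", names_in_packet(CAPTURED_RESPONSE))
```

Changing the resolver address to 1.1.1.1 changes who answers, not the fact that these 29 bytes cross the local network readable by anyone; only `send_over_doh()` (or DNS over TLS) takes the name out of view of the café, the hotel, and the ISP.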