IMMEDIATE ACTION REQUIRED: CRITICAL VULNERABILITY IN LINKSYS, MIKROTIK, NETGEAR, QNAP, AND TP-LINK DEVICES

When the Department of Homeland Security makes a public cybersecurity announcement, we should all wake up, listen, and pay heed. This is one of those times.

Update: Thursday, May 24, 2018.

As reported in The Beast, the FBI claims to have found the key server responsible for penetration and compromise of over 500,000 routers. The server is linked to the Russian criminal hacker group Fancy Bear. This is the same group that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election.

With the seizure of the server by the FBI, the compromised routers are no longer being “controlled” by the server. As such, performing a power cycle (power off, wait a minute, and then power on) will clear the malicious code from memory (stage 2 and stage 3 of the malware). For those devices with stage 1 present (infection of the firmware), the power cycle will not clear the code. It is recommended to upgrade any machines that are on the compromised models’ list to remove the malware. However, as the server is no longer issuing instructions or harvesting data, the risk of data harvest is dramatically reduced. The risk of instability and unpredictable behavior is still present until the new firmware is installed, removing the malware.

Now, back to the original story…

First, I apologize. I wish with all my heart that my job was to deliver candy (or beer), flowers, and baby alpaca to each of my clients on a regular basis. But I tried running an alpaca ranch and lost my shirt. So now I just get to deliver harsh realities as part of my job to prevent even harsher realities from steamrolling my clients.

As reported in the Department of Homeland Security US-CERT report this morning (May 23, 2018), a critical vulnerability has been found in network devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link (and very possibly many others).

The vulnerability has been named VPNFilter. It has three primary features:

  • It can install in any combination of stage 1, stage 2, and stage 3 implementations. Stage 1 resists removal by reboot or power cycle. This is highly unusual.
  • Harvest of all data passing over the network (this can include usernames, passwords, credit card information, proprietary and sensitive business data, etc.)
  • Catastrophically damaging the network device so as to render it unusable

Although the report is preliminary, it appears VPNFilter has been active for at least two years, with at least 500,000 devices in at least 54 countries impacted.

What is particularly malicious about this malware is that, unlike most of its kind, it will survive a power cycle or device reboot.

Talos, the organization that first discovered VPNFilter and continues to research it, has the following recommendations for everyone who has a Linksys, MikroTik, Netgear, QNAP, or TP-Link (and really, any network) device:

  • Users of SOHO routers and/or NAS devices reset to factory default and then reboot them to remove the potentially destructive, non-persistent stage 2 and stage 3 malware.
  • Internet service providers that provide SOHO routers to their users reboot the routers on their customers’ behalf. (To remove the potentially destructive, non-persistent stage 2 and stage 3 malware).
  • If you have any of the devices known or suspected to be affected by this threat, it is extremely important that you update the device to the most current patch version.
  • ISPs work aggressively with their customers to ensure their devices are patched to the most recent firmware/software versions.
  • Due to the potential for destructive action by the threat actor (suspected to be a state-actor), we recommend out of an abundance of caution that these actions be taken for all SOHO or NAS devices, whether or not they are known to be affected by this threat.

More technical details may be found here at Talos.

My Recommendations To All MintzIT Clients, And Everyone Else

  • The devices that currently appear to be impacted are those that do not have any antimalware protection between them and the internet.
  • Most devices with antimalware protection either built-in or between them and the internet appear to be protected.
  • If you have a router that either does not have built-in antimalware protection or is not protected by another device with antimalware between it and the internet, the smart money is to trash this router now (before another 2 years go by while your data is harvested without knowing), replacing it with a router that does have antimalware.
    • This is not a DIY project. Find a trusted cybersecurity professional to do this work for you. If you don’t have one, MintzIT can take the lead on this for you.
  • Even if your home or office were infected by VPNFilter, it would have little to no impact if all of your computers and mobile devices were using VPN (Virtual Private Network) to encrypt all data between the device and the internet.
  • If you are not currently using VPN, this event is a huge signpost alerting you that it is time to do so.
    • This is not a DIY project. Find a trusted cybersecurity professional to find the appropriate VPN solution, and then to install and properly configure the VPN. If you don’t have one, MintzIT can take the lead on this for you.

Sincerely,

Marc L. Mintz, MBA-IT, ACTC
888.479.0690
marc@mintzit.com

Knowledge Is Power: Oath: AOL, Yahoo, and Verizon Privacy Agreement

Thanks in part to the recent Facebook role in Russian-financed election meddling, and to the General Data Protection Regulation (GDPR) going into full effect in a week, websites and organizations are having their arms twisted to provide at least some level of transparency into how they collect and use your data.

Most of us use the internet with free abandon–never giving thought as to how this site or the next provide such wonderful conveniences and benefits without asking anything in return. But this is a Faustian bargain. In many cases, everything you do before, during, and after your site visit is logged. Many of these sites truly do know more about you than your mother.

To give just one example (more to come in the following weeks), let us look at the Privacy Agreement for Yahoo and AOL, now part of Verizon and the Oath. The full text of the agreement may be found at <https://policies.oath.com/us/en/oath/privacy/index.html>.

Understand that:

A) If you have an existing Yahoo or AOL account, you need to agree to this policy.

B) If you haven’t agreed to this policy, it will go into effect May 25, 2018 regardless of your agreement status.

C) In other words, we don’t give a damn about what you think, say, or do. This agreement applies to you.

I feel all warm and fuzzy inside knowing that they “put users first”. Well, not really. If they put users first, you and I would have had opt-in options long ago, instead of being automatically opted in. Somewhat contradicting the draconian first paragraph.

If they believed you should have tools to control your information, why did it take so freakin’ long for them to let us know they even existed? Why no opt-in options, just automatic opt-in?

When you create an account with Yahoo, AOL, Verizon, or any one of the many other Oath brands, you are giving them permission to track your online activities, giving access to your device, ID, cookies, even data available from non-Oath services.

The next two paragraphs get even better:

You read this correctly, you have willingly or unwillingly (they really don’t care. Remember the first paragraph?) agreed to allow them to read, analyze, log, and sell information regarding your PRIVATE photos, voice, video, emails, texts, and attachments.

They are just telling us again (remember, this is about transparency) that they will track you by your device, harvest whatever they can not only from the device, but also third-parties. All to provide you with “personalized experiences and advertising across the devices you use.”

Not only are all of your online activities monitored, recorded, analyzed, and sold, but you have given permission to track your location. Remember, your cell phone is nothing if not a location beacon.

The Privacy Agreement goes on for another few pages, pretty much just repeating itself over and over. I suspect the real purpose is to put the reader into a trance-like state so that ramifications of the agreement simply cannot sink in.

As A Side Note…

It may bear remembering that one of the Oath companies to which you have just given away all your privacy rights is the same company that had not 1, but 2 of the largest security breaches in history. Yahoo. Yeah. That’s who I want to continue harvesting my data.

What To Do About It?

Understand that the only thing the enterprise is concerned about is money. Not you, not me, not doing good, not serving society. Money.

The Oath brands can be found at <https://www.oath.com/our-brands/>, and include: AOL, Autoblog, BrightRoll, Build, Built By Girls, Engadget, Flurry, Huffpost, Kanvas, Makers, Rivals, Ryot, TechCrunch, Tumblr, Verizon, and Yahoo.

Have a heart-to-heart with yourself as to whether or not you want to give money to an organization that treats you like this. And if you decide it is not such a good trade, stop doing business with those who do not have your best interest in mind. There is a competitor available. Always.

Practical Paranoia iOS 11 Update: Chapters 4, 13, 14, 15, 16, 20, 21

Practical Paranoia iOS 11 Security Essentials version 2 has just been published. All of the changes since version 1.0.1 are included in the attached pdf. Changes are from chapters on Passwords, Lost or Stolen Device, Local Network, Web, Email, Internet Activity, and Social Media.

Why Are You Still Using Email?

Over the past 30 days, more than 20,000,000–that’s right, 20 MILLION–email accounts have been hacked.

Only around 80% of email providers support TLS. TLS is what allows your email to be sent and received encrypted. Even if the email provider supports TLS, there is no way to know if the recipient is using an email application that supports TLS.

Simply dealing with email encryption is beyond most users. Heck, it is beyond most IT consultants.

Not only is email encryption beyond the skillset of most consultants, it is beyond those of Phil Zimmermann, the cryptographer who invented PGP! PGP is the granddaddy of all email encryption. In a recent interview, he said he himself has stopped using PGP because of difficulties with it.

Email is a wonderful, but legacy, technology. As such, it brings all of the legacy shortcomings along for the ride. Email was never designed for security, so any security option has to be bolted on. And this introduces bugs, conflicts, costs, and migraines.

So I have to ask you, Why are you still using email?

My guess is inertia. It’s what you have used to communicate for so long, it has become a boat anchor that feels like an old friend.

The younger the user, the less they use email. In fact, it is unusual to find teens using email at all. Instead, they use instant messaging.

The great thing about instant messaging (when it is done right) is it can be created from scratch with security in mind. This eliminates all of the problems associated with encrypting email.

At the moment there are two leaders in the end-to-end military-grade encrypted instant messaging area: Signal (https://signal.org), and Wire (https://wire.com). One is as secure as the other.

My personal preference is Wire, because it is available on Android, iOS, macOS, Windows and anything that can open a web browser. Wire allows fully secure instant messaging, voice calling, and video calling. You can encrypt attachments, and even schedule when a message self-destructs.

Wire is free for personal use, for-fee for business team use.

Signal is free for everyone.

The only reason I can see for not using Signal or Wire is an organization that has a compliance requirement to maintain a record of all communications. This is typically only the healthcare (HIPAA) and financial (SEC) industries. For everyone else, give up your phone, turn off your email, get a Wire account. Save some money, secure your communications, and sleep better at night.

Warmly,

Marc L. Mintz, MBA-IT, ACTC, CWT
President & CIO
Mintz InfoTech, Inc.
505.814.1413 x 1
Wire: @marclmintz
Signal: 505.453.0479

TAKE ACTION NOW: PGP, GPG, S/MIME Broken

As reported by the Electronic Frontier Foundation (EFF) this morning <https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now>, a group of security researchers found a set of vulnerabilities impacting users of PGP, GPG, and S/MIME. These are considered the cornerstones of encryption security for email. The vulnerabilities pose an immediate risk of exposure not only of any email sent going forward, but also to all those encrypted emails in storage.

The EFF is recommending that all users of PGP, GPG, and S/MIME “immediately disable and/or uninstall tools that automatically decrypt PGP-email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels…”. MintzIT is recommending the use of Wire <https://www.wire.com> or Signal <https://www.signal.org> for secure end-to-end messaging.

Practical Paranoia macOS 10.13 Update: Chapters 13, 14, 15, 16

Practical Paranoia macOS 10.13 Security Essentials has just been updated with many additions. So many, we have combined them into a single update for chapters 13, 14, 15, and 16.

Revisions include:

  • Chapter 13.4 Routers: An Overview. Added information regarding Intrusion Detection Systems and Intrusion Prevention Systems.
  • Chapter 14.2.1 Assignment: Secure Browsing With Brave. New assignment.
  • Chapter 14.8 Do Not Track. Edited to include browser fingerprinting.
  • Chapter 14.8.6 Assignment: View Your Device Fingerprint. New assignment.
  • Chapter 15.11 Email Validation With SPF, DKIM, and DMARC. New section.
  • Chapter 16.1.5 Assignment: Remove A Device From Two-Factor Authentication. New assignment.

Download the updated chapters here: Practical Paranoia macOS 10.13 v2.1b 20180513 Chapters 13, 14, 15, 16

It’s Time To Upgrade Your Email Security

Your communications through email have become one of the most highly prized targets of criminal hackers. Your email contains literal keys to your kingdom:

  • Security codes, passwords, email addresses, social security, income–pretty much anything and everything that it takes to steal your identity.
  • Business plans, banking communications, upcoming corporate changes–information that your competitors, and sometimes regulators, would love to get their hands on.
  • There are backdoor settings that allow others (the criminal hackers) to pretend to be you so they may perform crimes in your name.

Changes in the technical management of email now give us the tools to help fight back, and protect your email security and privacy. It is now time to make use of these tools because the bad guys pick on the vulnerable.

PLANNING PHASE

Gather the following information:

  1. DNS Host, login URL, administrator username, and password.
  2. Email Host, Administrator login URL, username, and password.
  3. Administrator login URL, username, and password for any services linked to your email, such as: newsletters produced by you or your organization, mass email and CMS providers such as MailChimp, etc.
  4. If this is your first time, give yourself 3-4 hours to complete for an individual, 10-14 hours to complete for an organization, including study, testing, and 2-week and 4-week adjustments.

STEP 1: CREATE AN SPF FOR YOUR DOMAIN

SPF (Sender Policy Framework) is an email-validation system. Its job is to detect spoofed email. When a criminal hacker sends email to you with fake “from” information (say perhaps, a Nigerian Prince? Or a vendor submitting an invoice for payment? How about an attorney threatening to sue unless they receive payment?), your email server is able to validate or invalidate the sender.

If the sender of an email is validated, the email comes on through as it always has. If the sender is invalidated, the spoofed/fake/junk email simply never makes it to your inbox.

Not only does this help prevent fake email from making it into your inbox, it also helps to prevent anyone from sending fake email using your email address or an email address with your domain.

Implementing SPF for your domain email is usually quick and easy, but it does require modification to your DNS records, and the record values are different for each email host. For this example, we will use Google.

  1. In a web browser, go to your DNS records, and select to EDIT.
  2. Create a new TXT record with the following values:
    1. Name/Host/Alias enter @.
    2. Time to Live enter 3600.
    3. Value/Answer/Destination enter v=spf1 include:_spf.google.com ~all.
  3. Save the DNS changes.
  4. Verify the changes. For Google this is done through https://toolbox.googleapps.com/apps/checkmx/
  5. Enter your domain name, and then select Run Checks!
  6. When the test completes, select Effective SPF Address Ranges.
  7. The results should include:
    _spf.google.com
    _netblocks.google.com followed by several IP addresses
    _netblocks2.google.com followed by several IP addresses
    _netblocks3.google.com followed by several IP addresses

STEP 2: CREATE A DKIM RECORD FOR YOUR DOMAIN

DKIM (DomainKeys Identified Mail) is another email authentication protocol designed to detect email spoofing. DKIM verifies that email that claims to have come from a domain is authorized by the owner of that domain. It is able to prevent the criminal from forging your email address, as is often done in phishing and email spam.

As with SPF, implementing DKIM requires access to your DNS records. The process is a bit different with each email host. In this example, we will use Google.

  1. Generate the public domain key for your domain.
    1. Open a browser to admin.google.com.
    2. Select Apps > G Suite > Gmail > Authenticate email.
    3. Select the target domain for which you want to generate a domain key.
    4. Click Generate new Record.
    5. Click Generate.
    6. A text box displays a 2048-bit key.
    7. Select and then copy this key.
  2. Open a new web page, and then go to your DNS management page.
    1. Create a new TXT record.
    2. Paste in the key created in step 1.7 above.
    3. Enter the other fields generated in 1.6 above.
    4. Save the changes made to your DNS records.

STEP 3: ENABLE SIGNING EMAIL MESSAGES WITH THE DOMAIN KEY

Now that the DKIM is in place, we need to automate the process of including it with each email sent from your domain. In this example, we will use Google.

  1. Open a browser to admin.google.com.
  2. Select Apps > G Suite > Gmail > Authenticate email.
  3. Select the target domain for which you want to generate a domain key.
  4. Select Start authentication.

STEP 4: CONFIGURE DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the configurable policy for how to handle email that fails DKIM validation. The options are to take no action, quarantine the email, or reject the email.

For DMARC and DKIM to work, all of your email must be sent through your own domain, not through a different domain, or forwarded through a different domain.

  1. Open a browser to your DNS records.
  2. Create a new TXT record with the following attributes:
    1. Record Name/Host is _dmarc.your_domain.com
    2. Value (to take no action) is v=DMARC1; p=none; rua=mailto:administrator_email_address
    3. Value (to quarantine) is v=DMARC1; p=quarantine; rua=mailto:administrator_email_address
    4. Value (to reject) is v=DMARC1; p=reject; rua=mailto:administrator_email_address
  3. Save your changes.
  4. There are many more variables and options available, all of which may be found at the DMARC Tag Registry.
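
A linter for the TXT values entered in Steps 1 and 4, added here as an example and not part of the original post, to catch records that save cleanly in DNS but are ignored or unsafe at the receiving end. The sample records are constructed from the values shown in the steps; example.com and the dmarc-reports mailbox are placeholders.

```python
"""Lint SPF and DMARC TXT record values before or after publishing them.

Live values can be fetched with, for example:
    dig +short TXT example.com
    dig +short TXT _dmarc.example.com
"""

# SPF terms that trigger a DNS query; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
DMARC_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records (example.com is a placeholder domain).
SPF_GOOD = "v=spf1 include:_spf.google.com ~all"
SPF_TYPO = "v-spf1 include:_spf.google.com ~all"   # one-character typo
SPF_OPEN = "v=spf1 include:_spf.google.com +all"
DMARC_GOOD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
DMARC_PLACEHOLDER = "v=DMARC1; p=reject; rua=mailto:administrator_email_address"


def lint_spf(record):
    """Return a list of findings for one SPF TXT value (empty list = clean)."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["error: must start with 'v=spf1', otherwise receivers ignore the record"]
    findings, lookups, all_qualifier, has_redirect = [], 0, None, False
    for position, term in enumerate(terms[1:], start=1):
        # A missing qualifier means '+' (pass).
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        # The term name ends at the first ':', '/' or '='.
        name = body.replace("/", ":").replace("=", ":").split(":", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_qualifier = qualifier
            if position != len(terms) - 1:
                findings.append("warning: terms after 'all' are never evaluated")
    if all_qualifier == "+":
        findings.append("error: '+all' authorizes every sender on the internet")
    elif all_qualifier is None and not has_redirect:
        findings.append("warning: no 'all' term, unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"error: {lookups} DNS-lookup terms, limit is 10")
    return findings


def lint_dmarc(record):
    """Return a list of findings for one DMARC TXT value (empty list = clean)."""
    tags = [tuple(s.strip() for s in part.partition("=")[::2])
            for part in record.strip().strip('"').split(";") if part.strip()]
    if not tags or tags[0] != ("v", "DMARC1"):
        return ["error: must start with 'v=DMARC1'"]
    values = {key.lower(): value for key, value in tags}
    findings = []
    policy = values.get("p", "").lower()
    if policy not in DMARC_POLICIES:
        findings.append("error: p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("note: p=none only reports, failing mail is still delivered")
    reports = [u.strip() for u in values.get("rua", "").split(",") if u.strip()]
    if not reports:
        findings.append("warning: no rua= address, no aggregate reports will arrive")
    for uri in reports:
        # The placeholder text from the instructions must be replaced by a mailbox.
        if not uri.lower().startswith("mailto:") or "@" not in uri:
            findings.append(f"error: rua target '{uri}' is not a mailto: address")
    return findings


if __name__ == "__main__":
    for label, record, lint in [
        ("SPF", SPF_GOOD, lint_spf),
        ("SPF", SPF_TYPO, lint_spf),
        ("SPF", SPF_OPEN, lint_spf),
        ("DMARC", DMARC_GOOD, lint_dmarc),
        ("DMARC", DMARC_PLACEHOLDER, lint_dmarc),
    ]:
        print(f"{label}: {record}")
        for finding in lint(record) or ["ok"]:
            print(f"    {finding}")
```
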

STEP 5: IMPLEMENT 2-FACTOR AUTHENTICATION

Although 2-Factor Authentication (sometimes called 2-Step Verification or Multi-Factor Authentication) is a completely separate security protocol, this is a great time to finally get to this honey-do item. In today’s IT environment, having 2-Factor Authentication is the only thing stopping the criminal from taking control of your email.

Not every email provider makes 2-Factor Authentication available. If yours does not, RUN to a different provider–one that takes your security and privacy seriously. If your email provider does make 2-Factor Authentication available, find their help page for how to configure. Each provider will have a different authentication process.

OR, HAVE MINTZIT DO IT FOR YOU!

MintzIT holds higher IT certification, more certifications, more years of experience, and more customer commendations than any other IT consultant in New Mexico. We will make this a quick and painless process for you and your organization. Please feel free to call for a quote.

Warmly,

Marc L. Mintz
President & CIO
Mintz InfoTech, Inc.
505.814.1413 x 1
marc@mintzit.com

 

Court Rules Suspicionless Searches of Electronic Devices at the Border Are Unconstitutional

As reported in the Electronic Frontier Foundation May 9, 2018 article, the U.S. Court of Appeals for the Fourth Circuit ruled today that forensic searches of electronic devices by border agents without any suspicion that the traveler has committed a crime violate the U.S. Constitution (emphasis mine).

This ruling only applies to forensic, not manual, searches of electronic devices at the border.

The legal ruling of U.S. v. Kolsuz (4th Cir. 2018) may be found in its entirety here.

Q: What are the current industry-standards for IT password policies?

A: The great thing about standards is there are so many to choose from 😉

The industry-standard that most businesses and individuals can pay attention to is NIST SP 800-171. This details IT security standards for non-federal organizations. This is what federal contractors, health-care providers, law firms, and pretty much everyone else can use to meet compliance.

This document contains over 100 line items regarding IT security, and I won’t attempt to put you to sleep repeating all of them here. The ones relevant to passwords include:

  1. Passwords should be a minimum of 15 characters in length. Note there is no mandate for complexity (mixing upper and lower case, numbers, and special characters). Best to use an easy to remember, easy to enter phrase.
  2. Use a unique password for each service.
  3. Use a secure, encrypted method of storing your passwords. This can be a password manager such as LastPass, or a password-protected spreadsheet.
  4. Do not share your password with anyone. In most cases, this means even your boss.
  5. Use 2-Factor Authentication or Multi-Factor Authentication whenever it is available.
  6. If you suspect someone has gained knowledge of your password, change it immediately.
  7. The debate over how often to change passwords is still raging, but at the moment, there is no NIST standard for doing so. I recommend changing once per year.
  8. Although not a NIST standard, I recommend checking https://haveibeenpwned.com and https://hacked-emails.com monthly to see if any of your accounts has been compromised. If so, immediately change the passwords for those accounts.

Q: How do I know who’s monitoring my calls on iOS? I keep hearing beeping sounds in calls.

A: It is almost inconceivable that the sound you are hearing has any association with possible monitoring of your phone. The reason is that there isn’t any reason for a penetration device or process to introduce noise on the line.

The overwhelming probability is you are hearing normal line noise.

That said, calls are monitored or devices penetrated all the time by your phone company, the government, criminals, kids, and there is always that whackadoodle ex. Because there isn’t a good way to know if you or your device is a target, the solution is to use encryption tools.

I like both Signal and Wire for voice calls, and Wire for instant messaging. Both offer point-to-point, military-grade encryption – the gold standard. Once you start to use quality encryption tools, you can sleep a bit better at night.

Q: MAC addresses are coming up on my network. How do I block them?

A: Every device that is able to access either ethernet or wi-fi has a unique MAC (Media Access Control) address. Although the MAC address is hard-coded into the network chip, it can be spoofed.

Any quality router will include the ability to turn on MAC Address Filtering. Once activated, enter the MAC addresses of your own devices as “allowed”, and then disallow any other MAC address from the network.

Now retrace your network security:

  1. Are your WiFi passwords strong?
  2. Have you changed your WiFi passwords recently?
  3. Are your network communications encrypted using WPA2 AES?
  4. Are your storage devices encrypted?
  5. Are there ethernet jacks that can be accessed by others without notice?

Q: What are the limitations of an antivirus in protecting a PC?

A: First and foremost, an antivirus (anti-malware) is limited to protecting against only malware. Malware is just a minor player in the cybersecurity arena.

They are limited to protecting only against the malware they have been designed to recognize. Even the very best protect against perhaps 99.9% of known malware. Depending on whose numbers you believe, there may be more than 100,000,000 malware in the wild. That leaves at least 10,000 known malware even the very best don’t protect against.

As to how many unknown malware are in the wild? Nobody knows.

And then when they come up against malware they know about, they are limited in how well they eliminate the threat, and limited in saving any damaged data – or preventing data from being harvested.

A solution that works more reliably than antivirus is application whitelisting – specifying which applications may run. Then, should malicious code find its way into your device and attempt to run, it is automatically blocked as unauthorized.

Once the malware issue is dealt with, then you can turn your attention to the other security and privacy issues your device faces: email hacking, instant message hacking, phone call monitoring, man in the middle attacks (notice women rarely get in the middle of this) (sorry, it had to be said and I was just standing around), social media (its own kind of malware), storage device encryption, Multi-Factor Authentication, Disaster Recovery and Business Continuity Planning, etc.

Q: What Wi-Fi system is recommended to cover 1,000 users per month?

A: It’s not so much the users/month, but the maximum number of concurrent users, and the bandwidth of your internet connection that are limiting factors. Your available budget is also a factor.

For example, let’s say your internet bandwidth is 100Mb/s. If you have 100 concurrent users, that is 100Mb/s divided by 100 users, or 1Mb/s/user. That is barely adequate to maintain a connection.

So the first challenge is to have adequate internet bandwidth, based on the maximum number of concurrent connections, and how much minimum bandwidth you wish to allocate per connection. A good number to start with is 5Mb/s. This will allow a stable connection and tolerable browsing speed.

The next challenge is the maximum number of users connected to an access point. Consumer-level access points can typically manage from 10-50 concurrent connections. At some point, they will refuse any additional connections. Professional/Enterprise-level devices will be able to manage up to 250 concurrent connections.

However, even if you purchase a high-end unit capable of 250 concurrent connections, if the access-point is capable of a maximum of 1,300Mb/s throughput, that is 1,300/250 or 5.2Mb/s per connection. And that 1,300Mb/s rate is only available when the connected device is within a few feet. As the distance between the access point and the connected device increases, the available connection speed drops quickly. At an average distance of 100′, the average connection speed may drop to 1Mb/s.

The solution used for large conference halls, sports stadiums, (even Apple Stores) is to have many access points spread around the area, all connected via ethernet to a centralized router, each using the same SSID (Wi-Fi network name), operating as a wired mesh network. Have an adequate number of access points so that none are ever pushed near 50% capacity.

As an example, an Apple Store may have 20-30 Wi-Fi channels running on high-end Cisco Access Points to cover just one store.

Q: How can I stop other people from seeing what I’m doing on my tablet when using their WiFi?

A: The same easy answer to many cybersecurity questions – install and use a Virtual Private Network (VPN).

When using VPN all of your communications are encrypted between your device and the VPN server in the cloud. This makes it (almost) impossible for anyone (but the VPN host) to view your online activity.

There are thousands of VPN providers available. Many, if not most, are not ethical–particularly those that offer services for free. There are several dozen factors to consider when choosing a VPN provider; these are the ones I believe are most important:

  • Operate in a country that supports cyber security, and is outside the reach of government intrusion.
  • They keep no logs of your activities.
  • They offer IKEv2 protocol (the most current, and perhaps most secure), or OpenVPN (an open source protocol that has proven itself to be secure).
  • Offers at least a one-day free trial to test if their product is fully compatible with your device.
  • Is priced within your budget.

You will likely be paying between $30 and $80 per year for 2–6 devices that can connect to this one account.

Among my personal favorites are: NordVPN.com, Perfect-Privacy.com, and VPNarea.com

Q: Is Hard Drive the best data archival option?

A: With few exceptions, acid-free paper is by far the best archival storage.

A few years back Ziff-Davis did a study on the archival options for IT. This was before solid state drives.

Pretty much everything (HDs, floppy, CD, DVD) lasted less than 5 years before some corruption was found.

There is some consensus that today Hard Disk Drive (HDD) and Solid State Drive (SSD) last around the same as each other–five years before corruption sneaks in.

That said, there are new Blu-ray disc formats which promise 1000+ year archival quality.

Even if these devices lasted 10, 100, 1,000 years, good luck then finding a computer and drive that will have the drivers and ports to read the device.

The best practice is to:

  1. Have 3 copies of your data. At least 1 copy on-site, at least 1 copy off site.
  2. Run diagnostics/repairs on storage device at least yearly.
  3. Copy data from a storage device to a fresh device at least every 5 years.