Q: What are the reasons my school and work track everything I do on the Internet?

by Marc Mintz | Dec 23, 2018

A: If someone came to you asking for $1000, the keys to your car, and your credit card, you would probably want to know what they were using them for. Not so different for your school and work.

When you are at school or work, you may be using their computers, software, hardware, network, or broadband. These are valuable resources that must be shared among all users.

Imagine if a few people decided to watch streaming 4K movies using these resources. These movies can take up to 15Mb/s bandwidth for each movie. If the school or work has a 50Mb/s Internet connection, 3 people streaming will choke out all other use.

There is a darker side to this issue as well. Schools and workplaces have a legal responsibility to ensure their resources are being used – for lack of better phrasing – for good, and not evil. If a student or employee is conducting illegal activities using the school or work resources, everyone gets caught up in the legal process.

Q: How often should I change my passwords?

by Marc Mintz | Dec 23, 2018

Q: What is NIST 800-171, and why is it so important?

by Marc Mintz | Nov 27, 2018

A: The NIST SP 800-171 is a best-practices form, something like a checklist on steroids. It is created and produced by NIST (National Institute of Standards and Technology), one of the two federal teams charged with helping to ensure cybersecurity. The other is US-CERT (United States Computer Emergency Readiness Team).

NIST is governed by the U.S. Department of Commerce. US-CERT is governed by the U.S. Department of Homeland Security.

There is a core problem with cybersecurity–how do you know you are doing the proper things, in the proper way, to the proper degree to help ensure (note this is not guarantee) you, your family, and your organization cybersecurity and privacy?

NIST has developed best-practices that help to standardize these questions, and have organized them as best practices into the SP 800-171 form. This form only asks the questions, but does not provide the answers. This may lead you to some head-scratching, but it makes sense because every IT environment is different. It now becomes your job (or the job of your IT or Security Department) to figure out how to answer and resolve those questions.

This best-practice document has become a standard for both cybersecurity and privacy. It is used as the basis of certifying HIPAA-covered entities (health care organizations), SEC-covered entities (finance organizations), Federal and military contractors, and many more. If your organization isn’t using this document, it is almost certain your cybersecurity and privacy are lacking, and may be held legally and financially liable in the event of client data leakage.

By following and answering the 800-171, your IT group has done due diligence to protect your IT infrastructure.

Which, since the document doesn’t provide any guidance to solutions/answers, is where MintzIT comes to the rescue! We have been providing full-service IT consulting to all of New Mexico for 32 years, and are authors of 13 best-selling cybersecurity books, making MintzIT the perfect solution to ensuring your cybersecurity and privacy.

Attached you will find a copy of the NIST SP 800-171. Listed below are a couple example resolutions to the questions.

How to Secure Your Web Browsing

by Marc Mintz | Nov 19, 2018

For most of us, almost all of our time on the computer is spent on a web browser. This time is so very valuable to advertisers, that Google paid Apple $9,000,000,000 (yes, 9 Billion dollars) a year just so that Google is the default search engine for Apple Safari.

Why is your web activity so incredibly valuable? Because by watching in literally microscopic detail what you search for, what you spend time looking at, and how you look at it creates a detailed profile of who you are. Google – as well as the other search engines – is able to predict your likes, dislikes, sexual preferences, and behaviors with far greater accuracy than anyone in your inner circle.

All of which allows advertisers to perform targeted marketing with laser precision.

Which by itself isn’t necessarily a bad thing. What may be a bad thing is that this data is for sale to those other than in advertising. The most glaring example is what was done with your Facebook data in 2015-2016 once it made it into the hands of Cambridge Analytica.

If you aren’t already thinking What can I do about it?, may I recommend skipping the rest of this article and go back to watching cat videos.

There are many strategies to anonymizing or cloaking your web activities. How much and what to do depends on what your idea of balance between security and PITA looks like.

EXTREME SECURITY

• TOR. For those requiring the very highest level of anonymizing and cloaking, changing your web browser to TOR is step 1. With TOR in use, your web traffic is bounced from TOR node to node a few times, stripping away identifiable information, before connecting with the target web site or service. The trade-off is a non-trivial performance hit. Because of this, TOR is not for everyone.
• VPN. Virtual Private Network is a web service that provides fully-encrypted communications between your computer/mobile device and the VPN server. From here the data is unencrypted and continued to the target web site or service. This blocks anyone from snooping on your local network and internet service provider from discovering what you are doing. It does, however, give your VPN provider the ability to see all. This is why it is vital to select a quality VPN provider. I’m fond of NordVPN and PerfectPrivacy.

HIGH SECURITY

• DNS. Domain Name System is the internet service that translates English names for a site to the actual server address. But DNS most likely tracks and records every site your device visits. To prevent this, use a DNS service that respects your privacy. I’m fond of CloudFlare. to do this, simply change whatever your current DNS settings are to use the CloudFlare servers – 1.1.1.1 and 1.0.0.1.
• Search Engine. By default, 90% of us use Google as the search engine. And in case you have been sleeping in class, Google has become one of the world’s most profitable corporations by selling your search information. No worries! Just change your search engine to DuckDuckGo. Not only does DDG not track or record your searches, but it is also the best search engine available. This is because when using DDG, it submits your search criteria – anonymously – to all of the major search engines, and then compiles the results for you. To make DDG your search engine, open your browser to https://duckduckgo.com.
• Browser. DDG takes care of your searches, but if you are using Google Chrome or Microsoft Edge, they are reporting on your travels as well. Best to use a browser that doesn’t tattle on you. Brave is excellent, as are Firefox and Safari.
• Trackers and Fingerprinting. Most commercial sites now use trackers. Trackers watch your every move on a site, and then continue to follow you to each subsequent site. You can stop trackers by installing an anti-tracker browser plug-in such as Ghostery. Just visit https://ghostery.com and then follow the on-screen instructions. In addition to blocking trackers, Ghostery also hides your digital fingerprint. This prevents websites from pinpointing your device as it travels the internet.
• Malicious Sites. As more computers have anti-virus software installed, criminal hackers are turning to compromising websites, which will inturn send the data they harvest from you to the criminal. To help block such sites, install a browser plug-in from the anti-virus developer Bitdefender called TrafficLight. Once installed, when visiting a known malicious site, TrafficLight will block the site from loading, and present a warning message to you. You then have the option to continue to the site, or back away.
• Up-To-Date Browser. Browsers play the cat-and-mouse game with criminal hackers, trackers, and advertisers by continually updating their software. Although most browsers are designed to auto-update, that process fails more often than developers admit. If using Chrome or Firefox, you can force an update by opening the browser’s About… menu. Brave is updated from its Check for Updates… menu. Edge and Safari are updated as part of routine OS updates.
• https. When connecting with a website using http://xyz.com, all communication between your device and the site is sent in clear text. Any snoop between your computer and the site is able to see everything. When connecting with a website using https://xyz.com, all communication is encrypted. Snoops can see the site connected with, but cannot see the data. Not all sites have upgraded to use https. For those who have, installing the HTTPSEverywere plug-in will force the https, even if you have entered http.

Q: Why does my IT support not want me to run updates?

by Marc Mintz | Nov 5, 2018

A: Although I can’t speak specifically as to why your IT support doesn’t want you to run updates, I can give reasons why MintzIT restricts clients from doing so. Spoiler alert… It’s not because we are power-mad admins trying to keep the end-user under our boot!

Having an authorized, qualified IT technician or consultant be the only one who runs updates, installs applications, and performs maintenance on your computer and other IT equipment is so important, it is actually a requirement of the NIST 800-171 (the gold-standard checklist for cybersecurity practices), and HIPAA and SEC covered entities. In point of fact, all of these best-practices prohibit the end-user from even knowing an administrative password!

• Best practices include everyone – even admins – to log in with a non-admin account.
  • The primary reason is that both malware and hackers take on the power of the currently logged in user. If the user is logged in with an administrator account, the malware or hacker can assume full control over the computer. If the user is logged in with a non-admin account, the malware or hacker is usually limited to controlling the user data.
  • Another issue with knowing the admin password is that it is almost impossible to know when malware or a hacker are attempting to take over a computer. The best and most common example is when visiting a website and an alert pops up stating your Adobe Flash is out of date – click here to download. It is almost guaranteed this is malware and not the real Flash. But how does an end-user know?
• Most cybersecurity experts go further with mandating all non-admin users log in with Parental Control (macOS) or Child (Windows) accounts. The reasoning behind this is that even the very best antivirus software can only catch 99.9% of known malware. It is estimated there are up to 40,000,000 malware variants in the wild, leaving up to 40,000 known malware that won’t be caught. This number doesn’t include unknown malware, which is almost certain to get through to your system. Some malware has been in the wild for up to 9 years before being found! With a Parental Control or Child account, it is possible to implement Application Whitelisting. This specifies which applications are permitted to launch, anything not on the list cannot launch. Malware, known or unknown would not be on the list, and therefore presents no security issue – unless the user has access to the administrator password to bypass the Whitelist.
• Most security settings on a computer cannot be modified by any other than an administrator account. Every day I see users who know the administrator password bypassing or removing these settings–usually because they see no reason for having them. What they don’t know is that with a click of a button and entering an administrator password, they have taken their computer from fully hardened to fully vulnerable.
• Even in the case of installing updates, there are issues of stability, compatibility, and security that must be researched prior to performing the update. When a user blindly updates something, they run very real risks. It is assumed that their IT professional will be aware of current risk parameters and know how to work around or with them.

So the bottom line is that your IT support is probably trying to keep your computer running smoothly and securely (if you are talking about your own personal computer), or is trying to follow Federal cybersecurity guidelines or legal requirements (if you are talking about a company computer).

If you simply can’t resist clicking that Install Now button, it wouldn’t hurt to call your IT professional first.

New Macs prevent hackers from eavesdropping on your microphone

by Marc Mintz | Oct 30, 2018

Apple released documentation today on their T2 chip, included with the new Macs released today, as well as the MacBook Pros released earlier this year. The T2 security chip helps to protect encryption keys, encrypted storage, fingerprint data, and secure boot features.

But a vital feature that was unknown until today is that it also provides hardware-level protection of the device’s microphone. When the lid is closed on the new laptops, the internal microphone is disconnected at the hardware level. This means it is impossible for a hacker to eavesdrop on your audio as long as the lid is closed. To the best of my knowledge, no other computer offers this level of audio security.

Of note is that the T2 does not cut off the internal webcam when the lid is closed, because, well, the lid is closed!

Q: What can I do if I have someone’s Gmail account username?

by Marc Mintz | Oct 29, 2018

A: Nothing. Fundamentally all you have is an email address.

If you were interested in committing a felony, you could attempt to hack into their Google account. But assuming the user has a strong password and has enabled Two-Factor Authentication, it would be a futile attempt at state-funded housing.

Q: Do malware immediately affect computers when installed?

by Marc Mintz | Oct 29, 2018

A: Some malware do nothing until a triggering effect (specific time, amount of time since install, application launched, website visited, etc.)

Q: How can I prevent my Yahoo e-mail from being hacked?

by Marc Mintz | Oct 29, 2018

A: There are a number of standard steps to take regardless of your email provider:

1. Use a strong password. The current recommendation is a minimum of 15 characters, in a password that is unique and not used with any other of your websites or services.
2. Add 2-Factor Authentication. This significantly adds to the difficulty of accessing your account even if your password is compromised.
3. Never allow anyone else to use your computer without first creating a user account for them.
4. Install and use a quality antivirus software.

Lastly, as you asked specifically about Yahoo, give some consideration as to why one would continue to do business with a company that was directly responsible for not one, but TWO of the worst cybersecurity breaches in history.

Homeland Security Notice: Before You Connect a New Computer to the Internet

by Marc Mintz | Oct 29, 2018

The US Department of Homeland Security has released an update to their ST15-003: Before You Connect a New Computer to the Internet documentation. With the holiday season approaching (along with all of the new IT systems to unwrap), it’s a good time to review some cybersecurity best practices to help avoid hacking of your credit cards, bank account, personal information, and help support smooth operations. I have outlined the document below:

• Secure your router. A popular method of harvesting all data on your network is for a criminal hacker to infect your router. This security process should include:
  • Power-cycle to remove any RAM-resident malware
  • Update router firmware.
  • Eliminate any unwanted DMZ settings.
  • Eliminate any unwanted port forwarding.
• Enable and configure your firewall. Older-style firewalls rely on configuring ports and what type of traffic is allowed. This is quite complex and time-consuming. If you have this type of firewall built into your router, time to upgrade to a new router with Stateful Packet Inspection. These require little more than turning on.
• Install and use antivirus software. I currently recommend using Bitdefender antivirus for every macOS and Windows computer.
• Remove unnecessary software. Every piece of software has some vulnerability. If you don’t use it, remove it.
• Operate under the principle of least privilege. Most malware and criminal hackers take on the power of the currently logged-in user. If your user account is an administrator, they have full control over your computer. Always log in with a non-administrator account. Better yet, log in with a Parental Control (macOS) or Child (Windows) user account to further restrict the damage a criminal can do. I’m hard-pressed to come up with a reason that a computer user ever needs to log in as an administrator.
• Secure your web browser. By default, most browsers have insecure settings. Before surfing the web, verify that all settings and preferences are configured for security.
  • NOTE: Better yet, check out the Brave browser. It is built for security.
• Apply software updates and enable automatic updates. The #1 reason for updates are as security patches. It is vital to ensure the timely installation of system and application updates.
• Use caution with email attachments and untrusted links. Criminal hackers commonly use email to infect computers and to harvest information. If you don’t know who sent you an email, don’t open any of its attachments. Before clicking on a link, hover the cursor over it to view the full URL.
• Use strong passwords. The Department of Homeland Security is in charge of all things cybersecurity within the US. Their current guidelines for strong passwords is “Use the strongest, longest password or passphrase permitted”. The NIST 800-171 is a Federal cybersecurity best practices document which most organizations should follow. The current minimum recommended password length is 15 or more characters. I suspect this number will soon be increased to 24 or more. Use a password manager such as LastPass to create, remember, and automatically enter passwords. Your memory is best used for other things.

Whew! That is what needs to be done before connecting to the Internet. For everything that needs to be done after connecting, we have some great books.

Perhaps The Most Important Day Of Your Life–November 6, 2018

by Marc Mintz | Oct 25, 2018

Election Day, November 6, 2018, is just around the corner. Take part in the most important election of your lifetime.

1. Not sure if you are registered to vote? Visit https://vote.org.
2. Not registered? Register to Vote at https://vote.org.
3. Just get it done! Vote early by visiting https://vote.org.
4. Out of town November 6? Get an absentee ballot at https://vote.org.
5. Find your polling place at https://vote.org.
6. Can’t drive to your polling place? Both Uber and Lyft are offering free rides to and from your polling place.

Android App Data Harvesting “Out of Control”

by Marc Mintz | Oct 25, 2018

A new report from The Department of Computer Science, University of Oxford, released 20101018, finds that data harvesting by Android apps is epidemic.

Almost 1,000,000 Android apps from the US and UK Google Play stores were analyzed. It was found that 88.4% shared your data with Alphabet (parent of Google), 42.5% shared with Facebook, 33.8% shared with Twitter, 26.27% shared with Verizon, 22.75 shared with Microsoft, and 17.91 shared with Amazon.

Personally, I’m going to be pulling this stat out at the next cybersecurity cocktail social hour when some Android fan-boy insults the iPhone for being too expensive. Because, precisely what value do you place on your personal data and identity?

Danger Awaits Your Computer, Hiding In That Thumb Drive

by Marc Mintz | Oct 21, 2018

THE HIDDEN DANGER

You know that thumb drive sitting by your computer? That one a friend handed to you, or a client shipped to you, or maybe you found it in the parking lot. Yes, that one. The one you probably already connected to your computer–without realizing the danger.

Perhaps the better way to look at this is, would you put it in your mouth?! You and I don’t know where that memory card has been, nor what malware may have been intentionally or unknowingly acquired.

If the card was given by a friend or business associate, it is quite possible that their computer is compromised with malware. And if that card had been attached to their computer, the card has likely been infected.

Also, a common method of criminally hacking a computer is to place compromised memory cards in a business parking lot, or near a desk. It’s been found that the majority of people will pick up the card, and then insert it into their computer to find what is on it. Of course, all it takes is a millisecond for the compromised card to transfer its malicious payload onto your computer.

WHAT TO DO?

1. if you are in a company, NO external storage device should ever be connected to the network or computer without first passing a security audit by the IT department. This is so critically important, it is a Federal cybersecurity guideline.
2. This also applies to any external storage device that has passed a security audit, but has since connected to another network or computer.
3. If you are a home user you probably have no IT department to perform a security audit. Instead, have your computer technician or consultant perform the security audit. If you have no computer support person, at the very least ensure you have a quality antivirus utility installed on your computer, and that it is fully up-to-date, prior to connecting the memory card. Then run a malware scan on the device prior to accessing the device.

New Google Chrome 70 will break 1000+ sites

by Marc Mintz | Oct 9, 2018

On or around October 16, 2018, the new Chrome 70 will arrive. if you currently have Chrome installed, it will automatically update.

Core to the new Chrome is an upgrade to security. Specifically, Chrome will no longer trust HTTPS certificates issues by Symantec prior to June 2016. This includes Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates. Security researcher Scott Helme found 1,139 sites in the top one million sites ranked by Alexa, including Citrus, SSRN, the Federal Bank of India, Pantone, the Tel-Aviv city government, Squatty Potty and Penn State Federal to name just a few.

HTTPS certificates encrypt the data between your computer and the website or app you’re using, making it near-impossible for anyone — even on your public Wi-Fi hotspot — to intercept your data. Not only that, HTTPS certificates prove the integrity of the site you’re visiting by ensuring the pages haven’t been modified in some way by an attacker. Most websites obtain their HTTPS certificates from a certificate authority, which abide by certain rules and procedures that over time become trusted by web browsers. If you screw that up and lose their trust, the browsers can pull the plug on all of the certificates from that authority. For these reasons, Google stopped supporting Symantec certificates last year after it was found to be issuing misleading and wrong certificates, as well as allowing non-trusted organizations to issue certificates without the proper oversight.

WILL THIS BE AN ISSUE FOR YOU?

Before the new Chrome arrives, check out the sites of importance to you. For example, if you use www.pantone.com:

1. Visit this site in Chrome.
2. Click the Lock icon in the address bar.
   
3. From the drop-down menu, select Certificate. 
   
4. In the bottom text field, look for the Issued by: text. If issued by Thawte, VeriSign, Equifax, GeoTrust, RapidSSL, or Symantec prior to June 2016, you will have problems accessing the site using Chrome 70.

WHAT TO DO

If an important site hasn’t updated it’s HTTPS certificate after Chrome 70 installs, you should still be able to access the site using other browsers (unless they take the same security stance as Google–none have so stated). Quality alternative browsers include Brave, Edge, Firefox, and Safari.

Q: Is an up-to-date Mac computer immune to hacking?

by Marc Mintz | Sep 24, 2018

A: The operating system (I’m assuming this is what you are updating) is only one small piece of the cybersecurity puzzle. Yes, OS updates are primarily about patching vulnerabilities within the OS, but focusing only on this is like locking only your front door when leaving for vacation, while leaving the back door, side door, all windows unlocked, the alarm system off, and taking the dog with you!

Q: What are the safest, the easiest, and the most balanced way to send encrypted email?

by Marc Mintz | Sep 24, 2018

A: We first need to define your parameters for “encrypted”, and from what/who are you attempting to protect your communications.

VULNERABILITIES

Common points where email is vulnerable to penetration, hijacking, or otherwise accessed by unauthorized personnel:

• Unencrypted storage device. Your email may be end-to-end encrypted, but if either the sender or recipient have a computer or mobile device with an unencrypted storage device, it is child’s’ play to access the data. In the case of macOS, the boot drive should have FileVault 2 full disk encryption enabled. In the case of Windows, BitLocker full disk encryption. iOS devices have built-in hardware encryption. Android, well, good luck with that. Newer Android phones allow you to manually enable encryption. Most older phones do not.
• Weak email passwords. If the sender or recipient email accounts have weak passwords, it is easy to access the email.
• Weak computer passwords. If the sender or recipient computers have weak passwords, it is easy to access the computer, and then instantly access email.
• Weak mobile device passwords. Many people don’t even put a password on their mobile device. Turn your back, the device is taken, and all data is accessible.
• 2-Factor Authentication (2FA). 2FA is the only way we have to secure your email account. Should someone gain access to your email password, with 2FA active, they still will be unable to access your email.

TLS

At the most basic of encryption levels is the communication between the sender and their email server, and the recipient and their email server. The current standard is TLS. If either the sender or recipient do not have a TLS connection to their email servers, the email may be sent in clear text on at least one leg of the journey. You can verify if TLS is active for both sender and recipient at https://checktls.com.

Paubox.com is an inexpensive commercial service that can enforce TLS encryption between computers.

If you are only relying on TLS, beware the email is readable at the sender and recipient email servers. Granted, normally only the email host staff and government personnel have access to this data, but this may include hundreds of unwanted eyes.

ENCRYPTION AT REST

TLS takes care of the encryption in transit, but full security means that your communications are also encrypted at rest – while on the email server. This prevents the email host from accessing your communications, as well as criminals and government personnel. you will need to talk with your email provider and that of the other party to determine if the email is stored encrypted at rest.

END-TO-END ENCRYPTION

The ultimate email standard is end-to-end encryption. This means that the email is encrypted at the sender’s device, all the way through to the recipient’s device. In this way, even the email hosts have no access to the communications. There are several ways to accomplish this:

• PGP/GPG encryption
• S/MIME encryption
• Use a secure server
• Use encrypted attachments

PGP/GPG is free, but is technically challenging to implement.

S/MIME is less technically challenging but requires both sender and recipient pay for S/MIME certificates ( $10-$200/year/account).

Using a secure server is inexpensive ($0-$100/year/account), and very easy to implement. Not much more than signing up for an account. I recommend ProtonMail.com for their long-standing commitment to security and privacy, and offering both free and for-fee services.

Another alternative is to just use the same email service you currently use, but when needing security and privacy, craft your communication as a document, securely encrypt the document, attach the encrypted document to an email, and then send. This has the advantages of keeping the email service you are comfortable with, using applications you are comfortable using, and using strong encryption. The options include (but are not limited to):

• Microsoft Office products. As long as you are using current versions, Word, Excel, and Powerpoint allow you to encrypt their files using AES 256 bit encryption – an industry standard and best practice.
• If using an application that does not include built-in encryption, you can use a commercial or freeware utility that performs 7Z encryption with AES 256. For Windows, WinZip is the most popular. For macOS, Keka does a great job.

Which is the best compromise? I think that is a bit like asking what is a good compromise between chocolate ice cream and vanilla cake. It all comes down to your pain thresholds for cost, ease of use, level of security, and need for the other party to have the same setup.