by Marc Mintz | Aug 10, 2018
A recently released DHS-sponsored study by Kryptowire has found that millions of Android devices are vulnerable to remote data harvesting, factory reset, and monitoring, all right out of the box–no need to accidentally download a malicious app or visit a compromised website.
Fundamentally, millions of Android devices have security broken from before it reaches the user. The vulnerabilities are baked in by either the manufacturer or the carrier, or perhaps both. It appears most everyone associated with Android wants to jump on the monitize user information wagon, and there are currently no laws to prevent this.
The full story may be found on wired at https://www.wired.com/story/android-smartphones-vulnerable-out-of-the-box/.
What can you do as an Android owner to fix the problem? Currently, nothing–other than voting with your dollars. The only real alternative to Android is iOS (Apple products). Being a closed architecture and a company committed to making its money from product sales and not selling user information, iOS has proven to be far more secure overall than Android.
by Marc Mintz | Aug 5, 2018
I tip my Stetson to Dan Piraro of Bizarro Comics. Genius moment of the day.
by Marc Mintz | Aug 2, 2018
Domain Name System (DNS)
Most activities on the Internet require pointing to a specific device by use of an address. For example, to use my email, the email software must be able to locate my email server. It does this by looking for mail.mintzit.com.
While such human-readable names (called a Fully Qualified Domain Name, or FQDN) work well for you and me, not so much for computers. Computers expect to use a TCP-IP address. In the case of this server, that is 172.217.3.39.
The translation from FQDN to TCP-IP address is done by way of the Domain Name System (DNS). The process works like this:
- The user, software, or setting enters the FQDN. For this example, I may enter it in a web browser so that I may view my email.
- The browser has no idea how to find the FQDN, so it sends the request to the designated DNS
- The DNS server maintains a database of all registered FQDN and their TCP-IP address. It sends the search result back to my computer, the browser then takes me to my email.
The system works amazingly fast and is highly stable. The concern is that your Internet provider is also likely your DNS provider. This allows them to monitor and log most of your Internet activity without your consent or knowledge.
If you use VPN, and your VPN provider has DNS Leak Protection, your Internet provider cannot see your DNS queries. But you probably aren’t using VPN all of the time.
To protect your Internet activity from being logged by your Internet provider, manually configure your DNS server to be one that ensures your privacy. I recommend the 1.1.1.1 and 1.0.0.1 servers hosted by Cloudflare[1].
Assignment: Secure DNS Traffic (Windows)
In this assignment, you manually configure your DNS settings to use Cloudflare instead of the default (typically your Internet provider) DNS.
- Open Control Panel.
- Click Network and Internet.
- Click Network and Sharing Center.
- Click Change adapter settings.
- Right-click the network interface currently connected to the Internet, and then select
- Select Internet Protocol Version 4 (TCP/IPv4).
- Click the Properties
- Select Use the following DNSserver addresses.
- Enter 1.1.1 as the Preferred DNSserver.
- Enter 0.0.1 as the Alternate DNSserver.
- Click the OK
- Exit the Control Panel
From now on, all of your DNS searches will be performed securely by Cloudflare.
Assignment: Secure DNS Traffic (macOS)
In this assignment, you manually configure your DNS settings to use Cloudflare instead of the default (typically your Internet provider) DNS.
- Open Apple menu > System Preferences > Network.
- Click the lock icon, and then authenticate as an administrator.
- Click Advanced
- Click DNS.
- Click the + button. The existing DNS entries should disappear.
- Enter 1.1.1 as the first entry.
- Click the + button.
- Enter 0.0.1 as the second entry.
- Click the OK
- Click the Apply
From now on, all of your DNS searches will be performed securely by Cloudflare.
Assignment: Secure DNS Traffic (iOS)
In this assignment, you manually configure your DNS settings to use Cloudflare instead of the default (typically your Internet provider) DNS.
- Open Settings > Wi-Fi > current Wi-Fi SSID Info icon > Configure DNS.
- Select Manual.
- Delete the existing DNS entries.
- Tap Add Server.
- Enter 1.1.1 as the first entry.
- Tap Add Server.
- Enter 0.0.1 as the second entry.
- Tap Save.
- Exit Settings.
From now on, all of your DNS searches will be performed securely by Cloudflare
[1] https://www.cloudflare.com/learning/dns/what-is-1.1.1.1/
by Marc Mintz | Aug 1, 2018
Ubiquiti UniFi Switch 24 Port 250w Power over Ethernet
New. In box.
Currently selling on Amazon for $397.
Specs
MintzIT Price: $300 plus $25 shipping.
Contact:
Marc Mintz
505.453.0479
by Marc Mintz | Aug 1, 2018
Best-in-class network hardware
Ubiquiti UniFi Security Gateway
A great solution for business
New, In box.
Currently selling on Amazon for $108.
Specs
MintzIT Price: $65 plus $15 shipping.
Contact:
Marc Mintz
505.814.1413
by Marc Mintz | Aug 1, 2018
Best-in-class network hardware.
Ubiquiti UniFi AP AC Pro Access Point
New. In box.
2 available.
Currently selling on Amazon for $176.
Specs
MintzIT Price: $125 plus $20 shipping.
Contact:
Marc Mintz
505.814.1413
by Marc Mintz | Aug 1, 2018
MintzIT is clearing out our stock of new, best-in-class network equipment at great discounts.
Asus RP-AC68U AC1900 Wireless Access Point
New, never opened.
2 available.
Currently selling on Amazon for $223 plus $21 shipping.
Specs
MintzIT Price: $175 plus $20 shipping.
Contact:
Marc Mintz
505.814.1413
by Marc Mintz | Aug 1, 2018
We the people are the rightful masters of both Congress and the courts, not to overthrow the Constitution but to overthrow the men who pervert the Constitution.
– Abraham Lincoln
If you think your security and privacy are dependent upon only bits and bytes, think again. Our ability to access those bits and bytes, and to view them without compromise, is now entirely in the hands of those with pathologies I’ve no words for.
by Marc Mintz | Jul 28, 2018
True, full security and privacy for any of us will not be achieved until there is justice for all of us.
by Marc Mintz | Jul 26, 2018
Update Release
Version 3.1.1 of Practical Paranoia Windows 10 Security Essentials was released today. The Live! version is available immediately. Kindle updates will appear tomorrow, with print versions appears on store shelves in the next 2 weeks.
Download sample book.
by Marc Mintz | Jul 26, 2018
I receive at least one question every day regarding how to secure email communications. People are legitimately concerned that their email may be seen by crazy ex-boyfriend/girlfriend/gender-neutral lover, boss, rivals, or government.
Let me put your minds at rest. There is no doubt your email is being seen by others, and most likely the exact people you don’t want to see your emails.
Email technology was built when information wanted to be free. No security safeguards were built into email To this day, any email to offers hardened, end-to-end encryption is more Frankenstein the well-crafted code.
The solution is to grow away from email for secure communications. Sure, email is still useful in the same sense that postcards are useful. But for anything that is sensitive, proprietary, secretive, use a technology that is free, easy to use, and built from the ground up to be secure.
There are several Instant Message tool availalble that fit this criteria perfectly. The two leaders are Signal and Wire. I use both, but am partial to Wire because:
- Free (for-fee for business)
- Military-grade end-to-end encryption
- Voice, instant message, and video conferencing all available in one app.
- Messages can self-destruct after a user-specified time frame.
- Group IM’s and calls.
Give Wire a try. In less than 15 minutes you will have a most powerful communications tool that knows how to keep its mouth shut.
by Marc Mintz | Jul 25, 2018
by Marc Mintz | Jul 25, 2018
Q: Why can’t you trust people with your phone?
A: Your phone contains your private data, possibly sensitive business information, passwords, credit card information, banking information, a record of all calls, website visits, very possibly a map of your movement/travels over the past x months.
Do you want this information freely available to someone? Even if trustworthy?
Then there is the problem with trustworthiness. How many times have you seen people who appear to be good, do bad things? I’ve seen good friends prank other friends putting malware on their systems. And then there is the occasional sociopath.
You may not have any incriminating data on your phone, but there are things that are better left private. Think using the bathroom – nothing going on there that everyone else isn’t doing. But do you want a webcam pointed at your toilet?
Ok. For some of my readers that isn’t a good example…
by Marc Mintz | Jul 25, 2018
Q: How can I make a home wireless network that only I can detect? I don’t want my close neighbors to see it’s there.
A: Although you can disable SSID (the name of your network) visibility, any 8-year-old with 5 minutes of free time will figure out how to view invisible networks.
The only real way to do so is to turn your living space/apt/home into a faraday cage. Not as hard as you may think. There is wall paint available that creates a Faraday cage – blocking electromagnetic waves from penetrating your walls. You will need to shield your windows as well. A bit of web search will find how to do both.
Another option that may be easier – do away with the wifi. Instead, use ethernet throughout your home. Although the ethernet cable puts out a readable electromagnetic wave, it takes more sophistication than the average neighbor to read it. And if that is a concern, add a RADIUS server to your network. This will strongly encrypt all network traffic.
by Marc Mintz | Jul 25, 2018
Q: What other options do I have in protecting my network if I remove my firewall because my firewall is slowing down my entire network?
A: A firewall can be located on your computer (part of the OS), or between your local area network and the internet. It is typically built into the modem/router provided by your broadband provider.
The one on your computer would not impact network performance for anyone – including yourself. It simply filters what is allowed into your computer.
I’ll assume you mean that your network firewall is slowing down internet speeds. Older style network firewalls can have an impact on internet speeds, but not on local area network speeds.
There are a few fixes:
- If you have an older firewall, replace it with a new stateful packet unit. These do not slow down internet access like the older rule-based firewalls can.
- You may be using an inexpensive, low-speed firewall. Same story – replace with a new stateful packet unit.
- If your firewall includes intrusion detection or intrusion protection systems, these may need to have their settings modified so that they don’t have as many rules to filter by. This would best be done by an IT professional to ensure the security of the network isn’t degraded in the process.
by Marc Mintz | Jul 25, 2018
Q: How is ProtonMail encrypted?
A: ProtonMail uses PGP encryption. This end-to-end encryption protocol is highly secure, and prevents even ProtonMail from reading your mail.
ProtonMail is one of the very best solutions for those demanding the highest security for their email communications.
by Marc Mintz | Jul 25, 2018
Q: Is my ISP spying on me? If yes, how can I prevent them?
A: It is almost certain that they are.
Not like they have a person on the payroll to spy on your activities specifically, but virtually all ISP’s (ALL in the USA) log your activity, and most (if not all) sell this to marketing firms, so that the marketing firm can better target advertising to you. In the US it is a requirement so that government authorities can monitor the activities of criminals, suspected criminals, ex-spouses, current lovers, and anyone else they care to harass.
What to do about it? Get a quality (not a free or inexpensive) VPN service with DNS Leak Protection, and then use it full time while on the internet. My current recommendation is NordVPN.
by Marc Mintz | Jul 25, 2018
by Marc Mintz | Jul 25, 2018
A: There are services available that can do this. Virtru is one we use.
However, standard email and email software don’t permit this.
by Marc Mintz | Jul 25, 2018
Q: How effective is a ClamAV as a malware removal tool?
A: There isn’t a good way to answer this question. To do so would require analysis by an independent antivirus testing facility.
The ones we monitor do not include ClamAV in testing. Perhaps there is one, but haven’t ever seen it.
So, without testing and validation, it’s not possible to know how well it works, and what performance degradation it introduces. why would one use something so important to security and privacy?
Instead, I recommend only using Bitdefender (Bitdefender Gravity Zone for business use).
