Sunday, August 28, 2016
I've said many times that Apple is the choice of people who are concerned about digital security and privacy. I've also said it's the company for people who like an ecosystem of products that work together. But when push comes to shove, it appears most people want just a smartphone, and one that appears to be innovative. Never mind if the innovation is internal, or geared toward app developers.
So the rumors that usually pan out say the iPhone 7 drops the headphone jack and keeps the same dimensions, but they give no real clue as to what's really new. The Apple Watch is also rumored to get an upgrade at the same time. So far none of this has noticeably affected iPhone sales.
So is Apple in trouble? Far from it. The Mac is still selling strongly, and even though iPhone sales are down they are still good, and profits are good. But restoring growth to their flagship product is a genuine challenge.
Tuesday, March 8, 2016
Yesterday, I got another text message on my phone, that my billing address had been changed. It had been changed to a Miami Beach address. At about that time, my wife called me from our kid's phone, saying that her phone no longer worked. Neither did one of our other phones. At that point, we realized that a new user had been authorized on the account, and that a new phone number had been added last week, and one of the phones (out of contract) had been used for an upgrade. AT&T showed that the new phones had been picked up at the Apple store on Broadway, in New York.
Apparently this is very common: thieves use stolen credit cards, pay online through a hijacked account, and pick up a phone from the store. Once they have it, they sell the phone as quickly as they can and pocket the cash.
Meanwhile, it took about 5 hours with AT&T Advanced Technical Support to get our phones restored, and with the Fraud department to get everything else straightened out.
The worst thing about all this was, it could have (and should have) been prevented! How? Let's look at the perfect storm of everything that went wrong:
- AT&T Account Security lets you log in to manage your account with a phone number, an e-mail address, or a generated access ID: three different ways of logging in, and a phone number is something anyone can look up. Simplify it, give us one!
- AT&T Account Security has the option of requiring a PIN that you specify, for "any and all account changes that will cost you money." Apparently that is misleading. We turned on that PIN feature last year and set the PIN, however it only works for in-store purchases. The web site does not require the PIN, and this is something they are aware of, and have not yet rectified. Shame on them! If they had required the PIN, then simply using the login stolen from somewhere else would have not been enough.
- Simple Password Login - my wife (who will remain unnamed to prevent embarrassment) used to use the same password for everything. Everywhere. This practice is still rampant, and I strongly discourage it. As I've recommended several times (1, 2), you should not know the vast majority of your passwords. You should have one super-secret master password that you use in exactly one place, your password vault, and let every other password be a long, randomly generated mix of letters, digits and punctuation. Thieves know that people pick passwords that are easy to guess and reuse them everywhere. If your password is built from a word, it is trivial to guess, even if you swap letters for numbers or tack digits on the end: cracking tools are built around exactly those substitutions ($ for S, 0 for O, 1 for L, a year or "123" appended) and try every variant of every dictionary word. Note also that sites store password hashes, not encrypted passwords, so the thief does not "decrypt" anything; he takes the stolen hash list offline and hashes guesses until one matches, which for a mutated dictionary word takes minutes at most. The password recovered from one site is then tried on every other site, which is what makes reuse so dangerous.
- Text Confirmation PIN - Apple and many other companies send a one-time code by text message to a known, pre-registered device to confirm identity. For example, if I log into iCloud, it sends a code to my phone, which I then have to enter (after username and password) before I get into my cloud account. This is simple and very easy, and AT&T and every other mobile carrier should require it before something as basic as adding, removing, or upgrading a line. One caveat: a code sent by text is only as trustworthy as the phone line it rides on, and the carrier account is exactly what was hijacked here, so for the carrier itself a code from an authenticator app (next point) is the stronger choice.
- Multifactor authentication - whenever this is available, turn it on and use it. Instead of just asking for username and password, the site asks for something else to prove you are legit. A lot of systems use Google Authenticator. This works like those RSA SecurID tokens you may have seen, which show a new number every 30 seconds. When you log in, you enter name, password, and the current number. That number is not a random one the site happens to know; it is computed from a secret shared between your device and the site when you enrolled (that is what the QR code holds) and from the current time, so nobody without the secret can produce it. Some sites instead ask one of several security questions you set up ("What was your first car?" "1981 DeLorean"), picked at random from 3 to 5 Q&A pairs. That is better than nothing, but it is not really a second factor: an answer is just another thing you know, and often something a thief can look up or guess, so treat security questions as a weak backup, not a substitute for a code from a device you hold.
And whatever you do, don't believe it when a guy calls saying your PC has reported problems to their server!
Thursday, February 18, 2016
I got a call from a guy named Harry (yeah, right, this guy with a middle-eastern Indian-sounding accent's name is Harry), who claimed that he got my number because my Windows was reporting problems to his server, and he was calling to help me out. Good thing too, Harry! (Interesting choice of names - this was Peter Parker's friend who turned out to become a super villain...but that's a different universe.)
I asked him how he got my phone number. Harry told me that everyone who has a Windows computer has a unique computer license ID number (TRUE), which is automatically registered with them (FALSE - it is only registered with Microsoft, and they do not share their customer registration information with any third party companies). And that they receive reports at their technical server that goes to their R&D center, and notifies them of issues. (FALSE: Nobody would do this without a service contract that would bill you periodically.)
He then told me there were a bunch of problems with my Windows computer (I held off, not telling him I have Macs). I decided I would play the dumb user, so I went along with him.
First, he wanted me to run the Event Viewer. OK, harmless enough. Then he had me look at the log of errors that Windows keeps, and at the count of errors; whatever number I gave him was too many (it was 8,232). [FACT CHECK: During normal operation any computer logs errors: some non-essential component failed to do something the way it expected, so it logged a message. Typically this is nothing to be concerned about. If you are concerned, take the machine physically to someone you trust, not to some guy who calls you over the phone.] Then he had me close that window and run MSCONFIG. This tool shows startup jobs as well as services. He had me look for any services by Microsoft Corporation that were stopped. There were a lot, and he said this was bad. [FACT CHECK: There are always some stopped; not every service is turned on. In fact, I had specifically gone through just a few months back and disabled some more non-essential services to improve the performance of my system, but he didn't know that.]
So, he said that the bad software I get from e-mails and browsing the web had disabled important Microsoft services. [FACT CHECK: E-mail attachments and web downloads are indeed the usual way bad software gets onto a computer, but that is also exactly where antivirus software checks most closely, and a list of stopped services proves nothing either way.] Then he wanted me to go to a web site, www.mypchelp.us. This one failed to come up, so I can only guess that the domain had been blocked by net monitoring.
So, he had me go to www.fastheal.net and wanted me to click Connect to Technician. [FACT CHECK: This is the kind of attack that is harder to protect against. They get you to run something from the web browser, or to install a remote-control program with your own permission, at a point where they have gained your trust. Once that program is running, the caller has the same control of your computer that you do.]
This is where they get you. I had played dumb with Harry, stringing him along and pretending I didn't understand ("how do I find the Control key? Oh, the CTRL key!"). After half an hour of having this guy patiently explain to me how to minimize a window, find the CTRL key, and find the Windows key, let alone type in the commands he wanted (all the while I was Googling the stuff he told me, and came across this warning by Microsoft), I asked him if Connect to Technician would fix my problem. I said, because I have a big problem, I have too much money in my bank account, and wanted someone to steal it from me to help me with the problem.
The dude didn't know what to say. I told him I had been a Windows expert for 30 years, and now have Macs, so I don't even have Windows at home. And, that I would be reporting the phone number and web site to the FBI and FTC. Ah, so much fun making the guy squirm in his chair when I asked "Where is the Control key?" - if only I could see his face.
Friday, October 30, 2015
So, the other day, my daughter walked home from the bus stop, got home, did her normal thing, had dinner, and after dinner said "Dad, have you seen my phone?" With an iPhone, the normal procedure is to log into iCloud, which shows the lost device on a map, and tap "Play Sound" on it. (By the way, if the battery is dead or it is offline, it shows the last known location from when it was still connected to the network.) The sound plays even if the phone is set to silent; they thought of that, of course. She couldn't hear it, and apparently can't read maps well either. It showed on the next street over, on the way home from the bus stop. Sure enough, it actually showed which side of the street it was on, to an accuracy of inches. I pulled the car over, at night, walked to the spot on the neighbor's lawn, and voila. There it was. (By the way, the phone locations have been so accurate that I have been able to look at the map and tell whether it is in the front or the back of my house.)
It occurred to me: if someone had an Android device, what would they do? Android enthusiasts claim you can do anything and more on an Android device that you can do on an iOS device. Is this true? Well, it turns out, not quite. Android does have a location capability (Android Device Manager), but it has to be enabled, and it isn't by default; a new device doesn't prompt you to turn it on (at least, not yet). Once you enable it, you can locate the device while it is online, make it ring, lock it, or erase it remotely. Do you know how many times playing that sound has helped us find the iPhone or iPod that slid behind a couch cushion, or was hidden by the mischievous little brother?
Further, Android devices have historically been loosely protected against theft: if someone steals your device, on many models they can root it, reinstall the OS, and voila, they have a phone or tablet they can sell or use as new. (Android 5.1 added Factory Reset Protection, which ties a wiped device to its Google account, but it only helps on devices running that version with a screen lock and Google account set up.) How's that for protecting your investment in their product? I find it disgusting.
And, what about computers? With a computer, Mac included, theft protection is much harder because the hardware is made to be swappable and replaceable: a simple hard drive swap, and it's gone forever. Short of that, Find My Mac lets you locate and possibly recover your machine if it connects to the Internet, assuming the reported location (which comes from nearby WiFi networks and, failing that, the IP address) is accurate and not spoofed. Two cheap precautions raise the bar: set a firmware password so the machine cannot be booted from another disk, and turn on FileVault so a swapped-out drive yields nothing readable.
So, Apple at least has a basic protection on their computers, while they have an awesome well-rounded solution on their mobile devices. If you are angsting betwixt the fruit or the dessert brand of devices, I'd say the fruit is much healthier.
Tuesday, September 29, 2015
Why is this bad? Let's say an attacker knows this and sets up a network with that same name, or called "AT&T WiFi" or "Starbucks" or any of the myriad commonly used SSID names. Many devices will connect to it automatically, and voila, he sits in the middle of everything that device sends: he can read any traffic that is not encrypted, tamper with it, send you to fake versions of sites, and possibly attack the device itself (computer, phone, etc.). Traffic protected by HTTPS is not readable to him, but plenty of apps and sites still send data in the clear, and he can try to trick you onto an unencrypted connection.
Are you worried yet? You should be. There are things you can do, however, to help limit the chances of this happening.
- Pay close attention when you are joining a new network. Some devices show a different icon if the network is a normal WiFi router, versus a mobile hotspot (in other words, using someone's cell phone to set up a WiFi hotspot would show as a different icon). If this is the case, and you didn't intend it to be a personal hotspot, then don't join it.
- Verify with the store or hotel you are at, what their WiFi name is. Maybe there are several listed that are spelled similarly.
- Frequently review the list of saved WiFi connections you used in the past, and delete any one you think you will never use again. Below are instructions for how to do this in various devices.
Windows
In Windows 7, go to Control Panel, Network and Sharing Center, and click Manage wireless networks (one way to get there is to click the network icon in the tray and pick "Network and Sharing Center" from the pop-up menu). Then select the network from the list and click the Remove button.
Windows 8 removed that page. In Windows 8.1 and 10 the equivalent lives in the Settings app (Network, then Wi-Fi, then Manage known networks); select the network and choose Forget. On any version you can also list the saved networks from an administrator command prompt with netsh wlan show profiles, and remove one with netsh wlan delete profile.
Android
For Android devices, go to the Settings app, then WiFi, and tap (or long-press, depending on the version) the saved network in the list; a Forget button removes it from your list.
Apple Mobile (iOS)
For iOS devices, go to Settings, WiFi, and tap the little Info "i" button next to the network name. There will be a "Forget this Network" option. Note that only networks currently in range are listed there; to clear saved networks that are out of range you have to use Reset Network Settings (under General, Reset), which forgets all of them.
Apple Macintosh (OS X)
For a Mac, go to Network Preferences (you can get there easily from the WiFi icon in the menu bar). Make sure to unlock the preferences for changes, then click Advanced. In the Wi-Fi tab, select the unwanted network in the Preferred Networks list and click the minus (-) button, then click OK.
Finally, don't forget to click Apply to save your changes.
Note that you will have something similar on Apple TV, Roku, or other TV devices, although you probably don't travel with them and therefore don't join strange networks. But if you do, think about it.
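The checks below are an added example, not part of the original post and not any product's code: they run the three warning signs from the list above (a network you saved with encryption suddenly showing up open, one name broadcast with conflicting security types, and names spelled to look like a network you trust) over a scan list. The SCAN and SAVED data are constructed for the example; in practice you would feed in your operating system's scan output.

```python
import re

# Digits and symbols that read like letters, the way "Starbuck5" reads like "Starbucks".
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

# Constructed scan results, in the shape a WiFi scan tool reports them (not real data).
SCAN = [
    {"ssid": "Starbucks",   "bssid": "00:11:22:33:44:55", "security": "WPA2"},
    {"ssid": "Starbucks",   "bssid": "66:77:88:99:aa:bb", "security": "OPEN"},
    {"ssid": "Starbuck5",   "bssid": "de:ad:be:ef:00:01", "security": "OPEN"},
    {"ssid": "AT&T WiFi",   "bssid": "00:aa:bb:cc:dd:ee", "security": "OPEN"},
    {"ssid": "HomeNet-5G",  "bssid": "10:20:30:40:50:60", "security": "WPA2"},
    {"ssid": "Home Net 5G", "bssid": "de:ad:be:ef:00:02", "security": "OPEN"},
]

# Constructed saved-network list: SSID -> security type the device joined it with.
SAVED = {"Starbucks": "WPA2", "HomeNet-5G": "WPA2"}


def normalize(ssid):
    """Fold case, drop separators and map look-alike characters so near-copies collide."""
    return re.sub(r"[\s_\-]+", "", ssid.lower()).translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_networks(scan, saved, max_distance=1):
    """Return (ssid, bssid, reason) for every access point worth a second look."""
    security_seen = {}
    for ap in scan:
        security_seen.setdefault(ap["ssid"], set()).add(ap["security"])

    findings = []
    for ap in scan:
        ssid, bssid, security = ap["ssid"], ap["bssid"], ap["security"]
        reasons = []
        if ssid in saved:
            # The classic evil twin: your saved WPA2 network now also appears as an open one.
            if security != saved[ssid]:
                reasons.append("security is %s but saved profile expects %s" % (security, saved[ssid]))
        else:
            # Several access points sharing one SSID is normal (a building full of them);
            # the same name offered with different security types is not.
            if len(security_seen[ssid]) > 1:
                reasons.append("name broadcast with conflicting security types")
            for known in saved:
                if edit_distance(normalize(ssid), normalize(known)) <= max_distance:
                    reasons.append("looks like saved network '%s'" % known)
                    break
        if reasons:
            findings.append((ssid, bssid, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reason in suspicious_networks(SCAN, SAVED):
        print("%-12s %s  %s" % (ssid, bssid, reason))
```

On the sample data the legitimate Starbucks and HomeNet-5G access points pass, the open "Starbucks" twin, the "Starbuck5" lookalike and "Home Net 5G" are flagged, and the unrelated open "AT&T WiFi" is left alone, since an open hotspot you never saved is a choice, not a trap.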
Friday, September 18, 2015
A recent Credit.com blog article cited a study by a Canadian analyst firm showing that hackers are increasingly after online accounts rather than credit card numbers. This is because online accounts are more persistent: your credit card may change, but the replacement card (as a new one is issued) gets registered to the same account. (Yet another reason to use a service like Apple Pay or Samsung Pay, which does not give your card number to the merchant.)
And, in an earlier news article, NPR indicated that you are probably doing your online security all wrong - that IT and security experts place top priority on using a password manager to manage very long, randomly-generated passwords.
So, how do you manage your passwords? Do you have a handful that you can remember, that you use everywhere? If so, as the ZDNet Ashley Madison password analysis shows, you are doing it wrong! Chances are your password is very easily guessable, even when the thief only has a hashed copy of it.
Why should you care?
- America is the single biggest target in the world for cyber attacks. Why? We have the money, we are the best-known country, and there is a lot of ill will against us for many political or economic reasons.
- Each year, roughly 100 million American identities are stolen: from online shopping sites, from big stores (your card data passes through the register and the store's systems, and those systems get hacked), and even from Federal and State governments. (Do you trust anyone to manage their systems for your security?) To make matters worse, it may be months or years before a hacked institution even discovers the breach.
- As the cost of stolen identities and fraud mount, the brunt of those costs are initially borne by the companies or governments that are hacked - but those costs get baked into the cost of the goods and services, and we end up paying more for them. Credit cards already have a percentage of fraud built into them - that is going up, and we pay in terms of fees and interest rates.
- If your own identity is stolen, the thieves can do a large variety of things. They can open up accounts as you (cases have emerged where people suddenly got bills for houses they never bought, phone lines they never ordered, and credit cards they never opened). They can use your card without even physically stealing it - they can create a duplicate. Your credit history can be ruined, and indeed you may have to spend countless hours, months, or even years fighting in court to fight charges and clear your credit.
If you don't care about these 4 points, then stop reading now. If you do, then what can you do about it? Use a password manager. DO NOT use a spreadsheet or some document, electronic or written, to store your passwords. Use an encrypted password manager, such as Master Lock Vault, 1Password, or LastPass. Personally, I prefer the last two, because they have apps that integrate with Windows, Mac, iOS, and Android, so when you are in an app you can use the vault to enter your password. A few other tips:
- Keep up with OS updates as soon as they come out. This is true for your computer as well as all your devices.
- Use AVG Privacy Fix app on your mobile devices to review and tighten your privacy and security settings throughout your social networking apps. Stop giving games any access to your Facebook or other profile - this is just asking for trouble.
- Switch to a password manager (e.g. LastPass or 1Password), and generate new, random passwords of 16 characters or more for all your accounts. LastPass has a security challenge analyzer that goes through all the stored passwords, tells you which ones are used for more than one site (a big no-no), and gives you an overall score you can use to track your progress.
- Be very, very aware (and wary) of joining WiFi networks:
  - Many hackers set up fake WiFi networks that look like real ones.
  - Hackers can also join public WiFi networks and "sniff" the traffic going across them, to steal wide-open passwords (passwords transmitted as plain text instead of being encrypted), or even financial data.
  - Many devices show a different icon for a mobile hot spot versus a permanent WiFi router. Pay attention to small details like icons.
  - Set your devices not to ask to join available networks. You should only join if and when you need to, and only the networks that you choose at the time.
  - Review the networks your devices and computers have joined, and delete the ones you think you should never use again. I will provide a future post showing how to do this. Meanwhile, e-mail me if you have questions, or post in the comments below.
- In Windows, pick the right network location profile (Home, Work, or Public) when you join a network; Public turns off network discovery and file and printer sharing, which is what you want on any network you don't control.
- Apple computers and mobile devices, as long as they are not jailbroken, are widely regarded by security experts as the most secure mainstream platforms. As many recent exposures have shown, Android has the weakest record, and Windows has long been the biggest target (and therefore the most attacked) laptop/desktop platform. A single operating system shared across desktop, laptop, tablet and phone, as Windows now does, means one exploitable bug can affect every device type at once. Apple ships a separately tuned system for each type of device (computer, mobile, automotive, watch, and set-top box), although they share a good deal of code underneath, so don't assume a bug in one can never touch another.
- Apple has the most comprehensive offering across devices, safely and securely integrating your data and operations across their ecosystem (and many other compatible devices, such as HomeKit-compatible home automation appliances).
- I cannot recommend any other platform for mobile devices, as I have not yet seen any that measure up. Unless you want to get Blackberry, but I wouldn't recommend that nowadays.
- Linux provides an excellent platform for desktop/laptop/server computing, although you may find a lack of support for many end-user software packages, and for mobile devices. For general computing, if you are looking at a Chromebook, then ask yourself where you put your trust: in an advertising company whose primary income comes from targeted ads (and who develops ChromeOS for free)? Or in an open-source operating system from a reputable company that makes its money from services and premium offerings (à la Canonical)? Personally, if I were not inclined to get Apple, I would put Linux on a home or business machine.
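Putting the two password points together (the warning in the March 8 post above that a dictionary word with $ for S and a year on the end falls in minutes, and the password-manager security challenge described above), here is an added example, not code from this post or from any password manager: a miniature version of what a vault analyzer does. It hashes a constructed sample vault, runs a rule-based cracker over a five-word wordlist the way real tools run over millions of words, flags reused, cracked and short passwords, and generates a replacement from the operating system's secure random source. The vault contents, site names, wordlist and function names are all made up for the example.

```python
import hashlib
import itertools
import math
import secrets
import string

# Constructed sample vault (site -> password). Nobody's real credentials.
VAULT = {
    "bank": "P@ssw0rd1",
    "email": "P@ssw0rd1",          # reused: one breach opens both accounts
    "carrier": "Summer2015!",
    "forum": "dragon",
    "shop": "xK9#vQ2m!Lp8$wR4",      # the kind of thing a generator produces
}

# A five-word stand-in for the multi-million-entry wordlists crackers actually use.
WORDLIST = ["password", "dragon", "summer", "welcome", "letmein"]

# The substitutions people think disguise a word; crackers apply every combination.
LEET = {"a": "@4", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "$5"}
SUFFIXES = ([""] + [str(d) for d in range(10)] + ["123", "!", "1!"]
            + [str(y) for y in range(2010, 2017)]
            + [str(y) + "!" for y in range(2010, 2017)])


def mutations(word):
    """Yield the candidates a rule-based cracker derives from one dictionary word."""
    options = [[c] + list(LEET.get(c, "")) for c in word.lower()]
    for chars in itertools.product(*options):
        leet = "".join(chars)
        for cased in (leet, leet.capitalize(), leet.upper()):
            for suffix in SUFFIXES:
                yield cased + suffix


def sha256_hex(password):
    # Real sites should use a slow, salted hash (bcrypt, scrypt, Argon2); SHA-256 is used
    # here only so the example runs instantly. A fast hash just makes the cracker faster.
    return hashlib.sha256(password.encode()).hexdigest()


def crack(hashes, wordlist=WORDLIST):
    """Offline attack on a stolen hash list: return {hash: (plaintext, source_word)} for
    every hash reproduced by some mutation of a wordlist entry."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for candidate in mutations(word):
            h = sha256_hex(candidate)
            if h in targets:
                found[h] = (candidate, word)
    return found


def audit(vault, wordlist=WORDLIST):
    """The 'security challenge' a password manager runs over your own vault:
    flag reuse, dictionary-derived passwords and anything shorter than 16 characters."""
    hashes = {site: sha256_hex(pw) for site, pw in vault.items()}
    sites_by_hash = {}
    for site, h in hashes.items():
        sites_by_hash.setdefault(h, []).append(site)   # identical hashes == reused password
    cracked = crack(sites_by_hash.keys(), wordlist)
    report = {}
    for site, pw in vault.items():
        h = hashes[site]
        issues = []
        if len(sites_by_hash[h]) > 1:
            issues.append("reused on " + ", ".join(s for s in sites_by_hash[h] if s != site))
        if h in cracked:
            issues.append("cracked from '%s'" % cracked[h][1])
        if len(pw) < 16:
            issues.append("shorter than 16 characters")
        report[site] = issues
    return report


ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def generate(length=16):
    """A random password from the OS CSPRNG; no word, no pattern, nothing to mutate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing work for a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for site, issues in audit(VAULT).items():
        print(site, "->", issues or "OK")
    print("replacement:", generate(), "(%.1f bits)" % entropy_bits(16))
```

Two things worth noticing when it runs: the reuse between "bank" and "email" is visible from the hash list alone, before a single guess is made, which is how an attacker with a breached database picks targets; and a 16-character password from the 94-symbol alphabet carries about 105 bits, far beyond what any wordlist-plus-rules attack reaches.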
First, let's take a look at what it is they do that is so special. Basically, it is a way for people to ask questions and have the community answer them. There is nothing new about this; in fact it has been going on (electronically) since the 1980s with Usenet newsgroups on the Internet. When the World Wide Web hit in the early 1990s, newsgroups gave way to web forums. People post a question, and a discussion ensues.
What makes StackExchange so groundbreaking, is:
- Involvement from the community. Many people get instantly involved in the discussion, Q&A, to evolve or produce an answer.
- Credibility - StackExchange has developed a system of self-management, where users gain reputation for their various activities. If you ask a question that someone else votes up (likes), you gain reputation; if someone votes it down (dislikes it), you lose some. Same for your answers. For various other things you do, you may also earn badges. All add up to a reputation score, and as your reputation builds, you obtain more privileges.
- Self-Managing - the reputation score arises as a result of your interaction with the community. As you develop, you gain more privileges: you become able to help moderate. So as you earn badges for activity (my favorite badge is Necromancer: you answer a question more than 60 days old, and the answer earns a score of 5 or more), you gain the ability to review and approve other people's edits, make your own edits on other people's posts, and so on, all self-managed by other users with abilities similar to or above yours. The community wisdom emerges.
- Topics - StackExchange is divided up into communities (you can join multiple, and your reputation is separate in each). Communities are also websites - so StackOverflow deals with computer programming, SuperUser with all things computer (admin and usage), AskDifferent with all kinds of questions on Apple products, Academia for all types of professional academic topics, Android Enthusiasts...you get the point. There are literally hundreds, maybe thousands, of communities.
- Immediate Gratification - I have asked many different questions on many different topics, and almost always get an answer the same day. The communities are very active, and not trolled by people who just love to get angry at some perceived slight and go off on a rant. It works, and it works very well. In fact, anyone who does behave like that, I would imagine, would be losing lots of reputation.
Try it! Join any community you are interested in, and see how quickly it will become an invaluable resource.