Online Security Part 6 – A Few Words About Online Privacy

A recent podcast on Recode, “How do I protect my privacy online?” featured digital security expert Tony Gambacorta answering questions about online security and privacy. He said, “The greatest threat is our own ignorance.” In terms of security, on the top of his list were many of the topics that are already in this series of posts, but the part about privacy was particularly interesting. In terms of privacy, his biggest concerns focus on the so-called Internet of Things (IoT) devices such as Amazon Echo, Google Home, and “smart home” cameras, thermostats, light controllers, security systems, Smart TVs, etc.

These are devices that provide useful features in return for legal access to what most consider their private world, such as conversations and activities in their home. For example, some people cover their laptop webcam with tape when their Smart TV has an embedded camera and microphone controlled by much less secure software. Many WiFi cameras that are used to monitor a home fall into this insecure category. Gambacorta also explains that a $20 device can be used in a coffee shop to anonymously eavesdrop on unencrypted web searches, emails, etc. For these reasons, a VPN service is critical when using public WiFi and will be explained in detail in a future post. In general, avoid free VPNs: they are often free because they are not private.

His privacy suggestions for people who aren’t tech-literate?

  • Don’t put something like a WiFi camera or Smart TV in a sensitive area of your house (or put tape on the lens).
  • Buy from people you know and trust. Buying a $70 Android phone from a user called “ThePhoneBoss” on eBay might not be the best choice for security or privacy.
  • Email is never private (unless you’re an expert).
  • Use your browser’s “Incognito” feature if you are searching for anything you wouldn’t want somebody else to know about (or something that you don’t want to see ads about in the future). This is also known as a “Private” or “InPrivate” window. As the graphic below shows, it is shocking how little privacy is involved when web surfing.

Well, that’s more than a few words, but let’s just keep that between you and me…

Cuba Is NOT Covered in Your T-Mobile Data Plan!

But over 140 other countries are included at no charge and wow, thank you T-Mobile for this honest and useful text message!

It is amazing how mobile communication has unified the world. A T-Mobile customer can take their phone from Argentina to Venezuela in South America and from Bahrain to Zambia in the Middle East / Africa enjoying free 2G data and texting at no charge. Voice calls are only $0.20 a minute.

To be fair, T-Mobile has its share of problems. Some truly terrible customer service, overloaded networks, a lack of coverage outside of major cities, and a load of salespeople in stores that could benefit from adult supervision top the list, but overall they are pushing the industry toward more open and fair access for all. They have also forced the duopoly of AT&T and Verizon into cleaning up some of their horrible business practices.

Some people think the world gets worse and worse every year, but in truth some of the changes brought about by technology are for the better. Global communication is one area that is critical to creating a better world. On a side note, one of our fellow travelers pre-paid AT&T $5,000 for unlimited voice / data service in Cuba. Ouch!

Part 5 – How Secure is an iPhone? Really, Really, Really Secure!

Today many people carry their entire digital life around in their smartphones. Emails, text messages, address books, calendars, to do lists, banking apps, music, and photos are just a few of the valuable items found on these small slabs of metal and glass. This makes the humble cell phone an attractive target for hackers. Recently, the news has been filled with stories about smartphone security. This is a result of the fact that the president was known to have been using an ancient, insecure Android phone from 2012 (Samsung Galaxy S3). He finally upgraded to an iPhone this week.

Why was an iPhone chosen for the President of the United States? Probably because it’s the most secure phone on the market today. It is amazing the lengths Apple goes to and they do it without much fanfare. Buried toward the end of the iOS webpage is a section called “Privacy and Security” with a short paragraph on security:

iOS offers the most advanced security of any mobile operating system. For starters, hardware and firmware features are designed to protect against malware and viruses, while iOS features help to secure your personal information. Touch ID lets you use your fingerprint as an easy alternative to entering your passcode each time, preventing unauthorized access to your device. And we give developers tools to make the safest apps possible, including top-notch encryption, app transport security, and more. The point is, security runs throughout the entire system — everything from the hardware to iOS to the App Store.

Deep down though, iOS security is a hidden universe of its own. The iOS Security Guide explains the details in 63 pages and there is an interesting lecture on Apple’s Developer website that covers the highlights in 25 minutes. To make a long story short, since Apple has control of both the iPhone hardware and iOS software, they can ensure security from the moment the iPhone is turned on and even when it is turned off. They don’t even allow downgrading iOS software since that would make a secure iPhone insecure. Also, each iPhone has a completely separate security microprocessor called the “Secure Enclave Processor” (SEP) that includes a unique code burned into it. This means that only your iPhone can decrypt your data. Finally, Apple enforces its commitment to security on its App developers as well as on how a device securely communicates with the outside world.

To be fair, Google / Android does care about security and implements many of the same measures in the most recent versions, but only 3% of Android users have upgraded compared to 80% of iOS users. Apple’s security philosophy is a great example of something called “layered security” which professionals recommend as the best practice to stay safe online. The next post in this series will explore layered security in detail.

 

Online Security Part 4 – Even More About Passwords

As explained in the last post in this series, a good password manager is critical to staying safe online. It is also the key to working efficiently. With more and more websites requiring a new login each time they are used, the lowly username screen has become a source of stress for many.

Luckily, there are many options and here is a summary of the best of them.

1Password is definitely at the top of the list and well worth the small cost of $3 a month. It works on MacOS, iOS, Android, and Windows devices and can synchronize passwords between them. It even has a family plan for $5 a month that can organize shared passwords while still allowing each member to store private ones in the same account. As a bonus, it can store much more than passwords, including WiFi logins, credit card information, driver’s license, and secure notes. Finally, it has a well-written tutorial for new users that can be found here.

The next option is for MacOS / iOS users and is called iCloud Keychain. Apple’s free solution is great due to the integration with their default browser Safari. Once turned on, it fills in passwords automatically, suggests strong passwords for new websites, offers to save existing passwords, and synchronizes passwords between devices logged into the same iCloud account. It can also securely store and fill in credit card information to make online shopping quicker. The website 9to5Mac recently published a post on iCloud Keychain that is worth reading, “iCloud Keychain and Answering Your Common Password Management Concerns.”

For Windows users, Microsoft’s Edge browser built-in password management is fine too. For complex reasons, it is a little less secure than professional solutions, but better than nothing. The biggest drawback is that it cannot synchronize passwords between Windows and a mobile device like an iOS or Android phone.

Finally, KeePass is a free and open source password manager, but more complex to install and use. You can find it at http://keepass.info/.

There is a constant stream of online articles on the best practices for password management. The 9to5Mac posts, “How to Approach and Manage Passwords” and “How to Implement and Benefit From Password Management Software” dive deep into the subject. For people short on time, they both end with an excellent summary simply called, “Do This.” So what are you waiting for? Do This!!!

Online Security Part 3 – More About Passwords

(This post is part of an ongoing series on Online Security. The other parts can be found here.)

These days, almost everybody has dozens of online accounts, most of which are tied to their email address. It is tempting to reuse the same ‘easy to remember’ password, but securing online accounts such as banking, email, Facebook, App Stores, and others with strong, unique passwords is critical to staying safe online. Email accounts are especially tempting targets for hackers because they not only provide the usernames for other accounts, but they also can be used to reset passwords and spread malware to other users.

For example, as reported in the news last December, hackers currently have data on over 1.5 billion Yahoo accounts. The Wikipedia article (https://en.wikipedia.org/wiki/Yahoo!_data_breaches) states that in the first part of the attack “The hackers had obtained data from over 500 million user accounts, including account names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers.” Hashed passwords can be translated as encrypted passwords, but to make a long story short, easy to guess passwords such as ‘123456’ or ‘qwerty’ are so common that hackers don’t even need to break the encryption.

Since user names are known by many other terms such as account name, user, user ID, email, login, login id, and screen name, this Yahoo data is an excellent starting point for more serious hacking. However, finding the time to change passwords is a daunting task. Each website’s password change option is in a different place and requires entering the old and new passwords. Then the new password has to be recorded somewhere safe. In a family, some of these new passwords also have to be available to others.

The good news is that the change doesn’t have to be done all at once. It is easier to start with the most critical accounts such as email, banking, computer locking, and cell phone passcodes. Next, other accounts such as social media, utilities, games, etc. can be updated little by little as they are used. The problem then becomes how to safely store those passwords. Many people store them in a small notebook next to their computer or in a text file on the desktop named PASSWORD.TXT. Please do not do that! The next post will provide several options for storing and automatically entering safe, strong passwords. As a teaser, if you don’t mind paying less than the cost of a latte a month, try 1Password from AgileBits. It can automatically and securely store, enter, and share passwords. Ahhh, finally a world where only ‘1Password’ has to be remembered! (https://agilebits.com).