Online Security Part 10 – Is a Strong, Unique Password Enough?

Once you start down the rabbit hole of online security, it can seem endless. For example, as previously explained, strong passwords require a password manager to store them, and then the password manager itself requires an even stronger password to keep those strong passwords secure. No less than three parts of this series of articles have been dedicated to passwords, but believe it or not, there is a growing movement toward something called “two factor authentication” that makes a strong, unique password only one of the two things needed to log in to critical accounts. It is so important that Apple even briefly considered making it mandatory for iCloud accounts, so it is definitely worth understanding before deciding whether to use it.

Unfortunately, it is a bit of a complex topic so let’s break it down into smaller parts.

  • What is it called? – The most common names are: Two-factor authentication (2FA), Multi-factor authentication (MFA), and Two-step verification.
  • Why is it used? – Email is central to other security features of accounts and can be used to reset passwords for other accounts such as banking, shopping, etc. Cloud storage accounts contain valuable resources that are synchronized across devices. Deleting something “in the cloud” can delete it everywhere. 2FA makes these and other accounts like banking more secure.
  • What is it? – 2FA requires a second step (factor) to log in. These factors typically include knowledge (of a password), possession (of a smartphone), and inherence (of a fingerprint). 95% of the time a 2FA login requires entering the password and the code from a text message sent to a cellphone, but backup methods include a voice call, a code from a smartphone app tied to the account, a text message to a backup cellphone, or responding to a prompt after unlocking a cellphone with a fingerprint.
  • How does it protect you? – Simply put, 2FA increases safety by combining something you know, the password, with something you have, the smartphone.
  • What are some dangers associated with 2FA? – A lost, stolen, broken, or hacked phone can make getting the code impossible so all 2FA systems have backup methods such as specifying a backup phone, printing a list of backup codes (recovery keys) and storing them in a physically safe place (not in a file on your computer!), or answering detailed security questions.

As an additional step, it might be a good idea to keep an encoded list of passwords on a sheet of paper in a safe place. For example:

  • Power Company – jdoe@gmail.com – *bhr18$
  • Cellphone – jdoe@gmail.com – #dcd22@

Here “*bhr18$” would stand for the real password “*beach-horse-ride18$” and “#dcd22@” would stand for “#desert-cat-drive22@”. Creating strong passwords with a pattern like “place,” “animal,” and “action” can reduce confusion.

It may sound crazy to add yet another layer to the security of critical accounts, but once it is set up, 2FA doesn’t add much effort to use. Both Google and Apple have excellent tutorials on setting up 2FA for their services.

Online Security Part 9 – Mobile Security

In 2016, a major anti-virus company reported that Android-based malware packages had tripled in the past year to over 8.5 million. While this huge number is suspicious considering the source, i.e. a company that sells a subscription to its mobile security product for $15 a year, mobile malware is still an exploding issue. ArsTechnica is a good website for unbiased, in-depth analysis of mobile threats.

The biggest headlines from the past year have been concerning:

If you are not convinced yet, the website 9to5Google says that “A New Example of Android Malware is Discovered Every 10 Seconds.” Even an innocent game guide with cute graphics that your child downloaded can hide nasty malware called “Falseguide.”

In response, the security website Malwarebytes now has a section for mobile malware and the descriptions look like the traditional descriptions of malware with headings like: “Spyware, Potentially Unwanted Programs (PUPs), and Ransomware.”

Malwarebytes also provides some best practices for avoiding these dangers. In a recent blog post, they strongly recommend only installing apps from the Google Play Store and blocking other app stores by turning off the Android setting called “Unknown Sources” (Settings > Security).

They also recommend checking the permissions of installed apps. If that “innocent” game guide mentioned above pops up a permission request screen asking for full device admin rights, that’s a not-so-subtle clue that something is very wrong.

Another suggestion is to be wary of something they call “You Get What You Pay For.” This is also known as, “If You’re Not Paying, You’re the Product.” For example, Gmail is free for a reason. Google is making a lot of money from (anonymous) access to your emails. Google might be a good tradeoff for the valuable services they provide, but free VPN providers that sacrifice privacy, free games filled with ads, and free utilities that can kill battery life and use data are not worth the savings of $0.99.

If you are using an iPhone, 95% of the comments above don’t apply to you. This was discussed in the recent post, “How Secure is an iPhone.” While this could change, it would be front page news. Still, be careful with the permissions you give iOS apps and beware of freebies.

Finally, don’t forget to back up your phone and use strong passcodes! More about that in future posts, but for now at least activate cloud-based backup for your iPhone (Settings > iCloud > iCloud Backup) or Android (Settings > Backup & Reset).

Additional Resources:
Making Your iPhone Safer and Android Malware Video

Online Security Part 8 – Being Safe on Public WiFi with a VPN

Four years ago I wrote a post about the risks involved in using public WiFi called “The Good, the Bad, and the Ugly.” While the information is still current, the suggestion to use a VPN has only recently reached mainstream awareness. This is due to Congress voting to allow Internet Service Providers (ISPs) to sell users’ browsing data. Now the market for VPNs has exploded, creating a confusing array of options. Even worse, most people don’t even know what VPN stands for, much less how it provides security and protects privacy.

VPN stands for Virtual Private Network, and it means that when you connect, your data is encrypted (i.e., safe and private). However, beyond the basic definition, even a Google search is a bit misleading on how to use one. As the graphic shows, the first suggestion is “VPN Free,” and experts agree that a completely free VPN is worth what you pay for it… nothing! These search results point to companies that sell your private browsing information to make money. So a VPN not only has to work technically, it has to be backed by an ethical company. Remember, poor Dan from the last post of this series would have been safe from hackers if he had used a reputable VPN. After connecting to the WiFi, his next step would have been to activate the VPN (some “persistent” VPNs even do this automatically). A hacker cannot read data encrypted by a VPN; anything intercepted just looks like random characters.

But finding a reputable VPN company is tough because the VPN world has become a little like the anti-virus world, a confusing mess of spammy advertising posing as reviews. Also, certain VPNs are better for certain applications (privacy or security), usage levels, devices (Windows, Mac, Android, iOS, etc.), speed, and ease of use.

After considerable research, the options below are a good starting point, especially the website “The Best VPN.” I didn’t believe this was a legit website at first either, but it has a very well written article on Public WiFi with an excellent infographic about a quarter of the way down. The first three suggestions (out of ten) are the best:

  • Be mindful and proactive – Hackers can quickly plug in a flash drive with malware into an unattended computer or easily record video of keystrokes.
  • Turn off “Sharing” – A complex topic, but the article outlines the steps.
  • Use a VPN – Of course! (don’t worry about Tor, that’s an advanced topic)

Finally, keep in mind that the VPN world is changing quickly: websites with honest reviews can change hands and become biased, VPN providers can merge, and new options are appearing every day. Do a little research and don’t sign up for “lifetime” VPN subscriptions.

Online Security Part 7 – Techniques for Layered Security

Before we start on what sounds like a boring topic, here’s a story that should help make it more interesting.

After work, Dan decides to indulge in a quiet cup of coffee in his favorite local shop with free Wifi. Opening his laptop, he notices a guy nearby hunched over working intently on a laptop. He must be a hardcore techie because his computer is covered with stickers and has a small antenna attached to it. The heavy metal band logo on his hoodie confirms Dan’s suspicions. A moment later, a beep from Dan’s phone reminds him that he has at least a dozen personal messages to read so he connects to the first network on the list “Free Coffee Shop WiFi.”

As he waits for the webpage to load, he thinks, “How strange, yesterday it was just called Coffee Shop WiFi, maybe they want people to know that it’s really free?” Soon he sees the familiar login page and signs into Gmail. It rejects his password. That’s also strange, he was so careful to type it correctly. He enters it again and it works. Annoyed now, he chalks it up to his new crazy complex password that he is using for his most valuable accounts. “Oh well, can’t be too safe these days.” Somebody at work suggested a password manager, but who has time for that nonsense. Besides, typing it once a month is no big deal.

You probably know where this story is going. Dan has just been hacked and his Gmail login and password stolen. As soon as he leaves, the hacker will change it to prevent Dan from getting back in and try to access his bank, social media, etc. Dan won’t get the warning emails because he can’t access his account anymore. The hacker has reported his phone lost and erased it remotely.

Hopefully, this story demonstrates the need for something security professionals call “layered security.” It’s actually not that hard to implement. Earlier parts of this series have already discussed parts of the technique, such as confirming the website address in the browser, HTTPS security, strong/unique passwords, and using a password manager. In this case, a password manager would have prevented the hacker from stealing Dan’s password. How? It wouldn’t have entered the password, because the address of the hacker’s fake login page wouldn’t have matched the website address stored with the password. A password manager also fills the password in without Dan typing it, so a hacker video recording Dan’s fingers would have captured nothing. Oh, those clever hackers!
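The point above about the password manager (the fake login page didn’t match the site the password was saved for) as an added example, not code from the original post: a minimal version of the origin check a password manager performs before it fills a credential. The vault entry, the credential values and the policy of filling only on https pages are constructed assumptions for the example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault: the origin (scheme + host + port) the password was saved on, and the credential.
VAULT = {
    "https://accounts.google.com": {"user": "dan@gmail.com", "password": "*beach-horse-ride18$"},
}


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL to https://host[:port], the unit a password manager matches on.
    Returns None if the URL is not https or has no usable host."""
    parts = urlsplit(url)
    try:
        port = parts.port                      # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")  # .hostname drops any user@ prefix and is lowercased
    return f"https://{host}:{port}" if port and port != 443 else f"https://{host}"


def autofill_decision(page_url: str) -> Tuple[Optional[dict], str]:
    """Decide whether to fill. The credential is returned only when the page's origin is
    exactly the saved origin; a look-alike host, a different port, or a plain-http page gets nothing."""
    if urlsplit(page_url).scheme != "https":
        return None, "refused: page is not https"
    origin = origin_of(page_url)
    if origin is None:
        return None, "refused: no usable host in URL"
    credential = VAULT.get(origin)
    if credential is None:
        return None, f"no match: {origin} is not a saved site"
    return credential, "filled"


if __name__ == "__main__":
    for url in ("https://accounts.google.com/signin?hl=en",
                "http://accounts.google.com/",
                "https://accounts.google.com.login-help.example/"):
        print(url, "->", autofill_decision(url)[1])
```

Dan’s fake page would fall into the “no match” or “refused” branch, so the vault never hands the password to it.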

To wrap up this post, below is a summary of the layers of security involved in Dan’s sad story and the associated parts of this series of posts.

  • Part 8 – The next post will explain why a Virtual Private Network (VPN) should always be used on public Wifi to avoid others eavesdropping. Remember, most of the time hackers are not looking to hack you personally, they are looking for easy targets.
  • Part 3 – Never reuse passwords across sensitive accounts.
  • Part 2 – Look for secure connections to websites (the padlock symbol = HTTPS) and logout when done.
  • Part 4 – Use a password manager and secure it with a unique, very strong password. Below is a comic strip that explains how and why courtesy of XKCD.
  • Part 10 – Use something called two factor authentication (2FA) to secure your most sensitive accounts. 2FA stops hackers by requiring “two factors” to log in, typically something you know (such as a password) and something you have, such as your cellphone (a code received as a text message).

Online Security Part 6 – A Few Words About Online Privacy

A recent podcast on Recode, “How do I protect my privacy online?” featured digital security expert Tony Gambacorta answering questions about online security and privacy. He said, “The greatest threat is our own ignorance.” In terms of security, on the top of his list were many of the topics that are already in this series of posts, but the part about privacy was particularly interesting. In terms of privacy, his biggest concerns focus on the so-called Internet of Things (IoT) devices such as Amazon Echo, Google Home, and “smart home” cameras, thermostats, light controllers, security systems, Smart TVs, etc.

These are devices that provide useful features in return for legal access to what most consider their private world, such as conversations and activities in their home. For example, some people cover their laptop webcam with tape while their Smart TV has an embedded camera and microphone controlled by much less secure software. Many WiFi cameras that are used to monitor a home fall into this insecure category. Gambacorta also explains that a $20 device can be used in a coffee shop to anonymously eavesdrop on unencrypted web searches, emails, etc. For these reasons, a VPN service is critical when using public WiFi and will be explained in detail in a future post, but in general avoid free VPNs; they are often free because they are not private.

His privacy suggestions for people who aren’t tech-literate?

  • Don’t put something like a WiFi camera or Smart TV in a sensitive area of your house (or put tape on the lens).
  • Buy from people you know and trust. Buying a $70 Android phone from a user called “ThePhoneBoss” on eBay might not be the best choice for security or privacy.
  • Email is never private (unless you’re an expert).
  • Use your browser’s “Incognito” feature if you are searching for anything you wouldn’t want somebody else to know about (or something that you don’t want to see ads about in the future). This is also known as a “Private” or “InPrivate” window. As the graphic below shows, it is shocking how little privacy is involved when web surfing.

Well, that’s more than a few words, but let’s just keep that between you and me…