Online Security Part 11 – To Go Forward You Must Backup

This silly quote used to be a trademark of the Dantz Corporation, the creators of one of the first backup solutions I used in the 1990s, called Retrospect. Those were the bad old days of tape backups costing thousands of dollars in hardware and software. Today it typically costs less than $60 to protect a computer’s priceless data such as photos, correspondence, and financial documents. That is the price of a 1 TB portable USB external hard drive, and the software is free with all modern computers. The process of setting up a backup system is also simple, so if you are not backing up your computer, stop what you are doing, visit your local office supply or electronics store, and buy one.

Welcome back. If you are using an Apple laptop or desktop computer, plugging the drive into a free USB port should automatically pop up a window asking something similar to, “Do you want to use My Backup (1 TB) to back up with Time Machine?” Time Machine is Apple’s name for its free, built-in backup solution and “My Backup” is the name of the drive you just plugged in (so it might be different). It takes a couple of hours for the first full backup to complete, but after that Time Machine works invisibly behind the scenes, making a copy of every changed file every hour. This is not only great for recovering from rare major issues like a hard drive crash, but also for more common issues like an inadvertently deleted file.

Amazingly, if you ever have to do a complete restore, it puts a computer back to the exact state it was in when the last snapshot was taken. It really is like a time machine! More details can be found on Apple’s support website (and the website 9to5Mac), but it is obviously super simple to setup and very powerful to use.

If you are using Windows 10, Microsoft has a similar option called “File History.” By default it backs up only the folders in your user profile (Desktop, Documents, Pictures, Music, Videos and the other libraries) rather than the whole drive, but that is still very useful. To set it up, select the Start button, then Settings > Update & Security > Backup > Add a drive, and choose an external drive or network location for your backups. You can find more information on Microsoft’s website.

Unfortunately, a single backup is not sufficient to create a robust recovery system for digital and physical disasters. Most experts recommend using something called the 3-2-1 rule: three copies of all data, on two different types of media, with one copy stored “somewhere else” such as “in the cloud.” For example, to keep that wonderful photo of your kids with the family dog safe, one copy would be on your computer’s hard drive, a second copy on a backup drive, and a third copy “in the cloud” through a service like iCloud, Google Photos, Dropbox, or CrashPlan. One caveat: a synced folder such as Dropbox or iCloud Photo Library only counts as a backup to the extent that the service keeps older versions. A file that is deleted, or scrambled by ransomware, on your computer is deleted or scrambled in the cloud copy within seconds, so check that version history is turned on and how long it is kept. The same goes for a backup drive that is always plugged in; a drive that is only connected while the backup runs (or rotated, as below) cannot be encrypted along with the computer.

Personally, I use a combination of Dropbox to back up critical files, iCloud Photo Library to back up photos, and a series of three backup USB external drives that I swap weekly. Is this overkill? Maybe, but the few times I have had to restore a computer from a backup, it has been a godsend, saving a day of tedious work restoring files and settings. Also, while the extra security is nice, daily benefits include photos that automatically transfer from phone to computer and Dropbox files that can be accessed from a phone or tablet anytime, from anywhere.

Finally, while there are hundreds of products that promise to “recover” from malware, nothing beats reformatting the hard drive and restoring files from a known, good backup. Malware is devious, and many malware removal companies are devious too. That last topic will be covered in the next part of this series, on online scams, but if you are still reading this and haven’t backed up yet…
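“Known, good” is doing a lot of work in that sentence. Time Machine and File History verify their own copies, but a plain copy on a swapped-out external drive is only as good as the last time someone checked it. The script below is an added example for this post, not part of Retrospect, Time Machine, File History or any product named above: it fingerprints every file under a folder with SHA-256, compares the live folder with its backup copy, and reports what is missing, changed or unexpected. The folder names and file contents in `demo()` are constructed for the walk-through.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under `root` (path relative to root) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):   # 1 MiB at a time
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_backup(source: Path, backup: Path) -> Dict[str, List[str]]:
    """Compare a backup copy against the live data it claims to mirror."""
    src, bak = build_manifest(source), build_manifest(backup)
    return {
        "missing":  sorted(p for p in src if p not in bak),                     # never copied / lost
        "modified": sorted(p for p in src if p in bak and src[p] != bak[p]),    # bit rot, ransomware
        "extra":    sorted(p for p in bak if p not in src),                     # stale files
    }


def backup_is_good(source: Path, backup: Path) -> bool:
    """A backup you would restore from: nothing missing, nothing altered."""
    report = verify_backup(source, backup)
    return not report["missing"] and not report["modified"]


def demo() -> Dict[str, List[str]]:
    """Constructed walk-through: copy a small tree, confirm the copy verifies,
    then damage it the way ransomware or a dying drive would and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "Documents"
        (source / "photos").mkdir(parents=True)
        (source / "taxes-2016.txt").write_text("constructed sample data")
        (source / "photos" / "kids-and-dog.jpg").write_bytes(b"\xff\xd8\xff" + bytes(64))
        backup = Path(tmp) / "MyBackup" / "Documents"
        shutil.copytree(source, backup)
        if not backup_is_good(source, backup):
            raise RuntimeError("a fresh copy should verify clean")
        (backup / "taxes-2016.txt").write_text("ENCRYPTED BY RANSOMWARE")  # contents changed
        (backup / "photos" / "kids-and-dog.jpg").unlink()                   # file lost
        return verify_backup(source, backup)
```

Run `verify_backup(Path("~/Documents").expanduser(), Path("/Volumes/My Backup/Documents"))` after each weekly swap and keep the printed report; an empty “missing” and “modified” list is what “known, good” means in practice.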

Online Security Part 10 – Is a Strong, Unique Password Enough?

Once you start down the rabbit hole of online security, it can seem endless. For example, as previously explained, strong passwords require a password manager to store them, and then the password manager requires an even stronger password to keep those strong passwords secure. No fewer than three parts of this series of articles have been dedicated to passwords, but believe it or not, there is a growing movement toward something called “two-factor authentication” that makes a strong, unique password only one of the two things needed to log in to critical accounts. It is so important that Apple even briefly considered making it mandatory for iCloud accounts, so it is definitely worth understanding before deciding whether to use it.

Unfortunately, it is a bit of a complex topic so let’s break it down into smaller parts.

  • What is it called? – The most common names are: Two-factor authentication (2FA), Multi-factor authentication (MFA), and Two-step verification.
  • Why is it used? – Email is central to other security features of accounts and can be used to reset passwords for other accounts such as banking, shopping, etc. Cloud storage accounts contain valuable resources that are synchronized across devices. Deleting something “in the cloud” can delete it everywhere. 2FA makes these and other accounts like banking more secure.
  • What is it? – 2FA requires a second step (factor) to log in. The factors are typically knowledge (of a password), possession (of a smartphone), and inherence (a fingerprint). Most often a 2FA login means entering the password and then a code from a text message sent to a cellphone, but other methods include a voice call, a code generated by an authenticator app on a smartphone that was paired with the account, a text message to a backup cellphone, or approving a prompt after unlocking a phone with a fingerprint. Of these, the text message is the most convenient but also the weakest, because a phone number can be moved to an attacker’s phone by sweet-talking the carrier (“SIM swapping”); an authenticator app generates the code on the phone itself and does not depend on the phone number.
  • How does it protect? – Simply put, 2FA combines something you know (the password) with something you have (the smartphone), so a password stolen on its own, as in Dan’s coffee-shop story from Part 7, is no longer enough to log in.
  • What are some dangers associated with 2FA? – A lost, stolen, broken, or hacked phone can make getting the code impossible, so all 2FA systems have backup methods: specifying a backup phone, printing a list of backup codes (recovery keys) and storing them in a physically safe place (not in a file on your computer!), or answering detailed security questions.
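The “code from an app” method is worth a closer look, because it shows why it needs no phone signal: the app and the account share one secret, agreed at pairing time (the QR code), and both simply compute the same six digits from that secret and the current time. The Python below is an added illustration for this post, written from the public standards (RFC 4226 HOTP and RFC 6238 TOTP); it is not the code of Google’s, Apple’s or any authenticator app. The secret used is the standards’ published test secret, not a real account’s.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test secret (the ASCII string "12345678901234567890",
# Base32-encoded). Real secrets are random and are shown as a QR code or a
# Base32 string when the authenticator app is paired with the account.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA1
    offset = digest[-1] & 0x0F                          # "dynamic truncation"
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set to
    the number of `step`-second windows since the Unix epoch. This is what the
    phone app displays; it needs only the secret and a roughly correct clock."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """What the account's server does with the code you type: recompute it for
    the current window and `window` neighbours either side (phone clocks
    drift), comparing in constant time so response timing leaks nothing."""
    t = int(time.time() if at_time is None else at_time)
    current = t // step
    return any(
        hmac.compare_digest(hotp(secret_b32, current + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )
```

Two things the code makes visible: the secret never travels anywhere after pairing, which is why the app keeps working in airplane mode, and losing the phone means losing the only copy of that secret, which is why the backup codes from the last bullet matter.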

As an additional step, it might be a good idea to keep an encoded list of passwords on a sheet of paper in a safe place. For example:

  • Power Company – jdoe@gmail.com – *bhr18$
  • Cellphone – jdoe@gmail.com – #dcd22@

Here “*bhr18$” stands for the real password “*beach-horse-ride18$” and “#dcd22@” for “#desert-cat-drive22@”. Creating strong passwords with a pattern like “place,” “animal,” and “action” can reduce confusion. Keep in mind that the sheet reveals the pattern and the first letters, so it is only as safe as the place it is kept.

It may sound crazy to add yet another layer to the security of critical accounts, but once it is set up 2FA doesn’t add much effort to use. Both Google and Apple have excellent tutorials on setting up 2FA for their services.

Online Security Part 9 – Mobile Security

In 2016, a major anti-virus company reported that Android-based malware packages had tripled in the past year to over 8.5 million. While this huge number is suspicious considering the source, i.e. a company that sells a subscription to its mobile security product for $15 a year, mobile malware is still an exploding issue. Ars Technica is a good website for unbiased, in-depth analysis of mobile threats.

The biggest headlines from the past year have been concerning:

If you are not convinced yet, the website 9to5Google reports that “A New Example of Android Malware is Discovered Every 10 Seconds.” Even an innocent-looking game guide with cute graphics that your child downloaded can hide nasty malware; one family of these was named “FalseGuide.”

In response, the security company Malwarebytes now has a section for mobile malware, and the descriptions look like the traditional descriptions of malware, with headings like “Spyware, Potentially Unwanted Programs (PUPs), and Ransomware.”

Malwarebytes also provides some best practices for avoiding these dangers. In a recent blog post, they strongly recommend only installing apps from the Google Play Store and blocking other app stores by turning off the Android setting called “Unknown Sources” (Settings > Security on Android 7 and earlier; from Android 8 onward the switch is per app, under Special app access > Install unknown apps, and should be off for every app).

They also recommend checking the permissions of installed apps. If that “innocent” game guide mentioned above pops up a permission request screen asking for device administrator rights (which let an app lock or wipe the phone), that’s a subtle clue that something is very wrong.
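The Play Store’s permission list is the check most people can do, but for anyone curious about what is behind it: every Android app declares its permissions in a file called AndroidManifest.xml, and the device-administrator request above shows up there as a receiver bound to `android.permission.BIND_DEVICE_ADMIN`. The script below is an added example for this post, not Malwarebytes’ code or any product’s; it reads a manifest in the decoded text form a tool such as apktool produces and flags the requests a game guide has no business making. The manifest and the app name in it are constructed for the example, and the list of risky permissions is a starting point, not a complete one.

```python
import xml.etree.ElementTree as ET
from typing import List

ANDROID = "{http://schemas.android.com/apk/res/android}"   # manifest attribute namespace

# Permissions a "game guide" has no legitimate need for (not exhaustive).
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS":              "can read incoming 2FA text codes",
    "android.permission.READ_SMS":                 "can read stored text messages",
    "android.permission.SYSTEM_ALERT_WINDOW":      "can draw fake login screens over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further apps",
    "android.permission.RECORD_AUDIO":             "can use the microphone",
}
# Components that bind to these are granted powers well beyond a normal app.
RISKY_BINDINGS = {
    "android.permission.BIND_DEVICE_ADMIN":          "device administrator: can lock or wipe the phone",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service: can read and act on any screen",
}


def review_manifest(manifest_xml: str) -> List[str]:
    """Return one human-readable finding per risky permission or binding."""
    root = ET.fromstring(manifest_xml)
    findings: List[str] = []
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID + "name", "")
        if name in RISKY_PERMISSIONS:
            findings.append(f"requests {name}: {RISKY_PERMISSIONS[name]}")
    for elem in root.iter():
        if elem.tag in ("receiver", "service"):
            perm = elem.get(ANDROID + "permission", "")
            if perm in RISKY_BINDINGS:
                findings.append(f"{elem.tag} {elem.get(ANDROID + 'name')} binds {perm}: "
                                f"{RISKY_BINDINGS[perm]}")
    return findings


# Constructed manifest for a fictional "game guide" app; no real app is implied.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cutegameguide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Cute Game Guide">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in review_manifest(SAMPLE_MANIFEST):
        print("WARNING:", finding)
```

Note that `INTERNET` is not flagged: almost every app needs it, and the point of the check is the mismatch between what an app is for and what it asks for, not the length of the list.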

Another suggestion is to be wary of something they call “You Get What You Pay For,” also known as “If You’re Not Paying, You’re the Product.” For example, Gmail is free for a reason: Google makes a lot of money from (anonymized) access to your emails. Gmail might be a good tradeoff for the valuable services it provides, but free VPN providers that sacrifice privacy, free games filled with ads, and free utilities that kill battery life and eat data are not worth saving $0.99.

If you are using an iPhone, most of the comments above don’t apply to you, because iOS apps normally come only from Apple’s App Store. This was discussed in the recent post, “How Secure is an iPhone.” While this could change, it would be front-page news. Still, be careful with the permissions you give iOS apps and beware of freebies.

Finally, don’t forget to back up your phone and use strong passcodes! More about that in future posts, but for now at least activate cloud-based backup for your iPhone (Settings > iCloud > iCloud Backup; on newer versions of iOS it is under your name at the top of Settings) or Android (Settings > Backup & Reset, though the exact path varies by manufacturer and version).

Additional Resources:
Making Your iPhone Safer and Android Malware Video

Online Security Part 8 – Being Safe on Public WiFi with a VPN

Four years ago I wrote a post about the risks involved in using public WiFi called “The Good, the Bad, and the Ugly.” While the information is still current, the suggestion to use a VPN has only recently reached mainstream awareness. This is due to Congress voting to allow Internet Service Providers (ISPs) to sell users’ browsing data. Now the market for VPNs has exploded, creating a confusing array of options. Even worse, most people don’t even know what VPN stands for, much less how it provides security and protects privacy.

VPN stands for Virtual Private Network. When you connect through one, everything between your device and the VPN provider’s server travels inside an encrypted tunnel, so the coffee shop, the hotel, or your ISP cannot read it or tamper with it. The provider, on the other hand, sees all of it, which is why the choice of provider matters. Beyond that basic definition, even a Google search is a bit misleading on how to use one. As the graphic shows, the first suggestion is “VPN Free,” and experts agree that a completely free VPN is worth what you pay for it… nothing! Those search results point to companies that sell your private browsing information to make money. So a VPN not only has to work technically, it has to be backed by an ethical company. Remember poor Dan from the previous post of this series: with a reputable VPN, his next step after joining the hotspot would have been to turn the VPN on (some “always-on” VPNs do this automatically), and from then on the fake “Free Coffee Shop WiFi” would have seen only encrypted traffic headed to the VPN server, not his Gmail login. To an eavesdropper, data encrypted by a VPN just looks like random characters; all that remains visible is that a VPN is in use and roughly how much data is moving.

But finding a reputable VPN company is tough because the VPN world has become a little like the anti-virus world, a confusing mess of spammy advertising posing as reviews. Also, certain VPNs are better for certain applications (privacy or security), usage levels, devices (Windows, Mac, Android, iOS, etc.), speed, and ease of use.

After considerable research, the options below are a good starting point, especially the website “The Best VPN.” I didn’t believe this was a legit website at first either, but it has a very well written article on Public WiFi with an excellent infographic about a quarter of the way down. The first three suggestions (out of ten) are the best:

  • Be mindful and proactive – Hackers can quickly plug in a flash drive with malware into an unattended computer or easily record video of keystrokes.
  • Turn off “Sharing” – A complex topic, but the article outlines the steps
  • Use a VPN – Of course! (don’t worry about Tor, that’s an advanced topic)

Finally, keep in mind that the VPN world is changing quickly: websites with honest reviews can change hands and become biased, VPN providers can merge, and new options are appearing every day. Do a little research and don’t sign up for “lifetime” VPN subscriptions.


Online Security Part 7 – Techniques for Layered Security

Before we start on what sounds like a boring topic, here’s a story that should help make it more interesting.

After work, Dan decides to indulge in a quiet cup of coffee in his favorite local shop with free WiFi. Opening his laptop, he notices a guy nearby hunched over, working intently on a laptop. He must be a hardcore techie, because his computer is covered with stickers and has a small antenna attached to it. The heavy metal band logo on his hoodie confirms Dan’s suspicions. A moment later, a beep from Dan’s phone reminds him that he has at least a dozen personal messages to read, so he connects to the first network on the list, “Free Coffee Shop WiFi.”

As he waits for the webpage to load, he thinks, “How strange, yesterday it was just called Coffee Shop WiFi, maybe they want people to know that it’s really free?” Soon he sees the familiar login page and signs into Gmail. It rejects his password. That’s also strange, he was so careful to type it correctly. He enters it again and it works. Annoyed now, he chalks it up to his new crazy complex password that he is using for his most valuable accounts. “Oh well, can’t be too safe these days.” Somebody at work suggested a password manager, but who has time for that nonsense. Besides, typing it once a month is no big deal.

You probably know where this story is going. Dan has just been hacked: “Free Coffee Shop WiFi” was the sticker-covered laptop, not the coffee shop, and the “familiar” login page it served was a copy of Gmail’s that captured his password before passing him along to the real site (which is why the second attempt “worked”). As soon as he leaves, the hacker will change the password to lock Dan out and try it against his bank, social media, etc. Dan won’t get the warning emails because he can’t access his account anymore. The hacker has reported his phone lost and erased it remotely.

Hopefully, this story demonstrates the need for what security professionals call “layered security.” It’s actually not that hard to implement. Earlier parts of this series have already discussed several of the layers: confirming the website address in the browser, HTTPS security, strong/unique passwords, and using a password manager. In this case, a password manager would have prevented the hacker from stealing Dan’s password. How? A password manager remembers the exact website address a password was saved on and only offers to fill it in on that address; the hacker’s fake login page, however convincing it looked, was not at Google’s address, so the manager would have stayed silent, and that silence is itself the warning. (The browser would have helped too: the hacker can copy the look of the Gmail page but cannot obtain a valid HTTPS certificate for Google’s domain, so a missing padlock or a certificate warning is the other giveaway.) A password manager also fills the password in rather than having Dan type it, so a hacker filming his fingers records nothing useful. Oh, those clever hackers!
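Here is that “only on the address it was saved on” rule in working form, as an added example for this post (it is not the code of any particular password manager, and the saved logins in it are constructed). The check is deliberately strict: the page’s scheme, host and port must all match a saved entry exactly, which is exactly what defeats the tricks a fake hotspot relies on.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault: the origin each password was saved on -> username.
# A real password manager stores the site address alongside the password
# precisely so it can refuse to fill it in anywhere else.
VAULT = {
    "https://accounts.google.com": "dan@gmail.com",
    "https://online.bigbank.example": "dan1975",
}


def origin_of(url: str) -> Optional[str]:
    """Normalise a page URL to its origin: scheme://host[:port]."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")        # hostname already drops any user@ prefix
    try:
        port = parts.port
    except ValueError:                               # e.g. https://host:notanumber/
        return None
    default = 443 if parts.scheme == "https" else 80
    if port in (None, default):
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def username_to_fill(page_url: str) -> Optional[str]:
    """Offer a saved login only when the page's origin matches a saved one exactly.
    Look-alike hosts, the real host as a subdomain of an attacker's domain,
    user@host tricks and plain-HTTP copies of the page all come back as None."""
    origin = origin_of(page_url)
    if origin is None:
        return None
    return VAULT.get(origin)
```

Real password managers are usually a little more lenient (most will fill an `accounts.google.com` login on `mail.google.com`, since both belong to google.com), but none will fill it on `accounts.google.com.evil.net` or on an `http://` page, and those are the two cases that would have saved Dan.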

To wrap up this post, below is a summary of the layers of security involved in Dan’s sad story and the associated parts of this series of posts.

  • Part 8 – The next post will explain why a Virtual Private Network (VPN) should always be used on public WiFi to stop others eavesdropping. Remember, most of the time hackers are not looking to hack you personally; they are looking for easy targets.
  • Part 3 – Never reuse passwords across sensitive accounts.
  • Part 2 – Look for secure connections to websites (the padlock symbol = HTTPS) and logout when done.
  • Part 4 – Use a password manager and secure it with a unique, very strong password. Below is a comic strip that explains how and why courtesy of XKCD.
  • Part 10 – Use something called two-factor authentication (2FA) to secure your most sensitive accounts. 2FA stops hackers by requiring “two factors” to log in, typically something you know (such as a password) and something you have, such as your cellphone (a code received as a text message).