Online Security Part 13 – Summary and Final Thoughts

After almost five months, we have arrived at the last part of this series and what a long, strange trip it has been. If you’ve made it this far, I hope you found this series interesting and useful. There are literally thousands of other suggestions for staying safer online, but the best seem to stay just short of paranoia while implementing reasonable security methods. For example, it’s worth providing one final reminder that ALL emails are insecure and links in them should be considered unsafe. Use bookmarks; type the site name; Google the site name (but don’t click on the ad please); etc. Think before you click! Never open attachments from unknown sources or click on suspicious looking pop up messages. Even if you recognize the name of the sender, if the email seems to come from “out of left field,” check the email address of the sender to see if it is real. You can protect yourself from many attacks by staying aware.

As far as anti-virus programs go, if good, layered security practices are used, the basic software that comes with a recent computer can be sufficient, i.e. Windows 10 Defender + Firewall and MacOS Internal Security + Firewall. The Wikipedia article on Anti-Virus software points out in the section “Issues of Concern” that anti-virus solutions can be as bad as the viruses they are supposed to be protecting against.

Where can you get help that isn’t a scam in itself? Malwarebytes seems to be one of “the good guys” and their forums are a VERY active source of support. Piriform also seems to be legit with good software for removing malware called CCleaner. When a strange message pops up, doing a Google image search for “fake virus warnings” can also be helpful.

Again, the key is to not be too paranoid or too complacent. People who write articles about security make money when others click on their links, so it literally pays to scare people into clicking and reading. Keep in mind that most people are not important enough to get hacked and if they were, a dedicated hacker, like a professional burglar, would be able to do it. The risks are in opportunistic hacking, i.e., leaving the back door open. The hacker thinks, “If I infect 1,000 computers and one person pays, great, that was a success.”

Finally, if you’re reading this and still don’t have a backup system in place, just remember “To go forward, you must backup!!!” $60 is a small price to pay or maybe you want to retake that photo of you with your dog from 20 years ago. You could borrow the neighbor’s dog and regrow those sideburns…

Online Security Part 12 – General Scams

If the wide variety of threats from malware, weak passwords, public Wifi, and mobile security weren’t enough, there are now scammers taking advantage of people by offering personalized service. For example, while ransomware was discussed in Part 2, some crooks distribute malware that includes a “tech support” number to call. Other criminals call users proactively, especially targeting the elderly and non-tech savvy, offering “free” support. This support includes stealing credit card numbers and installing additional malware at no extra charge. By the way, “Windows technical support” is never going to call with a warning about a virus!

“Social engineering” scams are not limited to malware. Here is a short list of the worst ones lately (and they’re changing all the time):

  • Job Offer Scams – A $75k / year job working from home based on an email interview! Wow! Oh, but they need $472 to cover the cost of (fill in the blank) or they need your banking information to setup direct deposit.
  • Reshipping Scams – Getting paid to reship products, but the goods are stolen and the payment never arrives.
  • Payment / Overpayment Scams – That ugly velvet painting of Elvis sold online for $50! But the stupid buyer accidentally sent you a check for $500… “Please refund the balance. Here’s my Western Union account.” When you refund the overpayment, they reverse the original payment.
  • Shipping Scams – A “valuable package” is stuck in customs, just send $100 to “release it.” PayPal has a whole page of their FAQ devoted to these crazy schemes.
  • Friend Help Scams – If a 90 year old relative is stuck in Venezuela and needs $500 to get home, that’s probably a hacked email account.
  • Mystery Shoppers, Free Vacations and All “Too Good to Be True” Scams – If it sounds too good to be true, then it is.
  • Technical Support Scams – Your browser cannot tell that you have a virus. It can however tell you that you have visited a “malicious site.” That is a legitimate warning.
  • App Store Scams – Signing up for a free trial of X triggers a prompt to subscribe. Tap the button to approve it by mistake and… “You will pay $99.99 for a 7-day subscription starting Jun 9, 2017.”

By the way, Robocallers are at the core of many of the scams above. I’ve started using Nomorobo, which is a great service to prevent Robocallers from getting through (there are many other options though).

Despite the length of this post, almost all of these scams boil down to using common sense: please send $500 to this Western Union account and you too can own the Brooklyn Bridge! LOL

Online Security Part 11 – To Go Forward You Must Backup

This silly quote used to be a trademark of the Dantz Corporation, the creators of one of the first backup solutions I used in the 1990’s called Retrospect. Those were the bad old days of tape backups costing thousands of dollars in hardware and software. Today it typically costs less than $60 to protect a computer’s priceless data such as photos, correspondence, and financial documents. That’s the price of a 1 TB portable USB external hard drive and the software is free with all modern computers. The process of setting up a backup system is also simple so if you’re not backing up your computer, stop what you are doing, visit your local office supply store or electronics store, and buy one.

Welcome back. If you are using an Apple laptop or desktop computer, plugging the drive into a free USB port should automatically pop-up a window asking something similar to, “Do you want to use My Backup (1 TB) to back up with Time Machine?” Time Machine is Apple’s name for their free, built-in backup solution and “My Backup” is the name of the drive you just plugged in (so it might be different). It takes a couple hours for the first full backup to complete, but after that Time Machine works invisibly behind the scenes making a copy of every changed file every hour. This is not only great for recovering from rare major issues like a hard drive crash, but also for more common issues like an inadvertently deleted file.

Amazingly, if you ever have to do a complete restore, it puts a computer back to the exact state it was in when the last snapshot was taken. It really is like a time machine! More details can be found on Apple’s support website (and the website 9to5Mac), but it is obviously super simple to setup and very powerful to use.

If you are using Windows 10, Microsoft has a similar option called “File History.” By default it only backs up files in a user’s home directory, but that is still very useful. To set it up, select the Start button, select Settings > Update & security > Backup > Add a drive, and then choose an external drive or network location for your backups. You can find more information on Microsoft’s website.

Unfortunately, a single backup is not sufficient to create a robust recovery system for digital and physical disasters. Most experts recommend using something called the 3-2-1 rule. This means three copies of all data are made on two different types of media with one copy stored “somewhere else” such as “in the cloud.” For example, to keep that wonderful photo of your kids with the family dog safe, one copy would be on your computer hard drive, a second copy would be on a backup drive, and a third copy would be stored “in the cloud” through a service like iCloud, Google Photos, Dropbox, or CrashPlan.

Personally, I use a combination of Dropbox to backup critical files, iCloud Photo Library to backup photos, and a series of three backup USB external drives that I swap weekly. Is this overkill? Maybe, but the few times I have had to restore a computer from a backup, it has been a godsend, saving a day of tedious work restoring files and settings. Also, while the extra security is nice, daily benefits include photos that automatically transfer from phone to computer and Dropbox files that can be accessed from a phone or tablet anytime, from anywhere.

Finally, while there are hundreds of options available to “recover” from malware, nothing beats reformatting a hard drive and restoring files from a known, good backup. Malware is devious and many malware removal companies are devious too. This last topic will be covered in the next part of this series on online scams, but if you are still reading this and haven’t backed up yet…

Online Security Part 10 – Is a Strong, Unique Password Enough?

Once you start down the rabbit hole of online security, it can seem endless. For example, as previously explained, strong passwords require a password manager to store them and then the password manager requires an even stronger password to keep those strong passwords secure. No less than three parts of this series of articles have been dedicated to passwords, but believe it or not, there is a growing movement toward something called “two factor authentication” that makes strong, unique passwords only one of the two things needed to login to critical accounts. It is so important that Apple even briefly considered making it mandatory for iCloud accounts so it is definitely worth understanding before deciding to use it.

Unfortunately, it is a bit of a complex topic so let’s break it down into smaller parts.

  • What is it called? – The most common names are: Two-factor authentication (2FA), Multi-factor authentication (MFA), and Two-step verification.
  • Why is it used? – Email is central to other security features of accounts and can be used to reset passwords for other accounts such as banking, shopping, etc. Cloud storage accounts contain valuable resources that are synchronized across devices. Deleting something “in the cloud” can delete it everywhere. 2FA makes these and other accounts like banking more secure.
  • What is it? – 2FA requires a second step (factor) to login. These factors typically include knowledge (of a password), possession (of a smartphone), and inherence (of a fingerprint). 95% of the time a 2FA login requires entering the password and the code from a text message sent to a cellphone, but backup methods include a voice call, a code from a smart phone app tied to the account, a text message to a backup cellphone, or responding to a prompt after unlocking a cellphone with a fingerprint.
  • How it protects? – Simply put 2FA increases safety by combining something you know, the password, with something you have, the smartphone.
  • What are some dangers associated with 2FA? – A lost, stolen, broken, or hacked phone can make getting the code impossible so all 2FA systems have backup methods such as specifying a backup phone, printing a list of backup codes (recovery keys) and storing them in a physically safe place (not in a file on your computer!), or answering detailed security questions.

As an additional step, it might be a good idea to keep an encoded list of passwords on a sheet of paper in a safe place. For example:

  • Power Company – – *bhr18$
  • Cellphone – – #dcd22@

Where “*bhr18$” would stand for the real password “*beach-horse-ride18$” and “#dcd22@” would stand for “#desert-cat-drive22@” Creating strong passwords with a pattern like “place,” “animal,” and “action” can reduce confusion.

It may sound crazy to add yet another layer to the security of critical accounts, but once it is setup 2FA doesn’t add much effort to use. Both Google and Apple have excellent tutorials on setting up 2FA for their services.

Online Security Part 9 – Mobile Security

In 2016, a major anti-virus company reported that Android based malware packages had tripled in the past year to over 8.5 million. While this huge number is suspicious considering the source, i.e. a company that sells a subscription to their mobile security product for $15 a year, mobile malware is still an exploding issue. ArsTechnica is a good website for unbiased, in-depth analysis of mobile threats.

The biggest headlines from the past year have been concerning:

If you are not convinced yet, the website 9to5Google says that “A New Example of Android Malware is Discovered Every 10 Seconds.” Even an innocent game guide with cute graphics that your child downloaded can hide nasty malware called “Falseguide.”

In response, the security website Malwarebytes now has a section for mobile malware and the descriptions look like the traditional descriptions of malware with headings like: “Spyware, Potentially Unwanted Programs (PUPs), and Ransomware.”

Malwarebytes also provides some best practices for avoiding these dangers. In a recent blog post, they strongly recommend only installing apps from the Google Play Store and blocking other App Stores by turning off the setting in Android called “Unknown Sources” (Settings > Security).

They also recommend Checking Permissions of installed apps. If that “innocent” game guide mentioned above pops up a permission request screen asking for full device admin rights, that’s a subtle clue that something is very wrong.

Another suggestion is to be wary of something they call “You Get What You Pay For.” This is also known as, “If You’re Not Paying, You’re the Product.” For example, Gmail is free for a reason. Google is making a lot of money from (anonymous) access to your emails. Google might be a good tradeoff for the valuable services they provide, but free VPN providers that sacrifice privacy, free games filled with ads, and free utilities that can kill battery life and use data are not worth the savings of $0.99.

If you are using an iPhone, 95% of the comments above don’t apply to you. This was discussed in the recent post, “How Secure is an iPhone.” While this could change, it would be front page news. Still, be careful with the permissions you give iOS apps and beware of freebies.

Finally, don’t forget to backup your phone and use strong passcodes! More about that in future posts, but for now at least activate cloud based backup for your iPhone (Settings > iCloud > iCloud Backup) or Android (Settings > Backup & Reset).

Additional Resources:
Making Your iPhone Safer and Android Malware Video