Wed, 26 Oct 2016 00:00:00 +0700
Browser security should be on the top of everyone’s mind these days, as it’s one of the most likely ways you’ll be compromised.
Cyber-thieves know we spend most of our time on the Internet, so they’ve shifted their focus from just exploiting your OS (Windows, MacOS, etc.) to exploiting browsers in conjunction with operating systems and utilities.
Computer security has definitely improved over the years, so hackers have had to implement a ‘blended attack’ approach to compromise users.
Instead of exploiting one program or utility, they use a combination of attacks on various known vulnerabilities in the most commonly used programs to improve their chances of success and to gain deeper access.
Your web browser is often the first item on the list in these blended threats.
Measuring Security in Browsers
There are a number of things to consider when evaluating browser security, but none of them points to the absolute best browser for everyone to use.
Security and usability can often be at odds; the most secure options can be more difficult to use and the easiest to use can often be the least secure.
With browsers, the most secure options are generally the ones that strip features out or employ tactics that result in noticeably slower performance.
There is no such thing as a 100% secure web browser, so you need to find the balance between security and usability that best suits your needs.
One measure of security you may want to consider is how often the browser is updated, since the update interval represents the amount of time hackers can exploit a known vulnerability before it’s patched.
Here are the standard update intervals for the most popular browsers:
Microsoft Internet Explorer and Edge – 30 days
Google Chrome – 15 days
Mozilla Firefox – 28 days
Apple Safari – 54 days
Opera – 48 days
Security Through Obscurity
The term ‘security through obscurity’ is often used to describe how lesser-used technology can be more secure only because it’s less targeted by hackers.
The most popular browsers have the largest number of known vulnerabilities because cyber-thieves are willing to spend more time trying to exploit a tool they know hundreds of millions of people are using.
One of the reasons that Safari and Opera have longer update intervals is that they have fewer vulnerabilities (and users) than the others, which many would suggest is a great example of ‘security through obscurity’.
Vulnerability counts by themselves don’t really say much, as the severity of the vulnerabilities and the complexity required to exploit them matter a lot more.
At a recent hacking contest called Pwn2Own, Google Chrome came out as the most difficult to exploit, while Apple Safari and Microsoft Edge didn’t fare as well (Opera and Firefox were not part of this competition).
What’s Really Important
Focusing on browser security is kind of pointless if you aren’t keeping everything else in your system updated as well.
Here’s the biggest problem we regularly see - risky online behavior can negate most anything you do from a security standpoint, so surfer beware!
Thu, 20 Oct 2016 00:00:00 +0700
With all the exploding battery stories surrounding the Samsung Galaxy Note 7, there seems to be a heightened awareness of battery issues, which is actually a good thing.
Lithium Ion batteries are in just about every rechargeable device we own and there have been many instances of them catching on fire in everything from laptops to hover boards to Tesla cars and even Boeing’s 787 Dreamliner.
In fact, there have been over 40 recalls by the Consumer Product Safety Commission since 2002 for products with defective lithium ion batteries.
Despite all of the stories of exploding batteries, it’s actually quite rare when you take into consideration the number of devices we all have with lithium ion batteries.
Why Batteries Catch Fire
The very nature of how they work is also what subjects them to becoming a fire hazard.
There is a potential for a ‘thermal runaway’ chain reaction whenever the battery becomes overheated, so keeping any device as cool as possible is important.
Well made batteries have safety features built into the battery itself to prevent overcharging and overheating, which is why exploding batteries are relatively rare.
The biggest mistake that most people make when using or charging a device with a lithium ion battery is contributing to the overheating.
For example, using a laptop for extended periods on a soft surface, like a pillow or comforter usually blocks off any air vents and acts like an insulator, which keeps the heat from dissipating.
This scenario can be even more hazardous if you’re charging the laptop at the same time as charging always generates additional heat.
If your device has been exposed to direct sunlight and is hot to the touch, you should wait until it reaches room temperature before attempting to recharge it.
Using the wrong charger to recharge your battery is another major contributor to problems, especially when too much energy is passed during the charging process.
If you ever lose your charger, it’s always safest to replace it with the original manufacturer’s replacement instead of a third-party charger.
To date, I’m not aware of any portable chargers that have been recalled because of a battery defect, but knowing that the design of the unit is a critical factor, I’d suggest you stick to name brand chargers.
Choosing a Charger
A portable battery is rated in milliamp hours (mAh) and amperage (A); the higher the numbers, the more capacity it has to charge your devices.
Generally speaking, the higher the capacity, the larger the battery as well so finding the right combination of size and capacity is key.
Start by determining the battery capacity of the item(s) you want to charge and then divide the capacity of the portable charger by that number to determine how many charges you can expect.
If you plan on charging larger devices, like a tablet, you’ll also need to make sure the amperage is high enough to get the job done (usually 2A).
Wed, 12 Oct 2016 00:00:00 +0700
In my more than 20 years providing data recovery services, it’s obvious that there’s as much confusion about backing up critical data as there has ever been.
Our data recovery division sees the results of this confusion on a daily basis as most of the conversations start with ‘I thought…’
The concept of backing up isn’t the confusing part, it’s the implementation where most people end up failing to protect themselves.
External Drive: Pros and Cons
One of the most common backup methods is to connect an external hard drive to your computer and set up a backup program to make copies.
Unfortunately, far too many people buy what is labeled a backup drive, connect it to their computer and start saving their important files directly to the drive.
Backup implies that there is more than one copy, which isn’t the case when files are saved directly to the external drive.
Another mistake with external drives we see is that no automatic scheduling is set up, so it’s on the user to remember to manually run a backup every time. As time goes on, the ‘I’ll get around to it tomorrow’ behavior takes over and it gets forgotten.
‘My computer was brand new, so I didn't think the hard drive would crash’ is another common statement we hear.
Another potential issue with the external drive configuration, especially with laptops, is that it needs to be plugged in when the automated backup tries to run.
External backups aren’t great at protecting against theft, fire, flood or the growing threat of ransomware because what impacts your computer also impacts your backup drive.
Online Backup: Pros and Cons
When high-speed always-on Internet connections became commonplace, pushing your critical data to the cloud became practical.
Unlike most external hard drive backups, online backups are automatically encrypted so that even if someone gains access to your data, it’s not directly readable.
More: (Are online backup services safe? https://goo.gl/O6Y63o)
Online backup companies are also in the cyber-security business, so they’re more likely to be aware of emerging threats than the average user trying to protect themselves at home.
With external backups, there is a one-time cost, while online backup services have annual fees, so over time, it’ll cost more to use an online backup.
Online backup services provide superior protection against ransomware because they aren’t directly attached to your computer, which doesn’t allow the malware to infect your backup files.
Most online services also include file ‘versioning’, meaning it keeps multiple copies of changed files, which can be really helpful when you accidentally over-write a file and don’t realize it for a while.
3-2-1 Backup Strategy
The very best backup strategy incorporates 3 copies of your data on at least 2 different devices with at least 1 of them off-site.
If you’re really interested in protecting your critical data, your best bet is to use both an external hard drive and online backup service, like Carbonite (https://goo.gl/ckDEQJ).
Data recovery services can get really expensive and sophisticated ransomware encryption is unbreakable, forcing many to pay the ransom, so having extra layers of protection can save you a lot of money and heartache.[...]
Wed, 5 Oct 2016 00:00:00 +0700
With the recent story about FBI Director James Comey admitting to having tape over the top of his webcams at home, this question is making the rounds once again.
Comey isn’t the only one that has tape over his webcams. Another story that took the Internet by storm was a picture of Facebook Founder Mark Zuckerberg showing that he has tape over both the webcam and the microphone jack on his laptop.
How Possible Is A Webcam Hack?
The technical capability for a remote hacker to gain access to your webcam is absolutely a possibility, so putting tape over your webcam will keep them from being able to see or record anything if they do get in.
But I’ve always contended that just putting tape over your webcam is a little like sticking your head in the sand, if that’s all you do.
In order for a remote hacker to make use of your webcam, they generally start by gaining access to your computer, which gives them complete access to EVERYTHING on your computer.
Making sure you have solid security software installed and paying attention to changes in the performance and startup times of your computer are also critical to sniffing out hidden malware.
Both Mac and Windows users are potential victims of the many social engineering tricks used by malware creators to gain access to your system.
One of the more common tricks is to convince you that you need to update your video playback software in order to see a video, which often presents itself as a convincing but fake pop-up with a link.
If you’re serious about protecting access to your computer’s webcam, you can install special software that monitors, blocks and alerts you whenever a program is attempting to use your webcam.
Windows users can look into using Phrozen Software’s Who Stalks My Cam (https://goo.gl/W5DwIa) which offers free threat detection as well as the ability to set up automatic responses to detected threats.
It also offers the ability to create ‘Whitelists’ of approved programs so applications like Skype that you do want to use won’t be stopped in their tracks.
Mac users can install a free program called OverSight (https://goo.gl/TvcWb1) from the R&D Director at Synack, an information security firm.
The OverSight program will monitor both your Mac's mic and webcam, alerting you whenever the internal mic is activated or whenever a program is attempting to access your webcam.
Patrick Wardle, the author of the program and former NSA staffer, recently discussed new ways malware could piggy-back on legitimate webcam sessions, so Mac users shouldn’t shrug off the threat as a Windows-only problem.
Most webcams have an LED that indicates that it’s in use, but some of the more sophisticated attacks can turn off the visual indicator or in the case of the recent proof-of-concept attack on the Mac, simply piggy-back onto legitimate sessions.
Remember, if a remote user can access your webcam, they can generally access everything on your computer, so don’t limit your concerns to the webcam.
Wed, 28 Sep 2016 00:00:00 +0700
Since water damage is one of the most common problems experienced by so many, getting a phone that can protect itself makes sense.
The technical definition of water resistant is that it’s able to resist the penetration of water to a certain degree but not entirely.
Waterproof technically means that it’s impermeable to water, no matter how much time it spends in water.
Unfortunately, these terms are thrown around as if they were interchangeable by so many.
With Apple throwing its ‘water-resistant’ hat in the ring with the iPhone 7, joining others like Samsung, Sony, Motorola and Kyocera, understanding the technical differences is helpful.
What the ‘IP’ Rating Means
Today’s smartphones generally have certifications published when it comes to resisting the elements signified by ratings such as IP67 or IP68.
The IP marking for International Protection or Ingress Protection (depending upon who you ask) is followed by two numbers.
The first number designates its ingress protection against solids, such as dust with numbers ranging from 0 to 6 (the higher the number, the better the protection).
When you see a 6 for the first number, then the smartphone is ‘Dust Tight’ which means it’s completely protected against contact with dust.
Having this rating can be important for hikers, mountain bikers or anyone that wants to use their smartphone in dusty environments.
The second number refers to the ingress protection against liquids, with numbers that can range from 0-9 (again, higher is better).
Can I Swim With My Smartphone?
Apple’s recent iPhone 7 announcement included news that it was water-resistant with a certification of IP67.
This means that it’s completely dust-proof and it can technically be submersed in water of up to 1 meter (about 3 feet) for a duration of up to 30 minutes.
Many Samsung and Sony smartphones have an IP68 rating, which technically means that they are completely dust-proof and water-resistant in depths ranging from 1 to 3 meters for a duration as determined by the manufacturer (usually 30 minutes).
These descriptions may make it sound like you can use your smartphone in the pool to take underwater pictures, but none of the manufacturers will recommend it.
The actual laboratory tests are done with smartphones in standby mode, meaning they aren’t being used in any way during the tests.
What it does tell you is that with either an IP67 or IP68 rating, if you get pushed into the pool with your smartphone, the chances of its survival are very high.
I’ve actually owned a Sony Xperia Z3 for years, which was one of the first consumer handsets designed to be water-resistant and the few times that it has been in water, it’s done just fine.
If water gets on the screen while it’s active, it’s not going to respond like it normally would because water conducts electricity just like your finger which is why using it underwater isn’t recommended.
Another thing to keep in mind is if the screen on a water-resistant phone gets cracked, replacing it will likely break the factory seal that protected it, so it will no longer be water-resistant.
Wed, 21 Sep 2016 00:00:00 +0700
This question illustrates the ongoing challenge we all have to face when it comes to balancing convenience with security.
Having your passwords stored in your browser is certainly a big convenience, but no matter how you look at it, the price you’ll pay is some level of security.
If you never save a password in your browser, technically speaking it’s certainly safer, but what you really need to do is weigh the actual risks against the convenience.
How and where you use your computer should also be a consideration as a laptop, smartphone or tablet is much more likely to be lost or stolen than a desktop computer in your home or office.
Saving passwords on your home computer that only you use is far safer than saving passwords on a mobile laptop that your whole family shares.
Saving passwords on benign sites that contain very little personal information is also less of an issue than saving passwords for any of your financial institutions.
Every major browser offers some form of encryption that securely stores the saved passwords on your computer, but we don’t really know exactly how ‘hackable’ their security may be.
The reality for most of us is that we're a lot less likely to be the victim of a hacker that’s specifically targeting saved browser passwords than we are to be the victim of theft or a lost device.
A stolen device loaded with a plethora of saved passwords is a cyber-thief’s dream, so it’s imperative that you set up some form of access code and auto-locking feature to reduce the potential damage should it go missing.
Installing some form of remote tracking and deletion software, such as https://preyproject.com on all your mobile devices is also a good idea, whether you’re saving passwords on them or not.
To Sync or Not to Sync
Another ‘convenience’ feature you’ll have to decide whether to use or not is the browser ‘syncing’ option.
Syncing allows you to share your browsing history and passwords across all your different devices, but in order for it to work, your information has to be stored by the browser company on their servers.
Once again, they offer various levels of encryption and with the exception of one company, Opera, we’ve yet to hear of any breaches of this particular secured data, but you’ve technically added another way to be exploited.
For its part, Google has created a central place that allows you to manage what passwords the Chrome browser saves which you can also password protect separately with a sync passphrase at https://passwords.google.com.
A Better Way
Security experts all tend to agree that if you’re going to use software to store your passwords, using a dedicated password storage tool such as LastPass, KeePass or RoboForm is more secure than using your browser to store your passwords.
Products that focus solely on protecting passwords instead of relying on browser developers that have to focus on many other things besides security should provide you with a better layer of security.
Wed, 14 Sep 2016 00:00:00 +0700
If you only had one or two to remember, creating long, complex passwords that you could easily remember wouldn’t be too difficult, but estimates are that most people average between 25-30 distinct online accounts.
This has led to the common, but unsafe practice of using the same password on multiple online accounts, which the security community has warned against ad nauseam.
All Security Eggs In One Basket?
Companies like LastPass, RoboForm, 1Password and Dashlane offer a solution that may seem a bit counter-intuitive: put all your security eggs in one basket.
On its face and from a purely technical standpoint, storing everything in one place seems a bit risky, but you need to compare it to what you’re currently doing.
No process is 100% secure, but if you’re using the same password everywhere, you’re in about the highest risk category that exists.
Password managers allow you to use strong unique passwords for every account, but only require you to remember a single master password.
Encryption Is The Key
Every password manager uses some form of encryption to secure your basket of passwords. This doesn’t make them impossible to compromise, it just makes it more difficult and a less desirable target.
Even when a breach occurs at an online password management service, the stolen data is encrypted, which means the thieves still have to spend the time to crack the security. By the time they can actually crack the encryption, you’ll have been notified to change your passwords by the breached service, rendering the stolen info useless.
Online vs Offline Managers
There are generally two ways that password managers store your encrypted passwords; in the cloud or on your computer.
Online password managers tend to trade a bit of security for convenience, because there is nothing to download or install and you aren’t limited to using the service on specific devices. Any device that has an Internet connection can potentially be used to access your accounts, but that also means that it’s potentially accessible by others.
Offline password managers are technically more secure because the only place that your information exists is on your computer or mobile devices, but that also means you’ll only be able to access your accounts from those specific devices.
This can become problematic if your computer goes down or you’re using a computer that you don’t own to try to access your accounts.
If you decide to use a password management system, the single most important password you’ll create is the master password.
Making sure it’s long (at least 12 characters) and complex as well as activating 2-factor authentication (https://twofactorauth.org) is critical to keeping everything secured.
Keep in mind, if you lose your master password, most of the services can’t help you recover it because they generally don’t store it anywhere as a security precaution.
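Added example (not part of the original column, and not the code of any product named in it): a Python sketch of why a stolen vault still has to be cracked one guess at a time, and why a service that never stores the master password cannot recover it. It assumes PBKDF2-HMAC-SHA256 with a constructed iteration count and record layout; the column does not say which scheme any service uses.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters for this sketch; real products choose their own.
ITERATIONS = 200_000
SALT_BYTES = 16
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte vault key (deliberately slow)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def verifier_for(key: bytes) -> bytes:
    """One-way tag that proves knowledge of the key without revealing it."""
    return hmac.new(key, b"vault-verifier", hashlib.sha256).digest()


def create_vault_record(master_password: str, iterations: int = ITERATIONS) -> dict:
    """What gets stored: salt, cost and verifier. Never the password or the key."""
    salt = os.urandom(SALT_BYTES)  # unique per vault, so cracking work cannot be shared
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier_for(key)}


def unlock(record: dict, attempt: str) -> Optional[bytes]:
    """Return the vault key if the attempt is right, otherwise None."""
    key = derive_key(attempt, record["salt"], record["iterations"])
    if hmac.compare_digest(verifier_for(key), record["verifier"]):
        return key
    return None


def seconds_per_guess(record: dict, samples: int = 3) -> float:
    """Measure what one guess costs on this machine; an attacker pays this per try."""
    start = time.perf_counter()
    for i in range(samples):
        unlock(record, "guess-%d" % i)
    return (time.perf_counter() - start) / samples


def years_to_search(length: int, seconds_each: float, alphabet: int = 94) -> float:
    """Average years to find a random password of `length` printable characters."""
    return (alphabet ** length) / 2 * seconds_each / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample master password, for illustration only.
    record = create_vault_record("correct horse battery staple")
    print("stored fields:", sorted(record))
    print("right password unlocks:", unlock(record, "correct horse battery staple") is not None)
    print("wrong password unlocks:", unlock(record, "password123") is not None)
    cost = seconds_per_guess(record)
    print("seconds per guess: %.3f" % cost)
    for length in (8, 12):
        print("%d random characters: about %.2e years" % (length, years_to_search(length, cost)))
```

The measured cost is for a single CPU core, so the year figures only show how the search space grows with length; they are not a prediction for an attacker with dedicated hardware.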
Making Your Decision
If you’re not tech savvy, using an online password manager is likely more secure than what you’re currently doing and it’s a lot less complicated.
If not, you can always use my low-tech password management suggestion: https://goo.gl/v8Rvjo
Wed, 7 Sep 2016 00:00:00 +0700
With the unveiling of the iPhone 7, the usual chatter about the latest features seems to be dominated by this seemingly odd design decision.
It would appear that Apple will eliminate the traditional 3.5mm analog headphone jack on all of its new devices in favor of the Lightning connector or their new proprietary wireless technology.
They actually aren’t the first smartphone maker to make this decision as Chinese manufacturer LeEco and the Moto Z line from Lenovo (formerly Motorola) have already eliminated the headphone jack.
The iPhone 7 will ship with Lightning earbuds and a special ‘dongle’ that converts the Lightning connector at the bottom to a standard headphone jack so you can still use older headphones.
Apple wants to get away from analog technology that was created in the 1960’s and use a more advanced digital audio output.
The Lightning connector at the bottom of the phone is capable of providing more than just a way to charge the iPhone and digital audio is just one option.
While the new Lightning headphones are certainly capable of delivering higher fidelity audio, I’m not sure the average listener will hear the difference, especially if the quality of the audio file isn’t all that great.
Many companies, including Apple, are trying to roll out higher fidelity music services, so having higher fidelity headphones is a natural part of their strategy.
More Room Inside
Another benefit of getting rid of the headphone jack is that it frees up space inside the phone itself. Space is extremely tight in all smartphones, so every millimeter counts, especially when it comes to something as large as a 3.5 mm headphone jack.
That extra space can be devoted to larger screens, bigger batteries, better antennas or a slimmer form factor.
The Wireless Future
We must remember that Apple was the first computer company to get rid of floppy disk drives and CD/DVD drives in their computers and in the name of innovation, the headphone jack had to go.
Unveiled along with the iPhone 7 were the new AirPod wireless earbuds, which use proprietary wireless technology and will sell for $159.
Apple knew that relying on the current Bluetooth standard for wireless audio would be too problematic, so they chose to create their own wireless connectivity technology to make things easier and more reliable.
3 Billion More Reasons
Many analysts scratched their heads when Apple agreed to pay $3 billion to acquire headphone maker Beats, but it’s now a little clearer how they plan to leverage that acquisition.
Whether you end up using Lightning headphones or the wireless earbuds, they’re both going to be more expensive than traditional headphones which plays right into Apple’s ‘premium products’ strategy.
Some of the initial concerns being voiced over this radical change include the inability to listen to music while charging the phone, owning headphones that only work on Apple devices, losing the special dongle or if you opt for the expensive wireless earbuds, losing them (they aren’t much bigger than traditional hearing aids) and having yet another thing to remember to recharge.
Wed, 31 Aug 2016 00:00:00 +0700
Since its humble beginnings in the 1950’s, voice recognition technology has made great strides over the years, but there are still many challenges to making it work the way most people envision it should work.
Managing your expectations about what it can and can’t do will have as much impact on your success as the technology itself.
If you’re looking for the kind of perfection portrayed in sci-fi movies, don’t bother looking at anything that’s commercially available just yet. Frankly, I’m not sure we’ll ever see an error free speech-to-text recognition system any time soon.
Understanding Accuracy Claims
You’ll likely see various claims being made about the accuracy rate of today’s technology, but keep in mind, a 90% accuracy rate means that every 10th word could be wrong. Even at 95% accuracy every 20th word could be wrong.
This means you’ll always have to spend time reviewing and correcting anything you generate, especially when it comes to things like homonyms and punctuation.
If you’re okay with that, then you’re ready for the next step.
Hardware Is Crucial
Everything starts with the microphone that generates the sound patterns that the software will attempt to recognize, so trying to use the built-in mic on a laptop or webcam isn’t going to cut it.
Ambient noise can make recognition even tougher than it already is, so you’ll need to invest in a decent headset mic so you’re providing the program with the cleanest audio possible.
Cadence Is Key
To get started with any voice recognition program, you always have to go through a training process so the software can get to know your voice and, more importantly, you train yourself on how to talk to the program.
Your cadence is the first thing you’ll need to change, because speaking to the program like you would to another human being is going to generate more errors.
This one area is where I’ve seen most people give up, because they aren’t willing to go through the learning/training curve in order to make the system provide a reasonable level of productivity.
Let’s face it, if you’re spending as much time cleaning up errors as it would have taken to type it out in the first place, it’s pointless.
Start With What You Already Have
You most likely already have voice recognition capabilities in your computer if the OS is reasonably recent.
Mac users can follow these instructions http://goo.gl/vQu4x2 to try using the Dictation tool that’s built in, while Windows 7, 8 and 10 users can go to the Control Panel and click on Ease of Access then Speech Recognition to turn it on.
None of these built-in technologies will compare with what most consider the industry leading software from Nuance called Dragon Naturally Speaking (http://goo.gl/yU6IbJ) which can range from $75 to $500.
Nuance also offers a smartphone app called Dragon Anywhere that you can try out for free to see if using your mobile devices works better for you.
Wed, 24 Aug 2016 00:00:00 +0700
A recent decision issued by the Ninth Circuit Court of Appeals is just the latest story to take on a life of its own because of the incessant need to create ‘clickbait’ across the Internet these days.
Headlines claiming that “sharing your Netflix password is now a federal crime” seem to be lingering thanks to social media.
What the court ruled on was that sharing your passwords can be grounds for prosecution under the Computer Fraud and Abuse Act, but the case was specifically ruling on unauthorized access by a former employee after the company had revoked his access to a protected system.
The former employee left the company to start a competing business and got a current employee to share her password so he could continue to access company records himself.
The majority opinion stated that the case was about stealing intellectual property and not about password sharing, but a dissenting judge disagreed.
This is apparently where the rumor mill started that evolved into the salacious headlines that you may have seen shared on Facebook or Twitter.
No part of this ruling directly addresses password sharing of your streaming services, although one of the judges did try to address the unintended consequences of the ruling because it was so broad.
What it does signal is that it’s now easier for businesses to go after current and former employees for sharing access credentials to protected systems with this ruling.
Most companies like Netflix, Hulu Plus and HBO have viewed password sharing as a viral marketing tool and wouldn’t be likely to ‘go after users’ even if this ruling does get interpreted in that way.
What can get you in trouble is if you sell your credentials to others, but simply sharing your credentials with a friend or family member isn’t suddenly a federal crime.
Netflix provided Snopes.com with this response to their inquiry into password sharing: “Netflix members can create up to five profiles on each account and the only limit is on how many devices that can be used to access Netflix at the same time, which is by plans. The $11.99 plan allows four devices to stream at the same time; the $9.99 plan allows two. As long as they aren't selling them, members can use their passwords however they please.”
Other services like Amazon have guidelines for sharing Prime Benefits by creating an Amazon Household posted here: http://goo.gl/jahmbg.
Cord-cutting millennials that are no longer at home use their parents’ password so they can watch popular shows like Game of Thrones and HBO is well aware of that.
HBO’s CEO Richard Plepler told Buzzfeed last year, “It’s not that we’re unmindful of it, it just has no impact on the business.” In many ways it’s a “terrific marketing vehicle for the next generation of viewers,” he said, noting that it could potentially lead to more subscribers in the future.
You can expect things to change as streaming services grow in popularity, but for now, you don’t have to worry about the Feds knocking down your door because you shared your Netflix password.