Category: Security

Using A VPN–Privacy and Security Factors

I have previously written generally about why VPNs are important, even for consumers and small business owners. Here I am going to get specific, covering the two main reasons for use (privacy and security) and the scenarios where they come into play.

Rewind:  If I were to rewind just a step, a VPN is an application you run on your computer, smartphone and tablet to give you a private tunnel out to the internet.  I’m not going to endorse one over the others — but the three I like are Express VPN, Windscribe, and Private Internet Access (PIA).  Costs range from $2 to $10 per month.   I have explored Mozilla VPN (put out by the Firefox people) with some clients and it lacks a key feature at the moment so I am not going to put it on the same level as the other three. 

So today I am talking about “John the consumer” and “Jane the plumber.” John uses computers and other devices at home. Jane owns a plumbing company and has an office on Main Street that she controls. (I’m going to leave working in an office under some big corporation out of the discussion because they often tell you what you can and can’t do with your computer.) John and Jane have two factors to consider when using a VPN — Privacy and Security, depending on where they are using the internet.

1.  At home or their office — Here the reason to use a VPN is PRIVACY.  John and Jane have routers with up to date firmware, computers with antivirus software, and computers and smartphones with the proper security updates.  Their internet connections are secure.   Speaking for myself, my home / home office Internet is totally secure even if I never use a VPN.  If you meet all of these parameters I laid out — there is like a 99% chance no one is going to infiltrate your internet connection.  John, Jane, and I use a VPN in the confines of our homes and offices because we don’t want our internet providers to know every website we visit.  We don’t want news or other shopping or informational websites recording our IP address (which ultimately links back to us).  It’s an issue of principle and privacy — not primarily for security. 

2. On Public WiFi – I’m talking about the mall, the library, the hotel, and the coffee shop now. People are going out a lot more and traveling. You do not have control over these public internet connections. They should not be presumed to be secure as in #1. This is a different ballgame. Here John and Jane use their VPNs for security. Even though you are on that public WiFi connection, you are doing so through your VPN tunnel. You will be protected from bad actors on that network. Snoops on that network are not going to be able to do harm to your devices. You are still getting that private connection, but the security of the VPN is the biggest factor here.

2a.  I should add this section here to say — I have found limited situations over the years where public WiFi connections refuse to play nicely with a VPN even after the settings are adjusted.   In these scenarios, if I am just using my smartphone, I turn WiFi off and just use the cellular connection.  At least I have a secure connection.  If I needed to use a laptop and couldn’t use a VPN, I would set up my smartphone as a hotspot. 

When Not To Use A VPN

– With Express VPN, Windscribe, and PIA — a split tunnel can be set up to allow certain apps to bypass the VPN.   Some bank websites do not work properly with a VPN on.  John, Jane, and I set up one browser to split off from our VPNs so that we can access any website that does not play nicely with the VPN.  This split tunnel feature does not work on iPhones.  It may work on some Android phones.

– When downloading operating system updates:  These happen outside of any browser and are typically very large files.  As long as John and Jane are on a secure connection in the home or the office, it wouldn’t be the end of the world to turn the VPN off solely for the purposes of the updates.

In conclusion, after digesting these two installments I’ve sent you, you may decide a VPN is not for you or it is right up your alley. The choice is yours. VPN use is on the rise among people like John and Jane. They keep theirs on automatically, whenever their devices are in use. Surfing the internet through a VPN tunnel is a pathway to freedom.

Important Security Update

For iPad and iPhone

If you have an iPhone or an iPad (even an Apple Watch) – there is an important security update that I just got notice of on Friday. It is known as iOS / iPadOS 14.4.2. This update fixes a critical flaw in WebKit. WebKit is the engine that powers Safari (all the website browsing you do) on those devices, along with any apps that might render parts of websites. Without WebKit, the iPad / iPhone does not function. This update covers the iPhone 6s and later and iPad Air 2 and later. Even though Apple is not updating the iPhone 6 and original iPad Air anymore, Apple did you a real favor. They have issued an OS 12.x update for these 2 so that you have the WebKit fix as well.

Settings >> General >> Software Update.    Get Updating!


Critical Password Practices

I had to deal with another security breach last week. It could happen to anyone. Accounts get hacked. Passwords are guessed. Bad guys keep trying until they get it right. These scammers will even try to make up fake email accounts and impersonate you if they have extra motivation to deceive. In this one instance I got called out to deal with, the hacker was probably in China but they were clever enough to make it seem like they were hacking from the USA. You don’t want this to happen to you, right?


You MUST NOT reuse passwords for multiple websites / services. Each account needs a separate password. A password should be easy for you to remember and hard for others to guess. It should not contain family members’ names. It should not contain your street name, street number, or year of birth. Do a Google Search on yourself. Your password should not contain any key words that come up in that search. You could use a password manager like 1Password or LastPass. However, this requires learning a new tool and I know not all of you are prepared to do this. You could use a random password generator tool, creating passwords of 12 characters or longer. https://www.random.org/passwords/ is a tool I have used with clients repeatedly over the years. If you are still saying this isn’t for you, OK, so at the very least you should do the following. Create a memorable base that you will use over and over again, then put a unique ending that helps you identify each site. Record everything in a password notebook at the very least. For example, let’s say you attended Camp Redwoods as a child and no one else knows that. Your password for Microsoft could be — ILoveCampRedwoods20msft — and then you could repeat this formula over and over again. That would be a bare minimum, but acceptable, strategy. Each password should ideally be 12 to 14+ characters long. Personally speaking, I have started making my passwords 25 – 30 characters long whenever possible. (This is very easy with a password manager.)

How to check for suspicious logins to Comcast Xfinity email account

I have now had 2 clients in the past year who’ve had their Comcast email accounts broken into.  Scams were attempted and some damage was done. 

Comcast has now put out a tool so you can see all of the login attempts on your Comcast account within the past 30 days. If you suspect anything or are just curious — you should sign into this website with your Comcast e-mail address and password.


https://security-console.identity.xfinity.com/

It worked very well for me with a client yesterday.  We determined that her account was hacked by someone accessing the internet through a server in Seattle, WA. 

One more tip — make sure that your Comcast email password is not the same as ANY OTHER password you use.

Your iPhone Records Everywhere You Go–How To Turn Off

Just wanted to give you all a mid-week blast. This came across my desk today and I thought some of you would want to flip the switch to turn it off.

I learned something new today — there is a fairly hidden setting in (Settings > Privacy> Location Services >>  then down to the bottom, System Services) — called Significant Locations.   It is a record of EVERYWHERE you have visited with your phone.    Kind of creepy!

Anyway, you can turn this off.   If you like the iPhone intelligently learning your patterns and making suggestions based on that — by all means leave it on. 

I think I’ll be turning Significant Locations off.

Microsoft–Do It To Me One More Time?

Unfortunately, this is not a Lionel Richie love song.

Here is the reading material — https://www.engadget.com/microsofts-windows-10-updates-printer-bugs-000112943.html

Unfortunately, June’s monthly Windows update (began rolling out 6/9) is messing up printing on what is likely a small but significant number of computers.  The same exact thing happened, including to several of you, back in October.

I remember all that I had to go through with my clients.  I had to come out for a bunch of appointments because of these printing woes caused by Updates.  In numerous instances, I had to delete and re-add your printer in Windows.   In one case, a client had to buy a new printer (which did solve the problem).  In the most extreme scenario, nothing was working for me.  I was ready to give up!   I literally had to back up all the files, erase the computer, and then “clean install” Windows 10 1909 which was the latest version of Windows in December 2019.  That fixed it.

These monthly updates are supposed to mitigate security concerns.   They should not break essential functions like printing.

I hope it doesn’t happen to you now — either again or for the first time.  If you purchased your Windows computer on your own, outside of my guidance, you probably have Windows 10 Home.  You are going to be forced to take the Updates when Microsoft dishes them out.

On all computers I had a hand in ordering — I made sure you have Windows 10 Pro.   With the Pro version — updates can be delayed.   I have likely delayed or instructed you to delay Feature Updates (new versions of Windows) by at least 3 months.  We have never touched Security Updates which are the monthly updates that are screwing with printing right now.   I think that Security Updates should be delayed by 7 days.  I could see doing 14 days, but I wouldn’t want you to go beyond that.  These monthly and “odd times” updates address pressing security matters. 

If you remember how to change these options — you go to — Start Menu >> Settings >> Update & Security   > Advanced Options.   The delay for Feature Updates should be 90 to 120 days.  The delay for quality (aka security) updates should be 7 to 14 days.      If you don’t see these choices in Advanced Options — you have Windows 10 Home.

One good thing is — if you have Windows 10 Home — you can upgrade to Pro for a one time cost of $99.  It’s pretty painless.

Microsoft Defender Good Enough For Most

1. Windows 10 — version 2004 is beginning to roll out.  I hate the naming scheme on this because it makes one think that this is Windows 2004.  The 20 and the 04 refer to the year and month that this version was finalized.   Anyway, there is no rush to install it now on day one.   It will be pushed out to your computer in due time.  If you want my help with a professional install, we can look into that down the road. 

2. For nearly all clients that I work with, I don’t think you have to pay for a separate anti-virus for your Windows computer. The built in Microsoft Defender is quite adequate. Only pay for anti-virus if it offers you something really special for what you are paying. I used to recommend one particular anti-virus because they offer phone support. I thought when dealing with an older client base, that would mean something. Over the years it really didn’t. Clients would still call me first if they had an issue. I don’t want to toot my horn but I haven’t had a client with a Windows security issue in a couple of years. So what I am saying is that I think the free built in Microsoft Defender is probably just fine. (If I were going to pay for an anti-virus, the only two that come to mind that I would probably pay for are PC Matic — $50 / yr for up to 5 devices for home use or Malwarebytes $40 / yr 1 device / $80 / yr 5 devices. This is NOT an endorsement, but I will support you in using either.) If you are paying for an anti-virus as a home based consumer, I think you can stop at your renewal, but please take #3 below to heart.

3.  So how do you keep yourself safe?

-Don’t install something you didn’t go looking for

-Treat links in e-mails and attachments skeptically

-Have multiple backups of your data. Carbonite and Backblaze are good online backup services. If you have a locally attached external hard drive, disconnect it from time to time. Macrium Reflect is my favorite Windows backup software. The built in Windows 10 File History is not terrible either.

-Use an ad-blocker in your browser – preferably uBlock Origin. 

-Keep up to date with Windows Updates. I rarely shut my computer down and let the updates occur automatically. If you regularly shut your computer down / disconnect from the internet, you should be checking for Windows updates weekly or biweekly.

Watch Out For Google Search Results

Learning About New (to me) Old Technologies During the Pandemic

I will never own a Rolex, or a Tudor, or an Omega. However, I was given a Seiko — made in Japan — watch for my big birthday last month that was roughly $160. It sparked an intense period of learning for me. I became fascinated by these tools for our wrists that are able to keep time and produce 21,000 + vibrations per hour WITHOUT a battery. I am referring to watches with a mechanical movement, whether they be automatic, hand wound or both. (Of course, there are wonderful quartz watches out there with batteries too.) Over the past 6 weeks, I think I have become quite knowledgeable on the sub-$500 watch market. There are awesome watches you can get out there for under $300 and in some cases under $200 as well. I haven’t found a way to incorporate this newfound love into my business as some kind of formal proposition, but I would definitely be willing to discuss this arena with you informally by e-mail or perhaps at the back end of an appointment.

Some insights I would be able to share with you include… There are many fine watches out there with Japanese movements.  It is possible to get affordable Swiss made watches.  I can help you understand the difference between a grey market watch and one from an authorized seller. (My Seiko came from a grey market store in NYC that also has an authorized division as well.)  Sometimes the right strap can make all the difference on a watch, especially a nylon “NATO” strap.  I don’t think we should think of watches by traditional gender distinctions.  A lot of so-called ladies watches are very stylish but not functional.  Why can’t a lady wear a nice man’s watch?  Of course she can!  There are so many possibilities if we think outside the watch box.  There are a lot of garbage watches coming out of China, but I can let you know about the one Chinese made watch that “watch people” really admire.

Watch Out For Google Search Results

Over the past couple years, I have seen some clients come up with bad luck on Google search results. It often starts with Googling for a phone number for customer service for a particular company. While Google has improved this type of searching and can often provide you with an obvious and legitimate number, you have to deal with paid search listings. I have tried to install ad blockers for all of you on your browsers and shown you how to turn that ad blocker on and off. However, if you do not have an ad blocker installed you are going to see at least 3 search results from Google that are ads. They should be clearly identified. However, you may not notice what you are looking at. Please be careful. Unfortunately, scam companies have been buying up key word ads from Google, so that when you search for XYZ bank customer service or Frontier customer service (for example), those first few results may not be what you are looking for. You will have to scroll beyond the sponsored listings to truly find what you want. Googler beware!

Not The Password Boy Who Cried Wolf–Part 127

I hear the birds chirping outside my window, but then again it’s unlike any other May Day in my lifetime.  My cherry blossom tree already bloomed for the year. Hope you’re starting to see those signs of spring as well.


Devices Update

-The new iPhone SE is a winning release for Apple. I will be doing my first remote setups for clients over the next week or so.  You could also buy it to hold for later.  At $399 it is more powerful than almost any Android phone on the market.  Whether you order directly from Apple or from your carrier, you can ask me which is best for you.  In many instances there are interest free payments available.  I think a lot of buyers will just purchase it outright.  Drawbacks?  I thought of one since last week and while it certainly isn’t a minus for me, it may be for some people.  The iPhone SE does not have 5G cellular technology.  Of course, no iPhone on the market has 5G right now.  The new more expensive “iPhone 12” models released in the fall will almost certainly have 5G.  Don’t let that stop you from taking advantage of this extreme value.

– 2020 Mac Book Air — I mentioned a few weeks ago that Apple has finally brought back the old keyboard design on their consumer focused Mac Books and that if you need a Mac Book, you can go ahead and strongly consider the new Air.  https://www.apple.com/macbook-air/   When you choose the base model at $999 ($899 with education discount), you will want to make 1 upgrade during the checkout.  PLEASE – choose the i5 processor for a $100 upgrade.  It’s well worth it.  So for $1099, you have an awesome Mac. 

Not The Password Boy Who Cried Wolf – Part 127

I’ve sent out e-mails like this before.  That is why I am calling it Part 127.  I get these sad stories from clients every so often.   An e-mail account has been compromised.  Requests for payment or money were sent out.  Someone didn’t screen the request properly and actually sent the money.  During this time of Covid19, the scammers have not rested.  This is peak season for them.   Some hackers have software that just keeps guessing at e-mail passwords until they can “crack” them.  The easier your password is, the better the chance that they will crack it quickly.  However, major e-mail providers like Gmail, Yahoo and Microsoft do have systems in place that lock the account after an excessive number of tries.   Yet, if your password is super easy to guess — it’s not going to help you anyway. 

One thing I have noticed during this “stay safe, stay at home” period is that many of you have terrible passwords.  You don’t take this seriously at all.  Think of all of the services you have that can be broken into if a bad actor were to get into your e-mail account.   Here are a few BEST PRACTICES that I have tried to teach to clients over the past 5 years or so.  Unfortunately, I don’t think many are making the grade on this topic. 

3 Ways to Create Better Passwords — Choose 1

-Use a professional password manager — like LastPass, 1Password, or Dashlane. (Of course this involves learning a new piece of software and not everyone wants to do this.)

-Use a random password generator. Set length to 12 or greater — and you will get totally randomized passwords to PRINT OUT. This is a tool I frequently use with clients: https://www.random.org/passwords/

-Finally — a client can come up with their own if they use a good formula — secure base plus specific ending for each site. Again, it should be something easy for you to remember, hard for others to guess. Let’s say for example not many people know I like John Denver music.

My base might be — “Leavingonajetplane”

My password for Microsoft might be Leavingonajetplane20msft

My password for Google might be Leavingonajetplane19goog

And so on.

Again, those would be good passwords, if no one could associate me with that base.
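As an added illustration (not part of the original posts), the password rules above can be checked mechanically: a separate password for each account, at least 12 characters, and no family names, street name or birth year inside it. The account list and personal terms below are constructed sample data, apart from the Camp Redwoods password, which is the example given earlier on this page.

```python
import re

MIN_LENGTH = 12  # the floor used in the posts: "12 characters or longer"


def _normalize(text):
    """Lower-case and keep only letters and digits, so 'Elm Street' matches 'ElmStreet'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def audit_passwords(passwords, personal_terms):
    """Check a dict of account -> password against the rules in the posts.

    personal_terms is a list of things a stranger could learn about you
    (family names, street name, birth year, hits from searching your name).
    Returns a dict of account -> list of problems; an empty list means OK.
    """
    # Group accounts by exact password to find reuse across sites.
    accounts_by_password = {}
    for account, password in passwords.items():
        accounts_by_password.setdefault(password, []).append(account)

    # Ignore very short terms; they would match by accident.
    terms = [t for t in (_normalize(x) for x in personal_terms) if len(t) >= 3]

    findings = {}
    for account, password in passwords.items():
        problems = []
        if len(password) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        others = sorted(a for a in accounts_by_password[password] if a != account)
        if others:
            problems.append("reused on: " + ", ".join(others))
        flat = _normalize(password)
        hits = sorted({t for t in terms if t in flat})
        if hits:
            problems.append("contains personal term: " + ", ".join(hits))
        findings[account] = problems
    return findings


# Constructed sample data for illustration only.
SAMPLE_PASSWORDS = {
    "email": "Sarah1974!",
    "bank": "Sarah1974!",
    "shopping": "42ElmStreetRocks",
    "microsoft": "ILoveCampRedwoods20msft",  # the example from this page
}
SAMPLE_TERMS = ["Sarah", "1974", "Elm Street"]

if __name__ == "__main__":
    for account, problems in audit_passwords(SAMPLE_PASSWORDS, SAMPLE_TERMS).items():
        print(account, "->", "; ".join(problems) if problems else "OK")
```

Run it only on a computer you trust, and do not save real passwords into the file.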


Extra Credit:   And while you have some time — if you do online banking — why don’t you call your bank’s help # and ask them this question.  It’s a very simple one.  What are you doing — beyond my user name and password — to protect my account?   Is there a 2nd factor?  Is there some other security measure? What do they offer beyond user name and password?

Thoughts On Zoom Controversy

Over the past few days, I have read all the bad news about Zoom. Between updates they put out from Thursday until today, they have corrected all of the issues. Some of the flaws they had are alarming; they are nicely detailed in this WSJ article: https://www.wsj.com/articles/zoom-ceo-i-really-messed-up-on-security-as-coronavirus-drove-video-tools-appeal-11586031129?shareToken=stf921d7c733df40db8c49d2a934d7ada2

However, I also think that as the fresh new kid on the block — Zoom’s success irritated established players that would benefit even from a 10% to 20% downfall from Zoom — Microsoft (with Teams and Skype) and Cisco with WebEx. One of the interesting facts about all of this is that one of the lead engineers at the original WebEx, prior to Cisco’s $3 billion purchase in 2007, was Eric Yuan. He is the founder of Zoom. Zoom’s goal was to make live conferencing easy, even without an account. Unfortunately — when conference rooms were created without passwords (no longer the default as of 4/5/20) anyone could enter them and harass people. However, a heckler could walk into an AA meeting or a meeting between students and professors in a lecture hall. Zoom in some ways mimicked real life.

Joining a WebEx meeting is really not that much different than joining a Zoom meeting. It often involves opening a link and an application launching. The controls and options are laid out in different places. New life is being breathed into Skype as they now have an account-less meeting option. The online meeting / conference space will see shifts in preferences as companies respond to potential threats. I hope Zoom can rebound from this. However, there is no doubt that stumbling by one entity creates opportunities for others.