Category: Security

Updated Thoughts On Last Pass Breach

I just want to let you know my updated thoughts on this — now that I am more fully aware of what is going on.   Some of you I have helped move to another password manager 1Password or Bit Warden.  It’s entirely possible that you may want to stay with Last Pass and while they are not a company I would continue paying $36 a year to — it’s not the stupidest thing I’ve ever heard of (better then keeping passwords in an unprotected Word document on the computer, as some of my clients do.) 

If I were to give this situation a score I’m giving it a 5.5 out of 10, with 0 being nothing doing – walking to the sidewalk is a risk and 10 being nuclear disaster, call the lawyers. (However, I’m sure Last pass will be sued.)

Up until Thursday 12/22, Last Pass was a very respected commercial password manager, seen as an industry leader and widely praised among security experts — FOR YEARS.  Other competitors include 1Password, Dashlane, and Bit Warden.  In addition to personal use, Last Pass had a lot of corporate customers as well.  It’s estimated that there were as many as 37 million Last Pass accounts, just to give you an idea of their reach.  I had been a paying Last Pass customer since 2013. I think I first got started with formal password managers with 1Password back in 2010.  Back then I was primarily a Mac user.  I wanted to become fluent in both systems, so what I did for several years was keep my personal and business passwords in 1Password but keep all passwords related to my Master’s degree and the industry I was exploring in Last Pass.  Eventually around 2016-2017, I moved all of my passwords into Last Pass.  It wasn’t a better or worse situation, but since I was already paying for a Last Pass subscription and 1Password moved to a subscription model — I didn’t want to pay for a subscription to both.   The way I used to see things, I would recommend 1Password if a client was all Apple and and I would recommend Last Pass if there was a Windows device involved.  However, out in the wild there were plenty of Apple-only geeks out there that used Last Pass.  Today, it really doesn’t matter — both managers work fine on Windows and Mac interchangeably. 

Ending my story and back to the matter at hand — about a month ago Last Pass revealed that they discovered a minor security breach from back in August where no sensitive (ie. un-encrypted) data was revealed.   Companies are attacked all the time — insurance companies, the state government, etc, etc.  We never hear about it.  It’s like a vandal who breaks glass in a store but doesn’t steal locked goods.  It happens all the time.  Technically under the GDPR (European privacy laws, which are stricter than US), I believe notification is not required if ENCRYPTED data is stolen.  In general if data is truly well encrypted, it could take hackers multiple lifetimes — 1000s of years — to crack the data.  No one thought much of Last Pass’ previous announcement.  It’s nice that they let everyone know.

Then they made an announcement on 12/22.  Now that I have clarity on the breach, I want to be very specific.  These evil hackers did not have an active intrusion into Last Pass servers where they were running amok through customer data at the present time — like active shooters running through a mall — pardon the analogy.  The hackers breached a backup of Last Pass customer data that was connected to an employee’s computer in August 2022.  It all goes back to that breach.  It was an incident more than 4 months ago isolated to that point in time.

BUT BUT BUT — Last Pass’ claim to fame all these years was its ZERO KNOWLEDGE policy.   All customer data is locked with the Master Password right?  So the hackers got a big lump of coal, right?   Sadly — not true!!

While customers’ Master passwords and password data and secure notes WERE encrypted – customer names, email addresses and URL’s (meaning each website address they had a password for) WERE NOT encrypted.  Last Pass never let customers know this.  They certainly implied otherwise with that Zero Knowledge policy. 

It has not been revealed how many of the 37 million accounts’ data was stolen.  Logic would lead one to believe that this one employee did not have a backup of all of these accounts, but conservative estimates are perilous.  All customers should assume they were in the batch of stolen data.  The other key thing to remember is that this breach happened over 4 months ago and there haven’t been massive, widespread attacks against Last Pass customers.  According to experienced IT security professionals that I have interacted with over the past few days, this would indicate some sort of nation-state actor, likely looking to target specific individuals, such as their citizens or enemies. 

I think Last Pass failed on the communication front.  What did they know and when did they know it?   I do believe them that password data is secure if those passwords were protected with a secure Master Password. HOWEVER, some customers may have had WEAK master passwords. Uh-oh. Last Pass also failed in not having ALL data in a customer profile be encrypted. 

In conclusion, whether you are staying with Last Pass or moving to another password manager — you need a new master password and also the specific password for ALL SITES (all logins) need to be changed.  This will take you some time.  Do it deliberately and patiently.  Password managers like 1Password and Last Pass have a random password generator if you do not want to create your own.  I believe in also keeping a hard copy in a notebook as well.   I also like this tool for creating random passwords  https://www.random.org/passwords/  — your new passwords should be at the very bare minimum 12 characters long and ideally 14 to 16 characters plus, compliant with the website itself.  Some sites will not let you do 20 character passwords.

If there is any more help I can provide on this  — please let me know.

PS.  In case you are wondering — what password manager do your clients use the most?   They use the very limited password managers built into Safari, Firefox, or Chrome.  They are fraught with their own peril, in my opinion.  Frankly, many of my customers have dozens and dozens of insecure passwords.  So they have their passwords stored in a “manager” they don’t really use or maintain. 

Done With Last Pass and Two Holiday Gifts

Before I get to the holiday cheer — i need to tell you about a serious SECURITY INCIDENT.  I’m just going to get to the point.  I can no longer faithfully recommend Last Pass as a password manager.  Never putting all the eggs in one basket, I have recommended Last Pass and 1Password over the years as paid password managers to manage your treasured credentials.  Last Pass has now suffered its 2nd security breach in about a month.  The first one was minor, however in the latest incident customer credentials were accessed.  I can’t sugar coat this.  As of right now your passwords were not breached but user names, e-mail addresses,  billing addresses were.  So if the bad guy has  your user name and e-mail address — while they can’t get into your accounts necessarily just yet — they are a lot closer.  Last Pass was a great company when Joe Siegrest ran it.  He sold it about 7 years ago to Log Me In.  They were still good for a while.  It’s gone really off track.

I really haven’t publicized it, but since February I have used a password manager called Bit Warden.   If you are using Last Pass, your credentials can be exported to either  1Password ($36 per year) or Bit Warden ($10 per year).  Don’t make the decision based on price either.  You will want to choose one of these and then delete your info off of Last Pass as soon as possible.  I am available over the weekend, Monday or Tuesday to help you with this.

Happy Holidays Everyone!!!

Here Are My Holiday Gifts For you

#1 Alternative Electric Supplier — Look at your last Eversource electric bill.  If you are using 400 + kwh (kilowatt hours) per month right now, you will save money by changing electric suppliers  via the website energizect.com  .  You will still only get one Eversource bill per month.  

– Effective Jan. 1 — the Generation charge portion of your bill will double.  No joke  12 to 24 cents per kwh.

– Eversource does not profit off of generation.  They don’t care if you use an alternate generation company. 

– Unlike the “bad news” you might have heard about alternative suppliers 3 to 4 years ago, it’s a totally different ballgame now after laws were changed in 2020.  We the consumers are in control

-Best rates I was able to find right now are in the 16 to 17 range per kwh with 2 to 3 year guarantees on pricing.   It’s really a 1 way contract with the supplier guaranteeing you.   6 month, 12, or 18 months from now — if you want to change to another supplier or back to Eversource as your supplier — NO PROBLEM.  No penalty.

Examples of savings:

* I’m going to be saving $38 per month (use gas heat) by choosing Xoom as my supplier.

*My brother is going to be saving $50 per month (gas heat) by choosing Direct Energy as his supplier

*A client with electric heat in her condo (yikes!) is going to be saving $120 to $140 a month by choosing Xoom

*Just today – I saved a client $41 a month (oil heat) by choosing Xoom as his electric supplier.  This client’s annualized savings today paid for his Apple Watch. 🙂

And if Eversource’s new rate stays the same or goes up starting on July 1st — you could save even more in the summer months with that AC blasting.

No fees to switch  — one Eversource bill  — energizect.com  – you can do this!!

#2 Gift:  Some of you guys think this is funny or do not cut this page into strips to put on your fridge, near your phone and on your computer.  Please do.  I had several clients  get ripped off this year or near ripped off with infected computers.    Do you think you are so smart that you wouldn’t fall for a scam e-mail or phone call?  Think again.   I am an expert in helping older adults learn.  Older adults need reminders and reinforcement.    I have attached a 1 sheet document to print out — my $1000 Holiday Gift.   Use it  — pass it on.  It’s been updated for 2022 with some newer scams that I’ve dealt with.

In closing….

This may be my last update of the year — so I’ll close with this.   We need to take a lesson from Actor Tim Robbins and simply be kinder to each other.   The past 3 years have been a hyped up, hopped up time with a lot of division and demonization.  We do business together, we shop together, we exercise together, and attend events together.  I don’t exclude clients because of medical choices, politics, signs in the yard or whatever.  Co-existence does not confer agreement, but what I am really saying is everyone around here should do a better job of tolerating others.   Paraphrasing health guru Max Lugavere — eat more protein, less sugar, exercise more, and turn off the news.

Those are my new year’s resolutions!!

Have a joyful Christmas and Hanukkah!

Make Sure Your System Works

Make Sure Your (Password) System Works

Some clients along with yours truly use a sophisticated password manager. At the bare minimum you should have a paper notebook.  And then you should start new notebooks when they get all messed up and full of cross-outs.  However, whether manual or electronic, your system of password keeping is not good unless you regularly test that it works.  It’s just bad data if it doesn’t work.  So I’m suggesting that quarterly (if not more often, with banking and sites you frequent) — you should log into every website you have a password for.   Make sure you have WORKING PASSWORDS.

Common websites you need to check are —

https://my.xfinity.com/

Gmail.com

mail.yahoo.com

ATT Yahoo / att.net, sbcglobal, snet e-mail  https://currently.att.yahoo.com/

You should also try

-Microsoft Office subscription / Microsoft account  https://account.microsoft.com

iCloud.com 

-Your banking / investment websites

-Shopping websites

-Newspapers and publications

**It’s really really bad form to keep passwords in an unencrypted Word or Excel file stored on the computer.  You are setting yourselves up for theft.   Modern versions of Microsoft Office will allow you to save PASSWORD PROTECTED Word and Excel files.  These are somewhat encrypted and the encryption improved in Office 2016 and later.   Still not my favorite – but better than naked files.

Best Tip I Could Give On AOL Mail

(The 1990s is calling and they want their e-mail back.  HA HA.)

All kidding aside for some reason — you may still be using AOL for email.  I had a client last week who got scammed by a bogus e-mail that got through to his AOL account.  3/4 of his messages are SPAM.   His computer ended up being taken over by hackers.  It required a 3 hour appointment with me (and 1 hour follow up today), a complete erasing of the computer and setting it up again.

AOL Mail does not have customizable Spam settings where you could tell it for example to be Stricter about filtering spam.   However…….. we discovered there is a VERY powerful feature in the Options / Mail Settings.    If you are highly bothered by Spam in your AOL account — I strongly suggest turning it on. 

The name of this feature is

Block All Senders Except Contacts

It does exactly that.  Senders who are not in your Contacts will not be able to email you.   If you want to receive email from a particular person — add them to the Contacts.  People whom you’ve previously e-mailed are already in your contacts. 

This feature is in

Options  >> Mail Settings>> Block Senders

*My client is thrilled now as his Spam volume will be cut down by 90% or more.  This will save him from costly mistakes and the hassle of having to close his checking account and re-open a new one. 

The Value Of Anti Virus and Defensive Computing Strategies

(A couple of definitions before we start. I have talked about VPN’s before, with the VPN being a piece of software that runs on your computer (or computing device) that runs your internet traffic through a private tunnel. This can be done for privacy, security or both. DNS is the “phone book” through which you look things up on the internet (domain name system). By default you use the DNS of your internet service provider. If you own your own router, you can set a custom DNS (free option) that blocks most malware.)

The best anti virus is a strategy built around defensive computing practices defensive computing practices

– If I could only choose 2 of the following 3:  (#1) VPN that has a malware block option, (#2) using Quad 9 or similar as the alternate DNS in my router (which blocks about 99 % of known malware domains) for those situations when I don’t have my VPN on or I have browser bypassing my VPN, or (#3) traditional anti virus software…..

…. I would choose the first 2. 

however since it seems like many clients want to have the additional protection of antivirus software…..  you have to remember that the typical clients I serve are older adults either at home or in their businesses who are not very technologically savvy and like a lot of customer service and handholding.   I don’t necessarily put a lot of weight on antivirus rankings and publications that claim to do those rankings because a lot of them are just paid advertisements.

Traditionally — my go to recommendation for Mac AV has been Intego.  They are a French company with local phone support based in Texas. They’ve actually removed viruses from my clients’ computers so that’s why I trust them. The phone support has been excellent when my clients have needed them.

I’ve had good experiences with ESET on the Windows side – and based on my dealings their customer support was located in Southern California even though they are also a European company. I’ve never tried them out on the Mac but I wouldn’t doubt that they are an outstanding product.

Bit Defender has a legendary reputation but I don’t have a lot of real world experience with them. However, it should be known that they provide support by chat, E-mail and phone – so another senior friendly option.   Another Mac Anti-virus that I have found valuable in the past — though they are not necessarily known for providing great customer support for seniors is Avast antivirus. I don’t know if they still do this but they had a habit of scanning websites before you visited them which I thought was great. One time a Mac client was going to upload some sensitive information to his accountants website and avast detected that it was compromised. It led to a startling revelation for the accounting firm.

An antivirus that I would like to try out but haven’t is PC Matic. You may have seen a lot of their ads on TV. They’ve recently expanded to support the Mac and they use a very different strategy than traditional antivirus by blocking you from ever accessing tons of harmful websites.

In conclusion…

1.  Use defensive computing practices, do not click on links or open attachments from people you did not expect to receive them from. Do not re-use passwords. Use an ad blocker in your browsers.

2.  If desired, use a VPN that offers malware blocking meaning they block malware domains as one of the filter options. Personally, I use Windscribe VPN but there are others that do this as well.

3.  It’s impractical to use the VPN 100% of the time. Frankly, some of my clients just won’t use one period. I actually keep mine on pretty much 100% of the time but I’m allowed to exempt certain browsers so I always exempt one browser and therefore my activity in it is outside the VPN. For those situations that is why I have Quad 9 as the DNS in my router because it blocks 99% of malware domains.  Quad 9 is free to use.

4.   Antivirus is great for when strategies one through three fail or when you’re dealing with attachments or files on the computer. I would just make sure that the antivirus that you’re using scans all files opened, and ideally that they do a little scan of websites before you visit them. If customer support matters to you, I have given you a couple options that are better in that area. 90% of my Windows clients just use the built in Microsoft Defender. This anti-virus also features Smart Screen but it really only works if you are using the Edge browser. If you are on Windows and you are not paying for a 3rd party anti-virus – consider making Edge your primary browser. It is Chrome based these days and works very much like Google Chrome.

Comcast Gems and Basket of Tips

I hope it’s not a mundane Monday for you.

Going to the Movies – Thurs Apr 28 545 PM

For the first time in 2 years, I’m going to the movies.  WOW.  The great thing is that I don’t have to leave my home.  There is going to be an in person premiere of “Keeper of Time” at the SVA Theater in NYC on Thursday.  However, unlike typical theaters, viewers can watch virtually anywhere in the world at the same time.  This 90 minute documentary looks at why we measure time and why we care.  It also profiles four of the highest level watchmakers in the world.  You can find out more and see a 2 minute preview at https://www.keeperoftimemovie.com/home#about .  Tickets are $20 + $4 service fee.  I’ve got my virtual ticket and will be watching on my computer.  Hope to see you there.  Feel free to text me during or after the film if you want to discuss.

Gems of Comcast Services

Continuing with the streaming theme…..

If you need help with any other kinds of streaming such as Amazon Prime, Apple TV Plus, especially for the baseball games, let me know.  I’m finding that many of my clients that have Comcast / Xfinity for their cable TV provider are finding it especially easy to play services like Amazon Prime, Netflix, and others.  The Xfinity X1 remote has a microphone.  Holding down the phone will easily allow you to bring up those services by  name.  If you give the cable box permission (which I think is fine), you can also allow it to display results from the streaming services within the results of other On Demand programming.  My typical senior clients LOVE that microphone button on the remote.  It opens up a whole world of possibilities and usability.  It’s one of the gems of their increasingly expensive service.    Correct me if I am wrong, but I believe Cox cable has a similar remote that you can talk to. 

Roku Is the Best

If you don’t pay for TV or even if you do, having a separate streaming box might be a good idea.  I tend to prefer the Roku.  I have been a Roku user since 2011 or 2012.   It connects to all the major streaming services.  Modern Roku’s are also capable of Apple Air Play (direct beaming from iPhones, iPads, and Macs).  And in a room, like my bedroom, with no cable outlet — I can use the Roku as a virtual cable box for Comcast / Xfinity.

Basket of Tips

1)  I can’t stream?  Can I? Do you think I am capable? Am I too old?  I think you can!!  If you can master these 5 or 6 basic buttons on a remote, you will be streaming like a pro in no time

* The Directional Arrows*

Up — Down — Left — Right

OK,  Back, Exit, Home

>>>You’ve got this!!

2) There are TVs with the Roku platform actually built into it.  As long as is a current year model or last year — it may be a good deal if you need a new TV.  3 years old would be terrible.  I am a bit old school and I still like a separate Roku box or stick with my TV I am not a huge fan of built in Smart TV platforms but my wife uses built in You Tube all the time

3)  By the way — if you watch You Tube all the time — you probably want  You Tube Premium (which is not the same as You Tube TV).  You Tube is getting more aggressive about showing ads.  You either need an ad blocker on the computer or phone (which I use religiously) or sign up for You Tube Premium at $12.99 a month.  No Ads!!  It also gets you unlimited You Tube Music (formerly called Google Play Music.

Tips From Others — Tips 4 and 5 come from what I have learned out in the field

4) In an ongoing discrimination case involving a local police department one officer was asked if he had made a pact or an agreement with another party.   He was ordered to turn over his phone.  “No problem your honor — but I delete my text messages every night.”   Wow!!  As your digital privacy advocate — I love that!!  If you are concerned about this type of thing, you have my permission to erase your tracks like this.

5)  Want to prevent digital intruders or from that computer being ONLINE all night?  You can turn off WiFi or put your device in Airplane Mode every once in a while.  I don’t do this all the time.  I wouldn’t recommend doing it every night as updates are important but I would be OK with doing this some of the time or most of the time as some of my clients do. 

TMobile Improves Customer Security

https://tmo.report/2022/03/exclusive-t-mobile-adding-number-transfer-pin-for-port-outs/

According to the article — they will be implementing the NUMBER TRANSFER PIN  (NTP) soon.   This will require one to go onto the T-Mobile website or app to obtain a PIN number to transfer their number to another carrier.  Bravo!!!

There has been so much number transfer fraud — especially with this company.  It’s about time.

Weekend Technology Notes

Big Kid Macs

I was basically right in the email that I sent out to my Mac clients early Monday morning about Apple’s new Mac Book Pros. I knew the pricing would be higher.  The new Mac Book Pro 14 inch starts at $1999 and the 16 inch (which I don’t expect a lot of my clients will be buying), starts at $2499.  These are not rip offs by any means.  They are high powered professional machines.  Unless the “best” is desired out of principle rather than practicality, I think the Mac Book Air is going to suit the vast majority of my Mac clients seeking a laptop.  The 512 GB model @ $1249 would be the one I steer you toward.

Couldn’t Stop This Scam

I had a sad phone conversation with a client today about their friend.  Sadly this friend had been given my name before but had never joined my business family and the system of services and education that I provide.  This person got a  call from “Amazon” saying that someone had tried to purchase an iPhone Pro Max with their card but they had “stopped” it.   Sound real?  Think again.  The representative was granted access to the victim’s computer and had them log into online banking.  There the refund was “issued.” However it wasn’t.  The scammer simply adjusted the text code on the banking website.  Instead of a $1400 refund, the victim was “credited” $14,000 – by “mistake” of course.   The scammer said they would lose their job and demanded the difference back as a wire transfer.   Hint:  If it was $1000 involved, the scammer would have asked for gift cards.  However, the scammer saw that there was more than $14,000 in the victim’s bank account.  Only a wire transfer would do!  Their bank actually allowed the victim to send out the transfer, which went to Hanoi. 

UNBELIEVABLE!!   It really happened.  And the victim still believed it was real.  I told my client to tell this guy to go to his bank immediately.  Explain he is the victim of a crime.   Maybe — it can be reversed — but it’s doubtful in my opinion.  It’s hard to claw back a wire transfer, especially an international one. 

Update On T-Mobile Breach

Here is the most updated info from T-Mobile

https://www.t-mobile.com/brand/data-breach-2021

It turns out 47.8 million customers were affected (which is about 1/2 their US customer base).  It breaks down to 8 million cellular accounts and 40 million prospective customers that applied for credit.  Keep in mind credit was pulled in the past whenever new customers signed up or financed a phone.  (T-Mobile and Sprint now are one company.  I don’t know how many of these records pertain to old Sprint customers or if they are pre-merger T-Mobile accounts).    T-Mobile CLAIMS that no financial data, like Social Security #’s were accessed. 

Here is what they are doing however.  They are going to offer two years of ID theft protection through McAfee.   I’m going to skip that.  McAfee hasn’t done anything good for computer security since the 1990s.  The late, great company founder John McAfee despised what his old company had become before his death.  You can sign up for it if you wish, but I would prefer that  you obtain all of your credit reports from annualcreditreport.com, then sign up for a credit freezes or at the very least fraud alerts.

Secondly — here is something you can take action on today.  T-Mobile is asking you to change your account PIN.  This is also known as a billing passcode.  You can do it online or you can call 611 from your phone and talk to customer service.  If that billing passcode is in the wrong hands — someone can port your number out — steal it and take it to a different company. 

T-Mobile Data Breach

I don’t know all of my clients that have T-Mobile so I am going to make a general announcement in the weekly newsletter later.  However, I know you have T-Mobile.

Per reports I read in multiple sources like this Bloomberg article….

https://www.msn.com/en-us/money/companies/t-mobile-investigating-claims-of-data-breach-on-online-forum/ar-AANlDJU

TMobile’s entire customer database has been breached by hackers!! 100 million people.  The data discovered included full names, social security numbers and driver’s license numbers.    This is disgusting.  This information should have been stored in an encrypted fashion. 

My Thoughts

– I don’t think I’m going to leave T-Mobile tomorrow.   This could have happened to Verizon or AT&T as well, in theory.   They could have better security, but I don’t know.

– I don’t apply for credit all the time, so more often than not, I keep my credit reports frozen.  No one can open up accounts with the freeze in place.   If you do have your credit run often, you may want to consider a FRAUD ALERT instead, which will require your permission before lines of credit are opened.

– I assume T-Mobile will be providing its customers with a couple of years of some credit monitoring service.  That may be worth using, but keep in mind that during this pandemic annualcreditreport.com is offering all 3 credit reports free on a weekly basis.  https://www.annualcreditreport.com/index.action  — this website is the only one authorized by the federal government for obtaining free credit reports.   (The one on TV with that hideous jingle is NOT the same website.)

Websites for setting up credit freezes

https://www.transunion.com/credit-freeze

https://www.equifax.com/personal/credit-report-services/credit-freeze/

https://www.experian.com/freeze/center.html