Category: Security

Critical Password Practices

I had to deal with another security breach last week. It could happen to anyone.  Accounts get hacked.  Passwords are guessed.  Bad guys keep trying until they get it right.  These scammers will even try to make up fake email accounts and impersonate you if they have extra motivation to deceive.  In this one instance I got called out to deal with, the hacker was probably in China but they were clever enough to make it seem like they were hacking from the USA.  You don’t want this to happen to you, right?


You MUST NOT reuse passwords for multiple websites / services.  Each account needs a separate password.  A password should be easy for you to remember and hard for others to guess.  It should not contain family members’ names.  It should not contain your street name, street number, or year of birth.  Do a Google search on yourself.  Your password should not contain any key words that come up in that search.  You could use a password manager like 1Password or LastPass.  However, this requires learning a new tool and I know not all of you are prepared to do this.  You could use a random password generator tool, creating passwords of 12 characters or longer.  https://www.random.org/passwords/ is a tool I have used with clients repeatedly over the years.  If you are still saying this isn’t for you, OK, so at the very least you should do the following.  Create a memorable base that you will use over and over again, then put a unique ending that helps you identify each site.  Record everything in a password notebook at the very least.  For example, let’s say you attended Camp Redwoods as a child and no one else knows that.  Your password for Microsoft could be — ILoveCampRedwoods20msft — and then you could repeat this formula over and over again.  That would be a bare minimum, but acceptable, strategy.  Each password should ideally be 12 to 14+ characters long.  Personally speaking, I have started making my passwords 25 – 30 characters long whenever possible.  (This is very easy with a password manager.)

How to check for suspicious logins to Comcast Xfinity email account

I have now had 2 clients in the past year who’ve had their Comcast email accounts broken into.  Scams were attempted and some damage was done. 

They have now put out a tool so you can see all of the login attempts on your Comcast account within the past 30 days.  If you suspect anything or are just curious — you should sign into this website with your Comcast e-mail address and password.


https://security-console.identity.xfinity.com/

It worked very well for me with a client yesterday.  We determined that her account was hacked by someone accessing the internet through a server in Seattle, WA. 

One more tip — make sure that your Comcast email password is not the same as ANY OTHER password you use.

Your iPhone Records Everywhere You Go–How To Turn Off

Just wanted to give you all a mid-week blast. This came across my desk today and I thought some of you would want to flip the switch to turn it off.

I learned something new today — there is a fairly hidden setting in (Settings > Privacy > Location Services > then down to the bottom, System Services) — called Significant Locations.  It is a record of EVERYWHERE you have visited with your phone.  Kind of creepy!

Anyway, you can turn this off.   If you like the iPhone intelligently learning your patterns and making suggestions based on that — by all means leave it on. 

I think I’ll be turning Significant Locations off.

Microsoft–Do It To Me One More Time?

Unfortunately, this is not a Lionel Richie love song.

Here is the reading material — https://www.engadget.com/microsofts-windows-10-updates-printer-bugs-000112943.html

Unfortunately, June’s monthly Windows update (began rolling out 6/9) is messing up printing on what is likely a small but significant number of computers.  The same exact thing happened, including to several of you, back in October.

I remember all that I had to go through with my clients.  I had to come out for a bunch of appointments because of these printing woes caused by Updates.  In numerous instances, I had to delete and re-add your printer in Windows.   In one case, a client had to buy a new printer (which did solve the problem).  In the most extreme scenario, nothing was working for me.  I was ready to give up!   I literally had to back up all the files, erase the computer, and then “clean install” Windows 10 1909 which was the latest version of Windows in December 2019.  That fixed it.

These monthly updates are supposed to mitigate security concerns.   They should not break essential functions like printing.

I hope it doesn’t happen to you now — either again or for the first time.  If you purchased your Windows computer on your own, outside of my guidance, you probably have Windows 10 Home.  You are going to be forced to take the Updates when Microsoft dishes them out.

On all computers I had a hand in ordering — I made sure you have Windows 10 Pro.   With the Pro version — updates can be delayed.   I have likely delayed or instructed you to delay Feature Updates (new versions of Windows) by at least 3 months.  We have never touched Security Updates which are the monthly updates that are screwing with printing right now.   I think that Security Updates should be delayed by 7 days.  I could see doing 14 days, but I wouldn’t want you to go beyond that.  These monthly and “odd times” updates address pressing security matters. 

If you remember how to change these options — you go to Start Menu > Settings > Update & Security > Advanced Options.  The delay for Feature Updates should be 90 to 120 days.  The delay for quality (aka security) updates should be 7 to 14 days.  If you don’t see these choices in Advanced Options — you have Windows 10 Home.

One good thing is — if you have Windows 10 Home — you can upgrade to Pro for a one time cost of $99.  It’s pretty painless.

Microsoft Defender Good Enough For Most

1. Windows 10 — version 2004 is beginning to roll out.  I hate the naming scheme on this because it makes one think that this is Windows 2004.  The 20 and the 04 refer to the year and month that this version was finalized.   Anyway, there is no rush to install it now on day one.   It will be pushed out to your computer in due time.  If you want my help with a professional install, we can look into that down the road. 

2.  For nearly all clients that I work with, I don’t think you have to pay for a separate anti-virus for your Windows computer.  The built-in Microsoft Defender is quite adequate.  Only pay for anti-virus if it offers you something really special for what you are paying.  I used to recommend one particular anti-virus because they offer phone support. I thought when dealing with an older client base, that would mean something. Over the years it really didn’t.  Clients would still call me first if they had an issue.  I don’t want to toot my horn but I haven’t had a client with a Windows security issue in a couple of years.  So what I am saying is that I think the free built-in Microsoft Defender is probably just fine.  (If I were going to pay for an anti-virus, the only two that come to mind that I would probably pay for are PC Matic — $50 / yr for up to 5 devices for home use or Malwarebytes — $40 / yr for 1 device, $80 / yr for 5 devices.  This is NOT an endorsement, but I will support you in using either.)  If you are paying for an anti-virus as a home based consumer, I think you can stop at your renewal, but please take #3 below to heart.

3.  So how do you keep yourself safe?

-Don’t install something you didn’t go looking for

-Treat links in e-mails and attachments skeptically

-Have multiple backups of your data. Carbonite and Backblaze are good online backup services.  If you have a locally attached external hard drive, disconnect it from time to time. Macrium Reflect is my favorite Windows backup software.  The built-in Windows 10 File History is not terrible either.

-Use an ad-blocker in your browser – preferably uBlock Origin. 

-Keep up to date with Windows Updates.  I rarely shut my computer down and let the updates occur automatically.  If you regularly shut your computer down or disconnect from the internet, you should be checking for Windows updates weekly or biweekly.

Watch Out For Google Search Results

Learning About New (to me) Old Technologies During the Pandemic

I will never own a Rolex, or a Tudor, or an Omega.  However, I was given a Seiko — made in Japan — watch for my big birthday last month that was roughly $160.  It sparked an intense period of learning for me.  I became fascinated by these tools for our wrists that are able to keep time and produce 21,000+ vibrations per hour WITHOUT a battery.  I am referring to watches with a mechanical movement, whether they be automatic, hand wound or both.  (Of course, there are wonderful quartz watches out there with batteries too.)  Over the past 6 weeks, I think I have become quite knowledgeable on the sub-$500 watch market.  There are awesome watches you can get out there for under $300 and in some cases under $200 as well.  I haven’t found a way to incorporate this newfound love into my business as some kind of formal proposition, but I would definitely be willing to discuss this arena with you informally by e-mail or perhaps at the back end of an appointment.

Some insights I would be able to share with you include… There are many fine watches out there with Japanese movements.  It is possible to get affordable Swiss made watches.  I can help you understand the difference between a grey market watch and one from an authorized seller. (My Seiko came from a grey market store in NYC that also has an authorized division.)  Sometimes the right strap can make all the difference on a watch, especially a nylon “NATO” strap.  I don’t think we should think of watches by traditional gender distinctions.  A lot of so-called ladies watches are very stylish but not functional.  Why can’t a lady wear a nice man’s watch?  Of course she can!  There are so many possibilities if we think outside the watch box.  There are a lot of garbage watches coming out of China, but I can let you know about the one Chinese made watch that “watch people” really admire.

Watch Out For Google Search Results

Over the past couple of years, I have seen some clients come up with bad luck on Google search results.  It often starts with Googling for a customer service phone number for a particular company.  While Google has improved this type of searching and can often provide you with an obvious and legitimate number, you have to deal with paid search listings.  I have tried to install ad blockers for all of you on your browsers and shown you how to turn that ad blocker on and off.  However, if you do not have an ad blocker installed you are going to see at least 3 search results from Google that are ads.  They should be clearly identified.  However, you may not notice what you are looking at.  Please be careful.  Unfortunately, scam companies have been buying up key word ads from Google.  So when you search for XYZ bank customer service or Frontier customer service (for example), those first few results may not be what you are looking for.  You will have to scroll beyond the sponsored listings to truly find what you want.  Googler beware!

Not The Password Boy Who Cried Wolf–Part 127

I hear the birds chirping outside my window, but then again it’s unlike any other May Day in my lifetime.  My cherry blossom tree already bloomed for the year. Hope you’re starting to see those signs of spring as well.


Devices Update

-The new iPhone SE is a winning release for Apple. I will be doing my first remote setups for clients over the next week or so.  You could also buy it to hold for later.  At $399 it is more powerful than almost any Android phone on the market.  Whether you order directly from Apple or from your carrier, you can ask me which is best for you.  In many instances there are interest free payments available.  I think a lot of buyers will just purchase it outright.  Drawbacks?  I thought of one since last week and while it certainly isn’t a minus for me, it may be for some people.  The iPhone SE does not have 5G cellular technology.  Of course, no iPhone on the market has 5G right now.  The new more expensive “iPhone 12” models released in the fall will almost certainly have 5G.  Don’t let that stop you from taking advantage of this extreme value.

– 2020 MacBook Air — I mentioned a few weeks ago that Apple has finally brought back the old keyboard design on their consumer focused MacBooks and that if you need a MacBook, you can go ahead and strongly consider the new Air.  https://www.apple.com/macbook-air/  When you choose the base model at $999 ($899 with education discount), you will want to make 1 upgrade during the checkout.  PLEASE – choose the i5 processor for a $100 upgrade.  It’s well worth it.  So for $1099, you have an awesome Mac.

Not The Password Boy Who Cried Wolf – Part 127

I’ve sent out e-mails like this before.  That is why I am calling it Part 127.  I get these sad stories from clients every so often.   An e-mail account has been compromised.  Requests for payment or money were sent out.  Someone didn’t screen the request properly and actually sent the money.  During this time of Covid19, the scammers have not rested.  This is peak season for them.   Some hackers have software that just keeps guessing at e-mail passwords until they can “crack” them.  The easier your password is, the better the chance that they will crack it quickly.  However, major e-mail providers like Gmail, Yahoo and Microsoft do have systems in place that lock the account after an excessive number of tries.   Yet, if your password is super easy to guess — it’s not going to help you anyway. 

One thing I have noticed during this “stay safe, stay at home” period is that many of you have terrible passwords.  You don’t take this seriously at all.  Think of all of the services you have that can be broken into if a bad actor were to get into your e-mail account.   Here are a few BEST PRACTICES that I have tried to teach to clients over the past 5 years or so.  Unfortunately, I don’t think many are making the grade on this topic. 

3 Ways to Create Better Passwords — Choose 1

-Use a professional password manager — like LastPass, 1Password, or Dashlane. (Of course, this involves learning a new piece of software and not everyone wants to do this.)

-Use a random password generator.  Set length to 12 or greater — and you will get totally randomized passwords to PRINT OUT.  This is a tool I frequently use with clients:  https://www.random.org/passwords/

-Finally — a client can come up with their own if they use a good formula  — secure base plus specific ending for each site.   Again, it should be something easy for you to remember, hard for others to guess.    Let’s say for example not many people know I like John Denver music.

My base might be — “Leavingonajetplane”

My password for Microsoft might be Leavingonajetplane20msft

My password for Google might be Leavingonajetplane19goog

And so on.

Again, those would be good passwords, if no one could associate me with that base.
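An added example (my own code, not from the newsletter) that turns the rules from “Critical Password Practices” and the three options above into a small Python script: a generator built on the operating system’s cryptographic random source for the “random password generator” option, a checker for the no-personal-information and 12+ character rules, and a reuse check across the entries in a password notebook. The personal terms and the notebook contents are constructed sample data.

```python
import secrets
import string

# Character set for generated passwords and the newsletter's minimum length.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
MIN_LENGTH = 12


def generate_password(length: int = 16) -> str:
    """Return a random password drawn from the OS cryptographic random source.

    Offline equivalent of the random password generator option; the secrets
    module (not random) is used so the output cannot be predicted from a seed.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_password(password: str, personal_terms: list[str]) -> list[str]:
    """Check a self-chosen password against the newsletter's rules.

    personal_terms holds what the rules say must not appear: family names,
    street name or number, birth year, and keywords a web search on you
    returns.  Returns the list of violations; an empty list means it passes.
    Matching is case-insensitive, so 'Maple' also catches 'maple'.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for term in personal_terms:
        t = term.strip().lower()
        # Skip very short terms so a two-letter name does not flag everything.
        if len(t) >= 3 and t in lowered:
            problems.append(f"contains personal term {term!r}")
    return problems


def find_reused(passwords_by_site: dict[str, str]) -> list[list[str]]:
    """Group sites that share an identical password (the reuse the rules forbid)."""
    sites_by_password: dict[str, list[str]] = {}
    for site, pw in passwords_by_site.items():
        sites_by_password.setdefault(pw, []).append(site)
    return sorted(sorted(s) for s in sites_by_password.values() if len(s) > 1)


if __name__ == "__main__":
    # Constructed sample data for a fictional person; not from the newsletter.
    personal_terms = ["Smith", "Maple", "1962", "Rover"]
    print(check_password("ILoveCampRedwoods20msft", personal_terms))  # []
    print(check_password("Rover1962", personal_terms))
    print(generate_password(20))
    # A constructed password notebook: one password used for two sites.
    notebook = {
        "microsoft": "Leavingonajetplane20msft",
        "google": "Leavingonajetplane19goog",
        "comcast": "Leavingonajetplane20msft",
    }
    print(find_reused(notebook))  # [['comcast', 'microsoft']]
```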


Extra Credit:   And while you have some time — if you do online banking — why don’t you call your bank’s help # and ask them this question.  It’s a very simple one.  What are you doing — beyond my user name and password — to protect my account?   Is there a 2nd factor?  Is there some other security measure? What do they offer beyond user name and password?

Thoughts On Zoom Controversy

Over the past few days, I have read all the bad news about Zoom.  Between updates they put out from Thursday until today, they have corrected all of the issues.  It is alarming some of the flaws they had which are nicely detailed in this WSJ article  https://www.wsj.com/articles/zoom-ceo-i-really-messed-up-on-security-as-coronavirus-drove-video-tools-appeal-11586031129?shareToken=stf921d7c733df40db8c49d2a934d7ada2

However, I also think that as the fresh new kid on the block — Zoom’s success irritated established players that would benefit even from a 10% to 20% downfall from Zoom — Microsoft (with Teams and Skype) and Cisco with Webex.  One of the interesting facts about all of this is that one of the lead engineers at the original Webex, prior to Cisco’s $3 billion purchase in 2007, was Eric Yuan.  He is the founder of Zoom.  Zoom’s goal was to make live conferencing easy, even without an account.  Unfortunately — when conference rooms were created without passwords (no longer the default as of 4/5/20) anyone could enter them and harass people.  Then again, a heckler could walk into an AA meeting or a meeting between students and professors in a lecture hall.  Zoom in some ways mimicked real life.

Joining a Webex meeting is really not that much different than joining a Zoom meeting.  It often involves opening a link and an application launching.  The controls and options are laid out in different places.  New life is being breathed into Skype as they now have an account-less meeting option.  The online meeting / conference space will see shifts in preferences as companies respond to potential threats.  I hope Zoom can rebound from this.  However, there is no doubt that stumbling by one entity creates opportunities for others.

Corona Contingencies and Compromised Accounts

Getting Ready for Remote Sessions

I know that the coronavirus and its potential impact on our lives must be on your mind.  I’ve been reading stories like people in Milan going through a “psychosis,” to people stocking up on dry foods, to toilet paper being sold out.  I’m trying to stand on sensible ground and not join a feeding frenzy.  I think it’s important to look for teachable moments in history too.  Let’s look back to how we responded to the H1N1 swine flu in 2009.  1,000 people in this country died.  I don’t remember the mood being quite like it is now.  Nevertheless, I acknowledge that if there comes a time when we won’t be going out as much and resort to working and handling other business from home — reliable technology will be more important than ever.  I think most people know that I have provided remote consultations for years.  I don’t really see text message as effective for this purpose, but I have been known to provide consultations by email such as answering a list of questions you may have or giving some analysis. Phone based consultations will also come into play. Commonly, I will tap into your computers via software that allows you to share your screen with me.  For this, I use Quick Assist, an application that is already built into Windows 10.  With my Mac clients, I use Skype (preferred) or also the free version of TeamViewer.  If you are a Mac client of mine, and you do not have Skype or TeamViewer installed, you can install them from Skype.com or TeamViewer.com.  However, I know that installing software is not a comfortable spot for some of you.  And, installing software on the Mac has gotten a little more complicated as of late.  Therefore, if you are a Mac client and need one of these applications installed for our remote sessions — even if we don’t have an upcoming appointment scheduled — I will come and do it for you at no charge when I am in your area.  It will take me all of 5 to 10 minutes.  Please ask.
For remote sessions, I bill by the half hour on a per incident basis.  So when you have a concern that is worth it to you, don’t hesitate to reach out for remote assistance whether by necessity or by choice.  Also for these remote sessions, there is no need to send me a check.  I can take your credit card over the phone or send you a digital invoice. 

Compromised Accounts

It has come to my knowledge that many credit cards and banks are now offering “dark web monitoring” or some type of scanning where they can detect if your credentials have been compromised on the internet. Services like LifeLock do this on a paid basis. Some clients have shared with me information they were given and it seemed hard to decipher.  One of them was simply told that an email address was compromised on a couple of occasions in recent months.  It was not immediately clear whether there was an intrusion on the email account itself or a website that the address was used to sign up for.  I have access to a well known database where I can look up where your identity (based on email addresses) has been compromised and tell you what sites and services were breached.  It does not take long to look up this information.  Some of the information found may be actionable and other bits may not, but at least you will be informed.  Knowledge is power.  A “compromised account search” would be a great activity for a future appointment that we have. Let me know.

Three Cheers for Firefox

You can feel good about using the Firefox browser today!

Not many of my clients use the Firefox browser as their primary way of reaching the internet, but since you do — I want to let you know that you can feel very good about them today.

They turned on an encryption feature that makes your browsing even more private than before.

https://www.theverge.com/2020/2/25/21152335/mozilla-firefox-dns-over-https-web-privacy-security-encryption

You know it’s a good thing when the politicians are ticked off about this feature. 

Just about every other browser out there (except Safari) is based in some way on Google Chrome — including Microsoft Edge, Brave, and others.

Firefox is a truly independent and unique browser.   How does Firefox make money?   They make money through ads shown in Google searches.  They have a huge contract with Google.