New York State Unemployment Insurance Help

Noun insurance 2093990Guest Post:

Pat G, a long-time friend of mine and all around wonder-woman who takes photos of BIRDS OF FREAKIN PREY, was furloughed along with many of her co-workers. After the living nightmare of trying to file for unemployment insurance here in New York State, she documented her trials and asked me to post the resulting info here so that others don’t have to go through what she went through:

Pat’s message starts here:

Please, pass this info to anyone you know in NYC trying to collect unemployment insurance.  Despite the Dept. of Labor’s efforts, the system is still backlogged and getting through is nearly impossible for many.  I was able to get through and am shocked that not one media outlet has mentioned that there IS a way to do it. 

With so many people throughout New York State filing for unemployment, the system is overwhelmed and getting through to a real life human being is near impossible.  However, this IS away to get a claim processed and eventually get a person.  Here is my story:

My last day working was Sunday, March 15th.  Once I was let go, I immediately attempted to file for unemployment.  The last time I actually collected from them was in 2011, so I figured that all my info (including direct deposit) would still be on their website.  After numerous attempts to set it up on the Dept. of Labor website, I was prompted to call which I did.  I was eventually able to give all my info using their automated voice system.  It took about 15 minutes.  The system then informed me that it was going to transfer me to someone who will complete the last step which is the interview.  The phone cut off.  When I would get through it would keep hanging up.  This went on for three days.  Finally, I clicked on the contact us link and noticed they had a twitter feed.  There were complaints from fellow New Yorkers who had equally bad experiences.  I saw that one was actually answered that said to direct message them.  As I already have a twitter account, I subscribed to their feed, then clicked the direct message box and left a brief explanation of my dilemma.   I got a reply a few minutes later asking for my name and telephone number which I gave.  Less than five minutes later I got a reply saying that someone would call me.  

Lo and behold, 45 minutes later, a very helpful woman did call. She patiently listened to my tale than asked for my social security number for verification.  Apparently, the system worked and it did record all my info.  She said that someone would call me back in two hours.  90 minutes later, I got the call and completed the interview.  I was given a number to file my first claim which I did on Sunday, March 22nd.  As the State has temporarily waived the 7 day wait, the money was in my checking account on Tuesday, March 22nd.  I have not had a problem since. 

Please pass this on to anyone filing for Unemployment.  Let them know the following:

1.  Do NOT file your claim online, do it over the phone.

2.  Once the automated system records all your info, a voice will tell you to hold for an agent to finish your claim.  One of two things will happen.  Either you WILL be cut off, or a voice will tell you to call back and THEN you will be cut off.

3.  When this happens, go to the NYS Department of Labor Twitter feed and leave a direct message (click the tiny envelope) [Note from Mike: It may look different in your Twitter client, so look for “Send a Private Message” or “Send a Direct Message”]

4.  When they call you back, be prepared to answer questions regarding employment, etc.  Have your bank account number ready if you choose direct deposit (which is the fastest way to get it).

Good luck.

Religion Expects, but Lives Matter More

Noun Religion 2207552

The SARS-Cov-2 pandemic has changed how we live our lives. We’re being physically distant from one another, virtually working, checking in on relatives and friends more often; doing a thousand little things differently in order to not do the hundreds of big things we can’t do right now. One of the biggest things for many is ways in which we can live our faiths. As we approach some of the holiest days of both the Christian and Jewish calendars; many are concerned that they will not be able to attend Passover Seder and Easter Mass. As a lapsed Catholic, and the child of both Christian and Jewish parents, I know how critical and important these very social gatherings are to members of the faithful. For most of us, we’ll celebrate while remaining distant from each other because we want to ensure that we can do everything we can each do to make sure this deadly virus doesn’t spread further and faster than it already is.

What is disheartening is that many in the United States (and elsewhere in the world, the US is not alone) are defying the public and government recommendations and even outright orders to not gather in large numbers to celebrate mass and attend Seder and other religious celebrations. Beyond disheartening, this is outright terrifying to many of us, as dozens and even hundreds of people gathering in close proximity can create an outbreak situation if any one of them is infected – even if they’re not yet showing any symptoms of COVID-19 at all.

I can speak to the Christian message on this topic, and it is very clear. Stay home, socially distance, and protect yourself and others. I was raised Catholic, but have even now retained a strong sense of Christian identity, and I can find nothing that demands we risk the lives of others in order to attend formal worship. Yes, there are many verses that talk about us worshiping no matter the personal cost to ourselves, but they specifically speak to political ramifications of celebrating mass when governments and armies might arrest us for doing so. On the contrary – Matthew 6 verses 5-6 even clearly state that going to worship because we believe we must be seen to be doing it is explicitly not important:

“5 “And when you pray, do not be like the hypocrites, for they love to pray standing in the synagogues and on the street corners to be seen by others. Truly I tell you, they have received their reward in full. 6 But when you pray, go into your room, close the door and pray to your Father, who is unseen. Then your Father, who sees what is done in secret, will reward you.”

The idea of a Eucharistic Fast – a period of time where one does not celebrate by the taking of communion – isn’t unknown to the Christian faith, and is called for during the pandemic. Celebrate with the congregation by live-streamed services, pray and seek wisdom, but do not attend communal events. Even if you believe (and there is biblical wisdom on both sides of this one) that you should not be concerned with your own safety in order to take the eucharist, you must be concerned for the safety and well-being of everyone else as per Matthew 22, 35-40 which speaks to us of Jesus’ own words:

“Then one of them, which was a lawyer, asked him a question, tempting him, and saying, Master, which is the great commandment in the law? Jesus said unto him, Thou shalt love the Lord thy God with all thy heart, and with all thy soul, and with all thy mind. This is the first and great commandment. And the second is like unto it, Thou shalt love thy neighbor as thyself. On these two commandments hang all the law and the prophets.”

The second highest commandment is to love your neighbor as yourself – and risking their health if you are infected but not showing any symptoms goes against this in every possible sense.

While I was shown some of the faith of Judaism over the years from that half of my family, I feel significantly less able to give advice on missing the Seder for SARS-CoV-2. Thankfully, I do have many friends who are practicing and religious Jews, and a couple who are even Rabbis. Their thoughts about what the Torah has to say on the subject were even more direct than the Christians’ were.

Simply put, life is more important than anything else.

The idea of “Pikuach Nefesh” – saving a life – outweighs all other obligations of the faith. This is true to the point that otherwise outright outlawed actions and even failure to properly celebrate Shabbat are acceptable if a life will be saved. Celebration of Passover is one of the most important occurrences of the Jewish calendar, but even an occasion as critical and important as Passover and the Seder must come second to the preservation of life. Gathering with others when you may be infected (even when not symptomatic), endangers the lives of others in direct opposition to Jewish law.

And there you have it. Celebrations of faith – in both Christian and Jewish families – are critical to our understanding and practice of that faith. That being said, both religions are quite clear that endangering the lives of others in order to celebrate your faith is simply unacceptable at best – and a defiance of the tenants of that faith at worst.

Please, stay home. Celebrate in your heart, live your faith in your deeds.

 

A note on comments: I have allowed comments on all of my blog posts, and will do so with this one as well, but will allow no intolerance or attacks.  Please do comment, but remember that you are speaking to a community of many people, many faiths, and many countries.  Remain respectful in your comments and they will be posted – even if they are not in agreement with me.

Chinese APT Group Weaponizes COVID-19 Fears

While there are currently upwards of seven cyber threat campaigns centered on SARS-CoV-2 (the virus that causes the illness now known as COVID-19); one stands out from the rest.  According to CheckPoint Research (https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/), this campaign is a continuation of previous attacks by the Vicious Panda APT group, with the latest iteration using the threat of the Coronavirus to entice users into falling for the downloader/stager scheme.

 

Though not particularly novel or intricate, the somewhat complex stager to downloader to dll methodology does have one thing that sets it apart.  Vicious Panda is the codename of a Chinese APT group – meaning that the country which saw the first devastating wave of COVID-19 patients, and the first loss of life from the disease, is now using it to disrupt data systems in other parts of the world.

 

The attack itself is straight-forward.  An email hook via a poisoned attachment – in this case a rich text file – is emailed or otherwise delivered to the target. Relying on a known exploit in the Equation Editor component in Windows systems installed with Microsoft Office, the RTF file executes code that performs additional actions on the infected machine.  In the case of this campaign, a series of download files (mostly DLL’s) sets up both a persistence factor so that the attack re-launches itself until removed whenever a Microsoft Office app is run; and a Remote Access Trojan (RAT) to allow the attackers to gather details and data from an infected device.

 

The RAT is the more problematic of the executable components; as in addition to stealing data and user information through screen shots and process dumps, a RAT can be configured to download and launch additional executable code. While the initial attack is independently dangerous, this ability to persist beyond reboot and to download more attack code at any time makes this significantly more worrisome.

 

As for mitigation against this threat, while the actual downloaded vector is new, the methods and techniques used to successfully land the attack are not.  Updates and patches exist for Windows to defend against the Equation Editor exploits, which have existed since 2017 but have remained unpatched on many Windows devices.  Patching against CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 will limit the ability of the initial infection vector (the poisoned RTF file) to land, and thereby defend the device itself.  It’s recommended that systems be patched as soon as possible if the fixes for these three CVE’s have not yet been applied.

 

While the actual attack binaries do appear to be new, they function with the same effect as most RAT’s; so monitoring for unusual activity around screenshots, file manipulation, data exfiltration, and unknown process initiation can identify that a device is infected.  Any device that exhibits these unusual behavior patterns should be temporarily isolated until further investigation can be performed to confirm infection or identification of the reason for the unusual operations.

 

Leveraging the COVID-19 fears of the world is despicable.  Threat groups have never been known for their reserve or decency, but launching attacks that play off the panic of the world right now is unacceptable beyond belief.  That it is coming from the country that experienced the first outbreak is even more bewildering and disappointing.  I urge all threat groups to not make the situation worse by playing off the fears of an international pandemic crisis.

 

It’s doubtful that we will see an end to attacks taking advantage of national and international crisis events.  As disheartening as that it, we must face reality and realize that any opportunity can and will be used to spread malware that disrupts and/or destroys businesses.  This example, though, is extraordinarily despicable for two reasons:  First, the disruption of many businesses during this specific crisis can, and will, lead to the loss of lives.  Disruption of a single manufacturer or medical equipment or devices will make the already devastating shortage of masks, sanitizers, ventilators, and other vital healthcare equipment so much worse.  People who might have lived will die, and their blood will be directly on the hands of these threat actors.  Secondly, the apparent origination of this specific threat from an Advanced Persistent Threat group from China – the first and one of the most significantly impacted countries – is simply baffling.  After the loss of life, disruption of business, and overall health impact of this virus; the country that was at the start of the chain of the pandemic should not be weaponizing the fear of that pandemic for furtherance of state-sponsored cyber threat goals.

 

Remote Working for Newbies

Noun remote work 1350970

 

When even the Federal Government is sending workers to work from home, there’s a lot folks in municipal and private organizations and companies working from outside their office for the first time. In my career, I have been rather lucky in that I have nearly always worked remotely. Companies I have worked for based in California or Israel often found it more economical to just cover my home Internet expenses than set up a physical office near me and the few other folks who worked in the area.

For those new to remote work, here’s a few tips I’ve had good experiences with over the years:

Set aside space: Even though you’re not in the office, you’re still at work. Claim some space in your home or apartment that will be used as exclusively as possible for work. While most (including me) won’t have the luxury of being able to set up a formal home office, you can designate a part of your living space that you will use when you’re working. The purely mental differentiation can help you focus on work when it’s working hours.

Don’t ignore your family, but know that you are at work: Even though you’re at home, during the workday your time still “belongs” to your employer. In much the same way as you will absolutely deal with emergency family matters when in the office, you should limit family time during working hours to just necessary events. Don’t ignore family members who are at home with you by any means, but do let them know that when you’re working, you’re working. If it can wait for 5pm, it should. If it cannot, you will deal with it immediately just like you would if you were still in the office. This gets significantly harder when you’re physically in the same space with the family members in question, but you must firmly hold the line.

Defend the company (and yourself): If you’ve been issued company equipment to work remotely, use that – and only that – equipment to do work. This will allow you to work on a device that the company IT team is still keeping patched and updated with anti-malware tools. If not, ensure that you keep your own devices updated with patches and fixes (don’t ignore the “you need some updates” messages), and make sure you have at least basic anti-malware/antivirus tools installed and kept up-to-date. If the company supplies a virtual private network (VPN) tool, be sure that you use it any time you have to work on company applications and data. Finally, make sure everyone knows that the company laptop is only to be used by you, and for work. Even if it’s more powerful than your home PC, the kids, your significant other, or anyone else who’s there can’t use it to play games or watch videos.

Digitally separate work and personal life: If you are using your own PC or laptop for remote work, take some steps to keep work data and personal data independent of each other. For example, use one email client for your own email accounts, and Outlook for company accounts (if Outlook is provided for you as part of your company’s email system). Use one browser (like Chrome) for personal use and a different one (like Edge or FireFox) for work use. Alternately, make liberal use of “Private” or “Incognito” modes in a browser when doing work tasks. Create a new folder in your My Documents folder, and keep your work stuff only in that folder. Little things like this – which are both free and easy to do – can help maintain the boundaries between work and home data and applications; avoiding both risks to company data and potentially embarrassing situations if someone sees your bookmarks on a web conference.

Use defensive web conferencing techniques: Speaking of Zoom, Webex, Teams, and other web conferencing tools, there are definitely ways to use them that keep your privacy intact. First, invest in a camera cover. These stickers or sliders cost only a buck or two, and can avoid a lot of embarrassment if the web conferencing software turns your webcam on automatically without warning. Next, never share your entire desktop. Just about every web conferencing system will let you share a specific application or upload a powerpoint or other document. This way, if you get an unexpected private pop-up alert, it isn’t broadcast to everyone watching the conference itself. If possible, buy a low-end gaming headset that works with your laptop/desktop (or a higher-end one, but they can get quite expensive). Gaming headsets have uni-directional microphones; which means they help filter out the background noise of anything going on around you. Using a headset also helps avoid the feedback loops and squelching that using built-in audio systems can cause. Finally, if you feel up to it, you can go into the settings of the web conference tool and turn off video connectivity and set the application itself to not start automatically on a reboot. As a side-note, a shower curtain with a nice pattern or flat color suspended from mug hooks in the ceiling makes a great backdrop if you do wish to use your camera during calls and web conferences.

Leave the house when you can: This one is critical. Remote work can be very isolating, and the tendency to just stay in the house can be overwhelming. Granted, right now we’re all trying to enforce social distancing, but you can still go visit a local business during not-so-busy hours (when less people will be there) or take a brief walk. Calling friends and family can also help keep you connected to the world outside your apartment. Stay safe, but remember that you are not chained to your desk, and can step outside for some air whenever you need to.

Remote work can be an incredibly positive experience. Clearly delineating work from home – digitally, physically, and mentally – can make the process easier to manage and much more rewarding for you. If you find you hate remote work, this crisis will end; hopefully soon. If you find you love it, then proving that you can be just as effective and productive when remote will give you a better chance at making it permanent.

TVTropes had a breach – passwords stolen

Noun shocked 320301

About a month and a half ago, I started receiving “porn extortion” emails with my TVTropes password in them. For those who haven’t gotten on of these yet, consider yourself lucky.

About 4-6 months back millions of people started seeing emails that basically said “We infected your computer with a virus, turned on your webcam and recorded your screen. We saw the adult sites you visited, and what you were doing through your webcam when you were there.” Of course, for a small amount of BitCoin, they can keep that info to themselves.

In case you haven’t guessed, it’s a total scam. I know this because my machine is a Mac, and every single one of these emails I’ve gotten over the months specifically detailed how a WINDOWS machine was infected with their virus.

More recently, these emails started including passwords from websites that I had used in the past. That’s not hard to explain, sites do get hacked and password databases do get stolen. Then the passwords get sold for fractions of a penny each, and anyone – including these scammers – can use them for whatever they want. As nearly all of these passwords are now no longer valid; they’re rarely used for attacking other websites. But using them for this kind of email scam is a great way to recycle no-longer-usable data that’s already out on the web since so many users re-use passwords on so many sites that the likelihood that at least one victim you email still has that password in active use is pretty good indeed.

In this case, for the last month and a half I have been getting these scam emails that specifically mentioned my TVTropes email address and UNIQUE password. Of course I immediately changed my password for that website, and alerted the site administrators through their bug tracking forum. I know it had to have come from that website, because the password has never been used at any other website or for any other login (using a password manager has given me the luxury of having this benefit available to me). It could only have come from that one, specific site.

Over 30 days later, and there has been no response from TVTropes, forcing me to now go public. If you have an account on TVTropes.org, you need to immediately change your password on that site, and on any other sites you have re-used that same password.

I’m much more disappointed in TVTropes. While I wouldn’t expect them to have the same level of security as financial or commerce websites, I would expect that when evidence of a breach is found they immediately investigate and force password changes for all users that were subject to having their passwords stolen. This is standard response behavior.

Also, with no response at all from the site in over 30 days of repeated attempts to contact them, I’m horrifically disappointed in the site administrators. Someone is literally telling you, privately and quietly, that your users are at absolute risk; and your response is… nothing?

So, long story short, there is evidence that TVTropes.org has been breached and their password database has been stolen and decrypted. Change your password there, and on every other site you use that same password immediately.

Response to Encrypt.me

Encrypt.me was recently purchased by j2 Global and when I heard about this I immediately posted to Twitter that people should be very concerned.

Terry Meyers, General Manager for Encrypt.me, kindly reached out to me via email to ask what my concerns were. As I have come to expect from Encrypt.me, Terry was courteous and professional, and I’m sure my opinions will be looked at by the team.

Several followers have asked me to go into a bit more detail about my concerns. I’ve therefore decided to post them here so that they can be found easily, as anyone considering using the service may benefit from my opinions. Below is an excerpt from my email to Terry, outlining why I was cancelling my Encrypt.me subscription out of concern for both security and privacy.

PLEASE: Note the last paragraph. Neither Encrypt.me or j2 Global have ever done anything that appears illegal or purposely harmful, and the company should not – under ANY circumstances – be the subject of harassment or other unwarranted attentions. Speaking your mind about concerns stemming from a product or company is good; harassment is never either good or acceptable behavior.

Excerpt from my email to the Encrypt.me Team:
Essentially, I will not trust any form of security or privacy to a company that is known throughout the technology industry as a buyer and seller of user information. To advertisers, to bulk-mail providers, and to who else knows. The advertisers and spammers (and I’m sorry I have to call them that, but they are) are known to be the case since direct portfolio companies of j2 make their money from advertisers – ZDNet – and bulk unsolicited mailers – direct response email houses. EFax is another factor I have to consider, as a large portion of their revenue is derived from a “free-to-use” system, which means j2 makes money by bartering user data since they don’t make money from the users.

I do wish you the best. I hope that j2 isolates and shelters Encrypt.me so that none of the incredibly sensitive information that a VPN has access to will ever be misused, but with the track record and history of the parent and portfolio companies I cannot be sure of that.

Please understand, I firmly believe that the portfolio companies absolutely have the right to operate exactly the way they do. They’re not breaking the law in any way, and to the best of my knowledge have never done anything to directly harm consumers. They are, however, not firms that I would be willing to trust VPN traffic to, or that I could in good conscience recommend that anyone else trust VPN traffic to.

Simply Security: Don’t Cut Users Out of the Security Team

Noun group security


Simply Security is a regular column sponsored by SkOUT Secure Intelligence, Find Trouble Before Trouble Finds You

When creating and updating a security policy for your organization/company; it’s important to remember one group of people who absolutely must be part of that plan – your end users. Even the very best of desktop anti-malware, VPN technologies, and email filtering tools will miss some things, and that means the user has to be the one to shield themselves against those sneaky threats.

For many security professionals, the end-user is the one person who they want to be totally excluded from the security protocols and policies of the company, but that means a critical component of your security immune system starts off out of the loop. Excluding users causes confusion when policies are created and changed, as the users may be forced to adapt to new procedures that didn’t take into account how they actually perform their job responsibilities. Documentation may be confusing to end-users, leading to mistakes in using new software and tools; or worse, users actively trying to get around these policies and procedures.

I’ve always been fond of a saying that I can never remember the source of (and if anyone knows, I’d love to give proper attribution): “Users, when faced with inconvenience, become some of the most innovative and ingenious technology experts in order to get around it.” Basically, if the user is not on-board with new security tools; they most definitely will try to find ways around them in order to do what they need to.

Personally, I’ve seen a high-level executive disable a VPN client because he couldn’t reach a website that he needed to use for his work. In other words, the entire security protocol for that laptop was undermined because the security team did not take into account that users might need to visit business-related websites. If the security team had involved end-users, they would have known that sites such as that one were required, and could have made sure the VPN did not prohibit users from visiting them.

Spam and phishing is another area where leaving users out of the equation is a recipe for disaster. No filtering system is 100% effective, and many will mis-categorize emails – both false-positive and false-negative – under a wide variety of circumstances. New threats can be used to create email messages that don’t trigger filtering rules, and crafty phishers can alter their approach to overcome software review. If the users are part of the organization’s immune system, they can become an active part of finding fraudulent and malicious messages before they wreak havoc on the company itself.

As a perfect example, doing something as simple as flagging emails based on if they are internal or external, and if they appear to be malicious in some way even when they’re not positively one way or the other, can allow users to be on their guard. This – combined with basic Security Awareness Training – allows them to look at flagged and external emails with a critical eye to determine if they’re legitimate or not when the filter just cannot be certain. Maybe they will call Accounts Payable when a slightly suspicious wire transfer request is sent to them, instead of just heading to the bank website because the email looked like it came from a legitimate sender.

In the end, exclusion of the actual users of a system from the discussions about the security of that system and involvement in those policies and procedures is asking for a security incident. Users need training, but they can be an impactful and critical part of the companies immune system – protecting the organization from point exposures on the front lines as the security team works to limit exposures on a company-wide level.

Hold off on updating to Mojave – a good rule of thumb for any new OS

MacOS Mojave has been released to the public, and everyone wants the shiny new toy, but hang on before you click update.  As with any OS, you should always wait for the first round of bugs and flaws to be fixed.

Mojave brings a lot of great security features to MacOS – like locking down Documents and other user folders most often targeted by malware and ransomware.  It also brings some cool features to MacOS outside the security realm, like Dark Mode.  In time, this OS will no doubt become the new standard for Apple’s desktops and laptops; just like High Sierra and Sierra before it.  But that doesn’t mean you should run out and immediately upgrade to the new OS today, or even in the next few weeks.

Unlike iOS, which is a much more limited (from a technical perspective) platform, MacOS is much more open.  I say this because a desktop or laptop running any OS can load and run software from thousands of sources – where an iPhone or iPad can only run software that has been at least somewhat vetted by Apple themselves before it is available in the app store.  The system isn’t perfect, but for the most part updating to iOS 12 is safe because attackers have to first find a way to execute their code on the device, and they have a really hard time doing that through a downloaded app.  iOS vendors (those that are still in business, anyway) also tend to update their stuff for the new iOS way ahead of time – since iOS typically allows for more backwards compatibility.  MacOS, on the other hand, can run Chrome, Firefox, and other 3rd-party browsers alongside Safari – all of which can easily download malware.  Since MacOS does allow non-signed applications to run, that means that a Mac-specific payload can easily find its way onto your machine.  MacOS software developers also seem to require a few weeks to update their apps to either take advantage of new features, or to just plain work on the new version of MacOS – this is even more of a problem since Mojave is starting the process of ending 32-bit applications, making many apps that rely on 32-bit components rendered semi- or totally-non-functional until the vendor moves off those bits.  So while iOS security and updating isn’t bulletproof by any stretch of the imagination, it’s far easier for a malware developer to get a Mac infected when compared to an iPhone or iPad, and for some reason more likely that your apps will be ready for a new version if iOS than MacOS.

What does this have to do with Mojave?  Simple; both security researchers and malware developers have been pouring over the betas of the new desktop/laptop OS for months.  There have already been several security holes found – and that’s before the OS officially even launched.  Since malware makers can find many more ways to trick you into launching their code on MacOS, that’s where they will focus their time and effort, and most likely already have.  A brand new OS will always have flaws that take some time to find.  This is mostly because what happens in the lab isn’t always representative of what happens on hundreds of thousands of computers out in the real world.  Developers can only check for so many things, and often they don’t even think of some of the ways that users and attackers find to break things.

Software developers have also been working with Mojave betas, but major software packages like Zoom web conferencing and others still haven’t ditched all the 32-bit code and are already experiencing major problems.  Since Apple doesn’t test these apps, it’s up to the developers – who may often be focused on Windows or other platforms – to correct any conflicts with the new MacOS, and that takes time.  In many cases, especially with enterprise apps, developers themselves may not have a full contingent of MacOS testers; and may not even realize how big the problem is until users start screaming.

When a new version of any OS (Windows, Linux, MacOS, etc.) is released, you should always wait until at least the first major patch.  That means waiting for TWO “patch Tuesdays” on Windows (the first usually squashes bugs, while the second will include more security fixes); and until the 10.x.1 update for MacOS.  It only takes 2-3 weeks, and you’re not missing out on much in the meantime.  In fact, since there are always at least a few major non-security bugs and tons of application issues in the first few weeks of a new OS, waiting will make life a lot easier for you on many different levels beyond just safety and security.

So hang in there, and stick to High Sierra for a few more weeks.  Everything still works just fine, and you don’t need Dark Mode today.  Your frustration levels will be lower, and overall security will be higher, if you hold off for just a little time now.

Newbie2Security: Passwords

A reader recently asked: “Everyone is saying to create difficult to guess passwords and not reuse them, but it’s impossible to track different passwords for every site – much less complex ones for every single site.  How do I make sure my passwords are good enough for security, but not forget them continuously?”

Well, passwords are a tough nut to crack these days.  Since you’re not supposed to re-use a password for more than one application/website, and since passwords should be complex, you’re stuck with trying to remember dozens of complex passwords.  Most people give up and re-use passwords or use simpler and easier-to-guess passwords, leaving them open to attack.  There’s good news, though, so let’s talk about passwords:

Passwords should be:

1 – Difficult for an attacker to guess

2 – Easy for you to remember

3 – Never re-used

4 – Complex enough so that they can’t be brute-forced (i.e. resistant to attacks)

Brute-force password cracking is simply an attacker trying a series of different combinations of letters, numbers, and symbols in turn to an attempt to happen upon your actual password.  Most – but not all – applications and sites have some method in place to stop this from working; either by limiting the number of attempts at a password before the account becomes locked, or progressively slowing down the time between attempts until it becomes too difficult to carry out the attack.

Unfortunately, normal humans have a lot of trouble keeping track of dozens – if not hundreds – of very complex passwords.  They might be able to manage 1, 2, and 4; but only at the expense of 3.  If they do keep 3 as the primary goal they often run afoul of 1, 2, or 4.

The good news is that there are several ways that you can follow all four rules without losing track of any sites or losing your mind:

1 – Use a Password Manager: A password manager is simply a piece of software that will allow you to store your usernames and passwords for various sites and applications in a vault that is securely protected.  This means you only have to remember one password (the one that lets you access the vault) instead of all the passwords for your sites and apps.  You do need to be sure the password manager vendor is reputable and has a good history at security, but otherwise you set them up and keep them updated, but don’t have to worry about forgetting passwords.  Even better, most will generate strong passwords on demand, allowing you to have unique passwords for every site and app without having to think them up yourself.  1Password and LastPass are two examples of well-established password managers that work across PC, Mac, and Mobile; and are also easy to use and work with no matter what browser you use. They’re not free (at least for the full feature-set you need to be using), but they’re reasonably priced and worth every penny.

2 – Use a Pass Phrase Instead:  Who says a password has to only be one word?  Complex passwords can just as easily be phrases or sentences if the site doesn’t limit how many characters you can use.  How about “ThisIsMySecureGooglePassword!” for your Google account?  It’s the right length, has upper and lowercase letters, has a special character, etc.  It can also be modified for each site – and those modifications can be hard to guess if you change which word gets modified in a way you’ll remember.

NOTE: Do not, and I really can’t stress this enough – do NOT use that particular sentence. Now that it’s posted to a blog that’s online, it is public information and will get added to databases that attackers use to guess passwords.  PLEASE think up a passphrase or sentence of your own.

4 – Never Use Public Information: Your maiden name, mother’s maiden name, zip code, pet’s name, kids’ names, etc. are all public information and should never be used in a password ever.  If you have to give that information to other people (on Social Media, to your bank, etc.) in the clear (i.e. in plain text or verbally); then it is not suitable for use as a password.

5 – Keep Your Passwords Secure: Remember that no reputable site, service, app, or business will ever – EVER – ask you to tell them your password either online or on the phone.  It is never necessary for them to do so.  They can access your information via their own methods, and don’t need you to tell them your password in order to do it.  So, if anyone claims they’re from FaceBook, or Microsoft, etc. either via email or phone and asks for your password; they’re lying and trying to steal your info.  Also, never keep passwords written down in the physical world, or stored in a file in the digital world unless that file is properly encrypted and secured.  So, a password manager that encrypts its vault is fine, but an excel spreadsheet that isn’t protected is not.

Defending yourself with strong, non-reused, passwords is a critical part of online security.  These tips are not difficult to use, and typically cost either little or nothing at all to take advantage of.  Take some time to follow proper “password hygiene” and you’ll find yourself in a safer place.

Newbie2Security: What Your Browser can Tell Sites About You

Here’s a great reader-submitted question, “I heard that if I connect to a site from a web browser, they can tell a lot about me.  Is that true? What can they see?”

It’s absolutely true, and your browser can tell a website or service a tremendous amount of information about you.  This can happen even if you haven’t specifically given the site, service, or app any privileges beyond just connecting to it in your browser.  That’s been the case for a very long time now – and this data doesn’t take a lot of technology or expertise for someone to see it and learn about you from it.  Let’s take a look at what your browser can be telling people about you.

Browsers transmit and receive a lot more data that is visible on your screen.  They also transmit what are known as browser headers – metadata (data about data) that identifies what your browser is capable of displaying, how much data it can accept, and a lot more details

When you connect to a website or service via a browser, the web server and your machine exchange a lot of information.  This is necessary since thousands if not millions of people visit a website, and not all fo them use the same web browser, Operating System (Windows, Mac, Linux, etc.), have the same fonts installed, have the same browser add-ons and extensions, etc.  So, in order to figure out what should be sent to your machine, the web server needs this metadata so it can send you the right information to display in your browser.

Most, but not all, of this data is sent in the browser headers.  Here’s what can be sent via headers during any connection to a web server:

 The IP address (a digital address assigned to your computer by your Internet Service Provider) so that the website knows who it is talking to.
The browser you are using (Internet Explorer, Firefox, Chrome, etc.) and what version of it you are running so that the website knows what your browser is capable of displaying
What fonts, add-ons, and extensions you have installed in your browser – also to help the website figure out what can be displayed.

That may no sound all that informative to a website, but it really is.  With the right tools, here’s what a website can find out based on that information:

 Your IP address can identify where you physically are at the moment.  While it’s not precise, IP geo-location is capable of finding your location within a couple hundred meters if not closer.  IP addresses can also identify what Internet Service Provider you use, if the connection is a cable modem, DSL, fiber, etc. and if you’re using something that can anonymize you (like a VPN or TOR networks).
Your browser type and version can identify what Operating System you use – Internet Explorer only runs on Windows and Safari typically runs on Mac, for example.
The combination of the above information combined with the add-ons, fonts, and other details can allow a website to “fingerprint” your machine to a high degree of accuracy.  This means that if you visit the site again – or go from site to site between websites that share information – these sites can track you and establish a pattern to your browsing history that cannot be removed by clearing your cache.

There are also small text files known as cookies that are placed on your computer/laptop/tablet/phone disk.  These cookies allow a specific site to recognize your device when you re-visit that site, and it’s how sites like FaceBook, Twitter, Amazon, etc. know you when you return to them later on.  Generally, cookies are harmless and only apply to a specific website you visit.  Others, known as “supercookies” are used by advertising networks to track you all around the Internet, however. By setting your browser’s “Do Not Track” settings you can eliminate most – but not all – of them.  Clearing your browsing history, cache, and cookies will get rid of them, though.

There are also tools for most major browsers that can help keep you more private while web surfing.  The Electonic Frontier Foundation (https://www.eff.org) has a tool called Privacy Badger that blocks most tracking cookies but can let you allow them on sites you do trust.  Ad Blockers can stop ad networks from landing supercookies on your machine.  They’re usually free, and well trusted tools like uBlock Origin are regularly checked for malware to make sure you’re not opening more security holes than you close.

So, as you can see, a browser can leak a lot of information about you and your devices.  Headers and cookies can tell a website a tremendous amount about who you are, where you are, and where you’ve been online.  Normally this isn’t a problem, as this information is fairly public and not considered Personally Identifiable Information like your name, phone number, social security number, etc. would be.  Just be aware that sites can see this information about you when you visit, and avoid even visiting sites that you don’t ever want to have this level of detail about you in the first place.