Hold off on updating to Mojave – a good rule of thumb for any new OS

MacOS Mojave has been released to the public, and everyone wants the shiny new toy, but hang on before you click update.  As with any OS, you should always wait for the first round of bugs and flaws to be fixed.

Mojave brings a lot of great security features to MacOS – like locking down Documents and other user folders most often targeted by malware and ransomware.  It also brings some cool features to MacOS outside the security realm, like Dark Mode.  In time, this OS will no doubt become the new standard for Apple’s desktops and laptops; just like High Sierra and Sierra before it.  But that doesn’t mean you should run out and immediately upgrade to the new OS today, or even in the next few weeks.

Unlike iOS, which is a much more limited platform (from a technical perspective), MacOS is much more open.  I say this because a desktop or laptop running any OS can load and run software from thousands of sources, whereas an iPhone or iPad can only run software that has been at least somewhat vetted by Apple before it is available in the App Store.  The system isn’t perfect, but for the most part updating to iOS 12 is safe because attackers first have to find a way to execute their code on the device, and they have a really hard time doing that through a downloaded app.  iOS app vendors (those that are still in business, anyway) also tend to update their software for the new iOS well ahead of time, since iOS typically allows for more backwards compatibility.  MacOS, on the other hand, can run Chrome, Firefox, and other 3rd-party browsers alongside Safari – all of which can easily download malware.  Since MacOS does allow unsigned applications to run, a Mac-specific payload can easily find its way onto your machine.  MacOS software developers also seem to need a few weeks to update their apps, either to take advantage of new features or just to work at all on the new version of MacOS.  This is even more of a problem now that Mojave is starting the process of ending 32-bit applications, which leaves many apps that rely on 32-bit components semi- or totally non-functional until the vendor moves off those bits.  So while iOS security and updating isn’t bulletproof by any stretch of the imagination, it’s far easier for a malware developer to get a Mac infected than an iPhone or iPad, and for some reason your apps are more likely to be ready for a new version of iOS than for a new version of MacOS.

What does this have to do with Mojave?  Simple: both security researchers and malware developers have been poring over the betas of the new desktop/laptop OS for months.  Several security holes have already been found – and that’s before the OS even officially launched.  Since malware makers can find many more ways to trick you into launching their code on MacOS, that’s where they will focus their time and effort, and most likely already have.  A brand new OS will always have flaws that take some time to find.  This is mostly because what happens in the lab isn’t always representative of what happens on hundreds of thousands of computers out in the real world.  Developers can only check for so many things, and often they don’t even think of some of the ways that users and attackers find to break things.

Software developers have also been working with Mojave betas, but major software packages like Zoom web conferencing and others still haven’t ditched all their 32-bit code and are already experiencing major problems.  Since Apple doesn’t test these apps, it’s up to the developers – who may often be focused on Windows or other platforms – to correct any conflicts with the new MacOS, and that takes time.  In many cases, especially with enterprise apps, developers themselves may not have a full contingent of MacOS testers, and may not even realize how big the problem is until users start screaming.

When a new version of any OS (Windows, Linux, MacOS, etc.) is released, you should always wait until at least the first major patch.  That means waiting for TWO “patch Tuesdays” on Windows (the first usually squashes bugs, while the second will include more security fixes); and until the 10.x.1 update for MacOS.  It only takes 2-3 weeks, and you’re not missing out on much in the meantime.  In fact, since there are always at least a few major non-security bugs and tons of application issues in the first few weeks of a new OS, waiting will make life a lot easier for you on many different levels beyond just safety and security.

So hang in there, and stick to High Sierra for a few more weeks.  Everything still works just fine, and you don’t need Dark Mode today.  Your frustration levels will be lower, and overall security will be higher, if you hold off for just a little time now.

Newbie2Security: Passwords

A reader recently asked: “Everyone is saying to create difficult to guess passwords and not reuse them, but it’s impossible to track different passwords for every site – much less complex ones for every single site.  How do I make sure my passwords are good enough for security, but not forget them continuously?”

Well, passwords are a tough nut to crack these days.  Since you’re not supposed to re-use a password for more than one application/website, and since passwords should be complex, you’re stuck with trying to remember dozens of complex passwords.  Most people give up and re-use passwords or use simpler and easier-to-guess passwords, leaving them open to attack.  There’s good news, though, so let’s talk about passwords:

Passwords should be:

1 – Difficult for an attacker to guess

2 – Easy for you to remember

3 – Never re-used

4 – Complex enough so that they can’t be brute-forced (i.e. resistant to attacks)

Brute-force password cracking is simply an attacker trying a series of different combinations of letters, numbers, and symbols, one after another, in an attempt to hit upon your actual password.  Most – but not all – applications and sites have some method in place to stop this from working: either by limiting the number of attempts at a password before the account becomes locked, or by progressively slowing down the time between attempts until it becomes too difficult to carry out the attack.
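The two defences just described, a hard lockout after a fixed number of failures and a progressively growing delay between attempts, as an added illustration (example code written for this post, not from any real login system; the policy numbers, the account names and the fake clock are constructed):

```python
from dataclasses import dataclass

MAX_ATTEMPTS = 5       # consecutive failures before the account locks
LOCKOUT_SECONDS = 900  # 15-minute lockout (constructed policy values, not from the post)
BASE_DELAY = 1.0       # wait after the 1st failure; doubles after each further failure

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    not_before: float = 0.0  # earliest time the next attempt is even looked at

class LoginThrottle:
    """Wraps a password check with both defences the text mentions: lockout and backoff."""
    def __init__(self, check_password, clock):
        self.check_password = check_password  # callable(user, password) -> bool
        self.clock = clock                    # callable() -> seconds; injectable for testing
        self.accounts = {}
        self.checks = 0                       # how often the real password check ran

    def attempt(self, user, password):
        now = self.clock()
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if now < st.not_before:
            return "too-fast"      # dropped before the password store is consulted
        self.checks += 1
        if self.check_password(user, password):
            self.accounts[user] = AccountState()   # success clears the counters
            return "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            self.accounts[user] = AccountState(locked_until=now + LOCKOUT_SECONDS)
            return "locked"
        st.not_before = now + BASE_DELAY * 2 ** (st.failures - 1)
        return "bad-password"

def guesses_checked(rate_per_second, seconds):
    """Guesses that actually reach the password check when an attacker fires
    rate_per_second guesses at one account for `seconds` (none is ever right)."""
    now = [0.0]                                          # constructed fake clock
    throttle = LoginThrottle(lambda user, pw: False, lambda: now[0])
    while now[0] < seconds:
        throttle.attempt("alice", "guess")               # constructed victim account
        now[0] += 1.0 / rate_per_second
    return throttle.checks
```

With these settings an attacker sending one guess per second for an hour gets only 20 guesses actually checked instead of 3,600, which is why a password only has to hold up against the throttled rate when such a control is in place.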

Unfortunately, normal humans have a lot of trouble keeping track of dozens – if not hundreds – of very complex passwords.  They might be able to manage 1, 2, and 4; but only at the expense of 3.  If they do keep 3 as the primary goal they often run afoul of 1, 2, or 4.

The good news is that there are several ways that you can follow all four rules without losing track of any sites or losing your mind:

1 – Use a Password Manager: A password manager is simply a piece of software that lets you store your usernames and passwords for various sites and applications in a securely protected vault.  This means you only have to remember one password (the one that lets you access the vault) instead of all the passwords for your sites and apps.  You do need to be sure the password manager vendor is reputable and has a good security track record; beyond that, you just set it up and keep it updated, and you no longer have to worry about forgetting passwords.  Even better, most will generate strong passwords on demand, allowing you to have unique passwords for every site and app without having to think them up yourself.  1Password and LastPass are two examples of well-established password managers that work across PC, Mac, and Mobile; they are also easy to use and work no matter what browser you use.  They’re not free (at least for the full feature-set you need to be using), but they’re reasonably priced and worth every penny.

2 – Use a Pass Phrase Instead:  Who says a password has to only be one word?  Complex passwords can just as easily be phrases or sentences if the site doesn’t limit how many characters you can use.  How about “ThisIsMySecureGooglePassword!” for your Google account?  It’s the right length, has upper and lowercase letters, has a special character, etc.  It can also be modified for each site – and those modifications can be hard to guess if you change which word gets modified in a way you’ll remember.

NOTE: Do not, and I really can’t stress this enough – do NOT use that particular sentence. Now that it’s posted to a blog that’s online, it is public information and will get added to databases that attackers use to guess passwords.  PLEASE think up a passphrase or sentence of your own.

3 – Never Use Public Information: Your maiden name, mother’s maiden name, zip code, pet’s name, kids’ names, etc. are all public information and should never be used in a password ever.  If you have to give that information to other people (on Social Media, to your bank, etc.) in the clear (i.e. in plain text or verbally); then it is not suitable for use as a password.

4 – Keep Your Passwords Secure: Remember that no reputable site, service, app, or business will ever – EVER – ask you to tell them your password either online or on the phone.  It is never necessary for them to do so.  They can access your information via their own methods, and don’t need you to tell them your password in order to do it.  So, if anyone claims they’re from FaceBook, or Microsoft, etc. either via email or phone and asks for your password, they’re lying and trying to steal your info.  Also, never keep passwords written down in the physical world, or stored in a file in the digital world unless that file is properly encrypted and secured.  So, a password manager that encrypts its vault is fine, but an Excel spreadsheet that isn’t protected is not.

Defending yourself with strong, non-reused, passwords is a critical part of online security.  These tips are not difficult to use, and typically cost either little or nothing at all to take advantage of.  Take some time to follow proper “password hygiene” and you’ll find yourself in a safer place.

Newbie2Security: What Your Browser can Tell Sites About You

Here’s a great reader-submitted question, “I heard that if I connect to a site from a web browser, they can tell a lot about me.  Is that true? What can they see?”

It’s absolutely true, and your browser can tell a website or service a tremendous amount of information about you.  This can happen even if you haven’t specifically given the site, service, or app any privileges beyond just connecting to it in your browser.  That’s been the case for a very long time now – and this data doesn’t take a lot of technology or expertise for someone to see it and learn about you from it.  Let’s take a look at what your browser can be telling people about you.

Browsers transmit and receive a lot more data than is visible on your screen.  They also transmit what are known as browser headers – metadata (data about data) that identifies what your browser is capable of displaying, how much data it can accept, and a lot more details.

When you connect to a website or service via a browser, the web server and your machine exchange a lot of information.  This is necessary since thousands if not millions of people visit a website, and not all of them use the same web browser or Operating System (Windows, Mac, Linux, etc.), have the same fonts installed, have the same browser add-ons and extensions, etc.  So, in order to figure out what should be sent to your machine, the web server needs this metadata so it can send you the right information to display in your browser.

Most, but not all, of this data is sent in the browser headers.  Here’s what can be sent via headers during any connection to a web server:

- The IP address (a digital address assigned to your computer by your Internet Service Provider) so that the website knows who it is talking to.
- The browser you are using (Internet Explorer, Firefox, Chrome, etc.) and what version of it you are running, so that the website knows what your browser is capable of displaying.
- What fonts, add-ons, and extensions you have installed in your browser – also to help the website figure out what can be displayed.

That may not sound all that informative to a website, but it really is.  With the right tools, here’s what a website can find out based on that information:

- Your IP address can identify where you physically are at the moment.  While it’s not precise, IP geo-location is capable of finding your location within a couple hundred meters if not closer.  IP addresses can also identify what Internet Service Provider you use, whether the connection is a cable modem, DSL, fiber, etc., and whether you’re using something that can anonymize you (like a VPN or the Tor network).
- Your browser type and version can identify what Operating System you use – Internet Explorer only runs on Windows and Safari typically runs on Mac, for example.
- The above information combined with the add-ons, fonts, and other details can allow a website to “fingerprint” your machine to a high degree of accuracy.  This means that if you visit the site again – or go from site to site between websites that share information – these sites can track you and establish a pattern to your browsing history that cannot be removed by clearing your cache.
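What a server can read off those headers, and why the same combination re-identifies a visitor even after cookies are cleared, as an added illustration (example code written for this post, not from any real site or tool; the request text is constructed, and the small marker tables only cover the common browsers and systems named in the text):

```python
import hashlib
import re

# Constructed request, roughly what a Safari-on-Mojave visit sends (not a real capture).
SAMPLE_REQUEST = """GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15
Accept: text/html,application/xhtml+xml
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
DNT: 1
Cookie: session=abc123
"""

# Ordered: Chrome, Edge and Opera all mention Safari in their UA, and Edge/Opera also Chrome.
BROWSER_MARKERS = [("Edg/", "Edge"), ("OPR/", "Opera"), ("Firefox/", "Firefox"),
                   ("Chrome/", "Chrome"), ("Version/", "Safari")]
OS_MARKERS = [("Windows NT", "Windows"), ("iPhone", "iOS"), ("iPad", "iOS"),
              ("Mac OS X", "macOS"), ("Android", "Android"), ("Linux", "Linux")]

def parse_headers(raw):
    """Raw request text -> {lower-cased name: value}, skipping the request line."""
    lines = raw.strip().splitlines()[1:]
    return {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines if ":" in l)}

def describe_client(headers):
    """What a server learns from the headers alone: browser, version, OS, language, prefs."""
    ua = headers.get("user-agent", "")
    browser, marker = next(((n, m) for m, n in BROWSER_MARKERS if m in ua), ("unknown", None))
    version = "unknown"
    if marker:
        m = re.search(re.escape(marker) + r"([\d.]+)", ua)
        version = m.group(1) if m else "unknown"
    return {
        "browser": browser, "version": version,
        "os": next((n for m, n in OS_MARKERS if m in ua), "unknown"),
        "language": headers.get("accept-language", "").split(",")[0] or "unknown",
        "do_not_track": headers.get("dnt") == "1",
        "has_cookies": "cookie" in headers,
    }

def header_fingerprint(headers):
    """Digest over the stable, non-cookie headers.  The same browser/OS/language/encoding
    combination gives the same value on every visit, so clearing cookies alone does not
    break this kind of re-identification."""
    stable = ("user-agent", "accept", "accept-language", "accept-encoding")
    material = "\n".join(f"{k}={headers.get(k, '')}" for k in stable)
    return hashlib.sha256(material.encode()).hexdigest()[:16]
```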

There are also small text files known as cookies that are placed on your computer/laptop/tablet/phone disk.  These cookies allow a specific site to recognize your device when you re-visit that site, and it’s how sites like FaceBook, Twitter, Amazon, etc. know you when you return to them later on.  Generally, cookies are harmless and only apply to a specific website you visit.  Others, known as “supercookies,” are used by advertising networks to track you all around the Internet, however.  By setting your browser’s “Do Not Track” settings you can eliminate most – but not all – of them.  Clearing your browsing history, cache, and cookies will get rid of them, though.

There are also tools for most major browsers that can help keep you more private while web surfing.  The Electronic Frontier Foundation (https://www.eff.org) has a tool called Privacy Badger that blocks most tracking cookies but can let you allow them on sites you do trust.  Ad Blockers can stop ad networks from landing supercookies on your machine.  They’re usually free, and well-trusted tools like uBlock Origin are regularly checked for malware to make sure you’re not opening more security holes than you close.

So, as you can see, a browser can leak a lot of information about you and your devices.  Headers and cookies can tell a website a tremendous amount about who you are, where you are, and where you’ve been online.  Normally this isn’t a problem, as this information is fairly public and not considered Personally Identifiable Information like your name, phone number, social security number, etc. would be.  Just be aware that sites can see this information about you when you visit, and avoid even visiting sites that you don’t ever want to have this level of detail about you in the first place.