For a long time, I kept all of my account passwords in an encrypted file on my computer. While millions of people were turning to online password-management services, I was reluctant, fearing the calamity that might ensue were such a service to be hacked, exposing the sensitive information of perhaps millions of people.

Finally, in April of 2021, I decided to take the plunge. While continuing to maintain my offline password file as a backup, I started using an online service, and even started advising my clients that it seemed safe to do so, if they followed some essential security practices — starting with creating very secure master passwords for their online password vaults that would not be guessable, not use patterns commonly used in passwords, and not be used as the passwords for anything else.

Then came the multiple breaches of security at LastPass, one of the most popular password-management services.

In August, LastPass alerted customers that someone had broken into a portion of their system that is physically separated from where customers’ information is stored, and that customers’ information itself was secure. More recently, the company reported that, using resources gleaned from that August breach, malicious actors had gotten ahold of some customer information — names, partial credit-card numbers, and other data — but not any stored password information.

Finally, on December 22, the company sent an alert to customers notifying them that an update had been posted in the LastPass CEO’s blog. In that blog, the CEO reported that the hackers have indeed accessed backup copies of users’ password “vaults,” the files storing their passwords.

The user IDs and passwords in those files, along with any secure notes stored there, are strongly encrypted, but that doesn't mean the problem isn't severe. As LastPass personnel confirmed to me, some portions of those files were not encrypted — including the Web addresses of services used by those customers. So, for example, while the hackers cannot readily access the log-in data for sites used by LastPass customers, they can compile a list of those sites — a digital “map” showing which online services each customer uses. Paired with the stolen customer data previously reported and other information that can be found on the Internet, this means that accounts included in those LastPass vaults are at risk if they themselves don’t have strong passwords. People who have used the same password on multiple sites are especially vulnerable.

Moreover, it’s very likely a large percentage of LastPass users haven’t followed the best practices in creating the master passwords that unlock their password vaults. If the hackers can guess those master passwords, then every account in that customer‘s LastPass vault is accessible.

LastPass says that if you have a good master password for your LastPass vault, it would take millions of years to decipher it. But determined hackers can set up networks of thousands of computers to work on the problem, possibly reducing “millions of years” to a few years, or even several months. It is likely that a substantial number of the stolen password vaults will be cracked in the next couple of years (and some of the most vulnerable will be accessed much sooner).

Customers Are Vulnerable Immediately

Even if the hackers can access only the portions of the LastPass files that are not encrypted, there are many ways that data can be used maliciously. Obviously, someone who has stored passwords to illegal or unsavory Web sites in LastPass will be very unhappy that their use of those sites is exposed, even if their account log-ins remain secure. And if the person has easy-to-guess user IDs and passwords on any of those sites, they may be at risk of having their accounts broken into.

But perhaps the most immediate danger is that the data can be used for "social engineering" attacks. This means criminals can call, text, or email a person, using information gleaned from their LastPass account to make them sound legitimate, and trick people into divulging passwords or other data. For example, a person could call you and say that they are calling from your Wells Fargo bank to report that your Netflix, San Diego Gas & Electric, and Humana Health Plan payments aren't going though, and they need a credit card number from you to fix the problem. They sound legitimate to you — after all, they know you have Netflix, SDG&E, and Humana. It doesn’t occur to you that they learned about those accounts from your stolen LastPass vault.

I am not, for now, recommending people switch from LastPass to other password-storage services, mainly because I think any password service might be vulnerable to such attacks; in fact, the steps LastPass has taken since this happened may make LastPass less vulnerable to future hacks than other services. Rather, after reading several reports in the tech press about this incident, I have stopped recommending using any online password-storage system, at least if you can set up a secure password vault on your own devices or offline (e.g., in a paper notebook). I can advise clients on how to do that.

Steps Everyone Should Take

Meanwhile, the following five steps are crucial (for everyone, not just LastPass users):

It's a sad fact of life that these kinds of breaches will continue to happen. None of us is truly safe; but if you practice security hygiene principles like the ones listed above, you will be fairly secure. After all, plenty of people will use passwords that are easy to guess or will be too gullible on the phone. If you are more careful, and make your information hard to get at, criminals won’t waste their time on you; they’ll just move on to someone else who’s an easier mark.

More About This Incident

• LastPass Confirms Hackers Stole Its Password Vaults — What You Should Know (HotHardware.com)
• LastPass Password Vaults Stolen By Hackers — Change Your Master Password Now (Forbes)
• How To Delete Your LastPass Account … and Move Elsewhere (Tom’s Guide) [Note: As I wrote above, I don’t think other online password managers are likely to be immune from similar attacks in the future]

Yesterday (Tuesday, June 8, 2021), Amazon hacked into your home’s WiFi network and started sharing it with the world.
 
If you have Amazon’s Ring camera or Echo smart devices connected, the company started sharing your WiFi network with your neighbors. Without asking you. Without telling you (unless you happened to notice an obscure announcement made last September.) And without paying you for the share of your Internet service it will be using.
 
The good news is, you can turn off Amazon’s hack. Instructions are below.
​

You’ve Been Sidewalked
 
What exactly did Amazon do? It turned on a network function it calls Sidewalk. This function uses low-power Bluetooth and a new, untested WiFi protocol called “LoRa” (I hadn’t heard of it either) to enable devices carried by anyone near your home to use your network to transmit and receive data. While Amazon says the network is secure (triple-encrypted, separate from your own data streams), nobody outside of Amazon has really had a chance to vet it before millions of customers were unwittingly sucked into Amazon’s massive experiment.
 
Sidewalk is supposed to make your life even greater by keeping your security camera working if your Internet goes down (as long as your Amazon-equipped neighbor’s WiFi is still working), support devices like Tile that help you find a lost item (if you’d attached a Tile to it), activate a CareBand tracker attached to someone with dementia, operate a Level smart lock, increase the range of these devices so they can be farther from your Internet router, and more.
​

How to Turn Off Sidewalk
 
To turn off Amazon Sidewalk in your devices, you need to use the Alexa mobile app; it cannot be done from a computer. (You can't get to it on the desktop.) In the Alexa app, go to More (lower right corner) → Settings → Account Settings → Amazon Sidewalk. Click the toggle so it says “disabled.” PC shows these steps in an image.
 
For more information about Sidewalk, click the links in this post. And as always, please post your questions and comments below (click "# Comments"  below the Like button ↓).
 
Photo illustration credits: Amazon Sidewalk image by Steve Freedkin, Your Attention, Please! communications. You’re free to use it for non-commercial purposes if you don’t remove or hide the text in the upper-right corner. Woman with red numerals projected on face by cottonbro via Pexels.

We now offer personalized, one-on-one Zoom training. Group training, too. Click for more.

​With so many people around the world avoiding in-person contact, videoconferencing has exploded. The most widely known platform, Zoom, has come under scrutiny for its security practices (or lack of them).
 
Because we have substantial experience working with Zoom, we are being called upon regularly to help people set up Zoom, learn how to use it, and even to run complex Zoom calls for our clients. This includes maintaining security so Zoom calls aren’t invaded, spied upon, or disrupted.
 
I’m still using Zoom myself, and I believe that for most uses, the security is sufficient, if certain precautions are taken. In my judgment, it’s probably as secure as other online communications channels we all use every day — e-mail, Web forms, online calendars, and other tools. I certainly don’t agree with the harshest critics, who say thinks like, “Zoom is malware” (malicious software). It is probably not suitable for highly sensitive communications that bad actors with resources might target — state secrets, for example, or the most private conversations of people like Edward Snowden. But for everyday folks who aren’t being surveilled by major governments or criminal enterprises, Zoom can be secure enough.

​Zoom Sharing Data with Facebook
 
Zoom made use of the Facebook Software Development Kit (SDK) for certain functions, such as being able to create a Zoom account by logging in with your Facebook credentials. Facebook’s SDK is insidious: It sends user data to Facebook. According to Zoom, “The information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names, notes, etc., but rather included information about devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.”

Solution: Limit Screen Sharing, Control Participation. The easiest solution to the screen-sharing attack is to allow only the meeting host to share screens. In both PERSONAL and ADMIN (again, the latter controlling anyone other users in your Zoom account), go to Settings → Meeting → In Meeting (Basic) and set Screen Sharing to Host Only. During a meeting, you can change this on the fly. In the desktop app, click the upward chevron (^) next to Share Screen in the control bar at the bottom, then Advanced Sharing Options…, then change Who can share? as needed.

In the Web-site settings, under In Meeting (Basic), you’ll also probably want to turn off Allow removed participants to rejoin. This way, if you boot someone out of a call, they can’t come back. Other ways to control access include to turn on the Waiting Room, so new people need to be manually allowed in by a host (and it’s good to have a co-host in this case, so the host can concentrate on the meeting itself); turn off Allow participants to join before host if you don’t want to use the waiting-room feature; and lock a meeting once everyone is present, preventing anyone else from joining. (During the call, select Manage Participants from the control bar at the bottom if the participant list isn’t already showing, then under the list of participants select More v, then Lock Meeting. You can also Unlock Meeting here in case someone leaves who should be allowed back in.) Finally, when setting up a meeting, you may want to use a randomly generated meeting I.D. if your personal meeting I.D. has been made public, so Zoombombers won’t know where to find your Zoom call. Or you can use a password, and make sure nobody has the Zoom call link except authorized participants, since the link will include an encrypted version of the password (unless you turn off that setting). Or, share the link without the password (omit the “?” and everything following it), and circulate the password separately to trusted invitees. These procedures will help keep out people who might be disruptive in other ways than screen-sharing. (Note: On April 4, Zoom enabled Waiting Rooms and passwords by default for individual and K–12 educational accounts. K–12 educational accounts cannot turn off the passwords feature.)

An identity-theft scam e-mail was received by someone I know early this morning, in the form of an e-mail message purporting to be from the Apple iTunes Store saying he needed to verify his identity.

While this particular scam message had many giveaways showing it was not legitimate, the person fell for it anyway, and the consequences began within minutes.

Worse, the scammers have everything they need to perform identity theft: His name, address, Social Security Number, credit-card information, and mother's maiden name. The fake Apple page where he entered his data asks for other information an ID thief would find useful: driver license or passport number. These are requested under the guise of Security Question answers. No legitimate site will ask for driver license or passport as a Security Question item.

A victim of this scam will need to cancel the credit card, initiate a fraud alert with the credit bureaus, report the data theft at IdentityTheft.gov, and watch for instances of the thieves using his information for harm. It is possible they will use his e-mail to send out spam, including the spam that tricked him; they may also use the information they've gathered about him to rob his friends (e.g., by e-mailing them that he needs them to send an immediate loan because he is abroad and has lost his passport, which they can do convincingly because they have a lot of info about him that they can use in an e-mail to make the request seem genuine).

So, once again, what’s the one thing you can do to always avoid falling for this kind of scam? That’s right: Instead of clicking a link in the e-mail to go to the log-in page, type the known, legitimate address of the page into your browser yourself.

If you want to do a good deed for the community-at-large, report these scams when you get them. You can report them at:

• https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en (do this one first)​
• https://submit.symantec.com/antifraud/phish.cgi​
• Forward the e-mail as an attachment (instructions here) to: is-spam@labs.sophos.com​

• Report the site by sending its Web address to:  phishing-report@us-cert.gov

Monday, Oct. 16, 2017, 9:50 p.m. PDT — Internet security experts are calling today “Black Monday” because two huge, worldwide Internet security flaws were announced today.
 
KRACK Attacks
 
First, and getting the most attention: A security flaw dubbed “KRACK” (Key Reinstallation Attack) affects most modern devices that connect to the Internet via Wi-Fi. Discovered by Belgian researchers, KRACK is a shortcoming in WPA2 (Wi-Fi Protected Access version 2), the standard protocol for secure wireless connection. It would allow a hacker situated in the vicinity of a wireless device to intercept its communications with the Internet and decipher them.
 
The good news is that the hacker must be near your device. So, the chance that you could be subject to such an attack at home or in a business’s office (other than a shared workspace) is quite slim. Hackers are more likely to go after specific targets or to situate themselves in target-rich locations like libraries, cafés, hotel lobbies, and other locations where many users would be connected to WiFi at once.
 
The vulnerability rests not on the wireless access point (the network router or modem), but on the devices connected to it — your computer, smartwatch, smartphone, wireless printer, NEST devices, Amazon Echo, Google Home, Net-connected television, and everything else that connects to the Internet. As security updates to the software of these devices become available, they should be installed promptly.
 
Some systems will update automatically when the manufacturers “push” out the security patch. Others will notify you when an update or patch is available. Most likely, you will be asked to update the operating system — Windows, MacOS, iOS, Android, etc. (Apple’s iOS and MacOS are considered somewhat less vulnerable, as is Microsoft Windows. More vulnerable: Android, Linux, some other systems.)

Here are my recommendations for dealing with this issue:

1. Make sure the operating systems of your devices are updated. When you are notified that an update is ready, install it without delay. (The status of such updates for many manufacturers is listed at the bottom of this article. Some already fixed the problem as early as July 2017.)
2. Limit your activity on public Wi-Fi networks, particularly in locations where many people are connected simultaneously (a target-rich environment for hackers). In particular, avoid conducting secure communications such as banking, or anything requiring logging in to a site or service with a password.
3. Consider turning off Wi-Fi on your smartphone when not connected to your home or (unshared) office network. Your cellular company’s data uses different encryption protocols than WPA2, and is not subject to the same vulnerability.
4. I have previously recommended using Signal by Open Whisper Systems (recommended by Edward Snowden!) for encrypting texting; Signal also now offers reasonable quality encrypted voice calling, and various extras like the option to set text messages to disappear after a time period you specify.
5. If you must have secure Web communications, install Virtual Private Network (VPN) software, which applies its own encryption to all data transmitted over Wi-Fi. Even if someone intercepts your signal and uses the KRACK hack to break WPA2’s encryption, all they’ll get is unreadable data scrambled by the VPN’s encryption. VPN apps are available for various computers and smartphones. I have a VPN on both my Mac laptop and my Android phone. For a basic primer on what VPN is, see VPN for Beginners. For ratings of some VPN services on a 5-point scale, see The Best VPN Services of 2017 from c|net. VPN may slow you down a bit as it launches, and some VPN services have slow data transmission because they’ve been overwhelmed with new clients since the current Administration was inaugurated in Washington as activists and plain old citizens became concerned about the risk of greater government intrusion into their private communications. Many VPN services can also be set to disguise your location, too. (Right now, the Internet thinks I’m connecting from a spot several thousand miles away from my actual location.)

 
 
ROCA Rolls
 
A second security flaw announced Monday, ROCA (Return of Coppersmith’s Attack), is dubbed “worse than KRACK” by some writers. This flaw affects encryption in critical applications, such as for national identity cards, software “signing” (by which the genuineness and security of software is confirmed), digital-signature documents, and protections for government and corporate computers.
 
You may have heard of “public-private key encryption.” This is a schema whereby data is encrypted using two “keys,” or strings of data. One is public, and one is private. If I send you a message, I encrypt it using your public key. You then decrypt it using your private key. This is secure only if a person’s public key can’t be used to figure out that person’s private key, which was believed to be the case — until ROCA, which enables an attacker to figure out your private key from your public key.
 
Versions of public-private key encryption are used in many protocols for secure Internet communications.
 
What you can do (the second and third of these are fairly technical; if you don’t understand them, they probably don’t apply to you):

1. If you are asked by the issuer to replace a chip card (such as a credit card or secure ID card) or another device that uses encryption, do so promptly.
2. If you have set up your own public-private keyset, using software like PGP or GPG, test your public key to determine whether it’s vulnerable. If it is, expire that key and create a new key, then share it with everyone who has your old key. (“Keys generated with OpenSSL, PGP-compliant programs, and other similar programs aren’t affected by ROCA. However, those that rely on embedded chips or smart cards for cryptographic functions may be vulnerable,” according to WCCFtech. GPG is PGP-compliant.)
3. Counterintuitively, it appears that 3072-bit keys are harder to crack than the longer 4096-bit keys. If creating a new key, keep this in mind. However, you may want to do your own research before you choose a key size; it’s possible the advice regarding ROCA will evolve over the coming days, as this is new information in the public realm.

Updated 10/6/17 — added reference and links to people facing delays buying iPhones because of their credit being frozen
Updated 10/4/17 2:44 p.m. PDT — updated info on TransUnion’s TrueIdentity free credit freeze;
    reply to reader comment about a fourth credit bureau, Innovis.
Updated 9/15/17 5:49 p.m. PDT — new date for expiration of free credit-freeze offer from Equifax
Updated 9/14/17 5:07 p.m. PDT — New Info re TransUnion’s TrueIdentity program

It’s almost certainly the worst data breach in U.S. history in terms of the amount of damage likely to be done and the number of people likely to be hurt. Hackers have stolen the sensitive personal information of 143 million U.S. consumers (plus an undisclosed number of Canadian and U.K. residents) from Equifax, one of the “Big Three” credit-rating bureaus (the other two being Experian and TransUnion). 

​
​What Was Stolen, When, and Why
 
The amount of data isn’t the main issue, though; it’s the types of information they got, including Social Security numbers, birthdates, home addresses, driver licenses, credit-card documents, and other sensitive personal information that can be used to steal your identity; open accounts in your name; file false tax returns in your name and steal your tax refunds; ruin your credit; and more. As USA Today noted in a blistering editorial, “A breach at one of the nation’s three major credit bureaus is far more dangerous than the typical retail credit card breach. It's easy enough to get a new credit card, but you can’t change your birth date or easily get a new Social Security number.”

​The hack probably was made possible by Equifax failing to patch security holes in its software, security expert and former Homeland Security official Paul Rosenzweig writes in Scientific American. “The real loser here is you and me. We have no privacy left.” And, he adds, the cost of protecting our data is increasingly borne by us, the consumers, not the companies that hold the data. (This is not the first time Equifax has been hacked due to lax security, victims allege.)
 
The hack occurred beginning as early as mid-May. Equifax didn’t discover it until July 29, and didn’t make it public until Thursday, Sept. 7. During the interim, three top Equifax officials sold off millions of dollars worth of company stock. The company claims the executives — its Chief Financial Officer, U.S. Information Solutions President, and Workforce Solutions President — were unaware of the data breach that had been discovered a few days before they sold those holdings.

​Equifax Compounds the Problem
 
After revealing the breach, Equifax made the situation worse by urging people to sign up for a free year of a credit-monitoring service (far short of what’s needed), after which they would be prompted to pay for continuing the service. The Web site Equifax set up to supposedly tell you whether your data was stolen and to sign up for the free year of monitoring itself has security flaws. Moreover, when registering to find out whether your data has been stolen, you can get different answers with the same information entered on different Web browsers; in tests, entering nonsense information (“123456” for Social Security number, “Test” for name) produced a message saying your data might have been affected. (The site is EquifaxSecurity2017 — I do not recommend registering at that site.) My recommendation: Assume your data was stolen, and act accordingly. Even if you weren’t a victim in this breach, taking action now may protect you against the next one.

Perhaps worst of all, for the first couple of days, the site’s Terms of Service contained a clause that said by signing up for the free monitoring, users were giving up their right to sue over the data breach. That “binding-arbitration” clause has been removed as of this writing, but people who signed up before it was removed may need to write to Equifax within 30 days of signing up to get their legal rights back. (Write to Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out, P.O. Box 105496, Atlanta, GA 30348, including your name, address, and Equifax User ID, as well as a clear statement that you do not wish to resolve disputes with Equifax through arbitration.)


What You Need to Do
 
I won’t mince words. This is very bad. It’s not possible to put the genie back into the bottle: Your information is out there, criminals will try to use it, and there is no 100% secure defense.
 
But there are things you can do to make yourself a less-easy target. With luck, that will prompt the bad actors to move on to someone else and leave you alone.
 
Based on recommendations from sources I trust, here are steps to take:

Free alternatives: Equifax is waiving its fee for credit freezes through Nov. 21; I've frozen my credit report with that company.

TransUnion offers a free alternative to credit locking called TrueIdentity. It lets you lock and unlock your credit report at will. TrueIdentity seems as useful as a credit freeze without the fees and with less hassle. I haven’t been able to find any reliable reviews of the service, but it’s what I’m doing for the time being.

Some drawbacks, which weren’t dealbreakers for me: After creating my account on Sept. 14, 2017, I kept getting log-in errors, even after I had supposedly successfully changed my password. That night I got an e-mail from TransUnion with the Subject "You're In!" with small print saying I’d be charged $19.95/month. I phoned the next day; the customer service representative fixed the problem with my login, and then confirmed I wasn’t signed up for any services that cost money. (Apparently, the e-mail was a mistake.) As of Oct. 4, I haven’t been charged anything. I don’t like that the sign-up process required giving my mobile phone number; I gave my voicemail number instead. The agreement for the service says I “agree to receive targeted offers by TransUnion and other parties in exchange for receiving the product at no charge” (another good reason not to give my actual cell number); I can deal with that. It also requires binding arbitration of disputes, not as crucial an issue for a free product, but I’ll exercise my right to reject binding arbitration anyway. (“Within 60 days of signing up, write to TransUnion Interactive, 100 Cross Street, Suite 202, San Luis Obispo, CA 93401 with your current username and a clear statement of your intent, such as I reject the arbitration clause in the TransUnion Interactive Service Agreement.”)

TransUnion does offer the paid Credit Freeze option, too. And remember: This option must be requested from each of the three credit unions, so the one-time cost could be $20 total ($10 each from TransUnion and Experian, with Equifax waiving its fee until Nov. 21, 2017).

2. Initiate a fraud alert
 
This is a free option, and easier than a credit freeze, though it provides weaker protection. You sign up at just one of the three credit bureaus; they are required to notify the other two. I did mine at Experian (not trusting Equifax to keep anything secure right now).
​
A fraud alert lasts 90 days and can be renewed. When you sign up, put a note in your calendar every 90 days to renew it.
 
A fraud alert can make it harder to open new accounts in your name, according to the Federal Trade Commission (FTC). Businesses “see a ‘red flag’ on your account and know to take extra steps to verify your identity.” Of course, thanks to Equifax’s security breach, a thief may be able to answer a business’s questions correctly; a savvy business will try something like phoning you at the number shown in your credit report. (The thief may have your phone number, but probably doesn’t have your actual phone.) A fraud alert entitles you to a free copy of your credit report (though you may already have one coming — see next section). A fraud alert is probably unnecessary if you’ve ordered a credit freeze from all three bureaus.
 
​
3. Review and correct your credit report
 
By law, you are entitled to review your credit report from each of the three bureaus once a year at no charge. This doesn’t include your credit score — the numerical ratings that indicate how credit-worthy the companies think you are — but it does include all of your credit accounts and their current payment status, as well as your address and other identifying information. Best practice is to request the free report from just one of the credit bureaus every quarter, so you can keep on top of the info without paying for additional reports. For example, check Equifax’s now; Experian’s in four months; TransUnion’s in eight months; and then in a year, you’ll be due for another free report from Equifax. If you’ve recently requested your free report from any or all of the bureaus, filing a fraud alert (see previous section) apparently entitles you to a new free report.
 
If you find anything amiss, follow the bureau’s procedures for correcting the information. That will also help protect against the Equifax hack because your information will now be different from what the thieves stole, which may result in failure when they try to steal your identity later.
 
The official Web site for requesting your free report is annualcreditreport.com. Imposters are legion, and may come with strings attached or even be fraudulent; use only this site, which is sponsored by the three bureaus and recommended by the FTC.

4. Review your accounts regularly
 
It should go without saying that this breach makes it all the more critical to carefully review credit and bank accounts as well as other financial statements (e.g., mortgage bills) immediately upon receipt to make sure there are no fraudulent transactions. Particularly with credit accounts, reporting fake charges promptly is necessary if you don’t want to be held liable for them. 

​I check my accounts at least weekly online to make sure nothing is amiss. (Don’t log in on a public wireless network unless you use a VPN — virtual private network — to shield your data, and make sure your computer has up-to-date antivirus software to make sure nobody is spying on you when you type in your passwords. And, of course, have strong passwords, and a different one for each account; if one account is breached by hackers, they won’t automatically be able to get into others.)

5. File your taxes early
 
One way identity thieves profit is by filing a tax return in your name and then collecting your refund. To reduce the chance of this occurring, file your tax return as early as you can, improving the chance that yours will be filed before someone else submits a fake one in your name.
 
 
The Way Things Are Now

I have already seen reports from several friends that their credit-card accounts have been hacked in the past few days. While I can’t say for sure this is a result of the Equifax calamity, it’s quite plausible.
 
This is all a massive pain, and we’re just getting started. I’m sorry to say, this breach represents the shape of things to come. If you have been lax about online security until now, it’s time to “harden your defenses,” knowing that nothing will keep you entirely safe, but at least you can reduce the likelihood you’ll be subjected to headaches and heartache down the road.

 Just today, two new malicious online attacks came to our attention. One was discovered by Wordfence, the security service we use to protect clients' WordPress sites. The other was first encountered by one of my clients due to an unfortunate typographical error.

Fake Squarespace Site / Fake Download / Fake Tech Support

One client tried to visit Squarespace today to update her Web site. She got a pop-up warning her that something was wrong with her account and directing her to call a toll-free number, which she did. The person at the other end attempted to persuade her to give him remote access to her computer. She declined, but she kept getting the pop-up warning. When I examined her computer, I found (as I had guessed) that she had mis-typed "Squarespace" — she had scrambled a couple of the letters, which led her to a site whose name was almost Squarespace, but which was actually a scam site.

Visiting the scam almost-Squarespace address causes the Web browser to redirect to one of several different scams. One site contains the admonition to call that toll-free number. Another displays a fake pop-up window that says you need to update Flash Player on your computer. (Flash Player allows the display of certain animated and interactive content on Web sites.) Clicking "cancel" still causes a download to begin. The small print at the bottom of the page says the installer will also include pesky "adware" programs that threaten your computer security and are hard to remove.

We've reported the fake almost-Squarespace address to Squarespace (which was not aware of it when we first reached out), Google, Sophos Antivirus, Firefox/Mozilla, StopBadware, and the Federal Bureau of Investigation.

The fake tech-support scam is quite widespread and dangerous and its perpetrators are very persuasive — so much so that even I fell for this scam a few months ago. I allowed the criminal at the other end to access my computer; when I noticed that he was rooting around in my private files, I turned off my WiFi (the only way to boot him off of my machine) and deleted the software that let him control my device. He phoned me several times attempting to persuade me to grant him access again, until I told him I had reported him to the FBI. (I reported the almost-Squarespace scam to the FBI tonight, and to Google, Firefox, Sophos, and other services that block scam sites.)

Often, these fake tech-support folks reach out to victims by telephone, saying they are from Microsoft Support or something similar and that they have detected a virus on your computer. My partner has gotten several such calls at her office. In fact, this scam is widespread enough that the Federal Trade Commission has published an alert about it. If anyone calls you, or you get an e-mail or on-screen pop-up, claiming your computer is infected, that is almost certainly a scam. Almost all infection monitoring is done by software installed on your computer, not remotely. (If you'd like, I can help you install and update security software, identify and get rid of infections, and fix other technical issues.)

WordPress Hacking/Defacement

Meanwhile, we learned today that hackers are on a tear defacing WordPress Web sites — one source says more than 60,000 sites have been defaced, and another says more than 1.5 million pages on 39,000 sites have been messed up just this week. The attackers are using a vulnerability that was fixed in WordPress 4.7.2. If you have WordPress 4.7 or above, it probably has automatically updated itself to 4.7.2, but earlier versions may not auto-update. Check your WordPress version (log in to your site's dashboard and click the WordPress "W" icon at top left); if it's older than 4.7.2, you'll want to update, but first back up your current installation, because sometimes updates will cause your Web site to go offline and there may be no ready way to recover it other than to reinstall the older version, then fix the problem there before updating again. (Some Web hosts automatically keep nightly backups for you, either as part of the basic service or for an extra charge.) I can help with these issues if desired.

I am currently booked solid with tight-deadline projects for several clients, so unless you are facing an immediate problem (infected computer or defaced Web site), it may be a week or so before I can get to you, so if you will want my help, I recommend reaching out soon to get on my calendar.

​​Uh-oh. Hackers have published the coding they used to launch a gigantic attack against the Web site of an Internet security journalist. The malware (malicious software) uses the “Internet of Things” — Web-connected cameras, thermostats, and other devices, which are often poorly protected — to send overwhelming traffic to the targeted Web site, causing it to slow down or become entirely unavailable. The attack was so huge that the massive Akamai network stopped hosting the security site (which it had previously hosted as a public service), fearing future attacks would overwhelm even it. The security site was picked up by Google, which has the power to repel such massive attacks — for now.

Experts say the release of this coding may lead to many more attacks on Web sites. It also seems to have prompted manufacturers to start tightening security on “Internet of Things” (IoT) devices: The hacker who released the code said the number of devices it can control through one system has dropped by more than 20% recently.

The vulnerability of the Internet to hacking by malicious countries (Russia has been attacking all over the place lately, including targets related to the U.S. Presidential election), criminal enterprises, or even a single individual should set off alarm bells. We are reaching a critical juncture where the future of our connected world is looking increasingly fragile. Governments and private enterprise need to greatly step up the resources they put into online security, and that includes makers of stuff that connects to the Internet.

At our office, some of the items connected to the Internet are our electric power (including our solar panels), our computers of course, our system for listening to music and accessing radio (except our emergency hand-cranked radio). Beyond that, the utility power grid, the city's water and sewer system, and probably all communications systems are potentially vulnerable. You may be even more connected — does your refrigerator use the Internet to report energy usage or compile your shopping list?

Here in California, we all are advised to keep earthquake supplies on hand, including enough food and water to last at least several days. Former "Nightline" host Ted Koppell warns, in a book published almost a year ago, that we should all be prepared to do without the electric grid for months, not just days or weeks.

In the meantime, I recommend we all contact our elected officials and ask what they are doing about our increasing vulnerability to cyberattacks, without compromising our privacy. After all, if laws are passed requiring that security and encryption systems contain “back-door keys” the government can use in criminal investigations, for example, you can bet hackers will be stealing and using those keys, while terrorists and crime syndicates will just apply their own encryption that has no such keys. Such systems would decrease our security without affecting determined bad guys.

Two items in the news recently, taken together, underscore the threats being targeted at our computers and devices — and that Apple products, not just Windows, are now being targeted by sophisticated operatives.
 
First is a story from c|net, a top-notch source for technology news, reporting the first instance of fully functional “ransomware” that attacks Macintosh computers being found “in the wild.”
 
Since I like to say “we speak human,” let me unpack those computerese terms.
 
“Ransomware” is software that scrambles (encrypts) your files, and the criminals behind the software demand you pay a ransom to get your files unscrambled. The encryption is strong enough that it’s effectively impossible to unscramble the files without the key held by the criminals. The scrambled files are useless.
 
“In the wild” means that the ransomware has been discovered circulating on the Internet, not just among security experts. In other words, you could become a victim.
 
Until now, ransomware was designed to attack Windows computers. With Windows running nearly 90% of all computers, versus about 5% for Macintosh, criminals generally haven’t felt it was worth their while to write software that attacks Macs.
 
C|net’s Claire Reilly was a bit sensationalist in starting off her report with, “Sorry, Mac fans. Now you're no better off than regular old PC users.” One ransomware program is nothing compared to the thousands upon thousands of malicious programs unleashed upon Windows. Still, the amount of damage that could be done by the Mac ransomware program, nicknamed KeRanger, is substantial: There were signs that a new version under development would also scramble users’ Time Machine backup files, leaving them with only two options: Lose everything, or pay the $400 ransom.
 
If you have Mac computers, you are unlikely to be infected though, because it appears KeRanger was circulated via a corrupted version of a program called Transmission that was available for download only on March 4 and 5. The Transmission team removed the infected software from their site soon after it was placed there, and within days, Apple made changes that automatically prevented KeRanger from running on Macs. (This was a instance where Apple could block the malicious software without users needing to do anything; often, it’s necessary to update your system software to close security holes.)
 
Although KeRanger surfaced six months ago, it has popped up in technical news lately along with another recent report, this one about software that can see and record everything on an Apple iPhone. An Israeli firm, the NSO Group, sells that software. With a price tag of $650,000, NSO’s spyware has been bought by governments around the world. It came to light last month when attackers tried to install it on the iPhone of a human-rights activist in the United Arab Emirates and on the iPhone of a Mexican journalist who wrote about government corruption.

​The attack on the UAE activist came in the form of a text message urging him to visit a Web site for information about human-rights issues. Suspicious, he instead sent the text to security experts, who followed the link and found that the Web site would automatically download NSO’s software onto any iPhone that visited the site.
 
You may not be a human-rights activist in a country where you legitimately should fear your government, but that doesn’t mean you’re immune. A pricetag of $650,000 isn’t too high for a criminal enterprise that wants to steal credit-card information or bank log-ins.
 
Two computer-security operations, Citizen Lab and Lookout, figured out how NSO is able to infect iPhones and alerted Apple, which patched the vulnerabilities in its update to iOS 9.3.5. As Lookout* writes, “All individuals should update to the latest version of iOS immediately. If you’re unsure what version you’re running, you can check Settings > General > About > Version.” This is a case where you may need to take action to keep your device safe. (*I have used Lookout software for a few years now.)
 
The lessons here:

1. Never click links in text messages or e-mails unless you are expecting that information, even if the message looks like it comes from someone you know and trust. The “from” line of a message can be faked (“spoofed”). To visit a Web site you trust, type its address into your browser rather than clicking a link in a message; links in e-mail can be made to disguise their true destinations. 
   
   
2. Keep your software updated, especially system software (for example, Mac OS, Windows, or Linux on your computer; iOS, Android, or Blackberry OS on your phone).
   
   
3. If you suspect your device may be infected — it slows down dramatically or behaves in other unexpected ways — you might want to have an expert check it out. I am happy to do a security scan, as are most computer repair and service providers. However, don’t trust a Web site to do such a scan unless you confirm it’s legit (I can point you to trustworthy sites); some sites masquerade as security scans, but use the access you grant them to actually install malicious code.

 
Bottom line: When in doubt, check it out.

“What happened? When I launched my Web site I got lots of inquiries, but now it has slowed. I thought it was SEO’d — Search Engine Optimized!”

This is a common experience among Web-site owners, including my clients. After launching a new or redesigned site with all the right stuff in terms of SEO (that is, designed to show up near the top of results when people search for what you offer using Google or other sites), you might get a whole bunch of inquiries from people who find your site online. But later, you find it slows down. How come?

SEO, it turns out, is an ongoing program, not a one-time project. There are several reasons:​

• Your competitors are also trying to get found, and as they improve their own sites’ SEO, they may show up before you, pushing you further down the page or onto a later page.
• Search engines like Google are constantly refining and revising their algorithms, which might help you or hurt you.
• If your site is fairly static — that is, it’s not updated very frequently — it may appear “stale” to the search engines compared to another site that is regularly updated with new information.
• Language shifts over time, and a term that was popular when you launched your site might be used less often in searches today, while other terms might come to the fore. For instance, a few years ago, people seeking pain relief or psychological counseling may have been unlikely to search using the term “neuroplasticity,” but that has become a hot topic of late, so some of my Web clients have been making sure their sites include that word.

​How do you know whether your SEO is up-to-date or falling behind? One way is to conduct some sample searches on terms you think your prospects might use. For example, if you search Google for “neuroplasticity pain Berkeley,” three of the top five results will be from medicalcounseling.net, my client whose site emphasizes the term, which is a good result. If, however, you conduct a search relevant to your business and your competitors show up first in the results, you can examine those competitors’ Web sites to see how they make that happen. In the above example, if you visit medicalcounseling.net, you’ll see that “neuroplastic” or “neuroplasticity” appears several times on the home page, as does “pain.” “Berkeley” appears twice in the footer, the text at the bottom of every page. That’s important, because people very often search for services near them, and often it is difficult-to-impossible to rank first in search results for a topic worldwide. (Search “neuroplasticity pain” without “Berkeley,” and my client doesn’t show up until the tenth page of results.)

Be careful, though, to make sure the terms you emphasize are genuinely related to the main topic of your site. “Keyword stuffing,” or inserting words onto your site because you want people to find you by searching that term even though it doesn’t really relate to your business, will hurt you in search results: The search engines have algorithms that watch for this strategy and will actually downgrade you for employing it.

I recommend reviewing your search standings every three or four months and adjusting as needed. This is something I do for some of my clients and would be happy to do for you, if desired. I keep on top of SEO trends and strategies, and in just two or three hours can help keep you easier to find by people who are looking for what you’re offering.