Your Attention, Please! communications

The Nightmare Is Real: LastPass Password Manager Hacked

12/26/2022

0 Comments

 

For a long time, I kept all of my account passwords in an encrypted file on my computer. While millions of people were turning to online password-management services, I was reluctant, fearing the calamity that might ensue were such a service to be hacked, exposing the sensitive information of perhaps millions of people.

Finally, in April of 2021, I decided to take the plunge. While continuing to maintain my offline password file as a backup, I started using an online service, and even started advising my clients that it seemed safe to do so, if they followed some essential security practices — starting with creating very secure master passwords for their online password vaults that would not be guessable, not use patterns commonly used in passwords, and not be used as the passwords for anything else.

Then came the multiple breaches of security at LastPass, one of the most popular password-management services.

In August, LastPass alerted customers that someone had broken into a portion of their system that is physically separated from where customers’ information is stored, and that customers’ information itself was secure. More recently, the company reported that, using resources gleaned from that August breach, malicious actors had gotten ahold of some customer information — names, partial credit-card numbers, and other data — but not any stored password information.

Finally, on December 22, the company sent an alert to customers notifying them that an update had been posted in the LastPass CEO’s blog. In that blog, the CEO reported that the hackers have indeed accessed backup copies of users’ password “vaults,” the files storing their passwords.

The user IDs and passwords in those files, along with any secure notes stored there, are strongly encrypted, but that doesn't mean the problem isn't severe. As LastPass personnel confirmed to me, some portions of those files were not encrypted — including the Web addresses of services used by those customers. So, for example, while the hackers cannot readily access the log-in data for sites used by LastPass customers, they can compile a list of those sites — a digital “map” showing which online services each customer uses. Paired with the stolen customer data previously reported and other information that can be found on the Internet, this means that accounts included in those LastPass vaults are at risk if they themselves don’t have strong passwords. People who have used the same password on multiple sites are especially vulnerable.

Moreover, it’s very likely a large percentage of LastPass users haven’t followed the best practices in creating the master passwords that unlock their password vaults. If the hackers can guess those master passwords, then every account in that customer’s LastPass vault is accessible.

LastPass says that if you have a good master password for your LastPass vault, it would take millions of years to decipher it. But determined hackers can set up networks of thousands of computers to work on the problem, possibly reducing “millions of years” to a few years, or even several months. It is likely that a substantial number of the stolen password vaults will be cracked in the next couple of years (and some of the most vulnerable will be accessed much sooner).

Customers Are Vulnerable Immediately

Even if the hackers can access only the portions of the LastPass files that are not encrypted, there are many ways that data can be used maliciously. Obviously, someone who has stored passwords to illegal or unsavory Web sites in LastPass will be very unhappy that their use of those sites is exposed, even if their account log-ins remain secure. And if the person has easy-to-guess user IDs and passwords on any of those sites, they may be at risk of having their accounts broken into.

But perhaps the most immediate danger is that the data can be used for "social engineering" attacks. This means criminals can call, text, or email a person, using information gleaned from their LastPass account to make them sound legitimate, and trick people into divulging passwords or other data. For example, a person could call you and say that they are calling from your Wells Fargo bank to report that your Netflix, San Diego Gas & Electric, and Humana Health Plan payments aren't going through, and they need a credit card number from you to fix the problem. They sound legitimate to you — after all, they know you have Netflix, SDG&E, and Humana. It doesn’t occur to you that they learned about those accounts from your stolen LastPass vault.

I am not, for now, recommending people switch from LastPass to other password-storage services, mainly because I think any password service might be vulnerable to such attacks; in fact, the steps LastPass has taken since this happened may make LastPass less vulnerable to future hacks than other services. Rather, after reading several reports in the tech press about this incident, I have stopped recommending using any online password-storage system, at least if you can set up a secure password vault on your own devices or offline (e.g., in a paper notebook). I can advise clients on how to do that.

Steps Everyone Should Take

Meanwhile, the following five steps are crucial (for everyone, not just LastPass users):

Graphic by Pete Linforth via Pixabay
(1) MOST IMPORTANTLY: Make it a rule to never give out log-in IDs, passwords, answers to security questions, account numbers, or any other sensitive information to anyone who contacts you, unless you first requested the contact. Even then, a legitimate call will almost never include requesting your full credit-card number, full account number, or your full Social Security number. Be aware that these callers can sound very persuasive: I've been taken in by them myself in the past.

(2) If you are a LastPass user, look through your LastPass vault to review what someone can learn about you by knowing which Web sites and services are included there, and how you can defend yourself against misuse of that information. Whether you use LastPass, another password service, or no password service, be aware that if someone contacts you who knows things about you, such as that you use certain online services, they may have learned that illicitly — don't trust them just because they know a lot about you. Similarly, if someone contacts you who claims to be connected to a friend of yours, and “proves” it by mentioning private information about that friend, keep in mind that they may have stolen that private information.

(3) If you are continuing to use LastPass, change the master password to your password vault, so updated information it contains won’t be accessible to the hackers if they should be able to figure out your master password using the data they’ve already stolen. If you use any password service, change your master password for that service if it isn't highly secure — 12 characters or more, and not guessable (doesn't include your birthday, Social Security number, street name or address, pet name, school you went to, common words, etc.). Some rules for strong passwords are provided here.

(4) If you have insecure passwords on any of your online accounts, change them. If you are a LastPass customer, change the passwords on your most critical accounts (banks, credit cards, utilities, government log-ins, etc.) within the next few weeks, and all other accounts over the next few months. It’s a pain, but not nearly so much of a pain as having your money or identity stolen. Keep in mind there is no such thing as an “unimportant” online account — nearly any account can be used to pose as you and trick your friends, for example.

(5) If you re-use the same password on multiple accounts, change them to unique passwords. That way, if someone steals or guesses your password on one account, they won't be able to access others. With the recently revealed LastPass hack, criminals now know which sites each person uses, making it easier to find all of a person's online accounts.
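As an added example, not from the original post: a small Python audit of a password-manager CSV export that does the two reviews steps (2) and (5) call for, listing the host names an attacker could read from the unencrypted URL field and the passwords shared by more than one entry. The column layout, the "http://sn" secure-note marker and the sample rows are constructed for the demo and are assumptions, not taken from the post; a real export should only ever be handled offline and deleted afterwards.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the column layout of a LastPass CSV export
# (url,username,password,extra,name,grouping,fav). The layout and the
# "http://sn" marker for secure notes are assumptions for this demo.
SAMPLE_EXPORT = """url,username,password,extra,name,grouping,fav
https://www.netflix.com/login,alice@example.com,Winter2021!,,Netflix,Streaming,0
https://myaccount.sdge.com/,alice@example.com,Winter2021!,,SDG&E,Utilities,0
https://www.humana.com/,alice.h,Summer2020!,,Humana,Health,0
https://www.wellsfargo.com/,alice.h,gU7#pq2!Lm9$wZ4e,,Wells Fargo,Banking,1
http://sn,,,Some secure note,Router password,Notes,0
"""


def parse_export(text):
    """Parse the CSV text into a list of dict rows; the header row gives the keys."""
    return list(csv.DictReader(io.StringIO(text)))


def exposed_hosts(rows):
    """Host names readable from the URL field, which the post says was stored
    unencrypted: this is the 'map' of services an attacker gets for free."""
    hosts = set()
    for row in rows:
        host = urlsplit(row["url"]).hostname
        if host and host != "sn":  # skip secure-note placeholder entries
            hosts.add(host)
    return sorted(hosts)


def reused_passwords(rows):
    """Map each password used by more than one entry to the sorted entry names (step 5)."""
    by_password = defaultdict(list)
    for row in rows:
        if row["password"]:
            by_password[row["password"]].append(row["name"])
    return {pw: sorted(names) for pw, names in by_password.items() if len(names) > 1}


def weak_entries(rows, min_length=12):
    """Entry names whose password is shorter than the post's 12-character floor."""
    return sorted(
        row["name"] for row in rows
        if row["password"] and len(row["password"]) < min_length
    )


if __name__ == "__main__":
    vault = parse_export(SAMPLE_EXPORT)
    print("Sites an attacker can see:", exposed_hosts(vault))
    print("Passwords reused across entries:", reused_passwords(vault))
    print("Entries shorter than 12 characters:", weak_entries(vault))
```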

It's a sad fact of life that these kinds of breaches will continue to happen. None of us is truly safe; but if you practice security hygiene principles like the ones listed above, you will be fairly secure. After all, plenty of people will use passwords that are easy to guess or will be too gullible on the phone. If you are more careful, and make your information hard to get at, criminals won’t waste their time on you; they’ll just move on to someone else who’s an easier mark.

More About This Incident
  • LastPass Confirms Hackers Stole Its Password Vaults — What You Should Know (HotHardware.com)
  • LastPass Password Vaults Stolen By Hackers — Change Your Master Password Now (Forbes)
  • How To Delete Your LastPass Account … and Move Elsewhere (Tom’s Guide) [Note: As I wrote above, I don’t think other online password managers are likely to be immune from similar attacks in the future]

Amazon Just Hacked Your WiFi; But You Can Stop Them

6/9/2021

0 Comments

 
Yesterday (Tuesday, June 8, 2021), Amazon hacked into your home’s WiFi network and started sharing it with the world.
 
If you have Amazon’s Ring camera or Echo smart devices connected, the company started sharing your WiFi network with your neighbors. Without asking you. Without telling you (unless you happened to notice an obscure announcement made last September.) And without paying you for the share of your Internet service it will be using.
 
The good news is, you can turn off Amazon’s hack. Instructions are below.
You’ve Been Sidewalked
 
What exactly did Amazon do? It turned on a network function it calls Sidewalk. This function uses low-power Bluetooth and a new, untested WiFi protocol called “LoRa” (I hadn’t heard of it either) to enable devices carried by anyone near your home to use your network to transmit and receive data. While Amazon says the network is secure (triple-encrypted, separate from your own data streams), nobody outside of Amazon has really had a chance to vet it before millions of customers were unwittingly sucked into Amazon’s massive experiment.
 
Sidewalk is supposed to make your life even greater by keeping your security camera working if your Internet goes down (as long as your Amazon-equipped neighbor’s WiFi is still working), support devices like Tile that help you find a lost item (if you’d attached a Tile to it), activate a CareBand tracker attached to someone with dementia, operate a Level smart lock, increase the range of these devices so they can be farther from your Internet router, and more.
Security Concerns
 

Internet security advocates were caught off-guard. “They dropped this on us,” Jon Callas, director of technology projects for the Electronic Frontier Foundation (EFF), told Threatpost. EFF hadn’t even seen Amazon’s white paper on Sidewalk’s privacy and security functions until a day before Sidewalk was switched on.
 
While Amazon says the triple-encrypted content transmitted by Sidewalk is safe from snooping, even by Amazon itself, there is much Amazon can learn from Sidewalk transmissions. Amazon can discover who's walking by your house, knocking on the door, or unlocking a door if they happen to use a Sidewalk device, or just be carrying one, PC Magazine notes. (PC’s article lists the specific Amazon devices that broadcast the Sidewalk network.)
 
PC, c|net.com, the Washington Post, and Forbes.com have all raised various potential security concerns regarding Sidewalk and have provided instructions for turning off the system. I strongly recommend doing so, at least for several months, until we know more about how secure the system is in the real world versus Amazon’s untested imagination. I also find it deeply offensive that Amazon made millions of its customers into guinea pigs for an untried technology without asking them. Such a system absolutely should be opt-in rather than opt-out (i.e., you should have to proactively give consent).
How to Turn Off Sidewalk
 

To turn off Amazon Sidewalk in your devices, you need to use the Alexa mobile app; it cannot be done from a computer. In the Alexa app, go to More (lower right corner) → Settings → Account Settings → Amazon Sidewalk. Click the toggle so it says “disabled.” PC shows these steps in an image.
 
For more information about Sidewalk, click the links in this post. And as always, please post your questions and comments below.
 
Photo illustration credits: Amazon Sidewalk image by Steve Freedkin, Your Attention, Please! communications. You’re free to use it for non-commercial purposes if you don’t remove or hide the text in the upper-right corner. Woman with red numerals projected on face by cottonbro via Pexels.


How to Secure Your Zoom Video Calls

4/4/2020

4 Comments

 

​With so many people around the world avoiding in-person contact, videoconferencing has exploded. The most widely known platform, Zoom, has come under scrutiny for its security practices (or lack of them).
 
Because we have substantial experience working with Zoom, we are being called upon regularly to help people set up Zoom, learn how to use it, and even to run complex Zoom calls for our clients. This includes maintaining security so Zoom calls aren’t invaded, spied upon, or disrupted.
 
I’m still using Zoom myself, and I believe that for most uses, the security is sufficient, if certain precautions are taken. In my judgment, it’s probably as secure as other online communications channels we all use every day — e-mail, Web forms, online calendars, and other tools. I certainly don’t agree with the harshest critics, who say things like, “Zoom is malware” (malicious software). It is probably not suitable for highly sensitive communications that bad actors with resources might target — state secrets, for example, or the most private conversations of people like Edward Snowden. But for everyday folks who aren’t being surveilled by major governments or criminal enterprises, Zoom can be secure enough.

Here are some of the issues security experts have raised, along with what users can do about them. (Unless otherwise indicated, the in-app instructions below are for the computer version of Zoom; these controls may not be available, or may be accessed differently, on phone and tablet versions of the Zoom app. Also, some of these controls are applicable to all users, but others are applicable only to meeting hosts. If you simply join meetings but don’t have your own Zoom account, only the in-app controls are relevant to you, not the Web-site controls; it may be worth setting up a free Zoom account so you can access the Web controls, too.)
​Zoom Sharing Data with Facebook
 

Zoom made use of the Facebook Software Development Kit (SDK) for certain functions, such as being able to create a Zoom account by logging in with your Facebook credentials. Facebook’s SDK is insidious: It sends user data to Facebook. According to Zoom, “The information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names, notes, etc., but rather included information about devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.”
This is written in the past tense because once the issue was brought to Zoom’s attention, the company has removed the Facebook SDK from its software. Users will need to update their Zoom apps to get the new, more-secure version.
 
Solution: Update your Zoom software.  Updates available since mid-afternoon on March 27, 2020 remove this security hole. In fact, there have been several security updates in the past few days. I recommend updating your Zoom software manually now, on all platforms where it is installed — computers, tablets, and phones. To do so:
  • Mac/Windows: Launch Zoom, sign in if not already logged in, click your profile image near upper right, and select Check for Updates.
  • Android: Launch Zoom, then click Settings at bottom right, then About, then Version.
  • iPhone/iPad: Launch App Store, then click Search at lower right, then type Zoom in the search box at top and click Search on the keyboard, then click UPDATE at upper right. If it says OPEN instead of UPDATE, you already have the latest version.
 
I recommend checking for updates periodically, say once a week, at least on the Zoom app you use most frequently.
Keeping Calls Encrypted
 
Zoom offers what it calls end-to-end encryption. As security specialists have noted, that term connotes that Zoom cannot access the call content, but in reality, while Zoom can’t possibly monitor the zillions of sessions taking place every day, if the company has a reason to look in on you in particular, it theoretically can. That means a government agency could issue a secret National Security subpoena and require Zoom to share your calls with the government. If that is a concern for you, don’t use Zoom. (Some Zoom calls may use encryption that is set up by computers in China, according to two researchers, even if nobody on the call is in China, which could mean the Chinese government could gain access to the calls.) 
Additionally, Zoom may have access to chat messages, whiteboards, and files shared through Zoom during calls; and it is possible to share Web links in Zoom chat messages that connect to malicious sites which can then steal the user’s log-in credentials and other data. If you have a large, public meeting and want to prevent this, allow users to chat only with you, the meeting host. (In the desktop app, open the Chat window if not already opened, click the ••• box near the bottom right, and select Participant Can Chat With: Host Only.)

Partial Solution: Change Settings.
Everyone should turn on maximum encryption in most instances, which may not lock out the Zoom company itself but will protect calls from most third-party hacking. Unless you have a specific reason not to, I recommend logging into your account at the Zoom.us Web site, then under Personal in the left column clicking Settings, then under In Meeting (Basic), turning on Require Encryption for 3rd Party Endpoints (H323/SIP). Do the same under ADMIN → Account Settings → Meeting → In Meeting (Basic). If you are the administrator of this Zoom account, and your account includes other users who can also initiate Zoom calls, this will prevent them from allowing non-secure third-party connections. For most people, this won’t be relevant, but if you host a call that someone is joining from a platform other than Zoom that is compatible with Zoom, they will be required to have encryption turned on.

Zoom version 5.0, released April 27, 2020, uses stronger encryption, and it’s automatically turned on for all calls. Zoom 5.0 will be required after May 30; older versions of Zoom will no longer function, as Zoom won't accept their weaker encryption.

 
You might also want to change the settings for recording a meeting. For example, under PERSONAL → Settings → Recording, you can turn off allowing recording to the Cloud (a recording of your meeting is stored on Zoom’s computers), and turn off local recording (so participants can’t record the meeting). If Local recording and/or Cloud recording is turned on under ADMIN → Account Management → Account Settings → Recording, the host can still record. Review the other settings under Recording (both for PERSONAL and for ADMIN) and set them as strictly as is appropriate for your needs.
 
While you are in Settings, take a look through the other meeting settings and tighten up any that you need to. And before you leave the Settings, see the next section. …
“Zoombombing”: People Behaving Badly
 
As Zoom has gained in popularity and more organizations are holding meetings open to the public, a phenomenon called “Zoombombing” has been on the rise. This is where malicious individuals join a Zoom call and then display inappropriate material by sharing their screens. White nationalist messages and pornography are among the disturbing images Zoom-bombers have used to disrupt meetings. The FBI has even warned that organized groups are attacking Zoom calls this way.
Solution: Limit Screen Sharing, Control Participation. The easiest solution to the screen-sharing attack is to allow only the meeting host to share screens. In both PERSONAL and ADMIN (again, the latter controlling any other users in your Zoom account), go to Settings → Meeting → In Meeting (Basic) and set Screen Sharing to Host Only. During a meeting, you can change this on the fly. In the desktop app, click the upward chevron (^) next to Share Screen in the control bar at the bottom, then Advanced Sharing Options…, then change Who can share? as needed.

In the Web-site settings, under In Meeting (Basic), you’ll also probably want to turn off Allow removed participants to rejoin. This way, if you boot someone out of a call, they can’t come back.

Other ways to control access include turning on the Waiting Room, so new people need to be manually allowed in by a host (and it’s good to have a co-host in this case, so the host can concentrate on the meeting itself); turning off Allow participants to join before host if you don’t want to use the waiting-room feature; and locking a meeting once everyone is present, preventing anyone else from joining. (During the call, select Manage Participants from the control bar at the bottom if the participant list isn’t already showing, then under the list of participants select More v, then Lock Meeting. You can also Unlock Meeting here in case someone leaves who should be allowed back in.)

Finally, when setting up a meeting, you may want to use a randomly generated meeting I.D. if your personal meeting I.D. has been made public, so Zoombombers won’t know where to find your Zoom call. Or you can use a password, and make sure nobody has the Zoom call link except authorized participants, since the link will include an encrypted version of the password (unless you turn off that setting). Or, share the link without the password (omit the “?” and everything following it), and circulate the password separately to trusted invitees. These procedures will help keep out people who might be disruptive in other ways than screen-sharing. (Note: On April 4, Zoom enabled Waiting Rooms and passwords by default for individual and K–12 educational accounts. K–12 educational accounts cannot turn off the passwords feature.)
Zoom link with password: https://zoom.us/j/00000000?pwd=MURkQzRMR0ZpN3hjem9qc3BsclUxUT09
Zoom link without password: https://zoom.us/j/00000000
Additionally, the host can mute any participant and turn off that person’s video. Point to that person’s video box, click the ••• that appears at upper right, and choose Mute Audio or Stop Video, or do both. To prevent participants from unmuting themselves, select Manage Participants from the control bar at the bottom if the participant list isn’t already visible, then at the bottom of the participant list choose More v and select Allow Participants to Unmute Themselves to un-check it.
 
Health providers, including mental-health providers, are required to use HIPAA-compliant software for remote client meetings. (HIPAA is a federal law that mandates securely maintaining personal medical information.) Zoom offers that option with its more-expensive paid accounts. While some HIPAA enforcement is being suspended during the pandemic, I recommend providers get compliant anyway, to avoid risking clients’ information or forgetting to upgrade later. The process of becoming HIPAA-compliant with Zoom is beyond the scope of this blog. We have assisted several clients with this issue; contact us if you are interested.
Maintain Social Closeness
 
Because Zoom has become so crucial for so many during the novel coronavirus pandemic, the platform will continue to attract bad actors bent on causing trouble, so I have no doubt that more security issues will emerge. Zoom has halted all new-feature development and reassigned its engineers to security and safety matters — a prudent and responsible approach. For most of us, there is little choice but to continue using Zoom while keeping an eye on our settings and keeping the software updated; other platforms aren’t used nearly as widely, and may be less secure anyway.
Please do not let these concerns increase your isolation at home. If you are really worried about Zoom security but you still want to see the faces of other folks, you can always use Zoom for video viewing and a simultaneous phone call for your audio, with your Zoom disconnected from audio. (Click ^ next to the Mute/Unmute control, then Leave Computer Audio.) Or rotate different calls among Zoom, FaceTime, Skype, and other channels, particularly for two-party calls. Don’t let the Chicken Littles of the Internet-security world suppress your mental health even further by making you afraid to have innocent calls with family and friends. We need each other more than ever right now.

Excerpts from this post have been translated into Japanese and appear on this Japanese blog page.
Photo credits, from top: Masked woman, Anna Shvets via Pexels; caution cone, Fernando Arcos via Pexels; AI woman over data, Gerd Altmann via Pixabay; meridian lines and data, Gerd Altmann via Pixabay; angry face, Gerd Altmann via Pixabay; woman near fence, Andrea Piacquadio via Pexels.

Identity Theft Scam: Don’t Fall for It!

3/12/2018

0 Comments

 
Early this morning, someone I know received an identity-theft scam e-mail purporting to be from the Apple iTunes Store, saying he needed to verify his identity.

While this particular scam message had many giveaways showing it was not legitimate, the person fell for it anyway, and the consequences began within minutes.
The initial message from the scammers is shown here. While it contains several indications that it’s not actually from Apple — a non-Apple “From:” address, poorly written text, a link that doesn't go to Apple.com — these can all be overlooked by someone who is tired, worried that their account is limited, or simply not paying close attention.

Many scam messages contain these flaws, but it is possible for a scam message to look entirely legitimate: It can have a legitimate Apple address in the From line (it's easy to fake this information), it can be well written, and the Click Here link can be made to look like it goes to a page at apple.com. So, how do you protect yourself?

One Weird Trick To Stay Safe
There is one simple step I recommend you always, always take when receiving an e-mail asking you to log in to an account (and it's not really weird; I just wrote that to get your attention). Instead of clicking a link in the e-mail to go to the log-in page, type the known, legitimate address of the page into your browser yourself.
In this case, if the person had gone to his Web browser and typed “appleid.apple.com,” he'd have known he was on a real Apple page. (All pages whose addresses end with “apple.com” are real Apple pages.)
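As an added example, not from the original post: a Python check of the two giveaways named above, the domain of the From: address and the host of the link the message asks you to click. It goes a step beyond a plain "ends with apple.com" string test, because hosts such as notapple.com or appleid.apple.com.verify-login.example would pass that test; the allow-list, the sample sender and the sample links are constructed for the demo.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domain the post names; a hypothetical allow-list for this demo.
LEGIT_DOMAINS = {"apple.com"}


def host_belongs_to(host, domain):
    """True only if host is the domain itself or a subdomain of it.
    'notapple.com' and 'apple.com.example' both fail, which a naive
    'ends with apple.com' string test would wrongly accept."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def link_is_legit(url):
    """Require TLS and a host on the allow-list for the link you are asked to click."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(host_belongs_to(parts.hostname, d) for d in LEGIT_DOMAINS)


def sender_is_legit(from_header):
    """Check the From: domain. Display names are ignored: 'Apple Support <x@evil.example>'
    is judged by the address. Since From: can be forged, passing here is necessary,
    not sufficient; failing is a definite red flag."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return any(host_belongs_to(addr.rsplit("@", 1)[1], d) for d in LEGIT_DOMAINS)


def triage(from_header, links):
    """Return the red flags for a message. An empty list means no flag was raised,
    which is not proof the message is genuine; the safe habit is still to type
    the known address yourself."""
    flags = []
    if not sender_is_legit(from_header):
        flags.append("sender domain is not apple.com")
    for url in links:
        if not link_is_legit(url):
            flags.append("link host is not apple.com: " + url)
    return flags


if __name__ == "__main__":
    # Constructed sample resembling the scam described in the post.
    print(triage("Apple <noreply@apple-id-verify.example>",
                 ["https://apple.com.verify-login.example/signin"]))
```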


What Happened To The Victim

​The victim of this scam filled in a whole bunch of personal information on a page that claimed to need that data to verify his account. This included his Social Security Number, mother's maiden name, date of birth, and credit-card information, in addition to his Apple ID log-in and password.

Within minutes, the scammers changed his Apple ID password so he couldn't get in. Now they have his contact lists and possibly all data backed up from his iPhone and Mac. He will need to recover access to his account, possibly by phoning Apple and reporting the problem.
Worse, the scammers have everything they need to perform identity theft: his name, address, Social Security Number, credit-card information, and mother's maiden name. The fake Apple page where he entered his data asks for other information an ID thief would find useful: driver's license or passport number. These are requested under the guise of Security Question answers. No legitimate site will ask for a driver's license or passport number as a Security Question item.

A victim of this scam will need to cancel the credit card, initiate a fraud alert with the credit bureaus, report the data theft at IdentityTheft.gov, and watch for instances of the thieves using his information for harm. It is possible they will use his e-mail to send out spam, including the spam that tricked him; they may also use the information they've gathered about him to rob his friends (e.g., by e-mailing them that he needs them to send an immediate loan because he is abroad and has lost his passport, which they can do convincingly because they have a lot of info about him that they can use in an e-mail to make the request seem genuine).

So, once again, what’s the one thing you can do to always avoid falling for this kind of scam? That’s right: Instead of clicking a link in the e-mail to go to the log-in page, type the known, legitimate address of the page into your browser yourself.
If you want to do a good deed for the community-at-large, report these scams when you get them. You can report them at:
  • https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en (do this one first)
  • https://submit.symantec.com/antifraud/phish.cgi
  • Forward the e-mail as an attachment (instructions here) to: is-spam@labs.sophos.com
  • Report the site by sending its Web address to: phishing-report@us-cert.gov

KRACK and ROCA: Monster data security flaws

10/16/2017

0 Comments

 
Data tunnel stylized image, public domain (from DARPA), illustrating the KRACK and ROCA data security flaws announced Oct. 16, 2017
Monday, Oct. 16, 2017, 9:50 p.m. PDT — Internet security experts are calling today “Black Monday” because two huge, worldwide Internet security flaws were announced today.
 

KRACK Attacks
 
First, and getting the most attention: A security flaw dubbed “KRACK” (Key Reinstallation Attack) affects most modern devices that connect to the Internet via Wi-Fi. Discovered by Belgian researchers, KRACK is a shortcoming in WPA2 (Wi-Fi Protected Access version 2), the standard protocol for secure wireless connection. It would allow a hacker situated in the vicinity of a wireless device to intercept its communications with the Internet and decipher them.
 
The good news is that the hacker must be near your device. So, the chance that you could be subject to such an attack at home or in a business’s office (other than a shared workspace) is quite slim. Hackers are more likely to go after specific targets or to situate themselves in target-rich locations like libraries, cafés, hotel lobbies, and other locations where many users would be connected to WiFi at once.
 
The vulnerability rests not on the wireless access point (the network router or modem), but on the devices connected to it — your computer, smartwatch, smartphone, wireless printer, NEST devices, Amazon Echo, Google Home, Net-connected television, and everything else that connects to the Internet. As security updates to the software of these devices become available, they should be installed promptly.
 
Some systems will update automatically when the manufacturers “push” out the security patch. Others will notify you when an update or patch is available. Most likely, you will be asked to update the operating system — Windows, MacOS, iOS, Android, etc. (Apple’s iOS and MacOS are considered somewhat less vulnerable, as is Microsoft Windows. More vulnerable: Android, Linux, some other systems.)

Green button with WiFi symbol, public domain (via openclipart.org), illustrating security steps to take to protect your Wi-Fi devices.
Here are my recommendations for dealing with this issue:

  1. Make sure the operating systems of your devices are updated. When you are notified that an update is ready, install it without delay. (The status of such updates for many manufacturers is listed at the bottom of this article. Some already fixed the problem as early as July 2017.)
  2. Limit your activity on public Wi-Fi networks, particularly in locations where many people are connected simultaneously (a target-rich environment for hackers). In particular, avoid conducting secure communications such as banking, or anything requiring logging in to a site or service with a password.
  3. Consider turning off Wi-Fi on your smartphone when not connected to your home or (unshared) office network. Your cellular company’s data uses different encryption protocols than WPA2, and is not subject to the same vulnerability.
  4. I have previously recommended using Signal by Open Whisper Systems (recommended by Edward Snowden!) for encrypting texting; Signal also now offers reasonable quality encrypted voice calling, and various extras like the option to set text messages to disappear after a time period you specify.
  5. If you must have secure Web communications, install Virtual Private Network (VPN) software, which applies its own encryption to all data transmitted over Wi-Fi. Even if someone intercepts your signal and uses the KRACK hack to break WPA2’s encryption, all they’ll get is unreadable data scrambled by the VPN’s encryption. VPN apps are available for various computers and smartphones. I have a VPN on both my Mac laptop and my Android phone. For a basic primer on what VPN is, see VPN for Beginners. For ratings of some VPN services on a 5-point scale, see The Best VPN Services of 2017 from c|net. VPN may slow you down a bit as it launches, and some VPN services have slow data transmission because they’ve been overwhelmed with new clients since the current Administration was inaugurated in Washington as activists and plain old citizens became concerned about the risk of greater government intrusion into their private communications. Many VPN services can also be set to disguise your location, too. (Right now, the Internet thinks I’m connecting from a spot several thousand miles away from my actual location.)
 
 
ROCA Rolls
 
A second security flaw announced Monday, ROCA (Return of Coppersmith’s Attack), is dubbed “worse than KRACK” by some writers. This flaw affects encryption in critical applications, such as for national identity cards, software “signing” (by which the genuineness and security of software is confirmed), digital-signature documents, and protections for government and corporate computers.
 
You may have heard of “public-private key encryption.” This is a scheme in which data is encrypted using two “keys,” or strings of data: one public, one private. If I send you a message, I encrypt it using your public key, and you decrypt it using your private key. This is secure only if a person’s public key can’t be used to figure out that person’s private key, which was believed to be the case — until ROCA, which enables an attacker to figure out your private key from your public key when the key was generated by one of the affected chips.
 
Versions of public-private key encryption are used in many protocols for secure Internet communications.
 
What you can do (the second and third of these are fairly technical; if you don’t understand them, they probably don’t apply to you):

  1. If you are asked by the issuer to replace a chip card (such as a credit card or secure ID card) or another device that uses encryption, do so promptly.
  2. If you have set up your own public-private keyset, using software like PGP or GPG, test your public key to determine whether it’s vulnerable. If it is, expire that key and create a new key, then share it with everyone who has your old key. (“Keys generated with OpenSSL, PGP-compliant programs, and other similar programs aren’t affected by ROCA. However, those that rely on embedded chips or smart cards for cryptographic functions may be vulnerable,” according to WCCFtech. GPG is PGP-compliant.)
  3. Counterintuitively, it appears that 3072-bit keys are harder to crack than the longer 4096-bit keys. If creating a new key, keep this in mind. However, you may want to do your own research before you choose a key size; it’s possible the advice regarding ROCA will evolve over the coming days, as this is new information in the public realm.
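How a public key can be tested for the ROCA fingerprint, as an added Python example that is not from the original post and not the researchers’ published tool: it builds a toy modulus with the Infineon prime structure, checks whether a modulus’ residues modulo small primes all lie in the subgroup generated by 65537, and shows that an ordinary modulus is not flagged. The small prime list, toy key size and the Mersenne-prime modulus are constructed for illustration; the real detector uses primes up to 167 and far larger key sizes.

```python
"""ROCA fingerprint check (added example, not from the original post).

Keys from the affected Infineon library have primes of the form
    p = k * M + (65537 ** a mod M),   M = product of the first n small primes,
so the modulus N = p * q satisfies N ≡ 65537 ** (a + b) (mod every prime in M).
The published detector exploits this: for each small prime r, N mod r must lie
in the subgroup generated by 65537 mod r, i.e. N ** ord_r(65537) ≡ 1 (mod r).
A random RSA modulus satisfies that only by chance.

Toy sizes here: M is the product of the first 12 primes (about 2^43) so a
vulnerable-shaped key can be built offline in milliseconds.
"""
from math import prod

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
# 2 carries no information (every odd N ≡ 1 mod 2), so fingerprint on the rest.
FINGERPRINT_PRIMES = SMALL_PRIMES[1:]
E = 65537  # the public exponent the affected library used


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 primes as bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for base in SMALL_PRIMES:
        x = pow(base, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def multiplicative_order(g: int, r: int) -> int:
    """Smallest t > 0 with g**t ≡ 1 (mod r), for prime r not dividing g."""
    t, x = 1, g % r
    while x != 1:
        x = x * g % r
        t += 1
    return t


def is_roca_fingerprint(n: int, primes=FINGERPRINT_PRIMES) -> bool:
    """True if n mod r lies in <65537> for every fingerprint prime r.

    With these 11 primes a random modulus is flagged with probability about
    1/480 (only 11, 13, 17, 19 and 37 discriminate); the published prime list
    up to 167 makes false positives negligible.
    """
    for r in primes:
        if pow(n, multiplicative_order(E, r), r) != 1:
            return False
    return True


def make_toy_roca_modulus(a: int, b: int, bits: int = 64) -> int:
    """Constructed vulnerable-shaped modulus: p ≡ 65537^a, q ≡ 65537^b (mod M)."""
    m = prod(SMALL_PRIMES)

    def prime_in_class(residue: int, k: int) -> int:
        # walk k upward until k*M + residue is prime (residue is coprime to M)
        while not is_probable_prime(k * m + residue):
            k += 1
        return k * m + residue

    k0 = (1 << (bits - 1)) // m  # start so that p and q have about `bits` bits
    p = prime_in_class(pow(E, a, m), k0)
    q = prime_in_class(pow(E, b, m), k0 + 1000)  # separate k range so p != q
    return p * q


# Constructed non-ROCA modulus: product of two Mersenne primes (not a real key).
ORDINARY_MODULUS = (2**31 - 1) * (2**61 - 1)

if __name__ == "__main__":
    toy = make_toy_roca_modulus(a=5, b=9)
    print("toy Infineon-style modulus flagged:", is_roca_fingerprint(toy))  # True
    print("ordinary modulus flagged:", is_roca_fingerprint(ORDINARY_MODULUS))  # False
```

To check a real key, pass its modulus as an integer and extend the prime list toward 167 as the published detector does; a flagged key should be expired and replaced as the post advises.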

New/Not New animated GIF image, based on public-domain image (openclipart.org), illustrating that the KRACK and ROCA security holes are newly announced but not newly discovered. Animated GIF by Your Attention, Please! communications (Web developer).
New/Not New
 
Although these security flaws hit the technical press on Black Monday, neither is really a new discovery. The paper outlining KRACK was submitted for peer review in mid-May, and vendors were warned at that time. The ROCA vulnerability, found in chips manufactured starting in 2012, was discovered in January 2017, and reported to chipmaker Infineon, maker of the Trusted Platform Module (TPM) security chip containing the flaw, on Feb. 1. The TPM is used in business-class HP, Lenovo, and Fujitsu computers, as well as Google Chromebooks, routers, and “Internet of Things” devices (such as home controllers and security systems that can be monitored online).
 
So why are we just learning of these today? For one thing, the researchers who discovered these flaws wanted to give manufacturers a head-start in fixing the problems before hackers learned the details.
 
Why today, then? I can only speculate. It may be that these are being publicized now to prod companies to get moving on solutions; after all, it seems they’ve had plenty of time by now, and have not done much, as a group. Perhaps the release is intended to create “buzz” before researchers present their findings at a computer security conference Nov. 1–2.

Pink fading interrobangs © 2017 Steve Freedkin/Your Attention, Please! communications, illustrating the puzzle of how to deal with Internet security problems today.
Meaning of It All
 
We are in a brave new world. The advent of e-mail brought with it the scourge of spam. The World Wide Web brought phishing sites — Web sites that pose as log-in portals of banks and other vendors to dupe you into entering your passwords. The last year or so has brought a third wave — hacking of major institutions, such as the stealing of information from all Yahoo user accounts. Now, deeply embedded security protocols are at risk.
 
We have a choice to make: Accept the convenience and, sometimes, necessity of maintaining sensitive information in digital venues that can be hacked, or store them offline — on paper or on devices that aren’t connected to the Internet. If we choose the former (and most of us will), we need to become more knowledgeable about online security and act accordingly. There is no such thing as absolute security. KRACK and ROCA make that abundantly clear.


Pink fading interrobang image © 2017 Steve Freedkin/Your Attention, Please! communications. New/Not New image based on public domain image.
Other images are in the public domain.

0 Comments

The Equifax Hack: How To Protect Yourself

9/13/2017

4 Comments

 
Updated 10/6/17 — added reference and links to people facing delays buying iPhones because of their credit being frozen
Updated 10/4/17 2:44 p.m. PDT — updated info on TransUnion’s TrueIdentity free credit freeze; reply to reader comment about a fourth credit bureau, Innovis.
Updated 9/15/17 5:49 p.m. PDT — new date for expiration of free credit-freeze offer from Equifax
Updated 9/14/17 5:07 p.m. PDT — New Info re TransUnion’s TrueIdentity program


It’s almost certainly the worst data breach in U.S. history in terms of the amount of damage likely to be done and the number of people likely to be hurt. Hackers have stolen the sensitive personal information of 143 million U.S. consumers (plus an undisclosed number of Canadian and U.K. residents) from Equifax, one of the “Big Three” credit-rating bureaus (the other two being Experian and TransUnion). 
What Was Stolen, When, and Why

 
The amount of data isn’t the main issue, though; it’s the types of information they got, including Social Security numbers, birthdates, home addresses, driver licenses, credit-card documents, and other sensitive personal information that can be used to steal your identity; open accounts in your name; file false tax returns in your name and steal your tax refunds; ruin your credit; and more. As USA Today noted in a blistering editorial, “A breach at one of the nation’s three major credit bureaus is far more dangerous than the typical retail credit card breach. It's easy enough to get a new credit card, but you can’t change your birth date or easily get a new Social Security number.”
The hack probably was made possible by Equifax failing to patch security holes in its software, security expert and former Homeland Security official Paul Rosenzweig writes in Scientific American. “The real loser here is you and me. We have no privacy left.” And, he adds, the cost of protecting our data is increasingly borne by us, the consumers, not the companies that hold the data. (This is not the first time Equifax has been hacked due to lax security, victims allege.)
 
The hack occurred beginning as early as mid-May. Equifax didn’t discover it until July 29, and didn’t make it public until Thursday, Sept. 7. During the interim, three top Equifax officials sold off millions of dollars worth of company stock. The company claims the executives — its Chief Financial Officer, U.S. Information Solutions President, and Workforce Solutions President — were unaware of the data breach that had been discovered a few days before they sold those holdings.

Equifax Compounds the Problem
 
After revealing the breach, Equifax made the situation worse by urging people to sign up for a free year of a credit-monitoring service (far short of what’s needed), after which they would be prompted to pay for continuing the service. The Web site Equifax set up to supposedly tell you whether your data was stolen and to sign up for the free year of monitoring itself has security flaws. Moreover, when registering to find out whether your data has been stolen, you can get different answers with the same information entered on different Web browsers; in tests, entering nonsense information (“123456” for Social Security number, “Test” for name) produced a message saying your data might have been affected. (The site is EquifaxSecurity2017 — I do not recommend registering at that site.) My recommendation: Assume your data was stolen, and act accordingly. Even if you weren’t a victim in this breach, taking action now may protect you against the next one.
Perhaps worst of all, for the first couple of days, the site’s Terms of Service contained a clause that said by signing up for the free monitoring, users were giving up their right to sue over the data breach. That “binding-arbitration” clause has been removed as of this writing, but people who signed up before it was removed may need to write to Equifax within 30 days of signing up to get their legal rights back. (Write to Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out, P.O. Box 105496, Atlanta, GA 30348, including your name, address, and Equifax User ID, as well as a clear statement that you do not wish to resolve disputes with Equifax through arbitration.)


What You Need to Do
 
I won’t mince words. This is very bad. It’s not possible to put the genie back into the bottle: Your information is out there, criminals will try to use it, and there is no 100% secure defense.
 
But there are things you can do to make yourself a less-easy target. With luck, that will prompt the bad actors to move on to someone else and leave you alone.
 
Based on recommendations from sources I trust, here are steps to take:
1. Freeze your credit

The best, most effective action you can take is to place a security freeze on your credit files at the Big 3 bureaus, according to Consumer Reports and others. This will block most requests for your credit information, preventing thieves from setting up new accounts in your name. You must do this with all three credit bureaus, and there is a charge (varies from state to state, typically $10, waived for verified victims of ID theft and often reduced or waived for people 65 or older). Note that if you want your credit report shared — to open a new account, get a new job, rent a new home, make a major purchase — you will need to lift the freeze temporarily or permanently or just for the specific inquirer, which may involve additional fees. (Some people trying to buy the new iPhone (including as upgrades), for example, have been delayed because they needed to unfreeze their credit first.)

It’s a pain, and can get expensive, but not nearly as painful or expensive as having your identity stolen, which can be very costly and take years to unravel. Order separately at Equifax, Experian, and TransUnion. (I was unable to freeze my credit with Experian online or on the phone; I am required to send a written request by certified or overnight mail.)
Free alternatives: Equifax is waiving its fee for credit freezes through Nov. 21; I've frozen my credit report with that company.

TransUnion offers a free alternative to credit locking called TrueIdentity. It lets you lock and unlock your credit report at will. TrueIdentity seems as useful as a credit freeze without the fees and with less hassle. I haven’t been able to find any reliable reviews of the service, but it’s what I’m doing for the time being.

Some drawbacks, which weren’t dealbreakers for me: After creating my account on Sept. 14, 2017, I kept getting log-in errors, even after I had supposedly successfully changed my password. That night I got an e-mail from TransUnion with the Subject "You're In!" with small print saying I’d be charged $19.95/month. I phoned the next day; the customer service representative fixed the problem with my login, and then confirmed I wasn’t signed up for any services that cost money. (Apparently, the e-mail was a mistake.) As of Oct. 4, I haven’t been charged anything. I don’t like that the sign-up process required giving my mobile phone number; I gave my voicemail number instead. The agreement for the service says I “agree to receive targeted offers by TransUnion and other parties in exchange for receiving the product at no charge” (another good reason not to give my actual cell number); I can deal with that. It also requires binding arbitration of disputes, not as crucial an issue for a free product, but I’ll exercise my right to reject binding arbitration anyway. (“Within 60 days of signing up, write to TransUnion Interactive, 100 Cross Street, Suite 202, San Luis Obispo, CA 93401 with your current username and a clear statement of your intent, such as I reject the arbitration clause in the TransUnion Interactive Service Agreement.”)
TransUnion does offer the paid Credit Freeze option, too. And remember: This option must be requested from each of the three credit bureaus, so the one-time cost could be $20 total ($10 each from TransUnion and Experian, with Equifax waiving its fee until Nov. 21, 2017).
2. Initiate a fraud alert
 
This is a free option, and easier than a credit freeze, though it provides weaker protection. You sign up at just one of the three credit bureaus; they are required to notify the other two. I did mine at Experian (not trusting Equifax to keep anything secure right now).

A fraud alert lasts 90 days and can be renewed. When you sign up, put a note in your calendar every 90 days to renew it.
 
A fraud alert can make it harder to open new accounts in your name, according to the Federal Trade Commission (FTC). Businesses “see a ‘red flag’ on your account and know to take extra steps to verify your identity.” Of course, thanks to Equifax’s security breach, a thief may be able to answer a business’s questions correctly; a savvy business will try something like phoning you at the number shown in your credit report. (The thief may have your phone number, but probably doesn’t have your actual phone.) A fraud alert entitles you to a free copy of your credit report (though you may already have one coming — see next section). A fraud alert is probably unnecessary if you’ve ordered a credit freeze from all three bureaus.
 

3. Review and correct your credit report
 
By law, you are entitled to review your credit report from each of the three bureaus once a year at no charge. This doesn’t include your credit score — the numerical ratings that indicate how credit-worthy the companies think you are — but it does include all of your credit accounts and their current payment status, as well as your address and other identifying information. Best practice is to request the free report from just one of the credit bureaus every quarter, so you can keep on top of the info without paying for additional reports. For example, check Equifax’s now; Experian’s in four months; TransUnion’s in eight months; and then in a year, you’ll be due for another free report from Equifax. If you’ve recently requested your free report from any or all of the bureaus, filing a fraud alert (see previous section) apparently entitles you to a new free report.
 
If you find anything amiss, follow the bureau’s procedures for correcting the information. That will also help protect against the Equifax hack because your information will now be different from what the thieves stole, which may result in failure when they try to steal your identity later.
 
The official Web site for requesting your free report is annualcreditreport.com. Imposters are legion, and may come with strings attached or even be fraudulent; use only this site, which is sponsored by the three bureaus and recommended by the FTC.

4. Review your accounts regularly
 
It should go without saying that this breach makes it all the more critical to carefully review credit and bank accounts as well as other financial statements (e.g., mortgage bills) immediately upon receipt to make sure there are no fraudulent transactions. Particularly with credit accounts, reporting fake charges promptly is necessary if you don’t want to be held liable for them. 

I check my accounts at least weekly online to make sure nothing is amiss. (Don’t log in on a public wireless network unless you use a VPN — virtual private network — to shield your data, and make sure your computer has up-to-date antivirus software to make sure nobody is spying on you when you type in your passwords. And, of course, have strong passwords, and a different one for each account; if one account is breached by hackers, they won’t automatically be able to get into others.)

5. File your taxes early
 
One way identity thieves profit is by filing a tax return in your name and then collecting your refund. To reduce the chance of this occurring, file your tax return as early as you can, improving the chance that yours will be filed before someone else submits a fake one in your name.
 
 
The Way Things Are Now

I have already seen reports from several friends that their credit-card accounts have been hacked in the past few days. While I can’t say for sure this is a result of the Equifax calamity, it’s quite plausible.
 
This is all a massive pain, and we’re just getting started. I’m sorry to say, this breach represents the shape of things to come. If you have been lax about online security until now, it’s time to “harden your defenses,” knowing that nothing will keep you entirely safe, but at least you can reduce the likelihood you’ll be subjected to headaches and heartache down the road.
4 Comments

Two New Online Threats: Fake "Tech Support"; WordPress Hack

2/9/2017

2 Comments

 
Screen Image of Adware Site
Visiting a mistyped version of "squarespace.com" leads you to one of several scam sites. This one purports to download an update of Adobe Flash Player (even if you click "Cancel"), but the installer actually includes numerous pesky "adware" programs that fill your screen with pop-up ads and are very hard to uninstall.
 Just today, two new malicious online attacks came to our attention. One was discovered by Wordfence, the security service we use to protect clients' WordPress sites. The other was first encountered by one of my clients due to an unfortunate typographical error.

Fake Squarespace Site / Fake Download / Fake Tech Support

One client tried to visit Squarespace today to update her Web site. She got a pop-up warning her that something was wrong with her account and directing her to call a toll-free number, which she did. The person at the other end attempted to persuade her to give him remote access to her computer. She declined, but she kept getting the pop-up warning. When I examined her computer, I found (as I had guessed) that she had mis-typed "Squarespace" — she had scrambled a couple of the letters, which led her to a site whose name was almost Squarespace, but which was actually a scam site.

Visiting the scam almost-Squarespace address causes the Web browser to redirect to one of several different scams. One site contains the admonition to call that toll-free number. Another displays a fake pop-up window that says you need to update Flash Player on your computer. (Flash Player allows the display of certain animated and interactive content on Web sites.) Clicking "cancel" still causes a download to begin. The small print at the bottom of the page says the installer will also include pesky "adware" programs that threaten your computer security and are hard to remove.

We've reported the fake almost-Squarespace address to Squarespace (which was not aware of it when we first reached out), Google, Sophos Antivirus, Firefox/Mozilla, StopBadware, and the Federal Bureau of Investigation.

The fake tech-support scam is quite widespread and dangerous and its perpetrators are very persuasive — so much so that even I fell for this scam a few months ago. I allowed the criminal at the other end to access my computer; when I noticed that he was rooting around in my private files, I turned off my WiFi (the only way to boot him off of my machine) and deleted the software that let him control my device. He phoned me several times attempting to persuade me to grant him access again, until I told him I had reported him to the FBI. (I reported the almost-Squarespace scam to the FBI tonight, and to Google, Firefox, Sophos, and other services that block scam sites.)

Often, these fake tech-support folks reach out to victims by telephone, saying they are from Microsoft Support or something similar and that they have detected a virus on your computer. My partner has gotten several such calls at her office. In fact, this scam is widespread enough that the Federal Trade Commission has published an alert about it. If anyone calls you, or you get an e-mail or on-screen pop-up, claiming your computer is infected, that is almost certainly a scam. Almost all infection monitoring is done by software installed on your computer, not remotely. (If you'd like, I can help you install and update security software, identify and get rid of infections, and fix other technical issues.)


WordPress Hacking/Defacement

Meanwhile, we learned today that hackers are on a tear defacing WordPress Web sites — one source says more than 60,000 sites have been defaced, and another says more than 1.5 million pages on 39,000 sites have been messed up just this week. The attackers are using a vulnerability that was fixed in WordPress 4.7.2. If you have WordPress 4.7 or above, it probably has automatically updated itself to 4.7.2, but earlier versions may not auto-update. Check your WordPress version (log in to your site's dashboard and click the WordPress "W" icon at top left); if it's older than 4.7.2, you'll want to update, but first back up your current installation, because sometimes updates will cause your Web site to go offline and there may be no ready way to recover it other than to reinstall the older version, then fix the problem there before updating again. (Some Web hosts automatically keep nightly backups for you, either as part of the basic service or for an extra charge.) I can help with these issues if desired.

I am currently booked solid with tight-deadline projects for several clients, so unless you are facing an immediate problem (infected computer or defaced Web site), it may be a week or so before I can get to you, so if you will want my help, I recommend reaching out soon to get on my calendar.

2 Comments

Latest Hacker Actions Underscore Our Vulnerability

9/18/2016

0 Comments

 
Uh-oh. Hackers have published the coding they used to launch a gigantic attack against the Web site of an Internet security journalist. The malware (malicious software) uses the “Internet of Things” — Web-connected cameras, thermostats, and other devices, which are often poorly protected — to send overwhelming traffic to the targeted Web site, causing it to slow down or become entirely unavailable. The attack was so huge that the massive Akamai network stopped hosting the security site (which it had previously hosted as a public service), fearing future attacks would overwhelm even it. The security site was picked up by Google, which has the power to repel such massive attacks — for now.

Experts say the release of this coding may lead to many more attacks on Web sites. It also seems to have prompted manufacturers to start tightening security on “Internet of Things” (IoT) devices: The hacker who released the code said the number of devices it can control through one system has dropped by more than 20% recently.

The vulnerability of the Internet to hacking by malicious countries (Russia has been attacking all over the place lately, including targets related to the U.S. Presidential election), criminal enterprises, or even a single individual should set off alarm bells. We are reaching a critical juncture where the future of our connected world is looking increasingly fragile. Governments and private enterprise need to greatly step up the resources they put into online security, and that includes makers of stuff that connects to the Internet.

At our office, some of the items connected to the Internet are our electric power (including our solar panels), our computers of course, our system for listening to music and accessing radio (except our emergency hand-cranked radio). Beyond that, the utility power grid, the city's water and sewer system, and probably all communications systems are potentially vulnerable. You may be even more connected — does your refrigerator use the Internet to report energy usage or compile your shopping list?

Here in California, we all are advised to keep earthquake supplies on hand, including enough food and water to last at least several days. Former "Nightline" host Ted Koppel warns, in a book published almost a year ago, that we should all be prepared to do without the electric grid for months, not just days or weeks.

In the meantime, I recommend we all contact our elected officials and ask what they are doing about our increasing vulnerability to cyberattacks, without compromising our privacy. After all, if laws are passed requiring that security and encryption systems contain “back-door keys” the government can use in criminal investigations, for example, you can bet hackers will be stealing and using those keys, while terrorists and crime syndicates will just apply their own encryption that has no such keys. Such systems would decrease our security without affecting determined bad guys.


0 Comments

iSpy with My Little eye (phone) …

9/18/2016

1 Comment

 
Stylized image of computer hacker. Source: https://commons.wikimedia.org/wiki/File:Syrian.hacker.jpg
Two items in the news recently, taken together, underscore the threats being targeted at our computers and devices — and that Apple products, not just Windows, are now being targeted by sophisticated operatives.
 
First is a story from c|net, a top-notch source for technology news, reporting the first instance of fully functional “ransomware” that attacks Macintosh computers being found “in the wild.”
 
Since I like to say “we speak human,” let me unpack those computerese terms.
 
“Ransomware” is software that scrambles (encrypts) your files, and the criminals behind the software demand you pay a ransom to get your files unscrambled. The encryption is strong enough that it’s effectively impossible to unscramble the files without the key held by the criminals. The scrambled files are useless.
 
“In the wild” means that the ransomware has been discovered circulating on the Internet, not just among security experts. In other words, you could become a victim.
 
Until now, ransomware was designed to attack Windows computers. With Windows running nearly 90% of all computers, versus about 5% for Macintosh, criminals generally haven’t felt it was worth their while to write software that attacks Macs.
 
C|net’s Claire Reilly was a bit sensationalist in starting off her report with, “Sorry, Mac fans. Now you're no better off than regular old PC users.” One ransomware program is nothing compared to the thousands upon thousands of malicious programs unleashed upon Windows. Still, the amount of damage that could be done by the Mac ransomware program, nicknamed KeRanger, is substantial: There were signs that a new version under development would also scramble users’ Time Machine backup files, leaving them with only two options: Lose everything, or pay the $400 ransom.
 
If you have Mac computers, you are unlikely to be infected though, because it appears KeRanger was circulated via a corrupted version of a program called Transmission that was available for download only on March 4 and 5. The Transmission team removed the infected software from their site soon after it was placed there, and within days, Apple made changes that automatically prevented KeRanger from running on Macs. (This was an instance where Apple could block the malicious software without users needing to do anything; often, it’s necessary to update your system software to close security holes.)
 
Although KeRanger surfaced six months ago, it has popped up in technical news lately along with another recent report, this one about software that can see and record everything on an Apple iPhone. An Israeli firm, the NSO Group, sells that software. With a price tag of $650,000, NSO’s spyware has been bought by governments around the world. It came to light last month when attackers tried to install it on the iPhone of a human-rights activist in the United Arab Emirates and on the iPhone of a Mexican journalist who wrote about government corruption.

Docked iPhone. Source: https://commons.wikimedia.org/wiki/File:Original_iPhone_docked.jpg
The attack on the UAE activist came in the form of a text message urging him to visit a Web site for information about human-rights issues. Suspicious, he instead sent the text to security experts, who followed the link and found that the Web site would automatically download NSO’s software onto any iPhone that visited the site.
 
You may not be a human-rights activist in a country where you legitimately should fear your government, but that doesn’t mean you’re immune. A price tag of $650,000 isn’t too high for a criminal enterprise that wants to steal credit-card information or bank log-ins.
 
Two computer-security operations, Citizen Lab and Lookout, figured out how NSO is able to infect iPhones and alerted Apple, which patched the vulnerabilities in its update to iOS 9.3.5. As Lookout* writes, “All individuals should update to the latest version of iOS immediately. If you’re unsure what version you’re running, you can check Settings > General > About > Version.” This is a case where you may need to take action to keep your device safe. (*I have used Lookout software for a few years now.)
 
The lessons here:

  1. Never click links in text messages or e-mails unless you are expecting that information, even if the message looks like it comes from someone you know and trust. The “from” line of a message can be faked (“spoofed”). To visit a Web site you trust, type its address into your browser rather than clicking a link in a message; links in e-mail can be made to disguise their true destinations. 

  2. Keep your software updated, especially system software (for example, Mac OS, Windows, or Linux on your computer; iOS, Android, or Blackberry OS on your phone).

  3. If you suspect your device may be infected — it slows down dramatically or behaves in other unexpected ways — you might want to have an expert check it out. I am happy to do a security scan, as are most computer repair and service providers. However, don’t trust a Web site to do such a scan unless you confirm it’s legit (I can point you to trustworthy sites); some sites masquerade as security scans, but use the access you grant them to actually install malicious code.
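Lesson 1 says that a link in an e-mail can show one address while pointing at another. As an added illustration (this is not code from the post; the HTML message, the bank name and the host names in it are constructed for the example), the following Python script pulls every link out of an HTML message body and flags the ones whose visible text looks like a Web address but whose actual destination host is different. It is the kind of check a mail filter or a cautious reader can run before clicking.

```python
"""Flag HTML links whose visible text points one place and whose href points another.

Added example, not from the original post. The sample message and every host name
in it are constructed; they do not refer to any real site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first link shows a bank address but leads elsewhere;
# the second uses plain words; the third shows and links the same host.
SAMPLE_HTML = """
<p>Your account needs attention. Please sign in at
<a href="http://login-verify.example.net/session">https://www.examplebank.com/login</a>
or review the <a href="https://www.examplebank.com/help">help center</a>.</p>
<p>Also see <a href="https://www.examplebank.com/faq">www.examplebank.com/faq</a>.</p>
"""

# Matches link text that looks like a URL or bare domain; group 1 is the host part.
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _normalize_host(host):
    """Lower-case the host and drop a leading 'www.' so display and href compare fairly."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def link_host(url):
    """Return the normalized host an href really points at ('' if it has none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return _normalize_host(parsed.hostname or "")


def find_deceptive_links(html):
    """Return a list of links whose shown address and real destination host differ.

    Links whose text is ordinary words ("help center") cannot be compared and are
    skipped; only text that itself looks like an address is checked.
    """
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        match = _URLISH.match(text)
        if not match:
            continue
        shown = _normalize_host(match.group(1))
        actual = link_host(href)
        if shown != actual:
            findings.append({"shown": text, "actual_host": actual, "href": href})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_HTML):
        print(f"link text shows {finding['shown']!r} but goes to {finding['actual_host']!r}")
```

On the constructed message the script reports exactly one deceptive link, the one whose text reads as the bank's address but whose href goes to a different host. The comparison is deliberately strict: a link whose text shows a bare domain but whose href goes to a subdomain of it is also reported, which errs on the side of asking the reader to look rather than silently passing it.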
 
Bottom line: When in doubt, check it out.


“I Used To Get Lots of Prospects, but Now…”

8/26/2016

Are fewer people finding your Web site? Time to refresh your search-engine standings. We can help you show up earlier in Google searches (and Yahoo, Bing, others).
“What happened? When I launched my Web site I got lots of inquiries, but now it has slowed. I thought it was SEO’d — Search Engine Optimized!”

This is a common experience among Web-site owners, including my clients. After launching a new or redesigned site with all the right stuff in terms of SEO (that is, designed to show up near the top of results when people search for what you offer using Google or other sites), you might get a whole bunch of inquiries from people who find your site online. But later, you find it slows down. How come?

SEO, it turns out, is an ongoing program, not a one-time project. There are several reasons:

  • Your competitors are also trying to get found, and as they improve their own sites’ SEO, they may show up before you, pushing you further down the page or onto a later page.
  • Search engines like Google are constantly refining and revising their algorithms, which might help you or hurt you.
  • If your site is fairly static — that is, it’s not updated very frequently — it may appear “stale” to the search engines compared to another site that is regularly updated with new information.
  • Language shifts over time, and a term that was popular when you launched your site might be used less often in searches today, while other terms might come to the fore. For instance, a few years ago, people seeking pain relief or psychological counseling may have been unlikely to search using the term “neuroplasticity,” but that has become a hot topic of late, so some of my Web clients have been making sure their sites include that word.

Search the Internet to see whether your Web site shows up well. We can help you get better results using SEO (Search Engine Optimization).
How do you know whether your SEO is up-to-date or falling behind? One way is to conduct some sample searches on terms you think your prospects might use. For example, if you search Google for “neuroplasticity pain Berkeley,” three of the top five results will be from medicalcounseling.net, my client whose site emphasizes the term, which is a good result. If, however, you conduct a search relevant to your business and your competitors show up first in the results, you can examine those competitors’ Web sites to see how they make that happen. In the above example, if you visit medicalcounseling.net, you’ll see that “neuroplastic” or “neuroplasticity” appears several times on the home page, as does “pain.” “Berkeley” appears twice in the footer, the text at the bottom of every page. That’s important, because people very often search for services near them, and often it is difficult-to-impossible to rank first in search results for a topic worldwide. (Search “neuroplasticity pain” without “Berkeley,” and my client doesn’t show up until the tenth page of results.)

Be careful, though, to make sure the terms you emphasize are genuinely related to the main topic of your site. “Keyword stuffing,” or inserting words onto your site because you want people to find you by searching that term even though it doesn’t really relate to your business, will hurt you in search results: The search engines have algorithms that watch for this strategy and will actually downgrade you for employing it.

I recommend reviewing your search standings every three or four months and adjusting as needed. This is something I do for some of my clients and would be happy to do for you, if desired. I keep on top of SEO trends and strategies, and in just two or three hours can help keep you easier to find by people who are looking for what you’re offering.


    Whozat?

    Steve Freedkin, proprietor of Your Attention, Please! communications, has a background as a journalist, nonprofit manager, activist, and entrepreneur. He works mostly with people in business for themselves (therapists, artists, consultants, etc.), for whom he provides online promotion (SEO), Web upgrades and updates, and social-media presence (LinkedIn, Twitter, Facebook, Yelp, and the like).

Your Attention, Please! communications
Web sites, social media, online promotion, computer and technical support, writing, editing, publicity, and more
Mail: 5111 Telegraph Ave. #274  •  Oakland, CA 94609-1925  •  Voicemail: (510) 595-4626  •  info@your-attention-please.com