Be Vigilant: Phishing Works

A friend writes:

I received an email from a colleague this afternoon. She uses Google Drive to send big files. The email said, “Barbara is trying to send you a file too big for email. Please sign into Google Drive.”

Not thinking that I was already signed in, I clicked and signed in, and even gave my phone number. It only took a min for me to realize what happened when I was taken to an art gallery. So I’m changing everything, all credit and bank and passwords, etc.

But I’m guessing they could have sucked every bit of data out of all my Google info in a couple of minutes. Oy vey…

It’s such a horrific — and tragically common — story these days. My friend has made the right move: Changing all his passwords, especially to all the major accounts such as Facebook, Apple, and Google, should secure him for the time being. Also, I think making sure you’re subscribed to a credit-monitoring bureau, and alerting them to such a happenstance, would be beneficial.

So just to make sure you know: Using a password manager such as 1Password [affiliat link], Dashlane, or LastPass helps immensely in these situations. You can use 1P to change all your passwords much faster than doing it manually, ensuring their all different and superlong. I even use 1Password to help me store the fake answers I create for the security questions.

iOS 7, after the folderol

Sympathy

I want to start by sympathizing with iPhone users who have been reluctant to upgrade to iOS 7, and for those who did the upgrade and regret it. They have legitimate issues, ones that can’t be lumped under a sweeping, “Change is hard.”

Many folks have suffered dramatic decreases in battery life. Some found their apps crashing, and older apps not working at all. The new animations are dramatic enough to induce vertigo. If not for those serious problems, more people might have forgiven Apple’s choosing garish colors for their app icons, and going rather overboard in the Kate Moss-ification of their interface design.

Satisfaction

Now I’ll say that I have had an almost totally satisfactory experience with the new OS. Control center saves me a ton of time, Siri feels smarter, I love knowing my phone is locked to my Apple ID, Safari works better, and Camera and Photos saw massive improvements. And the layered-but-simple interface makes the whole experience more fun, more playful.

But I got bit by the iMessages bug, and was annoyed by the fix. And I have weird problems placing the text cursor.

I would entertain the popular beef with Apple’s app icons, but I don’t use many apps by Apple. Only the ones I have to, like Phone and Messages. On my phone, I have gone into Settings > General to Reduce Motion (I wish it were more comprehensive), adjust Text Size larger (I wish more apps accommodated Dynamic Type). I tried Increase Contrast, but I prefer the new translucent effects.

I do appreciate where Apple has taken their design language, and I think they had to push it as far as they did. They had to make a dramatic point about software UI, to challenge the rest of the developing world to break out of the bubbly chains of skeuomorphism. The resulting overall look is unquestionably cleaner and more efficient. It’s also worth saying that 7 beats the current Android and Windows Phone offerings into the ground.

Conclusion

While iOS 7 does represent a marked step forward for mobile technology, those who haven’t upgraded don’t have to just yet. Apple should have an update out soon that fixes the majority of bugs, and until they do, later adopters might stick with ol’ reliable iOS 6. When you do make the switch, there are dozens of articles to help you recover from problems and tune the system to your liking.

But change is inevitable. Developers have actively left iOS 6 behind. Apple is sure to require 7 to interface with whatever new magic they release. And once you’re in it, I really think you’re gonna enjoy it.

How much should I fiddle with the privacy settings on iOS?

O’Grady is a legit writer, and his tips here are not specifically wrong. But I personally have less worry about this stuff, mostly because I think anyone who actually wants to track my location that bad can follow my car around.

This article by Jason O’Grady has some reasonable recommendations.

O’Grady is a legit writer, and his tips here are not specifically wrong. But I personally have less worry about this stuff, mostly because I think anyone who actually wants to track my location that bad can follow my car around.

Also, there are so many other things that companies know about us. Every time we charge our credit card, we reveal our location.

I don’t know how someone would cause me harm just from having the information. But I do know that I benefit from my phone being able to use my location to give me more relevant data and get me through my day.

So, while one can certainly switch these switches, and feel a little more private, I think it’s important to take privacy concerns in context, and recognize where each of us are, and are not, truly vulnerable.

DNS, DoS, and recent cyber attacks

How concerned should I be in light of the recent cyber
attacks? Is my cable modem an “open resolver”? Can it be highjacked?

The short answer: I have configured most of my clients’ routers to distribute addresses for DNS servers provided by the OpenDNS project. Read on to learn how that protects you.

I had never considered the possibility of a hacked cable box, I suppose mostly because I’ve never heard a geek mention it. I just did a googling of “hack cable modem,” resulting only in discussions of how one might rejigger one’s own modem to elevate the connection speed or get free Internet, both of which appear to be quite prosecutable offenses.

I’m no hacker, but I have a decent handle on small-network security, and I have difficulty imagining the purposes to which a miscreant might put a cable modem. It can’t send data by itself, and your own local network is protected by the router that sits behind the modem.

So, onto discussion of the recent cyber attacks against Spamhaus.

As this article explains, the attack is actually performed on vulnerable DNS servers, such as those run by less vigilant Internet service providers around the world.

What’s a DNS server?

DNS is not hard to understand — it can be thought of as the phonebook of the Internet. When you ask your web browser to go to http://www.i-wish-elliot-spitzer-hadnt-been-such-a-schmuck.com…well, let’s use http://www.google.com as a shorter example…your browser first asks your computer what DNS servers it should use to look up the address.

In my house, my computer sends my browser to the OpenDNS Project’s servers 208.67.222.222 or 208.67.220.220. (We always have a second server as a backup in case the first one isn’t available.)

Then my browser asks the OpenDNS server where to find http://www.google.com. It receives a numerical reply, the IP address of Google’s Web server. Then the browser goes to that IP address and asks for whatever web-page information the server cares to give it.

How does this help hackers?

To understand the recent malfeasance, it’s called a Denial of Service (DoS) attack. This is one example:

Imagine someone hijacks one of these vulnerable DNS servers, so that when you ask for Google.com, you actually get directed to some other Web server. Now imagine everyone using that ISP’s servers having every single one of their browser requests directed to the same Web server. The unsuspecting server would get barraged by requests, and would have to start turning some of them away — denial of service.

Service breaks down, customers get angry, service loses money, attack successful.

The big ISPs in America protected themselves against these attacks a few years back. But even before that, when the attacks first reared their heads, I looked into the proscribed ways to protect oneself, and immediately started plugging in the OpenDNS servers into all my clients’ routers. Crisis averted, at least for us.

Hackers employ several methods to affect a DoS. As I understand it, the goal is not direct monetary gain, but perhaps a hobbling of an adversary, or even an expression of protest. DoS is a typical weapon of the hacker collective Anonymous.

As you can see on the OpenDNS page, using their servers offers other benefits and features, including faster replies to queries and configurable web-content filtering for those with tender sensibilities.

Bonus nerdy information

Google actually started its own public DNS service a little while ago. You can use the servers 8.8.8.8 and 8.8.4.4 in place of the OpenDNS servers.

They have put up a page explaining DNS security in more depth.

I hope you find this information in any way helpful or reassuring.

J2 News: Prevent Someone From Becoming You

Black HatIf you got my last newsletter, you know that this is the year when we all — the whole internet-using universe — become targets for bad hackers. We’ve already learned how they will try to get at our Macs. Now we need to look at how our online accounts and identities are vulnerable. Please at least read the first section, on passwords.

Got GSP? Picking a Good, Strong Password

You know how, recently, you might see a spate of emails from a friend that you know are junk — invitations to off-shore pharmacies and the like? And then that same friend emails everyone in his or her address book, to the effect of, “Sorry, someone hijacked my email!”?

Well, that happened because your friend had a password that was too simple, too easy to crack, and someone cracked it and took control of the mailbox.

This intrusion is not just an inconvenience to your friend and the people in their inbox. If someone has your email password, they can get passwords to ALL of your other online accounts, including possibly banking. And hackers make money — more than you might think — by acquiring access to things like passwords, online accounts, credit card numbers, etc. (Hackers commit other kinds of crimes, too, but let’s continue.)

How do they do it? I’m not a hacker, but I can abstract it: The bad guys have their computers scan the internet for, say, @gmail.com addresses. Then they point other software at the Gmail servers, and run software to try to log in to known accounts by guessing all the possible password permutations. Unless you’re famous and being specifically targeted, they’re not researching the names of your kids and pets. They just run through the dictionary, and common names, and number sequences (e.g., “1234”), and their bots work really fast. If your password is more simple than what I’ve outlined below, they can guess it.

Here’s a real disconcerting site, which I found by googling “crack gmail password.” There are others.

So, I’ve already posted this, but it’s well worth restating:
Please — as in, umm, now — please create a Good, Strong Password for your email and any other important online accounts.

A Good, Strong Password contains:

  • at least 10 characters of both letters and numbers
  • at least 1 capital letter, preferably in the middle
  • at least one non-alphanumeric character, preferably in the middle
  • no recognizable names or words.

Microsoft words their recommendations slightly differently, and offers one tip for creating a password. I like their suggestion of choosing a memorable phrase and building the password from there. I even think that choosing a full sentence with capitals and punctuation might be a good way to remember the password; a bunch of recognizable words would be safe-ish. I also like passwords that are easy to type, as long as they don’t contain keys in order, such as “fghj.” Here are some other tips.

I have met every different kind of personality when it comes to creating and remembering passwords. And believe me, I have every sympathy for people who feel they have more important things to do with their brains. Unfortunately, we have come to a time when, from here on out, you either keep your digital stuff locked tight, or you get your life messed with.

Keeping Track

The natural question that follows is, how do I keep up with all my passwords? Fortunately, your Mac has an excellent built-in device for this, called the keychain. Several software packages are also available for Macs and PCs. Check out my full write-up on the keychain and other options.

Do the It’s-Really-Me Two-Step

There is another method to lock your ID even tighter. It’s called “two-factor” or “two-step” authentication. Not every service offers it, and I won’t lie and say it ain’t for those who like to keep technology simple. But Google has rolled it out, even to their free accounts, and it is as smooth as I could expect something like this to be.

You dance the Google two-step like this: When you sign into a new computer — or every 30 days on your usual computers — besides accepting your password, Google sends you a text message with a code. You have to enter that code on the Google web site to continue.

Google two-step verification

Also, for all your other apps that access your account, such as an email or calendar program, Google will generate a single-use “application” password that you only have to enter once; it will get stored by your computer or phone, and if said device gets stolen, you can revoke permission.

“Gosh, this sounds like fun!” you’re saying. You can’t wait for us to come over and show you this awesome new computery thing. Just wait! There’s more…

Google offers a couple of backup verification methods in case you can’t get a text: You can receive a voicemail with the code, or your phone can run an app that generates a code for you, or you can carry a piece of paper with 10 “backup” codes on it. Really, I’m not kidding.

They also will do a retinal scan and test your DNA against a sample they keep in a cryo-vault… OK, that time I was kidding.

Enabling Two-Step Verification for your Google account is in your Account Settings. It’s a bit of a process, and I recommend reading carefully each step of the way.

Facebook also does this login two-step now, which is good because 750,000,000 accounts are a terrifically big honey pot, and we all know someone whose account got hacked. Go to the Account Security section in Account Settings, and make it look like this:

Facebook Account Security settings

Facebook should already know your cell number, and will text you a code to enter.

I dearly wish more services were doing the two-step. Yahoo, Amazon, eBay, Apple iTunes — they should all get on this bandwagon. But the smart ones are at least starting to require Good, Strong Passwords.

Welcome to the Age of the Hack. Don’t shoot the messenger.

Creating a small, secure network in your home or office

Note: The recommendations, opinions, and prescriptions are just one man’s view on creating a basic secure network. There are infinite ways to do this dependably, and these are the ones I think are easiest and most cost-effective.

I’m setting up my home network. I would like to allow connections with just one computer from outside the firewall, via VPN, and not allow any other incoming browser or FTP or any other sessions. What hardware can accomplish this?

First of all, it’s worth reading this explanation of home networking.

In many ways, any proper router, including an Apple Airport device, provides a firewall when you don’t open ANY holes in its network configuration. When a router or server manufacturer promotes its “firewall” as a feature, they mean that you can configure those holes more specifically.

Definition: Here, I use “holes” as English for “ports,” which on a network are numerical openings in a firewall, through which network traffic is allowed to pass. We might open those ports using a protocol called NAT (network address translation). With NAT, I can say, just for example, “When I am away from home, I want to securely access my home network with a web browser, to see my security cameras.” So I set my router to direct all traffic on port 443 (the secure web browsing port, or HTTPS) to the network address — the IP address — of my security system.

You might, for example, schedule certain ports to be open at certain times of the day, or direct certain traffic to one IP on your network, in case you did indeed want to have a web or FTP server. A firewall might also let you restrict outgoing traffic to specific ports, and will also keep a log — at a detail level you specify — of incoming and outgoing traffic.

In your case, I’m seeing that you want all holes blocked, except for those that would permit the VPN. A VPN allows you to establish a tunnel through the firewall — a tunnel that encrypts all the traffic going through it.

Can I achieve this with a VPN installed on Mac mini?

Yes, combined with a good router.

If I do not have a dedicated firewall, what is keeping the bad guys out?

See above. One of the most important strategies in security is not to turn services ON. Older Windows machines, especially before XP Service Pack 2, seemed to me to be wide freakin’ open out of the box, advertising their presence on a network and too easily offering basic file sharing, even without requiring a password. Macs are not that open straight off, but their firewall is not on by default, so whenever you turn on a service — iTunes music sharing, for example — it does not request permission to open a port, which does happen when you have the firewall on. The firewall on the Mac also includes logging.

On a laptop or other mobile device, I usually turn almost all services fully off. But It’s nice to have some services turned on on some desktop computers. It would be a shame, for example, to have music or photo sharing turned off on the machine where those things mainly reside.

So here’s the HEADLINE: To maintain good security, the most absolutely crucial technique is to lock down all services with good passwords, and use as many different passwords as you can safely store and readily access.

“Good,” in this case, means letters (some capitalized), numbers, and a special character or two. Learn where and how to change your passwords, and do so regularly. Don’t write them down. Your Mac stores passwords, certificates, and private notes in a well-encrypted file, the keychain, and that’s the best place for them. There’s also software called 1Password that’s worth a look.

Learn to manage passwords and you’ve learned to manage your security.

I am renovating my house, and I want to wire most of the rooms with Ethernet.

That is a fantastic idea, for several reasons: It increases the resale value of your house just like a good electrical or HVAC system does. It’s also important to realize that, while wireless networking is cool and all, there is nothing as reliable as a cable.

I have more information, and a table to help calculate the costs of setting up your network posted at Google Docs, right here.


Theft-prevention for your Mac

Last year, I wrote about some folks in San Antonio who lost a couple of iMacs to theft. The SAPD reports that crime went up last year from 2006, and I have heard, secondhand, from a crime-statistician that there has been a marked increase again in 2008.
It goes without saying that portable computers are even more vulnerable than desktops, and it’s inconvenient to use on them the security cables I mentioned in the previous post.

So here are a few software-plus-service packages that people should know about. One of them you may already be using:

Back to My Mac

Since Leopard came out, the MobileMe-né-.Mac service has offered a feature called Back to My Mac. I’m not going to dwell on this, because it is one of the least reliable things Apple has ever produced, but it is worth mentioning that it did help one user reclaim her stolen MacBook.

Paid services: MacPhoneHome and Undercover

These are really cool services, and quite inexpensive. I really like that they involve one-time fees, with no monitoring charges. The first one, MacPhoneHome, has been around for awhile, along with its cousin PCPhoneHome. They purport success, and the $30 tag is great. But my main man Erick recently uncovered Undercover, which has a phenomenal feature set, and is clearly designed by Mac lovers. I’m sure both of these services would have roughly the same chance of recovering your property — may you never have to find out — but Undercover just feels like a better product.

Dynamic DNS

I also won’t spend much time here either, ‘cos it would have to get technical. Quick definition: Dynamic DNS uses a free service such as dyndns.com to translate an IP address — be it your home or office internet’s ever-changing IP, or whichever connection your laptop happens to be using a the moment — into a hostname, e.g. johnqmacbook.dyndns.org. So I have a program called DNSUpdate continually reporting my MacBook Pro’s external IP address to DynDNS. It’s a system-level process that starts at bootup, so the hope is that, if someone swiped my laptop and fired it up, it would reports its address, and just maybe Johnny Law could work with the relevant internet service provider to track down that last-known location. It’s a long shot, but the other services discussed here partially bet on the same probability.