Thursday, June 27, 2019


Akiva's Latest 'Net Security Primer

by Reb Akiva at Mystical Paths

Being of the techie genre, I'm frequently asked by friends and family for computer / internet / phone security advice.  Here's my latest advice... and it's kind of long and detailed, but since everyone is now managing many life activities through their phone and computer -- YOU ARE A TARGET for criminals because that's where the money is!

Security Tip #1 - use 2-factor authentication on any service that offers it.

What does this mean?  It means you can't just log in to a service with your password; the service will either require another special code or send you an SMS with another code (or call you with it).

How do I do this?  Each service has its own option you have to find and turn on in settings.  For Google (Gmail, etc), go here.  Facebook go here.  For any other service, check for a 2-factor or multi-factor option in settings.

This is a major security control to immediately put in place!  Also make sure there is a recovery or work-around option in case the device (usually phone) is lost or stolen, and keep track of the recovery information.

Security Tip #2 - 2-factor authentication usually offers an option to use an "Authentication App" (here's Google's), which is much more convenient than having to receive an SMS - and which I therefore recommend.  But what if your phone is stolen or hacked (and the app is on your phone)?  I use Authy, an authentication app that works with everyone (Google, Facebook, Amazon, etc), and requires a PIN code to enter - so the app is protected if your phone is stolen or hacked.  A further advantage of Authy is it can be shared on multiple phones, so your spouse and you can have access.  (Other authentication apps only work on one phone at a time, so if the phone is lost or stolen - or the person is unavailable to unlock it, then the access is unavailable.)  Here's Authy for Android, and here it is for iPhone.

Security Tip #3 - Your internet browser is a weak point; select a new one focused on security and control.  Chrome used to be the fast and secure browser, and it's the default on all Android phones.  But between hacks, attacks, and Google tracks, it's become a risk point and a way to track you.  I currently recommend Brave browser, which has many security and privacy capabilities built in and turned on by default.  Brave is available for all platforms - Windows, Mac, Android, iPhone and iPad.

If you are on a Mac, then Safari is an ok choice...with some adjustments (see Ghostery below).

BUT, if/when you must use Chrome... there are a few sites that only work correctly in Chrome.  Since sometimes Chrome must be used, I recommend installing the following Chrome Extensions - get them here - to improve security and the browsing experience.  (But note, the extensions can also cause some rare sites to have issues and may need to be disabled for that site - click on each extension icon to 'disable or trust this site').  Chrome extensions work on all versions of Chrome - Windows, Mac, phone.

Extension - uBlock Origin.  This add-on blocks most ads and some forms of attack.

Extension - Ghostery.  This add-on blocks tracking and data leakage.  I strongly recommend this one also if you are using Safari; a special version for Safari is available here.

Extension - Poper Blocker.  This add-on blocks pop-ups, pop-unders, and overlays.  It stops both ads and attempts to fake you out by laying things on top of a page without you knowing it.

Security Tip #4 - Use a Password Manager and DO NOT use the same password or derivative versions of it on different sites.  When a site you belong to gets hacked, it's likely your email address and password to that site will be shared across the internet.  Want to check?  Use this site.  Note it says I've had my info stolen 8 times, and it includes (for me) my email, username, password, phone number and date of birth.

This is important because if you use the same email address and password on more than one site, attackers will use stolen lists to try known combinations.

Avoid this by using a password manager that will both generate long random passwords, and then enter them for you when you go to the sites (since no one is going to remember 30 different 15-character passwords).  I recommend LastPass; the free version is adequate for most situations.  I particularly like and recommend their "security audit", which identifies weak passwords, hacks and attacks that you should pay attention to.  I also like using it across computers and phones, and therefore (again) sharing it with my spouse.  But others prefer other options that store the passwords (securely) locally or share via Dropbox.  I see PCMag is recommending Keeper; it may be worth trying.  I see some nice advanced features like choosing users to share a particular password with (like sharing bank password access with your spouse).

Switching over to a password manager is a pain, and updating passwords across sites even more so.  But it's a critical security control with information being stolen from major sites and companies weekly.
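To make "same password or derivative versions" concrete, here is an added example (not part of the original post, and not how LastPass or any other product implements its audit) of a local check over a password list.  The vault contents, the character-swap table and the function names are all made up for illustration; the 15-character floor is the figure used above.

```python
import re
from collections import defaultdict

MIN_LENGTH = 15  # the post's "15 character passwords" figure, used as a floor

# Character swaps people use to make an old password look "different".
SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def base_form(password):
    """Reduce a password to the root word a guesser would recognise."""
    p = password.lower()
    p = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", p)  # drop leading/trailing digits, symbols
    return re.sub(r"[^a-z]", "", p.translate(SWAPS))

def audit(vault):
    """vault maps site -> password; returns site -> list of findings."""
    by_exact, by_base = defaultdict(list), defaultdict(list)
    for site, pw in vault.items():
        by_exact[pw].append(site)
        by_base[base_form(pw)].append(site)
    findings = {}
    for site, pw in vault.items():
        notes = []
        same = sorted(s for s in by_exact[pw] if s != site)
        base = base_form(pw)
        near = sorted(s for s in by_base[base] if vault[s] != pw)
        if same:
            notes.append("same password as " + ", ".join(same))
        if near and len(base) >= 4:  # ignore roots too short to mean anything
            notes.append("derivative of password on " + ", ".join(near))
        if len(pw) < MIN_LENGTH:
            notes.append("shorter than %d characters" % MIN_LENGTH)
        if notes:
            findings[site] = notes
    return findings

# Constructed sample vault; sites and passwords are made up.
VAULT = {
    "mail.example": "Sunshine2019",
    "shop.example": "Sunshine2019",
    "bank.example": "sunsh1ne!2020",
    "forum.example": "t9#Vq2!mLx0@Zr7pWd",
}

if __name__ == "__main__":
    for site, notes in audit(VAULT).items():
        print(site + ": " + "; ".join(notes))
```

Only the long random entry comes back clean; the bank password is flagged even though it is not an exact match, because swapping a letter for a digit and bumping the year leaves the same root.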

Security Tip #5 - Turn on your iPhone and Pad security!  Android phones are logged into your Google & Gmail account, and iPhones are logged into your Apple account (and you set up your email access on your phone).  So if your phone is in someone's hand, they can reset passwords through an email recovery -- if they can access your phone.  On older phones, this means you will have to enter a code or diagram every time you access your phone - newer phones should have fingerprint or facial recognition to make it quick and easy.  But regardless, turn it on!

Double secret hint... in the U.S. you can't be required to give your ID for your phone, but you can be forced to put your finger on it by authorities (a quirk in U.S. law).  So ID is better for confidentiality.

Triple secret hint... U.S. border authorities are permitted to require you to dump your whole phone ignoring the law above and ignoring business, legal or journalistic confidentiality.  So you may want to LOG OUT of Google, Apple, and Social Media accounts before coming to border control stations, and make sure anything really confidential is encrypted.

Security Tip #6 - Encryption is complicated and a pain, BUT if your device is taken it's the only way to make sure your data / pictures / financial information / etc is not.

For your computer / laptop - if you have Windows, turn on Bitlocker or Windows Device Encryption.  Here are some instructions.  (Note some Home versions of Windows have neither option.  There are free but more complicated alternatives, but I don't recommend them because of the complexity to set up and deal with if there are problems.)

If you have a Mac, here are instructions for Mac FileVault.

The big warning with both of these is - if you lose your password and recovery key, the disk/data is inaccessible forever.  Therefore, take your password and/or recovery key and put a copy of them somewhere else... like in your password manager.  It is particularly important that your spouse or family know how to get access -- so if you are unable or unavailable (like in the hospital) they can access things they need to.  And disk encryption ONLY protects you if your device is taken - it does not protect the content when the device is logged in and running.

How about phones?

If you have an iPhone 3GS or later, when you turn on the password it encrypts the phone.

The same is true for most Android phones, just adding the password encrypts the phone.  But I have noted with my Samsung that it offers both "secure albums" for (double?) encrypting select photos and also has a "Secure Folder" option (under Security) for (double?) encrypting other content - in both cases not allowing access to the content without another entry of PIN or biometric ID.

As they say, stay virtually safe out there!
