Wednesday, January 13, 2016

Identity Theft: What To Do

Many people do not appreciate the seriousness of identity theft until it actually happens to them and, as a result, many people are unprepared for the impact it has on their lives. Identity theft happens so often today that it is becoming the norm.

  • Have you ever had a bank or creditor contact you telling you that someone attempted or successfully opened an account under your name?
  • Have you ever noticed an account on your credit report that you did not open?
These are all signs of identity theft, but what exactly do you do when this happens? Identity theft protection services are expensive and typically only help you clean things up after the incident has occurred. These services are helpful, but you don't need them to take action.

If your identity has been stolen and someone attempted or successfully used your identity, here are the steps you should take:

  1. Notify Banks and other Financial Institutions - Banks and other financial institutions can put your accounts on fraud alert and may also provide information regarding recent suspicious transactions you may not know about. 
  2. Put Credit Reports on Fraud Alert - Call one of the three credit bureaus and request that your credit report be placed on a 90-day fraud alert. Once this is done, the credit bureau will contact the other two credit bureaus for you and place them on fraud alert. If you feel you need longer than 90 days, you can request that your reports be placed on fraud alert for up to seven years.
  3. Cancel or Request new Credit and Debit Cards - If you suspect your credit and/or debit card(s) may be involved, cancel the cards and request new ones from your financial institution(s). Credit and Debit Card theft is the most common form of identity theft.
  4. File a Police Report - In the event you need to go to court or fight with your financial institutions and credit bureaus, you need documentation to back you up. Filing a police report shows them you took appropriate actions and establishes an official "Identity Theft Report". This gives you a solid track record that will work to your advantage when attempting to reclaim your identity. 
  5. Review your Credit Reports - Get a copy of your most recent credit reports and review them. Look for any suspicious new accounts or inquiries. If any are identified, contact that creditor immediately and notify the credit bureaus. 
For your convenience, below are the US phone numbers for the credit bureaus and the Federal Trade Commission. These may change in the future but as of today they are current.

Federal Trade Commission - 1-877-438-4338
Equifax - 1-888-685-1111
Experian - 1-888-397-3742
TransUnion - 1-800-680-7289

Identity theft is never going away and in this digital age, it is going to get worse. Just as you need to be prepared for a natural disaster or warfare, you need to be prepared for identity theft. Have a plan and be ready for when this happens to you.

Thursday, December 10, 2015

Controlling Android App Permissions - Android 6.0

Have you ever tried to download an app from Google Play only to find out the app wants access to practically everything on your device, like a simple wallpaper app that requests access to your contacts or a crossword puzzle game that requests access to your location, photos, and calendar? The permissions you allow an app to have on your device are often overlooked or ignored, which can result in data theft and viruses, and can certainly allow hackers to own your device. It is extremely important to watch and restrict the permissions these apps are requesting. Even if the apps seem credible and come from big names like Facebook or Google, they need to be regulated, and it's up to YOU to do that.

Until recently, you had two options when downloading apps from Google Play:

  1. Accept whatever permissions the app is requesting and install the app.
  2. Don't download the app at all.
This is extremely frustrating for those of us who care about our privacy and security. Google seems to have recognized this and now allows YOU to control the permissions the app has on your device. This feature came with Google's latest release of their Android operating system, version 6.0 (a.k.a., Marshmallow). If you are lucky enough to have received this update already, then you have the power to control the permissions apps have. And I'm going to show you how.

1. Go into the "Settings" menu, scroll down, and press "Apps".

2. Find and press the app you want to change the permissions for. 

3. Press "Permissions" to access the list of permissions the app has on your device. Flip the switch to turn off a permission you don't want the app to have. 

NOTE: Your device will warn you that "the app may not function correctly" if you turn off a permission. The keyword here is "may". The app will work fine but certain functionality of the app may be limited. Do what you need to do. 

Now you are done! Do this for all the apps already installed on your device and any future apps you install. This will greatly improve the overall security of your device and will certainly keep you safer than you were. Cheers!

Thursday, October 15, 2015

Stay Secure on Public WiFi

With data plans becoming more expensive and less optimal, it has become critical to use WiFi to avoid high phone bills and to provide a better experience with streaming media, uploading, downloading, etc. Most people know this already, so when there is free WiFi available they connect without hesitation. Coffee shops are the most common, but now open networks are popping up everywhere, including libraries, airports, retail stores, and so on. These networks are insecure and you really should not be using them until the security improves. But since I know you are going to anyway, here are some tips for improving your security while using these open WiFi networks.

Use a VPN

A VPN (Virtual Private Network) creates a secure tunnel between your device and the VPN provider. Any traffic going in or out of your device (Internet, Outlook, RDP, etc.) will be forced through the tunnel (which is encrypted and secure). There are many good VPN providers, but the key is finding one you can trust. They are typically a subscription service that can range anywhere from $3/month to $20/month, but it's well worth the money. Additionally, most of them have their own mobile app for Android and iPhone, which is pretty awesome. Using a VPN is the best thing you can do to improve your security on open WiFi networks.

Disable Network Discovery & Sharing (Windows Users)

When you first connect to the open WiFi, if you haven't connected there before you will be prompted by Windows to select the type of network you are connecting to: Home, Work, or Public. The option you choose is important because this setting determines the level of trust on the network. For example, selecting the Home Network option tells Windows that you are on a private and secure network and to trust the other computers on the network. Windows will attempt to find other computers on the network and will also advertise your computer on the network. Always select Public Network when using open WiFi networks. This automatically disables network discovery and sharing.

Uncheck "Connect Automatically"

When you connect to a WiFi network for the first time, the box "Connect Automatically" is checked by default. This is because most people don't want to re-type the password each time they connect to that WiFi network. So what if someone spoofs the network and your device automatically connects to them? Everything will seem normal except the attacker is sniffing all your passwords and spying on you. You want to ensure your device is connecting to the correct WiFi network so uncheck this box and deal with typing in the password each time. In Mac OS X it is called "Remember networks this computer has joined".


Avoid Sensitive Websites

Avoid accessing sensitive websites such as financial sites, work sites, etc. Even if you are using a VPN or connecting to a site that is using HTTPS, it doesn't mean you are 100% secure. So why risk it? Do you really need to check your bank accounts while having a cup of coffee at Starbucks? It can wait, avoid sensitive sites.

Use "HTTPS Everywhere"

HTTPS Everywhere is a Chrome and Firefox add-on that forces encryption between you and several major websites. This is a fantastic add-on, but you shouldn't rely on it entirely for your browsing security. Use this in conjunction with a VPN.

In conclusion, my best recommendation is to avoid these "free" and open WiFi networks altogether, but if you absolutely need to connect, then follow the recommendations in this post. It will greatly improve your security, but remember, there is no such thing as being 100% secure.

Thursday, October 8, 2015

Android Lock Screen Security

If offered a choice between security and convenience, what would you choose? Many people would choose convenience over security because security can be very inconvenient and people just don't want to deal with that. But sometimes you need to sacrifice convenience to protect yourself.

The lock screen is the gateway to your Android device, just like the login screen is the gateway to your laptop. Many people overlook the importance of locking it down because it is inconvenient or they are ignorant. Would you allow your laptop to display your emails on the lock screen of your computer? Would you secure your laptop with a four digit PIN? Probably not, and your phone is no different.

Here are some tips for securing your Android lock screen:

Use a Strong Password instead of PIN or Pattern

In your security settings, you can choose to enable a Screen Lock. Android offers many choices for a screen lock including Swipe, Pattern, PIN, Face Unlock, and Password. Of these choices, using a strong password is the best and most secure option available to you. Patterns can easily be compromised by tilting the device and viewing the finger marks. Additionally, people tend to use patterns related to them (e.g., William using "W" for his pattern) and simple-to-guess patterns. PINs are also a bad choice because they are short and only contain numbers. With passwords, you can create a strong password which is not bulletproof but is definitely more secure than a pattern, PIN, or facial recognition. Refer to my previous post "How to Create Strong Passwords" to assist you with this.

Automatically Lock - Immediately

In the security settings, under Screen Lock, there is an option to "Automatically Lock". This should be set to lock "Immediately". Why does this matter? Well, let's say your phone is set to lock after 5 minutes rather than immediately. This means when you lock your screen you can unlock your phone again within 5 minutes without entering your password. So what happens if you set down your phone and someone steals it? If they access your phone within that 5-minute time period, the thief will be able to remove the security, access all your apps and resources, and ultimately own your device.

Hide Sensitive Notification Content

Android notification content is displayed on your lock screen by default (starting with version 5.0). This means each time you receive a text message, for example, you can read some or all of the message right from your lock screen without even unlocking your phone. Pretty convenient, but what if you receive a text message for accessing your online bank account? Or what if you receive a confidential text message from your work? If your phone displays this content on the lock screen, anyone can view it by simply picking up your phone. You want to change this setting to "Hide sensitive notification content". This will allow you to continue receiving notification content on your lock screen but it will hide the content from text messages, emails, and other notifications that may contain sensitive information. You can change this setting under Sound & Notification in your phone settings.

Google has been working on improving the overall security of their Android operating system to provide security by default and security without the expense of convenience. Though they have made good progress, there are security settings that remain a choice for the end user. It is important that you review these settings and make good decisions when it comes to security. Use good judgement.

Thursday, October 1, 2015

How to Create Strong Passwords

Currently hackers can process thousands of randomly generated passwords in a matter of minutes. In a recent study a security research group was successfully able to crack over 14,000 password hashes in only 16 minutes! So how easily can your password be cracked? Well, it depends on how strong your password is. This post offers some guidelines for creating strong passwords, how to remember them, and how to store them securely.

First off, there is no such thing as an impenetrable password. Any password can be cracked. So look at it this way: the longer and stronger your password is, the longer and harder it will be to crack. Think about it. If you are a hacker and you have 900 password hashes, and the first 850 of them are using things like "password123" or "billybob1951", why waste your time cracking a strong password that could take weeks to crack when you can spend five minutes cracking these easy ones? Hackers are knocking on the door; all they need is someone (anyone) to open the door.

So let's start with the general password rules:
  1. Should be a minimum of 10 characters long (but again, the longer you make it the better).
  2. Should contain at least 1 special character (#, !, &, *, etc.).
  3. Should contain at least a mix of numbers, upper and lower case letters.
  4. Avoid repeating characters (mypassword7777).
  5. Avoid dictionary words, names, etc. (ilovepizza2001 = awful password).
  6. Avoid using words that describe you (pets' names, SSN, birth date, etc.).
  7. Avoid using the same password(s) for different websites and applications (if one website password is compromised, all your websites are compromised). 
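
The seven rules above written as an automated check, run over the sample passwords this post mentions. This is an added example, not part of the original post; the function and parameter names, the small word list, and the "three identical characters in a row" threshold for rule 4 are assumptions.

```python
import re

# Constructed sample word list (an assumption); a real check would load a
# full dictionary plus a list of commonly used passwords.
SAMPLE_WORDS = {"password", "love", "pizza", "billy", "bob"}

# Assumption: rule 4 ("repeating characters") means the same character
# three or more times in a row, as in "mypassword7777".
REPEAT_RE = re.compile(r"(.)\1\1")


def check_password(pw, personal_terms=(), used_elsewhere=()):
    """Return the sorted list of rule numbers (1-7) that pw violates.

    personal_terms: words that describe the user (pet names, birth year...).
    used_elsewhere: passwords the user already uses on other sites.
    """
    failed = set()
    lower = pw.lower()

    if len(pw) < 10:                                    # rule 1: length
        failed.add(1)
    if all(c.isalnum() for c in pw):                    # rule 2: special char
        failed.add(2)
    if not (any(c.isdigit() for c in pw)                # rule 3: character mix
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)):
        failed.add(3)
    if REPEAT_RE.search(pw):                            # rule 4: repeats
        failed.add(4)
    if any(word in lower for word in SAMPLE_WORDS):     # rule 5: dictionary
        failed.add(5)
    if any(t and t.lower() in lower for t in personal_terms):  # rule 6
        failed.add(6)
    if pw in used_elsewhere:                            # rule 7: reuse
        failed.add(7)
    return sorted(failed)


if __name__ == "__main__":
    # Sample passwords taken from this post.
    samples = ["password123", "billybob1951", "mypassword7777",
               "ilovepizza2001", "!L!v3@233P@rkStr33t"]
    for pw in samples:
        broken = check_password(pw)
        print(f"{pw!r}: " + ("passes rules 1-5" if not broken
                             else f"violates rules {broken}"))
```
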
But if I create strong passwords, how will I remember them? First, create your passwords based on sentences or phrases that you will remember:

"I live at 233 Park Street" = "!L!v3@233P@rkStr33t"

Or you can use a password generator such as to create you a strong password based on the criteria you select:

Now if you follow these guidelines and are creating all these strong passwords, chances are you are not going to remember them and you are going to have a hard time managing them. So what do you do? Use a password vault such as LastPass or KeePass. With a password vault, you only have to remember one password (which lets you into your vault). Then you can store all your usernames and passwords in one place. 

Password vaults are generally free and are a good method for storing your passwords securely. You simply copy and paste your passwords into websites, applications, etc. Some password vaults can even populate your username and password automatically into the website or application with the click of a button. 

Bottom line, creating strong passwords is very important. It is incredibly easy to guess and crack passwords. This guide will help you create strong passwords and there are options for remembering and storing these passwords. Find what works for you and you will be better off than most people, in a world dominated by technology.

Thursday, September 24, 2015

Protecting Yourself From Microsoft - Windows 10 Privacy

In July 2015 Microsoft released Windows 10, the latest version of their operating system. Windows 10 is a significant improvement from Windows 8.1 and if you haven't already, you should upgrade to Windows 10. However, there are some privacy settings you should change immediately after upgrading. This post describes the Windows 10 privacy settings and how to change them.

Customize Settings

1) Under Browser and Protection, turn off "use page prediction...". Yes, this does speed up your browsing but with this enabled you are sending all your browsing data to Microsoft.

2) Under Connectivity and Error Reporting, turn off both options. These options will automatically connect your device to open hotspots and networks shared by your contacts. These network connections may not be secure and could compromise your device. Additionally, you are sending this data to Microsoft.

Privacy Settings

1) Open your Settings menu and go to the Privacy settings. Click on the General tab on the left and turn all the options off. These settings are the most intrusive because they allow Microsoft to share your data with third parties AND allow Microsoft to collect your keystrokes, meaning every key you press on your keyboard is logged and sent to Microsoft (i.e., keylogger).

2) Click on the Location tab on the left side. In Windows 10, location tracking is enabled by default. If you do not want Microsoft tracking your every movement, turn this off by clicking the Change button under "Location for this device is on". Next, just below the previous setting, flip the "Location" button to off.

3) Now, click on the Speech, Inking, and Typing tab on the left. This is another location where you can allow or disallow Microsoft to collect your keystrokes and personal information. Click Stop Getting To Know Me to turn this off.

Wi-Fi Sense Settings

1) Click on the Start Menu and search "wifi". You should see "Change Wi-Fi Settings" somewhere in there; click on it. Under Wi-Fi Sense, change both settings to off. These settings will share your wifi settings with all of your contacts and connect you to open hotspots. Both are dangerous situations if not managed properly.

Microsoft has provided a good operating system with Windows 10 but with this new operating system, they introduced several new or improved features that can steal your data and invade your privacy. Always review your settings when you get a new device or operating system because the default settings are usually invasive and not what you want.

Thursday, September 17, 2015

Securing Your iPhone or iPad - iOS 9

iOS 9 has finally been released by Apple and includes a wide range of changes that boost security and privacy. Here are some settings you need to check, and change if necessary, to take advantage of these new features.

1) Update Your Passcode! 

Until now, passcodes were limited to just 4 digits. iOS 9 allows you to create passcodes up to 6 digits, which is far more secure than a 4-digit code.

2) Enable TouchID 

To add an additional layer of security, enable fingerprint authentication. This can easily be done in the Settings. Make sure you have enabled the "Phone Unlock" setting.

3) Change your Hotspot Password

Though the default password is stronger in iOS 9 than it used to be, you should change the default password to a stronger one of your choosing. The default password can be found on the internet and would allow anyone who knows that password to be able to connect to your hotspot. Changing the default password is a common best practice.

4) Require Password for Every Purchase

With this enabled, you will be prompted to enter your password or TouchID for every purchase in the App Store and iTunes. This prevents unauthorized purchases and adds an additional layer of security in the event your device is lost or stolen. When you see the prompt below, choose "Always Require".

5) App Privacy

Apps have become quite good at sneaking in permissions that impose on your privacy, such as location tracking and information gathering. When you install an app and receive a prompt such as the one seen below, select "Don't Allow". It is common for an app to track your location in the background, even when you are not using the app. You may also want to go through your apps that are already installed and disable location tracking in them too.

6) App Permissions

When you are downloading apps, take the time to go over the permissions the app is requesting from your device. It is common for apps to request permissions they do not need and many of these permissions can be used to steal data from you such as your contacts or other private information. If an app wants any of these imposing permissions, you will see the prompt below. Always select "Don't Allow". For apps that are already installed, you can manually go through them and change the privacy settings to "Off".

7) Enable "Find My iPhone"

Time and time again, the "Find My iPhone" feature has assisted the police with locating stolen devices. If you are concerned with locating your device if it has been lost or stolen, enable this feature in your Settings. But please note, by enabling this feature you are allowing Apple to track your device. 

If you must use a mobile device, securing your mobile device is critically important. More and more attackers are targeting mobile devices and this will only increase as time goes by. Do what you can, with what you have. 

Copyright Clyde Frog Security | All Rights Reserved