Security Saturday

[NB: check the byline as usual, thanks. /~Rayne]

I have Disney’s ‘Cinderelly’ song from the animated movie Cinderella stuck in my head now as I do my weekend cleaning.

We observed “Cinderella Saturdays” when my kids were younger. At 10:00 a.m. the morning cartoons were turned off (or the teenagers awakened) and appropriate Get Moving music put on the stereo.

For the next two to four hours we’d tear through the house with vacuums and mops and dust rags, throwing bedding in the laundry and hanging wash on the line.

It felt so good to be done with the chores by mid-afternoon. Or done with the irritating question, “When are we going to be able to play?”

~ ~ ~

It’s Saturday once again, but our cleaning chores have changed. Now it’s time to address digital chores like information security, ensuring the week will be safer than the last.

— If you haven’t reset your passwords recently, it’s past time.

— If you haven’t set up Multi-Factor Authentication, it’s also past time.

— If you haven’t recently used some apps on your mobile devices, it’s time to remove those you don’t need. Please consider using a good browser to access services instead of apps because each app is a new security risk, a chance to be hacked.

— If you feel like you need more information about personal information security, visit Electronic Frontier Foundation’s Surveillance Self-Defense page.

https://ssd.eff.org

— This site by Tactical Tech is no longer being updated but it’s still a decent guide to privacy and security considerations you might want to browse as a guideline:

https://myshadow.org/increase-your-privacy

Tactical Tech also offers their own resource kit called Security in a Box:

https://securityinabox.org/en/

— If you don’t have this automated already and haven’t cleaned your browser’s cache, search and download history, cookies, site settings, now’s the time to go through them.

— If you don’t have antivirus and antimalware applications set up on an automatic schedule, it’s also time to get this done.

— If you don’t have instructions “in case of an emergency” about your online accounts for your family, now’s the time to draft them and put them wherever you also keep your legal documents like a springing power of attorney, patient advocate authorization, and so on.

~ ~ ~

Now a few words about housekeeping for this site.

First, you may have noticed occasional lags or quirks in service of late. You may assume we’ve made somebody unhappy and they’re having a “tantrum,” in which case you may need to wait until the “tantrum” is done.

You can check for us online at Twitter — our accounts are:

@emptywheel
@bmaz
@raynetoday
@MasaccioEW
@JimWhiteGNV

(I don’t think Peterr has a Twitter account, sorry.)

Second, how our security works won’t be elaborated upon here, but you can guess there are triggers which may cause your comments not to make it directly onto the page. Things you can do to reduce the possibility of tripping a trigger:

— Make sure you use the same username each time, spelled the same way. (You have NO idea how much time is spent checking users’ account information and correcting some minor typo or spelling error because it’s tripped up a comment.) Save the information in a plain text notepad file to cut-and-paste if you’re forgetful or prone to fat fingering keys.

And no, we’re not going to look for a new comment system. We do not need to maintain a separate database which may also collect and sell your data.

— If your post has links, you may wish to “break” the link by inserting blank spaces so that it’s not active when posted; an active link may cause auto-moderation. The more links you share in your comment, the more likely your comment will go into auto-moderation.

— There are times when security is tighter, especially if you’re using a VPN. I’m sorry but this is simply a necessity for the security of the site and community members.

— Comments allow only a narrow range of HTML tags here; this is another security measure.

— If you’re being an ass and/or SHOUTING or swearing at community members or contributors/moderators, you can expect auto-moderation to kick in; see our Community Guidelines for more elaboration.

— For the safety of this site and others, please consider removing tracking from URLs you share in your comments. Links to sites of a questionable nature will never make it onto the site, including links to Google Docs.

Twitter links in particular are very easy to edit to remove tracking — just delete the question mark and everything after it so Twitter doesn’t have a full path from you, your machine, the person you’re retweeting/sharing, back to this site.
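The link clean-up described above, as an added Python example that is not part of the original post or this site's tooling. It drops the whole query string for Twitter links, as the post advises, and for other sites removes only an assumed list of common tracking parameters so that functional ones (such as a video ID) survive; the sample URLs are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hosts where everything after the "?" is share tracking (the post's Twitter case).
DROP_WHOLE_QUERY_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}

# Assumption: a short list of widely used tracking parameters; extend as needed.
TRACKING_PARAMS = {"fbclid", "gclid"}
TRACKING_PREFIXES = ("utm_",)


def strip_tracking(url: str) -> str:
    """Return the URL with tracking removed but functional parameters kept."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if host in DROP_WHOLE_QUERY_HOSTS:
        # "Delete the question mark and everything after it."
        return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

    # Elsewhere the query may carry the content identifier, so filter by name.
    kept = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower() not in TRACKING_PARAMS
        and not key.lower().startswith(TRACKING_PREFIXES)
    ]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
    )


if __name__ == "__main__":
    # Constructed sample links.
    for sample in (
        "https://twitter.com/example_user/status/1234567890?s=20&t=AbCdEf",
        "https://www.youtube.com/watch?v=Pb2si7fClqA&utm_source=share",
        "https://example.org/article?id=7&fbclid=XYZ#top",
    ):
        print(strip_tracking(sample))
```
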

~ ~ ~

And now set up reminders in your calendar: clean your browser weekly, change your password monthly to quarterly, check all your other security bells and whistles at least 2-4 times a year.

You can go play when you’ve finished your housekeeping chores.

43 replies
  1. Rayne says:

    I started writing this post last night and now I see The New York Times published a piece today which discusses personal cybersecurity — there are a few points in the article I didn’t address in my post, but I may address them next week as they’re not strictly related to information security. NYT’s point about ensuring you have duplicates of important personal data is good, though; however it doesn’t go far enough to address how to ensure you’re back up and running after a ransomware attack.

    • Tracy says:

      Thanks Rayne—you provided just the info I need. I’ve been concerned about a Russian cyberattack and with your article I can now make changes to increase my security.
      You did some great work for us!

  2. BobCon says:

    “If you haven’t recently used some apps on your mobile devices, it’s time to remove those you don’t need.”

    It’s also a good idea to think about cutting back substantially on online activity. The fewer online shopping accounts you have, and the fewer times you log in to systems, the fewer opportunities for your data being stolen. The fewer email promo lists, the lower your risk of being tripped up by phishing.

    Switching back to brick and mortar cash transactions (when possible keeping Covid in mind) means your accounts are at less risk. A lot of people have gotten in the habit of weekly impulse buys of toothbrushes and dog treats that incrementally build to a lot more exposure than is really necessary.

    It’s analogous to the way baseball addresses risks of arm injuries — better technique helps, but they’ve realized that cutting back on how much pitchers throw in the first place is crucial.

    • Wajim says:

      I use cash 98% of the time, but I’m paranoid and old. Perhaps Bitcoin, et al, is indeed the future, of something . . .

  3. Tech Support says:

    I have a default recommendation for friends and associates to help them with secure browsing on Windows PCs. It’s intended to minimize your data footprint while also avoiding site-breaking side effects that more aggressive tools produce. I’m sure there are security pros who would quibble with the setup, and I welcome that, but I’ve found this mix is easy for even non-technical, convenience craving people to stick with over time. It starts with using Firefox as your primary browser and then installing the following add-ons:

    Privacy Badger
    HTTPS Everywhere
    uBlock Origin
    Decentraleyes
    Facebook Container (Even if you never use Facebook you should still use this)

    I’d also advocate people to adopt the use of Password Managers which can really ease the process of using a different, stupidly complex password on each site you visit without having to worry about remembering any of them. I hesitate to recommend a specific one because there are wildly differing opinions but if you haven’t considered one before it’s something you should start looking into.

    You should use encrypted storage for all your devices. If you travel internationally, all of those devices should be powered off at the time of your border crossing. Regarding the above advice about backups, be prepared for the possibility of having your device confiscated if you refuse to power the device on for the border guards.

    Freeze your credit report. https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/

    Using Apple AirTags as a stalking/surveillance tool has become a thing lately. If you’re an Apple user, there are measures in place that can help you be automatically warned if somebody else’s AirTag has been foisted on you, but Android users have to do manual scans. Android users who travel, or who belong to a vulnerable demographic, or might have any reason to suspect that a retail bugging device could have been put on your car, your luggage etc. should use Tracker Detect published by Apple to periodically check your home/car/hotel room for AirTags.

    • ducktree says:

      When the law firm where I work went into lockdown in 2020 and I began working remotely full time from my home computer, we were offered a free upload of Sophos – which I’ve been relying on since March 2020.

      Is that sufficient?

      From my PC, I do very minimal shopping/buying: mostly through Amazon and See’s Candy (because, See’s candies).

  4. Peterr says:

    Nice reminders, Rayne!

    (And you’re right – I don’t have a Twitter acct. Maybe someday . . .)

  5. Jenny says:

    Thanks Rayne. I laughed when I saw your “Cinderella Saturdays” considering Cinderella is with me all the time and shows up to do the work or not. This morning, the laundry. Yep, cleaning on the outside is cleaning on the inside.

    • Rayne says:

      For the average consumer I’d rather suggest Chrome OS (for most people this means getting a Chromebook) than Linux regardless of the distro, as Linux isn’t as user friendly for most US consumers who don’t have much IT background. Chrome OS *is* based on Linux anyhow.

      Yes, Chrome OS means more invasive corporate influence. If one is using Windows, they’re already up to their ears in it, would only be changing from one corporation to another, and one they’re likely exposed to already. Updates to Chrome OS are far less disruptive than Microsoft’s or Apple’s iOS.

      And yes, there are security threats to the Linux kernel or Google wouldn’t be offering bounties for bug detection.

      • skua says:

        If a user has/had some proficiency with DOS and has been inside say a MS .inf file then trying out a common version of Linux by running Linux on a USB thumbdrive will help gauge its suitability.
        If it looks ok and cash isn’t tight then purchasing a new SSD and swapping that for the existing HDD will give: ease in returning to Windows if needed, backup storage and a backup ready-to-go primary drive. The preceding gives, IMO, a fair indication of the complexity and technical demands of Linux.

  6. Dopey-o says:

    “Thank you, good advice and shared. I would add one thing, if you aren’t tied to Windows by requirements, you consider Linux” (mvario)

    Which flavor of Linux is useful for the paranoid-but-technically-naive among us, IYO? Also, is it a step too far to run a Live CD version of Linux (say, Ubuntu?) to prevent malware / spyware infections?
    Some people run the TAILS version of Linux, built on the TOR browser, but those are mainly political dissidents who face imprisonment or worse.

    • mvario says:

      Yes, TAILS is the way to go if you are super paranoid (or as you said, a target). You can definitely run off of a live CD. If you want settings saved you’ll want one that does ‘persistence’. And if you want to save anything to disk you can always mount a drive temporarily.

      While there is malware, I have never heard of anyone running Linux as an end user running into any. Mostly it’s stuff targeted at servers. In like the dozen years since I’ve left Windows behind I haven’t come across anything personally. Just use common sense, unless you have other requirements, get software from the distro’s repository.

      I’m not an expert on all different distros, the stuff I’ve run has all been Debian-based… Puppy, Bodhi, Mint, and a few different Ubuntu flavors, and MX which I’ve been running for a few years now and I’m happy with it. So I can’t really help you as far as RPM stuff or Arch or other branches.

      But a live USB is a great way to give a distro a spin and see if you like it. Of course it will run a bit slower than if it’s installed, so allow for that.

      • earlofhuntingdon says:

        You can run a live usb of TAILS or any Linux distribution. It’s a good way to experiment with the system, get further along the learning curve, and decide whether you want to use it as a permanent replacement.

  7. e.a.f. foster says:

    Read the list of things to do and don’t know what most of it means. I know how to turn on this computer, find blogs I read and e-mail. Don’t use apps because I can’t figure them out. Change passwords, o.k.
    Don’t bank or do anything financial on computer or buy on line.

    I do have a sense that if I’m to follow instructions I won’t be going out to play today. Thank you for the reminder and suggestions on where to find information.

  8. Dymaxion says:

    If you’re using a different password for every account (which you should be) and you’re using strong, randomly-generated passwords that you store in a password safe (which, likewise), there’s no benefit to rotating passwords. So best to start using a password safe, and then reclaim that time.

  9. pdaly says:

    The need for a paper back-up of cell phone numbers hit home the other week when I accidentally left my phone at home. Even though I had use of the office phone, I had no way to contact friends or family. I’ve been hesitating to store things in the cloud. Maybe it’s time to commit to memory a few phone numbers, like in the olden days.

    Rayne, when you mentioned Cinderella and clean-up songs, the “Happy Working Song” from the live action Disney movie Enchanted came to mind. The princess-to-be wakes up in a messy Manhattan apartment, shakes her head in disapproval at the mess, and enlists the help of Manhattan’s native wildlife.
    https://www.youtube.com/watch?v=Pb2si7fClqA

    • rosalind says:

      ha! whenever someone makes fun of my flip phone, or folded piece of paper i carry with me that has key friend and family contact info on it, i ask them “you lose your phone – how many numbers do you know by heart?” i enjoy the blank looks i get in return. if feeling especially mean, i ask them what their phone number is (no looking allowed).

      • pdaly says:

        In the early days it took me a while to learn my cellphone number, and, for a few years, when asked for it during a phone call, I would politely hang up, scroll through phone settings, and call back with the answer! I guess this was before caller ID was ubiquitous. (I still am not certain I know how to place a caller on hold on my cell phone)
        My parents were much smarter and wrote all that information on the piece of masking tape they placed on the back of their cell phones!

        wrt phone apps: I avoid them as much as possible. I log on to websites on my phone the same as if I am on my computer. Gmail must be shaking their head at me.

      • blueedredcounty says:

        Over 20 years ago, a friend was trying to get phone numbers to contact family members. He wanted to do a conference call from his big old Nextel work flip phone and have them sing Happy Birthday during a dinner party. He had noticed my old landline wall phone had an insert where I’d recorded different numbers and the speed dial settings, and figured he’d be able to get all the numbers easily.

        The flaw…the list of numbers was from the mid-80s and out-of-date. The story came out at the birthday dinner, he managed to get the numbers through dogged work with other friends from college. The birthday phone call was one of the best surprise gifts ever. :)

        When he was telling the story, I explained that if it was a number I called a lot, they were all memorized and I never used a speed dial setting or looked them up. People scoffed, until I went around the table and rattled off everyone’s number.

        Unfortunately, I’ve gotten out of that habit over the last 20 years because smartphones make it so easy. But part of my clean-up tasks today will be to commit every close family and friend number to memory…just in case. Thank you, Rayne and everyone else, for the reminder. Hope you all have a great weekend!

    • Rayne says:

      LOL IIRC, my son was 9 or 10 years old when Enchanted was released — wouldn’t have been able to drag him to see it let alone listen to any cut from its soundtrack. He’s the one who constantly asked when we were done with cleaning. Although I wonder in hindsight if I’d promised him a pet rat if he would have been more cooperative about doing his chores.

  10. dejavuagain says:

    I use Parallels on my MAC. Is Parallels run by a Russian Company? If so, what are the risks? The main reason I like Parallels is that info on the clipboard can be read on both the PC and Mac side.
    Thanks to anyone who knows this stuff.

    And Rayne: EW does not need a new mail system – it just needs to add a little CSS code to fix what it has. No big deal probably. Maybe indent 2 spaces for replies and not 5 or 10.

      • dejavuagain says:

        Thanks. I think the origins of the company was software developed by a Russian Nikolay Dobrovolskiy, and I once received tech support in the middle of the night from someone in Russia. Glad to hear that it is safe. Imagine the access that a backdoor in Parallels could have.

      • dejavuagain says:

        And check out this Linked In entry – https://www.linkedin.com/in/nickdob/?originalSubdomain=ru for Nikolay Dobrovolskiy.

        Parallels
        18 yrs
        SVP, Engineering and Support
        Full-time
        Jan 2017 – Oct 2021 · 4 yrs 10 mos
        Moscow, Russian Federation
        Responsible for the full cycle of planning, development, release and ongoing technical support of all Parallels products.

        • Rayne says:

          Good luck finding a major software company which doesn’t have at least one Russian employee.

        • dejavuagain says:

          I think that Nikolay Dobrovolskiy was the developer and brains behind Parallels. When I first started using Parallels, I recall that it was almost all Russian. Perhaps the sale of Parallels to a non-Russian company was prompted by security concerns by US companies because of the obvious security opportunities.

        • rip says:

          There are a LOT of originally-Russian companies who have set up shop in supposedly safe havens like Switzerland. Many virus scanning organizations, one of the leading backup companies, Acronis, was started by the same Russian (Serguei Beloussov) who had the company (SWSoft) that also started Parallels.

          I’ve tried to limit my exposure to companies that are obviously linked to Russia or China. But unraveling all the connections would be impossible.

          Speaking of safety, I think a discussion of backups (on-site, off-site, cloud) would be good. I hear from many friends and neighbors who think they don’t really need to backup. And then I get frantic calls for help…

  11. Doctor My Eyes says:

    This is a great service! Thank you so much. I try to read every comment on this site along with the articles. It takes a lot of time. I literally can’t imagine how the screening is possible. Without the screening, I would avoid reading here the same way I avoid Twitter, Facebook, and all the many places ruined by screaming matches between people with ulterior motives. Again, thank you.

    I enjoy the world of audiophile equipment, an area in which there are many excellent smaller producers working as hard as they can to create excellence. Why? Because they are driven by a love of music. Similarly, the integrity and excellence of this site obviously reflects intense devotion of its staff. A rare thing happens here: focused discussion of important topics with integrity, grounded in facts.

    Thank you!

  12. Tom R. says:

    It would be nice to have some documentation as to what markup is allowed.

    Here are some empirical observations, which are better than nothing, but even so it would be nice to know what the actual intended rules are.

    +++ A few tags seem to work more-or-less as expected:
    <blockquote>
    <a href>

    +++ named HTML ampersand entities seem to work as expected:
    &amp; … &lt;&gt; … &cent; … &&zwsp;#8364;
    & … <> … ¢ … €

    +−? numbered HTML ampersand entities mostly work, but there are bugs.
    &amp;#8364; turns into €
    (I betcha this is due to unprotected sequential substitution. Classic programming blunder.)

    ??? Some results can be achieved in nonstandard ways:
    Single newline becomes a <br>.
    Double newline becomes a <p>.

    −−− A great many tags are ignored AFAICT, even quite basic ones such as:
    <br> <p> <hr> <a name>
    <ol> <ul> <li>

    Some authors have managed to create enumerated lists and itemized lists, but I have no idea how, since the ordinary <ol> <ul> and <li> tags are ignored.

  13. Tom R. says:

    It would be nice to have some documentation as to what markup is allowed.

    Here are some empirical observations, which are better than nothing, but even so it would be nice to know what the actual intended rules are.

    +++ A few tags seem to work more-or-less as expected:
    <blockquote>
    <a href>

    +++ some named HTML ampersand entities seem to work as expected:
    &amp; … &lt;&gt; … &cent; … &​#8364;
    & … <> … ¢ … €

    +−? numbered HTML ampersand entities mostly work, but there are bugs.
    &amp;#8364; turns into €
    (I betcha this is due to unprotected sequential substitution. Classic programming blunder.)

    ??? Some results can be achieved in nonstandard ways:
    Single newline becomes a <br>.
    Double newline becomes a <p>.

    −−− A great many tags are ignored AFAICT, even quite basic ones such as:
    <br> <p> <hr> <a name>
    <ol> <ul> <li>

    Some authors have managed to create enumerated lists and itemized lists, but I have no idea how, since the ordinary <ol> <ul> and <li> tags are ignored.
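The "unprotected sequential substitution" that comments 12 and 13 guess at, shown as an added Python example that is not part of either comment and is not this site's code. All function names and the small entity table are hypothetical; the point is that a decoder which rescans its own output turns `&amp;#8364;` into `€`, and by the same mechanism turns text a filter saw as escaped into live markup, while a single-pass decoder does not.

```python
import html
import re

# Ordered replacement table applied one pass per entry (the buggy pattern).
# "&amp;" runs first, so the "&" it emits is re-read by every later pass.
SEQUENTIAL_RULES = [("&amp;", "&"), ("&lt;", "<"), ("&gt;", ">"), ("&cent;", "\u00a2")]
NUMERIC_ENTITY = re.compile(r"&#(\d+);")

# Single-pass decoder: one regex covers every entity form this sketch knows.
ANY_ENTITY = re.compile(r"&(?:#(\d+)|(amp|lt|gt|cent));")
NAMED = {"amp": "&", "lt": "<", "gt": ">", "cent": "\u00a2"}


def _from_codepoint(digits: str, original: str) -> str:
    """Decode a numeric entity, leaving out-of-range values untouched."""
    value = int(digits)
    return chr(value) if value <= 0x10FFFF else original


def decode_sequential(text: str) -> str:
    """Buggy: each substitution pass re-reads what the previous pass wrote."""
    for entity, char in SEQUENTIAL_RULES:
        text = text.replace(entity, char)
    return NUMERIC_ENTITY.sub(lambda m: _from_codepoint(m.group(1), m.group(0)), text)


def decode_single_pass(text: str) -> str:
    """Each entity in the input is decoded once; output is never rescanned."""
    def replace(match: re.Match) -> str:
        if match.group(1):
            return _from_codepoint(match.group(1), match.group(0))
        return NAMED[match.group(2)]
    return ANY_ENTITY.sub(replace, text)


def find_double_decoding(samples):
    """Return the inputs that the sequential decoder decodes one level too far."""
    return [s for s in samples if decode_sequential(s) != decode_single_pass(s)]


# Constructed inputs: the comment's own case, an escaped tag, and two controls.
SAMPLES = ["&amp;#8364;", "&amp;lt;b&amp;gt;", "&cent; &#8364;", "AT&amp;T"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", repr(decode_sequential(sample)),
              "vs", repr(decode_single_pass(sample)),
              "| html.unescape:", repr(html.unescape(sample)))
```

The standard library's `html.unescape` behaves like the single-pass version here, which makes it a convenient reference when regression-testing a hand-written decoder.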

  14. DrDoom says:

    I routinely use a VPN. While you mention that this may cause problems with posts, you don’t mention anything about it as a routine practice.

    • Rayne says:

      VPNs are a subject of contention. VPNs can add a layer of risk for some users while for others they can reduce risks. Unlike operating systems which are much narrower in number, there are a lot of them making it really difficult to suggest one. Each individual needs to make their own threat assessment to determine appropriate personal risk mitigation measures.

      I mentioned VPNs because some VPN users have their traffic routed through a ‘network sharing device’ — a networked server — which has had IP addresses blacklisted because the server may have been used for spamming or other inappropriate use. If a community member has been routed through a blacklisted server/assigned a blacklisted IP address, they may need to reroute through their VPN service.

  15. dejavuagain says:

    I think that Nikolay Dobrovolskiy was the developer and brains behind Parallels. When I first started using Parallels, I recall that it was almost all Russian. Perhaps the sale of Parallels to a non-Russian company was prompted by security concerns by US companies because of the obvious security opportunities.

    • rip says:

      https://en.wikipedia.org/wiki/Serguei_Beloussov

      Serguei Beloussov (born August 2, 1971) is a Singaporean businessman,[1] entrepreneur, investor and speaker, is the founder and Chairman of the Board of Schaffhausen Institute of Technology and multiple global IT companies, including Acronis, a global data protection company, and is the senior founding partner of Runa Capital, a technology investment firm.[2] He is also executive chairman of the board and chief architect of Parallels, Inc., a virtualization technology company,[3][4] co-founder and chairman of the board of Acumatica, an enterprise resource planning software (ERP) company,[5][6] and co-founder of QWave Capital.[7]

  16. Hika says:

    Thanks Rayne. That’s a good summary of “personal digital hygiene.”
    Off topic: I recently read a Twitter thread that purports to be a translation of an FSB analyst’s opinion of what’s gone wrong (and going to get worse) for Russia.
    https:// twitter .com/ igorsushko/status/1500301348780199937
    It contains a mention that Iran’s Soleimani had played the Russians for his own benefit. I found that interesting and mused about whether Trump’s decision to [illegally] assassinate Soleimani by drone strike in Iraq might have been more about doing a favor for Putin than playing tough guy avenging a missile strike on a US base. Certainly, informed opinions in geopolitics & defense published in the wake of Soleimani’s death seemed to believe that the principal beneficiary was Putin.
    Of course, people who pay more careful attention to such things knew this all along. People like me who read a bit here and there may have missed it.
    Strange old world, hey.

Comments are closed.