Tips on protecting your online personal data while using Facebook apps

Thumbprint providing access to online accounts

In today’s always-on connected world, most people know not to give away too many personal details of themselves on Social Media sites like Facebook, Twitter, etc., as online details can be easily harvested by innocent actors as well as those who have more devious intentions. However, one area most people neglect to protect is when answering nostalgic questionnaires or playing games on sites such as Facebook. The information gained from these items is exactly what bad actors desire in pursuit of a user’s personal assets.

As this article describes, people that play games, answer questionnaires, or otherwise reminisce with people online about personal details may inadvertently give away answers to online accounts’ security questions. The purpose of these security questions is to assist in preventing unauthorized access to sites such as online bank accounts or credit card accounts. Unfortunately, it has been revealed over the years that security questions are a vulnerable method for secondary authorization.

An example of a type of game where a user might provide personal details would be when there’s a word game that gives them a chance to come up with a DJ (disc jockey) name by using their first pet’s name combined with the street that they grew up on. Or it combines the first name of their best friend from high school and the city they were born in. These answers would all be examples to popular security questions for online accounts. In addition, posting an answer to this online can also potentially cause a reaction from others to post their answers as well.

If a user does take part in these questionnaires or games, it’s a good tip to make the security questions for online accounts not truthful (and write down these fake answers for ease of remembering later on). Or better yet, make another password as the answer for the security questions, as in reality, the answer to security questions is just another password. Using another password for the answer to security questions navigates around the issue of having the same answers as provided with these questionnaires and games.

Other secondary authorization methods like text messages to a user’s mobile phone can present additional vulnerabilities, like being susceptible to mobile phone SIM swapping. A better way to secure an account versus using security questions or text messages is to use 2fa (Two factor authorization) through an app like Authy or Google Authenticator, both which are installed on the user’s mobile device. These 2fa apps provide a one-time-use key as a secondary authorization for online accounts. When a user logs in to an online account, they input the number generated by the 2fa app for the secondary authorization, thereby allowing access to their online accounts in a more secure manner. It’s best to setup the 2fa app for all online accounts (bank accounts, credit card accounts, Facebook, Gmail, etc.) where it’s an option.

Tips for resolving iCloud password issues

Person holding iCloud picture with Blue Sky in the background

On July 4th, Apple experienced issues with most of its iCloud services, per this site. End-users were having trouble signing into iCloud and accessing their accounts, along with Photos, Mail, Backup, Find My Friends, Contacts, Calendars, and more seeing downtime. Apple Stores were also reportedly affected by the outage and were not able to process transactions.

While this issue was eventually resolved by Apple, there could be other times where iCloud has issues and end-users are asked for a password. End-users will tend to try their known password, which in these times will not work. After trying multiple times, end-users will then think they have the wrong password and try another password, which gets saved in the keychain and is wrong. 

This will result in the following scenario for the end-user: 

  • Lost access to their account.
  • Not understanding why they lost access.
  • Not knowing what password is the truly correct password.

This can lead to all sorts of issues. For example, Denial of Service attacks can be leveraged to get end-users to use side channels, and these side channels can be loaded with spam and other undesirable internet materials. In the event there are issues with iCloud and passwords, it is recommended to do the following procedure:

  • At the first prompt for a password for an account that has been working fine up to that point, just ignore for a few minutes. 
  • After this, the first move should be to power cycle the computer (shut it down (not restarting), giving the computer 5-10 seconds to rest, and then powering it back on). 
  • If it is still asking for a password that worked previously, check for service interruptions and/or contact tech support. 
  • If the account is of security concern, consider logging into the account via a different method and reset the account password. 
  • Make sure you didn’t get locked out by a hacker. It is important that you determine this ASAP because the longer you wait after they log you out, the more time they have to get into other accounts and lock you out. 
    • If you find you have been locked out of your account, change passwords in your other accounts, starting from highest priority to lowest.

If you have any questions, or would like to discuss further, let us know!

Beware Applications requesting a plug-in be downloaded

Computer displaying directory computer code

As noted in this article, “a security researcher has disclosed a new flaw that undermines a core macOS security feature designed to prevent apps, or malware, from accessing a user’s private data, webcam or microphone without their explicit permission.” Recent privacy protections, expanded in the Mojave version of the Macintosh operating system, were meant to make it more difficult for malicious apps to get access to the user’s private information, unless the user allows access through a pop-up dialog.

However, these protections weren’t as good as Apple previously believed. This bug is the result of a whitelist of approved applications that are allowed to create “synthetic clicks” to prevent them from breaking. This includes the popular video playing application VLC, which the researcher showed could access a user’s camera, microphone, and other Macintosh computer services, through a plug-in that performed malicious actions.

This is a reminder that users should be aware anytime an application asks for permission to download and/or load additional software. In this case, any application that requires a download and installation of a plug-in would require closer scrutiny. This is especially true for anyone who attempts to access files through something like torrent services, which could potentially request to download a plug-in to view the downloaded file (or else the file that is downloaded through the torrent file could also be a payload with malicious intent, even if not requiring a plug-in).

If you’d like to discuss further, please let us know!

Outlook breach reportedly targeted Crypto users

Laptop, iPhone and Mouse locked inside heavy duty metal chain

We previously notified our readers of a breach involving Microsoft Outlook email. Users of Cryptocurrency are now coming forward to indicate that this Outlook breach led to a theft by hackers of their Cryptocurrency from various Cryptocurrency Exchanges, as detailed in this follow-up article.

Keeping anything online, whether it be email or items like Cryptocurrency, leaves a user open to potential hacks. It is wise to copy email to a folder on the user’s computer vs. leaving it online in an inbox or the like for hackers to gain access to. When stored in a folder on a personal computer, it’s much harder to access.

Also, enabling verification items like 2fa (Two-factor authorization), where a user is required to verify log-ins and other procedures using an application on their phone, are wise to use to prevent access to user accounts. As one user indicated in the article, they did not have 2fa enabled on their account, so it allowed the hackers easier access.

If you’d like to discuss further on ways you can protect yourself online, please let us know!

New WiFi to offer security, speed improvements

Girl holding paper into the sky with outstretched arm, showing cut-out of Wifi logo and trees in the background

Individuals that rely heavily on WiFi may want to hold off on new equipment purchases until they are WiFi 6 (aka 802.11ax) equipped and/or upgradable to WiFi 6. As detailed in this article, the new upgrade will make WiFi faster, while also approving its efficiency in other areas. The speed is almost tripled from WiFi 5 (aka 802.11ac), meaning that it can deliver more speed to more devices. And with its efficiency improvements, the advantages are more apparent through improving the network when lots of devices are connected.

WiFi 6 puts forth new technologies to help mitigate the issues that come with putting dozens of Wi-Fi devices on a single network. It allows routers to communicate with more devices at once, send data to multiple devices in the same broadcast, and lets Wi-Fi devices schedule check-ins with the router. When all is said and done, the result should be that the devices are more likely to maintain top speeds even in busier environments.

In addition to speed improvements, WiFi 6 should provide greater security, as WiFi 6 will need to support WPA3 to receive certification from the Wi-Fi Alliance. WPA3 is the most recent security protocol and the biggest upgrade to the security level of WiFi in a decade. This will make it harder for hackers to crack passwords by guessing multiple times, and make some data less useful even if hackers are able to gain access. Therefore, most devices will include this greater level of security to receive certification.

In order to use WiFi 6, you’ll need a router that supports it. Those that will see the biggest improvements in WiFi performance are those that have WiFi 6 enabled devices and have lots of devices attempting to connect to one WiFi 6 router. At this point, the routers remain relatively expensive, but should become more affordable as time goes on.

If you’d like to discuss WiFi topics like this further, please let us know!

Microsoft admits hackers had access to online email

Computer with new email notification displayed

For the first three months of 2019, Microsoft has admitted that hackers had access to some details of certain Outlook.com email accounts. As this article states, Outlook.com is the web version of Microsoft’s email service, and this online service was previously known as Hotmail. Per Microsoft, “this unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account …but not the content of any emails or attachments.”

While it appears no actual emails were read or attachments were accessed, this is an important reminder that being online brings its share of risks to user data. It’s a smart idea to use an actual email application to view email, in companion with a web browser, and to store as much email off-line as possible. This will help in prevention of potential data access in the event your email account gets hacked.

In relation to this, and as has been mentioned before, it is important to ensure the safeguarding of passwords, for email and other sites. It is good practice to change passwords periodically throughout the year. By doing so, there’s less of a chance that the current password is in the hands of hackers if it is changed more often, in the event an account is compromised. Also, never send password or login information via email, as this just opens user’s data to easily being compromised.

As always, please contact us if you have questions or would like to discuss further!

Mar-a-Lago intruder sneaks surveillance Hardware into Club

Wood-grain USB thumb drive laying on tree stump

An intruder into Donald Trump’s Mar-a-Lago private club had, amongst several other pieces of technology such as cell phones, a thumb drive that could apparently immediately begin installing files onto a computer when plugged in, per the U.S. Secret Service. They indicated that this is very out of the ordinary, as detailed in this story.

A few interesting aspects of this story, in relation to thumb drives as well as other hardware and security. The first is that thumb drives (aka flash drives) are very popular, primarily because of their ease of use: they are an easy way to get programs and files from one computer to another. Because of this, they’re also easy to use to get malicious software onto a computer. This leads to the second and most important point: it is wise to not plug-in thumb drives without positively knowing their source and potential side effects. On this point, it’s a bit alarming that the Secret Service agent didn’t follow this point when they plugged it into their work computer.

The lesson to be gained from the linked article is that employers should not allow their employees to plug-in items such as thumb drives into their computers, or at the very least have security software which prevents the mounting of this type of hardware when it is plugged in.

In addition to being wary of thumb drives, other insecure types of hardware purchased off of sites such as eBay should give a user pause, whether the hardware has been previously used or not. Used hardware always has the potential of having been tampered with, from both a hardware and installed software perspective. For example, users could be spied on through a laptop’s camera, or their keystrokes captured through a hidden keylogger program.

In the realm of “new” hardware, what one person may think is new may actually not be. New hardware should always come in a factory sealed box with a security sticker. Of course, it is possible that this could be faked, but it is much less likely, especially when purchased direct from the Manufacturer.

Separate recent ransomware attacks affect Spectrum Health, MI doctor’s office

Metal chain link with lock, locking wood gate entrance

A cyber attack that hit a contracted vendor of Spectrum Health, Wolverine Services Group, has impacted approximately 60,000 patients of Spectrum Health Lakeland. Wolverine’s systems were attacked by a ransomware attack. A ransomware attack occurs when hackers gain access to a system and encrypt a portion or all of the files and demand ransom payment in order to release instructions on how to decrypt the files.

The breach in this incident affected only the Lakeland portion of Spectrum Health, not their entire system. As is usual with breaches such as this, it occurred well before it was discovered: the breach occurred in September but wasn’t discovered until December. More can be read about this incident here.

In a more recent ransomware hack in Michigan, which occurred on April 1st at a doctor’s office in Battle Creek, the doctors of this office decided to retire early, after they refused to pay the ransom payment and the hackers erased all their files. The files were already encrypted by the office’s software system, so no personal information was gained. However, with patient files gone forever, much data that was already gained through tests and other means will never be recovered, as the article from WWMT states.

While these two cases show issues at businesses, and we as citizens only have so much control over business records, it is important for every person to keep secure their private information. We will continue to work to update this blog on ways users can prevent becoming the victim of cyber incidents (malware, phishing, etc.). If you have any questions or would like to discuss, we’re here to help.

Reminder to keep passwords secure…

Computer code displayed on Monitor

It is a vitally important practice to keep your passwords safe. As a general rule, never give out passwords to anyone. The article here notes that Facebook asked a user for their email login and password to verify who they were. This can open up a user to phishing attacks.

If you need to use Facebook, it is advised to create a new Gmail account and use that specifically for Facebook, rather than risking the potential of a frequently-used email account being compromised.

In addition to this, it is wise to use different and hard-to-guess passwords for different websites. Using the same password for different sites opens one up again to issues if one site’s password file gets hacked.

Feel free to discuss with us your options with keeping your passwords safe. We’re here to help!

Facebook stored users’ passwords in unsecure manner

User holding iPhone with Facebook, Snapchat, Instagram, Twitter, Chrome, Gmail, Spotify, Facebook Messenger application icons displayed

Facebook stored passwords for hundreds of millions of users, exposing them for years to any person who had internal access to these password files. Passwords are usually encrypted, but errors led to some 200 million to 600 millions passwords being exposed. Passwords that were affected were for Facebook, Facebook Lite and Instagram. More information can be found here.

This is a good reminder of the importance of:

  • Changing passwords often, while making them not easily guessable
  • Using 2fa (Two Factor Authorization) applications on your mobile phone, such as Authy
  • Configuring Facebook to send you alerts in the event an unauthorized computer or mobile device logs into your account
  • Using Facebook to audit your account to see what devices are currently logged into your account, to determine if there are any that may look suspicious

If you’d like assistance with setting up any of these items, or have questions, let us know!