Friday, October 20, 2017

KRACK safety precautions


I've had a chance to track down more information about the KRACK attack and what can be done to protect against it.

It's what is known as a "Man in the Middle" attack. Someone has to be physically on your network in order to execute an attack on your router or devices. This makes it unlikely to be a problem for home users. And probably not a huge issue for a small library wifi network. But it's always better to patch devices when you can and take precautions.

A few points that can stand further clarification:

  • Windows and iOS devices are not particularly susceptible to this breach as WPA2 was never implemented entirely correctly in these operating systems. The protocol didn't work as planned. Neither does the hack. Regardless, both Microsoft and Apple have patches in the works.
  • Android 6.0 and higher are most vulnerable to attack. Google is working on patches for Android. Whether or not your device gets an update is largely up to the manufacturer. Most current models will most likely get the patches eventually. Many old ones won't. But these devices have always been vulnerable to attacks. This is just another one to add to the list.

Information of a highly confidential nature that requires a good measure of privacy protection should probably never be done over wifi. If you have such a network, the best advice is to turn off the wifi router and use ethernet cabling to make it a wired LAN. It's always a good practice to use ethernet for secure transmissions.

Other general good practices for wifi networks will help protect you in this instance as well:

  • Use a VPN (Virtual Private Network) when you're connected to a wifi network. This creates a kind of tunnel connecting your device to a server owned by the VPN company. That information is not accessible to anyone on the wifi network with you. When your request reaches the company's server, it then proceeds the rest of the way to its destination via the wired Internet. But don't rely on a free VPN. They may not to be reliable or trustworthy. Remember the adage, if the service is free, you're what's being sold. But even a paid VPN can slow you down and they don't work with every site.
    We'll look at VPN options in a future post.
  • Https Everywhere: https://www.eff.org/https-everywhere
    Electronic Freedom Foundation offers an extension for your browser that chooses the secure web protocol https over the unsecured general protocol http when more than one is available on a website. It's available for Chrome, Firefox and Opera browsers. The impetus behind this is reasonable. A secure website connection is better for many reasons including protection from attacks like KRACK. Financial and shopping sites, in particular, should be using this protocol and you should look for it. And, opting for it, when it's available, as this extension is supposed to do, is a good practice. Unfortunately, the extension can also break some sites if there is no https available. Or if the transfer from one protocol to another cannot be completed smoothly. Possibly worth a try, but don't be surprised if you hit some snags.
  • Cellular data - using a cell phone's data option is almost always more secure than public wifi. If you're concerned about security, you should probably consider increasing your data plan and reducing your use of public wi-fi. You can also use your cell phone as a modem and tether a laptop or tablet to it for use outside the home.


Steve Gibson makes the point on Security Now that is CLIENTS not ACCESS POINTS that particularly need to be patched. This cartoon shows a reason why.

That said, the other option to protect a network from a man in the middle attack is to update the router. Many router manufacturers are offering firmware updates. It's a good idea to check your make and model number on the manufacturer's website to see if there are updates available. Protecting the router becomes particularly important when you're running a network with a lot of IoT (Internet of Things) gadgets on it: doorbells, cameras, light switches, thermostats, etc. Cheaper gadgets, like cheap Android phones, will probably never get updates or patches. So they are best protected from the router side. If your wireless router is so old that you have no way to update it, it may be time to get a replacement. 

For more information on the KRACK Attack

Monday, September 11, 2017

How to protect yourself in a massive data breach

Hopefully, everyone is aware of the data breach at Equifax, one of the major credit bureaus. Reportedly, the data of 143 million people has been compromised, including social security numbers, names, addresses, phone numbers, credit card numbers, in short everything someone would need to commit identify theft.

Equifax is offering a website where you can go and enter your name and part of your social security number to see if you are among those whose information has been compromised. Some hackers and tech enthusiasts claim that the viability of this system is questionable as it provides different results to the same information entered in subsequent queries. It also has provided positive results for fabricated data. It's probably safe to assume that your data has been compromised and proceed from that assumption.

Equifax also provides a solution for that possibility: a year's free enrollment in their identity protection program: Trusted ID. Many are skeptical as to whether they want to trust the company whose potential gross negligence resulted in the problem in the first place.

CNET offers A guide to surviving the Equifax data breach (without Equifax's help). Not all of the information provided in this piece is uniformly agreed upon. For example, apparently enrolling in the Equifax Trusted ID program no longer requires you to opt out of a class action lawsuit. I think most of the advice about checking credit reports, freezing credit, setting fraud alerts and being vigilant during tax season is good advice.

Update 9/12/2017 - Thanks to Diane Van Gorden and Alex Clark
How to Protect Yourself from Identity Theft - Montana Legal Services Association

Update 9/14/2017 - Thanks to Steve Gibson on Security Now
Credit Freeze Guide: The best way to protect yourself against identity theft

Here is more information and background on the data breach from some of my preferred sources:

Wednesday, August 23, 2017

Unlimited data - can it replace your home broadband?

The FCC has recently released an inquiry on the current state of broadband in the U.S. One of the questions they raise is whether or not it's necessary to have a wired broadband connection (fiber or cable) and to reach the previously set targets of 25 Mbps down and 3 Mbps up for home users. Or is a cellular connection enough?

This report from 2016 shows that the U.S. lags well behind most of the rest of the world in cellular data download speeds at around 10 Mbps.
See how painfully slow 4G LTE is in the U.S. compared to the rest of the world
That's also about what I've gotten on personal tests on Verizon in my area.

But there are also questions about data caps and throttling. So, along come new unlimited data plans from the major cellular carriers.
VERIZON'S UNLIMITED DATA PLAN HAS CHANGED. HERE'S HOW IT COMPARES TO OTHER CARRIERS

You can see there are limits on mobile tethering. So, the data is not unlimited if you want to use it with a tablet or PC. Plus there are limits on video quality and the data can be throttled even if you stay under a given level.

This may be good news for some cellular users. But it doesn't look like an adequate replacement for high speed broadband, particularly in areas with spotty cell service.

Friday, August 18, 2017

Passwords Guidelines Changed

Finally the guidelines about passwords that made me crazy - change every 90 days, include an upper case, lower case, number and other character - are being changed as we see in this NPR article.
Forget Tough Passwords: New Guidelines Make It Simple

I'd often thought it couldn't be terribly secure if we had to write it down to remember it. Of course, I find the best solution is still a password manager.

Here's some information and a review of some of the best rated ones from PC Magazine:
The Best Password Managers of 2017

I use LastPass and have generally been quite happy with it but it can be a challenge to use with mobile apps and sites.

Friday, June 9, 2017

Internet of Things article from Pew Research

There was a fascinating if long article from Pew Research Center on Internet and Technology on:
The Internet of Things Connectivity Binge: What Are the Implications?

Well worth at least a scan to remind you of the potential risks in unbridled connectivity with no questions asked.

Wednesday, October 19, 2016

2016 Cell phone wrapup

Is your contract up and you're starting to look at upgrade options? Or, are you finally ready to make the leap to a smart phone? If so, I'll give you a quick rundown on the latest models launched this fall.

Apple iPhone 7 and 7 Plus

It seems like all we've heard about the new iPhones is the lack of a headphone jack. That may be a deal breaker for some. But early reviews have talked about the amazing camera on the 7 Plus. It now features a second lens for telephoto. And there will soon be a software update which promises to offer new portrait possibilities. Other than that, the usual minor updates in hardware. This new model purports to be water resistant. The new color for this year is jet black - fingerprint magnet. iPhone continues to be a solid seller with reliable and predictable updates from Apple and very good resale value. And it offers seamless integration with other iOS and Mac OS products.

iPhone 7 starts at $649
iPhone 7 Plus starts at $769
Available from all carriers, many retailers as well as Apple Store
Previous years' models available at discounts.

Review from the Verge - http://www.theverge.com/a/apple-iphone-7-review-vs-iphone-7-plus

Samsung


Samsung is suffering greatly from the adverse publicity associated with its burning Galaxy Note 7. They've been recalled twice now. If you should happen to find one for sale, DON'T BUY IT! And if you have one in your possession that you're hard pressed to give up, get the fire resistant containers and/or take it back to your point of sale. But GET RID OF IT NOW!

That said, Samsung still makes other great phones and devices. The Galaxy S7 has no battery issues and is a well regarded new model in the very popular Galaxy S series. It also comes as the Galaxy S7 Edge. The Edge is larger and has a curved display. Both are water resistant.

Some of tech pundits recommend a Galaxy Note 5 for those with an earlier Note who are looking to upgrade and/or for those who are really attracted to a stylus.

Galaxy S7 Edge starts at $729.99
Galaxy S7 starts at $672.99
Available from all carriers and most retailers.
Previous years' models available at discounts.

Galaxy S7 Edge Review - http://www.theverge.com/2016/3/8/11172968/samsung-galaxy-s7-edge-review

Google Pixel

Google recently unveiled its new Made by Google entry into the Android smartphone market: the Google Pixel and Pixel XL. These are designed by Google from the ground up but manufactured by HTC. This is a departure from the Nexus phones where Google contracted with various manufacturers to design a phone for Google.

Not surprisingly, this flagship phone from Google makes excellent use of all Google services from the newly renamed if not reworked Google Assistant to Google Play Music to Google Drive for storage... What's different this time is that it's also top of the line hardware with an excellent camera. The Pixel is also designed to work with Google's new VR system the Daydream View. This is due to release in November. Those who preorder the Pixel will get a free Daydream View unit. Pixel owners are also offered the option of signing up with Google Fi service for wireless access. This is no doubt a more attractive option in some areas. In Billings, you'd be relegated to 2G data.

Pixel starts at $649
Pixel XL starts at $769
The only carrier offering it for sale is Verizon. But unlocked version will work on other carriers and is available from Best Buy and Google Play Store

CNET Google Pixel Review - https://www.cnet.com/products/google-pixel-phone-review/


Mid-Range Phones

I think the CNET review pretty much sums it up. Samsung Galaxy S7 and Edge continue to be the primary non-iPhone alternatives at the top of the market. But Google Pixel is a fine choice for anyone who is wary of Samsung and/or prefers the pure Google Android experience. But there are a number of well rated Android cell phones including a few who are new to the US market.

Motorola

Moto Z series
I don't pretend to know enough about the numerous models of various Android handset manufacturers to be able to recommend one over another. I do know that these are phones which get overwhelmingly positive reviews. The Moto Z Play is the least expensive model. The top of the line is the Moto Z Force and is apparently available only from Verizon. All models in the Moto Z series are modular, meaning you can buy accessories called Moto Mods to change different aspects of the phone. You can buy a zoom lens, speaker, projector, power pack batteries with or without wireless charging as well as customizable backs. Nice idea but I don't know enough about it to know whether or not this is really a useful feature or more of a gimmick.

CNET Moto Z Play review with comparisons to other models in the series
https://www.cnet.com/products/motorola-moto-z-play/review/

Moto G series
There's also the Motorola budget series. Reviews say that these reasonable phones. The Moto G4 sells for $149.99

Motorola phones are available from carriers and retailers. The exception are the Droid versions of the Moto Z models that are exclusive to Verizon.
CNET Moto G4 review - https://www.cnet.com/products/motorola-moto-g4/

OnePlus 3

This is the third generation of a smart phone that has been well reviewed and regarded by tech enthusiasts. Earlier versions were invitation only. This the first one that seems widely available. It has a lot of the features of higher end smart phones at a mid range price. OnePlus has their own customized version of Android, Oxygen OS but I haven't heard any complaints about it.

Sells for $399 from the OnePlus Store - https://oneplus.net/3
International version available from Amazon at higher price. I'd go with manufacturer.

Huawei

Huawei is the Chinese cell phone company that manufactured the last Google Nexus phone - the Nexus 6P. They have only recently begun marketing their phones directly to US consumers. The model currently available in the US is the Honor 8. This phone has a lot of high end features including dual camera.

Huawei Honor 8 is available from major retailers starting at around $390
CNET Huawei Honor 8 Review - https://www.cnet.com/products/huawei-honor-8/review/

There are numerous other phones by other manufactures worth consideration. As always the array is mind numbing as well. I can say that Windows Phone is pretty much dead as is Blackberry. Too bad for those of us who were rooting for other OS alternatives, but at least the choice is down to iOS vs. Android.

For a rundown and comparison of all the major phones this year thus far:

Monday, February 29, 2016

Biting the Apple

A couple of my friends were talking last evening about iPhones. I heard one ask another why I hadn't talked her into an iPhone and away from a Samsung Galaxy 3, which, btw, I had recommended several years ago. I didn't hear the response. But it did get me thinking about Apple, the appeal of its products and the current controversy with the FBI.

I think Apple products hold a special appeal to people who view technology as a tool that can be used to enhance creativity. That's the market they're appealing to with many of their ads - artists, graphic artists, designers, photographers, filmmakers, musicians, writers, etc. If technology is viewed as an important tool in the creative process, you want it to work consistently. You want it to be maintained and improved on a predictable and on-going basis so that it will continue to enhance rather than distract or detract from your creative process. You don't want to have to spend valuable time worrying about technology or futzing with it. You're probably willing to pay a little more, and customer service like Apple Care and the Genius Bar is invaluable ensuring it all continues to work. At heart, it's a bit of a niche market. But I wonder. It's a comfortable world and easy to get used to. Technology just works. It took me a long time to appreciate that.

The iPhone has confused matters a bit. It's probably the logical choice for someone new to the smartphone market who knows little or nothing and doesn't want to spend a lot of time learning. IPhone is simple and pretty foolproof. But it does tend to be more expensive than its Android counterparts and not as enthusiastically marketed by cellular providers. However, I'd argue, as most don't really do much with their smartphones other than make calls, send and receive texts, take an occasional photo and perhaps check a few apps, it doesn't really make much difference which OS they use. Nor is the issue of privacy terribly important to the average person. They tend to see it in terms of location and call information. I've had several tell me you give that up when you get a smartphone anyway. You give some up when you get and use any cell phone. But the crucial question remains, does it have to be an all or nothing proposition? Shouldn't you be able to choose to keep some information secure and private without having to become a security expert?

To the creative person who uses Apple products including iPhones, privacy and security are about protecting the fruits of their imagination. Their iPhones are likely to be filled with photos, videos, notes: beginnings and continuations of ideas. Who knows what snippets might be misconstrued as having some nefarious intent when taken out of context? Therefore one can appreciate the fact that Apple, the company that provides the tools to aid the creative process, is also showing a dedication to respecting and protecting the content that is produced and stored on those iPhones. This sign of mutual respect will no doubt enhance brand loyalty in the future.

What do you think about Apple's decision to fight the FBI in the courts? Does privacy and security of your mobile devices matter to you? Do you take extra steps to encrypt or in other ways secure your device and/or data?