Using Credit Freeze for Self Defense

Identity theft is arguably one of the worst things that can happen to a person, financially. When someone steals your identity, they can basically do anything you can do – including obtaining loans or credit cards in your name. And when the spending spree is over, you are left holding the bag. If it’s not bad enough that they’ve taken your money and left you with a huge bill, it may also have a major negative impact on your credit report. It can be very difficult and time consuming to undo all this damage.

In order to open a new loan or credit card in your name, the criminals have to pass a credit check through one of the big three credit bureaus: Experian, TransUnion and Equifax. Therefore, if you can somehow stop the credit check from passing, you can prevent the bad guys from getting a new line of credit in your name.

The easiest way to do that is to “freeze” your credit – basically you tell the credit bureaus to put a halt on all credit checks until you tell them otherwise. This obviously only works if you yourself don’t need to have your credit checked. If you’re about to get another credit card (including store cards) or need to finance something (car, house, appliances, etc), then you’re going to need to run a credit check. Also, some other activities will trigger a credit check, such as background checks, opening a new financial account, or even signing up for a new utility (cable, for example).

Freezing your credit has absolutely no impact on your credit score. You have to do it with all three credit companies and there is a small fee involved usually (up to $10). There’s also a fee to “thaw” your credit, so you don’t want to do this often.

Basically, if you rarely if ever need to open new lines of credit, you should go ahead and put a freeze on your credit. It does no harm and can save you a ton of heartache. I recommend reading this Clark Howard article. It has all the details on how to freeze your credit with each of the three credit companies.

http://www.clarkhoward.com/credit-freeze-and-thaw-guide

If you’d like more info on credit freezes, check out this Federal Trade Commission web site:

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

If you’d like to stop getting “pre-screened” and “pre-qualified” credit card offers in the mail (which can sometimes be stolen and used to open credit in your name), see this FTC web site. It will tell you how to opt out. It’s a bit of a pain, but well worth it.

https://www.consumer.ftc.gov/articles/0148-prescreened-credit-and-insurance-offers

Windows 10 Privacy Issues

If you use a Windows computer at all, you’ve probably seen that annoying little pop-up message that keeps reminding you that Windows 10 is coming. Windows 10 is a free upgrade for most people and Microsoft is clearly banking on most people taking the Trojan horse free software. Microsoft is also counting on most people to just use the “express install” option – that is, take all the Microsoft-chosen default settings. I’m here to tell you: DON’T DO THAT.

Microsoft has really gone overboard with privacy-threatening features in this release, and it appears that most of them are on by default. When I write the second edition of my book, I’ll have a full explanation of how to guard your privacy on Windows 10. But here are some quick recommendations.

NOTE: If you can wait to install Windows 10, then by all means wait. We will learn more things about it in the coming weeks and months, and security and privacy experts will get a chance to learn what’s really going on and hopefully figure out how to fix the problems. And if there’s enough uproar, perhaps Microsoft will even dial back on some of these privacy-invading features. But if you can’t wait, or if you’ve already installed it, here are a few key tips.

  1. Don’t use the Express Install option. Customize your install and read over every option.
  2. Don’t sign into Windows with your Microsoft account. This allows Microsoft to associate all sorts of info and activities with you, and share it with others. Just use a local account.
  3. Don’t use Cortana. Yeah, it’s really cool, but by enabling this one feature, you open yourself up to all sorts of spying by your operating system and Microsoft. Until they can address security and privacy concerns, this feature is just too scary.
  4. Don’t use WiFi-Sense. This is a new feature which conveniently lets you share your WiFi password with people you know. This means syncing them to the cloud, which to me invites security risks that aren’t worth the convenience.

Here are some more articles you might want to check out.

 

It’s time to just ditch Adobe Flash. Here’s how.

Uninstall Flash Player

In my book, I made it clear that the Flash Player (that little browser plugin that you’re constantly having to update due to new security bugs) is one of the prime targets of hackers. In the last week, in the wake of the Hacking Team being hacked, there have been no fewer than 3 “zero day” flaws exposed in Flash (unfixed bugs that allow hackers to exploit your system).

So, it’s time to throw in the towel. It’s time to just remove Flash from your system. It’s not worth the risk. Most web sites have abandoned Flash, and after this latest security debacle, that trend is surely going to accelerate. Most web sites will work just fine without Flash – and if not, there are workarounds (see below).

Mac users see this article; Windows users see this article.

Workaround

I personally prefer the Firefox web browser, but I use Chrome as a backup in certain cases – usually when my rather Draconian security settings on Firefox break some web site and I can’t figure out how to unbreak it. Chrome actually bundles Flash directly into the browser and goes out of its way to try to “sandbox” Flash (preventing it from reaching out into things it shouldn’t be touching). So the workaround is to use Chrome in those cases where you simply have to use Flash. That is, even if you uninstall Flash using the above directions, it will still be embedded into the Chrome browser, so you can still use it. NOTE: Chrome is not necessarily a safe way to use Flash, either, but it’s probably the safest option you have (short of using a virtual machine).

 

LastPass data breach

LastPass has notified its users that it experienced some “suspicious behavior” on their servers and they believe that “email addresses, password reminders, server per user salts, and authentication hashes were compromised”. They also made clear that “we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed”.

I encourage you to read the full blog post, along with the updates. They do a very good job of answering the burning questions, so I won’t repeat that all here. You can also get another view from this Sophos post and even deeper info from this Krebs On Security post, if you’re interested.

For those of you who are not cryptographers, when they say “server per user salts” and “authentication hashes”, what they’re talking about is the munged version of your master password that they save. It’s important to realize that they don’t store your actual master password – they save a unique, irreversible version of your password – because saving the actual password is horribly insecure. This is covered in my book, but basically you enter your password and it’s “salted” and “hashed” to arrive at some other, completely different and unique value. This is compared to the version that they salted and hashed before, and they should match. But the key is that given the salt (which is a fancy name for a random number) and the hash, you can’t work backwards to get the actual password. Okay, you can, but if you have a strong password, it would literally take years on a supercomputer. So if you change your master password anytime soon, you’re safe. The best they could do is figure out your old password, which no longer works (because you changed it).
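The salt-and-hash check described above, as an added example (not LastPass's code; the post does not say which algorithm they use, so PBKDF2-HMAC-SHA256 and the iteration count here are assumptions). It also shows why a leaked salt and hash only endanger a password that someone can guess, since every guess costs a full salt-and-hash run.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor; higher makes every guess slower


def _stretch(password: str, salt: bytes) -> bytes:
    """Salt and hash a password with PBKDF2-HMAC-SHA256 (assumed algorithm)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str) -> dict:
    """Sign-up: store a random per-user salt and the hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _stretch(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Login: salt and hash the attempt the same way, compare in constant time."""
    return hmac.compare_digest(_stretch(attempt, record["salt"]), record["hash"])


def found_in_common_list(record: dict, common: list) -> Optional[str]:
    """What a leaked salt+hash allows: one full salt-and-hash run per guess.

    Returns the password if it is on the list, otherwise None.
    """
    for guess in common:
        if verify(record, guess):
            return guess
    return None


# Constructed sample data, not taken from any real breach.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]

if __name__ == "__main__":
    weak = enroll("letmein")
    strong = enroll("violet-Trombone-47-glacier-Mango")
    # Same password, two users: the per-user salt makes the stored hashes differ,
    # so one guess cannot be checked against every account at once.
    print(enroll("letmein")["hash"] != weak["hash"])
    print(found_in_common_list(weak, COMMON_PASSWORDS))    # weak password is found
    print(found_in_common_list(strong, COMMON_PASSWORDS))  # strong one is not
```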

This is why it’s absolutely crucial that you have unique, strong passwords for everything. If you reused your LastPass master password on any other site (which you should never do), then you need to change the password there, too. The whole point of using a password manager is to generate ridiculously strong and completely unique passwords for everything – you don’t have to remember them, so why not? The only password you need to know is your master password. If you need help with this, you can watch my short YouTube video on how to choose a good master password.

So what do we take away from this? First of all, we should just all assume that this is going to happen repeatedly. Every one of these sites is a prime target for hackers, and they will eventually get in and steal passwords (hopefully salted and hashed). If you have a strong, unique password for every site, then it will take the bad guys a long time to crack it. And if and when they do, it won’t give them access to any other account – because you have different passwords for every site.

The other thing this underscores is the importance and utility of two-factor authentication. If someone steals and cracks your password, they’re still screwed – because they don’t have the second factor. This gives you time to change the password once the breach is announced. Unfortunately, not all sites have two-factor authentication yet, but incidents like this are prompting many sites and services to adopt it. When they do, sign up.

And finally, it proves once again that passwords suck. But it’s still the best option we have today. Various efforts are under way to come up with new authentication schemes, but beware of anything that uses biometrics (that is, “something you are”). Biometrics are really more like a user name than a password. You don’t want your password to be something you can’t change, from a privacy perspective if nothing else. The most interesting technology I’ve seen so far is called SQRL (pronounced “squirrel”), which has the advantage of never needing to store your credentials on a web server somewhere – that is, there’s nothing for hackers to steal.

Many people will now be asking: should I abandon LastPass? In short, I would say no. LastPass appears to have done everything right here, and I still think it’s the best option out there for most people. There are other password managers that don’t store your password database in “the cloud”. This means that if you want to access your passwords from multiple devices and places, it’s up to you to copy and/or synchronize the password database yourself (using something like DropBox or iCloud Drive). I find that to be too cumbersome for most people, but it’s doable. If you would like to look at this option, check out 1Password. It’s more expensive, but it’s probably the best alternative to LastPass that doesn’t have your password database stored on the provider’s servers.

The more incidents like this that we have, the more attention the topic will receive and the more people will realize that they need to take charge of their own security.

miniLock: how to send and receive encrypted files easily

For over two decades, the prevailing utility for sending and receiving encrypted files was PGP (Pretty Good Privacy) – including the popular free and open-source implementation GNU Privacy Guard (GPG). In order to use PGP, you needed to use a software tool to create at least one pair of encryption keys: one public (which you give away freely) and one private (which you guard very carefully). People use your public key to encrypt something and then send it to you via email or whatever. You then use your closely-guarded private key to decrypt it.

The problem, though, is that PGP is complicated and normal people just don’t have the patience for it. It’s also tricky to integrate PGP into things like email clients, especially web-based clients. And having to manage these keys is a real pain – they’re quite large and ugly. Here, for example, is one of my PGP public keys:

 


 

If the computer that stores my private key dies, then I can no longer decrypt anything that was sent to me. Worse yet, if that computer is lost or stolen, then anything ever encrypted with it is vulnerable.

There’s a new kid on the block called miniLock which has three very important improvements over PGP:

  1. The private key is generated using an email address and a long passphrase. You no longer have to worry about storing and potentially losing your private key, you recreate it as needed from something you can easily remember.
  2. The public key is much, much shorter – only 44 characters long. This may seem bad since we know that shorter keys make for weaker encryption, but miniLock uses a different form of cryptography that can use smaller keys with the same level of security.
  3. Under the covers, miniLock uses a new(er) type of encryption called elliptic curve cryptography which allows for much smaller keys.

For comparison, here is my public miniLock key (or “miniLock ID”):

dtsyrmf4mQamR3G4xfMaCRe5zdRi78M6rvdJr5owgtg8z

 

That’s it! These keys are so short that you can easily send them to others, even tweet them.
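As an added illustration (not miniLock's code and not from the original post), this sketch shows how a key pair can be recreated on demand from an email address and a passphrase, and why the resulting public key is so short. Assumptions for the example: scrypt with the email as salt and these parameters, Curve25519 as the elliptic curve, and plain Base58 encoding of the 32-byte public key; the pure-Python curve arithmetic is not constant-time and is meant for reading, not production use.

```python
import hashlib

P = 2**255 - 19                          # Curve25519 field prime
A24 = 121665                             # curve constant from RFC 7748
BASE_POINT = (9).to_bytes(32, "little")  # standard Curve25519 base point
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (RFC 7748 Montgomery ladder)."""
    kb = bytearray(k)
    kb[0] &= 248                         # clamp the scalar as the RFC requires
    kb[31] = (kb[31] & 127) | 64
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da = (x3 - z3) * a % P
        cb = (x3 + z3) * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def derive_private_key(email: str, passphrase: str) -> bytes:
    """Same email + passphrase always yields the same 32-byte private key,
    so nothing needs to be stored on disk. scrypt makes each guess expensive."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=email.encode("utf-8"),
                          n=2**14, r=8, p=1, dklen=32)


def base58(data: bytes) -> str:
    """Base58 text encoding (no look-alike characters such as 0/O or l/I)."""
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out


def public_id(email: str, passphrase: str) -> str:
    """Short, shareable public key derived from the recreated private key."""
    return base58(x25519(derive_private_key(email, passphrase), BASE_POINT))


if __name__ == "__main__":
    # Constructed sample identity, not a real account.
    print(public_id("alice@example.com", "seven quiet otters juggle neon pianos"))
```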

This tool is brand new and hasn’t even officially been released yet, let alone fully vetted by the crypto experts. But it’s got a lot of potential and may finally allow regular people to use truly-secure, end-to-end encryption for all sorts of communication.

Until encryption is easy and built in to everything, it won’t be used. We have to find ways to make it much more accessible – and miniLock is a valiant attempt.

Security roundup (4/5/15)

Here are some top stories from the last month:

  • The FREAK bug. You can read the in-depth info here, but the gist of this is that a “man in the middle” could force an encrypted HTTPS web connection to use really old and really weak encryption, thus allowing someone (probably the man in the middle) to break the encryption and eavesdrop. These holes will be plugged soon and they don’t affect many people. The real take-away here is that our government’s policy of purposely weakening encryption standards (a legacy from the Crypto Wars of the 90s) has come back to bite us. These are some of the unintended consequences, and it happened over a decade ago.
  • BIOS hacks. There’s an even more fundamental piece of software on your PC than the operating system: it’s the BIOS. The BIOS is built into your computer and it runs before the OS even starts. Most people don’t know it’s even there – and therefore, most people don’t even know it can be updated. But as Bruce Schneier explains here, it’s a very powerful place to hack a system – and it’s in dire need of enhanced security mechanisms. The industry is moving to replace BIOS with UEFI, which is supposed to allow secure booting… but it opens up a whole case of cans containing worms (pun intended). The upshot here is that we need to completely rethink computer security from the ground up, and that’s going to take some time and a lot of transparency. (Fingers crossed.)
  • The Surveillance State Repeal Act (HR 1466). Some of the key dragnet surveillance laws in the Patriot Act are set to expire on June 1st unless Congress re-enacts them and the President signs them (which is causing some much-needed debate). However, HR 1466 will go much further. I encourage you to contact your representatives and voice your strong support for meaningful surveillance reforms.
  • Opt out of Verizon tracking. Verizon is apparently bowing to pressure and allowing their users to opt out of their nasty super-cookie tracking program. Click here for info.
  • Firefox adding new privacy option. Available in the latest Firefox builds is a new, hidden feature that helps users block web tracking. You can read about it here. This hidden option will be revealed in Firefox version 39, supposedly, but you can turn it on right now using the instructions at the link I just gave. This just re-affirms my choice of Firefox as the best current browser for security and particularly privacy.

truly secure mobile communication (for free)

It’s been almost two years now and the bombshells from the Snowden leaks are still falling. If we didn’t believe it before, we must all now acknowledge that we simply cannot trust that our regular mobile communications are secure – that includes phone calls as well as text messaging. While I believe in my heart that companies like Apple are trying to minimize illicit access to these communications, their system and their software are closed and proprietary – and therefore, we can never be truly sure.

The only solution to this is 100% transparency: the software must be open for inspection and auditing. It’s the only way we can know what’s going on behind the scenes.

And thankfully, Open Whisper Systems has come to the rescue! Over the past few years, they have developed some fantastic apps for truly secure phone calls and text messaging – all completely open source. Co-founded by security researcher Moxie Marlinspike, these tools are the real deal – praised by both Edward Snowden and the EFF.

Originally developed as two separate tools for Android called RedPhone and TextSecure, they have since been combined into a new app called Signal for iPhone/iPad. (The Android apps will eventually be consolidated under the same name.) These apps will allow you to make truly secure phone calls and send text messages that simply cannot be cracked – anywhere around the world, for free. It doesn’t get much better than that. You use your existing phone number to register, making it easy to add your friends and family as contacts.

You can read all about how to install and set up these apps here:

Here’s the important part: we should ALL immediately download, install, and use these apps. And we need to encourage everyone we know to do the same. The only way this works is if everyone does it. And I mean everyone. Your mom. Your neighbor. Your kids. Your friends. Everyone. It’s not about having something to hide. You’re a human and privacy is a human right. When we’re being watched, we act differently (see this TED talk if you’re skeptical). The only way we can fight back against dragnet surveillance and avoid the Panopticon is to “go dark” – all of us. If you need more convincing, check out this wonderful essay by Bruce Schneier.

I’ll give you one more reason to download and use these apps: you will be registering your concern for privacy and showing support for groups that are taking steps to preserve this most basic of human rights.

Security roundup (3/1/2015)

It’s been quite an active few weeks in the realm of security and privacy. Here are the top stories and what they mean for you. I’m trying to keep these short and sweet, and then point you to other sources for more information.

  • IRS phone scams. It’s tax time, and the bad guys are out in full force. The money to be made can be massive. First of all, there’s a phone scam where people call you pretending to be an IRS agent and tell you that you owe back taxes. You must pay immediately by wire transfer or credit card – if you refuse, they threaten arrest or deportation. See this IRS web site for more info on how to spot this scam, but the bottom line is that the IRS will never ask you for a wire transfer or credit/debit card.
  • Fraudulent tax returns. The folks at Intuit (the makers of TurboTax) are saying there’s been a massive spike in fake tax returns being filed, particularly at the state level. This is basically identity theft – these crooks have enough info on you to file a tax return on your behalf. But it appears that the way they’re getting this info is to hack your TurboTax Online account by using hacked passwords found from other sites. So if you filed your taxes using the web version of TurboTax, and you used the same password on some other web site that was hacked, then you’re at risk. Log in to TurboTax and change your password to something strong and unique. If they offer two-factor authentication, sign up for it. Check for a return filed this year that you didn’t file. Look at the direct deposit information and make sure it hasn’t been changed. You can find more info in this NY Times article and this more technical article on Krebs Security.
  • Beware stowaway crapware. How can you make money on “free” software? Answer: lace it with crap software (“crapware”) that pays money. Download sites like Download.com provide a handy one-stop-shop for finding and downloading free applications, but in order to “monetize” this business model, they turn to lacing this software with lots of other junk software that you didn’t ask for. How bad is it? Pretty bad. Check this fascinating article from HowToGeek. Always try to get your free software directly from the source. If you’re on a Mac, try to use the Mac App Store as much as you can.
  • Malware you can’t see or remove. There were two bombshell stories in the past few weeks in the realm of government mass surveillance. First up: superhuman malware. Kaspersky Labs uncovered a vicious new bit of malware that corrupts your hard drive directly. Hard drives are not just dumb buckets of bits – they’re highly sophisticated mini computers complete with a mini operating system. While this has become a necessity due to the high complexity of modern drives, it has allowed the NSA and/or GCHQ to install malware that your operating system can’t see and you can’t remove, even if you try to erase the entire drive… because all you’re really doing is asking the drive to do something, and it’s lying to you when it says that it did what you asked. Read the technical details here. The only good news is that this software is likely not already installed with every computer, it appears to be highly targeted.
  • The Great SIM Heist. (bombshell #2) Mobile phones weren’t really built for privacy – this capability was added after the fact. Unfortunately, it was built around symmetric keys – that is, both sides have to use the same key. That means that in addition to the secret key burned into the SIM card (which is the Subscriber Identity Module built into almost all modern cell phones), the cell network needs to also have a copy of that key. Turns out that most SIM cards are made by one company – and that company was hacked, probably by the NSA or GCHQ. Whoever has those keys can now decrypt all cell phone communication, including past conversations that were recorded in encrypted form. This is just appalling and astounding. Read more here and here.
  • “The Man” in the Middle. Computer maker Lenovo was caught red-handed breaking SSL encryption with the purpose of inserting advertising on your computer. Lenovo did this using a third-party tool called Superfish that basically allowed them to insert themselves into the middle of all your supposedly private, encrypted web connections so that they could insert advertisements. This by itself would be bad enough – but the implementation of this adware was so bad, they exposed their users to hacking from just about anyone else. And just to make matters worse, the underlying tool that performs this hack from a company called Komodia is embedded in other software. Read more about the Lenovo part here, and how to remove Superfish software here.

Security news update (Feb 8)

While I try to send out timely notes via Twitter for security issues, I’m going to also try to periodically summarize recent news items with a blog post. This is the first such posting. Let’s get to it…

  1. If you haven’t updated your Adobe Flash player, you should do it right away. Adobe has patched 2-3 nasty bugs. Firefox has been blocking the older plugin (Chrome bakes Flash directly into the browser and updates it for you). To be absolutely sure, go to the Adobe Flash web site and download the latest Flash.
  2. Bowing to pressure from Congress and others, Verizon is supposedly going to allow people to opt out of their tracking “super cookie”. However, I think the only way to really put a stop to this is with regulation. This information is too valuable for companies to ignore.
  3. Apparently there has been a rash of IRS scams lately, including one where someone posing as an IRS agent calls you and threatens to sue you. Keep your guard up.
  4. Scammers are all over the Anthem data breach, as well. Have a look at this article and the FAQ from Anthem on how to protect yourself. When you get the opportunity to sign up for the free credit monitoring, be sure to do it.
  5. When the US government wants you to divulge information, it has been turning to National Security Letters. These secret demand notifications explicitly prohibit the companies from telling anyone that they have been served. It may be illegal for them to say when they’ve gotten an NSL, but (so far) it’s not illegal to say that they HAVE NOT. Enter CanaryWatch.org. Very clever. Let’s see how long it lasts.