Category: Security (Page 1 of 3)

Hiding Photos on Your Phone

Smartphones offer you an important tool for hiding photos on your phone. Whether you have an Android or an iPhone, you should consider using this function!

For Android users: Google gives you the ability to securely stash photos in the Locked Folder, in the Google Photos app. Here’s a simple Google article on how you would use it.

For iOS users: Apple offers the same sort of tool, but they call it the Hidden Folder. Apple offers this article to explain its use.

Once you’ve placed anything in this special folder, you should know:

  • These items are well-protected, and you’ll have to enter your passcode or thumbprint every time you enter the folder.
  • When you move a file into the Locked/Hidden Folder, that file is removed from its location in your photo library. That also means it disappears from the normal cloud backup and any other devices that it synced to.
  • The contents of this protected folder won’t turn up in any searches performed on your phone.
  • If you still want an important photo to be backed up or synced, make a copy of it and move the copy into this folder.

Possible Uses

With a little imagination, you’ll find a variety of uses for this tool. Perhaps you have some delicate photos that shouldn’t be seen by anyone who borrows your phone. Maybe you need a safe place for some critical evidence you’ve photographed. My favorite, though, is keeping a record of everything that’s in my wallet.

It’s true, I could lose my wallet and my phone at the same time. So I’ve also recorded my wallet contents elsewhere at home. But let’s say I’m travelling and my wallet decides to travel somewhere without me. I’ve socked away a photo of each card in my wallet. I can immediately go to my Locked Folder, refresh my memory of all the cards I carry, and start calling the associated banks and companies. It would make a tough situation a little easier to resolve.

Microsoft’s Over-Protective SmartScreen

Windows computers have a lot of built-in protections, to help fend off viruses and malware and more. One of these protective components is called SmartScreen. Microsoft SmartScreen is always watching for malware and phishing attempts, and may pop up at any time, to ask if you really want to run that file. Or it may simply prevent you from opening something. Sometimes, SmartScreen is over-protective like that.

In general, I recommend that people abide by this sort of message. SmartScreen is there for the health of your computer, and if it is blocking something you’ve just downloaded, there may be a good reason for that. Better safe than sorry. But once in a while, SmartScreen will clamp down on a file that you know darn well is perfectly safe. In that case, you can ask SmartScreen to ease up, for just that one file.

To disable SmartScreen for a particular file, first open a File Explorer window. Using File Explorer, locate that file. Right-click your file and then left-click Properties. At the bottom of the Properties window, check the box next to Unblock, and then click OK.

Please be careful with this tip. Only use this tactic on files you are 100% sure are safe.

Stolen Facebook Accounts

There is a large rise in Facebook Account Theft right now. I can’t explain the sudden surge, but for the last few weeks, I see people complaining about and suffering from stolen Facebook accounts almost every day. We need to go over the details, so that you are prepared and protected.

How Facebook Accounts Are Stolen

Your Facebook account can be stolen when a bad guy tricks you into revealing your password. Or, a cybercriminal can attempt to reset the password on your account, and then trick you into giving them the reset/authorization code. Then, they set a new password on the account, locking you out and giving themselves all the control.

To finalize the theft, the crook replaces the email address and/or phone number on your account with their own email/number. This makes it nearly impossible for you to recover your account.

Phishing emails are a common way to take passwords from people. Messages or pop-ups that look deceptively similar to real Facebook notices can pressure people to type in their credentials. But right now, I’m seeing a lot of password-theft happening via stolen accounts, using impersonation tactics. Example:

John Doe gets a PM from his cousin, Uncle Buck. “Hey, John! I’m having trouble with my Facebook account, and I need your help. Imma send you a code — can you tell me what that number is? It’ll help me reset my password, thanks!” John Doe thinks he’s helping his uncle, so he waits for the code to arrive by text message. When it comes, he types it in and sends it over.

But Uncle Buck isn’t Uncle Buck. A cybercriminal is inside Buck’s account, and when he gets the code, it allows him to finish a password reset on John Doe’s account. John Doe soon finds this out, when he is forced out of Facebook and cannot log back in. His account has been hijacked just like Uncle Buck’s.

How to Protect Your Facebook Account

  • Never share any security code with anyone. When a numeric code is texted or messaged to you, it is for your use only. In the wrong hands, that simple code can defeat the security of an important account. This goes for Facebook, Gmail, your bank login and any other online account you use.
  • Facebook offers some basic security tips at this page. Implement as much of their advice as you can handle.
  • Consider setting up additional security features for your Facebook account, like 2FA and login alerts. More info on that at this page.
  • If you get any fishy emails or PMs from people you would normally trust, pick up the phone and call the sender. Figure out if they really sent those messages, or if you’re corresponding with some impostor in Scamdinavia.
  • Change your Facebook password at the first sign of trouble.
  • Review your Facebook Profile and make sure your Friends List, phone number and other personal info is not viewable by the public. The privacy level on that info should be “Friends Only”, or better yet, “Only Me.”

What to Do If Your Facebook Account is Stolen

  • Do not delete any security-alert emails that you receive from Facebook. They could be invaluable toward recovering your Facebook. When your password, email address or other sensitive info is changed on your account, you will receive an email. Each message will state: “If you did not make this change, click here.” Sometimes, clicking where indicated is your only hope of reverting the scammer’s change!
  • Try to recover your account at www.facebook.com/hacked . Alternate links and methods are at this page. I must warn you, though, this process can be time-consuming, frustrating and ultimately unsuccessful. Facebook has made this process difficult, and there is no easy way to contact them.
  • Contact people outside of Facebook, to let them know your account has been compromised. Tell them to not trust your account until further notice. Ask them to look at your account for any suspicious posts or content. If they see anything that looks bad, suggest to them that they report it to Facebook.
  • If you want to try to call Facebook, please know that it probably will not help. They do not want to answer the phone for non-paying customers, and at this time, you cannot yet pay Facebook for proper support. But I will give you their corporate numbers in California, just in case: 650-543-4800 and 650-308-7300. Please be careful seeking out other Facebook contact info, as most of the phone numbers you might see in a Google search belong to scammers.
  • There are many companies on the internet that claim to be able to recover your stolen account, for a fee. Most of these are fraudulent operations. Beware! But one company called Hacked.com seems to be legitimate. I can’t vouch for them 100%, but they have a significant internet footprint and reasonable reviews about the recovery services that they provide.
  • If all else fails, or the recovery process is too costly or time-consuming, make a new Facebook account.

Relevant for Protecting Other Social Media Accounts

This post focuses on Facebook, as that’s where I’m seeing the most harm done right now. But the overall threat and advice is relevant elsewhere. LinkedIn, Instagram, Twitch, Twitter… Accounts can be targeted and stolen on many other social media websites, using the same tactics I’ve described.

And the amount of support you get (almost none) will probably be the same, if you are a free or non-paying user. I will help where I can, but I have no special abilities to get Facebook to do the right thing. It’s up to you to stay alert and not get in a jackpot. Stay suspicious, my friends!

Canary Tokens

Miners used to bring canaries with them deep underground, to help detect dangerous gases. If the bird perished, the humans knew to retreat before they too suffered harm. Nowadays, the canary-in-a-coalmine concept extends to other types of alerts & security “tripwires”, such as Thinkst’s Canary Tokens.

Offered as a free service, this website allows anyone to generate a canary token and make immediate use of it. Now, many of the token options are beyond my ken, and I won’t embarrass myself, trying to explain them. But there are a few options here that are accessible & usable by most computer users. If you click the first drop-down menu on their token page, consider the options for Microsoft Word Document, Microsoft Excel Document and Adobe Reader PDF Document.

Creating a Token

Select the token document type, fill in an email address and the notes field below. Here’s an example:

Click the Create button and then the Download button on the next page. For the pictured example, you’ll now have a Word doc with a weird name to it. And now you can plant it somewhere to test your security.

Examples of Use

With a Word, Excel or PDF file token, you might just place the file on your computer’s desktop, or some other conspicuous place. Rename the file to be PASSWORDS.docx or InvestmentAccounts.pdf and then wait. If someone comes snooping while you are away from your system, you’ll get an email as soon as the file is opened.

If you’re an employer, you might test your staff’s security savvy by emailing out a harmless test phishing message. Send them a suspicious email with a token attachment. If they aren’t fooled, and they report the message to you as a fake, great! If they trust the email and open the attachment, you’ll get email receipt(s) about it. Depending on the results, you might follow up with some internet safety training.

If you are worried that your email is being intercepted, then attach the token file to a new message and send it to yourself. When you receive your own email, let it sit and do not open the attachment yourself. If you later get a canary token alert, that will help to prove that the attachment was opened by someone else.

Final Comments

I’m just scratching the surface with what canary tokens can do. If you work in web design, infosec, or other tech fields, the other listed options for canary tokens may make a lot of sense to you. They can help you figure out if/when your database has been stolen or misused, when a website has been intruded upon, and more.

Also, please appreciate that this tool is not specific to any operating system. You can use canary tokens on virtually any machine you have control over.

I Found Someone’s Phone

Every day, I see this posted to social media: “I found someone’s phone, anyone know whose it is?” And it rarely works. It can’t hurt to crowdsource the request, but please know that you should first check the found phone for Emergency Info.

  • On an iPhone, trigger the Lock Screen and tap Emergency, then tap Medical ID.
  • On an Android phone, trigger the Lock Screen and tap Emergency, then tap View emergency info.

The following screen may reveal one or more Emergency Contacts. Tap on an Emergency Contact to call them on the spot. You may be able to work with them to reunite the phone with its owner!

Add Emergency Info to Your Phone

Now that you know this tidbit, your next question is probably “How do I add Emergency Contacts to my phone?”

  • On an iPhone, find and open the Health app. Tap your picture to the upper-right and then tap Medical ID. Tap Get Started, and fill out your basic info. Scroll down to find the Emergency Contacts section.
  • On an Android phone, find and open the Safety app. Sign in if prompted and then fill out your basic info. Scroll down to find the Emergency Contacts section.
  • Add at least one person as an Emergency Contact, and now they can be dialed from your phone, even when it is lost and locked. Note: you can only add them if they are in your normal Contacts list.

As you venture into this part of your phone, you may find a wealth of other safety features. Some phones may offer Car Crash Detection, Emergency SOS and the ability to record and store a video. Explore and learn about them, and activate any others you think are a good idea. Semper Paratus!

Miscellany

If you’ve lost your phone, I’ve already blogged about how to track it down. Make sure to use those methods before you report the phone as lost and disable the SIM.

If you have found someone’s phone, but cannot determine the owner, then you’ll have to figure out what to do with it. Use your best judgment and factor in these items:

  • Apple does not typically assist with lost iPhones.
  • Keep the phone on and charged, if possible. The owner may call at any moment!
  • Turning the phone in to the local police is a solid option.
  • Turning the phone over to a storefront might be helpful, depending on the circumstances. A phone found in a dressing room should go to the front sales desk. A phone found in a strip mall parking lot? Surrendering it to the police may be a better idea.
  • If you can tell what cellular provider services the phone, then you might be able to take it to the appropriate cellular storefront. T-Mobile definitely welcomes you to bring in a found phone. Others may help as well; give them a call before you make the trip.

BitLocker Has Locked My Computer!

A small number of people are encountering this message on their Windows 11 computers right now, following some overnight Windows Updates:

And for those who discover this, it’s about as fun as having a dead battery in your car or no dial tone when you pick up the phone. The computer is stuck like Chuck and won’t go anywhere!

What To Do

This is solvable but the solution is not necessarily intuitive to all. I’ll describe the process, but please reach out to me if you want help along the way.

First, you must know the Microsoft Account credentials you’ve used on your PC. This is usually your email address, and the Microsoft account password that goes with it. Your PIN will not help and your Microsoft password is different from your PIN! If you’ve forgotten your Microsoft password, you’ll need to reset it.

You’ll need to go to a different computer or device, and visit this site to log in with your Microsoft credentials: Microsoft Account.

Once you’ve logged in successfully, click “Devices” along the top toolbar selections. Then down lower, click on BitLocker recovery keys and you’ll arrive at a screen like this:

Using the Device Names, try to find the corresponding row for your locked device. Then take the longest string of numbers to the right, and type it in to the BlueScreen message. If done precisely, your computer should unlock and boot into Windows as normal.

Follow-Up Info

BitLocker is a drive encryption tool, and Microsoft only includes it on the Professional, Education and Enterprise editions of Windows. If you have Windows 11 Home edition, this issue won’t happen to you, and you won’t find BitLocker if you go scrounging around in the Settings panel for it.

But if your computer does offer BitLocker, please know that you do have the option of turning it off. BitLocker is a powerful tool for protecting the data on a computer, in case of theft, but not all may want to use that tool, especially if it caused this problem or some other stoppage. Here’s how to track it down on your computer:

Go to Start -> Settings -> Privacy & Security -> Device Encryption.

At this panel, you are free to enable or disable this feature. If you cannot see the Device Encryption option, then it is simply not offered on your Windows computer.

Credential Stuffing

The recent compromise of the Seesaw Learning website and app has a lot of people asking me: What is credential stuffing? It’s a good question to know the answer to. Once you get it, you will also know how to keep your online accounts safer.

How Credential Stuffing Works

It begins with cybercriminals attacking and hacking an online website or company. When they gain access, they steal the login info for as many accounts as they can, for that site. They’re looking for a list of email addresses, and the corresponding passwords that are used on that site.

While this starts with the hack of one company, the stuffing happens elsewhere. These thieves are counting on one common tech mistake: People tend to use the same password for all of their online accounts. So if they steal login info from one site, the crooks are hoping those credentials will work on other websites.

These cybercriminals actually have a bit of programming skill. They take their stolen credentials and write a program (bot) to try each email/password combination at the login screen of another website. If they’ve stolen 500 logins or a million, it doesn’t matter. They can set their bots to stuff all of those logins into various other websites, until they get lucky access with someone’s stolen credentials.

What You Need To Do

You cannot predict or prevent this kind of attack, because it is launched against the companies you use. You are not the initial target. But you can protect your other accounts from collateral damage. It’s very simple: Always use a different password with each account you create.

OK, maybe it’s not that simple to do, but it is simple to state. No one likes this advice, because passwords are such a tedious burden to most internet users. But if you can improve your habits and avoid password re-use, then credential stuffing attacks will not affect you as much as other people. If your password is stolen from one website, it will not do the crooks any good when they try to use it elsewhere!

Additionally, turning on 2FA can further protect your accounts against password theft. But not all sites offer 2FA. Using unique passwords remains the best defense.
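To see how far one stolen login would reach, here is an added example (not part of the original post) that audits a password list exported as CSV. It reports which sites share a password and which other accounts the same email/password pair would open if one site were breached. The column layout `name,url,username,password`, the sample rows and the function names are assumptions made for illustration; adjust the columns to match your own export.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data in the assumed layout: name,url,username,password
SAMPLE_EXPORT = """name,url,username,password
School,https://school.example/login,pat@example.com,Sunflower!22
Bank,https://bank.example/signin,pat@example.com,Sunflower!22
Shop,https://shop.example/account,pat@example.com,Sunflower!22
Forum,https://forum.example/,patty,Sunflower!22
Mail,https://mail.example/,pat@example.com,k7#Qv9-unique-Lp2
"""


def load_logins(csv_text):
    """Parse the export into (host, username, password) tuples.

    Rows with an empty password are skipped; usernames are lower-cased
    because most sites treat email logins case-insensitively.
    """
    logins = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row.get("password") or ""
        if not password:
            continue
        host = urlsplit(row.get("url") or "").hostname or (row.get("name") or "")
        username = (row.get("username") or "").strip().lower()
        logins.append((host.lower(), username, password))
    return logins


def reused_passwords(logins):
    """Return groups of hosts that share one password.

    Only host names are returned, never the password itself, so the
    report is safe to read on screen. Largest groups come first.
    """
    by_password = defaultdict(set)
    for host, _username, password in logins:
        by_password[password].add(host)
    groups = [sorted(hosts) for hosts in by_password.values() if len(hosts) > 1]
    return sorted(groups, key=lambda g: (-len(g), g))


def exposed_by_breach(logins, breached_host):
    """Hosts where a login pair stolen from breached_host would also work.

    Credential stuffing replays the exact username/password pair, so a
    host counts as exposed only when both values match the stolen pair.
    """
    leaked = {(u, p) for h, u, p in logins if h == breached_host}
    return sorted(
        {h for h, u, p in logins if h != breached_host and (u, p) in leaked}
    )


if __name__ == "__main__":
    logins = load_logins(SAMPLE_EXPORT)
    for group in reused_passwords(logins):
        print("Same password on:", ", ".join(group))
    for host in exposed_by_breach(logins, "school.example"):
        print("A breach of school.example also opens:", host)
```

In the sample, the forum account shares the password but uses a different username, so the stolen pair does not open it directly; it still appears in the reuse report and should get its own password.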

Coping with Too Many Passwords

Maintaining unique passwords is about as fun as remembering to floss. But it could make a big difference someday. There’s always another big hack about to happen, and you’re going to wake up one morning to find that your bank or your favorite store is involved in the latest tech debacle. That awful cybercrime news won’t affect you as much, if you have good security practices in place.

As you set passwords to online accounts, your browser may recommend unique passwords, and offer to Save them for you. This is a solid tool and fairly reliable. And if you need to know a particular password, you can find it by going into your browser’s options menu and searching for the Passwords List. This is how I manage my 700+ passwords, in Google Chrome and Microsoft Edge.

You might also consider using a Password Manager program, and there are many of them out there. Some are free, some have an annual fee. LastPass, Roboform, Keepass and Bitwarden are some trustworthy password managers.

Using an Excel spreadsheet or a “little black book” is also acceptable. I see plenty of folks using these methods, and I don’t criticize it if it is working well for them.

Microsoft Defender’s Offline Scan

Microsoft Defender Antivirus is part of every Windows 10 and Windows 11 computer. Whether you use Microsoft Defender or another antivirus, please know that you can use the Microsoft software to run a deep scan on your computer. This will not conflict with your current security software, and can be useful if you feel you may have a virus problem that is not being detected with normal system scans.

The “deep scan” is officially called the Microsoft Defender Offline scan, and here’s how you can use it:

  1. Click the Start Button and go to Settings. In the search field, type “windows security” and then click on Windows Security to open it.
  2. Click on Virus & Threat Protection.
    a. If you are using a non-Microsoft antivirus, click on Microsoft Defender Options and then turn on Periodic Scanning.
  3. Under the Quick Scan button, click “Scan Options”.
  4. Click the bubble next to Microsoft Defender Offline scan, and then click Scan Now.

This begins the Offline scan, and will reboot your computer to fulfill this action. So close and save your work before going through with this! Expect to see this sort of scan screen running for 15 minutes or more:

After the scan is over, you may not see much, other than your computer boots up to your normal wallpaper and icons. To see the results of the scan, follow steps 1 & 2 from above, and the Virus & Threat Protection panel will tell you if it caught any baddies. Feel free to click on Protection History for more details on your scan history.

Facebook Protect

Facebook is rolling out a new tool for safeguarding your account. But not everyone will see this just yet. For now, they’re pushing this feature out to high-profile accounts and business pages with significant reach. You may see this pop-up for you if you are a politician, for example, or run a Business Page with thousands of Likes on it.

Unfortunately, when Facebook does reach out to someone about their new Protect feature, it presents as a scam. The sender’s email looks fishy and the message urges you to act soon, lest you be locked out.

If you get a notification for Facebook Protect, please understand that it is probably legitimate. And if you ignore it for too long, you truly could get locked out of your Facebook account!

If you get an email or notification about this, cooperate with it if you are comfortable doing so. If you aren’t 100% sure, you can still satisfy the Facebook Protect requirement without clicking on the email:

  • Open Facebook.com in your computer’s web browser.
  • Click the triangle button in the upper-right corner, click Settings & Privacy, click Settings.
  • On the left, click Security & Login, then to the right, look for Facebook Protect and click Get Started.

You cannot sign up for Facebook Protect before you are invited, so if you can’t do this now, no worries! There’s nothing to do until you get a notice that you should activate this.

Windows Account Sign-In Options

People complain to me all the time about having to sign on to their computers. As people buy new Windows 11 computers, Microsoft makes it almost impossible to avoid creating login credentials. Win11 forces you to give your email, create a Microsoft account, choose a password and then a PIN. But let me give you some extra info about all of this. You do have some choices on how your computer treats you, when you turn it on.

Microsoft Account Pros & Cons

As mentioned, most new Windows PCs frogmarch you into making a Microsoft Account. And there are pros and cons to this. When you do this, Microsoft collects info about you and may track how you use your computer. But the Microsoft account may also help track your computer if it’s ever stolen, and it can help streamline your use of OneDrive or other Microsoft tools. The Edge browser can use your Microsoft account to back up and sync your Favorites and other settings.

The Microsoft Account also enables other sign-on features inside of Windows, so that you can pick the easiest method for you. Very few people want to type in their cumbersome Microsoft password every day. So that’s why Microsoft pushes that PIN on you. If you have a PIN on your Windows computer, then that saves you from having to type something longer.

Depending on your computer, you may also be allowed to “sign-in” to your computer with your fingerprint, or your face, or a physical security key. You can check these out by going to Start -> Settings -> Accounts -> Sign-in Options.

But perhaps the best part of a Microsoft Account is that you are unlikely to get locked out of your computer, if you lose your password/PIN. When a person can’t sign in on their computer with their Microsoft credentials, it’s often a simple process to reset things. They would go to another computer and reset their Microsoft password.

Local Accounts on Windows

But some people don’t want to have a sign-in on their PC. Or they don’t care for Microsoft to gather info on them. For these situations, you can switch to a Local Account. But you need to understand the full ramifications of this, because it is not a perfect solution!

First, to switch your PC to a local account, you would have to go to Start -> Settings -> Accounts -> Your Info. To the right, you will see an option for “Sign in with a local account instead.” Using that will convert the logged in PC account to a local account. The Microsoft Account still exists, but will no longer govern this particular sign-on.

If you make use of this option, you will get the chance to declare a new name for the account. This is just a text label, and doesn’t matter to the computer, so choose anything you’re comfy with. It will also ask you to choose a password. You have two choices here:

  1. No password: if you leave these password fields blank, you can set your computer up with no password at all. If your office is safe from intrusion, you might choose this. But please understand that this means that anyone could power on the PC and have 100% access to it. If there is any chance of the computer being stolen or used by an unwanted guest, you may want to avoid this.
  2. Any password: you may choose any password you want for a local account. There are no restrictions or requirements, like with a Microsoft account. It can be “dad” or “98765” or “keepthekidsout”. But if you set a password on a local account, the PC should also force you to set up security questions. And there’s a big reason for this. The local password is not stored anywhere else. You cannot reset it from another computer, like with a Microsoft account. If you forget your local account password, and you fail your security questions, you might be stuck like Chuck. In that situation, you’ll have to haul your computer to a storefront that has access to clever hack tools that can forcibly remove the password.
