Category: Security (Page 1 of 3)

Canary Tokens

March 5, 2023 / / 0 Comments

Miners used to bring canaries with them deep underground, to help detect dangerous gases. If the bird perished, the humans knew to retreat before they too suffered harm. Nowadays, the canary-in-a-coalmine concept extends to other type of alerts & security “tripwires”, such as Thinkst‘s Canary Tokens.

Offered as a free service, this website allows anyone to generate a canary token and make immediate use of it. Now, many of the token options are beyond my ken, and I won’t embarrass myself, trying to explain them. But there are a few options here that are accessible & usable by most computer users. If you click the first drop-down menu on their token page, consider the options for Microsoft Word Document, Microsoft Excel Document and Adobe Reader PDF Document.

Creating a Token

Select the token document type, fill in an email address and the notes field below. Here’s an example:

Click the Create button and then the Download button on the next page. For the pictured example, you’ll now have a Word doc with a weird name to it. And now you can plant it somewhere to test your security.

Examples of Use

With a Word, Excel or PDF file token, you might just place the file on your computer’s desktop, or some other conspicuous place. Rename the file to be PASSWORDS.docx or InvestmentAccounts.pdf and then wait. If someone comes snooping while you are away from your system, you’ll get an email as soon as the file is opened.

If you’re an employer, you might test your staff’s security savvy by emailing out a harmless test phishing message. Send them a suspicious email with a token attachment. If they aren’t fooled, and they report the message to you as a fake, great! If they trust the email and open the attachment, you’ll get email receipt(s) about it. Depending on the results, you might follow-up with some internet safety training.

If you are worried that your email is being intercepted, then attach the token file to a new message and send it to yourself. When you receive your own email, let it set and do not open the attachment yourself. If you later get a canary token alert, that will help to prove that the attachment was opened by someone else.

Final Comments

I’m just scratching the surface with what canary tokens can do. If you work in web design, infosec, or other tech fields, the other listed options for canary tokens may make a lot of sense to you. They can help you figure out if/when your database has been stolen or misused, when a website has been intruded upon, and more.

Also, please appreciate that this tool is not specific to any operating system. You can use canary tokens on virtually any machine you have control over.

I Found Someone’s Phone

January 14, 2023 / / 0 Comments

Everyday, I see this posted to social media: “I found someone’s phone, anyone know whose it is?” And it rarely works. It can’t hurt to crowdsource the request, but please know that you should first check the found phone for Emergency Info.

  • On an iPhone, trigger the Lock Screen and tap Emergency, then tap *Medical ID.
  • On an Android phone, trigger the Lock Screen and tap Emergency, then tap View emergency info.

The following screen may reveal one or more Emergency Contacts. Tap on an Emergency Contact to call them on the spot. You may be able to work with them to reunite the phone with its owner!

Add Emergency Info to Your Phone

Now that you know this tidbit, your next question is probably “How do I add Emergency Contacts to my phone?”

  • On an iPhone, find and open the Health app. Tap your picture to the upper-right and then tap Medical ID. Tap Get Started, and fill out your basic info. Scroll down to find the Emergency Contacts section.
  • On an Android phone, find and open the Safety app. Sign in if prompted and then fill out your basic info. Scroll down to find the Emergency Contacts section.
  • Add at least one person as an Emergency Contact, and now they can be dialed from your phone, even when it is lost and locked. Note: you can only add them if they are in your normal Contacts list.

As you venture into this part of your phone, you may find a wealth of other safety features. Some phones may offer Car Crash Detection, Emergency SOS and the ability to record and store a video. Explore and learn about them, and activate any others you think are a good idea. Semper Paratus!

Miscellany

If you’ve lost your phone, I’ve already blogged about how to track it down. Make sure to use those methods before you report the phone as lost and disable the SIM.

If you have found someone’s phone, but cannot determine the owner, then you’ll have to figure out what to do with it. Use your best judgment and factor in these items:

  • Apple does not typically assist with lost iPhones.
  • Keep the phone on and charged, if possible. The owner may call at any moment!
  • Turning the phone into the local police is a solid option.
  • Turning the phone over to a storefront might be helpful, depending on the circumstances. A phone found in a dressing room should go to the front sales desk. A phone found in a strip mall parking lot? Surrendering it to the police may be a better idea.
  • If you can tell what cellular provider services the phone, then you might be able to take it to the appropriate cellular storefront. T-Mobile definitely welcomes you to bring in a found phone. Others may help as well, give them a call before you make the trip.

BitLocker Has Locked My Computer!

November 1, 2022 / / 0 Comments

A small number of people are encountering this message on their Windows 11 computers right now, following some overnight Windows Updates:

And for those who discover this, it’s about as fun as having a dead battery in your car or no dial tone when you pick up the phone. The computer is stuck like Chuck and won’t go anywhere!

What To Do

This is solvable but the solution is not necessarily intuitive to all. I’ll describe the process, but please reach out to me if you want help along the way.

First, you must know the Microsoft Account credentials you’ve used on your PC. This is usually your email address, and the Microsoft account password that goes with it. Your PIN will not help and your Microsoft password is different from your PIN! If you’ve forgotten your Microsoft password, you’ll need to reset it.

You’ll need to go to a different computer or device, and visit this site to log in with your Microsoft credentials: Microsoft Account.

Once you’ve logged in successfully, click “Devices” along the top toolbar selections. Then down lower, click on BitLocker recovery keys and you’ll arrive at a screen like this:

Using the Device Names, try to find the corresponding row for your locked device. Then take the longest string of numbers to the right, and type it in to the BlueScreen message. If done precisely, your computer should unlock and boot into Windows as normal.

Follow-Up Info

BitLocker is a drive encryption tool, and Microsoft only includes it on the Professional, Education and Enterprise editions of Windows. If you have Windows 11 Home edition, this issue won’t happen to you, and you won’t find Bitlocker if you go scrounging around in the Settings panel for it.

But if your computer does offer BitLocker, please know that you do have the option of turning it off. BitLocker is a powerful tool for protecting the data on a computer, in case of theft, but not all may want to use that tool, especially if it caused this problem or some other stoppage. Here’s how to track it down on your computer:

Go to Start -> Settings -> Privacy & Security -> Device Encryption.

At this panel, you are free to enable or disable this feature. If you cannot see the Device Encryption option, then it is simply not offered on your Windows computer.

Credential Stuffing

September 15, 2022 / / 0 Comments

The recent compromise of the Seesaw Learning website and app has a lot of people asking me: What is credential stuffing? It’s a good question to know the answer to. Once you get it, you will also know how to keep your online accounts safer.

How Credential Stuffing Works

It begins with cybercriminals attacking and hacking an online website or company. When they gain access, they steal the login info for as many accounts as they can, for that site. They’re looking for a list of email addresses, and the corresponding passwords that are used on that site.

While this starts with the hack of one company, the stuffing happens elsewhere. These thieves are counting on one common tech mistake: People tend to use the same password for all of their online accounts. So if they steal login info from one site, the crooks are hoping those credentials will work on other websites.

These cybercriminals actually have a bit of programming skill. They take their stolen credentials and write a program (bot) to try each email/password combination at the login screen of another website. If they’ve stolen 500 logins or a million, it doesn’t matter. They can set their bots to stuff all of those logins into various other websites, until they get lucky access with someone’s stolen credentials.

What You Need To Do

You cannot predict or prevent this kind of attack, because it is launched against the companies you use. You are not the initial target. But you can protect your other accounts from collateral damage. It’s very simple: Always use a different password with each account you create.

OK, maybe it’s not that simple to do, but it is simple to state. No one likes this advice, because passwords are such a tedious burden to most internet users. But if you can improve your habits and avoid password re-use, then credential stuffing attacks will not affect you as much as other people. If your password is stolen from one website, it will not do the crooks any good when they try to use it elsewhere!

Additionally, turning on 2FA can further protect your accounts against password theft. But not all sites offer 2FA. Using unique passwords remains the best defense.

Coping with Too Many Passwords

Maintaining unique passwords is about as fun as remembering to floss. But it could make a big difference someday. There’s always another big hack about to happen, and you’re going to wake up one morning to find that your bank or your favorite store is involved in the latest tech debacle. That awful cybercrime news won’t affect you as much, if you have good security practices in place.

As you set passwords to online accounts, your browser may recommend unique passwords, and offer to Save them for you. This is a solid tool and fairly reliable. And if you need to know a particular password, you can find it by going into your browser’s options menu and searching for the Passwords List. This is how I manage my 700+ passwords, in Google Chrome and Microsoft Edge.

You might also consider using a Password Manager program, and there are many of them out there. Some are free, some have an annual fee. LastPass, Roboform, Keepass and Bitwarden are some trustworthy password managers.

Using an Excel spreadsheet or a “little black book” is also acceptable. I see plenty of folks using these methods, and I don’t criticize it if it is working well for them.

Microsoft Defender’s Offline Scan

June 1, 2022 / / 0 Comments

Microsoft Defender Antivirus is part of every Windows 10 and Windows 11 computer. Whether you use Microsoft Defender or another antivirus, please know that you can use the Microsoft software to run a deep scan on your computer. This will not conflict with your current security software, and can be useful if you feel you may have a virus problem that is not being detected with normal system scans.

The “deep scan” is officially called the Microsoft Defender Offline scan, and here’s how you can use it:

  1. Click the Start Button and go to Settings. In the search field, type “windows security” and then click on Windows Security to open it.
  2. Click on Virus & Threat Protection.
    a. If you are using a non-Microsoft antivirus, click on Microsoft Defender Options and then turn on Periodic Scanning.
  3. Under the Quick Scan button, click “Scan Options”.
  4. Click the bubble next to Microsoft Defender Offline scan, and then click Scan Now.

This begins the Offline scan, and will reboot your computer to fulfill this action. So close and save your work before going through with this! Expect to see this sort of scan screen running for 15 minutes or more:

After the scan is over, you may not see much, other than your computer boots up to your normal wallpaper and icons. To see the results of the scan, follow the steps 1 & 2 from above, and the Virus & Threat Protection panel will tell you if it caught any baddies. Feel free to click on Protection History for more details on your scan history.

Facebook Protect

April 21, 2022 / / 0 Comments

Facebook is rolling out a new tool for safeguarding your account. But not everyone will see this just yet. For now, they’re pushing this feature out to high-profile accounts and business pages with significant reach. You may see this pop-up for you if you are a politician, for example, or run a Business Page with thousands of Likes on it.

Unfortunately, when Facebook does reach out to someone about their new Protect feature, it presents as a scam. The sender’s email looks fishy and the message urges to you act soon, lest you be locked out.

If you get a notification for Facebook Protect, please understand that it is probably legitimate. And if you ignore it for too long, you truly could get locked out of your Facebook account!

If you get an email or notification about this, cooperate with it if you are comfortable doing so. If you aren’t 100% sure, you can still satisfy the Facebook Protect requirement without clicking on the email:

  • Open Facebook.com in your computer’s web browser.
  • Click the triangle button in the upper-right corner, click Settings & Privacy, click Settings.
  • On the left, click Security & Login, then to the right, look for Facebook Protect and click Get Started.

You cannot sign up for Facebook Protect before you are invited, so if you can’t do this now, no worries! There’s nothing to do until you get a notice that you should activate this.

Windows Account Sign-In Options

March 4, 2022 / / 1 Comment

People complain to me all the time about having to sign on to their computers. As people buy new Windows 11 computers, Microsoft makes it almost impossible to avoid creating login credentials. Win11 forces you to give your email, create a Microsoft account, choose a password and then a PIN. But let me give you some extra info about all of this. You do have some choices on how your computer treats you, when you turn it on.

Microsoft Account Pros & Cons

As mentioned, most new Windows PCs frogmarch you into making a Microsoft Account. And there are pros and cons to this. When you do this, Microsoft collects info about you and may track how you use your computer. But the Microsoft account also may also help track your computer if it’s ever stolen, and it can help streamline your use of OneDrive or other Microsoft tools. The Edge browser can use your Microsoft account to backup and sync your Favorites and other settings.

The Microsoft Account also enables other sign-on features inside of Windows, so that you can pick the easiest method for you. Very few people want to type in their cumbersome Microsoft password everyday. So that’s why Microsoft pushes that PIN on you. If you have a PIN on your Windows computer, then that saves you from having to type something longer.

Depending on your computer, you may also be allowed to “sign-in” to your computer with your fingerprint, or your face, or a physical security key. You can check these out by going to Start -> Settings -> Accounts -> Sign-in Options.

But perhaps the best part of a Microsoft Account is that you are unlikely to get locked out of your computer, if you lose your password/PIN. When a person can’t sign in on their computer with their Microsoft credentials, it’s often a simple process to reset things. They would go to another computer and reset their Microsoft password.

Local Accounts on Windows

But some people don’t want to have a sign-in on their PC. Or they don’t care for Microsoft to gather info on them. For these situations, you can switch to a Local Account. But you need to understand the full ramifications of this, because it is not a perfect solution!

First, to switch your PC to a local account, you would have to to go Start-> Settings -> Accounts -> Your Info. To the right, you will see an option for “Sign in with a local account instead. Using that will convert the logged in PC account to a local account. The Microsoft Account still exists, but will no longer govern this particular sign-on.

If you make use of this option, you will get the chance to declare a new name for the account. This is just a text label, and doesn’t matter to the computer, so choose anything you’re comfy with. It will also ask you to choose a password. You have two choices here:

  1. No password: if you leave these passwords field blank, you can set your computer up with no password at all. If your office is safe from intrusion, you might choose this. But please understand that this means that anyone could power on the PC and have 100% access to it. If there is any chance of the computer being stolen or used by an unwanted guest, you may want to avoid this.
  2. Any password: you may choose any password you want for a local account. There are no restrictions or requirements, like with a Microsoft account. It can be “dad” or “98765” or “keepthekidsout”. But if you set a password on a local account, the PC should also force you to setup security questions. And there’s a big reason for this. The local password is not stored anywhere else. You cannot reset it from another computer, like with a Microsoft account. If you forget your local account password, and you fail your security questions, you might be stuck like Chuck. In that situation, you’ll have to haul your computer to a storefront that has access to clever hack tools that can forcibly remove the password.

Contactless Payments

December 14, 2021 / / 1 Comment

You’ve probably seen people paying with their phones or watches, instead of using cards or cash. This type of payment is called a “contactless payment”. But despite the boring name, this is a great convenience and security upgrade that I think more people should try.

The Basics

To make a contactless payment, you generally need a smartphone that features NFC. (Smartwatches and tablets may also allow for this!) On your phone, you’ll need to choose and install your contactless payment app. You have 3 choices:

Once you’ve chosen and installed your app, you’ll need to add at least one of your payment card’s info. Many cards are accepted into these apps, but there are some exceptions. If you find your credit card isn’t compatible with contactless payment apps, you can use a different card or talk to the card issuer for other options.

With a card accepted into your Pay app, you are ready to use it at any stores offering contactless payments. Keep an eye out for the universal symbol on storefront doors, windows and payment terminals to know where contactless payments are accepted.

The Security Benefit

I understand that some folks dismiss contactless payments as just a convenience item. “I don’t mind taking a card out of my pocket to pay!” is a common remark. But these Contactless Payments apps protect your account information in a significant way.

When you enroll a payment card into one of these Pay apps, your account number is not stored on your phone. The app builds a secure relationship with your bank, and every time you wave your phone at a reader to make a payment, a unique account number is created for that purchase only. That one-time number makes the transaction go through, and then can never be used again.

The benefit to this is that your true card number is never out in the wild. Criminals have all kinds of tactics for learning your card information, so they can place fraudulent charges. Contactless payment apps defeat a lot of them:

  • If you use Android Pay at a compromised gas pump, the hidden credit card skimmer captures a useless number from you.
  • Let’s say you use Apple Pay at the grocery store, and their servers are hacked the following week. The criminals may get other people’s credit card information, but not yours.
  • If you’re on public Wi-Fi and need to buy something over the internet, using Google Pay or Apple Pay (through your computer) would prevent your true card number from being seen in transmission.

It is true that bank cards in your wallet could still be skimmed and stolen, wirelessly. To help prevent that, I can recommend you also use a RFID-blocking wallet. You can find them as low as $20 on Amazon!

Some Cautions

If you use Contactless Payments, you’ll have to have a screen-lock on your phone. Because otherwise, someone could steal your phone and start buying things with it! As you set up a contactless payment app, it will check and tell you if your phone’s security needs to be improved.

Contactless Payments are not universally accepted (yet). Some stores may not accept them, because it requires newer card-reading equipment, or because it would increase their card-processing fees. But over time, this technology should become more and more widely adopted. Just keep an eye out for the payment symbols:

Bitdefender Discontinues Its Free Antivirus

December 9, 2021 / / 2 Comments

For many years, Bitdefender has offered free antivirus to all, but that ends soon for Windows users. As of 1/1/2022, they say that their free software will be discontinued. And they’d love to sell you their paid antivirus!

But whoa there, let’s slow it down a bit. If they’re trying to convert you to a paying customer, put your wallet away and consider other free protection software. There’s plenty of options out there!

Your first step will be to uninstall all Bitdefender Free software from your computer. After you do that and reboot your PC, check the white or blue shield icon in your taskbar. The Windows Security Center should allow you to turn on Microsoft’s built-in protection, Microsoft Defender Antivirus. (And in many cases, it turns itself on!) That is enough protection, and equivalent to any other free antivirus out there!

If you really want to go above and beyond, you may. I don’t necessarily recommend it, but I realize that some folks appreciate having a 3rd party antivirus app. And many other companies still offer free antivirus, like:

Avast Free Antivirus

AVG Free Antivirus

Avira Free Antivirus

These programs are trustworthy and quality, but may advertise to you after you install them. If you go with Microsoft’s free protection, you won’t see any ads or sales offers!

If you have any difficulty or concern with this switch, please call me! I can remotely assist with this quick changeover.

Google 2FA Becomes Mandatory

December 2, 2021 / / 0 Comments

2FA is shorthand for Two-Factor Authentication. It’s an extra security feature to protect an online account, and is offered by many companies for their users. But soon, Google is making this feature mandatory for its Google and Gmail accounts. If you aren’t already using 2FA to protect your account, you may soon get an email like this from Google:

Google 2FA Email Notice

This requirement has been in the works for a while now, and Google is just now rolling it out. I want to assure you that the above email is legitimate, if you receive it. You can click the Turn On Now button and fulfill the 2FA setup, or you can visit this link to learn more and get started.

Not sure if you have 2FA turned on yet? Go to the Google Security Checkup page to determine this.

Reach out to me if you need help with this process!

« Older posts

© 2023 BlueScreen Computer

Theme by Anders NorenUp ↑

Terms and Conditions - Privacy Policy