Category: Security (Page 2 of 4)

Credential Stuffing

The recent compromise of the Seesaw Learning website and app has a lot of people asking me: What is credential stuffing? It’s a good question to know the answer to. Once you get it, you will also know how to keep your online accounts safer.

How Credential Stuffing Works

It begins with cybercriminals attacking and hacking an online website or company. When they gain access, they steal the login info for as many accounts as they can, for that site. They’re looking for a list of email addresses, and the corresponding passwords that are used on that site.

While this starts with the hack of one company, the stuffing happens elsewhere. These thieves are counting on one common tech mistake: People tend to use the same password for all of their online accounts. So if they steal login info from one site, the crooks are hoping those credentials will work on other websites.

These cybercriminals have a bit of programming skill. They take their stolen credentials and write a program (a bot) that tries each email/password combination at the login screen of another website. Whether they have stolen 500 logins or a million doesn't matter: the bot stuffs every one of them into the login forms of other websites, and the criminals wait for the handful that work because somebody reused a password.
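Here is what that bot traffic looks like from the website's side, as an added example that is not part of the original post. The log format, the thresholds, the addresses and the accounts are all made up for the demo; a real site would feed in its own login log. The tell is not the number of failures but the number of different usernames failing from one address: a forgetful person fails a few times on one account, a stuffing bot fails on dozens of accounts and occasionally succeeds.

```powershell
# Added example (not from the original post): flag credential-stuffing
# behaviour in a web login log. The log format is made up for this demo:
#   "<time> <source-ip> <username> <LOGIN_OK|LOGIN_FAIL>"
# A legitimate user who mistypes a password produces a few failures for ONE
# username from one address; a stuffing bot produces failures across MANY
# usernames from the same address, with the occasional success.

function Find-CredentialStuffing {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int]    $MinDistinctUsers = 5,     # assumed threshold: tune per site
        [double] $MinFailureRatio  = 0.8    # assumed threshold: tune per site
    )

    # Parse each line into an object; skip lines that do not have four fields.
    $attempts = foreach ($line in $LogLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 4) { continue }
        [pscustomobject]@{
            Time   = $f[0]
            Ip     = $f[1]
            User   = $f[2]
            Failed = ($f[3] -eq 'LOGIN_FAIL')
        }
    }

    # One report line per source address that looks like a bot.
    foreach ($group in ($attempts | Group-Object Ip)) {
        $total  = $group.Count
        $failed = @($group.Group | Where-Object Failed).Count
        $users  = @($group.Group | Select-Object -ExpandProperty User -Unique)
        $ratio  = $failed / $total

        if ($users.Count -ge $MinDistinctUsers -and $ratio -ge $MinFailureRatio) {
            [pscustomobject]@{
                Ip            = $group.Name
                Attempts      = $total
                DistinctUsers = $users.Count
                FailureRatio  = [math]::Round($ratio, 2)
                # Accounts the bot got into: these need a forced password reset.
                Compromised   = @($group.Group | Where-Object { -not $_.Failed } |
                                  Select-Object -ExpandProperty User -Unique)
            }
        }
    }
}

# Constructed sample log: one forgetful user at 10.0.0.5, one bot at 203.0.113.9.
$sample = @(
    '2024-05-01T08:00:01Z 10.0.0.5    alice@example.com  LOGIN_FAIL'
    '2024-05-01T08:00:09Z 10.0.0.5    alice@example.com  LOGIN_FAIL'
    '2024-05-01T08:00:20Z 10.0.0.5    alice@example.com  LOGIN_OK'
    '2024-05-01T08:01:00Z 203.0.113.9 bob@example.com    LOGIN_FAIL'
    '2024-05-01T08:01:01Z 203.0.113.9 carol@example.com  LOGIN_FAIL'
    '2024-05-01T08:01:01Z 203.0.113.9 dave@example.com   LOGIN_OK'
    '2024-05-01T08:01:02Z 203.0.113.9 erin@example.com   LOGIN_FAIL'
    '2024-05-01T08:01:02Z 203.0.113.9 frank@example.com  LOGIN_FAIL'
    '2024-05-01T08:01:03Z 203.0.113.9 grace@example.com  LOGIN_FAIL'
    '2024-05-01T08:01:03Z 203.0.113.9 heidi@example.com  LOGIN_FAIL'
)

# Reports 203.0.113.9 (7 attempts, 7 usernames, failure ratio 0.86,
# dave@example.com compromised) and nothing for 10.0.0.5.
Find-CredentialStuffing -LogLines $sample | Format-List
```

The same grouping works on real web-server or identity-provider logs once the four fields are pulled out of them. Note that the one success from the bot address matters more than the six failures: that is the account whose owner reused a password somewhere else.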

What You Need To Do

You cannot predict or prevent this kind of attack, because it is launched against the companies you use. You are not the initial target. But you can protect your other accounts from collateral damage. It’s very simple: Always use a different password with each account you create.

OK, maybe it’s not that simple to do, but it is simple to state. No one likes this advice, because passwords are such a tedious burden to most internet users. But if you can improve your habits and avoid password re-use, then credential stuffing attacks will not affect you as much as other people. If your password is stolen from one website, it will not do the crooks any good when they try to use it elsewhere!

Additionally, turning on 2FA can further protect your accounts against password theft. But not all sites offer 2FA. Using unique passwords remains the best defense.

Coping with Too Many Passwords

Maintaining unique passwords is about as fun as remembering to floss. But it could make a big difference someday. There’s always another big hack about to happen, and you’re going to wake up one morning to find that your bank or your favorite store is involved in the latest tech debacle. That awful cybercrime news won’t affect you as much, if you have good security practices in place.

As you set passwords to online accounts, your browser may recommend unique passwords, and offer to Save them for you. This is a solid tool and fairly reliable. And if you need to know a particular password, you can find it by going into your browser’s options menu and searching for the Passwords List. This is how I manage my 700+ passwords, in Google Chrome and Microsoft Edge.

You might also consider using a Password Manager program, and there are many of them out there. Some are free, some have an annual fee. LastPass, Roboform, KeePass and Bitwarden are some trustworthy password managers.

Using an Excel spreadsheet or a “little black book” is also acceptable. I see plenty of folks using these methods, and I don’t criticize it if it is working well for them.
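If you keep your passwords in Chrome or Edge, you can check yourself for re-use without reading through hundreds of entries. The script below is an added example, not from the original post: it reads the browser's "Export passwords" CSV (assumed to have the columns name,url,username,password, which is what Chrome and Edge produce; check the header of your own file), compares passwords by hash so they are never displayed, and lists the accounts that share one. The sample rows are constructed. Delete the export file as soon as you are done, because it is plaintext.

```powershell
# Added example (not from the original post): find password re-use in a
# browser's "Export passwords" CSV. Assumed columns: name,url,username,password
# (Chrome and Edge). Passwords are compared by SHA-256 hash so the report
# never shows them. Delete the CSV afterwards: it is plaintext.

function Get-PasswordReuse {
    param([Parameter(Mandatory)] [string[]] $CsvLines)

    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $rows   = $CsvLines | ConvertFrom-Csv          # first line is the header
    $byHash = @{}

    foreach ($row in $rows) {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes([string]$row.password)
        $hash  = ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-'
        if (-not $byHash.ContainsKey($hash)) {
            $byHash[$hash] = [System.Collections.Generic.List[string]]::new()
        }
        # Record where the password is used, never the password itself.
        $byHash[$hash].Add("$($row.username) @ $($row.url)")
    }
    $sha.Dispose()

    # Report only the hashes that more than one account shares.
    foreach ($entry in $byHash.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{
                PasswordHashPrefix = $entry.Key.Substring(0, 8)   # just enough to tell groups apart
                SharedBy           = $entry.Value.Count
                Accounts           = $entry.Value
            }
        }
    }
}

# Constructed sample export (no real accounts); the first two rows share a password.
$sample = @(
    'name,url,username,password'
    'Example Bank,https://bank.example.com,alice,Tr0ub4dor&3'
    'Example Shop,https://shop.example.com,alice@example.com,Tr0ub4dor&3'
    'Example Mail,https://mail.example.com,alice,correct-horse-battery-staple'
)

# Reports one group: SharedBy 2, the bank and the shop accounts.
Get-PasswordReuse -CsvLines $sample | Format-List

# With a real export: Get-PasswordReuse -CsvLines (Get-Content .\passwords.csv)
```

Every account listed in a group is exposed the moment any one of the sites in that group is breached, so those are the passwords to change first.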

Microsoft Defender’s Offline Scan

Microsoft Defender Antivirus is part of every Windows 10 and Windows 11 computer. Whether you use Microsoft Defender or another antivirus, please know that you can use the Microsoft software to run a deep scan on your computer. This will not conflict with your current security software, and can be useful if you feel you may have a virus problem that is not being detected with normal system scans.

The “deep scan” is officially called the Microsoft Defender Offline scan, and here’s how you can use it:

  1. Click the Start Button and go to Settings. In the search field, type “windows security” and then click on Windows Security to open it.
  2. Click on Virus & Threat Protection.
    a. If you are using a non-Microsoft antivirus, click on Microsoft Defender Options and then turn on Periodic Scanning.
  3. Under the Quick Scan button, click “Scan Options”.
  4. Click the bubble next to Microsoft Defender Offline scan, and then click Scan Now.

This begins the Offline scan, which reboots your computer to do its work. So save and close your work before going through with this! Expect the scan screen to run for 15 minutes or more.

After the scan is over, you may not see much, other than your computer boots up to your normal wallpaper and icons. To see the results of the scan, follow the steps 1 & 2 from above, and the Virus & Threat Protection panel will tell you if it caught any baddies. Feel free to click on Protection History for more details on your scan history.
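For anyone who prefers a command prompt, the same scan can be started, and its results read afterwards, from an elevated PowerShell window using the Defender cmdlets that ship with Windows 10 and 11. This is an added example, not from the original post; the cmdlet names are real, the AMRunningMode check is an added sanity check, and the machine still reboots the moment Start-MpWDOScan runs.

```powershell
# Added example (not from the original post): run the Microsoft Defender
# Offline scan from an administrator PowerShell window and read the results
# after the reboot. Start-MpWDOScan reboots the PC immediately: save your work.

# 1. Is Defender actually running, or parked behind a third-party antivirus?
$status = Get-MpComputerStatus
$status | Select-Object AMRunningMode, AntivirusEnabled,
                        RealTimeProtectionEnabled, AntivirusSignatureLastUpdated

if ($status.AMRunningMode -ne 'Normal') {
    # 'Passive Mode' means another antivirus owns real-time protection; turn on
    # Periodic Scanning (step 2a above) before expecting Defender to scan.
    Write-Warning "Defender is in '$($status.AMRunningMode)' mode, not 'Normal'."
}

# 2. Pull current signatures first so the offline environment uses them.
Update-MpSignature

# 3. Start the Offline scan. This reboots the machine right away.
Start-MpWDOScan

# ---- After the reboot, in a new administrator PowerShell window: ----

# Detections, newest first. This is the same history the Protection History
# page in Windows Security reads from, so offline-scan findings appear here.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ProcessName, ActionSuccess, Resources |
    Format-Table -AutoSize

# Names and severities of the threats behind those detections.
Get-MpThreat | Select-Object ThreatName, SeverityID, IsActive, DidThreatExecute
```

An empty result from Get-MpThreatDetection after the reboot means the scan found nothing, which is the same "nothing much to see" outcome described above.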

Facebook Protect

Facebook is rolling out a new tool for safeguarding your account. But not everyone will see this just yet. For now, they’re pushing this feature out to high-profile accounts and business pages with significant reach. You may see this pop-up for you if you are a politician, for example, or run a Business Page with thousands of Likes on it.

Unfortunately, when Facebook reaches out to someone about their new Protect feature, the message looks like a scam. The sender's email address looks fishy and the message urges you to act soon, lest you be locked out.

If you get a notification for Facebook Protect, please understand that it is probably legitimate. And if you ignore it for too long, you truly could get locked out of your Facebook account!

If you get an email or notification about this, cooperate with it if you are comfortable doing so. If you aren’t 100% sure, you can still satisfy the Facebook Protect requirement without clicking on the email:

  • Open Facebook.com in your computer’s web browser.
  • Click the triangle button in the upper-right corner, click Settings & Privacy, click Settings.
  • On the left, click Security & Login, then to the right, look for Facebook Protect and click Get Started.

You cannot sign up for Facebook Protect before you are invited, so if you can’t do this now, no worries! There’s nothing to do until you get a notice that you should activate this.

Windows Account Sign-In Options

People complain to me all the time about having to sign on to their computers. As people buy new Windows 11 computers, Microsoft makes it almost impossible to avoid creating login credentials. Win11 forces you to give your email, create a Microsoft account, choose a password and then a PIN. But let me give you some extra info about all of this. You do have some choices on how your computer treats you, when you turn it on.

Microsoft Account Pros & Cons

As mentioned, most new Windows PCs frogmarch you into making a Microsoft Account, and there are pros and cons to this. When you do it, Microsoft collects info about you and may track how you use your computer. But the Microsoft account can also help track your computer if it's ever stolen, and it streamlines your use of OneDrive and other Microsoft tools. The Edge browser can use your Microsoft account to back up and sync your Favorites and other settings.

The Microsoft Account also enables other sign-on features inside of Windows, so that you can pick the easiest method for you. Very few people want to type in their cumbersome Microsoft password every day. That's why Microsoft pushes that PIN on you: if you have a PIN on your Windows computer, it saves you from having to type something longer, and the PIN only works on that one PC.

Depending on your computer, you may also be allowed to “sign-in” to your computer with your fingerprint, or your face, or a physical security key. You can check these out by going to Start -> Settings -> Accounts -> Sign-in Options.

But perhaps the best part of a Microsoft Account is that you are unlikely to get locked out of your computer, if you lose your password/PIN. When a person can’t sign in on their computer with their Microsoft credentials, it’s often a simple process to reset things. They would go to another computer and reset their Microsoft password.

Local Accounts on Windows

But some people don’t want to have a sign-in on their PC. Or they don’t care for Microsoft to gather info on them. For these situations, you can switch to a Local Account. But you need to understand the full ramifications of this, because it is not a perfect solution!

First, to switch your PC to a local account, go to Start -> Settings -> Accounts -> Your Info. To the right, you will see an option for "Sign in with a local account instead." Using that converts the logged-in PC account to a local account. The Microsoft Account still exists, but it will no longer govern this particular sign-on.

If you make use of this option, you will get the chance to declare a new name for the account. This is just a text label, and doesn’t matter to the computer, so choose anything you’re comfy with. It will also ask you to choose a password. You have two choices here:

  1. No password: if you leave the password fields blank, your computer will have no password at all. If your office is safe from intrusion, you might choose this. But please understand that this means anyone who can power on the PC has 100% access to it, including every file and every website login saved in its browsers. If there is any chance of the computer being stolen or used by an unwanted guest, avoid this.
  2. Any password: you may choose any password you want for a local account. There are no restrictions or requirements, as there are with a Microsoft account. It can be "dad" or "98765" or "keepthekidsout". But if you set a password on a local account, the PC will also force you to set up security questions, and there's a big reason for this. The local password is not stored anywhere else. You cannot reset it from another computer, as you can with a Microsoft account. If you forget your local account password and fail your security questions, you might be stuck like Chuck. In that situation, you'll have to haul your computer to a storefront that has access to tools that can forcibly remove the password.
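To see which accounts on a PC are Microsoft accounts versus local ones, and whether any local account can be signed into with no password at all, the following added example (not from the original post) runs in an administrator PowerShell window and uses Get-LocalUser, which ships with Windows 10 and 11. The function name Get-SignInRisk and the warning text are mine.

```powershell
# Added example (not from the original post): list the accounts on this PC,
# whether each is a Microsoft account or a local one, and flag any enabled
# account that requires no password. Run as an administrator.

function Get-SignInRisk {
    Get-LocalUser | ForEach-Object {
        # An enabled account with no password gives anyone who can power on
        # the PC full access, exactly the "No password" case described above.
        $warning = ''
        if ($_.Enabled -and -not $_.PasswordRequired) {
            $warning = 'Enabled account with no password'
        }
        [pscustomobject]@{
            Name             = $_.Name
            Enabled          = $_.Enabled
            Source           = $_.PrincipalSource   # Local or MicrosoftAccount
            PasswordRequired = $_.PasswordRequired
            PasswordLastSet  = $_.PasswordLastSet
            LastLogon        = $_.LastLogon
            Warning          = $warning
        }
    }
}

Get-SignInRisk | Format-Table -AutoSize

# Only the accounts that need attention:
Get-SignInRisk | Where-Object Warning | Format-List
```

Built-in accounts such as Guest and DefaultAccount normally show as disabled; the rows to care about are the enabled ones, and a Source of MicrosoftAccount is the sign-on that can be reset from another computer, while Local ones cannot.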

Contactless Payments

You’ve probably seen people paying with their phones or watches, instead of using cards or cash. This type of payment is called a “contactless payment”. But despite the boring name, this is a great convenience and security upgrade that I think more people should try.

The Basics

To make a contactless payment, you generally need a smartphone with NFC. (Smartwatches and tablets may also allow for this!) On your phone, you'll need to choose and install your contactless payment app. You have three choices, depending on your phone: Apple Pay, Google Pay or Samsung Pay.

Once you’ve chosen and installed your app, you’ll need to add at least one of your payment card’s info. Many cards are accepted into these apps, but there are some exceptions. If you find your credit card isn’t compatible with contactless payment apps, you can use a different card or talk to the card issuer for other options.

With a card accepted into your Pay app, you are ready to use it at any stores offering contactless payments. Keep an eye out for the universal symbol on storefront doors, windows and payment terminals to know where contactless payments are accepted.

The Security Benefit

I understand that some folks dismiss contactless payments as just a convenience item. “I don’t mind taking a card out of my pocket to pay!” is a common remark. But these Contactless Payments apps protect your account information in a significant way.

When you enroll a payment card into one of these Pay apps, your real account number is not stored on your phone. The app sets up a secure relationship with your bank, and the phone holds a substitute number (a token) that stands in for your card on that one device. Every time you wave your phone at a reader, the phone sends that token together with a one-time code generated for that purchase only. The code lets that single transaction go through and can never be used again, and the token is no use to anyone who does not also have your phone.

The benefit to this is that your true card number is never out in the wild. Criminals have all kinds of tactics for learning your card information, so they can place fraudulent charges. Contactless payment apps defeat a lot of them:

  • If you use Google Pay at a compromised gas pump, the hidden credit card skimmer captures a substitute number from you, not your real card number.
  • Let's say you use Apple Pay at the grocery store, and their servers are hacked the following week. The criminals may get other people's credit card information, but not yours, because the store never received your real card number.
  • If you buy something over the internet, paying through Google Pay or Apple Pay (on your phone or through your computer) means the website never receives your true card number, so a hacked or dishonest website cannot leak it.

It is true that bank cards in your wallet could still be skimmed and stolen, wirelessly. To help prevent that, I can recommend you also use a RFID-blocking wallet. You can find them as low as $20 on Amazon!

Some Cautions

If you use Contactless Payments, you’ll have to have a screen-lock on your phone. Because otherwise, someone could steal your phone and start buying things with it! As you set up a contactless payment app, it will check and tell you if your phone’s security needs to be improved.

Contactless Payments are not universally accepted (yet). Some stores may not accept them, because it requires newer card-reading equipment, or because it would increase their card-processing fees. But over time, this technology should become more and more widely adopted. Just keep an eye out for the contactless payment symbol, or branded symbols for Google, Apple and Samsung.

Bitdefender Discontinues Its Free Antivirus

For many years, Bitdefender has offered free antivirus to all, but that ends soon for Windows users. As of 1/1/2022, they say that their free software will be discontinued. And they’d love to sell you their paid antivirus!

But whoa there, let’s slow it down a bit. If they’re trying to convert you to a paying customer, put your wallet away and consider other free protection software. There’s plenty of options out there!

Your first step will be to uninstall all Bitdefender Free software from your computer. After you do that and reboot your PC, check the white or blue shield icon in your taskbar. The Windows Security Center should allow you to turn on Microsoft’s built-in protection, Microsoft Defender Antivirus. (And in many cases, it turns itself on!) That is enough protection, and equivalent to any other free antivirus out there!

If you really want to go above and beyond, you may. I don’t necessarily recommend it, but I realize that some folks appreciate having a 3rd party antivirus app. And many other companies still offer free antivirus, like:

  • Avast Free Antivirus
  • AVG Free Antivirus
  • Avira Free Antivirus

These programs are trustworthy and quality, but may advertise to you after you install them. If you go with Microsoft’s free protection, you won’t see any ads or sales offers!

If you have any difficulty or concern with this switch, please call me! I can remotely assist with this quick changeover.

Google 2FA Becomes Mandatory

2FA is shorthand for Two-Factor Authentication. It's an extra security feature to protect an online account, and is offered by many companies for their users. But soon, Google is making this feature mandatory for its Google and Gmail accounts. If you aren't already using 2FA to protect your account, you may soon get an email notice from Google like the one pictured below.

(Image: Google 2FA email notice)

This requirement has been in the works for a while now, and Google is just now rolling it out. I want to assure you that the above email is legitimate, if you receive it. You can click the Turn On Now button and fulfill the 2FA setup, or you can visit this link to learn more and get started.

Not sure if you have 2FA turned on yet? Go to the Google Security Checkup page to determine this.

Reach out to me if you need help with this process!

Bluetooth Scanners Used in Car Burglaries

Here’s another reason not to leave your electronics in your car: Thieves may target your vehicle if they detect your devices’ Bluetooth signals.

Anyone can use free apps to scan for Bluetooth in their vicinity. And this kind of app has a very legitimate use: Finding your lost Bluetooth device! If you misplace your Fitbit or drop a wireless earbud, a Bluetooth scanning app will detect all active Bluetooth signals near you, as well as report how close you are to them.

Unfortunately, thieves have repurposed this sort of tool. They can walk around parking garages and other areas dense with vehicles, and determine which cars have active electronics inside them. I can’t tell how widespread this tactic is, but when I see multiple police departments warn about it, it looks credible enough to pass on.

So many of your tech devices give off Bluetooth signals:

  • Laptops
  • Smartphones
  • Tablets
  • Wireless headphones and earbuds
  • Fitness trackers and smartwatches

Sure, you could go to the effort of disabling Bluetooth on your electronics or turning your devices completely off, before locking them in your car. But that’s a hassle, and something we all might forget to do. It’s probably easier just to take your electronics with you.

Shentel Email Best Security Practices

Many of my clientele are in the Shenandoah Valley of Virginia, the home territory of an ISP named Shentel. And like many ISPs, Shentel provides free, courtesy email addresses to its subscribers. It’s like a mint on your pillow, except this mint needs some extra warnings on its wrapper and may give you some indigestion…

I can level a variety of criticisms against any ISP-provided email another time. For this post, I need to write on how Shentel customers can keep their email more secure. There are frequent scams targeting Shentel email addresses, and I want to help as many people as I can to tighten their defenses.

If you don’t have a Shentel email address, this post will not directly apply to you, but the overall security recommendations do. So please consider these points, and implement anything you are comfortable with!

Password Strength

I’ve helped with Shentel email users for almost 20 years now, and from the beginning, I’ve noticed Shentel doling out really weak passwords to their email addresses. In 2002, it was common for a brand-new Shentel email address to come with a 6-character password. It was typically 3 letters (part of the person’s name) and 3 numbers (often the phone exchange of the user). To this day, I still encounter Shentel email addresses with these old, short passwords, like “abc465” and “joe933”.

If your email password is this short and simple, please change it now. Email thieves can determine such short passwords quickly, without hacking you or tricking you: there are only about 17.6 million possible 3-letter-plus-3-digit combinations, and far fewer if the guesser knows the local phone exchanges. Password-guessing programs are readily available, and anyone can buy or download one and use it for this. And once they guess your password, they can use your email to start scamming your friends and family, or worse.

Changing your Shentel email password is easy, especially if you know your current password.

  • Go to the Shentel Webmail website and login with your email credentials.
  • Click the cogwheel icon to the upper-right.
  • When the Settings screen appears, click Password.
  • Type in your old password and then enter a new password on the next two fields.
  • Click Save and you are done!

Aim for a password of 12 or more characters. Using a capital letter, a number and a special symbol helps, but length matters most, and a dictionary word followed by a year or a few digits (a shape like Maverick20#21) is one of the first things a guessing tool tries. Three or four unrelated words strung together make a password that is both stronger and easier to remember.

If you do not remember your Shentel password, call Shentel at 1-800-SHENTEL and ask their tech support to change your password over the phone.
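To put numbers on "short and simple", the following added example (not from the original post) estimates how many guesses a password takes. The count for the 3-letters-plus-3-digits shape is exact; the guess rates are assumptions for illustration (10 per second against a throttled webmail login, 10 billion per second if an attacker has stolen the password database and guesses offline), the word-plus-tail check is a rough shape test rather than a real cracking estimate, and the sample passwords are constructed.

```powershell
# Added example (not from the original post): how many guesses a password
# takes, and how long that is at two assumed guess rates:
#   online  = 10/s      (a webmail login that throttles attempts; assumed)
#   offline = 1e10/s    (attacker holds stolen hashes, GPU rig; assumed)

function Get-PasswordKeyspace {
    param([Parameter(Mandatory)] [string] $Password)
    # Alphabet an attacker must cover, from the character classes present.
    $alphabet = 0
    if ($Password -cmatch '[a-z]')         { $alphabet += 26 }
    if ($Password -cmatch '[A-Z]')         { $alphabet += 26 }
    if ($Password -match  '[0-9]')         { $alphabet += 10 }
    if ($Password -match  '[^A-Za-z0-9]')  { $alphabet += 33 }   # printable ASCII symbols
    [math]::Pow($alphabet, $Password.Length)
}

function Get-GuessTime {
    param([double] $Guesses, [double] $PerSecond)
    $s = ($Guesses / 2) / $PerSecond   # on average the attacker needs half the space
    if ($s -lt 1)        { return 'under a second' }
    if ($s -lt 3600)     { return ('{0:N0} minutes' -f ($s / 60)) }
    if ($s -lt 86400)    { return ('{0:N1} hours'   -f ($s / 3600)) }
    if ($s -lt 31557600) { return ('{0:N1} days'    -f ($s / 86400)) }
    return ('{0:N0} years' -f ($s / 31557600))
}

function Get-PasswordEstimate {
    param([Parameter(Mandatory)] [string] $Password)
    $shape   = 'no known pattern (blind brute force)'
    $guesses = Get-PasswordKeyspace $Password

    if ($Password -cmatch '^[a-z]{3}[0-9]{3}$') {
        # A tool that knows the old ISP default shape only has 26^3 * 10^3 to try.
        $shape   = '3 letters + 3 digits (old ISP default)'
        $guesses = [math]::Pow(26, 3) * [math]::Pow(10, 3)      # 17,576,000
    }
    elseif ($Password -match '^[A-Za-z]+[^A-Za-z]{1,6}$') {
        # Word plus a short tail: guessed from a word list long before brute
        # force, so the brute-force count below overstates its strength.
        $shape = 'dictionary word + short tail (word-list guess, not brute force)'
    }

    [pscustomobject]@{
        Password = $Password
        Shape    = $shape
        Guesses  = '{0:E2}' -f $guesses
        Online   = Get-GuessTime $guesses 10
        Offline  = Get-GuessTime $guesses 1e10
    }
}

# Constructed samples: the old default, the pattern discussed above, a passphrase.
'abc465', 'Maverick20#21', 'correct horse battery staple' |
    ForEach-Object { Get-PasswordEstimate $_ } | Format-List

# abc465 comes out at about 10 days online and under a second offline.
```

The point of the output is the gap between the two rows for abc465: ten days of patient guessing at a login page, or less than a second once a copy of the password database leaks, which is exactly the situation credential stuffing starts from.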

Recovery Options

Even if your password is strong, you should still visit Shentel’s Webmail website. Shentel is starting to implement Password Recovery Options for its email users, but you won’t see these if you use Outlook, Thunderbird or a Mail app to read your messages. You must go to their Webmail site!

When you visit that site nowadays, you will be prompted to set a recovery email and recovery phone number. Fill out and satisfy these items as best you can, and call Shentel for assistance if there’s any difficulty. These are important to do! If some bad actor invades your email next month, these will help you more quickly to regain control of your account.

Request 2FA to Be Implemented

The best security tool to prevent email abuse is 2FA. This stands for two-factor authentication, and it adds an extra layer to the login process for an account. When you use 2FA, you first log in using your password, and then have to enter a token or code sent to your mobile number or other security device. If someone steals your email password, the second step blocks them from accessing your account.

Shentel does not offer 2FA on their email accounts and has a hard time answering my most basic questions about it. But many other email providers do offer 2FA. If you are going to stick with your Shentel email address, you might reach out to Shentel to ask them to consider adding this security feature. It would greatly reduce the number of hacked Shentel email accounts!

When In Doubt, Pick Up the Phone

If you receive an email, and something doesn’t seem right, take your hand off the mouse. Take a moment to think about what isn’t sitting right with you, and contact someone without using that email in front of you.

That means: if you want to contact Shentel, dial 1-800-SHENTEL or any support number that is printed on their bills. Do not use any number in the fishy email! Contact info showing in a suspicious email will often put you in touch with criminals. And those guys will be all too happy to pretend that they are with whatever company you say you’re trying to reach.

If you can’t reach the company for advice, call someone else. Talk to a trusted friend, police officer, church pastor or relative. Or drop me a line for a second opinion, I am happy to sound off on all things, legitimate and scammy! You’re even welcome to forward odd emails to me, and I will quickly write you back with my verdict of them.

Trend Micro Check

The Trend Micro company has come out with a new tool that I want to recommend. Trend Micro Check is a free browser extension that you can install in Google Chrome (or Microsoft Edge) that will protect you as you surf the web.

Specifically, Trend Micro Check blocks ads and trackers (like AdBlockPlus), warns you when you visit scam or misinformation websites (like Bitdefender Trafficlight) and also goes through your surfing history for baddies. If it finds anything worrisome in your browser history, it will report it to you and then offer to remove it.

You can install the extension from the Get Now button on this page, or try this direct link to it in the Chrome Web Store.


© 2024 BlueScreen Computer
