Beau is probably the best person to address it, but it's a "defense in depth" situation.
At home. Have a wireless router? Is it still named "netgear" with an admin password of "Admin" or "Password"?
- Change the name to something innocuous. I found that my mother named hers "Bootie" after her white-footed cat. In a dense, trendy section of Dallas with a high population of very net-connected young urban professionals, that name was not a good idea.
- Give it a strong password: upper and lower case,
- Set it to suppress the SSID so casual searchers don't see it. A scanner will still see the signal, but you have taken away the first step in breaking it. Give it a strong password.
- Your mobile devices: if you are running a LAN at home with multiple connected devices, consider a switch after the modem and a second wireless router that serves guests only and cannot access the LAN, shared documents, stored data, etc. Visiting Scantlingers can be a bit shifty.
Web browsing. Here is where it gets hard, because the tech community really wants to mine and sell everything from your sports and shopping interests to your late-night browsing habits. Google and Facebook are notorious for burying their freedom to mine and share your data in their Terms of Service (3-4 pages of 6-point legalese), and you often have to dig deep to find out how to "opt out." Some places are making it impossible to opt out under the "You want to use our platform to read fake news we shove at you? You must allow us to customize your user experience." My wife asked me to order a swimsuit for her one day last summer. My SA pages had Google ads for swimsuits, Russian wives, lingerie, etc. for over a month because Google decided an old guy browsing ladies' swimsuits was likely a voyeur. What to do?
- Use "In Private browsing." An imperfect approach, but it rejects some tracking cookies, etc.
- Use a strong ad blocker. It's a pushback against aggressive tailored (read: tracking you) ads, bandwidth-stealing audio/video ads, etc. Providers hate ad blockers because their financial model is based on their ability to provide advertising hits, with higher compensation for "tailored" ads. (Sending me hunting or bowling ads is pretty useless. Sending me sports car, sailing, and the like ads is tailored to how I spend my money.) More and more sites are detecting ad blockers and denying you access with one enabled. You can "white list" sites you still want to access.
- Relook at your security settings. Shut off automatic downloads and require positive assent to download active content in emails.
- Set your browser to erase history, cookies, etc. It means you will likely have to sign in to Scantlings every day, but it also assists in cleaning up your electronic trail.
- Think hard about your social media use. My sister happily overshares on Facebook so "all my friends know what I'm up to." So do their friends, random hackers, and the homeless lady in the library (Meli?) after someone left their Facebook page open when they left. She's great about posting photos of her Airbnb place in New Orleans: "Where I'm here for the week at a riveting medical conference learning about hospital-acquired infections that rot your extremities off." OK, a bit OTT, but you get the idea. Everybody knows she is not home for the week and, due to previous sharing, including "checking in" when she arrives home, where her empty house is. Don't be stupid. Social media sites are free because what you click and how long you stay there is advertising gold. Yeah, I was snarky to Beau yesterday, but if fake news gets clicks, Facebook will roll out all the lawyers to allow them to continue to push it to your page. I looked at my wife's FB page last night. She is not a power user; more keeping up with a small set of friends and watching cat videos. Her page is easily 75% clickbait. Even her PMs get screened. We have a nephew in Melbourne with leukemia who is not doing well. It has only been discussed via PMs. She is getting tailored clickbait from leukemia-based charities, etc. Lesson: everything on social media is fair game to build your advertising target file.
Banking, insurance, credit card access. Strong passwords, and consider usernames that are not "LarryHoward". Try to use different usernames and passwords for each site and change them at some interval (we are all likely guilty of not doing that, and many sites won't allow username changes). My banks have been moving to higher security: username and password plus PIN, and if it's a different computer than the last one I used, I get the 3-question treatment or they send me a verification alphanumeric code to my registered phone or email account. Fail 3 times? Lock out until you call access security. Some investment accounts require a new access code on every visit, even when it's what I did yesterday and I visit the same site twice in 15 minutes. Multifactor ID is good: something you have, something you know, and something they send to a trusted contact as a one-time code. Not unbreakable, but a lot better than your name for a username and your birthdate (or the very secure ABCDEF). Make up your own mind about saving credit card info to a webstore. Sure makes it easy to click on Amazon Prime with autofill username and password and then 1-click order. Works great for you and anyone who accesses your device. Oops.
Phishing. This is what happened to the DNC, and they are getting good. We have made folks sensitive to hacking, so an email from Google saying "Someone just tried to access your account from Macedonia and we have disabled it to protect you. Click here to reset your password." Isn't that great? The mighty Google just saved you. Not so fast. The email came from GOOGLEsecurity at scammer.ru.net. Click that link, put in your old and new passwords, and you are done. The good ones may even send you to the Google password change page with a script to actually change your password. So now they have your old and new password. If you are like a lot of folks, that is your Google password, your Scantlings password (are you sure this is me?), your bank password, and your credit card password. Oops.
Reputable online sites are trying to get better even as they steal your history and push ads. I recently worked with a vendor to customize a higher-end laptop ($2200, so still cheaper than a MacBook). To buy it through Amazon Marketplace, the vendor had to price the configuration and then post it to Amazon as a "Quantity limited to 1" item and immediately send me the ad ID. It takes Amazon about 5 minutes from the time a vendor pushes an ad to them until it shows up online, pretty amazing if you think about it. I clicked "add it to my cart and checkout" less than a minute after it popped up on Amazon, and a relatively large purchase of a customized ad immediately after it was posted popped Amazon's fraud filter. I got an email telling me the order was on hold and asking me to call fraud prevention at Amazon.
Mobile devices are huge risks, and we all use them in multiples. Between my wife and me, we have 2 iPhones, 2 iPads, and a Surface Pro, and we are lightweights compared to power users. Beau is spot on: 6-digit security and biometric identification. Enable "Find My iPhone." It's good to spy on your kids, allowed me to recover an iPad left on an airplane (yeah, that was scary) and, as Olaf found, remotely wipe the device if it's lost or stolen. One flaw that Apple exhibits: iTunes will load every app associated with an account to every device when the device is updated. That means your banking app may show up on your kid's phone. If you encrypted your backup, your stored passwords can also get loaded. Minimize apps to only those required on that device. If it's a tablet, consider not using the convenient mobile app, particularly when travelling, and manually go to the website and type in your username and password. Clear history after the transaction, and a stolen tablet isn't preset to access your bank. Basically, make considered decisions on convenience and security. Modern devices make it simple to handle daily tasks. That tends to make it simple for someone else to access your life as well.
You can't be 100% safe, but avoid "stupid things" like an email that sends a username and password to yourself at another account. Assume your email will be read. As a senior defense guy, I assumed any email on an unclassified system could end up on the front page of the Washington Post, even casual emails to close friends. (We called it the Washington Post test: could you live with this being published on the front page of the Post?) Wouldn't that have served the DNC well?
Tech has brought tremendous change to our lives, but with it a full new set of risks. It's an industry where first to market with the cool stuff makes everybody an instant millionaire and the law of diminishing returns doesn't apply. First often gets a monopoly position until they "miss a shift." Functionality and innovation rule, and security is "Yeah, we need some of that." I do believe that they must do better and users should not have to be security pros, advanced coders, etc. For the most part, though, users don't even close the door, much less lock it. IT security was the last thing the DNC thought about, and their team was obviously not sensitive to the chance of a breach and had no protocol to deal with indications of a problem such as a call from the frigging FBI telling them "we believe you have a problem." Podesta was warned about his email habits during the 2008 Obama transition.
http://theintercept.com/2016/11/03/john-podesta-was-warned-in-2008-to-start-encrypting-sensitive-emails/ Some folks just don't learn.
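The phishing pattern in the post above (a sender whose display name says "GOOGLEsecurity" while the address is at scammer.ru.net, plus a "reset your password" link that goes somewhere else) can be checked mechanically. The following is an added example, not the poster's code or any vendor's tool; the sample e-mails are constructed, and the lists of legitimate Google sender and link domains are an assumption for illustration.

```python
"""Flag password-reset e-mails whose display name claims one organisation
while the real sender address or the link target points elsewhere."""
from email.utils import parseaddr
from urllib.parse import urlparse
import re

# Assumption for the example: domains the claimed organisation really uses.
LEGIT_SENDER_DOMAINS = {"google.com", "accounts.google.com"}
LEGIT_LINK_DOMAINS = {"google.com", "accounts.google.com", "myaccount.google.com"}


def domain_of_address(from_header: str) -> str:
    """Return the lower-cased domain of the real address in a From: header."""
    _display, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_under(host: str, allowed: set) -> bool:
    """True only if host equals, or is a subdomain of, an allowed domain.
    A suffix check defeats lookalike prefixes such as accounts.google.com.evil.example."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def link_targets(body_html: str) -> list:
    """Pull href targets out of anchors (simple regex, adequate for sample mail)."""
    return re.findall(r'href="([^"]+)"', body_html, flags=re.I)


def check_reset_mail(from_header: str, body_html: str) -> list:
    """Return the reasons a mail looks like display-name phishing (empty if none)."""
    reasons = []
    display, _addr = parseaddr(from_header)
    sender_domain = domain_of_address(from_header)
    if "google" in display.lower() and not is_under(sender_domain, LEGIT_SENDER_DOMAINS):
        reasons.append(f"display name claims Google but sender domain is {sender_domain}")
    for href in link_targets(body_html):
        host = (urlparse(href).hostname or "").lower()
        if not is_under(host, LEGIT_LINK_DOMAINS):
            reasons.append(f"reset link points to {host}")
    return reasons


# Constructed samples: the scam described above, and a benign notice for contrast.
PHISH_FROM = '"GOOGLEsecurity" <alerts@scammer.ru.net>'
PHISH_BODY = ('<p>Someone just tried to access your account from Macedonia.</p>'
              '<a href="https://accounts.google.com.scammer.ru.net/reset">'
              'Click here to reset your password</a>')
REAL_FROM = '"Google" <no-reply@accounts.google.com>'
REAL_BODY = '<a href="https://myaccount.google.com/security">Review activity</a>'

if __name__ == "__main__":
    print(check_reset_mail(PHISH_FROM, PHISH_BODY))  # two reasons
    print(check_reset_mail(REAL_FROM, REAL_BODY))    # []
```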