Posted on

Welcome to the “friendly admin”

If you have ever run into an IT (Information Technology) related problem, maybe your PC (Personal Computer) not working as expected, an application not doing what you expect it to do, or your company-provided mobile phone behaving oddly, you may have looked up where the IT administrator sits in your office and perhaps even gone to see them in person to ask for support.
There, at what is sometimes called the Service Desk or IT Support Centre, a friendly, service-oriented person may have given you the support and advice you needed and sent you back to your daily work with a properly working device.

Now that PCs and smartphones have also entered many homes, you may at some point miss such a support option when something strange happens, or fails to happen, with your personal gadgets.
What now?

In this section our “friendly admin” will address some topics you may find interesting and hopefully sometimes even helpful.
The topics relate to the gadgets and the digital lifestyle we all encounter, where we feel that sharing our insights may help you to navigate these areas faster, safer and more easily. Sometimes we may even guide you to a different perspective.

You may sign up with your email address to receive our info, news and knowledge blogs in your inbox as soon as they are available.

Welcome and enjoy!


Email Encryption – Update GPG4Win

To encrypt emails, and perhaps also files on the local hard disk, GPG (the GNU Privacy Guard) is the OpenPGP tool of choice. Keeping applications up to date matters, especially for security software, so let’s cut to the chase and update Gpg4win, the Windows distribution of GnuPG, to the latest version.

1. Download the new version of the tool.
Select the donation amount you like and click on the blue Download button.
(a click on the image will open a new window/tab with the download page of GPG4WIN.)

2. Next, verify that the download is untampered and authentic.
To do this, click the red text “OpenPGP signatures and source code packages” right under the Download button. This brings up a page that, among other information, lists the SHA-256 checksum and the OpenPGP signature (.sig file) for the installer. Note the difference: a checksum only shows that the file on your disk is byte for byte the one whose checksum is published on that page; the OpenPGP signature additionally proves that the file was signed with the Gpg4win release key. Since you are updating an existing installation, gpg is already available, and “gpg --verify installer.sig installer” checks the signature once the release key has been imported. The checksum comparison below is the minimum; the signature check is the better test.

A right-click on the downloaded file in File Explorer opens the context menu.
Click the SHA-256 item in the CRC SHA submenu (this submenu is added by 7-Zip; without it, PowerShell’s Get-FileHash cmdlet calculates the same value) to calculate the SHA-256 checksum of the downloaded file, then compare the calculated hex number with the one shown on the download page. Some rearranging of the windows may be required to see both numbers at the same time.
Both numbers must be identical; compare the whole string, not just the first and last few characters.

If the calculated number and the one shown on the web page differ, the file in your download folder is not the one you intended to download. There may be various reasons for this; what matters is that you do NOT install the file while there is any doubt about its authenticity. Check that you compared the right numbers and hashed the right file, re-download it, and double-check the web page address (it should be the official gpg4win.org site over HTTPS).

After the checksum validation, also let the virus scanner check the downloaded file. Right-click to open the context menu, then select Scan with Windows Defender … or Scan with Malwarebytes or your preferred anti-virus software.
A clean scan is a useful extra check, but not proof of authenticity; the checksum or, better, the OpenPGP signature is the evidence that counts. Once both are in order, it is safe to install the downloaded file.
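For readers who prefer a script to eyeballing hex strings, here is the checksum comparison from step 2 as an added example (my own code, not part of Gpg4win or of this post originally). It parses a published “checksum  filename” line, hashes the downloaded file in chunks, compares the complete digest, and refuses the install on any mismatch, including the wrong file name. The file name and checksum line in the demo are constructed placeholders, not real release data; on Windows, PowerShell’s Get-FileHash gives the same digest.

```python
"""Verify a downloaded installer against its published SHA-256 checksum.

Added example, not part of the original post or of Gpg4win. The file name and
checksum line used in the demo are constructed placeholders, not release data.
"""
import hashlib
import hmac
import re
from pathlib import Path

# Published checksum lines usually look like "<64 hex digits>  <file name>".
_CHECKSUM_LINE = re.compile(r"^\s*([0-9a-fA-F]{64})\s+\*?(\S.*?)\s*$")


def parse_checksum_line(line: str):
    """Return (lowercase hex digest, file name) from a sha256sum-style line."""
    match = _CHECKSUM_LINE.match(line)
    if not match:
        raise ValueError(f"not a SHA-256 checksum line: {line!r}")
    return match.group(1).lower(), match.group(2)


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a large installer in chunks instead of reading it into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(actual_hex: str, expected_hex: str) -> bool:
    """Compare the complete digests, case-insensitively.

    Eyeballing only the first and last few characters of a hash is a common
    shortcut; comparing the whole string removes that mistake.
    """
    actual = actual_hex.strip().lower()
    expected = expected_hex.strip().lower()
    if len(actual) != 64 or len(expected) != 64:
        return False
    return hmac.compare_digest(actual, expected)


def verify_download(actual_hex: str, file_name: str, checksum_line: str) -> bool:
    """True only if the file name and digest both match the published line.

    Any mismatch means 'do not install', whatever the cause: a corrupted
    download, the wrong file, or a tampered one.
    """
    expected_hex, expected_name = parse_checksum_line(checksum_line)
    if file_name != expected_name:
        return False  # hashing the right file matters as much as the hash itself
    return checksum_matches(actual_hex, expected_hex)


def safe_to_install(installer: Path, checksum_line: str) -> bool:
    return verify_download(sha256_of_file(installer), installer.name, checksum_line)


if __name__ == "__main__":
    # Constructed demo: a tiny stand-in file and a matching checksum line.
    demo = Path("gpg4win-demo-installer.exe")  # placeholder name, not a real release
    demo.write_bytes(b"abc")
    line = sha256_of_bytes(b"abc") + "  " + demo.name
    print("published line :", line)
    print("safe to install:", safe_to_install(demo, line))   # True
    demo.write_bytes(b"abd")                                  # simulate a changed download
    print("after tampering:", safe_to_install(demo, line))   # False
    demo.unlink()
```

Feed it the real installer path and the checksum line copied from the Gpg4win signatures page; a False result means stop and re-download, exactly as described above.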

3. Installation
Double-click on the downloaded file in the file explorer to start the installation process.


Select the components to install or rather update. The pre-selection should already fit, as it is derived from the currently installed version. Check the installation directory and adapt it in case a custom location is used. After the installation is completed a reboot may be requested; save any open work, close other applications and click Finish.

4. Check the results
Gpg4win ships two key managers, Kleopatra and GPA (GNU Privacy Assistant); depending on the version you had before, one of these names may be new to you in the Start menu.
Start Thunderbird to check that emails still work as expected, and try sending an encrypted email to yourself as a test. (This applies to Thunderbird with the Enigmail add-on; Thunderbird 78 and later ship their own OpenPGP implementation and do not use GnuPG by default.)

Congratulations, GPG4win is now up to date again.


Multi Factor Authentication (MFA) – secure your accounts

Here is the second part of the secure-password considerations: MFA, multi-factor authentication.

Traditionally, access to your online bank account looks like this:
you type your username, then your password, and you are in and ready to go about your business.

“Account” in the following is not limited to a bank account; it can be the personalised login to any web page, web service, online store or similar.

Now, if you are like many internet users and reuse a handful of passwords across all your online activities, you are creating a domino effect: an attacker who cracks or steals one password can take over several of your accounts.

In comes MFA, multi-factor authentication.

What is MFA? Most likely you have already used it, e.g. when using your bank card at an ATM together with your PIN, or on a web page that sent a numeric code to your mobile phone which you then entered on the web page to gain access.

MFA, often called two-factor authentication (2FA) when exactly two factors are used, is a security enhancement that requires you to present two or more independent pieces of evidence, your credentials, when accessing your account.
Each credential falls into one of these categories:

  • something you know, like your password or PIN
  • something you have, for example a smart card or a key, or
  • something you are, like your face, fingerprint, retina or voice

For the extra factor to add security, the credentials must come from at least two different categories: a password plus a security question are both “something you know” and do not count as MFA.

Now the above example of accessing your online bank account looks slightly different.
With MFA enabled, after entering your username and password you open an authenticator app that generates a one-time password (OTP), typically a six-digit code that changes every 30 seconds, and enter it on the next screen before you are logged in.

In some cases the process is simplified by your bank remembering the device you use.
When you come back and log in again from the same mobile phone or computer, the site recognises the device and skips the code.
Strictly speaking this is a risk-based relaxation of MFA rather than a second factor: a recognised device only proves that the browser or phone has not changed, which is why such sites also run analytics on the login, e.g. whether you are logging in again just 20 minutes later from halfway across the globe.

MFA protects you by adding another layer of security, making it harder for anyone to pretend to be you when logging in.
Your information is safer because a thief now needs both your password and your mobile phone.
You would probably notice if your mobile went missing and report it before the thief could use it to log in. Additionally, your phone should be locked, requiring a PIN or your fingerprint to unlock it. Codes sent by SMS are the weakest variant, since they can be redirected by a SIM swap; where a service offers an authenticator app or a hardware key, prefer that.

Stopping all online crime is not a realistic goal, but a few simple steps massively reduce the likelihood that you will be the next victim.
Use MFA whenever possible, especially for your most sensitive data, like your primary email, your financial accounts and your health records.
While some organisations require you to use MFA, many offer it only as an option that you can enable, so you must take the initiative to turn it on.

Remember to take a look at the password tips to create strong and memorable passwords.


[your email] is compromised. Password must be changed.

Be warned: there is a scam email doing the rounds with the above title in the subject line and typically the following content:

Hello!

I’m a programmer who cracked your email account and device about half year ago.
You entered a password on one of the insecure site you visited, and I catched it.

Of course you can will change your password, or already made it.
But it doesn’t matter, my rat software update it every time.

Please don’t try to contact me or find me, it is impossible, since I sent you an email from your email account.

Through your e-mail, I uploaded malicious code to your Operation System.
I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the Internet resources.
Also I installed a rat software on your device and long tome spying for you.

You are not my only victim, I usually lock devices and ask for a ransom.
But I was struck by the sites of intimate content that you very often visit.

I am in shock of your reach fantasies! Wow! I’ve never seen anything like this!
I did not even know that SUCH content could be so exciting!

So, when you had fun on intime sites (you know what I mean!)
I made screenshot with using my program from your camera of yours device.
After that, I jointed them to the content of the currently viewed site.

Will be funny when I send these photos to your contacts! And if your relatives see it?
BUT I’m sure you don’t want it. I definitely would not want to …

I will not do this if you pay me a little amount.
I think $853 is a nice price for it!

I accept only Bitcoins.
My BTC wallet: 1M2D1PzyyiZBrSh8qcdts5kecQAX3S9xuF

If you have difficulty with this – Ask Google “how to make a payment on a bitcoin wallet”. It’s easy.
After receiving the above amount, all your data will be immediately removed automatically.
My virus will also will be destroy itself from your operating system.

My Trojan have auto alert, after this email is looked, I will be know it!

You have 2 days (48 hours) for make a payment.
If this does not happen – all your contacts will get crazy shots with your dirty life!
And so that you do not obstruct me, your device will be locked (also after 48 hours)

Do not take this frivolously! This is the last warning!
Various security services or antiviruses won’t help you for sure (I have already collected all your data).

Here are the recommendations of a professional:
Antiviruses do not help against modern malicious code. Just do not enter your passwords on unsafe sites!

I hope you will be prudent.
Bye.

While this is widely recognised as a scam (an extortion attempt rather than classic phishing: the mail itself is no evidence that anything was hacked, and the “sent from your own account” claim rests on nothing more than a forged From header, which the full mail headers will show), it is still a good moment to change the passwords for your email accounts and other online services.
Switching to multi-factor authentication (MFA) where possible and feasible is also recommended.
The trade-off is, as so often, between convenience and security.
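If you want to look at such a mail with the headers rather than the threats in mind, here is a small triage script as an added example (my own code, not part of the post). It pulls out the signals that give this kind of mail away: a From address identical to the recipient, an SPF failure in the Authentication-Results header, a Return-Path domain that differs from the claimed sender, a Bitcoin address in the body, and the ransom vocabulary. The sample message is constructed for the demo and reuses the wallet address quoted above; the domains are reserved example domains and the header values are invented.

```python
"""Triage an email like the one quoted above: forged sender, ransom demand, Bitcoin address.

Added example, not part of the original post. SAMPLE is a constructed message that
reuses the wallet address quoted in the post; header values are invented for the
demo and the domains are reserved example domains.
"""
import email
import re
from email.utils import parseaddr

SAMPLE = """\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.com; dkim=none
From: victim@example.com
To: victim@example.com
Subject: victim@example.com is compromised. Password must be changed.

Hello!
I'm a programmer who cracked your email account and device about half year ago.
I will not do this if you pay me a little amount. I think $853 is a nice price for it!
I accept only Bitcoins. My BTC wallet: 1M2D1PzyyiZBrSh8qcdts5kecQAX3S9xuF
You have 2 days (48 hours) for make a payment.
"""

# Legacy (1.../3...) base58 addresses and bech32 (bc1...) addresses.
BTC_ADDRESS = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
RANSOM_PHRASES = ("pay me", "ransom", "bitcoin", "btc wallet", "48 hours",
                  "camera", "rat software", "trojan", "your contacts")


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def _text_body(msg) -> str:
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(part.get_payload() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def triage(raw: str) -> dict:
    """Extract the tell-tale signals; a simple score turns them into a verdict."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    recipient = parseaddr(msg.get("To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""), re.IGNORECASE)
    body_raw = _text_body(msg)
    body = body_raw.lower()

    signals = {
        "from_is_self": bool(sender) and sender.lower() == recipient.lower(),
        "spf": spf.group(1).lower() if spf else "none",
        "return_path_mismatch": bool(return_path) and _domain(return_path) != _domain(sender),
        "btc_addresses": BTC_ADDRESS.findall(body_raw),   # case matters for base58
        "ransom_phrases": [p for p in RANSOM_PHRASES if p in body],
    }
    score = (2 * bool(signals["btc_addresses"])
             + 2 * signals["from_is_self"]
             + (signals["spf"] in ("fail", "softfail"))
             + signals["return_path_mismatch"]
             + min(len(signals["ransom_phrases"]), 3))
    signals["score"] = score
    signals["verdict"] = "likely extortion scam" if score >= 5 else "no strong scam indicators"
    return signals


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:22}: {value}")
```

Most mail clients let you view the raw message (“View source” or “Show original”); paste that into triage() instead of SAMPLE. The forged From line is the key point: anyone can put your address there, and the Authentication-Results and Return-Path headers, added by your own mail server, are what show where the mail really came from.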

Please have a look at our post for creating a safe and secure password to ease the burden.


Create a strong yet memorable password

In the digital world, passwords are used and required for many applications and services.
Access to your PC or your email account requires a password, as does access to your favourite online shop or your bank’s web site.
Passwords are the digital version of our traditional door keys, and yes, there are already ways to replace traditional door keys with a digital lock or even your mobile phone.
Passwords help to protect your data and your privacy.

It is strongly recommended to use a different password for each application.
This avoids granting access to all the digital services you use at once if one of your passwords is ever compromised, be it by accident on your side or through a breach at the service provider.
As a reminder, see what recently happened at Cathay Pacific and the privacy breach there.

The tricky thing with passwords is that on the one hand the password must be strong, i.e. as random as possible to resist guessing and cracking, but on the other hand you must be able to remember it.

Here are some tips for creating a safe and secure password.
Make sure that the password is strong.

  • It should contain
    • upper case letters (A-Z),
    • lower case letters (a-z),
    • at least one number (0-9),
    • and at least one special character, e.g. !#$%^&*_-+=?().
  • Don’t reuse any of your previous passwords. Even if a service’s password-history rule lets you reuse an older one, pick something that an attacker who has seen the old password can’t guess.
  • It must not be a word that can be found in a dictionary, or a combination of dictionary words.
  • It should not rely on “obvious” substitutions, e.g. H0use isn’t strong just because ‘o’ was replaced with ‘0’; password-cracking tools try these substitutions automatically.

Certainly, being able to remember the created password is equally important.
If you use a password manager, it will create very strong passwords and take over the task of remembering them for you; the catch is that you now rely on this application and its database not getting lost, corrupted or stolen, and on it being available and functional when and where you need it.

My tool of choice is KeePass Password Safe, a free, open source and easy-to-use cross-platform solution for managing passwords.
It is available on Windows, on Linux and also on Android and iOS for mobile phones. This makes it convenient to have your passwords with you even when you are not in front of your PC, and yet your passwords are protected.
As with all important data, regular backups of the password database are a must.
And of course, you can still create your own memorable passwords and use KeePass simply to store the ever-increasing number of passwords in a safe place.

One trick to create a rather random and strong password that you can still remember is to derive the password from a sentence.
For example, “When I wake up in the morning at 6:00am, I first open my eyes.” could be turned into “WIwuitm@6:00am,Ifome.” That is a rather strong password at 21 characters with mixed letters, numbers and special characters, provided the sentence is your own and not a famous quote or song lyric, which password-cracking wordlists also contain.



Comic from XKCD on passwords

Another approach, as proposed on the Diceware web page, is to string together several random words (Diceware recommends at least six) that are in no grammatical or logical order.
As the name implies, you roll a die five times per word and write down the five numbers (each between 1 and 6); the resulting five-digit number selects one word from the list of 7776 words provided on the Diceware web site.
The dice improve the randomness of the word combination, because people are notoriously bad at coming up with random combinations themselves; each word drawn from the list adds about 12.9 bits of entropy, so six words give roughly 77 bits.
And because the resulting passphrase is a list of words, it should be fairly easy to remember.
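The two ideas of this post, the rules for a strong password and the Diceware passphrase, as an added runnable example (my own code, not from the post, from Diceware or from KeePass). It maps a five-dice roll to the index in the real word list, draws words with the operating system’s cryptographic random number generator when no dice are at hand, computes the entropy, and checks a candidate password against the rules above, including undoing the “obvious substitutions” before the dictionary test. The miniature word list and the sample dictionary are constructed for the demo, and the 12-character minimum is my assumption; the post itself names no minimum length.

```python
"""Diceware passphrases and the password rules from this post, as runnable checks.

Added example, not part of the original post or of Diceware. WORDS is a tiny
constructed stand-in for the real 7776-word list, DICTIONARY is a constructed
sample of common words, and the 12-character minimum is an assumption (the post
itself states no minimum length).
"""
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # five dice per word -> 7776 entries in the real list

# Constructed miniature word list; the real one comes from the Diceware web site.
WORDS = ["apple", "brick", "cargo", "delta", "ember", "flint", "gravy", "hedge",
         "ivory", "jumbo", "kayak", "lemon", "mango", "noble", "otter", "pixel",
         "quilt", "raven", "spade", "tulip", "umbra", "vivid", "waltz", "xenon",
         "yacht", "zebra", "amber", "bison", "cider", "dwarf", "eagle", "fjord"]

# Constructed sample dictionary; a real check would use a large wordlist.
DICTIONARY = {"house", "password", "welcome", "summer", "winter", "dragon",
              "monkey", "letmein", "sunshine", "football", "secret", "admin",
              "login", "qwerty", "master", "shadow", "princess", "flower"}

# The "obvious substitutions" the post warns about, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})


def dice_to_index(roll: str) -> int:
    """Map a five-dice roll such as '12345' to the 0-based word index (base 6)."""
    if len(roll) != 5 or any(ch not in "123456" for ch in roll):
        raise ValueError(f"need five digits between 1 and 6, got {roll!r}")
    index = 0
    for ch in roll:
        index = index * 6 + (int(ch) - 1)
    return index


def roll_five_dice() -> str:
    """Simulated dice from the OS CSPRNG; never use random.random() for this."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_passphrase(wordlist, count: int = 6, sep: str = " ") -> str:
    """Pick `count` words uniformly at random; works for any list size."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def passphrase_entropy_bits(count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Each uniformly chosen word adds log2(list_size) bits: about 12.9 for Diceware."""
    return count * math.log2(list_size)


def _letters_without_substitutions(password: str) -> str:
    return "".join(ch for ch in password.lower().translate(LEET) if ch.isalpha())


def check_password(password: str, dictionary=DICTIONARY, min_length: int = 12) -> list:
    """Return the rules from the post that the password breaks (empty list = OK)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(ch.isupper() for ch in password):
        problems.append("no upper-case letter")
    if not any(ch.islower() for ch in password):
        problems.append("no lower-case letter")
    if not any(ch.isdigit() for ch in password):
        problems.append("no digit")
    if not any(not ch.isalnum() for ch in password):
        problems.append("no special character")
    letters = _letters_without_substitutions(password)
    hits = [w for w in dictionary if len(w) >= 4 and w in letters]
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(sorted(hits)))
    return problems


if __name__ == "__main__":
    roll = roll_five_dice()
    print(f"rolled {roll} -> word #{dice_to_index(roll)} of {DICEWARE_LIST_SIZE}")
    print("demo passphrase:", diceware_passphrase(WORDS))
    print(f"six real Diceware words: {passphrase_entropy_bits(6):.1f} bits")
    for candidate in ("H0use", "Sunshine2019!", "WIwuitm@6:00am,Ifome."):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that the rule check is deliberately strict about dictionary words as substrings, so “Sunshine2019!” is rejected even though it satisfies every character-class rule; the sentence-derived password from above passes.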

Of course you could also follow along with the following joke:

I changed my password to “incorrect”. So whenever I forget what it is the computer will say “Your password is incorrect”.

An additional complication comes from differing password requirements at different applications or organisations.
Yet this may help to ensure that you are not tempted into using the same password for different websites and applications – a good thing.
The bank HSBC, for example, has the following requirements for your password:

Your password is not case-sensitive and must be between 8 and 30 characters.
It must include only letters, numbers or the characters @ _ ‘ . – ? ! $ * =.

Note that a password that is not case-sensitive is compared in one case only, so the mix of upper and lower case letters adds nothing there; compensate by making the password longer. And I’m sure the additional advice offered together with the requirements sounds familiar to you by now:

To protect your security, do not use the same password on different websites
and do not use easy-to-guess information such as your name,
identification number or date of birth.


Have a safe online experience.


Privacy – the handling of the breach by CX

Privacy is a big topic all in itself, and I shall provide some more related information in separate posts.

The recent incident, however, has caught my attention and prompted me to comment.
Cathay Pacific (CX), Hong Kong’s flag carrier, finally came forward on 25 October 2018 with the information that their servers had been accessed without authorisation and that data of 9.4 million of the airline’s customers had been compromised.
The incident dates back to March 2018, so “only” seven months before Cathay Pacific chose to inform their customers.

Shortly after the story made headlines in the news, I also received an email informing me that my data at the carrier had been accessed without authorization.

Data privacy is an important topic to me and I shall use the excellent example from Cathay Pacific to explain some details, what to watch out for and also what an impacted company should or should not do.

1. Informing the impacted customers after 7 months.

This feels just like a slap in the face.
It shows very clearly how little the carrier cares for their customers – and yes, I’m well aware of the prayer-like repetition of phrases from Cathay Pacific claiming that their customers are important to them.
But that’s just what they are, empty phrases, a waste of digits, paper or air, depending on the medium used to convey the marketing message.

Trust is a fragile thing, easy to break and hard to mend.

In our fast-paced and increasingly digital life, time is of the essence.
Knowing that your data has been compromised or lost allows you to be aware and vigilant.
It allows you to watch out for anything fishy and to think twice, and from a different perspective, about that unsolicited email in your inbox informing you that you have just signed up for whatever-it-is new membership or shop or ...
Of course, you’d never click on such a potential phishing link or malware-carrying attachment anyway, and you’d likely just delete such an email.
However, if you are aware that your email address and other personal information have been stolen, you may look at this more seriously, also from the perspective that someone may try to set up a fake digital identity of you somewhere on the web.
And that should certainly catch your attention, as it may have long-lasting implications for you, the real you, I mean.

Thus, knowing of a breach and actively not informing the very people that are impacted immediately is just wrong.

But then again, looking at this little breach – after all “only” 9.4 million customers were impacted – from Cathay Pacific’s perspective, it is not their data that is at risk, it is the data of their customers! So, why bother to rush and risk looking bad? Maybe they thought that later on an opportunity to cover up or hide this little incident would arise? Well, I don’t know about that, but I do know that coming out so late does not play in their favour, and customers will likely not take it kindly.

Of course, chances are that some of Cathay Pacific’s own data was also compromised during that incident, but that is their very own internal pleasure to handle and may only be of interest to their curious shareholders.
Added 2018-11-12: my assumption has just been confirmed (see the SCMP report).

2. We have no evidence that any personal data has been misused.

This statement is taken from the email, I received from Cathay Pacific.
Now, that feels reassuring, doesn’t it? (Please see the sarcasm in the sentence.)

How would Cathay Pacific even know if the thief of the data has setup a false identity of me somewhere in the web? Did they expect a confirmation email?

“Dear Cathay,
I have used the personal data of your customer Mr. T that you so generously provided
to implement a fake digital identity
and I’m now happily shopping at Amazon
under Mr. T’s name, all billed to his credit card.
Yours faithfully,
a grateful hacker.”

Cathay Pacific is an airline – to the best of my knowledge – and I think they have yet to fathom what can be done with stolen personal data in the bad world out there.
To lull the unaware and inexperienced customer into a false sense of security is, in my eyes, a dangerously wrong approach.

3. The free monitoring service

Generously, Cathay Pacific is offering an “ID monitoring service”, provided by Experian. (Note: the link here goes to the main web page of the service provider, not to the free service offered by Cathay Pacific.)
This confirms point 2 above, i.e. they just can’t know what the intruder is doing with the data.

Now to the tricky part.
To enable the monitoring of your data that was accessed without authorisation (aka stolen), you have to provide that very data to a third-party company.
It’s a little like the old Grimm Brothers fairy tale “Frederick and Catherine (aka Freddy and Katy Lizzy)”, rolling the second cheese down the hill to go and tell the first cheese to come back.
Certainly, the monitoring service provider needs to know what to monitor, i.e. your personal data, but at the same time you are putting your data at risk again, at an additional company.
It is a difficult balance to find. I’d recommend providing the service company with only one of your email addresses (if that is among the data that was illegally accessed) and not the whole set of data.

4. What next?

Various suggestions are already circulating in the media and on the web, from class action lawsuits to lobbying the Hong Kong privacy watchdog (PCPD).
Feel free to check what you consider worth your time – I shall not recommend anything specific in this regard here.
The information from the South China Morning Post at https://www.scmp.com/news/hong-kong/law-and-crime/article/2171092/cathay-pacific-data-leak-what-can-customers-affected-do may serve as an entry point.

However, actions must be taken to ensure similar incidents cannot happen again.
I’m drawing from my own experience of running our own little web shop.
Being cautious about where I provide which personal data, I make sure to properly honour the trust placed in us when customers provide their personal data to us.

  1. Only requesting the minimum information required for the shop to function is the first step.
  2. Making sure the customer is aware what personal data we ask for and why, via clearly documented privacy policies, is the next.
  3. When it comes to the really sensitive payment data, like credit card numbers, expiry dates, etc., we actively chose NOT to hold any credit card data of our customers on our own servers. Instead we opted for a payment flow that uses a trustworthy and trusted payment provider specialised in handling such sensitive data. No customer credit card information is ever seen by our server; only the confirmation that a transaction was executed is returned to us from the payment gateway, so we can trigger the shipment. That confirmation is itself something to verify rather than simply trust, since anyone who could fake it could have goods shipped without paying.
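To make point 3 concrete, here is the shop’s side of such a payment flow as an added example (my own code, not the post’s shop and not any particular payment provider’s API). The gateway’s confirmation is assumed to arrive as a JSON body with a timestamp and an HMAC-SHA256 signature over “timestamp.body”, computed with a secret shared out of band; the header layout, the 300-second tolerance and all order data are constructed for the demo. The shop verifies the signature in constant time, rejects stale and replayed confirmations, and only ships when the confirmed order id, amount and currency match the order it holds; no card data is ever part of the exchange.

```python
"""Authenticate the payment gateway's "transaction executed" confirmation before shipping.

Added example, not part of the original post. The callback layout, the timestamp
prefix and the HMAC-SHA256 scheme are assumptions for illustration, not any
particular payment provider's API; key, order and payload are constructed.
"""
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumed tolerance for the gateway's timestamp


def sign_callback(key: bytes, body: bytes, timestamp: int) -> str:
    """What the gateway computes over '<timestamp>.<body>' with the shared secret."""
    return hmac.new(key, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_callback(key: bytes, body: bytes, timestamp: int, signature: str,
                    seen_transactions: set, now: int = None):
    """Return the parsed event if it is authentic, fresh and not a replay, else None.

    The body carries no card data at all: the only things our side ever learns
    are the transaction id, the order it belongs to, and the amount that was paid.
    """
    if now is None:
        now = int(time.time())
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return None                                   # stale or future-dated
    expected = sign_callback(key, body, timestamp)
    if not hmac.compare_digest(expected, signature):
        return None                                   # forged or modified body
    event = json.loads(body)
    txid = event.get("transaction_id")
    if not txid or txid in seen_transactions:
        return None                                   # replayed confirmation
    seen_transactions.add(txid)
    return event


def should_ship(event: dict, order: dict) -> bool:
    """Ship only if the confirmation really settles this order in full.

    Matching order id, amount and currency prevents a paid 1 EUR order's
    confirmation from being used to release a 500 EUR shipment.
    """
    return (event.get("status") == "paid"
            and event.get("order_id") == order["order_id"]
            and event.get("currency") == order["currency"]
            and int(event.get("amount_cents", -1)) == order["amount_cents"])


if __name__ == "__main__":
    key = b"constructed-shared-secret"                 # shared with the gateway out of band
    order = {"order_id": "A-1001", "amount_cents": 4990, "currency": "EUR"}
    body = json.dumps({"transaction_id": "tx-42", "order_id": "A-1001",
                       "amount_cents": 4990, "currency": "EUR", "status": "paid"}).encode()
    ts = int(time.time())
    sig = sign_callback(key, body, ts)                # the gateway's side of the exchange
    seen = set()
    event = verify_callback(key, body, ts, sig, seen, now=ts + 2)
    print("first delivery  -> ship:", event is not None and should_ship(event, order))
    print("replayed        -> ship:", verify_callback(key, body, ts, sig, seen, now=ts + 3) is not None)
    tampered = body.replace(b"4990", b"1")
    print("tampered amount -> ship:", verify_callback(key, tampered, ts, sig, set(), now=ts) is not None)
```

The set of seen transaction ids stands in for whatever persistent store the shop uses; without it, a captured confirmation could be delivered twice and trigger two shipments for one payment.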

How can our small experience be translated for use at Cathay Pacific and potentially other companies?

  • Well, as a starting point, be clear about your company’s goals.
    We are NOT in the business of collecting personal data, but many companies out there have deep-rooted desires to collect and aggregate personal data. Data you do not hold cannot be stolen from you.
  • Up-to-date applications on well-maintained servers reduce the number and the risk of potential attack vectors (that’s for the IT department to watch over).
  • Industry best-practice standards need to be in place wherever sensitive personal data is handled. Learn from other industries that have gone through this already (well, some are still in the midst of it), like banking.
  • Have a defined and clear communication protocol for informing customers in case of an incident, not only for the ISO 9001 folders and audits but applied in practice. This will help to keep or mend the trust in the relationship with your customers – certainly they’ll be angry as a first reaction, but professional handling will help to keep them as future customers.

To summarize:

  • timely availability of information is important
  • sugar coating is a form of misinformation and potentially makes the issue worse
  • be cautious what information you provide to the monitoring service provider, as this may put you at additional risk
  • companies and private users alike should be cautious regarding the data they collect or provide, and be clear on the privacy policies applied to protect such data



Congratulations!

You have just bought yourself a fantastic, new, shiny high-tech toy called a smartphone.
Yeah! The world of phone calls, internet, a pocket-sized camera and lots of entertainment is now open and available in your palm.

But did you know that you have at the same time also signed up for a new job?
Yes, you heard right. You have just signed up for a new job.
Congratulations again, and welcome to the world of computer administration.

After all, this new device in the size of your palm is a powerful computer.
And yes, it can likely also do phone calls.

With great power comes great responsibility.

With the first excitement ebbing a little after unpacking and unwrapping (often referred to as “unboxing”) the new device, its operation and the plentiful options may start to look a little overwhelming.
Which applications (apps) are essential? Which apps to use for what? How to protect my privacy? How to protect my data from theft or loss?
So many questions.

Don’t worry, your friendly admin is here to help.

I’ll provide some (hopefully) helpful guidance for your daily life with electronic gadgets, from a close look at some devices to day-by-day operation and practical use cases.
Of course, I’ll also provide some information on applications (apps) that I consider useful.