Will they? There’s no way to know. It depends on how closely they’re looking.
Can they? Absolutely.
Will they? There’s no way to know. It depends on how closely they’re looking.
Can they? Absolutely.
This simple question opens up a veritable Pandora’s box when it comes to understanding URLs and what is safe to click on.
The concepts are simple, but how those concepts can be combined is complex, particularly if someone is attempting to deceive you.
I’ll try to make some sense of it all.
In May of 2014, the TrueCrypt project unexpectedly shut down. There’s been no official word on exactly why, but the fact is, it’s dead.
Like many, I’d recommended using TrueCrypt for years, and had at times used it extensively. I’ll review a little of what happened and look at available alternatives.
Ending up with random software on your machine that you never wanted in the first place is annoying as all heck.
Unfortunately, it’s happening more and more. I’d say that PUPs (Potentially Unwanted Programs, although there’s rarely any “potentially” about it), rogue toolbars, and search-engine hijacks are some of the most common issues I see in my inbox.
I’ll talk a little about prevention, but first, let’s walk through the steps I recommend when you suddenly realize you’ve been saddled with software you didn’t know you’d agreed to and certainly never wanted.
Some time ago, news broke that the U.S. government had plans to destroy up to $3 million worth of computers. In fact, they had already destroyed thousands of dollars of computers by the time the story came out.
Why were they doing it? Because of a malware infection.
I get the question, “Should I just throw it out?” due to malware more often than you think. It’s the knee-jerk reaction of someone who has a machine that is fairly infected and feels utterly hopeless about getting it cleared up again.
But I want to be very clear about something. There is never, ever a reason to destroy hardware because of malware.
There are two answers:
The bad guys aren’t necessarily winning, but they’ll always present a challenge for the good guys.
That’s a very good question. Most people believe they’re totally protected because they have an anti-malware program.
Unfortunately, that’s not true.
The answer is partly the nature of anti-malware software …
… and partly the nature of the race.
Once your machine has been hacked, it’s not your machine any more.
And yes, that sounds serious, because it absolutely is.
Whether or not they do is a different and perhaps even more important question. Exactly how much they might track is also at play.
Naturally, the next question is what to do about it.
Your current password?
You may not be able to.
You may be able to use the account-recovery techniques offered by Google and Gmail to set a new password, but Google will not tell you your current password.
If you’re very lucky, however, you may be able to discover it somewhere else: your browser’s saved passwords.
As support comes to an end for Windows 7, many people are concerned about the security ramifications of continuing to browse the internet with it.
As Windows XP users discovered, many browsers continued to support XP long after its end-of-support date.
Were they secure?
To answer that, we need to dispel a common myth.
I’ll assume you mean BitLocker whole-disk encryption, but the concept applies to many different encryption tools. You can often change the password (or passphrase) without needing to re-encrypt whatever it is you’ve encrypted.
The secret is simply this: your password wasn’t used to encrypt the disk.
Something else was.
One question that shows up almost every day in the Ask Leo! inbox is how to remove malware.
The scenarios differ, but the problem is the same: a machine has been infected with spyware, a virus, or some other form of malware, and that machine’s owner is having a tough time getting rid of it.
And often there is anti-malware software installed that “should” have taken care of it before it got to this stage.
Hopefully, that’ll never be you. If it is, let’s review the steps I recommend for removing malware and reducing the chances it’ll happen again.
I was somewhat taken aback by this question. It’s a perfectly good question — it’s one that more people should be asking more often.
No, my reaction was due to the lack of a good answer.
It turns out that it’s fairly difficult to ascertain whether or not something you’ve downloaded is about to play havoc with your system, particularly before you download it.
But it’s getting better.
Passwords have been in the news a lot lately, mostly due to various breaches at an assortment of online service providers.
I want to briefly touch on four topics:
Yes, it’s true.
But before you focus on it too much, there are two things to keep in mind:
Let me explain what I mean and what you can do to protect yourself — if, indeed, you can protect yourself at all.
I regularly hear from people who’ve had their email or other online account compromised, are able to recover access to it, and change their password, only to have the account stolen again almost immediately.
The problem is simple, but the solution is a bit of work.
First, you have to realize that while someone else has access to your account, they have access to everything related to that account.
As a result, changing your password just isn’t enough. You need to do more.
While it might seem that it’s taken over your computer, it’s more than likely it’s taken over something much simpler: your browser.
As you might imagine, I get questions like this all the time.
Here’s a short summary of my current recommendations.
My email address was in one of breaches we keep hearing about. Is that address still safe to use? Should I get a new email address?
There’s no need to get a new address just because your email account was part of a breach — as long as you can still log in to your account.
There are steps you should take, but that’s not one of them.
If you can’t log in to your email account any more, though, you may have no other choice.
Keeping track of passwords is hard enough (though a good password vault helps a lot). But now, it seems, we need to start keeping track of all the various and sundry breaches that have occurred, possibly without knowing whether we’re directly impacted.
Services like Have I Been Pwned? are a great start, particularly with its Pwned Passwords service, which lets you know if your account, or a password you use, is discovered in a breach. You can get notifications when your email address is discovered in a breach, but when it comes to passwords, it’s still a manual process.
That’s where Password Checkup comes in.
This is an update to an article that originally discussed only SMS two-factor authentication. Since then, two things have happened:
Unfortunately, these have led some to believe that two-factor authentication is pointless. To quote a reader: “This makes 2SV quite useless in many cases.”
No. Just … no. That’s a seriously mistaken conclusion.
I’m re-visiting this topic yet again because I want to be very clear: two-factor authentication is not useless. In fact, two-factor authentication — SMS-based or otherwise — is significantly more secure than not using two-factor authentication at all.
There are some clues to look for, and I’ll review a few of those, but ultimately, there’s no way for the average computer user to know with any certainty that a hacker is not in the process of weaseling in or that they haven’t done so already.
Perhaps now you’ll understand why I talk so much about prevention.
And I’ll talk about it some more.
It hasn’t been that long since I wrote about SMS two-factor being hackable, and why you should use it anyway.
It’s an important enough topic that when I saw another article discussing a potential two-factor exploit — ‘You can’t relax’: Here’s why 2-factor authentication may be hackable — I just have to jump in to reinforce my message.
Use two-factor authentication anyway.
I’ll explain why it’s important, even if two-factor is technically hackable.
Overseer.exe is apparently installed sometimes by Avast Free Anti-virus (and possibly other packages). The problem, as I discovered myself, is that uninstalling Avast did not remove overseer.exe.
That takes some extra steps.
As I write this, there’s been a breach (referred to as the “Collection #1 breach“) that apparently contains something like three-quarters of a billion email addresses and plain-text passwords. It’s newsworthy because it’s huge and contains passwords for anyone to see.
It’s also quite frustrating, for reasons I’ll outline in a moment.
Naturally, the question I’m getting most is simply this: what should you and I do?
The same thing we do every breach, my friend; the same thing we do every breach.
I don’t get this question a lot. But I really, really wish I did. What I get instead, repeatedly, is “I’ve been hacked, please recover my account/password for me!” (Which, for the record, I cannot do, no matter how often, or how nicely, or not so nicely, I’m asked.)
The only salvation is in prevention, and this applies to email, social media, and pretty much any password-protected account you might have.
What can you do to make sure your account doesn’t get hacked in the first place?
Not a day goes by that I don’t hear from someone who’s in the middle of some kind of account recovery process that isn’t working.
While I try to help out to the degree that I can — usually with instructions that are often no more than the service provider’s instructions translated into clearer English — it’s also not at all uncommon for those accounts to never be recovered.
And, to be super blunt about it, most of the time, it’s the account owner’s own fault.
In a world where we measure things (like speaker volume) from 0 to 10, it’s time crank your password strength up to 11. Take whatever you think a strong password might be — and make it stronger.
Unfortunately, too many people still have their password strength firmly planted at zero.
As you can see, this is a composite question based on a scenario I hear from time to time.
A relative or acquaintance has passed away and left behind a password-protected PC containing files that are important for any number of possible reasons.
You may be able to get in. On the other hand, particularly if your late relative was security conscious, you may not.
If you’ve been on the internet for any length of time, you probably feel like its main purpose is to distribute pornography, drug ads, and questionable financial solicitations. If you’ve got kids, you’re probably also worried about pedophiles, cyber-stalkers, bullies, and other nefarious net inhabitants.
While things aren’t nearly as bad as the press might make it out to be, it is bad enough.
What’s a responsible parent to do?
There’s so much more to your computer, as well as your activity history, than just cookies and whatever tools like CCleaner can clean.
So much more.
I’ll review a few of the more obvious ways employers can recover or collect information about your activity. Realize, though, it’s not with the intent that you be able to hide what you’re doing, but to illustrate the futility of even trying.
Whole-disk encryption is a form of data security that encrypts all the data on a hard disk, irrespective of what that data might be.
Encryption and decryption happen at a low level, making it transparent to normal usage. As long as you’re able to log in to your Windows machine, you’ll have access to everything on it as if it were unencrypted. Turn the machine off, and the data is inaccessible and securely encrypted until you sign in again.
Low-level encryption and decryption can happen either by the hard disk itself, as data is read from or written to the drive (hardware encryption) or by Windows (software encryption).
The problem? Some drives using hardware-based encryption have been discovered to have vulnerabilities that could allow encrypted data to be exposed.
Making technology both convenient and secure is a problem we deal with daily. We make trade-offs and use techniques that we hope strike an appropriate balance.
A more difficult dilemma that we rarely think about, however, is death. If something were to happen to you, would the people you leave behind be able to access the information they need? What happens to your encrypted data, online accounts, social media, online finances, pictures, and digital-whatever-else if for some reason you’re not around or able to access it?
I hear regularly from people frantically trying to access important, sentimental, or critical data that a recently deceased or incapacitated friend or family member has locked up tightly.
It’s not particularly pleasant to think about, but with all the security measures we put into place to keep bad people out, it’s worth having a plan for letting the good people in.
Not surprisingly, password managers are all about passwords. More specifically, they’re about automatically saving and entering your username and password when you need to log in. When it comes to security questions, often also referred to as “secret questions” — well, that’s just not their job.
But that doesn’t mean they can’t help.
Mobile phones are amazing devices. They’re much more than just having your email or social media at your fingertips; they’re truly portable general-purpose computers that also happen to be able to make phone calls.
We do a lot with our phones. Because they’re always with us, they’re one of our primary means of content consumption — everything from social media to news to maps to ebooks and more — as well as our primary means of communication (though ironically, rarely by actually using the telephone) and one of our primary content-creation devices as well, in the form of photos and videos.
As tiny computers, we’ve come to rely on them to store data, act as security keys, wallets, fitness trackers, automotive trackers, and dozens of things I can’t even think of right now.
Given everything we use our phones for, to say that we shouldn’t lose them is stating the obvious. And yet lose them we do. I’m going to review some of the things you need to be aware of when (not if) you lose your phone, and some of the ways you can mitigate the damage when it happens.
One of the hidden issues in online storage is privacy. Almost all online storage providers have the ability to examine your data or hand it over to law enforcement even if the provider has encrypted your data.
Hopefully, most of us will never have to deal with the law-enforcement scenario, but even the realization that a rogue employee at an online data storage provider could peek into what we keep online can cause concern. For some, it’s enough concern to avoid using cloud storage at all.
The solution is simple: encrypt the data yourself.
Unfortunately, implementing that “simple” solution isn’t always that simple or transparent, and can add a layer of complexity to online storage some find intimidating.
BoxCryptor is a nicely unobtrusive encryption solution that is free for personal use.
I’m occasionally faced with this same dilemma. Either for expediency or convenience, I want to email something I wouldn’t want to fall into the hands of anyone else.
While there are many approaches, there’s really only one pragmatic approach.
I’ve reviewed similar questions but I’m not sure I truly understand what information a web server can collect from my connection/browser.
This turns into a fairly complex answer pretty quickly. It’s both more and less than you might think.
I’ll start by covering what every website sees.
Yes, it’s still true: a VM doesn’t get you any additional privacy from your ISP.
I do need to clarify exactly what “everything you do” means. I’ll also revisit what you need to do to avoid ISP monitoring. Hint: a VM isn’t the solution, but might be a convenient part.
How do you know your computer is free of keyloggers? You don’t.
It’s not the answer most people want to hear, but it’s the true bottom line.
There are a few reasons for it, which I’ll discuss, as well as what you and I need to do in the face of this rather grim reality.
I talk about encryption a lot. I talk about backing up even more.
Encryption is a critical component of keeping data safe and secure and out of the hands of those who shouldn’t see it.
Backing up, of course, is our safety net for when things go wrong. A recent backup can save you from almost anything.
Unfortunately, I’d wager that most people are backing up their encrypted data improperly. The result is that they’re not as protected by that backup as they might think they are.
Encryption comes up frequently in many of my answers. People are concerned about privacy as well as identity and data theft, particularly on computers or portable devices where they don’t always have total physical control of the media.
The concern is that someone might gain access to sensitive data.
Encryption is the answer.
Even if your device falls into the wrong hands, proper encryption renders that access useless.
VeraCrypt makes encryption not only easy, but nearly un-crackable.
Well, it depends.
I’ll look at several approaches, but I need to be honest: you may not always be able to tell — at least not right away.
My bank account was just hacked. The hacker opened a new account, transferred money from my line of credit into that account, then transferred the money out to his outside account. So, it appears he somehow got my client card number and my password.
My laptop is about five years old, running Windows 7, which I update every week. I have BitDefender for virus scans, which I do a full system scan every week. My password was 15 characters long, with a mix of numbers and upper and lowercase letters. When I am not at home, I use a VPN service while on the internet. I have changed my bank passwords to 22 characters long and installed Malwarebytes Premium for real time virus protection.
So, I have two questions: how could a hacker possibly do this with the precautions I have? and how can I protect myself further from this point?
You do have good security in place — above average, I’d say. That makes this situation a little more difficult to diagnose, as well as a tad more frustrating.
While I certainly can’t tell you exactly what happened, I can speculate on some possibilities. I also have a few ideas on how I’d protect myself if I were in your shoes.
We frequently hear of major websites suffering data breaches that expose millions of user accounts and passwords to hackers.
This type of theft makes the concept of “good passwords” all that much more important to understand.
There’s been a tremendous amount of discussion relating to the amount of data kept, shared, sold — and occasionally leaked — by large service providers like Facebook and Google.
Regardless of how you feel about it, it highlights something I believe is important to realize: these services collect a lot of data. We may never know just how much is being collected or with whom it is being shared.
However, both Facebook and Google allow you to download data they’ve collected relating to your account. It’s unlikely to be everything, but even so, it’s a heck of a lot. It’s worth understanding what they have.
The technique is simple.
The problem is that the technique is time-consuming and ponderous.
Let’s review that technique, and what you can do to avoid this situation in the future.
My wife needs to encrypt patient files on her laptop.
She has been encrypting individual files, but I wonder if you recommend a program that will encrypt folders. e.g. her Documents folder?
Is there a way to encrypt a hard drive or partition?
Encrypting individual files is perhaps the least efficient way of protecting data. There’s also a serious potential for data leakage, as you must securely delete the unencrypted files after encrypting them. Most people don’t do that.
There are three basic approaches to securing data on a laptop. Which is most appropriate for you or your wife depends a little on how conscientious you are and a little on how geeky you are. Of course, all methods depend on how religious you are about backing up.
Avoid getting infected.
I know, that sounds trite and flippant, and I don’t mean to be so. Ultimately, though, all the advice boils down to exactly that: do what it takes to stay safe on the internet.
I regularly bank online. In fact, I’ve done so for years without incident. I much prefer it over the alternatives, particularly since many alternatives seem to be slowly disappearing.