Whether or not they do is a different and perhaps even more important question. Exactly how much they might track is also at play.
Naturally, the next question is what to do about it.
Your current password?
You may not be able to.
You may be able to use the account-recovery techniques offered by Google and Gmail to set a new password, but Google will not tell you your current password.
If you’re very lucky, however, you may be able to discover it somewhere else: your browser’s saved passwords.
As support comes to an end for Windows 7, many people are concerned about the security ramifications of continuing to browse the internet with it.
As Windows XP users discovered, many browsers continued to support XP long after its end-of-support date.
Were they secure?
To answer that, we need to dispel a common myth.
I’ll assume you mean BitLocker whole-disk encryption, but the concept applies to many different encryption tools. You can often change the password (or passphrase) without needing to re-encrypt whatever it is you’ve encrypted.
The secret is simply this: your password wasn’t used to encrypt the disk.
Something else was.
One question that shows up almost every day in the Ask Leo! inbox is how to remove malware.
The scenarios differ, but the problem is the same: a machine has been infected with spyware, a virus, or some other form of malware, and that machine’s owner is having a tough time getting rid of it.
And often there is anti-malware software installed that “should” have taken care of it before it got to this stage.
Hopefully, that’ll never be you. If it is, let’s review the steps I recommend for removing malware and reducing the chances it’ll happen again.
I was somewhat taken aback by this question. It’s a perfectly good question — it’s one that more people should be asking more often.
No, my reaction was due to the lack of a good answer.
It turns out that it’s fairly difficult to ascertain whether or not something you’ve downloaded is about to play havoc with your system, particularly before you download it.
But it’s getting better.
Passwords have been in the news a lot lately, mostly due to various breaches at an assortment of online service providers.
I want to briefly touch on four topics:
Yes, it’s true.
But before you focus on it too much, there are two things to keep in mind:
Let me explain what I mean and what you can do to protect yourself — if, indeed, you can protect yourself at all.
I regularly hear from people who’ve had their email or other online account compromised, are able to recover access to it, and change their password, only to have the account stolen again almost immediately.
The problem is simple, but the solution is a bit of work.
First, you have to realize that while someone else has access to your account, they have access to everything related to that account.
As a result, changing your password just isn’t enough. You need to do more.
1: I think this is probably the biggest reason secret questions are being used less often of late.
While it might seem that it’s taken over your computer, it’s more than likely it’s taken over something much simpler: your browser.
As you might imagine, I get questions like this all the time.
Here’s a short summary of my current recommendations.
My email address was in one of the breaches we keep hearing about. Is that address still safe to use? Should I get a new email address?
There’s no need to get a new address just because your email account was part of a breach — as long as you can still log in to your account.
There are steps you should take, but that’s not one of them.
If you can’t log in to your email account any more, though, you may have no other choice.
Keeping track of passwords is hard enough (though a good password vault helps a lot). But now, it seems, we need to start keeping track of all the various and sundry breaches that have occurred, possibly without knowing whether we’re directly impacted.
A service like Have I Been Pwned? is a great start, particularly with its Pwned Passwords service, which lets you know if your account, or a password you use, is discovered in a breach. You can get notifications when your email address is discovered in a breach, but when it comes to passwords, it’s still a manual process.
That’s where Password Checkup comes in.
2: And, yes, I did change my password for ring.com.
3: It is, indeed, an implication, but one that is simple and makes sense as a completely secure approach to doing this.
This is an update to an article that originally discussed only SMS two-factor authentication. Since then, two things have happened:
Unfortunately, these have led some to believe that two-factor authentication is pointless. To quote a reader: “This makes 2SV quite useless in many cases.”
No. Just … no. That’s a seriously mistaken conclusion.
I’m re-visiting this topic yet again because I want to be very clear: two-factor authentication is not useless. In fact, two-factor authentication — SMS-based or otherwise — is significantly more secure than not using two-factor authentication at all.
There are some clues to look for, and I’ll review a few of those, but ultimately, there’s no way for the average computer user to know with any certainty that a hacker is not in the process of weaseling in or that they haven’t done so already.
Perhaps now you’ll understand why I talk so much about prevention.
And I’ll talk about it some more.
It hasn’t been that long since I wrote about SMS two-factor being hackable, and why you should use it anyway.
It’s an important enough topic that when I saw another article discussing a potential two-factor exploit — ‘You can’t relax’: Here’s why 2-factor authentication may be hackable — I just have to jump in to reinforce my message.
Use two-factor authentication anyway.
I’ll explain why it’s important, even if two-factor is technically hackable.
Overseer.exe is apparently installed sometimes by Avast Free Anti-virus (and possibly other packages). The problem, as I discovered myself, is that uninstalling Avast did not remove overseer.exe.
That takes some extra steps.
4: Yep, it happens to me too.
As I write this, there’s been a breach (referred to as the “Collection #1 breach”) that apparently contains something like three-quarters of a billion email addresses and plain-text passwords. It’s newsworthy because it’s huge and contains passwords for anyone to see.
It’s also quite frustrating, for reasons I’ll outline in a moment.
Naturally, the question I’m getting most is simply this: what should you and I do?
The same thing we do every breach, my friend; the same thing we do every breach.
5: Per the initial announcement, there are 772,904,991 email addresses, but 1,160,253,228 unique combinations of email addresses and passwords, in a total of 2,692,818,238 records.
I don’t get this question a lot. But I really, really wish I did. What I get instead, repeatedly, is “I’ve been hacked, please recover my account/password for me!” (Which, for the record, I cannot do, no matter how often, or how nicely, or not so nicely, I’m asked.)
The only salvation is in prevention, and this applies to email, social media, and pretty much any password-protected account you might have.
What can you do to make sure your account doesn’t get hacked in the first place?
6: I often hear from folks who are concerned that providing a phone number is really just another way to track you. I don’t buy into that conspiracy theory. Providing a phone number is all about being able to prove you are the rightful account owner should you ever lose access to the account.
Not a day goes by that I don’t hear from someone who’s in the middle of some kind of account recovery process that isn’t working.
While I try to help out to the degree that I can — usually with instructions that are often no more than the service provider’s instructions translated into clearer English — it’s also not at all uncommon for those accounts to never be recovered.
And, to be super blunt about it, most of the time, it’s the account owner’s own fault.
In a world where we measure things (like speaker volume) from 0 to 10, it’s time to crank your password strength up to 11. Take whatever you think a strong password might be — and make it stronger.
Unfortunately, too many people still have their password strength firmly planted at zero.
7: Which I did not have to look up — it’s that memorable.
As you can see, this is a composite question based on a scenario I hear from time to time.
A relative or acquaintance has passed away and left behind a password-protected PC containing files that are important for any number of possible reasons.
You may be able to get in. On the other hand, particularly if your late relative was security conscious, you may not.
8: Yes: had the BitLocker key been saved somewhere else, the drive could potentially be accessed. There are many different things the original computer owner could have done to make this easier, but for the sake of this article, I’m assuming none of them happened.
If you’ve been on the internet for any length of time, you probably feel like its main purpose is to distribute pornography, drug ads, and questionable financial solicitations. If you’ve got kids, you’re probably also worried about pedophiles, cyber-stalkers, bullies, and other nefarious net inhabitants.
While things aren’t nearly as bad as the press might make it out to be, it is bad enough.
What’s a responsible parent to do?
9: Seriously. Over the years I’ve been taken to task for using “OMG”, as well as saying something “sucked”, because those terms were respectively considered blasphemous and pornographic in origin — at least to the complainers.
10: Many libraries choose not to filter internet access, and others are prevented from doing so.
There’s so much more to your computer, as well as your activity history, than just cookies and whatever tools like CCleaner can clean.
So much more.
I’ll review a few of the more obvious ways employers can recover or collect information about your activity. Realize, though, it’s not with the intent that you be able to hide what you’re doing, but to illustrate the futility of even trying.
11: Sadly, there are no absolutes. For example, there’s a very small chance that data overwritten on magnetic material could still be recovered through extensive (and expensive) forensic analysis.
12: Remember, I’m not a lawyer, and none of this is legal advice. If you need legal advice, get an attorney.
Whole-disk encryption is a form of data security that encrypts all the data on a hard disk, irrespective of what that data might be.
Encryption and decryption happen at a low level, making it transparent to normal usage. As long as you’re able to log in to your Windows machine, you’ll have access to everything on it as if it were unencrypted. Turn the machine off, and the data is inaccessible and securely encrypted until you sign in again.
Low-level encryption and decryption can happen either by the hard disk itself, as data is read from or written to the drive (hardware encryption) or by Windows (software encryption).
The problem? Some drives using hardware-based encryption have been discovered to have vulnerabilities that could allow encrypted data to be exposed.
13: That being said, this too can change. Whatever whole-disk encryption solution you might use, check with its provider to ensure that the vulnerabilities don’t impact it.
Making technology both convenient and secure is a problem we deal with daily. We make trade-offs and use techniques that we hope strike an appropriate balance.
A more difficult dilemma that we rarely think about, however, is death. If something were to happen to you, would the people you leave behind be able to access the information they need? What happens to your encrypted data, online accounts, social media, online finances, pictures, and digital-whatever-else if for some reason you’re not around or able to access it?
I hear regularly from people frantically trying to access important, sentimental, or critical data that a recently deceased or incapacitated friend or family member has locked up tightly.
It’s not particularly pleasant to think about, but with all the security measures we put into place to keep bad people out, it’s worth having a plan for letting the good people in.
14: If, like me, you use two-factor authentication, make certain that your friend is likely to have access to your second factor, and/or provide a few of the one-time passwords that should be set up to access your account should your second factor ever be lost. Most two-factor solutions provide this ability.
Not surprisingly, password managers are all about passwords. More specifically, they’re about automatically saving and entering your username and password when you need to log in. When it comes to security questions, often also referred to as “secret questions” — well, that’s just not their job.
But that doesn’t mean they can’t help.
15: Taken to an extreme, it’s quite possible to specify that your mother’s maiden name (or other security answer) is something like “K5rhts87w4McPVwFqK2A”.
Mobile phones are amazing devices. They’re much more than just having your email or social media at your fingertips; they’re truly portable general-purpose computers that also happen to be able to make phone calls.
We do a lot with our phones. Because they’re always with us, they’re one of our primary means of content consumption — everything from social media to news to maps to ebooks and more — as well as our primary means of communication (though ironically, rarely by actually using the telephone) and one of our primary content-creation devices as well, in the form of photos and videos.
As tiny computers, we’ve come to rely on them to store data, act as security keys, wallets, fitness trackers, automotive trackers, and dozens of things I can’t even think of right now.
Given everything we use our phones for, to say that we shouldn’t lose them is stating the obvious. And yet lose them we do. I’m going to review some of the things you need to be aware of when (not if) you lose your phone, and some of the ways you can mitigate the damage when it happens.
One of the hidden issues in online storage is privacy. Almost all online storage providers have the ability to examine your data or hand it over to law enforcement even if the provider has encrypted your data.
Hopefully, most of us will never have to deal with the law-enforcement scenario, but even the realization that a rogue employee at an online data storage provider could peek into what we keep online can cause concern. For some, it’s enough concern to avoid using cloud storage at all.
The solution is simple: encrypt the data yourself.
Unfortunately, implementing that “simple” solution isn’t always that simple or transparent, and can add a layer of complexity to online storage some find intimidating.
BoxCryptor is a nicely unobtrusive encryption solution that is free for personal use.
16: The over-hyped marketing term “cloud” is nothing more than a replacement for “online”. “Cloud storage” is nothing more than storage provided by online services.
17: Depending on the laws in your locality, of course.
18: And, of course, anyone you choose to share the password with.
19: Based on the original TrueCrypt project.
I’m occasionally faced with this same dilemma. Either for expediency or convenience, I want to email something I wouldn’t want to fall into the hands of anyone else.
While there are many approaches, there’s really only one pragmatic approach.
20: PGP or mime, for the curious.
I’ve reviewed similar questions but I’m not sure I truly understand what information a web server can collect from my connection/browser.
This turns into a fairly complex answer pretty quickly. It’s both more and less than you might think.
I’ll start by covering what every website sees.
Yes, it’s still true: a VM doesn’t get you any additional privacy from your ISP.
I do need to clarify exactly what “everything you do” means. I’ll also revisit what you need to do to avoid ISP monitoring. Hint: a VM isn’t the solution, but might be a convenient part.
21: Performance is amazingly good. On my machine (a four-year-old 12-core Mac Pro) I’ve successfully run Windows 98, XP, Vista, 7, 8, and 10, all at the same time, for fun. While not ideal, the fact that this was even possible is pretty impressive.
In addition, askleo.com itself is a virtual machine. Virtual hosting providers use exceptionally high-end servers with multiple cores and lots of disk space and RAM to host multiple instances of various servers for various customers. That the askleo.com server is on such a virtual host is completely transparent to it: it thinks it’s on a dedicated server.
22: Even this isn’t absolute. While your ISP can’t decrypt the data, they might be able to compare characteristics of your download against known downloads of specific files. As a grossly oversimplified example, if they download a specific movie and you download the same movie, the encrypted data might look identical, so they would “know” what you’ve downloaded.
How do you know your computer is free of keyloggers? You don’t.
It’s not the answer most people want to hear, but it’s the true bottom line.
There are a few reasons for it, which I’ll discuss, as well as what you and I need to do in the face of this rather grim reality.
I talk about encryption a lot. I talk about backing up even more.
Encryption is a critical component of keeping data safe and secure and out of the hands of those who shouldn’t see it.
Backing up, of course, is our safety net for when things go wrong. A recent backup can save you from almost anything.
Unfortunately, I’d wager that most people are backing up their encrypted data improperly. The result is that they’re not as protected by that backup as they might think they are.
Encryption comes up frequently in many of my answers. People are concerned about privacy as well as identity and data theft, particularly on computers or portable devices where they don’t always have total physical control of the media.
The concern is that someone might gain access to sensitive data.
Encryption is the answer.
Even if your device falls into the wrong hands, proper encryption renders that access useless.
VeraCrypt makes encryption not only easy, but nearly un-crackable.
23: When the option “Preserve modification timestamp of file containers” is not checked in VeraCrypt’s options. This is actually a security/plausible deniability setting that, in essence, “hides” changes occurring within the container from external detection. Unfortunately, it breaks the ability to back up VeraCrypt containers or sync them to cloud storage providers reliably.
Well, it depends.
I’ll look at several approaches, but I need to be honest: you may not always be able to tell — at least not right away.
My bank account was just hacked. The hacker opened a new account, transferred money from my line of credit into that account, then transferred the money out to his outside account. So, it appears he somehow got my client card number and my password.
My laptop is about five years old, running Windows 7, which I update every week. I have BitDefender for virus scans, with which I do a full system scan every week. My password was 15 characters long, with a mix of numbers and upper and lowercase letters. When I am not at home, I use a VPN service while on the internet. I have changed my bank passwords to 22 characters long and installed Malwarebytes Premium for real-time virus protection.
So, I have two questions: how could a hacker possibly do this with the precautions I have? And how can I protect myself further from this point?
You do have good security in place — above average, I’d say. That makes this situation a little more difficult to diagnose, as well as a tad more frustrating.
While I certainly can’t tell you exactly what happened, I can speculate on some possibilities. I also have a few ideas on how I’d protect myself if I were in your shoes.
24: Don’t laugh. It’s happened, usually with some kind of legacy compatibility as an excuse.
25: Happens to me about once a year.
We frequently hear of major websites suffering data breaches that expose millions of user accounts and passwords to hackers.
This type of theft makes the concept of “good passwords” all that much more important to understand.
28: Technically, this is actually not true: it is possible that two inputs will generate the same hash. However, it is statistically so extremely unlikely that it is simply a non-issue. And as stated in the hashing algorithm requirements, there’s no way to know how to pick an input value that would give you a specific hash value.
29: Trust me, you do not want to dream up your own hash. You really want to leave the math involved to trained professionals. Homebrew hashes are typically cracked within seconds.
Password Haystacks – GRC.com has a great look at the password-length issue, including a calculator to play with.
There’s been a tremendous amount of discussion relating to the amount of data kept, shared, sold — and occasionally leaked — by large service providers like Facebook and Google.
Regardless of how you feel about it, it highlights something I believe is important to realize: these services collect a lot of data. We may never know just how much is being collected or with whom it is being shared.
However, both Facebook and Google allow you to download data they’ve collected relating to your account. It’s unlikely to be everything, but even so, it’s a heck of a lot. It’s worth understanding what they have.
30: These instructions assume the desktop/web interface to Facebook. While these options may be available on a mobile device, the interface is clearer on a PC, and, pragmatically, you’ll need a PC to examine results.
31: Probably mostly full of Corgi pictures. 🙂
The technique is simple.
The problem is that the technique is time-consuming and ponderous.
Let’s review that technique, and what you can do to avoid this situation in the future.
32: There may be a couple of recovery techniques, but you need to set them up beforehand. Most people don’t.
My wife needs to encrypt patient files on her laptop.
She has been encrypting individual files, but I wonder if you recommend a program that will encrypt folders, e.g. her Documents folder?
Is there a way to encrypt a hard drive or partition?
Encrypting individual files is perhaps the least efficient way of protecting data. There’s also a serious potential for data leakage, as you must securely delete the unencrypted files after encrypting them. Most people don’t do that.
There are three basic approaches to securing data on a laptop. Which is most appropriate for you or your wife depends a little on how conscientious you are and a little on how geeky you are. Of course, all methods depend on how religious you are about backing up.
33: A Mac, but this functionality is available for PCs in the form of BitLocker.
Avoid getting infected.
I know, that sounds trite and flippant, and I don’t mean to be so. Ultimately, though, all the advice boils down to exactly that: do what it takes to stay safe on the internet.
I regularly bank online. In fact, I’ve done so for years without incident. I much prefer it over the alternatives.
You would think.
That’s what makes it so frustrating when these attacks end up being successful.
The problem is that security is often an afterthought. In fact, it’s often not thought of in any deep sense until after a successful attack.
The good news is, there’s something simple you can do about it.
34: This is an over-simplification. A properly secure password storage mechanism would use a different hashing function, for a variety of reasons, as well as a unique, random number as a salt. I found a good, more detailed rundown at Salted Password Hashing – Doing it Right.
A few minutes ago I scanned a page on generators from a Harbor Freight catalog and sent it to my son using Gmail. A few minutes later I got an email from Harbor Freight — in Yahoo, via Thunderbird — with this subject line: “You Can Rely on These Predator Generators on Sale Now.”
How does this happen? How does Harbor Freight know that I’m thinking about generators? Seems like there’s something on my computer monitoring my outgoing emails and alerting sellers to send me an ad on the item.
Or is it my son’s computer that’s doing it?
Either way, it’s creepy and something I’d like to stop.
I understand it feels creepy, but many aspects of what you describe represent the “cost” of free services like Gmail and Yahoo! Mail: advertising.
There’s not enough information for me to say exactly what happened, but I’ll describe some possibilities. There’s also one aspect of it I can’t explain at all.
It’s impossible to prove that it can’t be (or wasn’t) recorded: you can’t prove a negative. And ultimately, if this is something that really concerns you, then don’t do that!
But I don’t think there’s going to be a problem here. In practical terms, with one exception that most people don’t think about, it’s highly unlikely.
It’s a term you hear frequently of late, usually in the context of newly-discovered vulnerabilities in operating system software: “privilege escalation”. Recently we’ve even heard it in the context of a newly-discovered hardware issue.
On the surface, the term seems fairly simple, but as we know by now, when it comes to computers, it’s rare that anything is truly simple.
In this article, I’m going to look at one type of privilege: the privilege model used by your operating system to allow software to do useful things while simultaneously restricting what it can do, so as to keep you safe.
35: For this discussion, drivers are best considered part of the operating system.
36: I’m using the term “user-mode” here explicitly as part of this kernel/user distinction. It’s actually unrelated to whatever user you happen to be logged in as.
37: As I write this, the details haven’t been released, so it’s impossible to say how much control the user-mode code would have over choosing what it might want to peek at.
Two newly discovered vulnerabilities have been getting a lot of press recently. Much of it has been quite sensationalist, due to the nature of the underlying issues.
The flaws are in hardware design — specifically the CPU — and not just one CPU, but apparently a wide variety of CPUs — meaning that just about any computer or device using the most popular CPUs of the last couple of decades is probably vulnerable to the issue.
So, to answer everyone’s first question: yes, your computer or mobile device is likely affected.
The next question is, what to do about it?
Step one: don’t panic.
It’s a very unlikely scenario that could allow a turned-off computer to be hacked. I’ll describe it and show you how to prevent it.
I normally avoid these types of relationship-related tech questions, because they’re more about relationships than about technology. And I’m certainly no therapist.
However, I get this type of question often enough that I’m going to use it as an example of the technological implications when good relationships go bad.
Short answer: you’re in trouble until you take some drastic action.
38: And probably the passwords to other accounts that he created or had access to while setting up your machine.
Normally, this is where I’d quote the original question.
This topic appears in so many different guises and in so many different ways that quoting a single question would represent only a very small slice of a much larger issue.
Call it what you will, cyber-bullying, or online harassment, is a frighteningly common occurrence. Those most at risk appear to be children and individuals who’ve been in abusive domestic relationships.
The questions I get most often are:
I’ll tackle each one of those and a couple more.