Jeff is concerned with the current state of online security. So many companies are taking security for granted: they send software passwords in an email and commit other foolish acts online. Leo says that the CTO should know better. But Leo also admits that security is hard, and there's no such thing as perfect, bulletproof software when it comes to security. Inevitably, software will acquire flaws as it gets updated. But a lot of software has dumb mistakes that slip through due to arbitrary deadlines.
Bruce can't get the latest Windows Update, 1903, on his HP laptop. Microsoft says that his BIOS is too out of date, and as such the update will fail and roll back. Is there a way to block it so it won't keep trying? The problem is that Microsoft has stopped supporting 1803, which is where Bruce is stuck, and as such he won't get security updates starting at the end of the year. That's a real concern. He tried putting it on a metered connection, and that does stop it, but he's worried about security. He still wants the security updates.
The mobile app FaceApp is causing concern among privacy advocates, and even members of Congress, because people are concerned that their photos are being uploaded to servers in Russia. But the developer, who worked for Microsoft when he got the idea, assures users that all photos are uploaded to Amazon cloud servers. The bigger concern is that the terms of service grant FaceApp ownership of your likeness forever. Leo says, though, that it's just legal-speak written in the broadest possible terms.
Jim ran the GRC Shields Up scanner on his router and discovered that port 443 was open, not stealth. Is he vulnerable? Leo says you have to have port 443 to run on the internet, but it should be in "stealth mode." You'll also want to find out what's using it. netstat will help you determine that; Wireshark will also do that. His fan is also running a lot. Leo says that may mean the computer is getting hotter. It probably needs to have the dust cleaned out of it.
Hackers somehow got hold of a malware exploit that was developed by the NSA and used it to attack the city of Baltimore. The malware, a ransomware exploit known as EternalBlue, was taken home by an NSA contractor, and Leo says that Kaspersky antivirus quarantined the malware and then sent it to the home office in Russia.
Marie wants to know about an alternative to Gmail. Leo stopped using Gmail because of its invasive ads, but the other side of the coin is that Gmail has the best spam filters of all. Leo moved to FastMail, so Marie can use Gmail to initially filter her email and then forward the rest to FastMail. Then she can run the secondary spam Sieve filter there.
Facebook had another security issue this week, as the social media company admitted that millions of Instagram passwords were stored in a plain text file that could be easily accessed by anyone on the network. But they swear that it wasn't accessed or maliciously misused. Since they initially stated thousands, then admitted millions of accounts were at risk, and since it has happened many times now, Leo says that Facebook's priorities are out of whack. They don't really care about protecting user data.
Dolores wants to know if it's safe to scan images of documents and send them to her attorney. Rich says it depends on the app itself. Take proper precautions and use a reliable, reputable app. Rich uses Google Drive to scan documents on an Android phone. On the iPhone, scan the document with Apple's Notes app, or with Scannable.
Once she's scanned them, she wants to be sure she can send them securely.
Leo says that while 2018 was the year of ransomware, 2019 is even worse. Arizona Beverages got hit by ransomware last week. The attack shut down sales operations for days and scuttled their networks and servers. The network was hacked and encrypted, targeted by hackers with a ransom note posted to their website. Leo says that Arizona struggled for five days trying to rebuild their operations. Most of their servers hadn't been given security patches in years, and their backups didn't work.
Nathan wants to know if there's any recourse if a company isn't protecting his passwords. Leo says in Europe they have the GDPR, but in the US the only real protection is through HIPAA in the medical field. Leo recommends talking to Brian Krebs at Krebs on Security and asking him how to write a letter to warn them of their liability.