Don has noticed someone from the Ukraine has tried to log into his Microsoft account on a weekly basis. Should he be concerned? Leo says as long as you don't use the same password, have 2-factor authentication, and have a password manager like Last Pass, there's no way he can get into it. But make sure you have 2 Factor turned on just in case someone manages to guess the password. It will then ask for an authentication code from you through Microsoft Authenticator, which notifies you via text. It's very secure.
Charles got a new Eero mesh router all set up (Eero is a sponsor of the TWiT Network), but now he gets a warning that his router can be seen online. Leo says that the best thing a router can do is be invisible by not responding to any online queries. It's called Stealth Mode. That's what GRC's Shields Up will test. Most routers have PING turn on by default. But you can turn it off in the security settings. Also, turn off universal plug n play and file sharing.
Kevin bought some Feit smart bulbs from Costco. Leo says that LED light bulbs can be controlled by mobile phones. But he's concerned about security because they connect to his network. Leo says that's a concern with IoT devices. But if he can keep it up to date, he'll be fine. But the risk is there. He's also been using an Apple Airport. Leo says Apple isn't supporting the Airport anymore and he wants a WiFi 6 router. Leo recommends the TPLink Archer A7.
This is creepy. A hacker managed to hack into a ring camera placed in the bedroom of an 8-year-old girl, and then pretended he was Santa Claus talking to her. RING said it wasn't a breach in Ring's security, but was due to the parent not using a unique user name and password. She used the same one as for other things, making it really easy to breach. Leo says that hackers can read a unique signature for internet enabled cameras and then can use that login to brute force it open. Leo says to stop reusing the same password. That's a recipe for calamity.
Brett is worried he's been hacked. He used UNRAID to create his own Network Attached Storage. But he recently got a message that he had 114 login attempts on his network. Leo says that it is very common. Any server that is online and attached to the internet will be attacked. Mostly by a bot that is programmed to look for servers online. Make sure you have security features that only allow logins from approved regions, IP addresses, or from your work. There should also be a feature that will lock out an IP address that keeps trying to log in.
Looking at Internet of Things phenomenon, the Portland FBI issued a blog post talking about how connecting your computer to the same network as your internet-enabled refrigerator could pose a security risk. They advise changing the device password settings from the default, make them as long as possible and unique. Leo says that it's not practical to have a separate connection for your IoT devices. But regularly updating your devices and giving them a good password is a good idea.
Tamar let her grandson use her iPad, and now there's a ton of games on them and she's concerned that there may have been a security issue. Leo says that Apple's app store is very safe, and as long as her credit card wasn't used, or as long as he hasn't made any in-app purchases, she's safe. And it's off by default. To delete, just press and hold until it jiggles and then select the little X to delete. She can also turn off In-App Purchases completely. Here's how.
Also, sit down and give the kid a little chat.
Leo says that many are complaining that big tech is far too intrusive and is destroying our privacy. But Leo says that this is largely overblown with people acting like "privacy puritans." A lot of it can be mitigated by Big Tech keeping our data secure and coming out with an accurate and truthful privacy statement for all to see. If we give up some data privacy for free services, Big Tech should treat it as a public trust, and give customers the right to opt-out.
Jay is being bothered by third party cookies and notifications. Is that still a security risk? Leo says that websites don't want to wait for you to come to them, they want to push their content to you. Leo always says no by default, and he also recommends browsers like Firefox and Brave, that will globally say no to notifications. It's in their app settings. Cookies, by contrast, get a bad wrap. Cookies aren't really dangerous. They basically save settings so when you return to a site, you don't have to enter your password again.
Dan signed up for a VPN recently, and he can't use it with his banking, Netflix or other apps. Leo says that the bank is probably blocking it. VPNs can break IP-based authentication. BBC iPlayer, for instance, blocks VPNs, because you're not paying for the TV license fee. Netflix does it because it doesn't want another region to be watching content that isn't available for licensing reasons. Banking activity is encrypted, so you don't really need a VPN for it. Google has also been pushing for HTTPS encryption with every site, so if every site is encrypted, there's no real need for VPNs.