Digital Security

Today's Digital Security Tip: #U2F used by a hardware device like Trezor is better than the #TOTP authentication used by Google Authenticator. https://blog.trezor.io/why-you-should-never-use-google-auth

TLDR: Follow us! www.twitter.com/Digsec88 Hello friends. We started this not-for-profit blog to SHARE our knowledge, since we spend a lot of time following the latest security threats BUT Facebook consider PAGES to be a business tool and they're rarely showing our posts to you unless we pay. We're altruistic but not that altruistic! Follow us at www.twitter.com/Digsec88 for important, time-dated tweets, and here on FB for longer posts.

"Ultrasonic Cross-Device Tracking" uses your device mic to track you without your permission. Massive invasion of privacy.

Today's Tip- follow Rob Braxman, a top PRIVACY expert on YouTube. Today's video link examines encrypted chat and mail services for their flaws and we can summarize in one word: it's the METADATA. USER comment: Rob, it's clear you're a huge proponent of privacy but I'd like to make a request- please start to distinguish between privacy and SECURITY. What I am extremely concerned about is NOT Google tracking me, it's all the security holes on my PC and devices. Accordingly, I'm outraged at Google for discontinuing security updates on older but still perfectly good phones.. like the Nexus 6, for example. Can you please address how to keep our (especially older) phones SECURE, even if we're not so privacy-fixated as you?

The vast number of zero day exploits that no AV can defend you against means you need to develop AUSTERE digital security practices. Today's TIP: Use completely separate devices for web browsing & reading email versus your critical business, banking and crypto activities. Your secure devices should have an absolute minimum number of apps on them and be used only for those purposes. https://www.zdnet.com//this-stealthy-hacker-for-hire-gro/

TLDR: Your iPhone is NOT secure any more. Sorry to share bad news with you but this detailed video by The Hated One, our go-to YouTube security expert, blasts Apple for massive unpatched vulnerabilities, especially in iOS, from 2016 to present, stemming from its secret source code. Android, meanwhile, has great improved its security in recent years due to its open architecture and transparency.. thousands of programmers are studying it for vulnerabilities and reporting them f...or bug bounties. Even so, the most secure OS by far is the custom Android OS called GRAPHENE. We'll be covering it in future posts. Stay safe. Please share and like so the word gets out.

Today's post: how to password-protect sensitive apps on your Android device? We used to highly recommend free Norton Applock (until it installed AV software without permission). An ad-supported/paid app is APPLOCK by DoMobile. Here's a review (this is NOT an endorsement from us). "AppLock. developed by DoMobile Lab. It is one of the most popular and downloaded third-party app-lock apps out there. With an impressive half a billion downloads, AppLock is also the most downloaded... lockscreen and app-lock app featured on the Google Play Store. And with its measly 5.3MB (DigSec: it's now 8+ mb) AppLock is won't even take up much of your phone's storage or impact its performance. Despite its small size AppLock is loaded with an abundance of security features. "You can lock individual programs on your smartphone with either a password, PIN, or a biometric like your fingerprint. Asides from its impressive app protection capacity, AppLock also features an incognito browser if you want to privately surf the internet, an intruder selfie function which automatically takes a photo of any would-be-thief using the front-facing camera, customizable timed lock/unlock, a lock for incoming calls, passwords for WiFi and Bluetooth and much more. "Some of these features include the option to hide your photos and videos from the gallery app and save them in a private vault within the program. You can also make sure AppLock doesn't get deleted (without the appropriate password) or being shut down by ram boosters or task killing apps and processes designed to hinder apps like AppLock. "When you first install the app you will be prompted to set-up a master password, pin or pattern (make sure you don't lose it) which you would use to unlock your phone each and every time you want to start or open a locked app. From there you can then choose to set up fingerprint unlock and even hide the AppLock icon from your phone's app drawer so you don't tip off any would-be invaders." https://www.cyclonis.com/how-to-password-protect-apps-andr/

Google One is a paid cloud storage product. We highly recommend backing up your Android phone to a special Google Acct you create for the purpose; ie: with a high-security password (which is used as the encryption key) and an email address that you keep secret so you can never be sent phishing/spear-phishing or any other criminal hacker emails. GOOD NEWS: Now you can do all of the above absolutely FREE! ZDNet: Google One, Google's paid consumer storage product, makes some fe...atures free. https://www.zdnet.com//google-one-googles-paid-consumer-s/ See more

Dear Reader: Some may need to stay digitally-safe in a police state. We never imagined this would apply to OUR countries, so we did nothing for years. Now, in the USA, data collected from ALPRs (automated license plate readers used by police) and other sources is often sold to third parties, who then resell that data to insurance providers, banks, and credit monitors. What an invasion of privacy! The famous magazine Popular Mechanics has written this advice for US citizens...Continue reading

TLDR: do NOT reuse passwords! Use a password manager like LastPass to make it easy to use different, auto-generated passwords for everything. Forbes: Got An Email From A Hacker With Your Password? Do These 3 Things. https://www.forbes.com//got-an-email-from-a-hacker-with-y/

Home security tips. Our fave: Say, "Alexa, I'm leaving" and if she hears breaking glass, etc, she'll notify you. https://www.cnet.com//best-cheap-home-security-devices-f/

TLDR: The U.S. Senate has introduced Senate Bill 4051, the Lawful Access to Encrypted Data Act aka LEAD Act that plans to be the worst infringement of YOUR data security and privacy EVER! What if you say, "But I'm not American"? Is any of your tech made in America? Do you use FB, Google, Microsoft, Apple etc? Then you should be concerned. If the US gets away with this, THEN your government will try to confiscate your privacy too! Contact your political representative and...Continue reading

FYI Only. TLDR: Any Chinese software can easily be malware. Much-maligned Facebook has taken big steps to increase your data security options, such as the "encrypted chat" capability of FB Messenger. Privacy opponents say they're trying to fight "child pornography" which is a GREAT line, because who would ever say they're against fighting child porn? Thankfully, Zuckerberg isn't that easily pressured into giving away your data security. Apple famously refused the FBI request to include backdoors to its iPhones. Meanwhile, NO Chinese company has the right to resist their own government's demands to compromise the security of their own products.. as evidenced by the backdoor-laden official bank software described in this article!

Further to the danger of insufficiently vetted apps on Google Play, we present "Inputting Plus", a helpful utility app that adds keyboard functions. As useful as this app is, it's potentially very DANGEROUS & insecure. Think about it: the app is always listening for your keystrokes & it has full internet access. Foreign actors in Russia, China etc are using seemingly-helpful apps like this one to harvest usernames & passwords by the millions. Google does NOT thoroughly check ...out apps and the ID of developers on Google Play, they just run a security scan 2 detect known malware signatures.. not nearly enough! YOU have 2 care about yr own security, the big players (Microsoft, Google etc) don't! https://play.google.com/store/apps/details

There are fake apps on Google Play and Chrome Store. Do your due diligence in checking the provenance (where it comes from) of ANY app but especially money-related apps. Decrypt: Podcast host loses 7 years of Bitcoin savings in a single mistake. https://decrypt.co/?p=32173

#Phishing never ends, but the lures get updated. Now it's emails about missed Zoom meetings. Don't click on links within emails, enter the URL's yourself in your browser bar. Don't open attachments either.

In the midst of this BS meme that Zoom isn't safe, here's a REAL security issue: Get phished by clicking this fake Covid-19 hospital email, and the Excel file attached will.. ".. open as an excel file and alert users to enable content - however, once the content is enabled, the embedded macros in the excel file start to download, install and execute a malware. This malware can remain hidden from many forms of antivirus software, before tracking and stealing personal inform...ation such as: Cryptocurrency wallets Browser cookies containing saved login credentials Local IP address and other related information Modify network settings and allow files to be shared via the internet List out all the programs installed on the system." We recommend disabling Excel macros from even running at all on your system. Contact us to find how how.

Good security news for once. The outcry over Zoom is basically nothing, since #Zoom "offers its own security features, including the ability to password protect chat rooms, and enable virtual lobbies that can prevent Zoom-bombing, they werent turned on by default until the company released an update on April 2." Zoom-bombing involved people getting hold of a Zoom invite and crashing the party since the hosts hadn't enabled passwords. So what!? Enable PW's next time. More ...seriously, the end-to-end encryption they advertised, although good, wasn't true end-to-end. As for Google banning Zoom for its own employers, they're a competitor. The very real concerns we advise you about here are for protecting your key email and other accounts, and indeed your whole device and its contents, from getting hijacked. THAT'S what you need to pay attention to. Stay tuned.

URGENT: zero-day exploit, patch your PC Firefox browser! Free Android security tip: Talking about browsers.. also install the "Firefox Focus" browser, turn off JavaScript and make Focus the default browser. This protects you from all sorts of click and get infected risks. It's very easy in Focus to open pages that need JavaScript in the main Firefox or other browser. The more layers and moats your security has, the better.

IMPORTANT: You need a special, high-security email for important accounts (like online banking) and this email service must NOT allow online password resets! Our top recommendations is TUTANOTA, a fully encrypted email service from Germany, free by donation, definitely not NSA-approved. Here's their e-mail security guide. Read it. https://tutanota.com/blog/posts/email-security-guide-online/

Installing #AdBlocker software like "AdBlock Plus" isn't just to reduce annoyance of glaring, flashing ads. It has an important security function since hackers place rigged ads that put malware on your devices! "On arrival, like a growing number of websites, Forbes asked readers to turn off ad blockers in order to view the article. After doing so, visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords,... personal data and banking information. Or, as is popular worldwide with these malware "exploit kits," lock up their hard drives in exchange for Bitcoin ransom." "..a bogus banner ad was found serving malvertising to visitors of video site DailyMotion. After discovering it, security company Malwarebytes contacted the online ad platform the bad ad was coming through, Atomx. The company blamed a "rogue" advertiser on the WWPromoter network. It was estimated the adware broadcast through DailyMotion put 128 million people at risk. To be specific, it was from the notorious malware family called "Angler Exploit Kit." " https://www.techdirt.com//forbes-site-after-begging-you-tu

Today's post is about Adobe FLASH Player. It's outdated technology and a constant security risk, requiring constant security patching. Don't use it and, above all, don't okay windows that pop up to update Flash Player.. this is a common way to trick people into installing malware. The latest HTML5 can natively run videos so Flash is no longer required. To dinosaur companies still requiring Flash to view content on their websites: shame on you. https://www.pcrisk.com/internet-t/10500-flash-security-risk

EDITORIAL. Normally we just pass on important new info but this post has a simple message: as a customer, you have to right to DEMAND better security! Unless we REQUIRE companies to take our security seriously, they won't. In this link, the popular android task manager app "Any Do" is taken to task for its lack of user security. https://anydo.uservoice.com//39874777-increase-app-desktop

Review of top Android AV (antivirus) apps. Google Play Protect is at the bottom of the list!

Today's useful security post examines how someone got locked out of her Google account, and how to avoid this happening to us! We add: use hardware 2FA (2 factor authentication) as the new gold standard of account protection.

Important Reminder: when browsing, NEVER permit anything to be installed, not even a new "security certificate". Websites compromised by evil-doers can pop up a real-looking but fake security warning. End result.. using Java, a permanent backdoor now installed on your PC. Bad news. This is exactly why we recommended using Firefox Focus with Java disabled as your default browser for exploring in the wild. Use your regular Firefox for going to bookmarks of known good sites.

** Warning! ** Your older Android device is INSECURE because Google & other phone makers don't care about your security, and don't see ANY responsibility to provide security updates! (They WANT you to discard your perfectly good 3-year old phone so you buy another one.) Support #anti-obsolescence and #right-to-repair.. contact your legislator because we need laws to protect us. (ps: Apple is even worse because they won't let repair shops fix your own iPhone.) ANDROID SECUR...ITY BY VERSION: "Current version is Android 10 while Android 9 (Android Pie) and Android 8 (Android Oreo) are still getting security updates; anything below Android 8 will carry security risks"! Its very concerning that expensive Android devices have such a short shelf life before they lose security support leaving millions of users at risk of serious consequences if they fall victim to hackers, said Which? computing editor Kate Bevan. Google and phone manufacturers need to be upfront about security updates with clear information about how long they will last and what customers should do when they run out. ( DigSec88: yeah, be upfront that they screw us! No, we need LEGISLATION.) "For its test Which? asked antivirus lab AV Comparatives to try to infect five test phones with malware: a Motorola X, a Samsung Galaxy A5, a Sony Experia Z2, a LG/Google Nexus 5 and a Samsung Galaxy S6. It succeeded on every phone, including multiple infections on some. "Which? added that Google and other manufacturers have questions to answer about the environmental impact of phones that can only be supported for three years or less. (DigSec88: think of the vast resources wasted when millions of good devices are discarded. We need legislation!) What to do if your phone is at risk: The magazine also provided tips on updating an Android device to a newer version of the operating system. To see which version of Android a device is using, open the phones settings app, tap system, then advanced and then system update. It recommended users on anything older than Android 7.0 Nougat update their phone or tablet through the system update menu. Smartphone users unable to update their version of Android will be at an increased risk of a hack, Which? said, especially if running Android 4 or lower. The current version is Android 10 while Android 9 (Android Pie) and Android 8 (Android Oreo) are still getting security updates, Which? said, and anything below Android 8 will carry security risks."

Why a Chromebook is more secure than a Windows laptop. TLDR : they're encrypted. https://www.howtogeek.com//traveling-bring-a-chromebook-t/

IMPORTANT security-enhancing tips for ANDROID/iPhone, direct from the hacker's mouth in this 5 minute YouTube video. TLDW (too long, didn't watch video):... 1. Install the free, open-source app NETGUARD (iOS: Lockdown) which uses a local VPN to block apps using the Internet without your permission. (China & other bad actors release free, fun, useful apps.. but the apps send your data daily to servers back in China. Why does a calculator app need to access the internet?) NB: Our hacker says that you can only use one VPN at a time and the local VPN is more important than a network VPN since most web traffic now uses HTTPS, meaning it's encrypted anyways! BUT we say a regular VPN protects you at, say, coffee shops from man-in-the-middle attacks that steal your log-in PW's! We use both VPNs, one at a time, depending on the threat. 2. Encrypt your DNS easily, so your web browsing is hard to track. For Android, just go to Settings, Network, Advanced and choose "Private DNS". Then change setting from "Automatic" to "Private DNS provider hostname" and put in: dns.google (Ironic, since Google is one of the entities that we are blocking from tracking you! :)) 3. For Android & iOS, use DuckDuckGo privacy browser instead of Google Chrome or Google Search. Google tracks everything you do! 4. Use throwaway privacy web browser FIREFOX FOCUS as your default browser to open links.. and make sure JAVA is OFF! The easiest way for a hacker to completely take over your phone is to get you to click on a bad website that has malware embedded in the Java. (ps: We go farther: do NOT click on any web link sent to you by text message or email!) By using FOCUS with Java disabled as your default browser, your device just became a lot safer and you can still use the regular Firefox browser with Java enabled to use known sites that are safe, that you have bookmarked. 5. For private messaging, use SIGNAL, the gold standard for open source, free, private, encrypted messaging. Facebook owns WhatsApp. Microsoft owns Skype and China surveils WeChat. 6. Use PROGRESSIVE WEB APPS (supported by Safari, Firefox & Chrome) to create homescreen shortcuts for services like Instagram, FB, etc. This way you don't need the actual apps for those services, thus you don't have to give those apps permission to access your files, documents, contacts, mic, camera, location, device identifier and more! 7. Be a minimalist. Only install apps that you absolutely need; the more of them you have, the more exposed you are. Review the permissions of apps.. most can work just fine without every permission. https://youtu.be/tkY9dhOF2WU

There's a new threat every day. That's why it's smart to follow our blog. Now what? The latest Cereberus malware in beta can steal Google Authenticator 2fa codes! Too bad the following article gives no solution to this issue! https://www.zdnet.com//android-malware-can-steal-google-a/

Today's smartphone security tip: Norton App Lock. It's free, no ads. Apps like Google Drive or banking apps are convenient but not very secure unless you build SECURITY MOATS around them. The first moat is always a good, unique password that you have not used anywhere else. A great second moat is to have any important account's associated email be a clean, new gmail account known only to you. Hackers can't phish an email nobody knows about but you. This brings us back to Norton App Lock, a third moat. Its only drawback is that there's a lag between when you invoke an app and when the AppLock screen pops up. If you use it, protect your Settings and Google Play too, so a snoop or thief can't just uninstall AppLock. Happy digital surfing y'all.

We all have smartphones and many devices (eg iPhones) have built-in batteries which cost a lot of money to replace. To extend battery life: DON'T HEAT THE BATTERY. Simple, huh? Some sources even say to extend your battery's life, charge it only within the range of 25-80% to avoid overcharging. Some people put their overnight charger on an electrical timer so the phone doesn't keep charging after 100% We recommend using Qi charging.. being wireless, it doesn't wear out your phone's jack and is more convenient. When charging overnight, we intentionally use a different, very slow, weak charger (600mA) to avoid battery heating. This way, even though it does go to 100% by morning, it did it slowly without any battery cooking.

Using FB and Google to log in to websites is called "single sign-on". It's a security risk: don't do it for banking, financial and other important sites. https://medium.com//the-dangerous-world-of-single-sign-on-

Large cellphone companies like #Rogers in Canada and Verizon in the US do not take your #security seriously at all. Scammers can easily steal your phone number and use that to reset your password on any account that used your cellphone for #2FA (2-factor authentication). For 2FA, use Google #Authenticator instead of your mobile. Or use a free VOIP Android app like Fongo instead of Rogers.

US law enforcement is aggressive so these Police iPhone security tips will be helpful no matter which regime you are dealing with, or whether you have Android. TLDR: Fingerprint or facial recognition is more easy to bypass by police or criminals than a good alphanumeric device PW. https://medium.com//how-to-keep-law-enforcement-out-of-you

Today's security tip: 'Using public USB charging stations, such as those found at airports, is kind of like finding a toothbrush on the side of the road and deciding to stick it in your mouth. Turns out hackers can compromise these stations so that they transfer data or install malware on any device that connects to them. Barlow recommends using a plug-in wall charger, a portable charger, or a Juice Jack Defender.' Here at #DigSec88, we recommend using Qi charging.. being w...ireless, it doesn't wear out your phone's jack and is more convenient. Battery Life Tip: to extend your battery's life, charging it within the range of 25-80% avoids overcharging. When charging overnight, we intentionally use a very slow, weak charger (600mA) to avoid battery heating. This way, even though it does go to 100% by morning, it did it slowly without any battery cooking. More travel security tips: https://medium.com//dont-use-public-usb-charging-stations-

We keep saying this: #2FA via cellphone is not safe because your number is easily stolen via #porting. If you MUST use a cellphone for 2FA, we suggest the FREE app #TextNow, available on Google Play. Actually, we also suggest #TextNow as a way to ditch the phone company and save a lot of money: they give you a free nbr, free texting and even free calling using VOIP (voice over internet protocol). No catch.. they pay for it with in-app ads, which you can pay to remove.

FBI warning about Smart TVs: easily hacked. How to fix: if it's an Android TV, since we recommend using a VPN for your smartphones, install your VPN app on your TV too.

TLDR: major #security risk if you ever use an open Wi-Fi network, even once. Solution: a VPN subscription. Your phone connects automatically to any #WiFi #SSID it has ever connected to before.. and they're super-easy to spoof.. you can rename your home WiFi "McDonald's" and anyone walking by with a smartphone will probably inadvertently connect to it. If it's an open network that your phone connects to, hackers can then easily mine all your passwords as your phone logs in. In the following TED Talk, Bram spoke all about the Open WiFi problem but never mentioned the simple solution: a #VPN. With a VPN your data is encrypted from everybody.. not just the #Man-in-the-Middle hacker but your ISP, the NSA, everyone. Follow us here (check "show posts first") because we'll be posting about the best VPN's and some fantastic price specials.

TLDR: Just because #passwords are displayed as ******** doesn't mean others can see them, using Inspect Element. #Inspect_element is one of the developer tools incorporated into the Google Chrome, Firefox, Safari, and Internet Explorer web browsers. By accessing this tool, you can actually view and even edit the HTML and CSS source code behind the displayed web content. One way to view a saved password is to right-click in the text area where the saved password is automatically entered but obfuscated, click Inspect Element, and change the type="password" attribute to type="". The password is then displayed.

Today: HOW TO BROWSE PRIVATELY "If youre logged in to a website, no matter if you are using incognito mode, or even a VPN, the websites owners can see exactly what you are doing. For the people who recognize the limits of #incognito mode, theyll generally then use browser extensions to help block more information being sent back to tech companies. These usually involve script, cookie, and ad blockers. The problem with this is that many websites rely on those same technolo...gies to work right again, this is especially true of websites you need to log into, like banks, social media sites, and shopping sites." What to do then? Click and find out. Too busy? Ok, here's TLDR: "Users will use one browser for any and all websites they need to log in to. This browser is the one on which theyll access their social media, banks, and shopping sites. "The big catch here is that users will never use this browser to search the web or randomly browse the internet. This browser is only used for bookmarked sites you need to log in to. Lets call this your accounts browser. "Users will then use a second browser for all their web searching and random browsing. On this browser, a user will never log into any website ever. They will never use this browser to personally identify themselves in any way, period. Well call this your everyday browser. By splitting up your web activity between two browsers, youll obtain the utmost privacy and anonymity possible without sacrificing convenience or the ease of use of the websites you need to log in to." The article has more detailed info but this is the concept. #StaySafe

#SecurityEssentials 101: Read thr article below to learn how to not lose your entire #digital-life and crypto to a hacker. TLDR follows: #GoogleVoice 2FA: In some cases, an online service will not support hardware-based 2FA (they rely on weaker SMS based 2FA). In these cases, you (should) create a Google Voice phone number (which cannot be SIM ported) and use that as your 2-Factor Auth recovery number.... Create a Secondary Email Address: Instead of binding everything to a single email address, create a secondary address for your critical online identities (bank accounts, social media accounts, crypto exchanges, etc.). Do not use this email address for anything else and keep it private. Back up that address with some form of hardware-based 2FA."

WiFi warning: hackers can easily spoof the WiFi hotspots you go to (eg "Starbucks") and capture all your logins. If your bank uses 2FA via text message, hackers can take over your phone number (by porting; carriers like Verizon are happy to oblige) and then pass 2FA authentication with your stolen phone number. Boom.. all your money is gone! Solution: use a VPN!! Contact us for a great VPN deal.

More Android security flaws. Researchers have invented "a method to decrypt the Samsung smartphone backup data which is encrypted by a user input called PIN (Personal Identification Number) and a Samsung backup program called Smart Switch. In particular, we develop algorithms to recover the PIN and to decrypt the PIN-based encrypted backup data as well." This is not good news for regular people who are relying on Samsung to protect their data.