Is Apple’s New Face ID a Security Risk?

The majority of negative commentary I’m seeing about Face ID in particular amounts to “facial recognition is bad” and that’s it. Some of those responses seem to be based on the assumption that it introduces a privacy risk in the same way as facial tracking in, say, the local supermarket would. But that’s not the case here; the data is stored in the iPhone’s secure enclave and never leaves the device. More than anything though, we need to remember that Face ID introduces another security model with its own upsides and downsides on both security and usability. It’s not “less secure than a PIN”, it’s differently secure and the trick now is in individuals choosing the auth model that’s right for them.

via Troy Hunt: Face ID, Touch ID, No ID, PINs and Pragmatic Security

Good read here on the pragmatic nature of what Apple is doing by pushing technologies such as Touch ID and Face ID in its devices. No, they aren’t foolproof and there are downsides. But Face ID is a way to help ensure that the “mainstream” of security-apathetic users of these devices have at least some protection if their device is stolen etc.

However, it is appalling that most people simply ignore, or don’t care enough about, basic security options such as 2 Factor Authentication, which is available on most of the web, financial, and other services we all use.

I’m constantly urging clients to use services such as 1Password or LastPass for their password generation and storage as well as services such as Authy which make it easy to use 2 Factor Authentication (and safer than relying on SMS for codes).

“But I’m a nobody. Who would want to hack my GMail or Facebook or Twitter?” isn’t a viable rationale or excuse anymore, if ever!

Even Hackers Take Summer Vacations

Pretty staggering July stats from Wordfence regarding attempts to log in to WordPress installs with guessed usernames / passwords. People still don’t use secure passwords (or, better yet, a password manager)…

The average number of daily brute force attacks increased 21% from last month, which was up substantially from May. Daily attack volumes were incredibly stable throughout the month, with no big peaks or valleys. It’s almost like the attackers went on vacation and left their malicious bots running on autopilot.

via The July 2017 WordPress Attack Report

Why Your Church or Nonprofit Website Needs Regular Security Updates


One of the items Harrelson Agency itemizes on invoices when building out a new client website (particularly when using WordPress or Drupal) are maintenance and security updates for the year.

It’s not a major cost, but I often receive questions about the charge and whether or not it’s really necessary. That’s particularly the case when dealing with churches, nonprofits, and small businesses who are on tight budgets and looking to save every penny possible (and understandably so). However, it’s necessary, and I always counsel our clients (of all sizes) to understand what that cost entails and why it’s beneficial in the long run.

Regardless of the amount of traffic your website receives, if your site is self-hosted and using software such as WordPress or Drupal, you have to make sure you or your website manager are doing regular updates of plugins and versions, as well as making sure there is some sort of security software in place to manage firewalls, login attempts, IP attacks etc.

If you accept online donations or payments via your website, this is especially true. If you host any sort of “member directory” or registration information or personal details of your congregants or customers, this is especially true. That holds regardless of the size of your church, nonprofit, or business.

This week, press (and governments) around the world are reeling from the explosive release of the Panama Papers. This is the largest leak of private documents ever, and exposes a number of world leaders and companies and their potentially illegal financial transactions. It happened because of outdated software with known vulnerabilities:

“FORBES discovered the firm ran a three-month old version of WordPress for its main site, known to contain some vulnerabilities, but more worrisome was that, according to Internet records, its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data. Back in 2014, Drupal warned of a swathe of attacks on websites based on its code, telling users that anyone running anything below version 7.32 within seven hours of its release should have assumed they’d been hacked.

That critical vulnerability may have been open for more than two-and-a-half years on Mossack Fonseca’s site, if it hadn’t been patched at the time without updating website logs. It remains a valid route for hackers to try to get more data from the firm and its customers. On its site, the company claims: “Your information has never been safer than with Mossack Fonseca’s secure Client Portal.” That boast now looks somewhat misguided.”

Source: From Encrypted Drives To Amazon’s Cloud — The Amazing Flight Of The Panama Papers

So yes… in 2016 it certainly matters that you have good passwords and good security on your personal online accounts as well as those of your church or business.

Don’t wait until it’s too late and have to deal with the ramifications.

Your Email Privacy (Thanks, Government)

Scary, true, and worth your attention if you value your privacy…

Mozilla will let go of Thunderbird | Boing Boing: “There are many good reasons to use standalone email clients, but for Americans one of the most compelling is the absurdly outdated Electronic Communications Privacy Act of 1986, which treats any file left on a server for more than six months as ‘abandoned’ and accessible to law enforcement without a warrant (no, really!). That includes all your Gmail previous to June 2015. Really. All of the efforts to reform ECPA have died on the vine, because law enforcement loves this creaking piece of legislation.”

Vote out your representative if they don’t “understand technology.” That’s not an excuse anymore.

Don’t Hold Up Signs on the Internet…


We’ve all seen them before and I’m seeing more and more of them now that the Holiday Season is upon us (and today is “Giving Tuesday”).

I know I’ve seen a number of well-intentioned pictures of people holding up signs to support a specific cause on social networks this winter. A large number of those, especially on Facebook, have been churches and religious groups.

I hate to be Donald Downer, but be careful with such postings, especially if they include your face. It’s very (very very) easy to take those and do less-than-well-intentioned things with the images after they’re found via Google Image Search or a Twitter Search or Instagram hashtag search etc.

You’re not Michelle Obama, but that doesn’t mean that your own perception of your network size (or good intention) protects you from the wilds of the internet in 2016 and beyond…

Michelle Obama gave the Internet a sign—here’s what it gave back: “But once Reddit got ahold of the photo, its users—well-known for hosting Photoshop battles such as this—went wild adding anything and everything to the blank page”

So be careful, or you could be espousing something you probably wouldn’t agree with.

Amazon Finally Gets 2 Factor Authentication (Please Go Turn This On For Your Account Now)


Here’s how to enable Amazon’s Two-Step Verification, a feature that adds an extra layer of security by asking you to enter a unique security code in addition to your password on computers and devices that you haven’t designated as trusted.

Source: Amazon.com Help: Turning On Two-Step Verification

Amazon finally has 2 Step Authentication. By all means, please go turn this on (and turn it on for all the services you actively use, from GMail to Slack to Dropbox to Facebook to Twitter etc).

I’m a big fan of Authy as my preferred authenticator, but Google has one and you can always use your mobile device for receiving authentication texts.

But you need to do this asap for your personal and business accounts or count the days until you’re “hacked.”

“Censorship that doesn’t look like censorship”

Remember, “free speech” doesn’t always align with the user policies on Facebook, Twitter etc. Own your content and your books, or learn to live with the trade-off of letting the algorithm decide how you vote…

“Censorship that doesn’t look like censorship. It deliberately reduces the spread of information that might otherwise go viral. Vicious. “You can say what you like but no one will hear you. And also, you’ll think no one cared, so you’ll give up trying.” Subtle, deniable, and quite ruthless.”

via Paul Dietrich: Adventures in Twitter Censorship (PDF for obvious reasons)

Another Digital Divide Coming

Niels Ole Finnemann, a professor and director of Netlab, DigHumLab in Denmark, said: “The citizens will divide between those who prefer convenience and those who prefer privacy.”

via The Future of Privacy | Pew Research Center’s Internet and American Life Project.

I’ve long said that as the web continues to evolve, particularly as a social medium, we’ll see privacy and the idea of a federated web help shape a new digital divide.

On one side, there will be people who choose convenience and ease by utilizing networks akin to our current ones (i.e. Facebook). They’ll trade their privacy and data for social connections in a walled garden with pretty flowers.

On the other side will be the federated web by those who are able (either technologically or financially or both) to have and sustain their own web presence that they own and control.

This isn’t the geek vs non-geek distinction that has existed since the web started, nor the situation we have in 2014-2015 where people who care about things like federation or privacy are outsiders.

Now we just need to kill apps.

Don’t Use Admin As Your WordPress Username

We create, host, and manage a number of sites for churches, non-profits, community groups, and businesses. As a part of that, we also spend a good deal of time “behind the scenes” keeping these websites safe and secure. Our clients often don’t realize how much work that entails in 2014 / 2015, with the growing sophistication and sheer number of bots and bad folks looking to exploit poorly constructed sites or social media accounts for other nefarious purposes (nor should they).

Setting up a WordPress site on your own is not hard to do. You have to find a host, click a few selections for your server, then run through the install. It’s gotten tremendously easier over the years. However, if you’re setting up a self-hosted WordPress site, you have to take security seriously.

For example, the screenshot above is just a small sampling of the attempts to “brute force” access to this site from this morning. There are hundreds of these every day for this site, and I see thousands daily for some of our larger clients. You’ll notice the attempts are all trying to gain access to the site with the username “admin.” Before WordPress 3.0, the default for new site installs was to use “admin” as the username. Combine that with the terrible passwords that most people online use, and it’s not hard to see that with enough permutations, the math is there. It’s fairly easy to buy a list of the most commonly used passwords on the web if you know where to look in the dark parts of the web, as well.

After about a decade of working in this area, here are my surface-level and generic recommendations if you do decide to set up a WordPress site for your church, group, or business…

1) Don’t use admin as your login username for WordPress or for any other account whether it will just be you logging in or a team of people.

2) Don’t use a short or “dictionary” phrase password. Use something unique to you and combine numbers, letters, etc as much as you can. That’s not foolproof, and there’s research showing that doing so isn’t as effective as it was previously, but it’s still a good practice. Even if you’re “bad at passwords” as most humans claim to be, figure out a system for a stronger password. It’s worth your time and it’s important no matter how small or large your site or social media account will be.

3) Use a good plugin such as Sucuri to keep track of security audits, reviews, and monitoring. Again, it’s worth your time and easy to set up email alerts for certain events.

4) Keep track of installed plugins and make sure that no one has installed a plugin that is actually a piece of malware or using your WordPress install for nefarious purposes. This is important especially if you are working with a number of people on a WordPress site and sharing a common user account rather than setting up various users (which you should do for a number of reasons).

5) Update, update, update. Keep your WordPress version, plugins, and themes as updated as possible. That usually means at least a couple of times a month.

Of course, there are many other things to consider but I get this question frequently and wanted to make my initial thoughts easy for others to find. Setting up a WordPress site is a great idea and it’s not terribly difficult. However, do it the right way and make sure you are keeping your brand, visitors, and users free from any potential threats that you can avoid with a little time investment.
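As an added example (not from the post, and not code from any plugin), here is how a site manager could sift a security plugin’s failed-login log for the pattern described above: bursts of failures from one address, nearly all of them guessing “admin”. The log format is constructed for the example; Sucuri and Wordfence each record failed logins in their own format, so the parser would be adjusted to match.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape a WordPress security plugin records for a
# failed login: timestamp, source IP, username tried. Values are made up.
SAMPLE_EVENTS = """\
2014-11-12T06:01:02Z 198.51.100.23 admin
2014-11-12T06:01:05Z 198.51.100.23 admin
2014-11-12T06:01:09Z 198.51.100.23 admin
2014-11-12T06:01:14Z 198.51.100.23 admin
2014-11-12T06:01:20Z 198.51.100.23 admin
2014-11-12T06:02:41Z 203.0.113.8 admin
2014-11-12T06:02:44Z 203.0.113.8 administrator
2014-11-12T06:40:10Z 192.0.2.77 sarah
2014-11-12T07:15:33Z 192.0.2.77 sarah
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_events(text):
    """Return (timestamp, ip, username) tuples; lines without 3 fields are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events

def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """IP -> peak failures inside any window-long span, for IPs at/over threshold."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window: drop old failures
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:  # a slow trickle spread over hours is not flagged
            flagged[ip] = peak
    return flagged

def username_share(events, name="admin"):
    """Fraction of all failures aimed at `name`; near 1.0 means bots guessing it."""
    tried = Counter(user for _, _, user in events)
    return tried[name] / sum(tried.values()) if tried else 0.0
```

On the sample, only 198.51.100.23 crosses the default threshold, and two thirds of all failures target “admin”; a site with no “admin” account turns every one of those guesses into a guaranteed miss.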

Home Screen on My iPhone 2014

I like to post these every so often (this one from 2010 is historic) for my own archival purposes.


By the way, someone asked me yesterday why I had LastPass on the front page and what it did as an app. I don’t know any of my passwords, as they are all generated by LastPass. Between that and using 2 factor authentication for everything I can (the Google Authenticator app beside LastPass on the top row), I feel pretty confident about my security online. Those are two of my most used apps as a result.

Additionally, I’m glad to see services like Mint (my personal accounting app) and Evernote integrate their apps with Touch ID on the iPhone so that I have to supply my thumbprint to open them up (Bank of America is releasing their updated app with that integration as well).

Security is my app theme for the end of 2014, evidently.