Posts

iPhone Security Crash Course: 13 Hacker-proofing Tips

iphone security - privacy expert John Sileo

iPhone Security In the Mid/Post-Pandemic World

We are no longer just addicted to our iPhones; we are officially in a committed relationship, thanks to the pandemic. We mobile office from them, bank from them, attend doctor’s appointments, kids’ classes and Zoom happy hours from them. And in the midst of all of this critical and effective use, we are dropping our guard when it comes to iPhone security. 

But there is good news! Changing your default privacy and security settings keeps you from being shark bait (because hackers usually go for the easy kill). Even for iPhone users, who often mistakenly believe that all security is taken care of by Apple. Spoiler – it’s not. Smartphone security takes mindful tweaks on your part – even if Apple does a good job of rooting out malicious apps. Here is a short description of what steps I would take first to to defend your phone (other than never losing it). 

Too much reading? Check out the webinar – in less than an hour I’ll walk you through HOW to do it all for less $ than an Apple dongle!


smartphone privacy

iphone Security Webinar: Wednesday, June 24 @ 1pm ET

Cost: $29

Register: Sileo.com/webinar

Course Description: iPhone Security – See Below (Note: Android OS will not be covered)

 


The Lucky 13 –  iPhone Security & Privacy Tweaks   

  1. Prune Your Apps. You have far more apps on your phone than you use regularly. Outdated and extraneous apps are a backdoor into your privacy. Delete those you don’t use often (Apple can help automate this) and reinstall when needed. Before you install a new app, find trusted reviews online to determine the company’s privacy and security record.
  2. Auto-Update Your iOS. Turn on automatic updates for your iOS operating system so that security patches are installed immediately upon release. This protects you from something called zero-day exploits, which I will explain as I demo how to turn this on during the webinar). Safari is part of the operating system, and just as vulnerable to hacking  as on your computer, making these updates even more critical.
  3. Hide Your Location. Your flashlight app (not  the Apple one) may be spying on you.Third-party apps often request access to iPhone features and data they don’t really need, like your location, camera, contacts, and microphone. Turn off location sharing on most apps, and set it to “Only While Using App” on most of the rest. Bring your app-specific location questions to the webinar.
  4. Hide Your Contacts, Photos & Conversations. Many apps have access to your contacts, calendar, photos, Bluetooth, microphone, camera and health data. Customize these settings to only allow access to apps that you trust or that have to have access to work.
  5. Robustify Your iPhone Passcode. Four digits is not enough! Six-digit numeric codes are still vulnerable to cybercriminals. Even if you conveniently unlock your iPhone with a thumbprint or facial recognition, the passcode behind the biometric is what gives it all of its strength! Lengthening codes is a bit confusing, so I will save it for the online demonstration.
  6. Password Manage Your Online Accounts. Mobile password aggregators help you create unique, long and strong passwords for all of your online accounts. The iPhone integrates with many common password managers to make logging in to critical sites faster and safer than the old fashioned way. Happy to make “endorsement-free” product recommendations if you need them.
  7. Double Your Passcodes. When you turn on two-step logins (aka, two-factor authentication), a hacker’s ability to break into your online accounts plummets. Having a passcode you know (the one you memorize to get into your phone) and a passcode you have (from a passcode authenticator app or text message), makes you exponentially safer. Enable this on every cloud service you use, from email to banking, health sites and business logins to social media. And make sure you turn it on for iCloud, which stores a backup of everything on your phone.
  8. Backup Your Phone. Whether you back up to a physical computer or to iCloud, this is the best way to recover from ransomware or a lost, stolen or hacker-scrambled phone.
  9. Stop Brute Force Logins. If you’re worried about your device falling into the wrong hands, you can prevent an attacker from brute-force break-ins using the “erase data” option. This automatically deletes all data on your phone after 10 consecutive failed login attempts. Just don’t ever forget your code, and be careful that your kids don’t erase your data by entering the wrong code too many times!
  10. Shut Down Eavesdropping Advertisers. Many websites use cross-site tracking to monitor your surfing habits so that marketing companies and advertisers can push products and services tailored to your interests. This can be turned off in Safari for iOS. It is also possible to block pop-ups, enable fake website warnings, disable location-based and interest-based ads and switch from Google’s search engine to a more private source like DuckDuckGo.
  11. Enable Location Tracking and Wiping
  12. Secure Your Free Wi-Fi Hotspots (VPN)
  13. Disable Creepy Photograph Tracking

If you are looking for a bit of hand/phone holding, join my webinar, where I will walk you through HOW to implement all 13 iPhone Security Steps.


Webinar: iPhone Security Crash Course: 13 Ways to Keep Hackers & Advertisers Out

Every website you visit, location you frequent and app you use on your iPhone can be tracked, hacked and abused. By default, your smartphone is open to cellular providers, digital advertisers and cybercriminals. Until, of course, you proactively take steps to minimize how your private data is being captured, shared and sold. 

In this iPhone-specific workshop, John will perform a live demonstration of 13 critical iphone security and privacy settings. Bring your iPhone to the webinar, as you will be actively changing settings during the presentation. 

Smartphone Privacy & iPhone Security Tools Covered Will Include:

  1. App pruning and vetting
  2. Operating system patches and automatic updates
  3. Limiting location tracking performed by Apps
  4. Keeping hackers out of contacts, photos and voice recordings
  5. Hack-proof passwords (almost)
  6. Implementing a password manager
  7. Turning on two-step logins on vital online accounts
  8. How to back up your phone in case of loss or ransomware
  9. Eliminating brute-force logins
  10. Disabling advertising tracking and sharing
  11. Enabling location tracking and wiping in case of loss
  12. Installing and utilizing a VPN to protect Wi-Fi usage
  13. How to disable creepy photo location tracking
    If time permits:
  14. Evaluating of the Pros/Cons of biometric passwords (fingerprints and facial recognition)
  15. A discussion on the security of Apple Pay and Wallet options
  16. Banking and investing vulnerabilities on you smartphone

By the end of this webinar, your iPhone will be 99% more secure than the average smartphone user. Time for Q&A with John will be provided at the end of the demonstration.

Is Document Shredding Still a Thing in This Digital Age?

Document shredding seems to have fallen out of favor. I recently received some questions from a client wondering if, in the age of remote massive database breaches by pajama-clad hackers, we should still shred our sensitive documents.  If it is so easy to access it digitally, then why would anyone go through the arduous, dirty work of old-fashioned dumpster diving?

In case you have the same questions, here are my thoughts:

Is Identity theft via paper still an issue in this digital age?

Without even a moment’s hesitation – YES IT IS! It no longer gets the press it used to and dumpster diving, physical file theft and the like never account for the sheer volume of identities stolen (it’s more profitable and efficient to hack a million IDs at a time from Facebook or Equifax), but they are still part of the criminal toolkit, especially for local criminals (who don’t have hacking experience) and especially for organized criminals that need small bits of information from a target before they socially engineer them to hand over the keys to the kingdom (e.g., gaining their trust to manipulate them out of their user login credentials at work based on information from physical documents, embarrassing trash, etc.).

Do people still need to shred all of their paper documents? 

The initial answer is no, because that information is already out there in volumes. The wiser answer, from a habituation perspective, is yes. In 30 seconds a day (if your shredder is convenient), you can shred everything with personal information on it? That way, when it does have something more valuable (account number, last four of your SSN or any of those small bread crumbs that lead to greater levels of trust and access), you have already established a good habit. When users are advised to just shred X or Y, instead of everything personal, they eventually forget or give up because the volume is too low.

Are cross-cut document shredders enough or should we use higher-security micro-cut shredders?

For the average person who doesn’t work in a defense-related, finance-related or health-related job (you get the idea), I think that a simple confetti shredder is plenty sufficient. There is technology out there to recreate documents, but that isn’t really the concern of your average reader. If they have security clearance or deal with highly sensitive information from work in their home, then yes, the higher end are better.

The Achilles heel of shredding is that people don’t take care of them (empty them, oil them, etc.) and they break like a car with no oil, so that is part of the deal – you have to maintain them. I still have a shredder in my home office and several at work. We put all of the documents in a bin next to the shredder and shred them a couple of times per week before the trash goes out. That makes it a bit more efficient.

In other words, how paranoid should we still be about shredding documents?

Paranoid is a touch too strong. Just be smart. Think about unshredded documents as the reconnaissance tools that cyber criminals use to commit larger crimes. If I find your bank statement unshredded in the trash, I can now call you, pretend to be the bank using a caller ID spoofing app, recite the last four digits of your account and get the information I need acting as the bank to close out your account on the very next call. And from a corporate perspective, it’s even more valuable data.

So what are the basic reasons behind document shredding?

  • Prevent identity theft
  • Protect your customers and your employees
  • It’s the law (under the Data Protection Act)
  • It saves space
  • It’s “green”! Shredded paper makes recycling much easier

What documents should you shred?

  • Medical records and bills (keep for at least a year after payment in case of disputes)
  • Old tax returns: after three years of returns you are allowed to throw them away, as long as you aren’t committing fraud – otherwise you can be held liable indefinitely
  • Old photo IDs
  • Bank, investment, medical or insurance statements (or anything else that contains vital identity or account numbers)
  • Credit card offers and expired credit and debit cards
  • Canceled or voided checks
  • Pay stubs
  • Copies of sales receipts
  • Convenience checks (Blank checks your credit card company sends to borrow against your credit line)
  • Junk mail that contains personally identifying information (watch for barcodes)
  • Mail related to your children or their school

Remember, shredding isn’t only for large companies.  As someone who personally was a victim of dumpster diving, trust me and take the extra four seconds to shred that piece of trash; it may save you years of time spent trying to recover from financial devastation.

About Cyber Security Keynote Speaker John Sileo

John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings, and industry events. He specializes in making security fun so that it sticks. His clients include the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

FaceApp is Fun, But Putin Will Own Your Privacy

FaceApp quite literally owns your face forever (or atleast the image of your face).

It’s funny how we spend billions of dollars a year on health and beauty products and treatments designed to keep us looking, as Carrie Underwood sings, “young and beautiful”, but when a fun app comes along that gives us a goofy look or makes us look 30 years older, we jump at the chance to see it and share it with all of our friends on Social Media.  That’s exactly the case with FaceApp, an app that alters photos to make you look years older or alter facial expressions, looks, etc.  Thanks in part to use by celebrities such as Underwood, the Jonas Brothers and LeBron James, more than 150 million users have uploaded their photos to the app and it is now the top-ranked app on the iOS App Store in 121 countries. Free, fun and harmless, right?  Maybe, maybe not…

Every app is uploading your data and daily habits and locations, combining it with your social media profile and exploiting or selling it. That’s the profit model of the internet, not just FaceApp. That’s not what makes this particular app unique or noteworthy.  Wireless lab, creators of FaceApp is based in St. Petersburg, Russia, which means that by default, Vladimir Putin has a picture of you someplace on his hard driveLet’s be clear, Russia can get into any centralized database of facial recognition photos it wants to – this just makes it easier for them.

Not only that, but FaceApp retains a perpetual license to utilize your photo in any way it sees fit. In their words you are granting FaceApp “a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you”.

This makes it not just a privacy issue, but also a security issue, as there is no guarantee that your photos and device data are stored securely. In fact, there is almost no chance that they are stored securely. In addition to your photo, some other personal information is transmitted, and you are never alerted to the fact that either are being uploaded.

For now, it seems that they are only uploading the photo that you choose to upload, but I see no reason why they won’t slyly begin uploading every photo in your album as their terms of service don’t preclude that evolution. Facebook didn’t always collect and sell our information as they do now, but that didn’t stop them when profit is involved.  Information collection companies start by collecting very little until we stop paying attention, and then they transmit everything. They love the slippery slope of boiling the privacy frog!

So-what can you do about it?

  • The Democratic National Committee sent out a warning to campaigns recently telling people to delete the apps from their phone.  It’s a start, but deleting the app doesn’t get rid of your data in the cloud, and doing so is time-consuming and confusing.
  • For the fastest processing, try sending the requests from the FaceApp mobile app using ‘Settings->Support->Report a bug’ with the word ‘privacy’ in the subject line.
  • If it’s not too late, resist the urge to download the app!  Maybe look at a picture of your parents instead.

Most importantly, the next time you are giving away access to your photos or allowing any app to access data on your phone, read their privacy or data use policy first. You will be amazed at what you are giving away for free that makes them gobs of money.

John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings, and industry events. He specializes in making security fun so that it sticks. His clients include the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

Security Awareness Programs Like Mushy Overnight Oats?

To diagnose your under-performing cyber security awareness programs, all you need to do is look at my breakfast today. My daughter introduced me to overnight oats. “It’s the perfect breakfast, Dad – full of energy, takes no time at all, packed with simple, healthy ingredients like oatmeal, almond milk and peanut butter”, she said. “That’s what I need!”, I said, “All of the power with none of the fuss”. So I took her recipe and promptly ignored it. I added cottage cheese, chia and some lemon – because if it was already good, I was going to  make it even better.

What I got was curdled mush that crawled out of the bowl like John Cusack’s dinner in Better off Dead. The theory of overnight oats was brilliant. It was my execution that made me gag.

Many security awareness programs choke on their own ingredients because, like my overnight oats, they don’t follow a recipe when they plan the program. The have no overarching security “end” in mind at the beginning, to paraphrase Stephen Covey. Empowering the human element of cyber security is the cultural ingredient that many organizations overlook. Think about tweaking your recipe a bit to make it more than palatable.

A Recipe for Effective Security Awareness Programs

One byproduct of serving as the opening keynote speaker for hundreds of security awareness programs around the world (in addition to the bottomless pit of mileage points I’ve earned), is that I have dined amidst training programs, OVER and OVER again, that leave me hungering for more substance and lots more flavor. Here is my simple recipe for a filling, enjoyable and effective Security Awareness Program:

Ingredients (For a Culture of Security that Cooks):

  • (1-3) C-Level Executive(s) who “Believe” (Ownership)
  • (1) Cross-Functional Business Case w/ Compelling ROI (Strategy)
  • High-Engagement Content Rooted in Personal Security (Methodology)
  • (6-12) Regular, Engaging Follow-on “Snacks” (Sustenance)
  • (1) Feedback Dashboard to Measure “Diner” Response (Metrics)

Ownership. Failing to have a highly-communicative Chief Executive leading your initiative is like expecting a 3-Star Michelin rating from a fast-food cook. You must have high-level “buy-in” for your program to work. I’m not talking about the CISO, CRO, CIO or CTO here – that would just be preaching to the choir. The missing cook in awareness programs tends to be a security “believer” from the executive team. Successful security awareness programs are clearly led, repeatedly broadcast and constantly emphasized from the top of the organization, all with an attitude of authenticity and immediacy. Whether served up by your CEO at an annual gathering or by your Board of Directors to kick off National Cyber Security Awareness Month, your security champion must become an evangelist for defending your data.

Strategy. Don’t expect to randomly add security ingredients to the bowl and blindly hope they mix well together. You’ll just end up with curdled oatmeal. Approach your program strategically, and devise a recipe to protect your intellectual property, critical data and return on information assets. You are competing for resources, so build a compelling business case that demonstrates the organization’s ROI in business terms, not buried in techno-babble. What did it cost your competitor when ransomware froze their operation for a week? How much would the training have cost to avoid the CEO whaling scheme that lost a similar-sized company $47 million? What do the owners of  compliance, HR and I.T. have to add to the meal? The most successful security awareness programs have a budget, a staff (however small) and cross-departmental support. Involve the business team and other stakeholders up front to leverage their expertise before rollout.

Methodology. Here is a litmus test for the potential effectiveness of your security awareness program: Does it begin by focusing on the critical information assets and devices inside of your organization? If so, it’s probably doomed. Why? Because your employees are human beings and they want to know how this affects them personally before they willingly invest time to protect the corporate coffers. Excellent security awareness kicks off by making data protection personal – by building ownership before education. From there, the training must be engaging (dare I say fun!?) and interactive (live social-engineering) so that your audience members pay attention and apply what they learn. Death-By-PowerPoint slides will permanently put behavioral change to sleep. Highly-effective programs build a foundational security reflex (proactive skepticism), and are interesting enough to compete against cute puppy videos, smartphone farm games and our undying desire for a conference-room cat nap.

Sustenance. Best practice security awareness training, like a five-course meal, doesn’t end with the appetizer. Yes, kickoff is best achieved with a high-energy, personally relevant, in-person presentation that communicates the emotional and financial consequences of data loss. But that is only the beginning of the meal. From there, your team needs consistent, entertaining follow-up education to keep the fire alive. For example, we have found short, funny, casual video tips on the latest cyber threats to be highly effective. And lunch workshops on protecting personal devices. And incentive programs for safe behavior. And so on. Culture matures by feeding it consistently.

Measurement.If you don’t measure your progress (and actually demonstrate some), no one will fund next year’s dining budget. What are your Security Awareness Training KPIs, your key metrics? How did successful phishing attacks decline as a byproduct of your program? Has user awareness of threats, policy and solutions increased? How many employees showed up for the Cyber Security Awareness Month keynote and fair? How department-specific are your training modules – or does one size fit all? When you can show quantitative progress, you will have the backing to continue building your qualitative culture of security.

And now, back to the meal. In spite of the lemon juice that further curdled the cottage cheese and ruined my oats, I was still hungry, so I ended up choking them down, vowing to listen to my daughter next time. And I hope you will listen to me this time: Approach your security awareness program like you are planning a feast for guests who matter a great deal to you. Because your uneducated employees, unprotected customer data, and invaluable intellectual capital are exactly what cybercriminals are eating for breakfast.

What are the greatest gaps you see in Security Awareness Programs? Please share your brilliance below.


John Sileo loves his role as a keynote “energizer” for Cyber Security Awareness Programs. He specializes in making security fun, so that it sticks. His clients include the Pentagon, Schwab and some organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime.