Security Corner

Here’s How to Lock Down Your Facebook Privacy Settings—to the Extent Possible

Facebook has dominated the news headlines of late, but not for good reasons. There were the 50 million Facebook profiles gathered for Cambridge Analytica and used in the 2016 presidential election. Facebook has long been scraping call and text message data from Android phones. And within the Facebook iOS app, the company pushes the Onavo Protect VPN, an app made by a subsidiary that literally collects all your mobile data traffic for Facebook.

Because of this, many have encouraged Facebook users to delete their accounts. That even includes the billionaire co-founder of the WhatsApp messaging service, which Facebook bought in 2014. If you’re done with Facebook, you’re welcome to deactivate or even delete your account. Facebook provides instructions for both actions. Deactivating your account basically just makes you invisible on Facebook, whereas deleting your account may eventually (up to 3 months) result in most of the data being removed.

The problem is that Facebook is useful. It may be the only connection you have with certain friends or family members, and many informal groups use Facebook for meetup logistics. For many of us, losing access to Facebook would hurt our real-world relationships and activities. Plus, lots of companies have Facebook pages, and taking those down might result in a loss of business from customers who would find out about the firm only through Facebook. What to do?

If you’re a business, the most sensible tack is to keep your Facebook page but avoid relying on it. Remember, Facebook is not your friend. Earlier in 2018, Facebook announced that it would be prioritizing posts from friends and family over public content, which is a nice way of saying that Facebook is deprecating business-related posts. So make sure you have a Web site that you control, and make sure that customers can easily find it and contact you through it. It’s also a good idea to offer customers multiple ways to contact you, including via email.

On a personal level, there are two ways to think about privacy on Facebook: limiting the information you share with other people on Facebook, and limiting the information that you’re willing to provide to Facebook at all. If Facebook doesn’t have certain data about you, they can’t sell it to the highest bidder, let it be harvested by hackers, or use it in ways you might find creepy.

To control who on Facebook can see what you share, click the ? button on the Facebook Web site on your Mac, or tap the hamburger button in the bottom right corner of the Facebook iOS app and tap Privacy Shortcuts. Then click or tap Privacy Checkup and run through the steps to make sure you’re sharing the right info with the right people. Be sure to lock down or remove any apps that you don’t need, since they can leak all sorts of data.

Also, go to Facebook’s Privacy Settings & Tools page. Click the Edit button next to each item, and make it as specific as you can. You also might want to review the posts you’re tagged in and remove those that you don’t want on your timeline.

But what if you don’t want to give information to Facebook for it to use? Go to Facebook’s page for Uploading and Managing Your Contacts, and delete them all. You’re just giving away your contacts’ personal information without their permission otherwise.

To ensure that contact uploading doesn’t happen again, in the Facebook iOS app, tap the hamburger button, scroll to the bottom, and then tap Settings & Privacy > Account Settings > General > Upload Contacts and make sure the switch is off. (Some versions of the Facebook app just have Settings, not Settings & Privacy, and show a popover for Account Settings.)

Also, in the iPhone Facebook app, tap the hamburger button again and then Settings & Privacy > Account Settings > Location > Location, and make sure it’s set to Never. And whatever you do, keep Location History off—Facebook doesn’t need to know everywhere you’ve ever been.

If you’re perturbed by the way Facebook’s iOS app is trying to capture your contacts and locations, you could delete it from your iOS devices and rely instead on the Facebook Web site, which can’t access nearly as much information about you. To make it easier to open, in Safari, visit, tap the Share button, and then tap the Add to Home Screen button in the bottom row of the share sheet.

Let us leave you with one thought. Always assume that anything you post to Facebook or allow Facebook to have access to could end up on the front page of your local newspaper… or the New York Times. Nothing on Facebook is ever completely private—Facebook has shown it isn’t trustworthy or reliable—and the best way to ensure confidential information doesn’t leak inadvertently is to avoid posting it to Facebook in the first place. So stay safe out there and remember that your data has value, so be wary about who you give access to it. And as always, stay tuned for more tech and security tips from the Simply Computing Blog!

Security Corner – A Quick Guide to Meltdown and Spectre Vulnerabilities

Confused by the recent tech babble about “speculative execution vulnerabilities in ARM-based and Intel CPUs”? Here are the basic facts you should know as a user of Apple products.

What’s all the fuss about?

Researchers recently discovered two major security problems with the modern chips made by Intel, ARM and others. Since these chips are at the heart of most processors manufactured in the past twenty years, nearly all computing devices and operating systems are affected. Apple has confirmed this includes all Mac systems (iMac, MacBook), iOS devices (iPhone, iPad, iPod) and the Apple TV. The Apple Watch is unaffected by both Meltdown and Spectre.

What’s the problem?

Modern computers improve processing speed by employing shortcuts, known as “speculative execution.” Unfortunately, as it turns out, these can be exploited to access data from the chip’s memory. Thus, a hacker could gain access to the passwords, encryption keys and other sensitive data stored on your personal devices. If you use a cloud or other online services, your data kept there is also vulnerable on their servers. The two security vulnerabilities have been dubbed “Meltdown” and “Spectre.” Spectre is considered the more worrisome flaw. Although it’s harder to exploit, it’s more challenging for manufacturers to solve, with some experts believing a hardware redesign will be required. Spectre could also potentially affect more people as the chips involved are more widely used.

Have I been hacked?

Apple has given assurances that no known exploits have yet affected its customers. Expert-level knowledge would be required to prepare and initiate an attack. However, now that these vulnerabilities are widely known, who can predict whether criminals or maybe “big brother” will hasten their efforts before these loopholes are closed?

What can I do to protect my devices?

Tech companies usually wait until they’ve solved a problem before announcing it, but this time the cat got out of the bag early. Although scrambling a bit, the industry is working hard to develop and disseminate security updates as soon as possible. For Meltdown, Apple already released mitigations for iOS, macOS and tvOS in December. For Spectre, there is a new Safari update for iOS and macOS as of January 8th. If you use one or more of these operating systems, you should immediately download and install the updates. Apple reports no measurable reduction in speed because of the security updates. Other experts, however, say devices older than 5 years may be slowed.

As of January 8, 2018, Apple is still working on Security Updates to mitigate the impact of Spectre. Apple will continue to develop and test further mitigations and will release them in upcoming updates of iOS, macOS, and tvOS. To avoid missing these, consider setting yourself a Google alert as the releases are sure to be reported in the news and discussed on technology websites. Again, download and install any updates immediately.

Since a malicious app is required to exploit both Meltdown and Spectre, Apple also recommends only downloading software from trusted sources, including the Apple App Store. Untrustworthy websites, especially those using JavaScript, should also be avoided.

For a more detailed explanation of these exploits, you can read the official Apple release on this issue here.

That’s it from the Simply Blog for now! Stay tuned for more security tips!

By Dan Daly.

Five Things You Should Never Do with Passwords (and Three You Should)

Passwords are the bane of our modern existence. Nearly anything you want to do, it seems, calls for a password. As the Internet’s reach extends beyond computers and into phones, TVs, appliances, and even toys, we have to enter passwords with increasing frequency and in ever more annoying ways.

To make dealing with passwords easier and more secure, everyone should use a password manager like 1Password or LastPass. Such apps generate random long passwords like kD*SSDcCl7^6FN*F, store those passwords securely, and automatically enter them for you when you need to log in to a Web site. They are essential in today’s world.

Creating Strong Passwords

You’ll still need a few passwords you can remember and type manually—for instance, the master password for your password manager and your Apple ID password. Make sure those passwords are at least 12 characters, and we recommend going to at least 16 characters.

If you’re unsure of the best way to create a strong password, try taking the first letter of each word in a sentence you can remember, and also change a few words to digits. Then “Now is the time for all good men to come to the aid of the party!” becomes a password along the lines of Nitt4agm2c2ta0tp!. So that no eavesdroppers learn your password, avoid saying your sentence out loud whenever you enter it! Or, combine four or five unrelated dictionary words, like correct-horse-battery-staple, that add up to at least 28 characters. (Don’t use the examples in this paragraph!)

Two Step Verification

When possible, take advantage of two-factor authentication on sites like Apple, Google, Dropbox, Facebook, Twitter, and more. Accounts protected by two-factor authentication essentially require that you enter a second, time-expiring password as part of the login process. You’ll get that second password via text message, authenticator app, or other notification method when you log in.

What Not To Do

But what we really want to talk about today is what you should not do with passwords. Follow these tips to avoid making mistakes that can undermine even the security provided by a password manager.

  1. Don’t use the same password twice. This is key, because if the bad guys get your password—no matter how strong—for one site, they’ll try it on other sites.
  2. Don’t share passwords with anyone you don’t trust completely. That’s especially true of passwords to accounts that contain sensitive information or that can be used to impersonate you, like email and social media. However, sometimes you have to share a password, such as to a club blog with multiple authors. In that case…
  3. Don’t send passwords to shared sites via email or text message. If someone hacks into your recipient’s email or steals their phone, the password could be compromised. Instead, use a site like One-Time Secret to share a link that shows the password only once, after which the recipient should put the password into their password manager.
  4. Don’t write your passwords on sticky notes. Yeah, it’s a cliché, but people still do it. Similarly, don’t put all your passwords in a text file on your computer. That’s what password managers are for—if someone steals your computer, they can’t break into your password manager, whereas they could open that text file easily.
  5. Don’t change passwords regularly if you don’t have to. As long as every site has a strong, unique password, changing a password is a waste of time, especially if doing so makes you write down the password or communicate it insecurely. If you do have to update a password regularly, a password manager makes the task much easier.

We realize that it’s tempting to take the easy road and share a password with a friend via email or write a particularly gnarly one on a sticky note. But today’s easy road leads directly to identity theft and is paved with insecure password habits. You might think no one would pay attention to little old you, but times have changed. And organized crime is interested in any Internet account that can be cracked.

By Dan Daly

How to avoid phishing scams

We’ve noticed a huge increase in fraud recently, as more individuals are targeted both over the phone and the computer.

Most of these attempts are based on tricking you into providing personal information or letting the bad guys through the cyber door. Listed below are some common examples of what to look out for in deceptive communication.

  • You may get phone calls claiming to be from big companies such as Apple or Microsoft, or a support firm that will refer you to their company page containing official-looking receipts and account notes. They’ll tell you that your computer is infected and spreading viruses, and that the bank has asked them to contact you and clean up the problem, for a fee. They will offer to set up an account, with the full intention of obtaining your credit card number for theft.
  • Other common stories include the “police” needing access to your computer to “help catch a crook”, or the “tax department” demanding access to your computer remotely. In any case, it is best to approach these calls rationally. Fraudulent calls thrive on quick decision making, and their time-sensitive narratives are designed to hinder questions or analysis. Remaining calm and thinking about exactly what the caller is asking will help you distinguish fact from fiction. Remember that calls asking for access to personal information over telecommunication systems are fake.
  • At other times, you’ll be working along and suddenly your computer crashes, or seems to. A message pops up on the screen with all sorts of dire warnings about viruses and network problems. If you phone the number provided or click on a link, you’ll be talked into letting someone into your computer remotely. They’ll sign you up for a support package and move some files around on your screen, delete some harmless ones, and tell you that they were damaged or dangerous, and then charge you a few hundred dollars. Sometimes they leave a little “time bomb” on your computer that will make your computer act up in a few weeks, with the intention that you’ll have to phone them back to get the problem fixed again.
  • Crooks may phone or email you, asking for some information, then assemble little bits of data they’ve acquired and use this to rack up huge loans under your name or create fake or stolen IDs. This is called phishing, as in “fishing” for information. You’ll get calls claiming to be a relative in need of money due to a car accident or legal problem. If you ask them for a phone number they usually hang up or give you excuses as to why they can’t give you a number. Again, this is a phony call.
  • You may also get emails claiming to be from the bank or other large businesses that you may have accounts with. These official-looking forms are usually asking for account information, passwords, your mother’s maiden name, and so on. Sometimes they take the form of a bill or rental form to convince you to call or email and dispute the charge. Never reply to emails like this, or call the phone numbers that they provide, as you will just be contacting the scammers.

Many of these claims are skillfully planned out, so it is understandable why people fall victim to a hoax. It is important to remain cautious whenever dealing with personal information and to be clear on the major warning signs. Demographics that are more often susceptible to fraud, such as elderly individuals or extremely young adults, are at particular risk. By staying informed and educating friends and family on the signs of fraud, there is a better chance that everyone will be protected.

If you ever suspect that something may be fraud, it is best to contact the company or individual directly, using a reliable phone number or email address, in order to establish the truth.