Wednesday, April 30, 2014

10 Reasons to use Google Chrome for Security

Internet Explorer has been there for good long time now and each version has exposed security vulnerabilities.  What that mean to user is that any website that you visit can take control of your computer remotely and can do anything without you noticing it. Microsoft has recently (26th April 2014)  notified users about flaw in Internet Explorer https://technet.microsoft.com/en-US/library/security/2963983 . Here is why its time to switch to better options for free.

As internet has matured new web technologies have immersed. Modern browser has been developed to meet those needs and keep users safe. Google Chrome and Firefox has grabbed market share from IE with due its appealing functionality over IE . Today FireFox has released their new version 29 which has refreshing looks, boost privacy and provides new customization.  Try it! https://www.mozilla.org/en-US/firefox/new/



Why Google Chrome:
Google Chrome has became popular since it launched in 2008 and is the fastest growing browser.  Its based on open-source project called Chromium which is driven by Google and people around the world.

Here are some notable features from security point that strongly suggest using Google Chrome or Chromium -
  1. Secured Tabbed browsing - All new browsers supports browser tabs to visit different websites in different tabs. In Chrome each tab is separate process running on your system which makes it secure. Web-page from one page cannot infect or access data from other. Chrome has made best use of OS security functionality to extend to browser
  2. Auto-updates in Chrome ensures you get latest fixes and functionality. As a user you never need to force update or worry about it. It’s a patented technology from Google to update their products silently and automatically

  3. Plugins/add-ons to enhance secure browsingMy other blog details about security enhancing Chrome plugins that you should be using. Most of these are also available in Firefox also
  4. Chrome maintains blacklisted (Phishing & malware) websites for protecting users. Users are warned if they are visiting these websites which gives in-built protection without any other plugins
  5. Google promotes security research on their Chrome browser and offers bounty if people find security issues in their products. Good few issues has been reported and addressed quickly by Google. Open-source nature provides access to source code that people around world can use and can dig deep to find vulnerabilities. Both of these programs give higher confidence of security
  6. Chrome scans files that you download for viruses. A built in virus protection in browser just works
  7. Security warnings/alert when web-certificates of websites mismatch, an indication of doggy website. If a website claims like your bank website, however has red warning alert from Chrome, then that's likely fraudulent website
  8. Parental controls with in browser - An In-built parental controls to secure your kids online is available for parents to configure. Here is guide available for same - http://www.howtogeek.com/177958/use-supervised-users-to-set-up-parental-controls-on-a-chromebook-or-just-in-chrome/
  9. Private Browsing" mode or "Incognito" mode as in Google Chrome. No traces are left behind when you browse in private mode. No history, no temporary files, no web cookies to track users and no cache. Files you explicitly download do remain. Here is my other blog on it.
  10. Google Sync - A feature that allows you to login to browser using Google account and then sync your bookmarks, extensions/plugins, history and other configurations. This makes it easy for users to give consistent experience on different machines. All your bank/important website bookmarks are available to use on new machines if you switch between devices.

Oddly, there are some websites that need Internet Explorer only. You will have to stick with IE in those cases and user other for rest.

Other notable browsers include Opera & Safari from Apple. They too do great job in many aspects of security as listed above. However Google Chrome is its way ahead.

Note - Chromium is Open-source version of Google Chrome. Both share same code base. Google Chrome gives a touch of Google branding and more suited if you heavy use Google account, which most of us do.

Other blog reference - http://tiptopsecurity.com/safest-web-browser-chrome-firefox-ie-opera-safari-comparison-chart/

Monday, April 28, 2014

Windows XP is dead, Why not switch to Ubuntu Linux?

Microsoft has stopped supporting its 14 year old Operating system - Windows XP this month(April 2014). No new updates or fixes and security updates will be released to XP machines (Unless you are in government and ready to pay heavy charges). Here are is Microsoft announcement on XP http://windows.microsoft.com/en-IE/windows/end-support-help

While XP was great for personal use, it is one of the least secure Operating System(OS) today.  The most vulnerable OS by Microsoft and this is due to its single-user architecture.  Microsoft has surely moved ahead with lessons learned and improved with Windows7 and Win8+ . Its still is most exploited OS on planet due to its design.


Time to switch to Ubuntu Linux:
With no updates on XP from Microsoft, its time for you to switch to better OS. Either upgrade to Win7/Win8 if your machine supports and ready to throw away some cash, OR try out new Ubuntu Linux 14.04.

Ubuntu (http://www.ubuntu.com/) is Linux distribution which is FREE for use.  It’s a general purpose OS which comes with set of default application for you to get started immediately. It has built is apps for document, spreadsheet, presentation editing and browser (Firefox). Ubuntu is Linux version which is known for security and stability. Linux is Open-source operating system built by huge set of developers world wide and has been most successful for last 23 years. Linus Torvalds is the person behind building Linux OS, which has made so many technology things possible around us.

There are other variations of Linux (called as Linux distros). These are different vendors which package linux with different requirements. Some popular Linux distros are - Fedora, Linux Mint, Open Suse, etc. Here is good site to visit to know more about Linux distros - http://distrowatch.com/



Performance advantage with Linux:
Linux works great on old PCs and you should be able to clearly see performance improvement over Windows. Linux uses resources diligently and give max performance on your hardware. If your hardware/machine is really really old(7+ years) then try other Linux distro like Lubuntu (http://lubuntu.net/) or  Puppy Linux - http://puppylinux.org/


Screenshot showing office applications on Ubuntu 14.04

\
Screenshot showing lock screen of Ubuntu

Screenshot showing Software Package Manager from Ubuntu 14.04 


Where all is Linux used ? 
Open source & free nature has brought huge attention to Linux across globe. All major websites run on Linux (facebook, google, twitter, wikipedia, and many more). Your android has Linux OS underneath. Your TV, washing machine, Wi-Fi router has been built on top of Linux OS. You can connected to Linux already by one or other way.

Why is Linux secure ?

  1. Any one can see the source code of Linux and that makes it most secure. Any new code is reviewed by developers around the world. No commercial software company can afford as many developers on single project has been working on Linux for last 23 years.
  2. Program are run on normal user and not admin(root) user. Any access to damage your system will require admin access and that is not what all applications run with. Keeping access to minimal makes the OS secure.
  3. Its design and architecture is based on Unix which has been around for 41 years now.
  4. Huge set of applications are available via Software package manager in Linux. 
    • All apps are build from source and deployed on servers for you to use for free. 
    • You do not (generally) need to visit any third-party website to download and install an app. 
    • This eco-system makes it Linux secure as no unknown sources are executed on your machine. 
    • Entire concept of app-store (Apple/google) has been inspired from linux package manager. 
    • It provides updates for OS and for all apps and that’s a great benefit on Linux. 
    • Also security is built around about this to ensure valid packages are downloaded & installed and users does not need to worry   about
  5. Networking stack (Communication layer) of Linux prevents viruses from propagating. Networking stack is conservatively build and firewall is at heart of Linux to make it secure. 


Does that mean there are no Viruses on Linux ?
1. No. That’s a myth. There has been viruses reported on Linux and Ubuntu has documented it well for users to know about. Here it is - https://help.ubuntu.com/community/Linuxvirus

2. Linux makes it hard for viruses to reproduce and spread due to its architecture and that prevents it out-break on Linux. Here is great article on Anti-Virus from Ubuntu - https://help.ubuntu.com/community/Antivirus

3. There are Anti-Virus applications for Linux and it’s a good practise to install and run them. You would not like to host a windows virus on your linux machine and allow it to spread on other windows machines around right ?

Where can I get Ubuntu and How can I install it ?



Saturday, April 26, 2014

Why you need to understand mobile app permissions ?

Android has been successful due to huge array of apps available and ease of download for users.  Open nature of android helps app developers do develop various kinds of apps and do magic. Installing an app shows permissions required for an app and that gives us a hint what this app can do/access from you smartphone/tablet

App permissions are access that an app is requesting before you download and install it. If you grant the access, app downloads and has all required permissions to run. No permissions are asked thereafter unless additional permissions are required to update newer version from Google play.

Android platform provide granular permission set for apps. Based on what an app does, it defines which permissions are required and does let android-platform know about those.  As a user you get to know these permissions when you opt to install the app and before you download it.

It depends on app what permissions it needs. If you are just installing a game, then it may ideally not need any permissions. However if it needs to show ads then it needs internet access.




Why you need to worry about app permissions: 

  • Android apps or mobile apps in general have much more control over your mobile and can do anything it wants. Imagine you download a game and in addition to the play, it uploads all your photos/videos from mobile and sends to third-party website ? Or track your exact location and capture all your private info and notify others about it without you knowing anything.
  • Fake apps - All top games on Google play has a copy-cat app which can unwanted stuff behind the scene
  • Pre-Installed app can have more permissions than required - Huge number of apps come pre-installed on your phone which you may never use. These apps can have all permissions and you may never notice them doing anything. Even though you don’t actively use them, they can run behind the scene and do all damage. Pre-Install apps cant be uninstalls as they are marked as system apps. You can still go ahead and disable those apps. This blog post of mine provides more details
  • Mobile malware/viruses has grown high. Here is report from Mcafee http://www.mcafee.com/us/security-awareness/articles/state-of-malware-2013.aspx
  • Its been reported that apps request for 33 % extra permission than what they need. This hints of something fishy in the app 

Here are permissions that are available for any android app to use.

Network access :
Can connect to internet to upload/download data. It can be app specific or from your mobile

Phone calls/SMS: 
Can make phone calls or send SMS. Can read/write SMS

Your Location: 
Can access your location via GPS. Apps can exactly know where you are at any point

Storage: 
Can read/write all of your data on phone and sdcard. Photos/videos/songs/

Account access: 
Can access your gmail account for email-Id, name, phone number, contacts and friends.

System access: 
Can scan files, change lock screen, change enable/disable settings on phone, start on phone restart.

Hardware controls: 
Can access camera and take photos, vibrate phone,  use NFC, accelerometer

Payment access: 
Can request for purchases within apps

Providing access to some or all of the above android-permissions to any app may be harmful in anyway. You data/identity/location and more info is available for apps to use and send to outside world. You need to revisit permission thoroughly before you install.

How to prevent surprises on mobile ?

  • Review permission of apps you install. Be careful if apps demanding too many permissions
  • Review app permissions for pre-installed apps and disable them
  • Install Mobile security Product that scans for malware and highlights you. Try McAfee Mobile Security - Award winning mobile security for FREE. This is security app and thus needs more permissions to scan and fix issues on your mobile - Go ahead and install with confidence.
  • Do not install apps from unknown sources. Prefer only Android Google Play to download apps
  • Check if you are not downloading fake version of popular apps. Check for download number and reviews around it. Do a quick check on correct version of app
  • Uninstall / Disable apps that you don’t use
  • Keep eye on data-usage,  battery-usage by apps. Navigate to  
    • Android Setting > Data Usage > List of apps showing network/data usage 
    • Android setting > Battery > List of apps that consume battery
  • Read reasons for permissions needed by app on Google Play store. Many developers do detail out this info to be transparent.


Hope this helps. Do write back or comment below.

Thursday, April 24, 2014

Use Bookmarks for Bank websites!

Online banking is preferred way for bank transactions and we hardly visit bank building. Most banks do provide android/iphone apps  to take it further. Bank websites are here to stay and do provide rich set of services for customers; and here lies the security issue. You need to protect you identity while logging in and prevent using your credentials on any other fake websites.

Use browser bookmarks to open bank website:
Always visit your bank using a bookmark on your browser. Simple practice can save your money
  • Never search for bank URL in google or any search engine. You may land up in fake website
  • Never search bank website URL in emails, you might open fraudulent email with URL pointing to site that looks similar to your bank. You may end up entering credentials and give away access to hackers
  • Do NOT bookmark 'Sign in' page as it can change, always bookmark main website of bank e.g. https://www.hsbc.co.in, you can then follow the 'Sign in' page from there. Just Bookmark bank website once and use it thereon! 




Secured Bank website:
Ensure you open up bank website that starts with https://  (secure) and not http:// (non-secure). When you bookmark website make sure it points to HTTPS secure link. All banks should be using secure mechanism on their website. Bailout if you see non-secure version of website. Note - There might be cases wherein base bank page is non-secure, however 'Sign in' page will be secure - keep an eye when you login.



Do NOT login if web certificate shows red/yellow alert:
Trusted web authorities issues digital certificates to bank for their websites. If certificate matches the website you are visiting then no issues. However if certificate granted is for different website and webpage claims that its for your bank then a red alert message is shown by browser as below. There is something surely wrong. Do NOT login and enter your credentials. There are high chances that your username/password may land up in hands of third-party website which can then be used on real bank website.





These rules are of course not just for banks, but for any website that you think should be securely accessed. e.g. email/stock website/social networking/etc. You know it better for that matter now.


Disable apps that you don't use and can't uninstall

You got a brand new Android mobile ? Great. Got lots of app pre-installed ? Yeah.  Mobile manufactures (Samsung/LG/Asus/HTC/Nokia and others) pre-install loads of apps by default. They partner with other app developers to promote apps and make money in turn. Great business sense to pre-install and get people use those apps with ease.


There are apps that are common and people do install it eventually (e.g. Gmail/facebook/Whatsapp). It make sense to install it by default and make it available for people to start using right away on their new phone.  However there are ton of other apps  that mobile manufactures pre-install and that is annoying to users.

As a user you may never use these pre-loaded apps. Just an example, I got Samsung S4 (from phone service provider) and it came with 80 odd apps, out of that I never ever used 40 apps!  That's huge set of apps pre-loaded. It may vary based on which phone you buy, however its obvious that new mobiles does comes with good number of pre-loaded apps - which you never will use!

Pre-installed apps can run in background and has all permissions: 
Even though you never use all those pre-installed app, they are still there and running behind the scene. Each app has permission granted to them and can read/write your SD card, has network access, can intercept phone calls/sms and do much more. Result - Privacy/security issue in addition to battery drain which you never notice.

User can't uninstall pre-installed apps: 
Problem with these pre-installed apps is that user cannot remove them. They are installed in system space/partition and thus locked by android/mobile vendor. Users cannot uninstall it.  You are stuck with those 40+ odd apps!

You can remove those apps if you root your phone. However rooting is not recommended and not easy way for anyone to try out. Rooting is a process of gaining admin access to your phone and with that access you can do all things on your phone. There are ways to root your phone and you can find steps on google to do so. However its not straightforward and it voids your phone warranty.

Best way to solve this is to disable pre-install apps! 
Navigate to Settings > Application Manager  and open up apps that you don't not use. Mark them as disabled and here you go. These apps will not run or update any more. Will not carryout any function and will not read/write data or use your internet. Result - a safe phone to use.

Basic security concept used here is - less the number of apps, less is the security risk. Same concept applies to your new laptop/tablet too.

Its not that user don't have option about pre-installed apps. You do - go ahead and review apps that you don't use and disable them.

Warning: Do make sure you are not disabling any system apps. Do try to run the app that you plan to disable and check if its not a android-system app.

Advantage you get  - 

  1. Better security / privacy by keeping minimal apps running
  2. Improved battery performance 

 Do comment below and I will be glad to answer it.

Wednesday, April 23, 2014

Is your Anti-Virus working ?

If you are using Windows/Linux/Mac then you would have installed an Anti-Virus(AV). If not then better get one and setup. Its too easy for a machine to get infected and it has been reported that malware and viruses are on their all-time high.

Here are some reasons why you need Anti-Virus
  1. You connect to internet and download/install files 
  2. You exchange data with your colleagues or friends via pen-drives  
  3. You connect you machine to different Wi-Fi networks 
  4. You use shared folders or use torrent for file sharing 


 How to know if your Anti-Virus is working ? 
Any Anti-Virus product generally operates in three modes to give you full protection.  Here is gist that you need to know before you proceed

  1. Real time scanning (RTS) - In this more Anti-Virus product is active under the hood and constantly monitoring files that are open/written/closed/downloaded. AV product will scan them immediately and flag an alert if there is any virus detected
  2. On-Demand scanning - User initiates virus scanning whenever required. Generally available with right-click scan option on files/folder. This forces AV to re-scan all files that you think may be infected
  3. Scheduled scan - This is periodic AV scanning done to ensure nothing is missed out. A fallback and automated way to scan your machine once a week at given time 
There might be more scanning modes to provide more granular functionality depending on AV product you use.

To ensure your Anti-Virus is running you need to check if all above methods of scanning and making sure everything is setup correctly to avoid any data loss or issues.

Check 1: Is your Anti-Virus subscription active ? 
As you know there are paid and free AV products out in market and each of them has pros/cons. For a free product it may only function for certain period and then ask for registering/purchasing of product. For paid AV product, it may expire as per your subscription timeline and may not be fully functional. In either cases you need to ensure you have active protection. There might be more business conditions for any AV product to stop working or reduce its effectiveness and you may not notice it. Most of the products do show up alerts to warn user to renew or buy subscription.

Secondly, most of Anti-Virus vendor tie-up with laptop/desktop manufacturer to provide free AV for certain duration. Thus AV comes by-default with your new machine and is functional (You may need to signup for an account). However there is time limit and you need to renew/buy subscription to keep it running beyond it, else AV functionality is ineffective.

Open your Anti-Virus product and check if it shows RED or GREEN (most of AV vendors use these colors to indicate issue or non-issues). Check for subscription expiry and its validity. If all ok then great, else its time to renew your subscription. There should be links in AV products to buy or renew and all will be good after that. Do perform a full scan once you buy subscription to ensure nothing was infected in case your AV was non-functional.

Check 2: Download a dummy virus!  
Don’t panic! Its only to check if your AV is running Real-time scan and effectively detecting viruses. There will not be any damage if you download the one said in images below. Anything other than that should be strictly avoided. It’s a simple test that is also used by AV vendors to perform test in their environments.

Navigate to website shown below and visit 'Download anti-malware test file' page.



Scroll down a bit and copy text shown in box similar to below image.



Open notepad on your machine and copy this text and save file on your desktop. Give any name to it. Say 'SampleTest.txt'



If Real-time scan is functioning then it should detect this action of saving the file and prompt an alert or clean up the file immediately. That’s the PASS for you’re your AV. Be assured that AV you have installed is running and will catch any viruses if it finds. It’s a very simple test and you may use it anytime to double check if everything is fine.

In case your AV does NOT alert or delete the file (in few seconds) then that’s an issue. Close notepad and open same file again and double check if AV is detecting. If its not then something is wrong with your AV and you need to take action for it.

  • Uninstall and reinstall the product 
  • Buy other Anti-Virus vendor product 
Ensure that you run above test again after you install the AV product.

Check 3: Checking if on-demand scan is functioning (Optional) 
You can test On-Demand scan (Right click and scan file/folder) same way as above. Only difference is that you will need to explicitly turn RTS off (Be careful to turn is ON again once you do the test).  Switching off RTS will avoid cleaning up sampleTest.txt file immediately and will give you a chance to run 'Right click scan' option on file.

Check 4: Latest updates installed ?

Every AV product needs to Virus-Signature info to detect and clean viruses. This info is updated by AV vendors on daily(ideally) basis. Your AV product should download up-to-date signatures to give you max protection against latest viruses. Check for "Last update date" or similar option in your AV product and make sure its current. If not force an product update.

Check 5: Better and consistent way to test AV - Install 'McAfee Security Scan Plus'  (MSS+)

Another way to test AV (on Windows) is to install a small free product from McAfee (an Intel Company) named 'McAfee Security Scan Plus'.  You can download it from here.
Features -

  1. Checks for Anti-Virus and Firewall status on your machine periodically
  2. Alerts user if RTS is off or, virus-signatures info (info required by AV product to clean viruses) is old and need and update
  3. Alert user if AV is not installed or not active. Provides a purchase link to McAfee product if status is red 


Note - Its NOT a full Anti-Virus product. It is light weight application to help users to keep their Anti-Virus and Firewall up-to-date. Please read in details here.

Here are some screenshot



Monday, April 21, 2014

Software Security is not one-stop shop!

Security is not one-stop shop and you get everything. It’s not about you install a product and forget everything about keeping every things secure. Here are numerous topics around security that you should be aware of to keep up to security.



Anti-Virus and Firewall: This is the most common term people think of security. It’s still valid, however it’s not everything. All of us now do things on internet and there has many more things to take care. You still need to worry about what you download/install or connect your friends pen-drive to your machine. Security products does great job here.

Web security: Internet is full of good and bad sites. You need to ensure either not to land on those or be careful about those. Good browser plugins do help in to give us rating and categorization. You need to keep an eye and ensure not land-up into unwanted sites.  Security products does great job here. Here is good read on it.

Social networking: This has become part of our lives now. You need to ensure whom you add as friend, what information you share with people, what photos/status you post. Social network is your identity to world and that can be used against you by anyone.

Privacy: Host of apps exposes your data/identity to world. Your Facebook/Whatsapp/Google+ info. Apps can access your GPS location and time. Apps have access to what you do on internet and songs you listen too. Google has access to all your info - your search, contacts, docs and much more. You data/identity can easy be exposed to embarrass you. This is entirely in your hands.

Email Spam: You share your email and there you go with flood of emails all around the world. Security products and email providers do great job here. You still need to improve on this by marking emails spam if you see one. Phishing is common security issue that people fall - ensuring you validate who sent you email and review authenticity

PIN/Password: This is gateway to your account and all your data. It’s of utmost importance how you manage them and how strong your passwords are. Same password for multiple accounts is common problem. Two factor authentication is way to go ahead. Learn best practices around your passwords. Security products do come in handy to help you. However still in your hands to ensure end-to-end protection. Here is good read on two-factor authentication.

Mobile/device Theft:  Mobile theft is on rise and governments are working on laws to help people. You still need to ensure you are prepared for it and follow best practices around it. Here is good read on it to be prepared.

Wireless security: Wi-Fi & blue-tooth is great however equally vulnerable. Which Wi-Fi networks you connect to, how secure your Wi-Fi network connection is? It matters as all your data goes through Wi-Fi and can be easily accessible to anyone on around you. Bluetooth exposes similar security issues and you need to enable/disable as you need to keep yourself secure.

Parental control: Kids are exposed to internet at early age and huge content on internet is just a click away. You need to setup good parental control products and keep an eye on internet usage to ensure kids are not exposed to bad content or more. Security products do come in handy. Here is good read on it.

Data backup: Photos/Videos and your data from various devices needs to be backed up to avoid losing them due to hard-disk failure. Hard disk/Pen-drives has life up to 5 years and can stop working all of sudden. Also with high resolution photos/videos with your latest phone/camera you need more space. You need to ensure your data is backed up from all devices and maintain securely as it’s your personal and private. There are multiple vendors around and you need to manage it well.

Operating System and browser updates: Bug fixes, Security fixes, performance fixes or new functionality and more reasons to keep your operating system and other apps up-to-date. Don’t turn off updates even though it’s annoying at times.

Mobile apps and permissions: Contacts/photos/videos/songs/location/messages/emails and more data resides in your mobile and everything is exposed to apps you install with permissions you grant to them. You need to keep eye on what you are installing and what all it needs to access. Any app with access for more than it needs is point of concern. Security apps do come in handy here; base rule still is to keep your apps under control to avoid exposing private-data/location/network to world.

Home network and devices connected: More and more network devices (TV/XBOX/Tablets/Phones/Laptops/Setup-box/etc.) are in home than it used to be five years back. Each of them has potential to run apps and data you store/share in your home network. You Wi-Fi router is one point of contact to setup and secure all. There is no good security solution to manage them all and it’s in your hand to ensure security.

Phone number and calls: Similar to your email address, your phone number is also exposed to world and it would be hardly anyone not getting unwanted calls or messages. There are apps to block calls/SMS and do-not-call registry to secure. There are good practices around this to follow.

Surely more things will come-up as technology grows up. There will be more things to take care from security point moving ahead; technology will surely catch-up and assist you along the way. Do keep reading and follow best practices on security to stay ahead.


Wednesday, April 16, 2014

Are you prepared in case your phone is stolen?

Global reports on mobile theft has reported 1 in 3 phones are stolen or lost. You lose your photos, contacts, messages, data within apps and expose your identity (email, facebook, google+, banking apps) and importantly your two-factor authenticator app!

That’s quite of a risk in addition to value of your phone. Better option is to be prepared in case it happens. It takes less than 5 minutes to setup your phone so that you can remotely locate, lock and wipe it if required. If you have Android phone, here is how you do it. For iPhone users, here is another blog.

Android comes with built-in 'Android Device Manager' functionality that you need to setup. Here is how -



Step 1 - Enable 'Android Device Manager' (ADM)
Android Device Manager is functionality of Android to allow user to lock or erase a lost device. This is installed by default in android beyond Android version 4.1 (Jelly Bean). You need to tell give permissions to 'Android device manager' so that it can lock and erase data when needed.

Navigate to Settings > Security > Device Administrator > Enable check box for 'Android Device Manager'






Step 2 - Enable remote Lock and Erase functionality in Android Device Manager
You need to enable remote locate and remote lock/erase functionality.

Open 'Google Settings' > Android Device Manager > Enable both check boxes


Step 3 - Setup PIN/Password
Enable the PIN/Password for your phone. This will block anyone accessing your data and/or disable 'Android Device Manager'. No one should be able to disable ADM. Here is how to setup PIN/Password. Skip to next step if you already have this in place.

Setting > Lock Screen > Screen Lock > PIN / Password

Next time you lock your phone, it will ask for PIN/Password.

Step 4 - Go to web(on another device - tablet/phone) and you are ready to locate, lock, erase or ring your phone

Navigate to https://www.google.com/android/devicemanager and it will show you last location of your phone when it successfully located. You can click "Ring" to ring your phone even if its silent. Locate your phone, Lock your phone and erase content of your phone remotely. Do give it a try and be aware you can do this remotely anytime.



Step 5 - Note your phone IMEI 
Your phone has unique 15 digit ID which is called IMEI ( International Mobile Equipment Identity) You will need this number to register a complain to police and your network operator. Make a note of this number for future reference. You can find it by navigating to

Settings > About Device/About Phone > Status > IMEI




Pros and Cons

Pros

  • No third-party software required to install and setup. Its available in android 4.1 Jelly Bean version by default. You get performance advantage due integrated solution from android. Any third-party app will add some performance impact on memory, battery and CPU
  • It is well integrated in Android/Google ecosystem. Your phone is linked to google account and always accessible via web
  • Remotely set password on device using web interface even if your phone initially didn’t had PIN/Password set

Cons

  • No backup of your data done. You cannot get back data from phone once its lost. Note - Google does backup contacts via its account and photos/videos via google+ auto-backup. You need to set this up explicitly via Google Drive or DropBox
  • There are host of other features available from competitive products like, Lock phone when SIM changed, Capture photo of would-be thief, locking and erasing phone data with SMS commands from your friend, and working only on SMS commands if data network is not available due to SIM changed. This is where other vendors kick in to give you competitive advantage. Read my other blog on 'McAfee Mobile Security' to get all these functionality for free
For most of the people and myself, remote locate / Lock and data wipe is what is important and "Android Device Manager" fits perfectly. It is a clear winner when you want to get best of android/google ecosystem without third-party apps.

Why not avoid losing your phone in first place ?

  • Never leave your phone in unattended car
  • Never leave your phone behind in public places restaurants/pubs/coffee-shops/office/airports/cinema/etc.
  • Mobile is just any other thing that you take care to avoid loss. You know it better and can take care of it :-)


Hope this helps. Wish you don’t lose your phone and don’t need to lock or erase data - but being prepared for it is important!

Monday, April 14, 2014

Use "Private browsing" mode for security reasons

All modern browsers support "Private Browsing" mode or "Incognito" mode as in Google Chrome. No traces are left behind when you browse in private mode. No history, no temporary files, no web cookies to track users and no cache. Files you explicitly download do remain.

Private browsing mode shield you only on local machine; your Internet service provider or your company can still know what your are browsing. Private-browsing still make sense from security point as explained below.



Here are good reason why you should use private-browsing mode 

  • Public computer usage - You are using a public computer and accessing your email/Facebook or bank accounts. Use private mode. No history, no passwords will be stored back for others to use.

  • Temporary login to friends machine - Logging in from friends/colleagues machine to do a quick email/Facebook/etc. check. Leave no traces for friend to see.

  • Login to bank website - Accessing bank account for any transaction? prefer private browsing as all plugins get auto-disabled and no unknown plugin records your keystrokes or monitors your web page and data posted to bank site.

  • Privacy from google search - If you sign into chrome then all your search results are stored by google. If you wish to keep some privacy over what you search, use private browsing mode. Google or any other search engine will not be able to map search back to your account; of course you will be restricted to search non-adult content

  • No auto-fill history - You don’t wish your username, search fields, or address get added to auto-fill history; private-browsing make sense.

  • Privacy while accessing porn. Self explanatory as you don’t wish to leave everything in history.

Browser plugins and Private-Browsing mode - Browser plugins are apps that run as part of your browser to enhance your internet experience. Plugin as they are part of browser has access to each web page you browse, content of the page, and data you enter (email and passwords). With private browsing all plugin get auto-disabled and that’s great. You can enable a plugin selectively if you wish to. Ensure you enable only minimal set of plugins to keep risk low.

Starting browser in private-browsing mode by default - For any of the above security reasons or more, you can always start browser in Private-browsing mode by default. Here are ways to get browser auto-start in private mode - http://lifehacker.com/5530828/start-any-browser-in-private-browsing-mode

Incognito(Private-Browsing) in Chrome




Private-Browsing in Firefox -






Securing your account with password only? That’s not enough anymore - Use two-factor authentication

Using userID and password only to login to your account is old method to ensure security to your account(email, bank, facebook, etc.). It has been reported numerous times that passwords can be stolen, leaked, cracked, captured, sniffed & guessed. Bad guys (may be your own people with bad motives) are trying hard to get your password and get into your account to steal data/money/identity/photos.

You need to protect your account with something more than just UserID and password. Strong password is not enough to protect your account and you need to go beyond that to make your account secure.

What is two factor authentication ?
In simple terms you can consider two factor authentication as "Two Locks" for your account. You need to open both the locks before your get into your account. And to open two locks you of course need two separate keys.

Two factor authentication is security process in which you use your userID+Password and physical token. Its "something you know" and "Something you have". E.g. If you wish to login to your email account, your emailID & password is what "You know" and an addition short numeric code(Verification code) that is available on your phone which acts as "You have".




Why two factor authentication?
According to security research, two factor authentication drastically reduces the risk of your account getting exposed or hacked by anyone. Anyone who knows your userID+Password, now cannot open your account unless they enter the code which only you have it(on phone or physical).

Banks, enterprise business, and small/medium business already got this started early on and now lots of online companies provide this feature for free to users to increase level of security around your accounts. Your data & identity is equally important as your bank account, which you don’t wish to loose.

Why anyone cant break into your account with two factor authentication ?
By adding a second lock to your account it gets hard for anyone to crack your account. Numeric code is usually generated every time and it keeps changing. Anyone who has your userID & password also now needs this numeric code to open your account and that’s not with them(unless your phone/device is lost).

Here is a short video on Two factor / Two step authentication from google.



Google Authenticator - An Android and iOS app to generate verification codes on your phone

  • Google provides a generic phone app on android/iPhone for users to setup and use two factor authentication. Install "Google authenticator" from Google Play and follow steps to setup.
  • Note that 'Google Authenticator' is not just for your google accounts, its generic enough to help you setup two-factor authentication for numerous other websites too. A good example here is "Lastpass" which integrates well with Google app and makes your master password/account in Lastpass safe.



Who all provides two factor authentication?
In addition to your bank, lots of companies on web offer it. Google, Facebook, Microsoft, Lastpass, Apple, Dropbox, Evernote, Yahoo, Linkedin and many more. And this is all for free. So go and secure your account now.

Here are some services that support two-factory authentication, with instructions on how to enable it -

  • Google/Gmail - Google provides six digit verification code via sms or by Google authenticator app.  You can enable it by following steps from here - http://accounts.google.com/SmsAuthConfig
  • LastPass - Most important service that you should enable two factor authentication. Here are steps - https://helpdesk.lastpass.com/security-options/multifactor-authentication-options/google-authenticator/
  • Facebook calls it as 'Login approvals' and provides couple of ways to setup. You can get verification code via sms or setup google authenticator or via facebook app itself. See https://www.facebook.com/settings?tab=security
  • For your favorite services apart from above search google or have a look here - http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now

Hope this helps to secure your accounts!

Sunday, April 13, 2014

Use these browser plugins to keep yourself safe online

Your browser is the point of contact to internet and *the* most vulnerable spot. In addition to which browser you use, its most important to use it with right set of apps (plugins). Plugins are apps that run within your browser and enhances your browsing experience.

Using random plugins can expose all your browsing history and data to external world. Every plugin has access to all your web history and data that you send. All your user names, passwords, emails, and chats can be accessed by plugins. So make sure you monitor your usage of plugins in your browser.
Plugins can also ensure your safety online. Here is good list of plugins that improves your online experience and keeps your safe.

I am using Google Chrome as reference browser to demonstrate various plugins. Almost all of the below plugins are also supported on other browsers (Internet explorer, FireFox & Safari). Google Chrome claims to be most secure browser plus its fast and comes with great user interface - try switching to chrome if you haven’t tried it yet. Each tab in Chrome is separate process and that helps on security and memory management - *the* feature that I like most in chrome.


HTTPS Everywhere - Encrypt all your communication on web automatically. Your browser uses network protocol to fetch web pages from internet. This protocol (HTTP) is unsecured by default and all communication happening can be sniffed over network. HTTPS takes this web protocol to next level by adding encryption. It uses secret keys to encrypt data between your browser and web to ensure no one in middle can see or change what you are doing.

Installing HTTPS ensures that any website that also supports secure browsing is used automatically. You do not need to do anything extra once you install it. This plugin will do the job of connecting you to secure channel whenever available.
Install HTTPS Everywhere via this link - https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en

SiteAdvisor & WOT - Both of these plugins are great in categorizing web page as 'Red', 'Green', 'Amber' or 'Grey'(unknown). Red indicates unsafe and you should avoid navigating to those sites. Green is for safe sites that are tested and confirmed by security vendors. Amber/Yellow color indicates possible issues and gives it as warning. Grey is for new websites that are still unknown and not categorized.   WOT and

SiteAdvisor show red/green/amber & grey icons next to links in browser and help you right away before you move to dangerous website. It updates your search results, social networking pages and emails to ensure that all web links are tagged for ratings.
SiteAdvisor comes from McAfee and Intel company.  McAfee (And other security vendors) does job of visiting millions of websites for security/safety and categorizes given site/web-page for users. Great amount of research and work is done behind the scene to provide such kind of easy to use functionality for users. Websites are tested frequently enough to keep the categorization up-to-date and ensuring no users are infected due to stale reports.

Content from websites is constantly scanned to ensure you don’t get spam-emails, virus downloads, automatic downloads, script execution to take your identity, third-party links referenced from those sites and more.



Download and Install SiteAdvisor from - http://www.siteadvisor.com/download/mac.html?q=promo
Installing WOT - https://chrome.google.com/webstore/detail/wot/bhmmomiinigofkjcapegjjndpbikblnp?hl=en

DoNotTrackMe - Plugin that disables websites for tracking you. When you visit a website, it can write into your machine the time and date you visited with your id. It can then track back your history and monitor what you do on websites. Someone on web knows what exactly you do on and can use it for their advantage. Good way to disable this is by using 'DoNoTrackMe' plugin. It disables tags(cookies) that are used by websites and thus protects your privacy.

This plugin also provides email blocking functionality by providing a dummy email and links to your emails. You can stop receiving emails by blocking dummy email-address and free yourself from spam.
Install DoNotTrackMe - https://chrome.google.com/webstore/detail/donottrackme-online-priva/epanfjkfahimkgomnigadpkobaefekcd?hl=en


AdBlock - Disable annoying ads shown on search result, websites or facebook. It blocks all unwanted
traffic and improves your browsing experience. Its not purely a security related plugin, however as it blocks ads you are ensured of showing content from unwanted websites and thus tracking you





Install Adblock from - https://chrome.google.com/webstore/detail/adblock/gighmmpiobklfepjocnamgkkbiglidom?hl=en

Sign into Chrome to sync plugins  - Google chrome provides this functionality to sync your bookmarks, history and plugins in browser. Do sign in chrome to ensure all your plugins are also available on other computers which you use and don’t have to re-install them. 

Saturday, April 12, 2014

Best free products from McAfee - An Intel company


McAfee Mobile Security - Award winning mobile security product from McAfee.

Features -

  • Anti-Virus - Scan for app & files for infections
  • Backup your contacts, sms, photos and restore them if you loose your phone
  • Anti-Theft - Lock and Wipe your phone if you lose your phone
  • Web protection for safe browsing
  • Available for Android & iOS










McAfee Stinger
- McAfee Stinger is a standalone utility used to detect and remove specific viruses on Windows platform. It is not a substitute for full anti-virus protection, but a specialized tool to assist administrators and users when dealing with infected system. Stinger utilizes next-generation scan technology, including rootkit scanning, and scan performance optimizations. It detects and removes threats identified under the "Threat List" option under Advanced menu options in the Stinger application.

Advantages

  • Small download and quick scan. 
  • No installation required - No registration required. 
  • Just download and scan for infection on Windows machines



McAfee Security Scan Plus - Actively checks your computer for anti-virus software, firewall protection, and web security.

  • No registration required
  • Small installer
  • Minimal disk space required
  • Minimalist product to keep an eye on your Anti-Virus and Firewall

Friday, April 11, 2014

Secure all your devices with parental controls for free!

Internet is cool, However there are websites that you do NOT want your kids to browse. And there are new websites everyday that spring up with content that is inappropriate for kids. As a parent you cannot keep adding websites to block list in browser everyday! You need to have a system working in background that provides up-to-date protection.

… And there are devices that your kids use. Tablet, iPad, Phones, Smart TV, Kindle, Desktop/Laptops, XBOX and other gaming units. You can't keep track of all of them - cannot setup protection on all of them! Or its tedious.

There is a simple way - Setup OpenDNS on your Wi-Fi router at home! Every Wi-Fi Router has support to change DNS settings. Here are the details.

OpenDNS is worlds largest internet security network.

  • They provide free web-filtering to consumers. Check out "OpenDNS family shield product" free for consumers 
  • It blocks adult content, and makes your internet faster and reliable 
  • DNS (Domain name system) is used by browsers(and apps) to resolve website name to actual web-server. By redirecting all DNS queries to OpenDNS, makes it possible for you to block/filter web content 
  • You can then go to openDNS.com and find our reports about your kids browsing patterns.

Wi-Fi Routers - Most of the houses now use Wi-Fi routers for internet connectivity.

  • All devices listed above has network connectivity and you probably have already connected all those devices to your Wi-Fi router to browse or play online. 
  • Wi-F router is thus a single point that you can setup/enable web filtering. If its done here then all devices gets the benefit and you no longer need to configure each device. 
  •  OpenDNS can be setup on any Wi-Fi router. Details below 
  • If you don’t use Wi-Fi router, you still can setup web content filtering by setting up openDNS on your device directly

Comparison Paid Vs Free (OpenDNS & Wi-Fi solution) Parental control products 

  • Security vendors like McAfee, Symantec and others do have Parental control products. They do granular web filtering and provide higher level protection. E.g. Page level web filtering against domain level web filtering provided by OpenDNS.
  • OpenDNS comes with other advantage of blocking inappropriate content on all devices as you setup protection on Wi-Fi routers. You do not need to install and configure on each device. Security products has limitations to support on set of devices and not all. E.g. you cannot install parental control on TV, Kindle Reader, XBOX, etc. (to my knowledge)
  • Paid (Product installed on device) products provide protection on the move as it is installed on your device. OpenDNS is configured on Wi-Fi router and thus limits you to protection only at home
  • With Wi-Fi solution, kids can still access all web content on Phone/Tablet with 3G network and disabling home Wi-Fi network. Paid products does come handy here.
  • Paid (Product installed on device) brings in performance delay while browsing as it has to check for every page. OpenDNS promises faster page loads.
  • Conclusion - Current solution explained here about OpenDNS & Wi-Fi compliments Parental control products from security vendors and provides greater level of protection. 
Here is step-by-step guide to do this. Seven easy steps to start protecting kids online. For Free!

Step 1 - Sign up on OpenDNS

Visit & sign up on http://www.opendns.com/





Step 2 - Follow steps on openDNS website to setup and configure DNS IP address on your router





You need to open your router webpage (generally http://192.168.1.1 or http://192.168.0.1) and change primary & secondary DNS IP addresses to the one given below.
If you are not aware of router password, then search for default router passwords here - http://www.routerpasswords.com/




Step 3 - Navigate to OpenDNS Dashboard to configure your network



Step 4 - Add your home network to your account
Add IP address shown from top of the page to the input boxes.



Step 5 - Customize web content filtering High/Moderate/Low/None



Note that all devices(that connect using Wi-Fi) will get blocked for inappropriate content. In case as adult if you wish to browse the content then you can disable it temporarily and set it back ;-)

Step 6 -Test if all works

Try navigating to any adult content! Alcohol website http://www.guinness.com/
You should see below page in browser or any device at your home. Hurray its working!



Step 7 - Monitor your network over time
OpenDNS website provide good statistics about blocked sites and sites visited over time. Visit it and keep an eye on whats your network usage.

Relax and be assured that OpenDNS is working in background protecting all devices on your network the way you configured it.

Hope you find this useful.

Transform your $15 router to $200 security router for FREE

Technology is evolving faster and there are more IoT devices at home/office than a few years back. Software Security companies are movi...