TechByter Worldwide

Speak softly and carry a large microphone

 

30 Jul 2017

Security and Your Smart Phone

Maybe you saw a report that suggested free smart phone charging stations can steal information from the phone. A company called Authentic8 performed an experiment that showed most people would use a free charging system without asking about security.

Does this mean you shouldn't plug your cell phone into a power outlet in an airport (assuming you can find one, of course)? The answer is no.

There's a big difference between a wall outlet and a charging station that includes cables that are intended to fit popular mobile phones and tablets, but let's start by examining Authentic8's experiment. At the most recent RSA Conference in San Francisco, the company offered such a free charging station. Bear in mind that the RSA Conference is for security professionals. About 45,000 people attend one of the group's events every year in the US, Europe, Asia, and the Middle East. Authentic8 says that 80% of the people who used its free charging station did so without asking about security.

Unlike computers that have separate connectors for power and data, smart phones and tablets combine power and data on a single port. That's where the danger lies. If you have your own power supply, plugging it into a power outlet presents no danger so long as the power supply is designed to work with the electrical system. Throughout North America, power standards are identical and many power supplies are designed to work with electrical systems found elsewhere. In any event, there's no data security risk.

But a device that connects to your smart phone's data and charging port could be used to extract data while charging the device. Your phone can be locked (what manufacturers call "charging only" mode), but it still exposes the device name, vendor name, and serial number.
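To see why "charging only" still gives something away, here is an added example (not part of the original article) that decodes the standard USB descriptors a host reads when any device is plugged in. The descriptor bytes, vendor and product IDs, and strings are constructed placeholders, and the function names are hypothetical.

```python
import struct

# Standard 18-byte USB device descriptor, little-endian.
DEVICE_DESC = struct.Struct("<BBHBBBBHHHBBBB")

def make_string_desc(text):
    """Build a USB string descriptor: bLength, type 0x03, UTF-16LE text."""
    payload = text.encode("utf-16-le")
    return bytes([len(payload) + 2, 0x03]) + payload

def parse_string_desc(raw):
    """Decode a USB string descriptor, rejecting malformed ones."""
    if len(raw) < 2 or raw[1] != 0x03 or not 2 <= raw[0] <= len(raw):
        raise ValueError("not a valid string descriptor")
    return raw[2:raw[0]].decode("utf-16-le")

def identity_seen_by_host(device_desc, strings):
    """Return the identifying fields a host reads while enumerating a device."""
    if len(device_desc) != DEVICE_DESC.size:
        raise ValueError("device descriptor must be 18 bytes")
    (length, dtype, _usb, _cls, _sub, _proto, _mps, vid, pid, _rev,
     i_mfr, i_prod, i_serial, _ncfg) = DEVICE_DESC.unpack(device_desc)
    if length != 18 or dtype != 0x01:
        raise ValueError("not a device descriptor")

    def lookup(index):
        # Index 0 means the device offers no string for this field.
        return parse_string_desc(strings[index]) if index and index in strings else None

    return {
        "vendor_id": f"{vid:04x}",
        "product_id": f"{pid:04x}",
        "vendor_name": lookup(i_mfr),
        "device_name": lookup(i_prod),
        "serial_number": lookup(i_serial),
    }

# Constructed sample: IDs and strings are placeholders, not a real phone.
SAMPLE_STRINGS = {
    1: make_string_desc("Example Phone Co"),
    2: make_string_desc("ExamplePhone X"),
    3: make_string_desc("SN-CONSTRUCTED-0001"),
}
SAMPLE_DEVICE = DEVICE_DESC.pack(18, 0x01, 0x0200, 0, 0, 0, 64,
                                 0x1234, 0x5678, 0x0100, 1, 2, 3, 1)

if __name__ == "__main__":
    for field, value in identity_seen_by_host(SAMPLE_DEVICE, SAMPLE_STRINGS).items():
        print(f"{field}: {value}")
```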

The safest way to charge your device is with a power supply that plugs into the wall outlet or with a portable battery pack. Charging stations should be thought of in the same way we think about open Wi-Fi hot spots.

Far too many people seem to be unconcerned about security for mobile devices. If you think that your mobile device really doesn't have any important information on it, step back and give that another thought. How many photographs are there? What about address lists and phone numbers? Are there links to your bank's or credit card's on-line interface? A lost or stolen device can create serious problems that might take a lot of time to fix.

Most phones have a default setting that allows the device to install applications only when they come from the device's associated store. There's a way to override this and occasionally that's necessary, but most of us know that installing apps from outside the store can be dangerous. That doesn't necessarily mean that all apps in the store are safe, though. The stores have suffered breaches and have occasionally served malware to users.

As with all other computing devices, regardless of their size or portability, strong passwords are essential for mobile devices. The more complicated the password, the better. Entering a complex password on a small device can be challenging and that's why we have password managers. No computing device should allow bypassing the lock screen without a password. Once you're in, use the password manager for apps and on-line log-ins that need them.

Is your mobile device encrypted? It should be and that is now the default for most devices.

Updates are every bit as important on a mobile device as on desktop and notebook computers. When security flaws are found, developers push corrections out as patches. These are useless if you don't allow them to be installed.

Open Wi-Fi systems, as convenient as they are, can be a gigantic security hole. It's relatively trivial for crooks to snoop on information when you're connected to an open Wi-Fi system unless you have a virtual private network (VPN) application installed. Some of these are free and they will be adequate for those who rarely use public Wi-Fi. If you travel a lot or frequently need to use open Wi-Fi systems, a VPN service is a worthwhile expense.

Why You Don't Want that BIOS Update

The embarrassing thing is that I knew better, yet when Lenovo insisted that a BIOS update was really, really important, I agreed to having the system install it. That's almost always a mistake and it was this time. The general rule is this: If you're not having any problems that can be traced to the BIOS, don't install an update.

That sounds like the exact opposite of everything we're told about updates. We're told to install them without delay -- at least those for the operating systems. BIOS updates are different animals.

BIOS, an acronym for Basic Input/Output System, is what holds the firmware used at boot time to initialize the computer's hardware. It performs some initial tests and then loads the code needed to continue the boot process by reading information from a disk drive. The BIOS once provided runtime services for the operating system and programs that run on the computer, although that function has generally been eliminated.

The BIOS in more modern computers is called UEFI, the Unified Extensible Firmware Interface that provides enhanced security at the hardware level. In some cases a system problem can be resolved by a BIOS update, but these updates also can cause problems and even make it impossible to boot the computer.

Other devices such as routers also have BIOS circuits that can be updated.

Updating the BIOS on the router I use would render the attached network storage drive invisible. I found that out the hard way. Rolling the update back was easy enough, but the router repeatedly tells me an update is available. After accidentally installing the router update a second time, I have made copious notes reminding myself not to update the router's BIOS.

And generally I practice avoidance for computer BIOS updates, too. But Lenovo was insistent about this update and some of the other Lenovo system management tools don't function as they should. So a BIOS update seemed at least to be plausible.

It wasn't.

The update ran as expected, but when the computer attempted to boot it stalled before any graphical user interface components loaded. To figure out where the conflict was, I started unplugging USB devices. No change. At some point, it occurred to me to take the computer out of its docking station and the computer booted normally. However, putting the computer back into the docking station resulted in gigantic text on the external monitors.

So the conflict involved the monitors and possibly the docking station. (Additional research later showed that other users with external monitors -- whether they have a docking station or not -- experienced the same problem.)

The BIOS update was version 1.42 and, as I found on Lenovo's user forum website, the last known good version was 1.38. I hadn't installed any version after 1.38, so that's the version I needed. Because of UEFI security measures, that's the earliest version that I could roll back to. Even so, that couldn't be done until I modified a BIOS setting that would block any attempt to install an older version over a newer version.

So overall, the process of diagnosing, researching, and fixing the result of a bad BIOS update took about 4 hours over 3 days.

And that's why the general rule is: If you're not having any problems that can be traced to the BIOS, don't install an update.

Short Circuits

Another Approach to an Old Nigerian Scam

Recently I was pondering the absence of email from people in Nigeria who want to give me vast sums of money for helping them to move various inheritances, ill-gotten gains, and windfalls out of the country. Most of those scams were written so poorly, some believe intentionally, that only an imbecile would fall for them.

So I thought that all of the imbeciles had been bilked out of whatever money they had or that enough people had finally become sufficiently intelligent that there was no longer a future in that scam.

Apparently not.

This week I received a message from someone who claims to be a 52-year-old mining services consultant and project director who advises several mining companies on liquefied natural gas exports and storage. But now the South African government wants him to be the new spokesperson for South African Airways.

Sure he is and sure it does.

The message explains that the Ministry of Energy and Mineral Resources where he worked as "director of Auditing and Project Implementation, Mining and Quarrying" handles hundreds of billions of Rands per year. A Rand is worth about 8 cents at the current exchange rate.

His pitch: "I write, asking for your indulgence in re-profiling funds to tune of Fifty-two Million United States Dollars (US$52,000,000.00) which we want to keep safely overseas under your supervision. In other words, we would like you to receive the said funds on our behalf. The Funds were derived over time from a project awarded to a foreign firm by my Department, and presently the actual contract cost have been paid to the original project executors, leaving the balance in the tune of the said amount which we have in principle obtained approval to remit overseas." In other words, he's pitching this as a way for you to get your hands on money that he's embezzled.

Here's a different approach: He says that he's currently in the United States for a short holiday. So "Doctor Bernard Mokoena" wants to give me 23% of his stolen money if I help him and his partners get the money out of South Africa.

The part I find most interesting about this scam is that the writer claims to be in the United States. This opens up all sorts of possibilities for the scammer. But at its core, it's just the same old wolf in a new sheep suit.

Tell Me Again How Macs Are Safe from Malware

Ars Technica had an article this week about malware aimed at Macs. It secretly takes control of webcams, can capture what's typed on keyboards, and can see data on the system. None of that is particularly surprising, but this is: The malware has been infecting Macs for at least 5 years and possibly 10.

The article says a researcher at security firm Synack compares the malware to a malicious program that was discovered in January. It's been given the name "Fruitfly". Current versions of the MacOS will detect the malware.

The researcher found some 400 infected Macs -- mostly in the United States -- connected to the malware's command and control server. But there are lots of mysteries, including how the malware spreads and what it's really intended to do.

There's no evidence that it installs ransomware or captures user names and passwords.

The original command and control server is no longer on-line, so possibly the creator abandoned the project. The article notes that the infections were unnoticed for an uncommonly long period.

So if you have a Mac, never say "never," and if you'd like to read the full article, you'll find it on the Ars Technica website.

Microsoft Is Killing Paint!

Maybe you've heard the gnashing of teeth this week. Microsoft will eliminate Paint from Windows 10's next edition. Oh, boo hoo! Well, that's fake news. A half truth. Call it what you will, but I call it a lie.

Here's what's going to happen: Microsoft will deprecate Paint. After all, this is an application that shipped with Windows 1.0 and even then it wasn't that great. It's been updated over the years, but it's still not much of an application. But it won't be gone. Paint will still be in Windows 10 for a while, but it just won't be updated.

See that green arrow over there. It points to a button that says Open Paint 3D.

After all, it's 32 years old and technology -- both hardware and software -- has changed quite a bit since 1985. Yes, 1985.

But guess what! In the last Windows 10 upgrade, Microsoft introduced Microsoft Paint 3D.

So if you fell for the overblown stories about big, bad old Microsoft taking away the most important part of Windows, relax. You can use the brand new Paint 3D or continue to use the old Paint, which will now be frozen in time.

When will it really be removed from Windows? Probably never. There are lots of old applications still rattling around in the Windows cage, including a bunch of command-line utilities that pre-date Windows.