The audio from the October 14 meeting of the Senior Statesmen of Virginia, focusing on Internet Security, is now available through the Charlottesville Podcast Network. 10 Don’ts author Eric Rzeszut was one of two featured speakers.
Without the profanity, we discussed Microsoft’s new Wi-Fi Sense “feature” in chapter 7 (“Don’t Be Careless with Your Phone”) of 10 Don’ts. We called it a “potentially enormous security risk,” and Gizmodo would seem to agree:
“Look, Microsoft. Just because I am Facebook friends with someone, doesn’t mean I want to share my wifi passwords with them.
I’m not really complaining about the existence of the feature in the first place — I can see how it could be helpful, if you’re a non-data-plan-having tween hopping between various wifi-enabled basements. It’s the fact that Wi-Fi Sense is enabled by default, and most people will never know that it’s there.”
In Chapter 2 of 10 Don’ts, we tell readers: “Don’t Give up Your Passwords.” We discuss methods for improving password security, including the use of “two-factor authentication,” which uses two forms of credentials instead of one. The two factors can be drawn from something you know (a password or PIN); something you have (your cell phone or an identity token); and something you are (a fingerprint or retinal scan).
Yahoo! already had optional two-factor authentication for users of its online services, similar to offerings from Google, Microsoft, Apple, and others. This week, they introduced a new form of authentication, which seems to take a step backwards:
In an effort to simplify authentication for its services, Yahoo has introduced a new mechanism that allows users to log in with temporary passwords that are sent to their mobile phones…
The new system offers better security than static passwords, which can be stolen in a variety of ways, but it’s not as effective as two-factor authentication because it depends solely on how secure the user’s phone is…
In addition, if a phone is lost or left unsupervised, it could be used to generate a password for the phone owner’s Yahoo email account. As many incidents have shown, a person’s email account can be a gateway for further compromises, because it can be used to reset the password for the user’s accounts on other websites.
MacWorld’s article recommends (and we agree) that users stick with two-factor authentication if seeking a more secure form of password management. This “reset-by-phone” method introduces additional vulnerability.
As a 10-day countdown to TOMORROW’s launch of 10 Don’ts on Your Digital Devices, each day an excerpt from a different chapter has been published here.
Chapter 10 of 10 Don’ts is entitled “Don’t Forget the Physical.” With so much advice in the previous nine chapters focused on how to digitally protect your data, the final chapter reminds the reader that if a thief has unfettered physical access to your devices, many of your electronic precautions can be defeated. A character named Tanya finds this out the hard way.
Tanya is the senior gastroenterological fellow at a large private hospital in a medium-sized city in the Northwest. As a physician working for a large, diverse practice, she is well versed in the protection of medical data, HIPAA (Health Insurance Portability and Accountability Act), and similar medical records–keeping regulations intended to help preserve the privacy of patients’ personal medical data. In order to maintain up-to-date patient records, which takes her hours at the end of each workday, Tanya has a work laptop computer she uses at home that connects her to the hospital’s servers via a VPN (virtual private network), which is completely secure.
The laptop is immediately protected by a password any time the lid is closed and reopened, or after ten minutes of inactivity, as required by the hospital’s IT policy. An additional requirement of the policy is that no one else is allowed to use her work laptop. Because of these non-employee-use constraints, Tanya and her family (husband and two kids) have a desktop computer at home.
Tanya’s kids primarily use the computer for games and social networking, while Tanya and her husband also use it to pay bills, check Facebook, etc. They all use the computer together and share it. Because the computer is their “home” computer, it has no password enabled and no “inactivity period” after which the screen locks itself. One month, while reconciling bank accounts and credit card bills, Tanya notices some charges from Amazon that she doesn’t remember making.
When she checks with her husband and kids, it turns out that they didn’t make the charges either. After consulting with Amazon, MasterCard, and the issuing bank, Tanya discovers that it was a baby-sitter who watched their kids a couple of times who had ordered several things illegally from Amazon. Their unsecured home computer had files containing important financial information, including their credit card numbers and checking account. The baby-sitter was able to use one of those credit card numbers to place orders for herself with the giant web retailer.
The teenage baby-sitter’s parents agreed to reimburse Tanya for the unauthorized charges, and neither Tanya nor MasterCard elected to press charges against the underage thief. The losses ultimately were relatively small, but Tanya recognized that the situation could have been much worse. After discussing the problem with the IT experts at the hospital, Tanya realized that her computer should always be locked when there’s even a remote possibility that someone other than her family might gain physical access to her property.
Chapter 10 of 10 Don’ts reminds the reader that, even in a world with so many digital assets, physical protection of devices should also not be overlooked. The links below discuss physical safeguards of laptops, tablets, phones, and other technology.
- PC World, “Keep your laptop safe and secure while you travel,” http://www.pcworld.com/article/2062781/keep-your-laptop-safe-and-secure-while-you-travel.html
- Massachusetts Institute of Technology (MIT) Information Systems and Technology, “How do I protect my laptop when traveling,” http://kb.mit.edu/confluence/pages/viewpage.action?pageId=4262903
- Lifehacker, “How can I make sure my laptop is secure when I travel with it,” http://lifehacker.com/how-can-i-make-sure-my-laptop-is-secure-while-i-travel-1495527128
- Lifehacker, “How I got my stolen laptop back within 24 hours using Prey,” http://lifehacker.com/5838440/how-i-got-my-stolen-laptop-back-within-24-hours-using-prey
- Microsoft, “Protecting your laptop when on the go,” http://windows.microsoft.com/en-us/windows7/protecting-your-laptop-when-on-the-go
- BBC Travel, “Six ways to shield your laptop,” http://www.bbc.com/travel/blog/20121213-six-ways-to-shield-your-laptop
- USA Today, “How to use a laptop when traveling,” http://traveltips.usatoday.com/use-laptop-traveling-11234.html