Before the articles...
Two friends and acquaintances reached out to me this week with two security-related items I'd like to pass along.
Wordfence, a WordPress website security company, has published an article: Thousands of Hacked Home Routers are Attacking WordPress Sites. What's notable is that they've created a utility you can use to check whether your router is vulnerable. (Thanks to my friend David for the heads-up.)
From Jeff: "I've been receiving a new phone scam on the landline where a 'computerized' voice tells you 'Your Windows License is about to expire, call our 800 number immediately.' I thought you would like to hear about this so you can warn more people than I ever could."
Remember, if THEY call YOU with dire warnings or technical issues you supposedly have, it's almost always a scam. If you're at all uncertain, hang up. Then reach out to someone you already know and trust for help.
Coincidentally, this came across my desk this weekend: "Inside the Tech Support Scam Ecosystem," a fascinating look at the tech support scam landscape, and why the problem's not going away any time soon.
In other news, I've made a (hopefully) minor technical change in the formatting of the newsletter. Ideally you won't notice a thing, unless you're on a mobile device, in which case things will hopefully wrap a little more sensibly.
As always, thanks for being here!
A VPN, or Virtual Private Network, is one approach to securely connect to a remote resource. Depending on the VPN, that privacy can extend from one end of the connection to the other, or it can protect you only for a certain portion.
I'll describe the different scenarios and how you are, and perhaps are not, protected by a VPN.
No VPN at all
I'll use this scenario as the base: you're in an open WiFi hotspot, connecting to a remote resource like your email, or your bank.
All the connections are unencrypted. That includes:
- The connection from your laptop to the wireless access point (aka hotspot).
- The connection from the wireless access point to the ISP providing the internet connection.
- The connection from that ISP to the rest of the internet.
- The connection to the specific service you're using.
The largest area of concern is the connection from your laptop to the WiFi access point. That open WiFi signal traveling through the air can be "sniffed" (or read) by anyone in range with a laptop and the appropriate software.
Lately, however, there's been concern about the fact that your ISP can monitor what you're doing. Specifically, they can see every remote site or service you connect to, and can examine all data not otherwise encrypted you exchange with those servers.
The traditional approach to protect yourself from open WiFi sniffing is to use WPA encryption built into the WiFi specification.
This secures the path between your computer and the WiFi's access point. Hopefully, it's how your home WiFi is configured, so as to prevent nearby homes or others from connecting to your WiFi, and through it, to your network, without the appropriate encryption password.
There are problems with this approach:
- Most open hotspots at coffee shops, airports, and elsewhere don't use encryption; the password requirement would confuse their customers more than it's worth. That's why these hotspots are called "open".
- When WPA is used, it protects only the connection between your computer and the WiFi access point. Everything past that point in the diagram above remains "in the clear".
That last point becomes important because all the traffic is visible to the hotspot's owner, should he or she care to peek, and to the internet service provider to which that hotspot is connected.
A VPN service
To protect yourself further, a VPN is a common solution.
A VPN securely encrypts the entire path from your computer to the VPN provider. No one along that path can see your data: not other WiFi users, not the people managing the hotspot, and not the hotspot's ISP.
For open WiFi, or other situations with questionable security (such as connecting to the internet at your hotel), a VPN can be a great solution.
But it's not perfect.
There are some things to note:
- The connection is only secured up to the VPN's servers; the connection from the VPN provider's servers to the final destination is once again unencrypted. That means the VPN provider, as well as any other networking equipment along the rest of the way, may be able to see your data, and can at least see which servers you're connecting to.
- You're adding steps between your computer and the server you're accessing. The practical effect of this is that your connection becomes slower. How much slower varies based on the VPN service you're using, their capacity, and the server you're attempting to access.
- Not all VPN services support all protocols. For example, your web browsing might work, but your attempts to use BitTorrent might not.
- Not all remote servers allow connections through VPNs. One non-security-related reason to use a VPN is it can make you appear as if you're located in another country. As a result, many services – such as streaming video services – block connections using VPNs.
- Not all governments allow VPN connections out of their countries, so as to effectively censor what their residents can view.
The ISP you're connecting through can't see, for example, that you're using BitTorrent, but the VPN service can. Your ISP would still see that:
- You're using a VPN (and which VPN service you're using).
- You're sending and receiving an awful lot of data.
The only true privacy is achieved with end-to-end encryption. Unfortunately, that isn't possible in many cases, since it must be supported by the service to which you are connecting.
Https is end-to-end encryption
Connections you make via https are completely encrypted along the entire path from your machine to the remote server you're accessing. That's why banks (and other services that allow you to access sensitive data) should use https. Most web-based email providers also provide full https connectivity. In fact, more and more sites — including Ask Leo! — are switching to support https.
Similarly, when configuring a POP3, IMAP, or SMTP connection in your email program, if your email provider supports it, choose SSL or TLS. That's the underlying encryption protocol used by secure connections like https. That way, your email uploads and downloads – as well as your log-in information – are completely encrypted along the entire path to your mail server.
Note, however, that even when using https, your ISP can still see which sites you connect to. Only a VPN can hide that information from them.
Https over a VPN?
Just to complete the picture, if you're using a VPN, and you happen to connect to an https web site, your data is doubly encrypted for part of the trip.
- The VPN protects you between your computer and the VPN service.
- Https protects you between your computer and the service to which you're connecting.
There's really no practical harm. One benefit is that the VPN prevents your ISP from seeing which site you're connecting to.
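The scenarios above can be put side by side in a small model. This is an added example, not part of the original newsletter; the observer names and the `exposure()` helper are assumptions made for illustration, and the model simplifies each observer's view to the categories the article describes.

```python
# Added illustration: a simplified model of this article's scenarios.
# Observer names and the exposure() helper are assumptions of this example.

# Observers in path order, from the laptop outward.
OBSERVERS = ["other WiFi users", "hotspot owner", "hotspot ISP",
             "VPN provider", "rest of internet"]


def exposure(wpa=False, vpn=False, https=False):
    """Return {observer: what they can see} for one combination of layers."""
    result = {}
    vpn_index = OBSERVERS.index("VPN provider")
    for position, observer in enumerate(OBSERVERS):
        if observer == "VPN provider" and not vpn:
            continue  # not on the path at all
        # WPA only encrypts the hop through the air to the access point.
        if wpa and observer == "other WiFi users":
            result[observer] = "nothing"
            continue
        # The VPN tunnel covers everyone between the laptop and the provider.
        if vpn and position < vpn_index:
            result[observer] = "VPN use only"
            continue
        # Past the tunnel (or with no tunnel), only https hides the content;
        # the destination server is still visible.
        result[observer] = "destination only" if https else "content + destination"
    return result


def report():
    """Build a text table of every scenario the article walks through."""
    scenarios = {
        "open WiFi, no protection": {},
        "WPA only": {"wpa": True},
        "VPN only": {"vpn": True},
        "https only": {"https": True},
        "https over a VPN": {"vpn": True, "https": True},
    }
    lines = []
    for name, layers in scenarios.items():
        lines.append(name)
        for observer, sees in exposure(**layers).items():
            lines.append(f"  {observer:18} {sees}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```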
Related Links & Comments: How Does a VPN Protect Me?
Some time ago, I realized the external hard drive I carry with me when traveling was an easy thing to lose. Some of the data on that drive is encrypted in various ways, but the vast majority is completely unencrypted.
If that conveniently small, portable drive walked off in someone's pocket, they'd have access to a lot of my stuff.
In a forehead-slapping moment, I realized I was going about this all wrong.
I should encrypt the entire drive.
Continue Reading: How Do I Encrypt a Hard Drive Using VeraCrypt?
The Windows 10 "Creators Update" is slowly rolling out via the normal Windows Update channels.
If you're impatient (like me), here's how to get it now.
Continue Reading: Get the Windows 10 Creators Update Now, If You Like
This actually represents a couple of very common points of confusion. One is very easy to clear up; the other, not so much.
First, the easy: the terms junk and spam are synonymous. Some email programs or services call it spam, some call it junk mail, but it's the same thing in either case. What you're seeing in Thunderbird is what happens when those worlds collide.
The confusion about training the spam or junk filters, however, is both important to understand and somewhat more complex. While I'll use your AOL account as an example, this applies to all email services and all desktop email programs that have spam filters.
Continue Reading: What's the Difference Between Spam and Junk Mail?
I don't get this question a lot. But I really, really wish I did. What I get instead, repeatedly, is "I've been hacked, please recover my account/password for me!" (Which, for the record, I cannot do, no matter how often, or how nicely, or not so nicely, I'm asked.)
The only salvation is in prevention, and this applies to email, social media, and pretty much any password-protected account you might have.
What can you do to make sure your account doesn't get hacked into in the first place?
Continue Reading: 12 Steps To Keep from Getting Your Account Hacked
A feature exclusively available to Ask Leo! Patrons Bronze level & above.
- Tip of the Day: Beware Recharging Stations
- Tip of the Day: Use Remote Files Without Connecting First
- Tip of the Day: File Extensions
- Tip of the Day: SHIFT+Right Click
- Tip of the Day: Shake to Minimize
- Tip of the Day: Side By Side Windows Key + Arrows
- Tip of the Day: Don't Blindly Trust HTTPS
More Ask Leo!
Leo's Other Projects...
HeroicStories - Since 1999, HeroicStories brings diverse, international voices to the world, reminding us that people are good, that individuals and individual action matter. Stories - new and old - are published twice a week.
Not All News Is Bad - Each day I look for one story in the current news of the day with a positive bent. Just one. And I share it.
leo.notenboom.org - My personal blog. Part writing exercise, part ranting platform, it's where I write about anything and everything and nothing at all.
Help Ask Leo! Just forward this message, in its entirety (but without your unsubscribe link below) to your friends. Or, just point them at https://newsletter.askleo.com for their own FREE subscription!
Newsletter contents Copyright © 2017,
Leo A. Notenboom & Puget Sound Software, LLC.
Ask Leo! is a registered trademark ® of Puget Sound Software, LLC