SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 152: Sharing is Scaring

Posted on August 29, 2019

This week on the Checklist, we take a look at how Yelp is rolling out a feature that may force users to choose between convenience and privacy. We’ll share some tips to help college freshmen stay safe on campus. Finally, we’ll follow up on a story from last week’s Checklist…and tell you why you should update everything!

Here’s the weekly Checklist:

  • Convenience versus privacy on Yelp
  • Tips for staying digitally safe on campus
  • Everybody needs to update their everything!

Yelp offers convenience or privacy (choose one)

This week Yelp introduced a new feature which allows users to customize their app experience based on their diet and lifestyle.

In theory, this sounds great! If you have any kind of dietary restrictions, whether you’re eating keto, vegan, or gluten-free, you’ll now be able to search for restaurants on Yelp and see results that have been filtered by your preferences—skipping over all the places that aren’t relevant to you.

Yelp also allows users to see search results filtered by lifestyle and individual needs. You can mark yourself as a parent or a dog owner, limit search results to places that have gender-neutral bathrooms or wheelchair access, or simply tell the app to show you the kinds of restaurants you typically enjoy.

Sounds good, what could go wrong?

Well…a lot.

The problem is that in order to offer tailored search results, Yelp has to store all that personal data somewhere. And once data like that lives on a company’s servers, it’s vulnerable to falling into the wrong hands.

For one thing, companies tasked with storing personal data get hacked all the time. And as we’ve seen, their responses to these security incidents often leave much to be desired. Information like whether or not someone owns a pet or has children is exactly the sort of thing that could make it easier for hackers to guess the security questions used to recover lost passwords or access certain sites.

Perhaps an even more likely scenario is that a marketing-focused company such as Yelp might simply sell your data on to a third party, leaving you beset by ads for paleo brownies or vegan protein powder. Aside from being annoying, this kind of advertiser info-sharing and tracking is, frankly, pretty creepy.

So is the convenience of tailored search results worth the risk of losing your privacy?

It’s a personal decision, but we tend to fall on the side of privacy. Both of our hosts, for instance, made the switch from Google to DuckDuckGo as their search engine of choice—and they haven’t looked back. Like Google, DuckDuckGo provides an easy-to-use interface and high-quality search results. But unlike Google, DuckDuckGo doesn’t track your activity, follow you around the web with ads, or sell your data to digital marketers.

So are privacy-focused vegans stuck with search results full of burger joints and steakhouses? Maybe not. Sign in with Apple is coming this fall, and promises a way for folks to use apps without being tracked or even identified. We’ll have to see if Apple’s newest privacy tool lives up to the hype, but it does seem to be a ray of hope for those of us who like our apps…and our privacy.

Campus security for college freshmen

Summer is almost over and for millions of young people, the next couple of weeks will mark the start of a whole new phase of their lives: College!

The first month of freshman year goes by in a blur of orientations, class registration, dorm room decorating, and social events.

It’s an exciting time, but like most things these days, not without digital security and privacy issues. That’s why we’ve put together these tips for college freshmen to help them stay safe as they start their first year of university life.

Passwords and more

New schools mean new email accounts—as well as new logins for Wi-Fi networks, online insurance and medical portals, and even the websites of clubs and student organizations.

Students should change the default credentials for new accounts right away, and create strong, unique passwords for all of them. The best bet is to use a password manager like Dashlane, iCloud Keychain, or 1Password to keep track of it all.

Also, they should do their best to never give away more information than is strictly necessary. If the rock climbing club is asking you for your social security number and home address, it might be worth asking them if that’s actually necessary. Oftentimes, just giving an email address is enough.

Shredding and checking

Even in 2019, college campuses are swimming in paper credit card offers and other sorts of forms that have the potential to be abused. Students may also be receiving hard copies of bank statements, medical bills, and other sensitive information through campus mail. If they just toss these in the trash, there’s no way to know what’s going to happen to them—and with identity theft rife across the nation, it’s not worth taking risks.

Students should pick up a paper shredder at an office supply store (they only cost around $100, which will seem like a bargain after buying textbooks) and get in the habit of shredding financial statements, unwanted credit card offers, and other sensitive documents before taking out the trash.

They should also learn how to check their credit report with a credit bureau to see if any suspicious activity is going on or if new accounts are being opened in their names. It only takes a few minutes, and everyone is entitled to one free report per year with each of the three major bureaus, so there’s no excuse not to do it.

Fighting creepers with burners

Professors often ask their students to work with classmates on team projects, and that’s fine—but the problem comes in when social media accounts, messaging services, or even email accounts are used to get the work done. Why? Because you could be giving random classmates the opportunity to see your family vacation photos or send you unwanted messages.

We recommend creating “school only” versions of these sorts of accounts and services that are linked to an email that is only used for this purpose (either an official school email account or a dedicated free email account). That way, students can still work with classmates easily, but without sharing too much of their personal lives with people who are basically strangers.

Making Wi-Fi safe with VPNs

Wi-Fi is everywhere on campuses and in nearby coffee shops and restaurants. This can be a real lifesaver when working in the dorm is going to present too many distractions.

But public Wi-Fi is inherently insecure, because it’s impossible to know who set the network up…or if they knew what they were doing. Local businesses and even larger organizations frequently create poorly secured networks that can be abused by malicious actors looking to intercept network traffic.

The best way to enjoy Wi-Fi safely is to use a good VPN—one which is well-reviewed and has a reputation for protecting its users’ data from third parties.

Not sure what a VPN is or how one works? The Checklist has you covered. Listen to Episode 19 of the show or read its show notes.

Using public computers

Using computer labs or classroom computers is sometimes necessary, but public computers carry risks, since it’s impossible to know who used them before you…or who will use them after you.

When accessing the Internet on a public machine, it’s best to use the web browser’s privacy features (Incognito in Chrome or Private Browsing in the other major browsers). This way, form field data, web history, and cookies won’t be saved for the next user to see.

If it’s necessary to do any kind of data transfer, like downloading or uploading files to or from the local machine, it’s safer to use cloud services instead of USB flash drives. USB drives can pick up some nasty malware if they’re inserted into an infected endpoint (another reason to run reliable, regularly updated AV on all computers).

Roommates and randoms

The social experience of college is a huge part of what people love about university life. But all those new friends, and friends of friends, and the guy who just happens to live across the hall, are, for all intents and purposes, still strangers.

It’s essential to protect your devices with passwords and screen locks, and ideally to set up two-factor authentication wherever it’s available.

Students who may need to allow roommates or friends to use their computer from time to time should set up a guest user account for that purpose, and make sure that the account has limited permissions.

Back it up

Campus computer networks get attacked by hackers. Dorms lose power. Bros spill beer on one another’s computers.

That’s why it’s important to back up files and systems regularly. You can use services like iCloud, Time Machine, or some other reputable third-party backup system.

If you’re composing term papers or taking important notes, consider using something like Google Docs or iCloud Pages to do this—that way even a sudden power outage or system freeze won’t result in much (if any) loss of data.

Do you know someone who’s heading off to college or already settling into their dorm? Share these tips with them today and help keep them safe.

An update about updates

On last week’s Checklist, we talked about the somewhat shocking iOS jailbreak story, and what that meant for your security.

Since that show aired, Apple released a fix for the vulnerability in the form of iOS 12.4.1.

As we predicted, Apple wasted no time in getting a patch out…appropriately enough, given the severity of the issue. But there’s still room for a bit of follow-up discussion—and a list of stuff you’re going to need to update.

One notable feature of Apple’s patch announcement was that the update notes recognized the security researcher who uncovered the issue, @Pwn20wnd, in a very conspicuous and very public way.

Magnanimous to be sure, but also something we’re seeing more and more of. This may be indicative of Apple’s evolving stance on engaging third-party security researchers to help make their products and platforms more secure. It also jibes with Apple’s recent talk at the Black Hat conference, in which they announced expanded bug bounty programs and higher rewards for researchers who discover vulnerabilities. All in all, it’s a good look for Apple, and a move in the right direction.

Another thing we noted was that there were several other OS updates released last week as well:

  • watchOS 5.1.3
  • tvOS 12.4.1
  • macOS 10.14.6

It looks as though the vulnerability that affected iOS affected the other operating systems as well, which makes sense, as the release notes for iOS 12.4.1 mark it as addressing a kernel issue. The word “kernel” here refers to the core functionality of an operating system. Since all of Apple’s operating systems are built on the same kernel, it makes sense that a kernel issue in one OS would also affect the others.

The macOS release also addressed some lingering issues in Mojave, including a problem that was causing some notebooks to shut down while in sleep mode, a performance issue related to the handling of large files, and a bug that kept some popular apps from updating properly.

So…tl;dr: Update! Update everything!

And while you’re at it, consider enabling automatic updates on all your computers and devices, which is the best way to protect yourself from both major security issues and minor inconveniences.
