Loose Leaf Security Weekly, Issue 10

Hello again! As the sun rises later and later each day, we're finding ourselves really appreciating the value of a cup of hot tea in the morning - nothing fancy or elaborate, just plain, good tea before we head out the door. In the same way, as the internet gets more dangerous and new threats are discovered each day, we're appreciating the value of security basics, like strong passwords in a password manager. Two of today's stories cover new reports of attacks where giving each site a unique, strong password would have kept you safe.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

Tip of the week

We've talked before about how useful computer backups can be, and we've also talked about the risk of social media companies disabling your account without warning. In addition to backups of your computer, it's useful to have backups of your social media data. If you ever lose access to your account for any reason, you won't lose access to any photos or posts you only posted to social media.

Many social media sites make it easy to download your data, including Facebook, Instagram, and Twitter. There's …

Loose Leaf Security Weekly, Issue 9

Happy Friday! We hope you had a good Halloween and didn't get any candies laced with marijuana as police departments had been warning about - but of course you didn't, it's an urban legend, much like the fears from a few decades ago about candies with razor blades inside. Even police departments sending out these warnings have no record of it happening, and a bit of common sense shows why not: "edibles" are far too expensive for anyone to want to give out for free, and they also look nothing like children's candy. From a computer security perspective, we'd say that this worry demonstrates a lack of realistic threat modeling and an undeserved fear of the spookiest and scariest risks, without assessing how likely they are.

Threat modeling is, essentially, a systematic approach to determining what can go wrong and what we're going to do to protect ourselves. The first step is to accurately describe what we want to protect and who we're protecting against. (Criminal justice professor Joel Best tracks reported stories of drugs and harmful objects in Halloween candy, many of which turn out to have nothing to do with Halloween - for instance, after a 1970 tragedy where a …

Loose Leaf Security Weekly, Issue 8

Did you know that October is National Cybersecurity Awareness Month? We just found out, though we try to be aware of cybersecurity all the time. It feels a lot like having a tea month when you could be drinking delicious tea all year. (Did you know that January is National Hot Tea Month?)

Tip of the week

If you ever pick up a call and the caller asks you for personal information like a password, two-factor code, social security number, or even your address, you should hang up. If they say they're from a bank you have accounts with, an online shopping service you use, or something else that sounds important, look up their main number yourself and call there to ask if there's anything on your account that requires attention. If you don't know the right phone number, look it up on their website over a secure HTTPS connection - don't just trust numbers aggregated into search results - and if there's another canonical place to find it, like the back of credit or debit cards, you can verify that's a reasonable number …

Loose Leaf Security Weekly, Issue 7

Good afternoon! Today, we're taking a look at some security news from around the world. China and India, which are ramping up facial recognition, also happen to be two of the world's major tea producers. Meanwhile, activists in Morocco were targeted by advanced phone malware. Morocco doesn't have a climate to grow the tea plant, but they import green tea and brew it with native spearmint to make a mint tea. Delicious!

Tip of the week

Have I Been Pwned is a volunteer-run service from security professional Troy Hunt that tracks breaches and compromises ("pwning" in hacker-speak) of websites that leak personal information. You can see known breaches that have involved your email address there. In some cases, these breaches only include email addresses, which you may be less concerned about - especially if your email address is already public like ours are. However, if you see "Compromised data: Passwords," you should definitely make sure you've changed your password for that account since the breach. (If you aren't sure, update it again just in case.)

You can also sign up for future breach alerts: whenever …

Loose Leaf Security Weekly, Issue 6

Welcome back to Loose Leaf Security's weekly newsletter! This week, we're introducing a new section for a tip of the week, either something we learned recently and want to share with you or just a classic that we may have mentioned briefly in a previous episode (like this one!).

Tip of the week

The best way to avoid losing access to your two-factor authentication is to have multiple second factors available. If you're using authenticator apps, one of the stronger methods, it's a good idea to configure an authenticator app on both your current phone and an old phone that you don't carry with you all the time - that way, if you break or lose your phone, you won't lose access to your second factor and need to find a backup code.

Lots of accounts only let you set up an authenticator app once, but you can typically still set up two authenticator apps on different phones at the same time: simply scan the QR codes with both your phone and your backup phone at the same time, and they'll generate the same …
