Insights For Success

Strategy, Innovation, Leadership and Security

Quickly uninstall apps from Windows, even the sneaky ones

General | Edward Kiledjian

When you first started using your computer, it was silky smooth and fast. Now it is a sluggish mess.
Especially now that many of you are stuck at home, you may be trying new apps that turn out to be a disappointment.

  • How do you make sure you remove all the files when you uninstall that application?

  • Why doesn't the app you just installed have an uninstall option in add/remove applications?

The free app I am going to talk about will help with all of the above and more. It is called BCUninstaller.

What is BCUninstaller?

BCUninstaller stands for Bulk Crap Uninstaller and is a well-designed tool to help remove any application, leftover files and more, simply and quickly.

Many apps don’t have easy-to-find uninstaller options in the Windows Add/Remove Application applet, and most leave behind a ton of garbage files. BCUninstaller uses its own application detection engine and has options to clean up “leftover files”.

Here is a great video that shows how it works

Installing BCUninstaller is as simple as downloading the installer (from here) and then following the standard installation options.


Once the application installs, it will scan your computer and find all the installed applications. If you want to uninstall something, search for it using the search feature and then click on the uninstall button at the top.

It can detect these types of applications:

  • Normal registered applications (same as Programs and Features and many other uninstallers)

  • Hidden/protected registered applications

  • Applications with damaged or missing uninstallers

  • Portable applications (looks in common locations and on portable drives, configurable)

  • Chocolatey packages

  • Oculus games/apps

  • Steam games/apps

  • Windows Features

  • Windows Store apps (Universal Windows Platform apps)

  • Windows Updates

Applications from all of these sources are treated the same - you can filter, export and automatically uninstall them in the same way.


To clean leftover files, click the Tools tab, then choose Clean up Program file folder and choose which discovered files you want to delete.

Use Google Chrome's built-in antivirus to scan Windows


As millions around the world work from home, corporate security teams have ramped up their protection protocols because the threat actors are very active. Many threat actors have also lost their “day jobs” and are relying on their nefarious cyber activities to pay the bills.

From an antivirus perspective, most users will be properly protected by the free Windows Defender included with all versions of Windows 10. You may have clicked on a questionable link or opened a questionable attachment and you scan your computer using Windows Defender. Sometimes you may want a “second opinion” and the question is which online scanner should you use?

How about none of them? Why not rely on the free antivirus included in Google Chrome? What, you say? Google Chrome? Chrome the browser? Why yes.

Open the Google Chrome browser

In the address bar, enter chrome://settings/cleanup


You click on Find and let it run.

So what is it looking for?

  • Hijacked settings detection - It will detect if a browser extension has changed your settings without your consent.

  • Chrome Cleanup - Sometimes you download and install the software you need and install unwanted secondary software unwittingly. Often times this is how some of the download sites monetize their service. Chrome will detect many of these unwanted installations and remove them.

  • ESET Antivirus - Google can change the AV engine anytime but right now they have partnered with ESET.




Obviously, this isn’t a complete antivirus and should not be relied on as your primary protection mechanism, but it is nice to know there is a second opinion waiting for you if you ever need it.

How to secure a smartphone


Smartphone hacking is a very lucrative business for “threat actors”. Vulnerability broker Zerodium is now paying as much as $2,500,000.00 for an Android full chain (Zero-Click) with persistence.

https://zerodium.com/program.html


The increased payouts and interest in smartphone hacking isn’t because they are easy targets but because they are valuable. For most users, the smartphone is like a second brain. It contains personal data and insights like nothing ever has in the past. Access into your smartphone is almost like gaining access into your brain, your thoughts, your beliefs and your habits.

There is this misguided belief in the market that an iPhone is more secure than an Android device. That is not the case. An adequately secured Android can be as (or more) secure than a normally configured iPhone. And Android offers more options to heighten your security where you may need it (whereas iPhone is one size fits all).

As you read through this article, I will try to explain some of the differences.

Who is this tutorial for?

As a security professional, my recommendations are designed based on the threat model of the customer I am advising. This article aims to help a general consumer or business user who is trying to mitigate the most common and general types of risks. This means that their typical attacker will be a low-resource individual using conventional attack techniques such as stalkerware, scams, social engineering and easily accessible hacking tools.

This article is not for an individual that is targeted by a nation-state or well-funded criminal organization. This last category requires custom attention that cannot be addressed via an article.

What is the goal of strong security?

Total, complete and unbreakable security does not exist. The goal of this article is to set up enough roadblocks that the type of adversary you are dealing with will likely give up and move on to another target. The best analogy is to think of this in terms of a door lock. A good door lock will keep out common criminals but won’t deter a determined, skilled and well-funded adversary.

Is Security the same as privacy?

Privacy is becoming more and more talked about because of very public breaches (Marriott, Equifax, etc.) and new regulations like GDPR or CCPA. Security often will support privacy but not always. There are times when you have to choose one or the other. Where such a choice is required in this article, know that I have chosen the secure option.

Encryption

Most modern devices are encrypted during the initial setup but you should double-check just to be sure.


The EFF published an article explaining how to encrypt iOS devices (from version 4-11).

To maximize the protection encryption offers, you should choose a long (but memorable) alphanumeric password or a 6-8 digit passcode.

  • An example of a long memorable alphanumeric passphrase is: [email protected]

  • An example of an 8 digit secure passcode is: 72046290

You should also configure your device to erase all contents after a certain number of failed login attempts. This will protect you from a brute force attack.

Device encryption is a tool to secure your data when someone has physical access to your device but does not have the password (loss or theft of your device). It offers no protection from malware, viruses, or other related nasties.

Find my device

The iPhone and Android offer free tools to find a lost or stolen device. More importantly, they offer the option to remotely wipe your device if you are sure it is lost (not misplaced). For this remote feature to work, you have to ensure that the option is enabled on your device.

  • Here is the Apple article explaining how to enable Find My Phone on iOS devices.

  • Here is the Google article explaining how to enable Find My Phone on Android devices.

Remember that this option needs to be enabled before you lose your device (it cannot be done afterwards).

Both iOS and Android require that the phone be powered on and connected to the internet for this feature to work. If you want to remotely wipe your device, do it before you report your phone lost to your carrier (they will immediately deactivate your line and remote wiping won’t work).

Enable two-factor authentication

A chain is only as strong as its weakest link. Today’s smartphone is a powerful network-connected computer. Most smartphones connect back to either an Apple or Google account. Any compromise of these accounts can lead to a compromise of your smartphone.

Two-factor authentication may sound scary but it is very simple to implement with Apple and Google. By doing this you secure your online presence by making your account more difficult to compromise and more resilient to unauthorized access.

  • Here is a Google article on how to enable two-factor authentication for a Google account.

  • Here is an Apple article on how to enable two-factor authentication for an Apple ID.

The modern implementation of this system is that your phone will be pinged by the service (when you are logging in from a computer) or another device connected to your account (when logging in from a mobile device).

When setting up, you will be asked to choose a backup authentication mechanism and you should choose a Time Based One Time Password (TOTP) option. Never choose SMS or email (as those are very easy to compromise).

You will be asked to download a TOTP application and scan the barcode they show during the setup of two-factor authentication. This barcode is a one-time thing and will never be shown again. A good cross-platform TOTP app that synchronizes your codes across multiple devices is Authy. Authy is a trusted, well-designed app and is completely free.

  • You can download Authy from the Google Play store (for Android) here

  • You can download Authy from the iTunes store (for iOS) here

Another good app (that is available on both platforms) is the Google Authenticator app. The Google app does not sync TOTP tokens across devices so if you change your smartphone, you have to revisit each site and reset the two-factor authentication process to get a new seed (aka the barcode).

Another good backup option is using a USB security token. The best option right now is the Yubikey product. It does cost money but is solid and unbroken (as I write this). I am not recommending the Google Titan key because many third party sites that allow two-factor authentication (see the list here) do not support the Google Titan but do support the Yubikey products.

Update, Update, Update

I had to write update three times because it is critically important. Make sure you configure your phone to download and install updates automatically for both the operating system AND the applications.

95% of hacks are made possible because people use insecure passwords, don’t enable two-factor authentication and don’t update their applications & operating systems.

Reboot regularly

We have seen a healthy amount of non-persistent malware in the wild. This means that the hack used does not persist after a reboot (aka a reboot gets rid of the hack). This isn’t always the case but nevertheless, it is a good idea to regularly reboot your device.

Application firewalls

Know that hackers that crack software are not benevolent and that cracked app probably contains malware. Unless you know what you are doing, never download applications from third-party app stores or web sites (this is a problem on Android but not on iOS since Apple does not allow users to side-load applications).

Even apps on the app stores can sometimes become malicious when the original developer sells the app and the new owners push a change containing malware. Apple and Google work hard to prevent this but we have seen examples of this in the real world on both platforms.

Application firewalls are an easy way to control which apps can have access to mobile or WIFI data.

  • On Android, you can use the NetGuard application available on the Google Play store.

  • On iOS, you can use the Lockdown application available on the Apple AppStore.

There are other apps available but these are the easiest for the general user. Here is a quick tutorial and overview of NetGuard

Take the time to install and configure one of those apps. Remember that attackers love using loose application permissions to steal information from your device.

As you set this up, take the time to review all of your installed apps and uninstall any that you no longer require (we call this reducing your attack surface). If you use an app once a quarter, install it and use it, then uninstall it.

Some apps request a lot of permissions but will still work if you restrict some of the more worrisome ones (think about access to your location, photos, microphone, etc). As an example, read this article documenting the time Uber switched when it collected user location data and started collecting it all the time.

The app update (it’s 3.222.4, for those keeping track) changes the way Uber collects location data from its users. Previously, Uber only collected location information while a user had the app open – now, Uber asks users to always share their location with the ride-hailing company. - TechCrunch

Android 10 and iOS 13 both allow you to choose when an app can access your location, so ensure you make the right choice and don’t just share your location (or other data) all the time when it may not be required.

Public WIFI is evil

Many companies and venues use WIFI and Bluetooth to track you as you walk around their establishments. Many malls use tools from companies like AisleLabs to track you thus enabling them to target you more accurately. Attackers can use WIFI or Bluetooth to compromise your device as well.

The easiest approach is to assume that all public WIFI is evil.

When not absolutely required, turn off WIFI and Bluetooth.

Do not automatically connect to WIFI networks. I won’t get into the details here (because this is a more general article) but hackers can find out what your home network is called and trick your device into connecting to them (thinking it is that trusted home network).


Anytime you connect to a public (aka not your own WIFI) network, use a VPN to protect your traffic. I won’t discuss which VPN to choose here but stay away from free or very cheap VPNs.

If you aren’t paying for the product, you are the product.

Choose a solid, well-known provider whose policies and practices have somehow been reviewed.

You can run TOR to secure your traffic but that will be too slow and cumbersome for most users.

Secure backup and cloud

On August 31, 2014, hackers released tons of celebrity personal photos and videos (many naked and pornographic in nature). This event was called the fapening and this was made possible because the iCloud accounts, used to back up those photos from the smartphones, had been compromised. We don’t believe Apple was compromised but the attackers somehow managed to find the usernames and passwords for these users. Another reason you should enable two-factor authentication now.

Beyond 2FA, most users may not realize that their information is being backed up to the cloud. Remember that cloud backup is an easy way for attackers to steal your data. Once you have two-factor authentication enabled on your accounts, ask yourself what you should be backing up to the cloud and where it should be backed up.

Remember that if you choose to trust the backup of your default provider (Apple or Google), you are not in control of your data. In most cases, we know the data is saved unencrypted on those services.

  • Apple has given police data backed up from an iPhone to iCloud

  • Google, Dropbox and others routinely scan your content looking for malware or copyrighted material

I recommend choosing a secure end-to-end encrypted cloud backup service (if you want to use one). Although there are a bunch in the market, I recommend looking at Sync.com. They offer an end to end encrypted product (using the Trust No One Model). This means that as long as you use two-factor authentication and a long passphrase, your content should be relatively secure.

Your Browser

So your browser is one of the most dangerous apps on your smartphone because it is designed to run code from a remote server (aka a webpage). In the worst-case scenarios, a browser can load a malicious zero-click compromise that would take over your phone without you having to do anything and without you even realizing it. Most of these are non-persistent which is why I recommended regularly rebooting your device earlier.

On Android, I recommend you take a look at a browser called Bromite. Unfortunately due to app store rules, they do not offer a version on the Google Play store and you have to sideload it if you want it. Bromite supports ad-blocking natively and it uses the uBlock Origin model.

It also supports DNS over HTTPS (DoH). You can also enable HTTPS Everywhere and configure it to block unencrypted traffic. You should also disable JavaScript and sparingly re-enable it for some sites that you absolutely need but that break without JavaScript.

On iOS, I recommend the Brave browser (which is also available on Android but Bromite is more secure). You can download Brave from the Apple AppStore here.

Stalkerware

Stalkerware is a category of badware installed on your device by a third party to spy on you and often to track you.

The EFF is spearheading an initiative to fight Stalkerware (read this) because it is often used to victimize you. Think of it as commercial spyware that covertly steals your data and sends it to the stalker. In some cases, the stalker can be an ex but remember that many companies use Mobile Device Management software that often can perform the same function (normally if the device is owned or is allowed to access the corporate network.) In the case of companies, it is most often done for security reasons. Otherwise (in the private space), it is used to victimize or control someone.

If you are not using a corporate phone and suspect something may be going on (in most cases you won’t realize it), the only way to secure your device is to perform a factory reset and restart the set up from scratch.

Remember that the threat actor (partner, ex, etc.) has to access your device to install the stalkerware so never leave your device unlocked, never leave it unattended and choose a long and complicated passphrase.

Other settings

On iOS, choose to Limit Ad Tracking, instructions can be found here. Choose to reset your Advertising ID (instructions here) periodically.

On Android, choose Opt-Out of Interest-based Ads, instructions can be found here.

Conclusion

I know this was probably a dry and long article for most of you but I needed to get it out. This is a question I receive regularly and I wanted to write about it rather than respond individually to each of you. If you have questions or want to send me a note, do it on Twitter (my handle is @ekiledjian).

Hope you found this article interesting and useful.

The Google Pixel 4 isn't a good deal


Many friends and colleagues asked why I am not buying the Pixel 4, here is my diatribe.

I am a big gadget geek. I love everything new and shiny, and I have been an early adopter of every single Nexus and Pixel phone Google has ever made. The Pixel 4 is their first device I will not acquire and here is why.

Why do I buy Google-branded devices?

I am a big fan of Google-branded devices because they show what Google believes their software can do running on optimized hardware. Their hardware typically is the first to receive new updates (both operating system and security updates). Usually, it includes limit-pushing software breakthroughs (e.g. think night sight and hybrid zoom).

An example of this was the Pixel 2. It was the first Google device (I consider) designed for mass-market adoption and showed Google's software prowess. After all, it had an average camera sensor but turned out to be the best Android smartphone camera for years.

Not only have I owned almost all the Nexus and Pixel phones, but I also bought every Google Chromebook (starting with a Kijiji bought CR48). I was an early Google Home adopter and more. I want to make it clear that I am a huge Google fan.

So why not buy a Pixel 4?

The Pixel 4 is the first device that feels like Google has fallen behind (since the Pixel 2).

Remember that Rick Osterloh kicked off the event by saying Google wanted to build devices that were more useful for consumers.

It feels like they failed with the Pixel 4 especially when Marc Levoy (Google distinguished engineer) stood on stage and told us why we didn't need a wide-angle lens and why a telephoto is what uncle Google believes we need instead.

"While wide-angle can be fun, we think telephoto is more important" Marc Levoy, Google Launch Event 2019 (timecode 1:03:43)

Google should have included both considering the price point of the Pixel 4 and the fact its competitors almost all include three lenses now (wide-angle, normal and telephoto). You cannot create a wide-angle shot with computational photography, and it is something I use often enough. This is the first reason the Pixel 4 isn't attractive to me. I need it to be a tool to accomplish what I need done and not what Google believes I should be doing with it.

As a father with young kids, I take a ton of videos and was disappointed Google's Pixel 4 has not improved in the video department (still limited to 4K 30fps). Since the Pixel 4 is now more expensive than the entry-level iPhone 11, we should compare the video quality of the iPhone 11 & the Pixel 4, and there is no comparison. The iPhone blows the Pixel 4 video quality out of the water (frame-rate, colour accuracy, high dynamic range, etc.)

I know the Pixel 4 needed a large forehead to house their new Soli sensor, but I find that sensor a bit gimmicky (the video they released two years ago showed incredible fine-grain control while the Pixel 4 uses it to switch songs.). Additionally, I am still not sure the benefits of face unlock outweigh that ugly 2017-looking phone design.

They touted the incredible smoothness and silkiness of a 90Hz screen. What we are now learning is that under 75% brightness, it drops to 60Hz (75% would kill your battery in no time). The other issue with 90Hz is that it hits battery life and the Pixel 4 and Pixel 4 XL already have mediocre battery life.

There are three ways to tackle battery life issues. You can make the battery bigger, you can design an optimized hardware/software set that sips battery, or you can add extreme fast charging.

Companies that have chosen the 5,000 mAh battery route include ASUS ROG Phone II, Samsung Galaxy S30M, Vivo Z1 Pro, etc. Apple has taken the hardware and software optimization road. OnePlus and Oppo have taken the fast charging route pushing 30+ watts, which means you can go from 0 to 75% battery charge in 30 minutes. The Google Pixel just has a mediocre battery with no mitigating features.

If the Pixel 4 were priced $150-200 less than its current MSRP, it would be a bargain, but it is charging flagship pricing. Even a gadget-loving early adopter like me can't justify this device. The other device I won’t be buying is the Pixel Go. I own a Pixelbook (with a pen I use regularly) and a PixelSlate. Both are devices that I love. The Pixelbook Go is a step back at what looks like an attempt to create a mass-market product.

I chose to get the OnePlus 7T, which is a well-packaged phone at a very competitive price. Sure the Pixel 4 camera will beat the OnePlus, but overall, the OnePlus is just a better package.

Post Article

As I prepared to publish this article, I saw the below tweet complaining about a generalized slowdown 2 days into using the phone. I am 100% sure this will get fixed by Google but it shouldn’t happen on a device made by the Sultan of Search.

How to search the web while protecting your privacy


They want to know everything about you

It is no secret that every advertising-funded site (Facebook, Yahoo, Google, Bing, etc) works very hard to build a complete profile about you. They want to know as much as possible so they can sell expensive highly targeted advertisements.

Every search you perform, every site you visit, every link you click is recorded and analyzed.

You live in a filter bubble

The profile we talked about above is also used to return information the site believes you will like most (therefore making themselves more sticky). This is the filter bubble problem.

The site (e.g. Google) will return results that it believes are aligned with your view and this is what we call the filter bubble. At some point, you will stop seeing other opinions or points of view. In the most extreme examples, it can reinforce certain questionable points of view such as the earth is flat or other similar prejudices.

How do I search the web privately

There are many search engines that promise private searches but the problem with most is that they crawl the web themselves and their index of the web just isn’t as good as Google. This is where startpage.com comes in. It allows you to search using the Google web index without giving up your privacy.

  • Startpage.com does not log user activity and does not perform any type of user tracking or profiling

  • Startpage.com allows you to browse any of the pages returned in a search query anonymously

  • Startpage.com is based in the Netherlands which has better privacy protection than the US


Ok but are the search results good?

  • Search results use the Google index so they are as good as can be without profiling you to customize the response

  • The results layout page is clean and uncluttered

  • You can search the web, images or videos


  • You have all of the advanced search options you could need (including words contained, avoiding certain words, dates, domains, language, file type, etc)

  • Some searches won’t contain ads and those that do clearly mark them with the word Ad

  • You can browse any search result link using their free anonymous browsing option (called Anonymous View)


When you browse using the Anonymous View, the webpage is surrounded by a blue frame


How it makes money

Startpage.com generates its revenue from clearly marked search ads and affiliate links.

These ads are not targeted (since they do not profile visitors).

The ads are segregated from the actual search results so as not to confuse the visitor.


Tell me more about Startpage.com’s privacy

Since most of its users originate from the US, Startpage.com has search servers located in the US to speed up searches. These servers are said to be hardened and properly secured.

This should be perfectly acceptable to most users but if you are extra paranoid, Startpage.com does offer users the option of choosing non-USA servers.

Their privacy claims have been independently verified (read this).

They have never shown up on any blacklist (that I can find).

They have an A+ rating from the Qualys SSL Labs site.

