Consumer Alert / Safety

How to Protect Your Smart Home From Hackers

By Rachel Cericola (Ms. Cericola is a Staff Writer at Wirecutter, the product review site owned by The New York Times Company.) March 27, 2019

By connecting smart devices like lights, cameras, door locks and thermostats to the Internet, you may be making them — and you — visible to digital thieves or hackers.

“Every device connected to the Internet is a target,” said Theresa Payton, a former White House chief information officer and the founder and chief executive of Fortalice Solutions. A few recent news stories also illustrate the power these devices have.

One family’s living room Wi-Fi camera was infiltrated, allowing someone to not only control the camera and spy on them, but to broadcast sound — including a false report of a nuclear missile attack. We’ve also seen domestic abusers tap into smart home technology to intimidate and stalk former partners.

According to statistics website Statista, there will be about 42 million smart homes by the end of 2019, but little more than anecdotal evidence of security compromises. So while stories about hacks and privacy breaches are indeed scary, so far they’re also rare. The vast majority of smart home users aren’t getting hacked.

Still, as with any internet-connected device, taking precautions is essential. At Wirecutter, the New York Times company that reviews products, we’ve consulted with a range of experts who offered some tips that will go a long way toward protecting you and your home — and don’t require a lot of time, money or technical know-how. We’ve also done extensive testing of smart home devices and we consider a product’s security measures as part of our evaluation process.

One of the things that makes smart home devices “smart” is their ability to connect to the internet over your home’s Wi-Fi network. That’s why it’s essential that you properly secure it. If you don’t protect your Wi-Fi network with a password, or you only use the default password that came with your modem or router, all of your devices are exposed — the digital equivalent of leaving your front door wide open with a neon welcome sign overhead.

“People need to realize there’s actually catalogs of all those default passwords on the internet,” Ms. Payton said. Lock your network down with a password, one that is unique and not shared with any other accounts you have. Ms. Payton also suggests completely hiding your home network from view, an option in your router’s settings menu. “So when somebody drives by, they think you don’t have internet. They can’t see it,” she said.

You can add another layer of protection by isolating your smart home devices from your computers and smartphones using a guest network, a common option in many popular routers.

“That way, the devices will be sort of quarantined by themselves,” said David Templeton, an information security analyst at The New York Times. Doing this also makes it easier to take devices offline without having to upset your entire network.

Many people make the mistake of using the same username and password combination on multiple devices or accounts. If any one of those combinations is discovered — as happens a lot, such as when giant companies like Facebook and Yahoo get hacked — an enterprising thief could try them out on popular banking websites, social networks, email providers and websites that allow control of smart devices.

You need to use unique passwords for everything — including shopping sites you visit, services you use, your home network and of course, each of your smart home devices. Remembering such an encyclopedia of passwords is functionally impossible, which is why Mr. Templeton suggests using a password manager, which not only creates unique passwords automatically but also keeps track of them across all your devices. Wirecutter has suggestions for the best ones to use here.

All of our security experts agree that it’s best to pick smart devices from established brands. Those companies have a reputation to protect, along with the infrastructure to back it up.

That also means they likely have the ability to employ better security measures when designing their products, and unlike no-name brands or many start-ups, you can reasonably expect them to release software patches and fixes if vulnerabilities are discovered. And naturally, we recommend reading good, high-quality reviews (and admittedly, we’re biased toward our own) before making a purchase.

There are a few additional ways to further secure your smart devices. A number of companies now offer a verification system to control access to devices, called two-factor authentication. When you attempt to log into an app, a one-time-use code is sent to another of your devices, which then needs to be entered in the original app. It’s not perfect, but makes it virtually impossible for someone unwanted to access your accounts.

Also, many manufacturers allow you to opt into automatic hardware and software updates, something that will ensure the latest fixes get installed to repair new security vulnerabilities. Make sure you check the settings section of your devices’ apps and your smartphone’s app marketplace for updates to devices that don’t automatically do this.

Ms. Payton said she also reboots smart home devices once a week as an added security measure. “That reboot will actually make it grab any new security and privacy settings and downloads when it reconnects to the internet,” she explained. However, this is impractical for some devices, especially ones that are hard-wired into your home like in-wall dimmers and smart thermostats.

Just because you’re ready to ditch a device doesn’t mean it’s ready to forget you. After all, your Wi-Fi password and other personal info is often stored on that camera, smart plug or smart bulb. Before selling or recycling any device, be sure to do a factory reset first. Some devices require a button-press on the actual device, while others allow you to do it from the app. Either way, make sure that your info is no longer available through the app.

If a device is broken and you can’t wipe it clean, make sure it stays broken: smash its components to pieces. According to the United States Computer Emergency Readiness Team, “Physical destruction of a device is the ultimate way to prevent others from retrieving your information.”

I like to think about all those times a device stopped working or disconnected from the network, and the idea of whacking it with a hammer. Just make sure you don’t hurt yourself in the process.

There is mounting pressure on manufacturers to adopt better security practices. “The industry should be using strong encryption wherever possible, verifying firmware updates and inviting security audits,” said Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation.

The E.F.F. and organizations like The Digital Standard and the Mozilla Foundation are pressuring companies and government bodies to put stronger security practices in place. But everyone we spoke to agrees that, for now, consumers need to be proactive about security.

“Honestly, given where we are and how businesses think about security and privacy, the onus is on you. Nobody can look out for your security and privacy like you can for you and your family,” Ms. Payton said.

Here Are The Most Common Ways You’re Wasting Water That Cost You More Than You Think

24 Nov 2018

Keeping an eye on your water usage is a good way to save money and help the planet at the same time. Plenty of us have bad habits that could be costing us hundreds of dollars in water bills over the long run.

Here are a few ways that you could be wasting water without realising it, and what you can do about it.

You wait for the tap water to get cold during the summer.


When you want a cool glass of water, do you run the faucet for a few moments until the stream is cold? Unless you live somewhere where the tap water is always icy, this little habit wastes a surprising amount of water.

According to the Alliance for Water Efficiency, a new kitchen faucet flows at a rate of half a gallon per minute, on average. Faucets installed during the 1990s, however, may flow at closer to 2.2 gallons per minute. That means you could be pouring up to a gallon of water down the drain for every 30 seconds you leave the tap running.

A better way to satisfy your cold water cravings is to fill up a large container of drinking water from the tap and keep it in the fridge.

You have an old toilet.


According to Energy Star, a government-backed energy-efficiency program, the one appliance that uses the most water in a home is the toilet.

Older toilets installed before 1992 can use between 3 and 7 gallons of water per flush. In comparison, federal plumbing standards now specify that new toilets can only use up to 1.5 gallons per flush.

You plant the wrong kind of flowers or shrubs for your climate.


If you live in a dry and arid region, planting greenery that requires large quantities of water can be a major waste of money and natural resources.

According to the gardening website GrowVeg, using grey water – i.e. water that has already been used in your washing machine, showers, and sinks – is one way to cut down your water waste. 

You hose down your driveway or patio instead of sweeping it.


You probably don’t think twice about giving your dusty driveway or porch a quick rinse with a hose, but it’s actually a wasteful way to keep your property tidy.

Considering that a garden hose can emit between 6 and 24 gallons of water per minute, you’re much better off sweeping your outdoor living areas with a broom.

You water your plants in the afternoon.


According to the Royal Horticultural Society, the best time to water most outdoor plants is in the early morning or evening. This is because watering in the afternoon can lead to water loss through evaporation, since it’s generally the warmest part of the day. That’s not good for your plants or your budget.

You haven’t installed a shower aerator.


If you’ve been looking for an excuse to indulge in a new shower head, here’s one – when you install a high-efficiency faucet aerator or showerhead, you can save almost 3,500 gallons of water per year. That adds up to major savings and is better for the environment.


You put off repairing leaky faucets.


Fixing a leaky faucet is no one’s idea of an exciting afternoon, but letting leaky fixtures drip can cost you serious cash and waste water. According to the US Environmental Protection Agency, a leaking faucet can waste up to 3,000 gallons per year.

In fact, 10% of US homes have leaks that waste 90 gallons or more per day, the EPA estimates. To put that in perspective, that’s like taking an extra five showers per day.

You run your dishwasher when it’s not full.


Everyone has lazy days when washing a single cup seems like a Herculean task. But running your dishwasher when it’s not full is a poor use of electricity and water, according to Energy Star.

Wait to run your dishwasher until you have enough dirty dishes to pack it full, or simply get into the habit of washing some items by hand.

You throw just a few items of clothing in the washing machine.


Even highly efficient modern washing machines typically use 8 to 12 gallons of water per cycle, according to laundry machine maker Samsung. Although it’s not good practice to stuff your washing machine to the max, running this water-hungry appliance with just a few items of clothing inside is a serious waste of resources and money.

You leave the faucet running while you brush your teeth.


This is a classic water-wasting mistake. According to the Alliance for Water Efficiency, leaving the tap running while you brush your teeth has the potential to waste gallons of water.

According to the US Green Building Council, the maximum flow rate for a private lavatory faucet is 1.5 gallons per minute. So if you’re brushing your teeth for two minutes, you might waste 3 gallons of water.

You own a pool but don’t cover it.

If you have your own pool, use a pool cover when you’re not swimming. According to the Department of Energy, using a cover can significantly reduce evaporation from both indoor and outdoor pools.

It only takes 1 Btu (British thermal unit) to raise 1 pound of water 1 degree, but each pound of 80-degree-Fahrenheit water that evaporates takes a whopping 1,048 Btu of heat out of the pool. Long story short, don’t let your heated pool water evaporate.

How to Safely and Securely Dispose of your Old Gadgets

by David Nield Nov 11, 2018

There comes a period of time in every beloved gadget’s life—some more prolonged than others—when you need to think about replacing the electronic device that’s given you so much loyal service, whether it’s a smartphone, a laptop, a digital camera, or anything in between.

Aside from the fun of choosing a replacement piece of hardware, you’ve got two main considerations to think about when it comes to disposing of your outdated gadgets carefully: security, and the impact on the environment. You don’t want your personal and private data accessible after the gadget has left your possession. And you want to get rid of the device in a way that’s as kind to the planet as possible.

Here we’ll show you how to take care of both considerations, no matter what the gadget you need to dispose of.

Wipe Your Data


Whether you’re sending your device to be recycled or sticking it on Ebay, you don’t want your finance spreadsheets, family photos, or Twitter login to stick around on the hardware, even if you don’t think anyone would go to the trouble of trying to extract the data from your old gadgets.

When it comes to gadgets with on-board storage, we’re primarily talking phones, tablets, and computers. The easiest way to wipe these devices—and all the data and applications on them—is to do a full reset of the operating system. But first, make sure to back up all your precious documents, pictures, and so on to a hard drive or the cloud.

For Android devices, open up the Settings app then tap System > Advanced > Reset options, and then Erase all data (factory reset). Over on iOS, the equivalent option is in the Settings app under General > Reset > Erase All Content and Settings.

If you’re using a Windows computer, you need to load up the Settings app then click Update & Security, then Recovery, then Get started under the Reset this PC option. Choose to remove all personal files during the process. If you’re using a Chromebook or Chrome OS tablet, open up the Settings pane and pick Advanced, then Powerwash to get your computer into an as-new state.

It’s slightly more involved on a Mac: You need to restart macOS, then as soon as it begins to boot up again, hold Option+Command+R until you see a spinning globe. Release the keys, then choose Reinstall macOS, then choose Continue. Follow the on-screen instructions and select your main hard drive when prompted.


For most devices using flash or SSD storage, that should be enough to stop all but the most determined data recovery experts. If your computer uses an older, mechanical hard drive (i.e. not an SSD), certain bits of data may still be recoverable by tech-savvy users with the right tools.

It’s up to you whether to take the risk and leave it at that. The average Ebay buyer or computer recycling facility employee likely isn’t going to go to the trouble of putting together a complicated hard disk recovery setup, just on the off chance that they might stumble across some of your home movies or budget spreadsheets.

But if you want to be absolutely sure nothing can be recovered from a drive, US-CERT recommends actually physically destroying it—a hammer or drill will do the job well enough, but wear some safety goggles. You can also find specialist facilities that will take care of the destruction for you, but again, this is only really necessary if you have extremely sensitive data on your machine, or a reason to suspect that someone has specifically targeted your old electronics.

Perhaps just as importantly, you need to disconnect the devices you’re about to discard from your various online accounts. If you’ve followed the steps above, it’s going to be very, very hard for anyone to log into your Facebook, for instance. But to be absolutely sure, you can log in on a different device and log out of other sessions remotely.

Most apps and services—Facebook, Twitter, Google, Apple, Microsoft and more—let you do this. Log in to each service and look for the option to sign out of a session or remove a device to make sure the old gadget is disconnected from your key apps and services.

Safe Disposal


If you’re not selling your device or passing it on to someone else, it’s important to make sure it’s disposed of correctly. Fortunately, you’ve now got a choice of ways to get rid of your laptop, phone, or other gadget in a way that minimizes the impact on the environment.

Your first port of call should be the company that manufactured your device. Apple, for example, has a comprehensive recycling program, and will even give you some cash back for a new purchase if your device is in reasonably good condition. Answer some questions online, then mail off the device or take it into an Apple Store.

Other manufacturers have similar schemes available, including Google and Samsung. Again, you can ship your device back to the company involved, and you might get access to a trade-in deal depending on the age and condition of your gadget.

If you don’t want to give the device back to the manufacturer for whatever reason, then try the place where you bought it. Best Buy will accept just about any used electronic device, giving you some trade-in value or just taking care of the recycling for you. All the major phone carriers have trade-in and recycle programs as well.

That should give you enough options no matter what type of gadget you’re dealing with, but you can also opt to go for one of the local electronic recycling programs in your area. These vary state by state, but if you head to the E-Cycling Central website you can plug in your address and see what’s available in your region.

New Uses for Old Gadgets


You don’t necessarily have to get rid of your old gadget; in fact, it’s better if you don’t. Most obviously, you can simply pass it on to a friend or family member, who can make good use of it and save another laptop or phone from being built, as well as saving you the hassle of disposing of it. Chances are you don’t need to worry too much about wiping a device you’re giving to a nephew or niece, either (though you never know…).

If there’s no one to take the redundant hardware off your hands, stick it on Ebay, Craigslist, or your selling platform of choice. You might be surprised at the prices you can get even for older or damaged devices; plenty of repair shops and people needing parts happily scavenge broken down gear. If you don’t get any interest, give the kit away for free. Just make sure you do wipe your devices and disconnect your accounts, as detailed above, before you sell.

It’s also worth taking a moment to consider whether you really need to get rid of your old device after all. An old phone or tablet can become a Spotify controller or a security camera; an old laptop can be set up to serve up videos and music to the other devices in your house; you could use an unwanted tablet as a dedicated ereader; and so on.

As West Grows, Water Use Declines Thanks To Better Toilets

by Luke Runyon

Throughout the western U.S., water conservation is in the toilet.

And that’s a good thing.

Since the 1990s, a strange phenomenon has played out in arid western urban areas. Populations are booming while overall water use is staying the same or going down. The trend is clear in Denver, Albuquerque, N.M., Las Vegas, San Diego and Phoenix: Cities are growing and using less water in the process.

It’s impossible to give credit to one single solution, but one could make a strong case that the MVP award for water conservation efforts should go to the modern toilet.

The toilet is the single largest user of water in the home. It uses more than the washing machine, the dishwasher, the shower or the kitchen faucet. About a quarter of all water that enters a home will flow through the toilet according to a 2016 study. Each day the average toilet will use about 33 gallons of water.

That might sound like a lot, but it’s a big improvement. In 1999 the average toilet guzzled more than 45 gallons of water daily.

The story of how the toilet became the unsung hero of water conservation includes an act of Congress, some elbow grease and logs of miso paste.

Out with the old

Theresa MacFarland lives in a historic two-story house in Longmont, Colo., with her husband and two kids. Built in 1928, their home has all the vintage touches: hardwood floors, big windows, wood detailing and one really old toilet.

A little stamp on the bowl says it was built in the 1950s. MacFarland points it out to her 4-year-old daughter Althea.

“That toilet has been there longer than daddy and I have been alive,” she says. “Probably longer than grandma and grandpa have been alive.”

Resource Central employees Max Hartmann (left) and Neka Sunlin haul the MacFarland family’s vintage toilet out of their Longmont, Colorado home. (Luke Runyon/Freelance)

As aging toilets are wont to do, it started acting up. So MacFarland contacted Resource Central, a Boulder-based conservation group and asked for help installing a new, more water-friendly model. Neka Sunlin showed up with the latest in toilet technology. Sunlin oversees the group’s toilet replacement program, Flush for the Future.

“We guesstimate this one is using about five gallons a flush,” she says about the old toilet. “The new one uses less than one.”

In Sunlin’s years with Resource Central, this is the oldest toilet she’s condemned to the local recycling center. By swapping it out, the MacFarland family could see a dip in their water bill, she says.

A fast-growing alternative to high-priced Boulder, the city of Longmont has an interest in what happens in the MacFarland family bathroom. Water saved from their home is water that can be put to use somewhere else.

That’s why the city, along with a handful of other water providers on Colorado’s Front Range, subsidizes the cost of high-efficiency toilets. MacFarland is paying $175 for the new toilet, the cost of installation and removal of the old one. Her new model retails for $160.

Sunlin says it’s an easy switch with a big pay off. With other conservation programs you first have to convince people to use less water.

“But a toilet is a toilet,” she says, “and it’s no behavior change whatsoever. You literally just save water with every flush.”

In the last three years Resource Central has upgraded 2,000 toilets, which calculates out to 500 million gallons of water saved when looking at the average lifespan of the toilet of 30 years.

“Most people don’t realize that if their toilet is more than 10 or 15 years old, replacing their toilet or upgrading their toilet is one of the most impactful ways they can save water,” says Neal Lurie, president of Resource Central.

The group receives funding from the Walton Family Foundation, which also provides support for public radio member station KUNC’s water reporting.

“It can save between 200 and 300,000 gallons of water over the life of that toilet,” he says.

In with the new

The road to high-efficiency toilets began back in 1992. The concern was less about water scarcity in the West and more about overwhelmed sewage systems on the East Coast.

Congress was feeling pressure to pass national standards for water use and came up with the Energy Policy Act, a law that spawned a generation of low-flow fixtures.

For the plumbing industry, it was a huge deal.

“Absolutely, it was an extremely watershed moment, no pun intended,” says Pete DeMarco with the International Association of Plumbing and Mechanical Officials.

The law mandated that toilets flush using 1.6 gallons of water or less. Throughout the 1990s, low-flush toilets flooded the market. But the results were not always satisfactory.

DeMarco says users hated the new models. They complained that their “new and improved” toilets performed worse than the old ones, unable to finish the job in a single flush.

“There were some poor-performing products back in the mid-90s. I think the regulation caught some manufacturers off guard,” he says.

In many cases, DeMarco says, manufacturers had simply reduced the amount of water a toilet used without making significant changes to the inner workings. A lower flow just couldn’t cut it.

Frustrated customers sent toilet-makers back to the drawing board and manufacturers came up with a test to demonstrate flushing effectiveness for new toilets. The test came from a company called Maximum Performance. Using logs of miso paste in the toilets, the test allowed manufacturers to demonstrate that their new low-flow toilets could actually evacuate the bowl with one flush.

Indoor water use drops

DeMarco says toilets can’t take all the credit, but this one innovation is a big reason why cities have been able to grow and still keep their water use in check. Indoor use dropped 22 percent nationwide between 1999 and 2016, much of that due to swapping out old fixtures.

In recent years some states with water scarcity problems — like Colorado and California — have passed even tighter regulations on how much water toilets can use.

“So you basically have these high-efficiency toilets now as a matter of course. You cannot go out in a store in Colorado, in California, and buy an old toilet,” says Drew Beckwith, a water policy expert who works in suburban Denver.

Beckwith says conservationists have been a victim of their own success. With national standards in place and active replacement programs throughout the country, there’s not much more they can do to limit water use inside homes. All new residential developments are putting in high-efficiency toilets because there’s no other option on the market. And when old models need replacing in existing homes, the only available option is a high-efficiency toilet.

“We’ve sort of done our business with respect to toilets,” Beckwith says. “And it’s time to, you know, maybe get off the pot and move on to outdoor water use which is more the focus of urban water efficiency today.”

Fixing the flush

Back at the MacFarland home, the toilet transition is complete. The nearly 70-year-old toilet is loaded on a van bound for the recycling plant. The brand new high-efficiency toilet is hooked up and the water is flowing.

“This is going to be a huge improvement,” Theresa MacFarland says. “And it feels like with very little effort, which I’m very excited about.”

Even though some conservationists say much of the indoor water use fruit has been plucked, a 2017 Alliance for Water Efficiency study found that more than 13 million non-efficient toilets — those that flush more than 1.6 gallons — remain in five states, including those with the toughest restrictions: California and Colorado.

A nationwide push to rid the country of old toilets could have a significant effect.

If all toilets were high-efficiency, indoor water use could drop an additional 35 percent to below 40 gallons per person per day, the study projected.

MacFarland says she loves the character and charm of her historic home, and she’s focused on making it environmentally-friendly. But it takes time, energy and money to make it happen.

“We’ve been slowly trying to figure out ways to have just less water usage in this home,” she says. “Knowing in Colorado it’s such a precious resource, and we want our kids to grow up here and also recognize what comes with living in Colorado and trying to do our part.”

The Resource Central technicians ask for a practice flush to make sure it’s working right before they depart. The honor of the first flush goes to MacFarland’s daughter Althea.

“Check it out. There’s this new button,” MacFarland says as she motions to her daughter. “Kind of the same as the other one, except inside the tank this is so different than the other one. This one just uses a little bit of water.”

“And it’s cleaner,” Althea says.

“And it’s cleaner, way cleaner,” MacFarland says.

This story is part of a collaborative series from the Colorado River Reporting Project at KUNC and Elemental: Covering Sustainability, a new multimedia collaboration between public radio and TV stations in the west.

How to test your tap water for lead

Nearly half of Americans suspect that their water might be unsafe. 

This article helps you understand the cause of lead in water and shares some lead test kits to identify the presence of lead.

By Kendra Pierre-Louis

People don’t trust the water that comes out of their tap, and not just in places without adequate sanitation. A 2016 survey by The Meyocks Group, an Iowa-based marketing firm, found that 43 percent of Americans either believe their tap water is unsafe to drink or are unsure of its safety.

In the wake of the Flint water crisis, that fear isn’t wholly unexpected. The city’s troubles began when the state switched the water supply from Lake Huron to the notoriously polluted Flint River, failing to properly treat it to kill pathogens and prevent lead pipe erosion. But the mistrust came when—as residents complained of foul water, disease, and even death—the Michigan Department of Environmental Quality continued to claim that the water was safe.

Luckily, homeowners who suspect that their drinking water might be contaminated have more options than ever before. In New York, for instance, folks can order a free at-home testing kit. And most hardware stores offer a similar system for purchase. We pitted those up against a new product called Tap Score to see just how accurate—and easy to understand—the results are.

How good is New York City tap water?

Most NYC locals claim to guzzle some of the best water in the country. To hear them talk, you would think the city’s soft water begins in a mythical land known as “upstate,” where it’s filtered through pristine forests and a unicorn’s mane before it descends onto the city, via a canal of pure angelic light, to create the best bagels, pizza, and drinking water known to human kind.

An Environmental Working Group (EWG) analysis of 100 municipal tap water systems found that New York City had six contaminants at levels above the health guidelines established by either a federal or state authority (though lead wasn’t among them). EWG, it should be noted, has been criticized in the past for overstating chemical risks, especially those related to food and drink. That said, EWG’s overall assessment of New York City’s tap water as compared to the rest of the country is… well, it falls short of the fantasy set by locals, but the tap is just fine.

How good is our water, really?

Popular Science’s commerce editor Billy Cadden lives in an older part of the city than I do, where buildings are more likely to use lead somewhere in their plumbing system—it’s been phased out ever since scientists confirmed how dangerous the metal can be.

“Even though the town might say, look, there’s no in the water, they then put it into a distribution system,” says Mark Burns, a professor of chemical engineering at the University of Michigan. “That distribution system goes through many different pipes, across many different joints—that are connected by many different materials—and then it gets to your glass.”

So Billy opened his home (and his taps) to three tests.

Photo caption: These are the collection bottles that New York City sends out. We’ve blurred out the potentially identifying information. (Kendra Pierre-Louis)

Our results

Testing for lead in New York City

Using the free service from New York City’s Department of Environmental Protection proved pretty straightforward. First, you abstain from water use in your home for 12 hours—there’s generally more lead in the liquid if your pipes have settled a bit. You then fill collection bottle one (the yellow bottle) and let the pipes flush for one to two minutes before filling bottle two (the red one). You bundle the whole thing up in a package and mail it back. We got the results about three weeks later.

The city found that the first draw had 1 microgram of lead per liter, well below the federal action level of 15 micrograms per liter. The second draw, after Billy had let the water flow for a bit, had no detectable lead at all. The test was reassuring, though the results were in a form letter that wasn’t exactly user-friendly.

But in the wake of Flint, many people are understandably distrusting of reassurances from government agencies. How could we know the test was accurate? Then there’s the fact that the test only looks for lead; it may be a hot-button contaminant right now, but there are certainly other things that could make your tap water unsafe.

Home Testing

Our second round used a “First Alert” home test (sold online and in many hardware stores) that promised to detect not only lead, but also bacteria, pesticides, nitrates, chlorine, hardness, and pH. If you have lead pipes, acidic water can cause the lead to leach out. That’s essentially what happened in Flint. Because water managers failed to add an anti-corrosive agent (as a cost-cutting measure), water from the Flint River ate away at the pipes and pulled lead into the drinking supply.

Contaminants are broken down into individual tests, each requiring a separate vial of water or testing strip. Like the test done by the city, we were in the clear for lead. We also came up either negative or within normal range for everything else, which certainly suggests that Billy can continue to happily drink his tap water.

This test certainly gets points for immediate gratification. With the exception of the bacterial test, which took 48 hours, we didn’t have to wait more than 10 minutes for any result. For less than $15 on Amazon, it’s a good option for someone looking for quick reassurance.

Tap Score

Of the three tests that we took, Tap Score was the easiest. It also had the most comprehensive results, including measurements for things like copper (which only makes you sick at very high levels, but can kill your goldfish at a much lower threshold), hexachlorobutadiene (which can affect the kidneys), and isopropylbenzene (which may increase risk of cancer). But Billy did not dig the delayed gratification.

With Tap Score, you have to fill two vials—much smaller than the ones the city had sent—mail them off, and wait for them to get back to you. Still, it was fun getting a cheerful email telling us that our water ranked in the 99th percentile for tap water quality.

“You’re living in the best possible scenario,” says John Pujol, who created Tap Score with his company Simplewater. “You have this fantastic water system in New York City, a big, rich, dense population where people are actively on top of problems. That’s a luxury. But for 20 to 30 percent of Americans that live in communities that are much smaller, either these issues never emerge—so the water system doesn’t feel the heat to solve problems—or it does emerge, and you have a water system that knows it has a problem but doesn’t have the funding to fix it.”

The goal of Tap Score isn’t really to test water like New York’s, but for small municipal systems and the 40 to 50 million people who are on wells, and maybe wouldn’t ordinarily get their water tested—or know what to do with the results.

“It’s really the interpretation of the water that other tests lack that sets Tap Score apart,” says Pujol. “If it’s a municipality, they’re only going to test your water for certain controlled substances that are managed by the EPA, but those are by no means the full set of parameters anymore. It’s been around 10 years since the United States Environmental Protection Agency (EPA) has introduced any new standards.”

In the interim, companies have introduced thousands of new potential contaminants.

“So, what we seek to do is not just test for those regulated contaminants, but go a little bit further and test for pharmaceutical compounds,” says Pujol. “We test for unregulated but potentially dangerous compounds that are on the contaminate candidate list. These are contaminants which the EPA is looking at, but it’s going to take them 10 years to come to any decision.” 

If your test turns up positive, Tap Score offers you potential solutions. But it also costs at least a hundred bucks, and prices are higher for the most comprehensive tests.

Should I test my water for lead?

If you’re at all uncertain of your water’s safety—and you live in New York State—nabbing a free testing kit is a no-brainer. If your state doesn’t offer testing for free, consider investing in a $15 kit to ease your mind. The redundancies between our three results certainly suggest that all of the options we tried are fairly accurate, so if spending 100-200 dollars on a testing kit sounds like overkill, it probably is. But if you live in a town where municipal testing is infrequent—or if you get your water from a well you’ve never tested—it might be worth upgrading to a test that’s as comprehensive and user-friendly as Tap Score.

Don’t keep cell phones next to your body, California Health Department warns

The California Department of Public Health (CDPH) issued a warning against the hazards of cellphone radiation this week. Yes, the thing we are all addicted to and can’t seem to put down is leaking electromagnetic radiation and now California has some guidance to safeguard the public.

The CDPH asks people to decrease their use of these devices and suggests keeping your distance when possible.

“Although the science is still evolving, there are concerns among some public health professionals and members of the public regarding long-term, high use exposure to the energy emitted by cell phones,” said CDPH director Dr. Karen Smith.

The warning comes after findings were offered up this week from a 2009 department document, which was published after an order from the Sacramento Superior Court.

A year ago, UC Berkeley professor Joel Moskowitz initiated a lawsuit to get the department to release the findings after he started looking into whether mobile phone use increased the risk of tumors.

A draft of the document was released in March, but the final release is more extensive.

“The cellphone manufacturers want you to keep a minimum distance away from your body and you should find out what that distance is,” Moskowitz told local news station KCRA, shortly after the draft release. “If you keep the device by your body you will exceed the safety limits provided by the FCC.”

According to the Federal Communications Commission’s website, there is no national standard developed for safety limits. However, the agency requires cell phone manufacturers to ensure all phones comply with “objective limits for safe exposure.”

The CDPH recommends not keeping your phone in your pocket, not putting it up to your ear for a prolonged amount of time, keeping use low if there are two bars or less, not sleeping near it at night and to be aware that if you are in a fast-moving car, bus or train, your phone will emit more RF energy to maintain the connection.

Other organizations have warned of the dangers of cell phone radiation exposure as well, including the Connecticut Department of Public Health, which issued similar recommendations in May of 2015.

However, Moskowitz maintains most state and federal health agencies have not kept up with the research. “The preponderance of the research indicates that cell phone radiation poses a major risk to health,” he said in a statement.

KRACK Wi-Fi bug: Here’s how to protect yourself

Solid advice for setting up a new wireless router or Wi-Fi network in your home is to password-protect it. Set a secure password using Wi-Fi Protected Access 2 (WPA2) and only share it with those you trust.

Since the WPA2 standard became available in 2004, this was the recommended setup for wireless area networks everywhere — and it was thought to be relatively secure. That said, like the deadbolt on your house, password protection is really only a strong deterrent. Like most things, as secure as WPA2 was believed to be, it was only ever as strong as your password or any vulnerabilities discovered in its security.

Over the weekend, a vulnerability was indeed discovered and turned the internet on its head.

A proof-of-concept exploit called KRACK (which stands for Key Reinstallation Attack) was unveiled. The ominously named crypto attack exploits a flaw in the four-way handshake process between a user’s device trying to connect and a Wi-Fi network. It allows an attacker unauthorized access to the network without the password, effectively opening up the possibility of exposing credit card information, personal passwords, messages, emails and practically any other data on your device.

The even more terrifying bit? Practically any implementation of a WPA2 network is affected by this vulnerability, and it’s not the access point that’s vulnerable. Instead, KRACK targets the devices you use to connect to the wireless network.

The website demonstrating the proof-of-concept states, “Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others are all affected by some variant of the attacks.” That said, most current versions of Windows and iOS devices are not as susceptible to attacks, thanks to how Microsoft and Apple implemented the WPA2 standard. Linux and Android-based devices are more vulnerable to KRACK.

What you can do

So what can you do right now? 

Keep using the WPA2 protocol for your networks. It’s still the most secure option available for most wireless networks.

Update all your devices and operating systems to the latest versions. The most effective thing you can do is check for updates for all of your electronics and make sure they stay updated. Users are at the mercy of manufacturers and their ability to update existing products. Microsoft, for example, has already released a security update to patch the vulnerability. Google said in a statement that it “will be patching any affected devices in the coming weeks.” Patches for Linux’s hostapd and WPA Supplicant are also available.

Changing your passwords won’t help. It never hurts to create a more secure password, but this attack circumvents the password altogether, so changing it won’t help.

Know that KRACK is mostly a local vulnerability — attackers need to be within range of a wireless network. That doesn’t mean your home network is totally impervious to an attack, but the odds of a widespread attack are low due to the way the attack works. You’re more likely to run into this attack on a public network. For more, read our FAQ on KRACK.

Available updates so far

The good news is that with such a dangerous vulnerability, companies have been quick to patch their software. Here’s a list of all the companies that have released security patches or information so far:

A list of vendors that have patched the vulnerability can be found on the CERT website, though the site appears to be under heavy traffic.

More important KRACK facts

Fortunately, there are a few comforting thoughts:

  • The Wi-Fi Alliance stated it now “requires testing for this vulnerability within our global certification lab network,” which is promising for any new devices headed to shelves. It’s also providing a vulnerability detection tool for Wi-Fi Alliance members to test their products with.
  • Using a virtual private network (VPN) will encrypt all your internet traffic and could protect you from such an attack. Not to mention, it’s good practice to use a VPN if you care about your online privacy or security anyway.
  • Strictly using sites that use HTTPS can help protect you against KRACK, but HTTPS isn’t totally impervious either.

This is a developing story. Check back for additional tips as we have them.

Your Yahoo account info was definitely hacked — here’s what to do

If you’re wondering what to do after hearing about the massive data breach, follow these steps to make sure you’re safe.

In September 2016, Yahoo revealed a hack that compromised 500 million user accounts. In December, the company revealed yet another hack, this time affecting a record 1 billion accounts. On Tuesday, Yahoo updated that number to all 3 billion accounts on its services.

And yes, that includes yours.

The hack exposed names, email addresses, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions. Here’s what you can do now to protect yourself.

Log into your Yahoo account

This might sound obvious, but if you’re like a lot of people, you might not use Yahoo Mail as your primary email account. Yahoo has 1 billion monthly active users on its services overall and just 225 million monthly active users for its Yahoo Mail service, according to figures the company gave CNET in June.

So check the email affiliated with your Yahoo account if you haven’t already. Yahoo has started sending out notifications to users, and you should be receiving one at that account if you were affected by the data breach.

Change your password

If you haven’t changed your password in a few years, do it — now. The company says the passwords that hackers stole were encrypted — scrambled up with a tool called bcrypt. This kind of encryption can potentially be broken with enough persistence, said Brett McDowell, executive director of the FIDO Alliance, a nonprofit group that vets login systems.

That’s especially true “when the attacker can make relatively accurate guesses at what the password might be,” McDowell said. “Yahoo users with relatively weak or obvious passwords should take the recommended precautions.”

I’m looking at you, “passw0rd.”

Ask yourself, ‘Did I use this password somewhere else?’

It’s a common habit. Use the same password for lots of different accounts. If this breach has anything to teach you, it’s that this is a terrible idea.

If you recycled your Yahoo password on a different account, go change your password on that account too. The hackers who have your password could easily try it on a whole bunch of different websites — think bank websites or health insurance websites — to try to access information beyond your Yahoo account.

Don’t let them.

Change your security questions and answers — everywhere

Since the hack exposed security questions that were not encrypted, change them. If you used the same security questions for other sites or services, change those, too. And if you’re unsure, change them anyway.

It’s a headache, but doing so could save you a huge inconvenience in the future. Security questions are often used to verify identity and gain account access, without the help of email verification.

Some security experts go as far as recommending you create random, unique answers to security questions like, “Where was your mother born?” since, often, that information is easy to uncover. That’s a high expectation for most normal folks, so instead…

Enable two-step verification

If you plan to keep your Yahoo account, enable two-step verification. It’s one of the best forms of account security widely available on sites like Yahoo. Two-step means that after you log in with your password (as usual) Yahoo will text you a security code, which you’ll enter in the next step.

This way, only someone who has in-person access to your phone (you) can access your account — even if the password entered was correct.

As with changing your security questions on all services, take the time to enable two-step verification on other websites, like Facebook, Google, Twitter and so on.

Think twice before deleting accounts

Yes, it’s tempting to want to wash your hands and sever ties with Yahoo after such an egregious violation. But doing so can actually open you up to additional security headaches. That’s because deleting your account lets Yahoo recycle your old email address — thus letting someone spam every site they can find with “forgot password” requests and/or otherwise impersonate you using a known (albeit out-of-date) alias.

Better to leave the account inactive — but with two-step verification turned on.

How to spot a phishing email

Even if you have security software, phishing is a serious threat, one that can expose you to ransomware. Here’s how to avoid these dangerous emails.

Security threats come in all shapes and sizes. You’ve probably heard of viruses, trojans, keyloggers and, more recently, ransomware. Want to know what they all have in common? They can all be the result of phishing.

The word itself is a homophone; hackers use bait — usually in the form of a seemingly legitimate file or link — to “phish” for victims. And because this bait is usually spread via email, it’s hard for security software to, er, philter out. That’s what makes it so pernicious.

A sad example of a business ‘phished’

True story: A couple years back, my brother-in-law’s business was breached by ransomware. This horrific code encrypted nearly every data file — Word documents, Excel spreadsheets and so on — and literally held them for ransom. If he wanted his data back, the price would be $700.

According to a security pro hired to help, the ransomware got in when one of the owners opened an email attachment marked “My resume” — a seemingly harmless action, especially given that the company was, in fact, actively hiring.

Phishing can also result in identity theft and even lock you out of your phone. But wait, isn’t security software supposed to protect you from such threats? It is, but that’s what makes phishing so devious: It arrives as seemingly harmless-looking email and cajoles or frightens you into action — usually clicking a link or opening a file. And often that’s all it takes.

While many people are well acquainted with this practice and know what to look for, I suspect there are plenty of folks who still fall victim. Heck, I consider myself an expert at phishing avoidance, yet I’ve had occasional momentary lapses that almost got me to click a fraudulent link.

How to spot a fake email

Below I’ve shared an actual email that shows some telltale signs of phishing fakery. Note that because I’m a PayPal user, the email certainly caught my attention — at least initially.

Screenshot by Rick Broida/CNET
  1. Like many people, I have several email addresses. But this message came to an address that isn’t linked to my PayPal account. What’s more, the “To” field is blank, an obvious sign it didn’t actually come from PayPal.
  2. Bad grammar and spelling are telltale signs of phishing. Big companies hire professional copywriters (and editors) for email communication.
  3. My name is missing. The salutation merely reads, “Hello, [blank].” I’m pretty sure PayPal would communicate with me by name.
  4. Another strong clue this is a fake: I didn’t just sign up for PayPal. Now, you might think, “Oh, no, somebody created a PayPal account in my name!” Again, this is a scare tactic (and a weak one at that) designed to get you to click the inviting blue button. Were you to do so, you’d probably be directed to a site that looks fairly PayPal-like, with a form requesting all kinds of personal info — including a credit card number. Alternately, you could land at a site that stealth-installs a bunch of spyware and/or viruses.

This was some sloppy phishing. But there are much craftier ones out there, like “your account has been compromised!” or “FedEx has a delivery waiting for you” emails that look indistinguishable from the real thing.

Fortunately, it’s fairly easy to protect yourself against come-ons like these.

How to avoid getting caught in a phishing net

Always be suspicious. Phishing emails try to freak you out with warnings of stolen information or worse, and then offer an easy fix if you just “click here.” (Or the opposite: “You’ve won a prize! Click here to claim it!”) When in doubt, don’t click. Instead, open your browser, go to the company’s website, then sign in normally to see if there are any signs of strange activity. If you’re concerned, change your password.

Check for bad spelling and grammar. Most of the missives that come from outside the US are riddled with spelling mistakes and bad grammar. As I noted earlier, big companies hire professionals to make sure their emails contain perfect prose. If you’re looking at one that doesn’t, it’s almost certainly a fake.

Beef up your browser. An accidental click of a phishing link doesn’t have to spell disaster. McAfee SiteAdvisor and Web of Trust are free browser add-ons that will warn you if the site you’re about to visit is suspected of malicious activity. They’re like traffic cops that stop you before you turn down a dangerous street.

Use your phone. If you’re checking email on your phone, it might actually be harder to spot a phishing attempt. You can’t “mouse over” a questionable link, and the smaller screen makes you less likely to spot obvious gaffes. Although many phone browsers (and operating systems) are immune from harmful sites and downloads, it’s still good to exercise caution when dealing with suspicious links. (Obviously you still shouldn’t complete a form that asks for your password or other personal info.) Android users in particular should be aware of the potential risks.

Most of all, rely on common sense. You can’t win a contest you didn’t enter. Your bank won’t contact you using an email address you never registered. Microsoft did not “remotely detect a virus on your PC.” Know the warning signs, think before you click, and never, ever give out your password or financial info unless you’re properly signed into your account.
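The tells in the numbered list above (blank “To” field, an address you never registered, a nameless salutation, sloppy grammar) and the “mouse over the link” check from the tips can be mechanised. The following is an added example, not code from the original article; the sample message and the paypa1-secure.example domain are constructed for illustration.

```python
"""Flag the phishing tells described above in a raw email message (added example)."""
import re
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser

# Constructed sample mimicking the PayPal lookalike described in the article.
SAMPLE_EMAIL = """\
From: "PayPal" <service@paypa1-secure.example>
To:
Subject: Welcome to PayPal! Confirm you're account
Content-Type: text/html

<html><body>
<p>Hello, </p>
<p>Thank you for sign up for PayPal. Please confirm you're account details.</p>
<p><a href="http://paypa1-secure.example/confirm">https://www.paypal.com/confirm</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: the programmatic 'mouse over'."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Return the lowercase host of an absolute URL, or None if it is not one."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else None


def phishing_indicators(raw_message, my_addresses, claimed_domain):
    """Return the names of the tells triggered by raw_message.

    my_addresses: lowercase addresses you registered with the claimed sender.
    claimed_domain: the sender's legitimate domain, e.g. 'paypal.com'.
    """
    msg = message_from_string(raw_message)
    findings = []

    # 1. Blank "To" field, or delivered to an address not linked to the account.
    recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a]
    if not recipients:
        findings.append("blank_to_field")
    elif not any(r in my_addresses for r in recipients):
        findings.append("unregistered_recipient")

    # 2. Sender domain that is not the company it claims to be (or a subdomain).
    sender = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    sender_domain = sender[0].rsplit("@", 1)[-1].lower() if sender else ""
    if sender_domain != claimed_domain and not sender_domain.endswith("." + claimed_domain):
        findings.append("sender_domain_mismatch")

    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    else:
        body = msg.get_payload()

    # 3. Salutation with no name after it ("Hello, " then end of paragraph).
    if re.search(r"\b(hello|dear|hi),?\s*(</p>|\n|$)", body, re.IGNORECASE):
        findings.append("generic_salutation")

    # 4. Link whose visible text names one host but whose href goes elsewhere.
    parser = _LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        if _host(text) and _host(href) and _host(text) != _host(href):
            findings.append("link_text_href_mismatch")
            break

    # 5. A grammar slip a professional copy editor would have caught.
    if re.search(r"\byou're (account|password|order)\b", body, re.IGNORECASE):
        findings.append("grammar_slip")
    return findings
```

Any single finding is only a hint; the value is in how many fire at once on the same message.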

Have any other antiphishing tips? Share them in the comments.

New details emerge on Fruitfly, a near-undetectable Mac backdoor


The malware went largely undetected for several years and is only detectable on a handful of security products, but the “fully featured” Mac backdoor can take control of an entire computer.

Six months after it was discovered, the first Mac malware of the year is still causing a stir.

The recently discovered Fruitfly malware is a stealthy but highly-invasive malware for Macs that went undetected for years. The controller of the malware has the capability to remotely take complete control of an infected computer — files, webcam, screen, and keyboard and mouse.

But despite its recent discovery, little is known about the malware.

Given how rare Mac malware is, especially one with all the hallmarks of what could be a nation state attacker, Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, got to work.

Apple released security patches for Fruitfly earlier this year, but variants of the malware have since emerged. The core of the malware is an obfuscated perl script using antiquated code, with indicators in the code that suggest the malware may go back almost half a decade or more, the security firm said. Nevertheless, the malware still works well on modern versions of macOS, including Yosemite. Fruitfly connects and communicates with a command and control server, where an attacker can remotely spy on and control an infected Mac.

But what it does, and why, aren’t widely known.

“It’s not the most sophisticated Mac malware,” said Wardle in a Signal call last week, but he described it as “feature complete.” Like others, he wasn’t sure what the malware did exactly on first glance.

Instead of reverse-engineering the malware’s code to see what it did, he took a novel approach of creating his own command and control server to interact directly with a sample of the malware in his lab.

“I had to figure out how to create a command and control server that could speak the ‘language’ of the malware,” he said. That let him fully deconstruct what the malware did simply by “asking” the malware the right questions, giving him an unprecedented view into its capabilities.

He found that he could take complete control of an infected Mac, including its keyboard and mouse, take screenshots of the display, remotely switch on the webcam, and modify files. The malware can also run commands in the background, and even kill the malware’s process altogether — likely in an effort to avoid detection.

“The most interesting feature is that the malware can send an alert when the user is active,” said Wardle, so that the attacker can then avoid interfering with the computer to remain stealthy. “I haven’t seen that before,” he said. He even found that some commands supported additional parameters. What he called the “second byte” to each command would offer more granular options. He explained that he could take screenshots of the display of varying quality — a useful feature for low-bandwidth connections or trying to evade network detection.

He noticed that the malware was communicating out to primary servers that were offline. But some of the backup servers were available.

Armed with his Python-based command and control scripts, he registered some domains, and fired up his servers. And that’s when his screen began to fill up with victims’ computers connecting to his servers, one after the other.

“I thought — ‘f**k!’ — I have to be responsible here,” he said. When the malware connects, you get the IP address, name of the user, and the computer name (which is typically the full name of the user). “I just logged the connections and parsed the computer names, then closed the connection,” he said.

The early analysis was that as many as 90 percent of the victims were in the US, with no obvious connection between the users, he said. “It was just a general smattering of users.”

But questions remain over where the malware came from, and what purpose it performs.

Wardle said that, based on the target victims, the malware is less likely to be run by a nation state attacker, and more likely operated by a single hacker “with the goal to spy on people for perverse reasons.” He wouldn’t say how many were affected by the malware, but suggested it wasn’t widespread like other forms of malware.

He also wasn’t sure on the exact delivery method of the malware, but suggested it could infect a computer through a malicious email attachment.

Wardle has since informed and is now working with law enforcement on the matter, handing over the list of victims and command and control servers.

“You have to realize that this kind of re-exposes the fact that you can be an ordinary person and still be victim of a really insidious attack,” he said. “This is just another illustration that Macs are just as vulnerable as any other computer.”

In part for that reason, Wardle spends his spare time developing free-to-download Mac tools to protect against this kind of attack, including Oversight, which notifies users when their microphone or webcam becomes active; essentially protecting against some of the features of this malware.

“It’s not surprising that this malware wasn’t detected for five or more years, because current Mac security software is often rather ineffective,” he said. “Most don’t even look for this kind of activity.”

Wardle is set to talk about the malware in more detail at the Black Hat conference in Las Vegas on Wednesday.

Apple did not respond to a request for comment.
