A Review of EaseUS Data Recovery Software for Mac

I have never really had the need for data recovery software until recently, when I mistakenly deleted a bunch of data off of a USB thumb drive, thinking I had backed it up somewhere. Much to my chagrin, I had not in fact backed it up. There were some files I was really going to miss, such as recordings of music I had made in Logic, and some various photos I’ve carried around with me over the years.

As I quickly learned, these types of apps do not run cheap. After doing some digging, I ran across a promising candidate called EaseUS Data Recovery. As far as data recovery software goes, they seemed to have been around a while, and had some good reviews. At $89.95, though, I expected it to do great things. Not only did I want Mac data recovery, I wanted a tool that would let me recover data from external hard drives, USB thumb drives, and more. EaseUS promised to do that.

Installing The App

There were a few concerning things that happened during the installation process. For starters, Little Snitch reported outbound connections to track.easus.com. I could understand the need to reach out and check the license key, but over port 80? The subdomain “track” indicated that this was collecting some sort of metrics. I’m not sure I feel OK about that, especially over an unencrypted connection.

I let it pass through, and the installation continued. Another outbound connection warning appeared:

Hmm…another non-SSL connection to their website. I would hope that a company charging $90 for an application would be able to (and be smart enough to) get an SSL certificate to encrypt these connections, thereby helping protect their customers’ privacy.

Post Installation

Once installed, I went to plug in the license information that EaseUS had provided to me to register the product and ensure I was getting all the features. When I did this, another unencrypted outbound alert appeared, which I can only assume contained my license key information as the software called home to validate it:

EaseUS doesn’t seem to care about encrypted data transfers. Not good!

The last complaint about the installation process is that I was left with a new taskbar widget that looked like a weather alert. 35 degrees? What is that?

Turns out this is a widget that provides “S.M.A.R.T.” monitoring of my drives. I’m not sure what that acronym stands for, but this widget was added for me without my knowledge, and it was promising to monitor my drives for issues. I decided to disable it since I am not a fan of widgets being added for me without asking.

Recovering Data with the Recovery Wizard

At this point, things got considerably better. The application was a breeze to figure out and use. I was first asked what type of files I wanted to recover. I left all of them checked since I wasn’t sure what all was on my deleted USB thumb drive.

From there, I was given a list of drives on my system:

Selecting my USB drive, I proceeded. Within a minute I was shown a bunch of files that were recoverable from my USB drive. I was able to choose what I wanted to be restored.

After that, all it took was clicking the Restore button, and I was asked where I wanted to save everything. Another 2 minutes later, I had all my files back! I’m not sure why I’d want to Tweet about that or “share my happiness” on Facebook, but I was given that option when the operation was complete.

MP3’s worked, images were viewable, and everything was good. I did notice a few filename characters had been replaced with a “#” sign, but they still operated normally. The EaseUS software did exactly what it said it would do.

Summary

All in all, this is a good product based on my testing experience, and I’d recommend it if you need to recover data from a computer or external drive. There are some installation shenanigans to be aware of, as the software tries to install its monitoring widget without your consent. The worst part of it all is that the outbound calls to easus.com are not encrypted. EaseUS: get your stuff encrypted, please!

Tool Sharpening

As honest Abe Lincoln said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”

For the last six months, I have been playing the part of Hey Blinkin, getting the tools in my toolbox sharpened, honed, configured, and ready as I am inches away from starting the PWK/OSCP course. As soon as some paperwork clears, I’ll be signing up, hopefully to start in mid-July. You may have seen me posting things I’ve learned so far here on my blog. I intend to keep it up, as finding other OSCP adventurer blogs, tips, and tools along my journey has been invaluable. I hope to pay it forward here.

That said, here are a few very sharp tools I’ve come to love (as recently as this evening):

iTerm 2 – http://iterm2.com/ – a better Terminal app for Mac. Highly configurable, integrative, and versatile. Not exactly a pentesting tool, but something anyone doing command line work on a Mac should check out.

Sn1per – https://github.com/1N3/Sn1per – a super-thorough and invasive reconnaissance tool. It is very noisy and not recommended for actual pentesting, but it is great for working on CTF and Vulnhub VMs.

OSINT Framework – http://osintframework.com/ – a hefty, well-organized set of free tools for gathering all kinds of information. Originally geared towards security, it includes a lot of other fields as well. Follow it on GitHub here.

 

Microsoft Windows has Free Virtual Machines

Wish I had known about these earlier. Microsoft offers free Windows virtual machines for VirtualBox, VMware, and others. You can choose from Windows 7, Windows 8, or Windows 10 (a few different flavors of each). They last 90 days before expiring, but you can snapshot them right after you install them to make it easy to reset that 90 days by rolling back to the snapshot.

Officially, these are for testing out the Edge browser, but you can also use them for whatever else 😉

Check them out here:

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

 

 

Get With The Program: Learning To Code

As computers become more omnipresent in our lives, coding knowledge is becoming more and more in demand. With enough programming knowledge you can create your own website, build your own app, develop your own software and even engineer your own hardware. If you’re considering learning to code from scratch, here are the steps you should take.

Choose your language

First you will need to choose your programming language. Different languages are better suited to different applications – for example C++ is good for creating games, Java is good for mobile apps and PHP is specific for web programming. Some languages such as Python are more versatile. Most programmers learn multiple languages – once you know one, the others come more naturally as they rely on the same basic principles.

Take a course

Teaching yourself to code is possible, although you’ll probably still want a few tips and pointers. Books, blogs, video tutorials and online training courses can be good for learning at home. If you work better with other people, a coding workshop or a short course may be more suitable. You can even hire private tuition.

Experiment

Once you’ve got to grips with the basics, it’s time to start experimenting. From here you can start to build your own code and better understand how to enable certain functions. Use open-source software to research other codes that people have discovered and shared. Try writing your own basic processes from scratch. Soon you will be able to start a full project of your own.

Build your own program

Eventually you will be ready to build your own program. You should start with something basic and work your way up to building a professional program – one that you may or may not wish to commercially sell.

Building something complex may require assembling a team, largely because it will be time-consuming and allocating tasks could speed up the whole process. Before building a program, you should lay out a design document to follow. From here you can start developing until you have a working prototype. This prototype will then need to be tested for bugs. You can get friends and family to test it, or – if you are creating a commercial product – you can hire a test group of professionals and download a test management solution to record any bugs they find. Learning to deal with bugs is a frustrating but essential part of programming.

Eventually, once you have ironed out bugs, you will have a fully-working computer program, which you can try and sell or use as a personal project to put in a portfolio.

Getting paid to code

There are all kinds of avenues you can take from here. You can develop your own software based on your own idea, work freelance turning other people’s ideas into realities or work for a software development company following set projects and a set wage. There are all kinds of areas that you can specialize in, from web design to PPC marketing to video games development to mobile app development to business software development to creating digital security and protecting against hacks. The world is your oyster.

Read Now If Your Employees Are Using 123RandomWord As Their Password

Ever since the internet rose up from the mists of nowhere, security breaches have been a source of big news, terrifying news. Whether it is the likes of Yahoo being hacked, or Election Results being tampered with, hacking scandals seem to be rearing their ugly heads more often than not. We read story after story about security leaks and each one ends with the same paragraph, the same foregone conclusion; businesses and business leaders need to up their game when it comes to protecting the sensitive data they hold. That is the common message from security experts, and yet so many businesses still don’t prepare themselves properly. Because they have been targeted and affected, they don’t take it seriously enough to seek out the weak links in their business, research the most recent trend in threats, and thus fail to protect themselves and their clients/customers from any breach.

Don’t believe us? Well, the recent State of Risk report concluded that a majority of businesses – big and small – have not invested in a system that will protect, control and track the sensitive data they have been entrusted with. The majority have no system, or only a partial one, in place. Trust us, if Yahoo is struggling to hold their defensive line against hackers then, chances are, you are going to struggle too. That’s why it is imperative to invest in security. Put it this way, the average cost incurred by a cyber breach on a small or medium sized business is £325,000.

I thought that would grab your attention.

So what preventative measures can you take? How do you best protect yourself and your customers? How do you make sure you are doing all you can to prevent a security breach? How do you stop your sensitive data getting into the wrong hands? Well, we have conducted thorough interviews with security experts to hear what they say, and have compiled a list of the most common areas of weakness in most businesses.

  1. On The Go Tech

In the early 90s and before, a data hack would mean someone would have to hack into your servers or break into your premises in order to access your sensitive data. But these days are gone, and data theft has been made so much simpler by the rise in mobile technology. Simply put, mobile devices increase your vulnerability and thus increase the risk. Of course, mobile devices are a must-have for all employees these days because they increase flexibility and productivity, and reduce the issue of wasted time and resource. However, the more your employees use these devices to share data and access your servers or fail to change their passwords, the more risk you are at. In fact, mobile breaches account for almost three-quarters of all breaches, a rise that mimics the rise of the bring your own device (BYOD) to work policy that so many companies are embracing.

As such, it is imperative that you renew your BYOD policy so that it carefully spells out certain rules and expectations. This will better educate your workforce on the risks. A great way to make this more effective is to relate security breaches at work to the risks they face at home; make it relatable to personal risks like using ATM machines. You should also ensure that you have the capabilities to better monitor mobile devices. This way you will be able to quickly pinpoint any breach or any weakness.

  2. Uneducated Employees

We don’t mean uneducated in terms of schooling, we mean uneducated regarding security, and that means your training program is letting them down. But, yes, all too often your employees are a security risk. It could be that an employee leaves their laptop on a table in Costa as they nip to the bathroom, or a smartphone gets left on the subway, or in a taxi. All of these pose serious threats to your security. But it is not just about exposure outside the office. Too many employees are not educated on the importance of a strong password, what constitutes a strong password or how often they should change their password. This leaves you exposed on the inside. The same goes for training on what to look out for when it comes to suspicious emails.

Cyber attacks have got more and more sophisticated. The phishing techniques have improved, spear phishing is now called upon, unauthorized websites are now able to install malware without the user knowing, and all of these pose a serious threat to both your systems and your data. That is why training is so important, and regular training too, as this will allow you to renew their understanding as different trends arise. A great way to do this is to approach digital learning companies who have experience in this kind of training. This will offer you a cost-effective means of training that is not just interactive and engaging but offers an audit trail too. They will know how to teach your employees about passwords, phishing, keylogging and much more.

  3. Inside Jobs

It is hard to say exactly where an internal attack originates, but it is typically unhappy or disgruntled employees. What’s more, these account for a seriously high number of breaches. Of course, any inside attack will require in-depth knowledge of your IT systems and will require someone to have access to all areas of your network, which is why most inside attacks come from within the IT Department. A disgruntled employee working within IT support can create a huge amount of problems.

Preventing this weakness is a challenge, but it requires mitigating any chance of employees in this sector becoming disgruntled. This is not always possible, so it is crucial you identify all those that have access to all areas of the server; this way you will be able to act quickly should an event happen. Another step should be to terminate access for anyone that no longer works within this capacity as soon as possible.

  4. The Cloud

The most effective way to protect all data that is stored in the cloud is to encrypt any access at ground level. Different experts suggest different encryption software, but all suggestions usually represent the gold standard in this field. We can’t stress enough the importance of investing in this kind of security. Since the cloud first originated, a high proportion of cyber attacks have been made possible by companies not using data level encryption devices to protect data stored up high, so make sure you invest well and invest fast.

  5. Third Parties

There are a few reasons why outsourcing has become more and more attractive. It is cost-effective, it frees up resource time, it allows experts to address what is becoming a more and more complex area. It could be you outsource the maintenance of your server, or your point of sale system, or a myriad of other things. However, while they may be experts in protecting you, third-party providers sometimes don’t follow best-practices themselves. It may be they use one password to connect to all of their clients, for example, which poses a threat should that password be hacked.

As such, you should always ask as many questions as you possibly can. Make sure they follow the best practices of remote access security, and enforce stringent policies for their workforce to uphold, and use sophisticated authentication techniques to ensure there are unique credentials required for each user. The other step you must take is to know which third parties you are using and then terminate their access as soon as their contract runs out or as soon as they no longer require access.

Let’s Encrypt The World

I have been a big fan of free SSL certificate authority LetsEncrypt.org since it was in Private Beta. Now in Public Beta, and now being a Certificate Authority recognized by every major web browser, it’s time for you to start using it on your website!

The great thing about Let’s Encrypt is that it is free. Why? Because the sponsors behind it believe encryption is for the public good. And they are correct. No more do you need to pay $80/year or more for an SSL certificate through some company like GoDaddy. This all may sound too good to be true, but it isn’t.

Wait, what?

In case you are unfamiliar with what I’m talking about here, LetsEncrypt.org offers you free SSL (Secure Sockets Layer) certificates for your website. This makes your website secure and encrypted for your visitors, just like your bank does, by changing your site’s address from using http:// to https://.

Being a user of the WHM/cPanel web hosting tools for the handful of websites I run, I found a great set of instructions and scripts you can use to get this set up and running in that environment. Just follow the instructions in the WHM forum here. Be sure to set up the cron job so that your cert(s) get renewed automatically. If you forget, it’s very easy to do it by hand from the command line, but the cron job makes it so that you don’t need to remember.
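A renewal cron job can fail silently, so it is worth watching the certificate from the outside as well. The script below is an added example, not part of the WHM scripts mentioned above; the 30-day warning threshold and the host names passed on the command line are assumptions.

```python
import socket
import ssl
import sys
import time

# Assumption: warn once fewer than 30 days remain on the certificate.
RENEW_THRESHOLD_DAYS = 30


def days_remaining(not_after, now=None):
    """Days until notAfter, given in the string format getpeercert() returns."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def renewal_status(not_after, now=None, threshold=RENEW_THRESHOLD_DAYS):
    """Classify a certificate as OK, RENEWAL OVERDUE or EXPIRED."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "EXPIRED"
    if left < threshold:
        return "RENEWAL OVERDUE"
    return "OK"


def check_host(host, port=443, timeout=10):
    """Connect to host, validate its certificate and report renewal status."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An already-expired (or otherwise invalid) certificate fails here.
        return f"INVALID ({exc.verify_message})"
    return f"{renewal_status(not_after)} (expires {not_after})"


if __name__ == "__main__":
    # Usage: python3 cert_check.py example.org www.example.org
    for name in sys.argv[1:]:
        print(name, check_host(name))
```

Run it from a second cron job on a different machine so that a broken renewal is noticed before visitors see a browser warning.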

Encrypt WordPress

If you are a WordPress website owner, you can configure it to use the SSL certificate by editing your site’s URL in Settings > General. I especially recommend this for WordPress admin area logins, but there’s no reason you shouldn’t be using SSL on your whole site anymore. This is especially true considering Google favoring SSL-enabled sites over non-SSL sites.

Redirect Traffic to HTTPS

Using an .htaccess file, you can set it up so that any traffic going to your http:// website is automatically redirected to your https:// version. This is the snippet I use in my .htaccess file for that:

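# Send any plain-HTTP request to the same host and path over HTTPS (permanent redirect)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]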
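To confirm the rule behaves as intended, request a page over plain HTTP without following redirects and inspect the answer. This checker is an added example, not from the original post; the function names and the example.com URLs are assumptions chosen for illustration.

```python
import http.client
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def check_redirect(requested_url, status, location):
    """Return a list of problems in a server's answer to a plain-HTTP request."""
    if status not in REDIRECT_CODES:
        return [f"no redirect (status {status}): content is served over HTTP"]
    if not location:
        return ["redirect status without a Location header"]
    req, loc = urlsplit(requested_url), urlsplit(location)
    problems = []
    if loc.scheme != "https":
        problems.append(f"Location is not https: {location}")
    # The rule reuses HTTP_HOST and REQUEST_URI, so both should be preserved.
    if loc.hostname != req.hostname:
        problems.append(f"host changed: {req.hostname} -> {loc.hostname}")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        problems.append("path or query string was not preserved")
    return problems


def probe(url, timeout=10):
    """Send one GET over plain HTTP and return (status, Location header)."""
    u = urlsplit(url)
    target = (u.path or "/") + ("?" + u.query if u.query else "")
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", target)  # http.client never follows redirects
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python3 redirect_check.py http://example.com/wp-login.php
    for url in sys.argv[1:]:
        issues = check_redirect(url, *probe(url))
        print(url, "OK" if not issues else "; ".join(issues))
```

Test a deep URL with a query string as well as the home page, since a redirect that only works for `/` sends every other request to the wrong place.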

Go forth and encrypt all the things!