Copilot is My God?

We likely don’t realize how much AI plays a role in our daily lives. You know those annoying phone trees, the ones that don’t seem to ask the right questions for your problem or offer a good answer or access to a real human being? That’s AI at work. They drive me nuts, but what keeps me awake at night is the question of who has access to my data.

Many of our customers are turning to Microsoft Copilot to access the power of AI, and if you’re thinking about doing it, here are a couple of things to consider.

As you’ll discover upfront, there’s a free version and a paid version. The main difference is that free Copilot is a basic AI assistant with web-grounded chat and limited image creation. The paid Copilot Pro and Microsoft 365 Copilot offer deeper integration with Microsoft apps, priority access to advanced models, and higher usage limits. I can use ChatGPT to create Excel formulas for my data, but it’s the paid version that accesses my data.

AI carries a number of risks, including data poisoning, adversarial attacks, and privacy leakage, which can compromise a model’s integrity and sensitive data. There’s also the potential for model theft and vulnerabilities in the supply chain and APIs. Let’s focus on risks related to data, privacy, and model integrity.

  • Privacy Leakage: AI models trained on sensitive data may inadvertently leak that information through their outputs. This includes model inversion and membership inference attacks, where attackers try to extract private information about the training data.
  • Model Stealing: Attackers can reverse-engineer or replicate an AI model by analyzing its outputs, which can be used for malicious purposes or to steal intellectual property.
  • Data Breaches: AI systems often require large amounts of data, making them attractive targets for data theft. A breach can expose sensitive personal, financial, or proprietary information.

Whether you use AI or not, Windows 11 and your computer play key roles in your security. All computers are not created equal. If you do a lot of work with Copilot, your computer may not cut it. You should have a computer with a neural processing unit (NPU) capable of processing 40 TOPS – 40 trillion operations per second. Anything less than that will require your computer to offload data from your CPU and graphics card by sending it to the cloud.

Sending it to the cloud involves a security risk, no matter how small the risk may be, and that’s a breach opportunity. Sending data to the cloud also slows you down. If your computer can keep all your work local, it’s faster and more private.

Windows computer chips that deliver 40 or more TOPS are the specialized Neural Processing Units (NPUs) in the new “Copilot+ PCs,” which include Intel’s Lunar Lake series and the upcoming Qualcomm Snapdragon X Elite/Plus chips. Standard CPUs such as the Intel Core Ultra 7 155H do not meet the requirement.

Computers capable of 40 TOPS start at around $600 to $700. More powerful and versatile models can cost more than $1,000, but prices could be much higher, depending on the NPU or if it uses a more expensive, high-performance GPU, which can add significant cost for graphics-intensive tasks. In addition, you likely will have licensing fees depending on what you’re doing and how many computers are doing the work.

We can help you assess your AI needs and sort through myriad options for Copilot licenses and the computers needed to accomplish the tasks you require. AI can require a large investment, which requires intensive investigation. Contact us by phone – 973-433-6676 – or email to set up an appointment to start the investigation process.


Fools and Their Money: A Seasonal Shopping Guide

“A fool and his money are soon parted” is a saying often attributed to Thomas Tusser, an English poet and farmer, who first wrote a version of it in his 1573 book Five Hundreth Pointes of Good Husbandrie. If only he could have envisioned today’s internet. AI will test your ability this year to differentiate the fake from the real more than ever.

As we scour the internet for bargains, hard-to-find items, and the best possible shipping terms, charities are making their annual push for donations, including major online solicitation campaigns. Scammers of all sizes are also using all sorts of AI tools to get between you and the companies you want to buy from or donate to.

Succumbing to a scam doesn’t make you a fool; the scammers and their tools are really, really good. AI helps them create exceptionally good graphic and video deepfakes. It helps them replicate flawless logos and improve their grammar, spelling, and syntax, all of which used to be dead giveaways of a scam.

But it would be foolhardy not to raise your antennae and harden your common sense with renewed vigilance. The cardinal rule remains the same: If something looks too good to be true, something is likely wrong.

Let’s look at some things that should raise a red flag:

  • Links: Whether in an email or especially on a website popup, don’t click on a link from a person or entity you don’t know or can’t verify. It’s the quickest way to allow a bad actor to plant malicious code that can compromise your data and that of anyone in your contact list.
  • Emails from Businesses, Charities or People You Don’t Recognize: The sender’s name may look legitimate, but you can hover your mouse over the sender’s name and see the real email address. If you’re not sure about anything you see, you have two options:
    • Delete the email.
    • Open a new browser window and type in the name of the business or charity as you know it to be. You should be able to find a phone number to call to verify if it’s from a legitimate organization.
  • Unsolicited Text Messages: This is another form of phishing known as smishing. Treat them the same as an email.
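The “hover over the sender’s name” check above can be automated for anyone who wants to screen a mailbox export. The following is an added example written for this newsletter page (it is not code from the newsletter or from any email client); the sample `From:` headers and the `KNOWN_DOMAINS` allow list are constructed placeholders you would replace with addresses you have verified yourself.

```python
import re
from email.utils import parseaddr

# Constructed sample From: headers (made up for this example, not real senders)
SAMPLE_FROM_HEADERS = [
    '"Acme Charity" <donations@acme-charity.example>',
    # display name is itself an address that differs from the real sender
    '"donations@acme-charity.example" <x9k2@mail.example.net>',
    # look-alike domain: "charlty" (l instead of i) is not the charity you know
    '"Acme Charity Support" <support@acme-charlty.example>',
    'Jane Doe <jane.doe@example.com>',
]

# Assumption: domains you have verified by other means (phone call, typed-in URL)
KNOWN_DOMAINS = {"acme-charity.example", "example.com"}

# Anything that looks like user@host.tld inside a display name
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def check_sender(header, known_domains=KNOWN_DOMAINS):
    """Return the real address behind a From: header and a list of red flags."""
    display, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    if not domain:
        flags.append("no parsable address")
    # The display name shows an address that is not the address mail really came from
    if any(d.lower() != domain for d in ADDR_IN_TEXT.findall(display)):
        flags.append("display name shows a different address")
    if domain and domain not in known_domains:
        flags.append("domain not in your verified list")
    return {"display": display, "address": addr, "domain": domain, "flags": flags}


def suspicious_senders(headers, known_domains=KNOWN_DOMAINS):
    """Filter a batch of headers down to the ones that raised at least one flag."""
    return [h for h in headers if check_sender(h, known_domains)["flags"]]


if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        result = check_sender(h)
        print(result["address"], "->", result["flags"] or "looks consistent")
```

The allow list is the important part: a flag means “verify before you click,” and the way to verify is the one in the list above, a phone number or website you look up yourself rather than anything in the message.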

Be careful of really good prices when shopping for all products and services. Prices that are too good to be true may be outright fraudulent or carry terms and conditions that are extremely unfavorable to you. Check closely to make sure a product or even an airline ticket or hotel room is not offered by a gray-market or third-party provider. Read the terms and conditions and look for authentic user reviews. Again, if something looks funny, it should raise a red flag.

No matter what you’re looking to do online, it’s more important than ever to use two-factor authentication (2FA) for all the websites you can. While a code sent to your computer or phone is better than nothing, more advanced forms of 2FA, such as authenticator apps or biometrics, rely more on information stored on a specific device, making them more secure.

If you think you may have been hacked, call us – 973-433-6676 – as soon as you possibly can to assess the breach and take steps to close up your security holes.

The Monitor Whisperer

If the eyes are the windows to one’s soul, then the monitor can be the window to your computer’s hardware issues. Here are two examples of what a monitor revealed, and how we found their revelations. It wasn’t as high-tech as you might think.

Our first instance involved a panicked client with a year-old Mac laptop that was hooked up to an external monitor. They said the computer was making a noise intermittently, and they were afraid it was the Mac’s version of a death rattle. We have to admit that the noise confounded us, too.

We did a search on the monitor make and model. Virtually all monitors have a single button that you need to push multiple times to make adjustments, and half the time, the user doesn’t know what adjustments are being made – or not being made. In this case, the monitor has a feedback feature that causes it to make a sound when it wakes up. That is scary until you learn about it; then it’s annoying.

We worked the button to shut off the monitor sounds.

In our second instance, a client thought they were hacked because they kept seeing a message in the corner of the screen. We remoted into their system but never saw that problem. Nor did we find any evidence that they had been hacked or compromised.

One thing you have to keep in mind is that when we look at your computer remotely, we don’t see your monitor screen. We see a representation that enables us to see what’s going on inside your computer. We didn’t see anything on our view, and the client couldn’t see any messages because they saw the same view we did.

Yet the problem persisted. So, we decided to do a FaceTime call, which enabled us to see what the client saw during their normal work. We saw that the monitor was throwing off alerts. We did some research and found the monitor was from 2006. The monitor owed the client nothing. We ordered two new monitors for the client and installed them. The client got better performance from their new monitors and screens with larger viewing areas.

The lesson learned from these experiences is that if we can’t remotely see the problem you reported, it’s likely a hardware issue. Call us – 973-433-6676 – or email us if you see something odd. We can confirm if it’s a hardware issue and help you solve it or replace it. And if it is a software issue, we can take care of that during the remote session.

Carrots: The Root of Speedier Scrolling, Less Clutter

Carrots can provide useful shortcuts for navigation and decluttering your screen. You can find them almost anywhere on your screen. You’ve likely seen them and never paid much attention to them.

The carrot symbol ^ (properly called a caret) can be pointed in any of four directions on a screen – up, down, left, right – and carrots are most useful in File Explorer and Outlook, although they’re not exclusive to those apps.

Most of us will find carrots useful for doing a quick search in File Explorer. If you look at the upper left corner of File Explorer, you’ll see three listings: Home, Gallery, and your OneDrive. In Home, for example, you might find a screen to the right that shows > Recommended on the top row and > Recent, Favorites, Shared. If one of those three folders is highlighted, you can click on it and get a listing of files for a quick search. You can then open a selected file or simply collapse the listing by clicking on the downward-pointing carrot.

In the next grouping on the left, clicking on Documents or Pictures, for example, opens a dropdown menu of folders and subfolders (showing as many levels of subfolders as you have) to give you a quick look at your files. We’ve found it quicker to search this way than scrolling through our folder or subfolder lists of Documents or Pictures.

Farther down on the left are This PC and Network. Clicking the > carrots will show you more information about files on your PC or devices connected to your network. Again, they’re easily collapsible.

Similarly with Outlook, you can use carrots to expand or collapse your Favorites and the contents of each mailbox (account) that you have through Outlook. This can help you keep your screen less cluttered and more organized, helping to navigate the contents of each account more efficiently.

Working in Microsoft Word, if you keep the ribbon open and expanded across the top, you can access more options by using carrots for things such as fonts, sizes, colors, bullets in bullet lists, etc.

We encourage you to look for carrots in File Explorer, Outlook, and your Office apps. Looking at the results of each click may lead you to a new shortcut that makes your computing life easier.

Secure Your Email

Security measures such as encryption and 2FA help make email communications more secure, but they have their own issues for many users and fall short in some ways. Use them wherever you can, but remember that nothing works better than common sense, especially when you click on links in an email.

The majority of breaches of computer systems through email are user-initiated. A user clicks on a link – usually because of carelessness – that results in giving up login credentials for a website or a technology system. Encryption is no protection against a user causing a breach.

Security holes in encrypted email include human error, such as failing to encrypt messages or falling for phishing attacks, reliance on imperfect encryption in transit where servers may not support it, vulnerabilities on the recipient’s device like malware or unsecured devices, and issues with key management, such as weak passwords or lost private keys.

Let’s focus on those last two points. Securely managing and distributing encryption keys is complex. If private keys are lost or stolen, recipients may be unable to access their encrypted messages, and attackers could use stolen keys to decrypt emails. Easily guessed passwords for email accounts can be compromised, allowing attackers to access encrypted emails on a device.

Attackers can also exploit complex email systems by compromising intermediary servers or utilizing features that weaken security. These can include URL redirects to bypass encryption and deliver malicious content.

Instead of adding complexity, it might be better for most organizations to reemphasize some proven basics. One of them is 2FA. As imperfect as it is, 2FA can utilize a device such as a cell phone, which should be in the hands of the user. Yes, it can be defeated, but that happens if a system has already been breached and the attacker has changed the phone number and/or email address of the user.

The other basic is common sense. Don’t click on a link in an email unless you are 10,000 percent certain it’s correct and legitimate. AI is making it harder to detect malicious links, so users must be more vigilant. Don’t be in a rush, especially if you’re juggling several tasks. The safest way to respond to an email with a link or phone number is to open a browser and go to the website of the company. You should be able to find a phone number and maybe a legitimate email address to contact.

We can help you with email security in two ways. One way is to conduct a security audit of your email system to find and patch holes. The other is to help you set up 2FA systems, including biometrics and authenticator apps. Call us – 973-433-6676 – or email us to discuss your needs and possible solutions.

Authenticator Apps Can Protect You from SIM Swapping

We hate taking extra steps, especially if we think they’re complicated. But with the rise of SIM swapping, you might want to bite the bullet and get used to using an authenticator app.

The benefits of using an authenticator app for 2FA were illustrated by the problems of a new client who was victimized by a SIM swap of their phone number. The SIM swap caused untold problems, and untangling them depended on hard-to-find phone records.

Again, just to recap from last month, SIM swaps happen when a bad actor is able to convince a carrier that they’re you and that you need to transfer your phone number to a new device. While the bad actor has your phone number hijacked, you lose your cellular service. You can’t make or receive phone calls or send or receive texts. If it happens for a short time and you’re not using your phone, you’ll never know it happened. If you’ve set up a form of 2FA that involves getting a code through a text message, you’ll never know that the code went to someone else, either.

An authenticator app is different. It uses a Time-Based One-Time Password (TOTP) algorithm to generate unique, time-sensitive codes for 2FA. The apps are set up on a mobile phone, and the process can be difficult for some. We suggest professional help to avoid untimely problems down the road.

When you link the app to an online service from a computer or a phone, both the app and the service’s server use a shared secret key and the current time to independently generate the same time-sensitive codes. When a user logs in, they enter the code from the app, which the server verifies by comparing it to its own generated code. The verification code almost always appears in the app on your cell phone, and the app regenerates it every 30 seconds.

The key point here is that the authenticator app is tied to your device, not your phone number. So, if the bad actor tries to enter a website or app that uses an authenticator app, they will not see the code; it is generated only on your device. If you don’t recognize the reason for a code being requested, it’s a big, bright flag that someone may have hijacked your phone number or breached your security in some way.
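To make the two paragraphs above concrete, here is an added example (written for this page, not code from the newsletter or from Microsoft or Google) of the TOTP scheme an authenticator app and a server share: the HMAC-based one-time password from RFC 4226 driven by a 30-second time counter as in RFC 6238. `DEMO_SECRET` is the published RFC 6238 test secret, used here only so the values can be checked; a real enrollment generates a fresh random secret per account. The `TotpVerifier` class is the server-side half and is my own addition: it accepts a code from one step either side of the current one (for clock drift) and refuses to accept the same step twice, so a code that was captured cannot be replayed within its 30-second window.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 test secret ("12345678901234567890" in base32). Demo only: never reuse a known secret.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret(nbytes=20):
    """What an enrollment QR code carries: a fresh random key, base32-encoded."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """The app side: the counter is simply the current time divided into 30-second steps."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret_b32, t // step, digits)


class TotpVerifier:
    """The server side: same secret, same clock, plus drift tolerance and replay rejection."""

    def __init__(self, secret_b32, step=30, window=1):
        self.secret = secret_b32
        self.step = step
        self.window = window          # steps of clock drift tolerated each way
        self.last_counter = -1        # highest step already used; blocks replay

    def verify(self, code, at_time=None):
        t = int(time.time() if at_time is None else at_time)
        counter = t // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue              # already consumed: a replayed code is refused
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    server = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET)
    print("app shows", code, "-> server says", server.verify(code))
    print("same code again ->", server.verify(code))   # False: replay within the window
```

Note what is not in this exchange: no phone number, no text message, and nothing sent over the air at login time. The only thing that ever crossed the network was the secret at enrollment, which is why the app keeps working when your number has been moved to someone else’s SIM.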

Of course, the website or online app being accessed must offer an authenticator app as a security measure. More of them are offering it as a security measure, and you should take advantage of it wherever you can. If you’re on your computer, you need to have your phone handy, and if you’re using your phone, it will take a little juggling. But it’s well worth the effort.

We can help you set up Microsoft Authenticator or any other authenticator app. Call us – 973-433-6676 – or email us to learn more about the app and get help setting it up.

If You Know All Your Passwords…

If you know all your passwords, your cybersecurity can be breached. Why? Anything that’s easy for you to remember follows a logical pattern that AI is getting better at picking up. A strong password has no logic. You must have a password manager, and you must let it generate a password for each online account.

You all know the drill by now. A strong password combines upper and lower case letters, numbers, and special characters in strings that generally are 12 to 16 characters long. We won’t say it’s impossible for a human being to create and remember 100 or more strong passwords. But it’s highly unlikely.

The best part of a password manager is that you only need to remember one strong master password. The downside is that if you lose or forget the password, you may not be able to access the app, or you’ll need to jump through a lot of hoops to gain access.

AI is making passwords weaker and weaker. Remember that at its core, AI is massive computing power. Anyone who tries to crack passwords can run an untold number of scenarios for as long as they need to crack a code or give up – momentarily. If you have a password that follows some kind of publicly available personal information and/or a pattern, the hacker’s computer will eventually pick it. The computer-generated password from a password manager doesn’t use any of that information, and it follows no pattern a cracking program can exploit.
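The two paragraphs above (12 to 16 characters drawn from all four character classes, and no pattern for a cracking program to exploit) are what a password manager’s generator actually does. Here is an added example of such a generator, written for this page rather than taken from any password manager product. It uses Python’s `secrets` module, which is the cryptographically secure random source, never `random`. The `pattern_bits` function is a rough model of my own (the dictionary size, year range and symbol count are assumptions) to show why a memorable “word + year + symbol” password is worth only a few dozen bits of guessing work compared with over a hundred for a generated one.

```python
import math
import secrets
import string

# Four character classes; a generated password must contain at least one of each
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())   # 86 distinct characters


def generate_password(length=16):
    """Uniformly random password from ALPHABET with every class represented.

    Rejection sampling (redraw the whole string) keeps the distribution uniform;
    patching in one character per class would introduce a detectable pattern.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES.values()):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def pattern_bits(words=100_000, years=30, symbols=10):
    """Assumed model of a 'Fluffy2024!' style password: one dictionary word,
    one recent year, one trailing symbol. The space is the product of the choices."""
    return math.log2(words) + math.log2(years) + math.log2(symbols)


def years_to_exhaust(bits, guesses_per_second=1e12):
    """Expected time to find a password of the given entropy at a constant guess rate
    (half the key space on average). The guess rate is an assumption for illustration."""
    return (2 ** (bits - 1)) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(16)
    print("generated:", pw)
    print("generated 16-char entropy: %.1f bits" % entropy_bits(16))
    print("word+year+symbol pattern: %.1f bits" % pattern_bits())
    print("years at 1e12 guesses/s: generated %.2e, pattern %.2e"
          % (years_to_exhaust(entropy_bits(16)), years_to_exhaust(pattern_bits())))
```

The comparison is the lesson: the pattern password is exhausted in a fraction of a second at that guess rate, while the generated one is not exhausted in the lifetime of the universe. No human needs to remember the generated one, which is the password manager’s whole job.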

In addition to giving you a strong password, a password manager does away with any need to reuse a password. There’s a tendency to reuse a password because you can remember it, especially if you fear it may be difficult to access the password manager. This can be true with a smartphone, where you can only view one screen at a time. However, you can copy a password from your password manager app and paste it into your smartphone’s browser.

As you all know, reusing passwords poses a significant risk if a password is cracked at one site. Again, using AI, the hacker can quickly apply the password to every website they know you access, and chances are good that they’ll get a hit and get in.

Just about any top-rated password manager works across all platforms and should give you the option to choose a family/friends subscription for personal use and a corporate subscription. It should be mandatory for everyone in your family and for all employees using corporate online accounts to have and – more important – use the password manager.

We can help you select a password manager that meets your needs and make sure that everyone in the program is properly set up. We can also make sure that everyone knows how to download their passwords and make a hard copy, which protects everyone if they lose or forget their password or if you want to change password managers. Call us – 973-433-6676 – or email us for an appointment.

It’s Time to be Authentic

Getting a text (SMS) code to verify your access to a website is becoming increasingly vulnerable because of SIM swapping. It’s essentially a way for a hacker to “borrow” your mobile phone number without you ever knowing it – until you suffer the consequences. It’s time to use a better authentication method.

One of our clients was victimized by SIM swapping. We suspected a problem when none of their cellular devices worked. They used a family member’s phone to call us about the problem. We told them to get to the Apple Store immediately to buy new devices and bring them directly to us – without opening any boxes. Using special tools, we were able to set up all their devices securely, but the damage had been done.

How does SIM swapping work? It requires a fraudster to convince a mobile carrier to transfer your phone number to a SIM card they control. With your phone number, the attacker can intercept one-time passcodes and two-factor authentication (2FA) codes sent via text message, allowing them to gain access to bank accounts, which they can quickly drain, and social media and other sensitive online services.

The SIM swappers usually get your information through phishing expeditions, which are designed to trick you into revealing details like birthdates, full names, and addresses. Then, they pretend to be the account holder and claim their SIM card is lost or damaged, and they request to have your number “ported” to a new SIM card, which they have in their phone. Conceivably, they can access your bank account if your 2FA is a text message, clean you out, and wipe the SIM from their phone. You’ll only notice it when your phone doesn’t work – at which point you’ll contact your carrier, who will issue you a new SIM card.

You can prevent SIM swapping by not using SMS or text as an authentication method. Our recommendation is to use an authenticator app, such as Microsoft Authenticator or Google Authenticator. If you are signing into a website from your computer, the authenticator app on your phone will show you a code, and you’ll enter the code on your computer.

This is one area we strongly urge you to avoid shortcuts. There are a lot of authenticator apps available, but Microsoft and Google have a lot at stake in your security. Both have huge customer bases and publish a lot of apps.

An alternative to an authenticator app is a biometric, such as facial recognition (iPhones and other Apple devices) or a thumbprint (Android phones). As with an authenticator app, these measures are device-specific.

We can help you set up both an authenticator app and biometric authentication to replace an SMS message. Call us – 973-433-6676 – or email us to talk about it.

Not All Cloud Storage is a Backup

We tend to use the terms data storage and data backup interchangeably. It can be a costly mistake.

Cloud storage is all about easy access to files. It’s not only your access, but also collaborative access that allows teams of people to work on projects together without the need to email various versions. Cloud storage servers such as Microsoft OneDrive, Google Drive, and Dropbox allow team members to be online at the same time and see changes to files in real time. They also allow a single user to access files from anywhere in the world where you can get an internet connection.

Stored files typically are not encrypted or protected with any special technology, and that makes them vulnerable to theft and ransomware attacks. If just one team member has lax security, such as an easily cracked password or uses an unsecured public network, all those stored files are exposed. Further, it could open someone up to SIM swapping.

How should you store your data? We like Microsoft’s Conditional Access, an access management solution that enforces security policies by bringing together real-time signals from users, devices, locations, and applications to block, allow, or require additional verification steps to access resources.

It works on a granular level. For example, you can set limits on the countries from which someone can log into your system. You can limit IP addresses. Steps like these can provide extremely useful insurance against worldwide hacker organizations that take advantage of local weaknesses in our global networks.
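To show how rules like these combine, here is an added example of a simplified conditional-access evaluator. It is my own illustration written for this page; it is not Microsoft’s Conditional Access engine or its policy format, and the country list, trusted network range, sign-in records and the `exempt_users` “break-glass” account are all constructed values. The break-glass exemption is included because the paragraph that follows warns about locking out the people who need access.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Assumed policy shape: countries allowed, networks trusted, what to require."""
    allowed_countries: set = field(default_factory=set)    # empty set = any country
    trusted_networks: list = field(default_factory=list)   # CIDR strings
    require_compliant_device: bool = True
    require_mfa_off_trusted_network: bool = True
    exempt_users: set = field(default_factory=set)         # break-glass accounts


@dataclass
class SignIn:
    """The real-time signals a sign-in carries (constructed for this example)."""
    user: str
    country: str
    ip: str
    device_compliant: bool
    mfa_passed: bool


def evaluate(policy, signin):
    """Return (decision, reason): 'allow', 'block' or 'require_mfa'."""
    if signin.user in policy.exempt_users:
        return "allow", "break-glass account exempt from policy"
    if policy.allowed_countries and signin.country not in policy.allowed_countries:
        return "block", "sign-in from a country that is not allowed"
    if policy.require_compliant_device and not signin.device_compliant:
        return "block", "device is not compliant"
    addr = ipaddress.ip_address(signin.ip)
    on_trusted = any(addr in ipaddress.ip_network(n) for n in policy.trusted_networks)
    if not on_trusted and policy.require_mfa_off_trusted_network and not signin.mfa_passed:
        return "require_mfa", "outside trusted network, second factor needed"
    return "allow", "trusted network" if on_trusted else "second factor satisfied"


# Constructed policy: US only, one trusted office range, one break-glass account
OFFICE_POLICY = Policy(
    allowed_countries={"US"},
    trusted_networks=["203.0.113.0/24"],
    exempt_users={"breakglass@example.com"},
)

# Constructed sign-in attempts
SAMPLE_SIGNINS = [
    SignIn("alice@example.com", "US", "203.0.113.25", True, False),   # office, no MFA yet
    SignIn("alice@example.com", "US", "198.51.100.7", True, False),   # home, no MFA yet
    SignIn("alice@example.com", "US", "198.51.100.7", True, True),    # home, MFA done
    SignIn("alice@example.com", "BR", "192.0.2.44", True, True),      # country not allowed
    SignIn("bob@example.com", "US", "203.0.113.9", False, True),      # unmanaged laptop
    SignIn("breakglass@example.com", "BR", "192.0.2.44", False, True),
]


def decisions(policy, signins):
    return [evaluate(policy, s)[0] for s in signins]


if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(s.user, s.country, s.ip, "->", evaluate(OFFICE_POLICY, s))
```

Read the sample decisions top to bottom and you can see the mistake the next paragraph warns about: one wrong country code or a mistyped network range in `OFFICE_POLICY` turns every ordinary sign-in into a block, which is exactly why the exempt account exists and why the policy should be tested against realistic sign-ins before it is enforced.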

Installing and configuring the right access limits for your needs is not something you should attempt by yourself. There are myriad variables to the conditions that limit access, and if you make a mistake, you could lock out access to people who need it. If that happens, you’ll need an IT professional to undo the problems and reconfigure your system.

How should you back up your data? The short answer is to use specific backup technology. It makes a copy of files in storage and then encrypts them for protection. In the event of a cyberattack, a system outage or some other disaster, the encrypted files are used to restore the files to your system.

We can help you set up and configure both Microsoft Conditional Access and a backup program to keep you safely up and running. We can also provide the training needed to maintain both systems. Call us – 973-433-6676 – or email us to set up an appointment to design a coordinated plan that best meets your needs.

Secure Your Email

Email continues to be the most vulnerable link in your security chain. Ninety-six percent of all phishing attacks use email, and some three billion phishing emails are launched daily. Phishing can cost businesses $26 billion annually. The more email accounts you have, the more vulnerable you are.

One of our clients had six email accounts, all of them created for a variety of legitimate reasons. The problem is that it meant they had to guard six doors against intruders. That’s worrisome enough, but if you use multiple email clients, such as Outlook and Gmail, you need to deploy your security measures in line with each client.

Google’s Gmail has a particular vulnerability. According to a report from Malwarebytes, Russian hackers were able to bypass Google’s multi-factor authentication (MFA) in Gmail to pull off targeted attacks. They did it by posing as US Department of State officials in advanced social engineering attacks, building a rapport with their target, and then persuading them to create app-specific passwords (app passwords). App passwords are special 16-character codes that Google generates to allow certain apps or devices to access your Google Account securely, especially when you have MFA enabled.

Outlook faces several significant security challenges, including vulnerabilities that allow for remote code execution, phishing attacks, and the potential for credential theft. These vulnerabilities can lead to data breaches, unauthorized access, and the spread of malware.

Here’s how to strengthen your defenses.

  • Only use app passwords when absolutely necessary. Change to apps and devices that support more secure sign-in methods whenever you can.
  • Authenticator apps, such as Microsoft Authenticator, or hardware security keys (FIDO2/WebAuthn), are more resistant to attacks than SMS-based codes.
  • Stay up to date on phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords.
  • Keep an eye on unusual login attempts or suspicious behavior, such as logins from unfamiliar locations or devices. Limit those logins where possible.
  • Regularly update your operating system and the apps you use to patch security vulnerabilities.
  • Enable automatic updates whenever possible so you don’t have to remember them yourself.
  • Use security software that can block malicious domains and recognize scams.

When it comes to SMS-based codes, we want to emphasize one particular vulnerability: SIM swapping. It’s one of the internet security industry’s biggest worries.

It’s undetectable and it works like this:

  • A hacker puts your mobile phone number on a SIM card installed in their own phone.
  • Using their phone, they get your authentication code, which gives them access to a website or email account.

Despite this vulnerability, SMS-based codes are better than nothing. At a recent training seminar, we learned that many people don’t use any kind of 2FA or MFA methods at all. That is totally unacceptable.

We can help you – and your employees and family members – set up better security measures on all apps and devices. Call us – 973-433-6676 – or email us to discuss your needs and develop an action plan.