Hacked SSNs: What, Me Worry?

With apologies to Alfred E. Neuman, yes, you should worry. But you don’t need to panic, especially if you have Windows 11, a computer with a later-generation chipset and a lot of common sense.

New reports say the hacking group USDoD claimed to have stolen the personal records of 2.9 billion people from National Public Data, according to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, FL. The breach was believed to have happened in or around April, according to the lawsuit. A class-action law firm said the stolen file contains 277.1 gigabytes of data, including names, address histories, relatives, and Social Security numbers dating back at least three decades. A post from a cybersecurity expert on X claims the records for citizens of the U.S., U.K., and Canada were sold on the dark web for $3.5 million.

Yes, that’s scary. But it’s not as dire as you think. Security breaches happen all the time because thieves find vulnerabilities in large systems and exploit them. Some thieves steal simply because they can. If they don’t try to use stolen information, you don’t have a problem. But if they do try to use stolen data, they need to know how to defeat whatever aggressive defenses exist at, say, a bank. Often, they fail.

They may try to sell the data, but if there’s no market, the stolen information languishes. If they do sell it, the data might turn out to be outdated. Finally, the buyers may be state actors. If you’re not a likely target of blackmail or in possession of interesting secrets, they may have the goods on you but not want to use them.

All you can do is harden your defenses as best you can.

Set up two-factor authentication for every online account that offers it, or use an authentication app, such as Microsoft Authenticator, to secure your online accounts. If thieves haven’t intercepted your email, text messages, or phone, it’s going to be hard for them to break in.

Sign up for account alerts. Depending on your bank or card company, you can set them up for many things, including any charge outside your home country, any (or all) ATM withdrawals, or transactions over a certain amount.

If you get an alert you didn’t expect — or even one you did — don’t click links or call phone numbers in the alert. Instead, log into the account in question and find a contact number there. That will keep thieves from redirecting you to their own operations.

We can answer questions about 2FA, and we can help you set up Microsoft Authenticator. A proper set-up will prevent problems down the line. Call us – 973-433-6676 – or email us for an appointment.

Inside a Hack Investigation

Getting hacked doesn’t always mean your world has come to an end. In many cases, however, fixing it is a grueling process, physically and mentally, and you’ll have to provide a lot of information you hadn’t planned to disclose.

Here’s how it started. A client clicked on a pop-up window at 3 p.m. that said their computer was infected with a virus. The message in the pop-up said illegal activity was detected on the computer. But if the client called the number in the window, they could clean it up.

The client let the people who answered onto the computer and was given a cost (it doesn’t matter what it was) to fix the problem. They said it could be paid by taking cash out of the client’s account and depositing the cash at a specified ATM. They said not to turn off the computer. The client told friends they thought they’d been hacked.

The client called us the next morning and said they felt stupid. We told them not to. We see hacks from pop-up windows all the time – and they frequently happen on sites where people print recipes. The site opens what looks like a print dialogue box, and it can sometimes be difficult to know what the icon in the box means.

Our first advice to anyone who thinks they’ve been hacked is to turn off the computer and call us immediately at 973-433-6676. In most cases, the money is already gone by the time you turn it off, but nobody can get anything out of a computer that’s shut down.

To do our best to close off any new attempts from a hacker, we ask our clients to walk us through every detail of the incident. We need to find where something started so that we can close off any loops. We need to do this at every point affected by the hack. Once a hacker has gotten into your computer, you can bet they’ll be back – and you can bet they’ll look for all the doors they got through.

The obvious lesson we can all learn from this is to be extremely careful about pop-up windows. You can install pop-up blockers on your computer’s browser, and they can be configured so you can allow them on a case-by-case basis.

But pop-ups can pose additional risks, especially as artificial intelligence (AI) becomes more widely deployed. When you call a phone number in a pop-up – or any link for that matter – your voice can be recorded and synthesized. If you visit financial or health-related websites that rely on voiceprints as part of their security, you can be at risk. Whenever you answer any phone call from a number you don’t know, avoid saying the word “yes.”

We can help you tighten your security by helping you configure pop-up blockers and fine-tune your anti-virus programs. Call us – 973-433-6676 – or email us to discuss your needs.

Bring on the Passkeys

Passwords are porous, and so are some forms of two-factor authentication (2FA), such as those numeric codes sent to your phone or email to verify your identity. Known as one-time passwords (OTPs), they’re relatively safe, but hackers are getting better at breaching that defense. Passkeys are coming into their own as a stronger cybersecurity tool.

OTPs are typically provided in a text message, which is vulnerable to attacks in several ways. A hacker who intercepts the text to your phone might not get the password directly, but they could launch a smishing attack (it’s like an email phishing attack) and wait for you to make a mistake (responding to the text) to get into your account. More sophisticated hackers engage in SIM swapping or a more effective means of message interception to take over your phone and account. With those latter two forms of intrusion, it may take a while for you to discover the hack. Even if it’s less than an hour, it could be too late.

Risky as they are, OTPs by text are likely to remain in use for a while. Some companies are reluctant to change because they fear it will cost them customers who are not tech-savvy enough to adapt to more sophisticated verification tools. Most of you can reduce the risk somewhat by using a password manager. Reputable providers keep your master password secure – sometimes allowing you to bypass using it (as you’ll read shortly) – and add a strong layer of protection by generating long, complex passwords that are hard to crack.

As a smartphone and password manager user, you’re likely to be using a passkey already. For iPhone users, it’s facial recognition. For Android users, it’s a fingerprint. These and other passkeys work in the background to assemble a mathematical puzzle. The numbers are always changing, and they are not tied to anything that’s unique to you as a person. They don’t care about your mother’s maiden name or your first-grade teacher.

Most password managers use biometrics to authenticate you and your device, and you don’t need to be a tech wizard to set up and use them. For facial recognition, you just need to let the authentication app see several views of your face. For fingerprints, you just need to roll a finger over a sensor. In most cases, when using your smartphone, tapping on the app for a website automatically starts the authentication sequence.

Authenticator apps such as Microsoft Authenticator and Google Authenticator can work with website visits from a computer or mobile device. We like to set up our Microsoft OneDrive clients using Microsoft Authenticator to access files securely from any device from any internet connection.

For mobile devices, you can use a mobile app push for even more security. It works with mobile apps on your phone. When you log in to a website, you get a notification in the corresponding app on your phone that prompts you to verify your identity through that notification. This verification method is independent of the device you are logging in on and better than SMS or authenticator OTPs. However, you still need to pay attention. A hacker could repeatedly try to log in to your account using a stolen password, and you would get multiple messages on your phone to verify. If you click to verify, you could give the hacker account access.
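The repeated-prompt pattern described above can also be caught on the service side by counting the push prompts each account receives in a short window. The following is an added example, not code from this newsletter or from any authenticator vendor; the log format, field names and thresholds are assumptions, and the sample events are constructed.

```javascript
// Added example: spot "push bombing" in MFA logs. The log format, field
// names and thresholds are assumptions, not any vendor's real schema.

// Constructed sample events: time, account, source IP, prompt result.
const SAMPLE_LOG = `
2024-09-03T02:14:05Z alice 203.0.113.7 denied
2024-09-03T02:14:40Z alice 203.0.113.7 timeout
2024-09-03T02:15:10Z alice 203.0.113.7 denied
2024-09-03T02:15:55Z alice 203.0.113.7 timeout
2024-09-03T02:16:20Z alice 203.0.113.7 approved
2024-09-03T09:01:00Z bob 198.51.100.20 approved
2024-09-03T11:00:00Z carol 192.0.2.44 denied
2024-09-03T11:30:00Z carol 192.0.2.44 denied
2024-09-03T12:10:00Z carol 192.0.2.44 denied
`;

// Turn each non-empty line into an event; skip lines that do not parse.
function parseEvents(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const [stamp, user, ip, result] = line.trim().split(/\s+/);
    const time = Date.parse(stamp);
    if (!Number.isNaN(time) && user && ip && result) {
      events.push({ time, user, ip, result });
    }
  }
  return events;
}

// Raise "medium" when an account collects `threshold` unapproved prompts
// inside the window, and "high" when an approval follows such a burst
// (the user may have tapped "verify" just to make the prompts stop).
function detectPushFatigue(events, { windowMs = 10 * 60 * 1000, threshold = 3 } = {}) {
  const unanswered = new Map(); // user -> recent prompts that were not approved
  const alerts = [];
  for (const ev of [...events].sort((a, b) => a.time - b.time)) {
    const recent = (unanswered.get(ev.user) || [])
      .filter((p) => ev.time - p.time <= windowMs);
    if (ev.result === 'approved') {
      if (recent.length >= threshold) {
        alerts.push({
          user: ev.user, ip: ev.ip, severity: 'high', rejectedBefore: recent.length,
          reason: 'approval right after a burst of rejected prompts',
        });
      }
      unanswered.set(ev.user, []); // start counting again after an approval
    } else {
      recent.push(ev);
      if (recent.length === threshold) { // alert once per burst, not per prompt
        alerts.push({
          user: ev.user, ip: ev.ip, severity: 'medium', rejectedBefore: recent.length,
          reason: 'burst of prompts the user did not approve',
        });
      }
      unanswered.set(ev.user, recent);
    }
  }
  return alerts;
}

console.log(detectPushFatigue(parseEvents(SAMPLE_LOG)));
```

A "high" alert is the case to act on first: end that session and have the user change the password, since the prompts only appear when the password is already known.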

We can help you move to a stronger authentication process. Call us – 973-433-6676 – or email us to see what authentication could work best for you. We can help you install and configure the necessary software and get you started on using it.

You and Your Credit Card

Credit cards can be convenient and reliable, but sometimes, you’re much better off if you just leave yours in your wallet. The following “don’ts” apply to online and offline occasions when you’re tempted to pull out that piece of plastic.

  • If you don’t see the letters https as the first letters in the address bar of a website’s URL, don’t use a credit card. https is the universal protocol for secure communication over a computer network on the Internet. However, don’t blindly trust this. A scam website or scam merchant can obtain https certification, so be sure it’s the correct website before you type in your info. As an alternative, you can use PayPal if it’s presented as an option.
  • If you don’t see any online reviews of a merchant, consider that a red flag. If you see a merchant with no or few reviews while shopping on a site like Amazon, it’s a caution flag. While you assume they were vetted, they could have slipped something through the process. Some other things that shouldn’t be missing from a website are social media accounts, though there are Facebook marketplace scams. Be wary if you don’t see complete, verifiable physical addresses and telephone numbers.
  • Don’t put your credit card info into an email, especially if responding to an email. It could be part of a phishing campaign. We’ve written extensively on how misspelled email addresses and URLs are used to trick you into giving a valid card number to a fraudulent operation. You’re actually better off giving your credit card to someone over the phone – but only if you initiated the call. A valid merchant uses a system that only retains the last four numbers of your card.
  • Going offline, don’t allow a merchant to take your card out of your sight. Who knows what they’re doing with it? More restaurants are processing your credit cards at your table. It’s all the same “trust but verify” thing.
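The first point in the list, that https by itself does not prove you are on the right website, can be made concrete with a check that looks at the host name as well as the protocol. This is an added example, not code from this newsletter; it goes slightly beyond the text by covering several lookalike address forms, and the function names and the host names (all on reserved test domains) are constructed for illustration.

```javascript
// Added example: "https" is necessary, but the host name decides whose site
// it is. All host names below are constructed and use reserved test domains.

function checkCheckoutUrl(rawUrl, expectedHosts) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'not a valid URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'connection is not https' };
  }
  // "https://store.example@other.test/" goes to other.test, not store.example.
  if (url.username || url.password) {
    return { ok: false, reason: 'text before "@" is not the host' };
  }
  // URL lower-cases the host and converts non-ASCII letters to punycode (xn--),
  // so a look-alike letter from another alphabet no longer matches.
  const host = url.hostname.replace(/\.$/, '');
  // Accept the expected host itself or a subdomain of it, matched on a dot
  // boundary so "store.example.pay-portal.test" does not pass.
  const trusted = expectedHosts.some((h) => host === h || host.endsWith('.' + h));
  if (!trusted) {
    return { ok: false, reason: `https, but host "${host}" is not the site you expected` };
  }
  return { ok: true, host };
}

// Constructed sample addresses: one genuine, four that should be refused.
const SAMPLE_URLS = [
  'https://www.store.example/checkout',
  'http://www.store.example/checkout',
  'https://store.example.pay-portal.test/checkout',
  'https://store.example@pay-portal.test/checkout',
  'https://st\u043ere.example/checkout', // Cyrillic "о" in place of Latin "o"
];

function reviewAll(urls, expectedHosts) {
  return urls.map((u) => ({ url: u, ...checkCheckoutUrl(u, expectedHosts) }));
}

console.log(reviewAll(SAMPLE_URLS, ['store.example']));
```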

If you’re a consumer, you likely know just about everything we discussed in our “don’t do” list.

If you’re a merchant, we can help you keep your credit card system secure by providing you with hardware and software systems that comply with all regulations. We can also help you get the proper https certification you need for your website. Call us – 973-433-6676 – or email us for an appointment to talk about it.

Manage Wi-Fi Network Overload

We love our smart-home devices, and it’s easy to overload our Wi-Fi networks with them. When that happens, our network traffic can slow to a crawl – just like we see at our Hudson River crossings. It’s easier and faster to clear up your network traffic jams.

Just as roads have a capacity, your Wi-Fi network can only handle a specific volume of traffic, which means it can handle only so many devices before performance backs up. We don’t think much about it as we add all sorts of smart devices in our homes, such as smart speakers, cameras, lighting, HVAC controls and some appliances. They’re all in addition to computers, TVs, and all our mobile devices. In most cases, the problems creep up on us gradually until we notice not everything is working at its expected speed. Sometimes, we’ll see a lot of buffering while streaming 4K video or gaming, and those problems grab our attention.

To clear up network traffic jams, you can start with some easy steps. First, make sure all dongles and power cords have solid connections. That could solve a problem with one or a few devices. The next step is to restart your router. Unplug it from the electric outlet, and if you have a power on/off switch, hold it in for 30 seconds. That will help clear out the electronic junk that can accumulate in any device. While you’re at it, you should also check for firmware updates for your router and install any that are available.

Another easy step is to make sure your router has plenty of room around it. If it’s in the middle of clutter or too close to a wall, moving it or cleaning up the surrounding area can help.

If you still don’t get the performance you want, you can take a couple of technical measures. The first is managing the traffic on the router’s frequency bands. Most routers are dual-band routers, which means they run both the 2.4 GHz and 5.0 GHz bands. In an ideal setup, the 2.4 band carries signals for smart speakers, light switches, door locks, garage door openers, and security cameras – to name a few. Those devices usually have default settings for that band. Computers, TVs, tablets, and other devices used for streaming and gaming are suited for the 5.0 band, which is faster and more robust for shorter distances.

There are a number of apps – including those from Apple (Siri), Amazon (Alexa), Google, and others – that can tell what devices are connected to your Wi-Fi network. Some apps allow you to assign some devices to one band or the other and even let you assign devices to specific channels in each band. The apps also enable you to disconnect devices from your network, and this alone might be enough to restore some speed to your network.

If none of these steps gives you the performance you want, you can consider getting a new router and/or adding a mesh network. Electronic components do wear out, and older routers may lack the technology needed to handle the growing demands on your network. A mesh network is essentially a system of smart repeaters that work in combination with your router to extend and manage network traffic to optimize performance for connected devices. Like routers, newer generations of mesh networks are built to handle more network traffic, and if you have an older one, it may not be able to keep up with your technology needs.

If the simple DIY suggestions in this article don’t give you the network performance you want, we can help you with more extensive analyses and solutions, including setting up a network management app and selecting and installing a router, mesh network, or both. Call us – 973-433-6676 – or email us to discuss your needs.

Red Light, Green Light, Warning Signs

How many of you ignore red or amber warning lights when they appear on your car’s dashboard? Based on what we see in IT, most of you probably ignore them. When you see a red warning on your computer screen, it could be a security alert or a malfunction.

I recently got a red warning when I tried to print a document. When I looked, the system was objecting to my print parameters. I was trying to eliminate the margins so that I could fit everything I wanted on the piece. In this case, I was able to add some instructions to override the printer’s setting; it’s something I’d bet a lot of you have done.

Other types of warnings can’t be circumvented. In our next example, a client got a new computer but didn’t pay close attention to a OneDrive warning about synching files between his old computer and OneDrive. Typical OneDrive accounts provide a terabyte (1 TB) of storage space. It sounds like a lot of room, and we keep throwing stuff there. However, there is a finite limit on how much you can store. And just as with your hard drive, you need to have space available to be able to manage files. That’s one reason OneDrive and your computer’s hard drive can’t sync.

Microsoft is pretty good about giving you a heads-up on problems, but you need to be proactive, too. In the lower right corner of your computer screen, OneDrive users can see an icon for their drive on their service tray; it should be a blue cloud, and you should monitor that corner of your screen – just like you check your dashboard and mirrors when driving your car. When there’s a problem with OneDrive, you’ll see a red indicator. You can right click on the icon to see what the problem is.

In this client’s case, they missed the warning as they were transitioning to a new computer. When they started to use it, they were missing six months’ worth of files because unbeknownst to them, the synching stopped. Fortunately, they were able to recreate the lost files, but it cost considerable time and money.

It goes without saying that the earlier you catch a problem, the faster and easier it is to fix. Sometimes, it’s an administrative issue, such as a problem with your account. Signing in to your account may point you to a few steps. Sometimes, it can be as simple as just signing in.

But other times, you may have run into a complicated technical issue, and that’s where you need an IT professional’s help. We have seen just about all OneDrive problems known to the world, and we have tools to get to the heart of your issue. Depending on the problem and your comfort/skill level with technology, we get you started on the solution, work with you at various stages of the solution, or fix it for you.

Taking a few steps back from the crisis stage, you can prevent a number of problems by properly setting up OneDrive on a new computer. We can verify all systems are working as they are supposed to. We can do this in one of two ways: 1.) access your new computer remotely once you take it out of the box and get it online; or 2.) take delivery of your new computer, start the setup with you on the phone, ship it to you, and finish the setup remotely.

No matter what we do for you or how we do it, we will remind you: red light, green light. If you can get into the habit of checking the status of apps on your service tray, you’ll need our services a lot less often. Call us – 973-433-6676 – or email us if you have a problem or want to take a step to avoid one.

WiFi Jammers

A recent TV news report on criminals in Morris County using Wi-Fi jammers to disable security cameras and communications grabbed our attention. It should grab yours, too.

The news report focused on a crime ring that’s using Wi-Fi jammers to break into homes. In some cases, they’ll install their own surveillance cameras in a property’s landscaping to know when residents leave their homes. In this case, the homeowner was in his basement when he heard a loud noise coming from the ground floor of his residence. He used his home surveillance cameras to see someone attempting to enter his home. He soon lost his camera and phone service, indicating to police that a Wi-Fi jamming device was in use. The resident was still unable to utilize his cellular phone to call for assistance due to the jamming device.

Let’s look at that last sentence first. The reason the resident couldn’t use his cellphone is because it was likely set to make calls on the Wi-Fi network if the network is available. Our guess is that he could have made the call if he had turned off Wi-Fi on his phone. Heed that point when you face an emergency.

That can be especially true when it comes to security devices. Hard-wired devices perform better and more reliably. Yes, it sounds old-fashioned, but it works. If you have a security system installed by an alarm company, it’s likely hard-wired and connected to a monitoring station via a cellular network – and it has a battery backup in case the power goes out.

Wi-Fi networks are low-hanging fruit for criminals, and we make that fruit more accessible through our own ignorance or laziness. You can’t make your Wi-Fi totally jam-proof, but you can make your network more secure.

The following steps are nothing new to long-time clients and readers of this newsletter, but let’s run through them anyway:

  • Whenever you install a new device – especially a security device – that’s tied to your Wi-Fi network, IMMEDIATELY change the default username (it’s usually “admin”) and the password (it’s usually 1234).
  • Make sure your firewall software is up to date and running to keep out unwanted intruders. It’s one thing to be jammed. It’s another thing to be invaded.
  • Make sure you keep all software for operating systems, hardware and apps up to date and running. Updates contain security patches and bug fixes as well as performance enhancements. A single weak link anywhere in your technology chain can expose your entire system.

In our opinion, a security camera system that’s hardwired to a central location in your home but is accessible through the internet – independently of Wi-Fi – is best. We can help you with the internet connection and show you how to access your security system from anywhere in the world.

We can also help you prevent intrusions by outsiders by providing a thorough security audit of your technology system and making recommendations to improve security. That can include the installation of new systems and user training.

We all have a lot at stake in our homes and businesses. With the rise in hacking and the use of technology to break down our defenses, it makes sense to take every step you can to harden those defenses. Call us – 973-433-6676 – or email us to talk about your needs. And make sure you turn off Wi-Fi on your cell phone in an emergency.

Passkeys Not There…Yet

Passkeys hold a lot of promise in eliminating passwords. They rely on an electronic handshake to allow your device to access a secure website, and many password managers claim to link to passkeys. They’re getting there, but they’re not there yet.

A major hurdle right now is that not all websites recognize the passkeys from password managers. Sometimes, recognition depends on the device. Since most of us have fairly new cell phones, our phones usually have the ability to work with facial recognition, which is a form of a passkey. Older devices may not have the ability to work with this type of technology.

We suspect the move to newer computers – especially as Microsoft ends support for Windows 11 – and the need for better security will speed the drive to make more devices capable of using passkeys.

Why are passkeys secure? They eliminate the need to enter usernames and passwords, both of which are stored on the website you’re trying to access. We know the problems with usernames and passwords: they can be stolen by hackers from the website or your device, they can be forgotten, and we can make them less effective by using simple passwords multiple times so we don’t forget them.

Passkey information is stored on the website and in your device. They are not the same info; they rely on the handshake – sort of like two spies who each know what they need to hear in a phrase. On your device, the most common passkey information is a biometric (facial recognition or fingerprint) or a PIN (personal identification number). Because they are device specific, the system relies on you having your device when you log into the website.
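The handshake described above, sketched as a challenge-and-response exchange in which the device holds a private key and the website holds only the matching public key. This is an added example, not code from this newsletter or from any passkey provider; the class and function names are hypothetical, and the exchange is simplified compared with the real passkey standard (WebAuthn/FIDO2), which signs additional fields.

```javascript
// Added example: the passkey "handshake" as a challenge-response signature.
// Simplified sketch with hypothetical names; not a WebAuthn implementation.
const crypto = require('node:crypto');

// What gets signed: the site's address plus the site's one-time challenge.
function signedMessage(origin, challenge) {
  return Buffer.concat([Buffer.from(origin, 'utf8'), Buffer.from([0]), challenge]);
}

// Device side: keeps one private key per site. It never leaves the device.
class Device {
  constructor() {
    this.privateKeys = new Map(); // site origin -> private key
  }
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.privateKeys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this is sent
  }
  // userVerified stands in for the local face, fingerprint or PIN check.
  respond(origin, challenge, userVerified) {
    if (!userVerified) throw new Error('local biometric/PIN check failed');
    const key = this.privateKeys.get(origin);
    if (!key) throw new Error(`no passkey stored for ${origin}`);
    return crypto.sign('sha256', signedMessage(origin, challenge), key);
  }
}

// Website side: stores public keys and outstanding challenges, no secrets.
class Website {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key (PEM text)
    this.pending = new Map();    // user -> challenge awaiting an answer
  }
  enroll(user, publicKeyPem) {
    this.publicKeys.set(user, publicKeyPem);
  }
  startLogin(user) {
    const challenge = crypto.randomBytes(32); // new random value every time
    this.pending.set(user, challenge);
    return challenge;
  }
  finishLogin(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is good for one attempt
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem) return false;
    return crypto.verify('sha256', signedMessage(this.origin, challenge), pem, signature);
  }
}

function runDemo() {
  const site = new Website('https://bank.example'); // constructed site name
  const phone = new Device();
  site.enroll('pat', phone.register(site.origin));

  // Normal login: the device answers the site's fresh challenge.
  const answer = phone.respond(site.origin, site.startLogin('pat'), true);
  const login = site.finishLogin('pat', answer);

  // An answer captured earlier does not fit the next challenge.
  site.startLogin('pat');
  const replay = site.finishLogin('pat', answer);

  // Another device, with its own key, cannot answer for this account.
  const other = new Device();
  other.register(site.origin);
  const otherDevice = site.finishLogin(
    'pat', other.respond(site.origin, site.startLogin('pat'), true));

  // A lookalike site gets nothing: the device has no key for that address.
  let lookalikeRefused = false;
  try {
    phone.respond('https://bank-login.example', crypto.randomBytes(32), true);
  } catch {
    lookalikeRefused = true;
  }
  return { login, replay, otherDevice, lookalikeRefused };
}

console.log(runDemo());
```

The website's stored record here is a public key, which can check an answer but cannot produce one.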

When you combine a passkey with some form of 2FA (two-factor authentication), you’re using an access method that has proven reliably secure up to now. Many of the leading password manager programs, such as Dashlane, 1Password and Bitwarden, can create and store passkeys for you, and both Apple and Android can store their passkeys locally and access them using the keychain app on mobile devices.

Even if you can’t use the passkey with your password manager, you’re still ahead. Remember, with a password manager, you only need to remember a single master password. You can let the password manager generate a long, complex password for each website. That password should be immune from guesses based on any of your personal information.

More websites, too, are using passkeys instead of the username/password duo. As the websites use them more, you will have easier access to more websites, but that comes with a caution. The websites will need to tighten their security, too, to prevent more sophisticated hijackers from getting info from their sites. One of their hacks is to hijack cookies. You can help prevent that by not clicking on “Accept” when the cookie dialog box pops up. Instead, navigate to the “Cookies” or “User Data” sections and choose the shortest available session duration. That way your cookies will expire automatically or whenever you close your browser window.

To expand the conversation about the internet and security, you can apply the same security measures to any device in your office or home that uses the internet or a Wi-Fi network. Printer manufacturers such as HP have created anti-hacking steps, such as entering a PIN, to gain access to the information stored in a printer.

We can help you install and configure password managers and set up effective passkeys and other security measures. Call us – 973-433-6676 – or email us to talk about it.

Time for a Hardware Refresh

Windows 7 is long gone, and Windows 10 is scheduled to leave our technology world in October 2025. If you haven’t installed Windows 11 yet on all your desktops and laptops, now is the time. If your computer cannot accommodate Windows 11, it’s because it lacks a security chip that’s designed to work in the AI (artificial intelligence) environment. The longer you wait, the longer you keep that 244-day window open for someone to hide in your system. Start planning your upgrade now.

One of my secret indulgences is watching shows on air disasters on the Smithsonian Channel. One thing I’ve learned is that many disasters don’t happen because of one thing. Many small things happen over a period of time, and then the disaster happens. It’s no different with your technology systems.

Windows 11 has built-in security systems based on its NPU or Neural Processing Unit. NPUs are optimized for data-driven parallel computing, making them highly efficient at processing massive multimedia data like videos and images and processing data for neural networks. They are particularly adept at handling AI-related tasks, such as speech recognition, background blurring in video calls, and photo or video editing processes like object detection.

Video and photos are a key part of new security measures. We’re familiar with them through facial recognition. But, they require massive amounts of data and encryption to be effective. For securing NPUs, a key performance challenge is in the encryption and integrity protection for external memory. NPUs will be able to handle AI applications, from voice recognition in virtual assistants to real-time language translation and facial recognition. Facial recognition is a rapidly growing security feature that you probably use a lot to replace entering passwords when using your cell phone. Newer, higher-end cell phones have NPUs.

The bottom line for security is that the better your computer can verify a face or a voice, the more confident you can be with security. Facial recognition is widely used in 2FA (two-factor authentication), which you, your employees, and your family members should be using for every website that offers it. All of this keeps that 244-day clock from starting by preventing an intrusion.

For business applications, the speed of NPUs is just as important as security. With Windows 11, your business will be able to process more data faster – and more securely – because the software will be able to send smaller packets of data through the internet and have them reassembled at cloud servers. That aids encryption, which helps security. You can’t have it without Windows 11.

Oh, and one more thing. When old, slow Windows 10 goes away, so will all those bug fixes and security patches from Microsoft. You will be easier prey for the bad actors who will use your system to tunnel into other, larger systems and just wait there – for 244 days or whenever – to make a huge cyberattack with a big haul.

If you haven’t made the switch to Windows 11, we urge you to do it now. If you need to buy new computers to run Windows 11, don’t wait until October 2025 or even 244 days from now. Start the hardware refresh process now. We can install and configure Windows 11 to maximize its benefits for you. If you need new computers, we can help you select the ones that best meet your needs and transfer all your data and reinstall your apps. Call us – 973-433-6676 – or email us to talk about it.

Phishing in Your Own Waters

If you own a small business or professional services firm, you depend on your employees to have enough tech savvy and common sense to avoid links in email messages or on websites that open your system to bad actors. No matter how much you trust them, you need to verify they’re doing the right thing. You can test your human security defenses by using your own phishing expedition to see how they’re doing.

We’ve become acquainted with independent cybersecurity firms by attending conferences over the years. We learn a lot from our peers and presenters – such as the fact that it takes an average of 244 days to detect a system breach and that using the cloud will be a necessity by 2028. We’ve also emphasized the need to have a thorough security audit, but as an IT firm, there’s only so much we can do. We also think that an IT firm is not the best organization to really get into the granular details of your security because we all have a vested interest in finding problems to fix.

An independent security expert can find the smallest breach openings in your system and tell you what needs to be done. One of the most fascinating tools they use is a phishing campaign aimed at everyone who works in your organization. They can plant fake links and QR codes and any other tool that a hacker can use to get someone to open a window into your system. They also have tools to mimic the follow-up methods that hackers use once somebody makes the initial click – or the first phone call to a bogus number.

The educational value of using your own phishing expedition is enormous. Not only will it help you patch up holes in your organization, but it also becomes a great teaching tool about why everyone needs to be vigilant. As we use more and more data to conduct business – and in our personal lives – it becomes more and more important to protect that data. You should remember that your organization is part of a data custody chain – a chain that can branch off in many directions. Intruders are highly sophisticated and well-funded – as well as very patient. They will do whatever it takes to get into your system and build tunnels to other systems. You put your reputation and integrity on the line every time you take in data and send it out.

AI will be able to generate untold amounts of data, but there is little it can do to eliminate misinformation automatically.

Eliminating misinformation requires real human intelligence and deliberate, active steps to prevent that first breach – the one that could take 244 days to find. At the risk of sounding like a broken record, in every location and on every device used to conduct your business:

  • Use a firewall and make sure it’s up to date.
  • Use anti-virus and anti-malware software and make sure it’s up to date.
  • Install updates to operating systems and application software on every device you have. Those updates contain security patches and bug fixes to prevent intrusions.

We can help you arrange for a comprehensive security audit that includes a phishing expedition and a deep dive into your equipment and practices. Call us – 973-433-6676 – or email us to discuss your needs and develop a security action plan.