‘KRACKing’ Your Wi-Fi Network

KRACK is an ominously named crypto attack that exploits a flaw in the process of connecting a device and a Wi-Fi network. By allowing network access without the password, effectively it opens up the possibility of exposing credit card information, passwords, and practically any other data on your device. Here’s how to protect yourself – somewhat.

Using WPA2 security, the standard of protection for the past 13 years, is still the way to go, and setting a strong, secure password is just as important as it ever was. But it’s like a lock on your front door. Locks, according to conventional wisdom, keep out honest people. But a lock that’s strong enough to delay a would-be thief was thought to still be effective.

That was until KRACK (Key Reinstallation Attack) was discovered. It exploits a flaw in the four-way handshake process between a user’s device trying to connect and a Wi-Fi network, allowing an attacker to access a network without the password. It’s an equal-opportunity attack, too. It can affect Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others, but the most current versions of Windows and iOS devices are not as susceptible to attacks because of how Microsoft and Apple implemented WPA2. Linux and Android-based devices are more vulnerable to KRACK.

Fortunately, it’s not a helpless situation. Attacks can only be successful when someone has access to the wireless network you’re on at the time of the attack. That means you need to be especially careful on public networks. You can further help yourself by:

  • Making sure you’re up to date with all available security patches
  • Using a VPN, which will encrypt your internet traffic
  • Visiting only websites that use HTTPS, though it’s not a guarantee you’ll be safe.

We’ll keep you updated on developments against KRACK, and we can help you now by taking a look at your systems and security to make sure you’ve maximized your protection. Call us – 973-433-6676 – or email us for an appointment.

Here’s Lookin’ at Your Password

Passwords are just as painful for companies that require them as they are for you. And, they’re expensive as well as subject to theft. What are we looking at in the near future? The eyes have it.

Microsoft and Apple are moving ahead with facial recognition to replace passwords. The technology is getting better and better, and, let’s face it, once their systems can recognize you and match you up with other records, you won’t have to remember some arcane, complex password – which you could mistype…

Going “password-less” would create a huge economic benefit for the business world. At our recent Microsoft IT conference in Orlando, the company said lost passwords are their biggest IT cost. In the month of July, they spent $686,000 in IT-related costs for restoring forgotten passwords. Annually, the cost is roughly $12 million.

The way systems work, it’s always to your benefit to say you’ve forgotten your password if you risk being locked out of a website or application, such as your Office 365 account or a bank account. While their security needs dictate making a password reset more difficult, the complexities raise costs.

Also, in today’s world, all of these systems and interactions can be hacked, and dark-web operatives can change your letters, numbers and special characters once they’ve cracked your code. Your face is another matter. And while someone at some point in the future will figure out a way to defeat facial recognition, I believe this gets us ahead of the curve – for now.

Microsoft has facial recognition tools available for computers that have Windows 10 with Hello installed, and Apple has it for iPhones and iPads. While you can use them now for their own websites and online apps, it will take some time for the rest of the online world to get there. Your bank or credit card company, for example, will need to develop tools that work with all platforms and operating systems, and they will need to make sure online performance doesn’t suffer.

One online security app that some banks encourage their customers to use is Trusteer. While it can be effective as a form of two-factor verification, it can slow down a user’s computer. We’ve had numerous incidents of clients calling us about slow computers, and Trusteer has been the problem. Once it’s uninstalled, performance levels return to what they should be.

There are other two-factor authentication methods you can use, but you’ll be up against that issue of whether you want more convenience or more security.

If you have any questions about facial recognition tools or two-factor authentication, call us – 973-433-6676 – or email us. New technologies can be scary, mostly because you can worry about making a mistake somewhere that can lock you out of the info and apps you need for work and life. We can help you navigate the brave new world with confidence.

iOS 11 Has a Lot to Like

Apple has released iOS 11 for mobile phones and tablets, and it has a lot of great features. For cars, we really like the “Do Not Disturb, I’m Driving” response to text messages, and for iPads, we like the drag-and-drop feature.

The “Do Not Disturb” feature has been available on Android phones, and for somebody like me, who spends a lot of business time traveling to clients while always on call, it could be a lifesaver. You can activate it in one of three ways: Bluetooth, when your vehicle reaches a specified speed, or manually. I have been able to add a customized message to let texters know that they can call because I can talk while I drive. Because the screen stays dark in this mode, I am looking at the phone a lot less now, and that’s much, much safer.

The camera on the iPhone is getting better, too. You can take Portrait Mode images with optical image stabilization, True Tone flash and HDR. Memory movies are optimized to play in portrait and landscape orientation, and more memories, such as photos of pets or birthdays, are automatically created. A new technology, called High Efficiency Image File Format (HEIF), reduces the file size of every photo taken with iPhone 7 and newer models.

Siri has new male and female voices that are more natural and expressive, adjusting intonation, pitch, emphasis and tempo while speaking, and it can translate English words and phrases into Mandarin, French, German, Italian or Spanish. It uses on-device learning to offer suggestions based on personal usage of Safari, News, Mail, and Messages.

For AR (augmented reality), there’s a new platform for developers to create experiences on phones and tablets using the built-in camera and the latest computer vision technologies. You’ll likely see content for interactive gaming, immersive shopping experiences, industrial design and more.

iPad’s drag-and-drop capability across the entire system makes it easier to move images and text, and when combined with the new Files app, you can keep things in one place, whether you store files locally or in the cloud. Its new, customizable Dock and a redesigned control center give you access to frequently used apps and documents from any screen and let you move documents between apps using a split screen or Slide Over. Apple Pencil lets you draw or add notes from the lock screen through the Instant Notes feature, which opens Notes when you tap Apple Pencil on the display.

The new screen sharing capability, however, tops off all the new features. It enables two people to share screens in real time on any iOS-powered device. For us, that will increase our capability to help clients troubleshoot problems in a timely manner.

Make the most of your Apple devices by understanding all the features of iOS 11 and how they work. Call us – 973-433-6676 – or email us if you have any questions, and have more fun with your devices or make them more useful.

Tips from Orlando

Although we played as much as anyone who visits Orlando, we got a lot of work done at Microsoft’s annual tech conference. When I looked at my calendar, I had booked 21 sessions for the week, each session some 75 minutes long, and I probably walked some 40 miles in the expo. I narrowly avoided DBP – otherwise known as “Death by PowerPoint” – surviving to get some useful information in many places.

As useful as the sessions were, some of the best learning took place offline while walking the expo hall with fellow members of The Crew. I joined The Crew several years ago. We’re all independent IT consultants, and we stay in touch all year long through a variety of ways, including phone calls. We can turn to each other when we have questions, and my Crew members have been an invaluable resource everywhere we go.

That includes Orlando. When one of our members gave a presentation at the conference, we turned up to support him – and we wound up helping him out when he experienced “technical issues.”

Walking the expo gave us access to the best and brightest in the Microsoft arena. All of the booths were staffed by software engineers from Microsoft and its affiliated companies, and we got to talk to them in depth. We could talk about problems we’ve experienced or features we like and get more in-depth knowledge. We learned about workarounds for problems and ways to use advanced features in software and hardware.

Here are my three favorite take-aways from the conference.

  1. Many people who use Microsoft OneDrive like to use # and % in their file names, but the system would not accept names with those characters. OneDrive now allows you that option, so go ahead and # and % to your heart’s content.
  2. The fall update of Windows 10 will include more capabilities for OneDrive. You’ll be able to sync large libraries of files on demand and be able to open files without having to download them.
  3. You can add the ability to share calendars in Outlook or native applications on mobile devices. The feature is not automatically available; you need to re-share calendars each time you want to sync them. While it’s a bit of a pain, all you need are valid permissions for sharing, and you can differentiate each person in the group by color. We can help you set it up.

To borrow an old phrase, we passed the last exit on the information super highway light years ago. With conferences like Microsoft’s annual event, we can be the roadside service resource that keeps you moving. Call us – 973-433-6676 – or email us at any time with any questions or service requests.

Shooting Yourself in Your IT Foot

We got a call recently from an MIA client who was trying to save money by relying on their “resident IT expert.” They could have shot themselves in the foot, but somehow, a few dance steps worked in their favor. They dodged this bullet, but not everyone is that lucky.

Our client is a multi-generational company, and one of its long-time employees served as their “resident IT expert.” A couple of members of the younger generation called us in because something didn’t seem to be right with their system. They thought their system was beyond repair for all intents and purposes. What concerned us most were two answers that we got for most of our questions:

  1. “I don’t know.”
  2. “We don’t have that information.”

When we logged into their system, we looked at their router and firewall and started to look at their setup. This time, we got some answers.

“Do you have another office?”

“Yes.”

“Does it connect to your system here?”

“Yes.”

The connection was made through a desktop computer that was sitting in a corner of the office – a computer that nobody ever touched. It was wide open; they allowed remote access to the desktop, and there was no protection against any kind of intruder. The hacker was able to get in and hijack their software by encrypting it.

We made phone calls to all of their application software vendors to learn how everything interacted, and we learned that they used Carbonite to back up their data. Trying to recover it was useless because all the data was corrupted, but we were able to get in. What we saw was eye-opening.

It turned out that they were hosting one small application that opened the door. Then we saw that nothing had been backed up for the entire year – and the ports were wide open. They also had an antiquated email system that was hijacked. Their in-house person never foresaw any issues with their setup and didn’t know the consequences of any settings that were tweaked or ignored.

We recommended they contact the hacker and see what it would cost to ransom their data, but they preferred to re-enter all of their data for the year. They had hard copies.

Before they began their recovery, we installed a new server and firewall, and while working with one of their software companies, we learned they had a copy of the data up to Aug. 1. Before they began any work, we set up a new email system and new log-in credentials.

It looked like they had dodged a hail of bullets, but within a day, their in-house person was already compromising their system by installing a bunch of utilities and other software. We put a stop to that, and that halted their system leaks and plugged their gaps. However, the whole process of investigating their processes and systems and buying and installing their new systems cost them almost $7,000 – plus their internal cost to re-enter what now amounted to one month’s worth of data. You could also add in a cost factor for aggravation.

In today’s age of a hacker-happy internet, you need a security audit to make sure your vulnerabilities are shored up. Call us – 973-433-6676 – or email us to set up your security audit. It will take an hour or two and cost less than $200. Hackers are highly sophisticated. How much could a breach of your system cost you? Don’t be penny wise and pound foolish.

Equifax and Protecting Your Identity

If anyone learns just one lesson from the recently disclosed hack of Equifax, the credit-rating service that has the keys to many people’s vital data, here it is: You have to take your data protection into your own hands.

We had a really queasy feeling when we saw the news reports, and a lot of the information didn’t pass our initial smell test. First, why did it take so long for Equifax to notify its customers and authorities? More than a month went by before there was any announcement. Second, when Equifax did respond, it seemed ineffective. You can go to https://www.equifaxsecurity2017.com/, enter some information about your name and Social Security number and see if you have something to worry about. From there, you need to scroll to the bottom of the page to find the Potential Impact button, which will take you to https://www.equifaxsecurity2017.com/potential-impact/. Most people will learn that their data has possibly been compromised.

If you don’t want to fuss around with the internet, you can call a dedicated call center, 866-447-7559, from 7 a.m. to 1 a.m. ET every day to discuss your account.

You can go back online and enroll in a credit monitoring program with Equifax – or with Experian or TransUnion, the other two credit reporting agencies in the US. Equifax will give you the program free for a year without requiring you to waive the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms-of-use for this cybersecurity incident.

We strongly recommend you take these additional steps:

  • Place an initial fraud alert on your credit records. Again, it doesn’t matter which reporting agency you use. They all “talk” to each other. When lenders see the fraud alert when checking your credit, they must take additional steps to verify that it is actually you who wants to open the account. Initial fraud alerts are good for 90 days, and you can renew them or cancel them as it suits your needs. Equifax is offering an “automatic fraud alert” feature, which automatically renews itself every 90 days.
  • Freeze your credit. This makes it virtually impossible to open an account in your name because it blocks access to your credit report. Nobody can complete a credit check, so someone else won’t be able to open an account. A credit freeze won’t expire until you choose to remove it, and you can cancel and reinstate it as needed. However, you must place a credit freeze with each bureau individually, and that can come with a fee, usually $10 or less, depending on what state you live in or if you’re already a victim of identity theft.
  • Sign up with a credit monitoring service. We have a service that does this, but there are others.
  • Check your bank and charge accounts and your credit score regularly. If you see something that raises a red flag, contact your financial institutions or credit reporting agencies immediately.

We spoke to a number of people involved in the storage of highly sensitive personal information, and they all reminded us that you need to protect more than your financial information. Any organization that stores your medical and insurance records is vulnerable to a hack, and that can lead to additional problems. For example, someone who has your medical records can file a fraudulent medical insurance claim using your records.

That, of course, gets us back to advice you’ve often heard from us:

  • Install all updates for operating systems and application software as soon as they are available for computers and devices. The updates almost always include security patches and bug fixes.
  • Manage your passwords. Keep them long and complex and change them frequently.
  • Keep your networks secure by installing updates, managing passwords effectively, making sure your firewall and anti-virus protection are active, and limiting access to administrative functions.
  • Use common sense. Don’t click on links within an email from someone you don’t know or on something that looks out of the ordinary from an address you recognize. Email addresses are easily hijacked – and not necessarily because the owner of the address did something wrong. Don’t click on pop-up ads or ads with offers that are too good to be true.

Are we safe on the internet anymore? No, but you can be safer if you take ownership of your security. We can check security settings and run deep scans to help keep you as safe on the internet as possible. Call us – 973-433-6676 – or email us to set up a security audit or answer any questions you have about managing your security.

Google Drive Drives into the Sunset

Here we go – again. Another staple of our applications is being replaced. This time, it’s Google Drive, which Google will stop supporting as of this coming Dec. 11 and will shut down next March 12. Taking its place: Backup and Sync, which will be more powerful.

Backup and Sync replaces both the company’s Drive and Photos desktop apps for Windows PCs and Macs. It allows you to store any photos, videos and documents in the same format on Google’s cloud for safekeeping from crashes and unfortunate accidents. You can use the app to back up the contents of your entire computer – or just selected folders.

Once you download the app and launch it, sign into your Google account and select which folders you’d like to continuously back up to Google Drive. For photos, you have two options: High Quality or Original Quality. High Quality will compress photos larger than 16 megapixels and videos with a resolution higher than 1080p, but these compressed files will not count against your data cap.

Oh, yes, there is a data cap. Are you surprised? The new and improved Google Drive gives you 15GB of file storage for free. Then, the rates go up to $19.99 a year for 100GB or $100 a year for 1TB. That’s not excessive. You get additional flexibility by being able to download files to work offline, and you can download the app for your mobile device, too. Plans for even greater storage capacity are available.

The new app is available now from the Google Drive or Google Photos page. The only downside is that you can’t use Backup and Sync as a restore tool if your computer crashes. But we have options available for that.

We can also help you set up Backup and Sync so it works as you want and coordinate how it works on your computer and mobile device. Storing your data files and photos and videos offsite is the way to go for safety and flexibility. Call us – 973-433-6676 – or email us to answer your questions or provide assistance.

Cyberbullying Hits Home

When you know a family that’s been victimized by cyberbullying, you take a closer, more personal look at this problem as both a parent and an IT professional.

As I was waiting for a flight home the week before last, I saw something on Facebook and had a sinking feeling. I knew the family through my affiliation with the Morris County Chamber of Commerce, and I had heard about a service earlier in the week for a young woman in our community, Mallory Grossman.

It was a suicide that came to a head because of cyberbullying. It brought home a problem that is plaguing mostly youngsters but also people of all ages. The internet allows anyone to post the meanest messages imaginable and largely stay anonymous.

The solution is not a tech issue because this problem is rooted in how we function as a society. Some people have cruel senses of humor, and in the absence of personal filters, there are few filters to prevent them from spewing venomous posts. When the target of cyberbullying is experiencing other issues, which the bully likely doesn’t know about (and could selfishly care less), it’s like pouring gasoline on a fire.

I honestly don’t know what the answer is. As parents of two children approaching their teenage years, my wife and I are extremely concerned. Perhaps we need an even more concerted effort to provide better education for parents and students, and maybe that can be done through the school curricula in coordination with programs run by PTAs and/or business associations. The business associations can encourage their members to provide some kind of education program for their employees.

Technology measures by themselves will be ineffective for many reasons. Chief among them, very few parents have the capability to totally monitor and control their children’s online activity. Even for those of us who know a lot about technology, what will it accomplish? It won’t teach our kids about social responsibility. Instead, it will motivate them to find ways to break our technological measures, and kids in groups are pretty good at figuring out how to override our controls.

Further, what’s to stop any kid who has no access to some websites from going to a friend’s house and getting online there?

Any blocking we can do is ultimately temporary, but if it can be a sufficient delay to prevent just one tragedy, it helps. If you have any questions about what you can do and need any help in setting up parental controls, call us – 973-433-6676 – or email us. And that goes double for working together on what we really need to do as a community to fight cyberbullying.

Passwords Becoming Passé

I’m as tired as anyone else when it comes to remembering dozens of arcane passwords for all the websites I need to access. Current and future technology will be able to provide relief and stronger protection. Here’s the lowdown on locking down.

If we’ve learned anything at all from the monthly ransomware reports, electronic “locks” are pickable. We’ve also learned that time is money for hackers when it comes to planting ransomware and other viruses that can make life painful or costly or both.

Operating under the assumption that any electronic barrier can be hurdled in time, you want to lengthen the time of your defense as much as possible – and we’re talking decades. The longer and more complicated the password, the longer it will take for hacking software to crack your code. We all know that when you include uppercase and lowercase letters in combination with numbers and special characters, the time stretches out. Making sure it follows no special pattern – that it’s totally random – adds to the security.

Many theories abound as to how to create a complex, random password that’s easy to remember. One suggestion is to take a phrase or sentence that you can easily remember. Then, take the first or second letter of each word in your phrase and turn some into uppercase letters, numbers or special characters in a random order.

I have one password I use for everything, and I am extremely confident its length and complexity will deter hackers. You may find fault that I have only one password, and that would be a valid criticism. If it’s cracked, someone could get into every internet account I have.

You can eliminate the need to remember multiple passwords by using a password manager program. Some are free and some have a nominal cost. Basically, you just need to remember a master password to get into the system. The password manager randomly generates new complex passwords when you visit each site. Yes, you can argue that somebody could crack the password manager’s system. It’s possible, but would you feel more comfortable with $1 million under your mattress or in a vault that’s a half-mile underground, encased in 20 feet of concrete and guarded by a randomly rotated army that’s always being retrained?

You can augment the password manager with two-factor authentication, something we’ve liked and used for years. In many cases, you need to answer a question, and it should be something only you know. Other measures might include answers to randomly generated multiple choice questions based on publicly available information that can be verified as “right” or “wrong.” No “maybes” allowed.

In the future, passwords will give way to biometrics. The software is there; the hardware needs to catch up. Windows 10’s Hello can handle the biometrics, but most computers don’t have the 3-D cameras needed to use the feature. Some Microsoft Surface tablets have the cameras, and if you are in the right place, it works really well.

Regardless of what technology you use, don’t let your guard down. Don’t buy things or do your banking over a public Wi-Fi network. Use a trusted, secure network or a cellular data network. Make sure the networks you control are secure with up-to-date firewalls and anti-virus and anti-malware software. Make sure all operating systems and firmware are current with all bug fixes and security patches.

Remember that we can help you with all of your internet password and security needs, including choosing and setting up a password manager, setting up two-factor authentication and answering your questions about biometrics systems. Call us – 973-433-6676 – or email us to set up an appointment.

Big-Picture Solution

When a new client wanted to go wireless in their new space, we found a way to wire it now and avoid future problems. The client is happy we offered the alternative, and that’s what got us the business.

There were two compelling reasons to wire the space.

The first reason was that the company, which does interior space planning, uses printers and plotters that cannot be connected over a wireless network. We noticed that when we went to their old offices the night before the move to disconnect all their systems.

The second compelling reason was that the opportunity was there.

Here’s how those two reasons fit together.

We had blocked out an entire day to install their equipment in their new office space, and that turned out to be a good move. From studying the map of where everything was supposed to go, we had envisioned a half-day of work. But experience has taught us that something always pops up.

When we arrived at the new offices, we noticed immediately that the floor below was vacant and that there was easy access to the space between the two floors. Our client’s new offices also had floor jacks to accommodate computers and work stations.

To our way of thinking, that was a bonus. We started to wire the office. The client agreed with our belief that wired systems are more reliable than wireless, and because there was wide-open space, it would be less disruptive and less expensive to do the wiring while moving in.

In the few weeks they’ve been in their new space, they’ve been running at top speed with no signal interruptions. That’s the benefit an experienced IT service firm can bring to a business. If you’re moving, we can look at your equipment, your new space and your business needs and help you optimize your information management system.

If you’re planning a move, call us – 973-433-6676 – or email us to look at your new space and plan a setup that works for you.