Hanukkah is some six weeks away, and Christmas is some two months away – but product shortages and rising prices already have put many people deep into their holiday shopping season. So, as you search for . . .
Privacy vs. Privilege
So, you want to block ads and pop-ups? That’s fine – because we’ve identified ads and pop-ups as gateways for hackers to penetrate your systems and networks. But even the safe ads and pop-ups can be annoying and an intrusion on your privacy.
Kaseya Ransomware Hack Sets off Holiday Fireworks
It took a perfect storm of cleverly written software, one weak link and a holiday weekend in the United States to launch the world’s largest ransomware hack to date. As this was written, some 1,500 businesses were being held up for a total of $70 million.
Did We Learn Anything from Colonial Pipeline?
Today, the gasoline shortages caused by the ransomware hack of Colonial Pipeline are in our rearview mirror. Hopefully, the memories are not forgotten. There are things we can all do to make it harder to access and hold our data for ransom . . .
Passwords’ Brave New World
While passwords need to go away, they won’t disappear overnight. So, we highly recommend you – and the internet world – follow some guidelines from the National Institute of Standards and Technology (NIST) in managing your online presence.
For individuals and small businesses, managing hundreds of passwords for all the websites and resources you need to access requires a concentrated effort. Every organization with which you interact online has to manage your password and everyone else’s. Website managers and administrators work hard to roll out security strategies, but piecemeal security strategies are ineffective and risky. There are too many cracks for passwords and other measures to fall through. Ad hoc strategies leave room for errors that could put customers’ data in jeopardy. This is where NIST comes into play, and understanding what’s behind its guidelines can help you take some action for your online security.
Part of the Department of Commerce, the NIST develops guidelines based on best practices from a diverse array of security organizations and publications. NIST guidelines are so well-respected that private sector organizations have adopted them to keep their entire infrastructures secure. They affect some of the requirements you get when creating your own passwords – which you need to follow because they are in response to newer, more powerful threats.
Here are some of the most important new guidelines that NIST has issued to those who provide the services that manage internet access. You can expect them to affect you.
- Go long: The suggested minimum is 8 characters when a human sets a password and 6 when it’s set by automation. However, NIST encourages users to create passwords with 64 characters or more, including things like spaces and emojis. They’ll be harder to crack.
- Remove reset requirements: As users struggle to drum up countless creative, strong new passwords each month, they end up creating weaker passwords. Password strength should be about quality, not quantity—one excellent password is better than 10 new, mediocre ones.
- Keep it simple: How often have you created a new account, for a new application, online store, or digital news outlet, and encountered the prompt, “your password must contain one lowercase letter, one uppercase letter, one number, and one symbol”? Overly complex passwords can lead to poor password behavior, just as with frequent resets.
- Be more user-friendly: The “show password while typing” option is rare, but it can let you use longer, stronger passwords because you don’t have to remember all those gyrations you created. Another friendly option is to allow users to copy and paste passwords. Users who are allowed to copy and paste their passwords are more likely to create and store stronger, lengthier passwords within password managers than those who are forced to type out their password every single time.
- Go clueless: Knowledge-based authentication clues can save time, but with all the personal data available today, it’s easier than ever for hackers to decode hint prompts and breach systems.
- Limit attempts: NIST password standards recommend providing users with a maximum of 10 login attempts before they are turned away. That should be enough to aid a forgetful user but not assist brute-force attackers.
- Go hands-free: SMS texting services should not be a part of any two-factor authentication (2FA) process. SMS isn’t entirely secure, enabling cybercriminals to insert malware that can redirect text messages and facilitate attacks against the mobile phone network.
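For anyone who runs the login side, the length, simplicity and attempt-limit guidelines in the list above can be written as a short server-side check. This is an added example, not code from NIST or from this article; the `AccountStore` class, the NFKC normalization step, the 256-character ceiling and the PBKDF2 round count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_USER_CHOSEN = 8        # from the list: minimum when a person sets the password
MIN_MACHINE_SET = 6        # from the list: minimum when automation sets it
HARD_CAP = 256             # assumption: ceiling far above 64, only to bound hashing cost
MAX_FAILED_ATTEMPTS = 10   # from the list: attempts allowed before being turned away
PBKDF2_ROUNDS = 100_000    # assumption: demo value, tune upward for production


def normalize(password):
    # Assumption: NFKC, so the same passphrase typed on different devices matches.
    return unicodedata.normalize("NFKC", password)


def check_new_password(password, machine_generated=False):
    """Return the reasons a new password is rejected (empty list = accepted)."""
    length = len(normalize(password))  # code points, not bytes: spaces and emoji count
    minimum = MIN_MACHINE_SET if machine_generated else MIN_USER_CHOSEN
    problems = []
    if length < minimum:
        problems.append(f"too short: {length} < {minimum}")
    if length > HARD_CAP:
        problems.append(f"too long: {length} > {HARD_CAP}")
    # Deliberately absent: upper/lower/digit/symbol rules and forced expiry.
    return problems


class AccountStore:
    """Hypothetical in-memory store: salted PBKDF2 hashes plus a failure counter."""

    def __init__(self):
        self._records = {}    # user -> (salt, derived key)
        self._failures = {}   # user -> consecutive failed logins

    @staticmethod
    def _derive(password, salt):
        data = normalize(password).encode("utf-8")
        return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)

    def set_password(self, user, password, machine_generated=False):
        problems = check_new_password(password, machine_generated)
        if not problems:
            salt = os.urandom(16)
            self._records[user] = (salt, self._derive(password, salt))
            self._failures[user] = 0
        return problems

    def login(self, user, password):
        """Return 'ok', 'denied' or 'locked'."""
        if self._failures.get(user, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"   # refused even with the right password; recovery not shown
        record = self._records.get(user)
        if record and hmac.compare_digest(self._derive(password, record[0]), record[1]):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        return "denied"
```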
NIST standards and the guidelines listed above are important because newer, more powerful cyberthreats will always be deployed. As a user, you need to be aware of newer and better security options. We continue to advocate for biometrics and other measures that are unique to you – and only you – to allow access to your online world.
For most of us, a password manager that works across all the platforms you and your family or businesses use is still a strong defense against hackers. We like Dashlane because its paid version covers an unlimited number of website passwords across multiple devices. For those of you with the right technology, you can start to take advantage of other techniques to access your protected websites. Contact us by phone – 973-433-6676 – or email to discuss your needs and see how we can make you more secure.
Email in Disguise
The trend of getting voicemail messages through email is opening new doors for hackers to enter computer systems. Scammers are using email with spoofed addresses to hack into business operations, such as wiring money. Today’s office environment provides a perfect setup for a hacker: You hit people when they’re juggling multiple tasks, and you come across as a colleague or customer in an expected environment. We have two examples from our client experiences that show how easy it is for a problem to go undetected. And we have some tips to strengthen your security.
The problem with the voicemails happened while we were on vacation in Hawaii, which has a six-hour time difference with New Jersey. Our client reported getting emails about missed calls – which could have been generated by their voicemail/email system. It’s a growing trend to handle voicemails this way because phone and email run on the same networks, and sometimes it’s more effective for an employee to click a link and return the call while the message is on the screen.
And that’s how this problem showed up. Every time our client clicked on the link, nothing happened. When we got back from vacation, our first job was to install a new computer for the client. Everything went as planned, but then we got a call that the client only had 11 emails in the system. To make a long story short, it took all day to find all of the emails in a “recovery for deleted emails” folder and restore them – all 75,000 of them. The time was lengthened because we needed to sort them to cull the voice-mail files.
We changed the password immediately to cover the possibility the computer may have been hacked. After that was done, we got a call that our client couldn’t click to return numbers left in voicemails. I left a voicemail, and we were able to get a return call.
The likely issue is that someone from the outside spoofed a known and trusted phone number. The lesson here is that if it happens a second time, don’t click the link. While you may not know if you were hacked or fooled by some malware, you should know that something is wrong and needs attention. The earlier you let us know about it, the sooner we can work with you to mitigate the problem and minimize damage.
A second incident could have been catastrophic. Again, we awoke to find several urgent emails from a client that regularly wires large sums of money to entities worldwide. The incident occurred July 1, when they were preparing to wire nearly $100,000 to an entity. The entity to which they were wiring the money said they hadn’t received their wire in April. That raised alarms. We learned that the amount of money in both transfers was consistent, and the entity to which the money was to be wired could change names from time to time. Everything with the April and July transfers seemed to be within the realm of normal operations.
While we couldn’t get the April money back (the client had insurance to cover it), they were able to halt the July transfer. At the same time, we worked with them to develop new policies to help double-check money-wiring instructions and monitor the process better.
Among the key takeaways from these incidents: you should always be on guard because hackers and cyberthieves are getting much, much better at disguising their identities. When it comes to VOIP and cellular voicemails, it becomes way too easy to click on a number to return a call. That click could direct you to a link that installs some kind of malware. You can write down the phone number and initiate a phone call – much in the same way you can open a browser and go to a website instead of clicking on a suspicious link. In a related matter, the Federal Communications Commission (FCC) is about to force telephone carriers to verify the phone number location of incoming calls. This should reduce – at least for now – phone number spoofing.
Also, be vigilant about looking for anything that looks like a change in your operations or the entities you deal with. Don’t hesitate to pick up the phone and call somebody to verify instructions.
We can help you fight fraud and mitigate security issues in a number of ways, including security assessments and developing and installing rules and policies for critical operations. Call us – 973-433-6676 – or email us for an appointment.
How Secure is Cellular Data?
We know public Wi-Fi networks can be unsecured, and we’ve tailored our use to deal with those problems. But now, hacking cellular networks may be a growing danger as more cracking devices and techniques become more available.
Using Alternatives to Passwords
We have harped…and harped ad infinitum…about having strong passwords simply because those strings of upper- and lower-case letters, numbers and special characters offered the best chances of staying ahead of the hackers. But we’ve always reminded you that something better is needed because the bad guys have a vested interest in developing better systems to crack passwords and in finding more ways to exploit vulnerabilities in anybody’s electronic vaults that store vital personal and corporate info.
When one of our clients got hacked, we installed a password-less system to offer them better security. Our solution, which uses Microsoft Azure, is one of the emerging technologies to replace passwords with biometrics, one-time codes, hardware tokens and other multi-factor authentication options. What they do is exchange tokens and certificates without users – you, your employees and your customers – needing to remember anything. The new pathway to better protection even bypasses the password managers that many of you use.
IT industry figures show that more than 80 percent of security breaches involve stolen passwords and credentials. We all pick passwords that are too simple and easy to guess, or we store and reuse a few complex passwords that we can remember. That problem is exacerbated by forcing regular password changes even without evidence of breach. If password reset systems rely on people, they can be fooled by social engineering. Password-less technologies can combine certificates with contextual security policies that require less from you. They rely more on trusted devices and connections, and they can add layers of complexity as risks rise. New security can be based on the value of the content and factors such as user behavior, device location and connection, or the state of the device.
You can already set up password-less access using Microsoft’s Azure AD Conditional Access. Many of you who use our backup services already have Azure accounts, and you can use the technology to manage:
- Sign-in risk to identify who’s signing in and determine who’s a risk.
- Network location to determine if access is being attempted from a network location that is not under your control or the control of your IT department.
- Device management for accessing cloud apps from a broad range of devices including mobile and personal devices.
- Client application to manage cloud access using different app types, such as web-based, mobile, or desktop.
There are some cross-platform technologies available for going password-less, but it all starts with the Microsoft Authenticator app. It uses key-based authentication to create a user credential that’s tied to a device and uses a PIN or biometric. Instead of using a password to sign in, users see a number code to enter into the Authenticator app, where they have to enter their PIN or provide a biometric.
Password-less sign-in for Microsoft accounts with the Microsoft Authenticator app is already available, and support for signing into Azure AD is now in public preview. Right now, the app can only cover a single account registered with Azure AD in one tenant, but support for multiple accounts is planned in the future. It covers Office 365 and Azure and works with a variety of other apps.
If you’re ready to go password-less, we can help you decide what’s right for you and set up your accounts and devices. Just give us a call – 973-433-6676 – or email us to set up an appointment.
Hello, New Security Technology
Passwords are on the verge of becoming extinct, and for many people, the passing of passwords will be like getting rid of a migraine. With the latest Windows 10 major update from Microsoft, your computers and devices may now say “hello” to you to access Microsoft accounts, and additional security measures may now work together better with smart devices. Facial recognition is playing a big role.
Security is more important than anything in today’s world, and hackers keep cyber defenders back on their heels in many instances. Our message continues to be that you need to harden your security measures while you have control of your computer, device, network, etc. If you wait until it controls you, it can cost you a lot of time, money and aggravation.
Combining facial recognition with another authentication factor is one element of Hello, which is available on certain computers with Windows 10 installed. It replaces a password with biometrics to authenticate secure access to devices, apps, online services and networks with a fingerprint, iris scan or facial recognition. It’s considered to be more user friendly, secure and reliable than traditional passwords, which are easy to crack because most people use simple ones they can remember or leave written notes in easy-to-find places.
You can authenticate a Microsoft account or a non-Microsoft service that supports Fast Identity Online (FIDO) by setting up a facial scan, iris scan or fingerprint to log into a device. Hello uses 3D-structured light to create a model of someone’s face and then uses anti-spoofing techniques to limit the success of people creating a fake head or mask to spoof the system. Once you set up your initial scan, the image will enable you to unlock access to Microsoft accounts, core applications and third-party applications that use the system. You can modify facial and iris scans, and add or remove additional fingerprints, and you can uninstall biometric identification.
Microsoft has updated Hello to support new security keys and offers two-factor authentication. There are keys to authenticate users for Azure Active Directory without requiring that a user enter a username or password, or even set up Windows Hello beforehand. Technology advances could include authentication through a smartphone, but don’t expect any of those to involve text messages. Your cell phone number can be easily hijacked, and a perpetrator can simply have all of your passwords sent somewhere else without you ever knowing about it.
Windows’ latest update, version 1809, which is being pushed out this month, will increase the number of computers able to use Hello, and that will certainly help expand its user base – which, in turn, will spur more development of more ways to use it.
Microsoft is working with a growing number of service providers and device manufacturers to give its users a more seamless method to authenticate multiple accounts. Ultimately, the industry needs to tighten its false rejection rates and “liveness detection,” which ensures that the scan is that of a living person.
We’re confident that use of these new systems, such as Hello, will make us more secure, especially for business systems. We still see so many offices with passwords attached to computer monitors. Hello will go a long way to eliminating this particular potential for security breaches.
If you have computers that can work with Hello, we urge you to take a close look at implementing it. If you have questions about getting computers that are compatible with Hello or will be, we can help you set it up or prepare you to set it up. In the meantime, we can perform a security assessment to make sure your information technology system has no open backdoors or trapdoors that can allow access. This can be especially important, as one client discovered after they bought a company and started to merge IT systems.
Call us – 973-433-6676 – or email us to talk about your security.
Refreshing Devices Re-Energizes Them – Up to a Point
Refreshing your computers, peripherals and devices requires you to take a long pause, but in the end, it still might leave you thirsting for better results. If you’re hanging onto old equipment, Tech Data reports a few facts that might make you change your mind.
First of all, the report says, some 46 million small and medium-size businesses rely on devices dating back to 2014. That’s approaching five years, and that can be a lifetime in technology. Second, repair costs for equipment four years old or more can be 1.5 times the cost of repairing newer technology. Finally, PCs older than four years can be less than half as productive – costing an average loss of productivity rate of $1,260, according to an internal study by Microsoft.
Microsoft, which is phasing out Windows 7 because of its increasing inefficiency (Windows 7 Support Ends in January 2020), certainly has an interest in seeing you buy new computers with their operating systems. But they also know that the more efficient and productive their customers are, the more likely they’ll continue to use Microsoft software.
So, with that last point out there, what are your considerations for refreshing or replacing a computer? If you’re running Windows 7, we see replacement as a no-brainer. One client engagement illustrates how extreme it can get. We were tasked with refreshing a 10-year-old computer to get it to run better, which we did at a cost of $200 or so – after we advised our client to replace it. Refreshing, in this case, meant reinstalling software and updating it as much as possible. A 10-year-old computer cannot run the latest versions of Windows or any application software, and you cannot install the latest, most secure browser software. If we had installed a new hard drive and added licensing fees and our setup time, it would have been about $570. A new computer would have been around $800 plus some setup time to properly install the operating system and applications and transfer some data files.
With that as background, let’s delve more into a cost-benefit analysis.
Performance: Older PCs, according to Tech Data, can only run approximately five applications simultaneously without performance degradation, while newer PCs can easily run eight or more, according to a 2016 study. On the other hand, new Windows 10 Pro devices with 7th and 8th generation Intel® vPro™ processors keep users more productive with up to 25 percent more time efficiency. They are also up to 28 percent faster for startup on average compared to Windows 7. Batteries can last up to three times longer on newer Windows devices.
Repairs: We mentioned early on that repairs can cost 1.5 times more for older computers than for newer computers. Some of that extra cost can come from more time to find parts. Generally speaking, older parts are scarcer and more expensive.
Security: We’ve harped on security, and here’s something to add: More than 50 percent of smaller businesses have suffered a data breach or cyberattack with the cost averaging more than $84,000 per breach. Older Windows devices are likelier to lack the latest hardware and software security features, putting data at risk. When you factor in the fact that small-business customers are prime targets for security breaches, you can be looking at costly recovery. Upgrading to a computer that can run Windows 10 Pro will give you more built-in defenses and increased support for the lifetime of your device.
To translate all this into an action plan, we recommend refreshing and some component replacement for computers three years old or younger. For older computers, especially those running Windows 7, we recommend replacement. Business users will benefit from improved performance and security, and home users will benefit from better security. Call us – 973-433-6676 – or email us to discuss your refresh/replacement needs.