Secure Your Email

Email security continues to be the most vulnerable security link in your email chain. Ninety-six percent of all phishing attacks use email, and some three billion emails are launched daily. Phishing can cost businesses $26 billion annually. The more email accounts you have, the more vulnerable you are.

One of our clients had six email accounts, all of them created for a variety of legitimate reasons. The problem is that it meant they had to guard six doors against intruders. That’s worrisome enough, but if you use multiple email clients, such as Outlook and Gmail, you need to deploy your security measures in line with each client.

Google’s Gmail has a particular vulnerability. According to a report from Malwarebytes, Russian hackers were able to bypass Google’s multi-factor authentication (MFA) in Gmail to pull off targeted attacks. They did it by posing as US Department of State officials in advanced social engineering attacks, building a rapport with their target, and then persuading them to create app-specific passwords (app passwords). App passwords are special 16-digit codes that Google generates to allow certain apps or devices to access your Google Account securely, especially when you have MFA enabled.

Outlook faces several significant security challenges, including vulnerabilities that allow for remote code execution, phishing attacks, and the potential for credential theft. These vulnerabilities can lead to data breaches, unauthorized access, and the spread of malware.

Here’s how to strengthen your defenses.

  • Only use app passwords when absolutely necessary. Change to apps and devices that support more secure sign-in methods whenever you can.
  • Authenticator apps, such as Microsoft Authenticator, or hardware security keys (FIDO2/WebAuthn), are more resistant to attacks than SMS-based codes.
  • Stay up to date on phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords.
  • Keep an eye on unusual login attempts or suspicious behavior, such as logins from unfamiliar locations or devices. Limit those logins where possible.
  • Regularly update your operating system and the apps you use to patch security vulnerabilities.
  • Enable automatic updates whenever possible so you don’t have to remember them yourself.
  • Use security software that can block malicious domains and recognize scams.

When it comes to SMS-based codes, we want to emphasize one particular vulnerability: SIM swapping. It’s one of the internet security industry’s biggest worries.

It’s undetectable and it works like this:

  • A hacker puts your mobile phone number on a SIM card installed in their own phone.
  • Using their phone, they get your authentication code, which gives them access to a website or email account.

Despite this vulnerability, SMS-based codes are better than nothing. At a recent training seminar, we learned that many people don’t use any kind of 2FA or MFA methods at all. That is totally unacceptable.

We can help you – and your employees and family members – set up better security measures on all apps devices. Call us – 973-433-6676 – or email us to discuss your needs and develop an action plan.

Cybersecurity Keeps Them Awake at Night

“What keeps you awake at night?” That’s a question that seems to come up at many a business networking group when someone begins to offer a solution to a problem they can solve. If you’re a CEO at a major corporation, the answer to that question is: cybersecurity.

Internet systems are more complex, and complexity leads to more risks. It’s become a boardroom issue, and the most concerning part of the problem should be the increased time it takes to find a system intrusion. It now takes 292 days – more than nine months – to discover a breach.

Part of the problem is the size and complexity of large corporate networks. They have thousands of endpoints, and it’s become harder to spot anomalies and deploy patches. While our clients typically don’t have large, sprawling networks, we all interact on the corporate or personal level with large global networks for just about everything we do.

Other parts of the problem are that companies may take too long to investigate the breach, and then they need time to develop a plan to patch it. That time is directly related to the network’s size and complexity. If a company doesn’t have a continuous monitoring plan (yes, it’s hard to believe a large company wouldn’t have one), it also extends the time to discover a breach.

Two other reasons are:

  1. Hackers have better stealth tools to invade a network. Once they’re in undetected, they can take their time to look at all of their victim’s data to see what’s best to monetize.
  2. Hackers can steal login credentials and hang around a system for a long time until they’re detected.

Companies that can detect intrusions in less than 100 days can save $1 million in containment costs. But they may not be as motivated as you are to protect your network and the people they serve.

Here are some things you can do right away:

  1. Make sure you have strong passwords for every account you and your employees and family members have.
  2. Insist on using passkeys or some other form of two-factor authentication (2FA) wherever possible. A good authenticator should be device-specific and tied to a device that’s always with the user.
  3. Make sure all your software (operating systems and apps) and firmware (hardware systems) is up to date.
  4. Have an easily accessible list of your key usernames and passwords for emergency use.

Microsoft is making strides in a couple of areas. The company introduced passkey support across most of its consumer apps a year ago, allowing you to sign into your account without the need for 2FA methods or remembering long passwords. Today, it’s encouraging all new signups to use passkeys as it removes passwords as the default.

Windows Hello allows users to securely sign in to their accounts with their face, fingerprint, or PIN. Today, more than 99 percent of users sign into their Windows devices using Hello. The company reports that 98 percent of passkey attempts to login are successful; passwords are only 32 percent successful.

To help keep all your software up to date, Microsoft is developing an update orchestration platform designed to unify the updating system for all apps, drivers, and system components on Windows systems. Right now, it’s aimed at developers and IT product teams. The goal is to run an update scan tool that will queue downloads and updates at optimal times. We’ll see if they can actually make it work.

That’s in the future. For the here and now, we recommend you contact us for a security audit. It’s something you should do annually to make sure you’ve taken the four steps we enumerated above. At the very least you can strengthen your own systems before the big guys know they were breached. Call us – 973-433-6676 – or email us for an appointment.

Old Security Habits Never Die; They Should

We still seem to see the same bad security habits we’ve always seen. Now, they involve PINs as well as passwords. Here are some bad habits you need to break.

The first bad habit has to do with keeping track of passwords and PINs (Personal Identification Numbers). We’ve discussed passwords ad nauseam, and the problems we find with them are they’re either forgotten, left in places where anyone can see them, used repeatedly, or made so simple that they’re easy to crack.

If you habitually run across any of these problems, you need to seriously think about how you can make your password system stronger. Some of the suggestions we’ve offered include making your passwords long and using a system that lets you vary one or two keystrokes or a word or phrase to keep them different. The system helps you remember your passwords – or at least the ones you use the most or ones you need while away from your computer. In creating your passwords, you’re better off using a longer password instead of a shorter complex one. Longer passwords make it more difficult for hacking software to figure it out.

A related issue is those security questions. Don’t give real answers that involve information in public records. Somebody can easily see where you’ve lived, where you went to school, etc. They can probably find out what your first car was.

PINs are meant to solve most of the issues, but they can run into that “forgetful” problem, too. An additional problem with PINs is that when you change devices, you need to reset the PIN. Again, that can be a real problem if you don’t remember the PIN you used.

Some people use their browser or a feature on their phones to save passwords. The danger there is that those passwords can be easily stolen, especially if you happen to visit a “phishing website,” one that has the look and feel of a legitimate website. When we feel rushed or stressed about things going on in life, we’re more susceptible to clicking one of those links or making a typing mistake. The owners of “phishing websites” typically have website domains related to common typing mistakes – although some companies have those sites, too, to make sure you can reach them. The old habit to break here is to take a deep breath when you’re online to make sure click on a legitimate link or type a domain name correctly.

Rather than use a browser or phone password saver, we recommend you a password manager. Dashlane and Last Pass are two that are well known, but using any manager gives you stronger protection. You’ll need to set aside time to get your password manager properly configured and to enter all the passwords you want to protect. The process includes setting up a master password that gives you access to the electronic vault where all your passwords are stored. The key to success is never, ever forgetting that password or giving it to anyone except one or two trusted people.

Credit card numbers can be hacked, too. A couple of our clients had their numbers stolen, and although they changed passwords, they still wondered what else might be broken in their system.

We can help you with security breaches. We take the time to look closely at your system to see how each change you might make – changing passwords or adding a password manager – will affect you. Our analogy here is to the new kitchen that we’re getting. As we change the room and add things like electrical outlets or lighting fixtures, we have to open holes in our walls and ceiling, and we don’t know what’s there until we get them open. It’s the same with your tech system. Without looking at everything, we can’t tell how one change will affect your system.

Call us – 973-433-6676 – or email us to discuss your needs and do the appropriate patching, including installing and configuring a password manager.

Tax Season: The Next Scam Season

I don’t know whether more money changes hands during the holiday shopping season or during tax season, but a lot is at stake between now and April 17 as people prepare tax returns. It’s a busy time of year for scammers, most of whom want to use fraudulent information to get your tax return money.

Probably one of the most common scams is someone calling from the IRS to say you owe back taxes. This happens every year and all year long, too. But there’s just one thing we want to remind you about, even if you know it: The IRS does not contact you by phone. Nor does the IRS contact you by email, a form of communications a scammer will use in a phishing expedition. The IRS sends you a letter.

The other scams you are likely to encounter are calls or emails from people or companies offering to prepare your tax returns and even provide you with an advance on your refund. The email scams are more insidious because if you click on a link, it could automatically trigger a breach of your computer that reveals sensitive information. If you follow through on a phone call or link, the scammer is going to request your Social Security number and other info that goes on a tax return. If the scammer is offering to advance you money from an expected refund, they’ll want your banking info, too. Once a scammer has this and other personal information, it’s easy to get credit cards and loans and commit crimes in your name.

From a computing point of view, we again remind you not to open emails from people you don’t know who offer help during the tax season. Delete them immediately. Do the same with an email from someone you know that seems out of context because it’s so easy to spoof an email address. For example, would you really expect Norman Rosenthal or Sterling Rose to prepare your taxes?

You can protect business and home networks and computers by making sure you have new, strong passwords for all networks and accounts. Strong passwords are long and contain a combination of upper- and lower-case letters, numerals and special characters. With the breach at Equifax, the risk of fraud is higher, and one of the problems it can lead to is that someone will file your tax return before you do.

With protection in place, you can use the internet for all of your tax-related activity, starting with IRS’s official website https://www.irs.gov/. In addition to being able to get tax forms and answers to questions, you’ll find links to help you find and verify information about tax preparers, including 10 tips for choosing one.

If you are preparing your own taxes, we recommend you use one of the established software providers to reduce your risk of a security breach, especially when you file online.

While we don’t prepare taxes, we can help you keep your networks and computers secure. Call us – 973-433-6676 – if you think your system may have been compromised. Call us or email us if you have any questions about system security or security settings for any software you use for tax preparation and filing.