The Time to Do the Right Thing

Be honest. How many times do you use a password for multiple websites because you need to remember it? You know that a string of 16 to 20 random characters upsets any pattern a hacker might use to steal a password for one site and maybe get into multiple places.

One of our clients recently told us how they saw the light, and it was a really gratifying conversation for me. He said: “I listened to what you said about passwords, and I did everything. Life is so much simpler now.”

It shocked me because that’s not usually what we hear. I wish more of our clients would get on the bandwagon when it comes to passwords and password managers. I can’t emphasize enough how password managers enable you to have unique, complex passwords for every website you need to access and how easy they are to use. You don’t always get to “stronger” and “simpler” as adjectives for a single concept.

What’s the “stronger” part of password managers? They generate those ideal passwords of 16 to 20 random characters that include upper and lower case letters, numbers and special characters. If everyone in your password chain – the people, companies and institutions you deal with – has a strong, generated password, that should make everyone as hack-proof as you can get. The problem is that the weakest link in the chain is the easy-to-crack password.

The” simpler” part is that you only need to remember one master password. (The hard part is making sure you have access to it in case you do forget it.) Before getting all his passwords into a password manager, our client said he would change a password by adding a number or a character because it was easier to remember. But it wasn’t simple. He would still need to remember what number or character he added to the old one, and maybe he had 50 passwords to remember – or carry around in a list.

A good password manager that can work across multiple devices can cost $50 to $100 a year. We believe that’s relatively cheap for the security you gain and the time you save from trying and retrying passwords or resetting them. The password manager becomes stronger and simpler when you combine it with facial recognition on a mobile phone.

Using a password manager and other forms of authentication will take some getting used to. But it’s worth it to take the time to do the right thing to protect your online security and your sanity.

Call us – 973-433-6676 – or email us if you need help in choosing a password manager and setting up the basics. We can also help you with other ways to authenticate your online access. See our article Pass the Key, Please.

 

Pass the Key, Please

If you’re sick and tired of managing passwords (see our article Take the Time to Do the Right Thing), take a new look at using passkeys and forget about the hassle. A passkey is a pair of cryptography keys generated by your device. A public key and a private key combine to create a passkey that unlocks your account. They may take some getting used to, but the security boost will be well worth the effort.

Microsoft is encouraging everyone to use a passkey when they sign up for a new account, and they’re moving away from the default of passwords for all new accounts allowing you to ditch them altogether. Just as a related side note, when you create a Microsoft account, do not create a local passkey. It will only work on the device you used to create the account, and that will defeat the purpose of being able to sign in from anywhere on any device.

A passkey is a pair of cryptography keys generated by your device. A public key and a private key combine to create a passkey that unlocks your account. If you remember going to your safe deposit box at the bank, you had one key in your possession, and you got a key from the bank for your visit. This is an electronic variation of the theme.

Microsoft introduced passkey support across most of its consumer apps a year ago, eliminating the need for two-factor authentication (2FA) or passwords. Now, it’s encouraging all new signs up to use passkeys as it removes passwords as the default. Websites are increasingly allowing you to passkeys for secure access.

Passkeys and password managers are able to work together for the most part. Usually, the device or software generating the passkeys uses a biometric authentication tool, such as FaceID or TouchID, to authenticate your identity. If your password manager is the passkey source, you can log in with your master password. Passkeys are unique to each app or website and stored in a password manager’s vault or your device’s keychain. Passkeys can also sync across devices, making them a convenient choice.

There are some holes in the passkey strategy that you should be aware of. The websites themselves can be the source of weakness in the security chain. Security experts say criminals can easily get around a passkey by stealing users’ validated browser cookies using malware.

While that puts an onus on the websites  to tighten up their operations, you can help protect yourself better. For example, don’t just accept the website’s data privacy settings when a box pops up on a website. Instead, navigate to the “Cookies” or “User Data” sections and choose the shortest available session duration. That way your cookies will expire automatically or whenever you close your browser window. You can also turn off various marketing and targeting cookies.

Again, passkeys take time to set up, and there’s a learning curve to using them effectively. We believe it’s well worth your time to start using them. Call us – 973-433-6676 – or email us to learn more about passkeys – and how they work with password managers. We can help you select and configure passkeys and password managers together and move you up to the next level of online security.

Hardware Plays Hard to Get

As we were writing this issue of Technology Update, tariffs hit the fan. We have discussed their possible impact on prices before, but that was hypothetical. Now, they’re real, but we’re still not sure where they will land and how they will affect supplies and prices. At the same time, technological advances make hardware obsolete faster.

Before tariffs were officially announced, we saw a 10 percent minimum increase in hardware prices. Now, nobody is betting on how long the tariffs will stay in effect and for how long. Anyone who’s been living on the bleeding edge of their hardware’s service life – and there are many – has to feel uncomfortable because there is uncertainty supplies, prices and delivery dates.

That discomfort is heightened by a crunch from software providers, who need to meet demands for better online security and performance from operating systems and applications. It used to be that in some cases, you could expect seven years of service from a piece of equipment. That’s because the hardware manufacturers could provide updates for their products’ firmware (hardware operating system software) to keep pace with software developments.

Today, hardware can become obsolete in as little as three years. Security systems, working in the cloud, and higher-performing application software all demand more powerful equipment. The technology industry has made a business decision to put its resources into supporting the larger base of forward-moving customers than those who are trying to hang on to older systems.

For some organizations, it’s a double-edged sword. They find it’s especially critical to be lean and mean to survive in tougher economic conditions. But they can’t cut away too much meat after they’ve trimmed all the fat. At some point, they’ll need to buy new hardware regardless of the price.

The best way to work around a double-edged sword is to see what hardware is connected to the internet. That’s a security move. Hackers look for the weakest link in any system, and if you have any hardware that’s connected to the internet, it must be able to handle the latest security software.

When one of our retail clients ordered 10 new computers, we saw one old computer just running ads on a TV in their store. It was not connected to the internet, and that was a perfectly good use for it. You may have equipment in your office that’s not connected to the internet – or can be used without an internet connection.

We can help you make more efficient use of your hardware by taking a close look at what equipment you have to determine what needs to be replaced and what can be used in other ways. Call us – 973-433-6676 – or email us to set up an appointment.

Is ‘Zero Trust’ in Your Future?

The words “zero trust” in Zero Trust Network Access (ZTNA) are probably appropriate in a time when it seems like we don’t trust anybody about anything. ZTNA is being touted as a replacement for VPNs (Virtual Private Networks), especially for remote business needs. It could be more effective, but small businesses will need to jump through hoops.

ZTNA is a technology designed to limit who can access a network and where in the network they can go. The limits are important. For example, anyone who can access a Microsoft 365 network as a global administrator can effectively play God; they can do ANYTHING.

The goal of a ZTNA is to keep out false gods. Its proponents tout the following benefits:

  • Invisible infrastructure: ZTNA allows users to access applications without connecting them to the corporate network, thereby eliminating risk to the network.
  • More control and visibility: Managing ZTNA solutions is easy with a centralized admin portal with granular controls. Managers can see everything and create access policies for user groups or individual users.
  • Simpler app segmentation: Because ZTNA isn’t tied to the network, organizations can segment access down to individual applications instead of complex network segmentation.

Proponents further contend ZTNA is faster and more convenient than VPNs, offer better security, and are easier to manage. Gartner, a technology and research consultancy for large corporations and government, predicts its client base will largely phase out VPNs for ZTNA.

If you’re a small business or nonprofit organization that deals with large companies and government agencies, you may need to learn how to live in the world of ZTNA at the very least. If you want to adopt for your own use, you’ll need to answer some risk/reward questions:

  • Do you need a Ft. Knox type of defense system?
  • Are you willing to build new access systems to maintain your current business process?
  • Are you willing to take on the learning-curve risks of implementing a new security system?

There are no cookie-cutter solutions to changing your security measures. Call us – 973-433-6676 – or email us to discuss the specifics of ZTNA, especially if you need to use it to comply with another organization’s directive. We can help you design and implement a plan that minimizes your risk as best as possible.

Inside a Hack Investigation

Getting hacked doesn’t always mean your world has come to an end. In many cases, however, fixing it is a grueling process, physically and mentally, and you’ll have to provide a lot of information you hadn’t planned to disclose.

Here’s how it started. A client clicked on a pop-up window at 3 p.m. that said their computer was infected with a virus. The message in the pop-up said illegal activity was detected on the computer. But if the client called the number in the window, they could clean it up.

The client let them on the computer and was given a cost (it doesn’t matter what it was) to fix the problem. They said it could be paid for by taking cash out of his account and depositing the cash at a specified ATM. They said not to turn off the computer. The client told friends they thought they’d been hacked.

They called the next morning and said they felt stupid. We told them not to. We see hacks from pop-up windows all the time – and they frequently happen on sites where people print recipes. The site opens what looks like a print dialogue box, and it can sometimes be difficult to know what the icon in the box means.

Our first advice to anyone who thinks they’ve been hacked is to turn off the computer and call us immediately at 973-433-6676. In most cases, the money is already gone by the time you turn it off, but nobody can get anything out of a computer that’s shut down.

To do our best to close off any new attempts from a hacker, we ask our clients to walk us through every detail of the incident. We need to find where something started so that we can close off any loops. We need to do this at every point affected by the hack. Once a hacker has gotten into your computer, you can bet they’ll be back – and you can bet they’ll look for all the doors they got through.

The obvious lesson we can all learn from this is to be extremely careful about pop-up windows. You can install pop-up blockers on your computer’s browser, and they can be configured so you can allow them on a case-by-case basis.

But pop-ups can pose additional risks, especially as artificial intelligence (AI) becomes more widely deployed. When you call a phone number in a pop-up – or any link for that matter – your voice can be recorded and synthesized. If you visit financial or health-related websites that rely on voiceprints as part of their security, you can be at risk. Whenever you answer any phone call from a number you don’t know, avoid saying the word “yes.”

We can help you tighten your security by helping you configure pop-up blockers and fine-tune your anti-virus programs. Call us – 973-433-6676 – or email us to discuss your needs.

You and Your Credit Card

Credit cards can be convenient and reliable, but sometimes, you’re much better off if you just leave yours in your wallet. The following “don’ts” apply to online and offline occasions when you’re tempted to pull out that piece of plastic.

  • If you don’t see the letters https as the first letters in the address bar of a website’s URL, don’t use a credit card. https is the universal protocol for secure communication over a computer network on the Internet. However, don’t blindly trust this. A scam website or scam merchant can obtain https certification, so be sure it’s the correct website before you type in your info. As an alternative, you can use PayPal if it’s presented as an option.
  • If you don’t see any online reviews of a merchant, consider that a red flag. If you see a merchant with no or few reviews while shopping on a site like Amazon, it’s a caution flag. While you assume they were vetted, they could have slipped something through the process. Some other things that shouldn’t be missing from a website are social media accounts, though there are Facebook marketplace scams. Be wary if you don’t see complete, verifiable physical addresses and telephone numbers.
  • Don’t put your credit card info into an email, especially if responding to an email. It could be part of a phishing campaign. We’ve written extensively on how responding to misspelled email addresses or URLs are ways to get you to provide a valid card number to a fraudulent operation. You’re actually better off giving your credit card to someone over the phone – but only if you initiated the call. A valid merchant uses a system that only retains the last four numbers of your card.
  • Going offline, don’t allow a merchant to take your card out of your sight. Who knows what they’re doing with it? More restaurants are processing your credit cards at your table. It’s all the same “trust but verify” thing.

If you’re a consumer, you likely know just about everything we discussed in our “don’t do” list.

If you’re a merchant, we can help you keep your credit card system secure by providing you with hardware and software systems that comply with all regulations. We can also help you get the proper https certification you need for your website. Call us – 973-433-6676 – or email us for an appointment to talk about it.

Passkeys Not There…Yet

Passkeys hold a lot of promise in eliminating passwords. They rely on an electronic handshake to allow your device to access a secure website, and many password managers claim to link to passkeys. They’re getting there, but they’re not there yet.

A major hurdle right now is that not all websites recognize the passkeys from password managers. Sometimes, recognition depends on the device. Since most of us have fairly new cell phones, our phones usually have the ability to work with facial recognition, which is a form of a passkey. Older devices may not have the ability to work with this type of technology.

We suspect the move to newer computers – especially as Microsoft ends support for Windows 11 – and the need for better security will speed the drive to make more devices capable of using passkeys.

Why are passkeys secure? They eliminate the need to enter usernames and passwords, both of which are stored on the website you’re trying to access. We know the problems with usernames and passwords: they can be stolen by hackers from the website or your device, they can be forgotten, and we can make them less effective by using simple passwords multiple times so we don’t forget them.

Passkey information is stored on the website and in your device. They are not the same info; they rely on the handshake – sort of like two spies who each know what they need to hear in a phrase. On your device, the most common passkey information is a biometric (facial recognition or fingerprint) or a PIN (personal identification number). Because they are device specific, the system relies on you having your device when you log into the website.

When you combine a passkey with some form of 2FA (two factor authentication), you’re using an access method that has proven reliably secure up to now. Many of the leading password manager programs, such as Dashlane, 1 Password and Bitwarden, can create and store passkeys for you, and both Apple and Android can store their passkeys locally and access them using the keychain app on mobile devices.

Even if you can’t use the passkey with your password manager, you’re still ahead. Remember, with a password manager, you only need to remember a single master password. You can let the password manager generate a long, complex password for each website. That password should be immune from guesses based on any of your personal information.

More websites, too, are using passkeys instead of the username/password duo. As the websites use them more, you will have easier access to more websites, but that comes with a caution. The websites will need to tighten their security, too, to prevent more sophisticated hijackers from getting info from their sites. One of their hacks is to hijack cookies. You can help prevent that by not clicking on “Accept” when the cookie dialog box pops up. Instead, navigate to the “Cookies” or “User Data” sections and choose the shortest available session duration. That way your cookies will expire automatically or whenever you close your browser window.

To expand the conversation about the internet and security, you can apply the same security measures to any device in your office or home that uses the internet or a Wi-Fi network. Printer manufacturers such as HP have created anti-hacking steps, such as entering a PIN, to gain access to the information stored in a printer.

We can help you install and configure password managers and set up effective passkeys and other security measures. Call us – 973-433-6676 – or email us to talk about it.

Phishing in Your Own Waters

If you own a small business or professional services firm, you depend on your employees to have enough tech savvy and common sense to avoid links in email messages or on websites that open your system to bad actors. No matter how much you trust them, you need to verify they’re doing the right thing. You can test your human security defenses by using your own phishing expedition to see how they’re doing.

We’ve become acquainted with independent cybersecurity firms by attending conferences over the years. We learn a lot from our peers and presenters – such as it takes an average of 244 days to detect a system breach and that using the cloud will be a necessity by 2028. We’ve also emphasized the need to have a thorough security audit, but as an IT firm, there’s only so much we can do. We also think that an IT firm is not the best organization to really get into the granular details of your security because we all have a vested interest in finding problems to fix.

An independent security expert can find the smallest breach openings in your system and tell you what needs to be done. One of the most fascinating tools they use is a phishing campaign aimed at everyone who works in your organization. They can plant fake links and QR codes and any other tool that a hacker can use to get someone to open a window into your system. They also have tools to mimic the follow-up methods that hackers use once somebody makes the initial click – or the first phone call to a bogus number.

The educational value of using your own phishing expedition is enormous. Not only will it help you patch up holes in your organization, but it also becomes a great teaching tool about why everyone needs to be vigilant. As we use more and more data to conduct business – and in our personal lives – it becomes more and more important to protect that data. You should remember that your organization is part of a data custody chain – a chain that can branch off in many directions. Intruders are highly sophisticated and well-funded – as well as very patient. They will do whatever it takes to get into your system and build tunnels to other systems. You put your reputation and integrity on the line every time you take in data and send it out.

AI will be able to generate untold amounts of data, but there is little it can do to eliminate misinformation automatically.

Eliminating misinformation requires real human intelligence and deliberate, active steps to prevent that first breach – the one that could take 244 days to find. At the risk of sounding like a broken record, in every location and on every device used to conduct your business:

  • Use a firewall and make sure it’s up to date.
  • Use anti-virus and malware software and make sure it’s up to date.
  • Install updates to operating systems and application software on every device you have. Those updates contain security patches and bug fixes to prevent intrusions.

We can help you arrange for a comprehensive security audit that includes a phishing expedition and a deep dive into your equipment and practices. Call us – 973-433-6676 – or email us to discuss your needs and develop a security action plan.

Living and Growing with Technology

We have kids and grandkids who have never known life without wireless technology, and now we’re moving on to AI. Whether you’re a business or a family with an array of technology comfort zones, there’s an array of paths you can follow to help you keep it all together.

I believe one of our biggest dangers with technology is online shopping. Did you see who had the most ads? According to my observations, it was Temu, the Chinese shopping site. What’s the red flag? There are two: 1.) data collection and 2.) legal recourse.

With every purchase you make, Temu collects a tremendous amount of personal data, including, of course, the credit card number you use to buy stuff. AI, which is really the use of superfast computers that can digest and regurgitate massive amounts of data, makes it possible to analyze every aspect of your shopping preferences. Even if you guard the privacy of your data persistently and diligently, some well-programmed AI can find out things you never knew about you. Conceivably, it helps Temu and similar websites present you with product choices and price points that will generate a purchase.

And because Temu is based in China, it operates under Chinese law, not US law. Not only will you not have the same legal recourse in China to protect you from financial loss, you likely won’t have the same regulatory protection about what data is collected and how it’s protected.

Another convenience we like is setting up automatic payments for products or services that are linked to our credit card or bank account. It’s a convenience for consumers and providers, and you can sometimes get a discount for automatic payments.

I dread the day my payment info gets hacked, and there’s no convenience factor that makes it worth the risk of being hacked. If you agree, there are two critical steps you can take to minimize your risk: 1.) Reset your login credentials for your financial accounts and the sites that draw automatic payments. 2.) Set up two-factor authentication (2FA) for every website account that offers it; biometrics and text messages to a device only you can access are best.

Biometrics can include facial recognition, and it offers the best combination of safety and convenience, especially for phones and tablets. Unless somebody has stolen your device and used your digital passcode to get into your settings and take a picture of themselves to reprogram your facial ID, only you can respond. Using a mobile device for a text is good because you should have the device in your possession for the authentication process. The use of authenticator apps such as Microsoft Authenticator or Google Authenticator is a good step.

Younger people typically take more easily to these new authentication methods, but those who are older or not entirely comfortable with technology should find them easy to use once they’re properly installed and configured.

Staying with the theme of age and technology, we have an elderly client who had some issues with a new computer. We tend to think older people are more comfortable with a computer, but we found the client preferred to have a second iPad. We associate iPad and iPhone use with younger people who can easily adapt to a different way of doing things with really quick thumbs. But there are keyboards for any mobile device, and those who use hearing aids can take advantage of Bluetooth with their devices.

The biggest challenge with using a tablet or phone in place of a computer is setting up ways to download, store, and use files with apps mostly associated with a computer. Multitasking is more difficult with a tablet or phone, but we can accommodate most needs for most people.

With tech playing such a large part of everyone’s business and personal lives, it makes sense to tailor the technology to the person rather than the other way around. If you or someone you know has special technology needs, call us – 973-433-6676 – or email to discuss ways to make technology work.

Cookies, Passwords, and Computerless Invasions

We disdain cookies and passwords so much that we expose our sensitive data to hackers who never need to invade our computers, phones, or tablets to get it. There’s so much information about each of us out in there, yet we use skeleton keys instead of padlocks to protect what we can.

You can adjust your cookie settings to limit tracking cookies, but website operators make it cumbersome – because they want advertisers and merchants to pay them for ways to track you across the internet and sell you stuff. Cookies get a lot of notoriety because of that, but they also serve useful purposes. They enable a site to direct you properly to the areas you need to go to and display appropriately for your browser and device.

Tracking cookies are another matter. They can tell anyone who plants a tracking cookie on your device where you go, and that’s creepy on the one hand and dangerous on the other.

I generally ignore all those cookie messages or just accept all cookies. I feel that many trackers already have information on me, and I am confident I’m savvy enough to avoid online traps. You should be, too, if you follow us regularly. The ads and even the phishing expeditions are a royal annoyance, but you’re safe if you’re smart.

Tracking cookies get dangerous when they converge with weak passwords. This affects business and personal internet use, and here’s how cybercriminals get you.

Once cyberstalkers know where you go, they can make some guesses about your username, which usually has an element of your name or your entire email address, and they have software to try to crack passwords. If you have a weak password – such as the first initial, last name, and 123 that a friend who got hacked used – they’ll crack it. And if you use it at multiple sites, they’ll get into every one of them. And they never had to get into your computer to get into your accounts. The clues were out there to find your bank account or credit card number to clean you out or go on a shopping spree.

The problem, of course, is with a weak password and the lack of a password manager. As an aside, if you are hacked, we use your cookies to see where you’ve been and see if something there has led to someone getting your info and maybe your money.

Finding a strong, unique password or several really strong passwords that you can easily remember is not that hard. What’s an odd association with your name or something you see when you look out the window? What’s a number that’s not tied to your birthday, phone number, or something else that could be part of your public record? What’s a random word that relates to nothing? Where can you substitute a number or special character for a letter? Following that process, any combination of 12 to 16 characters should give you a strong password.

If you combine a strong password with a password manager, you can let the password manager generate random strings of letters, numbers, and characters that become strong passwords. And if your password manager and the websites you visit have facial recognition capability, it’s simpler, stronger, and even faster.

We can help you configure a password manager for individuals or groups, and we can help with improving your password security. Call us – 973-433-6676 – or email us to discuss your needs and develop a plan.