Inside a Hack Investigation

Getting hacked doesn’t always mean your world has come to an end. In many cases, however, fixing it is a grueling process, physically and mentally, and you’ll have to provide a lot of information you hadn’t planned to disclose.

Here’s how it started. A client clicked on a pop-up window at 3 p.m. that said their computer was infected with a virus. The message in the pop-up said illegal activity was detected on the computer. But if the client called the number in the window, they could clean it up.

The client let them on the computer and was given a cost (it doesn’t matter what it was) to fix the problem. They said it could be paid for by taking cash out of his account and depositing the cash at a specified ATM. They said not to turn off the computer. The client told friends they thought they’d been hacked.

They called the next morning and said they felt stupid. We told them not to. We see hacks from pop-up windows all the time – and they frequently happen on sites where people print recipes. The site opens what looks like a print dialogue box, and it can sometimes be difficult to know what the icon in the box means.

Our first advice to anyone who thinks they’ve been hacked is to turn off the computer and call us immediately at 973-433-6676. In most cases, the money is already gone by the time you turn it off, but nobody can get anything out of a computer that’s shut down.

To do our best to close off any new attempts from a hacker, we ask our clients to walk us through every detail of the incident. We need to find where something started so that we can close off any loops. We need to do this at every point affected by the hack. Once a hacker has gotten into your computer, you can bet they’ll be back – and you can bet they’ll look for all the doors they got through.

The obvious lesson we can all learn from this is to be extremely careful about pop-up windows. You can install pop-up blockers on your computer’s browser, and they can be configured so you can allow them on a case-by-case basis.

But pop-ups can pose additional risks, especially as artificial intelligence (AI) becomes more widely deployed. When you call a phone number in a pop-up – or any link for that matter – your voice can be recorded and synthesized. If you visit financial or health-related websites that rely on voiceprints as part of their security, you can be at risk. Whenever you answer any phone call from a number you don’t know, avoid saying the word “yes.”

We can help you tighten your security by helping you configure pop-up blockers and fine-tune your anti-virus programs. Call us – 973-433-6676 – or email us to discuss your needs.

You and Your Credit Card

Credit cards can be convenient and reliable, but sometimes, you’re much better off if you just leave yours in your wallet. The following “don’ts” apply to online and offline occasions when you’re tempted to pull out that piece of plastic.

  • If you don’t see the letters https as the first letters in the address bar of a website’s URL, don’t use a credit card. https is the universal protocol for secure communication over a computer network on the Internet. However, don’t blindly trust this. A scam website or scam merchant can obtain https certification, so be sure it’s the correct website before you type in your info. As an alternative, you can use PayPal if it’s presented as an option.
  • If you don’t see any online reviews of a merchant, consider that a red flag. If you see a merchant with no or few reviews while shopping on a site like Amazon, it’s a caution flag. While you assume they were vetted, they could have slipped something through the process. Some other things that shouldn’t be missing from a website are social media accounts, though there are Facebook marketplace scams. Be wary if you don’t see complete, verifiable physical addresses and telephone numbers.
  • Don’t put your credit card info into an email, especially if responding to an email. It could be part of a phishing campaign. We’ve written extensively on how responding to misspelled email addresses or URLs are ways to get you to provide a valid card number to a fraudulent operation. You’re actually better off giving your credit card to someone over the phone – but only if you initiated the call. A valid merchant uses a system that only retains the last four numbers of your card.
  • Going offline, don’t allow a merchant to take your card out of your sight. Who knows what they’re doing with it? More restaurants are processing your credit cards at your table. It’s all the same “trust but verify” thing.

If you’re a consumer, you likely know just about everything we discussed in our “don’t do” list.

If you’re a merchant, we can help you keep your credit card system secure by providing you with hardware and software systems that comply with all regulations. We can also help you get the proper https certification you need for your website. Call us – 973-433-6676 – or email us for an appointment to talk about it.

Passkeys Not There…Yet

Passkeys hold a lot of promise in eliminating passwords. They rely on an electronic handshake to allow your device to access a secure website, and many password managers claim to link to passkeys. They’re getting there, but they’re not there yet.

A major hurdle right now is that not all websites recognize the passkeys from password managers. Sometimes, recognition depends on the device. Since most of us have fairly new cell phones, our phones usually have the ability to work with facial recognition, which is a form of a passkey. Older devices may not have the ability to work with this type of technology.

We suspect the move to newer computers – especially as Microsoft ends support for Windows 11 – and the need for better security will speed the drive to make more devices capable of using passkeys.

Why are passkeys secure? They eliminate the need to enter usernames and passwords, both of which are stored on the website you’re trying to access. We know the problems with usernames and passwords: they can be stolen by hackers from the website or your device, they can be forgotten, and we can make them less effective by using simple passwords multiple times so we don’t forget them.

Passkey information is stored on the website and in your device. They are not the same info; they rely on the handshake – sort of like two spies who each know what they need to hear in a phrase. On your device, the most common passkey information is a biometric (facial recognition or fingerprint) or a PIN (personal identification number). Because they are device specific, the system relies on you having your device when you log into the website.

When you combine a passkey with some form of 2FA (two factor authentication), you’re using an access method that has proven reliably secure up to now. Many of the leading password manager programs, such as Dashlane, 1 Password and Bitwarden, can create and store passkeys for you, and both Apple and Android can store their passkeys locally and access them using the keychain app on mobile devices.

Even if you can’t use the passkey with your password manager, you’re still ahead. Remember, with a password manager, you only need to remember a single master password. You can let the password manager generate a long, complex password for each website. That password should be immune from guesses based on any of your personal information.

More websites, too, are using passkeys instead of the username/password duo. As the websites use them more, you will have easier access to more websites, but that comes with a caution. The websites will need to tighten their security, too, to prevent more sophisticated hijackers from getting info from their sites. One of their hacks is to hijack cookies. You can help prevent that by not clicking on “Accept” when the cookie dialog box pops up. Instead, navigate to the “Cookies” or “User Data” sections and choose the shortest available session duration. That way your cookies will expire automatically or whenever you close your browser window.

To expand the conversation about the internet and security, you can apply the same security measures to any device in your office or home that uses the internet or a Wi-Fi network. Printer manufacturers such as HP have created anti-hacking steps, such as entering a PIN, to gain access to the information stored in a printer.

We can help you install and configure password managers and set up effective passkeys and other security measures. Call us – 973-433-6676 – or email us to talk about it.

Phishing in Your Own Waters

If you own a small business or professional services firm, you depend on your employees to have enough tech savvy and common sense to avoid links in email messages or on websites that open your system to bad actors. No matter how much you trust them, you need to verify they’re doing the right thing. You can test your human security defenses by using your own phishing expedition to see how they’re doing.

We’ve become acquainted with independent cybersecurity firms by attending conferences over the years. We learn a lot from our peers and presenters – such as it takes an average of 244 days to detect a system breach and that using the cloud will be a necessity by 2028. We’ve also emphasized the need to have a thorough security audit, but as an IT firm, there’s only so much we can do. We also think that an IT firm is not the best organization to really get into the granular details of your security because we all have a vested interest in finding problems to fix.

An independent security expert can find the smallest breach openings in your system and tell you what needs to be done. One of the most fascinating tools they use is a phishing campaign aimed at everyone who works in your organization. They can plant fake links and QR codes and any other tool that a hacker can use to get someone to open a window into your system. They also have tools to mimic the follow-up methods that hackers use once somebody makes the initial click – or the first phone call to a bogus number.

The educational value of using your own phishing expedition is enormous. Not only will it help you patch up holes in your organization, but it also becomes a great teaching tool about why everyone needs to be vigilant. As we use more and more data to conduct business – and in our personal lives – it becomes more and more important to protect that data. You should remember that your organization is part of a data custody chain – a chain that can branch off in many directions. Intruders are highly sophisticated and well-funded – as well as very patient. They will do whatever it takes to get into your system and build tunnels to other systems. You put your reputation and integrity on the line every time you take in data and send it out.

AI will be able to generate untold amounts of data, but there is little it can do to eliminate misinformation automatically.

Eliminating misinformation requires real human intelligence and deliberate, active steps to prevent that first breach – the one that could take 244 days to find. At the risk of sounding like a broken record, in every location and on every device used to conduct your business:

  • Use a firewall and make sure it’s up to date.
  • Use anti-virus and malware software and make sure it’s up to date.
  • Install updates to operating systems and application software on every device you have. Those updates contain security patches and bug fixes to prevent intrusions.

We can help you arrange for a comprehensive security audit that includes a phishing expedition and a deep dive into your equipment and practices. Call us – 973-433-6676 – or email us to discuss your needs and develop a security action plan.

Living and Growing with Technology

We have kids and grandkids who have never known life without wireless technology, and now we’re moving on to AI. Whether you’re a business or a family with an array of technology comfort zones, there’s an array of paths you can follow to help you keep it all together.

I believe one of our biggest dangers with technology is online shopping. Did you see who had the most ads? According to my observations, it was Temu, the Chinese shopping site. What’s the red flag? There are two: 1.) data collection and 2.) legal recourse.

With every purchase you make, Temu collects a tremendous amount of personal data, including, of course, the credit card number you use to buy stuff. AI, which is really the use of superfast computers that can digest and regurgitate massive amounts of data, makes it possible to analyze every aspect of your shopping preferences. Even if you guard the privacy of your data persistently and diligently, some well-programmed AI can find out things you never knew about you. Conceivably, it helps Temu and similar websites present you with product choices and price points that will generate a purchase.

And because Temu is based in China, it operates under Chinese law, not US law. Not only will you not have the same legal recourse in China to protect you from financial loss, you likely won’t have the same regulatory protection about what data is collected and how it’s protected.

Another convenience we like is setting up automatic payments for products or services that are linked to our credit card or bank account. It’s a convenience for consumers and providers, and you can sometimes get a discount for automatic payments.

I dread the day my payment info gets hacked, and there’s no convenience factor that makes it worth the risk of being hacked. If you agree, there are two critical steps you can take to minimize your risk: 1.) Reset your login credentials for your financial accounts and the sites that draw automatic payments. 2.) Set up two-factor authentication (2FA) for every website account that offers it; biometrics and text messages to a device only you can access are best.

Biometrics can include facial recognition, and it offers the best combination of safety and convenience, especially for phones and tablets. Unless somebody has stolen your device and used your digital passcode to get into your settings and take a picture of themselves to reprogram your facial ID, only you can respond. Using a mobile device for a text is good because you should have the device in your possession for the authentication process. The use of authenticator apps such as Microsoft Authenticator or Google Authenticator is a good step.

Younger people typically take more easily to these new authentication methods, but those who are older or not entirely comfortable with technology should find them easy to use once they’re properly installed and configured.

Staying with the theme of age and technology, we have an elderly client who had some issues with a new computer. We tend to think older people are more comfortable with a computer, but we found the client preferred to have a second iPad. We associate iPad and iPhone use with younger people who can easily adapt to a different way of doing things with really quick thumbs. But there are keyboards for any mobile device, and those who use hearing aids can take advantage of Bluetooth with their devices.

The biggest challenge with using a tablet or phone in place of a computer is setting up ways to download, store, and use files with apps mostly associated with a computer. Multitasking is more difficult with a tablet or phone, but we can accommodate most needs for most people.

With tech playing such a large part of everyone’s business and personal lives, it makes sense to tailor the technology to the person rather than the other way around. If you or someone you know has special technology needs, call us – 973-433-6676 – or email to discuss ways to make technology work.

Cookies, Passwords, and Computerless Invasions

We disdain cookies and passwords so much that we expose our sensitive data to hackers who never need to invade our computers, phones, or tablets to get it. There’s so much information about each of us out in there, yet we use skeleton keys instead of padlocks to protect what we can.

You can adjust your cookie settings to limit tracking cookies, but website operators make it cumbersome – because they want advertisers and merchants to pay them for ways to track you across the internet and sell you stuff. Cookies get a lot of notoriety because of that, but they also serve useful purposes. They enable a site to direct you properly to the areas you need to go to and display appropriately for your browser and device.

Tracking cookies are another matter. They can tell anyone who plants a tracking cookie on your device where you go, and that’s creepy on the one hand and dangerous on the other.

I generally ignore all those cookie messages or just accept all cookies. I feel that many trackers already have information on me, and I am confident I’m savvy enough to avoid online traps. You should be, too, if you follow us regularly. The ads and even the phishing expeditions are a royal annoyance, but you’re safe if you’re smart.

Tracking cookies get dangerous when they converge with weak passwords. This affects business and personal internet use, and here’s how cybercriminals get you.

Once cyberstalkers know where you go, they can make some guesses about your username, which usually has an element of your name or your entire email address, and they have software to try to crack passwords. If you have a weak password – such as the first initial, last name, and 123 that a friend who got hacked used – they’ll crack it. And if you use it at multiple sites, they’ll get into every one of them. And they never had to get into your computer to get into your accounts. The clues were out there to find your bank account or credit card number to clean you out or go on a shopping spree.

The problem, of course, is with a weak password and the lack of a password manager. As an aside, if you are hacked, we use your cookies to see where you’ve been and see if something there has led to someone getting your info and maybe your money.

Finding a strong, unique password or several really strong passwords that you can easily remember is not that hard. What’s an odd association with your name or something you see when you look out the window? What’s a number that’s not tied to your birthday, phone number, or something else that could be part of your public record? What’s a random word that relates to nothing? Where can you substitute a number or special character for a letter? Following that process, any combination of 12 to 16 characters should give you a strong password.

If you combine a strong password with a password manager, you can let the password manager generate random strings of letters, numbers, and characters that become strong passwords. And if your password manager and the websites you visit have facial recognition capability, it’s simpler, stronger, and even faster.

We can help you configure a password manager for individuals or groups, and we can help with improving your password security. Call us – 973-433-6676 – or email us to discuss your needs and develop a plan.

A Guy Gets in a Tesla in Ukraine…

A Tesla driver in Ukraine got a “free ride” on Spotify, courtesy of a US Tesla owner whose car was totaled. It was one of the many ways electronic hitchhikers can access your data on so many different kinds of things. This is just the latest story of how our data lives on – and on – when we no longer own (or lease) a car with an infotainment system or Bluetooth, a copier, or a mobile device.

How did a Tesla owner in Ukraine happen to have access to a Spotify account? It happened like this.

An executive news editor at a major TV outlet recently tweeted (or X’d) that a Tesla he had totaled last year was now in southern Ukraine, and the new owner was listening to Drake on his Spotify account. Reporters tracked down what happened to their editor’s car. An online auction site scooped up the Tesla after it was totaled and listed for sale. Someone in Ukraine appears to have won the bid, and the car was shipped from New Jersey to Europe, where its new owner was able to access the editor’s personal Spotify playlists.

The editor contacted Tesla to see how he could log out of his former car, and the company instructed him to disconnect the vehicle from his account. But several steps, such as entering new owner information, were impossible. Experts in data security told reporters that simply disconnecting an account from the car does not prevent your data from being extracted. They said Tesla should have had a feature to “wipe all my info from this car” long ago.

This is far from a Tesla-specific issue. Cars, laptops, smartphones, TVs, and even refrigerators are now internet-connected devices that can store personal data.

In the office, networked copiers are used as printers and scanners and save everything that passes through them. The equipment manufacturers build this in because leases can be based on the number of pages a unit scans, copies or prints. Today’s units also have long service lives after a lease expires. So when you turn back a copier to lease a newer model, the copier company puts it back on the market. Unless you’ve taken specific steps to wipe the data clean, every document run through the copier goes on the market, too.

We must confess we don’t have access to the menus for the service functions that can wipe the data from a unit, and we haven’t found a way into them – yet. So your best resort is to contact your copier company and make sure all your personal data is wiped clean before the machine leaves your premises.

It may take a little searching through the menus for other devices, but you should be able to find the magic button that returns each of them to factory default settings. iPhones are top of mind for this now because the iPhone 15 is hitting the market later this month, and that – along with new phones from other manufacturers – triggers a spree of trade-ins to bring down the price of a new phone. You might also plan to get new computers for your office or your children for the new school year. The same principle applies. Wipe every device clean of all your data.

Along the same lines, wipe them clean if you’re renting a car and using your data on the Bluetooth and infotainment system, including iOS and Android systems that run through the radio. And make sure you log out of your TV subscriptions before checking out of your hotel room or rental home.

If you’re not sure how to wipe a device clean or log out of a subscription, call us – 973-433-6676 – or email us to walk you through the process. We recommend you do this well before you turn in your car or room key so we’re available to help. In the age of internet-connected vehicles and devices, you never know who’s going to get one of them next.

Old Security Habits Never Die; They Should

We still seem to see the same bad security habits we’ve always seen. Now, they involve PINs as well as passwords. Here are some bad habits you need to break.

The first bad habit has to do with keeping track of passwords and PINs (Personal Identification Numbers). We’ve discussed passwords ad nauseam, and the problems we find with them are they’re either forgotten, left in places where anyone can see them, used repeatedly, or made so simple that they’re easy to crack.

If you habitually run across any of these problems, you need to seriously think about how you can make your password system stronger. Some of the suggestions we’ve offered include making your passwords long and using a system that lets you vary one or two keystrokes or a word or phrase to keep them different. The system helps you remember your passwords – or at least the ones you use the most or ones you need while away from your computer. In creating your passwords, you’re better off using a longer password instead of a shorter complex one. Longer passwords make it more difficult for hacking software to figure it out.

A related issue is those security questions. Don’t give real answers that involve information in public records. Somebody can easily see where you’ve lived, where you went to school, etc. They can probably find out what your first car was.

PINs are meant to solve most of the issues, but they can run into that “forgetful” problem, too. An additional problem with PINs is that when you change devices, you need to reset the PIN. Again, that can be a real problem if you don’t remember the PIN you used.

Some people use their browser or a feature on their phones to save passwords. The danger there is that those passwords can be easily stolen, especially if you happen to visit a “phishing website,” one that has the look and feel of a legitimate website. When we feel rushed or stressed about things going on in life, we’re more susceptible to clicking one of those links or making a typing mistake. The owners of “phishing websites” typically have website domains related to common typing mistakes – although some companies have those sites, too, to make sure you can reach them. The old habit to break here is to take a deep breath when you’re online to make sure click on a legitimate link or type a domain name correctly.

Rather than use a browser or phone password saver, we recommend you a password manager. Dashlane and Last Pass are two that are well known, but using any manager gives you stronger protection. You’ll need to set aside time to get your password manager properly configured and to enter all the passwords you want to protect. The process includes setting up a master password that gives you access to the electronic vault where all your passwords are stored. The key to success is never, ever forgetting that password or giving it to anyone except one or two trusted people.

Credit card numbers can be hacked, too. A couple of our clients had their numbers stolen, and although they changed passwords, they still wondered what else might be broken in their system.

We can help you with security breaches. We take the time to look closely at your system to see how each change you might make – changing passwords or adding a password manager – will affect you. Our analogy here is to the new kitchen that we’re getting. As we change the room and add things like electrical outlets or lighting fixtures, we have to open holes in our walls and ceiling, and we don’t know what’s there until we get them open. It’s the same with your tech system. Without looking at everything, we can’t tell how one change will affect your system.

Call us – 973-433-6676 – or email us to discuss your needs and do the appropriate patching, including installing and configuring a password manager.