Today, the gasoline shortages caused by the ransomware hack of Colonial Pipeline are in our rearview mirror. Hopefully, the memories are not forgotten. There are things we can all do to make it harder to access and hold our data for ransom . . .
Get Your Files in Order
It took the unfortunate sudden death of a friend’s parent to get us thinking about how we need to organize the electronic aspects of our lives. So many . . .
COVID Vax Posts Help ID Thieves
You lock your doors. Security cameras ring your house. And then you post pictures of your vaccination cards on Facebook after you get your injection. We regard our vaccinations as an achievement and an encouragement for others to get their shots. Identity thieves are not gonna miss their shot at mining your data.
Let’s be real. The information on most vaccination cards is minimal: your name and your date of birth. Both pieces of information are likely known to many people and organizations who interact with you, and it’s all readily available on public information websites. We won’t get into how many of you don’t make your year of birth available on Facebook for “privacy” reasons. But you do appreciate birthday greetings.
That said, let’s get back to the vaccination cards. I fall into two groups: 1c for my age and 1b for health reasons. If an ID thief is looking for some way to carry out medical fraud, my info is right there. Looking at my age and 1b status, the thief has the makings of a target. The name and date of birth on an official document validate who you are.
The thief can find my home address. Again, it’s public information, but when it’s added to my “dossier,” it’s another piece of a puzzle. I know I have added more clues about me when I shared some of my hospital visits. In and of themselves, each piece is small, but a thief may have enough to start looking at things just to let me know that they know me.
Then comes the phishing email disguised as an offer about some kind of insurance. If I bite by clicking on a link or opening an attachment, the thief can plant some malware to get a lot more information by mining my data. They might even get into my medical records and have enough info to file a false claim for treatment I never had. They might also lock me out of my records by changing all my login credentials and using HIPAA regulations. In short, I can wind up on the hook to pay for treatment I never had, and I can’t get info about the bill.
It’s one scenario about how big data can be mined – legally and illegally – from one small piece.
You can be vulnerable in other ways.
Let’s say you take a car trip somewhere, and you post a picture that includes your car and shows its license plate number. If your car is desirable, a thief can use your license plate number to trace your address – or maybe start observing you. When you leave the car somewhere, such as in a supermarket parking lot, it’s easy enough to get the VIN number through the windshield and then take steps to retitle your car before stealing it and selling it “legitimately.”
Big data makes these examples possible. There’s a lot more out there all the time, and hackers are more sophisticated. Better software tools allow more thieves to gather and analyze data to pinpoint a target and let them commit a larger number of small crimes that add up to decent money.
Our advice is simple: Don’t put any more of your data out there than is absolutely necessary. Be careful about what you photograph and post. Be careful about how you handle email and about the info you provide – even to legitimate businesses and organizations – by email or telephone. Even with those you know, question why they need certain information, such as your Social Security Number. Use common sense.
You can augment your common sense by keeping all your operating system and application software up to date; updates usually include security patches and bug fixes. Install, properly configure and update anti-virus and malware protection software. We can help you install and maintain software. Call us – 973-433-6676 – or email us to set up an appointment.
Oh, and one more thing: Get your COVID vaccination as soon as you can!
Unlocking Phones of Masked Users
Apple’s upcoming upgrade to iOS 14.5 will make it possible to use an Apple Watch to use facial recognition to unlock your iPhone while wearing your mask. iPhone users without the watch and Android users will still have to jump through hoops to unlock their phones while masked. A year into the pandemic, we have to ask: Why has this taken so long?
Biometrics have long played a role in being able to unlock a cell phone. The first systems used a fingerprint for touch ID, and it has been a bellwether. Many cell phone users still rely on it. Face ID came along next, and many cell phone users rely on it to unlock phones quickly and easily. It’s as good as unencumbered gets.
But with COVID-19 and mask wearing, Face ID doesn’t work. If you want to use the technology while complying with public health needs, Face ID is about as cumbersome as it gets. The less-than-ideal workaround is something like this:
- Go to the Face ID option in the settings.
- Register for an alternate appearance by going to Set Up Alternate Appearance (or the Reset Face ID).
- Take a mask and fold it in half. Assuming the nose as the center point, put it in front of your face. It is recommended that you cover only the tip of the nose with the mask.
- Start registering your face like you normally do with the Face ID. When the system prompts with a message “Face Obstructed,” start removing the mask very slowly until the system says move your head slowly to complete the circle.
- Once the process is done successfully, you will get a message that the Face ID is set up.
If this doesn’t work the first time, you’ll need to retry it. You may need to try another trick, such as selecting an alternate appearance option if it’s available.
Apple contends you should use a numeric code to unlock your phone while wearing a mask. They also note that manipulating the Face ID software could compromise your phone’s security. Most likely, they’d prefer you get an Apple Watch if you don’t already have one.
Once your iPhone is running iOS 14.5 and your Apple Watch has WatchOS 7.4 installed, you can turn on Unlock with Apple Watch with a few taps. Open the Settings app on your iPhone and then select Face ID & Passcode. Next, scroll down until you find the section titled Unlock with Apple Watch. The name of your Apple Watch should be listed there. Next to it is a toggle to turn the feature on or off. Slide that switch to the On position and then back out of the Settings app.
Whenever you’re wearing a mask, all you’ll need to do is hold your phone up as normal to unlock it with Face ID. You’ll feel a haptic tap on your wrist, letting you know your watch was used to unlock your phone. The alert on your watch will also include a button to lock your phone in case it was unlocked by someone else. It’s a security feature to ensure someone else doesn’t pick up your phone and unlock it while wearing a mask.
You can expect to see iOS 14.5 in April. As the release date gets closer, we’ll pass along whatever we find out about other security features. Once it’s available, we’ll be on hand to help you configure your watch, phone and iPad if need be. Call us – 973-433-6676 – or email us to find out what you’ll need to upgrade your iOS security.
The Ill Winds of Solar Winds
Look for a continuing fallout from the breach of Solar Winds, the giant technology management company that was responsible for the high-level federal government systems that were hacked last year. The hack is top of mind because some of our most sensitive systems were hacked, but businesses were affected, too. It’s time to look at the world of big data management.
The lesson we all need to learn from the hack of Solar Winds is that nothing is truly, truly safe. We don’t know where government agencies and private industry systems were breached – and how badly they were breached – and when it comes to the government systems, we’ll probably never know. But I don’t think we’re going out on a limb by saying that 1.) Solar Winds will need to work extra hard to regain the confidence of customers (and their customers, too) and that 2.) if they don’t succeed in repairing their systems and reputation, they’ll join a lot of other companies on technology’s garbage heap. From our various industry contacts, we had heard customers wanted to leave Solar Winds for reasons other than security.
The big data management companies should be subject to much more scrutiny by government oversight and by their customers. Strict government oversight similar to what we do to monitor CIA activity is necessary because of the extremely critical and sensitive nature of government work. Industry regulation is required to set standards for performance and accountability.
How much oversight and regulation are needed is a political question. What is not political is the need to keep our systems secure and, where possible, insist on transparency in letting us know when things go wrong. Dependency is critical because every system is so intertwined. It’s easy to see it if you look at it like a wheel. In the case of Solar Winds, look at them as the hub, and then look at every organization in their customer list as spokes connecting the hub to the rim. The rim is everyone who does business with any one of the spokes.
Solar Winds and its customers are not the first victims of sophisticated hacking, and unfortunately, they won’t be the last. Google has experienced problems, including an email issue last month, and Microsoft has had its share of issues. Look at what our nation went through with security for our elections.
As individuals we can demand that big data management companies take greater care, but we also need to own our security and asset protection. A lot of it is technology-based. We’ve implored everyone over the years to keep all operating systems, networks and application software up to date – to make sure you download and install updates, security patches and bug fixes. We’ve implored everyone to have all data securely backed up and to have a plan to get your assets – like money in your bank account – when you need them.
Beyond that, be critical of information requested when you fill out forms. Why does somebody need your social security number? Even for a job application, does your prospective employer need that information before they’re ready to do a background check or pay you? Don’t be afraid to question a request or demand a satisfactory answer. For companies where you have critical relationships, like your bank, maintain personal contacts. Know that you can pick up a phone and actually talk to a real human being when you’re concerned about your asset. We can help you with the technology part of security. Call us – 973-433-6676 – or email us for a security audit or to discuss applications and processes that can keep your computers as safe as possible when a big data manager is breached.
Strengthen Your Security
We’re probably as normal as we’re going to get with working at home, and that will put more pressure on businesses and employees to step up security. Virtual Private Networks (VPNs) have been around for a while, but we’ve never been completely sold on them. They can give you a false sense of security.
As we see it, they depend on too many people (and organizations) doing the right thing to work effectively. Essentially, they take you across somebody else’s network, and unless you’re the one who vetted the provider and set it up, you have no way of knowing if it’s safe. If you use a computer, cell phone or tablet on a compromised VPN, you’re providing multiple access points for anyone who’s hacked the VPN. It only takes one weak link to compromise a network, and it could take months before a security breach is found. That could be too late to prevent any damage, such as an intrusion of sensitive files or identity theft.
We’re OK with using a VPN while traveling. It’s generally good for a short period of time, and it’s likely to be used by a small group of people in your traveling party on known devices. Whether VPNs are reliably secure in certain communications environments is a debatable point. Given all that is going on today, we believe it’s better to err on the side of caution and use them in limited situations to meet specific needs.
There are much better steps to take, such as two-factor authentication and using mobile apps that store your password.
We’ve discussed two-factor authentication before. While it can take many forms, it generally works by sending a 6-digit code in a text message to a designated mobile device. You then need to enter that code on whatever device you’re using to log onto a website. The problem is that if you are near a cell tower that has been compromised, the communication involving your text message could be intercepted and redirected. It’s not likely in the United States right now; it was more of a problem with older towers. Still, it’s yet another reminder to keep your guard up at all times.
The authentication apps that save your passwords are run through Microsoft and Google, two behemoths that have an equally large stake in your security. The key factor here is that the password is stored in your device, not in the cloud. Anyone who steals your password this way must physically have your device, and they must know your username and password. That minimizes the chance you’ll be compromised – even with a lost or stolen phone.
We’re available to answer any questions you have about security on all your devices and across all networks. Call us – 973-433-6676 – or email us to talk about who uses various devices within your business organization or family and where they use them. We’ll help you develop a plan or policy, if necessary, to strengthen your weakest links and maximize security.
Home Remodeling – Technology Style
Homes were caught short when everybody had to stay home to work, learn and entertain themselves. Wi-Fi networks and the internet had to carry much more traffic, and the rapid rise of new technology needs created holes for hackers to tunnel into systems. Here’s what you need to do.
First, shore up your security. Treat every device in your home that’s connected to the internet like it’s a block of gold in Fort Knox. Make sure your gateways, routers and firewalls have up-to-date security patches and bug fixes installed and running. Do the same for the firmware for every piece of hardware and software for every operating system and application that everyone in your household uses. That includes all of your smart-home devices and TVs – and make sure you have changed the default user names and passwords that came along with those devices.
We can’t emphasize this enough. That’s because between work, school and socializing, we all have more people coming in contact with our systems and every other system we’re connected to. If you have weak spots in your home system, the security of your personal financial and health data could be at risk, and so could the systems at your place of work.
In short, you may need to “remodel” the technical architecture of your home to make sure your systems and devices are airtight.
Second, make sure everyone in your home understands the security settings of all the new software you’re using for work, school and social interaction. We and our kids are all into using the latest and coolest collaboration tools, and the providers of those tools and the users need to pay special attention to how to set them up and use them safely.
Zoom is the collaboration tool that comes immediately to mind. Before stay-at-home orders went into effect some three weeks ago, very few people knew about Zoom, which is still considered a startup company. To encourage people to use it, Zoom quickly spread the word about its free service that allows 100 people to gather interactively online for up to 40 minutes. The two operative words here are both four-letter words: Zoom and free. You get what you pay for.
To make a long story short, Zoom rushed out the adaptation of a business application as a consumer app, and it left a lot of security holes. Two of the glaring issues, which were acted on by Zoom two weeks ago, were the sale of user data to partners for marketing purposes and the insidious “Zoombombing” incidents. The latter problem led to hackers placing porn material in school lessons and white-supremacist invasions of meetings, classes and chats sponsored by religious organizations.
Zoom stopped some of the data sales and reworked its privacy setup. It also ramped up the security requirements for people to join a Zoom session.
One other thing that home users likely have noticed is the drop in internet speeds from their ISPs. That’s a consequence of the ISPs trying to manage the massive demand for data. As a result, you’ll all need to manage your internet use to optimize performance in your homes.
We can help you with security audits, setting up security software and automatic updates for firmware and software. We can also help you with security settings for apps like Zoom. Call us – 973-433-6676 – or email us for an appointment.
What Are Your Biggest Online Threats in 2020?
Cyberthreats will be coming at you – and any person or organization with whom you have an online relationship – with increasing speed and sophistication. For some, it might feel like you’re living inside an online fantasy game, but it’s real life. Here’s what to look for.
Phishing and Social Engineering
There’s nothing new about phishing, where cybercriminals try to obtain sensitive information, like passwords or financial information, usually by using links in emails to install malware to breach your system. Non-profits have been major targets because they don’t have alert systems built into network infrastructures, but any business, governmental organization or individual can be hit. We’ve discussed the need to be highly aware of what you’re clicking and to exercise extreme caution. As an individual user, you have control.
At businesses, it’s a bigger chore to combat phishing. Attacks enable hackers to steal user logins, credit card credentials and other types of personal financial information, as well as gain access to private databases.
Going hand-in-hand with phishing is social engineering, which can cover a multitude of attacks such as disinformation and deep fakes spread by social media. We see this as one of the biggest threats you face this year.
Social media makes it easier to spread disinformation faster than anyone can send out the facts to repudiate fakery or misrepresentation. Deep fakes relate to fake images and videos being created by deep learning techniques. We’ve seen them in the political arena and can expect more of them to be leveraged as a tool to attempt to discredit candidates and push inaccurate political messages to voters via social media. We’ll also see them in ransomware, showing targets realistic videos of themselves in compromising situations. We’ll also see more spoofing in business email with deep fakes used to add a further degree of realism to the request to transfer money.
Ransomware
Ransomware attacks cost billions of dollars every year, as hackers literally kidnap an individual or organization’s databases and hold all of the information for ransom. The rise of cryptocurrencies such as Bitcoin spurred ransomware attacks by allowing ransom demands to be paid anonymously. As companies build stronger defenses against ransomware, some experts believe hackers will increasingly target other potentially profitable ransomware victims such as high-net-worth individuals.
Third-Party Vulnerabilities (IoT, Cloud, Supply Chain)
This is a tough threat to ward off because you have some control over your vulnerabilities but not all of them. With the Internet of Things (IoT), you have control. Make sure that you change every default username and password for every device you connect to your network and have a strong network password and firewall. I have little sympathy for people whose systems are hacked because they didn’t take the proper setup steps to prevent invasion.
The cloud is as safe as you can get, especially with large, reputable service providers. They have the resources to deploy the most advanced security measures and multiple services to protect your data. Our advice here is to use a top-rated cloud service provider and make sure you have protected your network, just as you would to maintain IoT security.
The supply chain is tough. With so many companies using the internet to fulfill product orders, manage vendors and customers and provide financial services, each one of them can rely on hundreds of vendors. You rely on all of them to keep your data safe, and that can make any one of them the weakest link in your security. Your best defense is to take every security precaution you can, such as keeping your software and hardware up to date, using common sense on what you click, and letting others know when you have concerns about their security.
Internal Attacks
We have only begun to see the impact insiders can have on organizations as well as national and global security. While the news focuses on dangerous insiders exfiltrating data to foreign governments and terrorist organizations, you need to focus on your business – and your business partners. In all likelihood, your biggest threats will be data theft for monetary purposes – similar to effects of ransomware – or some disruption of your business by a disgruntled or careless employee.
5G’s Unprecedented Data-Theft Speeds
5G cellular technology promises unprecedented speed to make it possible to have more effective infrastructure, autonomous vehicles, faster emergency response and greatly improved telemedicine. It will be almost entirely software-driven; you’ll need hardware capable of handling it. Because it will be software-driven, it will be susceptible to hacks. You’ll need to follow safe internet practices and hope that everyone else does, too. There’s not much you can do technologically in the grand scheme of things, but you can and should demand that large organizations and governments take steps to protect 5G networks.
We can help you make sure you have the knowledge and systems in place to protect your systems from cyberthreats. Contact us by phone – 973-433-6676 – or email to discuss your needs.
7-bit#, 7-bit#-not PW123 – A Password Primer
This headline depicts how passwords are written and stored in your computing environment. We won’t go into heavy details, but it essentially works this way.
When you put letters – upper and lower case – and numerals and special characters into your password, the storage system records them in a code involving 7 bits and a # symbol. Hackers have learned that if they attack your password in #s, or hashes, they have a shot at cracking your password.
When you change just one special character – or number or letter, you’re only changing one #. You’re actually making your security worse when you do that, especially if you have a really simple password and depend on a &, $ or @ to keep your passwords secure.
Here’s what you need to know about keeping them secure, and if you understand the principles, you’ll know why passwords can’t go away fast enough.
- Don’t change just one number or special character. If someone has managed to get close to your password, it doesn’t take much to run a program that swaps out 10 numerical characters and maybe eight special characters.
- Don’t use short passwords. A computerized analytics program can run through a short combination of letters and characters faster than you read this sentence.
- Do use long passwords with combinations of upper- and lower-case letters, numerals and special characters.
- Do change several numbers and/or special characters when you change your password.
- Do make your passwords illogical. We all try to keep some semblance of something we can remember because we need to have passwords for so many websites or apps. But if a hacker catches onto your logic, you’re more vulnerable.
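A check that a password-change form could apply to enforce the "don't change just one character" and "don't use short passwords" rules above. This is an added example, not code from the original post; the thresholds (`min_changes`, `min_length`), the case-insensitive comparison and the eight-character `SPECIALS` set are assumptions chosen for illustration.

```python
"""Password-change check: reject a new password that is a small edit of the old one."""

DIGITS = "0123456789"
# Constructed set of eight special characters, standing in for the post's "maybe eight".
SPECIALS = "!@#$%^&*"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character inserts, deletes or swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(
                prev[j] + 1,               # delete ca
                cur[j - 1] + 1,            # insert cb
                prev[j - 1] + (ca != cb),  # substitute (free when equal)
            ))
        prev = cur
    return prev[-1]


def single_swap_candidates(password: str) -> int:
    """Count the passwords reachable by replacing exactly one digit or special
    character with a different digit or special character."""
    pool = set(DIGITS + SPECIALS)
    swappable = sum(1 for ch in password if ch in pool)
    return swappable * (len(pool) - 1)


def check_password_change(old: str, new: str,
                          min_changes: int = 4,
                          min_length: int = 12) -> list[str]:
    """Return a list of problems with the proposed change (empty list = accept).

    The old password is available here because the user types it on the
    change form; it is never stored in clear text.
    """
    problems = []
    if len(new) < min_length:
        problems.append(f"too short: {len(new)} characters, need {min_length}")
    # Assumption of this example: compare case-insensitively so that flipping
    # the case of a letter does not count as a change.
    distance = edit_distance(old.casefold(), new.casefold())
    if distance < min_changes:
        problems.append(
            f"too close to the old password: {distance} edit(s), need {min_changes}"
        )
    return problems


if __name__ == "__main__":
    old = "Summer2023!"  # constructed sample values
    for new in ("Summer2024!", "correct-horse-8-battery", "vT9#qLm2&xRw8!Zd"):
        print(new, "->", check_password_change(old, new) or "accepted")
    print("one-character variants of the old password:", single_swap_candidates(old))
```

For the constructed password `Summer2023!`, only 85 one-character variants exist, which is why a single swapped digit or symbol adds almost nothing.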
We can’t emphasize strongly enough that password and internet security get more critical every day. Hacking and ransomware attacks get more prevalent, and the stakes are higher as we digitize every aspect of our corporate and personal lives. Governments, agencies and school boards – Livingston here in NJ being the latest – have fallen victim to ransomware attacks, and all face the agonizing decision of whether to pay up or try to recover their data. The latter can take longer and be more expensive than the ransom payment, but for some, it’s a matter of principle.
This leads us to four other recommendations when it comes to passwords and internet security:
- Use fake answers for the security questions that accompany passwords on many websites. So many of them involve facts that are the matter of public record, including addresses, your first car and your maternal grandmother’s middle name.
- Use a password manager program – and let it generate random passwords for every online account you have or ever hope to have. You just need to remember one password, and you can use it to download every password you have if and when you need to know each one.
- Have a real backup program for your data. OneDrive and Dropbox are good for storage, and you can recover your data file by file. A backup program such as Azure allows recovery and restoration more efficiently.
- Switch from passwords to biometrics whenever and wherever you possibly can. Biometrics are becoming more available, and it makes sense to incorporate them where you can.
Contact us by phone – 973-433-6676 – or email to talk about a good backup program, a password strategy and/or moving to biometrics. And above all, practice safe password protection.
Email in Disguise
The trend of getting voicemail messages through email is opening new doors for hackers to enter computer systems. Scammers are using email with spoofed addresses to hack into business operations, such as wiring money. Today’s office environment provides a perfect setup for a hacker: You hit people when they’re juggling multiple tasks, and you come across as a colleague or customer in an expected environment. We have two examples from our client experiences that show how easy it is for a problem to go undetected. And we have some tips to strengthen your security.
The problem with the voicemails happened while we were on vacation in Hawaii, which has a six-hour time difference with New Jersey. Our client reported getting emails about missed calls – which could have been generated by their voicemail/email system. It’s a growing trend to handle voicemails because phone and email run on the same networks, and sometimes it’s more effective for an employee to click a link and return the call while the message is on the screen.
And that’s how this problem showed up. Every time our client clicked on the link, nothing happened. When we got back from vacation, our first job was to install a new computer for the client. Everything went as planned, but then we got a call that the client only had 11 emails in the system. To make a long story short, it took all day to find all of the emails in a “recovery for deleted emails” folder and restore them – all 75,000 of them. The time was lengthened because we needed to sort them to cull the voice-mail files.
We changed the password immediately to cover the possibility the computer may have been hacked. After that was done, we got a call that our client couldn’t click to return numbers left in voicemails. I left a voicemail, and we were able to get a return call.
The likely issue is that someone from the outside spoofed a known and trusted phone number. The lesson here is that if it happens a second time, don’t click the link. While you may not know if you were hacked or fooled by some malware, you should know that something is wrong and needs attention. The earlier you let us know about it, the sooner we can work with you to mitigate the problem and minimize damage.
A second incident could have been catastrophic. Again, we awoke to find several urgent emails from a client that regularly wires large sums of money to entities worldwide. The incident occurred July 1, when they were preparing to wire nearly $100,000 to an entity. The entity to which they were wiring the money said they hadn’t received their wire in April. That raised alarms. We learned that the amount of money in both transfers was consistent, and the entity to which the money was to be wired could change names from time to time. Everything with the April and July transfers seemed to be within the realm of normal operations.
While we couldn’t get the April money back (the client had insurance to cover it), they were able to halt the July transfer. At the same time, we worked with them to develop new policies to help double-check money-wiring instructions and monitor the process better.
Among the key takeaways from these incidents, you should always be on guard because hackers and cyberthieves are getting much, much better at disguising their identities. When it comes to VOIP and cellular voicemails, it becomes way too easy to click on a number to return a call. That click could direct you to a link that installs some kind of malware. You can write down the phone number and initiate a phone call – much in the same way you can open a browser and go to a website instead of clicking on a suspicious link. In a related matter, the Federal Communications Commission (FCC) is about to force telephone carriers to verify the phone number location of incoming calls. This should reduce – at least for now – phone number spoofing.
Also, be vigilant about looking for anything that looks like a change in your operations or the entities you deal with. Don’t hesitate to pick up the phone and call somebody to verify instructions.
We can help you fight fraud and mitigate security issues in a number of ways, including security assessments and developing and installing rules and policies for critical operations. Call us – 973-433-6676 – or email us for an appointment.