Password Problems Revisited

To take our discussion of vanishing passwords one step farther, some recent service calls for clients who’ve been hacked – some multiple times – have provided still more reasons to move on to newer technologies.

We are getting numerous calls from clients to help them set up Dashlane, including one client who has been hacked seven times. We tried to get them to use Dashlane or Password Keeper. Now, they’re ready to do it the right way. They’re ready to move beyond the annoyance of having to remember or look up passwords for security and type them into a website. For now, Dashlane or another password manager can resolve the issue for most people who are fearful of trading passwords for newer password-less technologies.

As we’ve noted, people set up passwords that are easy to remember or type. There’s generally enough repeatability that a code cracker can solve the puzzle you’ve tried to create. That happened with our client, whose bank account was hacked. As we were setting up Dashlane and downloading emails, we noticed the client had been getting alerts that the password had been changed. They had not made those changes. It took a phone call to resolve that issue, and it took Dashlane to ward off the hackers.

We should note here that there are a couple of important side lessons to learn from this experience. The first is on you: Call the company – and don’t necessarily use the phone number in the email; get one from their website. The second is on the companies: Make it easier to get a human on the phone when somebody has a security issue. We went through five layers of voice prompts before talking to a person.

Once the “alert” issue was resolved, we were able to fully install Dashlane. The process does take time. Installing any password manager requires you to pay attention to details and maybe some repetition. For financially sensitive accounts, you may want to generate another round of new random-pattern passwords as an extra layer of security. A password management program should allow you to print a copy of your database with all of your passwords – just in case there’s a mistake or if you decide to stop using the program. It should also work across all of your devices: computers, phones, tablets, etc. If you are one of the growing number of people who use an infotainment system in your car like a computer, you might want to change sensitive passwords frequently – as often as once a week.

Again, you only need to remember your master password for the password manager, and that can be a tremendous time saver, especially if you need to access a website from a mobile device.

But again, we believe you should use password-less technologies. They’re more secure, and they are easier to use than many perceive. For example, many Windows 10 computers have Windows Hello, and you can use that to add a fingerprint reader. The reader itself is about the size of a wireless mouse device and plugs into a USB port. Similarly, many mobile devices can use your fingerprint to verify you are the owner and user. If your computer or device has this capability, we strongly urge you to use it.

Many computers and devices also have built-in cameras that can be used for biometrics, and some advanced security measures use locations and usage patterns in place of passwords. As a backup, all of these measures have provisions for a PIN or a password if the biometric program can’t be used or if you don’t want to use it.

We can help you set up a password manager or – better still – go password-less. Call us – 973-433-6676 – or email us to get answers to your questions or to set up an appointment to manage your online security.

Using Alternatives to Passwords

We have harped…and harped ad infinitum…about having strong passwords simply because those strings of upper- and lower-case letters, numbers and special characters offered the best chances of staying ahead of the hackers. But we’ve always reminded you that something better is needed because the bad guys have a vested interest in developing better systems to crack passwords and in finding more ways to exploit vulnerabilities in anybody’s electronic vaults that store vital personal and corporate info.

When one of our clients got hacked, we installed a password-less system to offer them better security. Our solution, which uses Microsoft Azure, is one of the emerging technologies to replace passwords with biometrics, one-time codes, hardware tokens and other multi-factor authentication options. What they do is exchange tokens and certificates without users – you, your employees and your customers – needing to remember anything. The new pathway to better protection even bypasses the password managers that many of you use.

IT industry figures show that more than 80 percent of security breaches involve stolen passwords and credentials. We all pick passwords that are too simple and easy to guess, or we store and reuse a few complex passwords that we can remember. That problem is exacerbated by forcing regular password changes even without evidence of breach. If password reset systems rely on people, they can be fooled by social engineering. Password-less technologies can combine certificates with contextual security policies that require less from you. They rely more on trusted devices and connections, and they can add layers of complexity as risks rise. New security can be based on the value of the content and factors such as user behavior, device location and connection, or the state of the device.

You can already set up password-less access using Microsoft’s Azure AD Conditional Access. Many of you who use our backup services already have Azure accounts, and you can use the technology to manage:

  • Sign-in risk to identify who’s signing in and determine who’s a risk.
  • Network location to determine if access is being attempted from a network location that is not under your control or the control of your IT department.
  • Device management for accessing cloud apps from a broad range of devices including mobile and personal devices.
  • Client application to manage cloud access using different app types, such as web-based, mobile, or desktop.

There are some cross-platform technologies available for going password-less, but it all starts with the Microsoft Authenticator app. It uses key-based authentication to create a user credential that’s tied to a device and uses a PIN or biometric. Instead of using a password to sign in, users see a number code to enter into the Authenticator app, where they have to enter their PIN or provide a biometric.

Password-less sign-in for Microsoft accounts with the Microsoft Authenticator app is already available, and support for signing into Azure AD is now in public preview. Right now, the app can only cover a single account registered with Azure AD in one tenant, but support for multiple accounts is planned in the future. It covers Office 365 and Azure and works with a variety of other apps.

If you’re ready to go password-less, we can help you decide what’s right for you and set up your accounts and devices. Just give us a call – 973-433-6676 – or email us to set up an appointment.

Hack Attack Continues vs. Businesses and People

While government-sponsored hacking and disinformation makes big news, don’t take your eye your eye off the ball when it comes to protecting your personal and corporate data. A report from a consulting firm, Positive Technologies, painted a dark, dark picture, saying the second quarter of 2018 showed a 47 percent increase over 2017. You need to remain vigilant, even when events are beyond your control. Nobody is immune.

As reported in Tech Republic, Positive Technologies said the most common methods of cyberattack are:

  • Malware (49%), with spyware or remote administration malware being the most widely used forms of infection.
  • Social engineering (25%) is the term for manipulating users into believing a message, link, or attachment is from a trusted source, and then infecting targeted systems with malware, stealing money, or accessing confidential information.
  • Hacking (21%) exploits vulnerabilities in software and hardware, causing the most damage to governments, banks, and cryptocurrency platforms.
  • Credential compromise (19%) targets password managers used for storing and keeping track of passwords.
  • Web attacks (18%) are online racketeering attempts to extort website operators for profit, sometimes by threatening to steal client databases or shut down the website.
  • DDoS (5%) tends to be the weapon of choice for business rivals, disgruntled clients, and hacktivists. Political events can drive attacks on government institutions. Criminals can use DDoS attacks to take websites offline and demand payment from the victims.

Attacks can be made in tandem, such as the common duo of using phishing emails to trick users into downloading malware.

Financial and healthcare institutions, retailers, and government databases remain prime targets, but higher education institutions and even school districts are being attacked. Wired reports that this past March, the Department of Justice indicted nine Iranian hackers in alleged attacks on 144 US universities and 176 in 21 other countries. They were also cited for attacking 47 private companies.

Hackers are homing in on the money. Positive Technologies said targeted attacks are outnumbering mass campaigns, with attacks directed at companies and their clients, as well as cryptocurrency exchanges. Data theft is driving an increasing number of attacks, with many criminals seeking personal data (30%), credentials (22%), and payment card information (15%). To steal this data, hackers are compromising online platforms, including e-commerce websites, online ticketing systems, and hotel booking sites.

The scary part for us is the report you can never be sure that criminals don’t have your credit card number from one source or another. Even a brand-new smartphone in a store can have pre-installed malware.

People and businesses can take steps to keep their data safe by installing updates for operating systems and application software and installing antivirus protection on all systems and endpoints and keeping it up to date.

Businesses can encrypt all sensitive information, perform regular backups, minimize the privileges of users and services as much as possible, and use two-factor authentication. Enforcing a password policy with strict length and complexity requirements, and requiring password changes every 90 days, can also help protect systems.

We offer security audits for businesses, and we can answer any questions individuals have about protecting themselves from cyberattacks. Call us – 973-433-6676 – or email us to set up an appointment.

Refreshing Devices Re-Energizes Them – Up to a Point

Refreshing your computers, peripherals and devices requires you to take a long pause, but in the end, it still might leave you thirsting for better results. If you’re hanging onto old equipment, Tech Data reports a few facts that might make you change your mind.

First of all, the report says, some 46 million small and medium-size businesses rely on devices dating back to 2014. That’s approaching five years, and that can be a lifetime in technology. Second, repair costs for equipment four years old or more can be 1.5 times the cost of repairing newer technology. Finally, PCs older than four years can be less than half as productive – costing an average loss of productivity rate of $1,260, according to an internal study by Microsoft.

Microsoft, which is phasing out Windows 7 because of its increasing inefficiency (Windows 7 Support Ends in January 2020), certainly has an interest in seeing you buy new computers with their operating systems. But they also know that the more efficient and productive their customers are, the more likely they’ll continue to use Microsoft software.

So, with that last point out there, what are your considerations for refreshing or replacing a computer? If you’re running Windows 7, we see replacement as a no-brainer. One client engagement illustrates how extreme it can get. We were tasked with refreshing a 10-year-old computer to get it to run better, which we did at a cost of $200 or so – after we advised our client to replace it. Refreshing, in this case, meant reinstalling software and updating it as much as possible. A 10-year-old computer cannot run the latest versions of Windows or any application software, and you cannot install the latest, most secure browser software. If we had installed a new hard drive and added licensing fees and our setup time, it would have been about $570. A new computer would have been around $800 plus some setup time to properly install the operating system and applications and transfer some data files.

With that as background, let’s delve more into a cost-benefit analysis.

Performance: Older PCs, according to Tech Data, can only run approximately five applications simultaneously without performance degradation, while newer PCs can easily run eight or more, according to a 2016 study. On the other hand, new Windows 10 Pro devices with 7th and 8th generation Intel® vPro™ processors keep users more productive with up to 25 percent more time efficiency. They are also up to 28 percent faster for startup on average compared to Windows 7. Batteries can last up to three times longer on newer Windows devices.

Repairs: We mentioned early on that repairs can cost 1.5 times more for older computers than for newer computers. Some of that extra cost can come from more time to find parts. Generally speaking, older parts are scarcer and more expensive.

Security: We’ve harped on security, and here’s something to add: More than 50 percent of smaller businesses have suffered a data breach or cyberattack with the cost averaging more than $84,000 per breach. Older Windows devices are likelier to lack the latest hardware and software security features, putting data at risk. When you factor in the fact that small-business customers are prime targets for security breaches, you can be looking at costly recovery.   Upgrading to a computer that can run Windows 10 Pro will give you more built-in defenses and increased support for the lifetime of your device.

To translate all this into an action plan, we recommend refreshing and some component replacement for computers three years old or younger. For older computers, especially those running Windows 7, we recommend replacement. Business users will benefit from improved performance and security, and home users will benefit from better security. Call us – 973-433-6676 – or email us to discuss your refresh/replacement needs.

Password Agony; No Ecstasy

Passwords are a total pain. Upper- and lower-case letters, numbers and special characters in one password are likely unbreakable over the course of a lifetime. But just to be safe, you’re required to change them periodically – without repeating one you’ve previously used for a website. And if you go to extremes, well, it is possible that someone can beat you over the head and hold your finger or an open eye in front your phone and access your bank account. A password manager could relieve that pain.

Password managers are applications on your computers and devices to access a database where your passwords are stored. One of the big pains they relieve is the need to remember multiple complex combinations of letters, numbers and characters that – to be effective – are totally random. Almost all password managers let you create a master password for access to your identity vault, and then the password manager fills in individual user IDs and passwords for the sites and apps you use. One benefit is that you can give each site or app a different, complex and hard-to-remember password. They also relieve the burden of making required password changes for websites by generating a new one.

For those of you thinking several steps ahead, you are not tied to a password manager forever. You can always download the database with your passwords and user names, allowing you to leave the service and change passwords at each website as needed.

Of course, there’s some risk to a password manager. If a hacker gains access to your master password, all your accounts are open to plundering. Likewise, if a hacker manages to breach the central vault of the password management company, it’s possible that millions of account credentials could be stolen in a single hack.

Good password managers have defenses for both possibilities. Most employ multifactor authentication, so access is granted only with both a correct password and a correct authentication code. That code exists only on a device you own, limiting the ability for someone on the other side of the world to gain access to your information. They also encrypt your password information locally, before it ever leaves your devices, on the servers operated by the vendors. In most cases, this is strong enough.

You have a lot of choices for password managers. We happen to like Dashlane, which gets strong reviews from sources such as PC Magazine, Tom’s Guide, and CNET. You can find more than enough reviews of Dashlane and other program managers, some subscription-based and some free. You should remember that we’re not always enamored with free programs, but regardless of price, here are some things to consider.

Your password manager should secure your data on your machine and in the cloud with an industry-accepted, tough form of encryption that’s widely used today. Along that line, it’s good to have a password manager that scans the dark web to make sure you haven’t been compromised.

It should work across multiple platforms with software for Windows, macOS, Android and iOS, and you should be able to install it on an unlimited number of devices for a single (usually paid) account, store an unlimited number of passwords and generate new, strong passwords for you, even on a mobile device. We like one that can alert you to data breaches and give you a two-factor authentication option for master passwords. Some will offer to save personal information, such as personal details, credit-card numbers and other frequently used information to quickly fill out online forms. While this is optional, it may be safer than letting a website save your credit-card information.

While no password manager can recover your master password if you forget it, it’s helpful to have one that lets you reset your password. Another good feature is one that lets you provide an emergency contact so that a trusted person can access your websites and apps if you are unable to do so.

Choosing a password manager and setting it up can be daunting tasks, but we can help. Call us – 973-433-6676 – or email us for answers to your questions or to walk through the setup.

Airports, Wi-Fi and VPNs

Since most of us fly in and out of Newark Liberty International Airport, you might want to know that it’s ranked fifth on one list of airports where your phone is mostly likely to be hacked. Setting up a VPN (virtual private network) might not be your answer, either, because they are not always as reliable as you think for protecting privacy. Your best protection is your own cybersmarts.

Newark’s lack of security was highlighted in a recent article by Tech Republic about the 10 US airports where you’re most likely to be hacked. That article was based on a report by Coronet, an internet security provider, which looked at the 45 busiest airports in the country. The report applies mostly to businesses, but a lot of it can apply to all travelers.

Why are airport wi-fi systems vulnerable? Lax cybersecurity at most airports lets bad guys onto insecure public wi-fi to introduce a plethora of advanced network vulnerabilities, such as captive portals (AKA Wireless phishing), Evil Twins, ARP poisoning, VPN Gaps, Honeypots and compromised routers. Any one of these network vulnerabilities can empower an attacker to obtain access credentials to Microsoft Office 365, G-Suite, Dropbox and other popular cloud apps; deliver malware to the device and the cloud, and snoop and sniff device communications. Further, not all VPNs give you rock-solid protection against attacks, and USB charging stations are notorious being vulnerable to attack.

To be fair, the report puts the probability of connecting to a medium-risk network at 1 percent and the probability of connecting to high-risk network at 0.6 percent. The same numbers for the worst airport, John Wayne Airport-Orange County Airport are 26 and 7 percent, respectively.

But why take a chance when you can take steps to reduce even the slightest risk? Even at a 1 percent risk, you’re still gambling, and the cost of a breach could be more than the cost of more data on your cellular plan. To be safe, use cellular data in public places.

But let’s try to put all of this in perspective. If you’re checking your email or browsing the internet at the airport, you’re not using much cellular data. The heavy use comes in streaming movies or TV shows or in downloading content with a lot of pictures and video. To keep data use minimal, change your settings so you don’t download pictures and video. If you can, download and store reading and viewing material onto a device before you leave home. If not, buy a newspaper or carry a book to kill time at the airport.

When you’re at various locations – anywhere in the world – make sure you check that you are on a legitimate network. In Europe, for example, we found that the wi-fi networks were faster than data networks, and that made it better to use them to download email. But if speed is not an issue or if the wi-fi is slow, you’re safer on cellular.

We’d also like to add one more reminder: Although this article deals with airports, the same safety precautions apply to any public network. They’re all prime targets for hackers. The notorious bank robber Willie Sutton was once asked why he robbed banks. His answer: “That’s where the money is.” Today, data is where the money is; hence the hackers.

If you have any questions about securing your phones, devices and computers, call us – 973-433-6676 – and email us.

IoT and the Fourth Industrial Revolution

At a recent technology conference in Las Vegas, I was overwhelmed by how far technology has advanced in such a short time – and by how much faster the impact of technology on our lives will grow. We are in the Fourth Industrial Revolution.

Where are we headed? We’re headed for the clouds – the massive server and data storage networks make it possible to do everything imaginable from a phone or tablet from anyplace in the world where you can get an internet connection. This time-compressed evolution is the Fourth Industrial Revolution. Yes, it does seem strange to talk of an evolution, which is long-term movement, with the short burst of a revolution. But that’s just how fast technology moves.

In 1995, we were astounded that we had PCs on every desk. By 2005, we had democratized data in the sense that businesses of all sizes stored and sometimes shared data they gathered and used. That could be correspondence (email), financial records (banks, large retailers), or business info of all sorts, ranging from sales and inventory records to programming heavy industrial equipment. In 2015, society made a really big leap to the cloud to store and manage all the data we use for practically every aspect of our lives. Even people who never use the internet and pay cash for everything are affected by today’s technology if they drive or vote or pay taxes.

Some things I saw in Las Vegas give indications where we’re heading. Business is undergoing a digital transformation built around their customer experiences and new business models. Some one million digital devices come online every day, and by 2025, 60 percent of all computing will be in the cloud. While we each need to maintain our online security vigilance, the entire computing world needs to step its efforts because no bit of information ever goes away. Further, no matter how deeply hidden any information remains, the tools to find it and exploit it are constantly developing. The bad guys can build botnets (networks of electronic robots) to find IP addresses for any exposed device. The Boa open source server, which was used to automate a lot of web-related functions quickly and securely, was discontinued in 2005. But it’s still used in some devices, and with no technical support, bad guys are free to try to pick away at out-of-date defenses. Opening one door can lead to other doors that can be opened, and in some cases, the hackers who open the doors can’t be traced – or can’t be traced quickly enough.

It’s not just the bad guys using stealthy methods to find information. Anyone can use a Google search to find systems and get into them. Those systems can include security cameras and alarms and smart speakers. A Google search can also turn up expired security certificates, which can indicate vulnerabilities.

So, here’s some of what needs to happen:

  • The owners and operators of every server – from a single location to server farms with multiple links – must make sure their firewalls are “locked-down” and secure. That requires the installation of all security updates and patches as they become available and constant monitoring to make sure all ports are secure.
  • All device manufacturers must keep their firmware updated for maximum security. And, if the manufacturers can’t send you updates, you should get and install them on your own.
  • You need to make sure your firewalls and devices are secure through patches and strong passwords. You also should be running virus and malware scans regularly and frequently.
  • Be extremely careful and attentive when you click on a link. You can’t afford to let down your guard.

We also highly recommend an onsite security audit if you have any hint you may have an exposure. We can check all connections for everything on your network – home or office – and trace back anything that looks like a possible security issue, apply a fix and test it. Security issues never resolve themselves and fixing them involves looking at a variety of complexities.

If your computers or devices are running slowly, if you clicked on an email or link you think shouldn’t have, or if you think you’ve been hacked, call us – 973-433-6676 – or email us to set up a security audit. None of us wants to give up our technology; we just need to make it as safe as possible.

Advice from the FBI

If you’re a longtime client or reader of Technology Update, you can say the FBI has either listened to us or validated us with its recent call to restart your routers. Our national law enforcement agency says that routers can be vulnerable to hackers, and one of your best defenses is to restart them. There’s more you can do, but restarting a router is easy to do.

First, let’s look at the restart process, which clears out a lot of junk piles – junk piles that make great hiding places for the bad guys who want to use your network as the entrance to your entire computing world. Rebooting can also help your network’s performance, just like a reboot or restart helps your computer. All you need to do is:

  1. Unplug your router and modem – or combined gateway, which includes your router/modem and VOIP telephone – from the power source. If there is an adapter that plugs into your unit, you can usually do it right there. Do the same for any network switches you might have. If you have batteries for backup power in any equipment, make sure you pull them out.
  2. Wait at least 30 seconds. This is important to help junk clear out, and it signifies your system is offline. Waiting a minute wouldn’t hurt.
  3. Reconnect your system, starting with your modem if it’s a separate unit. If you have a gateway, connect that. If it doesn’t power on automatically, press the power button. Wait at least a minute to give your ISP time to authenticate your connection and assign a public IP address.
  4. Reconnect your router and wait two minutes. This gives your router time to boot back up and gives everything on your network time to get new private IP addresses assigned by the DHCP service in your router. If you removed the power from any switches or other network hardware, now is the time to power those back on. Just give them a minute or so, too. If you have several devices, be sure to power them on from the outside-in, based on your network map.

If you don’t understand anything in the fourth step, it’s a good idea to call us for help. We can follow the map and help you test everything on your network to make sure it’s all working properly. You can also reset your modem if you are concerned about security and/or performance, and that’s something we can help you with, too. Call us – 973-433-6676 – or email us with questions or to set up an appointment.

The Not-So-Hidden Costs of Free Apps

Facebook is free. You can get a free Starbucks app that gives you savings. You can use any number of free navigation apps, such as Waze or Google Maps. They may be free of fees, but they have costs, but they have costs, and that may be at the practical heart of privacy.

Our purpose here is not to get into the specifics of how you can delete apps like Facebook from your computers and devices. You can find a lot of those steps within the apps themselves. Nor is our purpose here about whether you should delete those apps. Facebook continues to come under fire – and to fire back – as the news changes every day.

In our opinion, the issue of Facebook and Cambridge Analytica, which brought a lot of this discussion to a head, happened in 2015. Facebook shared data with Cambridge Analytica under an agreement, but when the agreement was terminated, the data wasn’t deleted. In some ways, we are now looking at several issues, so let’s separate them. I did download all of my personal information that Facebook has about me, and some of it was scary. The scariest part was that they have all of my contact information, and I could see the names of all the people who may have requested to “friend” me but did not accept.

In a way, all of the info didn’t surprise me, and we should all note that Google probably has more information about all of us than Facebook. Like it or not, our likes and dislikes, which are all reflected in what we say on Facebook and in Google product reviews, to name a few, plus all the searches we do and websites we visit all become valuable information for advertisers who want to focus on those who are most likely to buy a product. John Wannamaker, the Philadelphia-based department store owner, said some 150 years ago that he knew only half his advertising dollars were working; he just didn’t know which half. Today’s analytics help businesses and political campaigns make their dollars work more efficiently.

That’s where “free” comes in. We like free apps, free things and being free to express opinions. But it has a cost: whatever level of privacy you are willing to give up. Yes, those “terms and conditions” and “privacy statements” are long and difficult to read, but we all know the drill. In return for being able to use their apps and be eligible for certain perks, we give them the ability to track our locations and share information with their business partners. If anything, the Facebook fiasco has raised our awareness of what goes on behind the scenes, and we may be less willing to give everyone unlimited access to our preferences and whereabouts when given the opportunity.

Another related issue is the Internet of Things, or IoT. All the “smart” home systems, including the smart speakers from Amazon, Google and Apple, collect data based on the info you request, the songs you play and even the merchandise you buy using their systems. Two things we don’t know are: 1.) Do they collect information even when you haven’t activated them? 2.) Who has access to the information they collect?

Moving forward, I am not going to drop out of Facebook. But we can all download the info Facebook has collected on us and look at the apps and advertisers we are tied into through Facebook. We can delete those we don’t want.

Looking at all the data collected about us and figuring out what to delete or hide can be a daunting task, but we can help. Call us – 973-433-6676 – or email us to make an appointment to review whatever information you can collect from the apps you use. We’ll do the best we can to find that happy medium between convenience and security. But even if you decide to drop off the internet and just pay cash for bills and goods and services, your privacy still cannot be ensured.