Spectre and Meltdown Raise Need to Update

We’ve seen lots of patches from chip manufacturers and operating-system publishers trying to resolve the Spectre and Meltdown issues. Their effectiveness is mixed, but there are a couple of things you can do to help protect your systems: backup your files and update your software.

The patches came out quickly last month, and they kept on coming as chip manufacturers and publishers of apps and operating systems tried to close the open doors that Spectre and Meltdown use to get into a computer. If you installed all the updates, even multiple updates from chip manufacturers and software publishers, you did the best you could to mitigate problems.

If you haven’t installed updates for operating systems, applications, firmware, browsers and antivirus protection, do it NOW. If you have not set up your systems to automatically install updates, we suggest you do that now, too. Every supplier with a stake in your success is working ‘round the clock to shore up any weaknesses in their products. The faster you install them, the faster you’ll protect your systems and data.

Here is what you and the computer industry are up against:

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, you risk leaking sensitive information. This applies both to personal computers as well as the cloud’s infrastructure.

Spectre also breaks the isolation between applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets and may actually make applications more susceptible to attacks.

While Spectre and Meltdown affect chips, they resulted in computer failures that, in turn, resulted in the losses of apps and data files. In a number of cases in which our clients were affected, we found that Google Chrome was piece of every problem. We don’t say this to point a finger at Google; we note it to make sure you have the latest version of your browser installed.

In the more severe cases, we had to reinstall software systems – with all the cumulative patches – and data files because everything was wiped out. In the most extreme cases, we had to replace computers. This, of course, required that all data files were backed and that all software for operating systems and applications were licensed.

Using subscriptions for operating and application software can eliminate just about all problems associated with keeping your systems up-to-date and licensed. They also can provide access to backed-up data files to help restore your system. The bottom-line benefit is that if your system is struck by some disaster, which can include Spectre and Meltdown, a ransomware attack, or a virus or malware invasion, we can wipe your computers and servers of infections and initiate clean installations of your operating system, firmware, and application software and then restore settings and data.

Without the subscription, you may need to purchase software and then recreate all of your settings as best as possible. And if you don’t have data files in a separate, secure location, you’ll need to find the latest files you have and then restore them in your recreated system.

As we make these points, we are aware that everyone has budget restrictions. However, you need to look at the costs associated with an interruption due to an IT system failure. Any money you may have saved by hanging onto old equipment and software can be wiped by a single event.

By making smart investments to your system, you’ll be able to maximize your security and efficiency. That’s important for home use as well as a business. More and more, we have multiple users conducting some sort of transactions over the internet, and those activities can take place from remote locations. It’s a continuing trend in our use of technology. Subscriptions are a continuing trend, too, in the way we keep our systems ready to do all the things we do.

We can help you make the best decisions to balance your IT needs and available funds. Call us – 973-433-6676 – or email us to discuss your update needs and develop a plan to meet them.

Tax Season: The Next Scam Season

I don’t know whether more money changes hands during the holiday shopping season or during tax season, but a lot is at stake between now and April 17 as people prepare tax returns. It’s a busy time of year for scammers, most of whom want to use fraudulent information to get your tax return money.

Probably one of the most common scams is someone calling from the IRS to say you owe back taxes. This happens every year and all year long, too. But there’s just one thing we want to remind you about, even if you know it: The IRS does not contact you by phone. Nor does the IRS contact you by email, a form of communications a scammer will use in a phishing expedition. The IRS sends you a letter.

The other scams you are likely to encounter are calls or emails from people or companies offering to prepare your tax returns and even provide you with an advance on your refund. The email scams are more insidious because if you click on a link, it could automatically trigger a breach of your computer that reveals sensitive information. If you follow through on a phone call or link, the scammer is going to request your Social Security number and other info that goes on a tax return. If the scammer is offering to advance you money from an expected refund, they’ll want your banking info, too. Once a scammer has this and other personal information, it’s easy to get credit cards and loans and commit crimes in your name.

From a computing point of view, we again remind you not to open emails from people you don’t know who offer help during the tax season. Delete them immediately. Do the same with an email from someone you know that seems out of context because it’s so easy to spoof an email address. For example, would you really expect Norman Rosenthal or Sterling Rose to prepare your taxes?

You can protect business and home networks and computers by making sure you have new, strong passwords for all networks and accounts. Strong passwords are long and contain a combination of upper- and lower-case letters, numerals and special characters. With the breach at Equifax, the risk of fraud is higher, and one of the problems it can lead to is that someone will file your tax return before you do.

With protection in place, you can use the internet for all of your tax-related activity, starting with IRS’s official website https://www.irs.gov/. In addition to being able to get tax forms and answers to questions, you’ll find links to help you find and verify information about tax preparers, including 10 tips for choosing one.

If you are preparing your own taxes, we recommend you use one of the established software providers to reduce your risk of a security breach, especially when you file online.

While we don’t prepare taxes, we can help you keep your networks and computers secure. Call us – 973-433-6676 – if you think your system may have been compromised. Call us or email us if you have any questions about system security or security settings for any software you use for tax preparation and filing.

Protecting Your Email Accounts

My dad wasn’t getting his personal email for a few days and thought it was because his service was down. We found otherwise, and he wasn’t the only victim. The message here is: Pay attention to oddities.

One of my dad’s symptoms of an email problem was that he wasn’t getting any messages. Unfortunately, that symptom doesn’t raise too many eyebrows these days because he figured a server was down – again.

But when the problem continued, he called, and we logged in to discover that his email was being forwarded to a Gmail account. We were able to re-secure his account, and it was one of those “no harm, no foul” situations this time. Next time, he might not be lucky.

But my dad wasn’t the only victim of an email invasion. One of our clients with an international business discovered that for a couple of days, all of their email was going into the “deleted” folder. They were expecting to have money wired in, so the email problem put them on heightened alert.

When we investigated, we found that they had been hacked and that hackers had added a rule to their email system that sent messages to the “deleted” folder and also forwarded the messages to an email address they had set up.

Both instances point out the need to be vigilant – and to follow safety precautions we’ve mentioned many times before.

  1. Make sure you have a strong password.
  2. Use long passwords that include upper- and lower-case letters, numerals and special characters.
  3. Change your password periodically.
  4. Never put information such as Social Security and bank account numbers in emails. They’re so easy to get picked off by hackers.
  5. Avoid sending emails that have umpteen thousand addresses in the “To” and “Cc” lines. It’s very easy for hackers to insert their own email address into someone else’s name and start a phishing expedition that could reel in sensitive, private information.

If you notice something funky about your email, get in touch with us right away. Call us – 973-433-6676 – or email us to help secure your email.

Managing Assistants

Alexa, Google Home, Siri and Cortana are online assistants who can help you get information and even order products without you ever having to tap a screen or look at one. They are a convenience, but they also raise privacy and security issues.

Siri (Apple) and Cortana (Microsoft) are associated with devices, such as phones, tablets and computers. In that type of user environment, you need to activate them with the device in your hand or on your desk, and they’re typically used for getting information, such as the weather, restaurant info or the answer to which person played for both the New York Rangers and Brooklyn Dodgers.

Alexa and Google Home may present other issues. In addition to answering questions, Alexa is tied to Amazon and its online shopping capabilities. We hear that Google Home may tie in with Walmart. With shopping available, you have another layer of concern. Somewhere, they have access to your credit-card information, and it may be possible for any voice to make a purchase.

We’ll be going to CES, the huge annual trade show for consumer electronics, in Las Vegas this month, and we plan to talk to all the manufacturers about their security and privacy protection measures. Until we have more information, here are some things you should know and can do to minimize your risk of a privacy breach or unwanted purchase – especially with Alexa, whom I call Alex when I don’t want to wake her.

Alexa and her fellow assistants remain asleep until they hear their “wake” word, but their microphones are always on. Being on is how they stay ready for your commands, but they should not be active until you wake them. So, here are some ways to help you protect from someone turning them on without your knowledge:

  • Change your “wake” word. Like most things in the IoT world, these assistants come with a default “wake” word. Go into the setup menu on the app, which you can get for your cell phone, and change it.
  • Use the mute button. Yes, it’s a pain to physically walk over to Alexa and push a button (some of you will cringe at memories of getting up to change a television channel), but it is effective – and easier than trying to run through 80-something over-the-air TV channels.
  • Use a PIN to make purchases or disable the function to make purchases by voice commands. Again, it’s an inconvenience, but we’ve discussed the tradeoff between security and convenience many times before.
  • Keep them away from windows so that any activity outside doesn’t activate them.
  • Use your app to see what’s been recorded through your assistant and delete any or all of those recordings. You can also your app to configure and toggle sound notifications, even for multiple units in one home (or office).

You can also follow the IoT cybersecurity steps we’ve published over the past year or so:

  • Change default usernames and passwords immediately. Make your new passwords strong and unique.
  • Install upgrades and updates from your IoT manufacturers. They usually contain security patches and bug fixes.
  • Make sure your Wi-Fi systems and firewalls are secure. That’s your first line of defense. Install upgrades and updates for your gateways and anti-virus and anti-malware apps.
  • Only use secure Wi-Fi networks.

We can audit your Wi-Fi security and help you fine tune the settings for your virtual assistant. Just call us – 973-433-6676 – or email us for an appointment, and follow us on Twitter and Facebook for reports from CES.

‘Free’ Streaming

Not all streaming is meant to be shared – or least not shared with dozens of strangers around the world. Cable companies and content providers are concerned about lost fees as access credentials to programming are increasingly abused. They’re cracking down on piracy.

Stealing service has been a problem since the first electrical wires and meters were installed more than 100 years ago. For cable and content providers, it became an issue when the first cable wires were strung up. The problem has grown as technology has developed more content and more ways to get it. Putting aside the issue of whether it’s all overpriced, it costs money to develop and deliver the content we love to watch, and too much of it is “falling off the back of an electronic truck.”

We can watch content for free on our TVs when they receive broadcast signals. But for the most part, the only people who watch broadcast TV are those who have cut the cord and stream through their TVs on their internal Wi-Fi or wired networks. For them, a TV is a device, just like a tablet, wireless phone or computer.

Cable providers have relationships with content providers that enable subscribers to stream cable-delivered content or simply stream it from the content providers. You get a username and password, and you’re good to go. You can even share your account with others, and almost all of us have done it at one time or another, especially with Netflix or Amazon Prime. Some providers encourage it.

Unfortunately, some people have taken sharing too far. The content industry has been OK with sharing info with a few friends or family members, but the problems arise when those friends and family members start sharing access with their friends and family. It’s all gone viral, and it hasn’t gone unnoticed.

Every provider who issues usernames and passwords also has the means to track who is accessing content and where they’re watching it. They expect that subscribers will stream their programming when they’re traveling, and they can usually verify access privileges are being properly used. Most vacations are a week or two, and even if you move around a bit, you’re generally not in locations a world apart within the space of two days – or on the same day.

The industry can track possible abuse, and there are steps they can take – if they haven’t done so already – to limit access without alienating honest, rule-abiding subscribers. They can require all subscribers to re-enter or change passwords more frequently. It’s a risk for them because some subscribers may find this an inconvenience and drop their service. However, it’s one way to shut off access to a large number of pirates in one fell swoop.

They can also limit the number of shares they’ll allow. While Netflix, for example allows up to four shares for its most expensive plan, and providers such as HBO and DirecTV allow limited sharing. ESPN may have limits on how many streams are allowed, but that could be independent of limits placed by cable or satellite carriers.

The industry can threaten to cut off subscribers – or actually cut their cords – but that gets into all sorts of sticky legal and customer-service issues. For example, do you take action against the parents who gave their college-age kids access? Do you go after their kids? Do you go after the users of devices they believe are “invalid users?”

This problem will become more prominent on the industry’s radar screen because a lot of money is at stake. Content producers need to be paid for their product, and that payment depends on how many subscribers watch it. Cable and satellite companies pay fees to producers and collect fees from advertisers and subscribers based on the number of valid users. Nobody wants money taken off the table because of a discrepancy between subscribers and viewers.

Finally, all this sharing raises a nagging question in the back of our mind: If someone has access to an account that you pay for, how can they use this access for their own gain at your expense? Call us – 973-433-6676 – or email us for help in tightening up your access controls.

Are You Printing Invitations to Your System?

Printers have been fingered as the weak link in many business and home networks. Most small businesses and home users tend to run their printers into the ground, and the longer they hang around without the latest firmware updates, the more vulnerable they are to a cyber-attack.

You can stop printing invitations to intruders – even with your current, old printer. Let’s start with the firmware. Simply go to your printer manufacturer’s support website and you can see all the firmware and driver updates available for download and installation.

Whether your printer is on a home network or small business network, make sure your firewall software is up to date and that you have a strong, secure network password for each printer. It’s too easy, especially in an office, to use a simple password that everyone can remember and hackers can figure out. And too many, especially in an office, keep their passwords stuck to monitors, where anyone walking by can see them. Your employees and/or family members just need to bite the bullet and remember a strong password – and keep that knowledge to themselves. It’s also worth noting, too, that sometimes the printers don’t even have those default passwords; they have none at all.

You can further restrict access to your printers by properly managing your printer settings and ports. Just as we’ve seen everything related to the IoT, printers can be shipped with default settings controlling printers and default port assignments. Any third-rate hacker can figure them out. You can and should change them immediately when you set the printers up to work on your networks.

Some manufacturers are recognizing the role they can play in protecting your printers. HP recently introduced its Connection Inspector for enterprise systems, and we can only hope the company and other manufacturers start incorporating similar tools for small businesses and homes.

The new tool is designed primarily to combat malware intrusions through printers by looking at unusual behavior on network traffic going to a printer. It learns what “normal” traffic looks like, and when it detects malicious activity, it can immediately go into a protected mode, stopping any further unfamiliar or unusual requests and sending a warning to IT administrators. It can even trigger a reboot of the printer.

We’ll keep an eye on developments in printer security to let you know when tools like Connection Inspector become available for you. There should be an incentive to develop them because more and more professional services corporations and families, especially those with school-age children, rely on remote and/or wireless access to printers to create hard copies of information in a corporate database or a collaborative research project.

In the meantime, we can help you tighten your printer security by looking at your machine’s settings and ports and checking your network’s security, too. We can also help you with the installation of firmware and driver updates. Call us – 973-433-6676 – or email us for an appointment. It’s time to make sure you’re printing documents, not invitations to enter the inner sanctum of your system.

Here’s Lookin’ at Your Password

Passwords are just as painful for companies that require them as they are for you. And, they’re expensive as well as subject to theft. What are we looking at in the near future? The eyes have it.

Microsoft and Apple are moving ahead with facial recognition to replace passwords. The technology is getting better and better, and, let’s face it, once their systems can recognize you and match you up with other records, you won’t have to remember some arcane, complex password – which you could mistype…

Going “password-less” would create a huge economic benefit for the business world. At our recent Microsoft IT conference in Orlando, the company said lost passwords are their biggest IT cost. In the month of July, they spent $686,000 in IT-related costs for restoring forgotten passwords. Annually, the cost is roughly $12 million.

The way systems work, it’s always to your benefit to say you’ve forgotten your password if you risk being locked out of website or application, such as your Office 365 account or a bank account. While their security needs dictate making a password reset more difficult, the complexities raise costs.

Also, in today’s world, all of these systems and interactions can be hacked, and dark-web operatives can change your letters, numbers and special characters once they’ve cracked your code. Your face is another matter. And while someone at some point in the future will figure out a way to defeat facial recognition, I believe this gets us ahead of the curve – for now.

Microsoft has facial recognition tools available for computers that have Windows 10 with Hello installed, and Apple has it for iPhones and iPads. While you can use them now for their own websites and online apps, it will take some time for the rest of the online world to get there. Your bank or credit card company, for example, will need to develop tools that work with all platforms and operating systems, and they will need to make sure online performance doesn’t suffer.

One online security app that some banks encourage their customers to use is Trusteer. While it can be effective as form of two-factor verification, it can slow down a user’s computer. We’ve had numerous incidents of clients calling us about slow computers, and Trusteer has been the problem. Once it’s uninstalled, performance levels return to what they should be.

There are other two-factor authentication methods you can use, but you’ll be up against that issue of whether you want more convenience or more security.

If you have any questions about facial recognition tools or two-factor authentication, call us – 973-433-6676 – or email us. New technologies can be scary, mostly because you can worry about making a mistake somewhere that can lock you out of the info and apps you need for work and life. We can help you navigate the brave new world with confidence.

Equifax and Protecting Your Identity

If anyone learns just one lesson from the recently disclosed hack of Equifax, the credit-rating service that has the keys to many people’s vital data, here it is: You have to take your data protection into your own hands.

We had a really queasy feeling when we saw the news reports, and a lot of the information didn’t pass our initial smell test. First, why did it take so long for Equifax to notify its customers and authorities? More than a month went by before there was any announcement. Second, when Equifax did respond, it seemed ineffective. You can go to https://www.equifaxsecurity2017.com/, enter some information about your name and Social Security number and see if you have something to worry about. From there, you need to scroll to the bottom of the page to find the Potential Impact button, which will take you to https://www.equifaxsecurity2017.com/potential-impact/. Most people will learn that their data has possibly been compromised.

If you don’t want to fuss around with the internet, you can call a dedicated call center, 866-447-7559, from 7 a.m. to 1 a.m. ET every day to discuss your account.

You can go back online and enroll in a credit monitoring with program with Equifax – or with Experian or TransUnion, the other two credit reporting agencies in the US. Equifax will give you the program free for a year without requiring you waive the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms-of-use for this cybersecurity incident.

We strongly recommend you take these additional steps:

  • Place an initial fraud alert on your credit records. Again, it doesn’t matter which reporting agency you use. They all “talk” to each other. When lenders see the fraud alert when checking your credit, they must take additional steps to verify that it is actually you who wants to open the account. Initial fraud alerts are good for 90 days, and you can renew them or cancel them as it suits your needs. Equifax is offering an “automatic fraud alert” feature, which automatically renews itself every 90 days.
  • Freeze your credit. This makes it virtually impossible to open an account in your name because it blocks access to your credit report. Nobody can complete a credit check, so someone else won’t be able to open an account. A credit freeze won’t expire until you choose to remove it, and you can cancel and reinstate them as needed. However, you must place a credit freeze with each bureau individually, and that can come with a fee, usually $10 or less, depending on what state you live in or if you’re already a victim of identity theft.
  • Sign up with a credit monitoring service. We have a service that does this, but there are others.
  • Check your bank and charge accounts and your credit score regularly. If you see something that raises a red flag, contact your financial institutions or credit reporting agencies immediately.

 We spoke to a number of people involved in the storage of highly sensitive personal information, and they all reminded us that you need to protect more than your financial information. Any organization that stores your medical and insurance records is vulnerable to a hack, and that can lead to additional problems. For example, someone who has your medical records can file a fraudulent medical insurance claim using your records.

That, of course, gets us back to advice you’ve often heard from us:

  • Install all updates for operating systems and application software as soon as they are available for computers and devices. The updates almost always include security patches and bug fixes.
  • Manage your passwords. Keep them long and complex and change them frequently.
  • Keep your networks secure by installing updates, managing passwords effectively, making sure your firewall and anti-virus protection is active, and limiting access to administrative functions.
  • Use common sense. Don’t click on links within an email from someone you don’t know or on something that looks out of the ordinary from an address you recognize. Email addresses are easily hijacked – and not necessarily because the owner of the address did something wrong. Don’t click on pop-up ads or ads with offers that are too good to be true.

Are we safe on the internet anymore? No, but you can be safer if you take ownership of your security. We can check security settings and run deep scans to help keep you as safe on the internet as possible. Call us – 973-433-6676 – or email us to set up a security audit or answer any questions you have about managing your security.

Google Drive Drives into the Sunset

Here we go – again. Another staple of our applications is being replaced. This time, it’s Google Drive, which Google will stop supporting as of this coming Dec. 11 and will shut down next March 12. Taking its place: Backup and Sync, which will be more powerful.

Backup and Sync replaces both the company’s Drive and Photos desktop apps for Windows PCs and Macs. It allows you to store any photos, videos and documents in the same format on Google’s cloud for safekeeping from crashes and unfortunate accidents. You can use the app to back up the contents of your entire computer – or just selected folders.

Once you download the app and launch it, sign into your Google account and select which folders you’d like to continuously back up to Google Drive. For photos, you have two options: High Quality or Original Quality. High Quality will compress photos larger than 16 megapixels and videos with a resolution higher than 1080p, but these compressed files will not count against your data cap.

Oh, yes, there is a data cap. Are you surprised? The new and improved Google Drive gives you 15GB of file storage for free. Then, the rates go up to $19.99 a year for 100GB or $100 a year for 1TB. That’s not excessive. You get additional flexibility by being able to download files to work offline, and you can download the app for your mobile device, too. Plans for even greater storage capacity are available.

The new app is available now from the Google Drive or Google Photos page. The only downside is that you can’t use Backup and Sync as a restore tool if your computer crashes. But we have options available for that.

We can also help you set up Backup and Sync so it works as you want and coordinate how it works on your computer and mobile device. Storing your data files and photos and videos offsite is the way to go for safety and flexibility. Call us – 973-433-6676 – or email us to answer your questions or provide assistance.

Passwords Becoming Passé

I’m as tired as anyone else when it comes to remembering dozens of arcane passwords for all the websites I need to access. Current and future technology will be able to provide relief and stronger protection. Here’s the lowdown on locking down.

If we’ve learned anything at all from the monthly ransomware reports, electronic “locks” are pickable. We’ve also learned that time is money for hackers when it comes to planting ransomware and other viruses that can make life painful or costly or both.

Operating under the assumption that any electronic barrier can be hurdled in time, you want to lengthen the time of your defense as much as possible – and we’re talking decades. The longer and more complicated the password, the longer it will take for hacking software to crack your code. We all know that when you include uppercase and lowercase letters in combination with numbers and special characters, the time stretches out. Making sure it follows no special pattern – that it’s totally random – adds to the security.

Many theories abound as to how to create a complex, random password that’s easy to remember. One suggestion is to take a phrase or sentence that you can easily remember. Then, take the first or second letter in your phrase and turn some into uppercase letters, numbers or special characters in a random order.

I have one password I use for everything, and I am extremely confident its length and complexity will deter hackers. You may find fault that I have only one password, and that would be a valid criticism. If it’s cracked, someone could get into every internet account I have.

You can eliminate the need to remember multiple passwords by using a password manager program. Some are free and some have a nominal cost. Basically, you just need to remember a master password to get into the system. The password manager randomly generates new complex passwords when you visit each site. Yes, you can argue that somebody could crack the password manager’s system. It’s possible, but would you feel more comfortable with $1 million under your mattress or in a vault that’s a half-mile underground, encased in 20 feet of concrete and guarded by a randomly rotated army that’s always being retrained?

You can augment the password manager with two-factor authentication, something we’ve liked and used for years. In many cases, you need to answer a question, and it should be something only you know. Other measures might include answers to randomly generated multiple choice questions based on publicly available information that can be verified as “right” or “wrong.” No “maybes” allowed.

In the future, passwords will give way to biometrics. The software is there; the hardware needs to catch up. Windows 10’s Hello can handle the biometrics, but most computers don’t have the 3-D cameras needed to use the feature. Some Microsoft Surface tablets have the cameras, and if you are in the right place, it works really well.

Regardless of what technology you use, don’t let your guard down. Don’t buy things or do your banking over a public Wi-Fi network. Use a trusted, secure network or a cellular data network. Make sure the networks you control are secure with up-to-date firewalls and anti-virus and anti-malware software. Make sure all operating systems and firmware are current with all bug fixes and security patches.

Remember that we can help you with all of your internet password and security needs, including choosing and setting up a password manager, setting up two-factor authentication and answering your questions about biometrics systems. Call us – 973-433-6676 – email us to set up an appointment.