Using Alternatives to Passwords

We have harped…and harped ad infinitum…about having strong passwords simply because those strings of upper- and lower-case letters, numbers and special characters offered the best chances of staying ahead of the hackers. But we’ve always reminded you that something better is needed because the bad guys have a vested interest in developing better systems to crack passwords and in finding more ways to exploit vulnerabilities in anybody’s electronic vaults that store vital personal and corporate info.

When one of our clients got hacked, we installed a password-less system to offer them better security. Our solution, which uses Microsoft Azure, is one of the emerging technologies to replace passwords with biometrics, one-time codes, hardware tokens and other multi-factor authentication options. What they do is exchange tokens and certificates without users – you, your employees and your customers – needing to remember anything. The new pathway to better protection even bypasses the password managers that many of you use.

IT industry figures show that more than 80 percent of security breaches involve stolen passwords and credentials. We all pick passwords that are too simple and easy to guess, or we store and reuse a few complex passwords that we can remember. That problem is exacerbated by forcing regular password changes even without evidence of breach. If password reset systems rely on people, they can be fooled by social engineering. Password-less technologies can combine certificates with contextual security policies that require less from you. They rely more on trusted devices and connections, and they can add layers of complexity as risks rise. New security can be based on the value of the content and factors such as user behavior, device location and connection, or the state of the device.

You can already set up password-less access using Microsoft’s Azure AD Conditional Access. Many of you who use our backup services already have Azure accounts, and you can use the technology to manage:

  • Sign-in risk to identify who’s signing in and determine who’s a risk.
  • Network location to determine if access is being attempted from a network location that is not under your control or the control of your IT department.
  • Device management for accessing cloud apps from a broad range of devices including mobile and personal devices.
  • Client application to manage cloud access using different app types, such as web-based, mobile, or desktop.

There are some cross-platform technologies available for going password-less, but it all starts with the Microsoft Authenticator app. It uses key-based authentication to create a user credential that’s tied to a device and uses a PIN or biometric. Instead of using a password to sign in, users see a number code to enter into the Authenticator app, where they have to enter their PIN or provide a biometric.

Password-less sign-in for Microsoft accounts with the Microsoft Authenticator app is already available, and support for signing into Azure AD is now in public preview. Right now, the app can only cover a single account registered with Azure AD in one tenant, but support for multiple accounts is planned in the future. It covers Office 365 and Azure and works with a variety of other apps.

If you’re ready to go password-less, we can help you decide what’s right for you and set up your accounts and devices. Just give us a call – 973-433-6676 – or email us to set up an appointment.

Hack Attack Continues vs. Businesses and People

While government-sponsored hacking and disinformation makes big news, don’t take your eye your eye off the ball when it comes to protecting your personal and corporate data. A report from a consulting firm, Positive Technologies, painted a dark, dark picture, saying the second quarter of 2018 showed a 47 percent increase over 2017. You need to remain vigilant, even when events are beyond your control. Nobody is immune.

As reported in Tech Republic, Positive Technologies said the most common methods of cyberattack are:

  • Malware (49%), with spyware or remote administration malware being the most widely used forms of infection.
  • Social engineering (25%) is the term for manipulating users into believing a message, link, or attachment is from a trusted source, and then infecting targeted systems with malware, stealing money, or accessing confidential information.
  • Hacking (21%) exploits vulnerabilities in software and hardware, causing the most damage to governments, banks, and cryptocurrency platforms.
  • Credential compromise (19%) targets password managers used for storing and keeping track of passwords.
  • Web attacks (18%) are online racketeering attempts to extort website operators for profit, sometimes by threatening to steal client databases or shut down the website.
  • DDoS (5%) tends to be the weapon of choice for business rivals, disgruntled clients, and hacktivists. Political events can drive attacks on government institutions. Criminals can use DDoS attacks to take websites offline and demand payment from the victims.

Attacks can be made in tandem, such as the common duo of using phishing emails to trick users into downloading malware.

Financial and healthcare institutions, retailers, and government databases remain prime targets, but higher education institutions and even school districts are being attacked. Wired reports that this past March, the Department of Justice indicted nine Iranian hackers in alleged attacks on 144 US universities and 176 in 21 other countries. They were also cited for attacking 47 private companies.

Hackers are homing in on the money. Positive Technologies said targeted attacks are outnumbering mass campaigns, with attacks directed at companies and their clients, as well as cryptocurrency exchanges. Data theft is driving an increasing number of attacks, with many criminals seeking personal data (30%), credentials (22%), and payment card information (15%). To steal this data, hackers are compromising online platforms, including e-commerce websites, online ticketing systems, and hotel booking sites.

The scary part for us is the report you can never be sure that criminals don’t have your credit card number from one source or another. Even a brand-new smartphone in a store can have pre-installed malware.

People and businesses can take steps to keep their data safe by installing updates for operating systems and application software and installing antivirus protection on all systems and endpoints and keeping it up to date.

Businesses can encrypt all sensitive information, perform regular backups, minimize the privileges of users and services as much as possible, and use two-factor authentication. Enforcing a password policy with strict length and complexity requirements, and requiring password changes every 90 days, can also help protect systems.

We offer security audits for businesses, and we can answer any questions individuals have about protecting themselves from cyberattacks. Call us – 973-433-6676 – or email us to set up an appointment.

Password Agony; No Ecstasy

Passwords are a total pain. Upper- and lower-case letters, numbers and special characters in one password are likely unbreakable over the course of a lifetime. But just to be safe, you’re required to change them periodically – without repeating one you’ve previously used for a website. And if you go to extremes, well, it is possible that someone can beat you over the head and hold your finger or an open eye in front your phone and access your bank account. A password manager could relieve that pain.

Password managers are applications on your computers and devices to access a database where your passwords are stored. One of the big pains they relieve is the need to remember multiple complex combinations of letters, numbers and characters that – to be effective – are totally random. Almost all password managers let you create a master password for access to your identity vault, and then the password manager fills in individual user IDs and passwords for the sites and apps you use. One benefit is that you can give each site or app a different, complex and hard-to-remember password. They also relieve the burden of making required password changes for websites by generating a new one.

For those of you thinking several steps ahead, you are not tied to a password manager forever. You can always download the database with your passwords and user names, allowing you to leave the service and change passwords at each website as needed.

Of course, there’s some risk to a password manager. If a hacker gains access to your master password, all your accounts are open to plundering. Likewise, if a hacker manages to breach the central vault of the password management company, it’s possible that millions of account credentials could be stolen in a single hack.

Good password managers have defenses for both possibilities. Most employ multifactor authentication, so access is granted only with both a correct password and a correct authentication code. That code exists only on a device you own, limiting the ability for someone on the other side of the world to gain access to your information. They also encrypt your password information locally, before it ever leaves your devices, on the servers operated by the vendors. In most cases, this is strong enough.

You have a lot of choices for password managers. We happen to like Dashlane, which gets strong reviews from sources such as PC Magazine, Tom’s Guide, and CNET. You can find more than enough reviews of Dashlane and other program managers, some subscription-based and some free. You should remember that we’re not always enamored with free programs, but regardless of price, here are some things to consider.

Your password manager should secure your data on your machine and in the cloud with an industry-accepted, tough form of encryption that’s widely used today. Along that line, it’s good to have a password manager that scans the dark web to make sure you haven’t been compromised.

It should work across multiple platforms with software for Windows, macOS, Android and iOS, and you should be able to install it on an unlimited number of devices for a single (usually paid) account, store an unlimited number of passwords and generate new, strong passwords for you, even on a mobile device. We like one that can alert you to data breaches and give you a two-factor authentication option for master passwords. Some will offer to save personal information, such as personal details, credit-card numbers and other frequently used information to quickly fill out online forms. While this is optional, it may be safer than letting a website save your credit-card information.

While no password manager can recover your master password if you forget it, it’s helpful to have one that lets you reset your password. Another good feature is one that lets you provide an emergency contact so that a trusted person can access your websites and apps if you are unable to do so.

Choosing a password manager and setting it up can be daunting tasks, but we can help. Call us – 973-433-6676 – or email us for answers to your questions or to walk through the setup.

Airports, Wi-Fi and VPNs

Since most of us fly in and out of Newark Liberty International Airport, you might want to know that it’s ranked fifth on one list of airports where your phone is mostly likely to be hacked. Setting up a VPN (virtual private network) might not be your answer, either, because they are not always as reliable as you think for protecting privacy. Your best protection is your own cybersmarts.

Newark’s lack of security was highlighted in a recent article by Tech Republic about the 10 US airports where you’re most likely to be hacked. That article was based on a report by Coronet, an internet security provider, which looked at the 45 busiest airports in the country. The report applies mostly to businesses, but a lot of it can apply to all travelers.

Why are airport wi-fi systems vulnerable? Lax cybersecurity at most airports lets bad guys onto insecure public wi-fi to introduce a plethora of advanced network vulnerabilities, such as captive portals (AKA Wireless phishing), Evil Twins, ARP poisoning, VPN Gaps, Honeypots and compromised routers. Any one of these network vulnerabilities can empower an attacker to obtain access credentials to Microsoft Office 365, G-Suite, Dropbox and other popular cloud apps; deliver malware to the device and the cloud, and snoop and sniff device communications. Further, not all VPNs give you rock-solid protection against attacks, and USB charging stations are notorious being vulnerable to attack.

To be fair, the report puts the probability of connecting to a medium-risk network at 1 percent and the probability of connecting to high-risk network at 0.6 percent. The same numbers for the worst airport, John Wayne Airport-Orange County Airport are 26 and 7 percent, respectively.

But why take a chance when you can take steps to reduce even the slightest risk? Even at a 1 percent risk, you’re still gambling, and the cost of a breach could be more than the cost of more data on your cellular plan. To be safe, use cellular data in public places.

But let’s try to put all of this in perspective. If you’re checking your email or browsing the internet at the airport, you’re not using much cellular data. The heavy use comes in streaming movies or TV shows or in downloading content with a lot of pictures and video. To keep data use minimal, change your settings so you don’t download pictures and video. If you can, download and store reading and viewing material onto a device before you leave home. If not, buy a newspaper or carry a book to kill time at the airport.

When you’re at various locations – anywhere in the world – make sure you check that you are on a legitimate network. In Europe, for example, we found that the wi-fi networks were faster than data networks, and that made it better to use them to download email. But if speed is not an issue or if the wi-fi is slow, you’re safer on cellular.

We’d also like to add one more reminder: Although this article deals with airports, the same safety precautions apply to any public network. They’re all prime targets for hackers. The notorious bank robber Willie Sutton was once asked why he robbed banks. His answer: “That’s where the money is.” Today, data is where the money is; hence the hackers.

If you have any questions about securing your phones, devices and computers, call us – 973-433-6676 – and email us.

Tech Preps for Trips

For all the acclaim that Israel gets for technology, I was shocked at how slow the wi-fi service was while we visited there. With all the advanced security systems in place and all the tech startups and established R&D places there, I was expecting blazing internet service. Instead, I found internet service was based on DSL technology, and I had to ask why??? It was the slowest internet service I’ve experienced anywhere on the planet (though I’m sure I haven’t visited the places that are even slower).

While your experiences in Israel may differ from mine, the visit reinforced the need to plan for your tech needs as you plan your itinerary. In our case, I brought two phones, and we had Danit’s phone.

I ordered SIM cards for Israeli cellular service for my iPhone X and Danit’s iPhone before we left the US. They were ready for me at the airport, and using a little tool I carry, it was a simple matter to pop out our US SIM cards and install the Israeli cards. Our cost was $60 for the two cards, and we got 10 gigabytes each of data usage plus the ability to make unlimited calls worldwide. We also got the 4G cellular data service, and it was really fast.

Of course, that meant my iPhone X did not have my US phone number. That meant I lost access to voice mail for my number, and I lost the ability to receive text messages. The solution was to carry an old iPhone 5, which was activated for my US number. That gave me the ability to monitor US calls and texts and to use my “Israeli” phone to call and text as needed. The only issue with SIM cards in other countries is that you are likely to get text messages in the language of the country tied to the phone number. Along that line, if you are using your phone for GPS car navigation, you should check your settings to make sure you get displays and voice directions in English – and maybe in kilometers, too.

There are a number of workarounds for phone-number challenges. One is to get a Google Voice number through Google. You can then forward that to any phone number you want, such as the phone number tied to your SIM card in another country. I chose to get a US phone number in Israel for my Israeli phone, and people who needed to reach me immediately could use that number. That helped me balance time away while being accessible.

If you are averse to getting a SIM card and changing your phone number, you can arrange for international service with your cellular carrier. That can be expensive (“expensive” can be a relative term), and if you have an iPhone phone that you bought from a Verizon store, you’re stuck with just a CDMA radio in your phone. Without getting overly technical, CDMA is one of the two radio systems used in cell phones, and it’s used in the US. GSM is the other radio system, and it’s used worldwide.

Most Android-based phones, all iPhones sold in AT&T stores and iPhones sold in Apple stores have both radios built in, giving you seamless service if you decided to use an international phone plan from your carrier. If you are planning to buy a new iPhone and want to use Verizon as your carrier, we recommend buying it in the Apple store to get both radios and keep more options available.

If you opt not to have cellular service on your phone, you can still use wi-fi for email, browsing and making calls through various apps, such as WhatsApp, Viber, Skype and others. Just be aware of security needs when using public networks. You can also rent a cellphone in the country you are visiting.

We can help you plan for tech needs for travel. Give us a call – 973-433-6676 – or email us to talk about what’s available in the countries you’ll be visiting.

SSL Certificates for Websites

When it comes to the security of your business website, size does NOT matter. Your business most likely either houses some bit of information about clients or customers or has access to information. That makes you a target for hackers. It also makes you a target for a Google search engine flag to warn that your website may not be secure because your security certificate isn’t current.

Starting July 1, Google will require that websites have current SSL certificates. SSL (Secure Socket Layer) is used to provide an extra layer of security for websites, and it’s added to each individual page on a site. You are most likely familiar with SSL as a computer user. When you go to a secure page for transacting business, you may have noticed that the secure page URL begins with https:address instead of http:address. You’ll also usually notice the image of a padlock.

Google is implementing the requirement for its Chrome browser, which is widely used worldwide. When someone uses the browser to visit a site without an updated SSL certificate, they’ll see the phrase “Not Secure” before your URL in the address bar. Most likely, they’ll leave the page immediately, and that will increase your site’s bounce rate and endanger your inbound leads. The increased bounce rate will hurt your overall Google ratings, and that will affect your Google page ratings on all browsers, such as Firefox, Edge and Safari.

You can see if your certificate is up to date simply by looking to see if your URL starts with https:. If not, it’s an easy problem to fix with the services of website developer. They can help you purchase an SSL certificate through your website’s hosting company and then add the proper code to your pages. The certificate costs between $40 and $100 per year, and the coding can typically be added in two to four hours.

We are more than happy to refer you to one of our partners, Rachel Durkan at Paradigm Marketing and Design. You can email Rachel for specific information about getting your website in compliance. If you have any other questions or concerns about SSL certificates and website security, call us – 973-433-6676 – or email us to talk about them.

Advice from the FBI

If you’re a longtime client or reader of Technology Update, you can say the FBI has either listened to us or validated us with its recent call to restart your routers. Our national law enforcement agency says that routers can be vulnerable to hackers, and one of your best defenses is to restart them. There’s more you can do, but restarting a router is easy to do.

First, let’s look at the restart process, which clears out a lot of junk piles – junk piles that make great hiding places for the bad guys who want to use your network as the entrance to your entire computing world. Rebooting can also help your network’s performance, just like a reboot or restart helps your computer. All you need to do is:

  1. Unplug your router and modem – or combined gateway, which includes your router/modem and VOIP telephone – from the power source. If there is an adapter that plugs into your unit, you can usually do it right there. Do the same for any network switches you might have. If you have batteries for backup power in any equipment, make sure you pull them out.
  2. Wait at least 30 seconds. This is important to help junk clear out, and it signifies your system is offline. Waiting a minute wouldn’t hurt.
  3. Reconnect your system, starting with your modem if it’s a separate unit. If you have a gateway, connect that. If it doesn’t power on automatically, press the power button. Wait at least a minute to give your ISP time to authenticate your connection and assign a public IP address.
  4. Reconnect your router and wait two minutes. This gives your router time to boot back up and gives everything on your network time to get new private IP addresses assigned by the DHCP service in your router. If you removed the power from any switches or other network hardware, now is the time to power those back on. Just give them a minute or so, too. If you have several devices, be sure to power them on from the outside-in, based on your network map.

If you don’t understand anything in the fourth step, it’s a good idea to call us for help. We can follow the map and help you test everything on your network to make sure it’s all working properly. You can also reset your modem if you are concerned about security and/or performance, and that’s something we can help you with, too. Call us – 973-433-6676 – or email us with questions or to set up an appointment.

Reboot Your Thinking About Restarts

Restarting your Windows-based computer clears out a lot of electronic junk and improves performance. The only problem is that you may not be restarting – or rebooting – your computer when think you are. We had one client go 73 days without performing an actual restart on a computer, which meant we needed a lot of time to clear out all the junk and reset the system.

One of the most common misconceptions we’ve found about restarting is that people think that simply turning on a computer after it’s been sleeping is a restart. To human logic, that makes good sense. To a modern computer, it’s all wrong. When you select the “sleep” option to close a session at your computer, you’re putting it into a state of hibernation. Your PC will seem like it’s completely off, but it saves a hibernation file to boot back to where you were before going to sleep.

When you tap your keyboard to wake up your computer, you’re using Microsoft’s “fast startup” feature to launch the hibernation file that essentially restores your system to where it was before going to sleep. The combination of sleep and fast startup get you up and running faster to use your computer, and it also helps various software and hardware vendors update your system while it’s not in use. Whatever electronic junk your computer has been holding is still there.

Fast startup also helps your computer get up and running faster from a complete shutdown. In a sense, shutting down your computer puts it into a stage of hibernation if fast startup is enabled, so you’re not getting a complete restart, which is necessary for clearing out the electronic junk. In our experience, fast startup is the root of all evil in a lot of problems we’re finding that can be solved by a restart.

All of this leaves you with two options. The first is simple: restart your computer once a week. It’s sort of like flossing your teeth; it’s another thing to remember, and it’s time-consuming. But it will keep your system clean and maintain a higher level of performance. To restart make sure you have saved all work files and application settings by properly closing out of everything. Then, just click the Windows icon at the bottom of your screen, click the power icon and click Restart.

The other option is to disable fast start. You can do that by doing a search for Control Panel, and then clicking on Power Options. On the left side of your screen, click on “Choose what the power buttons do.” Then, uncheck “Turn on fast startup.” Doing that will give you a complete restart when you power up from a shutdown. It can also be helpful when working with a speedy solid-state drive (SSD).

Along with restarts from a shutdown, we’ve found that clients using a laptop as a second computer have another set of problems. When their computers are out of action for an extended period of time, the startup routine when they power on induces a search for all sorts of system and application updates. In the case of Windows updates, the computer looks at when the last update was installed and then initiates a sequence of consecutive updates. That’s necessary because unless Microsoft issues a Service Pack that consolidates several updates, the latest update is typically an addition to a previous update. If you missed three updates, for example, your computer goes back to the first of that sequence and goes through three update procedures.

That entire process can take up a lot of time, and we usually get a call in the middle of it all because it seems like the computer isn’t functioning properly. The easiest way to solve that problem is to turn a computer once a week. It will look for updates as part of its boot-up, and the need to download and install only one Windows update or just a few recent updates for apps will get your second computer operational faster.

Just remember, though, if you’ve turned off the “fast startup” feature for a computer that’s been powered down, you’ll need to make sure you check for updates.

If you have any questions about restarts and power-ups, call us – 973-433-6676 – or email us. We can walk you through the process to set up the options that will be best for you or work with you remotely to set them up.

Who Really Sent That Email?

We’re seeing a pattern in security problems caused by “fake emails.” Although the pattern is not restricted to business emails, they seem to show up more frequently in offices. Here’s what’s happening.

Just like good marketers, email spoofers and hackers have noticed that Wednesdays and Thursdays are “light days” for email traffic. If someone who’s not overwhelmed by email gets no messages (OK, this might be theoretical), it doesn’t raise eyebrows because they’re not accustomed to a huge number of messages. When traffic gets back to its normal level on Friday, nobody bats an eye or says anything. That leaves the hackers free to move about.

What we’ve found when that happens is that a hacker has created a rule to move email messages to a place where they can do their dirty work. One of their tricks is to change a log-in to a fake website that looks like one you frequently visit. When your password is not accepted, you have them send you a link to change your password. When you sign into the fake site with the real password, they can use it to update your info on the real site and keep all of the function for themselves.

That “password” scenario is the one that seems to be most common way for hackers to gain their access, and as in most cases, the cybercriminals count on the fact that you’ll be too busy to notice anything unusual – and that you won’t say anything until well after the fact.

While offices – even SOHO businesses – seem more susceptible to this type of attack, anyone can be a victim. Here are a couple of telltale signs that you might be under attack.

The first is that you get an email that directs you to a website that you can’t log into because your password is invalid. If you use a “master password” application, that should tip you off right away. If you enter passwords for your sites and have them written down in a safe place, consult your records. If you can’t enter a password that you firmly believe is correct, that should be a tipoff, too.

The second telltale sign is that people got messages that looked like they were coming from their office’s email system. To see if something like that is a fake message, you have to find the IP address for the computer. If it didn’t come from your computer system, that could be the tipoff, but not always. In one case we had to solve, a New Jersey company was victimized by a New York IP address, but that didn’t raise any concerns at first because the company does a lot of business with New York IP addresses.

We can use a number of tools to help pin down the IP address from where the email originated, and the earlier we can get on the case, the better the chances of resolving your issue. If you want us to look at a message, you need to follow this procedure:

  1. Drag the message from your email inbox to your desktop. You’ll see it as an envelope.
  2. Email us that envelope as an attachment.

If you are convinced you have a threatening email, call us right away – 973-433-6676 – so that we can ask you a few “yes or no” questions and help you take appropriate steps before the consequences get really costly. If your questions aren’t urgent, email us for answers or to set up an appointment to talk. Email security problems will only get worse as time goes on.

The Not-So-Hidden Costs of Free Apps

Facebook is free. You can get a free Starbucks app that gives you savings. You can use any number of free navigation apps, such as Waze or Google Maps. They may be free of fees, but they have costs, but they have costs, and that may be at the practical heart of privacy.

Our purpose here is not to get into the specifics of how you can delete apps like Facebook from your computers and devices. You can find a lot of those steps within the apps themselves. Nor is our purpose here about whether you should delete those apps. Facebook continues to come under fire – and to fire back – as the news changes every day.

In our opinion, the issue of Facebook and Cambridge Analytica, which brought a lot of this discussion to a head, happened in 2015. Facebook shared data with Cambridge Analytica under an agreement, but when the agreement was terminated, the data wasn’t deleted. In some ways, we are now looking at several issues, so let’s separate them. I did download all of my personal information that Facebook has about me, and some of it was scary. The scariest part was that they have all of my contact information, and I could see the names of all the people who may have requested to “friend” me but did not accept.

In a way, all of the info didn’t surprise me, and we should all note that Google probably has more information about all of us than Facebook. Like it or not, our likes and dislikes, which are all reflected in what we say on Facebook and in Google product reviews, to name a few, plus all the searches we do and websites we visit all become valuable information for advertisers who want to focus on those who are most likely to buy a product. John Wannamaker, the Philadelphia-based department store owner, said some 150 years ago that he knew only half his advertising dollars were working; he just didn’t know which half. Today’s analytics help businesses and political campaigns make their dollars work more efficiently.

That’s where “free” comes in. We like free apps, free things and being free to express opinions. But it has a cost: whatever level of privacy you are willing to give up. Yes, those “terms and conditions” and “privacy statements” are long and difficult to read, but we all know the drill. In return for being able to use their apps and be eligible for certain perks, we give them the ability to track our locations and share information with their business partners. If anything, the Facebook fiasco has raised our awareness of what goes on behind the scenes, and we may be less willing to give everyone unlimited access to our preferences and whereabouts when given the opportunity.

Another related issue is the Internet of Things, or IoT. All the “smart” home systems, including the smart speakers from Amazon, Google and Apple, collect data based on the info you request, the songs you play and even the merchandise you buy using their systems. Two things we don’t know are: 1.) Do they collect information even when you haven’t activated them? 2.) Who has access to the information they collect?

Moving forward, I am not going to drop out of Facebook. But we can all download the info Facebook has collected on us and look at the apps and advertisers we are tied into through Facebook. We can delete those we don’t want.

Looking at all the data collected about us and figuring out what to delete or hide can be a daunting task, but we can help. Call us – 973-433-6676 – or email us to make an appointment to review whatever information you can collect from the apps you use. We’ll do the best we can to find that happy medium between convenience and security. But even if you decide to drop off the internet and just pay cash for bills and goods and services, your privacy still cannot be ensured.