Who’s in Your Electronic Wallet?

Complacency is likely to be the greatest threat to your online security. The FBI recently reported that the padlock icon and HTTPS:// in a website cannot be trusted all the time in letting you know a site is safe. With the cost of SSL-TSL certificates falling, it’s cheap for crooks to set up malware sites and lure you in. We’ve discussed on-line shopping security and keeping other transactions secure, but the FBI’s warning compels us to revisit a few ideas.

First, what is an SSL-TSL certificate? The certificate is an acknowledgement that the owner of a website has installed SSL or TSL technology provide secure communications over a computer network. The certificates are granted by third-party providers, such as VeriSign, which is now owned by Symantec. The certificate shows us HTTPS (Hyper Text Transfer Protocol Secure) in a secure website’s URL. You can view the certificate by clicking on the lock symbol on the browser bar.

What do SSL and TSL stand for? In short, SSL stands for Secure Sockets Layer, the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems. It’s designed to prevent criminals from reading and modifying any information transferred, including potential personal details. TLS (Transport Layer Security) is just an updated, more secure, version of SSL. Symantec still refers to security certificates as SSL because it is a more commonly used term. SSL certificates can also cover other internet- based communications, and they come in various levels. If you are curious, you can click here to read more from Symantec than you might want to know.

What you should know, the FBI reports, is that cybercriminals are more frequently incorporating website certificates when they send emails that imitate trustworthy companies or email contacts. They’re typically phishing schemes used to acquire sensitive logins or other information by luring potential victims to a malicious website that looks secure.

We’ve published many articles that call for the internet industry to provide more safeguards, but as we’ve always noted, cybercriminals are working just as a hard to defeat current and developing security tools. One industry executive hit the nail on the head by noting that cybercriminals can’t work around an aware user, who has been trained to look for misspellings in the URL of a web page and knows not to trust a padlock icon. Addressing her firm’s corporate business targets, the executive called on organizations to invest in solid, continuing training programs.

We echo the FBI, which says the following (familiar) steps can help reduce the likelihood of falling victim to HTTPS phishing:

  • Do not simply trust the name on an email: question the intent of the email content.
  • If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
  • Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
  • Do not trust a website just because it has a lock icon or “https” in the browser address bar.

The FBI encourages victims to report information concerning suspicious or criminal activity to their local FBI field office, and file a complaint with the IC3 at www.ic3.gov. If your complaint pertains to HTTPS/SSL/TSL issues in a phishing expedition, write “HTTPS phishing” in the body of the complaint.

You can protect yourself by being prudent and deliberate when opening emails and clicking on links, and you can support your efforts by installing, updating and using anti-virus and anti-malware protection programs. We work with several trusted providers, including Symantec, and we can help you select and set up the programs that best meet your needs. Call us – 973-433-6676 – or email us if you think your security may have been compromised or if have any questions about online security verification.

DIY and a Scam

When one of our clients decided to add a Wi-Fi extender in a home office, she contacted a phone number that purported to be a helpline from the manufacturer. It wasn’t, and it opened up a door for someone to gain access to sensitive information.

We’re certainly not opposed to any of our clients buying and installing their own technology. It can save you money and give you a better understanding of how your technological systems all fit together to make your life better. But there are a few things everyone should be aware of when they start the process – because you may not discover a problem until some damage has been done.

In this case, our client bought and set up a network extender from Netgear. She needed to strengthen an in-home network to accommodate her mother’s computer, and this was a reasonable step. When she ran into a problem, she called the manufacturer for help – or thought she did, and this is where problems began.

She said she called the phone number on the extender’s box. We won’t quibble. It could have come with a Google search. The lesson is more important than any finger-pointing. One of the problems with a Google search is that companies can place advertisements to show up above the “natural search” results. In times of stress, it’s easy to mistake an ad for a search result, and you click it. Both the advertiser and Google benefit from the ad; you visit a website you wouldn’t have otherwise gone to, and Google gets paid for directing you there. That’s business.

But when the advertiser is, shall we say, shady, it’s an ideal way to lure somebody into a scam. That’s what happened here. Our client clicked on what she thought was Netgear customer service but went to a website called Trucept. They walked her through a setup and told her she had no virus protection. She paid $300 for a package that included five years of security protection. That’s likely how they got into her network and likely were able to hack her mother’s computer.

Unbeknownst at that time, her mother started to receive online banking messages about owing a lot of money. That’s when we got a call. We told our client to shutdown her mother’s computer immediately and to call the bank. Then, we went to the Trucept website together, and to our experienced – and skeptical – eye, it had the look of scam all over it. Some of the telltale signs we saw were:

  • An address for a residence in Queens Village, NY
  • Lots of misspelled words
  • A PC Max Ultra Prime package for $800 with no customer reviews
  • A policy that requires two days before you ask for a refund (which gives them time to access a computer)

We were able to clean up her system and her mother’s. Now let’s look at things going forward.

First, be very careful about what you find on the internet. In the heat of trying to get something done in our overstressed lives, it’s easy to overlook something – especially a Google ad that looks like a search result. Take a deep breath before you click.

Second, get help from someone you know. It doesn’t have to be us. Call a friend. Go on Nextdoor Neighbor or Facebook and ask for a recommendation. Just don’t call a stranger out of the blue.

Third, only pay with a credit card for an online service. Credit cards have a mechanism in place to reverse charges. Processors record an IP address for every transaction, and they can tell where it took place.

We can help you install new systems or devices in your home or office, either in person or – typically – by walking you through the process. Call us – 973-433-6676 – or email us for an appointment or a walkthrough. 

Rule Your Email

We recently had to help a client resolve a rules-based email hack. It seems that hackers were able to change the rules in the email system to forward email to their own site and respond – and they could activate or deactivate the rule at will.

The problem showed up when our client’s clients were flooded with messages about sharing files. The client normally does share files – and so do we; it was the volume that grabbed their attention. Fortunately for everyone in this email chain, we were one of those who got caught up in the problem, and that helped us understand what was going on.

The hackers changed the rules for handling emails. They were able to intercept emails and then send new messages to the original senders with a request to share files. The requests, of course, looked like they were coming from our client. Sharing those files gave the hackers access to the computer systems of anyone who responded to that request.

We were able to go in and fix the rules that affected our client’s system. It wasn’t particularly difficult to do once we identified the problem. But what can you do solve the problem and/or prevent it? The answers won’t surprise you.

  1. Everyone who uses email should make sure you have strong, secure passwords for your email – and for your network, too. We find that in most cases, our clients who get hacked have simple passwords that are easy for hackers to figure out. So, the best thing you can do before anything else is to change your email password and make sure it’s strong – upper and lower case letters, numbers and special characters.
  2. Make sure your anti-virus and malware software is up to date and running
  3. If you see something that looks just the slightest bit out of order – different writing or phrasing or spelling mistakes – don’t click on a link. Don’t reply to the email, either. If you have a question, pick up the phone. Alexander Graham Bell invented the telephone in 1876, and the cell phone was introduced April 3, 1973. Telephones in any technology are proven to connect – and with rare exceptions, they’re private connections
  4. Forward the suspicious email to your IT provider. Those of us in the business share a lot of knowledge, and we have a good chance of determining if the request to share is legitimate or where there could be problems
  5. Call us to look at your email setup and see what rules might have been placed on your account without you knowing it. Even if you’ve changed your password, hackers still have ways of planting malware. We can see if you have malware or a virus and help you get rid of it.

In the final analysis, it’s up to you to rule your email inbox. We can help. Call us – 973-433-6676 – or mail us if you have any questions or need help.

Using Alternatives to Passwords

We have harped…and harped ad infinitum…about having strong passwords simply because those strings of upper- and lower-case letters, numbers and special characters offered the best chances of staying ahead of the hackers. But we’ve always reminded you that something better is needed because the bad guys have a vested interest in developing better systems to crack passwords and in finding more ways to exploit vulnerabilities in anybody’s electronic vaults that store vital personal and corporate info.

When one of our clients got hacked, we installed a password-less system to offer them better security. Our solution, which uses Microsoft Azure, is one of the emerging technologies to replace passwords with biometrics, one-time codes, hardware tokens and other multi-factor authentication options. What they do is exchange tokens and certificates without users – you, your employees and your customers – needing to remember anything. The new pathway to better protection even bypasses the password managers that many of you use.

IT industry figures show that more than 80 percent of security breaches involve stolen passwords and credentials. We all pick passwords that are too simple and easy to guess, or we store and reuse a few complex passwords that we can remember. That problem is exacerbated by forcing regular password changes even without evidence of breach. If password reset systems rely on people, they can be fooled by social engineering. Password-less technologies can combine certificates with contextual security policies that require less from you. They rely more on trusted devices and connections, and they can add layers of complexity as risks rise. New security can be based on the value of the content and factors such as user behavior, device location and connection, or the state of the device.

You can already set up password-less access using Microsoft’s Azure AD Conditional Access. Many of you who use our backup services already have Azure accounts, and you can use the technology to manage:

  • Sign-in risk to identify who’s signing in and determine who’s a risk.
  • Network location to determine if access is being attempted from a network location that is not under your control or the control of your IT department.
  • Device management for accessing cloud apps from a broad range of devices including mobile and personal devices.
  • Client application to manage cloud access using different app types, such as web-based, mobile, or desktop.

There are some cross-platform technologies available for going password-less, but it all starts with the Microsoft Authenticator app. It uses key-based authentication to create a user credential that’s tied to a device and uses a PIN or biometric. Instead of using a password to sign in, users see a number code to enter into the Authenticator app, where they have to enter their PIN or provide a biometric.

Password-less sign-in for Microsoft accounts with the Microsoft Authenticator app is already available, and support for signing into Azure AD is now in public preview. Right now, the app can only cover a single account registered with Azure AD in one tenant, but support for multiple accounts is planned in the future. It covers Office 365 and Azure and works with a variety of other apps.

If you’re ready to go password-less, we can help you decide what’s right for you and set up your accounts and devices. Just give us a call – 973-433-6676 – or email us to set up an appointment.

Hack Attack Continues vs. Businesses and People

While government-sponsored hacking and disinformation makes big news, don’t take your eye your eye off the ball when it comes to protecting your personal and corporate data. A report from a consulting firm, Positive Technologies, painted a dark, dark picture, saying the second quarter of 2018 showed a 47 percent increase over 2017. You need to remain vigilant, even when events are beyond your control. Nobody is immune.

As reported in Tech Republic, Positive Technologies said the most common methods of cyberattack are:

  • Malware (49%), with spyware or remote administration malware being the most widely used forms of infection.
  • Social engineering (25%) is the term for manipulating users into believing a message, link, or attachment is from a trusted source, and then infecting targeted systems with malware, stealing money, or accessing confidential information.
  • Hacking (21%) exploits vulnerabilities in software and hardware, causing the most damage to governments, banks, and cryptocurrency platforms.
  • Credential compromise (19%) targets password managers used for storing and keeping track of passwords.
  • Web attacks (18%) are online racketeering attempts to extort website operators for profit, sometimes by threatening to steal client databases or shut down the website.
  • DDoS (5%) tends to be the weapon of choice for business rivals, disgruntled clients, and hacktivists. Political events can drive attacks on government institutions. Criminals can use DDoS attacks to take websites offline and demand payment from the victims.

Attacks can be made in tandem, such as the common duo of using phishing emails to trick users into downloading malware.

Financial and healthcare institutions, retailers, and government databases remain prime targets, but higher education institutions and even school districts are being attacked. Wired reports that this past March, the Department of Justice indicted nine Iranian hackers in alleged attacks on 144 US universities and 176 in 21 other countries. They were also cited for attacking 47 private companies.

Hackers are homing in on the money. Positive Technologies said targeted attacks are outnumbering mass campaigns, with attacks directed at companies and their clients, as well as cryptocurrency exchanges. Data theft is driving an increasing number of attacks, with many criminals seeking personal data (30%), credentials (22%), and payment card information (15%). To steal this data, hackers are compromising online platforms, including e-commerce websites, online ticketing systems, and hotel booking sites.

The scary part for us is the report you can never be sure that criminals don’t have your credit card number from one source or another. Even a brand-new smartphone in a store can have pre-installed malware.

People and businesses can take steps to keep their data safe by installing updates for operating systems and application software and installing antivirus protection on all systems and endpoints and keeping it up to date.

Businesses can encrypt all sensitive information, perform regular backups, minimize the privileges of users and services as much as possible, and use two-factor authentication. Enforcing a password policy with strict length and complexity requirements, and requiring password changes every 90 days, can also help protect systems.

We offer security audits for businesses, and we can answer any questions individuals have about protecting themselves from cyberattacks. Call us – 973-433-6676 – or email us to set up an appointment.

Password Agony; No Ecstasy

Passwords are a total pain. Upper- and lower-case letters, numbers and special characters in one password are likely unbreakable over the course of a lifetime. But just to be safe, you’re required to change them periodically – without repeating one you’ve previously used for a website. And if you go to extremes, well, it is possible that someone can beat you over the head and hold your finger or an open eye in front your phone and access your bank account. A password manager could relieve that pain.

Password managers are applications on your computers and devices to access a database where your passwords are stored. One of the big pains they relieve is the need to remember multiple complex combinations of letters, numbers and characters that – to be effective – are totally random. Almost all password managers let you create a master password for access to your identity vault, and then the password manager fills in individual user IDs and passwords for the sites and apps you use. One benefit is that you can give each site or app a different, complex and hard-to-remember password. They also relieve the burden of making required password changes for websites by generating a new one.

For those of you thinking several steps ahead, you are not tied to a password manager forever. You can always download the database with your passwords and user names, allowing you to leave the service and change passwords at each website as needed.

Of course, there’s some risk to a password manager. If a hacker gains access to your master password, all your accounts are open to plundering. Likewise, if a hacker manages to breach the central vault of the password management company, it’s possible that millions of account credentials could be stolen in a single hack.

Good password managers have defenses for both possibilities. Most employ multifactor authentication, so access is granted only with both a correct password and a correct authentication code. That code exists only on a device you own, limiting the ability for someone on the other side of the world to gain access to your information. They also encrypt your password information locally, before it ever leaves your devices, on the servers operated by the vendors. In most cases, this is strong enough.

You have a lot of choices for password managers. We happen to like Dashlane, which gets strong reviews from sources such as PC Magazine, Tom’s Guide, and CNET. You can find more than enough reviews of Dashlane and other program managers, some subscription-based and some free. You should remember that we’re not always enamored with free programs, but regardless of price, here are some things to consider.

Your password manager should secure your data on your machine and in the cloud with an industry-accepted, tough form of encryption that’s widely used today. Along that line, it’s good to have a password manager that scans the dark web to make sure you haven’t been compromised.

It should work across multiple platforms with software for Windows, macOS, Android and iOS, and you should be able to install it on an unlimited number of devices for a single (usually paid) account, store an unlimited number of passwords and generate new, strong passwords for you, even on a mobile device. We like one that can alert you to data breaches and give you a two-factor authentication option for master passwords. Some will offer to save personal information, such as personal details, credit-card numbers and other frequently used information to quickly fill out online forms. While this is optional, it may be safer than letting a website save your credit-card information.

While no password manager can recover your master password if you forget it, it’s helpful to have one that lets you reset your password. Another good feature is one that lets you provide an emergency contact so that a trusted person can access your websites and apps if you are unable to do so.

Choosing a password manager and setting it up can be daunting tasks, but we can help. Call us – 973-433-6676 – or email us for answers to your questions or to walk through the setup.

Airports, Wi-Fi and VPNs

Since most of us fly in and out of Newark Liberty International Airport, you might want to know that it’s ranked fifth on one list of airports where your phone is mostly likely to be hacked. Setting up a VPN (virtual private network) might not be your answer, either, because they are not always as reliable as you think for protecting privacy. Your best protection is your own cybersmarts.

Newark’s lack of security was highlighted in a recent article by Tech Republic about the 10 US airports where you’re most likely to be hacked. That article was based on a report by Coronet, an internet security provider, which looked at the 45 busiest airports in the country. The report applies mostly to businesses, but a lot of it can apply to all travelers.

Why are airport wi-fi systems vulnerable? Lax cybersecurity at most airports lets bad guys onto insecure public wi-fi to introduce a plethora of advanced network vulnerabilities, such as captive portals (AKA Wireless phishing), Evil Twins, ARP poisoning, VPN Gaps, Honeypots and compromised routers. Any one of these network vulnerabilities can empower an attacker to obtain access credentials to Microsoft Office 365, G-Suite, Dropbox and other popular cloud apps; deliver malware to the device and the cloud, and snoop and sniff device communications. Further, not all VPNs give you rock-solid protection against attacks, and USB charging stations are notorious being vulnerable to attack.

To be fair, the report puts the probability of connecting to a medium-risk network at 1 percent and the probability of connecting to high-risk network at 0.6 percent. The same numbers for the worst airport, John Wayne Airport-Orange County Airport are 26 and 7 percent, respectively.

But why take a chance when you can take steps to reduce even the slightest risk? Even at a 1 percent risk, you’re still gambling, and the cost of a breach could be more than the cost of more data on your cellular plan. To be safe, use cellular data in public places.

But let’s try to put all of this in perspective. If you’re checking your email or browsing the internet at the airport, you’re not using much cellular data. The heavy use comes in streaming movies or TV shows or in downloading content with a lot of pictures and video. To keep data use minimal, change your settings so you don’t download pictures and video. If you can, download and store reading and viewing material onto a device before you leave home. If not, buy a newspaper or carry a book to kill time at the airport.

When you’re at various locations – anywhere in the world – make sure you check that you are on a legitimate network. In Europe, for example, we found that the wi-fi networks were faster than data networks, and that made it better to use them to download email. But if speed is not an issue or if the wi-fi is slow, you’re safer on cellular.

We’d also like to add one more reminder: Although this article deals with airports, the same safety precautions apply to any public network. They’re all prime targets for hackers. The notorious bank robber Willie Sutton was once asked why he robbed banks. His answer: “That’s where the money is.” Today, data is where the money is; hence the hackers.

If you have any questions about securing your phones, devices and computers, call us – 973-433-6676 – and email us.

Tech Preps for Trips

For all the acclaim that Israel gets for technology, I was shocked at how slow the wi-fi service was while we visited there. With all the advanced security systems in place and all the tech startups and established R&D places there, I was expecting blazing internet service. Instead, I found internet service was based on DSL technology, and I had to ask why??? It was the slowest internet service I’ve experienced anywhere on the planet (though I’m sure I haven’t visited the places that are even slower).

While your experiences in Israel may differ from mine, the visit reinforced the need to plan for your tech needs as you plan your itinerary. In our case, I brought two phones, and we had Danit’s phone.

I ordered SIM cards for Israeli cellular service for my iPhone X and Danit’s iPhone before we left the US. They were ready for me at the airport, and using a little tool I carry, it was a simple matter to pop out our US SIM cards and install the Israeli cards. Our cost was $60 for the two cards, and we got 10 gigabytes each of data usage plus the ability to make unlimited calls worldwide. We also got the 4G cellular data service, and it was really fast.

Of course, that meant my iPhone X did not have my US phone number. That meant I lost access to voice mail for my number, and I lost the ability to receive text messages. The solution was to carry an old iPhone 5, which was activated for my US number. That gave me the ability to monitor US calls and texts and to use my “Israeli” phone to call and text as needed. The only issue with SIM cards in other countries is that you are likely to get text messages in the language of the country tied to the phone number. Along that line, if you are using your phone for GPS car navigation, you should check your settings to make sure you get displays and voice directions in English – and maybe in kilometers, too.

There are a number of workarounds for phone-number challenges. One is to get a Google Voice number through Google. You can then forward that to any phone number you want, such as the phone number tied to your SIM card in another country. I chose to get a US phone number in Israel for my Israeli phone, and people who needed to reach me immediately could use that number. That helped me balance time away while being accessible.

If you are averse to getting a SIM card and changing your phone number, you can arrange for international service with your cellular carrier. That can be expensive (“expensive” can be a relative term), and if you have an iPhone phone that you bought from a Verizon store, you’re stuck with just a CDMA radio in your phone. Without getting overly technical, CDMA is one of the two radio systems used in cell phones, and it’s used in the US. GSM is the other radio system, and it’s used worldwide.

Most Android-based phones, all iPhones sold in AT&T stores and iPhones sold in Apple stores have both radios built in, giving you seamless service if you decided to use an international phone plan from your carrier. If you are planning to buy a new iPhone and want to use Verizon as your carrier, we recommend buying it in the Apple store to get both radios and keep more options available.

If you opt not to have cellular service on your phone, you can still use wi-fi for email, browsing and making calls through various apps, such as WhatsApp, Viber, Skype and others. Just be aware of security needs when using public networks. You can also rent a cellphone in the country you are visiting.

We can help you plan for tech needs for travel. Give us a call – 973-433-6676 – or email us to talk about what’s available in the countries you’ll be visiting.

SSL Certificates for Websites

When it comes to the security of your business website, size does NOT matter. Your business most likely either houses some bit of information about clients or customers or has access to information. That makes you a target for hackers. It also makes you a target for a Google search engine flag to warn that your website may not be secure because your security certificate isn’t current.

Starting July 1, Google will require that websites have current SSL certificates. SSL (Secure Socket Layer) is used to provide an extra layer of security for websites, and it’s added to each individual page on a site. You are most likely familiar with SSL as a computer user. When you go to a secure page for transacting business, you may have noticed that the secure page URL begins with https:address instead of http:address. You’ll also usually notice the image of a padlock.

Google is implementing the requirement for its Chrome browser, which is widely used worldwide. When someone uses the browser to visit a site without an updated SSL certificate, they’ll see the phrase “Not Secure” before your URL in the address bar. Most likely, they’ll leave the page immediately, and that will increase your site’s bounce rate and endanger your inbound leads. The increased bounce rate will hurt your overall Google ratings, and that will affect your Google page ratings on all browsers, such as Firefox, Edge and Safari.

You can see if your certificate is up to date simply by looking to see if your URL starts with https:. If not, it’s an easy problem to fix with the services of website developer. They can help you purchase an SSL certificate through your website’s hosting company and then add the proper code to your pages. The certificate costs between $40 and $100 per year, and the coding can typically be added in two to four hours.

We are more than happy to refer you to one of our partners, Rachel Durkan at Paradigm Marketing and Design. You can email Rachel for specific information about getting your website in compliance. If you have any other questions or concerns about SSL certificates and website security, call us – 973-433-6676 – or email us to talk about them.

Advice from the FBI

If you’re a longtime client or reader of Technology Update, you can say the FBI has either listened to us or validated us with its recent call to restart your routers. Our national law enforcement agency says that routers can be vulnerable to hackers, and one of your best defenses is to restart them. There’s more you can do, but restarting a router is easy to do.

First, let’s look at the restart process, which clears out a lot of junk piles – junk piles that make great hiding places for the bad guys who want to use your network as the entrance to your entire computing world. Rebooting can also help your network’s performance, just like a reboot or restart helps your computer. All you need to do is:

  1. Unplug your router and modem – or combined gateway, which includes your router/modem and VOIP telephone – from the power source. If there is an adapter that plugs into your unit, you can usually do it right there. Do the same for any network switches you might have. If you have batteries for backup power in any equipment, make sure you pull them out.
  2. Wait at least 30 seconds. This is important to help junk clear out, and it signifies your system is offline. Waiting a minute wouldn’t hurt.
  3. Reconnect your system, starting with your modem if it’s a separate unit. If you have a gateway, connect that. If it doesn’t power on automatically, press the power button. Wait at least a minute to give your ISP time to authenticate your connection and assign a public IP address.
  4. Reconnect your router and wait two minutes. This gives your router time to boot back up and gives everything on your network time to get new private IP addresses assigned by the DHCP service in your router. If you removed the power from any switches or other network hardware, now is the time to power those back on. Just give them a minute or so, too. If you have several devices, be sure to power them on from the outside-in, based on your network map.

If you don’t understand anything in the fourth step, it’s a good idea to call us for help. We can follow the map and help you test everything on your network to make sure it’s all working properly. You can also reset your modem if you are concerned about security and/or performance, and that’s something we can help you with, too. Call us – 973-433-6676 – or email us with questions or to set up an appointment.