The Not-So-Hidden Costs of Free Apps

Facebook is free. You can get a free Starbucks app that gives you savings. You can use any number of free navigation apps, such as Waze or Google Maps. They may be free of fees, but they have costs, but they have costs, and that may be at the practical heart of privacy.

Our purpose here is not to get into the specifics of how you can delete apps like Facebook from your computers and devices. You can find a lot of those steps within the apps themselves. Nor is our purpose here about whether you should delete those apps. Facebook continues to come under fire – and to fire back – as the news changes every day.

In our opinion, the issue of Facebook and Cambridge Analytica, which brought a lot of this discussion to a head, happened in 2015. Facebook shared data with Cambridge Analytica under an agreement, but when the agreement was terminated, the data wasn’t deleted. In some ways, we are now looking at several issues, so let’s separate them. I did download all of my personal information that Facebook has about me, and some of it was scary. The scariest part was that they have all of my contact information, and I could see the names of all the people who may have requested to “friend” me but did not accept.

In a way, all of the info didn’t surprise me, and we should all note that Google probably has more information about all of us than Facebook. Like it or not, our likes and dislikes, which are all reflected in what we say on Facebook and in Google product reviews, to name a few, plus all the searches we do and websites we visit all become valuable information for advertisers who want to focus on those who are most likely to buy a product. John Wannamaker, the Philadelphia-based department store owner, said some 150 years ago that he knew only half his advertising dollars were working; he just didn’t know which half. Today’s analytics help businesses and political campaigns make their dollars work more efficiently.

That’s where “free” comes in. We like free apps, free things and being free to express opinions. But it has a cost: whatever level of privacy you are willing to give up. Yes, those “terms and conditions” and “privacy statements” are long and difficult to read, but we all know the drill. In return for being able to use their apps and be eligible for certain perks, we give them the ability to track our locations and share information with their business partners. If anything, the Facebook fiasco has raised our awareness of what goes on behind the scenes, and we may be less willing to give everyone unlimited access to our preferences and whereabouts when given the opportunity.

Another related issue is the Internet of Things, or IoT. All the “smart” home systems, including the smart speakers from Amazon, Google and Apple, collect data based on the info you request, the songs you play and even the merchandise you buy using their systems. Two things we don’t know are: 1.) Do they collect information even when you haven’t activated them? 2.) Who has access to the information they collect?

Moving forward, I am not going to drop out of Facebook. But we can all download the info Facebook has collected on us and look at the apps and advertisers we are tied into through Facebook. We can delete those we don’t want.

Looking at all the data collected about us and figuring out what to delete or hide can be a daunting task, but we can help. Call us – 973-433-6676 – or email us to make an appointment to review whatever information you can collect from the apps you use. We’ll do the best we can to find that happy medium between convenience and security. But even if you decide to drop off the internet and just pay cash for bills and goods and services, your privacy still cannot be ensured.

Don’t Go to the Dark (Web) Side

The story of the hacking frenzy would be incomplete without mentioning the dark web. Some adventurous souls might think they can just drop in for a quick visit to see what’s it like and leave, but two thoughts come to mind: Trying to leave the Hotel California and a lamb sauntering into a lions’ den. Resist the temptation to take a peek.

Trying to poke around the dark web just for grins is the equivalent of going to a bad neighborhood at 2 a.m. just for sake of seeing what it’s like. It’s the place where stolen information, such as driver’s license numbers, credit card numbers, health records and the like are bought and sold. It’s no place for thrill seekers.

Yes, there are websites that will provide you with information on how to get to the dark web, and privacy is critical. Those who trade illicit information guard their privacy very tightly, and they use special VPNs (virtual private networks) to make sure they minimize detection by other criminals or law enforcement officials. And, you also want to minimize your exposure to other criminals who won’t think twice about stealing info and money from you.

Cybercriminals using the dark web never use any common ISPs (internet service providers) or browsers. That’s like walking into the bad neighborhood wearing a bright-colored reflective jacket. Rather, the dark web relies on special browsers designed to be undetectable. Users are advised to disconnect and/or disable recording devices such as microphones and cameras.

Dark web transactions are generally done using Bitcoin or some other form of cryptocurrency that makes it difficult, if not impossible, to trace the hands through which money passes. Users of the dark web generally use multiple aliases and anonymous email addresses to hide their identities and locations.

Criminals on the dark web know that other criminals and law enforcement agencies are marshaling all the tools they can to crack the dark webs, and the sophistication on both sides is constantly evolving. If you suspect some members of your family or employees might be thinking about taking a little peek at the dark web, let them know it can be an extremely dangerous undertaking. Once anyone wanders in, they’re prey for hardened criminals, and it’s unlikely they can wander back out.

If you’re concerned about whether someone in your home or office may have compromised your system’s security in some way, call us – 973-433-6676 – or email us for a security audit. If there’s something going on, we can take steps to mitigate the effects.

Spoofs and Email Management

Spoofing email addresses is so common that you might as well accept the fact that you have to scrutinize every message you get. With our switch to a new Office 365 management portal, many clients have been getting emails allegedly from Microsoft, and some are more obvious spoofs than others. It might be time to look at your email management processes.

Hackers use spoofing as a way to get into your computer or network. They are relying on your carelessness to click a link that allows them to introduce some sort of malware that will give them access to your critical personal or corporate data and your address book or contact list. Once they get in there, they can replicate the same message that snared you and hope they get lucky with a few more careless people.

To clean out the malware, we need to isolate the message to see what the hacker is spreading through your system. We’ve received a number of calls from clients in the past few weeks about problems with spoofing, and our issue has been the size of clients’ email folders. Simply put, when there are 100,000 messages stored in the inbox, finding the spoofed message that caused the problem can be extremely time-consuming.

In all likelihood, you’ve run into a similar problem when trying to find a specific message. Outlook gives you some search parameters for finding any message you may have saved, but because of the way most people search, you get a lot more possibilities, and that still slows down your search. And, of course, the more messages you have stored in one place, the longer it takes your program and you to find the message you want.

Setting up an email management system can make your searches more efficient, and it can also help you or any IT support team isolate a message that might be causing a problem with your system. Again, Outlook has a few tools, but you might want to start by creating a system of subfolders within your inbox. For example, I file all emails by client, and within each client, I file them by the year. That makes it easy to get to a place to find a message I want to retrieve. It’s similar to the way most of you would set up folders for documents, photos and videos, and business records.

Of course, that system is only as good as the effort you put into moving messages to folders. If you suffer from a severe case of email overload, you may want to consider an archiving program that works on the back end of your email program. It can be especially helpful for a business, particularly where employees deal with multiple people from the same organization. For as little as $3 per month, it can set up and execute a system that even isolates people within a company, making it easier for you or anyone in your organization to get to a specific message to resolve any kind of problem – customer service or malware.

While home users may not be concerned with customer service issues, there are times when you need to find a message to resolve a problem, and good organization can make a busy life a little less hectic. We can help you set up set up Outlook folders or find and set up an archiving system that works best for your needs. Give us a call – 973-433-6676 – or email us to discuss your email management issues and explore the most appropriate solutions.

Safe Travels, Safe Wi-Fi

It’s getting near spring-break time, and summer vacations will soon follow. You may have seen the reports about wi-fi issues and data security. One of the biggest problems you face is how easy it is to log onto a “fake” wi-fi network – a network that is neither part or your hotel’s system nor secure. But if you pay attention and follow a few simple tips, you can safely stream your favorite content and handle some routine email tasks.

The first and most obvious thing to do is make sure you understand your hotel’s or resort’s log-in information when you check in. Get the proper names of any network that the hotel makes available for you. Then, when you try to log in when you get to your room or sit down at the pool, you can pick out that network from the many that will display when your computers or devices search for the network. Don’t be surprised to see several networks that have spellings or character-and-number sequences that are similar to the networks you were given at check-in.

When you go to log in to the network you’ve selected, you’ll likely be asked for your name and room number. Tip No. 1, don’t enter a correct room number or even a correct name. Misspell your name, if you want. If the network lets you in, then you are not on a legitimate network. If you are denied access with your incorrect info, you should feel confident the network is OK.

Depending on the property’s size and network setup, you may be required to log onto multiple networks. Follow the log-in test for each network. And, most important, make sure everyone in your family or travel group follows that procedure because the breach of one computer or device could compromise everyone in the group.

Also, be aware of network names and connections as you float around. You or one of your family members could inadvertently wind up on an open, unsecured network that can be used to breach your computers or devices to steal information. Tip No. 2, you might want to consider disconnecting from the network when you finish your online session.

Tip No. 3, don’t use a wi-fi network conduct online business, such as credit-card purchases or accessing your bank accounts. You should also avoid wi-fi for logging onto sites related to your health or finances. Instead, use your cellular network. It’s much safer. That may require you to make some additional arrangements with your cellular carrier or to buy and install a SIM card with a data plan for service. However, it’s well worth the time and expense.

Personally, when I travel, I “hotspot” my computer in connection with my cell phone number. It can be expensive (though that’s a relative term), but it removes me from the wi-fi network. So far, hackers have not breached the cellular networks.

Just as a related point, if you are going to depend more on cellular data, make sure you have a plan that will cover your use, and make sure everyone who uses your plan knows its limits. If you’re streaming a lot of video content or gaming, data gets sucked up faster than you can imagine, and charges for exceeding your plan’s limits can be steep.

We can help you prepare for an internet-safe trip or make sure your systems are secure whenever you go remote near your home or office. Call us – 973-433-6676 – or email us to set up an appointment to look at your systems (we can do a lot remotely) and answer your questions.

Fraud’s Warning Signs

Anyone who tries to defraud you online – or even on the telephone – is literally banking your carelessness. Take a good look at emails and links and listen carefully on the phone. You can spot the fraud, and if you’re not sure, disengage and call the person you think contacted you – on the telephone – or send a new email, totally separate from the thread.

It’s important to be on “high alert” because the hackers and scammers are at the top of their game, and their targets include trusted advisors, such as accountants and tax preparers. We should state that these people should have secure systems in place and should know not to send or request sensitive, confidential information through email.

But at the end of the day, you need to take ownership of your privacy, so here are some tipoffs that a communication might not secure or might be out-and-out fraudulent.

First, does your accountant normally contact you by email? If not, that ought to raise a red flag. Second, can you absolutely verify that the email is from your accountant? While some email systems are good at spotting something fishy (or phishy), a scammer is betting that you’re not going to pay attention. Check the properties of an email address. It could very well be that cybercriminals were able to recreate the look and feel of an email from your accountant, but unless they actually got into the accountant’s server, a phony email will have a phony email address.

Attachments can be another tipoff to fraud. You should be suspicious if you get an email with attachments that are supposed to be forms, such as a tax form you need to fill out or a return to verify, are you being asked to provide your Social Security number and maybe your birthday? Can you open it without having to go to a secure website and enter a password? That doesn’t pass our initial smell test.

If your accountant does contact you about sensitive information or forms, are you referred to a secure website? Do you have that link with your access credentials safely stored? In a safe world, you can log into your account by entering the website address from your browser and entering your credentials.

If something doesn’t look right, you should always be able to call your accountant on the telephone.

And just to go one step farther this spring, here are some other things to be wary of.

Are you getting emails supposedly from someone you haven’t heard from in ages? And does have a short subject line, such as “hi”, with no message but a link? That’s a sign of fraud and clicking the link could open a breach in your system that can expose your sensitive data.

Are you getting Facebook friend requests from people who are already your friends? That’s generally a fraudulent request by someone looking to get into your system.

Anyone using fraudulent methods to get into your computer system may also be planting some kind of virus or malware to help infect other computers. If you think you may have clicked a link by mistake that could lead to a breach of your system, shut down your computer and disconnect it from the internet. Then call us – 973-433-6676 – so that we can apply our tools and expertise to minimize the damage and clean up your system.

Spectre and Meltdown Raise Need to Update

We’ve seen lots of patches from chip manufacturers and operating-system publishers trying to resolve the Spectre and Meltdown issues. Their effectiveness is mixed, but there are a couple of things you can do to help protect your systems: backup your files and update your software.

The patches came out quickly last month, and they kept on coming as chip manufacturers and publishers of apps and operating systems tried to close the open doors that Spectre and Meltdown use to get into a computer. If you installed all the updates, even multiple updates from chip manufacturers and software publishers, you did the best you could to mitigate problems.

If you haven’t installed updates for operating systems, applications, firmware, browsers and antivirus protection, do it NOW. If you have not set up your systems to automatically install updates, we suggest you do that now, too. Every supplier with a stake in your success is working ‘round the clock to shore up any weaknesses in their products. The faster you install them, the faster you’ll protect your systems and data.

Here is what you and the computer industry are up against:

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, you risk leaking sensitive information. This applies both to personal computers as well as the cloud’s infrastructure.

Spectre also breaks the isolation between applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets and may actually make applications more susceptible to attacks.

While Spectre and Meltdown affect chips, they resulted in computer failures that, in turn, resulted in the losses of apps and data files. In a number of cases in which our clients were affected, we found that Google Chrome was piece of every problem. We don’t say this to point a finger at Google; we note it to make sure you have the latest version of your browser installed.

In the more severe cases, we had to reinstall software systems – with all the cumulative patches – and data files because everything was wiped out. In the most extreme cases, we had to replace computers. This, of course, required that all data files were backed and that all software for operating systems and applications were licensed.

Using subscriptions for operating and application software can eliminate just about all problems associated with keeping your systems up-to-date and licensed. They also can provide access to backed-up data files to help restore your system. The bottom-line benefit is that if your system is struck by some disaster, which can include Spectre and Meltdown, a ransomware attack, or a virus or malware invasion, we can wipe your computers and servers of infections and initiate clean installations of your operating system, firmware, and application software and then restore settings and data.

Without the subscription, you may need to purchase software and then recreate all of your settings as best as possible. And if you don’t have data files in a separate, secure location, you’ll need to find the latest files you have and then restore them in your recreated system.

As we make these points, we are aware that everyone has budget restrictions. However, you need to look at the costs associated with an interruption due to an IT system failure. Any money you may have saved by hanging onto old equipment and software can be wiped by a single event.

By making smart investments to your system, you’ll be able to maximize your security and efficiency. That’s important for home use as well as a business. More and more, we have multiple users conducting some sort of transactions over the internet, and those activities can take place from remote locations. It’s a continuing trend in our use of technology. Subscriptions are a continuing trend, too, in the way we keep our systems ready to do all the things we do.

We can help you make the best decisions to balance your IT needs and available funds. Call us – 973-433-6676 – or email us to discuss your update needs and develop a plan to meet them.

Protecting Your Email Accounts

My dad wasn’t getting his personal email for a few days and thought it was because his service was down. We found otherwise, and he wasn’t the only victim. The message here is: Pay attention to oddities.

One of my dad’s symptoms of an email problem was that he wasn’t getting any messages. Unfortunately, that symptom doesn’t raise too many eyebrows these days because he figured a server was down – again.

But when the problem continued, he called, and we logged in to discover that his email was being forwarded to a Gmail account. We were able to re-secure his account, and it was one of those “no harm, no foul” situations this time. Next time, he might not be lucky.

But my dad wasn’t the only victim of an email invasion. One of our clients with an international business discovered that for a couple of days, all of their email was going into the “deleted” folder. They were expecting to have money wired in, so the email problem put them on heightened alert.

When we investigated, we found that they had been hacked and that hackers had added a rule to their email system that sent messages to the “deleted” folder and also forwarded the messages to an email address they had set up.

Both instances point out the need to be vigilant – and to follow safety precautions we’ve mentioned many times before.

  1. Make sure you have a strong password.
  2. Use long passwords that include upper- and lower-case letters, numerals and special characters.
  3. Change your password periodically.
  4. Never put information such as Social Security and bank account numbers in emails. They’re so easy to get picked off by hackers.
  5. Avoid sending emails that have umpteen thousand addresses in the “To” and “Cc” lines. It’s very easy for hackers to insert their own email address into someone else’s name and start a phishing expedition that could reel in sensitive, private information.

If you notice something funky about your email, get in touch with us right away. Call us – 973-433-6676 – or email us to help secure your email.

‘Free’ Streaming

Not all streaming is meant to be shared – or least not shared with dozens of strangers around the world. Cable companies and content providers are concerned about lost fees as access credentials to programming are increasingly abused. They’re cracking down on piracy.

Stealing service has been a problem since the first electrical wires and meters were installed more than 100 years ago. For cable and content providers, it became an issue when the first cable wires were strung up. The problem has grown as technology has developed more content and more ways to get it. Putting aside the issue of whether it’s all overpriced, it costs money to develop and deliver the content we love to watch, and too much of it is “falling off the back of an electronic truck.”

We can watch content for free on our TVs when they receive broadcast signals. But for the most part, the only people who watch broadcast TV are those who have cut the cord and stream through their TVs on their internal Wi-Fi or wired networks. For them, a TV is a device, just like a tablet, wireless phone or computer.

Cable providers have relationships with content providers that enable subscribers to stream cable-delivered content or simply stream it from the content providers. You get a username and password, and you’re good to go. You can even share your account with others, and almost all of us have done it at one time or another, especially with Netflix or Amazon Prime. Some providers encourage it.

Unfortunately, some people have taken sharing too far. The content industry has been OK with sharing info with a few friends or family members, but the problems arise when those friends and family members start sharing access with their friends and family. It’s all gone viral, and it hasn’t gone unnoticed.

Every provider who issues usernames and passwords also has the means to track who is accessing content and where they’re watching it. They expect that subscribers will stream their programming when they’re traveling, and they can usually verify access privileges are being properly used. Most vacations are a week or two, and even if you move around a bit, you’re generally not in locations a world apart within the space of two days – or on the same day.

The industry can track possible abuse, and there are steps they can take – if they haven’t done so already – to limit access without alienating honest, rule-abiding subscribers. They can require all subscribers to re-enter or change passwords more frequently. It’s a risk for them because some subscribers may find this an inconvenience and drop their service. However, it’s one way to shut off access to a large number of pirates in one fell swoop.

They can also limit the number of shares they’ll allow. While Netflix, for example allows up to four shares for its most expensive plan, and providers such as HBO and DirecTV allow limited sharing. ESPN may have limits on how many streams are allowed, but that could be independent of limits placed by cable or satellite carriers.

The industry can threaten to cut off subscribers – or actually cut their cords – but that gets into all sorts of sticky legal and customer-service issues. For example, do you take action against the parents who gave their college-age kids access? Do you go after their kids? Do you go after the users of devices they believe are “invalid users?”

This problem will become more prominent on the industry’s radar screen because a lot of money is at stake. Content producers need to be paid for their product, and that payment depends on how many subscribers watch it. Cable and satellite companies pay fees to producers and collect fees from advertisers and subscribers based on the number of valid users. Nobody wants money taken off the table because of a discrepancy between subscribers and viewers.

Finally, all this sharing raises a nagging question in the back of our mind: If someone has access to an account that you pay for, how can they use this access for their own gain at your expense? Call us – 973-433-6676 – or email us for help in tightening up your access controls.

Are You Printing Invitations to Your System?

Printers have been fingered as the weak link in many business and home networks. Most small businesses and home users tend to run their printers into the ground, and the longer they hang around without the latest firmware updates, the more vulnerable they are to a cyber-attack.

You can stop printing invitations to intruders – even with your current, old printer. Let’s start with the firmware. Simply go to your printer manufacturer’s support website and you can see all the firmware and driver updates available for download and installation.

Whether your printer is on a home network or small business network, make sure your firewall software is up to date and that you have a strong, secure network password for each printer. It’s too easy, especially in an office, to use a simple password that everyone can remember and hackers can figure out. And too many, especially in an office, keep their passwords stuck to monitors, where anyone walking by can see them. Your employees and/or family members just need to bite the bullet and remember a strong password – and keep that knowledge to themselves. It’s also worth noting, too, that sometimes the printers don’t even have those default passwords; they have none at all.

You can further restrict access to your printers by properly managing your printer settings and ports. Just as we’ve seen everything related to the IoT, printers can be shipped with default settings controlling printers and default port assignments. Any third-rate hacker can figure them out. You can and should change them immediately when you set the printers up to work on your networks.

Some manufacturers are recognizing the role they can play in protecting your printers. HP recently introduced its Connection Inspector for enterprise systems, and we can only hope the company and other manufacturers start incorporating similar tools for small businesses and homes.

The new tool is designed primarily to combat malware intrusions through printers by looking at unusual behavior on network traffic going to a printer. It learns what “normal” traffic looks like, and when it detects malicious activity, it can immediately go into a protected mode, stopping any further unfamiliar or unusual requests and sending a warning to IT administrators. It can even trigger a reboot of the printer.

We’ll keep an eye on developments in printer security to let you know when tools like Connection Inspector become available for you. There should be an incentive to develop them because more and more professional services corporations and families, especially those with school-age children, rely on remote and/or wireless access to printers to create hard copies of information in a corporate database or a collaborative research project.

In the meantime, we can help you tighten your printer security by looking at your machine’s settings and ports and checking your network’s security, too. We can also help you with the installation of firmware and driver updates. Call us – 973-433-6676 – or email us for an appointment. It’s time to make sure you’re printing documents, not invitations to enter the inner sanctum of your system.

‘KRACKing’ Your Wi-Fi Network

KRACK is an ominously named crypto attack that exploits a flaw in the process of connecting a device and a Wi-Fi network. By allowing network access without the password, effectively it opens up the possibility of exposing credit card information, passwords, and practically any other data on your device. Here’s how to protect yourself – somewhat.

Using WPA2 security, the standard of protection for the past 13 years, is still the way to go, and setting a strong, secure password is just as important as it ever was. But it’s like a lock on your front door. Locks, according to conventional wisdom, keep out honest people. But a lock that’s strong enough to delay a would-be thief was thought to still be effective.

That was until KRACK (Key Reinstallation Attack) was discovered. It exploits a flaw in the four-way handshake process between a user’s device trying to connect and a Wi-Fi network, allowing an attacker to access a network without the password. It’s an equal-opportunity attack, too. It can affect Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others, but the most current versions of Windows and iOS devices are not as susceptible to attacks because of how Microsoft and Apple implemented WPA2. Linux and Android-based devices are more vulnerable to KRACK.

Fortunately, it’s not a helpless situation. Attacks can only be successful when someone has access to the wireless network you’re on at the time of the attack. That means you need to be especially careful on public networks. You can further help yourself by:

  • Making sure you’re up to date with all available security patches
  • Using a VPN, which will encrypt your internet traffic
  • Visiting only websites that use HTTPS, though it’s not a guarantee you’ll be safe.

We’ll keep you updated on developments against KRACK, and we can help you now by taking a look at your systems and security to make sure you’ve maximized your protection. Call us – 973-433-6676 – or email us for an appointment.