Arming the ‘Road Warrior’

I’ve been traveling a lot over the past two years, and that’s made me more conscious than ever about what we all need to do to create mobile fortresses wherever we are. Some of the best defenses are tried and true, and some take advantage of new technologies. Here are steps for you to consider.

If you haven’t done so already, the first thing you should do is install a VPN on every device you use in a place that’s not your office or home. A VPN, or Virtual Private Network, creates a secure connection between your device and the internet. It encrypts your internet traffic, making it unreadable to anyone who might intercept it, and routes it through a remote server, which helps protect your online activities from being monitored. It also protects sensitive information, such as passwords and personal data, especially on public Wi-Fi networks. And if you’ve been reading this newsletter for several years, you know that we don’t consider a password from a publicly provided network, such as a hotel, to be secure.

A VPN can replace your real IP address with its own server IP address and enhance your online privacy by making it difficult for websites and services to track your location and browsing habits. It also allows you to bypass geographic restrictions on websites and streaming services so you can access content that may be blocked where you are.

With a VPN significantly improving your online security and privacy, you can take advantage of other technologies, such as Microsoft’s Cloud PC, which allows you to access a full Windows desktop experience from any device with an internet connection. For business travelers, this means you can replicate your work environment during a flight or while sitting in a public place.

I’ve started using it during my travels to conferences as well as while on vacation. It has two major caveats, which don’t bother me at all. One is that it is a subscription service, so I wouldn’t recommend it for casual use. The other caveat is that it works better on a laptop computer or a tablet. Because it displays what you would get if you logged into your Microsoft 365 account on your office computer, you need a bigger screen. I think a telephone display is too small to be effective.

Combining a VPN and Cloud PC are just two tools you can use to make your online life safe and efficient. We can help you find and configure the tools you need to be productive on the road – or in the air or at sea. Call us – 973-433-6676 – or email us to discuss your needs for online safety when away from the office.

Authenticator Apps Can Protect You from SIM Swapping

We hate taking extra steps, especially if we think they’re complicated. But with the rise of SIM swapping, you might want to bite the bullet and get used to using an authenticator app.

The benefits of using an authenticator app for 2FA were illustrated by the problems of a new client who was victimized by a SIM swap of their phone number. The SIM swap caused untold problems, including untangling them based on hard-to-find phone records.

Again, just to recap from last month, SIM swaps happen when a bad actor is able to convince a carrier that they’re you and that you need to transfer your phone number to a new device. While the bad actor has your phone number hijacked, you lose your cellular service. You can’t make or receive phone calls or send or receive texts. If it happens for a short time and you’re not using your phone, you’ll never know it happened. If you’ve set up a form of 2FA that involves getting a code through a text message, you’ll never know about that, too.

An authenticator app is different. It uses a Time-Based One-Time Password (TOTP) algorithm to generate unique, time-sensitive codes for 2FA. The apps are set up on a mobile phone, and the process can be difficult for some. We suggest professional help to avoid untimely problems down the road.

When you type in a link from a computer or a phone to link the app to an online service, both the app and the service’s server use a shared secret key and the current time to independently generate the same time-sensitive codes. When a user logs in, they enter the code from the app, which the server verifies by comparing it to its own generated code. The verification code almost always comes in on your cell phone, and the authenticator app automatically regenerates the code every 30 seconds.

The key point here is that the authenticator app is tied to your device, not your phone number. So, if the bad actor tries to enter a website or app link that uses an authenticator app, they will not see the code. It will come to your device. If you don’t recognize the reason for that code being sent, it’s a big, bright flag that someone may have hijacked your phone number or breached your security in some way.

Of course, the website or online app being accessed must offer an authenticator app as a security measure. More of them are offering it as a security measure, and you should take advantage of it wherever you can. If you’re on your computer, you need to have your phone handy, and if you’re using your phone, it will take a little juggling. But it’s well worth the effort.

We can help you set up Microsoft Authenticator or any other authenticator app. Call us – 973-433-6676 – or email us to learn more about the app and get help setting it up.

Hardware Plays Hard to Get

As we were writing this issue of Technology Update, tariffs hit the fan. We have discussed their possible impact on prices before, but that was hypothetical. Now, they’re real, but we’re still not sure where they will land and how they will affect supplies and prices. At the same time, technological advances make hardware obsolete faster.

Before tariffs were officially announced, we saw a 10 percent minimum increase in hardware prices. Now, nobody is betting on how long the tariffs will stay in effect and for how long. Anyone who’s been living on the bleeding edge of their hardware’s service life – and there are many – has to feel uncomfortable because there is uncertainty supplies, prices and delivery dates.

That discomfort is heightened by a crunch from software providers, who need to meet demands for better online security and performance from operating systems and applications. It used to be that in some cases, you could expect seven years of service from a piece of equipment. That’s because the hardware manufacturers could provide updates for their products’ firmware (hardware operating system software) to keep pace with software developments.

Today, hardware can become obsolete in as little as three years. Security systems, working in the cloud, and higher-performing application software all demand more powerful equipment. The technology industry has made a business decision to put its resources into supporting the larger base of forward-moving customers than those who are trying to hang on to older systems.

For some organizations, it’s a double-edged sword. They find it’s especially critical to be lean and mean to survive in tougher economic conditions. But they can’t cut away too much meat after they’ve trimmed all the fat. At some point, they’ll need to buy new hardware regardless of the price.

The best way to work around a double-edged sword is to see what hardware is connected to the internet. That’s a security move. Hackers look for the weakest link in any system, and if you have any hardware that’s connected to the internet, it must be able to handle the latest security software.

When one of our retail clients ordered 10 new computers, we saw one old computer just running ads on a TV in their store. It was not connected to the internet, and that was a perfectly good use for it. You may have equipment in your office that’s not connected to the internet – or can be used without an internet connection.

We can help you make more efficient use of your hardware by taking a close look at what equipment you have to determine what needs to be replaced and what can be used in other ways. Call us – 973-433-6676 – or email us to set up an appointment.

Is ‘Zero Trust’ in Your Future?

The words “zero trust” in Zero Trust Network Access (ZTNA) are probably appropriate in a time when it seems like we don’t trust anybody about anything. ZTNA is being touted as a replacement for VPNs (Virtual Private Networks), especially for remote business needs. It could be more effective, but small businesses will need to jump through hoops.

ZTNA is a technology designed to limit who can access a network and where in the network they can go. The limits are important. For example, anyone who can access a Microsoft 365 network as a global administrator can effectively play God; they can do ANYTHING.

The goal of a ZTNA is to keep out false gods. Its proponents tout the following benefits:

  • Invisible infrastructure: ZTNA allows users to access applications without connecting them to the corporate network, thereby eliminating risk to the network.
  • More control and visibility: Managing ZTNA solutions is easy with a centralized admin portal with granular controls. Managers can see everything and create access policies for user groups or individual users.
  • Simpler app segmentation: Because ZTNA isn’t tied to the network, organizations can segment access down to individual applications instead of complex network segmentation.

Proponents further contend ZTNA is faster and more convenient than VPNs, offer better security, and are easier to manage. Gartner, a technology and research consultancy for large corporations and government, predicts its client base will largely phase out VPNs for ZTNA.

If you’re a small business or nonprofit organization that deals with large companies and government agencies, you may need to learn how to live in the world of ZTNA at the very least. If you want to adopt for your own use, you’ll need to answer some risk/reward questions:

  • Do you need a Ft. Knox type of defense system?
  • Are you willing to build new access systems to maintain your current business process?
  • Are you willing to take on the learning-curve risks of implementing a new security system?

There are no cookie-cutter solutions to changing your security measures. Call us – 973-433-6676 – or email us to discuss the specifics of ZTNA, especially if you need to use it to comply with another organization’s directive. We can help you design and implement a plan that minimizes your risk as best as possible.

Hacked SSNs: What, Me Worry?

With apologies to Alfred E. Neuman, yes, you should worry. But you don’t need to panic, especially if you have Windows 11, a computer with a later-generation chipset and a lot of common sense.

New reports say the hacking group USDoD claimed it had allegedly stolen personal records of 2.9 billion people from National Public Data, according to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, FL. The breach was believed to have happened in or around April, according to the lawsuit. A class-action law firm said the stolen file includes 277.1 gigabytes of data and includes names, address histories, relatives, and Social Security numbers dating back at least three decades. A post from a cybersecurity expert on X claims the records for citizens of the U.S., U.K., and Canada were sold on the dark web for $3.5 million.

Yes, that’s scary. But it’s not as dire as you think. Security breaches happen all the time because thieves find vulnerabilities in large systems and exploit them. Some thieves steal simply because they can. If they don’t try to use stolen information, you don’t have a problem. But if they do try to use stolen data, they need to know how to defeat whatever aggressive defenses exist at, say, a bank. Often, they fail.

They may try to sell the data, but if there’s no market, the stolen information languishes. If they do sell it, the data might turn out to be outdated. Finally, the buyers may be state actors. If you’re not a likely target of blackmail or in possession of interesting secrets, they may have the goods on you but not want to use them.

All you can do is harden your defenses as best you can.

Set up two-factor authentication for every online account that offers it, or use an authentication app, such as Microsoft Authenticator to secure your online accounts. If thieves haven’t intercepted your email, text messages, or phone, it’s going to be hard for them to break in.

Sign up for account alerts. Depending on your bank or card company, you can set them up for many things, including any charge outside your home country, any (or all) ATM withdrawals, or transactions over a certain amount.

If you get an alert you didn’t expect — or even one you did — don’t click links or call phone numbers in the alert. Instead, log into the account in question and find a contact number there. That will keep thieves from redirecting you to their own operations.

We can answer questions about 2FA, and we can help you set up Microsoft Authenticator. A proper set-up will prevent problems down the line. Call us – 973-433-6676 – or email us for an appointment.

You and Your Credit Card

Credit cards can be convenient and reliable, but sometimes, you’re much better off if you just leave yours in your wallet. The following “don’ts” apply to online and offline occasions when you’re tempted to pull out that piece of plastic.

  • If you don’t see the letters https as the first letters in the address bar of a website’s URL, don’t use a credit card. https is the universal protocol for secure communication over a computer network on the Internet. However, don’t blindly trust this. A scam website or scam merchant can obtain https certification, so be sure it’s the correct website before you type in your info. As an alternative, you can use PayPal if it’s presented as an option.
  • If you don’t see any online reviews of a merchant, consider that a red flag. If you see a merchant with no or few reviews while shopping on a site like Amazon, it’s a caution flag. While you assume they were vetted, they could have slipped something through the process. Some other things that shouldn’t be missing from a website are social media accounts, though there are Facebook marketplace scams. Be wary if you don’t see complete, verifiable physical addresses and telephone numbers.
  • Don’t put your credit card info into an email, especially if responding to an email. It could be part of a phishing campaign. We’ve written extensively on how responding to misspelled email addresses or URLs are ways to get you to provide a valid card number to a fraudulent operation. You’re actually better off giving your credit card to someone over the phone – but only if you initiated the call. A valid merchant uses a system that only retains the last four numbers of your card.
  • Going offline, don’t allow a merchant to take your card out of your sight. Who knows what they’re doing with it? More restaurants are processing your credit cards at your table. It’s all the same “trust but verify” thing.

If you’re a consumer, you likely know just about everything we discussed in our “don’t do” list.

If you’re a merchant, we can help you keep your credit card system secure by providing you with hardware and software systems that comply with all regulations. We can also help you get the proper https certification you need for your website. Call us – 973-433-6676 – or email us for an appointment to talk about it.

Manage Your Email to Avoid a Scam

As more businesses are bought and merged, it’s more important than ever to pay attention to email accounts for all the entities involved. We’re finding “sleeper agents” hiding in neglected accounts, and they’re waking up to bite hard.

In a recent case, a client bought a business a few years ago and set up a number of special email accounts to help manage the transition and keep tabs on things going forward. The only problem is that going forward, they did not monitor those emails – and the account – so they didn’t realize their system was compromised.

They did notice irregular financial dealings in a bank account, and they went to the bank to change the account and the associated online password. But the person who had infiltrated their system still had access to all the email notifications, rendering each system fix ineffective. It took some heart-to-heart conversations with our client to get to the root of the problem and then fix it.

We needed strong passwords on every online and email account they had, but with a mole inside the system, that wasn’t enough. There are two more steps you need to take to tighten your system.

The first step is to set up two-factor authentication (2FA) for every account. Yes, it is a pain to wait to complete a secondary step, but it works. We find a text connected to a cell phone is effective because whoever is accessing the account has the cell phone nearby, and you know the verification code is going to the right person. The chances of the text message being intercepted are extremely remote.

The second step is to manage your email more effectively – and that calls for more than just checking it frequently. Whether it’s at the office or home, many email accounts have – or can have – a secondary email associated with each account. Please don’t leave it blank. That’s the door a hacker uses to get in. When you change the password, go into the profile for the user and reset or start using the secondary email account. At the same time, reset the rules for managing each account. The hackers had email forwarded to an account they could monitor, which let them stay up to date on all the changes our client made.

For both online and email accounts, you need to check each user’s profile information regularly. That’s where we can help. We can check or tell you where to look to see if anyone has electronically “jimmied” open a window to your system and help you take more protective measures. As businesses and consumers, we depend more and more on electronic payment systems to pay our bills and have our invoices paid accurately and on a timely basis.

Call us – 973-433-6676 – or email us to talk about your concerns and to schedule an assessment and a remediation plan – if needed. It’s your money, and if a scammer gets it, you likely will never get it back.

Old Security Habits Never Die; They Should

We still seem to see the same bad security habits we’ve always seen. Now, they involve PINs as well as passwords. Here are some bad habits you need to break.

The first bad habit has to do with keeping track of passwords and PINs (Personal Identification Numbers). We’ve discussed passwords ad nauseam, and the problems we find with them are they’re either forgotten, left in places where anyone can see them, used repeatedly, or made so simple that they’re easy to crack.

If you habitually run across any of these problems, you need to seriously think about how you can make your password system stronger. Some of the suggestions we’ve offered include making your passwords long and using a system that lets you vary one or two keystrokes or a word or phrase to keep them different. The system helps you remember your passwords – or at least the ones you use the most or ones you need while away from your computer. In creating your passwords, you’re better off using a longer password instead of a shorter complex one. Longer passwords make it more difficult for hacking software to figure it out.

A related issue is those security questions. Don’t give real answers that involve information in public records. Somebody can easily see where you’ve lived, where you went to school, etc. They can probably find out what your first car was.

PINs are meant to solve most of the issues, but they can run into that “forgetful” problem, too. An additional problem with PINs is that when you change devices, you need to reset the PIN. Again, that can be a real problem if you don’t remember the PIN you used.

Some people use their browser or a feature on their phones to save passwords. The danger there is that those passwords can be easily stolen, especially if you happen to visit a “phishing website,” one that has the look and feel of a legitimate website. When we feel rushed or stressed about things going on in life, we’re more susceptible to clicking one of those links or making a typing mistake. The owners of “phishing websites” typically have website domains related to common typing mistakes – although some companies have those sites, too, to make sure you can reach them. The old habit to break here is to take a deep breath when you’re online to make sure click on a legitimate link or type a domain name correctly.

Rather than use a browser or phone password saver, we recommend you a password manager. Dashlane and Last Pass are two that are well known, but using any manager gives you stronger protection. You’ll need to set aside time to get your password manager properly configured and to enter all the passwords you want to protect. The process includes setting up a master password that gives you access to the electronic vault where all your passwords are stored. The key to success is never, ever forgetting that password or giving it to anyone except one or two trusted people.

Credit card numbers can be hacked, too. A couple of our clients had their numbers stolen, and although they changed passwords, they still wondered what else might be broken in their system.

We can help you with security breaches. We take the time to look closely at your system to see how each change you might make – changing passwords or adding a password manager – will affect you. Our analogy here is to the new kitchen that we’re getting. As we change the room and add things like electrical outlets or lighting fixtures, we have to open holes in our walls and ceiling, and we don’t know what’s there until we get them open. It’s the same with your tech system. Without looking at everything, we can’t tell how one change will affect your system.

Call us – 973-433-6676 – or email us to discuss your needs and do the appropriate patching, including installing and configuring a password manager.