Unsecure Security Cameras

As more businesses and homes add security cameras to monitor their premises, hackers are enjoying the view, too. While camera manufacturers can and should secure the backdoors to their systems, there are also steps you can take to protect your property.

We’re seeing an uptick in security camera systems being hacked, and one recent incident involved one of our retail clients and a newly installed system. Surveillance makes a lot of sense for retailers, especially if a camera image can help identify thieves. However, surveillance can also tip off potential thieves about the location of targeted goods to steal and camera blind spots, and sometimes your security system manufacturer leaves a back door open for Peeping Toms.

We discovered this possibility while working with a retail client. Both of us were surprised when a new system was hacked, and we had to pull a lot of information from our client when we responded to a call that the cameras weren’t working. We checked the system and found that not only had they lost their network, they also had some weird, out-of-character names for firmware and software upgrades.

We restored the network and the camera system, but it went out again the next day. We asked about changing camera-system names, and decided to call the manufacturer. In our conversations, we learned that the manufacturer had left a back door open, so they could work on various systems. From them, we learned how to close the back door so that our client’s system would be secure.

As disturbing as our experience was, it just reinforced our message to everyone with an IoT system, such as security cameras, to take these important steps:

  1. Change the default usernames and passwords that manufacturers supply with the equipment.
  2. Make sure you install all software and firmware updates for your IoT systems and your firewall.
  3. After you install any new or updated software or firmware, go back and check that there are no changes to any unique information you may have added.
  4. Recheck that information periodically to make sure nothing has changed.

If you see something that doesn’t look right, report it to us right away. Hacking is only going to become more problematic in 2018, and it only takes one intrusion point to open your entire system to cyberthieves. It can be devastating for you if it’s your home system, but it can be much more devastating if it affects any client or customer information you’ve collected. Reach us by phone – 973-433-6676 – or email to close your back doors, side doors and trap doors.

Managing Assistants

Alexa, Google Home, Siri and Cortana are online assistants who can help you get information and even order products without you ever having to tap a screen or look at one. They are a convenience, but they also raise privacy and security issues.

Siri (Apple) and Cortana (Microsoft) are associated with devices, such as phones, tablets and computers. In that type of user environment, you need to activate them with the device in your hand or on your desk, and they’re typically used for getting information, such as the weather, restaurant info or the answer to which person played for both the New York Rangers and Brooklyn Dodgers.

Alexa and Google Home may present other issues. In addition to answering questions, Alexa is tied to Amazon and its online shopping capabilities. We hear that Google Home may tie in with Walmart. With shopping available, you have another layer of concern. Somewhere, they have access to your credit-card information, and it may be possible for any voice to make a purchase.

We’ll be going to CES, the huge annual trade show for consumer electronics, in Las Vegas this month, and we plan to talk to all the manufacturers about their security and privacy protection measures. Until we have more information, here are some things you should know and can do to minimize your risk of a privacy breach or unwanted purchase – especially with Alexa, whom I call Alex when I don’t want to wake her.

Alexa and her fellow assistants remain asleep until they hear their “wake” word, but their microphones are always on. Being on is how they stay ready for your commands, but they should not be active until you wake them. So, here are some ways to help protect yourself from someone turning them on without your knowledge:

  • Change your “wake” word. Like most things in the IoT world, these assistants come with a default “wake” word. Go into the setup menu on the app, which you can get for your cell phone, and change it.
  • Use the mute button. Yes, it’s a pain to physically walk over to Alexa and push a button (some of you will cringe at memories of getting up to change a television channel), but it is effective – and easier than trying to run through 80-something over-the-air TV channels.
  • Use a PIN to make purchases or disable the function to make purchases by voice commands. Again, it’s an inconvenience, but we’ve discussed the tradeoff between security and convenience many times before.
  • Keep them away from windows so that any activity outside doesn’t activate them.
  • Use your app to see what’s been recorded through your assistant and delete any or all of those recordings. You can also use your app to configure and toggle sound notifications, even for multiple units in one home (or office).

You can also follow the IoT cybersecurity steps we’ve published over the past year or so:

  • Change default usernames and passwords immediately. Make your new passwords strong and unique.
  • Install upgrades and updates from your IoT manufacturers. They usually contain security patches and bug fixes.
  • Make sure your Wi-Fi systems and firewalls are secure. That’s your first line of defense. Install upgrades and updates for your gateways and anti-virus and anti-malware apps.
  • Only use secure Wi-Fi networks.

We can audit your Wi-Fi security and help you fine tune the settings for your virtual assistant. Just call us – 973-433-6676 – or email us for an appointment, and follow us on Twitter and Facebook for reports from CES.

‘Free’ Streaming

Not all streaming is meant to be shared – or at least not shared with dozens of strangers around the world. Cable companies and content providers are concerned about lost fees as access credentials to programming are increasingly abused. They’re cracking down on piracy.

Stealing service has been a problem since the first electrical wires and meters were installed more than 100 years ago. For cable and content providers, it became an issue when the first cable wires were strung up. The problem has grown as technology has developed more content and more ways to get it. Putting aside the issue of whether it’s all overpriced, it costs money to develop and deliver the content we love to watch, and too much of it is “falling off the back of an electronic truck.”

We can watch content for free on our TVs when they receive broadcast signals. But for the most part, the only people who watch broadcast TV are those who have cut the cord and stream through their TVs on their internal Wi-Fi or wired networks. For them, a TV is a device, just like a tablet, wireless phone or computer.

Cable providers have relationships with content providers that enable subscribers to stream cable-delivered content or simply stream it from the content providers. You get a username and password, and you’re good to go. You can even share your account with others, and almost all of us have done it at one time or another, especially with Netflix or Amazon Prime. Some providers encourage it.

Unfortunately, some people have taken sharing too far. The content industry has been OK with sharing info with a few friends or family members, but the problems arise when those friends and family members start sharing access with their friends and family. It’s all gone viral, and it hasn’t gone unnoticed.

Every provider who issues usernames and passwords also has the means to track who is accessing content and where they’re watching it. They expect that subscribers will stream their programming when they’re traveling, and they can usually verify access privileges are being properly used. Most vacations are a week or two, and even if you move around a bit, you’re generally not in locations a world apart within the space of two days – or on the same day.
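The location check described above can be sketched as follows. This is an added example, not code from any provider; the 900 km/h speed limit, the 100 km floor, the field names and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0     # assumed: IP geolocation is too coarse below this


@dataclass(frozen=True)
class Stream:
    account: str
    when: datetime
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return (earlier, later, km, kmh) for consecutive streams on one account
    that are too far apart to be the same traveller."""
    flagged = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.account)
        last_seen[ev.account] = ev
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        if km < min_km:
            continue  # same metro area: not a location change worth scoring
        hours = (ev.when - prev.when).total_seconds() / 3600
        kmh = float("inf") if hours == 0 else km / hours
        if kmh > max_kmh:
            flagged.append((prev, ev, round(km), kmh))
    return flagged


# Constructed sample data: one account on a week's vacation, then a stream
# from the other side of the world three hours later; a second account that
# only moves across the river.
SAMPLE_EVENTS = [
    Stream("acct-1", datetime(2018, 1, 5, 20, 0), "Newark", 40.7357, -74.1724),
    Stream("acct-1", datetime(2018, 1, 12, 21, 0), "Orlando", 28.5384, -81.3789),
    Stream("acct-1", datetime(2018, 1, 13, 0, 0), "Manila", 14.5995, 120.9842),
    Stream("acct-2", datetime(2018, 1, 5, 19, 0), "Newark", 40.7357, -74.1724),
    Stream("acct-2", datetime(2018, 1, 5, 22, 0), "New York", 40.7128, -74.0060),
]

if __name__ == "__main__":
    for earlier, later, km, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"{later.account}: {earlier.city} -> {later.city}, "
              f"{km} km at {kmh:.0f} km/h")
```

A hit is a prompt for review rather than proof of abuse: a parent at home and a student away at college streaming on the same evening produce the same signal.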

The industry can track possible abuse, and there are steps they can take – if they haven’t done so already – to limit access without alienating honest, rule-abiding subscribers. They can require all subscribers to re-enter or change passwords more frequently. It’s a risk for them because some subscribers may find this an inconvenience and drop their service. However, it’s one way to shut off access to a large number of pirates in one fell swoop.

They can also limit the number of shares they’ll allow. Netflix, for example, allows up to four shares for its most expensive plan, and providers such as HBO and DirecTV allow limited sharing. ESPN may have limits on how many streams are allowed, but that could be independent of limits placed by cable or satellite carriers.

The industry can threaten to cut off subscribers – or actually cut their cords – but that gets into all sorts of sticky legal and customer-service issues. For example, do you take action against the parents who gave their college-age kids access? Do you go after their kids? Do you go after the users of devices they believe are “invalid users?”

This problem will become more prominent on the industry’s radar screen because a lot of money is at stake. Content producers need to be paid for their product, and that payment depends on how many subscribers watch it. Cable and satellite companies pay fees to producers and collect fees from advertisers and subscribers based on the number of valid users. Nobody wants money taken off the table because of a discrepancy between subscribers and viewers.

Finally, all this sharing raises a nagging question in the back of our mind: If someone has access to an account that you pay for, how can they use this access for their own gain at your expense? Call us – 973-433-6676 – or email us for help in tightening up your access controls.

Are You Printing Invitations to Your System?

Printers have been fingered as the weak link in many business and home networks. Most small businesses and home users tend to run their printers into the ground, and the longer they hang around without the latest firmware updates, the more vulnerable they are to a cyber-attack.

You can stop printing invitations to intruders – even with your current, old printer. Let’s start with the firmware. Simply go to your printer manufacturer’s support website and you can see all the firmware and driver updates available for download and installation.

Whether your printer is on a home network or small business network, make sure your firewall software is up to date and that you have a strong, secure network password for each printer. It’s too easy, especially in an office, to use a simple password that everyone can remember and hackers can figure out. And too many people, especially in an office, keep their passwords stuck to monitors, where anyone walking by can see them. Your employees and/or family members just need to bite the bullet and remember a strong password – and keep that knowledge to themselves. It’s also worth noting that sometimes the printers don’t even have those default passwords; they have none at all.

You can further restrict access to your printers by properly managing your printer settings and ports. Just as we’ve seen with everything related to the IoT, printers can be shipped with default settings controlling printers and default port assignments. Any third-rate hacker can figure them out. You can and should change them immediately when you set the printers up to work on your networks.

Some manufacturers are recognizing the role they can play in protecting your printers. HP recently introduced its Connection Inspector for enterprise systems, and we can only hope the company and other manufacturers start incorporating similar tools for small businesses and homes.

The new tool is designed primarily to combat malware intrusions through printers by looking at unusual behavior on network traffic going to a printer. It learns what “normal” traffic looks like, and when it detects malicious activity, it can immediately go into a protected mode, stopping any further unfamiliar or unusual requests and sending a warning to IT administrators. It can even trigger a reboot of the printer.

We’ll keep an eye on developments in printer security to let you know when tools like Connection Inspector become available for you. There should be an incentive to develop them because more and more professional services corporations and families, especially those with school-age children, rely on remote and/or wireless access to printers to create hard copies of information in a corporate database or a collaborative research project.

In the meantime, we can help you tighten your printer security by looking at your machine’s settings and ports and checking your network’s security, too. We can also help you with the installation of firmware and driver updates. Call us – 973-433-6676 – or email us for an appointment. It’s time to make sure you’re printing documents, not invitations to enter the inner sanctum of your system.

Here’s Lookin’ at Your Password

Passwords are just as painful for companies that require them as they are for you. And, they’re expensive as well as subject to theft. What are we looking at in the near future? The eyes have it.

Microsoft and Apple are moving ahead with facial recognition to replace passwords. The technology is getting better and better, and, let’s face it, once their systems can recognize you and match you up with other records, you won’t have to remember some arcane, complex password – which you could mistype…

Going “password-less” would create a huge economic benefit for the business world. At our recent Microsoft IT conference in Orlando, the company said lost passwords are their biggest IT cost. In the month of July, they spent $686,000 in IT-related costs for restoring forgotten passwords. Annually, the cost is roughly $12 million.

The way systems work, it’s always to your benefit to say you’ve forgotten your password if you risk being locked out of a website or application, such as your Office 365 account or a bank account. While their security needs dictate making a password reset more difficult, the complexities raise costs.

Also, in today’s world, all of these systems and interactions can be hacked, and dark-web operatives can change your letters, numbers and special characters once they’ve cracked your code. Your face is another matter. And while someone at some point in the future will figure out a way to defeat facial recognition, I believe this gets us ahead of the curve – for now.

Microsoft has facial recognition tools available for computers that have Windows 10 with Hello installed, and Apple has it for iPhones and iPads. While you can use them now for their own websites and online apps, it will take some time for the rest of the online world to get there. Your bank or credit card company, for example, will need to develop tools that work with all platforms and operating systems, and they will need to make sure online performance doesn’t suffer.

One online security app that some banks encourage their customers to use is Trusteer. While it can be effective as a form of two-factor verification, it can slow down a user’s computer. We’ve had numerous incidents of clients calling us about slow computers, and Trusteer has been the problem. Once it’s uninstalled, performance levels return to what they should be.

There are other two-factor authentication methods you can use, but you’ll be up against that issue of whether you want more convenience or more security.

If you have any questions about facial recognition tools or two-factor authentication, call us – 973-433-6676 – or email us. New technologies can be scary, mostly because you can worry about making a mistake somewhere that can lock you out of the info and apps you need for work and life. We can help you navigate the brave new world with confidence.

Shooting Yourself in Your IT Foot

We got a call recently from an MIA client who was trying to save money by relying on their “resident IT expert.” They could have shot themselves in the foot, but somehow, a few dance steps worked in their favor. They dodged this bullet, but not everyone is that lucky.

Our client is a multi-generational company, and one of its long-time employees served as their “resident IT expert.” A couple of members of the younger generation called us in because something didn’t seem to be right with their system. They thought their system was beyond repair for all intents and purposes. What concerned us most were two answers that we got for most of our questions:

  1. “I don’t know.”
  2. “We don’t have that information.”

When we logged into their system, we looked at their router and firewall and started to look at their setup. This time, we got some answers.

“Do you have another office?”

“Yes.”

“Does it connect to your system here?”

“Yes.”

The connection was made through a desktop computer that was sitting in a corner of the office – a computer that nobody ever touched. It was wide open; they allowed remote access to the desktop, and there was no protection against any kind of intruder. The hacker was able to get in and hijack their software by encrypting it.

We made phone calls to all of their application software vendors to learn how everything interacted, and we learned that they used Carbonite to back up their data. Trying to recover it was useless because all the data was corrupted, but we were able to get in. What we saw was eye-opening.

It turned out that they were hosting one small application that opened the door. Then we saw that nothing had been backed up for the entire year – and the ports were wide open. They also had an antiquated email system that was hijacked. Their in-house person never foresaw any issues with their setup and didn’t know the consequences of any settings that were tweaked or ignored.

We recommended they contact the hacker and see what it would cost to ransom their data, but they preferred to re-enter all of their data for the year. They had hard copies.

Before they began their recovery, we installed a new server and firewall, and while working with one of their software companies, we learned they had a copy of the data up to Aug. 1. Before they began any work, we set up a new email system and new log-in credentials.

It looked like they had dodged a hail of bullets, but within a day, their in-house person was already compromising their system by installing a bunch of utilities and other software. We put a stop to that, and that halted their system leaks and plugged their gaps. However, the whole process of investigating their processes and systems and buying and installing their new systems cost them almost $7,000 – plus their internal cost to re-enter what now amounted to one month’s worth of data. You could also add in a cost factor for aggravation.

In today’s age of a hacker-happy internet, you need a security audit to make sure your vulnerabilities are shored up. Call us – 973-433-6676 – or email us to set up your security audit. It will take an hour or two and cost less than $200. Hackers are highly sophisticated. How much could a breach of your system cost you? Don’t be penny wise and pound foolish.

Google Drive Drives into the Sunset

Here we go – again. Another staple of our applications is being replaced. This time, it’s Google Drive, which Google will stop supporting as of this coming Dec. 11 and will shut down next March 12. Taking its place: Backup and Sync, which will be more powerful.

Backup and Sync replaces both the company’s Drive and Photos desktop apps for Windows PCs and Macs. It allows you to store any photos, videos and documents in the same format on Google’s cloud for safekeeping from crashes and unfortunate accidents. You can use the app to back up the contents of your entire computer – or just selected folders.

Once you download the app and launch it, sign into your Google account and select which folders you’d like to continuously back up to Google Drive. For photos, you have two options: High Quality or Original Quality. High Quality will compress photos larger than 16 megapixels and videos with a resolution higher than 1080p, but these compressed files will not count against your data cap.

Oh, yes, there is a data cap. Are you surprised? The new and improved Google Drive gives you 15GB of file storage for free. Then, the rates go up to $19.99 a year for 100GB or $100 a year for 1TB. That’s not excessive. You get additional flexibility by being able to download files to work offline, and you can download the app for your mobile device, too. Plans for even greater storage capacity are available.

The new app is available now from the Google Drive or Google Photos page. The only downside is that you can’t use Backup and Sync as a restore tool if your computer crashes. But we have options available for that.

We can also help you set up Backup and Sync so it works as you want and coordinate how it works on your computer and mobile device. Storing your data files and photos and videos offsite is the way to go for safety and flexibility. Call us – 973-433-6676 – or email us to answer your questions or provide assistance.

Passwords Becoming Passé

I’m as tired as anyone else when it comes to remembering dozens of arcane passwords for all the websites I need to access. Current and future technology will be able to provide relief and stronger protection. Here’s the lowdown on locking down.

If we’ve learned anything at all from the monthly ransomware reports, electronic “locks” are pickable. We’ve also learned that time is money for hackers when it comes to planting ransomware and other viruses that can make life painful or costly or both.

Operating under the assumption that any electronic barrier can be hurdled in time, you want to lengthen the time of your defense as much as possible – and we’re talking decades. The longer and more complicated the password, the longer it will take for hacking software to crack your code. We all know that when you include uppercase and lowercase letters in combination with numbers and special characters, the time stretches out. Making sure it follows no special pattern – that it’s totally random – adds to the security.

Many theories abound as to how to create a complex, random password that’s easy to remember. One suggestion is to take a phrase or sentence that you can easily remember. Then, take the first or second letter in your phrase and turn some into uppercase letters, numbers or special characters in a random order.

I have one password I use for everything, and I am extremely confident its length and complexity will deter hackers. You may find fault that I have only one password, and that would be a valid criticism. If it’s cracked, someone could get into every internet account I have.

You can eliminate the need to remember multiple passwords by using a password manager program. Some are free and some have a nominal cost. Basically, you just need to remember a master password to get into the system. The password manager randomly generates new complex passwords when you visit each site. Yes, you can argue that somebody could crack the password manager’s system. It’s possible, but would you feel more comfortable with $1 million under your mattress or in a vault that’s a half-mile underground, encased in 20 feet of concrete and guarded by a randomly rotated army that’s always being retrained?

You can augment the password manager with two-factor authentication, something we’ve liked and used for years. In many cases, you need to answer a question, and it should be something only you know. Other measures might include answers to randomly generated multiple choice questions based on publicly available information that can be verified as “right” or “wrong.” No “maybes” allowed.

In the future, passwords will give way to biometrics. The software is there; the hardware needs to catch up. Windows 10’s Hello can handle the biometrics, but most computers don’t have the 3-D cameras needed to use the feature. Some Microsoft Surface tablets have the cameras, and if you are in the right place, it works really well.

Regardless of what technology you use, don’t let your guard down. Don’t buy things or do your banking over a public Wi-Fi network. Use a trusted, secure network or a cellular data network. Make sure the networks you control are secure with up-to-date firewalls and anti-virus and anti-malware software. Make sure all operating systems and firmware are current with all bug fixes and security patches.

Remember that we can help you with all of your internet password and security needs, including choosing and setting up a password manager, setting up two-factor authentication and answering your questions about biometrics systems. Call us – 973-433-6676 – or email us to set up an appointment.

Pulling the Plug at BA

An IT contractor for British Airways accidentally pulled the wrong plug as travelers queued up for a holiday weekend. That pulled the plug on travel plans for some 75,000 passengers and cost the airline a reported $128 million. It makes you wonder: Who else is vulnerable to an “oops”? Probably everybody, but we can all reduce our risk exposure with good backup systems.

The contractor’s mistake occurred at BA’s data center, and it caused the airline to cancel flights at London’s two airports, Heathrow and Gatwick. Besides the millions BA will pay for their customers’ inconvenience, there will be an investigation that will draw on company resources. It affected operations throughout the BA empire.

The incident raises two questions:

  1. Why wasn’t that cord clearly marked in some way, shape or form to give anyone a clue that it absolutely had to stay plugged in?
  2. Why wasn’t some sort of backup system available?

To me, the second question gets to some very fundamental issues about how major companies operate in today’s world. One of them is cost-cutting. News reports indicate that BA’s management was under pressure to cut costs and boost profit margins in a highly competitive industry. Well, we’re all in highly competitive situations, and we all want to raise our profit margins because we can’t raise prices – at least not without significant pushback.

But at some point, the large corporations that provide so many services for small businesses and consumers, like us, need to step up their game. They should be taking the steps our clients and customers would demand of us to make sure we serve them as expected. If one of the package delivery services, such as UPS or FedEx – or even the Post Office – has an IT failure that causes one of our deliveries to miss a deadline, the consequences for us will be much greater proportionately than for the big corporation.

Mechanical problems at a specific location can happen, but a data center problem should never happen because there are so many ways to add backups. Here are a few examples of what they can do:

  • Have a battery-powered back-up system in place so that everything in the system can be saved.
  • Have a back-up location that can be immediately and automatically activated so that critical operations continue.
  • Make time to make sure everyone is trained and retrained for all tasks they need to do on the system.
  • Keep your hardware and software up-to-date to make sure you have all performance and security measures installed. One of the things we’ve seen in many IT-related catastrophes, such as WannaCry ransomware, is that large businesses simply don’t bother to invest in technology in order to cut costs. They wind up paying more when something happens.

Let’s take this one step farther. You can be exposed to many of the same risks and can benefit from the same preventive measures in your office and at home. You can buy battery back-up systems and plug in your servers, routers and computers to give you time to save your data. You can use remote storage – the cloud – to save data and apps. You can make sure everyone knows what to do and not do with your system. You can automatically update your systems – especially your operating system and app software – to keep them secure.

Call us – 973-433-6676 – or email us if you have any questions about keeping your home and office systems running in the face of any incidents – manmade or natural. We can also audit your system and give you a plan to stay plugged in.

Home Router Vulnerability

Your home router is easily your most essential device for connecting businesses and family members to the world. It’s also the most vulnerable opening for hackers. How vulnerable is your router? One good place to look is Port 7547. If it’s closed on your router, it’s safe – for now. If it’s open, you’re vulnerable.

You can test your router by visiting a blog post from Wordfence, which makes a firewall and malware scanner that protects over 2 million WordPress websites. They also monitor attacks on those sites to determine which IPs are attacking them and block them in real time through a blacklist. They recently published a post showing that 6.7 percent of the hacks they see on WordPress sites come from hacked home routers. Hacking a router gives attackers access to workstations, mobile devices, Wi-Fi cameras, Wi-Fi climate control and any other devices that use the home Wi-Fi network. From there, they can implant malware or viruses in your system, which can lead to all sorts of problems.

Hacking through an open Port 7547 is known as the “misfortune cookie,” or MC. ISPs (internet service providers) use the port to manage home routers, and they should configure their network to prevent access by outsiders. But many do not block the port, leaving you vulnerable. By clicking the Scan Me button on the post, you can find out if it’s open or closed.

If it’s closed, you’re OK for now. You should check back periodically, however, because your ISP could open it for some reason and then forget to re-block it. If it’s open, Wordfence suggests you immediately reboot your router, which may flush out malware. You can also run a virus scan on all computers and devices in your home and update your operating systems. Almost anyone can take these steps.
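For the periodic recheck, the same open-or-closed test can be scripted. This is an added example, not Wordfence's scanner; the function names, the three-second timeout and the "filtered" category are assumptions. It only reflects what outsiders see when it is run from a connection outside your home network against your own router's public address.

```python
import socket
import sys

MGMT_PORT = 7547  # the port the article says ISPs use to manage home routers

# Follow-up steps taken from the article; the "filtered" wording is an
# assumption for the case where nothing answers at all.
ADVICE = {
    "open": ("Reboot the router, run a virus scan on every device, update "
             "your operating systems, and ask your ISP to block port 7547."),
    "closed": "OK for now. Recheck periodically in case the ISP reopens it.",
    "filtered": ("No reply before the timeout, so something is dropping the "
                 "traffic. Recheck periodically."),
}


def probe_tcp(host, port=MGMT_PORT, timeout=3.0):
    """Classify one TCP port with a plain connect().

    'open'     - the handshake completed, so a service is listening
    'closed'   - the host answered with a reset (connection refused)
    'filtered' - timeout or unreachable; a firewall is likely in the way
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # Covers timeouts as well as host/network-unreachable errors.
        return "filtered"


def check_router(host, port=MGMT_PORT, timeout=3.0):
    """Return (state, advice) for the router's management port."""
    state = probe_tcp(host, port, timeout)
    return state, ADVICE[state]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check7547.py <your-router-public-address>")
    state, advice = check_router(sys.argv[1])
    print(f"Port {MGMT_PORT} on {sys.argv[1]}: {state}")
    print(advice)
```

Running it from inside the house against the router's LAN address tests a different interface and can report a different result from the one the Scan Me button gives.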

You may be able to take the more advanced step of upgrading your router firmware, but in most cases, you can’t. In all cases, you can contact your ISP and let them know there’s a security vulnerability in your home router and ask them to help you fix it. You can specifically mention Port 7547.

If you are unable to take all the steps mentioned above, call us immediately at 973-433-6676. We can help you reboot your router and may be able to help you close the port or upgrade the firmware. Just have your router name and model number handy to help us serve you better. If necessary, we can coach you in dealing with your ISP to resolve this important security issue.

If you want to take preventive action on Port 7547 vulnerabilities, call us – 973-433-6676 – or email us to schedule an appointment. Remember, you are your router’s first line of defense.