Security and Relationships

May 23 started out like a quiet day, but one phone call created a two-day scramble to quell a crisis. The solution included working around an unresponsive bank, rapidly deploying technology tools, and cashing in the benefits of good working relationships. It was the stuff of a thriller novel.

It had been a couple of very tough weeks. Your special agent/tech guy (me) was at the carwash when the cell phone rang. A client reported $140,000 was missing. It had been wired out of an account that day, and they couldn’t get anyone from their bank to respond to their phone calls.

“Hmm,” the special agent/tech guy thought, “$140,000 can cover the detailing work for several fleets of Corvettes,” but reality took hold. He couldn’t wait for them to clean his car’s interior. He jumped behind the wheel and headed for his client’s office.

With $140,000 missing and nobody at the bank picking up the phone, we found the police already involved in the case. We quickly realized there would be no telephone solution to the problem, and it took us until the early evening to solve it. The good news is that we were able to reverse the wire transfer all on our own after trying for hours to get phone support.

Here are the facts – just the facts, ma’am.

Obviously, our client’s system was hacked. It was a complicated case because it involved the email of an employee in the finance department who had just left the company. That’s one reason why the police were involved. There was no criminal activity, but there was a lot of sloppiness.

The hackers got into the former employee’s email account and saw that one password opened up a lot of doors in the company’s financial system. They reset the account’s password, created a new account that they could use to “approve” new transactions, and used it for the $140,000 wire transfer.

However, they made one mistake: They forgot to turn off forwarding in the account they hacked, and that’s how they were discovered. Our client had done the right thing by having the ex-employee’s email forwarded, and they created a special rule so that all the emails went into a separate folder. Several people monitored that folder periodically, and as soon as one of them saw the emails, the alarm went off. In most cases, this kind of wire fraud isn’t discovered for days, and the money is lost.
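The same chain (activity on a departed employee's account, a brand-new approver, then a wire) can also be flagged from audit logs. This is an added example, not part of the original article or the client's system; the event format, account names, wire IDs and dates are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical names and event format).
# Accounts whose owners have left, mapped to their departure date.
OFFBOARDED = {"jdoe@example.com": datetime(2024, 5, 10)}

EVENTS = [
    {"ts": "2024-05-23T09:02", "actor": "jdoe@example.com",
     "action": "password_reset", "target": "jdoe@example.com"},
    {"ts": "2024-05-23T09:10", "actor": "jdoe@example.com",
     "action": "create_user", "target": "approver2@example.com"},
    {"ts": "2024-05-23T09:11", "actor": "jdoe@example.com",
     "action": "grant_role", "target": "approver2@example.com",
     "role": "wire_approver"},
    {"ts": "2024-05-23T09:30", "actor": "jdoe@example.com",
     "action": "wire_request", "target": "W-1001"},
    {"ts": "2024-05-23T09:34", "actor": "approver2@example.com",
     "action": "wire_approve", "target": "W-1001"},
    {"ts": "2024-05-23T10:00", "actor": "cfo@example.com",
     "action": "wire_approve", "target": "W-0999"},
]

NEW_APPROVER_WINDOW = timedelta(hours=24)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def find_alerts(events, offboarded, window=NEW_APPROVER_WINDOW):
    """Return (rule, timestamp, account, detail) tuples for suspicious events."""
    alerts = []
    role_granted = {}  # approver account -> (time granted, who granted it)
    requested_by = {}  # wire id -> account that requested it
    for ev in sorted(events, key=lambda e: parse(e["ts"])):
        ts, actor = parse(ev["ts"]), ev["actor"]
        action, target = ev["action"], ev["target"]
        # Rule 1: any activity on an account after its owner has left.
        if actor in offboarded and ts > offboarded[actor]:
            alerts.append(("OFFBOARDED_ACCOUNT_ACTIVE", ev["ts"], actor, action))
        if action == "grant_role" and ev.get("role") == "wire_approver":
            role_granted[target] = (ts, actor)
        elif action == "wire_request":
            requested_by[target] = actor
        elif action == "wire_approve" and actor in role_granted:
            granted_at, granter = role_granted[actor]
            # Rule 2: approval rights that are only hours old.
            if ts - granted_at <= window:
                alerts.append(("NEW_APPROVER_USED", ev["ts"], actor, target))
            # Rule 3: the wire's requester set up its own approver.
            if requested_by.get(target) == granter:
                alerts.append(("REQUESTER_MADE_OWN_APPROVER", ev["ts"], actor, target))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(EVENTS, OFFBOARDED):
        print(*alert)
```

Rule 3 is a segregation-of-duties check: it fires even when the requesting account belongs to a current employee.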

Our client was able to freeze their account immediately online, but they still had outstanding checks on that account. That matter also needed immediate attention.

So, the special agent/tech guy took advantage of a good relationship with another bank, which is also a client, first thing the next morning. He jumped in his car. The interior was still dirty. He drove to the bank, where he was able to help his other client open a new account and get checks they could print immediately to replace those outstanding in the frozen account.

But his work wasn’t done. The victimized client had resisted instituting multifactor authentication for all financial transactions. So, the rest of the day was spent instituting a two-factor authentication system and training everyone in its use.

We like to think the goodwill we’d built up with both clients helped one client get out of a hole and another gain a new customer. But it all could have been prevented with better passwords and an authentication system. Don’t wait for a disaster to strike. Call us – 973-433-6676 – or email us to discuss your online security and the steps we can take to improve it.

The 2FA Police

Microsoft is enforcing requirements for 2FA (two-factor authentication) for many of its apps. The good news is that it protects your data better. The bad news is that you must use authenticator codes and messages. It’s time to ensure everyone in your office (or family for home users) is up to speed on using authenticators and other 2FA measures.

Microsoft’s Authenticator App gets downloaded onto your iPhone or Android phone and helps to verify it’s you when you log in to an online account using two-step or two-factor verification. It uses a second step, such as a code sent to your phone, to make it harder for others to break into your account. Two-step verification helps you use your accounts more securely because passwords can be forgotten, stolen, or compromised.

One common way to use the Authenticator app is through 2FA, where one of the factors is your password. After you sign in using your username and password, you can either approve a notification or enter a provided verification code. Options include:

  • Signing in by phone with a version of two-factor verification that lets you sign in without requiring a password. It uses your username and your mobile device with your fingerprint, face, or PIN.
  • Using a code generator for any other accounts that support authenticator apps.
  • Using it with any account that uses 2FA and supports the time-based one-time password (TOTP) standards.

Any organization can require using the Authenticator app to sign in and access its data and documents. Even if your username appears in the app, the account isn’t set up as a verification method until you complete the registration. The entire process can be done more efficiently with a mobile phone that can scan a QR code on a computer screen.

Remember that most authenticator apps still require a password in commercial use, and every user must know their password or risk being locked out. The consequences can be time-consuming and costly – if not fatal. Everyone should write their passwords on a piece of paper and store them in a safe place.

We had a case with a client who used a customized database that was never upgraded for 20 years. A former IT company did the last work on it. Nobody had the password to get into the account housing the database. They suggested calling the programmer, but the programmer had died. Nobody admitted to changing the password at any time. We spent a few hours trying to access the database to no avail. Finally, we called the former IT company, and they had a password for one file.

That was the password that worked, and we were able to perform the necessary work. But we can’t stop thinking about all the time – and money – that was wasted because nobody had a password.

In today’s world of hacking and cybercrime, it will become more and more challenging to try multiple passwords without severe consequences. It’s up to you to ensure that you and key employees have all your necessary passwords and 2FA to protect your data – and to insist that your employees have 2FA set up for their corporate login info.

We can help you ensure you have all the correct authentication and management systems. Call us – 973-433-6676 – or email us to discuss your needs and develop an action plan.

Old Security Habits Never Die; They Should

We still seem to see the same bad security habits we’ve always seen. Now, they involve PINs as well as passwords. Here are some bad habits you need to break.

The first bad habit has to do with keeping track of passwords and PINs (Personal Identification Numbers). We’ve discussed passwords ad nauseam, and the problems we find with them are that they’re either forgotten, left in places where anyone can see them, used repeatedly, or made so simple that they’re easy to crack.

If you habitually run across any of these problems, you need to seriously think about how you can make your password system stronger. Some of the suggestions we’ve offered include making your passwords long and using a system that lets you vary one or two keystrokes or a word or phrase to keep them different. The system helps you remember your passwords – or at least the ones you use the most or ones you need while away from your computer. In creating your passwords, you’re better off using a longer password instead of a shorter complex one. Longer passwords make it more difficult for hacking software to figure them out.

A related issue is those security questions. Don’t give real answers that involve information in public records. Somebody can easily see where you’ve lived, where you went to school, etc. They can probably find out what your first car was.

PINs are meant to solve most of the issues, but they can run into that “forgetful” problem, too. An additional problem with PINs is that when you change devices, you need to reset the PIN. Again, that can be a real problem if you don’t remember the PIN you used.

Some people use their browser or a feature on their phones to save passwords. The danger there is that those passwords can be easily stolen, especially if you happen to visit a “phishing website,” one that has the look and feel of a legitimate website. When we feel rushed or stressed about things going on in life, we’re more susceptible to clicking one of those links or making a typing mistake. The owners of “phishing websites” typically have website domains related to common typing mistakes – although some companies have those sites, too, to make sure you can reach them. The old habit to break here is to take a deep breath when you’re online to make sure you click on a legitimate link or type a domain name correctly.

Rather than use a browser or phone password saver, we recommend you use a password manager. Dashlane and LastPass are two that are well known, but using any manager gives you stronger protection. You’ll need to set aside time to get your password manager properly configured and to enter all the passwords you want to protect. The process includes setting up a master password that gives you access to the electronic vault where all your passwords are stored. The key to success is never, ever forgetting that password or giving it to anyone except one or two trusted people.

Credit card numbers can be hacked, too. A couple of our clients had their numbers stolen, and although they changed passwords, they still wondered what else might be broken in their system.

We can help you with security breaches. We take the time to look closely at your system to see how each change you might make – changing passwords or adding a password manager – will affect you. Our analogy here is to the new kitchen that we’re getting. As we change the room and add things like electrical outlets or lighting fixtures, we have to open holes in our walls and ceiling, and we don’t know what’s there until we get them open. It’s the same with your tech system. Without looking at everything, we can’t tell how one change will affect your system.

Call us – 973-433-6676 – or email us to discuss your needs and do the appropriate patching, including installing and configuring a password manager.

Holiday Security Alert

Scammers love chaos, and they are in heaven this holiday season. With shortages and high prices sending everyone scrambling for gifts while we dash to the end of the business year and try to make plans to see family and friends, scammers have an abundance of opportunities to find a weak spot in anyone’s online armor and penetrate for all you’re worth. Here are our steps to stop the scams.


Home is Where the Hack Is

Don’t think your home is too small to be a hacker’s target. The recent invasion of a young girl’s bedroom through a camera system has sparked a lawsuit and some hot discussion about who’s at fault. Ultimately, you need to make sure you cover all the bases, and the Department of Homeland Security offers some help in making sure you know where the bases are.

DHS rightly states what we think is obvious about the two common misconceptions home users share about the security of their networks:

  1. Their home network is too small to be at risk of a cyberattack.
  2. Their devices are “secure enough” right out of the box.

Besides those misconceptions, home networks – no matter how many smart devices or dumb devices they connect – have many moving parts. In addition to cameras and smart speakers, to name just two, our networks include routers, computers, mobile devices and TVs. So, even though you may think you have a strong username and/or password for every device, there’s a possibility you can miss one key setting – or there’s a possibility that someone using your network has the weak link in your security chain that provides outside access.

The DHS checklist, which we summarize below, is a good place to start. It reiterates a lot of actions we’ve told you to take over the years, and it’s a good refresher.

  • Update your software regularly. Besides adding new features and functionality, software updates often include critical patches and security fixes for newly discovered threats and vulnerabilities. (See Understanding Patches and Software Updates.)
  • Remove unnecessary services and software. They can create security holes in a device’s system that could lead to a larger attack surface of your network environment. This is especially true with pre-installed trial software and apps installed on new computers. Remove what you don’t use.
  • Adjust factory-default configurations on software and hardware. They’re intended to reduce the troubleshooting time for customer service. Harden them to reduce vulnerabilities.
  • Change default log-in passwords and usernames. Most network devices are pre-configured with default administrator passwords to simplify setup. They’re not secure. Change them.
  • Use strong and unique passwords. Choose strong passwords and don’t use the same password with multiple accounts. (See Choosing and Protecting Passwords for more information.)
  • Run up-to-date antivirus software. A reputable antivirus software app can automatically detect, quarantine, and remove various types of malware, such as viruses, worms, and ransomware.
  • Install a network firewall. It can block malicious traffic from your home network and alert you to potentially dangerous activity. When properly configured, it can also serve as a barrier for internal threats, preventing unwanted or malicious software from reaching out to the internet. We can help you configure them.
  • Install firewalls on network devices. In addition to a network firewall, consider installing a firewall on all computers connected to your network. We can help you configure them, too.
  • Regularly back up your data. Consider using a third-party backup application, which can simplify and automate the process. Be sure to encrypt your backup to protect the confidentiality and integrity of your information. Data backups are crucial to minimize the impact if that data is lost, corrupted, infected or stolen.
  • Increase wireless security. Follow the steps below to increase the security of your wireless router or ask us for help.
    • Use the strongest encryption protocol available. DHS recommends using the Wi-Fi Protected Access 3 (WPA3) Personal Advanced Encryption Standard (AES) and Temporary Key Integrity Protocol (TKIP), which is currently the most secure router configuration available for home use.
    • Change the router’s default administrator password to deter an attack using default credentials.
    • Change the default service set identifier (SSID), the “network name” that identifies a wireless network. Make it unique and not tied to your identity or location.
    • Disable Wi-Fi Protected Setup (WPS). A design flaw in the WPS specification for PIN authentication significantly reduces the time required for a cyberattacker to brute force an entire PIN.
    • Reduce wireless signal strength to reduce your electronic footprint.
    • Turn the network off when not in use or automatically disable the Wi-Fi at specified times to prevent outside attackers from breaching your home network.
    • Disable Universal Plug and Play (UPnP) when not needed. Recent large-scale network attacks prove that malware within your network can use UPnP to bypass your router’s firewall to control your devices remotely and spread malware to other devices.
    • Upgrade firmware to enhance product performance, fix flaws, and address security vulnerabilities.
    • Disable remote router management to guard against unauthorized individuals accessing and changing your router’s configuration.
    • Monitor for unknown device connections to detect unauthorized devices joining or attempting to join your network. Also see the manufacturer’s website for tips on how to prevent unauthorized devices from connecting to your network.
  • Mitigate Email Threats. Phishing emails continue to be one of the most common and effective initial attacks. They prey on the human element – the weakest component in every network – by persuading a user to click on a link or open an attachment.

All the steps you can take are common sense, but they’re often overlooked in our hurry to get a new product or feature online. The hacker looks to exploit momentary carelessness. We can review your home or office network with a security assessment and help you implement any of the steps in this checklist. Call us – 973-433-6676 – or email us for an appointment.

Email in Disguise

The trend of getting voicemail messages through email is opening new doors for hackers to enter computer systems. Scammers are using email with spoofed addresses to hack into business operations, such as wiring money. Today’s office environment provides a perfect setup for a hacker: You hit people when they’re juggling multiple tasks, and you come across as a colleague or customer in an expected environment. We have two examples from our client experiences that show how easy it is for a problem to go undetected. And we have some tips to strengthen your security.

The problem with the voicemails happened while we were on vacation in Hawaii, which has a six-hour time difference with New Jersey. Our client reported getting emails about missed calls – which could have been generated by their voicemail/email system. It’s a growing trend to handle voicemails this way because phone and email run on the same networks, and sometimes it’s more effective for an employee to click a link and return the call while the message is on the screen.

And that’s how this problem showed up. Every time our client clicked on the link, nothing happened. When we got back from vacation, our first job was to install a new computer for the client. Everything went as planned, but then we got a call that the client only had 11 emails in the system. To make a long story short, it took all day to find all of the emails in a “recovery for deleted emails” folder and restore them – all 75,000 of them. The time was lengthened because we needed to sort them to cull the voice-mail files.

We changed the password immediately to cover the possibility the computer may have been hacked. After that was done, we got a call that our client couldn’t click to return numbers left in voicemails. I left a voicemail, and we were able to get a return call.

The likely issue is that someone from the outside spoofed a known and trusted phone number. The lesson here is that if it happens a second time, don’t click the link. While you may not know if you were hacked or fooled by some malware, you should know that something is wrong and needs attention. The earlier you let us know about it, the sooner we can work with you to mitigate the problem and minimize damage.

A second incident could have been catastrophic. Again, we awoke to find several urgent emails from a client that regularly wires large sums of money to entities worldwide. The incident occurred July 1, when they were preparing to wire nearly $100,000 to an entity. The entity to which they were wiring the money said they hadn’t received their wire in April. That raised alarms. We learned that the amount of money in both transfers was consistent, and the entity to which the money was to be wired could change names from time to time. Everything with the April and July transfers seemed to be within the realm of normal operations.

While we couldn’t get the April money back (the client had insurance to cover it), they were able to halt the July transfer. At the same time, we worked with them to develop new policies to help double-check money-wiring instructions and monitor the process better.

The key takeaway from these incidents is that you should always be on guard because hackers and cyberthieves are getting much, much better at disguising their identities. When it comes to VoIP and cellular voicemails, it becomes way too easy to click on a number to return a call. That click could direct you to a link that installs some kind of malware. You can write down the phone number and initiate a phone call – much in the same way you can open a browser and go to a website instead of clicking on a suspicious link. In a related matter, the Federal Communications Commission (FCC) is about to force telephone carriers to verify the phone number location of incoming calls. This should reduce – at least for now – phone number spoofing.

Also, be vigilant about looking for anything that looks like a change in your operations or the entities you deal with. Don’t hesitate to pick up the phone and call somebody to verify instructions.

We can help you fight fraud and mitigate security issues in a number of ways, including security assessments and developing and installing rules and policies for critical operations. Call us – 973-433-6676 – or email us for an appointment.

Who’s Your Office 365 Partner?

As an Office 365 administrative partner for almost all of our clients, we have extraordinary access to your systems – and a huge responsibility. You depend on our honesty and competency to keep your systems running and protect you from breaches. Some of our colleagues are not as good about this. Microsoft finally provided some tools to strengthen security.

We’re shocked it took Microsoft so long to do this, but they finally are requiring outside administrators, such as Sterling Rose, to keep two-factor authentication turned on at all times. We instituted this control years ago on all of our administrative accounts.

What brought the issue to a head? When Microsoft Office 365 went mainstream by making the subscription service available to individual users, families and small home-office businesses, it created a lot more accounts for us to service for our clients. It also created a password nightmare.

As administrators, we can go into accounts to see what’s needed to make sure you and anyone included in your subscription can do what’s needed. In most cases, we go in when called on to solve a problem. We are scrupulous about signing out properly, effectively shutting the door to your account on our end, and we have been scrupulous about two-factor authentication to protect access from our end.

In our opinion, the two-factor authentication covers the laziness or carelessness of some IT providers – and it also protects Microsoft from being responsible for any losses of data not connected to a Microsoft meltdown.

That puts the data-protection ball back in our court. We want to make sure you have your side of the court covered, and here are some things you can do. The big thing, of course, is to have all of your files backed up. Microsoft OneDrive does this, but we don’t recommend it to be your only storage location. Azure, another Microsoft product, has backup and restoration capabilities, and there are other providers.

On our side of the court, we have two-factor authentication and other tools that fall under the label of cyber resiliency. Through the Information Technology Laboratory of the US Department of Commerce, a three-level approach to cybersecurity is being developed and refined. The first level, of course, is to resist penetration by cybercriminals. It’s an approach that’s been around, but we’ve learned that no defense can be entirely impervious.

Thus, we have two additional layers. One layer seeks to limit lateral movement within a system once it’s been penetrated. The strategies include barriers to gaining permissions to move laterally within a system, a technique that hackers use to get to other systems. Defenses can include time limits to lock out an intruder or limit the amount of data that can be exported from a system under attack. Another defense is to provide misinformation. Another layer of security will allow a system to operate while under attack so that business won’t be disrupted.

This gets us back to why it’s so important that Microsoft hardened its defenses for Office 365. It provides one more defense against penetration. At the same time, it provides another reason for your IT providers to have access to your system.

We have access to some of the tools needed to limit lateral movement within a system, many of them customized to your needs. Call us – 973-433-6676 – or email us to set up an appointment to discuss your needs and implement a plan.