SSL Certificates for Websites

When it comes to the security of your business website, size does NOT matter. Your business most likely either houses some bit of information about clients or customers or has access to information. That makes you a target for hackers. It also makes you a target for a Google search engine flag to warn that your website may not be secure because your security certificate isn’t current.

Starting July 1, Google will require that websites have current SSL certificates. SSL (Secure Sockets Layer) is used to provide an extra layer of security for websites, and it’s added to each individual page on a site. You are most likely familiar with SSL as a computer user. When you go to a secure page for transacting business, you may have noticed that the secure page URL begins with https://address instead of http://address. You’ll also usually notice the image of a padlock.

Google is implementing the requirement for its Chrome browser, which is widely used worldwide. When someone uses the browser to visit a site without an updated SSL certificate, they’ll see the phrase “Not Secure” before your URL in the address bar. Most likely, they’ll leave the page immediately, and that will increase your site’s bounce rate and endanger your inbound leads. The increased bounce rate will hurt your overall Google ratings, and that will affect your Google page ratings on all browsers, such as Firefox, Edge and Safari.

You can see if your certificate is up to date simply by looking to see if your URL starts with https://. If not, it’s an easy problem to fix with the services of a website developer. They can help you purchase an SSL certificate through your website’s hosting company and then add the proper code to your pages. The certificate costs between $40 and $100 per year, and the coding can typically be added in two to four hours.
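
An https address shows that a certificate is installed; its expiry date is a separate thing to check. The following is an added example, not part of the original article, that reports how many days a site's certificate has left. The sample certificate fields, the 30-day warning window and the function names are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notAfter": "Jun 30 12:00:00 2018 GMT",
}


def fetch_certificate(host, port=443, timeout=5.0):
    """Open a TLS connection and return the validated peer certificate."""
    context = ssl.create_default_context()  # checks the chain and the host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """Whole days until the notAfter date; negative once it has passed."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def certificate_status(cert, now=None, warn_days=30):
    """Classify a certificate as 'expired', 'renew soon' or 'current'."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "renew soon"
    return "current"


def check_site(host):
    """Live check: needs network access to the site being tested."""
    try:
        cert = fetch_certificate(host)
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed or issued for a different host name.
        return f"invalid certificate: {exc.verify_message}"
    except OSError as exc:
        return f"connection failed: {exc}"
    return f"{certificate_status(cert)} ({days_until_expiry(cert)} days left)"


if __name__ == "__main__":
    june_first = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
    print(certificate_status(SAMPLE_CERT, now=june_first))
```

Call `check_site()` with your own domain name to run the same check against the live site.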

We are more than happy to refer you to one of our partners, Rachel Durkan at Paradigm Marketing and Design. You can email Rachel for specific information about getting your website in compliance. If you have any other questions or concerns about SSL certificates and website security, call us – 973-433-6676 – or email us to talk about them.

Advice from the FBI

If you’re a longtime client or reader of Technology Update, you can say the FBI has either listened to us or validated us with its recent call to restart your routers. Our national law enforcement agency says that routers can be vulnerable to hackers, and one of your best defenses is to restart them. There’s more you can do, but restarting a router is easy to do.

First, let’s look at the restart process, which clears out a lot of junk piles – junk piles that make great hiding places for the bad guys who want to use your network as the entrance to your entire computing world. Rebooting can also help your network’s performance, just like a reboot or restart helps your computer. All you need to do is:

  1. Unplug your router and modem – or combined gateway, which includes your router/modem and VOIP telephone – from the power source. If there is an adapter that plugs into your unit, you can usually do it right there. Do the same for any network switches you might have. If you have batteries for backup power in any equipment, make sure you pull them out.
  2. Wait at least 30 seconds. This is important to help junk clear out, and it signifies your system is offline. Waiting a minute wouldn’t hurt.
  3. Reconnect your system, starting with your modem if it’s a separate unit. If you have a gateway, connect that. If it doesn’t power on automatically, press the power button. Wait at least a minute to give your ISP time to authenticate your connection and assign a public IP address.
  4. Reconnect your router and wait two minutes. This gives your router time to boot back up and gives everything on your network time to get new private IP addresses assigned by the DHCP service in your router. If you removed the power from any switches or other network hardware, now is the time to power those back on. Just give them a minute or so, too. If you have several devices, be sure to power them on from the outside-in, based on your network map.

If you don’t understand anything in the fourth step, it’s a good idea to call us for help. We can follow the map and help you test everything on your network to make sure it’s all working properly. You can also reset your modem if you are concerned about security and/or performance, and that’s something we can help you with, too. Call us – 973-433-6676 – or email us with questions or to set up an appointment.

Reboot Your Thinking About Restarts

Restarting your Windows-based computer clears out a lot of electronic junk and improves performance. The only problem is that you may not be restarting – or rebooting – your computer when you think you are. We had one client go 73 days without performing an actual restart on a computer, which meant we needed a lot of time to clear out all the junk and reset the system.

One of the most common misconceptions we’ve found about restarting is that people think that simply turning on a computer after it’s been sleeping is a restart. To human logic, that makes good sense. To a modern computer, it’s all wrong. When you select the “sleep” option to close a session at your computer, you’re putting it into a state of hibernation. Your PC will seem like it’s completely off, but it saves a hibernation file to boot back to where you were before going to sleep.

When you tap your keyboard to wake up your computer, you’re using Microsoft’s “fast startup” feature to launch the hibernation file that essentially restores your system to where it was before going to sleep. The combination of sleep and fast startup gets you up and running faster to use your computer, and it also helps various software and hardware vendors update your system while it’s not in use. Whatever electronic junk your computer has been holding is still there.

Fast startup also helps your computer get up and running faster from a complete shutdown. In a sense, shutting down your computer puts it into a stage of hibernation if fast startup is enabled, so you’re not getting a complete restart, which is necessary for clearing out the electronic junk. In our experience, fast startup is the root of all evil in a lot of problems we’re finding that can be solved by a restart.

All of this leaves you with two options. The first is simple: restart your computer once a week. It’s sort of like flossing your teeth; it’s another thing to remember, and it’s time-consuming. But it will keep your system clean and maintain a higher level of performance. To restart, make sure you have saved all work files and application settings by properly closing out of everything. Then, just click the Windows icon at the bottom of your screen, click the power icon and click Restart.

The other option is to disable fast startup. You can do that by doing a search for Control Panel, and then clicking on Power Options. On the left side of your screen, click on “Choose what the power buttons do.” Then, uncheck “Turn on fast startup.” Doing that will give you a complete restart when you power up from a shutdown. It can also be helpful when working with a speedy solid-state drive (SSD).

Along with restarts from a shutdown, we’ve found that clients using a laptop as a second computer have another set of problems. When their computers are out of action for an extended period of time, the startup routine when they power on induces a search for all sorts of system and application updates. In the case of Windows updates, the computer looks at when the last update was installed and then initiates a sequence of consecutive updates. That’s necessary because unless Microsoft issues a Service Pack that consolidates several updates, the latest update is typically an addition to a previous update. If you missed three updates, for example, your computer goes back to the first of that sequence and goes through three update procedures.

That entire process can take up a lot of time, and we usually get a call in the middle of it all because it seems like the computer isn’t functioning properly. The easiest way to solve that problem is to turn on a computer once a week. It will look for updates as part of its boot-up, and the need to download and install only one Windows update or just a few recent updates for apps will get your second computer operational faster.

Just remember, though, if you’ve turned off the “fast startup” feature for a computer that’s been powered down, you’ll need to make sure you check for updates.

If you have any questions about restarts and power-ups, call us – 973-433-6676 – or email us. We can walk you through the process to set up the options that will be best for you or work with you remotely to set them up.

Fraud’s Warning Signs

Anyone who tries to defraud you online – or even on the telephone – is literally banking on your carelessness. Take a good look at emails and links and listen carefully on the phone. You can spot the fraud, and if you’re not sure, disengage and call the person you think contacted you – on the telephone – or send a new email, totally separate from the thread.

It’s important to be on “high alert” because the hackers and scammers are at the top of their game, and their targets include trusted advisors, such as accountants and tax preparers. We should state that these people should have secure systems in place and should know not to send or request sensitive, confidential information through email.

But at the end of the day, you need to take ownership of your privacy, so here are some tipoffs that a communication might not be secure or might be out-and-out fraudulent.

First, does your accountant normally contact you by email? If not, that ought to raise a red flag. Second, can you absolutely verify that the email is from your accountant? While some email systems are good at spotting something fishy (or phishy), a scammer is betting that you’re not going to pay attention. Check the properties of an email address. It could very well be that cybercriminals were able to recreate the look and feel of an email from your accountant, but unless they actually got into the accountant’s server, a phony email will have a phony email address.
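
Checking the address behind the displayed name can be automated. The following is an added example, not part of the original article: it compares a message's From and Reply-To headers with an address book. The contact, the domains, the sample messages and the 0.85 similarity threshold are all constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: sender name -> the address you already have on file.
KNOWN_CONTACTS = {"pat jones": "pat@jones-cpa.example"}

# Constructed message headers for illustration.
GENUINE = 'From: "Pat Jones" <pat@jones-cpa.example>\nSubject: Q2 estimate\n\nCall me.\n'
SPOOFED = (
    'From: "Pat Jones" <pat@jonas-cpa.example>\n'
    "Reply-To: refunds@mailer.example\n"
    "Subject: Tax form attached\n\nPlease fill out the form.\n"
)


def domain_of(address):
    """Return the lower-cased part of an address after the last '@'."""
    return address.rpartition("@")[2].lower()


def sender_warnings(raw_message, contacts=KNOWN_CONTACTS, lookalike=0.85):
    """Return the reasons the sender of a raw e-mail deserves a second look."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    address, domain = address.lower(), domain_of(address)
    known_domains = {domain_of(a) for a in contacts.values()}
    warnings = []

    # 1. The name shown in the mail client is free text; the address is what counts.
    on_file = contacts.get(name.strip().lower())
    if on_file and address != on_file:
        warnings.append(f"name '{name}' is on file as {on_file}, not {address}")

    # 2. A domain that is almost, but not exactly, one you know.
    if domain not in known_domains:
        for known in sorted(known_domains):
            if SequenceMatcher(None, domain, known).ratio() >= lookalike:
                warnings.append(f"domain {domain} closely resembles {known}")

    # 3. Replies routed somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        warnings.append(f"replies go to {domain_of(reply_to)}, not {domain}")

    return warnings


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, sender_warnings(raw))
```

An empty result only means the headers show no mismatch; it does not prove who sent the message.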

Attachments can be another tipoff to fraud. You should be suspicious if you get an email with attachments that are supposed to be forms, such as a tax form you need to fill out or a return to verify. Are you being asked to provide your Social Security number and maybe your birthday? Can you open it without having to go to a secure website and enter a password? That doesn’t pass our initial smell test.

If your accountant does contact you about sensitive information or forms, are you referred to a secure website? Do you have that link with your access credentials safely stored? In a safe world, you can log into your account by entering the website address from your browser and entering your credentials.

If something doesn’t look right, you should always be able to call your accountant on the telephone.

And just to go one step farther this spring, here are some other things to be wary of.

Are you getting emails supposedly from someone you haven’t heard from in ages? And does it have a short subject line, such as “hi”, with no message but a link? That’s a sign of fraud and clicking the link could open a breach in your system that can expose your sensitive data.

Are you getting Facebook friend requests from people who are already your friends? That’s generally a fraudulent request by someone looking to get into your system.

Anyone using fraudulent methods to get into your computer system may also be planting some kind of virus or malware to help infect other computers. If you think you may have clicked a link by mistake that could lead to a breach of your system, shut down your computer and disconnect it from the internet. Then call us – 973-433-6676 – so that we can apply our tools and expertise to minimize the damage and clean up your system.

‘Free’ Streaming

Not all streaming is meant to be shared – or at least not shared with dozens of strangers around the world. Cable companies and content providers are concerned about lost fees as access credentials to programming are increasingly abused. They’re cracking down on piracy.

Stealing service has been a problem since the first electrical wires and meters were installed more than 100 years ago. For cable and content providers, it became an issue when the first cable wires were strung up. The problem has grown as technology has developed more content and more ways to get it. Putting aside the issue of whether it’s all overpriced, it costs money to develop and deliver the content we love to watch, and too much of it is “falling off the back of an electronic truck.”

We can watch content for free on our TVs when they receive broadcast signals. But for the most part, the only people who watch broadcast TV are those who have cut the cord and stream through their TVs on their internal Wi-Fi or wired networks. For them, a TV is a device, just like a tablet, wireless phone or computer.

Cable providers have relationships with content providers that enable subscribers to stream cable-delivered content or simply stream it from the content providers. You get a username and password, and you’re good to go. You can even share your account with others, and almost all of us have done it at one time or another, especially with Netflix or Amazon Prime. Some providers encourage it.

Unfortunately, some people have taken sharing too far. The content industry has been OK with sharing info with a few friends or family members, but the problems arise when those friends and family members start sharing access with their friends and family. It’s all gone viral, and it hasn’t gone unnoticed.

Every provider who issues usernames and passwords also has the means to track who is accessing content and where they’re watching it. They expect that subscribers will stream their programming when they’re traveling, and they can usually verify access privileges are being properly used. Most vacations are a week or two, and even if you move around a bit, you’re generally not in locations a world apart within the space of two days – or on the same day.
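
The location check described above can be expressed as a speed test between consecutive logins on one account. This is an added example, not any provider's actual logic; the login records, coordinates and the 900 km/h and 100 km thresholds are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900    # assumption: about the cruising speed of an airliner
MIN_DISTANCE_KM = 100  # assumption: ignore geolocation jitter within one region


@dataclass(frozen=True)
class Login:
    account: str
    when: datetime  # all timestamps in UTC
    lat: float
    lon: float
    place: str


# Constructed login records for illustration.
SAMPLE_LOGINS = [
    Login("household-1", datetime(2018, 6, 1, 20, 0), 40.73, -74.17, "Newark"),
    Login("household-1", datetime(2018, 6, 3, 19, 0), 28.54, -81.38, "Orlando"),
    Login("household-1", datetime(2018, 6, 3, 21, 30), 14.60, 120.98, "Manila"),
    Login("household-2", datetime(2018, 6, 2, 18, 0), 40.73, -74.17, "Newark"),
    Login("household-2", datetime(2018, 6, 2, 23, 0), 40.73, -74.17, "Newark"),
]


def distance_km(a, b):
    """Great-circle (haversine) distance between two logins."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Return (previous, current, km) for login pairs no traveler could have made."""
    flagged = []
    last_seen = {}  # account -> most recent login processed so far
    for event in sorted(logins, key=lambda e: e.when):
        previous = last_seen.get(event.account)
        last_seen[event.account] = event
        if previous is None:
            continue
        km = distance_km(previous, event)
        if km < min_km:
            continue  # same area: a vacation rental, a phone on another network
        hours = (event.when - previous.when).total_seconds() / 3600
        if hours == 0 or km / hours > max_speed_kmh:
            flagged.append((previous, event, round(km)))
    return flagged


if __name__ == "__main__":
    for previous, current, km in impossible_travel(SAMPLE_LOGINS):
        print(f"{current.account}: {previous.place} -> {current.place}, {km} km")
```

The trip from Newark to Orlando two days apart passes as ordinary vacation travel, while the Manila login two and a half hours after Orlando is flagged.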

The industry can track possible abuse, and there are steps they can take – if they haven’t done so already – to limit access without alienating honest, rule-abiding subscribers. They can require all subscribers to re-enter or change passwords more frequently. It’s a risk for them because some subscribers may find this an inconvenience and drop their service. However, it’s one way to shut off access to a large number of pirates in one fell swoop.

They can also limit the number of shares they’ll allow. Netflix, for example, allows up to four shares for its most expensive plan, and providers such as HBO and DirecTV allow limited sharing. ESPN may have limits on how many streams are allowed, but that could be independent of limits placed by cable or satellite carriers.

The industry can threaten to cut off subscribers – or actually cut their cords – but that gets into all sorts of sticky legal and customer-service issues. For example, do you take action against the parents who gave their college-age kids access? Do you go after their kids? Do you go after the users of devices they believe are “invalid users?”

This problem will become more prominent on the industry’s radar screen because a lot of money is at stake. Content producers need to be paid for their product, and that payment depends on how many subscribers watch it. Cable and satellite companies pay fees to producers and collect fees from advertisers and subscribers based on the number of valid users. Nobody wants money taken off the table because of a discrepancy between subscribers and viewers.

Finally, all this sharing raises a nagging question in the back of our mind: If someone has access to an account that you pay for, how can they use this access for their own gain at your expense? Call us – 973-433-6676 – or email us for help in tightening up your access controls.

Homeland Security’s New Website for Trusted Travelers

If you’re a world traveler for business or pleasure – or plan to be – Homeland Security’s new Trusted Traveler Programs (TTP) System website is your cyber destination for managing Global Entry, NEXUS, SENTRI and The Free and Secure Trade (FAST) programs. The four TTP programs are great time savers for frequent travelers who have been pre-approved and are considered low-risk. They also represent a process of security checks that make it extremely difficult for someone to steal personal identities.

Registering through the TTP site is your one-stop center for all of the programs, although it’s not likely most of you will use all of them. If you have used any of them before, you’ll need to re-register. If you’re not familiar with them, here are quick descriptions:

  • Global Entry is for travel back into the United States. At selected airports, you go to a designated kiosk, present your machine-readable passport or U.S. permanent resident card, place your fingerprints on the scanner for fingerprint verification and complete a customs declaration. You get a transaction receipt and go to baggage claim and the exit. You must be pre-approved for the program. All applicants undergo a rigorous background check and in-person interview before enrollment.
  • NEXUS expedites processing when entering the United States and Canada. You use dedicated NEXUS kiosks when entering Canada by air and Global Entry kiosks when entering the United States via Canadian Preclearance airports. You also receive expedited processing at marine reporting locations.
  • SENTRI (Secure Electronic Network for Travelers Rapid Inspection) expedites clearance for pre-approved, low-risk travelers upon arrival in the United States. Participants may enter the United States by using dedicated primary lanes into the United States at southern land border ports. It’s primarily for travel from Mexico.
  • FAST (Free and Secure Trade) is a commercial clearance program for known low-risk shipments entering the United States from Canada and Mexico by truck. It expedites processing for commercial carriers who have completed background checks and fulfill certain eligibility requirements. The majority of dedicated FAST lanes are located in northern border ports in Michigan, New York and Washington and at southern border ports from California to Texas. Participation in FAST requires that every link in the supply chain, from manufacturer to carrier to driver to importer, is certified under the Customs-Trade Partnership Against Terrorism (C-TPAT) program.

If you already participate in one of the programs, you’ll have to go through a new registration process, which is an admitted ordeal, and you’ll need your PASSID number, which should be on any membership cards you have for the program or on any notification letters you might have received.

To start the re-registration process, go to https://ttp.cbp.dhs.gov/, log in, go to Manage My Membership and then Consent and Continue. Eventually, you’ll be redirected to a page where you’ll need to create an account. You’ll need to enter your email address, and then you’ll receive a confirmation. If all goes well, you’ll need to enter a password – a strong one – and you’ll need to provide a phone number (mobile is better) as part of the new website’s two-factor authentication process.

Through the process, you’ll be given a “personal key” that you should write down and keep with you. It’s your backup in case something goes wrong in your two-factor authentication scheme. After that, you’ll be redirected to the new TTP registration site, where you’ll need to enter personal information and your PASSID.

It’s a lot of work, but it’s a process that comes as close as anything I’ve seen to having both convenience and protection – once you go through all the gyrations to set it up. It has two-factor authentication and a secure back-up process, and the end result is convenience and time-saving at a place where it’s important for travelers and shippers.

We hope this helps you see the value of two-factor authentication. While secure borders are a top priority for our country, securing your personal data should be a top priority for you. Spending a few minutes early on can pay big dividends later. If you have questions about your security and setting up a two-factor authentication system, call us – 973-433-6676 – or email us for help.

Are You Printing Invitations to Your System?

Printers have been fingered as the weak link in many business and home networks. Most small businesses and home users tend to run their printers into the ground, and the longer they hang around without the latest firmware updates, the more vulnerable they are to a cyber-attack.

You can stop printing invitations to intruders – even with your current, old printer. Let’s start with the firmware. Simply go to your printer manufacturer’s support website and you can see all the firmware and driver updates available for download and installation.

Whether your printer is on a home network or small business network, make sure your firewall software is up to date and that you have a strong, secure network password for each printer. It’s too easy, especially in an office, to use a simple password that everyone can remember and hackers can figure out. And too many people, especially in an office, keep their passwords stuck to monitors, where anyone walking by can see them. Your employees and/or family members just need to bite the bullet and remember a strong password – and keep that knowledge to themselves. It’s also worth noting that sometimes the printers don’t even have those default passwords; they have none at all.

You can further restrict access to your printers by properly managing your printer settings and ports. Just as we’ve seen with everything related to the IoT, printers can be shipped with default settings controlling printers and default port assignments. Any third-rate hacker can figure them out. You can and should change them immediately when you set the printers up to work on your networks.

Some manufacturers are recognizing the role they can play in protecting your printers. HP recently introduced its Connection Inspector for enterprise systems, and we can only hope the company and other manufacturers start incorporating similar tools for small businesses and homes.

The new tool is designed primarily to combat malware intrusions through printers by looking at unusual behavior on network traffic going to a printer. It learns what “normal” traffic looks like, and when it detects malicious activity, it can immediately go into a protected mode, stopping any further unfamiliar or unusual requests and sending a warning to IT administrators. It can even trigger a reboot of the printer.

We’ll keep an eye on developments in printer security to let you know when tools like Connection Inspector become available for you. There should be an incentive to develop them because more and more professional services corporations and families, especially those with school-age children, rely on remote and/or wireless access to printers to create hard copies of information in a corporate database or a collaborative research project.

In the meantime, we can help you tighten your printer security by looking at your machine’s settings and ports and checking your network’s security, too. We can also help you with the installation of firmware and driver updates. Call us – 973-433-6676 – or email us for an appointment. It’s time to make sure you’re printing documents, not invitations to enter the inner sanctum of your system.

‘KRACKing’ Your Wi-Fi Network

KRACK is an ominously named crypto attack that exploits a flaw in the process of connecting a device and a Wi-Fi network. By allowing network access without the password, effectively it opens up the possibility of exposing credit card information, passwords, and practically any other data on your device. Here’s how to protect yourself – somewhat.

Using WPA2 security, the standard of protection for the past 13 years, is still the way to go, and setting a strong, secure password is just as important as it ever was. But it’s like a lock on your front door. Locks, according to conventional wisdom, keep out honest people. But a lock that’s strong enough to delay a would-be thief was thought to still be effective.

That was until KRACK (Key Reinstallation Attack) was discovered. It exploits a flaw in the four-way handshake process between a user’s device trying to connect and a Wi-Fi network, allowing an attacker to access a network without the password. It’s an equal-opportunity attack, too. It can affect Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others, but the most current versions of Windows and iOS devices are not as susceptible to attacks because of how Microsoft and Apple implemented WPA2. Linux and Android-based devices are more vulnerable to KRACK.

Fortunately, it’s not a helpless situation. Attacks can only be successful when someone has access to the wireless network you’re on at the time of the attack. That means you need to be especially careful on public networks. You can further help yourself by:

  • Making sure you’re up to date with all available security patches
  • Using a VPN, which will encrypt your internet traffic
  • Visiting only websites that use HTTPS, though it’s not a guarantee you’ll be safe.

We’ll keep you updated on developments against KRACK, and we can help you now by taking a look at your systems and security to make sure you’ve maximized your protection. Call us – 973-433-6676 – or email us for an appointment.

Equifax and Protecting Your Identity

If anyone learns just one lesson from the recently disclosed hack of Equifax, the credit-rating service that has the keys to many people’s vital data, here it is: You have to take your data protection into your own hands.

We had a really queasy feeling when we saw the news reports, and a lot of the information didn’t pass our initial smell test. First, why did it take so long for Equifax to notify its customers and authorities? More than a month went by before there was any announcement. Second, when Equifax did respond, it seemed ineffective. You can go to https://www.equifaxsecurity2017.com/, enter some information about your name and Social Security number and see if you have something to worry about. From there, you need to scroll to the bottom of the page to find the Potential Impact button, which will take you to https://www.equifaxsecurity2017.com/potential-impact/. Most people will learn that their data has possibly been compromised.

If you don’t want to fuss around with the internet, you can call a dedicated call center, 866-447-7559, from 7 a.m. to 1 a.m. ET every day to discuss your account.

You can go back online and enroll in a credit monitoring program with Equifax – or with Experian or TransUnion, the other two credit reporting agencies in the US. Equifax will give you the program free for a year without requiring you to waive the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms-of-use for this cybersecurity incident.

We strongly recommend you take these additional steps:

  • Place an initial fraud alert on your credit records. Again, it doesn’t matter which reporting agency you use. They all “talk” to each other. When lenders see the fraud alert when checking your credit, they must take additional steps to verify that it is actually you who wants to open the account. Initial fraud alerts are good for 90 days, and you can renew them or cancel them as it suits your needs. Equifax is offering an “automatic fraud alert” feature, which automatically renews itself every 90 days.
  • Freeze your credit. This makes it virtually impossible to open an account in your name because it blocks access to your credit report. Nobody can complete a credit check, so someone else won’t be able to open an account. A credit freeze won’t expire until you choose to remove it, and you can cancel and reinstate them as needed. However, you must place a credit freeze with each bureau individually, and that can come with a fee, usually $10 or less, depending on what state you live in or if you’re already a victim of identity theft.
  • Sign up with a credit monitoring service. We have a service that does this, but there are others.
  • Check your bank and charge accounts and your credit score regularly. If you see something that raises a red flag, contact your financial institutions or credit reporting agencies immediately.

We spoke to a number of people involved in the storage of highly sensitive personal information, and they all reminded us that you need to protect more than your financial information. Any organization that stores your medical and insurance records is vulnerable to a hack, and that can lead to additional problems. For example, someone who has your medical records can file a fraudulent medical insurance claim using your records.

That, of course, gets us back to advice you’ve often heard from us:

  • Install all updates for operating systems and application software as soon as they are available for computers and devices. The updates almost always include security patches and bug fixes.
  • Manage your passwords. Keep them long and complex and change them frequently.
  • Keep your networks secure by installing updates, managing passwords effectively, making sure your firewall and anti-virus protection are active, and limiting access to administrative functions.
  • Use common sense. Don’t click on links within an email from someone you don’t know or on something that looks out of the ordinary from an address you recognize. Email addresses are easily hijacked – and not necessarily because the owner of the address did something wrong. Don’t click on pop-up ads or ads with offers that are too good to be true.

Are we safe on the internet anymore? No, but you can be safer if you take ownership of your security. We can check security settings and run deep scans to help keep you as safe on the internet as possible. Call us – 973-433-6676 – or email us to set up a security audit or answer any questions you have about managing your security.

Passwords Becoming Passé

I’m as tired as anyone else when it comes to remembering dozens of arcane passwords for all the websites I need to access. Current and future technology will be able to provide relief and stronger protection. Here’s the lowdown on locking down.

If we’ve learned anything at all from the monthly ransomware reports, electronic “locks” are pickable. We’ve also learned that time is money for hackers when it comes to planting ransomware and other viruses that can make life painful or costly or both.

Operating under the assumption that any electronic barrier can be hurdled in time, you want to lengthen the time of your defense as much as possible – and we’re talking decades. The longer and more complicated the password, the longer it will take for hacking software to crack your code. We all know that when you include uppercase and lowercase letters in combination with numbers and special characters, the time stretches out. Making sure it follows no special pattern – that it’s totally random – adds to the security.

Many theories abound as to how to create a complex, random password that’s easy to remember. One suggestion is to take a phrase or sentence that you can easily remember. Then, take the first or second letter in your phrase and turn some into uppercase letters, numbers or special characters in a random order.

I have one password I use for everything, and I am extremely confident its length and complexity will deter hackers. You may find fault that I have only one password, and that would be a valid criticism. If it’s cracked, someone could get into every internet account I have.

You can eliminate the need to remember multiple passwords by using a password manager program. Some are free and some have a nominal cost. Basically, you just need to remember a master password to get into the system. The password manager randomly generates new complex passwords when you visit each site. Yes, you can argue that somebody could crack the password manager’s system. It’s possible, but would you feel more comfortable with $1 million under your mattress or in a vault that’s a half-mile underground, encased in 20 feet of concrete and guarded by a randomly rotated army that’s always being retrained?

You can augment the password manager with two-factor authentication, something we’ve liked and used for years. In many cases, you need to answer a question, and it should be something only you know. Other measures might include answers to randomly generated multiple choice questions based on publicly available information that can be verified as “right” or “wrong.” No “maybes” allowed.

In the future, passwords will give way to biometrics. The software is there; the hardware needs to catch up. Windows 10’s Hello can handle the biometrics, but most computers don’t have the 3-D cameras needed to use the feature. Some Microsoft Surface tablets have the cameras, and if you are in the right place, it works really well.

Regardless of what technology you use, don’t let your guard down. Don’t buy things or do your banking over a public Wi-Fi network. Use a trusted, secure network or a cellular data network. Make sure the networks you control are secure with up-to-date firewalls and anti-virus and anti-malware software. Make sure all operating systems and firmware are current with all bug fixes and security patches.

Remember that we can help you with all of your internet password and security needs, including choosing and setting up a password manager, setting up two-factor authentication and answering your questions about biometrics systems. Call us – 973-433-6676 – or email us to set up an appointment.