It’s a new year, and I’m sure every one of us made at least one small promise (if only whispered to ourselves at 12:01am on Jan 1) to be better or do better at something this year. I can help you out with an easy one that will definitely improve your security profile, and I’m pretty sure a safer you = a healthier you (at least digitally).
Let’s talk about the foundation of personal security: the Password.
Change that password. You know the one. The one you use everywhere. Change it! Make it hard. There are dozens of methods for coming up with one. Here’s one:
- Pick your favorite quote (or one you have memorized), use the first letter from each word. How about, “Twas the night before Christmas” which gives us “Ttnbc” – 5 characters, a good starting point.
- Randomize the capitalization in a way you can remember. How about reverse camel caps? “tTnBc”.
- Since we need 8 characters minimum, let’s add two numbers, and since we’re talking about Christmas, let’s add “24” on the end (or the beginning, it doesn’t matter).
- And we need a special character, how about the “@” symbol which looks like a Christmas ornament.
So now we have “@tTnBc24”. You’ll remember it because you created a small story behind the password, which will make it memorable. But Chris, you always say to use a unique password for every account! No problem, here’s how you do that, while still making every password you create memorable:
- For every unique account password you need to create, pick a string of 3 or 4 letters based on the name of the account (however you remember it, company name or type) – let’s say the first 3 letters, and always use the same rule. So for your Chase bank account, you’d add “Cha” somewhere to the password, either beginning or end.
- Before you tack it on the end of the password, pick a symbol that will act as the glue (or divider) between the base password and your account-specific string. Let’s just say “+” because that makes sense, right?
- Now you have “@tTnBc24+Cha”.
WARNING: if anyone ever gets ahold of more than one of your passwords generated via the above method, they may spot the pattern right away, especially if the account is known for each password, making it relatively easy to guess other account passwords. My recommendation here is to not use this method with passwords that you have to share with other people (it will be obvious if they see more than one). For those, use a random generator and store them in a known secure password utility, such as LastPass, KeePass, Dashlane or Roboform.
Use the above method for the accounts you access frequently but don’t want to lower your security on because of how valuable they are. Examples should include your email account (especially the one you use to receive password resets/reminders), anything that is attached to your money, accounts that have sensitive private information like insurance websites, and, most importantly, all of your social media sites, especially any in which you interact with friends and family.
If you are wondering if a password you’ve used in the past has been exposed, you can check https://haveibeenpwned.com if you know the email address to which the account was attached. This website is essentially a giant database of all the known data breaches over the past couple of years. If your email address raises a red flag, you should change the password you used for that account, especially if you used that same password elsewhere.
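The same service also publishes a Pwned Passwords range API, which lets you check a password itself without ever sending it anywhere: you hash it with SHA-1, send only the first five hex characters, and compare the returned suffixes locally. The script below is an added example (not code from the original post) that implements that lookup; `SAMPLE_RESPONSE` is a constructed stand-in for the API’s reply so the example runs offline, and the counts in it are made up.

```python
"""Check a password against Pwned Passwords via the k-anonymity range API.

Added example, not code from the original post. Only the 5-character SHA-1
prefix leaves the machine; matching of the remaining 35 characters is local.
SAMPLE_RESPONSE is constructed (real replies carry many more lines).
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed reply for prefix 5BAA6: "SUFFIX:COUNT" per line. The first line is
# the real SHA-1 suffix of the string "password"; the count is made up.
SAMPLE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form the API compares against."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range(prefix: str) -> str:
    """Fetch one hash range from the live API (network access required)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-range-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found).

    `fetch` is injectable so the check can run against a canned reply.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demo against the constructed reply; swap in fetch_range to go live.
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch=lambda _prefix: SAMPLE_RESPONSE)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample range")
```

Because the server only ever sees a five-character prefix, it cannot learn which password you checked; a non-zero count means the password has appeared in a breach and should be retired everywhere it was used.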
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Back in 2014 Microsoft announced that in 18 months it would cease to support older versions of Internet Explorer on currently supported operating system platforms. As of January 12th, Microsoft is making good on that promise and will only support the latest version of its web browser on supported OSes. You might think that this will mean fewer zero-day exploits of older versions of IE (one of the biggest security risks to date) because people will be forced to abandon the older browsers, but not so fast! Microsoft is trapped within their own doublespeak, and the catch is “latest version of IE released on a particular supported platform”.
What on earth does that mean?
If you happened to only skim (instead of read) their 2014 announcement or the news stories released this week about this new policy, you might have come away with the impression that Microsoft was finally dropping support for older versions of IE, namely 6, 7, 8, 9 and 10. Depending on your business need, this may have been cause for celebration or hair pulling, but a slightly deeper dive on this tells a less draconian tale. In a nutshell, depending on the operating system, some older versions will still be getting patched and updated, but only because the newer versions of IE were never officially released on a particular OS. Still confused? That’s OK, it’s Microsoft, so just shrug and take away the following:
1. Microsoft will still be patching older versions of Internet Explorer as far back as version 7, but…
2. Patches for versions 7-9 are likely to be hard to get, if not near impossible, for normal consumers.
3. Don’t use older versions of IE unless you have a compelling business restriction that prevents the use of IE 11.
4. Businesses relying on websites that require older versions of IE should get those websites upgraded ASAP. You are putting your employees/clients/customers in danger.
5. Remember #3? If you have to use Internet Explorer, you should be using version 11. It has competent backwards-compatibility capabilities that should work with websites that require older versions of IE to function.
Reports are streaming in of Dell customers being targeted by scammers pretending to be Dell support staff, leading many in the industry to wonder if the computer manufacturer has been hacked and their customer database stolen. The con artists are phoning Dell users and gulling the victims with convincing information about equipment and service records that should only be known to Dell. After the fake support techs gain access to their target’s computer, the usual scare scam follows, intimidating users into paying for virus removal, performance tuning, etc. This may have been going on as far back as May of last year, but with reports flooding Dell’s actual service desk, they are finally admitting it’s a problem without confirming whether any data has been stolen.
What this means for you:
Unless you’ve hired a company like C2 to monitor your equipment and network, it’s extremely rare that a company like Dell or Microsoft will call someone directly to fix a problem, especially if you didn’t initiate the interaction at the outset. While manufacturers like Dell do actually ship some of their models with software that can perform monitoring and remote access, they aren’t actually in the business of monitoring the millions of computers they sell. The same is true of Microsoft – they have support desks, but proactively contacting customers about problems on individual machines is just not something either company will do. Anytime you receive a call like this from someone you don’t know, your best course of action is to disengage immediately and contact a trusted technology professional. If you are feeling cheeky, you can try to get a callback number (they may actually give you one) and get someone like C2 to vet the caller. Ninety-nine times out of 100, it’s going to be a scam. Don’t waste your time on these con artists, and always get a second opinion before acting on an unsolicited technical support call.
Image courtesy of Miles Stuart at FreeDigitalPhotos.net
Though it may feel like it some months, I don’t intend to write about doom and gloom every week on this blog. Scattered in among the zero-days, hacks and malware infections are a handful of articles you don’t want to miss. As you prepare to wind down the year and check off your various lists, why not add these to your to-do’s and give yourself the gift of a more secure technology infrastructure!
- How to be a secure mobile citizen – ’tis the season for travel. Take a refresher on traveling safely with your mobile technology.
- Cheap technology not always a great buy – the same goes for gifts for yourself and others. You get what you pay for!
- Backups more important than ever – If I didn’t regularly remind you to back up your data, you’ll know something is very wrong with me.
- User, heal thyself! – Sometimes your technology falls down. This is how you can pick yourself up.
- Security 1-2-3 – If only security was as easy as…
- Understanding how your internet works – It’s nearly 2016. Don’t you think it’s about time you learn how your internet works?
- Email’s growing problem – part 1 of a 3-part series on taming the email beast. Let me email it to you!
- Can your business survive an internet outage? – El Nino is here! Your internet provider is not ready, but your business can be!
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Looking for a small gift for the technophile in your life? These are my recommendations for this holiday season:
- Portable Battery Charger: At least one person on your gift list spends their day on the move, whether at work or play, and probably spends the back third of that day babying their mobile device’s dwindling battery while desperately looking for a convenient AC outlet. Give them one of these chargers for their daily carry and they can work or play into the wee hours of the next day without being tethered to a wall socket. They are small, light enough to carry in a jacket pocket and will quickly charge just about any USB powered device and then some.
- Brightly colored, extra-long Lightning charging cable: Everyone and their mother’s brother has an iSomething at home, and you can bet their one power cord is one tug away from an electrical disaster. Why not get them something that is hard to miss and long enough to use comfortably while being plugged into an inconvenient power source? If they have an older model iPad or iPhone with the older connector, this will work for them. Sadly, the color choices aren’t nearly as festive. If they hail from the Android side of the fence, these swanky cables will work for micro-USB devices, and these will work for the ones that come with the new-fangled Type-C connectors (the new Nexus phones, for example).
- Portable 4-port Wall Charger: The best holidays are spent with friends and family, and you can bet a full house will have its share of dying mobile devices looking for a charger. These handy devices are compact with a folding plug for easy storage and portage, and can provide a quick, safe charge for up to 4 devices and with minimal wall-wart eruptions.
- Chromecast TV: Small enough and cheap enough to put one on every HDMI TV in the house, and capable of playing content from both Android and iOS devices. Small warning, they will need Wi-Fi, and cat videos are even more awesome on a big screen in your living room. If you are more into music, they make an audio-only version as well.
- I call this the “Gadget Hound Night Stand Sanity Saver“: Some of us keep our phones and tablets on the night stand by our bed. Every single one of us has at least one charging cable dangling on or about our work space. This handy gadget provides charging for up to 4 USB devices, two AC outlets and a convenient stand that works perfectly for phones or small tablets, and is right at home by the bed or on your desk. Why not have one for every night stand in the house, so your family and guests can charge up right where their devices work and sleep?
- Waterproof Bluetooth Earbuds: While perhaps a little steep for a stocking-stuffer, these might be the perfect gift for that special, active person in your life. I personally find music, audio books and podcasts to be great motivators while engaged in labor-intensive but otherwise mindless endeavors (exercise, yard work, house work, etc), but I hate getting tangled in the cord running to my smartphone. Bluetooth headphones allow you to cut the cord without sacrificing quality audio, and they can double as a headset when the inevitable call comes in right while you are in the middle of your activities.
I really wanted this holiday season to be one of joy and goodwill towards all people, but it seems like the black hats will never rest. Let’s just get the ugliness out of the way: VTech – maker of tech toys for kids – has suffered a data breach that has exposed over five million customer accounts, and worse still, over six million child profiles. As per usual, it seems that the Hong Kong company initially tried to downplay the breach by omitting any numbers or any mention that kids’ profiles might be at risk, but eventually came clean as word began to spread. Even after announcing the number of people affected by this breach, VTech continued to spin the incident and tried to downplay the extent of data leaked, despite proof provided to the media that the data exposed included a year’s worth of chat logs and children’s profile pictures, which were uploaded to VTech’s Kid Connect service, a supposedly secure social media platform that parents can use to chat with their children through VTech’s tablets.
What this means for you:
It’s not clear yet when (if ever) VTech will take action and contact the affected families. Hopefully you will know whether or not you’ve purchased an internet-capable VTech toy for your child and set up the Kid Connect service. The information exposed in this hack has not been released to the internet, and the hacker behind the breach says the info was shared with the press only to expose VTech’s poor security practices, but that’s not to say that it won’t eventually be released. As a parent, you should be mindful of any activity that involves exposing confidential information about your children on the internet (including Facebook!) and this will continue to be more important as more and more toys become increasingly sophisticated, connected and complex. According to VTech’s own admission, they were unaware of the security breach until the media contacted them for comment. As a business owner or manager, that is one nasty surprise you don’t want as a holiday gift. Make sure you have a good understanding of what confidential information you do store, and make sure it’s wrapped tight and kept safe, if it has to be kept at all.
When you sell as many computers as Dell does, all it takes is one small screw-up to create a security catastrophe. In this case, computers sold as far back as August of this year may have shipped with a compromised security certificate that could lead to a complete breach through a trivial exploitation of that certificate. So far, Dell has refused to disclose exactly which products are affected, but reports are confirming their Inspiron, XPS, Precision and Latitude lines are shipping with this problem. They are admitting that the problem exists, have published instructions on how to manually remove the compromised certificate, and will be releasing a software update to remove the certificate altogether. If you’ve purchased a Dell since Spring of this year, you should probably read on.
What this means for (some of) you:
In case the above didn’t contain enough technical jargon to convince you of how serious this is, let me unload on you: Dell shipped a slew of computers with a self-signed security certificate installed as a trusted root authority, and left the private encryption key on the devices. Even if you only understood part of that sentence, I’m betting you can intuit what publishing a private key does to the certificate. Yes, that’s right, it’s like sending everyone keys to your front door with your address printed on the key. Why this is a big deal is also fairly simple to explain. Because this key is essentially available for anyone to use, any reasonably proficient hacker could set up a fake hotspot at your local coffee shop, wait for a Dell computer to walk in, and then pretend to be Dell while decrypting all of your network traffic. If that sounds bad, then you are picking up what I’m putting down. What do you do if you have an affected computer? Here are the instructions on manually removing the bad certificate, or wait for Dell to release a fix, which is scheduled to arrive as of the time of this writing.
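A practical way to confirm whether a machine (or a fleet) still carries a root you have decided to distrust is to fingerprint every certificate in the trust store and compare against a denylist. The script below is an added example, not Dell’s instructions or the post’s own code: it hashes the DER bytes of each certificate and reports matches. The denylist entry is a placeholder because the post gives no fingerprint, and `SAMPLE_BUNDLE` wraps constructed byte blobs as PEM rather than real X.509 certificates, so the example runs anywhere.

```python
"""Flag distrusted root certificates in a trust store by fingerprint.

Added example, not vendor code. Fingerprint = hash of the certificate's DER
encoding, which is what certificate viewers show as the "thumbprint".
"""
import base64
import hashlib
import re
import ssl
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# PLACEHOLDER: put the SHA-256 fingerprint(s) of the roots you distrust here.
DENYLIST = {"PLACEHOLDER_SHA256_FINGERPRINT_OF_DISTRUSTED_ROOT"}


def pem_bundle_to_der(pem_text: str) -> list:
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [
        base64.b64decode("".join(body.split())) for body in PEM_CERT.findall(pem_text)
    ]


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Upper-case hex digest of the DER bytes (no colons)."""
    return hashlib.new(algo, der).hexdigest().upper()


def flagged_roots(der_certs: list, denylist: set, algo: str = "sha256") -> list:
    """Fingerprints from der_certs that appear in denylist (colons/case ignored)."""
    wanted = {fp.replace(":", "").upper() for fp in denylist}
    return [fp for fp in (fingerprint(d, algo) for d in der_certs) if fp in wanted]


def windows_root_store() -> list:
    """DER certificates from the machine ROOT store; empty off Windows."""
    if sys.platform != "win32":
        return []
    return [
        cert for cert, encoding, _trust in ssl.enum_certificates("ROOT")
        if encoding == "x509_asn"
    ]


def to_pem(der: bytes) -> str:
    """Wrap raw bytes in PEM armour (used only to build the constructed sample)."""
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + base64.encodebytes(der).decode("ascii")
        + "-----END CERTIFICATE-----\n"
    )


# Constructed sample: two fake "certificates"; neither is valid X.509.
SAMPLE_BUNDLE = to_pem(b"constructed-root-A") + to_pem(b"constructed-root-B")


if __name__ == "__main__":
    store = windows_root_store() or pem_bundle_to_der(SAMPLE_BUNDLE)
    hits = flagged_roots(store, DENYLIST)
    print(f"{len(store)} certificate(s) examined, {len(hits)} on the denylist")
    for fp in hits:
        print("  REMOVE:", fp)
```

On Windows the script reads the machine ROOT store directly; on other platforms point `pem_bundle_to_der` at your CA bundle file. A match only tells you the certificate is present; removing it is a separate step, and a root whose private key has been published should be removed from every store, including per-user stores, not just the machine store.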
Full Disclosure: C2 Technology Partners, Inc. is a Dell Partner, meaning we sell Dell equipment and services, though after this particular goof, perhaps not as much as we had in the past.
Want to know more about security certificates? Here’s a reasonably straightforward explanation of what they are and how they work.
It’s not exactly a walk in the park when a cash register gets infected, but when technology on the front lines of law enforcement is infected out of the box, we have an entirely new set of nightmares to keep us up at night. It’s bad enough that our military is using 14-year-old software to operate the most powerful naval fleet in the world, and now we have to worry about police officers trying to do an already tough job with infected body cameras. As of this writing, the manufacturer of the devices has yet to comment, but according to the security firm assisting law enforcement agencies with the implementation of these devices, the cameras are shipping with the Conficker worm, a virulent strain of malware that first appeared in 2008 and continues to exploit unpatched Windows machines to this day.
What this means for you:
The savvier among you may have already posed the question, “How on earth does a simple flash memory-based camera get a virus infection?” The original success of the Conficker worm actually came from its ability to spread via USB devices through a well-known weakness in Windows operating systems: the short-lived “autorun on insert” functionality would execute a script on an infected thumb drive, infect the host computer with the Conficker virus, which would in turn search for any attached networks and other USB devices to infect. Police body cameras are designed to record data to built-in flash memory, and then have that data transferred via USB to a computer. See where this is going? Imagine your local, overworked Police Departments now being overrun by a 6-year-old virus. On top of this, it’s not a stretch to imagine savvy defense attorneys calling into question the integrity of video footage captured by compromised hardware. Though Conficker’s true purpose was never discovered, it infected millions of PCs. It’s not hard to imagine a new wave of malware infections brought on by untested and widely available devices like web cameras, USB chargers and many other devices that make up the rapidly growing “internet of things.”
Fortunately for the law enforcement agencies that purchased the equipment, their integrator was on their game and detected the infection before the cameras were put into the field. This only came about because the computers to which the cameras were attached were protected by up-to-date and reputable antimalware software. While it won’t be the magic bullet we all wish existed, solid antimalware protection will go a long way towards preventing disaster in your organization. Don’t skimp in this regard – it might put more at risk than you think.
According to the meteorologists (and just about every media outlet) we are in for a very wet winter. Depending on where you live and work, this may just mean miserable traffic, or it might mean flooding, mudslides and worse. One thing we can always count on when it rains in Southern California is less reliable internet connectivity. On its best day SoCal is ill-prepared for any sort of weather other than the mild temperate climate we normally enjoy, and severe weather invariably impacts all of the major ISPs in the area. I can say without a doubt that while every single ISP labors unceasingly to improve the reliability and speed of their networks, they all rely on physical infrastructure that is sometimes (oftentimes) outside of their direct control. Most of that is copper wire or optical fiber that is distributed through poles, buried cable lines, and subterranean tunnels, all of which are subject to the forces of nature. To top it all off, all of the internet traffic in the world passes through an absurdly small number of chokepoints, including one in Downtown LA that, last year, was taken out temporarily by a car crashing into the building lobby where it’s located. And it wasn’t even raining that day. Not convinced? Northern California experienced multiple widespread outages recently due to malicious parties physically cutting subterranean fiber lines that would seem to be too easy to access.
What this means for you:
Hopefully you have built a business sustainable enough to withstand an internet outage of an hour or two, but what if that outage were to last an entire day, or, even worse, multiple days? Most of my clients are savvy enough to know how to get work done from other locations, and many of them use cellular broadband on a regular basis, but what if your entire company had to figure out how to work from another location because the internet was down? Even worse, what if your building was flooded or rendered uninhabitable/unreachable because of the weather? While it would be impossible to provide a comprehensive guide on what to do in these types of situations, here are a few questions that should help you start planning for that inevitable rainy day we will all face at some point:
- Who provides your internet service? Do you have their contact information handy some place other than your office?
- Who provides your phone service? Is it tied to your internet service? What happens to inbound calls when your phones are offline?
- Who hosts your email? Is it provided by a server in your office? What would happen if your customers/clients could not reach you via phone or email for any length of time?
- Do the primary operations of your business rely on the internet in some form or other? e.g. point of sale systems, call centers, web servers, etc. How much revenue might be lost if you were “offline” for a day? A week?
- Do you have a way of communicating with your co-workers or employees if the main office is “offline”? What about your vendors, clients and customers?
A sustainable and successful business must be able to operate in adverse conditions, and most importantly, not have the internet be a critical failure point. We are still a ways away from a highly reliable information superhighway, so make sure you have a rainy day plan ready.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
T-Mobile is set to announce a new device that will purportedly offer “full-bar” coverage for your home, even in areas that offer little or no tower-based cellular signal. The “4G LTE Cellspot” plugs into your home’s router and uses your internet connection to provide the cellular connection you may be lacking. To make this even more enticing, T-Mobile is offering this device free of charge ($25 deposit required) for all post-paid (as opposed to pre-paid) customers. Suspicious yet of this gift-horse? Good for you if you spotted the hitch.
Here comes the sucker punch:
The self-proclaimed “un-carrier” isn’t the first to offer this sort of device: AT&T, Verizon and Sprint all have similar devices, with one glaring difference: you can’t limit who has access to the T-Mobile device plugged into your router and using your bandwidth. This might not be a problem for those blessed with larger homes or big yards, but the Cellspot is designed to boost signal for any T-Mobile device within 3000 square feet. The device works by routing cellular calls (and data) via your internet bandwidth, which may or may not be capped, depending on your provider. Translation: any T-Mobile device, yours or a complete stranger’s, will consume bandwidth on your dime. On top of this, any data bandwidth transmitted via this device still counts towards your bandwidth limit (if you have one), even though you aren’t technically using T-Mobile’s infrastructure to transmit that data. All of a sudden, that device ain’t looking so “free” anymore, eh? All said, if you are among the unfortunate who suffer from poor cellular coverage in your home or office and rely heavily on your T-Mobile cellphone, and you have the fortune of having plentiful broadband coverage (with no bandwidth caps), this device might be the ticket to glorious full-bar coverage. Caveat emptor, and always beware carriers bearing “gifts”.