Per a recently updated report from the FBI and CISA, the telecom hacks that had been previously announced (and most likely missed amidst the election and holidays) are now being regarded as much worse than previously thought, and there is no anticipated ETA as to when the hackers can be evicted from the various compromised infrastructures. As such, the FBI and CISA are recommending everyone avoid unencrypted communications methods on their mobile devices, which includes SMS messaging between Android and Apple phones, and carrier-based cellular voice calls (which have never been encrypted).
What this means for you
If you are like 95% of the world, you are probably thinking, “Well, if China wants to know about the grocery list I texted to my spouse, they are welcome to it,” or “I’ve got nothing to hide,” or even more naively, “I’ve got nothing worth stealing.” Most people do not consider just how much they communicate via unsecured text – banking two-factors, prescription verifications, medical complaints to doctors, passwords to coworkers, driver’s license pictures, credit card PINs – the list is endless, and extremely valuable to threat teams like Salt Typhoon, the APT allegedly behind this huge compromise. The reason that this is a big deal is that we as a society (at least in America) have grown overly comfortable with this lack of privacy, and on top of that, the market has encouraged a fractured and flawed approach to communications between the various community silos we have created for ourselves online. What you might not know is that messaging from iPhone to iPhone, and Android to Android, is fully encrypted, as are messages in WhatsApp, Facebook Messenger and Signal, but as you consider your circle of family and friends, how many of them are on the same platform and use the same messaging apps to communicate? How many of your two-factor codes arrive via SMS?
To address this latter issue, you should move any multi-factor codes to an app like Microsoft or Google Authenticator (if the platform even allows it – many banks do not yet support apps). This process will be painful and tedious, but probably most important in terms of improving your personal safety. The messaging problem is not so “easily” solved, at least from a friends and family perspective, but for business communications, you should consider moving everything to a platform like Microsoft Teams, Google Workspace, Slack, etc. And stop sharing passwords via text. More information to come as we learn more about the severity of this telco hack.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
Ever since they were hacked in 2023, genetics and ancestry website 23andMe has been more or less moribund, going from a high of $16 per share to $0.29 today and seeing the resignation of their entire board of directors last month. When we last wrote about them in December of last year, the beleaguered DNA testing company had to revise their initial statement about only getting a “little” hacked (1.4M records) to admitting that they got majorly hacked (6.9M records). As you can imagine, this didn’t bode well for their marketability.
Why are we talking about them again?
It’s been nearly a year since the initial data breach, and judging by the lack of faith the recently departed board of directors had in the company’s founder, they aren’t likely to return to full potential any time soon, if ever. If you were one of the millions of people that sent them your DNA to analyze, you’ve probably already reaped whatever benefits (positive and negative) you will likely get from 23andMe, but they may not be done making money from your data. While they claim that much scientific good has been generated if you were one of the many who consented to allow your de-personalized data to be used by researchers, you may want to consider the consequences of letting a company whose security practices led to their current downfall continue to have access to your data. Because you do have the option of asking them to delete your data. And seeing as you paid them for the privilege of providing your data, it seems rather mercenary for them to then take your data and continue to sell it without compensating you. Rather, they got hacked, exposed your confidential information, and then continued to (somewhat) operate. If you’d like to see some consequences, you can do your part by asking them to delete your data, which can be done merely by logging into your account on their website and submitting that request. Do it. If a majority of their customers were to do this, perhaps it will send a warning to competitors to do a better job with your precious data, and a message to our government about doing a better job protecting our privacy.
Image courtesy of geralt at Pixabay
California is one of 7 states participating in a pilot program that allows drivers to store their license on their phone in their Apple or Google wallet. California’s rollout is part of a larger project called “Digital ID Framework” which lays the groundwork for a much broader implementation of identification that is intended to supplement and eventually replace physical IDs like passports, government badges, and driver’s licenses. Their vision is to link the various State-certified credentials and government programs with day-to-day practicalities like checking in at an airport, purchasing groceries through EBT, or proving to local agencies that you are a licensed cosmetologist. But don’t throw your Driver’s License in a drawer just yet.
What this means for you
First off, California’s pilot program is limited to 1.5 million participants at the moment, and obviously you will need to have an Android or late model Apple smartphone with a functioning digital wallet. Additionally, using Apple or Google’s wallet mobile Driver’s License only grants you the ability to use it to verify your ID at airports, so unless you are a frequent traveler, adding your license to your digital wallet is really more of a novelty at this point. The DMV also has a wallet app that adds a little more functionality: in addition to using it at airports, the DMV wallet app allows you to verify your age at a select few stores in San Francisco and Los Angeles, and the reader function of the app allows you to verify identification of other DMV wallet users. Not exactly the bold new world you might have originally envisioned.
More importantly, your California mobile Driver’s License cannot currently be used for things like traffic stops or other law enforcement verifications. Some states like Louisiana and Colorado have begun adoption at this level, and as I mentioned above, California intends to expand capabilities of their Digital ID Framework to eventually make your phone a valid ID for this exact purpose. Until this comes to pass, and even when it does arrive, privacy advocates are recommending that you never voluntarily surrender your phone to law enforcement for any reason without a proper search warrant and legal representation. Even the Supreme Court has ruled in this matter. Even if you’ve done nothing wrong and are confident that there is nothing incriminating on your phone, it does not mean the person requesting your phone won’t abuse your privacy or their authority. For now, even if it seems like a very convenient feature, keep your phones in your pocket and your Driver’s License handy.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
After a lovely Labor Day weekend spent grilling, eating and celebrating with friends, I received an email early Tuesday morning from a worried client who was sent a very upsetting email over the weekend. It greeted them by name and opened with a single sentence, “I know that visiting [client’s address] would be a more convenient way to reach if you don’t cooperate,” and followed with another partial sentence, “Beautiful neighborhood btw,” and included a picture of my client’s home and then a PDF attachment that supposedly included further instructions. Despite missing a word, this email was threatening and clearly menacing. It was also fake.
What this means for you
At first glance, my gut reaction was to tell my client to report this email to the local authorities and maybe look into getting out of town for a few days. As written this was a very thinly veiled threat – if someone were to receive this email in a movie or TV show, it would most certainly be a prelude to some good ole-fashioned Hollywood violence and terror. On a hunch, I opened up Google Maps Street View and punched in my client’s address. A quick flick of my wrist on the camera angle revealed the exact picture used in the email, cropped to remove the various overlays that would have otherwise significantly detracted from the implied threat. Clearly the sender (most likely just another bot-powered script) was trying to pull a fast one by getting the recipient to open the PDF, which would most likely lead to a phishing prompt. “It’s fake,” I typed in a quick email to the client, and then went about my day, where, within the hour, I encountered the same type of email received by another colleague over the same weekend. The scammers have a new toy, and I’m betting it’s a money-maker for them.
Here’s my thinking on this: regardless of the contents of the email, or who it’s from, you should NEVER open an unexpected attachment (or link) unless you can confirm the contents in some other way than opening the actual attachment. It is beyond common for email accounts to get compromised, and the first thing hackers do when they bag an email account is to immediately spread to that account’s contacts within minutes of gaining access. Their success counts on rapid, undetected spread and relies on the built-in trust that emails sent by a known contact inherit. Even the best email filters available are always playing catch-up to the latest scam techniques like the fake extortion email from above, so there will always be ill-intentioned emails that will get through despite your mailbox being protected by “enterprise-grade” security. As always, anything built and maintained by humans will be fallible, and as the threats on the internet get increasingly dangerous, even fake extortion phishing emails can end up doing real damage. Stay vigilant and always ask for a second opinion on things like this. While it can be exhausting sometimes to be on the receiving end of the countless questions people have, every time I keep someone safe for even one more day makes it all worth it.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
I’ve been doing technology support long enough to tell you that many of the problems that people experience with computers are self-inflicted. I even have clients who truly believe they have a little black cloud hanging over them every time they sit down in front of a computer, and having witnessed their track records first-hand, I make sure to keep my tech poncho handy. It’s hard to deny empirical data that clearly indicates some folks might be better keeping their distance from expensive or important technology. Today, however, some of my tech-kryptonite clients can hold their heads high because…guess what?! In the case of a large number of computers built with Intel CPUs, the technology problems plaguing those PCs might have been the hardware and not them!
“I’ll need an old priest and a young priest.”
Unfortunately for Intel, exorcising this particular demon won’t be nearly so simple (or cinematic). The tech manufacturer most widely known for making CPUs used in just about every desktop computer, laptop and server on this planet has recently admitted that they created, manufactured and sold two entire generations of CPUs with a flaw that basically causes them to commit electrical seppuku by requesting more voltage than they can safely handle. Intel’s Raptor Lake 13th and 14th generation CPUs have been installed in PCs since late 2022 all the way through today, and no one’s quite sure how many PCs might be affected because it’s very difficult to determine if your repeated crashing is from a fried CPU or you are just one of my “stormy” tech friends.
After strongly denying this for several weeks, Intel finally came clean and admitted to the manufacturing defect, and after some prodding from the industry, also committed to extending warranties on retail CPUs (i.e., sold in boxes for installation into computers by system integrators, hobbyists and MSPs like yours truly) by 2 more years. And after a little more prodding from their biggest customers, extended that same 2-year grace to OEM computers as well – these would be the ones you buy from Dell, Lenovo, HP, etc. Additionally, Intel is prepping a firmware update for mid-August that will supposedly rectify this nasty bug, but sadly, the fix won’t do anything for CPUs that have already lobotomized themselves. For that, you’ll need to seek a warranty replacement. As someone who has gone through that particular process more times than should be allowed by the Geneva Conventions, make sure you get your “waiting boots” on and keep your favorite stress toy handy. The next few months are going to be a hoot. And by “hoot” I mean nothing at all resembling such a thing. Thanks, Intel.
The past few days I’ve been working with several clients who are in various stages of being compromised or having their online accounts attacked. The recent surge of activity is possibly related to the recent RockYou2024 “publication” wherein a file containing nearly 10 billion passwords was posted to a popular online hacking forum on July 4th. Analysis of the new file demonstrated that the bulk of the data is a compilation of other breaches, including the previous release of this compilation, RockYou2021, which contained over 8 billion passwords at the time. Regardless of whether it’s old or new, many people will continue to use old passwords across multiple accounts for years if they aren’t forced to change them, so it’s a good bet that a large majority of the information in this file is quite usable, adding significant firepower to any hacker’s arsenal.
Passwords alone aren’t safe enough
While I was working to restore some semblance of security to my clients, one of the things I noticed was that the various bank accounts they accessed via the web or their phone did not have multi-factor security enabled, nor were my clients aware that it wasn’t actually turned on, or even available to be enabled. I was always under the impression that banks were forcing this on everyone, as it was a constant struggle for many of my clients who are accountants or financial professionals, but for at least one of my clients, all four banking accounts did not have the full multi-factor security login process enabled. On top of this, it was a struggle sometimes to actually enable the multi-factor as each bank buries the settings in their gloriously bad interfaces, and the instructions to turn it on aren’t always clear. And if someone like ME struggles with enabling this type of security, imagine what your elderly parents might be facing. Do yourself a favor: if you don’t know for a fact that you have multi-factor enabled for your banking accounts, log in and check, or call the number on the back of your credit card or debit card to find out. You might be surprised at how unsecure you were.
Image by Manuela from Pixabay
One of the most appalling practices in the current world of online hacking and phishing is the constant attacks on our elderly friends and family because the attackers know they are easy targets. Unfortunately, I don’t see technology becoming any easier for anyone, especially the elderly, so if they are going to continue using technology for things like shopping, paying bills and handling various elements of their health and property, see if you can get them to abide by some simple but critical rules when they get into unfamiliar situations. This may mean more calls to you on trivial things, but if you are like me, I’d rather that than getting the, “I’ve been hacked,” call.
Rule Number One: “Never trust popups on your devices that warn you about something scary and ask you to call a number.” None of the legitimate malware protection software on the market will do this. This is nearly always a scam. If they get something like this on their computer, tell them to take a picture of it and then just power off the device, manually if it won’t shut down normally, and physically by unplugging the cord if that doesn’t seem to be working. These fake popups are meant to be frightening, disorienting and sometimes incredibly annoying. If the popup comes back after powering up their device (and it may, as many are designed to do just this) it may require some additional, technical expertise to get rid of it. For actual tech-savvy users, it’s a quick fix, but it may be hard to explain over the phone if the recipient is flustered or otherwise frightened. If you can’t go yourself, it may require a visit from a local technician.
Rule Number Two: “Don’t ‘google’ the contact number or email for important services.” All of the popular search services offer ad results at the top of actual search results that are often hard to distinguish from the legitimate information you were seeking. Bad actors are paying for ads that pretend to provide support for various commonplace companies. They will answer the phone as that service, including pretending to be Microsoft, Amazon, Apple, or Google in order to trick callers into giving them access to their devices. If your loved one is fond of using the phone in this manner, provide them with a printed list of known-good numbers for their most used services like their banks, pharmacies, etc., as well as including lines like “FACEBOOK: NO NUMBER TO CALL-DO NOT TRY” as a reminder that certain services are never available via phone.
Rule Number Three: “Always call someone you trust about anything on which you are uncertain.” Our loved ones often will refuse to call us because they don’t want to be a bother. Frequent calls may seem like a nuisance, but they pale in comparison to the absolute disaster you will both have to handle if they get hacked. I’d rather have dozens of calls of “Is this OK?” than the single, “I may have done something bad.” Reinforce their caution with approval, and if you have the time, perhaps explore with the caller what clued them into making the call. If it boils down to them just applying the above 3 rules, then score one for the good guys!
Image by Fernando Arcos from Pixabay
It seems rare to find feel-good information about artificial intelligence lately, so when I spot it, I like to share it, especially when it has to compete for attention with discouraging stories where AI technology is enabling the spread of hate and misinformation. After a young woman in Rhode Island lost her voice due to a brain tumor removal, a team of doctors and ChatGPT-maker OpenAI were able to utilize a short voice recording to create a specialized app that allows her to speak again with an accurate recreation of her own voice.
Stop there if you want to keep feeling good.
Still reading? OK, I warned you. While I’m not going to go into details because I don’t want to give them any more publicity, there are plenty of other AI startups who aren’t focused on limiting their platforms to only medical applications where all parties involved are providing ongoing consent for the use of their voice. While I’m sure they claim their software can only be used in completely consensual situations, we’ve already seen spreading usage of deepfakes for political propaganda, extortion and reputation destruction.
Given the potential AI has, many companies may have started out with stars in their eyes for all the imagined possibilities the technology could enable, but once buyers with suitcases of money started showing up, ethics seem to be relegated to a secondary (or lower) concern, if it was ever a constraint in the first place. As always, money and politics complicate matters, and we humans are not known for approaching things cautiously, especially when being first to the prize means establishing dominance. It’s heartening to know that at least some folks are intent on developing genuinely helpful applications of AI technology, even if in the end, their efforts will most assuredly be monetized. Our hope here, like 3-D printing, is that the technology becomes so widespread that it levels the playing field for (most) everyone.
Image by bamenny from Pixabay
If there’s one thing I can state with certainty in 2024, technology is not getting easier. Just about every aspect of our lives, personal and professional, is getting automated, appified and otherwise “wired up” like we were living in a 90’s cyberpunk novel. Many aspects of those landscapes were eerily prescient (hello mega corporations), but there is one trope that you might not have considered yourself to be a part of: “hacking” your own technology to fix a problem or change an outcome. Let’s be clear, when I say “hacking” I’m referring to the more genteel, non-criminal activity of solving a technical need or problem via unconventional and/or creative methodology and materials. At a certain point, lots of people started using the term ironically (or in self-deprecation) when they managed to solve technical issues on their own, sometimes without even understanding how it was done.
Hang on, Neo. You don’t know Kung Fu yet.
Internet purists will lambast me if I don’t post the usual disclaimer, “In order to truly hack something, you need to have a full understanding of how that thing works.” In the day and age of YouTube videos on just about anything and everything, it’s possible to find an endless supply of “How to hack (a thing)” and a lot of them are quite good. But many of them are not, so how do you sort out the bad from the good? Well, you can either work for 30+ years as a technology consultant, or you can at least try to get some basics under your belt, at least as far as hacking personal technology is concerned. I’m only going to outline the topics – there isn’t enough space nor attention span to spell it out in full. Not all of these areas of study are compelling – some are hella boring, but these are things that I believe everyone should know at least a minimal amount about in order to be a competent, productive person.
- Know how your internet works – do you know the difference between a modem, router, firewall and access point? Wired and wireless? What’s an SSID? Do I have guest WIFI? How do I “reboot” my router? Is Bluetooth the same as WiFi? What’s bandwidth and why is it important (or not)?
- Know the parts of your computer and peripherals – is that a USB-C port or a Thunderbolt port? What’s a function key? Is that a power button or a reset button? Is my printer wireless or wired? What’s the difference between “sleep” and “shutdown”? How do I change my ink cartridge? Does my phone have a SIM card? Is there a warranty on my device? How would I go about getting it repaired?
- Know who provides your technology – what’s the brand or manufacturer of your smartphone? Model? Who provides your email? How do I contact technical support for this bit of software? Do you know who your internet provider is, and what they are supposed to be delivering to you for your monthly internet bill? Is this software free, or do I pay for it? Do I even own this software?
- Understand where your data “lives” – is it on your computer’s internal storage? How do you navigate your device’s internal storage to find things? Is your data in the cloud? Which cloud provider? How do you get access to that data from something that is not your computer or phone? Can you? Is your data backed up? Is it encrypted? Should it be? Who owns my social media posts? Is my private information searchable on the internet?
We are well past dismissing this type of knowledge as something only “nerds and geeks” need to know. Whether we like it or not, we should start thinking about this type of technology savvy on the same level of importance as understanding how road traffic works, managing personal finances and differentiating fact from fiction. Failure to grasp the basic concepts of technology will just add more struggle on top of the regular uphill battle we face every day.
Image by Bruno /Germany from Pixabay