Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302


The overlooked threat to your security

Christopher Woo
Tuesday, 24 October 2017 / Published in Woo on Tech
Despite our hard work to keep our technology devices safe from malware, many of us underestimate a threat living right under our noses. Worse still, these threat vectors don’t even know they are potential harbingers of doom, so neither of you will see it coming until it’s too late. Yes, I’m talking about family & friends, and especially your children (if you have them). Unfortunately for everyone, malicious developers continue to hone their skills at conning our trusted friends and loved ones into compromising themselves, which will oftentimes result in everyone around them being put at significant security risk, just by nature of the trust we extend to this close circle. The most recent example of this is the discovery of 6 popular apps on the Google Play store that hide their malicious intent (to zombify your smartphone) behind the most innocuous and tempting lure, especially for kids: add-on eye candy for the popular mobile game Minecraft: Pocket Edition.

What’s a professional surrounded by loved ones to do?

Being safe doesn’t mean having to cut off everyone around you, but it may require you to pay attention to what they are doing with systems that you use or share with family and friends, such as home office computers, mobile devices, Wi-Fi networks, Netflix passwords, etc. I’ve seen numerous parents hand their phones over to their younger children as entertainment devices, often acquiescing to insistent demands to install this app or that app without much attention being paid to what is actually being installed. I’ve even seen this dynamic played out on home office computers and not just to appease little ones. Wi-Fi passwords are simplified and widely shared for convenience, with never a thought that you are handing the keys to your network kingdom to a device you know little to nothing about. It may seem a bit Scrooge-ish or even paranoid to some of your family, but if you are serious about security consider the following:

  1. If you work from home and use Wi-Fi, but you want to provide internet for your kids or guests, consider setting up a “Guest” Wi-Fi network just for them. Most modern day home firewalls and access points can do this easily. Even the cheap routers provided by ISPs can do this.
  2. If you have sensitive data on your phone or tablet (and who doesn’t at this point), don’t let others install apps on your device, and definitely don’t let your kids play with it without close supervision.
  3. If you have access to sensitive data on your home office computer, keep it strictly business and specifically for you. Set up a separate device for guests, family and especially children.
  4. Don’t share passwords for household internet services like Netflix unless they are unique. If you use that same password elsewhere, especially on important accounts, you are asking for a breach.
  5. Always treat emails or messages containing links and enthusiastic urging to “check this out” from friends and family with suspicion. Call and ask if they sent the message, and if they did, ask where they got the link from, followed by a friendly, “Oh by the way, your antivirus is up to date, right?”

Image courtesy of graur razvan ionut at FreeDigitalPhotos.net

Special Bulletin: Critical Vulnerability Found in Core Wi-Fi Protocol

Christopher Woo
Monday, 16 October 2017 / Published in Woo on Tech
Researchers released findings today on a critical vulnerability in the way devices using WiFi authenticate themselves with WiFi access points and routers. The exploit that takes advantage of this vulnerability is known as a Key Reinstallation AttaCK, or “KRACK” for short. Unfortunately for all of us, this vulnerability is actually found in a core protocol that is used just about everywhere, especially public WiFi hotspots.

DO NOT USE PUBLIC WIFI WHEN WORKING WITH SENSITIVE DATA

This has always been our advice to everyone – public WiFi networks are inherently insecure because it is impossible to control who is using the network, but this vulnerability adds to the growing pile of reasons to avoid using public WiFi unless you have no other alternative. Your office and home networks are only slightly more secure in that you have a marginal amount of control over who has physical access to the network, just by virtue of signal strength versus controlled space, but WiFi does travel through walls and over fence lines, so it’s still possible someone could be physically close enough to exploit this flaw without you ever seeing them.

Websites and applications that communicate via HTTPS and the use of a VPN will protect you from snooping, but won’t prevent someone from actually piggy-backing onto your data connection and sniffing all the unencrypted traffic, which can include many mobile apps and regular websites that don’t use HTTPS. For much better security, wired networks are still superior and are completely unaffected by this particular flaw.

The (somewhat) Good News:
  • This exploit has not yet been seen in the wild, and it does rely on someone being physically close enough to you to start the attack.
  • In any instance when either the provider or receiver is patched to fix this loophole, this exploit will not work.
The devices that are vulnerable to this flaw:
  • Android 6.0 devices and newer, which are just about all current and previous generation phones and tablets.
  • Any routers or firewalls with built-in WiFi
  • Just about all consumer-grade WiFi access points
  • Unpatched computers with WiFi capabilities
  • Home automation devices that rely on WiFi for control (Nest thermostats, Ring doorbells, etc.)
  • WiFi connected cameras

It may be days or even weeks before this vulnerability is patched on mobile devices, and in the case of some older phones and tablets, this vulnerability may never be patched if the manufacturer has abandoned support for that particular model. Windows 10, 8 and 7 have already been patched. Apple has a patch in beta right now for most of its late model devices and OS X, and most variants of Linux are already distributing patches for this hole. Firmware updates for higher-end, late-model routers and access points are likely to happen, but it will vary greatly by manufacturer and age of device, and it’s still too soon to tell when or if automation and security devices will be patched.

Image Courtesy of Stuart Miles at FreeDigitalPhotos.net

When “Googling it” gets you goosed

Christopher Woo
Tuesday, 10 October 2017 / Published in Woo on Tech
I spend so much time looking at search results that I’ve learned how to effectively ignore the advertising surrounding them, but two recent client incidents have again reminded me that not everyone is savvy to the way that Google and several other search engines present their search results, and more importantly, how advertisements are displayed on the very same page, above the actual search results giving them visual priority over actual, legitimate links. Depending on how harried or distracted you are at the moment, you might not notice that the first few items presented on the results page are actually ads, and this is where things can get nasty. One of my clients was having trouble with Quickbooks and typed this search into Google, “Quickbooks Payroll support”. Below is the actual page that comes up in Google with names and numbers blurred to protect us from being sued by the illegitimate advertiser (click for a larger view):

What’s going on here?

The first two links provided are advertisements, as indicated by the small “ad” icon on the second line of each entry. Easy to miss, especially if you are looking for a phone number (which my client was). Right next to the “ad” icon is the actual domain and URL of the entry. For the entry marked as “1” on my screenshot, the domain was for a company definitely NOT Intuit (the developers of Quickbooks), which would also provide a hint that this “search result” might not be what you think it is. The third entry marked as “2” in my screenshot is the actual link to Intuit’s support website, and (after several clicks) eventually will lead to a real phone number to call for support from Intuit.

My client called that first number at the top of the page and walked right into a classic scareware scam. The “technician” on the other end claimed to be Quickbooks support and promised to help my client with their issue, but they had to resolve numerous “errors” prior to doing so, and they would only perform this work if my client renewed their Intuit “support subscription”. The “tech” showed my client a “log” full of errors and then quoted them an outrageous price for a one-time “cleanup”. Smelling a rat, my client hung up on the scammer and called me. After a quick recounting, I was able to ascertain that they fell down this rabbit hole because the top link on the search results page isn’t Intuit, but an ad designed to trick the unwary into a costly mistake. Once I pointed out the tell-tale signs, my client soberly asked how many other people fall for this trick. Unfortunately, quite a few people get fooled by this scam, and it’s important to point out that buying an ad with that sort of ranking isn’t cheap, so clearly this tactic is paying off.

How do I avoid getting tricked?

Never forget that Google runs ads right next to its search results. Look for the visual clues that differentiate ads from actual search results – legitimate providers always identify their ads, but their means for doing so isn’t always obvious. Type the URL manually in a new browser window instead of clicking the link. There are numerous examples of domains deliberately registered and used that look like the website they are spoofing, including using Unicode characters to produce character strings that look like actual domains but are in fact cleverly-designed counterfeit sites that will lead to further technology ruin. Always be suspicious if a vendor you are calling asks for payment information up front, and even more so if they immediately open with a screensharing invite. Another great way to tell if they are trying to con you is to offer to conference in your IT consultant (me, for example). Legitimate support providers will always agree to this, but scammers immediately make excuses or will try to discourage you from getting a second opinion as your IT person is “probably not qualified” or not good at their job (“otherwise how would so many errors/viruses/problems be on your computer?”) Another client of mine had someone she had called for printer repair ask for a screenshare session and credit card payment to resolve the issue, when all she wanted was help to remove some jammed paper in her printer. She too had been fooled by an advertisement masquerading as a support website for her printer’s manufacturer.

Stay vigilant, and always be careful when calling numbers you find in search results. At minimum, follow the link by manually typing in the listed URL to make sure it leads to your manufacturer’s website, and verify that it’s the legitimate site with a little exploring. Most counterfeit sites aren’t much deeper than a page or two before they try to lure you into giving up your data, so be wary of sites that seem small, broken or unfinished. The top search engines and many antivirus platforms (including Webroot used by C2) also keep track of counterfeit websites and will warn you if something seems suspicious. Keeping your eyes wide open and your brain on the defensive will help you avoid getting goosed by fake ads.
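The domain checks described above can be automated before anyone dials a number found on a results page. The following is an added example, not part of the original post: it decodes punycode labels, looks for mixed scripts, and compares the result to the vendor domain you expected. The expected-domain list, the small confusables table and all sample hostnames are constructed assumptions.

```python
import unicodedata

# Assumption: the vendor domain(s) the reader actually means to reach.
EXPECTED = ("intuit.com",)

# Constructed, deliberately small subset of Cyrillic letters that render like
# Latin ones. A production check would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u0456": "i", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0443": "y", "\u0445": "x",
}


def to_unicode(host):
    """Decode xn-- (punycode) labels so we inspect what a browser may display."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed encoding: keep the raw label for inspection
        labels.append(label)
    return ".".join(labels)


def scripts(label):
    """Return the set of scripts (LATIN, CYRILLIC, ...) used by one label."""
    found = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue  # digits and hyphens are shared by every script
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(host):
    """Map known lookalike letters to the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(host):
    """Return 'expected', 'lookalike', 'mixed-script' or 'unrelated'."""
    shown = to_unicode(host)
    if shown.isascii() and any(belongs_to(shown, d) for d in EXPECTED):
        return "expected"
    if any(belongs_to(skeleton(shown), d) for d in EXPECTED):
        return "lookalike"
    if any(len(scripts(label)) > 1 for label in shown.split(".")):
        return "mixed-script"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample hostnames, as they might appear under an ad or link.
    samples = [
        "quickbooks.intuit.com",
        "\u0456ntuit.com",                      # Cyrillic first letter
        "intuit.com.payroll-help.example",      # vendor name as a subdomain
        "p\u0430yroll-help.example",            # Latin and Cyrillic in one label
    ]
    for host in samples:
        print(f"{host!r:45} {classify(host)}")
```

Note that the third sample is reported as unrelated: a vendor name at the front of a hostname says nothing about who owns the domain at the end of it.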

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

All 3B Yahoo accounts were compromised in the 2013 breach

Christopher Woo
Tuesday, 03 October 2017 / Published in Woo on Tech
Yahoo has just announced that instead of one billion accounts being compromised in the 2013 security breach, all of its approximately three billion accounts were compromised in some form. In case you’ve lost track, the 2013 breach is different from the 2014 breach, in which “only” 500 million accounts were compromised. The press release from Verizon/Oath is predictably vague, stating that information stolen did not include passwords in the clear, banking information or payment card details, but did not detail what was stolen/exposed in the breach. The statement “passwords in the clear” could be taken to imply that encrypted passwords were stolen, and who knows whether they were stored securely, as several weaknesses in previously-used encryption methods have since come to light. Seeing as this was 4 years ago, it’s highly likely that any encrypted information stolen has already been cracked.

What this means for you:

If you haven’t stopped using Yahoo as an email provider, it’s time to kick that email address to the curb, especially if you are using it for business. Yahoo has repeatedly demonstrated it’s not deserving of your trust or your data, so it’s time to stop using them. Period. Your second takeaway should be this: stop using the same password for everything, and definitely don’t resurrect old passwords thinking that there is no way someone could come across that password. I will guarantee you that despite the gigantic amount of leaked identity information out there, it has been amassed and cross indexed. If you used a password on Yahoo, LinkedIn, Adobe, or any of the numerous other breaches that have occurred in the past 5 years, that password is in a database next to your email address, and it will be used against you, guaranteed, if it hasn’t already.

Looking for a way to create memorable, but unique passwords? Try this site. My favorite setting is:

  • Two words
  • 4-8 characters each
  • Alternating case lowerUPPER
  • Surrounded by 2-digit numbers

If you are looking for a way to organize and use the many unique passwords you are creating, try one of these services:

  • PC Magazine’s “Best Password Managers of 2017”
  • Lifehacker’s “The Five Best Password Managers”
  • Wirecutter’s “The Best Password Managers”

The Elephant on the Internet

Christopher Woo
Tuesday, 26 September 2017 / Published in Woo on Tech

In the days following the Equifax breach announcement I have been talking with many people – clients, family & friends – about what they should be doing to ensure they are prepared for a possibility of their identity being stolen. Across all these conversations one theme became readily apparent: none of the dozens of people I spoke with (myself included) knew much about how the credit agencies operated, despite being highly educated and seemingly well-versed in being both an adult and a working professional. Some of them even work in the finance industry and still had only a rudimentary grasp of the seriousness of the Equifax breach. During one particular conversation, I thoroughly dismayed a colleague by making them aware that with the information stolen in this breach, someone could file a false tax return under their name and that it would take the wronged party quite a bit of effort to undo this fraudulent act. Further alarm was caused by the revelation that this was done through the IRS’s own website, and that this form of identity theft has been around for years.

How many systems do we use that we have no idea how they operate or how to fix them if they break?

To further illustrate this point, key companies and institutions are being hacked, not just because hackers are clever and determined (they are), but also that we, the system users, often don’t understand how things work, and frequently don’t take the time to understand because: (a) it’s hard, and (b) it’s working, so why bother? When this happens, security takes a powder and criminals walk in the door. Case in point: big four firm Deloitte recently announced that it was breached earlier this year. Ironic? Yes, but even more so now that it seems the reason they were breached was because they themselves were lax on security principles presumably espoused by an organization hired to audit security.

Need another example of a big system in wide use but poorly understood, and clearly not secure? Facebook is poised to release data to Congress that illustrates how Russian operators leveraged Facebook’s own advertising engine to exploit the political divisiveness of American culture as well as the ample influence it exerts over the millions of US voters who have been repeatedly bamboozled by fake news and thinly veiled propaganda. Facebook itself has stated numerous times it doesn’t have a good solution to the problem, and even with the integrity of the US democracy at stake, it still doesn’t know the extent of Russian influence in its own advertising space.

What’s my point? There’s an elephant in the room, and in this case, on the internet. We are at the mercy of numerous systems that we have no chance of understanding, and yet we entrust our lives to them. To be fair, we have been doing this for decades: we drive cars we can’t repair, we fly in planes we have no chance of piloting, and we use devices very, very few of us could fix, even with the totality of Google at our fingertips. In advanced civilizations, this is expected and required for us to progress. What we cannot, and must not do is abrogate our responsibility to be at once skeptical and open minded about the things we don’t understand. Even if we can’t comprehend how a system works, we should seek to understand how that system impacts the things that are important to us, and take an active role in ensuring that system won’t harm you or the things you care about. If it seems like too many systems have gone off the rails because not enough people cared or understood them to foresee the danger, it might be because some people are actually starting to talk about the elephant on the internet.

Image courtesy of TAW4 at FreeDigitalPhotos.net

Equifax Debacle Continued: Politics, Profiteering and Previous Breach

Christopher Woo
Tuesday, 19 September 2017 / Published in Woo on Tech
In case you thought the Equifax breach might be easing itself out of the limelight, news has arrived that is just pouring more fuel onto this raging dumpster fire. Reports are surfacing that the credit agency was breached earlier this year in March, possibly by the same hackers, which now puts extra spice on speculation that company executives who sold stock in the intervening months may have taken advantage of the insider knowledge. The beleaguered company also announced the “retirement” of its Chief Information Officer and Chief Security Officer (editorializing quotes are mine), presumably as sacrificial lambs, which also adds weight to the claim that perhaps security wasn’t being handled as well as it should.

While the lawsuits are piling up at the Equifax doorstep, Congress is also turning its admittedly distracted gaze on the circus, with the news that Republicans are floating two bills that would further deregulate companies like Equifax, gut the agencies that protect consumers from exploitation, and reduce damage awards from lawsuits. Democrats, for their part, have proposed legislation that will hopefully force Equifax (and presumably their competitors) to stop charging for freezing and unfreezing your credit history.

None of this is stopping any of the credit agencies from attempting to continue to profit from the breach, including Equifax itself. Popular credit monitoring service Life Lock has grudgingly admitted that it actually protects its customers partly through services purchased from Equifax as part of a 4-year contract it entered into with Equifax in 2016. Life Lock competitor LegalShield purchases its services from Experian. Essentially, these companies are paid to protect you from the results of data breaches of the companies whose services they use to provide that protection. This is hiring the wolf to herd the sheep.

On top of all this nonsense, the credit companies themselves continue to suffer from significantly degraded customer service – long hold times, dropped calls, misleading information – as millions of consumers attempt to freeze their credit. Notably, several clients have reported back to me and I myself experienced attempts to direct us away from freezing our credit towards “free” locking and monitoring services, both on the phone and via vague, misleading web pages. Rather than just taking our money for the freeze, the agencies still seem hell bent on the opposite. I wonder what they know that we don’t.

Don’t be deterred. Don’t give up. My advice to you is still for you to seek a full freeze on all three credit histories. Don’t let them sweet talk you or frustrate you into any other alternative. You can always go back and sign up for their “free” monitoring services after you get the freeze in place.

The Equifax Debacle so far

Christopher Woo
Tuesday, 12 September 2017 / Published in Woo on Tech
I’m pretty sure even if you were hiding under a rock in some remote corner of America you probably heard that credit reporting company Equifax was breached and confidential information on nearly 150 million Americans was stolen. Rather than handling it like an industry leader, they seemed to have stumbled around like a tyro startup experiencing their first breach. Much criticism has been leveled at the company for its apparently hamfisted opportunism by first leading consumers to a site that is supposed to show whether your info was exposed in the breach (news flash: most likely it was), and then after confirming the bad news (a result that appears initially to have been random, though possibly corrected now), dropping you into the signup page for their free credit-monitoring service. Initially the legalese surrounding this process suggested that by signing up for their free service you would be waiving your right to sue Equifax, but after a heated backlash from the internet, Equifax clarified their language to exclude the breach incident from this indemnification:

“In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”

Unfortunately, they still seem to be bumbling their way through this, with continuing reports of false positive results from their website, compulsory signups for the credit monitoring service, as well as a stony silence on why they took over a month to report the breach, why 3 executives sold off stock before the announcement, or why we should trust them to monitor our credit when they were the ones that lost our data in the first place.

What should I do now?

Cybercriminals have had your information for at least a month if not longer (from prior breaches), and with the amount of information now exposed (SSN, DOB, addresses, credit history) and capabilities of well-funded (and now well-armed) cybercrime organizations, the likelihood of your identity getting stolen is growing, but you still have to “win” the equivalent of an anti-lottery among 140M people. Because of the amount of publicity the Equifax breach is receiving and the gravity of the matter, there is a lot of information out there both good and misleading, and the seeming urgency of the situation leads to snap judgments and possibly poor choices. Overall, the current consensus on what to do next is to put a freeze on your account at the three major credit reporting companies: Equifax, Experian and TransUnion. This action is often poorly understood or explained, but Brian Krebs does a great job explaining what it is and why you should do it.

If you can’t get to their respective websites to initiate a credit freeze, here are the numbers you can call to initiate a credit freeze:

  • TransUnion: 1-888-909-8872
  • Equifax: 1-800-349-9960
  • Experian: 1-888-397-3742

Get a copy of your current credit report, if only for historical documentation and spotting new, unauthorized items that might appear later: Government-mandated Credit Reporting Website. In case you were wondering if this was legitimate, here are the sources:

  1. https://www.usa.gov/credit-reports#item-35962
  2. https://www.transunion.com/annual-credit-report
  3. http://www.experian.com/consumer-products/free-credit-report.html
  4. https://www.consumer.ftc.gov/articles/0155-free-credit-reports
  5. https://en.wikipedia.org/wiki/AnnualCreditReport.com

If your identity gets stolen, or you suspect that a theft is in process, this page provides easy to understand steps on what to do next.

If you are civic-minded and believe that “something should be done about this mess”, you can use this page to send a message to your congress-critter.

As always, stay vigilant, even paranoid, in these less secure times. Be on the lookout for scams exploiting the FUD created by this breach, and NEVER give out your personal information to anyone who calls you directly unless (a) you contacted them first, and (b) you verify they are who they say they are and they are legitimate. There is never a better time to rely on the experts in the business, but you should work with people you trust. Don’t have a trusted lawyer, financial adviser or IT professional? Ask someone who you trust if they know someone, and then ask another person you trust for someone else. Don’t be afraid to ask for references, and in the case of licensed or certified professionals, it’s never rude to ask for credentials, especially if you can’t meet them in person. As you know, “On the internet, nobody knows that you’re a fake.”

Much thanks to this post on Reddit (Warning: very useful info interspersed with salty language)

Image courtesy of Miles Stuart on FreeDigitalPhotos.net

What are the bad guys doing with your stolen passwords?

Christopher Woo
Tuesday, 05 September 2017 / Published in Woo on Tech

Last week an astounding 700 million logins and passwords were discovered when a misconfigured spam server leaked them on the internet.  Research on the massive database by security analyst Troy Hunt of Have I Been Pwned fame indicates that the data is likely an aggregation of many previous breaches as well as various “dark net” databases. Ironically, the database was so easily accessed that it is likely it was downloaded an unknown number of times by both white and black hat hackers. On top of this massive database dump comes another very large breach and leak from website Taringa, billed as Latin America’s largest social network, with more than 28 million logins and passwords exposed in an encrypted (now cracked and decrypted) database.

What exactly are they doing with all these passwords?

If the actual process of stealing your identity weren’t so resource intensive and relatively tricky, you can bet a lot more of us would be lined up at the local Federal building to get a new Social Security number right after spending thousands of dollars to repair our credit and hundreds of hours trying to reclaim our digital lives. Instead, they are going for a much easier target of just stealing your email account, which they then use to spew more spam, phishing and malware traps. They have to do this as email filters are getting very good at spotting spoofed and fake email addresses, but your company email account is the perfect Trojan horse for getting past the guards at the gate. The real trick is doing it without being noticed.

One method that I’ve encountered several times is using rules to delete the evidence of their presence – a rule that automatically deletes sent emails, and if they are clever, any non-delivery or out of office replies a mailbox would normally receive in the course of spamming out hundreds of fake email messages every day. Fortunately for my clients afflicted by this nuisance, it’s easy to spot as the bot handlers are typically very careless when setting up the rules, usually deleting ALL emails coming and going, which is painfully obvious after a few hours.
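The rule patterns described above can be checked for in bulk. The following is an added example, not part of the original post: it audits a mailbox's rules for ones that delete everything, remove sent mail, or remove bounce and out-of-office replies. The rule export format, field names and sample rules are all constructed assumptions, not any mail platform's real schema.

```python
# Constructed export of one mailbox's rules (hypothetical field names).
SAMPLE_RULES = [
    {"name": "Newsletters", "scope": "received",
     "conditions": {"from_contains": ["news@vendor.example"]},
     "actions": ["move_to_folder"]},
    {"name": ".", "scope": "all", "conditions": {}, "actions": ["delete"]},
    {"name": "cleanup", "scope": "sent", "conditions": {},
     "actions": ["permanent_delete"]},
    {"name": "ndr", "scope": "received",
     "conditions": {"subject_contains": ["Undeliverable", "Automatic reply"],
                    "from_contains": ["postmaster"]},
     "actions": ["move_to_deleted_items", "mark_read"]},
    {"name": "Old promos", "scope": "received",
     "conditions": {"subject_contains": ["% off"]}, "actions": ["delete"]},
]

# Actions that make a message disappear from the owner's normal view.
DESTRUCTIVE = {"delete", "permanent_delete", "move_to_deleted_items"}

# Text that typically appears in non-delivery reports and automatic replies.
BOUNCE_HINTS = ("undeliverable", "delivery status notification",
                "delivery failure", "mailer-daemon", "postmaster",
                "out of office", "automatic reply")


def audit_rule(rule):
    """Return the reasons a rule fits the hide-the-evidence pattern (empty if none)."""
    if not DESTRUCTIVE & set(rule.get("actions", [])):
        return []
    conditions = rule.get("conditions") or {}
    filters = [v.lower() for values in conditions.values() for v in values]
    scope = rule.get("scope", "received")
    reasons = []
    if not filters:
        # The careless case: no condition at all, so everything in scope goes.
        reasons.append("deletes every message in scope")
    if scope in ("sent", "all"):
        reasons.append("removes sent mail")
    if any(hint in f for f in filters for hint in BOUNCE_HINTS):
        reasons.append("removes bounce or auto-reply notices")
    return reasons


def audit_mailbox(rules):
    """Map each suspicious rule name to the reasons it was flagged."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[rule["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}: " + "; ".join(reasons))
```

An ordinary delete rule with a narrow condition, such as "Old promos" in the sample, is not flagged; the signal is a destructive action combined with no condition, sent mail, or bounce-related keywords.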

The much more devious takeover is one that is clearly handled by a skilled human versus an automated script. After confirming access to your email account, they will scan your correspondence and look for likely targets, sending out emails requesting wire transfers, bank withdrawals, resetting of forgotten passwords, etc. While most banks and money managers are typically well-versed in spotting these types of attempts, your employees and vendors may not be, which can lead to some very regrettable transactions. This is how many data breaches start – a hacker pretending to be someone with privileged access successfully fooling someone else with privileged access into resetting a key password.

On the flipside, security researchers are using these gigantic databases to research password behavior and to build websites like Have I Been Pwned to inform and educate people on proper password discipline. They are also planning to use the decrypted login and password pairs to build a database that can be used by websites to check if a new password entered has already been compromised and warn against or prevent the user from using it, a new best practice I wrote about a few weeks back. It will be some time before this new practice comes into widespread usage – until then, you should adhere to the #1 Rule of Passwords: never use a password more than once.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

The Great Beyond for Technology

Christopher Woo
Tuesday, 29 August 2017 / Published in Woo on Tech

Where do your devices go when they’ve outlived their usefulness? What about the ones that croaked prematurely and have turned into expensive paper-weights, door-stoppers and dust collectors? Most of us have been working with technology long enough now that even the most restrained consumer will have amassed a small pile of metal, glass and plastic that is taking up valuable space, and at worst, a ticking security and environmental time bomb. First and foremost, tossing your old equipment in the trash is unconscionable on multiple levels. The plastic alone will bury us before we know it (literally and metaphorically), but even the simplest of devices are full of chemicals and metals that are harmful to the environment. You know this – the pile of old equipment taking up space in your closet, garage and office proclaims it loud and clear. So what’s a security-conscious, environmentally-mindful individual to do?

What do I do with all this “junk?”

For your devices that don’t store data – printers, scanners, monitors, keyboards, mice, etc – make a quick assessment of their actual utility. If they are still working and just old or retired for something sexier (no judgement – we all like shiny things), consider cleaning them up and donating them to a worthy cause. But call before dropping them off – not all charities take old technology for a variety of reasons, including the fact that they get way too much of it and it requires resources they don’t have to clean it up for use or resale. Printers are a special breed of unwanted donation: most often they are being disposed of because they don’t work well and the consumables are too costly, so consider whether your donation to your favorite charity is a gift or an albatross.

For devices that store data, computers, smartphones and tablets, regardless of their final destination – reuse, recycle or destruction – you should be mindful of the data that the devices may contain. If the device is still in good condition it may be able to enjoy a second, useful life with a non-profit or local shelter, but you (or your designated IT professional) should make sure your data is completely removed and the device is wiped and returned to factory settings if possible. Giving a computer with a wiped hard drive to a non-profit might actually be saddling them with a costly and useless gift, as these organizations may not have the resources to get that device working again.

If an older device is destined for an eWaste program that guarantees destruction or recycling (not all do), make sure this includes hard drive destruction. If they offer “certified” data destruction you should know that, as of now, there is no official destruction certification issued by any regulatory agency, but failure to properly destroy protected classes of data (like HIPAA) might actually get you into trouble with the government. If a company guarantees that they will securely destroy all data, the only thing holding them to that guarantee is their own word and a disciplined, consistent approach. If they don’t guarantee destruction, pull the hard drives out of all computers, and definitely don’t include mobile devices, as there is a chance they might be resold in the gray market in another part of the world, possibly with your data still on the device.

Fortunately, mobile devices and hard drives are a bit smaller and easier to store, and there are ways to securely destroy data on them that will make a recovery attempt unreasonable or impractical. There are also many companies out there that will guarantee physical destruction and recycling of the materials, but not for free. While it may sound like fun to work out your technology frustrations by using a hammer or power drill on a pile of old hard drives, the only way to truly be certain of destruction is to literally have those devices ground into tiny bits after all the data has been digitally and securely wiped.

Worst case, put those old drives and mobile devices in a secure drawer for the possibility of a more cost-effective destruction method in the near future. This is a growing but still hidden problem that will eventually be forced out into the harsh light of reality, but for the moment, secure data destruction and eWaste management is still in its “Wild West” stage of development with its share of snake oil salesmen and misconceptions.

Free Image From BlogPiks.com

On the internet, nobody knows you’re a fake

Christopher Woo
Tuesday, 22 August 2017 / Published in Woo on Tech

In 1993, The New Yorker magazine published the cartoon “On the Internet, Nobody Knows You’re a Dog” by artist Peter Steiner. More than two decades later, this simple illustration continues to highlight the double-edged sword that is the internet’s ability to widely spread information effortlessly. This is a powerful force multiplier for both good and evil, even more so if the information is wrong, or worse, deliberately misleading with no way to hold anyone accountable for the malicious activity. A few years back I wrote about how easy it was to misinform “the public” resulting in adverse consequences, a trend that seemingly culminated into a highly effective political strategy of deliberately spreading false or misleading stories on Facebook and other social media platforms. Unfortunately, fake news purveyors are upping their game and have now descended to building counterfeit websites that ape actual, legitimate news organizations, hoping to further obfuscate research into an article’s legitimacy now that social media news readers have become a little more savvy.

How does an average citizen tell the real from the fake?

As you might have already noticed, conning someone via the internet has become increasingly more likely and common. Where before we could roll our eyes at obvious spam emails filled with broken English and ridiculous schemes, our mailboxes and social media accounts are flooded with well-funded and cleverly disguised content that appears legitimate, and because no one has the time to investigate every single thing we receive, we take the most expedient path to discovery – we click and consume without engaging some critical reasoning, the internet equivalent of finding out if milk is bad by taking a swig before giving it the sniff test. Unfortunately for us, clicking a bad link or passing along a fake news story will result in way worse consequences than a mouthful of sour milk. Dealing with bad milk is easy – toss that carton in the trash – but how do you hold accountable someone (who might or might not be a figurative dog) on the internet?

All hope is not lost. While it may be misleading to fear that anyone can remain completely anonymous on the internet, it’s actually still difficult to accomplish this. Maybe less so when you have the backing of a nation-state and an army of hackers whose full-time job is to cause disruption through fake news, but the tool they use, the internet, still sees and tracks everything, and spreads the truth just as freely and quickly as the false information. For now it will be a competition to see who can spread information more effectively, and the only way good prevails is if we, the audience, engage our brains to the fullest whenever we take a dip in the currently muddy waters of the internet.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net
