In case you thought the Equifax breach might be easing itself out of the limelight, news has arrived that is just pouring more fuel onto this raging dumpster fire. Reports are surfacing that the credit agency was breached earlier this year in March, possibly by the same hackers, which now puts extra spice on speculation that company executives who sold stock in the intervening months may have taken advantage of the insider knowledge. The beleaguered company also announced the “retirement” of its Chief Information Officer and Chief Security Officer (editorializing quotes are mine), presumably as sacrificial lambs, which also adds weight to the claim that perhaps security wasn’t being handled as well as it should.
While the lawsuits are piling up at the Equifax doorstep, Congress is also turning its admittedly distracted gaze on the circus, with the news that Republicans are floating two bills that would further deregulate companies like Equifax, gut the agencies that protect consumers from exploitation, and reduce damage awards from lawsuits. Democrats, for their part, have proposed legislation that will hopefully force Equifax (and presumably their competitors) to stop charging for freezing and unfreezing your credit history.
None of this is stopping any of the credit agencies from attempting to continue to profit from the breach, including Equifax itself. Popular credit monitoring service Life Lock has grudgingly admitted that it actually protects its customers partly through services purchased from Equifax as part of a 4-year contract it entered into with Equifax in 2016. Life Lock competitor LegalShield purchases its services from Experian. Essentially, these companies are paid to protect you from the results of data breaches of the companies whose services they use to provide that protection. This is hiring the wolf to herd the sheep.
On top of all this nonsense, the credit companies themselves continue to suffer from significantly degraded customer service – long hold times, dropped calls, misleading information – as millions of consumers attempt to freeze their credit. Notably, several clients have reported back to me and I myself experienced attempts to direct us away from freezing our credit towards “free” locking and monitoring services, both on the phone and via vague, misleading web pages. Rather than just taking our money for the freeze, the agencies still seem hell bent on the opposite. I wonder what they know that we don’t.
Don’t be deterred. Don’t give up. My advice to you is still for you to seek a full freeze on all three credit histories. Don’t let them sweet talk you or frustrate you into any other alternative. You can always go back and sign up for their “free” monitoring services after you get the freeze in place.
I’m pretty sure that even if you were hiding under a rock in some remote corner of America you probably heard that credit reporting company Equifax was breached and confidential information on nearly 150 million Americans was stolen. Rather than handling it like an industry leader, they seem to have stumbled around like a tyro startup experiencing their first breach. Much criticism has been leveled at the company for its apparently ham-fisted opportunism: first leading consumers to a site that is supposed to show whether your info was exposed in the breach (news flash: most likely it was), and then, after confirming the bad news (a result that appears initially to have been random, though possibly corrected now), dropping you into the signup page for their free credit-monitoring service. Initially the legalese surrounding this process suggested that by signing up for their free service you would be waiving your right to sue Equifax, but after a heated backlash from the internet, Equifax clarified their language to exclude the breach incident from this indemnification:
Unfortunately, they still seem to be bumbling their way through this, with continuing reports of false positive results from their website, compulsory signups for the credit monitoring service, as well as a stony silence on why they took over a month to report the breach, why 3 executives sold off stock before the announcement, or why we should trust them to monitor our credit when they were the ones that lost our data in the first place.
What should I do now?
Cybercriminals have had your information for at least a month, if not longer (from prior breaches), and with the amount of information now exposed (SSN, DOB, addresses, credit history) and the capabilities of well-funded (and now well-armed) cybercrime organizations, the likelihood of your identity getting stolen is growing, but you still have to “win” the equivalent of an anti-lottery among 140M people. Because of the amount of publicity the Equifax breach is receiving and the gravity of the matter, there is a lot of information out there, both good and misleading, and the seeming urgency of the situation leads to snap judgments and possibly poor choices. Overall, the current consensus on what to do next is to put a freeze on your account at the three major credit reporting companies: Equifax, Experian and TransUnion. This action is often poorly understood or explained, but Brian Krebs does a great job explaining what it is and why you should do it.
If you can’t get to their respective websites to initiate a credit freeze, here are the numbers you can call to initiate a credit freeze:
- TransUnion: 1-888-909-8872
- Equifax: 1-800-349-9960
- Experian: 1-888-397-3742
Get a copy of your current credit report, if only for historical documentation and spotting new, unauthorized items that might appear later: Government-mandated Credit Reporting Website. In case you were wondering if this was legitimate, here are the sources:
If your identity gets stolen, or you suspect that a theft is in process, this page provides easy to understand steps on what to do next.
If you are civic-minded and believe that “something should be done about this mess”, you can use this page to send a message to your congress-critter.
As always, stay vigilant, even paranoid, in these less secure times. Be on the lookout for scams exploiting the FUD created by this breach, and NEVER give out your personal information to anyone who calls you directly unless (a) you contacted them first, and (b) you verify they are who they say they are and that they are legitimate. There is never a better time to rely on the experts in the business, but you should work with people you trust. Don’t have a trusted lawyer, financial adviser or IT professional? Ask someone who you trust if they know someone, and then ask another person you trust for someone else. Don’t be afraid to ask for references, and in the case of licensed or certified professionals, it’s never rude to ask for credentials, especially if you can’t meet them in person. As you know, “On the internet, nobody knows that you’re a fake.”
Many thanks to this post on Reddit (Warning: very useful info interspersed with salty language)
Image courtesy of Miles Stuart on FreeDigitalPhotos.net
Last week an astounding 700 million logins and passwords were discovered when a misconfigured spam server leaked them on the internet. Research on the massive database by security analyst Troy Hunt of Have I Been Pwned fame indicates that the data is likely an aggregation of many previous breaches as well as various “dark net” databases. Ironically, the database was so easily accessed that it is likely it was downloaded an unknown number of times by both white and black hat hackers. On top of this massive database dump comes another very large breach and leak from website Taringa, billed as Latin America’s largest social network, with more than 28 million logins and passwords exposed in an encrypted (now cracked and decrypted) database.
What exactly are they doing with all these passwords?
If the actual process of stealing your identity weren’t so resource intensive and relatively tricky, you can bet a lot more of us would be lined up at the local Federal building to get a new Social Security number right after spending thousands of dollars to repair our credit and hundreds of hours trying to reclaim our digital lives. Instead, they are going for a much easier target of just stealing your email account, which they then use to spew more spam, phishing and malware traps. They have to do this as email filters are getting very good at spotting spoofed and fake email addresses, but your company email account is the perfect Trojan horse for getting past the guards at the gate. The real trick is doing it without being noticed.
One method that I’ve encountered several times is using rules to delete the evidence of their presence – a rule that automatically deletes sent emails, and if they are clever, any non-delivery or out of office replies a mailbox would normally receive in the course of spamming out hundreds of fake email messages every day. Fortunately for my clients afflicted by this nuisance, it’s easy to spot as the bot handlers are typically very careless when setting up the rules, usually deleting ALL emails coming and going, which is painfully obvious after a few hours.
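Those evidence-hiding rules are something you can hunt for rather than wait to notice. The audit below is an added example (not from the original post); it works over a constructed, hypothetical rule format, since every mail platform exports rules differently, and flags the two patterns described above: a discard action with no conditions, and a discard action aimed at bounce or auto-reply traffic.

```python
import re

# Constructed sample of mailbox rules in a simplified, hypothetical shape
# (name, conditions, actions). Real mail platforms expose rules through their
# own admin tooling; adapt the field names to whatever your export provides.
SAMPLE_RULES = [
    {"name": "Receipts",
     "conditions": {"from_contains": "billing@vendor.example"},
     "actions": {"move_to": "Receipts"}},
    {"name": ".",
     "conditions": {},
     "actions": {"delete": True}},
    {"name": "cleanup",
     "conditions": {"subject_contains": "Undeliverable"},
     "actions": {"delete": True, "mark_read": True}},
    {"name": "ooo",
     "conditions": {"subject_contains": "Automatic reply"},
     "actions": {"move_to": "Deleted Items"}},
]

# Subject fragments that mark bounces and auto-replies. A rule that silently
# discards these hides the feedback a spamming mailbox would otherwise generate.
EVIDENCE_SUBJECTS = (
    "undeliverable", "delivery status", "mail delivery", "returned mail",
    "automatic reply", "out of office", "auto-reply", "autoreply",
)

# Folders that amount to throwing the message away.
DISCARD_FOLDERS = ("deleted items", "trash", "junk", "junk email")


def is_discard_action(actions):
    """True if the rule's actions make the message disappear from view."""
    if actions.get("delete"):
        return True
    return actions.get("move_to", "").lower() in DISCARD_FOLDERS


def audit_rules(rules):
    """Return [(rule_name, [reasons])] for every rule worth a closer look."""
    findings = []
    for rule in rules:
        name = rule.get("name", "")
        conds = rule.get("conditions", {})
        acts = rule.get("actions", {})
        reasons = []
        if is_discard_action(acts):
            if not conds:
                # The careless "delete everything" rule the post describes.
                reasons.append("discards every message (no conditions)")
            subject = conds.get("subject_contains", "").lower()
            if any(marker in subject for marker in EVIDENCE_SUBJECTS):
                reasons.append("discards bounce/auto-reply traffic")
        # Rules planted by an intruder are frequently given throwaway names
        # such as "." or a single letter; a name without a real word is a tell.
        if not re.search(r"[A-Za-z]{3,}", name):
            reasons.append("non-descriptive rule name")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Run it on a periodic export of user rules and review anything it returns; a legitimate rule can match, but each hit deserves a human look.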
The much more devious takeover is one that is clearly handled by a skilled human versus an automated script. After confirming access to your email account, they will scan your correspondence and look for likely targets, sending out emails requesting wire transfers, bank withdrawals, resetting of forgotten passwords, etc. While most banks and money managers are typically well-versed in spotting these types of attempts, your employees and vendors may not be, which can lead to some very regrettable transactions. This is how many data breaches start – a hacker pretending to be someone with privileged access successfully fooling someone else with privileged access into resetting a key password.
On the flipside, security researchers are using these gigantic databases to research password behavior and to build websites like Have I Been Pwned to inform and educate people on proper password discipline. They are also planning to use the decrypted login and password pairs to build a database that can be used by websites to check if a new password entered has already been compromised and warn against or prevent the user from using it, a new best practice I wrote about a few weeks back. It will be some time before this new practice comes into widespread usage – until then, you should adhere to the #1 Rule of Passwords: never use a password more than once.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Where do your devices go when they’ve outlived their usefulness? What about the ones that croaked prematurely and have turned into expensive paper-weights, door-stoppers and dust collectors? Most of us have been working with technology long enough now that even the most restrained consumer will have amassed a small pile of metal, glass and plastic that is taking up valuable space, and at worst, a ticking security and environmental time bomb. First and foremost, tossing your old equipment in the trash is unconscionable on multiple levels. The plastic alone will bury us before we know it (literally and metaphorically), but even the simplest of devices are full of chemicals and metals that are harmful to the environment. You know this – the pile of old equipment taking up space in your closet, garage and office proclaims it loud and clear. So what’s a security-conscious, environmentally-mindful individual to do?
What do I do with all this “junk?”
For your devices that don’t store data – printers, scanners, monitors, keyboards, mice, etc – make a quick assessment of their actual utility. If they are still working and just old or retired for something sexier (no judgement – we all like shiny things), consider cleaning them up and donating them to a worthy cause. But call before dropping them off – not all charities take old technology for a variety of reasons, including the fact that they get way too much of it and it requires resources they don’t have to clean it up for use or resale. Printers are a special breed of unwanted donation: most often they are being disposed of because they don’t work well and the consumables are too costly, so consider whether your donation to your favorite charity is a gift or an albatross.
For devices that store data, computers, smartphones and tablets, regardless of their final destination – reuse, recycle or destruction – you should be mindful of the data that the devices may contain. If the device is still in good condition it may be able to enjoy a second, useful life with a non-profit or local shelter, but you (or your designated IT professional) should make sure your data is completely removed and the device is wiped and returned to factory settings if possible. Giving a computer with a wiped hard drive to a non-profit might actually be saddling them with a costly and useless gift, as these organizations may not have the resources to get that device working again.
If an older device is destined for an eWaste program that guarantees destruction or recycling (not all do), make sure this includes hard drive destruction. If they offer “certified” data destruction you should know that, as of now, there is no official destruction certification issued by any regulatory agency, but failure to properly destroy protected classes of data (like HIPAA) might actually get you into trouble with the government. If a company guarantees that they will securely destroy all data, the only thing holding them to that guarantee is their own word and a disciplined, consistent approach. If they don’t guarantee destruction, pull the hard drives out of all computers, and definitely don’t include mobile devices, as there is a chance they might be resold in the gray market in another part of the world, possibly with your data still on the device.
Fortunately, mobile devices and hard drives are a bit smaller and easier to store, and there are ways to securely destroy data on them that will make a recovery attempt unreasonable or impractical. There are also many companies out there that will guarantee physical destruction and recycling of the materials, but not for free. While it may sound like fun to work out your technology frustrations by using a hammer or power drill on a pile of old hard drives, the only way to truly be certain of destruction is to literally have those devices ground into tiny bits after all the data has been digitally and securely wiped.
Worst case, put those old drives and mobile devices in a secure drawer for the possibility of a more cost-effective destruction method in the near future. This is a growing, but still hidden, problem that will eventually be forced out into the harsh light of reality, but for the moment, secure data destruction and eWaste management is still in its “Wild West” stage of development with its share of snake oil salesmen and misconceptions.
Free Image From BlogPiks.com
In 1993, The New Yorker magazine published the cartoon “On the Internet, Nobody Knows You’re a Dog” by artist Peter Steiner. More than two decades later, this simple illustration continues to highlight the double-edged sword that is the internet’s ability to widely spread information effortlessly. This is a powerful force multiplier for both good and evil, even more so if the information is wrong, or worse, deliberately misleading with no way to hold anyone accountable for the malicious activity. A few years back I wrote about how easy it was to misinform “the public” resulting in adverse consequences, a trend that seemingly culminated into a highly effective political strategy of deliberately spreading false or misleading stories on Facebook and other social media platforms. Unfortunately, fake news purveyors are upping their game and have now descended to building counterfeit websites that ape actual, legitimate news organizations, hoping to further obfuscate research into an article’s legitimacy now that social media news readers have become a little more savvy.
How does an average citizen tell the real from the fake?
As you might have already noticed, conning someone via the internet has become increasingly likely and common. Where before we could roll our eyes at obvious spam emails filled with broken English and ridiculous schemes, our mailboxes and social media accounts are now flooded with well-funded and cleverly disguised content that appears legitimate, and because no one has the time to investigate every single thing we receive, we take the most expedient path to discovery – we click and consume without engaging some critical reasoning, the internet equivalent of finding out if milk is bad by taking a swig before giving it the sniff test. Unfortunately for us, clicking a bad link or passing along a fake news story will result in way worse consequences than a mouthful of sour milk. Dealing with bad milk is easy – toss that carton in the trash – but how do you hold accountable someone (who might or might not be a figurative dog) on the internet?
All hope is not lost. While it may seem that anyone can remain completely anonymous on the internet, it’s actually still difficult to accomplish. Maybe less so when you have the backing of a nation-state and an army of hackers whose full-time job is to cause disruption through fake news, but the tool they use, the internet, still sees and tracks everything, and spreads the truth just as freely and quickly as the false information. For now it will be a competition to see who can spread information more effectively, and the only way good prevails is if we the audience engage our brains to the fullest whenever we take a dip in the currently muddy waters of the internet.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
I received an interesting email earlier this week that was almost consigned to digital oblivion when it showed up in my inbox. Throwing it in the trash was reflexive and it was only after my subconscious had a few minutes to chew on it that it occurred to me why it was different: it was in my inbox, not my spam folder. Even though I very clearly knew it was fake, Gmail’s usually reliable filtering had failed to detect anything wrong with the email. Not one to pass up an opportunity to teach vigilance, I’m sharing this little “gem” as a bite-sized lesson in spotting fake emails.
Here’s the culprit:
- Clue #1: I do have a digital fax account, but I can count on one hand the number of digital faxes I have ever received. I also didn’t recognize the area code, which a quick Google search reveals to be a Mexican area code. Seeing as receiving a fax is out of the ordinary, I knew this was probably fake, but I did look at it because it was in my inbox. Lesson: Anything out of the ordinary should be treated with a large helping of caution.
- Clue #2a: The use of “eFax®” to refer to digital faxes is like the corrupted use of “Xerox®” and “Kleenex®”. Officially, I’m pretty sure that eFax® isn’t using “omnesys[.]com” as a mail server, and if it was instead that company sending me a fax, a quick search reveals they are in New York, not Mexico. The footer of the email implies this is an official eFax® email, so why isn’t this email from “eFax[.]com”? Here’s where it gets interesting: Google didn’t flag this email as spam because it looks like it was actually sent by Omnesys’s authorized email server “secureserver[.]net” which happens to be a GoDaddy email server. Which means someone’s email account has been compromised. Lesson: Based upon the content of the email, does who sent the email make sense? Even the slightest inconsistency should be a red flag.
- Clue #2b: The fax was sent to info@. My digital fax account is not linked to that email address. Info@ is our website catch-all account, so anything sent to it is already held at arm’s length if not immediately marked as spam. Lesson: Look carefully at who the email was sent to, especially if you consolidate your email from multiple addresses.
- Clue #3: Rolling over (NOT CLICKING) the link shows me that the “fax” they want me to view goes to “1camper1tree[.]com”. I’m pretty sure that’s not a digital fax service website. Conclusion: totally fake email. Lesson: Checking the URL before clicking will save you from a world of heartache. Learn how to check URLs in whatever program you use to view your email. This is a critical skill you must learn if you want to be safe.
What’s likely to happen in the above situation if you clicked that link is that the page you would be taken to would have a very legitimate-looking login prompt asking for your email address and password. Entering them would result in (a) those credentials being stolen and (b) a blank page or possibly a redirect to another website which would then attempt to install malware on your machine.
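The three clues above (brand in the footer vs. actual sender, link domain vs. sender, and which address it landed in) can be checked mechanically before anyone clicks. The script below is an added example, not part of the original post; it parses a constructed message with made-up domains (only the eFax brand name is taken from the post) and reports each inconsistency it finds. The expected recipient address and brand domain are passed in as assumptions.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message using made-up domains (hypothetical, not taken
# from any real email). It reproduces the shape of the clues in the post: the
# footer claims a known brand, the sender is an unrelated company, the link
# points at a third domain, and it was delivered to a catch-all address.
RAW_EMAIL = """\
From: "Fax Notification" <notify@unrelated-company.example>
To: info@mycompany.example
Subject: New fax received
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have received a new 2 page fax.</p>
<p><a href="https://random-site.example/view/fax">View your fax</a></p>
<p style="font-size:small">&copy; eFax. All rights reserved.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect every href without following anything (roll over, don't click)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for attr, value in attrs:
                if attr == "href" and value:
                    self.hrefs.append(value)


def address_domain(header_value):
    """Domain part of an address header such as 'Name <user@host>'."""
    addr = email.utils.parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower()


def check_message(raw, brand_name, brand_domain, expected_recipient):
    """Return a list of (flag, detail) pairs; an empty list means no clue fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = address_domain(msg["From"])
    to_addr = email.utils.parseaddr(msg["To"] or "")[1].lower()
    body = msg.get_body(preferencelist=("html", "plain")).get_content()

    parser = LinkExtractor()
    parser.feed(body)
    link_hosts = [(urlparse(h).hostname or "").lower() for h in parser.hrefs]

    flags = []
    # Clue #2a: the mail claims to be from a brand but comes from somewhere else.
    if brand_name.lower() in body.lower() and from_domain != brand_domain:
        flags.append(("brand-sender-mismatch", from_domain))
    # Clue #3: the link goes to a domain that is neither the sender nor the brand.
    for host in link_hosts:
        if host and host not in (from_domain, brand_domain):
            flags.append(("link-host-mismatch", host))
    # Clue #2b: delivered to an address the service was never linked to.
    if to_addr != expected_recipient.lower():
        flags.append(("unexpected-recipient", to_addr))
    return flags


if __name__ == "__main__":
    for flag, detail in check_message(RAW_EMAIL, "eFax", "efax.com",
                                      "faxes@mycompany.example"):
        print(f"{flag}: {detail}")
```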
As I find more of these types of emails that readily illustrate other “tells” I’ll be sure to share them with you in future blog entries.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
In 2003, a man named Bill Burr wrote the password guidelines for the National Institute for Science and Technology (NIST) that went on to shape the password standards that have permeated the world of technology in the intervening 14 years, much to everyone’s continued annoyance. At the time, his heart and mind were in the right place: forcing us to use complex passwords and frequently change them was actually effective at the time they were initially drafted, but as humans often do, we shaped our practices and habits to adhere to the letter of the guidelines while taking the path of least resistance to reduce the hassle. This has led to passwords that appear complex and secure but are in actuality predictable because humans are nothing if not predictable. This makes them trivial to crack, especially in light of the massive data breaches and cheap, powerful computers. Thankfully, the industry seems to be slowly coming to its senses on traditional password guidelines and the NIST has just recently introduced a new set of guidelines that will hopefully make passwords less painful.
What this means for you
I know some of you might be feeling like this was all a cruel prank perpetrated by IT to torture you while we cackled like evil scientists. In reality, because of these misguided guidelines, “password reset” requests have been and continue to be the #1 help desk ticket by a landslide, so perhaps you’ll believe me when I say that your local IT professional definitely does NOT like the current state of passwords any more than you do. Our initial sense of relief and confidence when these guidelines were adopted evolved into a few years of complacency, and then slowly slid into an increasing sense of horror and helplessness as hardware grew powerful enough to completely dismantle passwords created and enforced by the established guidelines we finally got everyone to adopt.
The new guidelines reverse rules and will hopefully make passwords easier for everyone (except the hackers), but don’t pop the cork on that champagne just yet. It’s going to take the industry some time to shed the old ways. Yes, even the technology industry can be slow to change! That said, here’s what you can look forward to based upon the new NIST password guidelines:
- No more frequent password changes. Research has shown that forcing people to change complex passwords wasn’t improving security. If anything the password was only incrementally changed, and that change was too predictable to result in any significant security gain. The new rules suggest only requiring a change if a security incident has occurred.
- The burden of password security should be on the service requiring a password. Instead of relying on the user to make sure their password is complex via seemingly arbitrary and complex rules, let them create longer, less-complex passwords and check their creations against a database of known or poor choices.
- Require longer but not necessarily more complex passwords. Simple phrases (checked against a central database of known or too easy to guess passwords) of sufficient length aren’t harder to memorize but become exponentially harder to crack as compared to shorter but more complex passwords. See xkcd’s (internet) famous explanation of this concept.
- No more password hints and secret questions. These practices were only crutches that propped up the complex password practice. Hints invariably were either too vague or too much information, and Google, for better or worse, has made knowledge-based authentication like “Mother’s maiden name” useless.
- Organizations and services will store passwords with stronger, more complex methods. The massive password breaches of previous years were only useful to hackers because the passwords were stored in weakly protected databases. The NIST guidelines spell out methods and standards that will make stolen passwords much, much harder to crack.
Until your services shed their old password rules, you may still be forced through some seemingly passé password hoops. Keep in mind that even “old-school” passwords are better than none, and complex passwords are better than short, commonly-used ones. Until your providers get on board, start making a secret list of nonsense phrases to prepare for the password revolution.
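Both the compromised-password database mentioned in the password-breach post above and the second NIST point here (let the service check a new password against known-bad choices) come down to the same mechanism, shown below as an added example that is not from the original posts. It uses the k-anonymity range lookup that Have I Been Pwned’s Pwned Passwords API offers: only the first five characters of the password’s SHA-1 hash leave the client, and the service returns every matching hash suffix with a breach count. The demo runs entirely offline against a constructed range response with made-up counts; the minimum length of 8 and the network lookup function are assumptions for illustration.

```python
import hashlib
import urllib.request

# Constructed, offline stand-in for a compromised-password range service,
# keyed by the first five hex characters of the SHA-1 hash. Each value mimics
# the "SUFFIX:COUNT" lines such a service returns; the counts are made up and
# the single ":0" entry mimics the padding such services may add so that
# response size does not reveal how many real matches a prefix has.
RANGE_DB = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "00000000000000000000000000000000000:0\n"
    ),
}


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and the suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines; zero-count padding entries are dropped."""
    counts = {}
    for line in text.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def offline_range_lookup(prefix):
    """Range lookup against the constructed RANGE_DB (empty string for an unknown prefix)."""
    return RANGE_DB.get(prefix, "")


def online_range_lookup(prefix):
    """Range lookup against the public Pwned Passwords API (network required; not used by the demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, range_lookup=offline_range_lookup):
    """How many times the password appears in the corpus, without sending the password or its full hash."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def evaluate_password(password, range_lookup=offline_range_lookup, min_length=8):
    """NIST-style verdict: a length floor, no composition rules, reject known-breached values."""
    if len(password) < min_length:
        return ("reject", f"shorter than {min_length} characters")
    seen = pwned_count(password, range_lookup)
    if seen:
        return ("reject", f"appears {seen} times in known breaches")
    return ("accept", "not in the breach corpus consulted")


if __name__ == "__main__":
    # "lavender stapler tuesday" is only "accepted" against the tiny constructed
    # corpus; a real deployment would consult the full service.
    for candidate in ("password", "short1", "lavender stapler tuesday"):
        print(candidate, "->", evaluate_password(candidate))
```

Swap `online_range_lookup` in for `offline_range_lookup` to query the live service; the password itself never leaves the client either way.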
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Starting in October of this year, pedestrians in Honolulu, Hawaii can be fined up to $100 if they are caught crossing a street with eyes on their cell phone instead of traffic. Coincidentally (and somewhat ironically), I read this bit of news on my phone, in Hawaii, while I was on vacation last week. However, I wasn’t walking so I can’t claim a trifecta. My first, flippant thought was, “How could anyone have their eyes on their phones while walking around one of the most beautiful places on earth?” In my defense, I was catching up with the news on my phone after a long day of specifically not looking at electronic screens, but it got me to thinking about how invaluable my phone was throughout the trip.
Could you take a vacation without your smartphone?
For those of us whose number one work tool is our phone, the answer is reflexively “Yes!”, but only because we aren’t remembering just how thoroughly indispensable the internet has become to destination vacations. Throughout the nine days we spent traversing the island, GPS, online reviews, local weather forecasts and instant access to just about any fact known to man allowed us to really get the most out of our vacation. And several of us had plenty of quality time with phone screens while standing in line, driving from scenic view to scenic view and staying in touch with friends and family who couldn’t be there with us. Could we have done the same things without the aid of such a device? Sure, but it would require a lot more planning, paper and reliance on human memory. On your next trip, make sure you leverage your technology to maximize your vacation, but don’t forget to observe local laws (and customs!) as it might just cost you more than you planned on spending!
Image courtesy of blackzheep at FreeDigitalPhotos.net
When Microsoft announced that Windows 10 would be available as a free upgrade to Windows 7 and 8 computers, millions of people took them up on the offer (some involuntarily). The upgrade was meant to jump start adoption of the new OS, and was intended to provide a way for older PCs to take advantage of a more powerful, versatile and secure operating system without having to go through a major hardware investment to do so. As many found out, the upgrade process wasn’t always the smoothest, but once your computer and you finally arrived on the proper side of Windows 10, the new OS actually performed surprisingly well on older hardware, something that couldn’t be said of previous Windows upgrades.
Unfortunately, older PCs are already being abandoned by Microsoft’s forced updates
Flash forward to present day, after the gamut of upgrade experiences, and after the most troublesome upgrades have turned the corner as productive computers, many users are finding that Microsoft’s forced updates are either no longer available for certain hardware configurations or are rendering parts of their computers unusable.
As always, the fine print is where we “get got”: When the free Windows 10 upgrade was first announced we were told that Windows would be kept up to date “for the supported lifetime of the device at no additional charge.” Just prior to the actual Windows 10 launch date, Microsoft clarified this stance with the following:
A device may not be able to receive updates if the device hardware is incompatible, lacking current drivers, or otherwise outside of the Original Equipment Manufacturer’s (“OEM”) support period. (emphasis mine)
What most people still fail to realize is that on top of the Windows operating system being updated by Microsoft, there are typically a whole host of drivers that your computer manufacturer provides for the various bits of hardware that comprise your particular computer model. In the past, the manufacturer would launch a particular model line as “certified” for a particular version of Windows, allowing them to also build and maintain a set of hardware drivers that were designed for a specific OS. As Microsoft marches forward, the hardware manufacturers are faced with the choice of spending resources to patch (or even rewrite) drivers to keep up with Windows on their older hardware, or focusing those resources on putting out new drivers for new hardware. It shouldn’t take much thought to see why both Microsoft and your PC’s manufacturer are leaving your old PC behind.
Sadly, you are now forced to make a choice. Roll back (if you can, and some of my clients can’t) the update that killed your PC, and then figure out how to avoid the forced updates pushed out by Microsoft (inadvisable in the long run due to security risks), or cough up for a new Windows 10 PC. While the first choice may save you some money in the short run, you will eventually have to succumb to Microsoft’s update cadence, and unless your PC’s manufacturer takes the unlikely approach of releasing working drivers for your old hardware, it will be time to go computer shopping once again.
Normally I try to keep to pure technology news on this blog, but I believe this issue is important, probably more so than many of my clients realize. Net Neutrality is a simple issue made complex by sophisticated marketing, partisan politics and the fact that both sides have reasonable points. What’s currently at stake is this: the FCC, after previously passing rules in 2015 to “prohibit Internet providers from blocking, throttling, and paid prioritization—‘fast lanes’ for sites that pay, and slow lanes for everyone else,” is now seeking to repeal those rules due to a dramatic shift in FCC leadership. Predictably, money supporting the repeal of these rules is coming from ISPs, and they are spending a lot of money to lobby for Net Neutrality to NOT be protected.
Fortunately for consumers, many of the internet companies we use every day (Spotify, Netflix, Amazon, Dropbox to name a few) continue to fight for your right to unfiltered, unthrottled internet. July 12th has been named the “Day of Action” in support of Net Neutrality, and you may see sites all over the internet (like this one) sporting banners and images indicating that support. What are they asking you to do? Primarily, they are asking you to demonstrate your support by writing or calling your local congress-critter to let them know you are in favor of Net Neutrality and that the FCC should reconsider its plans to repeal the rules that were established in 2015.
I believe it’s important for you to be aware of what’s at stake. The internet is an indispensable part of our lives both personally, professionally and politically whether we like it or not, so issues that affect your access and use of it should not be taken for granted. Please take a moment to familiarize yourself with Net Neutrality if only to understand what’s happening on the internet on July 12.