When Microsoft introduced Windows 8 they introduced a new “feature” in the wizard that walks you through the process of setting up your new PC. This new feature was the ability to use a Microsoft account as your user login on the PC instead of the traditional user account that had been used for years with prior versions of the Windows OS. Unfortunately, they did an extremely poor job of explaining what this actually was or how it worked. This feature is still used extensively on Windows 10 PCs today; it is still not explained well in the wizard, it is still difficult to understand, and it can cause quite a bit of confusion when used unintentionally.
What this means for you
If you’ve ever walked through the process of setting up a new computer, you’ve come across and probably implemented this feature without even realizing the extent of its capabilities or how it differs from the “old” way of creating an account for your PC. Since the very early days of Windows, most people have interacted with the operating system and their apps through what’s known as a user profile. The profile mechanism allows more than one person to use the same hardware while retaining their own set of data and settings. On home PCs you typically had only one profile, and in past versions you might have had one set up without a password, not realizing you were even logging into a profile at all. Up until Windows 7, this profile was a “local” profile on most personal and home PCs, and for most users it was something they had only a vague awareness of, if at all.
Starting with Windows 8, Microsoft implemented the means for a local computer profile to be synced to the internet, ostensibly to back up your settings and password to a “cloud profile” that was tied to your Microsoft Account. Though its intent wasn’t clear at the time, the end goal was to allow you to build a profile that could be moved from PC to PC as you upgraded your hardware, or used on multiple PCs simultaneously, giving you perfectly synchronized data across all of them through the magic of the internet. Except at the time, Microsoft didn’t explain any of this vision well during the process, and we actually wouldn’t see the full vision realized until the arrival of Windows 10 and OneDrive many years later. On top of this, the wizard would typically funnel you into creating a Microsoft Account by using your email address, which most people mistook for Windows simply asking for their email password. If your email account was provided by Microsoft, that is actually what it was doing; but if you gave it a non-Microsoft email account (say Gmail or AOL), you would be prompted to create a Microsoft Account on the spot using that email address as the login name. Not confusing at all, right? This resulted in tons of questions: “Is Microsoft taking over my email?” “Am I converting my Gmail/AOL/Yahoo email into a Microsoft email?” “Which password should I use to log into Windows?” “How do I access my Microsoft Account?”
Now, let’s add Office/Microsoft 365 into the mix. With the arrival of Microsoft’s cloud platform, it’s actually possible to have TWO Microsoft Accounts that use the same email address. Let’s say you have your own domain name and email account, and you’ve just recently moved hosting to Microsoft 365. But prior to that, you set up a Microsoft Account using that same email address. Whenever Windows needs to access your Microsoft Account it will ask you for your email address, and if you happen to have two accounts, it will present you with a choice between your Work or School Account and your Personal Account. Which one is correct depends on which service you are accessing – let’s say your Xbox Game Pass subscription (Personal Account), or your OneDrive account (might be work, might be personal, you probably have both!), or even setting up your new PC with a new profile. You can use either one!! But which one to choose?!?
Next week – more details on Microsoft Account Madness!
Image by PIRO4D from Pixabay
Despite the fact that a database containing personal information scraped from Facebook on over half a billion people has appeared on the internet and is available to anyone with a modicum of technical skill, Facebook doesn’t appear to be concerned at all, dismissing this particular news with a hand wave: “This is old data that was previously reported on in 2019…We found and fixed this issue in August 2019,” per an email statement sent to the Associated Press. And it seems they have good reason to downplay this “old news,” as their stock hits a record high despite facing news that would be catastrophic for just about any other company. Unfortunately for us, this issue they “fixed” in 2019 might have been any number of security problems they had in that year, and yes, this database may be an amalgamation of several breaches. Which doesn’t make it any better.
What this means for you
To put this in perspective, here is a visualization of just how big a number 533,000,000 actually is:
The above is just the first of 4 slides, so click through for the other 3 slides – it’s worth a look. The amount of data leaked is larger than the population of the USA. Unfortunately for the world, the leak seems to have been global in scale, affecting 106 countries in total and over 32 million Americans. On a personal level, the data contains information that would be classified as Personally Identifiable Information, including names, physical addresses, phone numbers and email addresses. This is enough info to put your identity at serious risk of theft (if it wasn’t already before), and as such, at minimum you should be putting a freeze on your credit reports. This leak may also pose a risk for anyone who has a need to keep such data private, such as celebrities, abuse/stalking victims, or just your regular social media user who had no idea their “personal” information could be made so widely available.
Seeing as Facebook does not seem to be taking any sort of ownership of this, you will have to rely on the third-party site HaveIBeenPwned.com to see if you were one of the 533 million affected by this latest leak. At this point, even if you weren’t affected by this particular breach, I can almost guarantee that if your email address is more than a year old, you are likely still going to find yourself on that site. You can also check at this newer site by phone number, just to cover all the bases.
Some of us maintain Facebook accounts because we have to, but if you aren’t using it anymore or want to stop using it because this was the last straw, you can delete your account here: https://www.facebook.com/help/224562897555674. On top of this, you should be:
- Using two-factor authentication for all your important email, financial and work-related accounts,
- Backing up your data to the cloud via a reputable platform like BackBlaze, Carbonite or iDrive
- Using unique, complex passwords for everything, and
- Managing those passwords through a password manager like LastPass, 1Password, Dashlane or Roboform.
Oh, and you put a freeze on your credit reports, right?
Image by Tumisu from Pixabay
Last week I wrote an article about another mega-corporation that starts with “A” and presents a more benevolent public image than its behavior warrants, but in the case of AT&T, I don’t think anyone mistakes them for a business with a progressive ideology. As a matter of fact, you could say their latest blog post, purportedly written by one of their executive VPs, is exactly the opposite, with a very conservative view on what America needs in terms of internet speeds. The post appears to be a response to the Biden administration’s call to define a new baseline for broadband internet at 100 Mbps for both upload and download speeds, as well as to proposals from the Administration and Congress to subsidize infrastructure development in under-served geographical and income-challenged populations.
What this means for you
Let’s cut to the chase: AT&T believes that rural America doesn’t need 100 Mbps upload speeds. As a matter of fact, according to their blog post [emphasis ours]:
“The pandemic has broadened the consensus opinion that it’s time to revisit the FCC’s current broadband definition of 25/3 Mbps. To be clear, service at that speed is sufficient to support zoom working and remote learning.” – Defining Broadband For the 21st Century, AT&T Public Policy
To be fair, they do go on later to say that the 25 Mbps download speed is less than optimal for a family of four, especially in light of the pandemic. But what they are objecting to is the current Administration’s attempt to redefine the baseline standard of broadband any higher than their current infrastructure can support, and a 100 Mbps upload speed is way more than their ancient DSL networks (top speed of 3 Mbps in most areas) can handle. They are also objecting to the proposals that would provide billions of dollars in subsidies to competitors, including municipal-backed co-ops and smaller ISPs, that would challenge their monopoly (or duopoly if you are lucky) in most broadband markets, including urban and commerce hubs. I’m pretty sure they know that most Americans, given a choice, will absolutely consider other options, especially if those options are competitive (and not AT&T), and AT&T hasn’t had to compete in decades in a large part of its market. Hopefully the current administration can push forward some serious upgrades to the nation’s infrastructure that include establishing a broadband speed standard in every part of the country, breaking the monopolistic inertia that is holding large swaths of our population hostage with ’90s-era technology and speeds.
How can you do something about this? Contact your elected officials and let them know you want faster internet and a choice of providers. This isn’t a partisan issue – everyone should have fast, affordable internet.
Image by kewl from Pixabay
If there is one thing that has been consistent with the Apple brand throughout the years, it’s that they have a fiercely loyal customer base that has expanded from what was once a very small percentage of the market to worldwide dominance through their mobile devices. The reasons why Apple’s brand is so popular could be the subject of numerous dissertations on the power of marketing, psychology and design aesthetics, and for the most part, their hardware and software have consistently been of high quality (with a handful of high-profile exceptions) since the very first Apple computer took the world by storm. If you are choosing Apple products for their hardware, software, or design aesthetic and can afford their comparatively higher cost, I find no fault with that reasoning. However, if all other things are equal (hardware, software, design) when determining which brand to pursue, and you select Apple based on its perceived ideological stance, it may be worth considering the following.
What this means for you
Since taking over for Steve Jobs in 2011, Apple CEO Tim Cook has worked studiously and successfully to elevate Apple’s branding to represent the company as having a more socially and environmentally conscious stance. This includes several high-profile incidents, such as when he challenged stockholders to sell if they disagreed with Apple’s increasing investment in renewable energy, Apple’s public filing of a friend-of-the-court brief on Trump’s intent to cancel DACA, and most recently the spat with Facebook over recent changes to Apple’s iOS to provide more transparency on the apps that track their users’ activities. While there is nothing wrong with these stances – they are each of them laudable – these are the ones that Apple wants you to recognize them for, and not for other, more questionable decisions, such as their removal of a Hong Kong protest app at the request of the Chinese government, and most recently, their change in policy to allow phones sold in Russia to prompt users to install state-approved Russian apps, something they have never done for any other country or market…until now.
As I’m sure you are aware, Apple is a publicly traded company and is, in the end, beholden to its shareholders, regardless of its stated ideals. Yes, Tim Cook told disgruntled investors to sell if they didn’t like Apple’s decision to invest in renewable energy sources, but as time has since revealed, this appears to be a shrewd forecast of the world’s turn towards renewables. Likewise, Apple punished Facebook in January of 2019 in a highly publicized incident where Facebook was revealed to be using an app to scrape users’ phones for data. Apple appeared to be championing privacy for its users, but in fact the punishment levied against Facebook was for violating the licensing terms Apple had extended to Facebook for the app – the license granted Facebook the ability to distribute internal, non-public apps, which this “research” app clearly was not. They were not punished for the intent of the app, nor did Apple address the fact that participants were paid by Facebook for access to their data.
Social media has popularized a concept known as “virtue signaling” (controversial on its own) which seems to fit Apple’s publicity model. While Wikipedia’s definition seems to imply that Apple (as a company) should not be seen as a champion of human rights while quietly doing the opposite when it serves them, they aren’t the only company doing this, and this is not something new to for-profit companies. In the advertising world, this is known as “good branding,” and Apple, if nothing else, is a textbook example of excellent brand management. Make no mistake: as long as you recognize Apple (or any other company behaving similarly) as a company with a bottom line and not an entity forwarding an agenda, their ideological stance should be viewed first as a marketing strategy and evaluated on what they do, not what they signal.
I would hazard a guess that a large percentage of Facebook’s user base was actually alive at the time it was first created as a dating app for college students, but it’s very clear that a significant portion of Facebook users now look upon it as an (if not their only) authoritative information source, valuing the opinion of their social circles more than scientific evidence and fact-checked expertise. An internal Facebook study has confirmed that a very small number of accounts out of the 3.3 billion total on its platforms (including WhatsApp and Instagram) account for half of all “vaccine hesitancy” content appearing on the platforms. While Facebook has only recently started banning false and misleading content related to the Coronavirus pandemic, apparently there is still a vast amount of content expressing concerns about vaccine effectiveness or the severity of side effects.
What this means for you
Conversations about vaccine hesitancy and fears are considered nuanced enough to fall well short of being labeled as “harmful,” and rightly so – Facebook is a place for people to share their opinions. However, when those opinions are formed from what may have been deliberately planted misinformation, they can sway large swaths of populations into making choices that may prove detrimental to everyone’s health, such as vaccine reluctance in 30% of Americans. According to Facebook’s own study, there appear to be 111 accounts that were the source of half the content published on Facebook that is causing a widespread distrust of vaccines. Social media communities, especially ones that identify around a single (possibly controversial) belief, tend towards reinforcing narratives instead of challenging them. The basic human need for validation has always created “echo chambers” in society, even well before the internet, but the size and speed of platforms like Facebook allow for the viral spread of both harmless fun and extremely harmful ideology with horrific outcomes.
To deliberately misquote a line from one of my all-time favorite movies, “What can we do against such reckless misinformation?” Riding out on a horse, while glorious, isn’t going to be effective. Make sure you are challenging misinformation by gathering information from a wide variety of sources. Don’t just assume those sources are reputable or trusted because they are on the internet or worse, found in your own echo chamber. Facebook can be a source of information, but as has been demonstrated time and time again, not one that should be fully trusted any time soon.
Image by Pablo Jimeno from Pixabay
As if the SolarWinds fiasco wasn’t enough to completely undermine any trust in technology security, Microsoft is warning everyone about a significant exploit in its Exchange email platform that is actively being leveraged by a Chinese advanced persistent threat group dubbed “Hafnium.” According to Microsoft’s Threat Intelligence Center, this group is known for targeting entities in the United States primarily to steal data and intellectual property from a wide swath of industry, political and government organizations, but with this recent exploit, the attackers have spread globally, attempting to compromise as many servers as they can before administrators can patch vulnerable servers.
What this means for you
First and foremost, if your email is provided by an on-premise Exchange Server that is not being actively maintained by a qualified technology professional, you may be in danger, and you should contact an IT professional or a company like C2 immediately. It will be important to patch your servers immediately and then determine if the server has been breached. If you are breathing a sigh of relief because your email is hosted in the cloud, it’s still important to make sure your vendor has taken appropriate steps to make sure their platform is properly secured as they may be using Exchange to provide email services to you.
If your email is provided by Microsoft 365 or Google, this exploit does not impact you directly, but keep in mind that vendors and clients you work with may have been compromised, which may also have implications for your organization. Information stolen from a client or vendor in a breach could be used to impersonate a trusted individual in an attempt to trick you or someone in your organization into any number of activities that could end up directly affecting your bank account. One of our clients recently notified us that one of their vendors fell for an email spoofing campaign that resulted in that vendor writing a very large check to pay off our client’s invoice, but that check was sent to a fake address. Even though you might not be directly impacted by the Hafnium campaign, the sheer size of the information breach means that someone very close to your organization is likely affected. As such, you and all your organization’s employees should treat any unusual emails or transaction requests with caution and skepticism for the foreseeable future.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Despite their best efforts, SolarWinds isn’t going to be able to slip back into obscurity anytime soon. Up until late last year, most regular folks wouldn’t have had any idea who SolarWinds was, let alone what they did. But when one of the world’s largest outsourced IT providers gets hacked, leading to the compromise of approximately 100 very large companies and NINE federal agencies including the National Nuclear Security Administration, you aren’t going to saunter casually out of sight after such a massive gaffe. You might try a little misdirection by throwing an underling under the bus, but all that is doing is making things worse, regardless of whether it’s true or not.
True leaders know where the buck stops
As the SolarWinds “saga” started to slowly unfold for us in December and January in all of its terrible glory, one of the minor “subplots” that was revealed involved a comically weak password that was used to secure a SolarWinds server. If you ever want to bring a rain of derision and reproach from the technology community, use a password like “solarwinds123” as part of your infrastructure while providing IT to the agency that manages our nuclear arsenal. And if you want to double-down on your foolishness, blame an intern for it.
It’s entirely possible that an intern might actually be at fault; all of us were young and “wet behind the ears” at some point in our careers, and let’s face it, there are a ton of people out there who might think that this is at least an OK password. But let me tell you something: every single SolarWinds technician, engineer, senior engineer and up that typed in that password KNEW it was a bad password and didn’t bother changing it. Everyone reading this article knows this is a bad password, and if you’ve been a reader for any amount of time, you’ve known this for years. It’s reasonable to assume that a fresh-faced intern with no IT experience may have chosen such a password, but it should have never survived the moment any SolarWinds employee had to use it even once. Regardless of who made the initial mistake, allowing it to continue being used is absolutely leadership’s fault – all the way to the CEO. Bad passwords have consequences, but excusing and ignoring them is even worse.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Not even three months into Apple’s release of new computers powered by the Apple M1 processor, researchers have discovered at least two malware platforms that seem to have been specifically written to target Apple’s new CPU. One of the new apps, “GoSearch22,” is actually a recompiled version of a known adware app called “Pirrit.” The new M1 variant has already been decertified by Apple, meaning that it will be blocked from running in the OS if your Mac is current on updates. The other malware app, dubbed “Silver Sparrow,” appears to be brand new and is showing up on at least 30K Macs, both M1- and Intel-powered machines, but at the moment, researchers aren’t quite sure what it’s intended to do.
What this means for you
For the majority of Windows users this is not relevant and you can carry on worrying about the myriad other security concerns that the platform is infamous for, but if you happen to use Apple computers for your daily work, take note. At the moment, Silver Sparrow isn’t doing anything except existing and looking very suspicious. It may never be deployed – think of it as a sleeper agent whose cover has been blown. The fact that it exists, and that a version of it was written explicitly for Apple’s new M1 CPU, means that cybercriminals are leaving no stone unturned in their pursuit of exploiting every internet-connected device. Where before Apple users could work knowing that, because of their relatively small market share, they were unprofitable targets for malware developers and as a result slightly more secure than their Windows brethren, this is clearly no longer the case. OS X is definitely being targeted by mature, sophisticated adversaries. While security through obscurity was never a good enough reason not to run malware protection on OS X, it has definitely been invalidated by the sudden and widespread appearance of Silver Sparrow. Make sure you are running up-to-date and effective malware protection on your Mac, old or new. If you don’t know what to install, contact us for advice or a managed solution.
Last week the sleepy Florida town of Oldsmar made headlines as its municipal water utility was targeted in a cyberattack. The attack resulted in the unauthorized access of a computer that controlled the chemical treatment of the city’s potable water supply, and the attackers actually managed to adjust a setting that could have poisoned the water for 15k people. Fortunately, the computer was actually being monitored by an employee who was able to safely reverse the settings change and alert authorities. Aside from the ominous implications evoked by cyberattacks on critical infrastructure like water supplies, this specific attack garnered additional attention because of Oldsmar’s proximity to the stadium hosting this year’s Super Bowl and the fact that it happened 2 days before the actual game.
What this means for you
What many of you might not realize, even though we’ve written about it before, is that our nation’s utility infrastructure is protected by technology that is outdated, underpowered and poorly managed. And it has been under constant attack since at least 2013 and most likely even before then. That being said, it appears the Oldsmar attack was not perpetrated through a series of exotic, Hollywood-esque tactics, but rather by exploiting a forgotten install of the remote management software TeamViewer that was using a shared password set for the entire company. On top of this, the computer was connected directly to the internet with no firewall in place. While this lack of security isn’t uncommon in small organizations around the world, the fact that this is happening at companies that control vital services like drinking water should be fairly alarming to you. According to utility officials, there were plenty of other safeguards in place that would have prevented the poisoning from actually occurring, but one has to wonder whether an audit might be in order. If they installed a bit of software in a fashion that allowed it to be exploited with almost no effort and then forgot about it, what else might they have installed poorly and then forgotten?
When working with people who are actively attempting to correct or remediate behaviors that were previously unproductive or destructive, it’s important to provide encouragement and feedback on the positive changes. Common sense would dictate that any progress is better than none at all, and it serves no one to berate someone for shortcomings they are actively working to improve. But corporations aren’t people, and social media mega-corporations like Facebook have such a significant impact on the world that they should be given no quarter when it comes to criticism. I understand that they are a for-profit company and have no other master to serve, and if they just openly stated that everything they do serves that master, I wouldn’t bother taking them to task. But what they say and what they do are two different things.
Facebook – Hold Them Accountable
On April 16, 2020, over a year after the “friendly warning” from Congressman Schiff, and months after the pandemic had already spread around the globe, Facebook finally acknowledges that their platform is being used to spread misinformation and promises to engage “fact-checking” and warning labels to inform users of possible misleading information.
In May 2020, they patted themselves on the back for putting warning labels on 50 million (!) pieces of content. “Warning labels,” like the ones on packages of cigarettes that clearly keep people from smoking them.
Fast forward to Feb 8 2021, over 2.3 million Covid-related deaths later, and Facebook is finally getting around to straight-up removing misinformation from its platform. How many deaths could have been avoided if they hadn’t allowed rampant misinformation, fear and hate to spread on Facebook? Don’t get me wrong, never at any point since the day I first heard of Facebook did I suspect them of possessing any shred of altruism or compassion. The initial concept of Facebook sprung from a crude looks-based popularity contest (Hot or Not), and it still remains in part, like most of social media, a popularity contest. If any company in the world had the resources and the brain power to be ethical and compassionate and profitable, Facebook should have this advantage in spades, and yet they have been content to let the market rule until it’s more convenient (read: a shift in political power) for them to behave otherwise.
Don’t make the mistake of thinking Facebook (or any for-profit company) is motivated by ethics or altruism until they demonstrate it at the cost of profit. While I am not foolish enough to believe that all the death and heartache caused by Covid-19 was due to the purposeful spread of misinformation on Facebook, if even one death is attributable to this, isn’t that one death too many? Is it too much to ask the biggest, wealthiest company in the world to be more responsible, more ethical? I don’t think so, and I hope more people will continue to ask this same question and demand answers.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net