Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

T (818) 584 6021
Email: [email protected]

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302

Open in Google Maps
QUESTIONS? CALL: 818-584-6021
  • HOME
  • BLOG
  • SERVICES
    • Encryption
    • Backups
  • ABOUT
    • SMS Opt-In Form
    • Terms and Conditions
    • Privacy Policy
FREECONSULT

Popular Android app became malware vehicle

  • 0
Christopher Woo
Tuesday, 27 August 2019 / Published in Woo on Tech
Android in the crosshairs again

I’m pretty sure most of us pay very little attention when our mobile phones ask to update the installed apps, even if during that process your phone asks if its OK to grant new permissions to an app that needs access to your contacts, camera, phone or local filesystem. The app is already installed on the phone and you use it (sometimes), so where’s the harm? Unfortunately for millions of Android users who had an app called CamScanner on their phone, the latest version came with a malware delivery vehicle called a Trojan Dropper. This bit of software, once installed, can reach out to a designated server on the internet and download encrypted code which can then be decrypted and run on the device without any action required by the phone owner.

What this means for you

Unfortunately for Android users, even the ones that keep on the straight-and-narrow and only install Play Store apps, staying inside Google’s “walled garden” is sometimes more like wandering around a hedge maze full of holes, thorny bushes and no clear exits. Earlier this month, Google had to remove 34 apps that collectively had been downloaded over 100 million times because they contained a similar bit of malware called a Clicker Trojan. In cases like the Dropper and this Clicker Trojan, the software is designed to allow hackers to covertly subscribe the users to costly subscription services and repeatedly open websites in massive advertising click-fraud campaigns, generating millions of dollars for the attackers, often going completely unnoticed on the compromised phones.

As with many types of malware infections, the underlying cause is often either a lack of understanding of how phones can be infected or what that behavior might look like on a mobile device, or, in many cases, a lack of patience or even care for the diligence required to notice the problem in the first place. If you need some basic guidelines on navigating the mobile app safety maze, here are some things you should always observe:

  1. Remove any apps you aren’t using, especially ones you don’t remember installing.
  2. Always read the reviews on apps that you are considering installing. Look for complaints about ads, popups, unusual behavior or suspicious permissions requests.
  3. Keep track of what you install, and observe your phone closely after installing a new app. The Clicker Trojan mentioned above didn’t activate until 8 hours of being installed to avoid detection.
  4. Always be suspicious of an app’s request for unusual permissions. If you want to be on the safe side, deny all permissions during install, but be aware that many legitimate apps need access to various functions of your phone to operate properly, and denying permissions will likely cause the app to function poorly or not at all.
  5. Never install apps from any store other than the official Apple or Google stores. Jailbreaking or rooting your phone, even if you know what you are doing, is not recommended, and at minimum will void your warranty and absolve the carrier and phone manufacturer from providing any kind of support.
  6. Watch your phone bill and credit cards for unusual charges, especially if you have your bill set to auto-pay through credit card.

Even the Ransomware is big in Texas

  • 0
Christopher Woo
Tuesday, 20 August 2019 / Published in Woo on Tech

Ransomware attacks are on the rise. Depending on which security company you get your news from, the percentage increase from 2018 varies from 110% to a whopping 365% as reported by Malwarebytes Labs. Also important to note: attackers are going after government institutions in the US in a noticeable way. Since the start of 2019, there have been 22 documented attacks on city, county or state governments, including the high-profile incident in Baltimore which I wrote about back in May of this year which has thus far resulted in $18 million in remediation costs and lost revenue. Not to be outdone, the state of Texas can add new record to its list of big things: 23 local government organizations were attacked simultaneously in what is being called the largest coordinated ransomware attack against multiple government entities…so far.

What this means for you

Unless you happened to be served by one of the 23 unlucky institutions affected by this attack, this will be one more splash of water in our ongoing drink from the malware fire hose. Texas officials are keeping mum so far on who-what-where’s of the attack, but if I had to guess, someone got phished via email, gave up credentials, which led to the hackers being able to drop malware on critical systems that all went off on August 16th. Given the breadth of the attack, it’s likely the attackers have been working this particular set of targets for months, meaning it was organized and purposeful.

You might not have noticed this, but ransomware attacks had slipped to the background in 2017, but they are back with a vengeance and focused on businesses and government entities because the hackers realized deeper pockets are just as susceptible to ransomware, and are more likely to pay ransoms because they can’t afford to not pay, as seems to be painfully exemplified by Baltimore’s ongoing recovery. As always, your best protection against this type of malicious, technological pollution is a multi-layered defense perimeter that consists of at minimum: email filtering, workstation and server malware protection, a strong firewall, and cloud-based backups. If you can add employee training to that list, you will be much better protected than your neighbor or even the competition. And in case you were wondering where you might be able to cover all these bases with one call, just give us a ring.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Two for Tuesday Part 2: More Malfeasance, Misuse and Morons

  • 0
Christopher Woo
Tuesday, 06 August 2019 / Published in Woo on Tech

There are so many reports of this nature that I literally can’t even. My vacation can’t come soon enough, but in reality I’m just going to be worrying about all of you staying safe in the face of widespread negligence and malfeasance. Read on if you dare:

AT&T employees took bribes to plant malware on the company’s network
TLDR: Pakastani hackers bribe ATT employees $1M+ over the course of 5 years to unlock phones and install malware and rogue devices on ATT networks.

More N.S.A. Call Data Problems Surface as Law’s Expiration Approaches
TLDR: Remember all that secret data collection the NSA got caught doing a few years back? They were supposed to delete that data, but Oops! they didn’t.

Yelp is Screwing Over Restaurants By Quietly Replacing Their Phone Numbers
TLDR: Yelp set up a shady deal with GrubHub to redirect customer calls through their hub instead of dialing the restaurant direct. Restaurants get charged a marketing fee for this sleight-of-hand.

Twitter may have shared your data with ad partners without consent
TLDR: Twitter may have inadvertently shared data on your viewing habits that it collected without authorization. And then used that data to show you more ads. “Oops.”

Democratic Senate campaign group exposed 6.2 million Americans’ emails
TLDR: Dumb campaign staffer puts unsecured spreadsheet online in 2010. Emails have been exposed for nearly 10 years.

Image courtesy of TAW4 at FreeDigitalPhotos.net

attelephantelephant on the internetnsapoliticsprivacyTwitter

Two for Tuesday: Big Companies mishandling your data

  • 1
Christopher Woo
Tuesday, 30 July 2019 / Published in Woo on Tech
Privacy sign

It’s a day ending in “Y” so that means yet another company CEO is on the news apologizing for exposing your PII to the internet. This time around it’s Capital One CEO Richard Fairbank having to say sorry for letting a hacker get access to approximately 100 million US and 6 million Canadian credit card applications. While Capitol One was quick to try to downplay the severity of the the incident, asserting that no credit card numbers were stolen, there is no sidestepping the fact that the hacker, who has since been arrested, was attempting to sell information that includes 140K US Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, as well as an undisclosed number of names, addresses, credit scores, limits and balances.

Not feeling violated enough yet?

To add to everyone’s continuing dystopian nightmare this week, Apple was recently caught in a glaring contradiction to its ongoing marketing message of being a champion of its users’ privacy. Despite buying huge billboards touting that “what happens on your iPhone stays on your iPhone”, a whistleblower has shared damning details on Apple’s use of contractors who have access to numerous private and very sensitive audio snippets recorded by Siri. According to Apple, only a small number of Siri requests are reviewed by humans for accuracy and algorithm tuning, and supposedly these small audio files are semi-anonymized to protect user privacy. Not so, says the whistleblower. As anyone who uses a voice-activated device can attest, Siri and its ilk can perk an ear up even when not being directly addressed, resulting in plenty of unintended recordings that people would definitely not want shared.

“…you can definitely hear a doctor and patient, talking about the medical history of the patient. Or you’d hear someone, maybe with car engine background noise – you can’t say definitely, but it’s a drug deal … you can definitely hear it happening. And you’d hear, like, people engaging in sexual acts that are accidentally recorded on the pod or the watch.”

Anonymous Apple Contractor to The Guardian, 26JUL2019

An important distinction needs to be made with regards to Apple’s voice recognition data gathering practices, especially since they themselves take great pains to tout their privacy advocacy. While Google and Amazon both allow some opt out options on the use of their recordings, Apple does not offer this option short of disabling Siri altogether.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Equifax Breach Settled with FTC for $575-700M

  • 0
Christopher Woo
Tuesday, 23 July 2019 / Published in Woo on Tech

As reported here and everywhere, the 2017 breach of Equifax credit reporting agency exposed critical PII (personally identifiable information) for 147 million Americans. It remains equally notorious for Equifax’s botched handling of the breach as well as the thundering silence (until now) from the government on what should be done to address the appalling privacy breach as well as what consequences the company should face as a result. If it had been announced a few months earlier, Equifax’s settlement with the FTC, Consumer Financial Protection Bureau, and 50 US States and Territories for $575-700M might seem significant, but in the face of the record $5B fine levied against Facebook just two weeks prior, the amount seems paltry, especially considering that Equifax reported revenue of $3.41B in 2018.

What does this mean for you?

From a raw-math perspective, this settlement values your most critical financial data (full name, address, social security number, email address, phone number, credit card numbers, bank account numbers…feel ill yet?) at around $2-3 dollars. Yup, sorry, no “B” or “M” or even “K” following those numbers. Two dollars.

However, if you are willing to put in the work, you can possibly claw back as much as $20,000 depending on your circumstances. For a more comprehensive outline of how you can get your share of the Equifax settlement, the Wall Street Journal spells it out fairly well, but I’ll hit the high notes if you want to hit the ground running from here:

  • Were you affected by the Equifax breach?
  • Check your credit report.
  • Get email updates about the settlement.
  • You are entitled to up to 6 free Equifax credit reports a year from 2020 through 2027.
  • You may be partially compensated for credit monitoring or identity protection paid for between 9/7/2016 and 9/7/2017.
  • You may be eligible for free identity restoration services for at least seven year.

Image courtesy of Stuart Miles from FreeDigitalPhotos.net

Old Accounts Can Come Back to Haunt You

  • 0
Christopher Woo
Tuesday, 16 July 2019 / Published in Woo on Tech

A few years back I had an unusual request from a client to investigate their spouse’s online history for evidence of possible infidelity. I was asked to handle it discreetly and under the guise of investigating their computers for possible hacking or malware infection. Interestingly enough, it turned out that their computers had been hacked and the attackers had resurrected an old account from a dating site that the spouse had used when they were single. A friend had spotted the activity and brought it to the spouse’s attention who then brought it to me. Even though this cleared up one potential home-wrecking situation, it was only the tip of the iceberg for the couple, as this was only one of many accounts that had been compromised in the identity theft.

How many zombie accounts do you have?

One of the most overlooked double-edged swords of online services is the requirement of creating yet another account to access those services. These companies, for the sake of convenience, use your email address as the login, and it’s highly likely you, also for the sake of convenience, will use a password that is being used elsewhere, possibly repeatedly. Those of us who think of themselves as only “casual” online participants will have dozens of accounts, and those of who have lived and worked online since the birth of the internet will likely have created a hundred or more, with a large majority of them long forgotten and assumed dead and buried.

Many companies, from startup to Fortune 50, do not actively prune unused accounts, and many do not offer a way to remove or deactivate an account, regardless of whether it’s highly active or never been used. It’s also possible for the data of a company that has gone out of business to end up on another company’s server, also forgotten and not maintained by the new custodians, and worse, not even accessible by the customers that created that data in the first place. Unfortunately for us, out of sight is not out of mind for a hacker, and these forgotten troves of data are often not as well protected or even monitored by the company who is supposed to be securing it.

What does this mean for me?

First, stop using the same password for multiple accounts. If one company gets hacked and your data is compromised (Has your login or password already been compromised?), it’s only a hop, skip and a jump for that login credential to be cross-matched on a dark-web database. Suddenly that LinkedIn account which you haven’t used in years has risen from the grave and bitten you right on the you know where on an account that does matter to you.

Secondly, take a lazy Sunday morning to go through your email looking for new account emails from long-forgotten accounts. You can search for them by using phrases like “new account” or “your password” or “account activated”. Make a list and then consider deleting or deactivating any of the accounts you are not using. There is no tried and true way to do this – each service (if it still exists) will have a different process for removing the old accounts, and some will do their damnedest to keep you from leaving, but no one ever said that being safe online was easy, so buckle up and dig in.

Thirdly, consider deleting those very same emails you just found that led you to those old accounts, especially the ones you are planning to keep, and particularly if they actually contain passwords. If you found them, someone with unauthorized email accounts can find them as well and figure out ways to get into those accounts, especially if the emails contain passwords.

Image by Gordon Johnson from Pixabay

Zoom to patch Mac client security weakness

  • 0
Christopher Woo
Tuesday, 09 July 2019 / Published in Woo on Tech

Videoconferencing darling Zoom stirred up a pot of controversy earlier this week after it first disclosed and then defended an apparent security weakness in its OS X video conferencing client. According to the security researcher who discovered and reported the flaw back in March of this year, the Mac version of Zoom installs a webserver on the computer on which it is used that will enable users to quickly make and answer Zoom calls. Unfortunately, the main reason they implemented this method was because the built-in security restrictions of the Mac operating system were getting in the way of this quick-connect feature, a “benefit” which Windows users did not enjoy. On top of this, even after the Zoom software was removed from the Mac, this local webserver remained in place, allowing for quick reinstallation in case the user needed to make or receive a Zoom call, the latter of which could be exploited to gain unauthorized access to the Mac’s built-in camera.

Subverting security for convenience is always good practice, right?

Initially, Zoom defended their Mac client methodology and insisted that the changes they made to the Mac client’s settings should be sufficient protect against any exploits of their software. The security researcher remained unconvinced that it was sufficient protection for Mac Zoom users and released his findings to the public alongside a proof of concept demonstration of a malicious Zoom invite attack. After about 24 hours of internet uproar over the vulnerability, Zoom reversed their position on the subject and has just released a patch that removes this feature, as well as adding a new menu choice to do a full uninstall of the software to remove the hidden webserver.

If you are using the Mac version of Zoom, you will want to update your software immediately if it hasn’t already prompted you to update. Windows users, for once, don’t need to do anything. Enjoy your small respite from the usual flood of security flaws.

Two billion-record database left open on internet

  • 0
Christopher Woo
Tuesday, 02 July 2019 / Published in Woo on Tech
Biohazard warning

Among the many problems of the internet, one of the most egregious is the fact that anyone can create a website, put it online, and not really be held accountable for what is actually published on said website. Let’s take the website of home automation company Orvibo, who, at the time of this article’s writing, states on their website:

“Cloud platform supports millions of IoT devices and guarantees the data safety.”

The claim that their platform supports “millions” of devices is backed up by the Orvibo database size, which appears to contain more than two billion records, but the fact that we know exactly how many records are in the cloud platform and that their database is currently open for viewing on the internet without a password is the exact opposite of guaranteeing data safety.

How can a company screw up so badly?

I’ve answered this rhetorical question several times in the past on this blog, but in case you’ve missed it: Technology is fallible because humans are fallible. They are also lazy and sometimes downright malicious, but in the case of the Orvibo database which remains open and accessible at the time of this blog’s publication, we have a stunning example of gross negligence and incompetence that is impacting millions of its customers in very personally identifiable ways. Among the two billion records that includes customers from China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the U.S. are email addresses, passwords, geolocation data, IP addresses and device reset codes. Given that Orvibo devices include home automation and security products, the data exposed in this open database gives hackers literally the keys to many family’s homes and hotel rooms, and could potentially endanger their actual lives.

What should you do if you are using Orvibo technology in your home or workplace? Discontinue using it immediately if possible, and if that isn’t possible, see if you can at least disconnect it from the internet and change any passwords used on the device, especially if it’s a password you’ve used elsewhere (also a no-no for just this very reason). It’s not clear when, or even if, Orvibo will address this vulnerability anytime soon, nor will we know whether the data has been access by anyone with ill intent, but in this case, erring on the side of caution is the best course of action.

breachelephantelephant on the internetsecurity

Deceptive web tactics might soon be outlawed

  • 0
Christopher Woo
Tuesday, 25 June 2019 / Published in Woo on Tech

Very early on, during my time as a young support technician nearly twenty years ago, I quickly learned that most people, particularly those who had grown comfortable working with office computers, frequently did not read many of the dialog and alert boxes that popped up on screen, which often-times led to unexpected or even deleterious results. Even if they did read what was presented (or thought they read it), most of the time they could not recall what the dialog box actually said. Despite what you might think, this is actually very human, and not limited to technology use. When performing menial tasks (as many things we do on computers now are), we are prone to learning how to do them as quickly and efficiently as possible, which includes tapping “OK” as quickly as possible to the numerous prompts our devices pose to us throughout the day. You may have already noticed that many online services, apps and websites have taken advantage of this tendency and present patterns of interaction that mimic expected use, but lead to unexpected outcomes, like accidentally downloading and installing antivirus protection that we don’t need, or adding a paid subscription service for an app that was supposed to be free.

I can feel you clicking “Get to the point, Woo…”

While most people have come to expect that websites and online platforms are going to gather demographic information on them and show advertisements that can sometimes seem uncomfortably accurate, they are not as jaded as yours truly to believe that these same “free” services aren’t actively trying to deceive them through misleading and/or confusing interfaces, dialog boxes and obtuse language, but a recently published European study found that this is exactly what they are doing it, and it’s no accident, nor, if you think about it, is it a new practice. McAfee and Adobe have been doing this for years with their Adobe Reader – McAfee Security Center downloads, and I’m pretty sure every single one of my clients has fallen victim to this particularly trap at least once, despite years of warning about the dangers of clicking “OK” before reading the message. Heck, even IT professionals like yours truly have fallen victim to clicking when in a hurry because, we (despite appearances sometimes!) are human too.

At least two US Senators have finally deigned to do something about the alarming increase in deceptive interface practices and have floated new legislation creatively named “Deceptive Experiences to Online User Reduction Act.” The DETOUR Act would give the Federal Trade Commission the legal means to regulate the use of purposefully deceptive or confusing practices to steer users to decisions that may not be in their best interests or subvert expectations, something they have been monitoring in traditional advertising for decades. For now, this legislation is still in committee, but we can take a small measure of hope that this bipartisan bill finds its way to the voting floor soon. Make sure you contact your Congress-critter to let them know that this is important to you.

CONTACT CONGRESS

Image by Gerd Altmann from Pixabay

Supreme Court Weighs in on Social Media and 1st Amendment

  • 0
Christopher Woo
Tuesday, 18 June 2019 / Published in Woo on Tech

Since the advent of online discussion forums and the resulting need for forum moderators that can reign in unruly participants, there have been endless (if constitutionally ill-informed) debates in the US about free speech rights and their applicability to the internet. This particular debate has loomed ever larger as social media’s sudden dominance in politics, economics and ethics surprised even the gloomiest doomsayers in the past three years. Last year, the New York 2nd Circuit Court ruled that a public access TV channel had violated the 1st amendment rights of two producers who appeared to have been fired for criticizing their employer. The TV channel, Manhattan Neighborhood Network appealed to the Supreme Court who just earlier this week reversed the decision.

How does this apply to social media?

The details of the case at first don’t seem to apply at all to social media: MNN is a state mandated and funded public access network, an entity that most analysts agreed would appear to be subject to 1st Amendment jurisdiction. Social media platforms, on the other hand, are clearly not state-owned or operated nor is access to them mandated by any state or federal law. Surprisingly, the decision to reverse the 2nd Circuit ruling was led by the “conservatives” on the court, the exact opposite of what was expected by many conservatives pursuing free speech cases against YouTube and other media platforms for their alleged “anti-conservative bias.”

Instead, the majority opinion took a rather narrow view of public forum doctrine, stating that even though the creation and operation of MNN was mandated by the state, it is operated as a private company in a function that is NOT the exclusive domain of the state, much the same as every social media platform in existence. Just because a private entity (even one as big as Google/YouTube) allows everyone to post and participate does not turn it into a protected free speech zone. Justice Kavanaugh states in his conclusion:

“A private entity […] who opens its property for speech by others is not transformed by that fact alone into a state actor.”

While the court did not directly call out social media platforms in their decision, even the dissenting opinion, written by Justice Sotomayor, seems to leave little room for creative interpretation, and seems to be speaking directly to the heart of the matter:

“The First Amendment leaves a private store owner (or homeowner), for example, free to remove a customer (or dinner guest) for expressing unwanted views…. In these settings, there is no First Amendment right against viewpoint discrimination.”

Image courtesy of Stuart Miles from FreeDigitalPhotos.net

  • 18
  • 19
  • 20
  • 21
  • 22

Recent Posts

  • mid year check-in

    Mid-Year IT Health Check: 10 Things Professional Services Firms Should Review Now

    Most firms set their technology priorities in J...
  • Cloud Migration for Professional Services: When It Makes Sense

    Cloud Migration for Professional Services: When It Makes Sense (And When It Doesn’t)

    Every vendor in the technology industry will te...
  • mid age man working on laptop while floating in the sea summer vacation

    Summer Vacation Security Checklist for Professional Services Firms

    Summer is the one time of year when professiona...
  • The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    I have had this conversation more times than I ...
  • Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote work is no longer a temporary arrangemen...

Archives

  • GET SOCIAL
Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

© 2016 All rights reserved.

TOP