It’s no secret that I’m a proud Android smartphone user, but a large majority of my clients and acquaintances are iPhone users, and I know that many of them have not been having a good weekend due to a series of bugs in the latest version of iOS. Some of the bigger bugs include a crash tied to notifications, auto-correct changing “it” to “I.T”, the calculator producing incorrect results if numbers are entered too quickly (let that one sink in!), and being unable to delete photos if your iCloud drive was full. Normally it’s Android users suffering as smartphone guinea pigs, but, just like last week’s ginormous OS X cock-up (supposedly fixed now), Apple seems fairly driven to join everyone else at the bottom of the barrel with its initial release of iOS 11.
What this means for you
Hopefully you’ve not destroyed your iPhone in a fit of rage because Apple just released 11.2 that supposedly fixes many of the above-mentioned bugs. Lest you think this was only a bug hunt, Apple, with this release, also started the roll out of their new ecash platform “Apple Pay Cash” which is their version of Venmo or Paypal, and introduced fast charging with Qi wireless accessories. But let’s be serious – this was a major bug hunt, and it seems like there was a long list of critters to exterminate. As always, if you aren’t experiencing problems (possibly because you held off on upgrading to 11 in the first place), you may want to sit tight to make sure Apple hasn’t introduce a set of new bugs while squashing the current ones, but if you are one of the many suffering from from the buggy state we Android users know as “Tuesday”, check your iPhone for the 11.2 update. Make sure you plug it in and connect to the closest WiFi for a (hopefully) better, more functional tomorrow.
Not to be outdone by Intel’s jaw dropping vulnerability reveal last week, Apple stepped up to the plate with what appears to be an epic “Hold My Beer” moment: the latest version of their computer operating system “High Sierra” can be completely compromised through a serious bug. Even more unfortunate is the fact that it is trivial to execute: in any instance of the OS X system asking for authentication to perform a task requiring administrative access, the user merely has to use “root” as the login name and leave the password field blank. Tapping “enter” repeatedly to authenticate will eventually result authentication being granted without ever having to enter any password at all.
What this means for you:
For the majority of the business world, this is a rare respite from the constant deluge of vulnerabilities that plague Windows users, but that is no consolation for the millions of Mac users out there who usually enjoy a relatively secure platform. At the moment there is no patch from Apple but sources say they are scrambling to release a fix soon. In the meantime this vulnerability can be fixed quickly, assuming your machine has not already been compromised. By default, the “root” account is not assigned a password, and assigning one plugs the hole immediately. But there is a catch: setting the password requires a little bit of technical work that initially may seem “too technical” for the self-professed “non-technical” user. You have a choice: earn your geek wings by following this guide from Apple on setting the root password, or give us a ring. We can fix this problem for you, remotely, in a few minutes.
I had a nice little article planned for everyone about avoiding Black Friday/Cyber Monday shopping “deals”, but Intel just had to hog the spotlight this Thanksgiving. Based upon findings by security researchers several weeks ago, computer chip manufacturer Intel has released information on multiple vulnerabilities in the following CPU models:
- 6th, 7th, and 8th generation Intel® Core™ Processor Family
- Intel® Xeon® Processor E3-1200 v5 and v6 Product Family
- Intel® Xeon® Processor Scalable Family
- Intel® Xeon® Processor W Family
- Intel Atom® C3000 Processor Family
- Apollo Lake Intel Atom® Processor E3900 series
- Apollo Lake Intel® Pentium® Processors
- Intel® Celeron® N and J series Processors
Given that this represents a large chunk of what most computer manufacturers have been selling since 2015, it’s safe to say that millions of computers and devices are at some risk. HOWEVER there are (as of the moment) no known exploits in the wild seeking to take advantage of the published security flaws.
As of this writing, the major computer manufacturers have not yet released any firmware updates that will address these vulnerabilities. Dell has said that patches are coming but has not said when, and Lenovo has said that it is “hoping” to have “some” firmware updates by the 23rd. For now, the most that anyone can do is run a tool provided by Intel (Linux and Windows only at the mment) to determine if their system is vulnerable. It’s not clear whether Apple computers are affected – the current consensus is “maybe not,” but don’t take that to the bank just yet.
What this means for you:
Don’t panic. Enjoy your holiday (if you are taking one), and give us a ring on Monday to schedule a check of your equipment. Even though I’m sure there are some black hats out there right now frantically working on a way to exploit Intel’s colossal goof, the actual execution still requires a fairly specific set of conditions for the exploit to be possible. In the meantime, make sure your critical data is backed up, keep your operating system, antivirus and anti-malware software updated, avoid clicking suspicious links, don’t open strange attachments, and above all, stay vigilant.
Previously I wrote about the Elephant on the Internet, and lately it seems like we can’t stop blundering into the pachyderm that shall not be mentioned. Last week, Medium published a controversial article about a strangely mutated (but inexplicably popular) genre of kids videos on YouTube. For those of us hardened by years of work (and play) in the darkest and weirdest corners of the internet, the article wasn’t surprising, but it was definitely disturbing how bad things had become in this area. If you don’t mind wearing the mental equivalent of hip-waders, James Bridle’s article plays Rod Serling to this Twilight Zone-esque subgenre that evolved to exploit YouTube’s keyword and “Suggested Videos” algorithm. One of my “favorite” videos from this story is entitled, “BURIED ALIVE Outdoor Playground Finger Family Song Nursery Rhymes Animation Education Learning Video”. Rolls right off the tongue, eh?
What this means for you
A few years back, my wife and I made the sad (but not surprising) discovery that YouTube was not something that could be left in a child’s hands unsupervised. At the time, it had yet to grow the strange and mutated mushrooms that crowd the darker corners as described in Bridle’s article, but we encountered too many inappropriate “suggestions” from YouTube’s algorithms and came to the conclusion that (a) nobody was driving this particular bus, and (b) some people would do anything to make a buck, especially if they could do it by exploiting technology. In other words – not family friendly, and definitely not kid safe. A few years after that, Google announced YouTube Kids – a walled-garden subset of age-appropriate content that parents could trust to entertain their progeny, and we had a brief glimmer of hope that someone at Google noticed their space needed some adult supervision.
It’s no secret that children’s content is an evergreen but highly competitive industry. Prior to the internet, media companies would spend millions chasing short attention spans in the hopes of cashing in on an ephemeral merchandising craze, eg. Cabbage Patch Kids, Tickle-me Elmo and Baby Einstein videos. Now, thanks to the popularity of crowd-generated content, YouTube is a top destination for Internet “Gold Rushers” with children’s videos a particularly profitable and exploitable “vein”. The problem is not with the creators of these freaky videos – capitalism and Internet make for some strange, but predictable bedfellows. It’s that YouTube is yet another example of a system that has gotten away from its creators, and despite their attempts and promises to close yet another Pandora’s box, the sheer size and scale of the Internet continues to overwhelm and surprise the companies that laid the groundwork for its current dominance.
To sum up: it should come as no surprise that when the Internet gets ahold of something and everyone’s too busy watching the scenery to drive the bus, we can end up on the wrong side of town with no idea how to get back. Add YouTube to the crowd of monsters (Twitter, Facebook, Equifax, Wikileaks etc.) that have gotten away from their masters in service of agendas outside of their control.
Image courtesy of TAW4 at FreeDigitalPhotos.net
The technology gremlins are in beast-mode this week, and I haven’t had the time to pen a carefully thought-out blog post for you, but I did go back into our archives to dig out some treasures that I think are still relevant!
- Make Yourself Less Hackable (2012) – a few handy, still relevant tips on keeping ahead of the hackers
- Spear-Phishing Effectiveness on the Rise (2012) – Maybe not surprising, but tricking people with fake emails is still effective even now
- Stolen Laptop Equals $50k Fine (2013) – People are still walking around with laptops chock full of sensitive data
- Is your webcam spying on you? Maybe. (2013) – This is still happening, and now in higher-definition!
- Applebee’s demonstrates how NOT to do social media – Little did we know just how much influence Social Media would have.
Image courtesy of Stuart Miles at FreeDigitalPhotos.Net
It may not surprise regular readers to know that I don’t spend much time frequenting social media spaces despite working in the technology industry. Up until 2016, my primary beef with platforms like Facebook, Twitter and Instagram was a mix of privacy concerns and disdain for banal content that had to be sifted constantly for relevant information. When I participate, it’s with purpose and definitely clinical in nature. This approach seems even more justified now with recent reports of Facebook’s undue influence on last year’s elections, and it would seem that Americans aren’t the only ones getting tricked by fake news on Facebook, and in some cases, with much more dire consequences.
“But I needs my Facebook!”
Social media plays a critical role in the non-profit I support – our success in fundraising and spreading awareness comes largely through posting on Facebook. But as I have repeatedly said over many years, the Internet makes it increasingly difficult to separate fact from fiction, and it’s very clear that some folks are determined to exploit this ambiguity for anything but altruistic pursuits. The spread of fake news on Facebook is even more insidious primarily for its influence on the masses. Around the world, even more so than in the US, people have an overwhelming tendency to see the information pushed out on Facebook as “truth”, especially in nations where traditional media outlets are state-run or mistrusted, primarily because it often comes by way of a friend or relative, i.e. someone they trust. Where someone would be inclined to view a news piece from an established news agency with skepticism, that same story regurgitated by a friend or loved one would get a free pass on fact-checking.
It’s pretty clear that this is one Pandora’s box we won’t be able to close. Facebook and other internet companies are struggling to control the monsters they created – the dual-edged sword of the Internet that facilitates the spread of information greases the skids for all information with zero regard for integrity or morality. As you may have guessed, the latter two traits require humans to judge, and as even the biggest internet companies are finding out, this is like a child standing in front of a fire hose. They are getting soaked and knocked down by a seemingly unstoppable force.
There is no easy fix for this, but if every human were to do two things, we might prevail against the liars and crooks seeking to exploit our naive trust in the Internet: view social media with a healthy dose of skepticism and approach all viewpoints with an open mind. Blindly accepting every Facebook postings as truth is a one-way ticket to getting tricked.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Despite our hard work to keep our technology devices safe from malware, many of us underestimate a threat living right under our noses. Worse still, these threat vectors don’t even know they are potential harbingers of doom, so neither of you will see it coming until it’s too late. Yes, I’m talking about family & friends, and especially your children (if you have them). Unfortunately for everyone, malicious developers continue to hone their skills at conning our trusted friends and loved ones into compromising themselves, which will oftentimes result in everyone around them being put at significant security risk, just by nature of the trust we extend to this close circle. The most recent example of this is the discovery of 6 popular apps on the Google Play store that hide their malicious intent (to zombify your smartphone) behind the most innocuous and tempting lure, especially for kids: add-on eye candy for the popular mobile game Minecraft: Pocket Edition.
What’s a professional surrounded by loved ones to do?
Being safe doesn’t mean having to cut off everyone around you, but it may require you to pay attention to what they are doing with systems that you use or share with family and friends, such as home office computers, mobile devices, Wi-Fi networks, NetFlix passwords, etc. I’ve seen numerous parents hand their phones over to their younger children as entertainment devices, often acquiescing to insistent demands to install this app or that app without much attention being paid to what is actually being installed. I’ve even seen this dynamic played out on home office computers and not just to appease little ones. Wi-Fi passwords are simplified and widely shared for convenience, with never a thought that you are handing the keys to your network kingdom to a device you know little to nothing about. It may seem a bit Scrooge-ish or even paranoid to some of your family, but if you are serious about security consider the following:
- If you work from home and use Wi-Fi, but you want to provide internet for your kids or guests, consider setting up a “Guest” Wi-Fi network just for them. Most modern day home firewalls and access points can do this easily. Even the cheap routers provided by ISPs can do this.
- If you have sensitive data on your phone or tablet (and who doesn’t at this point), don’t let others install apps on your device, and definitely don’t let your kids play with it without close supervision.
- If you have access to sensitive data on your home office computer, keep it strictly business and specifically for you. Set up a separate device for guests, family and especially children.
- Don’t share passwords for household internet services like NetFlix unless they are unique. If you use that same password elsewhere, especially on important accounts, you are asking for a breach.
- Always treat emails or messages containing links and enthusiastic urging to “check this out” from friends and family with suspicion. Call and ask if they sent the message, and if they did, ask where they got the link from, followed by a friendly, “Oh by the way, your antivirus is up to date, right?”
Image courtesy of graur razvan ionut at FreeDigitalPhotos.net
DO NOT USE PUBLIC WIFI WHEN WORKING WITH SENSITIVE DATA
Websites and applications that communicate via HTTPS and the use of a VPN will protect you from snooping, but won’t prevent someone from actually piggy-backing onto your data connection and sniffing all the unencrypted traffic, which can include many mobile apps and regular websites that don’t use HTTPS. For much better security, wired networks are still superior and are completely unaffected by this particular flaw.
- This exploit has not yet been seen in the wild, and it does rely on someone being physically close enough to you to start the attack.
- In any instance when either the provider or receiver are patched to fix this loophole, this exploit will not work.
- Android 6.0 devices and newer, which are just about all current and previous generation phones and tablets.
- Any routers or firewalls with built-in WiFi
- Just about all consumer-grade WiFi access points
- Unpatched computers with WiFi capabilities
- Home automation devices that rely on WiFi for control (Nest thermostats, Ring doorbells, etc.)
- WiFi connected cameras
It may be days or even weeks before this vulnerability is patched on mobile devices, and in the case of some older phones and tablets, this vulnerability may never be patched if the manufacturer has abandoned support for that particular model. Windows 10, 8 and 7 have already been patched. Apple has a patch in beta right now for most of its late model devices and OS X, and most variants of Linux are already distributing patches for this hole. Firmware updates for higher-end, late-model routers and access points are likely to happen, but it will vary greatly by manufacturer and age of device, and it’s still too soon to tell when or if automation and security devices will be patched.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
I spend so much time looking at search results that I’ve learned how to effectively ignore the advertising surrounding them, but two recent client incidents have again reminded me that not everyone is savvy to the way that Google and several other search engines present their search results, and more importantly, how advertisements are displayed on the very same page, above the actual search results giving them visual priority over actual, legitimate links. Depending on how harried or distracted you are at the moment, you might not notice that the first few items presented on the results page are actually ads, and this is where things can get nasty. One of my clients was having trouble with Quickbooks and typed this search into Google, “Quickbooks Payroll support”. Below is the actual page that comes up in Google with names and numbers blurred to protect us from being sued by the illegitimate advertiser (click for a larger view):
What’s going on here?
The first two links provided are advertisements, as indicated by the small “ad” icon on the second line of each entry. Easy to miss, especially if you are looking for a phone number (which my client was). Right next to the “ad” icon is the actual domain and URL of the entry. For the entry marked as “1” on my screenshot, the domain was for a company definitely NOT Intuit (the developers of Quickbooks), which would also provide a hint that this “search result” might not be what you think it is. The third entry marked as “2” in my screenshot is the actual link to Intuit’s support website, and (after several clicks) eventually will lead to a real phone number to call for support from Intuit.
My client called that first number at the top of the page and walked right into a classic scareware scam. The “technician” on the other end claimed to be Quickbooks support and promised to help my client with their issue, but they had to resolve numerous “errors” prior to doing so, and they would only perform this work if my client renewed their Intuit “support subscription”. The “tech” showed my client an “log” full of errors and then quoted them an outrageous price for a one-time “cleanup”. Smelling a rat, my client hung up on the scammer and called me. After a quick recounting, I was able to ascertain that they fell down this rabbit hole because the top link on the search results page isn’t Intuit, but an ad designed to trick the unwary into a costly mistake. Once I pointed out the tell-tale signs, my client soberly asked how many other people fall for this trick. Unfortunately, quite a few people get fooled by this scam, and it’s important to point out that buying an ad with that sort of ranking isn’t cheap, so clearly this tactic is paying off.
How do I avoid getting tricked?
Never forget that Google runs ads right next to its search results. Look for the visual clues that differentiate ads from actual search results – legitimate providers always identifies their ads, but their means for doing so isn’t always obvious. Type the URL manually in a new browser window instead of clicking the link. There are numerous examples of domains deliberately registered and used that look like the website they are spoofing, including using unicode characters to produce character strings that look like actual domains but are in fact cleverly-designed counterfeit sites that will lead to further technology ruin. Always be suspicious if a vendor you are calling asks for payment information up front, and even more so if they immediately open with a screensharing invite. Another great way to tell if they are trying to con you is to offer to conference in your IT consultant (me, for example). Legitimate support providers will always agree to this, but scammers immediately make excuses or will try to discourage you from getting a second opinion as your IT person is “probably not qualified” or not good at their job (“otherwise how would so many errors/viruses/problems be on your computer?”) Another client of mine had someone she had called for printer repair ask for a screenshare session and credit card payment to resolve the issue, when all she wanted was help to remove some jammed paper in her printer. She too had been fooled by an advertisement masquerading as a support website for her printer’s manufacturer.
Stay vigilant, and always be careful when calling numbers you find in search results. At minimum, follow the link by manually typing in the listed URL to make sure it leads to your manufacturer’s website, and verify that it’s the legitimate site with a little exploring. Most counterfeit sites aren’t much deeper than a page or two before they try to lure you into giving up your data, so be wary of sites that seem small, broken or unfinished. The top search engines and many antivirus platforms (including Webroot used by C2) also keep track of counterfeit websites and will warn you if something seems suspicious. Keeping your eyes wide open and your brain on the defensive will help you avoid getting goosed by fake ads.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Yahoo has just announced that instead of one billion accounts being compromised in the 2013 security breach, all of its approximately three billion accounts were compromised in some form. In case you’ve lost track, the 2013 breach is different from the 2014 breach, in which “only” 500 million accounts were compromised. The press release from Verizon/Oath is predictably vague, stating that information stolen did not include passwords in the clear, banking information or payment card details, but did not detail what was stolen/exposed in the breach. The statement “passwords in the clear” could be taken to imply that encrypted passwords were stolen, and who knows whether they were stored securely, as since then, several weakness in previously-used encryption methods have since come to light. Seeing as this was 4 years ago, it’s highly likely that any encrypted information stolen has already been cracked.
What this means for you:
If you haven’t stopped using Yahoo as an email provider, it’s time to kick that email address to the curb, especially if you are using it for business. Yahoo has repeatedly demonstrated it’s not deserving of your trust or your data, so its time to stop using them. Period. Your second takeaway should be this: stop using the same password for everything, and definitely don’t resurrect old passwords thinking that there is no way someone could come across that password. I will guarantee you that despite the gigantic amount of leaked identity information out there, it has been amassed and cross indexed. If you used a password on Yahoo, LinkedIn, Adobe, or any of the numerous other breaches that have occurred in the past 5 years, that password is in a database next to your email address, and it will be used against you, guaranteed, if it hasn’t already.
Looking for a way to create memorable, but unique passwords? Try this site. My favorite setting is:
- Two words
- 4-8 characters each
- Alternating case lowerUPPER
- Surrounded by 2-digit numbers
If you are looking for a way to organize and use the many unique passwords you are creating, try one of these services:




![printlogo[1]](https://c2techs.net/wp-content/uploads/2017/11/printlogo1-460x260_c.png)







