Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

T (818) 584 6021
Email: [email protected]

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302

Open in Google Maps
QUESTIONS? CALL: 818-584-6021
  • HOME
  • BLOG
  • SERVICES
    • Encryption
    • Backups
  • ABOUT
    • SMS Opt-In Form
    • Terms and Conditions
    • Privacy Policy
FREECONSULT

Honda key fobs vulnerable to hack

  • 0
Christopher Woo
Tuesday, 12 July 2022 / Published in Woo on Tech
Honda Hacked

If you are a long-time reader of this blog, you’ll know that while the majority of our focus is on business technology, I like to keep an eye on all technology, especially issues that can affect our quality of life and personal safety. Hondas are very popular (even here in Los Angeles where it seems like every 3rd car is a Tesla) and according to at least one statistics website, Honda accounts for between 8-9% of the U.S. car market in 2020 and 2021, and the Honda CR-V is near the top of the list of best-selling vehicles for the past several years. It’s safe to say that there are probably millions of Hondas on the road right now, and apparently any that are accessed using a key fob are vulnerable to a hack that allows attackers to unlock car doors and remotely start engines if the car has that capability.

What this means for you

If you own a Honda, you may want to give this article a read, which was based a relatively unknown vulnerability dubbed “Rolling-PWN” by the researchers/hackers that discovered it. The vulnerability is documented and published in the National Vulnerability Database run by the National Institute of Standards and Technology, which is about as official as you can get in terms of documenting vulnerabilities. Despite this, Honda has yet to confirm or even acknowledge the issue. Which also means that there is very little you can do about it other than the following:

  1. Reconsider what sort of valuables you keep in your car, even if you don’t drive a Honda. This particular hack may not be limited to just Honda according to the researchers. It just happens to be the manufacturer they’ve tested and confirmed vulnerable across multiple years and models.
  2. Even though they may be able to start the car, they can’t drive the car because they can’t exploit the proximity requirements of the key fob…yet. Regardless, if you park your car in a garage, make sure that it is well ventilated. Carbon monoxide kills, and some prankster might put you in real danger by leaving your car running for hours in garage with poor ventilation.
  3. Perhaps write a letter to your local congress-critter (Representative and Senator) asking them to look into Honda’s seeming disregard for a significant security issue. If you are friendly with a local Honda dealership (because you own a Honda and use them for service), you could also stop in and show them the article and a link to the exploit on the official government website of vulnerabilities as well. If enough of us raise our voices, perhaps some of these big companies will take notice!
exploitHackingHondaNISTsecurityvulnerability

Gmail security change creates unintentional headaches for businesses

  • 0
Christopher Woo
Tuesday, 21 June 2022 / Published in Woo on Tech

You may not realize it, but your organization is probably using one or more free email accounts from platforms like Google and Microsoft. Smaller companies may still be using them as their primary email accounts (let’s talk – you need to stop doing that!), but most have moved up to what we call “enterprise-grade” versions from the same providers. Despite upgrading their email to the more secure, paid services, many companies opt to continue using free-mail accounts for various applications like email copier scanning, Quickbooks invoicing, and automation systems that send out email alerts. In the case of the latter two, not having this functionality could result in some pain or even safety concerns.

What did you do, Google?

I looked back at my long-standing free Gmail account to see if Google sent any notifications out about this change. I don’t see anything in an email, but it’s likely they posted on-screen notices in their webmail interface, which I rarely see as I use Outlook or my phone to view email for this particular account, so I’m going to say this was a stealth change. What changed? They removed the “less secure apps” feature on May 30th of this year. Unless you are a Gmail aficionado or in IT, you probably aren’t going to know what this does, or how it impacts you now that it’s gone. In a nutshell, it allowed you to use your Gmail account with applications that Google considers “less secure” – including Outlook (a little rivalry shade or legit concern?) and more importantly, any device or service that uses SMTP delivery to send emails via their servers, such as your multi-function copier when you scan to email, or your building automation alarms that send emails to engineers or security that there is a leak or a door propped open. If you suddenly find that something that was previously Gmail-powered has stopped sending emails, it’s probably because you were using the less secure apps feature to do so.

How do you fix this?

Unfortunately, it’s not as simple as turning that feature back on – Google has removed it completely. Now you will have to set up an “app password” for your service or function to use. As the name would imply, app passwords are passwords that are set up for a specific application and only that application. You can have multiple app passwords for your email account, and they aren’t recoverable or resettable if you happen to lose them. That’s OK because they can be re-created easily and without additional cost (except for your time) as long as you can log into your Gmail account using your main password. However, in order to enable the app password feature, you have to set up 2-Factor Authentication for your account, and before you think of jumping ship to Microsoft’s Outlook.com free-mail service, they are doing the same thing – requiring 2-factor authentication before you can set up app-specific passwords. You can thank the hackers and spammers for this – they have been abusing free-mail accounts for years and finally the big boys are doing something about it by locking down exploited features of free-mail accounts, but rest unassured – this will only slow them down, and create minor headaches for everyone else. Get used to it – two factor isn’t going away anytime soon.

emailgmailGooglesecurity

Japan strengthens cyberbullying penalties

  • 0
Christopher Woo
Tuesday, 14 June 2022 / Published in Woo on Tech

As Americans, you may be surprised to hear that Japan has laws that cover cyberbullying. Up until recently, offenders could be jailed for up to 30 days or fined 10,000 yen, which is currently equivalent to about $75 US. Due in part to the suicide of a Japanese reality-TV star following months of social media abuse, Japan’s parliament strengthened those penalties to up to one year and 300,000 yen. While there are laws in the US that govern libel and defamation, including the ones that have been highlighted in another, much more high-profile case, the language and penalties are vague enough that cyberbullying is rarely prosecuted, as is demonstrated with the rampant abuse that appears regularly in all social media platforms.

What this means for you

Opponents of this legislation are understandably concerned that this type of law could lead to suppression of free speech and criticism of those in power and cite the vague language of the current penal code that determines what constitutes an insult and where it differs from defamation, another activity that is governed by separate laws in Japan. As it stands the increased penalties only came after both sides agreed that the language of the law should be reviewed in three years time to gauge whether the stiffer punishment had any chilling effect on free speech. Prior to this recent change in Japanese law, several people were convicted of cyberbullying in the matter of the aforementioned suicide, but the penalties were so slight (fines of $66 USD) that the ruling just incited outrage amongst the communities lobbying for more attention on social media abuses.

As serious as the Japanese take the concept of honor and “face,” the same could be said of how passionate Americans are about free speech, and despite pledges from the major social media platforms, reforms, moderation and accountability are still only paid lip service with very little concrete action from any platform. We are currently at a crossroads of ethics, capitalism and global politics – platforms like Facebook are so monolithic and monopolistic across all societies and cultures they defy any and all country’s laws and norms, to the point of being able to set the rules and enforce their own worldview, apparently with no accountability, forcing countries who are trying to protect their citizens to make laws that possibly undermine values they claim to value the most. Various laws have been made here in the states that challenge both sides of this thorny issue, but it only highlights the fact that the internet and social media has given bullies more freedoms than should have been allowed, ever. It also asks a very uncomfortable question: do humans have the inalienable right to be awful to their fellow humans with no accountability? There seems to be a lot of people who think that our First Amendment allows just that.

Image courtesy of Stuart Miles from FreeDigitalPhotos.net

cyberbullyingJapanlawsocial media

Still no update to address Office Vulnerability

  • 0
Christopher Woo
Tuesday, 07 June 2022 / Published in Woo on Tech
Warning!

We are now well into week two of a significant vulnerability in all versions of Microsoft Office which allows attackers to use the preview function of Office apps to execute malicious code on Windows PCs. Though Microsoft finally admitted to it being a problem in their CVE posting last Tuesday after knowing about it since early April, they have yet to actually issue any updates to fix the problem. For the moment, we still only have a single way to mitigate this problem, by manually removing Office’s ability to use the app that contains the vulnerability.

What this means for you

What’s unnerving about this lack of urgency on Microsoft’s part is that this vulnerability – dubbed Follina – isn’t obscure or hard to exploit. It’s in the wild now, as reported and cross confirmed by several security firms, including Proofpoint (whose services we use to protect our clients). At the moment, it’s not clear when (or if!) Microsoft will address this weakness. The danger of Follina is in its ability to be exploited covertly to exfiltrate data. Microsoft Office is pretty much a fixture of every business and government entity on the planet, and the fix is not something your average office worker is going to be able to apply, nor confirm that it is in fact effective. Typical virus protection may not detect an attacker exploiting Follina as the attackers can use existing apps and protocols built into Windows to do their exfiltration, and once they have a better understanding of what access and data their compromised machine contains, they can focus their efforts on establishing additional footholds from within, whether in an attempt to ransomware a company, exfiltrate valuable information, or undermine a governmental organization. For now, all we can do is hope that Microsoft realizes how bad of a problem they have on their hands and actually issue a fix. In the meantime, you can contact C2 to make sure the interim fix gets applied to your Windows workstations, as well as ensuring your critical data is backed up in the event you are attacked.

Bolster your vigilance with technology and expertise

  • 0
Christopher Woo
Tuesday, 17 May 2022 / Published in Woo on Tech

A little over a month ago, I wrote about how being vigilant wasn’t going to be enough to stay safe on the internet. Don’t get me wrong, being vigilant about technology safety is a base-level requirement, like understanding elemental concepts like “fire hot” and “that scorpion is dangerous”. But knowing you need to be careful and exerting the discipline and training to actually be safe are miles apart in execution. In case you haven’t heard my analogy before, internet security is likely juggling dozens of plates while hackers continually toss more plates into your hands. They win when you drop even one plate, and they have an endless supply of plates and patience while they wait for you to lose focus. But what if you could add some robot arms to your juggling act?

We can all use an extra hand (or two) these days

At one point, it was possible for a normal human being to self-manage their business technology. Many business owners saw it as a rite of passage in securing their own domain name, spinning up a website and email boxes for all their employees, while simultaneously ordering a bunch of computers in black-and-white boxes. You could buy and install virus and spam protection from a friendly nerd named Norton and it did the trick. All was (relatively) well until the internet connected everything and hackers discovered that cybercrime was profitable. Hugely profitable. They upgraded quietly while the rest of the world marched on oblivious, starting an arms race in which our self-built technology infrastructure was outpaced before we even know there was a race. While you were busy running a business (and not a never-ending technology upgrade parade), they were running their own business of dismantling or bypassing your rapidly aging technology security.

Unfortunately, the insurance companies see this, and are now recommending or requiring all companies big and small to use advanced security tools that even the large enterprises with dedicated IT staff are only now adopting. But here’s where you have the advantage in this juggling act: big companies need a lot more robot arms than you do to keep all those plates in the air but, as always, there’s a catch: you still need some robot arms and implementing them isn’t as simple has mail-ordering some parts in a Holstein-colored box. Today’s new security technologies are complicated like you might imagine robot arms to be, and even worse, if you install or use them incorrectly, the insurance companies might even deny your claims. But you have this covered because you are partners with C2, right? Call us and ask about our new security bundle for small businesses – let’s add some robot arms to your juggling act!

Image by kiquebg from Pixabay

cybercrimeinsurancesecurityvigilance

Ransomware attack shuts down college. Permanently.

  • 0
Christopher Woo
Tuesday, 10 May 2022 / Published in Woo on Tech

Having your company’s operations halted due to a ransomware attack is pretty high up on the list of nightmare situations for any business owner. Depending on the severity of the attack and the state of your backups and business continuity plan, this could mean days of downtime while data is restored, and systems sanitized. In the case of a storied Illinois college, it took them months to restore services after a ransomware attack in December 2021, and by the time systems were brought back online, the downtime was enough to hammer the final nail in the coffin for Lincoln College, a 157-year old institution that was already financially reeling from the Covid pandemic.

What this means for you

It’s unclear from the small amount of information available on the incident on why it took so long to restore systems at the college, but if my time in the higher-education industry illuminated anything for me, it was that academic institutions aren’t always at the forefront of technology security or disaster recovery, mostly because of underfunded technology budgets. If I had to name one thing that always catches ransomware victims off-guard, it’s the misconception that their particular company or organization is not worthy of being targeted for these types of attacks. While cybercriminals are definitely targeting high-value organizations in a very specific and determined manner, there is a wider, more generalized “net casting” of ransomware attacks that are more opportunistic and seem to care not for the financial means of the victim. Lincoln College may have not been targeted specifically – someone with sufficient privileges to key systems may have inadvertently fallen into a widely-cast phishing net (a broadly targeted phishing campaign), and once the hook was set, the hackers moved in for the kill, not caring (or even knowing) that the college was already in dire financial straits. What most people don’t realize is that there is literally no financial disincentive for hackers to attack, hook and ransomware as many targets as possible. It costs them literally nothing to spread ransomware, and if the victim doesn’t pay, they just move on to the one that will. Unfortunately for victims without proper data backups and a business continuity plan, that random attack could shutter the business for good.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

backupsransomwaresecurity

T-Mobile hackers grab source code, try to hack govt accounts

  • 0
Christopher Woo
Tuesday, 26 April 2022 / Published in Woo on Tech
T-Mobile hacked

Last year we wrote about T-Mobile getting massively hacked, which essentially led to their entire customer database being leaked. This was a problem because among the information leaked were cell numbers and their associated, unique IMEI numbers which in theory could result in phones getting duped and/or services for accounts being switched to a different phone if the hackers had access to some of T-Mobile’s core systems. And now we’ve come to discover they did in fact have that privileged access, though we do not know to what extent it was used to exploit the information they most assuredly had. T-Mobile has since confirmed that hackers did have access to very sensitive data, including source code and privileged accounts, which the hackers themselves have boasted about stealing. As revealed in private chat logs acquired by security researchers, the hackers also admitted to not being able to access law enforcement and DoD T-Mobile accounts to attempt sim swaps, but it’s not clear if they were successful with non-government accounts.

What this means for you

Many people use texts sent to their smartphones as a second-factor authentication method. If a hacker were able to SIM-swap or dupe a phone used as such, and they had other elements of that person’s digital life, such as logins and passwords to online banking that are protected by SMS-based second-factor, then those accounts are no longer secure, and most likely exploited. The most important element of a second factor is the fact that it is something that is in your sole possession, and this hacking group’s access to secure T-Mobile account management systems completely undermined that security method for T-Mobile devices.

As is to be expected, T-Mobile has been tight-lipped about whether or not it has been able to keep hackers out of their core account management systems. Supposedly they are safeguards in place that prevent the tools from being run from unauthorized computers and networks, but according to the same chat logs mentioned above, it was clear this particular threat group already had this particular problem solved. Even when compromised credentials were shut down, this group continued to secure new, usable credentials either by buying them through the dark web or tricking actual employees into giving up their credentials. By their own alleged admission, the leader of this threat group shut down their backdoor access so as to not draw too much attention to their efforts before he was able to achieve his personal objective of stealing T-Mobile’s source code. This did cause some infighting within the threat group as there was a faction that wanted to keep trying to gain access to government accounts, and others that wanted to target high net-worth accounts for SIM-swapping and account takeovers.

Fortunately for us, and possibly for T-Mobile, seven teenage members of the threat group behind the T-Mobile hack have been arrested. Ironically, they were identified probably by getting doxxed from within their own hacking community which appears to be rife with infighting and drama, just like any other large, online community. Does this mean you can trust T-Mobile’s security? I moved my family’s service off T-Mobile despite being a fan of their customers service for years. Is the carrier I moved to any more secure than T-Mobile? Only time will tell, but they, like all the others, are run by humans, and as we all know, humans make mistakes. Is it time to add another line to the list of life’s certainties? Death, Taxes and Hacking? Somedays it certainly feels like it.

Why does everything have a password?

  • 0
Christopher Woo
Tuesday, 19 April 2022 / Published in Woo on Tech

For those of us who’ve been using computers in the workplace for more than a decade or longer, we have frequent “Pepperidge Farm moments” about technology (and other stuff too, let’s be honest!) but for good reason. How many of you have been grinding through emails for the better part of a Monday morning, gathering up a pile of work, and when you go to open that attachment (which you know is safe, right?) and instead of getting to work, you get password checked. More often than not, if you are from my generation or possibly older, you’ll grind your teeth while looking up those credentials and reminisce about those halcyon days when apps just opened and let you get to work. They didn’t need constant updates, repairs and password checks. You opened them, did your work, and maybe left them open for days at a time, because they didn’t need to be relaunched three times a day just to keep it functioning.

Get off my lawn?

I know that joke doesn’t play as well for the younger crowd, but while they are quietly chuckling about our obsession with ancient technologies like email, they too are subject to the same plague of passwords and the various hoops we all have to jump through in our current technology age, and they don’t have those yesteryears to view through nostalgic glasses. Those bygone days may have seemed glorious; some of us remember when your appliances didn’t need Bluetooth to wash clothes, or doorbells needing WIFI to work properly, or needing a phone app to get a date. But those were also the days when pregnant women drank and smoked, kids rolled around in the backseat or cargo space without seatbelts, and computers (and ourselves) weren’t connected to the internet all the time.

The internet is and will be a permanent part of our culture, business and human progress, whether we like it or not. It has allowed us to globalize and democratize in a way that eclipses every other technology before it, but as I have mentioned before, not without a razor-sharp edge that cuts both ways. The rise of cyberthreats have forced our technology tools (and toys!) on a security march at a pace that no sane consumer finds comfortable, and the only way technology companies can keep us (moderately) safe and stay profitable (and therefore viable) is to move their pricing models to subscription-based services to support the constant development costs. Which also means for the foreseeable future you are going to have to regularly prove you have the right to use the technology to which you subscribe. The only way passwords go away is if we find a better way to authenticate you as you, and so far, even though the need and the threat has existed for well over a decade, no one has found a better, cost-effective solution than the password.

Image by Gerd Altmann from Pixabay

nostalgiapasswordssecurity

Apple AirTags used to stalk women

  • 0
Christopher Woo
Tuesday, 12 April 2022 / Published in Woo on Tech

Back in February I wrote about a nasty new trend of hiding Apple’s AirTags to covertly track targets for various illicit and possibly harmful pursuits. At the time, the media had a handful of reports of the small tracking devices being used to locate and steal cars, and 2 high-profile instances of alleged stalking but it seems to have been enough negative attention to get Apple to address this unintended use case. Since the reporting in Februrary, Apple has made some changes to the technology that will make unwanted or hidden devices easier to find, which appears to be working more or less, as police report filings seem to be demonstrating.

What this means for you

From reports acquired from eight police departments, Vice Magazine identified 150 reported incidents involving AirTags, and 50 of them were from women who detected and/or found unknown AirTags being used to track their location. Using GPS devices and software to track people covertly isn’t new, but the widely available, cheap ($29) and easy-to-use AirTag has delivered a stalking tool of nightmarish proportions. On top of this, if you don’t own an iPhone and aren’t aware of the Android app (Apple’s app and the open source one I recommended on my previous post) that can detect unwanted AirTags or aren’t even aware that such a technology exists, it’s quite possible there are plenty more people who are being stalked and just don’t know about it. Just doing back-of-the-napkin math based on an average of six reports per police department, with approximately 18,000 police departments in the US, we’re looking at potentially over 100,000 potential victims, just in the US. Unfortunately for everyone, this technology cat is well out of the bag – estimates have as many as 25M of the devices sold since launch, and even if Apple was to stop producing this device, a dozen cheap copy-cat devices will step right into the void, with or without Apple or Google’s permission. Even more disheartening was the reported knowledge gap many victims encountered from local law enforcement when reporting the digital stalking. It’s not even universally clear whether using AirTags to stalk someone is a crime, nor would it be practical for law enforcement alone to police this problem. We have yet another technology pickle on our hands where perhaps profit got ahead of thoughtful and ethical implementation.

Image by Tumisu from Pixabay

airtagssecuritystalking

Personal vigilance won’t be enough

  • 0
Christopher Woo
Tuesday, 05 April 2022 / Published in Woo on Tech

Though it won’t be something most of us would like to hear, staying safe in technology is no longer a matter of being savvy, street-smart and vigilant. The concept of “rugged individualism” is considered one of the foremost tenets of American culture and stems from the countless (and most likely glorified) stories of pioneers and young entrepreneurs fighting what seems like impossible odds to come out on top, merely through tenacity, ingenuity and pluck. What the history books fail to share are the numerous accounts of everyone else barely surviving, or in many cases outright failing. Make no mistake, even experienced technology experts are getting hacked, so the chances of you coming out unscathed in today’s dangerous internet environment are slim to none.

What this means for you

Most likely you are in fact experienced, street-smart and savvy. You might be able to troubleshoot basic technology issues, navigate bizarre support bureaucracies to get a password reset, and even change a tire or check your own oil on that Honda Accord that’s still running like a champ after 100k miles. You know better than to use “Secret1234” as a password, and you’ve even figured out how to block some trackers in your browser from sniffing out your shopping habits. Unfortunately, you’ve learned what would be now considered baseline survival on the internet. Unfortunately, the current state of internet security is thus: at no point can anyone, me or the leagues of hardened technology experts, sit back and say, “There! I’ve learned all I need to stay safe online.” Your internet safety habits are the equivalent of learning how to drive, and like most everyone, we still need a pervasive infrastructure, mechanics and engineers to maintain the elaborate systems that have become essential for us to pursue a modern life. The majority of us aren’t expected to be auto mechanics, or even roughly familiar with how a car even works, and likewise I don’t expect everyone to be a technology expert, BUT you mustn’t take it for granted nor undervalue the true costs of staying safe. The more reliant you become on technology, the more you will have to invest in either training yourself, or take the more practical approach of making sure you have an expert like C2 Technology on speed-dial.

Image by Schäferle from Pixabay

safetysecuritytraining
  • 7
  • 8
  • 9
  • 10
  • 11

Recent Posts

  • mid year check-in

    Mid-Year IT Health Check: 10 Things Professional Services Firms Should Review Now

    Most firms set their technology priorities in J...
  • Cloud Migration for Professional Services: When It Makes Sense

    Cloud Migration for Professional Services: When It Makes Sense (And When It Doesn’t)

    Every vendor in the technology industry will te...
  • mid age man working on laptop while floating in the sea summer vacation

    Summer Vacation Security Checklist for Professional Services Firms

    Summer is the one time of year when professiona...
  • The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    I have had this conversation more times than I ...
  • Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote work is no longer a temporary arrangemen...

Archives

  • GET SOCIAL
Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

© 2016 All rights reserved.

TOP