Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

T (818) 584 6021
Email: [email protected]

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302

Open in Google Maps
QUESTIONS? CALL: 818-584-6021
  • HOME
  • BLOG
  • SERVICES
    • Encryption
    • Backups
  • ABOUT
    • SMS Opt-In Form
    • Terms and Conditions
    • Privacy Policy
FREECONSULT

Public Chargers Could Hack Your iPhone

  • 0
admin
Monday, 03 June 2013 / Published in Woo on Tech
Poisoned charger!

The upcomign Black Hat security conference features a topic that may give traveling iPhone users second thoughts about using a public charging station to juice up their phones. Three security researchers from Georgia Institute of Technology have built a prototype device that can hack an iPhone through the dock connector merely by being plugged in. Supposedly this hack can be accomplished on the latest iOS update, and does not require any interaction from the user, nor does it rely on the device being jailbroken.

What this means for you:

I’ve always viewed public charging stations as being rather sketchy to begin with, especially the ones that charge you for the service and offer “highspeed charging” which could easily fry your phone’s battery if not the device itself. I’d rather spend a few extra minutes locating a regular wall outlet and using my own equipment. Supposedly the prototype that will be demonstrated at the upcoming conference is too big to fit into a standard Apple-branded iPhone charger, but the designers of the device inferred that stealthier versions wouldn’t be hard to produce at all.

Most modern smartphones combine data and power in the same port (Android phones and most tablets also feature this same convenience) so it may not be just iPhones that will be vulnerable to this method of attack. For now, make sure you use chargers you know are safe regardless of what type of mobile device you use, and avoid public charging stations. This particular cow is well on its way out of that barn.

AndroidApplechargercharging stationHackingiPhonemactansmalwaresecuritysmartphonetabletvulnerability

Hackers Crack Hashed Passwords in Minutes

  • 0
admin
Tuesday, 28 May 2013 / Published in Woo on Tech
ID-10028974.jpg

In a controlled experiment run by technology website ArsTechnica.com, hackers were given a list of over 16000 hashed passwords and asked to try to decipher as many as possible. Not only were they able to crack over 90% of the passwords in about 20 hours, one of them managed to decipher over 60% of the encrypted passwords in less than an hour using a single computer.

To put this into some context, the target list contained passwords of varying lengths and composition, containing both letters, numbers and symbols, and was encrypted using an MD5 Hash. For the uninitiated, “hashing” a password is a one-way encryption method used to store passwords. When you go to log into your password-protected service, the server takes the password you just typed in, “hashes” it, and then compares it to the hashed password it has stored for you, and if they match, you are authenticated. Hashing is commonly used so that if a server is compromised and a list of passwords is downloaded, all the hackers have gained is a list of unencryptable letters and numbers. Of the encryption methods available, “MD5” is very common, because it requires little computational power, something that busy websites want to reserve for other functions.

The hackers in the ArsTechnica project used brute-force dictionary attacks driven by their own hand-built hash source lists, essentially decoding the target list by comparing hashes with lists that contains upwards of a billion combinations of letters, numbers and symbols. The computers used in this exercise were garden-variety workstations capable of processing several million guesses per second using parts easily procured from any computer store. Late last year one of the hackers involved showcased a cluster computer built using the same parts. Designed specifically for cracking passwords, this machine was capable of processing 350 billion hash guesses per second, and if it had been used in the above exercise, would have rendered out the list in a few hours.

What this means for you:

The real intent of ArsTechnica’s exercise was to demonstrate how trivial passwords are in terms of true security, even ones that are traditionally believed to be very strong, e.g. “qeadzcwrsfxv1331”. The hackers involved in the exercise pointed out the controlled nature of the exercise actually limited their ability and efficiency as compared to “real world” scenarios – the fact that they were limited to traditional workstations and were cracking a list about which they had no further information. Typically, crackers will have much more information about the passwords they are attempting to decipher, such as the security rules enforced when the users create them (e.g. 8-14 characters, must contain a letter, number but no symbols, etc.). Even knowing the service or site the passwords were used on will help crackers decipher passwords, as it will often allow them to uncover the encryption method used to hash the passwords.

If you think you are being clever by creating “hard” passwords that are ten characters or longer and interspersed with numbers, there is a statistically high probability that even that combination will be on these brute-force source lists, especially if you use the common substitutions like 3 for “e”, zero for “o” and so on. Computers have become so powerful that cracking even the most complex passwords is really a matter of patience and persistence.

On the flip side, most services we use are secured against brute-force attacks, at least on an account by account basis. No hacker is going to waste his or her time trying to guess your online banking password via the methods described above, as they would get locked out after the 3rd or 4th failed guess. But if they somehow managed to get into the bank’s servers and download a list of hashed passwords (which has been happening to other services quite often), you can bet your password will soon become another statistical probability in some hackers brute-force dictionary list.

brute-forcecrackingdictionary attackHackinghashingMD5passwordssecurity

Popular Consumer Router Vulnerable

  • 0
admin
Wednesday, 10 April 2013 / Published in Woo on Tech
linksys-ea2700.jpg

Security tester Phil Purviance has gone public with his findings on a popular router that widely sold to consumers and small businesses. He sums it up succinctly:

…any network with an EA2700 router on it is an insecure network! 

The router in question is commonly found at big box retailers like Fry’s Electronics, Best Buy and pretty much any retailer that sells consumer electronics. Purviance reported his findings to Cisco over a month ago, but the hardware giant has yet to comment or issue any fixes to the public.

What this means for you:

If you are using a Cisco Linksys EA2700 router for your internet connection, your device and any computer connected to the EA2700 is at risk. Seeing as most folks aren’t even aware that their routers have software/firmware that can be upgraded, it’s likely that even if Cisco were to fix all the vulnerabilities outlined by Purviance, those fixes are unlikely to be applied by most consumers and small businesses. At the moment, the only true fix for the EA2700 is to replace it with something else, but with what? Researchers are still playing catch-up in this space, as there are literally hundreds models of consumer-grade routers installed in the US alone.

As a business owner, you should consider upgrading to a business-class router from a major manufacturer like Dell, Cisco, Fortinet, etc. (Cisco’s business-class equipment, ironically, is typically considered a standard choice). At the very minimum, understand what you have installed, upgrade the firmware if possible, and check with your local IT professional (C2 is always there to answer your questions!) to determine if there are any widely known exploits published about your particular router model.

ciscoconsumer gradeea2700exploitsHackinghome routerlinksysrouterssecurityvulnerability

Home Internet Routers Could Be Next Hacker Target

  • 0
admin
Wednesday, 03 April 2013 / Published in Woo on Tech
Hackers invading your home

As if you didn’t have enough to worry about, the security blogosphere has dragged another bogeyman out into the daylight, and this one is ugly. Researchers from ioActive are now positing that rather than targeting businesses and their more sophisticated technology defenses, hackers could very easily begin to target consumer-grade equipment installed by internet service providers (ISP’s e.g. Time Warner or Comcast) in your home.

Why would they do this? Aside from the much flimsier technology used throughout the home-internet industry, the IP address assigned to your device is easily discoverable because the ISP’s themselves publish information about entire blocks of internet addresses that are allocated to them. This is doubly bad because not only do hackers now have an easy-to-parse list of targets, they can make assumptions about the targets based upon the ISP that services those addresses: things like the types of equipment used by the ISP (and default passwords), geographical locations, even the types of internet service (ie. DSL, cable, satellite, etc).

As part of their investigation into the feasibility of such an attack, ioActive researchers were able to compile a list of 400,000 actual devices installed in customer homes that might be vulnerable to a simple attack that could allow hackers to “own” the device and use it as a means to gain access to any computer connected to that device, ie. all the computers in your home. The basis for the attack? The simple assumption that the default administrative password was not changed since it was installed by the ISP.

What this means for you:

Having equipment installed in your home that you don’t understand and can’t personally confirm as secure is risky and negligent. It would be akin to leaving power tools lying around within reach of a child. Sadly, most ISPs have very thin (to nonexistent) policies around governing the security of the devices they install in your home, and worse, they often rely on third-party labor to do the installs, further increasing the chances that your router was installed quickly and possibly carelessly. On top of this, how many of you after having waited multiple hours for an internet install to happen, watched the installer rush out the door before learning anything about how your new equipment works, who to call for support, or how to change the password on the newly installed router?

Do yourself a favor: familiarize yourself with your internet router, WiFi access point, or any other piece of network equipment in use in your home, figure out how to log into the device(s), and then change the password to something that is hard to guess, and written down in a safe a secure place. Don’t make it easy for the hackers by continuing to ignore the backdoor into your home network!

adslcablecomcastHackinghome networkinternet servicepasswordroutersecuritytime warner

Is your webcam spying on you? Maybe.

  • 0
admin
Wednesday, 13 March 2013 / Published in Woo on Tech
Eye Spy

When laptops and desktops first started shipping with webcams built right into the chassis, people immediately started joking about their computers spying on them, and I saw numerous semi-serious and completely serious attempts to cover them up with tape, post-it notes, permanent marker and just about anything people could put their hands on to alleviate that prickling sensation of being watched. Unfortunately, reality isn’t typically far behind imagination, and you probably aren’t surprised to know that it is completely possible for your webcam equipped device to be hacked, and yes, your webcam activated and watching whatever is in front of it. Not scary enough for you? What about that laptop you just gave your daughter?

Sadly, this isn’t just a scare tactic. ArsTechnica has a chilling article that takes a detailed look into the creepy world of “ratters” – young, mostly-male hackers who use covert Remote Access Terminal software (RATs) installed on compromised computers for the express purpose of spying on and remotely tormenting their “slaves.” RAT software is based on the same technology commonly found in support software used by IT professionals (like C2) to provide remote assistance and control on their customer’s computers. Unlike those legitimate tools, RAT software is designed to being undetectable and easy to install and spread without the victim’s knowledge.

What this means for you:

In nearly every case of malware attacks, especially ones that can deliver a payload like a RAT package, the incursion is typically the result of an action taken by the victim: visiting questionable websites, opening unknown attachments, clicking strange links in emails. Alongside of this is a set of inactions that the user is also guilty of: failure to install reputable antimalware software, failure to make sure the OS and installed software are kept up to date, and of course, failure to remain constantly vigilant!  As you’ve heard me say many times, nothing will stop a dedicated hacker from penetrating even the most stalwart of defenses. However, a good malware application and some common sense will put you miles ahead of the less cautious and less safe and typically off the radar of hacking ratters, who are looking for easy targets.

Another simple solution? That piece of tape ain’t looking so bad now, right? Just remember to cover the lens and not the “activity” light for the camera, which will tell you when your camera is possibly watching your every move. As always, if you notice your computer behaving strangely, disconnect it from the internet immediately and call a professional for advice.

Image courtesy of idea go / FreeDigitalPhotos.net

exploitationHackingmalwareprivacy invasionratting

Fake Emails are getting harder to spot

  • 0
admin
Tuesday, 26 February 2013 / Published in Woo on Tech
No Phishing Zone!

Just this past week I received 2 emails that looked very legitimate, but were in actuality very cleverly designed phishing emails meant to trick unwary individuals into making some bad decisions. And when I say “cleverly designed” I mean that even to my experienced eye, the emails looked very real, with properly implemented graphics, clever use of recognizable branding and even using text from actual legitimate emails to camoflauge the hook.

How did I know they were not the real deal? Well, first off, Gmail’s spam filters flagged them right away (score one for Google!) but there were a couple of other things that immediately marked them as fishy, and a little more investigation revealed the true colors of these sophisticated phishing attempts. These types of emails will happen more frequently once the cybercriminals realize how much more effective they are, so I think it’s time I showed you some techniques for spotting counterfeits before they trick you.

Apply Common Sense

Are you a customer of the company, service or brand that sent you an email asking you to do something? Is what they are asking you to do something that makes sense for that particular company/service/brand? In the example here, I received an email that looks like it was from ATT notifying me that my monthly account was ready for review. OK, this would have passed the “smell test” for me a couple years ago, but I’m not an ATT customer anymore. However, ATT is the largest cellular provider in the US, so it’s not inconceivable that many, many people thought this was a legitimate email.

Who’s the email from? And who is the actual recipient?

In the fake ATT email, you can see clearly that the sender on this email is totally bogus (outlined in RED at the top). Why would ATT be sending an email from the IRS? Always look closely at who the sender was on the email, especially if it looks like it’s something you might expect to see in your email box. Is that email address actually correct. Call up the sender to ask if they actually sent the email.

In my second example, the sender actually looks like it might be legitimate at a passing glance. They got the domain right, so now you have put your security glasses on and take a harder look. This particular email was sent to a recipient address that is an alias for a webmaster inbox for one of my clients. I know for a fact she uses Quickbooks, but I also know she would never have used this particular email address to register the product or create an account because it goes to my email box, not hers. On top of this, there are several other addresses in the CC field (including 2 that weren’t actually email addresses), something you should never see when receiving a legitimate, automated email from a company like Intuit.

But once again, the content looks legitimate, and it’s not unlikely that the phisher landed a few hooks, considering how widely used Quickbooks is in the business world. So, let’s dig a little deeper!

Are the embedded links legitimate?

Outlook provides a handy feature that allows you to roll over a link in an email and see the actual URL of the link, even if it isn’t typed out in the email (which it never will be in a phishing attempt). Webmail users may not have this function handy, depending on the browser and the service you are using. Regardless of what program you are using, NEVER CLICK LINKS THAT YOU CAN’T ACTUALLY VERIFY, AND IF YOU HAVE THE SLIGHTEST HINT OF DOUBT, STOP CLICKING AND START DIALING FOR A HUMAN! (If ever there was a justified need for all caps and bold, that was it.)

In my two examples, you can clearly see that neither of the “call to action” links actually go to sites that have even the remotest connection to either of the services they purport to represent. Why would my American ATT account need me to click a domain in Australia? Why would I ever download US Withholding Data from a domain with “latina dot com” in the name?

What this means for you:

These types of emails will continue to become harder to spot, and I will guarantee you that the cybercriminals will continue to improve their counterfeiting techniques once they see how effective they are as compared to the past easy-to-spot and detect trash that normally fills our Junk folders. Unless the good guys come up with better ways to protect us (and they haven’t yet!), the best defense is (as my good friend Prof. Moody likes to shout) “Constant vigilance!” Take the time to read all emails carefully, and think twice before clicking once.

counterfeitcybercrimeemailfiltersHackingjunkmalwarephishingsecurityspam

Apple joins the ranks of hacked companies

  • 0
admin
Thursday, 21 February 2013 / Published in Woo on Tech
Apple Logo

In a rare public admission, Apple has indicated that some of its own internal Macintoshes have been compromised in a cyberattack that security researchers believe similar to the one that breached Facebook last week. Announcements from Apple of this type are very rare, as Apple has long touted one of the strengths of its platform was how “unhackable” it was compared to Windows. In this particular case, Apple has little to lose, as it’s pointing the finger of blame for the hack at Java and a vulnerability that was taken advantage of to gain access to Apple employee computers.

What this means for you:

Apple’s recent breach is just one more notch in cybercrime’s belt that includes a long list of illustrious companies like the Wall Street Journal, Twitter, Facebook, Jeep, and Burger King, not to mention the numerous intrusions of government agencies and countless hacks of businesses that go unnoticed and un-reported. In the case of the Apple and Facebook breaches, the source has been tied to a  mobile development website that both company’s employees accessed, and according to both companies, there appeared to be no evidence that customer data was compromised in the attacks. As I’ve maintained all along, the business world is now entering a new age of security unknowns as serious criminals continue to exploit technology to serve their needs, and are able to outspend and outgun the average small and medium size business. Before the age of computers and the internet, your odds of being targeted by a criminal organization were minute compared to today, where organized crime can now “crowd-source” affiliate-based networks that pay anonymous hackers in any number of a dozen untraceable ways to rent out zombified computers and webservers by the hour for a handful of dollars, and use pre-scripted attacks to launch massive, shot-gun targeted campaigns that only need to snag a small percentage of victims in order to be profitable. This is not some imaginative, cyberpunk movie plot – it’s happening right now, as you read this article. Moving forward, the only way to combat this growing threat will be a combination of vigilance and smart investments in security technology, policy and training. 

Appleburger kingcybercrimefacebookHackingjava exploitjeepsecurityTwitterwall street journalzero day

FED and DOE Hacked

  • 0
admin
Tuesday, 05 February 2013 / Published in Woo on Tech
Hacker invading your laptop

Following recent attacks by hacktivist group Anonymous on various government websites, the Department of Energy has reported that it too has been hacked, and personal information on hundreds of its employees has been compromised. The DOE has been relatively tight-lipped about the breach, and it’s not immediately clear whether this may be related to Anonymous’s current campaign “Operation Last Resort” which aims to reform computer criminal laws in the wake of internet celebrity Aaron Swartz’s suicide. In the case of the Anonymous-led attacks, various government websites have been completely taken over by hackers and used to post derogatory videogame parodies and login credentials for hundreds of banking executives.

What this means for you:

The gloomiest of the doomsayers are saying that in the near future, there will be only 2 types of businesses: “Businesses that have been hacked, and ones that don’t know that they’ve been hacked.” We’re not there yet, but some analysts believe we’ve hit an inflection point in cyber security where the criminals are now ahead of the business world in terms of sophistication and advantage. If the above is any indication, many government institutions are probably even further behind businesses in terms of security. Does that mean it’s time to pack up all that technology and return to paper ledgers, brick and mortar storefronts and hand-written checks? Not yet, but the businesses that take an aggressive stance towards tightening up their ships will stay well ahead of the competition, especially when those looser ships start to spring cyber-leaks.

What’s the first step? Find out if you have an information security policy. If so, make sure it’s being enforced. If not, call me right away to start talking about how to get your company’s technology battened down for the coming storm.

aaron swartzAnonymousgovernmentHackinghacktivismoperation last restortsecurity

Passwords can no longer protect us

  • 3
admin
Saturday, 17 November 2012 / Published in Woo on Tech
Passwords are a Dead End

If you didn’t get your fill of scares this past Halloween, sit down and read this article about password security from Matt Honan, the Wired Magazine writer who’s digital life was destroyed this past summer in minutes by teenage hackers. If you only read one article this year, you should read this one, but in case you don’t (or can’t or won’t), I’ll try to sum up the most important parts of the article:

  • We are sacrificing privacy and security for convenience.
  • Passwords (even long, hard to guess ones) are no longer viable.
  • The technology industry hasn’t been able to come up with a better solution to this problem.

 

What this means for you:

Again, if there is one article you should read this year, especially as you gear up to get your online shopping done this upcoming Black Friday, it’s this one! You’ve heard me give you all the precautions and practices you should be following to better secure your online information, but Matt explains in easy-to-understand, non-technical terms why folks like me are growing increasingly concerned – and in some cases frightened. We, as a civilization, have hit a critical point in our history, and if we don’t make some careful choices and some necessary changes to how we use computers, we are heading down a road of security ruin that could impact anyone that uses technology as a critical part of their lives.

Until better solutions to the password problem arrive, there are some things you can do:

  • Don’t use the same login and password for multiple sites.
  • If it’s available, use 2-factor authentication to secure accounts, especially email.
  • Don’t use easy to guess passwords. Use really hard ones for your most important accounts.
  • Use a separate, hard-to-guess email account for password resets that is separate from your main email account. Gmail is great for this, as it offers two-factor authentication.
  • For password hint questions, eg. “What is your mother’s maiden name?” use incorrect answers that aren’t easily found on the web, and only you would know.

Read the article for even more tips on how to make yourself harder to hack.

 

2-factor authenticationdead endemailHackingpasswordssecurity

Millions of SC ID’s Compromised

  • 0
admin
Thursday, 01 November 2012 / Published in Woo on Tech
The state flag of South Carolina

On Friday, the state of South Carolina announced that it had been the victim of a major security breach, and that as many as 3.6 million state residents (nearly 77% of the total state population) may have had their Social Security numbers and other personal identifying data stolen by person or persons unknown. As security firm Mandiant investigates the breach, they further revealed today that as many as 657,000 local businesses may have also be impacted by the data leak. The severity of the breach was exacerbated by the fact that the compromised data was actually being stored unencrypted on state-run servers, despite the fact it contained extremely sensitive tax information going back multiple years.

What this means for you:

Unless you are a resident of South Carolina or your business has filed taxes in that state, this particular event probably won’t impact you directly. However, it does serve to highlight that governments, like many businesses, fail to take security as seriously as they should, often under-spending on security or even ignoring potential threats. If you work with customer data that might be considered sensitive, are you doing enough to make sure that data is kept safe, not only from hackers, but from loss due to physical device theft, and damage from things like wildfires, floods, earthquakes or even a spilled cup of coffee? Most business won’t be able to prevent a determined hacker from penetrating their defenses, but they can make sure that sensitive data is stored properly (or not at all!) to minimize the collateral damage.

Hackingidentity theftsecuritysocial security numberssouth carolinataxpayers
  • 2
  • 3
  • 4
  • 5

Recent Posts

  • mid year check-in

    Mid-Year IT Health Check: 10 Things Professional Services Firms Should Review Now

    Most firms set their technology priorities in J...
  • Cloud Migration for Professional Services: When It Makes Sense

    Cloud Migration for Professional Services: When It Makes Sense (And When It Doesn’t)

    Every vendor in the technology industry will te...
  • mid age man working on laptop while floating in the sea summer vacation

    Summer Vacation Security Checklist for Professional Services Firms

    Summer is the one time of year when professiona...
  • The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    I have had this conversation more times than I ...
  • Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote work is no longer a temporary arrangemen...

Archives

  • GET SOCIAL
Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

© 2016 All rights reserved.

TOP