Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

T (818) 584 6021
Email: [email protected]

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302

Open in Google Maps
QUESTIONS? CALL: 818-584-6021
  • HOME
  • BLOG
  • SERVICES
    • Encryption
    • Backups
  • ABOUT
    • SMS Opt-In Form
    • Terms and Conditions
    • Privacy Policy
FREECONSULT

Most Android devices impacted by critical vulnerability

  • 0
admin
Wednesday, 29 July 2015 / Published in Woo on Tech
Android in the crosshairs again

Due to a vulnerability in Android’s implementation of MMS, nearly one billion smartphones and tablets could be impacted by a security weakness known as Stagefright. In a nutshell, an attacker exploiting this vulnerability could send an MMS message with an infected attachment that could literally take over your device without you knowing it. Even though Google has released a fix for this vulnerability none of the major carriers and manufacturers have pushed the update to the affected devices, including Google’s own Nexus devices, which are due to be patched next week.

What this means for you:

This vulnerability can affect you even if you don’t open an infected MMS attachment, which could appear as a picture, movie or just about anything that can be attached to an SMS message. Stagefright’s actual purpose is to provide you with the thumbnail preview of the attachment in your SMS application, so having the attachment appear while scrolling through your messages would be enough to get infected. Regardless of what app you use to view MMS messages on your Android device, the only way to combat this attack is to prevent your device from automatically downloading MMS attachments. In Google’s default SMS application Hangouts, this is accomplished by doing the following:

  1. With Hangouts open, tap the Menu icon (3 horizontal lines in a stack) in the upper left corner.
  2. Tap the “Settings” icon (looks like a gear)
  3. Tap “SMS” (usually at the bottom of the list, below “Add Google Account”)
  4. Scroll down to “Auto retrieve MMS” and uncheck that box.

    Disable auto retrieve MMS

If you aren’t using Hangouts to view your SMS and MMS, make sure you check with the software developers to find out if disabling this option is possible in their app. I was previously using ChompSMS as my messaging app, and this option was NOT available, so I immediately switched back to Hangouts.

AndroidbugexploitGooglehangoutsmmssecuritysmsstagefrightvulnerability

Ashley Madison hacked – 37M users exposed

  • 1
admin
Monday, 20 July 2015 / Published in Woo on Tech
Ashley Madison websites hacked

Hackers will go where the data resides, and there is perhaps no “juicier” website than the infamous Ashley Madison website that facilitates extra-marital relationships for nearly 40 million people. Owned by the Avid Life Media group, the Ashley Madison website is part of a family of similarly-minded websites including Couger Life and Established Men. The breach was allegedly perpetrated by a group known as the Impact Team, and according to their posted manifesto, the attack was in response to alleged corporate malfeasance on ALM’s part – not, as many might think, in response to the encouragement of cheating spouses. Impact Team alleges that the program promoted by ALM called “full delete” does not in fact do what it promises: for a fee, members can request their profiles be completely erased from ALM records. The supposed “hacktivists” are threatening to post online all the data they’ve stolen from ALM unless their demands are met: take Ashley Madison and Estalished Men offline permanently.

What this means for you:

Personally identifiable information aside, getting outed for having an account on an adultery website is really “sensitive” data, no question. Though it shouldn’t hurt your employment prospects in theory – employers can’t discriminate based upon marital status (or fidelity for that matter) because that category of information falls under protected status, it can definitely wreck a marriage, and theoretically your finances from that point on. Assuming Impact Team plans to release all the data they’ve stolen, someone will undoubtedly turn it into a searchable database, and even the most trusting of spouses would be hard tempted to not have a peek. So on top of having your identity stolen, you could also lose the love and trust of a spouse, friends and family. I’m pretty sure the latter is worse than the former.

Despite ALM’s vague promises to remove confidential data as it appears, once data is on the internet, you can never take it down. It’s clear that ALM has no plans to accede to any of Impact Team’s demands, and even if the hackers don’t make good on their threats to publish, it’s still highly likely that trove of info will get sold or stolen and consequently published and used. So what do you do if you happen to have an entry in ALM’s database? It’s too late to take advantage of their “full delete” service-if it ever worked in the first place! If you haven’t already done so, getting some form of credit watch service lined up is a good idea, and changing your passwords is a solid first step. Next, I’d recommend seeking advice from qualified professionals in the areas you’ll most likely be living through from here on out.

 

affairsashley madisonbreachcheatingestablished menhackedimpact teamsecurity

The last days of Adobe Flash?

  • 0
admin
Tuesday, 14 July 2015 / Published in Woo on Tech
Adobe Flash Zero Day

Last week’s breach of Italian security firm Hacking Team exposed documentation that detailed the firm’s use of previously unknown security weaknesses in Adobe’s pervasive Flash platform. Typically known as “zero-day” vulnerabilities, these types of holes are being exploited by cybercriminals from the moment they are discovered, and companies will scramble madly to patch the problems and distribute the fix to their customers. Apparently fed up with the ongoing security failures of the plugin and Adobe’s lackluster speed at fixing them, Mozilla has started blocking outdated Flash plugins from running in Firefox, and Facebook’s security czar has called for the troubled platform to be retired:

It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.

— Alex Stamos (@alexstamos) July 12, 2015

What this means for you:

If you are the owner of a website that uses Flash, you should review whether its use is optional or required, with the latter choice presenting numerous challenges, including alienating a large segment of your mobile browsers; both iOS and Android require special, third-part apps to run Flash that are typically not free. Adding this to Google’s latest ranking algorithm which disfavors sites that aren’t mobile friendly, and you could end up with a website that gets relegated to a dark corner of the internet.

As a website visitor, at minimum you should update your Flash plugin immediately, and only do so by getting the latest version from Adobe’s website. Do not follow links or popups that appear while visiting websites – 99% of the time they are not legitimate and will lead to a malware infection. If you’d prefer to stop using Flash altogether, you can follow these instructions to make Flash ask for permission every time it runs:

  • Block Flash and other dangerous plugins with Click to Play: A how-to guide to improve your security
  • How to Enable Click-to-Play Plugins in Every Web Browser
adobechromeexploitsfacebookfirefoxflashGooglemozillapluginssecurityzero day

Who hacks the hackers?

  • 0
admin
Wednesday, 08 July 2015 / Published in Woo on Tech
Who's hacking who?

Today’s headline alludes to a concept perhaps as old as civilization itself. Plato expressed it as, “Quis custodiet ipsos custodes?” Who will watch the watchers? In a spectacular demonstration of what a well-executed hack can do, an unknown hacker has virtually imploded the operations of a digital surveillance company known (ironically now) as Hacking Team. Despite the rather colorful name, this Italian security company has contracts with dozens of government agencies from all over the world, including the United States. Their product? Essentially spyware for conducting remote surveillance and other covert digital operations. The unknown hacker taunted the company and its employees by taking over Hacking Team’s Twitter account and began sharing extremely sensitive internal files through tweets purportedly coming from the company itself. Once the breach was discovered, Hacking Team contacted its clients and strongly recommended they cease using any of the company’s software. Given the general public distaste for Hacking Team’s type of software and the amount of daylight this shines on its customers, its highly likely that very few contracts will be renewed, leaving the company’s future in very uncertain terms.

What this means for you:

Unless you happened to be on the list of Hacking Team customers, there’s not a lot you need to worry from your own organization’s perspective. However, as a citizen of a supposedly democratic nation, you should be concerned about how our government agencies conduct themselves. Should law enforcement agencies be allowed to break the law in order to do their jobs? Who will watch the watchers? Are those people (I’m talking about Congress now) qualified to make proper decisions when they barely understand how the Internet works? To translate this into more relatable (and actionable) terms, do you understand enough about your own organization’s security and technology to make informed decisions on what to buy, what to use, and who to hire? In the case of Hacking Team, it appears that the hacker breached the company through the personal computers of its own system administrators, an irony within an irony. Are you adhering to the security standards to which you hold your own employees accountable?

governmenthackersHackinghacking teamprivacysecurityspywaresurveillanceTwitter

File sync is not back up

  • 0
admin
Wednesday, 01 July 2015 / Published in Woo on Tech
Backup

I am increasingly encountering a dangerous misconception about data backups that could lead to some serious “facepalm” moments. On at least three separate occassions while speaking with someone about data backups, the person I was with referred to DropBox as their primary data backup platform. In case you are unfamiliar with DropBox, it’s a cloud-based platform that can be used to sync files and folders between multiple computers, while also maintaining a copy of that data in the cloud as well. This cloud component is what many folks like to believe is their “offsite backup”. It’s true – if your local hard drive were to fail and you lost files that were being synced by DropBox, you could retrieve a copy from one of your other mirrors or the copy in the cloud. However, what if you or one of your employees who has access to the DropBox repository accidentally deleted some important files? DropBox doesn’t know you (or they) didn’t mean to delete those files, but it will make sure that change is reflected across your entire DropBox repository. What if you got hit with one of those nasty ransomware viruses which encrypts files, including the files in your DropBox repository? DropBox will dutifully overwrite your data with the encrypted copies, effectively destroying your “offsite backup”.

Let me ‘splain:

DropBox’s strength lies in easily establishing a set of files and folders that can easily be synced across multiple machines and locations, and it does this through a simple mechanism which essentially looks at each endpoint (and the cloud) and says, “Make all these the same.” This same strength is a resounding weakness when it comes to proper backup methodology. In a nutshell, your backups should keep track of your data across time, in set intervals, so that you can, in theory, go back to any one of those points in time and retrieve the data as it was at that moment. The reason this is important is for the two situations mentioned above (and many other scenarios as well). In both cases, mistakes were made. Our best course of action would be to go back in time to before those mistakes were made, but seeing as we can’t actually time travel yet, we use backups to accomplish nearly the same thing with our data. Even if the mistakes weren’t noticed for a period of time, as long as you have sufficient version depth in your backup strategy, you can look back to a time interval before the deletion and retrieve the files. This is something that DropBox can’t do, and probably shouldn’t, as it’s not meant to be a data backup platform. There are hundreds of viable backup solutions that range in price and complexity, and many of them are as easy to set up as DropBox. Don’t stop short of using a real backup solution just because you’ve got a copy of your files somewhere else. A good backup solution requires some thought and determination, but can pay back huge dividends when mistakes or disaster strikes.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

backupdropboxransomwaresecuritystrategy

Windows XP – the OS that won’t die

  • 0
admin
Wednesday, 24 June 2015 / Published in Woo on Tech
Windows XP

Despite the imminent arrival of Windows 10, thousands of businesses and organizations around the world continue to cling to Windows XP. In the business world, this position is increasingly dangerous to a company’s bottom line for a variety of reasons, but for the world’s most (arguably) powerful navy, it could be downright dangerous. The US Navy is actually paying Microsoft nearly $10M to continue to support and patch the expired OS, which was officially “put out to pasture” over a year ago. With over 100K Windows XP computers powering critical systems, the Navy still has a tremendous undertaking to phase the (un)dead OS out of daily operations.

What this means for you:

In a broader sense, it’s disheartening (and a little frightening) to think that our shores are being defended by warships powered by a 14-year old operating system, but the government, like our aircraft carriers, have never been capable of quick maneuvering, so this should come as little surprise to anyone. The fact that many businesses still heavily rely on XP despite repeated warnings from just about everyone in the industry is indicative of a larger problem, which is partly the industry’s fault, as well as a certain willful blindness we all share.

From an IT perspective, we’ve historically done a poor job preparing everyone for the security issues we now face, perhaps relying too heavily on tools and fixes, instead of emphasizing education and reforming business thinking. From an individual (and probably first-world) perspective, we’ve allowed ourselves to become increasingly reliant on technology to accomplish even the most basic tasks, and have built complex technological systems that support our daily lives that most of us can barely comprehend, let alone troubleshoot. A simple password hack can turn into a life-altering identity theft only because most of us fail to truly understand how everything is intertwined, and our personal veils of security are only as strong as the weakest password in your entire collection. The same can be said of your technology infrastructure: you are only as strong as the lowliest of forgotten XP machines on your network, and that isn’t very strong at all, regardless of how much you pay Microsoft.

microsoftnavypasswordssecuritywindows xp

LastPass Hacked – Change your master password

  • 0
admin
Wednesday, 17 June 2015 / Published in Woo on Tech
LastPass hacked!

Password storage utility LastPass reported earlier this week that they discovered suspicious activity on their servers and as a result, some of their users’ data has probably been compromised: account emails, password reminders and some of the decryption hashes and salts. According to LastPass, user password vaults were not compromised, nor does it appear that any user accounts were accessed. As a precautionary measure, LastPass has turned on a secondary email authentication confirmations for all LastPass logins from new IP addresses, and they are recommending enabling multifactor authentication – a good security practice for any sensitive account (like your email).

What this means for you:

LastPass uses a very strong encryption method to secure your data, and it would take some significant computing resources to crack their encryption from a brute-force perspective. However, if your LastPass master password was easily guessable, in theory they could use the stolen hash and salt to confirm that password, and attempt to gain access to your LastPass account. In short: change your LastPass master password, and if you used that password anywhere else, change it there as well.

brute-forceencryptionhackedlastpasspasswordsecuritywarning

Samsung Smartphones Vulnerable to Hack

  • 0
admin
Wednesday, 17 June 2015 / Published in Woo on Tech
Samsung Logo

Security analysts recently demonstrated a significant weakness in Samsung smartphones that could potentially impact up to 600 million people. The vulnerability lies in their modified version of the Swiftkey app, which is Samsung’s onscreen keyboard. This vulnerability impacts the the Samsung Galaxy S6 on Verizon and Sprint networks, the Galaxy S5 on T-Mobile, and the Galaxy S4 Mini on AT&T. The developers of SwiftKey were quick to confirm that the version available for download on Google Play was not affected by this vulnerability, and supposedly Samsung has provided a fix to carriers, but there is no confirmation from any of the carriers as to whether they’ve distributed this fix, or have any plans to do so.

What this means for you:

This vulnerability could potentially allow an attacker to completely “own” your device – from the camera to microphone, incoming and outgoing texts and emails, as well as installing further malicious applications. There is no way to uninstall this app unless you root your phone (only recommended for the technically savvy, and you might void your warranty), and even if you switch to a different keyboard app, the vulnerability still exists. Until the carriers can confirm that they’ve patched this vulnerability you should avoid using public wi-fi networks, and if you are feeling sufficiently outraged, you can contact your carrier and demand they issue this patch immediately.

AndroidexploitGooglesamsungsecuritysmartphoneswiftkeyvulnerability

OPM Hack Follow-up

  • 0
admin
Monday, 15 June 2015 / Published in Woo on Tech
Office of Personnel Management Hacked

As is the case with many government screw-ups, the Office of Personnel Management (OPM) hack reported last week has now been revealed to be much more worse than originally thought. Instead of four million civilian federal employees having their PII exposed, investigators now believe as many as 14 million prospective, current and former employees have been exposed. In addition to the usual PII (name, address, Social Security #, DOB, etc) the information also included background investigations which are known to include things like arrest records, financial history, medical problems, as well as information about colleagues, friends, neighbors and relatives.

What this means for you:

Given the large number of current and former government workers, it’s highly probable you or someone you know falls into the 14 million compromised in this attack. There are things you or they should be doing, not the least of which are the following:

  • Set up credit monitoring for you and your family – take advantage of the free services offered, or set up something independently.
  • Freeze your credit file – Krebs on Security has an excellent explanation of how to accomplish this.
  • Review the Federal Trade Commission’s recommended actions.
  • Watch your important online accounts like a hawk and investigate any suspicious activity immediately.
creditgovernmenthackidentity theftopmsecurity

Government hacks go undetected by $4.5B security system

  • 0
admin
Wednesday, 10 June 2015 / Published in Woo on Tech
OPM-hacked.jpg

Last week, over 4 million people had their PII (Personal Identifying Information) exposed. Suggestive humor aside, this is still scandalous as this breach came by way of the Office of Personnel Management (OPM – the government’s HR department), an agency supposedly being protected under the watchful eye of the Department of Homeland Security’s (DHS) $4.5B National Cybersecurity and Protection System (NCPS), aka “Eienstein”. I’m sure that the real Einstein would be horrified to know that his good name was being sullied by a multi-billion dollar boondoggle. Adding insult to injury, the PII exposed wasn’t your “run of the mill” variety either – OPM databases housed information on security clearance investigations which also contains information on family, neighbors and close associates of any government employee who went through that process – meaning a lot more than “just” 4 million people were affected. Not quite disturbed enough yet? The OPM data infrastructure was housed in a “shared data center” which provided services to many more government agencies, all of whom could have been breached as well. US government officials have made noises that the Chinese are to blame, and of course, China called those allegations “irresponsible” and “baseless”.

What this means for you:

What this event demonstrates is that stupid amounts of money can’t buy security if you are always playing catch-up. DHS’s Einstein is only able of detecting attacks that have been seen before – it’s basically a monstrously expensive filter that looks for “signatures” that are based on – that’s right – previous attacks. Once the hack gets past the gate and they are able to “own” the system by using legitimate credentials (either stolen or created through their initial hack), the attackers can transact business through normal protocols and transactions, making detection extremely difficult. It’s the equivalent of looking for a needle on a conveyor belt full of hay – and you don’t know even know what the needle looks like, other than “not hay”. It seems that we will need a real Einstein to develop a system that can detect attacks that have never been seen before.

I can hear you say, “If the government can’t secure themselves with $4.5B, how am I supposed to do it with my modest means?” Well, if a nation-state is targeting your organization, probably no amount of money you could reasonably spend is going to protect you. Fortunately, nation-states and advanced persistent threat (APT) groups usually have bigger fish to fry. The “garden-variety” malware you and your employees will encounter can be stopped by a combination of up-to-date antimalware software, a good firewall, and training. In the case of our government, technology advances are hampered by an alphabet-soup of bureaucracy and glacial culture adoption, something attackers count on. Don’t let red tape slow down your organization on this issue – security should be at the top of your list and a budget priority, no matter your industry or size.

dhseinsteinhackopmsecurity
  • 8
  • 9
  • 10
  • 11
  • 12

Recent Posts

  • mid year check-in

    Mid-Year IT Health Check: 10 Things Professional Services Firms Should Review Now

    Most firms set their technology priorities in J...
  • Cloud Migration for Professional Services: When It Makes Sense

    Cloud Migration for Professional Services: When It Makes Sense (And When It Doesn’t)

    Every vendor in the technology industry will te...
  • mid age man working on laptop while floating in the sea summer vacation

    Summer Vacation Security Checklist for Professional Services Firms

    Summer is the one time of year when professiona...
  • The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    I have had this conversation more times than I ...
  • Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote work is no longer a temporary arrangemen...

Archives

  • GET SOCIAL
Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

© 2016 All rights reserved.

TOP