Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

T (818) 584 6021
Email: [email protected]

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302

Open in Google Maps
QUESTIONS? CALL: 818-584-6021
  • HOME
  • BLOG
  • SERVICES
    • Encryption
    • Backups
  • ABOUT
    • SMS Opt-In Form
    • Terms and Conditions
    • Privacy Policy
FREECONSULT

New Year, New (More Secure) You

  • 0
admin
Wednesday, 20 January 2016 / Published in Woo on Tech
ID-10069440.jpg

It’s a new year, and I’m sure every one of us made at least one small promise (if only whispered to ourselves at 12:01am on Jan 1)  to be better or do better at something this year. I can help you out with an easy one that will definitely improve your security profile, and I’m pretty sure a safer you = a more healthier you (at least digitally).

Let’s talk about the foundation of personal security: the Password.

Change that password. You know the one. The one you use everywhere. Change it! Make it hard. There are dozens of methods for coming up with one. Here’s one:

  1. Pick your favorite quote (or one you have memorized), use the first letter from each word. How about, “Twas the night before Christmas” which gives us “Ttnbc” – 5 characters, a good starting point.
  2. Randomize the capitalization in a way you can remember. How about reverse camel caps? “tTnBc”.
  3. Since we need 8 characters minimum, let’s add two numbers, and since we’re talking about Christmas, let’s add “24” on the end (or the beginning, it doesn’t matter).
  4. And we need a special character, how about the “@” symbol which looks like a Christmas ornament.

So now we have “@tTnBc24”. You’ll remember it because you created a small story behind the password, which will make it memorable. But Chris, you always say to use a unique password for every account! No problem, here’s how you do that, while still making every password you create memorable:

  1. For every unique account password you need to create, pick a string of 3 or 4 letters based on the name of the account (however you remember it, company name or type) – let’s say the first 3 letters, and always use the same rule. So for your Chase bank account, you’d add “Cha” somewhere to the password, either beginning or end.
  2. Before you tack it on the end of the password, pick a symbol that will act as the glue (or divider) between your specific account divider, let’s just say “+” because that makes sense right?
  3. Now you have “@tTnBc24+Cha”.

WARNING: if anyone ever gets ahold of more than one of your passwords generated via the above method, they may spot the pattern right away, especially if the account is known for each password, making it relatively easy to guess other account passwords. My recommendation here is to not use this method with passwords that you have to share with other people (it will be obvious if they see more than one). For those, use a random generator and store them in a known secure password utility, such as LastPass, KeePass, Dashlane or Roboform. 

Use the above method for the accounts you access frequently, but don’t want to lower your security because of how valuable they are. Examples should include your email account (especially the one you use to send password resets/reminders to), anything that is attached to your money, accounts that has sensitive private information like insurance websites, and, most importantly, all of your social media sites, especially any in which you interact with friends and family.

If you are wondering if a password you’ve used in the past has been exposed, you can check https://haveibeenpwned.com if you know the email address to which the account was attached. This website is essentially a giant database of all the known data breaches over the past couple of years. If your email address raises a red flag, you should change the password you used for that account, especially if you used that same password elsewhere.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

new year's resolutionpasswordssecurity

Microsoft tries to retire older IE versions

  • 0
admin
Wednesday, 13 January 2016 / Published in Woo on Tech
IE-targeted.jpg

Back in 2014 Microsoft announced that in 18 months it would cease to support older versions of Internet Explorer on currently supported operating system platforms. As of January 12th, Microsoft is making good on that promise and will only support the latest version of its web browser on supported OS’es. You might think that this will mean less zero-day exploits of older versions of IE (one of the biggest security risks to date) because people will be forced to abandon the older browsers, but not so fast! Microsoft is trapped within their own doublespeak, and the catch is “lastest version of IE released on a particular supported platform”.

What on earth does that mean?

If you happened to only skim (instead of read) their 2014 announcement or the news stories released this week about this new policy, you might have come away with the impression that Microsoft was finally dropping support for older versions of IE, namely 6, 7, 8, 9 and 10. Depending on your business need, this may have been cause for celebration or hair pulling, but a slightly deeper dive on this tells a less draconian tale. In a nutshell, depending on the operating system, some older versions will still be getting patched and updated, but only because the newer versions of IE were never officially released on a particular OS. Still confused? That’s OK, it’s Microsoft, so just shrug and take away the following:

  1. Microsoft will still be patching older versions of Internet Explorer as far back as version 7, but…
  2. Patches for versions 7-9 are likely to be hard to get, if not near impossible for normal consumers.
  3. Don’t use older versions of IE unless you have a compelling business restriction that prevents the use of IE 11.
  4. Businesses relying on websites that require the use of older versions of IE should be upgraded ASAP. You are putting your employees/clients/customers in danger.
  5. Remember #3? If you have to use Internet Explorer, you should be using version 11. It has competent backwards-compatibility capabilities that should work with websites that require older versions of IE to function.
ieinternet explorermicrosoftsecurityupdate

Vtech breach exposes kid and parent info

  • 0
admin
Wednesday, 02 December 2015 / Published in Woo on Tech
VTech Hacked

I really wanted this holiday season to be one of joy and goodwill towards all people, but it seems like the black hats will never rest. Let’s just get the ugliness out of the way: VTech – maker of tech toys for kids – has suffered a data breach that has exposed over five million customer accounts, and worse still, over six million child profiles. As per the usual, it seems that the Hong Kong company initially tried to downplay the breach by omitting any numbers or that kid’s profiles might be at risk, but eventually came clean as word began to spread. Even after announcing the number of people affected by this breach, VTech continued to spin the incident and tried to downplay the extent of data leaked, despite proof provided to the media that the data exposed included a year’s worth of chat logs and childrens’ profile pictures, which were uploaded to VTech’s Kid Connect service, a supposedly secure social media platform that parents can use to chat with their children through VTech’s tablets.

What this means for you:

It’s not clear yet when VTech (if ever) will take action and contact the affected families. Hopefully you will know whether or not you’ve purchased an internet-capable VTech toy for your child and set up the Kid Connect service. The information exposed in this hack has not been released to the internet, and the hacker behind the breach says that the info that was shared with the press to expose VTech’s poor security practices, but that’s not to say that it won’t eventually be released. As a parent, you should be mindful of any activity that involves exposing confidential information about your children on the internet (including Facebook!) and this will continue to be more important as more and more toys become increasingly sophisticated, connected and complex. According to VTech’s own admission, they were unaware of the security breach until the media contacted them for comment. As a business owner or manager, that is one nasty surprise you don’t want as a holiday gift. Make sure you have a good understanding of what confidential information you do store, and make sure it’s wrapped tight and kept safe, if it has to be kept at all.

breachchildrenconfidential dataexposedkidparentssecurityvtech

Dell Scrambles to Fix Security Goof on New Computers

  • 0
admin
Wednesday, 25 November 2015 / Published in Woo on Tech
Dell Logo

When you sell as many computers as Dell does, all it takes is one small screw-up to create a security catastrophe. In this case, computers sold as far back as August of this year may have shipped with a compromised security certificate that could lead to a complete breach through a trivial exploitation of that certificate. So far, Dell has refused to disclose exactly which products are affected, but reports are confirming their Inspiron, XPS, Precision and Latitude lines are shipping with this problem. They are admitting that the problem exists, have published instructions on how to manually remove the compromised certificate, and will be releasing a software update to remove the certificate altogether. If you’ve purchased a Dell since Spring of this year, you should probably read on.

What this means for (some of) you:

In case the above didn’t contain enough technical jargon to convince you of how serious this is, let me unload on you: Dell shipped a slew of computers with a self-signed security certificate installed as a root trusted authority, and left the private encrpytion key on the devices. Even if you only understood part of that sentence, I’m betting you can intuit what publishing a private key does to the certificate. Yes, that’s right, it’s like sending everyone keys to your front door with your address printed on the key. Why this is a big deal is also fairly simple to explain. Because this key is essentially available for anyone to use, any reasonably proficient hacker could set up a fake hotspot at your local coffee shop, wait for a Dell computer to walk in, and then pretend to be Dell while unencrypting all of your network traffic. If that sounds bad, then you are picking up what I’m putting down. What do you do if you have an affected computer? Here are the instructions on manually removing the bad certificate, or wait for Dell to release a fix, which is schedule to arrive as of the time of this writing.

Full Disclosure: C2 Technology Partners, Inc. is a Dell Partner, meaning we sell Dell equipment and services, though after this particular goof, perhaps not as much as we had in the past.

Want to know more about security certificates? Here’s a reasonably straight-forward explanation of what they are and how they work.

certificatecompromisedelledellrootsecuritysuperfish

Virus found on Police body cameras

  • 0
admin
Wednesday, 18 November 2015 / Published in Woo on Tech
Biohazard

It’s not exactly a walk in the park when a cash register gets infected, but when technology on the front lines of law enforcement is infected out of the box, we have an entirely new set of nightmares to keep us up at night. It’s bad enough that our military is using 14 year-old software to operate the most powerful naval fleet in the world, and now we have to worry about police officers trying to do an already tough job with infected body cameras. As of this writing, the manufacturer of the devices has yet to comment, but according to the security firm assisting law enforcement agencies with the implementation of these devices, the cameras are shipping with the Conficker worm, a virulent strain of malware that first appeared in 2008 and continues to exploit unpatched Windows machines to this day.

What this means for you:

The more savvier among you may have already posed the question, “How on earth does a simple flash memory-based camera get a virus infection?” The original success of the Conficker worm actually came from its ability to spread via USB devices through a well-known weakness in Windows operating systems: the short-lived “autorun on insert” functionality would execute a script on an infected thumb drive, infect the host computer with the Conficker virus, which would in turn search for any attached networks and other USB devices to infect. Police body cameras are designed to record data to built-in flash memory, and then have that data transferred via USB to a computer. See where this is going? Imagine your local, overworked Police Departments now being overrun by a 6 year-old virus. On top of this, it’s not a stretch to imagine savvy defense attorneys calling into question the integrity of video footage captured by compromised hardware. Though Confickers true purpose was never discovered, it infected millions of PCs. It’s not hard to imagine a new wave of malware infections brought on by untested and widely available devices like web cameras, USB chargers and many other devices that make up the rapidly growing “internet of things.”

Fortunately for the law enforcement agencies that purchased the equipment, their integrator was on their game and detected the infection before the cameras were put into the field. This only came about because the computers to which the cameras were attached were protected by up-to-date and reputable antimalware software. While it won’t be the magic bullet we all wish existed, solid antimalware protection will go a long way towards preventing disaster in your organization. Don’t skimp in this regard – it might put more at risk than you think.

body camerasconfickerlaw enforcementmalwaresecurity

Flash zero-day exploit targeting govt agencies

  • 0
admin
Wednesday, 14 October 2015 / Published in Woo on Tech
Adobe Flash Zero Day Warning

Adobe Flash can’t seem to catch a break. Their most current black eye has arrived in the form of yet another zero-day exploit of a vulnerability in the latest versions (19.0.0.185 and 19.0.0.207) of the browser plug-in. According to Trend Micro’s blog, the hacking group Pawn Storm is targeting government workers via spear-phishing emails that contain links to news about current events. Instead of taking them to a legitimate news story, the links lead to compromised websites that can install malware onto the victim’s computer via the aforementioned exploit. Rather than the usual identity theft, this group seems to have a more politicized agenda and bears similarities to attacks on NATO from last year.

What this means for you:

If you are new to this blog, you may not have been briefed on the #1 Rule of Personal Technology Security: “Don’t click strange email links.” Even clients who have weathered years of me saying this sometimes let their guard down, so Rule #2 is “Be prepared for the worst,” which you should interpret as (1) having a strong firewall, (2) trusted anti-malware installed, and (3) a contingency straegy that includes backups and plans for operating without core infrastructure when things do go wrong. The sad matter of fact is that cyberattacks will get past anyone’s mental guard – we are only human after all – at which point properly installed and configured technology can act as a safety net. Note the emphasis – poorly implemented security is worse than nothing at all in some cases. When you have nothing, at least you aren’t lulled into a false sense of security. And don’t count on the (perhaps prematurely reported) death of Flash as means to improve everyone’s overall security profile. We haven’t quite seen the end of Flash just yet, and there are plenty of other platforms (Java anyone?) that could easily take its place if and when Adobe finally puts this software out to pasture for good.http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-patched-adobe-flash/

adobeexploitflashgovernmentsecurityspear phishingzero day

T-Mobile, Scottstrade join the hacked parade

  • 0
admin
Wednesday, 07 October 2015 / Published in Woo on Tech
T-Mobile hacked

Three major companies and a popular crowdfunding website joined the illustrious ranks of the hacked last week. At the forefront of media attention was mobile service provider T-Mobile who had to explain to nearly 15 million of its customers that anyone who had their credit checked while in the process of applying for T-Mobile service would now be enjoying the “benefits” a near perfect (for identity thieves) exposure of their data, including name, date of birth, social security number, addresses, phone numbers and even government-issued ID numbers. Online brokerage Scottstrade suffered a breach exposing nearly 5 million customers over a year ago that they didn’t even know about until informed by authorities investigating the matter. Rounding out the list of big names is everyone’s favorite business bad-boy, Donald Trump and his Trump Hotels business, of which seven luxury hotels appeared to have suffered a year-long breach in security that allowed thieves to siphon off guest credit and debit card data. And if that wasn’t enough, data thieves also managed to penetrate Patreon, a website used primarily by independent artists and entrepreneurs for fundraising, and exposed over 2 million users emails, passwords as well as their specific site activity.

What this means for you:

By this point, if you haven’t at least racked up two years or more of “free” identity theft protection from the numerous data breaches, you have been living the life of a true luddite and should share the secrets of your success (just not online, right?). What I’ve found among many of my clients, friends and family is that most have just furrowed their brows, shaken a symbolic fist at the faceless enemy/internet/corporation and more or less accepted this as a new fact of life. Many of them haven’t even taken advantage of the credit protection services offered as compensation for being a victim of one or more data breaches. As I’ve mentioned in the past, most Americans are now suffering a near textbook-perfect example of bad news fatigue, primarily because it seems like nothing can be done. But there are things you can do:

  1. Have a look at Have I Been Pwned to see if any of your email addresses show up. If they do, you should change your passwords, especially if the account that was “pwned” was associated with a password you use elsewhere.
  2. Sign up for any identity/credit protection services offered to you if they are still available. While they may not be able to prevent an attempt to use your identity, you are much more likely to catch it happening, and these companies can help recover from damage caused by the theft.
  3. Most critical online services such as banking and email offer two-factor authentication which can provide a much higher degree of security. Even though a hacker may have a password for your account, they won’t be able to access accounts protected by two-factor authentication.
  4. Understand what data you or your company is responsible for, and if you use vendors to process any of that data, make sure they are exercising proper diligence in securing their perimeter and your data. In the case of T-Mobile’s breach, credit-check vendor Experian was the source of the breach that will likely result in significant financial and reputation distress.
breachdataexperianexposurepatreonscottstradesecuritytmobiletrump

Malware penetrates Apple’s walled garden

  • 0
admin
Wednesday, 23 September 2015 / Published in Woo on Tech
Apple app store not bullet proof

Apple is infamous for it’s stringent and sometimes odd vetting process for iOS apps, but it has purportedly kept iPhone and iPad users relatively safe from the malware that has plagued the Android ecosystem for years. Unfortunately, they can no longer wear that badge with pride anymore, as dozens (possibly hundreds) of apps written by Chinese developers and distributed through the official Apple App Store have been found to be infected with malware that can cause serious security problems for the affected device. Before you get up in arms about the brazen escalation of Sino-American cyber-hostilities, security analysts believe that the infected apps weren’t purposefully compromised, but were caused by Chinese app developers using an infected version of Apple’s coding framework, Xcode to build or update their apps. These apps were then submitted and, upon passing through Apple’s security screening, distributed in both the Chinese and American App Stores to upwards of hundreds of millions of users.

What this means for you:

Unless you make a habit of installing Chinese iOS apps you probably aren’t directly affected by this. Check this list, and if you did install one of the affected apps remove it or update it immediately, and change your Apple Cloud password and any other passwords you might have used while the infected app was installed on your device. For the rest of us that aren’t impacted, this particular failure illustrates two important points about security:

  1. No security system or process is infalliable. Apple’s fall from grace in this regard was only a matter of time. Every good security plan should include a failure contingency. In Apple’s case, they know exactly who installed what apps and plan to notify all affected customers.
  2. The use of the compromised Xcode framework was traced to many developers using a non-official download source to retrieve the code, which is very large (3gb) and is very to slow to download in China from Apple’s servers. Rather than being patient/diligent, Chinese programmers used local, unofficial repositories hosting malware infected versions of Xcode. Always confirm your source (whether reading email or downloading software) before clicking that link!
Androidapp storeAppleGoogleinfectioniosipadiPhonemalwaresecurityxcodexcodeghost

Quantum computers could render current encryption obsolete

  • 0
admin
Wednesday, 09 September 2015 / Published in Woo on Tech
Current encryption standards in danger?

Though the average consumer is still many years away from seeing or using one, quantum computers are moving steadily from theory to reality, and seems to be following the same accelerated curve most other technologies follow. First theorized in the 1960’s, the field of quantum computing was formally established in the early 1980’s, but actual systems using quantum computing only appeared in this decade. Lockheed Martin purchased in 2011 what appears to be the first physical implementation of a quantum computer: the D-Wave One. Google launched its own quantum computing initiative in 2013 in joint effort with NASA, and Edward Snowden revealed in 2014 alleged plans by the NSA to build a quantum computer expressly for cracking encrypted data.

[Skip this section unless you really want a brain twister!] Quantum mechanics on its own is an incredibly dense and complex field of science, and even though quantum computing concerns itself with a specific application of quantum mechanics, it is just as inscrutable as modern computers are now to most people. In a nutshell, where modern computers process data by boiling down everything to zeros and ones (bits), quantum computers process data using qubits, which can exist as either a zero or one, or any number of infinite states in between. While you are trying to wrap your head around that one, consider this next mind-blowing fact: where traditional CPU’s solve problems by switching between one or zero (albeit very, very quickly) and testing a condition (is it 0 or 1), a quantum CPU can simulaneously solve for one and zero at the same time. Because of this capability, a quantum CPU would be vast leap forward both in speed and complexity as compared to a “traditional” CPU.

What this means for you:

Scientists and security experts are justifiably concerned that quantum computers could easily crack the toughest encryption methods in use today. Encrpytion that would normally take today’s computers thousands of years to crack could, in theory, be broken within hours on a quantum computer. It’s not a long jump to suppose that the first organizations to implement quantum computers will be nation-states and large corporations, and then the race will be on to safeguard data with even stronger cryptographic algorithms. Echoing an arms race not unlike the nuclear one in decades past, modern technology is advancing at a pace that most humans will never stay ahead of, and we are relying on a small number of people in power who continually demonstrate an alarming lack of understanding of technology in general. Its important for all of us to step up our game and to focus on, at minimum, learning more about the technology we use everyday, and when we hit our limit, making sure we are protected and led by more knowledgeable people we can trust.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

dataencryptionquantum computingquantum physicssecurity

Ashley Madison searchable data wreaks havoc

  • 0
admin
Wednesday, 26 August 2015 / Published in Woo on Tech
Can't keep this one quiet

Remember a couple weeks ago when the adultery website Ashley Madison and assorted “sibling” sites were hacked? The alleged hackers were holding the data hostage and demanding (parent company) Avid Life Media be held accountable for what the hackers claimed was the fraudulent business practice of offering website “patrons” the opportunity to pay have their data completely erased. The data has been released (including the supposedly erased data), it is now searchable thanks to websites like Have I Been Pwned, and it’s wrecking lives like, well, a proverbial home-wrecker. It doesn’t take much imagination to envision why this is happening – marriage as an institution in America has been on some fairly rough ground lately, but you don’t come to this blog for that kind of gossip…

So here’s my IT angle on the whole mess:

  1. Just one, simple piece of data in the wrong place at the wrong time can be a game changer. In the case of the above, finding someone’s email address in the database separate from any other context can utterly destroy trust. And this doesn’t have to be a spouse or a family member: it can be a congregant, constituent, employee, employer, customer, client, prospect, competitor, adversary or worse – a true enemy. Many have said that their accounts were created for research (I didn’t even put that in quotes), and many probably were and even have official documentation backing up that claim, but when data is released without context, the victims don’t have any control over how the data is viewed or used.
  2. Most agree that Avid Life Media’s IT team had more that adequate protections and data encryption in place, but like every other business, they were fighting a losing battle. As I’ve said repeatedly (as has most of the industry), the current battle against digital intrusion is a war of attrition, and the attackers have the upperhand. They only have to succeed once to win, but we, in defending our organizations, cannot stumble even once. In case you are having trouble envisioning why this is, imagine a game of soccer where you are the goalie and the hacker is the other team. It’s just you versus the entire team, and there are multiple balls in play. They only have to score once to win. You, on the other hand, can only hope to get one of the opposing team out on penalty to slow them down, but guess what? They have a rather deep bench. And there are no time outs.
  3. Do your employees or vendors have access to data or systems to which they shouldn’t? Some believe the hack was an inside job. Keep in mind that you have to trust someone at some point to manage your security. Though it may be difficult or even painful to examine your operations for disgruntled employees or customers, unethical or inhumane practices reap as they sow, as Avid Life Media is perhaps experiencing first hand.
  4. Things done on the internet can never be erased. Even if you pay someone to do so, and they make an honest attempt at it, the internet never forgets. Want to keep something secret? Keep it as far away from the internet as possible. Can’t (or won’t) do that? Count on it not being secret and at least you’ll be prepared for when it does become public. Also, there are very few levels of obscurity on the internet, in most cases, things are merely forgotten or overlooked, but they never truly disappear from view.
  5. Privacy and security are hard won, and increasingly so as time progresses. Expect the costs of maintaining these things to continue to rise.

With all the recent, high profile hacks it’s hard to not be a “Debbie Downer” when it comes to the current state of security and privacy – but don’t fool yourself into thinking that things aren’t as bad as they might seem. Taking a realistic view on internet privacy and security is important in achieving a balanced perspective when making decisions on what to spend (both in dollars and energy) on defending yourself and your business. It’s not the end of the world. Not nearly. But it’s rough out there, and likely to get worse before it gets better. Be prepared, be realistic: plan for the worst and hope for the best.

 

ashley madisondata breachhackprivacysecuritytrust
  • 7
  • 8
  • 9
  • 10
  • 11

Recent Posts

  • mid year check-in

    Mid-Year IT Health Check: 10 Things Professional Services Firms Should Review Now

    Most firms set their technology priorities in J...
  • Cloud Migration for Professional Services: When It Makes Sense

    Cloud Migration for Professional Services: When It Makes Sense (And When It Doesn’t)

    Every vendor in the technology industry will te...
  • mid age man working on laptop while floating in the sea summer vacation

    Summer Vacation Security Checklist for Professional Services Firms

    Summer is the one time of year when professiona...
  • The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    The $300 Laptop vs. The $1,300 Laptop: A Technology Investment Guide

    I have had this conversation more times than I ...
  • Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote Work Technology Setup: What Matters for Professional Services Firms

    Remote work is no longer a temporary arrangemen...

Archives

  • GET SOCIAL
Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

© 2016 All rights reserved.

TOP