SECURITY ALERT: Amazon Echo & Ring

You may not know this yet, but if you use Amazon devices in your home, you should keep reading…

On June 8th, Amazon automatically enrolled most of its devices (Alexa, Ring, Echo, etc.) in its new Amazon Sidewalk service, which is basically an experiment by Amazon that leaves your personal privacy and security open to the world. The new wireless mesh service allows sharing of bandwidth with nearby compatible Amazon devices and other Sidewalk users.

If you haven’t already opted out, you and millions of other Amazon customers in the U.S. are now Sidewalk users.  Amazon wrote a whitepaper on the service detailing the technology and service terms. But my advice would be to opt out, particularly on corporate Amazon devices where sensitive business information could be at risk.

Historically, new implementations of wireless network technologies (WEP, Bluetooth, etc.) have been plagued with security problems. I am already concerned with the risks of using IoT devices and this will only compound the security risk by allowing passers-by into your networked devices without your knowledge. There’s little reason to believe Amazon will do much better to protect your security. With so many people working from home, the risk involves not just your own privacy, but the integrity of your company’s most sensitive data. I recommend creating a company policy that anyone working from home must disable their Amazon Sidewalk services.

Fortunately, it’s pretty simple to opt out of or disable the Sidewalk service on your Amazon devices. 

As always, this newsletter is for informational purposes, but I am available to help update your Amazon Echo, Ring or other IoT devices. It might also be a good time for us to review your security settings and policies to ensure that you are doing everything you can to protect your business (and personal) information.

Andy

TECH ALERT: TECH SUPPORT SCAM

The pandemic has kept people stuck at home, and in front of their computers…which has brought out nefarious characters finding new twists on old scams.

Another scam…another newsletter to help you avoid being taken advantage of, or worse, losing your data and money. Hackers are now preying on vulnerable people to commit online fraud, using the old ‘tech support’ scam that has bilked people out of billions of dollars for the last several years.

What’s new is that now scammers are targeting more people over the age of 60 via their computers as they spend more time online. The FTC also reports fraud losses totaled $388 million through the third quarter of 2020, a number that’s up 23% from 2019!

Scammers are using realistic-looking pop-ups on Macs and PCs alerting you to a virus or issue with your system, and providing a phone number to call. This should be your first red flag…Not to make light of the situation, but when was the last time a company gave you an actual customer service phone number?!?

Once they get you on the phone, the real scam begins, as they will assure you that they are a certified Microsoft technician (or a tech from Apple, or any other well-known company), and may request access to your system via TeamViewer (or another screen-sharing tool).

These scams have become so popular that Microsoft and Apple are now warning about various iterations of this scam on their websites. But, unfortunately, the tricks of cyber thieves are constantly evolving and becoming more convincing. Here are some tips on how you can avoid these scams in the future:

•    Apple, Microsoft, and other reputable tech companies do not ever contact customers about “tech support,” unless the customer initiates communication.  EVER!

•    If a pop-up or error message appears with a phone number, don’t call the number. Error and warning messages never include phone numbers!

•    If you get a tech support scam pop-up, close your browser immediately. On a Windows PC, press Control-Alt-Delete to bring up the Task Manager. On a Mac, click on the Apple icon in the upper left corner of your screen and use the Force Quit command.

•    Never pay for tech support or other services with a money transfer app, gift card, cash reload card, or wire transfer.  The only tech support you should be paying for is from ProActivist Computer Support.  (wink, wink)

•    If you get a call after the pop-up, do NOT answer. If you answer, hang up, and block the call. Once scammers know they have reached a working number, you become a recurring target. One of the most common scams after you engage with cyber-crooks over fraudulent services is the “refund scam.”

•    Never trust any company that requests personal or financial information.

•    Keep your security software, browser, and operating system up-to-date, and consider using your browser’s pop-up blockers (if you have turned these off previously).

As always, this newsletter is for informational purposes, but I am available to answer any questions or to discuss more about these types of scams. It might also be a good time for us to review your security settings, and ensure that you are doing everything you can to protect your business (and personal) information.

Andy

TECH ALERT: Text Skimming


Your phone number is an easy-to-find key that can be used by hackers and scammers to unlock your personal data. They can also use your number in many other malicious ways.

Unfortunately, there’s another new threat to our privacy, this time involving your cell phone texts. I don’t like to stoke unnecessary fears, but this is truly a frightening new scam. A gaping flaw in the SMS text messaging system lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages. For $16, an anonymous prepaid credit card, and a couple of lies, you can literally forward the text messages from ANY phone to your phone.

There are multiple ways your phone can be targeted by hackers; below are the most common, with links should you want to dig deeper:

SMS Hijacking
Data Mining
SIM Swapping / Rerouting your Number
Spoofing
Texting Scams / Smishing

To limit misuse of your phone number, I recommend sharing it as little as possible. Many apps and services require a cell number for verification at sign up. By handing your data to these apps, services, and businesses, you increase the likelihood that your cell number will be passed on to third parties and data aggregators.

However, as keeping your phone number private is not always possible, you can at least track it so you are aware of when it has been compromised. Sign up for an account at OkeyMonitor and they will alert you via email (or two) when it detects anyone tampering with your SMS number.

You may also want to consider an alternative to SMS for your multi-factor authentication codes. I recommend Authy or Cisco Duo, but other options include Google Authenticator and 1Password.

As always, this newsletter is for informational purposes, but I am always available for questions or to discuss any of these scams, and ways to protect your business.

Andy


I’ve adopted a Cloud Strategy…but, now that my data has spread to the winds, how do I get it back under control??


CLOUD STRATEGY 2.0

Over the past year, many of my clients have accelerated the shift from in-house hardware and software to Cloud-based services. This has caused many changes in our daily business lives, the first of which was the shifting of IT dollars from replacement projects every 5 years to ongoing monthly service charges. Additionally, now that computers are no longer in the office, we must grapple with how we keep the systems standardized and maintained.

Home users naturally conflate business-time and personal-time. We may also conflate business-use and personal-use. The impact of this is that some of your company data may be located in personal Dropbox accounts, OneDrive folders, and Google Docs, and shared with who knows who? If one of your employees leaves, how will you ensure you have all your data back? How will you ensure it doesn’t get leaked inappropriately? In the meantime, your company has most likely started using many new services which were set up on the fly, and without any strategy or planning. Do you have a backup plan for all this ‘stuff’?

I’ll keep this brief, but I highly recommend everyone go back and do some of the planning and strategizing which may have been skipped over in the rush to enable employees to work from home last year.

1. Inventory. Take the time to do one-on-one inventory interviews with each employee to discover what you have and where.

2. Consolidate. Assemble all the inventory information and make a plan to consolidate your data and services, however you can. Standardize the way you treat each problem. Since OneDrive, Dropbox, Box, Amazon S3 and Google Drive are all doing the same thing, pick one and make it the official Cloud drive for your organization. Get your employees to distinguish company-related data held in personal accounts, and shift it over to company-owned accounts. Direct your employees to stop using personal email for business purposes.

3. Centralize. Get all the accounts with company data under your control and convert them to Team accounts, if that is possible. Set up an onsite NAS backup system with the ability to sync down all your Cloud data. Get a company-owned and managed laptop into the hands of every employee. Consider getting company-issued phones. There may be automated software plug-ins available which could consolidate accounts from multiple cloud services into one service.

4. Secure. Set up multi-factor authentication for email, and for every fiscal account, as well as every account with Personally Identifiable Information. Get a team-based password management system and train everyone how to use it. Password management systems allow you to generate and save easy-to-use passwords for every website. The team feature will allow you to maintain the passwords which employees are using on your company’s behalf, even after an employee leaves the organization. At the same time, it will help prevent your employees’ personal passwords from falling into your own hands – which is a stickier legal issue than you might imagine at first.

5. Policies. Create written policies to govern and explain your decisions. Review these annually.

6. Training. Create a quarterly training schedule for all employees along with a certain allowance of time for individualized training to ensure that you stay on top of what is being done in your company’s name.

As always, this newsletter is for informational purposes, but I am always available for questions or to discuss any of these tasks, or your cloud strategy in general.
Andy

Password Management 911


From here on out, I recommend using password management software to learn your passwords and store them securely. Then you can use the built-in password generation function to create and remember very long and complex passwords which would otherwise be impossible to remember.

Once you have a good software program to easily learn and securely remember all your passwords, you will still have one password which you will be responsible to remember yourself: the password to get into the password software itself.

Here is how to create a secure password which you can remember:

-Write down a list of several random words.
-Each word should be at least four characters long.
-Avoid proper names, such as of pets, relatives or sports teams, since either you or the people you know have probably already divulged such information on Facebook and the like.
-Avoid picking phrases from literature, since there are hacker scripts which look for that. (However, you might decide to pick a book you like and pick words from random positions on random pages.)

Start writing your password beginning with one of those words:
-Before or after each word, insert either a number or symbol. (It’s okay to repeat an element!)
-Avoid the numbers 0 and 1 since they can be confused with the letters “oh” and “el”.
-Capitalize some of the characters.
-Use 3-5 words.
-Type your password into a document to see if it is easy to type quickly.
-Adjust your password for ease of use.

Write down the final version of your password before you enter it into a website or program, then:
-Write the final password
-Then transcribe the password by looking at the written version, rather than typing what you remember.
-Once you have created your password, log out and log back in. (This avoids issues with both misremembering and mistyping a password.)
-Keep the password in a safe place you can easily remember, such as a household safe or a safe deposit box.
-Avoid attaching it to your laptop or any part of your computer (such as monitor or keyboard) or anywhere in your workspace, such as in a desk drawer.
-Practice using your password several times a day until you are sure it is memorized.

Here are some interesting resources for you to look at when thinking about how passwords work and how to make them better:

Graham Cluley discusses password rules and password management software –

N3v$r M1^d password rules. Get a password manager to generate and remember your passwords instead

Dr. Mike Pound demonstrates how quickly scripts can crack passwords and explains in simple terms what that means –

In 2013 (seven years ago) a security researcher loaded Wikipedia into a password cracking algorithm and found this password “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn” which is a quote from a book by H.P. Lovecraft –
https://arstechnica.com/information-technology/2013/08/thereisnofatebutwhatwemake-turbo-charged-cracking-comes-to-long-passwords/

And here’s a little humor – https://www.youtube.com/watch?v=2tJ-NSPES9Y

Surge Protectors 101: What to do after a power surge.

I was recently on-site at a client’s after they had three power-related outages due to windstorms. In all three outages, a power strip was affected. One surge protector had turned itself off, and two had burned out. (The picture above shows the brown stains from ionized metal and plastic vapors which were caused when the power tap burned out.)
While you can’t prevent power spikes, you can make sure that any damage falls on a good quality surge protector rather than your cell phone or computer. The first step is to ensure all equipment is plugged into a quality surge protector. Electricity will find ANY path to ground, so if even one of your devices is plugged directly into the wall, then the voltage can flow through it into the computer and then throughout the network cabling, potentially damaging multiple devices and systems. A good motto to live by is “if any equipment is unprotected, all of it is unprotected.” (Please note that “power taps” don’t offer this same level of protection.)

If you already have a surge protector, check the light on it to ensure the protective parts are still functional. After absorbing a certain amount of damage, the surge protector stops working and turns into a power tap. You will still have the illusion of protection, but if your surge protector doesn’t have an indicator light, or if it is over 10 years old, it is time to replace it!

Here is a review of one option that I recommend which auto-shuts off when it burns through the protection.  To purchase this APC protector, click here

Additional options may also be found at Lowe’s Hardware.

If you are interested in learning more about surge protectors, this is a good article by CNET

Additionally, sometimes people use battery backups for their servers, and even sometimes for desktops.  If you have a battery backup, it makes sense to purchase a spare battery for it so you can quickly repair it when the battery gets used up or stops functioning.

I believe it’s also important to mention that surge protectors are not a solution for all devices. Some devices don’t need surge protection, and some are actually a source of electrical noise themselves. For example, if you plug a space heater, fan, shredder, microwave, refrigerator, or vacuum cleaner (…or really any appliance in general) into a surge protector, it can actually damage the surge protector and reduce its lifespan.

This newsletter is meant for informational purposes, but as always, I’m here to support you. Please call me if you would like assistance in selecting surge protectors for your business, or would like for me to review your current power set-up.  

Andy

Check your clipboard!

Do you know who has access to your clipboard?

Smartphone apps are repeatedly reading and accessing your saved clipboard data, which may include all sorts of sensitive information. This privacy invasion is the result of these apps repeatedly reading any text that resides in your clipboard (which computers and other devices use to store data that has been cut or copied from things like password managers and email programs). For reasons that have nothing to do with the services the apps are supposed to provide, smartphone apps as diverse as TikTok and the New York Times are pulling personal data from your clipboard in an attempt to spy on your other phone activity.

Initially, these activities had only been observed on iOS platforms, but it is now known that they occur on Android platforms as well. Regardless of your device choice, it’s a good idea to avoid copying sensitive data unless absolutely necessary, and to clear out the clipboard when you do copy valuable info. Many of us use the clipboard to copy and paste passwords, while password apps such as LastPass use direct mechanisms. This is yet another reason you should switch to a secure, easy-to-use password management system. Additional information can be found in these articles and blogs:
Schneier Tech Blogs: iOS and Android
ARS Technica Article 
EnGadget Article

This post is meant for informational purposes, but as always, I’m here to support you. Please call me if you would like assistance in clearing your clipboard, or to review best practices for saving data to your clipboard. 
Andy

News About Newsletters…

Staying in touch with your current or potential clients is more important than ever. Whether it’s new hours of operation, changes in how clients access your offices, or any other news about your business, getting the word out is crucial. However, sending out a newsletter or marketing campaign correctly, and making sure the intended audience is reached, are even more important.

Based on my research, as well as personal experience with my own clients, I’ve discovered that most people will mark your newsletter or email campaign as spam – rather than unsubscribe – even if they signed up for it (and liked it at one time).  As well, the dead addresses in your distribution lists might be re-animated by GMail, Yahoo or Hotmail in order to catch spammers who still have those addresses in a database.   

One way to fix this is to sign up with both Outlook.com and GMail in order to claim, or vouch for the legitimacy of your domain. You can register through Gmail to validate your identity, as well as to learn how you can better control your email blasts to ensure that fewer of them end up in the oubliette.

Both these linked articles below are from email marketing companies, but they offer plenty of good advice for people doing a lot of email marketing:

How Spam Filters Work (And How to Stop Emails Going to Spam) [ca. 2018]

Where Do Boring Marketing Emails Go to Die?  [ca. 2016]

This post is meant for informational purposes, but as always, I’m here to support you. Please call me if you would like to discuss the best email campaign options for you and your business.  

Andy

New Billing Policies

Due to the majority of my client support work now being done remotely, I have been forced to change my billing procedures.  For phone support, I previously only charged for calls longer than 15-minutes.  I will now begin billing for phone support after 5-minutes.  Client phone support billing will now be in 5-minute increments instead of 15-minute.  And, any support requiring remote access will be billable from start of call.  Thank you for your understanding of these changes.  Please don’t hesitate to contact me with any questions or concerns.

On another note, I spent some time this weekend on the phone with Comcast to better understand the ways in which they (and other utilities) are helping their customers during the Covid crisis.  My rep at Comcast has helped his small business clients move to smaller office spaces, reduce broadband service levels to cut costs, and has even waived early-termination penalties for business that needed to stop their services altogether.  If you’re interested in learning more, send me an email or call me directly to discuss, as I can offer some good advice on lowering your monthly bill, as well as who to contact at Comcast.

I also have many tools for remote access and remote control support. I recently setup Zoom for my grandma in her farmhouse in rural Wisconsin so she could get more company from distant relatives – all by remote control. If you have family needing tech help, let me know and I can arrange for it!  

This newsletter is meant for informational purposes, but as always, I’m here to support you – especially during these challenging times.  Please call me if you would like to discuss the best options for you and your business to continue to successfully work remotely, and best utilize my services.  

Andy

Scams…again??!!

I know it is exhausting to be constantly vigilant about emails, but sometimes you can fall victim to a scam or virus even from trusted senders.

Unfortunately, it is becoming all too common that you or your business might be sent an invoice, letter or invitation via email – possibly to be listed in a bogus directory, pay an invoice, or to renew your website domain name – that is really a phishing scam. These scams take advantage of the fact that the person handling the administrative duties for the business may not know whether any vendor purchases, advertising or promotional activities were actually requested.

Many email-based ransomware scams use fake invoices as attachments to infect your computer. As an example, if you receive an unexpected bill from a utility provider, do not open the attachment.  

Using information they have obtained by hacking your computer systems, a scammer posing as one of your regular suppliers will tell you that their banking details have changed. They may tell you they have recently changed banks, and may use stolen letterhead and branding to convince you they are legitimate.

They will provide you with a new bank account number and ask that all future payments are processed accordingly. The scam is often only detected when your regular supplier asks why they have not been paid. Fake invitations will often include a form to be filled out, and ask for your business contact details with an approval signature. You might be led to believe that you are responding to an offer for a free entry, but the form you are asked to complete is a disguised invoice or contract with the amount owed hidden in tiny print.

Some things you can do to protect yourself and your business:

  • Always check that goods or services were both ordered and delivered before paying an invoice, and always read the fine print carefully.
  • Try to limit the number of people in your business who are authorised to make orders or pay invoices. Make sure the business billing you is the one you normally deal with.
  • If you notice a supplier’s usual bank account details have changed, call them to confirm.
  • If you receive a telephone call or ‘invoice’ that comes from a publication you have never heard of, do not pay or give out your details until you have looked into the matter further.
  • Keep written records of your authorisations for advertising or directory entries. If you receive an invoice or a telephone call, you can go back to your records to check it.
  • If you are happy with your current domain name registration provider, simply ignore any other ‘renewal’ or ‘registration’ letters that you may receive from a different company. If you do want to switch domain name registration providers—make sure you know the full costs, terms and conditions of the offer before agreeing.

Recently, one of my clients was forced to format and rebuild their entire infrastructure of 2 servers and 20 laptops from the ground up. They were down for 2 full days, and it took weeks to get back to normal. Don’t get caught, get prepared!

Copyright © 2021 Pro Activist Computer Support
