Time is quickly running out for Windows 7 and those still using the operating system. Microsoft is ending support as of January 14, 2020.
Passwords are essential to our cybersafety. We all know it, but if you’re like the rest of the digital society, you probably have dozens of passwords to remember. It’s a lot. So, you might take shortcuts. We understand. But taking advantage of our laissez-faire attitude is one way bad guys access your passwords.
Incredibly, there are still people out there using “password” or “123456” in their access credentials. Some people don’t change the default passwords on their devices when they first set them up. So, anyone can pick up a router, look at the sticker identifying the password, and access that network. Even if the bad guys are not around to physically look at your device, they can hack into your network from the outside and wreak some real havoc.
Tip: Avoid the obvious passwords! When you have to create a password, make an effort. When it’s time to update a password, don’t ignore it; change it now. Steer clear of simple, easily guessed patterns.
Cybercriminals can also guess your password. With a little bit of research about you online, they can make some informed guesses. Common passwords include pet names, birthdays, and anniversaries. These are all easy to find via your social media accounts.
Tip: Be careful what you share on social media! Don’t befriend strangers, as you are giving them access to a goldmine of info for personalizing an attack on you.
If that doesn’t work, criminals may try brute force. They might get really sophisticated and script an automation bot to run thousands of password permutations until they get a hit. The software will try a long list of common passwords and run through dictionary words to gain access to your stuff. Not cool.
Tip: Use a complex password with numbers, letters, and symbols or a passphrase. A passphrase is typically at least 19 characters long but is more memorable, as it is unique to you. Try some song lyrics and some meaningful numbers.
The criminal may also be working with info from a data breach. In early 2019, a security researcher found more than 2.7 billion email/password pairs available on the Dark Web. Criminals accessing that database could use the data as a starting point, as many people duplicate their passwords across accounts. So once a bad guy gets into one account, they can keep going and try other accounts.
Tip: Use a unique password for each site. Yes, that’s overwhelming to remember, and that’s also why you should use a password manager to keep track of it all for you. A password manager is a piece of software that runs on your computer and smartphone and records and manages your website logins, making your life easier. You can create a Master password that opens the vault to all your other passwords. You can also simply use a notepad or password book. Less sophisticated and convenient, but gets the job done.
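The guessing strategies above (obvious passwords, personal details, dictionary words, reuse across accounts) can be turned into a check that runs before a new password is accepted. This is an added example, not code from the article; the word lists, the function names and the `personal_terms` and `passwords_in_use` inputs are assumptions, with `passwords_in_use` standing for the entries already held in the user's own password manager.

```python
import re

# Constructed stand-ins for the lists a guessing tool works through; a real
# check would load far larger lists (assumption, not from the article).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}
DICTIONARY_WORDS = {"dragon", "sunshine", "monkey", "football"}
PASSPHRASE_LEN = 19  # passphrase length given in the tip above


def letters_only(text):
    """Lower-case and drop digits/symbols, so 'Dragon99!' becomes 'dragon'."""
    return re.sub(r"[^a-z]", "", text.lower())


def is_complex(text):
    """True when the text mixes letters, numbers and symbols."""
    return (any(c.isalpha() for c in text)
            and any(c.isdigit() for c in text)
            and any(not c.isalnum() and not c.isspace() for c in text))


def screen_password(candidate, personal_terms=(), passwords_in_use=()):
    """Return the reasons a candidate is easy to guess (empty list: none found)."""
    lowered, core = candidate.lower(), letters_only(candidate)
    findings = []
    # 1. The obvious ones, also when digits or symbols are simply tacked on.
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        findings.append("common-password")
    # 2. Pet names, birthdays, anniversaries: anything findable on social media.
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        findings.append("personal-info")
    # 3. A single dictionary word, which a scripted word-list run will reach.
    if core in DICTIONARY_WORDS:
        findings.append("dictionary-word")
    # 4. Already used on another account, so one breach exposes both.
    if candidate in passwords_in_use:
        findings.append("reused")
    # 5. Neither a complex password nor a long passphrase.
    if len(candidate) < PASSPHRASE_LEN and not is_complex(candidate):
        findings.append("not-complex-or-passphrase")
    return findings
```

An empty result only means none of these five checks fired; it is not a measure of strength.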
Criminals can also access your account if you’ve used a hacked public computer. The bad guys may have installed a key logger on the computer. The logger records every key you press on the keyboard. Or they might have compromised a router or server to be able to see your information if you’ve connected to free wifi (we say that’s always a No-No!).
Tip: Be cautious about your online activity on computers or networks you don’t trust.
Of course, there’s one more method of getting your password that we haven’t addressed yet. It’s the familiar phishing attack. For instance, you get an email that looks like it was sent by your bank or other familiar place. Phishing typically has an urgent message and a link that directs you to what looks like a credible page. You click a link and it asks for your email address and email password. Once you’ve done that, you’ve given the bad guys your credentials.
Tip: Pay attention to who is sending the email and hover the mouse over the link to see where it goes. If you are concerned about your bank account, for example, open up a browser and type the URL manually rather than clicking the link. Or if you’re really nervous, call the number on the back of your credit card or ATM card and ask the bank if they sent you the email. Another trick is to simply hit the REPLY button and see where the email is going…if it looks sketchy and unusual it’s probably bad.
One of our favorite exercises is to have everyone change their email and banking passwords when you change the clocks for daylight savings. That way your oldest password is just 6 months old and you will be familiar with the process in case you’re away from your computer and need to get into one of your accounts.
Finally, turning on 2FA (2-factor Authentication) or MFA (Multi-Factor Authentication) is a great way to secure your accounts. Basically, when you log in to your email or bank it will send a one-time code to your cell phone in order to get into the account. So, if a bad guy tries to hack into your account, he won’t be able to because he needs the code sent to your phone. It’s a good thing.
These tips can help you to protect your valuable passwords. Still, setting up a password manager and amping up your internet security can help too. Need support getting ahead of the cybercriminals? Contact our experts today! Call us at (732) 747-0020.
This may or may not be something you want to do. The question is do you NEED it? Let me first explain what it is.
Managed Services is the process of providing computer hardware and software (collectively known as IT) support to a company. Everything from managing the anti-virus software on your computer, your hosted website and email, not to mention the most popular use of this…replacing or augmenting your own in-house IT department.
Most businesses are in the business of doing what they do best…and it’s usually not IT support, unless they’re an IT company (duh). So instead of paying a staff to manage the internet, network/wifi, website, email, software questions and hardware problems, businesses will contract for Managed Services. Those companies are known as MSPs…Managed Service Providers. Many things are being outsourced these days. In fact, it’s been going on for decades. MSPs have been developing over the last decade, with a big growth spurt in just the past few years. Breakthroughs in technology, inexpensive online storage and super-fast internet have helped to make this a viable alternative for many businesses. Why pay a staff that needs sick and vacation days, not to mention benefits and other related things provided to an employee when you can outsource it? Signing on with an MSP can let your business do what they do best. Period.
Some micro-businesses (less than 10 people), like retirement specialists, wealth managers and other financial services providers often broker for a bigger firm and have security rules they need to abide by. Having an MSP handle the complex firewall needs, data encryption and protection can be a blessing for these “little guys” because the costs to bring that in-house can be overwhelming. Yet they need to be compliant with the broker’s demands. Surprise audits by the broker reveal shortcomings that threaten their dealership.
Generic businesses have concerns beyond the simple management of their IT stuff. They too need to be concerned about exposing their clients’ data to the “bad guys”. That can be a big problem if you’re storing Social Security numbers, birth dates and credit card information. If that gets out, identity theft is sure to follow and your business will be liable for the damages. We always recommend that clients storing this type of data seek out a Cyber insurance policy. That’s not enough though because if you haven’t adequately protected your network and the data, the policy won’t pay if you get breached. And speaking of breached…
A breach is when bad guys get past your network security and start poking around your internal network and computers until they find some data. Oftentimes they will then encrypt your data, making it impossible to open, and then try to sell you the key to unlock it. It’s a dirty, dirty business and is happening all over to small and large businesses alike. It’s called Ransomware and can cost thousands of dollars. If one of your employees clicks on a bad link in an email or social media post taking them to a poison website, that can start this nastiness. If your network typically allows for remote access by employees, you are particularly prone to an attack because the access exists, even if there’s a username/password to get in. The bad guys are good at “brute force” attacks that can crack that info and get in. You need to treat your business like a medieval castle; you need a moat, a drawbridge, vats of hot oil, archers in the towers and my favorite…a dragon! Just a lock on your front door is not enough for these types of attacks.
An MSP can provide network protection, hardware support, handle software installations and questions and perhaps the most important thing is protecting you from yourself with managed anti-virus and web-filtering to make sure if you do click that bad link it will prevent any bad stuff from coming back in.
What about a home user…do they need an MSP? Maybe not to the extent a micro-business needs it, unless there’s a home-based business being run out of the house. Home users still may need or want robust network security as well as support when something goes wrong. The needs of the home user are a bit different, if not the same but on a smaller scale than a business. They still need a managed anti-virus, web-filter and a good firewall to be truly protected. Maybe just a moat and a drawbridge will do. But a dragon would be super-cool!
Home users are also worried about identity theft and password management (jeez, what a mess that has become for us all), not to mention internet access rules for the kids. Seeking out a company that can put a security blanket around your house (maybe decorated with dragons?) can be very comforting. With all the tech in our homes these days, the concept of a breach using those devices is becoming more and more possible.
So, do what you do best and let the MSP handle the rest. And don’t forget the dragon!
More than ever, the bad guys are trying to get you to part with your money.
Scenario #1 – the phone rings. Either a recorded voice or a live person with a foreign accent tells you that your computer is infected with viruses and your data and banking transactions are at risk. They claim to be with Microsoft, Windows, Apple, iCloud, Verizon, Comcast and others. They will say anything to give themselves enough credibility that you don’t hang up on them!
Scenario #2 – you’re surfing the web or fiddling on social media. Maybe you simply mistyped a web address, but you end up on a website you did not intend. Then it happens. A scary screen shows up saying you’re infected and your data and banking transactions are at risk. Sometimes it even talks to you or a siren begins blaring. It says to call the 800 number or really bad things will happen. So you call.
Scenario #3 – you’re struggling with some tech item. Maybe a printer or your wifi. So you google “tech support phone number XYZ company” and you see the number and call. The only problem is that’s not the company you were looking for and the bad guys with money advertise so heavily on Google that they appear at the top of the search results. You call and speak to the pleasant sounding bad guys.
Scenario #4 – like #3 above, you’re having a tech problem, but this time you know the right number to call. You have it printed on the manual or some other documentation. You call and speak to a tech from the right company. During the conversation, maybe it’s discovered you have some malware or other bad software installed on your computer causing you problems, so the tech gives you another number to call. A number that IS NOT for the company you called in the first place! It’s his buddy somewhere else who’s trying to get money from you.
With any of the above scenarios, the bad guys convince you to allow them to connect remotely to your computer so they can show you the problem. Many people smell a rat at this point, but others remain concerned their data may actually be at risk or that they are spreading a virus and they let the bad guys in. They point you to a website and have you put in a code and click a few buttons, and voila! They are on your computer and moving your mouse around. It’s fascinating. To a point. To watch the mouse move, letters being typed and windows popping up is oddly…well, fascinating! Also, very dangerous if the ones moving the mouse are the bad guys.
They show you some scary things that they pawn off as viruses. The fact is, every computer has scary looking stuff on it. The key here is scary “looking”. If you don’t know what you’re looking at, it can be scary for sure. At this point the bad guys convince you they can clean up the infections and make it all better. They install some programs (which are all legitimate by the way) to clean-up some junk files that all computers have. They may even install an anti-virus program and sell you on a subscription. They want your credit card info so they overcharge you for the software and their services. Sometimes as much as $1000 for “lifetime” protection. They may even tell you to go to Walgreens or CVS and get some gift cards to pay for the items. This is the second point where people smell a rat. Some will just hang up the phone. The bad guys call back and maybe you yell at them or hang up again. That’s when they put a password on your computer so you can’t get back in again. Terrible stuff. They keep calling you back and then you pack up your computer and bring it to your local computer repair shop.
We see this so often here at Two River Computer that we gave it a name; Unauthorized Access. Read more about it by clicking here. If this happens to you, just turn the computer off or close the lid if it’s a laptop. Then call your local computer repair shop for help. Don’t be too quick to cancel all your bank accounts and credit cards, but if you’re genuinely concerned ask them to put a “watch” on the accounts for suspicious activity.
Trust your instincts when it comes to this stuff. If you’re on the phone with someone and you don’t feel right about what they are asking you to do, just hang up!
It’s possible, but probably not based on what we know at this moment.
However, like many stories in the headlines of the newspapers, TV and social media, the numbers and facts can change. It’s true. How many times have you read about a tragedy only to find it’s actually 10 times worse than originally reported? Likely because it’s more important to be first than to be accurate. It was originally reported that Russian hackers had attacked some internet routers. Now they are saying that even more countries were targeted than initially thought, though the Ukraine was notably the largest. And the number of affected routers is growing.
So here’s what we know right now.
On Friday May 25, 2018 the FBI reported that hundreds of thousands of home and small office routers had been compromised by Russian computer hackers with malware called VPNFilter. Their goals are typically to collect user data (browsing habits, identity info, passwords), shut down your network or attack another network using your devices.
Scary to be sure.
The original suspected intent of this attack was to target all those devices inside your home that connect to the internet and don’t have a person sitting at them. Video cameras, nanny-cams, thermostats, speakers, alarms, personal assistants (Amazon Echo, Google Home), smart TVs and more can all become an army of robots that can attack and bring down websites and servers.
Now they are saying that the attack can alter info you see on the internet if your network is compromised. Imagine seeing your bank balance at a steady number, but the bad guys are siphoning off your money? You could even be making a purchase at a familiar place, but your payment is going somewhere else and you never get your item.
They are also saying even more countries were targeted than initially reported…and the total number of targeted routers now exceeds 700,000. And the number of manufacturers named in the router list has expanded greatly from initial reports.
So now what?
We are all concerned, even if only mildly, that our money will get stolen or our identity will get hijacked while surfing. My opinion is that I think we are all pretty safe. The same safe feeling you get when you get in your car and you buckle up and see that airbag light on. But that doesn’t mean some idiot won’t hit us because they’re updating their Instagram while driving! We need to always be diligent even if we feel safe.
The fact is there are loads of safeguards to protect our online surfing. Your local computer has protection, your bank has protection, the Amazon web servers all the big companies use all have military-grade firewalls for protection and Google is always on-guard to secure its traffic. And even if something did happen to you, it can and will be fixed. It may be a colossal pain in the butt, but even an identity theft can be undone.
What we were told to do to fight this attack was to reboot (restart) our routers. Yup, simply unplug them from power, wait 30 seconds and then plug them back in. That action will “flush out” any malicious code that was injected into your router. For the time being. There’s software that runs on your router, called firmware. It should be updated if your router is on the list. And perhaps more importantly, the default administrative password that came with your router needs to be changed NOW! You may even want to consider performing a “factory reset” of your router, or better yet, a new router if this whole thing makes you nervous.
You can contact the router manufacturer for assistance in upgrading firmware and changing the default password. You can also call your local computer repair folks. They can handle this for you.
PLEASE NOTE: as of this writing, Verizon FiOS and Comcast/Xfinity routers ARE NOT AFFECTED. Primarily because they have unique default passwords and firmware upgrades are handled directly by them.
So, will the list of affected routers get bigger? Will the attack be more widespread? The FBI actually seized the server that started all this, but they believe the bad code is still out there and may even have a delayed payload and attack later on. We feel that it’s better to be safe than sorry and you should do something if your router is on the list. Maybe even if it isn’t.
Heed the warnings and carry on.
Looking at this as a parent myself, and a technologist, I say “just enough” control is all I really need.
I want something that will lessen my own anxiety and make me feel like I’m in charge…not my kids. I’m one of the few parents I know that actually knows more than their kids about technology. So I can only imagine some of the genuine fear that some may have when the kids are behind closed doors or little Johnny’s friend brings over his laptop or iPad for a playdate. What are they watching? Why do they keep hiding the screen when I walk in the room?
As I am prone to say, “the fun never stops”.
There have been many approaches to the concept of “parental controls” since computers began appearing in kitchens and family rooms in the mid-1990s. Some of the early players were software programs that got installed into a computer and could filter internet requests. It was sometimes tedious to work with because you often had to create your own “black list” of websites or keywords that you didn’t want your kids to see. And then came the “white list” when good things got blocked.
We saw a lot of this being applied when classrooms full of computers started appearing. Products like NetNanny, SafeEyes and K9 were popular and did the job. In homes, some parents would put the computer with the screen pointing into an open area so they could see everything. That was a great deterrent. The software helped too, but kids are curious. Naturally. It’s normal.
Next, we saw some internet routers that had some of this web-filtering capability built-in already. That was helpful in homes with more than 1 computer, which started in the early 2000s. It was a great start to what I call “whole-house” protection. Anything that connected to the router to get internet access had the parental controls applied. Sounds good, but it was cumbersome. Again, you had to create white and black lists of websites and keywords.
As time marched on, these products got better. Then the websites themselves got classified based on content, which helped a lot. Like the movie or video game rating system; G, PG, MA, R, etc. The software installed on the computer or built-in to the router could filter by category. You could easily block things like guns, drugs, sex, hate and more. They also started using their own database of dirty words and phrases so you didn’t have to make your own lists. Some of those words…wow!
These days with each person having 2 or more devices (and some of those persons are under the age of 5!) managing the internet access and content allowed has become a real job to manage. Software and apps can do a lot, but they are device-dependent. If the software gets removed or another device is used, then it doesn’t work. I run into parents all the time that tell me about the best app they just put on their kids’ phone and how they feel so safe knowing they are being protected. Until I show them the workaround that kids can usually find a few hours after you put something on the device. I often say, “install something at breakfast and they found a workaround by dinner”. This is not true for all, but I see this a lot.
So what’s a concerned parent to do?
I subscribe to the idea that in life there is “an acceptable amount of abuse”. This may not be popular, and abuse is a strong word, but somehow fitting. In the 1980s it was using the work phone to talk to your sister in Indiana. In the 1990s it was using AOL instant messenger to chat with your friends. In the 2000s it was using company internet to sell your Beanie Babies on eBay. Now it’s social media and texting while working. It’s OK to do these things a little. We sometimes need to look the other way…but not for long. I think the same thing applies to the kids and internet access. We hope they make good choices based on how we raised them.
Back to the “whole-house” solutions. The concept here is that ANY device that enters your home can have filters applied. Individual profiles can be created for each family member and their respective devices to allow the proper amount of access. A 5 year-old shouldn’t have the same access as a 15 year-old. The bigger bonus these days is how much control we can actually have. Things like a “bedtime” when the internet will cut off for a user and ALL their devices. You can even assign an amount of time per day they can spend on their devices; even how much time per app can be assigned. Some devices even allow you to PAUSE the WHOLE HOUSE for when it’s dinner time. Game changer!
In the end, parental controls are good. They can help us feel better about what our kids are seeing and how much they are seeing. But it’s no substitute for good parenting. Tell your kids why the internet can be bad…or addictive…or hurtful…or helpful. Teach them about time. Good time. Bad time. Wasted time. Time well spent. You get the idea.
It depends if you like to gamble or not.
It seems that not a week goes by when we are not reading about some kind of cyber security breach at a big-name retailer or corporate giant. Sometimes they can be attacks by a rogue government, or even by a teenager in the Ukraine.
But what about me? Am I safe? Surely these problems won’t ever affect me, will they?
Well, that depends on a lot of things. Cyber security requires that we adhere to some basic rules:
Allow me to elaborate a little on each of the rules.
Rule 1 – Limiting physical access. This may seem really basic, but its importance cannot be stressed too much. Lock your doors, keep your phone in your purse or pocket and don’t let other people use your stuff.
Rule 2 – Strong passwords are always a must. Here are some things to help you make them. Use special characters to replace letters; use a $ instead of an S, how about a 3 instead of an E, or maybe a ! instead of a 1. Those can definitely help make the password stronger. A phrase “sandwiched” between some numbers, like 19BornToRun75! As a Springsteen fan you would easily remember that this album came out in 1975 and adding the ! at the end makes it stronger.
Rule 3 – If the hardware or software manufacturer issues you an update, you need to install it. We all need to be sure we have a proper backup before installing the update (also referred to as a patch) in case something goes wrong. Microsoft and Adobe routinely release updates, but not so for Apple. We sigh when we see the pop-up about even more Microsoft updates, but they are all still important. And when Apple releases a security update, it’s usually pretty serious so do it right away.
Rule 4 – Have a good security program installed on your computer. And yes Virginia, Macs do get infected. And don’t forget about backup. The best plan is 3-pronged; the original data on your computer, a local backup device like a USB external drive or even a flash drive, and also a cloud copy using a service like Carbonite or CrashPlan.
Rule 5 – What if my device is compromised, now what? First, we need to assess what it really means. Most of our devices are not that important to be attacked. Nor is the data on them…at least not to anyone but ourselves. The best plan is prevention. That and have someone to call for help, whether that’s your neighborhood computer folks, banker, attorney or kid brother. Don’t panic, just ask for help.
For business, cyber security has an enormous and scary downside if the data gets compromised. They even sell insurance now in case your data gets stolen. But for consumers, it’s really about identity theft. Long gone are the days when our contact list was stolen and emails about Viagra, Low-Interest Mortgages and Weight-Loss were sent out. Embarrassing to be sure, but pretty harmless in the end.
Now the bad guys are more surgical. They are hijacking your email and looking for conversations between you and your brokerage house; searching for terms like “wire transfer” and other things that will allow them to see a pattern and try to have money re-routed to their account instead of yours. We witnessed it enough because the protocols of the bank or broker are not followed precisely, but it shouldn’t have happened in the first place, right?
And identity theft…this can be the worst. Accounts opened in your name or tax returns filed on your behalf are obvious signs your identity has been stolen. You have resources to help you at the Federal Trade Commission – www.identitytheft.gov. Go there to report an event if it ever happens to you.
Keep your devices near you. Have strong passwords. Install software updates. Use a security program. Know what to do if something does go wrong.