CompTIA Statement on SOTU


CompTIA has released an excellent statement, commenting on last night's State of the Union address to Congress.  Regardless of your politics, the statement puts forth some excellent ideas for working with the current administration to advance technology issues that have impact on every American citizen and business.

You may read the statement here.


Data Privacy Day is Every Day


Yesterday, January 28, was Data Privacy Day, an annual campaign about online privacy awareness led by the National Cyber Security Alliance (NCSA).  This annual event began in 2008 and this year's theme is “Respecting Privacy, Safeguarding Data and Enabling Trust.”


“Data Privacy Day highlights our ever-more connected lives and the critical roles consumers and businesses play in protecting personal information and online privacy,” says Michael Kaiser, executive director of NCSA. “Our personal information and our habits and interests fuel the next generation of technological advancement like the Internet of Things, which will connect devices in our homes, schools and workplaces. Consumers must learn how best to protect their information and businesses must ensure that they are transparent about the ways they handle and protect personal information. The future holds tremendous opportunities for improving our lives through connected technologies, but we can only build a safer, more trusted internet if everyone works in collaboration to make respecting and protecting personal information a priority.”

While this is an annual awareness campaign, the fact of the matter is that every day is Data Privacy Day.

Here are some tips from this year's event:

PRIVACY INSIGHTS AND ADVICE FOR CONSUMERS: OWN YOUR ONLINE PRESENCE

+ PERSONAL INFO IS LIKE MONEY: VALUE IT. PROTECT IT. Information about you, such as your purchase history or location, has value – just like money. Be thoughtful about who gets that information and how it’s collected through apps and websites. You should delete unused apps, keep others current and review app permissions.

+ SHARE WITH CARE. Think before posting about yourself and others online. Consider what it reveals, who might see it and how it could be perceived now and in the future. It’s a good idea to review your social network friends and all contact lists to ensure everyone still belongs.

+ OWN YOUR ONLINE PRESENCE. Set the privacy and security settings on websites and apps to your comfort level for information sharing. Each device, application or browser you use will have different features to limit how and with whom you share information. It’s OK to ask others for help.

+ LOCK DOWN YOUR LOGIN. Your usernames and passwords are not enough to protect key accounts like email, banking and social media. Choose one account and turn on the strongest authentication tools available, such as biometrics, security keys or a unique one-time code sent to your mobile device.

+ KEEP A CLEAN MACHINE. Keep all software, operating systems (mobile and PC) and apps up to date to protect data loss from infections and malware.

+ APPLY THE GOLDEN RULE ONLINE. Post only about others as you would have them post about you.

+ SECURE YOUR DEVICES. Every device should be secured by a password or strong authentication – finger swipe, facial recognition etc. These security measures limit access to authorized users only and protect your information if devices are lost or stolen.

+ THINK BEFORE YOU APP. Information about you, such as the games you like to play, your contacts list, where you shop and your location, has tremendous value. Be thoughtful about who gets that information and understand how it’s collected through apps.

PRIVACY INSIGHTS AND ADVICE FOR ORGANIZATIONS: PRIVACY IS GOOD FOR BUSINESS

+ IF YOU COLLECT IT, PROTECT IT. Follow reasonable security measures to keep individuals’ personal information safe from inappropriate and unauthorized access.

+ BE OPEN AND HONEST ABOUT HOW YOU COLLECT, USE AND SHARE CONSUMERS’ PERSONAL INFORMATION. Think about how the consumer may expect their data to be used, and design settings to protect their information by default.

+ BUILD TRUST BY DOING WHAT YOU SAY YOU WILL DO. Communicate clearly and concisely to the public what privacy means to your organization and the steps you take to achieve and maintain privacy.

+ CREATE A CULTURE OF PRIVACY IN YOUR ORGANIZATION. Educate employees on the importance and impact of protecting consumer and employee information as well as the role they play in keeping it safe.

+ DON’T COUNT ON YOUR PRIVACY NOTICE AS YOUR ONLY TOOL TO EDUCATE CONSUMERS ABOUT YOUR DATA PRACTICES. Consider features that allow consumers to opt-in to certain forms of data sharing rather than requiring them to opt-out.

+ CONDUCT DUE DILIGENCE AND MAINTAIN OVERSIGHT OF PARTNERS AND VENDORS. If someone provides services on your behalf, you are also responsible for how they collect and use your customers’ personal information.

To learn more and get involved, visit https://staysafeonline.org/data-privacy-day/.

Solid Phishing Example


I received the following email the other day and it’s one of the best examples of a phishing email I have seen.  It’s clean, branded properly and I can certainly envision an unsuspecting recipient clicking the link and exposing themselves to theft and hacking.

Here’s what the email looked like when it arrived in my Inbox:

[Image: Inbox Message]

This particular phishing campaign is obviously targeting users of Microsoft OneDrive.  With so many people now using Office 365 subscriptions, of which OneDrive is a part, this is a fertile target for hackers to go after.

When I opened the email this is what I saw:

[Image: Phishing Email]

The address looks like it should be legitimate and the branding is very good.  I could easily see someone going ahead and clicking on the View File link, so let’s look a little more closely at this message.

[Image: Email Tips]

What you can see inside the red circles is what gives this away as a fake.  In the upper red circle, the actual “from” address is clearly not a Microsoft email address.  You will never receive a message from a service like OneDrive where the display name says “Microsoft Office OneDrive Online Notification Message Center” and the actual email address is a person at a different domain name.  The spacing between the words “Online” and “Notification” in the display name is also a hint that something is suspicious with this message.

Finally, the lower red circle shows that if you hover the mouse over the View File link without actually clicking, the URL that the link goes to is not a OneDrive address.  This is a clear warning sign that if you click the link you will be directed to a web site that may try to trick you into entering private information or worse, may silently install malware onto your device.
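The two tells described above (a brand-claiming display name on an address at a different domain, and a "View File" link whose destination is not a OneDrive address) can be checked mechanically. The Python below is an added example written for this post, not code from the original message or from Microsoft; the brand domain allowlist and the sample message are constructed assumptions.

```python
# Heuristic checks for the two tells described above: a brand-claiming From:
# display name on a foreign address, and a file-sharing link that points off-brand.
# Added example for this post; the allowlist and the sample message are constructed.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of domains that legitimately send OneDrive / Office 365
# notifications. Build yours from known-good messages in your own mail logs.
BRAND_KEYWORDS = ("microsoft", "onedrive", "office")
BRAND_DOMAINS = ("microsoft.com", "onedrive.com", "live.com", "office.com",
                 "office365.com", "sharepoint.com")

def domain_of(address):
    """Lowercased domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].lower()

def in_brand_domains(host):
    """True if host equals, or is a subdomain of, an allowlisted brand domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def check_from_header(from_header):
    """Flag a brand-claiming display name on a foreign address and odd spacing."""
    findings = []
    name, addr = parseaddr(from_header)
    if any(k in name.lower() for k in BRAND_KEYWORDS) and not in_brand_domains(domain_of(addr)):
        findings.append(f"display name claims brand but address is {addr}")
    if re.search(r"\S\s{2,}\S", name):  # e.g. "Online  Notification"
        findings.append("display name contains doubled spaces")
    return findings

class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_links(html_body):
    """Flag links whose text suggests a shared file but whose host is off-brand."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        host = urlparse(href).hostname or ""
        if re.search(r"view|open|file|document", text, re.I) and not in_brand_domains(host):
            findings.append(f"'{text}' link points to {host or href}")
    return findings

def analyze(raw_message):
    """Run both checks over a raw RFC 822 message (bytes) and return the findings."""
    msg = BytesParser(policy=policy.compat32).parsebytes(raw_message)
    findings = check_from_header(msg.get("From", ""))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            findings += check_links(part.get_payload(decode=True).decode(charset, "replace"))
    return findings

# Constructed sample resembling the message described above (not the real one).
SAMPLE = b"""From: "Microsoft Office OneDrive Online  Notification Message Center" <jane.doe@example-partner.invalid>
Content-Type: text/html; charset="utf-8"

<html><body><p>Someone shared a file with you.</p>
<a href="https://files.example-phish.invalid/onedrive/view">View File</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("WARNING:", finding)
```

Run against the constructed sample it reports all three tells; a genuine notification from an allowlisted domain with a matching link produces no findings.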

I hope sharing this example will help you avoid falling victim to any phishing attempt, not just this one.  Stay Safe Online!

Another Exciting Day for Onepath-Updated



Update – Channele2e posted a nice article about this on January 26, 2017.

Today, Onepath announced our acquisition of Paradigm Computer Consulting to our clients.  This is an especially exciting development for me, as I have been friends with the owners of Paradigm since 2004.

Ironically, even though Paradigm is headquartered in Bedford, NH, we actually met in Tampa, FL at the inaugural ConnectWise Partner Summit, what is now known as IT Nation.  There were several of us from New England, all about the same age, all with very similar young and growing Managed IT Services businesses.  At that time, we formed a group we called NECWUG, short for New England ConnectWise User Group, to stay connected with one another throughout the year.  It started as an email group on Yahoo and we stayed in close touch, helping each other to grow our businesses.  What started as professional interactions quickly became strong friendships that bridged the professional interaction to share personal triumphs, tragedies and all that life has to offer.  Over the years, the ranks grew to include others across the country, some just as professional friends but many becoming personal friends as well.

Fast forward to today’s announcement and for some of us, things have come full circle.  Two years ago, Paradigm acquired Excel Tech in Providence, RI, another NECWUG original.  Today, Paradigm is now part of the Onepath family.

Coupled together as Onepath, we are the best team in the industry with years of excellence, expertise and passion that is simply unmatched!  In case it’s not obvious, I’m incredibly excited about our future and welcoming the Paradigm team and clients to Onepath.  With strong local presence throughout the Northeast and Southeast coupled with our growing national presence, we are truly the Easier Way to Get Hard Things done, from the Cable to the Cloud.  We do this by bringing More Horsepower, More Commitment and a More Complete Game Plan to our clients, every day.

Here is the announcement we sent to our New England based clients this morning.  A similar message was sent to our Southeast clients as well:

As an important Onepath client in New England, I wanted to share some exciting news with you. We at Onepath are continuing to evolve and expand our capabilities to better meet your business needs.
 
After successfully integrating Internet & Telephone into the Onepath family last summer, I am excited to share that we recently acquired Paradigm Computer Consulting (Paradigm), a leading technology services company, headquartered in Bedford, NH with offices in RI, FL and OH. With this acquisition, we are happy to have an expanded presence in New Hampshire, serving our existing and legacy clients. In addition to that, we now have enhanced our presence throughout the northeast and strengthened our capabilities in the legal, financial services and healthcare market verticals in the managed services market nationally, all while remaining just a click, email, or short drive away from our clients.
 
Paradigm has been extremely successful in expanding its business and loyal client base across multiple geographies. By combining forces, we now expect to build upon our collective strengths to offer more horsepower and local presence as we continue to deliver superior end-to-end technology solutions to clients like you.
 
We look forward to sharing more details in the coming months.
 
About Paradigm
  • Paradigm Computer Consulting provides business-class Managed IT Services, VoIP Telephony Solutions, Backup and Disaster Recovery Services, and Network Security Solutions to help businesses with almost any aspect of their IT and communications strategy.
  • The company, headquartered in Bedford, NH and with regional operations in Providence, RI, Columbus, OH, and Clearwater, FL, provides first class service in a proactive manner to over 300 business customers in those markets across legal, healthcare and the financial services market verticals, among others.
  • You may learn more about Paradigm by visiting: http://www.paradigmcomputer.com/
We are excited about the future as Onepath continues to expand our portfolio and geographies. In the meantime, if there is anything I can do to help you please let me know. Thanks for being a great client.
 
Regards,
MJ
Please check out my IT blog at mjshoer.com.  I hope you’ll consider subscribing for updates and please share your feedback.
MJ Shoer | Director, Client Engagement & vCIO

Direct: 978.683.9100 x305 | Mobile: 603.234.2079
mshoer@1path.com | www.1path.com

Netflix Phishing Alert


There is a new, pretty aggressive phishing attack against Netflix users out there.  The scam starts with a friendly email regarding your account and if you engage, the bad guys behind this will try to trick you into sharing information with them.  Don’t ever provide billing information via email.  If you think it may be legitimate, call the company; don’t give them what they are looking for electronically.  With so many Netflix users out there, this will not be the last time that hackers try to get you to release information that will let them compromise your account and steal your identity.  Stay Safe Online!

Beware the Tax Scam – Updated


The following was published in today’s Foster’s and Seacoast Sunday.  This is an updated and expanded version of post from earlier this week.

It seems like each year, there are more and more tax scams that kick into high gear right after the New Year. This is because tax season is upon us. As the tax man cometh, so does the tax scam, especially online.

You may recall that last year, the IRS reported an alarming rise in the number of fraudulent tax returns filed, using compromised identities in order to get tax refunds the legitimate taxpayer was entitled to. Unfortunately, the criminals doing this were the recipients of these refunds and the actual taxpayer was often unaware this had happened until they tried to file their actual tax return.

The increased alarm this year is in part due to the massive Equifax data breach that was reported last summer. That data breach was unique as it was the first time that a credit bureau had been breached. Because they are a credit bureau, you may not have realized how much personal data that they have on file for you. The exposure was reported to be nearly half the population of the United States. Literally hundreds of millions of Social Security numbers and other private information related to your personal identity may have been released. To date, the impact is not truly known.

Many security experts are concerned that this year could see a record number of fraudulent tax return filings due to the massive amount of information from the Equifax data breach that may be in the hands of bad actors. We likely will not know for sure until tax season has passed.

Many tax professionals are advising that individuals file their tax returns as early in the tax season as possible. In effect, try to beat the hackers by filing before they do. That is one way to potentially prevent a fraudulent filing in your name. However, you have no way of knowing if you could be a victim, nor will you know until you actually file. As the cliché goes “the best defense is a good offense,” thus the recommendation.

There are several other tax scams to be aware of as well. The most common are phishing email campaigns that try to trick you to open attachments or click links that will compromise your system, allowing the hackers to steal your personal information. Remember the IRS will never send you an email attachment, nor a link to click and then enter private information. Nor will the IRS ask you to make a payment via email or link within an email. If you owe money to the IRS, you will always receive a paper bill, in the mail. Even at that, it’s a best practice to call the IRS and verify the validity of that notice.

If you use a tax preparer, check with them for their guidance before doing anything online. While many are able to e-file, do so at your preparer's direction, not from unsolicited email messages. As with just about everything in life and online, common sense is your best defense. If it doesn’t seem right, don’t do it.

You even need to be careful using your social media accounts. I’m sure you’ve seen people posting their responses to what seem like fun lists of information. These are posts you will see from friends that list places they have been, what their first pet was, states they have lived in and more. While these seem like fun and innocent things to do, they expose information that can be used to help compromise your personal identity through social engineering when combined with other information about you. So think twice before participating in these, as tempting as they are.

The IRS maintains a page devoted to communicating tax scams and consumer alerts at www.irs.gov/newsroom/tax-scams-consumer-alerts. I recommend you check that page whenever you have a concern about a potential tax scam. Currently, the page lists the following scams considered to be actively in use: IRS-impersonation telephone scams, scams targeting tax professionals, soliciting W-2 information from payroll and human resources professionals, email, phishing and malware schemes, and fraudsters posing as the Taxpayer Advocacy Panel.

What is important to recognize from this list is that in addition to the actual taxpayer, tax preparers are a target. Obviously, these firms have access to a wealth of private information that includes everything a hacker would need to impersonate someone. It stands to reason they would be a target and these firms have an obligation to do everything that they can to protect the private information that is in their trust. Similarly, HR departments are a target, for the personal and payroll information that they have access to. They too must have robust defenses and procedures in place to protect this information and prevent unauthorized release.

I posted about this on my blog, earlier this week. I will continue to monitor for new information as it becomes available. Hopefully, this information will help you maintain the safety of your personal information and ensure that your tax information and hopefully refund, remains yours and yours alone.

Beware the Tax Scam


The good ‘ole cliché is usually “Beware the Tax Man” but in today’s interconnected world, the tax scam is more concerning than the tax person (the cliché is gender specific in its origin), for sure.

As tax season is now in full swing, you will surely be the target of a hacker, phone scammer, phishing campaign or other attempt to get you to release private information that could be used for fraudulent purposes.

Common scams include email phishing with links to malicious sites that will install malware on your systems in an effort to obtain private information like social security numbers, account numbers, address verification, confirmation of responses to secret questions and more.  Even answering those fun lists on social media sites like Facebook that ask you to list out things only you know about yourself is a risk.  Social engineering will scrape this information and put it together with other information to gain a more complete picture of you which may be used to open accounts, file tax returns or more.

Experts advise filing your returns as early as possible as a proactive defensive measure.  Last year, many fraudulent tax returns were filed and hackers received refunds from the fraudulent filings.  The actual taxpayer did not learn this had happened until they filed their return, often in April.  Then they learned a return had already been filed in their name.  Filing early can prevent that from happening.

With the massive Equifax hack that occurred this past year, experts are expecting that this tax season may see a sharp increase in the filing of fraudulent tax returns.  That hack exposed millions of social security numbers to unknown bad actors.  Tax season could present the conditions for these leaked identities to be taken advantage of.

Remember that the IRS will never call you or email you asking for payment via phone or by responding to an email or clicking a link to enter payment information.  The IRS is very specific in how it communicates with taxpayers.  Asking for payment via obscure payment methods or through email will never happen.  If you owe the IRS money, they will send you a bill via the US Postal Service.  Call the IRS and verify the legitimacy of the bill.  Don’t pay it until you confirm it.

If you use a tax preparer, be sure they are informed of any contact you receive as they can help you validate whether or not the contact is legitimate.  If you don’t use a tax preparer, practice extreme caution when providing information over the phone or electronically.

Huawei & ZTE, the New Lenovo and Kaspersky?


You may recall reading about US government concerns regarding Kaspersky Lab's alleged ties to the Russian government and Lenovo's ties to the Chinese government.  Both of these brands are banned in most US government agencies out of a concern that their presence could present security risks.  Specific concerns were related to software and hardware components that could be used to spy on users with hardware and software from those companies.

You may not yet recognize the names Huawei and ZTE, but they are Chinese manufacturers of technology devices.  Both have manufactured devices for other manufacturers, but both are also introducing devices into the US market under their own brand names.  Huawei has started an aggressive advertising campaign to drive demand ahead of entering the market.  The US government has similar concerns about these companies.  They have long been rumored to have ties to the Chinese government.

In response to these concerns, Texas Representative Mike Conaway has introduced a bill called the Defending U.S. Government Communications Act.  Its intent is to ban US government agencies from using products from these manufacturers.  It follows a growing concern within many governments about adversaries using technology to try to infiltrate secure systems or influence society.

It is unclear if this new legislation will become US law, but it does underscore the concern of the intelligence communities around the world about this evolving threat.

Update on Meltdown & Spectre


Here is the latest regarding the Meltdown & Spectre threats that have been widely reported on since last Thursday.  If you are not aware of what these risks are, please review my prior post, Meltdown & Spectre, What You Should Know.

Here’s what we know as of this moment:

  1. The bug is real and affects just about every microprocessor released since 1995.  This includes servers, PCs, Macs, smartphones, tablets and even Internet of Things devices like smart thermostats and other smart home and commercial technologies.
  2. The flaw was discovered by Google security researchers this past summer, who reported it to the appropriate manufacturers.  While the threat was taken seriously and work has been underway to fix the flaw, the information was released to the public out of concern that details were beginning to leak out before the patches were ready for distribution.
  3. Microsoft, Intel and others have already released patches to begin fixing this issue.  Your internal IT department or trusted IT partner is likely already in the process of deploying these patches to safeguard your systems.  For home and personal devices, only install patches that you are certain are from the actual manufacturer.
  4. Never apply a patch from a link in an email message.  Bad actors are taking advantage of phishing and other social engineering techniques, to try to trick users into installing a patch that is actually malware from a hacker.  Only install patches you can verify!
  5. Most reports suggest that you will see a performance slowdown as a result of these patches.  Maybe.  For most users, you will not notice a performance impact.  For some intensive applications, a performance slowdown may be unavoidable, but for most average users, you will not notice a difference once the patches are installed.
  6. Intel has stated that they will have patches for 90 percent of the affected chips within a week.
  7. Some users with AMD chips are reporting issues after applying patches, so be sure to read up on the manufacturers' web sites for the latest information before applying a patch.
  8. Just last night, during the keynote address at the Consumer Electronics Show, chip maker Intel announced the formation of a new internal security group to focus on improving the overall security of Intel technologies.  “Security is Job No. 1 for Intel and the industry,” said Intel CEO Brian Krzanich.  This type of focus will only help mitigate future issues and I applaud the response.

I will continue to monitor events for any new developments.  For now, it still seems that these threats have not actually been exploited, but nonetheless, I absolutely recommend remaining diligent and patching your systems without delay.

How Did You Weather The Bomb Cyclone?


The following article was published in today's Foster’s and Seacoast Sunday.

By the time you read this, you will have hopefully survived the “Bomb Cyclone” that rolled through on Thursday. I got a kick out of all the reports in various media about the storm’s “wicked cold” and “polar vortex.” It’s winter in New England. You never know what’s coming and when.

Storms like this provide a stark reminder that businesses don’t stop due to weather. Successful companies need to be able to operate through storms like this and ensure their staffs are able to work wherever and whenever they need to.

Successful companies today employ a range of strategies to remain functional throughout any event that could impact their offices or staff. This is mostly done by leveraging Cloud or data center services to disperse the organization’s business systems across geographies in order to insulate the business from a catastrophic event in any one geography.

To put this in layman’s terms, this means not relying on a computing infrastructure that is solely located in the company’s sole office location. That’s how it used to be done, but not today. In the past, especially for smaller businesses, but for many medium- and larger-sized organizations as well, a single location would be where you would find one or more servers that run all of the business systems. Email servers, file systems, printing, databases, accounting applications, any proprietary software would all be on these servers. If the office was not accessible, neither were the systems unless the business invested in power infrastructure, like generators, to keep the servers running in the event of a power outage. This would also require robust remote access infrastructures, so that employees would be able to access these resources.

Today, this is accomplished very differently and quite cost effectively. Smart businesses have servers and systems offsite, in the Cloud, a private or public data center or a combination of these. Many companies have moved to Office 365 or Google G Suite, mostly for email, but potentially other productivity applications and services as well. With email moved offsite and into a data center infrastructure managed by industry giants Microsoft and Google, you can be assured you will not lose your ability to electronically communicate when a storm runs through your local regions. Email has become a primary form of communication for both internal and external contacts. Ensuring this capability is “always on” is more critical than it has ever been.

Having critical business systems offsite also ensures availability. When your applications are running in the Cloud or a data center, your systems will be more accessible than they would be if they were only located within your office. Hardly any business that considers itself small- or medium-sized could afford to maintain the highly available and redundant infrastructure that exists in the Cloud and other data centers. The power and connectivity capabilities within these sites are truly impressive. They are all designed to ensure uptime and availability, regardless of what may be happening.

While the above addresses the systems your teams use every day to accomplish their goals, telecommunication requirements are often overlooked. It’s equally important to make sure callers are able to call your organization and get through to someone throughout an extreme event, be it weather, natural disaster or other. Having a redundant telecommunications infrastructure will further ensure your customer experience is consistent through any event that might otherwise negatively impact the business.

If you or your teams experienced any issues during this last storm, that should be a clear sign you need to review how your company is structured to ensure employees, customers and business partners are able to continue to work together and support one another, regardless of environmental or other events that would otherwise interrupt this. Make 2018 the year that your business embraces truly high availability and redundancy.