MyFitnessPal Data Breach


MyFitnessPal, the popular exercise and food tracking platform from Under Armour, has announced a data breach.  If you are a MyFitnessPal user, you should have received the following email over the last 24 hours.  I have highlighted in red the action steps that are recommended in response to this breach.



To the MyFitnessPal Community:

We are writing to notify you about an issue that may involve your MyFitnessPal account information. We understand that you value your privacy and we take the protection of your information seriously.

What Happened?

On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts.

What Information Was Involved?

The affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.

What We Are Doing

Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities.

We are taking steps to protect our community, including the following:

  • We are notifying MyFitnessPal users to provide information on how they can protect their data.
  • We will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately.
  • We continue to monitor for suspicious activity and to coordinate with law enforcement authorities.
  • We continue to make enhancements to our systems to detect and prevent unauthorized access to user information.

What You Can Do

We take our obligation to safeguard your personal data very seriously and are alerting you about this issue so you can take steps to help protect your information. We recommend you:

  • Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.
  • Avoid clicking on links or downloading attachments from suspicious emails.

For More Information

For more information, please go to


Paul Fipps
Chief Digital Officer

Are You Aware of our National Cybersecurity Emergency?


First, sorry for the brief hiatus in posts.  I took a last minute mini-vacation with my wife and forgot to post an update to that effect.  So, time to get back to blogging.

This week, President Trump extended the state of national cybersecurity emergency in response to malicious attacks that continue to pose an extraordinary threat to the United States.  This extends the national cybersecurity emergency that was implemented by President Obama on April 1, 2015.  It was due to expire on Sunday.  President Trump’s order is for a one-year extension, which is a very good thing.

The original order was in response to growing cyber attacks that have been tied to various malicious actors, including nation states.  The primary response mechanism of the order is sanctions, including freezing assets of known bad actors that are in or pass through the United States.  This responsibility falls to the Department of the Treasury, which has levied sanctions on individuals and governments under this order.

Unless you have been living under an extremely large rock, you should be well aware of the hacking activity of foreign powers that seek to disrupt our economy and weaken our nation.  In announcing the extension of the order, the President said that “significant malicious cyber-enabled activities continue to pose an unusual and extraordinary threat to the national security, foreign policy and economy of the United States.”

I’m glad to see this order extended and the continued spotlight on these issues.  This is not a simple problem to solve.  More damage is likely to be done.  Stay vigilant protecting yourself and your business online.

CompTIAWorld Spring 2018


CompTIA has just released the spring edition of CompTIAWorld.  This is a twice-a-year publication that CompTIA puts out and it’s full of great insight into the state of the IT industry, trends, and new and emerging technologies.  There is a wealth of information in each issue and if you are in the IT industry, you should be reading this.

Check out the current issue here:

CompTIAWorld Spring 2018



Should You Dump Facebook?


Probably not.

I’ve been holding off on posting about the Facebook/Cambridge Analytica mess.  Clearly it’s a mess and both firms are struggling to explain themselves.  Should users be surprised?  Absolutely, positively not.  This was bound to happen.  If not with these two, with other companies.  The number of users, the volume of data and the level of activity on social media platforms are massive, and it was only a matter of time before they were misused like this.  Was Facebook complicit?  It doesn’t sound that way, but as we learn more, it’s certainly possible.  Was Cambridge Analytica in the wrong?  That looks far more likely, but it’s still early and this is a very charged topic, so theories are rampant and varied.  Here’s what is known at this moment.

Facebook has allowed outside developers to create apps, games and quizzes on its site.  These all use your Facebook identity to establish who you are, and some pass a lot of your profile data back to the developer.  Have you ever answered a quiz asking you to name all the states in the US you have visited?  Ranked your favorite movies, or used the “Login with Facebook” button to log in to another site or app so you didn’t have to take the time to set up a new account?  If you have, you’ve exposed your Facebook profile, the entire thing, to some of these apps, developers and sites.  That’s why I previously posted a caution, “Those Fun Facebook Lists Could Pose Risk.”

This is how Cambridge Analytica harvested Facebook user data.  A personality test was developed on the Facebook platform and 270,000 users granted permission to this app to view and gather data from their profiles.  From that, data was also grabbed from 50 million users who were friends of the 270,000 who took the test.  This is because when those original 270,000 users allowed the personality test to access their profile data, they also allowed it to access their friends’ data.  This is the root of the problem.  It spread like wildfire, jumping from profile to profile, gathering data that we now believe was used to influence the 2016 Presidential Election.

It has taken Facebook several days to more fully respond to this.  Rightly or wrongly, they took time to understand the nature and scope of the issue before making official comments, which came over the last 24 hours.  Facebook acknowledges they failed to protect their users’ privacy.  As early as 2014, Facebook implemented controls to prevent something like this from happening, but this event predated those enhancements.  Facebook has promised to audit all entities that had access to data before these new controls were in place.  Any entity that does not comply with the audit will be banned from Facebook.  That’s a good start to make things right and restore users’ confidence in their privacy.

Love it or hate it, Facebook does serve positive purposes.  While there is no doubt there is a lot of negativity on Facebook in many forms, the vast majority of users use it for good, whether keeping in touch with friends and family far and wide, or sharing useful information like this blog post.  The good outweighs the bad and Facebook will be better moving forward.  Many challenges lie ahead, not the least of which is an investigation by the Federal Trade Commission (FTC) and a class-action lawsuit alleging that Facebook did not adequately protect user data.

If you want to stay on Facebook, here are some things you should do to better safeguard your Facebook profile.

  1. Check how many apps have access to your Facebook data.
    1. Click the drop down arrow next to the help question mark and go to Settings.
    2. Click on Apps in the left hand column.  Be sure you click Show All.  I bet you’ll be surprised to see how many apps have access to your profile.
    3. Hover over each app and click the x to remove it or the pencil to edit permissions.  If an app says Only me, you’re in pretty good shape.  If an app says Friends, it can grab their data through you.  That’s not good.
  2. If you don’t want any apps to have access to your profile at all, scroll down a bit and click the Edit button under Apps, Websites and Plugins and click the Disable Platform button.  Before you do, be sure you read what this will change, as your online experience will change, not just on Facebook.
  3. Scroll a bit further and click the Edit button under Apps Others Use and here you can really restrict what apps can see about you.

These few simple steps will limit what apps can collect about you and your friends, and allow you to continue to use Facebook with less risk of others getting more information than you intend.

Don’t Get Fouled Out by March Sadness


March Madness is here and the brackets were busted up pretty well by the early upsets. With the Sweet 16 set, March Madness is in full swing and so are the hackers who want to take advantage of it.


Be on the lookout for phishing email trying to get you to go to fake web sites that are copies of the legitimate ones.  These are sites that cover the brackets and stream the games.  The phishing is all designed to get you to expose your username and password so the hackers can use them to gain access to your network or to other sites where you use the same credentials.


Be aware of how many of your users are going to March Madness web sites during this time of year.  It’s not uncommon to hear complaints about the network being slow that turn out to be tied to numerous users streaming games at work.  This is exactly what the hackers are hoping to find, so be cautious.  Only use sites you have verified are legitimate.  Be skeptical of apps that you are encouraged to install to follow the madness, and be sure these are legitimate as well.  Otherwise March Madness will turn into March Sadness in the time it takes to dribble the ball and get fouled.

Why Default Spam Filters Are Not Enough


The following was published in today’s Foster’s and Seacoast Sunday.

Whether you connect to an on-premises email server or use cloud-based email services like G Suite or Office 365, if you rely on the built-in spam filtering that comes with your mail service, you are leaving yourself exposed to email-borne threats.

Microsoft Outlook users who rely on the built-in junk mail features face the same lack of truly robust spam filtering. Here’s why.

Most built-in spam filtering technologies use basic methods to identify what may be spam. This often lets spam through while legitimate email messages are flagged or outright deleted. An effective corporate spam filter layers multiple techniques and technologies to keep you safe from email-borne threats of all types, not just spam. These systems also layer in additional security features that are not part of built-in spam filtering solutions.

A robust corporate spam filtering solution should block the majority of spam destined for your inbox, preventing it from reaching your mailbox, as opposed to simply moving it to a junk folder within your mailbox. The key concept here is in preventing the spam from even getting to your email server, whether on-premises or hosted. It should provide a daily report of everything it captured as spam, so you are able to release anything legitimate that was caught. Most will even allow you to get a notification in real time whenever your spam filter traps a spam email. It should also provide inbound and outbound spam protection to alert your IT team should someone on the corporate email system become infected with malware that tries to send spam from a corporate email account. It happens.
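The outbound side of that protection, as an added example that is not from the original article or from any filtering product: a small Python detector that reads gateway-style log lines and flags an internal account that suddenly mails an unusual number of distinct external recipients within a short window, which is what a malware-hijacked mailbox looks like from the outside. The log format, the example.com corporate domain, the sample log lines and the thresholds are all assumptions constructed for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed corporate domain; mail to it is internal and is not counted.
INTERNAL_DOMAIN = "example.com"

# Constructed sample gateway log, one "<ISO timestamp> <sender> <recipient>" per line.
# Alice behaves normally; Carol's account mails 25 external addresses in 25 seconds,
# the signature of a mailbox that malware has taken over.
SAMPLE_LOG = "\n".join(
    [
        "2018-03-18T09:00:01 alice@example.com bob@example.com",
        "2018-03-18T09:05:12 alice@example.com partner@supplier.test",
        "2018-03-18T09:30:00 carol@example.com dave@example.com",
    ]
    + [f"2018-03-18T10:00:{i:02d} carol@example.com victim{i}@mail.test" for i in range(25)]
)


def parse_log(text):
    """Turn log lines into (timestamp, sender, recipient) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt = line.split()
        events.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower()))
    return events


def detect_outbound_bursts(events, window=timedelta(minutes=10), max_external=20,
                           internal_domain=INTERNAL_DOMAIN):
    """Return {sender: details} for every account that mailed more than
    max_external distinct external recipients inside any sliding window."""
    per_sender = defaultdict(list)
    for ts, sender, rcpt in events:
        if rcpt.rsplit("@", 1)[-1] != internal_domain:
            per_sender[sender].append((ts, rcpt))

    alerts = {}
    for sender, sends in per_sender.items():
        sends.sort()
        in_window = deque()     # (timestamp, recipient) pairs still inside the window
        recipients = Counter()  # distinct external recipients inside the window
        for ts, rcpt in sends:
            in_window.append((ts, rcpt))
            recipients[rcpt] += 1
            # Age out sends older than the window (the current send always stays).
            while ts - in_window[0][0] > window:
                _, old_rcpt = in_window.popleft()
                recipients[old_rcpt] -= 1
                if recipients[old_rcpt] == 0:
                    del recipients[old_rcpt]
            if len(recipients) > max_external and sender not in alerts:
                alerts[sender] = {
                    "window_start": in_window[0][0].isoformat(),
                    "distinct_external": len(recipients),
                }
    return alerts


if __name__ == "__main__":
    for sender, info in detect_outbound_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {sender}: {info['distinct_external']} external recipients "
              f"since {info['window_start']}")
```

The threshold should be tuned per organization: a sales team that legitimately mails fifty prospects an hour needs a higher limit than an accounting group, which is the same "one size does not fit all" point made below about inbound settings.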

Other features of a robust corporate spam filtering solution include detailed logging and reporting, and the ability for users to tune their personal settings for optimal protection. One size does not fit all when it comes to spam filtering. Most email administrators will set up a default filtering level that will work for most people, but allow individual users to fine tune settings to their needs.

Continuity and disaster recovery are another set of features. The key to effective continuity is to ensure email flows even if internet access is lost, or if your corporate email system is down. Effective email continuity allows you to continue to send and receive email, which prevents any sender from receiving a bounce message that your mailbox is unreachable. Another key to this type of service is that it is seamless to the user, available via a web portal or within the mailbox they work with daily.

Disaster recovery extends the continuity service to maintain email communication through some form of disaster that would otherwise take these services offline. By leveraging geographically dispersed data centers to run these services, providers of these services can maintain their services through local internet, power or other outages, including something as extreme as a fire that destroys an office. Once normal services are restored, the disaster recovery service will seamlessly switch back and deliver all email received during the outage back to the primary system.

A concept often referred to as sandboxing is another advanced feature. In effect, when a user receives an email with an attachment, that attachment is removed from the message, moved to a sandbox and tested for any threats. If the attachment is safe, it is returned to the original message and that message is delivered to the intended recipient. If the attachment is not safe, it is stripped from the message and the recipient is notified of the threat. This is an effective defense against malware and ransomware, where an attachment carries a malicious program or link that, when opened, infects the user’s computer. This type of active, inline testing is among the most effective defenses against this type of threat.
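The detach, test, reattach-or-strip flow just described, as an added example written for this page rather than taken from any gateway product: it parses a MIME message with Python's standard email library, hands each attachment to a scan function, rebuilds the message with only the clean attachments, and appends a notice naming what was removed. The sample message, the sender and recipient addresses, and the `sandbox_scan` function are constructed for the example; a real gateway would replace `sandbox_scan` with a call to an actual sandbox and wait for its verdict.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample():
    """Constructed inbound message: a harmless PDF plus a disguised executable."""
    msg = EmailMessage()
    msg["From"] = "sender@supplier.test"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed harmless content",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00constructed fake executable",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    return msg.as_bytes()


def sandbox_scan(filename, data):
    """Stand-in for the sandbox verdict (assumption: a real gateway detonates the
    file and waits).  Here the checks are a dangerous-extension list and the 'MZ'
    signature every Windows executable starts with, so a double extension like
    invoice.pdf.exe is caught either way."""
    dangerous = (".exe", ".scr", ".pif", ".js", ".vbs", ".bat", ".cmd", ".hta")
    if filename.lower().endswith(dangerous) or data.startswith(b"MZ"):
        return "malicious"
    return "clean"


def process_message(raw, scan=sandbox_scan):
    """Detach every attachment, scan it, and rebuild the message with only the
    clean ones; the recipient is told which attachments were removed.
    Returns (rebuilt EmailMessage, [(filename, verdict), ...])."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []  # (filename, verdict) for the gateway log
    kept = []    # (bytes, maintype, subtype, filename) to reattach
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True)
        verdict = scan(name, data)
        report.append((name, verdict))
        if verdict == "clean":
            kept.append((data, part.get_content_maintype(),
                         part.get_content_subtype(), name))

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    removed = [name for name, verdict in report if verdict != "clean"]
    if removed:
        body += ("\n\n[Mail gateway notice: attachment(s) removed as unsafe: "
                 + ", ".join(removed) + "]")

    out = EmailMessage()
    for header in ("From", "To", "Subject"):
        if msg[header]:
            out[header] = str(msg[header])
    if removed:
        out["X-Sandbox-Verdict"] = "stripped: " + ", ".join(removed)
    out.set_content(body)  # body first: set_content is refused once parts exist
    for data, maintype, subtype, name in kept:
        out.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return out, report


if __name__ == "__main__":
    delivered, verdicts = process_message(build_sample())
    print(verdicts)
    print(delivered.as_string())
```

Rebuilding the message rather than editing the original in place is deliberate: it also drops any hidden parts, odd headers or malformed MIME structure the sender included, which is part of what a gateway sandbox is for.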

Finally, email encryption and archiving are integral parts of a complete solution. So much communication takes place via email that it is easy to email protected information, be it personal, health related or financial. Email encryption can prevent this information from being sent via email, or automatically encrypt it, when found, to protect the information. If you are a regulated entity in the health care or financial space, this is critical to have in place. Regulators are continually cracking down on this and fines are becoming quite steep for violations.
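The "prevent it from being sent, or automatically encrypt it" decision is a data loss prevention rule sitting in front of the encryption step. As an added example, not from the original article or any product, here is that rule in Python: it looks for payment card numbers (validated with the Luhn checksum so random digit runs such as order numbers are not flagged) and US Social Security numbers, then maps each category to block, encrypt or deliver. The policy table and the three sample messages are constructed assumptions.

```python
import re

# Assumed policy: what to do with a message in each category.
# "block" outranks "encrypt", which outranks plain delivery.
DEFAULT_POLICY = {"card": "block", "ssn": "encrypt"}

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN with structurally impossible area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:       # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit runs that look like card numbers AND pass the Luhn check."""
    hits = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text, policy=DEFAULT_POLICY):
    """Return (action, findings) where action is 'block', 'encrypt' or 'deliver'."""
    findings = {"card": find_card_numbers(text), "ssn": SSN_RE.findall(text)}
    actions = {policy[category] for category, found in findings.items() if found}
    if "block" in actions:
        return "block", findings
    if "encrypt" in actions:
        return "encrypt", findings
    return "deliver", findings


# Constructed sample outbound messages (not real data).  The order number is 13
# digits long but fails Luhn, so it is delivered untouched.
SAMPLES = {
    "order": "Your order 2018031812345 shipped today, tracking to follow.",
    "phi": "Patient SSN 123-45-6789 is on the attached intake form.",
    "card": "Charge it to my card 4111 1111 1111 1111, exp 12/22.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        action, found = classify(body)
        print(f"{name}: {action} {found}")
```

In a real deployment the same rule runs over attachments as well as the body, and the "encrypt" action hands the message to the encryption service rather than just labelling it; the classification logic is what matters for getting the false-positive rate low enough that users stop trying to route around it.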

Email archiving keeps a copy of every message sent and received. This may be for convenience, as in not maintaining a large mailbox of everything you send and receive, or for compliance. In the case of convenience, it is far easier to search an email archive for older messages than it is to maintain them within your day-to-day email program. For compliance, archiving retains messages for a defined period of time to meet regulatory requirements around reproducing communication threads. This is often referred to as eDiscovery. If you are subject to SEC, NASD, IDA, HIPAA, SOX, FRCP or other retention requirements, you are required to have this in place.

Hopefully, this will help you ensure you have more than just a basic spam filtering solution in place. It’s important to understand everything that a solution like this should encompass, not just to keep you safe, but also to keep you compliant.


Recap: CyberSecure My Business Webinar



Last week, I posted about a Free CyberSecure My Business Webinar that took place this past Tuesday, March 13th.  I wanted to follow up that post with a quick summary of what was presented on the webinar.

The webinar was presented by the National Cyber Security Alliance.  Presenters were from the National Institute of Standards and Technology, security vendor Trend Micro, the Small Business Administration and the Michigan Small Business Development Center.

The presenter from NIST focused on the five major functions of the NIST Cybersecurity Framework.  The NIST framework is the de facto standard for defining cybersecurity needs.  The five functions are as follows:

  1. IDENTIFY assets you need to protect.
  2. PROTECT assets and limit impact.
  3. DETECT security problems.
  4. RESPOND to an incident.
  5. RECOVER from an incident.

The presenter from Trend Micro talked about a new phenomenon they have termed the “Double Whammy.”  Essentially, this is when one cyberattack actually masks another and the second attack is the one that is designed to do the actual damage.  Another key point the presenter made was that if you get infected with malware, you can’t be confident that you’ve removed it all.  Your best bet is to replace the machine.  The presenter also pointed to the website where some of the major cybersecurity companies have collaborated to publish decryption keys for known ransomware outbreaks.  Of course, the bad guys develop new ransomware faster than the site can keep up with, but this is a good start at what amounts to a crowdsourced defense.

The presenter from the SBA shared the wealth of cybersecurity resources that the agency makes available to businesses.  He made a point to reference the SBA’s Social Media Cyber-Vandalism Toolkit, to help people maintain a safe social media presence for themselves and their businesses.

The presenter from the Michigan Small Business Development Center showed a web site they have put together to help their constituents address cybersecurity concerns.  This is part of local outreach activities that the SBA supports.

He also shared the following bullets, which are great reminders for any response to a cybersecurity incident.

Process to Follow:

  • Identify
  • Contain
  • Investigate
  • Remediate
  • Communicate
  • Review Lessons Learned

People to Notify:

  • Cyber Security Expert & IT
  • Employees
  • Customers
  • Partners
  • Vendors
  • Attorney
  • Law Enforcement

Technologies to Help Mitigate Risk:

  • Encryption (full disk, files, folders, email, VPN)
  • Multi-Factor Authentication (MFA, 2FA)
  • Mobile Device Management (MDM)
  • Data Loss Prevention (DLP)
  • Security Information and Event Management (SIEM)
  • Intrusion Prevention/Intrusion Detection Systems (IPS/IDS)

Key Takeaways:

  • Have a Business Continuity Plan
    • Incident Response Plan
    • Disaster Recovery Plan
  • Identify Key Assets
  • Choose Protection Based On:
    • Budget
    • Industry Requirements
    • Capacity
    • Legal Restrictions

I know there is a lot of information in this post.  If you were not able to make this webinar, I wanted to share a good summary to help you review your own cybersecurity posture.  Please check the links and leverage this great content to help improve your cybersecurity.  Stay Safe Online.

Staying Connected When Winter Weather Hits


With the snow still coming down, it reminded me that Onepath published a great blog post about today’s storm.  You can check out the post on Onepath’s website here or read on below for a copy of the post.


New Englanders faced yet another major winter storm just days after Quinn left three feet of snow in some areas. As folks in the northeast continue digging cars out of snow drifts, many are still trying to figure out how they can get their work done (or keep their business running) while stuck at home. In fact, most of our Onepath colleagues working out of our Massachusetts, Rhode Island, and New Hampshire offices already had to work remotely last week, and many are stuck at home and away from their physical office again this week.

Fortunately, Onepath has tools in place to keep all our employees connected to each other, to our clients, and to the systems and data they need to stay productive. The evolution of the cloud and the ecosystem of platforms and apps that developed around it, gives organizations the ability to build robust networks that can be utilized anywhere. It’s no longer just email and messaging apps; it’s a complete system allowing people to engage their coworkers and clients in just as meaningful a way as if they were in the office.

When planning our IT infrastructure, we identified areas that are mission critical for our teams to continue working without interruption. For us that was the ability to remotely access client data, use all our software, share files, receive or forward phone calls to our computers or cellular phones, message one another on the fly, and have face-to-face or screen-sharing meetings. While we can’t turn around in our chair or walk down the hall to have a meeting or conversation, we can get pretty close with all our collaborative tools.

Here’s a look at a few of the things that Onepath is using to stay connected during this storm without missing a beat.

Tools We’re Using to Successfully Work From Home

CRM. All of our client data sits in a cloud-based CRM system. It functions as a great deal more than just a database, though. Our clients use the system as well, so we can quickly and easily share information and communicate with each other.

Office 365. No remote workforce would be complete without cloud-based office productivity software! We’ve got the full suite of Microsoft’s ubiquitous apps. And everything is backed by OneDrive, which not only keeps our files stored in the cloud, but also allows for easy sharing and collaboration with other users.

SharePoint. We utilize SharePoint as a file server in that we have file versioning, uploads, security groups, and a single place where we can upload, store and share files, templates, and documentation.

VoIP System. Our phone system operates over the Internet, so no one is tied to a physical phone device. Employees can make and receive calls from their laptops and mobile devices, so we are reachable just about everywhere. Helpdesk or support phone calls coming in our main numbers are rerouted to the support teams on their computers or cell phones at home.

Skype for Business. We use Skype primarily as an instant messaging tool, but it also works for video chats. And like our phone system, Skype works on a variety of devices.

WebEx. Skype works well for video chatting with small groups. If we have a lot of people or are doing a presentation, though, we use the web conferencing tool WebEx. We can share PowerPoints or our screens as if our colleagues were looking at a screen over our shoulder.

This is just a handful of the tools we leverage to keep us connected, and there is an ever-growing list of alternatives to each of them, all with various pros/cons and price points. The key for our New England IT team’s ability to temporarily transition from an onsite workforce to an offsite one, was preparedness. When planning for the future of your IT infrastructure, be sure to select flexible and cloud-based technology solutions that allow for at-home workers to be productive and keep your business running — whether your staff is working from home by choice or by storm.

OK Waze!


As you may know, I’m a big fan of Waze.  I use it every day and use it instead of my vehicle’s built-in navigation as it’s more up to date and reliable, not to mention offers a wealth of additional features that I value.

Recently, the Google team updated Waze to respond to voice commands.  If you go into “Settings,” then “Sound & voice,” then “Talk to Waze” and enable “Say ‘OK Waze’,” you can speak to Waze in a completely hands-free experience.

When this was first released, it was flawed.  When your smartphone is connected to your in-car Bluetooth and this feature is enabled, the first time you say “OK Waze,” Waze took over your in-car audio system.  Once you issued that verbal command, your in-car microphone remained engaged so that you were no longer able to use any of your in-car entertainment options.  This was not good.

I’m pleased to see that Waze has released an update so that this no longer takes place.  Waze now uses the smartphone microphone to listen for your “OK Waze” command and then allows you to speak to Waze through your in-car Bluetooth, as if you are on a phone call.  Once you are done, control is passed back to your in-car entertainment system and Waze returns to listening via your smartphone microphone.  This is perfect!

Here is how this works.  I’m driving with Waze up on my smartphone and the radio on.  I see a car stopped on the side of the road.  I say “OK Waze” and the radio goes silent and Waze goes into listening mode.  I say “Report vehicle stopped on shoulder” and Waze repeats my request and asks me to approve.  I say “yes” and Waze notes my report on the map at the point I first said “OK Waze.”  This contrasts with no fewer than five taps on the screen to accomplish the same thing, which is not at all safe and a violation of many states’ hands-free laws.

To be fair, there is also a setting you can enable so that when you tap with three fingers on the screen Waze would listen for voice commands.  However, not having to touch or look at the smartphone at all is the best and safest method.

Well done Waze!  Keep up the innovation with a constant focus on user safety.

Free CyberSecure My Business Webinar


I received the below message today and wanted to share it on my blog.  The National Cyber Security Alliance does a great job putting free educational material out to the public.  This free webinar covers a very important and timely topic:  “Know What Recovery Looks Like.”  In light of the strong winter nor’easters that have hit hard along the eastern seaboard this week, a lot of businesses will benefit from this webinar.

I encourage you to sign up for this webinar.

