DocuSign Hacked, Exercise Caution

Last week DocuSign, one of the market leaders in online eSignatures and contract execution and management, announced that it had discovered a data breach.  The result?  A targeted phishing campaign that uses social engineering based on the breached data to trick people into executing a document that is not a real DocuSign document.

If you are not familiar with DocuSign, here is an excerpt from their About Us page on their website.  “DocuSign® is changing how business gets done by empowering more than 300,000 companies and 200 million users in 188 countries to sign, send and manage documents anytime, anywhere, on any device, with confidence.”

The phishing attack, which DocuSign acknowledges, targets those who have used DocuSign to sign and execute contracts in the past.  It does this using data obtained from the breach.  Through social engineering techniques, users are tricked into activating macro code in an attached Word document that loads malware onto the victims’ computers.

An important thing to note is that DocuSign never sends attachments or asks the recipient to open an attached file.  That should be an immediate red flag.  If you have used the system, you know that the document you are being asked to sign in the DocuSign system is presented within your web browser over a secure SSL session.  You “sign” the document online and are then presented with the option to download a PDF copy of your signed document.  This should be an easy phish to spot, yet people are falling victim to it.
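As an added illustration of the red flag described above (example code written for this post, not DocuSign’s or KnowBe4’s), here is a small Python triage rule that quarantines mail claiming to be from DocuSign whenever it carries an attachment or the “enable editing” lure; the sample messages, sender addresses and attachment bytes are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Word document types used as the lure: the macro payload runs once the
# recipient clicks "Enable Editing" / "Enable Content" in Word.
WORD_TYPES = {
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.ms-word.document.macroenabled.12",
}
LURE_PHRASES = ("enable editing", "enable content", "enable macros")


def triage_docusign_mail(raw):
    """Return findings for one RFC 5322 message (string form).

    Rule from the post: a genuine DocuSign envelope is signed in the browser
    and never arrives as an attachment, so "claims DocuSign" combined with
    "has an attachment" (or the macro lure text) is enough to quarantine.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    header_text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    claims_docusign = "docusign" in header_text

    attachments = [(part.get_filename() or "", part.get_content_type().lower())
                   for part in msg.iter_attachments()]
    word_attachment = any(ctype in WORD_TYPES
                          or name.lower().endswith((".doc", ".docm", ".docx"))
                          for name, ctype in attachments)

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    lure_text = any(phrase in text for phrase in LURE_PHRASES)

    return {"claims_docusign": claims_docusign, "attachments": attachments,
            "word_attachment": word_attachment, "lure_text": lure_text,
            "quarantine": claims_docusign and (bool(attachments) or lure_text)}


def build_sample(with_attachment):
    """Constructed sample message; addresses use the reserved .invalid TLD."""
    m = EmailMessage()
    m["From"] = "DocuSign <dse@example.invalid>"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "Completed: Please review and sign your document"
    if with_attachment:
        m.set_content("Open the attached Word file and click Enable Editing "
                      "to view your document.")
        # Constructed placeholder bytes, not a real document or macro.
        m.add_attachment(b"\xd0\xcf\x11\xe0 constructed placeholder",
                         maintype="application", subtype="msword",
                         filename="Document.doc")
    else:
        # What a legitimate envelope looks like: a link, no attachment.
        m.set_content("Review the document in your browser: "
                      "https://example.invalid/review")
    return m.as_string()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_docusign_mail(build_sample(flag)))
```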

Here is a recommendation that has been put out in collaboration with KnowBe4, our partner in helping to educate our clients about risks like this:

“Hackers have stolen the customer email database of DocuSign, the company that allows companies to electronically sign documents. These criminals are now sending phishing emails that look exactly like the real DocuSign ones, but they try to trick you into opening an attached Word file and click to enable editing.

But if you do that, malware may be installed on your workstation. So if you get emails that look like they come from DocuSign and have an attachment, be very careful. If there is any doubt, pick up the phone and verify before you electronically sign any DocuSign email. Remember: Think Before You Click.”

Simple but important advice: always verify the source, especially when you receive something you were not expecting.

DocuSign maintains a good site regarding their security posture at https://trust.docusign.com.  I recommend you keep watch on this site if you are a regular DocuSign user.


Microsoft Authenticator App - The New 2FA Kid on the Block

In yesterday’s post, I talked about two-factor authentication, why it’s important, and how it is supported virtually anywhere you log on.  I did not mention Microsoft’s Authenticator app, which is a newer option and one that is gaining momentum and support.

Last night, I came across an article that highlighted some of the new capabilities of the Microsoft Authenticator and this has prompted me to post this update.

The Microsoft Authenticator is quite similar to the Google Authenticator app.  And in true rival fashion, Google and Microsoft continue to one-up one another, and right now it appears Microsoft has moved into the lead.

The latest features available in the Microsoft Authenticator allow you to use your Microsoft Account without having to enter your password and then the Authenticator code that is generated.  Instead, when you enable multi-factor support for your Microsoft account, you have the option to set the default logon action to notify you via the Authenticator app on your smartphone and approve the logon from your smartphone.

Especially if you have multiple Microsoft accounts, this is a huge time saver as well as considerably more secure.  With more people using Office 365 and other Microsoft Cloud services like Azure, this will make navigating the Microsoft Cloud ecosystem considerably more efficient.

This type of push notification for logon approval is becoming more common.  Like other authentication apps, you can scan QR codes to enable the Microsoft Authenticator as your 2FA choice on sites like Facebook and yes, Google.

With all these developments in the 2FA space, you can expect to need to use multiple authenticators to secure your accounts.  Myself, I use three.  Four if you consider receiving authentication codes via text message another authentication method, which it is.

My current 2FA apps include AuthAnvil, Google Authenticator, Microsoft Authenticator and text message OTPs (one-time passcodes).  What are you using?

Ski Technology at its Finest

While I would love to be talking about the technology in my 2017 K2 Pinnacles, that’s not what this post is about.  However, if you are looking for an incredible all-mountain ski that performs above expectations on both east coast mountains and the Rockies, this is the ski for you…but I digress.

I spent a week skiing in Colorado with a good friend and my son.  The skiing was fantastic, as expected.  What I was pleasantly surprised with was the use of technology on the mountain to make the experience even more pleasant.

We mostly skied at Vail Resorts mountains: Vail, Beaver Creek, Breckenridge and Keystone.  We also skied a day at one of my all-time favorites, Steamboat.  The ticketing systems at both resorts leverage RFID technology to make the experience simple and efficient.

Here is a picture of the RFID card issued at each mountain.

The EpicDay card is Vail Resorts’ card.  You can go online and purchase single or multiple day lift tickets and just pick up this card on your first visit to any of the mountains.  Once you have the card, it just needs to be on your person, somewhere on its own, so the mountain RFID readers can scan and validate your card as you ski.

When at the base lifts on the mountain, lift staff carry a Symbol/Zebra RFID reader and will wave the device in front of you to pick up and validate your ticket.  Once you are up the mountain, there is no longer a need to read the ticket, as you wouldn’t be able to get there without riding a base lift first.  However, every lift still has RFID readers, and they are used for a couple of purposes.  Namely, they keep track of the lifts you ride and they are used to calculate the wait time in the lift line.  Vail Resorts has a mobile app called EpicMix which will track all of this for you.  There are even photographers on the mountain, and they too will use RFID to track your photo ops.  If you hold a season ticket, these photos will automatically post to your Facebook account if you allow that.

At Steamboat, their technology is called QuickTrax and works similarly.  You register the card and it’s good for 3 years.  You don’t have to visit a ticket window again during this time.  You may simply go online, purchase your ticket or tickets and load them to your card so you can walk right to the lift and get to the slopes.

One thing to keep in mind with RFID technology is that you don’t want to have interference issues.  If you have both of these two cards in the same pocket, only one will read and you might have issues getting on the lift if the card that reads is not the mountain you are at.  Credit cards and cell phones may also interfere, so just be sure to have the card in an outside pocket on its own and you should be fine.


Mr. Shoer Goes to Washington

My younger readers probably won’t get the reference in the title of this post.  If you’re that person, Google Mr. Smith Goes to Washington and learn about the classic 1939 movie starring the late, great Jimmy Stewart.  Now on to my post…

CompTIA DC FLY-IN

Businesses like mine are the lifeblood of our national economy. They employ more than half of the country’s private sector workforce.

Internet & Telephone, LLC is proud to be part of the economy. We employ professionals with IT infrastructure expertise and contribute to our local economy through our work with regional and national employers to keep their businesses competitive by leveraging IT as a strategic asset.  We also help our local communities through philanthropic activities and work closely with higher education to provide internship opportunities for students interested in exciting IT careers.

I am thrilled to join forces with fellow IT colleagues to advocate in Washington, D.C., on February 14-15, to speak with Members of Congress about issues that are critical to the future of my business and the overall tech industry. The annual “Fly-In” is organized by CompTIA to advocate on behalf of the tech community.

CompTIA, the Computing Technology Industry Association, represents technology companies of all sizes and is committed to expanding market opportunities and driving the competitiveness of the U.S. technology industry around the world.

Innovation is a key force behind a strong 21st century economy, and our leaders should prioritize issues that affect growing companies like Internet & Telephone, LLC.

While in Washington I will visit Senator Hassan’s, Congresswoman Shea-Porter’s, Congresswoman Kuster’s, Senator Warren’s and Senator Markey’s offices to advocate on tax reform, workforce development, cybersecurity, broadband communications and digital privacy – all are central to our industry. These legislative issues are key ingredients for helping technology firms like mine to become more competitive.

I am particularly looking forward to discussing with my elected officials the importance of:

Data Breach Notification

THE ISSUE:

There is currently no national standard for how a company must notify its customers in the wake of a data breach. Instead, companies must navigate a complex web of 47 different, often conflicting, regularly changing state data breach notification laws in the aftermath of a breach. With the increasingly mobile and decentralized nature of our economy, data storage and dissemination technologies, it can be nearly impossible for companies to determine which state laws apply when a breach occurs. The current regulatory landscape not only places an immense financial compliance burden on businesses, but also delays the process of getting information into the hands of those who need it most: the customers whose data was compromised.

WHAT CompTIA SUPPORTS:

A national standard for data breach notification would provide consumers and businesses with consistency and predictability on how consumer notice must be provided. Until Congress passes a national standard, CompTIA and its membership continue to advocate for the following in breach notice bills:

“Harm” Trigger for Acquired Data: The notification requirement should be triggered when there is a real risk of actual harm, not a theoretical concept that could lead to over-notification about data breaches that aren’t harmful.

No Private Right of Action: Individuals should not be able to sue companies who have suffered a data breach for actions covered by federal data security and data breach notification laws. The businesses who have suffered breaches are victims of criminal activity.

Narrow Definition of “Personal Information”: To avoid over notification of consumers and unnecessary costs, the definition of “personal information” in the legislation should not include information accessible through public records. For example, merely the combination of a name, address and birthday should not qualify as personal information.

Preemption of State Laws: Any federal data security and data breach notification law should preempt State laws and requirements. Without strong preemption language, the compliance burden for small businesses will not be alleviated and the effectiveness of any law would be significantly undermined.

Exemption for use of Technology that Renders Data Unusable or Unreadable: Federal legislation should include an exemption from notification requirements for companies who utilize technologies to render data unusable or unreadable. This exemption should be technology-neutral.

Limits on Financial Penalties: Massive financial penalties are unwarranted, and could force small businesses out of existence. Penalties should be reasonable, and should take into account the size of the company that suffered the breach and the type of data that was accessed.

No Fixed Data Security Requirements: Data security requirements should not be specifically enumerated within the legislation. Instead, the legislation should direct the government to work with industry to develop a set of flexible “best practices.”

No Over-Burdensome Notification Requirements: Data breach notification legislation should avoid overly prescriptive notification requirements. In the event of a breach, companies should dedicate their resources to efforts that most directly notify and protect consumers. Additional requirements, such as those mandating the creation of call centers or the provision of credit reports, would divert resources away from small businesses seeking to protect and inform their customers.

Reasonable Notification Timeframe: Legislation should require a reasonable timeframe for notification, which includes allowances for risk assessment without requiring a specific time limit that must apply to every case.

Take Other Laws into Account: Companies that are subject to other data security and/or breach notification laws, such as HIPAA, Gramm-Leach-Bliley or the Fair Credit Reporting Act, should be exempt from these requirements.

How Do You Handle Inclement Weather?


I know this isn’t exactly a snow storm, but it’s a nice alternative reality.

What does your company do when a Nor’easter is bearing down on you?  Do you close your business for the day or do you have plans to keep operations seamless even during the worst of weather?

Today is a great example and a good opportunity to review your capabilities and possibly make some changes.  It all starts with your back end infrastructure, be it Cloud or on-premise.  Is your infrastructure redundant and able to operate through power outages without interruption?  Are you dispersed across multiple, geographically separated data centers for your public, private and hybrid-Cloud infrastructures?  These are all important considerations.

You want your servers to be configured in high availability clusters, so that if any one component should suffer a hardware failure or software corruption, your standby systems take over immediately and as seamlessly as possible.  This goes for your Internet connectivity as well.  It needs to be redundant, from different carriers and coming in to your physical sites via different paths, to protect against single points of failure like the telephone pole in front of your building.

Are your users versed in working remotely?  Do you have secure Virtual Private Network (VPN) connections available and properly secured?  Do you have Citrix or RemoteApps deployed for users to connect to?  It’s important that users know how to access company systems when working remotely.

It’s also important to determine your company policy with regard to working remotely.  Do you issue company laptops for users to take home, or do you allow users to work on their home PCs?  If you are allowing your users to connect from their home computers, be sure you enforce at least minimal management and security best practices on that computer, so you do not expose your corporate resources to any risk from a home computer that is unmanaged and not monitored for threats.

Don’t forget about the phone.  If you have an IP based phone system, do users have phones at their homes, allowing them to work from home as if they were sitting in the office?  If they don’t, they should.

For me, today will be as productive a day as when I am in the office.  Actually, it may be even more productive as there will not be as many interruptions.  I have a laptop with a secure VPN that allows me to connect to all of our company resources.  I am able to work no differently than if I was sitting in any of our physical offices.  I have a telephone on my desk that also securely connects back into our unified communication system.  My extension works just as if I was at my desk.  I can call my colleagues by extension and speak with them whether they are in the office or at home themselves.  I even have softphone capability on my computer, so that if I were in a hotel or somewhere other than my home, I could still work in the same manner.  I just need to connect a headset to my computer, which can be done wired or wirelessly with Bluetooth headphones.

So, as you can see, a day when it’s not safe to travel to the office does not need to be a lost day.  In fact, it should be just as productive as any day at the office, or possibly even more so.  Enjoy the snowy day!

TripIt is a Great App/Website

If you travel, whether for business or pleasure, check out TripIt, if you are not familiar with it.  It’s one of the best travel apps/websites there is.  It will help you keep track of your travel plans and automatically organize them so you don’t have to worry about keeping all the elements of your travel itineraries on hand as you move from place to place.

If you travel for business, you may wish to subscribe to the Pro version for $49.00 a year.  It’s a bargain.  The free version is very capable on its own, so I recommend you try that out and if you think the Pro features are worth the cost, subscribe.

What I like most about TripIt is that it will automatically import nearly any travel confirmation email from your inbox to the app/website.  You can work with the information via the website or an app on your smartphone, tablet or Apple Watch.

As an example, let’s say you are taking a trip to Washington, DC for the upcoming Presidential Inauguration.  First you book your hotel, then you book your flights and then you book tickets for various things like the Inauguration itself, museums, etc.  TripIt will import your flight and hotel information, including all the important information related to your booking.  They will be placed on the proper date and times for things like hotel check in and out.  Slightly more obscure things like museum tickets may not actually import, but you can forward them to plans@tripit.com and they will show up as an item that needs to be filed, so you can move it to your trip on the day and time you intend to go.

It makes for a smooth and far less stressful trip, especially with the notifications TripIt can provide.  Everything from check in reminders, to connecting flight updates to delays and even tracking your preferred seat for your flights.

There’s even a social media aspect to it, where you can connect with your friends who also use TripIt.  I don’t use that feature very much, but if you are traveling to the same place, it makes it a snap to organize meeting up.  Check it out, you’ll be glad you did.

Gooligan, the Latest Android Security Threat

Google Android remains one of the two dominant mobile software platforms, along with Apple’s iOS.  Android is known to be a more “open” operating system, in that it is not as rigidly controlled as other operating systems.  This has led to concerns that Android is more vulnerable than others.  In some cases, these concerns are justified.

Google’s Play Store has seen several apps compromised with malware.  Gooligan, the latest Android malware, was discovered by the respected security company Check Point.  To date, over 1 million Google accounts have been compromised.  There is a rather unique twist to this threat.  While the account tokens have been compromised, the accounts on Google’s servers appear to be unaffected.  Instead, the malware tricks infected devices into downloading further infected apps in the background, unknown to the user, which then present ads that trick the user into purchasing something, thus paying the people behind the malware.  It does this in part by inflating the download counts of the infected apps, making them look appealing for others to download and buy.  It’s a clever attack vector that leverages the setting that allows applications to be installed from unknown sources.  Simply turning this capability off will defeat Gooligan.

The problem is that many application developers entice users to install their applications outside of the Google Play Store, which requires users to allow installs from unknown sources.  This is the root of the problem.  As is rooting, the process whereby a user can “root” their device, unlocking the operating system to do essentially whatever you may want with it.

As it relates to Gooligan, the good news is that Check Point has a free tool to help you check whether you have been infected with the malware.  Click here to get the tool if you’re an Android user and want to be sure your device is safe.