Goodbye 2020 - you will NOT be missed

In the fall of 2019, a long time friend of 25 years passed away unexpectedly at my former firm. He had taken over most of my duties since my retirement at the end of 2015. Since I was still handling the cybersecurity chores as a part time contractor, I agreed to help out while they decided what to do.

There were two options as I saw it:

1. Contract with a recruiting firm to find someone with the necessary skill set. This would be six-figure position and require someone with broad experience and would be hard to keep at a small firm.
2. Ditch the on-premise hardware, migrate the remaining functions to O365 and Azure, leaving only client based devices and connectivity.

I strongly encouraged them to take option 2 and they did. Now, 15 months later, the task is done. The majority of the time was waiting - waiting for people to go through 20+_years of files and decide what needed to stay or go and where to put it in the cloud.

When the pandemic shutdowns started in April, the firm was not impacted as we had implemented remote working options over 10 years prior. By choosing option #2, they are now truly location agnostic with full redundancy within the Azure fabric. As long as a user has internet connectivity, they will be able to work safely and securely from anywhere.

As 2020 comes to a close, there will be little about it I will miss, but many things to remember.

Is it SAFE?

Before I click on any link or open a file attachment sent to me via email, I have Déjà vu of the 1976 movie Marathon Man, where Dustin Hoffman was continually asked 'Is it safe?' while being tortured. While clicking on an email link may not be as physically painful, the angst involved can be just as real.

So, how does one determine if a link or file is safe?

• First is this email from an entity or person you know?  If not, DELETE!
• If it is a file, were you expecting a file?  If not, DELETE!
• Is it a shortened URL (like those sent via Twitter or in text messages)?  DELETE!
• If it is a link, do you really need to click on that link, or is it just another cat video on YouTube? DELETE (ok, I enjoy ICanHasCheezeburger as much as the next guy, but I type in the web address for my fix)
• If the email is from a financial service provider (bank, Schwab, etc) - the first choice is to open your browser and type in their web address (or use a previously saved shortcut) - or even better, use LastPass to open the website and log you in.

Step 1: Copy the link to your clipboard. To do this, hover your mouse over the link and then RIGHT CLICK (emphasis on RIGHT mouse button click) on the link and select 'Copy'.

Step 2: Open your browser and go to: https://www.virustotal.com
Step 3: Select the URL tab in the center, then click in the 'Search…' box and either press 'CTRL-V' to paste the link you just copied or, right click and select 'Paste…' and then press the ENTER key.

Virus Total (a Google company spinoff) will then check that link against 4+ dozen different scanners. If they do not all come back as ‘Clean’ (the number in the upper Left should be ZERO)– then…DELETE!

For a file attachment do the following:

Step 1: Save the file without opening it to your computer. How you do this can vary based upon your email program, provider – for some, there is a small arrow you click on and select ‘Save As’. In Gmail, if you hover your mouse over the filename, the image will change and a down-arrow will appear to Download the file. Select a location and save the file but DO NOT open it.

Step 2: From the Virus Total website select ‘File’, then click on the ‘Choose file’ button.

When you click on ‘Choose file’ a dialog box will open where you can find and select the file. Click on ‘Confirm Upload’.

After the file is uploaded, Virus Total will check it using 50+ different scanners. If the number in the upper left is not ZERO, then DELETE!

Another useful tool/website that I use for checking links is called URLScan (https://urlscan.io). This works in the same manner as VirusTotal, but it also will show you a thumbnail of the webpage which can be helpful as well as a lot of the technical info to tell what this site is really doing.  

Paste the link into the search box and then click on ‘Public Scan’

The results are really geeky and technical and will look like the following –

This tool contains a lot more technical info that may not be as helpful to most, so start with VirusTotal and if you still have concerns, check it on URLScan.

If this seems a bit inconvenient…it is. That is the nature of security. But the consequences can be much worse.

If a link is not worth the trouble of taking 30 seconds to scan it with VirusTotal, can it really be that important?

Spear Phishing

noun: spear phishing

1.    the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.

"spear phishing represents a serious threat for every industry"

The incidence of spear phishing continues to increase. At Henssler, even though our in-bound email is filtered through two different 3^rd party services, well-crafted spear phishing attempts can still make it through. Why? Because it is almost impossible for the filters to tell the fake emails from the legitimate.  These emails are simply requests for routine functions that we perform on a regular basis. What set these apart is the criminals have taken the time to get the correct names, and in some cases format the request in a very believable manner.

We have seen multiple incidences of criminals purporting to be clients and employees trying to fool us into wiring money and changing payroll direct deposit accounts. Some of these have been ‘a cut above’ the usual stuff our staff easily identifies as bogus. Fortunately, thanks to regular employee training as well as policies and procedures designed to confirm and verify these type of requests, none have been successful. However, we are always diligent and attempt to learn from each attempt, as the bad guys need only succeed once, whereas we must get it right 100% of the time.

How the criminals obtain access to this information varies, but it shows a level of sophistication much greater than the average email scam artist. What makes this even more disconcerting is there are international gangs that specialize in these tactics, a few of which have been identified by authorities, but prosecution of cybercrime is extremely difficult and the possibility of recovered assets, almost nil.

The simplest and most effective way for you to protect yourself from these type of attempts is also the most old fashioned - simple one to one contact, either in person or via telephone. However, when using the phone, do NOT rely on a phone number that was provided in the suspicious email, instead look up the number separately. For example, if you receive an email purporting to be from a friend, financial or government representative requesting you to send or electronically transfer money, you should independently verify that request using a phone number you have for that individual. If you do not know them well enough to recognize their voice…should you really be sending them money?

One thing these scams tend to have in common is they try to instill a sense of urgency and when pressed, they have excuses why you cannot reach them through your known contact methods. If you think that you would never fall for something like this… so did many of those exploited by these scams every day, totaling an unknown number of billion$ lost by people throughout the world. [the estimated cost of cybercrime worldwide for 2018 was over $600 billion, the true cost can never be calculated as much of it goes unreported and unidentified ]. 

When in doubt, DON’T send it out!

Privacy does not exist with the Internet

Some may believe that if they restrict their personal use of the Internet they can limit what information about them can be stolen. After all, if we don’t post anything on social media or order anything online, we have nothing to worry about…right? While this might seem logical, unfortunately it is naïve and inaccurate. While judicious use of the ‘Net and following our top 3 things to do / not do will limit your potential direct losses (your mistakes), nothing will protect you from the carelessness of others.

The Equifax hack of 2017 remains the largest publicly known loss of US consumer personal information but there are many others that either do not make national news or more disconcertingly have yet to be discovered.  In late April 2019, independent security researchers discovered a treasure trove of personal information on 80 million Americans freely accessible on the Internet. No hacking skills were required, the information was easily accessible to anyone who wanted to look. (More details here.)

There are thousands of entities worldwide that have been gathering our personal data for decades, long before the World Wide Web (90s) and the value of this data is in the billion$. Information brokers buy, sell and rent this information and unfortunately, some do not protect it very well – or in some cases, at all. While governments may pass laws to try and control it, the reality is that the genie has been out of the bottle for so long, there is no legislation that will force it back in. 

We as consumers and US citizens need to accept that not only will we never know what type of information may have been collected on us (some of which may be inaccurate) we also have no way to know who has this information nor how it may be used. What, if anything can we do? Sadly, very little other than to take the initiative and proactively and regularly monitor what we can. For the average (non-celebrity) the most likely usage of personal information will be to try and steal from you, by either accessing your accounts directly or opening new accounts in your name- and then sticking you with the bill.  Since you cannot STOP them from attempting it nor a vendor from mistakenly allowing them to do so, it is up to you to catch and report it quickly to mitigate the possible loss and damage.

Our mobile devices and the apps on them can track not only what we do but where we do it (sometimes without our knowing it). Google maintains a rather detailed history of everywhere we go and how long we are there and until recently kept that data – forever. While you could manually delete this data, most were unaware of this feature or the extent of the tracking. If you have a Google account I suggest you familiarize yourself with these settings (more details here).  Personally, I do like the information and features provided by this service, but I do want to limit how long it is retained. As such, I welcome this new ability to auto-purge my data.

Recommendations:

1. Create a FREE Credit Karma account OR sign up for one of the paid plans with any of the 3 credit bureaus that will help you monitor your credit. If anyone tries to open an account in your name, either of these should give you a heads up. I do NOT recommend LifeLock
2. Turn on any and all notifications that are offered by the financial services you use (banks, credit cards, stock brokers, etc). If you see something unusual – follow-up. It’s your money and YOUR responsibility.
3. Consider a Credit Freeze or a Credit lock (more information here)
4. If you use Google, review the tracking data they have about you – you may be shocked (and a little freaked out). There are some benefits to it, but everyone should at least be aware of what is being tracked and make a personal decision if it is right for them.

We know our information is ‘out there’ what we don’t know is who has it now nor who will get in the future nor what they may do with it. Take control and responsibility for your digital data by monitoring your accounts.

Just say NO!

Another day, another few hundred million accounts compromised. Facebook is the most recent (as of this writing in late March). This problem has become so common place that it hardly qualifies as news. What is different about this one is that it wasn’t criminals who broke into Facebook and obtained the data, instead Facebook found that this information was left unprotected (unencrypted) and available to Facebook employees and ‘there is no evidence of date’, that the information was compromised. Which is a backhanded way of saying, “We don’t know what the heck happened, we just found these few hundred million accounts lying around and figured it probably wasn’t a good thing.” Do ya think? Oh, and it turns out, this info has apparently been ‘just lying around’ like this …. For YEARS! The only reason we know about it now is due to a whistle blower at Facebook.

The questions that immediately come to mind for me are:

1. How did something like this happen? Several hundred MILLION accounts just ‘lying around’. I doubt Mr. Zuckerberg leaves a few hundred million dollars lying around. A leprechaun, he is not.
2. What else is there just lying around- at Facebook and on other systems? Who is protecting our information?

From a cybersecurity and IT professional viewpoint, this indicates an egregious lack of basic security protocols and – RESPECT for the privacy and confidentiality of your clients. While I would not be surprised to see Mr. Zuckerberg making another trip to Washington for yet another Congressional hearing, let’s be honest – that doesn’t do squat but give some politicians facetime and help them think they are doing something.  One would hope that after the last high profile pillorying, Facebook would have realized their internal systems might just need a bit of an overhaul. Hopefully, the FTC will fine them a few billion after the Cambridge Analytica mess, but even that won’t be enough to move the needle.

What can we do? The only thing that the average individual can do - anyone that has a Facebook account should give serious consideration to deleting their account and just say NO to Facebook. They can only sell, exploit and LOSE what we give them.

Fool me once…

Who is watching whom?

With the advent of the ‘Internet of Things’ IoT (internet connected devices), the average consumer is likely to have multiple devices in their home, office or on their person that is capable of surreptitious surveillance and not be aware of it. One of the more high profile examples of this was the recent Apple FaceTime bug that would allow anyone to activate the microphone and camera in your iPhone or iPad without your permission. While Apple released a patch for this bug within a few days of it being made public, how long this bug existed and may have been exploited, is unknown. If you have an Apple device, please make sure you have installed this update and if you do not use FaceTime, disable it.

Unfortunately, the FaceTime bug is just one of the many exploits that we know about. Any internet connected OR wireless device (think baby monitor) in your office, home, car, coffee shop or on your person is vulnerable to be exploited. To make this problem worse, some of these devices come pre-configured for ease of installation with default settings that either cannot be changed or the user does not bother to change. This allows anyone with a very basic knowledge to gain access to and control those devices. Additionally, some of the older devices (3+ years) have very basic (if any) security and do not have the option to be upgraded (built in obsolescence).

So, what does the average consumer do? If you do a web search for ‘how to protect yourself from the internet of things’ you will find a LOT of articles. Unfortunately, most of them use terminology and give recommendations that can be daunting for many.  One of the better articles that gives some common sense advice is this one from Lifehack. While some of these may require enlisting the help of a family friend or local geek, at a minimum we suggest you make an inventory of your connected devices (tip #1), so that you at least know what is at risk and can potentially mitigate your exposure.

Did you know? If you have an Amazon Alexa or a Google Home device, then you have a built-in, always on, microphone (and possibly camera) listening/watching and recording everything within range, 24x7. George Orwell would be so proud! If you have an Alexa and want to really be freaked out, login to your Amazon account and you can review and listen to all of the recordings it has made – and fortunately, delete them. Perhaps Jeff Bezos should pay a bit more attention to his own personal internet security…?

I love technology and have many IoT devices (including Alexa -which I turn off when not in use and restrict to my office), but I always assume that any of these devices has the potential to ‘go rogue’. As such, I am cautious about not only what I use but where I install it, to help me manage the failure points.

Back(up) to the basics

While the primary focus of these articles to date has been on cybersecurity, there is another aspect of protecting your information that is of equal importance – the regular and secure backup of your ‘digital data’ (files, photos, etc).

While hacking gets the majority of the headlines, the average user is more likely to lose some of their important information due to something much more…banal, a simple equipment failure.  Think of those files and photos that are on your home computer and mobile devices – what would happen if they were stolen, damaged or your device simply failed? Do you have a recent backup of this information AND know how to restore it? If so, congratulations as you are in the 10% club. The vast majority of users do not regularly backup their important stuff and when tragedy strikes, they are faced with permanent loss or paying a data recovery service ‘big bucks’ to try and get their stuff back.

If you are using all Apple devices and have everything backed up to iCloud then congratulations, you are a step ahead of most. My only recommendation to you would be to: 

1. Confirm everything important is truly being backed up
2. If you have multiple devices, do a test restore of some random files

Odds are, your photos, music and phone numbers are being backed up as those are handled with minimal user intervention. But what about important files that may be on another device that isn’t connected to iCloud, or physical paper that exists only in a file cabinet in your home? Periodically, do a gut-check – assume your house is destroyed in a fire and all of your contents, including all of your smart devices are lost. Now what?  Not sure, then ask an expert so you know what options are available to you and have a recovery plan. Make sure you know your AppleID/login information so you can purchase a new iPhone, iPad or iMac and quickly begin the recovery process.

For all the myriad of non-Apple or mixed environment users, we (I’m one of you) must do something different for our other non-Apple stuff. If you are a mixed Apple/Windows user, you may want to consider using iCloud to backup your Windows data. While it’s not quite as simple as using it on your i-Devices, it is still pretty straight forward. The only downsides are: 1) it will only back-up files (not applications) and 2) the cost.  The price per GB of data for iCloud is on the high side when compared to other vendors.

Other options:

Google – personally, I save all of my photos to Google, even those on my Apple devices (there’s an app for that!). Why? Because it is unlimited and totally FREE. (high resolution files are downsized but for everyone but photo buffs, this is probably ok. You do have the option to save files of any resolution, but it does count towards your file usage totals).  I also keep all of my regular files in Google Docs (Word, Excel, PDF) – and I can access them from anywhere on most any device.  I also scan all of my important ‘physical paper’ and upload those to Google docs as well.  Another benefit is I can share any of these files and photos with anyone at any time. Google gives you 5GB for free and additional storage is available at a reasonable cost.

What neither Google nor iCloud can do is backup my actual Windows operating system and all of its applications, settings, etc – all that stuff I’ve spent years installing and configuring. To lose that would be a major PITA, so I use a different option for that.

There are a number of cloud based back up options that are both inexpensive and very easy to use. Which one is ‘best’ depends on your particular needs. If you do not have a lot of installed applications on your computer and most of what is important is individual files, then iCloud or Google drive may be sufficient for your needs. If however, you want to backup EVERYTHING on your computer, then consider one of the following:

1. Veeam FREE backup for Windows: https://www.veeam.com/windows-endpoint-server-backup-free.html   This is what I use personally and I have also used their enterprise product for many years. It is truly the best of the best. However, this does require that you create these backups on REMOVABLE media, which you periodically store somewhere else. Why? Because backing up your data onto the same computer doesn’t help you if the event of fire or theft. It is also possible to store this backup in the cloud, if it’s not too large and/or you have a fast internet connection.
2. There are also several cloud based options that can automatically backup everything, even your operating system. The major drawback to this is recovery time. The more stuff you have on your computer the longer to back up and the longer to download/restore in the event of loss. Some also provide an option to send you a recovery device (for an extra fee). This is a recent review of some of the cloud based backup solutions: https://www.tomsguide.com/us/best-cloud-backup,review-2678.html

In summary:

1. Do an audit – identify what you do not want to lose and how much space all of that ‘stuff’ requires.
2. If what’s important to you is just files and photos, then iCloud, Google or any of the cloud based solutions will do a great job.
3. IF you want to backup EVERYTHING on a computer (PC or Mac), then consider Veeam (if Windows) or those cloud based solutions that offer a ‘full system restore’. Don’t forget to review their recovery instructions and save that information somewhere you can find it, if needed.