
Posts Tagged ‘IT security’


The End of the Samsung Galaxy Note 7: Device Explosions Trigger Full Recalls

Tuesday, December 13th, 2016


In a rare move, Samsung fully recalled and discontinued production on its previously well-reviewed Galaxy Note 7 model following several verified cases of the devices catching fire. This unexpected turn of events has left a vacuum in the large smartphone and phablet product space. Businesses often rely on these devices to increase productivity on the go, as they are much easier to haul around than a full-sized tablet or laptop.

What’s going on with Samsung’s Galaxy Note 7?

Samsung issued two recalls on the Galaxy Note 7, the second of which included phones that were sent out to replace the faulty ones in the first recall.

What sets the Galaxy Note 7 apart from other faulty-device recalls is that Samsung has been unable to figure out exactly why these devices are exploding. Samsung initially thought it was a problem with defective batteries from a supplier, but the fires continued with the new models.

This issue is confined to the Galaxy Note 7; the Galaxy S7, Galaxy S7 Edge, and older Samsung smartphones are not affected. However, Samsung has made the news over defective product problems in the past, including washing machines and microwaves.

Consumer Confidence and Recall Fallout

Because of the safety problems with the devices and tarnished branding, Samsung has discontinued the Galaxy Note 7 product line. The FAA banned Galaxy Note 7 devices from airplanes, even when powered down. According to CNET, 40 percent of people surveyed claim they will not purchase another Samsung phone after this debacle. And while the publication notes that this survey may represent a higher share than reality, there’s no question that the brand has been damaged by bad PR.

The same survey reports that around 30 percent of people will switch to iPhones, while the other 70 percent will switch to a different Android manufacturer. While Samsung’s reputation will certainly take a hit from the Note 7 recall, and Android’s market share will dip slightly, claiming it’s “doomsday for Android” is an exaggeration based on market data.

About Lithium-Ion Battery Safety

Lithium-Ion batteries, which are found in just about every device with a rechargeable power source, are prone to catching fire in overheating, overcharging, and physical damage situations. Issues including swollen and punctured batteries can happen to any phone or device using these batteries. Such problems are, of course, a major safety issue, as the devices can burn people and/or start larger fires.

Galaxy Note 7 Alternatives

Even if your employees love their Galaxy Note 7 devices, they’re not safe to use and should be replaced. Several other viable large-form smartphones on the market can replace most, if not all, of the Note 7’s functionality. Android Community recommends the following devices:

  • Samsung Galaxy Note 5 (there was no Galaxy Note 6 model)
  • Samsung Galaxy 7 Edge
  • LG V20
  • Google Pixel XL
  • Xiaomi Mi 5
  • OnePlus 3
  • Huawei P9 Plus
  • ZTE Axon 7

Alternatively, your employees could look at switching to an iPhone 7 Plus or larger Windows Phone device.

For help improving your business IT productivity and guidance in finding the right technology solutions for your company’s specific needs, contact the experts at MPA Networks today.

Hack of 500 Million Yahoo Accounts Reminds Industry to Increase Security Measures

Wednesday, November 23rd, 2016


In September 2016, half a billion Yahoo account users received the bad news that their names, email addresses, phone numbers, and security questions were potentially stolen in a 2014 hack.

According to CNET, the Yahoo hack is the largest data breach in history.

In the wake of a major hack like this one, the only silver lining is a powerful reminder for businesses to review their IT security practices. In the case of the Yahoo breach, hackers can use the stolen information to compromise other employee accounts and further extend the reach of the hack. Here’s how they do it, and what you can do to stop them.

The “Forgot My Password” Reverse Hack Trick

Hackers can steal information from many accounts with the information taken from a single account. If you’ve set your Yahoo email address as your “forgot my password” account for other services, a hacker can use password reset and reminder functions to compromise even more important accounts. Hackers can use stolen security question answers here to obtain other account credentials as well.

The “Same Password, Different Account” Hack

Memorizing a different password for each account is pretty much impossible for the average person. Most people end up using the same password for many accounts. For example, if you own the email addresses “myemail@yahoo.com” and “myemail@gmail.com” and use the same password for both, it’s likely that a hacker who stole your Yahoo password and security questions will try them on the account with the same name on Gmail.

Password Theft Prevention Strategies

Security breach prevention starts with a strategic security plan and a series of best practices:

Account-Specific Logins and Passwords. One way to prevent a hacker from using your stolen username and password on another account is to create site-specific login and password credentials. This is easy to do from memory by adding a site-specific prefix or suffix for each account. For example, your Yahoo and Gmail credentials may be “myemailYHOO/YHOOP@ssw0rd” and “GOOGLmyemail/P@ssw0rdGOOGL” respectively. Alternatively, password managers are an easy way to manage login credentials across accounts and generate random passwords.

Secure the Fallback Account. We’ve previously discussed the security benefits of “two-step verification” as an effective way to keep hackers out of your accounts even if they manage to steal your password or security question answers. Make sure all of your accounts that feature a “forgot my password” function lead back to a “two-step” secured email address.

Update Passwords Frequently. Typically, hackers use your stolen information immediately to access your accounts and steal your information. That’s why frequent password changes are often considered a waste of time. However, the Yahoo hack bucks this trend as the information being released in late 2016 came from 2014.

IT security and password protection are an essential part of doing business in the modern digital world. Contact us today for IT consulting advice for better security practices and managed services assistance to help keep your business’s confidential information safe.

Massive IoT DDoS Attack Causes Widespread Internet Outages. Are Your Devices Secured?

Tuesday, November 1st, 2016


As you probably know already, the United States experienced its largest Internet blackout in history on October 21, 2016, when Dyn—a service that handles website domain name routing—got hit with a massive distributed denial of service (DDoS) attack from compromised Internet of Things (IoT) devices. The day will be known forevermore as the day your home IP camera kept you from watching Netflix.

The writing has been on the wall for a while now when it comes to IoT security: We’ve previously discussed how IoT devices can be used to watch consumers and break into business networks.

This specific outage is an example of how the tech industry is ignoring security mistakes of the past and failing to take a proactive approach in protecting IoT networks.

The Outage

The October outage included three separate attacks on the Dyn DNS provider, making it impossible for users in the eastern half of the U.S. to access sites including Twitter, Spotify, and Wired. This attack was different from typical DDoS attacks, which utilize malware-compromised computers to overwhelm servers with requests to knock them offline. Instead, it used malware called Mirai that took advantage of IoT devices. These compromised devices then continually requested information from the Dyn servers en masse until the server ran out of power to answer all requests, thus bringing down each site in turn.

This outage did not take down the servers hosting the platforms, but rather the metaphorical doorway necessary to access those sites.

Ongoing Security Concerns

According to ZDNet, the IoT industry is, at the moment, more concerned with putting devices on the market to beat competition than it is with making devices secure. IoT devices are notably easy to hack because of poor port management and weak password protection. IoT devices are also known for not encrypting communication data. October’s attack wasn’t even the first of its kind: A 145,000-device IoT botnet was behind a hospital DDoS attack just one month prior.

What You Can Do

MacWorld recommends changing the default security configuration settings on all IoT devices and running those devices on a secondary network. The Mirai malware works simply by blasting through default username and password credentials—so users could have protected themselves by swapping the default “admin/admin” and “password/password” settings. There are also IoT security hub devices available to compensate for IoT security shortcomings.

IoT devices can offer fantastic perks for your office, but the security concerns are too important to ignore. If you’re interested in improving network security pertaining to IoT devices or looking for advice on which IoT devices would benefit your workplace, don’t hesitate to contact MPA Networks today.

Are Comatose Servers Draining Your Wallet and Leaving You Vulnerable?

Tuesday, August 30th, 2016


Those old servers your business no longer uses—and keeps running anyway—are more than just a security risk: They’re hurting your firm’s bottom line.

The term comatose server describes a functional server, connected to a network, that sits idle virtually all of the time. If your business is running three servers, there’s a high chance that at least one of them is a “zombie server.” 

30 percent of all servers are comatose. This means that approximately 10 million servers across the planet are sitting around doing nothing productive.

According to the Wall Street Journal, most companies are better at getting new servers online than taking old servers offline. A managed service provider (MSP) can help your business identify inactive servers and dismantle them, both to reduce costs and improve security.

Security Concerns

A comatose server can be a major security risk for your business. Unlike that shiny new server running the latest software, the old one is likely running a legacy operating system necessary to utilize older applications. These forgotten servers are also unlikely to receive security updates. If hackers are looking to break into your business network, they are going to have an easy time breaching an outdated system with established security exploits. Because even though these servers aren’t being used, they are likely to hold important—or even confidential—information.

Wasting Electricity

That’s not all, says the Wall Street Journal. The 3.6 million zombie servers in the United States are also wasting a staggering 1.44 gigawatts of electricity—enough to power every home in Chicago. While your business’s unused servers are just a drop in the bucket compared to the national problem, you’re still looking at a hefty energy bill to keep a dormant server running over time. If we consider that, on average, electricity costs 12 cents per kWh in the U.S., that means running an 850-watt server costs about $890 a year. Two comatose servers wasting energy for five years total nearly $9,000 in electricity expenses—money your business could save just by flipping a switch.

Hunting for Zombies

An IT consulting service can help your business identify and dismantle comatose servers. The process involves identifying every server your business owns and runs, and determining which ones aren’t being used anymore. Some older servers may not be running domain-name-system software, so they may not show up when searching the network directory—meaning you may need to hunt them down manually.

Of course, it’s unlikely that a smaller firm has more than a handful of servers, so creating a server inventory is often as straightforward as looking at the office server rack. Businesses that have a much larger group of servers to work with may need a network scanning tool to find servers. But remember: The savings and security benefits begin as soon as the comatose servers are turned off.

Password Managers and Recovery Strategies

Tuesday, August 16th, 2016


Secure passwords and recovery strategies are an essential part of doing business in the digital age—and password manager programs can help streamline the process.

Password managers store and, often, automate login credentials for individuals across all secured online platforms for easy, secure, and fast access.

Why You Need It

Password-related IT security is an always-hot topic in the tech world; new reports of password security breaches are still hitting headlines with alarming frequency. In June of 2016, hackers hit remote desktop access service GoToMyPC® with a sophisticated attack, causing the company to send out a mass password reset to all of its users. Security breaches like these are a good reminder of why your business should use a password manager.

Everyday Use

Using the same password for every platform is problematic for the obvious fact that hackers can use that one password to break into several accounts. Your best bet is to use different passwords for different platforms—but trying to remember them all can, of course, be a challenge. For services you use infrequently, a password manager can improve productivity by helping you avoid tedious password search and reset processes.

Naturally, the biggest advantage of password manager platforms is that they allow you to easily create and store complex, hack-proof passwords. What do those look like? Here are a few tips: Secure passwords should use 10-12 characters with a mix of capital letters, lowercase letters, numbers, and symbols. And since it’s admittedly difficult for humans to remember 12+ character passwords that look like someone punched a keyboard, a password manager can come to the rescue.

Restoring Secure Access

When it comes to passwords, the best defense is a good offense—but breaches are going to happen. According to PCWorld, password leaks should be treated more like a “when” situation than an “if” situation.

Password managers can help you each step of the way, from locking down compromised accounts to restoring access on all devices so your employees can get back to business like nothing ever happened. After you regain control of the account, the password manager can generate a new, secure password. Additionally, the program will restore access on all of your connected devices by entering the new password in a single location, saving you the time and hassle of re-entering each new password on your work computer, personal desktop, personal laptop, smartphone, tablet, etc.

If you’re worried about password security, talk to your IT consulting service. A local MSP can help your business establish and implement secure password practices and manage them with ease. Check out PC Magazine’s list of top password managers for 2016 for a closer look at your best options.

Defend Your Network Against Advanced Persistent Threats

Tuesday, July 12th, 2016

If you’ve looked over our previous posts since we’ve started our blog, you know how serious we are about protecting your company from everyday cyber-threats—mainly phishing, ransomware, and various other malware. Today we’d like to discuss a different form of cyber-threat plaguing businesses over the past decade: what the security community has termed advanced persistent threats, or APT.

What exactly is “persistent” about APT? Most hacking attacks can be classified as “smash-and-grab robbery”: Break into a network and make off with anything of value—user identities, account numbers, cash—and disappear before anyone notices.

An APT attack compromises a network’s defenses and stays as long as possible—weeks, months, or years—discreetly infiltrating servers, eavesdropping on email, or discreetly installing remote bots or trojans which enable deeper espionage.

Their primary goal is information—classified material, trade secrets, or intellectual property—that might draw interest on the black market.

Robbery, Inc.: A Worldwide Enterprise

While unsophisticated hackers might lurk in the shadows like criminal gangs, APTs often emanate from professional environments not unlike a prosperous Bay Area tech company—posh high-rise offices, full-time employees with salaries and benefits, and formal product development teams. The difference is they’re conducting business in China, Russia, and other cyber sanctuary nations where international cybersecurity is unenforced and intellectual property laws don’t exist.

The more extensive an APT infection, the harder it is to isolate and eradicate it—like cockroaches under a kitchen sink. Many enterprise IT managers simply accept APT as a fact of life—conceding that trying to combat these intrusions would actually encourage the culprits to dig deeper into the network.

So if APT makes long-term data theft inevitable, how can you still protect yourself? Make the stolen data unusable.

Alphabet Soup? Fight APT with DLP

The second acronym we’ll talk about today is DLP: data leak protection. DLP encrypts sensitive data so that it can only be accessed by authorized users or workstations with a corresponding decryption key. If that data is intercepted by an APT, it’s rendered unreadable—and worthless.

Multiple name-brand security vendors offer a wide range of turnkey DLP solutions. Low-end products will automatically encrypt data which follows specific patterns (Social Security numbers, 16-digit credit cards), while high-end products can be configured to use complex algorithms and language analytics to locate and protect other specific forms of confidential data (such as client files, product designs, or sales figures). When unauthorized access is suspected, files can be temporarily quarantined against a possible data breach before they leave the company network.
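
The pattern matching described above can be sketched in a few lines. This is an added example, not code from any DLP product or from the original post: the function names and the sample text are constructed, the Luhn checksum and SSN range checks are added to cut false positives, and masking stands in for the encryption or quarantine step a real product would apply.

```python
from __future__ import annotations

import re

# The two pattern classes the post names: SSNs and 16-digit card numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers; rejects arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges that are never issued: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_sensitive(text: str) -> list[tuple[str, int, int]]:
    """Return (kind, start, end) for every match that survives validation."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", m.start(), m.end()))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("card", m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])


def redact(text: str) -> str:
    """Mask each finding, keeping the last four characters for reference."""
    out, last = [], 0
    for kind, start, end in find_sensitive(text):
        out.append(text[last:start])
        out.append(f"[{kind.upper()} ****{text[start:end][-4:]}]")
        last = end
    out.append(text[last:])
    return "".join(out)


# Constructed sample: a well-known test card number and a publicly invalidated
# SSN, followed by look-alikes that a bare regex would flag by mistake.
SAMPLE = (
    "Invoice 2016-07-12: card 4111 1111 1111 1111, SSN 078-05-1120.\n"
    "Tracking no. 1234567812345678, ref 000-12-3456, order 4111-1111-1111-1112.\n"
)

if __name__ == "__main__":
    print(redact(SAMPLE))
```

The second sample line passes through unchanged: none of its three look-alikes survives the checksum or range checks, which is the difference between a usable pattern rule and one that buries reviewers in false alarms.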

Are APTs already lurking within your network? What proprietary data can your business not afford to lose? How can you evaluate DLP products to find the best solution for you? Talk to us for help.

The “Wearable Revolution”: Is Your Company Prepared?

Thursday, July 7th, 2016

It’s a fair bet that one of your employees has already shown off a trendy new wearable gadget around the office. What began with Bluetooth earpieces would branch off into smartwatches, smart glasses, wrist-worn fitness trackers, and even smart clothing (including a smart bra!). Research firm Gartner forecasts sales of over 274 million wearable technology products in 2016—soaring past 322 million by 2017.

New Technology = New Targets for Hackers

For better or worse, wearable devices are on their way to becoming part of everyday life—including the workplace. But while manufacturers race to pack every new gadget with interesting bells and whistles, hackers and cyber-crooks are looking for emerging security weaknesses to exploit.

What are the potential security risks with wearable devices?

No Password Protection. Many wearable devices on the market—including high-end fitness trackers with email and social media connectivity—access external networks and store data without the password/PIN protection, biometric authorization, or other user authentication we’ve come to expect on smartphones. If the device is physically lost or stolen, that data is virtually exposed to anyone.

Unencrypted Data. A lack of standard encryption is also an issue for many wearables—either unencrypted files stored locally on the device or unsecured wireless connections when synced with smartphones or other host devices (Bluetooth encryption is avoided as it often causes additional battery drain).

A Spy’s Dream? James Bond (circa the “Goldfinger” era) probably would have loved the miniaturized functions of a modern smartwatch—in particular its ability to record still images, video, and audio. But if that device is hijacked by a malicious hacker, it may become a mobile portal for industrial espionage, either stealing recordings or eavesdropping in real time.

But That’s Not All… If the above reasons weren’t enough to be wary of the influx of wearable devices, a 2015 study released by the University of Illinois revealed that monitoring the electronic motion sensors on a Samsung Gear smartwatch could determine words typed on a keyboard! Think about that before you write your next confidential email or memo.

Where Do Wearables Fit In to Your BYOD Policy?

While wearables are increasingly common on and off the job, they represent an undefined grey area for business IT security. Many operate on their own platforms and aren’t compatible with most MDM solutions designed to regulate smartphones and laptops. Permissible onsite use of wearable devices will need to be incorporated into your company’s formal BYOD policy, which we’ve recommended that our customers define in writing.

Are your employees’ wearable devices a potential “weakest link” in your security chain? For ideas and solutions, talk to us.

The “Seven Deadly Sins” of Ransomware

Wednesday, June 29th, 2016

 


Readers of our blog over the past few years know we were among the first in the Bay Area to warn our customers about the growing threats of ransomware—from the emergence of CryptoLocker and CryptoWall to our federal government’s startling admission that they’re virtually powerless to stop it.

Mostly originating from sophisticated cyber-gangs in Eastern Europe, ransomware may be the most profitable organized crime scheme in the world today.

We weren’t exactly surprised, then, when we received “2016 Will Be the Year Ransomware Holds America Hostage,” a 40-page report from The Institute for Critical Infrastructure Technology (ICIT), a non-profit cybersecurity think tank.

The ICIT report is a comprehensive review of the ransomware landscape—from its earliest origins to the major active strains “in the wild” to the likeliest targets (particularly American small businesses). Today we’d like to highlight the seven delivery channels of ransomware and other malware infections—what we refer to as “The Seven Deadly Sins.”

1. Traffic Distribution Systems (TDS)

If you visit a website and suddenly see an annoying pop-up ad, it’s because the website sold your “click” to a TDS vendor, who contracted with a third-party advertiser. Pop-up blockers have rendered most pop-up ads obsolete, but some of the shadiest TDS vendors contract directly with ransomware groups to spread exploit kits and “drive-by downloads.”

2. Malvertising

As we discussed last July, even trusted web pages can include third party ads embedded with malware-inducing code. One click on a bogus ad can wreak havoc.

3. Phishing Emails

From phony bills and résumés to bogus “unsubscribe” links in annoying spam, email recipients can be tricked into clicking a link allowing an instant viral download of ransomware. Research reveals that despite strong security training, up to 15% of employees still get duped by phishing schemes.

4. Gradual Downloaders

Exploit kits and ransomware can be discreetly downloaded in “segments” over time, evading detection by most anti-virus defenses.

5. Social Engineering

Also known as simple “human ignorance,” a user can be tricked into downloading a phony software update or other trusted download link—even ignoring warning messages (as happened to a friend of ours) only to allow a costly malware infection.

6. Self-Propagation

Once inside a single computer, the most sophisticated ransomware strains can automatically replicate through an entire network via the victim’s address book. ICIT expects that self-replicating ransomware will evolve to infect multiple devices within the Internet of Things.

7. Ransomware as a Service (RaaS)

ICIT predicts that the largest ransomware creators will syndicate “retail versions” of their products to less sophisticated criminals and lower-level hackers who’ll perform the day-to-day grunt work of hunting down new victims around the world. The creator collects a percentage of every successful ransom payment.

In the coming weeks, we’ll continue to examine ransomware and other cyberthreats our customers need to defend against. For more on how to protect your company, contact us.

Where’s Your Company’s WISP? Why You Need One NOW

Tuesday, June 14th, 2016


A WISP is one of the most important documents for any company doing business over the Internet—which, in this day and age, is pretty much everybody. Who’s responsible for drafting and maintaining your company’s WISP? Or are you even sure what a WISP is? If not, your company is already at serious risk for additional legal action—lawsuits and punitive fines—following a data breach, whether the result of external hacking or internal human error.

WISP stands for Written Information Security Program—essentially your company’s formal road map for safeguarding the privacy of customers’ Personally Identifiable Information (PII), as well as a response plan after a data breach—including customer notification.

WISPs are already required for companies dealing in financial services (the Gramm–Leach–Bliley Act) or medical health records (HIPAA). Additionally, most states now have their own laws governing data privacy standards for businesses.

Here in California, the California Data Protection Act (Civil Code Section 1798.80-1798.84) requires businesses to “implement and maintain reasonable security procedures” to ensure the electronic privacy of customers’ personal information—their names combined with any of the following:

  • Usernames/passwords for online accounts
  • Social Security/Driver’s License numbers
  • Credit/debit card numbers
  • Medical history/health insurance records

How Much Is “Reasonable”?

The tricky thing here is that the California law doesn’t define what “reasonable security procedures” really are. And if even one of your customers resides out of state, your company is likewise bound by the corresponding data protection laws in that state—such as Massachusetts, where a WISP is a legal business requirement. At a time when new corporate data breaches seem to grab headlines every month, a formal WISP program for any company—large or small—is just good common sense.

Cover All the Bases

What are the elements of a comprehensive, iron-clad WISP? Here are the essential points to cover:

  • The designated person(s) to administrate the WISP
  • An assessment of reasonably foreseeable risks to security/confidentiality of protected PII data
  • Locations where personal information is stored (electronic or hard copies, as well as access from portable devices)
  • Specific measures to safeguard confidential data (encryption, firewalls, security patches, or more)
  • Ongoing employee data security training, with disciplinary policy for WISP violations
  • Monitoring and review of the program’s effectiveness, annually or as necessary
  • Your company’s official breach response plan

The Commonwealth of Massachusetts offers a good WISP template for small businesses here.

Most importantly, if your company is partnered with a managed service provider or other third-party IT services, make sure they’re on board with your WISP program—that they’ll take time to assist in crafting your initial policy in addition to providing regular enforcement and documentation. We certainly will.

Data Sanitization: Are You Erasing Your Old PCs COMPLETELY?

Tuesday, June 7th, 2016

One of our pet peeves with some of our new customers is that once we come in to upgrade their IT network, they’re careless about disposing of their old hardware—specifically, their PC hard drives. They think that by simply deleting their existing files—email, customer records, and other sensitive or proprietary data—that information will be fully erased and irretrievable. That couldn’t be further from the truth.

Deleting a file merely tells the computer that the space it occupies on the hard drive is no longer deemed “protected.” It will physically remain on the drive—encoded in ones and zeros—until those binary digits are overwritten by new data.

If your desktop or laptop PC has reached the proverbial “end of the line,” there won’t be any further input to write over those old files. Before it leaves your control forever, you’ll need to take additional steps to ensure its hard memory is absolutely wiped away.

How Clean Is “Clean”?

For many years, the gold standard for data sanitization was the Gutmann method, where the entire drive was manually rewritten—all in ones or zeros, or binary gibberish—a whopping 35 times, or passes. Today there is a range of standards employed around the world. Our Department of Defense (DoD) considers three passes to be sufficient for national security.

Data wiping isn’t as complicated as it might sound, though there are a few differences between the traditional rotating hard disk drives (HDDs) and the smaller, flash-based solid state drives (SSDs) commonly built into laptops. It can actually be a DIY project, thanks to several time-tested freeware utilities favored by IT pros and computer geeks alike:

  • Eraser thoroughly overwrites all or selected files of an HDD drive—from the Gutmann 35-pass standard downward. It can also be configured to wipe specific files or sectors of the drive on a regular basis.
  • Roadkil’s Disk Wipe effectively cleanses data from both internal HDD and SSD drives, via multiple passes (we recommend at least the DoD standard of three).
  • Darik’s Boot and Nuke, commonly known as DBAN, has remained largely unchanged since the earliest versions of Windows (forgive the primitive interface’s resemblance to the infamous “Blue Screen of Death”). While DBAN still holds an excellent reputation as a comprehensive HDD data cleanser, like most utility software of its era, it can take a full day or more to finish the job.
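
What an overwrite pass does to a single file, compared with a plain delete, can be shown directly. This is an added example, not code from any of the tools listed above: the function names and the temporary file's contents are constructed, and the three-pass sequence (zeros, ones, random) is an assumption chosen to illustrate the pass count mentioned in the text rather than a reproduction of any published standard.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024                      # write in 1 MiB blocks to bound memory use
MARKER = b"CONSTRUCTED-CUSTOMER-RECORD"  # stands in for sensitive file content


def overwrite_file(path, passes=(b"\x00", b"\xff", None)):
    """Overwrite a file in place, once per entry in `passes`.

    A bytes entry is a one-byte fill pattern; None means random data.
    Returns the number of bytes covered by each pass.

    Caveat: this targets the file's logical blocks. On SSDs (wear leveling)
    and on copy-on-write or journaling filesystems, the old physical blocks
    may survive, so whole-drive tools are the right choice before disposal.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for fill in passes:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n) if fill is None else fill * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())        # force this pass to disk before the next
    return size


def demo():
    """Write a constructed record, overwrite it, then delete the file.

    Returns (marker_before, marker_after, size_unchanged, file_still_exists).
    """
    fd, path = tempfile.mkstemp(suffix=".dat")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write((MARKER + b" account=0000\n") * 5000)
        original_size = os.path.getsize(path)
        with open(path, "rb") as fh:
            before = MARKER in fh.read()
        overwrite_file(path)
        with open(path, "rb") as fh:
            after = MARKER in fh.read()
        size_kept = os.path.getsize(path) == original_size
        os.remove(path)                  # delete only after the content is gone
    finally:
        if os.path.exists(path):
            os.remove(path)
    return before, after, size_kept, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```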

“Non-Technical” Alternatives

It’s also possible to render a hard drive permanently inoperable using simple methods: a hammer, power drill, or hacksaw—anything to physically destroy it. Some electronics recyclers around the Bay Area will feed your hard drive into a shredder, for an additional fee. Whether you rely on software or brute force, never say goodbye to a computer before knowing its hard drive can never be accessed again.

For more ideas about the full “life cycle” of IT data security, talk to us.