Newsletter Archives

  • 31 days of Paranoia – day 31

    First off a bit of Halloween humor seen on a twitter post… someone was saying they were dressing up as “Outlook”.  Their costume was to wrap themselves up in a translucent shower curtain with a sign that said “Not Responding!”.

    I think we all can relate to that.

    So as I’m here at the front door (dressed up like Supreme Court Justice Ruth Bader Ginsburg I might add) waiting for the trick-or-treaters let’s end our 31 days of paranoia with one more post of resources:

    Places to go to get help – especially for Windows issues.

    First off – and above all – this site.  Specifically the Forums on this site.  There is nothing that helps better than someone else saying “gee I don’t see that here”… or “yes, I’ve had that EXACT same issue and here’s how I fixed it!”.  When you have no other machine to compare to, you tend to get a bit paranoid thinking that attackers are making your machine freak out when it might just be… well… patching or antivirus scanning or something third party making it freak out.

    Next I’d recommend something that makes me shiver… and not just because it’s Halloween and I’m listening to the Amazon Halloween playlist (it’s playing Michael Jackson’s Thriller right now).  Twitter.  Yup, Twitter.  I am lately finding that you can get one-on-one help when you direct it to a corporate or official Twitter account.  There is a list (it might be a bit outdated) of official Twitter aliases, and their official support alias for Microsoft is https://twitter.com/microsofthelps

    You can direct message them and get communication back.  The reason it makes me shiver is I find that Twitter is too narrow of a channel and the knowledge or solution doesn’t often get exposed like it does in a forum venue.

    If you are an IT pro kind of person, I’m finding that Microsoft employees respond pretty well on the Techcommunity venue.

    Also make sure you have at least SOMETHING that can get to Google.  The best way to fix a Windows machine is a working computer or device and a search engine.  There are so many times I’ve fixed something scrolling around a page on my iPhone.

    Now just so you don’t think I’m going to end the 31 days of paranoia in a happy spot here are some parting trends to worry about:

    Crypto mining attacks are trending.  The bad guys get on your machine and use the excess CPU to mine bitcoin.  So they don’t want to steal your credit card data, they want to use your computer to make their own money.

    Smaller more targeted phishing is on the rise.

    Attackers are setting up Office 365 relay rules and then hiding the fact that they’ve taken over your mailbox.

    And with that we close this month of paranoia.  Going forward I’ll still throw in a paranoid post or two…. just not as often as one a day.

  • Patch Lady – 31 days of Paranoia – Day 30

    Today’s topic on paranoia is about resources to keep yourself aware and secure.  Besides this site (obviously) here are some other resources I recommend:

    Krebs on Security

    Threatpost.com

    Schneier on Security

    Naked Security

    Internet Storm Center

    Zero Day Initiative blog

    F-Secure blog

    Dark Reading blog

    Information for businesses:

    Cost of a breach study

    Symantec security report

    NIST guidance

    So what do you follow that keeps you aware and secure?

    Edit:  I am gobsmacked.  I indeed should have included the following:

    Ghacks

    Bleeping computer

    BornCity

  • Patch Lady – 31 days of Paranoia – Day 29

    Today’s topic of paranoia is one that I’m already paranoid over.  While 2017 had the largest number of public data breaches, there is a bigger risk that I’m concerned about.  That of the data breaches that we aren’t aware of.  Just about every day I hear on the radio or TV an ad for identity theft monitoring services that tout the ability to search the “dark web” for sensitive information.  I chuckle a bit at that because for something to be truly found on the dark web, then it’s no longer “on” the dark web but exposed as a known breach.  I don’t buy for one minute that these identity theft companies have the ability to see into the dark web before the bad guys find ways to obfuscate it again.

    I’m paranoid that we’re always going to be one step behind the bad guys, with our financial institutions (who already have proven that they can’t be trusted) making security decisions that are good enough.  Good enough for their bottom line, but not good enough for our data.  I’m paranoid that our legislature won’t understand the cyber issues well enough to ensure we have laws in place to disclose breaches and protect our data.

    So?  Are you as paranoid as I am?  Do you think we’re doing enough to protect our financial data?  What do you think they should do to make it better?

  • Patch Lady – 31 days of Paranoia – Day 28

    Today’s paranoia topic is about hardening Windows… and specifically whether Windows 7 is really more or less secure than Windows 10.

    For all that people do not like about Windows 10 privacy (or lack of) settings and telemetry, Windows 10 does have much more hardware-based security that can be enabled than Windows 7 has.

    But therein lies the problem: much of this security goodness only kicks in if you have the right hardware, the right operating system and the right knowledge to set it up right.  Take Credential Guard for example… it’s only in the Enterprise SKU.  Others like attack surface reduction rules only kick in as well with the Enterprise version.  1809 was supposed to get block suspicious behaviors but it was pulled at the last minute.

    So whenever you hear that Windows 10 is the most secure version of Windows ever… it is.  But…. depending on the version you have, you may not get all the features.

    One thing you can do is to “harden” the operating system by uninstalling any software added by the vendor during the OEM process you don’t use, or better yet, reinstalling the operating system from scratch before you use it.  Then you can use various tools to “de bloat” the games and other items from the operating system as well as possibly disable services.

    But I don’t recommend following that guidance without making a solid backup of your system before you start tweaking and making changes.

    So is Windows 10 the most secure operating system ever?  Sure.  But like most things in security, it takes work and nothing right out of the box is as secure as it can be.
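
    One way to see which of the features mentioned above are actually active on a given machine (an added example, not part of the original post; it relies only on built-in Windows cmdlets and the Device Guard WMI class, and the output field names are this example's own).  Run it from an elevated PowerShell prompt:

    ```powershell
    # Added example: report edition, release and hardware-backed protections.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Device Guard WMI class. VirtualizationBasedSecurityStatus: 0 = off,
    # 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
    $vbsText = switch ($dg.VirtualizationBasedSecurityStatus) {
        2       { 'Running' }
        1       { 'Enabled, not running' }
        0       { 'Off' }
        default { 'Unknown' }
    }

    # Secure Boot: the cmdlet throws on legacy BIOS systems or without elevation.
    try   { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = 'Not supported or not elevated' }

    # TPM: Get-Tpm requires elevation.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmState = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
    } catch { $tpmState = 'Unknown (run elevated)' }

    # Attack surface reduction rules: action 1 = block, 2 = audit, 0 = disabled.
    try {
        $mp      = Get-MpPreference -ErrorAction Stop
        $ids     = @($mp.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
        $actions = @($mp.AttackSurfaceReductionRules_Actions)
        $blocking = 0
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($actions[$i] -eq 1) { $blocking++ }
        }
        $asrState = "$($ids.Count) configured, $blocking in block mode"
    } catch { $asrState = 'Defender preferences unavailable' }

    [pscustomobject]@{
        Edition           = $cv.EditionID      # e.g. Core, Professional, Enterprise
        Release           = $cv.ReleaseId      # e.g. 1809
        SecureBoot        = $secureBoot
        Tpm               = $tpmState
        VbsStatus         = $vbsText
        CredentialGuardOn = ($dg.SecurityServicesRunning -contains 1)
        HvciOn            = ($dg.SecurityServicesRunning -contains 2)
        AsrRules          = $asrState
    } | Format-List
    ```

    Comparing the output on two machines shows how much of the "most secure Windows ever" depends on edition, hardware and configuration rather than on the version number alone.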

  • Patch Lady – 31 days of Paranoia – Day 27

    I apologize in advance if I’m a bit controversial tonight.  In the last several days we’ve had horrific things occur in the United States and I think some of this bad stuff going on… or perhaps all of this… is enhanced by social media.  I have posted in and on online forums for many years and remember the days of NNTP and newsgroups.  There were always good places to hang out and not so good places to hang out.  The anonymous nature of technology tended to encourage some folks to be a bit too brutal, a bit too honest, and a bit… well… just too much.

    Fast forward twenty years to where Twitter, Facebook, Instagram and other platforms are deemed “mainstream” and I think the same issues we saw twenty years ago in the newsgroups – where communication is broken down – are now in our daily lives.  And what used to be a small, small group of folks that you could easily ignore is now a much larger problem in society.

    In 2016, this page indicates that 87% of kids have witnessed cyberbullying.  Wow.  I wonder what that statistic is now.

    So I challenge all of us… including me, to do something tomorrow.  Instead of using technology tomorrow, glance up at another human being and say Hi to them.  Keep your phone in your pocket and technology away from your fingertips and your head up tomorrow.

    Consider this an online hug from me, and here’s hoping something can be done.

  • Patch Lady – 31 days of Paranoia – Day 26

    Our next topic of paranoia is one where there is more paranoia than there is reality:  Being concerned about automobiles being hacked.  Sure there are headlines about attacks and threats, but is there truth and fact in these attacks?

    To be fair there is ample evidence to be concerned about the risks.  There have been clear demonstrations of cars taken over and remotely controlled.  But to be clear these hacks occurred after a long period of investigation.  The risk of cars… to me… is no different than the risk of the internet of things.  We have devices that you don’t normally think of needing updates and patches.  We have devices that are probably hard to patch (one doesn’t normally think of rebooting a car, does one?)  We have a thing that most of us can’t service ourselves, so we must rely on vendors and “consultants” (car dealers and mechanics) of varying quality.

    Don’t get me wrong, I love the idea of driverless cars, of technology that can drive me automatically to where I want to go, of technology that will ensure that we can be mobile at any age of our lives.  But with every technology we build, there are always people that will want to make that technology not work.

    So when you buy a car and there is technology under the hood, ask about how that technology gets serviced.  Is it over the air patching?  Do you have to take the car to the dealer to get boards “flashed”?

    It’s time to ask hard questions of all of our vendors.

  • Patch Lady – 31 days of Paranoia – Day 25

    How many times has this happened to you?  You get a call and the person on the other end of the phone says you have a problem with your [computer, iPhone, Apple device, technology].  They usually say that your device is alerting them that it is full of viruses.

    Their goal?  To either get on your machine or get your credit card from you and then steal money from you.  As noted on this FTC page,

    The scammers may then

    Ask you to give them remote access to your computer — which lets them access all information stored on it, and on any network connected to it

    Try to enroll you in a worthless computer maintenance or warranty program

    Install malware that gives them access to your computer and sensitive data, like user names and passwords

    Ask for credit card information so they can bill you for phony services or services available elsewhere for free

    Try to sell you software or repair services that are worthless or available elsewhere for free

    Direct you to websites and ask you to enter credit card, bank account, and other personal information

    How many of you try to play along and keep the scammers online?  I know some folks that purposely keep a virtual machine around and let scammers log into that and pretend to be really really dumb in regards to technology to keep the scammers online as much as possible.  I have often dragged them along for a time and then finally asked them if they feel right scamming people.  They promptly hang up.

    If you’ve let them on your system, make sure you scan your system with an antivirus program.  Cancel credit cards if you gave them any financial information.

    But just know that Microsoft never calls you, unless you’ve called them first.

  • Patch Lady – 31 days of Paranoia – Day 24

    Today Tim Cook spoke at a Privacy conference and asked that we set new policies for privacy.

    He asked for four things: 

    1.  the right to have personal data minimized;

    2.  the right for users to know what data is collected on them;

    3.  the right to access that data;

    4.  the right for that data to be kept securely.

    Online tracking is a big problem.  Big data is a big problem.  I always say if you don’t pay for something, you are the product.

    Watch Tim Cook’s speech here: https://youtu.be/kVhOLkIs20A

    What do you want from your vendors in regards to privacy?  But can we trust our vendors to do the right things in regard to privacy?  Or should we push for more than even what our vendors want?

  • Patch Lady – 31 days of Paranoia – Day 23

    Small and even medium sized businesses often use consultants to help them with their network and security setups.  Recently the US Computer Emergency Readiness Team showcased that these very consultants are being targeted.  Often Managed Service Providers use remote management tools to remote into systems.  Attackers are using phishing attacks, going after remote portals, or attacking the software that MSPs use to gain control of their customers’ networks.

    While the recommendations from US-CERT have some merit, there are some suggestions that either don’t make sense, or miss a step.  One I would add is multi-factor authentication on remote access solutions, to ensure that any new or unusual remote access demands a verification code from a cell phone or other two-factor means.  The other recommendation that doesn’t make sense is the recommendation that MSP accounts don’t have domain administrator access.  Especially with smaller firms that are monitored by MSPs, that’s the entire point… they often are the remote domain administrators.

    If you are a small business that relies on consultants, send them that link and ask them… what are you doing to ensure that you are not targeted so that I am not targeted?  And ask them if they have a technology checklist they can share with you.

  • Patch Lady – 31 days of Paranoia – Day 22

    We come to our 22nd day of paranoia and today is about a topic that is near and dear to many of you… end user license agreements.  Those statements that vendors provide that we all click through, and most of us don’t understand them, nor read them like we should.  The Electronic Frontier Foundation recaps most of the terminology that we miss, but there’s another end user license agreement issue that we often overlook.  One where the terms change and we don’t realize that they have changed:

    For example… let’s look at the Windows 10 end user license agreement.

    In Windows 10 the EULA specifically says this:

    Section 2 c (v):
    use the software as server software, for commercial hosting, make the software available for simultaneous use by multiple users over a network, install the software on a server and allow users to access it remotely, or install the software on a device for use only by remote users;

    In Windows 8.1 Pro the EULA says this:
    The software is not licensed to be used as server software or for commercial hosting, so you may not make the software available for simultaneous use by multiple users over a network

    One could argue that the EULA specifically disallows the ability to set up a headless Windows 10 machine that one can remote into and use remotely.

    Given that they have announced a Microsoft virtual desktop hosted on Azure, you can see that’s where they want the remote experience to be.

    Bottom line, never assume that end user license agreements are static.  They can be updated with newer terms.  Keep reading ….and keep reading between the lines… as necessary.

  • Patch Lady – 31 days of Paranoia – Day 21

    Ever heard of swatting?  It’s when someone calls the police and reports something that isn’t actually happening, just to harass the person.  The police arrive at the door with sirens going and guns pulled thinking they are walking into a situation where someone is being hurt or robbed by someone or held at gunpoint.  It can often lead to horrible consequences.  Just the other day I heard of something that made me go… really?  Has it gone THAT far?

    You can now sign up in the Seattle area to be on a swatting list so that the police know that should they get a call to the address that it may be a swatting event, and not just a normal incident.  So the police are now put on notice that an individual or business may be harassed.  At times the person harassed is involved in online gaming and the swatting is done to enable others to watch the harassment.  Other times technology journalists like Brian Krebs have been swatted and harassed.

    Bottom line it’s a prank that isn’t funny one bit.  And it’s a bit sad that police departments have to set up programs to ensure people don’t get hurt.

    Doxing is another term that is a side effect of having so many databases and so many ways to post information.  Someone either researches or has access to private information and then posts that information to the web.  Often it can be phone numbers, or addresses or other private information that when the information is posted to a public venue, it can put the person at risk, or encourage harassment.  The best way to anticipate doxing is googling yourself and seeing what information you can find about you, your family members, phone numbers, addresses, and then attempt to lock the information down.  In some databases you can unsubscribe and ask that your information be removed.

    Technology can be used for good, but there are times like this that technology brings out the worst in people.

  • Patch Lady – 31 days of Paranoia – Day 20

    Here’s a paranoia item for you… what happens if… or rather when… the Internet goes down for enough time that you have to make a plan B?  Note this post is slightly influenced by the fact that just as I sat down to write the nightly paranoia item, Comcast experienced an outage in my area and won’t be back until 1 a.m.  So now I’m on a much slower cellular connection writing this.  And I must say you get spoiled with high-speed access.

    But it reminds me that there will be a day when there will be an earthquake in California, possibly large enough to impact a major Internet connection and thusly impact services and experiences that I’ve come to take for granted.  It’s one of the reasons that I keep this laptop that has built-in cellular connectivity as a backup.

    What do you have in place to provide alternatives should a major catastrophe impact technology that you are used to?  In some areas of the country generators are the norm (they aren’t in California).  Do you have flashlights and radios?

    But bottom line there will be a cyber attack or an Internet outage…. and then what will we do?