
Posts from the ‘Other’ Category

16 days of security

We’re halfway through our 31 days of security posts in honor of October, Cybersecurity Awareness Month.

Today we live in a world where recording devices are ubiquitous. There are cameras on public streets, cameras in the doorbells of houses, and in general there is often a video recording that authorities can obtain to learn more about an incident. California’s wiretapping law has been summarized this way:

California’s wiretapping law is a “two-party consent” law. California makes it a crime to record or eavesdrop on any confidential communication, including a private conversation or telephone call, without the consent of all parties to the conversation. See Cal. Penal Code § 632. The statute applies to “confidential communications” — i.e., conversations in which one of the parties has an objectively reasonable expectation that no one is listening in or overhearing the conversation. See Flanagan v. Flanagan, 41 P.3d 575, 576-77, 578-82 (Cal. 2002).  A California appellate court has ruled that this statute applies to the use of hidden video cameras to record conversations as well. See California v. Gibbons, 215 Cal. App. 3d 1204 (Cal Ct. App. 1989).

If you are recording someone without their knowledge in a public or semi-public place like a street or restaurant, the person whom you’re recording may or may not have “an objectively reasonable expectation that no one is listening in or overhearing the conversation,” and the reasonableness of the expectation would depend on the particular factual circumstances.  Therefore, you cannot necessarily assume that you are in the clear simply because you are in a public place.

If you are operating in California, you should always get the consent of all parties before recording any conversation that common sense tells you might be “private” or “confidential.” In addition to subjecting you to criminal prosecution, violating the California wiretapping law can expose you to a civil lawsuit for damages by an injured party.

If your security cameras cover a location where there is no expectation of privacy, such as the street in front of your house, the wiretapping law is not a concern. If cameras inside your house pick up conversations, however, there is an expectation of privacy and the wiretapping law comes into play. Now layer on the fact that many of these cameras have less than stellar security, and that there are search engines that index internet-connected devices so an exposed camera can be found by anyone, and it’s no wonder we’re all a bit paranoid these days. Make no mistake, video cameras often help law enforcement put evidence together. Case in point: in a local homicide in my city, investigators spotted the assailant’s truck in several videos captured by surrounding homes and businesses and used the footage as additional proof that the assailant was in the area where the homicide occurred. So video capture helps a great deal. BUT, as with all technology, it can be abused, both as an invasion of privacy and as a foothold for attackers.

If you set up a home video camera, consider the vendor’s security features: make sure it has no hardcoded or factory-default password you cannot change, that it requires you to set a strong password, and that it can be updated relatively easily, among other things.
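As an added example (not code from this post or from any camera vendor), here is a script that turns that checklist into checks you can run against a camera’s settings. It assumes you have copied the values from the camera’s admin page into a small dictionary; the two configurations, the default-password list, the thresholds and the dates are all constructed for the example. It goes slightly beyond the list above by also flagging a camera that has been exposed to the internet, which is exactly what the device search engines mentioned earlier index.

```python
"""Offline hardening checks for one home IP camera (added example)."""
from datetime import date
import re

# Constructed list of factory passwords of the kind consumer cameras ship with.
# Any password printed in a manual or on a published default-credential list
# is equivalent to no password at all.
DEFAULT_PASSWORDS = {"", "admin", "password", "12345", "123456", "888888"}

MAX_FIRMWARE_AGE_DAYS = 180   # assumption: older than this, go look for an update
MIN_PASSWORD_LENGTH = 12      # assumption: minimum for a mixed-class password
PASSPHRASE_LENGTH = 20        # assumption: long passphrases need not mix classes
TODAY = date(2018, 10, 16)    # constructed "today" so the example is repeatable


def password_is_strong(password: str, serial: str = "") -> bool:
    """Reject short, single-class, or serial-number-derived passwords."""
    if serial and serial[-4:].lower() in password.lower():
        return False              # "last four of the serial" is on the sticker
    if len(password) >= PASSPHRASE_LENGTH:
        return True
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes >= 3


def audit_camera(cfg: dict, today: date) -> list:
    """Return a list of findings for one camera; an empty list passes."""
    findings = []
    pw = cfg.get("admin_password", "")
    if pw in DEFAULT_PASSWORDS:
        findings.append("admin password is a factory default")
    elif not password_is_strong(pw, cfg.get("serial", "")):
        findings.append("admin password is weak or derived from the serial number")
    if cfg.get("admin_user") == "admin":
        findings.append("admin account still uses the default username")
    fw_date = cfg.get("firmware_date")
    if not cfg.get("supports_updates") or fw_date is None:
        findings.append("no firmware update mechanism, or firmware date unknown")
    else:
        age = (today - fw_date).days
        if age > MAX_FIRMWARE_AGE_DAYS:
            findings.append(f"firmware is {age} days old; check for an update")
    if cfg.get("upnp_port_mapping") or cfg.get("port_forwarded"):
        findings.append("camera is reachable from the internet; "
                        "device search engines index exactly this")
    if cfg.get("remote_access") and not cfg.get("tls"):
        findings.append("remote access without TLS sends the password in the clear")
    return findings


# Constructed configurations: as shipped, and after hardening.
FACTORY_CONFIG = {
    "admin_user": "admin", "admin_password": "admin", "serial": "CAM20180001",
    "supports_updates": True, "firmware_date": date(2017, 3, 1),
    "upnp_port_mapping": True, "remote_access": True, "tls": False,
}
HARDENED_CONFIG = {
    "admin_user": "porch-owner", "admin_password": "Porch!Watch-2018-xq7",
    "serial": "CAM20180001", "supports_updates": True,
    "firmware_date": date(2018, 9, 1), "upnp_port_mapping": False,
    "port_forwarded": False, "remote_access": True, "tls": True,
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_camera(cfg, TODAY) or ["ok"])
```

Run it against the factory configuration and every line of the checklist fires; the hardened configuration passes cleanly. The serial-number check is there because "last four of the serial" is a common shortcut for a password, and the serial is printed on the camera itself.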

Cameras can help make you safer, but they can also introduce security risks. Be aware of both when you install a video camera in your house. If you have a camera or security system, put the stickers on the windows that inform those entering your home that they may be recorded.

17 days of security

Too often people see cloud services as easy to set up, and they are, but they don’t take the time to think about security. I have personally seen users of cloud services share credentials with another person without thinking of the risk of sharing credentials. I’ve seen consultants misconfigure settings or, as often seen in big cloud breaches, leave files in cloud storage without setting the access permissions properly.

There are a lot of good things about cloud services. And there are a lot of risks to cloud services. Always ask and check how easy it is to move FROM a cloud provider, check the encryption status, and check the backup status. These days I’m seeing more and more vendors providing cloud backup solutions that give users more granular options for restoring files saved in the cloud.
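Here is an added example (not from this post or from any cloud provider’s tooling) of what “file security not set properly” usually looks like in the big breaches: an object-storage bucket whose policy or access control list grants read access to an anonymous principal. The script parses an S3-style bucket policy document and an ACL grant list and reports anything world-readable. The two policies, the ACL, the bucket name and the VPC endpoint ID are constructed for the example; the account ID is the placeholder AWS uses in its own documentation.

```python
"""Flag cloud storage that is readable by the whole internet (added example)."""
import json

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
ANON_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _anonymous(principal) -> bool:
    """Principal "*" and {"AWS": "*"} both mean everyone, unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json: str) -> list:
    """(Sid, read actions) for every Allow statement open to an anonymous principal."""
    hits = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or not _anonymous(st.get("Principal")):
            continue
        actions = [a for a in _as_list(st.get("Action", [])) if a.lower() in READ_ACTIONS]
        if not actions:
            continue
        # A Condition (source VPC, source IP, ...) may narrow "everyone"; report it
        # anyway, flagged, because conditions are easy to get wrong.
        sid = st.get("Sid", "<no Sid>") + (" (conditional)" if st.get("Condition") else "")
        hits.append((sid, actions))
    return hits


def public_acl_grants(grants: list) -> list:
    """(who, permission) for ACL grants to the AllUsers or AuthenticatedUsers groups."""
    return [(ANON_GROUPS[g["Grantee"]["URI"]], g.get("Permission"))
            for g in grants
            if g.get("Grantee", {}).get("URI") in ANON_GROUPS]


def audit_bucket(policy_json: str, grants: list) -> list:
    """Human-readable findings; an empty list means nothing is world-readable."""
    out = [f"bucket policy statement {sid} grants {', '.join(acts)} to everyone"
           for sid, acts in public_statements(policy_json)]
    out += [f"ACL grants {perm} to {who}" for who, perm in public_acl_grants(grants)]
    return out


# Constructed documents in the shape returned by get-bucket-policy / get-bucket-acl.
PUBLIC_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "WebsiteRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::client-tax-returns/*"},
    {"Sid": "OwnerAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::client-tax-returns"}
  ]
}"""

RESTRICTED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "OwnerAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::client-tax-returns"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::client-tax-returns/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f6a7b8"}}}
  ]
}"""

PUBLIC_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    for line in audit_bucket(PUBLIC_POLICY, PUBLIC_ACL):
        print("FINDING:", line)
    print("restricted:", audit_bucket(RESTRICTED_POLICY, PUBLIC_ACL[:1]))
```

Both checks matter: a bucket can have a perfectly private policy and still be public through a legacy ACL grant, and vice versa, so look at both before declaring a bucket locked down.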

So read those end user license agreements, and ask questions of your vendors before you sign up.

18 days of security

If you have a bit of time on your hands, take a stroll through the FBI’s Cyber’s Most Wanted list. You’ll find Russian hackers targeting our elections as well as one gentleman who

is allegedly a North Korean computer programmer who is part of a state-sponsored hacking organization responsible for some of the costliest computer intrusions in history, including the cyber attack on Sony Pictures Entertainment, a series of attacks targeting banks across the world that collectively attempted to steal more than one billion dollars, and the WannaCry ransomware attack that affected tens of thousands of computer systems across the globe.

Park was alleged to be a participant in a wide-ranging criminal conspiracy undertaken by a group of hackers employed by a company that was operated by the North Korean government.  The front company – Chosun Expo Joint Venture, also known as Korea Expo Joint Venture – was affiliated with Lab 110, one of the North Korean government’s hacking organizations.  That hacking group is what some private cybersecurity researchers have labeled the “Lazarus Group.”  On June 8, 2018, a federal arrest warrant was issued for Park Jin Hyok in the United States District Court, Central District of California, after he was charged with one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer-related fraud (computer intrusion).

WannaCry’s cost to the NHS has been estimated at 92 million pounds (assuming I have my monetary naming correct). The disturbing part of WannaCry was that most victims were hit because they had not installed the update that protects against the EternalBlue exploit (MS17-010, released two months before the outbreak). The patch was available, but many had not yet installed it for various reasons. This is why installing updates is so key to keeping systems secure.

Ironically enough, EternalBlue was a US government exploit (developed by the NSA and leaked by the Shadow Brokers) that got exposed to the public. One government trying to attack other governments, and ultimately we all got damaged in the process.

Needless to say, the FBI’s who’s who of cyber villains is a chilling and interesting read.

19 days of security

 

The FBI put together a video to warn those running for office not to be tricked into running or installing malicious code on their systems. While it’s geared towards candidates, the browser advice applies to everyone. As noted in the video, when you install your browser you want to check its settings:

Disable autofill, remembering passwords, and browsing histories.

Do not accept cookies from third parties.

Clear all forms of browser history when closing the browser.

Block ad tracking.

Enable ‘do not track’ requests to be sent to websites.

Disable browser data collection.

When a website requests a certificate from you, ensure the browser asks your permission before providing it.

Disable cache (or storing) of web pages or other content, or set the cache size to zero.

Enable browser capabilities to block malicious, deceptive or dangerous content.

And while you are checking out your browser, there are a couple of alternative browsers you might want to look at. Both have musical names: Opera is one, Vivaldi is the other.

Check them out!

21 days of security

Have you ever checked whether a password of yours has been discovered by attackers and is known to them? The site https://haveibeenpwned.com/ has accumulated the email addresses and passwords exposed in data breaches, and it lets you check whether your email address or a password of yours appears in them. Recently Brian Krebs has had several stories about phishing emails that quote an old password of yours to frighten you into thinking the attackers have more information about you.

Pwned, or being owned, is slang for having your account taken over. The database shows the sites and databases that were exposed in data breaches. You can then think of all the places you used THAT password and determine how many accounts might be compromised. Better yet, a password manager lets you use a unique strong password or passphrase for every site. Changing passwords and adding multi-factor authentication are the key things you can do on any cloud service you are concerned about.
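For the curious, here is an added example (not from this post or from Have I Been Pwned) of how the password check can be done without sending your password anywhere. Pwned Passwords uses a k-anonymity range query: hash the password with SHA-1, send only the first five hex characters, get back every hash suffix in the corpus that starts with those five characters along with a breach count, and compare locally. The range response and its counts below are constructed for the example; fetch_range talks to the real API and is only used when the script is run directly.

```python
"""Check a password against Pwned Passwords without revealing it (added example)."""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str):
    """SHA-1 the password; the 5-char prefix goes over the wire, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Find our suffix in a range response ("SUFFIX:COUNT" per line); 0 if absent.

    With the Add-Padding header the service pads the response with decoy
    suffixes carrying a count of 0, so a zero count means "not pwned".
    """
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix (not used by the offline test)."""
    req = urllib.request.Request(
        API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Breach count for the password; the fetch argument lets a test supply a canned response."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed range body for prefix 5BAA6 (SHA-1 of "password" starts with
# 5BAA6).  The counts are invented; the last line imitates a padding entry.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2B9AF25E4B6A5E2B7A0DB3C67A7C7E1A4F2:0
"""

if __name__ == "__main__":
    import getpass
    n = pwned_count(getpass.getpass("password to check: "))
    print(f"seen {n} times in breaches" if n else "not in the Pwned Passwords corpus")
```

Because only five hex characters leave your machine, the service learns nothing useful about the password: several hundred real hashes share every prefix, and the matching is done on your side.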

So?  Did you find your passwords have been breached?

22 days of security

Recently Microsoft paused the rollout of the Windows 10 fall feature update due to data loss bugs. This is just the latest in a string of patch quality issues that leaves me concerned.

Ed Bott and Mary Jo Foley have added to the choir of voices asking Microsoft to slow down and focus on quality, not quantity. I remember a time, years ago, when patches came out at any time of day and I had to review whether I was at risk of attack, consider installing updates at lunchtime, and reboot our office server to ensure that I was protected. Now we are at a point where no prudent person alive would install updates on the day they come out. Even worse, most prudent folks are waiting at least a week or longer. That makes me very paranoid that we are going to have a very bad security issue arise because we aren’t patching.

In patching there is a point in time where the risk of installing the patch, side effects included, becomes less than the risk of the attack the patch protects you from. That point in the middle, where the scale tips from patch pain to risk of attack, is the right time to install updates. Microsoft tries to be the system administrator for every home user and any small (or even medium) business that relies on Microsoft Update for its updates.
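To make that tipping point concrete, here is an added example (not from this post) that writes the trade-off down as a policy: a security update goes on once it has aged past a per-severity waiting period, anything already exploited in the wild goes on immediately (WannaCry was exactly this case, a patch two months old and an exploit in active use), and an update with credible data-loss reports is held until the vendor re-issues it. The waiting periods and the sample update queue are constructed; only the MS17-010 entry refers to a real update, and it is there to show the exploited-in-the-wild override.

```python
"""Decide when a pending update crosses from "wait" to "install" (added example)."""
from dataclasses import dataclass
from datetime import date

# Assumed policy: days to let early installers surface regressions before a
# security update of each severity goes on.
WAIT_DAYS = {"critical": 7, "important": 14, "moderate": 30, "low": 30}
FEATURE_UPDATE_WAIT_DAYS = 120     # assumed: feature releases wait a full quarter


@dataclass
class Update:
    name: str
    released: date
    kind: str                        # "security" or "feature"
    severity: str = "low"            # vendor rating; only used for security updates
    exploited_in_wild: bool = False  # attack risk is no longer hypothetical
    data_loss_reports: bool = False  # credible reports of data loss or unbootable systems


def decision(u: Update, today: date) -> str:
    """'install', 'wait' or 'hold' for one update on a given day."""
    age = (today - u.released).days
    if u.kind == "security" and u.exploited_in_wild:
        # Attack risk dominates: patch now (take a backup first, not instead).
        return "install"
    if u.data_loss_reports:
        # Patch pain dominates until the vendor re-issues a fixed build.
        return "hold"
    wait = FEATURE_UPDATE_WAIT_DAYS if u.kind == "feature" else WAIT_DAYS.get(u.severity, 30)
    return "install" if age >= wait else "wait"


def schedule(updates, today: date) -> dict:
    """Map each update name to its decision for the day."""
    return {u.name: decision(u, today) for u in updates}


# Constructed queue as of 16 October 2018.  MS17-010 is the real update that
# closed the SMBv1 hole EternalBlue exploits; the KB-example entries are invented.
PENDING = [
    Update("MS17-010 (SMBv1)", date(2017, 3, 14), "security", "critical",
           exploited_in_wild=True),
    Update("Windows 10 fall 2018 feature update (1809)", date(2018, 10, 2), "feature",
           data_loss_reports=True),
    Update("KB-example-critical", date(2018, 10, 9), "security", "critical"),
    Update("KB-example-important", date(2018, 10, 9), "security", "important"),
]
TODAY = date(2018, 10, 16)

if __name__ == "__main__":
    for name, what in schedule(PENDING, TODAY).items():
        print(f"{what:8} {name}")
```

The point of writing the policy down is that the waiting period becomes a deliberate choice with an end date, rather than "I’ll get to it", which is how WannaCry found so many unpatched machines.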

As we come up to the 15-year anniversary of Microsoft’s move to a second-Tuesday security patch release, I honestly feel that patches have less quality than before. It’s time for Microsoft to slow down the feature release process and focus on quality, not quantity.

31 days of security

October is National Cybersecurity Awareness Month, and because accounting and security go hand in hand, I’m going to post a cybersecurity tip every day for the month of October.

The first tip is based on a 2004 FBI tip on identity theft:

https://archives.fbi.gov/archives/news/stories/2004/october/preventidt_102104

14 years ago the FBI recommended the following:

DO:

  • Order a copy of your credit report each year from one of the national credit bureaus and review it closely for any questionable entries;
  • Shred or cut up all credit card receipts and old bank statements and bills before throwing them away;
  • Close all unused credit card or bank accounts;
  • Remove your name from mailing lists for pre-approved credit lines and telemarketers;
  • Keep your PIN number hidden when you use an ATM or public telephone;
  • Contact your creditor or service provider if you notice odd charges or if expected bills don’t arrive;
  • Update your computer virus software, use a secure browser, and install a firewall program

And 14 years later, about all I can say is that I’ve not found a good way to remove your name and phone number from telemarketer lists. I’d add one suggestion to this list: sign up for Informed Delivery from the post office. It sends you an email each day showing what mail is expected. I also have a camera at my door to watch for “porch pirates”, folks who steal packages off your front porch. Bottom line: be aware of what transactions post to your accounts and review them on a regular basis.

 

Got Windows 7?

For those of you with computers still running Windows 7 or Windows 8, be aware that Microsoft will begin pushing an upgrade to Windows 10 in 2016. You may have seen an icon in your system tray and various pop-ups indicating that you could download the free upgrade. Our IT manager here at the office, Susan Bradley, is recommending the upgrade for those running Windows 8 and 8.1, but not if your computer was originally purchased with Windows 7. While the free upgrade is compelling, her concern is that older printers won’t work as well with the newer software and that software you have may not be compatible with the upgrade. Up to now one could ignore the icon in the system tray, but in 2016 Windows 10 will be reclassified as a recommended update. To make sure you stay on Windows 7 if that is what you run, there is a third-party tool that blocks the Windows 10 offer. The software is called GWX Control Panel and can be downloaded from http://ultimateoutsider.com/downloads/GwxControlPanelSetup.exe

 

If you’d like to read more about Windows 10 and what this blocking software does, you can read about it here: http://blog.ultimateoutsider.com/2015/08/using-gwx-stopper-to-permanently-remove.html  If you need help with issues after the Windows 10 upgrade, should you decide to take Microsoft up on the free offer, or if you decide you want to block the upgrade, please feel free to contact Susan at sbradley@tshb.com or call her at the office at 252-8585. She can assist you remotely.

End of the year tax planning

As we come up to the official end of the 2011 tax season, that is, the filing of the extended tax returns, it’s a reminder that you need to start thinking about how to reduce your taxes for 2012. Since this is an election year, it brings more questions about what might change before the end of the year.

Living in America we tend to take elections for granted. They are noisy, long and drawn out, but they don’t cause the great upheaval that occurs in other countries. I urge you to vote for your candidate this year. Making your voice heard in this simple step at the ballot box is important to our businesses and our pocketbooks.