Back to Top

Tech, Web, Cloud & Cabling Services

Category: Security

Security Category

Old Windows PCs can stop WannaCry ransomware with new Microsoft patch

In a rare step, Microsoft published a patch for Windows XP, Windows Server 2003 and Windows 8

Users of old Windows systems can now download a patch to protect them from this week’s massive ransomware attack.

In a rare step, Microsoft published a patch for Windows XP, Windows Server 2003 and Windows 8 — all of them operating systems for which it no longer provides mainstream support.

Users can download and find more information about the patches in Microsoft’s blog post about Friday’s attack from the WannaCry ransomware.

The ransomware, which has spread globally, has been infecting computers by exploiting a Windows vulnerability involving the Server Message Block protocol, a file-sharing feature.

Computers infected with WannaCry will have their data encrypted, and display a ransom note demanding $300 or $600 in bitcoin to free the files.

Fortunately, Windows 10 customers were not targeted in Friday’s attack. In March, Microsoft patched the vulnerability that the ransomware exploits — but only for newer Windows systems. That’s left older Windows machines, or those users who failed to patch newer machines, vulnerable to Friday’s attack.

Researchers originally believed the ransomware was spread through attachments in email phishing campaigns. That no longer appears to be the case.

Infection attempts from the WannaCry ransomware.

Once a vulnerable PC becomes infected, the computer will attempt to spread to other machines over the local network as well as over the internet. The ransomware will specifically scan for unpatched machines that have the Server Message Block vulnerability exposed.

Businesses can prevent this by disabling the Server Message Block protocol in vulnerable PCs. They can also use a firewall to block unrecognized internet traffic from accessing the networking ports the Server Message Block uses.

Fortunately, Friday’s ransomware attack may have been contained. A security researcher who goes by the name MalwareTech has activated a sort of kill-switch in WannaCry that stops it from spreading.

As a result, over 100,000 new infections were prevented, according to U.K.’s National Cyber Security Centre. But experts also warn that WannaCry’s developers may be working on other versions that won’t be easy to disable.

“It’s very important everyone understands that all they (the hackers) need to do is change some code and start again. Patch your systems now!” MalwareTech tweeted.

Unfortunately, the kill-switch’s activation will provide no relief to existing victims. The ransomware will persist on systems already infected.

Friday’s ransomware attack appears to have spread mainly in Europe and Asia, with Russia among those nations hardest hit, according to security researchers.

Security experts are advising victims to wait before paying the ransom. It’s possible that researchers will develop a free solution that can remove the infection.

Have questions?

Get answers from Microsofts Cloud Solutions Partner!
Call us at: 856-745-9990 or visit: https://southjerseytechies.net/

South Jersey Techies, LL C is a full Managed Web and Technology Services Company providing IT Services, Website Design ServicesServer SupportNetwork ConsultingInternet PhonesCloud Solutions Provider and much more. Contact for More Information.

To read this article in its entirety click here.

10 reasons why you shouldn’t upgrade to Windows 10

The end of Microsoft’s free Windows 10 upgrade offer is right around the corner. But while Windows 10 is great, there are valid reasons to reject it.

windows-7-to-windows-10

An offer you can refuse

The clock is ticking, folks. If you want to upgrade to Windows 10 for free, you only have until July 29, 2016 to do so. And most people should! Windows 10 is the best Windows yet, chock full of handy new features, sleek under-the-hood improvements, andheadache-killing extras.

But it’s not for everybody. There are some very real, very valid reasons not to upgrade to Windows 10.

If you’re on the fence about whether to accept or reject Microsoft’s freebie, read on for some concrete justifications for staying put.

windows-media-center

No Windows Media Center or DVD support

Before we dig into the meatier stuff, let’s take a look at what you’ll potentially give up if you upgrade to Windows 10, starting with some robust media playback options.

Windows 10 kills Windows Media Center off completely, after Windows 8 pushed it into a dark corner. There’s a reason for that: Windows Media Center is fairly niche, and not a lot of people use it. But if you do, you won’t want to upgrade to Windows 10 unless you’re prepared to dive into alternatives like Kodi, Plex, and DVR workarounds.

Oh, and if you’re on Windows 7, be aware that Windows 10 doesn’t offer native DVD playback, though there are no-cost alternatives you can use.

windows-gadgets

No desktop gadgets or widgets

Likewise, if you’re a big fan of Windows 7’s gadgets and widgets for the desktop, they aren’t available in Windows 10. Which is good, because they’re horribly insecure. Whether you choose to stay on Windows 7 or upgrade to Windows 10, you’d probably be better off using Rainmeter’s seriously slick interactive desktop software.

onedrive

No OneDrive placeholders

Windows 8.1 offered a handy feature for hardcore OneDrive users: placeholders. Placeholders showed everything stored in your OneDrive account in the Windows 8.1 file system, but only downloaded files to your PC when you opened them. It was a wonderful way to stay on top of your cloud-stored files without downloading all of them to every Windows device you logged into with your Microsoft account, especially if you’ve stashed dozens of gigabytes’ worth of stuff into OneDrive.

Unfortunately, users found it confusing, and Microsoft ripped placeholders out of Windows 10. There are hints that a similar feature may make an appearance someday, but it hasn’t yet, so if placeholders are a must-have feature for you, you’ll want to avoid upgrading to Windows 10. The new operating system’s less granular selective sync options just aren’t the same.

windows-10-updates

No control over Windows Updates

Aaaaaand here’s the biggie. Windows 10 utterly eradicates the ability to manually control your system updates. Windows 10 Pro will let you defer updates for a few months, but that’s the extent of it. If Microsoft pushes out an update, your system willinstall it eventually (though identifying your Wi-Fi connection as “metered” lets youchoose when updates download, at least).

This isn’t a big deal for people who stuck with Windows 7 and 8’s default Windows Update options, which downloaded patches automatically. But if you like to control your own update destiny, this could be a showstopper.

privacy

Privacy concerns

That segues nicely into another controversial Windows 10 “feature.” Microsoft’s new operating system tracks you far more closely than previous versions of Windows, especially if you use the express settings during the initial setup. The search bar utilizes Cortana, Windows 10’s digital assistant, and sends all your queries to Microsoft servers. Your Windows Store app usage is tracked for ad targeting. Windows 10 tracks your typing, location, Edge browser behavior, program installations and more.

It’s a lot. To be fair, a lot of the concern roaring around this is overblown; most of Windows 10’s potential privacy concerns can be disabled. But there’s no way to turn off some of the telemetry data Windows 10 collects about your system and beams back to the mothership. Microsoft executives don’t consider this a privacy issue. If you do, Windows 10 isn’t for you.

get-office-windows-10-pop-up

Ads and more ads

Windows 10 doesn’t only track your Windows Store app usage for improved ad targeting; it frequently pushes ads of its own at you. By default, you’ll see pop-up notification ads imploring you to get Skype or Office (even if you have Office), ads for suggested Windows Store apps slipped into your Start menu, and even occasional full-screen lockscreen ads for high-profile Windows Store releases.

I loathe the idea that my paid-for operating system—and yes, Windows 10 isn’t truly free—is pushing ads in my face. Fortunately, all of the offenders can be disabled. But doing so requires diving into arcane system settings located in different far-flung corners of the operating system.

 windows-10-full-screen-prompt

Microsoft’s aggressive upgrade tactics

Microsoft’s been acting pretty shady in its aggressive quest to push Windows 7 and 8 users to Windows 10, employing unstoppable pop-ups, malware-like tactics, forced upgrades, intrusive full-screen takeovers, and nasty tricks to coax—and sometimes outright deceive—people into adopting the new OS. It eventually became so heavy-handed that some users have disabled Windows Updates entirely rather than suffer the barrage.

But you know that. If you’re still considering upgrading to Windows 10, you’ve lived through it.

None of that detracts from Windows 10’s underlying awesomeness. But it may have detracted from your desire to upgrade to Windows 10—and rightfully so. If you’re unhappy with Microsoft’s ethics and tactics in handling Windows 10 upgrades, you’re well within your rights to stay put where you’re at.

windows-xp-mode-windows-7

Software compatibility

In the wake of those forced upgrades, dozens and dozens of readers reached out to me with tales of woe, many revolving around software that simply doesn’t work with Windows 10. As my colleague Glenn Fleishman recently pointed out at Macworld, old software isn’t inherently bad software—but some of it won’t work in Windows 10.

If you rely on particular pieces of software, do a quick Google search to make sure they’ll work in Windows 10 before you upgrade. Office 2003—the last pre-Ribbon UI Office—isn’t compatible, for instance, nor is software that requires the use of Windows 7’s “XP Mode” compatibility, which isn’t available in Windows 10. Microsoft’s upgrade advisor is supposed to let you know if any software won’t work with Windows 10, but users report that it isn’t very reliable. Doing some homework now could save you some big headaches in the future.

printers

Hardware compatibility

Similarly, you’ll want to make sure Windows 10 works with your PC, too. No matter whether you’re running Windows 7 or Windows 8.1, I’d recommend running Microsoft’s hardware compatibility tool to scan your system. To do so, open the Get Windows 10 app—the taskbar icon that’s been tossing out all the upgrade pop-ups—and click on the compatibility report option.

But wait! That’s not all. The tool only checks your core PC reliably. Some people who upgrade to Windows 10 discover that their hardware peripherals won’t work, particularly older printers and scanners. If you have any aging peripherals connected to your PC, be it a printer or a beloved keyboard, I’d again suggest conducting some quick Google searches to ensure your gear won’t become paperweights if you decide to upgrade.

 windows-10-samsung-laptop

Ain’t broke, don’t fix it

This final reason applies more to people who resist change or aren’t very technically savvy. Yes, Windows 10 is stellar and absolved Windows 8’s worst sins. Getting used to the new operating system shouldn’t be too difficult for many PC users—but the transition isn’t entirely seamless. From Cortana to the introduction of the Edge browser to the radically new-look Start menu, and Windows 10’s evolution into being a more cloud-centric operating system, there are some big changes you’ll need to wrap your head around.

Do Windows 10’s new features and under-the-hood improvements make upgrading worthwhile? I think so. But if you aren’t comfortable dealing with changes on your computer, you might want to stay put. I know several less technically inclined people who paid technicians to revert their PCs to Windows 7 after they couldn’t wrap their heads around Windows 10.

Conversely, if you’ve perfected your workflow on your current operating system and don’t see much benefit in marquee Windows 10 features such as Cortana, the Windows Store, DirectX 12, and virtual desktops, it may not be worth the hassle to switch over to Windows 10.

Have questions?

Get answers from Microsofts Cloud Solutions Partner!
Call us at: 856-745-9990 or visit: https://southjerseytechies.net/

South Jersey Techies, LL C is a full Managed Web and Technology Services Company providing IT Services, Website Design ServicesServer SupportNetwork ConsultingInternet PhonesCloud Solutions Provider and much more. Contact for More Information.

To read this article in its entirety click here.

 

Disabling SSL 3.0 Support on Your Server (POODLE Configuration)

 

Due to a critical security vulnerability with SSL 3.0  (an 18-year-old, outdated technology), we recommend disabling it on your server. We have instructions on how to do that in the Updating section but recommend reading the entire document to understand the scope of what this does.

What does POODLE do?
In short, it’s a way attackers can compromise SSL certificates if they’re on the same network as the target if (and only if) the server the target is communicating with supports SSL 3.0.

Google has a lot more detail on their security blog here.

Does POODLE affect my server/sites?
Because POODLE is a vulnerability in SSL technology, it only impacts sites using SSL certificates. If your server or your sites don’t use an SSL certificate, you don’t need to update your server. However, we recommend doing it now in case you do end up installing an SSL certificate at a later date.

Updating
How you update your server depends on whether your server uses a Linux® distribution or Windows® and if it uses cPanel.

cPanel

cPanel requires slightly different steps from any other control panel/operating system configuration.

To Configure cPanel to Prevent POODLE Vulnerability on HTTP

1. Log in to your cPanel (more info).
2. In the Service Configuration section, click Apache Configuration.
3. Click Include Editor.
4. In the Pre Main Include section, from the Select an Apache Version menu, select All Versions.
5. In the field that displays, type the following, depending on which version of CentOS you’re using:

CentOS Version Type this…
Cent OS/RHEL 6.x
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
Cent OS/RHEL 5.x
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1

If you encounter errors while applying this update, please review this forum post at cPanel that discusses potential fixes.

6. Click Update.

Preventing POODLE on Other Protocols (FTP, etc.)

Right now, only servers using RHEL can protect themselves against POODLE on non-HTTPS protocols. They can do this by updating the latest version of OpenSSL, and then implementing TLS_FALLBACK_SCSV.

Servers using CentOS do not yet have a known fix for the vulnerability on non-HTTPS protocols. However, we will update this article with those instructions as soon as we do.

Linux (Apache)

Modify your Apache configuration to include the following line:

SSLProtocol All -SSLv2 -SSLv3

For more information on how to do that, view Apache’s documentation.

Windows (IIS)

Modify your server’s registry (which removes access SSL 3.0 support from IIS) using Microsoft’s document here. You can jump down to the Disable SSL 3.0 in Windows section.

Hillary Clinton’s infamous email server: 6 things you need to know

Hillary Clinton’s use of a private email server when she served as US secretary of state has been a major issue for the 2016 presidential candidate. Here are the six most critical facts about it.

hillary_clinton3_3_3

The FBI recently wrapped up its investigation into Hillary Clinton’s use of a personal email server while she was serving as secretary of state. FBI director James Comey called the actions “extremely careless,” but recommended that no charges be brought against Clinton.

She is now the presumptive Democratic nominee for the upcoming presidential election in November, and her actions relative to the email server have become a hot-button issue among her opponents. The situation, however, is nuanced; and there are a lot of details to understand about the scenario. Here are the most important facts.

1. What happened?

While serving as secretary of state under President Barack Obama, Hillary Clinton used multiple private email servers to communicate regarding government business, according to the State Department. Additionally, it was revealed that Clinton never had a government (.gov) email address while she was serving in her post—we’ll talk about which email address she used in a moment—and her aides did not take any actions to preserve the emails sent through her personal account. This prompted an investigation by the FBI to determine if Clinton intentionally put classified information at risk.

2. Why does it matter?

Clinton handed over 30,000 emails to the State Department, of which 110 contained classified information at the time they either were sent or received, according to the FBI’s findings. During the investigation, though, Clinton asserted that none of the emails she sent or received were classified at the time. The biggest implication has been the potential threat to national security. While the contents of the emails have not fully been released, if they had contained sensitive information it could have possibly fallen into the wrong hands. As noted by the New York Times, Comey said it was “possible” that enemy foreign governments had accessed Clinton’s personal email account.

The second biggest implication is that of transparency. The Federal Records Act requires that all communication in certain branches of government be recorded on government servers, and it forbids the use of a personal email account for government business, unless those emails are then copied and archived. However, there are a lot of technicalities involved, and there is evidence that other government officials had violated the act. As Alex Howardwrote for the Sunlight Foundation, there is also evidence that Clinton tried to control the discoverability of the emails under the Freedom of Information Act (FOIA), which could set a precedent for limiting public access to government records. It is also believed that Clinton deleted 31,000 emails deemed personal in nature before turning the emails over to the State Department.

3. When did it start?

When she was appointed secretary of state in 2009, Clinton began using the email address hdr22@clintonmail.com, tied to a personal server. Clinton’s personal email server was first discovered in 2012, by a House committee investigating the attack on the American Consulate in Benghazi. In 2013, hacker Guccifer claimed to have accessed Clinton’s personal email account and released emails that were allegedly related to the Benghazi attack.

The next year, in the summer of 2015, the State Department began asking Clinton for her emails correspondence, and she responded by delivering boxes containing more than 30,000 printed emails. In early 2015, the New York Times reported that Clinton had been using her personal email exclusively, and never had a government email address. A federal watchdog group issued an 83-page report condemning the “systemic weaknesses” of Clinton’s email practices in May. On Tuesday, the FBI concluded its investigation and recommended against any charges.

4. What tech was used

When Clinton was running for president in 2008, she had a private server installed at her home in Chappaqua, New York. The domains clintonemail.com, wjcoffice.com, and presidentclinton.com, which were registered to a man named Eric Hoteham, all pointed to that server. In 2013, a Denver-based IT company called Platte River Networks was hired to manage the server, but wasn’t cleared to work with classified information. The company executivesreceived death threats for taking on the contract. It was later discovered that multiple private servers were used for Clinton’s email.

Clinton used a BlackBerry phone to communicate during her tenure as secretary of state, including sending and receiving emails through her private server in New York. The State Department expressed concern about the security of the device. Clinton had requested the NSA provide a strengthened BlackBerry, similar to the one used by President Obama. But, her request was denied. Instead, the NSA requested that Clinton use a secure Windows Phone known as the Sectera Edge, but she opted to continue using her personal BlackBerry.

5. Will she be prosecuted?

Right now, it’s too early to tell whether or not Clinton will be charged for her use of private email servers. While Comey’s recommendation that no charges be brought will likely weigh in the decision, it is ultimately up to the US Department of Justice to make the call. However, a recent Politico analysis of multiple, similar cases spanning the past 20 years, seem to point to an indictment being “highly unlikely.” According to a former senior FBI official quoted in the analysis, the Justice Department tends to avoid prosecution in cases that are not “clear-cut.”

6. What can businesses and IT leaders learn?

The first lesson that IT can learn from this situation is that transparency is critical, at all levels in your business. This isn’t to say that the CEO should be broadcasting his or her emails to all employees every week, but steps should be taken to ensure that information can be accessed if need be. As part of adigital leak protection program, security expert John Pironti said that organizations need to know if users are using a personal email account to conduct business.

“This behavior is often a violation of acceptable use policies and can expose an organization’s sensitive information to unsecured systems and e-mail accounts,” Pironti said. “Without this visibility an organization may not be aware that their intellectual property, customer data, or sensitive data assets are not being protected appropriately and they also may be in violation of contractual agreements with their clients regarding the security of their data as well as regulatory requirements.”

The second takeaway for IT is that policies should be enforced from the top down. Sure, a CXO may get their support tickets expedited, but that doesn’t mean that exceptions should be made that could compromise the security or integrity of the organization for the sake of comfort or convenience. Leaders should model the policies that are in place to showcase the importance of adhering to them, especially regarding security and privacy policies.

Finally, the importance of records management should not be overlooked. In Clinton’s case, since multiple servers were used, the FBI had to piece together “millions of email fragments” before they could look into them. Proper labeling and management of all records will make for a more cohesive environment and assist in accountability.

Have questions?

Get answers from Microsofts Cloud Solutions Partner!
Call us at: 856-745-9990 or visit: https://southjerseytechies.net/

South Jersey Techies, LL C is a full Managed Web and Technology Services Company providing IT Services, Website Design ServicesServer SupportNetwork ConsultingInternet PhonesCloud Solutions Provider and much more. Contact for More Information.

To read this article in its entirety click here.

Wi-Fi-enabled ‘Hello Barbie’ records conversations with kids and uses AI to talk back

Today, Mattel released Hello Barbie, a WiFi-enabled doll that detects language and ‘talks back.’ But how will this high-tech toy impact real-life relationships?

Hello-barbie

She wears black flats, a motorcycle jacket, and skinny jeans. Her curly, bleach-blonde hair falls just past her shoulders. She has a permanent smile and large blue eyes. And, when you talk to her, she listens.

But this young woman isn’t an ordinary friend. “Hello Barbie” is less than a foot tall, weighs just under two pounds, and is made of plastic. And she is on sale for $74.99.

Mattel’s latest Barbie, marketed for children six and up, has just hit the shelves. She is unlike any doll before her—not only does she listen, but she can talk back.

To get started, kids simply download the Hello Barbie companion app. And to turn her on, you push a button on her silver belt buckle. Hello Barbie’s necklace is both a recorder and a microphone. Using WiFi, the jewelry will pick up a child’s questions and conversations—and transmit them back to a control center for processing. Speech-recognition software, operated through ToyTalk, will detect the input. Then, Hello Barbie will reply, using one of 8,000 pre-programmed lines. Examples include:

  • You know, I really appreciate my friends who have a completely unique sense of style…like you!
  • Here’s what’s up: I’m worried my sister Stacie is having a hard time finishing her homework. Does that ever happen to you?
  • I think Santa is real. There’s something very magical about the holiday season and I think he helps bring that magic to all of us!
  • So if you were planning the biggest, raddest, most unforgettable party of the year, what would it be like?
  • Of course we’re friends! Actually, you’re one of my best friends. I feel like we could talk about anything!

Hello Barbie’s dialogue, while perky and fashion-focused, reflects an attempt by Mattel to create a more well-rounded character than in the past. In 1992, Mattel pulled its string-operated Teen Talk Barbie from shelves after being criticized by The American Association of University Women for the inclusion of an unfortunate line: “math class is tough.” It is no mistake that Hello Barbie’s lines includes: “Oh nice! Fun with numbers! Teaching math sounds like a lot of fun. What kinds of things would you teach—Counting? Addition? Subtraction?”

Still, the implication that Barbie is being sold as a ‘friend’ is unsettling. “Hello Barbie can interact uniquely with each child by holding conversations, playing games, sharing stories, and even telling jokes!” boasts Mattel’s website. Hello Barbie, claims Mattel, is “Just like a real friend. [She] listens and remembers the user’s likes and dislikes, giving everyone their own unique experience.”

But is she really listening?

While Barbie may appear to listen and respond, “pretend empathy is not empathy,” said Sherry Turkle, professor at MIT and author of Reclaiming Conversation. Turkle worries about how children will understand their new ‘friend.’

“They are drawn into thinking that pretend empathy is the real thing,” said Turkle. “But objects that have not known the arc of a human life have no empathy to give. We put our children in a compromised position.”

Beyond the social implications of the doll, the capabilities of the recording technology raise privacy issues.

Using Hello Barbie involves recording voice data (see the privacy policy here) and requires parental consent. However, Mattel states that “parents and guardians are in control of their child’s data and can manage this data through the ToyTalk account.” The company also states that the recordings are protected under the “Children’s Online Privacy Protection Act,” and recordings containing personal information will be deleted once they “become aware of it.”

Still, the potential for misuse of this private data is a legitimate concern. “Obviously it is a security and privacy nightmare,” said Roman Yampolskiy, director of the Cybersecurity Lab at the University of Louisville. “[The] company [is] collecting data from kids—hackers [could be] getting access to private info.”

However, like Turkle, Yampolskiy is “more concerned about social development of the children interacting with it.”

“We are basically running an experiment on our kids and have no idea if it will make them socially awkward, incapable of understanding body language, tone of voice and properly empathize with others,” he said.

It all raises the question of what is meant, exactly by ‘real’ conversation? Turkle said, “Why would we take such risks with something so delicate, so crucial: Our children’s ability to relate to each other as human beings?”

Despite concerns, Hello Barbie is here, being shipped to homes across the globe beginning today. She is being turned on, spoken to, and listened to. And when children are finished with her, she is shut down, stood on a charger (Hello Barbie cannot stand on her own) and charged back up.

When she is turned on again, Barbie might ask: “Did you miss me at all?”

“Not even an itsy bitsy, eensy weensy bit?”

How children will respond remains to be seen.

Mattel did not respond to repeated requests for comment for this story.

Have questions?

Get help from IT Experts/Microsofts Cloud Solutions Partner
Call us at: 856-745-9990 or visit: https://southjerseytechies.net/

South Jersey Techies, LLC is a full Managed Web and Technology Services Company providing IT Services, Website Design ServicesServer SupportNetwork ConsultingInternet PhonesCloud Solutions Provider and much more. Contact for More Information.

To read this article in its entirety click here.

What You Need to Know About the Big Chip Security Problem

According to Intel Corp.,most of the processors running the world’s computers and smartphones have a feature that makes them susceptible to hacker attacks. The chipmaker, working with partners and rivals, says it has already issued updates to protect most processor products introduced in the past five years, but the news sparked concern about this fundamental building block of the internet, PCs and corporate networks.

The revelation of the so-called Meltdown and Spectre vulnerabilities spurred a scramble among technology’s biggest players, from Apple Inc. to Amazon.com Inc., to enact fixes and reassure customers they were on top of the problem.

1. What’s the problem?

Modern processors guess what they’ll have to do next and fetch the data they think they’ll need. That makes everything from supercomputers to smartphones operate very fast. Unfortunately, as Google researchers discovered, it also provides a way for bad actors to read data stored in memory that had been thought to be secure. In a worst-case scenario, that would let someone access your passwords.

2. How bad is it?

The vulnerability won’t stop your computer working and doesn’t provide an avenue for hackers to put malicious software on your machine. Though it could put important data at risk, there’s been no report so far of anyone’s computer being attacked in this manner. More broadly, though, the new fears could undermine longtime assurances that hardware and chip-level security is more tamper-proof than software.

3. How was it discovered?

The weakness was discovered last year by folks Google employs to find such issues before the bad guys do. Usually, solutions are developed in private and announced in a coordinated way. This time the news leaked before the companies involved had a chance to get a fix in place.

 

 

4. What’s being done to fix it?

Chipmakers and operating system providers, such as Alphabet Inc.’s Google and Microsoft Corp., are rushing to create software patches that will close the potential window of attack. Intel said that it expects to have issued updates for more than 90 percent of recently introduced processor products. Amazon.com Inc. said “all but a small single-digit percentage” of its servers have already been protected. In a blog post, Google said its security teams immediately “mobilized to defend” its systems and user data. Some customers of Android devices, Google Chromebook laptops and its cloud services still need to take steps to patch security holes, the company said. Patches for Windows devices are out now and the company is securing its cloud services, Microsoft said in a statement.

5. Is this just an Intel problem?

No, though that seems to be what panicky investors initially thought. Intel says it’s an issue for all modern processors. But rival Advanced Micro Devices Inc. stated that its products are at “near-zero risk.” ARM Holdings, which has chip designs that support all smartphones, said that, at worst, the vulnerability could “result in small pieces of data being accessed” and advised users of its technology to keep their software up to date. Google fingered all three companies. Apple said all Mac computers and iOS devices — including iPhones and iPads — were affected, but stressed there were no known exploits impacting users and that steps taken to address the issue haven’t dented performance.

6. What will the fallout be?

Some computers, mostly older ones, could be slowed down by the software patches that will make them more secure. Intel said that in common situations software might be slowed down by as much as 3 percent or not at all. But in other rare situations, performance might be reduced as much as 30 percent. The company doesn’t expect any financial impact and said it thinks customers will keep buying. As the fixes haven’t been widely deployed yet, it’s unclear whether anyone will even notice or whether computer slowdowns will be widespread. Intel has only done lab tests.

10 Tips for CyberSecurity Recommended By The FCC

Cybersecurity is of paramount importance in today’s digital age as it plays a crucial role in safeguarding sensitive information, ensuring the privacy of individuals, and maintaining the integrity of critical systems and infrastructure. The Federal Communications Commission (FCC) in the United States recognizes the significance of cybersecurity and has provided recommendations and guidelines to help individuals, businesses, and organizations protect themselves from cyber threats. Here are some key points highlighting the importance of cybersecurity along with recommendations from the FCC:

 

  • Train employees in security principles – Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data. We offer Security Awareness Training as an option for continuous security training for staff.
  • Protect information, computers, and networks from cyber attacks – Keep clean machines: having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available. We offer Managed Services & Support as an option for preventing cyber-attacks.
  • Provide firewall security for your Internet connection – A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall. We offer a Managed Network Services & Support as an option for firewall security.
  • Create a mobile device action plan – Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment. We offer Mobile Device Management as an option for a mobile device action plan.
  • Make backup copies of important business data and information – Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly and store the copies either offsite or in the cloud. We offer various Backup & Recovery Solutions as an option for business continuity & disaster.
  • Control physical access to your computers and create user accounts for each employee – Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel. We offer Multi-Form Authentication Solutions as an option for computer login security.
  • Secure your Wi-Fi networks – If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router, so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router. We offer Managed Network Services & Support is an option for Wi-Fi security.
  • Employ best practices on payment cards – Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet. Risk Intelligence is an option we offer to identify potential vulnerabilities.
  • Limit employee access to data and information, limit authority to install software – Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission. We offer Network & Security Assessments that can scan data repositories for user permissions, security and much more.
  • Passwords & authentication – Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data to see if they offer multi-factor authentication for your account. We offer Cloud Security Assessments which are used to ensure proper password & security practices are in place.

Download the 10 Tips Below

SJT-QR-CyberSecurity-10 Tips

If you have any questions, please email us at support@sjtechies.com or call us at (856) 745-9990.

Quick Reference CyberSecurity Guide

In today’s digital age, cybersecurity is at the forefront of technology, both at the workplace and in our personal lives. With the increasing frequency and sophistication of cyber threats, it is essential that we all play a role in protecting sensitive information both business and personal.

 

To help you stay informed and vigilant about cybersecurity best practices, we have created a Quick Reference Guide for Cybersecurity to be shared with your users as a courtesy to better protect themselves from cyber threats and contribute to a safer digital environment.

Please Download Our Quick Reference Cyber Security Guide Below

Quick Reference CyberSecurity Guide

If you have any questions, please email us at support@sjtechies.com or call us at (856) 745-9990.

What Terms You Need to Know to Get Your Business GDPR-Ready

 

What Is EU GDPR? 

The EU GDPR is a law designed to protect and empower residents of the EU by guiding business usage of personal data. In essence, it is reshaping the way corporations handle personal data by controlling its collection, use, and storage. It will replace the regulations and frameworks of the existing 20-year-old directive (95/46/EC).

 

Who Is the GDPR Protecting and Empowering? 

The data subject: This is any individual that can be directly or indirectly identified or uniquely singled out in a group of individuals, from any stored data.

 

What Is the GDPR Protecting? 

Personal data: This is any information relating to an individual, whether in reference to their private, professional, or public life. It includes things like names, photos, email addresses, location data, online identifiers, a person’s bank details, posts on social networking websites, medical information, work performance details, subscriptions, purchases, tax numbers, education or competencies, locations, usernames and passwords, hobbies, habits, lifestyles, or a person’s computer’s IP address.

 

Who Is the GDPR Regulating? 

The data controller: This is the person who, alone or jointly with others, determines the purposes for, and means of, processing personal data. A data controller is not responsible for the act of processing (this falls to the data processor); they can be defined as the entity that determines motivation, condition, and means of processing.

Generally, the role of the controller is derived from the organization’s functional relation with the individual. That is, a business is the controller for the customer data it processes in relation to its sales, and an employer is the controller for the employee data they process in connection with the employment relationship.

 

Who Else Is the GDPR Regulating? 

Data processors: This is the person who processes personal data on behalf of the controller. Typical processors are IT service providers (including hosting providers) and payroll administrators. The processor is required to process the personal data in accordance with the controller’s instructions and take adequate measures to protect the personal data. The GDPR does not allow data processors to use the personal data for other purposes beyond providing the services requested by the controller.

 

What Does the GDPR Consider “Processing?” 

Processing refers to any operation or set of operations performed upon personal data, whether or not by automatic means—such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. Processing must be fair and lawful, although transparency is significantly strengthened. The processor may not use the personal data for their own purposes.

 

What Rights Do the Data Subjects Have? 

Under the GDPR, data subjects can request the following:

  • To be informed about the data processing
  • To consent to the processing of their personal data (opt in) or object to the processing of their personal data (opt out)
  • To obtain their personal data in a structured and commonly used format in order to transfer that data, in certain circumstances, to another controller (data portability)
  • To not be subject to fully automated data processing or profiling
  • To know what data is processed (right of access)
  • To correct where any data is incorrect
  • To have data erased under certain circumstances, for example, where the retention period has lapsed or where consent for the processing has been withdrawn (referred to commonly as the “right to be forgotten”) and to register a complaint with the supervisory authority

 

Other Key Elements to Consider in Preparing for GDPR

We’re not done yet. There are four more important elements to consider with GDPR as you become ready.

 

1) Data Breach Notification

For controllers, GDPR requires that breach notice must be provided, where feasible, within 72 hours of becoming aware of a breach; processors need to provide notice to controllers without undue delay. Any data breaches must be documented.

2) Data Minimization

This requires the level and type of data being processed to be limited to the minimum amount of data necessary. This requires you to ensure that the purpose in which the data is agreed and the purpose in which the data was collected are materially similar. The processors should ensure that individuals’ privacy is considered at the outset of each new processing, product, service, or application, and only minimum amounts of data are processed for the specific purposes collected and processed.

3) Data Pseudonymization

The GDPR defines pseudonymization as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” To pseudonymize data, the “additional information” must be “kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person.” In other words, it is a strategy designed to enhance protection and privacy for applicable identifying data.

Although similar, anonymization and pseudonymization are two distinct techniques that permit data controllers and processors to use de-identified data. The difference between the two techniques rests on whether the data can be re-identified.

4) Fair Processing of Personal Data

This requires the processing of personal data to be fair and lawful. Generally, only the level and type of data collected should be limited to the minimum amount of data necessary (see data minimization above). There are a number of methods in which the data may be processed, including: express consent (which may be withdrawn at any time), legitimate interest basis (the subject of which legitimacy may be challenged by the data subject), honoring obligations under the agreement with the data subject, or any other legal basis that may apply.

 

What We Can Do to Help

We know this information can be overwhelming, but taking the proper steps now will save you headaches later. SolarWinds provides products that can help you with getting ready. Our Risk Intelligence software is one of them, providing you with hard data on:

  • A business’ quantified financial risk
  • Personally identifiable information (PII)
  • Protected health information
  • Payment information located in storage
  • Access permissions for sensitive data

Search your ‘data at rest’ for risk areas and start the data mapping you need to get ready for GDPR.

National Cyber Security Awareness Month Tips

360px-US_Department_of_Homeland_Security_Seal.svg

October is National Cyber Security Awareness Month by Department of Homeland Security.

National Cyber Security Awareness Month encourages vigilance and protection by sharing tips and best practices in regard to how to stay safe.

Small businesses are a large target for criminals because they have limited resources dedicated to information system security.  Cyber criminals look for access to sensitive data.

Create a cyber security plan

The Federal Communications Commission offers a Cyber Planner for small businesses.  The planner guide allows specific sections to be added to your guide, including Privacy and Data Security, Scams/Fraud, Network Security, Website Security, Email, Mobile Devices, Employees, Facility Security, Operational Security, Payment Cards, Incident Response/Reporting and Policy Development/Management.

Generate a personalized Small Biz Cyber Planner Guide.

Establish Rules and Educate Employees

Create rules and guidelines for protecting information.  Educate employees on how to post online in a way that does not share intellectual property.  Clearly explain the penalties for violating security policies.

Network Protection

Deploy and update protection software, such a antivirus and antispyware software, on each computer within your network.  Create a regularly scheduled full computer scan.

Manage and assess risk

Cyber criminals often use small businesses that are less-protected to get to larger businesses.  Being a victim of a cyber-attack can have a huge impact on any business including financial issues, loss of possible business partner(s) and many more issues.

Download and install software updates

Installing software updates from vendors can protect your network for unwanted viruses and malware.  Vendors frequently release patches/updates for their software to improve performance and fine-tune software security.  (Example:  Adobe Reader, Adobe Flash and Java updates are critical for protection.)

Backup important business data and information

Create a backup plan for all data including documents, databases, files, HR records and accounting files.  A regularly scheduled backup can be a full, differential or incremental.

  • Full Backup:  Backup of all data.
  • Differential Backup:  Backup of all data that has changed since the last full backup.
  • Incremental Backup:  Backup of all data that has changed since the last full or incremental backup.

Control physical access

Protecting physical property is a very important role in protecting intellectual data.  Create a physical security plan to prevent unauthorized access to business computers and components. 

Secure Wi-Fi

Securing your Wi-Fi network consists of a few configurations.  Configure a device administrator password for your wireless access point (WAP) or router, require a password for Wi-Fi access and do not allow the WAP or router to broadcast the Service Set Identifier (SSID), also known, as network name.

 

CALL US NOW!