Ransomware Evil

I’m an avid reader of all things tech, and every one in a while an article comes along that is so brilliantly simple, its worth sharing.  Here’s the original article if interested in reading it.

8 tips for preventing ransomware

To sum up the article quickly, here are the 8 tips:

  1. Backup your files regularly and keep a copy off-site or offline
  2. Don’t enable macros
  3. Consider installing Microsoft Office viewers
    1. Turn on “disable internet macros” if running Office 2016
  4. Be very careful about opening unsolicited attachments
  5. Don’t give yourself more login power than necessary
    1. E.g. – Administrator is not required for normal operations
  6. Patch, patch, patch
  7. Train and retrain employees in your business
    1. Not really applicable to home users 🙂
  8. Segment the company network
    1. This works for home users as well

Protecting yourself isn’t really that hard to be honest.  It’s more behavior conditioning than anything else.  For instance, I’ve been around the block so many times with crap like this, I question everything that doesn’t seem right.  For a novice user, it’s the same method.  Say one day, you get an email from FedEx asking you to review an invoice.  Did you ship anything?  Does the logo look right?  Are URLs in the email going to the appropriate places (www.fedex.com/blahblah)?  If any of the answers are “No”, chances are its crap and will likely result in some nasty infection or ransomware.  Just delete it.

I’ve been running without commercial (paid) anti-virus/anti-malware software for more than 3 years now without a single infection.  You can too (looking at the McAfee and Norton users out there) with a little thought before blindly clicking a link.  If you do by some chance get encryption ransomware, the fact you had an offline/offsite backup of your data turns what could be an expensive proposition into one that only take a few hours of your time.  Just reformat, reinstall, and restore.

#ransomware

An open letter to Microsoft and HTC

The History

I’ve been using Microsoft Windows Phone (now Windows 10 Mobile) since the first release of the OS after the appalling Windows Mobile 6.5.  Here is a list of the mobile devices that I’ve owned, all running Windows Mobile:

  • Samsung Focus (Windows 7.x)
  • Nokia Lumia 920 (Windows 8.x)
  • HTC One M8 for Windows (Windows 8.x, 10 preview)

Current Status

It’s just been announced that at this point there is to be no update to Windows 10 Mobile for my HTC One M8 for Windows.  This is a technically superior phone to the Microsoft Lumia 640 (that’s getting the update btw) that I purchased mainly for the fact that the hardware would easily get me 3-5 years of efficient usage or more.  In fact, I’ve been running the Windows 10 Mobile Insider Preview for over 6 months without any major or minor issue found.  This is my daily driver AND is used for work as well through the BYOD program at my company.

The Rub

This says it all:  HTC M8 Is The Latest Windows Phone Model Not Getting Windows 10 Mobile

Open Letter to HTC

Dear HTC,

I’m disappointed that you have not stood by your products in the last several years.  You’ve developed some fantastic hardware that can easily be classified as flagship devices, however I’m concerned that you’re missing a huge market that I personally think is about to explode.  Supporting a device for two years is just that, supporting it.  Dragging your feet and delaying a response to customers on an upgrade, regardless of mobile OS, is just plain out manipulative.  At this point in time, I will never own another HTC device and will actively discourage family and friends from purchasing an HTC device.  I’m disappointed in you as a company.

Open letter to Microsoft

Dear Microsoft,

Our relationship goes back to Windows 3.0 on my Packard Bell 486.  I’ve continually used a system that has had OS’s from Windows 3.x, 9x, Me, 2000, NT, 7, 8 and now 10.  It was an easy decision for me to jump on the Windows Mobile wagon as everything I ever used was called Windows or was from Microsoft at some point in time or another.  After the announcement that the HTC One M8 would not be receiving Windows 10 Mobile, which at almost 2 years old is still superior to the Lumia 640, is very disappointing.  In fact, its downright shitty if I’m being honest.  It seems that it was based on Insider feedback, which I personally always answered honestly, usually positive though as I worked through the minor issues with certain apps or services.  A techie does that.

The fact that now you’re not supporting a large fan base and leaving them out to hang stuck with Windows 8.1 on hardware that can easily support Windows 10 Mobile isn’t a good move.  I’ve championed Windows 10 for both PC and Mobile and now am questioning your commitment to making the Mobile part even the least bit successful.  It would seem that you’re focusing on the business market, which is what Blackberry did, we all see how that ended up.

My plea

I urge you, HTC and Microsoft, release Windows 10 Mobile for the M8 and let the phone users decide if they want to upgrade.  The Insider Preview has been running on this device for months without a lot of issues (that I’ve seen at least), the least you can do is release a version that can be used.  I still have over a year before I can get a new phone and having to face that year on Windows Mobile 8.1 just sucks.

Fix it, or I’m going to Android.

References for this letter:

  1. Windows Insider
  2. Microsoft
  3. HTC

#android, #htc, #htc-one-m8, #microsoft, #windows, #windows-10-mobile

It’s not a matter of if, but when (Part II)

As promised, here is the second part of the post the other day. A disclaimer, these are only services and resources I’ve used in the past and found useful or appropriate for the situation at that time. I’ve noted the ones that I’m using currently and why I’m still using them despite more well known products or resources being available. The majority of what I’ve found in my experience is that online protection and security is more behavior (knowing what not to do or recognizing signs its bad stuff) rather than finding the right application to rely upon. What I’m using currently is an extension to my own experience and knowledge that helps when its not clear if I’m going down a road to something malicious.

Online Safety Resources

These are sites that I’ve come back to time and time again as resources to help people. Everyone has to realize that it’s their responsibility to keep themselves safe online because no one else is going to do it for you (unless you’re a child with proactive parents). The wife and I have consistently kept a lot of technology away from our daughter on purpose because we knew she wasn’t ready to 1) listen to our advice and 2) properly police herself online. A recent foray into YouTube that got her into some real-life videos with questionable content is a perfect example. She didn’t know enough to say “I shouldn’t be watching these” and close the application. The computer is now only allowed in open family space, no more in the bedroom with a closed door!

YouthSpark Hub (sponsored by Microsoft)

StaySafeOnline.org (sponsored by National Cyber Security Alliance)

Get Safe Online

Protection (Anti-Virus / Anti-Malware / Web Filtering)

Out of all the things that you can choose to passively keep yourself safe out there, these are the three that I highly recommend. They’re a good balance between protection and minimal resource impact on the machines you’re running them on. I’ll address each individually to make things easier.

Microsoft Internet Safety & Security Center

This is a combination service that includes Microsoft Security Center and Windows Defender that come bundled with Windows 8.x and Windows 10. It’s automatically enabled by default and if you don’t know that they’re there, you’re already protected to a certain extent. I like this application because it literally sits in the background and only reminds you its there when something bad is about to happen or your actions are going to trigger something bad. It would well despite some of the bad press online, however its free and capable at protecting the “macro” stuff.

Microsoft Family Safety

Probably one of the best services I’ve seen from Microsoft, this lets you create an account for your child with a password they select, yet let you watch/see/block anything you want. An amazingly easy interface, you create the Microsoft account while logged in with your account and authorize their account on only the devices you want them to be able to log onto. You have the ability to restrict their total time, the time frames they’re allowed to log on, as well as see everything they download/install/browse online. If a site shows up you don’t want them getting on, a quick click of “Block” next to the site will remove their ability to get to it via any browser. You can also block installations of certain applications (like Firefox or Chrome) forcing them to use IE or Edge so you can keep track of their online behavior. Instructions are easy and they take you through every step.

Sophos Home (anti-virus/anti-malware/web filtering)

I highly recommend this service due to the ease of use and quick setup. You create an account, then install the Sophos Home agent on every computer you want to protect (up to 10 for free). Each computer shows up individually by machine name (I change them to be specific, e.g., “DaughtersLaptop”) and lets you review their online activity. This is an added blocking defense for any site that they got to that Family Safety didn’t block for some reason. In addition to the web filtering, this is also an added anti-malware tool and has an extensive database of web sites that have been reported as having a bad reputation in regards to malware or virus activity. Simple installation and small footprint (less than 50MB of memory used when running), this passively watches in the background.

Passwords

I can’t stress enough how important it is to have strong, complex, and long passwords. A password using capital/lowercase letters, numbers, and special characters that is 8 characters long, can be cracked in about 6-8 hours @ 1,000 attempts/minute. The same type of password at 15 characters will take 2-3 years @ 1,000 attempts/minute. Once you add in non-standard characters, it could take decades to crack. It’s not a matter of making your password uncrackable (that’s impossible) but more a matter of making it so long to get it cracked that they move on to the poor guy that has decided to use “12345678”, “p@ssword1”, or “qwerty1234” as their password for their banking site. And please, don’t be a smart-ass and make it “passwordWITH1number”….. that’s just stupid.

I personally use LastPass and definitely utilize the password generator built into it for everything now. I can access my password database on all my devices including my mobile. The database is encrypted even in the cloud to the point where LastPass is unable to decrypt it should I happen to forget my master keycode. They also just released an authenticator application (numbers that sequence every 60 seconds) to allow for dual-factor authentication on sites that allow it. WordPress supports it 🙂

LastPass – Password Manager

Creating a strong password

How to Create a Strong Password (and Remember It)

How to Create a Super Strong Password (Infographic)

Well, there you have it, a lot of information to digest and absorb. It’s worth the read in my opinion as it holds true: “It’s not a matter of if, but when” you get hacked / you get a virus / you get malware / you get phished / etc. Stay safe out there!

#breach, #hacking, #internet, #lastpass, #mobile-2, #security

It’s not a matter of if, but when (Part I)

I received a letter from American Express yesterday.  It was nothing out of the ordinary as they send me crap all the time, but this was different.  The letter informed me that my information changed via a third party service sometime in January 2016.  Red flag.  The letter didn’t tell me that this was an ordinary or extraordinary action and in the 22 years I’ve had this card I’ve never had anything changed via a third party.  Red flag.  Upon calling them, I was informed of a potential breach in a third party system that American Express uses to update their credit files.  The letter was auto generated and was a result of a changed file.  My question “Why did I get a letter its changed as I’ve never received this before?” went unanswered.

This event triggered me to write about it, because I’ve yet to talk to someone that completely understands the extent of their threat exposure.  So here, a short list of items that I’m sure everyone has an account with or a device in their possession:

  • Mobile Devices:  mobile phones, wifi doorbells, wifi cameras, wifi baby monitors
  • WiFi Vehicles:  On-Star, Hyundai Assist, Ford Sync
  • Medical Devices:  pacemakers, defibrillators, insulin pumps
  • Social Engineering:  email, text messages, phone calls
  • Service Providers:  mobile phone companies, cable, phone, electric, gas, water

Every single one of the above items (its not an exhaustive list) has a component that can be breached and used to take advantage of unsuspecting people.  I’ve been in this industry for years and still see threat deltas that I’ve never seen before.  The potential that hundreds of thousands of people are even less aware is very real and the news tends to support that theory.  Here are some scenarios that may or may not fit:

  • Get a new WiFi router for your home and just plug it in and it works.  No changing of the default password, no wireless security (open), no update to the default factory settings that allows for internal device browsing, etc.
  • Get a new Android phone and start to build out your profile, download apps, etc.  You get a prompt to enter in your credentials for GooglePlay and blindly enter in your credentials because you think its for an app.  You don’t notice that you’re not prompted for a username/password ever for downloading apps (since it uses your Google account automatically) through official channels.
  • Connect your personal mobile device to a hotspot for internet access without reviewing the entire list of available networks.  Most places of business will display their wifi network name so you don’t connect to something malicious.  Ex – a wifi network will NEVER show up as “ad-hoc”, the ones that do are malicious almost in every case.

There are literally hundreds of thousands of articles and resources available if you want to learn more about protecting yourself.  I’m going to list a few of the more easier to understand resources in my next post.  Keep yourself safe online and the horror stories you see online will never be about you.

#breach, #hacking, #internet, #mobile-2, #security

Sweets, I hate you

American food manufacturers have spent the last 50 years perfecting delivery systems that lack any nutrition but taste fantastic.  Delivery systems in this context is a generalization of food that falls into the “processed” category.  You know, the high fructose this and the chemically derived isolates that make up almost all the food we eat today.  They’ve even started mucking with our fresh food too:  GMO’s for fruits and vegetables and grain/hormone/antibiotic laden meat.  It’s disgusting that what, if prepared from scratch (like an american classic cheeseburger) meal contains 300-500 calories, is instead topping the scales at 1,300 calories if purchased from McDonalds or Burger King.  I don’t eat that crap anymore.

Here are the things that I think are pure evil and I swear haunt my dreams on a nightly basis.  Be prepared, the food here is delicious and not easy to walk away from.

#3 – Entenmann’s Lemon PieLemonPie

This is a highly processed and manufactured piece of sweet delight.  No one, anywhere, could replicate this pastry if they tried.  This is an old picture, the pie now is exactly what was sold by Hostess (Entenmann’s purchased the rights).  I had one of these today, they were on sale at Wawa.  I’ve been so good lately that I didn’t want to deprive myself as it would have turned ugly.  Someone would have felt the lemon pie starved wrath that is my sweet tooth for sure!

ThinMints#2 – Girl Scout’s Thin Mints

The ONLY Girl Scout cookie that is worth its money in my opinion.  A chocolate covered mint chocolate cookie that is packaged in such a way that an entire sleeve can be consumed without you even realizing it.  I have forbidden these cookies from entering my house for the last two years and have only had a few from people at work when they’re offering me some (so they don’t feel guilty for almost eating a sleeve of course).

ChocBells#1 – Tastykake Chocolate Bells

If Hell had an official food, this would be it.  A creme filled cupcake is awesome enough on its own, but NOOOOO, Tastykake had up the anty, they covered it in chocolate.  OMG, a chocolate covered cupcake!  The guy that developed this idea I’m sure is sitting back in his McMansion thinking about how he got rich by covering a cupcake with chocolate.  The picture doesn’t do it justice.  It’s hydrogenated oil based creme, overly processed chocolate cake (two steps away from not being food honestly), and then covered in what looks like chocolate (I think its liquid drugs disguised as chocolate to be honest).  Yeah, they’re that good.

I’m sure we all have our top three, but these are mine.  I’m “poofy” because of these three evil sweet temptations.  Hopefully, the vegetables that are being consumed when I’m hungry will make a difference.  I will always have a sweet tooth though.