Contact Us Today!   314.394.3001   |   info@andersontech.com

Archive for category: News

Office Depot Pays for False Malware Reports

/in , , , /by

Do you trust your computer’s security to anonymous department store employees?

For many, the low price, high convenience, and ease of taking a home computer or laptop to a store like Office Depot or OfficeMax for maintenance or repair far outweighs any risk that would normally be associated with a stranger sifting through your files. A solid reputation for service makes a free scan from stores like Office Depot seem like the perfect solution to minor computer issues.

Unfortunately, between 2009 and 2016, one corporation violated the trust that comes with that reputation.

PC Health Check

During this time, Office Depot/OfficeMax utilized an application called PC Health Check and ran the program as part of its in-store computer services. The program’s free scan was marketed to check the “health” of PCs by scanning for malware. However, instead of actually checking the computer, if any one of four signs of probable malware were selected by the user, PC Health Check automatically reported the presence of malware and suggested the user pay for PC cleaning and repair.

PC Health Check was licensed to Office Depot and OfficeMax by Support.com, who received a percentage of each purchase. In late March, the FTC reported on their ruling that the companies will now be prohibited from making deceptive claims, and will pay $35 million in fines to the FTC, which the government will then distribute as refunds for fraudulently-triggered purchases.

Exposed!

Ars Technica reported that in November of 2016, this scam was exposed by Jesse Jones of news station KIRO 7 in Seattle. The investigations team ran six brand new computers through PC Health Check, and four of the six were flagged with symptoms of malware, even though the computers had never been connected to the internet. These same computers were found to be malware-free by an independent IT services provider!

After this report, Office Depot/OfficeMax pledged to take appropriate action and pay the agreed-upon fine. According to the FTC, that had not yet happened, though the PC Health Check program’s use was discontinued.

Read about Anderson Technologies’ approach to managed IT services here!

The Takeaway

This FTC ruling should serve as a warning to anyone soliciting unneeded maintenance and repair, but it’s also a warning for consumers. The security of your business machines and network shouldn’t be trusted to just anyone.

Ask questions. What evidence does the IT services expert have for the action they propose? Does the software they utilize for diagnostic purposes have a solid reputation? Have other individuals and businesses experienced positive results after working with the expert or team?

At Anderson Technologies, we recommend cultivating a relationship with your IT services provider over time. The best results come from managed services providers who interact with all levels of your network and computer systems. Of course, emergencies happen, often when we least expect it. In those cases, resist the temptation of a quick fix even from a brand name.

Could you be eligible for a refund from the FTC in this case? Click the Get Email Updates button on their announcement. Seeking an alternative to cookie-cutter IT support? Contact Anderson Technologies and see how we’ve earned our reputation over twenty-plus years.

Chrome Zero-Day Threat Exploit Found

/in , , /by

At Anderson Technologies, we take reports of zero-day threats very seriously. So when Google disclosed one in their popular Chrome browser, our IT experts moved swiftly to patch our managed IT services clients’ devices immediately.

We also want to spread the word on how to mitigate this threat.

The Exploit

Dubbed CVE-2019-5786, this zero-day Chrome exploit can bypass security measures and run a Remote Code Execution. This allows malware or other code to be loaded onto your computer without detection from the browser’s built-in security.

Read more about this threat exploit at Forbes.

The Solution

Update Chrome. It’s as easy as that. Google’s already fixed the problem and issued a patch.

Your Chrome browser may already be updated. To check, go into Chrome “Help” in the options button (the three vertical dots in top-right corner) and click “About Google Chrome.” The current version should be 72.0.3626.121. If you don’t have this version, you’ll need to update Chrome immediately.

password breach category 1

Collection #1 Security Breach

/in , /by

Here at Anderson Technologies we like to keep our clients updated on the latest cyber security news. We’ve covered such breaches as KRACK and the Equifax hack in the past, and now we’re reporting on a breaking data breach called Collection #1, which affects nearly 2.7 billion emails and password combinations.

What Exactly Is the Collection #1 Breach?

The Collection #1 Breach was first reported January 17, 2019, by Troy Hunt, a cyber security researcher and operator of Have I Been Pwned (HIBP). Hunt named the breach after the root folder—containing over 87GB of data—that was uploaded to a hacking forum. Comprised of around 773 million unique email addresses and 21 million unique passwords, this information seems to have been gathered from databases of personal information from over 2000 breaches as far back as 2008.

“This number makes it the single largest breach ever to be loaded into HIBP,” Hunt states in his blog post explaining the breach.

While this personal information may not be much use to one-off hacking attempts, the real danger comes with a technique known as “credential stuffing.” Gizmodo explains:

Basically, credential stuffing is when breached username or email/password combos are used to hack into other user accounts. This could impact anyone who has used the same username and password combo across multiple sites. This is concerning as the Collection #1 breach contains almost 2.7 billion combos.

How Do I Know if I’ve Been Impacted?

Thankfully, the easiest way to see if any of your email addresses, usernames, or passwords have been affected by Collection #1 is to use Hunt’s HIBP. You may have even used this resource to know whether or not to change a password after past breaches like Equifax!

Hunt has painstakingly cleaned and entered all data from Collection #1 into HIBP’s (safe) search engine, allowing anyone to securely check if any individual user account information was compromised.

have i been pwnd

How Do I Keep My Accounts Safe from Future Breaches?

The nature of these data breaches indicate decoding of previously encrypted account information like email addresses and passwords. Anderson Technologies recommends protecting yourself with multi-factor authentication (MFA), as well as a password manager like LastPass or Dashlane.

“The only way to effectively deal with it is to use MFA,” says Joe Baker, Anderson Technologies Systems Administrator. “I like the MFA standard of something you know and something you have—you know your password, and you have your phone for authentication.

“Everyone should go to haveibeenpwned.com to check their email addresses. For me, after entering my email, I searched for and found my compromised email and old password in a matter of seconds. It’s shockingly easy to get this info once it’s out there in plain text. If it’s something that you care about, protect it with MFA. If you can’t protect the account with MFA, then don’t use that account.”

If you believe information vital to your business has been compromised (current administrator credentials, for example), immediate intervention can help mitigate further security threats. Senior Systems Administrator Eric Dischert suggests the following steps:

  • Update passwords for all affected accounts
  • Temporarily lock all systems until extent of the breach is known and appropriate steps have been taken
  • Ensure proper auditing and logging are running
  • Determine the root cause, impact, and necessary steps to fix
  • Deliver a public announcement (if industry regulations require it) and prepare for corresponding responses
  • Educate employees regarding breach details and lessons learned

As always, consult with your managed services provider to ensure all these steps are completed thoroughly enough to protect your business from further threat. For more information about Collection #1 and the consequences for your personal information, contact us here or at 314.394.3001.

windows 7 end of life windows 10 upgrade

Countdown to Windows 7 End of Life on January 14, 2020

/in , , /by

While the world celebrated the New Year, Microsoft enjoyed their own major milestone as Windows 10 was finally declared more popular than Windows 7.  Previous iterations of the Windows operating system couldn’t sway many Windows 7 corporate holdouts (Windows 8 and Windows Vista, for example), but for several years Windows 10 has demonstrated the stability and performance necessary to support business users.

More than half of enterprise machines run Windows 10 today. However, many others still use Windows 7. Experts consider these active machines a security risk—not to mention their poor performance due to aging hardware. Now Microsoft is forcing everyone’s hand.  Exactly one year from today, Windows 7 joins other aged operating systems in “end of life,” placing any machines still running it on a deadline.

What Does This Mean for Your Computer and Your Business?

Windows 7 reaches end of life on January 14, 2020. After this date, Microsoft will no longer develop countermeasures or fixes to address new breaches, exploits, viruses, and attacks, leaving Windows 7 computers vulnerable. Some businesses may require a machine to stay on Windows 7 to run legacy software, but these machines should not be connected to the network as they will be a high-value target, giving hackers easy access to an otherwise secure network.

This deadline is an opportunity. Consider it a countdown to more efficient work spaces, more secure transactions, and features that integrate seamlessly with the Cloud and mobile devices. Speed, usability, and security all see major upgrades in Windows 10—upgrades that can make a huge difference for your business.

With the help of a managed services provider like Anderson Technologies, “end of life” doesn’t have to derail you. Is your business still relying on Windows 7? Contact us today to discuss your options for this important transition.

Best IT Firm 2018

/in /by

In December, Small Business Monthly listed Anderson Technologies as one of St. Louis’s Best IT Firms of 2018. Small Business Monthly is a St. Louis magazine that highlights local businesses. We are proud of the recognition in the Best IT Firms category for the second year in a row, and we are grateful to be serving you!

Our team strives to bring professionalism, honesty, and responsiveness to other small businesses with the goal of implementing robust and secure IT solutions designed to meet your needs. The experts at Anderson Technologies know what it takes to keep your business running smoothly.

In the past year, we have grown in service and expertise. Our team of managed IT service providers delivers long-term, enlightened IT solutions for local small businesses and organizations, as well as many out of town clients!

We work with many small businesses in the St. Louis area to provide cyber security protection, cloud storage and backup, and hardware and software consultation. Whether your business is facing ransomware or needs a website design, Anderson Technologies is here for you.

In 2018 we also launched Anderson Archival—sharing our expertise in historical and archival materials to organizations and individuals, backed by the technical know-how of Anderson Technologies.

Being awarded as one of the best IT firms in St. Louis in 2018 is a great honor. We look forward to expanding our business and continuing to serve the St. Louis area. Thank you for your appreciation and support!

If you would like a free IT consultation or if you are in need of a full network audit, please call us at 314.394.3001 or email us at info@andersontech.com.

Infected? A New Phishing Attempt for 2018

/in , , /by

Even managed service providers receive scam emails and phone calls.

These serve as a reminder that education on phishing, scareware, and ransomware is an ongoing process, one that even IT experts need to stay sharp on.

But let’s assume you aren’t an IT expert. How can you best determine the validity of these messages and if they have malicious intent?

As with any learning process, practice is important. You may want to start with our phishing quiz. Know where you stand with gut instinct and some important clues.

Pink phishing lure

Can you spot the phish? Take our quiz today by clicking on the image above!

Whether the attempt is made by email or phone, there is always something just a bit off about a phishing attempt. The phisher may have some accurate personal information—like your name, or the fact that you have Yahoo! email or an AT&T phone account—and see if you’ll take the bait.

It is easy to panic at the threat of suspension or an overdue bill and put aside any unease because of the urgent matter apparently at hand. This is exactly what phishers and scammers hope will happen.

The goal of these calls or emails is to collect even more information about you, fleshing out a profile for future scams, which the phisher can sell to other scammers, or—the jackpot—to collect banking or credit card information and cash in.

Because these phishes do have some truth mixed in, many do fall victim.

False Blackmail

It might sound like an episode of Black Mirror—in fact, the tactics used in this blackmail email are eerily similar to those dramatized in a recent episode of the Netflix series depicting fictional futures—but scammers are now using direct emails as a method to extort information or Bitcoin from unsuspecting users.

About a month ago, Mark Anderson, Principal of Anderson Technologies, received a blackmail email scam. “As you could probably have guessed, your account was hacked, because I sent message you from it,” the scammer began in broken English. They first boasted by showing an unencrypted old password—probably acquired from Yahoo’s 2013 data breach.

The email continued to outline the threat. “Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we’ve created.” This virus, they suggested, gave them access to “messages, social media accounts, and messengers.” This apparently wasn’t enough intimidation for most scam victims, because the email then amped up the threat.

Users all over the internet report similar threats; the scammer creates a scenario that, if true, would serve as ample motivation to give in to their demands. The scammer says that video of the user was recorded while visiting “adult websites,” and that, unless 700 dollars is transferred to the scammer’s Bitcoin wallet within 48 hours, this footage would be released and they would “show this video to your friends, relatives, and your intimate one…”

So, with a relatively low payout amount, and a previously accurate (but very old) password, how did Anderson know this threat was a scam? He knew what they’d accused him of was false, not to mention he didn’t have a webcam as they’d suggested. But other clues included:

  • While the email appeared to be sent from Anderson’s old account, this can be accomplished through spoofing.
  • The password they listed was not the current (or even recent) password for that account.
  • Broken English isn’t always a giveaway but combined with the generic threat, it seemed like a form letter.
  • Googling some of the email text brings up threads of other users exposing the scam. We’ve censored some of the less savory aspects of the original email, but the full text and break down can be read online.

If you receive this email or a similar threat, your first step should be to research the threat online or reach out to an IT expert. Never pay a blackmail, ransom, or other request for money. Instead, update your passwords, run anti-virus and anti-malware scans on affected devices, and consider implementing multi-factor authentication on your accounts in order to bolster your security profile.

Are you looking for an IT expert to help guard your small business from scams like this? Contact Anderson Technologies by phone (314.394.3001) or email (info@andersontech.com) today.

GDPR: How It Impacts You

/in , , /by

On May 25th, the European Union implemented their country-spanning General Data Protection Regulation (GDPR). Even if you’re not sure what it is or how it affects you, you’ve probably seen the results of this directive in action. New cookie consent notices pop up on home pages, and countless companies sent out emails with updated privacy policies. You may have noticed Anderson Technologies has gone through this process recently. All of this is due to GDPR.

What Does GDPR Change?

GDPR gives citizens in European Union (EU) countries clear rights to their data regardless of who is collecting it or where that entity is located. Some of these rights include:

  • The right to know what happens with their data.
  • The right to be shown all data collected on them.
  • The right to update or modify that data.
  • The right to be forgotten or to have all data relating to them deleted.

It also places the burden of informing and obtaining consent to collect data on the entity collecting it. This means it is illegal to use email lists from a newsletter to send promotional advertisements without the user specifically agreeing for you to do so. Most importantly, visitors who refuse to allow their personal data to be collected must receive the same experience as those who allow the collection of their data.

It also demands that those who collect or process personal data do so with data protection at the forefront through means such as pseudonymization, full anonymization of data, and encryption. It becomes the business’s responsibility to protect personally identifiable data and to know that all vendors and third parties with access to it have equivalent security measures in place.

Companies can be fined for failure to comply with GDPR guidelines.

Does GDPR Affect Your Company’s Website?

There is a good chance some aspect of GDPR affects you even if you don’t actively do business in the EU. Personal information can include names, addresses, email addresses, and IP addresses. To collect any of this, even through the use of cookies, explicit consent is required. It’s hard to find any website with zero visitors from EU countries. If even one EU citizen’s data is gathered, then the GDPR relates to you.

The good news is…

Unless you’re actively working with the EU, in which case you’ve probably already implemented compliance standards, only a few sections of the GDPR affect you. And if you don’t collect or transfer any personal data through cookies, contact forms, newsletter sign-ups, or analytics, then it doesn’t matter how many people from the EU visit your site.

The bad news is…

Personal data is collected in ways you might not think about, and just because someone is already signed up for your services or newsletter doesn’t mean their previous consent is compliant. Some means of data collection you might not think about are Google Analytics or share buttons on your site that connect to social media. Also, passive consent (i.e., pre-filled check boxes to sign up for emails or providing an email address that will be used for marketing in order for the user to download an eBook) is no longer allowed.

All consent must be optional and freely given.

Is the EU Going to Come After You?

Keep in mind that if you are seriously concerned about GDPR compliance and the responsibilities your business has in regard to the data you collect, you should contact a lawyer who specializes in GDPR compliance for full legal guidance. The information here is meant to provide a general understanding regarding GDPR and shouldn’t be taken as legal counsel on compliance issues.

For most US-based small businesses that do not have working relationships within the EU and do not intend to court them as potential clients/vendors, the immediate risk of not being 100% compliant after May 25th is minimal. That’s not to say you shouldn’t take practical steps to become compliant if the law affects you. Non-compliance can have steep fines of up to 10-20 million euros or 2-4% of total global turnover—whichever is higher. But those are for serious violations and a last resort after contacting the business about non-compliance and issuing warnings to resolve any problems.

What’s important is that a reasonable effort to comply within the means of your business is made with user privacy and data protection in mind.

Making Your Website GDPR Compliant

The first thing you need to know is whether or not you collect data from EU citizens.

In order to do that, you need to know what data, if any, you collect. This can include analytical data, physical and email mailing lists, names/IDs in comments or forums, and IP addresses. Then it’s time to get consent. Depending on what you collect, there are tools available to help. If you run a WordPress site, this guide can be helpful in figuring out what issues WordPress has already resolved and what issues you need to address.

  • Cookie Consent Bar — You’ve probably seen a lot of these lately. If your site installs any cookies, whether for the functioning of the website, collecting analytical data, third-party cookies for plug-ins, etc., then the user must not only be notified, but allowed the option to not have them activated. There’s no need to figure out how to do this all on your own. If you’re not sure if you need a consent bar, Jeffalytics created a flowchart to help figure it out. There are also plenty of plug-ins and add-ons available that will do this for you, and some of them are free. Not all these plug-ins are user-friendly or even fully functional, so your developer should verify that cookies are not added until the user hits accept. Cookies required to run the site can be excluded from the block as long as your Privacy Policy explains why.
  • Consent Checkbox Beneath Forms — Whenever you directly collect information, such as asking for name and email address when signing up for a newsletter, it is a good idea to have a checkbox stating that by clicking it the user understands how you are going to use and store their data. If you want to use that email for promotional materials, you can’t without their consent. You can offer a checkmark box for this option during the sign up, but it cannot be pre-checked or a requirement to sign up. The user must check it themselves.
  • Google Analytics — Not surprisingly, Google has already done a lot to bring themselves into compliance, but the tools they offer are not in complete compliance since most are meant to collect personal data. So what can you do to fix this without sacrificing all that valuable data? You need to turn on IP Anonymization. Google made this process easy for users by anonymizing all but the final set of numbers in users’ IP addresses. This means you will lose some geographic data, but generally only in local areas. You will still know the country and city of origin.
  • Opt-Out — All users must have the option to not only request all the data you collect on them but to ask you to change or delete the data if they wish. This process should be made clear in your privacy policy and quickly implemented upon request. It’s important to keep a record of all contact with users about their personal data and log when data was modified or deleted. 
  • Privacy Policy — It is important that you have a privacy policy on your website that explains in easy-to-understand, non-legal terms all aspects of your data collection and retention. This is intended to present users with the what, when, how, and why of your data collection, and to inform them of their rights over the data. This is also a good place to display a list of cookies used on your site and their functions. Many of the cookie consent bar plugins provide a short code that will generate this list for you. Your privacy policy should also explain how the user can contact you in order to exercise their rights over the data you collect on them. All communication should be simple to perform and recorded by your business. If you don’t have a privacy policy yet or aren’t sure what needs fixing on an existing policy, NIBusiness Info has a free, fully explained and customizable example available for download.
  • Notification of Breach — Perhaps the biggest change from current data practices is the GDPR’s requirement that if your data has been breached, it must be reported within 72 hours of you learning of it. The GDPR also states that the individual whose data is compromised as a result of the breach must also be notified “without undue delay” if the data poses a considerable risk on the rights the GDPR provides EU citizens. This is not required, however, if the data has been made unusable to unauthorized access through means such as encryption.

GDPR may be frustrating to implement, but its goal is to change the way companies look at data collection and retention. It’s just as important in GDPR to know how you protect your customers’ data as it is what data you collect. Security, accountability, and understanding are goals every business should strive for when handling user data. Even if you don’t do business with the EU, it’s a good idea to perform a network security audit to see how safe your company’s data is and if there is room for improvement.

If you’d like help making your website GDPR compliant, contact Anderson Technologies by phone at 314.394.3001 or by email at info@andersontech.com.

Don’t Hold the Door Open for Cyber Criminals

/in , /by

Here in St. Louis, you’re likely to hear people saying they’re heading to Bread Co. for lunch, even if Panera is the sign above the restaurant. That’s because to St. Louisans, Panera will always be Saint Louis Bread Company. But recently, residents were relieved the St. Louis name wasn’t attached to Panera’s recent cyber security blunder.

On April 2, Brian Krebs of security news website KrebsOnSecurity broke the story that customer data from Panera’s loyalty program—including names, email and physical addresses, birthdays, and the last four digits of credit card numbers—was available through an insecure API on their website. Worse yet, Panera had been notified about the defect eight months prior in August 2017 and did nothing to resolve the problem.

Cyber security researcher Dylan Houlihan found the flaw in Panera’s API and, after confirming the extent of the problem, contacted Panera’s cyber security team. He notes that reaching out to Panera was difficult as there was no information available for who to contact if security holes were found. Panera’s response was less than stellar. In Houlihan’s detailed account of their communication, Panera’s director of information security, Mike Gustavison, was suspicious of him, and after receiving proof of the problem, took several days to reply that they would work to resolve it.

Except they didn’t.

Every month, Houlihan checked to see if the flaw was fixed, only to see that customer data was still unprotected. Finally, in April 2018, he contacted Krebs to make the matter public and force Panera to respond. They did. Within two hours Panera claimed they patched the problem.

Except they hadn’t.

Krebs continued to monitor the website and found that, while the information was no longer accessible to the public, if a member logged into their free Panera account, they could still exploit the flaw. He also discovered that it extended to other parts of Panera’s business, such as the catering website.

After the negative media coverage, Panera took down its website and patched the problem properly. In a tweet following the incident, Krebs estimates that up to 37 million accounts could have been made public because of this flaw. While there is no evidence yet that malicious agents accessed the data, this was still a terrible security breach.

How Often Does This Really Happen?

It’s easy to lose the details in light of Panera’s poor response and subsequent inaction, but accidental data breaches from misconfigured hardware or software happen far more often than you might imagine.

  • March 6, 2017: River City Media left more than a billion email accounts exposed to the public, some with personal information. Also exposed were detailed records of their own illegal spamming activities. The problem—no password protection on the backups.
  • June 19, 2017: Deep Root Analytics left millions of Americans’ addresses, birthdays, phone numbers, and political views on a variety of topics open to the public. The problem—misconfigured user permission settings.
  • October 3, 2017: A National Credit Federation cloud storage bucket was found to be open to public access, revealing personal, credit, and financial information of tens of thousands of its customers. The problem—misconfigured user permission settings.
  • October 6, 2017: An Alteryx cloud storage bucket was found to be accessible to anyone with a free Amazon Web Services account. It exposed personal data, Experian marketing data, and US Census data for more than 123 million American households. The problem—misconfigured user permission settings.
  • April 9, 2018: A flaw similar to Panera’s was discovered in P. F. Chang’s rewards website. The problem—an insecure API.
  • April 23, 2018: After rebuilding their website following a ransomware attack, MEDantex’s new customer portal contained abilities intended only for employees, including accessing confidential patient records without authentication. The problem—a bug on the website.
  • May 17, 2018: LocationSmart’s demo feature is found to be able to track the location of almost any cell phone without the user’s consent. The problem—an insecure API.

What Does This Mean for a Small Business Owner?

These examples of private, financial, and personal information leaked unintentionally serve as a warning to all business owners. While there’s a sense of poetic justice that River City Media revealed their own criminal activities by forgetting to add a password, the truth is, not all data you could reveal belongs to other people. You can be a cyber threat to your own business.

Few businesses can run day to day without some amount of personal, customer, or vendor data stored either on their network or in cloud storage. The technicalities of properly configuring security for these electronic databases can be daunting, but even when things appear to be simplified for you, all it takes is one open port, one missing password, or one unsecured application for the door to your data to be left wide open.

This is why it’s vital for businesses to have their systems set up by IT professionals and to perform network security audits routinely to ensure both the hardware and the software are configured correctly. It’s not enough to simply hire an IT consultant once and assume your system is secure. Files get moved, employees are hired, and new hardware is installed—all leaving room for new settings to supersede old ones, or worse, be forgotten all together. A network security audit performed at least annually gives you peace of mind that your cyber doors are tightly closed and locked.

What Should You Do to Protect Your Business?

While it’s crucial to know how to avoid opening the door to criminals, knowing how to respond to a breach is just as important. Here are a few simple steps you can take to avoid or address an accidental data breach.

  1. Hire IT professionals to set up all hardware and software. Your customers trust you to be the expert in your field, so trust the IT professionals to be the experts in theirs. Make sure all your hardware and software have been properly configured from the start.
  2. Perform annual network security audits. Just because you configured everything correctly, doesn’t mean it will stay that way. Your business changes all the time, so it’s best to check the doors and windows before someone else notices they’re open.
  3. Know your hardware. Many business owners don’t realize what’s in their hardware closet. Can you point to your hardware firewall with confidence? Are you certain it’s the correct type for your business? Ask an IT professional to review your hardware with you so you understand what you need and how it works. Doing so will improve your ability to spot potential problems.
  4. Have a way people can contact you about problems they find. One lesson learned from the Panera breach is how important it is that people can contact you with problems they’ve noticed. Many security researchers who find flaws due to misconfiguration just want you to know about the issue so it can be resolved. Make sure they can get in touch. Larger companies should have separate contact information specifically for security issues to keep them from being lost with other routine technical issues customers might have.
  5. Respond quickly to any problems found. Don’t wait eight months or for public embarrassment to sound the alarm before responding to an accidental data breach. If you act swiftly, your data may still be kept safe. In many accidental breaches, the problem was found not by criminals but cyber researchers.

No company wants to find themselves in a situation like Panera’s, so make sure your network security is done right. If you’d like to learn more about configuring your systems or to schedule a network security audit, contact Anderson Technologies by phone at 314.394.3001 or by email at info@andersontech.com.

Don’t Have a Meltdown: Shedding Light on the Spectre/Meltdown Vulnerabilities

/in , /by

Researchers are beginning 2018 with a bombshell as they publicize information about Meltdown and Spectre, two hardware vulnerabilities that affect millions of machines around the world.

This tech news story is breaking, but until it evolves and more comprehensive solutions become available, we’ll give you the information you need to understand how you could be affected by these vulnerabilities.

What Are Meltdown and Spectre?

An exhaustive explanation of the vulnerabilities and how they work can be found here, but both threats work similarly by abusing an exposure in CPU cache timing. Meltdown allows an unauthorized application to access information from other programs via side channels in the operating system. Spectre fools more secure programs into giving up information from their own caches and overriding authorization to the caches of other programs.

Meltdown is the lesser of two evils; this hardware vulnerability only affects certain Intel processors, and Windows, Linux, and macOS have already released initial patches that prevent the unauthorized access of your sensitive information. Spectre, however, is proving to be a much trickier adversary. It removes the barriers between concurrently running applications, allowing information like passwords, messages, and other sensitive data to be accessed by a third party without permission.

Who Is Affected by These Vulnerabilities?

These particular vulnerabilities leave no trace in a system’s code, which makes the exposures easier to exploit for cyber crime. Meltdown has only been verified on Intel processors (all models produced since 1995, excluding Itanium and Atom), while Spectre affects almost every modern processor. Research has confirmed the vulnerability on Intel, AMD, and ARM processors, but devices like your smartphone could also be at risk.

Cloud servers are especially vulnerable because of the amount of data living on a single server.

Amazon and Google reported that their respective cloud services are no longer vulnerable against Meltdown, as both companies patched their server infrastructures  against this vulnerability.

US-CERT has not found any active exploitations of these vulnerabilities, even though researchers have been able to successfully replicate these bugs in lab settings. However, with the public release of this data, expect hackers to begin taking advantage of this hardware weakness. It is important to take the necessary steps to protect your devices and your data.

What Can I Do to Protect Myself?

Unlike most technical vulnerabilities, Meltdown and Spectre can’t be fully resolved with a simple software or firmware patch. These threats are caused by a fault in the physical hardware of most modern processors, making replacing your hardware the only 100% fix. Meltdown patches are available for affected machines, but the catch is they may do more harm than good for some users. Older processors (or ones that run more complex CPU processes) are reportedly experiencing performance issues, anti-virus flaws, and stop errors. Consult your managed IT services provider to determine whether the most current security patch will help or hinder your particular machine.

Mozilla recently issued a browser security patch and a Safari patch was just released today, but if you’re a Chrome user, Google recommends utilizing site isolation to stay safe for the time being until the release of Chrome 64 due on January 23, 2018. It’s best practice to update your devices and programs as soon as they become available. Keep an eye out for new updates in the coming weeks and stay in contact with your cyber security expert.

While Meltdown and Spectre seem alarming—and their potential for harm is quite vast—these vulnerabilities existed undetected for years. Google reported their discovery of the threats to Intel and AMD months ago, and since then the companies have been collaborating to develop and test fixes. New hardware should no longer contain these vulnerabilities.

The cyber security experts at Anderson Technologies do everything possible to keep you apprised of the latest digital threats. (Read our articles on the Equifax hack and the Wi-Fi vulnerability KRACK.)

We’ll let you know more about Meltdown and Spectre and how they could affect you as information becomes available. In the meantime, to learn more about our managed IT services action plan and how to mitigate against vulnerabilities like this in the future, contact us at 314.394.3001 or info@andersontech.com.

Equifax Hack Updates: What You Can Do NOW to Keep Your Credit Safe

/in , /by

It has been over six months since the massive hack of credit monitoring company Equifax, and over three since the attack was disclosed. We now know that 145 million Americans (and 15.2 million Europeans) have been affected.

Due to the data stolen—names, social security numbers, addresses—the victims  of the Equifax hack must be wary of their credit for the rest of their lives. Attackers can use leaked data to create profiles for spear phishing attacks or round out existing profiles, making identity theft even easier to perpetrate.

We covered the data breach in a previous blog post, “Equifax Hack 101: What You Need to Know to Keep Your Credit Safe,” but the news hasn’t stopped rolling in. In this post we address new developments, and additional actions you, as an individual or as a small business owner, can take to mitigate the hack.

Protecting Your Personal Data

Our initial post details credit monitoring and credit freezes. Some agencies recently introduced a “credit lock,” which they claim is easier and less expensive for the user while also more effective. The difference between a lock and a freeze is that a freeze is state-monitored, and a lock is controlled by the company only. “I take strong exception to the credit bureaus’ increasing use of the term ‘credit lock’ to steer people away from securing a freeze on their file,” says Brian Krebs of Krebs On Security. Don’t be fooled by credit lock offers.

You can also talk to lenders (mortgages, banks, etc.) about what steps they are taking to prevent someone from misusing leaked information. Challenge these organizations to take additional steps like providing internal credit monitoring alerts to keep customers safe.

Tax return filing fraud is one thing that credit freezes or monitoring cannot protect. File as early as possible to prevent your refund from going to a scammer. This is not a new problem. The IRS recently issued reminders and new alerts regarding tax fraud.

While most of the information obtained from the Equifax hack was actually already in the hands of tax fraudsters, remain vigilant because criminals are continuing to adjust their tactics. The IRS even reports instances of fraud targeting hurricane victims and tax professionals in addition to the average citizen.

The Troubling Behavior within Equifax

The hack itself isn’t the only problem with Equifax.

After a data breach, many companies are able to save face by being upfront with customers, providing adequate solutions, and cracking down on security. Unfortunately, Equifax missed these cues.

Even after fixing the questionable language in the Terms of Use initially included, in their TrustedID program Equifax continues to come under fire. Initially, the PIN numbers granted to customers seeking a security freeze consisted of the date and time the freeze was granted. This has since been corrected, but what an oversight! Many users have also had difficulty contacting the company to change their PIN.

The site Equifax set up for customers to check if they were affected by the hack continues to cause problems. Because Equifax failed to secure similar domains it was susceptible to phishing scams. Thankfully, the third-party sites (one actually directed to by Equifax itself) were benevolent—pointing out how easily scammers could use a similar domain to obtain your information. Then, in early October, Equifax temporarily took down a page about the hack because it, too, had been hacked. Criminals injected malicious code to trick users into downloading adware from fraudulent links.

As of November 3rd, Equifax’s internal investigation into allegations of suspicious trades made by top Equifax executives concluded that none of their employees were guilty of insider trading. These allegations are still under investigation by the House Financial Services Committee.

Moreover, Equifax was allegedly warned about the vulnerabilities to its systems one year ago in December by a security researcher. “These allegations, if accurate, reinforce indications that Equifax—which has a significant business selling data protection tools—was shockingly negligent and incompetent when it came to security,” says Jeff John Roberts of Fortune Magazine.

These problems have been a cause of concern for many consumers, however it is important to note that Equifax is continuing to offer credit freeze at no charge through January 31, 2018, and, through TrustedID, offers free credit monitoring and up to $1 million in identity theft insurance.

Can We Expect Any Changes to the Industry?

Beyond being proactive with your personal protection, customers must look to Congress and other government agencies to implement changes. Speak to your representatives about your concerns for the future. Many are already investigating reasons why the Equifax hack was possible and ways to prevent hacks like it in the future.

Laws also need to change regarding reporting compliance. Lawmakers and industry leaders agree that consumers should have been alerted to the Equifax hack far earlier.

In our initial article, we noted that several class-action lawsuits were being filed against Equifax; however, after an October 24 vote by Congress to disallow class-action suits against banks and credit companies, the future of these cases is unclear.

After initially trusting Equifax with a “bridge” contract for work on the IRS’s Secure Access program, the Government Accountability Office rescinded the contract, at least temporarily. They may work with another credit monitoring agency on the project, but some members of Congress are questioning the rationale behind trusting any credit bureau with so much data.

It’s possible we may be looking at the end of the social security number—or at least moving away from the strict reliance we now place on SSNs for identity. The best identity theft protection may be to stop using easily hacked information.

Tips for Small Businesses

Small businesses should look at the response from Equifax and at the controversy surrounding it and wonder what they can do differently when dealing with private information.

The first step for small businesses should be a thought experiment. Think about potential risk as well as known and unknown vulnerabilities in your internal network. Do you trust your current cyber security company to protect your data from a data breach? What are the consequences of a data breach like the Equifax hack in your company? What would the cost to your company be?

For many small businesses, investing in stronger cyber security protection is a clear solution. Your IT department or an outside cyber security company can help analyze your systems. If personnel are constantly putting out fires, as seems to be the case with Equifax, they may not be able to keep everything else up to standard.

Invest in security that provides monitoring, analysis, and dedicated attention. At Anderson Technologies, a St. Louis IT company, we often start with a full network audit, helping clients identify areas of concern and providing the path to a more secure network.

Beyond your network, take time to train and retrain employees on the technology used and best practices for staying safe, both online and off. The best identity theft protection is education. Get a free eBook from Anderson Technologies to teach your employees the foundations of cyber security safety now!

Anderson Technologies is a St. Louis cyber security company that specializes in protecting client data. For more information on our services, email info@andersontech.com or call 314.394.3001 today.

© - Anderson Technologies