MarKel Computers & Consulting

Throw-back Thursday Fun Fact: your keyboard and mouse are probably the grossest thing you touch. When's the last time you shook your keyboard upside down, vacuumed or disinfected it?

INITIATE CHUCKLE

Security Anecdote: A client submitted a support ticket to install software which they were told would allow them remote access to a new client of theirs. The attached chain of emails suggested their client wanted to show our client, the ins-and-outs of their system. ... Their client's tech support sent an install, which my client couldn't install, hence the support ticket. At a glance, things didn't appear quite right - and our preliminary research raised red-flags which we conveyed to our client, denying their request. We believed, innocent or not, the 3rd party was trying to install a full-fledged remote access tool on our clients' computer. This would allow whomever, not only 24/7 remote access to our clients computer, but potentially to make changes to other computers - (providing admin access to install software, gives that software a similar level of access) This all sounds fairly innocent, but imagine it from a social hacking perspective. You're willing to hack or be unethical, You find a target, perhaps a competitor You sequester their services You have them install a remote access tool so they can "help you" You now have access to all of their data - which includes their client's data. This may not have been the actual reality of the situation, but the probability was too great, there were too many inconsistencies, and we disagreed with their client's tech-supports approach to installing a remote access tool opposed to one-off remote viewing their conversation seemed to request. Why I'm (Oliver) sharing this: One of the more difficult changes our clients face after on-boarding with us is the lack of direct control our clients have-- there are some passwords and related functionality (like installing software) which they don't have - and generally, it takes us longer than they're used to, to respond (EG, they're used to installing immediately, but even with a 5 minute turn-around time on our side, can still be frustrating) -- that is in part what the unethical people are hoping for -- create a stress or high stakes situation in which you're pressured to accomplish things "to get it done" This is a prime, perhaps not wholly accurate example of such a scenario - and how it's somewhat benign to our end-users but can put team MK into 'red alert' as we scour public records of the actors involved and mine for other data. Our support is worth it, even though the procedure can be less direct and more frustrating than our users may be accustomed to - a simple "no, this is why, and here are some alternatives" can save your business, and it's what we're here for. Thanks for reading all this! I hope it was informative!

'Dozens of people working for Savannah College of Art and Design's security company are now suing for invasion of privacy. Alleging that the confidential information of 39 people including social security numbers pay rates and schedules was sent out from a supervisor's personal email account.'

Be weary of giving 3rd parties access to your systems, whether it's someone who walks in your office's front door, calls, e-mails, or you've approached online -- even if they're selling anti-spam or "encrypted e-mail" services (nearly all e-mail is encrypted by default, by the way!). We had a client switch e-mail providers without involving us, going through all the motions of domain verification and transfer at the instruction of an unknown (to us) company, after they recei...ved a cold-call. That's a huge risk to your business, data, and potentially would incur charges from MarKel to straighten it back out - if it's even possible. Not to mention the ramifications of reporting a breach if you're under the umbrella of PCI, HIPAA or other compliance requirements. Since the above incident, we've done a better job at assuming control of our client's domains - and conveying why it's important to be critical and guarded. This helps prevent the above avenue of compromise - but nothing is 100% fool-proof. The link attached is an **article about :-)** an exploit which encrypts your cloud-based e-mail using what I've described above as it's avenue of attack. _Oliver https://community.spiceworks.com//2104688-heads-up-new-ran

PSA: The person managing your computers can, at a glance, tell if you rebooted as part of troubleshooting. PSA: Turning off your monitor is almost always, not the same as rebooting your computer. To restart a computer:... A. 1. Click the start button 2. Click the power symbol or the arrow next to the word "shutdown" 3. Choose, Restart 4. Log back in. B. Tap the physical power button on your computers tower, wait for it to turn off, then tap the power button again to bring it back up. C. Startkey+R CMD shutdown /r -t 10 I prefer the cmd. Why? Because typing "t-minus" is cool!! These public service announcements brought to you by Oliver! (Serenity now!!)

Updating software & firmware, and ensuring default security options have been changed are great first steps. MarKel has found that most vendors work from a checklist and don't often have critical-thought regarding their products. Worse, some vendors know they're insecure or doing things the wrong way, but it's the most expedient for them in terms of labor and profit margin. ... I read a similar article which suggested that automated car washes could also be hacked and used to kill people or damage them. Basically, they'd use the automated features of the car wash to prevent the car from leaving, pin the doors closed and flood the interior of the car with high pressure water. It was a proof-of-concept attack paid for by the companies who own those types of car wash. _Oliver

It's ridiculously easy to spoof, or fake, phone numbers on caller ID. Which is why when people call us for access or password resets, we call them back. Always be weary of calls TO you requesting sensitive info - whether it be your tech support or your bank. Don't give your sensitive information away - tech support generally doesn't need your passwords - they can reset them or have you type them in. Your bank is not going to call for your credit card information, even if ...it says your bank is calling on caller ID. -Oliver

A text message isn't two factor authentication (2FA) when interlopers can have your phone number transferred to their control. Instead, try third party apps like Google or Microsoft's "authenticator" - google's is as simple as taking a photo of a barcode and works with many sites & services. Be forewarned, however, that should you change or lose your phone, or otherwise format it, you'll need to transfer your 2FA ahead of time - else you'll probably have to reset the accounts or wait 2-3 weeks for Google to review your case to let you back in.

Outlook search not working? Read below for a workaround until MS releases a follow-up patch! -Oliver