Riverbank Ruminations

Observations from the banks of the technology river

Stay home, cough into your elbow, keep your social distance, wash your hands

All of the above directions are in the news these days. As Covid-19 runs amok worldwide, health care experts are stressing some very basic health care steps that can be effective if implemented. News stories also show that people don’t seem to be listening very well yet (early April). Students on spring break, some churches still hold services and you can still see people having group picnics in the park.

Places that have been acting earlier and more strictly have so far fared far better than areas that did not. Kentucky, with one of the worst reputations for health care, has been much more proactive and successful in mitigating the effects of the virus.

Security During COVID-19

So how does this fit in with security? First of all, as with any crisis, the scammers are out to capitalize on the situation. This one is an especially ripe field because of the uncertainty surrounding what is being done and what can be done. Add that to the fact that an unprecedented number of people are now working at home, and you have a potential bonanza for scammers.

Let’s look at some basic security steps you can take to prevent being scammed.

Don’t Believe Everything You Read

“I want to help those affected by the pandemic” Many variations are out there, obfuscated by the fact that some legitimate efforts are being made by some, famous or otherwise. In this article, the victim responded when they found out “the uber-popular beauty influencer Jeffree Star tweeted that he’d be giving out $30,000 via payment service Cash App to a random person who retweeted him,”. She did so but was not chosen. Later she got a tweet saying if she sent $25, she would get $250. She didn’t.

• BASIC SECURITY RULE: If it sounds too good to be true, it probably is. DON’T DO IT. In this case, the legitimate offer did not require cash up front.
• From this article: Since the beginning of the year, the FTC has received more than 7,800 coronavirus-related reports from consumers, double what they were about a week ago….., consumers have lost $4.77 million to coronavirus-related scams, the Federal Trade Commission said Tuesday, with a median loss of $598.

Beware the Zoombomb

Defusing the Zoombomb. Zoom has gone from 10 million daily users to over 200 million daily users as more countries, states and counties issue stay at home orders. Consequently, Zoom has come under the microscope and be accused of some poor choices. Undisclosed data sharing, poor security design, and other issues have come up. Zoombombing is the situation where someone you didn’t invite joins your conference and creates havoc.

• BASIC SECURITY RULE: Use a password. Don’t share the password with anyone not entitled to it. This was not something that Zoom stressed very much and for most situations getting zoombombed is not the worst thing in the world. However, there have been reports of flashers joining conferences including children and that would be a disaster.
• This article has some good tips on how to secure your Zoom sessions.

Humans Cause the Majority of Security Problems

Protecting the company. Your company is having enough trouble without you adding to it. From this article, 90% of data breaches come from human error. 81% of the breaches resulted from weak or stolen passwords.

• BASIC SECURITY RULE: Passwords should be long (14 characters or more) and complex, but longer and not complex is better than short and complex. (Hence thisisanexampleofagoodlongpassword is better than P@55w0rd)
• BASIC SECURITY RULE: One account, one password. DON’T REUSE PASSWORDS. At some point, one of your accounts will get compromised. If you reuse a password, you are exposing other accounts.
• Get a password manager and use it.
• BASIC SECURITY RULE: Free wifi is worth what you pay and may cost you a lot. If you are working remotely, a VPN is a good friend. Even if you are connecting to work from home, you should be using a VPN. A VPN is one more roadblock to bad guys.
• BASIC SECURITY RULE: Two is better than one. This also applies to personal accounts. Don’t rely on just a password. Get 2FA (2-factor authentication), preferably an app like Authy or Google Authenticator. Better still is a hardware key like a Yubi key or Duo.

• • Authentication methods from least to most secure.

1. 1. 1. Password
      2. Password and KBQ (knowledge-based questions – mother’s maiden name, first high school, etc. ) KBQ is a weak method because this data can be obtained by almost anyone. If you need to answer these questions, makeup answers, and then record them in your password manager.
      3. Password, MFA (multifactor authentication). This is usually done by getting a text or email. If you have been victimized by a SIM swap, you won’t get texts. If your email has been compromised, you may not see the email.
      4. Password, 2FA. The app on you phone or computer will provide the code needed. Even if the attacker has the same app, it won’t provide the right code.
      5. Password, Hardware token. The downside to this is you need to have the token present to do business, but it is secure.

Looking to secure your network while allowing your team to continue to work efficiently and remotely?  Give the Ashton Technology Solutions team a call at 216 397-4080.