If your small business is using any but the latest, just-patched version of Firefox, you need to update now. That directive comes from no less than the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Whether you use Windows or Mac, older versions of Firefox for desktop contain a critical vulnerability that allows attackers to take control of a user’s entire operating system. This nightmare scenario is already playing out, hence the urgent warning from Homeland Security.
Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.
Mozilla itself says: “We are aware of targeted attacks in the wild abusing this flaw.”
To upgrade your Firefox browser:
On a Mac: launch Firefox and click About > Firefox and click the “Restart to update Firefox” button.
On a PC: launch Firefox and go under either Options > Firefox Updates or Options > Advanced > Update to update Firefox.
The version you want to be running is Firefox 72.0.1 and Firefox ESR 68.4.1 or higher. Firefox browsers for mobile devices are not known to be affected.
If you use Windows 7, you need to be aware that Microsoft is ending support for your operating system today – January 14th, 2020. Now is the time to upgrade to Windows 10.
Windows 7 is an operating system that still has plenty of users – in fact, it was only earlier last year that the market share for Windows 10 moved past Windows 7. Impressive, considering that Windows 10 was released in 2015. But nothing lasts forever in technology, and Windows 7 is no exception.
With Microsoft ending support for Windows 7, the operating system will become much more difficult to keep up and running effectively. Worst of all, a loss of support means Windows 7 will be more vulnerable to security threats.
What Does “Loss of Support” Mean?
There are several things that will happen when support ends for your Windows 7 operating system, including:
Loss of tech support. Right now, if something goes wrong with your Windows 7, you can contact Microsoft and get somebody to help you with the problem. They can run you through troubleshooting steps and try to get things going again. But when support ends, you won’t have the option of contacting Microsoft about it.
No more software updates. Microsoft is always working to improve their operating systems – at least the ones they currently support. But once they stop support, they stop putting resources into improving an OS. That means there will be no more updates to make Windows 7 secure and stable.
Loss of security. This is the big one. There are always people out there looking to compromise Windows operating systems, even ones as old as Windows 7. When you lose support for your OS, it means that Microsoft will no longer be trying to identify threats and upgrade your OS to defend against those threats.
Loss of compatibility. Over time, the software you rely upon will stop working with Windows 7, effectively spelling the end of your computer’s functionality.
Fortunately, getting support for your OS is easy enough – you just have to upgrade to Windows 10.
Luckily, the solution is equally simple: don’t abbreviate 2020.
The reason? Scammers could easily alter a date reading 1/1/20 to read 1/1/2000, 1/1/2021, or even 1/1/2099.
Ira Rheingold, the executive director of the National Association of Consumer Advocates, says scammers could use this method to attempt to cash an old check or establish an unpaid debt.
“Say you agreed to make payments beginning on 1/15/20. The bad guy could theoretically establish that you began owing your obligation on 1/15/2019, and try to collect additional monies,” Rheingold told USA Today.
“In the future, post-dating could be a problem too. For example, a check dated 1/1/20 could become 1/1/2021 next year, possibly making the uncashed check active again,” Rheingold says.
The solution, again, is simple: write out the full date. Instead of 1/18/20, use 1/18/2020 or January 18, 2020.
Want to know more about protecting your business from fraud? Call us at 678-389-6200 or contact us online.
If users in your organization use Google Chrome, there is a high chance that several of those systems are creating an opportunity for hackers to install malware. Google recently identified a major security flaw with its Chrome browser that impacts Windows, Mac, and Linux-based devices. Google has released a security patch that corrects the vulnerabilities; the patch fixes two separate problems.
One of the security vulnerabilities Google identified is in Chrome’s audio component. The other vulnerability is tied to the browser’s PDF library. Both allow unwanted modifications or corruptions to memory data. This allows hackers to elevate privileges on the device or within applications installed on the device. If someone is able to gain administrative access to a system or software on a system, the individual could make unwanted changes or wreak havoc on the device’s operating system. There is also a high chance that a hacker could install malware or execute malicious code on the device.
The version of the browser that fixes the security issues is 78.0.3904.87. Although the Chrome browser may be configured to automatically update itself in the background upon launch, it is a good idea to manually check each device. The browser can be manually checked by selecting the Help menu and then “About Google Chrome.” Opening that page makes the browser check for an update and install it if one is available. The browser’s version is also displayed in the “About” section. If the listed version is 78.0.3904.87 or later, then the device has received the necessary security patch.
If there are problems with the browser updating, it may need to be removed from the system and reinstalled. Some organizations have an automatic process to uninstall and reinstall applications from the server once the devices connect to the organization’s network. Reports can be run to see which systems still have outdated versions and technicians should manually check those systems to diagnose why automatic updates are not going through.
A system that is not receiving automatic updates from Google Chrome may have other issues. Technicians should check for the following:
Is the anti-malware program up to date and running correctly?
Is the OS receiving approved updates and are these updates installing?
When was the last time the system pinged the network?
Has the system been restarted recently?
If the system has been disconnected from the organization’s network, how long has it been offline?
Has a malware scan recently been run? Were any malicious items identified and removed?
Are there any suspicious executables or unauthorized programs installed?
Sometimes wiping a system and completely reinstalling the OS is the best course of action. Signs that a device may be too infected, corrupted, or outdated include the presence of unauthorized or suspicious applications, more than 100 pending OS updates or a last update date that is more than a month old, and an anti-malware program that will not update or run a scan correctly. Before wiping a system and reinstalling the OS, a technician should check for and back up any user data that may be stored on the device’s hard drive. However, the data should be carefully scanned for any malware infections prior to transferring it back onto the system.
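The report-driven triage described above can be scripted. This is an added example, not code from the original post: it reads a constructed inventory export and applies the post’s criteria (Chrome below the patched version, more than 100 pending OS updates, last OS update older than a month, anti-malware not updating). The minimum version is Chrome 78.0.3904.87 (the post’s “78.03904.87” with its dropped dot restored); the CSV column names and sample rows are assumptions.

```python
"""Triage a fleet inventory for devices that may have missed the Chrome patch.

Added example, not code from the original post. The inventory rows below are
constructed sample data; in practice they come from your RMM or report export.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Minimum patched Chrome version from the post (dot restored).
PATCHED_CHROME = "78.0.3904.87"

# Constructed sample inventory: hostname, Chrome version, pending OS updates,
# date of last successful OS update, anti-malware engine up to date (yes/no).
SAMPLE_INVENTORY = """\
hostname,chrome_version,pending_os_updates,last_os_update,av_current
ws-001,78.0.3904.87,3,2020-01-10,yes
ws-002,78.0.3904.70,12,2019-12-28,yes
ws-003,77.0.3865.120,140,2019-09-02,no
ws-004,79.0.3945.79,0,2020-01-12,yes
ws-005,78.0.3904.97,2,2019-11-30,yes
"""


def version_tuple(version: str) -> tuple[int, ...]:
    """Turn a dotted version string into a tuple so it compares numerically."""
    return tuple(int(part) for part in version.split("."))


def chrome_is_patched(version: str, minimum: str = PATCHED_CHROME) -> bool:
    """True when the installed version is the patched version or later."""
    return version_tuple(version) >= version_tuple(minimum)


def triage(inventory_csv: str, today: date) -> dict[str, list[str]]:
    """Return {hostname: [findings]} for every device that needs attention.

    Devices with no findings are omitted. "More than a month old" is taken
    as more than 31 days.
    """
    results: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings = []
        if not chrome_is_patched(row["chrome_version"]):
            findings.append(f"Chrome {row['chrome_version']} is below {PATCHED_CHROME}")
        if int(row["pending_os_updates"]) > 100:
            findings.append(f"{row['pending_os_updates']} pending OS updates")
        last_update = date.fromisoformat(row["last_os_update"])
        if today - last_update > timedelta(days=31):
            findings.append(f"last OS update on {last_update.isoformat()}")
        if row["av_current"].strip().lower() != "yes":
            findings.append("anti-malware engine not up to date")
        if findings:
            results[row["hostname"]] = findings
    return results


def triage_sample() -> dict[str, list[str]]:
    """Run the triage over the constructed inventory as of 14 January 2020."""
    return triage(SAMPLE_INVENTORY, date(2020, 1, 14))


if __name__ == "__main__":
    for host, findings in triage_sample().items():
        print(host, "->", "; ".join(findings))
```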
Have questions about vulnerabilities within your system? Call us at 678-389-6200 or contact us online.
The U.S. Secret Service and the Cybersecurity & Infrastructure Security Agency (both under the oversight of the Department of Homeland Security) are offering their annual tips for staying secure online this holiday season. With U.S. retail e-commerce spending expected to top $135 billion this season, online criminals will be looking to take advantage of unprepared consumers and businesses alike.
Tips For The Consumer
Keep operating systems and antivirus software up-to-date.
Change passwords for online retailers regularly, and take advantage of multi-factor authentication if available.
Use credit cards online instead of debit cards – credit cards typically offer better fraud protection to the consumer.
Never shop online using public wifi.
Avoid opening attachments and clicking on links from senders you do not recognize.
When shopping from your phone, use only apps from trusted businesses, and only download apps from your device’s designated app store.
As always, if it’s too good to be true, it probably is.
For The Online Merchant Or Business
In addition to utilizing the above recommendations for the consumer, be sure to:
Segregate your payment system processing from other network applications such as email and non-payment system related processes.
Use firewalls and properly configured and monitored intrusion prevention and/or detection systems for added defense of your network.
Remote access into your network should be limited, secured and monitored for unusual activity.
Utilize Payment Card Industry Data Security Standards (PCI DSS) protocols for your online transactions. This includes encrypting (SSL encryption) your customer’s payment card data whether it is being stored, processed or transmitted. In addition, verification of the cardholder’s address and requiring the Card Verification Value 2 (CVV2) code (3 or 4 digit number on the front or back of the card) can help authenticate the transaction and validate the cardholder and account.
Online holiday shopping is fun and convenient –– as long as you don’t put yourself or your business at risk! For more information about keeping your information secure, call us at 678-389-6200 or contact us online.
Neglecting to conduct a HIPAA risk assessment could cost you.
In the first week of November, the Office of Civil Rights (OCR) announced two big HIPAA penalties.
A $3 million settlement with the University of Rochester Medical Center for HIPAA violations in 2013 and 2017.
A $1.6 million civil penalty imposed against the Texas Health and Human Services Commission for HIPAA violations between 2013 and 2017.
In both cases, the organizations failed to perform an adequate risk assessment beforehand, according to the OCR’s parent department, the U.S. Department of Health and Human Services.
Failure To Comply Results In Big Penalties
The Texas Health and Human Services Commission is of particular interest. A data breach occurred when one or more employees moved an internal application from a private, secure server to a public one. The application included a security flaw and the ePHI (electronic protected health information) of more than 6,600 patients. When moved to a public server, the flaw exposed those records to the world.
The department responsible for the breach filed a report with OCR in 2015. This triggered an investigation, which revealed the organization also failed to:
Conduct an enterprise-wide risk analysis
Implement access and audit controls as required by HIPAA
These are costly, time-consuming, and embarrassing mistakes – and they erode trust with clients and patients. Luckily, an ounce of prevention goes a long way toward avoiding these violations.
Free HIPAA Risk Assessment Tool
OCR recently announced an update to its HIPAA Security Risk Assessment Tool. This tool is designed for small-to-medium sized businesses and is free to download.
It walks users through a series of modules and questions to help evaluate and document potential threats and vulnerabilities to ePHI in their organizations.
Users enter lists of important items, such as assets, vendors, and business associates. Items can be entered manually or uploaded via CSV.
A series of questions walk users through the process of identifying threats and vulnerabilities, scoring their likelihood of occurring, and their impact if they occurred.
A summary report provides risk scores, areas for review, and a total number of vulnerabilities identified as applicable to the organization.
The tool is worth a look – especially for smaller healthcare organizations and their IT providers.
One way or another, you must complete a security risk assessment to comply with HIPAA. For more information, call us at 678-389-6200 or contact us online.
Hackers Now Using HTTPS To Trick Victims Via Phishing Scams
Everything you’ve heard about the safety of https sites is now in question. According to a recent FBI public service announcement, hackers are incorporating website certificates (third-party verification that a site is secure) when sending potential victims phishing emails that imitate trustworthy companies or email contacts.
These phishing schemes are used to acquire sensitive logins or other information by luring people to a malicious website that looks secure.
Can You Still Count On HTTPS?
The “s” in the https along with a lock icon is supposed to give us an indication that a website is secure. And your employees may have heard this in their Security Awareness Training. All training will now need to be updated to include this latest criminal tactic.
What Should You Do?
Be Suspicious of Email Names and Content
The FBI recommends that users not only be wary of the name on an email but be suspicious of https links in emails. They could be fake and lead you to a virus-laden website. Users should always question email content to ensure authenticity.
Look for misspellings or the wrong domain, such as an address that ends in “com” when it should be “org.” And, unfortunately, you can no longer simply trust that a website with “https” and a lock icon is secure.
If you receive a suspicious email that contains a link from a known contact, call the sender or reply to the email to ensure that the content is legitimate.
If you don’t know the sender of the email, the FBI warns that you shouldn’t respond to it.
Don’t click links in any emails from unknown senders.
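The checks above (wrong domain, look-alike spelling, a displayed address that differs from the real destination) can be automated for an incoming message, and none of them depends on whether the link uses https. This is an added example, not code from the post or the FBI announcement; the email body and the fictional sender domain example-bank.com are constructed.

```python
"""Flag links in an email body whose destination does not match the sender's
claimed domain, regardless of whether they use https. Added example."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message claiming to come from example-bank.com with
# one legitimate link, one .org swap hidden behind a .com label, and one
# look-alike domain (digit 1 in place of the letter l).
CLAIMED_SENDER_DOMAIN = "example-bank.com"
SAMPLE_HTML = """
<p>Your statement is ready.</p>
<a href="https://secure.example-bank.com/statements">View statement</a>
<a href="https://example-bank.org/login">https://example-bank.com/login</a>
<a href="https://examp1e-bank.com/verify">Verify your account</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (adequate for .com/.org style domains)."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html: str, claimed_domain: str) -> list[tuple[str, str]]:
    """Return (href, reasons) for each link a reader should not click."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        domain = registrable_domain(urlparse(href).hostname or "")
        reasons = []
        if domain != claimed_domain:
            reasons.append(f"links to {domain}, not {claimed_domain}")
        # Visible text that looks like a URL but does not match the real target.
        if text.startswith("http"):
            shown = registrable_domain(urlparse(text).hostname or "")
            if shown != domain:
                reasons.append(f"shows {shown} but goes to {domain}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_HTML, CLAIMED_SENDER_DOMAIN):
        print(href, "->", why)
```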
If You Run A Business Ask Your IT Service Company About New-School Security Awareness Training For Your Employees
This will give your staff the latest information about cyber threats and exploits. They’ll learn what they need to know to avoid being victimized by phishing and other scams.
Why Use New-School Security Awareness Training?
Your employees are the weakest link when it comes to cybersecurity. You need current and frequent cybersecurity training, along with random Phishing Security Tests that provide a number of remedial options if an employee falls for a simulated phishing attack.
New-School Security Awareness Training provides both pre-and post-training phishing security tests that show who is or isn’t completing prescribed training. And you’ll know the percentage of employees who are phish-prone.
New-School Security Awareness Training…
Sends Phishing Security Tests to your employees to take on a regular basis.
Trains your users with the world’s largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters, and automated training campaigns with scheduled reminder emails.
Phishes your users with best-in-class, fully automated simulated phishing attacks, and thousands of templates with unlimited usage, and community phishing templates.
Offers Training Access Levels: I, II, and III with an “always-fresh” content library. You’ll get web-based, on-demand, engaging training that addresses the needs of your organization whether you have 50, 500 or 5,000 users.
Provides automated follow-up emails to get them to complete their training. If they fail, they’re automatically enrolled in follow-up training.
Uses Advanced Reporting to monitor your users’ training progress, and provide your phish-prone percentage so you can see it reduce as your employees learn what they need to know. It shows stats and graphs for both training and phishing, ready for your management to review.
Your employees will get new learning experiences that are engaging, fun and effective. It includes “gamification” training, so they can compete against their peers while learning how to keep your organization safe from cyber attacks.
Add New-School Security Awareness Training To Your Current Employee Training
The use of https is just the latest trick that hackers are using to fool victims into falling for malicious emails. Hackers have many more “up their sleeves.” This is why regular, up-to-date New School Security Awareness Training is so important for any organization.
Nearly every site or service we use online requires a username and password. Remembering hundreds of unique passwords is just about impossible, and reusing passwords across multiple sites can be dangerous. If one account is compromised in a data breach, any other account using that same password is at risk.
Today’s username and password convention is a difficult system to manage well, but it remains important to create strong, unique passwords for your various accounts. Here are a few ways to create unique passwords that are strong and memorable.
Base Your Password on a Familiar Phrase
One way to make a password easier to remember is to base it on a phrase or term that’s familiar to you. Notice we said to base it on a familiar term, not to use the term itself: “ilovesarah”, “sparky”, and “gocowboys” are all terrible passwords because they’re easy to guess. Anyone who knows that your wife’s name is Sarah, that your dog’s name is Sparky, or that you love the Cowboys might guess these easily.
Instead, come up with something creative, but that still has a connection to something you won’t forget. Something like “G1antsRool!” would be hard to guess since it runs counter to your actual interests, and it would be hard to crack due to the character variations. You’ll have an easier time remembering it, though, since it connects to one of your true passions.
Another variation on this theme is to take a poem or song lyric that’s meaningful to you and turn it into an acronym. “Row, row, row your boat gently down the stream” could turn into “RrrybGdtS”, for example. Easy to remember; hard to guess.
Use Long Passwords
Long passwords are hard to guess, but they’re even harder to crack using hacker tools. Use a memorable phrase in its entirety, or choose a series of seemingly unrelated words that mean something to you. You’ll create a password that’s easier to remember than the previous method and that’s even harder for a computer to crack.
Use Two-Factor Authentication Wherever Possible
You should enable two-factor authentication (2FA) on any site that offers it. 2FA adds a second method of authenticating that you’re who you say you are. Most 2FA methods involve sending a numeric or alphanumeric code to the account owner (that’s you). This code can be sent via email, text message, or even be displayed on a physical key fob. The code is only good for a short window (usually 1, 2, or 5 minutes). After supplying your username and password, you’ll be asked for this code.
Most consumer applications of 2FA involve sending the code via text message. Unless a hacker has stolen or cloned your phone, they won’t be able to view this code and thus won’t be able to log in to your accounts—even with your username and password.
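For the key-fob or authenticator-app case above, the short validity window is not a server timer: the code is derived from a shared secret and the current 30-second time step (RFC 6238 TOTP), so an old code simply stops matching. The following is an added example, not code from the post; the secret is the RFC 6238 reference-vector secret, and the one-step drift allowance is a choice made here. Codes sent by text message or email work differently (the server generates a random code and records its expiry).

```python
"""Time-based one-time codes (RFC 6238 TOTP), the mechanism behind the codes
an authenticator app or hardware fob displays. Added example, not from the post."""
import hashlib
import hmac
import struct
import time

# Constructed shared secret (the RFC 6238 reference-vector secret). In practice
# it is provisioned once (for example via QR code) to both the app and the server.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30      # seconds each code stays valid
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Derive the code for the time step containing unix_time (HMAC-SHA1)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the code for the current step or one step either side.

    The drift allowance covers clock skew and a code typed just as the window
    rolls over; anything older is rejected, which is the "short window" the
    post describes. The comparison is constant-time so a guess cannot be timed.
    """
    for step_offset in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret, unix_time + step_offset * TIME_STEP)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "accepted now:", verify(DEMO_SECRET, code, now))
    print("same code two minutes later accepted:", verify(DEMO_SECRET, code, now + 120))
```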
Change Your Password Frequently
Changing your password frequently is another way to stay ahead of information thieves. A stolen password is only useful until you change that password to something else. It’s good practice to change your passwords frequently, such as every 3 to 6 months. We realize that can be a lot of work. Changing only your most sensitive passwords (financial, social, and email) is better than changing none.
Use a Password Manager
All this sounds like a lot of work, and it is. Thankfully, there’s a better way. Using a password manager, you can create long, unique, complex passwords for each account — but you don’t have to worry about remembering them! All your passwords are stored in the password manager. All you need to remember is the strong master password you create for this utility. Apple users have access to iCloud Keychain, Google offers a free password manager, and there are a host of paid, feature rich applications available such as Dashlane and LastPass.
For more information about staying safe online, call us at 678-389-6200.
As of January 14th, 2020, Microsoft will be ending all support for their hugely popular Windows 7 operating system, which has technology professionals strongly recommending businesses upgrade to Windows 10 in response.
This brief video on the subject discusses what the end of Windows 7 support means for users and the risks that come with choosing not to upgrade before January 2020.
If you have questions or want to find out how we can assist you with upgrading smoothly to Windows 10, give us a call at (678) 389-6200 or email us at firstname.lastname@example.org.
Thank you again for making the final push to the deadline on our website launch. I can’t tell you enough how much I appreciate your commitment to quality. Feels like I’ve got someone fighting by my side. – Nicole B.
I cannot imagine trying to manage our tablets without your help. – Peggy W.
In working with John Mamon (CEO) over the years, I have personally witnessed his commitment to making sure the customer comes first, consistently creating raving fans of his services. When we started thinking about a managed services partnership to help our education clients manage, secure, and control their tablets, mPowered IT was our first call. Our partnership was not only a great decision for PowerUp EDU, it is an even better decision for our customers! – Jerry G.
Our experience during a recent project was great. Our engineer kept us informed as we went through the process. Even when we hit a snag, the team responded very quickly and got everything resolved. They even took care of a separate issue I was trying to get handled for some time. They really came through. – Eleanor C.
I am impressed with the professionalism and courtesy of the mPowered IT technicians. We are thrilled! – Stephanie C.
mPowered IT is extremely professional and dependable. They consistently deliver results and as an owner, I trust that they will take care of my business. Their attention to detail has earned my business. – David B.
I have worked closely with John Mamon, CEO of mPowered IT, for the past 7 years. He understands the business advantage that well-managed IT can bring and has a sound understanding of what makes IT work for business. Many IT Service Providers talk a good talk, but they haven’t built the delivery capability to actually achieve what they promise. John has instilled in his team the discipline and knowledge necessary to keep IT running optimally for his clients, enhancing the client’s return from every IT dollar invested. – John K.
I just called mPowered IT on an issue and they were fantastic and fixed the problem in a matter of minutes. – Matthew J.