Major International Hacker Groups are Cracking Multi-Factor Authentication

Hello fellow travelers on the Internet, this is Nate Abbott trying to be helpful, as usual. We are going to answer a couple of questions here, and then provide some helpful advice.

What is Multi-Factor Authentication, or MFA?

In case you haven’t heard about this, it is a way to increase the security of your access to websites and Internet accounts that could cause you personal or financial harm if they were compromised. Most major websites now offer MFA to users, and it is best thought of this way:

  • Single-factor authentication is generally something that you know, namely a unique password that you keep secret.

  • Multi-factor authentication requires more than one thing to gain access, something that you know, plus something that you have, or something that you are.

    • MFA requires at least two of the following: something that you know (a password), something that you are (a fingerprint), or something that you have (your mobile phone).

    • Any two of those categories gives you good multi-factor authentication, because an attacker has to obtain both, rather than just the password, which can leak out in a data breach.

    • Example 1: Your password, plus your cell phone number. After you provide your password, the website sends you a text or a call with a code that you must enter. This is the weakest of the three examples: a text message can be intercepted, and a persistent attacker can have your phone number moved to a phone that they control.

    • Example 2: Your password, plus an authenticator app. The app generates a time-based one-time code (TOTP) that is valid only during a 30-second window and can be used only once.

    • Example 3: Your password and a fingerprint scan.

How are the hackers cracking this system?

First, they must gain access to your password. This happens very frequently because of the history of massive data breaches that have occurred in the last decade around the world, and because people tend to re-use passwords to make their lives simpler.

Once the hackers have your password, if they find that you are using MFA with push-notification approvals, they trigger a flood of approval prompts to your phone (this is called MFA bombing or prompt bombing) in the hope that you will approve one just to quiet down the annoyance. Once you do, they are in, and they can register their own device as an MFA factor so that they own your account from then on. I won’t go on at length about how hackers can leverage a single account breach into comprehensive control of all of your accounts and an effective and difficult-to-resolve identity theft. If you are trying to do any substantial financial transaction, then you will find yourself in some prolonged pain. Over time, an attacker can ruin your credit rating and your reputation, even implicating you in crimes if they are persistent and successful enough. You do not want this to happen.
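For readers who run or monitor a login system, the one-to-one rule (one prompt per genuine login attempt) can be checked mechanically. The following is an added example, not part of the original post: the log format, user names, addresses and timestamps are constructed for illustration, and the five-prompts-in-five-minutes threshold is an assumption to tune against your own traffic.

```python
"""Spotting MFA push bombing in an identity provider's sign-in log.
Added example; the log format and every line in SAMPLE_LOG are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: jane.doe gets six prompts in under three minutes and approves one;
# bob.roe gets the normal one prompt for one login.
SAMPLE_LOG = """\
2023-05-01T09:12:01Z user=jane.doe src=203.0.113.7 event=password_ok
2023-05-01T09:12:02Z user=jane.doe src=203.0.113.7 event=mfa_push_sent
2023-05-01T09:12:31Z user=jane.doe src=203.0.113.7 event=mfa_push_sent
2023-05-01T09:13:05Z user=jane.doe src=203.0.113.7 event=mfa_push_sent
2023-05-01T09:13:40Z user=jane.doe src=203.0.113.7 event=mfa_push_sent
2023-05-01T09:14:12Z user=jane.doe src=203.0.113.7 event=mfa_push_sent
2023-05-01T09:14:50Z user=jane.doe src=203.0.113.7 event=mfa_push_sent
2023-05-01T09:15:02Z user=jane.doe src=203.0.113.7 event=mfa_push_approved
2023-05-01T09:20:10Z user=bob.roe src=198.51.100.4 event=password_ok
2023-05-01T09:20:11Z user=bob.roe src=198.51.100.4 event=mfa_push_sent
2023-05-01T09:20:25Z user=bob.roe src=198.51.100.4 event=mfa_push_approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)


def parse(lines):
    """Yield (timestamp, user, source address, event) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m["user"], m["src"], m["event"]


def find_push_bombing(lines, window_s=300, threshold=5):
    """Flag users who received `threshold` or more push prompts within any `window_s`
    seconds, and record whether one of those prompts was approved. A legitimate login
    produces one prompt per attempt; a burst means someone else already has the password."""
    recent = defaultdict(deque)  # user -> (timestamp, src) of prompts still inside the window
    alerts = {}
    for ts, user, src, event in parse(lines):
        window = recent[user]
        while window and (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        if event == "mfa_push_sent":
            window.append((ts, src))
            if len(window) >= threshold:
                alert = alerts.setdefault(user, {"prompts": 0, "approved": False, "sources": set()})
                alert["prompts"] = max(alert["prompts"], len(window))
                alert["sources"].update(s for _, s in window)
        elif event == "mfa_push_approved" and user in alerts and window:
            alerts[user]["approved"] = True  # the burst worked: treat as a compromised account
    return alerts


if __name__ == "__main__":
    for user, alert in find_push_bombing(SAMPLE_LOG.splitlines()).items():
        print(user, alert)
```

An alert with `approved` set is the case from the paragraph above, and the right response is the one the post recommends: reset the password and review the account's registered MFA devices, because the attacker may already have added one.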

What can you do?

  1. Use a password manager and make sure that all of your passwords are random, strong, and used for only one account. You have to have a different, strong password for each account that you have. I recommend LastPass as a password manager, but there are now many good ones.

  2. Enable MFA on as many accounts as you can tolerate. The more the better. Use app-based authentication wherever possible, and familiarize yourself with Google Authenticator, Microsoft Authenticator, and any other authenticator that you may want to use. You may need two or three to cover all of your MFA accounts.

  3. Respond to an MFA prompt only when you yourself have just tried to log in to that account. There should be a one-to-one relationship between your login attempts and your MFA prompts. If you start to receive unexpected MFA prompts, do not approve them. Put your phone on Do Not Disturb if you have to. Once a lull comes in the requests, log into your account and change your password; the only way someone can be generating those prompts is that they already have the current one. While you do this, be sure that you are approving only the MFA request for your own login and not one of the attacker’s. This may require patience.

In Summary…

Yes, MFA is a good thing, please use it. Adopt and master your password manager. Watch out for MFA bombing, and never authorize anything that you haven’t explicitly requested yourself. Don’t be tricked by false claims that the company is testing security or similar words; no legitimate company will ask you to approve a prompt that you did not initiate. There can only be a one-to-one relationship between your login requests and your MFA authentication responses, and the only reason to approve a prompt is your own need to access your online account.

If you want to read more, you may find this story interesting: https://www.wired.com/story/multifactor-authentication-prompt-bombing-on-the-rise/

Federal Ransomware Order

The Biden Administration is ADVISING the business community to invest in exactly the kind of protection that companies like Datto and MSP partners like Abbott Business Networks provide. From the coverage of the order:

“It encouraged them to regularly back up data, and segregate those backup systems from the rest of their networks so that cybercriminals cannot easily find them. It urged companies to hire firms to conduct ‘penetration testing,’ essentially dry runs in which an attack on a company’s systems is simulated, to find vulnerabilities.”

If you are uncertain how to comply with Federal guidelines for defending against Ransomware attacks, please contact us immediately through this website’s contact form. We can provide solutions that give you confidence that your business is protected from ransomware threats.

Our policy: Never pay ransom!

COVID-19 Coronavirus, A Message to our Clients and Friends

Five Ways To Protect Your Business and Your Employees From the Pandemic

We have been following news and advice from the scientific community regarding the spread of the COVID-19 Coronavirus pandemic. This has now grown to the level where all of us have been impacted one way or another. We at ABN felt that our clients and friends should hear from us about our own policy during this time, and some ways that we can help our clients get through this trying problem.

See our own ABN Pandemic Policy on our main page.

Go Virtual Wherever Possible.

From the top to the bottom, direction from our Government and scientific leaders challenges us to avoid direct contact with those outside our homes. We all know that this is the antithesis of what we generally must do to conduct business, so we are advocating for video conferencing as an alternative to in-person meetings. Each key employee in your organization should have access to a computer at home from which they can access their work, and also video conference with others inside and outside the organization in place of in-person meetings. If work must be conducted in person, then precautions must be taken to avoid person-to-person contact; contact by hand with surfaces should be avoided, and accessible surfaces should be cleaned with disinfectant cleaners frequently.

Cancel or Postpone Larger Group Meetings

If you plan to attend or hold a significant public meeting in March or April, there are few options at this point but to cancel. You will find that a majority of your business community is following suit with major sports and entertainment leagues and venues such as NBA Basketball, NCAA Basketball, PGA Golf, Casinos, Cruises, etc. Our study of this issue tells us that the more that we reduce group meetings now, the more likely that the US will have fewer problems with medical treatment capacity when COVID-19 infections are expected to peak in the next week or two. The more that the peak can be delayed, the lower the peak will be, and the best shot we have at reducing the harm to the families of our employees and loved ones, which is always our first priority.

Establish and Communicate your Company Policy

Determine what your company will do should a member of your staff become infected with COVID-19. Consider risks to your clients within your place of business and how you may minimize them. Think about impacts to hourly workers and contractors that may be important to the success of your business. How will you continue to receive their services, and how can they help you get through the pandemic?

Follow Scientifically Legitimate Sources of Information and Stay Calm

There has been a coincident explosion of scams appearing on the Internet offering high-demand items like COVID-19 test kits, 3M N95 surgical masks, and other items at exorbitant prices with dubious terms and doubtful delivery. Masks turn out to be a less valuable item than originally thought for most people, and should be avoided unless advised by your physician. Use caution in searching for anything related to the pandemic on the Internet and think twice before clicking a link that you have any doubt about in your web browser.

Enjoy This Time With Your Family If You Can. Find People to Connect With If You Don’t Have Family.

In all probability, the time of “social distancing” will be short. Keep your spirits up with people who you love and who appreciate you. If you are isolated for any reason, reach out for help. There are many who want to help you get through the crisis.

Here are some helpful links for this last problem:

https://www.hrsa.gov/enews/past-issues/2019/january-17/loneliness-epidemic

https://www.unionleader.com/news/health/coronavirus/declaring-emergency-puts-nh-in-covid--mainstream/article_9f6f51bb-f159-5713-bf1b-1cdce8ee1534.html?utm_medium=social&utm_source=email&utm_campaign=user-share

Russians Hack Chicago!


Leonid and Friends

How a group of Russian musicians show their love for a classic-rock staple from the 70’s.

It’s time for a little fun. If you are older, you remember an epic band called Chicago. They gained a reputation for being a soft-rock staple of the early seventies. Kind of a bland horn-band to back up Peter Cetera, one of their pop-star front men. This is the most unkind description that I can think of, and not my opinion at all.

Chicago, for a time, owned the American top 40 pop charts, and the original band members created original music that has been folded into the fabric of our culture. They had, and still have millions of fans, who love their music more than ever.

Over time, the general population of music lovers tired of Chicago. There was a serious case of heavy rotation radio overplay during their heyday, and in those days, AM car radios and cheap boom-boxes really couldn’t do justice to the complexity and subtlety of the arrangements that they created, not to mention the absolute virtuosity of their players. It was all a pleasant “wall of sound” creation that served as background to all of our lives in the malaise-ridden, drug-addled 70’s.

I have rediscovered the music of Chicago through a tribute band from an unlikely place: Moscow, Russia. Yes, Leonid and Friends is a band formed by bassist and audio engineer and producer Leonid Vorobyev, and you can find much of their musical product on YouTube here: https://www.youtube.com/channel/UCD5ZsXiIFlrWrbOCM6rEDKQ.

The tech angle, (and make no mistake, I am just indulging myself here with a bit of fun about something that has captured my fancy), is that they have followed the example of Pomplamoose in publishing “video songs”, which show all of the parts being played on the instruments used in real-time. Kind of a “look-ma-no-hands” mode of musical presentation which is original to YouTube and online video. These days, much of the music that I enjoy, I “watch” on YouTube, partly because it is available there for free, and partly because there is this added benefit of an edited, visible performance. On-demand music videos that aren’t stupid movie shorts for tweens.

So how do they do? I regard their performances as very much comparable to the original Chicago recordings, and make no mistake, Chicago was an awesome band. The horn section was a match for the best of James Brown or Tower of Power, and the arrangements were deft and intricate. Having been a wind player, I watch the horn section that Leonid has assembled with amazement. The trumpet player, Andrey Zyl, looks like his neck is going to explode, but they are as tight and smooth as the original band was, if not more so.

The beauty of the “video song” mode of performance is that it shows all the parts being played when featured. Technically, Pomplamoose’s mode of presentation was very different from Leonid and Friends, using overlaid video montages and background clips that portrayed design and assembly of their many synthesizers and synthesized instruments. Leonid and Friends do straight-up studio recordings with head-phones and sound-damping barriers between the different sections of the ensemble. There are enough cameras that everyone gets a turn on-screen during their featured moments. This detailed video capture and editing serves to show you just how many parts are being played, and how well they are playing together. Really, the vocal performances alone are worth the watch, with a special shout out to Vasilii Akimov, who absolutely shreds “I’m a man”; Sergey Kashirin, who plays lead guitar like he was born with the instrument in his hand, and takes lead vocal on several songs; the Ukrainian Serge Tiagniryadno, who covers Cetera’s counter-tenor on songs like “If You Leave Me Now”, and “25 or 6 to 4”; and the stunning Ksenia Buzina who floats her soprano above it all when the ensemble sings.

But, perhaps the best part of all in watching Leonid and Friends play these beloved chestnuts is the look on their faces as they accomplish their work. Every one of them is a picture of joy almost the entire way through each song, and when they finish, well they look like they could all use a cigarette. It is so much fun to watch such great musicians re-create a work that none of them was ever able to see performed by the original Chicago, and Leonid has created all of the arrangements by ear from listening to his record collection. This is truly miraculous, and a reason to hope for friendship between peoples. No doubt, an American band and their music is beloved wholeheartedly by this group of Russians (and a Ukrainian). Of that there can be no doubt.

Open Letter to Steve Gibson regarding Chrome version 69

This is an open letter to Steve Gibson of grc.com, author of many books and articles, and co-host with Leo LaPorte of “Security Now”, a TWIT network podcast on computer and Internet security.

I am posting this to provide a relevant, real-world case regarding a topic in episode 682 of “Security Now”, “SNI Encryption” https://twit.tv/shows/security-now/episodes/682?autostart=false.

I operate a small, two man IT support and Managed Service Provider business in central New Hampshire. This post is in the blog section of my website. You will see that my website is on Squarespace, and this is primarily a personal, consultative business for small business owners.

Yesterday, I took a support call from a long-standing medical client who was having trouble using a cash management system in conjunction with their company financial software package. It turned out that the problem was not something that I could help them with, but rather a matter for their accountant or service provider.

While I was working with the clinic manager in a remote assistance session, viewing and operating her computer desktop remotely, I noticed that she was using Google Chrome, and that there was an unusual icon in the upper right-hand corner of her browser window. I checked, and the icon was the uploaded profile image of a Google account that Chrome was logged into. I clicked on the icon, and the identity that came up was the business name of a competing medical clinic. I asked the clinic manager how the ID came to be there, and she replied in very anxious tones that she had no idea. She is not technical at all, but rather a very responsible administrator who can follow clearly documented procedures to the letter, but does not have much depth of perspective on most computer and Internet technology. She did not know what a Google account was, nor did she know that Chrome could be associated with a Google account and logged into.

As you can imagine, I became alarmed at this discovery, because if there had been some deliberate corporate espionage done against this person’s computer, this manager’s Chrome settings could easily be exfiltrated to another device logged in under the same account. Fortunately, the user was very clear that she never allows Chrome to retain user accounts and passwords to autofill login forms. She always responds “never” when prompted to save a password for a website, so I think that in this case, she is in the clear.

So, you can imagine my surprise when I caught up with my Security Now podcasts today, and you were discussing Matthew Green’s post about Chrome version 69, and Google’s decision to automatically log users into Chrome after logging into any Google service (https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/). However it came to be that my client became logged into a competing clinic’s Google account, and there are plausible explanations that do not involve corporate espionage, a few things are clear:

  1. My client had no understanding of what was going on.

  2. Exfiltration of credentials could have persisted for an indefinite period of time.

  3. Had an attacker wanted to exploit the access to the financial and medical web accounts that this manager was using, an amazing amount of damage could have been done to the business. It could truly have been an existential threat.

  4. Since the user had not stored any passwords in their Chrome browser, I preemptively logged the browser out of the account, and I am taking measures to ensure that other Chrome users in the business will be prevented from using personal Google accounts on their work computers. If we had chosen to do forensics and investigation, the cost of that process could have mounted up fairly quickly.

Thanks again for your great and tireless work keeping the public informed on this complex and tricky subject area. I love the show, and I am a loyal SpinRite user for many years.

Nate Abbott, Abbott Business Networks, LLC
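For other administrators facing the same clean-up, here is one way to express the control described in point 4 (no personal Google accounts in Chrome on work computers) as Chrome enterprise policy. This is an added example and not the letter's own procedure. The policy names BrowserSignin (0 = disabled, 1 = enabled, 2 = forced), SyncDisabled and RestrictSigninToPattern, the Windows registry key HKLM\SOFTWARE\Policies\Google\Chrome, and the Linux/macOS managed-policy directory are Chrome's own; the clinic domain is made up, and the assumption that Chrome applies the pattern as a case-insensitive full match against the account e-mail is mine.

```python
"""Chrome browser sign-in policy: audit a policy set for the gaps that let a stray
Google account attach itself to the browser, and render the hardened set as a
Windows .reg file and as a Linux/macOS managed-policy JSON file. Added example."""
import json
import re

# Chrome's own policy names and value meanings (Chrome enterprise policy list).
BROWSER_SIGNIN_DISABLED, BROWSER_SIGNIN_ENABLED, BROWSER_SIGNIN_FORCED = 0, 1, 2
REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"
JSON_PATH = "/etc/opt/chrome/policies/managed/signin.json"

# No policy at all: the Chrome 69 behaviour from the letter, where signing in to any
# Google site signs the browser in as that account.
DEFAULT_POLICY = {}

# Option A: nobody may sign the browser itself in to a Google account.
NO_SIGNIN_POLICY = {"BrowserSignin": BROWSER_SIGNIN_DISABLED, "SyncDisabled": True}

# Option B: only the business's own accounts may sign in (domain is an assumption).
DOMAIN_ONLY_POLICY = {
    "BrowserSignin": BROWSER_SIGNIN_ENABLED,
    "SyncDisabled": True,
    "RestrictSigninToPattern": r".*@clinic\.example",
}


def signin_allowed(email: str, policy: dict) -> bool:
    """Would this account be accepted as the browser's primary account under the policy?
    Assumes Chrome treats RestrictSigninToPattern as a case-insensitive full match."""
    if policy.get("BrowserSignin", BROWSER_SIGNIN_ENABLED) == BROWSER_SIGNIN_DISABLED:
        return False
    pattern = policy.get("RestrictSigninToPattern")
    return pattern is None or re.fullmatch(pattern, email, re.IGNORECASE) is not None


def audit(policy: dict) -> list:
    """Findings a reviewer would raise against a policy set (empty list means hardened)."""
    findings = []
    signin = policy.get("BrowserSignin", BROWSER_SIGNIN_ENABLED)
    if signin != BROWSER_SIGNIN_DISABLED and "RestrictSigninToPattern" not in policy:
        findings.append("any Google account can become the browser's primary account")
    if signin != BROWSER_SIGNIN_DISABLED and not policy.get("SyncDisabled", False):
        findings.append("saved passwords, history and settings sync to whichever account is signed in")
    return findings


def to_reg(policy: dict) -> str:
    """Windows: a .reg file for the Chrome policy key (ints and bools become DWORDs,
    strings become REG_SZ with backslashes doubled as .reg syntax requires)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{REG_KEY}]"]
    for name, value in policy.items():
        if isinstance(value, int):  # bool is a subclass of int, so True -> 1
            lines.append(f'"{name}"=dword:{int(value):08x}')
        else:
            escaped = value.replace("\\", "\\\\")
            lines.append(f'"{name}"="{escaped}"')
    return "\n".join(lines) + "\n"


def to_json(policy: dict) -> str:
    """Linux/macOS: the same policy as a file in Chrome's managed policy directory."""
    return json.dumps(policy, indent=2) + "\n"


if __name__ == "__main__":
    for name, policy in [("default", DEFAULT_POLICY), ("no sign-in", NO_SIGNIN_POLICY),
                         ("domain only", DOMAIN_ONLY_POLICY)]:
        print(name, "->", audit(policy) or "ok")
    print(to_reg(DOMAIN_ONLY_POLICY))
```

Option A is the simplest fit for the clinic in the letter, since nobody there needs the browser signed in at all; Option B is for a business that has its own Google Workspace domain and wants only those accounts accepted. Either way, keep SyncDisabled on for machines that handle financial or medical logins.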

How to Respond to Facebook: Hollow Out Your Account.

For the purposes of this article, I am naming Facebook, but I include any social media outlet that you feel has wronged you, whose practices you can no longer abide, whose reputation now affects your own. 

My feeling is that Facebook has abused our trust.  They promoted the idea that sharing more improved our experience and our lives.  All the time they were luring us into their plan to monetize our activity, fattening us like piglets for the slaughter.  It should come as no surprise that this resulted in disaster.  An American election with an asterisk; billions lost in market capitalization; no accountability for the information they publish. 

Friends and relatives have just shut it down.  They have downloaded their information and deleted their account.  We know that many are doing this.  Good for you, friends, you are the smart ones.  Me, I am an IT guy.  I tell people how to get the most out of their technology, whatever it is.  I am the Bodhisattva, delaying nirvana to lead others out of their darkness.  I thought that the right thing for me to do was run down the road to see where it led.  Then I could come back and tell everyone.  What I can tell you now is that this road has no end. It is a treadmill.

I started investing my data in Facebook many years ago.  I posted photos and videos, played the games where I answered all the questions about books and movies and hobbies and all of my likes and dislikes.  Family reunions, new babies, puppies, kittens, prom dates, marriages: all documented with easy and wonderful photos and videos from our ever-improving smartphones.  When the Facebook IPO happened, everyone questioned whether Facebook could monetize mobile.  Mobile was like gasoline on the Facebook flame. Facebook toyed with the idea of creating their own mobile phone.  They never needed to.  The iPhone and every Android phone became Facebook phones once the app was installed.  Go ahead and see how different your phone becomes after you remove the Facebook app.

Every step of the way, Facebook lulled us into a false sense of confidence in them.  When they made an overt anti-privacy move, they rolled it back if the up-roar was too great in the user community.  They weathered wave after wave of these scandals starting with early amendments to their terms of service, to their unduly invasive “Beacon” service, to ever more subtle and inscrutable betrayals.  First it was just your data, then it was your friends of friends’ data, and so on.  Opting out was possible, but the un-private default settings roped in millions as the capture of new, uninitiated users accelerated.  Facebook could not have played their cards more perfectly to maximize their own rights with respect to your information and minimize their own obligation.  Unless you are savvy and diligent, the drift in your Facebook experience shared ever more of your information.   So, ask yourself, how many of your friends are both savvy AND diligent?

Because I feel that I have been presented with incontrovertible evidence that Facebook is essentially not a benign influence in our society, I am moderating my account.  Because I communicate with so many of you, I do not want to punish our relationship by withdrawing from a medium that you may like, and, notwithstanding everything I have written here, I still value Facebook.  I will be posting less, and my interests in Facebook will be more commercial and less personal.  I have deleted the Facebook app from my smartphone.  I encourage you at a minimum to do the same.  My participation in Facebook will now be a dissident one.

It is apparent that the culture within Facebook is arrogant, insular, and elite.  I have spoken with a former employee with a position of some importance in Facebook Human Resources, and this person told me that they were frustrated when they recruited a brilliant candidate, and the Facebook managers would ask why the candidate had not attended Harvard or Stanford.  It is apparent that the Facebook organization is an Ivy League club, with all of the myopia and dysfunctional discrimination that implies.

Today, there are millions of businesses that operate almost entirely within the confines of the pages of Facebook.  Products and services are offered, specials advertised, messages exchanged, appointments made, and payments arranged.  There are millions of people around the world who find Facebook to be so convenient that they never look anywhere else for news or other information.   There was an online property that was in that position many years ago when the Internet was young.  It became one of the most powerful companies on Wall Street before it was merged with one of the biggest media companies of the day.  With any luck, we may be looking at a repeat of that story. What was the property?  It still exists.  It is called “AOL”.

WPA2 KRACK Wifi vulnerability

Some of you may have heard about a newly discovered Wifi vulnerability called “KRACK”, which stands for “Key Reinstallation AttaCK”.  It exposes a flaw in the WPA2 security protocol that virtually all Wifi networks use to keep out unauthorized users: by replaying a message from the connection handshake, an attacker within radio range can make a device reinstall the encryption key it is already using, which resets the device’s packet counter and causes the same encryption keystream to be used twice.  That reuse lets the attacker decrypt traffic it captures; it does not reveal your Wifi password.  Most of you are affected by this vulnerability.
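To show what “key reinstallation” actually costs, here is a small model of the bug and of its fix, as an added example that is not part of the original post or of the KRACK researchers' code. The cipher is a counter-mode keystream built from HMAC-SHA256, standing in for WPA2-CCMP's AES counter mode (the standard library has no AES); the key and the frame contents are constructed. The consequence it shows is the real one: once the packet number repeats under the same key, XORing two ciphertexts gives the XOR of the two plaintexts, and a guessable first frame reveals the second.

```python
"""KRACK in miniature: a client that resets its packet counter whenever a key is
(re)installed, so two frames get encrypted with the same keystream. Added example.
The stream cipher stands in for CCMP's AES-CTR; the nonce-reuse property is the same."""
import hashlib
import hmac
import struct


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Block i of the keystream is HMAC-SHA256(key, packet_number || i): a counter mode."""
    blocks = [hmac.new(key, struct.pack(">QI", packet_number, i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, packet_number: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, packet_number, len(plaintext)))


class Station:
    """Client state. install_key() mirrors the 802.11 behaviour KRACK abuses:
    installing the pairwise key resets the transmit packet number to zero."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0

    def install_key(self, ptk: bytes) -> None:
        if self.patched and ptk == self.ptk:
            return  # the fix: ignore reinstallation of the key already in use
        self.ptk, self.pn = ptk, 0  # the bug: a replayed handshake message lands here too

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, encrypt(self.ptk, self.pn, plaintext)


def recover(known_plaintext: bytes, its_ciphertext: bytes, other_ciphertext: bytes) -> bytes:
    """Same key + same packet number means same keystream, so c1 ^ c2 = p1 ^ p2:
    a known first frame (a predictable header) reveals the second frame."""
    return xor(other_ciphertext, xor(known_plaintext, its_ciphertext))


def demo(patched: bool):
    """Returns (packet numbers collided, second frame recovered by the attacker)."""
    ptk = hashlib.sha256(b"constructed-pairwise-key").digest()
    sta = Station(patched)
    sta.install_key(ptk)  # normal 4-way handshake completes
    known = b"GET /login HTTP/1.1\r\nHost: bank.example\r\n"  # constructed, attacker-guessable
    secret = b"Cookie: session=constructed-secret\r\n"       # constructed, must stay private
    pn1, c1 = sta.send(known)
    sta.install_key(ptk)  # attacker replays handshake message 3
    pn2, c2 = sta.send(secret)
    return pn1 == pn2, recover(known, c1, c2) == secret


if __name__ == "__main__":
    print("unpatched client:", demo(patched=False))  # (True, True)
    print("patched client:  ", demo(patched=True))   # (False, False)
```

The patched branch is also why the client-side updates matter most: the fix is a one-line refusal to reinstall a key that is already installed, and it lives in the device that connects, not in the access point.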

Here are the bullet points on this issue:

  • Protocol flaw affecting all devices secured by WPA2.
  • Newly disclosed, no known exploits in the wild.  (not super dangerous at this time)
  • Two classes of remedy: “Client”, and “Router/AP”
  • ABN Contract clients will receive remediation as it becomes available under contract terms automatically.
  • Clients without ongoing monthly support contract with ABN must contact ABN for service to remedy this issue.
  • Microsoft has already released a fix for Windows computers through Windows Update.
  • Other manufacturers and software publishers have not yet published all required fixes at this time. 

Fortunately, the threat level of this vulnerability is not high, partly because it was caught before any exploits have come to light, which means that it was a secret to bad guys and good guys alike.

Now that it is known, vendors are working hard to close the hole in the WPA2 protocol implementation.  There are two general classes of fixes coming to us for this vulnerability.  The first is a class of “client” updates, which affect anything that connects to a wireless network.  This includes Wireless enabled PC’s, laptops, smartphones, tablets, printers, and other wireless devices such as security cameras, baby monitors, and the like.  The second class of fixes are for the Wireless Access Points and routers to which the clients connect.

The most critical class of updates is the clients class, and there is good news here.  Microsoft has already released a fix to their Wireless client software, and anyone remaining current on Microsoft updates through the Windows Update process will receive, or may have already received their update.  Apple is beta testing updates for iOS and MacOS, as is Google and the various smartphone manufacturers for Android.  So, anyone following the ABN standard procedure to maintain all device updates as current as possible will be well served to keep it up and make sure that everything you’ve got is up to date.  ABN performs this service for contract customers, so those of you in that position need not worry, and watch for us checking up on this issue as we go forward.

The less critical but equally important class of updates is for the Wireless Access Points and Routers.  To correct the protocol flaw on these devices, a device “firmware” update will be required, and we are receiving communication from our major vendors indicating that they are developing and testing firmware updates for their devices.  Again, as a matter of course, ABN updates device firmware on wireless access points and routers for our contract customers as part of the contract support entitlement.  As firmware updates become available for each of your various access points and routers, we will be contacting our contract customers to schedule a maintenance window to perform the firmware updates.

Those of you who are not contract customers of ABN, you will need to contact us and request a review of devices for remediation.  Please call our main support number to get this service scheduled.  At this time we can check Windows updates only.  As time goes on and more of our vendors have issued fixes for their devices, we will have more that we can do for you.

As a side note, we have received independent confirmation that companies served by managed service providers like ABN were almost unscathed by the WannaCry and Petya ransomware attacks.  This is partly because those attacks relied on out of-date-software on networked PC’s which had gone months and even years without regular updates.  We make sure that doesn’t happen.

DRAM and SSD Shortage

One of our primary vendors just sent us this message:  

"We wanted to alert you to an industry-wide Dynamic Random Access Memory (DRAM) and Solid State Drive (SSD) supply shortage that’s impacting pricing across all vendors. The shortage has caused a 50–105% pricing increase and is expected to continue through the first half of 2017.

"The shortage is related to the high demand of NAND flash in the PC, smartphone and tablet markets, which has caused a decrease in availability of SSD and DRAM products."

We wanted to make clients, partners, and others aware of this news because a surprising amount of our business in the last year has been upgrading systems by installing additional RAM and replacing spinning hard drives with SSD drives.  It has made many computers that were manufactured since the release of Windows 7 fully adaptable to Windows 10 and newer applications that require more memory and demand faster disk storage access.

If you have not upgraded to Windows 10, it may still be useful to look at DRAM and SSD upgrades as a way to avoid a premature computer purchase, even with the higher prices for these items.  Use our feedback page if you want more information or you operate a New Hampshire business that may benefit from these upgrades.