Tag Archives: internet

Taking Over…


Last year, I visited Atlanta Airport seeking an incident report. The airport is a massive place and, after I found a very helpful airport employee, I wound up outside the emergency services offices. Fortunately, the staff was both friendly and helpful and, within minutes, the gentleman I was speaking with was asking his colleague to look up the incident in question in order to provide me with the information I needed for the next steps forward. It all seemed very easy until it wasn’t. His colleague looked at his screen and then stated that something seemed to be going on and his computer was not responding. After trying a few things without success, I was given a phone number to call and follow up. I was to get what I was looking for within the next couple of days.

I left and heard nothing for almost a month, which actually worked out for me because I was traveling a lot and would not have been able to do much with the information. When my call was finally returned, I learned that the reason it had taken so long was that the city of Atlanta had been taken down by a ransomware attack. The day I was at the airport was when the attack was happening! Imagine that, I was in the midst of a lot of drama and excitement and had no idea. The only story I have to tell is that I saw a blue screen of death and then it took three weeks for my call to be returned.

I will say this: if anyone is affected by a ransomware attack, my story is probably the best outcome to have. A couple of years ago I shared a story about my friend whose clients were victims of ransomware attacks where $300 to $600 was demanded of them. In that time, ransomware attacks have become more sophisticated and a lot more frequent. Cryptocurrencies have also contributed to the boom because they make the attackers more difficult to track down. As I wrote in a piece on ransomware, the first known ransomware attack happened in 1989, where the attacker sent floppy disks to attendees at a conference. A program on that disk locked the computer on its 90th restart, demanding $189 of the user for a resolution. The Atlanta ransomware attackers demanded $52,000 (and it took over $2.5 million for the city to recover from the attack). The attackers may ask for what may seem like relatively small amounts when they attack, but it adds up. In 2016, ransomware attackers made over $1 billion and that amount climbs every year. In addition to the upfront cost of the ransomware demand, often a victim has to spend a lot of time and money recovering from the attack. I mentioned before that Atlanta spent over $2.5 million and they are not alone. Ransomware damages are predicted to reach $11.5 billion this year.

As you can see from my friend’s experience and that of Atlanta, there is no victim too large or too small for an attack and so it is imperative for all of us to take steps to protect ourselves and do what we can to mitigate any damages should we be attacked.

  • The first easy step is backup, backup and then backup offline. Because I have had backups fail on me, I try to have two backups of information, and it is important to make sure that your backup is separate from your computer. In this way, should your computer be attacked, your backup will be someplace else.
  • Then try to use two-factor authentication for your logins. Many applications and websites already insist on this but try to make it a habit for yourself, whether or not someone else is doing it.
  • Update your passwords regularly – yes, it’s a schlep but especially with very regular news about companies being hacked, companies that house your sensitive information and logins, it makes sense to keep changing these.
  • Be careful about opening up emails and clicking on attachments or links in those emails. I know we live in a world with way too many emails and way too little time, but think before you click. If you receive an email you are not expecting, check to make sure that it is a valid email. Just last week, I received an email from a fellow CPA and when I checked with her, it turned out that her email was hacked and was sending out malicious links. If the tone and language of the email are vague or don’t sound like the voice of the person you have dealt with in the past, double-check with the person. It doesn’t take long and can save a lot of pain.
  • Update your software. A lot of ransomware takes advantage of vulnerabilities in software and of the fact that many people do not regularly update their software. Set your machine to update automatically, then you don’t even have to think about it.
  • If, unfortunately, you are a victim of a ransomware attack, think on it before you pay. You are dealing with criminals. Although it seems that more often ransomware attackers do restore machines after attacks (it’s better for business, apparently) it is not assured. Often people find that they have no option because they do not have a recovery plan. If you have the option of recovery, it is easier to make the decision on whether or not to take the chance of paying.

Ransomware is on the rise and so it seems that more of us are at risk than before. It is smart to take a few protective steps if only to keep you from taking weeks to return a call.

 


Even When You Don’t Want To…


Linda Kadzombe

Linda was not my friend. I was in high school, sitting in the car, in the school parking lot, with my father, waiting for my little sister to show up. She ran up, with a friend and they stood by the car, smiling and sporting matching nose rings. My father looked up at the two girls, and their matching noses, and exclaimed – “I suppose nose rings are part of the school uniform now.” That is my first significant memory of Linda, who was my sister’s friend. Along with a great group of friends, Linda and I rang in 2000 in Victoria Falls. We talked about the fact that we were both moving to the United States and we promised to keep in touch with each other. This vague promise turned into a relationship that the word “friend” does not do justice. With our families far away, we checked in with each other almost every day and often the conversation started this way: “Just checking in. I’m alive.” Once, I called Linda when I was stuck in a dress I had ordered online and that I was trying on. She was living in Boston and I was in New York City and yet, she was the first number I thought of dialing. We were travel buddies and talked about becoming the sweet old lady travelers that we often came across during our trips. We shared a love of European chocolate and I was a person she taught, and gave permission, to stab her with an EpiPen should the need arise.

On March 6th, I received a call that had never even drifted into my imagination. While flying back home from an epic vacation with her cousins, Linda passed away. The news was devastating; it still is. At the same time, there was a lot to do. Whether or not you have planned for death, when death happens, there is a lot that needs to be done, not only to put your loved one to rest but also to sort out your loved one’s affairs. Friends and family came together for Linda and, as we navigated various issues, we were frustrated, energized, and touched, often all at the same moment. It made me think about the importance of planning, not only for the workplace, but also for one’s personal life.

The first step is the dreaded will. No one wants to ever think about their mortality but, even when you think you have nothing, you always have enough to put in a will. At the very least, you have your wishes. Even when you think to yourself – oh, I am single, and/or I don’t have children – you still should have a will. Remember that a will is a legal document and you should be sure to comply with the law, or your will may not be accepted as binding. For instance, the rules about whether or not a handwritten will is recognized vary by state. You should also see if your financial accounts can be set up to be transferrable or payable upon death, as this will save survivors the headaches of dealing with probate court. In addition to letting people know what you want done with your stuff, you should also think about how and where you wish to be laid to rest, if that is something that is important to you.

We live in an age of paperless billing and most business being transacted through online accounts. This means that, for many of us, all our accounts have a login and information about accounts and their existence may only exist in our email accounts. To questions about what accounts and liabilities Linda might have, we could only shrug and guess. Dashlane estimates that the average user has 90 online accounts! Consider making a list of your accounts that you will keep safeguarded in a safe, or with a lawyer, if you keep your will with a lawyer. There are various ways in which to work to both safeguard your personal information and also ensure that your accounts are known and closed correctly, after passing.

If you don’t already have it, get life insurance. The policy doesn’t have to be a big one; just enough to cover the costs that may come up due to death. These include:

  • Payment of final expenses;
  • Taking care of your loved ones, if you have loved ones that depend on you;
  • Payment of debts, so that your next of kin are not on the hook for them;
  • Payment of estate taxes

It may seem horribly morbid to talk about death and it is certainly no fun to deal with the affairs of a loved one. In the midst of grief, you don’t want to deal with some of the headaches that can pop up around the administration of everything – dealing with hospitals, funeral homes, airlines or whatever. Fortunately, Linda had an amazing network of people who loved her (and some incredibly kind strangers who saved the day more than once). All worked hard to get her home and laid to rest near her family. We also were able to spend a lot of quality time with friends and family that we had long promised to spend time with. You know how that happens – next week, next month or next summer turns into ten years. However, through it all, we had a lot of figuring out how to do something or where to find things because we had never even thought about navigating this terrain.

Take some time to think about what you have and what you want done about it. Talk to your loved ones and tell them to make plans, if they have not already. Remember that it is never too early to plan and, unfortunately, often too late.


Oh, Not So Much Fun…


On Christmas day, I was chatting with my niece, during family celebrations. My phone buzzed and I saw a notification that she had just sent me a message. That was truly odd, because, as I mentioned, we were chatting and, unless she was using her telepathic skills, she was not texting at the same time. Nevertheless, I asked her if she had sent me a message. She looked at me as though I had lost my mind, but double checked her phone and shrugged. It wasn’t me, she said and carried on with her day. Since she was engaging with people and not her phone, and because we were having a fun time with family, I decided that the likely bad news could wait.

I attended a talk earlier in the year where the speaker told us – There are two types of people: those who have been hacked, and those that don’t know it yet. By the time we got home, my niece had gone from being in the latter group to being a panicked person in the former. Often, a person finds out that they have been hacked when, as happened to my niece, their contacts complain about spam messages that they have received from that person. However, more and more often, people don’t know that they have effectively been hacked because the party hacked is a company that is holding people’s information.

In 2017, the most notorious example was on 17 September, when the credit reporting agency Equifax was hacked. Initially, the information was that about 143 million people might have been impacted. However, that number has climbed and what kind of information was accessed was vague. When people tried to check with Equifax, they often got different responses each time that they tried. Also, as the months have gone by, the number of people impacted has climbed. If Yahoo! is anything to go by, who knows what the final count will be. The best advice to take right now is to assume you have been impacted and to take preventative steps and, if you have not already done so, freeze your credit with all four of the major credit reporting agencies.

What is unsettling about how companies announce that they have been hacked is how long it takes for the news to come out. Equifax claimed that it discovered its breach at the end of July but it only made a public announcement in the middle of September. It was only in October 2017 that Yahoo announced that all of its accounts were hacked in 2013. That’s not a typo; they are telling us that if you had Yahoo, Flickr, Tumblr, or any other account owned by Yahoo, you were hacked in 2013. What is anyone supposed to do with that information, four years later? This is worse than a “Look out for falling ice” sign. In November, we found out that Uber had been hacked in 2016 and that the company had opted to pay off the hackers to destroy the information and keep the hack quiet.

The big takeaway is that it may be a while before anyone lets you know that you have been hacked and, unless you live completely off the grid, it is smart, and safe, to assume that you have been hacked. That said, there are steps that you can take to try to minimize the damage that can be caused by hacking:

  • Freeze your credit with the major credit bureaus. Learning about the Equifax breach was especially frustrating because people do not choose to share their information with the credit bureaus. I rolled my eyes at a headline that referred to “customers” being compromised. The best one can do right now (beyond not having a credit history of any kind) is to try to limit how much information gets out.
  • Check your credit regularly. Do this at least quarterly, to make sure that cards have not been opened in your name and without your permission. Annual Credit Report is the only website authorized by federal law to provide you with a free credit report from a credit reporting agency every twelve months. A great way to spread out the checking over the year is to get a report from one of the agencies every 4 months (instead of getting all three in one fell swoop).
  • Use two-factor authentication. This gives extra security over only using a password. The most common method of two-factor authentication is having a company send you a text with a unique code, before you can complete logging into an account.
  • Don’t click on every link you come across. If you receive an email with a link and it is not something you have been expecting (and sometimes even if it is something you have been expecting) don’t click on a link because it is there. Check the email to make sure you recognize where the message is coming from.
  • If you trust the link and have clicked on it, still be careful about what information you share. If you start to feel as though a company is asking for too much – either over the phone or through a website – stop sharing information. Find out, independently, if you really need to share that information and, again, make sure you know who you are sharing your information with and why.

Try to include these in your list of New Year’s resolutions. It won’t stop you from being hacked but at least, it may improve your chances of finding out about it early and taking appropriate steps.


Makes You WannaCry


A couple of years ago a lawyer friend told me about clients who were coming to her office, panicked because their computers had been locked by parties claiming to be the FBI. In order to get their machines unlocked, these fake FBI agents demanded to be paid a ransom. On Friday, over 200,000 machines were locked by people (I assume it was more than one person) who did not even pretend to be good. They encrypted the information on these machines and demanded $300 to $600 per machine or, they threatened, all the data on those machines would be destroyed. This type of attack is called a ransomware attack. A program is introduced into the machine, and it locks and encrypts all the data on the machine. A message pops up on the infected machine demanding that money be paid, almost always via bitcoin. Once the ransom has been paid, the message says, a method to unlock the machine will be sent. If the ransom is not paid within the time demanded, all the data on the machine will be erased. So much of our lives, both personal and business, is stored on computers; can you imagine what would happen if your computer was locked? The mere thought makes my heart speed up.

Earlier this year, a hacker crew called Shadow Brokers released several tools used by the National Security Agency (NSA). Among these tools was one called EternalBlue and this tool exploited a flaw in Microsoft Windows. Armed with the information that was leaked, Microsoft created a patch to fix this flaw and released this patch in March. Perhaps you have now read this far and you are wondering, if the patch was released in March, how did this massive attack happen in May? How many times has a message popped up on your machine while you are in the middle of something? The message tells you that an update is available for your machine. You see it, but you are in the middle of something important. You close the window and delay the update. This can happen over and over again. Some people, irritated by the notices, turn off the alerts altogether. Now, these automatic alerts are only available on versions of Windows that Microsoft is still actively supporting. So, if you have an older version of Windows, such as XP, Windows 8 or Windows Server 2003, you no longer receive alerts for updates. Either way, there are millions of machines that were vulnerable to attack on Friday. And on Friday, ransomware aptly called WannaCry wreaked havoc all over the world.

It is believed that the attackers gained access to computers and systems using infected zip files attached to emails. People opened emails and clicked on attachments. These emails did not come from friends and the people clicked on attachments, not knowing what they were opening. Many organizations store their computer information on servers, making all users interconnected, and the ransomware took advantage of this fact. WannaCry, once released by one user, made its way through the interconnected systems and attacked other machines, even those belonging to people who did not click on the infected attachments.

This attack has made many things apparent:

  • Keeping secrets can sometimes go very wrong. The NSA knew that there was a vulnerability in Microsoft Windows. If it was not for the Shadow Brokers leak, Microsoft may not have discovered this vulnerability and they would not have developed a patch to fix it. One can also argue that, if Shadow Brokers had not leaked this information, the hackers may not have known to create WannaCry and none of this would have happened in the first place. I have found, though, that generally speaking, secrets are not kept that way forever.
  • When I wrote about the fake FBI attacks, I stated the importance of keeping your computers up to date. I cannot stress this enough. When the reminders pop up on your machine to update your software, update your software. Install the security fixes. If you don’t want to be disturbed, set up a timetable so that your machine will automatically check for and install updates on a regular basis. Remember, also, to restart your machine on a regular basis. Many installations are not complete without a restart and some updates are triggered by a restart.
  • We live in a time where everyone receives more email than they want to deal with. We run the risk of making careless mistakes, opening up emails and clicking on attachments when we have no idea who sent the email and what is in the attachment. Nowadays, you are almost lucky if the only thing that the attachment does is send out a lot of spam to your friends. More often, clicking on that attachment can lead to hackers stealing information from you or holding your machine hostage. Sometimes, even when I receive an email, with an attachment, that appears to be from a friend, I will double-check with the friend to make sure that they have sent the email and their account has not been hacked. The extra step may seem tedious but, enough times I have found out that my friend was hacked, so I keep asking when I am suspicious.
  • If your operating system is no longer supported, you should consider getting new software that is. I say this with mixed feelings. Like most people, I hate being forced to buy something when what I already have has been working well for me and when I don’t like the new version. I feel scammed being made to spend that extra money and if the world only contained righteous people I would tell you to keep your software and change it when you are ready. But, we live in a world where people are ready to take advantage of an opportunity to get money out of you. Microsoft stopped providing support for Windows XP in 2014. This ransomware is specifically taking advantage of this fact. It’s a shame, but it is the way it is.
  • Back up, back up and back up some more. If you are regularly backing up your machine and keeping the backup either in the cloud or on an external drive, you know what you can do when your machine is held for ransom? You can ignore the ransom demand because you have your data saved some place safe. The clock can tick down, the files on your machine can all be deleted and, even though it will suck to restore everything, you can do so.

On Monday morning, people are going to go to work and turn on their machines and many machines running Windows XP or that have not been updated in months will be open to attack. Many of those that are attacked will want to pay the ransom because their data has not been backed up. Just weeks ago, articles were written about how British hospitals spent nothing on cyber-defense. On Friday, they could barely function. Maybe they had started having meetings and started discussing taking steps to protect their systems. But, like we all do when that warning popped up, they put it off. I am sure right now they are wishing they had done something to protect themselves because they had to scramble to fix a disaster.


Regular Check-Ups


Several years ago, I received a phone call from my bank. I was surprised to receive this phone call as I was probably this bank’s least profitable customer. I had recently moved to New York, it was my first bank account there and the account was remarkable only in how low its balances could get, especially just after I paid my rent check. The very nice woman on the line was calling to let me know that the bank believed that they had discovered fraudulent activity in my account. The bank noticed that, at least once a week, between $9.95 and $14.95 was being withdrawn from my account. The withdrawals were regular and, every time it happened, the name of the company making the withdrawal was slightly different from before. The regularity of the withdrawals, along with the amounts and the slight name changes, were all red flags for the bank. I was very grateful that the bank had spotted this and, quite frankly, rather shocked. I had assumed two things – first, that I was too poor to rob and, second, that the small transactions going through my account, on the rare occasions that I actually noticed them, were trips to the pharmacy or a lunch that I had forgotten about. It turned out that I was wrong on both accounts and an unscrupulous party took advantage of the lax attitude I had toward my finances. For over three months, at least once a week, money had trickled out of my account. Luckily for me, the bank helped me trace the amounts and credited my account. It seems that, in more recent times, banks are more likely to allow this kind of fraud to continue. They have decided to earn fees from these transactions instead of alerting their customers of these possible frauds.

After this incident, feeling violated by this invasion of my space (and funds) I became very diligent about checking my money. I had been very lucky. Yes, my money was being taken without my knowledge, but I was able to recover most of the funds and I had the bank looking out for me. Not many are so fortunate these days. It is important, therefore, to take steps to minimize the chances of unauthorized access to your bank account or, at the very least, to be able to quickly spot, stop and dispute transactions that you don’t recognize.

  • Be very careful about who you give your personal and financial information to, especially when this request comes via a cold call. Even if the person on the line sounds official, check the credentials. If need be, hang up and call up the organization that claims to be on the phone, using the contact number that you have in your records. If the person on the phone is a valid representative, they will not mind you checking to make sure things are above-board.
  • Check your bank and credit card balances often – at least once a week, if you can. Just about every bank has online banking facilities available to customers. Here, you can review recent transactions and make sure you know what happened with each one.
  • Be aware of the risks to seniors that you know, be they relatives or friends. Because of programs that tend to affect seniors, such as Medicare and Social Security, they are particular targets for the unscrupulous. Fraudsters will call senior citizens and either cajole or scare them into giving up their information. Check in with those who may be vulnerable, either because of advancing age or lack of computer savvy, and make sure no one is raiding their accounts.
  • Safeguard the physical information you have on your accounts. Keep statements and account numbers in a safe place. The last thing you want is to find out that a guest or someone who has worked in your home, has taken your information and used it to gain access to your money. Don’t leave the temptation out in the open – that is only asking for trouble.
  • Should you come across odd activity in your account, be sure to call your financial institution and look into the matter. Time is of the essence here as, often, after a time, it becomes near impossible to reverse a transaction, even if you can show that it was unauthorized.

Once keeping track of your money becomes a habit, it also becomes a very simple exercise. If you check in regularly, there are only a few transactions to remember at a time. If you check in regularly, you will also become more familiar with your own spending patterns and be better able to spot irregularities. As a bonus, if you check in regularly, you may also realize that you have bad spending habits that need some rehabilitation. It doesn’t matter how much or how little money you believe you have, there is always enough for someone to take away from you. All of this monitoring of finances may sound a touch paranoid, but paranoid is often better than broke.
