Time to update your Exchange Server

If your company or organization uses Microsoft Exchange for email, you’re going to want to run the latest update…

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

Source: At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software — Krebs on Security

Why people quit Facebook

Eric Baumer, an assistant computer science professor at Lehigh University, has found in his research on Facebook “non-use” that people who cite concerns about data privacy in relation to corporations or the government as their main reason for quitting are likely to stay away from the site. Meanwhile, those who wanted privacy from people they know online are more likely to return. “Oftentimes questions about why people should delete their Facebook accounts are framed in terms of privacy,” Baumer said. “However, that single word glosses over a lot of complexity.”

— Read on slate.com/technology/2018/12/delete-facebook-movement-lessons-on-quitting.html

Google To Start Marking Sites Without HTTPS as Not Secure in July

If your nonprofit, church, or business website isn’t https:// with a reputable SSL certificate, Google’s Chrome browser update will start showing a warning message when visitors arrive. This will affect your site’s trustworthiness.

Get in touch if you need help or want to know more. You can also read a great take (and much needed insight) on this from blogging and podcasting visionary Dave Winer here.

For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

— Read on security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

The dangers of thinking “They’ll get it because they’re young”

So very true despite the stereotypes (spoken as a former college / high school / middle school teacher turned tech consultant). Parents have a big burden to bear in helping their young and old children make wise decisions about how and why to use the web. Just assuming “they’ll get it because they’re young” is very dangerous.

What is surprising about this data is that while education is a factor in online security literacy, age is less so. Users aged 65 and older were seemingly just as knowledgeable as users in the age range of 18-29; while online literacy bias in general is weighted toward younger users, the Pew survey suggests that overall there is a shared standard of what we know and what we don’t know.

Source: Why did we give our data to Facebook in the first place? – Scientific American Blog Network

Why doesn’t turning off Bluetooth on iOS actually turn off Bluetooth?

Another reason I tend to prefer Android is the ability to control things on a granular level. Does every user of a mobile device need that? Certainly not. Is Apple “wrong” for this “feature” design? That’s debatable.

But it’s interesting to see how Android and iOS continue to develop along their own trajectories when it comes to designing software for the Lowest Common Denominator of users…

Users can still completely turn off Bluetooth and Wi-Fi by digging into the devices menu settings, but essentially the button does not do what a user can reasonably assume Apple says it does, and that’s because Apple doesn’t trust you. This decision is the next logical step for what has always been Apple’s design ethos: It thinks it knows what you want more than you do.

via Apple Doesn’t Trust You – Motherboard

Pokemon Go snatches all of your Google data

By signing up to play Pokemon Go through Google, many iOS users have unknowingly exposed all of their emails, chats, calendars, documents and more to the game’s developer and third-parties.

Source: Pokemon Go catches all your Google data (here’s how to stop it) | Cult of Mac

I’ve been thinking a good deal about this game over the last few days. I should have posted before, but I wanted to wrap my head around the whole thing (as much as I can).

I’ll have a post up tomorrow with my thoughts.

Until then… this report is insanely terrible and horrifying given our current police state / insurance state / corporatist overlords. Our privacy is our power. Don’t give it away so easily, people.

Update

Fixed with new update on iOS.

FBI Looking to Delay Tomorrow’s Hearing on Apple Encryption

“On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking [terrorist Syed] Farook’s iPhone,” federal prosecutors said in a filing Monday afternoon. “Testing is required to determine whether it is a viable method that will not compromise data on Farook’s iPhone. If the method is viable, it should eliminate the need for the assistance from Apple Inc. (“Apple”) set forth in the All Writs Act Order in this case.”

http://www.politico.com/story/2016/03/feds-move-to-cancel-iphone-hearing-221062

Please Enable 2FA For Your Own Good and Ours

No one likes to take the time to make passwords online. When you’re setting up your CBSSports account to fill in your March Madness brackets, you just want to get to work. No one’s going to hack you, so you just use the same password there as you do for your Bank of America account and GMail. Who cares, right? You’ve got nothing to hide.

And then you get “hacked” and it’s no fun.

Being a “techy” person, I get lots of questions about how to avoid being “hacked” (it’s fascinating to me how that word has changed its usage as geek and tech culture has become mainstream).

My response is normally:

1) Never use the same password twice. Ever. Use a service such as LastPass if you’re into that (I am).

2) For each of the online services you use, make unique and long passwords that include random characters and even nonsense strings that only you know (I know, I know… this isn’t completely foolproof but it helps prevent the script kiddie hacks). Try to avoid common terms such as “password,” “changeme,” or “123456.”

3) Never use the same password twice. Ever.

4) If you can, enable 2 Factor Authentication.

5) Never use the same password twice. Ever.

Step 1 is usually when the person loses interest in my advice. But you should really enable Two Factor Authentication (2FA) as soon as possible if you’re at all concerned about your online accounts or just want to have a good lock on your doors to keep honest people honest.

TwoFactorAuth.org has a nice list of major services that we all use, with links to relevant instructions, such as Google Accounts, Dropbox, Twitter, Facebook, even Steam or Etsy, etc.

There’s no reason for you not to do this today.

Two-factor authentication! In this age of endless massive hacks we seem to be in the middle of, it’s one of the easiest ways you can dramatically boost security on your online accounts.

But which sites actually support it? It can be a pain to keep track. Fortunately, a new, community-driven list keeps a running list of all the big sites that have some form of 2FA enabled (and encourages you to nag at those that don’t).

via Here Are All The Sites You Should Enable Two Factor Authentication On (And The Ones You Should Yell At) | TechCrunch.