SECURITY CORNER:  How to Know If Your Login Credentials Have Been Compromised in a Security Breach

This article is about how to know if your login credentials have been compromised in a security breach and what you can do about it.

As you continue to evaluate your options for using a password manager, and assessing your current security stance, we would like to share an industry-leading security website that tracks company breaches from across the world that will let you know if your email or password has been compromised in a security breach.

But first, let’s define “breach.” A breach is an incident where data is inadvertently exposed. This usually happens because there are insufficient access controls or there are security weaknesses in the software. In either case, it means your personal and/or business information is at risk for misuse.

Where To Check if Your Login Credentials Have Been Compromised in a Security Breach:

To check if your EMAIL has been compromised, go here: www.haveibeenpwned.com

To check if your PASSWORD has been compromised, go here: www.haveibeenpwned.com/Passwords

These web pages will check your addresses and passwords against known data that may have become compromised due to company breaches over the past several years. There is no login required and the web interface is easy to use.

What To Do If Your Login Credentials Have Been Compromised in a Security Breach:

After checking your common email addresses and passwords, if you find that your login information has been compromised, we highly recommend making some changes.  Review your logins and change the ones using compromised passwords to something unique for the specific site. If your email address was compromised, change the password for that email account too.

The best practice for creating a strong password is to include letters, numbers, special characters, and to make it at least twelve characters long.

How to Prevent Your Login Credentials from Being Compromised in a Security Breach:

Also, now would be an excellent time to start using a password manager, like LastPass, to help keep all these new passwords easy to track and secure.

If you would like guidance or assistance in setting up your firm with a password manager, please let us know. Your team at Sorted Solution is here to help.

If you think your login credentials have been compromised in a security breach, take a look on www.haveibeenpwned.com and follow the steps above.

Phishing Scam Notice

An increasing number of clients have contacted us about questionable emails that they are receiving, appearing to come from known contacts they do business with locally. These phishing emails appear to come from known contacts of the client and direct the recipient to the legitimate DropBox web site (See screen shots below). DropBox requests the recipient to download a PDF document, and when clicked, asks the user to enter their Office 365 Outlook login username and password to complete the request.

If you receive one of these emails, please forward a copy to us. We will review the email and direct you to delete it if it is considered phishing. If it is a phishing email and you know this business or contact, this means the sender’s email account has been compromised and you should contact them by phone to inform them. We have also learned the phone numbers in the phishing email’s footer has been changed, so please use a known phone number from your own contact database and use this fact as another indicator of a phishing email attempt.

Here is what to look for:

Clicking on the attached PDF brought them to a realistic-looking DropBox web page.

However, the three items that should make you pause are highlighted below.

  1. The filename listed in the “Attachment Download” box does not match the file name of the attached file in the original email.
  2. DropBox would not know that a file is an attachment. DropBox would actually display the attachment within your browser; or, would use wording like “download file.”
  3. The use of a term like “virus free document” is not something that DropBox would indicate. DropBox does not know if the file is virus free or not. That check is performed by your own anti-virus software on your workstation.

When clicking on the link, you were taken to a fake Microsoft site and asked to enter login credentials to access Outlook. However, as you can see, the address bar does not list office.com. My password manager LastPass (the highlighted icon on the right) does not attempt to automatically fill my office.com credentials because it does not recognize this site, regardless of what I see on the screen. And lastly, you would not be prompted to log into Outlook to open a file from DropBox when you are on the DropBox web site.

Help avoid becoming a victim of having your account hacked or accessing fraudulent sites by clicking on a link in an email you receive. Sorted Solution has three recommendations:

  1. Two Factor Authentication – Setup your web sites and accounts to use a passcode generator like Google Authenticator. Two Factor Authenticator (2FA) programs will randomly generate numeric codes that a user must supply when they are logging into your account, along with a username and password. At a minimum, you could also use SMS to have a text sent to your device from the web site when someone is trying to log in.
  2. Password Manager – Utilize a password manager like LastPass to store and manage your application and web site passwords. When you visit a web site with a password manager, the password manager will match the web site address and auto-fill your login information. If you visit a site and your password manager does not auto-fill the information, you are not be visiting the site you expect.
  3. Ask Us – Sorted Solution is a “no shame zone”. You can always contact us if you are unsure about an email you have received or if you clicked on a link. We will work with you to determine what happened and how to mitigate the possible effects.

If you would like assistance setting up Two Factor Authentication or a Password Manager like LastPass, please send us an email. And as always, if you have questions about suspicious emails you receive or links you might have clicked on, we’re here to help.

Security Corner: LastPass – a great solution for passwords and personal information

Are you looking for an easy and cross-device solution to save and remember your passwords, credit card information, and other crucial personal information? Have you become more concerned about your computer and device security state as you start saving and accessing more company and client data outside of the office? Sorted Solution would recommend LastPass from LogMeIn, as a well-balanced, secure, and easy to use solution.

What is LastPass?
LastPass has been the biggest name in password management for several years, and it is easy to see why. It is one of the most feature-packed of the best password managers and offers the best free tier. Even at the Premium tier of $36/year, the value proposition for this feature-packed password manager is solid.

Read more

Goodbye, Flash

You may have noticed for a while now that Adobe has blocked Flash content from working on your computers and devices, that’s because Flash has officially been retired. Adobe stopped supporting Flash on December 31st and as of Tuesday (Jan 12, 2021) it’s blocking all Flash content. Adobe is suggesting users uninstall Flash Player to help protect their systems as there will be no more security patches moving forward. You’ll find instructions on how to do this, as well as the reasoning behind it here.

Basically, Flash had been on the chopping block since 2017 as it was no longer as frequently used and was being phased out across major web browsers. While the retirement has mainly been a minor inconvenience, it posed a real problem for some people, particularly in the city of Dalian in China — that’s because they were using Flash to run their railroad system!

Slashdot reports commuters were late to work at first but the railroad’s technicians were able to get back up and running using a knockoff version of Flash.

Security Corner: Beware of Fake Emails

We have all seen it, those emails that appear in our inbox that have a subject of “Your service will be disconnected unless you act now,” “Reset your password now,” and “There’s a problem with your account.” Some of these look like the real thing and your instinct might be to immediately address the request but BE CAREFUL. Before you click a link, open an attachment, or respond, to the email, be sure to check a few things:

  • Are there blatant misspellings in the subject line or body?
  • Does the company font or logo not match what you would typically see online from that specific company?’
  • Does the From email address appear to be from a non-company domain (i.e. yahoo.com, gmail.com, outlook.com, etc.)
  • Does the From email address appear to excessively long or doesn’t make sense (i.e. support@client.support.helpdesk.aeafb.intuit.com or support@chase.us.com)

Here’s a real-world example of a scam email:

Imagine you saw this in your inbox. Do you see any signs that it’s a scam? Let’s take a look.

The email looks like it’s from a company you may know and trust: Netflix. It even uses a Netflix logo and header.
The email says your account is on hold because of a billing problem.

The email has a generic greeting, “Hi Dear.” If you have an account with the business, it’s unlikely you’ll see a greeting like this.
The email invites you to click on a link to update your payment details.

While, at a glance, this email might look real, it’s not. The scammers who send emails like this one do not have anything to do with the companies they pretend to be. This is a phishing email, where scammers are looking to obtain your personal information and can have real consequences.

If this does pass the “sniff” test and you click on a link, and you are sent to what appears to be a company website, but your password manager software doesn’t auto-populate the login, you might be at a scam site. Close your browser, and don’t go any further.

If you suspect you’re the recipient of a scam or phishing email, go directly to the web site from a new browser session and log into your account. Type in the website you know or Google it, don’t paste the link from the email. Banks, credit card companies, service providers will mostly likely send you a notice within your account if there is a problem or if they need something from you. Or, you may call the customer service department of the company and inquire about the request directly.

Alternatively, you can always forward your questionable emails to us at hello@sortedsol.com and we’ll help determine if it’s legitimate or not.

Security Corner: Time to Check Google Chrome is Up to Date

Google has released a critical patch to address new Zero-Day vulnerabilities that can impact Google Chrome. By default, Chrome is set up to auto-update but if when you first installed Chrome you happened to select to manually update, you’ll need to that now. If you’re unsure where you stand, here’s how to check:

  1. Launch Google Chrome
  2. On the top right of the Web browser, click the three vertical dots
  3. In the drop-down menu click Help
  4. Then choose About Google Chrome

If you see a message that reads: Google Chrome is up to date, you’re up-to-date.

If you learn you’re not up to date, then please click the Update option on the About Google Chrome page to initiate the Chrome update process.

Google recently found security vulnerabilities in Chrome and this update patches those security vulnerabilities. It’s important to keep software up to date all the time, and particularly around the holidays when scammers tend to up their efforts. As an aside, please remember to not open any emails, click on links, or open any attachments from people that you don’t know. Also, even if you do know the sender, if something feels off, call or email that person from a new email that you create, to check if they’ve indeed contacted you.

Using Deepfake Artificial Intelligence Technology to Protect

Sorted Solution is working with Special Effects Supervisor of Welcome to Chechnya and creator of the Digital Vail software Ryan Laney to make this new technology available to documentary filmmakers.

From Academy Award-nominated director David France comes Welcome to Chechnya, a powerful and eye-opening HBO documentary about a group of activists risking their lives to confront the ongoing anti-LGBTQ persecution in the repressive and closed Russian republic of Chechnya.

Further complicating the production of the film was the need to protect the identities of interviewees. Director France wanted to put a real human face on the story, so conventional techniques of disguising one’s appearance, such as blurring their faces, filming them in darkness or hiring actors to stage re-enactments were not enough. Eventually he opted for advanced facial replacement techniques using Artificial Intelligence and novel visual effects technology, so the viewer could see real faces displaying real emotions, while still protecting the identities of the speakers. The approach is a “game changer in identity protection,” according to Documentary Magazine, and a brand new tool for documentary filmmakers.

See the HBO trailer, read The NY Times and Vox articles.

Section 179 deduction – technology

As the end of the fiscal year approaches, now is the time to ‘use it or lose it’ when it comes to your firm’s hardware and software wish list. As you likely already know, you’re allotted funds toward technology purchases thanks to the Section 179 deduction. Technology that qualifies for this tax break includes servers, computers, tablets, networking equipment and off-the-shelf software, among other items, per BizTech.

While you don’t have to spend your money on technological upgrades, you might want to since unspent funds are collected as tax! Schedule a free consultation now to discuss your tech needs for the coming year and re-invest those resources to better support your plans for 2021. To schedule a meeting to review your specific tech goals, email hello@sortedsol.com or call us at (206) 316-9990.

Apple releases their next version of macOS Big Sur; plus new M1 chip coming soon

Apple released their next version of macOS Big Sur on November 12th. We know the new features are exciting. It has a new design and aesthetic, a customizable control center, and the rest, well, it could be a big Sur-prise.

As such, Sorted Solution recommends you wait to upgrade production workstations. In a few months, Apple will release initial updates with bug fixes and the software developers such as Graphisoft, AutoDesk, BlueBeam, Adobe, etc. will release updates that address compatibility issues with the new MacOS. That will be a much better time to consider an upgrade, on the software side.

Apple will also be releasing new hardware with its own designed M1 chip shortly. Should you upgrade your hardware?

Good question. While this new chip is impressive, it will be the first of its kind, and again, Sorted Solution would recommend waiting. Developers won’t have their software ready for the new chip for a while. Have all of your 3rd party software vendors released updates to support the new chip? We would imagine it will take them around a year to support it fully. Then M2 will likely be released by Apple.

If you’re in the market for new Apple hardware at this time, we would recommend purchasing hardware with Intel chips as opposed to the new Apple M1 chips. The Intel chips are now the most mature of its product line and will be for a couple of more years.

Remember, you want your production workstation to be stable, mature, and supported by 3rd party vendors.  Being on the cutting edge of any technology can be a risk to your productivity; not the challenge to add on to an already taxing year.

Look out, Bay Area: Seattle rises to 2nd best tech city in the U.S., passing Washington D.C. – GeekWire

Seattle is now one of the top two tech markets in the nation, according to a new report from real estate services company CBRE, behind only San Francisco, thanks to booming homegrown companies and a vast roster of out-of-town companies setting up shop here to recruit the city’s highly educated talent base.CBRE’s annual Scoring Tech Talent report uses 13 metrics like number of tech employees, population trends, wages, education levels, housing and business costs to rank the top metro areas for tech. Seattle came in third last year behind San Francisco and Washington, D.C.

Source: Look out, Bay Area: Seattle rises to 2nd best tech city in the U.S., passing Washington D.C. – GeekWire