Friday, December 31, 2021

Same Auld, same Auld Lang Syne

 


This New Year’s Eve instead of singing Auld Lang Syne, I’m going to sing same old anxiety.

Not only does it NOT feel like 2021 has come to an end, but it feels like 2020 and to some extent 2019 haven’t ended either. And with yet another new variant of the Coronavirus spreading throughout the world, it’s beginning to look like things will be very much the same in 2022.

I’m usually an unabashed optimist and always try to look on the bright side of life. (Go ahead and sing it. I know you want to.) But the events of the last few years have left me so very tired that even I am having trouble giving people the benefit of the doubt. I’m beginning to think that Eric Idle was right and not only is life “quite absurd, and death's the final word” but that people are treating life like a piece of $h!t and are making death a joke by listening to pundits and politicians instead of scientists and doctors, who actually know what they’re talking about.

I’m also exhausted by all the excuses people give like “the government can’t tell me what to do” or wearing a mask or vaccine mandates “violate my rights.” I’m tired of trying to explain to people that even in a democratic society, government DOES in fact have the right to tell you what you can and can’t do. If it didn’t, we’d be living in anarchy, not a democracy! Furthermore, with the rights we have as Americans comes responsibility to others, yet no one is talking about that!

Contrary to what some pundits would have you believe, the government isn’t saying you must wear a mask at all times and get a vaccine shot or you will be arrested and sent to a gulag somewhere. 

No. The choice on whether you want to do that still resides with you. All it’s saying is that if you want to go into public places, you will need to abide by certain rules designed to help protect others. It’s your choice. Don’t want to mask up or get the jab? Fine. The government doesn’t care. You can stay home and do what you want. But if you want to venture out into public, where you can potentially spread the virus to your fellow citizens – or worse yet catch it yourself – then you have to mask up or get vaccinated. The choice is entirely yours.

I don’t understand why people can’t seem to grasp this concept. Growing up, I never heard one complaint about the “No Shirt, No Shoes, No Service” signs on restaurant doors. If you wanted to eat out, everyone knew you had to put on a shirt and at least wear some sandals before entering an establishment. Same thing about the 25 MPH speed limit through residential neighborhoods. No one ever screamed that the government was violating their rights by making them drive their car slowly through streets kids play on instead of driving it however fast they want. 

These are THE SAME TYPES OF RESTRICTIONS as the mandates that people are now screaming about! And despite a year’s worth of proof that masks and vaccines drastically slow the pandemic’s progress, there’s still a large minority of the population who doesn’t believe this.

That’s why I’m no longer optimistic that 2022 will be any different from 2020 or 2021. If this keeps up, the pandemic will drag on and on, drawing ever closer to my friends and family until it finally claims someone close to me.

So that’s why at midnight (with apologies to Scotland’s national poet, Robert Burns) I’ll be singing:

For old anxieties, my dear

For old anxieties!

We'll need a jab o' vaccine yet

To put to rest old anxieties!


Tuesday, November 30, 2021

Starting a new chapter, literally



You’d think that after spending over a decade trying to finish one novel, I’d be anxious to get it edited and published.

And you wouldn’t be wrong.

I am.

It’s just that now that it’s done, I’ve become more intrigued with the idea of finding out what happened to my characters after the story ended than with revisiting events I’ve already written about.

When I grew up, most sequels to stories I loved always seemed to begin with the characters “reset” back to a state near to where we first met them. What they’d been through didn’t seem to change them much at all, so they were ready and willing to take on the next great threat or go out on a new set of adventures.

This was especially true of genre TV shows of the time -- “Star Trek,” the original “Battlestar Galactica” and classic “Doctor Who” as well as films featuring characters like Indiana Jones, James Bond or any comic book character.

Sure, sometimes the writers would pay lip service to the things characters went through in previous stories, but more often than not, it was only used as a plot device to propel the characters into the new story, then all but forgotten.

The problem is things don’t work that way in real life. People just don’t “move on” or reset themselves after experiencing life-threatening events. Just ask any military veteran or first-responder who’s been through a harrowing event.

It changes them, whether they’ll admit it or not, and while my characters may not be real people to you, they are to me. I figured they’d be suffering some sort of PTSD, and what kind of friend would I be if I didn’t help them through it? So, for the last three months, I’ve been taking them to therapy, helping them explore what they must be feeling and trying to help them figure out how to live with what they’ve gone through. 

I have no idea where this is going. I just have a couple of vague ideas banging around in my head, and a handful of characters I really enjoy spending time with. Like my first story, I’m just feeling my way through this, with no set plot in mind. I figure I’ll just keep writing and rewriting scenes until hopefully a coherent story emerges.

And if I get stuck -- which I know I inevitably will -- I can always go back to edit the first story until new inspiration hits.


Sunday, October 31, 2021

Sneak Peek at my new book, Tears of the Phoenix

Phoenix with Fornax in the background


Welcome to the world of Phoenix, a desert planet in orbit around a red dwarf star that its inhabitants call Fornax


Over the last two months, I’ve told you a bit about the novel it has taken me half my life to finish, Tears of the Phoenix, and while it still needs to be thoroughly edited, I’m anxious to share it with the world.

That’s why I decided to publish the prologue from it, which takes place in the distant past, but whose events set the whole story in motion.

So, without any further ado, here it is. Let me know what you think of it in the comments below:


PREFACE:  Betrayal


“Who are you to betray the prophecy?! To betray G-d?! To betray me!”

Three women knelt before the angry king. They wore tattered white robes with red sashes, their hands bound behind their backs, their bald heads bowed.

The woman on the left, the eldest of the three, looked up, hatred turning her eyes a deep red. “The Tears of The Phoenix are too powerful for any one man to possess,” she spat.

The king back-handed her across the face, hard. “I will have none of that, witch!” he said. “Do you take me for a fool? Do you think I would not have taken precautions against your powers?” he asked, nodding to two women standing behind him, their eyes glowing red from beneath their hooded white robes. “For far too long we have been ruled by you Tyrs and your constant rivalries! All you have brought us is war after bloody war. I am so near to ending all that…”

He turned to face the woman in the center.

“Morwyn, my wife! How could you of all people betray me?” he half sobbed. “How could you lead this rebellion against me when it was you who first foresaw that I would find and unite all eight Tears and with them our people under one banner?”

“You mean unite them under one tyrant!” the third woman hissed. Her small narrow eyes, flat nose and thin mouth twisted into a bitter expression.

“Jethric…” Morwyn said softly. “My sisters and I were just trying to do our g-d’s will. The Great Phoenix split The Tears for a reason. It knew their power would be too much of a temptation! Look at you, husband. Your desire to find the final three Tears has clouded your mind. Can you not see you do not need them? You were so very close to victory. Had it not been for your lust to complete the set, you would have already achieved your goal! The Tears changed you, Jethric. They have driven you mad!” she wept now. “The rebellion was the only way we could protect our people! We had no choice!”

“Of course you had a choice!” he yelled, taking her chin in his hand. “You could have trusted me! Please, tell me where they are and all will be forgiven.” Tears filled his eyes now.

“I am sorry,” Morwyn whispered, looking into the face of a man she no longer knew. “I cannot.”

Jethric released his wife’s face, stepped back and drew an ornate sword he wore on his side. With a single quick thrust, he plunged it into each woman’s chest. His expression was strangely blank as he watched a crimson pool slowly ooze from beneath the bodies and run in streams down the seams in the stone floor. For a long time he didn’t move or speak. Finally, he turned to his castellan. “Bury them,” he ordered, his voice flat, emotionless.

“Sir? You mean burn them? Traitors or not, they are – were – Tyrs.”

“They were nothing!” Jethric growled, some life creeping back into his voice. “They never existed. I am erasing them from history.”

The castellan’s jaw dropped in horror as he realized what his king was asking. He didn’t just want them dead. He wanted them annihilated. Burying them would trap their souls in their bodies forever. He was wiping them from existence for all of time.

“Sir…” he hesitated.

“Do as I ordered, castellan, or your body will join theirs.”

The castellan shivered, nodded once and ordered the bodies removed. The king turned from the carnage in front of him and walked over to a nearby window, and just stared out into the desert.

“The price of betrayal,” he muttered when the castellan joined him a moment later. “I will fulfill the prophecy and unite our people. Then all this bloodshed can finally end.”

“And what of the eight Tears?”

“It is my destiny to unite them too.”

A white mist began to swirl around the men, who suddenly seemed to be receding, though they were not moving. Soon they were completely obscured. Then through the fog emerged two balls of flame. They burned through the mist, finally transforming into a set of glowing red eyes.

“Never forget what they did to us, Malise. Never forget.”

“Yes, mother,” Malise said.

Thursday, September 30, 2021

Presenting my novel: Tears of the Phoenix

Last month I mentioned that I’d finally finished writing a novel I’ve been working on for nearly 40 years but never mentioned the title nor what it was about.

That was on purpose. You see, I wanted to whet your appetite and build suspense for this month’s big reveal.

Okay. Not really.

I just wanted to give myself a topic for this month’s post. 

So now that I’ve done that, I’m finally ready to tell you what my epic-in-the-making is about.

As you can see from the preliminary cover pictured above, it’s called “Tears of the Phoenix” and it’s what I’d like to think of as space opera grounded in reality. I call it this because I tried to make the characters, settings and situations feel so familiar and plausible that all the space opera tropes just fade into the background. 

I was inspired to do this by stories like George RR Martin’s “A Song of Ice and Fire” series, which reads like a history text on medieval Europe if medieval Europe just happened to feature dragons and magic, or some of the Marvel movies such as “Captain America: The First Avenger,” which was really a ’40s-era World War II flick that just happened to be about a superhero, or “Ant-Man,” which was really a heist film in the vein of “Ocean's 11” or “The Italian Job” rather than another superhero origin story.

Whether I succeeded in doing this will be up to you, but here’s the back-of-the-book synopsis:

After a chance meeting with a shy, young graduate student at a prestigious Upstate New York university, medical student Dawn Amanda finds herself drawn into a galactic civil war between two alien factions racing to find and control eight crystals which hold the power of creation itself.

But she soon finds that she is no innocent bystander to events she thought beyond her control and soon realizes that she is an integral player in a crusade whose outcome will determine the fate of both their races.

Let me know in the comments below if this blurb would make you want to pick up the book or if you like the cover.



Tuesday, August 31, 2021

Never Can Say Goodbye



While the start of a novel of a thousand pages begins with the typing of a single word, it often ends with both a bang and a whimper.

The bang, of course, comes from both the climax of a hopefully exciting plot/character arc and the elation of finally finishing a long-awaited masterpiece, while the whimper comes from having to let go of a work you’ve poured so much time and effort into.

I discovered this odd dichotomy earlier this month when I finally finished writing a story I’ve been working on for almost 40 years. It’s taken many forms over the past four decades and while the plot and setting have changed many times, the main characters have mostly remained the same.

They’ve been with me for so long that they feel like real, flesh-and-blood people who have seen me though all the major changes in my life. They were my constant companions, with me day and night, whispering their secrets into my ears and keeping mine. And now that their story has concluded – at least for now – I feel like I’m leaving them behind.

Only I don’t want them to go.

I know. There is still the long and arduous editing process where I’ll need to do some rewrites to trim the bloat, streamline the plot and fix any continuity errors caused by writing the story out of sequence over such a long period of time. And then there are the inevitable sequels that are already swirling around in my head. But it’s still kind of strange and sad knowing I’ve finished with them and their main story for now.

At the moment, I’m not sure how I’m supposed to spend my future summer vacations. I used to spend them in the pool, in my floaty-chair, pad of paper and pencil in hand scribbling away to finish this story. It was my way of removing myself from any distractions or temptation to do something else and let me concentrate on just writing. Every year, I’d tell myself, “This is the summer I’m going to finish it!” and inevitably I’d struggle to overcome writer’s block or my imaginary friends would stop whispering in my ears and my progress would slow to a crawl.

That seemed to change last year with the pandemic. Suddenly, they couldn’t shut up and I spent both this and last summer just trying to keep up with them. Not everything they told me turned out to be true, because I needed to rewrite some sections two or three times before they told me I’d gotten it write… er… I mean right. But at least they were filling in the remaining holes in their story. I guess they’d gotten tired of being locked down too. 

So again, I spent every hour I could this summer either in my pool or on a hammock swing in my backyard away from all distractions, dutifully recording what my imaginary friends were telling me before they stopped talking again. Then, before I knew it, I was done.

At first, I couldn’t believe it. Part of me never thought I’d actually finish. I was ecstatic!

Then came the letdown, depression and listlessness. For a week or two after that, I didn’t have the motivation to type those last hand-written sections into the computer to complete the initial draft or do anything even remotely creative. 

Fortunately, the feeling has faded and last weekend I began typing in those final sections, so that by the end of Labor Day weekend, I’m pretty sure I’ll have that initial draft assembled and truly know if that single word did indeed begin a journey of a thousand pages.


Saturday, July 31, 2021

Cybersecurity wrap up

For the last six months, I've been writing about how to keep yourself safe online. I concluded the series -- for now -- last month, and for your convenience, I'm creating an index of all those articles here so you have one handy place to reference all of them.

When it comes to Cybersecurity, humans are the weakest link

Just trying to use technology to protect data won't keep people safe from cyber criminals. In fact, it may actually make matters worse. Adding complexity to existing security systems will only make it harder for regular folks to use and understand it. The key to keeping people safe is to change their behavior.

Cybersecurity speak: Is it all geek to you?

When IT folks start talking about cybersecurity we often use many terms people don't understand. So in this article, I explain what much of that jargon means. 

Is there something phishy going on in your inbox?

In this article, I show you how you can identify scam e-mails that enter your inbox. And the key to protecting yourself is deceptively easy – trust nobody. Assume every message you get is fake until you can confirm it’s not. 

Pass the word about good passwords

You hear IT folks saying it all the time. You need to create complex passwords and should have a different one for every account you have. The problem is remembering them all. This article will give tips on how to do that.

2FA or not 2FA? That’s the question…

No matter how unguessable you think your password is or how careful you are about avoiding online scams, your credentials could still be stolen by hackers who target the companies who store those passwords. That’s why you need to further secure your important accounts by using something called Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA).  

Focus on the people, not the technology

IT folks need to get users to think about cybersecurity in the same way they think about their safety and security in the real world. Because when it comes down to it, keeping safe online is nothing more than following the same common-sense safety procedures we were all taught as kids and no longer even have to think about.

Wednesday, June 30, 2021

Cybersecurity: Focus on the people, not the technology

 

Over the last few months, I’ve written a lot about cybersecurity, yet many of you may have noticed that I didn’t talk a lot about technological defenses such as software that you can install on your devices to detect and block viruses and malware, or things like VPNs, which can help anonymize you so hackers – or even the companies you do regular business with – can’t track you across the web.

Neither did I talk about rules you could set up to prevent spam and fraudulent e-mails from reaching your inbox or browser add-ins you could install to block you from going to malicious websites which try to trick you into revealing your personal information or downloading spyware.

It’s not that these things aren’t important – because they are – but I’ve noticed that when you start taking about stuff like that, a lot of people’s eyes start to glaze over. It all sounds very complicated, and many people don’t understand it or lack the confidence or competence to set it up themselves.

Another reason I avoided talking about these things is because having all the best security technology in the world doesn’t guarantee you won’t become a victim of cybercrime. 

Just ask the folks who run the Colonial Pipeline and JBS Foods. Both these big companies have a department full of IT folks equipped with some pretty sophisticated equipment, yet both got hit with ransomware attacks in May and both had to pay a huge amount of money to get their data back.

You see, technological defenses can only go so far in keeping you safe. As I talked about in my January post, it’s the human factor that always proves to be the weakest link. Inevitably, when a cyber attack succeeds it’s because some user, somewhere, clicked on something they shouldn’t have.

Look, I’m not laying the blame solely on intentionally careless users. Most folks I know try to be careful, but either don’t understand why they need to follow the guidelines their IT folks say they should or find all the procedures and checklists too complicated or hard to remember. And frankly this is the fault of us IT folks for making things way more complicated than they need to be.

Instead of concentrating on the technical aspects of keeping people safe, we IT folks need to take a more people-centric approach to cybersecurity. We need to tie its concepts to the things people already do in the real world without really thinking about it.

For example, if you asked most folks if they would leave the key to their house under the door mat where every burglar in the world knows to look for it, or ask them if they’d leave their wallet or purse unattended in a public place or if they’d give a complete stranger their credit card, social security number or bank account number, I’m sure 99.999999 percent of them would say no. 

It’s just common-sense safety procedures we were all taught as kids and don’t think twice about. We just do it without thinking because it’s so ingrained in us. 

And that should be the goal of every IT professional: get users to think about cybersecurity in the same way they think about their safety and security in the real world.

For example, no one would secure their valuables with a padlock which only had a one-digit combination. Anyone could open that lock in seconds by just trying every number from 0 to 9 until they got the right one. Furthermore, they wouldn’t use that same one-digit combination on every lockbox they owned. That would be crazy, right?

 Yet in 2020, over 2 million people used “123456” as their password!  

But having so many passwords is hard to remember, they’ll say. To which I’d answer: So is remembering what all the different keys on your keyring are for, but you don’t have a single key that opens all the doors in your house, car, office, or deposit box, do you? It would be too dangerous if you lost it.

The key (if you’ll excuse the analogy) is to get people to see that cybersecurity isn’t some new nebulous thing they need to master but just an extension of the everyday, real-world safety habits they’ve been practicing all their lives. There’s no need to master any new skills. They just need to apply the skills they already have to the virtual world as well as the physical.

I really believe that this people-centric approach to online security is vastly superior to any technological solution we could come up with. If we can get people to view that fake e-mail from a bank with the same suspicion they’d give to a stranger who just knocked on their door and claimed to be a representative from their bank, then there would be little need for all that super-complicated technology.

I hope that this series has helped you to better understand this and see that keeping yourself safe out there in cyberspace isn’t as complicated as you might have thought. 


Saturday, May 29, 2021

Cybersecurity: 2FA or not 2FA? That’s the question…

Graphic courtesy of Marshall University IT Department


Okay, you’ve learned how to spot fraudulent e-mail and text messages and have followed my advice about creating different, strong passwords for each of your online accounts. Now you can relax, knowing all your important information is safe and secure, right? 

Wrong! 

No matter how unguessable you think your password is or how careful you are about avoiding online scams, your credentials could still be stolen by hackers who target the companies who store those passwords. That’s why you need to further secure your important accounts by using something called Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA).  

Doing this creates an extra step to prove your identity when you go to login to a website, device or application, by having you enter a second piece of information completely separate from your username or password.  

Yes, this extra step may be inconvenient, but it provides an extra layer of security because the more time and hoops you make a hacker jump through, the more likely it is that he or she will just give up and move on to another victim whose account is easier to crack. 

Even for cyber criminals, time is money, and the goal of any good cybersecurity strategy shouldn’t be to stop every attack. Frankly, that’s not possible. It should be to put so many barriers up between you and the hackers that it’s simply not worth their time to victimize you.

So how exactly does all this work? And isn’t that second piece of information just as vulnerable to being stolen as a password? 

No.  

You see, the way 2FA/MFA typically works is that the site or device you are trying to log in to either sends that second piece of information to another device in your possession or prompts you to enter information from an app you have on that second device. Either way, that information – usually a six-digit code – constantly changes and is only good for a short time, often under a minute. So even if a hacker manages to get ahold of the code, they can’t keep using it over and over again to gain access to your account like they could a stolen password.

Like all things, this method is not fool-proof, and there are ways around it even without direct access to your second device. But those methods are harder to do and hackers may decide it’s not worth the time and trouble and move on to someone else. 

Currently, most people use their cell phone as that secondary device to set up multi-factor authentication, and that’s what I’d recommend doing if you have one. It’s more secure than having messages sent to an e-mail account, which is easier to hack than a device you almost always have with you anyway.

If you decide to use your cell phone for this, I’d also recommend registering another mobile device -- if you can -- as a backup. This way if you lose your phone, you can have your cell phone provider help you remotely wipe it, disabling its ability to do MFA, yet still be able to authenticate with the other device.  

There are several different ways MFA works. Here are the five most common ones: 

 ‘Push’ Notification to a Mobile Device  

With this method, the account that you are trying to log into will create a popup message on your cell phone or other mobile device notifying you that someone is trying to log in and ask you to either allow or deny the attempt.  

It’s called a “push” notification because the website that’s being logged into initiates the communication and allows you to hit a big red or green button to either allow or deny the login right from that notification.  

What makes this method so secure is that A) you get a real-time notification when someone is trying to log in to your account and B) any bad guy trying to hack into your account must either have your mobile device in hand or get you to tap Allow on a prompt you didn’t cause. So if a prompt shows up when you aren’t logging in, deny it: it means someone already has your password, and you should change it.

The downside to this is not all websites that support MFA support push notifications which leads us to… 

Text or SMS Notification 

Similar to a push notification, the account that you are trying to log into will initiate communication, but this time, instead of giving you the yes/no option in a quick popup message, it will send you a text message with a six- or eight-digit code you will need to manually enter on the website’s login page to continue.

It has the same advantages as a push notification but two additional downsides. You have to manually enter a potentially long code from your phone, and the code is tied to your phone number rather than your phone: a crook who talks your carrier into moving your number to a new SIM card can receive your codes without ever touching your device. That makes text codes weaker than push or an app, though still far better than no second factor at all.

Mobile App on your device 

The third method involves you having to download a mobile app such as Google Authenticator, Duo Mobile, Microsoft Authenticator or LastPass Authenticator. Each of these apps constantly generates changing codes from a secret key that is shared only between the app and the site you are trying to log in to (that’s what the QR code you scan at setup contains), combined with the current time. The algorithm itself is public; it’s the key that has to stay secret.

So when you go to log in to that website, the website will only let you in if the code it computes from its copy of the key matches the code the app on your phone produced. Since the codes change every 30 seconds (the usual setting), it’s extremely unlikely a cyber crook could guess that code in so short a time.

Again, the main advantage here is that the attacker has to have your mobile device (or the secret key you scanned at setup, which is why you should never share that QR code), but it does come with the disadvantage of not getting any real-time notifications should someone else try to log into your account.

If you don’t know which one of these apps to use, PC Magazine’s recent review of The Best Authenticator Apps for 2021 can help you decide. And don’t feel like you have to choose only one of them. I use two different ones on my phone without issue. (However, having only one does make things easier to manage).  
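To make the “matching codes” idea concrete, here is the time-based one-time password (TOTP) algorithm those authenticator apps implement, written out in Python. This is an added example, not code from the original post or from any of the apps named above. The shared secret and the eight-digit codes it produces come from the test vectors published in the public standard (RFC 6238), so they are not anyone’s real account key; the 30-second step is the usual setting, and the one-step verification window is my own illustrative choice.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret taken from RFC 6238's published test vectors (not a real account key).
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds each code stays valid; the usual authenticator-app setting
DIGITS = 6       # most sites show six digits; the RFC test vectors use eight


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, then truncate."""
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # "dynamic truncation" offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): the counter is the number of
    time steps since the Unix epoch, so phone and server agree on it by clock alone."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int,
                step: int = TIME_STEP, digits: int = DIGITS, window: int = 1) -> bool:
    """Server-side check. Accepts the current code plus `window` steps either side
    to tolerate clock drift; anything older is rejected, which is why a stolen
    code can't be replayed later. Compares in constant time to avoid timing leaks."""
    counter = int(at_time) // step
    for offset in range(-window, window + 1):
        expected = hotp(secret, counter + offset, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Enrollment QR codes carry the secret as Base32 (case-insensitive, often
    shown in spaced groups); normalise and decode it for use with the functions above."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding the QR text usually omits
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(RFC_TEST_SECRET, code, now))
    # A code that was valid ten minutes ago falls outside the window and is refused.
    stale = totp(RFC_TEST_SECRET, now - 600)
    print("ten-minute-old code accepted?", verify_totp(RFC_TEST_SECRET, stale, now))
```

Run it and you’ll see a fresh code accepted and a ten-minute-old one refused, which is the whole point of the “it only works for a little while” property described above. Notice also that nothing in the code is secret except `RFC_TEST_SECRET`: anyone who copies that key (for example by photographing your enrollment QR code) can produce the same codes your phone does.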

Physical Token 

Physical tokens are small key-chain sized devices that do exactly the same thing as the mobile apps. They were prevalent in the days before smart phones became ubiquitous and have the same advantages and disadvantages of those mobile apps. There are also versions that look like a USB thumb drive that plug into your computer and provide the second form of authentication automatically.  

Email Code Method:  

This method works similarly to the text/SMS code method except that the code is sent to an e-mail account that you told the website to use. This is perhaps the least secure method of them all, because cyber criminals do not need physical access to a device in your possession and assuming you haven’t secured this account with 2FA, only need to guess your password to get in.  

Does it mean you should not use it? 

As a primary authentication method, I’d advise against it, but it’s not bad to have it set up as a backup or third way to authenticate should your phone be unavailable. (Some sites allow you to set up multiple ways to authenticate while others only allow one. As for the names: two-factor authentication is simply multi-factor authentication with exactly two factors, so you’ll see the terms used interchangeably.) Just be sure you have the strongest possible password on that e-mail account.

Setting up 2FA/MFA 

How you set all this up will differ with each website you use. But the options you will need to configure will often be found on the settings page under either the security or login sections. 

Here are two examples of how to access them in Facebook and Google: 

FACEBOOK:

  1.  Click on the account dropdown button next to your profile picture and, from the dropdown menu that appears, select the Settings and Privacy option.

  3. When the settings page loads, click on Security and Login on the left-hand rail and look for the Two-Factor Authentication section and switch it to ON to begin setting it up.


GOOGLE/GMAIL:

  1. Make sure you are logged into your Google or Gmail account, click on the button that looks like a checkerboard on the upper right of the page and, from the menu that appears, click the Account button.

  2. Click on the Security link in the left-hand rail, then scroll down the page until you come to the Signing in to Google section. Under that, click on the arrow next to 2-Step Verification to begin setting it up.


Is going through all this on every site you use worth it?  

The answer depends on how much time and aggravation it will take you to recover a hacked social media account, or how much money you could potentially lose if a cybercrook gains access to your online financial accounts.  

But one thing you should always keep in mind is that 2FA/MFA isn’t perfect and cyber crooks are constantly coming up with ways to circumvent security. So just because you set this up doesn’t mean you can now relax your guard. If anything, it should only make you more vigilant about cybersecurity than ever.
 

Friday, April 30, 2021

Cybersecurity: Pass the word about good passwords

Comic courtesy of xkcd.com. You can see the full comic here 


One of the many things I’ve discovered while working in IT is that most people treat passwords like vegetables on their dinner plate. 

Everyone knows veggies are good for them, but hate eating them. So they either rush through creating a password as if trying to wash down a forkful of spinach with a glassful of milk, or, worse yet, try to hide the fact they haven’t changed a weak, default password, like they were trying to disguise the fact they didn’t eat all their peas by pushing them under some left-over mashed potatoes.      

And like avoiding your veggies, ignoring good password practices can have a disastrous impact on your (financial) health. In 2020, IBM calculated the average cost of a data breach to be $3.86 million, and in prior years roughly 80 percent of hacking-related breaches involved stolen or weak passwords.

Sure, the vast majority of those breaches happened to big businesses. But don’t think for a moment that those breaches don’t affect your personal finances or that hackers don’t target the average Joe, because they do. According to a recent AARP study, fraud due to identity theft could cost the average person anywhere from about $200 to over $1,000, assuming it’s detected quickly.

This is hardly news to most people, yet when I broach the subject with folks outside the IT world, the most common excuse I get for not having or keeping strong passwords is that they are hard to remember.

Well, of course they should be! That’s kind of the point. 

If your password is easy to guess, it’s not doing its job in keeping your data safe from prying eyes. You might as well not have a password at all and that’s not a viable strategy these days with more and more of our personal and financial data moving online. 

There are many ways to come up with a good strategy for creating and remembering complex passwords, but most cybersecurity gurus agree on the following tips:

USE A LONG PASSWORD 

The longer a password, the harder it is for hackers to figure out. Even if hackers use a fast computer to run through every possible combination of letters, numbers, and symbols, the longer the password, the more time it will take them to crack your account. And the longer it takes a hacker to do that, the more likely it is that they will give up on you and move to an easier target.  

For instance, a simple eight-character password with all lowercase letters can be cracked in about five hours, whereas a 12-character all-lowercase password would take slightly over 200 years. (Times are based on Tulane University's Brute Force Calculator.)

USE A PHRASE AS YOUR PASSWORD

When I tell people they should have a long password, they naturally think about using a phrase or passage of text they’ll remember. The problem is that hackers are well aware of this tactic and will also try common or well-known quotes from literature, the Bible, TV shows and movies to crack your password. 

So while you might think “OpenThePodBayDoorsHal” may be a good password because it’s long and has a mix of upper- and lowercase letters, it’s also probably on the list of the top five phrases hackers will try, because it’s so obvious. 

Your best bet here is to use a nonsensical phrase or a phrase made of random words. Also do not use characters that are sequential on a keyboard, numbers in order or the widely used “qwerty,” because those are also on the list of default passwords hackers will try to get into your account.
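To put numbers on the two tips above (length and "is it on a list?"), here is a small calculator. It is an added example written for this post, not the Tulane calculator the post cites and not the author's code. The guess rate is an assumption, calibrated so that an 8-character lowercase password takes the five hours quoted above; the wordlist is constructed for the example and stands in for the real phrase lists attackers try before they resort to brute force.

```python
"""Estimate brute-force effort for a password, and what a wordlist does to it.

Added example for this post; not the Tulane calculator the post cites and not
the author's code. GUESSES_PER_SECOND is an assumption calibrated to the post's
"5 hours for 8 lowercase letters" figure; COMMON_GUESSES is a constructed list.
"""
import string

# Character classes; the attacker's alphabet is the union of the classes the password uses.
CLASSES = (
    string.ascii_lowercase,     # 26
    string.ascii_uppercase,     # 26
    string.digits,              # 10
    string.punctuation + " ",   # 33: symbols plus the space bar
)

# Assumed attacker speed (hypothetical): chosen so 26^8 guesses take 5 hours.
GUESSES_PER_SECOND = 26 ** 8 / (5 * 3600)

# Constructed stand-in for the password/phrase lists attackers try before brute force.
COMMON_GUESSES = ["123456", "password", "qwerty", "OpenThePodBayDoorsHal", "letmein"]


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must cover to reach this password by brute force."""
    size = 0
    for cls in CLASSES:
        if any(c in cls for c in password):
            size += len(cls)
    if size == 0 or any(all(c not in cls for cls in CLASSES) for c in password):
        raise ValueError("password is empty or uses characters outside printable ASCII")
    return size


def keyspace(password: str) -> int:
    """Worst-case candidates for an exhaustive search over the same length and alphabet."""
    return alphabet_size(password) ** len(password)


def guesses_needed(password: str, wordlist=COMMON_GUESSES) -> int:
    """Guesses needed by an attacker who tries the wordlist first, then brute force."""
    if password in wordlist:
        return wordlist.index(password) + 1          # found early: length did not matter
    return len(wordlist) + keyspace(password)


def seconds_to_crack(password: str, wordlist=COMMON_GUESSES,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case cracking time at the assumed guess rate."""
    return guesses_needed(password, wordlist) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits, e.g. '5.0 hours'."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for pw in ("abcdefgh", "abcdefghijkl", "OpenThePodBayDoorsHal",
               "N3wP@1r0f$h1rt$", "new pair of shirts"):
        print(f"{pw!r:26} alphabet={alphabet_size(pw):3}  "
              f"guesses={guesses_needed(pw):.3e}  time={human_time(seconds_to_crack(pw))}")
```

Run it and two things stand out: the 21-character movie quote is cracked on the fourth guess because it is on the list, and the plain 18-character phrase "new pair of shirts" has a larger keyspace than the 15-character substituted version "N3wP@1r0f$h1rt$" (the alphabet grows to 95 symbols, but three extra characters of length outweigh it).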

INCLUDE NUMBERS, SYMBOLS, AND MIXED-CASE LETTERS 

By now we are all familiar with this, as many sites require you to use symbols, numbers and letters in your passwords. One of the things I will do is come up with some phrase, then substitute numbers or symbols for the following letters:

  A = @
  S = $ or 5
  E = 3
  i = ! or 1
  O = zero

So if I decide to use a not-so-nonsensical phrase like: New Pair of Shirts 

I can make it more secure by using the substitutions mentioned above to turn it into this: N3wP@1r0f$h1rt$

If you use one of these as your password, you really need to change it immediately! (Source: zdnet.com)
AVOID USING PERSONAL INFORMATION IN YOUR PASSWORDS

This is a big one, especially in the age of social media quizzes that often ask you for seemingly harmless information like the month you were born, your favorite food, color or movie. Hackers can use this information to help guess your password, because they know people often use that kind of information for their passwords. They also know people tend to use important dates and names in their passwords, so don’t use birthdays, anniversary, addresses, city of birth, high school, and relatives’ and pets’ names in your passwords either, because that information is often easily discoverable online. On that note, if you are required to choose security questions and answers when creating an online account, select ones that are not obvious to someone browsing your social media accounts.

DO NOT REUSE PASSWORDS

If you only take away one thing from this post, remember this. Don’t use the same password on all your accounts!

Yes, I know it’s hard to remember just one password and now I’m telling you that you should have 20. But hackers know people are lazy, and if they crack your e-mail or social media account password, the very next thing they are going to do is try that password on various banking and financial sites to see if it works.

I often counsel my employees at work to also change the passwords on their personal accounts whenever we detect that their work account password was compromised. I do this because even though our employees seldom use their work e-mail address as their username on personal sites, hackers are smart enough to try the password they cracked for Mary.Jones@MyCompany.org on accounts for mary.jones@gmail.com, mjones@gmail.com, etc. 

USE A PASSWORD MANAGER

Okay, you’ve followed all my rules and created several strong passwords, but what good will they be if you can’t remember them when you need them?

The answer is simple. Stop trying to remember them and start using a password manger. 

Password managers are small programs you can install on your computer and phone which not only keep track of all your passwords, but also help you create strong, different passwords for every site you visit. The beauty of using one is that you only have to remember a single strong password, and many can be unlocked with a fingerprint so you don’t even have to type that one if you don’t want to.

Yes, most modern browsers like Chrome and Firefox have features similar to this, but the passwords they save are tied to your browser account rather than locked behind a separate master password. So if your Gmail account ever gets hacked, all the passwords you have stored under your Google account are exposed along with it. 

In my job, I use LastPass and have come to rely on it a lot. It works on both my phone and computer and integrates with Chrome pretty painlessly. I highly recommend it, but it’s not the only one out there. A few others recommended by PC Magazine and CNET are also worth checking out. 

If you don’t want to spend money on one of these programs you can always do what Mrs. BlueScreamOfJeff does and turn one of those old-fashioned pocket phone/address books into an offline, physical password manager. Instead of using it to keep track of all her friends, family members and acquaintances, she uses each section to store the username and password for all her various accounts. For example on the “A” section pages, she has entries for her AOL, AirB&B and Applebees.com. Under the “B” section she has her Bank of America, Barnes and Noble and BBC.com login info. 

Yes, this does go against “the rule” of not writing your passwords down, but it is OK to write them down as long as you store them in a secure location like a locked drawer when you’re not using it.

CHECK ON YOUR PASSWORDS 

Finally, you should periodically check to make sure your passwords are still secure and haven’t turned up in a breach. 

Sites like Have I Been Pwned?, BreachAlarm and Dehashed all let you check on whether your account has been compromised by a past data breach. 

They are pretty simple to use. Just go to the page, enter your e-mail address and click the search button. The site will then look through a list of accounts known to have been exposed in breaches and show you if your address was possibly compromised.

If it was, you should change that password immediately.
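The e-mail lookup described above is done on the site itself, but Have I Been Pwned also publishes a password list you can check against without ever sending the password. The code below is an added example written for this post (not the post's own code and not haveibeenpwned.com's): it hashes the password with SHA-1, sends only the first five hex characters of the hash, and looks for the remaining 35 characters in the list that comes back, so the site never learns which password you asked about. The response text is constructed so the example runs offline; the counts in it are made up, though the suffix line for "password" is that word's real SHA-1 remainder.

```python
"""Check a password against the Pwned Passwords corpus without sending it.

Added example for this post; not the post's own code and not haveibeenpwned.com's.
It uses the site's public range API (k-anonymity): only a 5-character hash
prefix leaves the machine. CANNED_RESPONSE_5BAA6 is constructed for offline use.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 hex digest split into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padded entries (count 0) are kept and simply never match."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup; Add-Padding asks the service to hide the true response size."""
    request = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not in the returned range)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed response for prefix 5BAA6 (the prefix of 'password'). The counts are made
# up for the example; the middle line's suffix is the real SHA-1 remainder of 'password'.
CANNED_RESPONSE_5BAA6 = """\
1E3F1B4B0C9A0D0E6F7A8B9C0D1E2F3A4B5:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7F2A0C9D1E2F3A4B5C6D7E8F9A0B1C2D3E4:0
"""


if __name__ == "__main__":
    # Offline demo; pass fetch=fetch_range (the default) to query the live service.
    print("'password' seen", breach_count("password", lambda _: CANNED_RESPONSE_5BAA6), "times")
```

Anything with a count above zero has already been cracked and shared, so treat it exactly as the post says: change it immediately, everywhere it was used.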

I know I’ve made it seem like creating and keeping your passwords safe is a lot of work. But like your mother always told you when you complained about having to eat your vegetables:  You may not want to do it, but it's good for you.


Wednesday, March 31, 2021

Cybersecurity: Is there something phishy going on in your inbox?

 

SOURCE: Jeffrey L. Price, 2020
Have you ever noticed how many fishing lures are shiny and brightly colored?

It’s because fish can’t resist them, and it seems we humans also have this same flaw. Send someone a flashy message promising them some reward or a vaguely worded threat and we just can’t resist clicking on the link or attachment in that message to see what it is. 

Cybercriminals know this and depend on your trust and curiosity to make their scams work. And just like that poor trout who goes to investigate that shiny thing floating around in the water, it doesn’t end well. 

So how do you avoid becoming some cyber-fisherman’s catch of the day? 

The answer is deceptively easy. When it comes to e-mails -- and even text messages – trust nobody. Assume every message you get is fake until you can confirm it’s not. 

And how do you go about confirming a message isn’t fake? 

By following some simple precautions I outline below. While this list isn’t exhaustive and doesn’t guarantee you will never be fooled, you will be surprised how often it can save you from being hooked.

Skepticism is your best defense

First and foremost, be skeptical of any message you get. Are you expecting a message from this person and what are they asking you to do? If they are asking you to download an attachment or requesting you to sign into some site – even one that seems legitimate – ask yourself if this person really needs to know that information.

If a stranger came up to you on the street and introduced themselves as a friend of a friend then asked you for your social security number, would you give it to them? Probably not. So you shouldn't do it with an e-mail from some stranger either.

If the message appears to be from a bank or other institution you do business with and they are requesting you verify information they should already have, then don’t give it to them.  Again, you wouldn’t give the keys to your safe deposit box to some Joe on the street who introduces himself as the VP at your bank, would you?

Remember hackers are extremely good at what they do. They are experts at creating seemingly valid email addresses, language, and mimicking brand logos. So be skeptical when it comes to your email inbox – if an email looks even remotely suspicious, do not open it. Instead, delete it. It is always better to be safe than sorry.

Look closely at the display name and email address

Faking or forging the display name on an email (or even a text message) is a classic phishing ploy. Many times hackers will intentionally misspell a name betting you won’t notice the difference between something like CityBank and Citibank to get you to think their message is real.

Another trick they use is to slightly change the name of a person or colleague they might think you regularly communicate with. So instead of getting a message from a Michael Smith, hackers might try to disguise themselves as Micheal Smith, Mike Smith or even Mika Smith, again betting your familiarity with their name will make you overlook the misspellings. Also be on the lookout for names in the wrong order. At my company display names from internal employees are always listed as LastName, FirstName. So when I see a message from our CFO with a display name of FirstName Lastname, I know it is fake. 

Next, take a look at the email address following that display name. Does it match, and does it appear to come from the right organization? A message from Citibank, for example, should come from someone@citibank.com and not Citibank@abc.com.

The tip here is to always look at the part of the email address that follows the @ sign. Remember that no legitimate organization will send email from a public mailbox provider, such as addresses ending in @gmail.com, @comcast.net, @yahoo.com, @aol.com, etc. Every organization has its own email domain (the part of the address that follows the @ sign) and only sends from official company accounts. The best way to find out what an organization’s real domain name is, is to type that company’s name into a search engine.

Also be on the lookout for domain names that mimic real ones. Hackers are betting that you will overlook misspellings like @citbank.com (missing the second “i”), @citybank.com (using a “y” instead of an “i”) or even wrong endings like citibank.net instead of citibank.com.

Finally, watch out for mismatched display names and e-mail addresses. If the display name says Michael Smith, then the e-mail address should not give another name like marcia.brown@gmail.com. If the first part of the address is a random string of numbers or letters – such as 1234VZE@verizon.net – then it’s a good bet the message is from someone trying to hide their true identity from you, and you should automatically treat that message as fake. 
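The sender checks above can be written down as rules and run over a From: header. The code below is an added example written for this post, not the post's own code or any mail filter's; the free-mail list, the brand table and the "organisation words" are constructed for the example and would be filled in from the companies you actually deal with.

```python
"""Heuristic checks on an e-mail From: header, following the tips above.

Added example for this post; not the post's own code or any mail product's.
FREEMAIL, KNOWN_BRANDS and ORG_WORDS are constructed tables for the example.
"""
import re
from email.utils import parseaddr
from typing import List, Tuple

# Public mailbox providers a real organisation would not send from (constructed list).
FREEMAIL = {"gmail.com", "yahoo.com", "aol.com", "comcast.net", "hotmail.com", "outlook.com"}

# Brand keyword -> the domain that brand really sends from (constructed table).
KNOWN_BRANDS = {"citibank": "citibank.com", "verizon": "verizon.net"}

# Words that suggest the sender claims to be an organisation rather than a person.
ORG_WORDS = {"bank", "support", "service", "security", "team", "billing"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter lookalikes such as citbank vs citibank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """'www.citibank.com' -> ('citibank', 'com'): the registrable label and its ending."""
    labels = domain.lower().split(".")
    return (labels[-2] if len(labels) >= 2 else labels[0]), labels[-1]


def looks_random(local_part: str) -> bool:
    """Mailbox names like '1234VZE': several digits, no separators, mostly numeric (heuristic)."""
    digits = sum(c.isdigit() for c in local_part)
    return digits >= 3 and not re.search(r"[._-]", local_part) and digits / len(local_part) >= 0.4


def sender_warnings(from_header: str) -> List[str]:
    """Reasons the From: header looks suspicious; an empty list means nothing was flagged."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["no usable e-mail address"]
    local, domain = address.rsplit("@", 1)
    local_l, domain_l, display_l = local.lower(), domain.lower(), display.lower()
    warnings: List[str] = []

    # 1. A person's display name should reappear somewhere in the address.
    name_tokens = re.findall(r"[a-z]{3,}", display_l)
    if name_tokens and not any(t in local_l or t in domain_l for t in name_tokens):
        warnings.append(f"display name '{display}' does not match address {address}")

    # 2. A brand named in the display name or mailbox must send from that brand's real domain.
    for brand, real_domain in KNOWN_BRANDS.items():
        if (brand in display_l or brand in local_l) and domain_l != real_domain:
            warnings.append(f"claims to be {brand} but was sent from {domain_l}, not {real_domain}")

    # 3. Lookalike domains: same name with a different ending, or a letter or two off.
    sld, _ = split_domain(domain_l)
    for real_domain in KNOWN_BRANDS.values():
        real_sld, _ = split_domain(real_domain)
        if domain_l != real_domain and (sld == real_sld or edit_distance(sld, real_sld) <= 2):
            warnings.append(f"{domain_l} looks like {real_domain}")
            break

    # 4. Organisations do not send from free webmail providers.
    if domain_l in FREEMAIL and any(w in display_l for w in ORG_WORDS):
        warnings.append(f"organisation-style name but sent from public provider {domain_l}")

    # 5. A mailbox that is mostly digits is hiding who is really writing.
    if looks_random(local):
        warnings.append(f"random-looking mailbox name '{local}'")

    return warnings


if __name__ == "__main__":
    for header in ("Michael Smith <marcia.brown@gmail.com>", "Citibank Alerts <alerts@citbank.com>",
                   "Verizon <1234VZE@verizon.net>", "Michael Smith <michael.smith@citibank.com>"):
        print(header, "->", sender_warnings(header) or "no warnings")
```

These are heuristics, not proof: a clean result only means none of the post's tell-tale signs were present, which is why the post's advice to stay skeptical still applies.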

Review the salutation 

Who is the email addressed to? Is it to a vague “Valued Customer?” Legitimate businesses will often use a personal salutation with your first and last name, so beware if it doesn’t. Likewise if you get a message that has your name misspelled or appears to be from someone you know and they use your formal name rather than the nickname they’ve always used with you, then again, you can bet the message is a fake. 

Be wary of urgent or threatening language 

Cyberscammers often try to put you off guard by using fear or the threat of legal or financial action against you, or play on your emotions by creating a false sense of urgency in their messages. Commonly, they will use subject lines such as “urgent payment request” or claim that your “account has been suspended.” Others will say you have won an expensive prize in a contest you don’t remember entering and tell you that you must claim the prize now or it will go to someone else. 

These messages will often direct you to click on some link or download an attachment that could infect your device with malware or trick you into revealing usernames and passwords to important accounts.

Guard your confidential information as if your life depended on it

Legitimate businesses will never ask for personal credentials through an email.

Ever.

These types of phishing scams often purport to be from a bank or other financial institution, the IRS or even online shopping sites like Amazon. 

Again, ask yourself if you would give up that information to some guy on the street who just came up to you saying he was from your bank or the IRS and didn’t show you any hard proof of who he was. 

So ignore any requests you get to “reset,” “sign in,” or enter a username or password through email – it’s almost always a scam.  

The one exception to this rule is if you get a password reset message immediately after clicking the “I forgot my password” link on a site you usually do business with.

Also remember that legitimate businesses will never ask you for your account numbers, social security numbers, dates of birth or other information that could be used to personally identify you via an email. They should already have this information on file. If they ask you for it in an e-mail or text message, it’s either a phish or it’s a company you should stop doing business with immediately!

Think before you click

Note the link in the body says one thing, but when you hover over it, the real link shows a different address!

Hackers love to embed malicious links in what look to be legitimate messages. To expose this fraud, hover your mouse over the link. If the link address looks weird, DON’T click on it. If you’re skeptical about the link, call an IT pro to have them check it out. If you don’t have a favorite IT person you can bug, then look up the business’ contact information via a Google search or go old-school and use a phone book, and call the company and ask them about the message.
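The hover check can be automated for a whole message: pull every link out of the HTML body and compare the address the link text shows with the address the href actually points to. The code below is an added example written for this post, not the post's own code or a mail client's. The sample message is constructed for the example and uses only reserved example/documentation names (the `.example` domain and the 203.0.113.0/24 range) in place of a real attacker's hosts.

```python
"""Compare what a link says with where it really goes, as hovering does.

Added example for this post; not the post's own code or a mail client's.
SAMPLE_EMAIL_HTML is a constructed message using reserved example names only.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL or of bare text like 'www.example.com/path', minus any leading www."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    host = (urlsplit(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


# Link text that itself looks like a web address, e.g. 'www.citibank.com/login'.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)
BARE_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def link_warnings(html_body: str) -> List[str]:
    """One warning per link whose visible address and real address disagree, or that targets an IP."""
    parser = LinkCollector()
    parser.feed(html_body)
    warnings: List[str] = []
    for href, text in parser.links:
        target = host_of(href)
        if LOOKS_LIKE_URL.fullmatch(text):
            shown = host_of(text)
            if shown and shown != target:
                warnings.append(f"text shows {shown} but the link goes to {target}")
        if BARE_IP.fullmatch(target):
            warnings.append(f"link goes to a bare IP address ({target})")
    return warnings


# Constructed phishing-style body: one disguised link, one bare-IP link, one honest link.
SAMPLE_EMAIL_HTML = """
<p>Your account has been suspended. Sign in at
<a href="http://citibank.com.account-verify.example/login">https://www.citibank.com/login</a>
to restore access, or <a href="http://203.0.113.5/x">click here</a>.</p>
<p>Questions? Visit <a href="https://www.citibank.com/help">www.citibank.com/help</a>.</p>
"""


if __name__ == "__main__":
    for warning in link_warnings(SAMPLE_EMAIL_HTML):
        print("WARNING:", warning)
```

The first link is the trick the post describes: the brand's name is in the host, but only as a subdomain of a completely different site, which is exactly what a hover reveals and what the text of the link hides.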

Don’t click attachments either

Just like malicious links, hackers like to embed malicious attachments that contain viruses and malware in their phishing emails. Malware can steal your passwords, damage files on your computer, or spy on you without you ever knowing. Curiosity killed the cat, so don’t open any email attachments you weren’t expecting.

Text messages aren’t any safer

Almost all of these rules can apply to text messages too. So don’t think that just because you don’t use e-mail that much, you’re safe. 

You’re not.

Cyber criminals know more and more people are ditching e-mail for texting and are quickly adapting their tactics to target all you thumb-typers out there, so you need to heed these guidelines too.
  
Now, after reading all this, if you’re beginning to feel paranoid and think every e-mail or text message you get could be a bomb ready to go off in your face, good. I did my job! You should feel paranoid these days, because that old saying is true: just because you’re paranoid, it doesn’t mean the world isn’t out to get you. 


Sunday, February 28, 2021

Cybersecurity speak: Is it all geek to you?


When IT folks like me start talking about cybersecurity we often throw around a lot of terms we just assume everyone is already familiar with. I mean in this day and age, who could possibly NOT know what phishing, ransomware, smishing, vishing, spear-phishing or even malware is?

Yet according to a 2020 report from the e-mail security firm, Proofpoint, quite a few non-IT people don’t.

So before I start telling you how you can better defend yourself against online threats, I’d like to spend some time defining the terms we IT folks often use to make sure everyone understands what I’m talking about from here on out. 

MALWARE

Let’s start with the most generic term, malware.

As the name implies, malware is any program or application that does bad things to your device (Mal = malicious or bad / Ware = an abbreviated form of software). It’s also not just something that can get installed on your computer or laptop. Malware can infect your cell phone, tablet, smart TV or any other internet-connected device. And contrary to what you might have heard, users of Apple devices are just as vulnerable to malware as those running Microsoft or Android-based software.

The writers of this bad software go where the users are and will target their programs to take advantage of the most popular platforms. So if iPhones are the most popular type of cell phones, you can bet that cyber crooks are working on ways to exploit these devices.

To get users to download these bad programs, criminals will often disguise the software as something desirable, often a “free” or heavily discounted version of a legitimate program like Microsoft Office or Adobe Photoshop, a game, or a pirated copy of a popular TV show, movie or album.

RANSOMWARE 

Ransomware is a particularly nasty subset of malware which seeks out a user’s data and encrypts it so it cannot be opened by any program until the user pays a cyber criminal a fee to unlock it. What makes this type of malware so insidious is that it not only affects the device it’s downloaded on, but can also spread to other devices the infected machine is connected to.

Ransoms can be as “small” as $100 or range into the millions. It’s often demanded in bitcoin, a type of virtual or electronic currency that is hard to trace, and there is no guarantee that even if you pay the ransom, the hostage taker will give you the key to unlock your data.

Most people have probably heard about the recent ransomware attacks on big hospitals and municipal governments, but do not let that fool you into thinking that cybercriminals only target big institutions with deep pockets.

They don’t.

You are just as vulnerable to this type of attack as they are, as this type of infection is often spread through bogus e-mails where the sender tries to get you to open an infected attached file or click on a link to website that will download the malware to your device.  

PHISHING

SOURCE: Jeffrey L. Price, 2020

Unlike malware, the goal of phishing (pronounced “fishing”) isn’t to put any malicious software on your computer or lock up your data. It’s to trick you into willingly revealing your sensitive information or data to an attacker. Attackers do this by impersonating someone you know or an institution you trust, not only to get you to reveal your usernames, passwords and/or financial information, but also to trick you into sending money to some fake account they control. Phishers also use these attacks to gather other background information on you such as your birthdate, social security number, previous employers, salary, etc. so they can use that information to open fake credit accounts in your name. 

These types of attacks usually come in the form of e-mail, but have been branching out to other types of electronic communications as well.

SPEAR-PHISHING

Spear-phishing is a phishing attack where the cyber crook is directly targeting someone or some company, using information specific to the targeted victim, rather than sending out a more generic-sounding message aimed at everyone on the Internet.  It is designed to make the victim think they are communicating with a known or trusted colleague.  An example of this type of attack is a fake e-mail purporting to be from a company’s chief financial officer, directing some low-level staff accountant to transfer money to some new or unknown account.

SMISHING

While phishing attacks generally take place over e-mail, smishing happens through text messages. So instead of getting an e-mail from someone masquerading as a trusted friend, colleague or institution, the fake message comes in the form of a text. This type of text often asks you to click on a link which takes you to a fake website that will then ask you for things like a username and password.

VISHING

While the term vishing may be new, this type of attack has been around for a long time. It’s just a fake phone call from someone saying they are from a company you might do business with or a government agency, demanding money or other information. An example might be a recorded call from the IRS saying you are behind on your taxes and will be audited unless you call a certain number.

SOCIAL ENGINEERING

The one thing almost all these different types of “ishing” attacks have in common is that the attackers are trying to fool you into thinking they are someone you already know or someone you can/should trust. In the pre-internet days, we would have called these people Con Men or Con Artists, because their game is exactly the same as their online counterparts’. Only instead of trying to talk you out of your money face-to-face by putting on some great performance and pretending to be someone they aren’t, they substitute in-person contact with e-mail (phishing), texts (smishing) and phone calls (vishing). But that’s not the only way social engineers ply their trade. Many hang out on social media sites trying to lure you into revealing information that could be used to impersonate you, by creating quizzes to see which celebrity you are most like or by buddying up to you claiming to be some half-remembered high school acquaintance or a friend of an old friend you haven’t talked to for a while. 

AGE DOESN’T MATTER

SOURCE: Proofpoint 2020 State of the Phish report

While it’s easy to believe that social engineers and other online fraudsters only target less tech-savvy and older folks, you’d be dead wrong. “Digital natives” – the generation who has never known a world without all this technology – aren’t immune from falling victim to cybercrime. In fact, they appear even more clueless about the dangers lurking out there in cyberspace than their older counterparts. 

Maybe it’s because they just take this always-connected world for granted. Or maybe it’s a case of familiarity breeding contempt.  Maybe it’s even a failure by us older folks to teach them the little we know about keeping safe online. 

Whatever the cause, Proofpoint’s “2020 State of the Phish” report showed “Baby boomers outperformed everyone in their recognition of phishing and ransomware terminology. Millennials had the best recognition of only one term: smishing.”

The report showed that only 47 percent of adults between the ages of 18 and 22 correctly identified what phishing was, compared to 65 percent of adults aged 39-54 and 66 percent aged 55 and over. Older adults also scored 20 percent better than younger ones in knowing what ransomware was. 

Some of this isn’t really that surprising, as other studies have shown folks between 18 and 22 prefer texting to e-mailing. However, it’s still no excuse for not knowing that the same types of scams you might see in a text can and do affect other online communications as well. 

So next time you see a member of the Instagram-generation dissing an older colleague for not understanding the latest tech with one of their “OK Boomer” memes, remind them of this: Old-timers may not be as adept at using the latest tech as they are, but we older folk are better at something even more important – identifying cyberscams. (Then tell them to get off your virtual lawn before you ask them for the millionth time what a ‘hashtag’ is!)

2FA/MFA

We’ve talked a lot about jargon we tech-types use to describe the types of attacks you might see out there in cyberspace, but what about other jargon we use to describe defensive measures? Aren’t there things called firewalls? DMZs? E-mail protection gateways? VPNs? IP addresses? 

Yes, and while they are important, I’d argue they aren’t as important to the average person as 2FA or MFA is.

These acronyms stand for Two-Factor Authentication and Multi-Factor Authentication, and what they do is require you to prove who you are by providing two (or more) forms of identification before you can log in to a website or application.

Think of this as having to provide both your ticket and driver’s license before boarding a bus or airplane. Or having to provide your birth certificate, passport, and a current utility bill in order to renew your driver’s license.

In the online world, 2FA/MFA works by sending a text message, e-mail or phone call with a temporary code to a secondary device or account you own. Without entering this one-time-use code on the website or in the program, you won’t be able to log in, even though you’ve entered the correct password. 

The idea is that while a cyber crook might have figured out your username and password, they won’t have access to that second piece of information or device (often your cell phone), and thus will be unable to impersonate you.  
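What makes that temporary code work is a handful of properties on the site's side: it is random, it expires quickly, it works exactly once, and the site stops accepting guesses after a few wrong ones. The code below is an added example written for this post (not the post's own code or any real site's implementation) showing that server side; delivery by text, e-mail or phone call is left to the caller, which just gets the code back from issue(). The five-minute lifetime and five-attempt limit are assumptions.

```python
"""Server side of the one-time code step described above.

Added example for this post; not the post's own code or any real site's.
CODE_LIFETIME_SECONDS and MAX_ATTEMPTS are assumptions. issue() returns the
code for the caller to deliver; verify() is what the login page calls with
whatever the user typed, after the password has already checked out.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # assumption: five-minute window
MAX_ATTEMPTS = 5              # assumption: five wrong guesses burn the code


@dataclass
class PendingCode:
    code_hash: bytes          # only a keyed hash is stored, never the code itself
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


def _code_hash(user: str, code: str, secret: bytes) -> bytes:
    """HMAC the code together with the user, so one user's code cannot be replayed as another's."""
    return hmac.new(secret, f"{user}:{code}".encode("utf-8"), hashlib.sha256).digest()


class SecondFactor:
    def __init__(self, server_secret: bytes, now: Callable[[], float] = time.time) -> None:
        self._secret = server_secret
        self._now = now                        # injectable clock so expiry can be tested
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, user: str) -> str:
        """Create a fresh code for a user whose password was just verified; returns the code to deliver."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(_code_hash(user, code, self._secret),
                                          self._now() + CODE_LIFETIME_SECONDS)
        return code

    def verify(self, user: str, code: str) -> bool:
        """True exactly once, for the right code, before it expires, within the attempt limit."""
        pending = self._pending.get(user)
        if pending is None:
            return False                       # nothing issued, or already used up
        if self._now() > pending.expires_at:
            del self._pending[user]            # expired: a new code must be issued
            return False
        pending.attempts_left -= 1
        if hmac.compare_digest(pending.code_hash, _code_hash(user, code, self._secret)):
            del self._pending[user]            # single use: the same code never works twice
            return True
        if pending.attempts_left <= 0:
            del self._pending[user]            # too many wrong guesses: start over
        return False


if __name__ == "__main__":
    factor = SecondFactor(secrets.token_bytes(32))
    sent = factor.issue("mary")                # in real life this goes out by SMS/e-mail/voice
    print("first use:", factor.verify("mary", sent), " second use:", factor.verify("mary", sent))
```

The constant-time comparison and the guess limit are what keep a six-digit code from being brute-forced: a million possibilities mean nothing if the attacker only gets five tries before the code is thrown away.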

Like everything else in life, this is not foolproof, but the more hurdles you make cybercriminals jump over, the more likely they are to abandon the attack on you in favor of easier targets. So if you are not using 2FA/MFA now, you should start.

Immediately.

Look, these days we all carry a cell phone, and while having to grab it, look for that code and enter it every time you need to log in someplace may seem like a giant inconvenience, the extra 30 seconds it takes will seem like nothing compared with trying to get your Facebook account back after some hacker has stolen it from you.

Ultimately this is what cybersecurity is all about: taking time now to prevent a lot of headaches later. And now that you understand some of the jargon we IT folk use, I hope you’ll come back next month when we start discussing how to actually spot and defend yourself against these types of attacks.

Until then, stay safe out there! 

Sunday, January 31, 2021

When it comes to Cybersecurity, humans are the weakest link

Cyber-Sec_rity isn't complete without U
In my day job, I keep watch over my company’s computer systems, not only making sure everything is working correctly, but also making sure no one’s accessing them who shouldn’t be.

It may sound like a simple task, but with over 6,000 employees scattered across 70-plus offices in 10 states, it’s not as easy as it sounds. Especially the cybersecurity aspect of it.

Yes, we have firewalls and other gadgets and software watching our systems so I’m not the only guard at the virtual castle gate telling every visitor: “Halt! Who goes there?”  But as 2020 showed us in perhaps the most dramatic way possible, our collective workplaces are no longer a physical place that can be defended by virtual fortifications. 

Nor are they even like the Iron Ring of castles that King Edward I of England built to subdue Wales back in medieval times. 

In 2021, the workplace can be anywhere and it can change not only from day-to-day, but even hour-to-hour. The old way of constructing permanent, impenetrable walls around our workplace computer systems is about as useful as Edward’s quaint old castles against a modern army using artillery firing high-explosive rounds.

The key to cybersecurity these days is to protect the data no matter where it is.  So instead of focusing on building bigger and better walls, we should instead concentrate on protecting the messengers who carry the king’s missives between his castles and cities.

IT folks like me are already doing this, but the more I learn about how to protect these messengers from the brigands and bandits who lie in wait in the dark alleys off the information superhighway, the more I realize that just throwing more technology at the problem is NOT the answer. In my opinion, it may actually make matters worse.

Adding complexity to any system means there are more things that can go wrong, and as we’ve learned time and again, hackers are adept at exploiting the tiniest of flaws they find in any system. Adding complexity also makes it harder for regular folks to use and understand it. Human nature being what it is, people will then try to find a “quicker and easier” way to get their work done, often bypassing the very thing that’s meant to keep them safe. 

And that’s really the biggest challenge in Cybersecurity these days.

The weakest link has – and always will be – the human element.

The average person does not know (or really care) about how technology works. Most only want to know which buttons to press to get a particular task done. The rest to them is magic.

And therein lies the problem. 

IT professionals like me need to help to demystify technology and help regular folks understand how the devices they have come to rely on work.  I’m not saying the average Joe needs to know how to debug a kernel panic, install an operating system or even swap out a memory module before using a cell phone, sending a text message or ordering pizza or toilet paper online. However, they should be taught how to apply the same basic safety tips and skepticism they use in the real world to the virtual one so they can keep themselves safe. 

I know this seems rather obvious, but then again, so does driving a car. The gas pedal makes it go, the brake pedal makes it stop and the steering wheel lets you make turns. 

Every kid knows this. 

Yet we’d never give car keys to a teenager on their 16th birthday and let them figure out the rest on their own. Instead, we make them learn the rules of the road from a (hopefully) more experienced driver.

And that’s what I want to do over the next 12 months with a majority of my blog posts. I want to help folks learn how to detect possible scams and view every online transaction with the same degree of suspicion they’d have if someone claiming to know them came up to them on the street and asked them for their house or car keys. 

I’m hoping this can be an open and interactive discussion, so please feel free to ask any questions, no matter how basic they seem, in the comments below and I’ll do my best to answer them for you either in the comments or in the next month’s post.