Monday, November 25, 2019

Juice Cleanse


While I am not educated in computer programming or repair, I am knowledgeable and proficient enough to make computers do what I need and understand how that occurs. Because of my lack of formal training I never doubt what can be done with computers; I just assume that I do not know how to make it happen. Anything is possible. So when I hear of new smart devices or electronic conveniences that make our life easier, I figure it is only a matter of time until someone compromises the security.

In November 2019, the Los Angeles County District Attorney published a public service message warning travelers against using public USB charging stations.

How it works

Criminals either conceal a computer in charging stations or load malware onto the stations, much like credit card skimmers at gas pumps. When someone plugs their device into the charging station via USB, the criminal's computer can access the device, or the malware is transferred to the device so that the criminal can access it at a later time.

There have been mixed reactions to the LA County DA report, but no one is saying that it can’t be done. More likely it is a matter of effort versus reward. Snopes.com reported, "While it is technically possible for crooks to steal information or install malware via public USB ports, this practice doesn't appear to be widespread".

Best practice: Use your own charging cables with a transformer and plug directly into an AC outlet.

Lasers as keys

Another threat to smart devices or rather smart homes is lasers. Researchers at the University of Michigan have created attacks using focused light to manipulate smart speakers. From as far as one hundred yards researchers could transform their voice commands into light beams aimed at the speaker. Once beamed the speaker reacts as if someone were speaking to it.

The results of the discovery mean that criminals could trick smart speakers into opening garage doors, smart locks, lights, or whatever security feature is linked to the smart speaker.

In our brave new world one has to suspect that someone is always watching or listening. And no computer, mobile device, or now the things that charge them, is secure.

Find other posts on skimming, WiFi, and smart device security in my blog archive. 

Wednesday, October 30, 2019

Move the sign


Went to MVA to meet with a fingerprint services company. The local MVA is a smaller facility compared to the State headquarters. This location has two entrances at either end of a long single-story building. The original intent was that customers with registration issues would enter through one door and licensing through another. Over time the entrances have become generic and there is a check-in desk at the center of the building. So it doesn’t matter what entrance one uses. 

Outside of one entrance is a sign for the fingerprint services company. One would guess that customers would enter through the entrance next to the sign. Once inside customers find that the fingerprint office is at the other end of the building, closer to the other entrance.

I explain all of this because of what was observed while waiting. Inside the entrance opposite the fingerprint office is a Trooper stationed at a lectern. While waiting, I observed customers approach him several times with questions, some of which regarded the whereabouts of the fingerprint office. Appearing annoyed the Trooper would direct the customers to the other end of the building.

The Trooper is stationed there for building security, not information. But stationed at a lectern, in uniform, near an entrance is going to attract questions. It would not relieve all of the questions, but simply moving the fingerprint services sign to the building entrance outside of where the office is located would alleviate many.

Businesses large and small see this or don’t see it, a forest for the trees kind of thing. Simple solutions that will reduce stress on a job or person. Sometimes it is poor planning or the next great idea that wasn’t vetted at all levels.

Management makes changes for employee well-being or system improvement. If the people at the top are not completely familiar with the issue sometimes the change can actually cause problems. Management needs to see the problem from the source and get employee input at that level. Employees who identify problems have to be empowered to make “field” decisions that can quickly solve issues and improve service.

Sometimes simply moving a sign to a better position can make a world of difference. 

Thursday, August 15, 2019

Can you buy an AR15 in Maryland?




NOTE: This post was updated in 2019 with current information regarding Maryland gun laws.

After a mass shooting, attention is focused on the availability of the weapon used. Most times that weapon is a semi-automatic, assault style rifle. How did the person obtain the weapon and why is it available to the public are the questions usually asked. As you probably have figured out, gun laws in the U.S. are convoluted. Laws on gun possession and sale differ from state to state. Too many to try to explain in a single post. For this blog the question raised is: Can you buy an AR15 in Maryland? The short answer is no.

However, the weapon used in the Dayton, Ohio shooting could be sold in Maryland. The Anderson Manufacturing .223 caliber AM-15 used by the Dayton shooter is currently not approved for sale by the Handgun Roster Board (See Guns approved for sale in Maryland below). But a similar gun, the .300 caliber AM-15 is approved for sale in Maryland. A "loophole" to Maryland's assault weapons ban. 

Assault style weapons

The federal government and some states have strict laws regarding the regulation and availability of fully automatic weapons or machine guns. What is more readily available are assault style weapons that are similar to what the military uses but in a semi-automatic capacity (firing one bullet and automatically reloading with each depression of the trigger). “AR15” is a type of civilian rifle modeled after what the U.S. military issues. Although it is a specific product the name is also used incorrectly to identify a wider variety of assault style weapons. When, in fact, there are many different manufacturers and models.

The Federal government banned semi-automatic assault style weapons in 1994. However, the ban expired in 2004 and those guns became legal for sale once again. Maryland banned the sale of what is defined as an “assault rifle” or “assault long gun” in the Firearm Safety Act of 2013. The types of weapons included are what are commonly known as “AR15”s and all variants or copies. However, persons that legally possessed these types of weapons prior to October 1, 2013 could continue to possess them. They just couldn’t be sold within the state.

The Maryland State Police is tasked with regulating firearm sales in Maryland. This link, Maryland State Police Firearm Search, explains what can and cannot be possessed and sold. Other states with bans on the sale of assault style rifles are: California, Connecticut, Massachusetts, New Jersey, New York, and the District of Columbia.

Guns approved for sale in Maryland

In addition to regulating the sale of firearms, Maryland law also determines what guns can and cannot be sold in the State. Handguns manufactured after 1985 can only be sold in Maryland if the Handgun Roster Board has specifically approved them for sale and placed them on the Official Handgun Roster. The Handgun Roster Board is part of the Maryland State Police and consists of eleven members: the Secretary of the State Police and ten people appointed by the Governor for terms of four years.

You may search manufacturers to determine if a handgun is on the handgun roster and legal for sale in Maryland through this link: Handgun Roster search

Waiting periods

Waiting periods and firearm sale laws are also being discussed in the news. Maryland has some of the strictest firearm laws in the country. 1995, 2000, and 2013 saw major legislation packages passed that restricted the sale and types of firearms that could be sold in Maryland. Even before that, in 1966, Maryland was one of the first states to pass legislation regarding waiting periods for purchasing handguns. Since 1966, a firearm dealer must wait seven days before the gun may be transferred to the purchaser. During this time, the Maryland State Police conducts its background check of the prospective purchaser. The Responsible Gun Safety Act of 2000 expanded the waiting period and background checks to include the private sale of handguns between individuals.

Only nine states and the District of Columbia currently have waiting periods: California, Florida, Hawaii, Illinois, Iowa, Maryland, Minnesota, New Jersey, and Rhode Island. Waiting periods for gun sales received a boost on February 20, 2018 when the Supreme Court dismissed a 2nd Amendment challenge to California’s 10-day waiting period as a “reasonable safety” precaution.

Please feel free to share this post. See the blog archive for more information on buying guns in Maryland.








Monday, August 12, 2019

Synopsis of Maryland gun laws

Maryland gun laws 

The Federal government and each state all have different firearm laws. States do not necessarily have reciprocity. What is permitted in your home state may be a felony in another state. Here is a synopsis of Maryland’s firearm laws based on common concerns. 

·     Maryland has been regulating handguns with background checks and requiring a seven-day waiting period since 1966. Firearms designated as “regulated” (handguns and 45 enumerated rifles) require background checks and a waiting period before being transferred. This includes private sales as well. Shotguns and some rifle sales are not regulated by the State and therefore require no State level background check.
·     Sales and transfers between private citizens and at gun shows are regulated by the State and require a background check and seven-day wait before transferring.
·     Gun buyers must possess a license before purchasing a firearm, which includes a firearm training course
·     One handgun purchase is allowed every thirty days
·     All new handguns manufactured after January 1, 2003 must include an integrated mechanical safety device
·     Red Flag Law-Enables families and law enforcement to ask courts for an order to temporarily restrict firearms from people found to be a risk to themselves or others.
·     Assault rifles or “AR15” variants are prohibited from sale
·     Bump stocks are banned in Maryland
·     Convicted domestic abusers are required to surrender guns to law enforcement or a firearms dealer. Law enforcement is permitted to remove firearms from the scene of an alleged act of domestic violence
·     Ammunition: If a person is prohibited from possessing firearms they are prohibited from possessing ammunition
·     Child access- A person may not store or leave a loaded firearm in a location where an unsupervised child may gain access
·     Concealed carry is prohibited unless issued a concealed carry permit regulated by the State
·     Transportation- A person may transport a firearm in a vehicle if unloaded and in an enclosed case or enclosed holster-to and from the place of purchase or repair; shooting range; sporting activities; hunting; dog training.



Monday, July 29, 2019

CONVICTED? NEVER CONVICTED.


Note: This article was originally posted in 2014. It has been updated with new information.

Owning a business investigation company we often had clients who would come to us to perform self-background checks. They had had an indiscretion long ago and wondered if it would appear during an employment background check. Or they had records expunged and wanted to make sure that searches would not reveal the records. Every now and then we would find records that the client swore had been expunged.

The search techniques used and the diligence of the background check company can often uncover records thought to be vaporized by the delete key. As records become more digitized it is increasingly more difficult to erase yourself from the digital world. Just like the picture from a sophomore year party that a friend posted on your favorite social media page, once it’s out there-it’s out there. Removing it can be difficult and time-consuming.

EXPUNGED?

Similar to those unwanted pictures, records of your past, even expunged records, can be found in the digital world. The legal term “expunged” has different definitions in different States. Some allow for the records to be sealed and treat the case as if it never happened. Some change the conviction to “dismissed” but the other details of the case are the same. In Maryland, it means to remove from public inspection. Although records are expunged, they are filed somewhere.

Once you receive an order to have your record expunged and it is served, the judicial system possessing the record will remove it from its online court access. Anyone searching your name would not see the record. Contrary to what the fast working TV detectives would have us believe, there is not one government sourced database of criminal records. Records of arrests and adjudications are kept at the local courthouses and county jurisdictions. The closest to any semblance of a national database is the FBI’s fingerprint database, to which only law enforcement has access. See “National” record checks. Third-party vendors must rely on court reported data offered by State and local governments.

As with your personal information and shopping habits, court data is downloaded, bought, and sold every day. Vendors collect the data from several sources. As the data is shared and stored and stored again, it ends up in narrower access points allowing for the production of a single report. If the vendor then resells that report, the record moves to another database. You get the idea. Just like the unwanted picture, although expunged from the government files, your record is sitting in who knows how many vendors' databases waiting to be accessed.

REMOVING THE RECORD 

The criminal record you had expunged was downloaded, bought, shared, compiled, stored, all the digital speak long before the record was expunged. The best, and least expensive, way to rid the record from existence is to deal with the source vendor directly. Most companies that deal with personal information are forthright about the data that they dispense and pride themselves on the accuracy, which means they are more than willing to help. Sending them a copy of the expungement order along with a request to have the record removed usually will suffice. The problem is finding all the places where the record is stored. This can be a tedious and long process for the individual. There are companies that will chase the record and do the work for you, but of course, fees are involved.

DISCLOSURE

Cities and states throughout the U.S. have enacted laws banning the criminal history question from employment applications. See Ban the Box 

In October 2018, a Massachusetts criminal justice reform bill went into effect that included further Ban the Box regulation. The new regulations include disclosure of misdemeanor convictions for three years (previously five). Also, employers cannot inquire about expunged records. Applicants that have had records expunged may legally answer “no record”.

The bottom line is, job seekers cannot be 100% sure that an expunged record will not turn up in a background search. If unsure, be honest about the existence of a record with the requester. Provide copies of the expungement order when the record is requested. However, know your rights within your state and handle the criminal records question per the law. You may not be required to answer.

Refer to the blog archive for more articles about criminal records in Employment



Monday, July 15, 2019

Communication is Key

Customer communication can solve many problems
Readers of this blog know that one of my customer service pet peeves is communication. Many headaches can be avoided by keeping customers informed. Even if it’s bad news, getting “in front” of the problem will result in better customer interaction and build trust in your business.

Communication with a company with which I’d completed business caused both irritation and satisfaction. Thompson Creek Window Company had installed windows. Touch-up work was necessary after the job was completed. Although scheduled for a month later, the process was smooth and painless. A two-hour arrival window had been quoted in a confirmation email. On the appointed day, the scheduled timeframe passed. I called to check. The two-hour window surprised the customer service rep as their policy is usually four, but at this point, that wasn’t the issue. When was the tech arriving? The representative made a call and I was told that the tech had been delayed due to a problem at another site. I would be the last call of the day and the tech would call a half-hour before arriving.

The end of the [business] day came and no call-no repair tech. Well, sometimes they arrive after hours to finish the scheduled jobs. That didn’t happen. Day wasted. The first thing the next morning I’m on the phone to work it out.

The customer service representative was empathetic and apologetic. Good start. She said she would “investigate” and get back to me. I put investigate in quotes because I found that an interesting choice of words. Regardless, it made me (the customer) feel that she took the matter seriously and would actually get answers.  (Read I’m in your way, to see how simple words can change a customer’s experience)

It took a couple hours but the customer service rep did get back to me. And she had really investigated what had happened.  She explained the company’s internal communication process and policies. She then explained where the failure occurred. In my case, the repair tech had been delayed beyond the appointment time and emailed the service coordinator. However, that email was after hours and the coordinator was out of the office the next day. 

She offered the explanation not as an excuse but as factual reporting. I thanked her for the explanation and for being so thorough. She said that she tries to respond to customers the way she would like to be treated. While I understood their process, I explained that a call directly to the customer at the time of the missed appointment would have helped; it would have been more welcome than no communication. The customer service rep sincerely took my suggestion. She then scheduled my repair for the first available date, which was within three business days.

Not offering excuses and providing a thorough answer definitely deescalated my situation. I’m sure some customers would have been more irate and would not have accepted the answer, but hey, the appointment had already come and gone, what could the representative have done at that point? Except provide Customer Service.

Another positive experience that started out as an inconvenience occurred at a Chick-Fil-A. I had placed an order using the mobile app for pickup. The order went through and the payment processed.  When I arrived at the restaurant, it was closed for remodeling. Now what. Luckily, I’m in an area that pretty much has two of everything in a short drive. I hop over to the next nearest restaurant ready to tell my story. Once inside I ask for the manager. A sentence into my dilemma and she asks to see my mobile order to confirm. Without further explanation from me, she processed my order. I complimented the manager for being on top of the issue and her reply was, “Thanks, but we’re really not on ‘top of it’ if the app is still accepting orders”. She immediately got on the phone and I could overhear her speaking to someone about the problem. 

Both of these examples exemplify how communication is essential to customer service. My experiences started out poorly due to a lack of communication but both ended positively. In both instances, the problem was identified, what was supposed to happen explained, and the problem fixed with little effort on the part of the customer.

Read more articles on Customer Service 

Monday, June 10, 2019

Hiring in the Gen Z age



Look out workforce there's a new generation on the horizon. Employers are, hopefully, getting comfortable with the changing hiring landscape that Millennials have cultivated. But not too comfortable. For the first time since Millennials took over the top spot in the workforce, the next wave is coming of age. Gen Z, those born after 1996, are entering adulthood and will be submitting resumes.

The numbers

Millennials are persons born between 1981 and 1996. The Pew Research Center estimated that Millennials surpassed Baby Boomers in 2016 and now are the "Old Salts" in the labor force. While Baby Boomer numbers are declining and Millennials are taking the mantle, Gen Z has been sneaking up. Bloomberg estimates that Gen Z will surpass Millennials in 2019, comprising 32% of the world's population. By 2020 they will be the majority in the workforce.

Millennials hit the workforce in such numbers and with such differing personalities from Gen Xers and Baby Boomers that they changed the way business was done, both in marketing and hiring. In order to court new hires from this generation employers had to change practices. The marketing world has gone to great lengths to shape campaigns to attract Millennial customers. A generation literally changed the way business was done. Just as the business world had things figured out, it appears that changes will again have to be made.

Who is Gen Z?

Millennials seemed to get a bad rap in the workforce but by sheer numbers were able to change how business is done. Every generation has its own idiosyncrasies. Technology advanced so quickly over the past thirty years that children and grandchildren grew up much differently than their parents and even from each other. Gen Z is the first post 9/11 generation and the first generation in which smartphones are bodily attachments. According to Buzzfeed, here are a few things that Gen Z never heard of or are curious about: payphones, floppy discs, VHS and cassette tapes, the phrases "Roll down the window" or "Hang up the phone", the pound sign, pencil sharpeners, film or film canisters, Gameboys or game system cartridges. At least some early Millennials may have come across these things or their remnants.

Generational differences

A Cultural trends report by Endeavor Global Marketing lists three major differences between Millennials and Gen Z. Gen Z is described as having non-binary beauty or gender fluid beauty concepts. They are a progressive foodie culture in which stories are part of the experience. The report says, "Expect to see a shift from photogenic, Instagrammable, food to the emergence of the stories of those behind the dishes". Gen Z will expect a more connected theater experience in which shows are releasing soundtracks early and streaming shows which generate more viral interest.

According to Inc.com, Gen Z prefers conversation to mass communication. Instead of being absorbed in social media they are more interested in quality, personal relationships. While Gen Z is less interested in their friend count, they are interested in getting their news via social media or the Internet. Compared to Millennials Gen Z is more interested in entrepreneurship.

Hiring Gen Z

What does all this mean to employers and hiring? Knowing what is coming next and how to adjust. Just as you know the qualities you are looking for in an employee you need to know what qualities the employee pool has to offer and is expecting. As you and your business age, the hiring pool is getting younger. Gen Z has aged in a different time from Millennials. Knowing about what will soon become the largest generational workforce is how employers will attract and retain employees.

Concordia University-St Paul released a study on what to expect from Gen Z in the workforce. Gen Z tends to be more like their grandparents when it comes to privacy and practicality. As mentioned, they have never known life without a digital connection at their fingertips. They are multitaskers, using on average five screens. They believe that social media is a big part of their lives but crave more personal relationships and worry that social media erodes this. They are frugal shoppers and distrust big brands. 35% plan to start retirement savings in their 20's.

The study continues with an assessment of Gen Z in the workplace. This generation is hard working. They are deeply driven by security and are motivated by salary and health benefits. They are willing to put in the extra hours if they are rewarded for it. They prefer to work independently and value skills and self-improvement. They feel that they are responsible for driving their own career. They view technology as a tool. They want to be coached and trained.

There you have it. Everything you need to know about hiring the perfect young candidate and providing them with a long and successful career. Well, not everything. But it's a good jump on knowing who will be sitting in your interview chair. The point is, there is so much more than just putting up the Help Wanted sign. Knowing your candidates will go a long way in making the proper hire and saving everyone a lot of headaches.  

More blogs on generations and the workplace at https://mazzellainvestigations.blogspot.com/search/label/millennials

Monday, May 27, 2019

Millennials are changing everything



The year 2019 will see Millennials overtake baby boomers as the largest generation. They already make up the majority of the U.S. workforce and are considered the world’s most powerful consumers. They are also the most technologically engaged. If your business has been overlooking them as potential employees or customers, you may be making a big mistake.

Hiring

My July 2018 post, A generation changes hiring, explains how businesses have had to adjust their hiring process to attract this pool of candidates. Millennials are not shy about talking to bosses or jumping jobs. They’ll move until they find the right fit and expect salary increases and better working environments.

Declines or poor planning

As far as consumers, they are driving the marketplace and causing change. A variety of recent studies regarding business and products have claimed that Millennials are to blame for their decreased sales. A few examples are fabric softener, bar soap, canned tuna, casual dining, and department stores.

Procter & Gamble believes that Millennials are unaware of the intent of fabric softener. Market research company Mintel found that 18 to 24 year olds believe that bar soap is full of germs. The Wall Street Journal reported in December 2018 that canned tuna sales have declined due to this generation’s decision that the cans are too difficult to open. There was also a report that breakfast cereal sales are declining due to claims of the product being too messy. This may also explain the lack of interest in casual dining restaurants, which have claimed that Millennials are not interested in sitting down for longer periods of time to dine. They’d rather eat on the go. Department stores may have trouble blaming a generation more than a technology phenomenon. While it’s true that Millennials are less interested in brick and mortar stores, e-commerce is probably more to blame. Consumer goods companies that have not adjusted are filing Chapter 11.

All of these products or services have seen sales decline. They’ve had to resort to price reductions, closings, or even bankruptcy to adjust. Are they looking for something to blame for declines or excusing poor planning? Some of the reports and research were based on interviews while others were based on declining sales and attributed to Millennials. Of course, claims run rampant on the Internet further fueling Millennials as scapegoats.

Reviews

They read them and they give them.  Online reviews and apps like Yelp cannot be ignored. Millennials make informed decisions about large purchases and where they are going to eat. How many stars and positive reviews your business has can drive business as well as detract. If you’re noticing a decline of business from a certain demographic, check your reviews. 

Make sure your business has listings set up on Google, Yelp, and any other app that may service your industry. Encourage reviews and be interactive, for the good and the bad. If there are bad reviews try to respond in a way that shows empathy and what is being done to correct the problem.

Home delivery

Even fast food restaurants are getting into the home delivery game. Partnering with services like Grub Hub and Door Dash, major franchises are providing home delivery. More than likely this is another way commerce is changing to accommodate a generation of buyers. To keep up or ahead, delivery or some sort of convenience offered to customers may be another consideration in your business model.

It is yet to be seen if the largest generation will become the next greatest generation, but, currently, they are a powerful economic force. Recognizing this and adapting could literally mean the future of your business. 

Visit the blog archives for more articles on how Millennials have affected the marketplace. http://mazzellainvestigations.blogspot.com/search/label/millennials

Monday, May 13, 2019

What Real-ID means to Maryland drivers

Maryland Real ID
You may have seen news reports about the need for Maryland drivers to further document their identification and citizenship or risk confiscation of driver’s licenses. This isn’t hype. It is true and deadlines are fast approaching. If affected drivers do not update their status with the MD MVA, their license will not be considered valid. Which means a police encounter could result in the confiscation of your license and TSA will not accept the license as proper ID.

REAL ID Act

The REAL ID Act was passed in 2005 setting the benchmark for personal forms of identification and establishing minimum security standards for driver’s license issuance and production. The act prohibits federal agencies, like the TSA, from accepting driver’s licenses from states that do not meet the standards. The deadline set by the Act is October 1, 2020. After that date residents of all states will need a Real ID Act compliant driver’s license to pass through airport security. 

How does this affect Maryland?

Maryland began issuing Real ID Act compliant licenses in 2016 and is listed as a state compliant with the Act. The licenses feature the state flag as the backdrop and the Real ID star logo. The license has multiple security features to guard against counterfeiting and was touted at the time as the most secure license in the U.S. 

The problem? While Maryland issued a license that met all of the Real ID Act physical security features the MVA did not always require the license holder to submit proper documentation for proof of identity or citizenship. Now those with the new “Flag” license are in danger of either losing their license or not being able to pass through federal security. 

MD MVA estimates that over a million drivers have the new license but not the necessary documentation on file. Trying to alleviate a renewal nightmare Maryland officials have set staggered renewal dates in June and November 2019 to clear the backlog before the federal October 2020 deadline. Over sixty-six thousand drivers have deadline dates in June 2019 to provide documentation. 

Is your license compliant?

Those holding the older licenses with the blue banner and crab logo are not required to update their records and may maintain their licenses until they expire. However, after October 1, 2020, these style licenses will not be accepted by TSA or other federal agencies. Even if you have been issued a flag design license you may still need to update your documentation with MVA.

You should get a notice by email and/or mail informing you that the MVA needs documentation. Rather than wait for the MVA renewal notice, you can check whether your license is compliant at the RealID Lookup link. After searching your license number you will be told if anything further is required and what to do next.

Documentation

If you are required to update your records you will need:
1) Proof of age and identity: Original or certified copy of your birth certificate OR a valid U.S. passport
2) Proof of Social Security: Original Social Security card or W-2 form, or SSA-1099
3) Proof of Maryland residency: Two documents required: insurance card, vehicle registration, credit card bill, utility bill, or bank statement. Each must show your name and Maryland address, and the two must come from separate entities.

Further information is available at Real ID FAQs.

Good luck!

Previous blog about licenses at "Real" ID.

Tuesday, May 7, 2019

Shut down Apps?


The thought for this blog post started with the idea of security regarding remaining logged in to mobile apps. The question was whether that opens any doors for hackers to access data on either other apps or your phone. It ended up going down quite a rabbit hole of security and hacking techniques that only go to show that cybercrime and security are ever-present and evolving.

Cross-Site Request Forgery (CSRF) has been a known vulnerability since 2001. According to The Open Web Application Security Project, CSRF is defined as:
A type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim. 

If you are logged in to sites and a cybercriminal can get you to visit one of their web sites or open an infected email or IM, they can then make your browser send requests to those other sites posing as you, thus gaining access to whatever you have open. This kind of attack generally only occurs within the same browser. In other words, once you have clicked on a malicious site, the attack could flow across any other sites you have open within that browser, but it would not jump to another browser, say from Safari to Firefox. An open browser could not transfer the attack to an open app, as the two store their own credentials or cookies and do not share them. The same goes for apps themselves: they store their own data. The malware would need a conduit to access other apps or your phone.

Heck of an opening to a business blog. Why do you need to know this? It is why it is important to log out of company websites and software either on your desktop or your mobile.
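The behavior described above can be seen in a small simulation. This is an added example, not code from any real site or from OWASP; the Site class, browser_send function and the bank.example name are made up for illustration. It shows a forged request succeeding while you are logged in, failing from a second browser and after logout, and being rejected when the site also checks a per-session CSRF token.

```python
import hmac
import secrets

class Site:
    """Constructed stand-in for a trusted site (not a real framework)."""
    def __init__(self, check_token):
        self.check_token = check_token
        self.sessions = {}              # session id -> per-session CSRF token

    def login(self, jar):
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        jar["bank.example"] = sid       # browser stores the session cookie
        return self.sessions[sid]       # token embedded only in the site's own pages

    def logout(self, jar):
        self.sessions.pop(jar.pop("bank.example", None), None)

    def handle(self, cookie, form_token=None):
        expected = self.sessions.get(cookie)
        if expected is None:
            return "rejected: not logged in"
        if self.check_token and not hmac.compare_digest(expected, form_token or ""):
            return "rejected: missing or wrong CSRF token"
        return "action performed"

def browser_send(jar, site, form_token=None):
    # The browser attaches the cookie for the destination site automatically,
    # no matter which page triggered the request.
    return site.handle(jar.get("bank.example"), form_token)

def demo():
    results = {}
    weak, hardened = Site(check_token=False), Site(check_token=True)
    safari, firefox = {}, {}            # each browser (or app) keeps its own cookie jar

    weak.login(safari)
    results["forged_weak"] = browser_send(safari, weak)       # sent from another page
    results["other_browser"] = browser_send(firefox, weak)    # this jar has no cookie
    weak.logout(safari)
    results["after_logout"] = browser_send(safari, weak)

    token = hardened.login(safari)
    results["forged_hardened"] = browser_send(safari, hardened)   # forger has no token
    results["legit_hardened"] = browser_send(safari, hardened, token)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```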

Developing security

Over the years sites and apps have become more security conscious, shutting down your logon after a period of non-activity and/or making you log in every time. It is sometimes a pain to log back in, but it’s for your own security. With the addition of biometric features on mobiles, even the pizza ordering apps require a fingerprint to gain access. Games and social media apps/sites tend to keep you logged in. The term for this is “frictionless” because the developers want you to have easy access, at all times, to keep you engaged in their product.

We do a lot of browsing and an increasing amount on our mobile devices. Lots of times your thumbs get fat and you errantly click on the wrong thing. It doesn’t take much to click on the wrong link, and even if you close it right away it may be too late. The same goes for links within emails. We get a ton of email to business accounts. It’s hard to tell real email from spam every time, so spam emails and links get opened. When employees are accessing company databases and files they are using those same computers to access their company email. Depending on computer use policies or adherence to the policy, employees may also be accessing their personal email accounts and browsing the web. This is when the company system becomes vulnerable to CSRF attacks and others.

Watering hole attack

It is what the name implies. A cybercriminal monitors a company’s employees to determine where they congregate, e.g., restaurants, bars, etc. The criminal bets that one or more of the employees will access the “watering hole’s” website for menu information, reservations, etc. The criminal places malware on the establishment’s site. When an employee does visit the site the criminal then has access to the employee’s computer or phone. Any company files or databases that are open (logged in to) are now fair game for the criminal.

Neither this nor the precautions are new. The same security tenets we’ve heard over and over still hold true.
Don’t open or click on suspicious emails or links in emails, texts or IMs, especially while logged into other accounts.
Don’t keep sites open. Log out.
Change passwords frequently
Don’t use the same password for multiple sites
Don’t save passwords on your browser
Keep system security updated

I’m not a cybersecurity expert, just a security-conscious user. Hope that this information has been helpful.

Regarding the initial reason I started doing this research, open mobile apps: it appears that it is OK to leave them open. Again, most security-conscious apps, like financial ones, will time out and require login. So the chance of a criminal gaining access to your phone and then entering your bank account through your bank app is probably low.

Most risks to mobile apps occur at the server level or through poor app development, not actions by the user, although using public WiFi (Wifi for dummies) is one of the biggest user faults to app security.

Research for the blog revealed information debunking an iPhone myth. Quitting apps does not help save battery life. The iPhone OS is designed for multitasking and places the app in suspension until needed. Closing and reopening the app actually causes the phone to use more power as it is starting the app from scratch. So keeping open frequently used apps doesn’t affect battery life.

Please feel free to share. Check the archives for other posts about privacy and online security.
Are you being watched? February 2018
Keys to the vault August 2015
There’s been a breach February 2015



Monday, April 15, 2019

Hey! That’s my WiFi!

Have you ever checked your home WiFi connection and noticed a long list of possible connections? Unless you live in the woods with few neighbors you’ll very likely pick up a lot. Sometimes you get a laugh at some of the crazy names your neighbors use and sometimes a start when you see NSA_Van_9.  The thing is, your router is also popping up on your neighbors' list.  

I did just that the other day and was wondering who else might be using my WiFi. Just like stealing cable in the old days, only not as personal a connection, someone close by could be sucking off precious signal strength. What I found wasn’t so much shocking as a surprise.

Wi-Fi use

Slow WiFi is one indicator of someone using your signal, depending on the plan you have with your provider and your own usage. You can quickly check what devices are using your WiFi by logging in to your router. Once logged in you will be provided with a list of the devices currently logged on. A simpler way is to use a third-party app such as Who’s on my Wi-Fi. This app will use your Wi-Fi signal and provide a list of devices currently using the signal. It is not necessary to provide any personal or router information. The list is comprised of IP and MAC addresses. Once you have the list the task becomes identifying the devices.

I used this app to search for devices, and it returned a list of twenty-five devices currently logged on. After running down the list and doing some light deciphering I was able to determine good news and a surprise. The good news: no foreign devices were located. The surprise? All the devices were mine! The twenty-five devices the search revealed did not include the devices that were not currently logged on and had Wi-Fi disabled. If everything were in use the total would be over thirty.
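The identification step described above can be done by comparing the list against an inventory you keep yourself. This is an added example, not part of the app mentioned in the post; the IP and MAC addresses and the device labels are constructed sample data. It also flags addresses with the "locally administered" bit set, which is what phones use for private, randomized Wi-Fi addresses and is a common reason one of your own devices looks unfamiliar.

```python
# Constructed sample data: what a router page or scanning app might list.
SCAN = [
    ("192.168.1.10", "3C:22:FB:12:34:56"),
    ("192.168.1.11", "da:a1:19:00:11:22"),
    ("192.168.1.12", "00-17-88-AB-CD-EF"),
    ("192.168.1.13", "F0:18:98:77:66:55"),
]
# Constructed inventory you maintain yourself: MAC address -> label.
KNOWN = {
    "3c:22:fb:12:34:56": "laptop",
    "00:17:88:ab:cd:ef": "smart light hub",
}

def normalize(mac):
    """Lower-case, colon-separated form so differently formatted MACs compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_randomized(mac):
    """True if the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def classify(scan, known):
    """Return (ip, mac, status) for every scanned device."""
    report = []
    for ip, mac in scan:
        mac = normalize(mac)
        if mac in known:
            status = "known: " + known[mac]
        elif is_randomized(mac):
            status = "unknown, private/randomized address"
        else:
            status = "unknown, vendor-assigned address"
        report.append((ip, mac, status))
    return report

if __name__ == "__main__":
    for ip, mac, status in classify(SCAN, KNOWN):
        print(f"{ip:15} {mac}  {status}")
```

An "unknown" result is only a prompt to go find the device, for example by switching Wi-Fi off on one gadget at a time and rerunning the check.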

Internet of Things (IoT)

As determined in the post Locking Down the Internet of Things we have, over time, without plan or intent, created our own IoT. That happens in most households. Excluding phones, 74% of U.S. homes have at least one smart device. Few people plan to set up a smart home system; it happens in bits and pieces. A security camera and/or alarm system, new appliance, TV, thermostat: one device at a time your IoT builds. Then a smart speaker is added that is able to control some or all of the devices and your IoT smart home comes to life. Added to the phones, tablets, and eReaders already there, your WiFi list expands.

Security

With all of the security breaches that seem to be a monthly news item, we have become numb to the warnings of password and network security maintenance. It is important to perform regular checks of our home system, especially as we add smart devices to our homes. (Are you being watched?) Properly set up new devices and be aware of what access you are granting them.

The Wi-Fi usage check is yet another added security check but one that should be completed every so often. Just like changing your smoke alarm batteries at the seasonal time change, it doesn’t hurt to set up some calendar reminder to review your home network security. This quick WiFi check not only reveals possible hacking but also helps you to get a handle on the number of devices in your home that are accessing the Internet.

Have you detected someone stealing your WiFi?  Tell us about your experience in the comments. 

Please share. Refer to the blog archive for more posts about Internet security.