Steps you can take to a Safe and Productive Zoom Session

There have been a number of articles in the press concerning Zoom, both about the privacy of its customers’ data and about vulnerabilities in the Windows and macOS clients.  There have also been several reports of trolls joining conferences and sharing questionable content, called “Zoombombing”.  The NY AG is posting inquiries, probably under the NY Privacy Shield, about privacy concerns with the application.

https://www.theguardian.com/technology/2020/mar/27/trolls-zoom-privacy-settings-covid-19-lockdown

While this is not a panacea for all of Zoom’s ills, a lot of it can be averted by taking some time to configure the options in Zoom that improve your experience from a security perspective.

Suggested Settings for Configuring Zoom

General Suggestions

  • Set up a separate account. Do not use a Google or Facebook account; Zoom will try to access information that you might not want to share.  There are a lot of articles about Zoom sharing your information.
  • Use a one-time meeting ID and require a meeting password. A random password is best.  Send the password in a separate message from the meeting invite, preferably by a different channel (e.g. invite via email, password via text).

Web Client

  • Enable the Waiting Room functionality. It puts everyone in the waiting room, where they are isolated; the host then has to allow them into the meeting.  The downside is that it requires the host to monitor the waiting room.
  • Disable “Start Zoom when I start Windows”. You can manually start it by launching the app when you need it.
  • Disable / do not enable “When closed, minimize window to the notification area instead of the Task Bar”. This way, you will know when it is running.
  • Do NOT enable “Join before Host”.
  • Enable “Stop audio and video when my display is off and the screen saver starts”.

Image from the Web Client

Zoom Web Scheduling Options

Zoom Windows Client Settings Screen

Zoom Windows Client Settings Screen2

Setting up a meeting using the Web Client

  • Click the Web Client Scheduler in the upper corner of your web browser.  This will bring up the dialog box to schedule or start a meeting.  Click Schedule a Meeting to set up a meeting.  It will bring up the Zoom Scheduler Plug-in.

Zoom Web Scheduling Plug-in

Below are the settings on the Scheduling Options screen you might want to set.

Zoom Web Scheduling Options

Click Continue.  It will bring you to the calendar invite where you can invite attendees and send the meeting invite.

Zoom Web meeting invitation

Zoom Web meeting invitation2

By default, it will add the meeting password to the text of the meeting invite (look at the message link and you will see it there).  As an additional security measure, you can remove the meeting password from the invite text (outlined in orange above) and send it in a separate communication, so that an unwanted attendee who gets the meeting invite link doesn’t get the password unless you mean them to attend.

Below is a link to Zoom’s website for suggestions on settings that can be applied in the application:

https://support.zoom.us/hc/en-us/articles/201362623-Changing-settings-in-the-desktop-client-or-mobile-app

The FCC Net Neutrality Act Pits Free Speech vs. Bots: The Machines are Winning!

Well, it looks like a free and open Internet is turning into a Terminator movie, pitting the average individual’s ability to comment on laws and regulations that are the lifeblood of democracy against unidentified special actors that wish to skew the FCC’s view of what the public thinks by flooding it with comments submitted by automated bots.

The Humans

With an issue like this you would think that it would be some group like the EFF or ACLU.  No, the man leading the charge is John Oliver.

John’s Last Week Tonight show on HBO presented a story on how Ajit Pai, the new head of the FCC, is looking to reverse the Net Neutrality protections put in place under the Obama Administration. Pai has opened a comment period on ending the Title II provisions of the current regulations.  He placed a form to elicit public comment on the FCC website, buried several layers deep so that most people would be hard pressed to find it.

In his typical half satirical / half activist manner, John Oliver provided a shortcut to the page under the domain www.gofccyourself.com, imploring people to go and post against Pai’s move to allow Internet Service Providers to give preference to some companies’ sites over others while you stare at a spinning circle or hourglass waiting for your web page to come up.

The Machines

Within a couple of days of the show, news reports surfaced that the FCC site was under a Bot attack posting comments calling for the proposed changes.

Anti-net neutrality spammers are flooding FCC’s pages with fake comments 

Their comment, all 128,00 of them and counting, says:

“The unprecedented regulatory power the Obama Administration imposed on the internet is smothering innovation, damaging the American economy and obstructing job creation,” the comment says. “I urge the Federal Communications Commission to end the bureaucratic regulatory overreach of the internet known as Title II and restore the bipartisan light-touch regulatory consensus that enabled the internet to flourish for more than 20 years.”

The reason people are sure that it is a Bot attack is because the comments were exactly the same.

What is at Stake

As a strong proponent of Net Neutrality, I see it as an extension of the right of free speech and free enterprise on an individual level.

Imagine calling your favorite pizza place getting a message to try later, but having no problem getting through to Domino’s or Papa John’s.  This analogy might be lost on the rest of the Nation, but New Yorkers know what I am talking about. Oh you know, you definitely know.

Who’s Winning?

That is how important this issue is, but now you can’t: when you go to the link, you receive this message, which refers to this FCC announcement:

GUIDANCE ON THE FCC’S SUNSHINE PERIOD IN THE RESTORING INTERNET FREEDOM PROCEEDING

You can only email or call your comments to:

ECFSHelp@fcc.gov  or at 202-418-0193.

The Machines are Winning!

Senate Votes 50-48 To Allow ISPs To Sell Your Data

The U.S. Senate voted 50-48 to eliminate the FCC’s new privacy rules, which were supposed to go into effect soon. Killing these rules would mean that ISPs will be able to freely track your online behavior and then sell your data to advertisers.

Source: Senate Votes 50-48 To Allow ISPs To Sell Your Data

In a continuing trend of the loss of individual control over data privacy, the Senate has voted to overturn the FCC rules requiring your Internet Service Provider to get your permission before using your data, such as email address, browsing activity, and location, so that they can sell it to whomever they want.

What Was Overturned?

Below are the basic premises that the vote overturned:

  • Require internet service providers (ISPs) to ask for permission before collecting sensitive information such as content of communications, precise geo-location, financial information, and more

  • Allow users to opt-out of giving ISPs non-sensitive information such as email addresses

  • Only allow ISPs to collect basic service information without which the service couldn’t be provided without any kind of consent from their customers

  • Notify customers within 30 days that their data has been stolen in a data breach

When you read this list, it seems pretty reasonable. It primarily said that you pay for a service, the information about you using that service can’t be collected and distributed without you saying so, and if that data is stolen, you are told about it.

The Cable companies claimed they are on unequal footing with companies like Google and Facebook who are held to less stringent FCC requirements.  I find this argument weak in two respects.

1) Most of those services are “free” services in that they do not charge you a monetary fee.  They make their money on your data, and are somewhat up front about it.  Your internet provider charges you a fee based on a level of service.  Why should they get to double-dip on their captive audience?

2) While you might find it difficult, you can avoid those services if you wish to. They offer you the option to “opt-out”, although you probably won’t be able to access the service.  There are other search engines and social media services you can choose.  You can even employ Tor browsers and VPN services to anonymize your online activity.  Changing your internet provider is difficult, if you even have options in your market.

Fifty Senators voted to remove these protections from individuals.  Thankfully, neither of my Senators did.  Now many will argue, but I believe that you pay for that right to privacy.  If it is not under the 9th Amendment, it probably is under the 4th Amendment (the right of a person to be secure within their home).  If you don’t think that you are entitled, look at your cable/Internet and cellphone bill (that’s right, your phone activity is included in the ruling as well).  You pay for that right and for the freedom to give information about yourself when you see fit.

What does this Mean to Us?

What does this mean to the average consumer?

  • More Spam mail
  • More advertisements
  • Greater risk of your data exposed to data breaches

Will costs go down?  Not likely.  Even though the data is your asset, there is nothing to compel your internet service provider to pay you for it.  Even the power company has to pay you, by law, if you generate power.  Your data is powering the on-line business economy.  Shouldn’t these utility providers be held to the same standard?

The Cloud Does Not Cure All Ills.  

Not everything is calm in the Cloud

Well, it was bound to happen.  Amazon S3 US East Region experienced a massive failure of its S3 storage service, and the News feeds lit up reporting a massive Internet problem yesterday. Some reports state that over 100,000 websites were impacted. While the outage was supposed to have been corrected within 2 1/2 hours, reports are the outage was up to 4 hours.  That’s an eternity in businesses processing on-line real-time transactions.  It’s even worse when all you can do is wait for an update from your vendor.

Amazon AWS S3 outage is breaking things for a lot of websites and apps

While the issue is reported to be in one Region (US East) and only in the S3 storage service in that Region (essentially like losing the hard disk(s) on your workstation / server), the question is now becoming: where is the redundancy that is so much touted in Cloud services?  Amazon maintains that S3 storage in its other Regions was unaffected.  They are also quick to point to Microsoft’s February 19th incident of 5 hours as a way to show that Amazon is “better”.  Is that an answer?  It depends on which side of the SLA agreement you stand.

The day Amazon S3 storage stood still

What is Really the Root Cause?

What will the root cause be for those AWS clients? Lack of planning might be the answer for many of the firms that experienced an outage.  The Cloud is becoming the IT management quagmire that IT managers who said “You can’t go wrong choosing…” fell into with IBM in the 70’s and 80’s or Microsoft in the 90’s and 00’s.  To be fair, the pressure on IT Managers to reduce their infrastructure costs and staffs is great.  When they are getting promises that they can leverage the data centers of Amazon, Microsoft, and Google, it is hard to argue against it.  The reality is that when a firm uses external services, it must design a solution that mitigates the loss of that service.

Ultimately, the Cloud providers will point to their legal agreements, availability statistics and other product documents in their “mea culpa”, claiming that, while regrettable, they delivered on their obligation.  They will look to point to an architectural deficiency in their client’s implementation as the cause of “their” outage.  Who will bear the brunt of the costs might be a point for debate.  No matter the outcome, the financial and reputational impact will be borne by the company.

One Person’s Travail, is another’s Opportunity

Zerto, a VM management and migration software company that operates in the Disaster Recovery space, was quick to point out that just because a firm has moved to the Cloud, its IT technology stack is not necessarily resilient.

Amazon S3 Outage: What About Cloud Resilience 

I am sure at this point that Amazon and many disaster recovery and redundancy providers are spinning this incident from a failure into a selling opportunity.  These firms are contacting their clients to go in, assess where the gaps are, and provide services and support to make sure “this never happens again!”  While they might address this issue, we know that the next issue, with a different root cause, will have the same effect.

The Lesson Learned

The takeaway for IT managers is that no matter how big or comprehensive the provider, the management of the company whose customers were impacted are the ones held accountable.  The goal is to prepare for these issues before they happen.  It is incumbent on IT Managers to identify and help quantify the risks in layman’s terms.  This requires periodic reviews of the environments and the agreements for those outsourced services, and active management as if it were an internal department.  It is Senior Management’s responsibility to acknowledge, understand, and act upon those risks.

The lesson is that the company bears the responsibility to provide a secure and stable offering for its customers.  The regulators are no longer interested.  Many have put in regulations that state it is the company’s obligation, and they will expect the company to resolve the issue and pay the fine.  Neither are the customers.  The penalties that customers will impose will be more expensive and much longer lasting.

NYS DFS Bucks the Trend to Keep NY Residents Cyber-Secure


In a political environment that is talking about massive de-regulation, New York State is proceeding with one of the most comprehensive cybersecurity regulations.  The New York State Department of Financial Services (NYSDFS) finalized its new CyberSecurity Regulation (Article 24 Part 500) on February 1st, and it takes effect next month. The Regulation covers any entity operating under the Banking Law, the Insurance Law, and the Financial Services Law, which covers entities such as banks, foreign bank branches, insurance companies, and mortgage bankers.  To see which firms are covered under the new Regulation, you can search the DFS website at http://www.dfs.ny.gov/about/whowesupervise.htm .

The Regulation calls for the institution to design a full cybersecurity program, including risk assessment, monitoring, intrusion detection, data retention for forensics, and reporting the program’s health to the Entity’s board of directors.  While the regulation makes allowances for entities, such as Foreign Bank Branches, to outsource or leverage resources outside their entity’s defined boundaries in order to meet the regulations, the entity is still responsible and accountable to meet them.  Below is a summary of the components of the regulation:

  • Develop a cybersecurity program (500.02)
  • Implement a cybersecurity policy (500.03)
  • Assign a Chief Information Security Officer to oversee the program (500.04)
  • Conduct annual penetration testing and bi-annual vulnerability assessments (500.05)
  • Maintain an audit trail of activity (500.06)
  • Limit access privileges to information systems (500.07)
  • Develop written procedures and guidelines around application security (500.08)
  • Conduct periodic risk assessments to test and improve the cybersecurity program (500.09)
  • Provide awareness training and intelligence to personnel (500.10)
  • Develop third-party service provider assessment program (500.11)
  • Implement multi-factor authentication for accessing information systems and nonpublic information (500.12)
  • Call for limitations on data retention (500.13)
  • Training and Monitoring for General Staff (500.14)
  • Encryption of Nonpublic Information (500.15)
  • Develop an Incident Response Plan (500.16)
  • Notify the superintendent of a Cyber Event (500.17)

Click on this link to see the full regulation: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf

Small Firm Exemptions

What would a good regulation be without some exceptions to the rule!  The NYS DFS acknowledges that a full program could be too burdensome for smaller organizations, so they are exempted from some of the regulation’s requirements. To be able to claim an exemption, a covered entity must meet one of the following criteria:

  • fewer than 10 employees including any independent contractors, or
  • less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or
  • less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.

If it does, it is exempt from Management Oversight (500.04), Vulnerability Assessment (500.05), Audit Trail Collection (500.06), Application Security Guidelines (500.08), Personnel Training for IT / Security Staff (500.10), Multi-factor Authentication (500.12), Security Training for General Staff (500.14), Encryption of Nonpublic Information (500.15), and the Incident Response Plan (500.16).

Indirect Control

The NYS DFS also recognizes that some firms do not have any control over their Information Systems or do not possess any Nonpublic Information.  Below is the relevant text:

A Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information shall be exempt from the requirements of Sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part.

Such a firm is exempt from everything except the following:

  • Conduct periodic risk assessments to test and improve the cybersecurity program (500.09)
  • Develop third-party service provider assessment program (500.11)
  • Call for limitations on data retention (500.13)
  • Notify the superintendent of a Cyber Event (500.17)

While I think it is possible that a firm could demonstrate this, it is difficult.

What Must A Firm Actually Do?

When you boil it down, all firms need to do the following to comply with the regulations.

  • Conduct periodic risk assessments (500.09)
  • Develop third-party service provider assessment program (500.11)
  • Call for limitations on data retention (500.13)
  • Notify the superintendent of a Cyber Event (500.17)

To perform those tasks, a firm still needs to demonstrate something.  It is curious that the cybersecurity standards and policy are exempted, because ultimately there need to be some sort of policies and procedures that the examiners will measure against.

What’s Next

Each firm must do a risk assessment as to whether it fits one of the exempt categories and, if so, whether it is in its best interest to claim the exemption and do the minimum.  While it might be cost effective in the short run, not taking precautions against cyber-attack carries its own costs in terms of loss of business and productivity, civil penalties, and reputational risk.  The first cyber-security filings are scheduled for February 1, 2018, less than a year away; that is not much time considering the amount of work that might need to be done.

There’s an app for that (but it might be fake) | Consumer Information


Last night the Department of Homeland Security posted an Alert concerning the Rise of “Fake” Mobile apps and the risks they pose to Consumers.

The Federal Trade Commission (FTC) has released an alert on fraudulent mobile apps designed to exploit consumers. Some fake apps may steal personal information such as credit card numbers. By taking precautions, users can protect themselves and their private data.

US-CERT encourages users and administrators to refer to the FTC Scam Alert and background article on Understanding Mobile Apps. For more information, see the US-CERT Tip on Cybersecurity for Electronic Devices.

Here is the link to the FTC article: There’s an app for that (but it might be fake) | Consumer Information.

I would also suggest reading their Background article on Mobile Apps.  Understanding Mobile Apps

Before going to the app store, the FTC suggests going to the website of the company or organization the app is supposed to belong to, verifying that they publish an app, and following their link to it in the store.

The FTC also suggests a web search with the company’s name and “fake app”.  I did a couple of searches and I came across articles, published statements, and white papers, but nothing in terms of a resource that the average consumer could use.  I looked to see if there is a list of the fake apps out there.  I have yet to come across one, hopefully because they are taken down as soon as they are identified. Also, I have yet to find anything on what happens to remediate devices that already have fake apps loaded on them.

It will be interesting to see if Google and Apple respond to this, since both claim that they review the apps.  I listed their policies below:

Apple App Store Review Guidelines.

Google Play App Deployment Policy Guidelines

In my post on The Value of Augmented Reality, I touched on how we give up privacy for convenience.  Nowhere is that more prevalent than with mobile apps.  Many of us will, either in a store or mall or by word of mouth, download an app and use it.  Now you might not just be giving up your information, but your hard-earned money.

A little checking might go a long way in keeping your Holiday Season happy.

2 Weeks Before Google’s Naughty List Starts


If you celebrated Christmas, there was always the twinge of doubt as a kid whether you were on Santa’s Nice list (or Naughty, perish the thought).  Now, you get to have that same feeling, but this time it’s Google making the list, starting in January.  And whether you are involved in managing a website or are just “collateral damage”, you might get the digital equivalent of coal in your stocking.

How Google Chrome is Pushing the Move to More Secure Web Browsing

In 2014, Google started putting forward the idea that all web communications should be secure.  They backed this up by using a page’s security as a factor in its search rankings and called on the community to move to encrypted communications.  The goal of this proposal is to more clearly display to users that HTTP provides no data security.

We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure.

Back in September, Google announced that their upcoming release of Chrome 56 will start noting which sites are not secured by SSL. Chrome’s share of the browser market is estimated at 74%.  Google’s announcement is only supposed to affect pages that contain credit card information and password fields. Supposedly, this will be flagged page by page, but an insecure notice will also appear on the top-level page of the site.  In addition, Google is going to show insecure warnings on sites that are secured by SHA-1 certificates, due to the vulnerability of the algorithm. Now, the deadline is almost here.

blog2bimage2b2

This will be followed by Google’s call for digital certificates to meet its Certificate Transparency requirements by October 2017.

Most larger companies that run their own websites and have security programs have probably already updated their sites, although there are examples to the contrary. The people on whom these changes might have a greater impact are small businesses, small non-profits and bloggers who might be running their own sites and have not thought about securing them, or for whom it is not offered in their current hosting plans.

What are your options?

Do Nothing

Maybe you don’t care that your site will be branded as insecure or move down the search ranks, or you don’t do ecommerce.  That might be okay for now, but Google’s plan is to eventually block all non-secure traffic.  So far, there has been no announced date for when that will be implemented.

Purchase a Certificate

Depending on your hosting company, many hosting companies offer certificates.  I have seen them run from $50 to $300 per year.  If you have multiple domains, some of these vendors offer package deals.  There are also the traditional services like Verisign and Entrust, who have been creating and verifying certificates for decades.  If you do purchase one, make sure that they will adhere to Certificate Transparency.

Obtain a free certificate from a Certificate Authority

There are several options to obtain a free SSL certificate.  Let’s Encrypt, one of the fastest growing options, is an open certificate issuing authority run by the Internet Security Research Group (ISRG).  It is supported by a number of companies including Cisco, HP, Mozilla, Facebook, Shopify, GoDaddy, Squarespace, and Google Chrome.  Let’s Encrypt is having a sizable impact on the SSL certificate market.  According to Let’s Encrypt, they have issued over 5 million certificates.  While there might not be a monetary charge, it does not come without a cost.  The certificate is for non-commercial use and is only valid for 3 months, meaning that you would need to renew it 4 times a year.  Let’s Encrypt says that this is by design, to ensure that unused and unmanaged certificates expire relatively quickly.

Installing and requesting a Let’s Encrypt Certificate

Usually, certificate installation requires some technical expertise.  To set up a Let’s Encrypt certificate you need to install Git, the source code management tool.  I was doing this work on an Ubuntu test server that was set up to host websites.  The Git install was a little bumpy because a number of the required packages that Git assumed would be on the server were not present.  Once I ironed out the issues with Git, I was ready to start the Let’s Encrypt install.

The Let’s Encrypt install comes down to three steps:

  • Clone the Let’s Encrypt Git package

sudo git clone https://github.com/letsencrypt/letsencrypt

  • Install the Let’s Encrypt installation files

./letsencrypt-auto --help

  • Request a certificate.

./letsencrypt-auto --apache -d <your domain name>

The command above is for installing on an Apache web server.  There are options for nginx, webroot, and a standalone option as well.

You need to accept their Subscriber Agreement before the certificate request will continue.  Once you accept the agreement, you will also have to decide whether you will force all traffic to be HTTPS or allow a combination of HTTP and HTTPS. This decision is a little more complicated considering Google’s plans to make the Internet more secure.

  • Allowing HTTPS traffic only can be more disruptive to your users initially: users who have bookmarked your site or hyperlinked to it might find that their links no longer work.  (You can make changes to the .htaccess file on your server to redirect HTTP traffic to HTTPS.)
  • Allowing a combination of HTTP and HTTPS traffic exposes your site to Google’s crackdown on HTTP and “insecure” algorithms, for which there is no set schedule.
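As an added example (not from the original post), here is the kind of .htaccess change referred to above: Apache mod_rewrite rules that answer every plain-HTTP request with a permanent redirect to the HTTPS address, so existing bookmarks and inbound links keep working once you choose HTTPS only. It assumes Apache with mod_rewrite enabled and AllowOverride set to permit rewrite rules in .htaccess; yourdomain.example is a placeholder for your own host name.

```apache
# Added example, not part of the original post: force HTTP -> HTTPS
# from an .htaccess file in the site's document root.
# Assumes mod_rewrite is loaded and AllowOverride permits it here.
RewriteEngine On

# Only act on requests that did NOT arrive over TLS.
RewriteCond %{HTTPS} !=on

# Send the client to the same path on the HTTPS site.
#   yourdomain.example = placeholder for your real host name.
#   $1                 = the requested path, captured by ^(.*)$
#   R=301              = permanent redirect (browsers cache it)
#   L                  = stop processing further rules
RewriteRule ^(.*)$ https://yourdomain.example/$1 [R=301,L]
```

Two points worth noting. The target host name is written out rather than echoed back from %{HTTP_HOST}, so a client cannot steer the redirect to another site simply by sending a different Host header. And because browsers cache a 301, try the rule with R=302 first and check it with something like curl -I http://yourdomain.example/ (you should see the 301 or 302 status and a Location header starting with https://) before making it permanent.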

I liken it to whether you prefer to peel the band-aid off slowly with less pain longer or just rip it off and get the pain over with.

Let’s Encrypt recognizes that most people are not really excited about having to manually renew their certificates every three months, so there is a command line statement that can be set up as an automated job. They offer instructions on how to set it up in their User Guide.

How this affects You

Forewarned is forearmed.  If you are a Chrome user, you will most likely see this play out in some fashion.  It won’t happen all at once either; it will roll out as people start to update their browsers. So whether it’s little red lines showing up in your browser or a security message where you expected page information to be, it is another little annoyance that we must endure in the constantly connected, always under attack world of Cyberspace.