About Geeks-r-Us, Inc.

About Geeks-r-Us, Inc.

The principals of Geeks-r-Us, Inc. have served the computing industry in SW Florida for more than 35 years... More »

Our Clients

Our Clients

We value our clients, and enjoy working with the premier legal, non-profit, and service sector organizations in the southeastern United States. More »

Our Services

Our Services

We offer a full range of proactive management and security services to protect your data, systems, and staff from cyber-intrusions and system failure. More »

Unified Communications

Unified Communications

Are you as \"connected\" as you need to be? Let the Professionals at Geeks-r-Us perform a Communications Services VoIP Assessment for your firm. More »

 

Category Archives: Blog

Data on the Loose: Recent Data Thefts Stealing Your History

While the news has been buzzing with the Garmin Ransomware debacle (a huge issue that we’ll tackle in a later, more thoughtful analysis), two other unrelated breaches have come to light that people need to be aware of and understand:

FAMILY TREE MAKER-   The geneology software maker had an unsecured database server exposed to the Internet and it has leaded more than 25Gb of data on users of their software. This information included geolocation data, IP addresses, and technical details of users systems.

This drives home our advice of discouraging users from browsing/using work computers for home use. Technical details of some users work systems (along with their email addresses, location, etc) were no doubt in the data hault.

GEDmatch-   This site aggregates DNA data from users and commercial DNA testing companies., and matches sequences to other users. Originally designed to assist researchers, amateur genealogists, and adoptees searching for birth parents, it has been referred to now as “the de facto DNA and geneology database for all of law enforcement.” 

DNA Sequencing

The latest breach of their internal systems, attackers were able to not only steal information on the almost 1.5 million users, but changed the settings on over 1 million accounts to make them accessible to law enforcement for searching against the express wishes of the GEDmatch site users. They also used information gleaned in the data theft to attack the Israeli partner of the company.

          ______________________________________________

The information stolen in these two thefts alone are highly targeted and high-value data on individuals and potentially data on their employers computer networks.  Anyone who has used either of these services should be on high alert for very targeted [phishing] emails trying to get you to click through to a web site, download a “new feature”, etc. Many computer and network security settings cannot adequately protect you from deliberately choosing to download and run malware, so user training and awareness is important.

The Eleven Critical Tips for Successful Videoconferencing: That’s a Wrap!

Whew. The last user has logged off, we’ve finished our post-meeting sprint to the bathroom, and now its time to get our notes together and think about what worked, what didn’t, and to get our actionable items documented and working, etc.

Lets review the tips that got us here:

PART 1: LOCATION, LOCATION, LOCATION

  • Lighting
  • Camera Positioning
  • Your “Set”: Background & Environment

PART 2: BE PREPARED

  • Practice, Practice, Practice
  • Dress for Success
  • Fine-Tune Your Camera Position
  • Avoid Common Screen Sharing Snafu’s

PART 3: IN THE MOMENT

  • Don’t be Distracted
  • Keep it Quiet
  • Excuse Yourself to Leave the Frame
  • Chat Etiquette

There’s an underlying theme to just about every one of these tips, and all the myriad others you’ll read online: Use common sense, don’t try to be overly cute or “cool”, and if you wouldn’t do it in the office conference room you should think long and hard before doing it in a virtual meeting. 

Remember that no matter the who the meeting is for, where you do it from, or the subject matter at hand, people innately want you to do well. It’s the rare individual (or ex-spouse) that is hoping for you to fail. Don’t be afraid to break the rules if you know it fits the audience and relax and enjoy!

The Eleven Critical Tips for Successful Videoconferencing: Part 3- In the Moment

OK! You’ve got your home studio set up (NBC ain’t got nothin’ on you!), you’ve staged your background, pressed your suit. Now it’s finally time to moderate your online meeting. It’s time to pay attention to how you look, what you say, and what you do – be engaged and in the moment. Please don’t take this as a downer chapter filled with “don’ts – think of them as cautionary tales of woe, and learn from the experiences and failings of those before you. In other words, don’t do these things!

Man on conference with other devices and dogs taking his attention.
Distracted Much?

HEY! LOOK UP HERE!
Don’t be distracted, but pay attention to the meeting and the content. That means you shouldn’t be being distracted by alerts on your phone. Make arrangements so you aren’t always looking into a corner of the room to shush your dogs or check on the sleeping toddler (or fighting teens). Also, you engaging in fidgety activities can distract everyone. Things like drinking, eating, smoking, trimming your nails; all are not only distractions to the meeting but project to the other participants your level of respect for their time and the meeting subject matter.

KEEP IT QUIET:
While someone else is speaking you think you can whip off the quick instant message that just popped up in Messenger? Think again, Skippy – those keyboards make a lot more noise than you may think. If you have to make a comment to someone in the room with you or do something else that is going to make noise, hit the “mute” button for your conferencing software. You remembered to make that “cheat sheet” of shortcuts to cut your audio, your video, and screen sharing we mentioned in our earlier post, didn’t you?

EXCUSE YOURSELF IF YOU HAVE TO GET UP:
If you just can’t wait a few more minutes to you refill your coffee, or if you’ve had too many of them and need to de-fill, a quick excuse me and turn off your video feed before you get up and leave. A “live feed” that is unattended is just asking for trouble. But really, try to keep attentive and in your seat.

However, if you have a co-worker get up from their chair and leave the video live, you should screenshot their empty home office and use the image later as your virtual background. This is especially funny if you get them on a video call while they are away from home, and it looks like you’re sitting in their living room. 

CHAT ETIQUETTE:
 Every Video Conference system has the ability to type little asides to the group, the presenters, or to often to other individuals on the call. Unless you need to type something that is relevant to the meeting at the moment, resist the urge. It’s a little like passing notes in grade school.

The most important reason you don’t want to have sidechats about how scruffy the boss is looking these days of social distancing or what kind of cocktail is on the menu for dinner tonight is you want to concentrate on the meeting, its participants, and contents. The second reason is that many of these services record all of the chats along with the video-audio streams, and you can’t always be certain who can access those within the recording. 

WHEW! We’ve finished the meeting. In the next posting, we’ll recap and talk about what we’ve learned.

Previous:   Part 2: Be Prepared
Next: That's a Wrap!

The Eleven Critical Tips for Successful Videoconferencing: Part 2- Be Prepared

If you’re an attorney, I would hope that if presented with the opportunity to argue a case before the Supreme Court you wouldn’t just say “I’ll be fine, how hard can it be”, but rather you would study, prepare, and rehearse for your big day of oral arguments. Whatever your profession or video conference need, apply the same discipline to your online contacts.

Practice, Practice, Practice:
Practice Your Meeting, and I mean every part of the presentation and the technology. Can you start the software and sign in properly? Do you know how to quickly turn on (and off!) your camera, microphone, and any screen or document sharing you may have to do? Every meetings software has shortcut keys for all of these action, and until you do it enough to know them don’t be afraid to write them down or print out a “cheat sheet” of commands.

While you’re writing things down, it can’t hurt to have an agenda/timeline outline that has what you need to do when – do you need to mute or un-mute all of the participants for certain segments of the presentation? Write it down.

Whatever you do, don’t try to learn the tech on-the-fly. You may be a WebEx user from way back but if you’ve switched to Zoom (or never been the presenter/moderator of a meeting until now), you won’t give the smooth presentation that you’re hoping for and it will show.

Seriously, who even bought these for him?

Dress For Success: 
If you were attending the meeting in person, how would you look?  Showered, shaved, dressed appropriately for the event?  Why should this be any different? Slouching in your bunny slippers may be fun, but you are taking the most precious thing that these individuals have to give you; their time. Respect that and show that you do by looking the part. That includes sitting up straight rather than slumping over the camera.

Fine-Tune your Camera Position:
As you do your quick run-through of your presentation, this is a good time to pay close attention to camera position and background. Has anything changed like it’s now late afternoon and the sun is streaming through a window behind you, your camera is tilted at some weird angle which will drive some participants nuts, or did the dog poop in the corner (again!) and it’s just in camera range?

This is a good time to discover that yes, you do want to wear pants, even though “you’re certain” no one will ever see below your [whatever amount you choose to dress down to]. I could do another couple of hundred words on all the times I’ve seen more than I cared to of careless co-workers. Also, it just makes you feel more professional and ready for a meeting.

Avoid Common Screen Sharing Snafu’s:
As important as what is behind you when getting in front of the camera is what is on your desktop and open in your browser.

When starting and stopping screen, document, or browser sharing you have the chance to show more than you may have bargained for. The screen “wallpaper” photo of your buddies at the frat may not be the photo you want up for public consumption.

Check the names of the icons on your desktop or opened in your taskbar. They may be embarrassing or even leak vital information about you or your organization. Close every browser tab and program you don’t absolutely need to do your presentation. Brit Hume of FOX News gave a Master Class on this in March, 2020; just check out the browser tabs. 

Brit Hume Embarassing Browser Tabs
While Hackers appreciate knowing Brit Hume Banks with SunTrust, does he have “Sexy Vixen Vinyl Set” on DirectPay?

So, the moral of Part Two of this story is don’t just slide into this as some slapdash “oh darn I’ve got a presentation in 5” kinda thing, but get your room, your computer, and you prepared to meet your audience.

PREVIOUS: Part 1: Location, Location, Location
NEXT: Part 3: In the Moment

The Eleven Critical Tips for Successful Videoconferencing: Part 1- Location, Location, Location

The start of any good meeting (in person or virtual) always begins with your meeting preparation. And just like any good realtor will tell you, it’s all about “location, location, location.”

LIGHTS: Your computer should be positioned so there is no bright light behind you. Keep your light in front of you, and at no more than a 45 degree angle to being directly in front. If you are doing evening calls, be aware that your computer screen can add additional light to your face.

Many people have invested in “ring lighting” and other fancy attachments for their computer/cameras. If you want to invest $2-300 in upgrading your lighting (and camera, and maybe a newer computer to handle the higher resolution, oh and don’t forget faster Internet at home…) that’s great – but wait until you’ve done all our recommendations here and you know exactly what you need (and how often you’re going to need it) to be successful.

Man on toilet with laptop computer
This is not the best location for video conferencing.

CAMERA: Raise your camera up to just a smidge below eye level (yes, that is a technical term). Use books, a higher tabletop, or even a stool to place your computer on (assuming a notebook with a built-in camera) so that for others in the meeting their view of you is eye level. Always be certain that you center yourself on your camera frame, and that your head is slightly above center vertically in the view without cutting off the top of your head.

Find someplace quiet; while you may be used to the kids screaming, barking dogs, trash pickup day, and the neighbors deathmetal polka band rehearsing next door, they are all distractions to the rest of your meeting team. Be aware of the small things (air conditioner, dishwasher, etc) that may not seem loud to you but are right in line with your microphone. If you can’t avoid ambient distractions, consider using earbuds or headphones with your computer. While wireless is all the rage, if you have wired (since you won’t be moving away from the computer) will eliminate problems or interference issues with Bluetooth headsets.

ACTION: 
Remember that with children and spouses around, the kitchen may not be the best room in the world to set up for your meeting. Unless you need to channel your inner Julia Childs it’s best to be somewhere that isn’t likely to be heavily trafficked and you interrupted. If you didn’t hold budget meetings at work in the office lobby last year… well, you get the idea.

On the subject of “where” – think about what is showing in the frame behind you. That funny “fart” award that your crazy Uncle Bunky gave you when you were twelve may be a cherished family heirloom, but it will detract from the proceedings as it peers over your shoulder at the virtual board meeting of the Civic Betterment Society of Bedford Falls. If you need to, have a close friend check out the view for you. Sometimes we get so used to odd belongings, a frayed chair, or that door frame chewed up that time a raccoon wandered into the house, that we don’t realize they may not telegraph the image we want to present to our co-workers, clients, etc.

I can’t finish this section without reminding everyone that while we will make the appropriate noises of approval (no one wants to be “that” person, after all), interrupting the meeting to show off your pet, child, or spouse is annoying. You didn’t bring them into office conference room so they could run around the table barking (or yelling), so no one really needs to see them via camera, either. A quick introduction or acknowledgement if they happen to inadvertently wander into the frame (You’re not in the kitchen, right?) is all that is needed.

PREVIOUS: Introduction
NEXT: Part 2: Be Prepared

The Eleven Critical Tips for Successful Videoconferencing: An Introduction

Videoconferencing: A wonderful, almost magical technology that lets us stay home in our pajamas drinking rum coladas and playing with dogs during business meetings. There is a dark side, however, and that is the home, pajamas, rum, and dogs among a list of other no-no’s when conducting or participating in virtual meetings from your personal castle.

These tips apply whether you use RingCentral Meeting, Zoom, Skype, FaceTime, Google Meet, Hangouts, Microsoft Teams, or any of the other video chat services out there. If you’ve done any number of meetings so far during the pandemic isolation you’ve likely already encountered boorish video behaviours from your co-workers, and watched more than one meeting head suddenly south by the introduction of their “most precious and beautiful little poopsie-oopsie EVER!” (and we can only hope that was introducing an adored pet and not a spouse).

Woman at desk videoconferencing

But, oh newbie to the work-from-home movement, be not discouraged: There are lots of tactics you can use to make sure that you’re contributing positively to your video chat or videoconference.

We’ve gathered the most critical of these tips (which we’re posting over the next three days) and grouped them as follows:

  • Be Aware of your Location
  • Be Prepared for the Meeting
  • Be Attentive to the Meeting

We’ll also wrap up with a How-to-Wrap-Up at the wrap-up. by the end of this series, you’ll  be ready to vidconf like a pro!     Stay Tuned!

NEXT: Part 1: Location, Location, Location

 

Is it Bad When Security Companies Leak Data? You Betcha…

This morning being The Dawning of the Age of GDPR (the European Union’s new regulations regarding privacy and data retention by businesses) I was glad to get an early start into all of the emails requiring my assent for them to keep sending me “stuff”, (I hope that about 80% take me off their email lists, but that’s another for another post).  I did, however, decide I wanted to read the latest white paper on Cyber Security from well-known Security and Compliance services firm AlienVault.  Oops…

Imagine my surprise when, after clicking on the new GDPR-mandated website box saying that yes, I know they’ll keep my data and relentlessly spam and call me, their marketing system popped open a new screen that dropped me into their SalesForce interface and started spewing 1,000+ emails of their clients and prospects from the system.  There’s no telling if this error was caused by SalesForce, the marketing automation platform Marketo, or just bad coding on the part of AlienVault employees, as all three company platforms were exposed in the code and data dump that took place. It should be noted that this wasn’t a web page that acted up and started showing its source code, it opened up an unencrypted form on the AlienVault web site that appeared to allow queries and posting to their SalesForce leads database via Marketo. I did not query their system for any information, the long, long list of emails were already displayed on the page. While I understand that “stuff” happens, for a security company to have such an egregious issue on the very first day of heightened regulation looks bad.

For the record, we do not use AlienVault (or any of the other companies mentioned above) in our service offerings.

New Ransomware Looks Like Your Office Copier

A second wave of the Locky ransomware variant called IKARUSdilapidated has been identified by security experts. The source of the ransomware is a botnet of zombie computers coordinated to launch phishing attacks that send emails and attachments appearing to come from a targeted recipient’s trusted business-class multifunction printer.

This is the second wave of IKARUSdilapidated ransomware spotted in the past month, according to Comodo Threat Intelligence Lab. The original attack, first identified on Aug. 9 and lasting three days, utilized spam messages that contained little to no content along with a malicious Visual Basic Script attachment.

 “This is a more mature campaign, targeting office workers whose workstations are part of a corporate network linked to multifunction scanners and printers,” said Fatih Orhan, director of technology at Comodo, in an interview with Threatpost. “As many employees today scan original documents at the company printer and email them to themselves and others, this malware-laden email will look very innocent.”

Emails part of the campaign use a popular printer model in the subject line to trick users into thinking the messages are legitimate. One such message reads, “Scanned image from M-2600N”. MX-2600N is the model of a leading enterprise-class Sharp multifunction printer. Messages contained malicious JavaScript attachments that if clicked on initiated a dropper program that downloaded the IKARUSdilapidated ransomware.

An easy solution to this is to always involve your trusted IT professional in the purchase and configuration of these devices, so that the subject line can be changed from the default and your staff and trading partners know what is and [more importantly] is not a legitimate email from your multi-function scan devices.  Your copier technician is rarely trained in these matters. We recommend that you limit scan and email to only off-site personnel, and using file-share delivery whenever possible.

 

[Threatpost: New Locky Variant ‘IKARUSdilapidated’ Strikes Again – 30 AUG 2017]

Election Equipment Vendor Exposes Voter Data Online

[EDITORS NOTE: This manufacturer is the same firm that makes the voting equipment used in Lee County, Florida]

Voter registration data belonging to the entirety of Chicago’s electoral roll—1.8 million records—was found a week ago in an unsecured cloud “data bucket” configured for public access.

The data was a backup stored in the cloud by Election Systems & Software (ES&S), a voting machine and election management systems vendor based in Omaha, Ne.

Researchers from UpGuard made the discovery last Saturday and privately reported the leak to a government regulator who connected them to the Chicago FBI field office. The FBI then notified ES&S, which immediately pulled down the data from the Amazon Web Services system.

Amazon buckets are configured to be private by default and require some kind of authentication to access what’s stored in them. For some reason, ES&S misconfigured its bucket to public months ago, opening the possibility that others had accessed the data before UpGuard.

ES&S confirmed in a statement that the copy of the backup file, a .bak or Microsoft SQL backup file, contained 1.8 million names, addresses, dates of birth, partial Social Security numbers and in some cases, driver’s license and state identification numbers. Jon Hendren, director of strategy at UpGuard and the person who found the exposed data, said that the databases also included fields indicating whether a voter was active. About 1.5 million of the records belonged to active voters.

There were two folders in the AWS bucket, Hendren said, containing about a dozen backup files, about 12GB in all. Also in the folder was some information on ES&S security procedures that included the hashed email passwords of ES&S employees. While the personal information of voters exposes them to fraud via phishing and other scams, the employee data poses a serious threat in another direction.

“There’s no telling how far a nefarious actor could get if they’re willing to use those credentials,” said Chris Vickery, UpGuard director of cyber risk research who has found other similar leaks via Amazon buckets. “There’s no way to tell if they would be able to infiltrate ES&S networks or systems, but the potential is there.”

ES&S sells a number of different electronic voting systems and vote tabulators. The City of Chicago is a customer of theirs, and it’s unknown what type of work was being done with the data or why it was being stored in a publicly accessible bucket.

“The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems,” ES&S said in a statement. “These backup files had no impact on any voters’ registration records and had no impact on the results of any election.”

The City of Chicago Election Board said it was notified of the breach by the FBI last Saturday afternoon at 5:37. By 9:44 p.m., the board said ES&S had taken the server offline. The board said in a statement that no systems, websites or servers managed by the board were affected and that none of its sites or networks reside on AWS.

“We were deeply troubled to learn of this incident, and very relieved to have it contained quickly,” said Chicago Election Board Chairwoman Marisel A. Hernandez. “We have been in steady contact with ES&S to order and review the steps that must be taken, including the investigation of ES&S’s AWS server. We will continue reviewing our contract, policies and practices with ES&S. We are taking steps to make certain this can never happen again.”

Vickery said it’s unknown whether anyone else accessed the data, nor whether ES&S had logging configured and enabled.

“Given the bucket name was easy to guess (“Chicago DB”) and had been up many months before I noticed it, I would say the chances of me being the first one are slim,” Hendren said.

Vickery added that ES&S websites do not have SSL enabled. A web-scanning and ranking service called CSTAR run by UpGuard determined the ES&S also falls short in that it does not have HSTS turned on, nor does it use HttpOnly cookies, secure cookies, DMARC or DNSSEC. It also displays the server information header.

 

[Threatpost: Vendor Exposes Backup of Chicago Voter Roll via AWS Bucket- 22 AUG 2017]

Lawyers E-Discovery Error Leads to Release of Confidential Client Information

A lawyer representing Wells Fargo in a lawsuit subpoena request has explained how she inadvertently turned over confidential information about thousands of bank clients.

Lawyer Angela Turiano of Bressler, Amery & Ross had overseen the e-discovery conducted by a vendor and turned over the documents to a lawyer for a defamation plaintiff without realizing she was releasing information about wealthy Wells Fargo clients, the New York Law Journal (sub. req.) reports.

The plaintiff and his lawyer told the New York Times about the release. According to the Times, the information consisted of “a vast trove of confidential information about tens of thousands of the bank’s wealthiest clients,” including customer names, Social Security numbers and financial data.

The information was turned over in a suit filed by former Wells Fargo employee Gary Sinderbrand against his brother Steven Sinderbrand, also a Wells Fargo employee. Gary Sinderbrand had sought emails between Steven and the bank through a third-party subpoena request.

In an affidavit, Turiano said she used an e-discovery vendor’s software to review what she believed to be a complete set of results and marked some documents as privileged and confidential. She did not realize she was using “a view” that showed a limited set of documents.

“I thus inadvertently provided documents that had not been reviewed by me for confidentiality and privilege,” she said.

Turiano also said the documents she flagged for redaction were not redacted before they were produced. “I realize now that I misunderstood the role of the vendor,” she said. “Finally, I now understand that I may have miscoded some documents during my review.”

According to the New York Law Journal, “The event highlights the increasing risks of relying on unfamiliar e-discovery technology—and the potential liability exposure to lawyers.”

Judges in New York and New Jersey have issued orders barring further release of the documents, requiring the plaintiff to delete any document copies, and requiring the plaintiff to give the digital file to the court for safekeeping.

 

[ABA Journal: Lawyers e-discovery error led to release of confidential info on  thousands of Wells Fargo clients- 27 JUL 2017]