Meltdown & Spectre

When You Hear About Meltdown & Spectre – DON’T PANIC! The flaws have been in CPUs for years; what is new is their public disclosure.

The fact is, the main chip in most modern computers has a hardware design flaw. Meltdown and Spectre are two related families of vulnerabilities in the way modern Central Processing Units (CPUs) speculatively execute instructions: the processor runs ahead of a permission or bounds check, and the work it later discards leaves traces in the cache that a program on the same machine can measure. The flaws have been present in processors for years, but not everyone is familiar with them; they were only publicly disclosed in January 2018, so they are only now becoming realistic targets for attack.

The simple explanation of the problem that each creates is as follows:

  • Meltdown breaks down the isolation between what you are doing (a user application) and what the computer is doing (the operating system kernel), enabling the application to read kernel memory that it should be unable to access.
  • Spectre is more insidious, breaking the isolation between different concurrently running applications: it tricks a correctly written program into leaking its own secrets to another program, reaching the same end.

By exploiting these vulnerabilities, attackers who can run code on a machine (a local program, or even JavaScript delivered by a web page) can read data used by other programs operating concurrently and so gain access to passwords, emails, instant messages, and business-critical documents. Devices impacted by Meltdown and Spectre include desktop and personal computers, mobile devices, and cloud servers.

This silent information thief cannot be detected by the average user, and it is unlikely that traditional anti-virus software will detect an exploit in progress: the attack leaves no files behind and no entries in ordinary logs.

But, DON’T PANIC. There are patches against Meltdown for Linux, Windows, and macOS (operating system updates that separate kernel memory from user memory), and CPU microcode, compiler, and browser updates that mitigate Spectre are being rolled out while research into hardening software against Spectre continues. Because the attack code can also arrive through a web page, keep browsers up to date as well. The best route to take is to update and patch all machines on the computer network, verify that the patches took effect (on Linux, the files under /sys/devices/system/cpu/vulnerabilities/ report each issue’s mitigation status), and educate all operators on the network to be vigilant and to think before clicking.
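What “hardening software against Spectre” looks like in practice, as an added example that is not code from the original article: the classic Spectre variant 1 (bounds-check bypass) gadget beside a hardened version that masks the array index the way the Linux kernel’s array_index_nospec() does. The arrays and the secret string are constructed sample data, and the block does not perform the cache-timing measurement itself; it shows the code pattern an attacker targets and the branchless fix that holds even on a mispredicted path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not code from the original page: the Spectre
 * variant 1 ("bounds check bypass") pattern beside the index-masking
 * mitigation. All data below is constructed sample data. */

/* Data a program is allowed to index with untrusted input. */
static const char public_data[] = "0123456789abcdef";
#define PUBLIC_SIZE (sizeof(public_data) - 1)

/* Something that must stay private. Whether it sits right after
 * public_data in memory is up to the compiler; the point is only that
 * an out-of-range index can reach memory the caller should never see. */
static const char secret[] = "hunter2";

/* One cache line's worth of stride per possible byte value. A Spectre
 * attacker later times accesses to this array to learn which entry the
 * speculative load touched, and hence the secret byte's value. */
#define STRIDE 512
static uint8_t probe[256 * STRIDE];

/* Vulnerable gadget. Architecturally the bounds check is correct, so the
 * function never returns out-of-range data. But while the branch is still
 * being resolved, the CPU may speculatively run the body with an
 * out-of-range x, load a byte beyond public_data, and leave a cache
 * footprint that survives after the speculation is discarded. */
uint8_t victim_vulnerable(size_t x) {
    if (x < PUBLIC_SIZE)
        return probe[(uint8_t)public_data[x] * STRIDE];
    return 0;
}

/* Branchless mask: all ones when idx < size, zero otherwise. This mirrors
 * the technique behind Linux's array_index_nospec(): the mask is computed
 * from the data, not from the branch outcome, so a mispredicted branch
 * cannot skip it. Requires 0 < size < 2^(bits-1). */
size_t index_mask_nospec(size_t idx, size_t size) {
    /* Top bit of (size - 1 - idx) is set exactly when idx >= size. */
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return oob - 1; /* 0 - 1 wraps to all ones when in bounds */
}

/* The index the hardened gadget actually uses: unchanged when in range,
 * forced to 0 when out of range, even on a mispredicted path. */
size_t hardened_index(size_t x) {
    return x & index_mask_nospec(x, PUBLIC_SIZE);
}

uint8_t victim_hardened(size_t x) {
    if (x < PUBLIC_SIZE)
        return probe[(uint8_t)public_data[hardened_index(x)] * STRIDE];
    return 0;
}

int main(void) {
    size_t samples[] = {3, PUBLIC_SIZE - 1, PUBLIC_SIZE, 100, SIZE_MAX};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t x = samples[i];
        printf("x=%-20zu mask=%#018zx index actually used=%zu\n",
               x, index_mask_nospec(x, PUBLIC_SIZE), hardened_index(x));
    }
    (void)secret;
    return 0;
}
```

The mask is what makes the fix work under speculation: a conditional branch can be mispredicted, but an arithmetic data dependency cannot be skipped, so the out-of-range load is clamped to index 0 on the transient path as well as the real one. Compilers and kernels also insert speculation barriers (for example lfence on x86) at such checks; masking is the cheaper option when the array size is known.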

An Important Article About Disaster Planning that appeared in NJBIZ


Think ahead for disaster planning: Business owners must have safeguards in place to prevent a costly Catch-22 situation

For New Jersey business owners, the series of hurricanes that recently struck Texas, Florida and other locations may have stirred painful memories of Superstorm Sandy, which rocked the Garden State in 2012.

If personal, income‐producing or business property is impaired or destroyed during a disaster, taxpayers may be able to claim a casualty loss deduction on their tax return, generally as an itemized deduction on Form 1040, Schedule A for individuals, and on Section B of Form 4684, Casualties and Thefts, for business or income-producing property.

But what if the books and records you need to compute and document your losses—not to mention carrying on your business post-disaster—get lost in the flooding, fire or other conditions that can accompany a disaster? Without the proper safeguards in place, a business owner could be in a costly Catch-22 situation.

“Some small businesses may have a lot of paper-based documents that are at risk of exposure to fire and flood, yet they don’t have much in the way of backup copies,” warned Henry Rinder, senior forensic partner at the Fairfield-based CPA firm Smolin Lupin. “Most strategic plans incorporate some kind of offsite storage of critical, relevant documents and records. So if a fire, flood or another disaster occurs—like the time that Sandy slammed into New Jersey—and your records are destroyed, you will still be able to recover your vital data with offsite recordkeeping.”

In New Jersey, professional document service providers like Iron Mountain Inc. offer storage and protection of information assets like critical paper business documents as well as electronic and other information.

“If you transfer your records to the digital space, storage can be a lot easier,” added Rinder. “This way you can easily transfer data to an offsite cloud-based ‘storage facility’ like Google Drive, often in real time. Of course, when you’re talking digital, it’s important to protect your documents—as well as your entire network—from hackers.” October is National Cyber Security Awareness Month, he said, which is an annual campaign to raise awareness about the importance of cybersecurity, like being up to date with your antivirus software.

But putting backup and other security plans in place is only one step, Rinder said.

“Every business, regardless of its size, should have a strategic plan in place that’s communicated to all the employees,” he said. “Document the steps in your disaster recovery plan, and establish a chain of command in case of a disaster, like flooding or power outages. How will people communicate if phone lines are down, or if access to your office is blocked? Then test your plans, and run ‘fire drills’ with all of your staff to ensure that everyone understands what to do, and that the plan is effective.”

Cipolla & Co., a Franklin Lakes-based full-service CPA and financial services firm, has backup generators that can power computers, lights and heat in an emergency, said Joseph Cipolla, the managing director. “We outsourced our record retention to a cloud-based provider, and everyone has a laptop and takes them off premises each night. Employees also have cell phones with their own ‘hot spot’ so they can work remotely regardless of where they’re located.”

When it comes to tax planning for a disaster, business owners may find that the biggest takeaway is to put the safeguards in place before the disaster strikes.

Things That We Think You Should Know But Are Too Busy to Research

ATON Computing continually provides technology “breaking news” that may be of value to employees of government agencies.

 

NJ GMIS Cybersecurity Awareness Event

Thursday, November 2 from 8:00 A.M. to 12:00 Noon

For the second year, New Jersey GMIS will be hosting a four-hour cyber incident case study.

There is no fee for public sector employees, however you must register to attend.

For more information and to register, click here.

 

Cybersecurity Act of 2015 from Segal McCambridge Singer & Mahoney

For a brief overview of The Cybersecurity Act of 2015, click here.

 

Enterprise Architecture and how it can increase IT efficiency & lower costs from IT Today

The goal of enterprise architecture (EA) is to create a unified IT environment (standardized hardware and software systems) across all computer-related elements, with links to the business side of the organization. More specifically, the goals of EA are to create alignment and standardization, reuse of existing IT assets, and the sharing of common methods for project management and software development. The end result, theoretically, is that the enterprise architecture will make IT cheaper, more strategic, and more responsive.

For the full article, click here.

 

 

 

Can Fantasy Prepare Officials for Reality

In 1990, all the candidates for mayor in Providence, Rhode Island, played a game of SimCity—why don’t we make all our politicians do the same?

 

Read original article here.

Top 5: Tech tips for disaster preparedness

by: TechRepublic

No matter where you live there’s always the potential for the weather to go bad. Very bad. I’m talking hurricane, tornado, or even earthquake bad.

So before you’re glued to the weather app watching the onslaught build, if you even get that much notice, you need to put together your disaster data plan.

Here are five tips for tech disaster preparedness:

1. Have a backup phone in your emergency kit.
A cheap Android phone can give you access to important communications and data if your main phone is damaged.

2. Get a solar charger.
Battery life will be critical if the power goes out. A solar charger can help you keep connected in situations where wireless is still up but the electricity where you are isn’t.

3. Store important notes offline.
Whether it’s Evernote or SimpleNote, list all your critical information in a file you can access even if connectivity is down. You don’t want to get caught needing to know one thing to get the Internet back to working but need the Internet working to find out what it is.

4. Keep redundancy in mind.
This is the more widely applicable principle behind the extra cell phone. Host data in multiple locations, preferably places with different geographic risk factors.

5. Plan and test.
Get your team together and make sure you have a plan for what happens. Then test it. Find out if your redundant system will kick in and remain seamless. Do this twice a year minimum. Make it simple for people to remember what to do in a crisis and make sure it’s going to work!

Now all this is assuming you and your team are physically safe. This is also assuming you already put together your 72-hour kits and all the other essential emergency preparedness you need as a human! If you haven’t done that, that’s the most important tip. Do it. Now.

ATON Celebrates 25 Years Supporting Government IT Needs

SOMERVILLE, NJ – ATON COMPUTING, INC, a Somerville, New Jersey Information Technology firm, is celebrating 25 years serving the private and public sectors of the state with the launch of a new and more concise web site.

“ATON has been at the leading edge of the IT revolution for the past 25 years, supporting the needs of county and municipal governments,” according to ATON principal Walter Hansen. “The changes that have taken place over that time are incalculable, but with perseverance and a dedicated staff of professionals we have kept pace.”

ATON focuses the expertise of its 9-person professionally trained staff on computer networking, business continuity, cloud computing solutions, and cyber security/risk management, providing hands on hardware & software integration specifically configured to meet the technology needs of government and the private sector.

The easily navigated web site at www.atoncomputing.com focuses on the core values instilled in the staff by Hansen who stresses that providing comprehensive Information Technology services has earned the confidence of a broad client base. The range of services includes custom Microsoft network design and installation, software program implementation, cyber security, and training that enhances efficiency, provides protection, and results in a positive return on investment.

He continued, “Our staff of IT engineers is committed to anticipating next generation solutions within a network, on a mobile platform, and in the cloud.”

The staff of IT professionals maintain current technical credentials including: Microsoft MCSE, MCSA, MCTS & MCP; Cisco CCNA, VMware’s VCP, A+ Core Services; numerous hardware & software product certifications.

The site is also geared to educating and informing visitors with regular posting of news and information that has the potential to impact government and business including expert opinions on issues from ATON staff.

For information on ATON Computing, Inc. services, access the web site at www.atoncomputing.com or call 908-725-3700.
PRESS CONTACT: Rich Reitman 908-526-1390 or rreitman@thereitmangroup.com

Equifax Data Breach

Equifax, one of the three largest consumer credit reporting and financial services providers in the United States, released a statement announcing a data breach that involves the personal information of an estimated 143 million US consumers. The company stated that it discovered the breach on July 29 and further forensic analysis revealed it resulted from the exploitation of a web application vulnerability that was used to gain unauthorized access to files containing sensitive consumer information. This access reportedly occurred from mid-May through July 2017. The information accessed includes names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers.

Credit card numbers for 209,000 US consumers and dispute documents with personally identifying information for 182,000 US consumers were also accessed. Rick Smith, the Chairman and CEO of Equifax, released a YouTube video and a FAQ sheet regarding the breach and is asking consumers to contact the call center at 866-447-7559, which the company set up to assist consumers who have additional questions. Equifax also launched a website that outlines the details of the data breach and provides additional resources for consumers. Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents were impacted, and is offering free credit monitoring and identity theft protection for one year through TrustedID Premier to those affected by the breach.

Recommendations

The NJCCIC recommends all of our members assume their sensitive personal information was compromised in this breach or one of the many incidents that have occurred in recent years and take immediate action to protect themselves against identity theft. If you were affected by a recent data breach, we strongly urge you to enroll in the free credit monitoring service provided by the victim organization. While credit monitoring is helpful in detecting suspicious or malicious activity, consumers should also consider identity theft insurance, which covers losses incurred as a result of successful fraud. The NJCCIC also recommends our members consider placing a security freeze on their credit, closely monitor bank and credit card accounts using SMS or email alerting options, and report any fraudulent activity to the Federal Trade Commission and your local law enforcement agency as soon as possible. While it may be an inconvenience, a credit freeze will prevent unauthorized loans and lines of credit from being opened in your name and it can be lifted whenever legitimate credit inquiries are necessary.
Additionally, the NJCCIC encourages all organizations that use web applications to access and manage sensitive data to review the NJCCIC threat analysis titled “Web Apps: Vulnerable to Common Threats, Firewalls Recommended”, to consider deploying a web application firewall as a compensating control (it is not a substitute for applying application patches promptly), and to regularly perform security audits of all web applications.

https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628

Botnet of Things

The relentless push to add connectivity to home gadgets has introduced a new risk into our society – the Botnet of Things. In October 2016, a botnet of up to 100,000 hacked gadgets knocked out Internet infrastructure provider Dyn, resulting in major website failures throughout the Internet.

Attackers are taking advantage of the growing number of webcams, DVRs, refrigerators, and similar devices that are connected to the Internet. Many of these devices are not designed with security in mind, and many cannot be patched or never are. The Internet of Things (IoT) is an insecure platform from which bad guys can launch attacks for both profit and disruption, and these botnets will become larger and more powerful as the number of vulnerable devices increases.

In a perfect world, our devices would run only secure software and they would be connected only to secure networks. That’s not going to happen anytime soon so we are just going to have to live with our desire to have everything talk to everything.

For the complete story, see the article by Bruce Schneier in the MIT Technology Review https://www.technologyreview.com/s/603500/10-breakthrough-technologies-2017-botnets-of-things/