
Blog

Do you need an IT Consultant?

If you own a computer, you have most likely experienced some “tech pain” on occasion.  Yes, at times Tech is a Pain!  When forging ahead with a “self-help DIY” approach, the result can be a simple fix or a catastrophic case of making the problem worse.  Either way, you may be at a crossroads where a technology support provider would improve your success rate in tech fixes and make a world of difference in your daily business routine.

So why is it so tempting to fix our business computers instead of getting the help of experts? It could be because computers are so common and many of us use them all day. That familiarity makes it tempting to try to handle business computer maintenance and repair on our own.  There is a huge amount of help available on the internet that can even help us figure out how to fix a problem. 

However, there are several issues with a DIY approach to business computer systems:

  • Time spent fixing a computer problem is time not spent doing business 
  • When maintenance and update tasks are an add-on to daily work, they end up not being done 
  • Frequent crashes or lockups are tolerated instead of being fixed 
  • Problems are only found when the system quits working 
  • Every time you have a problem, you need a lot of research on how to fix it. 

When you use Cogent Technology Solutions as your IT consultant, we allow you and your staff to focus on core business tasks.  We can also reduce the amount of time you are down or unproductive when there are problems.  Our 24/7 remote monitoring even makes it possible to identify a problem before it causes downtime.  

The technology best practice for your business is a planned approach that considers short and long-term strategic planning. These plans consider budget realities, company culture and current system status.  Increase your company’s productivity and focus on the business of doing business. Avoid Tech Pain with Cogent Technology Solutions. We will focus on maintaining a stable and secure technology environment.

New Credential Phishing Campaign is Hitting Inboxes

We have seen a few instances of a new credential phishing email that has been going out today. It is a classic example of a fake “password expiration” phish bait. While email services will start recognizing this soon and start to block them, it is a good example of what these look like so you can recognize them.

If you get an email telling you that you need to reset your password, it is 99.99999% fake, and an attempt to steal your credentials. Don’t click on the link or button, and delete the email.  If you can’t decide if an email is legitimate, forward the email to us and we can take a look at it.

In the graphic below, I have highlighted features of the email that tip off that it is a phishing attempt.

Example of a credential phishing email with text bubbles

As this example shows, the bad guys are very sophisticated in crafting phishing emails.  As a result, employees are the weak link in an organization’s network security, circumventing anti-virus software, firewalls, etc.  In fact, 91% of successful data breaches started with a spear phishing attack. Employees need to be trained and remain on their toes with security top of mind.  Please visit our Get Started page to start the conversation about our platform for training your employees and testing them on an ongoing basis.

Password Best Practices


Passwords have become an essential part of our daily lives. We use passwords for everything from social media accounts to online banking. With your banking and medical information available online, the need for secure passwords is more important than ever.

Here are our top 5 password practices.

  1. Use a unique password for each account. This way, if one of your passwords is leaked in a data breach, it will not affect your other accounts. Don’t cheat; the bad guys know all about substituting a 3 for B and adding numbers or special symbols at the end.
    If your “ILoveSummer!” password is leaked, any variation can be tried in fractions of a second. In no time, the identity thief will find that you used “!lov3summer2” for your bank account password.
  2. Enable multi-factor authentication (MFA) whenever possible. MFA adds an extra layer of security by requiring you to enter a code or use another device to verify your identity when logging in to an account. At a minimum, your primary email account, banking, financial, health care and password manager accounts should require MFA.
  3. Make your passwords long and complex. Use at least 12 characters and include a mix of uppercase and lowercase letters, numbers, symbols, and spaces. Consider using a passphrase where possible if you don’t use a password manager. A passphrase is a very long (over 20 characters) list of words that resemble a sentence. Passphrases are much easier to remember than 15 random characters.
    Avoid using common words, phrases or quotes that can be easily guessed or cracked by hackers when creating your passphrase.
  4. To make long complex passwords easier to deal with, use a password manager. A password manager will save and encrypt your passwords in a vault that only you can access (and is protected with MFA.) Password managers also help you create strong and random passwords for each account and warn you of re-use.
  5. Don’t use personally identifiable information (PII) in your passwords. This includes your name, date of birth, address, phone number, email address or any other information that can be linked to you.
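A reuse check of the kind tip 1 calls for, as an added example that is not part of the original post: it flags a new password that is only a cosmetic variation of one already in use. The substitution table and function names are assumptions made for illustration.

```python
import re

# Constructed table of common character swaps (an assumption, not exhaustive).
LEET = str.maketrans({
    "3": "e", "!": "i", "1": "l", "0": "o", "@": "a",
    "$": "s", "4": "a", "5": "s", "7": "t",
})


def _strip_tail(s: str) -> str:
    """Drop digits and symbols tacked onto the end ('summer2!' -> 'summer')."""
    return re.sub(r"[^a-z]+$", "", s)


def canonical_forms(password: str) -> set:
    """Return the base word(s) a password reduces to once decoration is removed.

    Both orders are tried because a trailing '0' or '!' may be padding
    (strip it) or a letter swap (translate it); either reading can match.
    """
    p = password.lower()
    forms = {_strip_tail(p).translate(LEET), _strip_tail(p.translate(LEET))}
    return forms - {""}


def is_variation(new: str, previous: list) -> bool:
    """True if `new` shares a base form with any password in `previous`.

    Intended to run locally, e.g. at password-change time or over a
    password manager's own entries, so nothing is stored in plain text.
    """
    new_forms = canonical_forms(new)
    return any(new_forms & canonical_forms(old) for old in previous)


if __name__ == "__main__":
    in_use = ["ILoveSummer!"]  # the post's own example password
    for candidate in ["!lov3summer2", "correct horse battery staple"]:
        verdict = "variation, reject" if is_variation(candidate, in_use) else "ok"
        print(f"{candidate!r}: {verdict}")
```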

Bonus Tips

  • Change your passwords only when necessary. Changing your passwords too frequently can make them harder to remember and more likely to be reused or written down. A good rule of thumb is to change your passwords only when you suspect a breach or when prompted by a legitimate service provider.
  • Don’t share your passwords with anyone else. Not even with friends or family members who may have good intentions but may compromise your security unintentionally.
  • Don’t send your passwords by email, instant message or any other means of communication that are not securely encrypted. Hackers can intercept these messages and steal your passwords easily.
  • Avoid using public computers or networks to access your accounts online unless absolutely necessary as they may have malware installed that can capture keystrokes.

Following password best practices will help keep your online accounts safe and secure. By using strong passwords, avoiding common mistakes, and being cautious of cyber threats, you can significantly reduce the risk of your accounts being compromised. Remember to enable two-factor authentication wherever possible for your important accounts.

The LastPass Data Breach

LastPass, the popular password manager, has suffered yet another major breach.  This has put customers’ online passwords at risk and endangered their data.

In late December, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company disclosed in August eventually led to an unauthorized party stealing customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass that date back to 2011.

An unauthorized party was able to gain access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal a copy of customer vault data.

If you were a “LastPass” subscriber, what should you do? 

LastPass estimates it would take “millions of years” to guess your master password — if you’ve followed its best practices. If you used a complex master password that was only used for LastPass, your LastPass vault is fairly safe. 

The vault is encrypted, and your master password was not stored at LastPass, so the thieves did not get a copy of your master password.

The problem is that the threat actor has two strategies to guess your master password. The quickest and easiest method is to search password databases from other data breaches for your LastPass account name and then try every combination they have. This is known as Credential Stuffing. It would take only seconds to try the combinations. The threat actor will even search for minor variations like adding numbers to the end of the password or changing the one special character at the end of the password. If you don’t re-use passwords, credential stuffing doesn’t work.

The second method is a brute force attack that uses a trial-and-error approach to systematically guess login info, credentials, and encryption keys. The cyber-attacker submits combinations of usernames and passwords until they finally guess correctly. If you used the LastPass recommended complexity combined with their encryption, brute force would take too long to be useful. If you didn’t use a long complex password, or your master password has been leaked through re-use, your password might be guessed in something between minutes and millions of years. 

The safe approach is to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions, and they are working at trying to unlock your vault. 

If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. You might want to transition away from LastPass while you update your passwords. 

With that in mind, here’s what you need to do immediately if you’re a LastPass subscriber: 

  1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now is a great time to seek an alternative.
  2. Change your most important passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information.
    Don’t forget that the email account you use for resetting your forgotten passwords is one of those ‘important passwords’.
    Make sure these new passwords are strong and unique.
  3. Enable two-factor authentication wherever possible. While you are changing your passwords, make sure to enable two-factor authentication on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone). We will be posting an article soon about multi-factor authentication.
  4. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.
  5. Change your master password if you choose to stay with LastPass.  While this doesn’t change the threat level to the stolen vaults, it will still help mitigate the threats of any potential future attack.

If you find that your data has been breached or you are experiencing unusual functionality with your business computer systems, contact your IT Department. If you are a business owner, Cogent Technology Solutions can assist in remediating a Cyber Attack. Contact us immediately at http://www.cogent-ts.com/get-started/ 

Who We Are – Larry Strunk

Larry Strunk with Cogent Technology Solutions has extensive knowledge in CAD drafting, Civil site design, and CAD Standards, in addition to his long experience working with servers, networks, and firewalls. In addition to his full-time position as Senior Systems Administrator since we began, Larry has been an Adjunct Instructor of Civil Drafting and Civil Site design using Bentley PowerGeoPAK and Autodesk Civil 3D at Lansing Community College for 13 years and is a certified online instructor. We feel fortunate to have his expertise on our team.

Cogent in the Community at Caberfae Peaks

Cogent in the Community! Rich Houk has been involved in youth, high school, and club racing since his kids began racing in 2002. Rich helps out with the technology in use for ski racing and even cameras for monitoring the race courses. He has served as a race official for high school races, serving in a variety of roles up to and including Chief of Course. Shown here, Rich is running the timing for the MHSAA Division 2 Region 5 regional tournament recently held at Caberfae Peaks. Big congratulations to the Cadillac Ski Teams at the state finals, Boys Team 3rd place! Girls are the state Champions!

Cogent in the Community! Tim Anderson

Tim Anderson has been a member of the Cadillac Lions Club for 20 years.
He is currently serving his 2nd term as club President. Tim has been a member of their board for 19 years and has provided leadership for many projects.
The Cadillac Lions Club was recently featured in the Lions Club International Magazine. Cadillac Lions Shack

Happy Holidays

Happy Holidays from Cogent.

The Cogent Technology Solutions Team wishes you a happy and healthy holiday season. 
Our offices will be closed on Friday, December 24th (Christmas Eve) and Friday, December 31st (New Year’s Eve).

Emergency services will be available through our team on call.

Wishing you a prosperous New Year!   If you have not had an opportunity to complete the Cogent Technology Solutions 2021 Customer Survey, please consider taking it now. 

Cybersecurity First

Cybersecurity starts with you. Every time you use the Internet, you face choices related to your security. Is that really your friend on Facebook asking you to add them again? Is that oddly worded email really from the CEO asking you to confirm your social security number? Is the “Strong Coffee” wireless network really the coffee shop’s?
Your security and the security of your employer depend on everyone making secure online decisions. Making the Internet more safe and secure requires all of us to take responsibility for our own cybersecurity posture.

Cybersecurity awareness month is coming to an end, but we need to stay aware. Peak shopping scam season is coming.

Fight the Fish!

Phishing attacks have been around for a while, but they were responsible for 22% of all data breaches in 2020. While email is used in over 80% of phishing attempts, they can also use text messaging and phone calls. The methods crooks use continue to evolve, email attachments one day, disguised web links the next. They pose as your boss, your ISP, a business partner, a government agency or your bank. As phishing attacks evolve the bait is hiding the hook better. We can’t just rely on spotting spelling and grammar mistakes. Remember, the crooks only need to succeed once, and can keep trying.

  • Think before you click – Look closely. If you are at all suspicious, attempt to verify with the sender.
  • Verify before you enter credentials – If you do click on a link and are asked for credentials, close your browser and call the sender.
  • Keep sensitive data off of free Wi-Fi networks – If the crook is listening in at the coffee shop, they can grab your data.
  • Don’t reuse passwords – Not re-using passwords is a damage limiting precaution. When you reuse your password, the bad guys have access to every site you use that password on

As phishing techniques get more sophisticated, they are getting harder to spot. Understanding the attackers’ methods may help you see new phishing methods quicker. The four main components of a phishing attack are:

Targeting – Phishing crooks use targeting to increase their odds of fooling you. It can be a broad group, like customers of a bank that has just merged. Or, it can be targeted at an individual, which is known as spear phishing. The target selection determines what type of bait gets used.

Bait Selection – Next, the crooks choose their bait. These are the emotional triggers that are designed to prompt you to click on the link or download the file. Here are a few common emotional triggers.

  • Curiosity – The ‘what happened next’ or ‘find out more’ approach. These are often tied to current events, celebrities or more normal events that can pull at you emotionally and reduce your level of care before clicking the link.
  • Hope – Hope phishing uses our aspirations to trick us. These can include high paying job offers, prize winnings, or health and fitness goals.
  • Necessity and Fear – The necessity trigger is very effective and really cranks up the urgency of a response. They can include warnings about large purchases on your amazon account or being locked out of your email or other account.

Hook Selection – After choosing their bait, the bad guys need to select the ‘hook’ or method they will use to collect your credentials or deliver malware or ransomware. Below are some of the more common hooks. One newer trick is to hide the phishing link in an unexpected place such as an unsubscribe link after the content.

  • A faked link that you will click on to reset your password or download a form or document.
  • A request for payment to a spoofed payment site.
  • An attached file they are pushing you to open.

Casting the Line – Finally, the crook has to get the phishing message in front of you. They once again have multiple choices for delivery and methods to further hide the hook.

  • Spoofed email address – This can be a very effective method. The email looks like it came from your boss, a business partner, a government department or even your family.
  • Spoofed Domains – The bad guys often will register a look-alike domain to make the content look more legitimate. They will use letter substitution and visual disguises like adding an extra ‘l’ to a name that has two l’s (billling vs billing) or using two ‘v’s for a ‘w’ (vvorldwide vs worldwide).
  • Stolen email addresses – When the crooks have already stolen some credentials, they can use the compromised account making it very difficult to detect the sender is not legitimate.
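A check for the look-alike domains described in the list above, as an added example that is not part of the original post: it reduces a sender's domain and each trusted domain to a "skeleton" in which the visual tricks compare equal. The trusted list, the substitution table and the function names are assumptions, and only ASCII substitutions are covered.

```python
import re
from email.utils import parseaddr

# Constructed allow-list of domains the organization really corresponds with.
TRUSTED = {"billing.example", "worldwide.example", "example.com"}

# Visual stand-ins, multi-character ones first (assumed, not exhaustive).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which visual look-alikes compare equal."""
    d = domain.strip().rstrip(".").lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    # Collapse repeated characters: 'billling' and 'billing' both give 'biling'.
    return re.sub(r"(.)\1+", r"\1", d)


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify(from_header: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike of <domain>', 'unknown' or 'unparseable'."""
    dom = sender_domain(from_header)
    if not dom:
        return "unparseable"
    if dom in trusted:
        return "trusted"
    by_skeleton = {skeleton(t): t for t in trusted}
    match = by_skeleton.get(skeleton(dom))
    return f"lookalike of {match}" if match else "unknown"


if __name__ == "__main__":
    # Constructed From: headers using the post's two look-alike spellings.
    samples = [
        "Accounts <invoices@billling.example>",
        "Travel Desk <noreply@vvorldwide.example>",
        "The Boss <boss@example.com>",
        "Newsletter <news@other.test>",
    ]
    for header in samples:
        print(f"{header:45} -> {classify(header)}")
```

A "trusted" result only says the domain is spelled correctly; a spoofed address or a stolen account, the other two cases in the list above, will pass this check.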

Phishing attacks look to be around for a while. Fortunately, they still require you, the recipient, to take action before the attack succeeds. Knowing what to look for and what to do if you see something suspicious is the best defense against phishing attacks. We can provide security training and ‘safe exposure’ to help you and your staff be better able to recognize scam and phishing emails. Please contact us to learn more.