What a Short-term, Long-lived Nightmare!

by Leave a Comment

I genuinely want to keep you safe and secure, but I realize it is a considerable task that gets more formidable with each passing day.

Last month, I sent you a brief email describing a threat posed by the ScreenConnect software. A researcher discovered a flaw that could allow unauthorized access to the software. While the vendor quickly confirmed and then fixed the problem, the true breadth of the issue soon became apparent. With two versions extant, ConnectWise had to ensure they patched the cloud version quickly and notified everyone who had purchased licenses for the server-based version to patch their instances.

I am grateful to use the cloud-based version because I didn’t have to lift a finger to install the patches. On the other hand, during a blizzard of pop-up webinars given by various security providers, including Huntress, I learned that hundreds of systems are running older versions of ScreenConnect, and ConnectWise has no contact information. Emails they sent to alert people were treated by Microsoft’s Exchange and Outlook as spam, thus not reaching the intended recipients promptly.

In some cases, servers were compromised, and bad actors accessed attached client computers. No one knows what information was exfiltrated, nor what hidden threats were left behind. I work in a world of acronyms, and one that I frequently heard last week was IOCs. That abbreviation stands for “indicators of compromise,” meaning the digital and informational “clues” that incident responders use to detect, diagnose, halt, and remediate malicious activity in their networks.

By the end of the week, a significant news story was that the healthcare giant UnitedHealth Group had to shut down the IT systems at its subsidiary Optum because of a ransomware attack. Optum Solutions operates the Change Healthcare platform, the largest payment exchange platform among doctors, pharmacies, healthcare providers, and patients in the US healthcare system. As more information came to light, analysts believe a group of bad actors took advantage of an unpatched ScreenConnect server and ran roughshod over the entire network.

I will assume an organization as large as UnitedHealth Group has a valid incident response plan (IRP) and that pulling the network plug on their computer systems was the first step. Next, of course, was to contact their insurance company and establish a remediation task force. But what about smaller organizations?

How does a one-person MSP or a 10-person firm handle this? I will spend the next few months making certain that my IRP is updated to account for such an incident. As I edited a penultimate version of this newsletter, an email arrived from the New Jersey Cybersecurity & Communications Information Cell (NJCCIC) about Russian SVR actors targeting cloud infrastructure. The email goes on to say:

The NCSC has previously detailed how SVR cyber actors have targeted governmental, think tank, healthcare, and energy targets for intelligence gain. It has now observed SVR actors expanding their targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

Even though I don’t use a server-based version of ScreenConnect, I now feel it necessary to include additional “what if” scenarios in my IRP to ensure thorough coverage.

Thanks, and safe computing!

Email Protection is Essential

by Leave a Comment

For the past eight years, I have used a software product called Reflexion (from Sophos) to scan my email for threats. The product offered some wonderful features that enabled me to pursue my business without major threats of ransomware and business compromise emails. Regrettably, Sophos decided to retire the product earlier this year. I was not satisfied their replacement had all of the features and functionality I had become used to, so I searched for an appropriate replacement.

I found Proofpoint and, despite a significant effort on my part to transition, really like how this product is helping keep me and my computer network safe from email-based threats.

Proofpoint scans all incoming emails and rates them on a threat score. This cloud-based product holds the suspect emails in quarantine, and I receive an activity summary each morning. When I review this list, I can block or release (and approve) as needed. This functionality gives me great peace of mind that nothing malicious will hit my computer.

Another significant product feature, URL Defense, analyzes and re-writes hyperlink URLs. The feature scans and refactors all URLs to protect people from malicious websites. For example:

https://www.reddit.com/subreddit/article/topic

would become:

https://urldefense.proofpoint.com/v2/url?u=https-3A__click.redditmail.com_CL0.

The other day I received an email that made it through the standard filter. It was for “pre-approval of a $372K loan” for my company. I was surprised it made it through, but there was nothing inherently wrong with the email contents. I looked for and found the link to unsubscribe from their garbage. At this point, I was so grateful to be using Proofpoint because I received a pop-up window (shown below) indicating the link was for a malicious website.

Proofpoint block

Honestly, this is the first time I’ve seen Proofpoint pop up, and I was both thrilled and scared simultaneously. It was obvious that the bad actors had taken advantage of my normal human response to subject my computer to malicious software based on my decision to avoid getting more emails from this organization. I shook my head at the audacity of the threat and how I had circumvented it.

My SonicWall firewall would have prevented malicious code from being downloaded. SentinelOne would have reacted immediately had any unwarranted programs started taking abnormal actions and reaching out to websites out of my ordinary purview. The bottom line is: I dodged a bullet, and my computing environment is still safe.

I have to wonder: What would have happened in an unprotected computer? What might have occurred in a small business that didn’t have a firewall or SentinelOne? I’m guessing the results would not have been good. The business owner would have called some IT person or company asking if they could help recover a computer — because someone thought they were doing the right thing.

I have blocked the sender’s address to ensure I don’t receive any more emails; however, countless other bad actors will continue to attempt to gain access and run roughshod over any willing victim.

My final words on this are simple: If you do not know the sender of an email, you must consider them suspect. In the past, I would have assured you that clicking the Unsubscribe link was sufficient to remove your name from a mailing list. Now, I’m changing that advice. If you don’t know who sent it, delete it. That will save you endless heartache and grief from potential problems.

For small business owners who own their web domain or email accounts, even if you use Google Workspace or Microsoft Office 365, I recommend you add Proofpoint to your existing SHADE subscription. This low-cost, high-value offering is something that could help prevent problems from occurring on your network.

Thanks, and safe computing!

Breaches at Password Manager LastPass Cause Concern

by Leave a Comment

Password managers are programs that let you store an ever-growing list of online credentials in a safe location. These programs remove the need to record this information insecurely, such as by emailing them and writing Post-it Notes.

Many security experts advise clients to use these programs as part of best security practices because they also let you create strong and unique passwords for each online account you have. Additionally, some programs alert you if you duplicate a password across different accounts and can notify you if your password has appeared in a known data breach.

However, if your program’s secure vault is compromised, it potentially puts every one of your online accounts at risk of compromise. This issue drew my attention following last year’s extensive LastPass breach incident.

In 2022, there were multiple breaches at LastPass. In addition to putting the response and actions of LastPass under the spotlight, the incidents have raised questions over the safety of storing multiple login credentials on password managers altogether.

LastPass announced in late August 2022 that “an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account.” This enabled the attacker to take portions of source code and some proprietary LastPass technical information.

After conducting an investigation and forensic review, LastPass said it found no further evidence of activity from the threat actor. The unauthorized access was limited to its development system, which is “physically separated” from its production environment.

At the end of November, they made another announcement that an unauthorized party had gained access to a third-party cloud storage device. This new breach was enabled by the information gained by the attacker during the original August incident.

And a few days before Christmas, the firm informed users that attackers had accessed encrypted customer data (username, password, and notes) and unencrypted data (the website addresses of customers’ online accounts).

Do I believe you should keep your LastPass account following this last episode? No, but the damage has already been done. There is a high likelihood that your account may have been compromised. But if you want to continue to use LastPass, there are three things you must do to continue using the service.

  • First, you must strengthen your master password and ensure it is unique, long, and complex.
  • Second, as an extra security precaution, you should change the passwords for the websites you have stored in the service.
  • Third, you should be on the lookout for targeted phishing attempts in the coming months, with the attackers accessing your unencrypted contact information and websites.

I have reviewed these services over the years and have not found one I have felt entirely comfortable using – and I have not only my accounts to manage but many of my client’s accounts. I hate to say it, but the safest and most secure way of managing your passwords is to use a notebook and write them down.

If you use a document or spreadsheet and your computer is ever compromised, you will lose that information, and bad actors will use it against you.

What is the best way to implement this Luddite approach? Have one page per account, and write the name and website address at the top. Have a one-line entry per password, preferably with the date you first used it. If you must change a password, cross out that line, and write a new one along with the date, you created it.

The more complex we have made our lives by thinking that computers would make things easier for us, the more I think we need to use simple methods to maintain our security.

A Fresh Approach to Cyber Security

by Leave a Comment

Owners of and partners in small businesses, please take heed: It’s time to revisit your cyber policy.

Most of you think, “Thanks for the advice, but that won’t be necessary.”

Some, if not all, will say, “Cybersecurity is a concern. We’ve seen how ransomware has been in the news and affected local organizations. But don’t worry; we have it under control.”

I’m sorry to say that willful ignorance will not work.

Why? Because despite frequent newsletters and emails from Managed Services Providers (MSPs) like myself, many business owners disregard the hard work required to ensure their business remains operational.

Also, last year’s cyber program will not be enough to address tomorrow’s cyber challenges. Even if your business has successfully addressed cyber-attacks and ransomware threats, newer, more vicious dangers will arise. Sadly, the bad actors are improving as fast or faster than the good guys.

Neglecting cybersecurity can:

  • Undermine the reputation of your business with your clients.
  • Force unacceptable expenditures associated with cleaning up after security breaches.
  • Cripple your ability to conduct your daily business until the threat has been identified and remediated — costing you thousands, if not hundreds of thousands, of dollars.

So, what steps can you take?

To begin, I’ve never met a business owner who said that cybersecurity is unimportant. While true, I’m exaggerating. Most business owners don’t necessarily consider it a priority, if at all. But they acknowledge actions I take, like patching their servers and desktop computers and offering business continuity and incident response plans, are essential.

However, their actions often don’t match their words. I frequently encounter a business owner who checks off the box when their insurance comes up for renewal without giving more thought to the problem.

My job is to make cybersecurity a priority and a core part of everyone’s business environment. In some cases, you will hear me discuss cyber protections more than I have in the past — only because I’ve seen some ramifications when businesses fail to heed common sense measures. Business owners should want advisors on how to lower the risk to their business. Often, that’s not the case.

Next, some business owners think cybersecurity is just a minor aspect of technology. But cybersecurity is a business risk issue that will either strengthen or harm your business. Security experts agree that what is needed is a robust system of training, followed by understanding and actions that start with the business owner and that all employees or staff follow.

There are many ways to improve cybersecurity risk management. These methods include identifying, protecting, detecting, responding to, and recovering from inevitable cyberattacks. But irrespective of your procedures, your employees, clients, business partners, vendors, and others you interact with need to see you — as a business owner — step up and lead those cybersecurity measures.

The start of a new year is a perfect time to realign — or even start over — on cybersecurity. Theodore Roosevelt once said, “In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.” Just make sure you do something!

Thanks, and safe computing!

The Calendar Year has Changed, but Scams Haven’t

by Leave a Comment

In 2017, there was a security breach at the credit reporting firm, Equifax. This breach was significant news at the time, and by 2019 the company agreed to a $425 million settlement of several class action lawsuits. They offered credit monitoring or a cash award of up to $125. At the time, I recommended the former.

In the closing days of December 2022, Equifax began to issue those cash awards. Many people found the amount they received laughable (e.g., most claimed to receive less than $10). However, scammers immediately went on the alert and into action. The website DomainTools.com reported several new domain names, which closely resembled the legitimate one, had been registered in just a few days. The valid website name is equifaxbreachsettlement.com. Fake versions include equifaxbreechsettlement.com, equifaxbreachsettlementbreach.com, and equifaxsettlements.co.

If you get an email notification about payment, do not click on the link in the email. It would be best if you went directly to the legitimate website and manually entered the keycode shown in your email. These instructions also apply if you get a letter in the mail.

Of course, because everyone’s information was made publicly available, scammers know who you are. If you get an email that seems slightly off and want to learn if it is “real,” please forward it to me for verification. Doing so is not an intrusion on my time. I would much rather spend a minute or two to review the contents of an email, than spend several hours — or days — working to restore your stolen identity.

Thanks, and safe computing!

How I Prepare for the Security Threats of Tomorrow

by Leave a Comment

There is little doubt that cybercrime is becoming more complex, and ransomware and data breach events are becoming more frequent. As a result, many small business owners have become concerned that they will soon be victims. Some have looked to IT solutions providers, like Heliotropic Systems, to help deal with these evolving threats. That is why it is vital for me to understand the current state and emerging trends of that threat landscape and what tools I can use to combat them.

Let’s look at the cybersecurity landscape and analyze the threats, trends, and opportunities.

Protecting Small Businesses from Ransomware Attacks

Cybercriminals are increasingly targeting small- to medium-sized businesses (SMBs). In 2021, more than 40% of all cyberattacks were against small businesses. Digging deeper into that statistic, researchers have found that of those attacked, approximately 60% will go out of business six months following an attack. The primary reason is that so many SMBs don’t have the resources to support an internal IT and data security operation.

In almost all of my security vendor recent annual reports, the most common threat was ransomware. The second tier threat was data breach. To combat these insidious hazards, I must be proficient in three areas.

Prevention

The primary goal is to eliminate the threat of an attack in the first place. While I fully acknowledge there is no “right” way to do this, there are measures I take to help keep my clients from becoming ransomware victims. I recently added Huntress (a threat detection tool) to my portfolio. You subscribe to SPF+ (for consumers) and SHADE (for small businesses), which enables automated patch management to fix potential vulnerabilities as soon as they are discovered.

Another significant measure is to constantly remind clients that rather than click on a link or respond to a suspicious email, you should call me for confirmation. The other day, someone said they received an invoice for three years of Norton Lifelock. No, they didn’t — they received a scam email. It was de-
signed to obtain sufficient information to make fraudulent charges on their credit card.

Detection

I’d be remiss if I didn’t acknowledge that ransomware can still get through the protection layer despite my best efforts. That’s why I have measures in place to identify when ransomware is present, rather than assuming an attack will never be successful. The earlier I can detect it, the sooner I can take action to eliminate it.

Response

When ransomware is detected, responding to the attack, and eliminating it must be done with the utmost efficiency. Some of the steps I must take include:

  • Scan the network for confirmation of an attack unfolding.
  • Identify the infected computers and isolate them from the rest of the network.
  • Secure all backup data or backup systems immediately.

I feel good knowing I have a significantly positive affect on my clients’ businesses by optimizing ransomware prevention and detecting and quickly responding to attacks. Ransomware attacks were estimated to cost roughly $20 billion in 2021. My aim is to save my clients from suffering any financial damages that would hurt their business.

Finding the Right Tools to Combat Ransomware

All my small business clients trust me with access to critical systems and data. They feel protected because they know I will act swiftly and effectively when a threat arises. To accomplish this, I have – over the years – sought to obtain the necessary tools that will facilitate quick and decisive action.

For example, remote monitoring and management (RMM) provides me with access to your computers so I can keep them secure, patched, and operational. I can proactively fix any vulnerabilities before you are attacked with automated patching, whether it is from Microsoft or third-party vendors, which helps optimize ransomware prevention efforts.

But, again, the idea is always to be prepared if ransomware attacks are successful. SentinelOne takes the next step of ransomware defense by including native ransomware detection. It constantly monitors for crypto-ransomware and attempts to kill the malicious software, thus reducing the impact of an attack. You (and I) get alerts at the first detection of crypto-ransomware, and I can automatically isolate any infected computer.

The ability to detect ransomware immediately enables me to execute an action plan sooner rather than later. And I know ransomware infections can cause extensive damage, which may prove too costly for many small businesses to overcome.

Of course, no ransomware response plan is complete without a system to protect the most vital company resource – its data. Regularly backing up data can reduce the risk of downtime when a ransomware attack is successful, but the backup system must be secure and reliable. The Datto Vaults I deploy at client sites are designed to protect physical, virtual, and cloud infrastructures and data. The data is well protected and easily accessible, so I can recover it rapidly when needed. The Vaults also have software that detects ransomware within backups, saving me (and my clients) time locating the last clean system restore point.

Leveraging Security Services to Help You Grow Your Business

Most of my colleagues will tell you that they are all focused on security on many levels, whether securing computers and networks, protecting data, or understanding how to be better against the threat of ransomware. Security threats will never go away – we can only keep them at bay. I believe I can effectively protect my clients and ensure their businesses thrive with the multi-layered security tools I have deployed.

Thanks, and safe computing!

Tell Me What I Need to Know, Not What You Want to Say

by Leave a Comment

So, if you are going to make a presentation about cybersecurity to a group of small business owners, what are some things you would do to prepare for the event? That question came to mind when I attended a webinar co-sponsored by the Chambers of Commerce of Fort Lee and Hackensack earlier in May.

A local IT company offered to have a speaker come in and talk about cybersecurity, but I do not know what kind of homework this speaker did before that session. The answer seemed “minimal” because when the speaker began, he spoke in a language I understand, but not one these attendees would know or use. He was talking about endpoints, EDR, SOC, and SIEM. In English, that means computers, Endpoint Detection and Response, Security Operations Center, and Security Information and Event Management. Those acronyms didn’t help because he had to stop and explain everything. He might have considered preparing a glossary to distribute before the presentation — that would have been helpful.

What else might he have done? As part of the preparation, he might have obtained the list of attendees. He might have looked up their businesses on the internet to focus on topics that may have been pertinent. If there was sufficient time, he might have even called the Chamber’s directors and asked to speak to some of those business owners to get a feel for what they were interested in understanding.

After a 45-minute talk, it was clear that this speaker’s presentation was geared toward much larger organizations than those he was addressing. And he was going to say what he came to say.

I don’t mean for this to become a rant, but it seems that by not preparing, he did a disservice to his audience and the topic of cybersecurity. His intent was to educate so that he could potentially sell his company’s services. But he couldn’t make it clear to the attendees the problems they potentially face.

One person asked: Why would anyone want to ransom my computer? He went off on a long discussion that never really answered the question. Instead, he should have asked probing questions of the person who asked it: What information in your computer is valuable? Do you have a list of all the Hackensack Chamber members? If so, is there contact info on that list? And does it have any other information that someone could use to find detailed data with additional searching and cross-referencing? The attendee would have learned more from those questions — and thinking about her responses — than the answer she got.

There might not be any need to put ransomware software on a computer if it was possible to copy the entire list and leave no trace of the intrusion behind. The data itself is valuable when correlated with other information. Now, if you were the bad actor, you could find some of the larger companies on the list, see if they bank at some of the Chamber’s member banks, and pretend that you’re an employee of one company and send an email like this:

BEC Example

This type of email is called BEC (business email compromise) and is extremely common. Sure, says Joe, and takes a copy of the invoice attached to Taylor’s email, contacts the appropriate individual, and sends the money. It takes training (or perhaps a keen eye) to realize the attachment is a fake invoice, this is a fake email account, and a fake Taylor. Usually there is no recourse to get the funds back.

That’s because it is relatively simple to spoof (pretend) the email address so it appears as if it is legitimately from within a company. Social engineering skills make it easy to convince one person in an organization to go out of their way to help out a co-worker or boss. However, it is only with proper training about the likelihood of this scam that bad actors can be shut down with a quick delete of the fake email.

What about the question one participant asked: What should I do if I see a ransom notice on my computer? The answer they received was not altogether too helpful: Call the police.

My response is: Call your IT support company and find out exactly what to do (at the very least disconnect the computer from the internet). The police department should not be your “go to” strategy when it comes to ransomware attacks. Yes, you’ll need to contact them eventually to file an insurance claim — if that is even possible under the circumstances — but it isn’t the first thing you should do. But what if you don’t have an IT support company? The presenter should have shared the web address or the name of an organization that has a list of steps for small business owners and their staff to take.

It doesn’t take much to cover the three or four critical aspects of cybersecurity for small business owners. It would be best to understand your audience, tailor your presentation by asking about their concerns, and then provide relatable and understandable answers. That approach doesn’t take a lot of effort, but it does give attendees much more information.

Thanks, and safe computing!

All Scams. All the Time.

by Leave a Comment

In this particular “scammers” edition of Sun Spots, I will share a few recent emails from clients asking about the validity of the contents. I also want to direct your attention to a feature-length article from Wired magazine’s March 2022 issue that contains a third-party discussion of what happens when someone is an unwitting victim of a phone call.

One client forwarded me an email about urgent warning about his Norton anti-virus license.

He uses AOL, which doesn’t let you see “behind” the email address unless you explicitly look for it; fortunately, Outlook does. But this is such a piss poor example of fraud it isn’t even funny.

The email return address is justforconsumers.com, which doesn’t resemble Norton at all! The links in the email route to http://aoolldearbox.bond, which is not a secure website. Worse yet, if you click any link, you are re-directed to a website hosted by aquaticbees.com (definitely not Norton). That page has a warning about an increase in “Malware and Viruses.” Click on any of the links on that page, and I’m certain your computer would be flooded by tons of the stuff they “warn” you about.

And, of course, he has SentinelOne with his SPF+ subscription, not Norton!

This email is fraudulent; it should be marked as “spam” and then deleted.

Another client returned from a recent vacation to find an email with the subject, “Your order has been confirmed.”

Attached was a PDF file that resembled an Amazon invoice indicating that a payment of $769.99 had been received for a “SAMSUNG 55-Inch Class QLED 4K UHD Dual LED Smart TV with Alexa built-in.”

It also included the following information:

If you want to cancel or modify this purchase and want to claim your money back. Please call us Immediately to our Billing Department : +1- 877-542-2099

Let’s forget, for a moment, the atrocious grammar and punctuation. Let’s ignore the email address that isn’t from Amazon.com. This email and invoice features one of the more insidious scamming aspects. It requires you to call them to ask for assistance. The moment you do that, you are an active (unwitting) participant, and — if you are not careful — will be providing con artists and thieves with your personal information. I cannot stress how important it is to DELETE garbage like this immediately!

This leads me to the Wired article: They Were ‘Calling to Help.’ Then They Stole Thousands. Take the time to read this, and if you have any questions afterward, please let me know.

Thanks, and safe computing!

Stop Phishing Attacks from Giving You Agita

by Leave a Comment

If you look at the number of security alerts sent to my Inbox, cybercrime seems to always be on the rise. I certainly know it is here to stay, and near the top of the list of malicious activities are phishing scams. Most believe that only dumb people fall victim to these types of attacks. That is not true. Anyone can fall victim to a phishing scam, making it more critical than ever for me to protect you.

According to the Federal Bureau of Investigation’s (FBI) 2020 Internet Crime Report, phishing was among the top three cybercrimes reported in 2020. Phishing incidents more than doubled between 2019 and 2020. More frightening than that is 90% of incidents that end with a data breach started with a phishing attempt. That FBI report shows US businesses lost more than $1.8 billion last year because of business email compromise (BEC) or spear phishing.

Email is one of the primary vectors by which cyber criminals distribute ransomware. And they often depend on phishing and social engineering to infiltrate an unsuspecting company. Traditional anti-virus software products cannot protect you from these cyber-attacks. Too often, small business owners fail to properly secure their environments because they don’t know any better or because they don’t want to spend money on something they can’t “see.”

One way to mitigate this problem is to increase security awareness. Simply training staff to be alert to what constitutes phishing emails can reduce a business’ chances of having a cybersecurity incident by up to 70%.

Let me give you a theoretical example. Assume there is a dental practice with 15 employees. How many dental practices are willing to pay every three months to certify every employee on security awareness training (which they view as “don’t click on links”)? In real life, the most common response I hear is, “Ah, it’s a pain. I don’t want to do it. No one’s going to come after us. We’re a dental practice.” Well, again, that is not true.

The bad guys know the dental practice is the one that’s probably going to react if threatened, so they’ll ransom them for $10,000 or $20,000. And what makes it hard for someone like me to get that message through to this dentist? I mean, they are probably a wonderful dentist. They’re great at fixing teeth. But they’re like, “Why would these Russians, or these North Koreans, or these people in Silicon Valley who are bad – why would they want to get me?”

The reality is the bad actors are brilliant and relentless. They know if they ransom, or if they attack, a dentist in Fort Lee, New Jersey, for $10,000 or $20,000, no one – other than the local police – is going to investigate. So now, small businesses are being targeted at a much faster rate than large companies. If the bad guys try to ransom ExxonMobil, Walmart, or some other large company, the FBI and Homeland Security will get called in. And they have serious capabilities, and they’re going to get the bad guys. But there are not enough resources to protect small companies down the road who get hit. What I am finding is more small business owners are starting to say, “Oh, maybe I should listen to my IT guy because they’re on to something.” And that thinking helps safeguard their business.

Small business owners must be cautious because cybercriminals constantly adapt their techniques to find a way in. It is an unfortunate way of life in 2022, but maintaining a heightened level of security awareness while reading each email is a requirement of using email to communicate with staff and clients. There is no escaping the threats, so you must remain vigilant and stay alert. Security awareness training can go a long way to ensure your safety.

Thanks, and safe computing!

What You Should Know About Crypto Miners

by Leave a Comment

Let’s start with some basic facts. A crypto miner is a malicious software that uses the resources of your computer to generate cryptocurrency for someone other than yourself. It is, at its most basic level, theft of services.

In 2018, crypto jacking (the practice of using browser-based programs to mine cryptocurrency without your knowledge or consent) and crypto mining (malware that usurps your computer’s CPU to mine cryptocurrency) grew to be major threats. The only way you’d know something was amiss was when you realized your internet browsing was very slow and, after a while, your computer stopped working until you restarted it. After a few days, the malware would cause you to “lather, rinse, repeat.” The biggest player in this arena was Coinhive.

Why did Coinhive target browsers? Because it was relatively easy to slip in as an add-on since the code appeared to be innocuous. It was, until you restarted your browser. At that point, the program would run any time your browser was open, using up electricity and processing power to generate minuscule amounts of the cryptocurrency called Monero.

In February 2019, Coinhive publicly announced it was ceasing operations the following month. The service stated that it wasn’t “economically viable anymore” and that the “crash” (of Bitcoin) had severely adversely affected the business. That pretty much sent a death knell to browser-based crypto coin mining.

So why am I bringing this up at the start of 2022? I recently read two articles and learned that crypto mining is alive and well. And it is not being used solely by cybercriminals. Nope, no, siree. Given the pandemic, it seems marketing types have prevailed at Norton, the eponymous Security 360 product maker. A new feature is the inclusion of crypto mining. Avast, a European maker of security software, has announced it is doing the same.

Apparently we live in an upside-down world when security companies allow their crypto miners but claim they can keep out everyone else’s crypto miners. But what does this mean? Well, for one, you have to opt-in to use this feature; Norton doesn’t install it indiscriminately. Also, your computer has to meet some stringent hardware requirements before you’d even see the option. The critical condition is that your computer has an advanced video card (where the computing will take place) so that you can mine Ethereum.

And then comes the kicker: Norton is going to take a good percentage of the money generated. They get 85% while you get 15%. And if you want to obtain your portion — having donated your computing resources — you are faced with additional fees (one a transaction fee and the other a processing fee to cash it in), which reduce your overall take. But suppose that’s not enough to dissuade you. In that case, this money is considered extra income by the Internal Revenue Service, so you will be responsible for including it on your annual tax return.

But the biggest question (and complaint) from security-conscious netizens is: Why would any security company think of doing this? The answer is simple: They want more money from consumers than they get from the annual subscription to their products. Consumers have learned that when subscribing to Norton 360 for the first year, they get a terrific discount. Norton sets the subscription to auto-renew and keeps your credit card on file. Savvy users realize they can turn off the auto-renewal and remove the saved credit card. The day after the current subscription expires, they can purchase a new discounted subscription with a different email address (e.g., larry2022@gmail.com for the current year because it was larry2021@gmail.com for last year’s subscription). It seems Norton is simply fighting back in a very unusual manner.

Do I think this is a good idea? Absolutely not! Is it well-intentioned? Undeniably no. Should all consumers be extremely wary about this? Resoundingly yes! Are you (my clients) affected by this? Not at all, because your computer is running SentinelOne Vigilance, part of your SPF+ or SHADE subscription. But if you know of someone who thinks Norton has a terrific security product, I would urge you to let them know that’s not necessarily the case.

Thanks, and safe computing!