Tuesday, February 27, 2018



50% of SMBs have been breached over the past 12 months and, on average, companies have spent $879,582.”

• How many full-time employees are at your business?

• Are your employees, including executives, trained on cyber security?

• How many remote users do you have and what are the security measures in place for them?

• What specific security measures are in place before employees can access your IT infrastructure?

• What pieces of technology or what services do most of the heavy lifting for your company when it comes to security?

> Who manages that? Why?

• What types of threats is your network currently facing?

• When was the last time you were audited?

> What was the result of your last audit (if applicable)?

• When was the last time you completed a security assessment?

• Do you have an incident response plan?

> If yes: Tell me how you created that to be specific to your end users, your industry, and your customers. If no: Why not?

• Do you have any specific concerns, such as changing IT security and compliance regulations? If so, which ones?

• What regulatory requirements or compliance standards is your organization subject to?
> Does your network meet those standards, if not, tell me more about where it is lacking?

• Have you experienced any public or known business challenges, such as a data security breach or major outage?

• Do you have a disaster recovery (DR) or business continuity (BC) strategy in place?

• What is the state of your company’s current cybersecurity strategy and plan?

• What is the process for selecting the security solution or tool to address your cybersecurity challenges?

• With data breaches consistently on the rise, do you feel comfortable that any confidential data that resides on your infrastructure is completely secure?

• What should I know about your company’s environment when it comes to security that we have not already discussed?


Wednesday, January 24, 2018


Speaking at the IBM Security Summit in New York City last year, IBM's chairman, CEO and President Ginni Rometty said, “We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”

According to Gartner, worldwide, organizations spent $81.6 Billion in 2016 on information security, an increase of 7.9 percent from 2015
Worldwide spending on cybersecurity is predicted to top $1 trillion for the five-year period from 2017 to 2021, - Cybersecurity Market Report, Cybersecurity Ventures.
“Nearly three in five Californians were victims of a data breach in 2015 alone.” - California Data Breach Report 2012-2015
“30% of phishing emails are opened. And about 12% of targets go on to click the link or attachment.” – 2016 Data Breach Investigations Report from Verizon
“80% of analyzed breaches had a financial motive.” 2016 Data Breach Investigations Report from Verizon

Friday, December 1, 2017

Verizon will launch 5G home internet access in 2018

Unfortunately, only in a few areas

FROM: www.endgadget.com

"Verizon's 5G wireless will soon become a practical reality... if not quite the way you might expect. Big Red has announced that it's launching residential 5G broadband (that is, fixed-in-place wireless) in three to five markets starting in the second half of 2018. Most details aren't nailed down at this point, but the rollout will begin in Sacramento, California.

It's no shock as to why Verizon is showing its cards so early. The carrier is in fierce competition with fellow incumbent AT&T, which has also been trialing 5G and hopes to deploy it nationwide by the end of 2018. Verizon wants you to know it's keeping pace and will have a real, publicly available 5G service ready to go within a matter of months.

No, this isn't the cellphone access you might be looking for, it's still an important milestone. It's not just that 5G is extremely fast, promising hundreds of megabits per second -- it's that its latency is low enough to improve very time-sensitive tasks like action gaming and multi-user VR. How well it works in real-world commercial service is yet to be determined, but home 5G may be the first fixed wireless that's about as responsive as a good landline connection."

Tuesday, October 31, 2017


Alert: New Ransomware "Bad Rabbit"


Good morning,

The U.S government has issued a warning about a new ransomware attack which is spreading through Europe and into other countries around the world.

The new cyber-attack known as 'Bad Rabbit' is believed to disguise itself as a Windows Flash update in order to convince innocent people (like you) to download the virus.

Once installed it quickly hijacks your computer encrypting your personal files and data demanding a ransom payment to decrypt.

Monday, October 23, 2017

On Premise Vs Cloud-Based Voice

The definition and difference:

A premises-based PBX solution (also known as an IP PBX) is
dependent on a voice server kept on-site in the
equipment/server closet. Physical phones are located
throughout the office. Calls can route through a traditional
phone company as well as over the internet using SIP trunking.
Hosted PBX is a cloud voice solution where the provider
manages/maintains the voice server in a cloud data center.
The only equipment in the office are physical phones. Calls
route over the internet using SIP trunking.

On-Premise PBX
• Cost – higher upfront costs and set-up fee. Above certain
threshold it might be cheaper to own equipment than pay a
monthly fee, but servicing and maintenance can get expensive.
When using only basic call features with >25 phones per
store, total cost of ownership is less over 5-year period

• Scalability – purchase phones to expand (in addition to any
licensing required). PBX needs to be able to accommodate
growth and possibility of complexity with added features
• Failover – if issue with PBX in store, calling is affected and
potentially down until PBX can be repaired via service

• Features – find Me / Follow Me feature requires adding a
mobility server to each PBX – can become expensive
• Presence, tablet/mobile apps for wireless calling can be
added– usually works together with Find Me / Follow Me for
seamless use across devices

• Maintenance – managed services contract (with phone
vendor) required for software patching and maintenance to
ensure security and uptime.

• Changes to system settings require PBX in store to be
adjusted on-site by phone vendor or internal IT team

• Can leverage traditional phone company service (PRI) for
inbound/outbound calling, or SIP trunks over the internet
> PRI is not affected by quality or busyness of internet

• Handsets do not contain a lot of features/functionality –
providers push users to use the desktop application.

Hosted PBX
• Cost – usually low upfront costs, monthly fee per user.
Typically low total cost of ownership as hosted provider
takes care of server configuration, maintenance and
software patching.

• Scalability – purchased or leased IP phones added to
service plan, picking and canceling numbers and moving
phone system is easy and quick.

• Failover – calls can be rerouted to cell phones if issue with
SIP trunk quality, power at store or catastrophic event.
Safeguards at off-site facility includes back up power
sources, geographic redundancy of data centers,
active-active failover of servers, etc.

• Features – can integrate into CRM for advanced customer

• Can integrate contact center-life features for advanced call
routing or call analytics for advanced reporting.

• Dedicated internet bandwidth required to maintain high call
quality of SIP trunks.

• Tablet/mobile app allows users to make/receive phone calls
from app over wifi/cellular connections.

• Presence allows users to see who is available and on the
phone within store.

• Find Me / Follow Me feature included – will ring desk
phone, tablet, cell phone all at once or in order.

• Maintenance – no managed services contract required –
provider performs software patching, maintenance, upgrades
of PBX in the cloud.

• Changes to system settings performed through online portal
for remote management.

• Handsets do not contain a lot of features/functionality –
providers push users to use desktop/mobile app

Saturday, July 29, 2017

Web Security Action Plan for Artists and Activists Under Siege (part 1)

By: Candace Williams Head of Community Operations by day. Poet by night (and subway ride). Forever @TeacherC.

It’s imperative that folks under siege (POC, LGBTQ+, Indigenous folks, immigrants, Muslims, folks with disabilities, etc), especially artists and activists, take steps to protect their data and privacy online.

These are just suggestions This list is not exhaustive or the only way to secure your data.
Web security is like a tree. A young tree can be snapped by a fist. As trees grow layers and roots, they require knowledge, equipment, and energy to cut down. I’m trying to help you add layers of security to your daily routines. I don’t like the words “secure” or “safe” because nothing fits into those categories. The only thing we can do is become safer and more secure. Each bullet point is a layer, a step another person or agency has to take, to access and trade your information. I’ve tried to choose the layers that have the highest return on your investment in time and money. Think about your situation and resources and create your own action plan.

Identifying assumptions that underlie this article:
  • Taking a small, first step lowers your mental barriers.
  • Changing workflows is hard and takes practice. Go at your own pace and be easy on yourself.
  • COINTELPRO (and similar programs) didn’t just “happen”. It’s been happening and will ramp up.
  • Government and non-governmental bodies already have you on their radar: They know you disagree with some element of the status quo and that you’re a person under siege (black, POC, Muslim, queer, a person with physical or intellectual disabilities, a recent immigrant, indigenous, etc).
  • Many of your private communications are sitting on the email accounts and devices of your friends and family.
  • Surveillance capitalism is dangerous. We don’t know the implications of how tech companies extract value from their customers’ data. Most people don’t understand what corporations like Facebook and Google know about them, how the data is used/bought/traded/aggregated/sold/deployed, and if corporations have already handed over information to government groups. 
  • Lack of transparency + colonialism/capitalism + technological supremacy = STRANGER DANGER.
  • Withdraw $10–$40 of cash from your bank.
  • Buy a Starbucks gift card with the cash.
  • Use the gift card to purchase 1 month to 1 year of VPN access on https://www.privateinternetaccess.com (or a comparable service of your choosing. Ask around or read online reviews. Make sure the service doesn’t keep logs of your activity). Keep in mind: It’s better to purchase VPN with a credit/debit card than to purchase none at all. Furthermore, this is just a small layer and it’s still possible to figure out which VPN service you’re using.
  • Download and start to use Tor as your primary browser. Be sure to follow the instructions and security warnings here: https://www.torproject.org/download/download-easy.html.en#warning
  • Since it’s impossible to follow all of the warnings and there are limitations to Tor, it’s a good idea to also use a VPN. If you don’t use a VPN, using Tor + Chrome/Firefox with the HTTPS Everywhere extension is a good start.
  • Download Signal on your phone and encourage all folks you communicate with privately to use it as well. Use it instead of iMessage, SMS, WhatsApp, Facebook Message, etc. You can also make calls. The desktop version can be used in lieu of Skype, Slack, etc.
  • Enable 2 Factor Authentication on all email, financial, etc services.
  • Do an info security audit — Begin to brainstorm how you use social media, email, mobile devices, and cloud storage. How do you use these services? Which communications need to be moved to secure channels? Are sensitive documents saved in the cloud? Can you quit Facebook, Twitter, Google, and Amazon altogether?
  • Choose strong and distinct passphrases. The Intercept has a handy guide here: https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
  • @AllBetzAreOff recommends using non-cloud-based password manager to generate and secure your passwords. More info here: https://securityinabox.org/en/guide/keepassx/windows
  • It’s important to turn on software auto-updates so you’re protected from known software vulnerabilities. (Thanks to Dan Sullivan, Ph.D. for this advice! Check out his excellent comment for more information.)
  • Encrypt your mobile devices. iPhones are automatically encrypted but many use access codes that are inadequate. Reset your code to a long, random string of numbers (make sure you write this down while you’re committing it to memory). Android users can enable encryption in the Settings app.
  • Encrypt your computer using BitLocker (Windows) or FileVault (Mac).
  • If you have (or want) a website, database, or app, join an encrypted hosting service like MayFirst.
  • Purchase a physical safe (like the SentrySafe SFW123DSB) for your important documents, hard drives/USB keys, and artwork. You can split this cost with folks who live nearby. If your artwork is larger than a common household safe, and you’re interested in chatting, ping me. We need to brainstorm how to help artists under siege keep their art safe from destruction. Research the safe to make sure electronics won’t oxidize or buy Silica Gel Dehumidifier Desiccant packets/special sleeves.
  • Purchase a hard drive that can store your digital files. Encrypt it. In the future, consider purchasing multiple drives and keeping your most valuable information in multiple places. If you bought a safe, keep your hard drive there. You should also prepare for a time when Internet access or your information stored online is completely unavailable to you.
  • Audit your cloud storage. Where are you files stored? What kind of information is stored? Where’s the most sensitive information?
  • Begin to break your dependence on cloud storage (when possible): iPhoto, Google Photos, Google Drive, DropBox, etc. Structure your filesystems in ways that are easy to navigate without Google’s search capabilities.
  • See if you can minimize your use of Chrome/Firefox/Safari/etc by the end of the month. Dennis Cahillane says:
NOTES:, Using a Firefox add-on you install yourself is not recommended. Recommend downloading the Tor Browser bundle directly from the Tor Project here https://www.torproject.org/download/download Using the Tor Browser bundle is easy for non-technical users, but you will quickly become frustrated by its limitations. When you aren’t using Tor, Also recommend Firefox or Chrome with the following add-ons: HTTPS Everywhere, uBlock Origin.”
  • Download all of your files to your computer + external hard drive. This might take awhile so you can do a batch a day. Start with the most sensitive information. (This is just a start. There are ways to have access to encrypted cloud storage, I think folks can consider this after the New Year after they’ve done the initial transfer and have broken their dependence on easy to use cloud services).
  • If you’d like, choose an activist email provider you’ll use instead of Gmail (or a service like ProtonMail). You’ll also need to loop in your friends and family. Jamie McClelland, Co-Founder of MayFirst/PeopleLink says:
NOTES: “Using Gmail is definitely a bad idea. Under Obama we had a huge
expansion in the federal government spying infrastructure and they
definitely target the big corporate providers — either by compromising
them or simply sending them a subpoena. And now all of that will belong
to Trump.

For email, stick with activist providers. And *everyone* has to do it.
If you are having a group conversation and just one person is on gmail,
then everything goes to gmail.

If everyone is on MF/PL, then it never leaves our servers and it is far
more difficult to intercept. If some people are on Riseup and some are
on MF/PL it’s also good — since MF/PL and Riseup will encrypt messages
between servers.

However… even with all of these protections, I would advise against
relying on email for anything sensitive.

If you haven’t already, I would suggest replacing whatever program you
use to send SMS messages with Signal (https://whispersystems.org/). It’s
on both iPhone and Android. It’s easy to use and it’s very secure.
I would also suggest using Jabber (see the MF/PL page here:

Both signal and jabber work on your phone and provide much better
encryption and privacy than email ever will.

A note about email: Dan Sullivan, Ph.D. left a relevant criticism of activist email accounts in the comments:

Also, infosec is largely a battle of technical skills and resources. Google has more of both than any email or other cloud provider I know of. I use Gmail with two factor authentication and will stick with it. Sure, an agency may get a warrant for emails at Google but there is less chance of successfully hacking the Google infrastructure to get those emails than hacking another provider with fewer resources.

Email seems impossible to secure. I’m already starting to drift away from email as my primary means of communication. Although I might use an end-to-end encrypted service, PGP, etc. 95% of my contacts do not have access to this technology. So the question is: where do I want my unencrypted emails and metadata to sit? Who do I trust more — Google or activist groups? Although activist groups draw attention to themselves, I trust Riseup and MayFirst’s track record of resisting subpoenas from US grand juries, US agencies, and many other governments/legal systems around the world. Because of the identity and ideologies of dissident artists, the government already knows we’re activists. I’d rather collaborate with groups that have been working on this issue for quite some time. I’m also leery of surveillance capitalism because it goes hand in hand with the surveillance state. COINTELPRO and other surveillance projects that impacted POC-led movements is in the back of my mind as I make these decisions. Google has the money and the know-how but they don’t give a shit about me or my struggle. They aren’t going to go to the mattresses for me. I don’t like the demographic and psychometric data providers like Google and Facebook gather (and the lack of transparency for how that information is used). I’m a dissident artist who is willing to spend the effort to divest as much as I can and become a contributing member in political tech groups.
Here’s a short clip of a training given at at Eyebeam about email encryption.
There are a countless number of situations where Tails could be an invaluable tool for your privacy. Activists looking to organize in spite of government surveillance can use Tails to effectively communicate. People being tracked by predatory abusers can use Tails to access the internet without risking their physical location or data. Someone that wants to utilize public computers or internet networks can do so while still having their privacy protected. Any time you want to be maximally private in your activity and your data, Tails is an incredible tool to have at your disposal!