By: DAVID PIERCE for Wired
My Google Assistant is many things, but it’s mostly a meteorologist. I work 40 miles from my apartment, and the Bay Area’s many microclimates mean I’ll experience several weathers between my door and my desk. The questions come in the same order every morning: Hey Google, what’s the weather in San Jose? Hey Google, what about in San Francisco? Hey Google, what about tonight?
The new Google Home Mini suits this use perfectly. Google’s latest smart speaker emphasizes smart over speaker: it’s a small pebble of a thing, about the size of a crosswise slice of a softball. Unlike, say, the Home Max, which Google built to sound great, the Mini’s just supposed to be so small, so cheap, and so simply designed that you’ll put it somewhere and never notice it again. Google imagines you’ll maybe place one in every home, ensuring there’s always a mic close by to hear you ask for the weather, set timers, or control your smart home. Sure, it plays music, but you won’t like how it sounds. In short, this is a Google-made replica of Amazon’s Echo Dot.
After using the Home Mini for a few days, I think I get the use case. This is a complementary device: to a good speaker, so you can control Spotify with your voice; to a Chromecast, so you can demand the internet find you something good to watch; to a Home Max or even regular Home, so you can extend the range of your Google Assistant. Alone, it’s adorable and compromised. As a $50 add-on, like a repeater for your router or a universal remote for your TV, it’s excellent.
Can’t beat the price: at $49, the Home Mini becomes a killer holiday gift for anyone you even kind of like. To my eyes, at least, Google has successfully pulled off exactly the right kind of boring design. (Except for the coral model, which you can’t help but notice.) Sure, it looks like a futuristic metal donut, but you’ll set it up and never notice it again. It’s much more attractive and home-y than the Echo Dot. It only takes about two minutes to get up and running, and setup’s even easier thanks to a recent update to the Google Home app. Like any Home, the Mini does all the Google Assistant things, and does them all just as well as the original Home.
For such a small speaker, it’s pretty loud—you can hear it easily from across the room. You mostly won’t interact with the Mini itself, but its controls are handy. Tap on either side to turn the volume up or down; tap quickly in the middle to pause or play, or press and hold to get Assistant.
Most of what’s great about the Mini holds for all Google Home devices: the Assistant is impressively helpful, and getting better all the time. Using the Mini as a speakerphone works really well, and it’s a pretty handy remote control for my Chromecast-enabled TV watching. Voice Match works well (if not perfectly), and as far as I’m concerned multi-user support should be smart speaker table stakes. It does smart-home controls well, and the upcoming Routines feature—which lets you do a bunch of things with a single command—should make them even better. Even the new app makes finding stuff to do or watch better.
It may be loud, but the Home Mini sounds like crap. Absolutely no bass, clipped highs, just crummy sound quality all around. That doesn’t matter when it’s just the Assistant telling you traffic conditions, but listening to music on the Home Mini is barely better than listening through your phone’s speakers. Since there’s no AUX port, the only way to connect the Mini to a better speaker is through Chromecast, which certainly doesn’t work as well as a 3.5mm cable. You can’t even Bluetooth out to another speaker, which is odd given you can use the Home Mini as a Bluetooth speaker for your phone or laptop. Which, don’t.
You can’t really see the four LEDs on top of the Mini, so it’s hard to know whether the speaker heard you say “Hey Google.” I wound up turning on the audio alerts, which you can find in the accessibility section but should probably be on by default for the Mini. Also, Google needs to figure out how to better arbitrate devices, so I don’t get so many phones and speakers responding every time I ask a question.
The big debate is between the Echo Dot and the Home Mini. There’s not a clear winner. The Home Mini’s better-looking, but the Dot has a line-out jack. Google Assistant’s better at answering questions and making phone calls, but Alexa’s better for smart-home and music stuff. It’s an ecosystem question, really: If you already have a Pixel and drive with Android Auto, go with the Home Mini, and maybe buy a Max or Home as well. If you’re looking for killer music, buy a Dot, plug it into a real speaker, and enjoy. Neither’s perfect, but both are worth the $50.
7/10: A solid accessory, but not the centerpiece of your smarter home.
BY TODD CORILLO, WTKR, Norfolk, Virginia
October is National Cyber Security Awareness Month and it comes at a time when many major cyber breaches have folks worried.
Earlier this month it was revealed that a breach of Yahoo accounts in August 2013 affected every single customer account, more than three times the amount Yahoo originally reported.
“Major data breaches—which, like the Yahoo event, can affect billions of people—remind us that we must be vigilant in protecting our personal online information,” said Michael Kaiser, executive director of the National Cyber Security Alliance. “An easy first step for everyone to better secure all email, social media and financial accounts, is to ‘lock down your login’ with security tools such as multi-factor and strong authentication, which provide an additional layer of protection. Most email, major financial and social media companies now provide stronger authentication that can be easily implemented on their websites. Email accounts in particular are extremely important to protect as once breached, hackers can use them to reset passwords and break into other accounts, steal identities, target contacts and put an individual’s data and reputation at risk.”
The National Cyber Security Alliance has these tips to stay safer and more secure online:
- Lock Down Your Login. Use strong authentication—more than a username and password to access accounts—to protect your most valuable accounts including email, social media and financial.
- Make better passwords. If passwords are the only option, change and make them better. Length and ability to remember passwords are the two most important factors. A phrase of multiple words you can remember makes a good password. Important accounts should have unique passwords not used to access any other accounts.
- Clean and keep all machines clean. Immediately update all software on every internet-connected device. All critical software—including PCs and mobile operating systems, security software and other frequently used software and apps—should be running the most current versions. Delete all unused apps.
- Monitor activity on your financial and credit card accounts. If appropriate, implement a fraud alert or credit freeze with one of the three credit bureaus (this is free and may be included if credit monitoring is provided post breach). For more information, visit the Federal Trade Commission website: http://www.identitytheft.gov.
- When in doubt, throw it out. Scammers and others have been known to use data breaches and other incidents to send out emails and posts related to the incident to lure people into providing their information. Delete any suspicious emails or posts and get information only from legitimate sources.
Content courtesy: Vangie Beal, Managing Editor of Webopedia.com.
Enterprise resource planning (ERP) is business process management software that allows an organization to use a system of integrated applications to manage the business and automate many back office functions. ERP software typically integrates all facets of an operation—including product planning, development, manufacturing, sales and marketing—in a single database, application and user interface to improve the flow of data across the organization.
ERP can be customized across varying business sizes
ERP software can be designed for larger businesses which would require a dedicated team to customize and analyze data and handle upgrades and deployment, or for small business—solutions often customized for a specific business industry or vertical.
Is your organization ready to implement an ERP system?
When your organization grows, so do your IT assets, expanding beyond a couple of servers, workstations and network devices; you and your employees want real-time access to information, regardless of where you are, in order to maximize productivity and customer service; and, you are embracing mobile applications for reports, dashboards, and to conduct key business processes that empower employees with accurate information at the moment it is most needed. What once only required simple IT management—putting PC names, printers, network subnets, antivirus definition dates, and installed applications into a few spreadsheets—has become overwhelming. If this sounds familiar, your organization needs a solution.
Statistics indicate your company isn’t alone: a 2016 study by Panorama Consulting Solutions, LLC, indicates that organizations implement ERP for the following reasons:
- To replace out-of-date software (49%)
- To replace homegrown systems (16%)
- To replace accounting software (15%)
- To replace other non-ERP systems / had no system (20%)
ITG has the software applications and solutions to help you implement this methodology into your business activities: define business-specific server requirements, meet security compliance regulations and manage mobile devices. Our application was built from the ground up as a true, multitenant software-as-a-service (SaaS) platform. Our solution is continuously monitored and maintained, and is designed with redundancy in every sub system. Let us help you leverage all that ERP can provide in analyzing data to move your company soundly forward.
Call us today at 518-479-3881 or email firstname.lastname@example.org to get started.
Courtesy of WhatIs.com
A dark post is an inexpensive sponsored message on a social media website that is not published to the sponsor page timeline and will not display in follower feeds organically. Although dark posts are clearly labeled sponsored, they often appear in contextual formats that make them blend in with organic posts.
The process of buying and placing sponsored messages on social media websites is keyword-driven and relatively inexpensive when compared to other advertising channels. Dark posts, also known as unpublished posts, allow marketers to programmatically target specific demographics and conduct A/B tests without cluttering up their own brand’s newsfeed. Platforms that support unpublished posts include Facebook, LinkedIn, Twitter and Pinterest.
Dark posts have become controversial for a number of reasons, including the form’s inherent lack of transparency and their alleged use in the distribution of fake news. To combat the abuse of dark posts, Facebook is changing its policy to make it possible for anyone to see which page is paying for a particular ad and what other ads the advertiser is currently running on Facebook. Twitter has announced it is not changing policy, but emphasizes that all sponsored Tweets will continue to be clearly identified as such.
Effective incident response policies must be detailed, comprehensive and regularly updated — and then ‘embedded in the hearts and minds’ of infosec team members.
Your organization needs an incident response policy (IRP). You may have one, you may not, and either way it is a good time to review what should be covered by your IRP, because having a bad policy can be worse than having none at all.
Many common cybersecurity frameworks and regulations—including the National Institute of Standards and Technology’s Special Publication 800-61 Revision 2, the New York State Department of Financial Services Section 500 and the International Organization for Standardization cybersecurity framework—specifically require organizations to have a documented incident response policy. Determining what goes into such a policy can be difficult, though. It’s almost impossible to create a detailed, specific policy for coping with what is effectively unknown. Cybersecurity attacks, in a very real sense, represent Donald Rumsfeld’s famous “unknown unknowns.” We can’t predict what the hackers will come up with next. If we could, ensuring cybersecurity would not be such a challenge.
There are some clear steps an organization can take to ensure that when—not if—it experiences a security incident, the team is ready to respond as effectively as possible. These steps include the following:
- Defining incident. An organization’s incident response policy needs to include a precise definition of a security incident. For example, “an event or anomaly that has been determined with high probability to indicate a breach.”
- Defining risk-based prioritizations of incidents. Responders need to classify incidents based on severity. Classification should be simple (high, medium and low) and based on the scale and scope of the attack as well as the impact on confidentiality, integrity and availability of information and operations in the context of enterprise risk.
- Describing the security response organization. The description should do the following:
  - include staff roles, responsibilities and levels of authority;
  - address compliance and regulatory requirements;
  - include overarching guidelines for external communications; and
  - describe handoff and escalation points in the incident management process.
- Determining plans and procedures of the policy. These cover the specific nuts and bolts of response, including metrics for measuring the incident response capability and its effectiveness, checklists, detailed processes and forms the incident response team uses.
- Having a battle-tested approach to internal and external communications. Incident response policies should include plans and timeframes for communicating proactively with both internal stakeholders—including legal, human resources and client services—and external ones, such as customers, the press and law enforcement. Where possible, the plan should include scripts the team can build on when issuing statements and updates.
- Having a templated approach for incident detection, analysis, containment and remediation. The more cookie-cutter the response, the faster and more effective it is. The incident response policy should quickly classify incidents into categories—denial of service, data exfiltration and so on—and prescribe broad-based approaches to responding to each category.
- Generating an auditable log that can serve as proof of chain of evidence. A security breach is a disaster, but it is also very likely a crime. That means that data is evidence—and the best way to protect that evidence is to have in place automated logging systems that track and document how evidence has been captured and preserved. Logs can serve as technical documentation for post-mortems and should include a variety of information:
  - identifying information—e.g., the location, serial number, model number, hostname and message authentication code and IP addresses of a computer;
  - name, title and contact information for each individual who collected or handled the evidence during the investigation;
  - time and date—including time zone—of each occurrence of evidence handling; and
  - locations where evidence was stored.
- Conducting effective post-mortems. The incident response policy should call for holding a “lessons learned” meeting with all involved parties after a major incident. This is critical when it comes to improving security measures and the incident response process. The National Transportation Safety Board (NTSB) provides a good model that focuses on fact-finding rather than fault-finding. Senior management should consciously create an NTSB-like culture, even going so far as to name its team the Information Safety Board. The post-mortem should generate two things: an incident report, which serves as institutional knowledge for future reference, and a list of any changes needed in the policy and the security infrastructure. These two documents ensure that future responses are faster and more effective.
Once an incident response policy is in place, the organization should engage in regular reviews—even if there have not been actual incidents to respond to—and should conduct war games. War games are creative exercises in which the incident response team reacts to a set of hypothetical scenarios. The military has long conducted war games because they work. The trick in conducting effective war games is to develop scenarios that incorporate multiple unplanned events to generate “perfect storm” scenarios. For instance: What if the attack vector is some internet of things device, and a lateral attack on the heating, ventilating and air conditioning system brought the data center down? Or what if a Session Initiation Protocol man-in-the-middle attack compromised sensitive voice calls at the same time that a distributed denial-of-service attack took down the email server? Or even: What if a key person is out with the flu?
An effective policy should cover not just the broad-stroke, big-picture outlines of how the team should respond to an issue, but should also include detailed checklists and procedures that make the response as swift and automatic as possible. It should also be a living document, updated through regular reviews and post-mortem “close the loop” revisions. Most importantly, the incident response policy should be embedded in the hearts and minds of the response team via regular drills, practice and repetition—particularly including creative war-gaming exercises.
ITG’s business continuity solution provides comprehensive and affordable business continuity and disaster recovery. Contact us at email@example.com or call 518.479.3881 to learn how your business can survive an environmental disaster or cyber attack.
Apple claims iPhone Face ID has better security than Touch ID
Apple announced the new iPhone Face ID system, which replaces Touch ID in favor of facial recognition and may offer 20 times fewer false positives than fingerprint scanning.
With the announcement of the premium Apple iPhone X, the company left behind what it called the “gold standard” of smartphone security in Touch ID to focus on facial recognition with Face ID.
Phil Schiller, senior vice president of worldwide marketing for Apple, said during the iPhone event in Cupertino, Calif., that the iPhone Face ID system was built on a new system called TrueDepth. This system combines a traditional camera, an infrared camera, a depth sensor and a dot projector — which projects 30,000 infrared dots onto the user’s face — to create a “mathematical model of your face.”
This model is then run through the Neural Engine — a part of the new A11 Bionic system-on-a-chip — to compare the new scan against past models. The system will be able to learn over time to adapt as a person’s appearance changes with new hairstyles, facial hair, glasses, etc. All Face ID data will be stored in the Secure Enclave on the user’s device and not transmitted to the cloud.
According to Schiller, the chance of a random person being able to unlock another device with the Touch ID fingerprint scanner was 1 in 50,000, but the iPhone Face ID should have a 1 in 1,000,000 chance of a false positive — a 20 times improvement. Schiller did note this likelihood would be higher if people share DNA, but claimed it should be able to tell the difference between a user and an “evil twin.”
The iPhone Face ID security system was tested against realistic masks designed by Hollywood special effects teams, Schiller said, and was not fooled. And, iPhone Face ID unlock requires the user’s attention and will not work if the user is looking away or has his or her eyes closed. The Face ID security feature will be available exclusively on the iPhone X premium model and not on the forthcoming iPhone 8.
September 8, 2017
By: Emily Sullivan, News Assistant, NPR Business Desk
Even before Hurricane Irma arrived at Florida’s doorstep, scammers geared into action.
A GoFundMe campaign purporting to be from Miami-born singer Jason Derulo set a fundraising goal of $1 million for Irma victims before being shut down by the website. Robocalls set up by scammers are telling people that their insurance premiums are overdue and that they must pay up immediately or else risk losing their coverage.
Amazon suspended 12 third-party vendors for attaching questionable fees to flood essentials. A case of water arrived at a home accompanied with a surprise $100 delivery fee. Florida Attorney General Pam Bondi told the Palm Beach Post that she has been in touch with Amazon, among other firms, about cracking down on abuses.
Such scams are pretty common during times of distress. In fact, less than two weeks after Harvey made landfall in Texas, the Office of the Texas Attorney General received nearly 3,000 complaints of storm-related fraud.
It’s likely that scammers will redirect their targets to Irma relief efforts. As Irma continues to accumulate damage in the Caribbean and is expected to ravage parts of Florida, the generosity of people living elsewhere unaffected is much needed. But it is crucial to exercise caution in donating to relief efforts.
Here are tips from legitimate sources on how to donate safely to Irma relief, and how to report instances of price gouging and fraud.
Know where your money is going
The Center for Internet Security reported that over 500 domain names associated with Harvey were registered as the storm approached Texas, noting that “the majority of these new domains include a combination of the words ‘help,’ ‘relief,’ ‘victims,’ ‘recover,’ ‘claims,’ ‘donate,’ or ‘lawsuits.’”
It’s crucial to exercise caution with dubious Irma websites and dubious crowdfunding accounts. See a crowdfunding page that looks suspicious with a faceless organizer—or purported to be run by a celebrity who has not endorsed the page? Report it. GoFundMe has a policy of returning donors’ money if fundraising pages are shown to be fake.
Contribute to organizations that have experience assisting in disaster relief, and be skeptical of charities that pop up solely in response to Irma. You can check out charities with the Better Business Bureau’s (BBB) Wise Giving Alliance, Charity Navigator, Charity Watch, or GuideStar.
Think twice about texting a donation
Confirm that the charity has authorized donations via text message — and keep in mind that your contribution may not reach the charity until after your phone bill is paid. It may be faster to donate directly to the charity.
Be wary of clicking on links or opening attachments in e-mails
Don’t assume that emails you get — or social media messages you see — have really been posted by the legitimate source. The Center for Internet Security recommends that people exercise extreme caution when responding to individual pleas for financial assistance such as those posted on social media, crowd funding websites, or in an email, even if it appears to originate from a trusted source.
Report suspicious organizations
Find out if a charity or fundraiser is registered in your state by contacting the National Association of State Charity Officials. If the organization is not registered, consider donating to one that is.
Be skeptical if an organization will not send you information about their programs and finances: any legitimate organization will be glad to provide you with this information. The Better Business Bureau Wise Giving Alliance has charity reports on thousands of U.S. charities. If you believe a scam may be taking place, you can contact the BBB to report what you know.
Report instances of price gouging
Florida governor Rick Scott declared a state of emergency last Monday, meaning businesses were subject to fines of up to $25,000 for price gouging on items like food, ice, gas and lumber.
“You’ve got vendors trying to trick people,” said Bondi. “It’s sickening and disgusting and we’re not going to have it.”
[Residents were instructed that if they] suspected price gouging, [they were to] obtain as much information as possible in the form of estimates, invoices, receipts or bills. When comparing products, note as much information as possible, including the product name, size or quantity, manufacturer, item number and unit price. [They were to] report this information to Bondi’s office through the Florida Attorney General’s Price Gouging Hotline at 1.866.966.7226.
When your anti-virus software poses a security risk, it can be a devastating blow to your organization. At Integrated Technology Group, we provide network security software designed to safeguard your data, and make sure that you and your staff are able to enjoy the breathtaking opportunities that technology offers.
We will help build a more secure digital world for your company by providing a comprehensive network security audit able to define potential vulnerabilities and performance limitations. We will explain any found security threats and offer necessary remediation suggestions. Contact us today for more information on our internal and external scans and our new Perimeter Scan. firstname.lastname@example.org or 518.479.3881.
September 13, 2017
Heard on NPR’s All Things Considered – Transcript follows
David Welna, National Security Correspondent, Washington Desk, NPR on Twitter
The acting secretary of homeland security has banned the U.S. government from using Kaspersky software. The Russian company’s software — widely used throughout the world — has been deemed an unacceptable security risk.
ARI SHAPIRO, HOST: Kaspersky Labs is a big Moscow-based company that makes antivirus software. It’s used worldwide, even by some American government agencies. Now that may be over, at least for the U.S. government. The Department of Homeland Security issued a directive today that effectively bans all federal entities from using Kaspersky software or even having any products tied to it. NPR’s David Welna reports.
DAVID WELNA: The directive banning Kaspersky products was issued by acting Homeland Security Secretary Elaine Duke just hours after the U.S. Senate began debating a defense bill with a similar ban that applies only to the Pentagon. New Hampshire Democratic Senator Jeanne Shaheen has led the effort in Congress to forbid federal agencies from using Kaspersky products, and she says she’s pleased the Trump administration is also taking action.
JEANNE SHAHEEN: I applaud the department and acting Secretary Duke for issuing this directive that calls on all departments and agencies to identify any use or presence of Kaspersky products on their systems and to develop plans to get rid of them.
WELNA: The DHS gives agencies up to 90 days to start implementing its plan to discontinue use of Kaspersky products, then remove them from all federal government information systems. Senator Shaheen says there are ample grounds to impose such a ban.
SHAHEEN: Certainly there have been concerns raised publicly. There are concerns on record and some that suggest there has been direct collaboration with certain officials from Kaspersky and from the FSB, which is of course the successor to the KGB. There is also classified information that raises concerns.
WELNA: Those concerns about Kaspersky went public in May when Florida Republican Senator Marco Rubio posed this question to the chiefs of six U.S. spy agencies.
MARCO RUBIO: Would any of you be comfortable with Kaspersky Lab software on your computers?
WELNA: All six answered no. Shaheen says that for her, it was a key moment.
SHAHEEN: They were not comfortable with Kaspersky software on their computers. And if they’re not comfortable, then I don’t think the rest of the federal government should be comfortable.
WELNA: In an emailed statement, Kaspersky Labs said it was disappointed by the decision to ban its products. It said the company has never helped any government anywhere with cyber-espionage and added that it’s, quote, “disconcerting that a private company can be considered guilty until proven innocent due to geopolitical issues.”
In its directive, the DHS invites Kaspersky to address the department’s concerns. Kaspersky Labs says it looks forward to showing that the allegations made against it are without merit. -David Welna, NPR News, Washington.
SHAPIRO: And we should note that Kaspersky Labs is among NPR’s corporate underwriters.