Cybercriminal: "I don't care how secure your authentication mechanism is. It doesn't even matter to me. I'll still convince your users to authenticate for me."
If you’re an MSP and you’re interested in partnering with a qualified and well-referenced instructor to provide cybersecurity awareness training, let’s talk. We can both make money.
Some companies need cybersecurity awareness training to meet audit requirements. Wouldn’t it be great if that training was delivered by someone with a track record of making the training interesting and engaging – and effective?
Ask yourself, “Why am I doing this with a VM instead of a physical device?”
Ask yourself, “Why am I doing this in the cloud instead of on-prem?”
Ask yourself, “Why am I doing this with public Internet connectivity instead of private data circuits?”
If the best answer you can come up with is a reflexive, “Because it’s cheaper and more convenient,” then you’re not engineering systems, you’re copying what someone else did.
“Cheaper” and “convenient” aren’t the only design criteria.
First, you don’t know if it’s cheaper until you design and spec it more than one way.
Second, you don’t know if it’s more convenient until you actually think through the alternative business and operations processes that are influenced by the design.
Just because an operational solution is different doesn’t mean it’s less convenient. In fact, it may provide amazing new efficiencies.
Here are some design criteria for you to consider:
Security.
Performance.
Control.
Versatility.
Cost effectiveness (don’t confuse “cost effective” with “cheaper”).
Scalability.
Third-party vendor management.
Third-party vendor risks.
Compliance.
OPEX vs. CAPEX.
Yesterday I saw a clickbait article from a popular news source. It started with a headline that made it look like Signal's encryption has been compromised (it hasn't). The actual compromise is accomplished by downloading and installing a malicious trojan that takes screen captures of the decrypted message while it's displayed on your screen.
I’m not linking to the article because it’s an example of poor journalism.
Risks with end-to-end encryption have always included key logging and screen scraping. Nothing has changed. As always, be careful what you download and install on your phone.
And, as always, don’t believe sensational headlines without fact checking first.
Personal cybersecurity and privacy in the corporate world starts with your devices.
1) In the office: turn off Wi-Fi on your personal phone. Only use your carrier’s Internet connection at work for social media, personal email, everything personal. When you use the business Wi-Fi, everything can be monitored. The websites you visit, your unencrypted emails, and other data are exposed to the company’s security systems.
2) At home: never conduct personal business on your work laptop, even when working from home. Use your own laptop, tablet, and phone for anything that’s not directly related to the company.
There are two kinds of contract reviews.
1) Legal review. For this you need a lawyer.
2) Content review. For this you need a subject matter expert.
When you want a content review for a contract related to any of the following areas, think of me.
Cybersecurity – Networks – Wireless – Telecom – VoIP
For example, because I was Director of National System Development for a cellular company, I get gigs with city governments reviewing contracts when tower management companies want to put new communications sites on city property.
Another example: I review cyber liability insurance contracts to help companies know if they’re complying with the policy’s conditions.
I’m not a lawyer, but there are important details in technology contracts that most lawyers can’t address. Do you need a subject matter expert?
Cybersecurity – Networks – Wireless – Telecom – VoIP
From my email to a prospect earlier this week, after reviewing the contract they sent me:
“I don’t accept contracts with binding arbitration requirements. If <company name redacted> behaves ethically, there will be no disputes. If there is a dispute, it can be settled in open court.”
Choose your clients carefully.
If you’re interested in a 1-hour training session on email safety for your non-technical staff, use the “Contact Us” page on my website to get in touch and learn more (link below).
Email safety education is one of the best preventive measures you can take to keep your company from being harmed by phishing attacks.
Online, Zoom or Teams.
Live, instructor-led.
Conversational, not just demo and lecture.
Any time zone, English language.
Question: “Bob, why don’t I just have my in-house IT staff conduct this training?”
Answer: “Sure, that’ll work. If they have the time. If they have the teaching skills to keep people interested and engaged.”
https://fifonetworks.com/contact-us/
Never sign a bad contract.
Never sign a bad contract.
Never sign a bad contract.
Never sign a bad contract.
In the hunting world, it’s called buck fever. In the entrepreneurial world, the equivalent is contract fever.
A new deer hunter, excited and eager, can scare off the buck just by breathing too heavily, or moving too fast.
When you’re starting your own business, you’re desperately hunting for those first few contracts. You need clients. You need income. There’s a strong temptation to sign a contract quickly, so you don’t risk scaring off the prospect.
With a bad contract, you can be owned. They can control you. They can refuse to pay because some point in the contract wasn’t kept to the letter. You can end up paying for expenses your client should be covering. You can miss an unreasonable deadline, and it’s all on you.
Those verbal explanations and email assurances don’t mean a single thing. They don’t count.
A new entrepreneur, like a new hunter, has the desire, but not the discipline.
Steady. Breathe.
After 23 years of owning my own business, I can tell you with certainty: there is always another client. There is always another contract.
Listen to me: a bad contract is worse than no contract. It’s easier to get a good contract than to recover from a bad contract.
Never sign a bad contract.
Never sign a bad contract.
Never sign a bad contract.
Never sign a bad contract.
Should someone who knows they’re not an AI expert express an opinion about AI?
Of course! Just don’t mislead people into thinking you’re a subject matter expert.
I’m no expert on AI.
Now that we’ve cleared that up, here’s my insight on malicious AI.
There are people in the world, right now, working on AI systems with no guardrails.
While the commercial AI enterprises are claiming to work on systems that won’t give you harmful advice, or misinformation, or assist with crime, there are other groups at work.
There are groups right now trying to optimize AI systems for finding heretofore unknown vulnerabilities in all types of networks. These systems will be lightning fast, and they’ll put bug bounty hunters to shame with their speed and productivity.
Some people are telling you that they’re working on AI defense systems to meet the rising new threat.
There is a much simpler answer.
Get sensitive information off the Internet. Use private data circuits.
(“Bob, private data circuits cost more!”)
Indeed, that was the historic motivation for moving away from private data circuits to Internet connectivity. It cost less.
Or at least, it used to.
But have you done the cost analysis recently? You might be surprised. Some of the money you’re spending on Internet security can be diverted to paying for private data circuits, and that spending is itself cybersecurity. It’s spending money on a more effective solution.
The Internet is for retail sales and social media, not PII, PHI, R&D, employee records, and so on. You get the idea.
The threat of malicious AI is real, and the cost-effective solution is to make the important data inaccessible from the public Internet.
A few months ago I discovered a law firm’s financial information (specifically billing and payment information), online. It’s a nationally known law firm, and the records in question were for the Seattle office.
Broken down by customer.
Itemized hourly billing.
Hourly billing rate.
Other expenses.
Customer account number.
Customer payment information, including bank account number.
Law firm’s bank account number.
Amounts paid.
Payment dates.
Balance due.
The information did NOT include details of the services provided.
I found it entirely by accident, with a Google search that wasn’t targeted in nature.
No, I didn’t report it to the law firm. In Washington, “Good faith acquisition of personal information . . . is not a breach of the security of the system when the personal information is not used or subject to further unauthorized disclosure.” (RCW 19.255.005(1))
I believe that protects me, but I don’t want to test it in court, and if the law firm knew about it, they might feel compelled to take some sort of action other than securing their information better.
THE LESSON
Do not store your company records, and host your website, on the same server. I can’t believe I have to write that sentence.
Concerned about AI-generated malware bringing down your company? Then get your critical data off the Internet.
This isn't rocket science. This is Occam’s Razor.
The Internet is for social media and retail sales.
PII, PHI, employee records, customer information - nothing important should ever be Internet accessible.
Ever heard of private data circuits? Private data circuits are a real thing. People quit using them because the Internet was cheaper.
"It'll be secure," they said.
No. The Internet has never been secure. The Internet cannot ever be secure, because authenticated users will always be tricked into doing stuff for cybercriminals.
If there was ever a time to rethink your business strategy as it relates to information storage and processing, that time is now.
It's going to get worse quickly. Your best defense is to get sensitive data out of the public cloud.
And speaking of change management processes...
There are generally two ways in which change management systems fail.
1) Apathy.
The participants in the change management meetings are tired of it all, don’t really pay attention, and sign off on things that shouldn’t be approved without further analysis.
Change happens too fast.
2) Ponderous detail.
Fear of mistakes is the predominant emotion in some corporate cultures. Survival, rather than success, is the driving factor for the change management committee. More people are included than need to be. Seeking additional outside scrutiny is common. Scheduling the extra time, work, and meetings for further analysis becomes sand in the gears.
Change happens too slowly.
There are a variety of cures, depending on the company size and culture, the number of inter-dependent systems, and so forth. Some examples:
PEOPLE SOLUTIONS
1) Different change management teams for different types of change.
In complex, interdependent environments, having only one change management team that handles everything is counterproductive, and actually increases the likelihood of bad decisions.
2) Proper selection of change management team members.
Don’t overlook Legal, Finance, Safety, Sales, and Marketing for certain types of change. Technical changes can have non-technical consequences.
SYSTEM SOLUTIONS
1) Fewer interdependent systems, so changes have a smaller area of effect.
The downside of centralization is that it increases the risk of catastrophic failure.
2) Architecture that includes rapid roll-back by design.
Confidence in the ability to reverse a mistake can reduce anxiety and hesitance to move forward.
3) Incremental changes.
While not always possible, it’s worth asking the question: “Can we do this in smaller steps?”
I just did a tech support session with a client who had been switched to Edge from Chrome and didn’t know it. Microsoft pushes so hard to get people to change their default browser. Every update is a new risk. It’s immoral to trick people into accepting changes when they don’t even know it’s happening.
The presenting problem for the support call was that every time she opened a browser tab for Facebook she had to reauthenticate. She told me she was using Chrome. When I walked her through the steps to get to Settings, that’s how we discovered it was a different browser.
When you have no choice but to conclude, "I have to take these social media threats seriously," I can help.
Licensed and insured.
Personal Cybersecurity: Evading the Stalker, Ditching the Ex
https://fifonetworks.com/personal-cybersecurity-evading-the-stalker-ditching-the-ex/
The cough is not the disease. Let's use DNS misconfiguration as an example. The root cause may be poor employee training, a poor change management system, or both. In either case, we can correctly say that DNS worked exactly as it was designed to work.
Simply by separating your data from your domain, you'll improve your security posture by orders of magnitude.
A lot of the work I do is in high security systems where sensitive data isn’t connected to the Internet, and isn’t hosted on commercial public cloud platforms, because such an architecture can’t meet the design criteria.
A recurring issue I face is educating new decision makers who get ill-informed notions that they can reduce costs (thereby becoming heroes, or so they think), by centralizing information storage or processing on rented commercial platforms. So I go through it all again, patiently, politely, with the new person.
The other recurring threat I deal with is C-level people who want what I refer to as Data Ubiquity: “I want access to all of the data, at any time, from any location, on any of my devices.”
Data Ubiquity = Maximum Vulnerability.
Even “perfect” authentication won’t prevent this vulnerability. Why? Phishing. The authenticated user will be tricked into opening the door for the cybercriminal.
When the data is in no way Internet connected, how does the victim deliver the data to the cybercriminal? Do they print it out and ship reams of paper in boxes to the criminal via FedEx?
Offline Data = More Secure Data.
The cloud is for retail sales and social media, NOT for PHI, PII, corporate secrets, intellectual property, employee records, industrial controls...
This week I fixed a laptop for a client. It was the second time this client has had me do work for her. The first invoice was in 2016.
2016. It’s been nine years. Her husband isn’t in IT, but he’s a tech-savvy person, so he provides most of her tech support. But when he couldn’t resolve the issue, she still remembered me and came back to me for service in 2025.
That’s customer loyalty. Treat them right. They remember. They’ll come back.
A Training Manager at a company (who shall remain nameless) requested the course description for my CompTIA Network+ boot camp. It’s been a minute since the last time I got a request for that. There’s so much study material available online now. But in this situation, the company has a need to get several current employees certified in a hurry.
CompTIA’s current version is V9, N10-009. The course is five days, on site, instructor-led by yours truly. No, there’s no guarantee that everyone will pass the exam. On the other hand, I’ve trained hundreds of students at community colleges (semester-long version) and in corporate training rooms (the 5-day boot camp). Most people who complete the course without stepping out of the room to take phone calls, and show up every day, and do the homework, and follow my study tips, will pass on the first try.
So, something to think about, if your company needs several people certified all at once.