I’ve been using Microsoft’s Authenticator App because not only does it support Azure Authentication (Office 365) but because it supports my Microsoft Account, Google account, and anyplace else that supports the OTP standard. Any site or service that supports RFC6238 is supported by MS Authenticator and I can scan a QR code (and in some cases enter a Secret Key instead of a QR code) to “provision” an account.
As my list of 2FA/multi-factor authentication enabled assets grows, I had been thinking a lot about what would happen if I upgraded my iPhone or had a hardware failure and needed to replace it. Even restoring a new phone from an iPhone backup does not restore the accounts to MS Authenticator (and the same is true of other 2FA apps, although several offer their own export/import or backup/restore functions). And, while I do get push notifications to approve or deny access on my Apple Watch from MS Authenticator for my Office 365 account and my Microsoft Account, for other sites and services, since Microsoft does not (yet) offer a full-fledged Apple Watch App, I need my phone when prompted to enter a code.
The technical press (like Engadget https://www.engadget.com/2017/03/05/wd-my-cloud-security-exploits/) is publishing info about a vulnerability that impacts WD Networked devices that have cloud access enabled. That’s great, but they aren’t providing info for non-technical users on how to check their settings and turn off this access if needed. So here is that information:
1. Access the My Cloud Dashboard. To open your My Cloud Dashboard: Windows: Open a web browser and type in //devicename/ (or device IP address) to the browser address bar. If your device is named WDMyCloud, you’d type in //WDMyCloud/ and hit enter. The web page should open. You may need to log in (hopefully you’ve password protected your device).
2. Click on the settings option on the top menu.
3. Scroll the page to Cloud Access and verify it is set to off (or turn off if it is on).
While you are on this page, check the Firmware Update tab on the left and make sure you are on the latest firmware. Upgrade if needed.
Microsoft is "suspending" emails (because of the Canadian SPAM law effective 7/1). I found these REALLY useful. I’m sure others did as well.
Notice to IT professionals:
As of July 1, 2014, due to changing governmental policies concerning
the issuance of automated electronic messaging, Microsoft is
suspending the use of email notifications that announce the
* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins
In lieu of email notifications, you can subscribe to one or more of
the RSS feeds described on the Security TechCenter website.
For more information, or to sign up for an RSS feed, visit the
Microsoft Technical Security Notifications webpage at
So then I looked at the page referenced above. My "quick and dirty" very basic ‘Security Notifications from Microsoft Feed Reader’ app is now available in the Windows Store. http://apps.microsoft.com/windows/app/security-notifications-from/f5459c09-6233-4100-bfe1-d198111fc30b
I hope that Microsoft reinstates the emails after they figure out how to exclude Canadian customers who don’t want to receive this important information.
A few days ago, I started receiving all kinds of strange notifications and friend requests in an account that I don’t use for Facebook. I started getting concerned because of the volume of requests. I wasn’t sure if this was a phishing scam or malware, but I was getting annoyed at the number of pieces of mail being generated. The owner had signed up as Why-do U-Care. The name alone made me wonder what kind of scam was about to happen.
Of course each of these had a link to whatever I was being notified about. So, first in a VM to be safer, I clicked one of the links (the source of the email message actually was a legit Facebook non spoofed header, but just to be safe…) and without any trouble at all, I was able to reset the password to this phantom account.
Here is the password change email I received.
Now how this person signed up with one of my email addresses and was able to use the account for a few days without verifying that email address is troublesome indeed.
Anyway, I reset the password and logged in to the account to ensure that there wasn’t anything else going on that impacted me. This is some guy in California. A really stupid one to boot.
Next I got a throw away email address elsewhere and added it to the account, verified it, then set it as primary and removed my own misused email address. I changed the account name to DoNot Use. I then attached the email address that *I* own to a different Facebook account that *I* own as a secondary address. (Not my main account). Verified it, etc.
I then went into Why-DO U-Care, now DoNOT Use account with the throw away account login and scheduled it for deletion.
I am now getting about six of the following an hour from Facebook that look like:
Each time I click the button “didn’t initiate this choice.” This joker keeps trying to claim MY email address.
Facebook has a problem, and there is a person out there that needs psychiatric help and needs to be restrained from using the Internet (or at least who needs to understand he just can’t make up any old email address).
Seriously, Facebook allowed me to access this account just by initiating a password reset because I happen to own the email address this stupid person used. There is a security issue here, and this person should have never been allowed to use the account without acknowledging an email sent TO the email address he was trying to use. If anyone knows anyone at Facebook, please relay.
In Part 3, I wrote about setting up dynamic DNS and port forwarding for my cameras and desktop controller as well as authentication for all exposed web servers. Once this is set up properly, camera output can be viewed in real time, any time I want to check in on what’s happening chez moi. If I were to get a motion detection email alert, I could immediately recheck camera output from all my cameras.
The Blue Iris web controller Windows software that I selected is viewable from any web browser. It detects mobile use and presents an iPxxx interface when I access it from my iPhone or iPad. I’ve added the URL to my bookmarks and to my Home screen on my iPxxx devices. Here is what I see from my iPad after I enter the proper credentials (since authentication was set up):
I can select an individual camera from the drop down menu or just tap a camera to see a larger view.
I added a bookmark for the Blue Iris web server and also added it to my iPad and iPhone Home Screens for easy and fast access.