

We’ve all got a lot of big feelings right now, what with *gestures around.* It can be challenging for even the most self-aware among us to pinpoint how we’re feeling from moment to moment. It’s even harder for our kids, who are still learning to put words to all their big feelings.

It’s always important for parents and kids to talk about their feelings, and for parents to model healthy stress management, but even more so when so much feels overwhelming. Part of talking about feelings is first developing the vocabulary needed to have the conversation, which is why Matthew Utley writes for Fatherly that we should create a “feelings chart” for our kids:

A feelings chart is really any tool that helps a child expand their emotional vocabulary. It helps kids reflect on their feelings and describe them with more precision. “It can be a list of feeling words or a picture chart of words and expressions—whatever the child finds easier to use,” says Ellen O’Donnell, Ph.D, pediatric psychologist at MassGeneral for Children in Boston, instructor at Harvard Medical School, and co-author of the book Bless This Mess: A Modern Guide to Faith and Parenting in a Chaotic World. “It’s a fairly intuitive idea, as anyone who has sent an emoji in a text, rather than a prolonged description of their emotions, can attest to.”

For my feelings chart, I opted to print out this chart that I remember from my own childhood. But there are many other (more modern) options, if that’s your style. Emoji charts are especially helpful because they may already be recognizable to little kids.


After I printed my feelings chart, I framed it—an idea I borrowed from this post on the Kids Activities Blog. Once it’s framed, kids (and adults—we have feelings, too) can use dry erase markers to identify their feelings. Encourage them to pick more than one feeling. We can be both frustrated and overwhelmed at the same time, after all.


The dry erase marker easily wipes off with a tissue or other soft cloth, and then it’s ready for the next time you need a Family Feelings Status Update.

Set a regular time or two throughout the day to talk about feelings, such as during breakfast, after school, or at bedtime. But also be flexible and prepared to pull it out if you notice your child is struggling to work through an emotion and could use a little support.




from Lifehacker https://ift.tt/36kVnu4

In a perfect world, we could download apps from a centralized, secure app store on our phones, and these apps would allow us to connect to other services we enjoy without any extra hassle. In the real world, you’re going to have to employ some clever workarounds if you want to get game streaming to work on the tighter-than-Scrooge-McDuck iOS operating system.

That’s all thanks to Apple’s insistence on getting paid for everything that happens within the apps that it hosts on its digital storefront. While Apple did recently make it slightly easier for game streaming services to exist on the App Store, the company has still created a lot of difficulty for those looking to, say, fire up Google Stadia and do some gaming. So much so, that I wouldn’t expect to actually see a service like Stadia ever grace the App Store in its current condition—at least, not in a way that lets you stream your account’s games on an iPhone or iPad.

The solution? Grab the browser app “Stadium,” which allows you to run Stadia through a “full screen, mostly single page serving, browser.” It’s a fun little workaround that works somewhat well. The process isn’t perfect, but it’s the best you’re going to get right now on your Apple device. (Here’s hoping that device is an iPad, by the way, which seems to provide a better Stadium experience than an iPhone.)

As The Verge describes:

We were able to download Stadium and to play a couple of games, but our results were a little mixed. Stadia’s interface didn’t scale properly to our iPhone’s display (perhaps understandable given it’s not officially supported), and the DualShock 4 controller we used disconnected in the middle of a game, with seemingly no way to reconnect. However, from the Reddit comments, it seems like the iPad’s screen aspect ratio offers a much better experience, with multiple users reporting that the workaround works “perfectly” for them.


I don’t subscribe to Stadia, so I can’t test Stadium fully. However, it’s free to download, and launching it gives you two prompts to deal with:

For the first, you’ll want to enter https://stadia.google.com/home. Easy enough. For the second, you’ll want to enter your user agent as: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36 (I recommend copying and pasting that one.)

Tap “Done,” and you’ll be taken to the primary Stadia web page. You’re almost done, too. Tap on the triple-dot icon in the lower-left corner, tap on “Authenticate,” and enter the following: https://accounts.google.com/

You should now be able to sign into your Google account, access Stadia, and start streaming. And, yes, you can use some controllers for your games, as the app’s author describes:

Any controller that your iOS device can recognize should work. This includes MFi controllers, Xbox One S (and Elite Series 2) controllers, and DualShock 4 controllers. Pair them in your device Settings.

You’ll note that the actual Stadia controller is not on that list; such are the nuances of workarounds. We never said Stadium was perfect, but it’s still the best you’ll get on an Apple device for the immediate (and possibly long) future.


from Lifehacker https://ift.tt/3n7NttY

Sweet cheese blintzes are the stars of the stuffed pancake pantheon, but they are, if not difficult, at least somewhat tedious to make and fill. And while I will always choose a homemade blintz over a store-bought frozen one, the less precious nature of frozen grocery store blintzes makes them ideal candidates for waffling.

There’s no need for oil, no need for a pan, no need for anything other than a nonstick waffle iron, and perhaps some sort of berry-based topping and/or sour cream. The waffle iron creates texture—there are soft spots and crunchy spots—while it warms the cheese filling. I really do enjoy texture.

Much like frozen pound cake, frozen pierogi, and frozen onion rings, frozen blintzes do not need to be defrosted before they are waffled. But, like frozen egg rolls, you have to be careful to not apply too much pressure as you waffle them. Otherwise the filling comes spilling out onto the plateaus and into the valleys of your waffle maker, where it caramelizes into quite the mess.

To waffle a cheese blintz, start out just below medium heat. Place your blintz parallel to the waffle maker’s hinge to help keep the applied pressure and heat as even as possible across the length of the blintz. Place the blintz in the waffle maker, and let the top plate rest on top of it. Do not press down. Let the waffle maker warm the blintz for 2-3 minutes until the filling starts to soften.


Once the blintz has softened and flattened a little under the weight of the top plate, turn the heat up to medium-high, give it a slight press, and cook for a few more minutes until the outer layer is golden brown and crunchy in spots. Don’t worry if you get a little bit of spillage; that little bit will turn into what can only be described as “sweet cheese caramel,” and I don’t think that’s a bad thing.


from Lifehacker https://ift.tt/34cHmfj

Disney+ just launched its GroupWatch feature for US customers, which lets up to seven people watch the same Disney+ show or movie together remotely and completely in sync. Plenty of other streaming apps and media companies offer similar watch party features, but Disney+’s GroupWatch is more streamlined—and more limited—by comparison.

For starters, each viewer will need their own Disney+ account (one account per device). You can watch on any device that supports Disney+, but you’ll need a PC or mobile phone to create or join GroupWatch links.

The feature is also disabled for Disney+ Kid profiles, so you’ll need to give your child permission to use the main account if they want to watch with their friends.

Unlike watch party features for Netflix, Facebook, or Movies Anywhere, Disney+ doesn’t have text or voice chat options, though users can react to scenes with a limited selection of emojis. Get that frown emoji ready though, because Disney+ lets every viewer in the little watching party control the content—that means anyone can pause, rewind, or fast forward at any time, which could get confusing (and annoying).


To create a GroupWatch link:

  1. Open DisneyPlus.com in your desktop or mobile browser.
  2. Sign in, then click the content you want to watch.
  3. Click the GroupWatch icon under the title.
  4. Click the “+” button next to your profile picture in the GroupWatch screen.
  5. Copy the GroupWatch link and send it to the other viewers via your messaging app of choice.
  6. At this point, you can also swap over to another Disney+ device if you’d rather watch there.
  7. Once everyone’s in, press “Start Stream” to begin watching.

To join someone else’s GroupWatch link:

Click or tap the link on your smartphone or PC. If you’re signed into Disney+ on another device, Disney+ will ask if you want to watch there or keep watching on the device you’re already using.


from Lifehacker https://ift.tt/3ji5VxY

Microsoft has released a new report outlining enterprise cyberattack trends in the past year (July 2019 – June 2020) and offering advice on how organizations can protect themselves.

Based on over 8 trillion daily security signals and observations from the company’s security and threat intelligence experts, the Microsoft Digital Defense Report 2020 draws a distinction between attacks mounted by cybercriminals and those by nation-state attackers.

The cybercrime threat

In the past year, cybercriminals:

  • Were quick to exploit the fear and uncertainty associated with COVID-19, as well as the popularity of some SaaS offerings and other services, as lures in phishing emails
  • Exploited the lack of basic security hygiene and well-known vulnerabilities to gain access to enterprise systems and networks
  • Exploited supply chain (in)security by hitting vulnerable third-party services, open source software and IoT devices and using them as a way into the target organization

More often than not, phishing emails impersonate a well-known service such as Office 365 (Microsoft), Zoom, Amazon or Apple, in an attempt to harvest login credentials.

“While credential phishing and BEC continue to be the dominant variations, we also see attacks on a user’s identity and credential being attempted via password reuse and password spray attacks using legacy email protocols such as IMAP and SMTP,” Microsoft noted.

The attackers’ reason for exploiting these legacy authentication protocols is simple: they don’t support multi-factor authentication (MFA). Microsoft advises on enabling MFA and disabling legacy authentication.
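The password-spray pattern the report describes is visible in sign-in logs once legacy-protocol attempts are grouped by source address. The following is an added example, not code from the report or from Microsoft: it runs that detection over constructed sign-in lines (the comma-separated field layout, protocol names, addresses and accounts are all assumptions made for this example) and lists which accounts would be affected by disabling legacy authentication.

```python
"""Added example (not from the Microsoft report): flag password-spray
activity over legacy protocols in constructed sign-in log lines.

Assumption: each line is  timestamp,user,source_ip,protocol,result
This layout and the protocol names are constructed for the example,
not a real product's export format."""
from collections import defaultdict

# Protocols the report singles out as legacy, MFA-incapable paths.
LEGACY_PROTOCOLS = {"IMAP", "SMTP", "POP3"}

# Constructed sample: one source IP trying a single password across
# many accounts via IMAP, beside ordinary interactive logins.
SAMPLE_LOG = """\
2020-06-01T08:00:01Z,alice@example.com,198.51.100.7,IMAP,FAIL
2020-06-01T08:00:02Z,bob@example.com,198.51.100.7,IMAP,FAIL
2020-06-01T08:00:03Z,carol@example.com,198.51.100.7,IMAP,FAIL
2020-06-01T08:00:04Z,dave@example.com,198.51.100.7,IMAP,FAIL
2020-06-01T08:00:05Z,erin@example.com,198.51.100.7,IMAP,SUCCESS
2020-06-01T08:05:00Z,alice@example.com,203.0.113.5,BROWSER,SUCCESS
2020-06-01T08:06:00Z,alice@example.com,203.0.113.5,BROWSER,FAIL
2020-06-01T08:07:00Z,frank@example.com,203.0.113.9,SMTP,FAIL
"""


def parse(log_text):
    """Split the constructed log into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, ip, proto, result = line.split(",")
        events.append({"ts": ts, "user": user, "ip": ip,
                       "protocol": proto, "result": result})
    return events


def find_legacy_sprays(events, min_users=3):
    """Return {ip: info} for source IPs that tried legacy-protocol logins
    against at least `min_users` distinct accounts. A spray is one
    password tried across many users, so the distinct-user count per IP,
    not the failure count per user, is the signal."""
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0,
                                  "compromised": set(), "protocols": set()})
    for e in events:
        if e["protocol"] not in LEGACY_PROTOCOLS:
            continue
        rec = per_ip[e["ip"]]
        rec["users"].add(e["user"])
        rec["protocols"].add(e["protocol"])
        if e["result"] == "FAIL":
            rec["failures"] += 1
        else:
            # A success inside a spray marks the account to reset first.
            rec["compromised"].add(e["user"])
    return {ip: rec for ip, rec in per_ip.items()
            if len(rec["users"]) >= min_users}


def legacy_auth_users(events):
    """Accounts still authenticating over legacy protocols at all: the
    ones a 'disable legacy authentication' change will affect."""
    return sorted({e["user"] for e in events
                   if e["protocol"] in LEGACY_PROTOCOLS})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, rec in find_legacy_sprays(evs).items():
        print(f"spray from {ip}: {len(rec['users'])} accounts over "
              f"{sorted(rec['protocols'])}, compromised={sorted(rec['compromised'])}")
    print("legacy-auth users:", legacy_auth_users(evs))
```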

Cybercriminals are also:

  • Increasingly using cloud services and compromised email and web hosting infrastructures to orchestrate phishing campaigns
  • Rapidly changing campaigns (sending domains, email addresses, content templates, and URL domains)
  • Constantly changing and evolving payload delivery mechanisms (poisoned search results, custom 404 pages hosting phishing payloads, etc.)

One of the biggest and most disruptive cybercrime threats in the past year was ransomware – particularly “human-operated” ransomware wielded by gangs that target organizations they believe will part with big sums if affected.

These gangs sweep the internet for easy entry points or use commodity malware to gain access to company networks and change ransomware payloads and attack tools depending on the “terrain” they landed in (and to avoid attribution).

“Ransomware criminals are intimately familiar with systems management concepts and the struggles IT departments face. Attack patterns demonstrate that cybercriminals know when there will be change freezes, such as holidays, that will impact an organization’s ability to make changes (such as patching) to harden their networks,” Microsoft explained.

“They’re aware of when there are business needs that will make businesses more willing to pay ransoms than take downtime, such as during billing cycles in the health, finance, and legal industries. Targeting networks where critical work was needed during the COVID-19 pandemic, and also specifically attacking remote access devices during a time when unprecedented numbers of people were working remotely, are examples of this level of knowledge.”

Some of them have even shortened their in-network dwell time before deploying the ransomware, going from initial entry to ransoming the entire network in less than 45 minutes.

Gerrit Lansing, Field CTO, Stealthbits, commented that the speed at which a targeted ransomware attack can happen is really determined by one thing: how quickly an adversary can compromise administrative privileges in Microsoft Active Directory.

“Going from initial infiltration to total ownership of Active Directory can be a matter of seconds. Once these privileges are compromised, an adversary’s ability to deploy ransomware to all machines joined to Active Directory is unfettered, which explains how an adversary can go from initial infiltration to total ransomware infection in such a short period of time,” he noted.

Finally, to counter the threat of supply chain insecurity, Microsoft advises companies to:

  • Vet their service providers thoroughly
  • Use systems to automatically identify open source software components and vulnerabilities in them
  • Map IoT assets, apply security policies to reduce the attack surface, use a separate network for IoT devices and be familiar with all exposed interfaces

[Figure: enterprise cyberattack trends 2020]

Nation-state threats

The company has been following and mapping the activities of a number of nation-state actors and has found that – based on the nation state notifications they deliver to their customers – the attackers’ primary targets are not in the critical infrastructure sectors.

Instead, the top targeted industry sectors are non-governmental organizations (advocacy groups, human rights organizations, nonprofit organizations, etc.) and professional services (consulting firms and contractors):

[Figure: enterprise cyberattack trends 2020]

Microsoft found the most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and VPN exploits. Web shell-based attacks are also on the rise.

The report delineates steps organizations can take to counter each of these threats as well as to improve their security and the security of their remote workforce.

“Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace; that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies, and, especially, enabling MFA. Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks,” the Microsoft Security Team concluded.


from Help Net Security https://ift.tt/3jifCfA

Really interesting conversation with someone who negotiates with ransomware gangs:

For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, can perhaps be comported so as not to break any laws (like anti-terrorist laws, FCPA, conspiracy and others) – and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination – almost like a cost-benefit analysis.

The arguments for rendering a ransomware payment include:

  • Payment is the least costly option;
  • Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up);
  • Payment can avoid being fined for losing important data;
  • Payment means not losing highly confidential information; and
  • Payment may mean not going public with the data breach.

The arguments against rendering a ransomware payment include:

  • Payment does not guarantee that the right encryption keys with the proper decryption algorithms will be provided;
  • Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime;
  • Payment can do damage to a corporate brand;
  • Payment may not stop the ransomware attacker from returning;
  • If victims stopped making ransomware payments, the ransomware revenue stream would stop and ransomware attackers would have to move on to perpetrating another scheme; and
  • Using Bitcoin to pay a ransomware attacker can put organizations at risk. Most victims must buy Bitcoin on entirely unregulated and free-wheeling exchanges that can also be hacked, leaving buyers’ bank account information stored on these exchanges vulnerable.

When confronted with a ransomware attack, the options all seem bleak. Pay the hackers – and the victim may not only prompt future attacks, but there is also no guarantee that the hackers will restore a victim’s dataset. Ignore the hackers – and the victim may incur significant financial damage or even find themselves out of business. The only guarantees during a ransomware attack are the fear, uncertainty and dread inevitably experienced by the victim.


from Schneier on Security https://ift.tt/3cH38vN

Seasoned cybersecurity pros will be familiar with MITRE. Known for its MITRE ATT&CK framework, MITRE helps develop threat models and defensive methodologies for both the private and public sector cybersecurity communities.

MITRE Shield

MITRE recently added to their portfolio and released MITRE Shield, an active defense knowledge base that captures and organizes security techniques in a way that is complementary to the mitigations featured in MITRE ATT&CK.

The MITRE Shield framework focuses on active defense and adversary engagement, which takes the passivity out of network defense. MITRE defines active defense as ranging from “basic cyber defensive capabilities to cyber deception and adversary engagement operations,” which “allow an organization to not only counter current attacks, but also learn more about that adversary and better prepare for new attacks in the future.”

This is the first time that deception has been proactively referenced in a framework from MITRE, and yes, it’s a big deal.

As the saying goes, the best defense is a good offense. Cybercriminals continue to evolve their tactics, and as a result, traditional security and endpoint protections are proving insufficient to defend against today’s sophisticated attackers. Companies can no longer sit back and hope that firewalls or mandatory security training will be enough to protect critical systems and information. Instead, they should consider the “active defense” tactics called for in MITRE Shield to help level the playing field.

Why deception?

The key to deception technology – and why it’s so relevant now – is that it goes beyond simple detection to identify and prevent lateral movement, notoriously one of the most difficult aspects of network defense. The last several months have been especially challenging for security teams, with the pandemic and the sudden shift to remote work leaving many organizations more vulnerable than before. Cybercriminals are acutely aware of this and have been capitalizing on the disruption to launch more attacks.

In fact, the number of data breaches in 2020 has almost doubled (compared to the year before), with more than 3,950 incidents as of August. But what this number doesn’t account for are the breaches that may still be undetected, in which attackers gained access to a company’s network and are performing reconnaissance weeks, or potentially months, before they actually launch an attack.

As they move through a network laterally, cybercriminals stealthily gather information about a company and its assets, allowing them to develop a plan for a more sophisticated and damaging attack down the line. This is where deception and active defense converge – hiding real assets (servers, applications, routers, printers, controllers and more) in a crowd of imposters that look and feel exactly like the real thing. In a deceptive environment, the attacker must be 100% right, otherwise they will waste time and effort collecting bad data in exchange for revealing their tradecraft to the defender.

Deception exists in a shadow network. Traps don’t touch real assets, making it a highly valued solution for even the most diverse environments, including IT, OT and Internet of Things devices. And because traps are not visible to legitimate users or systems and serve only to deceive attackers, they deliver high fidelity alerts and virtually no false positives.
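The two claims above, that an attacker moving laterally through a crowd of imposters must be 100% right and that decoys produce high-fidelity alerts because legitimate users never touch them, can be made concrete. The following is an added example, not code from MITRE or from the article: a constructed inventory of real assets and low-interaction decoys (all hostnames, addresses and connection events are made up for the example), the alert logic for any decoy touch, and the probability that a blind attacker probing k hosts avoids every decoy.

```python
"""Added example, not from MITRE or the article: real assets hidden among
low-interaction decoys, (a) the alert logic that makes a decoy touch a
high-fidelity signal and (b) the chance a blind attacker probing k hosts
avoids every decoy. All names, addresses and events are constructed."""
from math import comb

# Constructed inventory: real hosts and decoys share one address range so
# nothing distinguishes them from the outside (the "crowd of imposters").
REAL_ASSETS = {"10.0.0.10": "file-server", "10.0.0.11": "erp-app",
               "10.0.0.12": "printer-01", "10.0.0.13": "plc-controller"}
DECOYS = {"10.0.0.20": "decoy-file-server", "10.0.0.21": "decoy-erp-app",
          "10.0.0.22": "decoy-printer", "10.0.0.23": "decoy-plc",
          "10.0.0.24": "decoy-backup", "10.0.0.25": "decoy-domain-ctrl"}

# Constructed connection events: (source, destination, destination port).
EVENTS = [
    ("10.0.5.50", "10.0.0.10", 445),   # a user reaching the real file server
    ("10.0.5.50", "10.0.0.11", 443),
    ("10.0.7.99", "10.0.0.10", 445),   # compromised host, hits a real target
    ("10.0.7.99", "10.0.0.21", 443),   # ...then a decoy: high-fidelity alert
    ("10.0.7.99", "10.0.0.24", 22),
    ("10.0.5.50", "10.0.0.12", 9100),
]


def decoy_alerts(events, decoys=DECOYS):
    """Any connection to a decoy is an alert: legitimate users and systems
    have no reason to know it exists, so false positives are near zero.
    Returns {source: [decoy names touched, with port]}."""
    alerts = {}
    for src, dst, port in events:
        if dst in decoys:
            alerts.setdefault(src, []).append(f"{decoys[dst]}:{port}")
    return alerts


def evasion_probability(n_real, n_decoys, probes):
    """Probability that `probes` distinct hosts picked blindly from the
    pool are all real, i.e. the attacker is '100% right' and touches no
    decoy: C(n_real, probes) / C(n_real + n_decoys, probes)."""
    if probes > n_real:
        return 0.0   # more probes than real hosts: a decoy is unavoidable
    return comb(n_real, probes) / comb(n_real + n_decoys, probes)


if __name__ == "__main__":
    for src, touched in decoy_alerts(EVENTS).items():
        print(f"ALERT lateral movement from {src}: {touched}")
    n, m = len(REAL_ASSETS), len(DECOYS)
    for k in (1, 2, 4, 5):
        print(f"{k} probes, {n} real / {m} decoys: "
              f"P(no decoy touched) = {evasion_probability(n, m, k):.3f}")
```

With four real hosts and six decoys, a single blind probe evades detection 40% of the time, two probes only about 13% of the time, and five probes never.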

How can companies embrace MITRE Shield using deception?

MITRE Shield currently contains 34 deception-based tactics, all mapped to one of MITRE’s eight active defense categories: Channel, Collect, Contain, Detect, Disrupt, Facilitate, Legitimize and Test. Approximately one third of suggested tactics in the framework are related to deception, which not only shows the power of deception as an active defense strategy, but also provides a roadmap for companies to develop a successful deception posture of their own.

There are three tiers of deceptive assets that companies should consider, depending on the level of forensics desired:

1. Low interaction, which consists of simple fake assets designed to divert cybercriminals away from the real thing, using up their time and resources.

2. Medium interaction, which offers greater insights into the techniques used by cybercriminals, allowing security teams to identify attackers and respond to the attack.

3. High interaction, which provides the most insight into attacker activity, leveraging extended interaction to collect information.

While a company doesn’t have to use all of the deception-based tactics outlined in MITRE Shield to prevent attacks, low interaction decoys are a good place to start, and can be deployed in a matter of minutes. Going forward, CISOs should consider whether it’s time to rethink their security strategy to include more active defense tactics, including deception.


from Help Net Security https://ift.tt/3cHLnfK