Phishing Attacks: Real-World Examples and How to Protect Yourself

At Connect4 Consulting, we’ve seen phishing attacks evolve from obvious Nigerian prince scams to sophisticated deceptions that can fool even the most tech-savvy professionals.

Phishing attacks work because they exploit human nature – our trust, our curiosity, our desire to help. The best defense is a combination of skepticism, knowledge, and good security habits.

Let’s break down the most common types of attacks we’re seeing today and show you how to protect your business.

The Classic Email Phish: Still Swimming Strong

Remember when even tech giants Google and Facebook fell victim to a sophisticated email scam? That’s right – if it can happen to them, it can happen to anyone. Today’s email phishing attempts are increasingly sophisticated, using clever domain spoofing and social engineering to appear legitimate.

Spear Phishing: When Attackers Take Aim

Think of spear phishing as the sniper rifle of cyber attacks. Instead of casting a wide net, attackers carefully research their targets. The Colonial Pipeline attack is a perfect example – attackers specifically targeted key employees with messages so convincing that they appeared to come from trusted sources.

The Colonial Pipeline Attack: A Case Study

The Colonial Pipeline attack, which occurred in May 2021, serves as a prime example of spear phishing in action. Attackers targeted key employees within the organization, sending emails that appeared to come from trusted sources. These messages were designed to look legitimate and often included urgent requests or critical information that prompted the recipients to act quickly.

Key Elements of the Attack:

  1. Targeted Research: Attackers conducted thorough research on the Colonial Pipeline employees, identifying key personnel and understanding their roles within the company.
  2. Convincing Communication: The emails sent to the employees were crafted to mimic trusted communications, often using familiar language and references that would resonate with the recipients.
  3. Exploitation of Trust: By appearing to come from a trusted source, the attackers exploited the natural tendency of individuals to trust communications from known contacts, leading to a higher likelihood of engagement.
  4. Consequences: The successful spear phishing attack led to a ransomware incident that disrupted fuel supply across the Eastern United States, highlighting the severe implications of such targeted attacks.

Spear phishing is a sophisticated and dangerous cyber threat that requires vigilance and awareness. The Colonial Pipeline attack exemplifies how attackers can leverage detailed research and psychological manipulation to achieve their goals. Organizations must implement robust security measures, including employee training and awareness programs, to defend against these targeted attacks. By understanding the tactics used in spear phishing, individuals can better protect themselves and their organizations from becoming victims of this sniper rifle of cyber attacks.

Smishing: When Texts Turn Toxic

That “urgent” text about your package delivery? It is likely a trap. We’ve seen a surge in SMS-based phishing (smishing) attacks, with criminals impersonating everything from delivery services to banks. The USPS impersonation campaign was particularly clever, using our natural curiosity about packages to steal Google credentials.

How Smishing Works

  1. Deceptive Messages: Attackers craft messages that mimic legitimate communications. For example, a message may claim that there is an issue with your bank account and urge you to verify your information immediately.
  2. Malicious Links: The text often includes a link that directs users to a fake website designed to look like a legitimate one. Once on this site, users may be prompted to enter sensitive information.
  3. Data Harvesting: If the victim falls for the scam and provides their information, the attacker can use it for identity theft, financial fraud, or sell it on the dark web.

Recognizing Smishing Attempts

To protect yourself from smishing, it’s essential to recognize the signs of a potential attack:

  • Unexpected Messages: Be cautious of unsolicited messages, especially those that ask for personal information or prompt you to click on links.

  • Urgency and Threats: Smishing messages often create a sense of urgency, claiming that immediate action is required to avoid negative consequences.

  • Poor Grammar and Spelling: Many smishing attempts contain grammatical errors or awkward phrasing, which can be a red flag.

How to Protect Yourself from Smishing

  1. Do Not Click Links: Avoid clicking on links in unsolicited text messages. Instead, visit the official website of the organization directly by typing the URL into your browser.
  2. Verify the Source: If you receive a suspicious message, contact the organization directly using a known phone number or email address to verify its legitimacy.
  3. Report Smishing Attempts: If you receive a smishing message, report it to your mobile carrier and the relevant authorities. In the US, you can forward the message to 7726 (SPAM).
  4. Use Security Software: Consider using mobile security applications that can help detect and block potential smishing attempts.

Smishing is a growing threat in the realm of cybercrime, leveraging the convenience of mobile communication to exploit unsuspecting individuals. By understanding what smishing is, recognizing its signs, and taking proactive measures to protect yourself, you can reduce the risk of falling victim to these deceptive attacks. Stay informed and vigilant to safeguard your personal information in an increasingly digital world.

Vishing: The Voice You Can’t Trust

Phone scams have gone high-tech. Modern vishing attacks use sophisticated social engineering and often spoof legitimate phone numbers. We’ve seen cases where attackers pose as bank security teams, complete with background call center noise and professional scripts.

Common Techniques Used in Vishing

  1. Caller ID Spoofing: Attackers can manipulate caller ID information to make it appear as though they are calling from a legitimate source. This tactic increases the likelihood that the victim will answer the call and engage with the scammer.
  2. Urgency and Fear Tactics: Vishing attacks often create a sense of urgency or fear. For example, the caller may claim that there is a problem with the victim’s bank account that requires immediate attention, prompting the victim to act quickly without thinking.
  3. Pretexting: Attackers may create a fabricated scenario or pretext to justify their request for information. For instance, they might pose as a bank representative conducting a security check and ask for personal details to “verify” the victim’s identity.
  4. Social Engineering: Vishing relies heavily on social engineering techniques, where attackers exploit human psychology to manipulate victims. They may build rapport or use flattery to gain the victim’s trust before asking for sensitive information.

How to Protect Yourself from Vishing

  1. Be Skeptical: Always be cautious when receiving unsolicited calls, especially if the caller requests personal information. Verify the caller’s identity by hanging up and calling back using official contact numbers.
  2. Do Not Share Personal Information: Never provide sensitive information over the phone unless you are certain of the caller’s identity. Legitimate organizations will not ask for sensitive information in this manner.
  3. Use Call Blocking Features: Many smartphones and telecom providers offer call blocking features that can help reduce the number of unwanted calls you receive.
  4. Report Suspicious Calls: If you receive a suspicious call, report it to your local authorities or the relevant consumer protection agency. This can help raise awareness and potentially prevent others from falling victim to similar scams.

Vishing is a growing threat in the realm of cybersecurity, leveraging voice communication to deceive individuals into divulging sensitive information. By understanding the tactics used by attackers and implementing protective measures, you can significantly reduce your risk of becoming a victim of vishing. Stay informed and vigilant to safeguard your personal information against these types of scams.

Social Media: The New Phishing Ground

Platforms like Twitter have become hunting grounds for phishers. Remember the fake Domino’s Pizza accounts offering refunds? That’s just the tip of the iceberg. Social media phishing thrives on our trust in branded accounts and our desire for deals.

Techniques Used in Social Media Phishing

  1. Impersonation: Attackers often create fake profiles that mimic legitimate users or organizations. These profiles may use similar names, photos, and information to gain the trust of potential victims.
  2. Malicious Links: Phishing messages frequently contain links that lead to fraudulent websites designed to steal personal information. These links may be disguised as legitimate URLs, making them difficult to identify.
  3. Social Engineering: Cybercriminals exploit social dynamics by crafting messages that appeal to emotions or urgency. For example, they may pose as a friend in distress or a company offering a limited-time promotion.
  4. Direct Messaging: Phishing attempts can occur through direct messages on social media platforms. Attackers may send unsolicited messages that prompt users to click on links or provide sensitive information.
  5. Fake Contests and Giveaways: Scammers often create fake contests or giveaways that require users to provide personal information to enter. These schemes can lure users into sharing sensitive data.

Implications for Users and Organizations

The use of social media for phishing poses significant risks, including:

  • Data Breaches: Successful phishing attacks can lead to unauthorized access to personal and organizational data, resulting in data breaches and financial losses.

  • Reputation Damage: Organizations that fall victim to phishing attacks may suffer reputational harm, leading to a loss of customer trust and loyalty.

  • Increased Security Costs: Organizations may need to invest in enhanced security measures and employee training to combat phishing threats, incurring additional costs.

As social media continues to grow in popularity, so too does the risk of phishing attacks. Users and organizations must remain vigilant and educate themselves about the tactics employed by cybercriminals. By fostering a culture of awareness and implementing robust security practices, individuals can protect themselves from the dangers of social media phishing.

HTTPS Doesn’t Mean “Totally Safe”

Here’s something that surprises many of our clients: that little padlock icon doesn’t guarantee a safe site. The Scarlet Widow group proved this by creating convincing HTTPS-enabled fake sites. Remember: HTTPS only means your connection is encrypted – not that the site is legitimate.

Limitations of HTTPS

  • Not a Complete Security Solution

HTTPS only secures the data in transit. It does not protect against vulnerabilities on the server side or in the application itself. If a website has poor security practices, such as outdated software or weak passwords, HTTPS cannot prevent data breaches.

  • Phishing Attacks

Cybercriminals can create fraudulent websites that use HTTPS to appear legitimate. Users may mistakenly trust these sites, believing that the presence of HTTPS means they are safe. This can lead to phishing attacks where sensitive information is stolen.

  • Malware and Exploits

HTTPS does not protect users from malware or exploits that can occur after they have accessed a secure site. If a user downloads malicious software from a secure site, their device can still be compromised.

  • Certificate Authorities

HTTPS relies on Certificate Authorities (CAs) to issue SSL certificates. If a CA is compromised or issues a certificate to a malicious actor, HTTPS can be rendered ineffective. Users may not be aware that they are communicating with an untrustworthy site.

  • User Behavior

Even with HTTPS, user behavior plays a significant role in security. For example, if users reuse passwords across multiple sites or fail to recognize suspicious links, they can still fall victim to attacks.

While HTTPS is an essential aspect of online security, it is not a foolproof solution. Users must remain vigilant and adopt a multi-layered approach to security that includes strong passwords, regular software updates, and awareness of phishing tactics. Understanding the limitations of HTTPS is crucial for navigating the digital landscape safely.

Phishing Protection Toolkit

Here is what we recommend:

  • Trust But Verify: Urgent request from your CEO? Pick up the phone and confirm.
  • Check Those Details: Look closely at sender addresses – “paypal.secure.com” isn’t the same as “paypal.com”.
  • Guard Those Links: Hover before you click. Better yet, manually type known URLs.
  • Enable MFA: Yes, it takes an extra few seconds. No, that’s not too much time to protect your accounts.
  • Stay Updated: Both your software and your knowledge need regular updates.
  • Train Your Team: Security awareness isn’t a one-time thing – it’s an ongoing process.
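One way to make the sender-address check concrete, and to show why the padlock discussed in the HTTPS section above does not settle legitimacy (a certificate for paypal.secure.com is perfectly valid; it simply belongs to whoever registered secure.com), is to compare the registrable domain of the From address against an allowlist. The following is an added example, not code from the original post; the allowlist, the short suffix list and the sample headers are constructed for the demonstration.

```python
"""Classify an e-mail From: header by the registrable domain of its address.

Added example, not from the original post. TRUSTED_DOMAINS and
MULTI_LABEL_SUFFIXES are constructed stand-ins: a real deployment would
load the full Public Suffix List (for example via the tldextract package).
"""
from email.utils import parseaddr

# Constructed allowlist of registrable domains the organisation trusts.
TRUSTED_DOMAINS = {"paypal.com", "example-bank.co.uk"}

# Tiny stand-in for the Public Suffix List (assumption for this demo).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname someone had to register to control it.

    secure.paypal.com   -> paypal.com   (subdomain of the real brand)
    paypal.secure.com   -> secure.com   (brand name is only a subdomain label)
    paypal.com.evil.net -> evil.net
    """
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return ".".join(labels)
    return ".".join(labels[-(suffix_len + 1):])


def sender_domain(from_header: str) -> str:
    """Extract the host after the @ of a From: header, ignoring the display name.

    A display name of "PayPal" proves nothing; only the address counts.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header."""
    host = sender_domain(from_header)
    if not host:
        return "unknown"
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # The brand's name appears in the host, but the registrable domain is
    # someone else's: the "paypal.secure.com" trick from the toolkit above.
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if any(brand in label for label in labels):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, as a mail filter would see them.
    for header in (
        "PayPal <service@paypal.com>",
        '"PayPal" <service@paypal.secure.com>',
        "Alerts <it@paypal.com.evil.net>",
        "Alice <alice@unrelated.org>",
    ):
        print(f"{classify_sender(header):9s} {header}")
```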

Conclusion

Remember: if something feels off, it probably is. Take the extra minute to verify before you click, share, or respond. That minute could save your business from becoming another phishing statistic.

Protecting Your Business: Cybersecurity Essentials You Can’t Ignore

At Connect4 Consulting, we’ve seen too many small businesses learn about cybersecurity the hard way. Let’s be clear: cyberattacks aren’t just a big business problem anymore. Small businesses are increasingly becoming targets, often because attackers see them as easier marks. But here’s the good news: you can significantly reduce your risk with some fundamental security measures.

Know Your Enemy: Common Cybersecurity Threats


First, let’s talk about what you’re up against. These are the threats we most commonly see targeting small businesses:

  1. Phishing Attacks: Those deceptive emails and text messages that look legitimate but aim to steal your information. We’ve seen sophisticated attacks that could fool even tech-savvy users.
  2. Malware: Think of it as a digital virus that can infect your entire system. One wrong click can compromise your whole network.
  3. Ransomware: This is particularly nasty – it locks up your data and demands payment. We’ve helped businesses recover from ransomware attacks, and trust us, prevention is much better than cure.
  4. Data Breaches: Your customer data is gold to cybercriminals. Once it’s stolen, the damage to your reputation can be irreparable.
  5. Insider Threats: Sometimes the risk comes from within – whether intentional or accidental.

Your Security Foundation: Essential Steps

Let’s get practical. Here are the fundamental security measures we recommend to all our clients:

Strong Passwords and Multi-Factor Authentication: Your First Line of Defense

Make complex passwords mandatory and enable multi-factor authentication everywhere you can. Yes, it takes an extra few seconds to log in, but those seconds could save your business.

Update Everything

Think of software updates like maintenance for your car – skip them at your peril. Set up automatic updates wherever possible, and make regular updates part of your routine.

Antivirus: Your Digital Security Guard

Install reputable antivirus software on every device and keep it updated. This isn’t optional anymore – it’s as essential as having locks on your doors.

Network Security

Your network needs a good firewall and encrypted Wi-Fi. If you’re still using the default password on your router, change it right now. We mean it – right now.

Your Backup Strategy is Your Safety Net

Follow the 3-2-1 rule: keep 3 copies of your data, on 2 different types of media, with 1 copy stored offsite. Test your backups regularly – a backup you can’t restore is just a false sense of security.

Your Secret Weapon: Employee Training

Here’s something we’ve learned from years of experience: your employees can be either your biggest security weakness or your strongest defense. Regular training is crucial. Focus on:

  • Spotting phishing attempts (they’re getting cleverer by the day)
  • Safe browsing habits
  • Proper data handling
  • Password best practices
  • How to report security concerns

When Things Go Wrong: Recovery Planning

Even with the best precautions, you need a plan for worst-case scenarios. Develop and regularly test:

  • A detailed disaster recovery plan
  • Clear steps for breach response
  • Communication protocols
  • Backup restoration procedures

Moving Forward

Cybersecurity isn’t a one-and-done task – it’s an ongoing process. Start with the basics we’ve outlined here, then build on that foundation. Remember: the cost of preventing a cyber attack is always less than recovering from one.

Take action today. Review your current security measures against this list. Where are the gaps? What needs immediate attention? Your business’s future could depend on the steps you take right now.


Looking to strengthen your cybersecurity? These guidelines will help get you started. Keep checking back for more insights on protecting your business.

Ten ways to protect yourself online

Any time you are online you are vulnerable to hackers. Whether you are a sole proprietor or a massive corporation like Sony, your chances of being hacked, scammed, or infiltrated in some way, are unfortunately about the same. Hackers can steal your credit card numbers, tax records and passwords, erase your hard drive, disable your entire computer, and even use your built-in webcam or microphone to spy on you. The most complete way to protect yourself online would be to get offline and disconnect yourself immediately, but that solution is no longer an option for any of us.

To protect yourself online, you should take these 10 steps very seriously:

1. Fortify your passwords

Don’t reuse your passwords. If an attacker gets your password she might try it on all of your accounts. This means that a given password is really only as secure as the least secure service where it’s used. Use a single master password or passphrase along with a password manager like LastPass. Choose strong passwords – short passwords of any kind, even totally random ones like nQ\m=8*x or !s7e&nUY are not strong enough today.

2. Use a password manager

Check out LastPass. This is what I use. There’s a free version that syncs between devices but doesn’t allow you to sync with your mobile phone. The premium version costs just $12/year!

3. Secure your security questions

Beware of security questions. Honest answers to many security questions are often publicly discoverable facts. If you do use factual information in the security questions, make them more secure by adding numbers and other characters. Your cat Fluffy can be F1uff7 instead.

4. All HTTPS all the time

HTTPS will encrypt any stream of data between you and the service, ensuring that anyone using Firesheep or a packet sniffer on a (usually public) Wi-Fi network can’t glean your login data. Never work at a coffee shop or other public Wi-Fi without it.

5. Turn on Two-Step Verification

Facebook and Google both offer the option of 2-Step authentication when you log in, meaning you have to enter a secondary PIN which is generated and/or texted to your phone. It’s a complete and utter pain in the ass whenever you’re logged out, but it’s also a pretty safe guarantee that no one will be getting into your account without a heavy-duty targeted attack.

6. Use a secret email address

Publicly available information is the first way a hacker can get their foot in the door. Few things are tossed around more casually than an email address. Don’t give potential hackers a starting point, especially if you use the same login info across multiple sites (which you shouldn’t be doing in the first place!). Instead, create an email address that as few people know about as possible that you use only for account log-ins.

7. Set up login notifications

Facebook will allow you to receive a text message anytime an unrecognized IP address logs in to your account. You may not prevent a hack, but if you act quickly enough, you can remotely log them out and re-secure your account before they get their hands too deep into your business. Gmail is also set by default to alert you if it notices anything particularly strange with your login activity.

8. Put passwords on your devices

This is a no-brainer and should not require explanation. All of your phones, tablets, laptops, and desktops should have a password.

9. Don’t save your credit card information in your browser

Another no-brainer.

10. Keep an offline backup

Just in case your online backup provider is ever hacked, it’s probably a good idea to have your most important documents backed up using a physical hard drive connected to your computer.

11. Don’t link your accounts

Facebook sign-on certainly makes life easy for you, but imagine what happens when someone steals the phone that doesn’t have a password or hacks your password on your computer.

12. Use email wisely

Email is a great way to keep in touch with friends and family, and as a tool to conduct business. Even if you have good security software on your PC, however, your friends and family might not have the same protection. Be careful about what information you submit via email. Never send your credit-card information, Social Security number, or other private information via email.

Conclusion

Those of you who are very perceptive will note that I couldn’t resist and actually gave you 2 extra tips for protecting yourself online. Data shows that a blog post titled “ten ways to protect yourself online” will do better than the same post titled “twelve ways to protect yourself online”. If I had to home in on one or two particularly important ways to protect yourself online, I would pick number 1/2 – fortify your passwords/use a password manager and number 12 – use email wisely as the most important ways to protect yourself online.

Do you all agree with me? Did I miss anything?

If You Aren’t Using a Password Manager, It’s Time To Start Using One Now

Online merchants and secure websites aren’t doing a very good job of keeping your personal information safe. Not a week goes by without news about a major online retailer being hacked. To make matters worse, even those websites that use decent security practices may have been compromised by the recently discovered Heartbleed bug. If the bad guys got your password, you’re in trouble. But if you used that same password at other sites, then you’re really in trouble. The only safe thing to do is to use a different strong password on every site, and the only practical way to do that is with a password manager.

If you aren’t using a password manager, it’s time to start using one now. This is important stuff, and it is easy to put off because setting up a password manager involves a considerable amount of time and planning. If you are starting from scratch, chances are good that you are using your browser’s built-in password management feature. There are a variety of password managers, but we recommend LastPass and will walk you through the process. LastPass will import those passwords, delete them from the browser, and turn off the browser’s password management. LastPass goes for a clean sweep, importing from all major browsers.

Beyond The Master Password

Most password managers support authentication using a master password. Since it’s protecting all of your other passwords, that one password needs to be really strong. But if that’s the only protection for your data, a crook who manages to steal your master password can access all of your data. The best password managers offer two-factor authentication.

LastPass 3.0 Premium can be configured for fingerprint-based authentication. LastPass supports authentication via the Google Authenticator mobile app.

Password Capture and Replay

Most, but not all, password managers integrate with the browser to capture login credentials as you enter them and replay those credentials when you revisit the site. LastPass goes a step beyond, actively detecting and managing password change events and capturing credentials as you sign up for a new service.

Quite a few password managers let you log in to your password storehouse from any browser, so you can look up credentials even when using someone else’s computer. Among these are Norton Identity Safe, RoboForm Everywhere 7, and Keeper 5.0; LastPass and Dashlane also offer this feature. F-Secure, by contrast, doesn’t allow any online access, considering it a potential security risk.

Form Filling and Personal Data

Given that most password managers already have the ability to fill your username and password into a login form, it’s not surprising that many also serve as form fillers for personal data. LastPass will cleverly offer to capture what you’ve entered if it sees that you are filling a form manually.

LastPass can store various types of ID data such as passports and driver’s licenses.

Free Protection

The free edition of LastPass has almost everything found in the premium; support for mobile devices is the big exception. LastPass Premium costs only a dollar a month. That’s not a lot, considering what LastPass is protecting.

Security Checkup

Virtually every password manager will report the strength of your master password. And virtually every product will generate strong, random passwords for you on demand.

LastPass takes this concept a step further by offering a security report listing all of your passwords and rating the strength of each. They also report on duplicates—passwords you’ve used on more than one site. And they make it easy to upgrade all your passwords to improve security.

10 Reasons Your Site Should Be HTTPS

If you have a website that is still HTTP, you should seriously consider upgrading to HTTPS. While it’s true that historically HTTPS websites were limited to e-commerce websites, HTTPS is now the standard. This post will explain what HTTPS is and give you 10 reasons to make sure that you upgrade to HTTPS as soon as possible.

What is HTTPS?

HTTPS is a way to encrypt information that is sent between a browser and a web server. This protects users of your website from man in the middle attacks, where someone steals information that is being sent to a website, like credit card information or logins.

What is an SSL Certificate?

An SSL Certificate is a set of data files that you add to your server to secure an encrypted connection between a browser and your server. When installed, a green padlock will display when users visit your site to indicate that the site is secure.

Are SSL and HTTPS the same thing?

These terms are two sides of the same process of creating an encrypted website. An SSL certificate is the product that is needed and HTTPS is the result of having that certificate on your server. You cannot have one without the other.

If your website isn’t secure yet, it definitely should be. 

Reasons why you should upgrade to HTTPS immediately:

  1. Improved Google Rankings
  2. HTTPS alerts by Google Search Console
  3. Browsers Increasing Alerts for Non-secure Sites
  4. Better Security
  5. Visible Security Signals for Visitors
  6. Increased Conversions
  7. Increase in Average Transaction Value
  8. Boost in Customer Confidence
  9. Required for any type of e-commerce transaction
  10. There Is No Reason Not To Have One

Improved Google Rankings

Google wants to ensure that its customers have the best online user experience. Understandably, Google doesn’t want browsers to search insecure websites. Because of that, Google’s ranking algorithm now favors HTTPS sites. If your website isn’t secure, it could be getting outranked by your competitors that are secure.

HTTPS alerts by Google Search Console

Google has been sending notices to webmasters via the Google Search Console if a login page or any page collecting any password is not secured over HTTPS. Anything in Google Search Console should be considered important in the eyes of Google and their algorithms.

Browsers Increasing Alerts for Non-secure Sites

Since January 2017, Google provides security warnings in Google Chrome for users if there is no valid SSL certificate on a web page. Google marks these sites as non-secure. Other browsers are following Google Chrome’s lead on this.

Better Security

This is an obvious benefit for everyone. HTTPS protects user information from potential hackers. Better security is a better experience for all.

Visible Security Signals for Visitors

Security is one of the biggest concerns visitors have, preventing many of them from shopping or providing their information online. One of the key benefits of having an SSL certificate is the sign that you can display on your website indicating it is secure.

Increased Conversions

This is another relatively straightforward benefit of having a secure website. The more secure your site is, the more people will feel comfortable interacting with the site. Those interactions may be filling out contact forms, registering for events, signing up to be notified about something in the future, becoming a member, or buying something online.

Increase in Average Transaction Value

There is often also an increase in the average transaction value on an e-commerce site once a site is more secure. With online purchases, part of the concern that users have with security has to do with the impact on the amount being paid. The higher the transaction amount, the greater the fear of being scammed.

Boost in Customer Confidence

A secure connection gives website visitors peace of mind that your website can be trusted and their information is safe. This is particularly important in fields where trust is paramount – lawyers, doctors, financial services, insurance, real estate.

Required for Any Type of E-Commerce Transaction

If you sell anything online, you have to have HTTPS. Most credit card processors won’t even let you sell anything online without it. But if you own a website and you sell anything online, and you don’t have HTTPS, make sure you upgrade immediately.

There Is No Reason Not To Have One

The only issues experienced with SSL certificates occur when they expire or when the implementation is incorrect. To that end, keep your subscriptions active and set the primary domain for your website to force the https version. That is, whether you pick www or non-www (your preference), all other versions should 301-redirect to the https version, and any canonical tags should point to it.
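To make that last point concrete, here is an added example (not code from the original post) that computes the single 301 target every http/www variant of a page should redirect to, and lists the four variants as an expected-result checklist for testing a deployed site. The host example.com and the www preference are constructed assumptions.

```python
"""Compute the single 301 target every variant of a page should redirect to.

Added example, not from the original post. CANONICAL_HOST and the www
preference are constructed assumptions for the demonstration.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

CANONICAL_HOST = "example.com"  # constructed; use your own registrable domain
PREFER_WWW = False              # "pick your preference", as the post says


def canonical_url(url: str, canonical_host: str = CANONICAL_HOST,
                  prefer_www: bool = PREFER_WWW) -> str:
    """Return the https canonical form of url, preserving path and query.

    Raises ValueError for hosts that are not www/non-www variants of the
    canonical host, so a sloppy rule cannot silently redirect unrelated
    hostnames onto your site.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    bare = host[4:] if host.startswith("www.") else host
    if bare != canonical_host:
        raise ValueError(f"{host!r} is not a variant of {canonical_host!r}")
    target_host = "www." + canonical_host if prefer_www else canonical_host
    # Fragments never reach the server, so they are dropped from the target.
    return urlunsplit(("https", target_host, parts.path or "/", parts.query, ""))


def redirect_for(url: str, canonical_host: str = CANONICAL_HOST,
                 prefer_www: bool = PREFER_WWW) -> Optional[Tuple[int, str]]:
    """Return (301, location) if url is a non-canonical variant, else None.

    The redirect goes straight to the final https origin in one hop. A
    chain such as http://www -> https://www -> https:// is what you get
    when the www rule and the https rule are written as separate steps.
    """
    parts = urlsplit(url)
    current = urlunsplit((parts.scheme.lower(), (parts.hostname or "").lower(),
                          parts.path or "/", parts.query, ""))
    target = canonical_url(url, canonical_host, prefer_www)
    return None if current == target else (301, target)


def redirect_table(path: str = "/", canonical_host: str = CANONICAL_HOST,
                   prefer_www: bool = PREFER_WWW) -> Dict[str, Optional[Tuple[int, str]]]:
    """Map the four origin variants of a path to the redirect each should get.

    Exactly one entry is None (already canonical); the other three must
    point at that same URL.
    """
    table = {}
    for scheme in ("http", "https"):
        for host in (canonical_host, "www." + canonical_host):
            variant = f"{scheme}://{host}{path}"
            table[variant] = redirect_for(variant, canonical_host, prefer_www)
    return table


if __name__ == "__main__":
    for variant, redirect in redirect_table("/contact").items():
        print(f"{variant:35s} -> {'(canonical)' if redirect is None else redirect}")
```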

How Do You Switch Your Site To HTTPS?

If you’re reading this article and your website is hosted by Connect4 Consulting, contact us and we can easily fix this for you.


A PIN is Better Than A Fingerprint For Protecting Private Data on Your Phone

A PIN is better than a fingerprint for protecting private data on your phone. Most modern smartphones now have fingerprint scanners. They are great for adding an extra level of security to your phone and make it really convenient to log into accounts and pay for purchases. But it turns out that in the United States, they don’t help you maintain your privacy in front of law enforcement.

In October 2014, a Virginia court ruled that suspects can be asked to unlock their phones using their fingerprints. Apparently this wasn’t tested until this February, when a judge in Los Angeles issued a warrant requiring a woman accused of identity theft to unlock her iPhone with her fingerprint.

The key in this case is that had the woman used a PIN instead of her fingerprint to lock her phone, she wouldn’t have had to unlock it for the police. This is because the Fifth Amendment, which protects people from incriminating themselves during legal proceedings, prevents government agencies from forcing people to turn over memorized codes. However, a fingerprint, or any other biometric identifier, can be collected.

There are also several ways to fool fingerprint scanners, including the use of tape, so if someone could obtain your fingerprint, they could make a copy and use it to access your phone.


Cyber Security – Will Our Risk Decrease If We Have Fewer Devices?

This is a good question but I don’t think it’s immediately a cyber security question. There is definitely a correlation between the number of devices you have to manage and potential risk. And it’s possible there’s a cost savings by having a laptop instead of multiple devices as there are fewer computers that need to be serviced. But I think your actual cyber security risk goes up when you give people mobile devices. Laptops can be used in many unsafe places and their versatility might actually increase security problems.

The real answer is the educational one. If people make the right choices, then cyber security risks can be minimized.

Here are the most common weaknesses to address when you create an action plan to strengthen your company’s defenses against hackers:

1) Failure to cover cyber security basics – software and operating system updates

2) Not understanding what generates corporate cyber security risks

3) Lack of a cyber security policy

As part of their cyber security policies, companies should:

  • identify risks related to cyber security
  • establish cyber security governance
  • develop policies, procedures and oversight processes
  • protect company networks and information
  • identify and address risks associated with remote access to client information and funds transfer requests
  • define and handle risks associated with vendors and other third parties
  • be able to detect unauthorized activity.

4) Confusing compliance with cyber security

5) The human factor – the weakest link

6) Bring Your Own Device (BYOD) Policy and the Cloud

7) Funding, talent and resource constraints

Think of this security layer as the immune system of your company that needs funding and talent to ensure that you don’t experience severe losses as a consequence of cyber-attacks. A good approach would be to set reasonable expectations towards this objective and allocate the resources you can afford.

8) No information security training

Employee training and awareness are essential to covering your bases in information security.

A quick look at the most common file types that attackers use to get into your systems and trigger attacks that can lead to data leakage tells you what actionable advice to include in your employees’ cyber security training.

9) Lack of a recovery plan

Being prepared for a security attack means having a thorough plan both to prevent the cyber-attack and to minimize the damage if it takes place.

10) Constantly evolving risks

Polymorphic malware is harmful, destructive or intrusive computer software such as a virus, worm, Trojan or spyware that constantly changes, making it difficult to detect with anti-malware programs. That is why you should take into account that your company might need an extra layer of protection, on top of the antivirus solution.

The first line of defense should be a product that works proactively to identify malware, block access to attacker-controlled servers and stop data leakage, and that also keeps your system protected by patching vulnerabilities (usually in applications that are not up to date, such as Flash or Java).


Ten Tips For Spotting Phishing Emails

Every day millions of phishing emails are sent to unsuspecting victims all over the world. I know because I receive five or six myself in my spam folder every day. While some of these messages are so outlandish it’s obvious they are fraud, others can be a bit more convincing. So how do you tell the difference between legitimate emails and phishing emails? Unfortunately there is no single way, but this post provides ten tips for spotting phishing emails.

#1 URLs contain a misleading domain name

People who launch phishing scams often rely on victims who don’t know much about technology or how the DNS naming structure for domains works. The last part of a domain name is the most telling. For example, the domain name info.gabeseiden.com would be a child domain of gabeseiden.com because gabeseiden.com appears at the end of the full domain name (on the right-hand side). Conversely, gabeseiden.com.maliciousdomain.com would clearly not have originated from gabeseiden.com because the reference to gabeseiden.com is on the left side of the domain name.

This happens all the time, especially when the phishing criminal uses a trusted name like Microsoft or Apple or even the IRS. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.

#2 The message is poorly written with grammar and spelling mistakes

Whenever a company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, and legality. So if a message is filled with poor grammar or spelling mistakes, it probably didn’t come from a major corporation’s legal department.

#3 The message asks for personal information

This is usually a major red flag. No matter how official an email message looks, it’s always a bad sign if the email asks for personal information. Your bank or credit card company already knows your account number and social security number.

#4 The message contains a mismatched URL

One of the first things you should check in a suspicious email message is any embedded URL. Often the URL in a phishing message will appear to be perfectly valid, but if you hover your mouse over it, you will see the actual hyperlinked address (at least in Outlook). If the hyperlinked address is different from the address that is displayed, the message is probably fraudulent or malicious.
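Tips #1 and #4 can both be checked mechanically. The following is an added example, not code from the original post: it parses a constructed HTML email body, applies the right-hand-side domain rule from tip #1, and compares each link’s displayed text with its real target as in tip #4. The trusted-brand list and the sample message are assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real email): one legitimate link and two phishing-style links.
SAMPLE_EMAIL_HTML = """
<p>Sign in: <a href="https://account.microsoft.com/login">https://account.microsoft.com/login</a></p>
<p>Verify now: <a href="http://microsoft.maliciousdomainname.com/verify">https://www.microsoft.com/verify</a></p>
<p><a href="https://login.apple.com.example.net/">Review your Apple ID</a></p>
"""
TRUSTED_DOMAINS = {"microsoft.com", "apple.com", "irs.gov"}  # assumed trusted brands
BRAND_LABELS = {d.split(".")[0] for d in TRUSTED_DOMAINS}    # "microsoft", "apple", ...

def registrable_domain(host):
    # Tip #1: only the right-hand end of the host name identifies its owner.
    # Simplification: last two labels; real code needs a public-suffix list (.co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

class _LinkCollector(HTMLParser):
    # Collects (href, displayed text) for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    # Returns [(href, [reasons])] for each link that trips tip #1 or tip #4.
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons, host = [], (urlparse(href).hostname or "")
        # Tip #1: a trusted brand name sits LEFT of a domain we do not trust.
        if registrable_domain(host) not in TRUSTED_DOMAINS and BRAND_LABELS & set(host.split(".")):
            reasons.append("trusted name used as subdomain of an unknown domain")
        # Tip #4: the displayed text is itself a URL whose domain differs from the target.
        shown = urlparse(text).hostname if text.lower().startswith("http") else None
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append("displayed URL does not match the real link target")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `check_links(SAMPLE_EMAIL_HTML)` leaves the first link alone and flags the other two, the second for both reasons.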

#5 The message looks too good to be true

If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.

#6 You’re asked to send money to cover expenses

You might not get hit up for cash in the initial message. But sooner or later, phishing criminals will ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it’s a scam.

#7 You didn’t initiate the action

If you get an email congratulating you on winning the lottery, but you never bought a ticket, you can bet that it’s a scam. If you didn’t do something to initiate the action, it is probably a scam.

#8 The message makes unrealistic threats

Most phishing scams try to trick people into giving up cash or sensitive information by promising instant money. However, some phishing scams use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it’s probably a scam. Let me give you an example.

I once received an email from what looked like the IRS. Everything looked legitimate except for one thing. The letter said my account had been compromised and that if I did not submit a form (which asked for my social security number) along with two picture IDs, my assets would be seized.

I knew this was a scam because the IRS doesn’t send out emails like this. The IRS sends out its threats via snail mail.

#9 The message appears to be from a government agency

Government agencies in the U.S. don’t normally use email as an initial point of contact.

#10 Something is fishy

If you receive a message that seems suspicious, it’s usually in your best interest to avoid acting on the message. On the off chance that it’s a real message, usually the real person will find another way to contact you.

How to stay ahead of cyber criminals

It’s no secret that cyber attacks are becoming increasingly sophisticated, stealthy, and, as a result, commonplace. We have seen high profile security breaches at Target, JP Morgan, Home Depot, and the US Government. Attackers can infiltrate practically any “secure” environment and maneuver undetected for months at a time while they scope out the best approach (for them) for a cyber attack. So the question for us is – how do we stay ahead of cyber criminals?

This is ultimately a cat and mouse game and it’s clear that the cyber criminals play the cat in this game. As cyber attackers become increasingly aware of cyber security measures, both large and small organizations must be on the defense and continuously learn about potential warning signs. Here are a few helpful tips to help you stay ahead of cyber attacks and reduce the risk of data breaches.

Constant Change

There’s one thing that cyber criminals and the rest of us have in common – none of us like change. We want to keep systems and processes static because it makes life and work easier. Attackers love static systems and processes because it makes it easier for them to study their subjects, learn the ins and outs, and figure out exactly how they can compromise your data. If you want to make it difficult for sophisticated cyber attackers, create a culture that thrives on change.

Monitor for Usage of Irrelevant Information

Cyber criminals do their homework before launching an attack. Sometimes their information is wrong or incomplete. You should monitor for activity that doesn’t make sense for your organization.

A typical example of an irrelevant information scenario is the “former employee” situation. In this case, an attacker targets a specific user from your list of employees, not knowing that the person no longer works for your organization. Because the employee no longer works for you, that employee should not be taking actions within the company’s network and the network shouldn’t be contacting them. Spotting this suspicious activity can help you prevent data breaches.
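The “former employee” check above can be automated against your own logs. This is an added example, not code from the original post: it runs over a few constructed log lines in an assumed “timestamp user action detail result” format, cross-references an assumed HR offboarding record, and reports both activity by the departed account (including failed logins) and mail the network still sends to that person.

```python
import re
from datetime import datetime

# Constructed sample log lines (not real data) in an assumed
# "timestamp user action detail result" format.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z alice  vpn_login  198.51.100.7   success
2024-03-04T08:05:40Z jdoe   vpn_login  203.0.113.42   failure
2024-03-04T08:06:02Z jdoe   vpn_login  203.0.113.42   success
2024-03-04T09:15:23Z bob    smtp_send  to=jdoe@company.example success
2024-03-04T10:00:00Z carol  file_read  198.51.100.9   success
"""

# Assumed HR offboarding record: user -> last working day.
FORMER_EMPLOYEES = {"jdoe": datetime(2024, 1, 31)}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    # Returns a dict for a well-formed line, None for anything else.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, action, detail, result = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "action": action, "detail": detail, "result": result}

def find_irrelevant_activity(log_text, former=FORMER_EMPLOYEES):
    # Flags events tied to people who no longer work here. Even a failed login
    # by the account is reported: nobody legitimate should be trying it.
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        # Case 1: the departed user's account is active on the network after the last day.
        if ev["user"] in former and ev["ts"] > former[ev["user"]]:
            findings.append((ev["ts"], ev["user"], f"{ev['action']} {ev['result']} after last day"))
        # Case 2: the network is still contacting the departed person.
        m = re.match(r"to=([^@]+)@", ev["detail"])
        if m and m.group(1) in former:
            findings.append((ev["ts"], m.group(1), f"{ev['user']} sent mail to departed user"))
    return findings
```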

Avoid Alarm Fatigue

Security appliances are more sensitive than ever to better detect potential threats, but the sharp increase in alerts leaves security teams running ragged.

It is impossible to launch a full-scale investigation every time your security appliances send a notification. Instead, you must monitor your organization for signs of alarm fatigue and resolve them as soon as possible. If you stop monitoring for serious notifications, you are sure to miss the real issues as they come up.

Invest in Cyber Security Education

Did you know that human error is the leading cause of data loss? Cyber security training and education teaches employees the importance of changing passwords and monitoring for suspicious activity to cut down on the number of human errors.

One major part of training employees for better cyber security is preparing them for phishing schemes. In phishing attacks, cyber criminals often send out seemingly legitimate emails, mimicking companies like PayPal or eBay in an attempt to lure readers into clicking a fake link. While the link seems real and the landing page is set up with real logos, the site is built to funnel sensitive data to cyber criminals. The email might mention an issue with the user’s account and lead them to a site that requests PINs, credit card data and more. These can be tough to spot, but there are warning signs to look out for.

All of the security solutions in the world can’t protect your network if your workforce is willingly (but unknowingly) giving cyber criminals access to it. Creating a truly secure workforce requires ongoing education and training.


Apple vs. The FBI – What’s At Stake?

Apple and the FBI spent more than five hours on Monday testifying before Congress over the ongoing San Bernardino terrorist iPhone saga. While there weren’t any conclusions, it was a chance for both sides to lay out their case.

To recap, the FBI wants Apple to help it unlock an encrypted iPhone tied to the San Bernardino case by building a customized version of iOS. Apple, on the other hand, argues that doing so would compromise the security of every iPhone moving forward.

The problem is that allowing the government to unlock a single device has huge implications for the future of privacy. This case is not about the San Bernardino terrorists. I don’t even think the FBI thinks it will gain any new information pertinent to their case. This is all about establishing precedent for future cases.

The Department of Justice is not asking Apple to turn off the phone’s security or bypass the PIN. It wants Apple to make it easier for the FBI to get into the device by guessing the passcode, without destroying the encrypted data on the phone. Specifically, the order signed by US magistrate judge Sheri Pym says Apple “shall assist in enabling the search” of the suspect’s iPhone by creating a special firmware that would only work on that particular device.

The firmware that the judge wants Apple to create would disable the security feature that erases the phone’s contents after 10 unsuccessful login attempts. It would also disable the time limits that grow longer after each failed attempt and allow authorities to connect the phone to a computer to “brute force” the passcode so that officials don’t have to tap it into the phone by hand.
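To make concrete what those two features do, here is an added example (not Apple’s code or anything from the original post) that models a passcode lock with a growing delay after each failed attempt and erasure of the protected data after the tenth failure. The delay schedule, the salt and the iteration count are assumed values for illustration; the post only says the delays grow.

```python
import hashlib
import hmac

# Assumed escalating delay schedule (seconds) indexed by failure count - 1;
# the post says only that the delays grow, so these values are illustrative.
DELAY_SCHEDULE = [0, 0, 0, 0, 60, 300, 900, 3600, 3600]
WIPE_AFTER = 10   # from the post: contents erased after 10 unsuccessful attempts

class PasscodeLock:
    # Models the two defenses the post describes: a growing delay after each
    # failed attempt and erasure of the data after WIPE_AFTER failures.
    def __init__(self, passcode, data):
        self._salt = b"example-salt"          # constructed; real devices use a per-device secret
        self._digest = self._hash(passcode)   # store a slow salted hash, never the passcode
        self._data = data                     # the protected contents
        self.failures = 0
        self.locked_until = 0.0               # simulated clock, in seconds

    def _hash(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 10_000)

    def attempt(self, passcode, now):
        # Returns (status, data); status is 'ok', 'wrong', 'throttled' or 'wiped'.
        if self._data is None:
            return "wiped", None
        if now < self.locked_until:
            return "throttled", None          # the guess is not even evaluated
        if hmac.compare_digest(self._hash(passcode), self._digest):
            self.failures = 0
            return "ok", self._data
        self.failures += 1
        if self.failures >= WIPE_AFTER:
            self._data = None                 # erase the protected contents
            return "wiped", None
        delay = DELAY_SCHEDULE[min(self.failures - 1, len(DELAY_SCHEDULE) - 1)]
        self.locked_until = now + delay
        return "wrong", None
```

The firmware described in the order would amount to removing the `locked_until` check and the `WIPE_AFTER` branch, which is why Apple regards it as a weakening of every device that accepts it.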

Apple isn’t arguing about technical feasibility; it’s concerned with legal precedent. “The implications of the government’s demands are chilling,” Cook says in his letter. “If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data.” The company is afraid that once a backdoor is created, other agencies and governments will come demanding access in the name of global security.

Given what we now know about the government’s technological abilities, I find it hard to believe that the NSA or CIA doesn’t already have the capability to unlock the phone.

A hearing on Apple’s appeal is scheduled for March 22nd. It’s almost certain that the decision will be appealed by the losing side. The case could then go to a district court judge, and if challenged there, to the U.S. Court of Appeals for the Ninth Circuit. Ultimately, as many legal experts have predicted, the case could end up in the Supreme Court.