Browsers leak sensitive info to hackers

January 28th, 2017

2017January27_Security_AThe Autofill feature fills a void in the web browsing habits of many. It eliminates the need to enter all your details when logging on your social media accounts or when checking out your basket after e-shopping. On Chrome and Safari browsers, however, danger lurks when you rely too much on autofill. Without knowing it, you may be exposing personal information to hackers who have found a way to steal your credit card info and shop at your expense.

How do they do it?

By concealing other fields in a sign-up form, users are tricked into thinking they only have to fill out a few fields. The trickery at work is that upon auto-sign up, other fields, which could include your billing address, phone number, credit card number, cvv (the 3-digit code used to validate credit card transactions), and other sensitive information, are auto-filled with the user none the wiser.

This sinister trick is nothing new, but since there hasn’t been any countermeasure since it was first discovered, the threat it poses is worth emphasizing. Finnish whitehat hacker Viljami Kuosmanen recently brought to light how users of Chrome and Safari are particularly vulnerable, and he even came up with a demonstration of how this phishing technique is perpetrated. The technique is so sneaky, it’s enough to make one give up online shopping forever.

Using plugins and programs such as password managers is also fraught with the security risk, as having access to such a utility empowers cyberthieves to do more than just obtain your credit card info; it opens them up to a great amount of personal details.

Preventing an autofill-related theft

So what can you do to avoid falling prey?

Using Mozilla Firefox is one of the easiest available solutions. As of today, Mozilla hasn’t devised a mechanism that affords its users the same convenience that Chrome and Safari users enjoy with autofill. When filling web forms on Firefox, users still have to manually pre-fill each data field due to a lack of a multi-box autofill functionality – a blessing in disguise, given the potential for victimization in autofill-enabled browsers.

Another quick fix is disabling the autofill feature on your Chrome, Safari and Opera (for Apple mobile devices) browsers. This would mean that when filling out web forms, you'd have to manually type responses for every field again, but at least you'd be more secure.

It’s not exactly the most sophisticated form of online data and identity theft, but complacency can result in being victimized by cyber swindlers. Take the first step in ensuring your systems’ safety by getting in touch with our security experts today.

Published with permission from Why SMBs should use Google Posts. Source.

Topic Security
January 13th, 2017

2017january12_security_aCyber security is something you hear about a lot these days. Sometimes it’s thrown around to scare business owners, other times it has proven to be a cautionary tale, one that small businesses can learn from to fend themselves from online threats that can leave devastating impact. What’s certain is statistics don’t lie, and as much as you’d like to believe your business is safe, the worst could happen at any time. Because antivirus software alone can only do so much to protect your business, managed services has become the solution. To make our case, here are several statistics that prove you need managed services from a technology provider.

The numbers

Small businesses are not at risk of being attacked, but worse, they’ve already fallen victim to cyber threats. According to Small Business Trends, 55 percent of survey respondents say their companies have experienced cyber attack sometime between 2015 and 2016. Not only that, 50 percent reported they have experienced data breaches with customer and employee information during that time, too. The aftermath of these incidents? These companies spent an average of $879,582 to fix the damages done to their IT assets and recover their data. To make matters worse, disruption to their daily operations cost an average of $955,429.

The attacks

So what types of attack did these businesses experience? The order from most to least common are as follows: Web-based attacks, phishing, general malware, SQL injection, stolen devices, denial of services, advanced malware, malicious insider, cross-site scripting, ransomware and others.

Why managed services?

Managed services is the most effective prevention and protection from these malicious threats. They include a full range of proactive IT support that focuses on advanced security such as around the clock monitoring, data encryption and backup, real-time threat prevention and elimination, network and firewall protection and more.

Not only that, but because managed services are designed to identify weak spots in your IT infrastructure and fix them, you’ll enjoy other benefits including faster network performance, business continuity and disaster recovery as well as minimal downtime. One of the best things about managed services is the fact that you get a dedicated team of IT professionals ready to assist with any technology problems you might have. This is much more effective and budget-friendly than having an in-house personnel handling all your IT issues.

Being proactive when it comes to cyber security is the only way to protect what you’ve worked hard to built. If you’d like to know more about how managed services can benefit your business, just give us a call, we’re sure we can help.

Published with permission from TechAdvisory.org. Source.

Topic Security
December 29th, 2016

2016december28_security_aPopcorn Time is taking ransomware to a new level of devilish trickery by asking victims to give up two of their friends for a chance to rid their own computers of the virus. In cyber security this level of diabolical blackmail represents a new and scary trend for hackers. For more information on how Popcorn Time works and what you can do to keep it off your system, keep reading.

Ransomware is nothing new. Cybersecurity miscreants have been taking advantage of online users for years by requiring payment to "unlock" a victim's computer. What Popcorn Time does differently is give users the option to spread the virus to two other victims in the hopes that they will pay the ransom -- a tactic that promises to double their money at the expense of your sense of morality (and at the expense of your friendships as well).

The Cost of Popcorn

When you inadvertently download this ransomware, you will be met with a screen that explains that your files have been hijacked/encrypted, and that to get them back you will need to pay one Bitcoin for a decryption key that they keep stored remotely. The Bitcoin fee is usually more than $700, a hefty price to pay during any season but particularly difficult for those infected during the holiday season.

Spread the "Holiday Cheer" and Hope they Bite

What makes Popcorn Time unique is the option victims have to take their cost away by allowing the ransomware to affect two of their friends for a chance to get a free decryption code. Of course, it works only if both friends pay the ransom, which leaves you looking (and feeling) like the Grinch.

Avoiding Popcorn Time this Season

The easiest way to avoid downloading ransomware is to stay off of sites that might contain questionable files. However, this is nearly impossible for modern users, and many hackers are getting good at making their files look legitimate. Limit your exposure to potential ransomware by keeping your software up-to-date and your computer protected with a security program from a reputable company (for example Norton or Symantec). If you need to learn more about how to avoid running into ransomware while you're online, give our professional cybersecurity consultants a call. We'll keep you away from the popcorn this season.
Published with permission from TechAdvisory.org. Source.

Topic Security
December 14th, 2016

hackerscybersecurity-170px-01As 2017 rolls in, the threat of more formidable cyber attacks looms large. Hackers and the cyber police will spend a lot of time outsmarting each other, while consumers of technology, individuals and businesses alike, anticipate the best security plan that can guarantee they sleep soundly at night. When it comes to defending against cyber-attacks, forewarned is forearmed. Here are some of the threats we predict in the coming year.

Increased threats on cloud technology

Cloud service has numerous benefits to businesses. They make data storage, collaboration, and processing more efficient; they enable employees to work faster; and they help operations flow smoother. Cloud technology’s popularity is expected to rise well into the next few years, but as demand increases, so does the dangers presented by cyber attackers.

Ransomware will be more complex

Ransomware incapacitates computer systems by locking down files and preventing access for ransom. In its 2016 Threat Predictions report, security software company McAfee predicts a peak in ransomware attacks next year. Although they also predict it to recede by mid-year, damages to vulnerable cloud-dependent infrastructures can be great and costly. Most alarming in the prediction, however, is that in the coming year ransomware attacks will be more complex due to new elements.

Ransomworms, which use advanced victimization techniques to mine further data within an already compromised network, are expected to put an even crueler spin to an already formidable malware. Doxing, on the other hand, affects avenues such as social media and any place where sensitive, easily identifiable information can be extracted to serve the ultimate purpose of extorting money. Yet another wicked ransomware to watch out for is Backup Deletion, which destroys the very mechanism that can otherwise help you recover from a compromised system or files: your backup data.

More threats to IoT (Internet of Things)-enabled devices

It is also predicted that 2017 will see attacks made on IoT-powered devices, which will make life harder for those who depend on technology that makes life easier. It targets medical devices and Electronic Medical Records, “connected cars”, basic domestic tools, and tech-driven wearables, such as smartwatches and fitness trackers. The danger posed by this intrusion is fully capable of corrupting information stored in your devices.

Advanced cyber espionage

Cyber espionage is by no means a novelty. In 2017, it’s expected to hold sway in cyber-threat prevention measures as it becomes even more complex. It encompasses all sectors of society, including individuals, private organizations, government institutions, and entire countries. Perpetrators will have the means to bypass networks by attacking firewalls and wreak havoc in their victims’ network. Fret not, for there will be measures in place to detect this threat also in the coming year.

Hackers are one of the most cunning criminals to have ever existed. While the cyber-police and the defenses they put up are no slouches, threats to security systems can still make technology-dependent individuals and businesses quiver. Although damaged networks can be repaired, compromised privacy restored, and stolen data returned, the amount of damage that hackers can cause might be irreparable and/or result in a significant dent in your IT infrastructure and budget. The value of a network security system makes itself known when you least expect it, which is why security should be a top priority.

Are your systems protected from these predicted remarkable feats of hacking? Call us if you want to discuss security services that are best for you.

Published with permission from TechAdvisory.org. Source.

Topic Security
November 26th, 2016

2016november25_security_aIf you’ve read this blog before, you already know security is paramount to the success of any small business. We cover the ever increasing cases of security violation in big and small businesses, as well as national and international organizations where data, applications, networks, devices and networks have been illegally accessed by unauthorized people. But today we want to look at simple preventative measures to ensure these risks never befall your organization.

Limitation of lateral data transfers

Employees not being educated on data sharing and security is one of the biggest reasons for internal data breaches. It’s a good idea to limit access to important data and information by restricting access privileges to only a small number of individuals. Also, you can decide to use network segmentation to cut unnecessary communication from your own network to others.

Keeping your machines and devices updated

Internal breaches might also occur when employees work with unguarded or unprotected machines. They might unknowingly download malware, which normally wouldn’t be a problem if machines were properly managed. Updating your operating systems, antivirus software, business software, and firewalls as often as possible will go a long way toward solidifying your defense systems.

Use monitoring and machine learning to sniff out abnormalities

It’s not all on your employees, however. Network administrators should employ monitoring software to prevent breaches by analyzing what is “normal” behavior and comparing that to what appears to be suspicious behavior. Cyber criminals often hide in networks to exploit them over a long period of time. Even if you miss them the first time, you should monitor suspicious activity so you can recognize impropriety and amend security policies before it goes any further.

Creating strong security passwords and credentials

No matter how often we say it, there’s always room for improvement when it comes to your passwords and login procedures. In addition to text-based credentials, you should require other methods whenever possible. Great for fortifying your network, fingerprints and smart cards, for example, are much harder for cyber criminals to fake. Regardless of which factors are used, they must be frequently updated to prevent breaches, accidental or otherwise.

Security Insurance

In the end, no system is perfect. Zero-day attacks exploit unknown gaps in security, and human error, accidental or otherwise, can never be totally prevented. And for this reason, small businesses need to start embracing cyber insurance policies. These policies help cover the damages that might occur even under a top-of-the-line security infrastructure. Considerations for selecting a policy include legal fees, first and third-party coverage, and coverage for reputation rehabilitation.

The field of cyber security is overwhelming -- even for seasoned IT professionals. But not for us. We spend our days researching and experimenting to craft the best security solutions on the market. If you're interested in one of our cutting-edge cyber-security plans, call us today.

Published with permission from TechAdvisory.org. Source.

Topic Security
November 11th, 2016

2016november10_security_aThe old cold-call scam is still a popular way for fraudsters to dupe people out of their money. But now they're taking their tactics to the computer generation, and it can be surprising just who is falling for the new tech-related fraud. Read on to find out how scam artists are targeting the younger generation -- and succeeding.

Results Conclude Youth is more Gullible

Microsoft recently conducted a survey of 1000 computer users of all ages and from many of the largest countries in the world to find out how many of them had been scammed by phony "technicians" claiming to be employees of Microsoft or other major computer conglomerates. The results were startling when studied demographically. Researchers discovered that seniors, who were traditionally viewed as the major victims of such fraudulent schemes, were not the most likely group to fall for the scam.

Research indicated that although seniors were most likely to buy into a telephone scam, they still did not fall for the act as much as younger age groups. The study found, in fact, that between the ages of 18 and 24, people were 2.5 times more likely to fall for the scam than seniors. Those between the ages of 25 and 34 were three times more likely than seniors to be tricked.

The scam that the Microsoft company recently studied involved the following scenario: Either a person calls claiming to be a technical support technician, or an email or pop-up alerts you that your computer is locked or otherwise compromised. In order to fix the problem, you need to call someone and pay for a program or provide access to your computer so some purported technician can solve the problem "remotely."

If you fall for this scam, you are giving them funds for a false program or access to your computer -- which also allows them access to your personal data and the ability to install malware onto your system. The study revealed that two-thirds of those surveyed (around 660 people) had experienced the scam first-hand. One in five had listened long enough to hear the story, and 1 in 10 actually gave the scammer money.

Why the Younger Demographic Became Easy Victims

While older adults often respond more to phone calls, younger people have learned to ignore phone calls, saving them from being phone victims. However, because younger adults spend the majority of their time online and often remain acutely aware of the status of their computer and online presence, they are more prone to react to a pop-up or email claiming that their computer is in danger. Nearly 60% of the adults aged 18-24 in the study say they were exposed to the scam through pop-up ads or online correspondence.

The takeaway here is simple: Cybersecurity is about more than just firewalls and antivirus software. You need to shore up the human side of your protection protocols. The best way to start is by doing some quick research on social engineering in our previous blogs, but ultimately you’ll need something a little more thorough. Contact us today for more tips and to ask about scheduling a cybersecurity training for your employees.

Published with permission from Why SMBs should use Google Posts. Source.

Topic Security
October 26th, 2016

2016october25_security_aCyber security is becoming more and more important in an increasingly digital age. While many people and businesses know how important their online security is, they may not know what types of online security are best, nor the differences between the most commonly available options. There are two security authentication measures that are quite similar in name and that are often used. These are known as two-factor authentication and two-step authentication. Read on to get to know some of the key differences so you can be sure you understand your cyber security better.

If you are seeking out a way to improve your business's cyber security, both for your business itself as well as for your customers, you are likely looking at your authentication process. Two-step and two-factor authentication are two of the most commonly used options in cyber security. And in current cyber security, many businesses use the terms two-step and two-factor authentication interchangeably.

There are, however, subtle differences between the two. A two-step authentication process requires a single-factor login (such as a memorized password or biometric reading) as well as another of the same type of login that is essentially sent to the user. For example, you may have a memorized password for your first step and then receive a one-time-use code on your cell phone as the second step.

Two-step authentication does function to add an extra step in the authentication process, making it more secure than a single-step authentication (i.e. just the password). However, if a person or business is hacked, it will do only a little to stop hackers from getting a hold of whatever they are looking for.

On the other hand, there is two-factor authentication (sometimes referred to as multi-factor authentication), which is significantly more secure. This type of authentication requires two different types of information to authenticate. For example, it could be a combination of a fingerprint or retinal scan as well as a password or passcode. Because the types of information are different, it would require a hacker a great deal more effort to obtain both forms of authentication.

In essence, every two-factor authentication is a two-step authentication process, but the opposite is not true. With this information in mind, you can be certain that you are using the right type of authentication in your business to keep your business and customer information as secure as possible.

Your network needs the best security technology has to offer. What type of authentication that results in is just one of hundreds of choices that must be made to achieve that end. To take the stress out of securing and protecting your network, call us today for all the help you could ever ask for.

Published with permission from Why SMBs should use Google Posts. Source.

Topic Security
October 8th, 2016

2016october7_security_aSocial engineering is the ability to manipulate people into willfully giving up their confidential information. The data varies, but in terms of cyber security this usually means passwords and bank information. Criminals are using social engineering to gain access to your business and its network by exploiting employees who often don’t have a clue about what is happening. Avoiding it is a matter of training, and we’re here to educate you on the subject.

As more and more of our information moves into the digital realm, criminals are turning to social engineering to trick people into trusting them with their delicate information. People often trust others too easily and make themselves the targets of easy attacks from criminals. These attacks may come in the form of messages, baiting scenarios, fake company responses, and many others.

Most often, messages are sent to users in the form of an email that might contain a link or something to download. Although they may look legitimate, these emails often contain viruses; once the link is opened or you attempt to download it, a virus latches onto your computer, giving its creator free access to your email account and personal information.

Emails such as these can also come with a compelling story about needing help, winning the lottery, or even paying taxes to the government. Under the veil of legitimacy, criminals will ask you to trust them with your account details so they can either reward you or help you avoid fines and punishments. What you actually get is a bad case of identity theft.

In another scenario, criminals will bait their targets with “confidential information regarding their account.” This may come in the form of fake company messages that appear to be responses to your claims, which are followed up by a request for login details. While victims believe they are slamming the door on a crime by providing their information, they’ve actually provided their attackers with the keys.

There are several ways people can avoid becoming victims of social engineering. First, always ensure that you delete all spam from your email, and thoroughly research sources before responding to claims from a company -- even if it seems like the one you normally use.

The same applies for links. Confirm the destination of any link before clicking on it. Sites like bit.ly are often used to shorten long and cumbersome links, but because users have grown accusomted to them they are often used to hide malacious misdirections.

Never give out sensitive information that includes your password, bank information, social security, or any other private details. No respectable financial institution will request this type of information through email or a site other than their own. If you’re unsure, navigate away from the page you’ve been sent to and visit the page you believe to be making the request. If the address doesn’t have the letter ‘s’ after ‘http,’ it’s likely a scam.

Last but not least, check that all your devices are protected by the most recent antivirus software. While the strength of social engineering lies in the fact that it’s people-driven rather than technology-driven, antivirus software can help detect and prevent requests from known cybercriminals.

Cyber security is essential to the success of any modern business. Don’t let yourself become victim to criminals who have mastered the art of social engineering. While we’re proud of our extensive experience as technology professionals, we also have more than enough expertise to keep your business safe from those who are using people-based exploits. Get in touch with us today for all your security concerns.

Published with permission from Why SMBs should use Google Posts. Source.

Topic Security
September 22nd, 2016

2016september21_security_aAs with all technology, trendy phrases come and go with the passing of every IT conference and newly released virus. And when dealing with cybersecurity, keeping up with them all can mean the survival -- or demise -- of a business. If you’re looking for a list of the industry’s most relevant terms, you’ve come to the right place.

Malware

For a long time, the phrase ‘computer virus’ was misappropriated as a term to define every type of attack that intended to harm or hurt your computers and networks. A virus is actually a specific type of attack, or malware. Whereas a virus is designed to replicate itself, any software created for the purpose of destroying or unfairly accessing networks and data should be referred to as a type of malware.

Ransomware

Don’t let all the other words ending in ‘ware’ confuse you; they are all just subcategories of malware. Currently, one of the most popular of these is ‘ransomware,’ which encrypts valuable data until a ransom is paid for its return.

Intrusion Protection System

There are several ways to safeguard your network from malware, but intrusion protection systems (IPSs) are quickly becoming one of the non-negotiables. IPSs sit inside of your company’s firewall and look for suspicious and malicious activity that can be halted before it can deploy an exploit or take advantage of a known vulnerability.

Social Engineering

Not all types of malware rely solely on fancy computer programming. While the exact statistics are quite difficult to pin down, experts agree that the majority of attacks require some form of what is called ‘social engineering’ to be successful. Social engineering is the act of tricking people, rather than computers, into revealing sensitive or guarded information. Complicated software is totally unnecessary if you can just convince potential victims that you’re a security professional who needs their password to secure their account.

Phishing

Despite often relying on face-to-face interactions, social engineering does occasionally employ more technical methods. Phishing is the act of creating an application or website that impersonates a trustworthy, and often well-known business in an attempt to elicit confidential information. Just because you received an email that says it’s from the IRS doesn’t mean it should be taken at face value -- always verify the source of any service requesting your sensitive data.

Anti-virus

Anti-virus software is often misunderstood as a way to comprehensively secure your computers and workstations. These applications are just one piece of the cybersecurity puzzle and can only scan the drives on which they are installed for signs of well known malware variants.

Zero-day attacks

Malware is most dangerous when it has been released but not yet discovered by cybersecurity experts. When a vulnerability is found within a piece of software, vendors will release an update to amend the gap in security. However, if cyber attackers release a piece of malware that has never been seen before, and if that malware exploits one of these holes before the vulnerability is addressed, it is called a zero-day attack.

Patch

When software developers discover a security vulnerability in their programming, they usually release a small file to update and ‘patch’ this gap. Patches are essential to keeping your network secure from the vultures lurking on the internet. By checking for and installing patches as often as possible, you keep your software protected from the latest advances in malware.

Redundant data

When anti-virus software, patches, and intrusion detection fail to keep your information secure, there’s only one thing that will: quarantined off-site storage. Duplicating your data offline and storing it somewhere other than your business’s workspace ensures that if there is a malware infection, you’re equipped with backups.

We aren’t just creating a glossary of cyber security terms; every day, we’re writing a new chapter to the history of this ever-evolving industry. And no matter what you might think, we are available to impart that knowledge on anyone who comes knocking. Get in touch with us today and find out for yourself.

Published with permission from Why SMBs should use Google Posts. Source.

Topic Security
September 3rd, 2016

2016September2_Security_ARemember in 2012 when Dropbox’s data, which contained details of around two-thirds of its customers, were leaked? At the time, Dropbox reported that a collection of users’ email addresses had been stolen, but it wasn’t until recently that the company discovered that passwords had been stolen as well. So what does this mean for Dropbox users?

Despite the unfortunate incident, Dropbox has implemented a thorough threat-monitoring analysis and investigation, and has found no indication that user accounts were improperly accessed. However, this doesn’t mean you’re 100 percent in the clear.

What you need to do

As a precaution, Dropbox has emailed all users believed to have been affected by the security breach, and completed a password-reset for them. This ensures that even if these passwords had been cracked, they couldn’t be used to access Dropbox accounts. However, if you signed up for the platform prior to mid-2012 and haven’t updated your password since, you’ll be prompted to do so the next time you sign in. All you have to do is choose a new password that meets Dropbox’s minimum security requirements, a task assisted by their “strength meter.” The company also recommends using its two-step authentication feature when you reset your password.

Apart from that, if you used your Dropbox password on other sites before mid-2012 — whether for Facebook, YouTube or any other online platform — you should change your password on those services as well. Since most of us reuse passwords, the first thing any hacker does after acquiring stolen passwords is try them on the most popular account-based sites.

Dropbox’s ongoing security practices

Dropbox’s security team is working to improve its monitoring process for compromises, abuses, and suspicious activities. It has also implemented a broad set of controls, including independent security audits and certifications, threat intelligence, and bug bounties for white hat hackers. Bug bounties is a program whereby Dropbox provides monetary rewards, from $216 up to $10,000, to people who report vulnerabilities before malicious hackers can exploit them. Not only that, but the company has also built open-source tools such as zxcvbn, a password strength estimator, and bcrypt, a password hashing function to ensure that a similar breach doesn’t happen again.

To learn more about keeping your online accounts secure, or about how you can protect your business from today’s increasing cyber threats, give us a call and we’ll be happy to help.

Published with permission from TechAdvisory.org. Source.

Topic Security