Categories
Casserly Consulting Blog

Don’t Be Fooled When Scammers Threaten to Spill a Dirty Little Secret


What would you do if a stranger claimed to have compromising webcam footage of you and threatened to share it with your contacts? A new, very convincing email scam is making some users very nervous.

The Sextortion Scam
It’s as screwed up as it sounds. A scammer emails you claiming to have your password and, with it, the run of your computer. To prove it they quote one of your passwords, which in practice comes from the credential dumps of online services breached and leaked over the years; those lists circulate on the dark web and cost next to nothing. The scammer then claims to have been watching what you do on your computer and recording your webcam, and to have caught you at a very inopportune time… Well, let’s let the email explain it for us.

“You don’t know me and you’re thinking why you received this email, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).”

The email then gives a Bitcoin address to which the ransom is to be sent.

The email continues:

“Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately [sic]. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.”

This email comes in a few different versions in the wild, but all of them follow the same pattern and end with the same threat… fork over the cash, or everyone will see you in your most private moments.

Is This a Serious Threat?
This is a very real concern for many people, who will be relieved to hear that, no, there is no indication that these threats are for real. The first clue is that the password quoted in the email is usually years old, which places it in some long-forgotten breach rather than on your current machine. The second is the claimed “unique pixel”: a plain-text email carries no such thing, and a mail client set to block remote images defeats one anyway, so the sender has no idea whether you opened the message. The malware, the recording and the stolen contact list are a bluff; the only real thing in the email is the old password.

However, in some ways this is even worse news, because the bluff has made a tidy sum: as of the 31st of July the scam had brought in about $250,000, up from just over $50,000 on the 19th. Clearly it has been plenty effective for the perpetrators, and success like that invites imitators.
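A mail filter can score messages on exactly the tells discussed above. The following is an added example, not code from the original post: a Python triage function that looks for the recurring phrases, extracts Bitcoin addresses and validates legacy addresses with the base58check checksum, since a checksum-valid address is the one part of these emails that has to be genuine. The sample message is constructed for the example; the address in it is the well-known Bitcoin genesis-block address, used only because it is a public, syntactically valid one, and the quoted password is invented.

```python
import hashlib
import re

# Constructed sample, modelled on the email quoted above; not a real message.
SAMPLE = """You don't know me and you're thinking why you received this email, right?
I know your password: pa55word. My malware recorded your webcam while you
visited a porn site. I want $1400 in bitcoin, sent to
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 24 hours. I have a unique pixel in
this email so I know you have read it."""

# Textual tells that recur across the variants of this campaign.
INDICATORS = {
    "claims_webcam_recording": r"\bwebcam\b",
    "quotes_a_password": r"\bpassword\b",
    "deadline_pressure": r"\b\d+\s*hours?\b",
    "tracking_pixel_claim": r"\bpixel\b",
    "ransom_amount": r"\$\s?\d[\d,]*",
    "bitcoin_demand": r"\bbitcoin\b",
}

# Legacy (base58, starts with 1 or 3) and bech32 (bc1...) address shapes.
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr):
    """True if addr decodes to 25 bytes whose last 4 are the double-SHA256
    checksum of the first 21 (version byte + 20-byte hash)."""
    n = 0
    for ch in addr:
        digit = B58.find(ch)
        if digit < 0:
            return False
        n = n * 58 + digit
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # each leading '1' encodes a leading zero byte that the integer dropped
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(body) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(body[:21]).digest()).digest()
    return digest[:4] == body[21:]


def triage(text):
    """Score a message; a checksum-valid payment address weighs more than any phrase."""
    hits = {name: bool(re.search(pat, text, re.I)) for name, pat in INDICATORS.items()}
    addresses = BTC_RE.findall(text)
    valid = [a for a in addresses if a[0] in "13" and base58check_valid(a)]
    score = sum(hits.values()) + (2 if valid else 0)
    return {
        "indicators": hits,
        "btc_addresses": addresses,
        "btc_checksum_valid": valid,
        "score": score,
        "sextortion": score >= 5,
    }
```

The validated address is also the best key for grouping reports: every victim of one campaign is told to pay the same wallet, so a handful of addresses identifies the whole run.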

Keeping Yourself Safe from an Actual Attack
Granted, this attack is a bluff, but a criminal who actually had the access the email claims could carry out exactly this threat. The security lessons from it still apply.

The first thing to remember is that a password is only as good as its secrecy. This scam has made quite a bit of money on a total bluff… a bluff that, paid in increments of $1,400, was worth $250,000 and counting. From this we can infer that plenty of recipients had online activities they wanted to hide and, more critically, that a years-old password still looked current enough to frighten them, which usually means it was still in use somewhere.

That is the real lesson: never reuse a password across services, and replace any password that turns up in a breach. Rotating passwords on a calendar does little on its own (it mostly produces predictable variations of the old one), but a unique password per site means that a leaked database, as happened here, exposes exactly one account, and changing that one password ends the exposure. A password manager makes this practical, and a breach-notification service can tell you when one of your addresses appears in a new dump.

The second thing to remember? If you aren’t actively using your webcam, keep its lens covered.

For more best practices to follow, including those that will improve your business’ security, make sure you keep checking back to this blog – and if you want to take more action, reach out to us at PHONENUMBER.


Using a QR Code to Log In


Passwords are still an indispensable part of security, but it is hard to secure a network through passwords alone, and even a staff that has bought into the idea will not follow a procedure that is painful. It’s critical that you make the secure path the easy one for your employees, and for wireless access that is where scannable QR codes come in.

Why QR Codes?
Handing out access to your business’ wireless network as a QR code can improve security, though not for the reason people usually assume. The code does not hide the password: a Wi-Fi QR code is just a short text string containing the network name and the password in plain text, and any phone (or anyone who photographs the poster) can read it back out. The real benefits are elsewhere. Nobody has to read a 20-character key aloud, write it on a whiteboard or type it into a touchscreen with typos, so you can use a long random key instead of a memorable weak one, and rotating it is as simple as printing a new code. Put the code on a guest SSID that is isolated from your internal network, rotate that key periodically, and you can give visitors access without carelessly handing out the credentials that protect your own systems.

How to Use a QR Code
If you want to use a QR code for network access, you need something that generates the code. Plenty of websites and apps will build one from a network name and password, but think about where that password goes: an online generator sees it, and you are trusting that site’s terms of service and privacy practices with a credential for your network. Prefer an offline tool, a phone’s built-in share-network function or a script you run yourself, and use a web generator only for a throwaway guest key.
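What the generator actually encodes is a one-line text payload in the ZXing `WIFI:` format that phone cameras recognise. The following is an added example, not code from the original post, in plain Python: it builds the payload with the escaping the format requires, and parses one back, which is the simplest demonstration that the password is carried in the clear. The network names and password in the usage are constructed for the example.

```python
# Characters the WIFI: format requires to be backslash-escaped in SSID and password.
_SPECIAL = '\\;,":'


def _escape(value):
    return "".join("\\" + c if c in _SPECIAL else c for c in value)


def wifi_qr_payload(ssid, password=None, auth="WPA", hidden=False):
    """Build the text a phone camera decodes into a 'join this network' prompt.
    auth is WPA (also used for WPA2-Personal), WEP, or nopass for an open network."""
    auth = {"wpa": "WPA", "wep": "WEP", "nopass": "nopass"}.get(auth.lower())
    if auth is None:
        raise ValueError("auth must be WPA, WEP or nopass")
    if auth == "nopass" and password:
        raise ValueError("an open network cannot carry a password")
    if auth != "nopass" and not password:
        raise ValueError("a protected network needs a password")
    parts = [f"T:{auth}", f"S:{_escape(ssid)}"]
    if password:
        parts.append(f"P:{_escape(password)}")
    if hidden:
        parts.append("H:true")
    return "WIFI:" + ";".join(parts) + ";;"


def parse_wifi_qr_payload(payload):
    """Inverse of wifi_qr_payload. Anyone who scans the code gets this dict,
    password included: the code is a convenience, not a secret-keeping device."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    fields, buf, i = [], [], len("WIFI:")
    while i < len(payload):
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):
            buf.append(payload[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if c == ";":
            if not buf:
                break                       # the ';;' terminator
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    result = {}
    for field in fields:
        key, _, value = field.partition(":")
        result[key] = value
    return result


if __name__ == "__main__":
    payload = wifi_qr_payload("Guest Net", 'p;w,d:1"x\\')   # constructed guest key
    print(payload)
    print(parse_wifi_qr_payload(payload))
```

To turn the payload into an image offline, the third-party `qrcode` package does it in one line (`qrcode.make(payload).save("guest-wifi.png")`); nothing leaves your machine.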

Once you have the image, print it or display it where the people who should have access can scan it, and treat it like the password it contains: don’t post it in a window facing the street. Do you have any other security concerns that need addressing? COMPANYNAME wants to help. To learn more, reach out to us at PHONENUMBER.


Encryption Helps Keep your Smartphone Secure


These days everyone has a smartphone, and they can do some pretty incredible things. One place where the average smartphone may seem a little loose is data security. In fact, today’s smartphones ship with storage encryption on by default, so every device has a baseline of protection. What does that mean in practice? We’ll break it down.

“Smartphone encryption” describes the state in which the data on the device is scrambled so that someone without the passcode (or the key it unlocks) can’t read the device’s contents, even by pulling the storage chip and reading it directly. This is extraordinarily helpful for device security and personal privacy, but it protects data at rest only; it does nothing for data in transit, which is what TLS and VPNs are for.

Until you enter the passcode or biometric that unlocks the device after it boots, most of its data and many of its features are inaccessible. Which features still work before that first unlock differs between the mobile platforms.

Apple
The iPhone uses AES-256 for its storage encryption. The key that unlocks your data is not stored on the phone in a form an attacker could copy; instead, the passcode you type is combined with a device-unique key that lives inside the Secure Enclave, a separate processor, to derive the key, and that derivation is deliberately slow and only possible on that chip. The Secure Enclave also handles the biometric data for Touch ID and Face ID, which can unlock the device or authorize Apple Pay. Repeated wrong passcodes trigger escalating delays, and the phone can be set to erase itself after ten failed attempts, so guessing passcodes by hand or by robot gets nowhere.

Android
Android reached the same place more gradually, partly because Google has to accommodate many manufacturers and a wide range of hardware. Encryption was optional for years; devices shipping with Android 6.0 Marshmallow were required to enable full-disk encryption by default (with exceptions for low-end hardware), so a new Android phone running 6.0 or later ships encrypted. Android 7.0 Nougat introduced file-based encryption, which later became mandatory for devices launching with Android 10. Full-disk encryption derives one key from your credential and a hardware-backed keystore, much like the iPhone; file-based encryption splits storage into a device-encrypted area, available as soon as the phone boots so that alarms, incoming calls and accessibility features work before you unlock, and a credential-encrypted area that stays locked until you authenticate. Note the direction: it lets a few chosen features run before unlock; it does not give unauthorized users access to anything.
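The two ideas behind both platforms’ designs, entangling the passcode with a secret that never leaves the chip, and limiting guesses on the chip itself, are easy to see in a model. The following is an added example, not code from the original post or from Apple or Google: a Python sketch in which `SecureElement`, `DEVICE_UID` and `ITERATIONS` are hypothetical stand-ins (the iteration count is kept tiny so the demo runs in a second). It shows that a 4-digit PIN falls in at most 10,000 tries when the derivation can be run off the device, and is stopped after ten when it cannot.

```python
import hashlib
import hmac

# Hypothetical stand-in for the secret a phone's secure element has fused in at
# manufacture and never exposes to software; the real one is random per device.
DEVICE_UID = bytes.fromhex("7f3a" * 16)
# Deliberately low so the demo runs quickly. Real derivations are tuned so that
# one attempt takes on the order of 80 ms on the chip itself.
ITERATIONS = 200


def derive_unlock_key(passcode, device_uid, iterations=ITERATIONS):
    """Entangle the passcode with the device secret: the same passcode on a
    different device (or with no device at all) yields a different, useless key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, iterations)


class SecureElement:
    """Models the chip: holds the UID, runs the derivation and enforces an attempt
    limit. The flash stores only a verifier of the key, never the key itself."""

    def __init__(self, passcode, device_uid=DEVICE_UID, max_attempts=10):
        self._uid = device_uid
        self.stored_verifier = hashlib.sha256(derive_unlock_key(passcode, device_uid)).digest()
        self.failed = 0
        self.max_attempts = max_attempts
        self.erased = False

    def unlock(self, passcode):
        """Return the data key on success, None on failure; erase after max_attempts."""
        if self.erased:
            raise RuntimeError("device erased")
        key = derive_unlock_key(passcode, self._uid)
        if hmac.compare_digest(hashlib.sha256(key).digest(), self.stored_verifier):
            self.failed = 0
            return key
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.erased = True          # the "erase after 10 failures" policy
        return None


def guess_pin_through_chip(se):
    """Attacker with the phone in hand, guessing through the normal path."""
    attempts = 0
    for i in range(10_000):
        pin = f"{i:04d}"
        attempts += 1
        if se.unlock(pin) is not None:
            return "unlocked", pin, attempts
        if se.erased:
            return "erased", None, attempts
    return "exhausted", None, attempts


def guess_pin_with_uid(stored_verifier, device_uid):
    """What happens if the device secret leaks, or the key were derived from the
    passcode alone: the search runs off-device at full speed, nothing throttles
    it, and a 4-digit PIN falls within 10,000 tries."""
    for i in range(10_000):
        pin = f"{i:04d}"
        if hashlib.sha256(derive_unlock_key(pin, device_uid)).digest() == stored_verifier:
            return pin
    return None


if __name__ == "__main__":
    phone = SecureElement("4071")                       # constructed PIN
    print(guess_pin_through_chip(SecureElement("4071")))  # ('erased', None, 10)
    print(guess_pin_with_uid(phone.stored_verifier, DEVICE_UID))  # '4071'
```

The second function is the reason a longer passcode still matters: the chip’s throttling protects you only as long as the chip is the sole place the derivation can run.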

In the News
Over time there has been a push for mobile OS developers to build in “backdoors” so that law enforcement can get into a device when it needs to. Apple, Microsoft and Google have fielded their fair share of criticism but strongly defend their position; the technical objection is that a key that opens every phone cannot be kept from also opening them for whoever steals that key. Apple CEO Tim Cook put it this way: “In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks – from restaurants and banks to store and homes. No reasonable person would find that acceptable.”

Encryption is there for your benefit, but it protects you only if a passcode guards the key, so set a strong one. If you would like more information about modern digital cryptography or any other aspect of mobile security, visit our blog.


Preventing Identity Theft Should be a Priority, But Do You Know How to Handle It?


The more people use technology, the more they have to deal with the negative aspects of doing so. One of the most prevalent problems users experience today is cybercrime that leads to identity theft. What can you do to prevent this from happening to you?

How Identity Thieves Work
There are numerous ways a would-be identity thief can get the information they want. Businesses collect a lot of data, so they give thieves both more to steal and, typically, more ways into the network. Many companies say hackers are a top-of-mind threat, but a comprehensive cybersecurity strategy needs everyone in the organization to buy in, and holes are usually left open through a lack of employee diligence or, worse, plain indifference. Since merely publishing rules won’t stop someone hell-bent on getting the information, knowing how to protect your business becomes critical.

One low-tech way thieves get sensitive information is through the trash. You’ve seen it in movies and on television: someone goes through the mail or reassembles shredded documents. Cutting paper out of your processes where you can, and cross-cut shredding (or a locked shredding bin) for what remains, goes a long way toward protecting against the dumpster divers of the world.

Your Responsibilities if Your Clients’ Identities Are Stolen
No matter how diligent you are about data protection, there can be a time when your network is breached and your clients’ sensitive information is stolen. Beyond the breach notifications the law requires where you operate, help your clients with the following:

  • Notify Banks or Creditors – If financial information was stolen, your clients should contact their financial institution promptly and ask what protections it offers. Most banks have been proactive in limiting identity theft and can walk a customer through what to do so that whatever the thieves made off with is of little consequence. Speed matters: under U.S. rules for debit cards, reporting within two business days of discovering the problem caps the customer’s liability at $50, and the cap rises sharply after that.
  • Credit Reports – Any client whose data was potentially stolen should monitor their credit reports. A fraud alert with the credit bureaus makes lenders verify identity before opening new credit, though the client should still check for warning signs regularly. If the reports show identity theft, a credit freeze until everything is resolved may be the right call.
  • Theft Reports – In the U.S., the Federal Trade Commission (FTC) only has the resources to pursue larger-scale fraud, but it collects identity theft reports to spot patterns that point to organized fraud. Reports can be filed through the FTC’s identity theft website, which also generates a recovery plan. Once that is done, a police report helps dot the i’s and cross the t’s; copies go to creditors and the credit reporting agencies so that the client is not on the hook for accounts and charges they never authorized.
  • Lock It Down – Immediately changing passwords (and turning on two-factor authentication) on affected accounts is the quickest way to shut an intruder out. Beyond that, any misuse of a Social Security Number should be reported, and the client should check that no new accounts have been opened in their name.

Identity theft is serious business. COMPANYNAME’s IT experts can do their best to keep unwanted entities out of your network. For more information about cyber security and data theft, call us today at PHONENUMBER.


Tip of the Week: ‘Secure’ Browsing Doesn’t Mean ‘Private’


Internet browsers, by and large, provide enough security for the average user to come out unscathed. People face many more threats than they once did, but modern browsers keep most users secure. Privacy, however, is a whole different matter.

Nearly every browser offers some form of supposedly private browsing. Google Chrome has Incognito mode, Microsoft Edge has “InPrivate” browsing, and Apple’s Safari offers private browsing as well. Each of these does far less than the name suggests, which is why privacy advocates wince at them. For this week’s tip, we will look at what they actually do and at what it takes to stay private online.

Privacy in Browsing
A private window stops the browser from saving your history, cookies and form data to disk on that computer; that is the whole feature. Your ISP is under no such restriction: it sees every DNS lookup and every site you connect to no matter what browser you use. The websites you visit still see your IP address, and if you log in to an account they know exactly who you are, private window or not. Since the path between you and the site is unchanged, your activity is as open to inspection as ever.

On that note, no matter what in-browser private setting you use, your employer, who typically owns the network (and often the device) you are working on, can still see which sites you access, and for business owners worried about productivity lost to web surfing there are web-filtering solutions that control what workers can reach. If you are serious about keeping your browsing private from the network you are on, your best bet is a virtual private network (VPN).

Virtual Private Browsing
A VPN encrypts everything between your device and the VPN server and sends it out from the server’s address, so the local network and your ISP see only an encrypted tunnel, and the sites you visit see the VPN server’s location rather than yours. That buys you privacy from whatever network you happen to be on, whether a hotel, a café or your ISP. Note what it does not do: the VPN provider now sees what your ISP used to, so choose one you trust; sites still recognize you by your logins and cookies; and on a company-managed device, monitoring software sees your activity before it ever reaches the tunnel.

For assistance in implementing a VPN for your business’ browsing needs, reach out to COMPANYNAME at PHONENUMBER.


Do You Use 2FA? If So, You’re in the Minority


Two-factor authentication, also known as 2FA, is a very beneficial addition to consider for your cybersecurity. However, a research study unearthed a few surprising takeaways that indicate that 2FA may not be adopted as much as one might expect it to be.

Researchers at Duo Labs, using data collected by Survey Sampling International, ran a survey weighted to represent the U.S. population and asked about the adoption of 2FA. The results were striking: only 28% of respondents were using 2FA, and over half had never even heard of it before taking the survey.

The researchers also found that, among those who knew about 2FA, 54% had adopted it voluntarily and only 20.8% had been introduced to it at work. Given how many applications and services now prompt users to set up some form of 2FA, that is hardly surprising. Yet even among the voluntary adopters, fewer than half used 2FA everywhere it was offered.

There were a few results that bode better for 2FA. Comparing the authentication options in use in 2010 with those in 2017 shows a shift toward methods that fit how people actually work. For instance, the use of hard tokens (a dedicated physical device that generates or holds a credential) fell by half over that span. The likely reason is convenience rather than security: a token is one more thing to carry, and a lost or stolen one is mostly an availability problem, since on its own it does not get an attacker past the password but it does lock the user out until it is replaced. Codes delivered to, or generated on, the phone people already carry avoid that cost.

The real takeaway from the research is an insight into user behavior: convenience and simplicity weigh heavily when users form an opinion of an authentication method. Even so, hardware security tokens were ranked the most trustworthy form of 2FA by 84% of respondents. Users know these tokens have their issues (including the risk of losing them, as above), but they still trust them to do their job.

Despite all this, the sad truth persists that too few people are utilizing 2FA to secure their personal and business devices. With any luck, this will change in the near future, as network security has been thrust further into the public consciousness due to the repeated breaches and attacks that have made headlines as businesses rely more heavily on computing resources.

Do you have 2FA in place to protect your business resources? For help implementing it and other crucial security measures, reach out to COMPANYNAME at PHONENUMBER.


Would Your Users be Tricked by Social Engineering?


The term social engineering may not seem nearly as intimidating as other cybersecurity terms like ransomware or denial of service. Don’t be deceived! Some of the biggest threats to your company’s data and network security use social engineering to manipulate targets into taking a specific action – like disclosing personal information that can be stolen and exploited.

Often overlooked by the media in favor of major data breach events, there are a few types of social engineering attack that can devastate a business.

  1. Vishing: As users have grown warier of email scams, attackers have gone looking for other avenues. Vishing – a fraudulent voice call that tries to extract personal information or an action such as a wire transfer – had fallen out of favor compared with digital scams, but it is once again a favorite of hackers and thieves, helped along by caller-ID spoofing.
  2. HTTPS: A padlock and ‘https’ mean that the connection is encrypted and that the certificate matches the domain name in the address bar. They never meant that the site is legitimate, and they certainly don’t now: domain-validated certificates are issued free and automatically, so phishing sites routinely carry a valid padlock. Extended validation (EV) certificates require the issuer to verify the organization and are not free; at the time of writing browsers showed the verified company name in a green bar, but browsers have since dropped that indicator, so don’t rely on it either. What the padlock does tell you is that the site is the one the address bar names, so read the address.
  3. Website Copy-Cats: Scammers are very good at building spoof websites that look and feel like the real thing but exist to harvest credentials or push malware. The cautionary example: after the Equifax breach was disclosed in September 2017, Equifax set up a site for affected consumers at equifaxsecurity2017.com. A security researcher registered securityequifax2017.com and built a convincing copy to show how easy phishing would be, and Equifax’s own support staff repeatedly tweeted links to the fake before noticing. A few things to check when deciding whether a website is legitimate:
    1. Make sure the domain is correct, character for character, and look at the registered domain rather than a familiar prefix of a longer name.
    2. Reach sites you log in to from a bookmark or by typing the address, not from a link in an email or a search ad, and avoid giving out information on a site you reached any other way.
    3. Treat “trust seals” as decoration; they are images and copy as easily as anything else.
    4. Beware of misspellings, typos and broken English.
  4. Every Word Password Theft: Password-cracking tools work through wordlists – every word in the dictionary, every leaked password, every name and date – and apply rules that mimic what people do: capitalize the first letter, append a year or a ‘1’, swap ‘a’ for ‘@’. A password built from a real word with those tweaks is cracked in seconds once a password database leaks. The safe choices are a long random string from a password manager or a passphrase of several unrelated words.
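The copy-cat problem in item 3 is one a mail gateway or proxy can check mechanically. The following is an added example, not code from the original post: a Python classifier that reduces a URL to its registered domain, flags a brand name appearing inside a domain the organization does not own (which is exactly how securityequifax2017.com and a `brand.com.evil.example` subdomain trick both work), and uses edit similarity to catch one-character typos. The allowlist, brand list and threshold are assumptions for the example; the lookalike URLs are constructed, apart from the two Equifax domains the text names.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist: the domains the organization actually controls.
LEGITIMATE = {"equifaxsecurity2017.com", "equifax.com"}
# Brand names that should never appear in a domain the organization does not own.
BRAND_TOKENS = ("equifax",)
# Edit-similarity above which a label is treated as a typo of a real one.
SIMILARITY_THRESHOLD = 0.85


def registrable_domain(host):
    """Last two labels of the host. Simplification for the example: a real
    implementation consults the Public Suffix List so that 'example.co.uk'
    and similar are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """Return (verdict, reason): legitimate, lookalike or unrelated."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    if reg in LEGITIMATE:
        return "legitimate", reg
    for brand in BRAND_TOKENS:
        if brand in host:
            # Brand used inside a domain we do not own, either as part of the
            # registered label (securityequifax2017.com) or as a subdomain prefix
            # of someone else's domain (equifaxsecurity2017.com.evil.example).
            return "lookalike", f"brand '{brand}' in unowned domain {reg}"
    label = reg.split(".")[0]
    for good in sorted(LEGITIMATE):
        good_label = good.split(".")[0]
        ratio = SequenceMatcher(None, label, good_label).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            # One or two changed characters (equlfax, equifaxx) land here.
            return "lookalike", f"'{label}' resembles '{good_label}' ({ratio:.2f})"
    return "unrelated", reg


def classify_url(url):
    host = urlsplit(url).hostname
    if not host:
        return "invalid", url
    return classify_host(host)


if __name__ == "__main__":
    for url in (
        "https://www.equifaxsecurity2017.com/",
        "https://securityequifax2017.com/",
        "http://equifaxsecurity2017.com.login-reset.example/verify",   # constructed
        "https://equlfaxsecurity2017.com/",                            # constructed
        "https://example.org/",
    ):
        print(url, "->", classify_url(url))
```

The brand check fires before the similarity check on purpose: a phishing domain usually contains the brand verbatim, and that case should not depend on a tunable threshold.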

When it comes to digital threats, for every exploit or hack that is prevented, a few more advanced ones are developed. The best way to keep your business, and its data, safe is to take proactive measures and practice safe Internet habits at all times – and that goes for your employees, as well! Would you like to learn more about how you can stay ahead of hackers? Call us at COMPANYNAME.


Boosting Your Security Only Takes Another Layer of Authentication


Data breaches are so common nowadays that you’re lucky not to see one in the breaking news of any outlet. How is your business preparing for a breach of its intellectual property and sensitive information? Start considering preventative measures, like two-factor authentication, to keep your data secure.

The main issue two-factor authentication addresses is that a password alone is a weakening defense. Passwords get phished, reused across sites and exposed in other companies’ breaches, and a leaked password database can be cracked offline at enormous speed, so even a complex password can fall under the right conditions. Users also tend to pick easy-to-remember passwords, which bring complications of their own, so we’ll talk about how your organization can use two-factor authentication to solve common password troubles.

It’s a best practice to change a password that may have been exposed, and users scratch their heads at how to remember complex ones. Passwords should be at least 12 characters long and mix upper- and lower-case letters, numbers and symbols, ideally as a random string. Users faced with that rule tend to bend it into something memorable: they reuse a password from another account, or build one from information on their social media, like the name of their dog or first-born child.

Generally speaking, it’s best to keep information that could easily be found in public records out of your password fields. This includes the names of your children, parents, or other important individuals, as well as any information that you store on your social media accounts, like your favorite TV show or movie. Hackers have more tools than ever before to find out all sorts of information about you, so you have to be very careful about how you use this information in passwords. Plus, there’s always the chance that you’ll use this information for security questions, which doesn’t do you any favors when hackers can just find the information at their own leisure.

A password manager solves the memory problem by generating and storing a unique random password for every account, but it concentrates the risk: whoever learns the master password, or gets into an unlocked vault, has everything. Two-factor authentication is what makes that risk tolerable, and it does the same for every other account. It requires a second credential that a hacker who has stolen the password still lacks: a code from an authenticator app, a push prompt to your phone, or a hardware security key. Codes sent by email or SMS also count, but they are the weakest options, since an attacker who controls the mailbox or hijacks the phone number gets both factors. It is an extra layer of security, it takes minutes to set up, and it belongs on email, the password manager and anything that touches money at the very least.
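The six-digit code from an authenticator app is a time-based one-time password (TOTP, RFC 6238): the app and the server share a secret, and each derives the same code from the secret and the current 30-second interval, so the code is useless a minute later and never travels anywhere. The following is an added example, not code from the original post, using only the Python standard library; it includes the server-side check with a drift window and the `otpauth://` enrollment URI that apps read from a QR code. The secret is the RFC 4226/6238 test secret so the outputs match the published vectors; the account and issuer names are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" in base32). Used only so
# the results can be checked against the published test vectors; never reuse it.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_secret(secret_b32):
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then reduce modulo 10**digits and zero-pad."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the number of `step`-second
    intervals since the Unix epoch."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32, candidate, at_time=None, step=30, window=1, digits=6):
    """Server-side check. Accepts the current code and `window` steps either side
    to absorb clock drift, compares in constant time, and does not stop at the
    first match so timing does not reveal which step matched. A real server must
    also remember the last accepted counter and refuse a replay of the same code."""
    t = int(time.time() if at_time is None else at_time)
    counter = t // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret_b32, c, digits), candidate)
    return ok


def provisioning_uri(secret_b32, account, issuer):
    """The otpauth:// URI an authenticator app scans (as a QR code) to enroll."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, at_time=59))            # 287082 (RFC 6238 vector)
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "Example Co"))
```

Two details matter in deployment: the enrollment URI carries the secret in the clear, so it must be shown once over HTTPS and never logged or emailed; and because the code is derived rather than sent, it cannot be intercepted the way an SMS code can, although a phishing page that relays it to the real site within the 30-second window still works, which is why hardware keys remain the stronger option.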

Do you want to take full advantage of two-factor authentication? For more information about personal and network security, call us today at PHONENUMBER.


Google Is Increasing Security For High-Risk Users


Wouldn’t it be great if you could turn on a built-in setting that locked your Google account down against the attacks most likely to compromise it? Following attacks on high-profile users, Google now offers exactly that to people at elevated risk. The Advanced Protection Program trades away some convenience for a hardened account, and while it is aimed at a narrow group, it promises real help with the challenge of protecting sensitive information.

Specifically, the Advanced Protection Program is designed for those most likely to be targeted, including election and campaign officials, journalists, survivors of domestic violence and others who find themselves at risk. The service is marketed as greater security at the cost of some of the convenience of ordinary Google accounts.

The affected services include Gmail, Google Drive and YouTube. Once someone is enrolled, their account is switched to Google’s strongest available protections automatically and stays there as new ones are added. The program arrived in the light of the high-profile attacks on officials during the 2016 United States presidential election; Google took plenty of backlash after John Podesta’s Gmail account was compromised through a phishing email, and this initiative is its attempt to ensure that it does not have to deal with that again.

The core of the program is the security key. Enrolling requires two physical FIDO keys: a USB key for computers and a Bluetooth key for phones. Keys are the strongest form of two-factor authentication because the key only answers to the genuine Google login page, so a phishing site like the one that caught Podesta gets nothing useful even if the victim types in the password.

Advanced Protection also blocks third-party apps, meaning anything not made by Google itself, from accessing your Gmail and Drive data, which closes off the attack in which a user is tricked into granting a malicious app permission to read their mailbox. And it imposes a slower, more demanding account recovery process that is harder for an attacker to fake their way through. It takes away some of the ease of recovery that Google users are used to, but it makes for a more secure account overall.

Would you take advantage of this new service from Google if need be? Let us know in the comments section below.


Tip of the Week: The Holidays Can Be A Time Of Work And Play, Even While Traveling


The holidays are approaching, whether we are ready for them or not. With the holidays comes time off, which makes it awfully easy to fall behind post-vacation. Another concern is the spike in identity theft and credit card fraud around this time of year. We’ll discuss some of the ways your organization can take advantage of technology this holiday season without putting yourself in harm’s way.

Know Your Wi-Fi Options
You can’t be productive without an Internet connection, whether mobile data or Wi-Fi. It is tempting to hunt for an open wireless network rather than spend mobile data, but an open network puts your traffic where anyone else on it can see it. Reviews on sites like Yelp and TripAdvisor will tell you whether a hotel’s Wi-Fi is fast, not whether it is safe, so treat every network you don’t control the same way: tether to your own phone when you can, and run a VPN to protect your data in transit when you can’t.

Bring Along Extra Accessories
You never know when that extra LAN cable or micro-USB cord will come in handy. Furthermore, if you’ve ever done any traveling, you’ll know that buying new equipment from an airport can be more expensive than you’d like.

Carry On Your Devices
If you travel for business, put your devices in your carry-on. The last thing you need is a cracked screen from luggage tumbling around the hold of a plane, and checked bags are lost or stolen far more often than carry-ons. Keep anything important, and anything holding company data, with you.

Be Wary of Free Wi-Fi
Stop your devices from automatically joining any open wireless network they see. Attackers sit on public networks, or stand up a fake hotspot with a plausible name, and collect whatever unencrypted traffic passes by; they can also redirect you to look-alike login pages. That can put your own data and your customers’ at risk, all because you checked your email. Forget networks you no longer need, and turn off auto-join for the rest.

Keep Autofill and Your Password Manager Locked Down
Autofill and a password manager save you from typing the same information over and over, but a device that fills in passwords for whoever is holding it is like leaving the keys to your car on the front seat with the door unlocked. Turn off the browser’s built-in autofill of saved passwords and card numbers while you travel, and make sure your password manager locks itself after a short idle period and requires the master password or a biometric before it fills anything; a locked vault is useless to a thief. Unlocking the vault by hand for a few days beats the fallout of losing an unlocked device.

Use External Drives and USB to Back Up Data
What if you are working on a project out of the office and misplace your device, or it is damaged beyond repair? All of that progress is gone. If the work is backed up, to the company’s cloud storage or to an encrypted external drive, that is a nuisance rather than a disaster. Keep the backup separate from the device (a drive in the same bag is lost with it), and encrypt it, because an external drive full of company data can be lost just as easily as a laptop.

These are just a few practices that can keep your organization from succumbing to the dangers of traveling and working at the same time. If you have any questions, thoughts, or concerns about using technology while out of the office, reach out to us at PHONENUMBER.