Banks Enact New Security Solutions to Safeguard ATMs

All across the United States, banks are rolling out ATM improvements that use customers’ mobile devices to boost account security. While these measures will undoubtedly help, they aren’t enough to fix all of the vulnerabilities that ATMs suffer from without some vigilance on the user’s part.

What is Being Done
Wells Fargo launched an initiative that allows their members to access their accounts via automated teller machines, without the use of their ATM cards. By utilizing the bank’s mobile application, an account holder can receive a temporary code that will grant them access to a Wells Fargo ATM when paired with a personal identification number.

While Wells Fargo is the first bank to incorporate app-based access to all 13,000 of their ATMs, other banks aren’t far behind. Chase, Bank of America, and Citigroup have also begun to incorporate similar functions into some of their ATMs.

This isn’t the end of improvements to Wells Fargo’s ATMs, either. Wells Fargo is making the necessary additions to allow members to use near-field communication (NFC). With NFC, bank members won’t even need their card to access the ATM. Instead, their mobile device prompts them to scan their fingerprint and enter their PIN. So far, about 40 percent of the bank’s ATMs are equipped for this functionality.

Why These Advancements Might Help
Advancements like these are sure to boost the user’s account security while they use these machines to handle their finances. Criminals have been getting cleverer in their schemes, and it shows: six times as many ATMs were compromised in 2015 as in 2014.

Scammers now use spy cameras and card skimmers in tandem to collect the information they need to gain access to a bank member’s accounts. These skimmers can be inserted directly into the ATM’s card-reading mechanism, where their presence is almost impossible to detect. The same can be said of the pinhole cameras that criminals use to capture a user’s PIN. These tiny devices are remarkably difficult to spot.

Worse yet, criminals will often damage machines that don’t have their devices inserted, forcing users into their trap. If you see a row of ATMs with only one in working order, it’s best to give that one a pass.

If you think a user is safe as long as they use a chip-based card rather than the magnetic stripe, you’d be mistaken. Much as they capture the information from a card’s magnetic stripe, scammers have a method to do the same with the card’s onboard chip. Known as “shimming,” this approach is rare but will likely only increase in popularity as more transactions are made with the chip. Plus, these chip-based cards still carry a magnetic stripe as well, tempting many to swipe away their security.

A Few Issues That Remain
Unfortunately, there are still factors that make ATMs an effective vehicle for scammers. First of all, many of these new security features were added alongside the ones already present in the ATMs, rather than replacing them. For instance, while Wells Fargo ATMs will permit the use of a temporary PIN, they will still allow account access through the less secure methods as well. Not to mention that, out of a total of 70 million members, there are only 20 million Wells Fargo app users. This means that 50 million bank members aren’t even using the features.

This also assumes that those 20 million app users will actually make use of them. Habits are hard to break, so many account holders will likely continue to carry and swipe their ATM cards, despite having a more secure way to access their accounts.

What Should You Do?
Whether you’re dealing with the accounts for your business or your personal finances, keep security in mind whenever you use an ATM, and take advantage of the improved, more secure processes that are available to you. At the very least, shield your PIN with your other hand as you enter it into the machine.

Is it worth potentially allowing a criminal to access your (or your business’) accounts? Share your thoughts with us in the comments!

Tip of the Week: How to Be Active and Proactive With Your Network Security

Security troubles have many causes, but the only way to protect your business from all of them is to implement a comprehensive enterprise-level security solution. There are two other ways that you can work to protect your business: applying software patches and avoiding social engineering attempts.

Applying Software Patches
It should be clear that software patches are designed to fix security problems and improve the functionality of the software, but some organizations simply don’t have time to implement them manually, or they simply don’t understand the purpose for them. Part of the problem is that sometimes the developers aren’t necessarily clear that patches are available, while other times those within your organization may not even know how to administer them. Regardless of the reason, there are usually problems on a network that will go unattended for extended periods of time.

Most hackers only take advantage of the issues they can detect, and there are countless unpatched vulnerabilities on networks that not even the hackers know about yet. For a hacker, it makes sense to use just one exploit against a vulnerability that many targets share. Therefore, it’s important to make sure that all software you use is updated and patched.

Additionally, your systems shouldn’t be running unused programs. The more software you have, the more ways hackers can take advantage of your organization’s network vulnerabilities. Moreover, you might even be wasting revenue on renewing software licenses that you don’t need, so it’s best to perform a network audit from time to time to get the worthless software off your infrastructure.

Dodging Social Engineering Attempts
Social engineering is broadly categorized as any method that takes advantage of unprepared users or those who are ignorant of solid network security practices. Examples include a phone call or email message claiming that the network has been breached by a foreign entity and that “tech support” needs to remote into the computer and resolve the issue. There are other, more subtle methods as well, such as targeted spear phishing attacks that go after specific users with personal information that convince them that the hacker is someone in authority.

These types of attacks vary in sophistication, but they can range anywhere from an employee receiving a message claiming that they’ve won a prize, to the intruder physically following your employees into the office and stealing sensitive data manually. In instances like these, a little bit of employee training can go a long way. Teach them to look for anything suspicious, and inform them that vigilance is incredibly important in the workplace.

These two security improvements barely scratch the surface of what your organization should be focusing on for network security. If you want to fully protect your business to the best of your ability, give us a call at PHONENUMBER.

Alert: 33.7 Million Records Released to Public Due to Leak of Massive Marketing Database

In recent news, millions of records containing personal information were made available to the public in a sizable data leak, providing potential scammers with plenty of information to utilize in their schemes. These records were all part of a 53 GB database that was available for purchase from Dun & Bradstreet, a business service firm.

The database contained information that could be of great use to hackers and marketers alike, as it outlined corporate data for businesses within the United States, providing professional details and contact information for members at every level of the businesses included.

Dun & Bradstreet released a statement via email in an attempt to remove the firm from any responsibility. According to the firm, there was no evidence of a breach on their systems. The email also pointed out that the leaked data had been sold to “thousands” of other companies, and that the leaked data appeared to be six months old. In essence, Dun & Bradstreet’s position was “not our fault,” and that there was little cause for worry, as the list only contained “generally publicly available business contact data.”

However, not everyone feels that the responsibility for this event can be passed off so easily, especially considering the nature of the data found on the database.

Troy Hunt manages Have I Been Pwned, a data leak alert site that allows a user to reference one of their accounts to determine if their credentials have been compromised. He offered up his own take after reviewing the database for himself. Hunt’s analysis revealed that the organizations with the most records in the database were:

  • The United States Department Of Defense: 101,013
  • The United States Postal Service: 88,153
  • AT&T Inc.: 67,382
  • Wal-Mart Stores, Inc.: 55,421
  • CVS Health Corporation: 40,739
  • The Ohio State University: 38,705
  • Citigroup Inc.: 35,292
  • Wells Fargo Bank, National Association: 34,928
  • Kaiser Foundation Hospitals: 34,805
  • International Business Machines Corporation: 33,412

If this list alarms you, you have the right idea. In his comments, Hunt brought up a few concerns that he had with the contents of the database out in public.

First of all, this list is essentially a guidebook for someone running a phishing campaign. A resourceful scammer could easily use the information contained in this list (including names, titles, and contact information) to create a very convincing and effective campaign. Furthermore, the most common records in the leaked database were those of government officials and employees. Hunt went so far as to mention which personnel records could be found in the database for the Department of Defense: while “Soldier” was the most common, the list also included “Chemical Engineer” and “Intelligence Analyst” entries.

In his response, Hunt asked a very important question: “How would the U.S. military feel about this data – complete with PII [personally identifiable information] and job title – being circulated?” With the very real threat of state-sponsored hacking and other international cyber threats in mind, Hunt brought up the value this list would have to a foreign power that isn’t fond of the U.S.

Finally, Hunt put the chances of this data ever being recovered at a firm “zero” percent.

In short, despite the reassurances from Dun & Bradstreet, this database going public could present some very real dangers to any businesses included in it.

If you’re worried that your business may be vulnerable, there are two things you should do. First, you should see if your data has been exposed by checking Hunt’s site, Have I Been Pwned. Second, you should reach out to us at COMPANYNAME, so we can help keep you secured against threats like this and others. Give us a call at PHONENUMBER.

How Vizio Got Busted for Spying on Its Customers

What have you watched on TV lately? Actually, never mind; if you don’t want to tell us, we can just ask Vizio. Relax, we’re not actually going through with this, but the fact remains that 11 million owners of Vizio televisions had their viewing habits tracked by the manufacturer. Were you one of them?

The Federal Trade Commission issued Vizio a fine totaling $2.2 million for collecting data on users. This data included what the televisions were displaying regardless of the input, whether smart TV apps, DVD players, over-the-air broadcasts, or cable boxes, along with the TVs’ IP addresses. Whatever the TV had on it, Vizio could gather the data and do with it as it pleased. A federal court ordered Vizio to delete any data it collected before March 2016 because its customers were not told of the company’s data sharing practices.

To remedy this, Vizio now makes its data collection practices available through the TV’s settings. As another part of the settlement, Vizio now sends notifications directly to the user’s screen. Jerry Huang, Vizio’s General Counsel, issued a statement regarding the incident: “Instead, as the complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors. Today, the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and Vizio now is leading the way.”

Of course, the question of what Vizio did with all of that data needs to be asked. Perhaps the company used the data to understand how customers were using its hardware, such as how frequently it was used and what kinds of devices were used in conjunction with it. This way, Vizio could use the data to better their products and make them more useful. Of course, that’s an optimistic view.

Another way that Vizio could have used this data is by collecting it to distribute to paying partners for marketing purposes. This type of data collection would be very lucrative for Vizio, a practice that could be difficult to ignore.

Was this collection of data a clear violation of generally accepted ethics? That’s debatable, but the truth of the matter is that Vizio would have had a better time of it if it had given its customers the choice of being involved in these data collection practices. If anything, it should make you consider how you’re using your own Internet-connected devices. You never know if and how they might be spying on you.

What are your thoughts on this development? Let us know in the comments, and be sure to subscribe to our blog.

Tip of the Week: Worried About Identity Theft at Work? Follow These Tips for Peace of Mind

The Bureau of Justice estimated that five percent of the entire U.S. population was victimized by identity thieves, a total of 11.7 million people. While the methods identity thieves use to collect the data they need vary from dumpster diving for carelessly discarded documents to email phishing scams, there is one target that can easily supply them with the data they need: the workplace.

While many businesses must collect a lot of personal data from their clients for billing purposes, their employees are also made vulnerable if some of that data were to be stolen. After all, in order to properly pay an employee for their work, an employer needs a lot of their personally identifiable information on record. As a result, a workplace becomes a high-value target for someone seeking the data necessary to commit fraud in someone else’s name, and it becomes the responsibility of the entire business to safeguard that data, for the sake of its employees and its clients.

To that end, every employee should be educated in the best practices for protecting a company’s trove of sensitive information, and policies need to be implemented and enforced to ensure that these best practices are followed. To get you started with securing your office, make sure these four best practices are followed by everyone associated with your company.

Don’t Leave Workstations Unattended
Computers need to be locked and accessible only with their user’s password. Otherwise, anyone (be it a less-than-trustworthy employee or someone off the street stumbling across an opportunity) could access that workstation and any company documents available to that employee.

Go Paperless
Identity thieves love paper trails. Whether it be copies of sensitive files that make their way to the trash, or even documents that get left lying around the office, the fact of the matter is that having paper copies of sensitive information only increases the risk that this information will get stolen. Going paperless is a way to minimize this risk entirely.

Train Employees to Know What Email Scams Look Like
Scams targeting email inboxes are some of the top ways that identities are compromised. Therefore, in addition to having a good spam blocking solution in place, you’re going to want to make sure that every worker knows what an email scam looks like so they won’t fall for one. You may know how to spot an obvious email scam, like an unsolicited email requesting sensitive information, but how sure are you that your staff knows what a scam looks like as well?

Implement Enterprise-Level Security Solutions
Without proactive solutions in place to protect your company’s sensitive data, it could easily fall into the wrong hands if a hacker breached your network. Every business needs to have security tools in place like antivirus, firewalls, spam-blocking, and content filtering. Thankfully, a solution like a Unified Threat Management tool offers businesses an easy way to get this kind of comprehensive protection in one easy-to-implement package!

Of course, there are many other steps to take to prevent your workplace from becoming an identity thief’s jackpot. COMPANYNAME can help advise you on the other steps your business needs to take in order to keep the identities it deals with properly protected. Call us today at PHONENUMBER for more information on the steps you need to take to prevent identity theft.

The “S” in HTTPS is More Important Than You May Think

It would be an understatement to say that security, particularly encryption, is important while browsing the web. Though it was only recently that encryption became a major pain point for government regulation, encryption has been around for a very long time. The average user can get a taste of online encryption through the average website security certificate.

Hypertext Transfer Protocol, with an S on the end for “security,” is designed to protect a website visitor’s privacy by encrypting the information exchanged between the visitor and the website’s server. Ordinarily, the connection wouldn’t be private, so data could be read while it’s in transit. This is why HTTPS is commonly used on pages that require sensitive credentials, like passwords, usernames, credit card numbers, Social Security numbers, and so on. For example, banking institutions and other accounts that are linked to financial credentials (like any payment pages on websites) need to be using a security certificate to guarantee the user’s security.

One good way of describing online encryption is like a pipe. A normal HTTP connection is like a transparent pipe that you can see through. Hackers can collect data while it’s in transit because the pipe is see-through. Now, imagine the same pipe, only with an opaque hue to it. You can still see the insides, but they’re hidden and jumbled to the point where you can’t get a clear image. This is what it’s like for hackers to see encrypted data; they may have stolen it, but it’s locked down and indecipherable, making it essentially worthless.

The main thing that the average business owner must understand about HTTPS and online encryption is that you need to drill best practices of handling data into your employees as early and as often as possible. Before entering sensitive information into any website, be sure to look for the following abnormalities:

  • A lack of a security certificate: Before you enter any information into a website, make sure that it’s protected by a security certificate. You can verify that a website is secure by clicking on the green padlock icon next to the URL in the address bar. It’s important to keep in mind that, while SSL and TLS might largely seem like the same thing, SSL is an antiquated security protocol that, thanks to vulnerabilities like POODLE (a man-in-the-middle exploit), could be dangerous.
  • Suspicious URLs or domain names: Sometimes hackers will create a site that looks exactly like a banking institution’s website, and use it to steal credentials. They will use sneaky tactics to make you think that what you’re looking at is the real deal, but look for out-of-place letters, numbers, or symbols in the domain before thinking you’re in the clear. Basically, the site that you’re on should be the institution’s official site. If something looks out of the ordinary, contact the organization through the information that you have on file.
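The two checks above, the “S” and the domain, can be automated before a form is submitted. The Python below is an added example, not code from the original post; `examplebank.com` is a placeholder for the institution’s real domain, and the lookalike patterns it flags (digit-for-letter swaps, punycode labels, the real name buried inside another domain, an `@` hiding the true host, and one- or two-character typos) are the “out-of-place letters, numbers, or symbols” the post describes.

```python
from urllib.parse import urlsplit

# Hypothetical institution domain used for the checks (a placeholder, not from the post).
EXPECTED_DOMAIN = "examplebank.com"

# Digit-for-letter swaps that make a lookalike read like the real name at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registered_part(host: str) -> str:
    """Last two labels, e.g. 'login.examplebank.com' -> 'examplebank.com'.
    Adequate for .com-style names; suffixes like co.uk would need a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, expected_domain: str = EXPECTED_DOMAIN) -> list:
    """Return the warnings a user should see before typing credentials into `url`.
    An empty list means the URL is HTTPS and its domain is the expected one."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")

    # 1. The 'S': anything but https sends the form fields in the clear.
    if parts.scheme != "https":
        warnings.append("not HTTPS: credentials would be sent unencrypted")
    if not host:
        warnings.append("no hostname in URL")
        return warnings

    # 2. Out-of-place symbols: '@' hides the real host, xn-- marks a homograph name.
    if "@" in parts.netloc:
        warnings.append("'@' in URL: the real host is the part after the '@'")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (xn--) label: possible homograph domain")

    # 3. The registered domain must be the institution's, not merely contain its name.
    reg = registered_part(host)
    if reg == expected_domain:
        return warnings
    if expected_domain in host:
        warnings.append(f"'{expected_domain}' appears in '{host}' but is not the registered domain")
    elif reg.translate(CONFUSABLES) == expected_domain:
        warnings.append(f"lookalike domain '{reg}': digits stand in for letters")
    elif edit_distance(reg, expected_domain) <= 2:
        warnings.append(f"'{reg}' is within two characters of '{expected_domain}': possible typosquat")
    else:
        warnings.append(f"domain '{reg}' is not '{expected_domain}'")
    return warnings
```

A browser extension or a help-desk triage script can run `check_url` on the address a user is about to submit credentials to; an empty list is the only “in the clear” result.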

For more great tips and tricks on how to stay safe online, be sure to contact COMPANYNAME at PHONENUMBER.

Let the 80/20 Rule Be Your Guide for IT Security

IT security is something that businesses of all shapes, sizes, and varieties have to be concerned about. You’ll be faced with the question of whether you have adequate security practices on a daily basis. For help with understanding why the smallest vulnerabilities often result in the most data loss, look no further than the 80/20 rule.

This rule, often called the Pareto Principle, is defined as such by Investopedia: “[the Pareto Principle] specifies an unequal relationship between inputs and outputs. The principle states that 20 percent of the invested input is responsible for 80 percent of the results obtained. Put another way, 80 percent of consequences stem from 20 percent of the causes.”

In other words, the Pareto Principle is a strategy that attempts to explain how you should delegate your organization’s security resources in order to maximize the security you get. In this case, you are using your assets to protect your network from online threats. However, you might realize that even if you search and search for network vulnerabilities, you won’t find all of them. There are simply too many threats out there to identify. Instead, you use the Pareto Principle to identify where you can do the most good for your organization’s network security.

This principle can also work in reverse; only 20 percent of the vulnerabilities on the Internet lead to 80 percent of the data loss. When you think about it, this makes sense. How often do you hear about major data breaches in which multiple vulnerabilities were exploited? Instead, it’s usually just one major hack that led to many compromised accounts.

Yet, the biggest part of effectively using the 80/20 rule is determining what your priorities should be, and which threats are the most dangerous. After all, if everything is a priority, then nothing can get done. This results in all-around subpar security that leaves large threats unchecked.

A penetration test can help COMPANYNAME find where your organization’s most important security flaws lie. We can locate and resolve your most critical security flaws through a process called Remote Monitoring and Management (RMM), which allows us to connect to your office’s technology solutions and issue the required patches and security updates without an on-site visit. In fact, most situations will only call for remote access, so you can save both time and money with an RMM tool.

In fact, there’s one solution that is capable of protecting the majority of your network without much effort at all. It’s called a Unified Threat Management solution, and it includes all of the major components of network security in one convenient package. With an enterprise-level firewall, antivirus, spam blocker, and content filter, you can know with certainty that one solution covers the majority of the challenges presented by network security.

With COMPANYNAME’s managed IT services, you’re creating many opportunities for enhanced network security, improved network performance, and optimized operations. To learn more about how we make technology work for you, reach out to us at PHONENUMBER.

Tip of the Week: 4 Scams to Look Out for and What You Can Do to Prevent Them

There’s no question that cybersecurity is an important part of managing a business, especially with so much technology in your office. Yet, the real challenge comes from making sure that your employees know and understand best practices, and are willing to adhere to them. Here are some easy ways that you can help your employees understand just how important IT security really is.

Change Passwords Frequently
Password security is a big problem for both the commercial and domestic computer user. Too often you see stories about users having passwords like “password” or “123456.” To help your team avoid this, create a handout that has the following best practices on it:

  • Make your passwords long (at least 16 characters). The longer, the better, as this makes the passwords more difficult to guess.
  • Make your passwords complex. Use a plethora of special characters, numbers, and both upper and lower-case letters.
  • Never use the same password twice. When a hacker steals a password, they may try to use it on other related accounts.

Of course, a password manager makes these tips much easier to accomplish; particularly one that allows you to share passwords across your organization’s network. You can group together users and distribute credentials as they’re needed, synced in real time to their devices. As a bonus, you can use complex passwords without the frustrations of forgetting and remembering them.

Watch Out for Spam
Hackers will often spread spam in the hopes that someone will slip up and offer important credentials or personally-identifiable information via email or phone call. We’ve outlined a couple of common spam situations below, so that you know what to look for:

  • A big congratulations: If you get an email saying that you’ve won the lottery or are a big winner who needs to claim a prize, you can disregard it as spam. In general, if something is urging immediate action, you might want to think twice about what it is.
  • Fake law enforcement threats: Hackers know that people are intimidated by the authorities, so they will create messages claiming to be from the FBI or local law enforcement. They will then declare that you have done something wrong and that there is a fine. Messages like this use fear against you, so be careful not to fall into the trap.
  • Spear phishing tactics: These are tactics in which hackers will target specific users and tailor their attacks to the individual. Details to look for could include customized phone numbers, addresses, and personal information regarding their schedule or workplace. Since the attacks don’t look like generic spam, they can fool users.
  • Whaling schemes: These are top-tier social engineering threats that almost don’t classify as spam due to how dangerous they are. Whaling schemes, or CEO fraud, are when a hacker impersonates the business owner in an attempt to get financial departments to wire funds to offshore bank accounts. Look for inconsistencies in email addresses, or simply ask the person who supposedly sent the message whether the request is real.

Many of the above email threats can be mitigated with an enterprise-level spam blocking solution. Spam blocking keeps suspicious messages from hitting your inbox in the first place, which increases the chances that your employees won’t see them at all. However, there are still some that might manage to squeeze past filters. Therefore, the only real way to prevent these problems is by taking proactive security measures.

To learn more about cybersecurity, reach out to COMPANYNAME at PHONENUMBER.

This Hacker Messed With the Wrong Transportation Agency

While San Francisco residents might not be happy that they’ll again have to pay fares to ride the city’s rail system, the reason they again have to do so is understandable. Plus, it provides an excellent example of the importance of maintaining a backup and using complex passwords.

A hacker or group of hackers, operating under the moniker Andy Saolis, managed to halt the collection of fares by the San Francisco Municipal Transportation Agency (or Muni) by hacking their station computer system and introducing a strain of ransomware into it. As a result, Muni employees were unable to access their workstations and some of the agency’s systems were disabled.

However, the hacker claimed to have accomplished more, as ticketing kiosks across the city would only display “you hacked. ALL data encrypted.” The ransom demand for the decryption key was approximately $73,000 in Bitcoin. Despite the hacker’s apparent confidence in their accomplishment, Muni elected to not pay the ransom, deciding instead to restore their systems from a backup and allowing cybersecurity experts to strike back against the hacker, not just once, but twice.

Two independent vigilante hackers managed to access the email account of “Andy Saolis” to collect information that helped to stop the attack, both by correctly guessing the answer to the account’s security question. It would seem that the hacker(s) known as Andy Saolis had been active for a while, but had never before targeted anything other than private companies, which very well may have led to their downfall.

Once the attack was thwarted it came to light that seemingly no data, including that from Muni’s customer payment systems, had been accessed, despite the attack affecting 25 percent of Muni’s network. Saolis, unsurprisingly, gave a considerably different account online.

Claiming to have stolen data from the payment kiosks, as well as 30 gigabytes of data from Muni’s system on their employees, customers, and technical matters, Saolis wasn’t shy about casting himself (or themselves) in the light of the vigilante against an unjust system.

According to an email sent through Russian service Yandex.com, “They give Your Money and everyday Rich more! But they don’t Pay for IT Security and using very old system’s !”

Shortly after the attack ended, security experts were also able to establish that the emailer was based in Iran, and had gained access to the hacker’s servers.

Though Muni never had to pay a ransom for their data, this attack wasn’t cheap, costing them the combined total of the free rides they granted to commuters as their systems were compromised. However, this total would certainly be less than the actual cost of the Bitcoin ransom, and so a good general rule to follow is to never give in to a hacker’s possibly insincere demands.

On the topic of the hacker, whose password was guessed by two separate strangers, how weak must this password have been? While nobody should ever complain about a hacker being foiled, it goes to show how a complete stranger could find their way into your accounts if you aren’t being careful.

This case is far from over, as the Federal Bureau of Investigation and the U.S. Department of Homeland Security are still investigating the matter, which is a reminder that public systems still cannot be fully trusted.

There is a lot for SMBs to learn from this story. How confident are you in your IT security? If you feel it’s time for a security audit in order to determine how protected your business is from all kinds of threats, reach out to COMPANYNAME at PHONENUMBER.


How 2 Keystrokes Can Bypass the Security of Windows

Usually, when a troubleshooting feature is put in place, it is meant to assist the user in resolving an issue. However, one such feature in Windows 10 could ultimately lead to more problems, as it can also serve as a free-ride vulnerability for an opportunist bystander.

Security expert Sami Laiho discovered that if someone keys in Shift + F10 during a ‘Feature Update’ in Windows 10, they are able to access a Command Prompt window with Admin privileges. Compounded with the fact that Microsoft updates disable BitLocker while they are in progress, this means that someone could feasibly access the hard disk without the aid of any external device.

If that someone happened to be ill-intentioned, they could potentially wreak havoc through the command-line interface. Admittedly, the perpetrator would have to move quickly, but if they had come in with a plan and the foreknowledge of a Feature Update being implemented, they would have plenty of time to do what they had come to do.

Laiho reached out to Microsoft, and the company is now working to resolve this issue.

The current fix? Don’t leave an updating workstation unattended, despite the long periods of time updates can sometimes take.

Once Microsoft releases a patch, businesses and organizations will want to apply it. Keep in mind, any COMPANYNAME clients on our managed services will have the update applied once it is tested. Give us a call at PHONENUMBER to learn more.