
Archive for E-mail

7 Dangerous Subject Lines

Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. But you can avoid such attacks by being patient, checking email addresses, and being cautious of sketchy-sounding subject lines.

2 out of 5 people open emails from unknown senders!

7 dangerous subject lines to watch for

Cybercriminals initiate their attacks through hyperlinks or attachments within emails. Most of these attacks use urgency or take advantage of user trust and curiosity to entice victims to click. Here are examples of subject lines to be cautious of.

Remember me? It’s Tim Timmerson from Sunnytown High! Criminals use social engineering tactics to find out the names of the people close to you. They may also hack a friend or relative’s email account and use their contact lists as ammo. Next, they research and impersonate someone you know, or used to know, through chats and emails. Not quite sure about a message you received? Hover your mouse over the sender address (without clicking) to see who the real sender is.

Online Banking Alert: Your Account will be Deactivated. Imagine the sense of urgency this type of subject line creates. In your panicked rush to find out what’s going on with your account, you might not look too closely at the sender or the URL they want you to visit. At the end of March, a Bank of America email scam just like this was successfully making the rounds. The email looked completely legitimate and explained politely that a routine server upgrade had locked the recipient out of their account. An unsuspecting victim who clicked the link to update their account details would then be handing their login credentials and banking information straight to cybercriminals.

USPS: Failed Package Delivery. Be wary of emails saying you missed a package, especially if they have Microsoft Word documents attached. These attacks use the attachments to execute ransomware payloads through macros. Senior Threat Research Analyst Tyler Moffitt walks us through what it’s like to get hit with a ransomware payload from a USPS phishing email.

United States District Court: Subpoena in a civil case. Another common phishing attack imitates government entities and may try to tell you that you’re being subpoenaed. The details and court date are, of course, in the attachment, which will deliver malware.

CAMPUS SECURITY NOTIFICATION: Phishing attacks have been targeting college students by imitating official university emails. Last month, officials at The University of North Carolina learned of an attack on their students that used a notification email stating there was a security situation. The emails came from a non-uncg.edu address and instructed users to “follow protocols outlined in the hyperlink”. The attacker would then ask victims to reset their password and so collect their sensitive information.

Ready for your beach vacay? Vacation scams offer great deals or even free airfare if you book RIGHT NOW. These scams are usually accompanied by overpriced hotel fees, hidden costs, timeshare pitches that usually don’t pan out, and even the theft of your credit card information. Check the legitimacy of offers by hovering over links to see the full domain, copying and pasting links into a notepad to take a closer look, and researching the organization.

Update your direct deposit to receive your tax refund. The IRS warns of last-minute email phishing scams that exploit everyone’s eagerness for a hard-earned refund and, no doubt, go after their banking credentials.

Read between the lines

  1. Enable an email spam filter
  2. Hover over links before you click
  3. Keep your cybersecurity software up to date
  4. Disable macros to avoid ransomware payloads
  5. Ignore unsolicited emails and attachments
  6. Be on the lookout for the top 5 tax season scams
  7. Educate yourself on social engineering attacks
  8. Check the Federal Trade Commission’s scam alerts

Help us create awareness around scams and phishing attacks with dangerous subject lines. Education to adopt safer online habits should be top priority. So, share this blog with your colleagues.

Rush, Mike. “7 Dangerous Subject Lines.” Webroot, April 2017.


Make Important Email Standout in Outlook

To make sure emails from important contacts stand out and do not go unnoticed, you can set up a rule that makes the email appear in a specific color or a specific size and type of font. For example, you can make emails from your boss appear in a larger font or have emails from family members all appear in red. To set up the way emails are displayed in Outlook 2016, Outlook 2010 and Outlook 2007:

For Outlook 2016:

  • Go to the View tab
  • Select View Settings
  • Choose Conditional Formatting
  • Click Add
  • Name your rule
  • Click on Font and pick a color, style and size, then click OK
  • Click on Condition
  • Type in the email address of the sender or senders you want to highlight. For multiple people, separate the email addresses with a semicolon.

For Outlook 2010:

  • Go to the View tab
  • Select View Settings
  • Choose Conditional Formatting
  • Click Add
  • Name your rule
  • Click on Font and pick a color, style and size, then click OK
  • Click on Condition
  • Type in the email address of the sender or senders you want to highlight. For multiple people, separate the email addresses with a semicolon.

For Outlook 2007:

  • Go to the Tools menu
  • Select Organize, then Using Colors
  • Choose specific colors for emails from specific people
  • More advanced automatic settings for applying font type and size to emails can be added by selecting Automatic Formatting in the top right corner of the Using Colors screen.
  • Click “Add” to create more rules
  • When you’re finished creating your rules, important email will stand out.

Kantra, Suzanne. “Make Important Email Standout in Outlook with Color Coding.” Techlicious, February 2017.


What is Spearphishing? How to Stay Safe Online From this Effective Cybercrime Technique

Spearphishing? All it takes is a single click, but it doesn’t have to be this way.

Hackers, spammers and cybercriminals have a multitude of methods they can use to infiltrate computer systems, steal data, plant malware or compromise your personal information. One of the longest-standing tactics is targeted ‘phishing’, also known as spearphishing.

It has endured because it works: unwitting web users continue to receive malicious messages and still fall victim to their charms. If you are wondering how dangerous they can be, just ask John Podesta, the US political player who lost tens of thousands of emails with a single click.

When a spearphishing email lands in your inbox, it’s rarely a mistake. Using your personal information – either hacked from another source or lifted from a public social media profile – spammers are able to produce slick and highly convincing messages.

They will appear legitimate, but spearphishing emails usually contain malware, spyware or another form of virus – often hidden in a link. When clicked, the payload will usually download automatically onto your computer and go to work – stealing files, locking records or logging your keystrokes.

Using your own personal information against you, hackers can craft an extremely personalized email message. It will likely be addressed to you by name and will reference a specific event in your life, something that will make you believe the sender is real and trustworthy.

What information could they possibly know?

Using social media, the spammer will likely already know your age, where you work, what school you attended, personal interests, what you eat for dinner, what concerts you have been to recently, where you shop, what films you like, what music you listen to, your sexual preference, and more.

This alone is enough. Using that information, a hacker could easily pose as your friend and ask for further details about you – your phone number, your password, even your bank details. Not everyone would fall for the scam, but many still do if they believe the sender is who they claim to be.

A hacker using spearphishing may pose as a retailer, online service or bank to fool you into resetting your credentials via a spoofed landing page. The email may ask you to reset your password or re-verify your credit card number because suspicious activity has supposedly been detected on your account.

If the email tempts you to click an embedded link, it could also download a keylogger or Remote Access Trojan (RAT) onto your computer to steal bank details or social media passwords as you type them. Many people re-use passwords across multiple websites, so the danger of hacking is high.

How to stay protected

Stay protected by being aware of the threats and remaining extremely careful about what personal information you put online. Limit what pictures you post to Facebook or Twitter, check where your email address is listed, and ensure your computer’s security software is kept up to date.

Ensure the passwords you use are original, lengthy and, most importantly, unique to every online website or service. A strong password will contain a mixture of characters, numbers and symbols. If possible, enable two-step authentication on every account that offers it.

Finally, know the signs and stay vigilant. If you receive an email from a close friend that asks for personal information, think twice before replying, and instead ask them to verify their identity. Also, know that any real business or bank is unlikely to request sensitive data via email.

Unfortunately, it only takes one click of a mouse for the hacker to access your system, and despite the advanced spam filters of current email providers, spearphishing emails will continue to slip through the cracks.

Murdock, Jason. “What is Spearphishing? How to Stay Safe Online From This Effective Cybercrime Technique.” IBT, December 2016.


There’s now one less excuse not to use a password manager


LastPass becomes a great free option.

LastPass is making its password manager a much better option for people who don’t want to pay. As of today, it’s opening up to everyone the ability to sync passwords between an unlimited number of devices — something that used to be available only to subscribers.

Free users were previously limited to syncing LastPass to a single app, which is pretty limiting in a world where you very possibly need to access those passwords across multiple PCs, a phone, and a tablet. Now, there are no longer any big restrictions on the free version of LastPass (though it’s still offering a $1 per month subscription with some additional features).

Like other password managers, LastPass can be used to generate strong and unique passwords, keep track of which sites and services they belong to, and then enter them when needed. LastPass stores all passwords in the cloud, making them accessible from anywhere. That makes syncing simple, though it also opens the service up to some security concerns (ones that its competitors face as well).

Still, using LastPass or any other password manager is going to be a significant step forward for most people when it comes to security. We’ve seen a steady stream of hacks this year that have compromised usernames and passwords from major sites. Using a password manager lets you use a different password in every location, minimizing the potential fallout of a password leaking out. Password managers can be a bit of a hassle to use (compared to typing in a single memorized password), but it’s worth the effort.

Kastrenakes, Jacob. “There’s now one less excuse not to use a password manager.” The Verge, 2 Nov. 2016.


3 Simple Rules That’ll Make Your Emails 10X Better

I’ve been a member of the five-sentence club for about a year now. Anyone can become a member, but staying in? Well, that’s much harder. To remain eligible, you can’t send an email longer than five sentences.

As you can imagine, being in the club requires a lot of work. But it’s worth it: The first month I joined, my response rate tripled. Plus, my recipients’ average response time plunged by an entire day.

I like how straightforward the five-sentence rule is, but you can reap the same benefits simply by writing less. These three strategies will turn you into a master of short emails.

1) Slim Down Your Sentences

Most sentences are far more fluff than substance. Take this excerpt from an email I got yesterday:

I got your contact information because I’m looking to connect with remote workers as I am one myself. I’ve built a great app that allows you to keep headphones on while working with colleagues and I just want to get it into the hands of people that want to use it.

Reading this made my head spin. What if he’d instead written:

I’m a fellow remote worker, and I’ve built an app that lets you keep your headphones on while working with coworkers.

Much better, right?

If you need some practice cutting out superfluous words, great news — Write On Par is a fun, quick game that helps you turn rambling sentences into short, tight ones. Play for five minutes every day to hone your writing skills.

2) Make Every Line Count

Once you’ve shortened the length of your sentences, it’s time to cut altogether the unnecessary ones. When I’m trying to whittle down an email to five lines, I go through each one and ask, “Does this add value to my recipient’s life?” If not, I cut it.

To give you an idea, here’s the first draft of a follow-up email:

Hi David,

I hope your week is going well. It was great meeting you at the conference last night — I especially enjoyed hearing your thoughts on beacon applications in health care.

Since you mentioned you enjoy hiking, I thought I’d pass along this article on the 10 best hikes in the Bay Area. I’ve been on almost all of them and would be happy to share my recommendations. In any case, thanks again for the insights!

Best,

Aja

This email isn’t horrible, but there are a couple generic phrases that don’t add value to David’s life: Specifically, “I hope your week is going well,” “It was great meeting you,” and “In any case, thanks again for the insights!”

Here’s the email without these phrases:

Hi David,

Thanks for telling me your insights on beacon health care applications at the conference last night. Also, you might like this article on the 10 best hikes in the Bay Area — I’ve been on almost all of them and would be happy to share my recommendations.

Best,

Aja

As you can see, focusing on value naturally leads to shorter emails.

3) Focus on the Goal

Are your emails still too long? You’re probably trying to accomplish too many things in one message.

For example, I got a four-paragraph email last week that included four questions, three “quick clarifications,” and a lot of unnecessary context. I’ll be honest: I still haven’t responded.

To avoid this mistake, first identify the primary reason you’re sending the email.

That could be requesting or confirming a meeting, asking or answering a question, sharing an article or report — you get the drift.

Once you’ve figured out your goal, return to your message and delete everything that doesn’t forward that goal.

If you’re confirming a meeting with your boss, for instance, cut the question about next week’s presentation. (You could always send a separate email, or ask her in person.) Or if you’re sending the prospect some price and feature information, delete the links to several blog posts they “might be interested in.”

Short messages show respect — after all, you’re telling the other person that you know their time is valuable. So, if you want better relationships and better response rates, join the (five-sentence) club.

Frost, Aja. “3 Simple Rules That’ll Make Your Emails 10X Better.” HubSpot, June 2016.


Unsubscribing From Unwanted Email Carries Risks


We all receive loads of unwanted email solicitations, warnings, and advertisements. The number can be overwhelming to the point of obnoxiousness. Some days it feels like an unending barrage of distracting deliveries that require a constant scrubbing of my inbox.

Beyond being frustrating, there are risks. In addition to the desired and legitimate uses of email, there are several shady and downright malicious uses. Email is a very popular method for unscrupulous marketers, cybercriminals, and online threats to conduct social engineering attacks. Spam, phishing, and fraud are common. Additionally, many attackers seeking to install malware will use email as a delivery channel. Electronic mail can be an invasive communication mechanism, so we must take care.

Unfortunately, like most people, I tend to make my own situation even worse. In my professional role, I devour a tremendous amount of industry data, news, and reports to keep my finger on the pulse of change for technology and security. This attention usually requires me to register or provide my email address before I get a “free” copy of some analysis I desire. I could just give a false email, but that would not be ethical in a business environment. It is a reasonable and expected trade that benefits both parties. I get the information I seek and some company gets a shot at trying to sell me something. Fair enough, so I suffer and give my real work email. In this tacit game, there is an escape clause. I can request to no longer be contacted with solicitations after the first email lands in my inbox. Sounds simple, but it is not always that easy.

The reality is I receive email from many more organizations than I register with. Which means someone is distributing my electronic address to many others. They in turn repeat and the tsunami surging into my inbox gains strength. I become a target of less-than-ethical marketers, cyberattackers, and a whole lot of mundane legitimate businesses just trying to reach new customers.

Some include an unsubscribe link at the bottom of the message. This link holds an appealing lure of curbing the flood of email destined for the trash folder. But be careful. Things are not always as they seem. While attempting to reduce the load in your inbox, you might actually increase the amount of spam you receive, and in the worst case you could be infecting your system with malware by clicking that link. Choose wisely!

Recommendations for unsubscribing from email

Rule #1: If it is a legitimate company, use the unsubscribe option. Make sure the link points to a domain associated with the purported sender. Legit companies or their marketing vendor proxy will usually honor the request.

Rule #2: If it is a shady company, do not unsubscribe, just delete. If your mail service supports it, set up a block or spam rule to automatically delete future messages from these organizations.

If the message is seriously malicious, the “unsubscribe” link may take you to a site configured to infect or compromise your system. This is just another way bad guys get people to click on embedded email links. Don’t fall for this ruse! It may result in a malware infection or system compromise.

If the message is semi-malicious, like a spam monster that will send mail to any address it can find, then clicking the “unsubscribe” link tells them this is a valid email address and that someone is reading the mail. This knowledge is valuable to them; they will sell that email address as “validated” to others and use it for future campaigns. Result: more spam.

Rule #3: Some spam and solicitations don’t offer any unsubscribe option. Just delete. It’s probably not a company you want to patronize anyway.
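Rule #1 above can be checked mechanically before anything is clicked: compare the registrable domain of the From address with the domain each unsubscribe link points to. The following is an added example, not code from the original post; the two messages are constructed, and the public-suffix handling is a small hard-coded stand-in for the full Public Suffix List.

```python
"""Rule #1 check: does an email's unsubscribe link point at a domain associated
with the purported sender?

Added example, not code from the original post. The two sample messages are
constructed, and the public-suffix handling is a small hard-coded stand-in for
the full Public Suffix List (an assumption, not a complete implementation)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Suffixes under which the registrable domain has three labels (example.co.uk).
_TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
UNSUB_RE = re.compile(r"unsubscribe|opt[\s-]?out", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """mail.acme-example.com -> acme-example.com; news.example.co.uk -> example.co.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def unsubscribe_links(msg) -> list:
    """Collect HTTP(S) URLs from List-Unsubscribe headers and from body links
    whose URL or anchor text mentions unsubscribing or opting out."""
    links = []
    for value in msg.get_all("List-Unsubscribe", []):
        for entry in value.split(","):
            entry = entry.strip().strip("<>")
            if entry.startswith("http"):
                links.append(entry)
    for part in msg.walk():
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        for m in HREF_RE.finditer(body):
            href = m.group(1)
            # Anchor text is whatever follows the href up to the closing </a>.
            anchor_text = body[m.end():m.end() + 200].split("</a>", 1)[0]
            if UNSUB_RE.search(href) or UNSUB_RE.search(anchor_text):
                links.append(href)
    return links


def check_unsubscribe(raw_email: str) -> dict:
    """Return the sender's registrable domain and, per unsubscribe URL, whether
    its host belongs to that same domain. A False verdict means: do not click;
    delete instead (Rule #2), or confirm the marketing vendor some other way."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[1]) if "@" in sender else ""
    verdicts = {}
    for url in unsubscribe_links(msg):
        host = urlparse(url).hostname or ""
        verdicts[url] = bool(host) and registrable_domain(host) == sender_domain
    return {"sender_domain": sender_domain, "links": verdicts}


# Constructed samples: one consistent newsletter, one whose "unsubscribe" goes elsewhere.
LEGIT_EMAIL = """\
From: Acme Newsletter <news@mail.acme-example.com>
To: me@example.org
Subject: Weekly deals
List-Unsubscribe: <https://mail.acme-example.com/u?id=123>
Content-Type: text/html; charset=utf-8

<p>This week's deals.</p>
<a href="https://mail.acme-example.com/unsubscribe?id=123">Unsubscribe</a>
"""

SUSPICIOUS_EMAIL = """\
From: "Acme Rewards" <rewards@acme-example.com>
To: me@example.org
Subject: Your reward is waiting
Content-Type: text/html; charset=utf-8

<a href="http://acme-example.com.login-update.example/claim">Claim</a>
<a href="http://tracker.bulk-sender.example/optout?e=me%40example.org">Click here to unsubscribe</a>
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_EMAIL), ("suspicious", SUSPICIOUS_EMAIL)):
        print(name, check_unsubscribe(raw))
```

A legitimate sender that outsources mailing to a vendor on a different domain will also come up False; that case needs an allowlist maintained from sources other than the email itself.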

If you are in a work environment, be sure to know and follow your corporate policies regarding undesired email. Many companies have security tools that can inspect, validate, or block bad messages. They may also have solutions that leverage employees’ reporting of bad email to better tune such protections. Open attachments only from trusted sources.

Just remember, if you are not sure the email is legit, do not open or click anything, and NEVER open any attachments, including PDFs, Office documents, HTML files, or any executables because they can be used by attackers to deliver Trojans to infect your system with malware, ransomware, or other remote manipulation tools. Cybercriminals often pose as real companies with real products. Make your email life easier by unsubscribing with care and forethought.

Rosenquist, Matthew. “Unsubscribing From Unwanted Email Carries Risks.” McAfee Labs, April 2016.


How to Deal With the Rising Threat of Ransomware

Of all the money-making schemes hackers employ, the most prevalent is perhaps ransomware, malware that is usually delivered through infected email attachments and hacked websites or websites featuring ads. Ransomware encrypts files on a user’s computer and renders them unusable until the victim ransoms the key for a specific amount of money.

Cybercriminals are making millions of dollars from ransomware. According to forecasts and assessments made by experts, the threat of ransomware will continue to rise in the months and years to come. Recently, several organizations were badly hit by ransomware, including a police department in Massachusetts, a church in Oregon, schools in South Carolina and several medical centers in California and Kentucky, one of which ended up paying the attackers 40 bitcoins (approximately $17,000).

Attacks on individuals seldom make the headlines, but in 2015 alone, the FBI received some 2,500 complaints related to ransomware attacks, which amounted to approximately $24 million in losses to the victims.

Technologies such as modern encryption, the TOR network and digital currencies like bitcoin are contributing to the rising success of ransomware, enabling hackers to stage attacks more efficiently while hiding their tracks.

In many cases, victims are left with no other choice than to pay the attackers, and even the FBI often advises victims to pay the ransom as the only recourse. Traditional methods and tools no longer suffice to deal with the fast-evolving landscape of ransomware viruses, and new approaches are needed to detect and counter its devastating effects.

The problem with traditional security solutions

Most security practices rely largely on regularly updating your operating system, software and antivirus tools, which is effective against known ransomware viruses but of no use against unknown variants.

The other safeguard against ransomware is to keep offline backups of your files, which will enable you to restore your hostage files without paying the crooks. This is a very effective method, but for many organizations, the downtime of a ransomware attack is more damaging than the ransom itself, which warrants the need for methods that can help avoid ransomware altogether.

Prevention through behavior analysis

The high success rates of ransomware attacks are directly attributable to the shortcomings of antivirus software that relies on static, signature-based methods to detect ransomware. With several variants of ransomware being developed on a daily basis, there’s simply no way signature-based defenses can keep up. Udi Shamir, Chief Security Officer at cybersecurity firm Sentinel One, explains, “With minor modifications a cybercriminal can take a well-known form of ransomware like CryptoLocker, and make it completely unknown and undetectable to antivirus software.”

Experts agree that fighting ransomware needs a new approach, one that should be based on behavior analysis rather than signature comparison. “Behavior-based detection mechanisms are now playing a key role in detecting and preventing ransomware-based attacks,” Shamir says. “While there may be many ransomware variants in the wild, they all share a common set of traits that can be detected during execution.”

Most ransomware can be detected through a set of shared behavioral characteristics. Attempts at deleting Windows Shadow Copies, disabling Startup Repair or stopping services such as WinDefend and BITS are telltale signs of ransomware work. “Each of these actions are behaviors that, if detected, translate into a ransomware attack,” Shamir explains.

This is the general idea behind some of the newer security tools — instead of making signature-based comparisons, processes are scrutinized based on their behavior and blocked if found to be carrying out malicious activity. “Once detected, any malicious processes are killed instantly, malicious files are quarantined, and endpoints are removed from the network to prevent any further spread,” Shamir says.
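The traits listed above (shadow copy deletion, disabling Startup Repair, stopping WinDefend or BITS) can be turned into detection logic over process-creation logs. The block below is an added example, not SentinelOne's or any vendor's code; the log lines are constructed in an assumed 'time|host|ppid|pid|image|command_line' format rather than any real product's schema.

```python
"""Behavior-based ransomware indicators over process-creation logs.

Added example illustrating the shared traits the article lists (shadow copy
deletion, disabling Startup Repair, stopping WinDefend or BITS); it is not
SentinelOne's or any vendor's code. The log lines are constructed, in an
assumed 'time|host|ppid|pid|image|command_line' format rather than any real
product's schema."""
import re
from collections import defaultdict

# One regex per trait, written against the built-in Windows utilities that
# carry these actions out. Matching is on the command line only.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("startup_repair_disabled", re.compile(
        r"bcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("security_service_stopped", re.compile(
        r'(net1?(\.exe)?\s+stop|sc(\.exe)?\s+(stop|config))\s+"?(WinDefend|BITS)\b', re.I)),
]

# Constructed sample: a benign admin session, a suspicious burst under one
# parent process, and a benign shadow-copy listing on another host.
LOG_LINES = [
    "2016-04-01T10:00:01|WS01|1200|2210|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
    "2016-04-01T10:00:05|WS01|1200|2215|C:\\Windows\\System32\\sc.exe|sc query BITS",
    "2016-04-01T10:03:10|WS01|3300|3301|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "2016-04-01T10:03:11|WS01|3300|3302|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "2016-04-01T10:03:12|WS01|3300|3303|C:\\Windows\\System32\\net.exe|net stop WinDefend",
    "2016-04-01T10:03:12|WS01|3300|3304|C:\\Windows\\System32\\net.exe|net stop BITS",
    "2016-04-01T11:15:00|WS02|4100|4120|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
]


def parse_line(line: str) -> dict:
    ts, host, ppid, pid, image, cmd = line.split("|", 5)
    return {"ts": ts, "host": host, "ppid": int(ppid), "pid": int(pid),
            "image": image, "cmd": cmd}


def match_rules(cmd: str) -> list:
    """Names of every trait a single command line exhibits."""
    return [name for name, rx in RULES if rx.search(cmd)]


def analyze(lines) -> list:
    """Group hits by (host, parent pid). A parent whose children exhibit two or
    more distinct traits is 'likely_ransomware'; a single trait is only
    'suspicious', since an administrator may legitimately delete shadow copies."""
    hits = defaultdict(lambda: {"traits": set(), "pids": [], "first_seen": None})
    for line in lines:
        ev = parse_line(line)
        traits = match_rules(ev["cmd"])
        if not traits:
            continue
        entry = hits[(ev["host"], ev["ppid"])]
        entry["traits"].update(traits)
        entry["pids"].append(ev["pid"])
        entry["first_seen"] = entry["first_seen"] or ev["ts"]
    findings = []
    for (host, ppid), entry in hits.items():
        verdict = "likely_ransomware" if len(entry["traits"]) >= 2 else "suspicious"
        findings.append({"host": host, "parent_pid": ppid, "verdict": verdict,
                         "first_seen": entry["first_seen"],
                         "traits": sorted(entry["traits"]), "child_pids": entry["pids"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        # In the tools the article describes, this is the point at which the
        # parent process would be killed and the endpoint isolated.
        print(finding)
```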

Aside from Sentinel One, other big players such as TrendMicro, Cisco and Kaspersky Labs are also offering behavior-based security tools.

“These new ‘next-generation’ endpoint protection solutions have proven to be effective against all variants of ransomware,” Shamir says.

Prevention without detection

One of the methods ransomware developers use to evade detection is to force their tool to remain in a dormant state while it is under examination by security tools. This enables new variants of the virus to get past antiviruses and even some behavioral-based security solutions without being discovered. Once out of the sandbox, the ransomware is in the ideal environment to unpack its malicious payload and deal its full damage.

The workaround to this technique, as discovered by an Israeli cybersecurity startup, is to trick the ransomware that it is always in the sandbox environment, which will convince it to remain in the “sleeping” state and never wake up to deploy itself.

Minerva Labs, which came out of stealth this January, presented a solution that uses the ransomware’s own evasion techniques against it. “We figured that in order to fight malware, we have to think like the hackers that develop it,” says Eddy Bobritsky, CEO of Minerva Labs.


Minerva has introduced the concept of a low-footprint endpoint protection platform that “prevents targeted attacks as well as ransomware before any damage has been done, without the need to detect them first or to have prior knowledge,” Bobritsky explains.

By simulating the constant presence of different sophisticated cybersecurity tools, such as Intrusion Prevention Systems (IPS), the ransomware becomes trapped in a loop that prevents it from knowing where it is. The malware cannot differentiate between the simulated environment and real security environment that it tries to evade, and thus it stays inactive, “waiting for conditions that will never materialize,” Bobritsky says.

Prevention through a multi-pronged approach

“Per se, new products, tools or technology and processes may not solve the challenges individuals or organizations face when infected with ransomware,” says Jens Monrad, consulting system engineer at security firm FireEye. “Above all we need a fundamentally new way of thinking about cyberattacks.”

Monrad suggests the Adaptive Defense model, which instead of focusing on total prevention recognizes that some ransomware attacks will get through and aims at reducing the time to detect and resolve threats.

“In the adaptive model, security teams have the tools, intelligence, and expertise to detect, prevent, analyze, and resolve ever-evolving tactics used by advanced attackers,” Monrad explains.

Adaptive defense should encompass three core interconnected areas of technology, intelligence and expertise, which, according to Monrad, are fundamental for enterprises, governments and organizations that want to develop their capabilities to minimize the time it takes to discover a threat and recover from it.

At the technology level, Monrad proposes the use of sophisticated security tools. “Simple sandbox solutions aren’t enough though,” he explains, “because in many cases a piece of malicious code and an attack can happen over multiple stages, which makes detection and prevention more challenging, if your sandbox is just relying on a single object.”

This includes viruses that download and execute their malicious payload after getting past the sandbox. That’s why sandboxing should occur at the network level, Monrad argues, where you can “focus on the entire stream of packets, in order to analyze what is happening, in a similar way, as normal users are exposed to the code when they browse the Internet, click on a link in an email or open an attached file.”

At the intelligence level, “data should be gathered and shared across many endpoints and should be managed by a dedicated research team that knows attackers and how they operate,” Monrad says. The right solution should “provide intelligence before a ransomware attack happens, while it is happening and also explain why it did happen,” he says.

The expertise discipline includes experience in responding to data breaches, unique insight into how attacks are happening and knowledge on what sort of operational methods attackers employ in order to carry out successful attacks.

Dickson, Ben. “How to Deal With the Rising Threat of Ransomware.” TechCrunch, April 2016.


Your Clever Password Tricks Aren’t Helping You From Today’s Hackers


Security breaches happen so often nowadays, you’re probably sick of hearing about them and all the ways you should beef up your accounts. Even if you think you’ve heard it all already, though, today’s password-cracking tools are more advanced and cut through the clever password tricks many of us use. Here’s what’s changed and what you should do about it.

Background: Passwords Are Easier To Crack Than Ever

Our passwords are much less secure than they were just a few years ago, thanks to faster hardware and new techniques used by password crackers. Ars Technica explains that inexpensive graphics processors enable password-cracking programs to try billions of password combinations in a second; what would have taken years to crack now may take only months or maybe days.

Making matters worse, hackers know a lot more about our passwords than they used to. All the recent password leaks have helped hackers identify the patterns we use when creating passwords, so they can now use rules and algorithms to crack passwords more quickly than they could through simple common-word attacks.

Take the password “Sup3rThinkers”, which would pass most password strength tests because of its 13-character length and its mix of upper and lower case plus a number. The website How Secure Is My Password? estimates it would take a desktop computer about a million years to crack, assuming 4 billion calculations per second. According to Ars, it would now take a hacker just a couple of months:

Passwords such as “mustacheehcatsum” (that’s “mustache” spelled forward and then backward) may give the appearance of strong security, but they’re easily cracked by isolating their patterns, then writing rules that augment the words contained in the [2009 hack of online games service] RockYou […]and similar lists. For [security penetration tester] Redman to crack “Sup3rThinkers”, he employed rules that directed his software to try not just “super” but also “Super”, “sup3r”, “Sup3r”, “super!!!” and similar modifications. It then tried each of those words in combination with “thinkers”, “Thinkers”, “think3rs”, and “Think3rs”.

In other words, hackers are totally on to us!

What You Can Do: Strengthen Your Passwords By Making Them Unique and Completely Unpredictable

We’ve suggested plenty of strong password tips over the years, but in light of the faster and newer cracking capabilities, these are worth reviewing.

  1. Avoid Predictable Password Formulas

The biggest problem is that we’re all padding our passwords the same way (partly because most companies limit your password length and require certain types of characters). When required to use a mix of upper- and lower-case letters, numbers, and symbols, most of us:

Use a name, place, or common word as the seed, e.g., “fido” (Women tend to use personal names and men tend to use hobbies)

Capitalize the first letter: “Fido”

Add a number, most likely 1 or 2, at the end: “Fido1”

Add one of the most common symbols (~, !, @, #, $, %, &, ?) at the end: “Fido1!”

Not only are these patterns obvious to professional password guessers; even substituting numbers for vowels (“F1d01!”) or appending another word (“G00dF1d01!”) wouldn’t help much, since hackers use these same patterns against us and chain words from the master crack lists together.

Other clever obfuscation techniques, such as shifting keys to the left or right or using other keyboard patterns, are also now sniffed out by hacking tools. As one commenter wrote in the Ars Technica article, hackers use keyboard walk generators to emulate millions of keyboard patterns.

The solution: Don’t do what everyone else is doing. Avoid the patterns above and remember the basics: don’t use a single dictionary word, names, or dates in your password; use a mix of character types (including spaces); and make your passwords as long as possible. If you have a template for how you create memorable passwords, it’s only secure if no one else is using that rule. (Check out IT security pro Mark Burnett’s collection of the top 10,000 most common passwords, which he says represents 99.8% of all user passwords from leaked databases, or this list of 500 most common passwords in one page.)
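To make the rule-based guessing concrete, here is an added Python example (not code from the article, from Ars, or from Redman) that builds the candidate space a guesser gets from a handful of seed words using the patterns just described (capitalize, swap vowels for digits, reverse, append a digit or symbol, glue two words) and reports which passwords fall inside it. The seed list and the test passwords are constructed; SEEDS stands in for a leaked list such as RockYou.

```python
"""Added example, not from the article: flag passwords that a rule-based
guesser would reach from a few seed words using the patterns described
above (capitalize, swap vowels for digits, reverse, append a digit or
symbol, glue two words). SEEDS is a constructed stand-in for RockYou."""
import itertools

SEEDS = ["super", "thinkers", "fido", "password", "dragon", "mustache"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "2", "123", "!", "!!!", "1!", "2!"]


def mangle(word: str) -> set:
    """Expand one seed word into every variant the rules above produce."""
    forms = {word, word.capitalize(), word.upper()}
    forms |= {f.translate(LEET) for f in list(forms)}             # super -> 5up3r
    forms |= {f[0] + f[1:].translate(LEET) for f in list(forms)}  # keep first letter
    forms |= {f[::-1] for f in list(forms)}                       # mustache -> ehcatsum
    return {f + s for f in forms for s in SUFFIXES}


def candidate_pool(seeds=SEEDS) -> set:
    """Single words plus every ordered pair: the guesser's whole search space."""
    singles = set().union(*(mangle(w) for w in seeds))
    pairs = {a + b for a, b in itertools.permutations(singles, 2)}
    return singles | pairs


def audit(passwords, pool=None) -> dict:
    """Map each password to True if the pool reaches it (i.e. it is weak)."""
    pool = candidate_pool() if pool is None else pool
    return {pw: pw in pool for pw in passwords}


if __name__ == "__main__":
    pool = candidate_pool()
    print(f"{len(pool):,} guesses cover {len(SEEDS)} seed words")
    tests = ["Sup3rThinkers", "Fido1!", "mustacheehcatsum", "vX8#qr2Lp!m"]
    for pw, weak in audit(tests, pool).items():
        print(f"{pw:18} {'WEAK: fits a known pattern' if weak else 'not reached'}")
```

A few hundred thousand guesses from six seed words is seconds of work for the GPU rigs described above, which is why the pattern, not the character count, decides the outcome.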

  2. Use a Unique Password for Each Site

We’ll get back to password creation in a minute, but first: this is the most important security strategy of all. Use a different password for each site. This limits the damage that can be done if/when there’s a security breach.

If you use the same password for everything, and someone gets a hold of your Facebook password, they have your password for every site you visit. If you have a different password for every site, they only have access to your Facebook account—so at least all your other accounts are protected.

  3. Use Truly Random Passwords

You’ve probably heard that a random, four-word passphrase is more secure and more memorable than a complicated but shorter password, as the web comic xkcd pointed out last year. This is true, but often irrelevant, because as we said: you need to use a different password for every account. If you can remember 100 different four-word passphrases, be my guest. But for most of us, it doesn’t matter how easy your passwords are to remember—there are just too many of them. (Though the passphrase approach might be good for, say, your computer login or the few cases where you need to remember your password.)

Using a variation on the same password for each site isn’t a good idea, either. Say you have a password like ro7CSfac2V3p1 for Facebook, and you use the variation ro7CSlif2V3p1 for Lifehacker, and so on for all your other sites. If a hacker gains access to one of those passwords, they can easily guess the others by replacing “fac” with the letters that might match other sites (or figuring out whatever your algorithm is). It’s more difficult, but far from impossible, and it isn’t secure enough to rely on—if you can remember it, someone else can probably figure it out.

So: The most secure option is to use a password generator and manager. If you want to keep your accounts safe, you need to use a truly random, long, and complex password, and use a completely different one for each account. How do you accomplish this? Use a password manager like LastPass, KeePass, or 1Password. Not only will they save all your passwords for you, but they can generate random passwords for you. It’s easier to use and set up than you may think.

For more information, read our guide on how to audit and update your passwords with LastPass for detailed instructions. Remember, the only secure password is the one you can’t remember—and this is the only way to achieve that. Those clever password tricks we used to use just don’t cut it anymore.

Lastly, make sure you turn on two-factor authentication for all sites that support it! It is, by far, one of the best ways to secure your accounts against hackers—even if they get your password, they won’t be able to get access to your account.

Pinola, Melanie. “Your Clever Password Tricks Aren’t Protecting You From Today’s Hackers.” Lifehacker, April 2016.

Posted in: E-mail, Mobile Computing, Security, Tech Tips for Business Owners


Beware – e-mail scamming is becoming more ingenious and dangerous!

We are sending this to warn you of this new scam.

This morning, I received a cleverly composed and very official-looking email from Experian telling me that a “Key Change” has been posted to my account.

Many of us have learned to not click links on emails, especially on ones that look fishy. Many also know to hover the mouse pointer over a link to reveal the web address, which usually points to some spurious site.

Well, this email (screenshot below) looked very official. The link looked legit. And the message is psychologically powerful – something important happened to your credit and you need to look into it right away. How? The instructions tell you to click on the attached file. What a clever way to distract and get your guard down.

Pretty sure the attached zip file contains some kind of malware.

By the way, I went to Experian’s website directly and downloaded a free credit report. Nothing unusual was in my account.


Posted in: Business, E-mail, Security, Tech Tips for Business Owners


5 Simple Ways To Avoid Getting An Avalanche of Spam

As you probably already know from firsthand experience, once you’re on a spammer’s list, it’s next to impossible to get off. Changing your e-mail address can be a major inconvenience, especially if you rely on it to stay in touch with important business and personal contacts.

To reduce the chances of your e-mail address getting spammed, here are 5 simple preventative measures you can take that will go a long way in keeping not-so-delicious spam out of your in-box.

1. Use a disposable e-mail address.
If you buy products online or occasionally subscribe to websites that interest you, chances are you’re going to get spammed.

To keep your main e-mail address from ending up on their broadcast list, set up a free Internet e-mail address with Hotmail or Gmail and use it when buying or opting in to online newsletters. You can also use a throwaway e-mail address when making purchases or subscribing to newsletters (see #4).

2. Pay attention to check boxes that automatically opt you in.
Whenever you subscribe to a website or make a purchase online, be very watchful of small, pre-checked boxes that say, “Yes! I want to receive offers from third party companies.”

If you do not un-check the box to opt out, your e-mail address will probably be sold to every online advertiser. To keep this from happening, simply take a closer look at every online form you fill out.

3. Don’t use your main e-mail address on your website, web forums, or newsgroups.
Spammers have special programs that can glean e-mail addresses from websites without your permission. If you are posting to a web forum or newsgroup, use your disposable e-mail address instead of your main e-mail address.

If you want to post an e-mail address on your home page, use “info@” and have all replies forwarded to a folder in your in-box that won’t interfere with your main address, or, better yet, include the address as a graphic.

4. Create throwaway e-mail accounts.
If you own a web domain, all mail going to an address at your domain is probably set up to come directly to you by default. For example, an e-mail addressed to anything@yourdomain.com will be delivered to your in-box.

This is a great way to fight spam without missing out on important e-mails you want to get. The next time you sign up for a newsletter, use the title of the website in your e-mail address. For example, if the website is titled “successsecrets.com”, enter “successsecrets@yourdomain.com” as your e-mail address. If you get spammed, look at what address the spam was sent to.

If successsecrets@yourdomain.com shows up as the original recipient, you know the source since that e-mail address was unique to that web site. Now you can easily stop the spam by making any e-mail sent to that address bounce back to the sender.
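The tracing step in tip #4 can be automated. The following is an added Python example (not code from this post or from Trinity Worldwide Technologies): it reads the recipient headers of messages you have marked as spam, maps each throwaway tag at the catch-all domain back to the site it was given to, and emits reject lines in Postfix access(5) table format so mail to the burned address bounces. The registry, the domain “yourdomain.com” from the post, and the sample messages are constructed; the Postfix table is an assumption about where the rule would be loaded.

```python
"""Added example, not from the post: attribute spam to the throwaway address
it was sent to and emit reject rules for that address. Assumes a catch-all
domain (yourdomain.com, from the post) and a Postfix-style access table."""
from email import message_from_string
from email.utils import getaddresses

CATCHALL_DOMAIN = "yourdomain.com"

# Registry kept at sign-up time: tag (local part) -> site the address was given to.
REGISTRY = {
    "successsecrets": "successsecrets.com",
    "shoppingsite": "shoppingsite.example",
}

# Constructed sample messages (headers only), as they might land in the in-box.
SAMPLES = [
    "From: deals@randomspam.example\nTo: successsecrets@yourdomain.com\n"
    "Subject: You won!\n\nspam body\n",
    "From: news@shoppingsite.example\nTo: <shoppingsite@yourdomain.com>\n"
    "Subject: Your order shipped\n\nok\n",
    "From: friend@mail.example\nTo: me@yourdomain.com\nCc: jane@elsewhere.example\n"
    "Subject: hi\n\nhello\n",
]


def tagged_recipients(raw: str) -> list:
    """Return the local-part tags of every recipient at the catch-all domain."""
    msg = message_from_string(raw)
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    tags = []
    for _name, addr in addrs:
        local, _, domain = addr.rpartition("@")
        if domain.lower() == CATCHALL_DOMAIN:
            tags.append(local.lower())
    return tags


def attribute_leak(raw: str) -> dict:
    """Map each tagged recipient to the site it was given to ('unknown' if untracked)."""
    return {tag: REGISTRY.get(tag, "unknown") for tag in tagged_recipients(raw)}


def burned_addresses(spam_messages) -> dict:
    """Given messages the user marked as spam, return tag -> site that leaked it."""
    found = {}
    for raw in spam_messages:
        found.update(attribute_leak(raw))
    return found


def reject_rules(tags) -> list:
    """Postfix access(5)-style lines that make mail to the burned tags bounce."""
    return [f"{tag}@{CATCHALL_DOMAIN} REJECT address burned" for tag in sorted(set(tags))]
```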

5. Don’t open, reply to or try to opt-out of obvious spam e-mails.
Opening, replying to, or even clicking a bogus opt-out link in an obvious spam e-mail signals that your e-mail address is active, and more spam will follow.

The only time it is safe to click on the opt-out link or reply to the e-mail is when the message was sent from a company you know or do business with (for example, a company that you purchase from or a newsletter you subscribed to).

If you are still absolutely fed up with the number of spam e-mails you get every day, the annoying pop-ups when you surf the net, and advertisers installing spyware on your computer to monitor your every move and serve up unwanted ads, Trinity Worldwide Technologies can help recommend the proper solution for your organization. Please call us at 732-780-8615 for more information.

Posted in: Business, E-mail, Security, Tech Tips for Business Owners
