
Archive for Security

Unsubscribing from Spam Only Makes It Worse

The last time I checked my spam folder, I noticed a few messages included an unsubscribe link. Well that’s nice, I thought. Maybe spammers realize that some people will never respond, so they want to trim their lists for efficiency. I clicked “unsubscribe.” That was a mistake.

While “legit companies” honor unsubscribe requests, says the McAfee Labs blog, “shady” ones just use the unsubscribe buttons to confirm your address and send you more spam. Sophos blogger Alan Zeichick says that clicking unsubscribe tells the spammer you opened their email, possibly because you were interested or suspected it was real. By visiting the spammer’s fake unsubscribe page, you’re giving them your browser info and IP address, and even opening yourself up to malware attacks.

If an email looks like truly shady spam (and not just a newsletter you’re sick of reading), don’t click any links. Just mark it as spam and move on.

Douglas, Nick. “Unsubscribing from Spam Only Makes It Worse” Lifehacker June 2017

Posted in: E-mail, Security


‘Smishing’ Is Internet Scammers’ New Favorite Trick. Here’s How to Avoid It

Internet scam artists are moving beyond your email inbox and targeting your text messages instead. With this new scam, called “smishing,” scammers are trying to get you to send them your personal information that could help them access your bank account or other online profiles. Here’s what you should know.

What are smishing scams?
“Smishing” scams are so named because they’re like a phishing email, except sent via SMS, the technology underlying the typical text message. They often prey on people’s panic or sense of urgency, according to Jason Hong, associate professor at Carnegie Mellon University’s Human-Computer Interaction Institute. For example, one fraudulent message might appear to be a warning from your bank about an unauthorized charge.

“That’s one of the main ways they try to trick you,” says Hong. “There’s an urgency to the message. There’s something that needs your attention right now.”

How can you avoid smishing scams?
Hong says you should make sure to use different passwords for everything from your bank’s website and social media apps to your email account. Two-factor authentication and password managers like Dashlane and 1Password can also be useful. And in the hypothetical case outlined above, you should call your bank or credit card company directly to verify the alert, rather than clicking any links in suspicious text messages.

Unfortunately, there’s no foolproof way to block smishing messages entirely, says Steve Wicker, a computer engineering professor at Cornell University. Wicker says the best course of action is to be vigilant for suspicious text messages, just like you should watch out for strange emails. One tip: Look out for text messages from phone numbers that clearly appear fake or suspicious.

Another warning: Wicker says some scammers may be able to make their messages look like they’re coming from a person you know and trust. So if you get a weird message from a friend, it’s a good idea to call them back on the phone and check if they actually sent the text.

Why are scammers using smishing scams?
Scammers could have one of several motives, Hong says. They could be trying to steal a victim’s identity, to access their bank account, or to blackmail them into giving out personal or company secrets.

“That’s where the money is,” Hong added. “People are getting more suspicious of emails. Companies like Google and Yahoo are getting better at detecting fake accounts and shutting them down. So the next easiest thing for [a scammer] to do is to go to mobile.”

Is smishing a new phenomenon?
Smishing scams have been around since as early as 2008, but experts say they are becoming more prevalent. They’re also popping up on all sorts of messaging apps, not just simple text messages.

“This is impacting all systems in the mobile arena, it’s not just limited to one system,” says William Beer, who works on cybersecurity matters for professional services firm EY, previously known as Ernst & Young. “There’s never 100% security on any app, whether they be desktop or mobile.”

Segarra, Lisa Marie. “‘Smishing’ Is Internet Scammers’ New Favorite Trick. Here’s How to Avoid It” Fortune, Security July 2017

Posted in: Mobile Computing, Security


‘Major scale’ malware targets your Mac through email scams

Mac users are increasingly being targeted by malware after years of being relatively safe, and that means they’re facing attacks that other users have unfortunately come to expect for a while. Check Point researchers have discovered Dok, the first “major scale” trojan that targets macOS through an email phishing campaign. The bogus messages (usually aimed at European users) are meant to trick you into downloading a ZIP file that, if you launch it, gives the malware control over your system and lets attackers intercept your internet traffic to spy on your activity or impersonate websites. It’ll even delete itself when the intruders are done.

Like many attachment-based phishing attacks, you have to go out of your way to infect your system. You’re not going to get a Dok infection just by opening a message, thankfully. And if you do fall prey to the malware, iMore has instructions that will help you scrub your system clean. However, the rogue code also appears to rely on a faked certificate that bypasses Apple’s Gatekeeper screening, giving it carte blanche if you’re not careful. It might be easy to avoid, but it’s potentially very damaging if it gets through and you don’t look for warning signs.

More than anything, Dok serves as a reminder that you can’t assume you’re safe just because you use a non-standard platform. Malware writers still tend to target Windows simply because it represents the largest potential target, but some of them are willing to aim at Mac users in hopes of cornering an untapped “market” for victims.

Posted in: Security


4 Ways to Lock Your Windows 10 PC

Many of us are responsible for not only our own data, but the data of our clients as well. Whether or not you are subject to compliance regulations such as those in the medical or financial services industry, it is vital that we take seriously the security of the data that is entrusted to us.

Most importantly, you should never leave your PC unattended. But if you have to leave your Windows 10 PC alone for a period of time and don’t want to shut it down, we have a few alternatives for you.

Give these tips a try!

  1. Windows-L

Hit the Windows key and the L key on your keyboard. Keyboard shortcut for the lock!

  2. Ctrl-Alt-Del

Press Ctrl-Alt-Delete. On the menu that pops up, click Lock. Easy as 1, 2, 3 – done!

  3. Start button

Tap or click the Start button in the bottom-left corner. Click your user icon and then select Lock.

  4. Auto lock via screen saver

You can set your PC to lock automatically when the screen saver pops up. Go to Control Panel > Appearance & Personalization > Change screen saver and then check the box for On resume, display logon screen. You can also set a time for how long your PC should wait before starting the screen saver. Now, when you exit out of the screensaver, you’ll need to enter your system password to get back in.

With Windows 10 Creators Update, Microsoft moved this screen saver setting from the Control Panel to Settings. You can find it by going to Settings > Personalization > Lock screen > Screen saver settings.

Posted in: MS Office Tips and Tricks, Security


Thursday, May 4 – World Password Day

May 4 is coming up and has been designated as World Password Day to remind enterprise workers and consumers everywhere to use strong, updated passwords to protect cybersecurity.

World Password Day is a celebration to promote better password habits. Passwords are critical gatekeepers to our digital identities, allowing us to access online shopping, dating, banking, social media, private work and life communications.

Security firm BullGuard cited recent studies showing that 90% of all passwords are vulnerable to attack in seconds. Also, 10,000 common passwords like “qwerty” or “12345678” allow access to 98% of all accounts, BullGuard said. Amazingly, 21% of online users rely on passwords that are 10 years old, the company said.

So, why not jump on-board – here are some great tips to get you started!

How do I create strong passwords?

The key to a strong password is length. Your passwords should be 12 characters long at the very least, and difficult for someone to guess. Avoid using personal information, especially if someone can find the answer on social media, or by searching your name online.

In addition to length, secure passwords also use a mix of uppercase, lowercase, numbers and symbols.

This may seem daunting, but there is a simple solution. Try using a passphrase instead of a password. A passphrase is a short saying that you modify to become a strong password. For example, “Thund3r Sh0wers at Suns3t” would be a very strong password that’s also easy to remember.

Why use different passwords for each account?

Imagine if one key opened your front door, your car, your bank, and your safe. If someone got hold of your one key — poof — they have access to everything. That’s more or less your situation when you recycle passwords. If someone has access to your one key password, they have access to everything.

Cyber criminals know people reuse passwords, and after a major password leak, they’ll try using those passwords and email addresses to get into all kinds of sites. Often, it works.

Don’t get caught in this trap. The solution is simple: have different passwords for every online account. That way if one account is compromised you can rest easy knowing your other accounts are still safe.

If you think it would be difficult to remember all those passwords, move on to the next section for an easy solution.

Why get a password manager?

A good password manager safely stores all your passwords, remembers them and can generate strong passwords for you. This makes it incredibly easy to use different, hard-to-remember passwords for every account, so you only have to remember the one master password to get in. All the security – less hassle!

But what if someone gets your master password? Luckily, quality password managers have prepared for this by ensuring they only work on your registered devices. That way, if someone tries to log in from an unregistered device, the password manager will block access until the user completes a second, or third, login step, like entering a secret code that is emailed or texted to you. If you get an email saying someone is trying to log in from an unknown device, you’ll know you should change your master password as soon as possible.

In addition to emailed and texted codes, some password managers also let you add fingerprint, and face recognition options and devices you trust — this is called multi-factor authentication, and it offers convenient, powerful protection for your password vault.

What is multi-factor authentication and how do I use it?

How does multi-factor work?
If you’ve ever used a fingerprint reader on your phone, you’ve used multi-factor! For example, when you download an app from an app store, it first checks you’re on a trusted device (Factor 1) and then verifies you’re you with your fingerprint (Factor 2).

If you’re on a computer, usually it’s like this: when you enter your username and password, you’ll be asked for a verification code that will be texted to your phone. Pop in that single-use code, and you’re in. Ta-da! Multi-factor authentication!

Why should I use multi-factor?
Last year, 450 million passwords were leaked from major Internet companies. Adding an extra layer to your passwords significantly decreases the risk of someone accessing your account. Think of it like a second lock on your door, or a moat surrounding a castle.

One thing to realize is that two-factor authentication (2FA) is one of the best methods to protect the account you log into. If you are accessing your work systems remotely you should have a 2FA solution in place.

If you don’t, one of our experienced professionals would be happy to discuss implementing this for you and your organization.

Give us a call at (732) 780-8615 or send us an email at support@trinityww.com to schedule a consultation.

Posted in: Security


7 Dangerous Subject Lines

Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. But you can avoid such attacks by being patient, checking email addresses, and being cautious of sketchy-sounding subject lines.

2 out of 5 people open emails from unknown senders!

7 dangerous subject lines to watch for

Cybercriminals initiate their attacks through hyperlinks or attachments within emails. Most of these attacks use urgency or take advantage of user trust and curiosity to entice victims to click. Here are examples of subject lines to be cautious of.

Remember me? It’s Tim Timmerson from Sunnytown High! Criminals use social engineering tactics to find out the names of the people close to you. They may also hack a friend or relative’s email account and use their contact lists as ammo. Next, they research and impersonate someone you know, or used to know, through chats and emails. Not quite sure about a message you received? Hover your mouse over the sender address (without clicking) to see who the real sender is.

Online Banking Alert: Your Account will be Deactivated. Imagine the sense of urgency this type of subject line might create. In your panicked rush to find out what’s going on with your account, you might not look too closely at the sender and the URL they want you to visit. At the end of March, a Bank of America email scam just like this was successfully making the rounds. Initially, the email looked completely legitimate and explained politely that a routine server upgrade had locked the recipient out of their account. At this point, when clicking the link to update their account details, an unsuspecting victim would be handing their login credentials and banking information over to cybercriminals.

USPS: Failed Package Delivery. Be wary of emails saying you missed a package, especially if they have Microsoft Word documents attached. These attacks use the attachments to execute ransomware payloads through macros. Senior Threat Research Analyst Tyler Moffitt walks us through what it’s like to get hit with a ransomware payload from a USPS phishing email.

United States District Court: Subpoena in a civil case. Another common phishing attack imitates government entities and may try to tell you that you’re being subpoenaed. The details and court date are, of course, in the attachment, which will deliver malware.

CAMPUS SECURITY NOTIFICATION: Phishing attacks have been targeting college students and imitating official university emails. Last month, officials at The University of North Carolina learned of an attack on their students that included a notification email stating there was a security situation. The emails were coming from a non-uncg.edu address and instructed users to “follow protocols outlined in the hyperlink”. Afterward, the attacker would ask victims to reset their password and collect their sensitive information.

Ready for your beach vacay? Vacation scams offer great deals or even free airfare if you book RIGHT NOW. These scams are usually accompanied by overpriced hotel fees, hidden costs, timeshare pitches that usually don’t pan out, and even the theft of your credit card information. Check the legitimacy of offers by hovering over links to see the full domain, copying and pasting links into a notepad to take a closer look, and by researching the organization.

Update your direct deposit to receive your tax refund. The IRS warns of last minute email phishing scams that take advantage of everyone’s desire for hard-earned refunds and no doubt, their banking credentials.

Read between the lines

  1. Enable an email spam filter
  2. Hover over links before you click
  3. Keep your cybersecurity software up to date
  4. Disable macros to avoid ransomware payloads
  5. Ignore unsolicited emails and attachments
  6. Be on the lookout for the top 5 tax season scams
  7. Educate yourself on social engineering attacks
  8. Check the Federal Trade Commission’s scam alerts

Help us create awareness around scams and phishing attacks with dangerous subject lines. Education to adopt safer online habits should be top priority. So, share this blog with your colleagues.

Rush, Mike. “7 Dangerous Subject Lines” Webroot, April 2017

Posted in: E-mail, Security


How to Protect Your Privacy on Public WiFi Networks

So you’re at your favorite coffee shop and have hopped on to the free WiFi with your tablet to check your social networks and maybe take a quick peek at your bank balance while you’re enjoying your latte. We’re so used to having Internet access whenever and wherever we need it that we don’t often stop to consider whether logging into a public network is safe.

Here are three major ways these free, open hotspots could get you into trouble.

The risks of free WiFi

Using public WiFi isn’t unlike having a conversation in a public place: Others can overhear you. If you don’t take precautions, information your devices send over a public WiFi network goes out in clear text — and anyone else on the network could easily take a look at what you’re doing with just a few simple software tools.

Someone spying could easily pick up your passwords or other private information. If you use the same password on multiple sites, that could be a big problem. Mallon reports that this is the biggest concern with public hotspots.

The next potential problem is what is called a honeypot. Thieves might set up their own WiFi hotspot with an unassuming name like “Public WiFi” to tempt you to connect so they can grab up any data you send. These are easy to set up without any kind of special equipment — it could be done just using a laptop or smartphone — so you could run into them anywhere. News reports about honeypots pop up once or twice a year.

Finally, using public WiFi puts you at risk for session hijacking, in which a hacker who’s monitoring your WiFi traffic attempts to take over an open session you have with an online service (like a social media site or an email client) by stealing the browser cookies the service uses to recognize who you are. Once hackers have that cookie, they can pretend to be you on these sites or even find your login and password information stored inside the cookie.

How to stay safe on public WiFi

Before you connect, be sure you know whose network you’re connecting to so you don’t fall prey to WiFi honeypots. If you’re not sure what the public network at a business is called, ask an employee before connecting.

Check to make sure your computer or smartphone is not set up to automatically connect to unknown WiFi networks — or set it to ask you before connecting — so you’re sure you know what you’re connecting to when you connect.

Make sure to connect to websites via HTTPS, which encrypts anything you send and receive from the website. While a VPN service encrypts everything you send, HTTPS ensures that communication to and from a particular website is secure. To verify that you’re connected via HTTPS, look at the address bar of your browser window; you should see “HTTPS” at the beginning of the web address (or, on some web browsers, a lock icon). Looking for HTTPS isn’t enough, though. Hackers have been able to acquire legitimate SSL certificates for sites with names that are slightly off from those of major financial institutions, and so those sites also bear HTTPS at the front of the URL. Site names have included banskfamerica.com, paypwil.com and itunes-security.net.
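The lookalike names above (banskfamerica.com, paypwil.com, itunes-security.net) are the kind of thing a defender can flag in proxy or mail logs before a user ever sees the lock icon. The following is an added example, not code from the Techlicious article: the brand list is constructed (itunes.com is a hypothetical entry), the registrable domain is approximated as the last two labels, and it also covers a brand name embedded as a subdomain label, which the article does not mention.

```python
"""Flag hostnames that resemble, but are not, a known brand's domain.

Constructed example. Two checks are applied to each hostname:
  1. typosquat:      the registrable label is within a few edits of a
                     brand label (banskfamerica vs bankofamerica).
  2. brand-in-name:  a brand label appears inside a label of an unrelated
                     domain (itunes-security.net, paypal.com.evil.example).
Registrable domain is approximated as the last two labels; a real
deployment would use the public suffix list so co.uk-style names work.
"""
from __future__ import annotations

# Constructed brand list a defender wants to protect. itunes.com is a
# hypothetical entry so the article's itunes-security.net example matches.
BRANDS = {"bankofamerica.com", "paypal.com", "itunes.com", "apple.com"}

# Two edits catches the article's examples; short brand labels (5-6 chars)
# will need a tighter threshold to keep false positives down.
MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insert/delete/substitute edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Approximate registrable domain: last two DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify(host: str, max_edits: int = MAX_EDITS) -> tuple[str, str | None]:
    """Return (verdict, matched_brand) for a hostname.

    verdict is "brand" (the brand domain itself or a subdomain of it),
    "typosquat", "brand-in-name" or "unknown".
    """
    host = host.lower().rstrip(".")
    reg = registrable(host)
    reg_label = reg.split(".")[0]

    # Exact registrable match: the genuine site or a legitimate subdomain.
    for brand in BRANDS:
        if reg == brand:
            return "brand", brand

    # Close edit distance on the registrable label: classic typosquat.
    for brand in sorted(BRANDS):
        if levenshtein(reg_label, brand.split(".")[0]) <= max_edits:
            return "typosquat", brand

    # Brand label embedded anywhere in the hostname, but the registrable
    # domain belongs to someone else (itunes-security.net, paypal.com.evil.example).
    for brand in sorted(BRANDS):
        brand_label = brand.split(".")[0]
        if any(brand_label in label for label in host.split(".")):
            return "brand-in-name", brand

    return "unknown", None


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in a proxy log.
    for h in ["www.bankofamerica.com", "banskfamerica.com", "paypwil.com",
              "itunes-security.net", "paypal.com.login-example.net", "example.org"]:
        print(f"{h:32} {classify(h)}")
```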

To encrypt all of the data you send, use a VPN service. Anyone trying to steal your data will see only encrypted data that they can’t get into. There are many services that can do this, including NordVPN and Buffered VPN. VPN services charge a fee for their use, with pay packages ranging from day passes to year-round protection. Keep in mind that services like Netflix may not let you connect if you’re using a VPN service.

Whenever you can, use two-factor authentication, which requires both a password and a secondary code that changes regularly, for websites. This makes it very difficult for hackers to get at your accounts because even if they can get your password, they won’t have the secondary code. Though not all services support it, many popular sites offer this level of security including Google, Facebook, Twitter, LinkedIn, Apple and Microsoft.

Make sure your computer isn’t configured to share access to files or be seen on public or guest networks. When you’re at home, it may be convenient to keep things in a folder you share with other members of the household, but that’s less safe when you’re connecting to public WiFi.

Disable sharing in:

  • Windows 10: Click on the Windows icon > Settings > Network and Internet > Wi-Fi > scroll down to Advanced sharing settings > Turn off file and printer sharing and network discovery > Save changes.
  • Windows 8: Go to Control Panel > Network and Internet > View network status and tasks > Change advanced sharing settings > Turn off file and printer sharing and network discovery > Save changes.
  • Windows 7: Go to Control Panel > Network and Sharing Center > Change advanced sharing settings > Home or Work > Turn off file and printer sharing > Save changes.
  • Mac OS X: Go to System Preferences > Sharing and be sure that File Sharing doesn’t have a check mark by it.

Good luck, and safe browsing!

Harper, Elizabeth. “How to Protect Your Privacy on Public WiFi Networks” Techlicious, October 2016

Posted in: Security, Tech Tips for Business Owners


9 Simple Ways to Protect Your Privacy

While you may think your personal information is actually personal you’d be surprised how much information about you winds up online. Just do a search for yourself on Pipl, a people search directory, to see the personal details out there. (Go on, we’ll wait.) Chances are the search came up with your name, social media profiles and possibly even your parents’ names, address and telephone number too.

Pipl isn’t some secret hacker database. It’s just a repository of publicly available online data about individuals, all of which businesses and advertisers are eager to get their hands on. That’s right: this sort of data collection is completely legitimate, and a lot of it is pulled from information you put online.

Whether you’re worried about identity theft or you just don’t like the idea of other people tracking your every move, there are steps you can take to keep your private data private.

1. Password-protect everything.

You may not think it’s necessary to password-protect your home computer, but all your digital devices should be password-protected. That includes your computers, tablets, smartphones and any other gadgets with personal data on them. If it’s unsecured by a password, a lost or stolen gadget is a source of personal information for whoever has it, which can lead to identity theft and worse.

The same advice goes for online accounts. Since most of these need a password to set up, the challenge is making strong passwords. Use our tips for strong passwords to be sure yours is a good one. Don’t use the same password for more than one site, because one hacked account could result in all your accounts being compromised. To help you remember all of these passwords, use a password manager such as LastPass or RoboForm.

Turn on two-factor authentication for any site that supports it, which protects your account even if a hacker does get your password. And those security questions designed to help you recover a lost password or forgotten user name? They aren’t very secure, because some of them are very easy for hackers to find out. We recommend making up answers instead and keeping that information in your password manager.

Change the default passwords for anything connected to your home network. Your router is the most important device to secure, because your router could give a hacker complete access to your home network. Don’t forget other connected devices like baby monitors.

2. Keep your computer virus-free.

Digital security has a lot to do with digital privacy. If your computer is infected by a virus or malware, not only can hackers dig through your data to steal your identity, but they may lock up your files and ask for a ransom to get them back. The solution? Run an antivirus program to watch for viruses, and keep your other software up to date to close security holes. This applies not only to your computer but your mobile devices as well.

Our favorite antivirus is Webroot, which offers protection for Windows, Apple and Android devices. If you’d rather use a free app, try Avast. It doesn’t have as many features as Webroot, but it’s a solid antivirus scanner, and the price is certainly right.

Make sure your operating system is up to date with the latest security patches. To make that process easier, we recommend turning on auto-update features. Here’s how:

  • Turn on automatic updates for Windows.
  • MacOS automatically checks for updates by default, but you can check manually with these instructions.
  • Android typically notifies you of updates, but you’ll need to install them manually. Instructions will vary depending on your device and the version of Android you’re currently running; check with your device manufacturer for details.
  • iOS will nag you incessantly about updates, so there’s no chance you’ll miss them. Here’s a walk-through of how to update.

3. Secure your browser.

Your browser is how you interact with the digital world, and if you aren’t careful, you could be leaving a trail of footprints behind you as you browse. Whether it’s websites and marketers tracking you or a hacker spying on what you’re doing, there are ways to keep your browsing habits private.

The first step for keeping advertisers out of your browser is turning off third-party cookies. Advertisers use cookies to see where you’ve been and tailor the ads they show you appropriately. Here’s how to block cookies in Chrome, Edge, Internet Explorer, Firefox and Safari.

To go a step farther, you can disable JavaScript. This cuts off another common way advertisers (or hackers) track you, but it can render some web pages nonfunctional. If you want to turn JavaScript off anyway, here’s how to do it in Chrome, Edge, Internet Explorer, Firefox and Safari.

Don’t want to worry about any of this? Try the Privacy Badger browser plug-in for Chrome, Firefox and Opera, which shuts down many potential trackers automatically. HTTPS Everywhere is another good browser plug-in that forces your browser to use secure, encrypted sites when they’re available, which helps keep snoops out of your data.

Private browsing mode deletes your cookies, browsing history and other temporary files whenever you close the window. Here’s how to use private browsing mode on Chrome, Edge, Internet Explorer, Firefox and Safari. If you’re serious about discreet browsing, though, read this article on browsing the web anonymously.

4. Switch search engines.

Most search engines keep tabs on what you’re looking for so they can target ads to your tastes. If you don’t like the idea of your search history being used to sell you things, DuckDuckGo is the search engine for you. The site doesn’t track any of your personal data, so you can search without anyone watching over your shoulder.

5. Be careful what you share on social media.

Social media can feel like a conversation with your closest friends — except it may be a conversation the whole world can see. If you post enough on social media, the information can be used to track where you are and what you’re up to.

The first line of defense is to lock down your social media accounts. Share only with the people you want to see the information you’re sharing, like your friends and family. On Twitter, your account is either completely open or locked down to people you invite to follow you; changing that setting is as easy as clicking a checkbox. Facebook allows more granular control over who sees what you post. Read How to Keep Facebook Privacy Private to configure your profile.

Don’t want to lock down your account? Then be choosy about what you share. Take special care with personal information that could be used to identify you or track your location. Don’t fill out your complete profile in order to prevent being easily identified or to give someone enough personal details to steal your identity. Consider dialing down what you share. Do you really need to check in to every business you visit, making yourself easy to track? Maybe not.

6. Ask why others need your information.

Whenever you’re asked to provide personal information, whether in person, on the phone or online, consider whether you really need to give it out. Sometimes information like your email address and ZIP code is used purely for marketing purposes; in that case, expect your real and virtual mailboxes to be packed with junk mail.

To maintain your privacy, never give away more information than you have to. This is doubly true of sensitive personal information like your social security number — even just the last four digits. Unless it’s your bank, a credit bureau, a company that wants to do a background check on you or some other entity that has to report to the IRS, chances are they don’t really need it.

7. Don’t fall for scams.

Beware of websites, phone calls and emails that try to part you from your personal information. Scammers are getting better at mimicking legitimate businesses, so be on your guard. A common tactic with scammers is to pressure you into giving up your personal information by presenting dire consequences if you don’t. For example, a scammer may tell you that you’re being audited by the IRS or that your computer has a dangerous virus they can fix if you hand over your personal information.

These high-pressure tactics can spook you into giving up plenty of personal details, but don’t be fooled. Legitimate businesses don’t make unsolicited calls to ask for your social security number or computer password. If you’ve received a call or email like this you think may be legitimate, contact the business it claims to be from. Don’t use the link or phone number provided by whoever contacted you; instead, contact the company directly using contact information you personally look up on the company’s website. If the matter is legitimate, the company will confirm so and help you resolve the issue while making sure your personal information stays safe.

8. Only use software you trust.

Whether you’re installing new software on your phone or your computer, make sure you’re getting it from a source you trust. Legitimate-looking software can sometimes turn out to be a complete scam, like the scandal over the Meitu photo app, which collects a mountain of data on its users. Make sure anything you download comes from a trusted developer and a trusted source.

If you don’t know where your software comes from, you don’t know what it’s really doing — and that means there’s no telling where your information is going.

9. Only use secure Wi-Fi connections.

Sure, it’s convenient to use the free Wi-Fi service at your local Starbucks, but there’s no telling who is watching that internet traffic. If you use public Wi-Fi, don’t use it to convey private information. Browsing your favorite website is fine, but take extra security measures if you’re logging into an account. Use a VPN service to encrypt all of the data you send. There are many services that can do this, including NordVPN and Buffered VPN. VPN services charge a fee to use, from day passes to year-round protection.

Harper, Elizabeth. “9 Simple Ways to Protect Your Privacy” Techlicious January 2017

Posted in: Security, Tech Tips for Business Owners


Ransomware: Legal Breach Notification Cheat Sheet

Incidents of ransomware are on the rise, and it’s a growing concern for all of us. We have all been well versed in what not to open or click on. But it is equally important to be informed about what actions you need to take if you fall victim to a ransomware attack.

If your business falls under breach notification rules, here is a cheat sheet that presents information without all the legalese.

Breach Notification Rules for Ransomware

The real issue to investigate is whether unauthorized access alone triggers a notification to customers. In effect, that is what ransomware is doing – accessing your PII without your permission.

We present for your ransomware breach response edification the following:

  1. Healthcare– HIPAA’s Breach Notification Rule requires covered entities (hospitals, insurers) to notify customers and the Department of Health and Human Services (HHS) when there’s been unauthorized access to protected health information (PHI). This is the strictest of the federal consumer data laws when it comes to a ransomware breach response. HHS has put out a helpful guideline explaining more of the complexities involved in determining whether a PHI breach has occurred.
  2. Consumer banks and loan companies– Under GLBA, the Federal Trade Commission (FTC) enforces data protection rules for consumer banking and finance through the Safeguards Rule. According to the FTC, ransomware (or any other malware attack) on your favorite bank or lender would not require a notification. They recommend that these financial companies alert customers, but it’s not an explicit obligation.
  3. Brokers, dealers, investment advisors– The Securities and Exchange Commission (SEC) has regulatory authority for these types of investment firms. Under GLBA, the SEC came up with its own rule, called Regulation S-P, which does call for a breach response program. But there’s no explicit breach notification requirement in the program. In other words, it’s something you should do, but you don’t have to.
  4. Investment banks, national banks, private bankers– With these remaining investment companies, the Federal Reserve and various Treasury Department agencies jointly came up with their own rules. In this case, these companies have “an affirmative duty” to protect against unauthorized use or access, and notification is part of that duty. In the fine print it says, though, that there has to be a determination of “misuse” of data. Whether ransomware’s encryption is misuse of the data is unclear. In any case, the rules spell out what the notification must contain — a description of the incident and the data that was accessed.

Green, Andy. “Ransomware: Legal Cheat Sheet”. Inside Out Security Blog – Data Security, January 2017

Posted in: Disaster Recovery, Security


What is Spearphishing? How to Stay Safe Online From this Effective Cybercrime Technique

Spearphishing? All it takes is a single click, but it doesn’t have to be this way.

Hackers, spammers and cybercriminals have a multitude of methods they can use to infiltrate computer systems, steal data, plant malware or compromise your personal information. One of the most long-standing tactics is targeted ‘phishing’, also known as spearphishing.

It has endured because it works: unwitting web users continue to receive malicious messages and still fall victim to their charms. If you are wondering how dangerous they can be, just ask John Podesta, the US political player who lost tens of thousands of emails with a single click.

When a spearphishing email lands in your inbox, it’s rarely a mistake. Using your personal information – either hacked from another source or lifted from a public social media profile – spammers are able to produce slick and highly convincing messages.

They will appear legitimate, but spearphishing emails usually contain malware, spyware or another form of virus – often hidden in a link. When clicked, the payload will usually download automatically onto your computer and go to work – stealing files, locking records or logging your keystrokes.

Using your own personal information against you, hackers can craft an extremely personalized email message. It will likely be addressed to you by name and will reference a specific event in your life, something that will make you believe the sender is real and trustworthy.

What information could they possibly know?

Using social media, the spammer will likely already know your age, where you work, what school you attended, personal interests, what you eat for dinner, what concerts you have been to recently, where you shop, what films you like, what music you listen to, your sexual preference, and more.

But this is enough. Using that information, a hacker could easily pose as your friend and ask for further information about you – your phone number, password, even bank details. Not everyone would fall for the scam, but many still do if they believe the sender is who they claim to be.

A hacker using spearphishing may pose as a retailer, online service or bank to fool you into resetting your credentials via a spoofed landing page. The email may ask you to reset your password or re-verify your credit card number because suspicious activity has been detected on your account.

If the email tempts you to click an embedded link, it could also download a keylogger or Remote Access Trojan (RAT) onto your computer to steal bank details or social media passwords as you type them. Many people re-use passwords across multiple websites, so the danger of hacking is high.

How to stay protected

Stay protected by being aware of the threats and remaining extremely careful about what personal information you put online. Limit what pictures you post to Facebook or Twitter, check where your email address is listed and ensure your computer’s security is kept up to date.

Ensure the passwords you use are original, lengthy and, most importantly, unique to every online website or service. A strong password will contain a mixture of characters, numbers and symbols. If possible, enable two-step authentication on every account that offers it.

Finally, know the signs and stay vigilant. If you receive an email from a close friend that asks for personal information, think twice before replying, and ask them to verify their identity first. Also, know that any real business or bank is unlikely to request sensitive data via email.

Unfortunately, it only takes one click of a mouse for the hacker to access your system, and despite the advanced spam filters of current email providers, spearphishing emails will continue to slip through the cracks.

Murock, Jason. “What is Spearphishing? How to stay safe online from this effective cybercrime technique”. IBT. December 2016

Posted in: E-mail, Mobile Computing, Security
