Blog

Archive for Security

‘Major scale’ malware targets your Mac through email scams

Mac users are increasingly being targeted by malware after years of being relatively safe, and that means they’re facing attacks that other users have unfortunately come to expect for a while. Check Point researchers have discovered Dok, the first “major scale” trojan that targets macOS through an email phishing campaign. The bogus messages (usually aimed at European users) are meant to trick you into downloading a ZIP file that, if you launch it, gives the malware control over your system and lets attackers intercept your internet traffic to spy on your activity or impersonate websites. It’ll even delete itself when the intruders are done.

Like many attachment-based phishing attacks, you have to go out of your way to infect your system. You’re not going to get a Dok infection just by opening a message, thankfully. And if you do fall prey to the malware, iMore has instructions that will help you scrub your system clean. However, the rogue code also appears to rely on a faked certificate that bypasses Apple’s Gatekeeper screening, giving it carte blanche if you’re not careful. It might be easy to avoid, but it’s potentially very damaging if it gets through and you don’t look for warning signs.

More than anything, Dok serves as a reminder that you can’t assume you’re safe just because you use a non-standard platform. Malware writers still tend to target Windows simply because it represents the largest potential target, but some of them are willing to aim at Mac users in hopes of cornering an untapped “market” for victims.

Posted in: Security

Leave a Comment (0) →

4 Ways to Lock Your Windows 10 PC

Many of us are responsible for not only our own data, but the data of our clients as well.  Whether  or not you are subject to compliance regulations such as those in the medical or financial services industry, it is vital that we take seriously the security of the data that is entrusted to us.

Most importantly, you should never leave your PC unattended. But if you have to leave your Windows 10 PC alone for a period of time and don’t want to shut it down, we have a few alternatives for you.

Give these tips a try!

  1. Windows-L

Hit the Windows key and the L key on your keyboard. Keyboard shortcut for the lock!

  1. Ctrl-Alt-Del

Press Ctrl-Alt-Delete. On the menu that pops up, click Lock. Easy as 1,2,3 –  done!

  1. Start button

Tap or click the Start button in the bottom-left corner. Click your user icon and then select Lock.

 

  1. Auto lock via screen saver

You can set your PC to lock automatically when the screen saver pops up. Go to Control Panel > Appearance & Personalization > Change screen saver and then check the box for On resume, display logon screen. You can also set a time for how long your PC should wait before starting the screen saver. Now, when you exit out of the screensaver, you’ll need to enter your system password to get back in.

 

With Windows 10 Creators Update, Microsoft moved this screen saver setting from the Control Panel to Settings. You can find it by going to Settings > Personalization > Lock screen > Screen saver settings.

 

Posted in: MS Office Tips and Tricks, Security

Leave a Comment (0) →

Thursday, May 4 – World Password Day

May 4 is coming up and has been designated as World Password Day to remind enterprise workers and consumers everywhere to use strong, updated passwords to protect cybersecurity.

World Password Day is a celebration to promote better password habits. Passwords are critical gatekeepers to our digital identities, allowing us to access online shopping, dating, banking, social media, private work and life communications.

Security firm BullGuard cited recent studies showing that 90% of all passwords are vulnerable to attack in seconds. Also, 10,000 common passwords like “qwerty” or “12345678” allow access to 98% of all accounts, BullGuard said. Amazingly, 21% of online users rely on passwords that are 10 years old, the company said.

So, why not jump on-board – here are some great tips to get you started!

How do I create strong passwords?

The key to a strong password is length. Your passwords should be 12 characters long at the very least, and difficult for someone to guess. Avoid using personal information, especially if someone can find the answer on social media, or by searching your name online.

In addition to length, secure passwords also use a mix of uppercase, lowercase, numbers and symbols.

This may seem daunting but there is a simple solution. Try using a passphrase instead of a password. A pass phrase is a short saying that you modify to become a strong password. For example, “Thund3r Sh0wers at Suns3t” would be a very strong password that’s also easy to remember.

Why use different passwords for each account?

Imagine if one key opened your front door, your car, your bank, and your safe. If someone got hold of your one key — poof — they have access to everything. That’s more or less your situation when you recycle passwords. If it’s someone has access to your one, key password, they have access to everything.

Cyber criminals know people reuse passwords, and after a major password leak, they’ll try using those passwords and email addresses to get into all kinds of sites. Often, it works.

Don’t get caught in this trap. The solution is simple: have different passwords for every online account. That way if one account is compromised you can rest easy knowing your other accounts are still safe.

If you think it would be difficult to remember all those passwords, move on to the next section for an easy solution.

Why get a password manager?

A good password manager safely stores all your passwords, remembers them and can generate strong passwords for you. This makes it incredibly easy to use different, hard-to-remember passwords for every account, so you only have to remember the one master password to get in. All the security – less hassle!

But what if someone gets your master password? Luckily, quality password managers have prepared for this by ensuring they only work on your registered devices. That way, if someone tries to log in from an unregistered device, the password manager will block access until the user completes a second, or third login step, like entering a secret code that is emailed or texted to you. If you get an email saying someone is trying to login from an unknown device, you’ll know you should change your master password as soon as possible.

In addition to emailed and texted codes, some password managers also let you add fingerprint, and face recognition options and devices you trust — this is called multi-factor authentication, and it offers convenient, powerful protection for your password vault.

What is multi-factor authentication and how do I use it?

How does multi-factor work?
If you’ve ever used a fingerprint reader on your phone, you’ve used multi-factor! For example, when you download an app from an app store, it first checks you’re on a trusted device (Factor 1) and then verifies you’re you with your fingerprint (Factor 2).

If you’re on a computer, usually it’s like this: when you enter your username and password, you’ll be asked for a verification code that will be texted to your phone. Pop in that single-use code, and you’re in. Ta-da! Multi-factor authentication!

Why should I use multi-factor?
Last year, 450 million passwords were leaked from major Internet companies. Adding an extra layer to your passwords significantly decreases the risk of someone accessing your account. Think of it like a second lock on your door, or a moat surrounding a castle.


One thing to realize is that two-factor authentication (2FA) is one of the best methods to protect the account you log into. If you are accessing your work systems remotely you should have a 2FA solution in place.

If you don’t, one of our experienced professionals would be a happy to discuss implementing this for you and your organization..

Give us a call at (732) 780-8615 or send us an email at support@trinityww.com to schedule a consultation.

Posted in: Security

Leave a Comment (0) →

7 Dangerous Subject Lines

Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. But you can avoid such attacks by being patient, checking email addresses, and being cautious of sketchy-sounding subject lines.

2 out of 5 people open emails from unknown senders!

7 dangerous subject lines to watch for

Cybercriminals initiate their attacks through hyperlinks or attachments within emails. Most of these attacks use urgency or take advantage of user trust and curiosity to entice victims to click. Here are examples of subject lines to be cautious of.

Remember me? It’s Tim Timmerson from Sunnytown High! Criminals use social engineering tactics to find out the names of the people close to you. They may also hack a friend or relative’s email account and use their contact lists as ammo. Next, they research and impersonate someone you know, or used to know, through chats and emails. Not quite sure about a message you received? Hover your mouse over the sender address (without clicking) to see who the real sender is.

Online Banking Alert: Your Account will be Deactivated. Imagine the sense of urgency this type of subject line might create. In your panicked rush to find out what’s going on with your account, you might not look too closely at the sender and the URL they want you to visit. At the end of March, a Bank of America email scam just like this was successfully making the rounds. Initially, the email looked completely legitimate and explained politely that a routine server upgrade had locked the recipient out of their account. At this point, when clicking the link to update their account details, an unsuspecting victim would be handing their login credentials and banking information over to cybercriminals.

USPS: Failed Package Delivery. Be wary of emails saying you missed a package, especially if they have Microsoft Word documents attached. These attacks use the attachments to execute ransomware payloads through macros. Senior Threat Research Analyst Tyler Moffitt walks us through what it’s like to get hit with a ransomware payload from a USPS phishing email.

United States District Court: Subpoena in a civil case. Another common phishing attack imitates government entities and may try to tell you that you’re being subpoenaed. The details and court date are, of course, in the attachment, which will deliver malware.

CAMPUS SECURITY NOTIFICATION: Phishing attacks have been targeting college students and imitating official university emails. Last month, officials at The University of North Carolina learned of an attack on their students that included a notification email stating there was a security situation. The emails were coming from a non-uncg.edu address and instructed users to “follow protocols outlined in the hyperlink”. Afterward, the attacker would ask victims to reset their password and collect their sensitive information.

Ready for your beach vacay? Vacation scams offer great deals or even free airfare if you book RIGHT NOW. These scams are usually accompanied by overpriced hotel fees, hidden costs, timeshare pitches that usually don’t pan out, and even the theft of your credit card information. Check the legitimacy of offers by hovering over links to see the full domain, copy and pasting links into a notepad to take a closer look, and by researching the organization.

Update your direct deposit to receive your tax refund. The IRS warns of last minute email phishing scams that take advantage of everyone’s desire for hard-earned refunds and no doubt, their banking credentials.

Read between the lines

  1. Enable an email spam filter
  2. Hover over links before you click
  3. Keep your cybersecurity software up to date
  4. Disable macros to avoid ransomware payloads
  5. Ignore unsolicited emails and attachments
  6. Be on the lookout for the top 5 tax season scams
  7. Educate yourself on social engineering attacks
  8. Check the Federal Trade Commission’s scam alerts

Help us create awareness around scams and phishing attacks with dangerous subject lines. Education to adopt safer online habits should be top priority. So, share this blog with your colleagues.

Rush, Mike. “7 Dangerous Subject Line” Webroot, April 2017

Posted in: E-mail, Security

Leave a Comment (0) →

How to Protect Your Privacy on Public WiFi Networks

So you’re at your favorite coffee shop and have hopped on to the free WiFi with your tablet to check your social networks and maybe take a quick peek at your bank balance while you’re enjoying your latte. We’re so used to having Internet access whenever and wherever we need it that we don’t often stop to consider whether logging into a public network is safe.

Here are three major ways these free, open hotspots could get you into trouble.

The risks of free WiFi

Using public WiFi isn’t unlike having a conversation in a public place: Others can overhear you. If you don’t take precautions, information your devices send over a public WiFi network goes out in clear text — and anyone else on the network could easily take a look at what you’re doing with just a few simple software tools.

Someone spying could easily pick up your passwords or other private information. If you use the same password on multiple sites, that could be a big problem. Mallon reports that this is the biggest concern with public hotspots.

The next potential problem is what is called a honeypot. Thieves might set up their own WiFi hotspot with an unassuming name like “Public WiFi” to tempt you to connect so they can grab up any data you send. These are easy to set up without any kind of special equipment — it could be done just using a laptop or smartphone — so you could run into them anywhere. News reports about honeypots pop up once or twice a year.

Finally, using public WiFi puts you at risk for session hijacking, in which a hacker who’s monitoring your WiFi traffic attempts to take over an open session you have with an online service (like a social media site or an email client) by stealing the browser cookies the service uses to recognize who you are. Once hackers have that cookie, they can pretend to be you on these sites or even find your login and password information stored inside the cookie.

How to stay safe on public WiFi

Before you connect, be sure you know whose network you’re connecting to so you don’t fall prey to WiFi honeypots. If you’re not sure what the public network at a business is called, ask an employee before connecting.

Check to make sure your computer or smartphone is not set up to automatically connect to unknown WiFi networks — or set it to ask you before connecting — so you’re sure you know what you’re connecting to when you connect.

Make sure to connect to websites via HTTPS, which encrypts anything you send and receive from the website. While a VPN service encrypts everything you send, HTTPS ensures that communication to and from a particular website is secure. To verify if you’re connected via HTTPS, look at the address bar of your browser window; you should see “HTTPS” at the beginning of the web address (or, on some web browsers, a lock icon). Looking for HTTPS isn’t enough, though. Hackers have been able to acquire legitimate SSL certificates for site with names that are slightly off those of major financial institutions, as so bear the HTTPS at the front of the URL. Site names include banskfamerica.com, paypwil.com and itunes-security.net.

To encrypt all of the data you send, use a VPN service. Anyone trying to steal your data will see only encrypted data that they can’t get into. There are many services that can do this, including NordVPN and Buffered VPN. VPN services charge a fee for their use, with pay packages ranging from day passes to year-round protection. Keep in mind that services like Netflix many not let you connect if you’re using a VPN service.

Whenever you can, use two-factor authentication, which requires both a password and a secondary code that changes regularly, for websites. This makes it very difficult for hackers to get at your accounts because even if they can get your password, they won’t have the secondary code. Though not all services support it, many popular sites offer this level of security including Google, Facebook, Twitter, LinkedIn, Apple and Microsoft.

Make sure your computer isn’t configured to share access to files or be seen on public or guest networks. When you’re at home, it may be convenient to keep things in a folder you share with other members of the household, but that’s less safe when you’re connecting to public WiFi.

Disable sharing in:

  • Windows 10: Click on the Windows icon > Settings > Network and Internet > Wi-Fi> Scroll down to Advanced sharing settings Turn off file and printer sharing and network discovery> Save changes.
  • Windows 8: Go to Control Panel > Network and Internet > View network status and Tasks > Change advanced sharing settings > Turn off file and printer sharing and network discovery> Save changes.
  • Windows 7: Go to Control Panel > Network and Sharing Center > Change advanced sharing settings > Home or Work > Turn off file and printer sharing > Save changes.
  • Mac OS X: Go to System Preferences > Sharing and be sure that File Sharing doesn’t have a check mark by it.

Good luck, and safe browsing!

Harper, Elizabeth. “How to Protect Your Privacy on Public WiFi Networks” Techlicious, October 2016

Posted in: Security, Tech Tips for Business Owners

Leave a Comment (0) →

9 Simple Ways to Protect Your Privacy

While you may think your personal information is actually personal you’d be surprised how much information about you winds up online. Just do a search for yourself on Pipl, a people search directory, to see the personal details out there. (Go on, we’ll wait.) Chances are the search came up with your name, social media profiles and possibly even your parents’ names, address and telephone number too.

Pipl isn’t some secret hacker database. It’s just a repository of publicly available online data about individuals, all of which businesses and advertisers are eager to get their hands on. That’s right: this sort of data collection is completely legitimate, and a lot of it is pulled from information you put online.

Whether you’re worried about identity theft or you just don’t like the idea of other people tracking your every move, there are steps you can take to keep your private data private.

1. Password-protect everything.

You may not think it’s necessary to password-protect your home computer, but all your digital devices should be password-protected. That includes your computers, tablets, smartphones and anything other gadgets with personal data on them. If it’s unsecured by a password, a lost or stolen gadget is a source of personal information for whoever has it, which can lead to identity theft and worse.

The same advice goes for online accounts. Since most of these need a password to set up, the challenge is making strong passwords. Use our tips for strong passwords to be sure yours is a good one. Don’t use the same password for more than one site, because one hacked account could result in all your accounts being compromised. To help you remember all of these passwords, use a password manager such as LastPass or RoboForm.

Turn on two-factor authentication for any site that supports it, which protects your account even if a hacker does get your password. And those security questions designed to help you recover a lost password or forgotten user name? They aren’t very secure, because some of them are very easy for hackers to find out. We recommend making up answers instead and keeping that information in your password manager.

Change the default passwords for anything connected to your home network. Your router is the most important device to secure, because your router could give a hacker complete access to your home network. Don’t forget other connected devices like baby monitors.

2. Keep your computer virus-free.

Digital security has a lot to do with digital privacy. If your computer is infected by a virus or malware, not only can hackers dig through your data to steal your identity, but they may lock up your files and ask for a ransom to get them back. The solution? Run an antivirus program to watch for viruses, and keep your other software up to date to close security holes. This applies not only to your computer but your mobile devices as well.

Our favorite antivirus is Webroot, which offers protection for Windows, Apple and Android devices. If you’d rather use a free app, try Avast. It doesn’t have as many features as Webroot, but it’s a solid antivirus scanner, and the price is certainly right.

Make sure your operating system is up to date with the latest security patches. To make that process easier, we recommend turning on auto-update features. Here’s how:

  • Turn on automatic updates for Windows.
  • MacOS automatically checks for updates by default, but you can check manually with these instructions.
  • Android typically notifies you of updates, but you’ll need to install them manually. Instructions will vary depending on your device and the version of Android you’re currently running; check with your device manufacturer for details.
  • iOS will nag you incessantly about updates, so there’s no chance you’ll miss them. Here’s a walk-through of how to update.

3. Secure your browser.

Your browser is how you interact with the digital world, and if you aren’t careful, you could be leaving a trail of footprints behind you as you browse. Whether it’s websites and marketers tracking you or a hacker spying on what you’re doing, there are ways to keep your browsing habits private.

The first step for keeping advertisers out of your browser is turning off third-party cookies. Advertisers use cookies to see where you’ve been and tailor the ads they show you appropriately. Here’s how to block cookies in ChromeEdgeInternet ExplorerFirefox and Safari.

To go a step farther, you can disable JavaScript. This cuts off another common way advertisers (or hackers) track you, but it can render some web pages nonfunctional. If you want to turn JavaScript off anyway, here’s how to do it in ChromeEdgeInternet ExplorerFirefox and Safari.

Don’t want to worry about any of this? Try the Privacy Badger browser plug-in for Chrome, Firefox and Opera, which shuts down many potential trackers automatically. HTTPS Everywhere is another good browser plug-in that forces your browser to use secure, encrypted sites when they’re available, which helps keep snoops out of your data.

Private browsing mode deletes your cookies, browsing history and other temporary files whenever you close the window. Here’s how to use private browsing mode on ChromeEdgeInternet ExplorerFirefox and Safari. If you’re serious about discreet browsing, though, read this article on browsing the web anonymously.

4. Switch search engines.

Most search engines keep tabs on what you’re looking for so they can target ads to your tastes. If you don’t like the idea of your search history being used to sell you things, DuckDuckGo is the search engine for you. The site doesn’t track any of your personal data, so you can search without anyone watching over your shoulder.

5. Be careful what you share on social media.

Social media can feel like a conversation with your closest friends — except it may be a conversation the whole world can see. If you post enough on social media, the information can be used to track where you are and what you’re up to.

The first line of defense is to lock down your social media accounts. Share only with the people you want to see the information you’re sharing, like your friends and family. On Twitter, your account is either completely open or locked down to people you invite to follow you; changing that setting is as easy as clicking a checkbox. Facebook allows more granular control over who sees what you post. Read How to Keep Facebook Privacy Private to configure your profile.

Don’t want to lock down your account? Then be choosy about what you share. Take special care with personal information that could be used to identify you or track your location. Don’t fill out your complete profile in order to prevent being easily identified or to give someone enough personal details to steal your identity. Consider dialing down what you share. Do you really need to check in to every business you visit, making yourself easy to track? Maybe not.

6. Ask why others need your information.

Whenever you’re asked to provide personal information, whether in person, on the phone or online, consider whether you really need to give it out. Sometimes information like your email address and ZIP code is used purely for marketing purposes; in that case, expect your real and virtual mailboxes to be packed with junk mail.

To maintain your privacy, never give away more information than you have to. This is doubly true of sensitive personal information like your social security number — even just the last four digits. Unless it’s your bank, a credit bureau, a company that wants to do a background check on you or some other entity that has to report to the IRS, chances are they don’t really need it.

7. Don’t fall for scams.

Beware of websites, phone calls and emails that try to part you from your personal information. Scammers are getting better at mimicking legitimate businesses, so be on your guard. A common tactic with scammers is to pressure you into giving up your personal information by presenting dire consequences if you don’t. For example, a scammer may tell you that you’re being audited by the IRS or that your computer has a dangerous virus they can fix if you hand over your personal information.

These high-pressure tactics can spook you into giving up plenty of personal details, but don’t be fooled. Legitimate businesses don’t make unsolicited calls to ask for your social security number or computer password. If you’ve received a call or email like this you think may be legitimate, contact the business it claims to be from. Don’t use the link or phone number provided by whoever contacted you; instead, contact the company directly using contact information you personally look up on the company’s website. If the matter is legitimate, the company will confirm so and help you resolve the issue while making sure your personal information stays safe.

8. Only use software you trust.

Whether you’re installing new software on your phone or your computer, make sure you’re getting it from a source you trust. Legitimate-looking software can sometimes turn out to be a complete scam, like the scandal over the Meitu photo app, which collects a mountain of data on its users. Make sure anything you download comes from a trusted developer and a trusted source.

If you don’t know where your software comes from, you don’t know what it’s really doing — and that means there’s no telling where your information is going.

9. Only use secure Wi-Fi connections.

Sure, it’s convenient to use the free Wi-Fi service at your local Starbucks, but there’s no telling who is watching that internet traffic. If you use public Wi-Fi, don’t use it to convey private information. Browsing your favorite website is fine, but take extra security measures if you’re logging into an account. Use a VPN service to encrypt all of the data you send. There are many services that can do this, including NordVPN and Buffered VPN. VPN services charge a fee to use, from day passes to year-round protection.

Harper, Elizabeth. “9 Simple Ways to Protect Your Privacy” Techlicious January 2017

Posted in: Security, Tech Tips for Business Owners

Leave a Comment (0) →

Ransomware: Legal Breach Notification Cheat Sheet

Incidents of ransomware are on the rise and it’s a growing concern for all of us. We have been well versed on what not to open or click on. But it is equally important to be informed on what actions you need to take if you fall victim to a ransomware attack.

If your business falls under breach notification rules, here is a cheat sheet that presents information without all the legalese.

Breach Notification Rules for Ransomware

The real issue to investigate is whether unauthorized access alone triggers a notification to customers. In effect, that is what ransomware is doing – accessing your PII without your permission.

We present for your ransomware breach response edification the following:

  1. Healthcare– HIPAA’s Breach Notification rules requires covered entities (hospital, insurers) to notify customers and the Department of Health and Human Services (HHS) when there’s been unauthorized access to protected health information (PHI). This is the strictest federal consumer data laws when it comes to a ransomware breach response. HHS has put out a helpful guideline explaining more of the complexities involved in a determination of a PHI breach.
  2. Consumer banks and loan companies– Under GLBA, the Federal Trade Commission (FTC) enforces data protection rules for consumer banking and finance through the Safeguards Rule. According to the FTC, ransomware (or any other malware attack) on your favorite bank or lender would not require a notification. They recommend that these financial companies alert customers, but it’s not an explicit obligation.
  3. Brokers, dealers, investment advisors– The Securities and Exchange Commission (SEC) has regulatory authority for these types of investment firms. Under GBLA, the SEC came up with their own rule, called Regulation S-P, which does call for a breach response program. But there’s no explicit breach notification requirement in the program. In other words, it’s something you should do, but you don’t have to.
  4. Investment banks, national banks, private bankers– With these remaining investment companies, the Federal Reserve and various Treasury Department agencies jointly came up with their own rules. In this case, these companies have “an affirmative duty” to protect against unauthorized use or access, and notification is part of that duty. In the fine print it says, though, that there has to be a determination of “misuse” of data. Whether ransomware’s encryption is misuse of the data is unclear. In any case, the rules spell out what the notification must contain — a description of the incident and the data that was accessed.

Green, Andy. “Ransomware: Legal Cheat Sheet”. Inside Out Security Blog – Data Security, January 2017

Posted in: Disaster Recovery, Security

Leave a Comment (0) →

What is Spearphishing? How to Stay Safe Online From this Effective Cybercrime Technique

Spearphishing? All it takes is a single click, but it doesn’t have to be this way.spear-phising

Hackers, spammers and cybercriminals have a multitude of methods they can use to infiltrate computer systems, steal data, plant malware or compromise your personal information. One of the most long-standing tactics is targeting ‘phishing’, also known as spearphishing.

It has endured because it works: unwitting web users continue to receive malicious messages and still fall victim to their charms. If you are wondering how dangerous they can be, just ask John Podesta: the US political player who lost tens of thousands of email with a single click.

When a spearphishing email lands in your inbox, it’s rarely a mistake. Using your personal information – either hacked from another source or lifted from public social media profile – spammers are able to produce slick, and highly-convincing, messages.

They will appear legitimate, but spearphishing emails usually contain malware, spyware or another form of virus – often hidden in a link. When clicked, the payload will usually download automatically onto your computer and go to work – stealing files, locking records or logging your keystrokes.

Using your own personal information against you, hackers can craft an extremely personalized email message. It will likely be addressed to you by name and will reference a specific event in your life, something that will make you believe the sender is real and trustworthy.

What information could they possibly know?

Using social media, the spammer will likely already know your age, where you work, what school you attended, personal interests, what you eat for dinner, what concerts you have been to recently, where you shop, what films you like, what music you listen to, your sexual preference, and more.

But this is enough. Using the information, a fictitious hacker could easily pose as your friend and ask for further information about you – your phone number, password, even bank details? Not everyone would fall for the scam, but many still do if the recipient believes the identity of the sender.

A hacker using spearphishing may pose as a retailor, online service or bank to fool you into resetting your credentials via a spoofed landing page. The email may ask you to reset your password or re-verify your credit card number because suspicious activity has been monitored on your account.

If the email tempts you to click an embedded link, it could also download a keylogger or Remote Access Trojan (RAT) onto your computer to steal bank details or social media passwords as you type them. Many people re-use passwords across multiple websites, so the danger of hacking is high.

How to stay protected

Stay protected by being aware of the threats and remaining extremely careful about what personal information you put online. Limit what pictures to post to Facebook or Twitter, check where your email is listed and ensure your computer’s security is kept up to date.

Ensure the passwords you use are original, lengthy and, most importantly, unique to every online website or service. A strong password will contain a mixture of characters, numbers and symbols. If possible, enable two-step authentication on every account that offers it.

Finally, know the signs and stay vigilant. If you receive an email from a close friend that asks for personal information – think twice before replying and send them a reply asking them to verify their identity. Also, know that any real business or bank is unlikely to request sensitive data via email.

Unfortunately, it only takes one click of a mouse for the hacker to access your system and despite advanced spam filters on current email providers spearphishing emails will continue to slip through the cracks.

Murock, Jason. “What is Spearphishing? How to stay safe online from this effective cypbercrime technique”. IBT. December 2016

Posted in: E-mail, Mobile Computing, Security

Leave a Comment (0) →

How to Safely Delete Private Data Forever

delete-data-foreverIf you’re erasing sensitive files from a computer, you probably want them gone forever and far beyond the reach of data recovery tools. Unfortunately, that’s not what happens all of the time. Here are some simple steps you can take to make sure your files are deleted permanently.

When you hit delete on a file, in most cases, those 1s and 0s aren’t actually erased. The operating system just marks the space they’re taking up as free for new stuff, so until something new shows up, that data can often be recovered.

What third-party eraser tools do is wipe over your sensitive files with random data, so not even the best recovery utility on the planet can bring them back. It’s a bit like scribbling over a handwritten note with thick black marker pen.

df-1

Or at least that’s true for traditional hard drives. Modern solid-state drives (SSDs), and the flash memory in mobile phones, don’t work in the same way. That’s primarily because applications don’t have the same control over where data is written and overwritten.

If you’ve got an SSD fitted, deleted files are harder to recover once they’ve gone beyond the Recycle Bin or Trash anyway (see the end of this note from Apple). On top of that, the safest option for ensuring they’re gone forever is to keep your drive encrypted. With those caveats in mind, read on.

Permanently deleting files on Windows

If you want a file on Windows to be immediately trashed without a visit to the Recycle Bin first, it’s easily done. Just hold down Shift as you tap Delete in File Explorer.

The file could still be recovered by someone smart enough to install a professional data recovery tool though, so on a traditional, mechanical hard drive you’ll need a more comprehensive tool to make sure the 1s and 0s have been well and truly wiped.

deleting-filles-screenshot

Eraser is a simple but effective tool that’s been around a long time on Windows. Point it towards a file or folder and it overwrites it with random data that should be enough to stop it from ever coming back.

There’s a scheduler tool too that you can use to wipe certain sections of your hard drive regularly. If you want to, you can add the program to the right-click menu in File Explorer, giving you even easier access to it.

df3

Blank and Secure is a very similar, lightweight tool that perhaps has a more friendly user interface and is portable as well, so you can run it from a USB drive if you need to.

Once you’ve launched the executable, just drag and drop the files you want to get rid of into the Blank and Secure window. You can set a few basic options before deleting, and the utility can automatically shut down your PC afterwards if it’s going to be a lengthy job.

df4

CCleaner is a perennial Field Guide favorite and has a disk wiper tool built into it in addition to all the other clean-up jobs it does—though you’ll need to stump up for the premium version (a free trial is available).

It’s more suitable for wiping entire disks or all the free space on a disk at once rather than individual files, but in any case this is often a better way of securely wiping sensitive data, especially on the newer SSD drives as we’ve mentioned. You can find Drive Wiper in the Tools section

If you do have a solid-state drive, then encryption is probably a better option. BitLocker is available in the Pro versions of Windows 10, or you can use a third-party solution like VeraCrypt. You might also find the SSD manufacturer has provided utilities for encrypting and securely erasing the disk as a whole.

Permanently deleting files on macOS

Like Windows, macOS has a keyboard shortcut you can use to tell files to skip the Trash on their way to the digital graveyard: Option+Cmd+Delete. Alternatively hold down Option as you open the File menu and you’ll see a Delete immediately entry.

df5

As you’ve no doubt noticed, Macs have been moving towards SSDs for some years now, and that means conventional secure erase techniques don’t really apply. Instead, you should switch on FileVault, which will make deleted files very difficult to recover once they’ve gone from the Trash.

Head to the Security & Privacy section of System Preferences and open up the FileVault tab to make sure it’s switched on. The flip side is that even you will struggle to get your data back if you forget your system password or recovery key—but you’re not going to do that, are you?

df6

There were secure erase options in Mac OS versions of years gone by, but they’ve all been abandoned in Sierra.

While you will find ‘secure erase’ tools in the Mac App Store, they’re going to be largely ineffective for files stored on SSDs, and may even reduce the life of the drive with their persistent overwriting. Of course a standard mechanical external drive is different—by all means use a tool like FileShredder or Shredo.

Nielddavid, David. “How to Safely Delete Private Data Forever”. Gizmodo, Field Guide. December 2016

Posted in: Security, Tech Tips for Business Owners

Leave a Comment (0) →

This Tool Tells You if Your Gmail Account was Infected with Malware

gmailCybersecurity Check Point discovered a new piece of Android malware called Gooligan that’s able to steal email addresses. More than 1 million Google accounts connected to older Android versions are at risk, but there’s a tool you can use to see if you’re one of them.

Users who downloaded Android apps containing the Googligan malware or who clicked on links in phishing messages are at risk. The software is able to access information in Gmail, Drive, and Photos, and the hackers can use the Google accounts to buy apps on the Google Play store and leave reviews for apps.

Check Point says that devices running Android 4.0 and Android 5.0 are at risk — that’s nearly 75% of Android users. The company developed an online tool that can help you check if your phone is infected with Gooligan. All you have to do is go to: gooligan.checkpoint.com, enter your Gmail address, and then find out if you’ve been hacked.

Some might dismiss it as a non-issue, but malware still affects plenty of Android devices. In July, the same security firm discovered a different malware that affected some 85 million Android phones. That malware strain was generating $300,000 per month in ad revenue, Business Insider notes.

The best way to defend yourself against malware is to avoid downloading apps from untrusted locations and stick to getting apps from the Google Play store if it’s available in your market. Clicking dubious links from emails and instant text messages is also not advised, as they may be phishing attacks targeting unsuspecting Android users.

Smith, Chris. “This Tool Tells You If Your Gmail Account Was Infected with Malware.” N.p., 30 Nov. 2016.


We know how overwhelming it could be if you think your email account has been hacked! However, there are several steps that can be taken to mitigate damage if the breach is addressed promptly. If you discover that your account has been compromised we recommend that you seek remediation immediately.

Our staff is well-versed in best practices that can help to restore and secure your data. Give us a call at (732) 780-8615 or send us an email at support@trinityww.com for more information or to schedule an appointment with one of our trained professionals.

Posted in: Security, Tech Tips for Business Owners

Leave a Comment (0) →
Page 1 of 6 12345...»