Archive for Security

Ransomware Can Destroy Backups in Four Ways

I just found a very interesting blog post by Jerome Wendt, President & Lead Analyst of DCIG, Inc., an independent storage analyst and consulting firm.

He started out with “The prevailing wisdom is that if you back up your data you can recover from a ransomware attack. While this premise generally holds true, simply backing up your data no longer provides an absolute guarantee that you can recover from a ransomware attack. Here are three techniques that ransomware may use to circumvent existing backups and make your “good” backups bad.” I have added number 4 at the end as a bonus.

And then he described three tactics the bad guys use to ruin your backups:

  • Finding and encrypting backups on network file shares. Many backup products back up data to file shares accessible over corporate networks. Further, many organizations use the default directory name created by these backup products to store these backups. The default names of these directories are readily accessible in the documentation published by backup providers. Some creators of ransomware have figured this out. As part of their malware that finds and encrypts data on production servers, they also probe corporate networks for these default backup directories and encrypt the backups in these directories. In so doing, they increase the possibility that companies cannot recover from backups.
  • Hacking the backup software’s APIs. A number of enterprise backup software products offer their own application programming interface (API). Using these APIs, organizations can centralize backup and recovery under their broader data center management platform. However, ransomware creators can also access these published APIs for nefarious purposes and use them to corrupt and/or encrypt existing backups.
  • Plant a ransomware “time bomb.” To date, when ransomware encrypts a company’s data, the encryption generally occurs as soon as or shortly after it gets onto the corporate network. However, ransomware continues to evolve and mature and, as it does so, it grows both more patient and more insidious. Rather than encrypting data as soon as it breaches the corporate firewall, it begins to infect the data but does not immediately encrypt it. Then, only after days, weeks, or months go by and this infected data has been backed up for months does it initiate the encryption of the corporate data. In many respects, this is the worst type of ransomware attack. Not only is all of a company’s production data encrypted, the company thinks it has “good” backups and when it goes to restore the data, the restored data encrypts as well because it was infected when it was backed up. This may make it almost impossible for an organization to determine when it was initially infected and which of their backed up data they can reliably and confidently restore.
  • Delete your Shadow copies. You know about this one, several major strains have been doing this for a few years now, and are constantly improving this part of their malicious code.
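As an added, defender-side illustration of the fourth tactic (this is not code from Wendt’s post or from KnowBe4), here is a small Python check that scans process-creation records for the common ways Volume Shadow Copies get deleted. The event records are constructed samples in a Sysmon-like shape; the rule names and the `hosts_with_repeated_attempts` helper are my own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\backupsvc",
     "command_line": r"C:\Windows\System32\vssadmin.exe list shadows"},      # benign: listing only
    {"host": "WS07", "user": "CORP\\jdoe",
     "command_line": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS07", "user": "CORP\\jdoe",
     "command_line": r"wmic shadowcopy delete"},
    {"host": "FS01", "user": "CORP\\admin",
     "command_line": r'powershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    {"host": "WS12", "user": "CORP\\asmith",
     "command_line": r"notepad.exe C:\Users\asmith\notes.txt"},              # benign
]

# Each pattern covers one route to removing shadow copies (MITRE ATT&CK T1490, Inhibit
# System Recovery). Matching on the verb as well as the tool keeps "list shadows" quiet.
SHADOW_DELETION_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("Win32_ShadowCopy.Delete()", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    command_line: str


def detect_shadow_copy_deletion(events):
    """Return one Finding per event whose command line matches a deletion pattern."""
    findings = []
    for ev in events:
        cmd = ev.get("command_line", "")
        for rule_name, pattern in SHADOW_DELETION_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(ev["host"], ev["user"], rule_name, cmd))
                break  # one finding per event is enough for alerting
    return findings


def hosts_with_repeated_attempts(findings, threshold=2):
    """Hosts where deletion was attempted at least `threshold` times; a useful escalation trigger,
    since a single vssadmin call can also be an administrator cleaning up disk space."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = detect_shadow_copy_deletion(SAMPLE_EVENTS)
    for hit in hits:
        print(f"[{hit.rule}] host={hit.host} user={hit.user}: {hit.command_line}")
    print("escalate:", hosts_with_repeated_attempts(hits))
```

Feeding real Sysmon Event ID 1 or Windows Security 4688 command lines through `detect_shadow_copy_deletion` is the intended use; the sample list only exercises the patterns.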

Wendt concluded: “Ransomware arguably represents one of the most insidious and dangerous threats that organizations currently face to the health of their data. The inability to access and recover from a ransomware attack may put the very survival of a company at risk.

“To counter this risk, many look to backup software as their primary means to recover from these attacks. But as ransomware takes aim at backup software, organizations need to take a fresh look at their backup software to make sure that it has the right set of features to counter these newest forms of ransomware attacks to ensure they have a verifiable path to recovery.”

Excellent advice!

Sjouwerman, Stu. “Ransomware Can Destroy Backups in Four Ways” KnowBe4 CyberheistNews Vol7 #37 Sept 2017

Posted in: Security

Hey, Turn Bluetooth Off When You’re Not Using It

You intuitively know why you should bolt your doors when you leave the house and add some sort of authentication for your smartphone. But there are lots of digital entrances that you leave open all the time, such as Wi-Fi and your cell connection. It’s a calculated risk, and the benefits generally make it worthwhile. That calculus changes with Bluetooth. Whenever you don’t absolutely need it, you should go ahead and turn it off.

Minimizing your Bluetooth usage minimizes your exposure to very real vulnerabilities. That includes an attack called BlueBorne, announced this week by the security firm Armis, which would allow any affected device with Bluetooth turned on to be attacked through a series of vulnerabilities. The flaws aren’t in the Bluetooth standard itself, but in its implementation in all sorts of software. Windows, Android, Linux, and iOS have been vulnerable to BlueBorne in the past. Millions could still be at risk.

So, yeah, turn off Bluetooth if you’re not using it or if you’re near anyone you don’t trust. There might be some inconvenience when you bring your laptop to your desk and want it to connect to a Bluetooth mouse and keyboard. You might end up flipping the switch fairly often to use Bluetooth headphones. But you likely don’t use Bluetooth most of the time. Even if you lean on it all day at work, you can ditch it at a birthday dinner or when you’re asleep. And if you use it 24/7 on your phone because of a peripheral like a smartwatch, you can at least turn it off on your other devices, especially any Bluetooth-enabled internet of things gear.

“For attackers it’s Candy Land,” says David Dufour, vice president of engineering and cybersecurity at the security firm Webroot. “You sit with a computer with a Bluetooth-enabled radio—just scanning for devices saying, ‘Hey, is anybody out there?’ Then you start prodding those devices to look for things like the operating system and the Bluetooth version. It’s a hop, skip, and a jump to start doing bad stuff.”

BlueBorne

As overall device security improves, researchers and attackers alike have turned to ancillary features and components to find ways in. In July, researchers announced a bug in a widely used Broadcom mobile Wi-Fi chip that put a billion devices at risk before it was patched. And in 2015, researchers found a critical flaw in Apple’s Airdrop file-sharing feature over Bluetooth.

And then there’s BlueBorne. Apple’s iOS hasn’t been affected by the flaws since the 2016 iOS 10 release, Microsoft patched the bugs in Windows in July, and Google is working on distributing a patch (though this can take significant time). But in addition to endangering core devices such as smartphones and PCs, BlueBorne has implications for the billions of Bluetooth-equipped internet of things devices in the world including smart TVs, speakers, and even smart lightbulbs. Many of these devices are built on Linux and don’t have a mechanism for distributing updates. Or even if they do, they rarely receive them in practice. Linux is working on but hasn’t yet issued a BlueBorne patch.

“We wanted to get the research community on board with this, because it didn’t take us a long time to find these bugs, one thing kind of led to another and we found eight really severe vulnerabilities,” says Ben Seri, the head of research at Armis. “Our assumption is there are probably a lot more. We want to get eyes and ears on this type of thing because it’s largely gone neglected by the research community and by vendors over the past years.”

When Bluetooth is on in a device, it is constantly open to and waiting for potential connections. So a BlueBorne attack starts by going through the process Webroot’s Dufour describes—scanning for devices that have Bluetooth on and probing them for information such as device type and operating system to see if they have the relevant vulnerabilities. Once an attacker identifies vulnerable targets, the hack is quick (it can happen in about 10 seconds) and flexible. The impacted devices don’t need to connect to anything, and the attack can even work when the Bluetooth on the victim device is already paired to something else. BlueBorne bugs can allow attackers to take control of victim devices and access—even potentially steal—their data. The attack can also spread from device to device once in motion, if other vulnerable Bluetooth-enabled targets are nearby.

As with virtually all Bluetooth remote exploits, attackers would still need to be in range of the device (roughly 33 feet) to pull off a BlueBorne attack. But even with the extensive and productive BlueBorne patching that has already happened, there are still likely plenty of vulnerable devices in any populated area or building.

The Best Defense

The importance of Bluetooth defense has become increasingly clear, and the Bluetooth Special Interest Group, which manages the standard, has focused on security (particularly cryptography upgrades) in recent versions. But attacks like BlueBorne that affect individual implementations of Bluetooth are attracting attention as well. “Attacks against improperly secured Bluetooth implementations can provide attackers with unauthorized access to sensitive information and unauthorized use of Bluetooth devices and other systems or networks to which the devices are connected,” the National Institute of Standards and Technology noted in its extensive May “Guide to Bluetooth Security” update.

You can’t control if and when devices get patched for newly discovered Bluetooth vulnerabilities, and you’re probably not going to stop using Bluetooth altogether just because of some possible risks. But apply every patch you can, and keep Bluetooth off when you’re not using it. “With security everything is kind of like the flavor of the week,” Webroot’s Dufour says. “So this week it’s Bluetooth.”

Security’s often a matter of weighing risk and reward, defense versus convenience. In the case of Bluetooth, it’s an easy call.

Hay-Newman, Lily. “Hey, Turn Bluetooth Off When You’re Not Using It” Wired September 13, 2017

Posted in: Security

6 Easy Opt-Outs to Protect Your Privacy

How to shrink your exposure to telemarketers, bulky catalogs, and online data mining

Marketers want your personal data and they’re willing to work hard to get it. The result can be a barrage of unsolicited mail, telemarketing calls, and pop-up ads.

You can cut down on those offers by signing up with the Do Not Call Registry and other services, some set up by industry groups. The World Privacy Forum’s Top 10 Opt Outs is a comprehensive resource of websites and organizations that help consumers reduce the amount of marketing material coming their way.

But you can also accomplish a lot, more quickly, with the whittled-down data-collection cleanse outlined below.

Not all of the online forms you’ll be accessing are equally simple to navigate. Follow these tips for cutting through the clutter and the whole six-step exercise can take under 10 minutes to complete. (I got it down to 9 minutes, 8 seconds.) That’s less time than it takes to do the dishes, and it will help make your inbox equally sparkly and clean.

Let’s start with pesky telemarketing calls.

1. National Do Not Call Registry

You know those annoying calls from “Heather at account services?” The National Do Not Call Registry helps you prevent such unsolicited intrusions from telemarketers.

Where to go: The FTC’s National Do Not Call Registry provides one-stop shopping for telemarketer opt-outs.

How it works: Once you get to the Registry you’re given two options: 1) to register or 2) to check to see if you’re registered. The straightforward form allows you to provide up to three lines; I registered my cell, my home landline, and my office line in just seconds.

What you’ll need: You have to provide a valid e-mail address to receive confirmation e-mails—one for each phone number you register—those confirmations arrived in my inbox almost instantly. When I clicked on the link in each e-mail, I was done.

2. Prescreened Credit Offers

Is your mailbox filled with “pre-approved” credit card offers? Lenders send out those solicitations after buying lists of potential borrowers from major credit reporting firms such as Equifax, Experian, and TransUnion. You can stop that cycle at the source. (This Federal Trade Commission FAQ page explains pre-screened credit.)

Where to go: The Consumer Credit Reporting Industry website, or call 888-567-8688.

How it works: The online form lets you opt out for five years. If you want to opt out permanently, you need to print out, fill out, and mail back an old-school paper form. Maddeningly, to get access to the paper form you first need to fill out another form online. You might want to do the quick-and-easy online opt-out first, and then go back and do the paperwork for the permanent opt-out later.

What you’ll need: Your Social Security number. I’ll admit I felt a little uncomfortable entering my SSN, but the reality is that if you’re getting these offers, the credit reporting agencies have this information anyway.

How long it took: 1 minute, 24 seconds (not including the time to fill out and mail the permanent opt-out form).

3. DMA Choice

I like the fall Pottery Barn catalog as much as the next guy—until I have to carry 20 pounds of mixed paper to the curb on recycling day. The opt-out program set up by the Data & Marketing Association won’t solve that problem completely, but it will reduce the volume of mail coming in.

Where to go: Head to DMA Choice.

How it works: This is a two-stage process. First, you register with DMA, providing an e-mail, password, and credit card information, including your zip code. Once you’re logged in, you get steered to a menu with three options. Clicking on the Catalogs/Magazines/Other Mail Offers link opens a daunting alphabetical list of companies. Ignore it. Head instead to Stop All Catalogs and click on Remove My Name. The site will ask you if you’re sure, at which point you click on Yes, Take Me Off and confirm your address.

What you’ll need: A credit card. You have to pay $2 for the online opt-out and $3 if you mail in the form. There are free opt-outs for caregivers and those with a deceased relative.

How long it took: 3 minutes, 12 seconds (including the time spent entering my credit card information to pay the small fee).

4. FERPA

Public school enrollment information about your children doesn’t have to be public. FERPA, the Family Educational Rights and Privacy Act, gives parents and students the right to keep a range of directory-style information private, such as the student’s address, place of birth, and dates of attendance at the school. The catch is, you have to request this.

Where to go: Since the FERPA opt-out procedure is district-specific, there’s no national online clearing house. You need to request a form from your local school district or print out the generic one on the WPF website, which you can then submit to local officials.

How it works: The WPF form is reasonably straightforward. You enter a little info about your student, along with your opt-out preferences. Many school districts only accept FERPA opt-outs at the beginning of the school year, so don’t delay.

What you’ll need: The forms vary somewhat, but there’s a good chance you’ll need to provide a student ID number.

How long it took: 40 seconds (not including the time to fill out the printed form and return it to the school).

5. Banks and Other Financial Institutions

The information collected and distributed by banks varies widely. Since that information can include very sensitive information such as account balances, it’s worthwhile to take the time to protect it.

Where to go: The Federal Deposit Insurance Corporation explains your rights and opt-out options, but does not provide a universal opt-out for financial institutions. The WPF site, however, includes an opt-out list for many large institutions, including Bank of America, Chase, Wells Fargo, and Citibank (1-888-214-0017).

How it works: I bank at Chase. So using the link above, I entered my account information and checked off all the options provided, instructing the bank not to share information about my creditworthiness or other personal information with affiliates and third parties for marketing purposes.

What you’ll need: Your account number and your Social Security number. If you have multiple accounts, you only need to enter the info for one. Don’t forget about your mortgage and investment accounts.

How long it took: 52 seconds.

6. Data Brokers

Data brokers are clearing houses for much of the information that’s gathered about you online and used by marketers. Most don’t have easy opt-outs. But Acxiom, one of the biggest data brokers, is an exception.

Where to go: Acxiom’s website includes an opt-out page.

How it works: I checked Acxiom’s About the Data site, and discovered that the company knows quite a lot about me, ranging from my family status to my income and political affiliations. Some of the information was surprisingly accurate, while other parts were flat-out wrong. You can, however, skip this step and go straight to the opt-out form.

What you’ll need: A little advance research. You’ll want to register your name, but also common misspellings, any maiden name, names from previous marriages, addresses dating back as far as you can recall, and all of your e-mail addresses.

How long it took: 1 minute, 30 seconds. The form itself is quite simple to use, but the dropdown menus slow things down a bit, as does the CAPTCHA confirmation that you’re a human, not a robot.

St. John, Allen. “6 Easy Opt-Outs to Protect Your Privacy” Consumer Reports September 2017

Posted in: Security, Tech Tips for Business Owners

Scrap Everything You Know About Creating Strong Passwords And Do This Instead

You know the drill: make a password with a hodgepodge of special characters, numbers, and letters, then change it periodically – or just ignore change alerts until a hacking scandal suddenly arises.

You may want to rethink your strategy.

Bill Burr, the man behind how we commonly think of devising passwords, recently told The Wall Street Journal, “much of what I did I now regret.”

The password creation shakeup

The retired 72-year-old was reportedly a manager at The National Institute of Standards and Technology (NIST) back in 2003 when he wrote “NIST Special Publication 800-63. Appendix A,” featuring the password guides we’ve held true for years now.

According to The Wall Street Journal, this included, namely, the rule that passwords should be a combination of numbers, special characters, and uppercase letters, which you change every 90 days.

Why is Burr changing his tune years later?

He reportedly had to produce the rules quickly and wanted them to be based on research, but he had no “empirical data on computer-password security.” So he turned to a white paper from the 1980s.

Burr told The Wall Street Journal that his advice has led people astray because those rules were probably too challenging for many to understand and caused people to use passwords that were not too difficult to crack.

In June, the NIST released new guidelines, which don’t call for “special characters” or changing passwords frequently anymore. Instead, the NIST says the rules now preach “long, easy-to-remember phrases” and just coming up with new ones “if there is a sign they may have been stolen.”

An xkcd comic by Randall Munroe from August 2011 shows that cracking the password “Tr0ub4dor&3” would take three days, according to the cartoonist’s calculations, compared to the words “correct horse battery staple” typed as a single passphrase, which would take a staggering 550 years. Computer-security specialists found this to be true.
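To show where the comic’s “three days” and “550 years” come from, here is an added Python example (my own code, not from the article, the comic or NIST). It assumes the comic’s figures of roughly 28 bits for the “Tr0ub4dor&3” pattern, 11 bits per word from a 2048-word list, and a rate of 1,000 guesses per second; it also generates a passphrase with a CSPRNG and shows the same 44-bit passphrase against a much faster offline guessing rate, which the article does not discuss.

```python
import math
import secrets

# Constructed stand-in wordlist for the demo. A real list (EFF or diceware) has thousands
# of entries; the xkcd estimate assumes a 2048-word list, i.e. 11 bits of entropy per word.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river",
              "anchor", "violet", "pepper", "window", "summit", "ticket"]
XKCD_WORDLIST_SIZE = 2048
XKCD_GUESS_RATE = 1000          # guesses/second: the comic's deliberately slow, online-style rate
TROUBADOR_BITS = 28             # the comic's entropy estimate for the "Tr0ub4dor&3" pattern

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def passphrase_entropy_bits(num_words, wordlist_size):
    """Entropy of num_words picked uniformly at random from a list of wordlist_size entries."""
    return num_words * math.log2(wordlist_size)


def password_entropy_bits(length, alphabet_size):
    """Entropy of a length-character password drawn uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(entropy_bits, guesses_per_second):
    """Worst-case time to try every candidate (2**bits guesses) at the given rate."""
    return 2 ** entropy_bits / guesses_per_second


def describe_duration(seconds):
    if seconds >= SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.1f} years"
    if seconds >= SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds:.0f} seconds"


def xkcd_comparison(guesses_per_second=XKCD_GUESS_RATE):
    """Reproduce the comic's two headline figures as exhaustive-search times in seconds."""
    four_word_bits = passphrase_entropy_bits(4, XKCD_WORDLIST_SIZE)   # 44 bits
    return {
        "Tr0ub4dor&3": seconds_to_exhaust(TROUBADOR_BITS, guesses_per_second),
        "correcthorsebatterystaple": seconds_to_exhaust(four_word_bits, guesses_per_second),
    }


def generate_passphrase(wordlist, num_words=4, separator=" "):
    """Pick words with the secrets module (a CSPRNG); random.choice is not suitable for secrets."""
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    for label, secs in xkcd_comparison().items():
        print(f"{label}: {describe_duration(secs)} at {XKCD_GUESS_RATE} guesses/s")
    # The same 44-bit passphrase against an offline attack on a leaked hash at 10 billion guesses/s:
    print("four words, offline:", describe_duration(seconds_to_exhaust(44, 10**10)))
    print("random 12 chars from 94 printable symbols:", round(password_entropy_bits(12, 94), 1), "bits")
    print("sample passphrase:", generate_passphrase(DEMO_WORDS))
```

The offline figure is the caveat that matters in practice: the 550-year number only holds at the comic’s throttled rate, so a longer passphrase (five or six words) is the cheap way to stay ahead of hashed-password cracking.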

Be careful changing passwords

You may also want to rethink how often you update your password. This practice can place us at risk if we take the wrong approach.

When we repeatedly change passwords, we don’t always change them properly.

Professor Alan Woodward of the University of Surrey told BBC News that NIST publications have a far reach, giving the rules “a long lasting impact.” But he also mentioned “a rather unfortunate effect”:

For example, the more often you ask someone to change their password, the weaker the passwords they typically choose. . . . And, as we have all now so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems.

Steer clear of these password options

So if you’re looking to change your password soon, don’t pick these.

SplashData, which supplies password management applications, released the 2015 version of its “Worst Passwords List.” Here are the top 10 worst ones featured:

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball

Morgan Slain, CEO of SplashData commented on the findings in a statement.

We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you at just as much risk of having your identity stolen by hackers…As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.

Embracing the new way of thinking when it comes to passwords just might keep your online accounts out of harm’s way.

Burnett, Jane. “Scrap everything you know about creating strong passwords and do this instead” Ladders (theladders.com) August 2017


You can go to the site www.HaveIBeenPwned.com, put your login names one at a time (ex: Jkalli, JohnKalli, Jkalli@trinityww.com, etc. – whatever login names you might have) and it will tell you if it has ever been part of a hack. If so, change the login/password combination wherever you might have used it.

Also, go to www.passfault.com to see how long it would take a hacker to crack your password.

Posted in: Security

Unsubscribing from Spam Only Makes It Worse

The last time I checked my spam folder, I noticed a few messages included an unsubscribe link. Well that’s nice, I thought. Maybe spammers realize that some people will never respond, so they want to trim their lists for efficiency. I clicked “unsubscribe.” That was a mistake.

While “legit companies” honor unsubscribe requests, says the McAfee Labs blog, “shady” ones just use the unsubscribe buttons to confirm your address and send you more spam. Sophos blogger Alan Zeichick says that clicking unsubscribe tells the spammer you opened their email, possibly because you were interested or suspected it was real. By visiting the spammer’s fake unsubscribe page, you’re giving them your browser info and IP address, and even opening yourself up to malware attacks.

If an email looks like truly shady spam (and not just a newsletter you’re sick of reading), don’t click any links. Just mark it as spam and move on.

Douglas, Nick. “Unsubscribing from Spam Only Makes It Worse” Lifehacker June 2017

Posted in: E-mail, Security

‘Smishing’ Is Internet Scammers’ New Favorite Trick. Here’s How to Avoid It

Internet scam artists are moving beyond your email inbox and targeting your text messages instead. With this new scam, called “smishing,” scammers are trying to get you to send them your personal information that could help them access your bank account or other online profiles. Here’s what you should know.

What are smishing scams?
“Smishing” scams are so named because they’re like a phishing email, except sent via SMS, the technology underlying the typical text message. They often prey on people’s panic or sense of urgency, according to Jason Hong, associate professor at Carnegie Mellon University’s Human-Computer Interaction Institute. For example, one fraudulent message might appear to be a warning from your bank about an unauthorized charge.

“That’s one of the main ways they try to trick you,” says Hong. “There’s an urgency to the message. There’s something that needs your attention right now.”

How can you avoid smishing scams?
Hong says you should make sure to use different passwords for everything from your bank’s website and social media apps to your email account. Two-factor authentication and password managers like Dashlane and 1Password can also be useful. And in the hypothetical case outlined above, you should call your bank or credit card company directly to verify the alert, rather than clicking any links in suspicious text messages.

Unfortunately, there’s no foolproof way to block smishing messages entirely, says Steve Wicker, a computer engineering professor at Cornell University. Wicker says the best course of action is to be vigilant for suspicious text messages, just like you should watch out for strange emails. One tip: Look out for text messages from phone numbers that clearly appear fake or suspicious.

Another warning: Wicker says some scammers may be able to make their messages look like they’re coming from a person you know and trust. So if you get a weird message from a friend, it’s a good idea to call them back on the phone and check if they actually sent the text.

Why are scammers using smishing scams?
Scammers could have one of several motives, Hong says. They could be trying to steal a victim’s identity, to access their bank account, or to blackmail them into giving out personal or company secrets.

“That’s where the money is,” Hong added. “People are getting more suspicious of emails. Companies like Google and Yahoo are getting better at detecting fake accounts and shutting them down. So the next easiest thing for [a scammer] to do is to go to mobile.”

Is smishing a new phenomenon?
Smishing scams have been around since as early as 2008, but experts say they are becoming more prevalent. They’re also popping up on all sorts of messaging apps, not just simple text messages.

“This is impacting all systems in the mobile arena, it’s not just limited to one system,” says William Beer, who works on cybersecurity matters for professional services firm EY, previously known as Ernst & Young. “There’s never 100% security on any app, whether they be desktop or mobile.”

Segarra, Lisa Marie. “‘Smishing’ Is Internet Scammers’ New Favorite Trick. Here’s How to Avoid It” Fortune, Security July 2017

Posted in: Mobile Computing, Security

‘Major scale’ malware targets your Mac through email scams

Mac users are increasingly being targeted by malware after years of being relatively safe, and that means they’re facing attacks that other users have unfortunately come to expect for a while. Check Point researchers have discovered Dok, the first “major scale” trojan that targets macOS through an email phishing campaign. The bogus messages (usually aimed at European users) are meant to trick you into downloading a ZIP file that, if you launch it, gives the malware control over your system and lets attackers intercept your internet traffic to spy on your activity or impersonate websites. It’ll even delete itself when the intruders are done.

Like many attachment-based phishing attacks, you have to go out of your way to infect your system. You’re not going to get a Dok infection just by opening a message, thankfully. And if you do fall prey to the malware, iMore has instructions that will help you scrub your system clean. However, the rogue code also appears to rely on a faked certificate that bypasses Apple’s Gatekeeper screening, giving it carte blanche if you’re not careful. It might be easy to avoid, but it’s potentially very damaging if it gets through and you don’t look for warning signs.

More than anything, Dok serves as a reminder that you can’t assume you’re safe just because you use a non-standard platform. Malware writers still tend to target Windows simply because it represents the largest potential target, but some of them are willing to aim at Mac users in hopes of cornering an untapped “market” for victims.

Posted in: Security

4 Ways to Lock Your Windows 10 PC

Many of us are responsible for not only our own data, but the data of our clients as well. Whether or not you are subject to compliance regulations such as those in the medical or financial services industry, it is vital that we take seriously the security of the data that is entrusted to us.

Most importantly, you should never leave your PC unattended. But if you have to leave your Windows 10 PC alone for a period of time and don’t want to shut it down, we have a few alternatives for you.

Give these tips a try!

  1. Windows-L

Hit the Windows key and the L key on your keyboard. Keyboard shortcut for the lock!

  2. Ctrl-Alt-Del

Press Ctrl-Alt-Delete. On the menu that pops up, click Lock. Easy as 1,2,3 – done!

  3. Start button

Tap or click the Start button in the bottom-left corner. Click your user icon and then select Lock.

  4. Auto lock via screen saver

You can set your PC to lock automatically when the screen saver pops up. Go to Control Panel > Appearance & Personalization > Change screen saver and then check the box for On resume, display logon screen. You can also set a time for how long your PC should wait before starting the screen saver. Now, when you exit out of the screensaver, you’ll need to enter your system password to get back in.

With Windows 10 Creators Update, Microsoft moved this screen saver setting from the Control Panel to Settings. You can find it by going to Settings > Personalization > Lock screen > Screen saver settings.

Posted in: MS Office Tips and Tricks, Security

Thursday, May 4 – World Password Day

May 4 is coming up and has been designated as World Password Day to remind enterprise workers and consumers everywhere to use strong, updated passwords to protect cybersecurity.

World Password Day is a celebration to promote better password habits. Passwords are critical gatekeepers to our digital identities, allowing us to access online shopping, dating, banking, social media, private work and life communications.

Security firm BullGuard cited recent studies showing that 90% of all passwords are vulnerable to attack in seconds. Also, 10,000 common passwords like “qwerty” or “12345678” allow access to 98% of all accounts, BullGuard said. Amazingly, 21% of online users rely on passwords that are 10 years old, the company said.

So, why not jump on board – here are some great tips to get you started!

How do I create strong passwords?

The key to a strong password is length. Your passwords should be 12 characters long at the very least, and difficult for someone to guess. Avoid using personal information, especially if someone can find the answer on social media, or by searching your name online.

In addition to length, secure passwords also use a mix of uppercase, lowercase, numbers and symbols.

This may seem daunting but there is a simple solution. Try using a passphrase instead of a password. A passphrase is a short saying that you modify to become a strong password. For example, “Thund3r Sh0wers at Suns3t” would be a very strong password that’s also easy to remember.

Why use different passwords for each account?

Imagine if one key opened your front door, your car, your bank, and your safe. If someone got hold of your one key — poof — they have access to everything. That’s more or less your situation when you recycle passwords. If someone has access to your one key password, they have access to everything.

Cyber criminals know people reuse passwords, and after a major password leak, they’ll try using those passwords and email addresses to get into all kinds of sites. Often, it works.

Don’t get caught in this trap. The solution is simple: have different passwords for every online account. That way if one account is compromised you can rest easy knowing your other accounts are still safe.

If you think it would be difficult to remember all those passwords, move on to the next section for an easy solution.

Why get a password manager?

A good password manager safely stores all your passwords, remembers them and can generate strong passwords for you. This makes it incredibly easy to use different, hard-to-remember passwords for every account, so you only have to remember the one master password to get in. All the security – less hassle!

But what if someone gets your master password? Luckily, quality password managers have prepared for this by ensuring they only work on your registered devices. That way, if someone tries to log in from an unregistered device, the password manager will block access until the user completes a second or third login step, like entering a secret code that is emailed or texted to you. If you get an email saying someone is trying to log in from an unknown device, you’ll know you should change your master password as soon as possible.

In addition to emailed and texted codes, some password managers also let you add fingerprint and face recognition options, and devices you trust — this is called multi-factor authentication, and it offers convenient, powerful protection for your password vault.

What is multi-factor authentication and how do I use it?

How does multi-factor work?
If you’ve ever used a fingerprint reader on your phone, you’ve used multi-factor! For example, when you download an app from an app store, it first checks you’re on a trusted device (Factor 1) and then verifies you’re you with your fingerprint (Factor 2).

If you’re on a computer, usually it’s like this: when you enter your username and password, you’ll be asked for a verification code that will be texted to your phone. Pop in that single-use code, and you’re in. Ta-da! Multi-factor authentication!

Why should I use multi-factor?
Last year, 450 million passwords were leaked from major Internet companies. Adding an extra layer to your passwords significantly decreases the risk of someone accessing your account. Think of it like a second lock on your door, or a moat surrounding a castle.


One thing to realize is that two-factor authentication (2FA) is one of the best methods to protect the account you log into. If you are accessing your work systems remotely you should have a 2FA solution in place.

If you don’t, one of our experienced professionals would be happy to discuss implementing this for you and your organization.

Give us a call at (732) 780-8615 or send us an email at support@trinityww.com to schedule a consultation.

Posted in: Security


7 Dangerous Subject Lines

Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. But you can avoid such attacks by being patient, checking email addresses, and being cautious of sketchy-sounding subject lines.

2 out of 5 people open emails from unknown senders!

7 dangerous subject lines to watch for

Cybercriminals initiate their attacks through hyperlinks or attachments within emails. Most of these attacks use urgency or take advantage of user trust and curiosity to entice victims to click. Here are examples of subject lines to be cautious of.

Remember me? It’s Tim Timmerson from Sunnytown High! Criminals use social engineering tactics to find out the names of the people close to you. They may also hack a friend or relative’s email account and use their contact lists as ammo. Next, they research and impersonate someone you know, or used to know, through chats and emails. Not quite sure about a message you received? Hover your mouse over the sender address (without clicking) to see who the real sender is.

Online Banking Alert: Your Account will be Deactivated. Imagine the sense of urgency this type of subject line might create. In your panicked rush to find out what’s going on with your account, you might not look too closely at the sender and the URL they want you to visit. At the end of March, a Bank of America email scam just like this was successfully making the rounds. Initially, the email looked completely legitimate and explained politely that a routine server upgrade had locked the recipient out of their account. From there, an unsuspecting victim who clicked the link to update their account details would be handing their login credentials and banking information over to cybercriminals.

USPS: Failed Package Delivery. Be wary of emails saying you missed a package, especially if they have Microsoft Word documents attached. These attacks use the attachments to execute ransomware payloads through macros. Senior Threat Research Analyst Tyler Moffitt walks us through what it’s like to get hit with a ransomware payload from a USPS phishing email.

United States District Court: Subpoena in a civil case. Another common phishing attack imitates government entities and may try to tell you that you’re being subpoenaed. The details and court date are, of course, in the attachment, which will deliver malware.

CAMPUS SECURITY NOTIFICATION: Phishing attacks have been targeting college students and imitating official university emails. Last month, officials at The University of North Carolina learned of an attack on their students that included a notification email stating there was a security situation. The emails were coming from a non-uncg.edu address and instructed users to “follow protocols outlined in the hyperlink”. Afterward, the attacker would ask victims to reset their password and collect their sensitive information.

Ready for your beach vacay? Vacation scams offer great deals or even free airfare if you book RIGHT NOW. These scams are usually accompanied by overpriced hotel fees, hidden costs, timeshare pitches that usually don’t pan out, and even the theft of your credit card information. Check the legitimacy of offers by hovering over links to see the full domain, copying and pasting links into a notepad to take a closer look, and by researching the organization.
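The two manual checks the post keeps coming back to (look at the real sender address behind the display name, and hover over a link to see the full domain it really points to) can be automated. The following is an added example, not code from the post or from Webroot; the sender header and HTML body are constructed to resemble the bank alert described above, and the "last two labels" domain rule is a deliberate simplification.

```python
# Added example (not the post's code); the header and body below are constructed.
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Modelled on the bank alert described above: brand in the display name, lookalike link.
FROM_HEADER = '"Bank of America Alerts" <alerts@secure-login-check.example>'
HTML_BODY = """<p>Click <a href="http://bankofamerica.com.verify-account.example/login">www.bankofamerica.com</a>
to restore access, or read <a href="https://www.bankofamerica.com/help">our help page</a>.</p>"""

class LinkCollector(HTMLParser):
    """Pair every <a href> with the text the reader actually sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(url):
    """Registrable domain, naively the last two labels (enough for this sample)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return ".".join(host.split(".")[-2:])

LOOKS_LIKE_HOST = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def suspicious_links(html):
    """Links whose visible text names a domain other than the one the href leads to."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if LOOKS_LIKE_HOST.fullmatch(text) and base_domain(text) != base_domain(href)]

def sender_name_mismatch(from_header):
    """True when no word of the display name appears in the real sender's domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    words = [w for w in re.findall(r"[a-z0-9]+", name.lower()) if len(w) > 2]
    return bool(words) and not any(w in domain for w in words)
```

On the constructed message the first link is flagged because the hover target lands on verify-account.example even though the visible text says bankofamerica.com, and the display name is flagged because none of its words appear in secure-login-check.example.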

Update your direct deposit to receive your tax refund. The IRS warns of last-minute email phishing scams that take advantage of everyone’s desire for hard-earned refunds and, no doubt, their banking credentials.

Read between the lines

  1. Enable an email spam filter
  2. Hover over links before you click
  3. Keep your cybersecurity software up to date
  4. Disable macros to avoid ransomware payloads
  5. Ignore unsolicited emails and attachments
  6. Be on the lookout for the top 5 tax season scams
  7. Educate yourself on social engineering attacks
  8. Check the Federal Trade Commission’s scam alerts

Help us create awareness around scams and phishing attacks with dangerous subject lines. Education to adopt safer online habits should be top priority. So, share this blog with your colleagues.

Rush, Mike. “7 Dangerous Subject Lines.” Webroot, April 2017.

Posted in: E-mail, Security
