Blog

Archive for Security

How to export saved passwords from Chrome to a CSV file

This process shows you how to export your passwords stored in Chrome into a CSV file, so that you are able to import your account credentials into a password manager. However, there’s one big caveat.

At first blush, you may think I’ve lost my mind. Wouldn’t exporting passwords to a text-based CSV file be insecure? Although that may be true, when you want to migrate your passwords from Chrome to a password manager (especially when you have a large number of passwords), the last thing you want to do is rely upon your memory to recall all the URLs, usernames, and passwords. And if you’re migrating away from Chrome—which you might be so inclined to do after reading this piece—you’ll want to export those passwords, such that they can be imported into your password manager of choice.

I’m going to walk you through the process of exporting your password information from Chrome. How you then import that information into your password manager will depend upon the tool you use. Fortunately, many of the better password managers are capable of importing CSV files.

With that said, let’s take care of this.

What you’ll need

You’ll need a working version of Chrome. That’s it. As long as you’ve stored your passwords with that browser, you should be good to go.

A word of warning (IMPORTANT!!!)

This exported CSV file stores all your information in plain text. The idea here is to export the file, import it into a password manager, trash the exported CSV file, and then undo the process. If you leave that CSV file on your hard drive, you run the risk of leaving yourself exposed. If you don’t undo Chrome’s ability to export, someone could come along and export the file (more on that danger in a bit). Because of that, it is very important you delete that file after you’ve imported it into your password manager. Or you can always save that file to a USB drive, and then lock that drive up in a safe. Either way you go, make sure to protect that file at all costs.

Exporting

The first thing to do is enable password exporting. To do that, open Chrome and type chrome://flags/ in the address bar and hit Enter. In the resulting window type Password export in the search field. When the search result appears, select Enable from the drop-down.

You will then be prompted to restart Chrome. When Chrome restarts, click on the menu button (three horizontal lines in the upper right corner) and click Settings. In the Settings window, click Advanced and scroll down to Manage passwords. Click the three vertical dots associated with Saved passwords and then click Export.

When prompted, click the EXPORT PASSWORDS button and save the .CSV file.

You can now import that newly downloaded file into your password manager.

Undoing your work

First off, remember to delete that file or tuck it away for safekeeping. Once you’ve done that, go back to Chrome, type chrome://flags in the address bar, search for Password export, and disable the feature (set to Default). Relaunch Chrome and the feature will no longer be available.
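As an added example that is not part of the article or of Chrome itself: a script that parses the exported CSV, reports passwords reused across sites (the exposure the article warns about), and overwrites the file before deleting it. It assumes the export’s columns are name, url, username and password.

```python
import csv
import io
import os
import tempfile
from collections import defaultdict

# Constructed sample export. The column names are an assumption about Chrome's
# layout (name,url,username,password); parse_chrome_export() refuses anything else.
SAMPLE_EXPORT = """name,url,username,password
example-bank,https://bank.example.com/login,alice,S3cretBank!
forum,https://forum.example.org/,alice,hunter2
shop,https://shop.example.net/account,alice@example.com,hunter2
mail,https://mail.example.com/,alice,correct horse battery staple
"""

REQUIRED_COLUMNS = {"name", "url", "username", "password"}


def parse_chrome_export(text):
    """Return the export's rows as dicts, skipping entries with an empty password."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"unexpected export layout, missing columns: {sorted(missing)}")
    return [row for row in reader if row.get("password")]


def find_reused_passwords(rows):
    """Map each password used on more than one site to the URLs of those sites."""
    sites_by_password = defaultdict(list)
    for row in rows:
        sites_by_password[row["password"]].append(row["url"])
    return {pw: urls for pw, urls in sites_by_password.items() if len(urls) > 1}


def audit_export_file(path):
    """Read an export file and report reuse without echoing the passwords themselves."""
    with open(path, newline="", encoding="utf-8") as f:
        reused = find_reused_passwords(parse_chrome_export(f.read()))
    for urls in reused.values():
        print(f"one password is shared by {len(urls)} sites: {', '.join(urls)}")
    return reused


def shred_export(path):
    """Overwrite the plaintext export with zeros, then unlink it.

    The overwrite is best-effort: SSD wear levelling, snapshots and journaling
    filesystems can keep old blocks, so full-disk encryption is the real safeguard.
    Returns True once the path no longer exists."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\0" * size)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return not os.path.exists(path)


def run_demo():
    """Write the constructed sample to a temp file, audit it, shred it; return (reuse report, shredded)."""
    tmpdir = tempfile.mkdtemp(prefix="chrome-export-")
    path = os.path.join(tmpdir, "Chrome Passwords.csv")
    with open(path, "w", newline="", encoding="utf-8") as f:
        f.write(SAMPLE_EXPORT)
    reused = audit_export_file(path)
    return reused, shred_export(path)


if __name__ == "__main__":
    report, gone = run_demo()
    print(f"{len(report)} reused password(s); export file removed: {gone}")
```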

THE BIG CAVEAT (IMPORTANT!!!)

Unfortunately, Chrome no longer allows the browser to use a password for profile locks. Because of this, you might consider deleting Chrome from your desktop, if you are migrating to Firefox for example and aren’t planning on using Google’s browser. Otherwise, someone with the understanding of how to export passwords could gain access to that data by following the above process.

In the end, the last thing you should do is allow Chrome to save your passwords. If you do, and a malicious user has access to your browser, there’s nothing keeping them from exporting your passwords to a file and using them to gain access to your accounts. Lock those passwords away in a password manager, and remove the passwords from Chrome (Chrome | Settings | Advanced | Manage Passwords).

Consider this a word of warning.

Wallen, Jack. “How to export saved passwords from Chrome to a CSV file” TechRepublic, March 22, 2018

Posted in: IT Support, Mobile Computing, Security


How to Lock Down Your Facebook Privacy Settings

Facebook deserves a lot of the flack it gets, be it for providing Russian propaganda with a platform or gradually eroding privacy norms. Still, it has some genuine usefulness. And while the single best way to keep your privacy safe on Facebook is to delete your account, taking these simple steps in the settings is the next best thing.

Remember, it’s not just friends of friends you need to think about hiding from; it’s an army of advertisers looking to target you not just on Facebook itself, but around the web, using Facebook’s ad platform. In the video above and the post below, we’ll show you how to deal with both.

Fine-Tuning Friends

Limiting who can see which of your posts is an easy first step. On a desktop, go to the little dropdown arrow in the upper-right corner, and click Settings. From there, click on Privacy on the left-hand side. This is where the magic happens.

Under Who can see my stuff, click on Who can see your future posts to manage your defaults. You can make posts public to anyone at all, limit them to your friends, or exclude specific friends. You can quarantine your posts by geography, or by current or previous employers or schools, or by groups. Just remember that the next time you change it, the new group becomes the default. So double check every time you post.

This section has other important privacy tools you can fiddle with, including who can look you up with your email address or phone number. We’d recommend not listing either in the first place, but if you do, keep the circle as small as possible. (If you do have to share one or the other with Facebook for account purposes, you can hide them by going to your profile page, clicking Contact and Basic Info, then Edit when you mouse over the email field. From there, click on the downward arrow with two silhouettes to customize who can see it, including no one but you.)

But pay special attention to the option to (deep breath) Limit the audience for posts you’ve shared with friends of friends or public? If you ever had a public account, taking it private wasn’t retroactive. If you want to hide those previously viewable posts, lock this setting down.

Over on Timeline and Tagging you can control what shows up on your own Facebook timeline. Basically, you can’t stop your friends from tagging you (sorry!), but you can stop those embarrassing photos from popping up on your page. At the very least, you should go to Review posts you’re tagged in before the post appears on your timeline, and enable that so that you can screen any tags before they land on your page.

To test out your changes, go to Review what other people see on your timeline. You can even see how specific people view your page, like your boss or your ex or complete strangers. It also never hurts to take stock of how you present yourself to the world. (Looking at you, people who haven’t updated your cover photo since the Obama administration.)

That should about cover your friends. Now onto advertisers, which are like friends, except they never leave you alone, even if you ask nicely.

Ad It Up

In that same Settings panel, head down to Ads. As you probably realized, Facebook knows what you do pretty much everywhere online. So does Google, so do dozens of ad networks you’ve never heard of. You’re being tracked pretty much all the time, by everyone, thanks to this here internet.

You can still limit how Facebook uses that information, though. Tired of that lawnmower you looked at following you to Facebook? Turn off Ads based on my use of websites and apps. Saying no to Ads on apps and websites off the Facebook companies does the same, except for all the sites Facebook serves ads to around the web. Which is most of them.

Lastly, for some fun insight into how advertisers think of you, click on Your Interests. There you’ll find all the categories Facebook uses to tailor ads for you. You can remove any you don’t like, and marvel at the ones that don’t make any sense. This won’t make the ads go away, but at least you can banish all those off-brand kitchen gadgets from your News Feed.

And you’re good! Or at least, as good as can be expected. It’s still Facebook, after all.

Barrett, Brian. “How to Lock Down your Facebook Privacy Settings,” Wired, Security, November 14, 2017

Posted in: Security, Social Media Marketing


Ransomware Can Destroy Backups in Four Ways

I just found a very interesting blog post by Jerome Wendt, President & Lead Analyst of DCIG, Inc., an independent storage analyst and consulting firm.

He started out with “The prevailing wisdom is that if you back up your data you can recover from a ransomware attack. While this premise generally holds true, simply backing up your data no longer provides an absolute guarantee that you can recover from a ransomware attack. Here are three techniques that ransomware may use to circumvent existing backups and make your “good” backups bad.” I have added number 4 at the end as a bonus.

And then he described three bad guy tactics to ruin your backups:

  • Finding and encrypting backups on network file shares. Many backup products back up data to file shares accessible over corporate networks. Further, many organizations use the default directory name created by these backup products to store these backups. The default names of these directories are readily accessible in the documentation published by backup providers. Some creators of ransomware have figured this out. As part of the malware that finds and encrypts data on production servers, they also probe corporate networks for these default backup directories and encrypt the backups in these directories. In so doing, they increase the possibility that companies cannot recover from backups.
  • Hacking the backup software’s APIs. A number of enterprise backup software products offer their own application programming interface (API). Using these APIs, organizations can write to them to centralize backup and recovery under their broader data center management platform. However, ransomware creators can also access these published APIs for nefarious purposes and use them to corrupt and/or encrypt existing backups.
  • Plant a ransomware “time bomb.” To date, when ransomware encrypts a company’s data, the encryption generally occurs as soon as or shortly after it gets onto the corporate network. However, ransomware continues to evolve and mature and, as it does so, it grows both more patient and more insidious. Rather than encrypting data as soon as it breaches the corporate firewall, it begins to infect the data but does not immediately encrypt it. Then, only after days, weeks, or months go by and this infected data has been backed up for months does it initiate the encryption of the corporate data. In many respects, this is the worst type of ransomware attack. Not only is all of a company’s production data encrypted, the company thinks it has “good” backups and when it goes to restore the data, the restored data encrypts as well because it was infected when it was backed up. This may make it almost impossible for an organization to determine when it was initially infected and which of their backed up data they can reliably and confidently restore.
  • Delete your Shadow copies. You know about this one, several major strains have been doing this for a few years now, and are constantly improving this part of their malicious code.
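A defender-side check for the first three tactics, added here and not from Wendt’s post or KnowBe4: record a hash manifest when a backup is written and verify it later, tagging files whose bytes look like ciphertext. It assumes the backup is a directory of files and that the manifest is kept somewhere the backup host cannot overwrite it.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 to 8.0). Ciphertext sits near 8.0; text and SQL dumps far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(backup_dir):
    """Map each file's path (relative to backup_dir) to its SHA-256.

    Record this when the backup is written and keep it where the backup host cannot
    write (offline copy or an immutable bucket); otherwise the same malware that
    rewrites the backups can rewrite the manifest."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return manifest


def _classify(backup_dir, rel, base, threshold):
    with open(os.path.join(backup_dir, rel), "rb") as f:
        sample = f.read(1 << 16)  # the first 64 KiB is enough to gauge entropy
    return base + "-high-entropy" if shannon_entropy(sample) >= threshold else base


def verify_backup(backup_dir, manifest, entropy_threshold=7.5):
    """Compare the tree with the manifest.

    Returns {relpath: status}, status being one of ok, missing, modified,
    modified-high-entropy, unexpected, unexpected-high-entropy. The hash mismatch is
    the primary signal; entropy only hints at encryption. Compressed archives (zip,
    gzip, many backup formats) are naturally high-entropy, so for those rely on the
    manifest plus a format check rather than the entropy tag."""
    current = build_manifest(backup_dir)
    report = {}
    for rel, digest in manifest.items():
        if rel not in current:
            report[rel] = "missing"
        elif current[rel] != digest:
            report[rel] = _classify(backup_dir, rel, "modified", entropy_threshold)
        else:
            report[rel] = "ok"
    for rel in current:
        if rel not in manifest:
            report[rel] = _classify(backup_dir, rel, "unexpected", entropy_threshold)
    return report


def run_demo():
    """Constructed scenario: two plain-text SQL dumps are backed up, then tampered with."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    for name in ("db-monday.sql", "db-tuesday.sql"):
        with open(os.path.join(root, name), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'widget', 9.99);\n" * 200)
    manifest = build_manifest(root)
    clean = verify_backup(root, manifest)
    # Simulate tampering: one dump replaced by ciphertext-like random bytes, one deleted, a note dropped.
    with open(os.path.join(root, "db-monday.sql"), "wb") as f:
        f.write(os.urandom(4096))
    os.remove(os.path.join(root, "db-tuesday.sql"))
    with open(os.path.join(root, "HOW_TO_RECOVER.txt"), "w") as f:
        f.write("files on this share were replaced\n" * 20)
    return clean, verify_backup(root, manifest)


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after: ", after)
```

Run the verification from a host that mounts the share read-only, on a schedule, so a time-bomb strain that alters backups weeks after infection still shows up as a hash mismatch before the backups age out.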

Wendt concluded: “Ransomware arguably represents one of the most insidious and dangerous threats that organizations currently face to the health of their data. The inability to access and recover from a ransomware attack may put the very survival of a company at risk.

“To counter this risk, many look to backup software as their primary means to recover from these attacks. But as ransomware takes aim at backup software, organizations need to take a fresh look at their backup software to make sure that it has the right set of features to counter these newest forms of ransomware attacks to ensure they have a verifiable path to recovery.”

Excellent advice!

Sjouwerman, Stu. “Ransomware Can Destroy Backups in Four Ways” KnowBe4 CyberheistNews Vol7 #37 Sept 2017

Posted in: Security


Hey, Turn Bluetooth Off When You’re Not Using It

You intuitively know why you should bolt your doors when you leave the house and add some sort of authentication for your smartphone. But there are lots of digital entrances that you leave open all the time, such as Wi-Fi and your cell connection. It’s a calculated risk, and the benefits generally make it worthwhile. That calculus changes with Bluetooth. Whenever you don’t absolutely need it, you should go ahead and turn it off.

Minimizing your Bluetooth usage minimizes your exposure to very real vulnerabilities. That includes an attack called BlueBorne, announced this week by the security firm Armis, which would allow any affected device with Bluetooth turned on to be attacked through a series of vulnerabilities. The flaws aren’t in the Bluetooth standard itself, but in its implementation in all sorts of software. Windows, Android, Linux, and iOS have been vulnerable to BlueBorne in the past. Millions could still be at risk.

So, yeah, turn off Bluetooth if you’re not using it or if you’re near anyone you don’t trust. There might be some inconvenience when you bring your laptop to your desk and want it to connect to a Bluetooth mouse and keyboard. You might end up flipping the switch fairly often to use Bluetooth headphones. But you likely don’t use Bluetooth most of the time. Even if you lean on it all day at work, you can ditch it at a birthday dinner or when you’re asleep. And if you use it 24/7 on your phone because of a peripheral like a smartwatch, you can at least turn it off on your other devices, especially any Bluetooth-enabled internet of things gear.

“For attackers it’s Candy Land,” says David Dufour, vice president of engineering and cybersecurity at the security firm Webroot. “You sit with a computer with a Bluetooth-enabled radio—just scanning for devices saying, ‘Hey, is anybody out there?’ Then you start prodding those devices to look for things like the operating system and the Bluetooth version. It’s a hop, skip, and a jump to start doing bad stuff.”

BlueBorne

As overall device security improves, researchers and attackers alike have turned to ancillary features and components to find ways in. In July, researchers announced a bug in a widely used Broadcom mobile Wi-Fi chip that put a billion devices at risk before it was patched. And in 2015, researchers found a critical flaw in Apple’s Airdrop file-sharing feature over Bluetooth.

And then there’s BlueBorne. Apple’s iOS hasn’t been affected by the flaws since the 2016 iOS 10 release, Microsoft patched the bugs in Windows in July, and Google is working on distributing a patch (though this can take significant time). But in addition to endangering core devices such as smartphones and PCs, BlueBorne has implications for the billions of Bluetooth-equipped internet of things devices in the world including smart TVs, speakers, and even smart lightbulbs. Many of these devices are built on Linux and don’t have a mechanism for distributing updates. Or even if they do, they rarely receive them in practice. Linux is working on but hasn’t yet issued a BlueBorne patch.

“We wanted to get the research community on board with this, because it didn’t take us a long time to find these bugs, one thing kind of led to another and we found eight really severe vulnerabilities,” says Ben Seri, the head of research at Armis. “Our assumption is there are probably a lot more. We want to get eyes and ears on this type of thing because it’s largely gone neglected by the research community and by vendors over the past years.”

When Bluetooth is on in a device, it is constantly open to and waiting for potential connections. So a BlueBorne attack starts by going through the process Webroot’s Dufour describes—scanning for devices that have Bluetooth on and probing them for information such as device type and operating system to see if they have the relevant vulnerabilities. Once an attacker identifies vulnerable targets, the hack is quick (it can happen in about 10 seconds) and flexible. The impacted devices don’t need to connect to anything, and the attack can even work when the Bluetooth on the victim device is already paired to something else. BlueBorne bugs can allow attackers to take control of victim devices and access—even potentially steal—their data. The attack can also spread from device to device once in motion, if other vulnerable Bluetooth-enabled targets are nearby.

As with virtually all Bluetooth remote exploits, attackers would still need to be in range of the device (roughly 33 feet) to pull off a BlueBorne attack. But even with the extensive and productive BlueBorne patching that has already happened, there are still likely plenty of vulnerable devices in any populated area or building.

The Best Defense

The importance of Bluetooth defense has become increasingly clear, and the Bluetooth Special Interest Group, which manages the standard, has focused on security (particularly cryptography upgrades) in recent versions. But attacks like BlueBorne that affect individual implementations of Bluetooth are attracting attention as well. “Attacks against improperly secured Bluetooth implementations can provide attackers with unauthorized access to sensitive information and unauthorized use of Bluetooth devices and other systems or networks to which the devices are connected,” the National Institute of Standards and Technology noted in its extensive May “Guide to Bluetooth Security” update.

You can’t control if and when devices get patched for newly discovered Bluetooth vulnerabilities, and you’re probably not going to stop using Bluetooth altogether just because of some possible risks. But apply every patch you can, and keep Bluetooth off when you’re not using it. “With security everything is kind of like the flavor of the week,” Webroot’s Dufour says. “So this week it’s Bluetooth.”

Security’s often a matter of weighing risk and reward, defense versus convenience. In the case of Bluetooth, it’s an easy call.

Hay Newman, Lily. “Hey, Turn Bluetooth Off When You’re Not Using It” Wired September 13, 2017

Posted in: Security


6 Easy Opt-Outs to Protect Your Privacy

How to shrink your exposure to telemarketers, bulky catalogs, and online data mining

Marketers want your personal data and they’re willing to work hard to get it. The result can be a barrage of unsolicited mail, telemarketing calls, and pop-up ads.

You can cut down on those offers by signing up with the Do Not Call Registry and other services, some set up by industry groups. The World Privacy Forum’s Top 10 Opt Outs is a comprehensive resource of websites and organizations that help consumers reduce the amount of marketing material coming their way.

But you can also accomplish a lot, more quickly, with the whittled-down data-collection cleanse outlined below.

Not all of the online forms you’ll be accessing are equally simple to navigate. Follow these tips for cutting through the clutter and the whole six-step exercise can take under 10 minutes to complete. (I got it down to 9 minutes, 8 seconds.) That’s less time than it takes to do the dishes, and it will help make your inbox equally sparkly and clean.

Let’s start with pesky telemarketing calls.

1. National Do Not Call Registry

You know those annoying calls from “Heather at account services?” The National Do Not Call Registry helps you prevent such unsolicited intrusions from telemarketers.

Where to go: The FTC’s National Do Not Call Registry provides one-stop shopping for telemarketer opt-outs.

How it works: Once you get to the Registry you’re given two options: 1) to register or 2) to check to see if you’re registered. The straightforward form allows you to provide up to three lines; I registered my cell, my home landline, and my office line in just seconds.

What you’ll need: You have to provide a valid e-mail address to receive confirmation e-mails—one for each phone number you register—those confirmations arrived in my inbox almost instantly. When I clicked on the link in each e-mail, I was done.

2. Prescreened Credit Offers

Is your mailbox filled with “pre-approved” credit card offers? Lenders send out those solicitations after buying lists of potential borrowers from major credit reporting firms such as Equifax, Experian, and TransUnion. You can stop that cycle at the source. (This Federal Trade Commission FAQ page explains pre-screened credit.)

Where to go: The Consumer Credit Reporting Industry website, or call 888-567-8688.

How it works: The online form lets you opt out for five years. If you want to opt out permanently, you need to print out, fill out, and mail back an old-school paper form. Maddeningly, to get access to the paper form you first need to fill out another form online. You might want to do the quick-and-easy online opt-out first, and then go back and do the paperwork for the permanent opt-out later.

What you’ll need: Your Social Security number. I’ll admit I felt a little uncomfortable entering my SSN, but the reality is that if you’re getting these offers, the credit reporting agencies have this information anyway.

How long it took: 1 minute, 24 seconds (not including the time to fill out and mail the permanent opt-out form).

3. DMA Choice

I like the fall Pottery Barn catalog as much as the next guy—until I have to carry 20 pounds of mixed paper to the curb on recycling day. The opt-out program set up by the Data & Marketing Association won’t solve that problem completely, but it will reduce the volume of mail coming in.

Where to go: Head to DMA Choice.

How it works: This is a two-stage process. First, you register with DMA, providing an e-mail, password, and credit card information, including your zip code. Once you’re logged in, you get steered to a menu with three options. Clicking on the Catalogs/Magazines/Other Mail Offers link opens a daunting alphabetical list of companies. Ignore it. Head instead to Stop All Catalogs and click on Remove My Name. The site will ask you if you’re sure, at which point you click on Yes, Take Me Off and confirm your address.

What you’ll need: A credit card. You have to pay $2 for the online opt-out and $3 if you mail in the form. There are free opt-outs for caregivers and those with a deceased relative.

How long it took: 3 minutes, 12 seconds (including the time spent entering my credit card information to pay the small fee).

4. FERPA

Public school enrollment information about your children doesn’t have to be public. FERPA, the Family Educational Rights and Privacy Act, gives parents and students the right to keep a range of directory-style information private, such as the student’s address, place of birth, and dates of attendance at the school. The catch is, you have to request this.

Where to go: Since the FERPA opt-out procedure is district-specific, there’s no national online clearing house. You need to request a form from your local school district or print out the generic one on the WPF website, which you can then submit to local officials.

How it works: The WPF form is reasonably straightforward. You enter a little info about your student, along with your opt-out preferences. Many school districts only accept FERPA opt-outs at the beginning of the school year, so don’t delay.

What you’ll need: The forms vary somewhat, but there’s a good chance you’ll need to provide a student ID number.

How long it took: 40 seconds (not including the time to fill out the printed form and return it to the school).

5. Banks and Other Financial Institutions

The information collected and distributed by banks varies widely. Since that information can include very sensitive information such as account balances, it’s worthwhile to take the time to protect it.

Where to go: The Federal Deposit Insurance Corporation explains your rights and opt-out options, but does not provide a universal opt-out for financial institutions. The WPF site, however, includes an opt-out list for many large institutions, including Bank of America, Chase, Wells Fargo, and Citibank (1-888-214-0017).

How it works: I bank at Chase. So using the link above, I entered my account information and checked off all the options provided, instructing the bank not to share information about my creditworthiness or other personal information with affiliates and third parties for marketing purposes.

What you’ll need: Your account number and your Social Security number. If you have multiple accounts, you only need to enter the info for one. Don’t forget about your mortgage and investment accounts.

How long it took: 52 seconds.

6. Data Brokers

Data brokers are clearing houses for much of the information that’s gathered about you online and used by marketers. Most don’t have easy opt-outs. But Acxiom, one of the biggest data brokers, is an exception.

Where to go: Acxiom’s website includes an opt-out page.

How it works: I checked Acxiom’s About the Data site, and discovered that the company knows quite a lot about me, ranging from my family status to my income and political affiliations. Some of the information was surprisingly accurate, while other parts were flat-out wrong. You can, however, skip this step and go straight to the opt-out form.

What you’ll need: A little advance research. You’ll want to register your name, but also common misspellings, any maiden name, names from previous marriages, addresses dating back as far as you can recall, and all of your e-mail addresses.

How long it took: 1 minute, 30 seconds. The form itself is quite simple to use, but the dropdown menus slow things down a bit, as does the CAPTCHA confirmation that you’re a human, not a robot.

St. John, Allen. “6 Easy Opt-Outs to Protect Your Privacy” Consumer Reports September 2017

Posted in: Security, Tech Tips for Business Owners


Scrap Everything You Know About Creating Strong Passwords And Do This Instead

You know the drill: make a password with a hodgepodge of special characters, numbers, and letters, then change it periodically – or just ignore change alerts until a hacking scandal suddenly arises.

You may want to rethink your strategy.

Bill Burr, the man behind how we commonly think of devising passwords, recently told The Wall Street Journal, “much of what I did I now regret.”

The password creation shakeup

The retired 72-year-old was reportedly a manager at The National Institute of Standards and Technology (NIST) back in 2003 when he wrote “NIST Special Publication 800-63. Appendix A,” featuring the password guides we’ve held true for years now.

According to The Wall Street Journal, this included, namely, the rule that passwords should be a combination of numbers, special characters, and uppercase letters, which you change every 90 days.

Why is Burr changing his tune years later?

He reportedly had to produce the rules quickly and wanted them to be based on research, but he had no “empirical data on computer-password security.” So he turned to a white paper from the 1980s.

Burr told The Wall Street Journal that his advice has led people astray because those rules were probably too challenging for many to understand and caused people to use passwords that were not too difficult to crack.

In June, the NIST released new guidelines, which don’t call for “special characters” or changing passwords frequently anymore. Instead, the NIST says the rules now preach “long, easy-to-remember phrases” and just coming up with new ones “if there is a sign they may have been stolen.”

An xkcd comic by Randall Munroe from August 2011 shows that figuring out the password “Tr0ub4dor&3” would take three days to solve, according to the cartoonist’s calculations, compared to the words “correct horse battery staple” typed as a single word, which would take a staggering 550 years to solve. Computer-security specialists found this to be true.

Be careful changing passwords

You may also want to rethink how often you update your password. This practice can place us at risk if we take the wrong approach.

When we repeatedly change passwords, we don’t always change them properly.

Professor Alan Woodward of the University of Surrey told BBC News that NIST publications have a far reach, giving the rules “a long lasting impact.” But he also mentioned “a rather unfortunate effect”:

For example, the more often you ask someone to change their password, the weaker the passwords they typically choose. . . . And, as we have all now so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems.

Steer clear of these password options

So if you’re looking to change your password soon, don’t pick these.

SplashData, which supplies password management applications, released the 2015 version of its “Worst Passwords List.” Here are the top 10 worst ones featured:

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball

Morgan Slain, CEO of SplashData commented on the findings in a statement.

We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers…As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.

Embracing the new way of thinking when it comes to passwords just might keep your online accounts out of harm’s way.
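The arithmetic behind the xkcd comparison above, together with the list-based check NIST now favours over character-class rules, as an added example that is not part of the article. It assumes the comic’s model (an online attacker at 1,000 guesses per second, 11 bits per word from a 2,048-word list, and the comic’s rough per-tweak bit counts for the munged word) and an assumed 10 billion guesses per second for an offline attack on a fast hash.

```python
import math

# Top 10 from SplashData's 2015 list as reprinted above.
WORST_2015 = ["123456", "password", "12345678", "qwerty", "12345",
              "123456789", "football", "1234", "1234567", "baseball"]

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
ONLINE_GUESSES_PER_SECOND = 1_000              # the comic's rate: a throttled web login
OFFLINE_GUESSES_PER_SECOND = 10_000_000_000    # assumed GPU rate against a fast unsalted hash


def munged_word_bits(base_word=16, capitalisation=1, substitutions=3,
                     numeral=3, punctuation=4, order=1):
    """Approximate accounting (after the comic) for a 'Tr0ub4dor&3'-style password.

    An uncommon base word is worth about 16 bits; each of the usual tweaks is so
    predictable that it adds only a few bits rather than a whole extra alphabet."""
    return base_word + capitalisation + substitutions + numeral + punctuation + order


def passphrase_bits(word_count, wordlist_size=2048):
    """Entropy of word_count words chosen uniformly (e.g. by dice) from a wordlist_size-word list.

    Four words from 2048 give 44 bits, the comic's 'correct horse battery staple' figure.
    This only holds if the words really are chosen at random, not a memorable phrase."""
    return word_count * math.log2(wordlist_size)


def crack_seconds(bits, guesses_per_second=ONLINE_GUESSES_PER_SECOND):
    """Time to exhaust all 2**bits candidates at the given rate (the attacker's worst case)."""
    return 2 ** bits / guesses_per_second


def crack_days(bits, guesses_per_second=ONLINE_GUESSES_PER_SECOND):
    return crack_seconds(bits, guesses_per_second) / SECONDS_PER_DAY


def crack_years(bits, guesses_per_second=ONLINE_GUESSES_PER_SECOND):
    return crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR


def is_blocklisted(password, blocklist=WORST_2015):
    """The newer NIST approach: reject candidates found on known-bad lists, case-insensitively."""
    return password.strip().lower() in {p.lower() for p in blocklist}


def evaluate(password, bits):
    """Summarise a candidate: blocklist hit plus online and offline exhaustive-search times."""
    return {
        "blocklisted": is_blocklisted(password),
        "bits": bits,
        "online_days": crack_days(bits),
        "offline_seconds": crack_seconds(bits, OFFLINE_GUESSES_PER_SECOND),
    }


if __name__ == "__main__":
    # Online guessing: 28 bits falls in about 3 days, 44 bits in about 550 years.
    # Offline against a fast hash even 44 bits lasts under half an hour, which is why
    # the site must also hash with a slow, salted algorithm; the passphrase alone is not enough.
    for pw, bits in (("Tr0ub4dor&3", munged_word_bits()),
                     ("correct horse battery staple", passphrase_bits(4))):
        print(pw, evaluate(pw, bits))
    print("password", evaluate("password", 0))
```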

Burnett, Jane. “Scrap everything you know about creating strong passwords and do this instead” Ladders (theladders.com) August 2017


You can go to the site www.HaveIBeenPwned.com, put in your login names one at a time (ex: Jkalli, JohnKalli, Jkalli@trinityww.com, etc. – whatever login names you might have) and it will tell you if it has ever been part of a hack. If so, change the login/password combination wherever you might have used it.

Also, go to www.passfault.com to see how long it would take a hacker to crack your password.

Posted in: Security


Unsubscribing from Spam Only Makes It Worse

The last time I checked my spam folder, I noticed a few messages included an unsubscribe link. Well that’s nice, I thought. Maybe spammers realize that some people will never respond, so they want to trim their lists for efficiency. I clicked “unsubscribe.” That was a mistake.

While “legit companies” honor unsubscribe requests, says the McAfee Labs blog, “shady” ones just use the unsubscribe buttons to confirm your address and send you more spam. Sophos blogger Alan Zeichick says that clicking unsubscribe tells the spammer you opened their email, possibly because you were interested or suspected it was real. By visiting the spammer’s fake unsubscribe page, you’re giving them your browser info and IP address, and even opening yourself up to malware attacks.

If an email looks like truly shady spam (and not just a newsletter you’re sick of reading), don’t click any links. Just mark it as spam and move on.

Douglas, Nick. “Unsubscribing from Spam Only Makes It Worse” Lifehacker June 2017

Posted in: E-mail, Security


‘Smishing’ Is Internet Scammers’ New Favorite Trick. Here’s How to Avoid It

Internet scam artists are moving beyond your email inbox and targeting your text messages instead. With this new scam, called “smishing,” scammers are trying to get you to send them your personal information that could help them access your bank account or other online profiles. Here’s what you should know.

What are smishing scams?
“Smishing” scams are so named because they’re like a phishing email, except sent via SMS, the technology underlying the typical text message. They often prey on people’s panic or sense of urgency, according to Jason Hong, associate professor at Carnegie Mellon University’s Human-Computer Interaction Institute. For example, one fraudulent message might appear to be a warning from your bank about an unauthorized charge.

“That’s one of the main ways they try to trick you,” says Hong. “There’s an urgency to the message. There’s something that needs your attention right now.”

How can you avoid smishing scams?
Hong says you should make sure to use different passwords for everything from your bank’s website and social media apps to your email account. Two-factor authentication and password managers like Dashlane and 1Password can also be useful. And in the hypothetical case outlined above, you should call your bank or credit card company directly to verify the alert, rather than clicking any links in suspicious text messages.

Unfortunately, there’s no foolproof way to block smishing messages entirely, says Steve Wicker, a computer engineering professor at Cornell University. Wicker says the best course of action is to be vigilant for suspicious text messages, just like you should watch out for strange emails. One tip: Look out for text messages from phone numbers that clearly appear fake or suspicious.

Another warning: Wicker says some scammers may be able to make their messages look like they’re coming from a person you know and trust. So if you get a weird message from a friend, it’s a good idea to call them back on the phone and check if they actually sent the text.

Why are scammers using smishing scams?
Scammers could have one of several motives, Hong says. They could be trying to steal a victim’s identity, to access their bank account, or to blackmail them into giving out personal or company secrets.

“That’s where the money is,” Hong added. “People are getting more suspicious of emails. Companies like Google and Yahoo are getting better at detecting fake accounts and shutting them down. So the next easiest thing for [a scammer] to do is to go to mobile.”

Is smishing a new phenomenon?
Smishing scams have been around since as early as 2008, but experts say they are becoming more prevalent. They’re also popping up on all sorts of messaging apps, not just simple text messages.

“This is impacting all systems in the mobile arena, it’s not just limited to one system,” says William Beer, who works on cybersecurity matters for professional services firm EY, previously known as Ernst & Young. “There’s never 100% security on any app, whether they be desktop or mobile.”

Segarra, Lisa Marie. “‘Smishing’ Is Internet Scammers’ New Favorite Trick. Here’s How to Avoid It” Fortune, Security July 2017

Posted in: Mobile Computing, Security

‘Major scale’ malware targets your Mac through email scams

Mac users are increasingly being targeted by malware after years of being relatively safe, and that means they’re facing attacks that other users have unfortunately come to expect for a while. Check Point researchers have discovered Dok, the first “major scale” trojan that targets macOS through an email phishing campaign. The bogus messages (usually aimed at European users) are meant to trick you into downloading a ZIP file that, if you launch it, gives the malware control over your system and lets attackers intercept your internet traffic to spy on your activity or impersonate websites. It’ll even delete itself when the intruders are done.

Like many attachment-based phishing attacks, you have to go out of your way to infect your system. You’re not going to get a Dok infection just by opening a message, thankfully. And if you do fall prey to the malware, iMore has instructions that will help you scrub your system clean. However, the rogue code also appears to rely on a faked certificate that bypasses Apple’s Gatekeeper screening, giving it carte blanche if you’re not careful. It might be easy to avoid, but it’s potentially very damaging if it gets through and you don’t look for warning signs.

More than anything, Dok serves as a reminder that you can’t assume you’re safe just because you use a non-standard platform. Malware writers still tend to target Windows simply because it represents the largest potential target, but some of them are willing to aim at Mac users in hopes of cornering an untapped “market” for victims.

Posted in: Security

4 Ways to Lock Your Windows 10 PC

Many of us are responsible not only for our own data but also for our clients’ data. Whether or not you are subject to compliance regulations such as those in the medical or financial services industries, it is vital to take seriously the security of the data entrusted to us.

Most importantly, you should never leave your PC unattended. But if you have to leave your Windows 10 PC alone for a period of time and don’t want to shut it down, we have a few alternatives for you.

Give these tips a try!

  1. Windows-L

Hit the Windows key and the L key on your keyboard. Keyboard shortcut for the lock!

  2. Ctrl-Alt-Del

Press Ctrl-Alt-Delete. On the menu that pops up, click Lock. Easy as 1, 2, 3 – done!

  3. Start button

Tap or click the Start button in the bottom-left corner. Click your user icon and then select Lock.

  4. Auto lock via screen saver

You can set your PC to lock automatically when the screen saver pops up. Go to Control Panel > Appearance & Personalization > Change screen saver and then check the box for On resume, display logon screen. You can also set a time for how long your PC should wait before starting the screen saver. Now, when you exit out of the screensaver, you’ll need to enter your system password to get back in.

With Windows 10 Creators Update, Microsoft moved this screen saver setting from the Control Panel to Settings. You can find it by going to Settings > Personalization > Lock screen > Screen saver settings.
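The four tips above are all done through the GUI. As an added example (not from the post), the PowerShell below does the same things from a script so they can be applied or audited consistently: it locks the session (equivalent to Windows-L), turns on the screen saver with the “On resume, display logon screen” behaviour, and reports the current state. The registry values under `HKCU:\Control Panel\Desktop` (`ScreenSaveActive`, `ScreenSaverIsSecure`, `ScreenSaveTimeOut`, `SCRNSAVE.EXE`) are the ones the Control Panel dialog writes; the function names, the 10-minute default and the choice of the blank screen saver are this example's own assumptions.

```powershell
# Added example: lock a Windows 10 session and enforce lock-on-resume from PowerShell.

# 1. Lock immediately (same effect as Windows-L). LockWorkStation is the
#    Win32 API behind the keyboard shortcut; rundll32 is the usual way to call it.
function Lock-Workstation {
    Start-Process -FilePath 'rundll32.exe' -ArgumentList 'user32.dll,LockWorkStation'
}

# 2. Enable the screen saver, require a logon on resume, and set the idle timeout.
#    These are the per-user values the "Change screen saver" dialog writes.
function Set-SecureScreenSaver {
    param(
        [int]$TimeoutSeconds = 600,   # assumption: 10 minutes idle before lock
        # assumption: the built-in blank screen saver; any .scr works
        [string]$ScreenSaver = "$env:SystemRoot\System32\scrnsave.scr"
    )
    $key = 'HKCU:\Control Panel\Desktop'
    Set-ItemProperty -Path $key -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $key -Name 'ScreenSaverIsSecure' -Value '1'   # "On resume, display logon screen"
    Set-ItemProperty -Path $key -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds"
    Set-ItemProperty -Path $key -Name 'SCRNSAVE.EXE'        -Value $ScreenSaver
}

# 3. Audit: will this user's session lock when the screen saver ends?
function Get-ScreenSaverLockState {
    $p = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    [pscustomobject]@{
        ScreenSaverActive = ($p.ScreenSaveActive -eq '1')
        LocksOnResume     = ($p.ScreenSaverIsSecure -eq '1')
        TimeoutSeconds    = [int]$p.ScreenSaveTimeOut
        ScreenSaver       = $p.'SCRNSAVE.EXE'
    }
}

# Usage: apply a 5-minute lock-on-resume policy, then show the result.
Set-SecureScreenSaver -TimeoutSeconds 300
Get-ScreenSaverLockState
```

The registry changes are read by Windows at the next logon (or when the screen saver settings dialog is reopened and saved); `Lock-Workstation` takes effect immediately. On a domain-joined machine, a Group Policy screen saver setting overrides these per-user values, so the audit function should be read alongside any policy that applies.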


Posted in: MS Office Tips and Tricks, Security