Category : Security

Shopper Safety – Beware of Fake Apps and Wifi Hotspots

shopper

Now that holiday shopping is upon us, security researchers are handing out advice on how to protect yourself and your information from cyber hacking. More and more shoppers use their smartphones while they are shopping, to compare prices and deals at other stores or online. Reports by RiskIQ, an enterprise security firm, estimates that 30 percent of Cyber Monday and Black Friday shopping will be done on a mobile device.

Cyber criminals are well aware that shoppers are relying heavily on their smartphones this holiday season. Noticing that many consumers often connect to free wifi hotspots while shopping, hackers have taken to setting up fake wifi zones to entice people into connecting. Consumers may see a wifi network available named “Macysfreewifi” and connect without even second guessing – often times the store isn’t even in the mall! If you see a wifi network labeled with a store name that is nowhere nearby, do not connect. The same goes for wifi networks set up with the word “free”, often these are bogus as well. Hackers will also monitor communications over legitimate networks that are poorly secured and not properly configured, but this is a more difficult process than getting an unsuspecting shopper to connect to a malicious network.

Hackers are also known to repackage legitimate applications so that the fake application they create looks almost identical to the real thing, in the hopes you will choose theirs instead. Sometimes hackers will create a completely fake application from scratch, such as “Amazon Rewards” that does not exist in the official app stores. Many times these fake apps will promise rewards or points for downloading. The fake Amazon Rewards app was found to be a trojan, spread by using fake Amazon vouchers and a link to a fake website sent via SMS text messages. The fake app even accesses the user’s contacts to send the vouchers to more mobile phones without permission.

This is not the first fake application, and it most certainly will not be the last. RiskIQ found 1 million applications that have been blacklisted for using brand names in the title or description of the application to trick consumers. The only real way to avoid such applications is to go directly to official application stores such as Google Play and Apple App Store to download applications.

Things To Remember:

  • Download applications only from official app stores

  • Beware of apps that ask for permissions to contacts, text messages, stored password or credit card information

  • Question applications that have rave reviews, they are easy to forge

  • If you do not understand the warning on your device, do not click continue

  • Update your device to the most current operating system

  • Disconnect from the network if your phone begins to act up or crash

 


If you would like to educate yourself in more detail about the information presented in this blog post please visit : www.computerworld.com 

 

Two Factor Authentication – What is it?

two factor authentication

Two Factor Authentication, or 2FA, takes a combination of generally accepted forms of authentication to further secure your login to big sites and applications such as Facebook, Microsoft, Google, Apple iCloud and others. This is an extra layer of protection that utilizes something you know such as a password, and something only you has, such as a cell phone or fingerprint. This is not necessarily a new idea, many of us use this everyday when making purchases with a credit card and asked to enter a zip code for verification.

There are 3 generally accepted factors of authentication:

  1. Something you know – such as a password

  2. Something you have – such as a hardware token like a cell phone

  3. Something you are – such as your fingerprint

Two Factor Authentication takes two of the above in order to secure your log in. Such that if you have 2FA enabled on Facebook for instance, when you attempt to log into Facebook on a new device or browser you will be asked to confirm this log in with a second form of authentication which can be any of the three described above.

This form of authenticating is especially advised for sites and applications that house your personal information, credit cards, location information, are tied to other accounts, and could otherwise affect your personal life such as email, social media – the list is endless!

A few big names have taken head to this advice by employing 2FA, although the process is not entirely seamless, great strides have been taken to make using 2FA as easy as possible. Look for 2FA on your favorite big name sites and applications.

Set up Google 2FA here 

Set up Apple 2FA here 

Set up Microsoft 2FA here


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit :

Windows 10 Vulnerability – Edge Browser users Safe

windows-10-cyber-threat-bug-558378

The vulnerability is called Strontium, found in Windows code. Google stumbled across the flaw, and wrote a blog post in late October stating the affects on Adobe’s Flash media player. Google’s policy concerning such critical vulnerabilities is to publish them actively seven days after Google has reported them to the software’s creator.

According to Google, the flaw exists in the Windows kernel and can be used as a “security sandbox escape”. Sandboxes are use in software in order to stop malicious or malfunctioning programs from reaching or otherwise damaging other parts of the machine.

Microsoft has acknowledged the flaw, but also criticized Google for releasing it before a fix was available, stating to a member of VentureBeat,

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” said a Microsoft spokesperson.  “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”

Microsoft Executive Vice President Terry Myerson, explained the vulnerability in more detail in his blog post on Tuesday. In order for the computer to be affected with the malware, it must first infiltrate Adobe;s Flash to gain control of the web browser. After which privileges are elevated in order to escape the browser’s sandbox. Finally the malware would be able to install a backdoor to provide access to the victim’s computer.

Those that are using Microsoft Edge browser are protected, as the browser prevents the installing of the backdoor. Everyone else is left to wait for the next available patch to solve the issue, which should be November 8th.

 


If you would like to educate yourself in more detail about the information presented in this blog post please visit: www.pcmag.com 

 

DDOS Attack: Mirai botnet hacks devices with default passwords

miraiWeak default usernames and passwords spawned the massive DDOS attack against internet connected cameras and DVRs. Most botnets use infected PCs to generate an attack. This botnet, Mirai, was of a different breed, specifically programmed to scan the internet searching for poorly secured products, and proceeding to try redundantly obvious and easily guessed passwords. When a poorly secured device was found the botnet attempted to log into the product with a login similar to “admin” and a password with some derivative of “12345”.

The botnet’s maker released the source code, which is programmed to try a list of over 60 password and username combinations. This list gained the botnet access to over 380,000 devices. Mirai also took down the website of security researcher Brian Krebs last month in a DDOS attack.

Unfortunately this could become a bigger problem, as devices connected to the internet, such as cameras and DVRs are not created with security in mind. Passwords are not required to be changed once installed, and on a hunch I can assume that most users are not using their strongest password for their DVR. Security researchers have noticed an upward trend in DDOS attacks, as botnets continue to attack poorly secured devices and infect the devices with malware.

Krebs went online and looked up default usernames and passwords and matched them to devices, creating a list of possibly susceptible devices to the Mirai botnet. Check it out and change your passwords.


If you would like to educate yourself in more detail about the information presented in this blog post please visit: www.techconnect.com 

 

 

Do this and not that – Mobile Malware

mobile-malware1

The three best practices to avoid mobile malware is to use an official app store, resist temptation to jailbreak your device, and keep updates current. Apple and Google app stores remain the most vigilant about mobile malware concerns. Google uses Verify Apps that runs in the background of modern Android systems to scan for spyware, ransomware, and fraudulent apps. The company also checks mobile apps that are submitted to the Google Play Store. Less than one out of every 10,000 devices that only downloads from the Google Play Store has a program in the malicious category.

Jailbreaking your device undermines much of the already pre-installed security on the phone. In addition to this, the ability to restrict applications from accessing personal data on the phone as well as validate applications is disabled. Basically, if you jailbreak your device you better have a pretty good understanding of technology, because you just became the sole provider of security for that device.

This may be a surprise to most, but vulnerabilities actually do not increase the likelihood on malware on mobile devices. Symantec’s Internet Security Threat Report released Apple iOS had nearly 8 times as many vulnerabilities as Android in 2014, but near all malware for that year were targeted at Android devices.

The reliance and increased functionality of mobile devices leads developers to push out updates and bug fixes as fast as possible. Users should pay attention to this and keep their applications and software updates current. Android users often wait to update because of the lengthy process involved, but the benefits usually out whey this inconvenience, especially considering Android devices are most susceptible for malware.

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: www.pcworld.com 

Cisco PIX firewall and IOS software security vulnerabilities

security

Cisco has released reports that a high priority security hole in its IOS software could have allowed hackers access to memory contents, and therefore confidential information, from more than one product in their lineup.

Cisco has pinpointed cause of the vulnerability to  “insufficient condition checks in the part of the code that handles [Internet Key Exchange] IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests.”

Network World 

IKEv1 is used in VPN applications such as LAN-to-LAN VPN, remote access VPN, Dynamic Multipoint VPN, and Group Doman of Interpretation. To address the vulnerability Cisco plans to release software updates and currently there is no workaround available.

The list of Cisco products is as follows:

  • Cisco IOS XR Software versions 4.3.x through 5.2.x.  are affected

  • Cisco IOS XR Software released 5.3.x and newer are not affected

  • PIX versions 6.x and prior are affected

  • PIX versions 7.0 and after are unaffected

Back in August Cisco was alerted to information posted on the internet that had been exploited from firewall products from multiple vendors. The potential for exploitation of Cisco PIX firewalls was considered, and Cisco began an investigation into reports of the “BENIGNCERTAIN” exploit.


If you would like to educate yourself in more detail about the information presented in this blog post please visit: www.networkworld.com 

 

Teenage hacker grabs massive data from 800,000 open FTP servers

hacker

Not all teenagers are sneaking out in the middle of the night, one is sneaking into nearly 800,000 open FTP servers. The story begins with a security researcher, Minxomat, scanning IPv4 addresses to find nearly a million open FTP servers needing no authentication for access. This scan revealed that not only is no authentication needed but that 4.32 percent of all FTP servers in the IPv4 space can be accessed by an anonymous user login with no password. Seriously!!

Shortly there after this report was released, reports surfaced that a young teen hacker by the name of “Fear” had gained access to and downloaded massive amounts of data from every state with a domain on .us, as well as some .gov domains. (In a report to Network World)

“I gained access to an FTP server that listed access to all the FTPs on .us domains, and those .us domains were hosted along with .gov, so I was able to access everything they hosted, such as public data, private data, source codes etc.,” Fear told DataBreaches.net. It was “very simple,” he said, “to gain access to the first box that listed all the .us domains and their FTP server logins.”

Network World

He later added to this claim, stating that the attack was a SQL injection (poorly coded web database that leaks information). Fear gained access to credit card information, social security numbers, email address, home addresses, phone numbers, and web-banking transactions. Fear claims there was no encryption to protect the data and that he could “read all of it in plain text form”

His message to those responsible for securing state and government FTP servers is: “5 char passwords won’t save your boxes.”

On Sunday, someone in Florida attempted to secure the data, taking down the FTP server before password-protecting it and bringing it back up, but Fear said, “Too bad they don’t know its backdoored LOL…. they legit suck at security.”

Network World

Security professions are questioning the reliability of the claim.

“We can’t state unequivocally that he did not hack something, but only because it’s impossible to prove something didn’t happen,” said Neustar Senior Vice President Rodney Joffee.

But as Fear states “It only takes 13 hours and 23 minutes and 12 seconds for somebody to finish gathering data on every US citizen,”

The Hill 


If you would like to learn more about the infomration presented in this blog post please visit: www.networkworld.com  www.thehill.com 

 

Pegasus Spyware Detected – Upgrade to iOS 9.3.5 ASAP

Pegasus2Pegasus

Malware that spies on user phone calls and text messages, has been alleviated thanks to the latest iOS mobile operating system upgrade, and the wise proceedings of a human rights activist. Canadian cyber security research group, Citizen Lab, published a report that a human rights activist, Ahmed Mansoor, received a text message with a malicious malware link attached. Thankfully Mansoor was not tempted to click on the link.

Rather he passed the link to Citizen Lab where researchers identified the correlation between the link and the NSO Group, an Israeli company notorious for selling a government-exclusive spyware product, Pegasus, that is described as a “lawful intercept”. Most have dubbed this the most sophisticated spyware software detected and Apple, Android and Blackberry smartphone users are the target. The main difference between this malware and others is Pegasus’s ability to infect the powerhouse of the operating system, the kernel of the phone. This allows the software to intercept any conversation before encryption ever takes place, so encrypting such apps proves pointless against Pegasus. The link would have been capable of jail breaking the iPhone and installing surveillance software used to access the camera and microphone. Mansoor’s WhatsApp and Viber calls would have been especially vulnerable in addition to his GPS location services.

Citizen Lab wrote in its report that “[w]e are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign.”

Last Thursday Apple released the latest version of iOS 9.3.5, which I highly advise upgrading to if you have not already done so. The update improves how iOS devices access memory and adds a patch that prevents visits to maliciously crafted websites from remotely executing arbitrary code.

Phew.


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit : www.pcmag.com 

Security Alert – Hide your IP Address

ipaddress

IP address is the identifier that allows information to be sent between devices on a network. It contains location information and makes devices accessible for communication. IP addresses are mathematically assigned by the Internet Assigned Names Authority (bet you didn’t know that!). This might be fine and dandy news for the non-technical, but odds are you still have no idea why hiding your IP address is advised. Since your IP has location information, it can be used to discern your physical location. The accuracy of determining your location via IP address information is actually extremely accurate. Another reason to hide your IP is the increase in cyberattacks as of late. IP addresses can often be used to target attacks.

You can also hide your IP with the goal of watching blocked content in your region.

Changing your IP can be done, but this is a more detailed process. Hiding it is a much easier option.

A Virtual Private Network creates an encrypted tunnel between your device and the service’s server rather than connecting to a website directly, adding a layer of protection. The VPN allows you to connect to the internet as normal and retrieve the information but through the tunnel created. This ensures that your web traffic cannot be intercepted, and furthermore anyone looking at the IP will only see the IP address of the VPN.

What you can also do is use a series of computers that are distributed across the globe. Rather than a request made between two points, your computer will send out layered requests that are each encrypted. You will be relayed from Tor node to Tor node before exiting the network and reaching the desired destination. Each node only knows the previous jump and the last jump. This method of Tor will make your movements much harder to track, making you much less susceptible to attack. In order to complete this method, download the Tor Browser, or talk to your IT professionals.

 

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit : www.pcmag.com

Protect your HR department against Cyber Attack

Human resources management concept business man selecting virtual interface

Human Resources is often the target of malicious attacks via hackers and fraudulent email, simply because of the wealth of information available in your HR department. Employee names, birth dates, Social Security numbers, W2 forms and addresses will snag a high price tag on the dark net. The most common means for obtaining this information is phishing emails that appear to be from a trusted employee or head executive asking for sensitive company data, financial records, or access to employee information. In most cases the employee on the receiving end of the email cannot recognize that the email is fraudulent, and will pass on the information without hesitation. HR departments from numerous organizations have reported W-2 tax form whaling scams. After receiving a spoof letter from a company executive requesting employee information, Seagate Technology said employees handed over thousands of current and past employee W-2 forms. Snapchat has reported a similar story, stating that a scammer posed as CEO Evan Speigel and asked for payroll data and an employee in the payroll department complied thinking the request was legitimate.

The hackers are not going to stop asking for your information so you might as well protect your company from vulnerabilities. This means educating employees, storing data in the cloud, encrypting such data in the cloud storage, and bringing in Identity Management Software. As always I recommend a highly capable IT department as well.

Train your employees about the elements and characteristics of company emails. Teach them to pay attention to the person requesting the information as well as the information in question. Let them get used to asking “Why?” before pressing send. For example, the head of the financial department has access to all financial data and probably does not need to email employees in the financial department for additional access. This may sound like pure common sense, but it never hurt to reiterate the importance. Let employees see what a fraudulent phishing email lots like. Cybersecurity training company KnowBe4, has taken a hands on approach to teaching employees to recognize phishing emails. Sending over 300,000 fraudulent emails to employees at 300 client companies over the course of the year, using the example emails to educate staff on key elements to spot an attack email. According to KnowBe4 founder and CEo Stu Sjouwerman, before the training 16 percent of employees clicked on links in the simualted phishing emails, after a year of education only 1 percent of employees clicked on the links.

Regardless of how much training you provide for your employees, all it takes to create chaos is one simple mistake.

A viable way to double the protection in this case would be to encrypt data and store it in the cloud, rather than in document folders on the desktop or laptop. If an employee were to accidentally release information to a non-credible source, the hacker would be lead to a link they could not open because additional information needed to open the link would not be in the hands of the hacker.

San Francisco identity management company, OneLogin, has banned the use of files in their office entirely. CEO Thomas Pedersen gives us his reasoning, “It’s for security reasons as well as productivity,” said David Meyer, OneLogin’s cofounder and Vice President of Product Development. “If an employee’s laptop is stolen, it doesn’t matter because nothing’s on it.” Not a bad idea.

Identity Management Software that controls log-ins and passwords is a great tool to protect your HR department. Rather than trusting that HR staff are protecting usernames and passwords for each platform they use for payroll, benefits, recruiting, scheduling and such, the single log-in allows access to everything. This helps the employees, as only one password needs to be remembered, eliminating the need to write down passwords or save them elsewhere. The identity management software you choose should use a multi-factor authentication, which ensures even if the password got into the wrong hands, additional approval from another device will be needed to access the log-in. Companies can also employ geofencing to restrict log-ins so admins can only sign in from specified areas, such as the office.

HR tech platforms and cybersecurity firms are working together to improve the security of HR departments, fingerprint log-in is one of the safer means of logging in, but that technology is not available across all platforms. Until these needs can be met, the best protection is prevention.

 

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit : www.pcmag.com