Strengthening the Weakest Link – The Ultimate Spear Phishing Defense

Not convinced your employees need the training?

Late in 2012 Trend Micro reported that 91% of targeted online attacks involved spear phishing, making this the most favored type of APT (Advanced Persistent Threat) attack. When spear phishing, attackers make use of information about prospective victims to increase their credibility and the likelihood that recipients will “bite” (click a URL) in an e-mail or social media post. Spear phishing attacks yield a 70% open rate because people extend trust to the putative source, if not to the actual attacker. Because of the portability and ease of spear phishing, its popularity will only continue to grow. Traditional methods don’t stop spear phishing because individual employees and customers open the doors to attackers. In these circumstances, the employee/victim becomes the weak link in IT security.

Today’s employees need next-generation security awareness training on a regular basis to keep them informed and your network protected.

“A staggering 91 percent of targeted attacks begin with a spear phishing email”

 

Introduction

Spear phishing is a CSO’s worst nightmare because it is the most difficult attack to protect against. Targeted social engineering, practically undetectable malware and zero-day exploits are just some of the reasons why this is so. Clever hackers use legitimate-looking emails from organizations like the IRS, local banks, or Internet portals, targeted directly at CEOs and other executives and employees.

One such incident occurred in 2012 when business executives received personalized emails informing them that their company was under investigation for criminal fraud. The email looked like a legitimate email from the IRS, and the link in that email directed the recipient to a website that looked exactly like an IRS webpage. But when the target clicked on a link, a Trojan was loaded into their computer which would steal everything interactive in the person’s email account before it could be securely encrypted. The result of such attacks is that customers are 42% less likely to do business with a company that has fallen victim to spear phishing and a resulting data breach. Even worse, phishing costs brands and corporations more than 98 billion dollars a year.

A Sorry Security Situation

CSOs are responsible for a company’s entire security. As such they oversee network security and are the first person everyone turns to whenever there is a breach. People expect CSOs to protect the company and prevent such breaches, but spear phishing makes even a CSO more likely to be blindsided. Once a breach occurs it is up to CSOs to act quickly and protect the company before any damage is done. Hackers count on this and act quickly to get every ounce of information they can before a breach is closed. Those who don’t understand how spear phishing works may blame the CSO or the security software in use. However, even the best CSO and best security software on the planet can’t stop an intelligent and motivated hacker.

If CSOs are to do their jobs well, then not only must they have the best security hardware and software, they also need the support of well-educated staff, and the ability to test their staff and find any weak links in need of strengthening. With all possible ‘defense-in-depth’ components properly in place, an organization becomes a very hard target, causing hackers to move on to pursue easier game.

The Missing Link

Several missing components can prevent employees from unwittingly opening the door to hackers:

How do you make sure your employees are getting the best education?

How do you make sure after your employees are educated that they don’t make security mistakes anyway?

If you could find out if they might be vulnerable to spear phishing, how can you enlighten them?

If existing methods for educating employees were effective, then spear phishing wouldn’t remain problematic for so many companies. Thus, it is obvious that a different approach is called for.

Hackers aren’t just looking to get at a company’s financial records and information. They are also after source code and intellectual property. In fact, they are literally trying to steal the future of your company. Years of work in your R & D department could end up in the hands of a Chinese competitor thanks to a single click of a mouse from an untrained employee.

Spearphishing has become so endemic in corporate and government networks that there is a joint government operation in effect to counteract it. Per the FBI: “Instead of casting out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, [or] order merchandise from the same website. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive…

Law enforcement takes this kind of crime seriously, and we in the FBI work cyber investigations with our partners, including the U.S. Secret Service and investigative agencies within the Department of Defense.”

During a recent Microsoft TechEd conference, held in June 2012, Proofpoint surveyed 339 IT professionals about their concerns regarding targeted phishing attacks and enterprise data loss risks. Half of all respondents (51%) believed that their organization had been targeted in the past year by a phishing email designed specifically to compromise their users.

Dramatic examples of recent spear phishing attacks include:

The White House – China-based hackers breached a network used by the White House Military Office. According to their website, this office provides military support for White House functions, including food service, presidential transportation, medical support and hospitality services. There is no clear report on what the hackers were trying to access. An Obama administration national security official simply said: “This was a spearphishing attack against an unclassified network.”

Google, Inc. – A US official says that the same group that attacked the White House also broke into Google. Among those targeted were people who work at the White House. It is presumed that they were hoping these people would discuss secure information or conduct administrative business using their personal Gmail accounts.

South Carolina Department of Revenue – According to an official report, “A malicious email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password.” These attackers then gained access to “millions of Social Security numbers, bank account information and thousands of credit and debit card numbers.” SearchSecurity’s coverage notes that, “In addition to the 3.8 million people whose data were exposed, the breach included information on 1.9 million dependents. It also included data on 699,900 businesses. Information on 3.3 million bank accounts were also stolen.”

The New York Times – The same China-based hackers who have wreaked havoc on the White House, Google, and others have been named as the responsible parties for this breach, too. In this particular case, the newspaper blames Symantec’s antivirus software for not foiling a malware installation.

Attacks against Google, Adobe and at least a dozen other publicly documented advanced persistent threats (APT) have been initiated at least in part through targeted spear phishing emails. Software alone is not a completely effective defense.

SC Magazine reports:

“Researchers have noted an increase in spear phishing targeting numerous industries, primarily in the United States, where malware evades detection by hiding inside Windows help (HLP) files attached to emails. The HLP files are embedded in attachments that appear to users to be ZIP files. Once the ZIP files are opened, however, one of several backdoors will be downloaded, allowing an attacker to carry out a range of feats – from changing users’ passwords to logging keystrokes to capturing screenshots or a number of other information-stealing tactics sent from the command-and-control server.”

Strengthening the Weakest Link

There is an important conclusion to be drawn from all this recent news. Security products continue to become more advanced and sophisticated, and that will certainly help. But to cope with the current situation and future attacks, end-users must be educated and informed. The more knowledge they possess, and the better informed those users are about attacks, the less likely they are to fall prey to scammers, online or off.

We are also starting to see an increase of social engineering over the phone. Hapless users are being called on behalf of ‘Microsoft’ or well-known security software companies and directed to allow access to their computers. Educated end-users do not fall prey to such scams.

But how do you train jaded users? Users who think they know everything. Users who have heard it all and are more sophisticated than average users. It’s not good enough that the trainer is a highly regarded security expert. You need that training to come from someone who understands hacker culture and how hackers think.

Contact us to learn how you can protect yourself from these types of phishing scams. Call 920-885-0141.

Internet Privacy Squashed, or Not?

President Trump signed a bill on Monday, May 1 repealing internet privacy rules passed last year by former President Obama’s team at the Federal Communications Commission (FCC). How does this affect you?

The rules were adopted last year, but had not taken effect. The President’s signature comes a few days after the Senate and House barely passed a measure to stop the new rules. The FCC regulations would have required broadband companies to get permission from their customers in order to use their browsing history, apps, geolocation, financial and medical information to create targeted advertisements.

WHY WE LIKE THOSE RULES: Those FCC regulations were the strictest ever imposed to protect consumer online privacy. We agree there is value in having more privacy as we work online. Our data should be our data, unless we agree to release it.

WHY WE NEED DIFFERENT RULES: The rules Congress and the President killed only applied to broadband and wireless providers. Other internet companies like Google and Facebook freely track this data and flood you with advertisements based on it.

NOTE: Google, Facebook, and other internet companies do not ASK you for permission to use your sensitive data. They DEMAND it. In essence, you can accept their terms or not use their product.

Is it just us, or does that fail Google’s original motto of corporate conduct, “Don’t be evil”? (They dropped this in 2015 when forming their Alphabet startup.) Was it only for other people? Or does their forcing us to give up our data violate their current motto, “Do the right thing”?

You make the call.

Democrats complain Republicans do not care about internet privacy. Republicans, on the other hand, seem to want no restrictions. (This makes no sense to us either.) It seems both parties are playing to big donors.

Why not just have the same standards for all?

But back to you… How does the repeal of this bill affect you?

We suggest not at all. The reason is that if you use Google, Facebook, etc., they are tracking your data even if your internet provider is not.

Some people like the fact advertisements change in their browser, on Facebook, or other sites due to the website pages they view online. Others hate it. For instance, if you are browsing the internet for one of your children, a friend, or client, the ads on subsequent webpages are selected based on searches you did for others. This can go on for months. Can you stop them from tracking you? Supposedly you can, IF you have an account.

If you just use Google’s Chrome browser without a Google account, then in Settings there is a Do Not Track option. However, it has a big disclaimer:

Enabling “Do Not Track” means that a request will be included with your browsing traffic. Any effect depends on whether a website responds to the request, and how the request is interpreted. For example, some websites may respond to this request by showing you ads that aren’t based on other websites you’ve visited. Many websites will still collect and use your browsing data – for example to improve security, to provide content, services, ads and recommendations on their websites, and to generate reporting statistics.

This article explains how to turn off tracking in Google if you have a Google account. Our disappointment is that we would like to see tracking as a universal opt-in, not something you have to opt out of.

If you want more privacy online, there are some options.

WHAT YOU CAN DO NOW

First, realize that deleting your browser history does not help. It is not only time consuming, but impractical. It may save you from the prying eyes of people in your I.T. department or others who live with you, but erasing your online activities does nothing to hide your tracks from your ISP, Google, Facebook, etc., or to stop them from doing whatever they want with your data.

Second, your other options are what we recommended in our last newsletter. Here they are again:

If you are a business, then you need to have a proactive I.T. managed service provider responsible for protecting your network and systems. They should also have security awareness training available for your employees, volunteers, consultants, and others.

Inter-Quest is a highly qualified, diverse, 20-year-old I.T. services team with offices in Beaver Dam and Madison, Wisconsin. We have protected central Wisconsin businesses, government agencies, and nonprofits from cyber hackers for decades.

Here are some of the key areas where we help Clients implement technology and train their people in better public Wi-Fi habits.

Avoid Free Anti-Virus Software

Sensitive data about your personal life and career reside on your computer and possibly mobile devices such as tablets and phones. Free antivirus software has fewer capabilities than robust antivirus and firewall solutions sold by reputable providers. The cost of high-quality protection is microscopic compared to the financial loss, time waste, and stress of identity theft, ransomware, and other cybercriminal-induced pain.

Keep Software Updated

At home or work always make certain your software has the latest updates. A lot of the effort and coding in updates these days involves making certain your software has the best protection against cybercriminals. Do NOT update your software on public Wi-Fi.

Confirm the Real Network

Ask an employee for the specific name of the retail store’s Wi-Fi network and the password. Only use networks where you are 110 percent confident it is real. For instance, “Free Airport WiFi” may be a trap set by hackers and thieves.

Turn-off Sharing

Part of the process to access the public Wi-Fi network involves confirming whether you want to be sharing and seen on the network, or you want to be hidden. Turn off sharing. Do not be seen. Allowing sharing may enable evil people to access your system.

This may be a two-step process: First, you may need to go into the settings of your system to turn off File Sharing. Second, as part of the public Wi-Fi network connection you may be asked if you want to be seen, or share while using the network. Always say “no” / be hidden.

Use a VPN

A VPN is a virtual private network. A recent survey by Private WiFi found that 79 percent of respondents do not use a VPN, even though they should. The major benefit of a personal VPN is that it encrypts your data so even if any of your data gets into the hands of nefarious characters they cannot use it. There are a variety of VPN options available at a reasonable cost. Again, we advise against a free version. Get real protection, or don’t.

Avoid Sensitive Information

Do not access any online account unless you absolutely have to, and if you do, only accounts with two factor authentication.

If you are not familiar with two factor authentication, it is a two-step process to confirm who you are rather than simply entering your password (a one step process). Typically, in the second step you are either texted a code, which you read on your phone and enter into the website, or you are required to use a tool such as Google Authenticator or Microsoft Authenticator to get a code that you enter into the website.

Look for a Secure Connection

Check the web address of the sites you are visiting, particularly if you feel you need to do some transactions, to confirm the beginning of the address is “https” rather than simply “http.” This indicates the site has a secure, encrypted connection.

Turn It Off

Turn off the public Wi-Fi connection on your computer or mobile device when you are done. Do not leave a gate in your fortress open for the enemy to attack.

After you turn it off, forget the network on your system. The process varies based on your computer or mobile device. On a Windows system you can do this in Network Settings, which can be accessed from the network icon in the lower right of your bottom task bar. In iOS go to Settings, select Wi-Fi, find the network, and select Forget this Network.

You can learn more in these articles:

https://www.cnet.com/news/trump-signs-bill-repealing-us-internet-privacy-rules/

http://www.reuters.com/article/us-usa-internet-trump-idUSKBN1752PR

http://fortune.com/2017/03/29/white-house-trump-internet-privacy/

https://consumerist.com/2017/04/03/president-trump-signs-resolution-killing-internet-privacy-rules-allowing-isps-to-keep-selling-your-data/

We encourage you to support internet privacy standards that are without exemptions for big donors to political parties and government officials. It would be a safer and less intrusive online world if everyone had to play by the same standards.

WHAT TO DO NOW

Take inventory of what technology you have in place to stop internet providers, wireless companies, and internet app providers (Google, Facebook…), plus the ever-present cyber thieves from accessing your computers, mobile devices, storage, and networks.

For a limited time you can schedule a no cost, no obligation full network security assessment that includes an assessment of each computer, mobile device, and most of your connected equipment from Inter-Quest.

It is better to assess your security BEFORE there is a privacy violation or data loss you have to explain to a boss, board of directors, shareholders, or the public.

Inter-Quest does the work so the assessment does not interrupt your schedule.

Contact Inter-Quest online or call (608) 571-3071 to schedule a conversation with Lisa Fichter, one of our Senior Problem Solvers. She will help you get your complimentary network security assessment scheduled quickly.

Public Wi-Fi Done Right

We love public Wi-Fi, particularly in certain coffee shops where we can sit there for a couple of hours and not worry about our access timing out.

The problem is every day public Wi-Fi gets more dangerous.

The bottom line:  You need to change the way you use public Wi-Fi now, or suffer the consequences.

There are dozens of YouTube videos supporting this conclusion, and a recent Harvard Business Review article titled “Why You Really Need to Stop Using Public Wi-Fi” (May 3, 2017).

But… you don’t want to stop using public Wi-Fi, do you?

THE GOOD NEWS

There is a way to use public Wi-Fi safely, but first, let us give you a summary of common attack methods from the HBR article.  Then we will explain what you must do to use public Wi-Fi safely.

First, two of the most popular attack styles are, “Man in the Middle” and “Evil Twin.”  The basic objective of these approaches is the cybercriminal wants to fool you into thinking their computer is the Wi-Fi network of your public space, hotel, airport, or other location.

You mistakenly connect to the Internet through them.  From that point forward they can track everything you do AND retain your usernames, passwords, and other confidential information your system processes to access your sensitive data and financial records.

Have you heard of wire fraud?  Man in the Middle and Evil Twin are enabling criminals to do more than just access your system.  They stay there.  It is creepy!  Hackers access your business computing device, and then stay on it.  For days, weeks or even months they study the way you communicate.  When they are confident of their ability to communicate on your behalf – talk just like you – then they instruct someone else to wire funds to their foreign account.  Wire fraud is growing astronomically specifically due to this type of theft.

You still do not believe hackers are after you?

Read about “Dark Hotel” in a Wired Magazine article.  Dark Hotel was a sophisticated, 7-year hacking campaign uncovered by Kaspersky Lab in 2014.  It targeted CEOs, government agencies, U.S. executives, NGOs, and other high-value targets while they were in Asia.  The executives connected to their luxury hotel’s Wi-Fi network and downloaded what they thought were regular software updates.  Instead their devices were infected with malware.  This malware could sit inactive and undetected for several months.  Then the hackers would access it remotely to obtain sensitive information on the device.

WHAT CAN YOU DO

If you are a business, then you need to have a proactive I.T. managed service provider responsible for protecting your network and systems.  They should also have security awareness training available for your employees, volunteers, consultants, and others.

Inter-Quest is a highly qualified, diverse, 20-year-old I.T. services team with offices in Beaver Dam and Madison, Wisconsin.  We have protected central Wisconsin businesses, government agencies, and nonprofits from cyber hackers for decades.

Here are some of the key areas where we help Clients implement technology and train their people in better public Wi-Fi habits.

Avoid Free Anti-Virus Software

Sensitive data about your personal life and career reside on your computer and possibly mobile devices such as tablets and phones.  Free antivirus software has fewer capabilities than robust antivirus and firewall solutions sold by reputable providers.  The cost of high-quality protection is microscopic compared to the financial loss, time waste, and stress of identity theft, ransomware, and other cybercriminal-induced pain.

Keep Software Updated

At home or work always make certain your software has the latest updates.  A lot of the effort and coding in updates these days involves making certain your software has the best protection against cybercriminals.  Do NOT update your software on public Wi-Fi.

Confirm the Real Network

Ask an employee for the specific name of the retail store’s Wi-Fi network and the password.  Only use networks where you are 110 percent confident it is real.  For instance, “Free Airport WiFi” may be a trap set by hackers and thieves.

Turn-off Sharing

Part of the process to access the public Wi-Fi network involves confirming whether you want to be sharing and seen on the network, or you want to be hidden.  Turn off sharing.  Do not be seen.  Allowing sharing may enable evil people to access your system.

This may be a two-step process:  First, you may need to go into the settings of your system to turn off File Sharing.  Second, as part of the public Wi-Fi network connection you may be asked if you want to be seen, or share while using the network.  Always say “no” / be hidden.

Use a VPN

A VPN is a virtual private network.  A recent survey by Private WiFi found that 79 percent of respondents do not use a VPN, even though they should.  The major benefit of a personal VPN is that it encrypts your data so even if any of your data gets into the hands of nefarious characters they cannot use it.  There are a variety of VPN options available at a reasonable cost.  Again, we advise against a free version.  Get real protection, or don’t.

Avoid Sensitive Information

Do not access any online account unless you absolutely have to, and if you do, only accounts with two factor authentication.

If you are not familiar with two factor authentication, it is a two-step process to confirm who you are rather than simply entering your password (a one step process).  Typically, in the second step you are either texted a code, which you read on your phone and enter into the website, or you are required to use a tool such as Google Authenticator or Microsoft Authenticator to get a code that you enter into the website.

Look for a Secure Connection

Check the web address of the sites you are visiting, particularly if you feel you need to do some transactions, to confirm the beginning of the address is “https” rather than simply “http.”  This indicates the site has a secure, encrypted connection.

Turn It Off

Turn off the public Wi-Fi connection on your computer or mobile device when you are done.  Do not leave a gate in your fortress open for the enemy to attack.

After you turn it off, forget the network on your system.  The process varies based on your computer or mobile device.  On a Windows system you can do this in Network Settings, which can be accessed from the network icon in the lower right of your bottom task bar.  In iOS go to Settings, select Wi-Fi, find the network, and select Forget this Network.

WHAT TO DO NOW

Take inventory of what technology you have in place to stop cyber thieves on your computers, mobile devices, storage, and networks.  Also consider what training you are doing to educate your people how to avoid cyber risk, particularly on public Wi-Fi.

For a limited time you can schedule a no cost, no obligation full network security assessment that includes an assessment of each computer, mobile device, and most of your connected equipment from Inter-Quest.

It is better to assess your security BEFORE there is a loss you have to explain to a boss, board of directors, shareholders, or the public.

It is kind of ironic.  An employee may cause the theft of digital assets from your company by accessing a public Wi-Fi network, and one of your greatest concerns is the public finds out about it.

Inter-Quest does the work so the assessment does not interrupt your schedule.

Contact Inter-Quest online or call (608) 571-3071 to schedule a conversation with Lisa Fichter, one of our Senior Problem Solvers.  She will help you get your complimentary network security assessment scheduled quickly.

Anti Virus Myths Debunked

Top Five Myths about Antivirus Software

Antivirus is software that every computer user should have on their computer regardless of the computing platform. However, some myths and untrue information about antivirus software make this hard for people to accept, and make some users afraid of installing the software on their machines. The most common myths include:

You will only visit safe websites

This is among the main excuses that people use to avoid antivirus software. However, the truth is that no website is 100 percent secure or immune to potential threats. In fact, most of the most secure sites have fallen prey to viruses and hackers.

Attackers work around the clock looking for new ways to exploit systems and improving their techniques so that they can keep pace with the level of security. That said, you should not rule out having antivirus on your computer, since no website can be considered entirely safe.

Antivirus will slow down your machine

This idea has misled a lot of people who believe that security solutions like antivirus can slow down their computer. Although there is some truth in the argument, the fact is that antivirus can only slow down a computer if the computer does not meet the system requirements for the software to run smoothly. This can also happen if many scans are running concurrently, if you have installed more than one antivirus program, or if too many activities are happening simultaneously and overlapping. With the advanced encryption, an antivirus program should not cause any changes in the speed of the system.

You do not need Mac protection

Mac owners think that they do not need antivirus protection and that they are safe. However, the truth is that they need the protection as much as Windows users do. No system is completely safe, and they are all prone to security threats.

Hackers are not interested in your system

Some people feel like their machines are not carrying any information that can draw the attention of hackers, but what they fail to understand is that as long as they are using the Internet, any information is useful to hackers. Thus no one should ignore their computer’s security.

You do not need to use the Internet

Some people tend to think that they will not log into any systems and thus are not at risk. But what would be the use of having a computer if you are not going to use the Internet from time to time? The time will come when you will not have a choice, so it is better to always be safe.

You need to invest in getting quality antivirus software due to many reasons which include:

    You can never predict when a virus will attack your PC

    Once the damage is done, it may cost you a lot to repair. Thus it is wise to avoid the future repair costs

    Protecting personal data

    Protecting others

Just like in everything else, there is a lot of false information about antivirus software, and it is essential to be knowledgeable about it no matter how convincing it may sound.