The Case of the Department of Justice vs. Apple

In case you’ve been living on an island, there is a case with enormous repercussions brewing in the courts right now… it’s a showdown between the Department of Justice and Apple over iPhone privacy.

The Story – FBI vs Apple

For those with an interest in privacy/encryption as well as the role of private industry in supporting law enforcement, there is a potentially precedent-setting case being fought right now in federal court and in the court of public opinion. The issue? Whether the United States Government can compel Apple to “hack” its own iPhones. Well, specifically one iPhone: the iPhone 5c in question was used by Syed Rizwan Farook, one of two shooters in the Dec. 2 San Bernardino attacks that killed 14 people and wounded 22.

You may remember one Edward Snowden, who in 2013 revealed the extent of the US Government’s spying on technology users. In response to the consumer and industry reaction, in 2014 Apple released iOS 9 for its mobile devices (iPhones, iPads), which is arguably its most secure operating system and was designed from the ground up to provide unparalleled security and privacy to the owner. This version of iOS “marries” the user’s chosen password with a hardware key built into the device, creating a key that is stored only on the iOS device. There is no known way, even for Apple, to obtain that key without guessing.

But guessing has its limitations. Apple is fighting a recent federal court order compelling it to design software that would disable a feature on the phone that wipes all the data after 10 incorrect tries at guessing the password. The order further requires Apple to modify the phone’s software to allow passwords to be attempted through an electronic connection, rather than through the keypad, so that the FBI can more easily “brute-force” the process of guessing the password (there are potentially 1 million combinations of letters and numbers).
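The two protections described above, a data key that mixes the passcode with a device-only hardware key and a wipe after 10 wrong guesses, can be modelled as follows. This is an added sketch, not Apple's code: `ToyDevice`, `offline_check`, the PBKDF2/HMAC construction, the toy cipher and every sample value are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 10   # wipe threshold described in the article
KDF_ITERATIONS = 20_000    # constructed work factor for this sketch


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 keystream cipher, for illustration only (not for real use)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class ToyDevice:
    """Hypothetical model: the data key depends on the passcode AND a hardware key."""

    def __init__(self, passcode: str, secret_data: bytes):
        # Assumption of the model: the hardware key is random, unique per
        # device and never leaves it.
        self._hardware_key = os.urandom(32)
        self._salt = os.urandom(16)
        self._failed = 0
        self.wiped = False
        key = self._derive(passcode)
        # Only a verifier and the ciphertext are stored, never the passcode or key.
        self._verifier = hmac.new(key, b"verify", hashlib.sha256).digest()
        self._ciphertext = _xor_stream(key, secret_data)

    def _derive(self, passcode: str) -> bytes:
        # Stretch the passcode, then "marry" it to the hardware key.
        stretched = hashlib.pbkdf2_hmac(
            "sha256", passcode.encode(), self._salt, KDF_ITERATIONS)
        return hmac.new(self._hardware_key, stretched, hashlib.sha256).digest()

    def unlock(self, passcode: str):
        """Return the decrypted data, or None on a wrong guess or a wiped device."""
        if self.wiped:
            return None
        key = self._derive(passcode)
        tag = hmac.new(key, b"verify", hashlib.sha256).digest()
        if hmac.compare_digest(tag, self._verifier):
            self._failed = 0                 # a correct entry resets the counter
            return _xor_stream(key, self._ciphertext)
        self._failed += 1
        if self._failed >= MAX_FAILED_ATTEMPTS:
            # Destroying the key material makes the stored data unrecoverable.
            self._hardware_key = b""
            self._ciphertext = b""
            self.wiped = True
        return None

    def export_image(self) -> dict:
        """What a copy of the storage would contain: no hardware key."""
        return {"salt": self._salt, "verifier": self._verifier,
                "ciphertext": self._ciphertext}


def offline_check(image: dict, passcode: str) -> bool:
    """Test a passcode against a storage copy, off the device.

    Without the hardware key the derived value never matches the verifier,
    even for the correct passcode, so guesses have to be made on the device.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", passcode.encode(), image["salt"], KDF_ITERATIONS)
    tag = hmac.new(stretched, b"verify", hashlib.sha256).digest()
    return hmac.compare_digest(tag, image["verifier"])


def demo():
    phone = ToyDevice("4071", b"constructed sample data")   # constructed values
    unlocked = phone.unlock("4071")
    offline_ok = offline_check(phone.export_image(), "4071")
    for guess in range(MAX_FAILED_ATTEMPTS):                # ten wrong guesses
        phone.unlock(f"{guess:04d}")
    after_wipe = phone.unlock("4071")
    return unlocked, offline_ok, phone.wiped, after_wipe


if __name__ == "__main__":
    print(demo())
```

In this model, the guess counter and the wipe are what make guessing impractical, which is why the court order targets exactly those features.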

For you nostalgia fans, the DOJ actually used the All Writs Act, a law relating to law enforcement searches passed in 1789, to compel Apple.

A Very Public Fight

The fight has gone “public,” with Apple claiming in an open letter that they should not be required to weaken their own device security and that, although this request is for one phone only, it potentially opens a “backdoor” for other spying activities. The FBI responded that they have no interest in “breaking anyone’s encryption” and that Apple is putting its marketing in front of law enforcement concerns. There was another volley when it was revealed that the Government changed Farook’s iCloud password in order to access the data in it, which may have inadvertently prevented Farook’s iPhone from syncing its data to the cloud (something iPhones can be configured to do). Apple took the Government to task on this, and the Government responded by saying that there is even more data on the iPhone than is ever backed up to iCloud.

One to Watch

The case could set enormous precedents and is evolving day-by-day, minute-by-minute. It’s possible that Congress could pass emergency legislation to further compel Apple. Battle lines have been drawn, with privacy advocates taking Apple’s side and law enforcement/antiterrorism personnel supporting the Government’s side. Of course, politicians and aspiring presidential candidates are weighing in as well. What side are you on? An informal survey taken by InfoStructures among industry colleagues and clients indicates that this issue elicits strong responses on both sides. Keep an eye out for this as it evolves.

Six Things That Google Knows about You

Google gathers a huge amount of data about its users. Find out what the tech giant knows about you and see what it is doing with this information.

Have you ever visited a shopping site followed by a news site and found that most of the ads you see are from that shopping site? That did not happen by accident. Google has been tracking your activities and using the data it collects to make money.

Google has one of the largest collections of consumer data on the planet. Besides capturing the information that users freely give when they sign up for a Google account, Google tracks its users’ web activity so it can display ads that better match their interests. Even users without Google accounts have their web activity tracked, though Google is unable to connect it to a specific person.

Google uses the data it collects to develop profiles about its users. Many people do not realize just how shockingly detailed these profiles can be.

If you are a Google user, here are six things that Google knows about you:

1. Your Account Details

Google knows your name, phone number, and all the other information you provided when you signed up for a Google account.

2. Your Usage of Google’s Tools

Google provides users with many tools, including a word processor, web browser, and contact list. The tech giant keeps track of how you use these tools. This means that it knows how many documents you have in Google Docs, how many bookmarks you have in Chrome and what they are, and how many people you have in your contact list.

3. Your Gmail Inbox Contents

If you have a Gmail account, Google knows how many messages are in your inbox. It also scans your messages for keywords. It uses this information to tailor the ads and search results it shows you.

4. Your Searches

Besides tracking your web browsing activity, Google keeps tabs on your web search history. This is one of the main ways in which it develops an advertising profile about you. By knowing what you are searching for, Google can determine what types of products and services you are likely to buy.

5. The Videos You Watch

Google owns YouTube, so it is able to track your activity on that site as well. The information about your YouTube activity is used for advertising purposes.

6. Your Location

It is likely that Google knows where you live. It might even know where you are located right this minute. If you have used Google Maps to get directions from your home to somewhere, Google knows where you live based on that information and your IP address. If you have an Android phone and have not disabled the Google Location History feature, Google knows where you are located right this minute. Location tracking lets the company offer you geographically specific results when you search for something.

Check Your Profiles

There are several ways you can find out the types of information that Google is collecting about you:

  • You can review your Google account profile by going to the My Account web page. There you can see what personal information you gave Google when you signed up. Plus, if you click the Account History option, you can see if Google is tracking your location, web search history, YouTube search history, or browser activity.
  • Google has developed a dashboard designed to increase transparency about the data it collects about you. The Google Dashboard summarizes the data collected for each Google tool that you use.
  • Google’s advertising profiles include guesses about its users’ ages, genders, and interests. You can see your advertising profile on the Control Your Google Ads web page and find out just how right (or wrong) the tech giant is about you. You can also use this website to stop Google from tracking your web activity by opting out of its interest-based advertising program.

Three Myths about Data Breaches Debunked

Most data breaches are the result of cyberattacks, right? Well, not really. A researcher has debunked this common myth and several others.

When it comes to data breaches, it can be hard to sort fact from fiction. Fortunately, a Trend Micro researcher scrutinized a decade’s worth of data breach information in an effort to debunk the myths. Knowing the facts about data breaches can help you develop better strategies to defend against them.

Here are three common myths that have been debunked:

1. Most Data Breaches Are the Result of Cyberattacks

The Myth: If you were to ask people about the leading cause of data breaches, they would likely tell you that cyberattacks are to blame. After all, the news is full of stories about cybercriminals stealing millions of data records from the U.S. Office of Personnel Management, Anthem, Premera Blue, and other organizations.

The Truth: Most data breaches are not due to cyberattacks. The leading cause of data breaches is the loss or theft of portable devices (e.g., thumb drives, laptops), physical records (e.g., files, receipts), and stationary devices (e.g., desktop computers, servers). They account for 41 percent of all reported data breaches between 2005 and 2015. In comparison, cyberattacks are to blame for only 25 percent of the data breaches during this timeframe. Other causes include sensitive data being accidentally exposed through mistakes or negligence (17.4 percent), insider leaks (12.0 percent), and payment card data stolen with physical skimming devices (1.4 percent). The cause was unknown in the remaining 3.2 percent of the data breaches.

The Takeaway: While defending against cyberattacks is important, you need to implement other types of security measures as well. Creating policies that govern how employees should handle sensitive data and educating employees about those policies can go a long way in preventing data breaches caused by lost or stolen devices, mistakes, and negligence. It is also a good idea to take advantage of data encryption software, remote wiping technologies, Global Positioning System (GPS) tracking, and other tools to protect data on mobile devices.

2. Most Cybercriminals Seek Personal Information Because It Is in High Demand

The Myth: Cybercriminals mainly try to steal personal information because it pays the most in the underground markets where criminals purchase breached data.

The Truth: In the underground markets, personal information is commonly sold on a per-record basis, where each line contains a victim’s name, address, birthdate, identification number (e.g., Social Security number), and other information. Criminals often purchase these lines to commit identity fraud. Cybercriminals are not getting much money for this personal information anymore. The price has dropped significantly, from $4 a record in 2014 to $1 a record in 2015. A big surplus of this type of data is responsible for the drop in price.

Bank account credentials command some of the highest prices in the underground markets. The credentials for one bank account can cost between $200 and $500 if they come with the account’s balance. The larger the available balance in an account, the higher the selling price. Other account credentials are also desirable, including those for PayPal, FedEx, and Google Voice.

The Takeaway: While protecting personal information is crucial, you also need to protect the credentials you use to access systems, services, and bank accounts. For maximum security, you and your staff should use strong account passwords and change them periodically. Using a password manager will help everyone avoid the temptation of writing them down.

3. Retailers Are at the Highest Risk for Data Breaches

The Myth: Retailers experience the most data breaches because they handle a lot of credit and debit card transactions.

The Truth: Between 2005 and 2015, many prominent retailers have experienced data breaches, including Target, Neiman Marcus, Home Depot, Staples, and eBay. However, it is the healthcare sector and not the retail industry that has experienced the most data breaches during this time. Here is the breakdown of the data breaches by sector:

  • Healthcare (26.9 percent)
  • Education (16.8 percent)
  • Government (15.9 percent)
  • Retail (12.5 percent)
  • Financial (9.2 percent)
  • Service (3.5 percent)
  • Banking (2.8 percent)
  • Technology (2.6 percent)
  • Insurance (1.6 percent)
  • Media (1.4 percent)
  • Other industries (6.8 percent)

The Takeaway: Organizations in just about every sector are susceptible to data breaches. Thus, you need to take data breaches seriously and develop strategies to defend against them.

More Myths Debunked

Learn about other data breach myths in the Trend Micro researcher’s report “Follow the Data: Dissecting Data Breaches and Debunking the Myths.” The researcher analyzed data breach incidents that occurred between January 2005 and April 2015. Information about these incidents came from the Privacy Rights Clearinghouse. This nonprofit group compiles this data from a variety of sources, including media coverage, Office of the U.S. Attorney General press releases, company press releases, and privacy websites.

Fitness Tracker Vulnerabilities and How to Deal with Them

Cybercriminals have successfully hacked Fitbit user accounts. Learn about the vulnerabilities related to fitness trackers as well as what you can do to keep your data secure.

If Fitbit Charge users were wearing their fitness trackers when they heard the news about Fitbit user accounts being hacked, they probably saw their heart rates increase. On January 6, 2016, BuzzFeed News broke the story on how cybercriminals hacked multiple Fitbit user accounts. They changed email addresses and usernames and tried to swindle Fitbit out of replacement items under warranty.

The cybercriminals also gained access to Fitbit users’ data, according to BuzzFeed News. The data includes activity-related metrics, such as the number of steps taken and calories burned. It also includes where users are performing those activities and what time they usually go to sleep if their devices have Global Positioning System (GPS) and sleep-tracking functionality.

This cyberattack begs the question: What are the fitness trackers’ vulnerabilities and how can you deal with them? To answer it, you first need to know how they work.

How Fitness Trackers Work

Fitness trackers use various sensors that continuously generate data about the wearer. Because the devices need to be small and lightweight, they do not store or process this data. Instead, they typically use short-range wireless transmissions to send the data to smartphones (or computers) for storage. Apps on these devices analyze the data and display the results. Oftentimes, these apps also send a copy of the data to cloud-based servers hosted by the fitness tracker vendors. Besides storing the data, the vendors sometimes offer additional services, such as more detailed analyses.

Because fitness trackers work this way, there are security vulnerabilities on several fronts:

  • When the data is sent to the smartphone
  • When the data is sent to the vendor’s cloud servers
  • When the data is stored in the cloud

Problems That Can Occur When the Data Is Sent to the Smartphone

Just about every fitness tracker uses a Bluetooth connection to send its data to the user’s smartphone. If fitness trackers do not take the appropriate measures to secure this connection, problems can arise.

To see whether fitness trackers were taking the necessary precautions, AV-TEST researchers tested the Bluetooth connections on nine fitness trackers. They discovered that two of the fitness trackers adequately secured the connections, but the rest fell short. Common problems included no authentication process or an inadequate one between the fitness tracker and smartphone. Another common problem was that the Bluetooth connection was always active and thus visible to other Bluetooth-enabled devices. The worst offender let any Bluetooth-enabled device connect to it. Once the connection was made, it voluntarily handed over the user’s data, which was not encrypted or protected in any way.

While the AV-TEST researchers pointed out common Bluetooth vulnerabilities, other researchers have proved that those vulnerabilities can be exploited:

  • A Kaspersky Lab researcher proved that it is possible to connect to fitness trackers, execute commands, and even extract data when the devices have inadequate authentication methods.
  • A Fortinet researcher developed a way to deliver malware to a fitness tracker through its Bluetooth port. However, only a small amount of malicious code (up to 17 bytes) can be delivered, according to the NewsFactor Network. This limits the types of attacks that could be carried out.
  • Symantec researchers proved that fitness trackers using Bluetooth Low Energy (LE) connections were susceptible to location tracking. When in use, a Bluetooth LE-enabled device broadcasts a signal to advertise itself to nearby devices. The Symantec researchers built Bluetooth scanners to find these signals. They then successfully used the scanners to locate some fitness trackers and track their owners’ whereabouts at a major European running event and in public areas in Dublin, Ireland, and Zurich, Switzerland.

Problems That Can Occur When the Data Is Sent to the Vendor

Just like any other type of application, fitness tracker apps are susceptible to attacks if they are not properly secured. One major area of concern is how the apps send data to the vendor’s servers.

AV-TEST researchers found that all nine of the fitness tracker apps they tested properly secured any data sent through the Internet. Besides using a secure connection, the apps encrypted the fitness data as well as the users’ credentials.

Unfortunately, that is not always the case. When Symantec researchers analyzed some popular smartphone health and fitness apps, they found that 20 percent of them transmitted users’ login credentials in plain text. This gives cybercriminals the opportunity to access users’ account information as well as their health and fitness data. If the app users re-use their login credentials for other online accounts, the cybercriminals could potentially gain access to those accounts as well. Further, transmitting credentials in plain text makes users more susceptible to other types of attacks, such as Denial of Service (DoS). In a DoS attack, cybercriminals try to prevent users from accessing a service by overwhelming it with service requests.

Problems That Can Occur When the Data Is in the Cloud

Fitness tracker vendors commonly store users’ fitness data in their cloud-based servers. This can be problematic in two regards.

First, if the vendors do not properly secure their servers, there could be data breaches. Cybercriminals will likely be interested in this data, particularly if it is collocated with other personal information such as payment card data.

Perhaps a more imminent threat is the sale of fitness data. In the United States, there are currently no federal regulations preventing vendors from selling fitness data to marketing firms, employers, health insurers, and other third parties. They can even sell it without the users’ consent or knowledge. One U.S. senator has asked the U.S. Federal Trade Commission to institute regulations that require fitness-tracker and fitness-app vendors to inform users of such sales and give users the chance to opt out. In other words, these vendors would need to post a privacy policy.

When Symantec researchers were researching smartphone health and fitness apps, they found that 48 percent of the app vendors had posted privacy policies. Most of these policies used generic privacy statements with vague promises of keeping user data private.

What You Can Do to Protect Your Fitness Data

Although fitness trackers have security vulnerabilities on several fronts, you can take some precautions to keep your data secure:

  • Do some research on the fitness tracker to see if there are any known problems.
  • Make sure there is an adequate authentication process used in the communications between the fitness tracker and the smartphone.
  • Verify that the fitness tracker sends out a Bluetooth signal only when needed.
  • Confirm that the fitness tracker app uses secure protocols (e.g., HTTPS) when transmitting data over the Internet.
  • Use full encryption if available.
  • Check to see if the fitness tracker vendor has a privacy policy that states it will not sell users’ data to third parties.
  • Make sure that the fitness tracker vendor uses adequate security measures to protect its servers.
  • Use strong passwords for your online accounts.
  • Do not use the same password for different accounts.
  • Install updates for your smartphone’s operating system and fitness tracker app as soon as they are available.

What You Need to Know about Dorkbot to Keep Your Organization Safe

More than 1 million computers running Microsoft Windows have been infected by the Dorkbot botnet. Here is what you need to know about this threat so that you can keep your company’s online account credentials safe.

The U.S. Computer Emergency Readiness Team (US-CERT) — a division within the U.S. Department of Homeland Security — issued a security alert about Dorkbot in December 2015. This botnet has infected more than 1 million computers running Microsoft Windows in over 190 countries, according to Microsoft. A botnet consists of a large number of computers and other devices under a cybercriminal’s control. Cybercriminals use botnets for a variety of nefarious reasons. By learning what cybercriminals hope to accomplish with Dorkbot and how Dorkbot infiltrates computers, you can better understand how to protect your computer from this threat.

What Cybercriminals Hope to Accomplish with Dorkbot

Cybercriminals are mainly using Dorkbot to steal online account credentials and other types of private information. This is possible because Dorkbot monitors and intercepts communications between web browsers and various websites.

In an effort to keep the infected computers under their control, cybercriminals sometimes instruct Dorkbot to block access to certain security software websites. That way, the computers will not receive any anti-malware definitions that might rid them of the infection. Some cybercriminals also have Dorkbot install additional malware on victims’ computers.

Cybercriminals even use Dorkbot-infected computers in denial-of-service (DoS) attacks. These attacks prevent people from accessing a service by overwhelming it with service requests.

How Dorkbot Infiltrates Computers

Dorkbot can be spread multiple ways. One method uses phishing emails that try to get the recipients to click a link that will lead to a Dorkbot infection.

Another method uses drive-by downloads, which exploit known vulnerabilities in web browsers, plug-ins, and other components that work within browsers. Cybercriminals create exploit kits that infect computers with Dorkbot through these vulnerabilities. They place the kits on websites they build or legitimate websites they hack into. If computers connecting to these websites have not received the patch that fixes the exploited vulnerability, Dorkbot will be automatically installed on those computers without the users knowing about it.

After Dorkbot infects a computer, it automatically tries to spread to other machines. One way it does this is through social engineering attacks. For example, Dorkbot might send instant messages to the Skype contacts listed in an infected computer. The messages usually try to trick them into clicking a link that will download Dorkbot onto their computers. Similarly, Dorkbot might carry out social engineering attacks through social networks such as Facebook and Twitter.

A further way Dorkbot tries to spread to other machines is through removable drives, such as USB drives. If users of Dorkbot-infected computers plug a removable device into their computers, Dorkbot copies itself to the device. When the device is plugged into a different computer, Dorkbot will automatically spread to that computer. Fortunately, this method is not very effective anymore due to changes in how the Autorun feature in Windows works, according to Microsoft.

How to Protect Your Computer from Dorkbot

To help protect your computer from Dorkbot and other malware, follow these recommendations:

  • Use anti-malware software. Anti-malware software providers regularly update their products to protect computers from the most current threats.
  • Install software updates promptly, such as those for Windows and web browsers. If you keep your operating system, web browser, and other software up to date, cybercriminals will not be able to install malware like Dorkbot through known vulnerabilities.
  • Be cautious when you receive instant messages, social media messages, and emails that contain links, even if they are from a trusted source. If possible, verify that your contact actually sent you the link before you click it.
  • Do not download software from websites other than the software developer’s website if possible. The software might have been modified so that it infects your computer with Dorkbot or other malware.

If you want to make sure that your computer is not infected with Dorkbot, ensure your anti-malware software is active and up-to-date. If your computer was infected, be sure to change your online account passwords immediately, as they might have been compromised.

Wed, 20 Jan 2016 07:00:32 -0500

Before getting rid of an old computer, you need to make sure that all the personal and sensitive data on the hard drive is irretrievable. If personal or sensitive data falls into the wrong hands, your business could incur staggering direct and indirect expenses. The average total cost of a data breach in 2015 was $3.8 million, according to the Ponemon Institute’s report, “2015 Cost of Data Breach Study: Global Analysis”.

An organization does not even need to experience a data breach to incur expenses due to the improper disposal of data on hard drives. In 2014, Visionworks failed to secure the personal information of more than 72,000 Maryland residents after it misplaced two old unsecured servers. They might have been accidentally taken to landfills. Both servers contained encrypted credit card data. They also contained customers’ names, addresses, birthdays, and purchase histories.

Even though there was no evidence that any of the data had been compromised, the Consumer Protection Division of Maryland’s Office of the Attorney General sued Visionworks. The company agreed to pay Maryland $100,000. It also agreed to provide identity theft insurance and an additional year of credit monitoring to Maryland customers requesting these coverages. Visionworks had already offered all affected customers a year of free credit monitoring immediately after the incident.

How to Make Sure the Data on an Old Hard Drive Is Irretrievable

When getting rid of an old computer, you might be tempted to simply reformat the hard drive. However, formatting a hard drive does not destroy the files on the drive. It only destroys the information that the operating system uses to find those files. Anyone can easily retrieve the files using a data recovery tool.

There are several proper ways to make sure the data on a hard drive is irretrievable. Common methods include:

  • Overwriting: You can use data destruction software to overwrite a hard drive’s data with a pattern of meaningless characters. You may need to run the software multiple times to fully overwrite a drive’s data.
  • Degaussing: You can erase data using a magnetic field. There are different types of degaussers, so you need to make sure you pick the right one for the job. The National Security Agency/Central Security Service (NSA/CSS) discusses the different types of degaussers in its Degausser Evaluated Products List. This document also lists the degaussers that meet the NSA/CSS requirements for erasing magnetic storage devices containing classified or sensitive data.
  • Crushing: You can use a hard drive crusher to pierce, bend, and mangle hard drives beyond physical repair. The data on the crushed hard drive is still intact, but it is difficult to retrieve.
  • Shredding: Similar to paper shredders, hard drive shredders cut hard drives into randomly sized strips. The data is still intact, but it is even more difficult to retrieve than the data on crushed drives.
  • Disintegrating: Disintegrators cut hard drives into smaller and smaller pieces until they are unrecognizable and not reconstructible. Disintegrating is usually done after shredding.

For even better protection, you can use more than one method. You might first degauss or overwrite the data. Afterward, you can crush, shred, or disintegrate the hard drive.

New Technologies – SSD

Newer technologies such as Solid State Drives (SSDs) pose new challenges to destruction since many of the old “wiping” approaches simply do not apply. Shredding or disintegrating SSDs is the most advisable approach.

Factors to Consider When Deciding on a Method

There are several factors to consider when deciding how to make sure the data on your old hard drives is irretrievable. Two important considerations are cost and how many hard drives you need to get rid of.

Data destruction software is cheap. Some programs are even free. However, using this software can be time-consuming because you need to run the program several times for it to be effective. It is not uncommon for a single pass to take eight hours. So, if you have many drives to get rid of, this might not be the best option.

You can get the job done much quicker with a machine that degausses, crushes, shreds, or disintegrates hard drives. These machines, though, can be expensive. If you do not want to buy one, there are firms that offer hard drive destruction services. Some firms will transport a client’s hard drives to their facilities, where the drives are destroyed. Other firms will destroy a client’s hard drives at the client’s site.

Another important consideration is whether your organization falls under any industry or government regulations. Some laws call for the proper disposal of protected health information, such as names, addresses, social security numbers, and medical histories. Depending on the regulation, you may or may not be able to select who will dispose of the data — your employees or a hard drive destruction firm. If done in-house, the employees tasked with this job must receive training on the proper way to dispose of the data. Their supervisors must also receive this same training. If you hire a firm, you need to enter into a contract that requires the firm to safeguard the data during its disposal.

Other industry and government regulations may require you to properly dispose of data on old hard drives. Each regulation has its own requirements.

Qualified IT professionals at InfoStructures can help you determine the best way to meet all applicable requirements.

How to Protect Your Bank Accounts from Dridex Malware

Hackers have stolen more than $40 million from U.S. and U.K. victims using a new strain of Dridex. Here is how you can protect your business from this malware.

A new spin on an old hacker favorite might be lurking in your email inbox. Hackers released a new strain of the Dridex malware as part of a large phishing campaign that was discovered in October 2015. The phishing emails try to lure you into opening an attached file. If you do, the malware-laden file will attempt to infect your computer if it is running Microsoft Windows. Once infected, hackers will try to get your banking credentials so that they can steal money from your bank accounts. Hackers have already stolen more than $40 million from U.S. and U.K. victims using this new Dridex strain, according to Tripwire.

A successor to the Cridex banking malware, Dridex was first discovered in July 2014. Dridex creates HTML fields that ask you to enter additional personal information when you log into an online bank account. The July 2014 version usually hid the malicious code that creates these fields in executable (EXE) files. In fall 2014, hackers started hiding the malicious code in macros in Microsoft Word files. Hackers made even more changes to the malware in fall 2015, making it harder for anti-virus software to catch it.

Once a computer is infected with Dridex, hackers can use it for more than just obtaining banking credentials. They can also use the computer to send spam or partake in attacks designed to shut down websites or web services. If you suspect your computer is infected, you should use an anti-malware tool to try to remove it. There are many free tools that identify and remove malware, such as Trend Micro’s HouseCall and Microsoft’s Safety Scanner. You should also change your passwords, including your banking credentials.

To help prevent a Dridex infection, you can take several measures:

  • Disable Word macros. Since Dridex uses Word macros to deliver its malicious code, disabling them can help defend against it. If these macros are disabled and you open a Dridex-ridden Word file, Word will display a message telling you that they must be enabled to open the file. The malicious code cannot run until you do so. If Word macros are enabled and you open a Dridex-ridden Word file, the malicious code will run without any notification from Word. In most versions of Word, macros are disabled by default.
  • Keep your anti-virus software up-to-date. Anti-virus software providers constantly update their software to thwart threats like Dridex. Thus, you need to make sure that your anti-virus software is always up-to-date.
  • Keep your applications and operating system software up-to-date. It is important to install application and operating system patches. That way, hackers cannot take advantage of known problems and vulnerabilities.
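Because this Dridex strain arrives as a Word attachment carrying macros, a mail filter can flag such files before a user ever sees the enable-macros prompt. The following is an added example, not code from the original article: it checks attachment bytes for an embedded VBA project, the sample files are constructed stand-ins, and the function names and quarantine action are assumptions.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                      # OOXML (.docx/.docm) is a ZIP
# Compound-file directory entries store names as UTF-16LE, uncompressed.
VBA_ENTRY = "_VBA_PROJECT".encode("utf-16-le")


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro' or 'not-office' for an attachment's bytes."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "not-office"
        if "[content_types].xml" not in names:
            return "not-office"          # a ZIP, but not an Office document
        # Office stores the VBA project as <app>/vbaProject.bin
        if any(n.endswith("vbaproject.bin") for n in names):
            return "macro"
        return "no-macro"
    if data.startswith(OLE_MAGIC):
        # Heuristic only: look for the VBA stream name in the directory sectors.
        return "macro" if VBA_ENTRY in data else "no-macro"
    return "not-office"


def _ooxml(parts):
    """Build a minimal OOXML-style ZIP in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_samples():
    """Constructed stand-ins for attachments, not real documents or malware."""
    base = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
    return {
        "invoice.docx": _ooxml(base),
        "invoice.docm": _ooxml({**base, "word/vbaProject.bin": b"\x00" * 16}),
        "report.doc": OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le"),
        "order.doc": OLE_MAGIC + b"\x00" * 504 + VBA_ENTRY,
        "notes.txt": b"plain text",
    }


def triage(attachments):
    """Map filename -> action a mail filter could take (assumed policy)."""
    actions = {"macro": "quarantine", "no-macro": "deliver", "not-office": "deliver"}
    return {name: actions[classify_attachment(data)]
            for name, data in attachments.items()}


if __name__ == "__main__":
    for name, action in triage(build_samples()).items():
        print(f"{name:14} {action}")
```

The check looks at file content rather than the extension, so a macro-bearing file renamed to look harmless is still flagged.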

For more advice on how to prevent Dridex and other types of malware infections, talk to your IT service provider.

Tue, 24 Nov 2015 07:31:35 -0500

Major Examples of Email Mistakes

One notable example of an email mistake that caused a data breach involved the Goldman Sachs investment management firm. In June 2014, a Goldman Sachs contractor accidentally sent a message to a email address instead of the corresponding email address. The latter email address is connected to the company’s in-house email network. The email contained a confidential document, and the mistake sent Goldman Sachs scrambling for a solution.

To prevent the recipient from opening the message, Goldman Sachs took Google to the New York State Supreme Court. In its petition, the investment management firm said that the message contained "highly confidential brokerage account information" and asked Google to help it prevent a "needless and massive" data breach. The case was unprecedented, in that Goldman Sachs argued that email senders should have the right to "unsend" an email if it was sent by mistake. In the end, however, the court did not have to rule on the case, since Google voluntarily blocked the recipient’s access to the email.

Another noteworthy email mistake occurred in April 2014. An employee at the risk advisor and insurance brokerage firm Willis North America accidentally sent a spreadsheet to a group of employees enrolled in the company medical plan’s Healthy Rewards Program. The spreadsheet contained confidential information, including employees’ names, email addresses, birthdates, Social Security numbers, employee ID numbers, office locations, and the details of their medical insurance plans. Willis North America agreed to pay for 2 years of identity theft protection for the 4,830 people affected by the breach. Although the leaked information did not include details about the victims’ health conditions or the health information of their dependents, Willis North America was still cited for violating the US Health Insurance Portability and Accountability Act (HIPAA).

The Costs of Email Mistakes

According to the Ponemon Institute, data breaches caused by careless human error cost companies on average $117 per compromised record. If an email mistake affected thousands of people, as was the case for Willis North America, then it could result in sizable losses. Several issues can cause these high costs. As the Cisco case showed, losses in productivity can cost a company a significant amount of time and money. Another cost stems from paying for identity theft protection for the victims. Additionally, if the email mistake led to a data breach, then the company could find itself facing lawsuits or punitive fines. Data breaches like these could also reveal sensitive company information to the general public. Email mistakes, especially those that cause data breaches, can also tarnish a company’s reputation, which can lead to lost business opportunities. As one example, Goldman Sachs faced substantial damage to its reputation after its email-related data breach in 2014.

Avoiding Careless Mistakes

To prevent any mistakes, create clear-cut policies and procedures about sending emails, especially those with sensitive information. You’ll also need to educate your staff members about the problems caused by carelessly sending emails. Employees are more likely to think twice about sending a message when they know just how costly a mistake can be. By the same token, you should develop a workplace environment in which employees feel comfortable talking about their IT concerns. By making your staff members feel comfortable about discussing these issues, you can improve the odds that one of them will ask a question that could avert a mistake. Data loss prevention (DLP) software can also help in this regard. This software can stop employees from sending confidential information intentionally or by accident. Look to your IT staff or service provider for help when searching for a DLP solution that matches your individual needs.
Thu, 29 Oct 2015 11:40:11 -0400

Since Windows XP, the Windows operating system has included an application known as Remote Desktop. Remote Desktop lets you remotely control Windows computers through a local area network or the Internet. With Remote Desktop you can run programs, access files, and even manage network resources on any Windows computer.

To get started, you’ll need to set up the computers you want to remotely control. Remote Desktop requires your user account to have a password, so you’ll want to do that first. Click the Windows “Start” button and select “Control Panel.” Click the “User Accounts” option and then click “Change your password.” Enter a password for your account. From this point on, your computer will prompt you for a username and password at login time, whether the computer is accessed locally or remotely through Remote Desktop.

Next, you’ll need to enable access for Remote Desktop. Click the Windows “Start” button and right-click “Computer.” A drop-down menu appears. Click the “Properties” option. In the window that opens, click “Remote Settings.”

You’ll probably want to check the box labeled “Allow connections from computers running any version of Remote Desktop.” This option is convenient if you have multiple versions of Windows running in your home or office, as each version of Windows is slightly different in handling Remote Desktop connections.

Finally, you need to choose which users you’ll allow to connect via Remote Desktop. Administrative users automatically have access to Remote Desktop. If you want to give other users access, click the “Select Users” button, select the users in the following window and then click “OK.”

After you’ve set up Remote Desktop on your computers, you can connect to them from anywhere in your home or office.

Click the Windows “Start” button and type “remote desktop” in the search text box. Type the name or IP address of the remote computer and click “Connect.” Your computer will connect to the Remote Desktop computer, and you’ll be prompted for the appropriate username and password. Correctly entering the username and password will give you access to control the computer.

Connecting to your Remote Desktop computer through the Internet is also possible, but extra settings are needed on your router. You’ll want to Google specific instructions for your router in order to get things working, but it’s usually a straightforward process.


How the Internet of Things Is Changing Cybersecurity

Over the next few years, companies will be connecting billions of unconventional devices to the Internet. Find out how this wave of web-connected devices will affect the security of your business’s data.

The Internet has radically changed society over the last few decades. It will continue to shake things up in the years to come as consumers are starting to connect thermostats, lights, refrigerators, and other unconventional devices to the web. This phenomenon is known as the Internet of Things (IoT).

The IoT is not limited to consumer devices. Companies are also beginning to connect devices such as security cameras and heating, ventilation, and air conditioning (HVAC) systems. Gartner predicts that 26 billion devices will be online by 2020.

Some devices have IoT technology built into them, whereas other devices have the technology added to them. Either way, the IoT technology collects data about the devices and sends it to applications by means of the Internet. People often use the applications to not only monitor devices but also control them.

Using IoT devices has its advantages, but it also exposes companies to security risks. Hackers are already beginning to exploit IoT devices.

The Advantages

Both business owners and home owners can benefit from IoT technology. They can control IoT devices from just about anywhere using their smartphone or tablet. They can lock doors, turn off lights, check appliances, dial down the thermostat, and monitor areas when no one is around.

Business owners can also benefit from outfitting crucial equipment and systems with IoT technology. The data returned from them is priceless. It can give business owners early warnings about problems before they turn into costly mechanical and system failures. The data can also help business owners make better decisions about equipment and energy usage.

The Security Issues

Using IoT devices can expose companies to security problems. IoT-ready devices often have security vulnerabilities such as default passwords that are easy to crack and firmware updates that are easy to spoof. Plus, unauthorized users can often bypass the security measures in the devices’ web applications.

Just as troublesome is that many users do not realize they need to protect their IoT devices. After all, when the average person thinks of cybersecurity, they are usually picturing computers, not web-connected refrigerators. As a result, they do not use anti-malware programs and network security tools to protect their IoT devices. These insecure devices can put a company at risk since they are usually connected to the network that hosts the company’s critical data and applications.

To protect your IoT devices and your network, you need to make sure that:

  • Each IoT endpoint in your network is a legitimate device and not one being run by a hacker
  • The data being sent over the Internet is not being spied on, changed, or stolen
  • Personal and sensitive data remains hidden from prying eyes, even if those eyes belong to authorized users

In short, you must authenticate your IoT devices, ensure data integrity, and set users’ permission levels in a way that preserves confidentiality. The massive scope of the IoT phenomenon makes managing these issues especially challenging.
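The first two requirements, knowing that an endpoint is a legitimate device and that its data was not changed in transit, can be met with a per-device key and a message authentication code. This is an added example, not code from the original article; the device names, keys, message layout and `Gateway` class are assumptions, and confidentiality would additionally require an encrypted transport.

```python
import hashlib
import hmac
import json

# Constructed demo keys; a real deployment provisions a unique secret per device.
DEVICE_KEYS = {
    "thermostat-01": b"constructed-demo-key-1",
    "camera-07": b"constructed-demo-key-2",
}


def sign(device_id, counter, reading, key):
    """Device side: serialize the payload canonically and attach an HMAC tag."""
    payload = json.dumps({"id": device_id, "ctr": counter, "data": reading},
                         sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Gateway:
    """Receiver side: authenticate the sender, check integrity, refuse replays."""

    def __init__(self, keys):
        self.keys = keys
        self.last_ctr = {}      # highest counter accepted per device

    def accept(self, msg):
        try:
            body = json.loads(msg["payload"])
            device_id, ctr = str(body["id"]), int(body["ctr"])
        except (KeyError, ValueError, TypeError):
            return "reject: malformed"
        key = self.keys.get(device_id)
        if key is None:
            return "reject: unknown device"
        expected = hmac.new(key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(expected.encode(), str(msg.get("tag", "")).encode()):
            return "reject: bad tag"
        if ctr <= self.last_ctr.get(device_id, -1):
            return "reject: replay"
        self.last_ctr[device_id] = ctr
        return "accept"


def demo():
    """Run four constructed messages through the gateway and return the verdicts."""
    gw = Gateway(DEVICE_KEYS)
    good = sign("thermostat-01", 1, {"temp_c": 21.5}, DEVICE_KEYS["thermostat-01"])
    tampered = dict(good, payload=good["payload"].replace("21.5", "35.0"))
    unregistered = sign("fridge-99", 1, {"temp_c": 4}, b"key-not-in-registry")
    return [gw.accept(good), gw.accept(tampered),
            gw.accept(unregistered), gw.accept(good)]


if __name__ == "__main__":
    print(demo())
```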

How Bad Actors Exploit IoT Devices

As the number of IoT devices increases in a network, so does the likelihood that a hacker will be able to find one with weak security. After taking over one IoT device, the hacker can access the rest of the network. At that point, the hacker is free to steal information or install malware.

Hackers can also use IoT devices as part of a botnet. A botnet consists of a large number of computers and other devices under a hacker’s control. Hackers use botnets to send large amounts of spam and malware. The cybersecurity firm Proofpoint discovered one of these attacks in January 2014. The botnet included more than 100,000 devices, including routers, televisions, multimedia centers, and at least one refrigerator. Over a two-week period, the hacker used the devices to send 750,000 malicious emails to companies and individuals around the world.

Hackers can also use botnets to bombard networks and websites with service requests or messages. When the network or website can no longer cope with the onslaught, it shuts down.

Much more troubling is the fact that hackers are starting to use IoT devices to inflict physical damage. For example, in December 2014, German officials revealed that a steel manufacturing plant had fallen prey to hackers. After breaking into the plant’s network, the hackers disabled the controls on one of the blast furnaces. Due to the attack, the furnace was unable to shut off and caused massive damage to the facility.

In the government and in industry, there is much hand-wringing and concern for organizations that provide Critical Infrastructure, such as power-generation plants and water utilities, since much of the equipment used to control the pumps, motors and other key devices was designed decades ago prior to the Internet age, with little or no security. Many of these devices were subsequently “plugged in” to the Internet and are now susceptible to attack.

Cybersecurity experts are also concerned about the possibility of hackers taking control of Internet-connected cars. After hacking into a car’s system, the attackers could steal it. Worse yet, they could hijack a car while the owner is driving it, as demonstrated by a cybersecurity expert in a “60 Minutes” news report.

It’s not just hackers – last year researchers demonstrated how they gained access to a Nest “smart” house thermostat. This thermostat is designed to “watch” movement patterns in a house to see when it is occupied and to heat/cool it at the right times. So a bad actor could use this data to determine the best time to burglarize the house.

The Future of Cybersecurity

No one doubts the value of IoT devices. There are questions, however, about the ways in which companies can safely implement them. To answer these questions, companies should look to their trusted IT partners. These experts can offer guidance about the best ways to safely capitalize on the opportunities offered by the IoT phenomenon.

6 Reasons to Use Remote Monitoring to Keep an Eye on Your Systems

Many IT service providers use remote monitoring tools to gather information and send reports about their clients’ computer systems. Almost anything can be monitored, from routers and firewalls to virus detection and email services.

Here are six benefits of using remote monitoring to keep an eye on your systems:

1. Reduce the Chances of Downtime

In order to operate smoothly, your company needs its computers up and running. If they stop working, you could end up losing a lot of money.

Remote monitoring can reduce the chances of such an event. Your service provider can set alerts that trigger when a problem starts to develop but before it impacts system performance. This early notification means the issue can be resolved before it develops into a crisis.

2. Respond to Problems Instantly

An IT service provider’s remote monitoring team can protect your computers around-the-clock. This 24/7 service means that providing a solution to your tech troubles doesn’t have to wait until the morning.

3. Handle Problems Anywhere

Because of remote monitoring, it doesn’t matter where you are, where your systems are, or where your people are. A remote monitoring team can contact you, find out how you want a situation handled, and then take care of it for you.

This means that you don’t even need to leave the comfort of your own home in order to take care of a problem. This aspect of remote monitoring is especially appealing to companies with facilities in distant or rural locations.

4. Track System Health

Remote monitoring collects system statistics over time. When viewing this data in monthly or quarterly reports, long-term trends can be identified, even before they reach levels that would trigger an alert.

Using these reports, you can address potential problems as they develop and prevent them from ever impacting your computer system. Trend analysis can also identify needs for system expansion and help with technology budgeting.

5. Monitor and Support Every Device You Use

Remote monitoring is comprehensive. Every device can be monitored and supported remotely, whether it’s a server, a desktop, or a mobile device.

Additionally, a remote monitoring service can provide for automatic updates. Configuration files and other changes can automatically be deployed without users needing to take any action.

6. Have Support Staff That Show Rather than Tell

If one of your employees ever has a computer problem, an IT expert can use remote control tools to take control of the employee’s desktop while they are watching. Remote control is different from remote monitoring, although the two are closely related. When it comes to IT support, remote control tools let technicians teach your employees about the issue at hand and explain to them how to address it in the future.

The Bottom Line

Businesses today rely on their computers. They need their IT infrastructure up and running at all times. They need to know about problems before they happen, and they need support regardless of their locations. Remote monitoring provides a cost-effective way for companies to fulfill these needs.

How to Create a More Effective Data Center

IT managers are constantly on the lookout for more efficient — and effective — ways to run their data centers. You can try different tools and setups to help things run more smoothly, but at the end of the day, sometimes you just need to let go and automate.

System administrators who do everything manually are wasting their time — and yours. Tasks that are performed repeatedly can, and should be, automated. Doing so can save you money and prevent mistakes due to human error.

To create a better data center, consider automating the following system administrator tasks:

Security Sweeps

You probably know that you should be performing regular, automated security sweeps on your network. These sweeps will expose and fix any wire-borne vulnerabilities in your system; their frequency and intensity will depend on the complexity of your network. Automated security sweeps enable you to set up scheduled scans, send the output to a database, extract a post-scan report from the database, and create an HTML version of the report for online viewing. Nmap is a free network security scanner designed to scan large networks and report vulnerabilities.
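The pipeline described above (scan output into a database, a report pulled back out, an HTML version for viewing) can be sketched as follows. This is an added example, not code from the original article: the two scan reports are constructed samples in the XML format Nmap writes with `-oX`, the table layout and function names are assumptions, and it goes one step further than the text by reporting only ports that newly opened since the previous sweep.

```python
import html
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample reports in Nmap's XML output format (documentation addresses).
SCAN_MON = """<nmaprun start="1446000000">
 <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
 </ports></host>
</nmaprun>"""
SCAN_TUE = """<nmaprun start="1446086400">
 <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
 </ports></host>
</nmaprun>"""


def store_scan(db, xml_text):
    """Parse one report, insert its open ports, and return the scan id."""
    root = ET.fromstring(xml_text)
    scan_id = int(root.get("start"))        # scan start time, epoch seconds
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            db.execute("INSERT INTO ports VALUES (?,?,?,?,?)",
                       (scan_id, addr, port.get("protocol"),
                        int(port.get("portid")), name))
    return scan_id


def new_exposures(db, prev_id, cur_id):
    """Ports open in the current sweep that were not open in the previous one."""
    return db.execute(
        """SELECT host, proto, port, service FROM ports WHERE scan_id = ?
           EXCEPT
           SELECT host, proto, port, service FROM ports WHERE scan_id = ?
           ORDER BY 1, 3""", (cur_id, prev_id)).fetchall()


def html_report(rows):
    """Render rows as an HTML table; scanned values are untrusted, so escape them."""
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(v))}</td>" for v in r) + "</tr>"
        for r in rows)
    head = "<tr><th>Host</th><th>Proto</th><th>Port</th><th>Service</th></tr>"
    return "<table>" + head + body + "</table>"


def run_pipeline():
    """Load both sample sweeps into an in-memory database and build the report."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ports (scan_id INTEGER, host TEXT, proto TEXT, "
               "port INTEGER, service TEXT)")
    prev_id = store_scan(db, SCAN_MON)
    cur_id = store_scan(db, SCAN_TUE)
    rows = new_exposures(db, prev_id, cur_id)
    return rows, html_report(rows)


if __name__ == "__main__":
    print(run_pipeline()[1])
```

Service names and banners come from the scanned hosts themselves, which is why the report escapes every value before placing it in HTML.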

Disk Usage Scans

System admins must always watch out for disk space gluttons — users who go beyond their allotted disk space. You can conduct scans, or regular audits, of disk space usage by user. Offenders will receive a warning before personal contact from a system admin is necessary. Remedies include temporary account suspension, removal of files, or an extension of the user’s space quota. Perform these automated scans about once per week to keep users apprised of their disk use.

Performance Monitoring

Monitor performance by taking an occasional “snapshot” for a single point-in-time glance at your system’s performance. However, this peek is only a glimpse into the entire performance picture. For something with more depth and breadth that will show trends and predictive peaks and valleys, set up a monitoring system with Orca. This tool compiles performance data from disparate sources and creates performance graphs that are easy to read. Its automated system gathers data, performs calculations, and generates and displays graphs.

High-Level Administration

Save time and effort by performing housekeeping duties, service restarts, and maintenance notices through automation. You can set up scripts to fire during low-use hours to clear temporary file dumps, restart your favorite services, and send out any maintenance or downtime notices through email. Automating these duties will take some of the pressure off of you to remember which day certain tasks need to be done — no need to keep a calendar; just let the system handle it for you.

Do Not Assume Your Business is Too Small to Attract Cybercriminals

Many small businesses have a false sense of security when it comes to cybercrime. More than 75% of U.S. small businesses believe they are safe from it, even though 83% of them do not have formal cyber security plans, according to a study conducted by the National Cyber Security Alliance and Symantec.

Why Is There a False Sense of Security?

Many small businesses assume their size will keep them safe from cybercrime. They often believe that cybercriminals will only go after large companies because those companies have more money, email addresses, credit card numbers, and trade secrets to steal.

However, large companies also have more security experts and IT administrators to guard their assets. Many small businesses do not even have an IT administrator. A third of all small businesses rely on a nontechnical employee to manage their IT systems, according to an AMI-Partners study commissioned by Microsoft.

In reality, cybercriminals often target small businesses because they usually do not have the expertise or resources to fend them off. In 2014, more than a third of all reported targeted attacks were against small businesses, according to Symantec’s 2015 Internet Security Threat Report.

How to Protect Your Small Business from Cybercriminals

There are many measures you can take to help protect your business from cyberattacks. Some of them are fairly easy to put in place, even without the help of an IT administrator. Other measures are more involved. For these measures, you might want to get help from an outside security expert if your business does not have the necessary expertise.

Use security software and a firewall: In 2014, cybercriminals created 317 million pieces of new malware, almost 1 million per day, according to the 2015 Internet Security Threat Report. So, one of the first measures to take is to make sure you have software that detects malware, viruses, and spyware. This security software needs to be updated often. You will also want to make sure you have an operational firewall.

Create and enforce a password policy: A simple measure that can help keep cybercriminals at bay is to create a password policy. You can use this policy to make sure that employees use strong passwords and change them regularly. You can also use it to make sure that different system accounts have different passwords. To make the password policy effective, you need to enforce it.

Provide security training: Employees will not be able to use strong passwords if they do not know how to create them. This is where security training comes in handy. Besides teaching employees how to create a strong password, you can educate them about security threats, such as how attackers use phishing emails that contain malware to infiltrate companies. You can then tell employees about the best ways to thwart attacks. In the case of phishing, you can tell them to verify links in emails before clicking them and not open email attachments that look suspicious.

Dedicate a computer for online banking: If you conduct financial transactions over the Internet, the FBI, American Bankers Association, and Federal Reserve all recommend that you dedicate a computer for this purpose. You should not use this computer for any other online activities that might expose it to vulnerabilities. For example, you should not use it for emailing and surfing the web.

Use two-factor authentication: Using two-factor authentication during logins adds an additional layer of security. With two-factor authentication, employees need to verify their identity with something they have and with something they know. For instance, you might have them swipe a card through a reader and enter a security code. If you have remote employees, you might have them enter a randomly generated number from an electronic token card and enter a password.

Encrypt and back up your data: You can use encryption to protect your data when it is being transmitted over the Internet and when it is sitting in a database or file server. Encryption protocols such as Secure Sockets Layer, or SSL, enable you to protect your data as it is being transmitted over the Internet. Disk drives and databases usually include encryption technology that lets you encrypt data while it is at rest.

Encryption helps stop hackers from stealing sensitive data. It can also help prevent a ransomware attack. Ransomware is a type of malware that cybercriminals use to extort money from victims. They often use it to encrypt data and then demand a ransom to get the password needed for decryption.

There are other types of ransomware attacks. Cybercriminals sometimes use ransomware to lock a computer system and then demand a ransom to unlock it. The best way to defend against all types of ransomware is to regularly back up your data. That way, you can refuse to give in to the cybercriminals’ demands, knowing that you will be able to restore your systems and data if they cause harm.

Be Prepared for an Attack

The measures discussed here are only some of the ones you can take to fend off cybercriminals. Despite your best efforts, though, your small business might still fall victim to an attack. For this reason, you should create a contingency plan covering how to deal with an attack. You also might consider getting an insurance policy that protects you against any losses that you might incur from a cyberattack.