GDPR and You

Surprised that in the last month, between two small marketing list brokers, more than a billion personal records were found to have been leaked on the internet?1

Leaked data is then sold and can be used to hold users’ computers or reputations for ransom. Or, as in the 2018 hack of the DNA-testing company MyHeritage, the data can be sold to the insurance and mortgage industries, revealing DNA disease susceptibilities and thereby making the user ineligible for coverage or a loan.2

GDPR to the Rescue!

Safer Internet Day!

Tuesday, February 5th is Safer Internet Day.  Being observed on the first Tuesday in February, what started out as a campaign to raise awareness about Internet safety is now celebrated in over 100 countries worldwide.

With Valentine’s Day just around the corner, many of us will go online for gifts such as flowers, candy, cute stuffed animals, a book, perhaps a gift card to a store or restaurant – whatever the choice may be, will you be shopping securely?  Online shopping is very convenient.

You can click here and there and order whatever product you desire and have it delivered to your front door.  You can compare pricing, look for deals, compare products, and it all can be done quickly and in the convenience of your own home, any time, night or day.  The downfall?  Wherever there is money and users to be found, there are malicious hackers roaming around.

Use familiar web sites.  Be aware of which online shops are safer, like Amazon.  One tactic favored by malicious hackers is to set up their own fake shopping websites. A fake website can infect you with malicious code the moment you arrive on it, but the most dangerous aspect is the checkout process. Completing a checkout gives cybercriminals your most important information: credit card data (including the security code), name, and address. This opens you up to credit card fraud or social engineering attacks.

What are some key things to be aware of as you’re shopping?  “Sticking with popular brands is as good as any advice when shopping online. Not only do you know what you’re getting by way of quality and price, but you also feel more confident that these well-established names have in place robust security measures.”1

A few things to be aware of:

  • Leery URLs such as “coach-at-awesome-price.com” or “the-bestonlineshoppingintheworld.com”
  • A strange selection of brands – as an example, the website claims to specialize in clothes but also sells car parts or construction materials
  • Strange contact information. If the email for customer service is “amazonsupport@gmail.com” instead of “support@amazon.com”, you should suspect that the online shop is fake
  • Prices that are ridiculously low.  An online shop offering an iPhone 7 at $75 is most likely trying to scam you

The old adage “if it seems too good to be true, it probably is,” rings true in this case, and it’s best to steer clear of these sites.

Use Secure Connections.  Wi-Fi has some serious limitations in terms of security. Unsecured connections allow hackers to intercept your traffic and see everything you are doing on an online shop.  This includes checkout information, passwords, emails, addresses, and so on.

Before You Buy Online…

  1. If the connection is open and doesn’t have a password, don’t use it.
  2. If the router is in an exposed location, allowing people to tamper with it, it can be hacked by a cybercriminal. Stay away.
  3. If you are in a densely-crowded bar with dozens of devices connected to the same Wi-Fi hotspot, this can be a prime target for an enterprising cybercriminal who wants to blend in and go unnoticed. Continue to socialize, don’t shop.

Access secure shopping sites that protect your information. If you want to purchase from a website, make sure it uses SSL/TLS encryption. The site’s address should start with https:// and you should see the lock symbol in the address bar at the top.

Update your browser, antivirus and operating system.  One of the more frequent causes of malware infection is unpatched software, and online shoppers are most at risk because of the sensitive information involved. At a minimum, make sure you have an updated browser when you are purchasing online. This helps secure your cookies and cache and prevents data leakage.  You’ll probably fuss over having to constantly update your software because it can be time consuming, but remember the benefits.

Always be aware of your bank statement.  Malicious hackers are typically looking for credit card data, and online shops are the best place for them to get their hands on such information.  Oftentimes, companies get hacked and their customers’ information falls into the hands of cybercriminals.

For this reason, it’s a good habit to review your bank account and check up on any suspicious activity.

“Don’t wait for your bill to come at the end of the month. Go online regularly and look at electronic statements for your credit card, debit card, and checking accounts. Make sure you don’t see any fraudulent charges, even originating from sites like PayPal. If you do see something wrong, pick up the phone to address the matter quickly. In the case of credit cards, pay the bill only once you know all your charges are accurate. You have 30 days to notify the bank or card issuer of problems.”2

Using a credit card is safer than using a debit card.  Credit cards have additional legal defenses built in that make them safer for online purchases than debit cards.  With credit cards, you aren’t liable if you are a victim of a fraudulent transaction, so long as you report the fraud in a timely manner. Secondly, credit cards give you leverage when it comes to disputing transactions with a seller. If you pay with a debit card, you can’t get your money back unless the seller agrees to it. With credit cards, the money you paid for a product isn’t counted against you until the dispute process is complete; debit card holders, however, can only get their money back after that step.  Ultimately, banks are much more protective of credit cards since it’s their money on the line, not yours.

Additional tips for safety:

  • Never let someone see your credit card number – and, though it may seem obvious, never keep your PIN in the same spot as your credit card
  • Destroy and delete any statements you have read
  • Notify your credit card issuer of any address change. Doing so will prevent them from sending sensitive files to the previous address
  • Keep confirmation numbers and emails for any online purchases you may have done
  • Immediately call your credit card company and close your account if you have lost or misplaced a credit card

Use antivirus protection.  The most frequent tip on how to be safe online is to use a good antivirus tool. It will keep you safe against known malware.  “Before you begin shopping, outfit your phone or tablet with mobile security software. Look for a product that scans apps for viruses and spyware, blocks shady websites, provides lost-device protection and offers automatic updates.”3

Do not purchase from spam or phishing emails.  A phishing email with a fake offer for a desirable product is a hard thing to resist for many shoppers, so they make an impulsive decision and click the “Order Product” or “Buy Now” button, and that’s when the malware attack starts.  A phishing email is not like a standard email: the cybercriminal simply wants your click, and nothing else. The Unsubscribe button won’t stop the email spam.  The best solution in these cases is to simply mark the email as spam; this removes the mail from your inbox and blocks the sender from sending more spam.

Keep a record of your transactions.  If you are a frequent online shopper, it may be difficult to remember from which site you bought a certain product.  So, write it down: what you bought, when, and from what website.  Compare your spending details with the records from your online banking account, and keep track of which websites you use for shopping online.

Hold on to your receipts and destroy them when you no longer need them.  Keep the receipt for your purchase in case you need to confirm it again, as well as for warranty and return issues.  If you want to get rid of a receipt, make sure to destroy it completely, so that a would-be identity thief can’t find any information about you.

Don’t give out more private information than you need to.  “In order to shop online you need to provide two types of information: payment information, such as credit card data, and shipping location, which is usually your home or work address. Be suspicious of online shops that ask for information such as: date of birth, social security number or any other similar information. They don’t need it in order to sell you things.”4

Don’t keep too much information on your smartphone.  These days, everybody stores a lot of important personal information on their phone, and most of us rarely take the time to secure it.  These devices are now much less about calling people, and more about photos, social media, and the like.  Increasingly, people shop online using their smartphone, but this carries its own risks. Fake online shops can infect your smartphone with malware and then gain access to information such as phone numbers, notes, photos, and even app contents.  Be careful what information you store on your smartphone.

“Safer Internet Day is a great reminder that Internet security is something that needs constant vigilance. It’s also a great reminder that a lot of bad things can happen on the Internet if you don’t properly take precautions against them. With that in mind, be sure to have a safe and happy Safer Internet Day.”5

References:

1 https://www.welivesecurity.com – ESET Security Forum
2 https://www.pcmag.com
3 http://www.trendmicro.co.uk/home/internet-safety-for-kids/smart-mobile-tips-for-online-shopping/ – TrendMicro
4 https://bettermoneyhabits.bankofamerica.com/
5 http://www.holidayscalendar.com/event/safer-internet-day/

https://staysafeonline.org – Powered by National Cyber Security Alliance
https://www.americanbar.org – American Bar Association
https://www.foxnews.com
https://www.usatoday.com

Cryptojacking: Are you funding cybercrime without even knowing?

In 2017 we saw cybercriminals adopt a whole new approach to generating value from malware. Rather than stealing information or encrypting a victim’s files and demanding a ransom, cybercriminals started discreetly hijacking computer systems and using them to generate cryptocurrency. In 2018, cryptojacking became one of the most prevalent forms of malware on the internet. The question to ask yourself in 2019 is “can I spot such an attack and, if I can, what do I do about it?”

’Tis The Season for Porch Pirates – Don’t Let a “Would Be” Thief Ruin Your Holiday

Technology has made it very convenient to purchase just about anything and have it delivered to our doorstep. Online buying and package delivery have really become the norm for retail shopping. However, especially during the holiday season, there’s an unfortunate piece of news – “porch pirates” – those modern-day thieves who steal packages from doorsteps. A report from Package Guard claims that 11 million US homeowners had packages stolen from their front door or porch in 2017, and those numbers are due to be higher by the end of this year.

Holiday Shopping Online. It’s Convenient, but Buyer Beware…

With Black Friday just around the corner, many of us are starting to think about holiday shopping. We all love the convenience of being at home in front of a computer vs. the hassle of crowded malls and searching for parking spots. You can click here and there and order whatever product you desire and have it delivered to your front door. You can compare pricing, look for deals, compare products, and it all can be done quickly and in the convenience of your own home, any time, night or day. The downfall? Wherever there is money and users to be found, there are malicious hackers roaming around.

Cybersecurity – Don’t Overlook These Risks Within Your Organization

It’s easier than you think for organizations and their leaders to overlook cybersecurity.  Unfortunately, the nature of the threat means some of the biggest worries for your organization might actually be out in plain sight. Here are five cybersecurity risks that are regularly overlooked.

  1. Inconsistent or Nonspecific Cybersecurity Training. In many cases, people are the weakest link.  “From falling for phishing emails, and clicking on links or downloading documents that turn out to be malware, to being a victim of business email compromise scams that end up losing the company a lot of money, employees are a company’s greatest liability when it comes to cyber security.”1   More specifically, it’s how well and how consistently they’re trained on security essentials.  Since you don’t want to assume any one employee is automatically better versed in digital security than another, it makes good sense to standardize the training. Everybody should be on the same page about the reality of the risks and how necessary a good human element is these days, even with all the anti-virus and anti-malware software available.  Understanding what a phishing email looks like comes in handy just as much at home as it does in the office.  Even though most employees don’t like the idea of extra meetings, specific cybersecurity training helps employees feel a greater sense of ownership over the company and its processes and assets.
  2. Passwords.  Ensure that any accounts associated with your organization are secured by a strong password and, if possible, two-factor authentication. Employees should not reuse passwords from other online accounts for any of their work accounts. You can make it part of your IT policy that employees must change their passwords within a specific time limit.  Communicate to your team that they should not share their passwords with anyone else.
  3. Patch Management. Keeping software patches up-to-date is a critical component of keeping your company network safe from newly discovered vulnerabilities. The importance of keeping software updates current was underlined in a dramatic way during the WannaCry and Petya outbreaks.  The primary way both of those attacks spread was by exploiting a critical vulnerability in the Windows operating system known as EternalBlue. EternalBlue allowed the malware to spread within corporate networks without any user interaction, making these outbreaks particularly virulent. “The WannaCry outbreak occurred in May; the patch for the EternalBlue vulnerability had been released by Microsoft in March. If the patch had been widely applied the impact of WannaCry, which mostly hit corporate networks, would have been greatly reduced. You would imagine that a high-profile incident like WannaCry, which underlined the importance of keeping patches up to date, would have ensured people and companies did just that. However, despite all the publicity the WannaCry outbreak received when it occurred in May, the Petya outbreak in June was still able to use the same EternalBlue vulnerability as one of the ways it spread.”2 “To be fair to the IT managers in the various companies that were hit due to the EternalBlue vulnerability being exploited, updating software on company networks is not always entirely straightforward. IT managers can often be fearful that updating one part of the system could cause another part of it to break, and this can be a particular concern in, for example, healthcare organizations, which were heavily impacted by WannaCry.”3 However, incidents like the above do underline the importance of protecting vulnerable systems, and patching is a key way to do that. The point is not that clicking refresh on software updates all day long will prevent every possible instance of a cybercriminal exploiting a vulnerability or back door.  Setting everything you can to auto-update at a convenient time, daily, does stand a chance of keeping you safer.
  4. Other Companies. A problem that many businesses encounter in the current business climate is that it is not just their own cyber security practices that they have to worry about: they also have to worry about the cyber security protocols of other businesses they work with. Your company may have stringent cyber security practices implemented, but if a third party your company deals with is compromised then attackers could potentially gain access to your network. Network segmentation, or dedicated servers that vendors can use so that they do not connect directly into your company’s network, can help safeguard against weak links in third parties’ cyber security. If that isn’t possible, it is wise to at the very least have a conversation with potential vendors before doing business with them to ensure they take cyber security seriously and have appropriate practices in place.
  5. Unsecured Personal Devices. “BYOD culture — or bring your own device — is a great thing for employees and employers alike. It lets employees perform their duties in a digital workspace they already know and feel comfortable in. On the employer side, the lack of a serious learning curve and the small bump in productivity are welcome.   What’s less welcome are the cybersecurity risks that BYOD culture brings. It’s possible to permit and even encourage your teams to work on their own laptops and tablets, but this shouldn’t be done without a comprehensive and robust BYOD policy drawn up by your IT team. At a minimum, you should require that users access on-premises internet connections using VPNs and that all accounts are equipped with two-factor authentication.”4

In today’s connected workplaces, there’s no single department within an organization whose job it is to ensure cybersecurity.  In fact, that’s the major message all across the digital landscape: no matter how large or small the organization, it’s vital to speak and act as one when it comes to protecting digital assets and company property.  As with so many of the issues mentioned on this list, employee education is key: employees need to understand what good cybersecurity practices are, and the potential consequences for the company if they are not followed.


References:
1-4:  Symantec Security Response Team:  Cybersecurity Weak Links. www.symantec.com/security-center – Bryley Systems is an SMB Specialized Symantec partner.
www.bitsighttech.com
https://www.us-cert.gov/

October is National Cybersecurity Awareness Month

Connected devices are essential to our professional and personal lives, and criminals have gravitated to these platforms as well. Many common crimes—like theft, fraud, harassment, and abuse—are now carried out online, using new technologies and tactics. Others, like cyber intrusions and attacks on critical infrastructure, have emerged as our dependence on connected systems revealed new vulnerabilities.

FTC Warning: Beware of Card Skimming at the Gas Pump

The Federal Trade Commission recently posted an article advising consumers to keep an eye out for card skimmers when paying for gas at the pump.

Skimmers are discreet devices that can be attached to payment terminals, allowing criminals to capture your credit card information.  Once they have your information they will either sell it to another party or use it to make purchases themselves.

Unfortunately, these devices are hard to spot and tend to blend in, especially when our attention is focused on pumping gas.

By educating yourself on what to look for, however, you stand a good chance of avoiding becoming a target of criminals employing this technology.

The FTC has several examples posted on their website of what to look for.  They also advise:

  • Look for a seal (sticker) on the gas pump.  If the seal is broken or appears to have been tampered with, use a different pump and alert an attendant.
  • Check to see if the card reader at your pump looks different than the readers at other pumps.  If it does, move to a different pump and let an attendant know.
  • Keep a close eye on your credit card statements.  Be sure to report any fraudulent charges to your bank or card issuer.

The full article is available on the FTC’s website.

Let Trusted Eyes Watch Over Your Network

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and an untrusted external network, such as the Internet.  Firewalls block unauthorized access to your computer network from hackers, malware and viruses. They monitor data as it passes between your computer, your server, and the Internet to make sure that nothing harmful or unintended slips through. A firewall may block certain downloads, or require system administrators to grant authority before opening files that fail to meet their security standards.

Firewalls are a critical component to effective security, and so is the configuration. A poorly-managed firewall can block legitimate activity, causing workflow errors and excess frustration for the end user. Or, a firewall with overly lax restrictions could miss harmful data packets, lending the user a false sense of security while malware and viruses penetrate your network.  If firewalls are not managed and implemented properly, it can leave gaping holes in your security and give hackers the keys to your kingdom.

A firewall should always be properly configured.  Knowing when to override its rules and let data through, as well as to understand how to respond in case of an alert, are judgement calls that require specialized knowledge and experience.  Fortunately, a trusted IT partner like Bryley Systems will not only recommend the proper firewall, but configure, manage, and support it so that your network is locked down.

Regardless of your organization’s size, no business owner wants the horrible consequences that a security breach can bring.  Larger organizations often have greater resources to dedicate to security. If you are a small to mid-sized organization, you generally have fewer resources and smaller budgets, and having your IT network brought down by a cyberattack can bring the organization to its knees.

Unauthorized access to your system files can result in the loss of important data, the leak of confidential client information, or the compromise of other security features.  A properly managed firewall can nip this problem in the bud.

Internet usage has become a surprising sore point in employer-employee relations, as firewalls are often used to block access to certain sites online. While some employees feel that blocking access to popular social media sites and other types of Internet browsing during work hours is simply a way to micromanage personal habits, many business owners feel it is necessary to cut down on the type of distractions that eat up productivity, as well as open up security issues at the office.

There are definite pros and cons to each side, but by prohibiting access to all but a select group of websites (or by using strict controls to determine what other websites are permissible) business owners can safeguard against employees accidentally visiting a dangerous website. This type of protection can prevent an unsuspecting employee from falling victim to a phishing scam or from entering important information into an insecure website.  A managed firewall/Internet-security solution that provides website filtering can help your organization identify which websites your employees need to be able to access, based upon the type of organization you are and what the employee’s job role is.  It can even create a custom configuration of settings to block problematic websites for safer Internet browsing.

Having your firewall and Internet-security solution managed properly by an IT partner dramatically reduces the disruption of your day-to-day business tasks while providing you with the protection you need. Your managed IT service provider will maintain proper system configurations and monitor your network for potential security threats and will respond to alerts in a timely manner. Furthermore, your managed IT provider should be up-to-date with new technology, proper certifications, and security compliance regulations that might affect your organization. While you focus on running your business at peak efficiency, your managed IT provider also ensures your software and hardware remains up-to-date.

Educate your staff about the importance and significance of firewall protection and other Internet-security measures. This training can also help your employees spot potential scams before they fall victim to them.

Your organization should also consider other safeguards, such as monitoring software that can spot suspicious activity, or programs designed to detect and remove viruses from your system.

One of the most secure ways to protect your most valuable data is by limiting user access. Store your most sensitive files in as few locations as necessary. Only allow access to those employees who need it, and protect it with encryption and strong passwords.

If you would like a more thorough audit of your current network security strategy and needs, please contact us at 978-562-6077, or by email at ITExperts@Bryley.com to learn more. We are here to help.

Another Annoying Robocall. Help!

How many times have you answered your phone only to hear a recorded message instead of a live person?  It’s annoying, it’s illegal and it’s known as a robocall.  “The FTC has seen a significant increase in the number of illegal robocalls because internet-powered phone systems have made it inexpensive and easy for scammers to make illegal calls from anywhere in the world, and to hide from law enforcement by displaying fake caller ID information.

To date, the FTC has brought more than a hundred lawsuits against over 600 companies and individuals responsible for billions of illegal robocalls and other Do Not Call violations.

The FTC also is leading several initiatives to develop technology-based solutions. Those initiatives include a series of robocall contests that challenge tech gurus to design tools that block robocalls and help investigators track down and stop robocallers. They are also encouraging industry efforts to combat caller ID spoofing. Here’s the FTC’s game plan to combat robocalls:

  • continue aggressive law enforcement
  • build better tools for investigating robocalls
  • coordinate with law enforcement, industry, and other stakeholders
  • stimulate and pursue technological solutions

There are options for blocking robocalls and other unwanted calls.

Mobile Apps.  Call blocking apps let you create blacklists – lists of numbers to block from calling your cell phone. Many of these apps also create their own blacklist databases from numbers that have received significant consumer complaints and some even use complaints to the FTC as a source.  They also let you create whitelists – numbers to allow – that are broader than just your personal contacts.

Some mobile apps let you choose which types of calls you want to block. For example, you might block all calls except contacts, or all calls except your contacts and numbers on a whitelist that you have created. Some apps offer additional features: reverse call look up, providing data on incoming numbers (like community-based reviews or data about the number from a search engine), blocking unwanted texts, logging the number of calls received from a number, and silent ringers for unknown callers. Some mobile apps give you choices about how to respond to an incoming call. For example, you can send a prewritten text message to the caller or file a complaint with the Federal Trade Commission. And some apps let you block calls based on the geographic location or area code of the incoming call.

Many call-blocking apps are free or only cost a few dollars. However, some apps may upload your contact information, along with information about what numbers you call or call you. The app’s privacy policy should explain how it gets and uses your information.

Features Built Into Your Mobile Phone.  Many mobile phones come equipped with features built into the device that can block calls from specific numbers. These features can let consumers block specific contacts, identify unwanted incoming calls for future blocking, and set “do not disturb” hours. You must manage these lists on your own, and the device may limit the number of calls you can block.  Since these features are built into the phone’s operating system or come pre-installed, you may not need to download an app unless you want some more sophisticated features, like tapping into a database of blacklisted numbers.

Cloud-Based Services.  Cloud-based services can block unwanted calls for mobile phone lines or phone lines that operate over the internet, like phone service provided by a cable company. Your carrier may give you information about a cloud-based service operated by another company. The service might be a mobile app or a service that requires you to register your phone line. Cloud-based services reside on large, shared computer systems that can collect data from lots of users and use it to build crowd-sourced blacklists.  These services rely on accessing your call data to add to their databases. Some cloud-based services and mobile apps require all calls to be routed through their service, where they are instantly analyzed.  You may have choices about how unwanted calls are handled – for example, they might ring silently, go straight to a separate voicemail, or go to a spam folder. Some cloud-based services are free and some charge a monthly fee.

Call-Blocking Devices.  Devices that block unwanted calls can be installed directly on a home phone. Some devices use blacklist databases of known spam numbers and allow you to add additional numbers to be blocked. Other blocking devices rely on you to manually create and update your own blacklist. Some devices divert the call after one ring, and some show a blinking light when an unwanted call comes in. Other devices connect the unwanted caller to a recording with options that allow legitimate callers who were mistakenly blacklisted to ring through.

Some devices rely on a whitelist that limits incoming calls to approved numbers.  Some also allow you to set up “do not disturb” hours. You’ll have to pay to buy a call-blocking device, and not all devices work on all types of home phones and carriers.

Carrier Services.  You may consider using services provided by your phone service carrier. Carriers typically have solutions for all phones – landline, cable, internet and mobile devices. Many carriers allow you to block between 10 and 30 numbers, but you are responsible for identifying the numbers to block. Robocallers frequently shift the numbers they use, so the robocaller may still be able to get through by changing the number they use.


Many carriers also allow you to block calls from anonymous callers – those who prevent their phone number from appearing on a CallerID device, or whose number shows up as “ANONYMOUS” or “PRIVATE.” But robocallers often show fake numbers on your CallerID. Some carriers also offer services that allow you to block calls or divert them to voicemail for periods of time. This lets you set up quiet or “do not disturb” hours.”1

Some carriers provide these services for free; others charge a fee. You can check your carrier’s website or call customer service for more information.

Reference:
The Federal Trade Commission (FTC) is the nation’s consumer protection agency.
Federal Trade Commission, Privacy, Identity and Online Security.