Archive for May, 2014

Phishing – Don’t take the bait



Fishing can be an enjoyable outdoor activity. Phishing is a computer tactic that can wipe you out financially. Phishing happens when fraudsters, by email or text, impersonate a business to trick a consumer into giving out personal and financial information. Even if the organization named is one you trust, remember that legitimate businesses don’t ask you to send sensitive information through insecure channels such as email or text.

Phishing can take several forms. The message, which will likely include a call for urgent action, may claim that there is an unauthorized transaction on your account, that information must be verified, or that your account has been overcharged. These may seem like legitimate reasons, but it’s all a scam to grab your information for fraudulent purposes.

The best way to deal with phishing scams is to delete any suspicious emails or texts. Don’t click on any links or call any phone numbers provided, even if they have an appropriate area code. If you’re concerned that the message might be real, call the number on your statement or on the back of your credit card. There are several steps you can take to head off a phishing attack:

  • Only use trusted security software, set to update automatically.
  • Don’t provide personal or financial information through non-secure channels such as email or texts.
  • Provide information only through an organization’s Web site if you typed in the web address yourself and you see a URL that begins https (the “s” stands for secure), though even that isn’t foolproof, as some phishers have forged security icons.
  • Check for unauthorized charges on credit-card and bank account statements. If statements are late by more than a couple of days, call to confirm billing addresses and account balances.
  • Attachments and downloadable files in emails may contain viruses or other malware, so be cautious before opening or downloading.


Phishing emails can be reported to spam@uce.gov, the organization impersonated in the email, or reportphishing@antiphishing.org, which is the Anti-Phishing Working Group, a group of ISPs, security vendors, financial institutions and law enforcement agencies that uses these reports to fight phishing.

Stay safe!


SPAM – Some tips to help avoid it.



Everyone with an email account is unfortunately familiar with “spam,” that electronic cousin of junk mail.

But with a little prevention, you can limit the amount of this unwanted commercial email in your in-box.

Cutting your spam

Here are some easy ways to limit the spam you receive:

  • Email filter – See if your email account provides a tool to filter out potential spam or to channel it into a bulk email folder. Keep such a tool in mind when choosing an ISP or email service.
  • Limit exposure – Use two addresses, one for personal messages and one for shopping, newsletters, chat-rooms and coupons, or set up a disposable email address that forwards messages to your permanent address. Also don’t display your email address in public, as spammers harvest the web for email addresses.
  • Utilize privacy policies – Read privacy policies before signing up for a web site, to see if that company sells your email address to others. Also uncheck pre-checked boxes to opt out of mass email updates.
  • Create a unique email address – Instead of your name with numbers behind it, make it more difficult, perhaps using a nickname or an abbreviated version instead. Don’t make it too difficult, though, as you need to remember it.


Protecting others from spam

Hackers and spammers try to locate computers without up-to-date security software, which they can control remotely by installing hidden software, or malware. Thousands of such computers linked together become a “botnet,” a network used by spammers to send out millions of emails at once. Most spam is sent this way.

Your first defense is to keep spammers out of your computer. Steps you can take include disconnecting your computer from the internet when not in use and being cautious about opening attachments and downloading free software, which could be hiding malware.

Signs of malware include weird emails that friends receive from you, messages in your sent folder that you didn’t send, and your computer running more sluggishly. Disconnect from the internet if you feel your computer has been hacked or infected, then follow these steps to remove malware (http://www.onguardonline.gov/articles/0011-malware).

Report spam

Forward unwanted or deceptive messages to the Federal Trade Commission at spam@uce.gov, your email provider and the sender’s email provider. If you try to unsubscribe from an email list and your request is not honored, file a complaint with the FTC (http://www.ftc.gov/complaint).

Stay Safe

eBay Passwords Compromised



A frequent topic on this blog is passwords. They are the entry point into the protected systems, services, and devices that everyone uses. Unfortunately, this week the online auction giant eBay fell victim to a cyber-attack that compromised many of the user account passwords stored on the site. The attackers compromised a limited set of non-user (system) account passwords to gain access to eBay’s systems and internal network.

eBay has stated that no unauthorized activity has been detected for any users and that no financial information has been stolen as of yet; that information is kept completely separate from your login information and is stored encrypted. The breach also appears to have been closed, but it is not known how long the attackers were in eBay’s systems.

eBay is now advising all users to change their passwords, regardless of how recently they have done so. It would also be a good time to change your PayPal password if you have one, as PayPal is a subsidiary of eBay and can be linked to your eBay account. As always, pick a strong password: long and complex, using upper- and lower-case letters, numbers, and special characters, but still memorable for you. The following site securely generates passphrase-style passwords that would work well for eBay: https://xuntroubled.merchantquest.net/pwgen/ppgen.cgi

While eBay doesn’t directly support two-factor authentication, you can enable it on PayPal to make sure your actual payments sent or received for eBay are that much more protected.

Stay safe

Scam – Tech Support Call


If tech support is calling you rather than the other way around, beware!



Scam artists have a new tool they use to break into your computer: a phone. Someone will call, claiming to be a computer technician associated with a well-known tech company such as Microsoft, and will prey on your concerns about viruses or malware on your computer to fool you into giving him or her remote access or paying for unnecessary software.

Such a “tech” will dazzle you with a barrage of technical terms, and may even ask you to perform a series of tasks on your computer. After the “problem” has been “located,” this scammer may:

  • ask you to give remote access to your computer and then make changes to your settings that could leave your computer vulnerable;
  • try to enroll you in a worthless computer maintenance or warranty program;
  • ask for credit card information so you will be billed for phony services — or services you could get elsewhere for free;
  • trick you into installing malware that could steal sensitive data, such as user names and passwords;
  • direct you to websites and ask you to enter your credit card number and other personal information.

The upshot: the scammer is trying to make money, not fix your computer.


Your best defense: hang up!

Other tips:

  • Don’t give control of your computer to an unsolicited third party.
  • Do not rely on caller ID alone to authenticate a caller, as criminals spoof caller ID numbers.
  • Online search results, which can be manipulated, aren’t the best way to find technical support or a company’s contact information. Instead, if you want tech support, give HCP a call at 207-848-9888 or visit our website http://www.hcp4biz.com and submit a support request. To locate company information, look on the software package or on your receipt.
  • Never provide your credit card, financial information or passwords to someone who calls claiming to be from tech support.
  • Put your phone number on the National Do Not Call Registry (https://www.donotcall.gov).


If you think you might have downloaded malware from a scam site or allowed a cybercriminal to access your computer, don’t panic. Instead:

  • Update or download legitimate security software and scan your computer, and delete anything it identifies as a problem.
  • Change any passwords that you gave out, especially if you use these passwords for other accounts.
  • Give HCP a call at 207-848-9888 or visit our website http://www.hcp4biz.com and submit a support request.
  • If you paid for bogus services with a credit card or see other charges on your statement that you didn’t make, call your credit card provider and ask to reverse the charges.
  • If you think someone may have accessed your personal or financial information, visit the FTC’s identity theft website (http://www.consumer.ftc.gov/features/feature-0014-identity-theft). You can minimize your risk of further damage and repair any problems already in place.

Stay Safe


Find us on Thumbtack



Look for HCP on Thumbtack

HCP is now on Thumbtack; follow the link above and give us a look.

By connecting local professionals directly with new clients, Thumbtack enables these talented pros to work independently so they can grow their businesses. Thumbtack is empowering more than 250,000 pros across all 50 states to achieve their personal and professional goals.

A great service.

Mark

Social Engineering – What is it?




Everyone has probably heard the term social engineering in the news a lot lately, with the various cyber attacks, viruses, and scams going on.

What is social engineering, one may ask? While your first assumption would probably be that it has something to do with a social network such as Facebook or Twitter, that is not the case. Social engineering is a deliberate and crafty attempt by hackers to gain access to your data by tricking either you or those who protect your data into handing it over.

Social engineering is one of the biggest attack vectors these days, as technical security keeps improving. It is the most often overlooked part of security and one of the easiest ways a hacker can gain access to your data with limited effort.

How does it work? A hacker poses as a corporation, user, technician, or someone else at a company or service to which you have entrusted your data. Attempts usually come in the form of an email or, commonly, a phone call. What the hacker wants is your access to the data: your passwords, or the means by which you reset them, such as your private email address. Oftentimes these cyber-criminals will even pose as you, when calling a bank, for instance.

One recent form of cyber-fraud is domain name registration theft. A cyber-criminal scours the Internet, usually social networks, to find personal details about an individual who owns or controls a domain name. This information is then very handy when calling the domain-name registrar to have an account password reset or an account email change processed. At that point it’s really up to the customer support agent to be the last line of defense.

In most cases hackers have been able to get an account reset processed knowing only an email address or the last four digits of a credit card number on file, because they were able to gain the trust of the customer-support agent. Once the hacker has had a password reset processed and gains access to your account, it’s an uphill battle, depending on the company, to get your access back. If you own a business and rely on your unique domain name, this could be a disaster.

The simple way to stop this is to call the company, verify who you are, and have a note placed on your account that under no circumstances are account resets by phone allowed. Most companies and services will allow an individual to request this. In most cases this puts an end to it, and hackers will no longer be able to social engineer your account.

Stay Safe

Apple has a hole


Apple is now scrambling to create a patch for a security flaw in iOS 7, discovered by researcher Andreas Kurtz, which leaves email attachments unencrypted on iPhones and iPads so that they can be accessed by attackers using “well-known techniques,” Kurtz wrote.

This isn’t considered a major problem, as it seems that an attacker can’t use the bug to read your email attachments remotely, but Apple is working on a fix now.

To keep your iDevices secure, enable data protection and use a passcode, the longer the better, to lock the device.

The iPhone 5 offers the option of fingerprint authentication instead of a passcode. But the fingerprint scanner can be hacked, as researchers have proven that it’s possible to create a fake fingerprint from a photo of the victim’s print.

A more effective kind of data protection would be two-factor (or two-step) authentication. In addition to a passcode, the institution responsible for the site being accessed will email or text a second, six-digit code which must be entered as well to allow access.

For more information about Apple security updates, visit http://support.apple.com/kb/ht4175

Stay Safe

Passwords Passwords Passwords



By Greg Gagne

In today’s digital world, passwords are often the most neglected first line of defense against data and security breaches. They can be a hassle: to be secure, you shouldn’t repeat passwords, or even your method of generating passwords, between sites and services. The most secure passwords are long, with randomized letters, numbers, and special characters. In addition, frequent password changes are needed to keep your data secure. Depending on how many sites, services, or programs you use daily, the list of passwords to remember correctly and change frequently could grow to be unbearable, even impossible.

There are numerous online services and offline software that generate very secure passwords and will remember and/or auto-fill these passwords for you. These services range from free but ad-supported to more than $50, depending on the features you want. The problem is that consumers are putting all their eggs in the same basket. As happened recently with the Heartbleed vulnerability outbreak, the behind-the-scenes security that should keep this bundle of passwords securely stored was broken. Who’s to say that someone out there doesn’t have access to all the passwords you put into one of these convenient services? This entirely negates the convenience of the software when you have to regenerate your passwords again and trust that they are in fact secure from anyone but you.

For me, I use the following method to generate passwords that are secure enough. I say secure enough because most sites, ironically enough most banking sites for example, do not let you use truly secure passwords. For instance, my bank only allows an eight-character password using only capital and non-capital letters and numbers. I can’t use any special or extended characters such as an asterisk or spaces, which would make the password that much more secure. Their password policy is truly the bare minimum to be somewhat secure.

So I do the following to create a password. I come up with an easy-to-remember sentence that is meaningful to me, for instance “I am graduating in 2014.” To turn this into a password, I take the first letter of each word and combine them, which gives Iagi2014. I then randomly add a special character if one is allowed. I make sure the sentence has frequent upper-case and lower-case letters, and it has to contain some numerical value.

I also try to make a nonsensical sentence that is very grammatically incorrect, as this helps to spoil the efforts of hackers using dictionary libraries. What makes a password secure is the combination of length, words that can’t be found in a dictionary, and complexity from upper case, lower case, numerals, and special characters. In order to remember all these passwords, I write them down and carry them on a sheet of paper in my wallet. Before anyone says this is totally insecure: I “encrypt” them by changing the ordering, depending on the site or service, and add an indication of which site or service each pertains to. For example, using the phrase “The Moon is blue tonight!”, the password would be TMibt2014*; if I’m using it on amazon.com, I write *4102tbiMTamz on the paper (the amz letting me know it’s Amazon). This isn’t totally foolproof, but it would keep the casual person confused, as I don’t write down “Amazon.com User name: xxxxx Password: xxxx” on the sheet. Figure out an “encryption” that works for you.
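The sentence-to-password rule and the wallet-sheet reordering described above, as an added Python example that is not from the post. It assumes one detail the post only shows by example: numeric words such as “2014.” are kept whole rather than reduced to their first character. It also checks the result against the bank policy mentioned earlier (eight characters, letters and digits only).

```python
import re


def derive_password(sentence, number="", special=""):
    """Build a password the way the post describes: the first letter of
    each alphabetic word, numeric words kept whole (assumed rule, so
    "2014." contributes "2014"), then an optional number and an optional
    special character appended."""
    parts = []
    for word in re.findall(r"[A-Za-z0-9]+", sentence):
        parts.append(word if word.isdigit() else word[0])
    return "".join(parts) + number + special


def fits_policy(password, max_len=8, allow_special=False):
    """Check a password against the bank-style policy from the post:
    at most eight characters, upper/lower-case letters and digits only
    unless special characters are explicitly allowed."""
    if not 1 <= len(password) <= max_len:
        return False
    return allow_special or password.isalnum()


def to_sheet(password, tag):
    """Wallet-sheet entry: the password reversed with a short site tag
    appended. Reversal is obfuscation only, not encryption: anyone who
    knows the scheme recovers the password instantly."""
    return password[::-1] + tag


def from_sheet(entry, tag):
    """Recover the password from an entry written by to_sheet."""
    if not entry.endswith(tag):
        raise ValueError("entry does not carry the expected site tag")
    return entry[: len(entry) - len(tag)][::-1]


if __name__ == "__main__":
    pw = derive_password("I am graduating in 2014.")
    print(pw, fits_policy(pw))  # Iagi2014 True
    pw2 = derive_password("The Moon is blue tonight!", "2014", "*")
    print(pw2, fits_policy(pw2))  # TMibt2014* False (too long, and * rejected)
    print(to_sheet(pw2, "amz"))  # *4102tbiMTamz
    print(from_sheet("*4102tbiMTamz", "amz") == pw2)  # True
```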

Unfortunately, passwords are only as secure as you make them and as how long they’ve been in use. For me, as much of a hassle as it is, I change passwords frequently depending on how critical the service, site, or system is. For anything financial, I change them at least monthly, if not more often. For that kind of data, frequent changes are really the only tried-and-true security, in addition to the password being complex and long. This adds another barrier to entry on your accounts. Again, do not share similar or identical passwords between sites; this is the biggest reason accounts, services, and systems get hacked, right after easy-to-guess passwords.

Also, when it comes time to set up your methods of recovering a password, such as entering your mother’s maiden name or a high school friend, do not use an answer that is true. For instance, my high school friend’s name was Dustin Johns. Nowadays, finding out this piece of information by scouring social networks or through various forms of social engineering is too easy. I’d change this to something I could remember but that makes no sense, such as Marvin the Martian or something along those lines. This is an often-neglected area of password security: how easy you make it to recover a password. Another good step is to make a note, on any account that allows it, not to allow password resets of any kind over the telephone. This is a far-too-easy avenue for hackers to exploit through social engineering to gain access to your accounts.

Make access to your accounts as difficult as possible on all avenues, including passwords, password resets, and frequent password changes, to spoil any attempts by attackers. Unless you’re being specifically targeted for a reason, if you make it difficult enough, an attacker will give up after a certain amount of time. They are looking for the most gain with the least amount of work.

Stay Safe