Top Concern For Small Businesses? Cybersecurity

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

While some might assume that fear of an economic recession would be at the top of the list of key issues small business owners concern themselves with, a recent survey found that another issue is of much greater concern: Cybersecurity.

This is no surprise.

For the past several years, cybercrimes and data breaches among companies large and small, governments, and even individual citizens have risen drastically.

While it’s true that many business owners still assume a data breach at their own company is highly unlikely, the ultimate price tag of such attacks is ramping up into the millions of dollars (with recovery hardly ever successful), so it makes sense that companies are taking notice.

Do You Have A Blind Spot In Your Security?

Security is only as good as its weakest link — one blind spot and a company can be compromised. It is important that each aspect of a company’s security is understood and up to date.

The following security best practices explain what to be aware of and how to improve a company’s security.

From remote hackers, to in-person social engineering, and even your own e-mail, there are different methods of attacks and means of defense to maintain a company’s integrity.

Physical Security
The basic defense that predates IT security is physical security. Locked doors, restricted access, and watch patrol are some of the oldest methods to prevent aggressive physical security breaches.

Technology has only made physical security even better with security cameras, alarm systems, RFID badges, and biometric systems that identify a person from their physical being. Having the appropriate physical security is key to preventing and deterring break-ins and stolen items.

Social Engineering
With the right words and story, some people gain access to compromising areas and information that can give a company a real bad time.

Without a physical break-in or even a computer, social engineering works against human psychology, finding the vulnerabilities of staff and workers to trick and deceive their way past security. The best way to defend against this is to have a strong and easily understood security policy that educates staff and workers not to give out credentials and access to unauthorized personnel.

Phishing
Billions of emails are sent out every day (promising a vacation, warning people about their bank accounts, or asking for charity) that are designed entirely to steal from or compromise a person or company. Phishing targets everybody, asking for credit card numbers, asking a person to sign in to their account on a fake site, or taking something in other ways.

Do not open emails or download email attachments with suspicious or unknown origins. If an email looks odd or is too good to be true, call or check a website directly to confirm if an email is legitimate.

Clicking or falling for phishing could end with a stolen identity, stolen money, or a locked PC or network demanding ransom money. Be smart and wise about checking emails.

Hackers
There are people who spend most of their day trying to break security codes, finding software loopholes, and using other abstract means to force their way through digital security to gain illegal access to computers.

There are just as many (if not more) people working together to prevent such people from ever gaining access with new security measures and patches. To protect a PC or a company from hackers, always update your security definitions on Windows and antivirus software. Knowing what software to trust and what updates are needed is important to ensuring digital security. We at Tech Experts make it our business to keep digital security online and updated at all times, so that no one has to fall victim to the unseen security threat.

Being aware of these different security risks and knowing how to defend against them provides a strong basis for understanding what needs to be done to keep a company or person secure.

Security is always evolving and changing, but having a modern understanding with security in place can make the difference between a secure environment and a risky work place that could come to a grinding halt when security is breached. Be safe, be smart, and be productive with good security.

Don’t Pay A Ransom To Get Your Data Back

Michael Menor is Vice President of Support Services for Tech Experts.

Requesting a ransom from victims is an unfortunate trend gaining momentum in the hacking world. This is typically done using ransomware (where hackers encrypt data and request money for the key) and distributed denial of service attacks (where hackers threaten to overwhelm a system with traffic, thus knocking it offline).

In both scenarios, hackers are looking for the victim to pay up…or else. Should they?

The answer should be obvious: absolutely not.

However, when a person’s valuable data becomes encrypted or they receive a legitimate threat to take down their servers, emotions often get in the way and they’ll end up “paying the piper.” Hackers know this, which is why their ransom methods employ fear tactics.

For example, ransomware like CryptoLocker will lock the user out of their computer while the screen displays a countdown to when their data will be deleted.

With DDoS attacks, a hacker may contact the victim mid-attack and promise to cease the attack for a fee. Both of these situations play straight into a person’s irrational fear, causing them to cough up cash.

Before reaching for your credit card to pay a hacker’s demands… stop, take a deep breath, and think objectively about the situation.

What guarantee do you have that these hackers will actually make good on their promise to turn over your data or cease the attack?

This guarantee is only as good as a hacker’s word, which is pretty worthless seeing as they’re, you know, criminals. Therefore, whatever you do, DON’T GIVE MONEY TO A HACKER!

By paying hackers money, you’ll only add fuel to the fire and help fund the spread of their devious acts.

Plus, there are several reported cases where a victim pays the ransom, only to still have their data deleted or the attacks on their site continue.

What’s it to them if they go ahead and follow through with the attack? They have your money, so who cares? It’s a classic case of adding insult to injury.

Need proof? There’s a recent example of this happening to ProtonMail, a Switzerland-based email encryption service.

On November 3rd, ProtonMail was threatened with a DDoS attack by the hacking group Armada Collective.

Like many companies would do, they ignored the threat, deeming it to not be credible. Soon afterward, their servers became overloaded to the point where they had to cease operations. After ProtonMail paid the ransom, the hackers continued the attack.

Now, consider your own situation. How much would it cost your company if you lost revenue for a full day of work, and you still had to make payroll?

For a medium-to-large sized company, losing a full day’s work would likely come to much more than a few thousand dollars. In fact, hackers understand how downtime can be so costly, which is why they feel justified asking for such an exorbitant fee.

What are you supposed to do if you were asked to pay a ransom by a hacker? The first thing you’ll want to do is contact the IT professionals at Tech Experts. We’re able to take an assessment of the attack to determine how bad it is and restore your data to a backed up version that’s not infected with malware.

When facing a hack attack, we can present you with all the options you can take – none of which will include paying a hacker money.

Can Your Car Really Be Hijacked?

On your daily commute, imagine your car suddenly not responding to your driving cues. Turn the steering wheel, and nothing happens. Push the brake, and you don’t stop. Few things could be more frightening than hurtling through space at any speed and not knowing what will happen. This scenario may sound like a scene from a science fiction or adventure movie, but it is certainly possible. Wired reporter Andy Greenberg recently proved that today’s smart vehicles can be remotely accessed and controlled by hackers.

While the likelihood of someone with the means and know-how to hack your personal vehicle may be low, the mere possibility of it happening shakes our very foundation of how we see the world. After all, there’s enough to worry about when driving: from animals suddenly crossing in front of you to weather conditions with the potential to send you careening off the road. Now, there’s this. Pretty much any device with a CPU is at risk of being hacked and controlled from afar, whether it is a pacemaker or a washing machine.

This is what Andy Greenberg set out to illustrate when he arranged for his Jeep Cherokee to be hijacked by two car-hacking researchers. The researchers were able to gain control of Greenberg’s vehicle, transforming his role from driver to passenger in little time. They turned the steering wheel, jerked on the reporter’s seat belt, and even disabled the brakes using the Internet. Much of the not-so-amusing shenanigans were controlled through Fiat Chrysler’s “Uconnect” feature, which electronically manages a vehicle’s navigation, entertainment features, and more. Basically, a vulnerability in this system let the hackers in.

While it is possible to remotely hijack vehicles without this Uconnect feature, this vulnerability is now well-known and puts certain Chryslers at even greater risk from this new technological danger. The Uconnect package is an option offered for 2013 through 2015 Chrysler and Dodge cars and trucks, including the Jeep Cherokee, Dodge Ram, and Dodge Charger. The good news is that, if you have a vehicle featuring the Uconnect package, there is a fix that can be installed. Although it is possible to do it yourself by visiting the Chrysler website and downloading it onto a USB drive, this is a job perhaps best left to the dealership.

Tips For Defending Against Social Engineering Attacks

by Michael Menor, Network Technician
I just got yet another email from my bank. Or, at least it looked like the bank that had issued one of my credit cards. The email included my correct name and mailing address, as well as a variety of other quality information such as the last four digits of my credit card number.

This may not seem like it is great information, but I regularly change details in my name for accounts, such as using different middle initials, including or omitting part of my first name, or using one of the three different street addresses that will get mail delivered to my home. So when someone gets it all correct, it really is a big deal to me.

According to the email, I needed to log on (yes, convenient link included) and check a fraud alert that was being issued on my credit card by my bank because of suspicious activity.

Again, this did make some sense, because this account was compromised, and I do have fraud triggers set to alert via email and text. Despite the fact that I pretty much always view these emails as suspicious, all in all, it seemed like the type of email that I might not want to ignore.

Except for the fact that the email came to a valid email address which I have never registered with this particular bank. Oddly enough, I have seen this with increasing frequency, and have received both Facebook and LinkedIn notifications with friend/connect requests – with people I actually know – but, both sent to email addresses which I have never registered with Facebook or LinkedIn.

Social Engineering?
Getting a few emails doesn’t necessarily mean I am in the middle of a social engineering attack. The catch here is that the emails contained real information that could only be gathered if someone was working it, so I tend to look a little beyond random phishing. The sender had good information.

A more recent complexity in social engineering is the use of this type of good information in an Advanced Persistent Threat (APT). In this role, social engineering is used in concert with other attack vectors. Information gathered from social engineering is used to target technical attacks, and in turn, information from technical attacks is used to help target further social engineering attacks as an attacker learns more about a set of individuals as well as the entire organization.

The availability of information from public sources like social media allows online research about specific people to be very targeted, further enabling more specific social engineering attacks.

Among the most dangerous social engineering attacks are those that also try to get targets to open malicious links or run malicious applications, potentially installing malware.

You may recognize a random external email attack that includes a virus or a malicious link. But, how would you respond to an email from your daughter’s college that appears to claim she was being ejected, or an email from a well-known pharmaceutical company that announced recently discovered potentially fatal side effects of a prescription drug that you are currently taking? Personal attacks like this which are tailored to a specific individual have become more common, and we should expect this trend to continue.

Can We do Anything About It?
Since there is no such thing as a personal firewall to help filter out attacks, the single best thing you can do to minimize the chances of a successful social engineering attack is proper awareness. At the same time, some technical controls can help. I have no “magic list” of five things to do, and I know 16 controls can look like a daunting task, but any or all of these things can help reduce the chances of a successful social engineering/phishing attack.

Even starting with one thing that you are currently not doing can help.

1. You should know that social engineering attacks exist. You should also know that attackers are interested in getting personal information as well as corporate information, and that individuals may be attacked through any phone, email or social media account – both work and personal – since personal knowledge can help make targeted attacks more successful.

2. You should be very careful about the type of information you leave in your voicemail greeting. A good default is to leave your first name, and state that you will return the call, without identifying your group.

3. “Extended absence” messages may be necessary, but should be used with care. Consider leaving a “fake” alternate contact name so that a coworker can easily identify that the call came from your out-of-office message. When you’re out and you want callers to reach “Betty Brown” for assistance in your absence, you might leave an outgoing message that says “Beth Brown” instead of “Betty Brown.” Then, when a caller asks for “Beth,” Betty will actually know that this call came as a result of your out-of-office message.

4. To help minimize the ease with which an attacker can identify valid email addresses at your organization, your email server should be configured so that it does not respond to inbound invalid addresses.

5. Make sure that corporate email addresses have little to no relationship with the employee’s user ID. Never make the name in your email address the same as the user ID you use on your internal network. If the user ID that you use to log onto your corporate network is bsmith, do not make your corporate email address bsmith(at)yourcompany.com.

6. You should be filtering attachments on your email and removing attachments with potentially hostile contents, such as executable files. Distributing Trojan horses or viruses via email is a common attack technique.

7. Be aware of company specific jargon. Anyone who uses improper or general information about your company can be regarded as an outsider. Maybe you work for Tech Experts, but everyone calls it “TE.” Using incorrect terminology is a clue that a call may not be genuine.

8. Someone who acts irate or angry and attempts to rush you through a questionable process should be regarded as suspicious. Bullying someone is a common technique to keep a target off balance.

9. Many (not all) data gathering emails come from temporary or “throw away” accounts, such as an account at Gmail or Yahoo. Your staff should be aware that there are a number of reasons an attacker would like to clearly identify valid email addresses and that your staff should consider this in all external responses.

10. Your company should not use or allow the use of external web-based email accounts through the normal course of your business. Do not let employees get used to seeing official email from such accounts (like @gmail.com instead of @yourcompany.com).

11. Your employees should know that no one from corporate IT (or anyone else) would ever call them and ask for their password. Simply put, no employee should ever divulge his or her password to anyone else. Never.

12. You should maintain an accurate and current employee directory with phone numbers. Anyone receiving a suspicious call can ask the caller who they are and consult the phone directory for the name and phone number.

13. Dispose of sensitive material in an appropriate manner. Either use an office shredder or contract with a reputable “secure disposal” company to dispose of sensitive information for you. Yes, “dumpster diving” is real, does happen and does work.

14. The Help Desk can take steps to reduce the number of invalid password resets and snooping attempts.

a. If a user calls from an outside number, the Help Desk’s first response should always be to consult a corporate phone directory for an official work, mobile or home phone number to return the user’s call. Any number not on the list should be considered suspicious.

b. The Help Desk should verify the employee’s full name, with proper spelling, phone extension, department or group. You are trying to add enough information that an attacker would have to be very prepared for the request.

c. The Help Desk should ask the caller for a number at which they can call the user back, regardless of from where the user is calling. A call from anyone who will not provide a callback number should be considered an attack.

d. You may consider having the Help Desk leave a user’s new password in the employee’s corporate voicemail. A valid user should have no trouble retrieving the password. An attacker would have to compromise the voicemail system to get access to the password.

15. If you are being asked to release or reveal something that is clearly sensitive, such as your strategic plan, passwords, pre-release earnings, source code and other such internal information, it should be automatically regarded as suspicious.

16. You should have a plan for how you will communicate internally if you identify that a social engineering attack is taking place against your company.

Does every employee get an email stating that an attack is in progress, and that everyone should exercise additional care? Who should send the email, and what is the final triggering event before a company-wide alert is distributed?
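Controls 6 and 10 above can be partly automated where inbound mail is processed. The following Python is an added example, not part of the original article: it removes attachments that look executable (by final extension or by the Windows "MZ" file header) and flags senders who use external webmail or imitate the company name from an outside domain. The company domain, webmail list, extension list and sample message are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Illustrative values, not from the article: adjust to your own mail policy.
COMPANY_DOMAIN = "yourcompany.com"
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd",
                      ".js", ".vbs", ".msi"}


def is_hostile(part):
    """Return a reason string if the attachment looks executable, else None."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    name = (part.get_filename() or "").strip().rstrip(". ")
    ext = PurePosixPath(name).suffix.lower()  # final extension only
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext} ({name})"
    # A renamed Windows executable still starts with the 'MZ' header.
    data = part.get_payload(decode=True) or b""
    if data[:2] == b"MZ":
        return f"executable content despite name ({name})"
    return None


def screen_message(raw_bytes):
    """Return (findings, cleaned_message) for one raw inbound e-mail."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain in WEBMAIL_DOMAINS:
        findings.append(f"sender uses external webmail domain {domain}")
    company = COMPANY_DOMAIN.split(".")[0]
    claimed = (display + addr).lower().replace(" ", "")
    if domain != COMPANY_DOMAIN and company in claimed:
        findings.append("sender name imitates the company from an outside domain")

    hostile = []
    for part in msg.iter_attachments():
        reason = is_hostile(part)
        if reason:
            findings.append(reason)
            hostile.append(part)
    if hostile:
        # Keep the body and safe attachments; drop the hostile parts.
        msg.set_payload([p for p in msg.get_payload() if p not in hostile])
    return findings, msg


def build_sample():
    """Constructed sample message used only to exercise the checks above."""
    m = EmailMessage()
    m["From"] = "Your Company Help Desk <yourcompany.helpdesk@gmail.com>"
    m["To"] = "user@yourcompany.com"
    m["Subject"] = "Fraud alert on your account"
    m.set_content("Please review the attached invoice.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    m.add_attachment(b"MZ\x90\x00", maintype="image", subtype="jpeg",
                     filename="photo.jpg")
    m.add_attachment("meeting notes", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    found, cleaned = screen_message(build_sample())
    for f in found:
        print("FLAG:", f)
    print("remaining:", [p.get_filename() for p in cleaned.iter_attachments()])
```

Extension lists go stale and the "MZ" check only covers Windows executables, so treat this as one layer alongside the awareness controls in the list.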

Conclusion
A good social engineer can extract sensitive internal information very quickly, and can then help ensure they make the best use of that information to further additional attacks.

Knowing this, you should understand that a social engineering attack can happen at any time. They don’t happen because you have poor security; they happen because someone else decided you were a target.


Tech Support Calling? It’s Probably A Scam Or Hacker

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

For business computer users, the threat of a security breach is a constant worry. The thing is, many systems are secure enough from outside attacks, and many scammers know this.

As a result, scammers have switched tactics and have taken to pretending to be Windows technicians, hoping to get users to give up their credit card information.

This isn’t a new scam. Despite news reports and emailed reminders, some people still fall for the ruse.

Social engineering
These social engineering tricks generally follow the same formula: A person calls you pretending to be from the Windows technical team at Microsoft.

The scammer usually tells you that you need to renew your software protection licenses to keep your computer running.

Most of the time, these scammers spread the conversation out over a number of phone calls and emails, the goal being to gain the trust of the user.

Once trust is established, or the user seems interested enough, the crook will offer a seemingly sweet deal: They offer a service that makes your computer run like new, usually for a reasonable price.

The scammer will then use remote PC support software to show you ‘problems’ your computer is having.

They will usually show you the Windows Event Viewer – a part of the OS that shows errors, usually harmless, that your computer has generated.

The scammer will then convince the user that these errors are harmful, and if you have paid, they will make it look like they are cleaning your computer.

If you give them your credit card number, you will likely see ridiculous charges, or even have people trying to access your accounts.

What’s being done?
Governments are aware of this increasingly common trick, and some organizations, like the FTC, have taken measures to shut down scammers.

What can we do?
While action is being taken, these scammers are working hard to steal your credit card and other personal information. To ensure you don’t fall prey to this trickery, these five tips should help you identify when an attempted scam is at play:

  • Microsoft doesn’t call people.
  • Windows Event Viewer is a log of errors for ALL programs.
  • Microsoft employees will never ask for your passwords.
  • Most of these scammers operate out of call centers in India, but bill from the US.
  • Microsoft employees won’t usually ask you to install software that’s not made by Microsoft.

As a rule of thumb: If you get an unsolicited call about your computers and IT security, it’s likely not genuine. If these criminals provide you with a website, do a quick Google search to see if there have been any scam reports.

If you’re concerned your credit card or other information may have been compromised, please call us right away for a complimentary security assessment.