10 Internet Security Myths that Small Businesses Should Be Aware Of

Most small businesses don’t put as much focus on internet security as they probably should. If you are a small business owner or manager, not focusing on internet security could put you in a bad spot. Are you believing the myths about internet security or are you already using best practices? Here are a few of the most common myths. Take a look to see where you truly stand:

Myth – All You Need is a Good Antivirus Program

Do you have a good antivirus program on your small business network? Do you think that’s enough? Unfortunately, it’s not. Though an antivirus program is great to have, there is a lot more that you have to do. Also, keep in mind that more people than ever are working remotely, and odds are good that they are working on a network that is not secured.

Myth – If You Have a Good Password, Your Data is Safe

Yes, a strong password is essential to keeping your information safe, but that alone is not going to do much if a hacker is able to get it somehow. Instead, setting up two-factor authentication is essential. This is much safer. Also make sure that your team doesn’t write their passwords down and keep them close to the computer or worse, use the same passwords across multiple critical accounts.

Myth – Hackers Only Target Large Businesses, So I Don’t Have to Worry

Unfortunately, many small business owners believe that hackers won’t target them because they only go after big businesses. This isn’t true, either. No one is immune to the wrath of hackers, and even if you are the only employee, you are a target.

Myth – Your IT Person Can Solve All of Your Issues

Small business owners also believe that if they have a good IT person, they don’t have to worry about cybercrime. This, too, unfortunately, is a myth. Though having a good IT person on your team is a great idea, you still won’t be fully protected. Enlist outside “penetration testers” who are white-hat hackers that seek out vulnerabilities in your networks before the criminals do.

Myth – Insurance Will Protect You from Cybercrime

Wrong! While there are actually several insurance companies that offer policies that “protect” businesses from cybercrimes, they don’t proactively protect your networks, but will provide relief in the event you are hacked. But read the fine print. Because if you are severely negligent, then all bets may be off. In fact, it is one of the strongest growing policy types in the industry.

Myth – Cyber Crimes are Overrated

Though it would certainly be nice if this were true, it’s simply not. These crimes are very real and could be very dangerous to your company. Your business is always at risk. Reports show as many as 4 billion records were stolen in 2016.

Myth – My Business is Safe as Long as I Have a Firewall

This goes along with the antivirus myth. Yes, it’s great to have a good firewall, but it won’t fully protect your company. You should have one, as they do offer a good level of protection, but you need much more to get full protection.

Myth – Cybercriminals are Always People You Don’t Know

Unfortunately, this, too, is not true. Even if it is an accident, many instances of cybercrimes can be traced back to someone on your staff. It could be an employee who is angry about something or even an innocent mistake. But, it only takes a single click to open up your network to the bad guys.

Myth – Millennials are Very Cautious About Internet Security

We often believe that Millennials are very tech-savvy; even more tech-savvy than the rest of us. Thus, we also believe that they are more cautious when it comes to security. This isn’t true, though. A Millennial is just as likely to put your business at risk as any other employee.

Myth – My Company Can Combat Cyber Criminals

You might have a false bravado about your ability to combat cybercrime. The truth is, you are probably far from prepared if you are like the majority.

These myths run rampant in the business world, so it is very important to make sure that you are fully prepared to handle cybercrime.

Robert Siciliano, personal security and identity theft expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Top 10 Signs of a Malware Infection on Your Computer

Not all viruses that find their way onto your computer dramatically crash your machine. Instead, there are viruses that can run in the background without you even realizing it. As they creep around, they make messes, steal, and much worse.

Malware today spies on your every move. It sees the websites you visit, and the usernames and passwords you type in. If you log in to online banking, a criminal can watch what you do, and after you log off and go to bed, he can log right back in and start transferring money out of your account.

Here are some signs that your device might already be infected with malware:

  1. Programs shut down or start up automatically
  2. Windows suddenly shuts down without prompting
  3. Programs won’t start when you want them to
  4. The hard drive is constantly working
  5. Your machine is working slower than usual
  6. Messages appear spontaneously
  7. Instead of flickering, your external modem light is constantly lit
  8. Your mouse pointer moves by itself
  9. Applications are running that are unfamiliar
  10. Your identity gets stolen

If you notice any of these, first, don’t panic. It’s not 100% that you have a virus. However, you should check things out. Make sure your antivirus program is scanning your computer regularly and set to automatically download software updates. This is one of the best lines of defense you have against malware.

Though we won’t ever eliminate malware, as it is always being created and evolving, by using antivirus software and other layers of protection, you can be one step ahead. Here are some tips:

  • Run an automatic antivirus scan of your computer every day. You can choose the quick scan option for this. However, each week, run a deep scan of your system. You can run them manually, or you can schedule them.
  • Even if you have purchased the best antivirus software on the market, if you aren’t updating it, you are not protected.
  • Don’t click on any attachment in an email, even if you think you know who it is from. Instead, before you open it, confirm that the attachment was sent by who you think sent it, and scan it with your antivirus program.
  • Do not click on any link seen in an email, unless it is from someone who often sends them. Even then, be on alert as hackers are quite skilled at making fake emails look remarkably real. If you question it, make sure to open a new email and ask the person. Don’t just reply to the one you are questioning. Also, never click on any link that is supposedly from your bank, the IRS, a retailer, etc. These are often fake.
  • If your bank sends e-statements, ignore the links and log in directly to the bank’s website using either a password manager or your bookmarks.
  • Set your email software to “display text only.” This way, you are alerted before graphics or links load.

When a device ends up being infected, it’s either because of hardware or software vulnerabilities. And while there are virus removal tools to clean up any infections, there still may be breadcrumbs of infection that can creep back in. It’s generally a good idea to reinstall the device’s operating system to completely clear out the infection and remove any residual malware.

As an added bonus, a reinstall will remove bloatware and speed up your devices too.

Robert Siciliano, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Computers perfectly forge Handwriting

Handwriting analysts really have their work cut out for them now, thanks to the development of new software that can forge—better than a human can—a person’s handwriting. So if you are worried about identity theft, add one more element to the kettle: a crook getting ahold of this software (developed at the University College London) and perfectly duplicating your signature.

Previous attempts to create computer generated forgery that looked real have flopped, a la, “This looks like a computer did it!”

A new algorithm has been invented that very much simulates the way a human creates handwriting. One of the tell-tale signs of computer generated signatures or other cursive is that it looks too perfect, particularly the linking of characters to each other.

The new algorithm captures the human qualities of penmanship, including:

  • The joining of the characters. Note that with those fancy fonts that look handwritten, the joining of each letter is so perfect that you can tell it is computer generated.
  • Varying degrees of thickness of the characters—which results from continuous changes of pressure that a person exerts on the writing implement, as well as varying flow of ink from the pen.
  • Horizontal and vertical spacing of characters.

These variations mimic the handwriting of a human, not a robot. All the algorithm needs is one paragraph of someone’s handwriting to calculate and deliver the replication.

And you are probably wondering why this algorithm was developed, aside from maybe the researchers’ hunger for finally figuring out the puzzle to replicating handwriting with a computer. Obviously, this technology can get into the wrong hands, such as those of identity thieves, plaintiffs in personal injury lawsuits who want to forge a doctor’s signature, and other litigants in legal cases.

But this algorithm has a place in the world of good. For instance, those whose ability to physically generate cursive is impaired can use this tool to create stylish handwriting or writing that looks like theirs used to.

Robert Siciliano, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Don’t pick up that USB Drive!

What a very interesting experiment: Researchers randomly deposited 297 USB drives (aka USB stick, flash drive, thumb drive) around the University of Illinois Urbana-Champaign campus. They wanted to see just how many, and how soon after dropping them off, they’d be collected by people.

Turns out that 48 percent of the drives were taken and inserted into computers. The report at theregister.co.uk says that in some cases, this was done minutes after the drives were left in the public spots.

Picking up a USB drive off the streets and plugging it into your computer is akin to picking up discarded food off a sidewalk and eating it. You just never know what kind of infection you’re going to get.

And what you might get is a virus crashing your computer or stealing your data. That USB stick could contain malware—either left in public as a prank, or innocently lost or discarded without the original owner knowing it’s infected.

Or…it might have been left in a public spot by a hacker with full intent of gaining control of your computer to collect your personal data and committing fraud, such as opening lines of credit in your name or emptying out your bank account.

The USB sticks for the study contained HTML files with embedded img tags. The tags allowed the researchers to track the USB activity, which is how they knew that, for instance, one of them was plugged into a computer only six minutes after it was left to be “found.”
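A defender can look for this kind of tracking tag without opening the files in a browser. The following is an added example, not code from the study or from this article: a Python sketch that walks a mounted drive and lists every HTML tag that would fetch something from another machine when rendered. The sample files, the tracker.example host and the function names are constructed for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag attributes a browser fetches automatically when it renders a page.
AUTOLOAD_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "link": ("href",), "video": ("src", "poster"), "audio": ("src",),
    "object": ("data",),
}

def is_remote(url):
    """True if fetching this URL would contact another machine."""
    url = url.strip()
    if url.startswith(("//", "\\\\")):      # protocol-relative URL or UNC path
        return True
    parts = urlparse(url)
    if parts.scheme in ("http", "https", "ftp"):
        return True
    return parts.scheme == "file" and parts.netloc not in ("", "localhost")

def candidates(attr, value):
    """srcset holds a comma-separated list of 'url descriptor' pairs."""
    if attr == "srcset":
        return [p.split()[0] for p in value.split(",") if p.strip()]
    return [value]

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []                       # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        wanted = AUTOLOAD_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value:
                for url in candidates(name, value):
                    if is_remote(url):
                        self.refs.append((tag, name, url))

def scan_tree(root):
    """Map each HTML file under root (relative path) to its remote references."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            finder = RemoteRefFinder()
            with open(path, encoding="utf-8", errors="replace") as fh:
                finder.feed(fh.read())       # static parse only; nothing is fetched
            finder.close()
            if finder.refs:
                findings[os.path.relpath(path, root)] = finder.refs
    return findings

def build_sample_drive(root):
    """Constructed sample: one file with a remote 1x1 image, one with local content only."""
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Documents", "resume.html"), "w") as fh:
        fh.write('<html><body><h1>Resume</h1><img src="photo.jpg">'
                 '<img src="http://tracker.example/pixel.png?id=drive-017"'
                 ' width="1" height="1"></body></html>')
    with open(os.path.join(root, "notes.htm"), "w") as fh:
        fh.write('<html><body><img src="data:image/png;base64,AAAA">notes</body></html>')

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as drive:
        build_sample_drive(drive)
        for path, refs in scan_tree(drive).items():
            for tag, attr, url in refs:
                print(f"{path}: <{tag} {attr}> loads {url}")
```

The scan only reads the files as text, so it is best run on a machine set aside for inspecting unknown media.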

Only 16 percent of the people who picked up the sticks actually scanned them to check for viruses before plugging them into their computers. And 68 percent simply inserted them without any regard for what could get transferred into their computers.

  • Some users trusted that there was no harm.
  • Some plugged in the drive to seek out the owner.
  • Some intended to keep the stick.
  • Conclusion: A cybercriminal could easily take control of a business’s system by leaving a rigged USB drive in the parking lot, let alone get control of a personal computer by leaving the stick in any public place frequented by lots of people.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

2016 Information Security Predictions

No bones about it, 2016 is sure to see some spectacular, news-chomping data breaches, predict many in infosec. If you thought 2015 was interesting, get your seatbelt and helmet on and prepare for lift off…

Wearable Devices

Cyber crooks don’t care what kind of data is in that little device strapped around your upper arm while you exercise, but they’ll want to target it as a passageway to your smartphone. Think of wearables as conduits to your personal life.

Firmware/Hardware

No doubt, assaults on firmware and hardware are sure to happen.

Ransomware

Not only will this kind of attack continue, but an offshoot of it—“I will infect someone’s device with ransomware for you for a reasonable price”—will likely expand.

The Cloud

Let’s not forget about cloud services, which are protected by security structures that cyber thieves will want to attack. The result could mean wide-scale disruption for a business.

The Weak Links

A company’s weakest links are often their employees when it comes to cybersecurity. Companies will try harder than ever to put in place the best security systems and hire the best security personnel in their never-ending quest for fending off attacks—but the weak links will remain, and cyber crooks know this. You can bet that many attacks will be driven towards employees’ home systems as portals to the company’s network.

Linked Stolen Data

The black market for stolen data will be even more inviting to crooks because the data will be in sets linked together.

Cars, et al

Let’s hope that 2016 (or any year, actually) won’t be the year that a cyber punk deliberately crashes an Internet connected van carrying a junior high school’s soccer team. Security experts, working with automakers, will crack down on protection strategies to keep cyber attacks at bay.

Threat Intelligence Sharing

Businesses and security vendors will do more sharing of threat intelligence. In time, it may be feasible for the government to get involved with sharing this intelligence. Best practices will need hardcore revisions.

Transaction Interception

It’s possible: Your paycheck, that’s been directly deposited into your bank for years, suddenly starts getting deposited into a different account—that belonging to a cyber thief. Snatching control of a transaction (“integrity attack”) means that the thief will be able to steal your money or a big business’s money.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Eight security tips for travelers with laptops

These days, who doesn’t travel with their laptop? But commonality doesn’t make it inherently safe for your sensitive information that’s stored in the device. In fact, traveling with your laptop is inherently unsecure.

Whether you’re traveling for business or to visit family this holiday season, here are some ways to protect your laptop and your personal data:

  • Get a cable lock for your laptop. It’s a great way to deter a potential thief, especially if there are lots of people around.
  • Register with an anti-theft service to track your laptop should it get stolen or “lost.”
  • Carry your laptop in a bag that’s made specifically for these devices. If it’s awkward for you to carry a suitcase in one hand while the laptop bag is slung over the opposite shoulder, consider packing the laptop with lots of tight padding in your suitcase. (But only if the suitcase will be a carry-on that you’ll be gently handling.) This way it’ll be invisible to thieves.
  • If you go with the special laptop bag, don’t leave it unattended while you make a trip to the bathroom or food court. The same goes for a carry-on suitcase. Either belonging should be with you at all times.
  • Whenever you leave your hotel room, hang the “Do Not Disturb” sign. You never know what hotel employee would be tempted to get into your laptop should they enter your room upon thinking nobody’s in it.
  • Never let a stranger use your laptop, even if that stranger looks innocent. The need to protect your sensitive data is more important than the feelings of a stranger.
  • And back up your data—before the trip. Cloud backup such as Carbonite will update your data based on custom settings as frequently as you require.
  • If you absolutely must conduct personal or sensitive online transactions on a public Wi-Fi, use a virtual private network (VPN), as this will scramble your transaction and make it worthless to hackers snooping data streams. One of these snoopers could be sitting in the same coffee house or hotel lobby as you are. Or, they can be a thousand miles away.

Robert Siciliano is a personal privacy, security and identity theft expert to Carbonite discussing identity theft prevention. Disclosures.

What is a Cache?

Perhaps someone has told you that you need to “clear your cache,” but what does this mean and why should you do it? A cache is a folder of recently visited webpages, which is stored on your computer’s hard drive, and maintained by your Internet browser.

The purpose of a cache is to speed up the loading of webpages. Your computer’s hard drive collects data from websites that you visit, so that when you visit them again, certain aspects of the previously visited pages (such as graphics) don’t have to be reloaded the next time, and this makes the loading time a little bit shorter.

But the space your cache has on your hard drive is limited, and over time, it can get congested. Data that hasn’t been accessed for a while gets tossed out to make room for new data from the new pages that you visit.

And sometimes, the cache process doesn’t work properly. The result is an incompletely loaded page, or a page that looks odd because it’s supposed to load new content but it’s showing old content. (Sometimes, page loading problems aren’t caused by a faulty cache, but this is such a common cause that you’ve probably heard people say, “You need to clear your browser’s cache.”)

So, now that you know what a cache is, here are some specific steps to clear it on different browsers:

How to clear your cache in Chrome:

  • In the upper right of the browser click the little icon that says “Customize and control Google Chrome” when you hover over it with your cursor
  • Click History
  • Click “Clear browsing data”

How to clear your cache in Internet Explorer:

  • In the upper right of Internet Explorer, click the gear icon or “Tools”
  • Click Internet Options
  • Under “Browsing History” you’ll see a delete button; click that.

If you use another browser, and there are a few, search online for instructions on how to clear your cache.

Another option you have is to use software (free or paid) designed to clean the clutter from your computer and devices. These programs often work well, but sometimes they work too well and clean more than they are supposed to. It’s always a good idea to back up your information before cleaning your computer.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Attention Lenovo PC Owners: Something’s Fishy with Your Computer

Does your Lenovo computer have Superfish VisualDiscovery adware (a.k.a. spyware) installed? It’s possible if you purchased a Lenovo PC any time in September of 2014 and thereafter.

This Superfish software intercepts the Lenovo user’s traffic so that the user sees ads displayed that reflect their browsing habits. The problem with this targeted advertising scheme is that it comes with a vulnerability that makes it easy for hackers to attack.

Superfish enables targeted advertising by installing what’s called a trusted root CA certificate.

Encrypted browser traffic gets intercepted, decrypted and re-encrypted on its way to the user’s browser, which is a man-in-the-middle attack. Due to the trusted root CA, the user’s browser will not show any warnings that there’s something very fishy going on (i.e., an attack).

The private key of the Superfish software can be easily recovered. This enables a hacker to produce certificates for any website that’s trusted by a system that has the Superfish adware installed.

The hacker can then replicate websites, or spoof them, without the user ever knowing it because the browser won’t know it. The type of attack is called SSL spoofing.

Many Lenovo users, hence, have the perspective of, “How DARE Lenovo preinstall this software?!” Lenovo has received harsh backlash and has claimed they’ve discontinued these installations. But this doesn’t reverse the vulnerability of the PCs that already have the adware.

To find out if your Lenovo has this adware, see if it makes an HTTP GET request to superfish.aistcdn.com. If it does, uninstall the adware along with the root CA certificate. Don’t uninstall only the adware; that certificate is what gets the hackers in.
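On a small office network the GET-request check can be run against web proxy logs instead of on each PC. The following is an added example, not code from this article or from Lenovo: a Python sketch that reports which clients requested the superfish.aistcdn.com host. The log layout (timestamp, client, method, URL, status), the sample lines and the function names are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

INDICATOR_HOST = "superfish.aistcdn.com"     # the host named in the article

# Constructed sample log: timestamp client method url status
SAMPLE_LOG = """\
2015-02-20T09:14:02Z 10.0.0.21 GET http://superfish.aistcdn.com/constructed-path?x=1 200
2015-02-20T09:14:05Z 10.0.0.34 GET http://www.example.com/search?q=superfish.aistcdn.com 200
2015-02-20T09:15:11Z 10.0.0.34 GET http://superfish.aistcdn.com.example.net/index.html 200
2015-02-20T09:16:40Z 10.0.0.21 GET http://SUPERFISH.aistcdn.com:80/constructed-path 200
2015-02-20T09:17:03Z 10.0.0.50 POST http://superfish.aistcdn.com/constructed-path 200
2015-02-20T09:18:00Z 10.0.0.60
"""

def request_host(url):
    """Return the lower-cased host of a URL without port or trailing dot."""
    try:
        host = urlsplit(url).hostname
    except ValueError:                       # malformed URL in the log
        return None
    return host.rstrip(".") if host else None

def find_indicator_clients(lines, indicator=INDICATOR_HOST, method="GET"):
    """Map each client to the timestamps of its requests to the indicator host.

    The host is compared exactly, so a search query that mentions the name or
    a look-alike host such as superfish.aistcdn.com.example.net is not counted.
    Pass method=None to count every HTTP method.
    """
    hits = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) < 5:                  # truncated or malformed line
            continue
        timestamp, client, verb, url = fields[:4]
        if method is not None and verb.upper() != method:
            continue
        if request_host(url) == indicator:
            hits[client].append(timestamp)
    return dict(hits)

if __name__ == "__main__":
    for client, times in find_indicator_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {len(times)} request(s), first seen {times[0]}")
```

A client that shows up here still needs the adware and the root CA certificate removed on the machine itself.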

The Microsoft Windows certificate store, and the Firefox and Thunderbird certificate stores, can guide you in managing and deleting certificates.

Right now, the best thing to do is head to this site: https://lastpass.com/superfish/ and then this site: https://filippo.io/Badfish/ to confirm your device doesn’t have Superfish. If both check out OK, you’re good.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention. Disclosures.

PC Hard Drive Maintenance 101

Keeping your hard drive in tip-top shape is key to a well-running computer. A crashed hard drive means smacking a big wet-one goodbye to all of your data.

Eliminate Unnecessary Data

  • De-clutter the drive to make its workload easier.
  • One way of de-cluttering is to uninstall programs you never use (go to the control panel).
  • Review your files and folders and get rid of the ones you’re done using.
  • Store the ones that you rarely use but don’t want to delete on a flash drive.
  • Also use your computer’s disk clean-up program (go into “Computer,” right-click the hard drive, hit “Properties” and click “disk cleanup”) to help get rid of junk.

Keep the Drive Hopping

  • There are many freeware utilities that can help your hard drive provide you feedback of its integrity. You should use one of these, as they will tell you how your hard drives are performing—kind of like going to a doctor to get your cholesterol numbers—you want to nip any potential problems in the bud.
  • Go into “Computer,” then right-click the drive, and then hit “Properties.” Once here, click the “Tools” tab. You will see an option for checking errors. It is important for Windows to perform recurring checkups of your drive. So hit “Optimize” to get this task done.
  • Next up, go to the control panel. Click “Hardware and Sound” and hit “Power Options.” This choice will keep the hard drive feeling young.
  • Don’t let physical clutter engulf the perimeter of your computer; it needs room to breathe.
  • Make sure your computer doesn’t get too hot. One way this can happen is if you use it while in bed. You also don’t want your computer to get cold, either, but chances are, you won’t be doing computer work outside in 40 degree weather.

Reinstall your operating system

  • Google “How to reinstall Windows.. (your OS)” or the same with Mac. This is not all that hard to do. I do this every 2-3 years and I know others that do it every year. This is the single best way to keep your hard drive tight.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

What is an Advanced Persistent Threat?

If you’ve ever seen a movie where the bad guys are using ongoing, invasive hacking to spy on their “enemy,” you have some familiarity with an advanced persistent threat (APT).

This term usually refers to an attack carried out by a group that targets a specific entity using malware and other sophisticated techniques to exploit vulnerabilities in the target’s systems. It is often done for intelligence gathering with political, financial or business motives.

For example, an APT aimed at a corporation could take the form of Internet-based malware that is used to access company systems, or a physical infection, such as malicious code uploaded to the system via a USB drive. These kinds of attacks often leverage trusted connections, such as employees or business partners, to gain access and can happen when hackers use spear phishing techniques to target specific users at a company.

Remaining undetected for as long as possible is a main objective with these attacks. It is their goal to surreptitiously collect as much sensitive data as they can. The “persistent” element implies that there is a central command monitoring the information coming in and the scope of the cyberattack.

Even though APTs are not usually aimed at individuals, you could be affected if your bank or another provider you use is the target of an attack. For example, if attackers secretly gather intelligence from your bank, they could get access to your personal and financial information.

Since you could potentially be affected by an APT attack on an entity or company that you do business with, it’s important that you employ strong security measures.

  • Use a firewall to limit access to your network.
  • Install comprehensive security on all your devices, like McAfee LiveSafe™ service, since malware is a key component in successful APT attacks.
  • Don’t click on attachments or links you receive from people you don’t know.
  • Keep your personal information private. Be suspicious of anyone who asks for your home address, phone number, Social Security number, or other personal identifying information. And, remember that once you share personal information online it’s out of your control.
  • Check to see if the websites you share sensitive information with use two-factor authentication. This is a security technique that uses something that you know, such as your password, and something you possess, such as your phone, to verify your identity. For example, your bank may ask for your password online, as well as a code that it has sent via text message to your phone. This is a 2nd layer of protection and should be enabled for sensitive information.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.