Posts

Keeping Your SMB Bring-Your-Own-Devices Secure

If you have a small or medium sized business, it is likely that you have staff who are bringing their tablets, phones, iPads, and laptops to work every day. However, all of this puts your business to risk as they can also bring malware into your network.

On top of this, any of these devices can be lost, misplaced, or stolen. Since its extremely likely that your staff are using these devices for their work, think about all of the information that could be on there about your company…and it happens because Joe in accounting left his cell phone on the counter at a local coffee shop, and a hacker picked it up.

Also, think about this: depending on how successful your company is, there also might be a list of clients found on the devices, or at least a few. Now, someone has access to your clients, and what is stopping them from contacting your competitors and sharing your sensitive company information…for a price, of course.

Hacking also often involves the act of phishing where an employee will open up an email and then click on a link or open an attachment. When this happens, malware is unleashed, and the device and network is at risk.

Here are some tips to keep devices secure that you can share with your staff:

  • Only use apps that have been purchased from a reliable source like iTunes or Google Play.
  • Do not reuse passwords and use a different password for each login that you have.
  • Keep all apps and operating systems updated. Any update that comes in should be downloaded and installed immediately. Don’t choose to update later, as this is a great opportunity for hackers to get into a vulnerable app.
  • Start using anti-virus software. These apps can be found in iTunes or in the Google Play store.
  • Be cautious when installing anything with a “free download.” Sometimes viruses and malware can be found there, and they can get out onto your network before you know it.
  • Choose the feature where device passwords are protected and wiped clean after a certain number of log-in attempts.
  • Make sure that all staff understands that free Wi-Fi spots are not secure. So, they should be using a VPN anytime they are trying to connect to a free Wi-Fi network.
  • Phishing scams are becoming more common than ever before, so make sure that your staff knows how to recognize scams like this.
  • Don’t trust email addresses that you don’t know and don’t trust any email that claims it is coming from the CEO or Board of Directors unless it’s an email that you can verify.
  • Do not use any device that is jailbroken. This opens it up to too many viruses.

Understanding MDM

Mobile device management software, or MDM, should be used. This software helps to protect devices, and it is a safety net for any type of business or personal device. For instance, if a mobile device is lost and the person who finds it tries to enter the passcode a certain number of times, the device will lock out the person doing it. You can also set it so that the entire device is erased if there are too many login attempts. MDM also offers firewall protection, encryption, and antivirus capabilities. Additionally, it can monitor the system to add another level of security. There should be a policy in place that every employee must use this software on their device, or they can’t use it.

Utilize Additional Experts

“Do it yourself” information security for small business in theory might seem to save a few bucks. But in the long run it might cost your small business a lot more. Engaging experts such as Managed Security Service Providers, or for smaller businesses, also known as a Virtual CISO’s (chief information security officer), can run the most comprehensive vulnerability scanning software among other ethical hacking tools, will make sure bad guy hackers can’t get in and make a mess of all you have worked for.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

SMBs Including Real Estate, Watch Out for these Cyber Security Threats!

There used to be a time when hackers only targeted retailers, but these days, they can target almost any business in any industry, especially those that are not aware of the best cyber security practices.

cyberattack

One of these groups is the real estate industry, and according to a recent survey, approximately half of all businesses in real estate are not prepared to handle any type of cyberattack. Though Federal law requires specific industries, like banks and hospitals, to have security in place, the real estate industry is not one of them. If you work in real estate, here are some common cyber security threats to keep an eye out for.

Business Email Compromise – BEC

A BEC, or business email compromise, is a type of cyberattack that tricks a company into wiring cash into the bank account of a criminal. Hackers do this by “spoofing” email addresses, and then then sending messages to recipients that look like they are coming from someone they trust, such as the CEO or the head of accounting.

This happens a lot; the FBI has found that billions of dollars have been lost due to BEC scams. Yes, this is pretty scary, but there is more. The FBI has also said that those in the real estate industry are targeted, and anyone who participates in a real estate transaction is a possible victim.

Wire Scams During Mortgage Closings

There are also scams during closings. Here’s how it works. Before the sale of a home is complete, the buyer gets an email from their Realtor, a title attorney, or another trusted person in the industry with the details of the date, time, and locations where the closing will take place. Scammers know this, so they create a different email that tells the buyer where to wire the money. But it’s right to the bank account of the scammer. Within minutes of the transfer, the money is pulled out of the account, and the scammer is gone.

The Internet Crime Complaint Center, part of the FBI, shared statistics that from 2015 to 2017 there were more than 10,000 victims of these scams, and the losses here totaled more than $56 million…and it’s growing all of the time.

Ransomware

Another thing that those in the real estate industry need to be aware of is ransomware. This is a type of malware that shuts down a network or a device so that you can’t get into it until you pay up. This is a very profitable scam for hackers, and it is becoming very popular year over year. All it takes is one person on your team to click on a link, and the entire network could be compromised.

Keep in mind that ransomware attacks don’t just target computers. These attacks can target any devices that connects to the internet, including smart thermostats, smart lights, and smart homes. When a digital device gets a ransomware infection, they stop working.

Malware

Though most people have heard about ransomware, there are other forms of malware, too. For example, you have likely heard of spyware or Trojans, which are still out there. Specifically, these are used for cybercriminals to spy on those they are targeting. They can get access to a victim’s bank account, or even steal their email inbox. Hackers also use malware to steal personal info or employee information, and they can get things like personal client information Social Security numbers, credit card numbers, and more. Just knowing this, you can understand why those in the real estate industry are targets.

Cloud Computing Providers

If you work in the real estate industry, your livelihood is at risk thanks to cloud computing. This, you might know, is a more economical way to backup information, so while it is necessary, there are risks. However, hackers can get into these “clouds,” and if they do, they can get access to all of the data in there.

It may seem that by using a cloud computing company that you are actually lowering your risk of becoming a target, but the truth is this: there is still a risk because your devices are likely not as secure as you think, and your passwords are probably not as strong as you think. This means making sure you’re not using the same passcode for any other accounts and enabling two factor authentication for everything.

Don’t Let Your Real Estate Company Become a Victim of a Cyberattack

Now that you know your real estate company can be a target of a scammer, you may wonder how you can lower your risks. Here are some great tips:

  • Write New Policies – One thing you can do is to write new policies to keep things safe. For instance, when you think of BEC scams, if you have a policy in place where you ban wiring money to someone based only on information from an email, you won’t have to worry about BEC scams any longer. Instead, make it a rule that you must talk to the person sending the email, and you must be the one to make the call to confirm. Don’t call the number that is in the email, though. Confirm that it is correct. It could be the number of the scammer.
  • Teach Your Staff – You also want to make sure to have better training for your staff. Most of the attempts at hacking come from email, so when you train your staff to stop blindly opening attachments nor click on links in emails, you can protect yourself from these scams. You also should look into a Cyber, Social & Identity Protection Certification This is where you can learn more about the methods and strategies that you can employ to cut down on any incidents. You can also learn about developing procedures that help keep your clients safer.
  • Teach Your Clients – Speaking of clients, you want to help them, too. All wire scams having to do with closings can be prevented in most cases. Make sure your clients know that in the process of selling or buying a home, there are going to be a lot of emails floating around, including those from Realtors, mortgage companies, insurance companies, home inspectors, real estate attorneys, and more. Make sure they know that before clicking on anything or wiring money that they should first call their Realtor. They should never, ever send money unless they get the go-ahead to do it, and then they still need to make sure to confirm that the transfer is going to the right place.
  • Back Up Your Devices and System – Always make sure that everything is backed up, including your devices and your network. This way, if you do get hacked, you won’t have to pay a ransom, and the information is easy to get back.
  • Check on Cloud Computing Contracts – It is also a good idea to look into what you are getting from your cloud computing provider. They don’t like to take responsibility for a cyberattack, and there might even be something in your contract with them that says they won’t. So, you should start your own negotiations with the company in question about what you can do about something like this.
  • Buy Cyber-Liability Insurance – Finally, you should consider getting cyber-liability insurance. This could definitely help make things less risky for your real estate business. There are all types of different policies out there, so do some research or speak to a professional.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity and Personal Protection security awareness training program.

Bitcoin Scams Up the Ying Yang

If you are thinking of jumping onto the Bitcoin bandwagon, or any type of cryptocurrency, you have to make sure that you are watching out for scams. There are a ton of them out there, including the following:

Fake Bitcoin Exchanges

You have to use a Bitcoin exchange if you want to buy or sell Bitcoins, but not all of them are legitimate. Instead, many of them are created for the sole purpose of taking people’s money. Only use well-known exchanges.

Ponzi Schemes

Bitcoins are not exempt from Ponzi schemes, and you have to look out for these. These are like pyramid schemes, and you definitely don’t want to get caught up with this, as you will certainly lose your money.

Fake Currency

You have certainly heard of Bitcoin, but there are other cryptocurrencies on the market, too, as alternatives to Bitcoin. However, there are also fake ones. For instance, one of these, My Big Coin, was fake, yet the people behind it managed to take more than $6 million from customers.

Well-Known Scams

Bitcoin scammers also rely on old school, well-known scams to trick people. They might, for instance, send emails pretending to be the IRS or even having some type of Bitcoin sale. People fall for these scams every day. If it seems weird, like the IRS emailing about Bitcoin, it is most definitely a scam.

Malware

Malware is another associated scam with Bitcoin. Most, or all wallets are connected online, scammers can use malware to access the account and take your money. Malware can get on your computer in a number of ways, including from websites, social media sites, and even through email.

Fake News

We live in an era where online news is the most popular method to get news, but it’s also very easy to create news stories that seem totally legitimate, yet they are absolutely fake. Basically, scammers create these stories to bait victims, so always think before you start clicking.

Phishing

These Bitcoin scammers also use phishing scams to try to get money from people who are trying to buy and sell Bitcoin. These scams are often done by clicking malicious links.

It doesn’t matter if you join the Bitcoin craze or not, you can also use these tips to keep yourself safe from other scams. Here’s some final tips:

  • Always do a security scan on your laptops, computers, phones, and tablets on a regular basis.
  • Do your research before investing in any cryptocurrency website. Make sure it is trustworthy and secure.
  • Store all of your cryptocurrency in a wallet offline, which keeps it protected from scammers.
  • Always monitor all of your banking, credit card, and cryptocurrency accounts.
  • Always insist the crypto site has two step or two factor authentication.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Top 10 Signs of a Malware Infection on Your Computer

Not all viruses that find their way onto your computer dramatically crash your machine. Instead, there are viruses that can run in the background without you even realizing it. As they creep around, they make messes, steal, and much worse.

Malware today spies on your every move. It sees the websites you visit, and the usernames and passwords you type in. If you login to online banking, a criminal can watch what you do and after you log off and go to bed, he can log right back and start transferring money out of your account.

Here are some signs that your device might already be infected with malware:

  1. Programs shut down or start up automatically
  2. Windows suddenly shuts down without prompting
  3. Programs won’t start when you want them to
  4. The hard drive is constantly working
  5. Your machine is working slower than usual
  6. Messages appear spontaneously
  7. Instead of flickering, your external modem light is constantly lit
  8. Your mouse pointer moves by itself
  9. Applications are running that are unfamiliar
  10. Your identity gets stolen

If you notice any of these, first, don’t panic. It’s not 100% that you have a virus. However, you should check things out. Make sure your antivirus program is scanning your computer regularly and set to automatically download software updates. This is one of the best lines of defense you have against malware.

Though we won’t ever eliminate malware, as it is always being created and evolving, by using antivirus software and other layers of protection, you can be one step ahead. Here are some tips:

  • Run an automatic antivirus scan of your computer every day. You can choose the quick scan option for this. However, each week, run a deep scan of your system. You can run them manually, or you can schedule them.
  • Even if you have purchased the best antivirus software on the market, if you aren’t updating it, you are not protected.
  • Don’t click on any attachment in an email, even if you think you know who it is from. Instead, before you open it, confirm that the application was sent by who you think sent it, and scan it with your antivirus program.
  • Do not click on any link seen in an email, unless it is from someone who often sends them. Even then, be on alert as hackers are quite skilled at making fake emails look remarkably real. If you question it, make sure to open a new email and ask the person. Don’t just reply to the one you are questioning. Also, never click on any link that is supposedly from your bank, the IRS, a retailer, etc. These are often fake.
  • If your bank sends e-statements, ignore the links and login directly to the banks website using either a password manager or your bookmarks.
  • Set your email software to “display text only.” This way, you are alerted before graphics or links load.

When a device ends up being infected, it’s either because of hardware or software vulnerabilities.  And while there are virus removal tools to clean up any infections, there still may be breadcrumbs of infection that can creep back in. It’s generally a good idea to reinstall the devices operating system to completely clear out the infection and remove any residual malware .

As an added bonus, a reinstall will remove bloatware and speed up your devices too.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Malware Hack Attacking the Grid…BIGLY

For more than four years, malware has been posing as legitimate software and infecting industrial equipment across the globe.

The malware, which looks just like the Siemens control gear software, has affected at least seven plants in the US. According to security experts, the malware was specifically designed to attack this industrial equipment, but what it does is not totally known. It is only described as a type of “crimeware.”

The malware was first hinted at in 2013, but at that time, it was not seen as dangerous, and many anti-virus programs were flagging it as dangerous, but it was considered a false positive. Eventually, it was seen as a type of basic malware, and upon further inspection, it was found that there are several variations. The most recent flag was in March 2017.

This particular infestation is only one of many malware infections that target industry. Approximately 3,000 industrial locations are targeted with malware each year, and most of them are Trojans, which sometimes can be brought in by staff on found or compromised USB sticks.

Most of these programs aren’t extremely harmful, meaning they won’t shut down production. However, what they could do is pave the way for more dangerous threats down the road. It also allows for sensitive information to be released.

It is not easy for hackers to infiltrate an industrial plant, and it takes good knowledge of layout, industrial processes, and even engineering skills to pull something like that off. This goes way beyond a simple malware attack.

However, these attacks have also brought to light the issue of how many legitimate files are being flagged as malware and vice versa. This means that the files can be used by the bad guys, who can then target a specific industrial site. There are thousands of these programs out there, ripe for the picking by observant hackers.

What can they do if they get this information? They could find out where the site is, who operates it, the layout and configuration, what software they have, and even what equipment they are using. Though this wouldn’t give them everything they need, it would be enough to plan a bigger, more dangerous attack.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Pokemon Go a Network Malware Nightmare

Pokémon Go has taken the world by storm, even though it is nothing more than a silly little game that people play on their mobile device. And it is not just child’s play, either. Plenty of adults are hooked on Pokémon Go—including college degreed professionals who conduct business on company owned devices as well as mobile devices of their own that they bring to work.

6DPokémon Go is chockful of security risks, says the International Association of IT Asset Managers. If you run a company in which employees use your mobile devices, and/or you permit or know that employees conduct your company’s business on their personal phones, you’d better take this warning seriously.

Employer solution: ban the Pokémon Go application from mobile devices: those given to workers by the company, and those personally owned by the workers who bring them to the workplace.

Pokémon Go malware is on the upswing, and it poses a security threat to company e-mail. It also presents a possible malware threat to cloud storage.

Company decision makers must not be swayed by the popularity of this game, and instead, must see it for what it truly is: just a game. So yes, it just might be one of the smartest moves a company may make to outright prohibit this app for BYOD and company owned mobile phones. Or, at least, abolish it on just the company owned devices. But something needs to be done, urges the IAITAM.

Company decision makers can ask themselves a classic question: “Is my company better with Pokémon Go or without it?” Or, to put it another way, create a risk-benefit ratio. How can this game possibly benefit employees? How can this game harm the business? See which list is longer or has more compelling answers.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

What is Malvertising?

Malevolent advertising is called malvertising. The “ad” is placed on a website by cybercriminals who want control of your computer for financial gain.

11DAnd the real scary thing about malvertising is that these trick-ads have appeared on trusted, popular websites like the Weather Network, BBC, NFL and the New York Times.

Oh, and it gets worse: The malicious ad can be hidden, unseen by the site visitor, thanks to a special html code that allows the bad ad to be inside legitimate content. This trick-code is usually hidden in what are called iframes—without affecting the rest of the site appearance.

The type of cybercriminal who succeeds at this needs to be patient and clever.

  • Legitimate advertisers place their ads with ad networks, bidding for ad placement.
  • Ad networks, which handle the bidding, serve the ads to websites.
  • Crooks may place legitimate ads with these networks to gain a good reputation, or, crooks run networks.
  • After building trust with placement of legit ads, the crooks graduate to ad placement on high traffic sites, and then they put in their malicious code in the iframes: malvertisements.
  • When you’re on one of these infected pages, the ad will release malware to your computer that can do a whole host of damage.

What to do?

  • Keep all your software and systems up to date.
  • Install an ad blocker, but be judicious, because ad blockers can disrupt the presentation of some sites, e.g., blocking some content, not just the ads. You may not mind this inconvenience, but also realize that an ad blocker will not block every malvertisement, either.
  • Install antivirus software or an anti-exploit kit that will snuff out exploit kits, a favorite tool of the malvertiser.
  • Exploit kits prowl your computer for vulnerabilities, and the right software will detect and neutralize them.
  • Uninstall browser plugins you have no use for, especially if they’re the vulnerable Adobe Flash and Java.
  • Set the remaining plugins to click to play, which will give you the option to run a plugin when a site you’re visiting wants to load one.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

32 Million Twitter Pass for sale Add two-factor NOW

The Dark Web, according to LeakedSource, got ahold of 33 million Twitter account details and put them up for sale. Twitter thus locked the accounts for millions of users.

5DTwitter, however, doesn’t believe its servers were directly attacked. So what happened? The bad guys may have created a composite of data from other breached sources. Or, they could have used malware to steal passwords off of devices.

Nevertheless, the end result meant that for many Twitter accounts, there was password exposure—leading to the lockdown of these accounts. The owners of these accounts had to reset their password after being notified of this by e-mail.

Some users who did not receive this e-mail notification will find that their accounts are locked.

An Ounce of Prevention

  • Go through the passwords of all of your vital accounts, and see which ones are unique, long and strong. You’ll likely need to change many passwords, as most people use simple to remember passwords that often contain keyboard sequences and/or words/names that can be found in a dictionary, such as 890Paul. These are easily cracked with a hacker’s software.
  • Who’d ever think that Facebook’s chief executive Mark Zuckerberg’s Twitter account could be hacked? It was, indeed, and it’s believed this was possible due to him reusing the username of his LinkedIn account several years ago.
  • So it’s not just passwords that are the problem; it’s usernames. Not only should these be unique, but every single account should have a different username and password. However if a username is an email address, you can’t do much here.
  • Passwords and usernames should be at least eight characters long.
  • Use more than just letters and numbers-use characters if accepted (e.g., #, $, &).
  • So Paul’s new and better password might be: Luap1988($#.
  • Sign up with the account’s two-factor authentication. Not all accounts have this, but Twitter sure does. It makes it impossible for a crook to sign into your account unless he has your cell phone to receive the unique verification code that’s triggered with every login attempt.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Yes, Macs Can get Malware

So Macs can be infected with malware. Who would have ever thought? The malware at issue here is the dreaded ransomware. Ransomware scrambles up your files, and the hacker at the helm says he’ll give you the cyber “key” in exchange for a handsome payment.

6DRansomware historically has primarily impacted Windows users, but recently it got into OS X—its latest version, Transmission.

  • The virus cyber-incubates for three days.
  • Then with a Tor client, it connects to an Internet server and locks vulnerable files.
  • The cyber key costs $400.
  • Nevertheless, this attack, which doesn’t happen as easily as, say, being lured into clicking a malicious video, is easily spotted.
  • Apple quickly mitigated the problem before anyone’s data had a chance to get encrypted by the virus and held hostage for the bitcoin payment.
  • In summary, Macs are not immune to ransomware, but the circumstances under which the user is victimized are unique and rigid.
  • To avoid the crush of a ransomware attack, regularly back up your data!

It’s time to take precautionary measures, while at the same time, not allowing anxiety to creep in every time you use your device.

  • Be careful when downloading applications.
  • Never run apps that are unfamiliar to Apple. Go to System Preferences, then Security and Privacy, then General.
  • You will see three safety levels. Now, you should never download an app from a third-party vendor. One of the safety levels is called Mac App Store. If you choose this one, all the apps you get will only come from the Mac app store, meaning they will have been given the green light by Apple.
  • To widen the app selection, you can choose Mac App Store with identified developers. This will allow you to get applications created by developers whom Apple has endorsed. However, this doesn’t mean it’s as secure as the Mac App Store choice, because the identified developers’ product was not tested for security by Apple—but at least Apple will block it if it’s infected.

Updates

  • Never put off tomorrow what you can update today. Download updates the moment you are cued to do so.
  • Go into the App Store, hit Updates and then Update All to make sure you’re caught up on updates.
  • To avoid this hassle in the future, put your settings on automatic updates: System Preferences, App Store, Download newly available updates in the background.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Businesses Struggling to Keep Up with Latest Wave of Malware Attacks

Companies have been struggling for years to keep cyber-attacks at bay. Cyberthieves are working faster than ever before to send out their malicious attacks, and it’s become increasingly difficult for companies to keep up.

CNN reports that almost one million malware strains are released every day. In 2014, more than 300 million new types of malicious software were created. In addition to new forms of malware, hackers continue to rely on tried and true bugs because many companies simply haven’t found a fix or haven’t updated their systems to mitigate the threats.

In almost 90% of these cases, the bugs have been around since the early 2000s, and some go back to the late 1990s. The irony here is that companies can protect themselves and create patches for these bugs, but there tends to be a lack of effort and resources when it comes to getting the job done.

Some industries are targeted more than others. After hackers get information from these companies, such as proprietary data, they attempt to sell the information on the black market.

Cyberattacks are spreading quickly, and it takes almost no time after an email is sent for a victim to fall for the scheme. When a hacker is successful at breaking into a certain type of company, such as a bank or insurance firm, they will typically use the same exact method to quickly attack another company in the same industry.

New and improved cyber attacks

While old methods of cyber-attack can still be effective, it is the new scams that users should be nervous about. Here are some examples:

  • Social media scams
    Social media scams work and cybercriminals just love them because the people being scammed do most of the work. Cybercriminals release links, videos or stories that lead to viruses, and people share them with their friends because they are cute, funny or eye-raising. These tend to spread quickly because people feel as if they are safe.
  • Likejacking
    Hackers may also use a practice known as “likejacking” to scam people on social media. In this case, they will use a fake “like” button that tricks people into installing malware. The programs then post updates on the user’s wall or newsfeed to spread the attack.
  • Software update attacks
    Hackers are also focusing on more selective attacks. For example, a hacker may hide malware inside of a software update. When a user downloads and installs the update, the virus is set free.
  • Ransomware
    These attacks, where thieves steal or lock files on a person’s computer and then demand a ransom for access, climbed more than 110% in the last year alone. Once infected, the only way to regain access to the files is to pay a fee, usually between $300 and $500, for a decryption key.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.