Category Archives: Cyber Crime

Top 5 Tips to Keep Your Website And Network Secure

Every day, innocent websites are compromised by malicious hackers. Google identifies almost 10,000 malware-infected websites each day, and half of those are genuine websites belonging to legitimate companies. These companies haven’t done anything wrong, but they find themselves blacklisted by Google, and that’s only the edge of the brutal iceberg.

Hackers inject vicious malware into these sites to infect visitors. They confuse and lure users to dodgy websites and they break in and steal important and often sensitive customer information.

It’s a real and constant problem, but there are easy and simple steps you can take to guard against these attacks and keep your site, your network, and your customers safe and sound.

1. Use strong passwords, keep them secure and change them frequently

We all know that we should choose complex passwords, but sometimes laziness takes over and we slack off. This is a crucial mistake. Obviously, you want to choose exceptionally strong passwords for your server and website admin area, because a vulnerable password here is a free ticket for hackers to cripple your site and do untold amounts of damage.

It can be inconvenient to remember frequently changing passwords, but in the end, it’s a simple solution that can save a lot of headaches in the future. It’s also imperative that you enforce good password practices for your users.

Compromised user accounts are a special hell of their own. Demanding that minimum password requirements are met for registration will force users to make smart choices. Insist on eight characters, at least an uppercase letter and a number or special character. It’s a bit of a hassle, but it’s worth it.

Make sure that passwords are never stored in plain text but as hashed values. Ideally, you’ll use a one-way hashing algorithm like SHA. This means that during authentication, only hashed values are ever compared. In a worst-case scenario, if someone hacks in and steals the password store, this will limit the damage.

They can’t reverse the hashes, and they will be reduced to attempting dictionary or brute force attacks, trying every single combination until a match comes up. It’s time consuming and computationally expensive and just not worth the effort for most people.

Your wireless network password should be seriously strong, and the network should be protected by Wi-Fi Protected Access 2 (WPA2) rather than WEP (Wired Equivalent Privacy). WEP encryption is brittle and hackable in minutes these days and should never be relied upon.

It’s also imperative to ensure that your PCs are well protected against viruses at all times to prevent password theft.

2. Be discreet with your error messages

Make sure your error messages aren’t giving away too much information. If your website requires a login, you should pay attention to how your error messages deliver the message that their login attempt has failed. A quick-and-simple, very generic message such as “incorrect login information” is your best bet.

It doesn’t tell the user whether half the query is right (especially not which half!). When a hacker is attempting brute force attacks to gain access to usernames and passwords and the error message identifies one field as correct, that’s valuable information for him. He then knows that he’s halfway there and can concentrate all his attention and effort on the remaining field. Don’t make it easy for them!
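The registration policy, hashed-password comparison (tip 1) and the generic login error (tip 2) described above, as an added Python example that is not part of the original post. It goes a little beyond the post’s plain SHA by salting and iterating the hash (PBKDF2 over SHA-256) and by making an unknown-user failure cost the same as a wrong-password failure; the in-memory user store and the names `register`/`authenticate` are the example’s own.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Constructed in-memory user store for the example: username -> (salt, hash).
# A real site would keep these two values in its user table instead.
_USERS = {}

# Assumption: PBKDF2 iteration count; tune it upward for your hardware.
PBKDF2_ITERATIONS = 100_000

GENERIC_FAILURE = "incorrect login information"


def password_meets_policy(password: str) -> bool:
    """The post's minimum policy: 8+ characters, at least one uppercase
    letter, and a digit or a special character."""
    if len(password) < 8:
        return False
    if not re.search(r"[A-Z]", password):
        return False
    return bool(re.search(r"[0-9]|[^A-Za-z0-9]", password))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way hash of the password with a random per-user salt, so two users
    with the same password get different stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def register(username: str, password: str) -> bool:
    """Refuse duplicate usernames and passwords that fail the policy;
    otherwise store only salt + hash, never the plaintext."""
    if username in _USERS or not password_meets_policy(password):
        return False
    _USERS[username] = hash_password(password)
    return True


# A dummy record hashed once at import time: a login attempt for an unknown
# user is hashed against it, so the response time does not reveal whether
# the username exists (the same point as the generic error message).
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy-password-not-used")


def authenticate(username: str, password: str) -> Tuple[bool, str]:
    """Return (ok, message). Every failure, whatever its cause, yields the
    same generic message so neither field is confirmed to the caller."""
    salt, stored = _USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    _, candidate = hash_password(password, salt)
    # compare_digest is a constant-time comparison of the two hash values;
    # the plaintext password is never stored or compared directly.
    matches = hmac.compare_digest(candidate, stored)
    if matches and username in _USERS:
        return True, "ok"
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    register("alice", "Kayak#2012")
    print(authenticate("alice", "Kayak#2012"))   # (True, 'ok')
    print(authenticate("alice", "wrong"))        # (False, 'incorrect login information')
    print(authenticate("nobody", "Kayak#2012"))  # same generic message
```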

3. Keep software up to date

Make sure that you’re consistently and quickly applying security updates to all of your software. This ranges from your personal PC’s virus protection to your server operating system and website software such as content management systems, forums, and blogging platforms.

Hackers are quick to exploit any known holes and bugs, and you want to get there first. Sign up to the mailing lists and RSS feeds of all your software vendors. They’ll be the first to alert you to any security issues and their solutions. Read the advisories and act on them.

4. Limit Use of your Administrator Account

Keep your computer’s admin account for installing updates and software, or for reconfiguring the host when you have to. Don’t go online while logged into your admin account. Non-privileged user accounts are not just for guests and visitors: you should have one yourself for everyday use. If you browse the web and read your email with an admin account, you leave yourself open for an attacker to gain entry and access to your host.

5. Ask the experts

You don’t have to do it all on your own. There are good tools out there for monitoring your own website, but not everyone has the time or inclination to stay on top of security 24/7.

It’s possible to find monitoring services for very reasonable prices. These companies will check for malicious activity, give you an alert if your website shows up on a blacklist, scan your site for vulnerabilities, and be there for support and repairs if you do fall prey to a hack.

If you’re dealing with databases of sensitive customer information that are attached to your site, it’s probably worth it to get an expert in from the start, sweeping your code for bugs and building in extra lines of defense from the ground up. For small businesses, companies such as SiteLock and Stop the Hacker offer packages for under $100 a year.

This guest post was provided by Amanda Gareis on behalf of Drexel University Online. Drexel expanded into the online learning sector in 1996 and now offers its recognized curricula to a worldwide audience. Drexel Online offers degrees in Information Science, Information Technology, and Computing and Security Technology. The university also provides an Information Technology Career and Salary Guide resource for those looking to enter the industry.


How To Avoid Online Scams – PC Tools Lays Out A Plan

From this morning’s Tech Thoughts Daily Net News column – “Some of these campaigns consist of emails that are so effectively crafted that they could fool even some of the more advanced users, while others look so obviously fake that they are spotted by all but the most inexperienced ones.”

Does this sound like “new” news to you? If you’re a long-time reader here, I suspect not. Still, at the risk of sounding like a broken record, I’m reposting one of the most read posts from 2012, one that can help users (especially less aware users) avoid being scammed online.

Yes, it’s repetitive – Yes, it’s repetitive – Yes, it’s repetitive! But that’s the point. In order to achieve a change in behavior (and, average users must change their online behavior) – repetition of the correct behavior, is fundamental to achieving that goal.

_______________________________________________________

Cyber crooks and scam emails – a natural fit – aimed at the significant number of Internet users who remain unaware of the very real dangers that scam emails hold for their safety, security, identity – and, their wallet.

Cyber criminals are experts at crafting “attention grabbers” designed to reel in the unwary and undereducated Internet surfer. Here are a few attention grabbers that consistently pay off – targeted towards the blissfully unaware Internet user. Especially those users who seem to have a natural tendency to “just click”.

Online shopping offers e.g. bargains from unknown stores.

Get rich quick schemes/work from home offers.

Offers to download mobile protection software.

Offers to download antivirus software.

Offers to win a prize e.g. answer this survey ‘for your chance to win’…

Movie offers e.g. search for a popular movie such as Twilight and an offer comes up to download the movie for free.

Online donations.

Occasionally, I’ll post an article directed at the “just click” crowd and, I can say without any hesitation – users who fall into this category of Internet user are ripe for the taking – it’s like picking apples from a tree. It couldn’t be easier.

Here are a couple of past articles which continue to draw huge numbers of the “just click” crowd.

Kate Middleton Nude – As If!

Nude Pics Of Your Wife/Girlfriend Attached – Click Here

Frankly, I fail to understand how anyone with a lick of common sense would be drawn in by those nonsense article titles. On the other hand, maybe common sense has nothing to do with it.

It could just as easily be that innate sense of overconfidence that seems to have infected society as a whole – most particularly the “tech savvy” generation.

Mark Twain had it right, I think, when he said – “It ain’t what we don’t know that hurts us. It’s what we do know that ain’t so – that does.” The “tech savvy” generation in a nutshell – maybe.

My friends over at PC Tools, recognizing the continuing need to educate users, have put together a Top Tips article – How to Outsmart Online Scammers – designed to help the unwary (overconfident) Internet user to identify online scams.

Richard Clooke, PC Tools online security expert, reveals in this article how to avoid being scammed online:

1. ASK – is this too good to be true?

$50 here, a holiday there, unlimited online offers from the world’s biggest brands – if you’re tempted by any of these free offers, then the answer is probably yes.

Many online scams trick us into revealing our personal information to secure something in return. It’s important to be aware of ‘fake offers’ to avoid being lured by savvy scammers.

2. DON’T – dish your details unless the site is secure.

Never provide personal or financial information in exchange for online offers. Details such as your mobile number, address, and credit card or banking details should never be entered on a non-secure site. When in doubt:

  • Double check the URL before typing a link into your browser.
  • Check there is a padlock icon in your browser before using your credit card online.
  • Check you’re on a secure site and that the address starts with ‘HTTPS’.

3. THINK – it can happen to me.

Many of us think we are savvy online, but the reality is cybercriminals are cashing in on relaxed attitudes to sharing personal details online. Results from the PC Tools study also showed that most people think scams are more likely to happen to others, rather than themselves.

We need to educate ourselves about online scams and be aware of the risk.

4. DO – invest in scam protection software.

What most of us don’t realize is that some online scams don’t involve malware at all, and while traditional Internet security is still essential, we now require additional protection to prevent cybercriminals from gaining personal information via other methods.

Regular readers here are familiar with this old request – still, it’s as pertinent as ever.

Be kind to your friends, relatives, and associates, particularly those who are inexperienced Internet users – let them know that there is an epidemic of this type of scam on the Internet. In doing so, you help raise the level of protection for all of us.


Voter Database Security Is A Myth

In this post, guest author David Maman, CTO and founder of GreenSQL – the database security company – questions the security reliability of voter databases.

Some of us spend days and months of indecision, hours in front of the TV watching campaign commercials and presidential debates, researching on the Net, mulling the options with family and friends, all ultimately to go to the polls to exercise our constitutional right to vote. For millions among us, this is a final decision and a terminal point.

Not for me.

As an information security specialist and database security researcher, I wonder where my vote goes, in what database it’s maintained, and, of course, how secure it is.

Hard experience has taught me that right now, somewhere, a hacker is trying to penetrate the voter databases “just for fun,” “to prove something,” or if I really want to be paranoid, “because he’s part of a powerful, international organization that seeks to dictate our political process by determining elections.”

Paranoia? I wish. One only has to read the news… last year, the databases of major companies were hacked: LinkedIn, Visa, KT Mobile, Sony, Zappos, etc. Of course, that tally doesn’t include the organizations who don’t know they were hacked.

Want news on voter databases being hacked in the last few years? Take a look at the list below, the result of a two-minute Google search:

July 15, 2012: Florida Allowed to Access Citizen Database for Voter Purge

July 27, 2012: Obama Administration to Open Voter Database

March 26, 2012: GOP’s Voter Vault Database Hacked, Candidates’ Identity Altered

August 2011: No Personal Information Compromised After Voter Database Hacked

At a time when databases are being constantly penetrated by unauthorized users and personal information is being stolen, misused or just maliciously exposed, the question remains: How secure are voter databases?

As if selecting a candidate isn’t vexing enough, now, I have a bigger concern: “How can I be sure my vote ultimately goes to the candidate of my choice?” “Will my vote be manipulated in any way, whether by foreign or domestic entities?” “Will my voter information be used to make it easier to have my identity stolen? (Even the FBI says identity theft represents a more serious threat than drugs.)”

About GreenSQL:

GreenSQL, the Database Security Company, delivers out-of-the-box database security solutions for small and mid-sized organizations. Started as an open source project back in 2006, GreenSQL became the no. 1 database security solution for MySQL with 100,000 users worldwide. In 2009, in response to market needs, GreenSQL LTD developed a commercial version, bringing a fresh approach to protecting databases of small- and medium-sized businesses.

GreenSQL provides database security solutions that are affordable and easy to install and maintain. GreenSQL supports Microsoft Azure, SQL Server (all versions including SQL Server 2012), MySQL and PostgreSQL.


What to Do When You Find Yourself a Victim of Identity Theft

Guest writer Marcia Cleighbourne lays out a step-by-step recovery process should you fall victim to identity theft.

Being a victim of identity theft can be an intensely painful experience. Not only does it cost the victim financially, but they also have a lot of work to do to fix the situation.

Identities can be stolen because of bad luck, or because of carelessness. Typically when someone’s identity is stolen, the thief will open up credit cards and other accounts in their name. Even with the most careful planning, one’s identity can be stolen with ease. Here are 5 things you need to do when you find yourself a victim of identity theft.

Credit Report

The first thing that should be done is to get a credit report. This can show the victim what damage has been done so far. They then should immediately put a fraud alert on all of their credit reports. This will prevent more accounts from being opened. By law, the credit agency you call is required to contact the other two. By placing an alert on one’s credit report, it becomes virtually impossible to open an account in their name.

Contact FTC

Though it is unlikely that a case will be prosecuted, the FTC should be contacted. They do pursue cases when they have the ability to do so. At the very least, by contacting the FTC, they will be able to identify trends, and possibly catch larger rings. There is a convenient online complaint form that can be used.

Closures

Now that the updated credit report has been obtained, it is time to close accounts. This would entail calling each company individually and explaining the situation. Large credit card companies have departments for just this purpose. Fill out fraud dispute reports for the fraudulent transactions. A police report can also be filed to help the process along as well as protecting the victim. Once the issue is resolved, get confirmation in writing.

Follow-Up

After 3-6 months of fixing the situation, follow up and get a copy of all three credit reports. Sometimes they are slow to remove items, or new accounts may have appeared. If the credit agencies did their job correctly, the reports should be free of any fraudulent accounts. This is so crucial because a credit score can suffer tremendously when it contains incorrect information. One should also leave the fraud alerts on their account open for a few more months. The inconvenience when opening an account will be well worth it.

Prevent Again

Once an identity has been stolen, the damage has been done. It is vital to take steps to ensure this does not happen again. Make sure that all paperwork is shredded, and the computer is not vulnerable. Update all anti-virus software on the computer. In addition, passwords to bank accounts and credit card accounts should be changed. A shredder should be purchased so all sensitive information can be destroyed safely.

Identity theft is more of a pain than anything, though it can have serious implications if not taken care of thoroughly. It is necessary to keep notes of every phone call, and to send all mail via certified mail. There are a lot of resources online that can help anyone who has had their identity stolen. Do remember that taking a few steps to prevent identity theft will go a long way.

Marcia Cleighbourne writes about law, personal finance & more at www.dentalinsurance.net.


Scan a QR code – Expose yourself to mobile malware

Guest post by David Maman – CTO & Founder of GreenSQL.

A single poisoned link is all it takes to expose an entire organization to a full-scale attack.

Hackers write sophisticated browser-based attacks that operate quite stealthily. Now, they’re going after our mobile phones, which are soon to be the number one way we access the web.

As QR codes have evolved, they now can offer users – and thieves – unlimited information within seconds of scanning.

And we scan them voluntarily.

We’ve already been trained to think twice before entering an unknown link we get from a stranger or even a friend, but almost anyone will scan an unknown QR code with a smartphone or a tablet, if the offer it’s embedded in looks tempting enough.

The Experiment:

Over a three-day security conference in London, I created a small poster featuring a big security company’s logo and the sentence “Just Scan to Win an iPAD.” Thousands of people walked by, no one asked where the sign came from, and no one took it down, not even a representative of the company featured on the sign.

The results: 455 people scanned the sign and browsed the link over the three days. The breakdown: 142 iPhone users, 211 Android users, 61 Blackberry, and 41 unknown browsers.

Remember, this was a conference for security professionals.

As I’m a nice guy fighting for the right side, the QR code simply linked to a web page featuring a smiley face. If I had decided to include a malware or poisoned-URL attack targeting multiple mobile smartphone browsers, I wonder whose phone I would have penetrated…

To make a long story short: QR codes are becoming more and more prevalent. And most of us don’t have the same AV or URL filtering technology on our phones or tablets that we have on our PCs.

The question is: Can we really fully trust the QR codes we see on the streets, in restaurants, or in ads? Regretfully, the answer is no.

Any attacker can take advantage of QR codes. And remember, unlike computers, most mobile devices do not include antivirus solutions to protect us against mobile malware.

Think before you scan.

· Does this QR code seem to come from a reliable source?

· After scanning the QR code and seeing the link, is the link really from whom it claimed to be?

· Would I click on this link if it came through my email?

Even if you miss out on the iPAD or the free ice cream cone, you’re probably better off.

Author bio:

David Maman is CTO & Founder of GreenSQL, the database security company.


An IT Professional’s Internet Privacy Tips – Simple And Effective

Internet privacy tips are often complex and mind numbing and generally promote an overblown reliance on technology. In this guest article, IT professional Robert Coulter cuts through the gnarly knot of the usual wooden security tips with a range of suggestions designed to keep hackers and other nefarious types away from your important private data while online.

As revealed in Wired Magazine, every piece of electronic communication is able to be intercepted by someone, somewhere. Even Internet giants like LinkedIn can be compromised, as an estimated 6.5 million passwords were hacked earlier this month. With that in mind, the only real way to guarantee complete online security is to never go online at all. Since this is neither practical nor desirable for most people, there are still steps you can take to protect your online security and protect your personal information while enjoying the benefits of the Web.

Don’t overshare.

This first tip is simply common sense. Don’t share more than is necessary on the Web, especially on social networking sites such as Facebook and Twitter. While it can be fun, consider the risks from sharing every last detail of your life with the world, such as birth date, where you go (check-ins), pictures of your children, details of your job and relationships.

All of these details make social engineering hacks easy to perform and open you up to identity theft. Do your bank accounts have common security questions like “Mother’s Maiden Name?” or “City of Birth?” protecting your passwords in the event you need to reset them? Well, chances are this information is easily found by snooping around your social media profiles, making it an easy matter to reset passwords on sensitive accounts.

If you do insist on sharing, at least tighten up your Facebook privacy settings and keep your circle of friends small and limited to those you actually know. Also, disable the most invasive features, like check-ins and photo tagging.

Use a cloud-based antivirus rather than a signature-based one.

Cloud-based antivirus solutions, such as those offered by Webroot and Symantec, do away with large signature file downloads, which eat up bandwidth and can take up to several gigabytes of hard drive space. Instead, all of the signatures reside in “the cloud” and every file and Web request gets run against this ever-growing, real time database using the provider’s resources rather than your computer’s, speeding things up greatly and providing the most up-to-date protection.

Set stronger passwords.

ElcomSoft recently did a study that estimates just 25% of people regularly change their password. Setting a strong password, and changing it frequently, is key to protecting your identity. Many experts suggest using long strings of random gibberish with special characters for greatest safety, but these can become nearly impossible to remember, leading to the insecure solution of storing them in an unprotected spreadsheet or on little bits of paper which can get lost.

One way to get a strong password that is easy to remember is to use a four-word phrase, such as “kayaking beats drudge work”, and then replace the spaces with a special character, such as “#” or “_”. The length and randomness will take a hacker more time than it is worth to figure out, while also being easy to commit to your own memory.

Use a Mailinator account on potential spam sites.

Mailinator is a great tool for signing up for web offers without actually providing your real email address. Mailinator works by allowing you to invent a disposable email address, which you can check without a password and which keeps messages for only 24 hours before being automatically erased. This is great when signing up for a site which seems to offer something enticing, but which might be spammy or even a hacker site, as your real email address is never revealed.

Deactivate old or unnecessary accounts.

Old accounts might leave your information scattered across the Internet for anyone to mine, especially on sites past their prime and maintained very irregularly by their administrators, as they tend to have lax security measures. The answer is to delete these old accounts. Even Facebook now has a “delete” feature, rather than just the “deactivate” one, so take advantage of this to clean up your online traces and reduce the temptation for hackers to learn more about you in an unwholesome way.

In conclusion, online threats are constantly evolving, and the best guardian of personal data is truly the individual user himself. Be smart and be skeptical when online; it just might save you thousands of dollars and countless hours of heartache.

Guest author Bio: Robert Coulter works in the security industry at authentify.com which offers two-factor verification solutions for companies who need increased security protection for their clients.
