Author Archives: askwpadmin

How to Keep K–12 Distance Learners Cybersecure this School Year

As Featured on malwarebytes.com

With the pandemic still in full swing, educational institutions across the US are kicking off the 2020–2021 school year in widely different ways, from re-opening classrooms to full-time distance learning. Sadly, as schools embracing virtual instruction struggle with compounding IT challenges on top of an already brittle infrastructure, they are nowhere near closing the K-12 cybersecurity gap.

Kids have no choice but to continue their studies within the current social and health climate. On top of this, they must get used to new learning setups—possibly multiple ones—whether they’re full-on distance learning, homeschooling, or a hybrid of in-class and home instruction.

Regardless of which of these setups school districts, parents, or guardians decide are best suited for their children, one thing should remain a priority: the overall security of students’ learning experience during the pandemic. For this, many careful and considerable preparations are needed.

New term, new terms
Parents in the United States are participating in their children’s learning like never before—and that was before the pandemic forced their hand. Now more than ever, it’s important to become familiar with the different educational settings to consider which is best suited for their family.

Full-on distance learning
Classes are held online while students are safe in their own homes. Teachers may offer virtual classes out of their own homes as well, or they may be using their empty classrooms for better bandwidth.

This setup requires families to have, ideally, a dedicated laptop or computer students can use for class sessions and independent work. In addition, a strong Internet connection is necessary to support both students and parents working from home. However, children in low-income families may have difficulties accessing this technology, unless the school is handing out laptops and hot spot devices for Wi-Fi. Often, there are delays distributing equipment and materials—not to mention a possible learning curve thanks to the Digital Divide.

Full-on distance learning provides children with the benefit of teacher instruction while being safe from exposure to the coronavirus.

Homeschool learning or homeschooling
Classes are held at home, with the parent or guardian acting as teacher, counselor, and yes, even IT expert to their kids. Nowadays, this setup is often called temporary homeschooling or emergency homeschooling. Although this is a viable and potentially budget-friendly option for some families, note that unavoidable challenges may arise along the way. This might be especially true for older children who are more accustomed to using technology in their studies.

This isn’t to say that the lack of technology use when instructing kids would result in low quality of learning. In fact, a study from Tilburg University [PDF] on the comparison between traditional learning and digital learning among kids ages 6 to 8 showed that children perform better when taught the traditional way, although the study further noted that they are more receptive to digital learning methods. But perhaps the most relevant implication from the study is this: The role of teachers (in this article’s context, the parents and guardians) in achieving desirable learning outcomes continues to be a central factor.

Parents and guardians may be faced with the challenge of out-of-the-box-thinking when it comes to creating valuable lessons for their kids that target their learning style while keeping them on track for their grade level.

Hybrid learning
This is a combination of in-class and home instruction, wherein students go to school part-time with significant social distancing and safety measures, such as wearing masks, regular sanitizing of facilities and properties, and regular cleaning of hands. Students may be split into smaller groups, have staggered arrival times, and spend only a portion of their week in the classroom.

For the rest of students’ time, parents or guardians are tasked with continuing instruction at home. During these days or hours, parents or guardians must grapple with the same stressors on time, creativity, patience, and digital safety as those in distance learning and homeschooling models.

New methods of teaching and learning might be borne out of the combination of any or all three setups listed above. But regardless of how children must continue their education—with the worst or best of circumstances in mind—supporting their emotional and mental well-being is a priority. To achieve peace of mind and keep students focused on instruction, parents must also prioritize securing their children’s devices from online threats and the invasion of privacy.

Old threats, new risks
It’s a given that the learning environments that expose children to online threats and risk their privacy the most involve the use of technology. Some are familiar, and some are born from the changes introduced by the pandemic. Let’s look at the risk factors that make K-12 cybersecurity essential in schools and in homes.

Zoombombing. This is a cyberthreat that recently caught steam due to the increased use of Zoom, a now-popular web conference tool. Employees, celebrities, friends, and family have used this app (and apps like it) to communicate in larger groups. Now it’s commonly adopted by schools for virtual instruction hours.

Since shelter-in-place procedures were enforced, stories of Zoombombing incidents have appeared left and right. Take, for example, the case of the unknown man who hacked into a Berkeley virtual class over Zoom to expose himself to high school students and shout obscenities. What made this case notable was the fact that the teacher of that class followed the recommended procedures to secure the session, yet a breach still took place.

Privacy Issues. When it comes to children’s data, privacy is almost always the top issue. And there are many ways such data can be compromised: from organizational data breaches—something we’re all too familiar with at this point—to accidental leaking to unconsented data gathering from tools and/or apps introduced in a rush.

An accidental leaking incident happened in Oakland when administrators inadvertently posted hundreds of access codes and passwords used in online classes and video conferences to the public, allowing anyone with a Gmail account to not only join these classes but access student data.

In April 2020, a father filed a case against Google on behalf of his two kids for violating the Children’s Online Privacy Protection Act (COPPA) and the Biometric Information Privacy Act (BIPA) of Illinois. The father, Clinton Farwell, alleges that Google’s G Suite for Education service collects the data—their PII and biometrics—of children, who are aged 13 and below, to “secretly and unlawfully monitor and profile children, but to do so without the knowledge or consent of those children’s parents.”

This happened two months after Hector Balderas, the attorney general of New Mexico, filed a case against the company for continuing to track children outside the classroom.

Ransomware attacks. Educational institutions aren’t immune to ransomware attacks. Panama-Buena Vista Union School. Fort Worth Independent. Crystal Lake Community High School. These are just some of the total districts—284 schools in all—that were affected by ransomware from the start of 2020 until the first week of April. Unfortunately, the pandemic won’t make them less of a target—only more.

With a lot of K-12 schools adjusting to the pandemic—often introducing tools and apps that cater to remote learning without conducting security audits—it is almost expected that something bad is going to happen. The mad scrambling to address the sudden change in demand only shows how unprepared these school districts were. It’s also unfortunate that administrative staff have to figure things out and learn by themselves on how to better protect student data, especially if they don’t have a dedicated IT team. And, often, that learning curve is quite steep.

Phishing scams. In the context of the education industry, phishing scams have always been an ever-present threat. According to Doug Levin, the founder and president of the K-12 Cybersecurity Resource Center, schools are subjected to “drive-by” phishing, in particular.

“Scammers and criminals really understand the human psyche and the desire for people to get more information and to feel in some cases, I think it’s fair to say in terms of coronavirus, some level of panic,” Levin said in an interview with EdWeek. “That makes people more likely to suspend judgment for messages that might otherwise be suspicious, and more likely to click on a document because it sounds urgent and important and relevant to them, even if they weren’t expecting it.”

Security tips for parents and guardians
To ensure distance learning and homeschooled students have an uninterrupted learning experience, parents or guardians should make sure that all the tools and gadgets their kids use to start school are prepared. In fact, doing so is similar to how to keep work devices secure while working from home. For clarity’s sake, let’s flesh out some general steps, shall we?

Secure your Wi-Fi
Make sure that the router or the hotspot is using a strong password. Not only that, switch up the password every couple months to keep it fresh.
Make sure that all firmware is updated.
Change the router’s admin credentials.
Turn on the router’s firewall.

Secure their device(s)
Make sure students’ computers or other devices are password-protected and lock automatically after a short period of time. This way, work won’t be lost by a pet running wild or a curious younger sister smashing some buttons.

For schools that issue student laptops, the most common operating system is ChromeOS (Chromebooks). Here’s a simple and quick guide on how parents and guardians can lock Chromebooks. The password doesn’t need to be complicated, as you and your child should be able to remember it. Decide on a pass phrase together, but don’t share it with the other kids in the house.
Ensure that the firewall is enabled in the device.
Enforce two-factor authentication (2FA).
Ensure that the device has end-point protection installed and running in real time.

Secure your child’s data
Schools use a learning management solution (LMS) to track children’s activities. It is also what kids use to access resources that they need for learning.

Make sure that your child’s LMS password follows the school’s guidelines on how to create a high entropy password. If the school doesn’t specify strong password guidelines, create a strong password yourself. Password managers can usually do this for you if you feel that thinking up a complicated one and remembering it is too much of a chore.

It also pays to limit the use of the device your child uses for studying to only schoolwork. If there are other devices in the house, they can be used to access social media, YouTube, video games, and other recreational activities. This will lessen their chances of encountering an online threat on the same device that stores all their student data.

Secure your child’s privacy
There was a case before where a school accidentally turned on the cameras of school-issued devices the students were using. It blew up in the news because it greatly violated students’ privacy. Although this may be considered a rare incident, assume that you can’t be too careful when the device your kid uses has a built-in camera.

Students are often required to show their faces on video conference software so teachers know they are paying attention. But for all the other time spent on assignments, it’s a good idea to cover up built-in cameras. There are laptop camera covers parents or guardians can purchase to slide across the lens when it’s not in use.

New challenges, new opportunities to learn
While education authorities have had their hands full for months now, parents and guardians can do their part, too, by keeping their transition to a new learning environment as safe and frictionless as possible. As you may already know, some states have relaxed their lockdown rules, allowing schools to re-open. However, the technology train has left the station.

Even as in-person instruction continues, educational tech will become even more integral to students’ learning experiences. Keeping those specialized software suites, apps, communication tools, and devices safe from cyberthreats and privacy invasions will be imperative for all future generations of learners.

Safe, not sorry
While IT departments in educational institutions continue to wrestle with current cybersecurity challenges, parents and guardians have to step up their efforts and contribute to K-12 cybersecurity as a whole. Lock down your children’s devices, whether they use them in the classroom or at home. True, it will not guarantee 100 percent protection from cybercriminals, but at the very least, you can be assured that your kids and their devices will remain far out of reach.

Stay safe!

Sophos Intercept X Advanced with EDR

EDR Starts with the Strongest Protection
To stop breaches before they start, prevention is crucial. Intercept X consolidates unmatched protection and endpoint detection and response into a single solution. This means that most threats are stopped before they can ever cause damage, and Intercept X Advanced with EDR provides additional cybersecurity assurance with the ability to detect, investigate, and respond to potential security threats.

The inclusion of EDR into a consistently top-rated endpoint protection suite enables Intercept X to significantly lighten the EDR workload. The more threats that are prevented, the less noise that is created for security teams to investigate. This means teams can optimize key resources enabling them to focus on the business of IT rather than chasing false positives and an overwhelming volume of alerts.

Add Expertise, Not Headcount
Intercept X Advanced with EDR replicates the tasks normally performed by skilled analysts, so organizations can add expertise without having to add staff. Unlike other EDR solutions which rely on highly skilled human analysts to ask questions and interpret data, Intercept X Advanced with EDR is powered by machine learning and enhanced with curated SophosLabs threat intelligence.

Security expertise: Intercept X Advanced with EDR puts security expertise into the hands of IT by automatically detecting and prioritizing potential threats. Using machine learning, suspicious events are identified and elevated as the most important and in need of immediate attention. Analysts can quickly see where to focus their attention and understand which machines may be impacted.

Malware expertise: Most organizations rely on malware experts who specialize in reverse engineering to analyze suspicious files. Not only is this approach time-consuming and difficult to achieve, but it assumes a level of cybersecurity sophistication which most organizations don’t possess. Intercept X Advanced with EDR offers a better approach by leveraging Deep Learning Malware Analysis which automatically analyzes malware in extreme detail, breaking down file attributes and code and comparing them to millions of other files. Analysts can easily see which attributes and code segments are similar to “known-good” and “known-bad” files so they can determine if a file should be blocked or allowed.

Threat intelligence expertise: When Intercept X Advanced with EDR elevates a potentially suspicious file, IT administrators can gather more information by accessing on-demand threat intelligence curated by SophosLabs, which receives and processes approximately 400,000 previously unseen malware samples each day. This and other threat intelligence is collected, aggregated, and summarized for easy analysis. This means that teams that do not have dedicated threat intelligence analysts, or access to expensive and hard-to-understand threat feeds, can benefit from one of the top cybersecurity research and data science teams in the world.

Guided Incident Response
Intercept X Advanced with EDR allows administrators to answer the tough questions about security incidents by providing visibility into the scope of an attack, how it started, what was impacted, and how to respond. Security teams of all skill levels can quickly understand their security posture thanks to guided investigations which offer suggested next steps, clear visual attack representations, and built-in expertise.

When an investigation is concluded, analysts can respond with a click of a button. Rapid response options include the ability to isolate endpoints for immediate remediation, clean and block files, and create forensic snapshots.

Intelligent EDR Use Cases
Intelligent endpoint detection and response means that security teams have the visibility and expertise they need to answer the tough questions that are asked as part of an incident response effort.

Answer the tough questions about an incident:

Understand the scope and impact of security incidents
Detect attacks that may have gone unnoticed
Search for indicators of compromise across the network
Prioritize events for further investigation
Analyze files to determine if they are a threat or potentially unwanted
Confidently report on your organization’s security posture at any given moment

Beyond EDR
To stop the widest range of threats, Intercept X Advanced with EDR employs a comprehensive defense-in-depth approach to endpoint protection rather than simply relying on one primary security technique. This is “the power of the plus” – a combination of leading foundational and modern techniques. Intercept X Advanced with EDR integrates the industry’s top-rated malware detection, top-rated exploit protection, and intelligent endpoint detection and response (EDR).
Modern techniques include deep learning malware detection, exploit prevention, and anti-ransomware specific features. Foundational techniques include antivirus, behavior analysis, malicious traffic detection, data loss prevention, and more. Intercept X Advanced with EDR combines endpoint detection and response capabilities with the modern features in Intercept X and the foundational techniques in Sophos Central Endpoint Protection. This is delivered as a single solution, in a single agent.

Contact us today to try it now for free, with a free 30-day evaluation. 

Protection for Office 365

Simple, automated and secure backup of your cloud data

Protection for O365 ensures that your business can access, control, and most importantly protect the data that you entrust to the cloud. Protection for O365 is the leading cloud-to-cloud backup product offering an all-in-one backup, restore and export solution that covers Exchange Online, OneDrive and SharePoint Online.

As companies increasingly move data into cloud-based applications, many IT teams wrongly assume that Microsoft has a backup in place. After all, O365 is always available, accessible from anywhere, and highly redundant, so why is a backup needed?

An astonishing 1 in 3 businesses report losing data stored in cloud-based applications. In addition, out of all MSP reported SaaS ransomware attacks, 49% occurred in O365, up 17% from last year. Not only can the loss of the data itself be devastating to a company, but the time lost in attempting a recovery can be equally damaging.

The truth is that even data in cloud-based applications is vulnerable to:

End-user deletion, whether accidental or malicious
Malware damage or ransomware attacks
Operational errors such as accidental data overwrites
Lost data due to canceled user licenses
Misconfigured application workflows

With more and more businesses moving into O365 to run their productivity applications, like Word, Excel and Email, these risks are impossible to ignore.

Why Office 365 Backup is Insufficient

While O365 does include primitive restore capabilities for lost data, two major issues arise when using their tools: lost data and lost time. An independent data backup separated from the app itself is necessary to avoid the most common data loss pitfalls.

Data loss due to inactive licenses: As one would expect, an active O365 license is required to access data. Unfortunately, inactive or deprovisioned user data is permanently deleted, and there is no rollback option.

Data loss due to permanent deletion: When a SharePoint Online administrator deletes a site collection, all data will be placed in the Recycle Bin where it is kept for 93 days. At that time it is automatically and permanently deleted, and there is no rollback option.

Data loss due to ransomware: Microsoft recommends 3rd party backup as the only way to recover from data loss associated with ransomware encryption.

Data loss due to app outages: Uptime guarantees provide peace of mind…until an app outage occurs. Planning for the unexpected is key to recovering quickly should an outage occur.

Time lost in restoring files: Contacting Microsoft Support for assistance with any data loss issue can be time consuming, and still may not result in restored files.

Why Protection for Office 365? Trusted, Available Backup
Know that O365 data is backed up by the most reliable solution on the market today. Reduce risk, and spend more time and budget on strategic initiatives.

Point-in-Time Backups: Backups include daily snapshots of each user’s data, allowing you to browse through a user’s account as it was at a specific point in time. Avoid data loss from ransomware by restoring entire accounts to a designated point in time before an attack occurred.

3X/day backup: Rest easy with automatic daily backups for O365’s Exchange Online, OneDrive and SharePoint Online.

On-demand backup: Perform additional backups as needed at any time. Running an on-demand backup will not affect the three regularly scheduled backups.

Infinite Retention: Store an unlimited amount of data for no additional fees.

What Office 365 Protection Recovers

OneDrive: All files (including OneNote) and folders with file structure intact.

Contacts: All contact information excluding photos

Calendar: Events (including recurrence, attendees, notes, attachments) and any calendars owned by users.

Mail: All emails, attachments, notes and folder structure.

SharePoint: Primary, custom, group and team site collections; Custom generic site lists, Folder structure, Document libraries and sets, and Site Assets, templates and pages.

Fast & Effortless Restore

One-click restore means you can avoid business downtime. Quickly identify and recover individual items or entire folders without overwriting existing files.

Quick and Painless Restore and Export: O365 Protection’s revamped architecture means data export and restore times have improved dramatically, making us the fastest backup and recovery solution.

Non-destructive Restore: Restore data without overwriting existing emails, files or site collections targeted at the same URL.

Item level restore: Retrieve data in the original format with file and label structure maintained in the backup.

No overwrites: Prevent data overwrites and differentiate restored data from current Exchange, OneDrive, and SharePoint production data for added protection.

Advanced search capabilities: Easily find data with the advanced search option and restore individual items or entire folders.

Security & Reporting

Balance security and transparency with powerful security controls and robust user lifecycle management. Protect valuable business data from accidents or malicious acts.

Security and compliance: O365 Protection backs up data in compliance with Service Organization Control (SOC 1/SSAE 16 and SOC 2) reporting standards and GDPR, and supports HIPAA compliance needs.

Custom Data Retention: Specify how long records should be maintained (days, years or infinite) to meet industry-specific compliance regulations.

Activity log: Maintain a detailed record of all administrator and user actions.

For more information please contact us today at (610) 617-0300. 

Security Risk Assessment

You have the oil in your car changed regularly. You have your HVAC system serviced every season. You installed a UPS. You are doing everything you can to keep things running smoothly because you realize a disruption can have disastrous effects. So when was the last time you had an information security risk assessment?

An information security risk assessment is the best tool you have to help you:
prepare to defend your information;
understand the risks to your organization;
target your spending;
know where you are;
plan where you want to go.

An information security risk assessment includes:
CIS Framework Assessment
Asset Inventory & Patch-Management Health-Check
CIS Benchmark Assessment for Network & Endpoints
Vulnerability Assessment
Logging Health-Check
Next-Gen Firewall and VPN Health-Check
Malware Defense Assessment
Data Protection & Recovery Assessment
Threat Detection & Response Assessment
Active Directory Services Health-Check

Contact us today to learn more or to schedule your assessment.

Want to know what your employees know about information security? Contact us today for a free survey.

ASK Recognized as an Industry Leader Once Again

ASK TECHNOLOGIES, INC. is once again a proud recipient of the Philadelphia Business Journal prestigious awards for “Top Tech Employers”. This marks the seventeenth consecutive year that ASK TECHNOLOGIES, INC. has been recognized as an industry leader in the Philadelphia and Metropolitan Area. ASK provides our clients the ability to transform current information technology into productivity. Whether utilizing technology to bridge the gap between employees, business workflow and computers, or using technology to supply access to data, regardless of connection, location and time, ASK offers the solutions you need to survive in a very competitive world.

COVID-19

While there is currently no health or safety concern within ASK, we want to make sure you are aware that we are taking every precaution available and necessary as outlined by the CDC to ensure the well being of our valued team members.

In the event that there is an outbreak in our area, we have an emergency plan of action in place that would enable us to work remotely and continue to provide IT services to your company.

I urge you to reach out to ASK to discuss your current IT remote access plan. Your plan should include the ability for your staff to work from home with secure access to critical data, applications, and systems in the event of a mandated quarantine situation. If you do not have a plan in place, we recommend you immediately consider a virtual private network (VPN) solution or another remote access solution to ensure your employees are using a secure, encrypted connection at home to gain access to corporate information. This will enable your company to continue critical business operations.

While we cannot predict what to expect during this unsettling time, rest assured ASK is taking every step possible to ensure our business continuity. We are strongly advising all of our clients do the same.

ASK Recognized as an Industry Leader Once Again

ASK TECHNOLOGIES, INC. is once again a proud recipient of the Philadelphia Business Journal prestigious awards for “Top Tech Employers”. This marks the sixteenth consecutive year that ASK TECHNOLOGIES, INC. has been recognized as an industry leader in the Philadelphia and Metropolitan Area.

ASK provides our clients the ability to transform current information technology into productivity. Whether utilizing technology to bridge the gap between employees, business workflow and computers, or using technology to supply access to data, regardless of connection, location and time, ASK offers the solutions you need to survive in a very competitive world.

Support for Windows 7 is Ending January 14, 2020

All good things must come to an end, even Windows 7. After January 14, 2020, Microsoft will no longer provide security updates or support for PCs running Windows 7. But you can keep the good times rolling by moving to Windows 10.

You have questions, we have answers:

Can I upgrade my existing PC to Windows 10?

Yes, you can upgrade compatible Windows 7 PCs with the purchase of a Windows 10 license. However, depending on the age of your PC, performance can suffer after Windows 10 is installed. To take advantage of the latest hardware capabilities, we strongly recommend moving to a new PC with Windows 10.

What happens if I continue to use Windows 7?

You can continue to use Windows 7, but once support ends on January 14, 2020, your PC will no longer be security compliant, and will be highly vulnerable to security risks affecting not only your PC but your entire network.

Can Windows 7 still be activated after January 14, 2020?

Windows 7 can still be installed and activated after support has ended. However, to avoid security risks and viruses, Microsoft recommends that you install Windows 10.

Will Internet Explorer still be supported on Windows 7?

Support for Internet Explorer on Windows 7 devices will be discontinued on January 14, 2020. As a component of the Windows operating system, Internet Explorer follows the same support life-cycle.

Moving to Windows 10

Whether you are upgrading an existing device, buying a new one, or just need help deploying, we have the help you need. Please contact your ASK sales rep today at (610) 617-0300.

The Lazy Person’s Guide to Cybersecurity: Minimum Effort for Maximum Protection

as featured on Malwarebytes.com

Are you tired of that acquaintance who keeps bugging you with computer questions? Do you avoid visiting certain people because you know you will spend most of the evening cleaning up their machine?

My uncle Bob is one of those people. He’s a nice guy, but with computers, he’s not just an accident waiting to happen—he’s an accident waiting to become a catastrophe. To keep Uncle Bob’s computer safe without blowing up the Internet, we need to give him the simplest of instructions that result in protecting him against as much as possible. Uncle Bob needs a lazy person’s guide to cybersecurity.

It’s not that Uncle Bob is lazy. It’s that he’s overwhelmed by the amount of stuff he has to do to keep his data and devices secure. Multiple passwords, reading through EULAs, website cookies that he clicks “agree” to without really paying attention—they’re giving him a serious case of security fatigue. And as his helper, you’re probably pretty over it, too.

The funny thing is, with adequate cybersecurity, Uncle Bob’s—and by extension all of our—problems would be much less frequent and less severe. So, let’s see if we can work out a system of minimum effort that renders reasonable results.

Before we begin, we should note that lazy cybersecurity should not apply to devices used to store sensitive data, conduct financial transactions, or communicate confidential or proprietary information. Lazy security is a good way to protect those who prefer to do nothing rather than be overwhelmed by 50 somethings, but it shouldn’t have severe consequences if it goes wrong.

User education

Your first step should always be user education. So many of today’s most dangerous threats are delivered through social engineering, i.e., by tricking users into giving up their data or downloading the malware themselves from an infected email attachment. Therefore, knowing what not to click on and download can keep a good portion of threats off a lazy person’s device.

With most people, it helps to know why they shouldn’t download or click on links in emails that look like they came from a legitimate institution. Just telling them “don’t do that” may help for a bit, but advice is better retained if it’s grounded in practical reasoning. Therefore, each item in this list is accompanied by a brief explanation.

Do not click on links asking to fill out your personal information. Your financial institutions will not send emails with links to click, especially if those links are asking you to update personally identifiable information (PII). If a website promises you something in return for filling out personal data, they are phishing. In return for your data, you will probably get lots more annoying emails, possibly an infection, and no gift.

Don’t fall for too-good-to-be-true schemes. If you get offered a service, product, game, or other tantalizing option for free, and it is unclear how the producers of said service or item are making money, don’t take it. Chances are, you will pay in ways that are not disclosed with the bargain, including sitting through overly-obnoxious ads, paying for in-game or in-product purchases, or being bombarded with marketing emails or otherwise awful user experiences.

Don’t believe the pop-ups and phone calls saying your computer is infected. Unsolicited phone calls and websites that do so are tech support scams. The only programs that can tell if you have an infection are security platforms that either come built into your device or antivirus software that you’ve personally purchased or downloaded. Think about it: Microsoft does not monitor billions of computers to call you as soon as they notice a virus on yours.

Don’t download programs that call themselves system optimizers. We consider these types of software, including driver updaters and registry cleaners, potentially unwanted programs. Why? They do nothing helpful—instead, they often take over browser home pages, redirect to strange landing pages, add unnecessary toolbars, and even serve up a bunch of pop-up ads. While not technically dangerous themselves, they let a lot of riff raff in the door.

Consider disabling web push notifications. These can be easily spoofed and used for social engineering/obtrusive advertising purposes.

Beyond staying away from “allow” and “download” buttons, and steering clear of links asking for PII, users who conduct any kind of financial transaction on their machines should approach them with extreme caution. Here’s where we ask users to take action, looking for security clues and doing a little research before paying that bill or buying that new book.

Use a designated browser you trust. This needn’t be for all surfing, but for purchasing especially, research the different browsers and see which one you feel safest with, whether that’s because they have few vulnerabilities, don’t track your surfing behavior, or encrypt all communication. Major browsers such as Firefox, Safari, and Chrome have strengths and weaknesses they bring to the game, so it’s a matter of personal preference. We do suggest staying away from older browsers rife with security holes, such as Internet Explorer.

Look for HTTPS and the green padlock. No, it’s no longer a guarantee that the site is safe just because it has a green padlock, but it does mean the communication is encrypted. If you combine that with being on the true website of a trusted vendor, you can breathe easier knowing your payment details cannot be intercepted in transit.

Use a password manager. Simple as that. Passwords are a real problem, as users tend to re-use the same ones across multiple accounts, keep old ones lying around because they’re the only ones they can remember, or write them down somewhere they can be easily found. No need for 27 different passwords. Just one manager, preferably with multi-factor authentication. (Bonus points for healthcare or bank organizations with logins that use physical or behavioral biometrics.)

This could turn out to be too confusing for the Uncle Bobs of this world, however. If so, best to point them in the direction of brick-and-mortar stores for shopping, the checkbook for paying bills, and the actual bank to conduct other financial business.

How to set up a system for a non-tech-savvy person

Perhaps Uncle Bob can only manage so much security education before feeling overburdened with technical knowledge. In that case, it helps for a tech-savvy friend or relative to pitch in and tighten up a few things on the backend.

Hardware

First of all, if someone is looking for a new computer for non-sensitive purposes, such as browsing, social media, games, and some basic email or chat functions, you can chime in with recommendations. For someone not invested in heavy gaming, a Chromebook would be a good option, as it will save them some money and can perform all those functions, plus any browser-based gaming. However, someone with an interest in PC gaming will likely need an entirely different OS and an intense graphics card (and therefore lots of protection against cryptominers). Meanwhile, Macs are good options for users looking to get into graphic design.

Software

Installing software on a system usually comes with the task of having to keep it up-to-date. Therefore, any software programs that Uncle Bob selects should minimize the potential pitfalls.

When Uncle Bob is shopping for software, recommend he finds programs that have a self-updating function. We know this isn’t always recommended in a work environment, but for the lazy security person, it’s perfect. One less thing to worry about.

In addition, selecting software that allows users to minimize notifications to only dire warnings will keep Uncle Bob from getting confused. Notifications coming from programs can have strange effects on the less computer savvy for several reasons:

  • They don’t understand to which program they belong, which takes away the context for them.
  • The text in the notifications is designed to be short, not always maximized for clarity.
  • Technical terms used in the notification are unknown to the receiver.
  • Their reactions may vary. Some will simply click until they disappear. This is the behavior that usually gets them into trouble, so you don’t want to give them another reason to click–click–click away. Others may get worried and call for backup immediately, asking what’s wrong and why they are getting this “pop-up.” So, any software that can be set to only issue a warning when something is really amiss deserves another plus.

Browser add-ons

There are some secure browsers out there that value your privacy, but I’m pretty sure my Uncle Bob does not like using them. There is a learning curve involved that may not seem steep to you and me, but my uncle Bob…you know what I mean. But there is hope on the horizon. Some of the more user-friendly browsers can be equipped with extensions/add-ons/plugins that boost security by adding an extra protective layer.

All About Phishing

As featured on Malwarebytes.com

What is phishing?

Phishing is the crime of deceiving people into sharing sensitive information like passwords and credit card numbers. As with real fishing, there’s more than one way to reel in a victim, but one phishing tactic is the most common. Victims receive a malicious email (malspam) or a text message that imitates (or “spoofs”) a person or organization they trust, like a coworker, a bank, or a government office. When the victim opens the email or text, they find a scary message meant to overcome their better judgement by filling them with fear. The message demands that the victim go to a website and take immediate action or risk some sort of consequence.

If users take the bait and click the link, they’re sent to an imitation of a legitimate website. From here, they’re asked to log in with their username and password credentials. If they are gullible enough to comply, the sign-on information goes to the attacker, who uses it to steal identities, pilfer bank accounts, and sell personal information on the black market.

Unlike other kinds of online threats, phishing does not require particularly sophisticated technical expertise. In fact, according to Adam Kujawa, Director of Malwarebytes Labs, “Phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective. That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.” Phishers are not trying to exploit a technical vulnerability in your device’s operating system—they’re using “social engineering.” From Windows and iPhones, to Macs and Androids, no operating system is completely safe from phishing, no matter how strong its security is. In fact, attackers often resort to phishing because they can’t find any technical vulnerabilities. Why waste time cracking through layers of security when you can trick someone into handing you the key? More often than not, the weakest link in a security system isn’t a glitch buried in computer code, it’s a human being who doesn’t double check where an email came from.

History of phishing

The origin of the name “phishing” is easy enough to trace. The process of performing a phishing scam is much like actual, aquatic fishing. You assemble some bait designed to deceive your victim, then you cast it out and hope for a bite. As for the digraph “ph” replacing the “f,” it could be the result of a portmanteau of “fishing” and “phony,” but some sources point back to another possible origin.

In the 1970s, a subculture formed around the practice of using low-tech hacks to exploit the telephone system. These early hackers were called “phreaks”—a combination of “phone” and “freaks.” At a time when there weren’t many networked computers to hack, phreaking was a common way to make free long-distance calls or reach unlisted numbers.

Even before the actual “phishing” term took hold, a phishing technique was described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.

The use of the name itself is first attributed to a notorious spammer and hacker in the mid-1990s, Khan C Smith. Also, according to Internet records, the first time that the term “phishing” was publicly used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called AOHell. At the time, America Online (AOL) was the number one provider of Internet access, with millions of log-ons daily.

Naturally, AOL’s popularity made it a target for fraudsters. Hackers and software pirates used it to communicate with one another, as well as to conduct phishing attacks on legitimate users. When AOL took steps to shut down AOHell, the attackers turned to other techniques. They sent messages to AOL users claiming to be AOL employees and asked people to verify their accounts and hand over billing information. Eventually, the problem grew so bad that AOL added warnings on all email and instant messenger clients stating “no one working at AOL will ask for your password or billing information.”

Going into the 2000s, phishing turned its attention to exploiting online payment systems. It became common for phishers to target bank and online payment service customers, some of whom—according to subsequent research—might have even been accurately identified and matched to the actual bank they used. Likewise, social networking sites became a prime phishing target, attractive to fraudsters since personal details on such sites are useful for identity theft.

Criminals registered dozens of domains that spoofed eBay and PayPal well enough that they passed for the real thing if you weren’t paying close enough attention. PayPal customers then received phishing emails (containing links to the fake website), asking them to update their credit card numbers and other personally identifiable information. The first known phishing attack against a bank was reported by The Banker (a publication owned by The Financial Times Ltd.) in September 2003.

By the mid-2000s, turnkey phishing software was readily available on the black market. At the same time, groups of hackers began to organize in order to orchestrate sophisticated phishing campaigns. Estimated losses due to successful phishing during this time vary, with a 2007 report from Gartner stating that as many as 3.6 million adults lost $3.2 billion between August 2006 and August 2007.

In 2011, phishing found state sponsors when a suspected Chinese phishing campaign targeted Gmail accounts of highly ranked officials of the United States and South Korean governments and militaries, as well as Chinese political activists.

In perhaps the most famous event, in 2013, 110 million customer and credit card records were stolen from Target customers, through a phished subcontractor account.

Even more infamous was the phishing campaign launched by Fancy Bear (a cyber espionage group associated with the Russian military intelligence agency GRU) against email addresses associated with the Democratic National Committee in the first quarter of 2016. In particular, Hillary Clinton’s campaign manager for the 2016 presidential election, John Podesta, had his Gmail hacked and subsequently leaked after falling for the oldest trick in the book—a phishing attack claiming that his email password had been compromised (so click here to change it).

In 2017, a massive phishing scam tricked Google and Facebook accounting departments into wiring money, a total of over $100 million, to overseas bank accounts under the control of a hacker.

Types of phishing attacks
Despite their many varieties, the common denominator of all phishing attacks is their use of a fraudulent pretense to acquire valuables. Some major categories include:

Spear phishing
While most phishing campaigns send mass emails to as many people as possible, spear phishing is targeted. Spear phishing attacks a specific person or organization, often with content that is tailor made for the victim or victims. It requires pre-attack reconnaissance to uncover names, job titles, email addresses, and the like. The hackers scour the Internet to match up this information with other researched knowledge about the target’s colleagues, along with the names and professional relationships of key employees in their organizations. With this, the phisher crafts a believable email.

For instance, a fraudster might spear phish an employee whose responsibilities include the ability to authorize payments. The email purports to be from an executive in the organization, commanding the employee to send a substantial payment either to the exec or to a company vendor (when in fact, the malicious payment link sends it to the attacker).

Spear phishing is a critical threat to businesses (and governments), and it costs plenty. According to a 2016 report of a survey on the subject, spear phishing was responsible for 38% of cyberattacks on participating enterprises during 2015. Plus, for the U.S. businesses involved, the average cost of spear phishing attacks per incident was $1.8 million.

Clone phishing
In this attack, criminals make a copy—or clone—of previously delivered but legitimate emails that contain either a link or an attachment. Then, the phisher replaces the links or attached files with malicious substitutions disguised as the real thing. Unsuspecting users either click the link or open the attachment, which often allows their systems to be commandeered. Then the phisher can counterfeit the victim’s identity in order to masquerade as a trusted sender to other victims in the same organization.

419/Nigerian scams
A verbose phishing email from someone claiming to be a Nigerian prince is one of the Internet’s earliest and longest-running scams. According to Wendy Zamora, Head of Content at Malwarebytes Labs, “The Nigerian prince phish comes from a person claiming to be a government official or member of a royal family who needs help transferring millions of dollars out of Nigeria. The email is marked as ‘urgent’ or ‘private,’ and its sender asks the recipient to provide a bank account number for safekeeping the funds.”

In a hilarious update of the classic Nigerian phishing template, British news website Anorak reported in 2016 that it received an email from a certain Dr. Bakare Tunde, who claimed to be the project manager of astronautics for Nigeria’s National Space Research and Development Agency. Dr. Tunde alleged that his cousin, Air Force Major Abacha Tunde, had been stranded on an old Soviet space station for more than 25 years. But for only $3 million, Russian space authorities could mount a flight to bring him home. All the recipients had to do was send in their bank account information in order to transfer the needed amount, for which Dr. Tunde will pay a $600,000 fee.

Incidentally, the number “419” is associated with this scam. It refers to the section of the Nigerian Criminal Code dealing with fraud, the charges, and penalties for offenders.

Phone phishing
With phone-based phishing attempts, sometimes called voice phishing or “vishing,” the phisher calls claiming to represent your local bank, the police, or even the IRS. Next, they scare you with some sort of problem and insist you clear it up immediately by sharing your account information or paying a fine. They usually ask that you pay with a wire transfer or with prepaid cards, so they are impossible to track.

SMS phishing, or “smishing,” is vishing’s evil twin, carrying out the same kind of scam (sometimes with an embedded malicious link to click) by means of SMS texting.

How to identify a phishing attack
Recognizing a phishing attempt isn’t always easy, but a few tips, a little discipline, and some common sense will go a long way. Look for something that’s off or unusual. Ask yourself if the message passes the “smell test.” Trust your intuition, but don’t let yourself get swept up by fear. Phishing attacks often use fear to cloud your judgement.

Here are a few more signs of a phishing attempt:

The email makes an offer that sounds too good to be true. It might say you’ve won the lottery, an expensive prize, or some other over-the-top item.

You recognize the sender, but it’s someone you don’t talk to. Even if the sender’s name is known to you, be suspicious if it’s someone you don’t normally communicate with, especially if the email’s content has nothing to do with your normal job responsibilities. Same goes if you’re cc’d in an email to folks you don’t even know, or perhaps a group of colleagues from unrelated business units.

The message sounds scary. Beware if the email has charged or alarmist language to create a sense of urgency, exhorting you to click and “act now” before your account is terminated. Remember, responsible organizations do not ask for personal details over the Internet.

The message contains unexpected or unusual attachments. These attachments may contain malware, ransomware, or another online threat.

The message contains links that look a little off. Even if your spider sense is not tingling about any of the above, don’t take any embedded hyperlinks at face value. Instead, hover your cursor over the link to see the actual URL. Be especially on the lookout for subtle misspellings in an otherwise familiar-looking website, because it indicates fakery. It’s always better to directly type in the URL yourself rather than clicking on the embedded link.

How do I protect myself against phishing?
As stated previously, phishing is an equal opportunity threat, capable of showing up on desktops, laptops, tablets, and smartphones. Most Internet browsers have ways to check if a link is safe, but the first line of defense against phishing is your judgement. Train yourself to recognize the signs of phishing and try to practice safe computing whenever you check your email, read Facebook posts, or play your favorite online game.

Once again from our own Adam Kujawa, here are a few of the most important practices to keep you safe:

• Don’t open e-mails from senders you are not familiar with.
• Don’t ever click on a link inside of an e-mail unless you know exactly where it is going.
• To layer that protection, if you get an e-mail from a source you are unsure of, navigate to the provided link manually by entering the legitimate website address into your browser.
• Look out for the digital certificate of a website.
• If you are asked to provide sensitive information, check that the URL of the page starts with “HTTPS” instead of just “HTTP.” The “S” stands for “secure.” It’s not a guarantee that a site is legitimate, but most legitimate sites use HTTPS because it’s more secure. HTTP sites, even legitimate ones, are vulnerable to hackers.
• If you suspect an e-mail isn’t legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.
• Mouse over the link to see if it’s a legitimate link.
• As always, we recommend using some sort of anti-malware security software. Most cybersecurity tools have the ability to detect when a link or an attachment isn’t what it seems, so even if you fall for a clever phishing attempt, you won’t end up sharing your info with the wrong people.

All Malwarebytes premium security products provide robust protection against phishing. They can detect fraudulent sites and stop you from opening them, even if you’re convinced they’re legitimate.

So stay vigilant, take precautions, and look out for anything phishy.
