Channel: Cyber Security Consultant – Mike Foster, CEH, CISA, CISSP

Protecting and Restricting iPads, iPhones, and Android Devices

Because many families, and business professionals, received new tablets for the holidays, it is important to consider security. Families, as well as businesses, may choose to restrict permissions on devices. Here’s how:

Set a passcode on the device. Even a 4-digit code is much better than nothing. Just avoid 0000, 1111, 1234, 2580, or other easily guessed codes. Keeping the device in your possession, or in a secure place, is just as essential since it can prevent the opportunity for someone to guess your password.

Keep the device backed up, and apply security patches as soon as they are released. The patches often protect against attacks that are already happening in the wild.

Do not connect to Wi-Fi networks without weighing the risk against the convenience and other potential benefits. When you connect to any Wi-Fi network, there is a chance that attackers can exploit your device in many ways. Because bad actors can trick your device into connecting to their malicious access points without your knowledge, consider using your device’s settings to disable Wi-Fi when you are not using it. Re-enable Wi-Fi only when you are at your office, home, or in another trusted environment.

At the office, there is technology that will allow your IT team to implement MDM, Mobile Device Management, to restrict your team members’ activity on their devices. This can help protect against one of your team members accidentally becoming a vector for attackers to access, and potentially interfere with, your entire organization’s network.

For families, keep these three possibilities in mind:

First, use the internal parental controls and restrictions that are built into the device. The settings and features are very effective, and well documented on the support sites. More features can be added with security and feature updates, so review the settings periodically. The best strategy for using these restriction settings is to use steps A, B, and C.

  • Step A: As you apply security and privacy restrictions to a device for a family member, keep reminding yourself that you are restricting that device for their, not your, needs. It is easy to think about how you might want to use wireless payment options, and then you avoid restricting the options accordingly. When in doubt, restrict. You can always re-enable features later.
  • Step B: Before applying parental control restrictions, first configure the other settings on the device. If you apply parental control restrictions first, you may find that you’ve restricted your own ability to adjust these settings.
  • Step C: Wait until you finish steps A and B before you apply the restrictions designed to protect family members. You’ll be prompted to create your own unique password so that, in theory, only you can adjust the parental controls.

Second, when protecting families, consider commercially available tools designed to enhance your ability not only to restrict, but also to monitor usage. Many reviews place a product named Qustodio at the top of the list. We receive no compensation in any way for recommending this, or any other product or service. We just want you to have a place to start. It seems that, for many of the control tools available, parents either love them or hate them, depending on their expectations. To help ensure a good outcome for you, research the features and read comments from other parents. Restrict your search to comments made in 2017. Each product’s features, and approval ratings, tend to change from year to year. Some products will even permit you to restrict laptops and desktop computers in addition to tablets and phones. Interestingly, you may find that third-party software is able to restrict Android devices more than Apple devices. This is because Apple’s own internal controls are already so restrictive that they can partially block the parental control software too.

Third, consider restricting the Internet access at your home, too. For example, you may choose to set a time limit on usage duration or time of day. This can help ensure that youngsters get enough sleep. A very powerful tool is called Circle with Disney. Again, we receive no compensation for recommending products or services. This tool is widely accepted as being one of the best. If nothing else, check out its features to help you get an idea of what you may want to control. It has a feature that can restrict access even when the device uses a cellular connection or connects to a different network. That added protection can prevent family members from simply going to someone else’s house to operate without restrictions. Bear in mind that Internet filtering tools do not restrict the ability for family members to use apps, except for apps that need to connect to the Internet in order to function. The aforementioned products can control both apps and Internet usage. But sometimes having two products can be helpful too.

When implementing family control tools, remember that all of them include privacy risks. While restricting apps and Internet usage, software is able to monitor your family members’ electronic behavior too. That information can be sold to marketing firms who already build a profile on each consumer. Do you want to contribute to what they know about your family members? What if bad actors gain access to information that helps them target a family member? You may decide the risks are worth the benefits.

Please forward this information to everyone you know who might want to place restrictions on Apple and Android based devices. Thank you for helping make the world a safer place to live and work! Happy New Year!


Major Flaw in Computer Processors Affects Security

A security vulnerability that has existed for 10 years has only recently been discovered.

A patch for Linux has been released and Microsoft plans to release a patch next Tuesday. Apple will release a patch for OSX.

For understandable reasons, many organizations are significantly behind schedule in applying patches. The patch won’t help protect your organization until the patch is applied to your computers.

A big concern is that the patch is predicted to have a major impact on performance. Estimates of the degradation in the performance range from 0% to 30%. If you have computers that are slow anyway, this will matter to you.

Additionally, this vulnerability affects computers in the cloud too. Amazon and Microsoft have announced that they are working on patching their cloud servers.

Ask IT what the status is of your patches for all of your operating systems, and make a plan for getting your patches up to date.

Three Serious Trends to Watch Out for in Cyber Security

First, are your servers backed up to the cloud? The use of online backup will continue to grow. Organizations are finding out, sometimes the hard way, the importance of being able to restore data quickly. Downtime can be extremely expensive for some organizations, so make sure you can restore quickly enough, especially if your data is stored in the cloud. Test your restore process.

Second, attackers will target, more than ever before, organizations who store protected health information. If you are in healthcare, or even if your company name makes it sound like you are in healthcare, ramp up security to unprecedented levels and have a plan of what to do when you are breached.

Third, more attackers will use trusted security software as a vector to infect networks. Attackers already infected the program called CCleaner, used by millions of people to, among other things, speed up slow Windows computers. CCleaner is a very useful, and trusted, security program. Unfortunately, this tool became a powerful attack tool when attackers took over the update server. What program, one that you trust, will attackers take over to use as a vector to hack your computer?

Please forward this to your friends who can be on the lookout too.

Patching Nightmare – Please Forward to Your IT Pros

Intel says, again, to stop deploying patches. Java and other new patches need handling.

Intel advises that IT Professionals stop deploying the current versions of patches for the recently discovered security flaws in CPU chips. Find details, just updated, by searching:
Root Cause of Reboot Issue Identified Updated Guidance for Customers and Partners site:intel.com

Do not insert a space after the colon.

For most of you, deploying Microsoft patches is easy compared to managing Flash, Java, and browser updates. Oracle is releasing multiple security patches for Java SE. Additionally, if you are upgrading Chrome to the 64 bit version, Google is releasing new patches for that browser.

For executives wondering what to do at home, you may find it best to download fresh versions of any non-Microsoft browsers you use, and reinstall the most recent versions of Flash and Java, if you still use either, from https://get.adobe dot com/flashplayer/ or java dot com . Your Microsoft and/or Apple patches are likely configured to install automatically.

For both organizations and home office users, if you can remove Flash and/or Java from some or all of your computers, then you can forget about patching them. If you haven’t already, try it on a few computers. You may find that all of the websites essential to your business no longer require either. Worst case, you can re-install the most recent version.

Executives, please forward this to your IT Professionals. Be sure to, if you have not already, have a conversation with them about how aggressive you want them to be with patching. They can share the pros and cons with you. These days, an aggressive posture related to patches can increase your security dramatically, when handled properly. Provide them time to test the patches, test un-installing the patches, and then to deploy the patches in stages. They will also need to contact your cloud providers to discuss how they are handling the flaws and patches.

How Buying a Spare Printer can Vastly Improve Your Cyber Security

Imagine a scenario in which an IT professional knows there is an urgent security problem in your firewall that needs to be addressed. And at the same time, your multi-function printer is broken. What problem will the IT professional address first?

Most IT professionals will, and do, fix the printer first. They care about you and your organization. They want to ensure that your team can serve your customers.

But, postponing the repair to the firewall may significantly increase the risk of your organization experiencing a major cyber attack.

The printer being broken is a visible condition. It is possible that nobody, other than members of your IT team, knows that the firewall is broken.

Your IT team will receive approval for fixing the printer. But, if they spend time fixing the firewall first, everyone will think they are wasting time, sitting around, doing nothing.

What device or activity consumes your IT team’s time? What do they have to invest a lot of time fixing, when there are perhaps more critical, often invisible, cyber security issues that must be addressed?

If it is the printer that takes up their time, buy a spare printer. If one printer goes down, everyone can use the other printer.

Do what you need to do in order to ensure that your IT team will have time to take care of your IT security. You will reap the benefits if they stop an attack.

A New Opportunity for Your IT Pros to Protect your Servers

Attackers can take advantage of a large attack surface on your servers. Your IT professionals can drastically reduce the attack surface, and potentially save you money.

When your IT team logs onto a server, the server’s screen looks similar to what you would experience looking at a Windows workstation’s screen. The display on the server’s screen would remind you of your desktop or laptop computer’s screen.

Your IT professionals can remove this desktop experience and produce significant benefits. Your servers need less storage space, are faster, need fewer security patches, and are more reliable. Additionally, there is a smaller attack surface for attackers to exploit. Those benefits will help you, as an executive, sleep better at night.

Your IT team will install the server’s core software, and omit all of the programs that produce the desktop experience.

For your IT team to control and configure the server, they can use a server manager program that runs on their computers. Your IT team might use Windows PowerShell or even Project Honolulu too.

Please forward this message to fellow executives who want to make changes that will help them sleep better at night and, in the future, save money too.

New York City is Providing Automatic Protection for all iPhone Users, and So Can Your City

As the City of Atlanta is still recovering from the massive ransomware attack on March 22, NYC is launching a program that provides secure Internet access for residents and visitors at no charge.

NYC’s Mayor Bill de Blasio signed an executive order to establish the New York City Cyber Command. The command has developed the initiative called NYC Secure.

NYC is setting a fantastic precedent of protecting citizens, and visitors, from cyber-attacks. The system protects both iPhone and Android users.

Yesterday, I sought out and met, one on one, with the lead developer of the security app that is one component of NYC Secure. I quickly steered the conversation to the technology behind the protection mechanisms.

After conversing with this security guru, a mathematical genius, for almost an hour, I’m happy to report that the level of protection is unprecedented.

In fact, most corporations do not provide some of the powerful features built into the NYC public system.

Please forward this message to your mayor, and ask them to follow this model and protect the citizens of your city too!

A Simple Change Can Help Protect Your Family, and It Works on Apple and Windows

There is a setting on your computer that can help protect your family.

You don’t need to know this part: There is a service called Domain Name Service, DNS, that is a massive index for the Internet. If someone in your family, or at work, types in make a wish dot com, DNS looks up those letters and finds that the Make a Wish server is at address 184.168.221.30. Since computers think in numbers, it can then take you to that website.

Your internet service provider provides you with DNS lookups. So, if someone clicks on terrible dot com or infected dot com, your computer will take you to those sites.

However, there are DNS services that will help protect you. When someone clicks on an address, those DNS servers will look up the address and, before sending you there, do their best to make sure it is a good site.

There is nothing to install, and there are no charges for the services. All you need to do is tell your computer to use the new DNS servers, and all the sites show you how to do that. Check out:

Clean Browsing

Norton ConnectSafe

OpenDNS

Quad9

Yandex.DNS

Additionally, you might even notice a boost in speed!

Please forward this to everyone you know who would like added protection when they click on a link or even type in an address while surfing the web.


How to E-Mail Encrypted Attachments

E-mail messages can be intercepted or read by an unauthorized individual.

When you want privacy, one way is to encrypt your documents before you attach them to your email message.

Microsoft Office, for Windows and Mac, has a feature on the File menu called Protect Document. Choose that option, and enter a secret password.

Use a phrase such as: the chairs are in a row.

E-mail that file to your recipient.

Then, phone, or text, the password to your recipient. If you email the recipient the password, even if it is in a separate email message, whoever is reading your email messages will receive both the attachment and the secret code.

Please forward this to any of your friends who may want to send sensitive email attachments.

Ask IT Pros to Check Your Routers and Firewalls

We audited a company last week and discovered that their web filtering tools, designed to stop users from accidentally landing on malicious websites, were not blocking dangerous sites. In these days with ransomware and bad actors tricking users into clicking on dangerous links, it is essential to have web content filtering in place.

Even if a user does click a link, a good web content filter can often protect your network when user training fails.

We notified the company’s outsourced IT providers, and they determined that the web protection gateway failed and was permitting all traffic into the network. Were it not for the audit, it would still be allowing clicked links to take users to malicious websites.

This firewall appliance is a well-known brand that starts with a B, but it could be any manufacturer. Computer hardware is far from perfect. A big concern is that the firewall failed and no one knew it. As auditors, it is common to find malfunctioning security equipment. Just because all the green lights are flashing on the outside of the firewall does not mean it is working correctly.

Now is an excellent time to ask your IT professionals, even outsourced companies, to devote time to checking your firewalls, routers, wireless network access points, and other devices. They need to apply all critical security patches, verify the filtering rules, and be sure the devices are working fast without hindering the flow of your information. If you want to, have them reach out to us for more technical recommendations.

You can even update your routers and devices at home if you have some extra time. An excellent place to start is at the device manufacturer’s website. There will be instructions to download and install the most recent firmware. Look at the support site about ways you can enable supported security features in your home devices including web content filtering. Be sure to leave time to tweak the settings. Depending on how familiar you are with the settings, this process might take you ten minutes or, if things get a little crazy, it could take an hour or more at home.

Please forward this to everyone you know so they can ask their IT professionals to make sure the firewalls and other devices are up and running correctly. Let’s keep your networks safe.

Stop Hidden Attacks Buried in Email Attachments

When you receive an email attachment, even when you are expecting the document and know the sender, the attached file can be poisoned. And the friend or associate who sends you the attachment probably does not know that the file is infected.

A term to know is macro. It is a set of automated instructions like a program. Emailed attachments may contain macros.

Macros can contain malicious code that will infect your computer, and give an attacker full access to your computer and network.

If you ever see a message on your screen instructing you to enable macros, refuse.

Your IT department, or IT provider, can disable macros.

At home – you can do it yourself. Find step-by-step instructions by searching the web using the search terms: Disable Macros Office.

On a Windows computer, open each Office application, choose File, Options, Trust Center, Trust Settings, and choose the option to disable all macros with notification.

On a Mac, choose Preferences from the menu in each Office application. In Word, the preferences settings will show up when you pull down the menu labeled Word. Then select Security and Privacy settings. Choose to disable macros with notification.

Forward this message to users who use their computers to work from home, so they can make sure their computers are safe. That will protect your network.

Please forward this to your friends, so they know how dangerous macros are too.

Watch for Threatening Email Messages that Contain Your Actual Passwords

You may receive a threatening email message that shows you your actual username and password. The attacker may demand you pay them 2900, or some other significant amount. They threaten horrible things if you do not pay. They may show you other information they have stolen including where you work, your date of birth, names, and ages of family members, and more.

Do this now: Be sure none of your email programs displays graphics or images when you open a message. On your iPhone or iPad, go to Settings > Mail and turn off “Load Remote Images.” In Outlook, choose File > Options > Trust Center and check the box that says: Don’t download pictures automatically. Take similar steps for every device you use to check your email. This step will usually prevent the attacker from knowing you opened the email message, but you have to change the setting before receiving the message.

Cover up the cameras on your computers, tablets, and phones if you do not use the camera often.

If you do receive one of these messages, print it out and save it in case you need it for evidence in the future. Do not forward the message unless you are confident that the transmitted message contains no graphics.

Assuming that the accusations are false, do not respond at all. Behave as if you never received the message.

It is up to you to decide if you want to warn family, friends, and everyone else in your address book in case the attacker follows through with their threat. Reassure your contacts that the contents of the message are false.

Make a detailed log, and make copies of all email messages, phone calls, and text messages you receive from them. Submit a complaint at ic3.gov. Contact the police if you fear that your life is in danger. If the email message came from Gmail, notify Google and they can investigate.

Reset sensitive passwords and enable two-step verification on websites where you log in. Be sure you are current on all security patches on all of your devices.

Please forward this to everyone that you know so that they will prepare for a threatening message that contains their real password.

The Insanity of Your Network – Storing Keys in the Same Place as Everyone Else

Imagine that you have a fleet of dozens of expensive vehicles, and you keep all of their keys in a locked cabinet. There is a master key that opens the cabinet.

You assign your IT team the responsibility to secure and manage the keys to the vehicles, so you give each member of your IT team a copy of the master key.

Here is where it gets crazy: Suppose that there is a well-known tradition, in all companies, for IT professionals to store their master keys in the top drawer of their desks. Unfortunately, if someone wants to steal a vehicle, they know right where to find a master key. They can take all the cars once they gain access to the master, and they know exactly where to find it.

In the real world, your IT team has the responsibility to secure and manage your most sensitive data. In doing so, they have the master keys that unlock all the other keys. It is a tradition to give all IT professionals, and even outside consultants, keys to the master lockbox. The shocking part is that all IT professionals are encouraged to store the master keys in the same place, in the default well-known security groups named schema, enterprise, and domain admins.

Your IT team must create new security groups, with different names, in which to store the master keys. It is crucial that the new groups only provide specific privileges to member users on a need to know basis. It is ok if this strategy is new to them.

To measure this, ask your IT professionals to show you what users are members of those default security groups. Discuss moving those users into specific groups that provide the least amount of access they need to perform their work. Depending on the complexity of your system, this may take more time. IT professionals are always busy, so discuss with them their current projects, then prioritize this essential security improvement accordingly.
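
One way IT can produce the membership list described above, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the directory; the column names in the report are this example's own.

```powershell
# Added example: list every account that holds membership in the default
# Schema Admins, Enterprise Admins, and Domain Admins groups.
# Assumption: RSAT ActiveDirectory module, read access to the directory.
Import-Module ActiveDirectory -ErrorAction Stop

$forest  = Get-ADForest
$rootSid = (Get-ADDomain -Server $forest.RootDomain).DomainSID.Value

# The groups are addressed by well-known RID instead of by name, so the
# report still works where a group has been renamed or localized.
# Schema Admins (518) and Enterprise Admins (519) exist only in the forest
# root domain; every domain has its own Domain Admins (512).
$targets = @(
    [pscustomobject]@{ Label = 'Schema Admins';     Sid = "$rootSid-518"; Domain = $forest.RootDomain }
    [pscustomobject]@{ Label = 'Enterprise Admins'; Sid = "$rootSid-519"; Domain = $forest.RootDomain }
)
$targets += foreach ($domain in $forest.Domains) {
    $domainSid = (Get-ADDomain -Server $domain).DomainSID.Value
    [pscustomobject]@{ Label = 'Domain Admins'; Sid = "$domainSid-512"; Domain = $domain }
}

$report = foreach ($t in $targets) {
    try {
        # -Recursive expands nested groups down to the individual accounts,
        # so access granted through a group inside a group is not missed.
        $members = @(Get-ADGroupMember -Identity $t.Sid -Server $t.Domain -Recursive -ErrorAction Stop)
    } catch {
        Write-Warning "Could not read '$($t.Label)' in $($t.Domain): $($_.Exception.Message)"
        continue
    }

    foreach ($m in $members) {
        # Pull account state for users; members from another domain may not
        # resolve against this server, in which case the fields stay empty.
        $user = $null
        if ($m.objectClass -eq 'user') {
            try {
                $user = Get-ADUser -Identity $m.distinguishedName -Server $t.Domain `
                    -Properties LastLogonDate, PasswordLastSet -ErrorAction Stop
            } catch {
                Write-Verbose "No user details for $($m.distinguishedName)"
            }
        }

        [pscustomobject]@{
            Group           = $t.Label
            Domain          = $t.Domain
            Account         = $m.SamAccountName
            Type            = $m.objectClass
            Enabled         = $(if ($user) { $user.Enabled })
            LastLogonDate   = $(if ($user) { $user.LastLogonDate })
            PasswordLastSet = $(if ($user) { $user.PasswordLastSet })
        }
    }
}

# Full list for the discussion with executives, then a count per group.
$report | Sort-Object Group, Domain, Account | Format-Table -AutoSize
$report | Group-Object Group, Domain -NoElement | Format-Table Count, Name -AutoSize
```

Disabled accounts and accounts with an old LastLogonDate that still appear in the output are usually the first candidates to remove from these groups.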

Storing master keys in a well-known location is absurd, and it is likely that you are doing that now.

Can you Trust the Kindness of Tech Support Strangers?

If you place a call to tech support for your online accounting software or any program, and if the technical support representative on the phone asks you to download a diagnostic program to test your computer, think twice.

Their program already installed on your computer should be able to give them all the information that they need. Even if the tech support person does require you to install another program, there is a possibility that the diagnostic program has an undiscovered security vulnerability.

If you do decide to install the program, at least make sure that the file location they offer you is on their main website, not a misspelled version such as qickbooks.com or abode.com.

Additionally, refuse to permit tech support to log in to your computer, even if you were the one who called them. Do you want to trust the security of your computer to a stranger?

Ask if there is some other way to provide them with the information they need.

Beware of imposters asking you to provide remote access or asking you to download diagnostic software.

Stealing Tesla Cars, and Stealing Your Network with Agent Tesla

The 3 minute Tesla car stealing video is fun, and keep reading the next paragraph about your organization’s security too.

First the theft. Wired magazine published an article you can find by searching the title: Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob. Then, you can watch a security cam video of two men stealing a Model S in real life on YouTube. The thieves had to use Google to find out how to unplug the car. To see the short video, search: Tesla Model S Being Stolen Antony Kennedy.

Now, what affects you directly whether you own a Tesla or not. Many IT Professionals, consultants, and outsourced IT firms access your network remotely using tools designed to help them help your users solve technical issues. Example programs include GoToMyPC, TeamViewer, LogMeIn, VNC, and Splashtop. Some outsourced companies use a product called Agent Tesla to support their customers. If you visit the website agent tesla dot com, you will see that the product has additional features including stealing keystrokes, breaking passwords, and spreading itself like a virus through a network. It appears that some bad actors have been using this tool to infect computers at companies without the company’s permission. And the tech support representatives at Agent Tesla were more than willing to assist the bad actors.

A key takeaway is that user-friendly tools can permit non-technical people to hack your network without needing any technical know-how.

What if a disgruntled or unscrupulous worker in your company installs GoToMyPC, LogMeIn, or similar easy-to-use software on computers in your private offices? They could overhear private conversations without anyone knowing. One of our clients experienced millions of dollars of embezzlement because a trusted worker used one of those programs on the computer that was in the conference room. The embezzler was not technically savvy at all, and he heard enough confidential information to embezzle millions and wreak all kinds of havoc. He did not need to use the additional user-friendly features that Agent Tesla provides including password cracking and automatic infection of other computers, but he could have.

Visit with your IT professionals. What are you, as an organization, doing to protect yourself from someone intentionally utilizing a readily available program, such as Agent Tesla, to infect your network, spy on your workers, steal information, and break your passwords?

The CEO, Owner, President, and other chief executives suffer the most when an attack devastates an organization. Most of them wish they’d have taken more of an active role in security. Learn from their mistakes, before it is too late.


You Might Stop Receiving Essential Email Messages, and What to Do About It

If someone ever impersonates you via email, you may stop receiving legitimate email messages too. Computers belonging to people who received a fake email message may automatically send all new messages to the phony address instead of yours. Senders don’t realize what is happening, and you stop receiving essential email messages.

Consider Nick. One day, one of his friends notified him that they received an email message that appeared to be from Nick saying he was in a predicament and wants them to send money. Of course, Nick did not send the message. Someone is impersonating him! The recipient was aware enough to realize the request for payment was counterfeit.

Then, the unexpected happened. Some of Nick’s business associates, customers, and friends complained, “Hey Nick – Why haven’t you replied to that email message I sent you last week?” His associate named Tony felt snubbed because Nick stopped replying to his messages. Nick had no idea Tony was sending messages because Nick never received any of them.

The cause of this problem is that, unbeknownst to most people, when a bad actor sent the fake email with a made up email address, the recipient’s computer stores the phony email address to be used in the future to auto-fill the “To:” address field.

Check your computer. When you start to compose an email message and begin typing the name of the person to whom you are sending the message, does their name show up automatically on a list before you finish typing?

A bad actor might have impersonated you by spoofing your email address with a fake one: Nick Stark <Nich0las @yahoo.com>. But your real email address may be Nick Stark <NStark @yourcompany.com>. While your name is the same, the addresses are different.

From now on, when someone sends an email to you, their address book will auto-fill “Nick Stark” as they type your name into the “To” box in the email message. Unless they pay special attention, their email program may send the email message to the fraudulent email address. You will not receive the email, and the sender expects that you will.

One way you can solve this is to ask people, whenever they send you an email message, to verify that the email address that shows up as they fill in your name as the recipient is Nstark @yourcompany.com. If they see your name with the wrong email address in their auto-fill list, they should click the option to delete the record with the fake address.

If you have ever been the victim of spoofed email messages sent in your name, you should notify your contacts. If people complain that you do not receive email messages they send you, you should advise your contacts as well.

The auto-fill feature is helpful when sending email messages, but it can come back to bite you if an attacker ever impersonates you in an email message.
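
The check described above can be run over an exported contact or auto-complete list. This is an added example, not part of the original post; the function name `Find-DisplayNameCollision` and every name and address in the sample list are constructed for illustration.

```powershell
# Added example: flag display names that map to more than one email address,
# which is the condition that lets auto-fill pick the impostor's address.

# Constructed sample entries, in the "Name <address>" form that mail clients
# export. None of these are real addresses.
$entries = @(
    'Nick Stark <nstark@corp.example>'
    'Nick Stark <nich0las@webmail.example>'    # same name, different address
    'Tony Reyes <treyes@partner.example>'
    'tony reyes <TReyes@partner.example>'      # same person, only case differs
    'Dana Cole <dana.cole@corp.example>'
    'not an address at all'
)

function Find-DisplayNameCollision {
    param([Parameter(Mandatory)][string[]]$Entry)

    # Parse each entry; names and addresses are lower-cased so that case
    # differences alone are not reported as a collision.
    $parsed = foreach ($e in $Entry) {
        try {
            $addr = [System.Net.Mail.MailAddress]::new($e)
            [pscustomobject]@{
                Name    = $addr.DisplayName.Trim().ToLowerInvariant()
                Address = $addr.Address.ToLowerInvariant()
            }
        } catch {
            Write-Warning "Skipping entry that is not a mail address: $e"
        }
    }

    # A display name with two or more distinct addresses needs a human look.
    $parsed | Where-Object Name | Group-Object Name | ForEach-Object {
        $group     = $_
        $addresses = @($group.Group.Address | Sort-Object -Unique)
        if ($addresses.Count -gt 1) {
            $domains = @($addresses | ForEach-Object { ($_ -split '@')[-1] } | Sort-Object -Unique)
            [pscustomobject]@{
                DisplayName = $group.Name
                Addresses   = $addresses -join ', '
                Domains     = $domains -join ', '
                # Different domains under one name is the stronger signal.
                CrossDomain = $domains.Count -gt 1
            }
        }
    }
}

Find-DisplayNameCollision -Entry $entries | Format-List
```

On the sample list only "nick stark" is reported, with both addresses and `CrossDomain` set to true; the two Tony Reyes entries collapse to one address and are not flagged.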

Send this message to your friends, especially if anyone ever fakes their email address, so they can help ensure that they receive legitimate email messages.

Happy Computer Security Day!

November 30th is Computer Security Day. Today is a great day to remind your team members to continue to be extra vigilant as they watch for spam email messages. 

Encourage and provide time to your team to keep your systems up to date with all critical security patches for operating systems, Office, browsers, Flash, Java, and Reader. Ask them to show you a list, not a pie chart, of missing critical security patches. If they haven’t checked lately, this is an excellent time for them to be sure the firmware is up-to-date in the firewall and other infrastructure devices.

Thank you for all you are doing to protect against ransomware and all types of cyber threats. You are helping make the world a safer place to live and work!

Attackers are Targeting High Net Worth Individuals


An experienced high-level executive shared his concern about how attackers are investing more time targeting high net worth individuals. If you fall into that category, especially now, you must be extra vigilant to protect yourself, your family, and your organization.

The exploits may come in the form of attempts to get you to transfer money to a friend, someone threatening to send out defamatory information about you unless you pay them not to, or phony messages attempting to acquire some personally identifiable information from you.

Be sure to alert your family members that, even if an email message appears to be from you, it could be a forgery. Family members should verbally speak to you if there is ever a concern about any communications that are purportedly from you. No one should ever respond to a suspicious email or text message.

Additionally, there are crucial steps you must take to help protect all of your devices, including iPhones, iPads, Androids, laptops, and desktop computers.

Keep the devices locked up when they are not in your possession. If someone gains physical access to your device, it is possible that they can steal information, both your history and your real-time activity, now and into the future.

Be sure to apply critical security updates to the operating systems and the browsers, when prompted. But watch out for fake requests. Update alerts should never come via email or text message; those are bogus and dangerous.

There are so many steps to take and, primarily, you must have a heightened awareness that you, as a high net-worth individual, are at an increased risk of attacks.

Please forward this to your friends, so that they are extra vigilant too.

773 Million Passwords Exposed – Were You Exposed?


Today Troy Hunt announced that a collection of 773 million usernames and passwords was released. This release of passwords, dubbed Collection #1, contains usernames and passwords that have shown up on the dark web over the past two or three years. Think of Collection #1 as being a value pack of bundled old password lists.

If you want to find out if your passwords were released, visit his site called https://haveibeenpwned.com. If you elect to enter your email address, he will tell you if it is in the collection and give you more details.

What do you do if you are on the list? Reset your passwords. Use a password manager that will remember your passwords for you to make your life easier when you use a different password at each website from now on.

Now is a great time to enable two-step verification. A basic form of two-step verification is when you enter a username and password, and you receive a text message code to type in. Enable two-step verification on PayPal, LinkedIn, Dropbox, Facebook and every other web service you use. On each website, look for Settings > Security. You may need to dig down; more reputable sites now support two-step verification, but you must enable the feature.

Some bad news is that, about a week ago, a tool called Modlishka showed how to break two-step verification, so it isn’t that secure, but two-step verification is still more secure than a simple username and password combination. If a website allows it, have it use some method other than texting you a password. Using an app on your phone or calling you via a voice call are options that are often more secure than the text message. Microsoft, Google, and a service called Duo offer these options and more. Having a hardware key is even better unless your laptop users leave the key stored in the laptop case, and their password written on the bottom of the laptop.

Find Out if You Can Collect a Bundle from the Equifax Breach


There is a strong chance that hackers obtained your identity information in the Equifax breach. It exposed 148 million Americans’ sensitive information, and that sets you and your family up for identity theft. If you already suffered identity theft and can prove Equifax was the source, you might get up to twenty thousand dollars.

Beware of additional fraud. Several sites are claiming to help you find out if you were part of the breach, but of course, the sites ask for personal information. Be safe: Use the contact information provided by Equifax. The Equifax FAQ says to visit: https://www.equifaxsecurity2017.com/

To find out if you are affected, that site points you to: https://www.equifaxbreachsettlement.com/

For identity theft, credit monitoring is helpful, so you know you are a victim, but by then, it is too late.

Placing credit freezes is a critical step in preventing your identity from being stolen.

Freeze your credit, and that of everyone in your family, at all major credit bureaus. To save you time, here are four and how to reach them:

Experian (888) 397-3742
https://www.experian.com/freeze/center.html

TransUnion LLC – To Freeze: (888) 909-8872
https://www.transunion.com/credit-freeze

Equifax Information Services, LLC (800) 685-1111
https://www.equifax.com/personal/credit-report-services/

Innovis – To Freeze: (800) 540-2505
https://www.innovis.com/personal/securityFreeze

Please forward this to your friends. If they don’t understand the importance of a credit freeze, the FTC provides more information at https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
