Password Protection

Password Protection

Password management is one of the most basic ways of securing your network and data. However, a surprising number of people do not practice password protection, leaving their computer systems vulnerable to hackers.

Hackers are constantly searching for passwords with which to penetrate your computer network. Phishing attacks, for example, will urge your people to log into a fake site using their passwords, recording them if they comply. Some use a brute force method using common words and phrases. Unsecured devices such as a personal computer or mobile device or a hotel kiosk can be infected with malware that captures passwords.

With that in mind, here follow some suggestions for sound password management.

  • Use long strings of characters, a good mix of alphanumeric and special characters. Avoid common words and phrases. Do not use familiar phrases such as birthdays, anniversaries, favorite TV shows, etc.
  • Never write down your passwords and leave the document in an unsecured location. A surprising number of people will write down a password on a post it note and leave it attached to their work station.
  • Never share your password, especially with someone outside your organization.
  • Be wary about logging into the system with a personal device from offsite. Always use a device that has been secured against malware by your data security people.
  • Never respond to phishing attempts. Do not open suspicious emails, and do not comply when they ask you to log into a website using your password. If you think you have fallen for such a scheme, change your password immediately, and contact your data security department,
  • Change your password periodically, at least every quarter.
  • Never use the same password for different devices.
  • Make sure that no one is looking over your shoulder when you key in your password,
  • Run antivirus software periodically to clean your computer of malware, such as a keylog virus that can pick up your password.

For more information contact us.

Cyber Security Roundup for the First Half of 2018

Cyber Security Roundup for the First Half of 2018

Each day tens of thousands of people from all over the world are hacked. Not just sent run-of-the-mill phishing emails, but legitimately hacked. This has made the cyber security industry grow at a rate only surpassed by the Internet of Things (which ironically may be one of the largest threats to cyber security in the world).

We thought it would be good to go over some of the largest cyber crimes of the first half of 2018, and some telling statistics that will give you an idea of what exactly you are up against.

In trying to establish what were the most devastating hacks, we’ve combed through this year’s records and have decided to break it down by public and private hacks. Public hacks have to do with individuals and municipalities, while private hacks are the ones that infiltrate businesses and make available thousands and millions of records for sale. Without further ado, here are the biggest hacks so far in 2018:

Private

January

  • 280,000 Medicaid records were exposed when a hacker broke into Oklahoma State University Center for Health Sciences. Patient names and provider names of these individuals were exposed.

February

  • FedEx had customer records leaked after an unsecured server owned by a company acquired by FedEx, Bongo International, was hacked. Over a hundred thousand files, including names,drivers’ licenses, national ID cards, voting cards, and utility bills were exposed.

March

  • Travel booking site, Orbitz, had a security vulnerability that resulted in upward of 880,000 customers’ payment card information, or about two whole years of customer data, taken off their server.
  • French news site L’Express exposed reader data by leaving a database up for weeks without a password needed for access. After being warned, the Paris-based periodical left the database exposed for weeks.
  • Hackers gained access to 134,512 patient and financial records after a malware attack at St. Peter’s Surgery and Endoscopy Center in Albany, NY.
  • Under Armor, one of the largest sports apparel brands in the world, had their mobile application, MyFitnessPal, hacked, exposing around 150 million people’s personal information.
  • Aerospace giant Boeing was hit by the WannaCry ransomware that affected “a few machines” that weren’t protected with Microsoft’s 2017 patch.

May

  • Twitter forced its hundreds of millions of users to change their passwords after admitting that, at one time,user passwords were stored in plain text, and may have been exposed to internal company staff.
  • An unauthenticated API found on T-Mobile’s website exposed the personal information of all of their customers,by simply using their cell phone number. Information that was available included full name, address, account numbers, and in some cases, tax IDs.
  • A bug found in Atlassian development software titles Jira and Confluence allowed hackers to infiltrate the IT infrastructures of several companies and one U.S. government agency.
  • The predominant way for American travelers to secure European rail tickets, Rail Europe, had a three-month breach of credit cards. It’s thought that thousands of users’ credit card information was taken in the breach.

June

  • Around 340 million records were stolen from marketing company Exactis. It may be amazing to you that a company that you have never heard of leaked what amounts to the personal information of nearly every American. The company, which aggregates and compiles business and consumer data, has been hit with a class action lawsuit in response to the breach.
  • Apparel giant Adidas had their website hacked, resulting in the loss of a few million people’s personal and credit card information.
  • At least 800 e-commerce sites,including Ticketmaster, had consumer card information skimmed in a huge campaign by a hacker collective named Magecart. Targeting third-party developers, they are able to alter code and syphon off the information they wanted.

Public

January

  • Department of Homeland Security was affected by a data breach that exposed 247,167 current and former employees and other individuals.

March

  • The City of Atlanta, Georgia was hit with a ransomware attack, dubbed SamSam, that caused a massive problem for their municipal infrastructure. Hackers asked for $51,000 to release the encrypted files, a number Atlanta’s leaders were unwilling to meet. It has subsequently cost the city more than 10x that. In fact, as of early June, there were still some parts of the city that were using analog or manual systems.Some experts believe that the total cost to taxpayers will be nearly $20 million.
  • India’s national ID database, Aadhaar, leaked data on over a billion people. In one of the largest-known breaches in history, a user could pay 500 rupees ($7) and get the login credentials that allowed anyone to enter a person’s 12-digit code and get their personal information. An additional 300 rupees ($4.20) gave users access to software through which anyone could print an ID card for any Aadhaar number.
  • It came to the forefront that Cambridge Analytica, the data analytics company that U.S. President Donald Trump used to help his campaign had harvested personal information from over 50 million Facebook users without their permission. While Facebook denied this was a “data breach”, Cambridge Analytica was banned from the service over the ordeal.

June

  • A major hack at a U.S.Government-funded active shooter training center exposed the personal data of thousands of U.S. law enforcement officials, while also exposing that many police departments are ill equipped or unable to respond to an active shooter situation.

These are just the most major of the hacks of 2018. There is still major fallout from 2017’s major breaches, including the Friend finder hack that exposed 412 million user accounts and the Equifax data breach that affected 148 million people. In fact, even though the hacks referenced above cover a lot of ground, hundreds of organizations have their cyber security compromised each day.

According to billionaire investor Warren Buffet, there is reasonable evidence that there could be a major cyber attack that could cost insurers tens of billions of dollars. The statistics back this up:

  • In 2017 over 130 large-scale breaches were reported, a 27 percent increase over 2016.
  • Nearly 1-in-3 organizations have experienced some sort of cyberattack in the past.
  • Cryptojacking (stealing cryptocurrency) increased 8,500 percent in 2017.
  • 100,000 organizations were infected with the WannaCry ransomware (400,000 machines).
  • 5.4 billion WannaCry attacks were blocked in 2017.
  • The average monetary cost of a malware attack for a business is $2.4 million.
  • The average time cost of a malware attack for a business is 50 days.
  • Ransomware cost organizations over $5 billion in 2017.
  • 20 percent of cyber attacks come from China, 11 percent from the United States, and six percent from the Russian Federation.
  • Phone numbers are the most leaked information.
  • 21 percent of files are completely unprotected.
  • 41 percent of companies have over 1,000 sensitive files left unprotected.
  • Ransomware is growing at 350 percent annually.
  • IoT-based attacks are growing at about 500 percent per year.
  • Ransomware attacks are expected to quadruple by 2020.
  • 7.7 percent of web requests lead to malware.
  • There were 54 percent more types of malware in 2017 than there were in 2016.
  • The cyber security market will be worth over $1 trillion by 2025.

Cyber security risk is high, and it’s just getting more and more risky. By assessing your company’s cyber security health the IT professionals at WheelHouse IT can put you with the solutions and services needed to keep threats at bay.

If you are looking to improve your cyber security, or if you would like to know how to, contact us today at (877) 771-2384.

Artificial Intelligence May Give Hackers Their Greatest Weapon Yet

Artificial Intelligence May Give Hackers Their Greatest Weapon Yet

Artificial intelligence has been making waves in the world of cyber security, as machine learning could potentially make the solutions we have today smarter and better at their intended jobs.

However, artificial intelligence has also appeared on the other side of cyber security, as cyber criminals have begun to leverage A.I. as well.

This only makes sense. After all, a computer can work a lot faster than a hacker can, with a lot less of a chance of human error. Hackers have discovered this, and have put A.I. to work deploying phishing attacks.

A study conducted by the security firm ZeroFOX in 2016 found that an AI that they programmed, called SNAP_R, was able to send simulated spear-phishing tweets at a rate of 6.75 per minute, successfully tripping up 275 victims out of 800 targeted users.

On the other hand, a staff writer from Forbes who participated in the study could only produce these tweets at a rate of 1.075 each minute, only fooling 49 out of a total of 129 attempts.

More recently, a team from IBM was able to create programs that use machine learning to create programs capable of making it past some of the best defenses out there.

This only shows that we’ll soon see malware that is powered by A.I., assuming it isn’t out there already and it just hasn’t been discovered yet.

IBM’s project, nicknamed DeepLocker, was able to demonstrate how a hacked videoconferencing software was able to activate itself when a target’s face was detected in a photograph. The lead researcher for the IBM team, Marc Ph. Stoecklin, called this kind of attack the next big thing, going on to say, “This may have happened already, and we will see it two or three years from now.”

Other researchers have also demonstrated how A.I. can be leveraged in an attack, going so far as to only use open-source tools intended for training purposes to do it.

What do you think? Are there already artificially intelligent attacks being played out, or do you think the big reveal is yet to come?

Let us know what you think in the comments!

When a Security Breach Happens at Home

When a Security Breach Happens at Home

These days a security breach is all too common and happens fairly often, for the most part. For the most part, these breaches tend to happen in the workplace or are directed at certain high-end servers or security systems.

However, a lot of these systems that have been breached are also located in people’s homes. Unfortunately, despite a large number of breaches that occur today, many people have managed to convince themselves that it will never happen to them which can result in it being rather shocking when they do inevitably experience a security breach in their own life.

With that in mind, here are a few things that can CyberArk currently uses to help customers deal with these security problems.

Loosely Connected Devices

Employing a method of organizing files and computer systems that has the various parts of the network and file systems organized in such a way that it keeps the pieces only as connected as it needs to be rather than having every little piece of the system connected to every other piece will be extremely helpful. It will make it much more difficult for any potential hacker to access the data that they are after if you don’t have every single piece of data connected to each other.

Credential Theft

Regardless of what you do to try and prevent it, data thieves will find their way into your system eventually and you need to be prepared for when this happens.

The new Endpoint Privilege Manager can help with this by blocking the theft of vital data containing credentials and prevent hackers from gaining free movement across your network.

If a new spree of cyber security attacks have you questioning your ability to defend your data from hackers then contact us today to get the answers you need on how to deal with this problem.

Managed Security Services: Don’t Be a Victim of Search Engine Hacking

Managed Security Services: Don't Be a Victim of Search Engine Hacking

Search engines such as Google are useful tools for quickly finding web pages that best match the searcher’s needs, but managed security services will save you from getting hacked.

Search engines are highly versatile in that they aren’t limited to finding web pages. By using the right search operators in a search query, documents such as PDF files and spreadsheets can be found and downloaded.

This makes search engines ideal for the hacker looking for easy access to sensitive information or to gather general information about potential hacking targets.

Any type of file with Internet exposure can be accessed provided it has been indexed by the search engines. It’s a simple matter of using the file type search operator followed by a file extension that corresponds to an Excel spreadsheet, OpenOffice spreadsheet, word document, text file, backup file, database file, and so forth.

If the hacker is after passwords, his search query would include any words that would likely be found in such a file including the words “username” and “password.”

A good file type for finding sensitive information might be an Excel spreadsheet, since businesses and individuals make extensive use of them for information records, including passwords.

Many camera devices are controlled from web browsers. These can be found by searching for words commonly used on these pages, or URL strings commonly used for specific camera devices. Controlling the camera amounts to visiting the web page and using the controls to view the area that’s surveilled.

A hacker with good tech knowledge can contrive hundreds of search queries targeting files and web pages containing sensitive data or information that reveals easily exploited vulnerabilities.

Protecting Your Website From Search Engine Hacking

  • Use the robots.txt file. Use the robots.txt file to request that search engines not crawl portions of your website. Search engines should honor this request but you shouldn’t completely count on it.
  • Don’t expose sensitive information to the Internet. Don’t store sensitive information on servers accessible by the Internet. This includes cloud services that lack strong security procedures. Vet your cloud service provider carefully.
  • Password protect web pages not meant for public viewing as well as your spreadsheets and other documents. If such protection isn’t available for a particular document type, don’t use it.
  • Use a modern website. Some of the earlier websites stored login passwords in unencrypted form in text files.

Finally, get help from professional security experts such as those at WheelHouse IT. To learn more about keeping your data safe and about our managed security services, contact us.