Why you are at risk if you use SMS for two-step verification


Do two-step verification the right way to keep hackers at bay.

Google this month began moving people away from receiving two-step verification codes via SMS. Starting last week when signing into your account, you may have received an invite from Google to start receiving prompts via the Google app instead of six-digit codes via your texting app.

Google is making this move because its new prompts are more secure than SMS. They also make the process of signing into your account quicker and easier. Time for a quick Q&A:

Wait, what is two-step verification?

Two-step verification (2SV if you are into the whole brevity thing, although it’s also called two-factor authentication or 2FA) adds a layer of security to your online accounts, from Amazon, Apple and Google to Facebook, Instagram, and Twitter. Instead of entering only your password to access an account, you need to enter your password — the first verification factor — and then a code sent via SMS or a prompt via an authentication app — the second factor. This means a hacker would need to steal both your password and your phone to break into your account.

So, why the move away from SMS?

For the simple fact that receiving 2SV codes via SMS is less secure than using an authentication app. Hackers have been able to trick carriers into porting a phone number to a new device in a move called a SIM swap. It could be as easy as knowing your phone number and the last four digits of your Social Security number, data that tends to get leaked from time to time from banks and large corporations. Once a hacker has redirected your phone number, they no longer need your phone in order to gain access to your 2SV codes.

Also, if you sync text messages with your laptop or tablet, then a hacker could gain access to SMS codes by walking off with such a device of yours.

Then there are the weaknesses in the mobile telecom system itself. In what’s called an SS7 attack, a hacker can spy via the cell phone system, listening to calls, intercepting text messages, and seeing the location of your phone.

All of the above scenarios are bad news for those receiving 2SV codes via SMS.

What should I use instead?

An authentication app such as Google Authenticator, Microsoft Authenticator or Authy. It has the advantage of not needing to rely on your carrier; codes stay with the app even if a hacker manages to move your number to a new phone. And codes expire quickly, usually after 30 seconds or so.

In addition to being more secure than SMS, an authentication app is faster; you need only to tap a button to verify your identity instead of the hassle of manually entering a six-digit code.

What is Google Prompt?

Google Prompt lets you receive codes without using SMS or a separate authentication app. It’s baked into Google Now on Android and the Google Search app for iOS. Learn how to set up Google Prompt.

Do I even need two-step verification if SMS is so vulnerable?

Yes! In addition to creating strong passwords and using different passwords for each of your accounts, setting up two-step verification is the best move you can make to secure your online accounts — even if you insist on receiving codes via SMS. Two-step verification via SMS is better than one-step verification where a hacker needs only to obtain or guess your password in order to gain access to your data. Don’t be the low-hanging fruit with an account that is the easiest target for hackers.

But two-step verification is a hassle

That’s not a question, but my counter would be that it’s less of a hassle when done right and you are receiving codes via Google Prompt or an authentication app where you don’t need to enter six-digit codes. Sure, even then it does force you to take an extra step of grabbing and tapping your phone after entering your password to log into one of your accounts. I would argue, however, that the hassle of the second step of two-step verification pales in comparison to the hassle of getting hacked. At best, getting hacked is a hassle. More often, it’s a mix of anger, pain and confusion.

July 31, 2017

5 privacy settings you should change in Windows 10


With its Windows 10 Creators Update, Microsoft is attempting to be more transparent with its privacy settings. It may have simplified some of the language of its policies, but there is still work to be done.

Here are five privacy-related settings you can change for a less invasive and more secure Windows 10 experience.

Stop Cortana from getting to know you

In order for Cortana to be the best virtual personal assistant ever, she’ll ask you early on if she can “get to know you” through the way you interact with your device — namely, your speech, handwriting and typing patterns. The “getting to know you” feature also allows Windows 10 to collect other information about you, including your calendar, contacts, location and browsing history, according to Microsoft’s privacy statement.

You can stop Cortana from getting to know you. If you do this, you will not be able to use voice dictation to speak to Cortana, and all personal information that Cortana has collected will be cleared.

To turn this off, go to Settings > Privacy > Speech, inking & typing. Under Getting to know you, click Turn off speech services and typing suggestions. This will turn off dictation and will clear any collected information from your device. You can also clear your collected information from Cortana’s settings menu, under Manage my voice data that’s stored in the cloud with my Microsoft account.

Turn off your location

If you’re using a mobile device, such as a tablet or a laptop, there are plenty of times when allowing Windows 10 and third-party apps to access your location is convenient. But that doesn’t mean that you should leave your location switched on at all times. When your location is switched on, Windows 10 stores your device’s location history for up to 24 hours and allows apps with location permission to access that data.

If you turn your location off, apps that use your location (such as the Maps app) will not be able to find you. You can, however, manually set a default location that apps can use as a stand-in.

To turn off your location, go to Settings > Privacy > Location. You can either turn off location for all users (under Location for this device is on > Change), or you can turn off location services for your account (under Location service). In this menu, you can also clear your Location history and allow certain apps to see (or not see) your exact location. Apps in the location list will have a note if they use location history data.

On mobile devices, you can quickly toggle your location services on and off in the Action center. You may need to expand the grid but you’ll find a Location button in there along with Airplane mode and the other quick action items.

Stop syncing

There’s a lot of syncing going on in Windows 10. If you sign in with a Microsoft account, your settings — including passwords — may be synced across other devices you sign into with the same account. Your notifications may also be synced across devices.

If you turn off syncing, your settings and passwords will not be synced across other devices when you sign in with your Microsoft account, so you’ll need to do things like enter passwords in manually.

To turn off settings syncing, go to Settings > Accounts > Sync your settings. You can either turn off all setting syncing at once, or you can toggle individual sync settings off.

To turn off notification syncing, open Cortana and go to Settings > Send notifications between devices. You can turn this off to turn off all notifications syncing, and you can also click Edit sync settings to manage your different signed-in devices.

Lock down your lock screen

The lock screen is the first thing anyone sees when they open up your device, and this screen can have a lot of information that you might not want strangers to access.

Here are three things you need to do to lock down your lock and log-in screens:

Make sure your notifications aren’t appearing on the lock screen. Go to Settings > System > Notifications & actions and turn off Show notifications on the lock screen. The downside to turning this feature off, of course, is that you won’t be able to see any notifications until you unlock your device.

Turn off Cortana on the lock screen by opening Cortana and going to Settings > Use Cortana even when my device is locked. The downside to turning this feature off is that you won’t be able to use Cortana while your device is locked. You can also limit her scope on the lock screen (instead of turning her off completely) by unchecking the box next to Let Cortana access my calendar, email, messages and Power BI when my device is locked. This way, you’ll still be able to ask Cortana to answer questions that don’t reveal any personal information while your device is locked.

Hide your email address on the log-in screen by opening the Settings menu and going to Accounts > Sign-in options > Privacy. Turn off the toggle under Show account details (e.g. email address) on sign-in screen. There’s pretty much no downside to turning this feature off, unless you really like seeing your email address.

Turn off your advertising ID

Each Microsoft account has a unique advertising ID that lets the company collect information about you and deliver a personalized ad experience across different platforms. If you sign into Windows 10 with a Microsoft account, those personalized ads will follow you onto your computer — you’ll see them in apps and possibly in the operating system itself (in the Start menu, for example).

To turn these ads off in Windows 10, go to Settings > Privacy > General and toggle off Let apps use advertising ID to make ads more interesting to you based on your app usage. You’ll still see ads, but they won’t be eerily personalized to your tastes and preferences.

Turning this feature off will prevent personalized ads from popping up in your Windows 10 experience, but won’t necessarily keep you from seeing personalized ads when you’re using your Microsoft account on other platforms. To get rid of ads on other platforms, such as in browsers, head to Microsoft’s advertising opt-out page.

Lastly, you can visit Microsoft’s privacy dashboard for your account to see what information it’s storing in the cloud about you, including your browsing and search history in Microsoft Edge and your location data.

July 20, 2017

Ransomware goes pro: How crooks are getting into customer service


The criminal operators are acting like legitimate firms, offering support services and even hiring graphic designers, researchers tell a Black Hat panel.

Hackers behind some of the most notorious ransomware around are taking some hints from legit Wall Street companies.

Malware strains like Locky and Cerber helped make ransomware a $25 million industry in 2016, and its operators are starting to operate like conventional corporations with “customer” service staff and outsourced resources, researchers explained Wednesday at Black Hat.

Ransomware has devastated hospitals, universities, banks, and essentially any computer network with weak security over the last 10 years, but attacks have become even more prevalent as infection rates and payments grow. The malware encrypts files on a victim’s computer and demands payments — one that reached $1 million — if the victim ever wants to get data back.

Researchers at Google, Chainalysis, New York University and University of California San Diego followed the money trail and got a look at the evolving ecosystem of ransomware. During the presentation at the Las Vegas conference, the team showed a new professional side to ransomware.

Instead of working as criminals, ransomware attackers are treating their victims as “customers” and bringing in support staff to deal with their “sales.” Yes, just like how your phone providers and banks have customer service, now, so does ransomware.

“It’s become a well-oiled machine,” said Elie Bursztein, Google’s anti-abuse research team lead. “It operates like a real company, that shows how mainstream it’s become and how much it’s here to stay.”

Customer service reps help victims find out how to buy cryptocurrency, like bitcoin, to pay the ransom and negotiate with victims to decrypt specific files. They also offer immunity packages to ensure victims can’t get hit again.

Bursztein said the development has been staggering, as ransomware has evolved into organized crime. Cybercriminals have even hired graphic designers to give their websites and malware a more inviting aesthetic.

Google’s research team also found that ransomware attackers have been outsourcing much of the heavy lifting to massive botnets to get people infected. Locky and Cerber both rented out the Necurs botnet to spam millions of emails in the hopes of spreading its ransomware around the world.

The outsourcing paid off, as Locky made $7.8 million in 2016, while Cerber raked in $6.9 million that year.

Cerber also lets criminals who can’t code malware get in on the cut by renting its ransomware out, Bursztein said. Low-tech crooks can buy Cerber’s ransomware as a service and rake in crumbs off the table based on how many people they’ve infected.

The strategy helped Cerber earn more than $200,000 a month and become the fastest-rising ransomware of 2017.

“Ransomware as a service has become a dominant model,” Bursztein said. “All you have to do is infect people, and then you get a cut.”

The researchers also found new variations of the Cerber ransomware that have been tweaked to get past anti-virus scanners. In 2017, there had been 23,000 new binaries for the Cerber ransomware, while Locky had 6,000 new variations.

Hackers are working around the clock to keep ahead of the competition to make as much money as possible. These sophisticated attacks, with business-minded infrastructure, make ransomware like WannaCry and NotPetya — which last month locked up devices at multibillion-dollar companies — look like imposters.

While Locky and Cerber pull in millions of dollars every year, WannaCry and NotPetya have struggled to break five figures. It’s more likely that WannaCry and NotPetya are covers for wipeware, attacks disguised as ransomware that are really after just destroying your data. They don’t have a supporting network, and in NotPetya’s case, the email to pay the ransom didn’t even work.

Google researcher Luca Invernizzi said the organization of ransomware in the last two years should be a “wake-up call.” He found that only 30 percent of people back up their data, making the majority vulnerable to ransomware attacks. As ransomware dives into organized crime, the rate of infection will only increase.

“This has become a full ecosystem where you have people who write the ransomware, people who manage the botnet, customer service, and people designing their payment sites,” Invernizzi said.

July 26, 2017

Computers are back on the list for Florida back-to-school tax holiday


On Aug. 4-6, consumers will pay zero tax on hundreds of items, from clothes and shoes ($60 or less) to school supplies ($15 or less) to computers ($750 or less), according to the Florida Department of Revenue. According to the FAQ sheet, if a person buys a computer valued at more than $750, the first $750 is NOT tax-exempt. Other computer-related accessories that qualify include keyboards, monitors, routers, non-recreational software, scanners, some printers, print ink, and digital data storage devices.

The Hackers Smell Blood Now, Not Silicon


Steve Morgan wrote an excellent post with the Top 5 cybersecurity facts, figures and statistics for 2017. These predictions and observations provide a 30,000-foot view of the cybersecurity industry. The comment about hackers smelling blood caught my eye…

“These top level numbers summarize the cybersecurity industry over the past year and indicate what’s in store for the next five years.

1. Cyber crime damage costs to hit 6 trillion dollars annually by 2021. It all begins and ends with cyber crime. Without it, there’s nothing to cyber-defend. The cybersecurity community and major media have largely concurred on the prediction that cyber crime damages will cost the world 6 trillion dollars annually by 2021, up from 3 trillion dollars just a year ago. “Cyber theft is the fastest growing crime in the United States by far,” according to U.S. President Donald Trump.

2. Cybersecurity spending to exceed 1 trillion dollars from 2017 to 2021. The rising tide of cyber crime has pushed cybersecurity spending on products and services to more than 80 billion dollars in 2016, according to Gartner. It’s not clear if that includes an accounting of IoT device protection and total consumer spending on security. Global spending on cybersecurity products and services is predicted to exceed 1 trillion dollars over the next five years, from 2017 to 2021.

3. Cyber crime will more than triple the number of unfilled cybersecurity jobs, which is predicted to reach 3.5 million by 2021. Every IT position is also a cybersecurity position now. Every IT worker, every technology worker, needs to be involved with protecting and defending apps, data, devices, infrastructure and people. The cybersecurity workforce shortage is even worse than what the jobs numbers suggest. As a result, the cybersecurity unemployment rate has dropped to zero percent.

4. Human attack surface to reach 4 billion people by 2020. As the world goes digital, humans have moved ahead of machines as the top target for cyber criminals. Microsoft estimates that by 2020 4 billion people will be online — twice the number that are online now. The hackers smell blood now, not silicon.

5. Global ransomware damage costs are predicted to exceed 5 billion dollars in 2017. That’s up from 325 million dollars in 2015—a 15X increase in two years, and expected to worsen. Ransomware attacks on healthcare organizations—the No. 1 cyber-attacked industry—will quadruple by 2020.

What does it all mean? Last year, Ginni Rometty, IBM’s chairman, president and CEO, said, “Cyber crime is the greatest threat to every company in the world.” And she was right. During the next five years, cyber crime might become the greatest threat to every person, place and thing in the world.

Security Flaw Exposes Millions of Verizon Customers’ Information


The personal data of as many as 14 million Verizon Wireless customers was recently discovered on an unprotected Amazon Web Services (AWS) server operated by Nice Systems, a Ra’anana, Israel-based software company, according to ZDNet.

Nice, whose overall revenue in 2016 topped $1.01 billion, is a software analytics firm that counts 85 of Fortune’s Top 100 companies as customers, and primarily works in two key segments of the enterprise software market: customer engagement and financial crime & compliance. Overall, the company serves upwards of 25,000 clients in over 150 countries, including several government agencies and major financial services entities, as well as telecom giants like Verizon.

The data, which included call records of Verizon subscribers who phoned into the company’s customer service department between January and June 2017, was discovered in late June by Chris Vickery, director of cyber risk research with security firm UpGuard, who privately informed Big Red of the data shortly after its discovery. While the data was ultimately secured within the week that followed, during the time it was unsecured it was easily downloadable by anyone who could guess the server’s web address.

What Data Was Obtained?

Records stored on the unsecured server included automatically-generated call logs containing information such as the customer’s name, cellular phone number, and account PIN. According to a Verizon call center representative who spoke to ZDNet on condition of anonymity, this information, if breached, could grant unauthorized users access to a subscriber’s account.

Whenever a Verizon subscriber calls into customer service, the interactions are recorded, transmitted, and analyzed by Nice Systems, which says it can “realize intent, and extract and leverage insights to deliver impact in real time” to help the company improve the quality of its customer service. Records spanning from January to June also contained “hundreds of fields of additional data,” including home and email addresses, additional Verizon services a customer is signed up for, and their account balance — just to name a few. Interestingly, the records also included each customer’s “frustration score,” which is determined based on whether they spoke certain keywords during their call.

While logs referenced “customer voice recordings,” ZDNet was able to confirm there were in fact no audio files discovered on the unsecured server — but for the most part, key customer data was still visible in written form.

Democratic Congressman Ted Lieu (D-CA), who is both a computer science major and a Verizon Wireless subscriber himself, described the exposure as “highly troubling.”

“I’m going to be asking the Judiciary Committee to hold a hearing on this issue because Congress needs to find out the scale and scope of what happened and to make sure it doesn’t happen again,” he told ZDNet.

Meanwhile, a Verizon spokesperson said the company is currently investigating how its customer data was improperly stored on the AWS server, as part of its “ongoing project” to improve customer service. “Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project,” the spokesperson said, while adding that “Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”

The silver lining in all of this, according to Verizon, is that the “overwhelming majority” of information stored on the server has “no external value.” “There is some personal information in the data set,” the spokesperson said, “but as indicated earlier, there is no indication that the information has been compromised.”

On Monday, Verizon followed up, claiming that an investigation determined “no other external party accessed the data.” However, when pressed for additional details, the company wouldn’t say how it came to that conclusion, citing security concerns.

A friendly word to the wise: if you’ve personally called into Verizon customer service at some point this year, you might want to change your account PIN just in case.
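The root cause Verizon describes above, storage “incorrectly set to allow external access,” is the kind of misconfiguration a defender can catch by reviewing the bucket policy before data lands in it. The following is an added example, not code from the article, from Verizon, Nice Systems or UpGuard, and not a reconstruction of the actual bucket: it is a small policy linter that flags `Allow` statements granting access to the anonymous principal (`"*"` or `{"AWS": "*"}`), and shows a constructed weak policy next to a corrected one that grants the vendor role only. The account ID, bucket name and role name are placeholders invented for the example.

```python
import json

# Constructed sample of the weak setting: anyone on the internet can list the
# bucket and fetch every object, which matches "downloadable by anyone who could
# guess the server's web address".
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-call-logs", "arn:aws:s3:::example-call-logs/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-call-logs/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed corrected policy: only one named IAM role (placeholder account ID and
# role name) may read, and the TLS-only Deny statement is kept.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VendorRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-vendor"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-call-logs", "arn:aws:s3:::example-call-logs/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-call-logs/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def is_anonymous_principal(principal) -> bool:
    """True when a statement's Principal is the wildcard, in either accepted form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def find_public_grants(policy_json: str) -> list:
    """Return the Sids and actions of Allow statements open to the anonymous principal.

    A wildcard Principal on a Deny statement is fine (it is how TLS-only rules are
    written), so only Effect=Allow counts. Statements carrying a Condition are
    reported separately for manual review rather than auto-flagged, because a
    condition such as a source-VPC restriction may legitimately narrow them.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": sorted(actions),
            "conditional": bool(stmt.get("Condition")),
        })
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(label, find_public_grants(policy))
```

The linter reads a policy document only, so it runs offline and can be pointed at policies pulled from version control or from an account inventory; in a live account it belongs alongside the S3 Block Public Access setting, which refuses such policies at the bucket and account level regardless of what an individual employee configures.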

ARE YOU PROTECTED?


Last year, SonicWALL detected over 64 million pieces of new and unique malware, much of which was aimed at recently announced application and system vulnerabilities. These new software weaknesses are often referred to as zero-day vulnerabilities. Also known simply as “zero-days,” these vulnerabilities either don’t have a patch available or have one that is not being widely used.

Hackers understand this and write malicious code to exploit these issues to either access systems (Trojans) or encrypt contents to be held for ransom (ransomware), as we’ve seen in the most recent exploits, including Wannacry and Petya, that have set off waves of alarm and recovery efforts around the globe. Despite the anxiety, however, active SonicWALL customers using up-to-date security services were largely unaffected by these security breaches, since SonicWALL blocked all vectors of the attacks before they began.

Having a firewall is the first step, but it is critical to have active security services in order to stop attacks. Our current generation of firewalls can inspect SSL/SSH/TLS traffic and take advantage of network sandboxing to discover and stop unknown threats in ways previous-generation firewalls cannot.

The Client Server would welcome the opportunity to discuss your SonicWALL network to ensure the full array of security services is being taken advantage of, and to maximize your organization’s protection.

Please let us know if you have any questions at all.

Contact Us @ The Client Server 239.495.8702 ask for Rob Cruz.

SonicWall.com

3 Often Overlooked IT Security Measures


Cybersecurity is a must in business today. Over the past few years, attacks have become more sophisticated and leverage common services such as web and email to gain access to secure networks. There are some basic security measures every company should utilize to combat threats, including regular patching, anti-virus and, of course, a perimeter firewall. However, we also recommend the following often-overlooked IT security measures that can make a difference in combatting potential attacks on your systems:

A Written IT Policy

Creating an IT policy can seem overwhelming, especially for small businesses, but it doesn’t need to be overly complex. A written IT policy can serve as the cornerstone of your security program and should reflect the policies and procedures necessary for your IT security strategy. It should outline acceptable use of technology, hardware and software standards, backup protocols, disaster recovery strategy and support services. It should be clear how to escalate problems or concerns so they can be addressed in a timely manner. Ultimately, implementing a written policy will reduce risk and increase productivity.

Access Rights and User Education

Training is a crucial aspect of securing your systems. The human element cannot be ignored, so it’s necessary to educate your employees on how to identify and address suspect emails to prevent phishing attacks, viruses and malware from compromising your systems. This action can be further reinforced by limiting access and user rights. This will help to prevent the installation of unwanted and malicious software.

Data Encryption

Data encryption comes with a trade-off. While it offers an added layer of protection for your data and systems, it also reduces performance. Nonetheless, it is certainly worth consideration. Encryption technology is available on most operating systems, making it an affordable protective measure. Once data is encrypted, it helps prevent theft or exposure, even when a drive is lost or stolen. It is also more difficult to recover deleted data from an encrypted drive.

Each of these often overlooked security measures can make a difference in securing your data and systems and therefore, limiting your risk.

IMMED10N 07/11/2017

Hackers targeting US nuclear power plants, report finds


Malware discovered in fake resumes aimed to steal engineers’ credentials, according to a report seen by The New York Times.

For the past couple of months, hackers have breached the computer networks of companies that operate nuclear power facilities in the US, according to a new report from federal law enforcement officials.

One of the companies targeted was the Wolf Creek Nuclear Operating Corporation, which operates a nuclear facility near Burlington, Kansas, according to a joint report issued last week by the FBI and Department of Homeland Security and described by The New York Times. The report carried an urgent amber warning, the second-highest rating for the severity of the threat, the Times reported.

Organizations running the nation’s energy, nuclear and other critical infrastructure have become frequent targets for cyberattacks in recent years. In a 2013 executive order, President Barack Obama called cyberattacks “one of the most serious national security challenges we must confront.”

President Donald Trump signed an executive order in May designed to bolster the United States’ cybersecurity by protecting federal networks, critical infrastructure and the public online. One section of the order focuses on protecting utilities grids like electricity and water, as well as financial, health care and telecommunications systems.

The government report didn’t indicate whether the purpose of the cyberattacks was espionage or physical destruction, but researchers concluded that hackers appeared to be mapping computer systems for future attack. The origin of the attacks is also unclear, but sources told the Times that hackers’ techniques resembled those used by a Russian hacking group known as Energetic Bear, which has been linked to attacks on the energy sector since 2012.

The report comes amid heightened concern that the Russian government hacked the US presidential election in November to ensure a victory for Republican Trump.

Hackers sent fake resumes containing malware to senior engineers who maintain broad access to critical industrial control systems, the government report said. When the recipients clicked on the documents, hackers could then steal their credentials, the Times reported.

A spokeswoman for the Wolf Creek Nuclear Operating Corporation declined to comment on the cyberattack but said there was “absolutely no operational impact” on the facility because corporate and operational networks are kept separate.

“The safety and control systems for the nuclear reactor and other vital plant components are not connected to business networks or the internet,” Wolf Creek spokeswoman Jenny Hageman said in a statement. “The plant continues to operate safely.”

July 6, 2017

Germany braces for cyberattacks at G20


A 24/7 special command center has been set up to defend against attacks via the internet.

Protests at next week’s G20 summit in Hamburg, Germany, could also come from all over the internet.

And that’s what’s worrying Germany’s top cybersecurity officials. Dozens of experts will stand by at a 24/7 command center among the 20,000 police with dogs, horses and helicopters there to deal with potential physical violence from the expected tens of thousands of protesters, reports Reuters.

“As the national cybersecurity agency … we’re concerned about everything from (persistent threats) to groups like Anonymous and Lulzsec that could be planning political protests using cyberattacks,” said Arne Schoenbohm, president of Germany’s Federal Office for Information Security, in an interview with the news agency.

Besides political protests from hacker groups, Schoenbohm is also concerned about attacks from cells linked to foreign governments, including Russia, which have been targeting Germany’s political parties and think tanks ahead of the country’s national elections in September.

It’s not the first time such attacks and attempts by hacker groups linked to Russia have taken place. The US elections were meddled with, and more recently, Russian hackers appeared to have targeted campaign staff of French president Emmanuel Macron with phishing attacks.

July 3, 2017