April 28, 2014

The Heartbleed Bug: What You Should Know



There has been extensive media coverage of the so-called “Heartbleed” bug, a flaw in the OpenSSL software that is used to encrypt data on the Internet. You likely have used OpenSSL without realizing it — it is found in websites that use the HTTPS protocol for secure communications, indicated by a padlock icon in the browser.

The Heartbleed bug is a serious issue affecting most Internet users and businesses. If a website uses OpenSSL with certain settings turned on, portions of the server’s memory could be exposed. As a result, the Heartbleed bug can compromise the secret keys used to identify trusted systems and encrypt information, enabling hackers to steal sensitive data.

The good news is that the bug has been fixed. However, it is up to individual website owners to implement the change within their systems. Many major websites have done so, but smaller organizations may take more time. It doesn’t help to change your password or take other action until the specific website has eliminated the bug.

Check with your service provider to determine if any of your websites are vulnerable. You should also take the following actions for other websites and web-based services you may use:

  • Immediately change your password on these sites: Facebook, Instagram, Pinterest, Tumblr, Yahoo, Amazon Web Services, Box, Dropbox, GitHub, IFTTT, Minecraft, OKCupid, SoundCloud and Wunderlist. (Google and PayPal were not affected.)
  • Check this list of popular sites to determine the status of other sites you may use. (Note that only 48 of the 1,000 sites tested were found to be vulnerable.)
  • Set your browser to check for revoked site certificates. Once a vulnerable site has fixed the security issue, they will revoke their old certificates and implement new ones. Your web browser must be configured to reject the old certificates. Call ICG if you need assistance.
  • Share this information with your business partners, customers and others with whom you exchange sensitive data. Their sites may be vulnerable, which could impact your business. If they do not have an IT provider, we will be glad to assist them.
  • Once a vulnerable site has been fixed, change your password immediately. If you change your password before the vulnerable site has been fixed, you will need to change it again after they fix it.

This is also a good opportunity to review your password policy and ensure that your team is following best practices:

  • Use strong passwords at least eight characters long with a mixture of letters, numbers and special characters.
  • Use a different password for each website and application.
  • Don’t write your passwords down or share them. Instead, use a good password manager to keep track of your various passwords.

ICG is here to help keep your business secure. Please let us know if we can answer any questions or be of further assistance.

April 9, 2014

Email Security Threats Are More Prevalent and Dangerous than Ever



There’s a reason why 95 percent of targeted security threats originate in email. Human beings are the weakest link in the security chain. If an email gateway is like a brick wall that surrounds the network and only lets in a small percentage of threats, a human being is often like a turnstile that only requires a gentle push to gain entry.

In a previous post, we discussed spam, which has been curbed significantly by the elimination of prominent botnets but still represents 70 percent of all email. Spam drains productivity, wastes network resources and provides hackers with a vehicle for phishing and spear phishing scams that use malware capable of bringing down entire networks. The rise of social media, web-based applications and mobile devices has made it easier for hackers to make their scams more believable and circumvent defense systems.

Most people are familiar with phishing, which occurs when cyber criminals, posing as a legitimate company, try to acquire sensitive information. This information can range from usernames and passwords to bank and credit card account numbers to social security numbers. Phishing scammers can also pose as disgruntled customers or claim that you’ve won a contest. They typically lure people to bogus websites, where they’re tricked into providing personal or sensitive information. In other cases, malware is automatically activated when a link is clicked.

Spear phishing is a more sophisticated, focused approach that targets specific organizations, and very often specific individuals, with a goal of stealing financial information, trade secrets and even confidential military data. It’s a more customized form of hacking. The sources of most phishing emails appear to be well-established websites and organizations. The sources of spear phishing emails, on the other hand, often appear to be executives and authority figures within the recipient’s organization. This increases the likelihood that the email will be opened and links will be clicked.

There has been no more widely publicized security breach than the one involving Target that compromised the credit card and personal data of more than 100 million customers. Reliable sources revealed to one reporter that the breach has been traced to an email phishing attack targeting an HVAC contractor that did business with Target.

A number of other phishing scams have made headlines within the past few months:

  • Hackers created a bogus landing page for Google Drive in an attempt to steal usernames and passwords of Gmail users. With “Documents” in the subject line, the email included a link to a page with a fake portal intended to make users think they needed to sign in to access Google Docs.
  • Apple users are receiving phishing emails that claim the user’s Apple ID has been disabled because someone attempted to log in from a different IP address. Users are then told to verify their identity by clicking a link that takes users to a fake Apple website.
  • Phishing emails from hackers claiming to be the Coinbase Team emerged in January, telling people that they’ve just received money from an external Bitcoin account. To view the bogus transaction, people have to click a link and sign in.

While more modern, sophisticated threats can be difficult to detect, there are steps you can take to avoid becoming the victim of a phishing scam and compromising your own or your employer’s private information.

  • Use common sense. For example, why would an anonymous person give you money out of the blue and provide no details? How could you have won a prize if you didn’t enter a contest? If it’s suspicious, delete it.
  • Look for obvious warning signs. Phishing emails often include a greeting with “Dear” or “To” and no name after them. If you received an email from a legitimate, established company, it wouldn’t come from a Gmail or Yahoo address, and the name of the company would have been spelled correctly. For example, a hacker may use an email address with “PeyPal” instead of “PayPal.”
  • Hover or “mouse” over links. This will usually show you the URL without having to click the link. If it looks the least bit suspicious, don’t click it, or call the organization’s customer service line for verification.
  • Make sure your operating system, browser, applications and security are up to date. You reduce the risk of a security breach when your online tools are current.
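
An added example, not part of the original post: three of the warning signs above (a Gmail or Yahoo sender, a misspelled brand such as “PeyPal”, and a link whose visible text differs from the address that hovering reveals) written as automated checks in Python. The watch list, the similarity threshold and the sample message are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

BRANDS = ("paypal.com", "apple.com", "google.com")  # assumed watch list
FREEMAIL = ("gmail.com", "yahoo.com")

def lookalike(domain):
    """Return the watched brand that `domain` nearly spells, or None."""
    if any(domain == b or domain.endswith("." + b) for b in BRANDS):
        return None  # the genuine domain or one of its subdomains
    return next((b for b in BRANDS
                 if SequenceMatcher(None, domain, b).ratio() >= 0.85), None)

class Links(HTMLParser):
    """Collect [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.found, self.open_a = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.found.append([dict(attrs).get("href") or "", ""])
            self.open_a = True
    def handle_data(self, data):
        if self.open_a:
            self.found[-1][1] += data
    def handle_endtag(self, tag):
        self.open_a = self.open_a and tag != "a"

def check_email(sender, html_body):
    """Return (warning_code, detail) pairs; the link check mimics hovering."""
    out, dom = [], sender.rsplit("@", 1)[-1].lower()
    if dom in FREEMAIL:
        out.append(("freemail_sender", dom))
    if lookalike(dom):
        out.append(("lookalike_sender", f"{dom} resembles {lookalike(dom)}"))
    parser = Links()
    parser.feed(html_body)
    for href, text in parser.found:
        host = re.sub(r"^www\.", "", (urlparse(href).hostname or "").lower())
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        shown = re.sub(r"^www\.", "", shown.group(0)) if shown else ""
        if shown and host != shown and not host.endswith("." + shown):
            out.append(("link_mismatch", f"shows {shown}, goes to {host}"))
    return out

SAMPLE = ('<p>Verify your account: <a href="http://login.example.net/v">'
          'https://www.paypal.com/signin</a></p>')  # constructed, not a real email
```

Calling `check_email("service@peypal.com", SAMPLE)` reports both the misspelled sender domain and the mismatched link; a message from the genuine domain whose link text matches its target produces no warnings.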

The first line of defense is your network’s automated security system. The final line of defense may be you. Be cautious, be skeptical and be careful.

April 3, 2014

How to Fight Back against Spam



Spam. The name attached to unsolicited commercial email seems almost silly, born as it was from a Monty Python skit. But spam is serious business, costing organizations millions of dollars each year and creating severe headaches for network administrators.

Spam comes to mail servers from two primary sources: commercial spammers and “botnets” consisting of millions of infected PCs running malicious software without their users’ knowledge. These networks of “zombie” computers are revenue-generating businesses for organized, professional criminals, and by far the most significant source of spam.

The elimination of several huge botnets caused spam volumes to decline in recent years. The world’s largest, Rustock, was taken down by security experts and the U.S. Marshals Service in 2011. At the time of the takedown, Rustock was estimated to have upwards of 2 million zombie computers under its control capable of sending 30 billion spam emails daily. The third-largest, Grum, was taken down in 2012. It was thought to be responsible for 17 percent of spam.

Still, about 70 percent of all email is spam, according to the latest research, accounting for more than 100 billion messages daily. Spam remains a significant threat, sapping productivity, consuming valuable network resources and providing a conduit for the distribution of malware and phishing scams. The CryptoLocker malware, for example, is spread through phishing emails with a malicious attachment.

Experts recommend a two-pronged approach to spam prevention. The first step is to close any security holes that might enable spammers to use your mail server for their illegal activities. The second prong involves filtering email at the gateway and preventing spammers from “harvesting” legitimate email addresses.

While no spam protection solution is foolproof, the latest offerings use state-of-the-art technology to keep up with ever-changing spam and malware exploits. This is critical as spammers use increasingly sophisticated techniques to dupe unsuspecting users into opening malicious attachments.

Five Steps You Can Take

The best way to have an immediate impact on the amount of unwanted email received by your organization is to establish clear policies and educate users about spam risks. Network security firm Sophos offers the following tips:

Never make a purchase from an unsolicited email. If spamming weren’t economically viable, it would be obsolete. Making a purchase from a spam email supports spammer activities, puts you at risk of a potentially fraudulent sales scheme and virtually ensures that your email address will be sold within the spamming community, leading to even more junk emails.

Never respond to any spam messages or click on any links in the message. Replying to a spam message, even to “unsubscribe,” only confirms to the spammer that you’re a valid recipient and a target for future spamming.

Avoid using the preview functionality of your email client software. Many spammers use techniques that can track when a message is viewed, even if you don’t click on the message or reply. This tells spammers you’re a valid recipient, which can result in even more spam.

Never display your email address on social media, discussion boards or other public websites. Many spammers utilize web bots to harvest email addresses from public forums.

Have and use one or two secondary email addresses. If you need to fill out web registration forms or surveys at sites from which you don’t want to receive further information, consider using secondary addresses to protect your primary email account from spam abuse.

In our next post we will discuss some of the other security threats that could be lurking in your email inbox.