by Felicien | Dec 14, 2018 | Education
A recent sextortion scheme highlights the vulnerability users face when their data is stolen and used against them.
The widespread threat made it seem as though a hacker had compromising video of a victim taken while visiting adult pornographic websites. The scammers threatened to release the video unless they were paid in bitcoins.
Here’s a closer look at the threat and how to prevent such ruses in the future.
What Happened in the Sextortion Case?
The latest fraud was different from earlier sextortion cases in one significant aspect. Victims were targeted with an email that appeared to come from their very own email account.
In the past, similar hacks used passwords to an adult website that had been stolen in a data breach. The scammer would threaten to release information about the victim’s activity in exchange for cryptocurrency.
Are These Schemes Successful?
The risk of public embarrassment is a powerful motivator for many victims who would rather pay than be exposed for visiting questionable websites. The recent scheme was first noted in the Netherlands, where it reportedly netted €40,000 in short order. That kind of quick cash is highly motivating to hackers looking to make a large amount of money fast.
What Did the Sextortion Email Say?
The English version of the scam had a subject line that included the victim’s email address and “48 hours to pay,” e.g. “username@example.com 48 hours to pay,”
In broken English, the scammer claimed to be part of an international hacker group that now had access to all accounts and gave an example of a stolen password.
Throughout several months, the email alleged, the victim’s devices were infected with a virus from visiting adult websites. Now, the hackers had access to a victim’s social media and messages.
“We are aware of your little and big secrets … yeah, you do have them,” the email continued. “We saw and recorded your doings on porn websites. Your tastes are so weird, you know.”
The email further claimed to have recordings of the victim viewing these websites and threatened to release them to friends and relatives. It demanded payment of $800 in bitcoin within 48 hours of reading the message. If the funds were received, the data would be erased. If not, videos would be sent to every contact found on the victim’s device.
For unsuspecting victims, receiving such an email could be terrifying. That’s why so many people succumb to such demands and pay up.
What Can Users Do?
While it’s easy to be scared into sending payment, the reality is that these emails can be ignored and deleted. It’s a good idea after doing so to run an anti-virus scan on all your devices to be sure that there is no malware installed.
Many of these scams occur because a domain has been hacked. However, these vulnerabilities can be eliminated by using some basic protections. Using domain name system (DNS) records designed for email validation and authentication are an essential first step. Here are three of the most common:
SPF. A sender policy framework (SPF) verifies that an email that claims to come from a domain is associated with an authorized IP address. An SPF can detect faked sender email addresses in spam filters. Hackers are less likely to target such domains for phishing attacks.
DKIM. DomainKeys Identified Email (DKIM) lets an email receiver verify that an email coming from a domain was authorized by that domain. Senders need to attach a digital signature to each outgoing message that’s linked to a domain name. The recipient’s system can compare that signature to a published key.
DMARC. Layered on top of SPF and DKIM is domain-based message authentication, reporting and conformance protocol (DMARC). Established in 2011, DMARC allows email senders to publish policies about unauthorized email. Also, email receivers can provide reporting to those senders. Both are designed to build a domain reputation and credibility about Domain-issued emails.
Your users and domains are vulnerable to hackers looking to exploit technology to shame people into paying. With the right technology assessments, security protocols and safeguards in place, your systems will be protected and dissuade hackers from attacking your sites in the future.
by Felicien | Dec 14, 2018 | Education
The fundamental difference between computer repair and network computer services is that computer repair is a very reactive concept. Something breaks, you call your trusted technician and they make the fix — and bill you for time and materials while your staff members wait for their technical problems to be resolved. With network computer services, the model is entirely different. You enter into a longer-term partnership with an organization which works closely with you to create a proactive support infrastructure which often allows your staff to continue working even while a problem is being solved. Businesses that are looking for a way to normalize their annual IT costs and provide predictable service levels should investigate network computer services.
Why Are Technology Fixes So Expensive?
When you think about it, it makes sense why it’s so expensive to have a consultant or team come into your business and resolve a problem. Not only are they taking on a fair amount of liability for a short-term relationship, but they also have a substantial ramping up time and effort each time you need to have a problem resolved. This methodology is called “break-fix” for a reason: something breaks, and you invite someone to come fix it. This is especially problematic when you consider the costs of a break-fix solution include internal IT or management time, additional contracts or scoping of a work project, lost productivity for business staff . . . Plus the additional upcharge for the services that are rendered by your consultants. All of these items can quickly add up to make a small issue become a much larger cost than initially expected. What’s worse is that it’s nearly impossible to budget for specifically when something is going to break.
How Can I Accurately Project IT Costs?
Holding a pattern in your technology costs can be a challenge. Business units are always looking for additional functionality for their budget dollars, and it can be difficult to justify why that project didn’t get completed due to lack of funds. When you have to divert dollars from an upcoming project to pay for an unexpected problem resolution, it can raise eyebrows and cause questions from leadership. One of the most effective ways to ensure that you’re able to accurately predict the costs to maintain your business infrastructure is to work with a network computer services partner. This type of relationship comes with a variety of benefits, such as the assurance that patches are resolved and applied quickly and accurately to your software and hardware.
Can Network Computer Services Improve My Security?
Internal technology leaders or teams are nearly always overworked, with more projects than they can possibly accomplish in a year. Unfortunately, this can mean that there are difficult decisions to be made: do you schedule a security review and patch your software or do you get started scoping that new website that marketing desperately wants? Both activities require time from the technology team, but there are risks down either path. If you decide to put off a new projects for a security review, you take the chance that teams will begin doing their own development and open up security risks. If you take on the new project, you’re risking a cybercriminal finding a way to infiltrate your network security. This is the type of challenge that is tailor-made for a network computer services team, as they can help resolve your infrastructure security challenges and provide internal teams with an opportunity to support new business requirements. Ongoing, scheduled maintenance and robust security procedures help protect your organization and your sensitive customer data. These updates and proactive monitoring are crucial to ensuring that your organization does not fall subject to the latest malware or phishing tactics.
Working with a managed services provider has a range of benefits: more predictable technology costs over time, improved network security and technology maintenance and better overall experience for your business users. Working with a network computer services organization provides your team with the in-depth knowledge and additional skill sets to supplement their own expertise. Your trusted services provider is able to leverage best practices from across various industries to offer you superior remote service and ongoing support, depending on your particular contract levels.
by Felicien | Dec 13, 2018 | Education
It seems computer hackers will go to any length to complete their scams and wrestle money out of the hands of their victims. In one of the latest scams to come to light, hackers are finding real passwords and then using them to send emails threatening to expose people for watching porn. The unsuspecting victims receive an email disclosing part of a password associated with the email account that states the sender has set up a camera and filmed the recipient using a legitimate porn website. Unless the victim pays a ransom using Bitcoin, the sender of the email threatens to disclose the video to people closest to the victim.
Sextortion: A New Twist on an Old Plot
Many people receive so many scam emails that they no longer bother to open them. The scammers behind the sextortion scam hope to catch people’s attention by disclosing some or all of their email password immediately. If that works, the email goes on to describe how the hacker installed malware on a porn site while the email recipient was viewing it. However, it does not stop there. The hacker claims to have collected all of the victim’s contacts from Facebook, the Messenger application, and his or her email address as well.
As the email continues, the hacker threatens to send the supposed video of the recipient viewing porn to everyone on the contact lists mentioned above. The only thing the person receiving the email can do to stop this is to pay a ransom within 24 hours. The threatening language continues by informing the reader that the sender of the email knows the message has been read and not to waste time replying to it. In short, the reader should send the money or else.
Hackers Using Old Information
There is an element of truth in the sextortion email people receive in that some recipients have reported that the password is one they have used in the past. However, no one who said this scam had used the exposed passwords in more than 10 years nor have they used them on their current computer. The most likely explanation for the scam is that hackers obtained passwords from a security breach at a well-known website more than a decade ago. They merely added scripts to go with the passwords to make the scam seem more legitimate.
The Ruse is Getting More Sophisticated
Hackers have learned from this attempt at so-called sextortion that they must use more current information and a believable script to get anywhere with their intended victims. They now search for as much personal data as they can find online to convince the email recipient that the threat is real. Some have gone so far as to use illegal password lookup services associated with email addresses. The people behind that data breach have reportedly stolen billions of username and password combinations that they then sell to other scammers.
Yet another modern twist on sextortion is for hackers to email everyone with the information listed on a newly hacked customer database. In addition to demanding large sums of money, some of these scammers are demanding that the victims send nude photographs of themselves and other sexually explicit material. Some are so bold as to demand an in-person meeting where the victim must provide them with sexual favors to avoid having their private information exposed to everyone they know.
How Internet Users Can Protect Themselves from Sextortion
The FBI has received enough of these complaints to create an official document warning people of its dangers. It recommends that anyone who accesses the Internet regularly follow these steps to protect themselves from sextortion scams:
Make sure the web camera is turned off or covered when not in use
Never send a compromising image to anyone regardless of who they claim to be
Do not open email attachments unless the sender is well-known and trusted
To add even greater pathology to this scam, perpetrators are often adults disguising themselves as teenagers. They depend on younger recipients to be more naive about online scams and to fall for their demands without question. Anyone who feels they have been targeted for a sextortion scam via email should forward the email to the FBI as well as contact them immediately.
by Felicien | Dec 13, 2018 | Education
Attending the top tech events in 2019 is mandatory for managed IT service companies. While it may be impossible to stay ahead of cybercrime, IT professionals should invest time and money to stay proactive to help their clients plan for unidentified threats.
Keynote speakers at these top teach events provide valuable insight on how to communicate the very real threats that continue to evolve for every business so that your clients invest in technology to help protect themselves from security breaches.
Calendar of Tech Events
Find top events in the United States and abroad. Make plans to attend several.
January 15, 2019 – January 18, 2019, Austin, TX.
RStudio Conference 2019. Host and RStudio Chief Scientist Hadley Wickham and confirmed keynote speakers David Robinson, Felienne and Joe Cheng will be updating attendees with the state of the art and future of data science.
February 25, 2019 – February 28, 2019, Barcelona, Spain.
MWC Barcelona. This is the “original” World Congress of mobile. Explore mobile topics from AI to Digital Wellness and Digital Trust.
March 4, 2019 – March 8, 2019, San Francisco, CA.
RSA Conference USA. Industry expert keynote speakers and seminars on the latest cybersecurity enhancements.
March 8, 2019 – March 17, 2019, Austin, TX.
SXSW. The mother of all conventions – from music and culture to technology. You’ll find coding, cryptocurrency, medical technology and VR/AR/MR.
March 18, 2019 – March 21, 2019, Orlando, FL.
Enterprise Connect. Discover your options when replacing or upgrading a legacy system. Get unbiased, vendor-neutral advice on implementing next-gen communications.
March 18, 2019 – March 20, 2019, Ponte Vedra, FL.
AGENDA19. Especially designed for C-level, VPs, Directors and Managers as they plan to lead their businesses in changing times.
April 9, 2019 – April 11, 2019, Las Vegas, NV.
Atlassian Summit. From training and certifications to a diverse group of speakers, you’ll change the way your teams work.
April 9, 2019 – April 11, 2019, San Francisco, CA.
Google Cloud Next. Google shares its latest cloud technology so you can choose the appropriate cloud-native devices for yours or your clients’ needs.
April 23, 2019 – April 25, 2019, San Francisco, CA
Slack Frontiers 2019 (SF). Attend this event to study teamwork development skills you can use to lead your team toward more productivity.
May 28, 2019 – June 1, 2019, Taipei, Taiwan.
Computex Taipei. This giant Asian show is especially for those interested in ICT supply chain and IoT ecosystems.
July 14, 2019 – July 18, 2019, Las Vegas, NV.
Microsoft Inspire. All of Microsoft’s partners in one place at one time.
August 3, 2019 – August 8, 2019, Las Vegas, NV.
Black Hat USA. Arrive early for four days of hands-on security training followed by a two-day conference concentrating on security development and trends.
October 22, 2019 – October 24, 2019, Los Angeles, CA.
MWC Americas. Emerging technologies and trends as “mobile” changes the world.
November 19, 2019 – November 22, 2019, San Francisco, CA.
Dreamforce. Annual symposium for Salesforce customers. See the newest devices and apps that connect to your client’s customers.
TBA. San Jose, CA.
WWDC. Experts expect a spring meeting to showcase new hardware and software, perhaps with a focus on Apple TV and media-related hardware including new AirPods or over-the-ear headphones.
TBA. Mountain View, CA.
Google I/O. Developers worldwide look forward to this annual conference for hands-on learning and seminars with Google experts. Attendees also get the first look at Google’s newest developer products.
TBA. Seattle, WA.
Microsoft Build. Everything Microsoft all in one place – over 350 sessions that cover Azure, Visual Studios and Microsoft 365 plus emerging technology.
Begin planning now. Book hotels and flights early to ensure a stress-free tech event. Register early to earn early-bird discounts on fees. Follow these 13 tips to get the most of every tech event you attend.
by Felicien | Dec 13, 2018 | Education
Your employees may understand that they risk identity theft every time there’s a major cyber breach at a store they’ve patronized. But do they know that even more of their personal information is available to hackers via their employee benefits plans? It’s a risk that an increasing number of business owners and CEOs have had to confront. How to safeguard employee data — and avoid the significant expense of a managing a breach response — are just some of the questions that business leaders face around this issue.
Why are benefit plans so attractive to hackers?
Virtually any type of employee benefit plan is vulnerable to hackers. These include pension plans, health and welfare plans, and retirement savings accounts. All represent a rich source of personally identifiable information (PII).
First, hackers can gain access to the employee’s personal health information. Armed with that information, cyber thieves can do everything from file fraudulent insurance claims, get prescription medication, and even blackmail the employee.
Hackers may also gain access to the actual employment benefit accounts, potentially using the accrued amounts as fraudulent assets to obtain lines of credit under the employee’s name.
Of course, being able to completely steal the employee’s identity is one of the most concerning threats. And given that employee enrollment forms will have birthdates, email addresses, official residence addresses, and social security numbers — at a minimum — there’s a strong potential for wide-scale identity theft using the PII.
What makes the plans so vulnerable to hacking?
The average worker assumes that accessing his or her employer’s cash reserves and financial information would be the more attractive target than that of its employees. But a company is one entity and can move quickly to protect its holdings after a firewall is breached. A business’ large number of employees, however, represent better odds for a cyber attack. Even if many of them are able to protect their PII after a breach is discovered, the odds of capturing at least some employees’ personal data are still high.
Employee benefit planning is often handled by the third-party provider. And even when these plans are managed internally, the business may be using software that’s vulnerable to attack. For convenience, the employee plan programs are designed to be accessible to more than one agency or company, and by using different platforms.
Yet the same technology that makes the software so easy for multiple parties to access is also what can make it more vulnerable to cyber attack.
Why do employee benefit plan breaches keep happening?
Unfortunately, pension planners, insurance companies and other partner providers still rely on “old school” tech to stop hackers. While anti-virus software might be helpful to stop non-corporate cyber attacks, it’s not always up to the task of more sophisticated hackers.
Also, federal regulations don’t consider employee benefits information as sensitive as personal health records. For that reason, regulations aren’t as strong on the pension side of benefits as they are on the medical records aspect.
What can be done to protect your employees?
The threat to employee benefit plans information is ever-growing. But the good news is that business leaders can put several safeguards in place, protecting that information on several fronts.
If you use an outside provider to oversee your employee benefits programs, it’s essential to carefully examine what safeguards those partner providers have in place to protect the information they handle. If your own staff is handling the benefits program, it’s essential that they receive the most advanced and up-to-date training available. Even staffers proficient in software and administrative safeguards may not be aware of the latest viruses and scams by which hackers may gain entry.
Perhaps most crucially, you’ll need to set up a chain of command and strict protocol about how all information is handled. From your own IT specialists and human resources administrators to outside benefit plan providers, access should be limited to the scope of that department’s work. The more sensitive the information is, the fewer people should have access to it.
What’s the best way to implement these safeguards?
Hiring a reputable firm of cybersecurity experts will immediately put technological safeguards in place to protect employee PII. These experts can also train business leaders and relevant staffers about how to administer their employee benefits plans accounts safely — and how to select third-party benefit program providers that also put cybersecurity first.
