Posted by on

The morning of Saturday the 25th of April, our technicians woke up to see an email in our boxes about a zero-day security breach of Sophos firewalls.  A novice might read it and think “another boring security email” – we read it and thought immediately “this isn’t good”.   

This was a successful attempt en-masse to steal VPN credentials.  You need to let the severity of that soak in for a moment – if a hacker has access to your VPN, they have access to your network – usually with lots of soft targets inside.  Many companies have added additional VPN users recently with the current WFH situation, so it was the ideal time for them to strike. 

All of us mistakenly tend to operate on the assumption that our firewall will keep us safe, and we don’t need to worry about strong passwords, updates, and security inside our networks – this should be a reminder to everyone this isn’t the case.   Read more...


Posted by on

used with permission from Tektonika (HP)

Information security breaches are becoming so commonplace, they’re seen as the cost of doing business—but they don’t have to be. Promoting internet safety and device security isn’t as hard as it might seem. By making small changes to online behavior, IT professionals and users can do a lot to keep their business safe. And the first way you can start is:

Stop using passwords

Wait, what? You read that right: The National Institute of Standards and Technology (NIST) recently came out with new guidance on password best practices. According to Mike Garcia, former director of NIST’s Trusted Identities Group, the gist of these guidelines is, “Simply put: Use passphrases, not passwords.”

This is great news for any users who spend a lot of time in “Forgot Your Password?” purgatory. For years, the advice for keeping passwords hacker-proof was to make them more complicated. But that made them user-proof, too.  Read more...


Posted by on

used with permission from HP Tech@Work

Is my password still enough, or do I need more?

Without question, security is critical these days. Whether it’s device, online, or mobile security, the need for protection is obvious, and the risk can’t be ignored. For years, that protection has centered on a login…and a password. But has that changed?

Oh, that password. We’ve been reminded us for years not to write it down. Not to keep it anywhere that someone could find it. Which has made more than a few people prone to forgetting it. Show of hands, anyone?

Then there’s the issue of using a unique password for every account. Considering we have an ever-increasing number of password-protected accounts, for everything from banking to gaming – and the apps that go with them – this can be exhausting.

Add to that the known problems with public networks, and the risks you and your mobile workers face daily when trying to do business from the road and you have a recipe for sleepless nights.  Read more...


Posted by on

You may have heard about a recent vulnerability that has affected Cloudflare, and therefore certain sites that use cloudflare services.  Cloudflare is a “Content Delivery Network” or CDN, and is used to speed up websites by acting as a “cache” that sits between your web browser and the certain sites you may visit.

SpireTech does not use Cloudflare services, so none of our data or customer data would have been exposed.  However, some customers that host websites with us use Cloudflare – typically this is setup and managed by your web developer.  If you fall into that category, you should contact your site developer or SpireTech for advice, which would vary depending on the function of your website.

Despite this not affecting our data directly it may effect many of the sites you frequently visit. If you have accounts with Uber, Yelp, Fitbit, OKCupid, 4Chan, or sites listed at the end of this bulletin, it would be a good idea to go and change those passwords now.   Read more...


Posted by on

At SpireTech, we’ve noticed an increase in certain types of “Brute Force” attacks on Microsoft Windows operating systems, particularly those allowing Remote Desktop.  A ‘brute force’ attack is a repeated automated attempt to gain unauthorized access by guessing at username/password combinations.

What does this mean to our clients?  Here are a few key takeaways:

  1. Obscurity is not security.  Using an uncommon port, redirected from a firewall, to a machine inside your network, is not going to prevent your system from being probed by bots and hackers.  Instead, use an SSL VPN to add a second layer of security to your network.
  2. Use truly complex, random, and lengthy passwords.  We see lots of passwords that people think are secure, but they really aren’t that great.  Also, because your network password is often used for your company email password or Office 365, it opens up yet another vector people can use to try and guess your password.
  Read more...

Posted by on

used with permission from Norton by Symantec, by Christina Schubert

 

980 data breaches occurred in 2016. That left an approximate 35,233,317 known records exposed. Over the years, data breaches have become more sophisticated, and cybercriminals target both large corporations and small businesses.

2016 saw a string of data breaches that left sensitive information of millions of people at the mercy of cybercriminals. In addition to financial consequences, these data breaches ruined customer trust and the reputation of the companies in question.

As we look back at 2016 here are some of the most impactful data breaches that shook the world.

117 Million LinkedIn Credentials Breached

Even though the breach occurred in 2012, its intensity came to light in mid-2016. A Russian hacker going by the name of “Peace” claimed responsibility for the 2012 hack. In 2016 the hacker resurfaced, and set up shop on the Dark Web to sell a whopping 117 million credentials that were acquired from the same breach.  Read more...


Posted by on

used with permission from Norton by Symantec

gmail-steal-passwordsSophisticated cybercriminals have devised a way to steal email credentials that bypasses two-factor authentication security and doesn’t rely on otherwise easy-to-spot phishing methods. Here’s what you need to know to protect yourself from this email password stealing scam.

Who is affected?

Symantec researchers have found this scam largely targets Gmail, Hotmail, and Yahoo Mail users. However, everyone with an email account should be aware of how this scam works to avoid falling victim.

See how the scam works. In just a few quick steps, cybercriminals trick victims into disclosing email credentials.
gmailscam-infog.fnl_

 

How does the scam work?

To initiate this scam, cybercriminals need to know the email address and associated phone number of the user. Both of these contact details can often easily be obtained. With this information handy, an attacker can then capitalize on the password recovery feature that allows an email user to gain access to their account by a verification code sent to their mobile.  Read more...


Posted by on

used with permission from Norton by Symantec, by Nadia Kovacs

change-your-passwordIn 2012, LinkedIn suffered a data breach of six million user account names and passwords. Apparently, that breach is extremely larger than originally reported.

A Russian hacker going by the name of “Peace” has claimed responsibility for the 2012 hack. This hacker has now resurfaced, and instead of just the six million credentials, he is selling a whopping 117 million credentials on the Dark Web acquired from that same breach.

This hacker waited four years to release the data on the black market.

This just goes to show how important it is to use strong and unique passwords for each service and not to re-use passwords. Hackers tend to rely on repeat password usage and will try to break into other accounts with the credentials obtained from the breach. It can be a cumbersome task to have to remember so many unique passwords, however, with Norton Identity Safe, you can eliminate that hassle.  Read more...


Posted by on

used with permission from Norton by Symantec, by Nadia Kovacs

Isometric Infographic Biometric RecognitionBiometrics are part of the cutting edge of technology. Put simply, biometrics are any metrics related to human features. Fingerprinting is a very early and simple version of biometrics, like when you login to your phone using your fingerprint. As with any emerging technology, the first question you should ask is if they are safe.

How Do Biometrics Work?

If you’ve ever put your fingerprint into an device, you have a vague idea of how biometrics work. Basically, you record your biometric information, in this case a fingerprint. The information is then stored, to be accessed later for comparison with “live” information. Anyone else in the world can put their finger on your device’s touch circle and it’s not going to open your phone.

Fingerprints are just one form of biometrics. One of the emerging forms of biometric technology that you might have seen in science fiction movies is eye scanning.  Read more...


Posted by on

used with permission from FTC Business Center Blog
by Lesley Fair

password_combos On the old game show “Password,” the host whispered a word to contestants, who then gave clues to celebrities. The first to guess correctly advanced to the Lighting Round. The loser went home with a year’s supply of car wax.

The legacy of “Password” lives on, but in the 21st century version, hackers use tidbits they know about your employees to guess their passwords. The winner gets the grand prize: access to the information on your system. What can you do to help send hackers home with the car wax? There’s no one-size-fits-all approach to password security, but here are some easy-to-implement suggestions.

There’s one in every crowd. Employees are more attuned to security these days, but a walk around your office is still likely to yield a staffer or two with passwords readily visible on their desks. Fraudsters look for the low-hanging fruit.  Read more...

1 2