Here is how the scam works: Suppose you want to look up a company online named Super Duper, so you type the store’s name into your favorite search engine. An attacker might have purchased the top result to take you to the website superduperco.com. However, if you knew to scroll down past the paid-for-results, you would have seen that the real website is superduper.com. Attackers set up a website and named it superduperco.com.

Their deceptive site might contain malicious advertising, ask you to enter credit card numbers during checkout, or tempt you to download malicious programs and apps. They might ask you to login or reset a password, and they capture the password you type in.

If you look up a retailer in a search engine, skip past the ads and paid results. Scroll down to see real search results. Even then, be skeptical in case attackers used SEO techniques to appear at the top of the actual search results.

Please forward this to your friends to alert their users that top search engine results can be a trap.

The post Beware: Attackers Buy Top Search Engine Results to Trick You appeared first on Foster Institute.

To end this security nightmare, Adobe set Flash’s official termination date to December 31, 2020. Expect your browsers, Firefox, Chrome, Edge, etc. to disable and remove Flash on or before that date.

That helps security, but Flash’s demise could negatively impact your organization. If one of your websites requires your customers to use Flash, it is time to convert the content asap. Unless you are sure, meet with your web development team and confirm your visitors and customers do not need Flash to use your sites. If so, your developers can convert your content to use supported technologies.

Additionally, ask your IT professionals if your team members rely on sites that require Flash. If so, now is the time to work with those providers to spur them to transition away from Flash. If they refuse to move, you need to find other options.

While frustrating to many, especially frustrating to attackers, the ultimate demise of Flash helps make the world a safer place!

Please forward this to your friends in case they aren’t aware that Flash’s termination date is December 31, 2020.

The post Adobe Flash Stops on December 31, 2020. Are You Ready? appeared first on Foster Institute.

Of course, large service providers are expected to do much more for their security. But what about your service providers that have 10 or fewer employees and cyber-security has never been appropriately addressed? The chances are that they are hungry for some detailed security guidance. Once they implement some or all of the following recommendations, they can sleep better at night too.

None of these are unreasonable for you to request. And, a massive benefit to your service provider is that they can improve their cyber-security and that helps their own company and other customers, too. Everyone wins!

If you want to, send your contractors and service providers something like this. You may want to ask your IT team to review and perhaps edit it since your organization may already have security measures in place that eliminate the need for your providers to perform some of these recommendations:

Dear – you fill in the blank,

Cyber-security is a big concern these days, and we are checking in with all of our valued service providers, including you.

Our cyber-security depends to some degree on your level of cyber-security.

Below are cyber-security recommendations for you to follow in your organization. You may fall under laws and regulations that are even more stringent than these.

If you have any questions or decide not to follow the recommendations for any reason, please say so, and that will start a dialogue that can be beneficial for all parties.

First and foremost, you should always have great backups, and the ability to restore, because you accept full responsibility if you experience any problems as you implement these recommendations.

Unless you use patch management, and maybe nobody ever told you what that is, then to help ensure you are receiving protective patches from Microsoft and Apple, strongly consider enabling the automatic update feature in Windows and Mac OSX. There is a good chance it is activated already, but be sure. Installing critical security patches is essential since it increases security dramatically. There is always a small risk that a security patch could cause problems, but not installing a critical security update can put you at a much higher risk.

Patch your browsers too. Browser security patches are critical since, if a user clicks a malicious link in an email message, the attack usually makes a mad dash to poison that user’s browser quietly.

Uninstall all programs on each computer that you don’t think you will use. It is ok to start with the programs that are easy to recognize and skip the rest for now. That speeds and simplifies implementing this recommendation. Every program installed on a computer is a potential toe-hold for an attacker to gain access to a system. Worst case, if you delete an application now that you need later, you can usually re-install it quickly and easily.

In particular, remove Java and Flash. These are two tools that are frequently hacked and are likely unnecessary for your organization. Leaving them installed creates a significant security risk in your organization. If you later discover that you do need either, you can reinstall them with the newest version. Make sure to only get Java from java dot com and Flash from get dot adobe dot com forward-slash flash player Do not insert the space between the words flash and player.

If you do leave Java or Flash installed, investigate the click-to-play option that could protect you from unauthorized attacks based on Java and Flash.

Make sure to make your user accounts a “standard user” on your computers. Implementing this recommendation is slightly more complicated, especially if you are unfamiliar with creating new users. But it is included in these recommendations because it can increase your security immensely. If you use a third party IT company, you may choose to ask them to do this part for you.
The necessary steps for Windows and Mac: 1) Create a new local user account 2) Promote that user to be a local administrator 3) Demote the computer user’s current account to a standard user and use that account. Perform this change on each computer separately. It is rare that a user will notice there has been a change. If you ever need administrative access to a computer, you can use the new user account that you created and promoted to have administrative access. In rare circumstances, a program you use may require each user to be a local administrator. Needing to configure users to be local administrators is unfortunate indeed since it is so damaging to security.

The previous recommendation is all about local user accounts. Larger organizations especially will use something called the Active Directory. However, even when using the Active Directory, this recommendation about local administrators still applies.

Enable two-step verification on all the websites that require a login. In its most basic form, once two-step login is turned on, then when a user enters a username and password, their phone will receive a text message with a code to use to complete the login process. This added protection helps you tremendously if an attacker steals one of your website passwords. The setting is usually in the security settings of the website.

Even if your screen is set to lock after a brief period automatically, an insider can easily bypass that will artificially jiggle the mouse. The computer will think you are there, even if you are not, and the computer will not lock automatically. Before you ever move away from your computer, manually lock the screen. One way to quickly accomplish locking the screen in Windows is to hold down the Windows key and then tap the L key. On Macs, utilize the hot-corners feature to lock the screen when you move the mouse to one of the corners of your screen. Require a password to unlock the screen.

Before you send us a file that contains sensitive information, encrypt the file. It is straightforward to encrypt Microsoft Office and PDF documents using settings within the software. If you are emailing a file, do not email the password too, not even in a separate email message. If an attacker has access to the email accounts, they will have both the file and the password. Instead, exchange the passwords via a phone call or a text message. Unless required by regulation or law, use a passphrase at least 15 characters long, but you do not need to use the upper case, lower case letters, numbers, and symbols. Making passwords complex interferes with productivity and doesn’t help as much as using longer passphrases. An example passphrase could be: thanks for being secure. Just be sure you still comply with rules and regulations.

Know that it is an excellent practice to avoid connecting to Wi-Fi services at hotels, airports, coffee shops, etc. It is more secure to use a phone or personal hot-spot to connect a computer to the Internet. The added phone charges may be lower than you expect, especially if you change to a plan with unlimited data.

Please forward this to your smaller service providers; it can help prevent some big heartaches and expenses for you and them both.

The post Updated: Forward these 7 Minimum Security Requirements for Your Small Service Providers appeared first on Foster Institute.

Be sure the “automatic update” feature is turned on in Windows and in Mac OS. Students must have the critical security patches installed to dramatically increase security. They’ll need to patch their browsers separately.

Uninstall all programs that they don’t think they will use. Start with the programs that are easy to recognize and skip the rest for now. Each program is a potential toe-hold for an attacker to gain access to a system. Worst case, if they delete something now that they need later, they can re-install it. In particular, remove Java and Flash. These are two tools that are frequently hacked and may be unnecessary. If a student finds they need either, he or she can reinstall them with the newest version. Make sure they get Java only from java dot com and Flash from get.adobe dot com/flashplayer/

Make sure they make their user account a “standard user” on their computer. This helps block attackers. Steps for Windows and Mac: 1) Create a new user 2) promote that user to be a local administrator 3) Demote your account to a standard user and use your own account.

Turn on two-step verifications on all the websites they visit. The setting is usually in the security settings of the website.

They need to keep their computer physically secure. Someone could access their files, social media, and e-mail accounts easily and without their knowledge. Passwords aren’t that helpful. It is usually trivial to bypass passwords on computers once an attacker gains physical access to a computer.

And though they may not heed this last step, it is a really good idea to avoid connoting to Wi-Fi services at school, coffee shops, etc. It is better if they use their phone or personal hot-spot to connect their computer to the Internet when they need to. The phone charges may be lower than you expect, especially if you call your phone provider and check about new data plan options.

Please forward this to your friends who have students; it can help prevent some big heartaches.

The post Moms, Dads, and Friends: Take 7 Steps to Secure Your Students’ Computers appeared first on Foster Institute.

Instructions for Windows and Apple home users are listed below the numbers. For organizations, here are 10 Steps To Avoid Incidents Including the Massive Ransomware Attack:

1. The reality is that most organizations are missing critical security patches and there is a very strong likelihood that yours is too.

2. Provide your team with extra time, and perhaps additional personnel, to test and then deploy patches ASAP. Some organizations are adding a new IT professional to their team whose sole responsibility is to manage patches. If the patch fails testing, then time must be invested to resolve the issue or implement compensating controls.

3. Prioritize critical security patches for the operating system, all the browsers, Flash, Java, your PDF Reader, and Microsoft Office. They are usually the easiest to attack and form your first line of defense.

4. Many IT teams are very reluctant to apply patches for fear of breaking your systems that are already running. Help remove their fears by reassuring them that you take on responsibility if the patch causes a problem. Encourage them to follow a procedure that mitigates risks:

5. Test Patches in a test environment that uses the same applications as the rest of your network. For very small companies, your test environment might be a single computer. For larger organizations, and organizations that stand to lose a great deal in the event of an attack, create a separate testing environment that is isolated from the production environment.

6. Have a pre-tested rollback plan so that, if the patch does cause a problem, your IT team will already know what they need to do right away to roll back a patch that causes an unexpected problem. They will then go back to the testing phase.

7. Deploy the patches in stages rather than patching all machines simultaneously. That way, even if the patch does cause a problem, not all your machines will be affected.

8. You may decide to empower your IT team with a patch management tool such as Ninite, LANGuard, Shavlik, or others. Allow them to test and choose a tool, and provide them with the means and time to do so, ASAP.

9. Ask IT, perhaps weekly and at least monthly, to provide you with a list of missing patches, not a pie chart.

10. You must upgrade from older operating systems, any of the ones that Microsoft no longer supports. If some machines cannot be upgraded, then they must be isolated or some other compensating control put into place. Microsoft clearly states when they stop producing patches for old operating systems.  So, there was no patch available for Windows XP and others.

Call me if they are not able to apply patches. Let’s team up to help prevent this.

At home, or if your organization is so small that you do not have an IT team or have an outsourced IT company that takes care of your patches, be sure that the option that provides automatic updates to Microsoft is enabled. The instructions are easy to find – just google the phrase: configure automatic updates site:Microsoft.com

Apple computer users, google: Automatic security updates os x site:apple.com

iPhone and iPad users, google: Automatic security downloads ios site:apple.com

Additionally, manually check for updates in Microsoft Office to be sure those are applied. Be sure that automatic updates are enabled in your browsers. Regularly download and apply patches to, or new versions of, Flash, Java, and your PDF reader.

Please forward this to everyone you care about and want to help stay secure.

The post Patching – 10 Steps to Seal the Holes in Your Armor appeared first on Foster Institute.

A drastic solution is to uninstall all browsers. Browsers can’t get hacked when they don’t exist. You can switch to hosted browser service that runs browsers in the cloud, not on your computer.

To see how this works, watch the short videos at authentic8 dot com and Citrix dot com/virtualization/secure-browser

This newsletter is targeted to executives who don’t need to understand technology, so you may choose to forward the following technical information to your IT Department.

And please forward this to anyone whose cybersecurity you care about.

For our more technical audience: As of today, only authentic8’s solution supports general web browsing, but both support web applications.

Since these services put security first, and functionality a close second, you may still need a local browser for some applications if they don’t function properly in the hosted browser environment. But, if that is the case, you may be able to remove Flash and Java from your systems to make your local browsers more secure.

The biggest problem with both products is that they do not have a way to be set as the default browser to be used if a user clicks inside an email message. So, if you must leave a local browser installed, your users will still need to be careful about clicking links in email messages. The solution may be available soon.

Hosted browsers still protect your computers during web browsing sessions. And it becomes practically impossible for an attacker to use a hosted browser to access the sensitive data stored on your network drives.

Investigate using a hosted browser for added protection against the many threats on the Internet that exploit browsers and plugins such as Flash and Java.

The post Finally, a Solution to Solve What May Be the Biggest Cyber Security Risk at Your Organization appeared first on Foster Institute.

An Australian Web Security Specialist, Troy Hunt, has compiled a database containing usernames that have been stolen in hacks and then published or sold. Some people use his site to look up their own email address or username.
His website is haveibeenpwned dot com. (In this case, Pwned refers to a condition of someone else having access to your login credentials.)

At his site, people enter their email address or any usernames they’ve used for online logins. Sometimes, they look up addresses of their family members. If there is a hit, the details of the breach are displayed on the site.

Even if not on the list, there is no guarantee that person’s credentials haven’t been stolen, but it still helps to know.

If you ever suspect that your login credentials to any website have been exposed, it is very important that you reset the password on that site, as well as any other sites where you may have used the same password.

There are other strategies to protect yourself. Enabling two-step-logon is very important these days since it can thwart attackers who know your username and password. Using a password manager, as opposed to letting your browser store passwords, can help make password security more convenient, but it still needs to be used carefully. These strategies are explained in detail elsewhere in this blog.

Forward this to anyone who might want to know if their username and password has been hacked…

The post How to Find Out if Your Password Might Have Been Hacked appeared first on Foster Institute.

The application inventory shows how many machines have a specific program installed on them, such as:

Qty – Application
18 – Adobe Flash Player version 11
22 – Adobe Flash Player version 16
79 – Adobe Flash Player version 20
29 – Mozilla Firefox version 38.0.1
99 – Mozilla Firefox version 44.0.2

Your list will be longer.

Notice that there are three versions of Adobe Flash Player and two versions of Firefox.

As you can imagine, more recent versions of software are generally the most secure. Most organizations such as Adobe and Mozilla recommend that you always use the most recent versions of their tools.

Using the most secure versions of applications is especially important for programs that interface directly to the Internet, such as Flash, Java, and your browsers.

Ask your IT Professionals to update, when possible, those kind of applications. Then, they can show you an updated application inventory report, one that shows the machines being all up-to-date. And, you’ll be able to sleep better at night.

Please forward this email message to everyone you care about…

The post Security Version 2.0 appeared first on Foster Institute.

Flash is a tool used on web-sites to, among other things, play videos.

When people visit websites, they can be vulnerable to what is referred to as a drive by download. Just by visiting a site, even a legitimate site, their computer may be exposed to an attack.

That attack can happen via a Flash video within an advertisement that was surreptitiously posted by an attacker.

It is always a good idea to use “click to play” functionality that prevents Flash content from running automatically.

Now, when Google stops accepting advertisements with Flash content, that will significantly diminish the Flash vector of attack.

The post No Flash Attacks After June 30 appeared first on Foster Institute.

Google’s VirusTotal.com is an online service that checks websites for viruses using 54 antivirus products. Before you click – check that website!

FYI, the site also allows you to upload program files. The file is checked against all of the antivirus products too.

So, before you open a file, get a second opinion from Google by using Virus Total. Forward this to everyone you care about, including your IT Pro – and they may want to send it to everyone in the organization!

The post Know Before You Click appeared first on Foster Institute.