Danger:

Realize that using public networks via Wi-Fi or an Ethernet cable can be very dangerous. Your laptop is still exposed to network sweeps, vulnerability scans, and other network attacks. Threat actors don’t even need to be close to you; they can attack your laptop using other innocent people’s laptops.

Cellular Phones and Mobile Hotspots:

Instead of connecting to a public network at a hotel, coffee shop, or similar, use your phone’s data-sharing function to connect to the Internet while traveling. When you connect your laptop to your cellular network rather than the public Wi-Fi network, your laptop is not exposed to the dangers on the public network. Most phones permit you to connect your laptop to the Internet, and the connection speeds are usually very fast. Unless you are watching movies, the amount of data you consume may be less than you think.

Consider using a wireless hotspot from your phone provider. This option can be more convenient if you need to take your phone with you while stepping away, allowing you to leave your laptop connected to the internet.

What if a cell phone is connected to public Wi-Fi and then used as a hotspot?

If your phone allows you to connect it to public Wi-Fi and share that connection with your laptop, it could be beneficial. Your phone might act as a buffer, providing some protection for your laptop from direct exposure to the public Wi-Fi network. However, keep in mind that your phone would still be exposed to potential risks on the public network. Additionally, many phones do not support sharing a public Wi-Fi connection with a laptop; they typically only share the cellular connection.

Throttling:

Suppose you anticipate using lots of data, such as watching movies. In that case, your phone provider might slow your Internet connection to a crawl once you reach a specific data limit for that month, even if you have an unlimited data plan. They call this throttling your connection.

If you need a hotspot that will not get throttled in the USA, consider getting a hotspot by donating to https://calyxinstitute.org/ (We do not receive any compensation for mentioning them, and this is not an endorsement of Calyx Institute. We know many people who are very happy with their service, so it is important to tell you of a way to avoid throttling). Their website shows their coverage areas.

International Roaming:
If you are traveling outside your country, check with your phone service to see what International Roaming plans they offer. You can often use your phone and hotspot in other countries for a small monthly fee.

Portable Hardware Firewalls and Travel Routers:

If you are remote and away from your mobile phone providers’ coverage area, connecting to a public network might be your only option. Or perhaps you don’t want to use up minutes on your cellular data plan. You can help protect yourself on a public network by using a portable hardware firewall called a travel router.

Most travel routers have two radios to allow simultaneous Wi-Fi connections to your laptop and a public Wi-Fi network.

Note that some travel routers allow you to connect via Ethernet cables if you don’t want to use Wi-Fi. If you want to connect to the travel router via a cable, you will need an Ethernet port on your laptop or a USB to Ethernet adapter.

Here’s what to expect when setting up a travel router:

1. Connect your laptop to the travel router like any Wi-Fi or network cable connection.
2. Use your browser to put the router into “bridge mode.” Sometimes, the setting is named something similar. Then, connect the travel router to the public network at your hotel wirelessly or with a cable.
3. If required, log into the public network (e.g., entering your hotel room number and last name). If the public network has a login screen that doesn’t appear, you can try typing this address into a new tab in your browser: nossl dot com

The process usually takes about five minutes, even in new locations.

Remember, your connection speed depends on the speed of the public network and may vary throughout the day.

While travel routers can enhance security, proper configuration is crucial. Always consult with your IT team for setup, training, and best practices. The phone and hotspot recommendations are generally faster and simpler to connect.

If you plan to get a travel router, you should purchase it with a 30-day return policy and be sure to work on getting it up and running before you leave on your trip. Reliable travel routers are available for less than $100. I do not get any compensation for mentioning this brand, and this is not an endorsement: I have used the GL.iNet GL-MT3000 (Beryl AX) travel router successfully.

VPNs are Not a Shield:

This section is a bit technical, so feel free to skip it unless you believe a Virtual Private Network (VPN) is all you need to be secure on a public network.

Using a VPN is fine, but it does not shield your laptop from network sweeps, vulnerability scans, and other network attacks. You are still exposed to those attacks even if you use a VPN.

VPNs encrypt your data as it travels across the network. However, know that your data is encrypted anyway when you visit a website that starts with https:// whether you are using a VPN or not. The encryption may have been compromised or misconfigured on the site, but this is not common, especially on sites such as banks and other companies that are very careful about their site’s security.

A significant security advantage of using a VPN is that it helps protect against Adversary in The Middle (AiTM) attacks, where an attacker tries to insert themselves between you and the site you are visiting. These used to be called Man in The Middle (MiTM) attacks. Simplified, in an AiTM attack, the adversary convinces the bank that the adversary is you connecting to the bank. Then, the adversary tries to make your laptop believe the adversary is the bank. If the adversary is successful, they can read, change, insert, and delete data between you and the bank.

But keep in mind that if you are connecting via your phone or cellular hotspot, you needn’t be as concerned about an AiTM attack unless an attacker has compromised your phone carrier’s network, which is very unlikely. And, if you use a travel router as a firewall, many of them come with a VPN service if you want to enable it.

Outside of encrypting data in transit, the added benefits of using a personal VPN service, as opposed to your company’s, would be to hide what websites you visit, and you could disguise what country you’re in. However, many people avoid the VPN option since it doesn’t provide a shield against the attacks mentioned above, and using a VPN might make your data rate seem slower due to the VPN’s overhead and the network distance to the VPN server.

If your company uses a VPN, they might insist you use a VPN, or Secure Access Service Edge (SASE), to protect privacy.

Conclusion:

Connecting to a public network can be very risky. You are more secure if you connect to the cellular network via phone or cellular hotspot. If you must connect to a public network, strongly consider using a portable hardware firewall, commonly called a travel router.

Wishing you cyber-safe travels!

The post Vacations: Connecting at Coffee Shops, Hotels, and Airports Can be Dangerous to Cybersecurity – Here are Alternatives appeared first on Foster Institute.

A Real-World Example from the Workplace: Recently, a new employee at a company received a fraudulent text message on her personal phone, supposedly from the company’s president. The president had not sent any text, and the company had not stored her personal phone number. How did the threat actor know? It’s possible that a data broker linked the new employee’s private phone number with the president’s name at the new company by eavesdropping on a conversation, such as her telling a friend about her new job. Upon investigation, the employee found that some unexpected apps had access to her microphone.

A Real-Word Family Example: Last week, a husband and wife discussed dental options for their child at the breakfast table with their phones nearby. They hadn’t typed anything into a computer or searched online, yet less than an hour later, one received a text message from a company offering dental aligners. How could this happen? An app on their phone might have accessed the microphone, listened to the conversation, and shared the information with a data broker. The data broker then provided this information to a company selling dental aligners, prompting them to send a targeted text message. Have you or someone you know had similar experiences?

How It Happens: Some apps collect data, including audio data from a microphone, and sell it to data brokers, also known as Marketing Data Aggregation Warehouses. These brokers aggregate and sell data to various businesses, including marketing and advertising firms. These businesses then use the information to send targeted advertisements or, in the case of threat actors, perform sophisticated phishing attacks designed to extract sensitive information or commit fraud.

Apps are supposed to request your permission to access your microphone. However, this “user’s consent” often comes from clicking “Do you agree to the privacy policy” during installation. Most users do not read these policies and agree just to use the app. Privacy policies can be vague, stating that the user allows the app to collect information and share data with third parties.

Several types of apps can gather information for sale to data brokers and request microphone access in their privacy policies. These include:

• Social Media and Communication Apps: Use microphone access for features like voice messaging and video recording, sharing collected data for advertising.
• Virtual Assistants: Require microphone access for functionality, collecting voice queries and background noise for service improvement and advertising.
• Gaming Apps: Mobile games with voice chat request microphone access for communication, sharing user data for advertising.
• Productivity Apps: Note-taking and voice recorder apps request access for audio notes and transcriptions, collecting valuable user data.
• Health and Fitness Apps: Fitness trackers and health apps request microphone access for voice input, collecting sensitive health data.
• Utility Apps: Simple apps like flashlights and calculators sometimes request unnecessary permissions, including microphone access, to gather user data covertly.
• Marketing and Rewards Apps: Request location and microphone access to collect user data, which is then sold to data brokers.

These apps often include clauses in their privacy policies that allow microphone data collection, which users might unknowingly grant, leading to targeted advertising and other uses by data brokers.

For further reading, refer to articles like “FTC Cracks Down on Mass Data Collectors” by the Federal Trade Commission.

Protecting Your Privacy: To protect against such risks, Apple, Google, and Microsoft have all implemented ways to help ensure your microphone’s privacy even if users agree to the privacy policy. Instructions for disabling access to your mic are listed below. It’s crucial to regularly review and update app permissions on your devices, ensuring that only essential apps have access to sensitive data like the microphone.

Beyond Annoying Ads: Threat actors can use similar tactics to perform targeted attacks and commit fraud against individuals and their companies. For instance, the fraudulent text message received by the new employee could lead to more sophisticated phishing attacks intended for extracting sensitive information, transferring money, or other financial fraud.

Follow the instructions in the following draft memo you can send your workers and tell your family:

Memo to All Employees: Securing Your Microphone Privacy Settings

Dear Team,

We are committed to ensuring the privacy and security of our employees’ personal and professional information. Recent reports have highlighted the risks associated with apps accessing device microphones without explicit consent, potentially leading to targeted fraud and privacy breaches.

To protect your privacy and our organization’s security, we ask all employees to take a few moments to review and update the microphone privacy settings on their devices. Below are step-by-step instructions for various platforms:

For Apple Devices:

1. Go to Settings > Privacy > Microphone.
2. Turn off the microphone for all applications that do not need access to your mic.

For Android Devices:

1. Go to Settings > Type Microphone, Privacy, or Permission Manager in the search box. If you do not see the privacy settings, you might need to use a search engine or chatbot to find specific instructions for your device model and version of Android.
2. Turn off the microphone for all apps that do not need access to your mic.

For Windows:

1. Go to Settings > Privacy & Security > Microphone.
2. Turn off the microphone for all apps that do not need access to your mic.

For Macs:

1. Click on the Apple symbol > System Settings > Privacy & Security > Microphone.
2. Turn off the microphone for all apps that do not need access to your mic.

Practical Steps:

• Revoke Unnecessary Access: Disable microphone access for all apps that do not need it. Allow exceptions for essential apps such as video conferencing tools and browsers if you use them for meetings. If you are uncertain, restrict access; the app will request permission if it needs access in the future.
• Test Essential Apps: Before your next meeting, verify that the apps you frequently use for video conferencing and other essential functions work correctly with the microphone settings you have configured.
• Restrict Other Permissions: While adjusting your microphone settings, you’ll see other settings. To further protect your privacy, consider restricting access to your camera, location, contacts, and other sensitive data.

We live in a world where protecting our privacy is increasingly our responsibility. Threat actors are becoming more sophisticated, so it’s crucial to stay vigilant and proactive in securing our devices.

Thank you for your attention to this important matter. If you have any questions or need assistance, please ask.

(In the last sentence, you can give them more specific guidance on what to do if they have a question)

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post Are Threat Actors Listening to Your Phone? Secure Your Mic to Reduce Security Risks and Protect Your Privacy appeared first on Foster Institute.

Credit Freeze

If you haven’t already, consider freezing your credit to prevent new credit accounts from being opened in your name without your permission. Here are in-depth instructions and details: Help Protect Your Financial Future: Freeze Your Credit – Foster Institute

Monitor Financial Accounts

Keep a close watch on your financial accounts for any unauthorized activity or transactions. Consider subscribing to an identity theft protection service, which can help monitor your information and alert you to potential misuse of your personal data. If you didn’t place the credit freeze mentioned above, doing so is essential.

Beware of Fraud and Scams

Beware of email, text, phone calls, or messages popping up on your computer that claim you are hacked and offer tech support help. Familiarize yourself and your family with the latest fraud techniques. Be skeptical of emails, phone calls, or messages that request personal information or direct you to websites asking for personal or financial data.

Be Cautious with Search Engine Results that are Ads

Threat actors can purchase ads so that, if you search for keywords such as ‘My phone provider database was hacked,’ the ad, disguised as a helpful search result, will appear at the top. This can lead you to a page designed to defraud you or compromise your computer

To help protect yourself, when you search, scroll down and click on the organic search results rather than the ads. You are more likely to access safer websites.

Malicious advertising is not limited to search engines. Advertisements on websites can be just as dangerous. These attacks are called malvertising and trick millions of users each year.

Change Passwords Immediately

If you haven’t recently, change passwords for all your accounts including phone provider, social media, banking, and other sensitive accounts, especially if you’ve used the same password for multiple accounts.

Use a Password Manager

Consider using a password manager to manage your unique passwords on every website. Detailed information about using password managers: Password Managers Speed Your Workflow – Foster Institute

Set Up Unique Security Questions

When setting up security questions, avoid real answers that are easy for a bad actor to research. Instead, use fictional answers like, “The fourth crater on the moon.” Save your secret answers in a randomly named file such as “socks.docx,” and consider encrypting this file for added safety.

Enable Two-Step Verification

Enable two-step verification for accounts. Prioritize setting this up on sensitive websites and services where it’s available.

Update Operating Systems and Software

Ensure that all your devices have the latest security software, web browsers, and operating systems updates and patches. This is one of the best defenses against viruses, malware, and other online threats.

Secure Your Tax Identity with an ID.me Account

Given that social security numbers were compromised, there’s an elevated risk of someone attempting to file a fraudulent federal tax return in your name. To combat this, consider registering for an ID.me account which provides access to IRS services. With this account, you can also apply for an IRS Identity Protection PIN (IP PIN) that adds an extra layer of security to your tax filings by requiring this unique six-digit number on your tax return.

Protect Your Property Records

With personal details like your SSN in the wrong hands, even your home ownership documents could be targeted. It’s advisable to monitor and possibly register your property deeds with services that alert you to any unauthorized filings or changes. While a universal solution for this isn’t available yet, taking initial steps such as contacting your local county clerk’s office to inquire about protective measures can be beneficial.

Awareness for Business Impact

Businesses, particularly those utilizing services from the breached provider, should be acutely aware of the implications this breach can have on their operations. It’s crucial for business owners to assess their exposure and strengthen their internal security measures, including employee training on data privacy and regular security audits to prevent further damage.

Register for Online Tax Accounts in All States

To prevent the misuse of your personal information for fraudulent state tax filings, consider registering for an online tax account in each of the 50 states. This pre-emptive registration can block identity thieves from creating accounts in your name, a tactic increasingly used to commit tax fraud across state lines.

Digital Footprint and Data Sharing

Be vigilant about the information you share online and through mobile applications. It’s crucial to minimize data sharing and scrutinize the permissions you grant to apps, especially those that request access to sensitive personal information. Educate yourself and limit exposures to safeguard against unauthorized data usage. The less information threat actors can gather about you, the more difficult it will be for them to misuse your identity.

Review and Update Privacy Settings

Regularly review and update your privacy settings on social media and other online platforms to ensure minimal public exposure of personal information. This proactive measure can significantly deter fraudsters from using accessible data to facilitate identity theft or scams.

Legal and Financial Consultation

Consult with legal and financial advisors to explore additional protective measures tailored to your personal or business circumstances. Discuss setting up legal structures such as trusts to shield assets, or other strategies that may offer enhanced security against identity theft and financial fraud.

Emergency Contacts and Protocols

Prepare an emergency contact list and establish protocols for immediate action if you suspect identity theft or if a data breach occurs. Include the contact information for essential services such as credit bureaus, your bank, and legal advisers, to ensure a swift and organized response to security threats.

Forward this message to your friends so they can follow these steps can help mitigate the damage from the breach and protect their personal information.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post Protecting Your Financial Interests in the Wake of a Major Data Breach appeared first on Foster Institute.

The Risk: When Convenience Becomes a Liability

Imagine this: You’ve visited a coffee shop and connected your smartphone to their Wi-Fi network. Your device remembers this network to connect automatically next time. Seems harmless, right? Here’s where the risk creeps in.

Once you tell a device to automatically reconnect to a remembered network in range, your device will continuously send out “probes” or signals looking for that network, typically one to four times a minute and more often when other events can trigger a probe. A threat actor can set up a Wi-Fi access point with a common SSID name, such as “home.” And what if your device is configured to automatically connect to a network you trust named “home?” When your device, say your smartphone or laptop, is within range, it might automatically connect to this rogue Wi-Fi network without your knowledge.

The Trap: A Deceptive Doppelgänger

This rogue network, set up by the threat actor, is a doppelgänger of your trusted network but with nefarious purposes.

Remember: Your device connects to the rogue access point automatically and often without alerting you at all. (see “what about passwords” below). This attack does not need you to make any mistakes to succeed, and it can happen without your knowledge.

Ten common network names threat actors can use that will often lure devices from unsuspecting users to connect include:

• xfinitywifi
• linksys
• Marriott_Guest
• Hyatt
• hhonors
• NETGEAR
• Guest
• dlink
• FreeWifi
• Home

To make it even easier to connect, there are commercially available devices that listen for the SSID name in a probe from an unsuspecting user’s device and then broadcast that name in an effort to capture the device’s connection. In that case, it doesn’t matter how unique your SSID is, an automated device can attempt to establish a connection without your knowledge. If you are technically minded, you can read the section at the bottom of this article for a detailed explanation of how probing works.

Once connected, the attacker can intercept your device’s data. This interception could be called a “Man-in-the-Middle” attack. Thanks to encryption technology, the attacks are more complicated than they used to be, but they are still possible in some circumstances. If the attacker successfully establishes the Man-in-the-Middle connection, imagine sending confidential emails, accessing your company’s financial data, or even logging into your personal banking app, all while an unseen cybercriminal is potentially recording every keystroke and data transfer.

Another serious concern is if threat actors know of undiscovered vulnerabilities that will allow them to hack into your device. This is one of the most important reasons to always apply security updates when they are released and always keep backups for the unlikely scenario of an update causing a problem on your device. Even if you applied all of your security updates, sometimes attackers know of ways to break in that haven’t been discovered by the device’s manufacturer, operating system producer, or app developer yet. Thus, there are no updates written. Bad actors can use tools to scan your device and exploit vulnerabilities quickly. Their ultimate goal would be to take control of, or pwn, your device. This isn’t always easy if you have all your updates in place, but it isn’t impossible either.

The Consequences: A Digital Pandora’s Box

The consequences from attackers successfully tricking your device into connecting to their rogue access point and exploiting vulnerabilities can range from private information exposure to significant breaches:

1. Personal Data Theft: Sensitive personal information can be stolen.
2. Corporate Espionage: Confidential business information could be compromised.
3. Identity Theft: Your digital identity could be used for fraudulent activities.
4. Network Infiltration: Once a device is compromised, it can serve as a gateway to your business’s entire network.

Prevention: Turning Awareness into Action

As executives, instructing your workers to implement security measures is crucial. Here are some actionable steps you can take in the Wi-Fi settings of your laptops, phones, and tablets:

1. Forget Networks: In your device’s Wi-Fi settings, examine the network names identified as “remembered” or “my networks.” Tell your device to ‘forget’ networks by removing them from the ‘my networks’ list, except those you use frequently. Were any of the ten listed above remembered on your device? To establish the unauthorized connection, the threat actor would need to use the name of one of the networks you leave remembered or use the device mentioned above that responds to probes for names your device sends.
2. Avoid a False Sense of Security: If your device has the “Ask to Join Networks” setting, read the fine print. The device will still join known network names without asking. The setting is usually more about asking before joining new or unknown networks, rather than known ones.
3. Turn off Wi-Fi When You Aren’t Using it: To reduce your exposure dramatically, disable Wi-Fi when you are not using it. Your device will stop probing, stop listening for access points broadcasting their name, and won’t connect to any Wi-Fi networks. Some devices have a quick shortcut to turn off Wi-Fi from an easily accessible menu, but they might turn Wi-Fi back on again after a while or when you move to a new location. On those devices, if you go into “Settings” to disable Wi-Fi, it should stay off until you manually change the setting to “on” again.

What about Wireless Passwords?

If the original remembered network you connected to, such as the coffee shop network, had no password, your device would join the network automatically and not alert you. This is a common risk with some remembered networks. You may have noticed that many hotels and some coffee shops and restaurants now require no Wi-Fi password; this is undoubtedly to reduce guest frustration and the number of calls from hotel rooms to the front desk asking for the password. The prevalence of public networks without passwords makes it especially important for you to tell your device to forget networks and be sure to forget the ones with no passwords.

However, if the “remembered” network did have a password, then to get your device to connect automatically without warning you, the threat actor will need to set the same password on the rogue access point. It is simple for an attacker to know the password for coffee shops and other networks that share the password with guests.

Many companies will set passwords on networks and hopefully don’t write the password on dry-erase boards in the meeting room. Even if the passwords are configured at the company, and users do not know the password since the IT Professionals configure their computers, if an attacker is able to access one computer, in-person or remotely, there is a chance they can run a script to find out the wireless password for the company. This is why some companies use enterprise-level Wi-Fi authentication that does not rely on a shared password.  Or, attackers can use social engineering to successfully trick a user into providing the network password. If a user’s device doesn’t detect any anomalies between the rogue access point and the access point it is used to connecting to, the user will not be alerted they are connecting to a rogue access point, and their device will connect automatically.

An exception that might generate an alert is when there is a discrepancy between the security settings of the known network and the one to which the device is trying to connect. An example is when the rogue access point does not have a password, but the remembered network does. In this case, some devices will prompt you: “Are you sure you want to join this network?” The default button, “join,” is preselected. Unless you are on the lookout for this kind of message and know the seriousness, you might click “join” and not think anything of it. Sometimes, the device will connect and not alert the user but will quietly list the word “open” or “insecure” under the network name on the list of networks under settings. Most people do not periodically look at the Wi-Fi settings, so the label often goes unnoticed. Even if a user does notice the label, there is a good chance the attacker already probed for weaknesses and exploited any vulnerabilities they discovered.

However, if you ever see a prompt asking you to re-enter a password, that is a huge red flag, and you need to assess the situation carefully to determine if your device is attempting to connect to a rogue access point with an inaccurate password.

And to be sure you don’t have a false sense of security, remember that devices do not prompt the user if the security settings of the new network match those of the remembered network, and the device will quietly automatically connect even if it’s a rogue access point.

What about a VPN?

A Virtual Private Network (VPN) is a technology that encrypts data as it moves to and from your device. This encryption can prevent attackers from reading your data. However, it’s important to note that a VPN doesn’t protect you from attackers who scan for unpatched vulnerabilities, search for open ports, and exploit weaknesses on your device. Even if you use a VPN, you’re still vulnerable to such attacks. Follow the instructions above to help ensure your online safety.

Final Thoughts: Balancing Convenience with Caution

In today’s fast-paced digital world, convenience often beats caution. However, in the realm of cybersecurity, this trade-off can have dire consequences. As leaders, our role extends beyond making decisions; it includes understanding and mitigating the risks associated with the technology we use every day. Stay safe, stay informed, and lead your organization confidently in this digital age.

Technical Details About the Probing Process

For the more technically minded, here is more information about the probing process. When we say that devices are constantly probing, they are, and the probing might be once every 15 to 60 seconds. The probing frequency can vary, for example, if you put your device in low battery mode.

In addition to devices probing, know that Wi-Fi access points, including rogue access points attackers use, broadcast their network name, a process called beaconing, sometimes as often as ten times every second. The rate of beaconing is usually configurable by your IT Professionals.

If you look at “available networks” in “settings” on your device, you might notice that the list takes a few seconds to build because your device is cycling through multiple Wi-Fi frequencies, listening for the beacons.

An interesting setting not everyone is familiar with on wireless access points is that you can instruct the access point to be “hidden.” If you do, then the access point will not send out beacons. However, hidden networks, while not broadcasting their SSID, will still respond to direct probes that contain their SSID name. So, as soon as your device sends out a probe looking for the remembered hidden network, which it does regularly, as described above, the access point will respond, and your device will connect. Just because a network you “remembered” is hidden at your home or office doesn’t affect a threat actor’s ability to lure your device into connecting to their rogue access point, even if the hacker’s access point is not hidden.

Additionally, to reduce the delay in connecting, your device will send immediate probes in certain circumstances, such as when it wakes from sleep, when you open your laptop’s lid, or if you just disabled airplane mode. Your device will quickly find access points, even rogue ones, especially if they are “remembered.”

A significant benefit to attackers of your device probing periodically, such as every 15 to 60 seconds, is when the attacker doesn’t already know the network names your device has remembered. The attacker tools wait for the probe, then know the name, and the rogue access point automatically claims to have that network’s name. This is a very powerful way for attackers to capture as many unsuspecting users as possible without needing to predict the names of remembered networks.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post Outsmarting the Invisible Threat: How Cyber Attackers Hijack Your Wi-Fi Connections and How to Protect Yourself appeared first on Foster Institute.

Realize Even Photos Can Give an AI Attacker All they Need to Know:
AI-based facial recognition enables bad actors to link you to locations, people, and your daily activities. Some photos you take with your phone contain exact location data. Protect yourself and inform your friends:
-Adjust privacy settings on social media, making profiles private and sharing only with trusted connections.
-Be cautious when posting photos that reveal sensitive details about you and your loved ones.
-Disable geotagging on your smartphone’s camera app to prevent automatic location embedding.

Verify the Identity of the Caller:
Attackers can change their Caller-ID to match whomever they’re impersonating. When receiving a suspicious call, verify the caller’s identity by asking a question that only they would know the answer to. Avoid questions that could be answered with information on social media or online. If you receive a call from a loved one in distress, hang up and call them back on a known number.

Set a Code Word with Loved Ones:
Set a ‘code word’ with your kids, family members, or trusted close friends that only you and they would know. They can use this code word to confirm their identity in a genuine emergency and contact you.

Educate Yourself About Deepfakes:
Deepfakes are AI-generated videos or audio that can convincingly mimic real people. Familiarize yourself with the signs of a deepfake, such as suspiciously good voice recording quality, no discernible background noise, unnatural blinking patterns, poor lip-syncing, or anything that seems a little off. People can use AI to put your face on a scantily clad body doing embarrassing things. The deepfake videos look convincing, and the bad actors will threaten to share the pictures online or with your friends or family and demand money. Cyberbullying is real.

Be Aware of Current AI Scams:
Common scams include a caller claiming they are from the IRS or that you have a warrant out for your arrest. The IRS provides an updated list of scams here: https://www.irs.gov/newsroom/tax-scams-consumer-alerts. One of the most prominent organizations in the UK that provides information and guidance on scams is the “Action Fraud” website: www.actionfraud.police.uk

Recognize AI Hallucinations:
Another red flag is inconsistency in the story or information provided. Like when using a chatbot, you sometimes identify responses sounding goofy. If you notice contradictions or a seemingly confused train of thought, that is a clue that AI might be generating the audio.

Teach Your Youngsters:
Teach them that AI can allow attackers to figure out lots about them, and they should not share their real names, family members’ names, city names, addresses, phone numbers, school names, or birthday information. They must assume that every person they chat with or meet in games may not be who they claim to be, even if they sound like friends from school, due to knowing accurate details. You don’t want to terrify your young people to the point that they cannot sleep, so you might choose to limit the number of and how frequently you share horror stories.

Use Verified Communication Channels:
Whenever possible, use verified communication channels, especially for sensitive conversations. For example, use your bank’s official app for financial transactions instead of a link sent via email. Use encrypted email to communicate sensitive information.

Keep Your Cool:
Scammers often impersonate trusted individuals or organizations in some crisis or drama to trigger your brain into fight or flight mode. Attackers try to freak you out so you make poor choices. Beware of urgent, unexpected, or out-of-character phone calls.

Please forward this to your friends and coworkers so they know these top strategies to protect themselves from falling victim to AI-generated scams.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post AI Scams in the Spotlight: Essential Tips to Protect You and Your Family appeared first on Foster Institute.

Passkey authentication can be configured to be very secure based on four conditions:

1. You must have your mobile device with you. (An attacker is unlikely to have the device with them.)
2. You must be able to log in to your mobile device using facial recognition, a fingerprint, PIN, pattern, USB token, etc. Some people call passkeys a “Face” or “Fingerprint” sign-in.
3. Your device must have a unique key assigned to you that ties to a unique key at the site or application.
4. If you log into a site or application from a computer, the mobile device must be physically close to the computer where you’re logging in.

Passkeys are new, and there is varying support for specific browsers, operating systems, and devices.

Tips for Using Passkeys:

1. Start setting passkeys up on your mobile device, such as a smartphone, before you use your computer.
2. If the website or application does not allow you to set up a passkey on your computer:
   • Look for and select an option on the computer that says, “Use a passkey to log in,” Your computer will display a QR code image.
   • Use your phone’s camera to scan the QR code image displayed on your computer.
   • After scanning the QR code, your phone completes the passkey login process.
3. It’s essential to confirm that passkeys work on all devices and browsers before disabling the old login method for each website or application. This way, you can avoid problems accessing your account if the passkey login method doesn’t work on some of your devices or browsers.

As the adoption is just starting, you might discover limitations or frustrations, but they’ll disappear soon. Some people have great luck experimenting with setting up their first passkey at best buy dot com even if they don’t shop there.

Apple uses the Apple Keychain to store a passkey that should work on all your Apple devices after enrolling one. Google uses the Google Password Manager in the Chrome browser and Android. Microsoft uses Microsoft Hello. Some password managers store keys.

Mobile device backups and some password managers are designed to back up the passkeys in case you lose your phone. If you do lose your phone, it is a good idea to go to the apps and sites to set up a new key and disable your old key. One concern is that, if an attacker can access your backups or the passkey manager and obtain a key from there, they might find a way to bypass passkey protection. But that doesn’t necessarily make passkeys less secure than other authentication methods; they may well be the best protection available when implemented properly since they offer so many benefits:

1. Users cannot be tricked into giving away passkey values they do not know in social engineering and phishing attacks.
2. Since passkeys come in unique pairs, users cannot re-use passwords, another user mistake that leads to compromised passwords.
3. Keyloggers cannot capture passwords since users are not typing passwords.

Your IT team might choose to eliminate your existing Multi-Factor authentication process since using passkeys involves multiple factors already. Unlike SMS text messages, passkeys cannot be redirected to attackers. Passkeys are immune to MFA Fatigue addressed here https://fosterinstitute.com/mfa-fatigue-the-hidden-danger-and-how-to-combat-it/

Please forward this to your friends so they can explore eliminating passwords and eventually start adopting passkeys as Passkey support expands.

Prepare yourself for what would happen if an attacker steals a phone containing passkeys: https://fosterinstitute.com/the-risk-iphone-theft-poses-to-your-passkeys-and-what-to-do-now/

Technical Details – If You are Interested

You do not need to know this to use passkeys. But if you wonder how these keys can be so secure, read on.

Passkeys are much more secure because passkeys come in key pairs. When you use one key of the pair to lock something, you must use the paired key to unlock it. Only the paired key can unlock what the first key locked.

So for each site or application you set up to use a passkey, your mobile device generates a pair of keys:
– A unique private key for that site or application is stored on your device.
– A paired key that your device sends to the site or application which stores the key just for you.

If you have a passkey set up for 100 sites or applications, your device will store 100 keys. Sites that have 100 million users will have 100 million keys. Each key is half of a pair. The private key must be kept secret on your device to be secure. Even if attackers access all the keys for a site or application, your account is still protected since they won’t have the second key stored solely on your device.

If you want to get more technical and understand why passkeys are so resistant to person-in-the-middle attacks: Websites that start with https:// and most web applications use PKI encryption to protect data during transit. SSL (deprecated) and TLS (use the newest version) protocols use public-private key pairs to initiate a multi-step process to secure traffic to websites or web applications. Attackers can use person-in-the-middle attacks to defeat that encryption. They generate key pairs to make the user’s connection think the attacker is the website and make the website believe the attacker is the user’s connection. Bad actors insert themselves between the user and the website and can access the data as it goes through their connection.

When a user creates a passkey, the user’s device generates a key pair. It stores one key locally on the device and sends the other to the site or application for passkey authentication. The site or web application stores a unique key for each passkey a user generates. The secret key never leaves the user’s device during the authentication process, and the unique paired key is stored at the website or application. Hence, passkeys are extremely resistant to person-in-the-middle attacks.

Where supported, consider using passkeys. Hopefully they’ll be the common standard soon.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post The Rise of Passkeys: A Paradigm Shift in Authentication Technology appeared first on Foster Institute.

When you eliminate passwords:
– You don’t need to worry about creating, forgetting, or re-using passwords because you don’t use passwords.
– IT Helpdesk Professionals save time since they don’t have to help users who forget their passwords.
– Hackers will not try to trick users into disclosing passwords because the user won’t know passwords.

Microsoft, and others, continue to make their big push for people to go passwordless.

Alternatives to Passwords:

Today, determine where and how you can eliminate passwords from your life. Focus on using:

Something you have:
– A USB Token such as a YubiKey
– A proximity badge you wear around your neck or carry in your pocket
– An authenticator app on your smartphone or tablet
– A text message, phone call, or email with a one-time code

Or, something you are:
– A fingerprint scan
– Facial recognition
– Eye recognition

And the real magic is when you combine two for multi-factor authentication (MFA) without passwords.

Note that USB tokens can include fingerprint scanners for built-in MFA. Your IT Team might need to get creative using mobile phone technology to accomplish both. If you decide to use push notifications, be sure to refer to https://fosterinstitute.com/mfa-fatigue-the-hidden-danger-and-how-to-combat-it/

There are few ways attackers can exploit some of these login methods, and your IT Team can help you shore up weaknesses. Visit with your IT Team about ways you can eliminate passwords. Be sure they’ve seen this post: https://fosterinstitute.com/the-risk-iphone-theft-poses-to-your-passkeys-and-what-to-do-now/

Know About Passkeys:

Be sure you, and your IT team, know about passkeys. Passkeys are the future, and the future is arriving now: https://fosterinstitute.com/the-rise-of-passkeys-a-paradigm-shift-in-authentication-technology/

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post Ditch Passwords for Good: The Ultimate Guide to Passkeys and Passwordless Authentication appeared first on Foster Institute.

Most people I encounter talk about their fun with ChatGPT, and I can relate. Type “Write a Valentine’s day note to my lover who likes (activities). I’m attracted to their (attractions) and want them to know (details).” Keep adding details. And, of course, you can say, “Make it rhyme” or “write it like Shakespeare.” You’ll have a smile on your face.

Be sure to select “New chat” whenever you change topics. After you get a surprisingly fun Valentine’s message, open a new chat to ask, “Remind me of the Excel formula to return the first twenty characters of a string.” ChatGPT remembers conversations in chat segments, so avoid mixing topics to get the best results.

AI has given a new meaning to the term Virtual Assistant. Sometimes I compose long email messages and want to shorten them. I first compose the message with no sensitive information, give it to ChatGPT, and say, “Write this shorter.” It is stunning how capable it is at combining sentences and summarizing ideas while mostly keeping the whole meaning. Sometimes it elaborates and incorporates new ideas into the message. I find that amusing and occasionally helpful. I must re-read the output carefully and often make changes since ChatGPT is not perfect at knowing precisely what I mean, but for long messages, it sometimes helps me make them concise, saving the recipient time.

Do not be duped – AI does not know everything and can accidentally produce inaccurate information that sounds very convincing.

When I hear people discussing the risks of ChatGPT, they usually focus on students using it to write their essay assignments for them. They have not considered more severe concerns. If you are interested, search the web for: chatbot ai can be used to create ransomware video.

Fortunately, ChatGPT is implementing safeguards to help prevent malicious use, and there are ways to trick it. Values and ethics vary from person to person, and some people, or governments, might feel justified in using AI to help create weapons, influence elections, or help them with strategies to harm.

Before his death, the famous physicist Stephen Hawking warned that AI could “end mankind.” Elon Musk has donated millions of dollars to OpenAI but intensely voiced concerns about the dangers of AI.

Some of our clients now block access to ChatGPT on company networks and devices. Some won’t.

Please forward this to your friends so they will consider the risks and enjoy AI-related fun. ChatGPT is impressive, and the business world will never be the same.

The post Cybersecurity Concerns and Fun with ChatGPT appeared first on Foster Institute.

If you know what MFA is, you can skip this paragraph. The most common first step of MFA is for users to enter their username and password. They receive a text message with a code to complete the login process. Alternatively, the user might have an authenticator app on their phone that provides a code. Another option is for the user to receive a “push” notification asking the user to approve the login through the app. The latter is sometimes referred to as one-tap login. There are other options for the factors, including approving specific computers, geo-location, USB hardware keys, and biometrics, including fingerprints, facial recognition, and iris scans. There are pros and cons to each.

Summarized steps you can take to help protect yourself from attackers bypassing multi-factor authentication:

= Know how to protect yourself against a thief stealing a phone if MFA uses text or email messages as the second step.
= If supported, instead of a code number from a text message or authenticator app, consider using a USB token, fingerprint, or facial recognition for the second factor.
= Reduce the duration a code is valid. For example, perhaps change the code every 60 seconds so an older code won’t work.
= Limit the number of failed login attempts in a specific period.
= Implement web content filtering to help protect users from being exposed to fake login screens.
= Limit logins to specific countries.
= If users primarily use the same device, restrict logins to specific devices.
= Train users to beware of fraudulent login prompts.

Please see the details below:

If MFA to sends a text message to a stolen phone, the thief might see the text message. For websites or services that only support text messages for the second step, consider investing in an inexpensive flip phone with a different phone number to receive text messages. Similarly, if MFA involves an email, and the thief can easily access your email on the stolen phone, it defeats the purpose of MFA. Therefore, if you set up the two-step login with email as the second step, use an email address that requires some other form of authentication on the phone to access email messages. Ensure email messages do not pop up on the preview screen when received.

Another way attackers bypass MFA:
Step 1: Trick the user into clicking a link that takes the user to a fake login screen for Microsoft 365, LinkedIn, or any other valuable site.
Step 2: The user enters their username and password into the fake login form. Now the attacker knows the user’s login name and password.
Step 3: The attacker’s computer pulls up the genuine login form and enters the username and password the victim just provided.
Step 4: The legitimate website sends the user the text message, sends a push notification, or performs another second factor the user is used to. The user expects this, and the process seems normal to them.
Step 5: The attacker can create a fake form for the user to enter the code from their text message or app. When the victim enters the data, the attacker’s computer inserts the data into the genuine website. If the user received a push notification, they could approve the login because the user believes they are indeed logging into the site.
Step 6: The attacker is logged in and has the user’s full access. The attacker needed no previous knowledge of the user’s username, password, or text key.

One strategy to fight his kind of attack is to use a second factor that isn’t a text code. For example, a user doesn’t need to enter a code if the second factor is a fingerprint or USB token plugged into the computer. The user cannot enter that information into a fraudulent login screen.

Another common strategy attackers use to bypass MFA is to reduce the time an OTP (One Time Password) code can work without the user requesting and receiving a new text message or generating a new code in the authenticator app. Shorter expiration times mean the attackers must use the stolen credentials and second factor to log in more quickly.

Another strategy, though slightly less effective but can be used in conjunction, is to limit the number of failed login attempts within a period. An example rule is if there is a failed login attempt for a user account three times in a row within five minutes, lock their account so they cannot try logging in again for ten minutes.

A useful cybersecurity control that is underutilized is conditional access by country. If your users will always log in from specific countries, block logins from all other countries. That will make it more difficult for foreign adversaries to compromise your users’ accounts. Identifying a user’s location is sometimes referred to as geolocation.

Another method to bypass MFA is to use social engineering to trick the user into disclosing their username, password, and code or another second factor. A typical example is for a bad actor to contact a user, impersonate a technical support person, and ask the user to provide the information to help prevent some fake problem that doesn’t exist. Some trusting users walk the attacker through the login process, bypassing the protection of MFA.

Another strategy bad actors use is called MFA fatigue. The hacker will make so many attempts to log on that the user finally tires of receiving push notification alerts. The fatigued user approves the login to make their phone be quiet, and the attacker is in the system.

Attackers could use SIM Swapping to reroute calls and text messages to their phones. Therefore, text and callbacks can be less secure than other second factors. However, many sites only offer those two options.

As your IT team can tell you, there are more technical ways for attackers to bypass MFA by creating person-in-the-middle attacks using something called a proxy. Another strategy attackers can utilize is captured authentication cookies or tokens. Authentication can rely on digital key values that must be kept secret inside servers. If attackers get access to the keys, they can gain access.

Your IT Team can implement some form of web content filtering and configure it to block communications with known malicious sites and attacker command-and-control servers. This isn’t perfect because attackers frequently change command servers, but it helps.

Using SSO (Single Sign On) reduces the number of opportunities an attacker has to trick the user. Of course, the flip side is that if an attacker successfully gains access to the single sign-on, the attacker won’t need any other credentials to access everything the user can access.

User training is essential, as is keeping the computer safe.

As you can see, using MFA does not mean your authentication process is secure. Whenever a new security control is invented, someone finds a way to break it. The strategies above will help you be more secure.

Alert your friends to some of the ways attackers can bypass MFA. They might decide to consider using USB keys, biometrics, or cryptographic codes stored in a computer or hardware.

The post How Attackers Break Your Multi-Factor Authentication Protection and 7 Strategies to Protect Yourself appeared first on Foster Institute.

This so-called cyber-flashing is a growing problem with Apple’s AirDrop feature and Android’s Nearby Share feature that allow you to send and receive images, videos, and files from other users nearby.

Yes, you get prompted to decline or accept the image, but you cannot unsee the preview image in the prompt.

To protect yourself on your Apple device, Click on Settings, General, and AirDrop to choose Receiving Off, Contacts Only, or Everyone. I recommend you select Receiving Off. Temporarily enable receiving when you wish to exchange photos. Apple provides a detailed explanation of AirDrop at https://support.apple.com/en-us/HT204144

To protect yourself on an Android device, choose Hidden your Nearby Share settings. The steps will differ depending on your device and version: Settings, Connected Devices, Connection preferences, Nearby Share, and choose Hidden. Or your device might have you go to Settings, Google, Devices & Sharing, Nearby Share, and set Use Nearby Share to Off. You can learn more about Nearby Share at https://support.google.com/android/answer/9286773?hl=en

Bad actors strive to find ways to affect users of any brand and type of device and service. Please forward this to your friends, so they don’t receive shocking images via AirDrop or Nearby Share!

The post How to Avoid Receiving Disturbing Photos via Apple AirDrop and Android Nearby appeared first on Foster Institute.