Here is how the scam works: Suppose you want to look up a company online named Super Duper, so you type the store’s name into your favorite search engine. An attacker might have purchased the top result to take you to the website superduperco.com. However, if you knew to scroll down past the paid-for-results, you would have seen that the real website is superduper.com. Attackers set up a website and named it superduperco.com.

Their deceptive site might contain malicious advertising, ask you to enter credit card numbers during checkout, or tempt you to download malicious programs and apps. They might ask you to login or reset a password, and they capture the password you type in.

If you look up a retailer in a search engine, skip past the ads and paid results. Scroll down to see real search results. Even then, be skeptical in case attackers used SEO techniques to appear at the top of the actual search results.

Please forward this to your friends to alert their users that top search engine results can be a trap.

The post Beware: Attackers Buy Top Search Engine Results to Trick You appeared first on Foster Institute.

When you want privacy, one way is to encrypt your documents before you attach them to your email message.

Microsoft Office, for Windows and Mac, has a feature on the File menu called Protect Document. Choose that option, and enter a secret password.

Use a phrase such as: the chairs are in a row.

E-mail that file to your recipient.

Then, phone, or text, the password to your recipient. If you email the recipient the password, even if it is in a separate email message, whoever is reading your email messages will receive both the attachment and the secret code.

Please forward this to any of your friends who may want to send sensitive email attachments.

The post How to E-Mail Encrypted Attachments appeared first on Foster Institute.

Instructions for Windows and Apple home users are listed below the numbers. For organizations, here are 10 Steps To Avoid Incidents Including the Massive Ransomware Attack:

1. The reality is that most organizations are missing critical security patches and there is a very strong likelihood that yours is too.

2. Provide your team with extra time, and perhaps additional personnel, to test and then deploy patches ASAP. Some organizations are adding a new IT professional to their team whose sole responsibility is to manage patches. If the patch fails testing, then time must be invested to resolve the issue or implement compensating controls.

3. Prioritize critical security patches for the operating system, all the browsers, Flash, Java, your PDF Reader, and Microsoft Office. They are usually the easiest to attack and form your first line of defense.

4. Many IT teams are very reluctant to apply patches for fear of breaking your systems that are already running. Help remove their fears by reassuring them that you take on responsibility if the patch causes a problem. Encourage them to follow a procedure that mitigates risks:

5. Test Patches in a test environment that uses the same applications as the rest of your network. For very small companies, your test environment might be a single computer. For larger organizations, and organizations that stand to lose a great deal in the event of an attack, create a separate testing environment that is isolated from the production environment.

6. Have a pre-tested rollback plan so that, if the patch does cause a problem, your IT team will already know what they need to do right away to roll back a patch that causes an unexpected problem. They will then go back to the testing phase.

7. Deploy the patches in stages rather than patching all machines simultaneously. That way, even if the patch does cause a problem, not all your machines will be affected.

8. You may decide to empower your IT team with a patch management tool such as Ninite, LANGuard, Shavlik, or others. Allow them to test and choose a tool, and provide them with the means and time to do so, ASAP.

9. Ask IT, perhaps weekly and at least monthly, to provide you with a list of missing patches, not a pie chart.

10. You must upgrade from older operating systems, any of the ones that Microsoft no longer supports. If some machines cannot be upgraded, then they must be isolated or some other compensating control put into place. Microsoft clearly states when they stop producing patches for old operating systems.  So, there was no patch available for Windows XP and others.

Call me if they are not able to apply patches. Let’s team up to help prevent this.

At home, or if your organization is so small that you do not have an IT team or have an outsourced IT company that takes care of your patches, be sure that the option that provides automatic updates to Microsoft is enabled. The instructions are easy to find – just google the phrase: configure automatic updates site:Microsoft.com

Apple computer users, google: Automatic security updates os x site:apple.com

iPhone and iPad users, google: Automatic security downloads ios site:apple.com

Additionally, manually check for updates in Microsoft Office to be sure those are applied. Be sure that automatic updates are enabled in your browsers. Regularly download and apply patches to, or new versions of, Flash, Java, and your PDF reader.

Please forward this to everyone you care about and want to help stay secure.

The post Patching – 10 Steps to Seal the Holes in Your Armor appeared first on Foster Institute.

This kind of stuff happens all the time, not just to Google, but to other unsuspecting people.

If someone receives an email that appears to have been sent by you, and the email contains a malicious link, lots of people would think it was your fault. There is a good chance that you did not get hacked, just like Google did not get hacked, but you may get blamed anyway. What probably happened is that one of your friends, or at least someone who has you in their contact list, got hacked. Then the attacker chose to send the malicious message, that appeared to be from you, to all the other contacts stored in that person’s contact list.

Spread the word encouraging the people you know to be sure they are secure, since, if someone you know gets hacked, it can make you look bad too.

And, tell others that, when they receive a malicious email message that appears to be from someone they know, that person they know may not have been hacked.

For your own protection, forward this message to everyone who may have you in their address book.

The post The Google Scam Shows How, If someone You Know Gets Hacked, it can Make You Look Bad Too. appeared first on Foster Institute.

An Australian Web Security Specialist, Troy Hunt, has compiled a database containing usernames that have been stolen in hacks and then published or sold. Some people use his site to look up their own email address or username.
His website is haveibeenpwned dot com. (In this case, Pwned refers to a condition of someone else having access to your login credentials.)

At his site, people enter their email address or any usernames they’ve used for online logins. Sometimes, they look up addresses of their family members. If there is a hit, the details of the breach are displayed on the site.

Even if not on the list, there is no guarantee that person’s credentials haven’t been stolen, but it still helps to know.

If you ever suspect that your login credentials to any website have been exposed, it is very important that you reset the password on that site, as well as any other sites where you may have used the same password.

There are other strategies to protect yourself. Enabling two-step-logon is very important these days since it can thwart attackers who know your username and password. Using a password manager, as opposed to letting your browser store passwords, can help make password security more convenient, but it still needs to be used carefully. These strategies are explained in detail elsewhere in this blog.

Forward this to anyone who might want to know if their username and password has been hacked.

The post More than 1 Billion Passwords Stolen – What to Do appeared first on Foster Institute.

Yesterday, someone told me their security was good since they only get infected by a few viruses each year.

Even a single infection means there is a possibility that their machines are already infected.

If one virus can get in, other undetectable viruses can too.

Unless security protections are very poor on a network or computer, visible virus infections are rare these days.

People who see virus infections need to act, including patching their Internet facing applications and enabling click-to-play. Those features already come with Windows and applications so there is nothing to buy or download. For more information, see foster institute dot come slash blog.

If you know someone whose computers on their network catch viruses, tell them the viruses are more like chest pain, not like the common cold. Infections are the sign of some greater damage that is about to, or already has, occurred.

The post Only One Virus is a Huge Problem appeared first on Foster Institute.

Immediately change your password on Facebook.

If you haven’t done so, and every Facebook user should do this, turn on login approvals.

Go to Facebook dot com slash help and find the box at the top of the page named: Ask a question. Enter these words: How do I turn on login approvals.
Then follow the instructions.

Next, again at Facebook dot com slash help and, in the search box, enter: report an imposter account. The guide literally walks you through the process of what to do.

Please forward this to anyone you know who uses Facebook.

The post If Someone Impersonates You on Facebook appeared first on Foster Institute.