The leak exposed a tremendous amount of information about you, your personal and work history, your interests and hobbies, current and past contact information, and more all gathered and stored in one package. If someone knows your email address, they could immediately know your birthdate if you ever entered that date into a social media profile.

The data might also include your religion, financial information, members of your family, buying preferences, and more. It is alarming that your information is now more readily available than ever. Even more disturbing is that interested parties can access your data all in one place. Do you read the privacy policies when you install applications or sign up for services? You often agree that they can share some or all of your information with third parties. Those third parties may be data aggregation companies, called enrichment companies. This leak’s source was an Elasticsearch server. It contained data from two data enrichment servers called People Data Labs and OxyData.

What should you do? Now, more than ever, watch for fraudulent messages that seem very legitimate. Consider an example if your data set includes your phone provider. Social engineers might pretend to be your phone provider. They will demonstrate that they know real towns where you’ve lived. They’ll add legitimacy by including your accurate birthdate, one of your hobbies, and potentially your credit history. On the flip side, people that have your information can impersonate you to organizations. They might reset a password or change your listed email address so they can access your protected accounts. They might be more successful at tricking your relatives and friends into clicking a link because they’ll recognize personal details.

Use different passwords at different websites. Enable two-step verification as suggested and described in prior newsletters. Warn your friends that they must be more vigilant than ever for frauds and scams, even when the contact seems to know all about them.

The post A Huge Data Leak Exposed Your Personal Information appeared first on Foster Institute.

Any of your computers that you purchased six years ago came with Windows 7 installed. Unless you paid for new licenses and gave your team time to upgrade them, those computers run Windows 7 today.

Some of your options include:
– Buy new computers
– If the computer is strong enough, upgrade Windows 7 to Windows 8.1 or Windows 10
– You can ask your IT team if you use a technology called VDI. If so, they can uninstall Windows 7 completely. They can install Linux, or make a bootable thumb drive, or use a No Touch Desktop program. The computer can function as a screen and keyboard to a server where Windows runs

If, for any reason, you need to keep Windows 7 on some workstations, be sure to give your IT team time to implement compensating controls. For example, they can isolate the computers from the rest. Ask them to install Microsoft’s downloadable EMET security tool that works in Windows 7.

Support for Windows 8.0 ended in 2016.
Support for Windows 8.1 ends on January 10, 2023.

Please forward this to your friends and business associates, so they know January 14 is the when Windows 7 becomes a severe security risk to their networks.

The post Microsoft Will Stop Protecting Windows 7 on January 14, 2020 appeared first on Foster Institute.

Beware of additional fraud. Several sites are claiming to help you find out if you were part of the breach, but of course, the sites ask for personal information. Be safe: Use the contact information provided by Equifax. The Equifax FAQ says to visit: https://www.equifaxsecurity2017.com/

To find out if you are affected, that site points you to: https://www.equifaxbreachsettlement.com/

For identity theft, credit monitoring is helpful, so you know you are a victim, but by then, it is too late.

Placing credit freezes are a critical step in preventing your identity from being stolen.”

Freeze your credit, everyone in your family’s, at all major credit bureaus. To save you time, here are four and how to reach them:

Experian (888) 397-3742
https://www.experian.com/freeze/center.html

TransUnion LLC – To Freeze: (888) 909-8872
https://www.transunion.com/credit-freeze

Equifax Information Services, LLC (800) 685-1111
https://www.equifax.com/personal/credit-report-services/

Innovis – To Freeze: (800) 540-2505
https://www.innovis.com/personal/securityFreeze

Please forward this to your friends. If they don’t understand the importance of a credit freeze, The FTC provides more information at https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

The post Find Out if You Can Collect a Bundle from the Equifax Breach appeared first on Foster Institute.

If you want to find out if your passwords were released, visit his site called https://haveibeenpwned.com. If you elect to enter your email address, he will tell you if it is in the collection and give you more details.

What do you do if you are on the list? Reset your passwords. Use a password manager that will remember your passwords for you to make your life easier when you use a different password at each website from now on.

Now is a great time to enable two-step verification. A basic form of two-step verification is when you enter a username and password, and you receive a text message code to type in. Enable two-step verification on PayPal, LinkedIn, Dropbox, Facebook and every other web service you use. On each website, look for Settings > Security. You may need to dig down, but more reputable sites now support two-step verification, but you must enable the feature.

Some bad news is that, about a week ago, a tool called Modlishka shows how to break two-step verification so it isn’t that secure, but two-step verification is still more secure than a simple username password combination. If it allows, have a website use some other method than texting you a password. Using an app on your phone or calling you via a voice call are options that are often more secure than the text message. Microsoft, Google, and a service called Duo offer these options and more. Having a hardware key is even better unless your laptop users leave the key stored in the laptop case, and their password written on the bottom of the laptop.

The post 773 Million Passwords Exposed – Were You Exposed? appeared first on Foster Institute.

Encourage and provide time to your team to keep your systems up to date with all critical security patches for operating systems, Office, browsers, Flash, Java, and Reader. Ask them to show you a list, not a pie chart, of missing critical security patches. If they haven’t checked lately, this is an excellent time for them to be sure the firmware is up-to-date in the firewall and other infrastructure devices.

Thank you for all you are doing to protect against ransomware and all types of cyber threats. You are helping make the world a safer place to live and work!

The post Happy Computer Security Day! appeared first on Foster Institute.

Then, the unexpected happened. Some of Nick’s business associates, customers, and friends complained, “Hey Nick – Why haven’t you replied to that email message I sent you last week?” His associate named Tony felt snubbed because Nick stopped replying to his messages. Nick had no idea Tony was sending messages because Nick never received any of them.

The cause of this problem is that, unbeknownst to most people, when a bad actor sent the fake email with a made up email address, the recipient’s computer stores the phony email address to be used in the future to auto-fill the “To:” address field.

Check your computer. When you start to compose an email message and begin typing the name of the person to whom you are sending the message, does their name show up automatically on a list before you finish typing?

A bad actor might have impersonated you by spoofing your email address with a fake one: Nick Stark <Nich0las @yahoo.com>. But your real email address may be Nick Stark <NStark @yourcompany.com>. While your name is the same, the addresses are different.

From now on, when someone sends an email to you, their address book will auto-fill “Nick Stark” as they type your name into the “To” box in the email message. Unless they pay special attention, their email program may send the email message to the fraudulent email address. You will not receive the email, and the sender expects that you will.

One way you can solve this is to alert people that, when they send you an email message, to verify that, as they fill in your name as the recipient, the email address that shows up is Nstark @yourcompany.com. If they see your name with the wrong email address in their auto-fill list, they should click the option to delete the record with the fake address.

If you have ever been the victim of spoofed email messages sent in your name, you should notify your contacts. If people complain that you do not receive email messages they send you, you should advise your contacts as well.

The auto-fill feature is helpful when sending email messages, but it can come back to bite you if an attacker ever impersonates you in an email message.

Send this message to your friends, especially if anyone ever fakes their email address, so they can help ensure that they receive legitimate email messages.

The post You Might Stop Receiving Essential Email Messages, and What to Do About It appeared first on Foster Institute.

Now, what affects you directly whether you own a Tesla or not. Many IT Professionals, consultants, and outsourced IT firms access your network remotely using tools designed to help them help your users solve technical issues. Example programs include GoToMyPC, TeamViewer, LogMeIn, VNC, and Splashtop. Some outsourced companies use a product called Agent Tesla to support their customers. If you visit the website agent tesla dot com, you will see that the product has additional features including stealing keystrokes, breaking passwords, and spreading itself like a virus through a network. It appears that some bad actors have been using this tool to infect computers at companies without the company’s permission. And the tech support representatives at Agent Tesla were more than willing to assist the bad actors.

A key takeaway is that user-friendly tools can permit non-technical people to hack your network without needing any technical know-how.

What if a disgruntled or unscrupulous worker in your company installs GoToMyPC, LogMeIn, or similar easy-to-use software on computers in your private offices? They could overhear private conversations without anyone knowing. One of our clients experienced millions of dollars of embezzlement because a trusted worker used one of those programs on the computer that was in the conference room. The embezzler was not technically savvy at all, and he heard enough confidential information to embezzle millions and wreak all kinds of havoc. He did not need to use the additional user-friendly features that Agent Tesla provides including password cracking and automatic infection of other computers, but he could have.

Visit with your IT professionals. What are you, as an organization, doing to protect yourself from someone intentionally utilizing a readily available program, such as Agent Tesla, to infect your network, spy on your workers, steal information, and break your passwords?

The CEO, Owner, President, and other chief executives suffer the most when an attack devastates an organization. Most of them wish they’d have taken more of an active role in security. Learn from their mistakes, before it is too late.

The post Stealing Tesla Cars, and Stealing Your Network with Agent Tesla appeared first on Foster Institute.

Their program already installed on your computer should be able to give them all the information that they need. Even if the tech support person does require you to install another program, there is a possibility that the diagnostic program has an undiscovered security vulnerability.

If you do decide to install the program, at least make sure that the file location they offer you is on their main website, not a misspelled version such as qickbooks.com or abode.com.

Additionally, refuse to permit tech support to log in to your computer, even if you were the one who called them. Do you want to trust the security of your computer to a stranger?

Ask if there is some other way to provide them with the information they need.

Beware of imposters asking you to provide remote access or asking you to download diagnostic software.

The post Can you Trust the Kindness of Tech Support Strangers? appeared first on Foster Institute.

You assign your IT team the responsibility to secure and manage the keys to the vehicles, so you give each member of your IT team a copy of the master key.

Here is where it gets crazy: Suppose that there is a well-known tradition, in all companies, for IT professionals to store their master keys in the top drawer of their desks. Unfortunately, if someone wants to steal a vehicle, they know right where to find a master key. They can take all the cars once they gain access to the master, and they know exactly where to find it.

In the real world, your IT team has the responsibility to secure and manage your most sensitive data. In doing so, they have the master keys that unlock all the other keys. It is a tradition to give all IT professionals, and even outside consultants, keys to the master lockbox. The shocking part is that all IT professionals are encouraged to store the master keys in the same place, in the default well-known security groups named schema, enterprise, and domain admins.

Your IT team must create new security groups, with different names, in which to store the master keys. It is crucial that the new groups only provide specific privileges to member users on a need to know basis. It is ok if this strategy is new to them.

To measure this, ask your IT professionals to show you what users are members of those default security groups. Discuss moving those users into specific groups that provide the least amount of access they need to perform their work. Depending on the complexity of your system, this may take more time. IT professionals are always busy, so discuss with them their current projects, then prioritize this essential security improvement accordingly.

Storing master keys in a well-known location is absurd, and it is likely that you are doing that now.

The post The Insanity of Your Network – Storing Keys in the Same Place as Everyone Else appeared first on Foster Institute.

A term to know is macro. It is a set of automated instructions like a program. Emailed Attachments may contain macros.

Macros can contain malicious code that will infect your computer, and give an attacker full access to your computer and network.

If you ever see a message on your screen instructing you to enable macros, refuse.

Your IT department, or IT provider, can disable macros.

At home – you can do it yourself. Find step-by-step instructions by searching the web using the search terms: Disable Macros Office.

On a Windows computer, open each Office application, choose File, Options, Trust Center, Trust Settings, and choose the option to disable all macros with notification.

On a Mac, choose Preferences from the menu in each Office application. In Word, the preferences settings will show up when you pull down the menu labeled Word. Then select Security and Privacy settings. Choose to disable macros with notification.

Forward this message to users who use their computers to work from home, so they can make sure their computers are safe. That will protect your network.

Please forward this to your friends, so they know how dangerous macros are too.

The post Stop Hidden Attacks Buried in Email Attachments appeared first on Foster Institute.