If you want to find out if your passwords were released, visit his site called https://haveibeenpwned.com. If you elect to enter your email address, he will tell you if it is in the collection and give you more details.

What do you do if you are on the list? Reset your passwords. Use a password manager that will remember your passwords for you to make your life easier when you use a different password at each website from now on.

Now is a great time to enable two-step verification. A basic form of two-step verification is when you enter a username and password, and you receive a text message code to type in. Enable two-step verification on PayPal, LinkedIn, Dropbox, Facebook and every other web service you use. On each website, look for Settings > Security. You may need to dig down, but more reputable sites now support two-step verification, but you must enable the feature.

Some bad news is that, about a week ago, a tool called Modlishka shows how to break two-step verification so it isn’t that secure, but two-step verification is still more secure than a simple username password combination. If it allows, have a website use some other method than texting you a password. Using an app on your phone or calling you via a voice call are options that are often more secure than the text message. Microsoft, Google, and a service called Duo offer these options and more. Having a hardware key is even better unless your laptop users leave the key stored in the laptop case, and their password written on the bottom of the laptop.

The post 773 Million Passwords Exposed – Were You Exposed? appeared first on Foster Institute.

Encourage and provide time to your team to keep your systems up to date with all critical security patches for operating systems, Office, browsers, Flash, Java, and Reader. Ask them to show you a list, not a pie chart, of missing critical security patches. If they haven’t checked lately, this is an excellent time for them to be sure the firmware is up-to-date in the firewall and other infrastructure devices.

Thank you for all you are doing to protect against ransomware and all types of cyber threats. You are helping make the world a safer place to live and work!

The post Happy Computer Security Day! appeared first on Foster Institute.

Then, the unexpected happened. Some of Nick’s business associates, customers, and friends complained, “Hey Nick – Why haven’t you replied to that email message I sent you last week?” His associate named Tony felt snubbed because Nick stopped replying to his messages. Nick had no idea Tony was sending messages because Nick never received any of them.

The cause of this problem is that, unbeknownst to most people, when a bad actor sent the fake email with a made up email address, the recipient’s computer stores the phony email address to be used in the future to auto-fill the “To:” address field.

Check your computer. When you start to compose an email message and begin typing the name of the person to whom you are sending the message, does their name show up automatically on a list before you finish typing?

A bad actor might have impersonated you by spoofing your email address with a fake one: Nick Stark <Nich0las @yahoo.com>. But your real email address may be Nick Stark <NStark @yourcompany.com>. While your name is the same, the addresses are different.

From now on, when someone sends an email to you, their address book will auto-fill “Nick Stark” as they type your name into the “To” box in the email message. Unless they pay special attention, their email program may send the email message to the fraudulent email address. You will not receive the email, and the sender expects that you will.

One way you can solve this is to alert people that, when they send you an email message, to verify that, as they fill in your name as the recipient, the email address that shows up is Nstark @yourcompany.com. If they see your name with the wrong email address in their auto-fill list, they should click the option to delete the record with the fake address.

If you have ever been the victim of spoofed email messages sent in your name, you should notify your contacts. If people complain that you do not receive email messages they send you, you should advise your contacts as well.

The auto-fill feature is helpful when sending email messages, but it can come back to bite you if an attacker ever impersonates you in an email message.

Send this message to your friends, especially if anyone ever fakes their email address, so they can help ensure that they receive legitimate email messages.

The post You Might Stop Receiving Essential Email Messages, and What to Do About It appeared first on Foster Institute.

Now, what affects you directly whether you own a Tesla or not. Many IT Professionals, consultants, and outsourced IT firms access your network remotely using tools designed to help them help your users solve technical issues. Example programs include GoToMyPC, TeamViewer, LogMeIn, VNC, and Splashtop. Some outsourced companies use a product called Agent Tesla to support their customers. If you visit the website agent tesla dot com, you will see that the product has additional features including stealing keystrokes, breaking passwords, and spreading itself like a virus through a network. It appears that some bad actors have been using this tool to infect computers at companies without the company’s permission. And the tech support representatives at Agent Tesla were more than willing to assist the bad actors.

A key takeaway is that user-friendly tools can permit non-technical people to hack your network without needing any technical know-how.

What if a disgruntled or unscrupulous worker in your company installs GoToMyPC, LogMeIn, or similar easy-to-use software on computers in your private offices? They could overhear private conversations without anyone knowing. One of our clients experienced millions of dollars of embezzlement because a trusted worker used one of those programs on the computer that was in the conference room. The embezzler was not technically savvy at all, and he heard enough confidential information to embezzle millions and wreak all kinds of havoc. He did not need to use the additional user-friendly features that Agent Tesla provides including password cracking and automatic infection of other computers, but he could have.

Visit with your IT professionals. What are you, as an organization, doing to protect yourself from someone intentionally utilizing a readily available program, such as Agent Tesla, to infect your network, spy on your workers, steal information, and break your passwords?

The CEO, Owner, President, and other chief executives suffer the most when an attack devastates an organization. Most of them wish they’d have taken more of an active role in security. Learn from their mistakes, before it is too late.

The post Stealing Tesla Cars, and Stealing Your Network with Agent Tesla appeared first on Foster Institute.

Their program already installed on your computer should be able to give them all the information that they need. Even if the tech support person does require you to install another program, there is a possibility that the diagnostic program has an undiscovered security vulnerability.

If you do decide to install the program, at least make sure that the file location they offer you is on their main website, not a misspelled version such as qickbooks.com or abode.com.

Additionally, refuse to permit tech support to log in to your computer, even if you were the one who called them. Do you want to trust the security of your computer to a stranger?

Ask if there is some other way to provide them with the information they need.

Beware of imposters asking you to provide remote access or asking you to download diagnostic software.

The post Can you Trust the Kindness of Tech Support Strangers? appeared first on Foster Institute.

You assign your IT team the responsibility to secure and manage the keys to the vehicles, so you give each member of your IT team a copy of the master key.

Here is where it gets crazy: Suppose that there is a well-known tradition, in all companies, for IT professionals to store their master keys in the top drawer of their desks. Unfortunately, if someone wants to steal a vehicle, they know right where to find a master key. They can take all the cars once they gain access to the master, and they know exactly where to find it.

In the real world, your IT team has the responsibility to secure and manage your most sensitive data. In doing so, they have the master keys that unlock all the other keys. It is a tradition to give all IT professionals, and even outside consultants, keys to the master lockbox. The shocking part is that all IT professionals are encouraged to store the master keys in the same place, in the default well-known security groups named schema, enterprise, and domain admins.

Your IT team must create new security groups, with different names, in which to store the master keys. It is crucial that the new groups only provide specific privileges to member users on a need to know basis. It is ok if this strategy is new to them.

To measure this, ask your IT professionals to show you what users are members of those default security groups. Discuss moving those users into specific groups that provide the least amount of access they need to perform their work. Depending on the complexity of your system, this may take more time. IT professionals are always busy, so discuss with them their current projects, then prioritize this essential security improvement accordingly.

Storing master keys in a well-known location is absurd, and it is likely that you are doing that now.

The post The Insanity of Your Network – Storing Keys in the Same Place as Everyone Else appeared first on Foster Institute.

A term to know is macro. It is a set of automated instructions like a program. Emailed Attachments may contain macros.

Macros can contain malicious code that will infect your computer, and give an attacker full access to your computer and network.

If you ever see a message on your screen instructing you to enable macros, refuse.

Your IT department, or IT provider, can disable macros.

At home – you can do it yourself. Find step-by-step instructions by searching the web using the search terms: Disable Macros Office.

On a Windows computer, open each Office application, choose File, Options, Trust Center, Trust Settings, and choose the option to disable all macros with notification.

On a Mac, choose Preferences from the menu in each Office application. In Word, the preferences settings will show up when you pull down the menu labeled Word. Then select Security and Privacy settings. Choose to disable macros with notification.

Forward this message to users who use their computers to work from home, so they can make sure their computers are safe. That will protect your network.

Please forward this to your friends, so they know how dangerous macros are too.

The post Stop Hidden Attacks Buried in Email Attachments appeared first on Foster Institute.

Even if a user does click a link, a good web content filter can often protect your network when user training fails.

We notified the company’s outsourced IT providers, and they determined that the web protection gateway failed and was permitting all traffic into the network. Were it not for the audit, it would still be allowing clicked links to take users to malicious websites.

This firewall appliance is a well-known brand that starts with a B, but it could be any manufacturer. Computer hardware is far from perfect. A big concern is that the firewall failed and no one knew it. As auditors, it is common to find malfunctioning security equipment. Just because all the green lights are flashing on the outside of the firewall does not mean it is working correctly.

Now is an excellent time to ask your IT professionals, even outsourced companies, to devote time to checking your firewalls, routers, wireless network access points, and other devices. They need to apply all critical security patches, verify the filtering rules, and be sure the devices are working fast without hindering the flow of your information. If you want to, have them reach out to us for more technical recommendations.

You can even update your routers and devices at home if you have some extra time. An excellent place to start is at the device manufacturer’s website. There will be instructions to download and install the most recent firmware. Look at the support site about ways you can enable supported security features in your home devices including web content filtering. Be sure to leave time to tweak the settings. Depending on how familiar you are with the settings, this process might take you ten minutes or, if things get a little crazy, it could take an hour or more at home.

Please forward this to everyone you know so they can ask their IT professionals to make sure the firewalls and other devices are up and running correctly. Let’s keep your networks safe.

The post Ask IT Pros to Check Your Routers and Firewalls appeared first on Foster Institute.

When you want privacy, one way is to encrypt your documents before you attach them to your email message.

Microsoft Office, for Windows and Mac, has a feature on the File menu called Protect Document. Choose that option, and enter a secret password.

Use a phrase such as: the chairs are in a row.

E-mail that file to your recipient.

Then, phone, or text, the password to your recipient. If you email the recipient the password, even if it is in a separate email message, whoever is reading your email messages will receive both the attachment and the secret code.

Please forward this to any of your friends who may want to send sensitive email attachments.

The post How to E-Mail Encrypted Attachments appeared first on Foster Institute.

You don’t need to know this part: There is a service called Domain Name Service, DNS, that is a massive index for the Internet. If someone in your family, or at work, types in make a wish dot com, DNS looks up those letters and finds that the Make a Wish server is at address 184.168.221.30. Since computers think in numbers, it can then take you to that website.

Your internet service provider provides you with DNS lookups. So, if someone clicks on terrible dot com or infected dot com, your computer will take you to those sites.

However, there are DNS services that will help protect you. When someone clicks on an address, those DNS servers will look up the address and, before sending you there, do its best to make sure it is a good site.

There is nothing to install, and there are no charges for the services. All you need to do is tell your computer to use the new DNS servers, and all the sites show you how to do that. Check out:

Clean Browsing

Norton ConnectSafe

OpenDNS

Quad9

Additionally, you might even notice a boost in speed!

Please forward this to everyone you know who would like added protection when they click on a link or even type in an address while surfing the web.

The post A Simple Change Can Help Protect Your Family, and It Works on Apple and Windows appeared first on Foster Institute.