Spam the bane of people’s lives

Editor’s note: This is the first of a three-part series on spam.

Spam (electronic junk mail) is a bane of most people’s online lives. While your spam filter does most of the heavy lifting, trawling for blacklisted email addresses and employing programs to check for suspicious content, it’s up to you as the consumer to keep an eye out for suspect emails as well. If you’re not alert, a seemingly innocent piece of spam can cause you lasting damage.

Start by checking out the email address for these warning signs:

An unrecognized sender, often with a strange email address.
A long string of numbers and letters before the @ sign;
Check after the @ sign as well. A well-known business won’t using an address from a free email service provider, but instead will have its name followed by .com.
Even if the email address is that of a friend of acquaintance, check the content of the message before deciding if it’s legitimate, as spammers can hack address books and send out mass e-mailings using actual email addresses.

Next move to the content of the email:

Spam is often laced with any of the following: misspellings, oddly-worded sentences, weird capitalization, strange punctuation and gibberish;
No one is going to offer you unclaimed riches. You haven’t won big in a contest. There’s no free electronics or medicine in your future;
If the email isn’t directly addressed to you, but rather “Dear Valued Customer” or “Special Member,” it’s likely spam;
Ignore any message stressing urgency, demanding that you must take action immediately;
Don’t provide passwords or personal or financial information via email. A legitimate business will ask you to log into your account to make any changes.
Think about who they are claiming to be. The IRS, Postal Service, UPS, etc. generally don’t send unsolicited emails, especially if you have never given them your email address.

Lastly, don’t click on any links in or download from any emails from a sender that you don’t recognize. That’s how malware and viruses can find a way into your computer.

Next: How to prevent spam.

STAY SAFE!

For help with a computer problem, visit http://www.hcp4biz.com/support-request/.

Data Privacy

Sensitive consumer and employee data is the lifeblood of many businesses.

That’s why it’s essential that companies properly secure or dispose of such data.

Raising additional compliance concerns would be financial data, personal information from children and material derived from credit reports. Your company also may have legal responsibilities to victims of identity theft.

A great resource on such issues is the Federal Trade Commission’s Bureau of Consumer Protection Business Center (http://business.ftc.gov/).

Among the topics the BCPBC can help with are:

Children’s privacy: Parents have control over what information websites can collect from their children thanks to the Children’s Online Privacy Protection Act. Any business collecting information from someone under the age of 13 must comply with COPPA’s requirements. (http://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule).
Consumer privacy: You need to stand by your company’s privacy policy. Reread it to be sure you are honoring the promises you’ve made. Consumers want to be sure that their personal information is secure, and smart businesses must be transparent about what they are doing with such data. (http://business.ftc.gov/privacy-and-security/consumer-privacy)
Credit reporting: If you use consumer reports or credit reports to evaluate customers or potential employees, you have responsibilities under the Fair Credit Reporting Act and other laws. (http://business.ftc.gov/privacy-and-security/credit-reporting)
Data security: Sensitive personal information about customers and employees requires a sound security plan. Such a system can help you meet your legal obligations to protect such data. (http://business.ftc.gov/privacy-and-security/data-security)
Information sharing: The Gramm-Leach-Bliley Act requires that financial institutions explain to customers their information-sharing practices and sensitive-data safeguards. (http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act)
Identity-theft prevention: Under the Red Flags Rule, companies must put in place a written identity-theft prevention program designed to detect warning signs of identity theft in their operations. (http://business.ftc.gov/privacy-and-security/red-flags-rule)

For more help on keeping data secure submit a request for a free consultaion at http://www.hcp4biz.com/consultation/

Stay safe!

Strong Passwords

Passwords are part of the lock which safeguards your computer and online world.

They control access to your personal and financial information and should be made as effective as possible, to keep intruders out.

Weak passwords are those that are easily guessed by hackers (such as “password123”). A password shouldn’t include your name, common names of people or places, technical jargon, repeating sequences or keyboard sequences.

But passwords need to be easily remembered by its creator. So the dilemma is coming up with a strong password that also can be simply recalled.

A strong password must be at least eight characters long. It must include a character from the following four character sets: lower-case letters, upper-case letters, numbers, and character symbols (+, =, (, ), &, %, !, ?, <, >). It shouldn’t include three or more consecutive characters from your login or full name.

Some other password no-no’s:

If you must write down your passwords, keep them in a secure place, away from your computer;
Don’t use the same password on multiple accounts, because if one account gets breached, they would all be at risk;
Don’t enter passwords when others can see what you’re typing;
Don’t share your password with anyone;
Don’t walk away from a shared computer without logging off;
Don’t leave an application unattended if it is logged in or unless a password-protected screen saver is in place.
Do not store your passwords on your computer in an unencrypted format. Saved password options in many browsers are not encrypted.
Do not store your passwords online in an unencrypted form

There are several programs that can be used to store your passwords in an encrypted form. Two that are highly recommended are LastPass, and Dashlane. The biggest advantage/disadvantage is that you only have to use one password to access all your passwords. These programs rate the passwords you enter, so make sure to make them complex enough not to guess, but easy enough to remember using the guidelines listed above.

Developing multiple strong passwords may take some time and effort, but it beats the alternative of trying to restore your ruined financial record.

Stay safe!

Wireless Network Security

It’s beneficial for society when people share. Still, you shouldn’t be sharing your wireless network with others, especially the unscrupulous who you don’t know.

A wireless network consists of an internet “access point’’ – a cable or DSL modem – connected to a wireless router. This yields a signal sent through the air, as far as several hundred feet, which any computer with a wireless card within range can use to access the internet.

Without taking precautions, your network can be used with anyone nearby with a wireless-ready computer or mobile device. Such a person could “piggyback” on your network, or worse access vital personal and financial information on your computer. If your network is used to commit crime or send spam, that activity incorrectly could be traced back to you.

The most effective method to secure your network is encryption, which scrambles the information you send over the internet into a code so that others can’t access it.

All your system equipment must use the same encryption. The choices are Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP). WPA2 is the strongest, and you should use it if you have the choice, as it should protect against most hackers.

WEP encryption is sometimes found on older routers, and doesn’t protect against some common hacking programs. Consider upgrading to a new router with WPA2 capability.

Wireless routers often arrive with encryption turned off, so you must turn it on. Directions which come either with the router or from the manufacturer’s web site should tell you how to do so.

A few simple steps should help to keep your computer and router secure:

Use anti-spyware and anti-virus software and a firewall, basic security practices that you would use for any computer connected to the internet.
Change the name of your router. Switch from the service-set identifier (or SSID), the standard default ID assigned by the maker, to something unique that only you would know.
Change the router’s pre-set password. These default passwords are often known by hackers, so change it to something only you would know, at least 8 characters, but the longer the better.
Limit your wireless network to specific computers. Every computer on a network is assigned a unique Media Access Control address, and wireless routers usually have a mechanism to allow only machines with particular MAC addresses to access the network.

Also don’t assume that public wireless networks are secure. On such hotspots, log in or send personal information only to web sites you know are fully encrypted. Always log out when you’re finished using an account. Don’t use the same password on different sites. Pay attention to browser warnings, and keep your browser and security software up to date. Installing browser add-ons and plug-ins can help to encrypt sites as well.

If you need help with your wireless network configuration submit a request at http://www.hcp4biz.com/support-request/ and we’ll schedule a tech to work with you.

Stay safe!

HTTPS or Not

Many of you know about the popular website called LinkedIn. It’s a sort of social network for businesses and people looking to make contact with each other. You can post your detailed resume to the site so potential employers can easily see things about you. It also allows you to network with others, which could be beneficial in landing that job that you want.

Well, just as other sites have fallen victim to cyber-attacks recently, it has been brought to light that LinkedIn had been particularly vulnerable from past years till earlier this year and it had been up to the end-user to make it not vulnerable. By default your login had started with an HTTPS connection and ended with a non-HTTPS connection. What this means is if there was someone on your home network, the local coffee shop you like to frequent, or any other open network, wireless or wired, that you had been using, they could have easily grabbed your login name and password without you even knowing.

While no financial data is on your LinkedIn account, a would-be attacker could gather quite a lot of information on you that would be very helpful in breaking into other accounts you have elsewhere. LinkedIn has stated that all customers in the U.S. and E.U. have been now protected against these types of attacks, called “man in the middle,” starting in February of this year, with HTTPS connections always on by default. What is unclear and why this has been brought to light is that customers from any other area of the world maybe still unprotected with no HTTPS connections by default.

While this is a fairly standard issue in terms of security, it brings up a good point. You should always be checking sites that you log into that store personal information or are otherwise critical always use HTTPS connections, not just when you login. This type of connection encrypts any and all traffic that is sent from your computer browser to the hosting server of the site. You have to make it that much more difficult for attackers to successfully gain access to your information.

To do this on most sites, including LinkedIn (if they don’t use HTTPS already automatically), you simply go to your account and settings looking for the option to enable HTTPS connections. Most sites these days do this automatically but even some that you wouldn’t expect (LinkedIn in this case) still do not and leave this up to you, the end user, to do. However it is still good to make sure this is working for you.

Stay Safe!

XP – The Real Cost

You wouldn’t leave your car or house unlocked for thieves to break into.

So why do so with one of your business’s most important pieces of equipment – your computer network?

That in essence is what you are doing when you continue to run Windows XP two months after Microsoft discontinued its support of that operating system.

(Systems with Microsoft Security Essentials and its aligned Malicious Software Removal Tool will continue to receive anti-malware signature updates through July 14, 2015. But that shouldn’t be confused with the operating system itself being protected.)

What does end of support mean for the 25 percent of businesses still using XP? No new security updates, non-security patches, fee or paid support options or online technical content updates starting April 9, 2014.

The wisest solution is to upgrade to a machine with Windows 7, 8 or 8.1 (Windows Vista will hit the end of its life in 2017, making it not a viable long-term answer).

But that means substantial upfront cost, an option that’s unattractive to many business owners. So they will stick with what they have, cross their fingers and hope for the best.

While running XP until the hardware it is installed on fails may seem like the least-expensive short-term solution, other potential problems need to be factored into the cost.

Security should be uppermost among those concerns. Without critical security updates, your network may become more vulnerable to harmful viruses, spyware and other malicious software which can steal or damage business data. Even before the loss of updates, XP already had a significantly higher infection rate than other operating systems.

Second, businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements.

Finally, software vendors will stop supporting their products running on XP and hardware manufacturers will stop supporting XP on existing and new hardware.

So keeping XP becomes more expensive, not just in terms of maintenance, but also from potential infections and lost productivity.

HCP recommends migrating to a newer machine preloaded with a newer operating system (OS). This is usually more cost effective than trying to upgrade an old machine with a newer OS and avoids the risk of slowing down your machine with a more modern version of Windows.

Stay safe.

Cryptolocker – What is one to do?

Unfortunately, as discussed in the last blog entry, Cryptolocker and the new variants of it are an encryption-based infection. This type of infection requires a preemptive and proactive approach to keeping your data safe. This is because once you have discovered the infection is on a system or systems, it is already too late in most cases. You may or may not have lost any or all of your files to the infection, depending on how quickly it is found.

This infection and its variants spread through spam emails mostly. It will usually present itself as a link for you to click in an email that has been crafted to look legitimate to an end user. The file is usually contained in a zip archive either directly in the email or through a cloud storage account such as Dropbox. It is critical to frequently tell your end users the dangers of spam mail and to never click links to files in emails unless you know for sure that it is safe. A good policy in place would be to disallow any .zip or .exe files to be used at all in company emails, therefore getting rid of one avenue of infection. For some business or end users, this may not work.

Education for these types of infections is key because they rely heavily on successful social engineering. Now even the best-educated users will at times make mistakes and you have to plan for this with these types of encryption infections.

It is only a matter of time before a system or network of systems will get one of these ransomware-type of infections no matter the security in place. Therefore it is absolutely critical to have a backup system in place to retrieve lost data. A variant of the Cryptolocker infection called Cryptowall takes the infection to a new level by deleting what is called the system-restore files in Windows that allow you to take your computer back to an earlier time and date. It also deletes the shadow copies that Windows keeps of files. Again this means you need to have a secure and effective backup system in place for your systems. The most critical thing is you need to know that the backups will work. Regular testing is mandatory to make sure you can get your data back. A good system means nothing if the restore process doesn’t work or work well.

Now one would ask is there more that can be done other than educating users on where this infection comes from and having a good backup system in place. As of right now, the industry is scrambling to come up with good defensive approaches to these types of infections. The regular antivirus scanners have been ineffective so far at stopping the infections or even detecting that it’s on a system. Once it’s on a system, it’s almost too late. Here at HCP Computers, we are drafting up a few proactive and on-demand measures to help keep these types of infections from happening in the first place. Contact us and we will schedule a time to discuss these measures. http://www.hcp4biz.com/contact/

First and foremost; educate, educate, educate and backup, backup, backup.

Stay Safe

Cryptolocker – What is it?

As many of you have probably heard, there is a security exploit out in the open called the Cryptolocker virus or Cryptolocker infection.

What is it? It is unlike normal viruses or malware that you may have had experience with before. The Cryptolocker virus is a piece of malware that holds your computer and its data at ransom. When you get the cryptolocker package installed on your machine, the first thing it does is look over your computer for user-created data files. These include all the typical files one would create with Microsoft Word, Excel, Powerpoint, text documents, documents created with any of the open source office replacement suites, PDFs, and just about any type of picture, video, or music files. Before, viruses would simply render these files useless by corrupting the file or deleting it. Cryptolocker is different in this regard. It quickly and efficiently encrypts these user data files with a public/private encryption key set.

Now the encryption keys that Cryptolocker uses are just about unbreakable. This is because it uses a key anywhere from 2,048 bits to 4,096 bits. A key space this large would take a supercomputer many months if not years to break by trying one guess at a time. The creators of the Cryptolocker infection therefore hold your computer files at ransom with this encryption and demand money in order to get the decryption key and program you need to decrypt these files. This ransom fee has been anywhere from $1,000 to $3,000 depending on what the current rate of bit coins is to U.S. dollars and how many they demand. Paying the ransom is not a recommended choice obviously because it is expensive and you don’t want to be sending the creators your hard-earned money.

Cryptolocker is the original widespread infection that operates as an encryption ransomware. It was only a matter of time but Cryptolocker has started a trend in the virus/infection way of doing things. At this time and day, there has been an additional 10-plus similar but different encryption-based ransom infections found in the wild. Each have varying degrees of similarity to Cryptolocker, however some are even more dangerous and damaging. There’s even a version that has been discovered to run on android phones; currently Gingerbread os and above versions. Unfortunately this looks to be a trend for the future as hackers/malware creators these days look to make the most money for the least amount of effort from their actions.

Check our next blog entry for directions on how to combat Cryptolocker.

Stay Safe

Phishing – Don’t take the bait

Fishing can be an enjoyable outdoor activity. Phishing is a computer tactic that can wipe you out financially. Phishing happens when fraudsters, either by email or text, impersonate a business to trick a consumer into giving out personal and financial information. Even if the organization listed is one you trust, remember that legitimate businesses don’t ask you to send sensitive information through insecure channels, such as emails or texts. Phishing can take several forms. The message, which likely include a call for urgent action, may indicate that there’s an unauthorized transaction on your account, or that information must be verified, or that your account has been overcharged. These may seem like legit reasons, but it’s all a scam to grab your information for fraudulent purposes. The best way to deal with phishing scams is to eliminate any suspicious emails or texts. Also don’t click on any links or call any phone numbers provided, even if they have an appropriate area code. If you’re concerned that the message might be real, call the number on your statement or the back of your credit card. There are several steps you can take to head off a phishing attack:

Only use trusted security software, set to update automatically.
Don’t provide personal or financial information through non-secure channels such as email or texts.
Provide information only through an organization’s Web site if you typed in the web address yourself and you see a URL that begins https (the “s” stands for secure), though even that isn’t foolproof, as some phishers have forged security icons.
Check for unauthorized charges on credit-card and bank account statements. If statements are late by more than a couple of days, call to confirm billing addresses and account balances.
Attachments and downloadable files in emails may contain viruses or other malware, so be cautious before opening or downloading.

Phishing emails can be reported to [email protected], the organization impersonated in the email, or [email protected], which is the Anti-Phishing Working Group, a group of ISPs, security vendors, financial institutions and law enforcement agencies that uses these reports to fight phishing.

Stay safe!

SPAM – Some tips to help avoid it.

Everyone with an email account is unfortunately familiar with “spam,” that electronic cousin of junk mail.

But with a little prevention, you can limit the amount of this unwanted commercial email in your in-box.

Cutting your spam

Here’s some easy ways to limit the spam you receive:

Email filter – See if your email account provides a tool to filter out potential spam or to channel spam in a bulk email folder. Keep such a tool in mind when choosing an ISP or email service.
Limit exposure – Use two addresses, one for personal messages and one for shopping, newsletters, chat-rooms and coupons, or set up a disposable email address that forwards messages to your permanent address. Also don’t display your email address in public, as spammers harvest the web for email addresses.
Utilize privacy policies – Read privacy policies before signing up for a web site, to see if that company sells your email address to others. Also uncheck pre-checked boxes to opt out of mass email updates.
Create a unique email address – Instead of your name with numbers behind it, make it more difficult, perhaps using a nickname or an abbreviated version instead. Don’t make it too difficult, though, as you need to remember it.

Protecting others from spam

Hackers and spammers try to locate computers without up-to-date security software, which they can control remotely by installing hidden software, or malware. Thousands of such computers linked together become a “botnet,” a network used by spammer to send out millions of emails at once. Most spam is sent this way.

Your first defense would be to keep spammers out of your computer. Steps you could use include disconnecting your computer from the internet when not in use and being cautious about opening attachments and downloading free software, which could be hiding malware.

Signs of malware include weird emails which friends receive from you, email messages in your send folder that you didn’t send, and your computer operating more sluggishly. Disconnect from the internet if you feel your computer has been hacked or infected, then follow these steps to remove malware (http://www.onguardonline.gov/articles/0011-malware).

Report spam

Forward unwanted or deceptive messages to the Federal Trade Commission at [email protected], your email provider and the sender’s email provider. If you try to unsubscribe from an email list and your request is not honored, file a complaint with the FTC (http://www.ftc.gov/complaint).

Stay Safe