EBay Passwords Compromised:

ebay break

A frequently heard topic on this blog is about passwords.  They are the entry point into protected systems, services, and devices that everyone uses.  Well, unfortunately this week, the online auction giant eBay has fallen victim to cyber-attacks that have compromised many of the user account passwords stored on the site.  Hackers were able to compromise a limited set of non-user but system account passwords to gain access to the eBay systems and internal network.  eBay has stated that no un-authorized activity has been detected for any users nor did any financial information get stolen as of yet.  eBay states that this information is kept completely separate from your initial login information and is stored encrypted.  The breach also appears to have been closed but it is not known how long the attackers were in eBay’s systems.  Today eBay is advising all users to change their passwords, regardless of how recently they have done so.  It would be a good time to change your PayPal account password if you have one, as the company is a subsidiary of eBay and in your account you can link your PayPal account to your eBay account.  Pick a strong password as always consisting of length and complexity using letters upper and lower case, numbers, and special characters.  Also again make it memorable for you.  The following site securely creates passwords called passphrases that would work for a good eBay password – https://xuntroubled.merchantquest.net/pwgen/ppgen.cgi

 While eBay doesn’t directly support two-factor authentication, you can enable this on PayPal to make sure your actual payments sent or received for eBay are that much more protected. 

Stay safe

Scam – Tech Support Call

If tech support is calling you rather than the other way around, beware!

Phone Scam

 

Scam artists have a new tool that they will use to break into your computer – a phone. Someone will call; claiming to be a computer technician associated with well-known tech companies such as Microsoft, and will prey on your concerns about viruses or malware on your computer to fool you into giving him or her remote access or paying for unnecessary software.

Such a “tech” will dazzle you with a barrage of technical terms, and may even ask you to perform a series of tasks on your computer. After the “problem” has been “located,” this scammer may: 

  • ask you to give remote access to your computer and then make changes to your settings that could leave your computer vulnerable;
  • try to enroll you in a worthless computer maintenance or warranty program;
  • ask for credit card information so you will be billed for phony services — or services you could get elsewhere for free;
  • trick you into installing malware that could steal sensitive data, such as user names and passwords;
  • direct you to websites and ask you to enter your credit card number and other personal information.
  •  

The upshot: the scammer is trying to make money, not fix your computer.

MS Phone Scam

Your best defense: hang up!

Other tips:

  • Don’t give control of your computer to an unsolicited third party.
  • Do not rely on caller ID alone to authenticate a caller, as criminals spoof caller ID numbers.
  • Online search results, which can be manipulated, isn’t the best way to find technical support or get a company’s contact information. Instead, if you want tech support, give HCP a call at 207-848-9888 or visit our website http://www.hcp4biz.com and submit a support request. To locate company information, look for a company’s contact information on their software package or on your receipt.
  • Never provide your credit card, financial information or passwords to someone who calls claiming to be from tech support.
  • Put your phone number on the National Do Not Call Registry (https://www.donotcall.gov).

 

If you think you might have downloaded malware from a scam site or allowed a cybercriminal to access your computer, don’t panic. Instead:

  • Update or download legitimate security software and scan your computer, and delete anything it identifies as a problem. 
  • Change any passwords that you gave out, especially if you use these passwords for other accounts.
  • Give HCP a call at 207-848-9888 or visit our website http://www.hcp4biz.com and submit a support request.
  • If you paid for bogus services with a credit card or see other charges on your statement that you didn’t make, call your credit card provider and ask to reverse the charges.
  • If you think someone may have accessed your personal or financial information, visit the FTC’s identity theft website (http://www.consumer.ftc.gov/features/feature-0014-identity-theft). You can minimize your risk of further damage and repair any problems already in place.

Stay Safe

 

Find us on thumbtack

promo_4

Look for HCP on Thumbtack

HCP is now on thumbtack follow the link above and give us a look.

By connecting local professionals directly with new clients,
thumbtack enable these talented pros to work independently so they can grow their businesses.
Thumbtack is empowering more than 250,000 pros across all 50 states to achieve their personal and professional goals. 

 A great service.

 Mark

Social Engineering – What is it?

Social Engineering

Social Engineering – What is it?

Everyone probably has heard the term social engineering in the news a lot lately with the various cyber attacks, viruses, and scams going on. 

What is social engineering, one may ask?  While your first assumption would probably be that it has something to do with a social network such as Facebook or Twitter, this is not the case.  Social engineering is the deliberate and crafty attempts by hackers to gain access to your data by either tricking you or those that protect your data into handing it over. 

Social engineering is one of the biggest attack vectors these days, with security ever increasing.  It is the most often overlooked part of security and one of the easiest ways a hacker can gain access to your data with limited effort. 

How does it work?  A hacker tries to pose as a corporation, user, technician or someone else with a company or service to which you trust your data.  Usually attempts come in the form of an email or commonly a phone call.  What the hacker is looking to get is your access to the data, in the form of your passwords or the way you can reset these passwords, such as your private email address.  Often times these cyber-criminals will actually even try to pose as you, when calling a bank for instance. 

One of the recent cyber-frauds which are happening is domain name registration theft.  What happens here is a cyber-criminal scours the Internet usually by social networking to find out personal details on an individual that owns or controls a domain name.  This information is then very handy for the cyber-criminal to use in calling the domain-name registrar in order to have an account password reset or to have an account email change processed.  At this point it’s really up to the customer support agent to be the last line of defense. 

In most cases hackers have been able to have an account reset processed by only knowing an email address or last four digits of a credit card number on file because they were able to gain the trust of the customer-support agent.  Once the hacker has been able to have a password reset processed and gains access to your account, it’s then an uphill battle, depending on the company, to get your access back.  If you own a business and rely on your unique domain name, this could be a disaster.

The simple way to stop this is to mark on your account by calling and verifying who you are, that under no circumstances are phone call account resets allowed.  Most companies and services will allow an individual to request this.  In most cases this puts an end to it and hackers will not be able to social engineer your account any longer.

Stay Safe

Apple has a hole

Apple HoleApple is now scrambling to create a patch for a security flaw in iOS7, discovered by researcher Andreas Kurtz, which leaves email attachments unencrypted on iPhones and iPads, so that those can be accessed by attackers using “well-known techniques,” Kurtz wrote.

This isn’t considered a major problem, as it seems that an attacker can’t use the bug to read your email attachments remotely, but Apple is working on a fix now.

To keep your iDevices secure, enable data protection and use a passcode, the longer the better, to lock the device.

The iPhone 5 offers the option of fingerprint authentication instead of a passcode. But the fingerprint scanner can be hacked, as researchers have proven that it’s possible to create a fake fingerprint from a photo of the victim’s print.

A more effective kind of data protection would be two-factor (or two-step) authentication. In addition to a passcode, the institution responsible for the site being accessed will email or text a second, six-digit code which must be entered as well to allow access.

For more information about Apple security updates, visit http://support.apple.com/kb/ht4175

 Stay Safe

Passwords Passwords Passwords

PasswordPasswords

By Greg Gagne

In today’s digital world, passwords are often the most neglected first line of defense against data and security breaches.  They can be a hassle, to be secure you shouldn’t repeat passwords, or even ways of generating passwords between sites and services to maintain absolute security for yourself.  The most secure passwords are long, with randomized letters, numbers, and special characters.  In addition, frequent changes of passwords are needed to keep your data secure.  Depending on how many sites, services, or software you have to use daily, a list of passwords to remember correctly and change on a frequent basis could grow to be unbearable and even impossible. 

There are numerous online services and offline software that generate very secure passwords and will remember and/or auto-fill these passwords for you.  These services/software usually range from being free but ad-supported to more than $50, depending on the features you may want.  The problem is that consumers are putting all their eggs in the same basket.  As happened recently with the Heartbleed vulnerability outbreak, the behind-the-scenes security that should keep this bundle of passwords securely stored was broken.  Who’s to say that someone out there doesn’t have access to all your passwords that you put into one of these convenient services?  This entirely negates the convenience of this software when you have to regenerate your passwords again and trust that in fact they are secure from anyone but you. 

For me, I use the following method to generate passwords that are secure enough.  I say secure enough because most sites, ironically enough most banking sites for example, do not let you use truly secure passwords.  For instance my bank only allows an eight-character password using only capital and non-capital letters and numbers.  I can’t use any special or extended characters such as an asterisk or spaces which would make the password all that more secure.  Their password policy is the bare minimum truly to be somewhat secure

So I do the following for creating a password.  I come up with an easy-to-remember sentence that is meaningful to me, for instance “I am graduating in 2014.”  To make this into a password, I take the first letter of each word and combine them.  This would be Iagi2014.  I then randomly add a special character if it is allowed.  I make sure to make a sentence with frequent upper-case and lower-case letter usage and it has to have some numerical value in it. 

I also try to make a nonsensical sentence that would be very grammatically incorrect, as this helps to spoil the efforts made by hackers using dictionary libraries.  What makes a password secure is if you combine length, inability for words to be found in a dictionary, and complexity which comes with upper case, lower case, numerals, and special characters.  In order to remember all these passwords, I write them down and carry them on a sheet of paper in my wallet.  Before anyone says this is totally insecure, I encrypt these by changing around the ordering depending on the site/service and add an indication of what site or service it pertains to.  For example I used the phrase “The Moon is blue tonight!”  The password would be TMibt2014* and I’m using it on amazon.com I write down on the paper *4102tbiMTamz (the amz letting me know its Amazon).  This isn’t totally foolproof but it would keep the casual person confused as I don’t directly write down Amazon.com User name: xxxxx Password: xxxx on this sheet of paper.  Figure out an “encryption” that works for you. 

Unfortunately passwords are only as secure as you make them and how long they’ve been used.  For me, as much as a hassle as it is, I tend to change passwords on a frequent basis depending on how critical the service, site, or system is.  For anything financial, I change on at least a monthly basis if not more often. For that kind of data, frequent changes are really the only true-and-tried security in addition to the password being complex and long.  This adds another barrier to entry on your accounts.  Again do not share like or exact passwords between sites; this is the biggest reason accounts, services and systems get hacked, directly after easy- to-guess passwords.

Also, when it comes time to set up your methods of recovering a password, such as putting in your mother’s maiden name or high school friend, do not actually use an answer that is true.  For instance, my high school friend’s name was Dustin Johns.  Nowadays finding out this piece of information through scalping of social networking or any various forms of social engineering is too easy.  I’d change this to something I could remember but makes no sense, such as Marvin the Martian or something along those lines.  This is an often-neglected area of password security – how easy you make it to recover a password.  Another good thing to do is to make a note if possible, on any account that allows it, to not allow password resets of any kind through a telephone call. This is a far-too-easy venue for hackers to capitalize on using social engineering to gain access to your accounts. 

Make access to your accounts about as difficult as possible on all avenues, including passwords, password resets, and frequent password changes to spoil any attempts by attackers.  Unless you’re being specifically targeted for a reason, if you make it difficult enough, an attacker will give up after a certain amount of time.  They are looking for the most gains with the least amount of work.  

Stay Safe

Internet Explorer Vulnerability: How safe are you?

IE IconA recently disclosed Zero day vulnerability (“Zero day” indicates a vulnerability that was already being exploited when it was discovered) has put those using Internet Explorer at risk.  This vulnerability affects those using IE versions 6 through 11, although only attacks against IE 9 through 11 have been documented. Microsoft has described such attacks as “limited and targeted.”

According to Microsoft, this Internet Explorer Vulnerability would allow a cyber-criminal to remotely take control of your computer. A security advisory from the computer giant said, “An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

HCP Computers supports the recommendation of the U.S. Department of Homeland Security’s Computer Emergency Readiness Team to switch to a different browser, such as Google Chrome  or Mozilla Firefox, at least until such time as Microsoft issues a fix. Downloads can be found at http://www.google.com/chrome/ and http://www.mozilla.org/en-US/firefox/new/ respectively.

Such a cyber attack would be initiated through Adobe’s Flash Player. As a result, Adobe has issued patches covering IE and also Google’s Chrome browser for Windows, Macintosh and Linux.  (http://helpx.adobe.com/security/products/flash-player/apsb14-13.html) However, for Internet Explorer, the Adobe patch only applies to IE10 and IE11 on computers running Windows 8, Windows Server 2012 and Windows RT, and Windows 8.1 Windows Server 2012 R2 and Windows RT 8.1 respectively.  That leaves vulnerable any users running IE10 on Windows 7 and higher, and IE9 running on Windows Vista and higher – although they could upgrade their browsers.  An additional problem affects the 20 percent of PC users still running Windows XP, for which Microsoft ended support on April 8. This means that no fix will be forthcoming for those using that operating system. The solution that Microsoft recommends is to migrate to a modern operating system, such as Windows 7 or Windows 8.1. 

Stay Safe

Heartbleed: What it means? What you should do?

 

safe_imageAs you probably all know there is a major flaw out in the wild called Heartbleed.  It’s been all over the news.  So what is heartbleed one might ask?  It’s a flaw in the security framework called open ssl.  The name comes from a technical term related to the programming framework.  The flaw has been discovered to have been open since 2012 when the newest version of the Open SSL technology was released.  Normally this wouldn’t be such a big issue, but this underlying technology is used everywhere in today’s world to keep communications related to the web secure.  The flaw allows an attacker to get into a server and retrieve critical information that would allow them to easily get to your passwords and eventually personal data on the server.  It would also allow an attacker to monitor communications and grab anything newer on a server that hasn’t been patched for the flaw.  The biggest problem is normally an attacker leaves some type of trace on a server that something has happened no matter how insignificant, but with this flaw in how it works there is no trace left whatsoever.  You therefore have to assume things are compromised.  Now what is one to do about this flaw.  Unfortunately you are at the hands of the site, provider, company, or whoever holds your information to update their server to fix this flaw.  The biggest recommendation is to change all your passwords especially if you use common passwords between sites or even common ways of generating passwords for sites.  We recommend not doing this though until the site(s) are patched because if they aren’t patched yet you’ll just have to do this again after they are.  Also if any of your sites contain financial information it is strongly recommend to keep an eye on your accounts for fraudulent activity and/or at the very least run a credit report every so often.  While it isn’t the end of the world, as most companies at this point are working towards or have patched this flaw, it is something to take seriously.  In order to find out if a site or service has been patched enter the name of the site into this website. https://filippo.io/Heartbleed/ It checks the underlying technology to see if this flaw applies or if it does if it has been patched.

Stay Safe.

Kickstarter.com gets hacked

In the news recently many of you have learned that the very popular crowd funding site kickstarter.com has been hacked into. According to reports no credit information was stolen. What was stolen was email addresses, phone numbers, physical addresses, and other account details that consumers have listed in their kickstarter.com accounts. Are you at risk? While no financial information was stolen the information that was stolen could certainly be a gateway to more. Kickerstarter recommends changing your password upon logging in. HCP recommends you do the same and if you happen to be using common passwords any other sites that share the password you used on kickstarter.com.

Read more

Social Engineering of Twitter.com @N Hacked

Recently on the popular social networking site Twitter.com the owner of the username @N fell victim of a successful social engineering hacking of his account. Long of the short the owner gave up ownership of his widely popular @N user name. For many of you this means nothing but it brings up a good point. Part of the success on part of the hacker was that one service that the owner of @N used was the weak point in what he believed to be good enough security.

Read more