Why is SSL Becoming a Necessity?

What is an SSL certificate? An SSL certificate, or Secure Sockets Layer certificate, is a way of securing a connection to a website to prevent eavesdroppers from collecting and stealing the personal information you give to a website. Many people know this certification as the https:// at the beginning of a website’s address.

For years, most website visitors and webmasters alike have viewed an SSL certificate as something only ecommerce sites needed. Now, this field is changing as a major movement is in progress to make a more secure internet by requiring that all websites have SSL certificates. With the growing market of free WiFi hotspots almost everywhere you go, you want anything you do and send online to be secure. At any public hotspot, anyone can see other people’s personal information without much work if those users are on unsecured connections to websites. This alone is enough for every website viewer to want to visit their favorite sites over a secure connection and to encourage webmasters to start implementing SSL on their websites.

Current websites are already being penalized if they are not using an SSL certificate. Starting in 2014, Google began taking into account whether or not your website has an SSL certificate when ranking your website in search results. This means that if you are not using SSL on your website and your competition is, they are gaining an edge with online searchers. Google and other organizations are now taking this even further by planning active warnings whenever users come across a non-secure website in their browsers. These warnings could potentially scare off some viewers who just see a warning and decide to leave the website. The Internet Engineering Task Force has even gone as far as approving new standards, called HTTP/2, that will become the new norm over the next few years for website traffic and require that all sites have an SSL certificate in order to be reached by future browser versions.

So, if some of this implementation still hasn’t happened, why should you care? Already, many people look for a secure site when submitting anything on the web, and there is a chance that if you don’t have an SSL certificate you have lost at least one customer. By getting an SSL certificate for your website now you are preparing for the future, as SSL certificates will be required on all websites. SSL certificates are extremely inexpensive and come in many varieties, from basic website encryption all the way up to extended validation certificates that prove to your web viewers that you are a government registered company. If you are ready to hop on board and get an SSL certificate for your website, give us a call and we will help you not only purchase the SSL certificate that is right for you but help you install it, as well.

What Goes Around Comes Back Around

By the time we reach 20 or 30 years old, most of us have seen one trend or another come, go, and come back again. Sometimes these trends are great, and we are glad that they came back; others are like a bad penny you just cannot get rid of. In the world of viruses and malware, the same holds true: old exploits sometimes come back and just will not go away. Lately, I have been reading about an old (in technology terms) exploit that has recently come back with a vengeance using a new method of infection. This old virus turned new go-to exploit is a Trojan called Zeus. Released in 2006, it is used to steal passwords and turn computers into zombies to be used or rented out by hackers to send spam, store pirated content, and attack other systems.

Variants based on Zeus are popping up most notably on Facebook. Facebook is becoming one of the top vehicles for infecting computers using new and old exploits. Fake Facebook profiles are being created with links to servers for downloading these Trojans directly onto your machine. One of the things that makes the Zeus Trojan horse so dangerous is that it will hide dormant on your PC until you visit a bank website. At this point, it steals your logon information then proceeds to drain funds from your accounts.

Zeus is not the only Trojan out there on the world ‘wild’ web, and it is important to protect yourself from these threats. Educate yourself and be observant. Attacks are very tricky and are becoming more sophisticated and efficient at fooling the unaware. Make sure you have an antivirus suite that protects against unknown or zero-day malware. Update your machine: run your updates, and update your browser, Java, and Adobe programs. These are common applications that, if not updated, attackers can use to remotely infect your machine. If you do a lot of online banking with large sums of money, a secure browser that is isolated from other activities on your computer, also known as sandboxed, is recommended. Kaspersky Internet Security offers a Safe Run for websites that works in this sandboxed environment. Use strong passwords and change them regularly. Following these steps will go a long way toward keeping you and your bank account safe from threats new and old like Zeus.

Biometrics – You are the Password

The weakest link in a chain is always the one that breaks; everyone knows this. Several popular TV shows are built on the concept of the weak link, finding it, and eliminating it each week to find the strongest competitor. Hacking a system is, in a lot of ways, the same. Run some tests, poke the system with a stick, push on it, pull on it, and see where it gives – where it breaks. Securing a system is the same basic idea; however, instead of using that weak point to get inside, you eliminate it. Time and again, in system after system, network after network, the human element is the most easily exploited point in a system’s security. I am not talking about users opening infected email or browsing infected web sites. I am talking about passwords. People always look for a way to use the simplest password to connect to a network, or email, or web site. I am as guilty as anyone else, but what if humans were not the weakest link anymore? What if we could forget about remembering a password to access a system?

If I don’t use a password, how do I log in to my computer, you ask? Biometrics… Bio-what? Oh yeah, all that spy stuff that evil fictional governments use to protect their secrets and weapons. That’s all just fake, right? No, it’s real and it has been available in some form or other for years. There are thousands of laptops in use today with fingerprint readers on them. Several mouse manufacturers have sold mice with fingerprint readers on them at one time or another. USB fingerprint readers are available online right now for $20-$30. So, if this is old news that you can log into your computer with your fingerprint, what’s the big deal?

The big deal is facial recognition. At the Consumer Electronics Show earlier this year, several developers were showing off software that would let you log into your computer with your face. Cool, huh? Sit down, look at the camera, and your computer recognizes you and logs you in. Microsoft has integrated this feature into its new Xbox One — just look deeply into its cold digital eye and Xbox recognizes you. It logs you into the system and loads your preferences, and you are ready to enjoy the system. Well this is a far cry from logging into my workstation at the office, isn’t it? Again, the future is here. There are companies today that have software that they will install on your computer — for example, KeyLemon has a free application that will log you into Windows using your face. KeyLemon can also manage your other passwords for sites like Facebook or Twitter. Face it — this is the evolution of computer security. At least that’s what I think. I think this technology will continue to evolve and that with Microsoft using it in their Xbox One to identify system users, we should expect to see this feature become part of the Windows login experience out of the box within the next year or two.

The Latest Facebook Scam

Facebook is a fantastic resource for collaboration, reconnecting with old friends, meeting new people, and discovering products and services from around the web that have a presence on Facebook. With all this newfound “connectedness” come many new ways for unscrupulous individuals to try to take advantage of the less vigilant. The latest of these attacks comes in the form of what is called, in the security world, social engineering. Social engineering is when an attacker tries to convince you of something in order to take advantage of you. An example in the real world would be an investment scam: “Give me money for this great company that doesn’t exist and you can’t lose!”

On Facebook, social engineers are making copies of profile pictures and creating dummy accounts using the same name as the person whose profile picture they have copied. These individuals then turn around and begin sending friend requests to the victim’s friends. Once the victim’s friends accept the request, the attacker begins posting ads and links to all manner of sites, hoping that the trust the victim’s friends have in them will lead them to click the links they post, thereby snaring their real target, the victim’s friends. This kind of attack could not only be detrimental to those who click on the links, but could also ruin the victim’s reputation with friends, clients, and colleagues they have connected with through Facebook.

To protect yourself from these profile hijackers, it is important to understand Facebook’s privacy settings and to know who can see your posts. Facebook has a resource in their help center to help users understand and use privacy settings to protect their profiles and identities on Facebook. The privacy section of the Facebook help center can be found here: https://www.facebook.com/help/privacy. Remember to always check out the profile of someone before you add them as a friend, and if you get a friend request from someone you know you have already accepted, check with them before accepting the request. As a general rule of thumb, you should never add anyone as a friend who you don’t know personally.

Employee Security Awareness

http://www.staysafeonline.org/

http://www.microsoft.com/security/resources/default.aspx#Free-materials

In many cases, the first line of defense against a digital security breach is not your antivirus or firewall, but your employees. Your employees play a vital role in dealing with and preventing potential security breaches. It is my strong belief that every computer user should be taught how to be safe when using a computer on the internet and to know what to look for in order to avoid potential risk. I am going to discuss some basic issues that your employees should know in order to be safe on-line, based on my experiences and tips from the security industry.

Frequently, I find that many small businesses have no way to manage software updates and ensure updates are done on every computer. This lack of update management leaves the task of regularly updating the computer to the user. It is important for users to allow their computer to update when updates are available. A better option is to set Windows and any other software that is capable of automatic updates to update on a schedule without user intervention. If scheduled automatic updates are not possible, it is important for each user to be trained to update software on a regular basis.

I also find that most employees know very little about their computers outside of the applications they use every day. This lack of knowledge and familiarity with other software running on the machine has resulted in users blindly trusting fake antivirus alerts, as well as other Trojan-style attacks such as fake updates and hard drive crash messages. There are a number of viruses out today that pretend to be Microsoft Antivirus updates or claim that your hard drive is crashing and that it can be fixed if you download the tool from Microsoft and pay a small fee. These are all scams, and it is important to be familiar with the antivirus and other software on your machine and how they communicate problems to you.

Research online and recreational browsing at work can lead users to all kinds of information on the web. Try to avoid sites that use pop-ups. Many sites allow advertisers to run ads that pop up in new windows. These ads can be dangerous because they can contain code that is designed to take advantage of security flaws on your computer’s software. Check your browser settings to make sure the pop-up blocker is turned on; and if you do encounter a site that still pops up ads, you should close the ad and leave the site to avoid any more potential risk.

Be aware of other types of scams called “phishing.” Email and websites will try to lure you into giving them information about yourself such as passwords or credit card information to verify who you are or your eligibility for some reward. Reputable companies will never ask you for this kind of information.

It is in a company’s best interest to make sure that their employees know how to safely use their computers and navigate the internet. A little time spent now could save a lot of money and headache later. At the beginning of this article I have included two links to sites that can help you understand how to develop a training program for your employees. I also recommend working with a computer or IT Security professional to help you develop and deliver this information to your employees.

The Modern Trojan War

Much like the ancient world, the internet is filled with wonder and danger. Cities fought and wars raged. One such war was the war between Troy and Sparta. Most of us know the way that story ended, with the fall of Troy. The ultimate weapon…the Trojan Horse, a gift to the Trojans to signal the end of the war. The horse was a wonder, filled with danger.

Lately, the fight to keep computers safe has felt much like the Trojan War, seemingly endless. Another similarity is the use of a type of virus to infect these machines, known as a Trojan. According to SC Magazine, the Zero Access Trojan, also known as Sirefef, is the number one attack used today by hackers around the world. Recent experience would tend to confirm this data, as nearly every virus infection we have dealt with at B.I.T.S. has been this Zero Access Trojan.

The Trojans would have saved themselves a lot of trouble if they had just burned the horse, like many had suggested. As much fun as it sounds sometimes, we are not suggesting that you set your computer on fire and watch it burn. We are suggesting you find the gates the horse could be dragged in through and shut them. Plug-ins for your browser may be vulnerable if they have not been updated and are an opening that is frequently exploited. As we have discussed before, unpatched software is one of the easiest ways for a hacker to infect your computer. Some applications to make sure you update often are Java, Adobe Reader (which installs a plug-in that allows you to read PDF files inside the browser), and Adobe Flash Player. Secunia PSI (http://secunia.com/vulnerability_scanning/personal/) can help make this task easier by scanning your machine for out-of-date applications and updating them for you. This tool isn’t a magic fix, but it does help. This virus is distributed via infected websites and pop-up ads. Be aware of the sites you are visiting: if they have pop-up ads, these ads may be infected, even without the site’s owners knowing it. Following basic security best practices such as using a firewall and having up-to-date antivirus software will reduce the risk of infection.

The Trojans may have had no way of knowing what was in that horse, but we can learn from their misfortune and keep our systems safe on the internet by remembering to always “beware Greeks bearing gifts,” by staying wary of pop-ups, and by staying away from links promising the wonders of the world “if you just click here.” Follow these suggestions and security best practices, and it is likely that this and other modern-day Trojans will never breach your defenses.

iOS Security

Do you check email from your iPhone? Do you review or edit documents on your iPad? What about checking your bank account online from your device? Mobile devices, like traditional computers, are not immune to attacks that can compromise their security. iPhones and iPads are stolen every day, making the data on them available to the thief. iOS can even get viruses. The good news is that there are a few things you can do to help make your device more secure.

At the front line of your defense is a passcode. This is the easiest security measure you can add to the device. You may choose a simple four digit code; however, the better option is to turn off simple passwords and use an alphanumeric password with special characters that is at least 8 characters long. On the passcode lock screen, you should also turn on the erase data feature. After ten failed attempts to unlock the phone all data will be erased. Setting the auto lock to the shortest time of one minute will increase the likelihood that your device will be locked if someone picks it up or it is found in the back of a cab.

Setting up and installing the iCloud service on the device has a number of benefits, as well. The iCloud service can act like a digital LoJack. If your device is lost, you can log into the iCloud Site and see where your device is on a map within one hundred yards. You can then have it make a noise until it is found and display a message on the screen. If all hope of recovering the device is lost, you can use the iCloud service to send a command to the device to wipe it, removing all of your data and apps so the thief has no hope of accessing it.

IT can further manage devices that connect to the company network using mobile device management software to enforce company passcode policies, manage email accounts, and remotely wipe a device.

Securing your mobile device is important and could save you or your company from a catastrophic loss of data. Taking these few simple steps can help protect you, your company, your data, and your device from loss, theft, and theft of data.

Protecting Your Computer Systems From Threats

Chances are that the last thought on your mind as you make your way to the office is the question, “Are my computer systems secure?” Small and medium-sized business owners and their staff generally have far more pressing and immediate concerns demanding their attention. However, if your computer system is not secure, this issue can quickly turn into the most pressing matter. Gone are the days when simply updating your antivirus was considered “good enough.” Computer hackers are more sophisticated, and perhaps most alarming is their increasing focus on smaller businesses. In July, Symantec reported that the number of attacks targeted at small and medium-sized organizations had doubled over the previous six months to equal roughly one-third of all targeted attacks daily (http://bit.ly/MW0pNf).

So what can you do to ensure that your computers are not as vulnerable to those attacks? The answer is . . . nothing. There is absolutely nothing you can do to guarantee your systems will not be attacked, but you can reduce the risk greatly by actively making sure your systems are secured, using the right tools and the best practices.

Here are a few basic steps to help keep your computers safe:

  • Make sure that all of your software is up-to-date, not just Windows updates. Get in the habit of pressing the update button often to make sure that you have the latest updates installed. In addition, check often for updates.
  • Make certain that you have antivirus and that it is up-to-date, as well.
  • Use a firewall on your computer. Most antivirus packages have one, but if your system does not, make sure that the Windows firewall is turned on.
  • Use strong passwords to log on to your computers.
  • Make sure your network has a correctly configured firewall and that the server is secured.

The last and most important measure when securing your computers and servers is to review all the measures taken on a regular basis to make sure that they have been implemented and continue to be the best prescribed methods for securing your systems.

Remember: Any program on your machine can have a security flaw just waiting to be exploited.

While the task of ensuring that your computer systems are safe may seem a bit daunting, the good news is that it doesn’t have to be overwhelming. Having someone on staff with the skills and knowledge to manage IT security or working with a consultant or vendor to help you become more aware of the importance of actively engaging in computer security measures will in turn provide a level of confidence for all businesses and their employees.