Online Shopping Safety Tips

Using Public Wi-Fi

“If you are shopping on your phone or computer and using an unknown WiFi connection, save the purchases for later. Don’t enter any personal information such as name, address, or credit card number until you are on a secure and known connection.” – Loki Labs, www.lokilabs.io

Visiting a New Website

“Check the seller’s customer satisfaction ratings. Review other users’ comments and check out the seller’s rating on sites like Google Shopping. Low “star” ratings may provide a red flag that cautions you to find a more reputable seller.” – Diverse Concepts, www.dciits.com

“Check the Better Business Bureau website to see if there are a large number of complaints about the seller. https://www.bbb.org/greater-maryland/” – Diverse Concepts, www.dciits.com

“Go directly to the seller’s site rather than clicking a “coupon” link that was sent to you by an unknown source. Scammers can often use a tactic called cross-site scripting to craft a hyperlink that appears to be the actual merchant site but actually relays your credit card information to the scammer when you put your payment information into the payment web form. Unless you can verify that a coupon came from the actual vendor’s site to which you have already subscribed, it’s best to avoid random coupons with unknown origins.” – Diverse Concepts, www.dciits.com

“Find out the seller’s physical address. If the merchant only has a P.O. box listed, then that may be a red flag. If his address is 1234 in a van down by the river, you may consider shopping elsewhere.” – Diverse Concepts, www.dciits.com

“Check the seller’s privacy policy. While we might not think about it, some sellers resell our personal information, buying preferences, and other data to market research companies, telemarketers, and spammers. Read carefully and always make sure that you are opting-out and not opting-in when asked whether you want to have your information shared with “3rd parties” (unless you like a lot of spam in your e-mail). You may also want to obtain a separate e-mail account to use while shopping online to avoid clogging up your personal e-mail box with the barrage of sale ads and other junk mail that is frequently sent out.” – Diverse Concepts, www.dciits.com

“If you’re buying something on a new website and they want you to sign up for an account, use a new password. Never use the same passwords for shopping sites as you do for anything else, such as email, bank logins, etc. (It’s a good idea to use a different password for every site you go to but this is especially important.) Even if the company you’re purchasing from is legitimate, you don’t know who might have access to their database now or in the future.” – Loki Labs, www.lokilabs.io

FBI Warns of Dramatic Increase in Business E-Mail Scams


FBI officials are warning potential victims of a dramatic rise in the business e-mail compromise scam or “B.E.C.,” a scheme that targets businesses and has resulted in massive financial losses in Phoenix and other cities.

The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.

There are various versions of the scams. Victims range from large corporations to tech companies to small businesses to non-profit organizations. Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.

  • Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries.
  • From October 2013 through February 2016, law enforcement received reports from 17,642 victims.
  • This amounted to more than $2.3 billion in losses.
  • Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
  • In Arizona the average loss per scam is between $25,000 and $75,000.

If your company has been victimized by a BEC scam:

  • Contact your financial institution immediately
  • Request that they contact the financial institution where the fraudulent transfer was sent
  • File a complaint—regardless of dollar loss—with the IC3.

Tips for Businesses:

  • Be wary of e-mail-only wire transfer requests and requests involving urgency
  • Pick up the phone and verify legitimate business partners.
  • Be cautious of mimicked e-mail addresses
  • Practice multi-level authentication.

Recognizing and Avoiding Spyware

What is spyware?

Despite its name, the term “spyware” doesn’t refer to something used by undercover operatives, but rather by the advertising industry. In fact, spyware is also known as “adware.” It refers to a category of software that, when installed on your computer, may send you pop-up ads, redirect your browser to certain web sites, or monitor the web sites that you visit. Some extreme, invasive versions of spyware may track exactly what keys you type. Attackers may also use spyware for malicious purposes.

Because of the extra processing, spyware may cause your computer to become slow or sluggish. There are also privacy implications:

  • What information is being gathered?
  • Who is receiving it?
  • How is it being used?

How do you know if there is spyware on your computer?

The following symptoms may indicate that spyware is installed on your computer:

  • you are subjected to endless pop-up windows
  • you are redirected to web sites other than the one you typed into your browser
  • new, unexpected toolbars appear in your web browser
  • new, unexpected icons appear in the task tray at the bottom of your screen
  • your browser’s home page suddenly changed
  • the search engine your browser opens when you click “search” has been changed
  • certain keys fail to work in your browser (e.g., the tab key doesn’t work when you are moving to the next field within a form)
  • random Windows error messages begin to appear
  • your computer suddenly seems very slow when opening programs or processing tasks (saving files, etc.)

How can you prevent spyware from installing on your computer?

To avoid unintentionally installing it yourself, follow these good security practices:

  • Don’t click on links within pop-up windows – Because pop-up windows are often a product of spyware, clicking on the window may install spyware software on your computer. To close the pop-up window, click on the “X” icon in the titlebar instead of a “close” link within the window.
  • Choose “no” when asked unexpected questions – Be wary of unexpected dialog boxes asking whether you want to run a particular program or perform another type of task. Always select “no” or “cancel,” or close the dialog box by clicking the “X” icon in the titlebar.
  • Be wary of free downloadable software – There are many sites that offer customized toolbars or other features that appeal to users. Don’t download programs from sites you don’t trust, and realize that you may be exposing your computer to spyware by downloading some of these programs.
  • Don’t follow email links claiming to offer anti-spyware software – Like email viruses, the links may serve the opposite purpose and actually install the spyware they claim to be eliminating.

As an additional good security practice, especially if you are concerned that you might have spyware on your machine and want to minimize the impact, consider taking the following action:

  • Adjust your browser preferences to limit pop-up windows and cookies – Pop-up windows are often generated by some kind of scripting or active content. Adjusting the settings within your browser to reduce or prevent scripting or active content may reduce the number of pop-up windows that appear. Some browsers offer a specific option to block or limit pop-up windows. Certain types of cookies are sometimes considered spyware because they reveal what web pages you have visited.

How do you remove spyware?

  • Run a full scan on your computer with your anti-virus software – Some anti-virus software will find and remove spyware, but it may not find the spyware when it is monitoring your computer in real time. Set your anti-virus software to prompt you to run a full scan periodically.
  • Run a legitimate product specifically designed to remove spyware – Many vendors offer products that will scan your computer for spyware and remove any spyware software. Popular products include Lavasoft’s Ad-Aware, Microsoft’s Windows Defender, Webroot’s SpySweeper, and Spybot Search and Destroy.
  • Make sure that your anti-virus and anti-spyware software are compatible – Take a phased approach to installing the software to ensure that you don’t unintentionally introduce problems.

Torrent poisoning allows big companies to track your IP

Torrenting is mostly associated with software or content pirating. Big companies are aware of the threat this process has to their profitability, so sometimes they employ unusual methods to fight back against torrenting.

One of these is torrent poisoning. Basically, they infect a torrent with software that then tells the company the IP of the user who downloaded the file. After this, the company might send you a cease and desist letter, or in the (very) worst case scenario, demand reparations for any damage inflicted.

“Locky” ransomware – what you need to know

The rise of ransomware is one of the biggest cybersecurity trends of the past few years, and out of all the variations out there, Locky is the most widespread one.

Files it encrypts cannot be decrypted without the key, so once you get hit you either abandon the files or pay the ransom to get them back.

“Locky” feels like quite a cheery-sounding name.

But it’s also the nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky.

Of course, it doesn’t just rename your files, it scrambles them first, and – as you probably know about ransomware – only the crooks have the decryption key.

The most common way that Locky arrives is as follows:

  • You receive an email containing an attached document (Troj/DocDl-BCF).
  • The document looks like gobbledegook.
  • The document advises you to enable macros “if the data encoding is incorrect.”
  • If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it.
  • The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks.
  • The final payload could be anything, but in this case is usually the Locky Ransomware (Troj/Ransom-CGW).

Locky scrambles all files that match a long list of extensions, including videos, images, source code, and Office files.

Locky even scrambles wallet.dat, your Bitcoin wallet file, if you have one.

WHAT TO DO?

  • Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
  • Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
  • Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!
  • Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.

What is digital signature? – Definition from WhatIs.com

A digital signature (not to be confused with a digital certificate) is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document.

A digital signature is a cryptographic technique used to ensure that a certain file, message or document is genuine and safe to open. A good digital signature is difficult for a malicious hacker to duplicate, so it is a valuable addition to your online security.

The digital equivalent of a handwritten signature or stamped seal, but offering far more inherent security, a digital signature is intended to solve the problem of tampering and impersonation in digital communications. Digital signatures can provide the added assurances of evidence to origin, identity and status of an electronic document, transaction or message, as well as acknowledging informed consent by the signer.

In many countries, including the United States, digital signatures have the same legal significance as the more traditional forms of signed documents. The United States Government Printing Office publishes electronic versions of the budget, public and private laws, and congressional bills with digital signatures.

How digital signatures work

Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm such as RSA, one can generate two keys that are mathematically linked: one private and one public. To create a digital signature, signing software (such as an email program) creates a one-way hash of the electronic data to be signed. The private key is then used to encrypt the hash. The encrypted hash — along with other information, such as the hashing algorithm — is the digital signature. The reason for encrypting the hash instead of the entire message or document is that a hash function can convert an arbitrary input into a fixed length value, which is usually much shorter. This saves time since hashing is much faster than signing.

The value of the hash is unique to the hashed data. Any change in the data, even changing or deleting a single character, results in a different value. This attribute enables others to validate the integrity of the data by using the signer’s public key to decrypt the hash. If the decrypted hash matches a second computed hash of the same data, it proves that the data hasn’t changed since it was signed. If the two hashes don’t match, the data has either been tampered with in some way (integrity) or the signature was created with a private key that doesn’t correspond to the public key presented by the signer (authentication).

A digital signature can be used with any kind of message — whether it is encrypted or not — simply so the receiver can be sure of the sender’s identity and that the message arrived intact. Digital signatures make it difficult for the signer to deny having signed something (non-repudiation) — assuming their private key has not been compromised — as the digital signature is unique to both the document and the signer, and it binds them together. A digital certificate, an electronic document that contains the digital signature of the certificate-issuing authority, binds together a public key with an identity and can be used to verify a public key belongs to a particular person or entity.
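The hash-then-sign flow described above, as an added example that is not part of the original article. It uses Go's standard `crypto/rsa` package with RSA-PSS padding and SHA-256 (choices made for this example; the article names no padding scheme), and the message text is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sign hashes msg with SHA-256, then signs the digest with the private key.
// RSA-PSS padding is this example's choice; the page does not name a scheme.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// verify recomputes the hash of msg and checks sig against it with the public key.
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Outcome holds the verification result for each case described in the text.
type Outcome struct {
	Intact, Tampered, WrongKey bool
	DigestLen, SigLen          int
}

// demo signs a constructed message and verifies it three ways.
func demo() (Outcome, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // unrelated key pair
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte("Wire 2,500.00 USD to account 12345678") // constructed sample
	sig, err := sign(signer, msg)
	if err != nil {
		return Outcome{}, err
	}
	// Change a single character after signing.
	altered := bytes.Replace(msg, []byte("2,500"), []byte("9,500"), 1)
	return Outcome{
		Intact:    verify(&signer.PublicKey, msg, sig),     // data unchanged, right key
		Tampered:  verify(&signer.PublicKey, altered, sig), // integrity failure
		WrongKey:  verify(&other.PublicKey, msg, sig),      // authentication failure
		DigestLen: sha256.Size,                             // fixed-length hash in bytes
		SigLen:    len(sig),                                // equals the RSA modulus size
	}, nil
}

func main() {
	out, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Only the unaltered message checked against the signer's public key verifies; the altered message and the unrelated public key are both rejected.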

Top Ten: The Most Important Cyber Security Tips for all Users

  1. Realize that you are an attractive target to hackers. Don’t ever say “It won’t happen to me.”

  2. Practice good password management. Use a strong mix of characters, and don’t use the same password for multiple sites. Don’t share your password with others, don’t write it down, and definitely don’t write it on a post-it note attached to your monitor.

  3. Never leave your devices unattended. If you need to leave your computer, phone, or tablet for any length of time—no matter how short—lock it up so no one can use it while you’re gone. If you keep sensitive information on a flash drive or external hard drive, make sure to lock it up as well.

  4. Always be careful when clicking on attachments or links in email. If it’s unexpected or suspicious for any reason, don’t click on it. Double check the URL of the website the link takes you to: bad actors will often take advantage of spelling mistakes to direct you to a harmful domain.

  5. Sensitive browsing, such as banking or shopping, should only be done on a device that belongs to you, on a network that you trust. Whether it’s a friend’s phone, a public computer, or a cafe’s free WiFi—your data could be copied or stolen.

  6. Back up your data regularly, and make sure your anti-virus software is always up to date.

  7. Be conscientious of what you plug in to your computer. Malware can be spread through infected flash drives, external hard drives, and even smartphones.

  8. Watch what you’re sharing on social networks. Criminals can befriend you and easily gain access to a shocking amount of information—where you go to school, where you work, when you’re on vacation—that could help them gain access to more valuable data.

  9. Offline, be wary of social engineering, where someone attempts to gain information from you through manipulation. If someone calls or emails you asking for sensitive information, it’s okay to say no. You can always call the company directly to verify credentials before giving out any information.

  10. Be sure to monitor your accounts for any suspicious activity. If you see something unfamiliar, it could be a sign that you’ve been compromised.

Avoiding Social Engineering and Phishing Attacks

Author US-CERT Publications

Do not give sensitive information to others unless you are sure that they are indeed who they claim to be and that they should have access to the information.

What is a social engineering attack?

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as

  • natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
  • epidemics and health scares (e.g., H1N1)
  • economic concerns (e.g., IRS scams)
  • major political elections
  • holidays

How do you avoid being a victim?

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Don’t send sensitive information over the Internet before checking a website’s security.
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
  • Take advantage of any anti-phishing features offered by your email client and web browser.
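
One way to automate the URL check in the list above, which also covers the "mimicked e-mail addresses" tip in the FBI section, is to compare each sender or link domain against a list of domains you already trust. This is an added example, not part of the original advisories; the allowlist, the sample inputs and the edit-distance threshold of 2 are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed allowlist for the example: replace with the domains you really deal with.
var trusted = []string{"example-bank.com", "acme-supplies.com"}

// levenshtein counts the single-character edits needed to turn a into b.
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			best := prev[j-1] // substitution, free when the bytes match
			if a[i-1] != b[j-1] {
				best++
			}
			for _, alt := range []int{prev[j] + 1, cur[j-1] + 1} { // deletion, insertion
				if alt < best {
					best = alt
				}
			}
			cur[j] = best
		}
		prev = cur
	}
	return prev[len(b)]
}

// hostOf extracts the lower-cased host from a URL or an e-mail address.
func hostOf(s string) string {
	s = strings.ToLower(strings.TrimSpace(s))
	if u, err := url.Parse(s); err == nil && u.Hostname() != "" {
		return u.Hostname()
	}
	return s[strings.LastIndex(s, "@")+1:]
}

// check returns "trusted", "lookalike" or "unknown", plus the trusted domain involved.
func check(input string) (string, string) {
	host := hostOf(input)
	for _, t := range trusted {
		if host == t || strings.HasSuffix(host, "."+t) {
			return "trusted", t
		}
	}
	reg := host // naive registrable domain: last two labels, ignores suffixes such as co.uk
	if p := strings.Split(host, "."); len(p) > 2 {
		reg = strings.Join(p[len(p)-2:], ".")
	}
	for _, t := range trusted {
		name := t[:strings.LastIndex(t, ".")] // trusted domain without its top-level domain
		if strings.Contains(host, t+".") || // trusted name buried in a longer host
			strings.HasPrefix(reg, name+".") || // same name, different top-level domain
			levenshtein(reg, t) <= 2 { // small spelling variation
			return "lookalike", t
		}
	}
	return "unknown", ""
}

func main() {
	verdict, match := check("ceo@examp1e-bank.com")
	fmt.Println(verdict, match)
}
```

A "lookalike" verdict is a prompt to verify through a known phone number or bookmark, not proof of fraud; very short trusted names produce more false matches at this threshold.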

What do you do if you think you are a victim?

  • If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
  • Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
  • Watch for other signs of identity theft.
  • Consider reporting the attack to the police, and file a report with the Federal Trade Commission.

How you can contribute to stopping DDoS Attacks (Malware)

Protecting your devices against malware that will turn them into bots used for malicious purposes is not only important for you, but for the entire Internet.

Unless you want your laptop or fridge to power the next attack on Internet routers in Germany or another part of the world, here’s what you have to do:

  • Change default usernames and passwords on your devices and online accounts
  • Use strong passwords (set up a password manager) and NEVER reuse passwords for multiple accounts
  • Use basic security measures, such as antivirus
  • Keep your software up to date on all your devices (including your IoT gadgets – web cameras, fridges, etc.)
  • Regularly scan your devices for malware and keep an eye out for strange behavior
  • Unplug devices when you don’t use them (maybe not your fridge, but your toaster doesn’t need to stay plugged in – you get the picture).

These basic measures will help reduce your risk of infection and make the Internet a safer place for all!

Avoiding ‘open enrollment’ scams | Consumer Information


Open enrollment is here. Whether you’re eligible for Medicare, selecting a plan through the Affordable Care Act (ACA), or have private insurance, you have until December 15 to compare plans and make coverage changes. But as you’re keeping an eye out for the best options, also keep an eye out for scammers. Here are a few tips for avoiding scams this open enrollment season.

Eligible for Medicare?

  • Anyone that tries to sell you Medicare insurance while claiming to be an “official Medicare agent” is a scammer. There are no Medicare sales representatives.
  • The Medicare prescription drug plan (also known as Part D) is voluntary. Ignore anyone who calls saying you must join their prescription plan or you will lose your Medicare coverage.
  • Do not give any information over the phone to someone who tells you that you must provide information to keep your coverage.
  • If you need help with Medicare, call 1-800-MEDICARE or go to Medicare.gov.

Looking for coverage under the Affordable Care Act?

  • Only shop for coverage at HealthCare.gov. People who try to sign you up elsewhere may be scammers.
  • Need free assistance? There are people and groups in your community who can help you find coverage and enroll in a plan — and it’s free! To make sure they are legitimate, use the local help resource at HealthCare.gov.

Buying private insurance?

  • Make sure insurance is what you’re really getting. There are many medical discount plans that pretend to be insurance, but they are not. Your state insurance commissioner’s office can tell you if a plan is insurance or not and whether the seller is licensed in your state.
