Is the Dark Web all bad?

Dark Web(noun) 

Part of the world wide web that is only accessible by utilizing special software, allowing users and websites to remain anonymous or untraceable. It exists on an encrypted network that uses masked IP addresses to maintain anonymity for users and site owners. This way, people who use the Dark Web for illegal purposes can’t be traced. 

As you can see by the above definitions, the Dark Web can be a shady place where illegal transactions take place. Things like drugs, guns, counterfeit money, and credit card numbers can all be found, bought, and sold. 

Chances are that if your business has been hacked, some or all of the stolen information is for sale on the Dark Web. This is why small to medium business owners need to make sure their security software is regularly updated against new and stronger threats.

But is the Dark Web only used for bad things? Surprisingly—no. It is estimated that only about a third of the people who visit the Dark Web do so for illegal activities.  

Before we go any further, I’d like to bring up a little more info on the Dark Web and some of its misconceptions. Did you know that the internet you use every day is actually just the Surface Web? Also called the Common Web, Visible Web, or the Indexed Web, it is just the portion of the web that the general public has access to. We assume that it is the majority of the internet because we’ve labeled it the world wide web, right? Well, the Surface Web is only about one-third of the entire internet. Everything we have access to is, in reality, just the tip of the iceberg. 

Underneath the Surface Web is the Deep Web. Also called the Invisible Web or Hidden Web. It is a portion of the world wide web whose contents are not indexed by standard search engines. 99% of the information on the Deep Web cannot be found through search engines like Google or Bing.  

But are there positive aspects to the Deep Web and Dark Web? 

The U.S. government uses both the Deep and Dark Webs to keep open channels to countries that are ruled by oppressive dictators, in case citizens of those countries want to send out news stories or ask for help. Media outlets, like the New York Times, host portals that allow people and whistle-blowers to send in news tips, anonymously.  

That anonymity helps give people who are in bad situations or have no one in their lives to talk to, a means of expression and channels of help. There are groups for survivors of abuse that allow victims to name their abusers and also to get support from other survivors. There are groups for people with every type of addiction, anything from food, drugs, to gambling. Some countries punish their citizens arbitrarily, for such reasons as sexuality or religion. The Dark Web offers opportunities for people to create communities where they can share stories and tips or plan to meet in person. 

You can even join a chess club and play with people from all over the world. There are chat rooms, dating sites, and gaming forums where you can talk about anything, anytime, without the fear of being monitored. People can freely share their feelings, express their challenges and even find help from these groups. 

Freedom of expression is alive and well in the crevices of the Dark Web. If you’re an artist, you can share your passion with people who truly enjoy creativity and self-expression. The same goes for writers, poets, and musicians. There’s even a site where origami lovers post their beautifully folded ornate creations, and some of them are so intricate it’s hard to believe they started as a flat piece of paper. 

You’re probably thinking, “With all the negative and scary stuff on the Dark Web, I’ll never even try to access it.” You want to stay safe and keep away from it, right? Well, sorry to tell you, but some of your daily excursions on the internet already access part of the Deep Web, and even the Dark Web, because of the anonymity they provide. 

For example, your company’s intranet is on the Deep Web so search engines cannot see it. There are sites you may have joined that exist behind pay-walls or require special registration. Many databases and webmail pages are also tucked away below the Surface Net, so your personal information is not exposed. 

If you belong to a Facebook group—guess what? Yes, that group is on the Deep Web. Otherwise, anyone can search for that page, read the posts, and request to join. If you use online banking, that information is also on the Deep Web. Sites that host medical information and legal documents are hidden there as well. As you can see, there is a need for the Deep and Dark Webs because of the security they offer. 

If you choose to go to the dark side of the web, be careful. You just might find something beautiful, or you could accidentally stumble upon the worst aspects of human nature. Like everything else the world has to offer; when you’re exploring, be safe. 

Written by: Emily Reynolds

August 9th, 2019

Posted In: Uncategorized

Passwords – Outdated and Dangerous, But Necessary?

Here’s a quick test – what do these seemingly random alphanumerical groupings have in common? 

1. 123456 

2. password 

3. 123456789 

4. 12345678 

12345 

5. 111111 

6. 1234567 

7. sunshine 

8. qwerty 

9. iloveyou 

That is a list of the Top Ten Passwords used in 2018. Recognize any of these? If you don’t, you’re not necessarily in the clear, but your chance of becoming compromised or hacked is far less than someone who uses one of these passwords. If you do recognize these, you’re certainly testing your luck.  

These days, creating and remembering passwords has become increasingly more challenging. If we had only one device that required a password, we could probably manage it quite easily. But with every device we use, most programs we need to do our jobs, and sites that require you to change your password every few months, it is estimated that the average person must memorize up to 191 different passwords. No wonder we often choose to take shortcuts! 

The problem is, over 80% of hacks are due to compromised credentials, otherwise known as stolen username and password information that are often traded on the dark web. In fact, in one month alone in 2018, Microsoft blocked 1.3 million attempts to steal password data, which would have led to dangerous phishing attacks, and other hacking attempts.  

These harrowing statistics are why you hear the recommendations:  

  • Never use the same password twice (IT Managers report 73% of all passwords used are duplicated in multiple applications opening up multiple avenues for attack)  
  • Never write down your passwords 
  • Never share your passwords with anyone else 
  • Never use real words or known information about yourself in your passwords 
  • Avoid commonly used passwords (50% of all attacks involved the top 25 most used passwords)  

Pay attention to that last stat: 50% of all attacks involved the top 25 most used passwords. See what I meant when I said if you recognized anything on that list you’re testing your luck? 

Following all these rules and regulations, you’ll end up with passwords that are about 16-characters long, impossible to memorize, and, unfortunately, are still completely hackable (much more difficult, of course, but where there is a will, there is a way). So, what do we do now? 

Password Manager 

The first shortcut is a password manager. You can store all your passwords in one place. This makes remembering all your passwords much easier, but there is one challenge. The password manager is also protected by a password. If you’re utilizing a software like this, make sure that this password is especially complex, so that hackers aren’t even tempted, especially in the case of a brute force attack. If possible, turn on multi-factor authentication, especially on your password manager. 

Multi-factor authentication 

Many sites utilize multi-factor authentication. This extra layer of protection connects to your phone, email, or other authentication source, rather than relying solely on a password. We recommend enabling multi-factor authentication wherever possible. Only caveat here is make sure your secondary authentication source is equally secured with a strong password. No sense in double protecting yourself with a wide-open source.  

Random Password Generators 

These sites come up with secure passwords for you, but are typically a random jumble of letters, number, and symbols that are darn near impossible to memorize. If you’ve got a strong memory, this might be a good starting point, but if you’re like most of us this may be more challenging than it’s worth.  

How to craft the best password 

Use a “Password Phrase” in place of random letters, numbers and symbols. Create something that’s easy for YOU to remember, but has no meaning to anyone else. For example I<3Fh@ck3rs43v3r!. Breaking this down, you get: 

  • I –                  I 
  • <3 –               Love 
  • F –                 fooling 
  • h@ck3rs –    hackers 
  • 43v3r –         forever 

Easy for you to remember because you understand the phrase, but difficult for a hacker to decipher because it’s not real words. There’s no time like the present to get started and change your easy-to-hack passwords to something safer, because it’s always better to be safe than sorry. 

Work at creating passwords that will be difficult to hack. Make sure to change them regularly. Never write them down, (especially on a Post-it Note stuck to your computer!). But most of all, make passwords an important part of your life. Don’t consider them a nuisance or a thorn in your side. Make a game out of creating passwords. Challenge yourself to be more creative each time you create one. Beat the hackers at their own game by making your password too time intensive to try and crack, and you’ll reduce your chance of your information showing up on the dark web. Worried about your information already being available due to past weak password use? Contact us. We’ll run a scan that reveals your vulnerabilities. 

Written by: Emily Reynolds

August 1st, 2019

Posted In: Uncategorized

What is the Dark Web and Why Should We Care

You’re happily humming along on the Internet thinking you’ve got a pretty good understanding. You can navigate your way around Google, Facebook, Amazon, and news sites. You’re actually only visiting four percent of the Internet. There’s a whole world (96% of the Internet) hiding beyond these safe surface-level sites, known as the Dark Web. It’s a much less hospitable place.

What exactly is the Dark Web?

The Dark Web is a conglomeration of websites that cannot be found on search engines or accessed via traditional web browsers because their location and identity is hidden through encryption tools, like TOR. TOR was originally created to protect military communication but now has much broader utilization for both Dark Web purposes and for highly secure communication. You have to access Dark Web sites utilizing TOR, typically.

People create sites on the Dark Web in order to hide where they’re operating from, as well as to remain anonymous (TOR hides all IP information, identifying information, as well as data transfers). Over half of the sites on the Dark Web are used for criminal activities.

Why Do People Use the Dark Web?

One of the most prevalent uses of the Dark Web is buying and selling illegal goods, such as recreational drugs, weapons, fake identities, and organs. The proliferation of cryptocurrency, like Bitcoin, has facilitated these sales. People living within totalitarian societies that restrict communication also take to the Dark Web to share their thoughts freely.

The most dangerous use of the Dark Web for businesses is the exchange of credentials (usernames and passwords) and identities. An individual’s stolen credentials can typically be sold on the Dark Web for the low price of $1 to $8. Hackers utilize these purchased credentials to:

  • Gain access to important financial information and steal identities (access to a Bank of America account holding $50,000 can be purchased for $500)
  • Access accounts for further phishing attacks What is Phishing & How are Hackers Using it?
  • Threaten people with exposure of sensitive information (Remember the Ashley Madison hack from a few years back? Those credentials were dumped onto the Dark Web and hackers leveraged them to expose users).
  • Compromise other accounts using the same passwords and perpetuate the sale of personal Information

What can you do about it?

The average citizen will never have a reason to access the Dark Web, but their credentials could easily be floating around, endangering their offline livelihoods. Once your credentials are released on the Dark Web, there is precious little you can do to have them removed. However, you should, at the very least, know when you’ve been compromised; so that you can immediately act, like changing passwords and activating two-factor authentication. We recommend utilizing a full Dark Web monitoring service that alerts you if credentials appear on the Dark Web.  These services constantly scan the Dark Web for your information and alert you whenever something suspicious appears. These alerts don’t necessarily mean a breach has occurred, but they are very good heads up that something bad may be coming. You can then create a plan of attack before any damage is done. Granted, there will be your fair share of false positives, but we firmly believe in operating in the better safe than sorry camp.

RESOURCES:

https://www.techadvisor.co.uk/how-to/internet/dark-web-3593569/

https://www.nst.com.my/opinion/columnists/2019/06/493114/battling-dark-web

https://www.csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html

https://www.techrepublic.com/article/dark-web-data-monitoring-6-questions-to-ask/

Written by: Chartec

July 30th, 2019

Posted In: Uncategorized

Are you protecting the right data?

You’re ready to purchase a BDR. You’ve done all of the research, found a company you’re confident in and are excited to finally have peace of mind. Now, you start thinking about exactly what you need to back up. Is all of your data necessary or should you salvage a little server room? Most businesses want to back up everything – you never know when you’ll need it, but sometimes that is cost prohibitive.    

Depending on what kind of BDR you’ve purchased, you will first need to delegate what data is stored, is not stored, and how often. There are three different kinds of backup in today’s tech world: straight to cloud services, software-based products, and a hybrid approach that combines on-site hardware and software with the cloud. The amount of data you can back up, how you can segment that data, how often it’s backed up, how it’s backed up (all the data every time creating enormous backups, versus incremental backups that key-in on changes) and how easy it is to access will be affected based on the solution you chose.  It’s not always necessary to back up everything daily, but there are some things you will want to consider. 

 First is credit card transactions or receipts. Your accounting software should keep an eye on this and automatically back up this data. This also includes things like invoicing, receivables, payroll and just about anything that is financially related. All financials are incredibly important, even one lost invoice could really hurt your business.   

Second, protect all intellectual property. Unless you’re rocking an amazing vault to store a famous recipe like Coca-Cola or KFC, make sure that you back up everything that brings you a competitive advantage in the marketplace. Anything with hackable data or items that could be compromised need to be backed up daily as well. 

Next, you will want to back up any client files. Not only is it invaluable to keep this information safe, but it would certainly affect your client confidence if anything was lost or stolen. In addition to client files, make sure you’re backing up your client and prospect lists (anything that you’re storing in your CRM, really). You spend a great deal of time developing your list for marketing purposes. Losing this information is one of the major reasons companies go out of business within six months of experiencing data loss.  

Finally, you must back up all project management software. Anything that your business uses to keep track of daily activities and work being done needs back up to make sure that you can maintain progress in the event of a data loss and you maintain a “paper trail” on project communication. 

When it comes to BDR, you ideally want to back up every piece of data that you have. Sometimes, though, this is impossible based on the cost involved in maintaining that hefty data chain. At the bare minimum, keep these items in mind and you should never have to deal with a business killing disaster.  

Written by: Emily Reynolds

July 8th, 2019

Posted In: Uncategorized

Should’ve seen it coming…

You’ve invested in a BDR and now sleep more soundly at night, but the hardware itself is really only part of the solution. You want to ensure your provider does preventative maintenance, periodic testing, multi-location storage, and staff training. Having these things in place will help avoid downtime if the worst happens.  

Preventative Maintenance: In addition to the hardware itself, a solid backup solution also has its own backup including generators, backup batteries, cooling systems, fire detection, suppression systems, and redundant cloud storage. You can’t necessarily head to your provider’s office to see for yourself, but you can read the fine print on your contracts as well as have meaningful conversations with potential providers. 

Periodic Testing: Consistently ensuring everything is running as it should will allow you some peace of mind as well as lay the groundwork for successful backup. This goes beyond simply testing backup software or cloud storage. A good backup provider will run regular testing and provide reports on the health of the backup, size, and any glitches that you might be facing.  This testing should also include 24/7 monitoring and alerting of any potential issues including cyberthreats or outages.  

Multi-Location Storage: Regardless of how safe a location may seem, data needs to be stored in more than one location. Think about it; if the backup server for your company is sitting in a location that sees seasonal hurricanes or is located on top of an active earthquake fault, your data is still in danger. It’s about backing up your backup.  

Team Training: Don’t leave it all to your IT company. When it comes to backup, security, and other breaches, employees truly are the weakest links. Cybercriminals are going after these individuals rather than attacking at a network level because they are easier to infiltrate. Make sure you have regular cybersecurity training in place for all employees to limit these potential breaches. Creating a strong disaster recovery plan is not all about the recovery part, prevention is equally important too.  

Written by: Emily Reynolds

July 8th, 2019

Posted In: Uncategorized

What Could Happen Without a Plan

Backup Disaster Recovery is one of those things that all businesses need to have in case of disaster. Whether it’s a natural disaster such as a tornado, a hardware failure, or even an attack from a hacker. Anyone of these could permanently disable your business if you aren’t prepared or have a proper backup plan. For those of you still backing up data manually on tapes or *cringe* not at all, here are some reasons why you need a BDR solution and should stop tuning out potential disasters.  

First of all, a data disaster is more common than you might think. Currently, 58% of SMBs are not prepared for data loss. Even worse, 60% of SMBs that lose their data will shut down within six months. Something that could have been prevented could potentially wreck your business, especially scary to think about when 29% of hard drive failures are caused by accident. It would be silly to have human error or a simple mishap put your company out of business.  

You may have security protocols in place and your employees are well versed on avoiding things like malware. Well done. However, you’re still not protected. Human error is a large culprit in data loss. It could be unintentionally deleting items or accidentally overwriting data, but these “oops” can hit hard. Human error can result in other kinds of hardware damage like liquid damage from spills or even accidental reformatting. All of these things are possible and have happened to many SMBs before you. Sometimes recovery is possible from the software platform you were using, maybe your computer has your back and caught these things. It’s still a time consuming and money wasting error to fix, even if you are lucky to recover some of what you lost.  

Viruses and malware can be a significant cause to software or hardware damage depending on what kind of bug found its way in. Usually, this can be avoided with proper employee training as well as an awesome firewall that will help filter malicious attacks. Yet another prey in the night is social engineering – the art of conning people. Hackers have been known to get into server rooms and other data-centric areas of the business. Employees may not even notice their mistake until it’s too late. I guess the “HVAC guy” turned out being a hacker in disguise. 

Sometimes software corruption can come from unknown viruses lurking around your computer. However, most of the time it is due to improper usage. Things like not shutting down the computer properly or leaving unsaved documents open. Sometimes even a power outage can trigger corruption. Once the software processes are interrupted and damaged, it’s virtually impossible to recover data stored in the software.  

Did you know that 140,000 hard drives crash every week? With that kind of number, it’s just a matter of time until it happens to you. That is not a comfortable position to be in if you know you don’t have backup. Unfortunately, hard drive corruption is usually due to mechanical issues. Things like age and dust build up can (and will) cause technology to fail. We’ve all used the old laptop we still have that’s been on its deathbed for months, freezing frequently, taking for-ever to load a webpage, and of course, acting as a heater for your lap or desk. All of these things are signs leading to a crash. You may not care if it’s an old hand-me-down laptop from the ’90s, but you will care when it’s your pricey equipment with all of your product data and client information stored on it. 

Finally, good old-fashioned acts of God. You can’t necessarily prepare for a natural disaster. Even if you hear the tornado siren, backing up your servers to tape will take longer than it will for the tornado to hit your business. Then what? That tape is left amongst the rubble, destroyed. This may seem like an exaggeration, but it has really happened to businesses. And even if only hypothetical, it makes for a great metaphor for any other crash within your business. This is also proof that on-site BDRs may not always be the final protective cover to your business. You may want to consider off-site or cloud data storage to ensure protection, so your data is safe even if your equipment is destroyed. 

Protect your business and keep it running smoothly and successfully. Backup Disaster Recovery options are available for all kinds of SMBs and their needs. Don’t wait to be taught a lesson by the “big one” (as most California residents say). Protect your important data and enjoy the peace of mind that comes along with it. You’ve worked too hard to get your business where it is. Protect your hard work. 

Written by: Emily Reynolds

July 1st, 2019

Posted In: Uncategorized

3 Ways Cybercriminals Use Social Engineering to Steal Your Info

Cybercriminals use social engineering every day to attempt to hack into people’s personal information.  Social engineering preys on the human condition to gain trust, manipulate people and get people to willingly give out personal information. In general, there are three major ways that cybercriminals use social engineering to steal your info.

Email

This is one of the most prominent ways that information is stolen. This side of social engineering has been around nearly as long as emails have, and it’s guaranteed that anyone with an email account has seen at least one of the many phishing scams that come from cybercriminals. Perhaps a Nigerian Prince would like to wire you a ton of money because his inheritance is wrapped up in the bank for some reason. All you need to do is pay a few fees to receive the money and you get to keep a portion of his millions. Totally legitimate right? Or maybe the bank needs you to confirm your account number and social security number because of an “account breach”.  Why not, right? The bank is a legitimate business, it must be real, even the email looks real. Better yet, wouldn’t you love to be a secret shopper? Receive a check for $1000, cash it, and perform a job. Innocent enough, right? Not after you wire initial fees and attempt to cash a bad check. These are just some of the ways social engineers prey on unsuspecting and trusting people. If sending money or willingly giving up information isn’t involved, then there is usually malware within the email. The links in the email will deploy malware to infect your computer files and obtain information about you. It’s amazing how prevalent these scams are.

Posing as Someone You Know

Another email scam involves cybercriminals posing as someone in your company, particularly the CEO or someone high up in the financial department. They send an email that looks like it’s from your boss asking you do something really quick or process a PO immediately. Usually, something about the email address will be a bit off, if you’re paying attention. Letters are swapped around or a .net becomes a .com at the end of the email. As soon as you open it or click on a link, malware infects your computer. This scam is usually highly effective because it gets sent to everyone in the company, and people often take it as important because it came from the “boss”.

The most obvious way to pose as someone you know is through copycat Facebook profiles. Cybercriminals use this prominent scam to trick people into thinking they are receiving a friend request from someone they know. The profile will often contain a few photos from the original person’s profile, so it looks a tad more real. As unsuspecting friends add this profile, it begins to look more legitimate because of similar friends and associates. This profile can ask for money or send links containing malware to infect your computer, or even corrupt your Facebook profile by gaining access to personal information.

Advertisements

Finally, a newer way for cybercriminals to target people is through advertisements. Considering ads are pretty much everywhere online now, creating ransomware ads is incredibly easy and a bit difficult to spot among the hundreds of ads people see every day. For this type of social engineering, cybercriminals literally deploy ad campaigns showcasing a product or a service. When you click on the ad, it downloads malware or ransomware onto your computer. Most of the time these ads are for anti-virus software, or a pop-up will come on your computer saying your computer has been infected and instruct you to click the link to clean the virus. Tricky, tricky cybercriminals. The key to spotting these three general social engineering styles is to become educated on them and keep an eye out for anything that seems off. If something seems strange or wrong, avoid it until you are certain it is safe. Try not to click on any links inside of emails unless you confirm and absolutely trust the sender. If you’re asked to click a link and update account info, type in the web address to the real site rather than click the link. If you get a friend request from someone, look over their profile and ensure its real. Check out their friends, photos, and posts to ensure they aren’t fake. Check to see if you already have that friend on your list. Finally, don’t trust any anti-virus pop-ups or ads. Stay safe out there!

Written by: Emily Reynolds

June 17th, 2019

Posted In: Uncategorized

Why are you so popular?

You’ve heard about many of the scams that exist on the internet now. It’s tough to simply look at your emails without noticing several phishing emails sitting in your inbox. Lately, the largest influx of social engineering scams has come from social media.  As of right now, worldwide social media users total 2.34 billion according to Statista. That is a lot of people to target, and hackers are taking advantage. How? Fake accounts. Forbes estimates that there are over a half billion fake social media profiles in circulation today. There are four main ways these cyber-criminals are utilizing social engineering via social media.

Swaying Public Opinion

The most recent large-scale example of utilizing fake accounts to sway public opinion was meddling in the 2016 election. When investigating, Facebook not only found millions of fake Facebook accounts, but they also found that there were Facebook ads created to sway American voters. The ads and posts came from profiles that looked legitimate, but in all reality were conjured up simply to create influence with minimal effort. In addition to their obvious desire to affect election results, if people clicked on the ads, their computers were often infected with malware that would give away valuable personal info.

Fake Advertising

Have you seen the pages that say a celebrity talk show host is giving away XYZ prize or a big-name brand is handing out free gift bags if you share and like the page? All scams. The perpetrators hide behind names that look similar to the authentic celebrity or brand and rely on unwitting people to click, share, and like. These hackers then follow-up by selling your information to third-parties or targeting you with malware advertising to get you to keep coming back.

This technique goes all the way back to 2011 after Steve Jobs passed away. A fake FB ad claimed that Apple was giving away iPads in honor of his passing. Well, that ad went viral and thousands of people clicked on the link, which in turn infected their computers and devices.

Minimally Invested Profiles

Social engineering has gotten more complicated with (MIP) minimally invested profiles and (FIP) fully invested profiles, found mostly on Facebook and LinkedIn. MIPs are created in bulk, and they usually have very little original content on them, as well as a sexy or provocative profile photo. These hackers go around making friend requests willy-nilly in hopes that their picture will intrigue people to add them. They’ll eventually send you malware via FB messenger or put rogue posts on your Facebook wall.

Fully Invested Profiles

The FIPs that get created take a little more time and effort, however, they are more efficient because they really look the part. To an untrained eye, a profile like this could pass as an acquaintance. The best way to crack this mystery profile is by looking at their friends, seeing if you already have a friend by that name, as well as scouring the content of their posts. If this raises even one red flag, it’s likely it’s a fake profile.  People using this technique target you on Messenger with infected content, usually videos that lure you in because you “know” the sender.

These are just a few of the main ways that social engineers are using social media to target people. While snooping on your co-workers, checking to see what crazy Uncle Larry just posted, or simply browsing through memes, always be diligent and aware of your internet surroundings. In addition, make sure your firewall and antivirus are up to par! Don’t let a social engineer manipulate you into surrendering your information.

Written by: Emily Reynolds

June 11th, 2019

Posted In: Uncategorized

Breaking Down Social Engineering

Most people are aware of terms like phishing and malware, but did you know those are a part of a larger scheme called social engineering? This is not a new kind of fraud. In fact, it’s been used for many years to manipulate a wide range of people into giving up important data about themselves or their workplace. A prime example of social engineering goes back to Greek mythology with the Trojan horse. They infiltrated the city of Troy with a “peace offering” filled with soldiers, thus winning the war. With technology at the forefront of our lives, social engineering has entered a new era. Physical human interaction is not necessarily required anymore. These criminals can gain information through emails, pop-ups, and public Wi-Fi networks, to name a few. The main objective is to influence, manipulate or trick users into giving up privileged information or access within an organization. They are doing this right under your nose, and if you’re not paying attention you might be a victim of this, as well.  

External Threats 

With technology at the forefront of most businesses, external threats are becoming the benchmark for social engineers. They can hack into core business processes by manipulating people through technological means. There are so many ways for social engineers to trick people. 

Baiting 

First of all, baiting can be done both in person and online. Physical baiting would be a hacker leaves a thumb drive somewhere at a business, then an employee picks it up and plugs it into a computer. Could be curiosity, or simply thinking a co-worker left something behind. However, as soon as the thumb drive gets plugged in, it will infect your computer with malware. Online baiting could be an enticing ad, something to pique interest, things like “Congrats, you’ve won!” Also, there is scareware, in which users are deceived to think their system is infected with malware, with pop-ups like “Your computer has been infected, click here to start virus protection.” By clicking on it, you unintentionally download malware to your computer. If you understand what you are looking for, you can usually avoid these situations.  

Phishing 

This is probably one of the most popular social engineering attacks. Fairly generalized, this usually comes in the form of an email. Often, they ask the user to change their email, or log in to check on a policy violation. Usually the email will look official and even take you to a site that looks almost identical to the one you may be used to. After that, any information you type in will be transmitted to the hacker. You just fell for the oldest online hack in the book.  

Spear Phishing 

Similar to generic phishing, spear phishing is a more targeted scam. This does take a little more time and research for hackers to pull off, but when they do it’s hard to tell the difference. They often tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous. This could be in the form of an email, acting as the IT guy with the same signature and even cc:s to co-workers. It looks legitimate; but as soon as you click the link, you are allowing malware to flood your computer.  

Internal Threats 

Originally, social engineering took place in a physical setting. A hacker would do some preliminary research on a company structure or focus on behaviors in order to get that initial access into a building, server room or IT space. Once they have a “foot in the door” so to speak, obtaining pertinent data or planting malware becomes that much easier.  

Tailgating 

Often, hackers will enter a building without an access pass by simply acting like an employee. This technique is known as tailgating. The only credential they need is confidence. This can also include a hacker posing as an IT person and conning people so they can gain access to high-security areas. This is far easier than it sounds. Hackers might find company shirts at the local thrift store, exude confidence and gain access.  

Psychology 

Another interesting process hackers use to con their way into a business is by creating a hostile situation. According to PC World, people avoid those that appear to be mad, upset or angry. So, a hacker can have a fake heated phone call and reduce the likelihood of being stopped or questioned. Human psychology really is a tricky thing, isn’t it? 

Public Information 

Then, of course, the more you know about someone the more likely you are going to gain the information you need from them. This involves everything from scoping out parking lots, observing the workspace and even dumpster diving. Nothing is safe anymore and your life is not always as secure as you’d like to think. Something as innocent as a bill can be used to harvest more information about a person. 

Pretexting 

Similar to online phishing, pretexting is a popular fraud tactic for phone calls. Often, they will disguise themselves as an authority such as a bank, tax official or even police. They will probe you with questions that could lead to giving up information that could compromise your identity. This personal information can be used to find out a whole slew of things. Not only can they get away with your money immediately, they can easily steal your identity with pertinent information like social security numbers or banking information. 

Prevention 

Social engineering can be prevented by educating yourself and your employees. With so many different ways to steal your important data, it’s imperative that individuals and businesses go through some sort of training regarding these issues. However, on a day to day basis, getting into certain habits can help. First of all, pay attention to your surroundings. Remember that physical social engineering still exists and you don’t want to be the one that causes your business’ corrupted data. Next, do not open emails or attachments from suspicious sources. Moreover, if a legitimate looking email seems slightly suspicious, go to the source and find out for sure if they sent it. Also, multi-factor authentication can curb fraud immensely. One of the most valuable pieces of information attackers seek are user credentials. Using multifactor authentication helps ensure your account’s protection in the event of system compromise. Furthermore, if an offer seems too good to be true, it probably is. Don’t click the link, you didn’t win a cruise. Finally, keep your antivirus and/or antimalware software updated at all times. This is the best line of defense if for some reason your system has been compromised. For the most part, use your best judgment and common sense. Social engineers have gotten very good at their jobs, but that’s okay because you’ve gotten very good at yours too and can combat these sneaky hackers.  

Written by: Emily Reynolds

June 3rd, 2019

Posted In: Uncategorized

What is the Dark Web?

What is the dark web? 

Have you heard of the ‘dark web’? You probably picture a guy in a hoodie, slumped over a keyboard peering at a screen of numbers with an evil smile upon his face. Oddly enough, it’s really not as dark and creepy as the media portrays. However, the scary part is the information you can find on the dark web. Don’t think the worse, I haven’t seen any body parts for sale on the dark web, I can assure you if any of your important data has been stolen. It’s likely for sale on the dark web. The dark web is named that because it’s part of the Internet that is not indexed by search engines. This certainly makes the anonymous illegal activity easier, but the dark web does host a few legitimate social networks. 

What’s on the dark web? 

As mentioned before, if you’ve ever had your data compromised, it is possible it’s floating around the dark web for sale. Or if you’ve heard of the latest malware attacks that have stolen millions of usernames and passwords (like the Collection #1 breach last January). There are a plethora of items to purchase. Some of the most popular are breached usernames and passwords that have been de-hashed. You can buy credit card numbers, drugs, and hacked accounts to name a few. I have personally viewed 6 stolen credit cards for the cost of $100. No guarantees they had money on them or were still valid, but I suppose it’s worth a try for a hacker. You can even hire a hacker to carry out a job for you. Most of the dark web takes some kind of crypto-currency and has boomed since currencies like Bitcoin have taken hold of the Internet. 

How do you access it? 

You can’t just type in “dark web” on Google and expect it to take you there. In fact, your network may even get flagged or the antivirus on your computer will prohibit it. The way people are accessing the dark web now it through a search engine named torproject.org. Now keep in mind, this organization created Tor in order to allow everyone privacy during their browsing experiences. Many countries are unable to access the Internet without someone eavesdropping on them or simply being unable to take part in free speech. Also, keep in mind that these dark web sites look just a normal as a regular website. Sometimes the only way you can see the difference is that dark web sites use a scrambled naming structure that creates URLs that are often impossible to remember. For example, a popular commerce site called “Dream Market” goes by the unintelligible address of “eajwlvm3z2lcca76.onion.” Its surprisingly easy to access, just remember what kind of people you’re dealing with. If they stole from other people, they’ll steal from you too.  

Staying ahead of the dark web 

Most people will never have the need or the courage to check out the dark web. However many IT industry experts peruse the dark side to look out for current and future hacking trends. It’s always good to know what is making money and what assets scammers are looking for. If by chance you stumble upon your own data, there’s little you can do about it. (Although, we’ve heard stories of people buying back their data). But at least you’ll know what’s compromised. Check out the dark web at your own risk, but whatever you do – save yourself the trouble – and don’t purchase anything. 

Written by: Emily Reynolds

May 28th, 2019

Posted In: Uncategorized

Next Page »