A weak password is still one of the most common ways hackers break in.

Thanks to sophisticated brute-force-attack software readily available online, hackers can try tens of millions of possible password combinations per second. For example, hacking software can guess a five-character password in under three hours. If you only use lowercase letters, it’s 11.9 seconds.

You KNOW you need to have a better password than “password” or “letmein” if you have any hope of keeping hackers out of your PC. But what does a “strong” password mean?

A good password should be at least eight characters long. It should contain a mix of uppercase and lowercase letters, numbers and symbols that are hard to guess. Don’t rely on a dictionary word with a capital letter and a few characters tacked on (like Password123#): even though it meets the requirements we just listed, it’s easily cracked; remember, hackers have sophisticated password-cracking software that runs 24/7/365.
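To put the figures above into numbers, here is an added example (not from the original post) that computes worst-case brute-force time and search-space size for the lengths and character sets discussed, plus a simple shape check for the Password123# problem. It assumes a rate of one million guesses per second, the rate that reproduces the post's 11.9-second figure; the shape heuristic is a hypothetical illustration, not any real cracking tool's rule set.

```python
# Added example (not from the original post): exhaustive-search time for the
# password lengths and character sets discussed above. Assumption: a guess
# rate of 1,000,000 per second, which reproduces the post's 11.9-second
# figure for a five-character all-lowercase password.
import re
from math import log2

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # printable ASCII (33 symbols incl. space)
ALL_PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS  # 95 characters
GUESSES_PER_SECOND = 1_000_000

def seconds_to_exhaust(length: int, charset_size: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate of this length is tried once."""
    return charset_size ** length / rate

def entropy_bits(length: int, charset_size: int) -> float:
    """Search-space size in bits; each extra bit doubles the attacker's work."""
    return length * log2(charset_size)

def human(seconds: float) -> str:
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

# Heuristic (constructed for this example) for the "Password123#" problem: a
# capitalised word, a few digits and a trailing symbol is a shape cracking
# tools try early, so passing the character-class rule does not make it strong.
COMMON_SHAPE = re.compile(r"^[A-Z]?[a-z]{3,}\d{1,4}[^\w\s]{0,3}$")

def predictable_shape(password: str) -> bool:
    return COMMON_SHAPE.match(password) is not None

if __name__ == "__main__":
    for label, n, size in (("5 lowercase", 5, LOWER),
                           ("5 any printable", 5, ALL_PRINTABLE),
                           ("8 any printable", 8, ALL_PRINTABLE),
                           ("12 any printable", 12, ALL_PRINTABLE)):
        print(f"{label:18} {entropy_bits(n, size):5.1f} bits  "
              f"{human(seconds_to_exhaust(n, size))}")
    print("Password123# has a predictable shape:", predictable_shape("Password123#"))
```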

Cybercrime is at an all-time high, and hackers are setting their sights on small and medium businesses who are “low hanging fruit.” Don’t be their next victim! Click here to download this free report that reveals the most common ways that hackers get in and how to protect yourself today.

Phishing Email

Phishing emails look surprisingly legitimate when you don’t know what to look for. 74% of targeted cyber attacks come from email. A recent FBI report found ransomware and phishing scams increasing rapidly, with over 246 million dollars compromised in 2015.

Email used to be a much safer exchange. Spam firewalls kept the bad stuff out and sandboxing stopped zero-day threats, but gateways are blind to social engineering. Attacks now come in through the “back door” and get around security gateways.

Think of cyber criminals as super spies who watch you online. They know who you are, where you work, your online habits, and who you know. This information allows them to send you emails that appear to come from a “trusted” source, whether that’s a financial institution or a co-worker.

Phishing Emails

Phishing emails are designed to obtain information by having you click on a link, typically to “update” financial information. Check out the example below outlining what you should be looking for.

Phishing Email Example
It’s important to check your email thoroughly to make sure the sender details and websites are correct. Often, the website link will be misspelled (e.g. faceboook.com, citybank.com). It’s best to hover over the link to see where it actually goes. If you do happen to click on it, make sure the correct website is shown in the browser’s address bar. If not, close the browser immediately.
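The link check described above, done programmatically, as an added example that is not part of the original post. The HTML email body and the list of known brand domains are constructed for illustration, and the “last two labels” rule for the registrable domain is a simplification.

```python
# Added example (not from the original post): programmatic version of the
# "hover over the link" check. Sample email and brand list are constructed.
import re
from html.parser import HTMLParser

KNOWN_BRANDS = ["facebook.com", "citibank.com"]   # constructed allowlist
HOST_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:[/?#]\S*)?")
class LinkCollector(HTMLParser):        # [href, visible text] for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: typosquats sit 1 or 2 edits from the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def site_named_in(s: str) -> str:
    """Registrable domain (last two labels) if `s` names a host, else ''."""
    m = HOST_RE.fullmatch(s.strip())
    return ".".join(m.group(1).lower().split(".")[-2:]) if m else ""

def check_links(html: str) -> list:
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, shown = site_named_in(href), site_named_in(text)
        if shown and shown != target:      # what you see is not where you go
            findings.append((href, f"text says {shown}, link goes to {target}"))
        for brand in KNOWN_BRANDS:
            if target != brand and edit_distance(target, brand) <= 2:
                findings.append((href, f"{target} looks like {brand}"))
    return findings
SAMPLE_EMAIL = """<p>Please <a href="http://www.faceboook.com/login">log in to Facebook</a> to update your billing.</p>
<p>Or visit <a href="http://citybank.com/secure">www.citibank.com</a></p><p><a href="https://example.org/help">Help</a></p>"""  # constructed
```

Running `check_links(SAMPLE_EMAIL)` flags the first two links (a lookalike domain, and a link whose text names a different site than its target) and leaves the example.org link alone.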

Spear Phishing

In spear phishing, cyber criminals do more digging and spend time researching a highly targeted victim. The criminal stalks your personal social media profiles and the websites you use before baiting you with an email that looks legitimate. The more time they spend observing your actions, the more convincing a scam they can send you.

Spear Phishing example

Clara was tagged in a Facebook photo posted by her boss, George. The criminal then finds Clara on LinkedIn and learns about her job and company.

Anatomy of spear phishing email

Using the information the criminal found on social media, he sends an email to Clara from “George” mentioning the party they were both at the previous night. The criminal follows that up with a request for a money transfer.

Facts

Poor employee behavior is a greater email security concern than inadequate tools. This is why it’s imperative to educate and test your employees on proper protocol for the company network, email, and devices.

Interested in training your employees and learning how to protect your company? Ask about our managed IT services, which include cyber-security, employee training/testing as well as back-up and recovery options.

Sign up for our cyber security newsletter to receive more tips to keep you safe.

Graphics & info provided by Barracuda.

Google security researchers revealed last week that the immensely popular Fortnite Android app is vulnerable to man-in-the-disk (MitD) attacks.

This vulnerability allows low-privileged malicious apps already installed on a user’s phone to hijack the Fortnite app’s installation process and install other malicious apps with a higher permission level.

Fortnite’s developer, Epic Games, has released version 2.1.0 that fixes this problem.

What are MitD attacks?

Simply put, MitD attacks can happen when an Android app stores data on external storage media, outside its highly secured internal storage space. Because that space is shared by all apps, a malicious app can watch a specific app’s files on external storage and tamper with the data stored there.

The Fortnite app is vulnerable to these attacks because it doesn’t contain the actual game; it is merely an installer. Once users install the app, it uses the external storage space to download and install the actual game.

“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK,” a Google researcher wrote in a recent public bug report.

“If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure,” the researcher added.
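To make the race concrete, an added example (not Epic’s or Google’s code) that simulates the check-then-install sequence the bug report describes, beside a hardened variant that installs exactly the bytes it verified. The APK contents, temp path and hook function are constructed stand-ins; the hook plays the role of the FileObserver-triggered overwrite from another app.

```python
# Added example (not Epic's or Google's code): a simulation of the
# check-then-install pattern the bug report describes, beside a version
# that installs exactly the bytes it verified. APK contents are constructed.
import hashlib
import os
import tempfile
from typing import Callable, Optional

GENUINE_APK = b"constructed: genuine game APK"                 # constructed sample
FAKE_APK = b"constructed: fake APK with targetSdkVersion 22"   # constructed sample
EXPECTED_FINGERPRINT = hashlib.sha256(GENUINE_APK).hexdigest()
Hook = Optional[Callable[[], None]]

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def vulnerable_install(path: str, expected: str, after_verify: Hook = None) -> bytes:
    """Verify the file at `path`, then install *by path*.
    `after_verify` stands in for the window in which another app's
    FileObserver sees the download complete and rewrites the shared file;
    the installer then re-reads the path and installs whatever is there."""
    with open(path, "rb") as f:
        if fingerprint(f.read()) != expected:
            raise ValueError("fingerprint mismatch")
    if after_verify:
        after_verify()
    with open(path, "rb") as f:      # second read of a shared, writable file
        return f.read()

def hardened_install(path: str, expected: str, after_verify: Hook = None) -> bytes:
    """Read once, verify those bytes, install those same bytes. On Android the
    download would also live in app-private storage (Context.getFilesDir()) and
    be streamed into a PackageInstaller session rather than handed over as a path."""
    with open(path, "rb") as f:
        data = f.read()
    if fingerprint(data) != expected:
        raise ValueError("fingerprint mismatch")
    if after_verify:
        after_verify()               # a swap on disk cannot change `data`
    return data

def simulate(install) -> bytes:
    """Download to a shared location, then let a hostile app race the install."""
    apk_path = os.path.join(tempfile.mkdtemp(), "game.apk")   # stands in for shared storage
    with open(apk_path, "wb") as f:
        f.write(GENUINE_APK)
    def hostile_app_swaps_file():        # what any WRITE_EXTERNAL_STORAGE app could do
        with open(apk_path, "wb") as f:
            f.write(FAKE_APK)
    return install(apk_path, EXPECTED_FINGERPRINT, hostile_app_swaps_file)
```

`simulate(vulnerable_install)` returns the fake bytes even though the fingerprint check passed, while `simulate(hardened_install)` returns the genuine bytes.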

In Epic Games’ defense, CEO Tim Sweeney claims Google released this information prematurely.

“We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points,” Sweeney said on Twitter.

Google refused Epic Games’ request and made the bug report public in late August, a week after Epic Games released its patch. This led many to believe it was payback for Epic Games pulling the Android app from the Play Store so the game developer could keep 100% of the game’s profits.

That move had been criticized by many security experts, who warned about security flaws that might go under the radar because the app wasn’t scanned by Google’s Bouncer service before reaching users’ devices.

“Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining,” Sweeney said.

In conclusion…

Whether Epic Games or Google is in the right or wrong is up to you to decide, but security risks are all around us: at the office, at home, on free public Wi-Fi. The question is: how secure are your devices, and how much of your personal identity information is at risk?

Contact us for questions, concerns, and how you can protect yourself, your family, and your business from cyber-criminals.

*Original Source: BleepingComputer.com