In Case You Missed It: Yahoo Got Hacked Again

It was only last year that Yahoo admitted to two separate data breaches of its user records. One of the two breaches occurred in 2013, and the attackers gained access to over 1 billion Yahoo user accounts. This included private information and other sensitive details that may have included credit card information and home addresses.

Yahoo assured their users that they had beefed up their security measures and recommended that users replace their passwords. Account users grumbled but ultimately followed Yahoo’s recommendation. The world moved on and hoped it wouldn’t happen again. Well, imagine that–it happened again.

Emails from Yahoo started reaching users this month about a data security issue. One of our readers happens to be one of those people. The email that was forwarded to us reads something like this:

“Dear (our reader),

We are writing to inform you about a data security issue that involves your Yahoo account. We have taken steps to secure your account and are working closely with law enforcement.

Our outside forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account. We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016. Those users targeted by the state-sponsored actor were sent an additional notification like the one found here: https://help.yahoo.com/kb/SLN26995.html

We invalidated the forged cookies and hardened our systems to secure them against similar attacks. We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.

We encourage you to follow these security recommendations:

  • Review all your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.

Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

For More Information

For more information about this issue and our security resources, please visit the Yahoo Account Security Issue FAQs page available at https://yahoo.com/security-update.

Protecting your information is important to us and we work continuously to strengthen our defenses.

Sincerely,

Bob Lord
Chief Information Security Officer
Yahoo”

Our reader informed us that they changed their password once more and are increasingly inclined to delete their Yahoo account altogether. They also expressed severe misgivings and doubt over Yahoo Account Key, which forgoes the need for a password. Our reader said, “The hacker–whoever it is, gained access to my account without my password to begin with. So doesn’t that suggest that going password-less won’t really do anything?”

A session cookie is a token the site stores in your browser after you log in, so that you are not asked for your password on every request; think of the ‘remember me’ option in your browser. A forged cookie is one that an attacker manufactures and that the site accepts as though it had issued it, which is how the “state-sponsored actor” got into the Yahoo accounts without any password. This is a rather disconcerting blow to a still recovering user base. So far, the total number of customers affected by the cookie-based breach is still unknown.
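To make the cookie mechanism and Yahoo’s “we invalidated the forged cookies” remedy concrete, here is an added example (not code from Yahoo or from the original post) of how a site can sign its session cookies with an HMAC and check them on every request. The key names, user ids and timestamps are constructed placeholders. A cookie whose contents were altered no longer matches its signature and is refused; a cookie signed under a key version the server has retired is refused too, which is what rotating the signing key achieves if the key material itself has leaked.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed example: the server's cookie-signing keys, indexed by key version.
# Nothing here comes from Yahoo; the key bytes are placeholders.
SIGNING_KEYS: Dict[int, bytes] = {1: b"constructed-signing-key-v1"}
CURRENT_KEY_VERSION = 1


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Return 'version.payload.signature' for a user who has just logged in."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now + ttl_seconds)},
                         separators=(",", ":")).encode()
    header = f"{CURRENT_KEY_VERSION}.{_b64(payload)}"
    sig = hmac.new(SIGNING_KEYS[CURRENT_KEY_VERSION], header.encode(), hashlib.sha256).digest()
    return f"{header}.{_b64(sig)}"


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id the cookie grants access to, or None if it is not acceptable."""
    now = time.time() if now is None else now
    parts = cookie.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    version_str, payload_b64, sig_b64 = parts
    key = SIGNING_KEYS.get(int(version_str))
    if key is None:
        return None  # signed under a retired key version: treat as invalid
    expected = hmac.new(key, f"{version_str}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = _unb64(sig_b64)
        if not hmac.compare_digest(expected, presented):  # constant-time comparison
            return None
        payload = json.loads(_unb64(payload_b64))
    except (binascii.Error, ValueError):
        return None
    if payload.get("exp", 0) < now:
        return None
    return payload.get("uid")


def rotate_signing_key(new_key: bytes) -> int:
    """Retire every existing key: all cookies issued so far stop verifying at once."""
    global CURRENT_KEY_VERSION
    CURRENT_KEY_VERSION += 1
    SIGNING_KEYS.clear()
    SIGNING_KEYS[CURRENT_KEY_VERSION] = new_key
    return CURRENT_KEY_VERSION


def demo() -> Dict[str, Optional[str]]:
    """Walk through the cases a server must handle; returns who each cookie is accepted as."""
    t0 = 1_700_000_000.0  # constructed fixed clock so the results are reproducible
    genuine = issue_cookie("alice", 3600, now=t0)
    # A cookie whose payload was altered while the original signature was kept.
    version, _, sig = genuine.split(".")
    altered_payload = _b64(json.dumps({"uid": "bob", "exp": int(t0 + 3600)},
                                      separators=(",", ":")).encode())
    tampered = f"{version}.{altered_payload}.{sig}"
    results = {
        "genuine": verify_cookie(genuine, now=t0),
        "tampered": verify_cookie(tampered, now=t0),
        "expired": verify_cookie(genuine, now=t0 + 7200),
    }
    rotate_signing_key(b"constructed-signing-key-v2")
    results["after_rotation"] = verify_cookie(genuine, now=t0)
    results["reissued"] = verify_cookie(issue_cookie("alice", 3600, now=t0), now=t0)
    return results


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case:15s} -> {who}")
```

Running the file prints the verdict for each case: the genuine cookie is accepted as `alice`, the tampered and expired ones are refused, the genuine cookie is refused again once the key has been rotated, and a freshly issued cookie works under the new key. Expiry and key versioning are what let a site answer the reader’s question: if an attacker can mint cookies, the site cannot tell the forgeries from the real ones until it retires the key they were made with, so every user is logged out and has to sign in again.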

How You Can Strengthen Your Business’ Cyber Security

2016 offered plenty of examples of cyber security breaches. Most were small and did not warrant any headlines, but one such event did occur around November, when millions of client records were harvested from the adult website FriendFinder. The company estimates that over 400 million records were compromised, much like the Ashley Madison client information leak.

Since the new year has just started, take this as a good opportunity to enact some protocols to boost your business’ cyber security.

1.) Establish Cyber Security Training For All Employees

Information is a great weapon, one which can be used to protect your company if used properly. A good way to avoid cyber security mishaps is to fully train your employees in how to protect the sensitive information your company deals in. Developing protocols for protecting your business’s data is a smart start. Hold refresher courses every six months, as knowledge fades and protocols can change.

Training should include regular reminders about social networking sites. This matters because employees often use company devices to access social networks, and some business deals are done through these sites. So it is important to educate them on safety protocols such as making sure their posts are well thought through. You can never truly take back anything you’ve posted, since screen captures preserve such things.

If your business has an employee-run Facebook page, make sure that they do not reveal any trade secrets you wouldn’t want out. Be mindful and respectful when they engage with clients, even those whose queries border on the inane.

2.) Apply Encryption Protocols

Encryption technology uses advanced algorithms to make data unreadable to anyone who does not possess the right key (or the passphrase that unlocks it). Encryption will help your business protect the sensitive information you may be entrusted with, such as client information and credit card information.

3.) Secure Your Wi-Fi Network

One of the biggest mistakes a business can make is not changing the default password of its chosen router or network provider. When it isn’t changed, the password can be looked up with a simple search engine query. This was the case for one company in Ohio that was constantly billed for more data than it thought it consumed; it turned out the business next door had Googled the network provider’s default password and had been piggybacking on their internet connection all along.

After securing the network password, make use of firewalls and stop your router from broadcasting the network name. Note that hiding the name only keeps the network out of casual view; a strong, non-default passphrase is what actually keeps others off it. These are some security measures your business can take to further its cyber security.

4.) Update All Software and Browsers

For software to be truly effective, it needs to be up to date. Keep abreast of the periodically released updates for your programs, as these often include security fixes. Because cyber criminals are always changing the ways they breach your security, software companies are constantly trying to keep up with them and improve their security measures to keep their clients well protected.

It’s your duty then, as a user, to make sure these efforts are not in vain and to install all the updates. Always make the most of these updates; don’t leave your operating systems, browsers, and data vulnerable to attack.

Why Your System Needs Anti-Phishing Software

In today’s world, where people are comfortable making purchases or even doing their banking online, it should come as no surprise that criminals want a piece of that pie. It is not just our banking information that they target anymore; it is our identity in its entirety. Scammers try to get just that through phishing scams that systematically target us in different ways, through email, social media, or even search engine results. It is important to be aware of the most common signs of a phishing email or spoofed website.

However, as criminals evolve and come up with ever more believable fake websites, it’s equally important that you, as a user, step up your cyber defenses by making use of anti-phishing software.

How Does It Work?

Regardless of the type of anti-phishing software you run (browser-integrated or a separate program altogether), it works in a similar manner. Constantly updated data about known phishing scams and phishing sites is stored within the software. You, the user, are then sent a notification or an alert whenever you access a dubious and potentially dangerous website. In a browser-integrated program, a small notification prompts you at the top of your screen or the entire page is blocked with a warning. In standalone software, the notification pops up at the lower right of your screen (as is common in other programs).
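The core of the mechanism just described, a list of known phishing sites checked against every address the user opens, is small enough to show in full. The following is an added example and is not code from the original post or from any anti-phishing product; the hostnames in its lists are constructed placeholders under the reserved `.example` domain. Beyond the plain list match it adds a few look-alike checks a real product also performs (a brand name inside an unrelated domain, an `@` sign hiding the real host, a bare IP address), and it returns “warn” rather than “block” for those so that a legitimate site is not silently cut off.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Constructed denylist of hostnames known to host phishing pages. A real product
# would fetch and refresh this list continuously; these entries are placeholders.
KNOWN_PHISHING_HOSTS = {"login-verify.example", "secure-update.example"}

# Constructed list of domains the user genuinely does business with, used to
# spot look-alike hostnames that borrow the brand's name.
PROTECTED_BRANDS = {"bank.example", "mail.example"}


def normalize_host(url: str) -> str:
    """Extract the hostname as the browser would resolve it: lowercased, trailing dot
    removed, internationalised labels converted to their punycode (xn--) form."""
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    host = host.rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def _host_matches(host: str, listed: str) -> bool:
    # A listing for evil.example also covers anything.evil.example.
    return host == listed or host.endswith("." + listed)


def _base_domain(host: str) -> str:
    # Naive "registrable domain": the last two labels. A real product would use
    # the Public Suffix List so that suffixes such as co.uk are handled correctly.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str) -> Tuple[str, str]:
    """Return ('block' | 'warn' | 'allow', reason) for a URL the user is about to open."""
    host = normalize_host(url)
    if not host:
        return ("block", "URL has no usable hostname")

    for listed in sorted(KNOWN_PHISHING_HOSTS):
        if _host_matches(host, listed):
            return ("block", f"{host} is on the known-phishing list (entry: {listed})")

    parsed = urlsplit(url if "://" in url else "http://" + url)
    if parsed.username is not None:
        return ("warn", "URL has text before an @ sign; the real host is " + host)

    try:
        ipaddress.ip_address(host)
        return ("warn", "host is a bare IP address instead of a domain name")
    except ValueError:
        pass

    base = _base_domain(host)
    for brand in sorted(PROTECTED_BRANDS):
        brand_label = brand.split(".")[0]
        if base != brand and brand_label in host.split("."):
            return ("warn", f"'{brand_label}' appears in a domain that is not {brand}: {base}")

    return ("allow", "no match against the phishing list or look-alike checks")


def demo():
    """Constructed sample of URLs a user might click, with the verdict for each."""
    samples = [
        "https://bank.example/login",
        "http://www.bank.example/",
        "http://bank.example.login-verify.example/session",
        "http://SECURE-UPDATE.example./reset",
        "http://bank.example@192.0.2.10/",
        "http://192.0.2.10/login",
        "http://bank.example-secure.example/",
    ]
    return {url: classify_url(url) for url in samples}


if __name__ == "__main__":
    for url, (verdict, reason) in demo().items():
        print(f"{verdict:5s} {url}\n      {reason}")
```

Two design points carry over to real products. Hostnames are normalised before matching (case, trailing dot, punycode), because a list lookup on the raw string is trivially missed otherwise. And only the list match produces a hard block; the heuristics produce a warning, which is the trade-off between catching new sites and the false positives on legitimate sites that the next section complains about.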

How Effective Is It?

As with all software, not all anti-phishing programs are created equal. Some (usually the free ones) can erroneously tag legitimate websites as harmful. This can be quite a pain, as you may have to manually mark the website as ‘safe’. This is where you need to be discerning about the different anti-phishing programs available. More highly rated programs like SpoofGuard come with a higher success rate in sending relevant notifications when threats are detected.

In-Browser Anti-Phishing Options

Most users use either Firefox or Chrome for their internet activities. These browsers usually come pre-equipped with decent anti-phishing protection like Google Safe Browsing. Gone are the days when that was a separate application that needed to be downloaded manually. Add-on toolbars are also a viable option for in-browser protection. However, do study which add-ons are effective and which are dead weight or even a phishing app themselves. A good way to do this is by looking up reviews in blogs or forums.

Standalone Anti-Phishing Software

This refers to programs that you install on your system. There are several pop-up blockers commercially available, which is useful since a lot of phishing attacks are delivered through pop-up windows and tabs. You may even look for an antivirus program that comes with its own anti-phishing features. Note that this may be a pricier option and should be considered carefully.

It is crucial to keep in mind that should criminals ever get hold of your personal information through phishing, you are open to serious damage. Phishing scams are becoming smarter and harder to detect each day, so it’s important to arm yourself and your system with a good anti-phishing program.

8 Traits of Your CRO

A Chief Risk Officer is the person who protects your organization from danger.

We’ve all experienced being placed in a team, whether during our school days or more recently in a professional setting. Whenever there is a team, there is a leader. It is common knowledge that a leader can make or break a team. If you are ever placed in a leadership position, always remember that there are key traits intrinsic to being a leader.

One of the traits of a leader is Self-Confidence. No one wants to follow a person who does not have faith or assurance in themselves and the choices they may have to face. Timidity is not a trait that a team will want in someone who has to tell them what to do. On the flip side, having too much confidence may irk team members. Even if you’re well meaning, the surplus of confidence will work against you. It is important to strike a balance between being confident and having grace, to effectively establish the leader’s authority without ruffling any feathers. The calmness and presence of mind that come with self-confidence help show that a person is worthy of the leadership post.

Empathy is another important trait in a leader. Empathy refers to the ability to understand and share the feelings of others. Humans have a basic need to have their point of view understood by others. When tackling an issue that arises, a leader is able to place himself or herself in the other party’s shoes. It is by far the easiest way to smooth out any misunderstandings and promote goodwill between team members.

Decisiveness is another trait of a leader. It always comes hand in hand with confidence. When you are sure of yourself and of what needs to be done, decisive decisions follow. A leader who second-guesses everything lowers the morale of the team.

Adaptability and Flexibility are traits a leader also needs to possess. Circumstances may shift or unforeseen events may occur, so it is crucial that a leader take these in stride and adapt to events as they occur. At the same time, one of the good things about being in a team is that you get to hear other people’s varying input and opinions. As a leader, it is important to be flexible about suggestions that may, in fact, be a better fit for the activity at hand.

Every project has an end goal. Being Goal-Oriented is a trait that a leader needs in order to direct the team somewhere. A leader needs to have a clear vision of what the intended result is. That way, the team will not be a case of the blind leading the blind. A leader who is goal-oriented can effectively set milestones for the team to aim for and standards to adhere to.

One trait of a leader that is often overlooked is the trait of Patience. You can have the best team but they aren’t immune to human fallibility. They will have errors and there may be parts where they have trouble understanding why certain things need to be done in a certain way. A leader needs to be patient in addressing the needs of his or her team. The last thing any member wants is to be chewed out for asking a question.

In the same vein, Being a Good Communicator is a crucial trait in a leader. In order to minimize misunderstandings and delays in action, a leader needs to be able to relay what needs to be done in a succinct and concise manner. A good communicator takes into consideration the comprehension level of his or her audience and tweaks the delivery to suit them. In other words, a good communicator is able to adjust his or her technique to whatever suits the team best. A good communicator is also able to smooth out any conflicts that arise between team members.

All in all, being a leader is tough. Leaders have to shoulder the responsibility of seeing a project through and carrying their members beyond the expected result. The traits of self-confidence, empathy, decisiveness, adaptability, flexibility, goal orientation, patience, and good communication all serve as stepping stones for a leader to accomplish their tasks and further hone their skills for the future.

Different Viruses That Threaten Your Cyber Security

Crime has been an ever-present factor in our lives. It certainly has been the bane of our existence. With the advent of computer systems and working remotely, it was inevitable that criminal intent would evolve to meet our technological advancements. From the street to the cyber age, crime has definitely caught up. Our physical selves are no longer the target; it is our information that is at risk.

Cyber security, or computer security, is the protection of information systems from malicious intent or damage to the hardware, software, and the information the system holds. Disruption or misdirection of the normal services provided by a computer system is also a form of attack that strong cyber security processes prevent. One of the many forms of cyber threat is the virus. A good way to protect yourself and your system from any real damage is to have a basic knowledge of the different viruses that threaten your cyber security.

The most common type of virus that attacks your cyber security is the Macro Virus. It is written in the macro programming language built into a software application. The most common targets are word processors and spreadsheet applications. We all create documents and accounting spreadsheets in Microsoft Office, which is why it is a common target for those with ill intent. A macro virus is usually embedded within a document and runs the moment the document is opened. This is why you should never simply open attachments in emails. One of the key foundations of cyber security is having antivirus programs in place. They can detect macro viruses, yet newer and stronger variants are constantly being made, so detecting them can still be difficult.

Another type of virus is the Overwriting Virus. It is a program that infects and destroys the original code of a program or of the system’s memory. Such viruses are designed to attack the operating system (OS) and overwrite the data stored there. This sort of virus is considered more harmful because it targets core parts of a user’s system. It is usually acquired through file transfers and emails.

The Directory Virus does its damage by changing the paths that specify the location of a file. Often, when your system has been hit by this virus, it becomes difficult or impossible to locate the original files.

The Boot Virus attacks the boot sector of a hard disk or a bootable drive. The boot sector is a crucial part wherein the data on the disk or USB drive is stored along with the program that allows it to start up. The best way of avoiding boot viruses that compromise your cyber security is to ensure that your portable memory drives are protected and regularly scanned. Also, never start your computer with an unknown drive attached to it.

A Direct Action Virus selects one or several files to infect every time its code is executed. Its intent is to replicate itself and spread to other files whenever its program is activated. It often chooses files in the root directory of the system’s hard drive, the part responsible for particular actions when the system starts. In most cases, a direct action virus will not delete your system files or attempt to lower the overall performance of your computer. It will, however, block access to certain applications and files. The most effective defense cyber security has is a constantly running virus scanner that will not only locate and detect the virus but destroy it as well.

Your cyber security must always have these key ingredients: an anti-virus program, an anti-spyware program, a running firewall, constantly updated system software, an anti-spam program, and up-to-date backups of your data. Having these is sure to help protect your important data from those who wish to profit from your loss.

Tips on Computer Security

The world is full of scammers today that are going to try and trick you in a phone call or steal your information online.  As such, sometimes it can be hard to tell who is the real deal and who is trying to hurt you.  One of the places that you need to be most careful is your computer, and this is often the place that people are the most liberal.  If you’re looking for ways to clean up your technological life and its potentially dangerous parts, here are some great tips on computer security.

Get good quality protection

There are tons of free anti-virus software programs out there that you can look at for your computer.  While no one is arguing against the fact that free = awesome, there are some things that free programs won’t do that paid ones will.  So, compare the paid anti-virus software programs with the free ones and make sure that you are getting the exact same service.  If you see differences, make sure you go with the one that is going to actually help you out the most.  Free might be awesome, but it’s not worth anything if it doesn’t properly protect your computer.

Actually use it

This is the point right here.  When you get the anti-virus software installed on your computer, you have to make sure that you actually, you know, use it.  That means you need to keep the firewall on, and allow the computer to do its scans and updates regularly.  It’s understandable that you want to simply say “do later” when you have the option to allow it to happen, but that’s how you get into situations of vulnerability.  So, you need to make sure that you allow the scans and other tasks to happen on schedule.  One great option that doesn’t interfere with your day would be to allow it to do scans when you have finished your work and are done with your computer.  That way it can do its jobs without interfering in your day.  There are plenty of options to explore this idea properly.

Use discretion when visiting new websites

Even with your anti-virus in place, you must be careful when you are using new websites, even if they look fine and dandy.  Computer viruses are sneaky nowadays and it doesn’t take much to allow one through your firewall into your computer.  So, make sure you are on a good website and don’t click on anything unless you know for sure what you’re clicking on.

If something seems fishy, get out of there

On that same note, you have to remember to trust your gut as well as your computer skills.  If you are on a website and something seems fishy or strange, just close the browser and immediately do a scan.  It could be a new toolbar that pops up, or something strange that makes your computer sluggish all of a sudden…whatever this is, you have to make sure that you are careful in watching how everything comes together around you.  So, no matter what leads you to believe so, trust yourself to know when something is off, and get your computer safe from that website as quickly as possible.  You know so much about computers that the odds are that you’ll notice something is out of whack pretty soon after it happens.

Get a browser that will protect you

There are several browsers to choose from when you are picking the one that you use as your main one, and don’t be afraid to shop around and take a look at what’s out there.  Check online and compare them against each other.  The goal is to pick one that is going to take care of you in a rough patch, security-wise.  There are browsers out there that aren’t good for protecting you against a strange website (Internet Explorer, Safari) and others that tend to have a better understanding of the fact that you’re looking for protection against the weird websites that you may not detect as dangerous right away (Chrome, Firefox).  These browsers will automatically redirect you before you can go to strange websites and will let you know why and how they are doing this so that you can learn from the experience, too.  These are the ones that you are going to want to allow your computer to use for further protection.  Remember, it only takes one wrong click to potentially jeopardize your computer and all of your personal information.

Do deep scans regularly

The last thing about computer safety when it comes to your anti-virus protection is remembering that you need to make sure you allow your system to do the deep scans on a regular basis.  That is, those deep scans will want to go into every single file on your computer to make sure there is no virus hiding out and waiting to strike.  These take a while and tend to slow your computer down, so many people don’t allow them to happen very often.  This isn’t a good idea, however, and you need to make sure that you do, in fact, allow it to happen so that you can keep your computer protected.  These are critical for making sure that nothing is corrupted at all and your information is kept private and completely safe.

Computer security is getting harder to enforce as hackers get smarter and faster, and users of the internet get sloppier.  No one wants to think that way, but that is the way the world is headed without question.  So, use these tips to keep yourself safe and feel free to send them on to your friends and family so that they can get in on the idea, too.  There will be some who read this and think that it’s overkill, but you have to remember that your personal information is worth a lot more than you want to think, so take the extra precautions to keep yourself safe.

Today’s post sponsored by Newton Fire and Flood, the top fire damage repair company in Boston, MA.  They’re great people to work with!

Just Like Spotify

A close friend sent me this from his son – from YEARS ago.  Sounds a lot like Spotify doesn’t it?

The Rock Rhythm was founded by Luke, an intelligent entrepreneur, on December 26, 2005.  Luke was listening to the radio one day when he realized that he hardly liked anything that was played because none of it was rock.  On that day, he would create a business that sold solely rock music online.  The Rock Rhythm promises to provide high quality rock music at a low price (only fifty cents).

The Rock Rhythm is run by Luke and John.  This music business is an in-home business for both individuals.  John’s computer provides for the music storage because of its 250 GB hard drive.

From his house, John tracks the customer usage and purchases of songs to determine what type of songs appeal most to the customers.  Then, he creates a report with usage statistics of the music, through the use of Microsoft Excel 2003, and sends it to me.  I review the reports, and then search the internet and listen to the radio for new rock songs that the customer may enjoy, according to the reports.  After finding suitable music for our business, I send emails to the artists of those songs in order to obtain their permission to use and sell their songs.  In return for using their songs, I pay a small royalty, or fee, to them.  If the artist accepts the deal, I give John the go-ahead to retrieve the music and download it to his computer for our business’s usage.  In order to sell our music, we purchased a domain name from www.godaddy.com for only $8.95 per year, and used Yahoo’s free web-page builder to create the site.  After obtaining permission to use the songs, I immediately create a list of all of the new songs that I now have permission for.  I use Microsoft Excel 2003 to create the report, and in the report, I include the following: song name, artist, type of music within the rock genre, and where on the web the song can be found.  After John receives my report, he downloads all of the music to his computer, scanning them for viruses as they are completed.  He then uses a program called Gold Wave to copy each song and trim them into 30-second clips.  He then uploads the 30-second clips onto our website, so the customers can preview the songs before they buy them.  If a customer chooses to buy a song, he can pay for it using a credit card.  The customer’s billing information is sent directly to my computer, and I bill that customer for the songs he purchased.
Directly after I bill the customer, part of the money is automatically transferred to the account of the song’s artist (which I have on record), and the rest is divided evenly among our business’s multiple Key Bank accounts.  Another job of mine is very quick and easy; I am billed $8.95 each year to keep our domain name, so I send in a check.  Once the customer has paid for the song, the song is automatically unlocked for that customer to download from John’s computer.  The security programs on John’s computer protect him and his music so that the customer cannot upload anything harmful, but only download the song (one time).  Finally, at the end of each year, John and I get together and analyze our profits and our business in general.  We then decide together if we need to make any software or hardware purchases for our business.

This computer-based system provides for all of our company’s needs at the moment because our business is very small.  The only employees are John and I.  I take care of money and he takes care of the music, as explained above.  Computers make our jobs a lot easier because we can do almost all of the work on them.  One of the best features is the program Microsoft Money 2007, which we configured to automatically pay royalties and bill the accounts of the purchasing customers.  Also, since we have Road Runner internet connections, anything that needs to be done online, like management of the company website or management of our bank accounts at Key Bank, can be done very efficiently.  Software and hardware purchases that John and I deem necessary can also be purchased online at reduced prices.  If necessary, we can also buy cheap software and hardware from COMP USA, which is only about a mile from my house.  Really, the computer-based system allows John and me to remain in our houses.  In turn, this allows both of us more free time to maintain our company.  Lastly, at the end of each year, John and I review the most recent song usage reports that he created to decide which songs can be taken off our site.  The process of looking through the inventory and deleting songs takes about 3 work-days.  We usually work from 8 a.m. to 12 p.m. and from 1 p.m. to 3 p.m., Monday through Friday.

Over the next five years, I see our business growing a lot.  Radio stations such as channel 103.1 and many other alternative and modern rock stations are becoming increasingly popular.  Because of the rapid rate at which the music industry is growing, John and I will have to hire other people to help us do our job.  We will also have to purchase new computers to allow for more music storage and to allow our newly hired employees to split up the workload we have and make our business even more efficient.  At the moment, John’s computer has sufficient storage space, but in the future we will need more.  A building might have to be leased in the near future depending on the number of employees that we hire.  It would be easier to communicate to everyone if we were all in the same place.  Another possibility some time in the future is The Rock Rhythm combining forces with Apple.  That may not be for a while though because I, as the company representative, have to speak to Apple’s company representative to see if this is a feasible option.

These new changes will have a significant effect on our computer-based system.  First of all, we need to purchase new computers for storage and other business use.  The new computers will need to have upgraded sound software, large hard drives, and our Road Runner internet connections.  A lot of RAM will also be needed to allow for fast processing of information.  Basically, our computer-based system will need to include many more computers, all having the ability to access our company’s website and the capacity to do the work John and I have been doing by ourselves.  Security is going to be an issue with our larger computer-based system, so all of the computers will have to have multiple forms of security, including anti-spyware software, anti-virus software, and firewalls in order to protect our computers, music, and money.  All in all, our company is going to grow in size.  The profits of the past year will cover the expenses of the new workers, new computers, and the possible building that we will need.

10 Commandments of Security

Evaluating security in a corporation is a difficult task.  It’s an intense and continuous process involving technology and proper management.  However, it’s absolutely essential to staying alive in today’s business environment.  There are 10 commandments that one should follow that guide the decisions everyone should be making for the security of their businesses.  Let’s begin:

Define the policy

The security policy is a document that guides all data security in an organization.  It shouldn’t be a one-pager, but it can’t be 100 either – or no one will read it.  Write it; then present it.

Use security technology

Any network housing secure data (everything about your company and your people) needs to be protected.  That means installing the proper security measures, such as a firewall, spam filters, virus protection, etc.  The firewall blocks unknown connections to your system, the spam filters block garbage and pop-ups, and the virus protection gets rid of anything that happened to make it through.

Awareness

Everyone from the CEO to the janitor needs to be aware of how to use the system, how to avoid threats, and what they can do to prevent incidents.  Social engineering is becoming more and more difficult to spot, so it would be wise to implement training with examples of malware, email scams, and other things that corporations can face.  Numerous high profile companies like Target and Best Buy were hit in the past couple years due to poor awareness and poor security measures.

Monitor Data

Data is always stored.  The question is where.  Where are the servers located?  Who has access to that physical location?  What is your plan in case there is a breach at this location?  Even something as simple as the printer can be dangerous.  Many printers offer a secure-print feature; turn it on!

Upgrades

Keep your hardware and software up to date.  Security solutions from major providers like Norton, McAfee, and other industry players release frequent updates to ensure that you face less exposure to potential threats.  New issues are identified across the globe daily, and fixes are built into each release the company puts out.  Make sure you have the latest updates installed asap.

Everyone is accountable

The tech department is not the only one responsible for the company’s data; everyone is.  Provide the proper training and hold everyone in the organization accountable for safeguarding data.

Careful with access

Evaluate who should have what types of access.  Top access/administrator rights should be split among the IT leaders so that one person does not have full control of the system.  Additionally, system admin access should never be given to the average employee.  Carefully review and choose who should see what and create a policy that you will follow to the T.

Don’t be cheap

Security measures and products are put in place to protect the company.  Don’t sacrifice the security of the company because you were too cheap to buy the correct system.  Find a product/service that fits your needs and go with it.  Do not let money be the factor that causes you to pick a system that’s less than necessary.  The risk of loss is millions of dollars down the road with a poor system.

Security is continuous

Don’t leave security alone.  Security is a continuous process of monitoring how things are going, adjusting, and improving things going forward.  Continue to question processes and make them the strongest they can possibly be.

Understand the importance of information security

If you haven’t seen the news recently, you’ve missed high profile cases one after another where the CEO stated “I didn’t think it would happen to me” and the company lost millions of dollars.  Security breaches are very real and can happen to anyone.  For example, hackers managed to knock out the US government’s Department of Transportation website for a good 15 minutes this past year.  The threat is real.  Be prepared.

These are the 10 commandments of information security.  We hope you enjoyed them.  Stay vigilant.