Data breaches help crooks targeting you. Prepare to fight back

When a big data breach makes the news, there’s one thing that can get lost in the noise — the harm that hacking causes regular people like you. Experts tend to focus on the number of people whose records hackers stole, or whether the breached company could have prevented the hack. Those are important questions, but you can be forgiven for wondering what they have to do with you. What, really, is the worst that could happen to you personally?
Plenty, according to consumer advocates. That’s because data breaches make crimes such as identity theft and other scams much easier for criminals to carry out. That includes the blockbuster data breaches of 2018, like when sophisticated attackers breached millions of Facebook accounts in September, when a hacker accessed information from 27 million Ticketfly accounts in May, or when a database of information on 19.4 million California voters held by the Sacramento Bee was stolen and held for ransom.
After your data gets stolen, it often goes up for sale on black market websites, where criminals can buy it and then pretend to be you.
“With the invention of the internet, we’ve built this Amazon for fraudsters,” said Eva Velasquez, president of the Identity Theft Resource Center.
But you don’t see that part of the equation happen. Maybe you hear about a data breach, and then later you experience identity theft. What happened in between is anyone’s guess.


The 10 most common Windows security vulnerabilities

Most Windows networks, including yours, have a number of security holes. Fortunately, though, many of these holes can be filled quickly and easily before they pose a major threat to your business-critical data. In this tip, learn what security expert Kevin Beaver feels are the 10 most common and correctable Windows security vulnerabilities.

We all know that Windows-based systems have plenty of potential security risks. But are your systems vulnerable? Likely so. Any given network is chock full of Windows vulnerabilities. It’s a law of nature and a side effect of doing business using networked computers. But with the thousands of Windows vulnerabilities in the wild, what do you really need to focus your efforts on? Well, let me share with you the Windows-based weaknesses I’m seeing most often in my work — things that can get you in a bind if you ignore them.

Here’s my top 10 list:

  • File and share permissions that give up everything to everyone — This is easily the biggest vulnerability I’m seeing with Windows systems regardless of the type of system or Windows version. Users who create shares to make their local files available across the network are typically the culprits. Sometimes it’s careless admins; other times they’re honest mistakes. Unfortunately, all too often the “Everyone group” is given full access to every file on the system. Then, all it takes is for an insider to search for sensitive keywords stored in .pdf, .xls, .doc and other file formats using a text search tool such as Effective File Search or FileLocator Pro. Odds are — nearly 100% of the time — the attacker will come across sensitive information (SSNs, credit card numbers, you name it) that they shouldn’t have access to. Best case scenario, this is an identity theft in the making. Worst case, this becomes a serious breach that makes the headlines.
  • Lack of malware protection — I know, I know, it’s really basic but I’m seeing it more now than ever. I’ve seen antivirus and antispyware software both disabled and not installed at all with no one being aware of the problem.
  • Lack of personal firewall protection — This is another basic security control that’s still not enabled on many Windows systems. Even the basic (and free) Windows Firewall can prevent connections to the IPC$ and ADMIN$ shares that are often open and providing information and access that they shouldn’t be divulging. Personal firewalls can also block malware infiltrations, wireless intrusions and more. I can’t think of a good reason not to use a personal firewall on all workstations and most servers.
  • Weak or nonexistent drive encryption — The drive encryption marketing machine is working its magic, but I’m still seeing the majority of organizations (large and small) not using encryption. I’m of the belief that whole-disk encryption is the only way to go. If a laptop or desktop machine is lost or stolen, the only way to prevent someone from cracking the Windows password and gaining full access to the hard drive is to encrypt everything using reasonable passphrases. Relying on Windows Encrypted File System (EFS) or other file/directory/volume-level encryption puts too much security control in the hands of users and is a breach waiting to happen.
  • No minimum security standards — Users with wireless networks, especially, need to follow secure company policies at their homes, like requiring SSL for Outlook Web Access, a PPTP VPN connection for remote network connectivity or WPA-PSK with a strong passphrase to help ensure everything is safe and sound. This can be tough to enforce without a workstation-based wireless IDS/IPS (typically a component of an enterprise wireless management system) or a well-configured Network Access Control (NAC) system. Nevertheless, make it your policy and enforce it wherever possible.
  • Missing patches in Windows as well as third-party software, such as VNC, RealPlayer and others — This is a big problem that often gets overlooked. I’m not saying you should try to find these types of holes just to claim that patches are missing. Using Metasploit or its commercial alternatives CANVAS and CORE IMPACT, many missing patches can actually be exploited by a rogue insider or outsider who’s gotten into your network via other means. Full remote access anyone?
  • Weak Windows security policy settings — Some examples of this include audit logging that is not being enabled for failed events; no password-protected screensavers; not requiring Ctrl+Alt+Del for login; not requiring password complexity; and displaying the last user name that logged in. Policies to control these issues are easy to implement locally on each Windows system for smaller Windows shops not running Active Directory. It’s even easier for larger enterprises via Active Directory Group Policy.
  • Unaccounted for systems running unknown, and unmanaged, services such as IIS and SQL Server Express — These are often legacy Windows systems that aren’t within the scope of enterprise security and compliance. Sometimes, they’re not even supported by third-party security management apps so they get pushed aside. These systems (typically Windows 98, NT and 2000) are often unhardened and unpatched and are waiting to be exploited. Inevitably there’s going to be some random training or test system that everyone forgot about. But such a system is all it takes for someone with ill intent to get onto your network and do bad things.
  • Weak or nonexistent passwords — I can’t tell you how many systems (especially Windows laptops) I see that do not have a password assigned to the Administrator account or the default user’s password is the same as the user name. The password problem has been around since the dawn of time, so there’s no excuse for this one.
  • Windows Mobile and other mobile device weaknesses — In today’s mobile world, I’d be remiss to not at least mention the vulnerabilities associated with Windows Mobile and similar mobile devices. Some mobile-specific issues are essential to have on your radar. In a tip called Windows mobile security: Get it locked down, I outline several things to consider.
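
For the first item on the list, an administrator can audit their own file servers for shares that hand write access to broad groups. The script below is an added example, not part of the original tip; the list of "broad" principals and the function name Get-OverlyOpenShare are assumptions, and it relies on the SmbShare module (Windows 8 / Server 2012 and later) from an elevated prompt.

```powershell
# Principals treated as "open to everyone" (assumed list, English names;
# adjust for your locale and add groups such as DOMAIN\Domain Users).
$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$WriteBits = [System.Security.AccessControl.FileSystemRights]::Write

function Get-OverlyOpenShare {
    # -Special $false skips the administrative shares (ADMIN$, C$, IPC$).
    foreach ($share in Get-SmbShare -Special $false) {
        # Share-level ACL: Full or Change granted to a broad principal.
        Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                [string]$_.AccessRight -in 'Full', 'Change' -and
                $_.AccountName -in $BroadPrincipals
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Share = $share.Name; Path = $share.Path; Layer = 'Share'
                    Principal = $_.AccountName; Rights = $_.AccessRight
                }
            }

        # NTFS ACL on the share root: allow entries that include any write bit.
        # ACEs stored as generic rights (shown as raw numbers) are not decoded here.
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            (Get-Acl -LiteralPath $share.Path).Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -band $WriteBits) -and
                    $_.IdentityReference.Value -in $BroadPrincipals
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                        Principal = $_.IdentityReference.Value; Rights = $_.FileSystemRights
                    }
                }
        }
    }
}

Get-OverlyOpenShare | Sort-Object Share, Layer | Format-Table -AutoSize
```

A share is only as open as the stricter of its two layers, so a row for both `Share` and `NTFS` on the same share is the combination to fix first. The NTFS check covers the share root only; subfolders with broken inheritance need a recursive pass.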

In order to find these vulnerabilities, you’re going to need good tools, including port scanners and system enumeration tools, such as SuperScan or, ideally, vulnerability scanners that do it in one fell swoop, such as QualysGuard. An easy-to-use network analyzer such as OmniPeek or CommView is a must, and so is a good hex editor. Last, but certainly not least, you’ll have to use your own expertise to manually analyze your systems to check for weaknesses. It’s easy to verify whether malware protection is installed but not so simple to determine just how weak file permissions, missing Group Policies and the like can be exploited.
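
Several of the weak policy settings named in the list can be checked directly on a machine. The following is an added example, not from the original tip: it exports the local security policy with secedit.exe and compares four settings against the values the list implies. The function name Test-BaselinePolicy and the pass criteria are assumptions, and it must run from an elevated prompt.

```powershell
function Test-BaselinePolicy {
    # Export account policy, audit policy and security options to a temp INF file.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null

    # Collect "Name = Value" lines; section headers such as [System Access] are skipped.
    $policy = @{}
    foreach ($line in Get-Content -LiteralPath $cfg) {
        if ($line -match '^\s*([^=\[]+?)\s*=\s*(.*)$') {
            $policy[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    Remove-Item -LiteralPath $cfg -Force

    $sys = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    # Registry values are exported as "type,data"; return only the data part.
    $reg = { param($name) $v = $policy["$sys\$name"]; if ($v) { ($v -split ',', 2)[1] } }

    $checks = @(
        @{ Setting = 'Password complexity required'
           Actual = $policy['PasswordComplexity']; Expected = '1' }
        # 0 = none, 1 = success, 2 = failure, 3 = both; failures must be audited.
        @{ Setting = 'Failed logons audited'
           Actual = $policy['AuditLogonEvents']; Expected = '2', '3' }
        @{ Setting = 'Ctrl+Alt+Del required at logon'
           Actual = (& $reg 'DisableCAD'); Expected = '0' }
        @{ Setting = 'Last user name hidden'
           Actual = (& $reg 'DontDisplayLastUserName'); Expected = '1' }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting = $c.Setting
            Actual  = if ($null -eq $c.Actual) { '(not set)' } else { $c.Actual }
            Pass    = $c.Actual -in $c.Expected
        }
    }
}

Test-BaselinePolicy | Format-Table -AutoSize
```

Screensaver locking is a per-user setting and is not in this export. `AuditLogonEvents` reflects the legacy audit policy, so on systems that use advanced audit policy, confirm the result with `auditpol /get /category:*`.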

Now that you know what to focus on, you can start finding out what’s what. The bottom line is to know what’s on your systems and what can be done with your systems. This is the recipe for a secure Windows environment.

Yahoo hit in worst hack ever, 500 million accounts swiped

Hackers swiped personal information associated with at least a half billion Yahoo accounts, the internet giant said Thursday, marking the biggest data breach in history.

The hack, which took place in 2014, revealed names, email addresses, phone numbers, birth dates and, in some cases, security questions and answers, Yahoo said in a press release. Encrypted passwords, which are jumbled so only a person with the right passcode can read them, were also taken.

The internet pioneer, which is in the process of selling itself to Verizon, said it’s “working closely” with law enforcement. It called the hackers a “state-sponsored actor,” though it didn’t identify a country behind the breach.

Yahoo urged users to change their passwords if they haven’t since 2014. The company has 1 billion monthly active users for all its internet services, which span finance, online shopping and fantasy football. Its mail service alone has about 225 million monthly active users, Yahoo told CNET in June.

The hack serves as a reminder of how widespread hacking is and highlights the vulnerability of passwords. Cybersecurity specialists recommend using a different password for each account you have on the internet. Other experts are working on alternatives to passwords, such as biometrics like your fingerprint or retina.

“Cybercriminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud,” said Brett McDowell, executive director of the FIDO Alliance, an organization that vets the security of password alternatives. “We need to take that ability away from criminals, and the only way to do that is to stop relying on passwords altogether.”

Verizon, which is paying $4.83 billion for Yahoo, said it was notified of the massive breach within the last two days. The telecommunications giant had “limited information and understanding of the impact,” according to a statement.

“We will evaluate, as the investigation continues, through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” Verizon said.

B. Riley & Co. analyst Sameet Sinha told The Wall Street Journal the breach was unlikely to affect the sale to Verizon.

Virginia Sen. Mark Warner, a member of the newly formed Senate Cybersecurity Caucus, criticized Yahoo for not discovering the breach when it originally happened in 2014.