All in Tips & Best Practices

Pharming

Pharming is a type of cyberattack that redirects a website’s traffic to a malicious site that appears to be the real site. Pharming is used frequently in phishing attacks to trick a victim into sharing login credentials, banking information, or other sensitive data with the attacker…

Vishing

Phone scams are almost as old as the telephone itself. In fact, most of us have likely been the target of a vishing attack but were not aware of the term vishing. According to Proofpoint’s 2020 State of the Phish Report, only 25% of those polled were able to accurately define the term vishing.

What Is Vishing?

The term vishing is a combination of the words voice and phishing (voice + phishing = vishing).

Vishing is a form of phishing that uses voice calls rather than email to trick a victim into divulging personal, sensitive or confidential information to an attacker...

What Is Smishing And How To Spot This Attack

Smishing is not a new tactic but given that worldwide mobile device traffic is up 222% in the past seven years, it’s no wonder we’re seeing an increase in attacks targeted at mobile devices.

The term smishing is a portmanteau that combines the term SMS (text messaging) and the word phishing (SMS + phishing = smishing). As you may have guessed, smishing is phishing that uses SMS and similar types of text messaging.

What Is Smishing?…

Breachstortion

A breachstortion attack consists of a malicious email which claims that the sender has breached the victim’s website or company network, copied data from their databases and moved that data to an offshore server. The email then threatens to post the data publicly unless the victim pays the ransom.

Unlike sextortion, a breachstortion attack does not…

Backups: Easy As F-A-V-E-1-2-3

Backing up data is something we have been told to do for decades, but it is neither exciting nor fun, and it is very easy to forget. Additionally, situations that require restoring a file from backup can be rare, so it’s easy to understand why many people don’t back up their files even though it’s an important part of life with computers. Think of backups like an insurance policy. You do it in case you need it and hope that you never need to use it.

As consumers and general computer and Internet users, we all have to be our own IT manager and system administrator which means that backups are an important part of our job. While we all know that we should back up our data, some of you may not know why we need these backups.

Domain Name Confusion

I don’t understand why companies, even tech companies, send email to employees and customers with links that use domain names that don’t match their normal, publicly known domain name. I have seen this happen in companies for years, where a department like HR finds a cloud vendor to do some training or to register for benefits. Instead of sending an email to employees from an internal email address, they let the vendor send email to employees with a link to an external, unfamiliar site. When you tell employees to not click on suspicious links, and then send them suspicious links, it undermines the whole security education program.

We can do better!

Phishing

Phishing is the attacker’s dependable, longtime friend. Around since at least 1995, phishing is used to trick people into providing credit card information, login IDs and passwords, and to gain access to your computer, protected systems and/or networks.

Today, Between The Hacks arms you with the following: phishing background, practical advice, realistic visual examples, and links to reliable resources.

Phishing Websites Use ReCAPTCHA To Thwart Detection

The world of cybersecurity is a constant cat and mouse game where attackers find new and creative ways to attack and the defenders discover those methods and figure out how to stop the attacks. The latest wrinkle in this spin around the hamster wheel was revealed by researchers at Barracuda Networks, who discovered that threat actors are now using, “reCAPTCHA walls to block URL scanning services from accessing the content of phishing pages.”

Is Working From Home A Threat To Your Home Network?

Your work computer might be the device that lets a threat actor into your home network. According to research conducted by cybersecurity companies, Arctic Security and Team Cymru, more than 50,000 U.S. organizations have sent their employees to a work from home environment with malware-infected computers.

On a corporate network, firewall rules and cybersecurity tools block certain types of traffic…

COVID-19 Cybersecurity Resources

These days it seems that all news stories are related to COVID-19, and that’s also true in the infosec/cybersecurity community. Over the past month, I have read many insightful articles about COVID-19 phishing attacks and scams, and I’ve weighed in on the topic myself. While “top ten” and other lists are popular news items, I realized I hadn’t seen many lists of resources for COVID-19-themed cybersecurity incidents. So, Between the Hacks spent part of this week researching and starting to compile a compendium of pandemic-specific cybersecurity resources. The goal is to raise awareness, to share tips to prevent becoming a victim, resources to get help if you, or someone you know, does become a victim, and also, some ways to help others during this global pandemic. As I learn of new resources, I’ll add them to this page.

Zoom Security & Privacy Tips

Zoom has made a lot of headlines recently as it has become the video conferencing tool of choice for many companies and individuals who found themselves suddenly quarantined at home due to the COVID-19 pandemic. Zoom’s daily active users jumped from 10 million to over 200 million in 3 months. The appeal of Zoom is that it’s easy to install, easy to use, has some fun features like virtual backgrounds, and its basic version is free. The free version allows for up to 100 participants to meet for a maximum of 40 minutes. This is certainly enough time for quick meetings with colleagues or catching up with friends and family. And if you need more time, just…

Business Email Compromise (BEC)

In the world of cybersecurity, there are some pretty creative and interesting terms such as phishing, juice-jacking, rainbow tables, credential stuffing, and botnet. However, there is one type of phishing attack that was given a name without anyone from a marketing team in the room. That is the Business Email Compromise (BEC). I almost fell asleep while typing that last sentence!

While the name is not very sexy, the attack is simple to execute and can be very costly to the victim. In fact, according to a 2018 FBI report, BEC attacks have earned scammers over 12 billion dollars. BEC is a type of phishing attack with the goal of tricking the victim into sending money…

The Six Days of Cybersecurity Gifts

This is the time of year when many of us wind down our busy work schedules and focus a little more on family and giving. In the spirit of giving, here are six cybersecurity gifts that you can buy for family, friends, or yourself.

Obligatory Disclaimer: I will not benefit in any way if readers purchase these products, they are just suggestions based on my use and testing.

HOME ROUTER

Your home router is the one device that protects your home’s digital assets from the dangers of the Internet. It is a very busy little device; constantly fighting off attacks and managing your…

Juice-Jacking: Trading Your Data for Power?

There are few things in everyday life that instill panic in us more than seeing the low battery indicator on our mobile phone. This is especially troubling during travel, when your mobile device might be frequently switching between cell towers and Wi-Fi and chewing up more battery than usual. To help us with this problem, charging stations have graciously been made available for free in many public places. While this free charge can breathe life back into our digital existence, it can also be the point at which your device becomes a victim of a cyber attack called juice-jacking.

What is Juice-Jacking?

Juice-jacking happens when someone connects their mobile device to a USB charging station that has been modified to not only charge the device, but to also copy data from…

Attack Of The Light Bulbs: How IoT Devices Are Used As Internet Weapons

With the rapidly changing world of connected devices, known as the Internet of Things (IoT), many people do not realize that these “things” are actually computers. The smart light bulb, the IP video camera, and possibly your new car, are all computers. They have operating systems (usually Linux), processors, memory and a network interface.

It is important to realize that these “things” are computers because you need to protect them from cybersecurity attacks the same way that you protect a standard computer. All computers, including all IoT devices, have vulnerabilities. When those vulnerabilities are discovered and vendors release patches, frequently it is the end user who is responsible for installing those patches. Left unpatched, the IoT device is vulnerable to attack.

Most of the big software companies like Microsoft, Apple, and Google have automatic patching systems that push patches out to vulnerable computers running their software, but most IoT devices do not. Even many home routers are not patched automatically which leaves home networks vulnerable to attack because they are directly connected to the Internet and are not behind a firewall.

So why would someone want to attack your IoT devices? Do attackers really want access to your light bulbs? You may be surprised that the answer is yes.

Rainbow Tables: The Password Conundrum Part 4

In the fourth and final post in this series on passwords, I’ll talk to you about rainbow tables. I think the best way to get people to create and use good passwords is to teach them how passwords are cracked.

Long ago, when UNIX-like systems were used as shared servers and most people logged into them with “dumb terminals”, users could see who else had accounts on the system. This was convenient, especially in work or academic environments, and acted as a directory of sorts. So if Alice wanted to send an email message to Bob, she would just log on to the system and look at a file called /etc/passwd. This file showed each person’s username, name, and other information. This file also contained each user’s password in the form of something called a hash. Trend Micro explains that, “Hash values can be thought of as fingerprints for files”. The hash is a mathematical representation of the password that cannot be reversed or

Multi-Factor Authentication: The Password Conundrum Part 3

In part 1 of the Password Conundrum, we talked about how we all hate passwords and how we can never remember a strong, unique password for every website, system, and application that we use.

In part 2, we talked about how a password manager can solve this problem and make your digital life much easier and more secure.

In part 3, I’ll explain multi-factor authentication and how to use it.

You don’t need an MFA (Master of Fine Arts) degree to use MFA (multi-factor authentication). Sorry for the acronym humor. MFA requires a user to provide an additional means of authentication or verification, in addition to entering a username and password. 

Before we delve into MFA, let’s talk quickly about authentication.

How Attackers Access Your Accounts Using Credential Stuffing

Almost every day we see headlines about some sort of data breach. The public is now almost numb to this news, and the reaction by the end users whose credentials were lost is typically to reset their password and move on.

This is likely not good enough for most people, because, according to a January 2019 study by Yubico and Ponemon, 51 percent of the respondents reuse their passwords across multiple accounts.

So why is it bad to reuse passwords across multiple accounts? Because bad guys will take that long list of usernames and passwords from data breaches, and use them in an attack called credential stuffing. I know, this sounds like a bad Thanksgiving side dish full of conference badges. Trust me, it’s worse!

Password Managers (The Password Conundrum: Part 2)

In part 1 of the Password Conundrum, we talked about how we all hate passwords and how the crazy cybersecurity wonks tell us that we have to do unreasonable things like:

  1. Make passwords that are so complex that you can’t possibly remember them (long and multiple character sets)

  2. Make a unique password for every one of the tens or hundreds of sites and applications that we use, oh, and they all have to be long and strong, which means we won’t remember them.

Today we are going to explain how you can achieve this and actually make your life more secure and much easier than back when you had to remember all of those passwords or look them up on a spreadsheet on your computer’s desktop. Enter, the Password Manager!