Home » Blog » hacking

Tag: hacking

Https now

It’s Official: Your Business NEEDS to Use HTTPS

You may have noticed many business websites now have a green padlock in the address bar next to the letters ‘https’. Until recently, you’d only see that on shopping or banking sites, but it’s now become the expected norm for all business websites – even if you don’t ask people to log in or enter credit cards. Simply put, the ‘s’ in https stands for secure and means any data sent/received by the visitor is encrypted.

Clearly, it’s an essential feature for e-commerce sites, but why have all the info-only websites started using https too?

The New Google Rule

As of July 2018, Google will mark your page as insecure unless you’re using https. It’s a movement they started a few years ago to make the internet a more secure place by default. Since Google pretty much rule the internet search and increasing security is always a good idea, businesses have been gradually switching over. Without https protection, someone with access to your internet connection, whether from digital eavesdropping or hacking, could intercept the information. They could also place malware onto otherwise legitimate sites and infect innocent visitors. That’s why eighty-one of the top 100 sites online have already switched to https and a strong majority of the web is following suit.

The Browser Bar Says It All

In the same way a green padlock in the browser bar indicates a trustworthy site, you can expect non-https sites to be marked with a “not secure” warning. Previously, users had to click an information symbol to actively investigate non-secure sites. The shift to plain sight markers will be most noticeable on Chrome, however it’s expected that other browser developers will follow suit. Visitors may then be alarmed by landing on your site and seeing that the connection isn’t secure.

The fact that you may not be asking them to log in, enter personal details or payment is irrelevant. You may not be asking them to enter anything at all, but perceptions matter. Eventually that warning will be changed to an alarming red as Google declares war on unsecure sites. As the common understanding is that a warning = bad, you may get more visitors bouncing away within seconds or even contacting you to report that your site has a problem.

Boosts for Secure Sites

Google is taking its commitment to safe web browsing further by favoring https. That means the search algorithm is taking your site security into account, preferring to display results that it knows will protect users from hackers. Since https status gets the nod, you may find yourself climbing in the ranking while other businesses scramble to catch up. It really is a win-win situation.

What to Do Next

In an ideal world, your site would have a secret switch on the back-end you could flick over and suddenly be https, but it’s a little more complicated than that. In fact, you may have already noticed some sites experiencing trouble with the migration. When the setup goes wrong, users don’t see your website with a little warning in the corner, they’re blocked by a full page error and offered a return to ‘safety’ (away from your site).

The easiest way to make the move to https is to contact your IT technician or web developer, as they’ll be able to make sure you’re keeping Google happy and rolling in the green.

We can migrate your site to https – call us today at 570-779-4018

Getting tech new business

How to Securely Dispose of Old Computers

Getting new computers for your business is exciting, but what happens to the old ones? Depending on the age, some people sell them, others throw them out. That’s the easy part. The problem is the sensitive data on them. There are passwords, account numbers, license keys, customer details, medical information, tax returns, browser history…. the works! Each computer, whether laptop, tablet or desktop, contains a treasure trove of sensitive information that cybercriminals would love to get their hands on.

Unfortunately, hitting delete on your files doesn’t actually make them disappear, nor does waving a strong magnet over the drive. These mistakes have cost businesses millions of dollars over the years.

Most businesses are unaware that specialized data cleanup is necessary, others think calling someone to collect the computers will cover all the bases. A 2016 experiment proved just how dangerous the situation can be when they bought 200 used hard drives and found 67% held unwiped, unencrypted sensitive data, including sales projection spreadsheets, CRM records, and product inventories. Frighteningly, they didn’t need any special hacking skills to get this data, it was all right there and helpfully labeled. It’s also not surprising that with simple data recovery tools, people have also been able to access British NHS medical records and missile data, all waiting patiently on a discarded hard drive.

Why hitting delete doesn’t help

Data on a hard drive works like a book with an index page. Every time data is written, it pops a quick entry into the index so when you need it again, it knows where to look. The index is used for files you create as well as system files you can’t even see. Sensible, right? Except if you delete a file it’s more like changing the index to say nothing is on page 10 and you can write something else there when you’re ready. But if you manually flip to page 10, you’ll find the information is still there – the file still exists until it’s been written over – it’s the index reference that got deleted.

Wiping data before disposal

There are software tools you can get to do it yourself, as well as dedicated security firms, but your best option is to choose an IT business you know and trust. With that in mind, a methodical approach is required to ensure not a single drive is left untreated. You don’t want to leave data behind, or even clues that a motivated person could extrapolate any private information from. The approach might include using checklists to maintain security, or dedicated processes to guide each step in decommissioning. Careful records should also be kept, including who signs off on completion of the retirement, and where the computers are sent afterwards. A proper inventory and auditing process may slow the rollout of the new computers slightly, but it’s always better than having your old data come back to haunt you.

We can migrate any needed data, backup the information to your server or external drive, then wipe or destroy the hard drives for you. We can assess the age of your old computers and either dispose of them for you or point you in the right direction of computer recyclers. Plus, the quicker you dispose of your old computers, the easier the process will be. Recyclers will be able to send less of your equipment to landfill, and you’ll be less likely to forget how valuable the drive contents are.

Upgrading your business computers should be a happy time for you and your employees, so with a little forward planning, you’ll be able to keep everyone smiling and all your data secure.

Need help with your old hardware? Call us today at 570-779-4018

6 Simple Tips to Protect Your Customer Data

As cyber-attacks continue to make headlines, hackers are exposing or selling customer data files in record numbers. But just like with any threat, there are actions you can take to minimize risk and ensure your business retains a positive reputation among customers.

  1. Stop using the same password on repeat. Set a mandate for all staff that passwords must be unique for each user and for your workplace. That means it can’t be remotely like the one on their home PC, tablet or online banking. Passwords are hacked more than ever, so when you’re prompted for a password change, dig deep and really think about what goes into a hacker-proof password. If remembering them is a problem, consider one of the latest password management tools.
  2. Go on a shredding spree. How much sensitive data is being dumped into the recycling bin? Valuable customer data is often taken from the bins of small businesses and quickly sold or published. It’s not just good practice to shred sensitive documents, it’s the law. Take 5 seconds to run documents through the shredder or book in the services of a secure shredding company.
  3. Ditch the accounting spreadsheets. Still using an Excel doc for all your number-crunching? Besides making your accountant’s job harder (and more expensive), you’re opening your business to a massive range of vulnerabilities. Even with password-protection, spreadsheets aren’t designed to safeguard your financials or those of your clients. Upgrade to a proper accounting solution with built-in customer data protections and security guarantees.
  4. Train staff explicitly. You can’t rely on common sense because what you think is a given might be news to someone else. It can be extremely beneficial to hold special data-safety training sessions once or twice a year as a reminder, as well as take the time to induct new staff into the way things are done.
  5. Limit access to data. Just like the bank manager who guards the keys to the vault, you can limit who accesses your data. Revoke employee access as soon as they leave your business for good, and set rules around who can access what – and when. Do they need access to sensitive information while working from home? Should they be able to change the files, or only view them?
  6. Keep your software updated. Possibly the most preventable hack, having outdated software can be an open invitation for cyber-criminals. They look for known weaknesses in business software and waltz right in. While the nagging pop-ups and reminders to update can feel like a selling ploy, they’re actually helping your business to stay in the safe zone. Updated software gives you protection against new viruses and hacking techniques, plus closes off those nasty weaknesses.

If you would like to make sure your business is secure from data breaches, give us a call!

How to Make Computer Issues A Thing of the Past

We repair many computers and laptops each week, but unfortunately this is often ‘closing the barn door after the horse has bolted’. Computers have a habit of dying at the worst possible time – like when an important project is due tomorrow, or before you copy family photos to a backup. We’ve combined our repair services with preventative measures to ensure this doesn’t happen to you. Our managed IT services can remotely take care of all the computers in your house, protecting you against both threats and system failure.

Anti-virus always up-to-date: While many homes have anti-virus software installed, they don’t often have the latest virus and threat definitions. These systems are at risk every minute they spend online, as the anti-virus simply will not pick up and stop an unknown threat.

New viruses and hacking threats arise every day, and there are entire companies dedicated to creating anti-virus updates to catch them. We can make sure your anti-virus definitions are always up-to-date, keeping your computer secure against even the newest viruses.

Software patches: Hackers like to spend their time figuring out new ways to break into computer systems. Software companies like Microsoft and Apple release regular patches to close these security holes. The patches are supposed to be applied automatically, but we often find that isn’t the case – patches didn’t download, were canceled or produced an error. Our services involve remotely checking that each patch has been applied successfully, and troubleshooting if required. As an added advantage, any time new features are packaged into an update, you’ll find them already installed for you.

Early failure detection: Some parts in your computer send out alarm bells when they’re about to die. Unfortunately, they’re not literal alarm bells (that would be too convenient), but information in the background that needs to be interpreted or manually checked. We can monitor these and advise repairs as required.

Data protection: Hard drives which store your information do eventually wear out, but they’re one of the parts that send out early failure warnings. We can monitor this and give you ample warning so that you have time to back up your important files. When it’s time, we’ll work with you to arrange drive replacement, making sure to either clone or re-install your operating system, whichever suits your needs best.

Tune-ups: Even the most cared for computer will slow down over time. Hard drives become cluttered, operating systems corrupt and ghosts of uninstalled programs still remain. We can remotely schedule and run a regular maintenance routine that will keep your system running in top condition and lightning speeds.

Our managed IT service happens entirely behind the scenes, so there is no disruption to your experience. You simply enjoy the benefits of having your own IT specialist team at one flat, low cost. You and your family continue to use your computer/s as normal, the only difference is problems are fixed BEFORE they happen and your system has the very best security against threats.

Start with managed IT services today. Call us at 570-779-4018

Ransomware: It is not just a scare tactic

It is not just a scare tactic, and it is not going away

Ransomware activity continues to rise, and it doesn’t appear to be slowing down for 2017. In 2016 it spiked by 6000%, and it is on track to be a 1 billion dollar a year “business.” IBM study.

Software teams are building ransomware kits to sell on the Dark Web. RaaS (Ransomware as a service!) is a thing. This means there are illegal companies making money from designing kits to build ransomware. So, not only are criminals making money from ransomware, the distributors don’t even have to be good at programming or hacking to do it. There is enough of a demand that a small team of programmers is making money from selling the software to commit the crime. It is also making it extremely hard for old fashion virus scanners to catch the activity because each criminal is adding their own twist.

How it happens

  • Phishing email
  • user clicks on link or attachment
  • ransomware makes contact
  • C&C server generates & retrieves an encryption key
  • ransomware scans infected a machine, looking for files
  • ransom demand
  • connects to other machines and infects them
  • ransomware builds an inventory of encrypted files
  • scan other machines over the network

Business Targeting

It used to be consumers or simplistic shotgunning techniques. Now there is more and more direct targeting. Business targets make sense to the bad guys. Consumers or individuals might just start from scratch, but businesses are more likely to pay a ransom. It is much more lucrative form them to target small business.

Spearphishing

Spearphishing is direct targeting your personal account using techniques to fool you into trusting the source. The criminal could use social media sites to gather information. The email may be crafted specifically for you and may even look like it comes from a person you know. One click is all it takes. And it isn’t just email anymore. Messaging, texting, and other apps can lead to infection.

 

 

What do you do about it?

Backup! Backup! Backup!

Step number one should be making sure your backup is up to date and ready to be restored. One “newer” option is DRaaS (disaster recovery as a service) but even a simple disk backup is better than nothing. Regardless, you need to spend time analyzing your current setup and determining if you need to take further steps to protect your data. If you have multiple, granular, safe and secure backups and can restore your data, you don’t have to pay the ransom.

Updates!

Keep your devices and systems on the latest version and patches. This should include firmware. Less exploitable software and devices mean that if you do get infected, it is less likely to spread.

Endpoint Protection!

Yes, you still need endpoint protection. While signature based isn’t what it used to be, companies are making strides and it is still worthwhile. You should look for something with anti-malware, anti-ransomware, and anti-exploit features. And you should protect all your devices: Mobile, desktops, laptops, physical and virtual servers.

Network/Gateway Security 

This should include some type of email protection even if you are using an outside source (Gmail, Office 365, Hosted solution) to host your email. You should also have a firewall with a strong IPS/IDS (intrusion protection system/intrusion detection system). Use VPNs whenever possible. This includes cloud and virtual. Do not make the mistake of assuming that these technologies make your network safer.

Also, please do not use a consumer class gateway/firewall. And if you insist on using one, change the default password!

Establish a Security Policy

This one may sound simple but it is possibly the most important and hardest to implement. You need to train your users. You need to train yourself. You need to have plans in place in case something does happen.

Ransomware: It's is not just a scare tactic
Ransomware: It is not just a scare tactic

What to do if you think you have been hacked

What should you do if you think you have been hacked? Is there a new big site that has been hacked in the news? Not a surprise. What about those small sites that don’t even know they have been hacked that never make the news? Is something strange going on with one of your accounts?

First and foremost, change your passwords. If you use the same password for your e-mail as your hacked account, change it immediately before you doing anything else. You should use different passwords for different accounts. Especially your e-mail account!

 

How do you know?

Check your account activity. Does your account say you have done something or purchased something that you know you did not? Has your contact information or any other settings been altered in any way?

Check your inbox and deleted items.  Have you signed up for new services that you don’t remember signing up for?

Is your computer or device running slower than usual or behaving in odd ways? Use a malware scanner and virus scanner to check your devices thoroughly.

These could all be signs that you have been hacked. Even if these don’t appear in your accounts or computer, but you know you logged into one of those big sites in the news, reset your passwords anyway.

 

Reset your passwords

Make sure you use different complex passwords at each site.  Especially your e-mail account! Did I type that already?  Of course, I did! It is important. One of the easiest ways to keep track of and generate complex passwords is with a password manager.  Check our password manager article out here. Password managers like LastPass can be integrated into your workplace.  I still love LastPass and even use it on my phone now. If you used unique complex passwords at all your sites, you would only have to worry about the hacked one.

Not sure what password to use or what is a complex password?  Try these links:  Microsoft password checker, Password Generator

Use two-factor (2FA) authentication whenever possible. You should be thinking about your email here! Most of the big free email providers offer some level of 2FA. Also, consider using biometrics to ease the pain of entering passwords.

If it is too late and someone else changed your passwords, most of the major services have a system to recover your accounts. Rember that part about 2FA and using a different password for your e-mail? Well here is where it can really help since most of these services send a link to your email.

 

Let other people know

You should let your contacts know you think you have been hacked. One the way hackers attempt to use your hacked accounts is by sending messages or e-mails to people that trust you. They are more likely to follow a link or believe something you sent.

 

De-Authorize your apps

If you were hacked, there is a good chance the hacker logged into a device and authorized apps too.  This means even if you change your password, they will still have access.  You can usually find this feature under the security settings of the service you allowed access too.  Here are links to the big ones: Google, Facebook, and Twitter.