(817) 439-3051

Technology

Small and Midsized Businesses Continue to to Be Common Targets in Ransomware Attacks

Ransomware attacks are still common and costly for small and midsized businesses. Discover how cybercriminals usually deliver these attacks and how to defend against them.

Ransomware continues to pose a significant threat to small and midsized businesses, according to a Datto survey of 2,400 managed service providers (MSPs). More than half of the MSPs reported that a least one of their clients experienced a ransomware attack in the first half of 2018. Although the average ransom was only $4,300, the attacks cost the businesses an average of $46,800 due to the downtime they caused.

How the Attacks Were Delivered

The Datto study explored how the ransomware was delivered to the small and midsized businesses. It found that the top three delivery methods were:

  1. Phishing emails. Cybercriminals often send phishing emails to employees at small and midsized businesses to spread ransomware. These emails use a convincing pretense to lure recipients into clicking a link or opening an attachment. All it takes is one employee to fall for the ruse to initiate a ransomware attack.
  2. Malicious websites or ads. To deliver ransomware, hackers build malicious websites or post malicious ads (aka malvertising) on legitimate sites. If employees visit one of these sites, code is installed on their computers without their knowledge. The code then kicks off a series of events that can ultimately lead to a companywide ransomware infection.
  3. Web pages often include clickbait — text links (“You won’t believe …”) and thumbnail image links designed to entice people to follow a link to web content on another web page. While clickbait is typically used to increase page views and generate ad revenue, cybercriminals sometimes use it to send people to malicious websites that spread ransomware.

Because all three delivery methods depend on someone performing an action (e.g., clicking a link), it is important for small and midsized businesses to teach employees about the hidden dangers associated with seemingly innocuous actions.

Key Elements to Cover When Educating Employees about Ransomware

While each company will want to customize its ransomware training program to meet the its unique needs, it is a good idea to cover the basics:

  • Let employees know what ransomware is and the methods cybercriminals commonly use to spread it (e.g., phishing emails, clickbait).
  • Discuss the elements commonly found in phishing emails, such as generic greetings, spoofed email addresses, and messages that try to create a sense of urgency (i.e., act now or pay the consequences). If employees know about these common elements, they will be better able to spot any phishing emails that make it through email filters.
  • Warn employees about the dangers of clicking links and opening attachments in emails, especially if they are from unknown senders.
  • Show employees real-world examples of clickbait and let them know the dangers that might be lurking if they are enticed into clicking the links.
  • Stress the importance of avoiding any web content flagged as a potential security threat by web browsers or security software, as it might contain malvertising or other malicious code.

Other Measures to Take

Businesses need take other measures as well, such as regularly updating their computers’ software so known vulnerabilities are patched. Equally important, they need to make sure they have restorable backups of their data in case a ransomware attack occurs.

We can make sure that your business has covered all the bases so that it will be protected from ransomware and other types of cyberattacks.

Office 2019 or Office 365: Which Is a Better Fit for Your Business?

It’s the new year and it’s a good time to evaluate operational needs. If you are in the market for an Office suite, you now can choose between Office 2019 and Office 365. Find out the main differences between these offerings so that you can make an informed decision about which is best for your company.

Do you want to replace an old version of Microsoft Office on your company’s computers or add this productivity suite to some new machines? If so, you might be wondering whether it is better to use Office 2019, which Microsoft released in the fall of 2018, or Office 365. Here is what you need to know to make the best decision for your business.

The Fundamental Differences

There are a few fundamental differences between Office 2019 or Office 365:

Office 2019. Office 2019 is an on-premises product that you purchase upfront for use on a single computer. You can use this suite’s apps for as long as you want – whether it is three years or three decades. However, Microsoft will not be offering any upgrade options for Office 2019 in the future. This means that if you want to upgrade to the next major on-premises Office release (say Office 2022), you will have to buy it at full price. (Despite rumors to the contrary, Office 2019 will not be the last on-premises version of Office, according to company officials.)

Microsoft offers three Office 2019 suites available through volume licensing: Office Professional Plus 2019, Office Standard 2019, and Office Standard 2019 for Mac. If you need fewer than five licenses, you can use Office Professional 2019 or Office Home & Business 2019, both of which are licensed for business use.

All these suites (except Office Standard 2019 for Mac) need to run on Windows 10 computers. So, if you are running older Windows versions on your computers, you will not be able to use Office 2019.

If you have Mac computers, you can use either Office Standard 2019 for Mac or Office Home & Business 2019. These suites are compatible with the three most recent versions of macOS, which are 10.14, 10.13, and 10.12 at the time of this writing. The next time Apple releases a new major version of macOS (say 10.15), Microsoft will drop support for the oldest of the three versions (10.12) and support the newest version and its two predecessors (10.15, 10.14, and 10.13). The Office apps will still work on computers running the dropped version (10.12), but the apps will not receive any updates.

Office 365. Office 365 is a cloud service that you subscribe to on a per-user basis. Businesses have many subscription plans from which to choose, based how many employees need to use Office 365 and the apps, services, and other options those users will need. With most of the business subscription plans, each licensed user can install the Office apps on five desktop computers (Windows or Mac), five tablets, and five smartphones. With Office 365, you do not need to worry upgrading because users will always have the most up-to-date versions of the apps.

Office 365 is billed either monthly or annually. You pay a higher per-user fee if you choose to pay each month. When you stop paying, the users’ licenses to run the Office apps expire. The apps that are installed on users’ devices do not immediately stop working, though. They usually continue to work for 30 days thanks to a grace period.

Unlike Office 2019, Office 365 will work on computers running older versions of Windows. Office 365 is compatible with Windows 10, Windows 8.1, Windows 7 Service Pack 1, and the two most recent versions of macOS.

Functionality and Support

Not surprisingly, Office 2019 offers more functionality than its predecessor Office 2016. For example, in Office 2019, Microsoft added a text-to-speech feature to Word and funnel charts to Excel.

However, Office 2019 provides less functionality than the current Office 365 apps. The Office 2019 apps do not include many of the cloud- and artificial intelligence (AI)-based features that Microsoft has added to Office 365 apps the past few years. For instance, in Office 2019, Word does not include the Editor feature, even though it is available in the Word app provided through Office 365. This feature uses machine learning and natural language processing to make suggestions on how to improve your writing.

Further, with Office 2019, you will not get any new features delivered through updates. The updates will include only security and stability patches. In contrast, Microsoft will continue to add new features to Office 365 through updates. These updates will also include security and stability patches.

There is another difference in how Microsoft supports Office 2019 compared to Office 365. As long as you subscribe to Office 365, you will receive mainstream support. With Office 2019, Microsoft will provide only five years of mainstream support and two years of extended support.

The Bottom Line

What is best for your company will largely depend on your comfort level with cloud computing. If you are comfortable with using cloud services, subscribing to Office 365 might make more sense. It offers more features and better support than Office 2019. Plus, Office 365 apps work on older versions of Windows. However, Office 2019 is a viable alternative if using cloud services is not a good fit for your business. Contact us if you have any questions about Office 365 or Office 2019.

7 Reasons Why IT Projects Fail
7 Reasons Why IT Projects Fail

Projects frequently fail in businesses. Here are seven common reasons why IT projects fail and how you can avoid these pitfalls.

Having projects that fail is common in businesses. In one 2018 study, the Project Management Institute surveyed more than 5,500 companies and found that 15% of the projects they started failed. And these failures were costly — 9.9% of every dollar invested was wasted due to poor project performance.

Learning from other teams’ mistakes is one way to avoid failed projects. Here are seven common reasons why IT projects fail and how you can avoid making the same mistakes:

  1. Undefined Deliverables

While most project teams define the objectives for their IT projects, some teams do not define the projects’ deliverables. A common reason for this oversight is the belief that objectives and deliverables are referring to the same thing.

While objectives and deliverables are closely related, they are not synonymous. The objective describes what a team plans to accomplish with its project. Deliverables are things (e.g., reports, plans, processes, products) that the team will produce to enable the objective to be achieved. For example, suppose a project’s objective is to replace old printers with ones that will better meet the business’s needs. The deliverables might include a report detailing current and projected printer usage needs, an analysis determining whether it is best to buy or lease the printers, evaluations of at least three printer suppliers, a signed contract, installation of the printers, a training program for employees on how to use the new printers, and so on. A larger project might need separate objectives and deliverables for each phase in it.

Because deliverables often build on each other, they provide a roadmap that the team can follow to achieve the project’s objective. Deliverables also help the team more accurately estimate the time, resources, and funding needed to complete it.

  1. IT Project Too Large

Tackling IT projects that are too large in scope is a common reason why they fail. Large projects require large amounts of time, money, and resources to complete — all of which might be in short supply, especially in small and midsized businesses.

Projects with smaller scopes are typically more manageable and have a greater chance of success. So, for example, instead of undertaking a project to create a set of IT policies, it is better to narrow the scope by having the team create just the acceptable use policy. When that project is done, the team can then tackle the privacy policy, and so on.

It is important to note that an IT project might start out with a manageable scope, but then “scope creep” sets in. For instance, if a team is working on developing an intranet site for employees, having an ever-growing list of “must-have” and “nice-to-have” features might expand the project’s scope to the point where it is unmanageable. While changes to a project’s scope are sometimes necessary, they should be kept to a minimum. Significant changes might necessitate the need for the team to revise its deliverables, schedule, and budget.

  1. Unrealistic Schedules and Budgets

Sometimes, teams do not realize how much time or money will be required to complete IT projects. Other times, they are simply too optimistic.

Not taking the time to get accurate estimates of how much time and money a project will require can result in projects being late and overbudget. Even worse, it could lead to poor-quality deliverables. If a project’s schedule is unrealistic, people might rush to get things done or take shortcuts. Similarly, people might cut corners if a project’s budget is too small.

Having well-defined deliverables will help in the creation of realistic schedules and budgets. It’s important to build in a little extra time and money, though, in case any surprises pop up.

  1. Not involving the Right People

An IT project can run into trouble if the people involved do not have the necessary skills and knowledge. For example, having a technician head a project because he is knowledgeable in the project area can lead to failure if that person has no experience in managing projects or teams. Conversely, if no one on the team is knowledgeable about the latest IT technologies, the team might not consider a technology that could potentially be a good fit for the company.

It is important to make sure that each person involved in the project is capable of completing their assigned role. It is also important to make sure that at least one person on the team has sufficient IT knowledge in the project area. If no one in the company has the necessary know-how, the team should consider bringing in an outside expert.

  1. No Central Repository for Communications

For a project team to be successful, its members must be able to communicate effectively with each other and with other people inside their companies. To do so, they need good communication skills as well as effective communication tools.

Besides holding team meetings, project team members often use email to communicate with each other. While this is an effective tool, the emails are stored in the members’ inboxes, making it hard for other people (e.g., a new team member) to access the information discussed in them. Plus, if a team member forgets to copy the entire team on an email, some people might be inadvertently kept out of the loop.

A better approach is to have a central repository for project communications. This could be as simple as having project members store copies of their project-related emails in a shared folder on the company’s network. Ideally, though, teams should use collaboration software that enables them to communicate and collaborate with each other and that stores their communications and work in a central location.

  1. Not Monitoring and Tracking Progress

It is important monitor and track a project’s progress in terms of deliverables met, costs, and schedule. If a team fails to do so, a small glitch could turn into a big problem later on.

While manually monitoring and tracking a project is possible, it would be time-consuming. A better solution is to use project management software. That way, the team will always know exactly where the project stands and how much time and money has been spent on it thus far.

  1. Not Enough Testing

IT projects often include deliverables such as IT systems and IT products. Failure to thoroughly test these types of deliverables can result in their failure once they are implemented.

The team should not wait until the end of the project to conduct the tests. Testing needs to start early and be done often. This will allow small problems to be fixed before they grow into significant problems that will take much more time and money to fix.

 


Two PHP Versions Are Being Terminated, Putting Millions of Websites at Risk
Two PHP Versions Are Being Terminated, Putting Millions of Websites at Risk

In December 2018, PHP 7.0 and 5.6 are reaching the end of their lifecycles. Find out what PHP is and why it is so important to upgrade it.

Even though you might not have heard of PHP, you probably have seen it in action. Websites use this coding language to dynamically generate web pages, retrieve the data people enter into web forms, and perform numerous other tasks. Almost 80% of websites use PHP because it is quick, works well on sites of any size, and is open source. However, most of these websites are using versions that will soon become a security liability.

In December 2018, two PHP versions are reaching the end of their lifecycles, which means security updates will no longer be issued for them. Here are the dates to remember:

  • On December 3, PHP 7.0 is being terminated.
  • On December 31, PHP 5.6 is reaching the end of its lifecycle. The security support for this version was extended an extra year due to its popularity. More than 40% of websites use PHP 5.6. There are currently around 200 million active websites, so about 80 million of them are using PHP 5.6.

Note that PHP went directly from version 5.6 to version 7.0. There was never an official release of PHP 6.

Why It Is Important to Upgrade

WordPress, Joomla, Drupal, and other content management systems (CMSs) use PHP, so your business’s website might be using PHP without you realizing it. If your site is using PHP 5.6 or 7.0, you should upgrade it to a more recent version as soon as possible. At the time of this writing, PHP 7.2 is the most current version, with PHP 7.3 scheduled for release sometime in December 2018.

Upgrading is important. If your website is using PHP 5.6 or 7.0, it will be more vulnerable to new attack vectors because security updates will no longer be issued for these PHP versions. To make matters worse, hackers often keep track of when versions of popular technologies like PHP reach the end of their lifecycles. Once that day arrives, they intentionally launch new attacks that target the unsupported technology.

Besides being more secure, your website will also be faster if you upgrade, thanks to performance enhancements in the newer versions. For example, PHP 7.2 runs 20% faster than version 7.0 and 260% faster than PHP 5.6, according to Phoronix.

What to Do

Upgrading to a newer version of PHP is not always an easy task, which could explain why so many websites are using older versions. There are several reasons why an upgrade might be complex.

For starters, PHP is a server-side coding language, which means it runs at the server level. So, you need to make sure your hosting provider or your web server is running the PHP version you want to use. If you have a hosting provider and it does not support the desired PHP version, you will need to ask them to do so. If they refuse, you might consider switching to a provider that does offer it. If you have a web server and it is not running the desired PHP version, the PHP software will need to be updated.

You also need to make sure that your website’s software is compatible with the desired PHP version. This includes not only the CMS software but also other programs, such as plugins, themes, extensions, and templates. Any noncompatible software will need to be upgraded. If the software developer does not support the PHP version you want to use, you will need to ask them to update the software or switch to a program that does support it.

Finally, while configuring a website to use the desired PHP version is just a matter of selecting it in the appropriate spot in the site’s settings, the site needs to thoroughly tested afterward to make sure it runs smoothly. It is essential to have a backup of the site before the upgrade in the event there are significant problems encountered during or after the update.

Don’t Let Your Business’s Website Become an Easy Target for Hackers

Upgrading to a newer PHP version can be a lot of work, but we can handle the hassle for you. That way, it won’t become an easy target for hackers.

Why Cryptojacking Is More Dangerous Than Many Businesses Realize
Why Cryptojacking Is More Dangerous Than Many Businesses Realize

Compared to ransomware or data breaches, cryptojacking might seem like a minor annoyance.  Learn how it is changing and what you can do to guard against it.

Cryptojacking might not seem as dangerous as ransomware or data breaches since cybercriminals are stealing a computer’s processing power rather than money or data. However, companies that dismiss this threat might be putting their businesses at risk. Cryptojacking malware is becoming increasingly sophisticated, which could spell trouble for companies unprepared for it.

The Changing Face of Cryptojacking

Cryptojacking was born from people’s need for more computing power so they could mine (aka earn) cryptocurrencies such as Bitcoin and Monero. These “miners” typically used website scripts that siphoned processing power from a visitor’s computer, without that individual’s knowledge or consent. When the person left the site, the siphoning stopped.

It wasn’t long before cybercriminals started using these scripts to get computing power for their exploits. Sometimes, they added these scripts to their own malicious web pages. Other times, they hacked into legitimate sites and insert the scripts there.

Since cybercriminals have entered the scene, cryptojacking malware has become more sophisticated. In addition, the hackers are becoming more creative in ways to deliver it.

Take, for example, the cryptojacking malware known as PowerGhost. When it was first discovered in July 2018, Kaspersky Lab researchers found that cybercriminals used phishing emails to gain initial access to a computer. Once the machine was infected, the malware used credential-stealing and remote-administration tools to spread itself to other machines in the local network. To make matters worse, some newer versions of PowerGhost have the ability to disable antivirus programs such as Windows Defender.

Another sophisticated program is PyRoMine, which Fortinet researchers found in April 2018. Besides stealing processing power, it creates a backdoor account with administrator-level privileges, enables the Remote Desktop Protocol (RDP), opens the RDP port in the Windows Firewall, and makes several other system changes so that the cybercriminals can remotely access the computer at a later time. The program even configures the Windows Remote Management Service to allow the transfer of unencrypted data.

As PowerGhost and PyRoMine illustrate, cryptojacking malware can create footholds in computers that hackers can later exploit. They could, for example, use these footholds to infect the computers with a different kind of malicious program, such as ransomware.

This might already be taking place. Companies infected by cryptojacking malware were found to have a larger number of other types of malware infections compared to businesses that did not experience any cryptojacking attacks, according to Fortinet’s “Quarterly Threat Landscape Report” for Q3 2018. However, this is only circumstantial evidence that cryptojacking leads to other malware attacks, which the Fortinet researchers acknowledged. They noted, “We attempted to establish a definitive causal relationship, and while those tests showed statistically significant results, they fell short of the burden of proof needed for a guilty conviction.” The researchers are planning to further explore this relationship in future reports.

How to Guard against Cryptojacking

In the past, you just had to prevent malicious scripts from running in web browsers to guard against cryptojacking. Nowadays, a more widescale approach is needed, including:

  • Making sure that computers’ operating system software and apps are updated so that known security vulnerabilities are patched. Both PowerGhost and PyRoMine exploit unpatched security vulnerabilities in Windows operating system software to create their footholds.
  • Making sure your security software is up-to-date. This can help guard against known cryptojacking code. It can also help protect computers from other types of malware that might be installed through footholds created by cryptojacking malware.
  • Educating employees about phishing emails and unsafe web browsing habits. As PowerGhost demonstrates, phishing emails can be used to gain initial access to a computer. So, employees need to know the dangers associated with clicking links in emails and opening files attached to them. Similarly, they should be taught about unsafe browsing habits, such as clicking links without knowing where they lead and visiting questionable websites.
  • Using ad or script blockers in web browsers to prevent malicious scripts from loading. There are also third-party tools available that are designed specifically for blocking cryptojacking scripts.
  • Inspecting your website. If your business hosts a website, you might want to make sure that hackers have not placed a cryptojacking script on it.

There are also other measures you can take, such as monitoring your computer systems and network for unusual activity. We can evaluate your business and provide specific recommendations on how to defend against cryptojacking and other types of malware.

Find Out Whether You Are a Data Breach Victim in a Minute or Less
Find Out Whether You Are a Data Breach Victim in a Minute or Less

Mozilla has introduced Firefox Monitor, a free tool that you can use to see if your email address has been compromised in any data breaches. Discover how simple it is to use this tool.

Anyone can use this free tool to see whether their email address has been compromised in any publicly known data breaches. If so, details about that data breach are included, such as when it occurred and the types of personal data exposed.

Mozilla partnered with Troy Hunt, who runs the “Have I Been Pwned?” website, to create this tool. Hunt is providing the database against which entered email addresses are checked. The database contains more than 5.5 billion email addresses that have been exposed through real-life data breaches. It is updated regularly.

When you use the tool, your email address and privacy are protected by means of a data anonymization technique known as k-anonymity. Your email address is not saved unless you specifically allow it.


How to Use the Tool

Using Firefox Monitor is quick and easy. To find out whether your email address has been compromised, you just need to:

  1. Go to https://monitor.firefox.com/.
  2. Enter your email address.
  3. Click the “Scan” button.

You will then see the results. You have the option of signing up for the free Firefox Monitor service. If you subscribe to this service, Mozilla will check your email address against those exposed in any newly reported data breaches and will notify you by email if it was compromised. When you sign up for this service, Mozilla stores your email address. (If you just use the tool, Mozilla does not save it.)


What to Do If Your Email Has Been Breached

If Firefox Monitor reports that your email address has been compromised in a data breach, you should take steps to protect yourself. A good starting point is to:

  • Change your password for that account. Make sure it is strong and unique.
  • Change your security questions and answers (Q&As) if you set them. Giving incorrect or nonsensical answers is best. If you do not feel comfortable doing this, be sure to select questions whose answers are not easily found on social media sites or through web searches.
  • Make sure you did not use the same email address-password combination for other accounts. If you did, change those passwords and Q&As as well.
  • Consider using two-factor authentication, especially for financial accounts. Many websites now offer this feature.

Contact us if you have any questions or specific concerns.

4 Misconceptions about Tech Support Scams
4 Misconceptions about Tech Support Scams

Despite being common, there are many misconceptions about tech support scams. Not knowing the truth can result in falling victim to this type of fraud. Here are four misconceptions set straight.

Tech support scams are common and costly. In 2017 alone, around 11,000 victims filed complaints with the Internet Crime Complaint Center (IC3). They reported losing nearly $15 million, which represents an 86% increase in losses compared to 2016.

Even though tech support scams are common, there are many misconceptions about them. Knowing the truth can help you become more adept at recognizing and avoiding this type of fraud. Toward that end, here are four misconceptions set straight:

  1. Tech Support Scammers Always Call

In the past, scammers frequently cold-called potential victims. They often identified themselves as tech support staff from a well-known tech company such as Microsoft. They then spun a tale of how they detected a problem on the person’s computer that should be fixed immediately, which they offered to do.

Nowadays, scammers are more apt to use other means to reach potential victims, including:

  • Pop-ups. When people visit a website, a message pops up that says their computers are infected with malware, have an expired software license, or have some other problem. The visitors are then urged to call a bogus hotline or go to a fake online tech support center to get the problem fixed.
  • Phishing emails. People receive emails that do not mention anything about their computers having a problem. Instead, some other pretense is used to try to get them to click a link. For example, security researchers found that some phishing emails were made to look like notifications from online retailers (e.g., Amazon) and professional social-networking sites (e.g., LinkedIn). Clicking the linking sent people to a malicious website that mimicked the legitimate one that supposedly sent the email. The site then deployed various scare tactics (e.g., pop-up messages saying there is a malware infection) to trick people into calling or visiting a phony tech support center.
  • Redirects to bogus tech support websites. In some cases, malicious ads (or links in other types of web content) redirect visitors to tech support scam sites. According to security researchers, these malicious ads are usually found in questionable websites, such as those that host illegal copies of media and software.
  1. If It’s Free, It Isn’t a Scam

The goal of many tech support scams is to make money. Scammers try to con you into paying for bogus software or services. Having someone notify you, out of the blue, that your computer has a serious problem, which they can fix — for a price — is a classic sign of a tech support scam.

However, you cannot assume the person is legitimate if they offer to fix the problem for free. Sometimes scammers have different goals. For example, they might want to change the settings on your computer so that it becomes part of a botnet. Or, they might want you to install their free software because it contains spyware.

  1. Baby Boomers Are Most Likely to Fall Victim to Tech Support Scams

A common misconception is that Baby Boomers are most likely to fall victim to tech support scams because they are less familiar with technology. However, a 2018 Microsoft study found that Gen Z’ers and Millennials are twice as likely to initially fall for a tech scam (e.g., click a link in a phishing email or call the number given in a pop-up) than Baby Boomers. And the Gen Z’ers and Millennials are five times more likely to lose money to tech support scammers (e.g., pay the digital con artists for bogus software or services).

The researchers attribute the higher vulnerability of Gen Z’ers and Millennials to several factors:

  • They engage in more risky online activities (e.g., use torrent sites, download movies, music, and videos) than the older generations.
  • They tend to be overconfident in their online abilities, causing them to be less cautious and more susceptible to scams. In the study, the Gen Z’ers and Millennials gave themselves high ratings in web and computer expertise.
  • They are more likely to believe that it is normal for reputable tech companies to make unsolicited contact than the older generations. In the study, 33% of the Millennials and 30% of the Gen Z’ers said unsolicited contact was normal compared to 18% of the Baby Boomers and 22% of the Gen X’ers.
  1. It’s Difficult to Defend against Tech Support Scams

Fortunately, the notion that it is hard to defend against tech support scams is a misconception rather than the truth. Besides understanding how tech support scams work, you can take some surprisingly simple measures to protect yourself.

For starters, you should not disable your web browser’s pop-up blocker. Most modern browsers automatically block pop-ups. For example, Google Chrome blocks not only pop-ups but also redirects by default. Manually disabling this functionality might result in you seeing more messages that try to scare you into calling or visiting a bogus tech support center.

Equally important, you should not visit questionable websites. Plus, you should heed the security warnings issued by your web browser and security software. These programs often flag or block content they know or suspect is unsafe. Resisting the urge to visit questionable sites and access flagged or blocked content can help reduce the number of tech support scam pop-ups and malicious ads in your web browser.

Another measure you can take is making sure your email app, web browser, and security software are being updated regularly. These programs are typically configured to automatically update, but it is a good idea to make sure that is the case. With the updates installed, they will be better able to identify and deal with security issues. For example, email apps usually include filtering tools that help weed out phishing emails. The more current the filtering tools, the more effective your email app will be at snagging phishing emails. Similarly, your browser and security software will be better able to identify unsafe content when they are updated.

You also might consider using ad blockers to eliminate the malicious ads that could send you to bogus tech support sites. These programs remove or alter all advertising content on web pages. Some ad blockers replace ads with content, such as news. Others simply leave holes where the ads would have been. However, there is one caveat with ad blockers. They might inadvertently block non-ad content, causing web pages to display improperly or not at all.

There are other, more-advanced measures you can take to protect yourself from tech support scams, such as using advanced email filtering solutions. If you would like to learn about these measures, contact us.

IoT Devices Might Not Look Like a Computer, But They Can Be Just as Dangerous
IoT Devices Might Not Look Like a Computer, But They Can Be Just as Dangerous

Installing an IoT-ready security camera or outfitting a crucial production system with IoT technology can put a business in harm’s way. Learn about the security risks that IoT devices can pose and how to mitigate those risks.

On October 9, 2018, security researchers at SEC Consult revealed that millions of security cameras and other video surveillance equipment could be easily hijacked by cybercriminals. And just a few days later, numerous PlayStation 4 (PS4) owners reported that their gaming consoles were crashing after receiving a malicious message on them.

These events might seem unrelated, but they are the result of a common problem: inadequate security in devices that connect to the web, which are referred to as Internet of Things (IoT) devices. These devices connect to the Internet so that they can transmit and receive data. In some cases, products have IoT technology built into them, like security cameras and gaming consoles. In other cases, IoT technology is added to existing equipment or systems. For instance, IoT devices can be added to production processes and heating and cooling systems.

Companies are increasingly using IoT devices to monitor and control various elements in their businesses. However, many of them do not realize they need to protect those devices from cyberattacks. That’s because people usually envision computers and smartphones, not security cameras or thermostats, when thinking about cybersecurity.

Businesses taking advantage of IoT devices need to know about the security risks they can pose and how to mitigate those risks.


The Risks

IoT devices often have security vulnerabilities that make them easy targets for hackers. For example, the devices might ship with default passwords that are easy to crack or the manufacturers might issue firmware updates that are easy to spoof.

Sometimes, devices have multiple security issues. This is what the SEC Consult researchers found when they investigated the video surveillance equipment manufactured by Hangzhou Xiongmai Technology. They discovered that the company’s IoT-ready video surveillance devices have several vulnerabilities, many of which are related to a feature called the XMEye P2P Cloud.

Th XMEye feature enables device owners to view video feeds in a web browser or mobile app in real time. To take advantage of it, the owners have to create XMEye accounts. These accounts are riddled with problems, including:

  • All new accounts are admin accounts that have the default username of admin with no default password set. Device owners are not prompted to change the default username or add a password during the initial account setup process. Owners who do not change the username and add a password are leaving their accounts wide open to cyberattacks. Besides viewing video streams, hackers would be able to change the device’s configuration and issue firmware updates. Since Hangzhou Xiongmai Technology does not sign its firmware updates, cybercriminals could issue bogus updates that contain malware.
  • A second undocumented account exists. The account’s username is default and the password is tluafed (the word “default” spelled backward). Anyone logging in with this undocumented user account can view the device’s video streams.

These vulnerabilities are present in all the security cameras, digital video recorders, and network video recorders manufactured by Hangzhou Xiongmai Technology. However, the manufacturer’s name is not on any of the devices. Hangzhou Xiongmai Technology sells its devices to other companies, which put their logos on the equipment. Thus, people who have these IoT devices might not even realize they are at risk. (You can find a list of the 100+ brand names the devices are sold under on the SEC Consult researchers’ blog.)

Some manufacturers act responsibly and include security measures in their IoT devices. However, even these devices can be risky because of the actions (or inactions) of the device owners. For instance, IoT device owners might create weak account passwords or not install firmware updates. The PS4 incident provides a good example of the latter. Sony quickly released a firmware update to fix the bug that allowed the malicious message to crash the gaming console. However, users who do not have their consoles configured for automatic updates will still be at risk if they fail to manually install this update.


Help Is on the Way

Steps are being taken to address the fact that many IoT devices have security vulnerabilities. For instance, in September 2018, California became the first US state to pass an IoT security law. It mandates that IoT devices manufacturers include reasonable security features that protect the devices and any data contained in them. The law goes into effect on January 1, 2020.

Similarly, in October 2018, the UK government published the finalized “Code of Practice” for IoT security. It contains 13 guidelines for IoT device manufacturers to follow to ensure that their devices are secure by design and compliant with the European Union’s General Data Protection Regulation (GDPR).


How to Protect IoT Devices in the Meantime

Although steps are being taken to encourage IoT device manufacturers to build more secure devices, many IoT devices have been and will continue to be built with no security features in place. If these devices are not secured properly, they can put a company at risk, especially when they are connected to the network that hosts the business’s critical data and applications.

As a result, companies need to secure their IoT devices, just like they secure the computers in their IT environments. A good place to start is to:

  • Change each IoT device’s default password to a unique, strong one.
  • Disable any features that are not being used in the IoT devices.
  • Place the IoT devices behind firewalls so that they do not connect directly to the Internet.
  • Isolate IoT devices from the business network.
  • Install patches or upgrades when the manufacturer provides them.
  • Use a virtual private network (VPN) if remote access to the IoT devices is required.
  • Include IoT devices in IT policies.

If your business is using any IoT devices, we can determine whether they are posing a risk to your business and help you develop a comprehensive strategy to protect them from cybercriminals.

5 Things to Try in Windows 10 after the October 2018 Update Is Installed
5 Things to Try in Windows 10 after the October 2018 Update Is Installed

The Windows 10 October 2018 Update includes many new features and enhancements. Here are five notable ones that you might find useful.

Microsoft officially released another major update for Windows 10 on October 2, 2018. Like previous updates, the Windows 10 October 2018 Update includes many new features and enhancements. Here are five notable ones you might want to try once the update is installed on your computer:


  1. Souped-Up Clipboard

The October 2018 Update soups up the Windows Clipboard with new history and syncing features. Thanks to the history feature, you can now copy and store multiple items (text and images) on the Clipboard. When you want to paste one of those items, you simply press Win+V to open up the Clipboard’s history window and select the item you want to paste. (If you are unfamiliar with keyboard shortcuts, Win+V indicates that you press the Windows key and the letter v on your keyboard at the same time.)

With the syncing feature, you can copy text and images on one Windows 10 computer and paste them on another one. This can come in handy if you regularly use multiple devices, such as a Windows 10 desktop computer and a Windows 10 laptop computer.

Before you can take advantage of the history and syncing features, though, you need to enable them in in Windows 10’s Settings app. You can find them by clicking “System” in the Settings app and selecting the “Clipboard” option.


  1. “Make text bigger” Slider

Before the October 2018 Update, you could make text bigger in Windows 10 by changing the overall scaling. This made everything bigger, including text and images. With the new “Make text bigger” slider introduced in the October 2018 Update, you can make just the text larger. The overall scaling remains the same. (You can still change the overall scaling, though, if desired.)

You can find the “Make text bigger” slider in the Settings app. After you open the app, select “Ease of Access” and click the “Display” option.


  1. Snip & Sketch App

The new Snip & Sketch app lets you capture and mark up screenshots. It combines the functionality found in Windows 10’s Snipping Tool and the Screen Sketch app (which was originally part of Windows Ink Workspace).

Snip & Sketch lets you take rectangular, freeform, and full-screen shots of items on your screen. Once created, you can use a stylus (on touch-enabled devices) or a mouse to annotate the screenshot. There are various markup tools, such as a pencil and a marker, which you can customize by changing their color and thickness.

Although Snip & Sketch was designed to replace the Snipping Tool, the Snipping Tool will still be present after the October 2018 Update is installed, according to Microsoft. In the future, though, the Snipping Tool will likely disappear from Windows 10.


  1. Your Phone App

After the October 2018 Update is installed, you will have an app named Your Phone on your Windows 10 computer. The app lets you link and sync a Google Android smartphone with your Windows 10 computer. When you do so, you can view and send Android text messages from your computer. You can also access your phone’s photos, which means you do not have to email photos to yourself to get them on your computer.

If this seems familiar, you are not having a case of de ja vu. Your Phone has been available in Microsoft’s App Store since August 2018. Plus, since the Fall Creators Update (which was released in October 2017), you have been able to link an Android phone or Apple iPhone to a Windows 10 computer in order to send web pages from your phone to your computer. This enables you to see the web pages on a larger screen without having to email yourself a link or manually search for the sites. You can continue to do this through the Your Phone app introduced in the October 2018 Update.

You can install the Your Phone app on an iPhone. However, sending web pages is pretty much all you can do at the present time. You cannot access photos or send text messages from your computer like you can with an Android phone. This might change in the future, though.


  1. Power Usage Tracking in Task Manager

You can now see how much power each app and process is consuming on your Windows 10 computer, thanks to the October 2018 Update. Two columns have been added to the “Processes” tab in Task Manager:

  • “Power Usage”, which conveys how much power each app and process is currently using
  • “Power Usage Trend”, which indicates how much power each app and process has used in the past two minutes

Task Manager does not give you an exact measurement but rather an indicator such as “Very Low” and “Low”. This information can be helpful when you want to get an idea of how much power your apps are consuming. Plus, the new power usage columns might flag when a cryptojacking script is siphoning a computer’s processing power. In this type of attack, cybercriminals steal computers’ processing power to mine cryptocurrencies.

1 Out of Every 101 Emails Is Sent by a Hacker
1 Out of Every 101 Emails Is Sent by a Hacker

Does your business receive hundreds of emails each day? If so, there is a good chance some of them have been sent by hackers. Find out how to protect your business from malicious emails.


Most businesses receive hundreds of emails each day — and there is a good chance some of them have been sent by hackers. After analyzing more than 500 million emails sent in the first half of 2018, FireEye researchers found that 1 out of every 101 emails sent is malicious. Spam is not included in this count. It includes only those emails sent by cybercriminals with the express purpose of pilfering money, stealing data, or compromising systems.

The vast majority (90%) of the malicious emails do not contain any malware, but they are far from being benign. They can be just as dangerous as those containing malware.

Hackers Are Using Both Old and New Tricks in Malware-Less Emails

Not surprisingly, around 80% of the malware-less emails were phishing attacks. In this type of attack, cybercriminals try to trick recipients into performing an action, such as clicking a link that leads to a malicious website. Phishing emails are generic so that they can be sent to a large number of targets, which is why the researchers found so many of them.

The remaining 20% of the malware-less emails were impersonation scams. These highly personalized emails try to con recipients into transferring money or revealing sensitive information. Cybercriminals spend a lot of time researching their targets in order to create legitimate-looking emails. Because these emails appear to be normal traffic, it is harder for email security solutions to detect them.

One of the cybercriminals’ favorite type of impersonation email is the business email compromise (BEC) scam. In this type of attack, cybercriminals masquerade as executives, supplier representatives, and other business professionals to con companies out of money. In 2017, hackers stole more than $675 million from US businesses using BEC scams.

While the researchers found that hackers were still using old favorites like the BEC scam, they also discovered a new type of impersonation scam: impersonation emails that led to phishing sites, where login credentials were harvested or malware was uploaded to victims’ computers. By including phishing links, hackers can send out vaguer emails to a larger number of targets. Because these emails still include some personalization, the recipients are more likely to think the emails are from trusted sources and click the link compared to generic phishing attacks. As a result, the email open rate for this new type of impersonation email is similar to that for highly personalized impersonation emails, according to the researchers.

Common Ways in Which Hackers Try to Deceive Recipients

In both the new and old types of impersonation emails, the cybercriminals typically manipulate the entry in the “From” field to trick recipients into believing the messages are from legitimate senders. The techniques include:

  • Spoofing the display name of an email address (e.g., Jane Doe)
  • Spoofing the username (the portion before the @ sign) of an email address (e.g., JaneDoe@)
  • Creating and using a domain (the portion after the @ sign) that is similar to a legitimate one (e.g., @paypa1.com, @secure-paypal.com)

How to Protect Your Business from Malicious Emails

To protect your business from impersonation and phishing attacks as well as emails containing malware, you can use the stop, educate, and mitigate strategy:

Stop as many malicious emails as you can from reaching employees. To do so, you need to keep your company’s email filtering and anti-malware tools up-to-date. They can capture many phishing and malware-laden emails. You might even want to explore getting an email security solution that uses advanced technologies to catch malicious emails. In addition, make sure that employees’ email addresses and other potentially sensitive information (e.g., job titles) are not publicly available.

Educate employees so they can spot any malicious emails that reach their inboxes. While email filters often snag phishing attacks, they are not as good at stopping impersonation emails. Plus, most anti-malware software is only effective against known malware strains. Thus, it is important to educate employees about the types of malicious emails they might encounter and how to spot them (e.g., check for spoofed names in an email’s “From” field). As part of this training, be sure to inform them about the risks associated with clicking email links and opening email attachments. Plus, let them know how hackers find the information they need to personalize impersonation emails (e.g., social engineering).

Mitigate the effects of successful email attacks. Cybercriminals keep coming up with new ways to pilfer money, steal data, and compromise systems using email, so your company might fall victim to an attack despite everyone’s best efforts to prevent it. Taking a few preemptive measures might help mitigate the effects of a successful email attack. For example, since obtaining login credentials is the goal of many phishing emails, you should make sure each business account has a unique, strong password. That way, if a phishing scam provides hackers with the password for one account, they won’t be able to access any other accounts with it. Equally important, you need to perform backups regularly and make sure they can be restored. This will enable you to get your data back if an employee inadvertently initiates a ransomware attack by clicking a link in an impersonation email.

The Individual Steps

The individual steps for implementing the stop, educate, and mitigate strategy will vary depending on your business’s needs. We can help you develop and implement a comprehensive plan to defend against malicious emails.