Info Advantage Blog

If we told you that automated teller machines, or ATMs, were susceptible to hacking attacks, would you believe us? You should; there are a plethora of ways for hackers to infiltrate and steal money from ATMs, with the latest being so dangerous that even the Secret Service has issued warnings about it.

ATMs in Connecticut and Pennsylvania have recently become complicit in identity theft schemes issued by hackers. The machines themselves have been found to be equipped with periscope skimmer devices attached inside, particularly in machines which have openable lids that provide easy access to their inner workings. The device is installed so that it can probe the magnetic strip on the card as the machine reads it. Users might only need to withdraw $20, but they have so much more to lose.

It’s estimated that the device’s battery can last for up to 14 days per charge and that it has enough storage capacity to steal 32,000 card numbers. The one good thing about this device is that it doesn’t seem to collect PIN numbers. Instead, this scam may be part of a preparation for a real heist.

There may not be a PIN collection device on this version of the skimmers, but it’s still a good habit to cover the PIN pad with your free hand while you plug in your code. You never know who could be watching. Scammers are crafty and may have hidden cameras on the device to steal information, or they have hacked into the native camera remotely to spy on you while you input your credentials. Even if you don’t suspect that you’re being watched, it’s always better to err on the side of caution.

What’s worse is that those chip cards that your bank replaced your old cards with probably won’t be of much use, as most ATMs still need magnetic strips in order to accept and process the card as legitimate.

These skimmers can’t usually be identified by sight, as they’re often installed internally to avoid the prying eyes of cautious users. The most practical advice for avoiding ATM scams is to consider the thought process of a criminal who may try to exploit one of these machines. Consider its location--if the ATM is surrounded by people at all times, like those that are found in supermarkets or public places, chances are that it won’t become a target. Now, if it were located in a secluded rural gas station tucked away in the back hallway, it’s more likely that someone would tamper with it. Consider if it’s top-accessible, allowing cybercriminals access to its innards. These are all variables that you should be on the lookout for.

Therefore, it’s recommended that you use only ATMs that are placed in high-traffic areas where there are plenty of witnesses who might notice if someone tampered with the machine. It’s also important to avoid ATMs that are easily accessible; rather, just use one which is embedded into the wall, like the one in your bank’s drive-thru. These are great for multiple reasons: 1) They’re well-lit, 2) They are high-surveillance zones, and 3) Hackers have a hard time getting into them.

If you’re dealing with your business’s finances, it’s probably best that you handle your financial services through the tellers that aren’t automated. Another option is to go about your business online, shielded by the safeguards that Info Advantage can prepare for your organization. To learn more about our cybersecurity services, reach out to us at (585) 254-8710.

You’ve heard it said that it’s a best security practice to routinely change your passwords. The idea here is that, if a password were stolen, then it would lose its value when the user goes to change it. While this sounds like solid logic, new research shows that it may actually be better NOT to change your passwords.

This may be a hard pill to swallow for IT administrators who have always required users to change their passwords every few months or so. However, seeing as this practice could make accounts less secure, it’s worth considering.

The idea behind this theory is that, whenever a user goes to change their password, they’re often rushed or annoyed and end up creating a new password that’s less secure. The Washington Post puts it like this: “Forcing people to keep changing their passwords can result in workers coming up with, well, bad passwords.”

Think about it, how often have you changed your password, only to change it from a complex password to one that’s easier to remember? Or, have you ever kept the same password and just added a number at the end of your new password? This covert move will do little to deter a hacker. Carnegie Mellon University researched this topic and found that users who felt annoyed by having to change their password created new passwords that were 46 percent less secure.

Plus, let’s consider the hypothetical situation of a hacker actually stealing your password. Truth be told, once they’ve gotten a hold of your login credentials, they’ll try to exploit the password as soon as they can. If they’re successful, they’ll pose as you and change the account’s password, thus locking you out of it. In an all-too-common situation like this, the fact that you’re scheduled to change your password at the end of the month won’t change anything.

Additionally, ZDNet points out yet another way that regularly changing passwords can make matters worse: “Regularly changed passwords are more likely to be written down or forgotten.” Basically, having a password written down on a scrap piece of paper is a bad security move because it adds another way for the credentials to be lost or stolen.

Whether you do or don’t ask employees to change their passwords is your prerogative. However, moving forward it would be in everybody’s best interest to focus on additional ways to secure your network, instead of relying solely on passwords. This can be done by implementing multi-factor authentication, which can include SMS messaging, phone calls, emails, and even biometrics with passwords. With additional security measures like these in place, it won’t matter much if a hacker stole your password because they would need additional forms of identification to make it work.

To maximize your company’s network security efforts, contact Info Advantage at (585) 254-8710.

Email is (and has been) a prime method of communication for businesses of all sizes. With email comes a whole slew of issues that are essentially synonymous with the technology; spam, information overload, phishing, and information privacy. Even Rochester small businesses that only do business locally are at risk of these issues. Personal email accounts are equally at risk. Employing proper precautions and practices whenever communicating via email is very important to prevent the risk of security compromises, monetary loss, and even legality issues.

Spam Inundation

If you've been using email for a while either professionally or personally you have almost certainly gotten email from people you don't know. Most of these emails are blatantly unwanted while others can look 'almost' legit, as if a real person is trying to contact you. Often (and unfortunately) spammers can get your email address when you put it online or use it to register for accounts on sites on the internet. The good news is standard spam protection is getting better these days, and more advanced spam protection is cost effective for businesses that need the extra layer of protection. Spam can cause a lot of harm for a business network if it isn't kept under control - spam can bog down email servers and eat up network bandwidth and plus it drastically slows down employee productivity because they need to sift through it all just to find their real email. If you and your staff are getting more than a few spam emails a day, contact us at (585) 254-8710 and ask about our anti-spam solutions.

Don't Open Attachments from Unsolicited Emails

This has been a golden rule for general email usage for a very long time. If you received an email from a stranger and there is an attachment, don't touch it. If you receive an email from a contact and there is an attachment, but anything is suspicious, don't touch it. This goes the same for links - if the email was unexpected and just seems fishy, it is possible your contact's email may have been compromised. Use your judgment on this, but remember it isn't your contact trying to trick you, they are merely the victim of a similar hoax from one of their contacts. If you have any doubt, simply reply or pick up the phone and ask them about it before continuing.

Keep your Computer Safe

Be sure to keep antivirus definitions up to date, and run scans regularly. Running adware and spyware removal software at regular intervals is important too. Be sure your Windows Updates are up to date as well. For businesses, you'll want to invest in network protection to keep external threats from leaking in. Even for small Rochester businesses, security and threat management is important to keep operations running smoothly and to prevent expensive downtime and data theft.

Don't Rely on Email for Storage

Everyone has done this at least once; you are working on a report or document on one computer and you email it to yourself in order to pull it up on another computer. That's fine as long as you mind your inbox capacity, but you shouldn't rely on email for storing files, not even as a reliable backup. Imagine having to painstakingly pick through all of your email to restore your most important files. It doesn't sound like a good idea now, does it? On top of that, email isn't any less prone to data corruption or loss than any typical storage solution, and unless the server hosting your email is backed up with a reliable solution, it could be here today and gone the next.

Encrypt Sensitive Data

If you send sensitive data to other recipients, you will want to consider email encryption. Some industries require this. Email encryption simply scrambles the message while it is being sent, and depending on what type of encryption, will descramble itself or allow your recipient to log in to a secure location to view the data. Although email encryption services vary, most of them are very cost effected especially when put beside the risks of sensitive data getting leaked and stolen. Give us a call at (585) 254-8710 to learn more about email encryption and what solution is right for your business needs.

Congress recently voted to do away with Obama-era regulations that were intended to protect consumer data from being sold to advertisers without the user’s consent. As of April 4^th, President Trump has officially signed the legislation that will dismantle the internet protection that had originally been approved in October 2016.

What Was Voted On?

Congress voted on whether or not to keep a set of Internet privacy rules approved back in October during the end of the Obama administration. The measure, which was passed by a 215-205 vote according to NBC News, blocks the FCC from being able to enforce new privacy rules that had been passed last year by the Obama administration last year before the election. The legislation, which was recently signed by the President, also bans the FCC from issuing any similar online protections in the future.

What Information Can Be Bought?

The original policy would have banned Internet providers from collecting, storing, sharing and selling user information. They would be allowed to collect and sell information such as your web history and app usage, according to The Washington Post. The rules also required Internet providers to use stronger security safeguards to protect customer data against hackers. Now that the policies have been brought down, providers are able to monitor their customer’s online activity and use the data they’ve collected to create highly targeted ads. It also allows them to sell the information to advertisers, financial firms, and other for-profit companies.

How Can I Protect My Data?

As of now, there are no real changes being made to the Internet security policy, so not much is expected to change right away. However, experts suggest a few methods that users can use to keep their data to themselves. First, security experts suggest that you use a virtual private network, or VPN. VPNs will hide your location so they cannot verify your identity, and hides your Internet traffic so that no one will be able to see your browsing history. Security professionals also suggest that users make use of HTTPS sites, which ensure users that their data is secure and will not be shared.

Contact Info Advantage today at (585) 857-2644 to learn more ways you can protect your personal data from being shared or sold.

Does the U.S. Constitution allow the American government to access the electronic devices of its citizens? According to FBI Director James Comey’s statements at Symantec’s Annual Government Symposium, it certainly does.

This situation was birthed from the tussle between Apple and the Federal Bureau of Investigation after Apple refused to grant the FBI the information necessary to unlock an encrypted iPhone linked to a terror case. In the end, the FBI managed to unlock the device without assistance from Apple after threats of lawsuits and other unpleasantries were thrown around.

Reacting to this issue, as well as the trend towards more encryption in mobile devices causing complications during investigations, Comey clarified the bureau's stance on the privacy of the American citizen. Conceding that there is a reasonable expectation of privacy in houses, vehicles, and mobile devices, Comey asserts that there are other considerations to take into account to justify revoking that expectation, going on to say: “With good reason, the people of the United States--through judges and law enforcement--can invade our public spaces."

This statement, however, begs the question: how does a personal device really qualify as a public space? Again, according to Comey, it does in the U.S. “Even our memories are not absolutely private in the United States,” Comey said. “Even our memories are not absolutely private in the United States. Even our communications with our spouses, with our lawyers, with our clergy, with our medical professionals are not absolutely private. A judge in certain circumstances can order all of us to testify about what we saw or remembered or heard. There are really important constraints on that, but the general principle is one we’ve always accepted in the United States, and it’s been at the core of our country. There is no such thing as absolute privacy in America. There is no place outside of judicial authority.”

Comey also made a point of saying that, while the FBI has no business telling American citizens how to live and govern themselves, the tech companies have no business doing so either. This came as a direct response to the open letter many tech company higher-ups signed last April that demanded the US government end the mandates that would require access to encryption keys for the interests of law enforcement and national security.

Naturally, these Silicon Valley leaders don’t agree with Comey, and neither do all of his peers. Nuala O’Connor, who holds the titles of president and CEO of the Center for Democracy & Technology as well as the first Federal Chief Privacy Officer for Homeland Security, had little good to say about the ideas of her respected peer. According to O’Connor, “He could not be more wrong on encryption.”

What are your thoughts on Director Comey’s views? Do you think any government has the inherent right to access a digital device--arguably invading the privacy of the citizen--even if it's ultimately for the greater good? Share your thoughts in the comments, and be sure to keep checking back to Info Advantage’s blog.

In response to the increasing danger of cyber attacks against computerized cars that are currently in production, Volkswagen has partnered up with three Israeli experts in cybersecurity to form a brand new cybersecurity company dedicated to designing solutions intended to protect such advanced cars and their passengers.

While ownership and investments made by each party have not been made public, the mission of Cymotive--as the new entity is called--is perfectly clear.

As Yuval Duskin, who formerly sat at the helm of the Israeli Security Services and now serves as Cymotive chairman, said: "Together with Volkswagen we are building a top-notch team of cyber security experts. We are aware of the significant technological challenges that will face us in the next years in dealing with the cyber security threats facing the connected car and the development of the autonomous car."

These cyber security threats are far too real. Features like Bluetooth connectivity and computerized dashboards have made modern automobiles tempting targets for tech-savvy criminals. Quite recently researchers discovered that an attacker armed with an inexpensive radio kit could clone their way into any wireless-entry-equipped Volkswagen, potentially opening any of the automobiles equipped with this feature sold since 2000--the number of potential cars at risk reaching into the millions.

Volkswagen, of course, is not the only car maker whose systems are under threat of attack. A few seasoned car hackers recently proved that--by attaching a laptop to the controller area network (or CAN bus) of a Jeep Cherokee--they could take full control of the vehicle’s brakes. Posting proof of their method in a YouTube video, the duo used a local attack but stated that with some more effort, a similar attack could be executed remotely.

However, after submitting their findings to Fiat Chrysler Automobiles (producer of the Jeep brand) the automotive manufacturer waved away the findings, questioning their validity and how appropriate it was for the hacking duo to share “how-to information” that could potentially put public safety in jeopardy. Fiat Chrysler Automobiles also declared that such an attack takes “extensive technical knowledge” and that any security flaws present in the demonstration had since been patched.

However, hackers of a more malicious nature are always seeking out new vulnerabilities that the manufacturers and programmers of whatever system (automotive, computing, or otherwise) may have overlooked. As a result, there is an ongoing (and most likely never ending) race between hackers and developers to come out on top… At least until the next revolutionary technology emerges and starts the race over.

Does the ability of computer hackers to infiltrate your car make you consider downgrading during your next automotive purchase? Let us know in the comments.

Verizon has taken to publishing a compilation report analyzing data breach statistics with the help of industry partners, a report that is widely regarded as a must-read for the industry. A brief review of the latest edition’s executive summary revealed where information security vulnerabilities lie in industries worldwide and, even more helpfully, what shape those vulnerabilities took. The Data Breach Investigations Report, or DBIR, pulled no punches in outlining what kind of attacks happened in the past year, and how.

The DBIR has its own system of outlining breach types that divide events and incidents into nine categories. Information-based companies appeared predominantly in four of them, with helpful tricks to prevent such breaches from happening again.

Crimeware: Perhaps unsurprisingly, one of the industries crimeware targeted most was the information industry, with the DBIR citing a rise in ransomware (39 percent of all analyzed attacks in 2015 involved ransomware). While the scope the DBIR funnels under the Crimeware title is fairly large (“This covers any use of malware that doesn’t fall into a more specific pattern”), this by no means cheapens the risks - it arguably compounds them, as it only goes to show how many pieces of crimeware exist. To defend against them, the DBIR recommends frequent patches and backups as well as monitoring changes to configurations.

Web App Attacks: Considering that 95 percent of web app attacks were financially motivated in their reports, it’s no surprise that e-commerce platforms were among the most targeted by these intrusions. These attacks are often the result of a successful phishing campaign or the infiltration of a vulnerable site. The other side of web app attacks, content management system breaches, saw plenty of digital graffiti and the repurposing of infiltrated sites as phishing sites. To avoid this kind of breach, the DBIR again recommends timely patches to remove vulnerabilities, as well as utilizing two-factor authentication and input monitoring.

Cyber-espionage: Usually hunting for intellectual property, cyber-espionage attacks prefer sticking to tried-and-true methods of breaching networks, only utilizing more sophisticated methods if the simple ones don’t work. Therefore, at least in this case, basic protections may be enough to divert many of these attacks, and should not be bypassed in favor of more specialized protection. As far as avoiding issues further, keeping patches up-to-date and monitoring changes to configurations will help monumentally, as will isolating compromised devices and separating them from the rest of your network.

Miscellaneous Errors: This category took all of the “Whoops!” issues that lead to compromised security into one bundle to deal with them. While Verizon reports that 40 percent of them were caused by a server issue, many others were triggered by employee mistakes - a full 26 percent included sending a message filled with sensitive data to the wrong recipient. The DBIR suggests strengthened controls on your network as a possible way to keep away from errors, such as data loss prevention software to lock down sensitive info. Additionally, Verizon recommends thorough disposal procedures to any aged-out equipment, as well as to stay focused and learn from the mistakes from your past.

Helpful information, certainly, with all that and more being available for free download at the Verizon Enterprise webpage. But big picture - what takeaway can you not afford to leave on the table? Ultimately, an overwhelming percentage of incidents reported in the DBIR pointed blame, or at least prime responsibility, for many of the errors that led to security breaches to one thing: human error.

Between the willingness to exploit the natural fallacies of human nature by cyber criminals and the human tendency to make mistakes independently, human beings are placed solidly as the weakest link in any cyber security chain. So, if humans are the problem, what is the solution?

In short, vigilance. Strongly enforce best practices regarding security in the workplace, and follow them yourself as an example. Be aware of current trends in cyber security attacks, and prepare yourself and your company accordingly. Identify and install security measures that best fit your needs and abilities.

For help with any of this, be sure to call Info Advantage at (585) 254-8710 first. Our ranks of professionals are here to help you when you need guidance concerning your business’ security solutions. With Info Advantage, you have a much greater chance of being a success than being a statistic.

Your identity has quite a lot of value, especially in the wrong hands. Security firm ZoneAlarm put together some numbers in 2011 concerning identity fraud, and it even shocked us. Let's talk about a few of these statistics and what it means.

Hackers have always gone after industries that are profitable, or hold sensitive information that can be lucrative when sold under the table. As such, retailers that accumulate financial credentials are often hit by hacks. The entertainment industry is no different, and hackers continue to grow craftier in their pursuit of wealth and power. Not even Steam, the PC gamer’s most valuable software solution, is safe from the dangers of hacking attacks.

How private are your emails and other digital communications? Can the government go through your digital files without you knowing about it? As you may have suspected, they can, thanks to a loophole in an outdated law--a loophole that U.S. lawmakers are trying to close.