Oct, 2019

URL Manipulation and What to Do About It

Most people know what a URL is. It’s the address of a website, typically starting with http:// or https://, and it is essentially the location of a web page or application that can be accessed through a web browser or application. Nowadays, URLs are being manipulated by actors for both positive and negative means. Let’s take a look at URL manipulation and how it could affect you.

The URL

Before we get into the manipulation of the URL, let’s define its parts.

The first part of the URL is called the protocol, which tells the computing network which language is being used to communicate on said network. Most of the time, the URL will use the protocol “HTTP”. The HyperText Transfer Protocol makes it possible to exchange web pages. Other protocols that are used include File Transfer Protocol, News, and Mailto.

The second part of the URL is the ID and password, which makes it possible to access secure servers on the network. This part is typically removed because the password will be visible and transfer unencrypted over the computer network.

The third part of the URL is the server name. It allows users to access information stored on specific servers whether through a domain or the IP address associated with the server.

The fourth part of the URL is the port number. This number is associated with a service and tells the server what type of resources are being requested. The default port is port 80, which can be left off the URL as long as the information that is being requested is associated with port 80.

Finally, the fifth, and last, part of the URL is the path. The path gives direct access to the resources found tied to the IP (or domain).

Manipulating the URL

By manipulating parts of the URL, a hacker can gain access to web pages found on servers that they wouldn’t normally have access to. Most users will visit a website and then use the links provided by the website. This will get them to where they need to go without much problem, but it creates their own perimeters.

When a hacker wants to test the site for vulnerabilities, he’ll start by manually modifying the parameters to try different values. If the web designer hasn’t anticipated this behavior, a hacker could potentially obtain access to a typically-protected part of the website. This trial and error method, where a hacker tests directories and file extensions randomly to find important information can be automated, allowing hackers to get through whole websites in seconds.

With this method they can try searching for directories that make it possible to control the site, scripts that reveal information about the site, or for hidden files.

Directory traversal attacks, also known as path traversal attacks, are also popular. This is where the hacker will modify the tree structure path in a URL to force a server to access unauthorized parts of the website. On vulnerable servers, hackers will be able to move through directories simply.

What You Can Do?

Securing your server against URL attacks is important. You need to ensure that all of your software is updated with the latest threat definitions, and keeping a detailed configuration will keep users in their lanes, even those who know all the tricks.

The IT experts at NuTech Services can help you keep your business’ IT infrastructure from working against you. Call us today at 810.230.9455 for more information about how to maintain your organization’s network security.

Oct, 2019

Cybersecurity: An Origin Story

The way a business handles network security is directly related to what problems will arise from their use of information systems. Cybersecurity has become a major part of all businesses, of all geographic locations, and all sizes. Because the better your cybersecurity is, the less problems your business will have to overcome, cybersecurity has grown into a multi-hundred-billion dollar a year industry. Cybersecurity hasn’t always been a concern for businesses. After all, the internet hasn’t been around for THAT long. However, the history of cybersecurity has a fascinating story behind it, and today we’d like to share it with you.

Let’s start with where we are now. History is best told on a timeline, so let’s start from the present. Cybercrime today is profiting over $1.5 trillion each year, and that figure continues to climb. Some have predicted that this figure will nearly quadruple by 2021. Security breaches are up by 67 percent over just the past five years.

How is this figure climbing so quickly? Well, let’s examine the most popular form of cybercrime: phishing. The method that cybercriminals are using are able to deploy all types of malware, yet also has data-stealing abilities. Whether that data is your sensitive personal information, or login credentials to your bank account, phishing gives a cybercriminal direct access. The worst part for people who have fallen victim, is until something dramatic happens, they are clueless that they have even become a victim. Phishing attacks have led to billions of records being exposed, stolen, or corrupted each year.

Cybercrime has become a real concern for all business owners. So how did all of this start?

The Beginning

This information NuTech Services is about to reveal may be hard to believe, but cybercrime was Bob’s fault. This trillion-dollar criminal trend is the result of a research project held by a man named Bob Thomas. Bob Thomas made the observation that a program is able to move across a computer network, leaving a trail behind. He then proceeded to write a code that was named “Creeper”. This code resulted in a program that was designed to travel between Tenex terminals on the ARPANET. The message that came across? “I’M THE CREEPER : CATCH ME IF YOU CAN”.

The research project sparked the attention of email inventor Ray Tomlinson. Tomlinson altered this program into a self-replicating one. This resulted in the first computer worm. Immediately after this discovery, he wrote an additional code which was titled “Reaper”. This chased down the Creeper code, and deleted it; which resulted in what was effectively the first antivirus software.

So how did Bob’s experiment start all of this? Well, in the 1980s Soviet hackers considered the applications of this experiment. Academics designed applications that could be used to infiltrate other networks. This ideology quickly spread, and in 1986 German hacker Marcus Hess hacked into an internet gateway which was hosted at the University of California at Berkeley. This hacked connection was then used to piggyback onto the ARPANET. He hacked into a total of 400 computers, including mainframes hosted at the pentagon.

How did this turn into such a profitable “business”? Hess planned on selling the secrets found on these computers to the Soviet KGB. Before he was able to do so, he was caught by the group effort put forth by the FBI and the West German government. His conviction was the first of its kind — cybercriminal activity sentencing. The abnormality of the case resulted in a 20-month suspended sentence.

At the same time as this was occurring, computer viruses started to become a serious threat. With the exponential growth of the internet, there were more connections that viruses could infect. The virus started to become a real problem.

The Middle

In 1988, Robert Morris woke up and decided he wanted to see just how big the internet had become. Morris, a software engineering student at Cornell University, wrote a program designed to spread across various networks, work themselves into Unix terminals, and begin replicating. The software replicated so quickly that it actually slowed down the early Internet, which caused major carnage. This carnage become known as “the Morris Worm”. Morris’ worm resulted in the formation of the Computer Emergency Response Team, known as US-CERT today. Morris was the first person convicted under the Computer Fraud and Abuse Act (CFAA). This act was introduced with the intentions to protect against unauthorized access.

After Morris’ worm was handled, viruses began being developed at an absurd rate. The antivirus industry, which started in 1987, began to grow as a result. By the time the Internet was an accessible user-product in the 1990s, dozens of solutions were available to prevent devices from being infected. These solutions scanned the binaries on a computer, and tested them against a database of known virus-code. There were major problems with this protection method, such as the abundance of false positives. They also had a tendency to use a lot of the systems’ resources to scan for these viruses. Remember how slow dial-up used to feel? Your anti-virus could have been the culprit.

The mid-90’s to late-2000’s were a prospering time for the world of viruses. While the figure was estimated to be a few thousand known viruses in the mid 90’s, that figure was estimated to be around five million by 2007. These different malware strains were either worms, viruses, trojan horses, or other forms. By 2014, 500,000 different types of strains were being created daily. This time truly was the malware boom.

Who was stopping this boom? Well, nobody. Cybersecurity professionals needed to make an effort. Antivirus solutions simply couldn’t keep up, and while they might detect malware, they had a hard time preventing it. Innovations in cybersecurity developed quickly. First, endpoint protection platforms (EPP) that didn’t just scan for known code, they also scanned for code similarities. This meant that unknown viruses could be detected.

The End?

With advanced malware defeating endpoint protection regularly, it was time to further innovate cybersecurity measures. The timeline innovators had was cut short with the deployment of WannaCry. WannaCry was, at this point, the most devastating piece of malware that existed. WannaCry even shook the world of the most capable security professionals. It encrypted the data on a computer and forced the computer owner to pay in Bitcoin to regain access to these files. This deployment sparked an explosive increase in the cybersecurity industry. It was time for cybersecurity to surpass the capabilities of cybercriminals, instead of being constantly behind.

The only way anyone was able to determine if they were being infiltrated was to have a transparent network. Administrators began using endpoint threat detection and response (EDR) services to monitor their networks. This solution is still cutting edge by today’s standards. While this isn’t the end for cybersecurity, EDR services are extremely capable of keeping malware out of your network.

If you would like to learn more about cybersecurity, or are interested in keeping your business’ data safe, call NuTech Services today. Our professionals can be reached by calling 810.230.9455.

Sep, 2019

Essential Network Security Best Practices

Too frequently, we hear stories about cyberattacks, software vulnerabilities turned tragic, and other pretty terrible situations for businesses. In an effort to help fight this, we’ve put together a list of handy tips for you so that you can be prepared to ward off threats.

Leverage Authentication Measures

One of the first steps to securing your network against threats is to create strong authentication procedures. Most of the devices with permission to access your network will already have an authentication system in place, based on a password. If the passwords used are strong enough, this can actually mitigate most threats – but you still have to worry about the ones that this doesn’t discourage. Leveraging something called multi-factor, or two-factor, authentication can help minimize the chance of something slipping past your security.

Two-factor authentication works in a relatively straightforward way. As with most login systems, a username and password are entered – but instead of being granted access, the user is asked for another credential. This is usually a randomly-generated code that a specialized authentication app will generate. Mobile devices are popular to use with 2FA, as their convenient nature makes them more likely to be available when needed. In order for a user to leverage their mobile device, the 2FA system administrator has to authorize it.

Tip: Make sure that you don’t let your password best practices slip, even if leveraging 2FA. Your passwords still need to be sufficiently complex. If you are one of those who find remembering different passwords difficult, consider using a password management system in conjunction with your 2FA.

Protecting Your Business’ Computing Environment

Whether you use a Local Area Network or a Wide Area Network, the security practices that you need to deploy are fairly predictable. Once you’ve seen to your authentication needs, you need to combine three approaches to security into one all-encompassing strategy: your software-based security, your physical security measures, and your security awareness and best practice training.

Software-Based Security

There are many examples of how software can help keep your business’ network secure. From firewalls to content filtering to antivirus to spam detection, each of these tools protect your business data from a different kind of threat. You may even want to consider adding encryption to your email solution to make it a lot less likely that the contents of your messages will be intercepted.

Tip: If you aren’t sure which solutions are the right ones to implement, think about how your data moves about your business. The more insight you have into how your data operates, the more effectively you will be able to plan its protections.

Physical Security Measures

Somewhat ironically, we seem to have become so focused on our digital security that it can sometimes seem like we forget that there are very real reasons to protect our physical locations and infrastructure, as well. Consider the damage a bitter ex-employee could do in moments, should they manage to get into your server room. It has become fashionable to leverage biometric authorization measures to protect your server room – and there’s a lot to be said about a good, old-fashioned surveillance system, complete with alarms and cameras (as well as some updates to make this system considerably less old-fashioned).

Tip: Bring in a consulting professional to help you determine your physical security needs. Not only does this save you time by eliminating work you would otherwise have to do for yourself, it ensures that your system will be designed by an experienced professional that knows what will work best in different situations.

Security Awareness and Best Practice Training

Would you be surprised to hear that your employees are likely your biggest vulnerability? Of all of the pieces that make up your network security, the people who use your technology are the leading cause of security issues. With the number of ways that your business could be attacked, your staff needs to be educated on how to identify them and avoid them.

Tip: Both businesses and individuals have experienced difficulties with phishing and it adversely affecting them, so it makes sense to begin your training there. Not only is it a common issue, it is conceptually very simple to grasp, so it is a good starting point before moving on to increasingly complex concerns. The more your staff knows about how they can resist attacks, the more likely they’ll be able to do so if the needs arises.

Remote Solutions Via the Cloud

Modern organizations need to contend with potential threats to their network infrastructures, as businesses always have in some form. The difference is that issues can now come in on the mobile devices owned by their staff, and company resources can be routinely accessed from outside the business’ area network.

This has helped contribute greatly to the growth of cloud computing technologies – although the relative cost savings don’t hurt either. Using the cloud, your staff can access their work data and applications from a remote location, while the resources stored in the cloud are kept secure by the platform’s baked-in security and privacy.

Mobile devices have also been a disruptor to business-as-usual, which means that businesses need to plan on leveraging them if they don’t want them becoming a distraction. Designing a Bring Your Own Device policy and enforcing it through mobile device management solutions is an effective and secure way of reaching a compromise and minimizing the time wasted by mobile devices in the workplace.

Tip: Remember that cloud services are inherently scalable, so you don’t need to worry about overreaching your capabilities. However, you also don’t want to waste capital that doesn’t need to be spent. Auditing your resources is an effective way to identify and eliminate redundant costs leeching from your budget.

Network security can be complicated, but it is an absolutely crucial element to your technology strategy if you want to have any success. NuTech Services can help take care of the technical side of things for you, and help teach better habits to your staff. To learn more, keep reading our tips, and reach out to us at 810.230.9455.

Sep, 2019

Biggest Data Breaches Since May

Has your business’ network been breached? If not, you will need to continue to prioritize network security to keep hackers at bay. With 446 million records compromised in 2018 alone, businesses need to understand what threats they are currently under. Let’s take a look at some of the biggest data breaches that have happened since the beginning of May.

May

May 2, 2019 – Citrix

Conferencing and digital workplace software company, Citrix, revealed that hackers gained access to the company’s network between October 2018 and March 2019. Data stolen included Social Security numbers, financial information, and data of current and former employees.

May 3, 2019 – AMC Networks

1.6 million users of AMC Network’s Sundance Now and Shudder streaming services had their data left exposed through a database that was left unsecured. Names, email addresses, subscription details were compromised.

May 9, 2019 – Freedom Mobile

Freedom Mobile, a Canadian mobile provider had an estimated 1.5 million customers’ personal and financial information left exposed on a third-party server. The types of data left exposed included names, email addresses, mailing addresses, dates of birth, and credit card information.

May 13, 2019 – Indiana Pacers

The legal team behind the National Basketball Association’s Indiana Pacers was the victim of a major phishing attack. Employee and customer names, addresses, dates of birth, Social Security numbers, passport numbers, driver’s license numbers, medical insurance information, card numbers, digital signatures and login information. No number of affected individuals has been given by the team.

May 14, 2019 – WhatsApp

WhatsApp has experienced a security flaw that provided access to an Israeli government surveillance agency, NSO Group. NSO Group had limited access to the microphone, camera, and WhatsApp message text of the app’s 1.5 billion users.

May 20, 2019 – Instagram

Facebook-owned Instagram, fell victim to a data breach that exposed more than 49 million Instagram influencers, celebrities, and brands’ Instagram information when an Indian-based social media marketing company left it exposed.

May 24, 2019 – Canva

The 139 million users of Canva, a cloud-based graphic design tool, had their names, usernames, and email addresses exposed when hackers infiltrated their server.

May 24, 2019 – First American Financial Corporation

First American Financial Corp., a leading title insurer for the U.S. real estate market, had 885 million customers’ Social Security numbers, bank account numbers, mortgage and tax records, wire transaction receipts, and driver’s license images compromised for all customers as far as back as 2003.

Other May breaches: Inmediata Health Group, Uniqlo, Wyzant, Flipboard, Checkers (the fast food chain).

June

June 3, 2019 – Quest Diagnostics

Almost 12 million patient records have been compromised when hackers took control of the payments page of AMCA, a major payment vendor for Quest Diagnostics. Data such as financial account data, Social Security numbers, and health information (ePHI) were left exposed.

June 4, 2019 – LabCorp

In the same hack, LabCorp announced that 7.7 million of its customers were impacted.

June 6, 2019 – Opko Health

In the same attack, Opko Health had 422.600 customer and patient records compromised.

June 10, 2019 – Emuparadise

The gaming website Emuparadise had their users’ IP addresses, usernames, and passwords exposed in a data breach.

June 11, 2019 – Evite

More than 100 million users of the Evite event planning app have had their information put up for sale on the dark web. Information that was stolen included names, email addresses, IP addresses, and cleartext passwords. Some even had their dates of birth, phone number, or postal address exposed.

June 11, 2019 – Total Registration

Kentucky-based Total Registration, a facilitator of scholastic test registrations had their entire service compromised. Victims, who were mainly students who had registered for PSAT and Advanced Placement tests, had their names, dates of birth, grade level, gender, and Social Security number exposed.

June 12, 2019 – Evernote

A security vulnerability in Evernote’s Web Clipper Chrome extension gave hackers access to the online data of over 4.5 million users. Exposed data includes authentication, financial, all private communications, and more.

June 20, 2019 – Desjardins

Over 2.7 million individuals and 173,000 businesses had their data stolen by a single Desjardins employee. Canada’s largest credit union, the hack resulted in the exposure of names, dates of birth, social insurance numbers, addresses, phone numbers, and email addresses of customers

Other June breaches: Oregon Department of Human Services, U.S. Customs and Border Protection, EatStreet, Dominion National

July

July 17, 2019 – Clinical Pathology Laboratories

Due to the AMCA breach that affected Quest Diagnostics, Opko Health, and Labcorp, Clinical Pathology Laboratories had 2.2 million patients’ personal and medical information exposed with an additional 34,500 patients’ credit card or banking information breached.

July 18, 2019 – Sprint

A still unknown number of Sprint customer accounts were hacked through Samsung.com’s “add a line” website. Some exposed information included names, billing addresses, phone numbers, device types, device IDs, monthly recurring charges, account numbers, and more.

Other July breaches: Maryland Department of Labor, Los Angeles County Department of Health Service, Essentia Health, Fieldwork Software, Los Angeles Personnel Department

August

August 5, 2019 – Poshmark

The online marketplace, Poshmark, has announced that they’ve been hacked. Usernames and email addresses of an unreported amount of clients have been exposed in the breach. Poshmark has nearly 50 million users.

August 5, 2019 – Stock X

The online fashion-trading platform had its over 6.8 million user accounts exposed. Data that was out there included customer names, email addresses, usernames and passwords, shipping addresses, and purchase histories.

August 9, 2019 – CafePress

A data breach at CafePress, a custom t-shirt and merchandise company, exposed the names, email addresses, physical addresses, phone numbers, and passwords of over 23.2 million customers.

August 15, 2019 – Choice Hotels

Hackers left over 700,000 guest records exposed in a coordinated extortion attempt on the Choice Hotel chain. Stolen information included names, addresses, and phone numbers.

August 16, 2019 – Biostar 2

VPNMentor and independent security researchers uncovered a data breach containing over a million individuals’ facial recognition information as well as the unencrypted passwords and usernames of 27.8 million individuals exposed from Biostar 2, a biometric security platform.

August 27, 2019 – Hostinger

Hostinger, a web hosting company sent out an email to their 14 million clients who had their information hacked through an API server. As a result, first names, usernames, email addresses, IP addresses and hashed passwords were exposed.

Other August breaches: Presbyterian Healthcare Services, State Farm, MoviePass

Before your business has its network breached, data stolen, and reputation irreparably harmed, call the security professionals at NuTech Services to do a full security assessment. We can help you keep your data and reputation intact. Call us today at 810.230.9455 to learn more.

Aug, 2019

How You Should Judge Potential Password Management Programs

Passwords are hard to remember – there’s no denying that. However, there is also no denying how important it is to use different ones for each account, all sufficiently complex, and all the rest. The point is, a lot of people use bad password practices because (to be frank) good password practices are too intimidating. There has to be some kind of acceptable middle ground… right?

Fortunately, there is: password management systems.

What Are Password Management Systems?

A password manager is effectively what it says on the box: it’s a program that keeps track of your passwords for you. While these are available for individual users, we are more concerned with those that are meant for businesses to leverage.

These solutions have a reputation for being complicated and time-intensive to set up. However, this no longer has to be the case, and it is now more important that you find a solution that offers the features that every business needs to prioritize.

What to Look for from a Password Manager

During your search, you will want to make sure your chosen password management system offers the following features:

Security

While this may seem obvious, not all of your password management options will necessarily offer the same protections or follow the same practices. For instance, standalone password managers are inherently more secure than those tied to another solution, like a built-in one in your browser of choice.

These separate solutions usually have additional features to assist your security as you use them. Good password managers will remind you of best practices if too many saved passwords are the same or too weak and will require multi-factor authentication to be accessed in the first place. It also wouldn’t hurt to find one that also notifies you when you’re due to update some of the passwords you have saved.

It should also never save one password: the master password used to access the solution itself. That is still the user’s responsibility.

As far as behind-the-scenes security is concerned, you should find a password manager that is itself protected by a variety of security features, like encryption, role-based access, and secure cloud storage.

Storage Considerations

Determining where your credentials are kept by the password manager is another important detail to keep in mind, largely as an extension of your security considerations. Does your password manager save your passwords to the cloud, or are they kept natively on the device? Either approach has its pros and cons.

If the cloud is leveraged, your credentials will be available to you on any of your devices… but this does put your credentials in the crosshairs if that cloud solution was ever breached. If you keep your credentials stored locally, you won’t risk losing them in a cloud storage breach, but they are still vulnerable. For instance, if that device fails, there go your passwords.

Generally, this won’t have much impact on the solution you choose, as most enable either option, if not a combination of both.

User Friendliness

As difficult as your password manager should make things for cybercriminals, it should make simple for your legitimate users – starting with adding and removing them to the business’ accounts. They should find it easy to change their password as needed, and your password manager should automatically log a user into a website or application. If it senses that there are not currently credentials for that site, it should offer to save them.

NuTech Services has plenty of experience dealing with password security, which means we’re familiar with password managers and maintaining them. If you’d like assistance with selecting, implementing, and utilizing one in your business, let us know! We’re just a call to 810.230.9455 away.

Aug, 2019

Think Before You Click: Spotting a Phishing Attempt

We’ve all caught the obvious spam email, like the message that is clearly bogus, or the offer that is definitely too good to be true.

We’re going to confidently assume none of our readers are getting tricked by Nigerian Princes or getting roped into order virility drugs from an unsolicited email. The real threat comes from the more clever phishing attacks. Let’s take a look.

Give Me the Short Answer – What’s Phishing?

Phishing is where you get an email that looks like an actual legit email. The goal that a cybercriminal has is to trick you into giving them a password or access to an account (like to PayPal, Facebook, or your bank) or to get you to download malware.

The problem with phishing emails is how real they can seem. A phishing attempt for your PayPal information can look just like an everyday email from PayPal.

Even worse, often phishing emails try to sound urgent. They make you feel like you have to take action quickly, or that a bill is overdue, or that your password has been stolen. This can lower the user’s guard, and force them into a sticky situation.

How to Spot a Phishing Attack

Like I said, it’s not always going to be obvious when you get phished. Even careful, security-minded, technical people can fall victim because phishing is just as much of a psychological attack as it is a technical one.

Still, there are some practices you and your staff should use:

Always Use Strong, Unique Passwords

This can solve a lot of problems from the get-go. If your PayPal account gets hacked, and it uses the same password as your email or your bank account, then you may as well assume that your email and bank account are infiltrated too. Never use the same password across multiple sites.

Check the From Email Address in the Header

You’d expect emails from Facebook to come from something@facebook.com, right? Well, if you get an email about your password or telling you to log into your account and it’s from something@faecbook.com, you’ll know something is up.

Cybercriminals will try to make it subtle. Amazon emails might come from something@amazn.com or emails from PayPal might come from something@paypalsupport.com. It’s going to pay off to be skeptical, especially if the email is trying to get you to go somewhere and sign in, or submit sensitive information.

Don’t Just Open Attachments

This is nothing new, but most malware found on business networks still comes from email attachments, so it’s still a huge problem. If you didn’t request or expect an email attachment, don’t click on it. Scrutinize the email, or even reach out to the recipient to confirm that it is safe. I know it sounds silly, but being security-minded might build security-mindfulness habits in others too, so you could inadvertently save them from an issue if they follow your lead!

Look Before You Click

If the email has a link in it, hover your mouse over it to see where it is leading. Don’t click on it right away.

For example, if the email is about your PayPal account, check the domain for any obvious signs of danger. Here are some examples:

Paypal.com – This is safe. That’s PayPal’s domain name.
Paypal.com/activatecard – This is safe. It’s just a subpage on PayPal’s site.
Business.paypal.com – This is safe. A website can put letters and numbers before a dot in their domain name to lead to a specific area of their site. This is called a subdomain.
Business.paypal.com/retail – This is safe. This is a subpage on PayPal’s subdomain.
Paypal.com.activecard.net – Uh oh, this is sketchy. Notice the dot after the .com in PayPal’s domain? That means this domain is actually activecard.net, and it has the subdomain paypal.com. They are trying to trick you.
Paypal.com.activecardsecure.net/secure – This is still sketchy. The domain name is activecardsecure.net, and like the above example, they are trying to trick you because they made a subdomain called paypal.com. They are just driving you to a subpage that they called secure. This is pretty suspicious.
Paypal.com/activatecard.tinyurl.com/retail – This is really tricky! The hacker is using a URL shortening service called TinyURL. Notice how there is a .com later in the URL after PayPal’s domain? That means it’s not PayPal. Tread carefully!

Keep in mind, everyone handles their domains a little differently, but you can use this as a general rule of thumb. Don’t trust dots after the domain that you expect the link to be.

Training and Testing Go a Long Way!

Want help teaching your staff how to spot phishing emails? Be sure to reach out to the IT security experts at NuTech Services. We can help equip your company with solutions to mitigate and decrease phishing attempts, and help educate and test your employees to prepare them for when they are threatened by cybercriminals.

Jul, 2019

Even Amazon Can Be Hacked

In 2018, Amazon was struck by a considerable attack, with hackers taking funds from approximately 100 seller accounts, according to a Bloomberg report. Between May and October 2018, Amazon sellers were struck approximately 100 times, draining funds from the seller control platform to augment their own funds. According to the investigation, the first fraudulent transaction took place on May 16, 2018, with an undisclosed amount being stolen. The hackers utilized phishing attacks in order to scam their targets.

“Unknown Hack”

On May 8, 2019, almost a year to the day after the first transaction was made, an Amazon spokesperson claimed that the company had completed investigating the compromised accounts, and had been the victim of an “extensive” fraud. The extent of the fraud was large enough where two banking companies, Barclays and Prepay Technologies (who is a partial subsidiary of Mastercard) are caught up in the crime.

Ultimately, Amazon neglected to disclose the true scope of the hack, but a report by Bloomberg indicated that over one billion dollars were dispersed to merchants in 2018 via Amazon Capital Services U.K. While there is currently no figure provided by the company, if large portions of that money was subverted, it could rank as one of the largest hacks in the history of online commerce, and certainly the biggest fraud that has involved Amazon.

Amazon, which has a business model built to be largely automated, has done a remarkable job of keeping personally identifiable information from being hacked over the years, but in today’s threat-persistent culture, even the most secure companies can have situations happen to them that jeopardize their ability to complete financial and information transactions, regardless of how much they invest in cybersecurity.

Phishing Attacks

Just because this article mentions a major fraud involving the world’s largest online retailer in no way means that hackers have moved on from trying to hack small businesses. Small businesses face the majority of hacking attacks, mainly because they have the least amount of security to thwart. In fact, if Amazon can fall victim to phishing attacks, it’s not a stretch to believe that your company is susceptible. With millions of phishing messages sent every day, many of which target small businesses, having a strategy to educate your staff is extremely important.

The best way to go about doing that is to be proactive. Getting your staff to understand that they are on the front lines of a never-ending cyberwar and what they need to learn in order to keep themselves, and your organization free from the serious risks that come from falling victim of phishing attacks. Some things you can prioritize:

Annual education and training – Have a comprehensive plan in place to educate new and current staff that is updated and required annually.
Having strong passwords – Since phishing is a form of social engineering, the hackers on the other end of the phishing attack are simply looking for access. Having strong passwords will keep them out much longer than weak ones.
Avoid shadow IT – Make it clear that all software has to pass through IT first, before it is downloaded onto a workstation. It may seem inefficient at first, but the company will be better off vetting a software solution before it gains access to your organization’s network.
Provide cloud storage – When people are constantly on the move and have a lot of responsibilities, they will often upload their work into their personal cloud-based file storage. This can be risky behavior, even if the employee’s motives are solid. Keep your company’s data hosted on its own infrastructure.

With these four tips you can go a long way toward protecting your business, and your staff, from the detrimental characteristics of a phishing attack.

If you need help with your organization’s cybersecurity, or if you simply want some help outlining a strategy to use, contact the IT professionals at NuTech Services today at 810.230.9455.

Jul, 2019

Windows 7 and Windows Server 2008 R2 is Finally Losing Support

Microsoft Windows has been a staple of modern computing, with each title in the series offering more innovative features. When it becomes time to retire one of their OSs, it can be troublesome for businesses. This coming January, two of the most utilized versions of the Windows OS–Windows 7 and Windows Server 2008 R2 will be losing support, effectively ending their viability. Businesses that still use these titles will have to come up with a plan about how they are going to proceed once Microsoft retires that software.

Support for these two titles ends on January 14, 2020. If your business has neglected to upgrade away from the technology after Microsoft ended mainstream support in 2015, time is finally running out in which to do so. It is important to have a strategy to move to a more up-to-date operating system. By not completing a full migration away from these titles your business will not have the protection it needs to keep your company’s data secure. Vulnerabilities will begin to present themselves pretty quickly and you will see your ability to maintain data security wane. Let’s take a look at these titles, and what needs to happen to successfully remain secure.

Windows 7

Windows 7 is one of Microsoft’s most popular operating systems of all time, and is still used by millions of people from all over the world. In fact, it wasn’t until last December that Windows 10, Micrsosoft’s latest OS, passed Windows 7 in number of users. The software giant has started a major ad campaign to inform people of how to upgrade away from Windows 7 as soon as possible.

The most obvious option is to upgrade your business’ workstations to Windows 10. Windows 10 is constantly supported, offers many features that Windows 7 is incapable of, and features a profile that isn’t significantly heavier so most systems that you have will run Windows 10 effectively. If you are in a position where you need to move over a lot of workstations, our consultants can help you calculate the best route forward.

Another option Microsoft provides is called Microsoft 365. This cloud-based service deliberately targets the millions of Windows 7 users as it doesn’t require huge capital costs to move to Windows 10. At NuTech Services, we can help you determine the pricing of a migration either to new onsite infrastructure or a hosted solution. Either way, your business will need to have upgraded before January 14, 2020.

Windows Server 2008 R2

In addition to Windows 7, in January 2020, Microsoft will be retiring the entire Windows Server 2008 R2 suite. If your business utilizes Windows Server 2008 R2 for data and application hosting, you will need to have a plan in place to upgrade prior to the end of support date. Just like Windows 7, Microsoft will stop delivering security patches to Windows Server 2008 R2, meaning that there is a very real possibility that your organization could go without security updates if you fail to upgrade.

Microsoft has since released two new versions of the Windows Server software, as well as implemented a cloud-based option in Azure. It might be able to help you save money with cloud-based server management, but you won’t know for sure if it’s the right call to make without talking to the IT professionals at NuTech Services. Call us today to find out more at 810.230.9455.

Jul, 2019

How Much Risk Can the IoT Cause?

The Internet of Things is rapidly growing in popularity, which makes it all the more likely that some IoT devices will make their way into your office. Also growing: the reputation that these devices have as vulnerabilities to your organizational security. In an increasingly connected world, it is important to remember how the IoT could quickly become a hindrance to your business if not managed properly.

Let’s explore some of the risks that the IoT can present.

The Security Issues of the IoT

The Internet of Things has added utility to many devices, expanding their potential in ways that would otherwise be impossible. This has only been further augmented by the access to personal devices that many employees enjoy through Bring Your Own Device policies.

However, these benefits have come with an assortment of considerable risks alongside them. Devices that are a part of the IoT are notoriously vulnerable to many cyberattacks, which means that they could potentially be used as a point of access to your business’ network. From there, a cybercriminal has plenty of opportunities to create issues – whether that’s by stealing your data, hijacking your devices to be used in a botnet, or whatever their goal may be.

This problem is only exacerbated by the tendency for IoT devices to go without updates, whether through the negligence of the manufacturer or of the consumer. Without these updates, security flaws go unresolved, and the devices are thereby left vulnerable.

Consider how many devices are now manufactured that connect to the Internet. Smart watches and other wearables, smart speakers and televisions – really, almost anything with the word “smart” in its name – we have more or less surrounded ourselves with the Internet of Things. This includes the time we spend in the workplace, despite many of these devices not being visible on the network to IT. As a result, it has become almost impossible to track all the devices that attach to a network, which has developed into a new issue for businesses.

Shadow IoT

Thanks to the public demand for convenience and advanced functionality, more and more IoT devices are being manufactured all the time. If any of these devices makes its way into your office without the knowledge and approval of IT, you have a shadow IoT problem.

If you do, you aren’t alone.

In 2017, 100 percent of organizations surveyed by an IoT security firm were found to have consumer IoT devices on the network that qualified as shadow IoT. Another report, from 2018, stated that one-third of United States, United Kingdom, and German companies have over 1,000 shadow IT devices on their networks every day. Combine this with the security shortcomings discussed above, and you have a recipe for a cybersecurity disaster.

You may remember the Mirai botnet, which struck back in 2016. This botnet was built up of over 600,000 devices at its peak and focused primarily on IoT devices. Once these devices were identified by Mirai, they would be attacked and infected, adding more computing power to the botnet. Mirai is far from the only example, too… cybercriminals have been known to hack into IoT devices to gain network access, spy and listen in on conversations, and otherwise prove themselves to be a nuisance.

How to Minimize Shadow IoT

Clearly, shadow IoT isn’t a good thing for any organization. There are a few things you can do to help protect your business from the security issues that shadow IoT can cause.

Accept IoT devices in the workplace. If your employees really want to use one of their devices at work, they’re going to. Instead of shooting down requests to bring in these devices, make it easier for your employees to do so through the proper channels – and make sure your employees are aware of these channels. Openness and cooperation can be effective tools as you try to get your team on the same page you’re on.
Keep IoT devices separate. To better protect your network, you will want to consider utilizing a dedicated Wi-Fi network for IoT devices, configured to allow them to transmit the information they generate while blocking any incoming calls to them. This will help prevent threats from being transmitted to IoT devices.
Seek out potential threats. Not all shadow IoT necessarily can be found on an organization’s network, as over 80 percent of the IoT is wireless. This means that you need to be monitoring your wireless signals for shadow IoT devices and networks.

Your business’ security is important – too important to be undermined by an insecure consumer device that was brought in without your knowledge. You need to get out ahead of shadow IoT, as well as the other threats that could do your business harm.

NuTech Services can help. Our professionals are well-versed in cybersecurity best practices and how to use them to your benefit. To find out more about what we can do for your business, reach out to us at 810.230.9455.

Jun, 2019

The Time Has Come for SQL Server 2008 and 2008 R2

Software solutions don’t last forever. While patches and security updates can stave off the inevitable for quite some time, it’s impossible to maintain a specific solution forever. Support is eventually cut off, and businesses are left exposed if they haven’t taken the time to prepare. In the case of Microsoft SQL Server 2008 and 2008 R2, you are running out of time.

Outdated software is an issue that all businesses have to deal with. The fact that so many organizations don’t routinely update their software solutions is pretty telling. For one, many businesses simply don’t have the resources at their disposal to make sure maintenance is performed on a regular basis. Granted, unless a business has taken substantial steps toward upgrading away from software that has reached its end of support date, they will have to suffer the consequences.

What Does “End of Life” Mean?

End of Life, also known as End of Support, is a term that is used to identify software that is not updated or patched after a specific period of time has passed. Certain Microsoft products can utilize the Extended Security Update, but only for a maximum of three years, meaning it’s more efficient and cost-effective to upgrade away from your old systems before they reach the end of support date.

What You Need to Do

How would your business be affected by a potential security breach? Since you won’t be receiving security patches or updates, you’ll need to consider this possibility. Following a major security breach, you’ll be forced to upgrade your systems anyway, so not only will you have those costs, but you’ll have to deal with the fallout of a data breach. It’s never too early to start taking preventative measures and think about the future of your infrastructure, as well as who will be responsible for the management, maintenance, and upgrading of your business technology.

Before Windows SQL Server 2008’s End of Support date arrives, consult this list of upcoming end of support dates and take the necessary steps to upgrade your technology. It’s better to do so now than wait until it’s too late.

We Can Help

Worrying about your business’s IT infrastructure is something that you simply don’t have time for. A managed service provider like NuTech Services can help you achieve affordable and accessible technology support, including the updates and patches needed to maintain network security. We can even help monitor your infrastructure for potential End of Support software that will soon be outdated. To learn more, reach out to us at 810.230.9455.

Jun, 2019

Even Small Businesses are Targets for Hackers

Do you ever think of your business as too small of a target to matter to hackers? Some organizations actually do believe this, and that notion is effectively a trap. The thing that all businesses need to keep in mind is that all organizations, regardless of which industry they fall into, as all companies have data that’s valuable to hackers. We’re here to prove it and ensure you know the best way to protect your data.

Profitable Types of Data

Believe it or not, even a small business with a handful of clients has data worth stealing. You’re in business to make money, and by virtue of this fact, you likely collect and store financial information. In fact, you collect a ton of valuable data. The type of data that hackers are looking for.

In addition to all of the financial details you collect, there is also all of the contact information regarding leads, clients, and customers. With so many emails and phone numbers stored on your infrastructure, hackers can have a field day. They will have all the information they need to steal funds, distribute malware, and create unpleasant situations for your business.

The Unpredictability Factor

Not all hackers have any specific goal in mind when they hack you. Sometimes all they want to do is make your life miserable. The unpredictability associated with hackers is one of the most dangerous parts of them, as they can take advantage of any overlooked vulnerabilities to create a problematic situation for you.

The Impact of Security Negligence

If your business falls victim to a hacker, it’s certain to affect your business’ operations. In some cases, it could be subject to compliance fines that could break your budget and put your business at greater risk. Furthermore, you could lose access to important data that makes your business work, threatening its future and all but guaranteeing that recovery can never happen. Therefore, the importance of protecting your network can never be overstated.

NuTech Services can help your business implement the security solutions needed to maximize protection from threats. To learn more about what we can do for your organization, reach out to us at 810.230.9455.

Jun, 2019

Staff Education Goes a Long Way in Preventing Security Issues

In a perfect world, keeping your antivirus updated and having a good firewall in place would be enough to protect your business from cybersecurity threats.

Unfortunately, most attacks still come in through email, and can slip by your users. Even the most complex cybersecurity platforms used by massive corporations and governments can be foiled by a simple phishing attack, and your end-users are your last line of defense.

How Can an Employee Fall Victim?

Phishing attacks are designed to look real. An email might come in looking like a valid message from Paypal, a bank, a vendor, or even from another employee or client. Hackers use several tricks to make the email look real, such as spoofing the address or designing the content of the email to look legitimate.

Unfortunately, if the user clicks on the link in the email or downloads the attachment, they could open themselves and your company up to whatever threats contained within.

Commonly, this leads to stolen sensitive information, or installs malware on the device, or grants the hacker the ability to log into the user’s bank account.

While having strong IT security can reduce the amount of these phishing attacks that come in, a percentage can be tricky enough to bypass your firewalls and content filters, exposing your staff to situations that could your whole endeavor in

Educate Your Employees

It’s important to teach employees how to catch a phishing attack. We recommend sharing the following steps with your staff, or even printing them out and posting them around the office:

Carefully hover (don’t click!) over links and see if they go to a legitimate URL. If the email is from Paypal, a link should lead back to paypal.com or accounts.paypal.com. If there is anything strange between ‘paypal’ and the ‘.com’ then something is suspicious. There should also be a forward slash (/) after the .com. If the URL was something like paypal.com.mailru382.co/something, then you are being spoofed. Everyone handles their domains a little differently, but use this as a general rule of thumb:
1. paypal.com – Safe
2. paypal.com/activatecard – Safe
3. business.paypal.com – Safe
4. business.paypal.com/retail – Safe
5. paypal.com.activatecard.net – Suspicious! (notice the dot immediately after Paypal’s domain name)
6. paypal.com.activatecard.net/secure – Suspicious!
7. paypal.com/activatecard/tinyurl.com/retail – Suspicious! Don’t trust dots after the domain!
Check the email in the header. An email from Amazon wouldn’t come in as noreply@amazn.com. Do a quick Google search for the email address to see if it is legitimate.
Always be careful opening attachments. If there is an attachment or link on the email, be extra cautious.
Be skeptical of password alerts. If the email mentions passwords, such as “your password has been stolen,” be suspicious.

Phishing Simulation

Another great tactic is to have regular phishing simulations. This is where we create a series of fake phishing emails (don’t worry, it’s safe), and randomly send it to your staff. When someone falls for the attack, we send them educational information to help them prevent being tricked by a real one.

We’ve found this to be very effective, without taking a lot of time out of an employees already busy day.

Are you interested in helping to protect your staff from falling victim to phishing attacks? Give us a call at 810.230.9455.

Jun, 2019

Is Blockchain a Shield for Cybercrime?

Blockchain technology is all the rage these days. Business owners are going to start hearing this buzzword as a bullet point in software solutions. Developers from all over the world are trying to harness the power of encrypted, distributed data, mainly due to the reputation that blockchain has regarding the “unhackable” permanence of the data stored upon it. However, it as powerful as blockchain is purported to be, it isn’t totally infallible.

How Blockchain Has Been Shown to Be Vulnerable

Let’s face it… blockchain technology is a human invention, which means that there are going to be some flaws.

Admittedly, the concept behind the blockchain makes this hard to believe: every transaction made through the blockchain, financial or data-based, is given a permanent, designated “block” in the chain. Before the transaction is completed, the rest of the network needs to approve this new block’s validity. The block is then added to the chain, where it cannot be altered and provides an unchangeable record of the transaction – to undo it, a new block would be created. It is only then that the transaction is completed.

While this method may seem foolproof, even “unhackable”, this just isn’t the case. In March of 2014, cybercriminals managed to steal $450,000,000 worth of Bitcoin through a transaction mutability vulnerability, and in June of 2016, cybercriminals managed to steal approximately $60,000,000 by leveraging a recursive calling vulnerability.

Additional Blockchain Vulnerabilities

Again, as a human creation, there are going to be some flaws in blockchain platforms. One investigation revealed that some blockchain and cryptocurrency platforms had over 40 vulnerabilities.

51% Vulnerabilities

Many of blockchain’s vulnerabilities have more to do with the nature of the platform as well. One such vulnerability is known as a 51% vulnerability, and is associated with mining cryptocurrencies. Let’s assume you are a cryptocurrency miner. If you manage to accumulate hashing power that exceeds more than half of what the blockchain contains, you could leverage a 51% attack to manipulate the blockchain to your own advantage.

Naturally, more popular blockchains, like Bitcoin, are far too expensive to be practical targets, but smaller coins are much more affordable to attack and can be lucrative for hackers. In 2018, 51% attacks were leveraged against less popular cryptocurrencies, netting the attackers approximately $20 million.

Security of Private Keys

Using a blockchain requires a user to have a private key. Naturally, if this key were to be stolen, those cybercriminals who stole it would be able to access and tamper with that user’s blockchain. What’s worse, because the blockchain is decentralized, these kinds of actions are difficult to track and even harder to undo.

Breach Examples

As you might imagine, most breaches involving a blockchain are in some way tied to an end user. In 2017, a fraudulent cryptocurrency wallet service was left up for months as the cybercriminal responsible allowed people to funnel their cryptocurrencies into it before stealing $4,000,000 – out of a reported total of $2 billion being stolen since 2017 began. In January 2018, it was disclosed that hackers stole private keys with malware, taking over $500,000,000 in NEM coins (a now-effectively-worthless cryptocurrency established by a nonprofit).

If hackers are able to steal from a purportedly “unhackable” technology, what’s to stop them from stealing from your business?

Cybersecurity solutions from NuTech Services, that’s what. We can set up the security solutions your business needs to protect its data, and monitor your systems to detect breaches preemptively, preventing a security issue from happening. To learn more about what we can do, reach out to us at 810.230.9455.

May, 2019

Taking an Exploratory Stab at Spear Phishing

Chances are, you’ve heard of “phishing” – a cybercriminal’s scam that steals data, access credentials, and other sensitive information by fooling a user into thinking they are providing this information to someone who is supposed to have access to it. However, there are a few different kinds of phishing, based on how it is carried out. Here, we’ll discuss the realities of spear phishing, and the risks it poses to your business.

What Makes Spear Phishing Different?

As a rule, spear phishing is a much more precise and personalized process. To keep to the “fishing” analogy, a generalized phishing campaign casts a wide net, trying to snare as many victims as possible with their scam. Utilizing vague and generic language, the ‘typical’ phishing attack is made to appear to come from a large organization, informing the user of some need for the user to take action, resulting in the hacker gaining access to the user’s information. This methodology makes the typical phishing attack fairly effective against many people, while simultaneously easier to spot if one knows the warning signs.

By comparison, spear phishing is far more precise. Instead of trying to find value in the quantity of targets snared in a trap, spear phishing takes the opposite tack. Using a highly targeted approach, spear phishing attacks are directed toward a specific individual within an organization.

This specified approach means that the generic messages that many phishing attempts leverage simply won’t be enough to fool the intended target. Instead, the hacker has to play investigator, seeking out as much information as they can about their intended target. Where do they work? What is their position in the company? Who do they frequently communicate with? Once the hacker has collected enough information to create a convincing message, they will typically spoof an email to their target. This email will usually contain some reference to a known contact or some in-progress project to make it more convincing and will request that the recipient download a file via a provided link.

However, while the link will direct to what appears to be a Google Drive or Dropbox login page, it is just another layer to the deception. Entering credentials into this page will give them right to the hacker for their use, breaching the user’s security and putting the entire business at risk in one fell swoop.

What Methods Do Spear Phishers Use?

Due to how spear phishing works, the messages sent by hackers need to be as convincing as possible. Combining extensive research with some practical psychology, a hacker has more ammunition to power their attacks.

As mentioned above, spear phishing is far less generic than the average phishing attempt. By referencing specific people, things, and events that mean something to the target, or appearing to come from an internal authority (a manager, perhaps, or even the CEO), the hacker can create a message that is less likely to be questioned. If the hacker writes their messages without any spelling or grammatical errors, as many spear phishers do, it only becomes more convincing.

These hackers are so reliant upon their target being fooled; many will purchase domains that strongly resemble an official one. For instance, let’s say you owned the domain website-dot-com. If a hacker decided to pose as you to launch a spear phishing attack, they might purchase the domain vvebsite-dot-com. Without close inspection, the switch may not be noticed – especially if the hacker creates a good enough lookalike website.

Am I A Target?

Of course, the research that a hacker has to do to successfully pull off a spear phishing attack is extensive – not only do they have to identify their target, they also have to figure out the best way to scam this target. Generally speaking, a hacker seeking to leverage spear phishing will focus their efforts on anyone in an organization who could potentially access the information that the hacker wants but isn’t high up enough in the organization to question an assignment from above.

Or, in more certain terms, a business’ end users.

In order to minimize the chances that a spear phishing attack will be successful against your company, you need to make sure that everyone subscribes to a few best practices. For example:

Pay attention to the finer details of an email. Is the message actually from christine@contactcompany.com, or does the email address actually read kristine@companycontact.com? Did Christine/Kristine include any attachments? As these can be used to spread malware via email, you should avoid clicking on them unless you are certain the message is legitimate.
Is the message written to sound overly urgent? Many phishing messages, especially spear phishing messages, will try to push an action by making it seem as though inaction will lead to a critical issue. Another warning sign to look out for: any deviation from standard operating procedures. Don’t be afraid to question a sudden switch from Google Drive to Dropbox – it may just be the question that stops a spear phishing attack.
Speaking of questioning things, don’t hesitate to make sure that any messages you suspect may be spear phishing aren’t actually legitimate through some other means of communication. A quick phone call to the alleged sender will be well worth avoiding a data breach.

While spear phishing is a considerable threat to your business, it is far from the only thing you need to worry about. NuTech Services can help your business secure its IT solutions and optimize them for your use. To learn more, subscribe to our blog, and give us a call at 810.230.9455.

May, 2019

Tip of the Week: Your Phone Can Work as Your Security Key

If you’re like most people nowadays, your mobile phone is currently well within your reach (and that’s assuming you aren’t reading this blog on it). The fact that most people keep their phone on them at all times has greatly contributed to these devices becoming a part of any given work-related process. One major way is the implementation of two-factor authentication, which we’ll discuss as a part of this week’s tip.

As we begin, it is important that we acknowledge that the Android operating system has been granted FIDO2 certification. In other words, the FIDO (Fast IDentity Online) Alliance has given the Android OS their seal of approval in regard to the authentication standards that the Alliance has set.

What Does This Mean?

In very simple terms, any Android device running 7.0 or higher with the latest Google Chrome update installed can be used as part of a two-factor authentication strategy – more specifically, as a security key. This includes the support that FIDO2 offers for onboard fingerprint scanners as a means of identity authentication. Currently, this authentication standard is only supported by Android, with no indication of Apple devices incorporating it.

In no uncertain terms, this all means that passwords may soon be phased out.

Abandoning Passwords

Passwords have been the standardized form of authenticating one’s identity for quite some time, despite the potential issues that are present with them. How often have we seen just how many ways a determined cybercriminal has to obtain a password? Between insecure databases filled with credentials and unfortunately successful phishing schemes, millions of accounts have been exposed – and that isn’t even taking all the times an insecure password was guessed into account.

The biggest weakness that any password has is the fact that it can be shared at all, that someone other than the owner can use it. Over any other reason, this is why FIDO2 is likely to become as popular as it is expected to be. When was the last time you successfully shared a thumbprint with someone, after all? Furthermore, FIDO2 keeps all of the information that is pulled from its biometrics onboard the device, keeping it safe from being stolen on the Internet.

As an added bonus, FIDO2 won’t allow the user to input their fingerprint’s biometric data into websites that don’t have sufficient security measures in place.

How to Use Your Android Device as a FIDO2 Security Key

In order to leverage your Android device as a security key, you need to make sure that it meets a few benchmarks. First and foremost, you’ll need to be running at least Android 7.0, with the latest version of Chrome installed. You will also need to have Bluetooth activated, and a Google account with two-step verification enabled.

This is somewhat simple to do. Logging into your Google account, access the Security section. Here, you’ll find the option to activate 2-Step Verification. After a short process, your smartphone will work as a security key.

Authenticating Google Sign-Ins with Your Phone

As long as you have enabled both Bluetooth and Location on your mobile device, any Google service you try to access will prompt you to confirm the sign-in attempt via your phone. This process is exceptionally simple – all you have to do is press Yes on your phone and wait. Once you’ve done so, you can confidently access your Google account, securely. As more developers adopt FIDO2, this enhanced security will only appear more often.

What do you think of this new authentication method? Share your impressions in the comments! While you’re there, let us know if there are any other tips you’d like us to cover!

Apr, 2019

United States Citizens Demand Data Privacy… How Will It Impact Your Business?

With over 90 percent of people in the United States feeling as though their data is out of their hands, it should come as little surprise that many are looking towards the European Union’s General Data Protection Regulation as inspiration. However, how close is the United States to passing this kind of legislation… and how will smaller businesses fare if (or when) some is passed?

The GDPR (In a Nutshell)

Under the GDPR – which came into effect on May 25, 2018 – any companies that have collected data on a resident of the European Union are then responsible for protecting that data. Furthermore, the GDPR grants these residents a far higher level of access and control over the data that organizations possess.

How United States Citizens Have Reacted

According to a poll, data privacy has become a bigger priority for 73 percent of respondents, 64 percent stating that they felt the security of their data was worse than it has been in the past. 80 percent want the ability to learn who has purchased their data, while 83 percent want the ability to veto an organization’s ability to sell their data in the first place. 64 percent also stated that they want the ability to have this data deleted.

How the Government Has Reacted

Governing bodies at different levels have had different reactions to these demands. For instance, the state of California has already passed the Consumer Privacy Act (CCPA) – a piece of legislation that the House of Representatives’ Consumer Protection and Commerce Subcommittee isn’t too fond of, as its position is that there needs to be a singular piece of legislation at the federal level to protect data. As of right now, data privacy is addressed in a combination of state laws and some proposed federal laws.

One of these proposed laws, the Data Care Act, spells out that (in addition to promptly alerting end users to security breaches) a service provider cannot legally share a user’s data without the receiving party also being beholden to the same confidentiality standards. Others include the Information Transparency and Personal Data Control Act, which requires transparency and personal control over data, the Consumer Data Protection Act, which could throw executives in prison for abusing data, and the American Data Dissemination Act, which sets a deadline for the government to enact privacy requirements upon businesses.

However, when the Consumer Protection and Commerce subcommittee met to discuss the prospect of a federal privacy law (which it was agreed was necessary), there weren’t any representatives for the average consumer – the ones whose data is really at stake. This reflects the hearings held last year by the Senate, also without consumer representation. Instead, technology companies were invited to participate during both sessions.

Small Business Concerns

That being said, there is very little support among the committee for any regulations that are at all similar to the GDPR. One reason for this: the fear that small businesses will not find themselves able to afford the added cost of compliance.

For instance, there are a variety of potential burdens that such a measure could potentially impose upon small and medium-sized businesses. These burdens include:

All-encompassing overhauls that would result in lost business
Business failure due to inadequate budgets to make the demanded changes
Impeded growth after regulations are put in place
Prerequisites becoming too great to start a business in the first place
Costs passed down to SMBs from larger companies for technology services

It is worth noting that if your organization does business with people from the EU, you are responsible to adopt the privacy rules of the GDPR.

What do you think? Are laws like these necessary, especially given the cost they could put on small businesses? Have you had any data privacy concerns in the past? Share your thoughts in the comments.

Apr, 2019

Colleges Have a Lot of Data to Protect

Colleges and universities are part-time homes to more than 16 million people, and employ over 1.5 million more. Most of them utilize the networks set up by the college’s bevy of IT administrators. If you consider that most people have difficulty keeping viruses and other malware off of their personal computers, opening up networks that facilitate this kind of user demand can be tricky. Today, we ask: can a campus’ network every truly be secure?

Birth of the Internet

The first Internet was born on college campuses. It was built by intellectuals, for academics, without the massive list of considerations that now accompany software development. It spread quickly, of course, and somewhere, pretty early on, it was decided that by being able to support commerce, the Internet could become one of the west’s greatest inventions.

This came to fruition in 1984 when the first catalogue was launched on the Internet. This was followed by the first e-store (at books.com) in 1992, and the first software to be sold online (Ipswitch IMail Server) in 1994. Amazon and eBay launched the following year and the Internet has never been the same.

By then, the academic uses for the Internet had multiplied, as well. By the time Amazon launched, many colleges and universities were offering students access to the Internet as an important part of their continuing education. Boy, was it ever.

Today, you’ll be hard pressed to find a classroom (outside of the poorest school districts in the country) where every classroom isn’t Internet-ready.

College Internet Needs and Cybersecurity

This stands true in university and college circles, as well. Campuses today are almost completely connected. You’ll be hard pressed to find a place on a modern campus that, as long as you have security credentials to do so, you can’t gain access to an Internet connection. In a lot of ways, it is the demand for access that makes network security a major pain point for the modern college. Firstly, having to protect computing networks from a continuously variable amount of mobile devices is difficult. Secondly, the same attacks that plague businesses, are also hindering IT administrator efforts at colleges.

Colleges themselves aren’t doing anyone any favors. According to a 2018 report, none of the top 10 computer science degrees in the United States require a cybersecurity course to graduate. Of the top 50 computer science programs listed by Business Insider only three require some type of cybersecurity course. Moreover, only one school out of 122 reviewed by Business Insider requires the completion of three or more cybersecurity courses, the University of Alabama. Regardless of the metric, it’s clear that learning cybersecurity is not a priority for any school.

Are There Cybersecurity Problems Specific to Colleges?

The short answer is no. That’s why it’s so important to get people thinking about cybersecurity any way they can. No industry can afford to have the skills gap between people that hack and the people looking to stop them grow any wider. This is why, no matter what you do (or plan on doing) for a living it’s important to understand what your responsibilities are and how to get them into a place that can help your organization ward off these threats from outside (and sometimes inside) your network.

Many colleges have turned to companies like Cyber Degrees to help them not only educate the people utilizing the college’s networks to why cybersecurity awareness is important, but also help people understand that with the rise of cybercrime and hacking-induced malware, that cybersecurity has become a major growth industry with many facets. In 2015, the Bureau of Labor Statistics found there were more than 200,000 unfilled cybersecurity jobs in the U.S. With curriculums not prioritizing cybersecurity, and with threats growing rapidly, imagine how many are unfilled today. As demand rises for competent individuals to fill a multitude of jobs in the computer-security industry, colleges need to do a better job prioritizing cybersecurity training.

For the business looking into protecting itself, look no further than the cybersecurity professionals at NuTech Services. Our knowledgeable technicians work with today’s business technology day-in and day-out and know all the industry’s best practices on how to keep you and your staff working productively, while limiting your exposure to risk. Call us today at 810.230.9455 to learn more.

Mar, 2019

Getting to Know About Phishing Attacks Can Keep Your Business Safe

There’s a big reason why phishing is a primary threat to businesses, and it’s because this method gives hackers a relatively risk-free way of gaining access to a network or other resources. Even being aware of the issue is often not enough to prevent it, as hackers are known to get quite aggressive and crafty with their phishing campaigns. If only a fraction of the 57 billion phishing emails that go out every year are taken seriously, hackers make quite a bit of profit off of users.

As a result of this increase in phishing attacks, endpoint security has grown much more focused, but the issue with phishing isn’t necessarily an issue with the strategies surrounding your technology–rather, it’s an issue relating to your organization’s users and their tendency for failure. Now, we know this sounds a little harsh, but it’s been proven time and again that employees need security training on how to handle credentials and other sensitive information. Let’s take a look at a couple different types of attacks you can be exposed to, and what you can do to keep your organization from becoming just another company that has suffered from a data breach.

Deceptive Phishing
Deceptive phishing is one of the most common types of phishing scams, and it aims to fool unsuspecting users into handing over sensitive information. This happens when the hacker sends a message to users that impersonates an actual person or company that the organization has some sort of relationship with. These hackers use deceptive phishing to convince users to hand over information like passwords, usernames, account numbers, etc. Since official credentials are being used to access these accounts, it doesn’t immediately become a security concern.

For the most part, these deceptive phishing messages are either ignored by the users, caught by filtering technology, or disregarded when they’re accessed. Unfortunately, the handful that actually do fool the end user are worth the hundreds-of-thousands that are sent to others. To keep your business from making this fatal mistake, you need to focus on increasing awareness of what makes phishing attacks so much different from your average legitimate email.

Some of the telltale signs of phishing messages include misspelled words, problems with sentence structure, and suspicious attachments or URLs. Always hover your mouse over a link before clicking on it to determine its location, and never download an attachment unless you know who’s sending it. Another thing to look out for is any financial institution or vendor demanding payment or access to your account–there are other, more official methods of outreach for methods such as these; and no bank or similar institution will ever, ever ask you for passwords.

Spear Phishing
Spear phishing attacks are targeted attempts against a specific user. For example, someone who sees a message from a coworker might let their guard down, but this doesn’t necessarily mean the message is safe. It just means that some hacker managed to find a way to mimic the sender in a way that is extremely convincing. Spear phishing attacks will often know the target’s name, title, company, work phone number, and much more–all to seem as authentic as possible so the user will click on a malicious attachment or URL.

Even social media isn’t safe from this trend. LinkedIn, for example, is one of the most common places where spear phishing is leveraged. It might be used for connecting with other business professionals, but it’s not hard for a hacker to imitate a business professional. We aren’t saying that you need to avoid social media like the plague, only that you should approach it with some sensible caution.

Pharming
That being said, more people are learning about these attacks by the day, meaning that some hackers have ceased these types of attacks for fear of their efforts being for naught. Instead, they turn to a practice called pharming, which is using an organization’s DNS server to change the IP address associated with the website name. This gives them a way to direct users to malicious websites to steal their legitimate credentials.

To prevent this from happening, it’s very important that you tell your staff to be sure they are entering their credentials into a secured site. The best way to make sure this happens is to look for the “https” in the hyperlink, as well as a padlock icon next to the address. It also never hurts to have an antivirus solution on each endpoint within your organization.

NuTech Services can help your business stay as secure as possible. To learn more, reach out to us at 810.230.9455.

Mar, 2019

Biometric Authentication Becomes More Commonplace

Biometrics are a common sight in futuristic or science-fiction settings, but they are increasingly entering the real world in practical ways. In fact, similar technologies are being implemented every day for businesses all over the world. Let’s take a look at some of them, as well as what benefits they provide these organizations.

What Are Biometrics?
Biometrics are a method of authentication that uses some sort of physical attribute or qualifier rather than a password or a key code. Some examples include fingerprints, voice patterns, typing rhythms, and so much more. They are easier to use than your typical passwords or key codes, and even better, they can be used in conjunction with traditional security measures and practices.

Let’s take a closer look at what some of these biometrics are, as well as the most practical way to implement them.

Biometric Types
There are two major categories for biometrics: physical identifiers and behavioral identifiers. Physical identifiers are by far the most common:

Signatures: Signatures are one of the unique ways you can identify an individual, and you’ve surely seen this biometric used at least once somewhere or another. Whether it’s a transaction or an agreement, a signature can do much to guarantee someone’s authenticity.
Fingerprints/Physiological Attributes: This particular biometric is often used to secure smartphones. Fingerprints can be used to determine the identity of the user, as well as various other physiological attributes, like palm scanning, retinal scanning, and facial recognition.
Voice: Voice-based authentication is common all over the place these days, whether it’s a personal user issuing commands to a virtual assistant or a business using voice authentication to navigate automated answering systems.
DNA: The technology to implement DNA sequencing into authentication is still a ways off, but it’s closer than you might think.

There are other behavioral identifiers that are used for biometric authentication. While these methods are still in development, here are a few examples of them:

Typing Patterns: People all write in different ways, and the same goes for typing. Therefore, this can be used to determine the authenticity of the user based on their keystrokes and the pressure applied to the keys.
Navigation and Engagement: In a similar fashion, the way that people navigate applications and systems can also determine identity. Mouse movements are quite showing, as well as how we hold devices.

Reliability (and Risks) of Biometrics
Biometrics are proving problematic to an extent, mostly because they can be inconsistent. Voices can vary depending on the user’s health or age, and faces can change based on a clean-shaven (or bearded) face, a haircut, or a pair of glasses. There are ways to work around this system, and with biometric authentication, there is much that needs to be taken into account.

Security is a Major Concern
This kind of data needs to be heavily protected, as it not only exposes sensitive information, but personal information as well. These kinds of credentials are also not easily changed, as they are heavily based on physical traits. For these reasons, biometrics may take some time to be adopted as the norm.

What are your thoughts on biometrics? Let us know in the comments.

Mar, 2019

Microsoft Launches Office 365 Advanced Threat Protection

Microsoft has been at the forefront of security through their numerous operating systems for decades. As the security of computing systems and communication gets more important, and with threats to that security growing exponentially, the world’s leading software company has made it a point to introduce a new security platform to help people in many walks of life keep their endeavors secure. Today we’ll look at the new security & compliance services that are bundled with the Microsoft 365 cloud platform.

Microsoft’s Dedication to Security

Microsoft has as good of a handle on the nature of cybersecurity as any other major software company. The sustainability of their business and the effectiveness of their products are dependent on it. If their security software didn’t work well, there is no way they could sustain their place as the world’s most important software company, right?

One problem they are running into is that their security is SO effective, that hackers had to shift the ways they tried to infiltrate networks and steal data. The establishment of phishing is a social engineering term for duping a victim into downloading software that’s only purpose is to gain access to their personal data, which leads to data and identity theft, and in the case of business computing, access to much more.

Businesses Have Trouble with Security

Today’s business has to deal with a lot of different security issues. First, they are responsible for having the technology protections connected to each part of their computing infrastructure. This can be as simple as having the router-supplied firewall and an antimalware program loaded on their server. It’s likely, however, that the average business will need more coverage over their network to secure it, and the data stored behind those security platforms.

Next, and maybe most crucially, it is the business’ responsibility to train its staff on what kind of issues to look out for. Today, most malware infections and other infiltrations are the result of a mistake made by a person that has credentials and access to data. If your organization doesn’t properly train your staff on how to eliminate these threats, there is a fair chance that your network will be inundated with some type of malware at some point.

Microsoft 365 Security and Compliance

Microsoft, acknowledging the need for an enterprise product that combines the power of their Windows 10 operating system, the productivity options presented from Office 365, and powerful security and compliance controls, has launched Microsoft Office 365. The cloud-based solution presents the core computing resources that any business could use in a product that is available right now from NuTech Services.

Our knowledgeable technicians can help you find the right security platform for any of your business’ computing needs. Call us today at 810.230.9455.