Cyber Security is Everyone’s Job
[September 2023] Every company has its policies on cyber security. Depending upon the size of the company and network, procedures can be relatively simple and rely on each user, or there is an IT department with policies that can make things easier or harder. Seeing the purpose of the policies and working with them makes everyone safer.
In the “real old days,” there was a password of the day that needed to be used to get past the guards. Forgetting the password could be fatal.
In broadcast, many of us remember the red envelopes that contained the EBS validation codes – and hoped we would never have to open one of them.
Today, the average person holds something like 27.6 passwords. Trying to keep up with them can be a difficult task. Meanwhile, bad actors worldwide are trying to break in, steal information, destroy data, or threaten blackmail.
And, yes, you must watch out for yourself and your company. If you get breached, it could affect everyone. Cyber security is everyone’s job.
Some days, it is enough to want never to touch a computer again!
THE LATEST SCAMS
We will talk about passwords in a minute, but let us first consider the other scams that are being used to try to harm you.
Among them are bad URLs, vishing, fake invoices, and AI. If you do not already know how important it is not to click on a link you are unsure of – even if it appears to come from someone you know – you should probably stop reading here and turn off your computer.
You may not like your organization requiring 2FA (two-factor authentication – usually a code sent to a phone), but it might catch some bad actors before they break in.
WHAT WAS OLD IS NEW AGAIN
One of the latest scams is one of the oldest. Perhaps you heard about the Las Vegas casinos that had their systems hacked recently, confusing everything and making life miserable for hotels and their customers.
The key seems to have been someone who “socially engineered” – sometimes called “vishing” or voice phishing – an entry to an account. By talking to the Help Desk, they managed to get enough information to penetrate the network and insert ransomware. Everything from the hotel room digital keys to slot machines was “off-line” while this was going on, and you can imagine the chaos at the Front Desk as clerks tried to assist guests without a computer system.
One report said one hotel paid the ransom demanded while another did not.
If your organization has a Help Desk support group, you will likely notice they are tightening up on what they will do when you call.
THE FAKE INVOICE
While not an instant “hack,” there are numerous websites where hitting their URL – even by a typo – brings up the “you have a virus and need to call this number at Microsoft so we can help you fix it.”
Of course, it is not Microsoft. There usually is no virus (although in recent years, that may be a bit harder to know, for sure), and what they want is your credit card number so that they can put it “into use” by their gang.
Deleting the browser window is the best solution, followed by a security check (your anti-malware is up to date, right?) to be reasonably sure you are OK. True, some of the new hacks seek to get around this, but most problems stop as soon as you close the browser.
In a variation on the bad URL, many folks report getting emails telling them their subscription to something has renewed at some crazy rate, and that if it is not correct, they should click on the link or call the number in the message.
What could this be? Yep, it’s a scam. As people are becoming alert to the typical phone calls from scammers, this is a way to make you contact them!
The first thing is not to panic and click on a link. Check the address of the sender. It will usually be something close to but different than the company “sending an invoice.” Do not call the phone number. You will be “worked” by the person to give them data, including credit card numbers.
If you have been around a while, you will know that anything good will be used quickly for ill purposes.
Maybe you saw the 60 Minutes program recently demonstrating how AI can be used to impersonate someone you know and potentially manipulate you into sending money to scammers. They used the voice of the reporter’s assistant, and neither caught the scam.
One of the significant uses of AI voicing is to try to scam older folks who are begged to help a relative who “got into trouble and desperately needs some cash.” The voice does not always have to be perfect, but it can be dangerous if the bad guys can get a sample of someone you know.
JUST REFUND THE DIFFERENCE
One scam that has been reported often on “For Sale” sites involves someone sending a check larger than the agreed price.
The scammer says, “Oh, we made a mistake. Just ‘refund’ the difference, and all will be well.” That is a tipoff that the check received is a fake. Never send a refund, even if your bank accepts the incoming check.
When it bounces, you will be out the ‘refund’ money and what you sold.
WHAT IS THE PASSWORD?
This brings us back to securing your computer and the local network (LAN).
The bad guys can attack you from several different directions. If you were to look at the logs of your email server, you would see constant dictionary attacks and other attacks, from simple phishing to plain old brute force attacks.
Even if you know the dangers and feel relatively safe, there are two ways to be targeted before you even know it.
First, the problem is that many people use the same password on multiple sites: 73.6% admit to reusing the same password for multiple accounts. An interesting discussion of America’s Best and Worst Password Security Habits can be found here. It might motivate you to make some changes in your cyber security activities.
Why is this bad? If a hacker gets your password, he will try every other site he can find – banks, credit cards, etc. – with the same credentials. He does not need to know where you bank; he will try them all. Does that worry you? It should.
But maybe you do not reuse the same password as much as many do. Perhaps you have developed a password protocol where you use phrases and/or other ways to build something that would withstand dictionary attacks (two words will not long survive a dictionary attack – and fewer than 40% use passwords of less than 12 characters).
HASHING IT OUT
Sadly, you do not have to do anything dumb yourself to have a password compromised.
The issue is how hackers work: once they crack one person’s account and password, if they can also penetrate the server and copy the file in which all the passwords are stored as hashes, there is a danger. Once they crack enough of the hash file to find the known password, they can use the same technique to find others on that site – identical passwords produce identical hashes when no per-user salt is used – and could find you, even if you had nothing to do with it.
This generates news stories of half a million or twenty million persons’ data being stolen. Among the uses are blackmail threats.
The solution: either ensure your passwords are lengthy – with non-letter characters in them – or utilize one of the password managers, which can generate long (scores of characters) passwords and bring them up when needed. This can be a file on a flash drive or a full password manager that encrypts your data, making it nearly impossible for bad guys to decode.
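The two points above – that a stolen hash file can expose many users at once, and that a manager-generated random password is the practical defense – can be seen in a few lines of code. The following is an added example written for this article, not code from the page or from any product it mentions. The user names and passwords are constructed sample data; the “unsalted SHA-256” store stands in for the weak design, and the PBKDF2 store with a random per-user salt stands in for how a well-run site should store passwords.

```python
import hashlib
import hmac
import math
import secrets
from collections import defaultdict

# Constructed sample data: a small credential table in which two users
# happen to share the same password, as is common in real user bases.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "Summer2023!",
    "carol": "Summer2023!",
}

PBKDF2_ROUNDS = 100_000  # assumed work factor for this demonstration


def unsalted_store(users):
    """Weak design: one plain SHA-256 per password, no salt.
    Identical passwords yield identical digests, so cracking one digest
    reveals every user who chose that password."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users):
    """Better design: random 16-byte salt per user plus a slow KDF.
    The same password produces a different digest for every user."""
    store = {}
    for u, p in users.items():
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, PBKDF2_ROUNDS)
        store[u] = (salt, digest)
    return store


def verify_salted(store, user, password):
    """Recompute the salted digest and compare in constant time."""
    salt, expected = store[user]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, expected)


def users_sharing_digest(store):
    """Defender's audit of an unsalted store: groups of users whose stored
    digests are identical, i.e. who would all fall to one cracked hash."""
    by_digest = defaultdict(list)
    for user, digest in store.items():
        by_digest[digest].append(user)
    return sorted(sorted(us) for us in by_digest.values() if len(us) > 1)


def salted_digests_collide(store):
    """True if any two users in a salted store share a digest (should be False)."""
    digests = [digest for _, digest in store.values()]
    return len(digests) != len(set(digests))


ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "!@#$%^&*-_=+"
)


def generate_password(length=24):
    """Manager-style random password drawn from a 74-character alphabet
    with the OS CSPRNG (about 6.2 bits of entropy per character)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    print("unsalted duplicates:", users_sharing_digest(unsalted_store(SAMPLE_USERS)))
    salted = salted_store(SAMPLE_USERS)
    print("salted duplicates:", salted_digests_collide(salted))
    print("bob logs in:", verify_salted(salted, "bob", "Summer2023!"))
    print("generated:", generate_password(), f"({password_entropy_bits(24):.0f} bits)")
```

Running it shows the audit flagging `bob` and `carol` as sharing a digest in the unsalted table, no duplicates at all in the salted table, and a 24-character generated password carrying roughly 149 bits of entropy, far beyond what any dictionary attack can reach.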
The downside of a password manager? Do not forget the master password! Really!
BEING SECURE TAKES EVERYONE’S ATTENTION
But, still, perhaps you have had a warning from your browser (many people allow Chrome, Edge, etc. to save their password) that you have a compromised password.
What to do? Consider changing it now!
Furthermore, there are sites on the Internet, like Gibson’s, where you can enter your username and/or password to see if it is “known” somewhere. You should do this. It is an “early warning signal.” Some of these sites will generate a password for you. And, of course, as noted, there are password managers, some free, some with a price. Investigate and see what fits your needs.
Remember: watching out to protect yourself and your company is everyone’s job. Be alert, and everyone benefits.