Lipani Security LLC

A Security & Privacy Company

Category: blog

Spam And Phishing E-Mails How They Work

Posted on by admin

One thing to be careful about is if you are getting emails from sites, you have never used or sometimes do use that could be a phishing email. Phishing emails are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed or fake website or otherwise get you to divulge private information (e.g., passphrase, credit card, or other account updates). the perpetrators then use this private information to commit identity theft.

Another thing to be careful about when using your email is spam. Spam email is a form of commercial advertising which is economically viable because email is a very cost-effective medium for the sender. If just a fraction of the recipients of a spam message purchase the advertised product, the spammers are making money and the spam problem is perpetuated. Spammers harvest recipient addresses from publicly accessible sources, use programs to collect addresses on the web, and simply use dictionaries to make automated guesses at common usernames at a given domain.

Spam is increasingly sent from computers infected by computer viruses. Virus-makers and spammers are combining their efforts to compromise innocent computer users’ systems and converting them into spam-sending “drones” or “zombies”. These malicious programs spread rapidly and generate massive amounts of spam pretending to be sent from legitimate addresses. Spammers use specially designed software to generate false email headers and from addresses. Several email users have been affected by falsified messages claiming to be from the service’s administrators, stating that users’ account is closed and require some action by the user to be reopened. Such messages often contain viruses and should be ignored or deleted.

The general rule of thumb is if an email is in your spam folder it’s probably junk and should just be deleted. Programs like Norton, McAfee, and AVG scan incoming emails when you are using an email client like Outlook or Thunderbird but when using email online like in Chrome or Firefox the software can’t protect for the safest email experience, I recommend using a client with a good antivirus.

When hijackers succeed in sending spam via an email service, it can be temporarily blocked by other services and private domains that try to protect themselves. It’s important that email users protect their own accounts with strong passwords to prevent their accounts from being hijacked. It’s important for all computer owners to install and maintain anti-virus software to avoid having their computer infected and possibly become a source of spam without their knowing. Enabling Two Factor Authentication on accounts is a good idea as we if you wanted added protection on your accounts.

Mac And PC Hard Drive Encryption

Posted on by admin

The one thing you could do to protect your computer in the case of theft is drive encryption. Many people say to me if they steal my laptop who cares its password protected but I always ask if the hard drive is encrypted. Just because it has a password does not mean a skilled hacker cannot hook your device to a computer and get the data this is where drive encryption comes into play.

Let me explain what exactly disk encryption is first. Drive encryption is a technology that protects information by converting it into an unreadable code that cannot be deciphered easily by unauthorized people. Drive encryption uses encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.

Now I know this seems very overwhelming but it’s not. Both Windows and Mac have disk encryption as built-in options in this modern era of computing. If you are using a Chromebook, you are lucky you don’t have to do anything the disk is always encrypted. Only the signed-in user can access their profile data. there is no administrator account that can access everything. So, your data on the Chromebook is always the safest.

Microsoft Windows has its own version of encryption called BitLocker.

To Enable Bitlocker just go to Control Panel – All Control Panel Items – BitLocker Drive Encryption. Just click Turn on BitLocker.

Follow the onscreen instructions they are easy.

On a Mac, it’s easy as well and with the integration of Apple iCloud its easier than ever to turn on the Apple version of drive encryption called FileVault.

Just click on System Preferences – Security and Privacy – Click on the FileVault Tab – Click Turn On File Vault

You will then be asked for your iCloud account info and that’s about it

Personally, I like to use a third-party tool called Symantec PGP Full Disk Encryption as it’s a third-party tool and the inventor of PGP Encryption Phil Zimmermann works for Symantec. Zimmermann is the creator of Pretty Good Privacy (PGP), the most widely used encryption protocol in the world. Symantec PGP Full Disk Encryption will be overkill for most, but you do get much more options than you do with Microsoft or Apple. But for just the average user the built options in Windows and Mac are more than secure enough.  Anyone dealing with sensitive data should use drive encryption.

Any questions about drive encryption contact us.

Password Management and How Passwords Work

Posted on by admin

Passwords are the lifeblood of the internet I mean everything you do online requires a password. A password is defined as a word or string of characters used for user authentication to prove identity or access approval to gain access to a resource while is to be kept secret from those not allowed access. Before we can go over password management let’s explain how passwords work.

When you join a service, you create a username and password. The username and password are stored in an encrypted format either in a database or file. No two username and passwords are the same hash when they are stored.

When you go to log in again to the service you enter the username and password you created when you signed up for the service. The service again encrypts the username and password, then compares the hash against hashes in the file or database if it matches any of those hashes it knows you are a legit person and lets you into the service.

Passwords on good sites are stored encrypted so no one, not even the tell people can see what passwords stored in the file or database are plus if the company should have a security breach the attacker will not get the database just the database hashes. While this is still bad because someone can use a rainbow table attack to get the password it does take the severity of the attack down from just storing the passwords in cleartext.

A rainbow tables attack is a type of hacking wherein the perpetrator tries to use a rainbow hash table to crack the passwords stored in a database system. A rainbow table is a hash function used in cryptography for storing important data such as passwords in a database.

But sometimes your password can get compromised without the site ever getting hacked by something called a brute force attack. A Brute Force Attack is the simplest method to gain access to a site or server (or anything that is password protected). It tries various combinations of usernames and passwords again and again until it gets in.

Similar to a brute force attack a dictionary attack tries only those possibilities which are deemed most likely to succeed. Dictionary attacks often succeed because many people have a tendency to use short passwords that are ordinary words or common passwords, or simple variants obtained, for example, by appending a digit or punctuation character. Dictionary attacks are easy to protect against by using a passphrase or otherwise choosing a password that is not a simple variant of a word found in any dictionary or listing of commonly used passwords.

The best type of password to pick is one at least eight characters in length, has upper and lowercase letters numbers, and a unique character.

Any additional questions contact us.

Cloud Storage Security

Posted on by admin

I would like to take a second to explain more about cloud storage and the security of the cloud. When data is sent from your computer to your cloud storage provider (Dropbox, OneDrive, Google Drive) the data is sent encrypted across the internet to keep it safe from unwanted eyes. But after the data is on the server at your cloud provider it’s not as safe as you think from wondering eyes.

Let me explain when your data is transmitted and stored at the cloud provider it is encrypted but all cloud storage providers have said they can decrypt all your files and can view them whenever they want in particularly if any law enforcement agency comes calling. While I understand the need for this to me this is not real encryption. Encryption to me means that no one can decrypt the data that’s why I prefer Spider Oak for cloud storage and backups.

SpiderOak

SpiderOak is an online backup and files hosting service like Carbonite that allows users to access, syntonize and share data using cloud-based services. SpiderOak is supported almost all platforms’ Windows, Mac, Linux, Android, and iOS

According to SpiderOak, the software uses encrypted cloud storage and client-side encryption key creation, so SpiderOak employees cannot access users’ information. SpiderOak distinguishes itself from its competition like Carbonite, Dropbox, and others because of its encryption technique. SpiderOak does not have a web interface you must use a client for syncing files and folders across multiple devices. Whistleblower Edward Snowden recommended SpiderOak over Dropbox, citing its better protection against government surveillance.

As secure as SpiderOak is I have tried it and it lacks many of the features that Dropbox, Google Drive, and OneDrive have been known to have and be useful. While companies like Dropbox are focused on bringing you great new features SpiderOak is worried about giving you the most security or features that are the most secure. Unfortunately, sometimes you must sacrifice convenience for security.

takeaway

The big takeaway here is yes, your data is transferred securely to places like Microsoft OneDrive, Google Drive, and Dropbox. But when the data is sitting on their servers it’s encrypted but not from the company employees seeing it if they want to for any number of reasons. This is not true encryption. Encryption means the only person who can see your data is you. While your data is secure it can still be read by other people if needed.

If you have additional questions contact us.

Credit Card Online Fear

Posted on by admin

I have been out to dinner with so many people that say they

“I never put my credit card online”

Then in the next five minutes, they hand the waitress their credit card to pay the bill. This entire situation is miss guided by fear when the waitress takes your card how do you know she not taking it to the back to take a picture of or swipe for apps like Square or PayPal. The answer is you don’t know we have all been conditioned to think it’s ok behavior and safe behavior.

There was a news article a while back about this:

Oklahoma waitress has been arrested for skimming patrons’ credit cards at a Twin Peaks restaurant — and it happened during her first day back on the job after an extended hiatus. Rachael Tyler was arrested on June 7 for computer crimes, as well as several outstanding city warrants after a manager spotted her scanning customer’s credit cards with a skimmer at the lodge-style restaurant’s Oklahoma City location on 6500 SW 3rd St., Fox 25 reports.

The 34-year-old had previously worked at the sports bar within the last year, quit, and been re-hired last week, the manager told police, according to NewsOk. It remains unclear currently if she was skimming credit cards during her original period of employment.

The same applies to people who say “I won’t put my card online” then call up the infomercial 1 -800 number and give the person at the other end their credit card number. How do you know that person is not writing all these numbers they collect all day and going home at night and hitting every card for a bonus dollar or 99 cents times that by 100 cards 5 days a week that’s a very nice bonus?

Listen I know it sounds like I am being paranoid, but the sad part is I have seen it or heard of it happening. For additional information contact us.

Dumpster Diving

Posted on by admin

A very common way to get data from a company is what we call old-school dumpster diving. Garbage picking is the practice of sifting through commercial or residential waste to find items that have been discarded by their owners, but that may prove useful to the garbage picker. Garbage picking may take place in dumpsters or in landfills. When in dumpsters, the practice is called dumpster diving in American English and skipping in British English.

Since dumpsters are usually located on private premises, divers may occasionally get in trouble for trespassing while dumpster diving, though the law is enforced with varying degrees of rigor. Some businesses may lock dumpsters to prevent pickers from congregating on their property, vandalism to their property, and limit potential liability if a dumpster diver is injured while on their property.

Dumpster diving is often not prohibited by law. Abandonment of property is another principle of law that applies to recovering materials via dumpster diving. Police searches of dumpsters, as well as similar methods, are also generally not considered violations; evidence seized in this way has been permitted in many criminal trials. The doctrine is not as well established regarding civil litigation.

Companies run by private investigators specializing in dumpster diving have emerged because of the need for discreet, undetected retrieval of documents and evidence for civil and criminal trials. Private investigators have also written books on “P.I. technique” in which dumpster diving or its equivalent “wastebasket recovery” figures prominently. If you can get into a dumpster, it’s a great source of information you can find passwords written on paper you can find phone directories financial information. In the modern era of paper shredders, it’s a lot less common but those pieces of shredded paper put together lead to information a lot of patients and some tape goes a long way.

One thing I tell people is don’t throw all your important shredder trash into the same garbage pickup when I clip a credit card it three, I will put 1 piece in each garbage pickup for the next three weeks. When you’re picking out a shredder don’t pick the cheap staples model that just shreds in one direction pick the shredder that does crisscross and up and down the more way the documents get shredded the better. Pick a shredder as well that cut things into small pieces the smaller the pieces the better. It makes putting the document back together much harder.

One thing I see people do all the time is they will shred a document put throw their backup CDs in the garbage remember those are digital documents those CDs should be put through the shredder as well. Most shredders nowadays come with a document, credit card, and disk shredder. When you’re going through your closet, and you pull out those floppy disks remember those still can be read. If you need to dispose of them, get a good scissor and cut them up into pieces or scrape them with sandpaper.

If you have questions about data disposal contact us.

Two-factor authentication

Posted on by admin

Two-factor authentication also known as 2FA also referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves. Authentication using two or more different factors to achieve authentication include

  • something you know (e.g., PIN, password)
  • something you have (e.g., cryptographic identification device, token)
  • something you are (e.g., biometric)

For example, if you have a Two-factor authentication setup on your laptop you would need to enter your password then you would need to scan your fingerprint to log in. If you have a Two-factor authentication set up on Gmail, you will need to put in your password then you will need to put in a pin code that you got texted to you or by using the code generated by the Google authenticator app.

This need of using two means to authenticate provides extra safety say you are in the car on your way to work and you get a text message from one of your services like Gmail with a login code and you did not just try to login to Gmail this would tell you two things.

One that someone has your password, and you should change it and two since they have no way of getting the code off your phone, they were unable to log in thanks to the Two-factor authentication you set up on your account.

There is software solution in the business world like Duo that before you can log in to your computer you first enter your password on your computer then you must open the Duo app and hit ok on your phone to allow you to log in to your computer. I know sounds at times this sounds like a lot, but password theft is one of the top security issues on the internet today.

For personal use companies like Microsoft and Google provide free authentication apps for iPhone and Android that you can use to secure and add Two-factor authentication to your accounts.

What accounts should you secure? Any important account with a password. Things like email, bank accounts, social media, and any account that has any kind of personal information.

If you need help or think this is something, you or your company want to do please contact us.