All in Tips & Best Practices

What Is Smishing And How To Spot This Attack

Smishing is not a new tactic but given that worldwide mobile device traffic is up 222% in the past seven years, it’s no wonder we’re seeing an increase in attacks targeted at mobile devices.

The term smishing is a portmanteau that combines the term SMS (text messaging) and the word phishing (SMS + phishing = smishing). As you may have guessed, smishing is phishing that uses SMS and similar types of text messaging.

What Is Smishing?…

Breachstortion

A breachstortion attack consists of a malicious email which claims that the sender has breached the victim’s website or company network, copied data from their databases and moved that data to an offshore server. The email then threatens to post the data publicly unless the victim pays the ransom.

Unlike sextortion, a breachstortion attack does not…

Backups: Easy As F-A-V-E-1-2-3

Backing up data is something we have been told to do for decades, but it is neither exciting nor fun, and it is very easy to forget. Additionally, situations that require restoring a file from backup can be rare, so it’s easy to understand why many people don’t back up their files even though it’s an important part of life with computers. Think of backups like an insurance policy. You do it in case you need it and hope that you never need to use it.

As consumers and general computer and Internet users, we all have to be our own IT manager and system administrator which means that backups are an important part of our job. While we all know that we should back up our data, some of you may not know why we need these backups.

Domain Name Confusion

I don’t understand why companies, even tech companies, send email to employees and customers with links that use domain names that don’t match their normal, publicly known domain name. I have seen this happen in companies for years, where a department like HR finds a cloud vendor to do some training or to register for benefits. Instead of sending an email to employees from an internal email address, they let the vendor send email to employees with a link to an external, unfamiliar site. When you tell employees to not click on suspicious links, and then send them suspicious links, it undermines the whole security education program.

We can do better!

Phishing

Phishing is the attacker’s dependable, longtime friend. Around since at least 1995, phishing is used to trick people into providing credit card information, login IDs and passwords, and to gain access to your computer, protected systems and/or networks.

Today, Between The Hacks arms you with the following: phishing background, practical advice, realistic visual examples, and links to reliable resources.

Phishing Websites Use ReCAPTCHA To Thwart Detection

The world of cybersecurity is a constant cat and mouse game where attackers find new and creative ways to attack and the defenders discover those methods and figure out how to stop the attacks. The latest wrinkle in this spin around the hamster wheel was revealed by researchers at Barracuda Networks, who discovered that threat actors are now using “reCAPTCHA walls to block URL scanning services from accessing the content of phishing pages.”

Is Working From Home A Threat To Your Home Network?

Your work computer might be the device that lets a threat actor into your home network. According to research conducted by cybersecurity companies Arctic Security and Team Cymru, more than 50,000 U.S. organizations have sent their employees to a work-from-home environment with malware-infected computers.

On a corporate network, firewall rules and cybersecurity tools block certain types of traffic…

COVID-19 Cybersecurity Resources

These days it seems that all news stories are related to COVID-19, and that’s also true in the infosec/cybersecurity community. Over the past month, I have read many insightful articles about COVID-19 phishing attacks and scams, and I’ve weighed in on the topic myself. While “top ten” and other lists are popular news items, I realized I hadn’t seen many lists of resources for COVID-19-themed cybersecurity incidents. So, Between the Hacks spent part of this week researching and starting to compile a compendium of pandemic-specific cybersecurity resources. The goal is to raise awareness, to share tips to prevent becoming a victim, resources to get help if you, or someone you know, does become a victim, and also some ways to help others during this global pandemic. As I learn of new resources, I’ll add them to this page.

Zoom Security & Privacy Tips

Zoom has made a lot of headlines recently as it has become the video conferencing tool of choice for many companies and individuals who found themselves suddenly quarantined at home due to the COVID-19 pandemic. Zoom’s daily active users jumped from 10 million to over 200 million in 3 months. The appeal of Zoom is that it’s easy to install, easy to use, has some fun features like virtual backgrounds, and its basic version is free. The free version allows for up to 100 participants to meet for a maximum of 40 minutes. This is certainly enough time for quick meetings with colleagues or catching up with friends and family. And if you need more time, just…

Business Email Compromise (BEC)

In the world of cybersecurity, there are some pretty creative and interesting terms such as phishing, juice-jacking, rainbow tables, credential stuffing, and botnet. However, there is one type of phishing attack that was given a name without anyone from a marketing team in the room. That is the Business Email Compromise (BEC). I almost fell asleep while typing that last sentence!

While the name is not very sexy, the attack is simple to execute and can be very costly to the victim. In fact, according to a 2018 FBI report, BEC attacks have earned scammers over 12 billion dollars. BEC is a type of phishing attack with the goal of tricking the victim into sending money…

The Six Days of Cybersecurity Gifts

This is the time of year when many of us wind down our busy work schedules and focus a little more on family and giving. In the spirit of giving, here are six cybersecurity gifts that you can buy for family, friends, or yourself.

Obligatory Disclaimer: I will not benefit in any way if readers purchase these products, they are just suggestions based on my use and testing.

HOME ROUTER

Your home router is the one device that protects your home’s digital assets from the dangers of the Internet. It is a very busy little device; constantly fighting off attacks and managing your…

Juice-Jacking: Trading Your Data for Power?

There are few things in everyday life that instill panic in us more than seeing the low battery indicator on our mobile phone. This is especially troubling during travel, when your mobile device might be frequently switching between cell towers and Wi-Fi and chewing up more battery than usual. To help us with this problem, charging stations have graciously been made available for free in many public places. While this free charge can breathe life back into our digital existence, it can also be the point at which your device becomes the victim of a cyber attack called juice-jacking.

What is Juice-Jacking?

Juice-jacking happens when someone connects their mobile device to a USB charging station that has been modified to not only charge the device, but to also copy data from…

Attack Of The Light Bulbs: How IoT Devices Are Used As Internet Weapons

With the rapidly changing world of connected devices, known as the Internet of Things (IoT), many people do not realize that these “things” are actually computers. The smart light bulb, the IP video camera, and possibly your new car, are all computers. They have operating systems (usually Linux), processors, memory and a network interface.

It is important to realize that these “things” are computers because you need to protect them from cybersecurity attacks the same way that you protect a standard computer. All computers, including all IoT devices, have vulnerabilities. When those vulnerabilities are discovered and vendors release patches, frequently it is the end user who is responsible for installing those patches. Left unpatched, the IoT device is vulnerable to attack.

Most of the big software companies like Microsoft, Apple, and Google have automatic patching systems that push patches out to vulnerable computers running their software, but most IoT devices do not. Even many home routers are not patched automatically which leaves home networks vulnerable to attack because they are directly connected to the Internet and are not behind a firewall.

So why would someone want to attack your IoT devices? Do attackers really want access to your light bulbs? You may be surprised that the answer is yes.

Rainbow Tables: The Password Conundrum Part 4

In the fourth and final post in this series on passwords, I’ll talk to you about rainbow tables. I think the best way to get people to create and use good passwords is to teach them how passwords are cracked.

Long ago, when UNIX-like systems were used as shared servers and most people logged into them with “dumb terminals”, users could see who else had accounts on the system. This was convenient, especially in work or academic environments, and acted as a directory of sorts. So if Alice wanted to send an email message to Bob, she would just log on to the system and look at a file called /etc/passwd. This file showed each person’s username, name, and other information. This file also contained each user’s password in the form of something called a hash. Trend Micro explains that “Hash values can be thought of as fingerprints for files.” The hash is a mathematical representation of the password that cannot be reversed or

Multi-Factor Authentication: The Password Conundrum Part 3

In part 1 of the Password Conundrum, we talked about how we all hate passwords and how we can never remember a strong, unique password for every website, system, and application that we use.

In part 2, we talked about how a password manager can solve this problem and make your digital life much easier and more secure.

In part 3, I’ll explain multi-factor authentication and how to use it.

You don’t need an MFA (Master of Fine Arts) degree to use MFA (multi-factor authentication). Sorry for the acronym humor. MFA requires a user to provide an additional means of authentication or verification, in addition to entering a username and password. 

Before we delve into MFA, let’s talk quickly about authentication.

How Attackers Access Your Accounts Using Credential Stuffing

Almost every day we see headlines about some sort of data breach. The public is now almost numb to this news, and the reaction of the end users whose credentials were lost is typically to reset their password and move on.

This is likely not good enough for most people, because, according to a January 2019 study by Yubico and Ponemon, 51 percent of the respondents reuse their passwords across multiple accounts.

So why is it bad to reuse passwords across multiple accounts? Because bad guys will take that long list of usernames and passwords from data breaches, and use them in an attack called credential stuffing. I know, this sounds like a bad Thanksgiving side dish full of conference badges. Trust me, it’s worse!

Password Managers (The Password Conundrum: Part 2)

In part 1 of the Password Conundrum, we talked about how we all hate passwords and how the crazy cybersecurity wonks tell us that we have to do unreasonable things like:

  1. Make passwords that are so complex that you can’t possibly remember them (long and multiple character sets)

  2. Make a unique password for every one of the tens or hundreds of sites and applications that we use, oh, and they all have to be long and strong, which means we won’t remember them.

Today we are going to explain how you can achieve this and actually make your life more secure and much easier than back when you had to remember all of those passwords or look them up on a spreadsheet on your computer’s desktop. Enter, the Password Manager!

The Password Conundrum: Part 1

Long Passwords, Short Memories

The password is something we all love to hate. Many of us have to create hundreds of passwords and we are told by the paranoid cybersecurity experts to make them long and use all of the character sets on your keyboard so that they are not easy to guess. This also makes them difficult to remember, so what do most people do? They re-use passwords—which is also a big no-no.

While we all know these general rules, most people don’t know why they exist and what the real risks are. In this blog, I will help you understand the importance of following the rules when developing your list of passwords. 

Three Tips for Creating a Good Password

Below are three tips for creating complex and hard-to-hack passwords. 

  1. Make them long: There is some debate over the best minimum length of a password. Analysis from security expert Troy Hunt has shown that many of the sites we use do not require very long passwords. However, research from Georgia Tech Research Institute (GTRI) shows that the

Sextortion Revisited

Lately, a handful of friends and colleagues told me they received an email claiming that a malicious hacker had installed malware on their computer through a porn site. The email showed one of the recipient’s passwords and explained that the hacker has access to the recipient’s webcam and has a log of all of their keystrokes. Then the hacker gives the recipient two choices:

  1. Ignore the email, and a video of the recipient visiting the porn site will be sent to all of the recipient’s contacts.

  2. Or, pay a ransom in bitcoin, and the hacker will delete the video.

This email scam has been a popular phishing attack in 2018. As cybersecurity reporter Brian Krebs blogged back in July, “Here’s a clever new twist on an old email scam that could serve to make the con far more believable.”

If you happen to receive one of these emails…