The Threat of Apple Malware – Does Your Mac Need Protection?

For many years Apple users have not worried about malware to the extent Microsoft Windows users have. Has the immunity to malware finally come to an end? Some might say yes, while others disagree. Apple computers no longer hold the niche market they did years ago. As sales of iPads and iPhones have risen, so have sales of Apple computers. In the last quarter of 2011, Apple sold more than four million desktop and laptop computers. This increased market share has not gone unnoticed by malware developers.

Consider the fake AV attacks of 2011, when Mac Defender was discovered, and the release this year of the OSX.Flashback.K trojan. Flashback is believed to be the largest Mac infection to date and was designed to steal page views and advertising revenue from Google.

The issue that Apple faces is that the more success Apple has with Macs, the higher the cyber security risk will be for users who don’t have protection. Even though there have not been many Mac viruses, the risk of attack is rising and the malware might not even be directly targeting the Apple computer. According to a report by Sophos, one in five Macs currently harbors malware made for Windows computers.

The best way to deal with this threat is to practice basic security protections.

  • Make sure that your Mac is up-to-date and all software is current.
  • Consider enabling the built-in host firewall.
  • Install anti-virus.
  • Understand that many attacks are social in nature so users should practice caution before clicking on links or opening attachments.

While the threat of attack on Apple devices remains low, the threat is real. Why take any chances when there are several free AV products available? Just by installing AV and following a few basic best practices you can drastically reduce the possibility of ever having any trouble with malware on your Mac.


My 5 Tips for Passing the New ISC2 Electronic Based CISSP Exam

Did you know that ISC2 is planning a big change to the CISSP exam? Anyone studying for or planning for the CISSP exam needs to be aware of the upcoming change. Starting September 1, 2012, ISC2 will offer the CISSP exam in an electronic format. This will be a big change for those attempting this certification exam. Previously, exam candidates had to search for exam locations and then schedule training that mapped to available exam dates. The change to an electronic format will make it much easier to schedule the exam.

Tip 1 – You still need to plan for the exam. In my experience, students that plan for the exam well in advance and prepare a written study schedule typically have higher passing scores and lower failure rates. One of the big changes with computer based testing is that there will be a rapid turnaround of exam results. With the paper-based exam, test candidates had to wait weeks to be notified of their exam results. With computer based testing, exam candidates will be able to find out immediately if they have passed or failed. Those that do not pass can quickly turn their attention to areas where they tested poorly.

Tip 2 – Don’t wait until the test day to find out the areas where you are weak. Download a copy of the ISC2 CBK and use it as a checklist. Review each item to determine what areas you need to study and then focus on these areas before you attempt the exam. While ISC2 may be moving to an electronic test, exam scoring remains the same. The exam is pass/fail and you must still answer 250 questions. Candidates typically complete computerized tests faster than paper-based exams as there is no need to transfer answers to a scantron. So, the real difference with computer based testing is the test delivery system.

Tip 3 – Six hours offers plenty of time to complete the exam; however, after 100 to 150 questions, you may start to get a little fatigued. Prepare for the exam in the same way you would prepare for a race; when using practice exams, get used to attempting 200 to 250 questions at a time. One item exam candidates need to be aware of is the CISSP retest policy. It will change once ISC2 migrates to electronic testing. From the date of the candidate’s first exam attempt, candidates cannot reattempt the exam for 30 days. If for some reason the candidate failed on the second attempt, candidates cannot retake the exam for 90 days. If anyone had to attempt the exam a fourth time, a 180-day waiting period is required.

Tip 4 – Take your time and think about test logic. Each question will have four possible answers and only one will be correct. Read each question carefully and even if you don’t know the answer, try to eliminate wrong answers. Don’t make the mistake of clicking through questions too quickly. Look for key words such as least, most, best, worst, or not. One word can make all the difference between a right and wrong answer. No one wants to fail by one or two points and be forced to retake the exam. There are some big advantages to ISC2 moving to an electronic exam. Exam candidates will find it much easier to schedule the test. Rescheduling will also be easier as candidates will be able to do so online 48 hours before the scheduled date/time or by phone 24 hours before. Also, most candidates will be able to find a testing center close by so they will not have to travel to attempt the exam or spend money on a hotel.

Tip 5 – Don’t equate easy access with an easy test. Some individuals preparing for the exam may feel compelled to rush and schedule the test before being fully prepared. Most rate the CISSP exam as a moderately difficult exam and as the exam costs more than $500.00, it would be wise to ensure you are fully prepared before scheduling the test date. A study plan of 30 to 90 days is not unreasonable. I hope these five tips for passing the new CISSP electronic based exam offer you some insight into the test and offer some ideas on how to best adapt to this changing test environment. Planning and preparation are the key to success.

Good luck on the exam!


Where Did You Leave Your Smart Phone?

Did you know that over 5.6 billion people own/use at least one cell phone? In the United States alone, over 91% of the population owns and/or uses a cell phone. (In Russia, that number is actually over 147% – indicating that almost half of the people there own at least 2 cell phones).

Our cell phones are important to us. They are so important to us that most people will know if their cell phone is missing within 2 minutes while the same people might not notice that their wallet is missing for over 2 hours. If you’ve ever lost your cell phone, you’ve felt both the panic and helplessness that millions of people experience every year. Thankfully, many cell phones now have the technology to protect and to find your lost cell phone.

Here are a few tips to provide you with some security and peace of mind:

1) Enable PIN security on your phone. This is your first and best line of defense to prevent unauthorized use on your lost or stolen phone.

2) Back up your phone. Most cell phone providers will now offer an online service that will wirelessly back up your phone to their online servers. If your provider doesn’t offer an online service, your phone may have a built-in backup to SD/micro-SD storage or you may be able to purchase an application to back up your contacts and pictures directly to your PC.

3) Sign up for a GPS-enabled locator service. There are applications and/or services – like Find My Phone and iCloud – that can be used to find your missing or stolen cell phone. Some people may worry about the privacy issues but those concerns will fade quickly the first time your cell phone goes missing.

These suggestions certainly apply to both personal and business cell phones. With the data transmitted and stored on today’s smartphone devices, there is a clear and present danger to your company’s network resources. Cyber security at the device level should be a key element in protecting your valuable information.


What Color is Your Cyber Hat?

Ethical hacking is not for everyone.  In fact, most people tend to key in on the word “hacking” and immediately think of computer crime or criminal activity just as people associate the term “hacker” with an individual who has malicious and/or criminal intent.  Sometimes, they might be right.  Sometimes, they couldn’t be farther from the truth.  It really just depends on what color hat that individual wears.

As an example, a black hat hacker is generally considered a person who hacks computers, programs, and networks out of malicious intent and/or for personal gain. These hackers are generally considered cyber criminals. The media and the general public typically identify black hat hackers as dangerous individuals that make use of very sophisticated technology or good old-fashioned social engineering to hack into corporate networks. Their goal might be to steal data or disrupt network communications. As technology and security protocols improve, the black hat hacker’s toolset improves and evolves with it. Just consider how yesterday’s ping of death has evolved into today’s fast-flux botnet.

Another type of hat is the white hat hacker.  A white hat hacker is a person who attacks, breaks, and/or investigates computer systems without malicious intent and only with the written permission of the network owner.  The goal is to look at the network the same way an attacker would and to answer the following questions: What can the attacker see? What can they do with the information found?  Would anyone notice the attack?  White hat hackers or ethical hackers are the “good guys” trying to find the potential bugs, weaknesses, and gaps in cyber security defenses.  These ethical hackers can train to be cyber security experts and can also obtain professional certifications such as CASP or CEH in the areas of network security and cyber defense.

One place that you might see many different colored hats is at security conferences. Security conferences offer individuals who are interested in security a chance to meet and discuss IT security issues. One such conference is DEF CON.

The DEF CON convention is scheduled this year between July 26 and July 29 in sunny Las Vegas.  Every year, between 8,000 and 12,000 people attend this conference. The conference is open to everyone and anyone, especially to those interested in the field of cyber security, hacking, and/or security technologies.  Each year, this conference attracts hackers, members of government agencies and law enforcement, and cyber security professionals.  Are you planning on attending?

Since 1999, Superior Solutions has been at the forefront of “ethical hacking” and white hat cyber defense practices.  Our experienced IT security consultants can help you protect your business in the on-going battle for online safety and cyber security.


The Evolution of Cybercrime – Bluetooth Credit Card Skimmers

While you might not think of cyber criminals as business professionals, they face the same economic pressures as legitimate organizations. As an example, consider the product lifecycle and how manufactured goods go through a sequence of stages: introduction, growth, maturity, and decline. Case in point: credit card skimmers. Traditional credit card skimmers required the criminal to return to the scene of the crime to retrieve stolen credit card data. To overcome this shortcoming, cyber criminals have undertaken several product innovations. One innovation is the addition of wireless connectivity. Providing wireless connectivity allows the crook to remove credit card data and PIN numbers without having to physically remove the device.

There are several options available for wireless connectivity:

  • WiFi – While it’s a potential option, there’s a large number of tools available to detect rogue wireless devices.
  • Cellular – Offers the ability to move data easily yet requires an ongoing contract and can potentially be tracked by law enforcement.
  • Bluetooth – Cheap, can be purchased as a standalone card and most importantly, can be difficult to locate and detect.

Bluetooth skimmers have become more popular, and they are also much more difficult for the average consumer to detect. These devices can be hidden inside of gas pumps, point of sale terminals, and other PIN entry devices (PEDs). Common techniques include placing the skimmer inside of the gas pump electronics bay or removing PEDs from retail locations and replacing them with tainted versions modified to specifically skim payment card numbers and PIN information. Notice the gas pump shown below and how there is no external sign of tampering.

[Image: Credit Card Skimmer]

Bluetooth Credit Card Skimmer Placement

Inside the gas pump’s electronics bay, the criminal places the Bluetooth skimmer inline with the card reader so it is system powered and may reside there for months without detection. The hacker need only drive by the location once a week or so and query the Bluetooth device to retrieve the stolen credit card data.

[Image: Card Reader]

What can be done to prevent and detect these types of crimes? Some gas stations have started placing seals on gas pump card readers to detect tampering. Credit card companies have urged retailers to scan for Bluetooth devices. While it’s possible to scan for Bluetooth addresses, the BD_ADDR, a combination of 12 alphanumeric characters, is going to be very hard to identify if the device is in non-discoverable mode. This means these devices are not easily detectable and that consumers must exercise care any time they are using card readers. Consumers should consider using credit cards instead of debit cards when possible. Credit cards offer a much greater level of protection should the credit card data be skimmed or exposed.
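An added example, not part of the original post: one way a retailer could act on the advice to scan for Bluetooth devices is to log the addresses seen near each pump on a schedule and flag any address that is not in the store's own inventory yet keeps showing up day after day. The log format, the inventory list and every address below are constructed for illustration; a skimmer in non-discoverable mode will not answer an inquiry scan and so will not appear in such a log, which is why this complements tamper seals rather than replacing them.

```python
import re
from collections import defaultdict
from datetime import datetime

# A BD_ADDR is 48 bits, written as 12 hex digits with optional ':' or '-' separators.
_BD_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-]?[0-9A-Fa-f]{2}){5}$")

# Constructed sample data: "ISO timestamp,scanner location,BD_ADDR" per line.
SAMPLE_LOG = """\
# scheduled inquiry scans (constructed, not real devices)
2012-06-01T02:00:00,pump-3,00:11:22:33:44:55
2012-06-01T02:00:00,pump-3,AA:BB:CC:00:00:01
2012-06-01T14:00:00,pump-3,aabbcc000001
2012-06-01T14:00:00,pump-3,DE:AD:BE:EF:00:10
2012-06-02T02:00:00,pump-3,AA-BB-CC-00-00-01
2012-06-03T02:00:00,pump-3,AA:BB:CC:00:00:01
2012-06-03T02:00:00,pump-1,DE:AD:BE:EF:00:11
2012-06-04T02:00:00,pump-3,AA:BB:CC:00:00:01
2012-06-04T02:00:00,pump-3,not-an-address
"""

# Hypothetical inventory of the store's own Bluetooth equipment.
INVENTORY = ["00:11:22:33:44:55"]


def normalize_bd_addr(raw):
    """Return the address as AA:BB:CC:DD:EE:FF, or None if it is malformed."""
    raw = raw.strip()
    if not _BD_ADDR_RE.match(raw):
        return None
    digits = re.sub(r"[:-]", "", raw).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_scan_log(text):
    """Yield (date, location, bd_addr) tuples, skipping comments and bad lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        addr = normalize_bd_addr(parts[2])
        if addr is None:
            continue
        try:
            day = datetime.fromisoformat(parts[0]).date()
        except ValueError:
            continue
        yield day, parts[1], addr


def find_persistent_unknowns(log_text, inventory, min_days=3):
    """Flag non-inventory addresses seen at one location on >= min_days distinct days.

    Customers' phones pass through once; a system-powered device left in a
    pump answers scan after scan, so persistence is the signal.
    """
    known = {normalize_bd_addr(a) for a in inventory}
    days_seen = defaultdict(set)
    for day, location, addr in parse_scan_log(log_text):
        if addr not in known:
            days_seen[(location, addr)].add(day)
    findings = [
        {"location": loc, "bd_addr": addr, "days": len(days),
         "first": min(days).isoformat(), "last": max(days).isoformat()}
        for (loc, addr), days in days_seen.items() if len(days) >= min_days
    ]
    return sorted(findings, key=lambda f: (-f["days"], f["location"], f["bd_addr"]))


if __name__ == "__main__":
    for f in find_persistent_unknowns(SAMPLE_LOG, INVENTORY):
        print(f"{f['location']}: {f['bd_addr']} seen on {f['days']} days "
              f"({f['first']} to {f['last']}) - inspect the card reader")
```
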


Cyber Security At Home – Are Neighbors Pirating Your Wi-Fi?

To a growing number of Internet piggy-backers, pirating a neighbor’s wireless network sounds like a good way to get free Internet, and this could be a real problem for you. Imagine a normal situation where you are sitting at home on your couch watching TV. Your wife is sitting at the family computer in the den while your two children are upstairs sleeping. Suddenly, there is a loud knocking at the door – “POLICE!!!” Alarmed, you jump up to open the door and less than 10 seconds later you are being held down on the floor and being placed under arrest. You are being charged with downloading illicit and illegal files from the Internet.

Over the next 48 hrs, authorities are able to determine that you and your family are not guilty of breaking the law. It turns out that your neighbor has been using your wireless Internet connection to access the family’s personal files and ‘borrow’ your cable modem and Internet bandwidth to download illicit content that law enforcement officials detected and then tracked back to your IP address.

While this may seem far-fetched, just last year a Minnesota man was sentenced to 18 years in prison for hacking into his neighbors’ wireless network and framing them for distributing child pornography and email threats against Vice President Joe Biden and other officials. These threats are real, and there are a few tips to keep your family’s important files, personal information, pictures, and home computer safe from cyber theft and neighbors’ prying eyes.

1.  Wireless or Not? – If you are not using wireless devices in your home, it’s best to either use a wired (not wireless) network router or change your network router’s configuration so that the wireless radio is turned off.  With your Wi-Fi connection turned off, it won’t be possible for your neighbor to ‘borrow’ your Internet connection without being in your house.

2.  Password protection – If you are using Wi-Fi, you should change the router’s password to something that only you know. As an example, many Linksys routers ship with a default password of “admin.” Good cyber security begins by changing any wireless pass-phrases from their factory defaults to something only you know.

3.  Availability – If you are not home to use your internet connection, does it really need to be available to others?  Some network routers have Time-of-Day settings that allow you to restrict network/Internet access on certain days and in certain time periods.  This limits outside visibility and access to your personal network.  If you have an older router without this option or just don’t want to have to set this up, you could always power down the router when it’s not needed.

4.  Newer security and firewall technology – Wireless routers manufactured more than 2-3 years ago contain only weaker encryption technologies such as WEP. WEP is insecure and has been broken. Wireless hackers can access a WEP protected network in just a few minutes. If you are using older wireless gear, you should replace these Wi-Fi routers with one that supports WPA2 and/or AES encryption.

5.  Location – When possible, you may be able to maximize the wireless signal within your house and simultaneously minimize your vulnerability outside the home just by placing your wireless router centrally within your house and as far away from external walls/windows as possible. While placing the access point by the front window may seem okay, you may be transmitting a strong signal to others in surrounding houses and/or passers-by on the street.

Keep in mind that the same practices that apply to your home networking environment may be even more important when it comes to your small/medium size business and that the overall goal is to develop a defense in depth strategy. While business networking environments are usually much more complex, it’s still critical to layer security controls to minimize risk and eliminate vulnerabilities. Superior Solutions’ expert IT professionals and cyber security specialists are ready to help you protect your business from cyber crime and network intrusions today.


Tips to Protect Your Customer’s Payment Information

Did you know that your unexpired credit card is worth as little as $0.06 and as much as $1000 on the black market? Cyber security experts explain that the “street value” of a stolen credit card number can vary widely depending on the status of the account, credit limit available, expiration date, and whether there is a physical-issued card to be sold as well. In bulk, untested credit card numbers can cost as little as $600 for a set of 10,000 while some “high-limit” card accounts are sold for $300-$1000. It’s no wonder that credit card theft is on the rise with merchants and processors being the prime targets.

Global Payment Systems, an international payment systems processor, just reported a data breach that put over 1.5 million card holder accounts at risk.  Cyber security experts estimate that, while this intrusion was the largest in almost 2 years, over 3.4 million credit card numbers were stolen in the last 12 months alone.  Visa, MasterCard, and other issuers in the credit card industry have worked to establish a set of rules for both merchants (consumer-facing businesses) and credit processors like Global Payments.  These Payment Card Industry (PCI) rules have been in place for over 5 years but their content and their application have been evolving and becoming more complex.  The latest PCI version 2.0 standards are even stricter and apply to smaller businesses than ever before.

In order to meet these new rules or guidelines, smaller businesses have to implement new payment devices, update their network infrastructure, and provide evidence that they are protecting customers’ credit card data. It’s important to understand that this data is valuable both to cyber criminals outside your company or small business and possibly to malicious insiders and disgruntled employees. It is critical to implement third-party IT security assessments and to periodically test your company’s internal and external (internet) security defenses. Here are a few key actions that your company and/or small business can take to protect your customers’ data and payment information:

  • Establish regular communication with your credit card processor – Your credit card processor should publish regular security updates and provide key actions necessary to ensure that your business complies with the latest PCI guidelines/standards.
  • Schedule regular vulnerability assessments of your internal Information Technology (IT) – This would include a review of IT security risks, cyber threats, anti-virus, IDS/IPS, and firewall protection.
  • Educate your business leaders and employees on cyber security – Obtain training and establish security policies that will implement a culture of cyber security awareness.  Where applicable your IT Security resources should be trained to identify and prevent cyber intrusions and advanced persistent threats from both internal and external sources.

Superior Solutions has both the tools and the expertise to help you secure and enhance the integrity of your information technology resources.  Whether you are in need of a security assessment, PCI audit, or user security training we can help. Contact us today and we’ll work with you to implement the right security network service plan for your business.


6 Tips for Online Tax Services

The deadline for your Federal Tax Returns this year is Tuesday, April 17th and is less than a month away.  More and more people are taking the opportunity to file their taxes online over the internet.  It’s not only quicker and easier – the Internal Revenue Service (IRS) actually encourages you to do this and you may actually get a refund faster when you e-file.

There are many reputable online tax preparation web sites and packages – TurboTax Online, HR Block at Home, TaxAct, and others.  Any of these online tax web sites will need to collect personal information from you in order to complete the process and file your taxes with the IRS.  That personal information is extremely valuable to people looking to steal your identity and commit identity fraud.  The key question becomes:  How do you prepare your taxes online and keep your identity safe?

Tip #1 – “Never use a public computer to file your taxes”

Tip #2 – “Be on the alert for aggressive tax prep emails in your inbox”

Tip #3 – “If using online tax software, look for SSL encryption and security authentication services such as VeriSign”

Tip #4 – “Always use Internet security software and be sure to scan your computer before you begin your taxes to ensure you do not have malware or spyware on your computer”

Tip #5 – “Don’t use public WiFi to file your taxes.  Hackers look for sensitive information on free WiFi networks.”

Tip #6 – “Make sure your anti-virus is up-to-date.  There are many free options available if you do not have anti-virus currently installed.”

Always be sure that you’re careful with any of your personal data when you go online. Superior Solutions is helping businesses every day in an on-going fight with hackers and data thieves to protect themselves and their customers (you) from harm. Contact us today to schedule your Security Vulnerability Assessment.

* You can find additional information on these online tax safety tips and more HERE.


Are You Practicing Safe Shopping?

These days we find the news filled with information about those who have been victimized in numerous ways.  Identity theft and stolen credit information are examples of attacks that can be prevented with knowledge and action on your part.  Here are some tips to help you practice Safe Shopping Online.

While not everyone is a cyber security expert, online security is something you should be very aware of. Just as you would not go into a dangerous part of town without some sort of protection, or would avoid it altogether, it is best to avoid websites whose safety you can’t verify. With common anti-virus/anti-malware software programs and by simply looking at the address bar of your web browser to spot the lock symbol and https in the browser bar, you can be reasonably sure that you are not heading down the “Scary Alley” of viruses or cyber attackers.

Major (brand name) websites like Amazon.com, Barnes & Noble and others spend a lot of time and money on security features for their sites.  When a purchase is made, you can be reasonably assured that your credit information is secure from prying eyes who want to do damage to your credit and potentially steal your identity.  That is not to say that lesser known retailers online should not be patronized, rather you should look for the same quality security in any online retailer.

Look for the signage on the site displaying information like “Secured by SSL.” You can also look for trusted names in the payment industry like VeriSign and their “VeriSign Trusted Seal” or Authorize.net. Authorize.net is another verification service that has a distinctive label their users can, and usually will, proudly display. These two payment gateways allow you to stay on the website where you started shopping. However, there are other third-party payment gateways like PayPal. A third-party gateway usually means that you will be taken away from the website you were shopping on to complete the sale and make a payment. PayPal is also a trusted payment processor in the industry, but keep in mind that caution should be used whenever you are taken away from a website that you know and trust.

Superior Solutions will be looking into more online safety issues in the coming weeks.  Online security is a high priority for Superior Solutions and the company believes in educating the public at workshops and events throughout the country.  Please contact us for more information on how we can work with your business to secure your infrastructure to provide your customers and employees with the safest online experiences possible.


Advanced Cyber Training – CompTIA CASP

It is critical that companies take good care of their digital assets and keep them well protected from cyber criminals. Cyber security requires special attention and care. The advantages of a company being on the Internet are many, yet there are threats that come with it and these can mean loss of revenue or even failure of the business if not properly addressed. It is thus essential to take cognizance of the situation. Luckily, there are books that can help you gain these skills. Also, there are experts in the field who offer network security training.

CompTIA CASP

If you are looking to increase your cyber security skills you may want to consider the new CompTIA CASP certification. This certification is targeted to security professionals who either have their CompTIA Security+ certification or are looking to achieve an advanced hands-on security certification. The official CASP study guide by Sybex is written by veteran IT security expert and author Michael Gregg. He details the technical knowledge and skills you need to pass the exam and helps prepare readers for the certification exam. If you are looking for your next certification challenge this may be for you. When it comes to the safety and security of your online business or corporation there is really no room for compromise; only the best will do. In today’s environment that requires additional training.
