Tech Friday


  • Determine the legitimacy of a web site:
    • A recent study found 100,00 malicious sites are posing as well-known retailers
    • While it's best to be skeptical and stick to reputable, well-known websites this holiday shopping season, there are some things you can do to try to determine the legitimacy of a site
    • Use WhoIs (https://www.whois.com) to see who owns the URL and how long it has been registered. If a site has recently popped up, that can be a red flag
    • Use Google Safe Browsing to research a site: https://transparencyreport.google.com/safe-browsing/search
    • Use Norton Safe Web to research a site: https://safeweb.norton.com
    • Use HpHosts to research a site: https://www.hosts-file.net
    • Use Unmasked Parasites to research a site: https://www.unmaskparasites.com
    • Look up the company/site at the Better Business Bureau: https://www.bbb.org
    • Many security suites will check URLs. If yours doesn't, try the AVG LinkScanner: https://www.avg.com/product-avg-linkscanner-free-edition
    • Carefully examine the URL (link) to ensure it's spelled correctly and has no subtle changes such as a number one (1) for the letter "l" or a zero (0) for the letter "O"
    • Check the information on the Contact page vs WhoIs
    • Check the Privacy Policy and Terms of Service
    • Look for https in the URL, but note that the presence of a certificate is NOT a guarantee of legitimacy
    • Look for obvious mistakes and red flags
    • Be wary of shortened links; check them here: https://checkshorturl.com/
    • Click the Lock icon to see the details on the certificate issued to the site
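
The URL check from the list above (a digit standing in for a letter, or a misspelled name), as an added Python example that is not part of the original notes. The retailer list and the extra 3-for-e and 5-for-s swaps are assumptions, and the one-character misspelling test generalizes the "spelled correctly" point.

```python
from urllib.parse import urlsplit

# Constructed list of retailer domains the user actually intends to visit.
KNOWN_DOMAINS = ["amazon.com", "walmart.com", "bestbuy.com", "paypal.com"]

# 0-for-o and 1-for-l come from the checklist; 3-for-e and 5-for-s are assumed extras.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def hostname(url):
    """Lower-cased host of a URL (scheme optional), minus a leading 'www.'."""
    if "://" not in url:
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return (verdict, matched_domain) for a link checked against KNOWN_DOMAINS."""
    host = hostname(url)
    if not host:
        return ("invalid", None)
    for good in KNOWN_DOMAINS:
        # Exact domain or one of its subdomains.
        if host == good or host.endswith("." + good):
            return ("match", good)
    skeleton = host.translate(LOOKALIKES)  # undo digit-for-letter swaps
    for good in KNOWN_DOMAINS:
        if skeleton == good or skeleton.endswith("." + good):
            return ("lookalike-substitution", good)
        if edit_distance(host, good) == 1:
            return ("lookalike-misspelling", good)
    return ("unknown", None)
```

A verdict of "unknown" only means the host is not on the list; it still needs the WhoIs and reputation checks above.
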
  • Android smartphones from 29 vendors ship with 146 vulnerabilities:
    • Kryptowire, a security company and participant in the US Department of Homeland Security mobile security research and development program, recently revealed a total of 146 new vulnerabilities in Android devices
    • Focused on preinstalled software, it found the flaws across 29 Android smartphone vendors, including Asus, Samsung, Sony and Xiaomi
    • Sadly, these vulnerabilities don't require a user to download anything; they are embedded in the software when you purchase the phone
    • Millions of users could be impacted by these vulnerabilities
    • Kryptowire indicated that many of the vulnerabilities are very difficult to fix
    • The reported vulnerabilities include system properties modification, app installation, command execution, wireless settings modification, audio recording and dynamic code loading
    • Kryptowire CEO Angelos Stavrou told Wired: "If the problem lies within the device, that means the user has no options. Because the code is deeply buried in the system, in most cases, the user cannot do anything to remove the offending functionality"
    • Kryptowire said "Our primary focus was exposing pre-positioned threats on Android devices sold by United States carriers"
    • Impacted devices include Samsung A3, A5, A7, A8+, J3, J4, J5, J6, J7, S7, S7 Edge, Sony Xperia Touch, Asus ZenFone, Xiaomi Redmi 5, and other lesser known vendors
    • What can you do about it?
      • Remove unnecessary apps
      • Install Android and app updates as soon as possible
      • Ditch Android, the sooner the better
  • Scammers use human nature to steal billions:
    • Business email compromise (BEC) attacks are a nasty and growing threat
    • Barracuda released a new report "Spear Phishing: Top Threats and Trends Vol. 3 – Defending against business email compromise attacks" highlighting the latest tactics used by cybercriminals to launch these targeted attacks
    • The most common BEC scams use bogus emails to trick employees into sending money to the wrong accounts
    • Barracuda detailed how these attacks combine a number of tactics including impersonation, targeting, timing and social engineering to steal money or PII
    • 91% of BEC attacks occur on weekdays during typical business hours so they seem more realistic
    • The bogus emails may include graphics and text stolen from real websites, and may contain the names of real people criminals find using sites like LinkedIn
    • 85% of these attacks are urgent requests
    • There have been some huge scores for cybercriminals, such as the $37 million lost by Toyota Boshoku and the $11 million lost by a UK office of Caterpillar
    • In the past 12 months the average loss was $270,000, and the FBI has reported these attacks have cost businesses more than $26 billion over the last 4 years
    • The FBI has also said that only 10%-12% of cybercrime is reported
    • This type of attack is known as "Social engineering" which exploits human vulnerabilities
    • "What we've seen in 2019 is that the wave that's breaking is primarily focused around social engineering" said Patrick Peterson, CEO of Agari
    • Peterson said: "It's not so much having the most sophisticated, evil technology. It's using our own trust and desire to communicate with others against us"
    • Cincinnati Crane and Hoist CEO Tony Strobl made the courageous decision to do a video interview about a BEC they suffered in 2017
    • I encourage you to watch and share Tony's video: https://www.facebook.com/NISTMEP/videos/2481386492141433/
    • Read the Barracuda report here: https://www.barracuda.com/spear-phishing-report-3