Who’s in Your Electronic Wallet?

Complacency is likely to be the greatest threat to your online security. The FBI recently reported that the padlock icon and HTTPS:// in a website cannot be trusted all the time in letting you know a site is safe. With the cost of SSL-TSL certificates falling, it’s cheap for crooks to set up malware sites and lure you in. We’ve discussed on-line shopping security and keeping other transactions secure, but the FBI’s warning compels us to revisit a few ideas.

First, what is an SSL-TSL certificate? The certificate is an acknowledgement that the owner of a website has installed SSL or TSL technology provide secure communications over a computer network. The certificates are granted by third-party providers, such as VeriSign, which is now owned by Symantec. The certificate shows us HTTPS (Hyper Text Transfer Protocol Secure) in a secure website’s URL. You can view the certificate by clicking on the lock symbol on the browser bar.

What do SSL and TSL stand for? In short, SSL stands for Secure Sockets Layer, the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems. It’s designed to prevent criminals from reading and modifying any information transferred, including potential personal details. TLS (Transport Layer Security) is just an updated, more secure, version of SSL. Symantec still refers to security certificates as SSL because it is a more commonly used term. SSL certificates can also cover other internet- based communications, and they come in various levels. If you are curious, you can click here to read more from Symantec than you might want to know.

What you should know, the FBI reports, is that cybercriminals are more frequently incorporating website certificates when they send emails that imitate trustworthy companies or email contacts. They’re typically phishing schemes used to acquire sensitive logins or other information by luring potential victims to a malicious website that looks secure.

We’ve published many articles that call for the internet industry to provide more safeguards, but as we’ve always noted, cybercriminals are working just as a hard to defeat current and developing security tools. One industry executive hit the nail on the head by noting that cybercriminals can’t work around an aware user, who has been trained to look for misspellings in the URL of a web page and knows not to trust a padlock icon. Addressing her firm’s corporate business targets, the executive called on organizations to invest in solid, continuing training programs.

We echo the FBI, which says the following (familiar) steps can help reduce the likelihood of falling victim to HTTPS phishing:

  • Do not simply trust the name on an email: question the intent of the email content.
  • If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact; do not reply directly to a suspicious email.
  • Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
  • Do not trust a website just because it has a lock icon or “https” in the browser address bar.

The FBI encourages victims to report information concerning suspicious or criminal activity to their local FBI field office, and file a complaint with the IC3 at www.ic3.gov. If your complaint pertains to HTTPS/SSL/TSL issues in a phishing expedition, write “HTTPS phishing” in the body of the complaint.

You can protect yourself by being prudent and deliberate when opening emails and clicking on links, and you can support your efforts by installing, updating and using anti-virus and anti-malware protection programs. We work with several trusted providers, including Symantec, and we can help you select and set up the programs that best meet your needs. Call us – 973-433-6676 – or email us if you think your security may have been compromised or if have any questions about online security verification.

SSL Certificates for Websites

When it comes to the security of your business website, size does NOT matter. Your business most likely either houses some bit of information about clients or customers or has access to information. That makes you a target for hackers. It also makes you a target for a Google search engine flag to warn that your website may not be secure because your security certificate isn’t current.

Starting July 1, Google will require that websites have current SSL certificates. SSL (Secure Socket Layer) is used to provide an extra layer of security for websites, and it’s added to each individual page on a site. You are most likely familiar with SSL as a computer user. When you go to a secure page for transacting business, you may have noticed that the secure page URL begins with https:address instead of http:address. You’ll also usually notice the image of a padlock.

Google is implementing the requirement for its Chrome browser, which is widely used worldwide. When someone uses the browser to visit a site without an updated SSL certificate, they’ll see the phrase “Not Secure” before your URL in the address bar. Most likely, they’ll leave the page immediately, and that will increase your site’s bounce rate and endanger your inbound leads. The increased bounce rate will hurt your overall Google ratings, and that will affect your Google page ratings on all browsers, such as Firefox, Edge and Safari.

You can see if your certificate is up to date simply by looking to see if your URL starts with https:. If not, it’s an easy problem to fix with the services of website developer. They can help you purchase an SSL certificate through your website’s hosting company and then add the proper code to your pages. The certificate costs between $40 and $100 per year, and the coding can typically be added in two to four hours.

We are more than happy to refer you to one of our partners, Rachel Durkan at Paradigm Marketing and Design. You can email Rachel for specific information about getting your website in compliance. If you have any other questions or concerns about SSL certificates and website security, call us – 973-433-6676 – or email us to talk about them.

Cybersecurity Scorecard

Cybersecurity has dominated our conversation for the past year, and a report from SonicWall, which provides security tools worldwide for networks to email and everything in between, shows where we’re making progress and where new threats lie.

First, the good news. In data gathered in the past year from the SonicWall Global Response Intelligent Defense (GRID) Network, the good guys and the bad guys made advances. The most notable of the advances the company found were:

  • The number of new POS (point of sale – mostly credit and debit cards) malware variants decreased by 88 percent since 2015
  • SSL and TLS encrypted traffic increased 34 percent year-over-year
  • Major exploit kits Angler, Nuclear and Neutrino disappeared
  • Unique malware attack attempts dropped to 7.87 billion from 8.19 billion in 2015

On the other hand:

  • Ransomware attacks grew 167x from 2014 to 2016 to an astounding 638 million attacks during the year
  • SSL/TLS encrypted malware was exploited 72 percent more often in 2016 than in 2015
  • Internet of Things (IoT) devices were compromised to launch record-setting DDoS attacks
  • Despite significant efforts by Google to patch vulnerabilities, Android continued to be exploited by cyber criminals

SonicWall notes that the technology to solve many of the new challenges cyber criminals threw at victims in 2016 already exists.  SSL/TLS traffic can be inspected for encrypted malware by NGFWs (next-generation firewalls), which are hardware- or software-based network security systems that detect and block sophisticated attacks by enforcing security policies at various levels. For any type of new advanced threat like ransomware, it’s important to understand that all network-based solutions should block network traffic until a safe verdict is reached before passing that traffic through to the intended recipient.

In 2017, there are two areas that SonicWall joins us in telling you to be particularly on-guard: ransomware and the Internet of Things (IoT).

Companies in the United Kingdom were 3x more likely to suffer ransomware attacks than in the United States, but don’t breathe easy. The US experienced the highest number of ransomware attacks in 2016 because of large volume of business.  While we as individuals and small businesses depend on companies like SonicWall to provide the tools to detect and stop ransomware, we need to follow strict security procedures – all of which should be well-known to us by now:

  • Install updates for all of your software for operating systems and apps. They contain the security patches and bug fixes that shore up the breaches in your systems.
  • Be extremely careful about the emails you open and the links you click.
  • Back up your data continuously to a system that is either not always online or that uses authentication. This will help ensure that you don’t accidentally revert to an encrypted back up if you’re hit.

The IoT has been massively compromised because of poorly designed security systems by device manufacturers. To protect yourself, SonicWall reminds you to make sure your devices are behind next-generation firewalls that scan for IoT-specific malware and that you segregate IoT devices on a separate zone to make sure they don’t affect the rest of your network if they’re compromised. To that, we add that you immediately change user names and passwords – and that you make those passwords strong. Some 70 percent of IoT breaches worldwide are in the US.

More protection was made available for Android mobile phones and devices, but they still remain vulnerable to overlay attacks. SonicWall recommends that companies using Android devices keep the option to “install applications from unknown sources” unchecked and both options to “verify applications” checked. They also recommend you avoid rooting and that you install anti-virus and other mobile security apps – and that you enable “remote wipe” in case your device is stolen or compromised with ransomware.

If you’re interested in a deeper dive and more technical explanations, we invite you to read SonicWall’s whitepaper on cybersecurity.

We can help you with a cybersecurity audit for your office or home and for all mobile devices. Call us – 973-433-6676 – or email us for an appointment.