Coleman Technologies Blog


Taking an Exploratory Stab at Spear Phishing

What Makes Spear Phishing Different?

As a rule, spear phishing is a much more precise and personalized process. To keep to the “fishing” analogy, a generalized phishing campaign casts a wide net, trying to snare as many victims as possible with their scam. Utilizing vague and generic language, the ‘typical’ phishing attack is made to appear to come from a large organization, informing the user of some need for the user to take action, resulting in the hacker gaining access to the user’s information. This methodology makes the typical phishing attack fairly effective against many people, while simultaneously easier to spot if one knows the warning signs.

By comparison, spear phishing is far more precise. Instead of trying to find value in the quantity of targets snared in a trap, spear phishing takes the opposite tack. Using a highly targeted approach, spear phishing attacks are directed toward a specific individual within an organization.

This specified approach means that the generic messages that many phishing attempts leverage simply won’t be enough to fool the intended target. Instead, the hacker has to play investigator, seeking out as much information as they can about their intended target. Where do they work? What is their position in the company? Who do they frequently communicate with? Once the hacker has collected enough information to create a convincing message, they will typically spoof an email to their target. This email will usually contain some reference to a known contact or some in-progress project to make it more convincing and will request that the recipient download a file via a provided link.

However, while the link will direct to what appears to be a Google Drive or Dropbox login page, it is just another layer to the deception. Entering credentials into this page will hand them right to the hacker for their use, breaching the user’s security and putting the entire business at risk in one fell swoop.

What Methods Do Spear Phishers Use?

Due to how spear phishing works, the messages sent by hackers need to be as convincing as possible. Combining extensive research with some practical psychology, a hacker has more ammunition to power their attacks.

As mentioned above, spear phishing is far less generic than the average phishing attempt. By referencing specific people, things, and events that mean something to the target, or appearing to come from an internal authority (a manager, perhaps, or even the CEO), the hacker can create a message that is less likely to be questioned. If the hacker writes their messages without any spelling or grammatical errors, as many spear phishers do, it only becomes more convincing.

These hackers are so reliant upon their target being fooled that many will purchase domains that strongly resemble an official one. For instance, let’s say you owned the domain website-dot-com. If a hacker decided to pose as you to launch a spear phishing attack, they might purchase the domain vvebsite-dot-com. Without close inspection, the switch may not be noticed - especially if the hacker creates a good enough lookalike website.

Am I A Target?

Of course, the research that a hacker has to do to successfully pull off a spear phishing attack is extensive - not only do they have to identify their target, they also have to figure out the best way to scam this target. Generally speaking, a hacker seeking to leverage spear phishing will focus their efforts on anyone in an organization who could potentially access the information that the hacker wants but isn’t high up enough in the organization to question an assignment from above.

Or, in more certain terms, a business’ end users.

In order to minimize the chances that a spear phishing attack will be successful against your company, you need to make sure that everyone subscribes to a few best practices. For example:

  • Pay attention to the finer details of an email. Is the message actually from the address it claims, or does the email address actually read slightly differently? Did Christine/Kristine include any attachments? As these can be used to spread malware via email, you should avoid clicking on them unless you are certain the message is legitimate.

  • Is the message written to sound overly urgent? Many phishing messages, especially spear phishing messages, will try to push an action by making it seem as though inaction will lead to a critical issue. Another warning sign to look out for: any deviation from standard operating procedures. Don’t be afraid to question a sudden switch from Google Drive to Dropbox - it may just be the question that stops a spear phishing attack.

  • Speaking of questioning things, don’t hesitate to make sure that any messages you suspect may be spear phishing aren’t actually legitimate through some other means of communication. A quick phone call to the alleged sender will be well worth avoiding a data breach.
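The lookalike-domain trick described above (vvebsite-dot-com posing as website-dot-com) and the "finer details of an email" check can be partly automated at the mail gateway. The following is an added example, not code from the original post: the substitution table, thresholds, function names and sample addresses are constructed assumptions, and it goes slightly beyond the article's case by also flagging one-character typos and non-ASCII (IDN) sender domains.

```python
from email.utils import parseaddr

# Constructed sample: the domains your organization actually sends from.
TRUSTED_DOMAINS = {"website.com"}

# Glyph swaps that read alike at a glance (constructed, non-exhaustive).
# "vv" -> "w" is the substitution the article describes.
CONFUSABLE_SEQUENCES = [("vv", "w"), ("rn", "m"), ("cl", "d")]
CONFUSABLE_CHARS = str.maketrans("0135", "oles")  # 0->o, 1->l, 3->e, 5->s


def skeleton(domain: str) -> str:
    """Collapse look-alike glyphs so visually similar domains compare equal."""
    s = domain.lower().translate(CONFUSABLE_CHARS)
    for seq, repl in CONFUSABLE_SEQUENCES:
        s = s.replace(seq, repl)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the domain of the real address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(from_header: str, trusted_domains=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain_or_None) for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", None)
    if domain in trusted_domains:
        return ("trusted", domain)
    # Non-ASCII or punycode labels can hide homoglyphs; route to manual review.
    if not domain.isascii() or domain.startswith("xn--") or ".xn--" in domain:
        return ("review-idn", None)
    for trusted in sorted(trusted_domains):
        # Same skeleton but different bytes: a visual lookalike.
        if skeleton(domain) == skeleton(trusted):
            return ("lookalike", trusted)
        # One keystroke away from a trusted domain: a likely typo-squat.
        if edit_distance(domain, trusted) <= 1:
            return ("lookalike", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed From: headers for illustration.
    for header in [
        "christine@website.com",
        '"Christine at website.com" <christine@vvebsite.com>',
        "it@w3bsite.com",
        "news@example.org",
    ]:
        print(header, "->", classify_sender(header))
```

A "lookalike" verdict is a reason to quarantine or banner the message; the display name is deliberately ignored because it is free text the sender controls.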

While spear phishing is a considerable threat to your business, it is far from the only thing you need to worry about. Coleman Technologies can help your business secure its IT solutions and optimize them for your use. To learn more, subscribe to our blog, and give us a call at (604) 513-9428.


Is Data a Commodity? Maybe Not, but It Is an Asset

Today, many of the largest and most lucrative companies in the world (Google, Apple, AT&T, Amazon, Verizon, Facebook, and Microsoft) are data brokers more than they are manufacturers of computer-based goods and services. These data brokers create services that they then sell to advertisers, allowing the advertisers to target you based on the information these companies have on you, which can accurately tell them how and what to sell you.

Since nearly everyone has a near-ubiquitously-connected experience there is a lot of data collected, bought, and sold every year and it’s big business. Facebook, a company whose main revenue stream is from selling advertising, made a net profit of nearly $16 billion in 2017. This tells us that if you have people’s data, you have people’s hopes, fears, and dreams, which means you can pretty easily get someone to pay you for access to that information.

For small businesses it’s much less lucrative. In fact, all the data your organization needs to keep is probably necessary simply to do business, not to sell to advertisers. Facebook voluntarily gets a lot of personal information from every one of their users, whereas the typical small business often has to strategize just to get a name and a phone number. The information that is sensitive (mostly customer information that you collect) has a lot of value to the people looking to steal it. So while you aren’t making billions of dollars selling consumer profiles, it is still a mightily important part of doing business, and needs to be secured.

Is Data a Commodity?
Technically speaking, it isn’t. Since a commodity’s value is based mainly on its scarcity and the amount of capital that needs to be put up to create it, in both resources and labor, the data that is being purchased isn’t really a commodity. In light of the dissolution of the U.S. Net Neutrality laws, the argument has arisen in the U.S. that, since it is now up to the telecommunication companies how they want to manage (or more accurately bill) data consumption, they would throttle and tier service, something that isn’t possible with a true commodity, where there are laws prohibiting those types of practices.

On the other hand, Internet access is something that a majority of the commerce requires, and delivering data is in itself an expensive endeavor (infrastructure spending, development, utility costs, etc.) so telecoms, who are seeing their would-be profits syphoned by over-the-top content providers, and publicly demonized as a result of a very public lobbying effort to gain control of the ability to implement some sort of prioritization strategy, have to find a strategy to sustain their ability to get a workable return on their investments.

Securing Your Organization’s Data
Regardless of what your view of data is, it’s an important resource for your organization, and as mentioned above, it needs to be secured. For one of your company’s most important resources, data can be lost relatively easily, so there needs to be a concerted effort to keep your network and infrastructure free from the threats that could put your data at risk. At Coleman Technologies, that’s what we do. We ensure organizations like yours get the professional IT expertise you need to work efficiently, effectively, and securely in what is the most turbulent time in computing history. With the litany of threats your business faces every day, you need experts that have your back. We offer:

  • Backup and disaster recovery: With a comprehensive backup and disaster recovery system in place, all of your organization’s data is safe, redundant, and able to be restored on demand.
  • Proactive monitoring and management: By keeping a dedicated eye on your network and infrastructure, our technicians can be proactive.
  • Patch management: By keeping all of your organization’s software up to date with the latest threat definitions, you can ensure that your software isn’t going to be a problem.
  • Access control and threat detection: By having full control over who can access what, and a complete view of the entire network, we can keep people who aren’t supposed to see certain information from accessing it.
  • Training: Most times, your own staff is responsible for data breaches and malware. We can train you all on what to look for to ensure that you are doing your best to keep your network and infrastructure free from threats.
  • Around the clock support: If three out of every four businesses deal with phishing emails, and over 95 percent of all phishing emails deliver ransomware, chances are that if a mistake were to be made, you will need immediate IT support. Our support and help desk can remediate a lot of your security issues to keep downtime to a minimum.

With data such a major part of doing business today, ensuring you have the right solutions and support in place to be confident that any situation you face will be managed before it becomes a problem is in itself a benefit. Call Coleman Technologies at (604) 513-9428 for more information.

 


Tip of the Week: Your Phone Can Work as Your Security Key

As we begin, it is important that we acknowledge that the Android operating system has been granted FIDO2 certification. In other words, the FIDO (Fast IDentity Online) Alliance has given the Android OS their seal of approval in regard to the authentication standards that the Alliance has set.

What Does This Mean?

In very simple terms, any Android device running 7.0 or higher with the latest Google Chrome update installed can be used as part of a two-factor authentication strategy - more specifically, as a security key. This includes the support that FIDO2 offers for onboard fingerprint scanners as a means of identity authentication. Currently, this authentication standard is only supported by Android, with no indication of Apple devices incorporating it.

In no uncertain terms, this all means that passwords may soon be phased out.

Abandoning Passwords

Passwords have been the standardized form of authenticating one’s identity for quite some time, despite the potential issues that are present with them. How often have we seen just how many ways a determined cybercriminal has to obtain a password? Between insecure databases filled with credentials and unfortunately successful phishing schemes, millions of accounts have been exposed - and that isn’t even taking all the times an insecure password was guessed into account.

The biggest weakness that any password has is the fact that it can be shared at all, that someone other than the owner can use it. Over any other reason, this is why FIDO2 is likely to become as popular as it is expected to be. When was the last time you successfully shared a thumbprint with someone, after all? Furthermore, FIDO2 keeps all of the information that is pulled from its biometrics onboard the device, keeping it safe from being stolen on the Internet.

As an added bonus, FIDO2 won’t allow the user to input their fingerprint’s biometric data into websites that don’t have sufficient security measures in place.

How to Use Your Android Device as a FIDO2 Security Key

In order to leverage your Android device as a security key, you need to make sure that it meets a few benchmarks. First and foremost, you’ll need to be running at least Android 7.0, with the latest version of Chrome installed. You will also need to have Bluetooth activated, and a Google account with two-step verification enabled.

This is somewhat simple to do. Logging into your Google account, access the Security section. Here, you’ll find the option to activate 2-Step Verification. After a short process, your smartphone will work as a security key.

Authenticating Google Sign-Ins with Your Phone

As long as you have enabled both Bluetooth and Location on your mobile device, any Google service you try to access will prompt you to confirm the sign-in attempt via your phone. This process is exceptionally simple - all you have to do is press Yes on your phone and wait. Once you’ve done so, you can confidently access your Google account, securely. As more developers adopt FIDO2, this enhanced security will only appear more often.

What do you think of this new authentication method? Share your impressions in the comments! While you’re there, let us know if there are any other tips you’d like us to cover!


United States Citizens Demand Data Privacy… How Will It Impact Your Business?

The GDPR (In a Nutshell)

Under the GDPR - which came into effect on May 25, 2018 - any companies that have collected data on a resident of the European Union are then responsible for protecting that data. Furthermore, the GDPR grants these residents a far higher level of access and control over the data that organizations possess.

How United States Citizens Have Reacted

According to a poll, data privacy has become a bigger priority for 73 percent of respondents, 64 percent stating that they felt the security of their data was worse than it has been in the past. 80 percent want the ability to learn who has purchased their data, while 83 percent want the ability to veto an organization’s ability to sell their data in the first place. 64 percent also stated that they want the ability to have this data deleted.

How the Government Has Reacted

Governing bodies at different levels have had different reactions to these demands. For instance, the state of California has already passed the Consumer Privacy Act (CCPA) - a piece of legislation that the House of Representatives' Consumer Protection and Commerce Subcommittee isn’t too fond of, as its position is that there needs to be a singular piece of legislation at the federal level to protect data. As of right now, data privacy is addressed in a combination of state laws and some proposed federal laws.

One of these proposed laws, the Data Care Act, spells out that (in addition to promptly alerting end users to security breaches) a service provider cannot legally share a user’s data without the receiving party also being beholden to the same confidentiality standards. Others include the Information Transparency and Personal Data Control Act, which requires transparency and personal control over data, the Consumer Data Protection Act, which could throw executives in prison for abusing data, and the American Data Dissemination Act, which sets a deadline for the government to enact privacy requirements upon businesses.

However, when the Consumer Protection and Commerce subcommittee met to discuss the prospect of a federal privacy law (which it was agreed was necessary), there weren’t any representatives for the average consumer - the ones whose data is really at stake. This reflects the hearings held last year by the Senate, also without consumer representation. Instead, technology companies were invited to participate during both sessions.

Small Business Concerns

That being said, there is very little support among the committee for any regulations that are at all similar to the GDPR. One reason for this: the fear that small businesses will not find themselves able to afford the added cost of compliance.

For instance, there are a variety of potential burdens that such a measure could potentially impose upon small and medium-sized businesses. These burdens include:

  • All-encompassing overhauls that would result in lost business
  • Business failure due to inadequate budgets to make the demanded changes
  • Impeded growth after regulations are put in place
  • Prerequisites becoming too great to start a business in the first place
  • Costs passed down to SMBs from larger companies for technology services

It is worth noting that if your organization does business with people from the EU, you are responsible for adopting the privacy rules of the GDPR.

What do you think? Are laws like these necessary, especially given the cost they could put on small businesses? Have you had any data privacy concerns in the past? Share your thoughts in the comments.


Colleges Have a Lot of Data to Protect

Birth of the Internet

The first Internet was born on college campuses. It was built by intellectuals, for academics, without the massive list of considerations that now accompany software development. It spread quickly, of course, and somewhere, pretty early on, it was decided that by being able to support commerce, the Internet could become one of the west’s greatest inventions.

This came to fruition in 1984 when the first catalogue was launched on the Internet. This was followed by the first e-store (at books.com) in 1992, and the first software to be sold online (Ipswitch IMail Server) in 1994. Amazon and eBay launched the following year and the Internet has never been the same.

By then, the academic uses for the Internet had multiplied, as well. By the time Amazon launched, many colleges and universities were offering students access to the Internet as an important part of their continuing education. Boy, was it ever.

Today, you’ll be hard pressed to find a school (outside of the poorest school districts in the country) where every classroom isn’t Internet-ready.

College Internet Needs and Cybersecurity

This stands true in university and college circles, as well. Campuses today are almost completely connected. You’ll be hard pressed to find a place on a modern campus where, as long as you have the security credentials to do so, you can’t gain access to an Internet connection. In a lot of ways, it is the demand for access that makes network security a major pain point for the modern college. Firstly, having to protect computing networks from a continuously variable number of mobile devices is difficult. Secondly, the same attacks that plague businesses are also hindering IT administrator efforts at colleges.

Colleges themselves aren’t doing anyone any favors. According to a 2018 report, none of the top 10 computer science degrees in the United States require a cybersecurity course to graduate. Of the top 50 computer science programs listed by Business Insider only three require some type of cybersecurity course. Moreover, only one school out of 122 reviewed by Business Insider requires the completion of three or more cybersecurity courses, the University of Alabama. Regardless of the metric, it’s clear that learning cybersecurity is not a priority for any school.

Are There Cybersecurity Problems Specific to Colleges?

The short answer is no. That’s why it's so important to get people thinking about cybersecurity any way they can. No industry can afford to have the skills gap between people that hack and the people looking to stop them grow any wider. This is why, no matter what you do (or plan on doing) for a living it’s important to understand what your responsibilities are and how to get them into a place that can help your organization ward off these threats from outside (and sometimes inside) your network.

Many colleges have turned to companies like Cyber Degrees to help them not only educate the people utilizing the college’s networks on why cybersecurity awareness is important, but also help people understand that, with the rise of cybercrime and hacking-induced malware, cybersecurity has become a major growth industry with many facets. In 2015, the Bureau of Labor Statistics found there were more than 200,000 unfilled cybersecurity jobs in the U.S. With curriculums not prioritizing cybersecurity, and with threats growing rapidly, imagine how many are unfilled today. As demand rises for competent individuals to fill a multitude of jobs in the computer-security industry, colleges need to do a better job prioritizing cybersecurity training.

For the business looking into protecting itself, look no further than the cybersecurity professionals at Coleman Technologies. Our knowledgeable technicians work with today’s business technology day-in and day-out and know all the industry’s best practices on how to keep you and your staff working productively, while limiting your exposure to risk. Call us today at (604) 513-9428 to learn more.


Getting to Know About Phishing Attacks Can Keep Your Business Safe

As a result of this increase in phishing attacks, endpoint security has grown much more focused, but the issue with phishing isn’t necessarily an issue with the strategies surrounding your technology--rather, it’s an issue relating to your organization’s users and their tendency for failure. Now, we know this sounds a little harsh, but it’s been proven time and again that employees need security training on how to handle credentials and other sensitive information. Let’s take a look at a couple different types of attacks you can be exposed to, and what you can do to keep your organization from becoming just another company that has suffered from a data breach.

Deceptive Phishing
Deceptive phishing is one of the most common types of phishing scams, and it aims to fool unsuspecting users into handing over sensitive information. This happens when the hacker sends a message to users that impersonates an actual person or company that the organization has some sort of relationship with. These hackers use deceptive phishing to convince users to hand over information like passwords, usernames, account numbers, etc. Since official credentials are being used to access these accounts, it doesn’t immediately become a security concern.

For the most part, these deceptive phishing messages are either ignored by the users, caught by filtering technology, or disregarded when they’re accessed. Unfortunately, the handful that actually do fool the end user are worth the hundreds-of-thousands that are sent to others. To keep your business from making this fatal mistake, you need to focus on increasing awareness of what makes phishing attacks so much different from your average legitimate email.

Some of the telltale signs of phishing messages include misspelled words, problems with sentence structure, and suspicious attachments or URLs. Always hover your mouse over a link before clicking on it to determine its location, and never download an attachment unless you know who’s sending it. Another thing to look out for is any financial institution or vendor demanding payment or access to your account--there are other, more official methods of outreach for matters such as these; and no bank or similar institution will ever, ever ask you for passwords.

Spear Phishing
Spear phishing attacks are targeted attempts against a specific user. For example, someone who sees a message from a coworker might let their guard down, but this doesn’t necessarily mean the message is safe. It just means that some hacker managed to find a way to mimic the sender in a way that is extremely convincing. Spear phishing attacks will often know the target’s name, title, company, work phone number, and much more--all to seem as authentic as possible so the user will click on a malicious attachment or URL.

Even social media isn’t safe from this trend. LinkedIn, for example, is one of the most common places where spear phishing is leveraged. It might be used for connecting with other business professionals, but it’s not hard for a hacker to imitate a business professional. We aren’t saying that you need to avoid social media like the plague, only that you should approach it with some sensible caution.

Pharming
That being said, more people are learning about these attacks by the day, meaning that some hackers have ceased these types of attacks for fear of their efforts being for naught. Instead, they turn to a practice called pharming, which is using an organization’s DNS server to change the IP address associated with the website name. This gives them a way to direct users to malicious websites to steal their legitimate credentials.

To prevent this from happening, it’s very important that you tell your staff to be sure they are entering their credentials into a secured site. The best way to make sure this happens is to look for the “https” in the hyperlink, as well as a padlock icon next to the address. It also never hurts to have an antivirus solution on each endpoint within your organization.

Coleman Technologies can help your business stay as secure as possible. To learn more, reach out to us at (604) 513-9428.


Biometric Authentication Becomes More Commonplace

What Are Biometrics?
Biometrics are a method of authentication that uses some sort of physical attribute or qualifier rather than a password or a key code. Some examples include fingerprints, voice patterns, typing rhythms, and so much more. They are easier to use than your typical passwords or key codes, and even better, they can be used in conjunction with traditional security measures and practices.

Let’s take a closer look at what some of these biometrics are, as well as the most practical way to implement them.

Biometric Types
There are two major categories for biometrics: physical identifiers and behavioral identifiers. Physical identifiers are by far the most common:

  • Signatures: Signatures are one of the unique ways you can identify an individual, and you’ve surely seen this biometric used at least once somewhere or another. Whether it’s a transaction or an agreement, a signature can do much to guarantee someone’s authenticity.
  • Fingerprints/Physiological Attributes: This particular biometric is often used to secure smartphones. Fingerprints can be used to determine the identity of the user, as well as various other physiological attributes, like palm scanning, retinal scanning, and facial recognition.
  • Voice: Voice-based authentication is common all over the place these days, whether it’s a personal user issuing commands to a virtual assistant or a business using voice authentication to navigate automated answering systems.
  • DNA: The technology to implement DNA sequencing into authentication is still a ways off, but it’s closer than you might think.

There are other behavioral identifiers that are used for biometric authentication. While these methods are still in development, here are a few examples of them:

  • Typing Patterns: People all write in different ways, and the same goes for typing. Therefore, this can be used to determine the authenticity of the user based on their keystrokes and the pressure applied to the keys.
  • Navigation and Engagement: In a similar fashion, the way that people navigate applications and systems can also determine identity. Mouse movements are quite telling, as is how we hold devices.

Reliability (and Risks) of Biometrics
Biometrics are proving problematic to an extent, mostly because they can be inconsistent. Voices can vary depending on the user’s health or age, and faces can change based on a clean-shaven (or bearded) face, a haircut, or a pair of glasses. There are ways to work around this system, and with biometric authentication, there is much that needs to be taken into account.

Security is a Major Concern
This kind of data needs to be heavily protected, as it not only exposes sensitive information, but personal information as well. These kinds of credentials are also not easily changed, as they are heavily based on physical traits. For these reasons, biometrics may take some time to be adopted as the norm.

What are your thoughts on biometrics? Let us know in the comments.


Microsoft Launches Office 365 Advanced Threat Protection

Microsoft’s Dedication to Security

Microsoft has as good of a handle on the nature of cybersecurity as any other major software company. The sustainability of their business and the effectiveness of their products are dependent on it. If their security software didn’t work well, there is no way they could sustain their place as the world’s most important software company, right?

One problem they are running into is that their security is SO effective that hackers had to shift the ways they tried to infiltrate networks and steal data. This led to the establishment of phishing, a social engineering term for duping a victim into downloading software whose only purpose is to gain access to their personal data, which leads to data and identity theft, and in the case of business computing, access to much more.

Businesses Have Trouble with Security

Today’s business has to deal with a lot of different security issues. First, they are responsible for having the technology protections connected to each part of their computing infrastructure. This can be as simple as having the router-supplied firewall and an antimalware program loaded on their server. It’s likely, however, that the average business will need more coverage over their network to secure it, and the data stored behind those security platforms.

Next, and maybe most crucially, it is the business’ responsibility to train its staff on what kind of issues to look out for. Today, most malware infections and other infiltrations are the result of a mistake made by a person that has credentials and access to data. If your organization doesn’t properly train your staff on how to eliminate these threats, there is a fair chance that your network will be inundated with some type of malware at some point.

Microsoft 365 Security and Compliance

Microsoft, acknowledging the need for an enterprise product that combines the power of their Windows 10 operating system, the productivity options presented from Office 365, and powerful security and compliance controls, has launched Microsoft Office 365. The cloud-based solution presents the core computing resources that any business could use in a product that is available right now from Coleman Technologies.

Our knowledgeable technicians can help you find the right security platform for any of your business’ computing needs. Call us today at (604) 513-9428.


Cryptomining Becoming a Big Issue for Businesses

Your Computer Can Make You Money?
Certainly you’ve heard of cryptocurrency, which is a type of currency that is “mined” from a computer. The most common cryptocurrency is Bitcoin. Bitcoin is generated by computers that crunch through numbers. Some organizations have warehouses full of high-end servers that are constantly mining for Bitcoin. The average computer can’t really handle this task, but with enough of them, hackers can start to receive a considerable sum.

Why Is This Dangerous?
Cryptomining is dangerous particularly because of how intensive the process is. It can take a toll on the average device if it’s left unchecked. As previously stated, it takes an exceptionally powerful machine to effectively mine cryptocurrency. This causes the device to experience an abnormal amount of wear and tear. Over time, you’ll notice that your device will start to decrease in efficiency and slow down.

Another way this might affect a business is through the immediate costs associated with cryptomining affecting your hardware. You might notice an abnormally high electricity bill from a server being influenced by cryptomining, or a cloud-based service working too slowly. Either way, the end result is a negative effect for either your employees or your customers.

How You Can Protect Your Business
If you’re looking for cryptomining on your network, be sure to keep an eye out for suspicious network activity. Since the malware will be sending information over a connection, you’ll be able to identify suspicious activity during times when there shouldn’t be as much activity on your network. In this particular case, the data being sent is small, making it difficult to detect for businesses that transmit a lot of data.

Security professionals are turning toward machine learning to detect and eliminate cryptomining troubles on networks. Machine learning can analyze a network’s traffic for the telltale signs of cryptomining software. Another method is to use a SIEM solution that gives network administrators the power to discover consistent or repetitive issues from potential malware.
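The off-hours check described above can be sketched as a small script over flow records. This is an added example, not code from the original post or from any particular SIEM; the record layout, the business-hours window, the thresholds, and all hosts and destinations are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 is when traffic is expected
MAX_AVG_BYTES = 2048           # assumption: miner check-ins move very little data
MIN_QUIET_HOURS = 6            # assumption: distinct off-hours hours that must show traffic


def is_quiet(ts):
    """True when a timestamp falls on a weekend or outside business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def find_offhours_talkers(flows):
    """Flag (host, destination) pairs that keep exchanging small flows all night.

    flows: iterable of (datetime, internal_host, destination, bytes_sent).
    Returns (host, destination, quiet_hours_seen, average_bytes) tuples.
    """
    hours = defaultdict(set)   # pair -> distinct off-hours hour buckets with traffic
    sizes = defaultdict(list)  # pair -> bytes per off-hours flow
    for ts, host, dest, nbytes in flows:
        if not is_quiet(ts):
            continue
        hours[(host, dest)].add(ts.replace(minute=0, second=0, microsecond=0))
        sizes[(host, dest)].append(nbytes)

    findings = []
    for (host, dest), buckets in hours.items():
        avg = sum(sizes[(host, dest)]) / len(sizes[(host, dest)])
        # Persistence alone would also match backups; small size alone would
        # match someone working late. Both conditions together narrow it down.
        if len(buckets) >= MIN_QUIET_HOURS and avg <= MAX_AVG_BYTES:
            findings.append((host, dest, len(buckets), round(avg)))
    return sorted(findings, key=lambda f: f[2], reverse=True)


def build_sample_flows():
    """Constructed sample data: one miner-like host and three benign patterns."""
    flows = []
    night = datetime(2019, 1, 15, 22, 0)  # a Tuesday evening
    # Small flow every 10 minutes from 22:00 to 05:50 to the same destination.
    for i in range(48):
        flows.append((night + timedelta(minutes=10 * i), "10.0.0.23",
                      "pool.example.net:3333", 280 + 20 * (i % 3)))
    # Nightly backup: persistent all night, but large.
    for h in range(7):
        flows.append((datetime(2019, 1, 15, 22, 30) + timedelta(hours=h),
                      "10.0.0.40", "backup.example.com:443", 50_000_000))
    # Normal daytime mail traffic.
    for hour in range(9, 18):
        flows.append((datetime(2019, 1, 15, hour, 5), "10.0.0.51",
                      "mail.example.com:443", 900))
    # Someone working late: small flows, but only for two hours.
    for minute in (0, 30, 60, 90):
        flows.append((datetime(2019, 1, 15, 19, 0) + timedelta(minutes=minute),
                      "10.0.0.77", "crm.example.com:443", 1500))
    return flows


if __name__ == "__main__":
    for finding in find_offhours_talkers(build_sample_flows()):
        print(finding)
```

Scoping the check to one host and one destination at a time is what keeps the small transfers visible on a network that otherwise moves a lot of data.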

To keep your business safe from the looming threat of cryptojacking, you should implement measures to ensure all common methods of attack are covered, including spam protection, antivirus, content filters, and firewalls. To learn more, reach out to us at (604) 513-9428.


What is Encryption, Anyways?

What is Encryption?
Encryption is a security measure meant to thwart any would-be hackers from using your stolen data to further their ambitions. Think about it like this; without encryption, hackers would gain access to your files, plain as day. Encryption provides a measure that keeps hackers from using your organization’s data even if they were to gain access to it. It essentially scrambles data to everyone who doesn’t have the decryption key, rendering it useless.

One particular technology that uses encryption to a considerable degree is a virtual private network, or VPN. A VPN can connect your employees to your infrastructure regardless of their location in a secure way. Think of it like this; the connection between your employee’s device and your network is normally a clear tube that can be observed by anyone ambitious enough to look for it. Rather than leave it as is, encryption makes the tube opaque--enough to obscure what’s inside so it’s not quite clear for any unwanted onlookers.

Why is it Important?
You can imagine the immense importance of encryption in today’s data-oriented business world. If you’re not taking every measure possible to secure your data, you could be making a huge mistake. Encryption in particular is important for assuming the absolute worst. You can never know when your data will be stolen, so it’s best to take preventative measures to ensure that it will cause a minimal amount of damage should it occur. If your encrypted data is stolen, it will simply be unusable without spending far too much effort to get the data into a readable state.

Coleman Technologies can equip your business with encryption services that you can count on to keep your data as safe as can be. To learn more, reach out to us at (604) 513-9428.


Top Cybersecurity Threats Right Now

Shadow IT
In a lot of ways, productivity is a lot like the thing it produces: money. People will do anything to get more of it. Businesses have a plan, and while they also want to maximize productivity and money, they typically don’t put their whole enterprise in jeopardy to get a little bit more of it. Shadow IT is the process in which an employee will download and use a piece of software that hasn’t been tested or passed by a company’s IT administrator to try and get a little more done.

Oftentimes, the employee is just showing initiative, with no real knowledge that by downloading and utilizing a certain off-brand software they have just put their whole business in danger. This wouldn’t be such a major deal if it was an isolated incident, but studies show that nearly 80 percent of all employees admit to utilizing software that wasn’t selected, tested, and released for use by their IT administrator. These apps may have vulnerabilities that would-be infiltrators can take advantage of. That is why it is important to utilize the software that has been vetted by the company, even if that means losing out on a bit of productivity.

Cryptojacking
There are well over 1,500 different cryptocurrencies, and in 2018 cryptojacking, the strategy of using malware to use a target computer’s resources to mine for cryptocurrency, was a major problem for businesses. Since this is a computationally complex task, it significantly reduces the computer’s effectiveness and longevity. As a result, cryptojacking has become en vogue for hackers and others looking to mine cryptocurrency without the investment necessary to do it.

Most studies show that the effect of cryptojacking could get way worse in 2019 since the value of cryptocurrency has fallen significantly over the past year. This means more machines mining for crypto are necessary, and thus more attacks. Users are just learning how these attacks are carried out and how to protect their business against them.

Ransomware
While there was a reported reduction in the number of ransomware cases in 2018, it still remains a major concern for any business looking to build a comprehensive network security strategy. Ransomware, of course, is a strain of malware that encrypts parts of or entire computing systems and then demands payment in cryptocurrency in a set amount of time for safe return of the files/access.

Hackers using ransomware have taken to targeting healthcare organizations’ networks for the breadth of the sensitive data they hold on them. They’ve also begun to target operational technology systems, since, as with healthcare, costs of restoration of these systems (rather than payment) are prohibitive. This produces a little more urgency to get the problem resolved.

Unsecured Internet of Things
The Internet of Things keeps expanding, but so do the security threats to networks as a result of security-light devices. With more and more devices presenting security problems for businesses and individuals alike, it becomes important to ascertain exactly what devices are present on your network at any given time. Remember, even if a security-less IoT device is connected to a network-attached smartphone, it still offers up a major vulnerability.

While this is a major threat, there has been a push to improve the security of IoT devices as of late. With more security-minded companies developing useful smart products, these concerns will begin to take a back seat. But until that shift has been well documented, you’ll want to be diligent in the manner in which you utilize IoT devices.

Phishing
No business goes very long without getting some type of phishing email. In fact, it is estimated that 156 million phishing emails are sent every day, making it the most used practice by hackers everywhere. The way it works is that since most accounts are secure enough not to be guessed outright, hackers search for ways for people to help them gain access to the accounts they want to get into. Nearly every successful cyber attack begins with a successful phishing scheme.

A specific example called business email compromise (BEC), which targets specific members of an organization, is responsible for over $12 billion in losses across the globe. Once thought to be an email scam that could be mitigated with strong spam filters, today’s phishing scam is taking on a new shape by utilizing text messaging, instant messaging, phone calls, and even the seemingly-benign social media quiz to gain access to business networks.

2019 is lining up to be another stellar year for business technology, and as more tech is used, more threats come with them. If you would like any more information about how to prioritize network security, give our IT experts a call at (604) 513-9428 today.


Are Smartwatches Smart Enough?

The Smartwatch
The smartwatch market as we know it today has existed for almost a decade, surprisingly enough, but the first smartwatch was developed in the late ‘90s. A smartwatch is seen today as more of a peripheral for a smartphone. They come in several different shapes, sizes, and styles, but they all tend to provide some kind of utility to the user. Here are some of the main benefits of using a smartwatch:

  • Convenience: You can’t beat the convenience of checking your watch and getting access to all kinds of information, like notifications, calendar events, and so much more. Modern smartwatches also give users the ability to search for information, and the processing power of these devices gives smartwatch users the ability to perform several actions that a smartphone can accomplish.
  • Functionality: The latest smartwatches have several features that give users lots of functionality. They can integrate with applications and take advantage of other practical functions, making them as useful as you want them to be. In this way, smartwatch manufacturers continue to push the boundaries of what’s possible with wearable technologies.
  • Discretion: Discretion is probably the most important part of using a smartwatch, as it’s much easier and more discreet to use it than pulling out a smartphone. Most smartphones have the capability to push notifications to your smartwatch, including those from social networks, messages, weather, and so on. More than anything else, it at least keeps you from being rude and checking your smartphone in the middle of a conversation.

Security Issues
The primary issue that comes from wearable technology is that it connects to your mobile device through a Bluetooth connection. Since they also connect to Wi-Fi networks, they are being exposed to two potential ways of being breached. Businesses that prioritize security (read: all businesses should prioritize security) need to be particularly wary of wearables, especially in regard to a Bring Your Own Device policy.

The modern hacker will use any opportunity they can find to hack into a device, and since wearables are particularly vulnerable to this due to the modes of connection they contain, they provide additional access points that create issues for businesses. If a hacker can gain access through an application at the wearable level, it could potentially compromise even the connected device and any network it’s attached to.

Industry experts might agree that the lack of wearable security isn’t a major concern overall, but it’s still something that you should be addressing with your business’ mobile device policy. Here are some ideas to think about:

  • If you are accidentally collecting electronic Protected Health Information (ePHI), you could be putting your organization at risk of breaching healthcare standards set by HIPAA. You should limit your employees’ fitness and wellness data collection on company-owned wearables and devices whenever possible.
  • Be wary of what can happen if you fail to educate your employees about the importance of protecting wearables. Be sure to remind them that they aren’t just putting business data at risk, but also their own individual data. It’s imperative that your employees understand how to best protect these devices.
  • Focus on the management of these devices, as there are no proper anti-malware solutions for IoT devices.

For assistance with planning out a wearable strategy for use with your Bring Your Own Device policy, be sure to reach out to us at (604) 513-9428.


Powerful Physical Security Options

If you don’t have guards or security cameras in place, you’re more likely to suffer from a physical security breach, which can be just as devastating as a digital breach. Ask yourself how comprehensive your security really is. After all, the new year has just hit, so why not use it as an opportunity to protect your business’ physical assets? With so many cyber threats out there these days, it’s no surprise that organizations focus on the digital aspect of security, but some people are just old-fashioned and would rather infiltrate a business the traditional way.

It’s also important to keep in mind that not everyone is going to be the perfect employee. You might have a couple of bad apples in the bunch that see technology and want it for themselves. In this case, digital security might not mean much, but physical security like locked doors and so on could make all the difference in keeping them from making decisions that are bad for both themselves and your business.

Basically, you need to take this two-pronged approach--one that considers both digital security and physical security--for the following reasons:

  • Data access is restricted to those within your organization, but even the best employees make mistakes.
  • A tiered approach means that employees only have permission to access data they need for their immediate work responsibilities.
  • Knowing who is accessing devices and data, as well as when they are doing so, can help you to resolve issues as they occur.

Let’s consider a couple of scenarios where it helps to have physical and digital security. Access control limits who can access specific information, so if the data is corrupt or missing, then you’ll have a clear idea of who is responsible for it. On the off-chance that it wasn’t the employee, then you know their credentials have been stolen and abused by a cybercriminal. Access monitoring is helpful for this, as it can also determine when someone is accessing data, as well as where they are located. Thus, if someone from another country is accessing data in the wee hours of the morning, it’s likely that you have a digital security problem on your hands.

As far as physical security goes, consider what would happen if you didn’t keep track of who checks out devices. For example, let’s say you have company laptops that can be checked out for use by your employees. If you’re not keeping track of who checks out what device, you’ll never know who currently has the devices in their possession, as well as when they were last taken out. It makes it astonishingly easy to get away with stealing a device.

Therefore, in order to make sure that you’re keeping your data as secure as possible from all avenues of attacks, we recommend you work with the folks from Coleman Technologies. We can help you ensure security. To learn more, reach out to us at (604) 513-9428.


You’ll Be Glad You Protected Your Google Account

Today, we aim to fix that. We will review why a Google account is so important to keep secure, as well as a few means and methods of doing so.

How a Google Account Can Be So Valuable
The purpose of the Internet has evolved greatly in the relatively few years it has been around. Today, the Internet is largely used as a communications and information sharing tool - true to its roots. This is where the name Internet comes from: inter (reciprocal or shared) and network (a system of connected things). However, as new purposes for the Internet emerged over time, circumstances changed, and the view of the Internet shifted.

The Internet was always meant for sharing information, from the very first inklings of an idea. In 1962, J.C.R. Licklider of MIT wrote up a series of memos that illustrated a system of interconnected computers, intended to share programs and data the world over, that he coined the “Galactic Network.” This idea of sharing information was also the driving force behind Sir Tim Berners-Lee’s development of the World Wide Web. As Sir Berners-Lee said:

“Had the technology been proprietary, and in my total control, it would probably not have taken off. You can’t propose that something be a universal space and at the same time keep control of it.”

In many ways, these ideals are retained in today’s environment. Online sharing is at its peak, with social media and collaboration fully leveraging a network that is, for the most part, still free of control by any central source. These are ideals that have developed into the demand for net neutrality and open-access information. However, while these ideals have been largely upheld, there are a few notable caveats that give us a more accurate view of today’s Internet.

As the Internet grew in capability, it also grew in utility, with many of its new uses requiring greater security and privacy. As confidential information that only select users should be accessing became more common in Internet-based communications, this spurred a balance to the Internet that both individuals and businesses can appreciate, and that Google has shaped its offerings around.

From its beginnings as a dissertation project by two Stanford doctorate students, Google has grown into the dominant force online today. Businesses use its G Suite applications every day, as private users leverage some of their other services to their own benefit. Many people, both for business and personal use, leverage Gmail. Let’s face it, Gmail is just useful, whether you use it for work, or just maintain an account to open accounts with other web services.

It is this last point that makes your Google account’s security so important to maintain.

How many of your online accounts are accessible by Google? On the subject, how many of your accounts would be compromised if your Google account was first?

The Impact
This is the double-edged sword of a Google account. On the one hand, it only makes sense to use a Google account to create others, either using your associated Gmail address or linking it directly. The convenience is inarguable, and Google does equip these resources with reasonable security standards. So why not use a Google account?

Unfortunately, there’s one critical consideration that doing so adds into your security equation, that many overlook:

Linking an account to your Google account ties your Google account’s security to it directly.

This means that, if your Google account was to be compromised, all of the accounts you had connected to it are also compromised by association. Depending on what you had saved in this way, that could have some devastating ramifications.

Finding Out How Devastating
If you’re on your desktop right now, you can access your Google account by clicking here. In the Security section, you can review all the devices that your Google account has been active on, all the third-party applications with access to your account, and all the websites that are utilizing Google Smart Lock.

Is this list longer than you would have expected? Does it include your bank?

If it does, all it would take for someone to defraud you would be to access your Google account--or even lock you out of your own bank, resetting your bank credentials by using your Gmail account to activate an account recovery process.

A Solution
Again, this creates a conflict between two priorities: convenience against security. While the convenience could make anything that you use online more efficient in both your professional and personal life, nothing is worth compromising the security of either. So… where do we stand?

Like any conflict between two interests, the ideal place to meet is in the middle. In this case, it is the conclusion that you can have the best of both worlds--you just have to make sure that your Google account is secured properly.

While it would be great if there was, there just isn’t an option somewhere in Google you can select to make everything perfectly secure, just like that. Having said this, it is just a matter of taking a few precautions.

Securing Your Google Account
The first step in securing any account is to understand that it isn’t a one-time activity and will need to be revisited periodically to make sure that everything remains secure. You should keep an eye out for news stories that discuss breaches among any of the organizations you have an account with, as you will still need to alter your credentials for these accounts.

Once this is set, there are a few best practices that it would be in your best interest to follow.

Passwords and Account Security
While all of your accounts should have the protection of a strong password, the fact that your Google account serves as a repository for your others makes it only more crucial to protect it with one. To accomplish this, make sure the password or passphrase you select is well in keeping with best practices, and that your Google account is the only account secured with it.

You should also be careful about what you are using to access your account. Any device that is available to the public should be avoided, as they are not only magnets for viruses and other digitally-based cyberthreats, but a cybercriminal could potentially retrieve your credentials from the device you used and thereby gain access to your account. Public Wi-Fi signals can have very similar issues, so use a secured, private connection whenever possible.

Two-Factor Authentication (2FA)
There is also the option to make your Google account ask more of someone trying to access it: a secondary code sent to you in a text message, delivered in the Google Authenticator application, or dictated through a direct call to your mobile device. By enabling 2FA, you can greatly decrease the likelihood that a cybercriminal will have everything they need to get in, assuming they don’t have access to your phone as well. We generally recommend that you utilize Google Authenticator, as it is the most secure of those three options.

You can also use your Google account to access a list of one-time authentication codes that you can print out and keep with you. This way, if you need to access your account and don’t have your phone handy, you can reference these to get in. If you run out of codes or lose the list, you can easily reset them and start over.

To set up these features, log in to your Google account.

At the end of the day, you don’t have to sacrifice the convenience of Google, as long as you have protected it responsibly. Coleman Technologies has the expertise to help you manage this security, as well as the rest of your business’ IT solutions and infrastructure. Call (604) 513-9428 to learn more.


Infected Applications Removed from Google Play Store

What Apps?
First, we’ll start with a complete list of the apps that had been infested with this nefarious code:

  • Sparkle FlashLight
  • Snake Attack
  • Math Solver
  • ShapeSorter
  • Tak A Trip
  • Magnifeye
  • Join Up
  • Zombie Killer
  • Space Rocket
  • Neon Pong
  • Just Flashlight
  • Table Soccer
  • Cliff Diver
  • Box Stack
  • Jelly Slice
  • AK Blackjack
  • Color Tiles
  • Animal Match
  • Roulette Mania
  • HexaFall
  • HexaBlocks
  • PairZap

What Did These Apps Do?
SophosLabs found a cache of apps that feature what they call “Andr/Clickr-ad” malware. These applications are engineered with maximum flexibility in mind. They could contact a common attacker-controlled server to download what is called an ad-fraud module. The malware does this every 80 seconds. It simply opened a non-visible window and would repeatedly click on ads, making the network look like it was getting more traffic, fraudulently enhancing the developers’ revenue.

No specific ad network was specified by Sophos, but users who had downloaded these applications would see a decrease in the battery life and/or an increase in the amount of data their device would use. One strange part of this is that some of the ad traffic was able to identify itself as coming from iPhones, despite this appearing on Android-only apps. They came from “Apple models ranging from iPhone 5 to 8 Plus and from 249 different forged models from 33 distinct brands of Android phones.” This ploy was used as a way to increase revenues further as some advertisers will pay a premium to get their ads onto Apple devices. iOS versions of the apps, largely by the same developers, didn’t have the malicious code integrated.
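A check-in on a fixed 80-second schedule is visible to a defender who has proxy or DNS logs for the devices on the network, because people do not browse at fixed intervals. The following added example, which is not Sophos's tooling or code from the original post, flags device and destination pairs whose request timing is nearly constant; the log layout, thresholds, device names and destinations are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

MIN_EVENTS = 10    # assumption: fewer requests than this say nothing about timing
MAX_JITTER = 0.10  # assumption: allowed spread of the gaps, relative to the period


def beacon_candidates(events, allowlist=frozenset()):
    """Find (device, destination) pairs contacted at a near-constant interval.

    events: iterable of (epoch_seconds, device, destination).
    allowlist: destinations known to be polled on a schedule (time sync etc.).
    """
    seen = defaultdict(list)
    for ts, device, dest in events:
        if dest not in allowlist:
            seen[(device, dest)].append(ts)

    findings = []
    for (device, dest), stamps in seen.items():
        if len(stamps) < MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        # Median absolute deviation: robust against a few missed check-ins.
        spread = median(abs(gap - period) for gap in gaps)
        jitter = spread / period
        if jitter <= MAX_JITTER:
            findings.append({"device": device, "destination": dest,
                             "period_s": period, "jitter": round(jitter, 3),
                             "events": len(stamps)})
    return findings


def build_sample_events():
    """Constructed sample log: one 80-second beacon and three benign patterns."""
    base = 1_546_300_800  # constructed start time, 2019-01-01 00:00:00 UTC
    events = []
    drift = [0, 0, 1, 1, 0, 0, -1, -1]  # a second of scheduling noise
    for i in range(30):
        events.append((base + 80 * i + drift[i % len(drift)],
                       "tablet-07", "adcfg.example.net"))
    # A person reading news: bursts and long pauses.
    for offset in (0, 12, 15, 140, 610, 640, 655, 2000, 2030, 3900, 3911, 5200):
        events.append((base + offset, "tablet-07", "news.example.org"))
    # Too few requests to judge.
    for i in range(5):
        events.append((base + 80 * i, "phone-02", "cdn.example.com"))
    # Legitimate scheduled traffic that looks exactly like a beacon.
    for i in range(20):
        events.append((base + 64 * i, "laptop-11", "time.example.com"))
    return events


if __name__ == "__main__":
    for hit in beacon_candidates(build_sample_events(),
                                 allowlist={"time.example.com"}):
        print(hit)
```

Without the allowlist the time-sync traffic is reported as well, which is the main source of false positives for this kind of check.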

Download Legit Apps
How can you go about making sure that you aren’t part of this problem? Download legitimate applications. Some of the best ways to make sure the apps you are downloading are legit include:

  • Read a lot of reviews - Much of the information you will need to see the legitimacy of an application can be found in the review of the app in the store. If you make a point to read eight or more reviews, you will quickly get a good idea about how functional the application is.
  • Check app permissions - Applications need permission from a user to use the core functions of the phone. If the application in question tends to need access to functions that it shouldn’t, you should be skeptical about the application.
  • Check the terms and conditions - Most people don’t go through the terms and conditions of anything, let alone an application for their smartphone. Even if you do make a point to read them, the amount of legalese found is akin to a lullaby or a warm glass of milk. The problem for users is that there is a lot of good information about the applications, and specifically how it uses data. If you do set aside some time to read about it, check out some language that is relevant to the way you use the application.
  • Research the developer - Nowadays, software development is filled with people that are looking to make a name for themselves. This type of ambition can lead to bad decision making. If you take some time to do some basic research about the developer of an app you have reason to question, you’ll likely find the truth of whether they can be trusted or not. If they want to be known, they likely promote their work via social media, so, start there.

Android has millions of legitimate applications on the Google Play Store, so whether or not you’ve downloaded one that will put your data at risk shouldn’t be too worrisome as long as you stick to our best practices. To learn more about technology, security, and mobile strategies, call Coleman Technologies today at (604) 513-9428.


As 2018 Ends, Mobile Cyberthreats Won’t

The Now:
It’s the holiday season, which means that many will find themselves traveling, either to visit family and friends or to seek out more agreeable climates. However, business being what it is, many will also still be trying to get work done during their travels.

Thanks to the incredible capabilities of the mobile devices we have today, this is made much easier. A business that leverages cloud solutions offers mobile users an exceptional amount of maneuverability, and the popularity of Bring Your Own Device policies has made it so that the resources needed to accomplish work goals are never too far away. Yet, this access is a catch-22, as it also means that data can be easily lost, far from the business’ location and the protections it should have in place.

Resultantly, there are a multitude of ways that a cybercriminal can come into possession of your data, either personal or professional. Fortunately, there are some ways to help prevent this from happening as well.

  • Public Wi-Fi is Too Public: When out in public, you’ll want to avoid connecting to public Wi-Fi networks when shopping or accessing sensitive information. We all know that hunting for the best deals is made much easier when you can look up prices online, but you’ll want to use your data instead. Public signals make hackers’ jobs that much easier with their typically insufficient security standards.
  • Charity Good, Charity Scams Bad: These phishing variants can come in via all avenues, but very commonly take the form of calls and text messages. A scammer pretends to be working for some charity, but in actuality, just wants your money and data for themselves. If you receive what you believe to be a charity scam attempt, you’d be wise to do some research into who is asking for it before handing over your data, payment information or otherwise.
  • Charge Carefully: Whether you’re at the airport during a layover and trying to eke a few more minutes out of your device, or you’re deal-hunting online as you’re wandering the mall, you need to make sure you’re being smart about how you’re keeping your device charged. Many attackers will hide attacks in charging stations, waiting to strike whoever connects.

The Then:
Of course, these hacks and threats aren’t going to end after the holiday season is over. Moving into 2019, the above threats are still going to be just as large of a problem, along with many other threats. Much of this will be in part due to our reliance on mobile devices.

Hackers will still be able to intercept data exchanged on an unsecure network, more devices will become outdated and insecure (you may want to peek at some of those holiday deals for an upgrade), and yes, more people will enable these threats through uninformed decisions. You need to make sure that your business isn’t influenced by threats like these.

Coleman Technologies can help. Get your business a holiday gift by calling (604) 513-9428 and speaking to us about our managed IT services.


Fingers Crossed! The Robocalls May Soon Stop

Chances are, you’re all too familiar with exactly the kind of scam I’m describing. The one that makes the Do Not Call List sound like wishful thinking, that makes it look like someone from your area - or even your contacts list - is trying to reach you.

Chances are, you’ve answered one of these calls, only to hear silence, broken after you say “Hello?” As soon as you do, a (likely prerecorded) voice launches into its tirade, being a nuisance and bothering people.

Chances are, you may have even received angry phone calls from people you’ve never met, let alone called, claiming that your number has been the source of repeated calls just like these.

You aren’t alone.

Unfortunately, the scammers responsible are talented at skirting rules and regulations.
Calls like these have been harassing users for quite some time, simply because the scammers understand how to cheat and find loopholes. This is all despite the efforts of regulatory bodies like the FCC (the Federal Communications Commission).

In November of 2017, the FCC enabled telephone providers to block calls that were presumably fraudulent. This was based on many factors, like the calls coming from invalid numbers or numbers with no service provider attached.

However, the rules outlined in the 2017 Call Blocking Order weren’t enough to stop scam robocalls for long.

Now, we all have had to deal with the huge nuisance of neighbor spoofing. Neighbor spoofing has almost certainly affected you directly, and if you’ve been lucky enough to avoid it, it’s happened to someone you know.

But you may be asking, what is neighbor spoofing?
If your phone rang, and you have caller ID enabled, you’ve probably developed the habit of checking the number before you answer it - after all, a local number is probably safe to pick up.

Neighbor spoofing has made it so that assumption is no longer the case.

Instead of using a fake number to call their targets, scammers using neighbor spoofing will actually use someone’s real number to call someone relatively nearby - sometimes literally next door. If you’ve ever received an angry phone call from someone demanding an explanation for someone with your number repeatedly calling them and harassing them, your number just so happened to be the one that these cybercriminals spoofed.

There have even been reports of people receiving calls from their own number, claiming to be from the phone company as an attempt to “verify a hacked account.”

Neighbor spoofing is also a very effective method for scammers because it can bamboozle the automated protections already in place to stop scam calls, just like it fools the targeted phone’s user. This also keeps the Do Not Call list from affecting these scammers’ attempts (as if it ever stopped them before).
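To make the pattern concrete, here is an added example (not part of the original article) that labels incoming caller IDs by how closely they match the recipient's own number. The function names, labels and sample numbers are assumptions made for illustration, and a "neighbor-suspect" label is only a triage hint, since real neighbors share the same prefix.

```python
import re
from collections import Counter

def normalize_nanp(number):
    """Return the 10-digit NANP form of a caller ID, or None if it is not valid."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    # NANP area codes and exchanges never start with 0 or 1.
    if len(digits) != 10 or digits[0] in "01" or digits[3] in "01":
        return None
    return digits

def classify_call(caller_id, own_number, contacts):
    """Triage label for one incoming call; a hint for review, not a verdict."""
    own = normalize_nanp(own_number)
    caller = normalize_nanp(caller_id)
    if caller is None:
        return "invalid-number"    # the kind of number carriers were allowed to block
    if caller == own:
        return "own-number"        # caller ID equal to the recipient's own number
    if caller in {normalize_nanp(c) for c in contacts}:
        return "known-contact"
    if caller[:6] == own[:6]:
        return "neighbor-suspect"  # same area code and exchange, but not a contact
    if caller[:3] == own[:3]:
        return "local-unknown"
    return "unknown"

def triage(call_log, own_number, contacts):
    """Count labels over a whole call log."""
    return Counter(classify_call(c, own_number, contacts) for c in call_log)

# Constructed sample data (555-01xx numbers are reserved for fiction).
OWN = "(604) 555-0142"
CONTACTS = ["604-555-0117"]
CALL_LOG = ["+1 604-555-0142", "604-555-0199", "604-555-0117",
            "604-200-0000", "000-000-0000", "212-555-0100", "6045550163"]

if __name__ == "__main__":
    for number in CALL_LOG:
        print(number, "->", classify_call(number, OWN, CONTACTS))
```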

Additionally, many apps may add some unwanted complications, even if they are effective.
There are mobile applications available that are intended to stop robocalls from ringing your smartphone in the first place. One such application, the aptly-named RoboKiller, does this in two ways. First, RoboKiller references a list of numbers identified as spam, and blocks these calls completely. Second, it uses a patented analysis of the call’s audio fingerprint to compare it to those of other spam calls. Regardless of the number it appears to come from, RoboKiller can identify if it is a match to a known attempt.

You’ll only know that you were targeted after you read the notification that RoboKiller provides.

Meanwhile, RoboKiller responds to the scammer with a time-wasting prerecorded message. You can then review the calls that RoboKiller blocked by opening the app on your phone. There, you can listen to a recording of blocked calls to determine which calls were spam, and which were legitimate attempts to reach you. From there, you can whitelist a number by pressing the Allow button.

Users of RoboKiller can also add numbers to their list of permitted callers to allow them to come through. RoboKiller is a subscription-based application that charges $2.99 each month ($24.99 for an annual subscription), which may be seen as a relatively low cost if you’ve received enough of these calls.

As RoboKiller states on their website, “With RoboKiller, you don’t stop neighbor spoofing. You take action in the fight against the robocall epidemic.”

However, this approach isn’t without some worries.

For one, consider the cost of admission for this app. Yes, $2.99 may seem like a bargain if you have a smartphone, but what about all the people who still don’t? Furthermore, many mobile users today are of older generations, and may not understand how to work the application (or again, may not have a device that is compatible with the app). Yet, these worries may not be necessary for long.

Both the government and the telecom industry have had enough.
It wasn’t long after the 2017 Call Blocking Order was released that the attorneys general from a full 40 states came together to form the Robocall Technologies Working Group. This is a bipartisan commission intent on collaborating with service providers to learn about robocalling technology with the ultimate goal of stopping it.

On October 8th, the attorneys general of 35 of those states signed a letter to the FCC stating that the efforts of law enforcement had not and would not be sufficient to stop abusive scam attempts and robocalls. In this letter, the attorneys state some chilling facts:

  • 30.5 billion illegal robocalls were made in 2017 alone, up from the estimated 2016 total of 29.3 billion.
  • Estimates place the total number of calls made by the end of 2018 somewhere near 40 billion.
  • Phone scams allowed cybercriminals to steal an estimated $9.5 billion in 2017.
  • August of this year saw 1.8 billion scam attempts in the 4 billion illegal robocalls made that month.

Facts like these only highlight the pervasiveness of these scams, and how important it truly is to eliminate them as much as possible. In fact, the Federal Communications Commission has gone on the record to demand that mobile providers figure out a standardized system to help prevent these calls from reaching mobile users, echoing the demands made by the attorneys general.

This system would rely on call authentication to ensure that only legitimate calls make it through, and that spoofed calls are caught, by requiring that all calls be verified as coming from the correct source.

Not only did Commissioner Ajit Pai release a statement to the press demanding that this system be created, he also sent a letter to 14 telecom CEOs, including AT&T’s John Donovan, Charter’s Tom Rutledge, Verizon’s Hans Vestberg, T-Mobile’s John Legere, Comcast’s Brian Roberts, and Google’s Sundar Pichai.

Pai demanded that these changes be ready to deploy in one year, giving telecoms a ticking clock to establish what they call the SHAKEN/STIR framework (Secure Handling of Asserted information using toKENs/Secure Telephone Identity Revisited). This move was met with the approval of the attorneys general, who went on to encourage the FCC “to implement additional reforms, as necessary, to respond to technological advances that make illegal robocalls and illegal spoofing such a difficult problem to solve.”

As the attorneys general said: “Only by working together, and utilizing every tool at our disposal, can we hope to eradicate this noxious intrusion on consumers’ lives.” Fortunately, this will also benefit the businesses that have been affected.

With any luck, we’ll only have to deal with the robocalling nuisance a little while longer. For assistance in keeping other scams from interrupting your business and putting it at risk, reach out to Coleman Technologies. We have the experience to stop the other threats you would otherwise deal with on a daily basis. Call (604) 513-9428 today.


Searching Bing for Google Chrome Takes Users to a Place They Don’t Expect

What’s the Problem?
What’s the first thing that anyone who prefers Google Chrome does when they open Microsoft Edge? Simple--they download Google Chrome. Since Chrome isn’t available by default on Windows 10 devices, users have to download it, which means that they are reliant on Bing’s search results to find Google Chrome. The problem with this is that some malware sites have disguised themselves as sponsored ads for Google Chrome in Bing’s search results.

These sponsored ads would appear when a user searches for Google Chrome in the Bing search engine. Basically, instead of a legitimate sponsored ad leading to the Google Chrome download page, the malicious ad would instead bring the user to a phishing site disguised to look like the Google Chrome download page. This page would have a URL of ‘googleonline2018.com.’ If you try to access this page through Google Chrome, it’s actually blocked, but Bing and Edge don’t do this, making it a huge security issue.
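The following added example (not from the original article) shows one way a proxy rule or helpdesk script could check a download link's host before trusting it, including two common disguises that place the trusted name somewhere in the URL. The function name, the allowlist contents and the sample URLs are assumptions; the lookalike host is the one named above.

```python
from urllib.parse import urlsplit

# Assumption: the only registrable domain this organization accepts for the
# Chrome installer. Adjust to your own software sources.
ALLOWED_DOMAINS = {"google.com"}

def check_download_url(url, allowed=ALLOWED_DOMAINS):
    """Return (ok, reason) for a URL a user is about to download from."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable url"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host"
    # Reject internationalized hosts outright: lookalike characters are a
    # common way to imitate a trusted name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host"
    # Match on a label boundary so "google.com.example" and
    # "notgoogle.com" do not pass as google.com.
    for domain in allowed:
        if host == domain or host.endswith("." + domain):
            return True, "allowed: " + domain
    return False, "host not on allowlist"

# Constructed sample URLs; the second host is the one named in the article.
SAMPLES = [
    "https://www.google.com/chrome/",
    "https://googleonline2018.com/chrome/",
    "https://www.google.com@googleonline2018.com/chrome/",
    "https://google.com.googleonline2018.com/",
    "http://www.google.com/chrome/",
    "https://WWW.GOOGLE.COM./chrome/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_download_url(url))
```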

These Issues Aren’t the First
Making the situation even worse, this isn’t the first time Bing has encountered issues like this. As far back as April of this year, a reportedly identical threat appeared. The ad has been pulled as of this writing, but it’s strange that no explanation has been issued regarding this threat by Google, or even a confirmation that the issue has been resolved. All of these factors combine to make it believable that a situation like this could happen again.

Other Bing Problems
There are other problems related to Bing that have caused issues in the past, including a history of providing offensive or alarming content through its image search. For example, if you were to search for objectively neutral terms, there is a chance that, even with SafeSearch on, the image search will deliver racist search suggestions or other similarly-offensive content. Bing has also been known to push conspiracy theories through its suggested searches. Searching for the wrong thing could potentially expose users to material that they didn’t want to view in the first place, or content that could land viewers in hot water with the law.

To remain updated on similar situations to those explained above, as well as the latest security breaches and threats, subscribe to Coleman Technologies’s blog.


Tip of the Week: Ways to Be Active and Proactive With Your Network Security

Applying Software Patches
It should be clear that software patches are designed to fix security problems and improve the functionality of the software, but some organizations simply don’t have time to implement them manually, or they simply don’t understand the purpose for them. Part of the problem is that sometimes the developers aren’t necessarily clear that patches are available, while other times those within your organization may not even know how to administer them. Regardless of the reason, there are usually problems on a network that will go unattended for extended periods of time.

Most hackers only want to take advantage of the issues they can detect. Thus, there could be countless threats out there designed to target countless unpatched vulnerabilities on your network that not even the hackers can know about. It makes sense for a hacker to use just one exploit to target a handful of vulnerabilities. Therefore, it’s important to make sure that all software that you use is updated and patched.

Additionally, your systems shouldn’t be running unused programs. The more software you have, the more ways hackers can take advantage of your organization’s network vulnerabilities. Moreover, you might even be wasting revenue on renewing software licenses that you don’t need, so it’s best to perform a network audit from time to time to get the worthless software off your infrastructure.

Dodging Social Engineering Attempts
Social engineering is broadly categorized as any method that takes advantage of unprepared users or those who are ignorant of solid network security practices. Examples include a phone call or email message claiming that the network has been breached by a foreign entity and that “tech support” needs to remote into the computer and resolve the issue. There are other, more subtle methods as well, such as targeted spear phishing attacks that go after specific users with personal information that convince them that the hacker is someone in authority.

These types of attacks vary in sophistication, but they can range anywhere from an employee receiving a message claiming that they’ve won a prize, to the intruder physically following your employees into the office and stealing sensitive data manually. In instances like these, a little bit of employee training can go a long way. Teach them to look for anything suspicious, and inform them that vigilance is incredibly important in the workplace.

These two security improvements barely scratch the surface of what your organization should be focusing on for network security. If you want to fully protect your business to the best of your ability, give us a call at (604) 513-9428.


About Coleman Technologies

Coleman Technologies has been serving the British Columbia area since 1999, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses. Our experience has allowed us to build and develop the infrastructure needed to keep our prices affordable and our clients up and running.
