Smartphone Security: Protecting Your Pocket

Smartphone Security: Protecting Your Pocket

The first mobile phone call was made on April 3, 1973 from a device that offered a mere 30 minutes of talk time for each 10-hour battery charge. Though this was completely groundbreaking for the time, mobile phones have come a long way since then.

Now, we can do far more than just make phone calls — we can contact each other via text, email, social media, and even video chat with one another; access our bank accounts; shop for and sell virtually anything; control our TVs, tablets, and other devices; and much, much more, all on a device no bigger than a postcard. While this technology would’ve been unthinkable at the time of that first phone call, today, people of almost every age know how to use a smartphone.

Though a large amount of the population uses these devices, common knowledge of keeping them protected is not so common, as is made evident in the Pew Research Center chart (left), where more people fail to use any sort of screen lock than the number of those who use the simple PIN code lock. Before we even access our favorite apps on our phone, many of us are failing when it comes to cybersecurity. To make matters worse, not only is there a dishearteningly low level of user understanding of the cybersecurity needs for these devices, on the other end of the spectrum, cyber criminals and hackers are among the most skilled when it comes to the latest technology, as well as the vulnerabilities found in within them. Along with this knowledge imbalance, there are additional reasons why smart, yet vicious techies target our little pocket computers.

Why Cyber Criminals Target Smartphones

1.) Information stored on smartphones is plentiful and valuable. Unlike their more primitive ancestors (brick and flip phones), the information stored on smartphones is far more valuable and sensitive than the simple blurry photos or text and call history that could be found on these older models. Because of all of the advancements that make them so useful, we can do almost anything on or from our smartphones; however, these advancements are the very reason why cyber criminals target our smartphones. Though no one in their right mind would dream of writing down their bank account information or Social Security numbers, many of us store this highly sensitive information right on our phones.

How to protect against: Utilize the passcode lock feature on your phone; this is the first line of defense in protecting against someone accessing your data physically from your phone. In addition to this, avoiding storing sensitive data on your phone can help save you from stressing about your security.

2.) Autofill gives hackers access to anything not already stored in the phone. Those of us who are fortunate enough not to make the mistakes brought up in the last bullet point could still be making this huge, yet incredibly common mistake: autofill. Though you may not have a note on your phone listing your passwords to various accounts, having the password forms fill themselves out automatically is equally as bad, if not worse. Because we always have our phones on us, and they have the ability to make simple tasks easy, we have filled them with even more information, making them extremely valuable to any malicious actors.

How to protect against: This one is simple: Don’t. Use. Autofill. At least not on something as vulnerable as your phone.

3.) Location Services tracks you & gives hackers real time knowledge of where you are physically. Where you live and work

How to protect against: Limit your use of location tracking services only to those applications for which it is entirely necessary. If an app is asking for permissions such as this, which you believe are unnecessary to the use of the app, it is likely that it is illegitimate and malicious. Avoid those apps that require extensive permissions. When not needed, turn off your phone’s location services, bluetooth, and WiFi in order to avoid unwanted tracking. If you are very worried about this, leave your phone at home.

4.) Bluetooth & WiFi connections are insecure. Criminals have been quick to capitalize on a smartphones many points of entry and exit, such as Wi-Fi, 4G and Bluetooth. For several years now, Bluetooth has been a regular feature on smartphones and other mobile devices, and WiFi is provided in virtually every single public and private location; however, these features, like the Location Services features, are seen as potential entry points for cyber criminals due to their insecure connections.

How to protect against: Turn off Bluetooth and WiFi features when not in use; do not use unsecured WiFi connections when in public, as these are a battleground for hackers to gain access and take control of your phone.

5.) Companies are left vulnerable by BYOD and lax work cybersecurity. B.Y.O.D., or Bring Your Own Device, is a policy that some companies use in order to cut down on the costs of having to purchase technological equipment for employees; however, because of the lack of security used by most people, this can actually turn out to be even more costly in the long run due to a security breach or cyber attack.

How to protect against: Do not allow employees to bring personal devices to work or to access personal accounts while on company devices. Also, do not allow professional work to be done on personal phones/devices.

Most of us have these pocket-sized computers in our possession at all times, and just as we would take precautions to protect our computers and laptops, we need to take action against the vulnerabilities presented by our smartphones. To stay up-to-date on current threats to your smartphone or any other devices being targeted, follow Axiom Cyber Solutions on social media and keep up with our blog to stay educated on what threats are out there and how to protect against them.

Hailey R. Carlson | Axiom Cyber Solutions | March 27, 2017

Tax Season Cyber-Crime: Hackers Step Up Phishing for W-2 Information

Tax Season Cyber-Crime: Hackers Step Up Phishing for W-2 Information

Despite IRS warnings and tons of news, tax season phishing scams have taken in an incredible number of businesses this year. Early in January, I wrote about the dangers of phishing, particularly for W-2’s during the tax season and it seems that each day there is news of another company that has unwittingly exposed sensitive employee data to hackers.

A year ago, the IRS warned companies of falling for the W-2 scams but companies are continuing to fall for email scammers posing as the company CEO or other high ranking executives asking for employee summaries and W-2’s. The W-2 information is valuable to hackers because they can take the information and file false tax returns with a diverted refund before the real person can.

Already last month four companies in Indiana have fallen for the trick. 17,000 employees of American Senior Communities were notified that their payroll processor had fallen for the W-2 phishing scam in mid-January but it wasn’t until employees started having their tax returns rejected in February that the breach was discovered.

Another company in Indiana, Monarch Beverage, discovered that they had fallen for the W-2 phishing scam two years in a row while investigating this year’s breach. During the investigation, the company found that the same information had been erroneously disclosed in April 2016 to a hacker posing as the company CEO.

The stories go on and on about unfortunate employees and companies have fallen victims to increasingly more sophisticated phishing attempts. Phishing actually topped the IRS’ Dirty Dozen list of tax scams for 2017 and the IRS has seen a 400% increase in phishing scams since 2009.

So, what can businesses do to combat phishing scams and protect their employee’s data?

Employees may be your business’ greatest weakness but they also can be your greatest defender if you take the time to educate them. Inform your employees who have access to sensitive employee data about these types of scams. Don’t just assume that they know.

Teach your employees how to identify phishing scams and when it comes to sharing sensitive data, you can encourage them to seek verbal approval from the requestor, although phishing scammers often send their emails stating there is urgency in the response. But will an extra five minutes to get verbal confirmation from the sender be too much?

Two school districts (Groton, Glastonbury) in Connecticut were victimized by a phishing scam that divulged W-2 information for nearly 3,000 employees. The school district manager in Groton was placed on administrative leave and the Superintendent expressed his dismay in the disclosure stating “We are of course heartbroken and I just can’t tell you how disappointed I am that this occurred.” But in a related incident, the town of Groton also received a similar email asking for the W-2 information for all the town employees but the employee who received the email was suspicious of the request and reported the fraudulent request. You don’t ever see the success stories published in the news, but this employee truly saved the day by being suspicious of unusual requests for sensitive data.

Lastly, sensitive employee data should never be transmitted unencrypted, even internally.

Cybersecurity Stress-Testing: Don’t Stress About Your Company’s Safety

Cybersecurity Stress-Testing: Don’t Stress About Your Company’s Safety

The rates at which cyber crimes have been growing in the past year are astronomical. Ransomware cases more than doubled in the last half of 2016 alone, over 29 million personal records were stolen in data breaches, and half of all phishing scams were targeted at stealing people’s personal financial information; the persistence with which cyber criminals are trying to attack the public is most definitely not in question any longer.

With these hackers trying to get to your information on a daily, if not hourly, basis, it is important to implement strong cybersecurity defenses. But it isn’t enough to simply install some type of security and not test its strength. How do you know just how strong those defenses are anyway? You can’t know what you don’t know, and because of this, conducting a cybersecurity stress test can make your company far more secure.

Why conduct a stress test?

Before discussing some of the things to test for within these stress tests, there is the question of why you should conduct this test in the first place, as it is something that will cost your business time and money to complete? First off, the cost of recovering from an attack is far greater than the costs that go into preventing one. Not only are there the monetary costs involved, but the hit to your public image can take a drastic toll on your customer base as well. Yahoo, for example, has disclosed multiple, separate data breaches within the past six months totaling more than 1.5 billion users whose accounts were left exposed to hackers because of the company’s lack of cybersecurity.

In addition to the monetary and secondary costs of cleaning up the security mess of undergoing a cyber attack, whether it is apparent to you or not, your company has sensitive data that is valuable to hackers. When a company is hit by some cyber attack, as with the Yahoo breaches, there are negative repercussions that can affect the customers of that entity. Many victims of data breaches find that their identities have been stolen as a result of being involved in an insecure breach. When the costs expand outside of your company’s wallet, it can seriously damage others in drastic ways.

How to conduct a cyber stress test

Now that we know a couple of reasons as to why it is important to stress test, it is important to discuss how to stress test your company. There is not set-in-stone, mapped out way of completing this process, however, there are a few basics which most companies adhere to when conducting such a test, as well as some tips to keep you secure.

  1. Teach and test your employees — Taking the time to teach your employees about cyber threats, such as phishing which can only affect a company if an employees makes an error, is incredibly important if you want your test to be successful, and should be your first step. Employees are both your strongest asset and your greatest weakness when it comes to cybersecurity, dependent upon their awareness of cyber threats. As with sports or learning a musical instrument, once you learn the basics, practice makes perfect. J.P. Morgan is just one of the many companies that partakes in cybersecurity stress testing, and they do this by sending their employees fake phishing emails — they were even able to dupe 20% of their staff into falling for the scam. This highlights a very important part of stress testing: be sure to follow up and make sure your cyber defenses are working.
  2. Seek out expertise — For small businesses especially, cybersecurity can be an overwhelming, yet necessary, hoop to jump through when it comes to protecting your business. Oftentimes companies who do not have a very large staff on hand are not able to afford to keep an IT employee on the payroll, however, it can be much more economical for these businesses to reach out to someone outside of their business who specializes in cybersecurity. Stress tests don’t have to be stressful, especially when you don’t have to go it alone.
  3. Know your goal  The obvious overall goal of a stress test is to determine where vulnerabilities in your defenses lie and plug them before bad guys can get into your company’s network; however, it is also to minimize the impact of a potential cyber event, as cybersecurity professionals believe it is not a matter of if, but when, a company will be the next target. An important aspect of this step involves identifying the key people and functions that are mission critical to the business, and prioritizing the order in which they are addressed during incident response.
  4. Act on the findings — None of this work is worth it if you do not do something about it. If a stress tests’ results tell you that your store-bought firewall is not getting the job done as far as protecting you from attack, research further on things like managed firewalls and other defenses which you can implement in order to be more secure.

The point of a cybersecurity stress test is to find weaknesses and room for improvement in your company’s cyber defenses so that they can be repaired. This is such a prevalent issue that the European Union is planning on stress testing all of its banks in the neat future, as they believe that cyber attacks pose the greatest threat to their operations. If you are in need of assistance or have further questions about stress testing your company, contact Axiom Cyber Solutions at 800-519-5070 or email us at info@axiomcyber.com.

Hailey R. Carlson | Axiom Cyber Solutions | 03/07/2017

Image Source

The Dangers of Internet Connected Toys

Smart toys are pretty cool but they also come with some inherent cybersecurity vulnerabilities that could lead to your or your child’s sensitive information being exposed or even worse, a hacker interacting with your child. Internet connected (IoT or smart) toys like CloudPets, Hello Barbie, and Cayla have recently hit the news for all the wrong reasons; they’ve been hacked.

An unsecured MongoDB led to the exposure of voice recordings, pictures, and account information for the CloudPets line of IoT stuffed animals. Over 2.2 million recordings were accessible and due to poor password security requirements, over 800,000 accounts reportedly were vulnerable to being hacked. So far, following the disclosure of the vulnerabilities by a cybersecurity researcher, the maker Spiral Toys has downplayed the severity of the incident but reportedly as of 2/28/17 has filed a breach notification with the California Attorney General.

In mid-February, Germany banned a doll called “My Friend Cayla” and urged parents to destroy the doll due to hacking concerns. The connected doll was classified as an “illegal spying device” as interactions with the doll were recorded and transmits the information to a voice recognition company. It is believed that the Bluetooth connection on the dolls were insecurely implemented which could lead to hackers being able to interact with children.

These are just two of the recent examples but they are not at all isolated. The Hello Barbie doll allegedly could have been turned into a surveillance device due to security vulnerabilities. A Fisher Price stuffed animal teddy bear also was found to be vulnerable to leaking sensitive information. And what parent could forget about the 2015 VTech data breach that exposed the data of 5 million parents and children?

And it not just smart toys that are being hacked and affecting children. There have been numerous stories of parents being woken in the middle of the night by strange voicestalking to their children or even strangers watching them through hacked baby monitors. The stories of hacked baby monitors are not new but what is worrisome is that many parents still do not take basic precautions like researching if the systems are vulnerable to hacking before purchase or even failing to change the username/password.

So enough with the doom and gloom, what can parents do to allow their children to still have the latest and coolest toys without sacrificing security? It is important that parents do not ignore the dangers of internet connected toys simply because they are toys. IoT devices are continually being hacked to attack (5000 IoT devices attack university) or collect information on their owners (spy agencies plan to use IoT vulnerabilities to spy).

Here are a few things that parents can do to help secure their family and smart toys against hackers:

  • Immediately change the username and password of the device, if possible.
  • Review what personal information you share about your family. The less the better. Share only what is required.
  • Use privacy settings to adjust who has access to data.
  • Turn off location tracking or restrict as much as possible
  • See if there is a way to disable two-way communication
  • Tell your children to inform you of any unusual interactions with their toys. Talk to your children about sharing personal information, even with their toys.
  • Use strong passwords. Don’t trade ease of use for security.