Hacking – Axiom Cyber Solutions

FBI Recommends Home & Small Business Owners to Reboot Their Routers

As news has broken about the FBI’s warning to consumers and small business owners about rebooting their routers, many have reached out to Axiom to ask what do they need to do. Our advice to them is what the FBI has recommened: if you have one a cable modem or router at home, do a quick unplug/replug of the router (D-Link, NetGear, etc). The good news is the FBI has taken control of the domain that was harvesting the information so even if you were infected, the FBI is just collecting information to find how widespread the infection was (500,000 devices are suspected to be infected).

What is VPNFilter?

VPNFilter is a malware, that contains a killswitch for routers (meaning it can permanently shutdown your device) and it also could steal usernames and passwords. The infection appears to be hitting Ukraine hard but has been found in 54 countries.

Good News?

There is some good news for some users. If you have kept on top of firmware updates and changed the default credentials on your devices, you may be protected. But as we know, most of us never log in and update our cable modem’s firmware.

Axiom’s customers are protected from VPNFilter through a combination of rules that restrict access to our devices as well as addition of the known bad addresses to our blocklists.

Beware Tax Season Scams

Tax season is upon us again and the hackers have been busy with a slew of old and new tricks to try to steal tax refunds. Here are some of the new and old tricks that hackers are employing this tax season and some tips on how you can avoid being taken advantage of by cyber-criminals.

A New Twist to an Old Game

Who wouldn’t be happy to get a bunch of money deposited in their bank account by surprise from the IRS?! Unfortunately for us, the IRS is not just giving us all money and it is a new elaborate scam by hackers to try to swindle you and the IRS out of money. Hackers are using your personal information to file a fraudulent tax return on your behalf but also having it deposited in your bank account. Then they fall back to their old scam of calling or emailing you, claiming to be the IRS and demanding that you send the money back.

Thanks, Equifax…

Due to the massive Equifax data breach, the IRS is expecting a huge uptick in the number of fraudulent filings. To try to help combat some of the fall-out, each employer has been assigned a special Employer Code that is found on the W-2 form to try to make sure that fake W-2s are not used to file claims.

The IRS also has encouraged everyone to try to file their claims as quickly as possible as to not allow hackers a chance to put in a fake claim before you do. If two (or more) claims are filed with your social security number, the IRS will notify you by snail mail (The IRS does not email or call).

If you try to eFile and a claim has already been filed, your claim may be rejected and you will need to contact the IRS (also because of the Equifax data breach, contact the FTC).

Even Children are Affected…

A worrisome discovery this tax season has been the sale of infant and child personal information on the Dark Web. Hackers even are eliciting sale of the information by advertising that it is tax season and buyers should get the information before it is used. The troublesome aspect of having children’s personal information for sale on the Dark Web is that very few parents actually monitor the credit of their youngsters and they may not discover a fake identity for years or even 16-17 years down the road when the child is grown and starts applying for college or credit.

The ol’ W-2 Phishing Scam

Despite IRS warnings and tons of news the past couple of years, hackers are still tricking businesses into sending their employee records. A few years ago, the IRS warned companies of falling for the W-2 scams but despite the continued warnings, businesses (and even government offices like the City of Keokuk,Iowa and Batavia, Illinois) are still falling for phishing scams posing as the company CEO or executives asking for employee summaries and W-2’s.

Employees may be your business’ greatest weakness but they also can be your greatest defender if you take the time to educate them. Inform your employees who have access to sensitive employee data about these types of scams. Don’t just assume that they know.

Teach your employees how to identify phishing scams and when it comes to sharing sensitive data, you can encourage them to seek verbal approval from the requestor. Even though scammers state there is extreme urgency in receiving the response, getting a verbal confirmation from the sender is the best way to protect sensitive information (the same goes for urgent requests for wire transfers to the Finance Department!)

Lastly, sensitive employee data should never be transmitted unencrypted (even if it’s thought to be internal).

Forget Everything You Knew about Safe Passwords

Last month, the father of the 2003 NIST password guidelines said that he got it wrong and the way we are creating passwords to be a completely random string of characters and the frequency we change our passwords is making it harder on all of us but easier for cyber-criminals to crack.

The complexity of the old password guidance led to many bad password habits such as just replacing letters with the equivalent in numbers (‘o’ for zeros, e for threes, etc) and letters for characters (@ for a, $ for s) so that they could more easily be remembered. In fact, it was found that the standard eight-character password with special characters could be cracked faster than a 20-character password without special characters.

The old requirement to change passwords so often also led to many users simply reusing their passwords on multiple sites which again, made things easy for cyber-criminals when there was a breach. There has not been any evidence that your password becomes more hackable because it’s in use for more than 90-days. Plus, when we were forced to change our password too frequently, many times users would just shift one letter in the password which cyber-criminals quickly caught on to.

And believe it or not, a completely random password that does not use words are actually easier for hackers to crack than long, weird words or phrases that you can easily remember.

New guidelines throw everything we’ve been told to the wind like using a mix of upper & lower case letters, the use of special characters, and changing your password frequently. Now the password experts say that we should make our passwords long and memorable. Using a phrase that is unique to you, in conjunction of special characters if you are forced to use them (within the phrase, not within words), will make it harder for hackers and their cracking software to compromise your passwords.

Also, think about the system you are accessing and whether or not it needs a strong, unique password or is it ok to reuse a password for a site that just has your name, email, and password? For instance, do you really mind it if a hacker got access to your online recipe lists?

You might think that the password to your online bank is the most important password but you may be surprised to find that your email and social media passwords may be more sensitive because of the “Forgot Password” feature in systems that would allow a hacker that compromised your email account to reset your online banking access.

But passwords and one-time multi-factor authentication (like a SMS), are not bullet-proof protection as they can be hacked and hijacked. A recent, terrible example of account take-overs has been in the crypto-currency space where hackers are compromising email and mobile telephone accounts and emptying crypto-currency wallets. Users will need to continue to be vigilant and take every precaution to secure their most sensitive accounts.

Online Social Media Security – How Safe Are You and Your Children?

In early December, I was asked to speak to a reporter from Univision Las Vegas about online social media security. The reason for the story was that an online scammer stole the pictures of a little girl and made up a story about how the little girl had been kidnapped. Thankfully, the little girl was at home safe with her family but the fake story aimed to raise funds to pay for a ransom to have her released and people were falling for the scam.

Another worrying trend with photos of children is what has been termed as “digital kidnapping” or baby role playing. In these cases, a person will steal photos of a child and repost the pictures claiming that the children are their own. Parents have found entire profiles filled with pictures of their children with another person claiming to be the person’s mother or father.

While there are risks to posting pictures of your little ones on social media, it does not mean that you should stop sharing those precious moments with far-away friends & family on social media although a survey from the University of Michigan found that 68% of parents are worried about their child’s privacy online and 67% are worried that the photos will be reshared.

There are things that you can do to increase your social media profile security when posting pictures of your children including:

Restrict who can see your child’s pictures
Restrict the ability to share your child’s picture
Use a watermark
Turn off location services when posting from your phone

Children aren’t the only victims

Remember the story about how now NFL star Manti Te’o fell for a girl who really never existed over a period of a couple of years? Online romance scams have become so prevalent that they account for higher financial losses than other internet-based crimes with victims typically losing tens of thousands of dollars according to the FBI Internet Crime Complaint Center. There have also been so many victims that there is now a support group called Scam Survivors, with a hotline and information resource center for those that have been duped by online scams.

For years now, fake profiles are created by scammers with duplicated names and profile pictures. And because people still fall for their scams, the fraudsters continue despite Facebook’s attempts to reduce the number of fake accounts. Once a fake profile is created the scammer may begin adding and contact family or friends. Then they start collecting information. And eventually, there comes a message claiming that they had been mugged, lost everything, and are stranded on the streets of a foreign city and in desperate need of help. Some years ago, this happened to my parents who received one such message from one of my brothers saying that he had been mugged in London which prompted my parents to question first how did he end up there and secondly, how did the scammer know to contact them to ask for help?

Other social media online safety tips include:

Don’t publicly post about going on vacation. It lets people know that your home will be vacant.
Never publicly post your address, home telephone or mobile number.
Manage your friends lists. Not all friends are created equal as Stay Safe Online eloquently puts it so categorize your social media friends into groups and restrict the information that you share with them.
Privacy settings exist for a reason, so use them! Use privacy settings (such as restricting posts to just select people or groups) when posting personal details.

Hackers Can Now Use Your Own Headphones to Spy on You

A few months ago, a photo of Mark Zuckerberg found its way circulating around the Internet. The image (left) features the Facebook CEO positioned in front of his laptop, posing with a huge frame to celebrate Facebook-owned Instagram reaching 500 million users earlier that week. What made this photo the talk of the Internet wasn’t due to “the Gram’s” success, rather everyone was focused on the tape covering Zuckerberg’s webcam and microphone.

Though some called him overly paranoid for believing hackers were really watching his every move and listening in on his private conversations, this fear has been realized as hackers have created a malware that spies on you, not through your webcam, but via your microphone.

A malware, dubbed “SPEAKE(a)R,” converts your headphones into makeshift microphones that can spy on you and record your conversations without you even knowing it.

SPEAKE(a)R, developed by researchers in the Cyber Security Research Labs at Israel’s Ben-Gurion University, was created to show how hackers who are determined to do so could find a way to slyly hijack a computer to record audio in secret. Those who find themselves even more mistrusting of their computer’s microphone than Zuckerberg have gone to such lengths as disabling or completely removing the microphone from their computers; however, this defense does not match up to this malware. The malware alters the speakers in headphones and repurposes them to be used as microphones, “converting the vibrations in air into electromagnetic signals to clearly capture audio from across a room.”

SPEAKE(a)R can infect those headphones with a built-in microphone channel on the wire, such as Apple’s EarPods, as well as the old school versions without such advancements. The way it is able to do so it that the malware capitalizes on a feature of RealTek audio codec chips that is not commonly known. Hackers use this vulnerability to subtly change the computer’s output channel into an input channel. This allows the malware to record audio through any headphones plugged into a computer–a scary thought because these RealTek chips are extremely common. So common, in fact, that researchers have found that the attack could potentially infect almost any desktop computer, regardless of its operating system.

You can see this malware in action below:

As you can see above, the sound is initially recorded via a connected microphone; however, with the microphone turned off while still plugged in and even when it was unplugged entirely as well, the computer can still pick up the music from across the room when the SPEAKE(a)R malware converts the output channel to an input one, all because headphones are still plugged in, continually eavesdropping.

Currently, there is nothing short of entirely disabling all audio input and output from a computer as far as a defense against this vulnerability is concerned. RealTek and other audio codec chip creators can only prevent this from happening in the future by redesigning chips with a higher level of security. Until then, even going to such lengths as removing microphones will not be effective if you leave your headphones plugged into the computer.

Hailey R. Carlson | Axiom Cyber Solutions | 12/28/2016

Social Media Security—Are Hackers Able to Steal Your Information?

Over 75% of US adults use some sort of social media—it’s a great way to keep in touch with friends, family, and even stay up-to-date on breaking news and the latest celebrity gossip. Many of us have accounts across several platforms, such as Facebook, Twitter, and Instagram, making it that much easier for us to keep in contact with people across the globe in a variety of ways.

With all of these connections, however, it is not only easier for us to see what our loved ones are up to, but it also centralizes all of our data for hackers, making it that much easier for them to steal our personal information to use for their own malicious gain. These cyber criminals are able to hack into individuals’ or business’ accounts and some have even been able to hit the majority of users on a single platform at once. With hackers so focused on attacking any and every one that they possibly can, it is important to educate yourself on the types of threats that these cyber criminals pose as well as to learn how to better protect your accounts against potential attack.

How They Do It—With the recent data breaches of LinkedIn, Tumblr, and the biggest of all (oddly enough) Myspace—consisting of 427,484,128 passwords and 360,213,024 email addresses from both active and dormant accounts (making it the biggest social media data breach to date), social media security has become a hot topic and the question at the top of everyone’s minds is, “Am I next?” While hackers seem to be fairly random in whom they target, there are ways to strengthen your own personal security for your online social networking accounts. Not only should you be prepared against massive platform data breaches, but targeted attacks on individual accounts as well.

While these data breaches are able to target millions of people at once, the most common social media cyber-security crimes are directed attacks on individuals, and are primarily done via sophisticated online phishing. Hackers hack into existing accounts or create secondary accounts of individuals and pretend to be them—going as far as to steal pictures, birthdays, and ‘liking’ the same pages the victim likes. Then, these criminals add friends and family of the victim, posing as him or her and then making odd requests such as needing cash immediately in order to help them out of a tight spot. It is the modern version of the Nigerian prince scheme, only more people fall for it because it appears to be an actual loved one in trouble. With hackers becoming more creative and shifty, it is growing to be more and more challenging to protect against these threats, and all the more important to protect your social media accounts.

Ways to Protect Against Attack—I originally titled this article “Are Hackers Trying to Steal Your Information?”—but the answer to that is always ‘yes.’ Hackers are consistently looking for ways to steal and corrupt as much information as they possibly can. The proper question is, “Is it easy for them to do so?” While there is no silver bullet when it comes to cyber-security, especially regarding social media, here are a few ways to make it harder for these cyber criminals to get your personal information:

Use different, stronger passwords—By making your passwords longer and more complex, as well as using a different password for every account you have, you can reduce your chances of being hacked significantly. Even if your information from one site was compromised, for example in a data breach, by having different passwords for your other social platforms, you reduce your risk of having more information exposed, which aids in your overall cyber-security. Facebook CEO, Mark Zuckerberg, had to learn this the hard way when his Pinterest and Twitter accounts were hacked after the LinkedIn breach provided hackers with his login information, including passwords, which were not only weak, and therefore easily hackable, but he used the same one for both sites. Thankfully he didn’t have the same password for his Facebook account, but it just goes to show you that no one is safe from attack if they use the same, easy-to-crack password for every social media site.

Two-factor authentication—otherwise known as two-step verification, requires users to login not only by entering their password online, but a second, unique verification code sent via text. When there are multiple security steps necessary to sign on to social media, it is harder for these hackers to get to your valuable information. This has proven to be one of the most vital steps in protecting social media accounts; Facebook, Google, and Twitter are currently utilizing this technology, and hopefully more catch on soon (Since their data breach, LinkedIn has implemented this feature as well and encourages its users to take advantage of it).

Do not add people you don’t know—While this may seem obvious to some, many people add ‘friends’ online all the time who they have never even heard of before. With people hacking into the accounts of people you actually know and pretending to be them in order to extort something out of you or another loved one already, why increase your chances of phishing and hacking by adding a complete stranger?

Be wary of suspicious messages and posts—Many hackers utilize vulnerable accounts to hack into in order to send friends and family members messages either asking for money or some other odd request. If you receive a message like this from someone you know, contact them in a way other than social media to see if it is really them, especially if the message looks like something out of the ordinary.

Don’t have sensitive information on your accounts—Most social media platforms give you the option to make certain information private, even from people you know and accept online as ‘friends’ and doing so can really help you strengthen your cyber-security; sensitive information such as your home address or cell phone number can be dangerous to have readily available on social media because it acts as an open door to finding other information about you that could potentially be used by cyber criminals to steal your identity.

There is no surefire way to guarantee your social media accounts won’t be hacked—hackers are working every day to find new ways to get your information. By taking multiple precautionary steps, however, you can make it harder for hackers to get to your information and the information of your loved ones.

—Hailey Carlson, Marketing Intern 6/13/2016

DIY Hacking (or “How to Build a Better Meth Lab”)

A few years ago I sat in an audience a bit shocked as I watched an Albuquerque Police Department officer show us how to build a meth lab. Systematically, he explained what parts were needed, where they could be purchased, the ingredients required, dangers to watch for, and then the actual steps to cook the meth.

To the typical law abiding citizen, it might seem inappropriate that something so harmful could be presented so casually. It also seemed a bit ironic to hear this from a police officer who works in the city recently made famous by the series Breaking Bad. However, he went on to explain that everything he had talked about was readily available on the internet and that accessibility is only contributing to the exponential growth of this serious problem.

Unfortunately, the same situation is true for cyber-crime. Today, you can Google “How to hack a network,” “How to DDOS a website,” or “How to crack a password” and easily find step-by-step instructions for doing so. For those who are more visual learners and would prefer videos, they are readily available on YouTube and even sub-titled for your convenience. All of this is freely and easilyaccessible on-line to everyone.

Of course, some people don’t want to learn all of the technical stuff and just want an “off the shelf” program to do it. These guys are known as “script kiddies” and have at their disposal a large number of effective, easily downloadable programs capable of breaching other’s networks and computers. Even more alarming is that now on the “dark net” they can launch a ransomware attack against the targets of their choice and hold computers locked and data encrypted until a ransom is paid.

But another option also exists. Just like the guy who wanted Walter White to do all the dirty work for him, you can now simply hire someone else to hack a password, destroy a website, or launch a DDOS attack (for which you pay by the hour) all while you sit comfortably in your own home and watch reruns ofBreaking Bad.

My point is, we shouldn’t think that cyber-crime is going to get any better because it’s only becoming easier to do. There will always be the nation-states and organized crime syndicates (the “Walter Whites” so-to-speak) orchestrating massive cyber-attacks. But more and more there will be the “little neighborhood meth labs” – the DIYers – popping up and taking advantage of the ill-prepared.

Cyber-crime is not going to get any better because it’s only becoming easier to do.

So it’s important to have an effective, layered cyber-security defense in place – one that includes a powerful next-generation firewall, regular system updates and back-ups, current virus and malware protection, data encryption, network monitoring, and an interactive employee education program so that they are aware of the real and growing threat that exists.

If you would like more information on how we at Axiom Cyber Solutions can help you do this, email me at info@axiomcyber.com or call 1-800-519-5070.

The Top 5 Cyber Hacks of 2015

2015 was a busy year for cyber criminals. As the year comes to a close, we are reviewing the top 5 cyber attacks. Unfortunately, by the looks of it, this seems to be just the beginning.

1. Office of Personal Management (OPM)
The United States Office of Personal Management announced that they were victims of a data breach in June, 2015. The breach began in March, 2014 and remained undetected until April, 2015. This is one of the largest data breaches to occur in the federal sector, affecting approximately 18 million government employees. Information such as Social Security numbers, names, birth dates, addresses, military records, pension information, and more was leaked. 5.6 million sets of fingerprints were also stolen, putting secret federal agents in harms way. The Wall Street Journal reported that US government officials suspected Chinese hackers were responsible for the data breach. Since this hack, China and the US have had numerous discussions on this issue and are currently their discussing cybersecurity issues.

2. Vtech
Hong Kong toy manufacturer VTech was hit with a very serious data breach in November 2015. VTech is known as a children’s toys manufacturer. Their items include tablets, phones, and baby monitors. This hack was reported by the hacker himself. who gave his findings to Motherboard. Approximately 10 million VTech customers were affected by the data breach. According to VTech’s website, a total of 4,854,209 customer (parent) accounts and 6,368,509 children’s profiles were affected. Customers around the world were affected but the USA saw the highest number of parent accounts, approximately 2 million. The hacker was able to collect photos of children and their parents, including audio recordings, by breaking into VTech’s servers through a SQL injection. VTech immediately began a thorough investigation for this cyber crime. As of December 16th, the authorities in the UK arrested a 21 year old man in connection with the VTech data breach. The investigation is still ongoing.

3. Ashley Madison
Perhaps the juiciest data breach of 2015, the Ashley Madison website was hacked by a group named the Impact Team. More than 32 million users had their personal e-mail addresses leaked. Ashley Madison, a website that encourages extramarital affairs, found itself in the middle of a huge headache. According to the hackers, the reasoning behind the breach was simple: to prove that Ashley Madison was corrupt and lied to their users for money. Ashley Madison charged their customers a $20 fee for those who wanted to have their profile deleted fully. The hackers were able to prove that the $20 fee did nothing to protect customers and was just a scam for more revenue. This specific hack raises many ethical questions on user data and how companies are handling the user data. Currently, as of December 2015, Ashley Madison hack victims are starting to receive blackmail letters and people are still being affected.

4. T Mobile
This past October, T-Mobile announced that they fell victim to hackers by way of Experian, a credit reporting service. 15 million applicants applied for credit at TMobile and ended up having critical data such as social security numbers, license information, passport info, and more stolen. While no banking or credit card information was leaked, the information that was released can easily allow for identity theft. Although TMobile is offering two years of free credit monitoring to those affected, any cyber criminal could simply wait for the those two years to pass before attempting to do anything.

5. Hacking Team
In July 2015, the Hacking Team, a company who sells surveillance software to law enforcement agencies, had over 400 gigabytes of crucial information stolen. Surveillance data, contracts, emails, and invoices were leaked. Revealed in the leaked data showed the Hacking Team used poor passwords which only assisted the hackers to gain access into the Hacking Team’s servers. Much worse however, was the data that showed the Hacking Team was not afraid to sell their surveillance software to any government worldwide, creating lasting effects by giving cyber criminals better tools to commit their crimes.

How can Axiom Cyber Solutions help your business?
Axiom Cyber Solutions is offering Managed Cyber-Security Protection for Small Business starting as low as $199 per month. We realize that most small businesses do not have a dedicated IT team and business owners may be handling their cyber security matters on their own.

Let us take over and provide you with peace of mind. Axiom will provide your business a firewall and manage it so you don’t have to worry about securing your business. We will assess the security risks for your business and will help implement the right cyber security service for your business.

Axiom’s solutions come in different sizes and all our solutions are designed to deal with the attack vectors of today while being adaptive and flexible enough to continue to secure your network for years to come. For more information, check out our website at axiomcyber.com or give us a call us at (800) 519-5070. #FightBackWithAxiom

Category Archives: Hacking

Category Archives:
Hacking