
Monthly Archives: June 2018

Watch Out for GDPR Phishing Scams

Hackers are sending out GDPR phishing emails, trying to trick people into entering the kinds of data that the General Data Protection Regulation is designed to protect. Learn about this scam and how to protect your business from it.


Companies that must comply with the EU’s General Data Protection Regulation (GDPR) have been busy emailing customers with information about updated privacy policies, consent forms, and other GDPR topics. These companies are not the only ones sending GDPR-related emails, though. In May 2018, security researchers discovered that hackers were distributing GDPR phishing emails designed to trick people into entering the kinds of data that the regulation protects.

The Scam

Pretending to be from Airbnb, the hackers sent phishing emails, mainly to businesses’ email accounts. The hackers took the time to make the emails look like they were from Airbnb and even included its logo. Perhaps they got the idea and the logo from the email that the real Airbnb sent to customers about its privacy policy changes.

The phishing emails noted that Airbnb had updated its privacy policy. The recipients were told they had to accept the new privacy policy before they could log back into the Airbnb website. To accept it, they had to click a link in the email. The link led to a spoofed Airbnb website, where the victims were instructed to enter their account credentials, payment card information, and other personal data. If they did so, it fell right into the cybercriminals’ hands.

How to Protect Your Business

Phishing attacks like the Airbnb scam are not going away any time soon since hackers have successfully used them to steal money, obtain credentials, and spread malware. Thus, you need a strategy to protect your business from these attacks. You might consider using a strategy that is based on three lines of defense.

The First Line of Defense

The first line of defense is your email filtering tools and security software. Keeping them up-to-date means fewer phishing emails reach employees. Make sure security software is installed on every computing device in your business, including smartphones. Enforcing sender authentication (SPF, DKIM, and DMARC) on inbound mail also helps: it blocks messages that forge a brand's real domain, although it does nothing against a lookalike domain the attacker registered, such as the one used in the Airbnb scam.

The Second Line of Defense

Email filtering tools and security software won’t catch every phishing email, so the next layer of defense is your employees. You should educate them about phishing emails. Besides warning them about the dangers of clicking links and opening attachments in emails, you should teach them how to spot phishing scams. Elements to look for include:

  • A deceptive email address. Phishing emails often include a deceptive email address in the “From” field. For example, in the GDPR phishing email, the sender address ended in “@mail.airbnb.work”, a lookalike domain that is not a real Airbnb address. Hovering over the sender name in the mail client (or viewing the message headers) reveals the actual address behind the display name.
  • A request for personal information. If an email asks recipients to enter a password, credit card number, bank account number, or other sensitive information, it is most likely a scam. In the Airbnb phishing scam, recipients were asked to enter their account credentials and payment card information. The email sent out by the real Airbnb did not ask customers to enter any personal information.
  • A sense of urgency. Cybercriminals like to create a sense of urgency by telling the potential victims there is a problem that requires their immediate attention and that there will be unfortunate consequences if they do not take action. In the Airbnb phishing email, the potential victims were told that they wouldn’t be able to log in to their accounts if they did not accept the new privacy policy.
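
To make the three checks above concrete, here is an added example (not code from the original article) that runs them over a message modelled on the Airbnb lure: it compares the sender's domain against the brand's real domain, flags links whose visible text shows one site while the href goes to another, and looks for urgency and credential-request wording. The sample message, the legitimate-domain set, and the phrase lists are constructed assumptions for illustration.

```python
"""Triage checks for a suspected brand-impersonation phishing email.

Added example; this is not code from the original article. SAMPLE_EML is a
constructed message modelled on the Airbnb/GDPR lure described above, and
LEGIT_DOMAINS, URGENCY_PHRASES and CREDENTIAL_WORDS are assumptions chosen
for illustration, not a vendor's real lists.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (sender domain and link mismatch mirror the real lure).
SAMPLE_EML = """\
From: Airbnb <automated@mail.airbnb.work>
To: accounts@example-business.invalid
Subject: Action required: accept our updated Privacy Policy
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We have updated our Privacy Policy to comply with GDPR. You must accept
the new policy before you can log in again.</p>
<p><a href="http://airbnb-privacy-update.example/login">https://www.airbnb.com/privacy</a></p>
<p>Please confirm your payment card details when you sign in.</p>
</body></html>
"""

# Assumption: the registrable domains the real brand sends from.
LEGIT_DOMAINS = {"airbnb.com"}
URGENCY_PHRASES = ("action required", "before you can log in", "immediately", "will be suspended")
CREDENTIAL_WORDS = ("password", "credit card", "payment card", "bank account", "account credentials")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list offline)."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def triage(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Deceptive sender: compare the From domain with the brand's real domain.
    sender = msg["from"].addresses[0]
    if registrable_domain(sender.domain) not in LEGIT_DOMAINS:
        findings.append(f"sender domain {sender.domain} is not a known "
                        f"{sender.display_name} domain")

    # 2. Links: unknown destination, or visible URL that differs from the href.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    links = LinkExtractor()
    links.feed(body)
    for href, text in links.links:
        target = urlparse(href).hostname
        if registrable_domain(target) not in LEGIT_DOMAINS:
            findings.append(f"link goes to {target}, not a known brand domain")
        if URL_LIKE.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if registrable_domain(shown) != registrable_domain(target):
                findings.append(f"link text shows {shown} but href goes to {target}")

    # 3. Social-engineering wording: urgency and requests for sensitive data.
    lowered = f"{msg['subject']} {body}".lower()
    if any(p in lowered for p in URGENCY_PHRASES):
        findings.append("urgency language present")
    if any(w in lowered for w in CREDENTIAL_WORDS):
        findings.append("asks for credentials or payment data")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EML):
        print("-", line)
```

Run against the constructed sample, `triage` reports the lookalike sender domain, the link whose text shows www.airbnb.com while its href points elsewhere, the urgent subject line, and the request for payment card details. The domain reduction is deliberately crude (last two labels); a production check would use a public-suffix list so that, for example, a `.co.uk` brand domain is handled correctly.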

The Third Line of Defense

The third line of defense is to take a few preemptive measures in case an employee falls for a phishing scam, despite your best efforts to prevent it. You can help mitigate the effects of a successful phishing attack by:

  • Using a unique strong password for each business account. As the Airbnb scam illustrates, obtaining login credentials is the goal of many phishing scams. Once cybercriminals get the password for one account, they will try to use that password (or a similar version of it) to access other accounts because hackers know that people like to reuse passwords. If you use a unique strong password for each business account, cybercriminals will not be able to use the compromised password to access other accounts.
  • Keeping operating systems and applications up-to-date. Hackers often exploit known vulnerabilities in software to install malware. By making sure your software has the latest security patches, you might be able to stop a malicious program that was delivered by a successful phishing attack.
  • Performing backups regularly and making sure they can be successfully restored. Backups can save the day if an employee falls for a scam that unleashes ransomware. You will be able to restore your data and systems from backups taken before the attack.

What’s Your Strategy?

Although developing a strategy to protect your business from phishing attacks takes some effort, it is important to have one. Using the three lines of defense presented here is a good starting point. We can help you create and then implement a strategy tailored to your company’s needs.

Hackers Infected a Half Million Routers with Powerful Malware

Cybercriminals infected small office and home office routers with the VPNFilter malware. Here is what you need to know about VPNFilter, including what to do if you think your router might be infected.


Routers are easy targets for hackers. These devices connect directly to the Internet, so accessing them takes little effort. Plus, most routers do not include built-in protection against malware. Further, known vulnerabilities in routers are often not patched by users since updating their firmware takes some know-how. Because it is so easy to hack routers, cybercriminals were able to infect a half million of these devices with a malware variant known as VPNFilter.

Here is what you need to know about VPNFilter, including what to do if you think one of your routers might be infected with it.

What You Need to Know

Security researchers at Talos recently discovered that cybercriminals had implanted the VPNFilter malware into networking devices used by small offices and home offices around the world. Devices found to be infected include Linksys, MikroTik, NETGEAR, and TP-Link routers as well as QNAP network-attached storage (NAS) devices.

VPNFilter turned the routers and NAS devices into a giant botnet. Security researchers and law enforcement surmised that the cybercriminals were planning to use the botnet to carry out a cyberattack in Ukraine since some of the code in VPNFilter was found in a malware strain used to cripple Ukraine’s power grid back in December 2015.

Fortunately, in May 2018, the US Federal Bureau of Investigation (FBI) seized the domain that infected devices contacted for instructions, crippling the hackers’ ability to carry out the planned attack. However, the danger is far from over. A half million devices are still infected with VPNFilter. The Talos security researchers found that one of VPNFilter’s modules lets the attackers sniff any traffic passing through an infected router or NAS device, including sensitive data such as passwords sent over unencrypted connections. Even worse, they found another module that overwrites part of the device’s firmware, rendering it unusable. The situation is so serious that the FBI issued an alert about what the owners of small office and home office routers should do to protect themselves.

What You Need to Do

Symantec has compiled a list of routers and NAS devices known to be affected by VPNFilter. However, there is no easy way to tell if a device is infected. So, if your device is on Symantec’s list, it is highly recommended that you implement four security measures. Some security experts are even advocating that anyone with a small office router, home office router, or NAS device take these measures, even if their device is not on the list.

Here are the security measures:

  • Reset the device to its factory defaults. A reboot alone is not enough: it clears the malware’s later-stage modules but not the persistent first stage, which can download them again, so the device stays infected. A factory reset wipes that persistent stage (and your configuration, so note down your settings first).
  • Update your device’s firmware. The hackers exploited known security vulnerabilities to infect routers and NAS devices with VPNFilter. Updating the firmware closes those vulnerabilities and removes the easiest path to reinfection.
  • Disable the device’s remote management feature. Many routers and NAS devices can be administered from the Internet (WAN) side as well as from the local network. While this is convenient, it also gives attackers a direct path to the device, so turn it off unless you truly need it.
  • Change the device’s default admin password. It is relatively easy for cybercriminals to find the default passwords for routers and NAS devices, so you should change the default password. Be sure to select one that is unique and strong.

Give us a call if you need assistance with implementing any of these measures.

4 Gmail Enhancements That Can Help Your Business

Google is totally revamping Gmail. Here are four enhancements that can help you and your employees be more secure and work more productively when using Gmail.


Despite being the flagship offering in Google’s G Suite, Gmail has not received a major update since 2011. That is changing, though. Google has overhauled Gmail to help businesses operate more efficiently and securely. The updated version — which Google refers to as the “new Gmail” — is available through G Suite’s Early Adopter Program. In addition, some of the features are already generally available.

Here are four Gmail enhancements that can help you and your employees be more secure and work more productively:

1. Confidential Mode

Google has added a new confidential mode that is designed to help protect sensitive information in emails. When you use the confidential mode to send an email, the options to forward, copy, download, and print are disabled. This makes it harder (but not impossible) for the recipient to share the information. (If the recipient is determined to share the contents, he or she could, for example, take a screenshot of the email and share the screenshot.)

To further protect sensitive data, you can set an expiration date for the email. After that date, the email’s contents will disappear. The recipient will still be able to see the subject line, though. By setting an expiration date, you can rest assured knowing that your email won’t be sitting around in the recipient’s inbox for a long time, which could be problematic if the person’s email account is hacked.

You can also require a passcode to open an email sent in confidential mode, which works like two-step verification for the message itself. To view the email, the recipient must enter a passcode that Gmail sends by text message to the recipient’s phone.

2. User-Friendly Security Warnings

Hackers like to use emails to spread malware, steal data, and con businesses out of money. While Gmail has flagged suspicious emails for some time, Google has redesigned the security warnings. Besides being bigger and bolder, they are easier to understand.

For example, a security warning might state “This message seems dangerous. It might be trying to steal your personal information. Don’t click any links unless you trust the sender.” A warning might also include a “Delete now” button that employees can use to easily remove the suspicious email from their Inboxes.

3. Nudge

If you often have to reply to emails, the Nudge feature can save you time and possibly keep you from dropping the ball. Nudge scans your Inbox, looking for important emails to which you have not yet responded. When it finds one that is older than two days, it moves the email back to the top of your inbox and flags it with a message such as “Received 3 days ago. Reply?” Thus, Nudge not only reminds you to reply to emails but also saves you from having to hunt through a long list of emails to find those needing your attention.

Nudge also scans your Sent Mail folder, looking for emails for which you are awaiting a response. If a recipient has not replied to your email within three days, Nudge places a copy of the email you sent in your Inbox and flags it with a message such as “Sent 4 days ago. Follow up?”

To determine which emails should be flagged, Gmail uses artificial intelligence technologies, including machine learning. As time goes on, Gmail should more accurately determine what is truly important to you. If you find that is not the case, you can disable the Nudge feature in Gmail’s settings.

4. Native Offline Support

Google has fulfilled customers’ requests for native offline support in Gmail. The offline version works much like the online one: you can, for example, write emails, search your Inbox, and delete unwanted messages even on a plane. When you are back online, Gmail automatically syncs your changes.

These Password Recommendations Might Surprise You

The US National Institute of Standards and Technology (NIST) has some surprising recommendations that might prompt you to rethink your business’s password policies. Learn why change is needed and what NIST is recommending that companies do.


It’s time for a pop quiz. Is the following statement true or false?

It is best for businesses to require that employees create long, random passwords that include mixed-case letters, numbers, and symbols.

For a long time, the prevailing belief was that this statement was true, so many companies included composition rules in their password policies. However, the US National Institute of Standards and Technology (NIST) now believes these rules are hurting rather than helping businesses.

In a perfect world, employees follow their companies’ password policies and create long, random passwords that include mixed-case letters, numbers, and symbols. The passwords are strong and thus much harder to hack. However, these complex passwords are also much harder to create and remember, especially if employees are required to frequently change their passwords. As a result, in the real world, employees tend to create shorter passwords and often use tricks such as letter substitution. For example, they might use a zero for the letter “o” and an @ sign for the letter “a” to create passwords such as “MyP@ssw0rd”. Cybercriminals know these tricks, so passwords like “MyP@ssw0rd” are far from strong, even though they contain mixed-cased letters, symbols, and numbers.

Because of these issues, NIST now recommends that organizations follow different password practices. They include using passphrases, eliminating periodic password changes, and validating passphrases.

Use Passphrases

Instead of forcing people to create complex passwords that include numbers, symbols, and mixed-case letters, NIST recommends letting users choose “memorized secrets” (its term for any user-chosen password) that are simple, long, and easy to remember; in practice, that means passphrases.

When creating memorized secrets, people do not have to follow any composition rules. They can use any characters they want (including spaces), and NIST says systems should accept secrets of at least 64 characters so that long passphrases fit. What matters is length: a longer password has far more possible values and so takes longer to brute-force than a shorter one, even when the shorter one includes special characters, according to Paul Grassi, a senior standards and technology advisor at NIST.

Plus, passphrases without special characters are much easier to remember. For example, “potbellied puppies rule” is more memorable than “mN8b%Rc7”. It is also much harder to brute-force. According to Kaspersky Lab’s password strength checker, it would take more than 10,000 centuries on an average computer to crack “potbellied puppies rule” with a brute-force tool, and 11 centuries for the shorter “potbellied puppies”. In contrast, it would take only 12 days to crack “mN8b%Rc7” and just 3 minutes to crack “MyP@ssw0rd”. Keep in mind that estimates like these assume an attacker guessing character by character. Cracking tools also try combinations of dictionary words, so a passphrase’s real strength depends on how many words it contains and whether they were chosen at random rather than forming a familiar phrase.

While the passphrase needs to be something that the creator will readily remember, other people should not be able to guess it. For example, an employee should not create a memorized secret consisting of family members’ names. This information often can be gleaned from publicly available data sources such as social networking sites.

Plus, it is important to keep in mind how many passphrases employees will need to remember. Having to remember a bunch of them might prove difficult, prompting some people to write them down. A better option would be to use a password manager. Employees could create and use a passphrase to access the password manager and then use the tool’s random password generator to create strong passwords for their business accounts.

Eliminate Periodic Password Changes

Businesses often require employees to change their passwords periodically (e.g., every 90 days). NIST recommends that this practice be eliminated. Here’s why: An expired password usually does not motivate people to create a brand new strong password, according to Grassi. Instead, it motivates them to change a few characters in the old password or follow the next logical progression in a password system they developed. Frequent password changes can also push people into reusing another account’s password so that they have one less password to remember. All of these actions result in weak passwords.

The bottom line is that memorized secrets should not have an expiration date. A passphrase needs to be changed only if there is evidence it has been compromised or the employee asks for a change.

Validate Passphrases

NIST recommends that organizations validate passphrases when people initially create or change their memorized secrets. After an employee enters a new passphrase, it should be checked against a list of passwords known to be compromised, expected, or commonly used. If the employee’s passphrase is on the list, the validation system should reject it and prompt the employee to enter a different one.

Each company needs to determine what to include on the list. For instance, the list might include the following:

  • Passwords exposed in known data breaches (e.g., entries in the Pwned Passwords database).
  • Passwords consisting of repetitive characters (e.g., “zzzzzzzzzzzzzzzzzzzzzzzzz”).
  • Passwords consisting of sequential characters (e.g., “1234567890987654321” or “qwertyuiop”).
  • Passwords containing context-specific terms (e.g., the username, the email address, or the company’s name).
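
Here is an added example (not code from the article or from NIST) that puts the two halves of this advice together: a validator that rejects a new memorized secret for the four reasons listed above, plus a random passphrase generator of the kind a password manager provides, with an entropy calculation that shows how a word-based passphrase compares to a short random string. The breach corpus is a tiny constructed stand-in for the Pwned Passwords index (it keeps the same SHA-1 prefix/suffix split the real range lookup uses), the word list is a stand-in for a real diceware-style list, and the context terms are whatever the caller supplies about the account.

```python
"""Validate a new memorized secret along the lines of NIST SP 800-63B, and
generate random passphrases to compare against it.

Added example; not code from the article or from NIST. Assumptions: the
breach corpus below is a tiny constructed stand-in for the Pwned Passwords
range index (a real deployment queries the API or a local copy of the hash
list using the same 5-character SHA-1 prefix scheme); WORDS is a stand-in for
a real diceware-style word list; context_terms are supplied by the caller.
"""
import hashlib
import math
import re
import secrets

MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed stand-in for the Pwned Passwords index: SHA-1 prefix -> set of suffixes.
# "potbellied puppies rule" is included because any phrase printed in an article
# belongs in an attacker's word list from that moment on.
_BREACHED = {}
for _p in ("password", "MyP@ssw0rd", "letmein", "qwertyuiop", "potbellied puppies rule"):
    _h = hashlib.sha1(_p.encode()).hexdigest().upper()
    _BREACHED.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(secret):
    """k-anonymity style lookup: only the 5-char prefix would leave the host."""
    h = hashlib.sha1(secret.encode()).hexdigest().upper()
    return h[5:] in _BREACHED.get(h[:5], set())


def has_sequence(secret, length=5):
    """True if any `length`-char window steps +1/-1 in code point or runs along a keyboard row."""
    t = secret.lower()
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    for i in range(len(t) - length + 1):
        chunk = t[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}) or any(chunk in r for r in rows):
            return True
    return False


def validate(secret, context_terms=()):
    """Return the reasons a secret should be rejected; an empty list means accept."""
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(secret):
        reasons.append("appears in breach corpus")
    if re.search(r"(.)\1{3,}", secret):          # four or more of the same char in a row
        reasons.append("repeated characters")
    if has_sequence(secret):
        reasons.append("sequential characters")
    hits = [t for t in context_terms if len(t) >= 3 and t.lower() in secret.lower()]
    if hits:
        reasons.append("contains context-specific term(s): " + ", ".join(hits))
    return reasons


# Stand-in word list; a real one (e.g. 7,776 diceware words) gives ~12.9 bits per word.
WORDS = ("granite", "kettle", "orbit", "velvet", "saddle", "lantern", "meadow", "copper")


def generate_passphrase(n_words=4, words=WORDS):
    """Pick words uniformly at random using the CSPRNG-backed `secrets` module."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, length):
    """Entropy of `length` independent uniform picks from `choices` alternatives."""
    return length * math.log2(choices)


if __name__ == "__main__":
    for s in ("MyP@ssw0rd", "zzzzzzzzzzzz", "123456890987654321", "potbellied puppies rule"):
        print(f"{s!r}: {validate(s) or 'accepted'}")
    print(validate("jsmith rocks 2018", context_terms=("jsmith", "example.com")))
    print("4 diceware words:", round(entropy_bits(7776, 4), 1), "bits;",
          "8 random printable chars:", round(entropy_bits(95, 8), 1), "bits")
```

Two things the numbers make visible: four words drawn at random from a 7,776-word list carry about 51.7 bits, essentially the same as an 8-character string drawn from the 95 printable ASCII characters (about 52.6 bits), and every extra word adds roughly 12.9 bits while staying far easier to remember. That only holds when the words are chosen by a random generator; a phrase the user thought up, or one copied from an article, should be treated as guessable, which is why the validator rejects the example phrase above.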

Not Sold? There Are Other Options

NIST’s recommendations represent a significant divergence from current password practices. If you are not sold on the proposed changes, there are other ways to mitigate the risks brought about by weak passwords. For example, you might consider using two-step verification. We can go over all your options and help you implement the solution you feel is best for your business.