Back to the future

Eight years ago around this time, I was busy in my secret lab cooking up my latest and greatest geeky tech project. A little scripting here, some hardware and networking there…not unlike the countless other times I’ve done this since my Dad bought my first computer (Commodore 64) when I was twelve. Except this time I was doing a proof of concept for a magazine article while working as the Senior Consultant for a Managed Service Provider. I guess that investment in my first computer paid off. Thanks, Dad!

Hakin9 Extra – Guide to Kali Linux: Kali Scanning for HIPAA

I was asked by Hakin9 Magazine to write an article for their (then) upcoming “Guide to Kali Linux”. But before we get to that, some background first – Linux is a popular free and open source operating system developed by Linus Torvalds. He created the new platform because he did not want to pay the expensive licensing fees for Unix, which was the operating system used in his university computer science courses. Today, Linux is the operating system that runs most of the Internet services we use every day. While many in the community debate whether “free” means “as in beer” or “as in speech”, Linux can be downloaded at no cost which makes it perfect for tech-savvy IT professionals who are seeking to build low-cost systems for niche applications. Windows and Microsoft Office are the business standard so Linux is not a recommended alternative for general business computing.

Kali Linux is what is called a Linux distribution, or “distro” for short. Basically, it is a version of Linux with preinstalled applications and tools. Distros run the gamut from general purpose computing to niche applications. Kali, for example, is a security distribution and comes with computer forensic, penetration testing, and vulnerability scanning tools. The latter was the focus of the magazine article: specifically, how a low-cost, distributed system running Kali Linux on top of Raspberry Pi hardware (a low-cost, non-Intel PC) could be used in the Healthcare industry to support HIPAA compliance. I chose OpenVAS as the application for vulnerability scanning.

The results from the proof of concept demonstrated the RPi+(Kali) Linux+OpenVAS combination was viable as an ad-hoc tool and could be further developed into an integrated, distributed reporting system. The gory technical details from the article can be found here: Hakin9 Extra – Guide to Kali Linux: Kali Scanning for HIPAA.

Back to the present

So what’s changed in the last eight years? In some ways, not much. In other ways, everything. Tools like Kali Linux are still useful and part of the solution. What has changed is the ever-evolving threat landscape and the cost of doing business due to the added layers of security needed to maintain business as usual. We have written other articles on defense-in-depth so I won’t get into the weeds on that topic here, but it is no longer only the medical and financial industries (or other regulated businesses) but all businesses, large and small, that must invest in security to reduce risk and protect their business operations and data. The phrase often attributed to Vince Lombardi comes to mind: “Hope is not a strategy.”

Call to action

Great, we’ve identified a business problem…so now what?! Here’s the high-level recipe for building an effective security strategy:

  1. Discuss the need for addressing security with the top levels of the organization. This cannot be a bottom-up initiative. Too much is at stake.
  2. Work with a trusted technology/security partner to explore options.
  3. Invest in educating yourself and your team about the risks and how implementing security tools and best practices help mitigate these risks.
  4. Measure the effectiveness of your security program to understand residual risk.
  5. Rinse and repeat.

With an intentional focus on security and developing a plan to monitor and assess its effectiveness over time, your business can reduce risk of data loss and downtime. Much like how Linux is not for the faint of heart, Information Security can be tough to understand, so IT professionals are happy to work with you to formulate a winning game plan. Be like Lombardi and don’t just hope the problem will go away on its own!

I’m sure you have all received an email about an urgent matter that needs to be settled today or you could lose money FAST!!! Yes, those emails should raise some serious red flags in your mind, because the sender is hoping to catch someone in a desperate situation and take advantage of them.

These emails are known as Phishing scams, and they are not limited to emails. They occur on low-tech platforms in the form of phone calls, and they come in higher tech forms like games, social media and webpage ads, emails and texts. Here’s what you need to know about them:

How do phishing attacks work?

Phishing attacks work by presenting some sort of bait to a consumer in the hope of scamming them out of money or information. In emails, they tend to present an urgent situation which, if not acted upon immediately, will supposedly cause some level of harm or inconvenience. Check out this example:

Notice how the email presents an urgent situation – an important delivery was missed. The bait is presented in the form of a link – click this link to confirm the delivery notice. HOWEVER, the link is fake!!! The link will NOT direct me to UPS as suggested; in this example it takes me to an unrelated Vietnam-based website.
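The mismatch described above (link text that names UPS, link target that goes somewhere else) is exactly what a mail filter can check for. The following is an added example, not code from the original article: it parses a constructed HTML email body, collects every link, and flags anchors whose visible text mentions a brand but whose host is not that brand's domain. The brand allow-list and the `.invalid` placeholder host are assumptions for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the page's "missed delivery" email.
# The phishing href uses the reserved .invalid TLD as a placeholder.
SAMPLE_EMAIL = """
<p>We were unable to deliver your package.</p>
<p>Please <a href="http://ups-confirm.invalid/track?id=123">confirm your delivery with UPS</a>
within 24 hours.</p>
<p>Or visit <a href="https://www.ups.com/track">www.ups.com</a></p>
"""

# Assumed allow-list: brand keyword -> domain the brand actually uses.
BRAND_DOMAINS = {"ups": "ups.com", "amazon": "amazon.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude last-two-labels approximation (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return (text, href) for anchors naming a brand but pointing elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        for brand, domain in BRAND_DOMAINS.items():
            # keyword match is deliberately simple; "ups" also matches "groups"
            if brand in text.lower() and registered_domain(host) != domain:
                flagged.append((text, href))
    return flagged
```

Running `suspicious_links(SAMPLE_EMAIL)` flags only the first link; the second, which really points at ups.com, passes.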

How can I protect myself?

You need to take the following steps to protect yourself (we’ll start with the obvious):

  1. Keep Windows updated with the latest security updates.
  2. Install an active malware protection suite on all your smart devices – YES, even your Apple devices. Contrary to popular lore, Apple devices can get viruses and malware.
  3. Be alert and learn to identify the bait! The bait can come in various forms, and these scammers are getting really clever! Sometimes they will even deliver on the content or offer they presented, but in the process they have obtained an important login credential or installed some bit of malware encoded in the delivery process. Remember: anything that looks too good to be true probably is, especially on the Internet.
  4. Don’t give out any important information over the phone, by email or by text.
  5. Don’t open attachments you haven’t personally requested. Even then, it’s not the best idea. It’s easy to share files from cloud accounts like OneDrive, Dropbox, DattoDrive and the like, and that’s safer than using attachments.

Note: Neither Microsoft nor Apple will call you and request control of your computer! That is a popular phishing scam.

Yield not to temptation!

Those ads can be so tempting, right? No, I’m not referring to girly ads, though they would apply. You know…those ads that offer you the latest unclassified intel on JFK’s murder, or behind-the-scenes Woodstock photos never before seen, or Marilyn Monroe secrets revealed (how old does FB think I am?!!!). It’s not worth the risk! Don’t click on those ads. At best, they will disappoint. At worst, you just got baited and hooked!

But you don’t understand, this could be REAL!!!

OK, so yesterday you didn’t buy local like you were supposed to and ordered something off of Amazon. Today, you get an email from Amazon (supposedly) stating your recent order didn’t process properly, and you are going to miss out on that new pair of boots without which you absolutely cannot live!

Yes, I realize the importance – here’s what you DON’T DO: for the love of all that is good, DO NOT click on any links in that email! Instead, open a new browser session and navigate to Amazon’s website directly. From there, you can look at your order history. That’s the safest way to know for sure you are not taking the bait.

Report scams!

Microsoft has provided these excellent options for reporting scams (a direct link to all this information is provided below):

How to report a scam

You can use Microsoft tools to report a suspected scam.

  • Outlook.Live.com – If you receive a suspicious email message that asks for personal information, click the check box next to the message in your Outlook inbox. Click the arrow next to Security Options and then choose Phishing.
  • Microsoft Office Outlook – If you have a business email account and need next-level Anti-Phishing protection, contact TCS on how we can provide the best protection. We can also perform security awareness training drills that will help you score your employee security awareness levels with recommended training for those who need it.

You can also download the Microsoft Junk E-mail Reporting Add-in for Microsoft Office Outlook.

How to report tech support scams

Whenever you receive a phone call or see a pop-up window on your PC and feel uncertain whether it is from someone at Microsoft, don’t take the risk. Reach out directly to one of our technical support experts dedicated to helping you at Total Computer Solutions.