XSolutions’ Security Post Roundup: Mar 22, 2021
Here are a select few of this week’s security LinkedIn posts by XSolutions:
iPhone App Allows Others Access To Conversations (Posted 3/11/2021)
A popular iPhone app called “Automatic Call Recorder,” with a 4-star rating and thousands of reviews, had a serious flaw that was recently patched.
A security researcher was able to find the app’s storage on Amazon and, with a web proxy tool, access phone recordings for any user.
Apparently, the API did not perform any authentication and returned recordings based solely on the phone number supplied in the request. Additionally, the researcher was able to access the user’s entire call history!
How could this happen? Well, as I’ve said many times, programmers need to program with security in mind first, then rigorously test their applications for flaws.
Remember: you can be judicious in your own actions and still get hacked because of others’ practices; in this case, an app that had a severe flaw.
To all iPhone users who have downloaded this app, make sure your app and Operating System are updated immediately.
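To make the two missing checks concrete, here is an added illustration (written for this roundup, not the app’s real code): a tiny model of an endpoint that serves recordings keyed only by phone number, beside the same endpoint with authentication and an ownership check. The data, session tokens and request shape are all constructed placeholders.

```python
"""Constructed model of the flaw described above: an API that serves call
recordings keyed only by phone number, with no authentication and no check
that the caller owns that number. This is an added illustration, not the
app's actual code; every name, token and recording below is made up."""

from dataclasses import dataclass
from typing import Optional
import hmac

# Constructed sample data: recordings per phone number.
RECORDINGS = {
    "+15550000001": ["rec-a1.m4a", "rec-a2.m4a"],
    "+15550000002": ["rec-b1.m4a"],
}

# Constructed session store: opaque token -> the phone number it was issued to.
# A real service would use a signed token or a server-side session instead.
SESSIONS = {
    "tok-alice-7f3a": "+15550000001",
    "tok-bob-91c0": "+15550000002",
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape)."""
    query_phone: str                  # the ?phone=... the client asks for
    auth_token: Optional[str] = None  # Authorization header value, if any


@dataclass
class Response:
    status: int
    body: object


def vulnerable_get_recordings(req: Request) -> Response:
    """The flawed pattern: whoever supplies a phone number gets that
    number's recordings. No authentication, no ownership check."""
    return Response(200, RECORDINGS.get(req.query_phone, []))


def lookup_session(token: Optional[str]) -> Optional[str]:
    """Resolve a token to the phone number it belongs to, or None."""
    if token is None:
        return None
    # Constant-time comparison so a partial match does not leak via timing.
    for stored, phone in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return phone
    return None


def hardened_get_recordings(req: Request) -> Response:
    """Same endpoint with the two checks the original lacked:
    1. authentication: the request must carry a valid session token;
    2. authorization: the token's owner must match the requested number."""
    owner_phone = lookup_session(req.auth_token)
    if owner_phone is None:
        return Response(401, {"error": "authentication required"})
    if owner_phone != req.query_phone:
        return Response(403, {"error": "forbidden"})
    return Response(200, RECORDINGS.get(req.query_phone, []))


if __name__ == "__main__":
    # Anyone can read Bob's recordings from the flawed endpoint...
    print(vulnerable_get_recordings(Request("+15550000002")))
    # ...but the hardened one refuses without a token, and refuses Alice's
    # token for Bob's number.
    print(hardened_get_recordings(Request("+15550000002")))
    print(hardened_get_recordings(Request("+15550000002", "tok-alice-7f3a")))
    print(hardened_get_recordings(Request("+15550000001", "tok-alice-7f3a")))
```

The point of the second function is that knowing a phone number must never be enough: the server has to establish who is asking, and then compare that identity against the resource being requested.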
How To Create Strong Passwords (Posted 3/16/2021)
With all of the advancements in technology today, passwords are, at least for the present, the way we keep our data safe. However, you’d be surprised at how many people still use “easy-to-guess” and common passwords, like “Pa$$word,” etc. The bad guys have dictionaries at their disposal containing commonly used passwords.
So, how do you create a good, hard-to-crack password? Here’s how.
* Use three unrelated words, for example, things that you see in your surroundings.
* Capitalize the first letter in the first word, a middle letter in the second word, and the last letter in the third word.
* Link the three words with two different symbols (%,&,*,~,^, etc.).
* Add a few numbers at the end.
* Make sure that the total length of your new password is at least 20 characters.
For example: Cherry%beNch^factoR38
According to the “How Secure Is My Password” site, it would take a computer 3 Sextillion Years to crack the above example.
By the way, please don’t use the above password since it is published in this post!
To remember all of your unique passwords, use a Password Manager.
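As an added example (written for this roundup, not a tool from XSolutions), the five rules above can be turned into a small builder, a rule checker and a generator that draws words, symbols and digits from the operating system’s random source. The word list and symbol set are constructed placeholders; “middle letter” is taken to mean the letter at position len(word) // 2, which matches the “beNch” in the post’s example.

```python
"""Added example implementing the password rules listed above: build a
password from three words, check a candidate against the rules, and
generate one with the secrets module. The word list and symbol set are
constructed placeholders, not from the original post."""

import re
import secrets
import string

SYMBOLS = "%&*~^!@#$"   # assumed set of linking symbols
MIN_LENGTH = 20         # rule 5

# Constructed sample word list; a real one would be much larger.
WORDS = ["cherry", "bench", "factor", "window", "pencil", "garden",
         "bottle", "carpet", "ladder", "orange", "saddle", "copper"]


def shape_word(word: str, position: str) -> str:
    """Rule 2: capitalize one letter, 'first', 'middle' (len // 2) or 'last'."""
    word = word.lower()
    idx = {"first": 0, "middle": len(word) // 2, "last": len(word) - 1}[position]
    return word[:idx] + word[idx].upper() + word[idx + 1:]


def build_password(w1: str, w2: str, w3: str, sym1: str, sym2: str, digits: str) -> str:
    """Rules 2-4: capitalization pattern, two linking symbols, trailing digits."""
    return (shape_word(w1, "first") + sym1 + shape_word(w2, "middle")
            + sym2 + shape_word(w3, "last") + digits)


def check_rules(password: str) -> list[str]:
    """Return the rule violations found; an empty list means it passes.
    Rule 1 (the words being unrelated) cannot be checked mechanically."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Rule 4: the password must end in a run of digits.
    m = re.fullmatch(r"(.*?)(\d+)", password)
    if m is None:
        problems.append("should end with numbers")
        core = password
    else:
        core = m.group(1)
    # Rule 3: exactly two linking symbols, and they must differ.
    syms = [c for c in core if c in SYMBOLS]
    if len(syms) != 2 or syms[0] == syms[1]:
        problems.append("needs exactly two different linking symbols")
    words = re.split("[" + re.escape(SYMBOLS) + "]", core)
    if len(words) != 3 or not all(w.isalpha() for w in words):
        problems.append("needs three words joined by symbols")
        return problems
    # Rule 2: first / middle / last letter capitalized, nothing else.
    expected = [shape_word(words[0], "first"),
                shape_word(words[1], "middle"),
                shape_word(words[2], "last")]
    if words != expected:
        problems.append("capitalization pattern must be first/middle/last")
    return problems


def generate_password(words: list[str] = WORDS, digit_count: int = 2) -> str:
    """Draw three distinct words, two distinct symbols and trailing digits
    from a CSPRNG, retrying until every rule passes (short words can leave
    the result under the minimum length)."""
    rng = secrets.SystemRandom()
    while True:
        w1, w2, w3 = rng.sample(words, 3)
        sym1, sym2 = rng.sample(SYMBOLS, 2)
        digits = "".join(secrets.choice(string.digits) for _ in range(digit_count))
        candidate = build_password(w1, w2, w3, sym1, sym2, digits)
        if not check_rules(candidate):
            return candidate


if __name__ == "__main__":
    # Reproduces the post's worked example from its parts.
    print(build_password("cherry", "bench", "factor", "%", "^", "38"))
    print(check_rules("Cat%doG^fisH12"))   # too short, wrong capital in word 2
    print(generate_password())
```

The checker is deliberately strict about the capitalization pattern and the two-different-symbols rule, because those are the parts people most often skip when they try to follow the recipe from memory; a password manager, as the post says, removes the need to remember the result at all.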
For Maximum Security You Need This (Posted 3/17/2021)
Have you ever received an email from an IT Company touting the latest “EDR Security” services? But, what is EDR, and is it the best security option?
EDR acts as a central hub to collect, correlate, and analyze data from endpoints and then coordinates alerts to threats it detects. What it doesn’t do is remediate any threats found.
It reminds me of an old commercial where a bank is being robbed, and a customer asks the bank guard for help. The guard responds, “Oh, I’m just a monitor. I don’t do anything.” In my opinion, that’s EDR.
For maximum security, you need a system that monitors, detects, and CONTAINS threats. For that, you need a combination of EDR, SIEM, and SOC.
A SIEM (Security Information and Event Management) provides real-time analysis of security alerts, and a SOC (Security Operations Center) provides a proactive, human team to respond and contain threats. These services, working together, provide maximum security for your network.
Although EDR is a step above antivirus, you’re still vulnerable until the issue is contained. Remediation comes from a SOC, which monitors your network 24/7/365 and performs the necessary actions when threats are detected to keep your business safe.
How Hackers Can Steal Your Text Messages Without Your Knowledge (Posted 3/18/2021)
The security company KnowBe4 recently reported that hackers could easily redirect a victim’s text messages. The attack IS NOT a SIM swap, and the victim is unaware that it has happened. Many two-factor authentication systems use text messages to send access codes. This should make you very afraid.
Here’s how it works:
* A hacker first signs up with a business text-messaging service, of the kind generally used by legitimate companies to send text advertisements to users.
* By using a prepaid credit card, the attacker completes an online “Letter of Authorization.”
* Afterwards, the criminal adds the target’s cell number to the app.
* A few minutes later, the hacker gets all of the target’s text messages.
The target’s phone works as usual with no sign it has been compromised. The user is unaware that his/her text messages are being redirected.
Be very alert to what’s happening on your phone. If you suddenly stop getting text messages or start seeing weird messages that you did not send, it’s time to investigate.
Training Is Critical To Your Security (Posted 3/19/2021)
Professionals have long recognized that people are the weakest link in security.
Technological advancements make it difficult to penetrate a well-secured network. That is why criminals prefer social engineering as their way to big bucks.
Well-crafted phishing attacks, Business Email Compromises, and sometimes old-fashioned phone calls are tried and true methods.
That is why the National Institute of Standards and Technology (NIST) recently revised its protocols to include training, such as simulated social engineering testing, in its highly regarded security standards, which are followed by many US Government agencies and businesses.
The fact is that any well-rounded security program MUST include simulated phishing attacks and continuous education if your employees are to be adequately trained.
Insurance companies, smarting from significant losses due to ransomware attacks, require stringent protocols to be in place before approving cyber policies.
Proper security can only come with using the latest protection tools PLUS in-house cyber training for your employees.
Need help? Email us at [email protected] for a free security consultation.
XSolutions is an Elite Partner of Datto, the world leader in Hybrid-Cloud Business Continuity solutions. We provide Disaster Recovery as a Service (DRaaS), Backup as a Service (BaaS), Cloud Data Protection (CDP), and Managed I.T. Services (MSP). Call (845) 362-9675 for a free consultation.