Cat Tech Tips – Computer Updates


You’re merrily typing along or browsing Facebook when suddenly Windows informs you that it has updated and wants to restart – what’s that all about? If Windows needs to update this often, what ELSE needs to be updated?

The answer is: Quite a few things! And many of those things have probably gone without computer updates for years. Keeping your machine updated makes it run more smoothly, and keeps it more secure.

So what needs to be updated?

– Windows Updates: Windows usually updates periodically on its own, but it doesn’t hurt to check and see what non-essential updates need to be installed, and to just tell everything to get it over with right now.

– Antivirus Updates: Your antivirus software should be updating and scanning regularly on its own if it was installed properly, but it doesn’t hurt to check.

– Driver Updates: Drivers are little programs that make your hardware play nice with the rest of the computer, and you rarely think to update them. Software like Device Doctor can get everything up to where it should be. Be sure to back up your computer first!

– Browser Updates: Browser updates patch security holes and are essential – check to make sure your updates are turned on and if not, update those browsers manually.

– Third Party Updates: Other programs like Flash, Java, and Adobe Reader will prompt you to update. They will nag, badger and annoy you with reminders; oftentimes they will badger you to the point that your antivirus program will question their motives. We may never know why a PDF reader needs more updates than everything else combined, but just let it do its thing.*

*IMPORTANT: Do read the text on what you are updating. Sometimes sneaky malware will masquerade as something legitimate, and sometimes McAfee will try to slip in with other programs such as taskbars. Uncheck those checkboxes if you don’t want a certain piece of software.

Proceed With Caution
As always, back up your computer or tablet before making major changes (such as the driver updates), and we are not responsible for any issues you may encounter, such as throwing your computer out the window in frustration after finding McAfee sneaking in for the sixth time.

UPS Stores and Banks Were Hacked

UPS Stores were hacked

UPS stores were hacked in a data breach recently, with stores in 24 states subject to the data breach between March 26 and August 11. “No fraud has yet been discovered, UPS said, but customer names, postal addresses, email addresses and payment card information were compromised.”

Banks hit by Hackers

Several large banks, including JP Morgan Chase & Co., were hit by hackers, which led to theft of data associated with accounts. The theft involved significant amounts of data which could potentially lead to serious financial fraud.

 

Heartbleed

What Heartbleed is, and What You Should Do

What is it?

Heartbleed sounds scary by the name alone. It’s all over the news, but just what is it? What should the average Internet user do about it? Heartbleed is complicated and involves some Internet security understanding, but here we’ll strip out most of those details and get to the essentials.

Heartbleed is a bug – a mistake in security code – that has potentially allowed in-the-know hackers to exploit the problem and grab unencrypted usernames, emails, passwords, and other random sensitive information a bit at a time through small packets of data, nicknamed “heartbeats.” The bug has been around for two years, but it was only just discovered by companies Codenomicon and Google.

Who is Affected

Any “secure” website using the security software OpenSSL which had the buggy code (an update within the last two years) could potentially be compromised. Nobody knows for sure if they HAVE been compromised. It is possible that up to two thirds of the web could have this bug. There are a lot of unknowns.

Some big websites may have been affected: Yahoo, Google, and Facebook. Though these websites have already updated their software, they suggest that users still take the time to change their passwords.

Some websites never used the vulnerable software: big banks were less likely to use the open source software, Microsoft said it was unaffected, and LinkedIn seems to have been safe.

Why Should You Be Worried?

You should be worried because if someone has exploited the bug, your usernames, emails, passwords, security questions, and other sensitive information could have been available to malicious users for the past two years. If you use the same passwords (or similar passwords) on multiple sites, this could give them access to those other websites as well.

If a website with the compromised code does not update, they are still an open gate. If a website has updated but you have not changed your password, someone might have that info to use when they see fit – if someone has grabbed that info in the past, they still have it.

We don’t know how extensive the problem is – entire website databases could have been compromised. The good news is that the bug was brought to our attention rapidly after it was discovered, allowing word to get out before the bug was exploited on a wider scale.

Recommendations

There is only so much a user can do. The biggest problems lie on the website side of things, and it is the responsibility of those website owners to update their keys. If the website has not run updates on their side, the bug can still be exploited even if you change your passwords.

Most big companies updated their software right away and recommend changing your passwords. Unfortunately, not all companies are being clear about whether or not they were vulnerable to the problem, and if they have since patched the bug.

Our recommendations are to do the following:

  • Update your passwords on all of the websites you use, especially ones where you store sensitive or personal information.
  • Make sure all your passwords are different – do not use the same one for each website.
  • Be prepared to change your passwords again in case a site has been slow to update.

Best Practices Going Forward

It’s hard to remember many complicated passwords (and complicated passwords are the most secure), so we recommend using a program like LastPass or KeePass to keep track. While nothing is entirely failsafe, they are a lot more secure than trying to remember many simple passwords or even worse, using the same password everywhere.

It is also good practice to update your passwords periodically.

When, Not If

The internet is complex and only getting more so, and for better or worse much of it is unregulated. When it comes to any kind of security breach or data theft, expect that something could potentially happen, and work out a plan for what to do when it does.

Follow Appletree Mediaworks on Twitter or like us on Facebook. Visit our website for more information on data and security and what to do about breaches, and about what’s happening on the web.

—–

Common Sites You Should Change Your Passwords For

Password Changes Suggested (They have updated their SSL)
Facebook
Tumblr
Google/Gmail
Yahoo
Turbotax
Dropbox
SoundCloud

Okay/Don’t need to change passwords*:
LinkedIn
Amazon
AOL
Outlook/Hotmail
Paypal
Target
Most big banks
Taxes/Accounting sites (except Turbotax)
Evernote

Unclear: (Have not made an official statement – they claim to be okay, in some cases)
Twitter
Apple
Ebay
Netflix

* It can’t hurt to change your passwords anyway. Just be prepared to do it again if necessary.

Technical Details of Heartbleed: http://heartbleed.com/

 

How Do You Prevent Your Email From Getting Hacked?

Duplicating Usernames and Passwords is Risky

Database vulnerability

The truth is many online databases do not encrypt your username and password at all. So one dishonest employee can have thousands of passwords in one quick database export. If one online shop gets compromised, then all of the places you use that username and password are now vulnerable. Use a different password for every website login you create and use a specialized program to store those big beautiful passwords.

Brute force attacks

Many attacks are brute force attacks in which a computer program is used to try lots of combinations of passwords rapidly. The simpler your password, the easier it is for the program to ‘guess’. Again, if your password is figured out and you use the same on multiple websites, your risk is increased exponentially. Use different passwords to prevent getting your email hacked.

  • Use different login credentials and complex passwords on every website you use. We featured an article on our blog featuring more information and tips about passwords.
  • Just say no to browsers storing passwords! When Internet Explorer or Mozilla asks to store a password for you, ALWAYS say NO.
  • To remember all your new passwords, use a service like 1Password or KeePass to create and store login information. KeePass is free!

Keep Your Software Updated

Out of date software is risky, especially web browsers and other web-based programs including browser plugins. Usually updates are released for software in response to a security hole or technology expansion. Many programs update automatically, but set your phone or calendar to remind you to check on these things every few weeks.

  • Keep Windows and your antivirus software up to date.
  • Run updates for your programs when they ask. If a program that you don’t recognize is asking to access your computer, choose No for now and check out Google to see what is suggested for that update name.

Pay Attention to Login Sessions

Some sites will tell you the last time you logged in successfully. Change your passwords if things seem fishy. Some programs, such as Facebook and Gmail, monitor your logins; other programs will let you set up verification by text messages.

  • Use verification by text message. If a program asks if you’re using a public computer to log in, say yes if you are.
  • Do not create obvious security questions in which people can find the answers by searching Facebook or other sites.

Think Before You Click

If you receive an ambiguous or unexpected email telling you to click a link, even from a relative or close friend, don’t do it. Contact the person over the phone and ask about the email message. The same goes for attachments. If the email does not look like something your contact would send you, QUESTION it!! Email spoofing is common too; for example, there have been very real-looking emails floating around that appear to be from the IRS, but the attachment is a virus.

  • Ignore and delete strange emails even if they’re from friends, family, and banks. Don’t click the link or open the attachment – it’s a surefire way to get a virus.
  • If you find out your account has been hacked and an email was sent from your account, first change your password. Second, follow up with those that received your hacked email message. Tell them your email was hacked and that they should DELETE the email they received from you.

Watch Where You Login From

Be careful if you are logging in from a public computer or a network that is not secure. Do not stay logged in; when you are done with the website, be sure to log out. Connecting to public WiFi can open the door to hackers.

  • Be sure your computer has a strong firewall. The annoying extra click to allow something to access or update your computer is better than a hacking mess from keeping the door open.

How do you prevent your email from getting hacked? As identity theft and account hacking become more rampant, there is no foolproof way, but you can minimize risks by using our suggestions. It is best to set up your accounts so that if one gets compromised not all of them do. Have a plan set up on what to do if an email gets hacked or a credit card gets stolen, and know that it is extremely common, if problematic.

If You Do Get Hacked

  • Change your password if you can still get in to your account.
  • Follow the directions in the help center of the website you’re trying – most sites have guides on what to do.
  • Scan your computer for viruses and malware, then schedule future scans to happen weekly.
  • Let people know you got hacked and not to click on links, and pass along info on what to do if they did.
  • Report the incident to the website. You may get access to identity protection services through the hacked site.

Extra Credit

Protecting your credit card information online goes hand in hand with your email getting hacked. We suggest using a payment service such as Paypal to store your credit card number rather than typing your credit card number directly into a website. Websites and stores are not supposed to store credit card numbers in their databases... but there are no internet police enforcing this.

Follow Appletree MediaWorks on Facebook or subscribe to our website blog RSS feed to keep up on topics like this.

How to Secure Your Social Media

Social media has become an undeniable force for reaching out to the public, spreading news and info among thousands of fans. If one post can spread so rapidly, what happens when this pervading force in communication falls into the wrong hands? How can you be sure to secure your social media?

As social media security becomes essential to businesses, following basic guidelines will help circumvent the worst of the traps people fall into when it comes to keeping intruders out of their media and followers. These guidelines will also improve damage control if the worst does happen.

1) Strong Passwords

Believe it or not, many people still use ‘password’ or ‘1234’ as their password, even in business situations. Instead of the old standbys, complex passwords that include numbers, letters, and symbols are harder to crack. It’s rough keeping track of those complex passwords, especially in a business setting: that’s why a password manager like KeePass or LastPass can become essential. Not only does this take the guesswork out of creating a good strong password (both programs have features that will create passwords for you, including ‘pronounceable’ ones people can remember), but it also manages them so sensitive passwords are not visible to those who don’t need long-term access to sensitive information.

2) Education

Even big companies have fallen into the trap in which one employee clicks on a bad link in a decoy email and submits valuable username and password data, leading to a security breach within the whole company. The easiest way to circumvent this problem is to sufficiently educate everyone on safe practices. These include:

– Be suspicious of clicking on links; if you’re not completely sure where they come from, they may take you to unexpected and invasive websites.

– Be watchful of official-sounding emails providing a link and asking you to update your info. When in doubt, type the URL of the website you want by hand. Links can be cloaked to take you to unexpected websites.

– Do not open a suspicious or unknown attachment, even if it appears to be from someone you know. Ask first if you need to.

– Be cautious of questionable software and downloadable games which can contain malware that is quick to infect a system and difficult to get out again.

3) Utilize a Social Media Manager

Social Media Managers like Hootsuite not only keep track of and schedule media interaction but have software designed to look for misuse of links and posting. They act like an extra firewall, creating a buffer between you and intruders. Further, these Social Media Managers allow for permissions, requiring specific contributors to post drafts to be reviewed but only allowing administrators to approve final posts.

Centralizing social media accounts within your company helps prevent misposts and leaks. Also consider hiring an outside agency to manage your social media accounts; employees at Appletree MediaWorks, LLC are trained professionals that can help you with your social media maintenance. This also introduces a formality to social media for business, which employees might otherwise approach in a more casual way.

4) Review & Update

Assess and review your security on a regular basis. Who has access to passwords and social media accounts?  Who has permissions to what? Do passwords or accounts need to be changed in the case of departing employees? Finally, ensuring that software is up to date on browsers, operating systems, and all virus/malware protection can keep software more secure.

5) Prepare for the Worst

If all goes well you will never have to resort to contingency plans for reclaiming hijacked accounts or covering for bad posts that have gone viral on the internet. However, making plans in the event of a crisis will make it a little more manageable. Preparing employees on what to do if they receive a cloaked email can halt a social media hijacking intrusion in its tracks. Keep an unassociated email address for emergencies to reach all employees or users if needed. A plan for damage control speeds up the process and reduces the damage that a security breach can cause to a business’s reputation.

We do hope that your company takes the tips above into consideration. Social media can be good for business when it is properly maintained and analyzed. Reach out to Appletree MediaWorks, LLC for more tips and to have a social media analysis done for your business today.

“The Five Step Guide to Better Social Media Security”, MarketingProfs, http://www.marketingprofs.com/store/product/2183/the-five-step-guide-to-better-social-media-security

Monitoring Your Brand Online

No matter how big or small your company, monitoring your brand online is an essential task that must be done on a regular basis.  With the prevalence of social media, it’s far too easy for one person’s bad experience to go viral.  Watching for and correcting these issues is the only way to ensure your brand remains in a positive light.

There are many tools out there to assist you with monitoring your brand, and most of them are free.

The easiest tool to use is Google.  You can set up a Google Alert (sent right to your email) that searches regularly for whatever you want – in this case, your best bet would be your brand name.  You can also refine it to just send you news, video, discussions, blogs, etc.

Another great tool is Twitter – using the Twitter search, you can monitor your name, your company’s name, or even your competitors, and have the results fed into an RSS reader for your convenience.  And since Twitter posts are so rapid, you may want to use TweetDeck or HootSuite to keep a closer eye on things.

While not free, Trackur is an excellent tool for small business to keep tabs on social media.  You can “monitor your reputation, your news mentions, your PR campaigns, your employees, or your competition. Trackur’s social media monitoring tools are easy to use, yet offer a surprising number of features.”  With plans starting at just $27 a month, any small business can easily afford to sign up.

If your business is booming and you’ve got a little more to spend, try out UberVu.  Their dashboard monitors and analyzes mentions on Facebook, Twitter, Flickr, YouTube, and more.  You can also perform a “sentiment analysis” to find out what the general feeling is towards your brand, and you can even use UberVu to compare your brand to your competitors.

These are just a few tools that are available for monitoring your brand online – more in-depth research may uncover something perfect for your organization.

CISPA

The Cyber Intelligence Sharing and Protection Act, or CISPA, is a proposed law in the United States which would allow for the sharing of Internet traffic information between the U.S. government and certain technology and manufacturing companies. The aim of the bill is to help the U.S. government investigate cyber threats and ensure the security of networks against cyberattack.

Its predecessors, SOPA (Stop Online Piracy Act) and PIPA (Protect IP Act) were blocked earlier this year; however, CISPA has been passed in the House of Representatives and is now awaiting attention in the Senate.

Overview of CISPA

While SOPA and PIPA were meant mostly for stopping pirated material from being transferred over the internet, CISPA is an entirely different can of worms.  Succinctly put, it allows both the government and private businesses to share information about cyberthreats.  (Cyberthreats are anything making “efforts to degrade, disrupt or destroy” vital networks, or anything that makes a “threat or misappropriation” of information owned by the government or private businesses.)  CISPA rewards companies for collecting data from internet users, intercepting or modifying communications, and providing this information to the government.

What does this mean to you, as a company with a website?

CISPA mostly affects individual internet users; however, its intent is to allow companies to protect their computers and networks against global cybersecurity threats. Information-sharing with the government is voluntary; however, data anonymity is encouraged but not required (from “CISPA Will Improve U.S. Cybersecurity” by Matthew Eggers at the US News and World Report).

According to an article from the Electronic Frontier Foundation, “One of the scariest parts of CISPA is that the bill goes above and beyond information sharing. Its definitions allow for countermeasures to be taken by private entities, and we think these provisions are ripe for abuse… These countermeasures could put free speech in peril, and jeopardize the ordinary functioning of the Internet… These countermeasures could even serve as a back door to enact policies unrelated to cybersecurity, such as disrupting p2p traffic.”

Additionally, “Heritage [Foundation] discussed how CISPA gives private entities ‘clear legal authority to defend their own networks.’ While we think private entities should be able to defend their networks, they should not be able to do without accountability in a manner that threatens free speech or disrupts the Internet.”

Where do you stand?

Appletree MediaWorks believes privacy is of the utmost importance; however, in a democratic society such as ours, we recognize the need for discourse on all topics of this nature. Please feel free to comment with your opinion on CISPA.

 

How to Survive a Joe Job

To a budding or established company on the web, the possibility of cyber attacks is very real and can be damaging to your reputation if not handled correctly. One of the worst of such online threats is the all-too-common “Joe Job” attack.

Essentially, a Joe Job attack happens when an attacker sends fake (spoofed) spam email that appears as though it originated from your domain. Email has always been one of the most insecure protocols on the Internet – anybody with even a minimal knowledge of technology can send email “from” whoever they want, without much effort.

Usually you become aware of such an attack when you begin receiving a flood of angry email replies to the spam (since the Reply-To address is often your own). Now begins the long arduous task of saving face amongst the onslaught of defamation. It seems daunting, but we have compiled a comprehensive guide to surviving a Joe Job attack, should you be unfortunate enough to become a victim:

1. Create abuse@yourdomain.com and postmaster@yourdomain.com if these do not already exist. These should either be set up to forward to you, or you could configure your email client to also receive email from these addresses. This is so that information sent from SpamCop and other blacklist services is not missed. Whenever somebody submits one of the spam emails to SpamCop, real time reports will be forwarded to abuse@yourdomain.com. Fortunately, SpamCop is smart about these things and will realize that the emails are not originating from your domain.

2. Set up a spam information page with information about the attack and a form where victims can submit the header information from the offending emails to help you expedite the investigation. In cases where the attack is being carried out by a devious competitor, this will have the benefit of letting them know you’re onto them, and they need to stop. It also helps the people who are receiving the spam. They may be hearing about your company for the first time by receiving the defaming spam, and the proactive ones will almost certainly be browsing your site looking for answers. It will help immeasurably to provide them with the information they are looking for, letting them know that the email did not come from you and that there is something they can do to help end the attack. As you begin to receive more information it will also help with your own investigation. Appletree’s Joe Job information page is an excellent reference.

3. Create an alert link from your home page that directs people to the spam information page without distracting the customers who are there under normal circumstances. The point is that you need to address the issue with an official response and a way for proactive victims to do something meaningful to help stop the attack.

4. Once people begin sending you full header information thanks to step 3, you can begin doing some research to find out where the attacks are coming from. As you view the full headers, the only line which cannot be faked is the “Received” line, which usually contains the originating IP address. This may or may not be useful because a smart attacker will often bounce their emails off of several “open relay” servers, effectively hiding their original location. This information will still be very valuable to SpamCop, however, in building up a blacklist of known “open relay” servers, which will be beneficial in the long run. Make sure to create a SpamCop account and submit all of the spam emails you receive.

5. Notify your web host about what is going on. Even though the emails are not being sent from their servers, it is good for them to know what is happening. Sometimes web hosts will help with the investigation.

6. Utilize your social networks – blogs, Facebook, Twitter, etc – to send out helpful “security” reminders, while being sure not to instill fear. The people in your own network will appreciate the information even though they most likely did not receive the spam email. The spammer usually has different targets and goals, separate from your own. It is always a good idea, though, to make sure your own customers are aware of your spam policy and that you are actively on top of keeping them safe while doing online business with you.

Other than that, be very gracious and kind to the victims who complain about getting spam from your company. Being knowledgeable enough to briefly explain the nature of the problem will go a long way towards turning potentially bad press into a network of allies.
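The header review from step 4, as an added example that is not part of the original guide: it walks the “Received” lines of a submitted message and reports the address that handed the mail to the recipient's server, and whether that address belongs to your own mail servers. It assumes that only the lines written by the recipient's own servers are reliable, since lines below them are supplied by whoever sent the message; the sample message, hostnames, and the 192.0.2.0/24 “our network” range are constructed.

```python
import email
import ipaddress
import re

# Constructed sample of a spoofed message as a victim might submit it.
# Hostnames and addresses are made up (example domains, documentation ranges).
SAMPLE = """\
Received: from relay.example.net (relay.example.net [203.0.113.45])
\tby mx.recipient.example with ESMTP id abc123
\tfor <victim@recipient.example>; Tue, 01 May 2012 10:15:02 -0400
Received: from mail.yourdomain.com (unknown [198.51.100.7])
\tby relay.example.net with SMTP id xyz789;
\tTue, 01 May 2012 10:14:58 -0400
Received: from yourdomain.com (localhost [127.0.0.1])
\tby mail.yourdomain.com with ESMTP; Tue, 01 May 2012 10:14:50 -0400
From: "Your Company" <sales@yourdomain.com>
Reply-To: sales@yourdomain.com
To: victim@recipient.example
Subject: Constructed sample

body
"""


def parse_hops(raw_message):
    """Return Received hops in header order (top = added last, nearest the recipient)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))  # unfold continuation lines
        claimed = re.search(r"\bfrom\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        bracket = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", text)
        ip = None
        if bracket:
            try:
                ip = ipaddress.ip_address(bracket.group(1))
            except ValueError:
                ip = None  # bracketed text was not an address
        hops.append({
            "claimed_name": claimed.group(1) if claimed else None,
            "ip": ip,
            "by": by.group(1).rstrip(";").lower() if by else None,
        })
    return hops


def _is_trusted(host, suffixes):
    """True if host is one of the recipient's servers (exact or subdomain match)."""
    return bool(host) and any(host == s or host.endswith("." + s) for s in suffixes)


def analyze(raw_message, our_networks, trusted_suffixes=()):
    """Find the handoff IP recorded by the recipient's side and compare it to our ranges.

    our_networks: CIDR ranges of your real outgoing mail servers (assumption).
    trusted_suffixes: domains of the recipient's mail servers; the topmost hop is
    always treated as written by the recipient's server.
    """
    hops = parse_hops(raw_message)
    handoff, verified = None, 0
    for i, hop in enumerate(hops):
        if i > 0 and not _is_trusted(hop["by"], trusted_suffixes):
            break  # everything from here down is the sender's own claim
        verified = i + 1
        if hop["ip"] is not None:
            handoff = hop["ip"]
    nets = [ipaddress.ip_network(n) for n in our_networks]
    return {
        "handoff_ip": str(handoff) if handoff is not None else None,
        "sent_from_our_network": handoff is not None and any(handoff in n for n in nets),
        "unverified_claims": [str(h["ip"]) for h in hops[verified:] if h["ip"] is not None],
    }


if __name__ == "__main__":
    print(analyze(SAMPLE, ["192.0.2.0/24"], ("recipient.example",)))
```

A handoff address outside your own ranges is the evidence to include when you submit the message to SpamCop and notify your web host.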