Wednesday 31 October 2018

Cyber Warfare

Photo courtesy of Pablo Amargo/Boston Globe

"Cyber warfare represents the next frontier for organized crime, state-sponsored espionage, hacktivists, and anarchists", according to Microsoft's Principal Researcher and Partner, Dr. Chris White. This was his assertion at the 2018 Global Business Forum held in Banff on September 27th.

And like many other cyber related crimes, he states that too many companies remain blissfully ignorant of the risks, only finding out after an attack has been successful and their proprietary technology, financial information or customer data has been exposed.

Five years ago there were only about 5 countries that had the capability to conduct cyber warfare, but that number has grown to over 60 countries, states Roy Boisvert of the Canadian Security Intelligence Service. He believes that "our infrastructure could be a target" yet thinks that "firms responsible for these systems are lacking in effort to defend against such attacks". 

If you think about it, hackers could cripple a country if they gained access to things like the power grid, water service, and other such critical infrastructure. I'm actually amazed that this hasn't already happened to some degree. Or maybe it has and we just don't know about it, since the government tends to keep these things under wraps in an effort to catch the criminals.

The Canadian federal government is concerned about cyberattacks perpetrated by state-sponsored agents targeting critical infrastructure and is quietly and steadily working on improving defenses in this area.

Saturday 27 October 2018

Esteban Diacono

Esteban Diacono is an Argentina-based motion graphics designer who does major work for companies like the Discovery Channel and FX. Diacono also does a lot of experimentation on the side and produces some amazing animations, as shown in the video below.

You're about to have your mind blown!!



Wednesday 24 October 2018

Do You WannaCry or Shall I Petya?

If you've never heard of Malware and things like WannaCry or Petya, it's time to learn and understand just what they are, how they work, and what you can do to avoid an infection.


There were several key crypto attacks involving malware in 2017, and WannaCry and Petya were two of the biggest. It seems the rates of cybercrime are rising, and we can't emphasize enough the importance of awareness and education when it comes to preventing yourself, your family, and your business from being victimized.

For example, WannaCry (titled so because of the appended .WCRY) was a form of ransomware that used a cryptoworm to infiltrate and take control of infected computers, holding them for ransom until payment was made in bitcoins. Similarly, Petya was another form of ransomware delivered to unsuspecting victims via attachments loaded in e-mails.



Best Practices To Prevent Malware Attacks On Your Business

Use a reputable IT company with whom to work.

Much of what is required to protect you, your computers and your website will be best advised and implemented by experts who understand the ins and outs of your computer system.

Back up your web server!

This is actually a step that will help you should you suffer an attack, rather than one to prevent it from happening. However, should your computers become infected, having everything backed up will allow you to recover quickly and avoid loss of use. Of course, backups need to be done regularly, even daily.

Minimize access.

User access should be restricted to only those who need it, including access to specific areas within the system itself. Ensure that all users have strong passwords which are changed regularly.

Track users.

Trust in your employees is important, but your server should still track all user log-ins and actions taken within the system.

Ensure file transfers are encrypted.

Use Secure File Transfer Protocol (SFTP) and Secure Copy Protocol (SCP) tools to transfer files.


Be wary of what information you provide to web users.

Avoid error codes that show your server type, or log-in error notices that only indicate a mistaken password, which lets hackers know that the user name may be correct.

Educate employees on social engineering scams.

Criminals find it easier to hack an unsuspecting person than an actual computer and use a multitude of tricks to impersonate persons of authority in order to get money or passwords.

Don't use the web server for anything but your web site.

Browsing the web or posting about personal activity on the same web server as that of your web site just opens the door to hackers looking to get in.

Update frequently.

Keeping your programs and software updated will prevent hackers from exploiting vulnerabilities.

Remove all unused programs from your system.

Popular programs often have weaknesses that hackers can exploit, so if you don't use the program it's best to remove it from the mix.

Keep software information off your server.

Store software documentation and information such as names of programs and version numbers off the server and keep it elsewhere, to avoid hackers using the information to gain access.


There are many practices and protocols that will help keep malware off your computer but along with backing up your system, having an emergency plan to deal with possible infections will help minimize damage and reduce the impact on your clients.
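To make the log-in error tip above concrete, here is an added example (not code from the newsletter or any product) showing a log-in check that tells a visitor which half was wrong beside one that gives the same reply every time and keeps the real reason in a server-side log. The account name, password and function names are all made up for the illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid user name or password."
AUDIT_LOG = []  # server-side record of every attempt (the "Track users" tip)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample data: one real account plus a dummy record that is
# checked for unknown names so both cases do the same amount of work.
USERS = {"alice": _record("correct horse battery staple")}
_DUMMY = _record("not-a-real-account")

def login_leaky(username, password):
    """Weak version: separate messages reveal which user names exist."""
    if username not in USERS:
        return "Unknown user name."
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password."
    return "OK"

def login_hardened(username, password):
    """Same reply for every failure; the real reason goes to the log only."""
    known = username in USERS
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if known and matches:
        AUDIT_LOG.append((username, "success"))
        return "OK"
    AUDIT_LOG.append((username, "bad password" if known else "unknown user"))
    return GENERIC_ERROR
```

The visitor sees one message for both kinds of failure, while the log still tells you whether someone is guessing user names or passwords.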
 



Saturday 20 October 2018

Motorcycle Therapy

So, motorcycle season is wrapping up for those of us living up here in the cold, cold north, but that doesn't mean you can't get your riding fix via some cool tales from the road in Jeremy Kroeker's book, "Motorcycle Messengers".

We had several copies of this book and gave them away as prizes

The book is a series of stories, written by those who ride and chronicling their various adventures while exploring the world on two wheels. Jeremy himself has a story but there are plenty of others, male and female, of various ages and taking place on every continent.

And, Jeremy is currently putting together the next version, with a working title of "Motorcycle Messengers 2", so watch for that getting published in the next little while.

And, watch for a copy of this current book to be given away as a little prize for an upcoming giveaway when we get closer to the Calgary and Edmonton Motorcycle Shows in January 2019.


This photo was used for the cover of the book "Through Dust And Darkness" and says it all.

Jeremy's second book, chronicling his travels in Central America





You need 'motorcycletherapy.com'!!


Jeremy rode through the Middle East and wrote a book about his adventures titled "Through Dust And Darkness"

Wednesday 17 October 2018

Bionic Runner

Check out this crazy rig, the Run4 Bionic Runner, designed to simulate the mechanics of running while reducing the impact and associated injuries or strains relating to training.


Might be a great cross training tool for those who want to run longer distances but don't want to risk injury. There are several videos on this model, as well as the ElliptoGo brand, and some interesting comments about the "bikes", if you can call them a bike!

Saturday 13 October 2018

Broken Record?

This may sound like a broken record but the recent Facebook security breach is yet another reminder of just how serious people need to be about cyber crime.

photo courtesy of Consumer Reports

Yes, this particular breach by hackers was huge and affected as many as 90 million users. But it's the insidious nature of the hack and the kind of information that was taken that may have more serious repercussions down the road.

Read this interesting article by Allen St. John, which he wrote for Consumer Reports on October 5th. Particularly notable, since this is Cyber Security Awareness Month!

For more information on cyber security, check out these other posts:

"Malware And Ransomware"
"Oh So Many Types Of Phishing Scams"

Or, simply go to "On The Road With Paul" and type in Cyber Security on the search tool.

Also, check out the BlueCircle Blog page for additional cyber security information, including insurance coverage for this risk.

Wednesday 10 October 2018

Government Cyber Security Action

Since October is Cyber Security Awareness Month, most of this month's posts are focussed on various aspects of cyber crime, including some of the terminology, as well as the ways criminals use technology to scam people and some of the ways you can protect yourself, your family, and your business.

Photo courtesy of Get Cyber Safe

Information and understanding are a big part of avoiding being the next victim. Here's a quick link to the Get Cyber Safe website published by The Government Of Canada.

Saturday 6 October 2018

Malware and Ransomware

I just read an interesting article about Malware and Ransomware that was in a newsletter sent to me by Alberta based "Enviro-Shred", who look after certain elements of our document security here at the office.

They were discussing a series of attacks on Canadian companies, describing the circumstances and how they were dealt with, in some cases involving payouts to cyber criminals.

There are plenty of examples of how this form of cyber crime occurs, but what's more important about the article were the suggestions on how to protect oneself and one's business from becoming a victim.

5 tips to protect you against ransomware attacks


  1. Invest in a trusted security solution.
    The detection and removal of malware is essential not only to protect you, but also to prevent these threats from spreading further afield.
  2. It is essential for companies to make regular backups of files.
    Not just backups in the cloud, but physical backups stored outside your network, which are less likely to be reached. Automated online backups could be affected by a cyberattack, as criminals have a stake in overwriting them or making them inaccessible.
  3. Do not underestimate the usefulness of backup media that are not rewritable or reusable.
    If you can’t change what’s written there, criminals can’t either. Check if your backup works correctly and that your media (read-only, write-once or rewritable) are still readable (and that writable media are not always readable). And save your backups.
  4. You should already have in place a process to activate in case of a cyberattack.
    Remember that apart from the direct impacts on your business, a security breach can affect your customers’ trust. The plan should include communication strategies, in addition to other measures you should put in place following an attack. Of course, since your backups protect your data against ransomware and other malware, they must be part of your disaster recovery plan.
  5. Some people might decide to pay the ransom in the hope of recovering their data, even knowing that this encourages cybercrime.
    Before paying, however, check with your security software provider to see whether recovery might be possible without paying the ransom. You also need to know whether the payment of the ransom might actually allow recovery for a particular ransom variant, as this is not always the case.

Wednesday 3 October 2018

Oh So Many Types Of Phishing Scams

Despite the ever increasing frequency of "phishing" scams, and the amount of time, energy and money lost to this crime, it seems that too many people and businesses are blissfully unaware of how to recognize and react to these threats. 


Here's a few terms that explain the nature of phishing.


E-mail Spoofing: An e-mail that appears to be from a legitimate or known person or business but has been forged and is actually from a different sender.

Before opening an e-mail, always place your cursor over the address without clicking it and you can see the actual sender details.

Social Engineering: Criminals represent themselves as authority figures, business leaders or IT personnel, then manipulate or coerce individuals to divulge personal information or carry out specific acts that compromise security or finances.

Develop e-mail and phone call protocols for yourself and your family, as well as your business partners, associates and employees, and follow the "slow down and think before you act" philosophy.
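Hovering over the sender address, as suggested under E-mail Spoofing above, is a manual version of a check that can be run on the raw message headers. The following is an added example, not part of the original post: it flags the common signs of a forged sender, using a constructed sample message whose names and domains are invented, and it assumes the Authentication-Results header was added by your own mail server.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every name and domain here is invented.
SAMPLE = """\
From: "Example Bank Support" <support@examp1e-bank.test>
Reply-To: payments@collector.test
Return-Path: <bounce@mailer.test>
Authentication-Results: mx.recipient.test; spf=fail; dkim=none
Subject: Verify your account

Please verify your account details.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def spoofing_signals(raw_message, expected_domain):
    """List the reasons a message claiming to be from expected_domain looks forged."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    # The display name can say anything; only the address domain counts.
    if from_domain != expected_domain:
        findings.append("from-domain-mismatch")
    # Replies or bounces routed to another domain are a common giveaway.
    for header, label in (("Reply-To", "reply-to-differs"),
                          ("Return-Path", "return-path-differs")):
        value = msg.get(header)
        if value and domain_of(value) != from_domain:
            findings.append(label)
    # Only trust this header when your own receiving server wrote it.
    auth = msg.get("Authentication-Results", "").lower()
    for mechanism in ("spf", "dkim"):
        if f"{mechanism}=pass" not in auth:
            findings.append(f"{mechanism}-not-pass")
    return findings
```

Calling `spoofing_signals(SAMPLE, "example-bank.test")` reports all five signals, including the look-alike domain that swaps a letter for a digit.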


Here's a few types of phishing scams and ways to avoid being "caught":


Deceptive Phishing: as mentioned in the description of E-mail spoofing, criminals send e-mails that appear to come from recognized and trusted sources, asking for you to verify account details and information, or asking you to make a payment. With this information, scammers can access your bank account or use your credentials to get credit cards.

Knowing that banks and other legitimate businesses do not ask for this type of information helps, but also watch out for generic greetings, incorrect grammar or spelling mistakes.

Spear Phishing: Similar to "deceptive phishing" except criminals have gathered personal information about you from social media and other easily available sources and use that to earn your trust by making a personal connection.

Again, this type of messaging will likely contain spelling mistakes and grammatical errors, as well as some sort of sense of urgency or an ultimatum if not acted on immediately.

C.E.O. Fraud: Using the same techniques as those in "spear phishing", scammers impersonate a business leader, such as the C.E.O. or company president, and request an employee to make a payment or transfer funds on their behalf.

As with any company security, protocols must be established, and education and training implemented, to help employees recognize these types of attacks.

Pharming: Hackers poison a website's Domain Name System (DNS) and redirect users to a false site which is under the scammers' control in order to intercept payments.

When using a website for payments and other financial transactions that require security, always check the URL and look for the secure certificate. Use only HTTPS-protected sites.

Dropbox or Google Phishing: E-mails invite recipients to receive a shared file or download a document that appears on an official website but they are actually redirected to one controlled by the fraudsters.

Use two step verification for entering secure sites and accounts.




  • As already mentioned, being aware of the ways and means that scammers use to phish will go a long way in protecting yourself.
  • Always be wary when clicking on links and opening unsolicited e-mail invites.
  • Check websites for the HTTPS designation and consider using anti-phishing tools that analyze websites and check against known phishing sites.
  • Keep your browser up to date and check your accounts regularly.
  • Use anti-virus software and firewalls.
  • Be wary of pop ups online.
  • Best practice is to not give out personal information. Better to research the institution you are wanting to do business with, contact them yourself and set up a secure account.