#city | #ransomware | Don’t Pay the Ransom in a Cyberattack: FBI

Source: National Cyber Security – Produced By Gregory Evans

FLORIDA — As the FBI continues investigating the latest municipal cyberattack, on Pensacola, the question for many officials is whether or not to pay the ransom.

  • Pensacola dealing with cyberattack
  • 2019 bad year for cyberattacks in Florida
  • FBI and Cyber Florida experts say don’t pay ransom

FBI policy says no, but in the last year Florida attacks have netted millions in ransom.

The international statistics are even more alarming.

In 2019, reported payments made by six Florida municipal governments to hackers have totaled almost $3 million.

Most of these payments are covered by cyber insurance.

For example, Lake City officials said they paid a $10,000 deductible on an estimated $480,000 ransom covered by their insurance.

One city, Stuart, got off without paying the ransom because they had backed up their servers.

Over the summer, the Conference of U.S. Mayors passed a resolution not to pay ransoms.

They stated it “encourages continued attacks.”

The lesson learned from other major cyberattacks is that you end up paying anyway.

The City of Atlanta reportedly paid out $17 million while reportedly Baltimore paid $18 million.

Usually the cost to a city involves two categories.

There’s the cost of recovery and the cost of server downtime, which a 2019 Coveware report found to be 5 to 10 times the cost of the ransom.

Cyber Florida, USF’s online security institute, told Spectrum Bay News 9 there’s a reason not to pay, which is in line with FBI policy.

Cyber Florida officials said there’s no guarantee cities will recover completely after a cyberattack.

The Coveware report also found 2019’s cyberattacks have become more complex.

At the start of the year, downtime lasted about a week.

By midyear, it was up to a week and a half.

The post #city | #ransomware | Don’t Pay the Ransom in a Cyberattack: FBI appeared first on National Cyber Security.

#cybersecurity | #hackerspace | Dropbox Phishing Scam: Don’t Get Fooled by Fake Shared Documents


Hackers use familiar brands like Dropbox to steal login credentials and spread malware

It’s funny how hackers, phishers, and scamsters can be blatantly obvious and inexplicably unpredictable at the same time. I’m saying obvious because they target the most widely used services/platforms and lots of users know what they’re up to — not just security professionals, but many ordinary users know about these phishing scams and what to look for. Phishers might be predictable in going after big names but it’s the unpredictability in their approaches that makes them tick. Time after time, they come up with new ways that help them achieve exactly what they want and make them “successful.” The Dropbox phishing scam is a perfect illustration of this.

The Dropbox phishing scam surfaced around a year ago and made headlines in many popular publications. It hasn’t gotten as much attention recently, but even after a year, attackers are still targeting users using this same-old trick. And therefore, you need to know about it.

Let’s hash it out.

Dropbox Phishing: It All Starts with a Simple Email

This is how it all starts: You receive an email (either text or HTML-based) from a person saying they have shared an important document with you. The email looks a lot like an official Dropbox email and has a link to access the document. To make it look authentic, some of these emails include actual links to Dropbox in the footer of the email. These are links to Dropbox’s Terms of Service, Privacy Policy, and Help Center.

Here’s a pretty simple example:

Check the “From” Details Carefully

As you can see in the screenshot above, this phish email has “Dropbox” as its sender’s name. It’s easy to fall prey to this as the sender name and the email style make it look like an actual Dropbox

However, if you look closely, you’ll see that the from email address and the embedded link are clearly not Dropbox.

However, if you’re skimming through your email (as many of us do), it’s easy to fall for this Dropbox phishing scam. Once you click the link, the URL takes you to a web page that looks almost exactly like an actual Dropbox login page.

More advanced Dropbox phishers take the scam to the next level…

Check URLs Carefully — Even If They Include “Dropbox”

Some Dropbox scammers are carefully picking URLs that look official at first glance.

For example, they will include common keywords such as “Microsoftonline” or “Dropbox” in the domain or subdomain to make it look like a genuine domain:


HTTPS URLs Aren’t Always Safe

And the cherry on top is how phishers use fake HTTPS URLs. The link that you’re being redirected to isn’t an HTTPS link: it has HTTPS in the link text, but not as the protocol. If an SSL certificate protects a website, it will look like this: https://www.(website name).com/. The fake Dropbox URL looks like www.https-(fake website name).com. See the difference?

Another trick that phishers have recently adopted is using an HTTPS website. No, the previous sentence doesn’t contain any technical error; it’s a fact that most phishing websites feature HTTPS now. In such cases, users are more likely to fall for it as they’re trained to look for that secure padlock.

Phishers are a Poor Man’s Magicians: Here’s How to Catch Them

What do magicians and phishers have in common? Well, they both take advantage of our psychological limitations to distract us and make us look where they want us to.

However, the silver lining here is that the phishers are far from good magicians. A great magician can take their secrets with them to the grave. But with a bit of concentration and training, you can catch almost every phisher.

So, here’s how you can CATCH the PHISHers (Got it 😉 ?).

Check the Email Address

First of all, you should always check the email address of the sender. Is the email sent by someone you know? Is the email coming from Dropbox’s (or any service provider’s) list of official domains? This is the first thing you must check, and you should not proceed further if the email is not familiar and/or it’s been sent from a domain that’s not been mentioned in Dropbox’s list of its official domains.

In my experience, doing this one check will protect you from most email phishing attacks as hackers shouldn’t have access to Dropbox’s official domains. However, you should be cautious even if the email appears to be from an official Dropbox domain as some email servers are not configured to check SPF/DKIM records, so spoofed emails will be let through.

Check the Link URLs

If the email passes the first security check, then you should check the links in the email:

  • View the web page in your browser and check for “https” at the start of the URL. It should look like https://www.(website name).com/. (Note: Google Chrome hides the https:// until you double click in the address bar.)
  • Once this check is done, you should again go back to Dropbox’s list of official domains and then check if this domain is on the list.
  • To double-check the authenticity of the website, you should also check the SSL certificate Dropbox uses. As you can see in the screenshot, the Dropbox site is protected by a DigiCert EV (extended validation) SSL certificate, and this certificate has been issued to Dropbox, Inc.
Graphic: Avoid Dropbox phishing scams by checking validity of URLs and site SSL certificates

Extended validation means that the certificate authority (DigiCert, in this case) did an extensive verification of Dropbox, Inc before issuing the certificate. This way, you can be sure that the website you’re on actually belongs to Dropbox.

Quite simple, isn’t it?

What Could Happen If You Fall Victim to the Dropbox Phishing

Dropbox stores the data of more than 500 million users and 200,000 businesses, and it’s the most significant cloud sharing and storage company in the world. Putting a malicious file in just one employee account could be a brutal blow to the privacy of an entire organization. And it’s not just the privacy, but the existence of a business could be at stake—that’s a good enough reason to take your Dropbox security pretty seriously, don’t you think?

Unfortunately, that’s not where it stops. A phisher who has taken complete control over your account and associated data using malware could demand a significant ransom if you want your account back. In technical terms, this is called ransomware.

The consequences of Dropbox phishing could be even more brutal if you’re one of those persons who uses the same password pretty much everywhere. Every bit of information you have on the internet could be in the hands of the attackers. Just think about it!

Hackers may also scan your account to automatically find valuable data in your saved documents. This could include customer data, payment details, login credentials for other platforms, or anything else you might have that’s sensitive.

Last Word on Dropbox Phishing

All scammers — whether in the real world or online — take advantage of our human limitations. Either they make us see and feel something that isn’t there, or maybe they give us some lucrative incentive to distract us (we’ve all heard of the Nigerian Prince scam, haven’t we?). With a little bit of awareness and concentration, you can be a step ahead of all the phishers.

Tip of the day: Remember to look where you want to, not where they want you to.

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Jay Thakkar. Read the original post at:


#nationalcybersecuritymonth | NCSAM is Over, But Don’t Let Cybersecurity Fade to Black

This Halloween season, we’ve explored the deepest, darkest corners of cyberspace in our National Cybersecurity Awareness Month (NCSAM) blog series—from cyber spooks and digital demons to deathly data breaches and compliance concerns. Our panel of cybersecurity experts assembled to tell you the spookiest things they’ve seen […]

#cyberfraud | #cybercriminals | Your Data Is Out There: Don’t Freak Out, Do Take Action

Equifax, Facebook, Capital One, Yahoo — every week seems to bring news of another data breach. Millions of consumers’ sensitive information, such as login credentials, bank account info and Social Security numbers, is floating around the internet just waiting to be exploited. And 2019 is on […]

#nationalcybersecuritymonth | Don’t let these scary cyber safety risks creep up on you | Features/Entertainment

THE CONCERN: October is National Cybersecurity Awareness Month, and the Better Business Bureau is scaring up the latest on cyber security risks and ways to avoid them. Watch out for these spooky dangers lurking in the corners of our everyday digital lives. HOW THE SCAM WORKS: […]

#deepweb | Please Netflix, don’t kill TV


In this column, “Just putting this out there…,” we write about the odd ways we engage with tech and the unpopular opinions we form about it. You can read the rest of the articles in this series here.

Ever since Netflix came along, TV stations have become pretty much pointless, right? I mean why go through the excruciating process of waiting a week for a new episode of your favorite show when you can simply stream the entire season in one day? While that’s a solid argument, it still comes with an awful problem: choice.

Now, you might think that “choice” isn’t much of a problem at all — but you’re wrong. With the choice that streaming services bring, comes the loss of not having to make a choice. Deep, right? 

Let me explain

First up, I’m a rather extreme case because, growing up in Iceland, I only had one TV channel for most of my life, but my situation is still applicable and you should take my opinion as fact.

I’ll paint you a word-picture of an eerily familiar scenario. You come home after a long tiring day at work, kick off your shoes, wolf down dinner, and then firmly plant yourself in front of the screen, hoping to transcend the mundanities of daily life and be spirited into a new world. 

But if you’re not currently knee-deep in binging a series, choosing the next show to watch is a pain. You see the thumbnails of series your friends have said YOU ABSOLUTELY MUST WATCH, but right now you’re not really in the mood to be challenged intellectually — it was a tough day. So you decide to definitely watch it sometime soon, and then end up rewatching The Office for the gazillionth time.

Too many options mean tough decisions, which means returning once again to the familiar and safe bosom of a long-worn out show. No adventure or new discovery. No ticking a movie off your bucket list.

And this is a problem shared by many, judging by how many people read our guide on how to find something to watch on Netflix. There’s also a TED talk on how more choice can actually make us not happier but more dissatisfied, so I have double proof and you have to believe me.

This talk is actually from 2005, before Netflix became the hottest streaming service in the world, but I’m gonna forcibly apply it to Netflix to make my case. Psychologist Barry Schwartz’s argument basically boils down to this: when faced with too many options, it actually produces paralysis, and even if we overcome it, we’ll be less satisfied with our choice.

Unlike watching linear TV, streaming always puts you in the driver’s seat, forcing you to deal with the existential dread of making the right choice or feeling like a failure for having wasted an evening on The Holiday Calendar. With linear TV you might waste an evening, but it isn’t really your fault — or at least it’s easier to lie to yourself that it isn’t.

Linear TV’s greatest strength: Discovery

There are so many films and documentaries I’ve enjoyed that I would never have consciously ‘put on’ Netflix, as it would’ve felt like too much of an investment. Will I really have the time and attention to sit through a two-hour documentary about the history of Italian bidets? Only the gods know. But finding it already playing when I turn on the TV is just the nudge I need. And while this isn’t necessarily the best content out there — the documentary on French bidets was far better — it does broaden my horizons.

Then there’s also all the types of shows and segments that streaming just hasn’t been able to master as of yet. Daily and deep-dive news programs, talk shows on topics such as literature, arts, niche subcultures, and shows depicting local issues and interesting tidbits. Linear TV still has these in the bag.

I’m also a relatively smart person (my mom says so), which I owe in part to all the ‘knowledge’ I’ve randomly gleaned from TV, especially when I was a kid. Every day I’d plant myself in front of the ol’ picture box and absorb the world’s collective knowledge like a sponge.

But a lot of channels suck, right?

TV stations are of course incredibly diverse and different between countries and regions — basically, there’s a lot of crap out there (looking at you, US). There’s also an incredible amount to choose from, so mindlessly flipping through channels until I hit a rerun of The Office means I’m in the same predicament as I am with streaming. There are also annoying ads, but that’s capitalism, baby. I still maintain the linear TV viewing experience is much purer.

There’s something so beautiful about tapping into a stream of content enjoyed simultaneously by masses of people around the country, whether it’s a quality program or a disruptive ad. There’s a sense of camaraderie and companionship, as you give up a certain amount of control to join them. Instead of being a lonely, cooped-up, omnipotent streaming god, where the time of day has no meaning and all of the world’s creation is at your fingertips, you decide to acknowledge the world around you, your place in it, and all its limitations. 

You might not get exactly what you wanted, but who says you knew what that was anyway? You open yourself up to discovery and new ideas as you plug yourself into a beam of emotions and a sense of time that you share with the rest of society. Basically, it keeps you anchored in the stormy seas of technological progress and societal disunity (damn I’m a good writer).