Texas Geeks

Texas Geeks Technology support focusing on residential and small/medium businesses. Specializing in Information Security consulting.

01/22/2021

Phishing is a constant threat... *CONSTANT*! You have to be vigilant, and here's a good warning to read through. Microsoft and DHL are at the top of the list of brands most likely to be spoofed for phishing. The article talks about the others as well as red flags to look for.

Cyber criminals know how many of us are working from home and are looking to exploit that situation with phishing emails designed to copy big brands.

11/13/2020

Hi there! Here's another dose of Security Awareness Training from your friendly nerds here at Texas Geeks......

'Tis the season for Holiday Shopping. Gonna be a little different this year though courtesy of COVID and it just being 2020 in general. It's expected that online shopping will be HUGE this year due to social distancing protocols at malls, the possibility of capacity limits, and people just wanting to not hit the malls out of safety concerns.

That also means that the BAD GUYS know you're likely to be shopping online more this year. The malicious shopping scams are already popping up and we haven't even gotten to Black Friday yet.

Bringing back an article from last year that focuses on Online Shopping Safety. Please give it a read and arm yourself so that you don't get scammed this holiday season. Also, you should probably get shopping done as early as possible this year. Lots of shipping delays due to COVID protocols, so the last minute shipping options won't be there like they have been in the past.

11/09/2020

Time for your monthly dose of Security Awareness Training!

From SANS Institute:

Overview
A common misconception about cyber attackers is that they use only highly advanced tools and techniques to hack into people's computers or accounts. Cyber attackers have learned that the easiest way to steal your information, hack your accounts, or infect your systems is by simply tricking you into doing it for them using a technique called social engineering. Let’s learn how these attacks work and what you can do to protect yourself.

What is Social Engineering
Social engineering is a psychological attack where an attacker tricks you into doing something you should not do through various manipulation techniques. Think of scammers or con artists; it is the same idea. However, today’s technology makes it much easier for any attacker from anywhere in the world to pretend to be anything or anyone they want, and target anyone around the world, including you. Let’s take a look at two real-world examples:

You receive a phone call from someone claiming to be from the government informing you that your taxes are overdue and that if you do not pay them right away you will be fined or arrested. They then pressure you to pay over the phone with a credit card, gift card, or wire transfer warning you that if you don’t pay you could go to jail. The caller is not really from the government, but an attacker attempting to trick you into giving them money.

Another example is an email attack called phishing. This is when attackers create an email that attempts to trick you into taking an action, such as opening an infected email attachment, clicking on a malicious link, or giving up sensitive information. Sometimes phishing emails are generic and easy to spot, such as pretending to come from a bank. Other times phishing emails can be highly customized and targeted as attackers research their targets first, such as a phishing email pretending to come from your boss or colleague.

Keep in mind, social engineering attacks like these are not limited to phone calls or email; they can happen in any form including text message, over social media, or even in person. The key is to know what clues to look out for.

Common Clues of a Social Engineering Attack
Fortunately, common sense is your best defense. If something seems suspicious or does not feel right, it may be an attack. The most common clues include:

A tremendous sense of urgency or crisis. The attackers are attempting to rush you into making a mistake. The greater the sense of urgency, the more likely it is an attack.

Pressure to bypass or ignore security policies or procedures you are expected to follow at work.

Requests for sensitive information they should not have access to or should already know, such as your account numbers.

An email or message from a friend or coworker that you know, but the message does not sound like them - perhaps the wording is odd or the signature is not right.

An email that appears to be from a coworker or legitimate company, but the email is sent using a personal email address such as .com.

Playing on your curiosity or something too good to be true. For example, you are notified your package was delayed, even though you never ordered a package or that you’ve won a prize in a contest that you never entered.

If you suspect someone is trying to trick or fool you, do not communicate with the person anymore. Remember, common sense is your best defense.

https://www.sans.org/security-awareness-training/resources/social-engineering-attacks

09/23/2020

Seeing this question pop up quite a bit since iOS 14 was released last week. If you upgraded and are wondering what the orange or green dot above the cell signal meter is... it's a privacy notification.

Think of it like the light that comes on when the webcam on your laptop (if you have one) is in use.

In this case, the orange dot means the microphone is being used. If you see a green dot, the camera is being used; you should also assume the microphone is being used when the camera is on.

The idea with the two dots is to raise awareness of the device's activity when you are not using an app/function that should have the camera or microphone on. Spyware is the main concern as it's designed to use the camera and/or microphone when you don't think they are.

08/26/2020

Heads up for anyone using VPN or other business network remote access options while working from home:

The FBI, Cybersecurity and Infrastructure Security Agency, and other experts are warning users of a spike in "vishing" or Voice Phishing, where the malicious actor tries to impersonate a corporate help desk employee to convince users to change their VPN/Remote Access settings by visiting a malicious website. It'll look very similar to the business systems you're used to, so be VERY careful. It's a classic social engineering tactic, and unfortunately an effective one.



The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint alert to warn about the growing threat from voice phishing or “vishing” attacks targeting companies. The advisory came less than 24 hours after KrebsOnSecurity pub...

08/17/2020

THIS!! Everything about this. Read it, share it, shout it from the top of a mountain. If you follow every step in here ANYTIME an email requests you do ANYTHING your odds of not falling victim to a phishing scam increase dramatically.

One bit of terminology some might need help with: SOC = Security Operations Center, aka a room full of security nerds at a corporate office. For my non-corporate folk, I'm your SOC ;-)

Wear that tinfoil hat proudly!!

Thank you LogRhythm for publishing this!

08/05/2020

This is why we preach longer passwords. The industry standard is unfortunately only 8 characters long. Focus on length over complexity and aim for 15 characters. It's even safe to use dictionary words if you're mixing cases and adding spaces. That's the idea behind passPHRASES vs passwords. Doesn't need to be a random set of 15 characters. Pick four to five random words you'll remember. Capitalize a few of them and add spaces.
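
A passphrase generator following the advice above, with the arithmetic behind "length over complexity". This is an added example, not Texas Geeks' own code; the word list is a constructed 32-word sample, and the 7,776-word list size used for the comparison is an assumption. The entropy figures only hold when the words are picked at random.

```python
import math
import secrets

# Constructed 32-word sample list so the example runs offline. A real generator
# should draw from a list of several thousand words.
SAMPLE_WORDS = [
    "anchor", "basket", "cactus", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zipper", "bridge", "copper", "dinner", "forest", "guitar", "hammer", "magnet",
]


def make_passphrase(words=SAMPLE_WORDS, count=5, min_length=15):
    """Pick `count` words with a CSPRNG, capitalize a random few, join with spaces."""
    if count < 4:
        raise ValueError("use at least four words")
    while True:
        chosen = [secrets.choice(words) for _ in range(count)]
        chosen = [w.capitalize() if secrets.randbits(1) else w for w in chosen]
        phrase = " ".join(chosen)
        if len(phrase) >= min_length:  # enforce the 15-character target
            return phrase


def passphrase_bits(list_size, count):
    """Entropy in bits: each word adds log2(list_size) plus 1 bit for its case."""
    return count * (math.log2(list_size) + 1)


def random_password_bits(length, alphabet=94):
    """Entropy in bits of a fully random password over printable ASCII."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    print(make_passphrase())
    # 7776 is an assumed list size (a five-dice word list), not a figure from the post.
    print(f"4 random words: {passphrase_bits(7776, 4):.1f} bits")
    print(f"8 random chars: {random_password_bits(8):.1f} bits")
```
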

07/06/2020

Ransomware.....***shudder***

Ransomware is mostly targeted at businesses now. However, anyone can get hit with it if you're not careful.

This month's OUCH! newsletter from the SANS Institute dives into steps you can take to prevent, mitigate, and minimize the impact of ransomware.

Gain key insights and practical information in security awareness program building from experts in the field with our Summits and training courses.

06/22/2020

For all the iOS fans out there! keynote is in full swing and the iOS announcements have already dropped. Biggest updates (IMO) will be the redesigned home screen experience and threaded conversations in iMessage.

Here are all the new features coming to iPhones and iPads later this year.

06/22/2020

If you're running Microsoft Windows 10 and recently started having printing problems.......there's a new patch for that.

June's monthly patch release is causing minor printing issues for some. This isn't a security related patch, so don't rush out to install it unless you're having printing issues.

Windows message center

06/15/2020

Verizon's annual DBIR (Data Breach Investigations Report) for 2020 just dropped. Here are a few key takeaways:

1. End users are the biggest threat to businesses. This also directly translates to how you behave at home.
2. Credential (username and password) theft by way of is the primary threat vector.
3. The majority of breaches were financially motivated.

What does this mean for you? You HAVE to be wary of anyone, any website, any caller, ANYTHING asking for your password. Phishing sites are strategically designed to psychosocially trick you into believing you're at a website you trust. If a link in an email takes you to a site where your username and password are required, take your hands off the keyboard and count to 10. In that time you should be able to look around the site to see if there are any red flags that indicate a problem. Maybe the URL looks like your bank, but the 'i' is replaced with a '1', or something else very subtle. Maybe there's a security warning that pops up? Don't ignore those!

Also, STOP using the same password for everything. If I can trick you into giving me your password, what are the odds I can log in to sensitive sites? Use a password manager that generates strong passwords and helps store them safely.

Turn on MFA/2FA everywhere you can. That extra security step will save your bacon!

Have any other questions? Don't hesitate to reach out.

Stay ahead of threats with the insights in the 2020 Data Breach Investigations Report (DBIR) from Verizon Enterprise Solutions. Read the official report now.
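
The "count to 10 and look at the URL" check from the post above, written as a small link classifier. This is an added example, not code from Texas Geeks or Verizon; the host names and the character-folding table are constructed for illustration and cover only a few common swaps such as '1' for 'i'.

```python
from urllib.parse import urlsplit

# Constructed allow-list; in practice, the sites you actually log in to.
TRUSTED_HOSTS = {"firstbank.example", "mailcorner.example"}

# Characters commonly swapped in spoofed names, folded to one representative.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def skeleton(host):
    """Reduce a hostname to a form where look-alike spellings collide."""
    return host.lower().replace("rn", "m").translate(CONFUSABLES)


def classify(url):
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a link."""
    # urlsplit drops any "user@" prefix, so text placed before an @ cannot
    # pass for the real host.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "invalid"
    # Exact match or a real subdomain of a trusted host.
    if any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
        return "trusted"
    # Same skeleton as a trusted host but a different spelling: a red flag.
    folded = skeleton(host)
    for t in TRUSTED_HOSTS:
        if folded == skeleton(t) or folded.endswith("." + skeleton(t)):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://firstbank.example/login",
                 "https://f1rstbank.example/login",
                 "https://mailcomer.example/",
                 "https://firstbank.example@other.example/"):
        print(f"{classify(link):10} {link}")
```
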

06/11/2020

***InfoSec PSA***

If you’re using the same password for Facebook and your bank account (or anywhere else for that matter), get out there and choose something unique AND complex ASAP! Then, go turn on MFA/2FA where you can.

Mobile banking app fraud is on the rise because bank lobbies are still shut down.

https://www.scmagazine.com/home/security-news/fbi-warns-hackers-targeting-mobile-banking-app-users-during-pandemic/

Hackers are increasingly taking aim at mobile banking app users in an effort to steal credentials and commandeer bank accounts, the FBI warned today. “The

Address

Celina, TX
75009

Telephone

+19722928833
