The Phishing Gallery – September 2013

By Scott Aurnou

‘Phishing’ attacks are designed to steal your personal, financial and/or login information. They can be delivered in a few ways, including by email or by text message (the latter referred to as ‘smishing’). They often contain links to websites that look legitimate but are really there to steal your account login information, or that host malware ready to attack your computer as soon as you click on the link. These emails and messages can also be used to lure you into contact with scam artists posing as potential clients or officials offering to release substantial funds to you, if only you would be so kind as to give them detailed personal information and/or a sum up front. Phishing attacks are generally designed to make you take action by either frightening or tempting you. Some of them are actually very well crafted. Some, not so much. And some border on the ridiculous. Each month at The Security Advocate, we will present a few examples, along with explanations of what to look out for to avoid falling victim to one of these scams.

First up, we have a confirmation message for something you don’t recall signing up for. The subject line is “Your registration was successful” and it reads as follows:

Addison Jenkins, Users Support Service
Your registration was successful.
An email containing confidential personal information was sent to you.
Click here to obtain more information.

The idea here is simple: you receive the email, wonder what service sent it (as that information is conspicuously absent), click on the link, and your computer is immediately attacked by malware and/or you are taken to a website with a form you can fill out (with account and/or detailed personal information) to ‘opt out’ of the service you never signed up for. This gives the scammers who actually sent the message enough data to break into your online accounts and possibly impersonate you as well. Any message like this is a fake. Simply put: you should never click on any links contained in an email (or text message) coming from someone you don’t know.

Posted in Fraud & Scams, Laptops & Desktops

Too Many Passwords to Remember? Use a Password Manager


Computer Security Tip of the Week

Scott Aurnou – Security experts will always tell you to use different, hard-to-break passwords for every website you log into, but it can be pretty hard to remember all of them. Password management software solves that problem for you. Here’s how…

Websites referenced in this video include:
Roboform Everywhere
Kaspersky Password Manager
DataVault
KeePass
LastPass

If you enjoyed this video, you can see more on TheSecurityAdvocate YouTube channel (and subscribe if you like).

Posted in Cloud Security, Laptops & Desktops, Network Security, Security Tip of the Week, Smartphones & Tablets

What is Endpoint Security?

By Scott Aurnou

Literally speaking, ‘endpoint security’ refers to protecting the various electronic devices that can connect to a computer network. Each device that can access a network creates a separate endpoint that has to be secured. This can include anything from cameras to printers or anything else connected to the network, though for most people endpoint security means protecting laptops, smartphones and tablet computers against various electronic threats, as well as physical ones (like being stolen). In practice, this means trying to put in place an equal minimum level of protection for every device capable of accessing the network. To enforce this, a network may be configured to only allow access to devices that have certain specific security measures in place before they connect to the network and potentially access proprietary information and/or sensitive data. If an infected laptop, smartphone, tablet or portable storage device – like a USB thumb drive – does connect to the network, it could upload malicious software (aka malware), or sensitive data from the network could be exposed once it is downloaded to an improperly secured device.

While this may sound like a relatively straightforward process, it’s often one of the weakest spots in any computer network. This is because of an increasingly common workplace concept referred to as Bring Your Own Device (aka BYOD). Employees, guests, consultants, students, doctors, co-counsel, family members, etc. frequently use their own laptops, phones and tablets and generally expect to be given access without the ‘hassle’ of having them checked first or downloading security software, thereby exposing the network to whatever unfriendly software is lurking on their devices. An infected device can easily spread malware like a computer worm that, by design, will self-replicate, spread throughout a system and create openings for additional malware like rootkits and Trojans (all things you would definitely rather not have on your network).

Posted in Laptops & Desktops, Network Security, Smartphones & Tablets

How Can You Email Clients (or Patients) Securely?


Computer Security Tip of the Week

Scott Aurnou – Given the current climate of (understandable) suspicion over who can access email in transit and the client and patient privacy provisions of rules and laws like the American Bar Association’s Model Rules or HIPAA, what steps can you take to safeguard the emails you send? Here are a few suggestions…

Websites referenced in this video include:
Cubby

If you enjoyed this video, you can see more on TheSecurityAdvocate YouTube channel (and subscribe if you like).

Posted in Privacy Issues, Security Tip of the Week

Changes to HIPAA Breach Notification Rule: What Providers Need to Know Now

By Catherine G. Patsos, Esq.

Changes to the Health Insurance Portability and Accountability Act (HIPAA) Rules are here,[i] and covered entities and business associates have until September 23, 2013 to comply with them. Many changes have been made to the Breach Notification Rule, as well as the Enforcement Rule, Notice of Privacy Practices and marketing requirements. One of the most significant changes for providers is that a business associate’s discovery of a breach is imputed to the covered entity, so that the covered entity is presumed to have knowledge of the breach at the time the business associate discovers it, regardless of when the business associate notifies the covered entity of the breach. These changes to the HIPAA rules require covered entities to take a closer look at their business associate agreements, and revise them to implement as many safeguards against liability as possible.

Modifications to the Breach Notification Rule

The definition of a breach has been modified to clarify that an unauthorized use or disclosure of protected health information (PHI) is presumed to be a breach unless the covered entity or business associate demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised. This definition eliminates the previous harm standard (i.e. that the breach posed no significant risk of harm to the individual) and replaces it with a low probability test. Breach notification is now required in all situations where there has been an unauthorized use or disclosure of PHI, except where the covered entity or business associate demonstrates through a risk assessment that there is a low probability that the PHI has been compromised, or another exception applies.

Posted in Guest Posts