Avoid holiday phishing attacks by taking these 3 precautions

The season for giving is also the season for taking. Lurking among the people exchanging gifts and glad tidings are shady characters whose only goal is to pluck opportunity from the well of goodwill filled each year during the holidays. For them, a Merry Christmas involves sending malicious messages via email.

Security researchers say these kinds of messages, while not unusual, flourish around Christmastime as family, friends, and workplace colleagues exchange kind thoughts in the spirit of the season. The main vehicle conveying most of these thoughts has been the e-card, which grows in popularity as we widen our circles of digital friends.

Cyber criminals relish this growth because it improves the likelihood they will reel in a sucker when they go “phishing” in this stream of e-correspondence. Recent reports on data breaches say an estimated one in 10 email users wind up getting hooked by a phishing lure.

“It’s easy for busy, distracted consumers to become victims of these schemes,” said Craig Young, a researcher at Portland, Ore.-based Tripwire, a cyber security provider. “But armed with a few basic security practices, they can drastically reduce their chances of being victimized.”

Among the practices that Young and others advocate:

  • Avoiding email from unknown addresses, or email with undisclosed recipients, and not opening the attachments in these emails. That includes e-greeting cards. If possible, confirm who sent the greeting before opening it.
  • Watching for bad spelling and poor grammar in email subject lines. Cyber criminals focus on results, not quality, because they send thousands of messages at once hoping for just a few responses. A subject line containing errors is strong proof that opening the email would be an even bigger mistake.
  • Running anti-virus software and keeping it up to date. The protections within these programs may be enough to ward off threats in emails that are opened by accident.
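
The first two precautions can be applied mechanically to a message before anyone opens it. The Python code below is an added example, not part of the original article; the sample message, the `triage` function, the `known_senders` set and the short misspelling list are all constructed for illustration.

```python
import re
from email import message_from_string, policy
# Constructed sample (not real mail); domains use the reserved .example TLD.
SAMPLE = """\
From: "Holiday Greetings" <cards@ecards.example>
To: undisclosed-recipients:;
Subject: You have recieved a Christmas e-card!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached card to view your greeting.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="ecard.zip"

(constructed placeholder, no real archive bytes)
--b1--
"""

# Illustrative list only; a real check would use a dictionary or spell checker.
MISSPELLINGS = {"recieved", "acount", "verfy", "pasword", "delivry"}

def triage(raw, known_senders):
    """Return warning flags for one raw message, before anyone opens it."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    # Precaution 1: is the sender someone we already correspond with?
    frm = msg["From"]
    sender = frm.addresses[0].addr_spec.lower() if frm and frm.addresses else ""
    if sender not in known_senders:  # known_senders holds lowercase addresses
        flags.append("unknown-sender")
    # Precaution 1: no visible To/Cc address means undisclosed recipients.
    rcpts = [a for h in ("To", "Cc") for v in msg.get_all(h, []) for a in v.addresses]
    if not rcpts:
        flags.append("undisclosed-recipients")
    # Precaution 2: spelling errors in the subject line.
    words = re.findall(r"[a-z]+", str(msg["Subject"] or "").lower())
    if MISSPELLINGS.intersection(words):
        flags.append("subject-misspelling")
    # Precaution 1: list attachments by name without decoding or opening them.
    names = [p.get_filename() or p.get_content_type() for p in msg.iter_attachments()]
    if names:
        flags.append("attachment:" + ",".join(names))
    return flags

if __name__ == "__main__":
    print(triage(SAMPLE, known_senders={"aunt.may@family.example"}))
```
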

Businesses are particularly vulnerable due to multiple users in corporate accounts – and multiple approaches to answering email among those users. That is why employees must be made part of the solution, instead of being left to become part of the problem.

“Enterprises … need to place more reliance on employees to help them defend their organizations,” said Rohyt Belani, CEO and co-founder of PhishMe, a threat management company based in Leesburg, Va. “Consistent training turns employees into informants that can spot attacks before they turn into catastrophes.”

Dive into the Deep Web (but watch where you swim)


If you ever watched the rain fill a hole in the ground, then you can understand where the term Deep Web comes from.

For the past 10,000 days – the approximate age of the World Wide Web – we’ve poured gallon after gallon of content into that vast networking structure known as the Internet and watched as that content seeped into every crevasse of our lives. And the number of sources is as vast as the structure itself; none of us truly knows where all that content originates.

Now, imagine that, instead of overflowing, the hole gets deeper and deeper to contain the content pouring into it. You can see across the surface and maybe a little below it. But other content submerges to where you need special tools for access.

Search engines such as Google and Yahoo! and web browsers such as Firefox merely skim this surface, collecting indexed information from its source. These kinds of tools probe only about 5 percent to 10 percent of the Web’s content.

Deep-Web diving, on the other hand, reveals the immense amount of information not indexed by standard search engines. Much of it is exchanged through peer-to-peer networks and resides on databases, unregistered websites, query-sensitive dynamic pages, limited sites, non-HTML sites, broken or hidden web links and backlinks, scripted content, and web archives, among other sources.

The list of useful deep-diving tools is long, but among the most common tools are Freenet, IceRocket, I2P, SurfWax, the WWW Virtual Library, a series of search applications provided by Deep Web Technologies, and the Tails operating system. There are also customized tools targeting specific caverns nestled in the Deep Web.

A word of warning, however: The deeper you go, the darker the Web gets. This is why in recent years the terms “deep” and “dark” have become conflated regarding the Web. At Deep Web’s bottom layer, there be dragons who dabble in questionable or outright illegal behavior. Using Tor, a free browser designed to protect the user’s anonymity, deep divers can peer into portions of this darker area.

Granted, not everyone at this depth wears a black hat. Good guys dwell down there, too, such as journalists, law enforcement, the military, and whistleblowers. But like anywhere else, trouble can be found if you go looking for it. So, exercise the same caution swimming in the Deep Web as you would in deep water. Keep a lifeline handy like this one (accessible through Tor) and enjoy the voyage.

7 essential security tips for using free Wi-Fi networks

Image courtesy of iStockphoto

Fear is an excellent deterrent. It saps our confidence, curtails our energy and tempers our judgment. It forces us to change our direction and our thinking.

Rarely, though, do we let it change our behavior. The consequences of fear must be palpable, looming, for that to happen.

A recent article by Maurits Martijn for the Dutch crowdfunded site De Correspondent reminds us, however, that even when a threat is real, our response to it can be irrational.

Martijn wrote at length this month about the danger we face when joining unsecured public wi-fi networks — those that do not require a password to join. To demonstrate that danger, he strolled through central Amsterdam with self-described “ethical hacker” Wouter Slotboom — not the snooper’s real name — looking for cafés that provide free wi-fi.

At each location, Martijn and Slotboom sat at any table. Then Slotboom pulled from his backpack a small black device that he placed on the table and obscured with a menu. He then linked to the device with his laptop and in moments discovered the identities of every other laptop, smartphone and tablet used by every customer in the café.

Moments later, Slotboom obtained the network identity of those customers and with that was able to discover personal information about each.

“All you need is 70 euros (for the device), an average IQ, and a little patience,” Slotboom told Martijn.

The marketplace affords Slotboom and shady sorts of his ilk plenty of potential. More than half the U.S. population of 316 million owns a smartphone or laptop, and the number of tablet owners is catching up to both. All of those devices have connected to an open wi-fi network at least once, often without a device owner’s knowledge (the default on mobile devices is set to discover available networks).

And as the mobile market grows, more doors open for hackers. The threat intelligence firm Risk Based Security, Inc. estimates nearly 1 billion records — credit card information, medical records, passwords, social security numbers, etc. — were breached in 2013, with 65 percent of the activity occurring in the United States.

Risk Based Security says we’re on a pace to suffer well over 1 billion breaches this year.

The numbers are new but the rationale for them is not; stories about wi-fi security predate the advent of public hotspots. Yet many of us disregard the threat or expect strangers to respect our personal security. We choose convenience over caution. We invest trust where none was earned.

Such behavior today borders on irresponsible; lax personal security compromises the security of others if their information is on our devices. And the threat is not looming or imminent — it’s here, happening now, via unsecured wi-fi networks across the country.

It may even be happening to you now while you sip your latte.

So, curtail the risk and subdue your paranoia by taking these small, simple steps:

Choose the correct network — During Slotboom’s staged “man-in-the-middle” attacks, he created fictitious wi-fi networks on his computer for café customers to join, and dozens did. This simplified the task of discovering passwords and account numbers; people typed them directly into his network thinking it was legitimate. Slotboom often named the networks after real businesses to make them appear authentic. He urges users of free wi-fi to verify the network, either by asking the proprietor or checking the address on signs that promote the service, to avoid joining rogue networks by mistake.

If the option exists to pay for access to a secure network, take it. A little fee trumps a big headache.

Choose ‘https’ — That “s” extension after the “http” at the beginning of a Web address indicates the connection is secure and the connection to the Web server is authentic. Not all websites have this; still others provide both. Even so, only certain amounts of traffic are encrypted, not all of it. Regular users of unsecured networks help themselves by doing homework on whether the sites they visit have this layer of security before surfing in public, and they should never, ever, shop or do anything online involving a credit card while using unsecured wi-fi.

On some sites, you can add the “s” yourself. The Electronic Frontier Foundation distributes a browser extension called HTTPS Everywhere that encrypts communications between major websites and is available for Windows, Mac and Linux.

Use ‘two-step’ authentication — Many email providers and commercial websites have the option of a second login, where users receive a texted code they must type after their initial login to gain access. Two-step or two-factor authentication reduces the chance a hacker can gain access to an account with just the password.

Use a password manager — Sometimes we feel as though there is only enough RAM in our heads to get us through the day. This leads us to concoct simple or repeated passwords for the many websites we use that require a login. A password manager program generates unique and complex passwords for each site and keeps them locked up with one master password. Password managers also guard against keylogging — the surreptitious recording of keystrokes by hackers — by automatically filling in a site’s password field.

Turn off sharing; turn on firewalls — The sharing feature allows mobile devices to connect with other devices and networks. Free wi-fi users should disable this feature when not in need of sharing. (The instructions are different for Windows and Mac.) At the same time, make sure the device’s firewall (Windows/Mac) is active and working.

Invest in a VPN — A virtual private network, or VPN, encrypts traffic between devices and designated VPN servers, thus creating a private network across a public network. VPNs run shared data through a point-to-point connection that shields the data from unwanted interference much like an umbrella shields you from the rain. Many businesses employ VPNs to let employees access company networks remotely.

The best VPNs cost a small fee for full protection. VPNs also slow down page-load speeds somewhat. Still, they add an element of confidence in an uncertain environment.

Update all software — Finally, make sure your antivirus and anti-malware programs are up to date, and install all the latest operating system upgrades. These upgrades not only enhance overall performance, they also contain patches and fixes that help hold back the most recent security threats lurking across the Web — or across the room.

(Editor’s note: This post first appeared on Net Worked, the technology blog for the Society of Professional Journalists.)