Category: Security & Spam

Verify Your Symantec SSL Certificates ASAP

The What:

Website owners who use SSL certificates purchased from Symantec prior to June 1, 2016 will need to replace them soon, or site users will begin seeing the warning shown below. This includes certificates issued by companies owned by Symantec, including Thawte, Verisign, Equifax, GeoTrust, and RapidSSL.

The When:

The Chrome v66 browser, which arrives mid-April, and Firefox v60, coming in May, will both display the above warning. Other browsers will most likely follow shortly. In October 2018, new versions of Chrome and Firefox will completely remove support of any kind for affected certificates.

The Who:

The major players in this scenario are Google (makers of Chrome) and Mozilla (makers of Firefox) on the browser side, and Symantec and DigiCert on the SSL side. DigiCert has purchased Symantec’s certificate-issuance division and is currently working with Google and Mozilla to repair the situation.

The How:

If your website’s URL begins with https:// then you are using an SSL certificate. To check its validity, visit the link below and enter only your domain name (the www.name.com part) to see whether your current certificate will remain valid or will need to be replaced:

https://www.websecurity.symantec.com/support/ssl-checker

The Why:

A series of poor decisions and misplaced trust in third-party outsourcing resulted in Symantec issuing thousands of faulty SSL certificates. More than once. This isn’t a spur-of-the-moment event; rather, it is a joint decision made by the major browser manufacturers, put in place over time, in an effort to maintain consumer confidence in the SSL certificate system in general.

The ‘What The Heck Do I Do’:

If you have a valid SSL, then you should be good to go. It wouldn’t hurt to re-check closer to October, though, just to be on the safe side.  If you get the dreaded ‘you must replace’ message, you have a couple of options:

  1. DigiCert is offering to replace all Symantec-issued certificates (including those issued by the subsidiaries listed above) for free. To claim your free replacement, visit this link (the sooner the better): https://www.digicert.com/replace-your-symantec-ssl-tls-certificates/
  2. If you prefer, you may request that your website host replace the SSL certificate with one from another company. There’s no guarantee that this will be free, however. Discuss your options with your hosting provider.

If all of this is more than you want to deal with, contact Diamond Mind Web Design for help at (417) 496-9905.

The Other Stuff:

For more information regarding the contents of this post, please view the following articles:

Beware the Google Listing Scam

Perky voice on my phone today….

“Hi! This is Sarah, calling about your Google listing? I’m looking at my system here, and it still looks like your listing is incorrect. Correct listings mean you’re much more likely to be ranked above your competition. So if you’ll call me back at (1-800-number) and get me the correct information, we’ll get it all updated! ”

Translation: “Hi, I’m a scammer! I have no relationship at all with Google — you’ll notice I never said I actually worked there. I’m really trying to get your name, social, and any password info you’re dumb enough to give me! Have a nice day!”

I’ve heard from several of my clients about similar calls within the last few days, all with the same basic question: Is this legit or bogus? The answer — ding ding ding! — is BOGUS.  I tell them that Google is like the IRS — they will NEVER call you to ask for personal details about you or your business (unless you have specifically requested them to).

In fact, 95% of the contacts you may receive about business listings, either via phone or email (or even text) are scams of some sort or another. They may be straight up phishing scams like this one, or if coming from places like YP.com, scams of the “technically we’re telling you the truth, but leaving out some really, really important details” variety.  But that’s a post for another day…

Anthem Breach Affecting 2 Million Missouri Residents

Yes, another data breach, from another big company. In case you haven’t figured this out by now, your personal identity data is no longer safe online. Think that’s an overstatement?  Try this list on for size:

  • Anthem Blue Cross/Blue Shield
  • Target
  • Neiman Marcus
  • Michaels
  • Dairy Queen
  • UPS
  • Home Depot
  • Goodwill
  • JP Morgan Chase
  • Jimmy John’s
  • Kmart
  • Staples
  • Sony
  • The list could go on and on

In case you’re wondering what that hacker is holding, it’s called a “floppy disk”, which were in use the last time data encryption laws were updated.

Image courtesy of chanpipat at FreeDigitalPhotos.net.

All of these companies have suffered data breaches recently, in each case losing thousands, if not millions, of customer data sets to hackers. That data, depending on the case, could include your name, address, SSN, credit card number, birth date, telephone, email, and so on. With so many hacks occurring, odds are your information was included in one.

One of the most interesting things in the news about Anthem is that insurers aren’t required to encrypt consumers’ data under a 1990s federal law that remains the foundation for health care privacy in the Internet age.  This seems kind of strange at first, but consider that any law dated from the 1990s is as outdated as AOL dialup, and REALLY needs to be updated.

Regardless of who is at fault, Anthem is at least attempting to give aid to the 2,000,000+ Missourians affected (and those in other states as well), by providing 2 years of free credit monitoring and identity theft repair through AllClearID. To read more about the hack from Anthem, click here to visit AnthemFacts.com. I highly suggest you sign up!


Online Safety Tips for Your Family

The latest issue of “In The Loop”, from Sanford, Lea & Associates, has a terrific article on tips for keeping your family safe online.  Everyone is a computer user these days, from your child playing online games to grandma learning to use Facebook.  There are security and privacy concerns with any type of online activity, so be sure to read up and familiarize yourself with what you can do to be more secure.  (And if you need accounting services, you can’t go wrong with Sanford, Lea & Associates!)

Read the entire article here.

eBay Hacked, So Time To Change Passwords… Again!

Yesterday, eBay reported that hackers had access to a stored password database sometime between February and March of this year. The company says no financial data was revealed — but it’s urging its users to update the passwords on their accounts anyway. (And if you use the same password for other sites, change them as well!)

Unfortunately, the hacked database DID include, in unencrypted format, eBay customers’ names, email addresses, physical addresses, phone numbers and dates of birth. Which means even if your eBay password is never cracked, hackers still have all the information needed to attempt identity theft.

Although the company did not release the number of people affected, if you do belong to eBay, expect to receive fake deals and offers. Be very aware of getting duped into revealing even more sensitive information, like your bank details or Social Security number. And, as always, keep an eye on banking and credit card transactions for anything that looks suspicious.

You can read the official post from eBay here: http://www.ebayinc.com/in_the_news/story/ebay-inc-ask-ebay-users-change-passwords

HeartBleed Vulnerability No Laughing Matter

By now you have probably heard about the HeartBleed security vulnerability — news about this bug has been so widespread in the last few days that it even made the Tonight Show monologue.  But HeartBleed is no joke — it is potentially the most serious issue to ever have affected the Internet.

A quick technical explanation of HeartBleed: the bug allows a remote attacker to read 64k of memory from a system running an affected version of OpenSSL. That means an attacker can potentially pluck out usernames, passwords, the secret keys used for SSL/TLS encryption (and with them, decrypt “secure” communications), and other sensitive information.
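To make the mechanism concrete, here is an added illustration (not code from the original post, and not OpenSSL’s code): a small Python model of a TLS heartbeat message whose declared payload length is not checked against the bytes actually received, next to the bounds check that fixes it. The server’s neighbouring memory is a constructed stand-in, not data from any real system.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 3       # 1-byte type + 2-byte payload_length (RFC 6520)
PADDING_LEN = 16     # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever happened to sit next to the request in the
# server's heap; not data from any real system.
SIMULATED_HEAP = b"session=alice;password=hunter2;-----BEGIN RSA PRIVATE KEY-----MIIE..."


def build_heartbeat(payload, declared_len=None):
    """Encode a heartbeat request. A declared_len larger than len(payload)
    produces the malformed message at the heart of the bug."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * PADDING_LEN


def respond_unpatched(record, heap_after_record):
    """Vulnerable behaviour: trust the peer's length field and copy that many
    bytes from the payload onward, running off the end of the record into
    whatever memory follows it."""
    hb_type, declared_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return b""
    memory = record + heap_after_record          # record sits at the start of the buffer
    echoed = memory[HEADER_LEN:HEADER_LEN + declared_len]
    return struct.pack("!BH", HB_RESPONSE, declared_len) + echoed + b"\x00" * PADDING_LEN


def respond_patched(record, heap_after_record):
    """The fix: header + declared payload + padding must fit inside the record
    actually received; otherwise the message is silently discarded."""
    hb_type, declared_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return b""
    if HEADER_LEN + declared_len + PADDING_LEN > len(record):
        return b""                                # drop it, never echo
    echoed = record[HEADER_LEN:HEADER_LEN + declared_len]
    return struct.pack("!BH", HB_RESPONSE, declared_len) + echoed + b"\x00" * PADDING_LEN


def leaked_memory(response, sent_payload):
    """Whatever came back beyond the payload (and its padding) the client sent."""
    if not response:
        return b""
    echoed = response[HEADER_LEN:len(response) - PADDING_LEN]
    return echoed[len(sent_payload) + PADDING_LEN:]


if __name__ == "__main__":
    bad = build_heartbeat(b"ping", declared_len=60)   # claims 60 bytes, sends 4
    print(leaked_memory(respond_unpatched(bad, SIMULATED_HEAP), b"ping"))
    print(leaked_memory(respond_patched(bad, SIMULATED_HEAP), b"ping"))
```

A real attacker could repeat the request thousands of times with a different slice of memory each time, which is why changing passwords and re-issuing keys was necessary once servers were patched.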

One important thing to know about HeartBleed is that it does NOT affect every website where you may have stored a password.  It DOES, however, have a good chance of affecting all the most important, sensitive websites, such as your bank, your credit cards, anywhere it is necessary for secure communications on the Web.

What should you do, then?  IMMEDIATELY log in to all of your critical websites (PayPal, bank, credit cards, loans, etc.) and change your passwords.  You can do this for all stored-password sites if you want, but for those less critical, it may be wise to wait around a week, to be sure the vulnerability has been addressed.  After a week, though, you should log in to all of your sites, including the critical ones, and change your passwords AGAIN.

A brief note on passwords: NEVER use the same password across multiple sites, especially critical ones.  Passwords should NEVER be words that can be found in the dictionary, proper names, easily identifiable dates (such as birth dates, anniversaries, phone numbers, etc.).  Passwords SHOULD be at least 13 characters in length, and consist of some combination of numbers, letters (lower- and upper-case), and punctuation.

If you are interested, you can find a Random Password Generator here: https://identitysafe.norton.com/password-generator/

There are also many password-storage programs out there, if you have trouble keeping track.  One free service that comes highly-recommended is Dashlane.  (Thanks, Preston.)

Finally, for an in-depth technical explanation of the bug and what’s being done about it, visit Heartbleed.com.

WordPress Brute Force Attack Underway

One of the largest distributed brute force attacks on WordPress installations ever seen is currently going on, as reported by Mark Maunder of Wordfence Security on his blog. You can read the full post here. The attempts at hacking are running 30 times more frequently than average.

A brute force attack is when an attacker tries to guess your username/password combination by repeatedly sending login attempts. A distributed brute force attack is when an attacker uses a large number of machines spread around the internet to do this, so that no single machine sends enough attempts to trigger whatever blocking mechanisms you have in place.

If you have a WordPress-based site, I highly recommend that you pay close attention to it until these brute force attempts have waned.  If you suspect that you’ve been hacked, and need help recovering, you can always contact us here at Diamond Mind Web Design.

‘Tis The Season… For Spam

It seems when the holiday season arrives every year, the usual trickle of spam email starts rising until it reaches a flood stage around Christmas.  Perhaps the spammers are playing on the “do good” feelings that come with the season, perhaps they’re just trying to earn a little extra illicit cash to buy things for their own little spammer boys and girls.  Whatever the reason, it’s always wise to be extra suspicious of any phishing-type emails you might start to receive.

Not that this one is all that tricky, but I thought I’d share an email that I just received a few minutes ago, to show you an example (if a rather obvious one) of a phishing attempt.  And one that gives us web-folk a bad name, as well, as you’ll see:

Subject line:  RE:  (Wow, that’s imaginative.)

From name:  web upgrading  (Umm, who?)

From email:  web@parliament.gov.bd  (That darn parliament of ours, always spamming!)

Return path email:  webmailupgradingservice@mail.com  (In other words, could be anybody.)

Message text:

We are pleased to inform you that Our web admin Center is closing all
unused accounts because of the congestion in our mail server. To confirm
your account active, you are required to complete your details below and
send it to us. This information would be required to verify your account
to avoid being closed.

First Name: ________________________
Last Name: __________________________
E-mail Username: _____________________
E-mail Password: ____________________

>>> Warning!!!

E-mail owner that refuses to comply with this mail his or her Email ID
within 26 days of receiving this warning will lose his or her E-mail
permanently.

Thank you for your understanding.
Copyright ©web Admin 2013 All Rights

Okay, not even particularly well thought out, and full of the usual phishing give-aways: bad grammar, bad capitalization, etc.  Just a straightforward scare tactic.  Hopefully all of our usual readers are spam-savvy enough to recognize this for what it is, but it’s a good idea to remind others (the young and the elderly, particularly) to never send personal information (of any kind!) to someone over the Internet, unless you’re absolutely sure you know where you’re sending it.  As a good rule of thumb, banks and other financial institutions NEVER ask for personal information via email.

This concludes our good samaritan post for today!


Special Bulletin: Adobe Hacked

In case you were not aware of it, Adobe has confirmed the user account data of 2.9 million Adobe users has been breached. You can read the full story in the Washington Post, here:

http://www.washingtonpost.com/business/technology/adobe-confirms-security-breach

What does this mean for you?  Well, first the good news:  if you use Adobe products (like nearly every other single person in the entire known world), you may not be affected. (More on this later.)

The bad news:  the attackers may have had access to its users’ financial information.  Which means if you purchased something from Adobe within the last few years, you will need to keep a close eye on your credit card or bank statement for illegal activity.

Adobe has issued an official statement with details about the incident and what you should do.  You can find the official Adobe statement here:

http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert

Things to keep in mind:

1) Even though Adobe states it has already reset the passwords of the affected users, it would be wise, if you have any type of Adobe account, to immediately log in and change your password.

2) If you are in the (bad) habit of using the same password across multiple sites, and have used your Adobe password elsewhere, go to those sites and change your password there, as well.

The further bad news: Adobe has also said that parts of its source code were accessed, but that it was not aware of any exploits being used to target Adobe products. Yet.  To be on the safe side, you should verify that all of your Adobe software is up-to-date, and keep it up to date over the coming weeks, as it seems very likely (to me, at least) that Adobe will be releasing further updates as advance protection against the access of its code.

We hope you have found this information useful. If so, please share our blog and/or Facebook page with your friends and suggest that they subscribe to stay updated on the latest news from the World of the Web!

Why You Should NEVER Use ‘admin’ As Your WordPress Username

Actually, I wanted to title this post: “Why You Should Never, Never, Never, Never, Never, Never, NEVER Use ‘admin’ As Your WordPress Username”…  but that might have been a bit long for SEO reasons. 🙂  However, it’s certainly not overkill when it comes to getting the message across.  So, why is this such a bad thing?

Let’s start with the fact that, in most cases, a new WordPress installation will set the default site administrator username to ‘admin’, and all that is required is to choose a password.  Now, it might be said that humans are inherently lazy, but it’s true that many folks will just leave that default name as is.  (We’ll leave the discussion of using ‘password’ as your password for another day!)  With so many administrator names set to ‘admin’, it’s an obvious place for a hacker to start… 50% of the equation has already been solved for him!  Now he only has to determine your password to have access to your entire site.

What’s more, most hack attempts are made by automated ‘bots’ set to try as many combinations of ‘admin’ + (a password) as possible, often hundreds per minute, in what’s known as a brute-force attempt to gain access.  Other hack attempts are made in person, by someone who has studied you and your site, looking for clues to help guess your password.  (Pet name, anyone?)  And make no mistake, these attempts are numerous and ongoing, 24/7/365.  As a random example, one of our WordPress sites received well over 3,000 ‘admin’ hack attempts in the last 30 days, with an average across our sites being at least in the hundreds.  So why give hackers that head start?

So, what to do if you ARE using ‘admin’ and need to change it to something else?  Follow these steps EXACTLY, and, by the way, back your site up first, just in case.

  1. Sign in as ‘admin’.
  2. Head straight to the Users tab, and “Add New”.
  3. Choose a hard-to-guess username, but don’t make it so difficult that you’ll forget it.
  4. IMPORTANT: Set the new user’s role to “Administrator”.
  5. You will need to use a different email address, as no two users can have the same one.  (Can be changed later.)
  6. Choose a password that has upper and lower-case letters and numbers in it. Symbols are OK too. NEVER use the word ‘password’ in your password, even if it has a different case and includes numbers.  10 characters minimum!
  7. Click “Add New User”.
  8. Sign out as ‘admin’.
  9. Sign in as the new user.
  10. Delete your old ‘admin’ user, MAKING SURE you assign all posts/pages/comments to your new user.
  11. Congratulations, you now have a more secure WordPress system!

What else can you do?  Ban your users from any variation of ‘admin/Admin/adm1n’ as username, enforce strong passwords, and always keep your WordPress software/themes/plugins up to date.  Install a quality security plugin (such as Wordfence) to help you enact all of these items. And make routine backups, as no software is ever 100% hacker-proof.
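The “WordPress Brute Force Attack Underway” post above explains that a distributed attack spreads its guesses across many machines to slip under per-IP blocking, and this post shows that those guesses overwhelmingly target ‘admin’ and its variants. As an added illustration (not code from either post, and not from Wordfence or WordPress), here is a small Python script that reads a constructed login-audit log and shows the difference: a per-IP counter only catches the single-source burst, while counting distinct sources per username exposes the distributed run against ‘admin’. The log format and the documentation-range IP addresses are assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of a wp-login.php audit log (not a real
# site's log); the addresses are documentation ranges, not real attackers.
SAMPLE_LOG = """\
2013-04-12T10:00:01Z ip=203.0.113.5 user=admin result=fail
2013-04-12T10:00:02Z ip=198.51.100.7 user=admin result=fail
2013-04-12T10:00:04Z ip=198.51.100.8 user=admin result=fail
2013-04-12T10:00:05Z ip=203.0.113.9 user=Admin result=fail
2013-04-12T10:00:07Z ip=198.51.100.11 user=adm1n result=fail
2013-04-12T10:00:09Z ip=203.0.113.40 user=admin result=fail
2013-04-12T10:00:12Z ip=192.0.2.77 user=jsmith result=fail
2013-04-12T10:00:13Z ip=192.0.2.77 user=jsmith result=fail
2013-04-12T10:00:14Z ip=192.0.2.77 user=jsmith result=fail
2013-04-12T10:00:15Z ip=192.0.2.77 user=jsmith result=fail
2013-04-12T10:00:16Z ip=192.0.2.77 user=jsmith result=fail
2013-04-12T10:02:30Z ip=192.0.2.10 user=jsmith result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(fail|ok)$")
ADMIN_VARIANT_RE = re.compile(r"^adm[i1]n$", re.IGNORECASE)   # admin / Admin / adm1n
WINDOW = timedelta(minutes=5)


def parse(log):
    """Turn log lines into (time, ip, username, result) tuples, skipping junk."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def bucket(ts):
    """Floor a timestamp to the start of its fixed WINDOW-sized bucket.
    (Fixed buckets are simple but can split one burst across a boundary.)"""
    return ts - (ts - datetime.min) % WINDOW


def detect(events, per_ip_limit=5, distributed_sources=3):
    """Return sorted alerts. The per-IP count models a plain lockout plugin;
    the per-username count of distinct sources is what reveals a distributed
    attack that stays below the per-IP limit from every single address."""
    per_ip = defaultdict(int)      # (bucket, ip) -> failed attempts
    per_user = defaultdict(set)    # (bucket, username) -> source IPs
    for ts, ip, user, result in events:
        if result != "fail":
            continue
        b = bucket(ts)
        key = "admin" if ADMIN_VARIANT_RE.match(user) else user.lower()
        per_ip[(b, ip)] += 1
        per_user[(b, key)].add(ip)
    alerts = [("single-source", ip, n) for (_, ip), n in per_ip.items() if n >= per_ip_limit]
    alerts += [("distributed", u, len(ips)) for (_, u), ips in per_user.items()
               if len(ips) >= distributed_sources]
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

In the sample, each of the six addresses guessing ‘admin’ sends only one attempt, so a per-IP lockout never fires; only the per-username view raises the alert.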

“Your PayPal Account Has Been Limited” OH NOES!!!111

“Access to your account has been restricted.”  “Your account has been compromised.” “You have violated our terms of service.” Have you ever received an email such as this? Did it set your heart to racing? As they say in The Hitchhiker’s Guide To The Galaxy, “Don’t panic!” Put down the mouse, and slowly step away from the keyboard.

You may laugh, and I certainly jest, but it’s really no laughing matter. The email shown in this photo, and those such as this, are serious attacks on your system and your security, designed in such a way as to provoke the panic response: “Oh, no, I have to do something about this immediately!” Click. Disaster strikes.

Now, I will freely admit that I don’t know the specific threat this particular email poses – I wasn’t foolish enough to click the link and find out. And that’s exactly how you should handle it as well, as the secondary response that an email such as this is intended to provoke is curiosity; you may be suspicious of its validity, but don’t you really want to know if it’s true?

No! You don’t. What you really need to be concerned with is not what this email IS, but rather what it isn’t, and that’s “legit.” ANY email you receive from ANY institution that deals with finances or other personal information should be scrutinized very closely, and there are usually clues to help you tell the good from the bad.

In this case there are several, which I have circled in red and given a number. There are also other clues which help us by their absence:

1) Fake email address (and obviously so): This states it’s from “peypal.com” — a dead giveaway, but you can’t always trust that correct email addresses translate to legitimacy.  It’s far too easy for a skilled spammer to spoof a real address.

2) Attachment is an .htm file:  .htm (and .html) are web pages; this is a poorly-disguised attempt to send you to a (possibly porn-related, possibly virus-infected) web site.  The standard for attachments is PDF, but again, even a .pdf extension does not mean it’s 100% trustworthy.

3)  “Secure Transaction”: Wording chosen to set your mind at ease — after all, it’s “secure,” right?  And it’s obviously a hyperlink, ready for you to click. But why is this link here? No explanation is given as to what it is or why you need to click it.

4) “Dear customer ,”: Why is this heading not at the beginning of the letter?  Why no identification by proper name?  Even the comma is misplaced — all clues that this isn’t professionally prepared.  And even though the email itself is carefully worded to say something, the actual specifics — what the issue is, what information is needed, why exactly your account is a “safety risk” — are never mentioned.

5) No contact information (which I have highlighted with a blank circle): No other way to get in touch with PayPal is included in the email.  Why?  Because if your curiosity does overcome your better judgment, your only choice to find anything out is to click one of the links.  Frustrated? Gotcha!

So, what do you do?  First and foremost, if you have ANY doubts as to the validity of a finance-related email, go straight to that business’s website, log into your account, and check it out in that manner.  Do NOT click links in the email that purport to direct you to the business website.  Second choice — call someone at the institution and ask about the issue.  Third, delete it and forget about it.  If there really IS an issue, it’s highly unlikely that an email is the only way you’ll hear about it.

Comments or questions about this information?  I’d love to hear them!