It’s been less than a month since mega retailer Target announced that a little more than 40 million customer debit and credit cards had been stolen by hackers. Not long after that, we saw the first of those cards being sold a few hundred thousand at a time, in a variety of underground hacker forums. Although not that underground, since I was able to register on the most notorious hacker sites and see for myself how easy it was to buy an identity.
Tag: cyber theft
As we continue to dissect the massive data breach at Target, we’re going to learn lots of lessons. But probably the biggest lesson you can take away from it is that if it can happen to Target, it can certainly happen to you. Even if it’s on a much smaller scale, it could still be big enough to matter to you.
When news broke last week that security researchers had found more than 2 million stolen passwords hidden on a hacker’s website, it didn’t take long for media around the world to get on the case. It appears the passwords were stolen over many months, and from users of Facebook, Twitter, Google, LinkedIn and many other sites.
The story that seemed to get the most attention from the media and from security experts was what these 2 million passwords told us about the password habits of users. That they were awful. Not that that’s really news, but still, once again we discovered that the most common passwords included in the haul were 123456, 111111, and perhaps worst of all, password.
However, we noticed something else, something that other security experts seemed to miss completely. The initial suspect in the heist was a keylogger, a tiny piece of malware that will infect computers, steal things like logins and passwords, and pass them back to the hackers.
On the very same day the media frenzy started, we noticed that a security firm OPSWAT revealed some very scary test results. When they planted a basic keylogger on one of their test computers, and ran scans with more than 40 of the most popular consumer and business antivirus products over two weeks, only one product caught the keylogger. Which probably means most consumers and even small businesses probably won’t be able to detect it either.
While the better antivirus brands are generally good at catching the most common malware, a study by the University of Alabama found that those same products only catch around 25% of the more advanced malware. And that’s the stuff that can do the most harm.
Keyloggers are typically in search of logins and passwords, but they don’t just log what you type. They can also capture screenshots of what’s on your computer, screenshots of the websites you visit and the folders you open, and even what you search for. And software isn’t the only variety. There’s a growing trend towards hardware keyloggers – keyloggers designed to look identical to a plug or connector you’d expect to find at the back of a computer or even a cash register. One such hardware keylogger was recently found plugged into the back of a cash register at a Nordstrom store in Florida.
If keyloggers make their way on to computers in your business, the hackers may be able to steal logins and passwords to your website or bank account. They might also be able to steal payroll and customer information. They might even be able to hop from your computers to your website, and from there infect visitors to your site. Which could end up with your business being blacklisted by the search engines until you solve the problem.
So what can you do cripple this menace?
- Start by talking to your employees, explain what a keylogger is, how it can threaten your workplace, and how you can all work together to protect against them.
- Require all your employees to use anti-keylogger software, like Key Scrambler (free). They won’t protect your business against every type of keylogging but are a good defense against the more common software based. Some work by instantly encrypting or scrambling all your keystrokes so that they’re unusable to hackers.
- Make sure you and your employees use one of the many safe surfing tools or plugins, like Web of Trust (WoT). As users become more wary of malware hidden in email attachments, hackers are turning to websites instead. Known as watering holes, hackers will find vulnerable websites, load them with keylogging malware, and simply lie in wait for visitors to those sites. SiteLock is finding as many as 5,000 small business web sites every single day already compromised and requiring malware removal. Safe surfing tools will help alert you of suspicious or dangerous websites before you click on them.
- Always have good antivirus software on every computer and device you use in your business and at home. And encourage your employees to do the same. Some of the best is free, including for your smartphone and tablet. And scan often — at least once a week is recommended.
- All employees should change their passwords often and think about passphrases instead.
- Be careful what you allow employees to download and install. Poor security habits and hygiene are a leading contributor to malware infections. Slow down, guard up, verify first, and only download if you’re really sure and you really need to.
As National Cyber Security Awareness Month wraps up for yet another year, have you learned anything? More important, have you done anything, at least to improve your security? In case the answer to one or both is no, I thought I’d share the experiences of just a couple of small businesses (one which I worked with personally) that learned about security the hard way.
In the first case, the victim was a small but thriving electronics business based in Nevada. Their problems began when they started getting phone calls from angry suppliers wanting to know why some big bills hadn’t been paid. After some investigating, the business owners figured out that the bills had not been paid because they had never actually placed the orders.
Data has always been a currency for crooks but, now more than ever, personal data has become a hot commodity for everyone from petty identity thieves to major organized crime. And one of the easiest ways to get this kind of information is from websites just like yours.
When it comes to website security, many small businesses are in a constant state of change. Changing from a state of denial “I don’t need security because I have nothing to steal and I’m too small for hackers to find me anyway” to a state of panic “Oh no! I’ve just found out I’ve been hacked, they’ve been using my website to spread malware for months and now I’m blacklisted by the search engines.”
That’s the unfortunate state of small business web security, and it usually starts with the word don’t. That’s because most small business owners simply:
- Don’t give website security a second thought because they’re too busy with more pressing matters, like trying to meet this month’s payroll.
- Don’t think they’re big enough for hackers to bother with, not realizing that hackers now use automated tools that will easily sniff out unprotected websites in a matter of seconds.
- Don’t think small businesses are targets in general, in spite of the numerous studies that suggest they could actually be the top target.
- Don’t think they have anything worth attacking or stealing, although hackers think otherwise.
- Don’t know where to start with security and how to even begin plugging those holes and so keep putting it off.
- Don’t know what to do if they are hacked – which is usually the last step before that state of panic.
So much of the panic could be alleviated if small business owners took just a little time out of their busy schedule to think about security and understand how bad security or none at all can destroy a business, and how good security is a business enabler.
Bill Gates, co-founder of Microsoft, maintained that when it comes to business, security is job one. If you’re not protecting your website, it could turn into your greatest liability. Time and money are not an excuse because good security is automated, always on, and very affordable (I don’t want to say cheap in case you get the wrong idea but I really do mean cheap).
And good security leads everyone – you, your customers, your employees, and even your credit card processor – toward a state of bliss. Start on your journey by simply making sure that the next time the automated tool of a ruthless hacker comes sniffing around your website, you’ve beaten them to the punch and closed all the holes.