Showing posts with label Email Security.

Saturday, January 11, 2014

Reminder: To Whom are You Really Emailing?

Confirm the email address before you hit send!


Nowadays, it's not uncommon for people to have multiple email addresses. Some people even belong to group email accounts in which an email sent to one address is actually received and potentially read by multiple people.

Before you hit send, be sure you know exactly where your email message is headed. Even when you're replying or forwarding, take the extra moment to hover your mouse over the address in the "To" field to be sure it's going to the intended address.

If you find yourself making this mistake often, consider changing email clients. Gmail, for instance, is notorious for allowing this recipient confusion. Gmail users should also be aware that Google has copies of and access to all email sent using its system. Mr. Snowden provided some proof of that.

Businesses especially should always use a proprietary domain for their email (not Gmail, Yahoo, etc., and certainly not a social email address, like those from Facebook). Business owners should always ensure their email provider follows good security practices (e.g., not storing any email on their servers after it is delivered to the client destination).

Wednesday, November 6, 2013

Take Time To Understand Free Tools Before You Use Them

Free tools and technologies can deliver real value, yet they can also present risks!

URL shortening services, for example, are fantastic, especially for those of us who love to share our knowledge and findings inside social networks. Yet they can very easily, and often do, hide a nefarious attack.

Another Free Tool to Use with Caution

Be sure to check the security of shortened URLs before clicking them. One service you may consider is urlxray.com.

Monday, April 8, 2013

Think someone may be reading your emails?

Encrypt them, and they can't

Are you sending confidential information in your email, text and instant messages? If so, you could be exposing it to a lot of peeping eyes...and they may decide to do bad things with it!

Here are some ways to encrypt your digital messages:

  • In Outlook, within your message, go to File, Properties, Security Settings, and click the box for "Encrypt message contents and attachments."
  • If you use some type of webmail, most good ones offer SSL as a security option; use it. It encrypts the messages *while they are traveling through the Internet.*

    However, it is not the same as encrypting the message itself. Your messages are still in clear text within the mail box storage, and when forwarded elsewhere not using an SSL-encrypted transmission method.
  • For webmail, consider getting an add-on tool, such as Armacrypt.
  • Another email option is Hushmail.
  • Consider using an up-to-date version of PGP.
  • Here's a pretty good discussion of encrypting text messages on Android devices.
  • Here are some smartphone encryption apps to consider.

Useful TIP! Don't send any sensitive or confidential information using social network messaging systems, such as Facebook mail. While you can have the *connection* (meaning while it is traveling from you to your recipient) encrypted using SSL, it does not encrypt the message itself, leaving it in clear text within the many Facebook repositories.

Friday, March 8, 2013

Is It Safe & Secure To Use Free Email Service?

If a government wants to peek into your Web-based e-mail account, it is surprisingly easy, most of the time not even requiring a judge’s approval

Ever wonder what Google has planned for all of the information it's collecting on its users? Well, its intentions may be completely irrelevant. As it turns out, Google has been compelled to hand over its user data to law enforcement at an increasing and alarming rate.

In the second half of 2012, the tech giant received more than 21,000 requests for information, which represents a 70-percent increase over three years. The majority of the requests came from the federal government, which was hoping for a peek into users' email accounts. In most cases, the Feds didn't need a judge's okay.

Google is fighting back, trying to rally support against government access to personal data. In this professional's opinion, however, that's a bit ironic considering Google's own policies on collecting user information.

Just remember, anytime you are using a webmail site like Gmail for communication, understand your email is absolutely not protected and is not private.

Do not send sensitive information or conduct business using these types of free webmail services.

If you must use these sites, gather the emails through an off-cloud software system, like Microsoft Outlook. Then, configure your Outlook settings to delete the emails from Gmail, Yahoo, Hotmail or whatever cloud email service they are coming from, as soon as Outlook downloads them.

Thursday, January 3, 2013

How to Catch a Phish?

Helpful hint on spotting a phishing-scam email before it's too late!

You can detect a fake email very quickly simply by focusing on the "From" field in your email header.

Most malicious e-mails say they are from a legitimate company, but the address in the "From" field does not match that in the signature. If you are unsure of the sender's legitimacy, you can also use free tools on the Internet to verify any email address quickly.

Be aware, however, that some of these phishing artists are very adept at masking their identities.
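
The "From"-field check described above, implemented as an added example (not code from the original post): it parses a constructed sample message, compares the sender's domain with the domains mentioned in the signature block and with Reply-To, and reports each mismatch. The sample message, the six-line signature window and the "last two labels" approximation of a registrable domain are assumptions made for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message for this example (not from the original post): the
# From domain, the domain in the signature and the Reply-To domain all differ.
SAMPLE_MESSAGE = """\
From: "Example Bank Support" <alerts@example-bank-secure.net>
Reply-To: support@mailbox.example
To: customer@example.org
Subject: Urgent: verify your account

Dear customer,

Please verify your account within 24 hours.

Regards,
Example Bank Customer Care
https://www.examplebank.com/help
"""

# Host names with at least one dot, optionally prefixed by a scheme or "www."
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def base_domain(host):
    """Crude registrable domain: the last two labels (a public suffix list would
    be needed for names such as example.co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def address_domain(header_value):
    """Domain of the address in a From or Reply-To header, or None if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def signature_domains(body, tail_lines=6):
    """Base domains mentioned in the signature block (the last lines of the body)."""
    tail = "\n".join(body.rstrip().splitlines()[-tail_lines:])
    return {base_domain(m.group(1)) for m in DOMAIN_RE.finditer(tail)}

def check_from_field(raw_message):
    """List the ways the From field disagrees with the signature or Reply-To;
    an empty list means no mismatch was found."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_dom = address_domain(msg["From"])
    if from_dom is None:
        return ["From header carries no parseable address"]
    findings = []
    sig_doms = signature_domains(msg.get_body(preferencelist=("plain",)).get_content())
    if sig_doms and base_domain(from_dom) not in sig_doms:
        findings.append(f"From domain {from_dom} is not among signature domains {sorted(sig_doms)}")
    reply_dom = address_domain(msg["Reply-To"])
    if reply_dom and base_domain(reply_dom) != base_domain(from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings
```

Running `check_from_field(SAMPLE_MESSAGE)` yields two findings, one for the signature mismatch and one for the Reply-To mismatch; a message whose sender, signature and Reply-To share a domain yields an empty list.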

Saturday, June 30, 2012

Law firms are a prime target for hackers

Mobile devices and apps provide multiple avenues for hackers to access confidential information


Laptops, cell phones and mobile apps for devices such as iPhones and Androids keep us constantly connected to friends, family and colleagues. Unfortunately, they also may be connecting lawyers to predatory hackers, according to an article in the Wall Street Journal.


Law firms are a prime target for hackers seeking to access valuable confidential information, such as documents related to upcoming mergers and acquisitions or litigation. Over the past few years, several Canadian and U.S. law firms have been targeted by hackers linked to Chinese computers, according to the article. In 2010, lawyers at Gipson Hoffman & Pancione received emails—ostensibly from members of the firm—that were designed to steal data from their computers.


At the time, the firm was representing a software company in a $2.2 billion lawsuit against the Chinese government and computer manufacturers. Emails are just one way for hackers to retrieve sensitive information. Popular cloud storage applications such as Dropbox, for instance, afford lawyers the convenience of accessing their files on multiple devices.


But these applications potentially leave information vulnerable to third parties—Dropbox reserves the right to turn over files in response to legal or regulatory requests.


To protect data security, many firms are advising attorneys to take increased security measures, such as encrypting messages, avoiding free Wi-Fi connections, password protecting their devices and deleting suspicious emails or text messages.


Read the full story at the Wall Street Journal.

Sunday, October 16, 2011

10 Domains of Cloud Security Services

Cloud Security Alliance Foresees Security as a Service

Security poses a major challenge to the widespread adoption of cloud computing, yet an association of cloud users and vendors sees the cloud as a provider of information security services.

The Security-as-a-Service Working Group of the Cloud Security Alliance, a not-for-profit association formed by cloud-computing stakeholders, issued a report Monday that defines 10 categories of security services that can be offered over the cloud.

The alliance said its report is aimed at providing cloud users and providers greater clarity on security as a service in order to ease its adoption while limiting the financial burden security presents to organizations. The 10 security-as-a-service categories are:
  1. Identity and Access Management should provide controls for assured identities and access management. Identity and access management includes people, processes and systems that are used to manage access to enterprise resources by assuring the identity of an entity is verified and is granted the correct level of access based on this assured identity.

    Audit logs of activity such as successful and failed authentication and access attempts should be kept by the application/solution.

  2. Data Loss Prevention is the monitoring, protecting and verifying of the security of data at rest, in motion and in use, in the cloud and on-premises. Data loss prevention services usually protect data by running as some sort of client on desktops/servers and enforcing rules about what can be done with it.

    Within the cloud, data loss prevention services could be offered as something that is provided as part of the build, such that all servers built for that client get the data loss prevention software installed with an agreed set of rules deployed.

  3. Web Security is real-time protection offered either on-premise through software/appliance installation or via the cloud by proxying or redirecting web traffic to the cloud provider.

    This provides an added layer of protection on top of things like AV to prevent malware from entering the enterprise via activities such as web browsing. Policy rules around the types of web access and the times this is acceptable also can be enforced via these web security technologies.

  4. E-mail Security should provide control over inbound and outbound e-mail, thereby protecting the organization from phishing and malicious attachments, enforcing corporate policies such as acceptable use and spam and providing business continuity options.

    The solution should allow for policy-based encryption of e-mails as well as integrating with various e-mail server offerings. Digital signatures enabling identification and non-repudiation are features of many cloud e-mail security solutions.

  5. Security Assessments are third-party audits of cloud services or assessments of on-premises systems based on industry standards. Traditional security assessments for infrastructure and applications and compliance audits are well defined and supported by multiple standards such as NIST, ISO and CIS. A relatively mature toolset exists, and a number of tools have been implemented using the SaaS delivery model.

    In the SaaS delivery model, subscribers get the typical benefits of this cloud computing variant: elasticity, negligible setup time, low administration overhead and pay-per-use with low initial investments.

  6. Intrusion Management is the process of using pattern recognition to detect and react to statistically unusual events. This may include reconfiguring system components in real time to stop/prevent an intrusion.

    The methods of intrusion detection, prevention and response in physical environments are mature; however, the growth of virtualization and massive multi-tenancy is creating new targets for intrusion and raises many questions about the implementation of the same protection in cloud environments.

  7. Security Information and Event Management systems accept log and event information. This information is then correlated and analyzed to provide real-time reporting and alerting on incidents/events that may require intervention.

    The logs are likely to be kept in a manner that prevents tampering to enable their use as evidence in any investigations.

  8. Encryption systems typically consist of algorithms that are computationally difficult or infeasible to break, along with the processes and procedures to manage encryption and decryption, hashing, digital signatures, certificate generation and renewal and key exchange.

  9. Business Continuity and Disaster Recovery are the measures designed and implemented to ensure operational resiliency in the event of any service interruptions.

    Business continuity and disaster recovery provide flexible and reliable failover for required services in the event of any service interruptions, including those caused by natural or man-made disasters or disruptions. Cloud-centric business continuity and disaster recovery makes use of the cloud's flexibility to minimize cost and maximize benefits.

  10. Network Security consists of security services that allocate access, distribute, monitor and protect the underlying resource services. Architecturally, network security provides services that address security controls at the network in aggregate or specifically addressed at the individual network of each underlying resource.

    In a cloud/virtual environment, network security is likely to be provided by virtual devices alongside traditional physical devices.

Tuesday, January 19, 2010

Top-Five Facebook Scams

You should protect yourself from hackers and spammers

As Facebook has grown in popularity, it has also become a primary target for hackers and spammers. An increasing number of Facebook users are having their accounts compromised. Each newly compromised account is then used by the hackers and scammers to propagate their scam further. You don’t need to be an idiot to have your account compromised. If you are caught off guard for a second, you may accidentally fall for one of these scams.
  1. IQ Quiz Ads

    While Facebook has spent the past year trying to cut down on the number of misleading advertisements on the site, the fact remains that a small percentage of users still get duped into purchasing services they don’t really want. The IQ Quiz Scam has become ubiquitous on the Facebook Platform, and users who install applications can expect to see an advertisement for an IQ Quiz Scam at some point. In December one application was discovered in which the developer was using spammy techniques to get new users to install the application and ultimately click on the IQ Quiz advertisements.

    As soon as you click on one of the ads, you’ll be brought to a site where you’re asked up to 10 questions which are relatively easy to answer. You will then be prompted to enter your phone number to view the results. Don’t enter your phone number! If you do, you will be charged upwards of $10 a week directly to your phone bill. While most phone companies are willing to refund you for your first purchase, they won’t do it after the first occurrence. That’s because the phone companies generate billions of dollars each year off of these types of transactions.

    If you want to protect yourself from IQ quiz scams, do not enter your phone number into any sites outside of Facebook.

  2. I’ve Been Robbed! Western Union Me Money!

    You’re browsing around Facebook and suddenly one of your friends IMs you to tell you that they’re stuck in another country; they’ve been robbed, don’t have a wallet, and need money to get out of the country. It’s a horrible situation but what are the odds that they found a computer to log on to in order to instant message you? Even worse, what are the odds that one of your friends who was travelling abroad got robbed and wasn’t able to find anybody to help them out?

    I’ve been with people who’ve lost their wallet abroad and needed to get money sent via Western Union; however, if the person can get access to Facebook, they probably can access a phone. While you should always help out your friends, you can avoid being duped by international fraudsters by asking your friend to call you in order to wire the money. Unless your friend is in the middle of a jungle in the Congo, they should be able to call you.

    Most of the time in such incidents, it is a scammer who has stolen your friend’s account and is systematically going through and IMing each of their friends to try and get money wired to them. Don’t fall for it; try to talk to them on the phone before offering any help.

  3. Facebook Phishing Landing Pages

    One of the most common ways Facebook accounts get compromised is through simple phishing scams. The way it works is that a user’s account is compromised by a hacker and the hacker then uses that account to automatically post links on each of that user’s friends’ walls. Sometimes the system will send messages to the friends such as “Check out this funny video of you!” with a link that redirects to a page with a fake Facebook login page.

    It’s pretty straightforward, and it’s easy to avoid; however, countless people have fallen for this scam. The easiest way to tell if it’s a scam is by looking at the URL of the page you land on. The best way to protect yourself is, anytime you see a Facebook login page, leave it and go to http://www.facebook.com in your browser. This way you can ensure you are logging in to the correct site.

  4. Koobface Worm That Automatically Hijacks Your Account

    Although Facebook has worked aggressively to prevent this worm, it still continues to spread rapidly. The scam is pretty straightforward. In this attack, a user will receive a message from what appears to be one of their friends. The message will say things like “Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments” and many others.

    Included in the message will be a link to a page which appears to be a YouTube video. If you click on the video, you will be prompted to “upgrade your Flash player now” and asked to download a file which contains the Koobface worm. If you download and install the file, your computer will automatically log in to Facebook and send similar messages to your friends.

    The best way to avoid this scam is to avoid all links that are posted on your wall or in your inbox that are out of the ordinary. Also, never download a file or codec after clicking on a link.

    To learn more about the Koobface worm, check out the information at Kaspersky Lab.

  5. Other Malware Applications And Links

    While we’ve attempted to highlight the primary scams, hackers and scammers are constantly evolving their strategies to steal passwords, and take over computers. The best thing to do is always be careful of strange links posted to your profile or messages sent to your inbox. While many of the scams on Facebook are harmless to your computer, it's still important to protect yourself against any viruses and worms.

    Some Facebook applications have used toolbars among other things to make money from their application. Some of these toolbars will significantly damage your computer.

The bottom line is: be on guard any time you see anything suspicious. If you do notice anything suspicious or happen to fall for a scam, make sure to immediately change your password. If you aren’t able to access your account because you were phished and your password was changed, fill out this form, which might help you get your account back.

Friday, August 14, 2009

Gmail activity log helps you detect hijacking

Gmail Activity log can alert you to unauthorized use of your account

A line at the bottom of the Gmail window indicates when your account was last used and also links to more-complete usage info. We can use this activity log to determine whether someone has guessed your password and taken over your account.

Last week I posted "One third of surfers admit they use the same password for all websites," about how hackers take advantage of users' weak passwords, test thousands of passwords per day and take over poorly defended accounts.

I recently found out that the Gmail activity log, at the bottom of the page, can alert you to unauthorized use of your account. If you're a Gmail user and are concerned as to whether your account password has been compromised, there's a link at the bottom of the screen that shows when your account was used and from where.


At the bottom is the message "Last account activity: xx minutes ago at IP xxx.xxx.xxx.xxx" (or "on this computer"); refer to the picture above. Click the Details link, and a pop-up window shows all sign-ins over the last couple of days, together with other useful information and a button to "Sign out all other sessions". Refer to the picture below.
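
What to look for in that sign-in list, as an added example that is not part of the original post: the code reviews constructed sign-in records (timestamp, access type, IP address) for addresses outside networks the account owner recognises, and for consecutive sign-ins from two different addresses close together in time, which is the situation in which "Sign out all other sessions" followed by a password change is the right response. The record layout, the trusted networks and the 30-minute window are assumptions made for this example, not Gmail's actual format.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sign-in records in the spirit of the "Details" window; the layout
# is invented for this example and is not Gmail's actual format.
SAMPLE_ACTIVITY = """\
2009-08-14 08:05 | Browser | 192.0.2.10
2009-08-14 08:20 | POP3 | 192.0.2.10
2009-08-14 08:31 | Browser | 203.0.113.45
2009-08-13 21:10 | Browser | 198.51.100.7
"""

# Networks the account owner recognises (home and office); an assumption made
# for this example.
TRUSTED_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

def parse_activity(text):
    """Parse 'timestamp | access type | IP' lines into (datetime, access, ip),
    oldest first."""
    rows = []
    for line in text.strip().splitlines():
        when, access, ip = (part.strip() for part in line.split("|"))
        rows.append((datetime.strptime(when, "%Y-%m-%d %H:%M"), access, ip_address(ip)))
    return sorted(rows, key=lambda row: row[0])

def is_trusted(ip):
    """True when the address falls inside one of the recognised networks."""
    return any(ip in net for net in TRUSTED_NETWORKS)

def review_activity(text, window=timedelta(minutes=30)):
    """Return (unknown_ips, overlaps): sign-ins from outside the trusted
    networks, and consecutive sign-ins from different IPs within `window` of
    each other (two parties active on the account at about the same time)."""
    rows = parse_activity(text)
    unknown_ips = sorted({str(ip) for _, _, ip in rows if not is_trusted(ip)})
    overlaps = []
    for (t1, _, ip1), (t2, _, ip2) in zip(rows, rows[1:]):
        if ip1 != ip2 and t2 - t1 <= window:
            overlaps.append((str(ip1), str(ip2)))
    return unknown_ips, overlaps
```

For the sample records, `review_activity(SAMPLE_ACTIVITY)` flags 203.0.113.45 as an unrecognised address and reports that it signed in eleven minutes after a session from 192.0.2.10 was still active.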

I would advise all my readers to check their account activity frequently, just to ensure that they are keeping an eye on their account. If you notice any unusual activity, I recommend you change your password immediately.