If you use Microsoft Office 365 products at work or at home, you should be aware of the software’s extensive vulnerability. The manner in which Microsoft Office 365 manages “federated identities” through Security Assertion Markup Language (SAML) allows online hackers to infiltrate accounts, data, e-mail messages and files within the software’s cloud. Relying on the cloud for data storage is certainly en vogue, yet more and more stories are emerging regarding the cloud’s security weaknesses. The Microsoft Office 365 vulnerability is just the latest example of the problem with a total reliance on the cloud for information storage and retrieval. Though Microsoft responded to the security exploit with a January 5 mitigation, it is still abundantly clear that cloud storage is fallible. About SAML SAML is a standard employed by businesses and other entities to transfer authentication / authorization information. It permits a single sign-on across a number of different websites, allowing for greatly improved efficiency. Microsoft’s use of SAML version 2.0 in its Office 365 software is flawed in that it does not authenticate the element known as the NameID. As a result, the exchange takes place with other values for authentication. An example of such a value is an IDPEmail attribute. The Service Provider actually relied upon the Issuer of the Assertion yet did not perform “sanity checks” on the IDPEmail attribute value. As a result, it would easily consume assertions, under the impression that Identity Provider A had authenticated users of Identity Provider B. Details About the Attack The Office 365 SAML service provider implementation vulnerability was first discovered by Kakavas, a Research and Technology Network company based in Greece. The firm figured out that the software’s weakness permitted the bypassing of federated domains with cross-domain authentication. The expanse of this cyberattack has been quite vast. It encompasses Outlook Online, Skype for Business, OneDrive, OneNote and more. All in all, any Microsoft Office 365 product purchased by a company in terms of licensing is vulnerable. Malevolent individuals take advantage of the vulnerability in order to obtain access to uber-sensitive personal / corporate information. Corporate in-house documents, e-mails and more have been exposed to hackers. Organizations affected by the software’s vulnerability to domains configured as federated include Verizon, Vodafone and British Airways. Representatives from Kakavas report that the Office 365 flaw was surprisingly simple to exploit. The bug could have been present in the software since its release to the masses, or it could have transpired at any point in the meantime. In order to take advantage of the Office 365 weakness, a hacker merely needed a trial subscription to the software along with an installation of SAML 2.0 Identity Provider. An in-depth knowledge of SAML knowledge is not required to take advantage of the flaw. Once a SAML SSO is established with Office 365, the hacker is well on his way to infiltrating the user’s / company’s data. Hackers with extensive SAML knowledge have taken the hack to the next level by devising a tool that executes the attack automatically without requiring the SAML 2.0 Identity Provider. Yet the weakness is not strictly limited to individual sign-ons with SAML. Hackers have been able to execute the attack through Active Directory Federation Services as well. Our IT Service Can Protect Your Company’s Computer Hardware, Software and Networks {company} is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks and news. Contact us at {phone} or send us an email at {email} for more information.

A recent data breach investigation conducted by Verizon reported that cybercriminals have been intentionally taking advantage of human nature. These cyberthieves prey on natural human tendencies with attack patterns like phishing and a heightened use of ransomware. The details of this cybersecurity information were presented in the company’s highly respected and widely read 2016 Data Breach Investigations Report. Details From This Year’s Verizon Data Breach Investigations Report The newest version of the Verizon data breach report shows a series of repeating themes that align with findings from previous years, yet the report specifically highlights the growing trend of cyberattacks that target computer users’ basic human nature. The report states that nearly 90 percent of attacks are the result of financial / spying motivations. The vast majority of these attacks take advantage of existing vulnerabilities that have yet to be patched. This is quite the unfortunate fact, since patches for these vulnerabilities have been available for months and even years. All in all, the leading 10 vulnerabilities represent 85 percent of all successful attacks. More than 60 percent of known data breaches took place because the users’ passwords were easy to figure out or flat-out stolen. The report makes it quite clear that basic computer and network defenses are insufficient in the majority of contemporary organizations. Phishing Is on the Upswing The report also states that phishing attacks have increased at an alarming rate over the course of the past year. This tactic involves sending an e-mail from a phony source with the hope that the computer operator will open the message and be exposed to its digital attack. According to Verizon, nearly one-third of all phishing e-mails were opened, representing a 7 percent increase from last year’s report. It is interesting to note that 13 percent of those who opened phishing messages also clicked the malware attachments or links. After all, everyone loves to receive a message, and it’s only human nature to open correspondence, regardless of its medium. The Human Element Is the Overriding Theme of Modern-Day Hacks Human nature and human errors are clearly responsible for a growing number of computer hacks. Sensitive information is often sent to the wrong person. Phishing e-mails are quite tempting to open as we all want to know what’s in that mysterious message sent to our in-boxes. The common theme of these cyber missteps is the fallibility of human nature. Sure, some amazing advances in cybersecurity solutions have taken place over the past few decades, yet these high-tech tools can’t guard against natural human tendencies. Today’s Three-Pronged Cyberattacks The Verizon report keys in on the dramatic increase in three-pronged cyberattacks. These attacks are becoming much more commonplace as time progresses. Every organization should be hyper-aware of this style of attack. It begins with the transmission of a phishing e-mail that contains a link to direct the recipient to a harmful website. Sometimes, the message includes an attachment with malware rather than a link. The malware is downloaded, searches for sensitive information on the user’s computer, steals it and uses any available credentials to log into other websites such as e-commerce stores or banking sites. It is especially concerning that these hackers can steal information in very little time. Verizon reports that 93 percent of cases take only a few minutes or less to breach a user’s computer and steal his data / login information, etc. Help Is Available to Protect Your Digital Data {company} is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks and news. Contact us at {phone} or send us an email at {email} for more information.

There are too many ‘free’ anti-virus software packages out there nowadays. It always seems like such an amazing deal, right? Keep your computer and data protected for free! Why wouldn’t this be an awesome thing? If you do a bit of research on the ‘free’ anti-virus programs, some computer companies won’t even install them on their clients’ computers. This is because as always, there really is no such thing as free. So, why are these programs that are supposed to protect our computers not ‘free’? What makes them so bad? Let’s find out. PUPs PUPs doesn’t mean the furry little critters that you can go adopt at any shelter. Instead, it is the acronym for “Potentially Unwanted Programs.” This can be anything from toolbars for your browsers to driver updaters to optimizers for your registry and much more. There are quite a few problems with these things: They will ask you for money They can cause an awful lot of pop ups They will nag you to purchase something They will track you to try to sell to you They will slow your system down When looking at the eight top-rated free products when talking about anti-virus programs, an astonishing seven of them are bundled with PUPs. See, the vendors for the PUPs will pay the distributors of the software a small fee for each installation in order to get them bundled with the so-called ‘free’ anti-virus programs. They will then make even more money when they redirect you to their ‘safe’ search sites. Nagging Yet another thing to annoy you with these programs is that they will begin to nag you. Yes, even more than your mom did when it came to cleaning your room as a teenager. They are persistent with the nagging, too. After this has been going on for a while, it will start to feel like you can’t even go 10 minutes without them asking you to upgrade to their paid subscription. Some of them will even continue nagging after you purchase the paid version. They will want you to buy add-ins to optimize the paid version. This can take the form of “internet Security Suites’’ and any other type of product that you don’t need and certainly don’t want. They prey on users who will believe everything they read on the internet. They are the modern day version of snake oil or hair tonic salesmen. Privacy Take the time to actually read the privacy policy of one of these things and it might just scare you. Many of the free anti-virus programs collect all sorts of information about you…and what do they do with it once they have it? They collect: Information about your computer hardware Copies of your ‘potentially infected’ files Information about your email Information about possible infections Information about the websites that you visit Anything else they want to know If it is on your computer, they have access to it. Think about that for a moment. How do you feel about that? There are alternative solutions though. There is a program called Emsisoft Anti-Malware. This is software that is committed to not ever including any sort of PUPs. They also make your privacy a priority. You can get this as a one-year subscription or for longer. The bottom line is this: if you are looking at these programs and thinking about installing one, do your research first. Remember that if it looks too good to be true then it probably is.

If you own or manage a business, you have likely heard the term “information security compliance” before. Each organization has specific information security compliance duties that cannot be neglected. Let’s take a look at approaches to compliance, the importance of compliance and what happens when businesses ignore this obligation by performing what the IT industry has dubbed as “willful noncompliance”. Willful Noncompliance An organization that determines that abiding by regulatory compliance rules is not necessary will face negative repercussions. Though it might sound like a rare event, willful noncompliance is actually much more common than most assume. A surprising number of companies are willing to risk potential fines and hits to their reputation by bypassing these rules. These groups either view information security compliance as a massive hassle in terms of labor and logistics or they view it as too expensive. Sure, compliance is somewhat of a burden yet the failure to comply with existing laws and regulations has the potential to drastically reduce a business’s security and financial well-being due to hefty fines. There is No Standard Approach to Security and Compliance Obligations Those who are familiar with information security compliance efforts are quick to state that most organizations take their own idiosyncratic approach to this responsibility. Some play it completely by the book, documenting the organization’s compliance according to each provision of every nuanced regulation. Other companies have more of an informal approach to information security compliance by striving to stay within the boundaries of regulations. Such a loose approach is generally meant to comply with the spirit of regulations rather than the letter of the law. Other organizations use a unique combination of both of the approaches described above. Those who are experts in information security will testify that the majority of organizations perform a blend of these approaches in a concerted effort to keep their IT operations fully compliant with the law. Is Failure to Comply Really Worth It? The failure to adhere to information security standards is quite risky. It can result in a range of costly penalties from civil fines to prosecution in criminal court. The bottom line is that merchants that refuse to comply with the rules of PCI DSS will endure considerable financial penalties. In the worst case scenario, these non-compliant organizations will put their ability to engage in transactions involving credit cards at serious risk. Any individual or organization that is proven to have willfully breached HIPAA rules could face extensive jail time due to their inability to provide “due care.” The legal system labels such a failure to provide due care as “negligence.” In a nutshell, it is not prudent to neglect information security compliance. Just about every organization should view compliance as a requirement rather than a choice. In the end, the investment of money, time and effort in information security compliance is well worth it. Information Security Compliance Help is Available {company} is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at {phone} or send us an email at {email} for more information.

Originally released in October of 2001, Microsoft’s Windows XP quickly became one of the most popular operating systems in the history of personal computing. It featured a number of advancements over its predecessor from its completely redesigned and streamlined graphical user interface (GUI) to a number of features designed to bring businesses into the 21st century. It should come as no surprise that over a billion copies were estimated sold between 2001 and 2014 alone. Even though Microsoft has subsequently released numerous successors including the Windows Vista, 7, 8, 8.1 and Windows 10 operating systems, there are STILL millions of computers powered by Windows XP as of 2016. Make no mistake: this is very much cause for concern for a number of important reasons. Why Are People Still Using Windows XP? To simplify things as much as possible, there are two key reasons why millions of computer users – especially business users – still have computers with Windows XP in 2016. For starters, Windows XP was a legitimately groundbreaking operating system. It features an almost startlingly-intuitive user interface expanded multimedia capabilities and a deep level of hardware support that proved particularly valuable for business users. The second main reason, however is that XP’s successor Windows Vista received an incredibly poor reception early on. Despite the fact that Windows 7 and eventually Windows 10 were legitimate improvements, the damage had already been done. But rather than shell out huge amounts of money to switch to a competing platform like Mac OS X, business users in particular chose to just “stick with what they knew” and further entrenched themselves into the Windows XP ecosystem. To put this into a different perspective, there are more computers in the world running Windows XP than there are Windows 8.1 and all versions of Mac OS X combined. Why Is This a Problem? The fact that so many people are still using Windows XP is a problem for a very simple reason – Microsoft themselves has stopped supporting it. Mainstream support for the operating system ended in April 2009, meaning that home users would no longer be receiving updates. Extended support (an update track commonly employed by businesses) ended in April 2014. Updates are hugely important to an operating system, not just for fixing bugs and adding new features but also for addressing newly discovered security vulnerabilities. A company like Microsoft is in a never-ending security race. Whenever a hacker discovers a new vulnerability, Microsoft must work quickly to patch it. Hackers will then discover a new vulnerability that Microsoft will then close with this process continuing indefinitely. Because Windows XP is no longer supported and hasn’t received an update in years, this means that ALL newly discovered vulnerabilities are essentially permanent. Any computer running Windows XP in 2016 is essentially just waiting to be compromised. If that computer is connected to a business’ Intranet providing access to file servers containing confidential client information, you can begin to get an idea of just how big this issue really is. If you’re in {city} and you still have questions about why millions of people are still running Windows XP as an operating system, or if you’d just like to speak to a professional about how to best address your own business’ IT needs moving forward, please always feel free to call {phone} or email {email} to speak to someone at {company} today.

Microsoft has made its mark on the business world. It is one of the most essential computer programs used by businesses all over the world. Here are five ways Microsoft Excel is used in the workplace today. 5 Ways Microsoft Excel Is Used in the Workplace 1. Building Excellent Charts When you’re running a business, the ins and outs can be frustrating to explain, especially when you are making comparisons between companies and looking at results from one year to the next. A chart is one of the best ways to show your employees where the business stands in the mix. One way you can build excellent charts with Microsoft is by using formulas. When you are using formulas, you insert information into individual cells called rows and columns. You can sort, filter and create the columns any way you want to help with your presentation. Using formulas places emphasis on the points you are trying to make during your presentation. 2. The Best of Conditional Formatting Formatting a spreadsheet has never been easier with Microsoft Excel. Using conditional formatting — a variety of fonts, italics and bold emphasis on fonts, and different colors — is a great way to highlight important data and separate other instances to help you prove a point. With conditional formatting, users can compare values and lists and expose any duplicates. 3. Trend Identification When it comes to business, trend identification is essential, and to identify specific trends, you need charts and graphs. You can add lines to showcase key trends from the information you provide. One of the greatest perks of trend identification is that it provides the ability to make predictions for the future. When your business can make predictions of this nature, you can set your business up to handle upcoming changes. 4. Data Collection Microsoft Excel allows you to bring data together by putting different files and documents together. When you are collecting data, you can not only collect raw data, you can also include images and text. If you would like, you can add additional spreadsheets for the ultimate data collection to showcase and switch between tabs. 5. Access to the Internet Online access ties everything together. Employers and employees can view files and documents from more than one device, thanks to Microsoft’s Office 365 productivity suite. Information can be viewed from any PC, tablet, smartphone or laptop that is Internet capable. Microsoft Excel Tips One of the first things you want to do in Excel is to learn how to use pivot tables, including the report filter, column labels, row labels and value. The report filter allows you to single out rows in your data by filtering certain data. Column rows can be used as your database headers, and row labels can be used to insert data for specific headers. You can use value to average, count, min, sum and many other manipulations. It’s in your best interest to use more than one row and column, because it allows you to expand your data and include more information. Inserting information one by one is time-consuming and can be frustrating. Using filters is important, especially when you are working with data sets on a large scale. Filters help you find exact information without skimming the entire spreadsheet and wasting time. When you use Microsoft Excel, you are allowed to filter every column of data. These are a few Microsoft Excel tips and benefits of using the software. You can organize your business and become more productive than you ever imagined when you use Microsoft Excel in the workplace. {company} is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news with Microsoft Excel. Contact us at {phone} or send us an email at {email} for more information.

FireEye, a network security firm based in Milpitas, California, recently issued a report detailing how malevolent hackers are using Google Docs and PowerShell to transmit a Trojan virus referred to as “Laziok”. Anyone who owns or manages a business should be aware of this Trojan attack. Even those who use personal computers at home for non-business purposes are vulnerable to the attack as well. About the Laziok Trojan Attack The Laziok Trojan was first identified a year ago when employed in a multi-tiered attack against energy companies across the Middle East. The virus was actually pinpointed on a Polish hosting service website used by those energy businesses. Laziok is best described as a combination of a program that steals information and a reconnaissance tool. The malware was employed through a threat group’s exploitation of an antiquated Windows weakness tracked with the label of “CVE-2012-0158”. This vulnerability implements the Trojan directly onto users’ computers. Google Docs and Laziok The FireEye report indicates that hackers apparently devised a highly creative method of bypassing Google’s stringent security checks. The hackers then uploaded the Laziok Trojan to Google Docs. The malware was originally uploaded last March and remained in place until FireEye made Google aware of its presence. Google regularly scans and blocks potentially harmful content on Google Docs to prevent such malware from harming its customers’ computing devices. It was widely assumed that Google Docs users would not be able to download malicious files from the popular file sharing / editing service until Laziok hit. It is clear that the malware found a way to slide in past Google’s extensive security scans. Thankfully, the malicious file has been successfully removed by Google so that users can no longer fetch it. How the Laziok Trojan Attack Occurs The attack was launched by uploading a highly complicated JavaScript code to take advantage of the aforementioned Windows vulnerability that is now being referred to as “Unicorn”. A VBScript was used to exploit the vulnerability upon users’ requests to access the particular page in question through the popular web browser Internet Explorer. Attackers relied on a means of exploitation referred to as “Godmode” that permits code written with VBScript to compromise the web browser’s sandbox. The script then proceeds to leverage Microsoft Windows’ PowerShell, a management program that automates and configurates computing tasks. PowerShell has been regularly abused by cyber thieves, especially throughout the past couple of years. PowerShell is used to download the Laziok Trojan from Google Docs and promptly execute it. This management framework is also favored by hackers as it is able to quickly and easily evade anti-virus software as it injects payloads right into memory. After infecting a computing device, Laziok proceeds to gather extensive information about the system including all of its antivirus programs. IT Assistance for Small to Medium Sized Businesses {company} is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at {phone} or send us an email at {email} for more information.

In the world of cyber security, no topic is more important (or more derided) than that of passwords. Passwords are everywhere. They help personal users log into their online banking information, give system administrators in a business access to mission-critical file servers and more. Passwords as a concept are inherently secure; they’re the first line of defense between the user and an attacker who wants to do harm. The thing that makes passwords such a hot-button topic, however, ultimately rests with the users themselves. Simply having a password is not enough to keep anything safe in the digital age. Having a strong, complicated password is – but for many users, even in the world of business, this is often a lot easier said than done. The Problem with Passwords A number of studies are done on an annual basis which take a deeper look into the password-creation habits of users all over the world. One trend is overwhelmingly clear: users prefer simple, almost generic passwords above any other kind. Two of the most commonly used passwords are “12345” and “password” which, while they are technically passwords, pose a number of challenges that cannot be ignored. First, something like “12345” is incredibly easy to guess. You don’t even have to be a “hacker” in the strictest sense of the term to guess that password, you just have to try it out and get lucky. Another issue presented when a person uses a weak password is that it IS possible for sophisticated computer software to “guess” these terms or phrases during a brute force attack, unlocking the associated account in a startlingly short amount of time. When a user employs the password “12345” for their favorite movie-related website, that’s one thing. When a business user has the password “12345” on an online account holding important client financial information, you can begin to get an idea of just how serious this issue really is. Not All Passwords Are Created Equally One of the most important ways to remain safe in today’s online environment is through the creation of STRONG passwords that are a combination of not only numbers and letters, but also special symbols. “Aardvark1” may seem hard to guess to a human, but a computer can do it in a couple of minutes. “A@rdvark1!”, on the other hand, complicates things greatly and makes the password more difficult to crack. For the best results, a password shouldn’t actually be a word at all. The strongest passwords are not only long (many experts recommend a minimum of 12 characters), but are also completely incomprehensible. Something like “a2398urasdf&#()$+” would take years for even a powerful computer to come remotely close to guessing. The problem, however, is remembering dozens of complex passwords. Password managers were created for this exact purpose, as not only do they give users the ability to automatically generate strong passwords, but they then keep a record of all these passwords in a secure database so that users can refer to them in seconds when logging in online. If you live in {city} and would like additional information about how to make the types of strong passwords that will keep you and your private data safe, or if you’d like to sit down with someone and discuss any other IT and technology-related needs you may have, please don’t hesitate to call {phone} or email {email} to speak to someone at {company} today.

Emails masquerading as notifications from Financial Institutions are an ongoing challenge for consumers. While variations of this type of fraud attempt pop up all of the time, these “phishing” emails have become a regular occurrence. Remember that criminals are behind phishing emails. Their intention is to get at your personal information which they may use to commit financial fraud or identity theft If you are unsure if an email request is legitimate or not, take a few moments to verify the request before you give out information or click on a link. Just ensure that you verify the request using another source, not a source that is provided within the email itself. Remain wary of unsolicited email and always be cautious in your online activity. Those simple steps can help protect you from falling victim to a scam. Your best defense against these email scams remains knowing how to recognize them: 1. Phishing emails do not only begin with a generic greeting such as “Dear Client”. They can also address you directly by name or email address. 2. Beware of emails requiring your “immediate action” in order to prevent a service from being shut down unless you log on “now” or enter your personal, financial or credit card information. These are classic phishing email techniques and should always be viewed skeptically; 3. Be suspicious of all unsolicited emails that request personal information, even if you recognize the name of the sender. Though that email may contain your name and other information that applies to you, it may still be a scam; 4. Don’t be fooled by emails that offer “too good to be true” enticements, 5. Email scams regularly take advantage of timing and promote fraudsters’ phony websites: a. when tragic incidents occur, fake charity sites pop up; b. when “juicy” stories make the news, websites promising the latest pictures or information quickly surface; c. for sporting events, phony websites offer amazing deals on seating; d. on occasions such as tax season, emails try to scare you into entering personal information on a fake website; e. for annual holidays, fraudsters’ websites promise “unheard of” shopping deals. The goal of all of these scams is to get you to click on a link or access the fraudsters’ website. The result could be an automatic attempt to secretly load malicious code to your computer. Or the email or website could contain convincing tactics to get you to enter your credit card or other personal information that could be used to commit financial fraud against you. Charles J. Hammett Jr. President – CEO Hammett Technologies, LLC Office: 877-659-4399 x1201 | Fax: 443-408-6333