Are your site’s images hiding an attack?

ImageMagick, one of the internet’s most widely used image processing services, is susceptible to attacks that may put your site at a huge risk of exploitation, according to recent reports. The discovery of this vulnerability means attackers could potentially steal your site’s data, or corrupt it entirely. Let’s take a look at what your SMB should be doing to protect itself from this security flaw.

What is ImageMagick?

ImageMagick is a tool that allows sites to easily crop, resize, and store images uploaded by third parties. Vendors continue to improve user interfaces and experiences by consolidating functions into all-in-one packages, which means administrators are becoming increasingly unaware of what specific services they are actually utilizing. ImageMagick is deeply integrated into countless web services and many webmasters may not even be aware they are using this unsafe software.

How can an image make my site vulnerable?

Recently, it was discovered that images can be uploaded that force ImageMagick to execute commands, permitting attackers to remotely insert harmful code into vulnerable sites. Images are actually made up of complex code that is translated into photos, icons, etc. Different file types use what are called “Magic Numbers” to identify themselves. Manipulating these numbers allows attackers to exploit a flaw in ImageMagick. The service scans the uploaded file, and attempts to decode the source information whenever it detects the file is not what it claims to be. Scanning that code and attempting to correct the file type mismatch can then trigger whatever was hidden inside the image and result in remote command execution on your site.

How should I protect my site?

ImageMagick has admitted knowledge of the security flaw and promised to release a patch very soon. Until then, experts advise implementing multiple workarounds to keep your systems safe. However, if you’re not well acquainted with your web server and its code, then it’s wise to consult an expert instead of attempting these changes on your own.

For those who are familiar, follow these steps. The first is to temporarily incorporate lines of code that preemptively block attackers from exploiting these holes. Those lines of code, and where to insert them, can be found here.

The next step is double checking that any image files utilizing the ImageMagick service aren’t hiding any harmful information. This can be accomplished by opening an image file with a text editor, and checking for a specific set of letters and numbers at the beginning of the text that define what type it is. The list of these “Magic Numbers” can be found here, and will reveal if an image is hiding its true purpose.
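The magic-number check described above can be automated so that a file is inspected before it ever reaches ImageMagick. The following Python script is an added example, not code from the original article; the signature table covers a few common formats, and the function names and sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Leading bytes ("magic numbers") of a few common raster formats.
SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"],
    "tiff": [b"II*\x00", b"MM\x00*"],
}

# Extensions the site is willing to process, mapped to the format they claim.
ALLOWED_EXTENSIONS = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".bmp": "bmp", ".tif": "tiff", ".tiff": "tiff", ".webp": "webp",
}


def sniff_format(header):
    """Return the format named by the file's first bytes, or None."""
    for fmt, signatures in SIGNATURES.items():
        if any(header.startswith(sig) for sig in signatures):
            return fmt
    # WebP is a RIFF container: "RIFF", four size bytes, then "WEBP".
    if header[:4] == b"RIFF" and header[8:12] == b"WEBP":
        return "webp"
    return None


def check_upload(path):
    """Compare the claimed extension with the real signature.

    Returns (verdict, reason); verdict is "accept" or "reject".
    """
    path = Path(path)
    claimed = ALLOWED_EXTENSIONS.get(path.suffix.lower())
    if claimed is None:
        return "reject", "extension is not on the allowlist"
    with path.open("rb") as handle:
        actual = sniff_format(handle.read(16))
    if actual is None:
        return "reject", "no known image signature at start of file"
    if actual != claimed:
        return "reject", f"extension claims {claimed}, content is {actual}"
    return "accept", f"signature matches {claimed}"


def run_constructed_samples():
    """Write constructed sample files to a temp dir and check each one."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "avatar.jpg": b"plain text saved with an image extension\n",
        "banner.gif": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "logo.webp": b"RIFF\x10\x00\x00\x00WEBPVP8 ",
        "notes.txt": b"GIF89a" + b"\x00" * 10,
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            target = Path(tmp) / name
            target.write_bytes(data)
            results[name] = check_upload(target)[0]
    return results


if __name__ == "__main__":
    for name, verdict in run_constructed_samples().items():
        print(f"{name}: {verdict}")
```

A matching signature only shows that the first bytes agree with the extension, so this check complements the workarounds and the patch rather than replacing them.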

Ideally, administrators will halt all image processing via ImageMagick until a patch is released from the developers.

Data security is one of the most crucial aspects of any SMB. However, keeping up with the constant flow of security exploits and patches can be overwhelming for administrators of any ability level. Why not contact us to learn more about keeping your network secure and protected from exploits like this one?

Published with permission from TechAdvisory.org. Source.

Understand these 4 types of hackers

Know thy enemy. When it comes to hackers, most business owners get hung up on the technical and mechanical details of a cyber attack, forgetting another important aspect: motive. Why are they attacking people and organizations in the first place? And who are they targeting? By answering these questions you’ll have a better understanding of what resources need the most protection in your business.

Script Kiddies

When it comes to skill level, Script Kiddies are at the bottom of the totem pole and often use scripts or other automated tools they did not write themselves – hence the name. With only an elementary level of technical knowhow, Script Kiddies usually don’t cause much damage…usually. The Script Kiddie virus known as the Love Bug, which sent out an email with the subject line “I LOVE YOU”, fooled millions of people, including some in the Pentagon, in the early 2000s. The virus reportedly caused around 10 billion in lost productivity and digital damage.

So who is a Script Kiddie? Most of the time they’re simply bored youth looking for a thrill or notoriety. Many never evolve into a full-time hacker, and instead just use their skills as a hobby. Oddly enough, many Script Kiddies find a career later on working in the security industry.

Hacktivist

If you’ve heard of Anonymous, LulzSec or AntiSec, then you’re familiar with Hacktivists. These groups are made up of members of varying skill levels, all the way from Script Kiddies to some of the most talented hackers in the world. Their mission is largely politically motivated as they aim to embarrass their targets or disrupt their operations, whether that be a business or government body. Two of the most common ways they attack their target are by stealing sensitive information and exposing it, or by distributed denial of service (DDoS), where a server is overloaded until it finally crashes.

As a small or medium-sized business owner you are not necessarily immune to Hacktivist disruption. If your business or a company you’re associated or partnered with participates in or provides services that can be seen as unethical, such as Ashley Madison (who fell victim to a major Hacktivist attack last year), then you too may be targeted by Hacktivists.

Cyber Criminals

Often talked about in the media and well-known by most SMBs, cyber criminals are after one thing: money. Their targets run the gamut, including everyone from individuals to small businesses to large enterprises and banks. But what do these targets usually have in common? They either have a very valuable resource to steal or their security is easy to exploit…or a combination of both of these. Cyber criminals can attack in a number of ways including using social engineering to trick users into providing sensitive information, infecting an organization or individual with ransomware or another form of malware, or exploiting weaknesses in a network.

Insiders

Perhaps the scariest type of hackers are the ones that lurk within your own organization. Insiders are made up of disgruntled employees, whistleblowers or contractors. Oftentimes their mission is payback; they want to right a wrong they believe a company has perpetrated toward them, so they’ll steal sensitive documents or try to disrupt the organization somehow. Edward Snowden is a prime example of an insider who hacked his own organization – the US government.

Now that you know what motivates your enemy, you’ll hopefully have a bit of an idea as to whether or not you’re a target. To learn more about how to secure your business from these types of hackers, get in touch with our experts today.

Published with permission from TechAdvisory.org. Source.

Improved email security for Office 365

While you can take many security precautions to protect your organization, a cyber attack is always possible because of human error. Microsoft, however, is trying to change this. In the coming weeks, the technology giant plans to launch a new security feature for Outlook, but only if you’re an Office 365 user. Here’s how it can help your business.

Aptly called “Safety Tips”, Microsoft Office 365’s new security feature is designed to help make your employees (and yourself) more aware of which emails may contain harmful content. By analyzing the data patterns of millions of emails, the feature uses a color-coded bar at the top of an email to help you determine what emails are safe, suspicious, or fraudulent.

How it works

Safety Tips uses a simple system to help you identify the safety level of an email quickly. The system consists of four colors that categorize an email as suspicious, trusted, safe or unknown. The details of each of these categories are outlined below.

Suspicious email
Color label: Red
Description: This has either failed sender authentication or is a known phishing email. These messages should be deleted.

Unknown email
Color label: Yellow
Description: Exchange Online Protection marks this type of email as spam. However, you can move this item to your inbox by clicking “It’s not spam” in the yellow bar.

Trusted email
Color label: Green
Description: If this email comes from a domain Microsoft deems safe, then it falls into this category.

Safe email
Color label: Gray
Description: This type of email has either been marked safe by the user’s organization, has been moved from the junk folder into their inbox by the user, or the email is from a contact on the user’s safe sender list.

Color coding will look different between the Outlook app and Outlook for the Web. In the Outlook application, only suspicious emails will be flagged, whereas in Outlook for the Web all four types of emails will be color-coded. However, it should be noted that most emails won’t have any color code as they’re only added when Microsoft thinks they’re relevant.

With hackers getting smarter by the day, and human error a roadblock to a secure business, this new feature will hopefully add an extra layer of security to your organization. If you’d like to learn more about Office 365 or other security services we offer, get in touch today. A more secure business awaits.

Published with permission from TechAdvisory.org. Source.

Tips to monitor employee activities online

Whether or not to monitor your employees’ computers can be a tricky decision. While part of you may think it’s unethical, you also may question if your staff are spending too much time on non-work related activities, and taking advantage of you in the process. So, should you monitor? Here are some pros and cons of monitoring, and some tips to effectively do it if you decide it’s right for your business.

The case for monitoring

There are a number of reasons why monitoring your employees is a good idea. Doing so can help you:

  • Protect your organization from data theft or harm – because some disgruntled employees may try to steal from you or corrupt your data.
  • Ensure you have a harassment free workplace – because cyber harassment (sexual or otherwise) happens among employees.
  • Ensure staff are complying with policies – not downloading illegal programs or spending time on websites with illegal or hostile content.
  • Provide evidence in case of a lawsuit – heaven forbid this happens, but if an employee participates in illegal activities on your business’s computers, monitoring can provide evidence of it.

The sad fact of the matter is that many businesses who monitor end up discovering that employees are doing things they’re not happy about. Research by Nancy Flynn, the executive director of the ePolicy Institute in Columbus, Ohio, revealed that two thirds of companies monitor their employees, and half of them have fired employees due to their behavior on email and the web.

Cons

Of course there are some potential downsides to monitoring that you should be aware of as well. These include:

  • Productivity loss – monitoring can kill employee morale, and therefore you may see a hit in their productivity if they feel you distrust them.
  • TMI and lawsuits – you’ll likely learn about the personal lives of your employees that you would’ve never known about had you not monitored. You may discover their political or religious views, sexual orientation or medical problems. This could potentially open up your business to privacy or discrimination issues if you or your management team act negatively on this information.

Monitoring guidelines to follow

If you decide to monitor your employees, here are a few tips you should follow.

1. Create written policies

When you decide to monitor, ask yourself, are you doing it for security purposes? Is it to ensure your employees are not wasting large amounts of time on social media? Whatever the reasons, it’s smart to balance your policies with the expectations of your employees. If you’re too strict with your monitoring, you could create that atmosphere of distrust we mentioned above. So set guidelines for acceptable use of email, social media, web surfing, instant messaging, and downloading software and apps. Also, in your policy, include how monitoring will be carried out and how data will be secured or destroyed.

2. Tell your employees

It’s important to inform your employees about your monitoring. If they find out you’re doing it without their knowledge, you could create resentment among them or even face legal issues. And just by letting staff know, you may actually see a boost in productivity as it could deter them from wasting time on the web.

When you tell your employees, explain why you’re doing it and the risks your business faces from misuse of digital assets. Reassure them you’re not doing it to spy on their personal life, but only attempting to create a compliant and law-abiding workplace. Because their activities will now be less private, encourage your staff to keep their personal communication to their smartphones. Also, provide a copy of your written policy to employees to read over and sign.

3. Get the right technology tools

While there are many technology tools to monitor your employees, bear in mind, you don’t need to follow their every move. In fact, you shouldn’t as it will not only waste your time, but also cause you to find out more information than necessary. So look for technology that will alert you to potential problems, so you can focus on more important things. Lastly, you may also want to consider technology that can block certain content, like porn or hate websites, as employee access to this content could create larger problems.

Whether or not to monitor your employees can be a tricky decision but, if implemented correctly, could benefit your business in making it more secure and even more productive. For more information about security and other IT support tools, get in touch. We’ll make our best effort to help however we can.

Published with permission from TechAdvisory.org. Source.

Get Office 365 switch security right

It’s easy to see why Office 365 is an attractive solution for small and medium-sized businesses already familiar with the Office interface. More and more companies are making the move to the cloud, but many have yet to complete their transition and still rely at least in part on on-site SharePoint systems. When you’re ready to migrate, the move from SharePoint to Office 365 presents numerous security challenges to prepare for – not least because breaches are far more likely to be caused by localized issues than insufficient protection on Microsoft’s part. Here’s what you need to do to ensure you’ve got security covered when you make the leap to migrating from SharePoint to Office 365.

Identify your company’s sensitive data…

It’s so easy to create sites within SharePoint that businesses often have far more than they realize, covering just about every aspect of their operations. And it’s natural, of course, for at least some of the files housed within those sites to contain sensitive commercial or personal data. The key is ensuring that sensitive information is adequately identified and protected. Do this by conducting a security audit before you undertake your migration.

Your audit should identify the types of data stored in the various parts of your SharePoint network, including which specific information needs extra safeguarding. Be sure to consider everything from trade secrets and contract details to the personal information of your clients.

…and then restrict access to it

Once you’ve worked out where your most precious data lies, you can check who currently has access to it and whether their access is appropriate. After all, it’s not necessary for everyone to be able to get at all the data your company owns; it’s far better to operate on a need-to-know basis, with a reasonable level of flexibility.

Ensure that each of your employees has access only to the data that’s necessary for them to perform their duties. When you make the switch to Office 365, you’ll find that it allows you to conveniently set these different levels of permissions, including for external partners with whom you collaborate.

Trust nobody and suspect everybody

We say that lightheartedly, of course – it would be counterproductive to become so security-paranoid as to suspect everyone is attempting foul play with your company’s data. Nonetheless, it’s wise to consider everyone in your organization when it comes to auditing data access permissions – and that includes system administrators who might be assumed to have master access to every element of your network infrastructure.

A rogue administrator is the stuff of nightmares, since their elevated position gives them much greater leeway to siphon off valuable data without being noticed – or even to allow others to conduct questionable business and bypass the usual built-in security precautions. Overcoming the danger of an all-too-powerful administrator admittedly becomes easier if you have more than one on staff, but even in smaller businesses you can mitigate some of the risk by regularly checking on your administrator’s usage and ensuring that their top-level system permissions remain justifiable.

Use machine learning to foresee security breaches

Every action performed by your staff within Office 365 is automatically logged, and with relative ease you can pull reports that allow you to analyze these. But the sheer number of events taking place within Office 365 in the course of your business’s normal operations means that even attempting to identify questionable behavior will be akin to the proverbial needle and haystack. That’s not to say it’s unwise to be on the lookout for anomalies in normal usage – the export of unexplainably large volumes of data, for instance, could suggest that a member of your team is leaking intelligence to a competitor, or that they’re about to jump ship and take your trade secrets with them.

Thankfully, it’s possible to leverage the developing power of machine learning to identify potential breaches before they happen – without the need to wade through unmanageable swathes of perfectly normal data. Graph API is incorporated into Office 365, and allows for the integration of machine learning tools into your security environment to achieve just that. The same tools can also help you avoid being caught out by hackers, by identifying system login attempts from locations that are out of the ordinary; you should bolster this protection by religiously removing inactive accounts and those of departing employees.
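The two anomalies mentioned above, an unusually large export and a login from an unfamiliar location, can be caught with a simple per-user baseline. This Python example is added here and is not from the original article; it uses a median-based threshold rather than machine learning or the Graph API, and the event fields and sample records are constructed, not the Office 365 audit schema.

```python
from collections import defaultdict
from statistics import median


def make_events():
    """Constructed sample: six days of activity for two users."""
    volumes = {"alice": [10, 12, 11, 9, 13, 900],
               "bob": [50, 55, 48, 52, 60, 51]}          # MB downloaded per day
    logins = {"alice": ["US"] * 5 + ["BR"],
              "bob": ["US", "CA", "US", "CA", "US", "CA"]}  # login country per day
    events = []
    for user in volumes:
        for i in range(6):
            day = f"2016-05-{i + 1:02d}"
            events.append({"day": day, "user": user, "op": "login",
                           "country": logins[user][i]})
            events.append({"day": day, "user": user, "op": "download",
                           "mb": volumes[user][i]})
    return events


def flag_bulk_exports(events, k=6.0, min_spread=1.0):
    """Flag days whose download total is far above the user's own norm.

    The norm is the median daily total; the spread is the median absolute
    deviation (MAD), which one extreme day cannot inflate the way it would
    inflate a mean and standard deviation.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for event in events:
        if event["op"] == "download":
            totals[event["user"]][event["day"]] += event["mb"]

    flagged = []
    for user, per_day in totals.items():
        values = list(per_day.values())
        centre = median(values)
        spread = max(median([abs(v - centre) for v in values]), min_spread)
        limit = centre + k * spread
        flagged += [(user, day, mb)
                    for day, mb in sorted(per_day.items()) if mb > limit]
    return flagged


def flag_new_locations(events, min_history=3):
    """Flag a login from a country the user has not logged in from before.

    The first min_history logins per user only build the baseline, so a
    new account does not raise an alert on every early login.
    """
    seen = defaultdict(set)
    count = defaultdict(int)
    flagged = []
    logins = [e for e in events if e["op"] == "login"]
    for event in sorted(logins, key=lambda e: e["day"]):
        user, country = event["user"], event["country"]
        if country not in seen[user] and count[user] >= min_history:
            flagged.append((user, event["day"], country))
        seen[user].add(country)
        count[user] += 1
    return flagged


if __name__ == "__main__":
    sample = make_events()
    print("bulk exports:", flag_bulk_exports(sample))
    print("new locations:", flag_new_locations(sample))
```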

By covering these essential security considerations when it comes to your migration, you’ll be one step closer to ensuring you strike the right balance between the powerful collaborative features of Office 365 and the robust safeguards your business’s integrity demands. To find out more about how we can help your Office 365 migration run smoothly, or what other business benefits you can derive from cloud-powered technologies, just give us a call.

Published with permission from TechAdvisory.org. Source.

4 things you should know about the cloud

From hosting websites, email, applications and online file storage, the cloud has become a popular alternative to traditional IT services among businesses. In fact, it is almost impossible to find a company’s data center that does not employ cloud-based services of some kind. However, reported incidents of cloud hacks and server failures can lead some small business owners to be wary of a service that still has much confusion surrounding it. So what are these common misconceptions about implementing cloud computing into a business? Here are a few myths people believe about the cloud.

Cloud infrastructures are unsecure

Security is a necessity for online users. And the most prevalent misconception about the cloud is the idea that cloud services lack appropriate security measures to keep data safe from intruders. Most users also think that the data stored in the cloud can be easily accessed by anyone, anywhere and at any time.

But the truth is it’s actually a good idea for small businesses to use cloud services. Small companies usually can’t afford to hire an IT department let alone train them to deal with online security threats. Cloud providers, on the other hand, offer services such as layered security and antivirus protection that not only specialize in keeping infrastructures safe from hackers but are available at a price that is much lower than you would pay for in-house IT staff.

Additionally, large cloud-based services such as Google Apps for Work and Office 365 are supported by an infrastructure that constantly installs, updates and patches, which helps manage security breaches. This significantly frees you from the burden of having to install the updates yourself and managing the overall security of your system.

Users should understand that no company is completely safe from security threats regardless of their IT infrastructure. But data is likely to be more secure in the hands of cloud providers as they are the most prepared and qualified to protect your digital property.

Encryption

There is a misunderstanding about the role of encryption, or rather how it is implemented to keep your data safe. Encryption is usually used for data in transit, where data is protected from anyone seeing it as it travels from one location to another on the Internet. But encryption can also be applied to data at rest, where data is encrypted on a storage drive.

While cloud service providers already keep their physical storage drives well protected, some keep the decryption key held in software, potentially leaving the key vulnerable to intruders. If hackers were to successfully obtain the decryption key, they could simply access your encrypted data. That’s why some cloud storage services are much better than others in terms of keeping your data protected.

With this in mind, you should understand that while every cloud service highlights their data security by demonstrating their encryption abilities, it does not necessarily mean that a cloud-based service that markets itself as such is right for you. When it comes to choosing the right cloud service, it is best to inform yourself about the security measures that a cloud infrastructure implements and look at how it can protect your company’s digital property.

With the cloud you are no longer responsible for data security

While cloud security is important, the responsibility for protecting data ultimately rests on the user. Misplacing mobile devices can leave your data vulnerable and make the cloud infrastructure insecure. It is also recommended to have verification mechanisms in place for devices that are used to access the cloud.

Losing USBs or external hard drives obviously leads to direct data loss and can be easily remedied by backing up your files. This applies to files stored in the cloud as well. So be smart, and back up your files because it’s better to be safe than sorry.

The cloud is never faulty

Like many online services, cloud-based services are not immune to technical difficulties. For example, some cloud businesses have suffered outages and server failures which corrupted files and may have lost data in the process.

Hacking is another reason why some cloud services fail. Using a less than optimal cloud service that is vulnerable to attacks can lead to stolen or deleted data, which would be near impossible to recover if you did not have any offline backups.

Regardless of these flaws, however, it is vital to note that using the cloud as your only source of data storage and processing can lead to problems in the future. Keeping backups of your files is always a good idea.

Security is truly one of the biggest barriers to the adoption of cloud computing in a small business. But as cloud services expand and encryption technologies advance, cloud adoption is increasingly becoming the most cost-effective solution to meet the small business owner’s IT demands. Contact us today to learn how your business can take advantage of all the cloud has to offer.

Published with permission from TechAdvisory.org. Source.

Follow up on WordPress security plugins post

I just wanted to write a quick follow up to the blog I wrote last week about a few plugins I was using for WordPress security in light of the global WordPress brute force attacks taking place. The good news is the Wordfence plugin does a great job blocking people trying to log in to my site. The bad news is either the Stealth Login Page plugin doesn’t work or somehow people are easily guessing my question and answer phrase to get to my login page, which seems hard to believe. I’m thinking there must be some other way to bypass it.

Because of this, I first removed the Stealth Login Page plugin and installed AskApache Password Protect. This requires you to create a separate user account and utilizes .htaccess to secure wp-admin and wp-login.php. When you attempt to log in to the WordPress admin page, you are prompted by your web browser for one login. Then if you enter that properly, you are prompted for the normal WordPress login. There are other security features to the AskApache plugin, but I quickly broke my site trying them out, so I won’t touch on them.

This seemed to be a good option until I saw a post from Matt Hartley on Google+ mentioning a two-factor authentication option for WordPress. That plugin is put out by Duo Security and it sends you an SMS text after you log in for the second phase of authentication to your WordPress blog. You can configure it to remember your computer for a specific period of time, so you won’t have to do this every time you log in.

The plugin was fairly simple to set up, and so far it seems to work great. The service is free for up to 10 users. If you want to set it up, you can find instructions here.

A couple WordPress security plugins

First, let me say I am no WordPress expert. I can set it up and make my way around it to do the things I want to do, like this blog and my other blog playingwithpython.com. Being a network/systems guy, I’m always worried about security. With WordPress there are a few concerns I had that are nicely addressed by a couple plugins that I think everyone should have.

1.  Many sites are used to spread malware without even knowing it. To protect against this, you can use WordPress File Monitor Plus. This plugin scans your site for changed files and alerts you when something has been altered. You can then clear the alert if it is OK, or take action to correct your site. Another plugin Wordfence keeps a copy of every WordPress version and every theme on their servers, and they scan your installation comparing it against their database to see if any files have been changed or tampered with. If you alter a file, you can tell it to ignore that change until it changes again. They also scan for many of the known malware.

2.  Unlimited login attempts. By default, WordPress allows unlimited login attempts, so anyone can sit there and pluck away trying to get into your site. Hopefully, you have a strong password, but if you have multiple users, do you know for sure everyone does? Also, if there are no limits on logins, it might not matter how good your password is if a hacker has unlimited attempts to figure it out. To address this, you can load the plugin Limit Login Attempts or Wordfence. Both have settings where you can specify how many bad attempts are made before an account is locked. Both have minor differences in the options, but both are much better than allowing someone to keep trying to get into your site.

3.  Lastly, it’s probably worth changing the default wp-admin login page. This may not seem like a big issue, but it’s just another layer to avoid someone possibly logging into your site. I found a few pages showing how to do this by editing .htaccess, wp-config.php, etc., but that seems like a bit much for something that should be fairly simple, not to mention I couldn’t get it to work (wawawawa). Instead I opted for the plugin, Stealth Login Page. This plugin lets you mask your wp-admin login page. You specify a url to redirect users who attempt to access http://yoursite/wp-admin. For instance, you can redirect them back to your main page. After that, you specify a question and an answer. This will make up the url you will use to actually get to the login page. For example, if your question is “whoami” and the answer is “nobody”, your login page would be http://yoursite/wp-login.php?whoami=nobody.

As you can see, these are just a few low hanging fruits in the security picture, but I think they’d help secure your site fairly well. Wordfence does a lot more than what is mentioned here, including scanning your site for various vulnerabilities. By using numbers 2 and 3 together, you not only force someone to guess your password, but they’d also have to guess your question and answer.

If you have any other solutions or WordPress security concerns, I’d be interested in hearing them in the comments.