Tis the Season for Malware & Phishing

A Wolf in Sheep's Clothing

During every holiday season there is an unfortunate surge in malware and cybercriminal activity. As we, the lawful consumers, gear up to show our thanks and generosity to our friends and family, cybercriminals lie in wait to thieve at every email, page and click. With this persistent threat in mind I offer a few simple tips to keep your information, identity and financial health intact. These threats come in many forms; they will look legitimate but most certainly are not. Just like the wolf in sheep's clothing shown above, you might not spot them at first glance. Here are a few examples you may see:

  • A cute but pernicious “free” screensaver forwarded by a friend
  • A falsified notice from your bank, eBay or Amazon about your account
  • A bogus friend request from Facebook, LinkedIn or elsewhere

All of these things may show up in a multitude of places, but most often they arrive by email, on a website, or in a social media setting. Phishing arrives via email and redirects the user to a fraudulent website that looks much like (or exactly like) the real thing. Malware is the overarching term for bad programs which do highly pernicious things and exist in countless forms: trojans, rootkits, viruses, keyloggers, spyware, etc., all of which you want to avoid at all costs. These are delivered via endless channels of websites, emails, social media and more. In all cases, I suggest you think seriously before you click and take a few steps to reduce your risks by doing what I detail below.

  • Trust not, click not. Trust no communication, application or update unless you can validate its source.
  • Don't read/open/click on spam, IMs, websites or social media content that you do not know or trust. If an email seems suspect do NOT open it. Delete it. Then open a new browser window and go directly to the organization in question, or call them and ask them to clarify the issue using the number listed on their website.
  • Back up your data to external disk, CD, DVD and/or internet backup (encrypted in transit and at rest). At least two forms of backup, one local and one remote, are important. Businesses should always have automated and managed backup services to ensure they have an option to recover should an unfortunate situation arise. This should be a part of any disaster recovery and business continuity effort.
  • Don’t run EOL (End of Life) software. Don’t run software that is unpatchable due to the manufacturer discontinuing support.  Ex. Windows 95/ME/2000/etc. and even XP(as of 04/14) or Apple OS 8/9.
  • Patch your system. Windows (Windows Update), Apple OSX (Systems Update). On your personal machines set your systems to auto-update.  Companies should have some form of patch management in place to actively patch desktops, servers and networking devices.
  • Patch third party applications. Most important of these is browsers, email applications, Adobe applications such as Acrobat Reader, Flash and Oracle Java.  In a business environment patch management should address ALL applications with active effort to patch them on a scheduled basis.
  • Least privilege. Run as a regular user, not Administrator/Root. Windows (Standard User), OSX (Standard User). This simple step will reduce your risks quite a bit.
  • Use strong passwords & password managers. >12 alphanumeric characters, not a word in any language.
    RoboForm (commercial), 1Password (commercial), KeePassX (open source), KeePass (open source)
  • Deploy both a software and a hardware firewall. Most anti-malware suites have a software firewall in them.
    A hardware firewall should always be used at home. Options from Netgear and D-Link are inexpensive and generally effective. Many of these offer "content control" or "parental control" features to block objectionable content, etc. Companies should deploy either a Next Gen Firewall, UTM or proxy solution to filter out known phishing and malware.
  • Get Reputable Anti-malware.  Anti malware should cover you against the myriad of threats that are out there.  A quality anti-malware isn’t optional on any operating system (Apple OS X included).
  • Update your firmware. The firmware is the embedded operating system on your network device.

Wireless at Home

  • Use only WPA2. If you have wireless at home don't use WEP, use WPA. If your devices don't support the current WPA2 standard it is time to upgrade.
  • Change the web management password. Change the password used to access the web management interface to a secure >12 character password as detailed above.
  • Use a strong PSK (PreShared Key).  Set up WPA2 PSK (pre shared key) at the very least with a very long PSK (>33 characters).
  • Update your firmware (software on the device). See vendor site for details.

Wireless while traveling

  • Connect to valid networks only. Check with the hotel, conference, coffee shop for the valid SSID or network name.
  • Trust not wifi networks.  Don’t connect to random access points for “free internet” as you may become a victim of cyber criminals.
  • Use a VPN (Virtual Private Network) if the information resource you are connecting to is of any importance, i.e. banking or financial services. There are many commercial VPN services if you find it complex to set one up to your home network.

Smart Phones & Tablets

  • Smart phones & tablets have sensitive data. Mobile devices store a treasure trove of personal information such as: applications, appointments, contacts, email, pictures, banking information, company VPN connections, and even our social media accounts/passwords.
  • Set up a password on your device. Make it as long and complex as your software will allow. Additionally, devices now support biometrics, which are quite effective.
  • Encrypt data.  If you want to keep secure and private encrypt where you can.
  • Set up remote wipe. Should your phone get lost or stolen you can remotely erase it. This important feature exists on most devices and should be set up so you can be sure to be able to remotely clear it of sensitive personal information.
  • Anti-malware software.  Just like on any other computing device anti-malware is critical.  Apple doesn’t offer such software but hopefully this will change in the future.
  • Apple iPhone – Find my phone – Tracking and remote wipe.
  • Lookout – Android, Windows Mobile, Blackberry. Anti-malware, backup, tracking & remote wipe.
  • Kaspersky Mobile Security – Android, Windows Mobile, Blackberry, Symbian. Anti-malware, tracking & remote wipe.

None of these will work in isolation so I encourage you to use them all concurrently.  No single effort, technology or practice will make us 100% secure but the sum of many best practices will certainly improve our security stance and reduce our risks.

Congrats, you made it to the end of the list without the need for headache medicine (hopefully). Bravo! =) It is my hope that this post was somewhat helpful. I wish you and yours a safe and secure Holiday season.  Stay safe and secure out there.

Joseph P. Guarino has a long history of producing business results with the application of information technology. Joseph's expertise spans over 15 years in the private sector at leading technology firms and consulting organizations. With Evolutionary IT, he saw a market need to bring his transformative knowledge and expertise to firms in the New England area and worldwide. Joseph is driven by a strong desire to see customers thrive with the best business solutions. Evolutionary IT evolved out of this desire to bring a new level of quality IT solutions, align them with business goals and give customers a competitive edge.