Google Announces Changes to SERPs for Mobile Friendly Results

By Ed Nailor, Interactive Director / Creative Services • 4/20/15

On February 26, 2015, Google announced a change to the algorithm it uses to rank sites in its search results, based on how “mobile-friendly” a website is.

Specifically, Google stated the following:

“Starting April 21, we will be expanding our use of mobile-friendliness as a ranking signal. This change will affect mobile searches in all languages worldwide and will have a significant impact in our search results. Consequently, users will find it easier to get relevant, high quality search results that are optimized for their devices.”

It is important to note one very specific detail in this announcement. Google specifically states that this will “affect mobile searches” in order to get “relevant, high quality search results that are optimized for their devices.”

Google already serves different results for a search made from a mobile device than for the same search made from a desktop.

When a user searches from a mobile device, results that are more mobile-centric, such as services Google determines to be “local” to the user, are ranked higher, so the same search on a desktop may return a different set of results.

The impact here is specific to the mobile search algorithm and will give much higher weight to websites that are optimized for mobile display. Google’s reasoning is that a user on a mobile device should get an experience suited to that device. Google has always placed a high value on relevant content and user experience.

Read the full announcement by Google.

SHOULD YOU BE CONCERNED?

Much of that depends on the audience you currently have. If your website is frequently visited by mobile users and you do not have a mobile experience, then yes, you should be concerned. If mobile users do not comprise a large percentage of your website visitors, then you do not need to panic at this point.

However, even though the impact today is limited to mobile searches, the trend is important to note. With more and more devices being used in a mobile manner, such as laptops that double as tablets, we believe this will eventually affect all websites and all search results, in due time. So having a mobile version or view of a website is still very important, and should be addressed sooner rather than later.

Mobile friendly websites are very important to the overall success of your website business strategy. As our world becomes more and more mobile, Creative Services has long promoted and advised on building websites with a responsive coding technique so that they can be easily viewed on any device. We have offered mobile views of our website products for years, and very often offer this as a special promotion to encourage the inclusion of this feature with every website sold. We believe in Mobile Friendly websites!

If you have any questions or need advice on how to approach this, please contact Creative Services and/or Big Head Web Host and let us help guide you through this opportunity.  PHONE 704.716.1011

NEED SOME ESPIONAGE DONE?  HACKERS ARE FOR HIRE ONLINE

By Matthew Goldstein • 1/15/15

[Image: the home page of Hacker’s List, a website that matches hackers with people looking for someone to delete embarrassing photos or retrieve a password.]

A man in Sweden says he will pay up to $2,000 to anyone who can break into his landlord’s website. A woman in California says she will pay $500 for someone to hack into her boyfriend’s Facebook and Gmail accounts to see if he is cheating on her.

The business of hacking is no longer just the domain of intelligence agencies, international criminal gangs, shadowy political operatives and disgruntled “hacktivists” taking aim at big targets. Rather, it is an increasingly personal enterprise.

At a time when huge stealth attacks on companies like Sony Pictures, JPMorgan Chase and Home Depot attract attention, less noticed is a growing cottage industry of ordinary people hiring hackers for much smaller acts of espionage.

A new website, called Hacker’s List, seeks to match hackers with people looking to gain access to email accounts, take down unflattering photos from a website or gain access to a company’s database. In less than three months of operation, over 500 hacking jobs have been put out to bid on the site, with hackers vying for the right to do the dirty work.

It is done anonymously, with the website’s operator collecting a fee on each completed assignment. The site offers to hold a customer’s payment in escrow until the task is completed.

In just the last few days, offers to hire hackers at prices ranging from $100 to $5,000 have come in from around the globe on Hacker’s List, which opened for business in early November.

For instance, a bidder who claimed to be living in Australia would be willing to pay up to $2,000 to get a list of clients from a competitor’s database, according to a recent post by the bidder.

“I want the client lists from a competitors database. I want to know who their customers are, and how much they are charging them,” the bidder wrote.

Others posting job offers on the website were looking for hackers to scrub the Internet of embarrassing photos and stories, retrieve a lost password or change a school grade.

The rather matter-of-fact nature of the job postings on Hacker’s List shows just how commonplace low-profile hacking has become and the challenge such activity presents for law enforcement at a time when federal and state authorities are concerned about data security.

Hacking into individual email or social media accounts occurs on a fairly regular basis, according to computer security experts and law enforcement officials. In September, the Internet was abuzz when hackers posted nude photos of female celebrities online.

It is not clear just how successful Hacker’s List will prove to be. A review of job postings found many that had yet to receive a bid from a hacker. Roughly 40 hackers have registered with the website, and there are 844 registered job posters. From the postings, it is hard to tell how many of the job offers are legitimate.

The site did get a favorable review recently on hackerforhirereview.com, which specializes in assessing the legitimacy of such services. The reviewer and owner of that site, who would identify himself only as “Eric” in emails, said he gave his top rating to Hacker’s List because it’s a “really cool concept” that limits the ability of customers and hackers to take advantage of one another.

In light of the novelty of the site, it’s hard to say whether it violates any laws.

Arguably some of the jobs being sought on Hacker’s List — breaking into another person’s email account — are not legal.

The founders of Hacker’s List, however, contend that they are insulated from any legal liability because they neither endorse nor condone illegal activities.

The website includes a 10-page terms and conditions section to which all users must agree. It specifically forbids using “the service for any illegal purposes.”

Some experts say it is not clear whether Hacker’s List is doing anything wrong in serving as a meeting ground for hackers and those seeking to employ them.

Yalkin Demirkaya, president of the private investigation company Cyber Diligence, and a former commanding officer of the New York Police Department’s computer crimes group, said a crackdown would depend on whether law enforcement officials saw it as a priority. He said Hacker’s List may skate by because many of the “people posting the ads are probably overseas.”

But Thomas G. A. Brown, a senior managing director with FTI Consulting and former chief of the computer and intellectual property crime unit of the United States attorney’s office in Manhattan, said hacker-for-hire websites posed problems.

“Hackers for hire can permit nontechnical individuals to launch cyberattacks with a degree of deniability, lowering the barriers to entry for online crime,” Mr. Brown said.

The website, which is registered in New Zealand, is modeled after several online businesses in which companies seeking freelancers can put projects out to bid. Some have compared the service to a hacker’s version of the classified advertising website Craigslist. Hacker’s List even has a Twitter account (@hackerslist), where it announces the posting of new hacking assignments.

Still, the three founders of Hacker’s List are not willing to go public with their own identities — at least not yet.

After registering with the website and beginning an email conversation, a reporter contacted one of the founders. Over a period of weeks, the founder, who identified himself only as “Jack,” said in a series of emails that he and two friends had founded Hacker’s List and that it was based in Colorado. Jack described himself as a longtime hacker and said that his partners included a person with a master’s degree in business administration and a lawyer.

He said that the three were advised by legal counsel on how to structure the website to avoid liability for any wrongdoing by people either seeking to hire a hacker, or by hackers agreeing to do a job. The company, he said, tries to do a small background check on the hackers bidding on jobs to make sure they are legitimate, and not swindlers.

“We all have been friends for a while,” Jack said in an email, adding that Hacker’s List “was kind of a fluke occurrence over drinks one night.”

“We talked about a niche and I built it right there,” he said. “It kind of exploded on us, which was never expected.”

Hacker’s List began its website several months after federal prosecutors and F.B.I. agents in Los Angeles completed a two-year crackdown on the hacker-for-hire industry. The investigation, called Operation Firehacker by the F.B.I., led to the filing of criminal charges against more than a dozen people across the country involved in either breaking into a person’s email account or soliciting a hacker for the job.

In New York, information uncovered during the investigation in Los Angeles led to the arrest in 2013 of Edwin Vargas, a New York Police Department detective at the time, who was charged with paying $4,000 for the hacking of the email accounts of 43 people, including current and former New York police officers. Mr. Vargas, who pleaded guilty in November 2013 and was sentenced to four months in prison, said he had been motivated by jealousy and wanted to see whether any of his colleagues were dating an ex-girlfriend who is the mother of his son.

The F.B.I. investigation also involved the cooperation of the authorities in China, India and Romania, because a number of the websites where the hackers advertised their expertise were based overseas.

Still, the market for hackers, many of whom comply with the law and act more like online investigators, shows no signs of slowing. Many companies are hiring so-called ethical hackers to look for weaknesses in their networks.

David Larwson, a director of operations with NeighborhoodHacker.com, which is incorporated in Colorado, said he had seen increased demand from companies looking to make sure their employees are not obtaining sensitive information through hacking. He said in an email that companies were increasingly focused on an “insider threat” leading to a breach or unauthorized release of information.

On its website, NeighborhoodHacker describes itself as a company of “certified ethical hackers” that works with customers to “secure your data, passwords and children’s safety.”

HOW MY MOM GOT HACKED

By Alina Simone • 1/02/15

My mother received the ransom note on the Tuesday before Thanksgiving. It popped up on her computer screen soon after she’d discovered that all of her files had been locked. “Your files are encrypted,” it announced. “To get the key to decrypt files you have to pay 500 USD.” If my mother failed to pay within a week, the price would go up to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC — all of her data — would be lost forever.

Sincerely, CryptoWall.

CryptoWall 2.0 is the latest immunoresistant strain of a larger body of viruses known as ransomware. The virus is thought to infiltrate your computer when you click on a legitimate-looking attachment or through existing malware lurking on your hard drive, and once unleashed it instantly encrypts all your files, barring access to a single photo or tax receipt.
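The reason paying is the only route back to the files, glossed over in the paragraph above, is the key-handling model this kind of malware uses: every file is encrypted under its own random symmetric key, and that key is then wrapped with a public key whose private half never leaves the attackers. The following is an added illustration of that model, not CryptoWall’s actual code and not from the article; the choice of AES-256-GCM and RSA-OAEP, the type names and the sample file content are this example’s own assumptions.

```go
// Added example (not from the article): the hybrid-encryption model ransomware
// such as CryptoWall relies on, written to show why a victim cannot recover
// files without the attackers' private key. Algorithms, names and sample data
// are this example's own assumptions, not CryptoWall's implementation.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedFile is what remains on disk after the malware has run: the file body
// under AES-GCM and the per-file key wrapped with the attackers' RSA public key.
type LockedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// LockFile encrypts plaintext with a fresh random AES-256 key, then wraps that
// key with RSA-OAEP under pub. The plaintext key is never written anywhere.
func LockFile(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &LockedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// UnlockFile is the "decryptor" the attackers sell: unwrap the file key with the
// private key, then decrypt the body. With any other private key the unwrap fails.
func UnlockFile(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

// Demo runs the model end to end and reports whether the attackers' key and a
// second, unrelated key pair (standing in for the victim's IT staff) recover the file.
func Demo() (recoveredByAttacker bool, recoveredByOthers bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	bystander, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	original := []byte("constructed sample: 2014 tax receipt") // constructed sample data
	lf, err := LockFile(&attacker.PublicKey, original)
	if err != nil {
		return false, false, err
	}
	got, err := UnlockFile(attacker, lf)
	recoveredByAttacker = err == nil && bytes.Equal(got, original)
	_, err = UnlockFile(bystander, lf)
	recoveredByOthers = err == nil
	return recoveredByAttacker, recoveredByOthers, nil
}

func main() {
	a, b, err := Demo()
	fmt.Println("attacker key recovers file:", a, "| other key recovers file:", b, "| err:", err)
}
```

The point for a responder is in the wrapped key: nothing left on the victim’s disk contains the symmetric key in the clear, so brute force against the file body means brute force against AES-256, and the only practical recovery paths are a backup, a flaw in the malware’s implementation, or the attackers’ private key.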

Everyone has the same questions when they first hear about CryptoWall:

Is there any other way to get rid of it besides paying the ransom? No. Without the decryption key the attackers hold, it is not feasible for anyone to decrypt your files once CryptoWall 2.0 has locked them. (My mother had several I.T. professionals try.)

But should you really be handing money over to a bunch of criminals? According to the Internet Crime Complaint Center, a partnership between the F.B.I. and the National White Collar Crime Center, this answer is also no. “Ransomware messages are an attempt to extort money,” one public service announcement helpfully explains. “If you have received a ransomware message do not follow payment instructions and file a complaint.” Right. But that won’t get you your files back. Which is why the Sheriff’s Office of Dickson County, Tenn., recently paid a CryptoWall ransom to unlock 72,000 autopsy reports, witness statements, crime scene photographs and other documents.

Finally, can law enforcement at least do something to stop these attacks in the future? Probably not. Many ransomware viruses originate in Russia and other former Soviet bloc countries. The main difficulty in stopping cybercriminals isn’t finding them, but getting foreign governments to cooperate and extradite them.

By the time my mom called to ask for my help, it was already Day 6 and the clock was ticking. (Literally — the virus comes with a countdown clock, ratcheting up the pressure to pay.) My father had already spent all week trying to convince her that losing six months of files wasn’t the end of the world (she had last backed up her computer in May). It was pointless to argue with her. She had thought through all of her options; she wanted to pay.

Only, paying turned out not to be so easy; the CryptoWall hackers take only Bitcoins.

Picture the kind of early-adopting, hoodie-wearing member of the technocracy totally comfy with the idea of a cybercurrency neither backed nor issued by any central bank or government. Now picture the opposite of that. That is my mom. Having never so much as purchased an app in her life, my mom had no idea how to buy Bitcoins. Happily, her ransomers had anticipated this problem and included a link to a step-by-step guide, complete with pictures.

She’d managed to make a cash deposit via Bank of America to the unique Bitcoin “wallet” provided by her ransomers, but since Bitcoin’s price is extremely volatile, her payment had already fallen $25 short by the time it arrived. (Credit and debit payments can take up to six days to process.) The fastest way to send the extra $25 was to make a direct deposit at an A.T.M. that handled Bitcoin transactions. That’s where I came in. Coin Cafe, the Bitcoin provider my mother had chosen, had an A.T.M. in Greenpoint, Brooklyn, not too far from where I lived.

The Bitcoin A.T.M. was not easy to find. It was housed in the second floor hallway of a cooperative work space, tucked inside an old Nynex phone booth. On one hand, I appreciated the winking irony of this sight gag. On the other hand, Fidelity Investments this was not.

Inside was a little white box with no buttons, just a screen, a camera eye and a money slot. I scanned in the QR code my mom had sent me. The machine whirred to life. “Balance query in progress,” it announced. This query remained in progress for the next 20 minutes during which I left three messages on Coin Cafe’s voice mail before abandoning the booth to get some coffee and walk around in the rain.

The fourth time I called, a human being answered the phone and told me the problem had been fixed. I hurried back to the A.T.M., scanned in my QR code, sent some Voldemorts $25 in crisp bills and called my mom. The whole experience had not done much to allay my misgivings about Bitcoin; what did allay them was Mike Hoats, the nice bearded man Coin Cafe sent over to fix the A.T.M.

We got to talking after I made my payment, and he told me that, while no one at Coin Cafe believed people should fund criminal activity by paying the ransom, their job was to broker the purchase and sale of Bitcoins, which, like cash, could be used for any purpose. CryptoWall had thrust them into the unwitting role of ransomware advisers, coping with grandmothers crying on the phone at the thought of losing all their photos or small-business owners whose family income was on the line. Coin Cafe didn’t like profiting from the victims (according to the company, these transactions are in the low single digits as a percentage of its total business), but they were downright mortified to learn that CryptoWall had anointed them as one of their Bitcoin providers of choice, with praise for their “fast, simple service.” That’s how my mom found out about Coin Cafe — from her ransom note.

This referral is only one of the handy services CryptoWall provides to ensure a more seamless customer experience. Others include the ability to “decrypt one file for free” and a message interface one can use “in case of any problems with payment or having any other questions.” What next, I wondered. Twenty percent off when you refer this malware to a friend? Frequent virus cards? Black Friday ransom specials?

“I think they like the idea they don’t have to pretend they’re not criminals,” Chester Wisniewski, a senior security adviser at the computer security firm Sophos, told me when I reached him in Vancouver by phone. “By using the fact that they’re criminals to scare you, it’s just a lot easier on them.” They don’t have to hire a professional translator to get their English perfect, Mr. Wisniewski explained, or engage in any of the baroque subterfuge required of someone pretending to be a Nigerian gentleman farmer who just needs a little help claiming his inheritance.

In addition to being criminals, these peddlers of ransomware are clearly businesspeople, skillfully appropriating all the tools of e-commerce. From branding (CryptoWall is a variant of a fearsome earlier virus called CryptoLocker, which was shut down last year) to determining what they can extort (ransomware hackers have tested the market with prices as low as $100 and as high as $800,000, which the city of Detroit refused to pay in order to have its database decrypted), these operators are, as Mr. Wisniewski put it, part of “a very mature, well-oiled capitalist machine.” It’s also an incredibly lucrative machine: Some experts estimate that CryptoLocker hackers cleared around $30 million in 100 days in 2013. And more than a million PCs worldwide have been hit with the CryptoWall virus.

Even after reading through numerous descriptions of CryptoWall 2.0 as “the largest and most destructive ransomware threat on the Internet” and “an enormous danger for computer users,” I still couldn’t help thinking this was mainly a problem for moms who persist in using big, boxy PC computers and small-town police departments. Mr. Wisniewski quickly disabused me of that notion. Although CryptoWall has primarily affected Windows computers and Android cellphones so far, there is no technological barrier that prevents the virus from infiltrating Macs like mine. And when it does, Mr. Wisniewski chuckled, I should expect the ransom to be a lot higher.

So what can we all do to protect ourselves? Keep our computers backed up on an independent drive that is not left connected (a backup the malware can reach, it will encrypt too) or by using a cloud backup service like Carbonite, take those software update and “patch” alerts seriously and, most of all, Beware the Attachment. (Remember: Brand-name businesses like J. Crew or Bank of America will rarely send you an attachment.)

Of course, this advice arrives too late for my mom. And it appeared her payment had arrived too late as well: By the time I got home from Greenpoint, her CryptoWall ransom had been raised to $1,000, and the $500 in Bitcoins she had deposited had vanished. In a panic, she wrote to Mike Hoats asking for advice. What he told her sounded crazy to me. Use the CryptoWall message interface to tell the criminals exactly what happened. Be honest, in other words.

So she did. She explained that the virus had struck the same week that a major snowstorm hit Massachusetts and the Thanksgiving holiday shut down the banks. She told them about the unexpected Bitcoin shortfall and about dispatching her daughter to the Coin Cafe A.T.M. at the 11th hour. She swore she had really, really tried not to miss their deadline. And then a weird thing happened: Her decryption key arrived.

When I shared the news with Mr. Hoats, he was jubilant. “That is great news, truly!” he wrote. “Whoever these yahoos are, they have some little shred of humanity.”

But Mr. Wisniewski had a more pragmatic take. “From what we can tell, they almost always honor what they say because they want word to get around that they’re trustworthy criminals who’ll give you your files back.”

Welcome to the new ransomware economy, where hackers have a reputation to consider.

‘RANSOMWARE’ A GROWING THREAT TO SMALL BUSINESS

Cybercriminals, using malware in bogus email, freeze computer files until a ransom is paid.

By Ruth Simon • WSJ • 4/15/15

More small businesses are falling victim to “ransomware,” in which malicious code locks up computer files and cybercriminals demand a ransom to free them.

Mark Stefanick, president of a small Houston-based firm, Advantage Benefits Solutions, was shocked when one of his consultants suddenly found his work computer locked. Within hours, rogue computer code had spread from the consultant’s computer to the server and backup system at the firm. The code encrypted the claims information and financial data.

A ransom note popped up on the infected computer: Pay $400 within 72 hours to unlock the data.

Mr. Stefanick’s first thought was to ignore the ransom demand and regain access to the files on his own. But then his firm’s IT provider said it would take “thousands and thousands of hours of running software” to try to break the code on the encryption.

“They set the ransom so low that, as violated as I feel and as much as I wanted to fight, at the end of the day I realized I can pay and get back to work,” he said.

To recover Advantage’s data, Natalie Stefanick, marketing manager for her father’s company, drove to a nearby Walgreens, pulled a MoneyGram gift card off a rack and asked the cashier to load $400. Within 30 minutes, a program that unencrypted the data began to run.

In the end, no data was stolen and there were “no confidentiality breaches,” according to Mr. Stefanick. It was about 72 hours before the company was fully back and running and about two weeks before everything was put back where it belonged, he added.

About 30% of ransomware victims pay to regain their data, estimates Tom Kellermann, chief cybersecurity officer for Trend Micro Inc., an Irving, Texas, cybersecurity firm.

Intel Security, a unit of Intel Corp., said it reviewed more than 250,000 new ransomware samples in the fourth quarter of 2014, up 155% from the previous quarter. And the Internet Crime Complaint Center, a partnership between the FBI and the nonprofit National White Collar Crime Center, said businesses and individuals submitted 2,275 ransomware complaints from June 1, 2014, to March 31 of this year, with reported losses totaling more than $1.1 million. Ransomware can target more than 230 different types of computer files, up from 70 in 2013, according to Bromium Inc., a Cupertino, Calif., information-security firm.

Michael W. Cocanower, owner of itSynergy, an IT consulting firm in Arizona that works with many small businesses, says he has seen a resurgence of ransomware in the past three to six months. He tells clients that the first step is to disconnect the infected computer from their network immediately. The infected computer must also be scrubbed and other computers need to be checked as well.
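Checking the other computers, the last step above, means telling files that have been encrypted in place apart from healthy ones. The scan below is an added example, not part of the article and not a tool from itSynergy or any vendor named on this page. It flags a file whose extension says “document” but whose first bytes are not that document type’s signature and whose content is near-random; the magic-number table, the 7.5 bits-per-byte threshold and the in-memory sample files are this example’s own assumptions.

```go
// Added example (not from the article): flag files that look encrypted in place,
// to help with the "check the other computers" step. Magic-number table, entropy
// threshold and sample files are this example's own assumptions.
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"math"
	"path"
	"sort"
	"strings"
)

// expectedMagic maps common document extensions to the bytes a real file of that
// type starts with; .docx and .xlsx are zip containers, so they begin with "PK".
var expectedMagic = map[string][]byte{
	".pdf":  []byte("%PDF"),
	".docx": []byte("PK"),
	".xlsx": []byte("PK"),
	".jpg":  {0xFF, 0xD8, 0xFF},
	".png":  {0x89, 'P', 'N', 'G'},
}

// Entropy returns the Shannon entropy of data in bits per byte (0..8).
// Text and most documents sit well below 7; ciphertext is close to 8.
func Entropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	var h float64
	n := float64(len(data))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// LooksEncrypted reports whether a file is suspicious: a known document type whose
// magic bytes are missing and whose content is near-random. Unknown extensions
// are not judged, to keep false positives down.
func LooksEncrypted(name string, data []byte) bool {
	magic, known := expectedMagic[strings.ToLower(path.Ext(name))]
	if !known || bytes.HasPrefix(data, magic) {
		return false
	}
	return Entropy(data) > 7.5 // threshold is this example's assumption
}

// Scan runs LooksEncrypted over a set of files and returns the names flagged, sorted.
func Scan(files map[string][]byte) []string {
	var flagged []string
	for name, data := range files {
		if LooksEncrypted(name, data) {
			flagged = append(flagged, name)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// ConstructedSamples builds an in-memory stand-in for a scanned share: one healthy
// PDF, one "PDF" encrypted in place, a JPEG with its header intact, and a text
// file whose type the scanner does not judge. All of it is constructed data.
func ConstructedSamples() map[string][]byte {
	random := make([]byte, 4096)
	rand.Read(random) // stands in for ciphertext
	return map[string][]byte{
		"claims_2013.pdf": []byte("%PDF-1.4\n% constructed benign document, mostly text\n"),
		"claims_2014.pdf": random,
		"photo.jpg":       append([]byte{0xFF, 0xD8, 0xFF}, random...),
		"notes.txt":       random,
	}
}

func main() {
	for name, data := range ConstructedSamples() {
		fmt.Printf("%-16s entropy=%.2f encrypted=%v\n", name, Entropy(data), LooksEncrypted(name, data))
	}
	fmt.Println("flagged:", Scan(ConstructedSamples()))
}
```

On a real share, feed Scan the first few kilobytes of each file rather than whole files, and treat a single hit as a reason to pull the machine off the network, since a clean backup is only clean if the malware did not reach it.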

One of Mr. Cocanower’s customers, CoValence Inc., a Chandler, Ariz., maker of private-label skin-care products with roughly 100 employees, has been hit with four ransomware attacks in the past six months. A backup system prevented the loss of data, but the attacks “caused a lot of anxiety,” says John Dennison, the company’s IT manager.

After the last attack, CoValence upgraded its Internet security protections. It also now regularly reminds employees to be on the lookout for fraudulent email.

Small businesses can be particularly vulnerable because they often have less sophisticated computer defenses. Some 80% of small and medium-size businesses don’t use data protection and less than half use email security, according to Intel Security. Overall, 23% of recipients open phishing messages used to transmit ransomware and other malware, according to a data-breach report released Wednesday by Verizon Enterprise Solutions, a unit of Verizon Communications Inc. An estimated 11% click on the attachments, according to Verizon.

Cybercriminals have made it possible for fraudsters with few, if any, coding skills to launch attacks that lock up computer systems at small businesses, among other targets. Some groups of cybercriminals sell “exploit kits,” Web applications that silently probe a visitor’s browser and plug-ins for known vulnerabilities and use them to deliver ransomware and other malware. Other criminals peddle payloads, the malware used to lock up files, or obfuscation services that make malware more difficult to detect.

Cybercriminals may rent out exploit kits for $150 a week or $500 a month, or license them out. A cybercriminal can earn roughly $84,000 a month on a $5,900 investment in an exploit kit and other tools, estimates Ziv Mador, vice president of security research at Trustwave Holdings Inc.

To boost response rates, cybercriminals sometimes offer a “freemium” service, decrypting one or a few randomly selected files at no charge, he adds. Many schemes double the price of decryption after a couple of days to create a sense of urgency.

Bitcoin is a preferred method of payment, partly because the use of bitcoin makes payments difficult to track.

As with many computer viruses, ransomware often begins with a fraudulent email.

Kevin Simpson, co-founder of RSFLA Inc., a Santa Monica-based commercial real-estate firm, was waiting for documents from a client last year, when he clicked on an email with an attachment that appeared to come from Federal Express. Within hours, a virus encrypted RSFLA’s data, shared folders used by the company and its clients, and a year’s worth of Mr. Simpson’s photographs. He says he refused to give in to the $500 ransom, a decision made easier because most of the locked-up files were backed up in the cloud or archived.
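The “Federal Express” attachment above is the usual delivery method, and the file almost always gives itself away on inspection: an executable extension, a double extension such as Label.pdf.exe, a Windows executable header under a document name, or one of those inside a zip. The triage routine below is an added example, not from the article and not a product from any company named on this page; the extension list, the rules and the constructed sample archive are this example’s own assumptions.

```go
// Added example (not from the article): triage a mail attachment of the kind
// described above. Rules, extension list and sample files are this example's own.
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// executableExts covers types that run code when double-clicked on Windows;
// none of them belongs in an unsolicited "invoice" or "shipping notice".
var executableExts = map[string]bool{
	".exe": true, ".scr": true, ".pif": true, ".com": true, ".bat": true, ".cmd": true,
	".js": true, ".jse": true, ".vbs": true, ".wsf": true, ".hta": true,
}

// Finding is one reason an attachment was flagged; an empty list means no rule fired.
type Finding struct {
	File   string
	Reason string
}

// Triage inspects a single attachment by name and content and returns its findings.
// For zip archives it recurses into each entry, reading only the first bytes.
func Triage(name string, data []byte) []Finding {
	var out []Finding
	lower := strings.ToLower(name)
	ext := path.Ext(lower)
	if executableExts[ext] {
		out = append(out, Finding{name, "executable extension " + ext})
	}
	// "Invoice.pdf.exe": the inner extension is the one the user is meant to see.
	inner := path.Ext(strings.TrimSuffix(lower, ext))
	if inner != "" && executableExts[ext] && !executableExts[inner] {
		out = append(out, Finding{name, "double extension " + inner + ext})
	}
	// Content check: a DOS/PE executable starts with "MZ" whatever it is named.
	if bytes.HasPrefix(data, []byte("MZ")) && !executableExts[ext] {
		out = append(out, Finding{name, "declared " + ext + " but content is a PE executable"})
	}
	if ext == ".zip" || bytes.HasPrefix(data, []byte("PK\x03\x04")) {
		r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
		if err != nil {
			return append(out, Finding{name, "unreadable zip archive"})
		}
		for _, f := range r.File {
			rc, err := f.Open()
			if err != nil {
				out = append(out, Finding{name + "/" + f.Name, "unreadable entry"})
				continue
			}
			head := make([]byte, 4)
			n, _ := rc.Read(head)
			rc.Close()
			for _, fd := range Triage(f.Name, head[:n]) {
				out = append(out, Finding{name + "/" + fd.File, fd.Reason})
			}
		}
	}
	return out
}

// BuildSampleZip constructs, in memory, the kind of archive a phishing mail carries:
// a single executable named to look like a shipping label. Constructed data.
func BuildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	e, _ := w.Create("FedEx_Shipping_Label.pdf.exe")
	e.Write([]byte("MZ\x90\x00 constructed fake executable"))
	w.Close()
	return buf.Bytes()
}

func main() {
	samples := map[string][]byte{
		"FedEx_Notice.zip": BuildSampleZip(),
		"statement.pdf":    []byte("%PDF-1.4 constructed benign document"),
		"tracking.pdf":     []byte("MZ\x90\x00 constructed executable renamed to .pdf"),
	}
	for name, data := range samples {
		fmt.Printf("%s -> %v\n", name, Triage(name, data))
	}
}
```

Run at the mail gateway, a non-empty finding list is a reason to quarantine rather than deliver; run by a user, it turns “beware the attachment” into a concrete check before anything is opened.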

“To get all those photos, it would have been worth it, but it was on principle that I decided not to pay,” he says. RSFLA was offline for two days and spent at least 10 hours recovering its data, he adds.

GANGS OF HACKERS CAUSE CYBER BREACHES TO SPIKE 23%

By  Elizabeth Weise • USATODAY • 4/14/15

SAN FRANCISCO — Organized criminal gangs of hackers got smarter, faster and more ubiquitous last year, pulling off 312 major breaches against companies. That’s up 23% from the year before, Symantec’s 2014 Internet threat report found.

Health care companies were a major focus of hackers, with 37% of breaches in that sector, compared with 11% in retail and 10% in education, the security company’s yearly look at the seamy underbelly of the Web found.

Things are just as bad for individuals. Symantec, maker of Norton security software, found that fully 60% of all email is spam, though thankfully most email systems filter much of it out.

That’s down from 66% in 2013, Symantec said. But the numbers are still enormous. An estimated 28 billion spam emails were sent per day in 2014, down from 29 billion a day in 2013.

While slightly down, they were more dangerous than ever. One out of every 965 emails was a phishing attack, an email carrying an attachment or link that infects the victim’s computer when opened, Symantec found.

Ransomware also continues to grow. These digital extortion rings involve cyber thieves hijacking victims’ systems and locking up their data, then demanding a ransom to unlock it.

The thieves typically charge between $300 and $500 to free the files. Unfortunately, paying doesn’t mean you’ll get your data back.

“Roughly 80% of the time, they don’t decrypt the files,” said Robert Shaker, senior incident response manager with Symantec.

“And 100% of the time, you get put on the ‘payers’ list, meaning they’ll hit you again later,” he said.

These attacks more than doubled, with 8.8 million attacks in 2014, up from 4.1 million in 2013, Symantec found.

Symantec also saw an increase in the organization and reach of hacking groups, which are moving faster than security staff trying to defend companies. For example, in April 2014, a major Internet security bug called Heartbleed was made public.

“Within four hours of being announced, attackers were using it to break in and steal things,” said Kevin Haley, director of Symantec’s security response.

Today, hacking is now just another type of international business enterprise, one that’s highly organized and increasingly well-funded and multinational.

“Ten to 15 years ago, these were ad hoc networks of individuals motivated by ego. Now it’s almost entirely financial gain,” said Lillian Ablon, a cyber-security researcher with the RAND Corp. in Santa Monica, Calif.

International digital thieves have built an entire criminal infrastructure in plain sight with little fear of prosecution, said Haley.

“We’ve found Google guides on where to buy the best stolen credit cards and YouTube guides on where to buy the best exploits,” Ablon said, using the hacker term for a software tool that takes advantage of a flaw in a computer system.

“I’m waiting for Yelp reviews,” she said.

HACKED VS. HACKERS: GAME ON

By Nicole Perlroth  • 10/12/14

“ ‘Patch and pray’ is not a strategic answer,” Dr. Shrobe said. “If that’s all you do, you’re going to drown.”

The Wake-Up Call

A bleak recap: In the last two years, breaches have hit the White House, the State Department, the top federal intelligence agency, the largest American bank, the top hospital operator, energy companies, retailers and even the Postal Service. In nearly every case, by the time the victims noticed that hackers were inside their systems, their most sensitive government secrets, trade secrets and customer data had already left the building. And in just the last week Sony Pictures Entertainment had to take computer systems offline because of an aggressive attack on its network.

The impact on consumers has been vast. Last year, over 552 million people had their identities stolen, according to Symantec, and nearly 25,000 Americans had sensitive health information compromised — every day — according to the Department of Health and Human Services. Over half of Americans, including President Obama, had to have their credit cards replaced at least once because of a breach, according to the Ponemon Group, an independent research organization.

But the value of those stolen credit cards, which trade freely in underground criminal markets, is eclipsed by the value of the intellectual property that has been siphoned out of United States corporations, universities and research groups by hackers in China — so much so that security experts now say there are only two types of companies left in the United States: those that have been hacked and those that do not yet know they have been hacked.

And this year, American companies learned it was not just Beijing they were up against. Thanks to revelations by the former intelligence agency contractor Edward J. Snowden, companies worry about protecting their networks from their own government. If the tech sector cannot persuade foreign customers that their data is safe from the National Security Agency, the tech industry analysis firm Forrester Research predicts that America’s cloud computing industry stands to lose $180 billion — a quarter of its current revenue — over the next two years to competitors abroad.

“People are finally realizing that we have a problem that most had not thought about before,” said Peter G. Neumann, a computer security pioneer at SRI International, the Silicon Valley engineering research laboratory. “We may have finally reached a crossroads.”

Is There a Playbook?

Only certain kinds of companies, like hospitals and banks, are held up to scrutiny by government regulators when they are hacked. And legal liability hasn’t been established in the courts, though Target faces dozens of lawsuits related to a hack of that company’s computer network a little over a year ago.

But if there is a silver lining to the current predicament, Mr. Neumann and other security experts say, it is that computer security, long an afterthought, has been forced into the national consciousness.

Customers, particularly those abroad, are demanding greater privacy protections. Corporations are elevating security experts to senior roles and increasing their budgets. At Facebook, the former mantra “move fast and break things” has been replaced. It is now “move slowly and fix things.” Companies in various sectors have started informal information-sharing groups for computer security. And President Obama recently called on Congress to pass a national data breach law to provide “one clear national standard” rather than the current patchwork of state laws that dictate how companies should respond to data breaches.

There is growing recognition that there is no silver bullet. Firewalls and antivirus software alone cannot keep hackers out, so corporations are beginning to take a more layered approach to data protection. Major retailers have pledged to adopt more secure payment schemes by the end of next year. Banks are making it easier for customers to monitor their monthly statements for identity theft. And suddenly, pie-in-the-sky ideas that languished in research labs for years are being evaluated by American hardware makers for use in future products.

“People are recognizing that existing technologies aren’t working,” said Richard A. Clarke, the first cybersecurity czar at the White House. “It’s almost impossible to think of a company that hasn’t been hacked — the Pentagon’s secret network, the White House, JPMorgan — it is pretty obvious that prevention and detection technologies are broken.”

Companies that continue to rely on prevention and detection technologies like firewalls and antivirus products are considered sitting ducks.

“People are still dealing with this problem in a technical way, not a strategic way,” said Scott Borg, the head of the United States Cyber Consequences Unit, a nonprofit organization. “People are not thinking about who would attack us, what their motives would be, what they would try to do. The focus on the technology is allowing these people to be blindsided.

“They are looking obsessively at new penetrations,” Mr. Borg said. “But once someone is inside, they can carry on for months unnoticed.”

The Keys to Preparation

The companies most prepared for online attacks, Mr. Borg and other experts say, are those that have identified their most valuable assets, like a university’s groundbreaking research, a multinational’s acquisition strategy, Boeing’s blueprints to the next generation of stealth bomber or Target’s customer data. Those companies take additional steps to protect that data by isolating it from the rest of their networks and encrypting it.

That approach — what the N.S.A. has termed “defense in depth” — is slowly being adopted by the private sector. Now, in addition to firewalls and antivirus products, companies are incorporating breach detection plans, more secure authentication schemes, technologies that “white list” traffic and allow in only what is known to be good, encryption and the like.

“We’re slowly getting combinations of new technologies that deal with this problem,” Mr. Clarke said.

The most prominent examples are Google, Yahoo, Microsoft and Facebook. Mr. Snowden revealed that the N.S.A. might have been grabbing data from those companies in unencrypted form as it passed between their respective data centers. Now, they all encrypt their traffic as it flows internally between their own data centers.

Though intelligence analysts may disagree, security experts say all of this is a step in the right direction. But security experts acknowledge that even the most advanced security defenses can break down. A widely used technology sold by FireEye, one of the market leaders in breach detection, failed to detect malicious code in an independent lab test this year. The product successfully identified 93 percent of the threats, but as the testers pointed out, it is not the 99 percent of detected threats that matter. It is the 1 percent that are missed that allow hackers to pull off a heist.

Even when security technologies do as advertised, companies are still missing the alerts. Six months before Target was breached last year, it installed a $1.6 million FireEye intrusion detection system. When hackers tripped the system, FireEye sounded alarms to the company’s security team in Bangalore, which flagged the alert for Target’s team at its headquarters in Minneapolis. Then nobody reacted until 40 million credit card numbers and information on 70 million more customers had been sent to computers in Russia, according to several investigators.

Part of the problem, security chiefs say, is “false positives,” the constant pinging of alerts anytime an employee enters a new database or downloads a risky app or email attachment. The result, they complain, is a depletion of resources and attention.

“We don’t need ‘big data.’ We need big information,” said Igor Baikalov, a former senior vice president for global information security at Bank of America, now chief scientist at Securonix, a private company that sells threat intelligence to businesses.

Securonix is part of a growing class of security start-ups, which includes Exabeam and Vectra Networks in Silicon Valley and several other companies that use the deluge of data from employee computers and personal devices to give security officers intelligence they can act on.

Many companies in the Fortune 500 are building their own systems that essentially do the same thing. These technologies correlate unusual activity across multiple locations, then raise an alarm if they start to look like a risk. For example, the technologies would increase the urgency of an alert if an employee suddenly downloaded large amounts of data from a database not regularly used, while simultaneously communicating with a computer in China.
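The correlation described above (a large download from a database the employee does not normally use, plus a connection to an unusual country close in time) is easy to show in code. The script below is an added example written for this page, not the Fortune 500 systems or any vendor product the article mentions. The log lines, the per-user "usual database" baseline, the usual-country list, the 500 MB threshold and the 15-minute window are all constructed assumptions; a real deployment would derive the baselines from history rather than hard-code them.

```python
"""
Added example (not from the article): correlate two weak signals into one
high-urgency alert. All log lines and baselines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: databases each user normally touches, and the
# countries the organisation normally exchanges traffic with (assumptions).
USUAL_DATABASES = {
    "alice": {"crm", "tickets"},
    "bob": {"payroll"},
}
USUAL_COUNTRIES = {"US", "CA"}
LARGE_DOWNLOAD_BYTES = 500 * 1024 * 1024    # 500 MB threshold (assumption)
CORRELATION_WINDOW = timedelta(minutes=15)  # how close the two signals must be

# Constructed log lines in a simple "ts|user|event|k=v,k=v" format.
SAMPLE_LOG = """\
2014-12-01T09:02:11|alice|db_download|db=crm,bytes=1200000
2014-12-01T09:05:40|bob|db_download|db=engineering_designs,bytes=900000000
2014-12-01T09:09:03|bob|net_connect|dst=198.51.100.7,country=CN
2014-12-01T11:30:00|alice|db_download|db=engineering_designs,bytes=750000000
2014-12-01T16:00:00|alice|net_connect|dst=203.0.113.9,country=US
"""


def parse_log(text):
    """Parse the constructed format into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, fields = line.split("|", 3)
        attrs = dict(kv.split("=", 1) for kv in fields.split(","))
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "kind": kind, **attrs})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Return alerts as (user, severity, reason) tuples.

    A large download from a database the user does not normally use is a
    MEDIUM alert on its own; if the same user also talks to an unusual
    country within CORRELATION_WINDOW, the alert is escalated to HIGH.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for e in evs:
            if e["kind"] != "db_download":
                continue
            unusual_db = e["db"] not in USUAL_DATABASES.get(user, set())
            large = int(e["bytes"]) >= LARGE_DOWNLOAD_BYTES
            if not (unusual_db and large):
                continue
            severity = "MEDIUM"
            reason = f"large download from unusual database {e['db']}"
            # Second signal: an outbound connection to an unusual country
            # by the same user, close in time to the download.
            for other in evs:
                if (other["kind"] == "net_connect"
                        and other["country"] not in USUAL_COUNTRIES
                        and abs(other["ts"] - e["ts"]) <= CORRELATION_WINDOW):
                    severity = "HIGH"
                    reason += f" plus connection to {other['dst']} ({other['country']})"
                    break
            alerts.append((user, severity, reason))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data, alice's download of `crm` is ignored (a database she normally uses), her later download of `engineering_designs` raises a MEDIUM alert that is not escalated because her only outbound connection is to a usual country, and bob's download followed four minutes later by a connection to an unusual country is escalated to HIGH. That ordering of severity, rather than a flood of equal-weight pings, is the point the article's sources make about "big information" versus "big data".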

The future of security, experts say, won’t be based on digital walls and moats but on these kinds of newer data-driven approaches.

“Most large organizations have come to the painful recognition that they are already in some state of break-in today,” said Asheem Chandna, a venture capital investor at Greylock Partners. “They are realizing they need to put new and advanced sensors in their network that continuously monitor what is going on.”

While much progress is being made, security experts bemoan that there is still little to prevent hackers from breaking in in the first place.

In May, the F.B.I. led a crackdown on digital crime that resulted in 90 arrests, and Robert Anderson, one of the F.B.I.’s top officers on such cases, said the agency planned to take a more aggressive stance. “There is a philosophy change. If you are going to attack Americans, we are going to hold you accountable,” he said at a cybersecurity meeting in Washington.

Still, arrests of hackers are few and far between.

“If you look at an attacker’s expected benefit and expected risk, the equation is pretty good for them,” said Howard Shrobe, a computer scientist at the Massachusetts Institute of Technology. “Nothing is going to change until we can get their expected net gain close to zero or — God willing — in the negative.”

Until last year, Dr. Shrobe was a manager at the Defense Advanced Research Projects Agency, known as Darpa, overseeing the agency’s Clean Slate program, a multiproject “Do Over” for the computer security industry. The program included two separate but related projects. Their premise was to reconsider computing from the ground up and design new computer systems that are much harder to break into and that recover quickly when they have been breached.

“ ‘Patch and pray’ is not a strategic answer,” Dr. Shrobe said. “If that’s all you do, you’re going to drown.”

5 STEPS TO KEEPING YOUR SITE SECURE FROM HACKERS

By Michael Butler • 4/13/15 • Big Head Web Host

1. Keep Your Website Software Updated.

If you are using WordPress (or any other CMS), and it is not already using the stable current version, take a minute to update. Out-of-date software is the leading cause of infections. This includes your CMS version, plugins, themes, and any other extension type.

2. Change your Password at all Access Points, including FTP, SFTP (or SSH) and cPanel.*

Choose a unique and STRONG password. A good password is generally built around three core components: complex, long and unique. The argument most often made against this is that it's too difficult to remember multiple passwords. This is true. It's also why password managers were created.

Password Tip: Start using a password manager: Peguta and LastPass are good ones to use (online and free).

We cannot stress enough the importance of changing all passwords, including those not related to your CMS. Your website has various access points; attackers understand this, and because of it they will often exploit multiple points of entry. At a minimum, be sure to update the password for all administrator accounts. We say all because users often create more administrator accounts than they require and will update one but forget about the rest. There really is no better time to clean up than after a compromise, so take advantage of this time.

3. Change your Database Password.*

If you are using a CMS (WordPress or any other), change your database password. Be sure to update the matching entry in your configuration file as well (wp-config.php for WordPress), or the site will no longer be able to reach its database. This is not an automated process, so you will need to know how to open those files and edit them manually. If you're not familiar with handling changes in your database and configuration files, contact your host.

*If you don’t know how to change your passwords (specified above), contact your hosting company for details.
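For step 3, here is an added Python example of the wp-config.php side of the change (this is example code for this page, not Big Head Web Host's own tooling). It assumes the file contains the standard `define( 'DB_PASSWORD', '...' );` line, escapes the new value correctly for a PHP single-quoted string, refuses to proceed if that line is missing or appears more than once, and keeps a backup. Changing the password on the MySQL/MariaDB account itself is a separate step that this script does not perform; the two values must match. The sample config is constructed, and the generated password follows the "complex, long and unique" rule from step 2.

```python
"""
Added example (not the hosting company's tooling): rotate the database
password that WordPress reads from wp-config.php.

Assumption: the config contains the standard line
    define( 'DB_PASSWORD', '...' );
The database account password must be changed separately to the same value.
"""
import os
import re
import secrets
import shutil

# Matches define('DB_PASSWORD', '<php single-quoted string>') with any spacing.
_DEFINE_RE = re.compile(
    r"""(define\(\s*'DB_PASSWORD'\s*,\s*')((?:[^'\\]|\\.)*)('\s*\)\s*;)"""
)

# Constructed sample config (not a real site's file).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'old-password' );
define( 'DB_HOST', 'localhost' );
"""


def generate_password(nbytes=24):
    """Long, random, unique: 24 random bytes as URL-safe base64 (32 chars)."""
    return secrets.token_urlsafe(nbytes)


def php_single_quote(value):
    """Escape a value for a PHP single-quoted literal; only \\ and ' are special."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def update_db_password(config_text, new_password):
    """Return config_text with DB_PASSWORD replaced.

    Raises ValueError if the define is missing or duplicated, so the edit
    can never silently do nothing or change the wrong line.
    """
    matches = _DEFINE_RE.findall(config_text)
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one DB_PASSWORD define, found {len(matches)}")
    escaped = php_single_quote(new_password)
    # A function replacement avoids re's own backslash processing.
    return _DEFINE_RE.sub(lambda m: m.group(1) + escaped + m.group(3),
                          config_text)


def current_db_password(config_text):
    """Read the password back as PHP would see it (unescaping \\' and \\\\)."""
    m = _DEFINE_RE.search(config_text)
    if m is None:
        return None
    return re.sub(r"\\(['\\])", r"\1", m.group(2))


def rotate_wp_config(path, new_password):
    """Back up wp-config.php, write the updated copy atomically, owner-only."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    updated = update_db_password(original, new_password)
    shutil.copy2(path, path + ".bak")
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        f.write(updated)
    os.chmod(tmp, 0o600)      # config holds a secret: owner read/write only
    os.replace(tmp, path)
    return updated


if __name__ == "__main__":
    new_pw = generate_password()
    print(update_db_password(SAMPLE_CONFIG, new_pw))
```

Use `rotate_wp_config("/path/to/wp-config.php", new_pw)` on a real site only after the database account has been given the same new password; the `.bak` copy lets you roll back if the site cannot connect afterwards, and should itself be deleted once the change is confirmed, since it still contains the old secret.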

4. Scan Your Personal Computer.

Run a virus scan on your personal desktop/laptop.

In a lot of cases we see that websites are compromised via local environments (notebooks, desktops, etc.). It's why we always ask that you take a minute to run an anti-virus product. If you're OK with spending a little money, BitDefender is leading the pack in malware detection on Macs and PCs. Other alternatives include Kaspersky for Windows and Mac, and Sophos and F-Secure for Windows. You can also try Avast, MSE and Spybot, which are free alternatives and very good. Here is the bottom line: it doesn't matter how many times your site gets cleaned, if your desktop is not clean, your site can get reinfected quite easily.

5. Install a Website Monitoring System like SmartALERTZ.

With SmartAlertz, a monitoring system is added to your website that alerts Big Head Hosting technicians when hackers have added malware. When the alert is received, technicians immediately begin cleaning the code within your website of any injections by a hacker.

Many times your site will not be down, but if the attack is extensive, you may have some downtime. Speed is of utmost importance to our technicians, since your website serves as your 24/7 lifeline to your clients. If your site was also blacklisted by Google, Norton, etc., it will be removed from those blacklists. Additional info about SmartALERTZ.