By -- 2021-12-20 in Blog

As you may have seen on the news, on December 9th, 2021, a zero-day exploit was observed targeting Log4j, a ubiquitous open-source logging tool. In short, Log4J is a logging tool for programs to track any errors that may occur within an application. The bug (known as Log4Shell) has affected thousands of various systems across the world including vendors such as Cisco, VMware, Twitter, Amazon, Google Cloud, IBM, and Microsoft. Though the vulnerability was announced recently, experts believe that hackers have been exploiting it since the beginning of the month, with the announcement inadvertently resulting in a surge of attacks. The Cybersecurity & Infrastructure Security Agency estimates that hundreds of millions of devices are likely affected, with some officials stating that this is one of the most serious threats they’ve seen in their career.

The discovered vulnerability, which has existed for approximately 8 years, allows a hacker to remotely take over a computer using this software, and in some cases, it is as easy as posting a certain message in a chat box, as was the case with Minecraft.  Now, hundreds of attempts to exploit it are being launched every minute, as hackers attempt to gain money and sensitive data through cryptomining malware and installing Cobalt Strike. The ubiquitous nature of Log4j makes the bug much more dangerous and likely longer-lasting than other software vulnerabilities because many organizations may not even be aware that the system is part of their network.

So, what does this mean for you?  The good news is that most of the affected applications are cloud-based applications, which makes it easier for companies and developers to update the component without having to touch millions of end-users’ devices. Software vendors will be applying these patches as soon as they become available. Additionally, look out for notifications from trusted sources that inform and allow you to update potentially vulnerable systems, as these updates should include a patch.

Should you have any questions about this vulnerability, please feel free to reach out to us at

By -- 2021-12-20 in Uncategorized

It’s giving season! As the holidays roll around this year, there are plenty of reasons to give back to your community. Americans donated $471.44 billion in 2020, an over 5% increase from 2019. Unfortunately, scammers are well aware of the uptick in charitable donations, and will likely target those altruistic efforts for their own self gain this year. Below are some tips to donate safely this holiday season; remember to be MERRY.


Manually check the URL: Cybercriminals often create websites that mimic legitimate ones to phish for money. Doublecheck URLs and website headers when donating to make sure that the organization’s name is spelled correctly and that there are no discrepancies.

Examine payment methods: It is not suggested to wire money or send cash when making donations. Instead, consider paying via check or online. When donating using a check, make the donation payable to the organization name exactly how they spell it on their website. If you’d like to pay online, ensure that the website is safe by looking at their URL for “https” or a security lock. Generally, it is safest to donate via credit card or check.

Research sites: Check the IRS’ website, along with sites like BBB Wise Giving Alliance, Charity Navigator, CharityWatch, GiveWell, and GuideStar to learn about how organizations spend their money and which are tax-deductible.

Reject unsolicited requests: Scammers may attempt to access your money via calls, social media links, and emails. If an unfamiliar (or familiar) organization is calling or emailing you and you would like to donate, go directly to their website to do so safely.

Your donation, your decision: When donating online, you often have the choice to donate directly through the organization’s page or through a convenient portal that allows you to browse other charities. If you opt for the latter, doublecheck that your money is going to the charity you want to give to and how long processing will take. You may also want to read the fine print to determine if there are additional fees involved when using the portal and if/how the third party shares your personal information with the charitable organization.


With all that being said, don’t let the fear of scammers deter you from giving to organizations that positively impact your community and others! Use our tips and be MERRY when donating this holiday season. If you’d like to talk to someone about online safety, you can reach us at or call us at (703) 790-0400.


P.S. If you’re also interested in shopping safely online this holiday season, check out our blog on that topic!

By -- 2021-12-1 in Blog

If you’re someone who owns a smart device (or expects to receive one this holiday season), you may be concerned about the security of these devices. Apple, Amazon, and Google home gadgets can be convenient ways to consume information or communicate with others, but given these companies’ controversial histories of recording and reviewing voice data without users’ consent, a healthy amount of suspicion is understandable. In 2019, Amazon, Google, and Apple all suspended human review of user audio recordings in the midst of user outrage over privacy concerns. Essentially, contractors were hired to listen to anonymized user audio clips to improve AI capabilities. Google in particular has been notoriously vague when attempting to explain whether or not the information from voice recording is shared with third parties for ad personalization.

Fortunately for owners of Google Home, Apple HomePod, or Amazon Echo devices, there are ways to stop strangers from listening to your voice commands.

  • To stop Amazon employees from listening to your Alexa voice recordings:
    • Open the Alexa app
    • Settings > Alexa Privacy > Manage Your Alexa Data.
    • Now, select Choose How Long to Save Recordings > Don’t Save Recordings > Confirm
    • Finally, scroll down to Help Improve Alexa and turn the Use of Voice Recordings off
  • To do this for your Google Home:
    • Open the Google Home app and click on your Profile Icon
    • Navigate to > My Activity > Saving Activity.
    • Now, turn Include Audio Recordings off
  • To do this for your Apple iPhone or HomePod:
    • If you’ve chosen to opt-in to allow Apple to receive your audio data…
    • Go to Settings > Privacy > Analytics and Improvements > turn off Improve Siri & Dictation

If you’d like to ensure the privacy of your own devices (smart or not) feel free to reach out to us at

By -- 2021-11-24 in Blog

In the past few weeks, hundreds of WordPress sites have experienced an onslaught of ransomware attacks. The hackers implement encryption notices and demand a ransom of 0.1 Bitcoin, which equates to roughly $5,500 dollars.   The hackers include a countdown timer and tell the website owners that they will delete their entire website, which for a small business can be very costly.

The interesting aspect of this attack though is that it is FAKE.

Researchers have discovered that the websites were in fact not encrypted. Instead, threat actors changed an installed plugin called Directorist to display a ransom note and countdown. Researchers have also noted that hackers used admin credentials to get into these sites, likely as the result of brute-force or stolen credentials purchased through the dark web. However, these attacks appear to be only a part of a much larger campaign, suggesting the latter to be the avenue through which criminals gained access to private information.

So, what can you do? If you’re a WordPress user, review the plugins you use, as WP Reset Pro, OptinMonster, and Hashthemes Demo Importer have all been discovered to have vulnerabilities that hackers could exploit. Additionally, watch for and install software patches and updates to decrease the possibility of your site being attacked. If you’d like to learn more about website development and ransomware protection, you can reach out to us at or call us at (703) 709-0400.

By -- 2021-11-22 in Blog

Happy Holidays! We hope your season is filled with family, friends, and delicious food. As the holidays approach, you’ll no doubt be thinking about partaking in Cyber Monday deals to prepare for the holidays. In 2020 alone, 72.4 million people shopped on Cyber Monday. Unsurprisingly, as Cyber Monday sales have increased over the past few years, the opportunity for scams and hackers have as well.

In fact, it has recently been revealed that over 4,000 online retailers have been compromised by hackers in an attempt to steal financial and personal information from customers through launching payment-skimming attacks. The majority of targets are small and medium-sized online retailers. For more information about how to shop safely online, check out the NCSC’s Active Cyber Defence programme report and continue reading for additional tips.

Here are some things to watch out for:

  1. Evaluate the websites you use
    1. Beware copycat and fake websites- These types of websites are the most popular method scammers use to trick online customers into giving out personal and financial information. Keep an eye out for misspelled links, pixilated site images, sub-standard content, and faulty website functions to spot these types of scams.
    2. Shop on secure sites- To avoid unsecure sites that may not properly protect your personal and financial information, look for the padlock symbol within the URL line and a URL that begins with “HPPTS://” or “SHTTP://”. These indicate that the website is encrypted and has been secured with an SSL certificate. Additionally, you can visit the Better Business Bureau’s site to verify the website’s legitimacy.


  1. Consider your methods of payment
    1. Use a credit card- When shopping online, using a credit card is preferrable, as it provides additional protections when compared to debit cards. Further, if someone makes a fraudulent purchase using your credit card information, you are only liable for the first $50 and even then, most credit card companies cover that. Additionally, a virtual credit card will provide even more protection, as this proxy for your credit card will change with each purchase you make.
    2. Keep an eye on your bank accounts- During the holiday season, regularly monitor your accounts for suspicious activity. You can also choose to be notified by your bank or credit card company if they notice strange activity on your account or to monitor all activity


  1. Set a foundation of security
    1. Use unique passwords- Just under 50% of Americans use identical passwords repeatedly. This puts shoppers at an increased risk of hacking. Using a password manager is a great way to generate and implement the use of strong, unique passwords without having to remember all of them.
    2. Use a secure network- To avoid cybercriminals accessing your data, use your own phone’s cellular network or a private Wi-Fi connection in lieu of public Wi-Fi when shopping online.
    3. Ensure your software is up to date- Make sure that your security and device software has been updated prior to Cyber Monday shopping. These often contain patches that would otherwise allow hackers to access your data through vulnerabilities in older systems.


  1. Extra: Shop happy!
    1. Don’t give into scarcity and fear when shopping online this holiday season. Cybercriminals recognize that playing on feelings, fears, and a sense of trust are important elements in gaining access to sensitive data. Look out for previously mentioned red flags when shopping for hard-to-find gifts and deals that seem too good to be true. Take a deep breath before you begin your Cyber Monday journey- a late gift is much less harmful than compromised data.

Shop safely and enjoy the holiday season! If you’d like to discuss your network security with us, you can reach out at

By -- 2021-10-25 in Blog

The Transportation Security Administration (TSA) recently announced that it will soon implement new cybersecurity requirements on the railroad and airline industries. To many, this comes as no surprise, as critical infrastructure has been subject to a slew of high-profile cybersecurity attacks this past year. The new directives will all but waive existing voluntary cybersecurity measures for these industries in favor of a mandatory cybersecurity baseline. These new guidelines will be implemented by the end of the year, and fines will be imposed on noncompliant contractors and entities.

The Railroad Industry: Now, TSA will require higher-risk railroads to report cyber incidents to a federal agency. Creating cybersecurity point persons and contingency and recovery plans are also part of the forthcoming security directive.

The Airline Industry: As for the airline industry, the TSA will require designated cybersecurity coordinators and reports on cyber incidents to the Cybersecurity and Infrastructure Agency. Entities ordered to follow these new guidelines include critical US airport operators, passenger aircraft operators, and all-cargo aircraft operators.

Though many are familiar with the Colonial Pipeline hack that disrupted access to gas and created a hike in prices, different incidents’ have been of particular concern to policy makers. The Southeastern Pennsylvania Transportation Authority, Cape Cod’s ferry services, and New York City’s Metropolitan Transportation Authority have all been hit with similar malware in the past 2 years, demonstrating the importance of securing the nation’s critical transportation services. If you’re concerned about malware hitting your business, reach out to us at or call us at (703) 790-0400.

By -- 2021-10-25 in Blog

Many cybersecurity experts are now warning of a new ware called killware. Unlike ransomware and malware, which primarily aim to gain money and access to sensitive data, killware’s aim is to take lives. Authorities warn that these types of attacks could impact hospitals, transportation, law enforcement agencies, banks, and even the water supply. Hospitals specifically are of great concern to officials due to underreporting. As they increase their use of digital tools, they become more dependent on technology to deliver treatment and keep patients safe.


These types of attacks have already forced hospitals to cancel or defer procedures, including critical surgeries. This not only put lives at risk, but leaves hospitals vulnerable to HIPPA violation fines and liability lawsuits. Gartner estimates that the financial impact of cyber attacks resulting in fatalities will exceed $50 billion within the next few years.


Though authorities are now warning that killware will likely become more common and devastating in the near future, these types of attacks are not new.  In fact, a recent and prominent example of this occurred earlier this year. Hackers were able to infiltrate a Florida water treatment facility and alter its chemical mixture to a dangerous level before operators noticed and quickly changed the levels back to normal.


One of the best ways to protect your organization from these types of attacks is to implement a strong security policy and train employees to know the warning signs of a cyberattack. To learn more or implement a strong security policy in your organization, contact us at or via phone at (703) 790-0400.

By -- 2021-10-25 in Blog

In early October, an anonymous 4chan user posted a 125GB torrent link to the 4chan site containing breached data from the popular streaming platform Twitch. The hacker claimed that the intent of the leak was to “foster more disruption and competition in the online video streaming space”, suggesting that the breach was driven by spiteful intent.  Twitch has since confirmed the breach and stated that it is still working to comprehend the full impact of the incident.


So, what happened? According to Twitch, an error in a server configuration allowed the unknown hacker to maliciously gain access to sensitive reports and unreleased information. Fortunately, there has been no indication that login credentials were accessed and because the platform does not store full credit card numbers, full credit card numbers had not been retrieved. In an attempt to prevent similar breaches from occurring, Twitch has recently increased its bug bounty pay-outs from $3,000 to $5,000.

Bug bounties are deals offered by organizations and websites that promise monetary pay-outs in exchange for reporting bugs that may lead to security exploits and vulnerabilities. Twitch appears desperate to seal off any and all entry points, as labeling of the leak as “part one” suggests that more hacking attempts are likely. If you’re concerned about the security of your organization’s endpoints, feel free to contact us at or at (703) 790-0400.

By -- 2021-09-29 in Blog, Uncategorized

Cybersecurity Awareness Month 2021: Week 4


Cybercrime has risen immensely since the onset of the coronavirus pandemic, largely due to the sudden sharp increase in employees working remotely. This month, we focused on both email and mobile phishing attacks, as 36% of successful corporate cyberattacks have involved phishing. Already, hackers have ransomed millions of dollars from organizations since the beginning of the pandemic, making cyber hygiene even more necessary than ever before.

This past month, we’ve focused on providing you with the latest news on cybercriminal tactics and ways to stay safe online. Our first week’s blog focused on the basics of cyber hygiene: creating a routine, using multi-factor authentication, creating long and unique passwords, implementing a password manager to store those passwords, and keeping software updated. Therefore, here we’ll recap the 4 most effective things you can do to avoid cybercrime:


  1. Manage social media settings
    • Cybercriminals often utilize social engineering to obtain sensitive information, so be mindful of what you post publicly. Even posting seemingly benign information like your pet’s name or your mother’s maiden name can expose answers to common security questions.
  2. Use a Virtual Private Network (VPN)
    • A VPN encrypts all traffic leaving your devices until it arrives at its destination. If a hacker accesses your communication line, they won’t be able to intercept any non-encrypted information. VPNs are useful for a variety of purposes, such as:
      • When using public Wi-Fi
      • When accessing sites that contain sensitive information
      • Hiding private information from your browsing history and/or apps, which may otherwise be accessible to criminals if hacked
  1. Talk to family about internet security
    • Whether it’s your kids or your parents, talk to those you live with or who may not be tech-savvy about online threats
    • Communicate with your kids about acceptable use of the internet
    • Make sure your children know that they can come to you about online issues like bullying, stalking, or harassment
    • Inform those who are not as tech savvy (like your kids and/or parents) about the markers of online identity theft attempts
      • Be careful when sharing your family members’ personal information
      • Know that children are popular targets of identity theft because their social Security number and credit histories represent a clean slate
  1. Stay updated on major security breaches
    • If you hear about a website or ecommerce site that you use has been hacked, find out what information has been accessed and change your password immediately
    • You can use sites like this one to find out if your email or phone number has been compromised in a security breach. If it has- change the passwords to sites that have been compromised ASAP
    • One of the ways you can stay up to date is by reading our blog, where we frequently post updates about the latest major cybersecurity news


What Should I do if I Fall Victim to Cybercrime?

Though it’s important to know how to best prevent cybercrime from happening, its equally as important to know what to do if you believe hackers have accessed your device or data. Depending on the situation, you may need to alert your local police, the Federal Trade Commission, or even the FBI. Even if you think the cybercrime is minor, you should always report it. The malicious capabilities of hackers are broad and harmful* and should not be underestimated. Reporting may assist authorities detect cybercrimes and criminals in the future. If you think your information has been stolen, you should first contact the companies/banks where you know fraud occurred. Then, fraud alerts should be placed in your credit reports if bank information has been compromised. Lastly, if your identify has been stolen, identify theft can be reported to the FTC.


If you’re unsure how to navigate the waters of cyber hygiene, reach out to us at or call us at (703) 790-0400. Do your part and be cyber smart!




By -- 2021-09-29 in Blog

Cybersecurity Awareness Month 2021: Week 3


Last week, we discussed email phishing and the red flags you need be aware of. This common yet effective method of harvesting personal data laid the foundation for attacks that target mobile devices. Though many people are aware of phishing email campaigns, not the same can be said about mobile phishing campaigns. Hackers use social engineering techniques to target services like Facebook, WhatsApp, SMS, and malicious apps to exploit users who are less suspicious of these new avenues of cybercrime.

Perhaps this explains why research has found that mobile users are three times more likely to fall victim to phishing attempts compared to desktop users. The goal of mobile phishing attempts is often the same as email phishing attempts, and as such, warrant awareness and attention. Below, we outline the four most common ways hackers are infiltrating mobile devices.


  1. Malicious Apps

Hackers try to trick users into downloading malicious apps in two ways. One method involves using legitimate app stores like the iOS or Android stores. They use these markets to broadcast harmful apps that use phishing tactics to steal personal information. Though these stores constantly remove malicious apps, some are able to slip through the cracks amidst the torrents of official apps uploaded to these stores on a daily basis. Secondly, cybercriminals create unofficial app stores. Here, fraudulent apps mimicking legitimate ones are riddled with malware that activates only after they are installed.

These two means of infiltrating devices have become more common as corporate desktops have begun implementing pre-approved lists of software. This limits the success of hacking devices through application stores. Meanwhile, mobile devices can download any app from any network, broadening cybercriminals’ points of entry.

To keep yourself safe, never download apps from a browser; only use apps in your device’s official store. Within legitimate stores, keep an eye out for apps from unknown developers or those with few or negative reviews. Lastly, if an app is no longer supported by your device’s store, there’s probably a good reason it isn’t- so just delete it!


  1. Smishing

Text messaging is an often-overlooked segment of organizational cybersecurity, making “smishing” (SMS phishing) a newly popular way of hacking into mobile devices. Further, the success of these attacks has only incentivized hackers to continue deploying smishing attacks, as open rates are at an astounding 98%. Smishing primarily exploits devices through encouraging users to click on a link. Opening these links either loads a fraudulent landing page that asks for a user’s login credentials, or secretly downloads spyware onto the device. Both tactics have been successful in gaining access to personal and corporate data. Be wary of links within texts, and if you are unsure if a link from a seemingly legitimate text is safe, reach out to the company it claims it’s from and confirm if they sent a text to your device from the number you have.  Always use the phone number from an official source and not one which has been sent to you.


  1. Whishing

After hackers saw the success in smishing, they began launching phishing campaigns via a medium commonly used as an alternative to SMS messaging: WhatsApp. “Whishing”, or WhatsApp phishing, operates in the same way that smishing does; through sending malicious links over text. Whishing has risen in prevalence due to its relatively cheap and easy implementation. WhatsApp allows communication with anyone else on the app, enabling hackers to send mass phishing messages to a plethora of unsuspecting app users.

Whishing can be neutralized by using a web gateway to block connections to a phishing server, so make sure you are connected to your organization’s corporate network before inspecting any strange WhatsApp messages. Whether using a corporate or personal phone, never disclose sensitive information over Wi-Fi unless you know that the network is secure.


  1. Social Media

Lastly, hackers use social media to exploit mobile devices. Malicious links can be embedded into posts that appear innocent and uploaded to many social media sites. Facebook, Twitter, Instagram, and even LinkedIn have been known to host these types of posts. The links within these posts redirect users to phishing sites that ask for sensitive credentials. Phishing posts may appear as ads, giveaways, or contests that seem too good to be true. When clicked on, they take users to phishing sites that look real, but are simply fronts for stealing data. Be wary of any post that urgently encourages you to click on a link, especially if it involves a purchase or giving out personal information like an address.


If you’re worried about hackers gaining sensitive information through mobile attacks, contact us about network security at