I’ve mentioned the breach monitoring service “Have I Been Pwned” several times in past articles, and it continues to be a valuable service in finding out if any of my credentials have been exposed in any of the numerous breaches that have occurred over the past 7 years, as well as any new breaches that occur going forward. What’s disheartening for folks like me who have a keen interest in cyber security is that though this service is free, Have I Been Pwned only has 2M subscribers, out of a possible 3.6B unique email addresses in their database, meaning that less than 1% of potential users are utilizing the service. Hopefully that will change now that both web browser Firefox and password manager 1Password will start to heavily feature HIBP lookups directly in their interfaces.
What this means for you
Because they know I manage many hundreds of passwords as part of my business, my clients always ask me which password manager I use. Unfortunately for them, I can’t recommend Passpack, primarily because it isn’t designed for the average consumer. In the past, I’ve recommended LastPass or Dashlane, but with 1Password’s built-in integration of HIBP look-ups and wide availability on all major platforms, it seems like an obvious recommendation, to the point where I am considering migrating our business password management to them. Keep in mind that it’s not free, but there are family and team plans in case you feel like leading the way for your corner of the internet.
I’m also asked frequently about which web browser to use. Up until recently, I was a huge Google Chrome advocate, and I still use it on a regular basis on one of my laptops, but I have recently switched to Mozilla Firefox as my main workhorse browser, primarily for the expanding set of security and privacy features like the above-mentioned HIBP integration and Firefox’s own identity containers which can help to stop advertisers from snooping your cookies and history while you surf the web. It’s also very fast and a bit better at managing its RAM usage, unlike Chrome and Microsoft’s Edge, both of which are notorious memory hogs. If you are considering switching to Firefox, keep in mind that there are still some sites and services, especially in-house business solutions that may not run consistently, so always know where your Internet Explorer and Chrome shortcuts reside in case you need to fallback to another browser. Fortunately all three can safely co-exist, so it’s worth giving it a spin.
Finally, if you haven’t added your email address to Have I Been Pwned, you really should, even if you are afraid of what you might find out. The initial dismay is worth the longer-term gains in security.
It’s a new year, and I’m sure every one of us made at least one small promise (if only whispered to ourselves at 12:01am on Jan 1) to be better or do better at something this year. I can help you out with an easy one that will definitely improve your security profile, and I’m pretty sure a safer you = a more healthier you (at least digitally).
Let’s talk about the foundation of personal security: the Password.
Change that password. You know the one. The one you use everywhere. Change it! Make it hard. There are dozens of methods for coming up with one. Here’s one:
- Pick your favorite quote (or one you have memorized), use the first letter from each word. How about, “Twas the night before Christmas” which gives us “Ttnbc” – 5 characters, a good starting point.
- Randomize the capitalization in a way you can remember. How about reverse camel caps? “tTnBc”.
- Since we need 8 characters minimum, let’s add two numbers, and since we’re talking about Christmas, let’s add “24” on the end (or the beginning, it doesn’t matter).
- And we need a special character, how about the “@” symbol which looks like a Christmas ornament.
So now we have “@tTnBc24”. You’ll remember it because you created a small story behind the password, which will make it memorable. But Chris, you always say to use a unique password for every account! No problem, here’s how you do that, while still making every password you create memorable:
- For every unique account password you need to create, pick a string of 3 or 4 letters based on the name of the account (however you remember it, company name or type) – let’s say the first 3 letters, and always use the same rule. So for your Chase bank account, you’d add “Cha” somewhere to the password, either beginning or end.
- Before you tack it on the end of the password, pick a symbol that will act as the glue (or divider) between your specific account divider, let’s just say “+” because that makes sense right?
- Now you have “@tTnBc24+Cha”.
WARNING: if anyone ever gets ahold of more than one of your passwords generated via the above method, they may spot the pattern right away, especially if the account is known for each password, making it relatively easy to guess other account passwords. My recommendation here is to not use this method with passwords that you have to share with other people (it will be obvious if they see more than one). For those, use a random generator and store them in a known secure password utility, such as LastPass, KeePass, Dashlane or Roboform.
Use the above method for the accounts you access frequently, but don’t want to lower your security because of how valuable they are. Examples should include your email account (especially the one you use to send password resets/reminders to), anything that is attached to your money, accounts that has sensitive private information like insurance websites, and, most importantly, all of your social media sites, especially any in which you interact with friends and family.
If you are wondering if a password you’ve used in the past has been exposed, you can check https://haveibeenpwned.com if you know the email address to which the account was attached. This website is essentially a giant database of all the known data breaches over the past couple of years. If your email address raises a red flag, you should change the password you used for that account, especially if you used that same password elsewhere.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Despite the imminent arrival of Windows 10, thousands of businesses and organizations around the world continue to cling to Windows XP. In the business world, this position is increasingly dangerous to a company’s bottom line for a variety of reasons, but for the world’s most (arguably) powerful navy, it could be downright dangerous. The US Navy is actually paying Microsoft nearly $10M to continue to support and patch the expired OS, which was officially “put out to pasture” over a year ago. With over 100K Windows XP computers powering critical systems, the Navy still has a tremendous undertaking to phase the (un)dead OS out of daily operations.
What this means for you:
In a broader sense, it’s disheartening (and a little frightening) to think that our shores are being defended by warships powered by a 14-year old operating system, but the government, like our aircraft carriers, have never been capable of quick maneuvering, so this should come as little surprise to anyone. The fact that many businesses still heavily rely on XP despite repeated warnings from just about everyone in the industry is indicative of a larger problem, which is partly the industry’s fault, as well as a certain willful blindness we all share.
From an IT perspective, we’ve historically done a poor job preparing everyone for the security issues we now face, perhaps relying too heavily on tools and fixes, instead of emphasizing education and reforming business thinking. From an individual (and probably first-world) perspective, we’ve allowed ourselves to become increasingly reliant on technology to accomplish even the most basic tasks, and have built complex technological systems that support our daily lives that most of us can barely comprehend, let alone troubleshoot. A simple password hack can turn into a life-altering identity theft only because most of us fail to truly understand how everything is intertwined, and our personal veils of security are only as strong as the weakest password in your entire collection. The same can be said of your technology infrastructure: you are only as strong as the lowliest of forgotten XP machines on your network, and that isn’t very strong at all, regardless of how much you pay Microsoft.
Laptops and cellphones were once the sole domain of high-powered business executives, but thanks to the proliferation of high-speed internet and falling hardware prices, they are pervasive not only in professional environments, but in just about any walk of life. As you can probably guess, this also means an exponentially expanded attack surface for cyber criminals who are no longer focusing on traditional targets. Anyone who has a bank account or credit history is a potential victim, and younger targets can be exposed to potentially dangerous privacy invasions. Rather than enumerate the various ways in which your security and safety could be violated (we all have enough nightmares as it is), I’d like to focus on some positive actions you can take to make your mobile, digital life safer and more secure.
- Password protect your devices.
Even the most careful professional will misplace their mobile device on occassion. While passwords won’t stop determined hackers, it will keep most everyone else out until it can be recovered or remotely wiped. Laptops normally do not have remote wiping capabilities, so don’t stop at just a password for protecting these types of devices. - Use built-in apps, or purchase location-tracking software.
Late-model Android and iOS devices have location tracking and recovery capabilities built-in, but they must be enabled. You can add location tracking or a “phone-home” program to your laptop, but it requires the device to be connected to the internet in order for it to report its location. - Don’t store sensitive information on mobile devices.
With any portable device, the chance of it falling into the wrong hands is high. If you don’t have an IT department managing your device and controlling what can be stored on it, you should inventory what is stored on the device (sensitive client info, photos, personal financial data, passwords) and consider whether you need that information to be stored on that device. If you do, make sure you observe #4. - Encrypt any storage media.
All late-model Android and iOS devices have the capability to encrypt all data stored on the phone. It’s on be default on iPhones, but must be enabled manually on most Android devices. If you have to store sensitive data on your mobile device, make sure encryption is enabled and working. While it’s not completely necessary to encrypt your entire laptop hard drive, it is possible, and many financial service firms require it on their laptops. At minimum, store your sensitive data in an encrypted partition or folder, or on an encrypted thumb-drive. - Back up your data.
Do I even need to qualify this particular practice? Backups should be stored separately from the hardware being backed up. It should be transmitted and stored encrypted if it’s internet/cloud based. It should be as frequent as the minimum period of data loss you are willing to lose, e.g. if you can’t stand to lose an hours worth of work, your backups should run on an hourly basis. Be aware of the performance hits this may have on your hardware and network bandwidth. - Hide devices in parked cars or take them with you.
Mobile device thefts from parked cars is consistently at the top of all loss categories. Thieves know to target cars coming and going from office parks, universities, airports, and the retail/service businesses near these locations. Before you drive away from your work location to a Happy Hour or a quick bite or some grocery shopping, stow your laptop bag in the trunk or hide it in a hard to access part of the car. Don’t do this when you reach your destination, as the thief may already be there, watching for someone to do just that. If you can’t secure it or hide it properly, take it with you. - Add a leash.
If you are highly mobile and work from many locations, it’s easy to misplace your smaller electronics, and sometimes even laptops. Add a colorful leash to your thumb drives so you don’t forget them, and maybe even consider the same for your phone if you are prone to misplacing it. If you have to take your laptop bag with you to a place where you don’t plan to use it (because of #6), attach the strap to something you will be using at that location, whether it be to your jacket or purse, or even to your leg if you are sitting in a location with lots of noise or distraction. It’s easy to forget work-related tools when you are focused on non-work activities. - Be less conspicuous.
In open public places with crowds, conspicuous use of expensive mobile devices will flag you as a target for bold thieves. I’ve talked with victims whose laptops were pulled right out from under typing hands in a sidewalk cafe or picnic table, and have read numerous reports of smartphones and tablets being grabbed in broad daylight. If you want to work on your device in a busy environment, keep one eye on your surroundings, and place yourself and your device in a position where it will be less easy to snatch by a fleet-footed thief. - Educate your friends and family.
Even though you may be cautious and secure, the people around you can undo your careful preparations with carelessness or even well-meaning intent. Be mindful of everyone around you who might not be as savvy as you in technology, and choose carefully how you interact with them via email, social media, and even device sharing. Work laptops are notorious for being infected by family members who don’t have the same security concerns as you do. Quieting a young child with your smartphone may seem like a good idea at the time, but maybe there is some other way you can entertain them that doesn’t involve your work phone. - Report thefts/losses immediately.
Eventually, it will happen. Whether the device is stolen, damaged or infected and compromised, you should work immediately with the appropriate authorities and professionals to make sure you limit the damage, both to you and your organization, as well as any customers or clients who might be affected. Don’t wait.
Security firm Hold Security LLC is reporting that a cache of 360 million account credentials are up for sale on the black market. Of the 360 million identities, 105 million of them may be from a single data breach, the size of which rivals Adobe’s breach (153 million) from October 2013. Also on sale are 1.25 billion email addresses, a veritable treasure trove for spammers. In this particular case, the account credentials up for sale seem to be mostly comprised of account logins and unencrypted passwords, an important distinction as any buyer can immediately start using the data versus spending time unencrypting passwords.
What this means for you:
Given the sheer volume of account credentials compromised it’s highly likely one or more accounts you use is somewhere on that list, as well as the passwords associated with those accounts. According to Hold Security, they believe the organizations from whom this data was stolen are still unaware of the breach, so it’s even more likely you will be the last to know if you have been compromised. Rather than waiting around, I recommend changing your passwords on all your important online accounts to much stronger, randomized ones, such as can be created and managed by programs like internet-based LastPass or Passpack (my personal choice), or if you prefer to keep your passwords closer to home, desktop programs like Roboform or 1Password.
Image courtesy of Creativedoxfoto / FreeDigitalPhotos.net
It’s getting so that it might be easier to publish a list of companies that haven’t been hacked. Sadly, this week it’s dot-com darling Kickstarter and Wall Street stalwart Forbes.com, both of whom were hacked and user data exposed. Where Forbes almost immediately acknowledged that it had been hacked (unavoidable as the infamous Syrian Electronic Army announced that it was behind the attack), Kickstarter got on the wrong side of some folks for delaying it’s own announcement that it had been breached earlier in the week. Waiting almost 5 days before sending out an email to its users was viewed by many pundits as everything from lacksadaisical to outright criminal. In both cases, user names, email addresses and passwords were stolen, though both companies state that the passwords were encrypted which would make it difficult, but not impossible for hackers to crack weaker passwords in the stolen data.
What this means for you:
If you had accounts on either of these websites using passwords that you use elsewhere, you need to go out and change that password everywhere else it was used – preferably with a unique one for each website. I had accounts on both of these websites, but I’m less worried as both were unique to the websites and will never be used again. Until the technology industry can come up with a better way than passwords to secure our safety, your next best bet is to generate unique passwords everytime one is needed. Utilities like LastPass, Passpack and 1Password are invaluable for this sort of practice and are worth their weight in gold.
It’s also worth noting that in the case of the Forbes hack, their security was compromised by a targeted phishing attack. By responding to fake emails, duped employees revealed passwords that gave the attackers access to the WordPress engine that powers the Forbes.com website. Kickstarter has yet to reveal the nature of their security breach, but I wouldn’t be surprised if a similar phishing attack cracked their security. Phishing emails are becoming increasingly harder to spot as cybercriminals pour more effort and money into crafting effective attacks. The only protection is to be suspicious of everything, and to never click links in emails before independently verifying where they actually lead.
Though it sounds crazy to hear it, I’m pretty sure I’m not the only technology professional who wishes computer security was as easy as flipping a switch. Fixing broken technology is a major part of how I make a living, and nothing breaks technology like security breaches. In fact, I don’t want anyone to get infected, hacked or for their data to get corrupted, just like doctors don’t want to see their patients get sick. In keeping with the medical metaphor, there are technology guidelines and practices that can act as preventative medicine for your technology lifestyle. Here are ten suggestions that I hope you will resolve to follow to keep your technology streamlining and not derailing your path to success.
- Put a password or pin on your smartphone. This bears repeating over and over. I know it’s inconvenient, but think of how inconvenient it will be if someone got ahold of your unsecured smartphone and used it to access your private information, or worse, your clients’ information.
- Encrypt your mobile devices and thumb drives. If your device happens to fall into unknown hands, encryption provides a layer of protection that will discourage casual data thieves. In the case of certain smart devices, it may even give you time to remotely wipe and deactivate the device. Certain types of data (especially confidential client or customer information) should always be stored with strong encryption.
- Open attachments and links from emails with extreme caution. The most common vector of infection is via email, either by opening attachments or clicking links to compromised websites. Even if the email comes from someone you know, pay close attention to every aspect of the email for hints that it may be a fake, and if you are at all uncertain, pick up the phone or delete it and ask the sender to resend the email.
- Check your anti-malware software regularly. I know plenty of people who know they have anti-virus installed, but don’t know the name of the product, whether or not it’s up to date, or even if it’s working. Check your antimalware at least once a week to make sure it’s updating and if it’s caught anything recently.
- Don’t allow unsupervised, non-professional use of your computer. Originally, this rule was about keeping work and personal use completely separate, but I realize that is near impossible these days, so I amended it to focus on a potentially dangerous aspect of computing, which is allowing less security-conscious individuals access to the devices you use for business. If you wouldn’t trust this person with your business, don’t grant them unfettered access to your business devices.
- Back up your data. Viruses, thefts and hard drive crashes happen. Like death and taxes, hard drive crashes are inevitable, and it will fail when you can least afford it to fail. Unlike the first two, countering the negative consequences are handled by a simple process.
- Ensure confidential customer/client data is stored securely. If you are in a regulated industry, you are more likely to understand why this is important. But if your business services clients who are part of a regulated industry, you might be held to the same standards of security as your clients. Know what data you are storing, know where you are storing it, and how you are storing it.
- Familiarize yourself with the privacy policies of any social networking platforms you use. Even if you’ve managed to avoid the big names in social media (Facebook, LinkedIn, G+, Twitter, etc.), any community you participate in that has a digital component should have a clearly stated privacy policy that governs how your personal information will be used by that organization or platform. Don’t be surprised if you’ve inadvertently relinquished much more control and/or privacy than planned over information and the content you author on that platform.
- Make sure you have a proper firewall anywhere you use the internet. For the moment, you should consider the internet a wonderful AND dangerous place. Your office probably has a firewall in place (check anyways if you are the least bit unsure), but make sure you have a proper firewall working at home, AND on your desktop or laptop (where practical/allowed by corporate policy). Yes, they can be a bother sometimes, but weigh the inconvenience against a data breach, virus infection and uncomfortable client conversations about losing their data.
- Practice constant vigilance, and encourage it in everyone around you. You may be always on your toes, but you are more likely to let down your guard when interacting with co-workers, friends and family. The more you educate them about the above practices, the safer they will be, and you will improve your odds of keeping your own technology safe.
As in just about every facet of normal life, there are no guarantees, and no magical security switches to flip on and forget, but taking the above ten practices to heart can better prepare you for rougher aspects of technology and the internet. It also helps to have a guide while you are navigating the twisting paths of technology, and you should always consider C2 Technology ready to help you find your way to success with technology.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Back when Google’s Chrome browser was brand new in the browser market and demonstrating how poor Microsoft’s Internet Explorer security was in comparison, it was easy to recommend it as the faster, more secure option. However, with market share comes concessions to convenience and feature-creep, and it seems that Google may be stretching itself too thin to be the browser on everything and for everyone. Aside from the rather disturbing and glaring security flaw pointed out earlier this year in the desktop versions of Chrome (and steadfastly refuted by Google…until it was fixed), Chrome has typically been viewed as the “most secure” of the big three Windows browsers (the other two being IE and Firefox).
Unfortunately, security firm Identity Finder has burst this bubble by revealing another weakness in Chrome. In the spirit of convenience, Chrome offers to save information used to fill out the countless webforms we all run into on a daily or even hourly basis while surfing. Most of these fields are what would be considered personally identifying information (names, addresses, account numbers, etc.) and Chrome stores them in plain text on your hard drive so as to be able to retrieve them for autopopulating other web forms. The problem with this, of course, is that anyone with access to your hard drive can read that data and use it to nefarious ends. And in case you’re still trying to sort out why this is bad, access isn’t limited to someone working on your computer or stealing your hard drive. Unauthorized access is most often gained now through malware infections.
What this means for you:
Sadly, achieving better security is no longer simply a matter of changing your browser, no matter how much any company (even Google!) would have you believe otherwise. If you want to disable the above mentioned “feature” in Chrome, you can do so by visiting Settings -> Advanced Settings -> Passwords and Forms and unchecking “Enable Autofill to fill out web forms in a single click.” You should never rely on just a browser choice to determine the totality of your security. Good security is a combination of browser choice, settings, malware protection and constant vigilance. Chrome still remains a solid choice as a browser but beware convenience features like Autofill and saving passwords in your browser, as this convenience may come at the price of security.
Just in time to ride the publicity wave created by Amazon Prime’s Delivery Drones, infamous MySpace hacker Samy Kamkar has created a flying drone that can hack other drones and take over control of them. Before you grab your bug-out bag and head to that bunker in Montana, it may ease your fears somewhat to understand the drones in question are of the toy variety, versus the death-dealing military variety. The popular Parrot AR Drone is controlled from an iPad or iPhone via unencrypted Wi-Fi, a feature that Mr. Kamkar takes full advantage of in his miniature drone predator, aptly dubbed, “Skyjack“.
What this means for you:
While Skyjack is a long ways away from hacking the various UCAVs that are in extensive use around the world, it’s not hard to imagine how this could escalate the high-tech arms race fueled by the highly-publicized arrival of combat drones in the Afghanistan invasion. The idea behind Skyjack is a drone that can hunt out other Parrot AR Drones autonomously and enslave them. Fly Skyjack into a park where enthusiastic drone pilots are taking their Parrots for a spin, and the more unscrupulous Skyjack pilot can steal away the $300 devices in a blinking of an LED. Now extend that idea to a drone that can fly around neighborhoods, hunting out unsecured Wi-Fi networks or routers, hacking them, logging their locations, and then returning to its owner with map and database of ripe targets. Have I frightened you enough yet to get you to change the password on your home router to something a bit harder to guess?
Image Courtesy of Wikipedia.org
Once again, Google is blazing a new technology path, not necessarily by innovating, but by having the size and influence to make change happen in an industry that seems at times to get stuck in a vicious circle. In this particular case, technology has been navel-gazing on the password issue for years despite having the solution in hand decades ago: multi-factor authentication. In its most simplistic and well known form, you have probably been using two-factor MFA for years without even realizing it: your ATM card and PIN. In MFA terms, this is “something you have” (your ATM card) and “something you know” (your PIN). Without both present, authentication doesn’t happen.
Using its thousands of employees as guinea pigs since early 2013, Google is testing a technology platform it plans on releasing in 2014 based on MFA. The “something you have” in this case is a small USB FOB that is paired with your user login and a simple 4-digit PIN (“things that you know”) that authenticates you on a computer or an NFC-capable mobile device. If this sounds familiar, it may be because this device I wrote about previously does essentially the same thing. Instead of having to remember a bunch of different passwords, whenever you needed to prove who you are on the web or in an app, you could plug in your Yubikey (or tap your Nymi!) and viola, “Identity Verified!”
What this means for you:
The Yubikey Neo isn’t available yet, and Google hasn’t given a firm date as to when it will be available other than “2014”. Also, the utility of the device is highly dependent on a wide variety of services adopting the authentication platform, so even if they made it available as early as next month, you may find it to be somewhat useless until your favorite providers implement the technology, if they do at all. If you want to show your support for the death of the password, you may want to jump on the Nymi bandwagon, as even if the product never gets widely adopted, you can still accessorize with a wearable conversation-piece!
- 1
- 2