Keeper Announces Microsoft Edge Extension

LOOK WHAT’S NEW
Hey Windows 10 customers! You’ll be happy to hear that Keeper now has a Microsoft Edge extension. It gives you fast, secure access to your Keeper vault right inside the browser.

HOW IT WORKS
Now you can use Microsoft Edge to log in to your favorite online destinations quickly and securely. As you browse, the Keeper icon appears in login fields so you can manage logins, enter passwords and save new credentials to your vault, and KeeperFill™ autofills passwords without navigating away from the current page.

We are so excited to give millions of Windows 10 users a simple way to manage their passwords from the browser of their choice. The Keeper and Microsoft teams worked closely together to give the extension a native feel that fits naturally into your browsing experience.

Microsoft Edge is the faster, safer browser designed for Windows 10. Not only will this latest Keeper extension make your devices and online activity more secure but will also save you time.

WHERE TO GET IT
To download the extension, please visit https://www.microsoft.com/en-us/store/p/keeper-password-manager-digital-vault/9n0mnnslfz1t#.

We look forward to delivering more awesome updates for Windows 10 users in the future. Thank you for your support!

Why Google chose to pre-integrate Keeper SSO Connect into G Suite

We were thrilled last month when Google selected Keeper SSO Connect, our SAML 2.0 service, as one of just nine third-party apps included in its pre-integrated SSO Apps Catalog for G Suite. In an earlier post we explained why Keeper and SSO go so well together. Now we’d like to share why the Keeper solution is distinctive enough to earn Google’s endorsement.

Even if you’ve never heard the term SSO (single sign-on), you’ve almost certainly used it. Whenever a login page offers to sign you in with Facebook, Google, Twitter or another popular social network instead of creating a separate account, you are seeing a consumer form of SSO (federated login) at work. Fitbit’s login page is one example.

SSO is one of those rare win-win propositions: it enhances security and improves the user experience at the same time. Built on protocols such as Kerberos and the Security Assertion Markup Language (SAML), SSO handles most of the complexity of authentication and user identity management in the background.

And SSO isn’t just for public websites; it is also used extensively behind corporate firewalls. For example, companies may use it to make it easier for their employees to log in to multiple corporate accounts, such as email, financial applications, collaboration software and CRM. By deploying SSO, enterprises can greatly reduce the need for people to have to maintain passwords for each application they use. That means fewer helpdesk calls, fewer resets and less risk of compromise due to password theft. Companies can also monitor user SSO activity both to see how applications are being used and also to look for signs of compromise.

One of the most rewarding aspects of the Google endorsement is that Keeper has only been in this market for about six months. Late last year we were approached by one of our customers that wanted to use SSO internally to permit users to authenticate to their Keeper vault. We had a solution ready early in the new year, and it’s been a hit with customers.

There are two big differences between the Keeper SSO solution and most others. One is our ability to store rich information in the vault, including files, sensitive data and access credentials to restricted systems. Our shared password storage capability is useful to enterprise customers because not all applications support SSO. Keeper gives them the flexibility to keep a shared vault of passwords to non-SSO applications in a single, secure place so users can log into whatever systems they need. In another recent blog post we told you about how much some users value encrypted file storage.

The second big Keeper difference is our zero-knowledge security architecture. The customer maintains full control over encryption and decryption of their data; we have no access to the encryption keys, master passwords or records stored within the Keeper vault. This has become particularly important to customers in the wake of the OneLogin breach late last month, in which the credentials of potentially millions of individual users were exposed because the keys needed to decrypt them were kept on a central server that the attacker reached. Keeper holds only ciphertext: the keys that open a vault are derived on the user’s device and never reach our servers, so a breach of our infrastructure would yield encrypted data without the means to read it.

With its decision to include SSO Connect in its third-party apps catalog, Google is making it that much easier for customers to implement SSO with SAML. Our own integration goes further: SSO Connect also works with Microsoft’s Active Directory Federation Services (AD FS) and Azure, F5’s BIG-IP Access Policy Manager, Okta’s Identity Cloud, Centrify’s identity and access management products, OneLogin, Ping Identity and the open-source Central Authentication Service (CAS).

Latest Keeper Release Incorporates FIDO U2F Security Keys

FIDO U2F and YubiKey support is now part of Keeper’s core offering for individual users and enterprise accounts alike. In keeping with our mission to make the internet secure for everyone, we are thrilled to partner with Yubico, maker of the YubiKey, to deliver the highest level of security to our customers. The feature is available immediately to all Keeper customers and adds the protection of hardware-based 2FA to their critical accounts.

FIDO U2F security keys are small USB and NFC hardware 2FA devices that can be added to a Keeper account in moments. Once a key is registered, the user answers the second-factor prompt at Keeper login simply by touching the device. Because the key’s response is cryptographically bound to the site that requested it, a look-alike phishing page cannot obtain a response that Keeper will accept, which is what sets U2F apart from one-time codes typed in by hand. The YubiKey supports multiple authentication protocols and can protect access to a wide range of consumer and enterprise applications: a single YubiKey can authenticate to FIDO U2F-enabled services (Facebook, Google, Dropbox, GitHub, Salesforce, etc.), password managers such as Keeper, Windows login including Windows Hello, remote access, IAM, VPN and much more. It works on Microsoft Windows, Mac and Linux and in the major browsers without extra software or drivers.
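The touch-to-authenticate exchange described above, modelled end to end as an added example; this is not Keeper’s or Yubico’s code. The security key, browser and relying party are small Python classes; the AppID https://vault.example and the look-alike https://vault-example.com are hypothetical; and an HMAC over the same bytes a real key signs (application parameter, presence byte, counter, challenge parameter) stands in for the ECDSA signature and public key, which is the one place the model departs from the protocol. The phishing scenarios assume the attacker relays the real site’s challenge and key handle to the victim, which is how a credential-phishing proxy operates.

```python
"""Model of the FIDO U2F authentication exchange: security key, browser and
relying party.  Added example; HMAC stands in for the key's ECDSA signature."""
import base64
import hashlib
import hmac
import json
import os
import struct

APP_ID = "https://vault.example"  # hypothetical relying-party AppID


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """The hardware token. Each key handle is bound to the AppID it was registered for."""
    def __init__(self):
        self._regs = {}  # key_handle -> [app_param, secret, counter]

    def register(self, app_param: bytes):
        key_handle, secret = os.urandom(16), os.urandom(32)
        self._regs[key_handle] = [app_param, secret, 0]
        return key_handle, secret  # 'secret' plays the part of the public key here

    def sign(self, app_param: bytes, challenge_param: bytes, key_handle: bytes) -> bytes:
        reg = self._regs.get(key_handle)
        if reg is None or not hmac.compare_digest(reg[0], app_param):
            raise ValueError("key handle was not registered for this AppID")
        reg[2] += 1  # monotonic counter; a cloned key would fall behind
        presence, counter = b"\x01", struct.pack(">I", reg[2])  # 0x01 = user touched the key
        sig = hmac.new(reg[1], app_param + presence + counter + challenge_param, hashlib.sha256).digest()
        return presence + counter + sig


class Browser:
    """The U2F client: builds clientData and decides which AppID a page origin may use."""
    def __init__(self, key: SecurityKey):
        self.key = key

    def get_assertion(self, page_origin: str, app_id: str, challenge: str, key_handle: bytes):
        if app_id != page_origin:  # simplified facet rule: AppID must be the page's own origin
            raise ValueError(f"origin {page_origin} may not use AppID {app_id}")
        client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        sig_data = self.key.sign(sha256(app_id.encode()), sha256(client_data), key_handle)
        return client_data, sig_data


class RelyingParty:
    """The service (Keeper's role): stores key handle, verification key and last counter."""
    def __init__(self, app_id: str):
        self.app_id, self.users, self.pending = app_id, {}, {}

    def enroll(self, user: str, key: SecurityKey):
        key_handle, secret = key.register(sha256(self.app_id.encode()))
        self.users[user] = {"key_handle": key_handle, "secret": secret, "counter": 0}

    def start_login(self, user: str):
        challenge = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
        self.pending[user] = challenge
        return challenge, self.users[user]["key_handle"]

    def finish_login(self, user: str, client_data: bytes, sig_data: bytes) -> bool:
        rec, cd = self.users[user], json.loads(client_data)
        if cd.get("typ") != "navigator.id.getAssertion" or cd.get("origin") != self.app_id:
            return False  # origin binding: a response produced on another site is refused
        if cd.get("challenge") != self.pending.pop(user, None):
            return False  # unknown, or already spent, challenge
        presence, counter_bytes, sig = sig_data[:1], sig_data[1:5], sig_data[5:]
        counter = struct.unpack(">I", counter_bytes)[0]
        signed = sha256(self.app_id.encode()) + presence + counter_bytes + sha256(client_data)
        expected = hmac.new(rec["secret"], signed, hashlib.sha256).digest()
        if presence != b"\x01" or counter <= rec["counter"] or not hmac.compare_digest(sig, expected):
            return False
        rec["counter"] = counter
        return True


def login_from(rp: RelyingParty, browser: Browser, user: str, page_origin: str, app_id: str) -> str:
    """Run one exchange from a page at page_origin and report where it stopped."""
    challenge, key_handle = rp.start_login(user)  # a phishing proxy relays these from the real site
    try:
        client_data, sig_data = browser.get_assertion(page_origin, app_id, challenge, key_handle)
    except ValueError as exc:
        return f"refused on client: {exc}"
    return "accepted" if rp.finish_login(user, client_data, sig_data) else "rejected by server"


def scenarios() -> dict:
    key = SecurityKey()
    rp, browser = RelyingParty(APP_ID), Browser(key)
    rp.enroll("alice", key)
    phish = "https://vault-example.com"  # hypothetical look-alike domain
    results = {
        "legitimate": login_from(rp, browser, "alice", APP_ID, APP_ID),
        # look-alike page uses its own AppID: the key handle is not valid for it
        "phish_own_appid": login_from(rp, browser, "alice", phish, phish),
        # look-alike page asks for the real AppID: the browser refuses before the key is touched
        "phish_real_appid": login_from(rp, browser, "alice", phish, APP_ID),
    }
    challenge, key_handle = rp.start_login("alice")  # capture one good assertion, then replay it
    client_data, sig_data = browser.get_assertion(APP_ID, APP_ID, challenge, key_handle)
    rp.finish_login("alice", client_data, sig_data)
    results["replay"] = "accepted" if rp.finish_login("alice", client_data, sig_data) else "rejected by server"
    return results
```

Calling `scenarios()` shows the three properties that matter: the legitimate login is accepted, both phishing variants fail on the client side before anything reaches the server (the key has no registration for the look-alike AppID, and the browser will not let the look-alike page borrow the real AppID), and a captured assertion cannot be replayed because its challenge is spent and its counter is stale. A real relying party also needs to treat a counter that goes backwards as a cloned-key signal, exactly as the counter check here does.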

Keeper will be demoing and giving away YubiKeys at the Gartner Security & Risk Management Summit, June 12-15 in National Harbor, MD. If you are attending this summit please stop by our booth at #601 to learn more.

Why Keeper and SSO Are Better Together

SSO (single sign-on) products provide a digital handshake that lets users sign in to third-party SAML-compatible cloud services without entering a password for each one. Some SSO identity providers also offer basic password management for websites that do not support SAML, but in some cases that password management is not zero-knowledge: the provider itself is able to read the stored passwords. This is why we created Keeper SSO Connect.

Keeper SSO Connect is an encryption key management application that runs on-premises, on a physical server or a virtual machine (VM). It extends SSO identity providers with a full password management solution, with Keeper providing zero-knowledge encryption and storage of user-generated passwords and private information.

Keeper, as a zero-knowledge security provider, has no ability to decrypt user records, files, or data stored within the Keeper Vault.

Keeper SSO Connect is not vulnerable to the attack that recently affected OneLogin for one simple reason: the keys necessary to decrypt user records are never made available to Keeper, either through our standard Vault product or through Keeper SSO Connect.

Authorization and encryption keys are derived separately on the device from the user’s master password. Neither the master password nor the encryption key is ever transmitted to, or stored in, Keeper’s vault or cloud storage; both remain in the client’s control and possession, in Keeper’s standard products and in Keeper SSO Connect alike.

Even if the encrypted data in Keeper’s vault were obtained by a hacker or a third party, decrypting it would require the user’s master password or encryption key, neither of which is stored anywhere in Keeper’s vault or databases. That also means the master password is the one thing standing between an attacker holding your ciphertext and your data, which is why it must be long, unique and never reused.
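The arrangement described above and in the SSO Connect post, as an added example that is not Keeper’s own code: the client derives two keys from the master password, sends only the authentication key, and hands the server ciphertext it cannot open. Python’s standard library has no AES, so an HMAC-SHA256 keystream with a separate MAC stands in for the 256-bit AES that Keeper uses; the iteration count, the key labels and the server’s verifier scheme are assumptions made for illustration.

```python
"""Model of a zero-knowledge vault: both keys derived on the client, the server
left with a verifier and ciphertext.  Added example; not Keeper's code."""
from __future__ import annotations
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor; production clients use far more


def derive_keys(master_password: str, salt: bytes):
    """One slow PBKDF2 pass, then two independent sub-keys.

    The authentication key is what the client sends to log in; the encryption
    key never leaves the device.  Neither reveals the other or the PBKDF2 root,
    so an auth key captured in transit cannot decrypt a vault.
    """
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    enc_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(root, b"vault-authentication", hashlib.sha256).digest()
    return enc_key, auth_key


# Stand-in for AES-256-GCM (the standard library has no AES): HMAC-SHA256
# keystream XORed over the data, then a separate HMAC tag over nonce+ciphertext.
def _subkeys(key: bytes):
    return (hmac.new(key, b"stream", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(stream_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(stream_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    stream_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(stream_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    stream_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(stream_key, nonce, len(ct))))


class VaultServer:
    """Everything the provider holds per user: salt, auth-key verifier, ciphertext."""
    def __init__(self):
        self.db = {}

    def register(self, user: str, salt: bytes, auth_key: bytes, ciphertext: bytes):
        # Only a one-way hash of the auth key is kept, so even a full database
        # dump yields neither the auth key nor anything that derives the encryption key.
        self.db[user] = {"salt": salt, "verifier": hashlib.sha256(auth_key).digest(), "vault": ciphertext}

    def login(self, user: str, auth_key: bytes) -> bytes:
        rec = self.db[user]
        if not hmac.compare_digest(rec["verifier"], hashlib.sha256(auth_key).digest()):
            raise PermissionError("authentication failed")
        return rec["vault"]  # still ciphertext; the server has no key for it


def create_vault(server: VaultServer, user: str, master_password: str, records: dict):
    salt = os.urandom(16)
    enc_key, auth_key = derive_keys(master_password, salt)
    server.register(user, salt, auth_key, encrypt(enc_key, json.dumps(records).encode()))


def open_vault(server: VaultServer, user: str, master_password: str) -> dict:
    enc_key, auth_key = derive_keys(master_password, server.db[user]["salt"])
    return json.loads(decrypt(enc_key, server.login(user, auth_key)))


def breach_attempt(server: VaultServer, user: str, captured_auth_key: bytes) -> str:
    """Attacker holding the whole server database plus an auth key sniffed in
    transit tries every key-shaped value at hand against the ciphertext."""
    rec = server.db[user]
    for candidate in (rec["verifier"], captured_auth_key, rec["salt"].ljust(32, b"\0")):
        try:
            decrypt(candidate, rec["vault"])
            return "decrypted"
        except ValueError:
            continue
    return "ciphertext only"
```

The point of `breach_attempt` is that the server-side breach the OneLogin post describes gives the attacker nothing to decrypt with, because nothing the server stores, and nothing it ever receives, can be turned back into the encryption key. The residual risk is the one the text names: the stolen salt, verifier and ciphertext let an attacker guess master passwords offline at leisure, so the master password’s strength and the PBKDF2 work factor are what bound that attack.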

Keeper SSO Connect integrates with leading SSO solutions including Microsoft AD FS and Azure, F5 BIG-IP APM, Okta, Ping Identity and Centrify.

Sign up for a free trial and demo today.

Keeper Users Tell Why They Love Secure File Storage

One of the distinctive features of the Keeper password manager is Secure File Storage, but we find many customers aren’t aware that it’s even available.

Secure File Storage gives you 10GB of space on the Family Plan and 1TB on the Business Plan to store anything you like. The files, photos and videos you keep there are protected by the same 256-bit AES encryption and optional two-factor authentication as your passwords.

People find all kinds of uses for secure file storage. J.C. Rausch, a video network engineer at Metro Systems keeps nearly 300 documents in Keeper Secure File Storage. “I store multiple documents in there ranging from car insurance and renter’s insurance to medical information and lab reports,” he told us. “I also keep important notes that I’ve written to myself. Even though I have backup on my PC, I use Keeper as an encrypted secondary backup.”

J.C. has been using Keeper for over 5 years on his desktop computer and iPhone. “I probably tried four or five different apps, and Keeper seemed to be the easiest and simplest to use. It’s never let me down,” he said.

He didn’t use secure file storage at first, opting instead for one of those internet file-sharing services. But as we’ve seen in recent headlines, even they are susceptible to hackers. “As far as I know, Keeper has never been hacked, and others have,” he said. J.C. still uses public filesharing services for non-sensitive documents, but “for anything I don’t want others to see, I use Secure File Storage,” he said. And with 10GB of storage, “I have so much space available that I plan on going through a lot of my documents and uploading them,” he added.

Happy Guadalupe doesn’t use Secure File Storage for documents, but he has found an equally useful application for it that relates to his job providing team admin support at the Coca-Cola Company.
Happy (whose real name is Eduardo, but he’s been “Happy” as long as he can remember) first came across Keeper because he was looking for a way to get his passwords out of a paper notebook and into something more secure. “I was becoming afraid, because that book had become my life,” he said. “Keeper came along and it was love at first sight.”

Keeper has particular value for Happy at work because Coca-Cola’s security settings don’t permit employees on the internal network to save passwords on any sites they visit. “Keeper is a blessing,” he said. “I call it my second brain.”

As an admin, he frequently makes travel reservations for others, and that’s where secure photo storage comes in handy. Experts will tell you that sending personally identifiable information in email is playing with fire, but in Happy’s line of work he often needs to exchange credit card information with hotels and travel services. So he files away photos of all his credit cards next to the card numbers in Keeper. When making a hotel reservation, “I can send the photo of the card without sending the number in text,” he said. “After I send it, I immediately delete the message.” So far, most vendors have been perfectly OK with that arrangement. (A photo keeps the number out of plain text that can be searched or skimmed, but it is no better protected in transit or in the recipient’s mailbox than the digits themselves, so a vendor’s own secure payment form, when one is offered, remains the safer route.)

Which makes Happy, um, happy.

Keeper Secure File Storage is $9.99 per year and included in the $59.99 per year Family Plan for up to five users.

Some Frightening Stats About Accounts and Passwords

A recent report by Varonis Systems caught our attention because it illustrates how easily some basic security practices can be overlooked in the crush of day-to-day work.

Varonis released an analysis of more than 235 million folders it examined on file servers at 80 client sites. It found that more than 48 million of them – that’s 20% – were open to “global access groups,” meaning that, in effect, anyone in the organization could read them.

The report also said that the typical company has hundreds of openly accessible files that contain sensitive information.

But what really caught our eye was the data about user accounts and passwords. The audit found 448,000 accounts that were unused but still enabled, an average of 5,500 accounts per site. Typically, these accounts are set up for short-term use or belonged to people who have left the company but who still have active logins. The auditors also found half a million user accounts that had non-expiring passwords, meaning that attackers would have unlimited time to crack them and indefinite access thereafter.

Neither of these findings is surprising; busy administrators can easily overlook details like cleaning out old accounts or plan to get them later and never follow through. Some people also request exemption from the password expiration policy for the sake of convenience. If their title has a “VP” in it, that request is likely to be granted.

But both of these oversights are recipes for disaster. Take unused accounts. It isn’t hard for an attacker to guess which accounts may be dormant at any given company. Simply search LinkedIn for people who recently changed companies, then try common variants of their login names: bsmith@yourcompany.com, billsmith@yourcompany.com, etc. Searching on those email addresses may also turn up a hit.

An attacker can then try to log in using commonly used passwords. Given that 17 percent of people use the password “123456”, it won’t be long before one of those guesses yields a hit. Once inside, the crook has access to anything that user could see which, according to this report at least, is probably a lot.

Non-expiring passwords are simply a bad practice. About the only time they make sense is on an account with no privileges at all, such as a Wi-Fi login at a hotel. The reasoning is straightforward: a password that never changes gives an attacker unlimited time to guess it, so expiry caps the time, while locking the account after no more than five failed attempts (with a call to an administrator to unlock it) caps the number of guesses; the two controls complement each other. The usual argument against expiration is that it drives people to write their passwords down, which increases the chance of theft. Our advice is simple: use a password manager, which makes rotation painless.
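What the two findings above look like as a routine check, as an added example that is not taken from the Varonis report: the script reads a constructed directory export (fictitious accounts) and lists enabled accounts that are dormant, have a non-expiring password, or have gone more than a year without a password change. The column names, the 90-day and 365-day thresholds and the pinned "now" are assumptions.

```python
"""Audit a directory export for dormant-but-enabled accounts and for enabled
accounts whose password never expires or has not changed in over a year.
Added example on constructed data; fictitious account names."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export; columns mirror the attributes a directory dump exposes.
SAMPLE_EXPORT = """\
sAMAccountName,enabled,lastLogon,pwdLastSet,passwordNeverExpires,description
bsmith,true,2016-09-03T08:12:00Z,2016-08-30T09:00:00Z,false,Contractor (left 2016)
jdoe,true,2017-05-30T17:45:00Z,2017-03-01T10:00:00Z,false,Engineer
svc-backup,true,2015-11-20T02:00:00Z,2015-11-20T02:00:00Z,true,Backup service account
vp-ops,true,2017-05-29T12:00:00Z,2014-02-14T12:00:00Z,true,VP Operations (expiry exemption)
intern-2016,true,,2016-05-01T09:00:00Z,false,Summer intern; never logged on
tmiller,false,2016-01-10T13:00:00Z,2016-01-10T13:00:00Z,false,Disabled on exit
"""

NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)  # pinned so the results are reproducible


def parse_ts(value: str):
    """ISO-8601 'Z' timestamp -> aware datetime; an empty field (never set) -> None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def audit(export_text: str, now: datetime = NOW,
          dormant_days: int = 90, max_password_age_days: int = 365) -> dict:
    """Return {finding: [account names]} for enabled accounts only."""
    dormant_after = timedelta(days=dormant_days)
    max_age = timedelta(days=max_password_age_days)
    findings = {"dormant": [], "never_expires": [], "stale_password": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].lower() != "true":
            continue  # a disabled account is not an exposure
        name = row["sAMAccountName"]
        last_logon = parse_ts(row["lastLogon"])
        if last_logon is None or now - last_logon > dormant_after:
            findings["dormant"].append(name)  # never used, or unused for too long
        if row["passwordNeverExpires"].lower() == "true":
            findings["never_expires"].append(name)
        pwd_set = parse_ts(row["pwdLastSet"])
        if pwd_set is None or now - pwd_set > max_age:
            findings["stale_password"].append(name)
    return findings


def report(findings: dict) -> str:
    return "\n".join(f"{kind}: {', '.join(names) or '(none)'}" for kind, names in findings.items())


if __name__ == "__main__":
    print(report(audit(SAMPLE_EXPORT)))
```

In an Active Directory environment the export would come from something like `Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate,PasswordLastSet,PasswordNeverExpires | Export-Csv`, and the same three rules apply. The service account and the VP exemption show up in both the never-expires and stale-password lists, which is the combination the text warns about: no expiry and no rotation on an account that is very much in use.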

What is the Value of Stolen Digital Data?

By Darren Guccione, Co-founder and CEO of Keeper Security

By now almost everyone is aware that failing to properly password-protect access to sensitive digital materials can have severe consequences. The damage of having one’s identity stolen or having personal financial or health records purloined can take months or years to repair.

But just what is the value of stolen data on the digital black market today? How is this data passed from hackers who steal it to fraudsters who can make your life miserable?

The answer to the first question of the value of stolen data is, surprisingly, “not as much as you might think,” as we’ll see. That’s good news and bad news. The good news, for fraudsters, is that they can get more stolen data for less money. The bad news, for victims of data theft, is that more fraudsters have access to more stolen data at ever-cheaper prices. And the reason there is so much stolen data available is that hackers simply do not have a difficult time stealing it.

Where is stolen data sold?

But first, it’s important to understand how and where your stolen data is resold. It happens on the dark web, a part of the internet reachable only through software such as Tor that hides the identity of its visitors, and it is a vast marketplace for anything and everything illegal. Much of it looks very familiar, like any other e-commerce site. Sellers often carry ratings given by previous buyers. You can even purchase software to set up your own hacking business. Payments to sellers are made in bitcoin, whose pseudonymous addresses make buyers and sellers hard, though not impossible, to identify.

Once you are in this illicit emporium and you have some bitcoin, buying stolen identities or access to bank accounts is easy. Take stolen credit cards, for example. As when buying anything else online, buyers choose what they want: the card brand (Amex, Visa, etc.); the CVV, the three-digit code on the back of the card; whether associated login and password information is included; names; expiration dates; credit score; Social Security numbers; mother’s maiden name; credit limits; date of birth; the geography the card is normally used in; and so on. The cost per card varies with the information the buyer wants. Click “buy now,” download your stolen goods, and off you go.

What does stolen data cost to buy?

How much do these cards cost on the dark web? The variations are wide, and also fluctuate depending upon the supply of stolen cards. So if there were a major hack resulting in the compromise of 10 million cards, the price could plummet if the hackers flood the market. But generally speaking (and these figures are derived from a number of publicly available sources), the cost of stolen credit card data is roughly $13-$21, or the bitcoin equivalent thereof. These prices tend to be higher for stolen European Union, Canadian and Australian credit cards. Buyers pay the most for cards with so-called “fullzinfo” or just plain “fullz” – meaning the stolen record has a very complete set of information about the cardholder.

But as detailed in a groundbreaking report by McAfee on the market for stolen digital information, credit and debit cards are not necessarily the usual target of hackers and fraudsters today. Increasingly the targets are the password-protected online payment service accounts. Unlike with credit cards where the cost per card is determined by the different factors the buyer selects, the cost of this stolen data is related largely to the balances in the online accounts.

As you might expect, the price for bank login credentials is another matter. They can be had for as little as $100 for access to accounts with $2,000 or less. Or they can cost upwards of $1,000 for access to accounts with $15,000 or more.

A strong market for stolen health information

Both credit card and bank access data have a shelf life, which ends abruptly once the victims discover they’ve been hacked. But there is another record of digital identity that has more permanent information, and that is any kind of personal health information or PHI, including the very valuable electronic medical records or EMR. These contain highly sensitive information about an individual’s health history. And as such, they can be used to blackmail individuals; to publicly humiliate certain people; to undertake massive insurance fraud with fake claims; and to create many other forms of chaos and harm to victims.

Like other stolen digital data, the cost of such health records is subject to the same supply-demand dynamics as any other traded goods. According to Michael Ash, associate partner of Security Strategy Risk & Compliance at IBM, a stolen EMR can fetch up to $350 on the dark web.

However, due to a large number of such records having been stolen recently and then dumped onto the dark web for sale, prices have dropped, according to recent research. Also, law enforcement authorities have stepped up efforts to locate and apprehend both buyers and sellers of this highly personal health information, which has spooked some buyers. Thus recently, some EMR have been purchased for as little as $100 apiece. But as mentioned, this is a highly dynamic market in which prices of stolen digital data will vary over time, often wildly.

In any case, the incentives for stealing this data and selling it to the highest bidder will remain in place for the foreseeable future. Perhaps the single best defense for individuals remains strong, unique passwords for every account, together with the password “hygiene” to change a password promptly whenever the service holding it may have been breached. In this regard, it is wise to consider a free password manager to take the guesswork out of password management, so you can stop the hackers cold.

5 Ways to Protect Yourself from a Phishing Attack

With news of the Gmail phishing attack (the “Google Docs” lure of May 2017) still fresh in our memory, this is a good time to review some basic precautions you can take to avoid becoming a phishing victim.

Phishing attacks have been on the rise recently because, to put it bluntly, they work. The Anti-Phishing Working Group recorded 1.22 million phishing attacks in 2016, a 65% increase over the previous year. Phishing is the most common way attackers deliver ransomware, which is the fastest-growing form of malware.

Even though phishing has been around for a long time, it’s still amazingly effective. Some attacks have been found to record click-through rates of 30% or more (marketers would kill for that!). As the Gmail attack showed, phishers are becoming sneakier and more effective.

Most phishing attacks take the form of emails disguised to look like they come from trusted sources. The subject line usually carries an urgent message intended to drive immediate action, such as notice that an account has been compromised or that a service is about to be suspended. The attacker’s goal is to alarm the recipient and prompt immediate action – usually downloading an attachment or clicking on a link – without thinking about what they’re doing. That one click can trigger a malware infection.

Here are five steps to keeping yourself safe.

  1. Beware of poor spelling or grammar. Many phishing attacks originate outside the U.S. from people whose first language isn’t English, while legitimate organizations attend to details like grammar, spelling and usage. Errors are a strong warning sign, though their absence proves nothing: the Gmail attack was perfectly polished.
  2. Never respond to requests for information. Reputable organizations will never ask you to send passwords, credit card numbers or other personally identifiable information by email. Never.
  3. Check the email address. The “From” line has two parts: the display name (alias) and the actual address. The display name can be anything the sender wants, so phishers set it to something reassuring like “PayPal Customer Service”; judge the address instead, and if in that example it isn’t at PayPal.com, the message is a fake. Watch for look-alike domains that merely contain the brand name, and remember that even a matching address proves little on its own, since the header can be forged unless the receiving mail system enforces SPF, DKIM and DMARC. Always check before clicking.
  4. Don’t click unless you’re sure. A favorite tactic of phishers is to entice their victims to click on a link that purports to lead to a login or payment page. The page is disguised to look legitimate, but it’s a false front intended to capture information. Before clicking any link, hover your mouse pointer over it first; the real address shows up at the bottom of your browser or email client. Read the domain from the right: in “Googlecom.es” the site is googlecom.es, not Google. If it looks suspicious, get out of there.
  5. Use a password manager. One of the little-known benefits of a password manager is that it protects you from phishing scams: it won’t autofill on a login page whose site doesn’t match the one saved with the record when it was created. So even if the phisher tricks you into clicking on a link, the password manager gives you an extra layer of protection. Think of it as phishing insurance.
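The checks behind steps 3 to 5, written out as an added example rather than code from Keeper’s extension: a link is judged by its real origin (scheme, host and port, with the host normalised to its IDNA form so a homograph cannot pass as the letters a person sees), never by whether the trusted name appears somewhere in the URL, and a sender is judged by the address, never by the display name. The saved records and the phishing URLs are constructed; the script goes a little beyond the text by also covering the user-info trick, a plain-http downgrade and a Cyrillic homograph.

```python
"""Origin matching for a password manager's autofill and sender-domain checking
for mail.  Added example on constructed URLs; not from any real extension."""
from email.utils import parseaddr
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """(scheme, host, port): the identity a password manager ties a record to.

    The host is IDNA-encoded so a look-alike built from non-Latin letters
    compares as its xn-- form rather than as the letters a person sees.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    host = parts.hostname.rstrip(".").encode("idna").decode("ascii").lower()
    return parts.scheme, host, parts.port or DEFAULT_PORTS[parts.scheme]


def should_autofill(saved_url: str, page_url: str) -> bool:
    """Fill only when the page's origin equals the origin stored with the record."""
    return origin(saved_url) == origin(page_url)


def naive_match(saved_url: str, page_url: str) -> bool:
    """The shortcut to avoid: a substring match on the saved host."""
    return urlsplit(saved_url).hostname in page_url


def sender_domain_ok(from_header: str, expected_domain: str) -> bool:
    """Ignore the display name; accept only the expected domain or a subdomain of it."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1].lower()
    return domain == expected_domain or domain.endswith("." + expected_domain)


# Constructed cases: (URL saved with the record, URL of the page now showing a login form)
CASES = [
    ("https://www.paypal.com/signin", "https://www.paypal.com/myaccount/summary"),    # same site, new path
    ("https://www.paypal.com/signin", "https://www.paypal.com.login-secure.example/"),  # saved host is a prefix
    ("https://www.paypal.com/signin", "https://www.paypal.com@evil.example/"),        # user-info trick
    ("https://www.paypal.com/signin", "http://www.paypal.com/signin"),                # downgrade to plain http
    ("https://www.paypal.com/signin", "https://www.p\u0430ypal.com/"),                # Cyrillic 'a' homograph
    ("https://www.google.com/", "https://Googlecom.es/"),                             # step 4's example
]


def evaluate():
    """Return (page_url, naive verdict, origin verdict) for each constructed case."""
    return [(page, naive_match(saved, page), should_autofill(saved, page)) for saved, page in CASES]
```

Running `evaluate()` shows the substring check waving through the prefix, user-info and downgrade pages while the origin comparison fills only on the genuine site; the homograph defeats the eye rather than the substring test, which is why the origin check normalises the host to its xn-- form before comparing. `sender_domain_ok` applies the same idea to step 3, and as the text notes it is a necessary check rather than a sufficient one, since a forged From header passes it unless SPF, DKIM and DMARC are enforced on the receiving side.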

Why You Should Change Your Social Network Passwords Now

When was the last time you changed your Facebook password? If you’re like many of us, you probably can’t even remember. Facebook won’t prompt you to make a change, and its two-factor authentication is strictly optional. The same goes for Twitter. LinkedIn is a bit more aggressive in that area, but it, too, makes the feature optional.

We tend not think of our social media accounts as important points of vulnerability because we don’t store payment information there. But think again. Recent hacks of McAfee’s LinkedIn account and McDonald’s Twitter account show how easy it is for even big companies to be compromised. Facebook co-founder Mark Zuckerberg’s social network accounts were hacked last year. It can happen to companies of any size and it can happen to individuals, too.

Consider what a malicious person with access to your social accounts could do:

  • Impersonate you and post content that embarrasses you and alienates friends and colleagues;
  • Access personal settings to look up information like addresses and phone numbers that you share only with your closest friends, opening the door to identity theft;
  • Access content, such as photos and videos, that you share only with close friends or family members;
  • Log in to the myriad services that use OAuth-based social login, the single sign-on method adopted by thousands of other websites;
  • Once signed in on those services, repeat the mischief elsewhere;
  • Change the password to your social network accounts, forcing you to go through the painful process of contacting and verifying your identity to each of those operators;
  • Monitor your travel activity to look for opportunities to break into your home or business;
  • In the case of Google, make payments using Google Pay.

Do you need any other incentive to safeguard your social network passwords? All the major social networks now offer two-factor authentication. Our advice is to use it. The extra step may take a few seconds, but consider the trouble you may be saving yourself.

Artificial Intelligence and Machine Learning: Security Panacea

When it comes to data security, there are no magic bullets. There is, however, a very potent cyberdefense solution representing a great leap forward in the struggle to protect data and information. Actually, it is a combination of two closely related technologies – one fairly new and the other decades old.

They are artificial intelligence (AI) and machine learning (ML). Think of AI as the ability of computers to be programmed to do things that normally require human intelligence, such as speech recognition, decision making, and language translation. It has been around in one form or another since the dawn of the computer age.

ML, the newer of the two in everyday practice, is closely related to AI but uses statistical algorithms to learn decision rules from data rather than having them written out by a programmer, so an ML program’s behaviour changes as it is exposed to new data. For example, last year a machine-learning program called AlphaGo from Google DeepMind beat one of the world’s best players of Go, a highly complex and ancient Chinese board game. AlphaGo was given the rules of Go but no hand-written playing strategy; it learned from records of human games and then from playing against itself.

Machine learning already hard at work

Already ML solutions are bearing some of the data security burden when it comes to sniffing out money-laundering schemes, preventing an all-out security attack, and protecting customer credit cards. For example, honest consumers are often dogged by temporary “stops” put on their credit cards when suspicious activity is noted, like purchases in foreign countries. Machine learning algorithms learn to “think” differently. If the credit card activity includes things like buying airline tickets, taking Uber to the airport, buying a meal at the airport, and so forth, this “suspicious” activity is noted by the ML program as normal, and no annoying credit card stops are needed.

Specifically when it comes to data security, AI and ML shine in unique ways. They can create customer personas that are self-adjusting (they “think” on their own) as underlying business rules change. They can aggregate data from sources as diverse as terrorist watch lists and the near century-old Interpol. And they can integrate and interoperate with other global financial firms to mine an even deeper pool of fraud prevention data – all with little or no human intervention.

According to Patrick Tiquet, director of security and architecture at Keeper Security, baking advanced security techniques like AI and ML into the fabric of cybersecurity strategies is not simply a nice feature – it is essential.

“New vulnerabilities and threats are being developed and discovered on a 24/7 real-time basis,” Tiquet says. “Traditional cybersecurity threat detection has relied mostly on static rules or signatures of known threats, which leaves an organization blind and virtually unprotected from newly developed, unknown, or zero-day vulnerabilities. The ability to utilize a learning artificial intelligence system to detect and identify unknown threats or zero-day exploits is a game changer. Organizations will be able to detect previously unknown threats based on behavior rather than matching to known static rules or signatures.”

At Keeper, a leading password management solution company, password-enabled authentication solutions will increasingly rely upon AI and ML to authenticate a user. For example, AI-based authentication will be used to examine a number of different factors in making a decision to authenticate a user. These factors could include biometric inputs, location, behavior, and even proximity of known devices. As Tiquet says, “Think of it as AI-based multifactor authentication.”

An end to false positives?

One persistent argument against AI- and ML-based security systems is that they tend to report too many false positives and alerts that can lead to “alert fatigue” – think “the boy who cried wolf.” But the reality is that the sheer volume and complexity of security-related data generated today have already blown past the capacity of human beings to analyze it all.

So MIT’s Computer Science and Artificial Intelligence Lab is attacking this false-positives issue head-on by developing a system called AI2. The system can review security-related data from literally millions of data logs every day, reporting back anomalies and suspicious data. Its reports are studied by a human analyst who provides the system input on whether the threats were legitimate. Over time, this ML/AI system learns from its past mistakes and gets better at finding real threats while reporting fewer false ones. In one test of the solution, false positives were eventually reduced by a factor of 5 as the system crunched through some 40 million log lines of data per day generated by an ecommerce website.

Security systems incorporating AI and ML techniques have arrived at a key time: cybersecurity threats are growing in number and sophistication, and the stakes in protecting sensitive data have never been higher. It will be a race to see whether these new techniques can keep up with, or possibly stay ahead of, the threat environment.