Some Frightening Stats About Accounts and Passwords


A recent report by Varonis Systems caught our attention because it illustrates how easily some basic security practices can be overlooked in the crush of day-to-day work.

Varonis released an analysis of more than 235 million folders it examined on file servers at 80 client sites. It found that more than 48 million of them – that’s 20% – were open to “global access groups,” meaning that, in effect, anyone in the organization could read them.

The report also said that the typical company has hundreds of openly accessible files that contain sensitive information.

But what really caught our eye was the data about user accounts and passwords. The audit found 448,000 accounts that were unused but still enabled, an average of 5,500 accounts per site. Typically, these accounts are set up for short-term use or belonged to people who have left the company but who still have active logins. The auditors also found half a million user accounts that had non-expiring passwords, meaning that attackers would have unlimited time to crack them and indefinite access thereafter.

Neither of these findings is surprising; busy administrators can easily overlook details like cleaning out old accounts or plan to get them later and never follow through. Some people also request exemption from the password expiration policy for the sake of convenience. If their title has a “VP” in it, that request is likely to be granted.

But both of these oversights are recipes for disaster. Take unused accounts. It isn’t hard for an attacker to guess which accounts may be dormant at any given company. Simply search LinkedIn for people who recently changed companies, then try common variants of their login names: bsmith@yourcompany.com, billsmith@yourcompany.com, etc. Searching on those email addresses may also turn up a hit.

An attacker can then try to log in using commonly used passwords. Given that 17 percent of people use the password “123456”, it won’t be long before one of those guesses yields a hit. Once inside, the crook has access to anything that user could see which, according to this report at least, is probably a lot.

Non-expiring passwords are just a bad practice. About the only time they make sense is when the account has no privileges, such as a Wi-Fi login at a hotel. Otherwise, users should be limited to no more than five login attempts before they’re locked out and have to call an administrator. The argument against password expiration is that the policy encourages people to write down their passwords, which increases the possibility of theft. Our advice is simple: use a password manager.
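The two findings above (dormant-but-enabled accounts and non-expiring passwords) plus the five-attempt lockout rule can be checked mechanically against a directory export. The following audit is an added example, not code from the post or from Varonis; the account records are constructed, and the field names, the 90-day dormancy threshold and the fixed "now" are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Account:
    """One row of a constructed directory export (field names are assumptions)."""
    name: str
    enabled: bool
    password_never_expires: bool
    last_logon: Optional[datetime]  # None means the account has never logged on
    failed_attempts: int = 0


# Fixed reference time so the audit is reproducible (assumption for the example).
NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold
MAX_FAILED = 5                      # the post's "no more than five login attempts"

# Constructed sample data: a mix of the cases the report describes.
SAMPLE: List[Account] = [
    Account("bsmith", True, False, NOW - timedelta(days=200)),          # left the company
    Account("contractor-temp", True, True, None),                       # short-term, never used
    Account("jdoe", True, False, NOW - timedelta(days=3), failed_attempts=7),
    Account("vp-finance", True, True, NOW - timedelta(days=1)),         # exemption granted
    Account("old-intern", False, False, NOW - timedelta(days=400)),     # already disabled
]


def dormant_but_enabled(accounts, now=NOW, threshold=DORMANT_AFTER):
    """Enabled accounts with no logon inside the threshold (or no logon ever)."""
    cutoff = now - threshold
    return sorted(
        a.name for a in accounts
        if a.enabled and (a.last_logon is None or a.last_logon < cutoff)
    )


def non_expiring_passwords(accounts):
    """Enabled accounts exempt from password expiration."""
    return sorted(a.name for a in accounts if a.enabled and a.password_never_expires)


def over_lockout_threshold(accounts, limit=MAX_FAILED):
    """Enabled accounts whose failed-attempt counter exceeds the lockout limit
    but which are still enabled, i.e. lockout is not being enforced."""
    return sorted(a.name for a in accounts if a.enabled and a.failed_attempts > limit)


def audit(accounts=SAMPLE):
    """Return every finding keyed by category, for reporting or ticketing."""
    return {
        "dormant_enabled": dormant_but_enabled(accounts),
        "non_expiring": non_expiring_passwords(accounts),
        "lockout_not_enforced": over_lockout_threshold(accounts),
    }


if __name__ == "__main__":
    for category, names in audit().items():
        print(f"{category}: {', '.join(names) or 'none'}")
```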

 

What is the Value of Stolen Digital Data?


By Darren Guccione, Co-founder and CEO of Keeper Security

By now most everyone is aware that failing to properly password-protect access to sensitive digital materials can have severe consequences. The damage of having one’s identity stolen or having personal financial or health records purloined can take months or years to repair.

But just what is the value of stolen data on the digital black market today? How is this data passed from hackers who steal it to fraudsters who can make your life miserable?

The answer to the first question of the value of stolen data is, surprisingly, “not as much as you might think,” as we’ll see. That’s good news and bad news. The good news, for fraudsters, is that they can get more stolen data for less money. The bad news, for victims of data theft, is that more fraudsters have access to more stolen data at ever-cheaper prices. And the reason there is so much stolen data available is that hackers simply do not have a difficult time stealing it.

Where is stolen data sold?

But first, it’s important to understand how and where your stolen data is resold. It happens in a part of the World Wide Web called the dark web. Accessed only by using special software that hides the identity of visitors, the dark web is a vast marketplace for anything and everything illegal. Much of it looks very familiar, like any other e-commerce site. Sellers often have ratings given by previous buyers. You can even purchase software to set up your own hacking business. Payments to sellers are arranged using bitcoin, a digital currency that all but assures buyers and sellers remain anonymous.

Once you are in this illicit emporium and you have some bitcoin digital currency, buying stolen identities or access to bank accounts is easy. Let’s take stolen credit cards, for example. As when buying anything else online, buyers specify the type of card (Amex, Visa, etc.); the CVV, or three-digit code on the back of the card; whether you want associated login and password information; names; expiration dates; credit score; Social Security numbers; mother’s maiden name; credit limits; date of birth; specific geographies of usage; and so on. The cost per card varies with the information the buyer wants. Click “buy now,” download your stolen goods, and off you go.

What does stolen data cost to buy?

How much do these cards cost on the dark web? The variations are wide, and also fluctuate depending upon the supply of stolen cards. So if there were a major hack resulting in the compromise of 10 million cards, the price could plummet if the hackers flood the market. But generally speaking (and these figures are derived from a number of publicly available sources), the cost of stolen credit card data is roughly $13-$21, or the bitcoin equivalent thereof. These prices tend to be higher for stolen European Union, Canadian and Australian credit cards. Buyers pay the most for cards with so-called “fullzinfo” or just plain “fullz” – meaning the stolen record has a very complete set of information about the cardholder.

But as detailed in a groundbreaking report by McAfee on the market for stolen digital information, credit and debit cards are not necessarily the usual target of hackers and fraudsters today. Increasingly the targets are the password-protected online payment service accounts. Unlike with credit cards where the cost per card is determined by the different factors the buyer selects, the cost of this stolen data is related largely to the balances in the online accounts.

As you might expect, the price for bank login credentials is another matter. They can be had for as little as $100 for access to accounts with $2,000 or less. Or they can cost upwards of $1,000 for access to accounts with $15,000 or more.

A strong market for stolen health information

Both credit card and bank access data have a shelf life, which ends abruptly once the victims discover they’ve been hacked. But there is another record of digital identity that has more permanent information, and that is any kind of personal health information or PHI, including the very valuable electronic medical records or EMR. These contain highly sensitive information about an individual’s health history. And as such, they can be used to blackmail individuals; to publicly humiliate certain people; to undertake massive insurance fraud with fake claims; and to create many other forms of chaos and harm to victims.

Like other stolen digital data, the cost of such health records is subject to the same supply-demand dynamics as any other traded goods. According to Michael Ash, associate partner of Security Strategy Risk & Compliance at IBM, a stolen EMR can fetch up to $350 on the dark web.

However, due to a large number of such records having been stolen recently and then dumped onto the dark web for sale, prices have dropped, according to recent research. Also, law enforcement authorities have stepped up efforts to locate and apprehend both buyers and sellers of this highly personal health information, which has spooked some buyers. Thus recently, some EMRs have been purchased for as little as $100 apiece. But as mentioned, this is a highly dynamic market in which prices of stolen digital data will vary over time, often wildly.

In any case, the incentives for stealing this data and then selling it to the highest bidders will remain in place for the foreseeable future. Perhaps the single best defense for individuals seeking to protect these assets remains high quality, virtually bullet-proof passwords, and the right password “hygiene” that ensures passwords are changed often. In this regard, it is wise to consider a free password manager to take all the guesswork out of password management, so you can stop the hackers cold.

5 Ways to Protect Yourself from a Phishing Attack


With news of the Gmail phishing attack still fresh in our memory, this is a good time to review some basic precautions you can take to avoid becoming a phishing victim.

Phishing attacks have been on the rise recently because, to put it bluntly, they work. The Anti-Phishing Working Group recorded 1.22 million phishing attacks in 2016, a 65% increase over the previous year. Phishing is the most common way attackers deliver ransomware, which is the fastest-growing form of malware.

Even though phishing has been around for a long time, it’s still amazingly effective. Some attacks have been found to record click-through rates of 30% or more (marketers would kill for that!). As the Gmail attack showed, phishers are becoming sneakier and more effective.

Most phishing attacks take the form of emails disguised to look like they come from trusted sources. The subject line usually carries an urgent message intended to drive immediate action, such as notice that an account has been compromised or that a service is about to be suspended. The attacker’s goal is to alarm the recipient and prompt immediate action – usually downloading an attachment or clicking on a link – without thinking about what they’re doing. That one click can trigger a malware infection.

Here are five steps to keeping yourself safe.

  1. Beware of poor spelling or grammar. Many phishing attacks originate outside the U.S. from people whose first language isn’t English. Legitimate organizations attend to details like grammar, spelling and usage. If the email contains these errors, it’s probably a scam.
  2. Never respond to requests for information. Reputable organizations will never ask you to send passwords, credit card numbers or other personally identifiable information by email. Never.
  3. Check the email address. There are two parts to the “From” part of an email: the user name (or alias) and the email address. The alias can be anything the sender wants it to be, but you can’t disguise an email address. Phishers always change the alias to look legitimate, like “PayPal Customer Service.” But if the email address in that example isn’t PayPal.com, the message is a fake. Always check before clicking.
  4. Don’t click unless you’re sure. A favorite tactic of phishers is to entice their victims to click on a link that purports to send them to a login or payment page. The page is disguised to look legitimate, but it’s a false front intended to capture information. Before clicking any link, hover your mouse pointer over it first. The address will show up at the bottom of your browser or email client screen. If it looks suspicious, get out of there. Beware of addresses that are doctored to look legitimate, such as “Googlecom.es.”
  5. Use a password manager. One of the little-known benefits of a password manager is that it protects you from phishing scams. That’s because it won’t work on a login page where the URL doesn’t match the URL entered when the record was created. So even if the phisher tricks you into clicking on a link, the password manager gives you an extra layer of protection. Think of it as phishing insurance.
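Tips 3, 4 and 5 are all checks a program can make: compare the sender's address domain rather than its display name, compare a link's host with the brand it claims to be, and only autofill when the page's origin matches the one saved with the login. The code below is an added example, not the post's or Keeper's code; the "PayPal" and "Google" hosts are the post's own illustrations, the sample From header and links are constructed, and the lookalike rule is a heuristic assumed for the example.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def sender_mismatch(from_header, expected_domain):
    """Tip 3: the display name ("alias") can say anything; only the address domain
    is compared. Returns True when the address is not from the expected domain."""
    _display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return domain != expected_domain.lower()


def normalize_origin(url):
    """Scheme, lowercase host, and port (default port filled in) of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def autofill_allowed(saved_url, current_url):
    """Tip 5: fill credentials only when the current page has exactly the origin
    recorded when the login was saved. A different scheme (http vs https) or a
    host that merely contains the saved host does not match."""
    return normalize_origin(saved_url) == normalize_origin(current_url)


def lookalike_of(host, brand_host):
    """Tip 4 heuristic (an assumption for this example, not a rule from the post):
    flag a host that is not the brand or one of its subdomains but still contains
    the brand name, with or without its dots (Googlecom.es, paypal.com.evil.example)."""
    host = host.lower().rstrip(".")
    brand = brand_host.lower()
    if host == brand or host.endswith("." + brand):
        return False  # the brand itself, or a genuine subdomain such as accounts.google.com
    squashed = brand.replace(".", "")
    return brand in host or squashed in host.replace("-", "")


def triage_link(saved_url, link, brand_host):
    """Combine the checks for one link into a report dict."""
    host = urlsplit(link).hostname or ""
    return {
        "autofill": autofill_allowed(saved_url, link),
        "lookalike": lookalike_of(host, brand_host),
    }


if __name__ == "__main__":
    # Constructed sample message and links.
    hdr = '"PayPal Customer Service" <alerts@paypal-billing.example>'
    print("sender mismatch:", sender_mismatch(hdr, "paypal.com"))
    saved = "https://www.paypal.com/signin"
    for link in ("https://www.paypal.com:443/signin?ref=mail",
                 "https://www.paypal.com.account-verify.example/signin",
                 "https://Googlecom.es/login"):
        print(link, triage_link(saved, link, "paypal.com"))
```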

Why You Should Change Your Social Network Passwords Now


When was the last time you changed your Facebook password? If you’re like many of us, you probably can’t even remember. Facebook won’t prompt you to make a change, and its two-factor authentication is strictly optional. The same goes for Twitter. LinkedIn is a bit more aggressive in that area, but it, too, makes the feature optional.

We tend not to think of our social media accounts as important points of vulnerability because we don’t store payment information there. But think again. Recent hacks of McAfee’s LinkedIn account and McDonald’s Twitter account show how easy it is for even big companies to be compromised. Facebook co-founder Mark Zuckerberg’s social network accounts were hacked last year. It can happen to companies of any size and it can happen to individuals, too.

Consider what a malicious person with access to your social accounts could do:

  • Impersonate you and post content that embarrasses you and alienates friends and colleagues;
  • Access personal settings to look up information like addresses and phone numbers that you share only with your closest friends, opening the door to identity theft;
  • Access content, such as photos and videos, that you share only with close friends or family members;
  • Log in to the myriad of services that use OAuth, the popular single sign-on method used by thousands of other websites;
  • Once signed in on those services, repeat the mischief elsewhere;
  • Change the password to your social network accounts, forcing you to go through the painful process of contacting and verifying your identity to each of those operators;
  • Monitor your travel activity to look for opportunities to break into your home or business;
  • In the case of Google, make payments using Google Pay.

Do you need any other incentive to safeguard your social network passwords? All the major social networks now offer two-factor authentication. Our advice is to use it. The extra step may take a few seconds, but consider the trouble you may be saving yourself.

Artificial Intelligence and Machine Learning: Security Panacea


When it comes to data security, there are no magic bullets. There is, however, a very potent cyberdefense solution representing a great leap forward in the struggle to protect data and information. Actually, it is a combination of two closely related technologies – one fairly new and the other decades old.

They are artificial intelligence (AI) and machine learning (ML). Think of AI as the ability of computers to be programmed to do things that normally require human intelligence, such as speech recognition, decision making, and language translation. It has been around in one form or another since the dawn of the computer age.

ML, the new kid on the block, is closely related to AI but uses highly complex algorithms to actually learn to make decisions on its own – without being programmed to do so. ML programs actually change on their own when exposed to new data. For example, last year a machine-learning program called AlphaGo from Google DeepMind beat one of the world’s best players of Go, a highly complex and ancient Chinese board game. AlphaGo was not programmed to play Go, but rather learned to play on its own.

Machine learning already hard at work

Already ML solutions are bearing some of the data security burden when it comes to sniffing out money-laundering schemes, preventing an all-out security attack, and protecting customer credit cards. For example, honest consumers are often dogged by temporary “stops” put on their credit cards when suspicious activity is noted, like purchases in foreign countries. Machine learning algorithms learn to “think” differently. If the credit card activity includes things like buying airline tickets, taking Uber to the airport, buying a meal at the airport, and so forth, this “suspicious” activity is noted by the ML program as normal, and no annoying credit card stops are needed.

Specifically when it comes to data security, AI and ML shine in unique ways. They can create customer personas that are self-adjusting (they “think” on their own) as underlying business rules change. They can aggregate data from sources as diverse as terrorist watch lists and the near century-old Interpol. And they can integrate and interoperate with other global financial firms to mine an even deeper pool of fraud prevention data – all with little or no human intervention.

According to Patrick Tiquet, director of security and architecture at Keeper Security, baking advanced security techniques like AI and ML into the fabric of cybersecurity strategies is not simply a nice feature – it is essential.

“New vulnerabilities and threats are being developed and discovered on a 24/7 real-time basis,” Tiquet says. “Traditional cybersecurity threat detection has relied mostly on static rules or signatures of known threats, which leaves an organization blind and virtually unprotected from newly developed, unknown, or zero-day vulnerabilities. The ability to utilize a learning artificial intelligence system to detect and identify unknown threats or zero-day exploits is a game changer. Organizations will be able to detect previously unknown threats based on behavior rather than matching to known static rules or signatures.”

At Keeper, a leading password management solution company, password-enabled authentication solutions will increasingly rely upon AI and ML to authenticate a user. For example, AI-based authentication will be used to examine a number of different factors in making a decision to authenticate a user. These factors could include biometric inputs, location, behavior, and even proximity of known devices. As Tiquet says, “Think of it as AI-based multifactor authentication.”

An end to false positives?

One persistent argument against AI- and ML-based security systems is that they tend to report too many false positives and alerts that can lead to “alert fatigue” – think “the boy who cried wolf.” But the reality is that the sheer volume and complexity of security-related data generated today have already blown past the capacity of human beings to analyze it all.

So MIT’s Computer Science and Artificial Intelligence Lab is attacking this false-positives issue head-on by developing a system called AI2. The system can review security-related data from literally millions of data logs every day, reporting back anomalies and suspicious data. Its reports are studied by a human analyst who provides the system input on whether the threats were legitimate. Over time, this ML/AI system learns from its past mistakes and gets better at finding real threats while reporting fewer false ones. In one test of the solution, false positives were eventually reduced by a factor of 5 as the system crunched through some 40 million log lines of data per day generated by an ecommerce website.

Security systems incorporating AI and ML techniques have arrived at a key time: cybersecurity threats are growing in number and sophistication, and the stakes in protecting sensitive data have never been higher. It will be a race to see if these new techniques can keep up or possibly stay ahead of the threat environment.

 

What’s the big deal with hashing, and why should I care?


Hashing algorithms have been in the tech news a lot lately. What are they and why is everyone trying so hard to break them?

The latest news concerns the SHA-1 algorithm, which has been declared dead now that a team of researchers from the Centrum Wiskunde & Informatica (CWI) institute and Google Research have found a way to create two documents containing different content that generate the same hash. In crypto terms, this is called a collision.

The reason this is big news is that about 20% of websites that use certificates are still using SHA-1. If yours is one of them, then your administrators have got some scrambling to do.

Let’s back up and explain briefly what hashing is, how it differs from encryption and why collisions are such a big deal. A hashing algorithm disguises input text by running it through a one-way function that turns it into an unintelligible string of gibberish, with all output strings usually being the same length. When hashing passwords, the system first adds a random string of data called a “salt” to the front or back of the password. The password plus the salt are then run through the hash algorithm to create a unique character string.

The authentication system can then store the salt plus the hash instead of the password to validate access attempts. Any time there’s a login attempt, the salt is applied to the password that’s entered and the resulting “salted hash” is compared to the one stored in the password table. If they match, then the password is valid and access is granted. If they don’t, the password is rejected.

The beauty of salted hashing is that it enables password authentication to work without requiring that the password itself be stored. Once the salted hash is created, the password can even be thrown away. Anyone who steals the password file only gets a bunch of gibberish characters that are nearly impossible to decode*. Even if multiple accounts use the same password, the randomly generated salts ensure that the hash values are different.
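The store-and-verify procedure described above, as an added example (not code from the post): the record holds only the salt and the salted hash, verification recomputes the hash from the entered password, and two accounts with the same password get different hashes because their salts differ. It uses SHA-256, one of the SHA-2 family the post recommends, and the `salt` parameter exists only so the result is reproducible; a second variant uses PBKDF2, the standard library's slow password hash, which is what a production system should prefer over a single SHA-2 pass.

```python
import hashlib
import hmac
import secrets

HASH_NAME = "sha256"        # SHA-2 family; SHA-1 and MD5 are deliberately not used
PBKDF2_ROUNDS = 200_000     # assumed work factor for the slow variant


def make_record(password, salt=None):
    """What the authentication system stores: the salt plus the salted hash.
    The password itself is never kept. `salt` defaults to 16 fresh random bytes."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.new(HASH_NAME, salt + password.encode("utf-8")).hexdigest()
    return {"alg": HASH_NAME, "salt": salt.hex(), "hash": digest}


def make_record_slow(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Same idea with PBKDF2-HMAC-SHA256, which makes each guess expensive
    for an attacker who steals the password file."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, rounds)
    return {"alg": f"pbkdf2-{HASH_NAME}", "salt": salt.hex(), "hash": digest.hex(),
            "rounds": rounds}


def verify(password, record):
    """Login check: apply the stored salt to the entered password and compare the
    resulting salted hash with the stored one, in constant time."""
    salt = bytes.fromhex(record["salt"])
    pw = password.encode("utf-8")
    if record["alg"] == HASH_NAME:
        candidate = hashlib.new(HASH_NAME, salt + pw).hexdigest()
    else:
        candidate = hashlib.pbkdf2_hmac(HASH_NAME, pw, salt, record["rounds"]).hex()
    return hmac.compare_digest(candidate, record["hash"])


def same_password_different_hashes(password):
    """Two records for the same password, each with its own random salt, differ."""
    return make_record(password)["hash"] != make_record(password)["hash"]


if __name__ == "__main__":
    # Constructed demo: a stored record, a good login and a bad one.
    rec = make_record("correct horse battery")
    print(rec)
    print("good login:", verify("correct horse battery", rec))
    print("bad login: ", verify("123456", rec))
    print("same password, different hashes:", same_password_different_hashes("123456"))
```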

So why does this matter to you? Because hashing systems only work if no two strings of code can produce the same salted hash code, an event that’s called a collision. That’s why security researchers work so hard to find weaknesses that enable collisions to happen. The thinking is that if the good guys can find a weakness first, they can warn everybody before the bad guys have a chance to do any damage.

Security researchers first produced a collision in SHA-1’s predecessor, MD5, in 2005. They used brute-force methods to create two different password input strings that produced the same salted hash in as little as one minute using a basic laptop computer.

At that time, SHA-1 was suspected of also being vulnerable, but no one had yet successfully produced a hash that created a collision. All that changed in February with the publication of a paper by CWI Institute and Google Research that described in detail how a collision had been induced.

Bottom line: If your authentication system uses SHA-1 or MD5, you’re at risk of being breached.

You might wonder why these vulnerabilities are being discussed more than a decade after their existence first came to light. The answer is part technology, part human nature.

Switching from one hashing algorithm to another isn’t a trivial task. There are issues of backward compatibility with systems that use old hashing algorithms. Administrators must, in effect, catch every instance that uses the old algorithm and modify it. It’s time-consuming drudge work, and it’s tempting for busy admins to work on more pressing projects.

Then there’s the risk/reward tradeoff. The CWI/Google team said they committed 6,500 years of CPU computation and 110 years of GPU (graphical processing unit) computation to completing the two phases of the SHA-1 attack. They estimated that it would have cost about $110,000 worth of Amazon Web Services resources to duplicate the computing power they brought to the task. Since no one but the most determined and well-funded criminal enterprises or governments would commit those kinds of resources, it’s tempting to just hope for the best. Now that a compromise has been published, however, smarter attacks will follow.

That’s why even patches for severe vulnerabilities can take years to percolate through the user community. As recently as mid-2015 there were reports that MD5 was still in widespread use. When 200 million Yahoo credentials went up for sale online last summer, it turned out that they had been protected using MD5. That breach occurred in 2012, seven years after the first vulnerabilities were reported.

In other words, things don’t change nearly as quickly as we would like to believe. That’s why vendors are trying to push the issue this time. Google said it will publish the source code for creating an SHA-1 collision next month, along with protections for Gmail and GSuite users that defend against use of their collision technique. Security experts recommend switching to SHA-2 or one of its companions.

Ask your email administrator which hashing algorithm your company is using. If it’s SHA-2 or higher, you’re in good shape. If you’re greeted by a blank stare, well, you have bigger problems.

*If you think hashing sounds a lot like encryption, you’re right. The approaches are similar, but the intended outcomes aren’t. The main difference is that encrypted data is intended to be decrypted at some point, which is why keys are used. In contrast, hashed data is never intended to be decrypted.

 

Password Myth Busters


Think you know it all when it comes to passwords and protecting your digital life? Guess again. As the saying goes, it’s what you don’t know that can hurt you. Here below are some popular myths about passwords and digital security – busted for you.

Myth: Most people exercise reason and caution in securing their digital devices and Website access with good passwords.

Reality: Nearly one in five people use the following password, many on multiple devices: 123456. That’s the conclusion of a search of 10 million passwords used in successful data breaches in 2016. The second most commonly used password? None other than 123456789! And coming in a close third is qwerty – the top six letters of a common keyboard. Don’t expect much help from Websites, which could, if they wanted, enforce tougher password policies. But that might slow site traffic. Thus good password hygiene is up to you. Click here for a free copy of a great guide to password safety in an unsafe world.

Myth: Passwords are becoming outmoded and old school, easily replaced by more snazzy technologies and techniques.

Reality: In the words of international security expert Per Thorsheim, “Everyone who predicts the death of passwords next year will be wrong again, just as they have the past 10 years.” It’s not that the industry hasn’t tried to retire tried and true passwords to protect your digital life. There are patented, wearable devices for wrist vein recognition; a ‘selfie’ that identifies you by the size of your body parts (just don’t gain/lose weight); iris scanning (hold the contacts); even a notion for a swallowable ‘pill’ that is powered by stomach acid and which emits signals to sensors in digital devices. Or – you can just get yourself a great free password management solution that creates nearly uncrackable passwords for each device and site you enter, and remembers them all for you.

Myth: There’s no need to reset the factory-installed passwords in digital devices like baby monitors and security cameras. Why bother?

Reality: Last October sophisticated international hackers using a popular piece of hacking software called Mirai broke into more than 100,000 Internet of Things devices, including security cameras and baby monitors. They then created a large botnet—a centrally controlled, infected network of internet-connected devices, albeit not exactly smart devices but interconnected all the same. They then used the botnet to launch a distributed denial of service attack on a major internet backbone company, rendering millions of people and businesses without service. Mirai-toting hackers struck again a month later, this time knocking electric power out to nearly a million German customers. The moral of the story: Reset the factory password presets on your digital devices so you won’t become part of the problem.

Myth: So what if my password gets stolen. What can the crooks do with it anyway? Probably nothing.

Reality: A year ago some 400 million passwords stolen from MySpace went up for sale to the highest bidders on part of the Internet known as the dark web. The same hacker later placed another 100 million purloined passwords stolen from LinkedIn for sale. Armed with these seemingly innocuous passwords, hackers used sophisticated programs to try to kick the door in on personal bank accounts, social media accounts, credit card accounts, and other places where troves of personal data lie. And once they are in they can do all sorts of nasty things to make your life miserable. Again the only protection is strong passwords that are not used repeatedly for different devices and different sites. Remember that 63% of successful data breaches result from weak, default or stolen passwords. Virtually all of this can be stopped.

Myth: When US citizens are traveling in the US, TSA and US Border Patrol agents can never demand the passwords to your devices.

Reality: That is true for the TSA, but not so for US Border Patrol agents. There are confirmed news reports of US citizens being prevented from re-entering their own country unless they turn over both their devices and the passwords for unlocking them. What the agents can then do with the information they view or seize and how long they can keep it is undefined and unclear. The only solution and protection, for now, is to remove any sensitive data and files from your devices before traveling internationally – much easier said than done for business travelers. But that is another reason for using third party cloud storage providers, which can safely offload those files from the devices for retrieval later on.

Myth: When traveling internationally it is generally safe to use the digital device charging stations in hotel rooms, and it is safe as well to just jump on line to check your bank balances and credit card statements from ‘public’ PCs and tablets at coffee houses and bookstores.

Reality: Wrong on both counts. Even in nice hotels, it is easy for cyber thieves working with cleaners to install malware discreetly on room docking stations. Using these, it is easy to steal passwords to whatever sites you access. Ditto with publicly available devices, which are notoriously riddled with malware to swipe your digital goods.

Conclusion

Perhaps the most stark reality is that the world is a very unsafe place when it comes to your digital data, given the number of cyber thieves out there, the sophistication of their illicit techniques, and their determination to rip you off. For consumers, passwords by far remain the best protection in this global threat environment.

 

Cybersecurity Travel Tips When Going Abroad


Tips and Tricks for Cyber Safe Foreign Travels

Vacation time is looming, and with the growing strength of the U.S. dollar vs. other currencies, many people are making plans for international travel. If you are among them, be sure you have done all you can to take responsibility for cybersecurity when traveling. After all, it’s a dangerous world out there when it comes to the cyber threat environment. Some common sense and preparation will go a long way toward ensuring your international travel memories are of the good kind.

Let’s break down the tips and tricks of cyber safe travel into two categories. The first is basic “blocking and tackling,” which for the most part is done prior to your travel. The second category deals with security tips once you are on the road.

Held up at the border

First, it is important to know in advance that the travel environment itself has changed. While traveling within the U.S., the TSA agents at the gates are not allowed to confiscate your digital devices nor are they allowed to demand passwords to get into them. If such attempts are made, demand to speak to a supervisor.

The rules, however, are different for U.S. Border Patrol agents and for agents in other nations too. Recently there have been multiple news reports of U.S.-born citizens having to turn over digital devices and their passwords as a condition for entering or reentering their own country. What can the border agents do with your passwords or data on your devices? How long can they keep that information? How long can you be detained? These and other questions are not easy to answer. But as you will see from the tips and tricks below, there is much that can be done to minimize what might be compromised or inspected while you ensure your trip overall is as cyber safe as it can be.

Basic blocking and tackling, before you head out

  • Back up your e-files. Just presume you are going to lose everything on your devices. If all data is backed up before you leave, then if you lose your device you won’t lose what really matters most to you.
  • Don’t carry sensitive data. This is easier said than done if you are mixing business and pleasure, but it is not unreasonable to just leave behind all the sensitive files you are not likely to use. Store them on cloud backup or on removable media. But get them off your devices.
  • Change all passwords for all devices. When doing this, use two-factor authentication if possible, which most devices have today. Make the passwords eight characters or longer with a combination of nonsensical letters, numbers, and symbols. Download a free password manager that will do all the work of creating complex passwords and remembering them for you.
  • If you haven’t checked recently, this is an excellent time to be sure your antivirus software is current. There is plenty of danger lurking in foreign hotels, coffee houses, and even airports, as we’ll see. This software is your first line of defense.
  • If your smartphone allows, and most do, enable the feature that automatically erases all data in the event of multiple failed password attempts (usually 10 or so).
  • If available, enable anti-theft software (often through the cloud) that allows you to lock your device remotely if it is stolen. Enable and activate the “find my phone/device” function so if your phone or tablet is stolen, you can track it, disable it, and change all the passwords.
  • Be mindful of movies, books, and other things you have loaded onto your devices that could be considered pornographic or otherwise illegal in certain other countries. Also, some downloads considered legal in the U.S. may actually violate local intellectual property or digital asset rights in other countries, should your device be searched. Just err on the side of caution and remove anything that might be construed that way.
  • Disable Wi-Fi auto-connect options from all devices before you leave, such that you have to manually connect when you think it is safe to do so. The best approach is to buy a subscription to services that only connect to secure Wi-Fi hotspots throughout the world. Rates are inexpensive and getting more so all the time. Just do a search on “unlimited wifi.” If you will need to transfer or access sensitive data abroad, consider getting a highly secure VPN connection on a daily or weekly rental basis. Just search “VPN rental.”
  • Similarly, disable Bluetooth connectivity. If left on, cyberthieves can connect to your device in a number of different and easy ways. Once they are in, your cyberworld is their oyster!
  • Finally, if you do not have an international subscriber identity module (better known as a SIM card) or a roaming package on your smartphone, your two-factor authentication access will be limited. All the more reason to purchase a secure Wi-Fi data plan.

Now that you have arrived…

The tips and tricks in this list really won’t take long at all for travelers to put in place. Doing so is great insurance against many of the cyber threats that lurk when your plane touches down on foreign soil. But once that happens and your excitement builds as you head to the luggage carousel, your cybersecurity work is not done. Here are some steps to promote cybersafety on the ground:

  • Double check to be sure all of your apps are password protected with fresh, new passwords, ideally stored in your password management system so you don’t have to remember any of them. And don’t use the same PIN for hotel room safes that you use for your device password.
  • At all costs, avoid using “public” digital devices, such as those at coffee houses, libraries, and bookstores. They are notoriously riddled with malware lurking to steal your information. If you must use them, presume that someone other than you will see any information you enter.
  • Be very careful about connecting to any Wi-Fi network if you haven’t subscribed to a global service previously, per the tip above. These are prime milieus for cyberthieves. Say you are in a train station (bahnhof) in Germany. You scan your device for a wireless network and there are several. A legitimate one might be “bahnhofwifi”—but you don’t know that. A cyberthief has set up his own Wi-Fi trap and it shows up as “bahnhoffwifi,” with but one letter changed. Connect to that and your troubles are just starting.
  • Don’t charge your devices using anything other than your own chargers plugged directly into the wall or into your adapter. It is easy for cyber thieves to install malware onto hotel and other public docking stations.
  • Never connect any USB drive or other removable media that you don’t personally own. Again, they are easy to load with malicious software.
  • This goes without saying, but NEVER let your devices leave your sight. If you cannot physically lock devices in your hotel room safe or other secure place, take them with you. There are no good hiding spots in your hotel room. And, of course, never check your devices with your luggage.
  • Most social media sites are happy to automatically share your location as you post photos and messages. This also tells thieves back home that you are away, which is a great time to break in. So limit the information you post regarding your location at any point in time.

Bon voyage! And safe cyber travels.

 

Why Company-wide Password Management Just Makes Sense


When pressed for reasons for not deploying a comprehensive password management system company-wide, leaders conjure a variety of answers. Among the most common refrains is, “We haven’t been attacked or breached, so why bother? We have other priorities.”

What they should be saying is, “We haven’t been attacked or breached – yet.” Data from the 2016 Ponemon Institute’s State of Cybersecurity in SMBs research study shows that half of SMBs today will suffer data breaches involving customer and employee information this year. And in the 2016 Data Breach Investigations Report by Verizon, a key finding is that nearly two-thirds (63%) of confirmed data breaches involve weak, default, or stolen passwords.

With strong passwords clearly a deterrent to attacks, it is sobering that the Ponemon study also finds that nearly six in 10 SMBs have no visibility into employees’ password practices. Worse, in typical SMBs today, 60% of employees use the same password for everything – and they’re often not strong passwords at that.

Password solutions that deliver big time

By contrast, SMBs that have adopted company-wide password management solutions have achieved measurable results in upping their security efforts. Keeper Business includes a security audit dashboard with its comprehensive password management solution. The dashboard scores various password practices in effect in the organization, such as whether two-factor authentication is in use, the relative strength of passwords in use, whether the same passwords are used for access to different systems, and so on.

For example, a small financial institution registered a score of 50 (on a scale from 1–100, with 100 being highly secure) prior to deploying the Keeper solution. A few weeks after the deployment, that score shot up to 95, reflecting consistent usage of very strong passwords by employees and an end to using the same passwords repeatedly.

A big benefit of the Keeper security audit dashboard is benchmarking an organization from a security perspective so they can see over a three-to-six month period how well they are doing in increasing security and mitigating risk.
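To make the kind of scoring described above concrete, here is a small added example (our own illustration, not Keeper’s dashboard code or scoring formula) that audits a constructed vault export for the three practices mentioned: reused passwords, weak passwords, and logins without two-factor authentication. The site names, passwords, entropy threshold and penalty formula are all constructed for the example.

```python
"""Constructed example: score a password vault the way an audit dashboard might.
This is illustrative code, not Keeper's implementation or scoring formula."""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

# Constructed vault export with made-up sites and passwords (not real credentials).
VAULT: List[Dict] = [
    {"site": "bank.example", "password": "Summer2016!", "two_factor": True},
    {"site": "mail.example", "password": "Summer2016!", "two_factor": False},
    {"site": "crm.example", "password": "123456", "two_factor": False},
    {"site": "wiki.example", "password": "q7#Lp2$vX9!mR4zD", "two_factor": True},
]

# Tiny constructed list standing in for a breached/common-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein"}


def estimate_entropy_bits(password: str) -> float:
    """Rough strength estimate: length * log2(size of the character pool used).
    This catches short or single-class passwords; dictionary words need the
    common-password check below, which is why both are used."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def password_fingerprint(password: str) -> str:
    """Hash so the report can group identical passwords without listing plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def audit_vault(vault: List[Dict], min_bits: float = 60.0) -> Dict:
    """Return a 0-100 score plus (site, issue) findings for reuse, weakness and missing 2FA."""
    findings: List[Tuple[str, str]] = []
    reuse_counts = Counter(password_fingerprint(r["password"]) for r in vault)
    for record in vault:
        pw = record["password"]
        if reuse_counts[password_fingerprint(pw)] > 1:
            findings.append((record["site"], "reused"))
        if pw in COMMON_PASSWORDS or estimate_entropy_bits(pw) < min_bits:
            findings.append((record["site"], "weak"))
        if not record["two_factor"]:
            findings.append((record["site"], "no_2fa"))
    # One check per practice per record; score is the share of checks that passed.
    checks = 3 * len(vault)
    score = round(100 * (1 - len(findings) / checks)) if checks else 100
    return {"score": score, "findings": findings}


if __name__ == "__main__":
    result = audit_vault(VAULT)
    print("score:", result["score"])
    for site, issue in result["findings"]:
        print(f"  {site}: {issue}")
```

Running it on the constructed vault yields a score of 58 with five findings; fixing the reused password on the two accounts that share it and turning on two-factor authentication where it is off would lift the score in the same way the article describes for the financial institution.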

Additionally, organizations opting for a company-wide password management solution may find that it pays for itself. With Keeper’s solution, the dozens of passwords and login credentials a typical employee has are boiled down to just one. Keeper customers notice a marked reduction in helpdesk calls for password resets, saving measurable IT helpdesk time. Given that Keeper’s comprehensive password solution costs about $30 per employee, that cost can be recouped through these helpdesk savings.

Fast deployment, ease of use

Some organizations choose to manufacture their own password management solution, often an on-premises one. But those solutions lack the flexibility and agility of a true cloud-based offering like Keeper’s. Also, companies like Keeper are constantly updating their offerings to combat the ever-changing threat environment, updates that may not occur when companies opt for a homegrown system.

A business can fully deploy the Keeper company-wide password management system in five to 10 business days, depending upon the local administrator’s availability to do so. Users are then invited to very quickly learn how to use the solution. As an indication of the product’s ease of use, 90% of all employees at organizations that have adopted Keeper are using the solution.

One Keeper customer, Education Advanced, has this to say about the experience of installing Keeper across the entire organization: “We needed no support from Keeper whatsoever because getting the solution up and running was so simple,” says Eli Crow, CEO and company founder. “I really couldn’t imagine it being any easier.” In fact, the solution was so easy to install and use that several employees quickly adopted the Keeper solution for their personal use.

 

Why a Password Manager is a Gadget Lover’s Best Friend


Gadget lovers. We all know one. Perhaps you are one.

People who love gadgets appreciate the freedom their devices give them to access the information and services they want at any time. But gadget lovers often take big risks with security. They may have an assortment of favorite apps that are spread across their phones, tablets, game players, PCs and even watches. Remembering unique passwords for all of them is simply impossible.

Some multi-device aficionados might be tempted to default to using the same password again and again (60 percent of online users do that). Others may opt for the convenience of storing their passwords in a text file or email message.

Both are bad ideas. Sure, fumbling for passwords on a tiny device is inconvenient. But there’s a better approach: a password manager.

A password manager ensures that you have access to everything you need to access any service from any device. A good one provides equivalent functionality across desktop and mobile devices, and supports all the browsers and operating systems the gadget lover will ever use. The beauty of a password manager is that you only need to remember one password to access your entire trove of services (so make sure you choose a strong and unique one!). Log in once and everything else is automatic.

It’s also a great tool for making sure your various digital identities are secure. That’s because a password manager generates unique and secure passwords for every site and app you use. It takes care of remembering them for you and automatically fills in your login credentials when you open the site or app. You literally only need to remember one password.

There’s a secondary benefit many people don’t realize: A password manager protects you from phishing attacks. A favorite tactic of phishing scammers is to trick their victims into clicking on a link that takes them to a webpage that looks legitimate but is actually a false front intended to capture a password or credit card number. A good password manager won’t fill in a form unless the web address is one it recognizes. If the automatic form fill doesn’t work, the page probably isn’t legit. Given that many small devices don’t display URLs – or make them difficult to see – this is an essential mobility feature.
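The “won’t fill in a form unless the web address is one it recognizes” rule is worth seeing in code, because the details are where lookalike pages slip through. The following is an added example of ours, not code from Keeper or any other password manager: it compares the saved login’s origin (scheme, host and port) against the page the user is on, so a page whose address merely contains the real site’s name, uses a different port, or has been downgraded to plain http does not get the credentials. All of the URLs are constructed for the example.

```python
"""Constructed example of a strict autofill decision based on page origin.
Illustrative code, not any product's implementation."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]  # (scheme, lowercase host, port)


def canonical_origin(url: str) -> Optional[Origin]:
    """Reduce a URL to its origin, filling in default ports, or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # .hostname already strips any user@ prefix, so "https://bank.example@evil.example/"
    # resolves to evil.example, which is exactly what we want to compare against.
    return (parts.scheme, parts.hostname.lower(), port)


def should_autofill(stored_url: str, current_url: str, require_https: bool = True) -> bool:
    """Fill only when the current page has the same origin as the saved login.
    Exact host equality (not substring or suffix matching) is what keeps a
    page like bank.example.evil-login.example from receiving the password."""
    stored = canonical_origin(stored_url)
    current = canonical_origin(current_url)
    if stored is None or current is None:
        return False
    if require_https and current[0] != "https":
        return False  # never hand a saved password to an unencrypted page
    return stored == current


if __name__ == "__main__":
    saved = "https://bank.example/login"
    for page in [
        "https://bank.example/account/settings",
        "https://BANK.example/",
        "https://bank.example.evil-login.example/login",
        "https://bank.example@evil.example/login",
        "http://bank.example/login",
        "https://bank.example:8443/login",
    ]:
        print(f"{page:50} -> {'fill' if should_autofill(saved, page) else 'do not fill'}")
```

In real products the comparison is typically done on the browser-reported origin rather than on a string the page supplies, and some allow explicit per-site exceptions (for example, a company with several login hosts). The important property is the same either way: the decision is based on the exact origin, never on whether a familiar name appears somewhere in the address.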

Mobile device lovers should appreciate another compelling virtue of password managers: More than three million phones are lost every year in the US alone. If a phone isn’t secured – and 32% of them aren’t, according to a recent Keeper survey – then anyone who finds it can read any plaintext files that are on it. Passwords stored in text or email messages are sitting ducks.

For all the reasons above, it’s a good idea to gift the gadget geek in your life with a password manager. Look for one that uses strong encryption (we recommend 256-bit AES and PBKDF2, at a minimum), supports biometric authentication and has secure sharing capabilities.
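Since PBKDF2 is named above as a minimum, here is an added illustration of the role it plays: turning the one master password you remember into a 256-bit key, and checking that password on unlock without ever storing it. This is our own example using Python’s standard library, not Keeper’s key-derivation code; the iteration count, the verifier label and the sample password are constructed for the example.

```python
"""Constructed example: master-password key derivation with PBKDF2-HMAC-SHA256.
Illustrative code, not any product's implementation."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed default; real products tune the iteration count to their own cost
# targets and raise it over time as hardware gets faster.
DEFAULT_ITERATIONS = 600_000


def derive_master_key(master_password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key (dklen=32 bytes).
    The per-user random salt means two users with the same password get
    different keys, and an attacker cannot precompute a table for everyone."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def make_verifier(master_key: bytes) -> bytes:
    """A value safe to store for checking the password on unlock. It is derived
    from the key with a fixed label, so the stored verifier is not itself the
    key that protects the vault contents."""
    return hmac.new(master_key, b"vault-verifier-v1", hashlib.sha256).digest()


def enroll(master_password: str, iterations: int = DEFAULT_ITERATIONS) -> Dict:
    """Create the record that gets stored: salt, iteration count and verifier.
    Neither the password nor the key appears in it."""
    salt = os.urandom(16)
    key = derive_master_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": make_verifier(key)}


def unlock(master_password: str, record: Dict) -> Optional[bytes]:
    """Re-derive the key and return it only if the verifier matches.
    compare_digest avoids leaking how many bytes matched via timing."""
    key = derive_master_key(master_password, record["salt"], record["iterations"])
    if not hmac.compare_digest(make_verifier(key), record["verifier"]):
        return None
    return key


if __name__ == "__main__":
    record = enroll("correct horse battery staple")  # constructed sample password
    print("stored record keeps no password:", sorted(record))
    print("right password unlocks:", unlock("correct horse battery staple", record) is not None)
    print("wrong password unlocks:", unlock("correct horse battery stable", record) is not None)
```

The key returned by `unlock` is what would feed the AES-256 vault encryption mentioned above; keeping it only in memory while the vault is open, and discarding it on lock, is what makes a lost phone a nuisance rather than a disclosure.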

Also, consider one that includes secure vaulting capabilities. That’s because sensitive documents and images shouldn’t be stored locally on a mobile device. Storing them on a cloud drive isn’t necessarily any safer, particularly if the owner is logged in automatically. A secure vault not only ensures protection but also enables sharing with other trusted users. And what gadget lover doesn’t appreciate a little peace of mind?