Keeper Customer Profile: Philip Leech-Ngo


Cyber security becomes more important every day as hackers continue to target users for personal information that can be sold for a profit on the dark web. With more than 10 million consumers engaged with Keeper on a daily basis, we thought it would be a good idea to find out a bit more about our customers and share how Keeper helps simplify and protect their digital lives.

Why did you start using Keeper?
I’ve always found Keeper useful, but it really came into its own over the past year or so. I’ve just moved from the UK to Canada. That meant I had to set up a whole host of new accounts and online profiles to go with a new job, new bank, new phone, etc. etc., not to mention all sorts of secure documentation that I needed to keep safe during the transition. Keeper was absolutely brilliant for this. Not only did it keep my info secure, the fact that it is so convenient to use and that it integrates so naturally into my workflow made life a lot easier and less stressful than it could have been. I’m looking forward to seeing how Keeper continues to innovate, improve and adapt over time so that it carries on helping keep my life that little bit simpler… though I’m glad to say that I don’t think I’ll be moving to another country anytime soon!

How many passwords does Keeper store for you?
418

What are two benefits you get from utilizing Keeper?

1. Convenience
2. Security across platforms

Anything else that is noteworthy?

The fingerprint scanner on the phone is brilliant!

Why did you decide to start using a password manager?

About 3-4 years ago. I started with a free version, but Keeper’s reputation and ability to work cross-platform persuaded me to move over.

What kind of files (e.g. passport, credit card numbers, photos, license, etc.) do you store in Keeper’s encrypted vault?

Lots and lots of web-passwords and banking info. I found it very useful for keeping lots of important personal information securely given my recent experience immigrating.

What is one thing you would recommend to a new Keeper user?

Let it integrate organically with your workflow. i.e. use the browser plug-ins etc. to set and keep passwords as you normally would. You will see the benefits very soon without any hassle.

What features would you like to see added to Keeper in future versions?

Integrate with the Mac OS keychain etc. so it can remember things like the Apple password. Also, use the phone to unlock the desktop application, a bit like Google does.

The Critical Elements of an Incident Response Plan for SMBs


If you work at a small or midsize business (SMB), you must presume that your organization will fall victim to a cyber attack. It is imprudent to do otherwise, given that a major study of SMBs last year found that half of all SMBs suffered data breaches involving customer and employee information in the past 12 months.

No doubt your organization has taken steps to detect and deter cybercrimes. But has your organization put in place a detailed, predetermined incident response plan for if/when a serious breach occurs?

The fact is that the responses coming from your organization both during and after an attack are as vital to the SMB as what your IT team does to restore your systems and services. But many organizations today, even big enterprises, lack a formal incident response plan. The potential damage of not having a plan can be as devastating to the organization as the attack itself.

Consider this. Following its discovery of a major breach of 500 million user records in 2014, Yahoo’s response was silence. Not a word. That data was subsequently put up for sale on the dark web. When finally the company had to go public with the breach last September, the damage to its reputation was incalculable.

Execs untrained in crisis management. One reason so many organizations get incident response wrong is that the top-level executives who determine this response are usually untrained when it comes to crisis management. It isn’t often that they have to make potentially game-changing decisions in real time. Instead, their usual method of dealing with a crisis is to gather lots of information from lots of sources; review it all with lots of other people; and eventually respond – in days or weeks or, in some cases, not at all.

That is precisely why preparing a cybercrime incident response plan has to be on the agenda for all organizations, regardless of size. Below are some of the critical elements to consider when building such a plan.

Start by thinking of companies that got incident response right. Those of you old enough to remember will recall the Tylenol scare of 1982 when someone tampered with bottles of the pain reliever, resulting in several deaths. Tylenol’s maker, Johnson & Johnson, acted instantly to remove all Tylenol from store shelves, even though there was no evidence of any manufacturing problems. The company was widely hailed for its instant response, despite potential risks to its reputation.

Put someone in charge, before the fact. When a cybercrime or attack is detected, some predetermined individual needs to be the “point person” in charge of gathering all information on the attack, reporting and updating in plain language to the executive team, and coordinating the overall response. This could be the top IT person or data security chief, depending upon the size of the SMB and its technology staff. This person may or may not be the individual who becomes the public “face” of the company, but this public “face” needs to be determined in advance as part of the incident response plan.

Undertake a risk assessment of your data. There have been major breaches of data that is mostly or largely worthless to cybercriminals, such as data that is carefully encrypted or data of little or no strategic value. Other data, such as customer information and passwords, intellectual property files, or personal health information (PHI) is potentially highly valuable to thieves, and the theft of which can be very damaging to the organization. So when there is a successful breach, a key part of the incident response plan is matching the response to the importance of what has been hacked. This risk assessment needs to be reviewed periodically as new data and files are captured on the SMB’s systems.

Know the laws about breach disclosures. In the 50 U.S. states there are 47 different security breach disclosure laws. If you are located in one state but do business in several others, you must be aware ahead of time of each state’s disclosure laws that determine what you must disclose following discovery of a breach and how soon you need to do so.

Respond quickly and decisively after an attack. Have different parts of your plan for responding to your customers, your suppliers, your lawyers, and even to the greater public and possibly government regulators. Prioritize and properly escalate these different responses. Be certain to disclose new information as you receive it. And of course be ready to show that your SMB has taken steps—beefing up firewalls, network security and password management—to prevent a similar attack in the future.

Having a fully documented incident response plan can be very helpful in the event of litigation following a breach, as such a detailed plan can serve as proof the company was as prepared as it could be for a breach. In addition, insurance underwriters might consider discounts for companies with such a plan for handling an attack. Apart from these considerations, an incident response plan just makes sense given the great likelihood of a successful breach all SMBs face these days.

What the Most Common Passwords of 2016 List Reveals [Research Study]


By Darren Guccione, Co-founder and CEO of Keeper Security

Looking at the list of 2016’s most common passwords, we couldn’t stop shaking our heads. Nearly 17 percent of people are safeguarding their accounts with “123456.” What really perplexed us is that so many website operators are not enforcing password security best practices.

Using external, public data sources we scoured 10 million passwords from data breaches that happened in 2016. A few things jumped out:

  • The list of most-frequently used passwords has changed little over the past few years. That means that user education has limits. While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.
  • Four of the top 10 passwords on the list – and seven of the top 15 – are six characters or shorter. This is stunning in light of the fact that, as we’ve reported, today’s brute-force cracking software and hardware can unscramble those passwords in seconds. Website operators that permit such flimsy protection are either reckless or lazy.
  • The presence of passwords like “1q2w3e4r” and “123qwe” indicates that some users attempt to use unpredictable patterns to secure passwords, but their efforts are weak at best. Dictionary-based password crackers know to look for sequential key variations. At best, it sets them back only a few seconds.
  • Email providers don’t appear to be working all that hard to prevent the use of their services for spam. Security expert Graham Cluley believes that the presence of seemingly random passwords such as “18atcskd2w” and “3rjs1la7qe” on the list indicates that bots use these codes over and over when they set up dummy accounts on public email services for spam and phishing attacks. Email providers could do everyone a favor by flagging this kind of repetition and reporting the guilty parties.

We can criticize all we want about the chronic failure of users to employ strong passwords. After all, it’s in the user’s best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn’t hard to do, but the list makes it clear that many still don’t bother.
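The list above boils down to three weak patterns a site can reject at registration time: passwords that appear on a common-password list, passwords of six characters or fewer, and keyboard walks such as “1q2w3e4r” or “123qwe” that only look random. The following is an added example of a server-side policy check that flags all three; it is not code from Keeper or from the study. The common-password set is a small constructed sample built around the strings quoted in this post, the keyboard rows are a US QWERTY layout, and the 12-character minimum and the 75% run-coverage threshold are this example’s own choices.

```python
"""Password policy check: rejects the weak patterns the 2016 list is full of.

Added example, not code from the original post. Replace COMMON_PASSWORDS
with a full breach-derived list in a real deployment.
"""
from dataclasses import dataclass

# Constructed sample of a common-password list (a few entries quoted in the
# post plus obvious neighbours); a real list has millions of entries.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "password", "123123", "1q2w3e4r", "123qwe", "mynoob", "18atcskd2w",
    "3rjs1la7qe", "7777777", "google", "zxcvbnm", "qwertyuiop",
}

# US QWERTY rows plus the alphabet: contiguous substrings of these (in either
# direction) are the "sequential key variations" crackers try first.
SEQUENCES = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "abcdefghijklmnopqrstuvwxyz",
]


def _is_run(s: str) -> bool:
    """True if s is a contiguous slice of a keyboard row or the alphabet."""
    return any(s in seq or s in seq[::-1] for seq in SEQUENCES)


def _longest_run(p: str, i: int, min_len: int = 3) -> int:
    """Length of the longest run starting at p[i] (0 if shorter than min_len)."""
    best = 0
    for j in range(i + min_len, len(p) + 1):
        if _is_run(p[i:j]):
            best = j - i
        else:
            break  # a superstring of a non-run is never a run
    return best


def _run_coverage(p: str, min_len: int = 3) -> float:
    """Fraction of characters that belong to some keyboard/alphabet run."""
    covered, i = 0, 0
    while i < len(p):
        n = _longest_run(p, i, min_len)
        if n:
            covered += n
            i += n
        else:
            i += 1
    return covered / len(p) if p else 0.0


def keyboard_walk(pw: str, threshold: float = 0.75) -> bool:
    """Detect walks like 'qwerty12' or '123qwe', and interleaved walks like
    '1q2w3e4r', where the even and odd positions are each a row walk."""
    p = pw.lower()
    if len(p) < 3:
        return False
    if _run_coverage(p) >= threshold:
        return True
    if len(p) >= 6:
        return min(_run_coverage(p[0::2]), _run_coverage(p[1::2])) >= threshold
    return False


@dataclass
class Verdict:
    ok: bool
    reasons: list


def check_password(pw: str, min_length: int = 12) -> Verdict:
    """Apply the policy; an empty reasons list means the password is accepted."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    if keyboard_walk(pw):
        reasons.append("keyboard walk or sequential pattern")
    if pw.isdigit():
        reasons.append("digits only")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    return Verdict(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ["123456", "1q2w3e4r", "123qwe", "7777777",
                      "correct horse battery staple"]:
        v = check_password(candidate)
        print(f"{candidate!r:32} {'OK' if v.ok else 'REJECT: ' + '; '.join(v.reasons)}")
```

The interleave test is what catches “1q2w3e4r”: the whole string is not a run, but its even positions (“1234”) and odd positions (“qwer”) both are. The coverage threshold rather than an all-or-nothing test is deliberate, so that a walk padded with a digit or two (“qwerty12”) is still rejected while an ordinary word such as “password” is not mistaken for a walk and is caught by the list instead.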

Here are the results and additional analysis of the study:

[Infographic with the study results and analysis; image not reproduced here.]

Methodology and other notes:

  • This study included 10M passwords across a variety of data breaches that occurred in 2016 (Breaches that were announced in 2016, but actually occurred prior to 2016 were not considered for this study)
  • Outliers (passwords that only appeared in 1 breach) were not considered for this study
  • The password “mynoob” only occurred in two breaches, which were gaming-related sites
  • The speed of a successful brute force attack depends on processing power
  • Keeper is zero-knowledge and has no access to user data (therefore Keeper data was not used in this study)

Security Life Hacks for the New Year


The new year is the time for resolutions, and what better way to enhance your peace of mind than to resolve to improve security? Here are some life hacks – or strategies to manage your life more efficiently – that you can adopt to improve online security, safeguard your home and protect your personal information. All are free or cost only a nominal amount.

Adopt two-factor authentication

If you read this blog regularly, you know about the benefits of using two-factor authentication (2FA). Adding a second layer of protection via a challenge question, hardware device or code sent to your mobile phone improves security by orders of magnitude.

The number of online services that use 2FA is still abysmally low, but it’s growing. The crowdsourced Two Factor Auth list tells you which websites support 2FA and what tools they use. For those that are still stuck on simple password protection, there are links to Facebook, Twitter and email accounts you can use to encourage them to get on the ball. The transportation industry still has a lot of work to do.

See if you’ve been compromised

With online credential theft now nearly an everyday occurrence, you can never afford to be complacent. These four sites help you learn if you’re a victim.

  • Have I Been Pwned? is a database of nearly two billion credentials from more than 165 hacked websites and password files. Plug in your email address and find out if your username and password may be in play. The site won’t fix the problem, but at least you’ll know where you may be vulnerable.
  • BreachAlarm is a similar service that includes a subscription component to notify you immediately if your name shows up on a compromised list.
  • Sucuri is great if you own one or more websites. Plug in the URL and it’ll scan your site for malware and also check you against blacklists.
  • The Internet of Things Scanner checks your internet-connected devices against the Shodan IoT database. If your devices are there, they’re accessible to the public – and to criminals.

Change of habit

  • Do you use public Wi-Fi in a coffee shop or library? If so, there’s a good chance the connection isn’t secure and someone sharing the network can steal your keystrokes. At the very least, make sure you use the “public network” option when connecting, turn off sharing and enable your firewall. Here’s an excellent tutorial on how to stay safe on public Wi-Fi.  
  • What would you do if your wallet and all your credit cards were lost or stolen? It takes hours to track down all those account numbers and call all those customer service numbers. Save yourself the hassle by scanning the front and back of each credit card and emailing the scans to yourself. Use the subject line to identify the credit card and you will never have a problem looking up the account or 800-number.
  • A Redditor suggests that you change the way you think about security challenge questions. It’s so easy these days for attackers to find out information about you that details like your mother’s maiden name or your high school mascot are no longer very effective. Instead, treat them as a second password by adding numbers or gibberish letters that make your answers impossible to guess. Or choose a response that makes no sense as an answer to the question. Was your first pet really named Hong Kong?
  • Create an email address on a public service like Gmail or Hotmail that you use just for filling out forms on sites you never want to hear from again. You can then create an email filter that sends all communication to that address directly to a separate folder or the trash. Or if you really never want to hear from the site again, use 10 Minute Mail to create a temporary, self-destructing email address.
  • Never store credit card numbers on e-commerce sites. The minor convenience you gain is more than offset by the risk of having the customer database hacked.

Protect your privacy

  • When was the last time you reviewed your privacy settings on social networks? Cybercriminals love social profiles because they serve up all kinds of information that can be used to hack online accounts and even tip off burglars when you’re not home. AdjustYourPrivacy.com has links to the privacy pages of most of the major social networks. It also shows you what the world sees when it looks at your public Facebook page. And it has a cool list of search engines that will show you what’s out there about yourself.
  • Here’s a great idea from Reddit for how to find out who’s selling your information. When you fill out a web form, use the name of the website as your first or middle name. That way you’ll immediately know who’s responsible for spam or unwanted promotions.
  • How much do you love tele- and robotic marketers? We thought so. Ban them forever by signing up at Nomorobo. The service keeps a massive list of known telemarketing sources and automatically sends their calls to a voice message telling them to get lost. A single land-line is free.

Physical Security

  • If you’re going away on vacation for two weeks, don’t brag about it in public on Facebook. If you just can’t resist, at least review the post privacy settings to limit visibility to your close friends.
  • While you’re away, make sure your house looks lived in. Have your mail held and lawn mowed. Leave on a couple of lights and a TV or radio. Ask a neighbor to park a car in your driveway. Ex-burglars say that’s one of the most effective deterrents you can use.
  • If you want to really get fancy, trace the outline of a body on a large piece of cardboard. Cut it out and lean it against a chair or window. Close the blinds and it’ll look like you’ve got your own personal security guard.
  • Even if you don’t have a home security system, you should put up signs and stickers saying that you do (you can easily buy them online). You’ll make burglars think twice. Throw in a couple of “Beware of dog” signs while you’re at it.

Have You Been Pwned? Troy Hunt Will Help You Find Out


If you visit Troy Hunt’s website – Have I Been Pwned.com – and read the often-voluminous posts on his blog, you might think he has time for little else. But the sites are just a sideline for Hunt, an Australia-based Microsoft Regional Director and MVP whose primary business is training security professionals.

Have I Been Pwned is a free resource that people can use to find out if they have been put at risk due to a data breach. As of this writing, it includes authentication data from 166 compromised websites and nearly two million accounts. Type in your email address or username and find out if you’ve been a victim (the site stores no passwords).

Hunt launched the site after 153 million Adobe accounts were breached in late 2013. He noticed that the same accounts – and passwords – were showing up across multiple incidents. He began acquiring usernames of accounts that had been compromised so people could easily learn if they’d been victimized.

Have I Been Pwned gets tens of thousands of visitors each week, and Hunt’s mailing list is approaching one million names. He uses the insight he gains from the constant back-and-forth with visitors and contributors to improve his coursework and build his profile as a security expert. It’s working; Hunt has been quoted dozens of times in global media outlets, and his blog is a must-read for people who care about cyber attacks.

We caught up with him via Skype.

This site would appear to require a huge time commitment on your part. How do you fit it in with your day job?

It’s complementary to my main business of security training. Companies tell me their goal is not to end up on the website! The time commitment can be as much as a day each week, but I also get a lot of useful information. Recently, I got 75 notifications of new breaches in one day.

For example, I learned about a big data leak at the Red Cross Blood Service in Australia that was caused when someone inadvertently published information from a database on a public web server. The same week there was another incident with a major international brand having data exposed on a website because of a partner screw-up. This is the type of thing that comes in multiple times a day.

Why do people share this information with you?  

They have all kinds of motivations. I get answers varying from exploiting the company to getting a leg up on a competitor to wanting to sell the data. Very often, no one thinks there’s anything wrong with what they’re doing. I want to tell them that they should go to their room and think about it a bit. They’ve got their hands on deeply personal information and they have no idea what that means.

Where do you get your source material?

It’s almost always someone sending me data. Some people send me dozens of files or a link to a folder with huge amounts of compromised data. Often that data is fake, so I troll through and try to verify it. Other times I get data that’s broadly redistributed – like the Ashley Madison database.

Are you surprised by the reactions from companies that have been breached?

The most positive reaction I’ve seen was from the Australian Red Cross. I got an appreciative call from the CEO. That’s what I like to see: ethical disclosure.

Then there are folks like Nissan, which had a vulnerability in their API that let attackers take control of their vehicles. At first, Nissan didn’t want to hear about it. They only came around reluctantly.

What response do you get from people who use the site to see if they’ve been pwned?

It’s 99.99% positive. I’m careful about what data I expose. You can’t search the Ashley Madison list, for example. I’m also careful not to reveal email addresses or passwords.

What has running the site taught you about the state of password security?

That some woeful practices are the norm rather than the exception. People defer to the lowest common denominator of password strength. There’s a prevalence of the “123” passwords.

Also, surprisingly few companies use multi-step verification, even though it’s a great protection against credential theft.

What is your opinion of the various alternatives to password security?

Nothing is without trade-offs. There’s password-less login via email, but emails can be delayed. QR codes can be used for authentication, but that’s asking people to do something they’re unfamiliar with. Whenever we ask people to learn an entirely new method, it’s a problem.

I love biometrics, picture logins and PINs on Windows 10. All are great, but none of them remove the underlying weakness of the password.

What do you think are the most effective steps organizations can take right now to improve security?

Better training, particularly for software developers. While I obviously have a vested interest in saying that, systems are nearly always compromised by a flaw in a process. If you give developers the knowledge to write secure programs, they’ll use it for the rest of their careers. So why pay a penetration testing company $20,000 if developers are just going to make the same mistakes again?

If you address problems when the software is being written, you get a massive benefit across the lifecycle. We understand how SQL injection and cross-site scripting works, but we still create so much stuff that’s vulnerable. The problem is education.

What has been the most rewarding aspect of running this site?

A big one has been the messages I get from people who say they wouldn’t have known about their exposure without it. I’ve also learned an awful lot about how breaches happen and about scaling a service to tens of thousands of users. One of my objectives has been to run the whole thing for less than what I spend on coffee. Using Microsoft Azure, I’ve been able to build something at scale and do it cost-effectively.

What have been the biggest surprises?

That I’ve never had any legal threats [laughs]. I suppose that’s because I’m transparent. I jump on the phone with anyone who’s concerned. The volume of interest has been a surprise. I now have about 830,000 verified subscribers, and I expect that to be one million by Christmas.

The amount of interest from enterprises and commercial vendors has been surprising, such as security companies wanting to make the API part of a commercial service. I’ve done some of these deals to build leverage.

What has HaveIBeenPwned.com done to your visibility in the security community?

After a large incident, I often get up to a dozen press calls. I get a lot of offers to speak, many of which I have to decline. That said, I’ve had five international trips this year that involved speaking.

How do you manage to blog so prolifically?

I get up very early. I often blog when I have an itch to scratch, such as when I took my iPhone in for service and they wanted me to unlock it so they could work on it. Or it’s something that I just find fascinating. I’ve found that when I write about something, I understand it better. It’s part of my learning experience as well.

2016: What Can We Learn From A Banner Year for Cybercrime


2016 will go down as yet another banner year – unfortunately – for hackers and data thieves globally. This article looks at some of the successful attacks while probing for patterns and trends in cybercrime.

Big target on the IoT: The Dyn DDoS attack. Our blog on cybercrime predictions for 2017 forecasted increasing efforts of hackers exploiting fundamental weaknesses in the fast-growing Internet of Things (IoT) environment. For the first time in a major attack, hackers in the Dyn DDoS attack didn’t go directly at the servers of their target. Instead, they compromised some 100,000 IoT devices possessing weak default passwords, creating an enormous botnet, which then slammed the real target. Some evidence suggests the attackers were just firing a warning shot with this attack, as they could have compromised 500,000 devices just as easily. The obvious lesson here: Use the same password best practices on IoT devices as you would for any other digital device or endpoint. That means changing the default password to a strong, complex password.

Passwords, get your stolen passwords right here! Literally millions of stolen passwords went up for sale on the dark web this year, some of which were stolen in previous years. In May more than 400 million passwords stolen previously from MySpace went up for sale to the highest bidder. What’s more, the same hacker who listed the MySpace passwords put another 100 million passwords up for sale that were previously stolen from LinkedIn. There is every reason to expect that stolen information will increasingly be put up for sale. These incidents highlight the great importance of frequently changing passwords and not reusing the same passwords for various accounts. Warnings to do so are coming from all over the globe. As one major cybercrime study showed in 2016, 63% of successful data breaches involved weak, default or stolen passwords.

Life of the Party: The DNC hack. Considerable questions remain as to exactly who was behind the epic successful attack on the servers belonging to the Democratic National Committee. What is not in question is the damage done to the Democratic Party and to the reputations of a lot of political higher-ups. It is entirely possible the success of this attack and the apparent ease with which it was pulled off will only encourage more such geopolitical cybercrime. In fact, a couple of months after the DNC break-in, the FBI alerted officials in two states that hackers were targeting their election systems. The hackers were into the DNC computers for an entire year before they were discovered. Sophisticated phishing techniques were likely used to pry open the doors. The rest is history.

Simply shocking! Electrical grids in hackers’ crosshairs. As devastating as the attack on the Ukrainian power grid was, it may have been just the canary in the coal mine in terms of what is to come. The simple fact is that power grids around the world are extraordinarily ripe for cyber assaults, such as those in almost all of Southeast Asia, where much of the computerized instrument control infrastructure is extremely vulnerable. The attack in Ukraine was as sophisticated as it was brilliantly planned and executed. But a not-so-sophisticated phishing campaign using infected Word documents was all it took to put the whole mess in motion.

Yahoo times 500 million. The devastating attack on Yahoo happened two years ago, but the extent of the damage and actual revelation of the attack didn’t happen until 2016. It isn’t that Yahoo wasn’t aware that more than 500 million records were compromised in the attack. The company just chose not to tell anyone about it, despite having been for sale for the last year. The important takeaway here is that it is likely governments in general and regulators too are going to double down on requirements of just what must be disclosed when a breach is detected, and when. Shareholders, consumers, suppliers and others feel they need protection when some of their data may have been compromised in a breach. The year ahead may well bring them some much-needed relief in this regard.

Hospitals: Pay up or else. Starting early in 2016 and continuing throughout the year, hackers conducted a series of successful ransomware attacks on hospitals throughout the world. The attacks typically began on a single server but then quickly infected the entire network, eventually affecting multiple systems. Demands at times were modest, as low as $1,600 for system restoration. Hospitals are relatively easy targets, often lacking layered security-centric protocols, according to some experts. Expect regulators to take a hard look at hospital security practices.

Keeper Q&A: An Interview with the Editor-in-Chief of Threatpost


Threatpost breaks with the conventional wisdom that an information service funded by a technology company is inherently biased. The independent news site is owned by Kaspersky Labs, but its reputation as an authoritative, independent source of cyber security news has been endorsed by such leading news outlets as The New York Times, The Wall Street Journal, MSNBC, USA Today and National Public Radio. Hundreds of thousands of security professionals regularly visit Threatpost for the latest breaking news.

Editor-in-Chief Mike Mimoso leads a small team of reporters who collectively turn out a huge volume of information. A veteran journalist with more than a decade of IT security news reporting, he was previously Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine where he won numerous national and regional awards.

In this interview, Mimoso talks about Threatpost’s mission and the changes he’s seeing in the security landscape.

Who’s the target Threatpost reader?

Threatpost’s audience is pretty technical. We reach a lot of white-hat researchers, people working for vendors or independently, who spend their days looking for vulnerabilities in products and hopefully disclosing them so that issues can get fixed in a timely manner. IT and security managers read us, as do an increasing number of people focused on privacy.

What are the most important changes you’ve seen in the cyber security landscape over the last couple of years?

The rapid acceptance and understanding of the need to encrypt data and keep communication between businesses and individuals secure, even secret. The last few years have opened my eyes to the fact that encryption is about far more than keeping Amazon or PayPal or banking transactions safe. A lot of people around the world rely on encryption to communicate in locations where freedom is scarce. It’s encouraging to see how many of them have gravitated toward using encrypted technologies, particularly secure messaging apps.

Would you say we’re gaining or losing the battle against cyber attackers, and why?

I don’t think defenders will ever catch up to those people on the offensive side of security; they’re just in too reactive of a position. Hackers aren’t hamstrung by regulations, laws and oversight. They run freely because the law is woefully behind. International cooperation between law enforcement agencies has improved, but still has a long way to go.

What recent story alarmed you the most and why?

That would have to be the recent distributed denial of service (DDoS) attacks that were carried out using unsecured IoT devices. Who would have thought a DVR or closed-circuit camera connected to the Internet could be used to impact Internet service on the East Coast? But that’s exactly what happened, and I’m not sure how that situation is going to be addressed. Many of these IoT devices are out there with no authentication—or very weak authentication—and it’s child’s play for hackers to use them in this way.

What recent story gave you the most cause for hope?

A year ago, there was a lot of worry about the Wassenaar Arrangement among researchers who look for bugs in products. The rules were about to be implemented in the U.S., and they would severely impact how vulnerability information was shared and whether bugs would get fixed at all. Many “nerdy” researchers stood up and turned into advocates to let people in charge know what a bad idea this was. And it worked. The rules have been up for revisions for months. It’s good to see people stand up and make a positive change.

What makes the computer security field different from other IT disciplines?

It’s such a moving target. Every day there is a new risk – from ransomware to gaping holes in long-standing open source software – and it’s difficult to prioritize investments and manage risk.

From a computer security standpoint, how do organizations most often shoot themselves in the foot?

By failing to keep up with the basics, like keeping operating system and third-party software patches up to date. We write about so many so-called “sophisticated” attacks, but the vast majority of successful hacks are against unpatched software that’s running across platforms.

What’s one big misperception people have about cyber security that you’d like to set straight?

The biggest misconception is that security is a hindrance to business. That attitude is starting to shift, I think, but there are plenty of places where security is a differentiator that actually makes a company more desirable to do business with.

Threatpost is a top source of security news, but you must get your tips and ideas from somewhere. What are your best sources?

Security people have gravitated to Twitter, for better or worse. If you follow the right people on Twitter, you get a pretty accurate feel for what’s happening. There are a few good sub-Reddits that also share decent technical information.

What’s one big story or package of stories of which you’re most proud?

We did a lot of solid reporting earlier this year on the controversy about Apple and the FBI over the dead terrorist’s phone. There were a lot of implications to that story beyond the technical issues of accessing the device that we touched on while a lot of other outlets didn’t. Of late, our coverage of the IoT botnet DDoS attacks was pretty solid too.

The three people on your staff produce an enormous amount of news. How do you keep things straight between you?

We each have our strengths and complement each other well. Threatpost has been around since 2009 and it’s always had great internal support. Kaspersky has been smart enough to hire competent, well-regarded security journalists to keep the quality of content high.

Complete this sentence: I know it’s been a good day when…

We can post three or four well-reported stories that aren’t just a rehash of what’s been reported elsewhere. A lot of traffic helps too ;)

10 Unique Holiday Gifts for the Security Geeks In Your Life

It’s the holiday season, and at Keeper that means our thoughts turn to security. Actually they turn to security every other time of the year, too, but now is when we think about what we could give that’s a little different. If you’re a Keeper customer, you already have password security covered. Here are some items that can enhance your digital and physical well-being in other ways.

1) Silent Pocket Faraday Cage Sleeves – ThinkGeek

Think your credit cards are secure and your phone is safe just because you carry both around in your pocket? Cyber thieves laugh at your confidence. They long ago figured out how to read the magnetic stripes on your credit card while it’s still in your wallet. They can read the new chip-enabled cards now, too, with about $350 worth of electronics.

Many accessories are available to protect yourself, but we chose Silent Pockets because they’re available in a variety of sizes to protect credit cards, mobile devices and tablets from wireless, cellular, GPS, WiFi, Bluetooth, RFID, and NFC hackers. They’re kinda stylish, too. $12.99 – $219.99

2) Identity Theft Guard Stamp – DiscountRubberstamps.com

Shredders are expensive, noisy and messy. Plus, why would you want to shred a whole file of documents just to protect the Social Security number on page 3? These rubber stamps let you blot out sensitive information instead of shredding. They use a specially crafted pattern that makes it impossible to see the information printed underneath. They’re cheap, portable and kinda mesmerizing when you stare too long at the pattern. $12.99

3) SEM Model 0100 “Sledgehammer” Manual Hard Drive Crusher – Mono Machines

Satisfy your inner Hulk and keep your data safe at the same time. The Sledgehammer applies a “staggering 6,000 pounds of force to a conical punch causing catastrophic trauma to the hard drive chassis while destroying the internal platter.” We get the shivers just thinking about it. You can also use the Sledgehammer to remove inner metal hubs and springs on backup tapes prior to feeding them into a tape disintegrator, which is an item we’re definitely putting on our shopping list for next year. $1,038.00

4) Wallet Buckle – WalletBuckle.com

Carrying credit cards in a wallet shoved into your back pocket is both dangerous for your personal privacy and potentially bad for your health (seriously, it’s called Piriformis Syndrome). So two guys used an overfunded Kickstarter campaign to develop this idea, which we think is flat-out brilliant. Seriously, any idiot can lift a wallet out of your back pocket, but stealing from your belt buckle? That involves familiarity. Plus big belt buckles make you look like a bad-ass. The buckles use a tapered design that can hold up to five cards without risk of falling out, the company says. Dozens of designs are available ranging in price from $39.95 to $94.95.

5) Bobby Anti-theft Backpack – XDDesign

The developers of this innovative wearable raised £640,000 on a £20,000 ask, so we figure they’ve gotta be doing something right. And from looking at the feature list, we have to say they are. The design of this backpack cleverly hides the zippers against the wearer’s back, making it impossible for a thief even to find them, much less open them. It features a cut-proof, water-resistant material that also repels stains and spills. Three hidden pockets provide quick access to small items like credit cards and transit passes. Inside, the storage area is designed to accommodate a variety of high-tech gadgets. There’s even an external USB port for charging your smartphone on the go. The company says the design distributes weight optimally to make the backpack feel 20% lighter than conventional backpacks. $95

6) Cryptex USB Flash Drive – Amazon.com

Okay, okay, the last thing the world needs is another flash drive, right? Especially a paltry little 16GB one. But the Cryptex is so cool looking that you might want to shell out the 48 bucks just to show off your inner steampunk. Inspired by Leonardo da Vinci designs, the Cryptex packs a pretty good security punch, too. It comes with a five-digit combination preset to a number that the user can’t change. With its leather strap, it’s a stylish, if somewhat 15th-century, fashion accessory. $47.95

7) Winter-Style Touchscreen Gloves – Brookstone

If you’ve ever tried to use your smartphone or tablet while wearing gloves you know it’s, well, impossible. That’s because touchscreens use capacitive sensing, which requires the use of a conductive input mechanism. Skin is a conductor; wool is not. There are lots of gloves that you can use with your smartphone, but we like the Glider Gloves because of their excellent warmth and stylish look. The fingers are woven with a blend of nylon, acrylic, spandex and copper wire to give you excellent phone performance without the risk of frostbite. The company is based in Toronto, so they should know what they’re doing. $29.99

8) Burglar Blaster – BurglarBlaster.com

The problem with most home alarm systems is that they only tell you that your house is being burglarized after the burglar is inside. This gives you time to hide under the bed while your unwanted guest takes all your jewelry. How about an antitheft system that’s a little more…offensive? That’s the Burglar Blaster. Powered by eight C-cell batteries, it responds to an unwanted intruder by first sounding an alarm and then releasing four ounces of pepper spray at face level. The thief will then either flee the scene retching and screaming or come looking for the jerk who did this to him. Those are the risks you take. $595

9) I’m Here Because You Broke Something t-shirt – ThinkGeek.com

Tech support people are notoriously shy, so here’s a way they can express themselves with the media they favor – cotton. This t-shirt is the perfect holiday gift for the frontline security technician who’s had enough bozos for one week. $7.99

10) The Fortress Luxury Safe – Döttling

Billed as the finest luxury safe in the world, The Fortress carries a VdS/EN V security rating, which is said to be the highest standard offered by Europe’s VdS Schadenverhütung GmbH certification agency. It can be connected to a burglar alarm and comes with $1 million in insurance coverage. Only 10 are made for each security class. It’s controlled by eight watch winders, providing an infinitely adjustable number of rotations. And if that isn’t enough, you can set the direction of the rotation to left, right or oscillating. What really got our attention, though, is the integrated humidor drawer. $128,800

Six Security Experts Offer Cybersecurity Predictions for 2017

With a new year just over the horizon, we asked six security experts for their views and opinions on what events and trends will unfold in 2017 in the cyber security space. These are people that have spent a great deal of time and energy on the front lines of the contemporary threat environment.

1) Cyber attacks and data breaches within small and medium-sized businesses (SMBs) will dramatically increase in 2017. SMBs need to invest in strong security defenses or risk going out of business. A study sponsored by Keeper Security and conducted by the Ponemon Institute titled, “2016 State of Cybersecurity in Small and Medium-Sized Businesses,” found that 55% of SMBs have experienced a cyber attack in the past 12 months.  According to the U.S. National Cyber Security Alliance, 60% of small companies were unable to sustain their businesses more than six months following a cyber attack.  A cyber attack costs a company $4 million, on average. With 71% of all cyber attacks targeting small businesses with fewer than 100 employees, it’s imperative that SMBs strengthen their defenses or risk going out of business.

-Darren Guccione is the CEO at Keeper Security, the leading secure password manager and digital vault for businesses and individuals.

2) The death of passwords will once again be greatly exaggerated. I have always been fascinated by predictions of the year ahead and of the future. So my only prediction is that everyone who predicts the death of passwords next year will be wrong again, just like the past 10-15 years or so! One tip I have for next year is to write password policies that you can actually enforce and which are auditable. Otherwise, they are useless if a breach happens and you need to defend what you have in place. You cannot do that if you cannot audit it.

-Per Thorsheim is one of the world’s leading password consultants and founder of the PasswordCon twice-annual conference.

3) IoT has a big target on its back – watch for highly targeted attacks. As shown clearly by the big Dyn attack, the Internet of Things will fast become a major security concern in the year ahead. Many of these interconnected devices come with poor security, and attacks on them will result in new loss scenarios. The big loss issue of course is privacy. But with the IoT and all its home devices, medical devices, even home appliances, the different loss scenarios will include bodily injury and property damage. Liability lawyers will go after everyone associated with these breaches. This will include the manufacturer, and possibly even the person who is using the IoT device. Router makers could face exposure they never imagined.

The chief concerns regarding cybersecurity in the past several years have centered on privacy and ID theft. Going forward there will be greater probabilities of targeted attacks around network interruption and specific company systems because everything is so greatly interconnected. Think of a targeted attack on a key element of a global supply chain in a just-in-time manufacturing scenario, where all links in the supply chain are highly interdependent on one another. These attacks will be motivated by those seeking ransomware, as well as those just seeking to do a lot of damage – possibly working for competitors. We could see more environmentalist groups attacking oil and gas operations, possibly even the electrical grid. Imagine an animal rights group hacking into a commercial farming operation, compromising the security system, and turning all the pigs loose.

-Steve Bridges is SVP at the Cyber/E&O Practice at JLT, the world’s largest specialty insurance broker with a specific focus on cyber errors and omissions management liability.

4) Exploiting workers via social engineering through their personal social media accounts at work. Social media seems harmless enough especially when your employees stick to using it for personal reasons. But it can indirectly be responsible for critical security breaches. With some social engineering and patience, an attacker can use personal social media profile information to gain access to your corporate network. The attack is completely outside of your control and uses a combination of social engineering and phishing techniques. It is fairly easy, as this blog shows.

The best advice is to educate users on the dangers of social media and phishing emails. You can install software on your email servers that checks attachments for malicious content. And some email administrators simply block all executable attachments.

-Terry Kurzynski is a security consultant at Halock, a U.S.-based information security consultancy.

5) We’ll see FIDO come front and center. The Fast IDentity Online Alliance (FIDO) is a non-profit organization formed four years ago to address the lack of interoperability among strong authentication devices as well as password problems users face. In 2017 we’ll see the beginning of the FIDO impact. This will include protocol improvements, as well as support across multiple platforms and devices.  And this accordingly will challenge enterprises, governments, and end-users to explain why they aren’t adopting FIDO authentication or similar technology to replace or modify failing access controls.

-John Fontana is an Identity Evangelist at Yubico, the creator of the YubiKey, a small USB and NFC hardware two-factor authentication device.

6) Is a full-scale cyberwar looming? My primary prediction for 2017 is that skirmishes like the infamous hack of the Democratic National Committee will gradually escalate into an overt, international incident. While the term cyberwar is thrown around a lot, we’re seeing all the major signs and lead-ins to what will be the first major cyber clash between two or more world powers.

-Ben Caudill is founder and CEO of Seattle-based Rhino Security Labs, where he still does penetration testing as well as application security assessments.

Keeper Q&A: Password Tips with PasswordsCon Founder, Per Thorsheim

Per Thorsheim, 45, has a self-described “insane” interest in passwords. As one of the world’s foremost security consultants focused solely on passwords, Thorsheim is the founder of PasswordsCon, the respected academic conference where international password security experts gather twice per year in Las Vegas and Europe. He spoke with us from his home in Bergen, Norway.

What ignited this enthusiasm and passion you have for password technology?

In 2001 I was working for PwC doing penetration testing on an office of a Fortune 100 company. We gained building access by wearing black suits and saying we were auditors. By 8:30 a.m. we got into the company system via a simple RJ45 Ethernet wall port. We quickly identified a list of all user account names in their entire domain and began trying to gain access to their accounts with two dummy passwords: the company name and ‘password’. One user of the ‘password’ password was a member of domain administration root in their Windows domain. Just like that, we had access to the entire company, a Fortune 100 company no less. That haunted me. The rest with me is history.

With everything we know about the dangers of poor password practices, why is there so much bad password ‘hygiene’ today?

It really is not difficult to get to a secure level of password practice, but there are real challenges getting there. Several years ago I was helping my mother, a retired nurse, with a computer problem on her work laptop. She told me her password and I was shocked as it was one of the easiest to hack. I asked her why she uses it and she said, “Because our system and the IT people at work accept it.” That is, it met their minimum standards. So when people blame end users for bad password practices, that is just wrong for the most part. Organizations need to look at their own policies and rules.

So end users do what is easiest for them?

Of course. They want to get their job done, right? Imagine if they have to change passwords every month and create multiple passwords that no one could possibly remember. Research in Sweden and Norway puts the number of passwords needed to access all different systems for people over 18 years old at 20-25 passwords! So password practices come down to a matter of usability. If it gets in the way of people getting their work done, of course they will default to the easiest practices available.

Such as using the same password for multiple systems?

Yes, but don’t necessarily believe all the statistics and research you read about that. I have done both anecdotal and online research into this matter. What I found is that users often think they are using the same password, say Wednesday1, but in fact use a variant to get into different systems, such as wednesday1 or WeDnEsDaY1.

Would you say it is wrong to use the same password across multiple systems?

No, not necessarily. I do it. But, I have also undertaken a risk analysis, which is really important for individuals and businesses to do. For example I have several systems here at home in Bergen. They are not interconnected and can only be hacked if someone actually comes to my house and takes them. However I know what is on them, and it isn’t worth taking, like a Linux test system I use. So you need to apply some intelligent risk analysis before you go off crying wolf about all passwords needing to be impossibly long and complicated and unique. That is stupidity and paranoia. On the other hand, with your passwords you have to pay close attention to any compliance or regulations that mandate certain password policies. Some of the things these regulations make you do might seem crazy and over the top. But if you go to court because you haven’t complied, that craziness is irrelevant. All that matters is that you didn’t do what you were told.

Do you have general recommendations or a ‘wish list’ for password best practices?

Many organizations have different password policies for different systems, with different password length requirements, different password change timeframes, and so on. I see no logical reason for this in most cases. Usability takes a hit as productivity drops and users make call after call to the helpdesk for password support. Implement one password policy across all systems and you’ll get a large productivity gain. Again, it isn’t the end users that are the problem here. It’s bad internal policies. The helpdesk is not the security department. To avoid repeated calls from users who forgot passwords, what will the helpdesk do? They’ll give them easy-to-remember passwords that happen to comply with the policy! Easy to remember means easy to hack.

Anything else?

Write policies that you can actually enforce and which are auditable. Otherwise, they are useless if a breach happens and you need to defend what you have in place. You cannot do that if you cannot audit it. So you have a policy that says ‘don’t use the same password on multiple systems.’ Great. But can you enforce that? Can you measure its effectiveness? No!** Think things through. Planning and common sense will go a long way.

**Footnote from Keeper: Keeper Business provides auditing capabilities to see which employees are using the same password across multiple systems.
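A worked example of the two points above, auditability of a no-reuse policy and the case-variant reuse (Wednesday1, wednesday1, WeDnEsDaY1) described earlier in the interview. This is added here and is not Keeper's or Thorsheim's code; it assumes the audit runs client-side where a vault has its records in plaintext, and the records, system names and key are constructed.

```python
"""Audit a password-manager export for reuse across systems, including
case-variant reuse, and turn the result into a number a policy owner can
actually audit. Added example; not Keeper's code. Assumes the auditor runs
client-side, where a vault has the plaintext records."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample vault records: (system, username, password).
SAMPLE_RECORDS = [
    ("mail", "per", "Wednesday1"),
    ("vpn", "per", "wednesday1"),
    ("hr-portal", "per", "WeDnEsDaY1"),
    ("bank", "per", "Wednesday1"),
    ("linux-test", "per", "correct horse battery staple"),
    ("wiki", "per", "Tr0ub4dor&3"),
]

# Constructed per-run secret: the report carries keyed fingerprints, never
# the passwords themselves. Rotate it per audit and do not persist it.
AUDIT_KEY = b"constructed-audit-key-rotate-per-run"


def fingerprint(secret: str, key: bytes = AUDIT_KEY) -> str:
    """Keyed, truncated fingerprint used only to group identical values
    within one audit run; without the key nothing can be recovered from it."""
    return hmac.new(key, secret.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def audit_reuse(records):
    """Return (exact, variant): dicts mapping a fingerprint to the systems
    that share the password.

    exact   groups byte-identical passwords;
    variant groups passwords that match after case-folding, which catches the
            "I use the same password" variants that exact matching misses.
    Only groups spanning two or more systems are reported.
    """
    exact = defaultdict(list)
    variant = defaultdict(list)
    for system, _user, password in records:
        exact[fingerprint(password)].append(system)
        variant[fingerprint(password.casefold())].append(system)
    return (
        {fp: systems for fp, systems in exact.items() if len(systems) > 1},
        {fp: systems for fp, systems in variant.items() if len(systems) > 1},
    )


def reuse_rate(records, case_insensitive=True):
    """Auditable metric for a 'no reuse across systems' policy: the share of
    records whose password is shared with at least one other record."""
    if not records:
        return 0.0
    exact, variant = audit_reuse(records)
    groups = variant if case_insensitive else exact
    shared = sum(len(systems) for systems in groups.values())
    return shared / len(records)


if __name__ == "__main__":
    exact, variant = audit_reuse(SAMPLE_RECORDS)
    print("exact reuse:  ", list(exact.values()))    # [['mail', 'bank']]
    print("variant reuse:", list(variant.values()))  # [['mail', 'vpn', 'hr-portal', 'bank']]
    print(f"reuse rate (case-insensitive): {reuse_rate(SAMPLE_RECORDS):.0%}")  # 67%
```

Note that exact matching alone reports 2 of 6 records as reused while case-folded matching reports 4 of 6, which is the gap between what users say and what they do.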