10 Unique Holiday Gifts for the Security Geeks In Your Life


It’s the holiday season, and at Keeper that means our thoughts turn to security. Actually they turn to security every other time of the year, too, but now is when we think about what we could give that’s a little different. If you’re a Keeper customer, you already have password security covered. Here are some items that can enhance your digital and physical well-being in other ways.

1) Silent Pocket Faraday Cage Sleeves – ThinkGeek


Think your credit cards are secure and your phone is safe just because you carry both around in your pocket? Cyber thieves laugh at your confidence. They long ago figured out how to read the magnetic stripes on your credit card while it’s still in your wallet. They can read the new chip-enabled cards now, too, with about $350 worth of electronics.

Many accessories are available to protect yourself, but we chose Silent Pockets because they’re available in a variety of sizes to protect credit cards, mobile devices and tablets from wireless, cellular, GPS, WiFi, Bluetooth, RFID, and NFC hackers. They’re kinda stylish, too. $12.99 – $219.99


2) Identity Theft Guard Stamp – DiscountRubberstamps.com


Shredders are expensive, noisy and messy. Plus, why would you want to shred a whole file of documents just to protect the Social Security number on page 3? These rubber stamps let you blot out sensitive information instead of shredding. They use a specially crafted pattern that makes it impossible to see the information printed underneath. They’re cheap, portable and kinda mesmerizing when you stare too long at the pattern. $12.99


3) SEM Model 0100 “Sledgehammer” Manual Hard Drive Crusher – Mono Machines


Satisfy your inner Hulk and keep your data safe at the same time. The Sledgehammer applies a “staggering 6,000 pounds of force to a conical punch causing catastrophic trauma to the hard drive chassis while destroying the internal platter.” We get the shivers just thinking about it. You can also use the Sledgehammer to remove inner metal hubs and springs on backup tapes prior to feeding them into a tape disintegrator, which is an item we’re definitely putting on our shopping list for next year. $1,038.00


4) Wallet Buckle – WalletBuckle.com


Carrying credit cards in a wallet shoved into your back pocket is both dangerous for your personal privacy and potentially bad for your health (seriously, it’s called Piriformis Syndrome). So two guys used an overfunded Kickstarter campaign to develop this idea, which we think is flat-out brilliant. Seriously, any idiot can lift a wallet out of your back pocket, but stealing from your belt buckle? That involves familiarity. Plus big belt buckles make you look like a bad-ass. The buckles use a tapered design that can hold up to five cards without risk of falling out, the company says. Dozens of designs are available ranging in price from $39.95 to $94.95.


5) Bobby Anti-theft Backpack – XDDesign


The developers of this innovative wearable raised £640,000 on a £20,000 ask, so we figure they’ve gotta be doing something right. And from looking at the feature list, we have to say they are. The design of this backpack cleverly hides the zippers against the wearer’s back, making it impossible for a thief even to find them, much less open them. It features a cut-proof, water-resistant material that also repels stains and spills. Three hidden pockets provide quick access to small items like credit cards and transit passes. Inside, the storage area is designed to accommodate a variety of high-tech gadgets. There’s even an external USB port for charging your smartphone on the go. The company says the design distributes weight optimally to make the backpack feel 20% lighter than conventional backpacks. $95


6) Cryptex USB Flash Drive – Amazon.com


Okay, okay, the last thing the world needs is another flash drive, right? Especially a paltry little 16GB one. But the Cryptex is so cool looking that you might want to shell out the 48 bucks just to show off your inner steampunk. Inspired by Leonardo da Vinci designs, the Cryptex packs a pretty good security punch, too. It comes with a five-digit combination preset to a number that the user can’t change. With its leather strap, it’s a stylish, if somewhat 15th-century, fashion accessory. $47.95


7) Winter-Style Touchscreen Gloves – Brookstone


If you’ve ever tried to use your smartphone or tablet while wearing gloves you know it’s, well, impossible. That’s because touchscreens use capacitive sensing, which requires a conductive input mechanism. Skin is a conductor; wool is not. There are lots of gloves that you can use with your smartphone, but we like the Glider Gloves because of their excellent warmth and stylish look. The fingers are woven with a blend of nylon, acrylic, spandex and copper wire to give you excellent phone performance without the risk of frostbite. The company is based in Toronto, so they should know what they’re doing. $29.99


8) Burglar Blaster – BurglarBlaster.com


The problem with most home alarm systems is that they only tell you that your house is being burglarized after the burglar is inside. This gives you time to hide under the bed while your unwanted guest takes all your jewelry. How about an antitheft system that’s a little more…offensive? That’s the Burglar Blaster. Powered by eight C-cell batteries, it responds to an unwanted intruder by first sounding an alarm and then releasing four ounces of pepper spray at face level. The thief will then either flee the scene retching and screaming or come looking for the jerk who did this to him. Those are the risks you take. $595


9) I’m Here Because You Broke Something t-shirt – ThinkGeek.com


Tech support people are notoriously shy, so here’s a way they can express themselves with the media they favor – cotton. This t-shirt is the perfect holiday gift for the frontline security technician who’s had enough bozos for one week. $7.99


10) The Fortress Luxury Safe – Döttling


Billed as the finest luxury safe in the world, The Fortress carries a VdS/EN V security rating, which is said to be the highest standard offered by Europe’s VdS Schadenverhütung GmbH certification agency. It can be connected to a burglar alarm and comes with $1 million in insurance coverage. Only 10 are made for each security class. It’s controlled by eight watch winders, providing an infinitely adjustable number of rotations. And if that isn’t enough, you can set the direction of the rotation to left, right or oscillating. What really got our attention, though, is the integrated humidor drawer. $128,800

Six Security Experts Offer Cybersecurity Predictions for 2017


With a new year just over the horizon, we asked six security experts for their views and opinions on what events and trends will unfold in 2017 in the cyber security space. These are people who have spent a great deal of time and energy on the front lines of the contemporary threat environment.


1) Cyber attacks and data breaches within small and medium-sized businesses (SMBs) will dramatically increase in 2017. SMBs need to invest in strong security defenses or risk going out of business. A study sponsored by Keeper Security and conducted by the Ponemon Institute titled, “2016 State of Cybersecurity in Small and Medium-Sized Businesses,” found that 55% of SMBs have experienced a cyber attack in the past 12 months. According to the U.S. National Cyber Security Alliance, 60% of small companies were unable to sustain their businesses more than six months following a cyber attack. A cyber attack costs a company $4 million, on average. With 71% of all cyber attacks targeting small businesses with fewer than 100 employees, it’s imperative that SMBs strengthen their defenses or risk going out of business.

-Darren Guccione is the CEO at Keeper Security, the leading secure password manager and digital vault for businesses and individuals.


2) The death of passwords will once again be greatly exaggerated. I have always been fascinated by predictions of the year ahead and of the future. So my only prediction is that everyone who predicts the death of passwords next year will be wrong again, just like the past 10-15 years or so! One tip I have for next year is to write password policies that you can actually enforce and which are auditable. Otherwise, they are useless if a breach happens and you need to defend what you have in place. You cannot do that if you cannot audit it.

-Per Thorsheim is one of the world’s leading password consultants and founder of the PasswordCon twice-annual conference.


3) IoT has a big target on its back – watch for highly targeted attacks. As shown clearly by the big Dyn attack, the Internet of Things will fast become a major security concern in the year ahead. Many of these interconnected devices come with poor security, and attacks on them will result in new loss scenarios. The big loss issue of course is privacy. But with the IoT and all its home devices, medical devices, even home appliances, the different loss scenarios will include bodily injury and property damage. Liability lawyers will go after everyone associated with these breaches. This will include the manufacturer, and possibly even the person who is using the IoT device. Router makers could face exposure they never imagined.

The chief concerns regarding cybersecurity in the past several years have centered on privacy and ID theft. Going forward there will be greater probabilities of targeted attacks around network interruption and specific company systems because everything is so greatly interconnected. Think of a targeted attack on a key element of a global supply chain in a just-in-time manufacturing scenario, where all links in the supply chain are highly interdependent on one another. These attacks will be motivated by those seeking ransomware, as well as those just seeking to do a lot of damage – possibly working for competitors. We could see more environmentalist groups attacking oil and gas operations, possibly even the electrical grid. Imagine an animal rights group hacking into a commercial farming operation, compromising the security system, and turning all the pigs loose.

-Steve Bridges is SVP at the Cyber/E&O Practice at JLT, the world’s largest specialty insurance broker with a specific focus on cyber errors and omissions management liability.


4) Exploiting workers via social engineering through their personal social media accounts at work. Social media seems harmless enough especially when your employees stick to using it for personal reasons. But it can indirectly be responsible for critical security breaches. With some social engineering and patience, an attacker can use personal social media profile information to gain access to your corporate network. The attack is completely outside of your control and uses a combination of social engineering and phishing techniques. It is fairly easy, as this blog shows.

The best advice is to educate users on the dangers of social media and phishing emails. You can install software on your email servers that checks attachments for malicious content. And some email administrators simply block all executable attachments.

-Terry Kurzynski is a security consultant at Halock, a U.S.-based information security consultancy.


5) We’ll see FIDO come front and center. The Fast IDentity Online Alliance (FIDO) is a non-profit organization formed four years ago to address the lack of interoperability among strong authentication devices as well as password problems users face. In 2017 we’ll see the beginning of the FIDO impact. This will include protocol improvements, as well as support across multiple platforms and devices. And this accordingly will challenge enterprises, governments, and end-users to explain why they aren’t adopting FIDO authentication or similar technology to replace or modify failing access controls.

-John Fontana is an Identity Evangelist at Yubico, the creator of the YubiKey, a small USB and NFC hardware two-factor authentication device.


6) Is a full-scale cyberwar looming? My primary prediction for 2017 is the escalation of skirmishes like the infamous hack of the Democratic National Committee to gradually escalate to an overt, international incident. While the term cyberwar is thrown around a lot, we’re seeing all the major signs and lead-ins to what will be the first major cyber clash between two or more world powers.

-Ben Caudill is founder and CEO of Seattle-based Rhino Security Labs, where he still does penetration testing as well as application security assessments.

Keeper Q&A: Password Tips with PasswordsCon Founder, Per Thorsheim


Per Thorsheim, 45, has a self-described “insane” interest in passwords. As one of the world’s foremost security consultants focused solely on passwords, Thorsheim is the founder of PasswordsCon, the respected academic conference where international password security experts gather twice per year in Las Vegas and Europe. He spoke with us from his home in Bergen, Norway.

What ignited this enthusiasm and passion you have for password technology?

In 2001 I was working for PwC doing penetration testing on an office of a Fortune 100 company. We gained building access by wearing black suits and saying we were auditors. By 8:30 a.m. we got into the company system via a simple RJ45 Ethernet wall port. We quickly identified a list of all user account names in their entire domain and began trying to gain access to their accounts with two dummy passwords: the company name and ‘password’. One user of the ‘password’ password was a member of domain administration root in their Windows domain. Just like that, we had access to the entire company, a Fortune 100 company no less. That haunted me. The rest with me is history.

With everything we know about the dangers of poor password practices, why is there so much bad password ‘hygiene’ today?

It really is not difficult to get to a secure level of password practice, but there are real challenges getting there. Several years ago I was helping my mother, a retired nurse, with a computer problem on her work laptop. She told me her password and I was shocked as it was one of the easiest to hack. I asked her why she uses it and she said, “Because our system and the IT people at work accept it.” That is, it met their minimum standards. So when people blame end users for bad password practices, that is just wrong for the most part. Organizations need to look at their own policies and rules.

So end users do what is easiest for them?

Of course. They want to get their job done, right? Imagine if they have to change passwords every month and create multiple passwords that no one could possibly remember. Research in Sweden and Norway puts the number of passwords needed to access all different systems for people over 18 years old at 20-25 passwords! So password practices come down to a matter of usability. If it gets in the way of people getting their work done, of course they will default to the easiest practices available.

Such as using the same password for multiple systems?

Yes, but don’t necessarily believe all the statistics and research you read about that. I have done both anecdotal and online research into this matter. What I found is that users often think they are using the same password, say Wednesday1. But in fact they use a variant to get into different systems, such as wednesday1 or WeDnEsDaY1.

Would you say it is wrong to use the same password across multiple systems?

No, not necessarily. I do it. But, I have also undertaken a risk analysis, which is really important for individuals and businesses to do. For example I have several systems here at home in Bergen. They are not interconnected and can only be hacked if someone actually comes to my house and takes them. However I know what is on them, and it isn’t worth taking, like a Linux test system I use. So you need to apply some intelligent risk analysis before you go off crying wolf about all passwords needing to be impossibly long and complicated and unique. That is stupidity and paranoia. On the other hand, with your passwords you have to pay close attention to any compliance or regulations that mandate certain password policies. Some of the things these regulations make you do might seem crazy and over the top. But if you go to court because you haven’t complied, that craziness is irrelevant. All that matters is that you didn’t do what you were told.

Do you have general recommendations or a ‘wish list’ for password best practices?

Many organizations have different password policies for different systems, with different password length requirements, different password change timeframes, and so on. I see no logical reason for this in most cases. Usability takes a hit as productivity drops and users make call after call to the helpdesk for password support. Implement one password policy across all systems and you’ll get a large productivity gain. Again, it isn’t the end users that are the problem here. It’s bad internal policies. The helpdesk is not the security department. To avoid repeated calls from users who forgot passwords, what will the helpdesk do? They’ll give them easy-to-remember passwords that happen to comply with the policy! Easy to remember means easy to hack.

Anything else?

Write policies that you can actually enforce and which are auditable. Otherwise, they are useless if a breach happens and you need to defend what you have in place. You cannot do that if you cannot audit it. So you have a policy that says “don’t use the same password on multiple systems.” Great. But can you enforce that? Can you measure its effectiveness? No!** Think things through. Planning and common sense will go a long way.

**Footnote from Keeper: Keeper Business provides auditing capabilities to see which employees are using the same password across multiple systems.

4 Things Senior Execs Must Do To Evangelize Password Security


What do the words and advice of a former, highly successful CEO of IBM have in common with sound password management? The answer is surprising.

Lou Gerstner, who propelled IBM to nearly 10 years of non-stop growth and prosperity, has a poignant message for top executives at all companies. When it comes to establishing corporate culture, look at what your actions tell your employees.

As Gerstner says, “People do not do what you expect, but what you inspect.” In other words, senior execs have to walk the walk and talk the talk to get others to follow.

That is certainly the case when it comes to password management. One high-level security consultant tells a story of a recent engagement with a company on which he performed a security audit. The audit uncovered several major security flaws, including poor password management. The consultant was to present the findings to the senior staff, not one day after its CEO had delivered a presentation at a local security conference. All senior staff were present – except for the CEO, who gave no reason for his absence.

“So what’s the message here to the rest of the company execs?” the consultant asks. “It wasn’t a message you’d want the rest of the employees to embrace regarding security!”

Brian Sprang is CIO at Quest Federal Credit Union, where employees have registered a 97% adoption rate for their comprehensive password management solution. Speaking of Quest’s senior managers, Sprang says, “They are proponents of the use of good password security and the tools we’ve provided. All of our executives have been vocal in the use of the tool and understand the vital importance of password security to our daily duties to protect our assets and member personally identifiable financial information.”

So just what should be the role of the top executives with respect to password management? It should be something like this.

Be the chief torchbearer of the message that password security is not an IT problem.

A broad belief that IT will ‘take care of all security’ flies in the face of overwhelming evidence that people, not technology, are the front line of defense against cyber attacks. Whether it is through memos, live at company meetings, via Webcasting or other means, top executives must articulate that password security is the responsibility of each individual. That is the kind of message that conveys both responsibility as well as accountability.

Actively practice what you preach.

As a senior executive, demonstrate your ‘street cred’ when it comes to password security by articulating the steps you have taken to ensure your password isn’t compromised. The simpler the message the better, because password management today isn’t complicated. Let it be known you don’t use the same password for multiple accounts, and that you leverage a password management solution to routinely change passwords.

Stress the value of continuing education about password protection.

As with all cyber security measures, executives should personally issue calls to action encouraging continuing education and training about password security. While these sessions can be led by IT, they don’t have to be. In fact, a training Webcast led by the senior executive can be very effective in elevating employee awareness of the need for password protection. As Sprang notes of the efforts of Quest’s executive team to continuously promote better password management, “I’ve relayed the reports and findings to staff members in my training documents and all staff meeting notes and highlighted the issues regarding weak password and poor password security habits.”

Arm yourself with statistics and knowledge of the cyber security environment.

These training sessions above are great places to talk about recent cyber attacks and their corresponding negative impact on the organization. Most individuals read about the headlines of major attacks against mega-organizations. But with the help of research, such as this excellent report specifically about the cyber security challenge in the SMB, crime statistics and the impact of cybercrime become a lot more personal. As you will see, this unique report details that passwords are widely held to be an essential piece of the security puzzle. But at the same time, the report shows that 60% of SMB employees use the same password for everything! Snippets such as these doled out by senior executives can be very compelling. At Quest, Sprang says, “I have stressed the use of unique, non-repeating, highly randomized, and maximum length passwords as vital to our security and our member data security.”

If cyber security is mission critical – and it is – then creating a culture of information security is among the most important roles executives can fulfill. And there is no substitute for leading by clear, unambiguous example.

Keeper Q&A: What You Can Learn From Michael Pound’s Scary Password-Cracking Video


Dr. Michael Pound’s current research focuses on image analysis for phenotyping crops, but you don’t have to be an expert in agriculture – or even computer science – to be frightened by this Computerphile video in which Pound demonstrates a deep-learning server called Beast at the University of Nottingham. Beast uses four parallel graphics processing units to test 10 billion hashes per second in a brute-force password crack using the hashcat password recovery utility.

In the first 15 minutes, Dr. Pound cracks nearly 30 percent of the entries in a 6,000-password list. He then uses a dictionary attack to reveal nearly half of the passwords in another file. And a computer like Beast costs about as much to build as a standard business server.

We contacted Dr. Pound, who is a computer science researcher and professor at the University of Nottingham, to get his insights on password vulnerability and what security administrators can do to better shore up their defenses. He was generous with his advice.

How did you get interested in this topic in the first place? It seems somewhat tangential to your principal areas of focus.

Like many computer scientists, I find security inherently interesting. In this case, I was asked to teach the core security module at the university, which meant I had to thoroughly explore the area first. I’m continuing to teach this course, so I continue to keep up with modern security concerns as much as possible.

What are the most important messages you hope viewers will take away from the video?

My hope is that people who have assumed that an attack won’t happen to them might take some notice after seeing just how easy password cracking is. I’m not necessarily an expert in password cracking tools, and yet I was able to break half of the passwords in the file within a few minutes. This tells us something about the kind of passwords people use, and about how much work we need to do to educate people on this issue.

The machine you used is powerful, but hardly supercomputer capacity. How much faster could password cracking computers theoretically be?

The only limit is your finances. I think a small cluster of computers could operate perhaps 10 times faster than our server. Then nine characters may no longer be enough. Luckily for us, it’s unlikely that the criminals would bother with this kind of expenditure. There are so many ways to crack passwords even with slow machines that their time is better spent with the most vulnerable passwords, rather than trying to crack that last 25%.

Having looked at thousands of passwords in your research, what do you see as some of the most common mistakes people make?

People make the same mistakes over and over. Aside from the obvious ones, like using your own name or common words, the ways people usually attempt to make a password more secure often offer little improvement. If they add a number, it’s usually a couple of digits at the end. Or they perform a common substitution, like replacing “I” with “1.” The same is true of symbols. Common substitutions like “@” for “a” and “$” for “s” are easily broken, yet people do that because it’s easy to remember.

You called the Rockyou list a “game-changer.” Why do you believe that’s the case?

Prior to Rockyou, attackers had intuition about the kinds of passwords people used, but still had to generate the lists themselves. Usually they’d use common dictionary words with a few rules applied. Rockyou’s list had millions of actual passwords, which can be adapted into millions more through rules changes. The number of possible password guesses that can be generated from this list is massive, and as some of the Rockyou passwords are complex, they lead to the cracking of previously “unbreakable” passwords.

The Yahoo hack is reported to have encompassed nearly half a billion passwords. Do you anticipate any fallout when that list makes it onto the Dark Web?

That would be very worrying. Rockyou may prove to have been more of an incremental change, but a half billion new passwords will allow hackers to break almost anything that doesn’t follow strict security guidelines about length and derivation. The onus will be on users to secure passwords better than ever, and on organizations to apply the best hashing algorithms.

You were pointed in your remarks about the weaknesses of the MD5 hash algorithm. What do you believe is an alternative that provides a baseline of good security?

Most modern hashing algorithms produce hashes of sufficient length to avoid naturally occurring collisions. However, as we saw in the video, we’re not waiting for these collisions to happen naturally; rather, we’re making educated guesses. An important aspect of a modern hashing function is the speed at which we can use it. PBKDF2 will perform multiple rounds of hashing using a hash function like SHA-256, so as long as the number of rounds is high enough, cracking becomes much more impractical. Other algorithms, like bcrypt, are specifically designed to be a pain to exploit on the GPU, slowing them further. The best advice I can give is to pick a hash function of suitable length and difficulty, then repeat it as many times as possible.

What do you believe is the current minimum safe length for a secure password made up of random characters? Given what you know about the rate of advance in computer technology, what do you think the minimum safe length will be five years from now?

If your password is completely random, and includes symbols, nine characters is probably a safe position to start. Dictionary attacks aren’t effective against random passwords. A brute-force attack might get lucky at nine characters, but it’s not likely. Luckily for us, the difficulty of brute-forcing a password increases exponentially, so while nine characters might be feasible to crack in five years, 10 definitely won’t be. The vast majority of my random passwords are 12 and 16 characters long, and I use a password manager to make sure I keep track of them.

Why are dictionary cracks more effective than brute force cracks?

Since people often don’t use truly random passwords, dictionary attacks can be brutally effective. While a brute-force attack becomes challenging at eight characters – and impossible at 10 – no such restriction affects dictionary attacks. If your password comprises smaller parts, each of which happens to appear in the dictionary, it could be cracked even at 20 characters or more. As always, avoiding common words and digit combinations can help a lot here.
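The slow-hash advice and the brute-force arithmetic from the last few answers, as an added example that is not code from the interview, Keeper or hashcat: a salted, iterated PBKDF2-HMAC-SHA256 password store written against Python's standard library, with a constant-time verifier, a measurement of how much one iterated guess costs relative to a bare SHA-256 guess, and the time-to-exhaust estimate behind the nine-versus-ten-character remarks. The iteration count, the record format and the 95-symbol printable-ASCII alphabet are assumptions; the 10 billion guesses per second figure is the one quoted for Beast above.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters (not from the interview): an iteration count chosen so one
# verification costs roughly 0.1 s on a typical server, a 16-byte random salt and
# a 32-byte derived key. Raise ITERATIONS as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16
DKLEN = 32
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated hash and encode it as a self-describing record.

    Record layout (a constructed format, not a standard):
        pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
    Storing the salt and iteration count beside the hash lets old records still
    verify after the policy is raised, and a per-user salt means a precomputed
    table of hashes is useless against the whole database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time so timing does not reveal how many bytes matched."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:          # malformed record: wrong field count or bad hex
        return False
    if iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def guess_rate_ratio(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure how much slower one PBKDF2 guess is than one bare SHA-256 guess.

    The ratio is roughly the iteration count: that is the factor by which an
    attacker's guesses-per-second figure shrinks when the defender iterates.
    """
    salt = b"constructed-salt"
    password = b"Wednesday1"    # sample password quoted earlier on this page
    t0 = time.perf_counter()
    for _ in range(samples * 1000):
        hashlib.sha256(salt + password).digest()
    per_plain = (time.perf_counter() - t0) / (samples * 1000)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    per_pbkdf2 = (time.perf_counter() - t0) / samples
    return per_pbkdf2 / per_plain


def brute_force_seconds(length: int, alphabet: int,
                        guesses_per_second: float) -> float:
    """Worst-case time to exhaust every password of exactly `length` characters
    drawn from an alphabet of `alphabet` symbols at the given guess rate.

    Beast is quoted above at 10 billion bare hashes per second; if the stored
    hash is iterated N times, pass guesses_per_second / N instead.
    """
    return (alphabet ** length) / guesses_per_second


if __name__ == "__main__":
    rec = hash_password("Wednesday1")
    print(rec)
    print("correct password verifies:", verify_password("Wednesday1", rec))
    print("case variant verifies:", verify_password("wednesday1", rec))
    print(f"one PBKDF2 guess ~ {guess_rate_ratio():,.0f} x one SHA-256 guess")
    for n in (8, 9, 10, 12):
        years = brute_force_seconds(n, 95, 1e10) / (365 * 24 * 3600)
        print(f"{n} random printable-ASCII chars at 1e10 guesses/s: "
              f"{years:,.1f} years")
```

Each extra character multiplies the exhaustive-search time by the alphabet size, and each iteration of the hash divides the attacker's guess rate by about the same factor; the two levers are independent, which is why the answer above recommends both.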

It’s been said that quantum computers will be able to crack 512-bit encryption algorithms in seconds. Once those machines are commercially available, will passwords even be viable anymore?

Luckily for us, and perhaps counter-intuitively, many hashing algorithms can stand up to quantum attacks. Quantum computers aren’t simply computers that run very fast; they have a unique architecture. While they are capable of quickly solving problems like integer factorization, which lies at the heart of RSA encryption, they can’t cycle through bcrypt hashes much faster than a modern machine can.

This is good news, but your system is only as secure as its weakest link. If your key exchange and encryption algorithms are compromised, then the security of your password in transit is lost. Researchers are focusing their efforts on “post-quantum” cryptography, in an attempt to move towards algorithms that resist this new technology.

Any other advice for security administrators?

I would advise administrators to begin moving away from the old security models that force users into large character sets and frequent password changes. A better approach is to educate users in the use of random and unique passwords, and provide them with access to password management software to help them. If a company enforced the use of password management software for all employees, I’d guess that we’d find the instances of weak and forgotten passwords would decrease significantly.

Keeper Customer Profile: Mike Maddaloni


PDF version here.

Cyber security becomes more important every day as hackers continue to target users for personal information that can be sold for a profit on the dark web. With more than 10 million consumers engaged with Keeper on a daily basis, we thought it would be a good idea to find out a bit more about our customers and share how Keeper helps simplify and protect their digital lives.


What kind of files (e.g. passport, credit card numbers, photos, license, etc.) do you store in Keeper’s encrypted vault?

Well, I don’t want to divulge specifically everything, but I started by keeping copies of non-vital cards, store affinity card and my AAA card, and now I do have copies of some vital documents I need to reference on a regular basis. I admit that at first when Keeper started offering file storage I was not immediately drawn to it, but now I rely on it on an almost daily basis.

Why did you decide to deploy a password manager?

Like everyone, you have unique logins and passwords for online services. I had this for my own personal use, plus all of my clients for my web consulting business. Using password-protected spreadsheets can only get you so far, plus you don’t have the ability to have ready access to them whenever and wherever you need them. So, needless to say, I am using Keeper almost every day that I am using a computer.

When did you start using Keeper?

Over 5 years – I looked and found an encrypted backup going back that far! I first started using it for my former Web consulting business, and eventually transitioned it to my own personal use.

How many passwords does Keeper store for you?

674 (as of June 14, 2016)

What is one thing you would recommend to a new Keeper user?

Although Keeper has the ability to bulk-upload information, I manually copied and pasted everything from my spreadsheets. That ensured I was moving over actual information I would be using. As I became more reliant on Keeper, it was an added incentive to get everything I had, in multiple files, in one place. This is also a good method to follow if you are not sure whether you need Keeper or not.

What are two benefits you get from utilizing Keeper?

1. Cross-platform access, as well as synchronization of information and files.
2. Outstanding reliability – I can’t recall a time over the five years that Keeper didn’t work, which speaks a lot for its engineering.

What features would you like to see added to Keeper in future versions?

I would like to see some additional ways to view information, such as in a grid, almost like in a spreadsheet view. As well, I would like the iPhone app to be able to choose what mobile browser I would like to open a link to.

You can follow Mike on Twitter @thehotiron.

7 Tips for Keeping Kids Safe Online for #CyberAware Month


For National #CyberAware month, we are offering 50% off the Keeper Family Plan with code “NSCAM”.


Today’s youth are often called “digital natives” because they are so comfortable with living online. But much as we may admire their proficiency with their devices, we shouldn’t forget that security is probably not top of mind for them.

Innocent young minds don’t grasp the concept of identity theft or understand the consequences of a ransomware attack. In recognition of National Cyber Security Awareness Month, here are some things you can do to keep them – and your entire family – safe.

1) Keep family computers in an open area. This allows you to monitor what’s on the screen and to check back on activity later. In particular, keep an eye on chat sessions, which is where predators lurk.

2) Be sure security software is installed and updated. At the very least, you need anti-malware and anti-spyware packages. A password manager is also a good idea for creating and saving passwords that can’t easily be compromised by hackers.

3) Give children their own accounts on shared computers. This enables you to limit the software they can access and to define unique controls on each account. Make those accounts standard (non-administrator) accounts so that a mistake in one account can’t install software for every user of the machine.

4) Don’t permit kids to download and install software without your oversight. Free software downloads are a primary vector for spreading spyware.

5) Use parental controls in web browsers. These enable you to block unsafe sites, disable potentially malicious scripts and review browsing history to see what your kids have been doing when you weren’t watching. Here is a good guide to implementing parental controls in major browsers.

6) Have a talk. Remind kids of a few basic protections. Never click on unknown links. Never open unexpected email attachments. Never respond to chat messages from people they don’t know. Never “friend” strangers. Don’t bully others, and alert parents if they suspect they are the targets of a bully.

7) Have logins to kids’ social accounts such as Facebook, Snapchat and anywhere else private conversations go on. This not only enables you to keep an eye on what they’re doing but also to spot malicious activity by others that’s directed at them.

For additional protection you can install activity monitoring software that keeps detailed records of everything that happens on your computer. Examples include Cyber Patrol, Cybersitter, Net Nanny and SpyAgent. But if you follow the advice above, you probably don’t need additional protection.

Above all, stress to your children that your monitoring and cautionary steps are for their protection. Even if they don’t understand the risks that are out there online, they know that you have their best interests in mind.

Q&A with Benjamin Caudill: Five Most Vital Cybersecurity Considerations for the SMB


Benjamin Caudill – a veteran penetration tester – has broken into organizations, large and small, just about everywhere. In doing so, he has exposed security vulnerabilities and numerous pathways for hackers to do their worst to unsuspecting businesses.

Caudill, who was dubbed a ‘deadly force that could easily penetrate and exploit a firm’s most private files’, was always on the right side of the law – a good guy whose hacking is intended to strengthen cyber defenses. Today he is also founder and CEO of Seattle-based Rhino Security Labs, where he still does penetration testing as well as application security assessments.

We recently asked Caudill to list the most vital cybersecurity considerations for the SMB, based on his extensive hands-on experience. Here is what he said.

Ignore the basics – at great risk. With security, certainly in the SMB, probably 80% of the attacks and threats can be mitigated by 20% of the protections that should be in place. These aren’t the sexy ones either. They are the basics, like password control, patch management, defining policies, educating all employees about being cautious about opening emails they can’t identify, and not making your WiFi public. These basics are usually inexpensive, even free at times. Attending to basic security principles will make it very hard for the every-day hacker. Many of the successful attacks we have analyzed result from one or more of these basics simply not being followed or in place. Don’t be overwhelmed as an SMB when you read about the really big guys getting breached. They have their own problems. For the SMB, basics can and do make a big difference.

Attackers follow a path of least resistance. If you leave a door open at home, it’s not like it takes a lot of sophistication to break in. Attackers are very opportunistic. Valid email addresses, a company website, and seemingly common things can be used for malicious purposes like hosting illicit content or sending spam emails. I see it very commonly, from start-ups to big companies, that the sense is ‘well, we aren’t a hospital or credit card company, and therefore who’d want to hack into us?’ In the huge Home Depot breach a couple of years ago, one famous quote attributed to company managers when employees asked for advanced security training was, “We sell hammers.” But what was stolen was data on 56 million credit cards. That mentality is seen in all sorts of companies, certainly in SMBs.

Security goes beyond the technology. In reality, technology is a minority of what the overall cybersecurity focus should be. People, process and culture are what matter most. We worked with a large start-up whose culture was very open in every sense. Our penetration testing showed they were just Swiss cheese when it came to information security. They pretty much had all the technology in place. But you could walk in off the street and just about stroll into the data center. There was no badging, no questioning of people. Technology was not the problem. It was their culture as it pertained to security. Do you, in the SMB, know which people, based on their specific roles, should have access to which data? We see that many if not most security problems are people or process problems. Employees must understand why security is mission-critical, and also understand their specific role in promoting it. That kind of message has to come from the top.

Know your data. We see situations where all data is protected equally, and that is not right. If you don’t know the value of your data and what is most valuable, you won’t protect it properly. As the saying goes, if you protect your toothbrushes like you protect diamonds, you are going to lose a lot more diamonds! Also, you must know where your data is going. Are you sharing credit card information with an overseas partner? Do you know what their security protocols are? What governing body is in charge should something go very wrong with that data? There is an important data sensitivity and criticality process that needs to be followed, and all too often we see this acknowledged only after a major breach.

Don’t go it alone. We typically rely on specialists for everything from building houses to doing our taxes. Doing security alone is risky. Yes, the IT department can take care of firewalls and some intrusion prevention measures. But for total cybersecurity the SMB needs third-party specialists. They have the resources, people and experience to analyze and advise. Look for a partner that really puts two-way communication at the forefront of your relationship. Don’t worry about vertical market expertise, which is maybe 5% of the security equation. And talk to your peers to see whom they like.

Password Management Is Much More Than an IT Problem


Two years ago the CIO at Quest Credit Union had no problem extending responsibility for password management beyond just the IT department. That’s because C-suite executives were already using a password management solution for personal use. Thus getting the organization aligned with an enterprise password management solution was almost automatically a shared responsibility.

There are many compelling reasons why small and mid-sized businesses (SMBs) absolutely must make password management an organization-wide effort, not just an issue delegated to IT. Unfortunately, in many SMBs today this responsibility is left entirely with IT. By doing so, these organizations run the greater risk of failing to build a risk-aware culture across the organization – an effort aimed at ensuring every employee knows exactly why cybersecurity is mission-critical today.

The landmark Ponemon Institute report, State of Cybersecurity in SMBs, which polled some 600 SMBs, found that 71% of respondents rate password protection and management as important. Surprisingly, in 60% of these businesses IT has no visibility into employee password practices. In SMBs that do have password policies, 65% do not strictly enforce them.

Could the reason be that IT alone does not have the weight or influence to affect password policy enforcement?

A recent report from PwC piles on even further. In its Global Economic Crime Survey 2016, PwC says that all too often non-IT executives are more than willing to pass the buck to IT when it comes to cybersecurity in general, of which password management is a key element.

This is wrong, PwC maintains, adding that responsibility for all aspects of cybersecurity “must be embedded within an organization’s culture.” Non-IT executives must “incorporate cybersecurity into their routine risk assessments and communicate the plan up, down and across organizational lines,” PwC states.

Juliet Maina, an attorney who frequently writes on cybersecurity and the law, suggests that non-IT executives may put their organizations at risk if they cannot show a concerted effort to involve themselves in cybersecurity strategy, including password management. “Cybersecurity is and needs to be acknowledged as an executive level concern,” she notes. “As the leader of a company, one ought to be aware of the defense strategies that are in place, and ensure that holistic approaches are taken towards ensuring security and the protection of investments. This top-down approach is crucial for success.”

With password management being a key element of an overall cybersecurity strategy, what can be done in practical terms to begin to shift the responsibility for such strategies to a broader coalition of C-suite managers? As it turns out, IT can take the lead in this important, company-wide effort.

Educate, don’t scare. Many C-level executives shun cybersecurity involvement and responsibility because they don’t fully comprehend the supreme value of data in their own organizations – and therefore the dangers of a breach or attack. It’s easy to see why matters like data compliance and regulation might not interest them. Your job as the IT leader is to put those matters in proper context. Non-compliance, breaches and attacks have very real and very costly consequences. The PwC report shows that only 37% of organizations have a management-backed cyber incident response plan in place. Now is the time to distinguish your SMB from the majority of companies where senior management is a silent partner in password management and cybersecurity.

Cybersecurity is mostly about people. Ask most C-level SMB executives if their companies are protected and they’ll likely answer, “Sure. We got firewalls and antivirus stuff.” As the IT leader you know the reality is that it is human error, or deliberate acts by employees, that are at the root of cybersecurity challenges. Getting senior management firmly behind a comprehensive password management strategy is one of the fastest ways of reaching virtually every single employee with a powerful, unified message that cybersecurity is everyone’s responsibility. When senior management endorses and funds such a password management strategy, every worker becomes responsible and accountable for cybersecurity.

Cybersecurity is not a one-off. It is one thing to get senior management involved in a password management and general cybersecurity strategy, and another to keep them involved. That’s why part of the education of the C-suite is the message that security is an ongoing, evolving endeavor that needs regular review meetings. These are best led by IT leaders, who are well suited to put changes to the threat environment in concrete business terms. It is this periodic engagement with senior management that can ensure password management and cybersecurity is never again considered ‘just an IT problem.’

20 Fascinating Facts about Passwords


1) These five user passwords accounted for 3.2 million of the 130 million accounts that were stolen in the Adobe hack of 2013: “123456,” “123456789,” “password,” “adobe123” and “12345678.” Source

2) An analysis of 11 million stolen passwords for cloud services conducted by Skyhigh Networks found that just 20 passwords constitute 10.3% of all passwords in use.

3) The minimum password length experts now recommend to avoid being compromised by brute-force cracking is 13.

4) In 2012, a password-cracking expert unveiled a five-server cluster powered by 25 graphics cards that could cycle through 350 billion NTLM password guesses per second. At that rate it could try every possible eight-character Windows password in less than six hours. At the time this was written there was no public record of anyone having built a faster machine.

5) About 40% of organizations store privileged and administrative passwords in a Word document or spreadsheet.

6) It would take a typical brute-force password cracking program 12 years, four months and 16 days to unscramble the random eight-character password “z7S69s@9.” Source

7) The same password would have taken a cracker built with 1990 technology 6,495 years.

8) In 2020 it’ll take about 9 years, six months and 18 days.

9) Experts believe a quantum computer will be able to do it in less than five seconds.

10) When people are asked to include a number in a password, the majority simply add a “1” or a “2” at the end.

11) Two-thirds of people use no more than two passwords for all their online accounts. Source

12) The top 10 most-used password list has barely changed in the last five years.

13) Experts say a great technique for creating a secure password is to use the first letter of each word in a phrase (esagtfcaspitutfloewiap). Mixing in a single random symbol (!*$@) dramatically improves security.

14) Thirty percent of phishing emails get opened. Source

15) Nine out of 10 phishing emails carried ransomware in March 2016. Source

16) Many experts now believe that frequent password changes actually worsen computer security because people tend to choose minor variations of their current passwords so they’ll be easier to remember.

17) A list of the 10,000 most frequently used passwords is freely available online. If any of yours are on it, your account will be compromised in seconds by any of the most common dictionary-based cracking tools.

18) Retail was the most-targeted industry for phishing attacks in the first quarter of 2016, by more than a two-to-one margin over any other industry. Source

19) An eight-character password using only lower-case (or only upper-case) letters has about 209 billion (26^8) possible combinations. Source

20) An eight-character password using a mix of upper- and lower-case letters has about 53 trillion (52^8) possible combinations. Source
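The keyspace and cracking-time facts above are all instances of one calculation: alphabet size raised to the password length, divided by a guess rate. The block below is an added example written for this article, not code from the original post or from any source it cites. It reproduces facts 4, 19 and 20 exactly, backs out the guess rate that fact 6 silently assumes, and shows how the recommended length depends on the hash being attacked. The 350 billion/s rate is the figure quoted in fact 4; `SLOW_HASH_PER_GPU` is an assumed order of magnitude for a deliberately slow hash such as bcrypt, and the Grover figure is the textbook square-root bound for unstructured search, not a prediction about any real quantum machine.

```python
"""Brute-force arithmetic behind the password facts above.

Added example; not code from the original article or its sources. Keyspace
sizes are exact. GPU_CLUSTER_2012 is the rate quoted in fact 4; the slow-hash
rate is an assumption; grover_queries() is the theoretical sqrt(N) bound.
"""
import math

# Alphabet sizes.
LOWER = 26                 # a-z
MIXED_CASE = 52            # a-z plus A-Z
ALNUM_MIXED = 62           # plus 0-9
PRINTABLE_ASCII = 95       # every printable ASCII character, space included

SECONDS_PER_YEAR = 365.25 * 24 * 3600

GPU_CLUSTER_2012 = 350e9   # guesses/s against fast unsalted hashes (fact 4)
SLOW_HASH_PER_GPU = 20e3   # assumption: one GPU against a bcrypt-class hash


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried. Expected time is half of this."""
    return space / guesses_per_second


def implied_guess_rate(space: int, seconds: float) -> float:
    """Back out the guess rate a quoted worst-case cracking time assumes."""
    return space / seconds


def grover_queries(space: int) -> int:
    """Oracle queries for Grover's search over `space` candidates: floor(sqrt(N))."""
    return math.isqrt(space)


def length_for_target(alphabet_size: int, guesses_per_second: float,
                      target_seconds: float) -> int:
    """Smallest length whose full keyspace takes at least target_seconds to exhaust."""
    length = 1
    while seconds_to_exhaust(keyspace(alphabet_size, length),
                             guesses_per_second) < target_seconds:
        length += 1
    return length


def human_duration(seconds: float) -> str:
    """Round a duration to the unit most useful in a policy discussion."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    print("facts 19/20:", keyspace(LOWER, 8), keyspace(MIXED_CASE, 8))
    full_8 = keyspace(PRINTABLE_ASCII, 8)
    print("fact 4, 95^8 at 350e9/s:",
          human_duration(seconds_to_exhaust(full_8, GPU_CLUSTER_2012)))
    # Fact 6 quotes "12 years, four months and 16 days" for an 8-char mixed password.
    quoted = (12 + 4 / 12 + 16 / 365.25) * SECONDS_PER_YEAR
    print(f"fact 6 assumes about {implied_guess_rate(full_8, quoted):.2e} guesses/s")
    print("same keyspace under Grover:", grover_queries(full_8), "queries")
    for label, rate in [("fast hash, 2012 cluster", GPU_CLUSTER_2012),
                        ("slow hash, one GPU", SLOW_HASH_PER_GPU)]:
        need = length_for_target(PRINTABLE_ASCII, rate, 100 * SECONDS_PER_YEAR)
        print(f"{label}: length {need} needed for a 100-year exhaustive search")
```

The instructive result is the fact 6 figure: 95^8 candidates in roughly 12.4 years works out to about 17 million guesses per second, some 20,000 times slower than the NTLM cluster in fact 4. The "12 years" and "six hours" facts are therefore not in conflict; they describe the same keyspace against a slow hash and a fast one. Which hash protects the account is the variable an administrator controls, which is why the slow-hash row needs far fewer characters to reach the same safety margin.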