How to Keep your Smart Phone Safe and Personal


George Orwell’s 1949 classic 1984 painted a dark picture of a dystopian society in which a malevolent government monitors everything its citizens say and do through a ubiquitous network of “telescreens.” What was science fiction in Orwell’s day is reality now, thanks to technology that billions of people carry around in their pockets.

Smartphones are capable of all the scary surveillance scenarios Orwell envisioned, and many more. With their built-in GPS receivers, cameras, microphones and connectivity to a world of cloud services, they are the best snooping devices ever invented. Knowing the scope of the threat they can pose can help you protect yourself.

Mobile devices weren’t considered a major threat vector until recently because criminals could make more money breaching credit card and health care databases. But with the street price of those records plummeting, criminals are turning more of their attention to attacking individuals. The explosion of ransomware attacks in 2016 is evidence of that.

While there have been few reported incidents of cyber attacks on individual smartphones so far, the threat is real. The issue gained prominence recently with the news that President Donald Trump was using an old, consumer-grade Android phone during his first week in the White House. Wired noted that a single click on a malicious link could have caused the phone to be “infected with malware that spies on the network the device is connected to, logs keystrokes, takes over the camera and microphone for surreptitious recording, and more.”

Andrew Hoog, CEO of NowSecure, a mobile security company, has been demonstrating for the past three years simple ways to compromise a phone and download contacts, intercept and respond to text messages, activate the camera and microphone and track the device’s whereabouts to within a few feet, all without the owner’s knowledge.

“We always tell customers to assume that your mobile platform is exploitable,” Hoog noted in a webinar. He said iOS and Android are equally vulnerable.

Hacking phones still isn’t all that difficult. The BBC last year challenged two cyber security experts to rig up code that let them activate the microphone on a compromised Android phone and automatically transcribe overheard conversations. They met the challenge in less than two days.

Google and Apple have acted quickly to catch many of the most obvious vulnerabilities, but they can’t stop risky user behavior or third-party applications. NowSecure’s 2016 Mobile Security Report found that nearly one quarter of mobile apps it audited include at least one high-risk security flaw and 35% of communications sent by mobile devices are unencrypted, meaning that they can be intercepted by an intruder.

Phones present a variety of unique vulnerabilities that aren’t common to laptop or desktop computers, and new features create new tripwires. Last year a team of researchers figured out a way to embed garbled voice commands in YouTube videos that could command the phone to perform certain risky actions, such as downloading malware. With voice-enabled virtual assistants now ubiquitous, this is another scary new vulnerability point.

This video shows in frightening detail how simple it is for an attacker with root access to an Android device to use Metasploit, a popular penetration testing framework, to take full control of the phone’s functions, including sending text messages, capturing photos and initiating chat sessions. All in less than two minutes.

So is it time to ditch the phone, go off the grid and move to a cabin in Montana? Don’t panic yet. The cyber underworld hasn’t seemed very interested in exploiting these opportunities, at least not yet. But that could be changing. Ransomware attacks targeting Android phones grew 50% in 2016, according to ESET. There are some basic steps you can take to foil all but the most determined attackers.

Enable a screen lock. This seems like a basic practice, but a recent survey of 1,000 mobile device users by Keeper Security found that 32% don’t password-protect their phones at all. Failing to take this basic step with a device that is easily pilfered from a pocket or purse is as bad as going on vacation and leaving your front door standing open. Use a strong passcode rather than a short numeric PIN, and add a fingerprint for convenient unlocking; the biometric supplements the passcode, it does not replace it.

Don’t install applications from untrusted sources. This is particularly important for Android users, since the protection against sideloading can be turned off with a single “Unknown sources” switch. Limit downloads to the official app stores or to organizations that you know and trust.

Check permissions before installing an app. Some ask for a ludicrously high level of access compared to the functionality they provide. Should a flashlight app really need your contacts, your location or your microphone? Think before you permit.

Don’t click links in texts unless you know the sender. Smartphones are uniquely vulnerable to phishing attacks because a sender can deliver a link by texting the victim’s phone number, bypassing the spam filtering that email gets. Attackers may pretend to be trusted sources, such as your bank or pharmacy. If you aren’t certain of the source, don’t click the link.

Use encrypted messaging services for private conversations. There are several free applications available for both iOS and Android that let you and those close to you send and receive messages protected by end-to-end encryption, so that not even the service operator can read them. If your conversations may involve sensitive personal information, install one of these apps and ask your friends to do the same.

Don’t conduct sensitive transactions over an open Wi-Fi network. Whoever runs or shares the hotspot can observe any traffic that isn’t encrypted or steer you to a look-alike site, and you can’t tell from the coffee shop how well a given app protects its connection. Use public Wi-Fi for general browsing and save banking and payments for your mobile data connection or a VPN.

Don’t use public charging stations. The same USB cable that carries power also carries data, so once you plug your phone into an untrusted port, whoever controls it may be able to pull files, install malware and monitor your keystrokes. A recently discovered threat called “video jacking” even lets them peek at your phone’s display and record everything you tap, type or view. You can avoid this risk by investing $30 in your own portable charging device.

Don’t make your Bluetooth connection discoverable. Leaving a phone in discoverable mode invites “bluesnarfing,” in which an attacker probes the device over Bluetooth to pull data such as contacts, messages and calendar entries without your permission. Turn discoverability off when you aren’t actively pairing a new accessory.

Orwell envisioned 24X7 surveillance as something to be imposed from the top down. He probably never envisioned that we would make ourselves vulnerable to intrusion so willingly. That would have been too strange even for science fiction.

Keeper Mobile Survey Finds Security Awareness is High, but Use of Security Apps is Lagging


Users approach security on their smartphones much as they do on their desktop computers. This can be a problem, given the unique vulnerability of a smartphone – the small computer that fits in your pocket. Today, nearly 2.3 billion people use a smartphone.

Keeper conducted a detailed survey of 1,000 smartphone users to determine how they protect their devices and sensitive data. Our findings indicated that password reuse across different applications is frequent, average password strength for mobile applications and websites is low and that most users rarely changed passwords. Additionally, survey respondents rated their overall “trust” in the security of mobile carriers as being low.

Here are the highlights of the survey in an infographic.

The good news is that the risky practice of sharing passwords with others – a bad idea regardless of the platform – is relatively rare. Nearly 64% of respondents said they never share passwords, and another 29% said they share them with no more than two people.

We were also surprised to find that the practice of resetting passwords is quite common. More than 80% of respondents said they have reset a password at least once within the last 60 days. A reset limits how long a stolen credential stays useful, and it is the right move as soon as a breach or a suspicious login is reported; resets on a fixed schedule, by contrast, tend to produce predictable variations of the old password.

But the practice may be driven more by necessity than by security awareness. We were surprised to find that 52% of respondents said they store passwords by remembering them. While that tactic is neither reliable nor secure, it’s better than writing passwords down on paper, a practice employed by a sizable 23% of our survey-takers.

When they forget a password, more than three-quarters of mobile users told us they can usually access their account in four or fewer attempts. Ten percent reset their password every time they log on, an awkward but effective practice.

Use of social login – signing in to one service with a Facebook, Google or other social account, a flow built on the OAuth authorization protocol – is common. More than three-quarters of the users we surveyed use it on at least one service, and 45% use it on three or more. While social login is convenient, each grant can hand personally identifiable information from your social profile to the third-party application, so read what you are approving.

Technology is there to help, but many people don’t use it. We were surprised to find that 55% of smartphone owners have never downloaded protective software. Of the 45% who have, more than half have used an antivirus or anti-malware solution.

Reuse of the same password across multiple applications is quite common, with nearly 84% of users telling us that they access at least two different applications or websites with the same credentials. We commend the 16% who said they never engage in this practice. On the other hand, the 24% who reuse passwords across a whopping five or more applications are playing with fire. We’re also concerned about the 32% of respondents who said they don’t password-protect their phones at all. This is particularly risky behavior because hackers can turn compromised phones into listening devices or use them to track the location of the phone’s owner via the integrated GPS.

People are generally aware that they’re responsible for protecting their own information. A 46% plurality said their mobile device is the least secure device they use, followed by computers at 41% and tablets at distant third at 17%. By that logic, you would expect that people would regard tablets as their most secure devices. But that honor falls to computers, which 52% regard as their most secure device. Strangely, tablets came in a distant third here as well, at 15%.

Bottom line: Mobile devices require just as much security vigilance as desktops. Our survey indicates that people know that, but they’re not taking advantage of the mobile tools that can give them peace of mind.

Limited Time Offer: Get 50% Off Keeper Unlimited as Part of the iTunes App Store Promotion


Apple has selected Keeper for a 50% off worldwide promo, on all of its app stores in all countries.

Plans covered include Keeper Unlimited and the Keeper Family Plan. Here’s how to take advantage of the promotion:

Step 1: Download Keeper on the iTunes App Store

Step 2: Upgrade via iTunes for 50% off

Hurry – this 50% off worldwide offer with Apple expires on March 4th at 6 pm PST. 

Keeper is Not Affected by Cloudflare Issue


This week it was revealed that Cloudflare, a content delivery network and reverse proxy that fronts a large share of the web, was affected by a memory-disclosure bug that leaked fragments of its servers’ memory, including data from other customers’ HTTPS sessions, into pages it served. While the bug at first glance may seem relatively small, affecting an estimated 0.00003% of all requests to the Cloudflare service, this still represents a large amount of data considering that Cloudflare serves traffic for over 5.5% of all websites.

To make matters worse, some of this data had been leaking for months, and some of it was cached by Google, Yahoo, Bing and other search engines. The impact on Cloudflare’s customers and users could stretch on for months or years as more leaked data is discovered by cybersecurity researchers and hackers alike.

Keeper does not utilize Cloudflare or any other distributed content delivery network for the delivery of encrypted user data and, therefore, was not impacted by the Cloudflare vulnerability. Keeper is a zero-knowledge security provider – the keys to decrypt your data are always derived on the end-user device from the master password and are never transmitted over the internet. This helps ensure that, even in the event of a data leak occurring in the transport layer, your data will remain secure.
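As an added illustration of the pattern described above (example code written for this page, not Keeper’s own implementation): the master password is stretched with PBKDF2 on the client, split into separate encryption, integrity and login keys, and only the login key plus ciphertext is ever handed to the server. HMAC-SHA256 in counter mode stands in for AES-GCM because the Python standard library ships no AES; the iteration count and the key-derivation labels are assumptions.

```python
"""Client-side key derivation and vault encryption (zero-knowledge pattern).

Added example, not Keeper's code. The server sees a salt, a login key and
ciphertext; the key that decrypts the vault never leaves the device.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to the client hardware
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes,
                iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Stretch the master password, then split it into independent keys.

    Only auth_key is sent to the server (a real service stores a further hash
    of it). HMAC is one-way, so auth_key cannot be turned back into root,
    enc_key or mac_key.
    """
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)
    return {
        "enc_key": hmac.new(root, b"vault-encryption", hashlib.sha256).digest(),
        "mac_key": hmac.new(root, b"vault-integrity", hashlib.sha256).digest(),
        "auth_key": hmac.new(root, b"server-login", hashlib.sha256).digest(),
    }


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_vault(keys: dict, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce. Output: nonce||ct||tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(keys["enc_key"], nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(keys["mac_key"], nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(keys: dict, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = (blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN],
                              blob[-TAG_LEN:])
    expected = hmac.new(keys["mac_key"], nonce + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tampered with or wrong master password")
    stream = _keystream(keys["enc_key"], nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def what_the_server_stores(master_password: str, vault: bytes) -> dict:
    """Everything that crosses the network or sits in the provider's database.

    A transport-layer leak (a proxy's memory, a CDN cache, a logged request)
    exposes at most this record, never the vault contents.
    """
    salt = secrets.token_bytes(16)
    keys = derive_keys(master_password, salt)
    return {"salt": salt, "auth_key": keys["auth_key"],
            "vault_blob": encrypt_vault(keys, vault)}


def leaks_plaintext(record: dict, secret: bytes) -> bool:
    """True if the secret appears verbatim in anything the server holds."""
    return any(secret in value for value in record.values())
```

The split into three keys is the part that matters for the zero-knowledge claim: a server that only ever receives the login key has nothing it can use, or lose, that decrypts the vault, and the integrity tag means a modified or wrongly-keyed blob fails closed instead of decrypting to garbage.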

Keeper Customer Profile: Philip Leech-Ngo



Cyber security becomes more important every day as hackers continue to target users for personal information that can be sold for a profit on the dark web. With more than 10 million consumers engaged with Keeper on a daily basis, we thought it would be a good idea to find out a bit more about our customers and share how Keeper helps simplify and protect their digital lives.


Why did you start using Keeper?
I’ve always found Keeper useful, but it really came into its own over the past year or so. I’ve just moved from the UK to Canada. That meant I had to set up a whole host of new accounts and online profiles to go with a new job, new bank, new phone, etc. etc., not to mention all sorts of secure documentation that I needed to keep safe during the transition. Keeper was absolutely brilliant for this. Not only did it keep my info secure, the fact that it is so convenient to use and that it integrates so naturally into my workflow made life a lot easier and less stressful than it could have been. I’m looking forward to seeing how Keeper continues to innovate, improve and adapt over time so that it carries on helping keep my life that little bit simpler… though I’m glad to say that I don’t think I’ll be moving to another country anytime soon!

How many passwords does Keeper store for you?
418

What are two benefits you get from utilizing Keeper?

1. Convenience
2. Security across platforms

Anything else that is noteworthy?

The fingerprint scanner on the phone is brilliant!

Why did you decide to start using a password manager?

About 3-4 years ago. I started with a free version, but Keeper’s reputation and ability to work cross-platform persuaded me to move over.

What kind of files (e.g. passport, credit card numbers, photos, license, etc.) do you store in Keeper’s encrypted vault?

Lots and lots of web-passwords and banking info. I found it very useful for keeping lots of important personal information securely given my recent experience immigrating.

What is one thing you would recommend to a new Keeper user?

Let it integrate organically with your workflow. i.e. use the browser plug-ins etc. to set and keep passwords as you normally would. You will see the benefits very soon without any hassle.

What features would you like to see added to Keeper in future versions?

Integrate with the macOS Keychain etc. so it can remember things like the Apple password. Also, use the phone to unlock the desktop application, a bit like Google does.

The Critical Elements of an Incident Response Plan for SMBs


If you work at a small or midsize business (SMB), you must presume that your organization will fall victim to a cyber attack. It is imprudent to do otherwise, given that a major study of SMBs last year found that half of all SMBs suffered data breaches involving customer and employee information in the past 12 months.

No doubt your organization has taken steps to detect and deter cybercrimes. But has your organization put in place a detailed, predetermined incident response plan for if/when a serious breach occurs?

The fact is that the responses coming from your organization both during and after an attack are as vital to the SMB as what your IT team does to restore your systems and services. But many organizations today, even big enterprises, lack a formal incident response plan. The potential damage of not having a plan can be as devastating to the organization as the attack itself.

Consider this. Following its discovery of a major breach of 500 million user records in 2014, Yahoo’s response was silence. Not a word. That data was subsequently put up for sale on the dark web. When the company finally went public with the breach last September, the damage to its reputation was incalculable.

Execs untrained in crisis management. One reason so many organizations get incident response wrong is that top-level executives who determine this response are usually untrained when it comes to crisis management. It isn’t often they have to make potential game-changing decisions in real time. Instead, their usual method of dealing with a crisis is to gather lots of information from lots of sources; review it all with lots of other people; and eventually respond – in days or weeks or in some cases, not at all.

That is precisely why preparing a cybercrime incident response plan has to be on the agenda for all organizations, regardless of size. Here below are some of the critical elements to consider when building such a plan.

Start by thinking of companies that got incident response right. Those of you old enough to remember will recall the Tylenol scare of 1982 when someone tampered with bottles of the pain reliever, resulting in several deaths. Tylenol’s maker, Johnson & Johnson, acted instantly to remove all Tylenol from store shelves, even though there was no evidence of any manufacturing problems. The company was widely hailed for its instant response, despite potential risks to its reputation.

Put someone in charge, before the fact. When a cybercrime or attack is detected, some predetermined individual needs to be the “point person” in charge of gathering all information on the attack, reporting and updating in plain language to the executive team, and coordinating the overall response. This could be the top IT person or data security chief, depending upon the size of the SMB and its technology staff. This person may or may not be the individual who becomes the public “face” of the company, but this public “face” needs to be determined in advance as part of the incident response plan.

Undertake a risk assessment of your data. There have been major breaches of data that is mostly or largely worthless to cybercriminals, such as data that is carefully encrypted or data of little or no strategic value. Other data, such as customer information and passwords, intellectual property files, or personal health information (PHI) is potentially highly valuable to thieves, and the theft of which can be very damaging to the organization. So when there is a successful breach, a key part of the incident response plan is matching the response to the importance of what has been hacked. This risk assessment needs to be reviewed periodically as new data and files are captured on the SMB’s systems.

Know the laws about breach disclosures. In the 50 U.S. states there are 47 different security breach disclosure laws. If you are located in one state but do business in several others, you must be aware ahead of time of each state’s disclosure laws that determine what you must disclose following discovery of a breach and how soon you need to do so.

Respond quickly and decisively after an attack. Have different parts of your plan for responding to your customers, your suppliers, your lawyers, and even to the greater public and possibly government regulators. Prioritize and properly escalate these different responses. Be certain to disclose new information as you receive it. And of course be ready to show that your SMB has taken steps—beefing up firewalls, network security and password management—to prevent a similar attack in the future.

Having a fully documented incident response plan can be very helpful in the event of litigation following a breach, as such a detailed plan can serve as proof the company was as prepared as it could be for a breach. In addition, insurance underwriters might consider discounts for companies with such a plan for handling an attack. Apart from these considerations, an incident response plan just makes sense given the great likelihood of a successful breach all SMBs face these days.

What the Most Common Passwords of 2016 List Reveals [Research Study]


By Darren Guccione, Co-founder and CEO of Keeper Security

Looking at the list of 2016’s most common passwords, we couldn’t stop shaking our heads. Nearly 17 percent of people are safeguarding their accounts with “123456.” What really perplexed us is that so many website operators are not enforcing password security best practices.

Using external, public data sources we scoured 10 million passwords from data breaches that happened in 2016. A few things jumped out:

  • The list of most-frequently used passwords has changed little over the past few years. That means that user education has limits. While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.
  • Four of the top 10 passwords on the list – and seven of the top 15 – are six characters or shorter. This is stunning in light of the fact that, as we’ve reported, today’s brute-force cracking software and hardware can unscramble those passwords in seconds. Website operators that permit such flimsy protection are either reckless or lazy.
  • The presence of passwords like “1q2w3e4r” and “123qwe” indicates that some users attempt to use unpredictable patterns to secure passwords, but their efforts are weak at best. Dictionary-based password crackers know to look for sequential key variations. At best, it sets them back only a few seconds.
  • Email providers don’t appear to be working all that hard to prevent the use of their services for spam. Security expert Graham Cluley believes that the presence of seemingly random passwords such as “18atcskd2w” and “3rjs1la7qe” on the list indicates that bots use these codes over and over when they set up dummy accounts on public email services for spam and phishing attacks. Email providers could do everyone a favor by flagging this kind of repetition and reporting the guilty parties.

We can criticize all we want about the chronic failure of users to employ strong passwords. After all, it’s in the user’s best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn’t hard to do, but the list makes it clear that many still don’t bother.
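One way a site operator can enforce the kind of basic check this post is calling for, written for this page rather than taken from Keeper or from the study: reject passwords that are short, that appear on a breached-password list, or that are keyboard walks of the “1q2w3e4r” kind that dictionary crackers try first. The blocklist below is a constructed excerpt seeded with the entries named above plus a few obvious ones; a real deployment loads the full list from the breach corpus.

```python
"""Server-side password acceptance check. Added example, not Keeper's code."""
import re
from typing import List

MIN_LENGTH = 8

# Constructed excerpt of a breached-password blocklist. The entries named in
# the post are here; a production check loads the complete list from disk.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty", "qwertyuiop",
    "1q2w3e4r", "123qwe", "mynoob", "18atcskd2w", "3rjs1la7qe", "111111",
}

# Physical key order on a US keyboard; walks along these rows are what the
# "1q2w3e4r" family of passwords really is.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Vertical zigzag between the number row and the top letter row: "1q2w3e4r..."
ZIGZAG = "".join(a + b for a, b in zip("1234567890", "qwertyuiop"))
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
WALK_MIN = 4  # assumed: four consecutive keys counts as a walk


def _sequences():
    for seq in KEYBOARD_ROWS + [ZIGZAG, ALPHABET]:
        yield seq
        yield seq[::-1]  # "4r3e2w1q" is no better than "1q2w3e4r"


def contains_keyboard_walk(password: str, min_len: int = WALK_MIN) -> bool:
    """True if any min_len-character window is a run along a key sequence."""
    lowered = password.lower()
    for seq in _sequences():
        for i in range(len(lowered) - min_len + 1):
            if lowered[i:i + min_len] in seq:
                return True
    return False


def check_password(password: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accept.

    Length plus a breach blocklist does most of the work; the pattern checks
    catch the "unpredictable" sequences the post shows crackers already know.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in breached-password list")
    if contains_keyboard_walk(password):
        problems.append("contains a keyboard-walk sequence")
    if re.fullmatch(r"\d+", password):
        problems.append("digits only")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return problems


def is_acceptable(password: str) -> bool:
    return not check_password(password)
```

Returning the list of reasons rather than a bare yes/no lets the signup form tell the user what to change, which is the part of enforcement that decides whether people pick a better password or give up.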

Here are the results and additional analysis of the study:


Methodology and other notes:

  • This study included 10M passwords across a variety of data breaches that occurred in 2016 (Breaches that were announced in 2016, but actually occurred prior to 2016 were not considered for this study)
  • Outliers (passwords that only appeared in 1 breach) were not considered for this study
  • The password “mynoob” only occurred in two breaches, which were gaming-related sites
  • The speed of a successful brute force attack depends on processing power
  • Keeper is zero-knowledge and has no access to user data (therefore Keeper data was not used in this study)

Security Life Hacks for the New Year


The new year is the time for resolutions, and what better way to enhance your peace of mind than to resolve to improve security? Here are some life hacks – or strategies to manage your life more efficiently – that you can adopt to improve online security, safeguard your home and protect your personal information. All are free or cost only a nominal amount.

Adopt two-factor authentication

If you read this blog regularly, you know about the benefits of using two-factor authentication (2FA). Adding a second factor, whether a hardware token, a code from an authenticator app or a one-time code sent to your mobile phone, means a stolen or guessed password alone no longer gets an attacker in. A security challenge question is not a second factor; it is just another thing you know, and often something an attacker can look up.

The number of online services that use 2FA is still abysmally low, but it’s growing. The crowdsourced Two Factor Auth list tells you which websites support 2FA and what tools they use. For those that are still stuck on simple password protection, there are links to Facebook, Twitter and email accounts you can use to encourage them to get on the ball. The transportation industry still has a lot of work to do.

See if you’ve been compromised

With online credential theft now nearly an everyday occurrence, you can never afford to be complacent. These four sites help you learn if you’re a victim.

  • Have I Been Pwned? is a database of nearly two billion credentials from more than 165 hacked websites and password files. Plug in your email address and find out if your username and password may be in play. The site won’t fix the problem, but at least you’ll know where you may be vulnerable.
  • BreachAlarm is a similar service that includes a subscription component to notify you immediately if your name shows up on a compromised list.
  • Sucuri is great if you own one or more websites. Plug in the URL and it’ll scan your site for malware and also check you against blacklists.
  • The Internet of Things Scanner checks your internet-connected devices against the Shodan IoT database. If your devices are there, they’re accessible to the public – and to criminals.

Change of habit

  • Do you use public Wi-Fi in a coffee shop or library? If so, there’s a good chance the connection isn’t encrypted, and anyone sharing the network can read whatever you send in the clear or lure you onto a look-alike hotspot. At the very least, mark the connection as a “public network” when you join it, turn off file and printer sharing, enable your firewall and stick to HTTPS sites. Here’s an excellent tutorial on how to stay safe on public Wi-Fi.
  • What would you do if your wallet and all your credit cards were lost or stolen? It takes hours to track down all those account numbers and call all those customer service numbers. Save yourself the hassle by recording each card’s number, expiration date and the issuer’s 800-number somewhere you can reach without the card, such as the encrypted vault of a password manager. Don’t email scans of the cards to yourself: a mailbox is a prime target, and anyone who gets into it would find every card in one place.
  • A Redditor suggests that you change the way you think about security challenge questions. It’s so easy these days for attackers to find out information about you that details like your mother’s maiden name or your high school mascot are no longer very effective. Instead, treat them as a second password by adding numbers or gibberish letters that make your answers impossible to guess, or choose a response that makes no sense as an answer to the question. Was your first pet really named Hong Kong?
  • Create an email address on a public service like Gmail or Hotmail that you use just for filling out forms on sites you never want to hear from again. You can then create an email filter that sends all communication to that address directly to a separate folder or the trash. Or if you really never want to hear from the site again, use 10 Minute Mail to create a temporary, self-destructing email address.
  • Never store credit card numbers on e-commerce sites. The minor convenience you gain is more than offset by the risk of having the customer database hacked.

Protect your privacy

  • When was the last time you reviewed your privacy settings on social networks? Cybercriminals love social profiles because they serve up all kinds of information that can be used to hack online accounts and even tip off burglars when you’re not home. AdjustYourPrivacy.com has links to the privacy pages of most of the major social networks. It also shows you what the world sees when it looks at your public Facebook page. And it has a cool list of search engines that will show you what’s out there about yourself.
  • Here’s a great idea from Reddit for how to find out who’s selling your information. When you fill out a web form, use the name of the website as your first or middle name. That way you’ll immediately know who’s responsible for spam or unwanted promotions.
  • How much do you love telemarketers and robocallers? We thought so. Ban them forever by signing up at Nomorobo. The service keeps a massive list of known telemarketing sources and automatically sends their calls to a voice message telling them to get lost. A single landline is free.

Physical Security

  • If you’re going away on vacation for two weeks, don’t brag about it in public on Facebook. If you just can’t resist, at least review the post privacy settings to limit visibility to your close friends.
  • While you’re away, make sure your house looks lived in. Have your mail held and lawn mowed. Leave on a couple of lights and a TV or radio. Ask a neighbor to park a car in your driveway. Ex-burglars say that’s one of the most effective deterrents you can use.
  • If you want to really get fancy, trace the outline of a body on a large piece of cardboard. Cut it out and lean it against a chair or window. Close the blinds and it’ll look like you’ve got your own personal security guard.
  • Even if you don’t have a home security system, you should put up signs and stickers saying that you do (you can easily buy them online). You’ll make burglars think twice. Throw in a couple of “Beware of dog” signs while you’re at it.

Have You Been Pwned? Troy Hunt Will Help You Find Out


If you visit Troy Hunt’s website – Have I Been Pwned.com – and read the often-voluminous posts on his blog, you might think he has time for little else. But the sites are just a sideline for Hunt, an Australia-based Microsoft Regional Director and MVP whose primary business is training security professionals.

Have I Been Pwned is a free resource that people can use to find out if they have been put at risk due to a data breach. As of this writing, it includes authentication data from 166 compromised websites and nearly two billion accounts. Type in your email address or username and find out if you’ve been a victim (the site stores no passwords).

Hunt launched the site after 153 million Adobe accounts were breached in late 2013. He noticed that the same accounts – and passwords – were showing up across multiple incidents. He began acquiring usernames of accounts that had been compromised so people could easily learn if they’d been victimized.

Have I Been Pwned gets tens of thousands of visitors each week, and Hunt’s mailing list is approaching one million names. He uses the insight he gains from the constant back-and-forth with visitors and contributors to improve his coursework and build his profile as a security expert. It’s working; Hunt has been quoted dozens of times in global media outlets, and his blog is a must-read for people who care about cyber attacks.

We caught up with him via Skype.


This site would appear to require a huge time commitment on your part. How do you fit it in with your day job?

It’s complementary to my main business of security training. Companies tell me their goal is not to end up on the website! The time commitment can be as much as a day each week, but I also get a lot of useful information. Recently, I got 75 notifications of new breaches in one day.

For example, I learned about a big data leak at the Red Cross Blood Service in Australia that was caused when someone inadvertently published information from a database on a public web server. The same week there was another incident with a major international brand having data exposed on a website because of a partner screw-up. This is the type of thing that comes in multiple times a day.

Why do people share this information with you?  

They have all kinds of motivations. I get answers varying from exploiting the company to getting a leg up on a competitor to wanting to sell the data. Very often, no one thinks there’s anything wrong with what they’re doing. I want to tell them that they should go to their room and think about it a bit. They’ve got their hands on deeply personal information and they have no idea what that means.

Where do you get your source material?

It’s almost always someone sending me data. Some people send me dozens of files or a link to a folder with huge amounts of compromised data. Often that data is fake, so I trawl through and try to verify it. Other times I get data that’s broadly redistributed – like the Ashley Madison database.

Are you surprised by the reactions from companies that have been breached?

The most positive reaction I’ve seen was from the Australian Red Cross. I got an appreciative call from the CEO. That’s what I like to see: ethical disclosure.

Then there are folks like Nissan, which had a vulnerability in their API that let attackers take control of their vehicles. At first, Nissan didn’t want to hear about it. They only came around reluctantly.

What response do you get from people who use the site to see if they’ve been pwned?

It’s 99.99% positive. I’m careful about what data I expose. You can’t search the Ashley Madison list, for example. I’m also careful not to reveal email addresses or passwords.

What has running the site taught you about the state of password security?

That some woeful practices are the norm rather than the exception. People defer to the lowest common denominator of password strength. There’s a prevalence of the “123” passwords.

Also, surprisingly few companies use multi-step verification, even though it’s a great protection against credential theft.

What is your opinion of the various alternatives to password security?

Nothing is without trade-offs. There’s password-less login via email, but emails can be delayed. QR codes can be used for authentication, but that’s asking people to do something they’re unfamiliar with. Whenever we ask people to learn an entirely new method, it’s a problem.

I love biometrics, picture logins and PINs on Windows 10. All are great, but none of them remove the underlying weakness of the password.

What do you think are the most effective steps organizations can take right now to improve security?

Better training, particularly for software developers. While I obviously have a vested interest in saying that, systems are nearly always compromised by a flaw in a process. If you give developers the knowledge to write secure programs, they’ll use it for the rest of their careers. So why pay a penetration testing company $20,000 if developers are just going to make the same mistakes again?

If you address problems when the software is being written, you get a massive benefit across the lifecycle. We understand how SQL injection and cross-site scripting work, but we still create so much stuff that’s vulnerable. The problem is education.
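Hunt’s point is that the fixes for SQL injection and cross-site scripting are well understood and cheap to apply at the time the code is written. The following is an added illustration of that point, not code from the interview or from Have I Been Pwned. It uses a constructed in-memory SQLite table and shows each flaw beside its standard remedy: a parameterised query instead of string concatenation, and output encoding with html.escape instead of raw interpolation into HTML. The user names and addresses are made up.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data; nothing here comes from a real breach.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "hash-a", "alice@example.com"),
            ("bob", "hash-b", "bob@example.com"),
        ],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Flaw: the caller's input is spliced into the SQL text, so quote
    # characters in it change the structure of the statement.
    query = (
        "SELECT username, email FROM users WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Remedy: a bound parameter is always treated as a value, never as SQL.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(name):
    # Flaw: untrusted text is dropped into HTML unchanged, so markup in it
    # is interpreted by the browser (cross-site scripting).
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # Remedy: encode for the HTML context so the text is displayed, not parsed.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # the textbook demonstration input
    print("concatenated query:", find_user_vulnerable(db, tautology))  # both rows
    print("parameterised query:", find_user_safe(db, tautology))  # []
    print(render_greeting_vulnerable("<b>guest</b>"))
    print(render_greeting_safe("<b>guest</b>"))
```

The vulnerable lookup returns every row for the tautology input because the quote character closes the string literal and the rest of the input becomes part of the WHERE clause; the parameterised version simply finds no user with that literal name. The same pattern applies to the HTML case: escaping at the point of output is the one-line habit a developer can carry for a career, which is the education gain Hunt describes.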

What has been the most rewarding aspect of running this site?

A big one has been the messages I get from people who say they wouldn’t have known about their exposure without it. I’ve also learned an awful lot about how breaches happen and about scaling a service to tens of thousands of users. One of my objectives has been to run the whole thing for less than what I spend on coffee. Using Microsoft Azure, I’ve been able to build something at scale and do it cost-effectively.

What have been the biggest surprises?

That I’ve never had any legal threats [laughs]. I suppose that’s because I’m transparent. I jump on the phone with anyone who’s concerned. The volume of interest has been a surprise. I now have about 830,000 verified subscribers, and I expect that to be one million by Christmas.

The amount of interest from enterprises and commercial vendors has been surprising, such as security companies wanting to make the API part of a commercial service. I’ve done some of these deals to build leverage.

What has HaveIBeenPwned.com done to your visibility in the security community?

After a large incident, I often get up to a dozen press calls. I get a lot of offers to speak, many of which I have to decline. That said, I’ve had five international trips this year that involved speaking.

How do you manage to blog so prolifically?

I get up very early. I often blog when I have an itch to scratch, such as when I took my iPhone in for service and they wanted me to unlock it so they could work on it. Or it’s something that I just find fascinating. I’ve found that when I write about something, I understand it better. It’s part of my learning experience as well.

2016: What Can We Learn From A Banner Year for Cybercrime

2016 will go down as yet another banner year – unfortunately – for hackers and data thieves globally. This article looks at some of the successful attacks while probing for patterns and trends in cybercrime.

Big target on the IoT: The Dyn DDoS attack. Our blog on cybercrime predictions for 2017 forecast increasing efforts by hackers to exploit fundamental weaknesses in the fast-growing Internet of Things (IoT) environment. For the first time in a major attack, the hackers behind the Dyn DDoS attack didn’t go directly at the servers of their target. Instead, they compromised some 100,000 IoT devices that still had weak default passwords, assembled them into an enormous botnet, and used it to slam the real target. Some evidence suggests the attackers were just firing a warning shot, as they could have compromised 500,000 devices just as easily. The obvious lesson: apply the same password best practices to IoT devices as you would to any other digital device or endpoint. That means replacing the default password with a strong, complex one.

Passwords, get your stolen passwords right here! Literally millions of stolen passwords went up for sale on the dark web this year, some of which were stolen in previous years. In May more than 400 million passwords stolen previously from MySpace went up for sale to the highest bidder. What’s more, the same hacker who listed the MySpace passwords put another 100 million passwords up for sale that were previously stolen from LinkedIn. There is every reason to expect that stolen information will increasingly be put up for sale. These incidents highlight the great importance of frequently changing passwords and not reusing the same passwords for various accounts. Warnings to do so are coming from all over the globe. As one major cybercrime study showed in 2016, 63% of successful data breaches involved weak, default or stolen passwords.

Life of the Party: The DNC hack. Considerable questions remain as to exactly who was behind the epic successful attack on the servers belonging to the Democratic National Committee. What is not in question is the damage done to the Democratic Party and to the reputations of a lot of political higher-ups. It is entirely possible the success of this attack and the apparent ease with which it was pulled off will only encourage more such geopolitical cybercrime. In fact, a couple of months after the DNC break-in, the FBI alerted officials in two states that hackers were targeting their election systems. The hackers were into the DNC computers for an entire year before they were discovered. Sophisticated phishing techniques were likely used to pry open the doors. The rest is history.

Simply shocking! Electrical grids in hackers’ crosshairs. As devastating as the attack on the Ukrainian power grid was, it may have been just the canary in the coal mine for what is to come. The simple fact is that power grids around the world are extraordinarily ripe for cyber assault, including those in nearly all of Southeast Asia, where much of the computerized instrument control infrastructure is extremely vulnerable. The attack in Ukraine was as sophisticated as it was brilliantly planned and executed. But a not-so-sophisticated phishing campaign using infected Word documents was all it took to set the whole mess in motion.

Yahoo times 500 million. The devastating attack on Yahoo happened two years ago, but the extent of the damage, and the public revelation of the attack itself, didn’t come until 2016. It isn’t that Yahoo wasn’t aware that more than 500 million records were compromised. The company simply chose not to tell anyone, despite having been up for sale for the past year. The important takeaway is that governments and regulators are likely to double down on requirements covering exactly what must be disclosed when a breach is detected, and when. Shareholders, consumers, suppliers and others feel they need protection when some of their data may have been compromised in a breach. The year ahead may well bring them some much-needed relief in this regard.

Hospitals: Pay up or else. Starting early in 2016 and continuing throughout the year, hackers conducted a series of successful ransomware attacks on hospitals throughout the world. The attacks typically began on a single server but then quickly infected the entire network, eventually affecting multiple systems. Demands at times were modest, as low as $1,600 for system restoration. Hospitals are relatively easy targets, often lacking layered security-centric protocols, according to some experts. Expect regulators to take a hard look at hospital security practices.