
Archive for Security

Scam of the Week: “Another” New CEO Fraud Phishing Wrinkle

So, here’s a new CEO Fraud phish: see these fresh screenshots from emails reported to us through the free KnowBe4 Phish Alert Button. The bad guys spoof the managing partner and CPA of an accounting & consulting firm and ask an employee for the “Cash/Bank Statement Reconciliation” for June of this year.

Now, it’s not immediately clear what the bad guys could do with the data from such a statement, but this may simply be a first step of a one-two punch that is meant to establish credibility. The next step would be a malicious request for salary payment records like a pay stub that allow the bad guys to change bank accounts for direct deposit salary payment to accounts they control.

Here is another variant, where the employee seems to be willing to comply:

And here is another variant:

See the payroll phish screenshot, which asks an employee at a credit union to change the email associated with another employee’s ADP account to a non-company email address.

Of course, ADP already allows employees to do this on their own: http://www2.ccga.edu/Faculty/HumanResources/ADP/files/PersonalContact.pdf

We are expecting the scheme to work like this: once the email address is changed, the bad guys who control that email address can force a password change by selecting the “I forgot my password” option on the ADP portal, change the password, then effectively hijack the account. From there they can change the direct deposit info, mine the account for identity/tax refund theft, and so forth.

Presumably this same scheme could work with similar services (SAP, Paychex, Zenefits, etc.).

The “beauty” of this approach is that targeted employees as well as their employers would remain blind to all the fraudulent changes made after the email address is switched. How often do employees tend to log in to their ADP accounts anyway? Once every few months would be my guess. Perhaps even as infrequently as once a year. Two interesting observations about this particular phish:

  1. The bad guys didn’t bother spoofing the targeted employee’s corporate email address. They used the same address submitted as a substitute.
  2. The targeted employee doesn’t appear to be very senior in the organization. So, this might be some kind of initial test to see if the scheme works.
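The two observations above (an executive’s name on an outside address, and a request for financial records) are exactly what a mail-gateway rule can score. The following Python check is an added example, not code from the KnowBe4 post: it parses a message, compares the From display name against an executive directory, notes a Reply-To that diverges from the sender, and looks for the kinds of records this scam asks for. The company domain, the directory, the keyword list and both sample messages are constructed.

```python
"""Flag executive display-name impersonation in inbound mail.

Added example for the CEO-fraud post above; not KnowBe4's code. The company
domain, the executive directory and both sample messages are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Tuple

COMPANY_DOMAIN = "example-cpa.com"                 # assumed internal domain
EXECUTIVES = {                                     # constructed directory
    "pat quinn": "pat.quinn@example-cpa.com",      # managing partner
    "lee morgan": "lee.morgan@example-cpa.com",    # CPA
}
# Phrases typical of the records the post says are requested.
FINANCE_KEYWORDS = ("reconciliation", "bank statement", "pay stub",
                    "direct deposit", "salary", "w-2")


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def _body_text(msg: Message) -> str:
    if msg.is_multipart():
        return " ".join(p.get_payload() for p in msg.walk()
                        if p.get_content_type() == "text/plain")
    return msg.get_payload()


def analyze(raw_message: str) -> Tuple[str, List[str]]:
    """Return (verdict, findings); verdict is pass / review / quarantine."""
    msg = message_from_string(raw_message)
    findings: List[str] = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    expected = EXECUTIVES.get(_norm(display))
    impersonation = expected is not None and addr != expected
    if impersonation:
        findings.append(f"display name '{display}' belongs to an executive "
                        f"but sender is {addr}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")

    text = (msg.get("Subject", "") + " " + _body_text(msg)).lower()
    asks_for_records = any(k in text for k in FINANCE_KEYWORDS)
    if asks_for_records:
        findings.append("asks for payroll or financial records")

    if impersonation and asks_for_records:
        return "quarantine", findings
    return ("review" if findings else "pass"), findings


# Constructed sample: executive name on an outside mailbox, asking for records.
SAMPLE_PHISH = """\
From: Pat Quinn <pat.quinn.partner@gmail-mail.example>
Reply-To: Pat Quinn <pquinn.acct@mailbox.example>
To: staff@example-cpa.com
Subject: Cash/Bank Statement Reconciliation for June

Can you send me the cash/bank statement reconciliation for June today? Thanks, Pat
"""

# Constructed sample: the real executive, internal address, no request.
SAMPLE_LEGIT = """\
From: Pat Quinn <pat.quinn@example-cpa.com>
To: staff@example-cpa.com
Subject: Lunch Friday

Lunch on Friday?
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        verdict, findings = analyze(raw)
        print(label, verdict, findings)
```

The verdict is deliberately conservative: a name match alone (a shared surname, a personal mailbox the executive really uses) only earns “review”, while the combination of impersonation and a records request is what this scam looks like and goes to quarantine.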

Sjouwerman, Stu. “Scam of the Week: ‘Another’ New CEO Fraud Phishing Wrinkle,” KnowBe4.com blog, July 20, 2018

Posted in: Security, Tech Tips for Business Owners


7 Tips to Using a Password Manager Safely

Password security can look pretty grim! However, the benefits of a good password manager – generating and saving complex, unique passwords you can easily update – mean that most experts recommend using one. “While it’s impossible to be completely immune from the most advanced threats, selecting the right third-party password manager can help users to protect their credentials from the majority of attacks that they may face,” says Baumgartner.

You can also take the following seven steps to ensure you’re protecting your accounts:

  1. Choose a password manager without master password recovery

Whatever you do, choose a password manager that does not allow for recovery of the master password. “If a malicious actor is able to get ahold of the master password through account recovery tools, this renders even the most secure password management programs useless,” says Baumgartner.

  2. Use two-factor authentication

Any online account has a risk of being hacked. One way to reduce this risk is to use two-factor authentication to protect your password manager. Chrome supports two-factor authentication with your smartphone, and, along with Firefox and Edge, also works with hardware security keys such as Yubico’s YubiKey. Third-party password managers including Dashlane, LastPass and Sticky Password support two-factor authentication with your smartphone. “While two-factor authentication may still have some risks due to threats like SIM hijacking, at a minimum it puts one more layer of defense between the cybercriminal and your full arsenal of login information,” says Baumgartner.

  3. Turn off autofill

You may want to consider turning off autofill. This also means logging into your password manager, then copying and pasting your passwords into the login screen.

  4. Use strong passwords

When composing your master password, make it strong. “By today’s standards this means 20 characters or more, randomly generated passwords that contain lower and uppercase letters, digits and symbols,” says Palfy. You might be proud of how devilishly uncrackable it is – but don’t reuse your master password.

  5. Make sure all of your passwords are unique

Make sure all your other passwords are unique. Dashlane Premium is one of the options that can automatically check for weak or repeated passwords then automatically replace them with a random, complex password.

  6. Keep your software up to date

Download security updates for your password manager as soon as available – often, they will be patching newly discovered vulnerabilities.

  7. Be wary of downloads and browser extensions

In general, be wary of your downloads especially browser extensions – unwittingly installed malware could end up logging keystrokes or copying logins.
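Palfy’s standard for the master password (20 or more randomly generated characters drawn from lower case, upper case, digits and symbols) is easy to meet with the operating system’s cryptographic random source. The Python below is an added example, not code from the Techlicious article or from any password manager: the four character classes are Python’s `string` constants, the 20-character floor is the quoted standard, and the entropy figure assumes uniform sampling over the 94 printable ASCII characters.

```python
"""Generate and check a master password against the 20+ character, four-class rule.

Added example for the "Use strong passwords" tip; not from the Techlicious
article. The character classes come from Python's string module; the
20-character minimum is the standard quoted in the text.
"""
import math
import secrets
import string

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)            # 94 printable ASCII characters
MIN_LENGTH = 20                        # the quoted standard


def has_all_classes(password: str) -> bool:
    """True when the password contains at least one character of each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def is_acceptable(password: str) -> bool:
    """Length floor plus class coverage: the two parts of the quoted rule."""
    return len(password) >= MIN_LENGTH and has_all_classes(password)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = MIN_LENGTH) -> str:
    """Draw from the CSPRNG until a sample covers all four classes.

    Rejection sampling keeps the distribution uniform over qualifying
    strings; "pick one from each class, then shuffle" does not.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"master password must be at least {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

`secrets.choice` reads from the OS CSPRNG; `random.choice` is seeded from a small state and must not be used for this purpose. A 20-character password over this alphabet carries about 131 bits of entropy, comfortably beyond what offline guessing can cover.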

Choosing the right password manager

The best password managers do not allow you to recover your master password, they let you use two-factor authentication, they monitor your accounts for password breaches and weak passwords, they generate strong passwords for you, they back up your passwords securely online and they let you use a fingerprint or face ID to log in on your smartphone. Our favorite password manager, Dashlane Premium ($60 per year), has all of the aforementioned features and more. It also fills out forms, including your credit card information, syncs across all of your devices, scans the Dark Web for personal data and account information and provides VPN service for your computer and smartphone to encrypt all of your data when using internet-based services over public WiFi.

This excerpt is taken from “Is it Safe to Use a Password Manager?”, an article written by Natasha Stokes, Techlicious.com. Click here if you would like to read the article in its entirety.

Posted in: Security, Tech Tips for Business Owners


Make your Android or iPhone’s Fingerprint Reader Work Every Time

This dead-simple trick will keep you from wanting to throw your phone across the room.

Raise your hand if this is you: The fingerprint reader on your iPhone or Android phone fails often enough on the first try that you’re starting to wonder if you’ve been cursed with weird fingers.

Relax; there are plenty of reasons why you may not get an accurate read your first try, besides your mutant appendages.

  • Your fingertip hasn’t fully covered the sensor
  • You have wet hands
  • The phone didn’t get an accurate read when you first registered your print
  • The phone maker’s implementation may make the reader more sensitive, like if there are more demanding layers of security built into the software

This tip won’t help with all of those, but it definitely helps.

If you’re up to here with trying to unlock your phone so many times that you have to revert to a password or passcode, stop. Take a deep breath. And try this dead-simple solution that really works.

Register the same print two or three times. I do this with the phones I review and it makes the devices much more likely to unlock the first time around. For example, I’ll scan the finger I usually unlock the phone with at least twice — say, my thumb — and then scan a second finger that I might use to also unlock the device, like my index finger. I’ll usually also scan the index finger of my non-dominant hand, which has bailed me out more than once when I had my hands too full to unlock the phone as I normally would.

The reason multiple scans of the same finger work is that when you register your fingertip the first time around, it isn’t always clear which parts of your print the software has captured. A nominally helpful animation will urge you to lift your finger to capture more area, but that doesn’t necessarily reflect the data your phone’s actually storing.

By laying down the same fingerprint more than once, you’re doubling or tripling the chances that your phone will capture enough data.

Of course, adding duplicate digits won’t solve your unlocking issues if you constantly struggle to reach the reader, or if your hands are too wet for the phone to register your print.

How to register multiple fingerprints on your phone

Most phones give you a maximum of five fingerprints for security reasons. The reasoning goes that the more fingers you register, the higher the probability of a false-positive unlock.

On Android phones:

  • Open Settings
  • Tap Security
  • Tap “Fingerprint”
  • Re-enter your PIN
  • Tap “Add fingerprint”

On iPhones with Touch ID:

  • Open Settings
  • Tap Touch ID & Passcode
  • Enter your passcode
  • Under the section “Fingerprints” tap “Add a Fingerprint”

Dolcourt, Jessica. “Make Your Android or iPhone’s Fingerprint Reader Work Every Time” CNET July 5, 2018

Posted in: Mobile Computing, Security, Tech Tips for Business Owners


7 Passwords You Should Never Use at Your Small Business

Owning a small business means owning data. You’re constantly acquiring new information related to your customers, your financial details, and all the vendors and contractors with whom you work. One cyber criminal, though, one lucky hack, and you’ve just exposed your business to a major blow. From lost trust among your clients to costly lawsuits for the damage done, protecting your company from data theft is among your most important responsibilities.

A lot of it comes down to one simple choice you make: passwords.

“Overall, passwords still present the biggest challenge for businesses of all sizes,” said Ron Schlecht, founder and managing partner of BTB Security. Businesses hire Schlecht’s company to test their digital security for weak spots and, he said, “you can’t imagine how many times we still break in to companies because of a bad password.”

If you want to avoid weak passwords at your business, start by steering clear of the following list. Read on for seven passwords you should never (ever) use.

Password

Arguably, this is the number-one and most common bad choice. Also prevalent are variations such as P@ssword and P@55w0rd!. These might be easy to remember, but they’re also among the first options hackers will try.

QWERTY

Easy-to-guess passwords often take root because they’re simple to remember. That’s the story with this hacker-friendly option constructed from the sequence of letters at the top left of the typical computer keyboard.

12345

Or, 98765. Or, 4567. You get the picture — no consecutive numbers (and the same goes for sequential letter combinations). You can only count on passwords such as these to expose your business to digital theft.

BusinessName1

If your shop is called Serafina’s Weddings, don’t set your password as SerafinasWeddings1. That would be an early choice for hackers looking to break into your valuable data.

Business Address

Skip it entirely, when it comes to passwords. Also avoid trying to mash together similar details, such as your street name and street number — i.e. Main215. 

Date of Birth

Thanks to the Internet, it doesn’t take much effort to find a person’s DOB. Birthdays, birthdates, years of birth — all of them make for readily attainable passwords and are poor choices for your company.

Simple Dictionary Words

Especially if they’re related to your business, don’t use them. No baseball, football, or soccer for your sporting goods store. No muffler, tire, or spark plug for your auto garage.

And so, what should you do when it comes to picking a password?

A key approach starts with thinking of a passphrase. Next, substitute letters, characters, and abbreviations for parts of it. For example, my first car was a Honda in 1990 would be easy enough to remember, if that was the case in your life. Now, change it to my1stc@r=honda90.
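A password policy that rejects these seven patterns can be automated rather than left to memory. The Python below is an added example, not code from The Hartford article: it undoes common character substitutions to catch P@55w0rd!, looks for keyboard rows and sequential runs, and compares the candidate against a business profile (name, street address, owner’s date of birth, trade vocabulary). The profile and the rule names are constructed for the demo; the passphrase from the text, my1stc@r=honda90, passes every check.

```python
"""Screen a candidate password against the seven patterns in the article.

Added example; not code from The Hartford piece. The business profile
(name, address, date of birth, trade words) is constructed for the demo.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Common substitutions undone before looking for "password" (P@55w0rd! etc.)
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})
KEYBOARD_ROWS = ("qwerty", "qwertz", "azerty", "asdfgh", "zxcvbn")


@dataclass
class BusinessProfile:
    name: str = ""
    address: str = ""
    dob: Optional[date] = None
    trade_words: Tuple[str, ...] = ()


def _alnum(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _has_sequence(s: str, n: int = 4) -> bool:
    """True if s holds n+ characters stepping by exactly +1 or -1 (12345, 4567, abcd, 98765)."""
    s = s.lower()
    run, best, prev = 1, 1, 0
    for a, b in zip(s, s[1:]):
        d = ord(b) - ord(a)
        if d in (1, -1):
            run = run + 1 if d == prev else 2
        else:
            run = 1
        prev = d if d in (1, -1) else 0
        best = max(best, run)
    return best >= n


def _dob_forms(d: date) -> Tuple[str, ...]:
    # Year alone plus the usual 6- and 8-digit orderings.
    return (d.strftime("%Y"), d.strftime("%Y%m%d"), d.strftime("%m%d%Y"),
            d.strftime("%d%m%Y"), d.strftime("%m%d%y"), d.strftime("%d%m%y"))


def weak_password_reasons(password: str, profile: BusinessProfile) -> List[str]:
    """Return the names of the article's rules the password violates (empty = none)."""
    reasons: List[str] = []
    low = password.lower()
    letters_only = re.sub(r"[^a-z]", "", low.translate(LEET))
    if "password" in letters_only:
        reasons.append("password-variant")
    if any(row in low or row[::-1] in low for row in KEYBOARD_ROWS):
        reasons.append("keyboard-sequence")
    if _has_sequence(password):
        reasons.append("sequential-run")
    if profile.name and _alnum(profile.name) in _alnum(password):
        reasons.append("business-name")
    tokens = [t.lower() for t in re.findall(r"[A-Za-z0-9]+", profile.address) if len(t) >= 3]
    if any(t in low for t in tokens):
        reasons.append("business-address")
    if profile.dob and any(f in password for f in _dob_forms(profile.dob)):
        reasons.append("date-of-birth")
    if any(w.lower() in low for w in profile.trade_words):
        reasons.append("trade-word")
    return reasons


# Constructed profile matching the article's examples.
DEMO_PROFILE = BusinessProfile(name="Serafina's Weddings", address="215 Main Street",
                               dob=date(1985, 6, 30), trade_words=("wedding", "bride", "gown"))

if __name__ == "__main__":
    for candidate in ("P@55w0rd!", "QWERTY", "98765", "SerafinasWeddings1",
                      "Main215", "06301985", "bride2024", "my1stc@r=honda90"):
        print(f"{candidate:20} {weak_password_reasons(candidate, DEMO_PROFILE) or 'ok'}")
```

The profile checks are the ones a generic strength meter cannot do, because they depend on facts about the business rather than on the string alone; that is also why the article’s list is worth enforcing separately from a length rule.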

Steer clear of the not so magnificent seven above, and protect your data with hard-to-guess constructions. With a strong password strategy, you’re well on your way to foiling online attacks.

O’Brien, James. “7 Passwords You Should Never Use at Your Small Business” The Hartford, Small Biz Ahead. June 2018

Posted in: Business, Mobile Computing, Security, Tech Tips for Business Owners, Technology


How to export saved passwords from Chrome to a CSV file

This process shows you how to export your passwords stored in Chrome into a CSV file, so that you are able to import your account credentials into a password manager. However, there’s one big caveat.

At first blush, you may think I’ve lost my mind. Wouldn’t exporting passwords to a text-based CSV file be insecure? Although that may be true, when you want to migrate your passwords from Chrome to a password manager (especially when you have a large number of passwords), the last thing you want to do is rely upon your memory to recall all the URLs, usernames, and passwords. And if you’re migrating away from Chrome—which you might be so inclined to do after reading this piece—you’ll want to export those passwords, such that they can be imported into your password manager of choice.

I’m going to walk you through the process of exporting your password information from Chrome. How you then import that information into your password manager will depend upon the tool you use. Fortunately, many of the better password managers are capable of importing CSV files.

With that said, let’s take care of this.

What you’ll need

You’ll need a working version of Chrome. That’s it. As long as you’ve stored your passwords with that browser, you should be good to go.

A word of warning (IMPORTANT!!!)

This exported CSV file stores all your information in plain text. The idea here is to export the file, import it into a password manager, trash the exported CSV file, and then undo the process. If you leave that CSV file on your hard drive, you run the risk of leaving yourself exposed. If you don’t undo Chrome’s ability to export, someone could come along and export the file (more on that danger in a bit). Because of that, it is very important you delete that file after you’ve imported it into your password manager. Or you can always save that file to a USB drive, and then lock that drive up in a safe. Either way you go, make sure to protect that file at all costs.

Exporting

The first thing to do is enable password exporting. To do that, open Chrome and type chrome://flags/ in the address bar and hit Enter. In the resulting window type Password export in the search field. When the search result appears, select Enable from the drop-down.

You will then be prompted to restart Chrome. When Chrome restarts, click on the menu button (three horizontal lines in the upper right corner) and click Settings. In the Settings window, click Advanced and scroll down to Manage passwords. Click the three vertical dots associated with Saved passwords and then click Export.

When prompted, click the EXPORT PASSWORDS button and save the .CSV file.

You can now import that newly downloaded file into your password manager.

Undoing your work

First off, remember to delete that file or tuck it away for safekeeping. Once you’ve done that, go back to Chrome, type chrome://flags in the address bar, search for Password export, and disable the feature (set to Default). Relaunch Chrome and the feature will no longer be available.
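Because the exported file sits on disk in clear text, it is worth doing two things with it before it goes into the password manager: audit it for reused and short passwords (the password-manager tips above make the same point about uniqueness), and overwrite it before deleting. The Python below is an added example, not TechRepublic’s or Google’s code. The CSV header name,url,username,password is the format Chrome exported at the time of the article; the rows, the file name and the 12-character threshold are constructed assumptions.

```python
"""Audit a Chrome password export before importing it, then shred the file.

Added example for the export procedure above; not TechRepublic's or Google's
code. The CSV header (name,url,username,password) matches Chrome's export at
the time of the article; the sample rows, the file name and the 12-character
threshold are constructed assumptions.
"""
import csv
import os
import tempfile
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

SHORT_THRESHOLD = 12   # assumption: flag anything shorter for replacement

# Constructed export: one password reused on three sites, one short password.
SAMPLE_EXPORT = """name,url,username,password
example,https://www.example.com/login,alice,Tr0ub4dor&3-2018
bank,https://bank.example.net/,alice,Tr0ub4dor&3-2018
forum,https://forum.example.org/,alice1990,hunter2
shop,https://shop.example.com/,alice,Tr0ub4dor&3-2018
"""


def write_sample_export(directory: Optional[str] = None) -> str:
    """Write the constructed export to disk so the audit can be run end to end."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "Chrome Passwords.csv")   # assumed file name
    with open(path, "w", newline="", encoding="utf-8") as f:
        f.write(SAMPLE_EXPORT)
    return path


def audit_export(path: str) -> Dict[str, object]:
    """Report reused and short passwords by hostname; never echoes the secrets."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    short: List[str] = []
    count = 0
    with open(path, newline="", encoding="utf-8") as f:
        for row in csv.DictReader(f):
            count += 1
            host = urlsplit(row["url"]).hostname or row["name"]
            by_password[row["password"]].append(host)
            if len(row["password"]) < SHORT_THRESHOLD:
                short.append(host)
    reused = sorted(sorted(hosts) for hosts in by_password.values() if len(hosts) > 1)
    return {"entries": count, "reused_groups": reused, "short_passwords": sorted(short)}


def shred(path: str) -> bool:
    """Overwrite with random bytes, sync, then delete.

    Caveat: on SSDs, journaled file systems, and machines with snapshots or
    backups the old blocks may survive; keep the file's lifetime short rather
    than relying on the overwrite alone.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(os.urandom(size))
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return not os.path.exists(path)


if __name__ == "__main__":
    export = write_sample_export()
    print(audit_export(export))
    print("shredded:", shred(export))
```

The report lists only hostnames, so it can be pasted into a ticket or shown on screen without leaking a credential; the sites in a reused group are the ones to rotate first, since one breach there exposes the others.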

THE BIG CAVEAT (IMPORTANT!!!)

Unfortunately, Chrome no longer allows the browser to use a password for profile locks. Because of this, you might consider deleting Chrome from your desktop, if you are migrating to Firefox for example and aren’t planning on using Google’s browser. Otherwise, someone with the understanding of how to export passwords could gain access to that data by following the above process.

In the end, the last thing you should do is allow Chrome to save your passwords. If you do, and a malicious user has access to your browser, there’s nothing keeping them from exporting your passwords to a file and using them to gain access to your accounts. Lock those passwords away in a password manager, and remove the passwords from Chrome (Chrome | Settings | Advanced | Manage Passwords).

Consider this a word of warning.

Wallen, Jack. “How to export saved passwords from Chrome to a CSV file” TechRepublic, March 22, 2018

Posted in: IT Support, Mobile Computing, Security


How to Lock Down Your Facebook Privacy Settings

Facebook deserves a lot of the flak it gets, be it for providing Russian propaganda with a platform or gradually eroding privacy norms. Still, it has some genuine usefulness. And while the single best way to keep your privacy safe on Facebook is to delete your account, taking these simple steps in the settings is the next best thing.

Remember, it’s not just friends of friends you need to think about hiding from; it’s an army of advertisers looking to target you not just on Facebook itself, but around the web, using Facebook’s ad platform. In the video above and the post below, we’ll show you how to deal with both.

Fine-Tuning Friends

Limiting who can see which of your posts is an easy first step. On a desktop, go to the little dropdown arrow in the upper-right corner, and click Settings. From there, click on Privacy on the left-hand side. This is where the magic happens.

Under Who can see my stuff, click on Who can see your future posts to manage your defaults. You can make them public to anyone at all, limit them to your friends, or exclude specific friends. You can quarantine your posts by geography, or by current or previous employers or schools, or by groups. Just remember that the next time you change it, the new group becomes the default. So double check every time you post.

This section has other important privacy tools you can fiddle with, including who can look you up with your email address or phone number. We’d recommend not listing either in the first place, but if you do, keep the circle as small as possible. (If you do have to share one or the other with Facebook for account purposes, you can hide them by going to your profile page, clicking Contact and Basic Info, then Edit when you mouse over the email field. From there, click on the downward arrow with two silhouettes to customize who can see it, including no one but you.)

But pay special attention to the option to (deep breath) Limit the audience for posts you’ve shared with friends of friends or public? If you ever had a public account, taking it private wasn’t retroactive. If you want to hide those previously viewable posts, lock this setting down.

Over on Timeline and Tagging you can control what shows up on your own Facebook timeline. Basically, you can’t stop your friends from tagging you (sorry!), but you can stop those embarrassing photos from popping up on your page. At the very least, you should go to Review posts you’re tagged in before the post appears on your timeline, and enable that so that you can screen any tags before they land on your page.

To test out your changes, go to Review what other people see on your timeline. You can even see how specific people view your page, like your boss or your ex or complete strangers. It also never hurts to take stock of how you present yourself to the world. (Looking at you, people who haven’t updated your cover photo since the Obama administration.)

That should about cover your friends. Now onto advertisers, which are like friends, except they never leave you alone, even if you ask nicely.

Ad It Up

In that same Settings panel, head down to Ads. As you probably realized, Facebook knows what you do pretty much everywhere online. So does Google, so do dozens of ad networks you’ve never heard of. You’re being tracked pretty much all the time, by everyone, thanks to this here internet.

You can still limit how Facebook uses that information, though. Tired of that lawnmower you looked at following you to Facebook? Turn off Ads based on my use of websites and apps. Saying no to Ads on apps and websites off the Facebook companies does the same, except for all the sites Facebook serves ads to around the web. Which is most of them.

Lastly, for some fun insight into how advertisers think of you, click on Your Interests. There you’ll find all the categories Facebook uses to tailor ads for you. You can remove any you don’t like, and marvel at the ones that don’t make any sense. This won’t make the ads go away, but at least you can banish all those off-brand kitchen gadgets from your News Feed.

And you’re good! Or at least, as good as can be expected. It’s still Facebook, after all.

Barrett, Brian. “How to Lock Down your Facebook Privacy Settings,” Wired, Security, November 14, 2017

Posted in: Security, Social Media Marketing


Ransomware Can Destroy Backups in Four Ways

I just found a very interesting blog post by Jerome Wendt, President & Lead Analyst of DCIG, Inc., an independent storage analyst and consulting firm.

He started out with “The prevailing wisdom is that if you back up your data you can recover from a ransomware attack. While this premise generally holds true, simply backing up your data no longer provides an absolute guarantee that you can recover from a ransomware attack. Here are three techniques that ransomware may use to circumvent existing backups and make your “good” backups bad.” I have added number 4 at the end as a bonus.

And then he described three bad guy tactics to ruin your backups:

  • Finding and encrypting backups on network file shares. Many backup products back up data to file shares accessible over corporate networks. Further, many organizations use the default directory name created by these backup products to store these backups. The default names of these directories are readily accessible in the documentation published by backup providers. Some creators of ransomware have figured this out. The same malware that finds and encrypts data on production servers also probes corporate networks for these default backup directories and encrypts the backups in them. In so doing, they increase the possibility that companies cannot recover from backups.
  • Hacking the backup software’s APIs. A number of enterprise backup software products offer their own application programming interface (API). Using these APIs, organizations can centralize backup and recovery under their broader data center management platform. However, ransomware creators can also access these published APIs for nefarious purposes and use them to corrupt and/or encrypt existing backups.
  • Plant a ransomware “time bomb.” To date, when ransomware encrypts a company’s data, the encryption generally occurs as soon as or shortly after it gets onto the corporate network. However, ransomware continues to evolve and mature and, as it does so, it grows both more patient and more insidious. Rather than encrypting data as soon as it breaches the corporate firewall, it begins to infect the data but does not immediately encrypt it. Then, only after days, weeks, or months go by and this infected data has been backed up for months does it initiate the encryption of the corporate data. In many respects, this is the worst type of ransomware attack. Not only is all of a company’s production data encrypted, the company thinks it has “good” backups and when it goes to restore the data, the restored data encrypts as well because it was infected when it was backed up. This may make it almost impossible for an organization to determine when it was initially infected and which of their backed up data they can reliably and confidently restore.
  • Delete your Shadow copies. You know about this one, several major strains have been doing this for a few years now, and are constantly improving this part of their malicious code.
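The fourth tactic is the easiest of the four to catch from endpoint telemetry, because removing shadow copies or the backup catalog goes through a handful of well-known command lines. The Python below is an added example, not DCIG’s or KnowBe4’s code: a small rule set run over constructed JSON process-creation events (field names are assumptions modelled on Sysmon/EDR logs), with the parent process used to raise severity when the command did not come from an administrator’s console.

```python
"""Detect shadow-copy and backup-catalog deletion in process-creation logs.

Added example for the "delete your shadow copies" tactic above; not DCIG's
or KnowBe4's code. The log lines are constructed to resemble Sysmon/EDR
process-creation events (JSON, one per line); the field names are assumptions.
"""
import json
import re
from typing import Dict, List

# Command-line patterns that remove Volume Shadow Copies or the backup catalog.
RULES = {
    "vssadmin-delete-shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic-shadowcopy-delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin-delete-catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "powershell-win32-shadowcopy-delete": re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
}

# Parents from which an administrator would normally run these tools.
CONSOLE_PARENTS = ("cmd.exe", "powershell.exe")

# Constructed events: four deletions, one benign listing, one backup agent run.
SAMPLE_LOG = r"""
{"time": "2017-09-12T08:14:03Z", "host": "FS01", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin.exe Delete Shadows /All /Quiet", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"time": "2017-09-12T08:14:04Z", "host": "FS01", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "command_line": "wmic shadowcopy delete", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"time": "2017-09-12T09:02:11Z", "host": "WS22", "user": "CORP\\admin.ops", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin.exe list shadows", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"time": "2017-09-12T08:14:05Z", "host": "FS01", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\wbadmin.exe", "command_line": "wbadmin delete catalog -quiet", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"time": "2017-09-12T11:40:27Z", "host": "WS07", "user": "CORP\\mlee", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\"", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"time": "2017-09-12T23:00:00Z", "host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Program Files\\ExampleBackup\\agent.exe", "command_line": "agent.exe --job nightly", "parent_image": "C:\\Windows\\System32\\services.exe"}
"""


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per matching event.

    Severity is "high" when the parent is a console shell (an administrator
    might be doing housekeeping) and "critical" otherwise, because a document
    viewer or dropped binary has no business removing recovery points.
    """
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        cmd = ev.get("command_line", "")
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                parent = ev.get("parent_image", "").lower()
                severity = "high" if parent.endswith(CONSOLE_PARENTS) else "critical"
                alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"],
                               "time": ev["time"], "severity": severity})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A hit on any of these rules is a reason to isolate the host and verify the integrity of the last known-good backup set immediately, since the deletion usually precedes the encryption by seconds.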

Wendt concluded: “Ransomware arguably represents one of the most insidious and dangerous threats that organizations currently face to the health of their data. The inability to access and recover from a ransomware attack may put the very survival of a company at risk.

“To counter this risk, many look to backup software as their primary means to recover from these attacks. But as ransomware takes aim at backup software, organizations need to take a fresh look at their backup software to make sure that it has the right set of features to counter these newest forms of ransomware attacks to ensure they have a verifiable path to recovery.”

Excellent advice!

Sjouwerman, Stu. “Ransomware Can Destroy Backups in Four Ways,” KnowBe4 CyberheistNews Vol. 7 #37, September 2017

Posted in: Security


Hey, Turn Bluetooth Off When You’re Not Using It

You intuitively know why you should bolt your doors when you leave the house and add some sort of authentication for your smartphone. But there are lots of digital entrances that you leave open all the time, such as Wi-Fi and your cell connection. It’s a calculated risk, and the benefits generally make it worthwhile. That calculus changes with Bluetooth. Whenever you don’t absolutely need it, you should go ahead and turn it off.

Minimizing your Bluetooth usage minimizes your exposure to very real vulnerabilities. That includes an attack called BlueBorne, announced this week by the security firm Armis, which would allow any affected device with Bluetooth turned on to be attacked through a series of vulnerabilities. The flaws aren’t in the Bluetooth standard itself, but in its implementation in all sorts of software. Windows, Android, Linux, and iOS have been vulnerable to BlueBorne in the past. Millions could still be at risk.

So, yeah, turn off Bluetooth if you’re not using it or if you’re near anyone you don’t trust. There might be some inconvenience when you bring your laptop to your desk and want it to connect to a Bluetooth mouse and keyboard. You might end up flipping the switch fairly often to use Bluetooth headphones. But you likely don’t use Bluetooth most of the time. Even if you lean on it all day at work, you can ditch it at a birthday dinner or when you’re asleep. And if you use it 24/7 on your phone because of a peripheral like a smartwatch, you can at least turn it off on your other devices, especially any Bluetooth-enabled internet of things gear.

“For attackers it’s Candy Land,” says David Dufour, vice president of engineering and cybersecurity at the security firm Webroot. “You sit with a computer with a Bluetooth-enabled radio—just scanning for devices saying, ‘Hey, is anybody out there?’ Then you start prodding those devices to look for things like the operating system and the Bluetooth version. It’s a hop, skip, and a jump to start doing bad stuff.”

BlueBorne

As overall device security improves, researchers and attackers alike have turned to ancillary features and components to find ways in. In July, researchers announced a bug in a widely used Broadcom mobile Wi-Fi chip that put a billion devices at risk before it was patched. And in 2015, researchers found a critical flaw in Apple’s Airdrop file-sharing feature over Bluetooth.

And then there’s BlueBorne. Apple’s iOS hasn’t been affected by the flaws since the 2016 iOS 10 release, Microsoft patched the bugs in Windows in July, and Google is working on distributing a patch (though this can take significant time). But in addition to endangering core devices such as smartphones and PCs, BlueBorne has implications for the billions of Bluetooth-equipped internet of things devices in the world including smart TVs, speakers, and even smart lightbulbs. Many of these devices are built on Linux and don’t have a mechanism for distributing updates. Or even if they do, they rarely receive them in practice. Linux is working on but hasn’t yet issued a BlueBorne patch.

“We wanted to get the research community on board with this, because it didn’t take us a long time to find these bugs, one thing kind of led to another and we found eight really severe vulnerabilities,” says Ben Seri, the head of research at Armis. “Our assumption is there are probably a lot more. We want to get eyes and ears on this type of thing because it’s largely gone neglected by the research community and by vendors over the past years.”

When Bluetooth is on in a device, it is constantly open to and waiting for potential connections. So a BlueBorne attack starts by going through the process Webroot’s Dufour describes—scanning for devices that have Bluetooth on and probing them for information such as device type and operating system to see if they have the relevant vulnerabilities. Once an attacker identifies vulnerable targets, the hack is quick (it can happen in about 10 seconds) and flexible. The impacted devices don’t need to connect to anything, and the attack can even work when the Bluetooth on the victim device is already paired to something else. BlueBorne bugs can allow attackers to take control of victim devices and access—even potentially steal—their data. The attack can also spread from device to device once in motion, if other vulnerable Bluetooth-enabled targets are nearby.

As with virtually all Bluetooth remote exploits, attackers would still need to be in range of the device (roughly 33 feet) to pull off a BlueBorne attack. But even with the extensive and productive BlueBorne patching that has already happened, there are still likely plenty of vulnerable devices in any populated area or building.

The Best Defense

The importance of Bluetooth defense has become increasingly clear, and the Bluetooth Special Interest Group, which manages the standard, has focused on security (particularly cryptography upgrades) in recent versions. But attacks like BlueBorne that affect individual implementations of Bluetooth are attracting attention as well. “Attacks against improperly secured Bluetooth implementations can provide attackers with unauthorized access to sensitive information and unauthorized use of Bluetooth devices and other systems or networks to which the devices are connected,” the National Institute of Standards and Technology noted in its extensive May “Guide to Bluetooth Security” update.

You can’t control if and when devices get patched for newly discovered Bluetooth vulnerabilities, and you’re probably not going to stop using Bluetooth altogether just because of some possible risks. But apply every patch you can, and keep Bluetooth off when you’re not using it. “With security everything is kind of like the flavor of the week,” Webroot’s Dufour says. “So this week it’s Bluetooth.”

Security’s often a matter of weighing risk and reward, defense versus convenience. In the case of Bluetooth, it’s an easy call.

Hay Newman, Lily. “Hey, Turn Bluetooth Off When You’re Not Using It,” Wired, September 13, 2017

Posted in: Security


6 Easy Opt-Outs to Protect Your Privacy

How to shrink your exposure to telemarketers, bulky catalogs, and online data mining

Marketers want your personal data and they’re willing to work hard to get it. The result can be a barrage of unsolicited mail, telemarketing calls, and pop-up ads.

You can cut down on those offers by signing up with the Do Not Call Registry and other services, some set up by industry groups. The World Privacy Forum’s Top 10 Opt Outs is a comprehensive resource of websites and organizations that help consumers reduce the amount of marketing material coming their way.

But you can also accomplish a lot, more quickly, with the whittled-down data-collection cleanse outlined below.

Not all of the online forms you’ll be accessing are equally simple to navigate. Follow these tips for cutting through the clutter and the whole six-step exercise can take under 10 minutes to complete. (I got it down to 9 minutes, 8 seconds.) That’s less time than it takes to do the dishes, and it will help make your inbox equally sparkly and clean.

Let’s start with pesky telemarketing calls.

1. National Do Not Call Registry

You know those annoying calls from “Heather at account services?” The National Do Not Call Registry helps you prevent such unsolicited intrusions from telemarketers.

Where to go: The FTC’s National Do Not Call Registry provides one-stop shopping for telemarketer opt-outs.

How it works: Once you get to the Registry you’re given two options: 1) to register or 2) to check to see if you’re registered. The straightforward form allows you to provide up to three lines; I registered my cell, my home landline, and my office line in just seconds.

What you’ll need: You have to provide a valid e-mail address to receive confirmation e-mails—one for each phone number you register—those confirmations arrived in my inbox almost instantly. When I clicked on the link in each e-mail, I was done.

2. Prescreened Credit Offers

Is your mailbox filled with “pre-approved” credit card offers? Lenders send out those solicitations after buying lists of potential borrowers from major credit reporting firms such as Equifax, Experian, and TransUnion. You can stop that cycle at the source. (This Federal Trade Commission FAQ page explains pre-screened credit.)

Where to go: The Consumer Credit Reporting Industry website, or call 888-567-8688.

How it works: The online form lets you opt out for five years. If you want to opt out permanently, you need to print out, fill out, and mail back an old-school paper form. Maddeningly, to get access to the paper form you first need to fill out another form online. You might want to do the quick-and-easy online opt-out first, and then go back and do the paperwork for the permanent opt-out later.

What you’ll need: Your Social Security number. I’ll admit I felt a little uncomfortable entering my SSN, but the reality is that if you’re getting these offers, the credit reporting agencies have this information anyway.

How long it took: 1 minute, 24 seconds (not including the time to fill out and mail the permanent opt-out form).

3. DMA Choice

I like the fall Pottery Barn catalog as much as the next guy—until I have to carry 20 pounds of mixed paper to the curb on recycling day. The opt-out program set up by the Data & Marketing Association won’t solve that problem completely, but it will reduce the volume of mail coming in.

Where to go: Head to DMA Choice.

How it works: This is a two-stage process. First, you register with DMA, providing an e-mail, password, and credit card information, including your zip code. Once you’re logged in, you get steered to a menu with three options. Clicking on the Catalogs/Magazines/Other Mail Offers link opens a daunting alphabetical list of companies. Ignore it. Head instead to Stop All Catalogs and click on Remove My Name. The site will ask you if you’re sure, at which point you click on Yes, Take Me Off and confirm your address.

What you’ll need: A credit card. You have to pay $2 for the online opt-out and $3 if you mail in the form. There are free opt-outs for caregivers and those with a deceased relative.

How long it took: 3 minutes, 12 seconds (including the time spent entering my credit card information to pay the small fee).

4. FERPA

Public school enrollment information about your children doesn’t have to be public. FERPA, the Family Educational Rights and Privacy Act, gives parents and students the right to keep a range of directory-style information private, such as the student’s address, place of birth, and dates of attendance at the school. The catch is, you have to request this.

Where to go: Since the FERPA opt-out procedure is district-specific, there’s no national online clearing house. You need to request a form from your local school district or print out the generic one on the WPF website, which you can then submit to local officials.

How it works: The WPF form is reasonably straightforward. You enter a little info about your student, along with your opt-out preferences. Many school districts only accept FERPA opt-outs at the beginning of the school year, so don’t delay.

What you’ll need: The forms vary somewhat, but there’s a good chance you’ll need to provide a student ID number.

How long it took: 40 seconds (not including the time to fill out the printed form and return it to the school).

5. Banks and Other Financial Institutions

The information collected and distributed by banks varies widely. Since that information can include very sensitive information such as account balances, it’s worthwhile to take the time to protect it.

Where to go: The Federal Deposit Insurance Corporation explains your rights and opt-out options, but does not provide a universal opt-out for financial institutions. The WPF site, however, includes an opt-out list for many large institutions, including Bank of America, Chase, Wells Fargo, and Citibank (1-888-214-0017).

How it works: I bank at Chase. So using the link above, I entered my account information and checked off all the options provided, instructing the bank not to share information about my creditworthiness or other personal information with affiliates and third parties for marketing purposes.

What you’ll need: Your account number and your Social Security number. If you have multiple accounts, you only need to enter the info for one. Don’t forget about your mortgage and investment accounts.

How long it took: 52 seconds.

6. Data Brokers

Data brokers are clearing houses for much of the information that’s gathered about you online and used by marketers. Most don’t have easy opt-outs. But Acxiom, one of the biggest data brokers, is an exception.

Where to go: Acxiom’s website includes an opt-out page.

How it works: I checked Acxiom’s About the Data site, and discovered that the company knows quite a lot about me, ranging from my family status to my income and political affiliations. Some of the information was surprisingly accurate, while other parts were flat-out wrong. You can, however, skip this step and go straight to the opt-out form.

What you’ll need: A little advance research. You’ll want to register your name, but also common misspellings, any maiden name, names from previous marriages, addresses dating back as far as you can recall, and all of your e-mail addresses.

How long it took: 1 minute, 30 seconds. The form itself is quite simple to use, but the dropdown menus slow things down a bit, as does the CAPTCHA confirmation that you’re a human, not a robot.

St. John, Allen. “6 Easy Opt-Outs to Protect Your Privacy” Consumer Reports September 2017

Posted in: Security, Tech Tips for Business Owners


Scrap Everything You Know About Creating Strong Passwords And Do This Instead

You know the drill: make a password with a hodgepodge of special characters, numbers, and letters, then change it periodically – or just ignore change alerts until a hacking scandal suddenly arises.

You may want to rethink your strategy.

Bill Burr, the man behind how we commonly think of devising passwords, recently told The Wall Street Journal, “much of what I did I now regret.”

The password creation shakeup

The retired 72-year-old was reportedly a manager at the National Institute of Standards and Technology (NIST) back in 2003 when he wrote “NIST Special Publication 800-63, Appendix A,” featuring the password guidelines we’ve held true for years now.

According to The Wall Street Journal, this included, namely, the rule that passwords should be a combination of numbers, special characters, and uppercase letters, which you change every 90 days.

Why is Burr changing his tune years later?

He reportedly had to produce the rules quickly and wanted them to be based on research, but he had no “empirical data on computer-password security.” So he turned to a white paper from the 1980s.

Burr told The Wall Street Journal that his advice has led people astray because those rules were probably too challenging for many to understand and caused people to use passwords that were not too difficult to crack.

In June, the NIST released new guidelines, which don’t call for “special characters” or changing passwords frequently anymore. Instead, the NIST says the rules now preach “long, easy-to-remember phrases” and just coming up with new ones “if there is a sign they may have been stolen.”

An xkcd comic by Randall Munroe from August 2011 shows that guessing the password “Tr0ub4dor&3” would take three days, according to the cartoonist’s calculations, compared to the words “correct horse battery staple” typed as a single passphrase, which would take a staggering 550 years. Computer-security specialists found this to be true.

Be careful changing passwords

You may also want to rethink how often you update your password. This practice can place us at risk if we take the wrong approach.

When we repeatedly change passwords, we don’t always change them properly.

Professor Alan Woodward of the University of Surrey told BBC News that NIST publications have a far reach, giving the rules “a long lasting impact.” But he also mentioned “a rather unfortunate effect”:

For example, the more often you ask someone to change their password, the weaker the passwords they typically choose. . . . And, as we have all now so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems.

Steer clear of these password options

So if you’re looking to change your password soon, don’t pick these.

SplashData, which supplies password management applications, released the 2015 version of its “Worst Passwords List.” Here are the top 10 worst ones featured:

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball

Morgan Slain, CEO of SplashData commented on the findings in a statement.

We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers…As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.
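To make the reasoning in this article concrete, here is an added example (not code from the article or from NIST, SplashData or xkcd) that does two things: it reproduces the xkcd-style arithmetic behind “three days” versus “550 years”, and it applies the kind of check the revised NIST guidance favors, a minimum length and a denylist of common passwords instead of composition rules. The guess rate of 1,000 guesses per second, the 2,048-word passphrase list, the 28-bit estimate for “Tr0ub4dor&3”, and the suffix-stripping heuristic are assumptions made for the example; the denylist is the SplashData top 10 quoted above.

```python
"""Password-strength arithmetic and a NIST SP 800-63B style check.

Added example; assumptions (not from the article):
  * 1,000 guesses/second, the rate xkcd 936 uses for a throttled
    online attack
  * passphrases drawn from a 2,048-word list (11 bits per word)
  * xkcd's 28-bit estimate for the "Tr0ub4dor&3" style of password
"""
import math

GUESSES_PER_SECOND = 1_000            # assumed online guessing rate
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
XKCD_TROUBADOR_BITS = 28              # xkcd's estimate for "Tr0ub4dor&3"

# SplashData 2015 top-10 list quoted in the article, kept lowercase so the
# comparison is case-insensitive. A real deployment would load a much
# larger list of breached and common passwords here.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "football", "1234", "1234567", "baseball",
}

# Characters people typically bolt onto a common word to satisfy the old
# composition rules ("Password1!"). Assumed heuristic for the example.
TRIVIAL_SUFFIX_CHARS = "0123456789!@#$%^&*"


def passphrase_bits(n_words: int, wordlist_size: int = 2048) -> float:
    """Entropy of n words chosen uniformly at random from a wordlist."""
    return n_words * math.log2(wordlist_size)


def crack_time_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust a search space of 2**bits guesses at a given rate."""
    return 2 ** bits / rate


def crack_time_days(bits: float) -> float:
    return crack_time_seconds(bits) / SECONDS_PER_DAY


def crack_time_years(bits: float) -> float:
    return crack_time_seconds(bits) / SECONDS_PER_YEAR


def check_password(candidate: str, min_len: int = 8) -> list[str]:
    """Verifier-side checks in the spirit of NIST SP 800-63B.

    No composition rules; instead enforce a minimum length and reject
    anything on the denylist, including a denylisted word with a trivial
    suffix attached. Returns the reasons for rejection (empty = accepted).
    """
    reasons: list[str] = []
    lowered = candidate.lower()
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if lowered in WORST_PASSWORDS:
        reasons.append("on the common-password denylist")
    else:
        stripped = lowered.rstrip(TRIVIAL_SUFFIX_CHARS)
        if stripped and stripped in WORST_PASSWORDS:
            reasons.append("common password with a trivial suffix")
    return reasons


if __name__ == "__main__":
    print(f"Tr0ub4dor&3 style ({XKCD_TROUBADOR_BITS} bits): "
          f"{crack_time_days(XKCD_TROUBADOR_BITS):.1f} days")
    bits = passphrase_bits(4)
    print(f"four-word passphrase ({bits:.0f} bits): "
          f"{crack_time_years(bits):.0f} years")
    for pw in ("password", "Football1!", "correct horse battery staple"):
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

Running the block prints roughly 3.1 days for the 28-bit password and about 557 years for the 44-bit passphrase, matching the figures in the article, and shows that “Football1!” fails the denylist check even though it would have satisfied the old character-mix rules, while the plain four-word passphrase is accepted.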

Embracing the new way of thinking when it comes to passwords just might keep your online accounts out of harm’s way.

Burnett, Jane. “Scrap everything you know about creating strong passwords and do this instead” Ladders (theladders.com) August 2017


You can go to the site www.HaveIBeenPwned.com, enter your login names one at a time (ex: Jkalli, JohnKalli, Jkalli@trinityww.com, etc. – whatever login names you might have) and it will tell you if any of them has ever been part of a breach. If so, change the login/password combination wherever you might have used it.

Also, go to www.passfault.com to see how long it would take a hacker to crack your password.

Posted in: Security
