Blog

Archive for Security

How to Prevent Phone Hacking

Traditionally a headache reserved for celebrities, smartphone-hacking concerns have crossed the VIP vs. everyone else blood-brain barrier and are now a legitimate concern for anyone who owns a cell phone.

The Security Risks of Phone Hacking

But is this really a serious problem for us regular folks? Are our voicemail messages so interesting that someone would invade our privacy to listen in? Before we go barking up the narcissism tree, it’s best to examine what phone hacking is and whether you really need to worry about it.

There are many types of phone hacking methods, ranging from hacking into a live conversation or someone’s voicemail to hacking into data stored on one’s smartphone. While the fear of the unknown can keep anyone on edge, the person most likely to hack into your live conversation or voicemail will be someone that you already know. And in today’s mobile world, phone hacking continues to grow as a security issue. As people increasingly store sensitive data on their mobile devices, the opportunity to exploit privacy weaknesses becomes more tempting to unscrupulous frenemies, exes or the occasional stranger.

There is a cottage industry of phone hacking software, ostensibly developed for legal uses, but that can be easily abused by anyone (password crackers aptly named John the Ripper and Cain and Abel are two examples). Opportunistic hackers can wreak havoc with data deletion or install malicious software that gathers bank account logins and confidential business emails. So, how can you make things tougher for hackers?

How to Secure Your Phone From Hackers

If you want to be proactive, there are several measures you can take to protect yourself against phone hacking, most of which involve common sense. In addition, there are advanced methods to ensure that your phone is as secure as possible (without losing its full functionality). For example:

Basic Phone Security Tips

For casual phone users, adhering to the basics is a great place to start when it comes to blocking simple hacking efforts:

  • Never leave your phone unattended. Keeping your phone with you at all times while in a public place is the first, best rule to follow.
  • Change your phone’s default passcode. Your phone likely comes with a simple, predictable default password, and those who know can use this to their advantage. Change your code to something more complex, and resist the usual “1234,” “0000” and “2580” codes that are commonly used.
  • Manage your Bluetooth Security. Avoid using unprotected Bluetooth networks and turn off your Bluetooth service when you aren’t using it.
  • Protect your PIN and Credit Card data. Use a protected app to store PIN numbers and credit cards, or better yet, don’t store them in your phone at all.

Advanced Ways to Prevent Phone Hacking

If you’re still worried about hacking, there are further steps you can take to protect yourself. However, taking things too far will defeat the purpose of having a smartphone at all.

  • Avoid unsecured public WiFi. Hackers often target sensitive activity such as bank account logins over public WiFi, which is often unsecured because its safety standards are relaxed or missing altogether.
  • Turn off your autocomplete feature. By doing this, you can prevent stored critical personal data from being accessed.
  • Regularly delete your browsing history, cookies, and cache. Removing your virtual footprint is important in minimizing the amount of data that can be harvested by prying eyes.
  • Have an iPhone? Enable Find My iPhone. By turning the feature on in your settings, you’ll be able to locate your phone if you misplace it before the hackers can lay their paws on it.
  • Use a security app that increases protection. For Android owners, Webroot offers the all-in-one Mobile Security for Android app that provides antivirus protection and allows you to remotely locate, lock up and wipe your phone in the event you lose track of it. For iOS users, Webroot also offers a free secure web browser for increased mobile security on your iPhone and iPad.

Remember—if the thought of hacking has you tossing and turning at night, you can just turn the phone off, remove the battery and hide it under your pillow for some sweet lithium-ion induced dreams. Or, you can double down on securing your mobile devices with mobile security solutions offering secure web browsing and real-time defense against phishing attacks.

Webroot Smarter Cybersecurity, Cybersecurity Education Resources, Tips/Articles

Posted in: Mobile Computing, Security, Tech Tips for Business Owners

6 Tech Mistakes Every Growing Business Should Avoid

We count down some all-too-common tech mistakes – the kind that can damage a growing business, and even stunt its growth for good.

Buying tech for your business is pretty exciting. It’s a chance to drive faster growth and innovation. To do more, in cooler, smarter ways.

That said, it’s also absolutely terrifying. There’s the purchase cost, the hassle of implementation, the new security concerns – and the knowledge that if you make one big mistake, it could have a devastating effect on your bottom line.

So, be forewarned and forearmed.

Here are 7 tech mistakes too many growing businesses make…

1. Not taking security seriously.

These days, every business is a potential target. So, make sure your firewalls are in place, your antivirus is up to date, your data and files are in a secure location and you’ve the power to shut down compromised devices at any time.

A security breach could bring your business to a halt, stunting your growth. And even more damaging, if customer data is compromised, it could irreparably harm the relationships and reputation you’re working so hard to build.

When talking IT in the cloud, there’s a common misperception that it’s not secure because you can’t physically see where your data is being stored. Don’t be fooled. One of the biggest benefits of cloud IT is that companies (think Google and Microsoft) can use world-class security experts (the kind only companies like this can hire) to protect their apps and servers.

2. Not keeping backups.

A burglary, a fire, a computer crash… any one of these is a headache for your business – but if you lose data that’s not backed up, it’s a potential catastrophe.

Whatever your size, it pays to pay attention to disaster recovery. Work out an efficient way of backing up your critical data before you need it. Better yet, consider cloud storage to make your data available on any device and ensure it will still be there if a disaster happens. Servers usually don’t survive floods or fires.

3. Not planning for the future.

Your set of Excel spreadsheets might seem like a fine way of tracking customers now, but what about in a year’s time when your customer base soars?

For the smaller business, not thinking about scalability is a big mistake. Whether it’s your business voice service, productivity apps, customer relationship management tools, wireless plans – whatever – you need to know your tech will grow with you, simply, quickly and without harsh penalties or capital investment.

4. Not doing your research.

There’s speed, and there’s carelessness. However agile your business aspires to be, research is a crucial stage in any tech investment.

Spend a little time analyzing exactly what you need, and exactly what each competing product or service will deliver – you’ll almost certainly save yourself a lot more time (and money) somewhere further down the line.

5. Not upgrading when you should.

When budgets are tight, tech upgrades can be the first casualty. Witness the number of businesses still on Windows XP – which retained an 11% market share in 2015, despite Microsoft dropping support for the operating system a year before, leaving it unpatched and vulnerable to new security threats.

Upgrading your tech may be a hassle, but it’s a whole lot easier than dealing with the fallout of a security breach. And that’s just one example. Eking more life out of any aging software and infrastructure than it’s designed for is a fast track to inefficiency and cost.

6. Trying to go it alone.

As you try to deliver the tech your growing business needs, it’s easy to grow a whole new department – which needs to be housed, equipped and paid.

But today – thanks to the cloud and managed services – there’s another option. You can outsource some or all of your tech burden to an expert partner, helping you keep your own business lean, even as its revenues swell.

How to avoid the mistakes – a handy recap…

1. Think Cloud and as-a-Service.

2. Take security seriously.

3. Backup. Backup. Backup.

4. Plan to scale.

5. Don’t skimp on the research.

6. Upgrade when you should.

7. Ask for help.

That’s it.

Watch out for these mistakes, and equipping your business with the technology it needs should at least be a little less scary – but no less exciting.

Have questions? Not a problem. We are happy to help!

We can have one of our professional engineers meet with you to strategize and execute the best solution to suit your business needs. Email us at support@trinityww.com or give us a call at 732-780-8615 to get more information, or to schedule an appointment with one of our trained professionals today!

Posted in: Cloud Computing, Computer Maintenance, Disaster Recovery, IT Support, Security, Tech Tips for Business Owners

How to Snoop Proof Any Phone or Tablet

It’s likely that you’ve got details of your whole life stored on your phone—the people you know, the banks you’ve used, the videos you’ve wasted hours watching—and you don’t necessarily want that info getting out into the wider world. If you’re keen to lock down your handset against unwelcome visitors, you need to take a few steps.

There’s lots to cover, from protecting against friends at parties who might pick up your phone and start scrolling through photos, to government agencies who might be eager to tap into your outgoing messages. There are plenty of ways to put up barriers and stop all but the most advanced attacks, and we’ll cover the most important ones here, for phones and tablets running iOS and Android—though many of the principles can be applied to laptops and other kinds of devices too.

It’s worth noting at the outset that it’s very hard to make a device completely snoop-proof—even if you physically remove the camera and the microphone, Edward Snowden-style, determined hackers can still get at your data.

Basic security tips

Every so often a new report appears lamenting the high number of people who leave their phones unlocked, or who use an easily guessable PIN like 1234. In 2017 there really is no excuse for leaving your device unprotected, with so many options available—from trusted locations on Android, which helpfully turns on additional security when you’re not at home, to Touch ID on iOS, which demands your fingerprint for accessing protected data. Go to Security in Android’s Settings app or Touch ID & Passcode in the iOS one to get something in place.

That should stop passers-by and curious friends from getting at your phone, but more information than you might think can be accessed from the lock screen—for example, by default on an iOS device you can launch Siri and ask “who do I call most?” to see a list of recent calls, no unlock required.

The feature is designed to help someone return your phone to you if it gets lost, but if you’re not comfortable with it you can turn this and other lock screen pop-ups off by going to the Touch ID & Passcode menu in Settings. You can disable notifications too if you don’t want people taking a peek at your Twitter mentions as they flash up on screen.

On Android devices the only settings to really be aware of are the notification ones controlling what appears on the lock screen. Go to Notifications in Settings and you can disable all alerts or just ones for certain apps; the recent versions of Android also let you hide “sensitive” information on the lock screen, which typically means anything that comes through one of your messaging apps.

Securing your apps

As we’ve explained before, some apps are more secure than others when it comes to protecting and encrypting your data. Our picks for the most snoop-resistant messaging apps are currently Signal (iOS, Android) and WhatsApp (iOS, Android), and if you’re using anything else you’re leaving yourself at greater risk of getting snooped on.

When it comes to browsing, the built-in apps do a decent job protecting you against various kinds of snooping, but there’s certainly room for improvement as well. Apps like Orbot (Android) and Onion Browser (iOS) will keep all your browsing encrypted, anonymous, and very difficult (though not impossible) to track. On top of that, a VPN tool such as Opera VPN (Android, iOS) will encrypt all the data going to and from your device; such tools are especially useful on public Wi-Fi networks in coffee shops and hotels.

Worried about app developers snooping on your activities? Besides studying the terms and conditions very closely, you can check on (and revoke) permissions for a particular app—on Android tap Apps in Settings, then select an app and choose Permissions, or on iOS, from Settings tap Privacy then choose a category to see which apps have privileges and take them back. As a nuclear option you can simply uninstall offending apps.

On Android devices, you also have the extra option of installing an app locker, which adds an additional layer of protection for specific apps or files if someone should get past your lock screen. It can range from demanding a PIN or password, to demanding a fingerprint scan every time you want to open the app. AppLock (Android), Privacy Knight (Android), and Norton App Lock (Android) are all great choices.

One of the best ways of minimizing the risk of snooping is to have as little data on your phone as possible at any one time. How you go about this will vary from app to app, but to take iMessage as an example, you can go to Messages from Settings and then tap Keep Messages to have them automatically cleaned up after 30 days or a year. Other apps will have similar options. Though be sure to offload photos and videos to the web using something like iCloud or Google Photos before you start auto-deleting old texts.

Your phone also has a habit of tracking places you’ve been and subjects you’ve searched, so you’ll want to deactivate that, if possible. Check in the Activity Controls page of your Google account, where you can enable or disable location history, the storing of voice searches, YouTube viewing history, web browsing activities, and so on.

And something you might not often think about is the third-party apps hooked up to your main apps—all those little utilities and add-ons you’ve granted permission to use your Facebook or Twitter accounts. While these are usually nothing to worry about, outdated and unsecured connected apps can be used to snoop on your activities remotely, so it’s best to keep as few active as possible.

Head into the settings pages for all your services on the web to do this. For Google, you can go to the Connected apps and sites page; on Facebook, connected apps are listed in the App Settings page; while on Twitter, you can go to the Apps page to kick out any connected tools you don’t recognize or no longer have any need for.

Nield, David. “How to Snoop-Proof Any Phone or Tablet” GIZMODO, Mobile

Posted in: Mobile Computing, Security, Tech Tips for Business Owners

12 Simple Things You Can Do To Be More Secure Online

Follow these easy tips to protect the security of your devices, your data, your internet traffic, and your identity.

If a major shopping or financial site suffers a data breach, there’s not much you can do about it except change your password, get a new credit card, and possibly freeze your credit.  Protecting against that sort of attack is just out of your hands.  But there are many kinds of security problems that hit closer to home.

Ransomware could effectively brick your computer until you pay the ransom.  A data-stealing Trojan could lift all your secure logins.  Fortunately, there’s a lot you can do to defend against these local problems.

Making your devices, online identity, and activities more secure really doesn’t take much effort. In fact, several of our tips about what you can do to be more secure online boil down to little more than common sense. These 12 tips for being more secure in your online life will help keep you safer.

1. Install an Antivirus and Keep it Updated

We call this type of software antivirus, but it actually protects against all kinds of malicious software.  Ransomware encrypts your files and demands payment to restore them.  Trojan horse programs seem like valid programs, but behind the scenes they steal your private information. Bots turn your computer into a soldier in a zombie army, ready to engage in a denial of service attack, or spew spam, or whatever the bot herder commands. An effective antivirus protects against these and many other kinds of malware.

You may be thinking, wait, isn’t antivirus built into Windows? Not only is Microsoft Defender Security baked into the operating system, it automatically takes over protection when it detects no other antivirus, and just as automatically steps aside when you install third-party protection. The thing is, this built-in antivirus just doesn’t compare with the best third-party solutions. Even the best free ones are way better than Windows Defender. Don’t rely on it; you can do better.

One more thing. If your antivirus or security suite doesn’t have ransomware protection, consider adding a separate layer of protection. Many ransomware-specific utilities are entirely free, so there’s no reason not to try a few of them and select the one that suits you best.

2. Explore the Security Tools You Install

Many excellent apps and settings help protect your devices and your identity, but they’re only valuable if you know how to use them properly. Understanding the tools that you assume will protect you will go a long way toward them actually protecting you. For example, your smartphone almost certainly includes an option to find it if lost, and you may have even turned it on. But did you actively try it out, so you’ll know how to use it if needed?

Your antivirus probably has the ability to fend off Potentially Unwanted Applications (PUAs), troublesome apps that aren’t exactly malware but don’t do anything beneficial. Check the detection settings and make sure it’s configured to block these annoyances. Likewise, your security suite may have components that aren’t active until you turn them on. When you install a new security product, flip through all the pages of the main window, and at least take a glance at the settings.

To be totally sure your antivirus is configured and working correctly, you can turn to the security features check page on the website of the AMTSO (Anti-Malware Testing Standards Organization). Each feature-check page lists the antivirus tools that should pass. If yours shows up in the list but doesn’t pass, it’s time to contact tech support and find out why.

3. Use Unique Passwords for Every Login

One of the easiest ways hackers steal information is by getting a batch of username and password combinations from one source and trying those same combinations elsewhere. For example, let’s say hackers got your username and password by hacking an email provider. They might try to log into banking sites or major online stores using the same username and password combination. The single best way to prevent one data breach from having a domino effect is to use a strong, unique password for every single online account you have.

Creating a unique and strong password for every account is not a job for a human. That’s why you use a password manager. Several very good password managers are free, and it takes little time to start using one. The good thing is that when you use a password manager, the only password you need to remember is the master password that locks the password manager itself.

4. Get a VPN and Use It

Any time you connect to the Internet using a Wi-Fi network that you don’t know, you should use a virtual private network, or VPN. Say you go to a coffee shop and connect to a free Wi-Fi network. You don’t know anything about the security of that connection. It’s possible that someone else on that network, without you knowing, could start looking through or stealing the files and data sent from your laptop or mobile device. A VPN encrypts your internet traffic, routing it through a server owned by the VPN company. That means nobody, not even the owner of the free Wi-Fi network, can snoop on your data.

5. Use Two-Factor Authentication

Two-factor authentication can be a pain, but it absolutely makes your accounts more secure. Two-factor authentication means you need to pass another layer of authentication, not just a username and password, to get into your accounts. If the data or personal information in an account is sensitive or valuable, and the account offers two-factor authentication, you should enable it.

Two-factor authentication verifies your identity using at least two different forms of authentication: something you are, something you have, or something you know. Something you know is the password, naturally. Something you are could mean authentication using a fingerprint, or facial recognition. Something you have could be your mobile phone. You might be asked to enter a code sent via text, or tap a confirmation button on a mobile app. Something you have could also be a physical Security Key; Google and Microsoft have announced a push toward this kind of authentication.

If you just use a password for authentication, anyone who learns that password owns your account. With two-factor authentication enabled, the password alone is useless. Most password managers support two-factor, though some only require it when they detect a connection from a new device. Enabling two-factor authentication for your password manager is a must.

6. Use Passcodes Even When They Are Optional

Apply a passcode lock wherever available, even if it’s optional. Think of all the personal data and connections on your smartphone. Going without a passcode lock is unthinkable.

Many smartphones offer a four-digit PIN by default. Don’t settle for that. Use biometric authentication when available, and set a strong passcode, not a stupid four-digit PIN. Remember, even when you use Touch ID or equivalent, you can still authenticate with the passcode, so it needs to be strong.

Modern iOS devices offer a six-digit option; ignore it. Go to Settings > Touch ID & Passcode and select Change Passcode (or Add Passcode if you don’t have one). Enter your old passcode, if needed. On the screen to enter the new code, choose Custom Alphanumeric Code. Enter a strong password, then record it as a secure note in your password manager.

Different Android devices offer different paths to setting a strong passcode. Find the Screen Lock settings on your device, enter your old PIN, and choose Password (if available). As with the iOS device, add a strong password and record it as a secure note.

7. Pay With Your Smartphone

The system of credit card use is outdated and not very secure at all. That’s not your fault, but there is something you can do about it. Instead of whipping out the old credit card, use Apple Pay or an Android equivalent everywhere you can. There are tons of choices when it comes to apps. In fact, we have an entire roundup of mobile payment apps.

Setting up your smartphone as a payment device is typically a simple process. It usually starts with snapping a picture of the credit card that you’ll use to back up your app-based payments. And setup pretty much ends there; you’re ready.

How is that better than using the credit card itself? The app generates a one-use authentication code, good for the current transaction only. Even if someone filched that code, it wouldn’t do them any good. And paying with a smartphone app completely eliminates the possibility of data theft by a credit card skimmer.

Some smartphone payment apps let you pay online with a similar one-time code. If yours doesn’t, check with your credit card provider. Bank of America, for example, has a program called ShopSafe that works like this: You log into your account, generate a 16-digit number as well as a security code and “on-card” expiry date, and then you set a time for when you want all those digits to expire. You use the new temporary numbers in place of your real credit card when you shop online, and the charges go to your regular account. The temporary card number will not work again after it expires. Other banks offer similar services. The next time your credit card company or bank calls you to try and sell you upgrades, ask about one-time use card numbers.

8. Use Different Email Addresses for Different Kinds of Accounts

People who are both highly organized and methodical about their security often use different email addresses for different purposes, to keep the online identities associated with them separate. If a phishing email claiming to be from your bank comes to the account you use only for social media, you know it’s fake.

Consider maintaining one email address dedicated to signing up for apps that you want to try, but which might have questionable security, or which might spam you with promotional messages. After you’ve vetted a service or app, sign up using one of your permanent email accounts. If the dedicated account starts to get spam, close it, and create a new one. This is a do-it-yourself version of the masked emails you get from Abine Blur and other disposable email account services.

Many sites equate your email address with your username, but some let you select your own username. Consider using a different username every time—hey, your password manager remembers it! Now anyone trying to get into your account must guess both the username and the password.

9. Clear Your Cache

Never underestimate how much your browser’s cache knows about you. Saved cookies, saved searches, and Web history could point to home address, family information, and other personal data.

10. Turn Off the ‘Save Password’ Feature in Browsers

Think about this. When you install a third-party password manager, it typically offers to import your password from the browser’s storage. If the password manager can do that, you can be sure some malicious software can do the same. In addition, keeping your passwords in a single, central password manager lets you use them across all browsers and devices.

11. Don’t Fall Prey to Click Bait

Part of securing your online life is being smart about what you click. Click bait doesn’t just refer to cat compilation videos and catchy headlines. It can also comprise links in email, messaging apps, and on Facebook. Phishing links masquerade as secure websites, hoping to trick you into giving them your credentials. Drive-by download pages can cause malware to automatically download and infect your device.

12. Protect Your Social Media Privacy

You can drastically reduce the amount of data going to Facebook by disabling the sharing platform entirely. Once you do, your friends can no longer leak your personal data. You can’t lose data to apps, because you can’t use apps. And you can’t use Facebook to log into other websites (which was always a bad idea).

Of course, other social media sites need attention too. Google probably knows more about you than Facebook, so take steps to manage your Google privacy, too. Make sure you’ve configured each social media site so that your posts aren’t public (well, all except Twitter). Think twice before revealing too much in a post, since your friends might share it with others. With care you can retain your privacy without losing the entertainment and connections of social media.


This article offers excellent cyber security measures that you should apply.  However, knowing, choosing, and implementing the right tools for your environment can take a lot of research and time.  We are here to offer our expertise, so that you can focus your time and energy on your business!

If you are in the market for a managed service provider that specializes in cyber security – CALL US!  We can assess your IT environment, identify areas that can be improved and implement inexpensive, effective cyber security measures to keep you safe.

Email us at support@trinityww.com or give us a call at 732.780.8615 to get more information, or to schedule an appointment with one of our trained professionals.

Posted in: IoT, Mobile Computing, Security, Tech Tips for Business Owners

For Goodness’ Sake, Get a Web Filter

Recently in the news we heard about a government agency being infected with malware because one of its employees watched porn on his work computer.  This mishap could have been avoided if only the organization had a Web Filter in place.

Unfortunately, it was discovered that this employee had been visiting thousands of porn sites, as well as being guilty of downloading images onto an unauthorized thumb drive. This type of behavior is a potential nightmare for any organization. But it’s important to learn from this and know that this could have been prevented if a web filter had been in place. Your employees shouldn’t be able to access unauthorized sites like this in the first place.

The Inspector General, who wrote a report on the incident, had some rather obvious recommendations. For starters, he recommended “a strong blacklist policy.” He also recommended regularly checking the web history of employees’ computers to make sure they aren’t visiting websites that could put the agency at risk again.

It’s advice that every company, regardless of size, should be heeding. While you would like to think that employees at small companies are more bought into the mission, it doesn’t mean they aren’t doing foolish things on your computers.

Seems like every week we hear a story blaming employees for being lax about security. They have bad passwords or they fall for phishing scams. They do all kinds of things that compromise your company’s security position, but here’s the thing. You shouldn’t be blaming only your employees, when they are using the systems and policies you’ve put in place.

It is easy for us to blame the user, but as a business owner it is also your responsibility to implement safeguards that will ensure that employees cannot access potentially harmful sites that could end up infecting your network.

This can be easily prevented by simply implementing a web filter!  By doing so you are protecting your valuable business assets.  Your company assets shouldn’t be at risk because one of your employees was poking around questionable websites that exposed your network to the dangers of malware.

You should also consider some basic training to lay the groundwork for what’s acceptable at work. While it might seem like common sense, and it often is, people don’t always behave sensibly. That said, you also have to be careful of being overly rigid when writing the rules of what’s acceptable. For example, some companies have blocked social media when the fact is a lot of business gets conducted on these sites.

In the end, it’s your business and you need to ensure that it’s safe. If you’re allowing employees to explore the internet without any kind of filtering tools, you’re leaving yourself vulnerable to a host of malware. While you can blame the employees for not being smart about the sites they visit, in the end it all comes down to you and putting the tools and training in place to make sure they don’t do that.

Miller, Ron. “For Goodness’ Sake, Get a Web Filter.” TechCrunch, October 2018


As a rule, we implement internet security filtering for all of our “managed clients.”   This service has the potential to stop most ransomware in its tracks, by blocking their ability to contact their command and control server.  We consider this to be as critical a part of your overall security as antivirus protection.

Whether you are in the market for a managed service provider or looking into adding a web filter to your existing network  – we can help.  We can have one of our professional network engineers evaluate your needs, and identify any areas that can be improved.

Email us at support@trinityww.com or give us a call at 732.780.8615 to get more information, or to schedule an appointment with one of our trained professionals.

 

Posted in: Security


Forget Passwords! It’s Time for Passphrases!

Mr. Henry Williams is a deputy editor for The Wall Street Journal in New York, and he reported on something we also just recommended. Here is an excerpt, with a link to the full article at the end. You should forward this to your C-suite:

Two researchers say they have come up with a system that makes passphrases more secure and practical.

We all know the drill: When signing up at a website, you’re told to choose a password. It has to be at least a certain number of characters. It must contain letters and at least one number and perhaps at least one special character. Oh, but some special characters aren’t acceptable.

The death of complicated passwords—which are both hard to remember and not that secure—has been forecast for years, but reality hasn’t quite caught up yet.

Now, however, two researchers have developed an idea for replacing passwords with more-secure passphrases that people will actually remember and use.

Kevin Juang, a former doctoral student at Clemson University, and his co-author and adviser, Joel Greenstein, have created a working prototype of an online system for websites and their registered users to replace passwords with randomly generated passphrases that in theory, in combination with other cues, will be much easier to remember and to enter accurately.

Passphrases have been discussed in online-security research for over 30 years, but most websites and apps still use passwords. Partly, that’s because long passphrases are harder to type, leading to more log-in failures, but it’s also because users tend to pick phrases from common sources, like song lyrics, making them easy for hackers to figure out. People also sometimes use a passphrase on more than one website, or use a certain word repeatedly to make the passphrase even easier to remember.

Williams, Henry. “Forget Passwords. It’s time for Passphrases” The Wall Street Journal. 2018 September

Wall Street Journal Article: “Forget Passwords. It’s Time for Passphrases”


This is only one aspect of our layered security strategy that our cybersecurity team has been recommending to our customers. To see how fast any of your complex passwords can be cracked, go to www.passfault.com.

A good place to start is to see if your employees’ credentials (email and password combinations) are on the Dark Web.

Right now, we are offering a complimentary Dark Web Scan for your business’s email domain. This report will immediately reveal if you or any of your employees have been compromised within the last 36 months.

If nothing turns up, you’ll have peace of mind and you can take preventative actions to make sure it stays that way. On the other hand, if the report reveals a compromise, you are in the best position to take the next logical step towards protecting your business!

You can always contact us at CyberSecurity@Trinityww.com or by calling (732) 780-8615 if you have any questions about what you can be doing to put your business in the best position to avoid a cyber security breach.

Posted in: E-mail, IT Support, Security, Tech Tips for Business Owners


Scam of the Week: “Another” New CEO Fraud Phishing Wrinkle

So, here’s a new CEO Fraud phish: see these fresh screen shots from emails reported to us through the free KnowBe4 Phish Alert Button. Bad guys spoof the managing partner and CPA at an accounting & consulting firm and ask an employee for the “Cash/Bank Statement Reconciliation” for June of this year.

 

Now, it’s not immediately clear what the bad guys could do with the data from such a statement, but this may simply be a first step of a one-two punch that is meant to establish credibility. The next step would be a malicious request for salary payment records like a pay stub that allow the bad guys to change bank accounts for direct deposit salary payment to accounts they control.

Here is another variant, where the employee seems to be willing to comply:

And here is another variant

See the payroll phish screenshot, which asks an employee at a credit union to change the email associated with another employee’s ADP account to a non-company email address.

Of course, ADP already allows employees to do this on their own: http://www2.ccga.edu/Faculty/HumanResources/ADP/files/PersonalContact.pdf

We are expecting the scheme to work like this: once the email address is changed, the bad guys who control that email address can force a password change by selecting the “I forgot my password” option on the ADP portal, change the password, then effectively hijack the account. From there they can change the direct deposit info, mine the account for identity/tax refund theft, and so forth.

Presumably this same scheme could work with similar services (SAP, Paychex, Zenefits, etc.).

The “beauty” of this approach is that targeted employees as well as their employers would remain blind to all the fraudulent changes made after the email address is switched. How often do employees tend to log in to their ADP accounts anyway? Once every few months would be my guess. Perhaps even as infrequently as once a year. Two interesting observations about this particular phish:

  1. The bad guys didn’t bother spoofing the targeted employee’s corporate email address. They used the same address submitted as a substitute.
  2. The targeted employee doesn’t appear to be very senior in the organization. So, this might be some kind of initial test to see if the scheme works.

Sjouwerman, Stu. “Scam of the Week: ‘Another’ New CEO Fraud Phishing Wrinkle.” KnowBe4.com blog, July 20, 2018

Posted in: Security, Tech Tips for Business Owners


7 Tips to Using a Password Manager Safely

Password security can look pretty grim! However, the benefits of a good password manager – generating and saving complex, unique passwords you can easily update – mean that most experts recommend using one. “While it’s impossible to be completely immune from the most advanced threats, selecting the right third-party password manager can help users to protect their credentials from the majority of attacks that they may face,” says Baumgartner.

You can also take the following seven steps to ensure you’re protecting your accounts:

  1. Choose a password manager without master password recovery

Whatever you do, choose a password manager that does not allow for recovery of the master password. “If a malicious actor is able to get ahold of the master password through account recovery tools, this renders even the most secure password management programs useless,” says Baumgartner.

  2. Use two-factor authentication

Any online account has a risk of being hacked. One way to circumvent this risk is to use two-factor authentication to protect your password manager. Chrome supports two-factor authentication with your smartphone, and, along with Firefox and Edge, also works with authentication hardware keys such as Yubico. Third-party password managers including Dashlane, LastPass and Sticky Password support two-factor authentication with your smartphone. “While two-factor authentication may still have some risks due to threats like SIM hijacking, at a minimum it puts one more layer of defense between the cybercriminal and your full arsenal of login information,” says Baumgartner.

  3. Turn off autofill

You may want to consider turning off autofill. This also means logging into your password manager, then copying and pasting your passwords into the login screen.

  4. Use strong passwords

When composing your master password, make it strong. “By today’s standards this means 20 characters or more, randomly generated passwords that contain lower and uppercase letters, digits and symbols,” says Palfy.  You might be proud of how devilishly uncrackable it is – but don’t reuse your master password.

  5. Make sure all of your passwords are unique

Make sure all your other passwords are unique. Dashlane Premium is one of the options that can automatically check for weak or repeated passwords then automatically replace them with a random, complex password.

  6. Keep your software up to date

Download security updates for your password manager as soon as available – often, they will be patching newly discovered vulnerabilities.

  7. Be wary of downloads and browser extensions

In general, be wary of your downloads especially browser extensions – unwittingly installed malware could end up logging keystrokes or copying logins.

Choosing the right password manager

The best password managers do not allow you to recover your master password, they let you use two-factor authentication, they monitor your accounts for password breaches and weak passwords, they generate strong passwords for you, they back up your passwords securely online and they let you use a fingerprint or face ID to log in on your smartphone. Our favorite password manager, Dashlane Premium ($60 per year), has all of the aforementioned features and more. It also fills out forms, including your credit card information, syncs across all of your devices, scans the Dark Web for personal data and account information and provides VPN service for your computer and smartphone to encrypt all of your data when using internet-based services over public WiFi.

This excerpt is taken from “Is it Safe to Use a Password Manager?”, an article written by Natasha Stoke, Techlicious.com.

Posted in: Security, Tech Tips for Business Owners


Make your Android or iPhone’s Fingerprint Reader Work Every Time

This dead-simple trick will keep you from wanting to throw your phone across the room.

Raise your hand if this is you: The fingerprint reader on your iPhone or Android phone fails often enough on the first try that you’re starting to wonder if you’ve been cursed with weird fingers.

Relax; there are plenty of reasons why you may not get an accurate read your first try, besides your mutant appendages.

  • Your fingertip hasn’t fully covered the sensor
  • You have wet hands
  • The phone didn’t get an accurate read when you first registered your print
  • The phone maker’s implementation may make the reader more sensitive, like if there are more demanding layers of security built into the software

This tip won’t help with all of those, but it definitely helps.

If you’re up to here with trying to unlock your phone so many times that you have to revert to a password or passcode, stop. Take a deep breath. And try this dead-simple solution that really works.

Register the same print two or three times. I do this with the phones I review and it makes the devices much more likely to unlock the first time around. For example, I’ll scan the finger I usually unlock the phone with at least twice — say, my thumb — and then scan a second finger that I might use to also unlock the device, like my index finger. I’ll usually also scan the index finger of my non-dominant hand, which has bailed me out more than once when I had my hands too full to unlock the phone as I normally would.

The reason multiple scans of the same finger works is because when you register your fingertip the first time around, it isn’t always clear which parts of your print the software has captured. A nominally helpful animation will urge you to lift your finger to capture more area, but that doesn’t necessarily reflect the data your phone’s actually storing.

By laying down the same fingerprint more than once, you’re doubling or tripling the chances that your phone will capture enough data.

Of course, adding duplicate digits won’t solve your unlocking issues if you constantly struggle to reach the reader, or if your hands are too wet for the phone to register your print.

How to register multiple fingerprints on your phone

Most phones give you a maximum of five fingerprints for security reasons. The more fingers you wave through, the higher the probability the phone will unlock for false positives, the reasoning goes.

On Android phones:

  • Open Settings
  • Tap Security
  • Tap “Fingerprint”
  • Re-enter your PIN
  • Tap “Add fingerprint”

On iPhones with Touch ID:

  • Open Settings
  • Tap Touch ID & Passcode
  • Enter your passcode
  • Under the section “Fingerprints” tap “Add a Fingerprint”

Dolcourt, Jessica. “Make Your Android or iPhone’s Fingerprint Reader Work Every Time” CNET July 5, 2018

Posted in: Mobile Computing, Security, Tech Tips for Business Owners


7 Passwords You Should Never Use at Your Small Business

Owning a small business means owning data. You’re constantly acquiring new information related to your customers, your financial details, and all the vendors and contractors with whom you work. One cyber criminal, though, one lucky hack, and you’ve just exposed your business to a major blow. From lost trust among your clients to costly lawsuits for the damage done, protecting your company from data theft is among your most important responsibilities.

A lot of it comes down to one simple choice you make:  passwords.

“Overall, passwords still present the biggest challenge for businesses of all sizes,” said Ron Schlecht, founder and managing partner of BTB Security. Businesses hire Schlecht’s company to test their digital security for weak spots and, he said, “you can’t imagine how many times we still break in to companies because of a bad password.”

If you want to avoid weak passwords at your business, start by steering clear of the following list. Read on for seven passwords you should never (ever) use.

Password

Arguably, this is the number-one and most common bad choice. Also prevalent are variations such as P@ssword and P@55w0rd!. These might be easy to remember, but they’re also among the first options hackers will try.

QWERTY

Easy-to-guess passwords often take root because they’re simple to remember. That’s the story with this hacker-friendly option constructed from the sequence of letters at the top left of the typical computer keyboard.

12345

Or, 98765. Or, 4567. You get the picture — no consecutive numbers (and the same goes for sequential letter combinations). You can only count on passwords such as these to expose your business to digital theft.

BusinessName1

If your shop is called Serafina’s Weddings, don’t set your password as SerafinasWeddings1. That would be an early choice for hackers looking to break into your valuable data.

Business Address

Skip it entirely, when it comes to passwords. Also avoid trying to mash together similar details, such as your street name and street number — i.e. Main215. 

Date of Birth

Thanks to the Internet, it doesn’t take much effort to find a person’s DOB. Birthdays, birthdates, years of birth — all of them make for readily attainable passwords and are poor choices for your company.

Simple Dictionary Words

Especially if they’re related to your business, don’t use them. No baseball, football, or soccer for your sporting goods store. No muffler, tire, or spark plug for your auto garage.

 And so, what should you do when it comes to picking a password?

A key approach starts with thinking of a passphrase. Next, substitute letters, characters, and abbreviations for parts of it. For example, my first car was a Honda in 1990 would be easy enough to remember, if that was the case in your life. Now, change it to my1stc@r=honda90.

Steer clear of the not so magnificent seven above, and protect your data with hard-to-guess constructions. With a strong password strategy, you’re well on your way to foiling online attacks.

O’Brien, James. “7 Passwords You Should Never Use at Your Small Business” The Hartford, Small Biz Ahead. June 2018
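The seven categories in the list above can be turned into a screening check that runs when a password is set. The sketch below is an added example, not code from the article or from The Hartford; the function names, the short word sets and the sample business details are constructed for illustration, and a production check would load a full dictionary and breached-password list.

```python
import re

# Constructed sample data. A real deployment would load a full wordlist and a
# breached-password list instead of these short sets.
COMMON = {"password"}
SAMPLE_WORDS = {"baseball", "football", "soccer", "muffler", "tire", "sparkplug"}
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
LEET = str.maketrans("@4301$5", "aaeoiss")  # undo common character swaps
DATE_RE = re.compile(r"(19|20)\d{2}|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}")


def normalize(text):
    """Lowercase, drop trailing digits/symbols, undo swaps, keep letters only."""
    core = re.sub(r"[\W\d_]+$", "", text.lower())
    return re.sub(r"[^a-z]", "", core.translate(LEET))


def has_sequence(pw, run=4):
    """True if pw holds `run` characters in keyboard-row or +/-1 order."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if any(chunk in row or chunk[::-1] in row for row in KEY_ROWS):
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if chunk.isalnum() and steps in ({1}, {-1}):
            return True
    return False


def screen(pw, business_name, address, words=SAMPLE_WORDS):
    """Return the deny-list categories from the article that pw falls into."""
    reasons = []
    low, core = pw.lower(), normalize(pw)
    name = normalize(business_name)
    if core in COMMON:
        reasons.append("common password variant")
    if has_sequence(pw):
        reasons.append("keyboard or consecutive sequence")
    if name and name in core:
        reasons.append("business name")
    # Street name or number taken from the address the business registered.
    if any(t in low for t in re.findall(r"[a-z]{4,}|\d{2,}", address.lower())):
        reasons.append("business address")
    if DATE_RE.search(pw):
        reasons.append("date of birth or year")
    if core in words:
        reasons.append("dictionary word")
    return reasons
```

An empty list means the candidate avoided these seven categories only; it says nothing about whether the password is long or random enough.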

Posted in: Business, Mobile Computing, Security, Tech Tips for Business Owners, Technology
