Archive for Security

How to Deal With the Rising Threat of Ransomware

Of all the money-making schemes hackers employ, the most prevalent is perhaps ransomware, a malware that is usually delivered through infected email attachments and hacked websites or websites featuring ads. Ransomware encrypts files on a user’s computer and renders them unusable until the victim ransoms the key for a specific amount of money.

Cybercriminals are making millions of dollars from ransomware. According to forecasts and assessments made by experts, the threat of ransomware will continue to rise in the months and years to come. Recently, several organizations were badly hit by ransomware, including a police department in Massachusetts, a church in Oregon, schools in South Carolina and several medical centers in California and Kentucky, one of which ended up paying the attackers 40 bitcoins (approximately $17,000).

Attacks on individuals seldom make the headlines, but in 2015 alone, the FBI received some 2,500 complaints related to ransomware attacks, which amounted to approximately $24 million in losses to the victims.

Technologies such as modern encryption, the TOR network and digital currencies like bitcoin are contributing to the rising success of ransomware, enabling hackers to stage attacks with more efficiency while hiding their trace.

In many cases, victims are left with no other choice than to pay the attackers, and even the FBI often advises victims to pay the ransom as the only recourse. Traditional methods and tools no longer suffice to deal with the fast-evolving landscape of ransomware viruses, and new approaches are needed to detect and counter its devastating effects.

The problem with traditional security solutions

Most security practices rely largely on regularly updating your operating system, software and antivirus tools. These measures are effective against known ransomware viruses but are of no use against unknown variants.

The other safeguard against ransomware is to keep offline backups of your files, which will enable you to restore your hostage files without paying the crooks. This is a very effective method, but for many organizations, the downtime of a ransomware attack is more damaging than the ransom itself, which warrants the need for methods that can help avoid ransomware altogether.

Prevention through behavior analysis

The high success rates of ransomware attacks are directly attributed to the shortcomings of antivirus software that relies on static, signature-based methods to detect ransomware. With several variants of ransomware being developed on a daily basis, there’s simply no way signature-based defenses can keep up. Udi Shamir, Chief Security Officer at cybersecurity firm Sentinel One, explains, “With minor modifications a cybercriminal can take a well-known form of ransomware like CryptoLocker, and make it completely unknown and undetectable to antivirus software.”

Experts agree that fighting ransomware needs a new approach, one that should be based on behavior analysis rather than signature comparison. “Behavior-based detection mechanisms are now playing a key role in detecting and preventing ransomware-based attacks,” Shamir says. “While there may be many ransomware variants in the wild, they all share a common set of traits that can be detected during execution.”

Most ransomware can be detected through a set of shared behavioral characteristics. Attempts at deleting Windows Shadow Copies, disabling Startup Repair or stopping services such as WinDefend and BITS are telltale signs of ransomware work. “Each of these actions are behaviors that, if detected, translate into a ransomware attack,” Shamir explains.

This is the general idea behind some of the newer security tools — instead of making signature-based comparisons, processes are scrutinized based on their behavior and blocked if found to be carrying out malicious activity. “Once detected, any malicious processes are killed instantly, malicious files are quarantined, and endpoints are removed from the network to prevent any further spread,” Shamir says.
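The behaviors listed above can be checked against process-creation logs. The following is an added example, not code from the article or from any vendor it names: the log format, host names and sample lines are constructed, and the command-line patterns are assumptions about how each behavior usually appears in telemetry. It alerts only when several distinct behaviors occur on one host within a short window.

```python
"""Flag hosts that show several of the ransomware behaviours named above."""
import re
from datetime import datetime, timedelta

# One pattern per behaviour from the article. The command lines are assumed
# spellings of how each behaviour shows up in process-creation logs.
INDICATORS = {
    "shadow_copy_deletion": re.compile(
        r'\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b'
        r'|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b', re.I),
    "startup_repair_disabled": re.compile(
        r'\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b', re.I),
    "security_service_stopped": re.compile(
        r'\b(net1?|sc)(\.exe)?\s+stop\s+"?(windefend|bits)\b', re.I),
}
WINDOW = timedelta(seconds=120)  # behaviours must cluster inside this window

# Constructed sample: timestamp|host|pid|command line
SAMPLE_LOG = r'''
2016-04-02T10:15:01|WS-014|4120|"C:\Program Files\Microsoft Office\WINWORD.EXE" /n invoice.doc
2016-04-02T10:15:40|WS-014|4388|vssadmin.exe Delete Shadows /All /Quiet
2016-04-02T10:15:42|WS-014|4392|bcdedit /set {default} recoveryenabled No
2016-04-02T10:15:45|WS-014|4401|net stop WinDefend
2016-04-02T10:16:10|SRV-02|812|vssadmin list shadows
2016-04-02T11:02:00|WS-033|2210|sc stop BITS
'''


def parse_event(line):
    """Parse one 'timestamp|host|pid|command line' record."""
    ts, host, pid, cmd = line.split("|", 3)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "pid": int(pid), "cmd": cmd.strip()}


def classify(cmd):
    """Return the names of all behaviours a command line matches."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def detect(lines, min_behaviours=2):
    """One alert per host with >= min_behaviours distinct behaviours in WINDOW."""
    hits = {}  # host -> [(time, behaviour)]
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for behaviour in classify(event["cmd"]):
            hits.setdefault(event["host"], []).append((event["time"], behaviour))

    alerts = []
    for host, events in sorted(hits.items()):
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = sorted({b for t, b in events[i:] if t - start <= WINDOW})
            if len(seen) >= min_behaviours:
                alerts.append({"host": host, "first_seen": start, "behaviours": seen})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert["host"], alert["first_seen"].isoformat(), ", ".join(alert["behaviours"]))
```

A single match, such as the lone service stop on WS-033 in the sample, is left for lower-priority review because administrators run the same tools.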

Aside from Sentinel One, other big players such as TrendMicro, Cisco and Kaspersky Labs are also offering behavior-based security tools.

“These new ‘next-generation’ endpoint protection solutions have proven to be effective against all variants of ransomware,” Shamir says.

Prevention without detection

One of the methods ransomware developers use to evade detection is to force their tool to remain in a dormant state while it is under examination by security tools. This enables new variants of the virus to get past antiviruses and even some behavioral-based security solutions without being discovered. Once out of the sandbox, the ransomware is in the ideal environment to unpack its malicious payload and deal its full damage.

The workaround to this technique, as discovered by an Israeli cybersecurity startup, is to trick the ransomware into believing that it is always in the sandbox environment, which will convince it to remain in the “sleeping” state and never wake up to deploy itself.

Minerva Labs, which came out of stealth this January, presented a solution that uses the ransomware’s own evasion techniques against it. “We figured that in order to fight malware, we have to think like the hackers that develop it,” says Eddy Bobritsky, CEO of Minerva Labs.

Minerva has introduced the concept of a low footprint endpoint protection platform that “prevents targeted attacks as well as ransomware before any damage has been done, without the need to detect them first or to have prior knowledge,” Bobritsky explains.

By simulating the constant presence of different sophisticated cybersecurity tools, such as Intrusion Prevention Systems (IPS), the ransomware becomes trapped in a loop that prevents it from knowing where it is. The malware cannot differentiate between the simulated environment and real security environment that it tries to evade, and thus it stays inactive, “waiting for conditions that will never materialize,” Bobritsky says.

Prevention through a multi-pronged approach

“Per se, new products, tools or technology and processes may not solve the challenges individuals or organizations face when infected with ransomware,” says Jens Monrad, consulting system engineer at security firm FireEye. “Above all we need a fundamentally new way of thinking about cyberattacks.”

Monrad suggests the Adaptive Defense model, which instead of focusing on total prevention recognizes that some ransomware attacks will get through and aims at reducing the time to detect and resolve threats.

“In the adaptive model, security teams have the tools, intelligence, and expertise to detect, prevent, analyze, and resolve ever-evolving tactics used by advanced attackers,” Monrad explains.

Adaptive defense should encompass three core interconnected areas of technology, intelligence and expertise, which, according to Monrad, are fundamental for enterprises, governments and organizations that want to develop their capabilities to minimize the time it takes to discover a threat and recover from it.

At the technology level, Monrad proposes the use of sophisticated security tools. “Simple sandbox solutions aren’t enough though,” he explains, “because in many cases a piece of malicious code and an attack can happen over multiple stages, which makes detection and prevention more challenging, if your sandbox is just relying on a single object.”

This includes viruses that download and execute their malicious payload after getting past the sandbox. That’s why sandboxing should occur at the network level, Monrad argues, where you can “focus on the entire stream of packets, in order to analyze what is happening, in a similar way, as normal users are exposed to the code when they browse the Internet, click on a link in an email or open an attached file.”

At the intelligence level, “data should be gathered and shared across many endpoints and should be managed by a dedicated research team that knows attackers and how they operate,” Monrad says. The right solution should “provide intelligence before a ransomware attack happens, while it is happening and also explain why it did happen,” he says.

The expertise discipline includes experience in responding to data breaches, unique insight into how attacks are happening and knowledge on what sort of operational methods attackers employ in order to carry out successful attacks.

Dickson, Ben. “How to Deal with the Rising Threat of Ransomware” TechCrunch April 2016

Your Clever Password Tricks Aren’t Helping You From Today’s Hackers


Security breaches happen so often nowadays, you’re probably sick of hearing about them and all the ways you should beef up your accounts. Even if you think you’ve heard it all already, though, today’s password-cracking tools are more advanced and cut through the clever password tricks many of us use. Here’s what’s changed and what you should do about it.

Background: Passwords Are Easier To Crack Than Ever

Our passwords are much less secure than they were just a few years ago, thanks to faster hardware and new techniques used by password crackers. Ars Technica explains that inexpensive graphics processors enable password-cracking programs to try billions of password combinations in a second; what would have taken years to crack now may take only months or maybe days.

Making matters much worse is hackers know a lot more about our passwords than they used to. All the recent password leaks have helped hackers identify the patterns we use when creating passwords, so hackers can now use rules and algorithms to crack passwords more quickly than they could through simple common-word attacks.

Take the password “Sup3rThinkers”—a password which would pass most password strength tests because of its 13-character length and use of mixed case and a number. Web site How Secure Is My Password? estimates it would take a desktop computer about a million years to crack, with a 4 billion calculations-per-second estimate. It would take a hacker just a couple of months now, Ars says:

Passwords such as “mustacheehcatsum” (that’s “mustache” spelled forward and then backward) may give the appearance of strong security, but they’re easily cracked by isolating their patterns, then writing rules that augment the words contained in the [2009 hack of online games service] RockYou […] and similar lists. For [security penetration tester] Redman to crack “Sup3rThinkers”, he employed rules that directed his software to try not just “super” but also “Super”, “sup3r”, “Sup3r”, “super!!!” and similar modifications. It then tried each of those words in combination with “thinkers”, “Thinkers”, “think3rs”, and “Think3rs”.

In other words, hackers are totally on to us!

What You Can Do: Strengthen Your Passwords By Making Them Unique and Completely Unpredictable

We’ve suggested plenty of strong password tips over the years, but in light of the faster and newer cracking capabilities, these are worth reviewing.

  1. Avoid Predictable Password Formulas

The biggest problem is we’re all padding our passwords the same way (partly because most companies limit your password length and require certain types of characters). When required to use mix of upper- and lower-case letters, numbers, and symbols, most of us:

  • Use a name, place, or common word as the seed, e.g., “fido” (women tend to use personal names and men tend to use hobbies)
  • Capitalize the first letter: “Fido”
  • Add a number, most likely 1 or 2, at the end: “Fido1”
  • Add one of the most common symbols (~, !, @, #, $, %, &, ?) at the end: “Fido1!”

Not only are these patterns obvious to professional password guessers, even substituting vowels for numbers (“F1d01!”) or appending another word (“G00dF1d01!”) wouldn’t help much, since hackers are using the patterns against us and appending words from the master crack lists together.

Other clever obfuscation techniques, such as shifting keys to the left or right or using other keyboard patterns are also now sniffed out by hacking tools. As one commenter wrote in the Ars Technica article, hackers use keyword walk generators to emulate millions of keyboard patterns.

The solution: Don’t do what everyone else is doing. Avoid the patterns above and remember the basics: don’t use a single dictionary word, names, or dates in your password; use a mix of character types (including spaces); and make your passwords as long as possible. If you have a template for how you create memorable passwords, it’s only secure if no one else is using that rule. (Check out IT security pro Mark Burnett’s collection of the top 10,000 most common passwords, which he says represents 99.8% of all user passwords from leaked databases, or this list of 500 most common passwords in one page.)
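To see why the formulas above add so little, the following added example (not from the article or from Ars Technica) audits a password the way a rule-based guesser views it: it undoes character swaps, peels off a trailing digit/symbol suffix, splits what is left into dictionary words, and compares the resulting guess count with a brute-force count over the same character set. The five-word list is constructed, and `WORDLIST_SIZE` and `VARIANTS_PER_WORD` are assumed figures chosen only to make the comparison concrete.

```python
"""Why mangled dictionary words fall to rule-based guessing (added example)."""
import math

WORDS = {"super", "thinkers", "fido", "good", "mustache"}  # constructed mini word list
WORDLIST_SIZE = 100_000   # assumed size of a real cracking word list
VARIANTS_PER_WORD = 32    # assumed rules per word: capitalisation, swaps, reversal
SUFFIX_ALPHABET = 18      # 10 digits + the 8 common symbols the article lists
UNLEET = str.maketrans("013457@$", "oieastas")  # undo common character swaps


def charset_size(password):
    """Size of the alphabet a brute-force search would have to cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def segment(text):
    """Split text into list words, read forwards or backwards; None if impossible."""
    if not text:
        return []
    for end in range(len(text), 0, -1):
        head = text[:end]
        if head in WORDS or head[::-1] in WORDS:
            rest = segment(text[end:])
            if rest is not None:
                return [head] + rest
    return None


def analyse(password):
    """Compare brute-force and rule-based guess counts for one password."""
    result = {"words": None, "suffix": "", "rule_guesses": None,
              "brute_guesses": charset_size(password) ** len(password)}
    cut = len(password)
    while cut > 0:
        # Treat password[cut:] as an appended suffix and try to explain the rest.
        words = segment(password[:cut].lower().translate(UNLEET))
        if words:
            suffix = password[cut:]
            guesses = ((WORDLIST_SIZE * VARIANTS_PER_WORD) ** len(words)
                       * SUFFIX_ALPHABET ** len(suffix))
            result.update(words=words, suffix=suffix, rule_guesses=guesses)
            break
        if password[cut - 1].isalpha():
            break  # a suffix may only contain digits and symbols
        cut -= 1
    return result


def bits(n):
    """Guess count expressed as bits of search space."""
    return round(math.log2(n), 1)


if __name__ == "__main__":
    for pw in ("Sup3rThinkers", "Fido1!", "F1d01!", "G00dF1d01!",
               "mustacheehcatsum", "ro7CSfac2V3p1"):
        r = analyse(pw)
        rule = f"{bits(r['rule_guesses'])} bits" if r["rule_guesses"] else "no pattern found"
        print(f"{pw:18} brute force {bits(r['brute_guesses'])} bits, rules: {rule}")
```

“Fido1!” and “F1d01!” come out with the same rule-based guess count, which is the article's point about digit substitutions.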

  2. Use a Unique Password for Each Site

We’ll get back to password creation in a minute, but first: this is the most important security strategy of all. Use a different password for each site. This limits the damage that can be done if/when there’s a security breach.

If you use the same password for everything, and someone gets a hold of your Facebook password, they have your password for every site you visit. If you have a different password for every site, they only have access to your Facebook account—so at least all your other accounts are protected.

  3. Use Truly Random Passwords

You’ve probably heard that a random, four-word passphrase is more secure and more memorable than complicated but shorter passwords, as web comic xkcd pointed out last year. This is true, but often irrelevant, because like we said: you need to use a different password for every account. If you can remember 100 different four-word passwords, be my guest. But for most of us, it doesn’t matter how easy your passwords are to remember—there’s just too many of them. (Though the passphrase approach might be good for, say, your computer login or the few cases you need to remember your password.)

Using a variation on the same password for each site isn’t a good idea, either. Say you have a password like ro7CSfac2V3p1 for Facebook, and you use the variation ro7CSlif2V3p1 for Lifehacker, and so on for all your other sites. If a hacker gains access to one of those passwords, they can easily guess the others by replacing “fac” with the letters that might match other sites (or figuring out whatever your algorithm is). It’s more difficult, but far from impossible, and it isn’t secure enough to rely on—if you can remember it, someone else can probably figure it out.

So: The most secure option is to use a password generator and manager. If you want to keep your accounts safe, you need to use a truly random, long, and complex password, and use a completely different one for each account. How do you accomplish this? Use a password manager like LastPass, KeePass, or 1Password. Not only will they save all your passwords for you, but they can generate random passwords for you. It’s easier to use and set up than you may think.

For more information, read our guide on how to audit and update your passwords with LastPass for detailed instructions. Remember, the only secure password is the one you can’t remember—and this is the only way to achieve that. Those clever password tricks we used to use just don’t cut it anymore.

Lastly, make sure you turn on two-factor authentication for all sites that support it! It is, by far, one of the best ways to secure your accounts against hackers—even if they get your password, they won’t be able to get access to your account.

Pinola, Melanie. “Your Clever Password Tricks Aren’t Protecting You From Today’s Hackers” lifehacker April 2016

Ransomware Alert: Don’t be Unlucky With Locky

Ransomware is a rapidly growing plague on computer users, and the latest variant of Locky adds malicious Word macros to its weaponry.

If you must open Word documents created by others, here are some ways to ensure you don’t become a ransomware victim.

When you’re unlucky enough to get Locky

Locky ransomware shows up in many formats, but in most cases it’s disguised as an invoice, shipping document, or similar-seeming legitimate attachment. Typically, those attachments are Word or Excel documents, but the malware might also be hiding inside a ZIP or RAR file.

No matter how Locky arrives, the end effect is the same — and frighteningly obvious. You’ll discover that all your documents are encrypted: not just those on the infected computer, but also files on mapped external drives and network locations. Even cloud-based documents are at risk. It can also disable Windows’ volume shadow copies.

It gets worse: Locky will look for bitcoin wallets and try to encrypt them as well.

Locky can even store information in the Windows Registry.

Here are some reminders of ways to protect yourself from this latest variant:

The first line of defense remains unchanged

Regular Windows Secrets readers should already know the first rule of blocking ransomware and similar forms of malware: Don’t open email attachments that did not come from truly trusted sources. I’d even avoid attachments forwarded by those you know well — you can’t know the original source of the document.

Note that the ransomware payload typically isn’t triggered by simply viewing the email message; you have to open the malicious attachment to become infected.

The next best defense is using an email service that filters your email. If you never see the attachment, you won’t be tempted to open it. Many major Internet service providers will filter and clean email — it’s in their interests to protect their subscriber traffic.

If your ISP doesn’t provide effective mail filtering and cleaning, you should sign up for one of the free providers that do. You can, for example, forward your mail through Gmail or I also recommend creating a separate account on one of the free, online mail services; then use that address for the sites that might lead to more spam in your inbox.

Many of the malicious emails and attachments look as if they came from legitimate businesses. It can be hard to tell a bogus FedEx notification from a real one. If you’re suspicious of an email, open it on a platform that’s less likely to be hit by ransomware. For example, I often use my iPhone to open up suspect mail. If it proves safe, I will then open it on one of my Windows machines. But even that’s not foolproof. As noted in a recent Reuters story, some OS X machines saw their first successful ransomware attack. The “KeRanger” exploit was piggy-backing on torrent sites. (That’s what you get for illegally downloading media — I jest: there are legitimate reasons for using BitTorrent.) Experts reportedly expect to see new forms of attachments on Macs.

Preventing infection by blocking macros

Locky’s use of Office-based macros is somewhat unique. If you’re unlucky enough to launch the malware, and if you’ve not taken precautions to block certain macros, the encryption process will begin. Microsoft’s Malware Center has posted tips for protecting yourself from bogus macros.

It starts with checking whether you have any Word docs or Excel worksheets that contain macros. If you don’t have or use macros, take the following steps to better protect yourself from malicious documents that might slip onto your machine.

  • Open a Microsoft Word document.
  • Click the File tab and then Options.
  • In the Trust Center, click Trust Center Settings.
  • In the Macro Settings section, check that the default Disable all macros with notification is enabled.
  • Click OK.

If you do use macros, the better option is: Disable all macros except digitally signed macros. This will ensure that unsigned macros don’t launch when you open a document.
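For the first step, checking which Word and Excel files actually contain macros, here is an added example (not from the article or from Microsoft). It classifies a file by its bytes rather than its extension: newer-format files are ZIP archives that hold a `vbaProject.bin` part when macros are present, and legacy `.doc`/`.xls` files are OLE containers in which a `_VBA_PROJECT` stream name is used here as a heuristic marker. The sample documents are constructed in memory.

```python
"""Inventory Office files that carry VBA macros (added example)."""
import io
import zipfile
from pathlib import Path

OFFICE_EXT = {".doc", ".dot", ".xls", ".docx", ".docm", ".dotm", ".xlsx", ".xlsm"}
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # legacy .doc/.xls container
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # stream names are UTF-16LE


def macro_status(data):
    """Return 'macros', 'no-macros' or 'not-office' for raw file bytes."""
    if data[:8] == OLE_MAGIC:
        # Heuristic: look for the VBA project stream name in the directory.
        return "macros" if OLE_VBA_MARKER in data else "no-macros"
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as archive:
            names = [name.lower() for name in archive.namelist()]
        if "[content_types].xml" not in names:
            return "not-office"  # an ordinary ZIP, not an Office package
        has_vba = any(name.endswith("vbaproject.bin") for name in names)
        return "macros" if has_vba else "no-macros"
    return "not-office"


def scan(root):
    """Map every Office-looking file under root to its macro status."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in OFFICE_EXT:
            results[str(path)] = macro_status(path.read_bytes())
    return results


def make_ooxml(with_macro):
    """Build a constructed, minimal Word package in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for name, status in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{status:10} {name}")
```

If the scan reports no files with macros, the stricter macro settings described above cost you nothing.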

Looking for the yellow banner when opening files

If you have a newer Office platform (2010 through 2016), it knows where opened documents have come from. Opening Word or Excel email attachments will trigger the yellow warning shown in Figure 1. (The wording will vary slightly with different Office versions.) Earlier platforms might also display the warning — if you’ve installed specific updates. But as I’ve pointed out in a Patch Watch column, the updated Office versions weren’t perfectly successful when dealing with file opening on older platforms.

Figure 1. Office’s warning that a document that arrived in email could be malicious

If you’re using .docx and .xlsx formats, newer Office versions tend to be more effective at spotting and blocking macros. But the key is still to always watch for the yellow banner at the top of opened files. If the document came via the Web, you can enable macros — but, again, only if you truly trust the source.

What do you have access to?

An often overlooked step for limiting damage from ransomware is checking what you have access to from your PC. If you can browse to a location on an internal drive, on an external USB drive, in the cloud, and so forth, the ransomware payload has access to that location, too.

With that in mind, review how your backup software is set up. It’s one of the reasons I don’t completely trust Windows 10’s File History system; it saves a copy to an external USB hard drive that you — and ransomware — have full access to. File History makes no attempt to hide the location of archived files; hiding them would help protect them from ransomware encryption.

I wouldn’t turn File History off, but I would add the old-school method of rotating backup media (to multiple, external USB drives). Combine that strategy with cloud backup that includes versioning. In short, never rely on one backup system.

Ransomware is getting only cleverer at tricking computer users into downloading and launching malicious code. As it adapts, so too must we. Open only those attachments you expected to receive — and don’t worry if your friends think you are a tad paranoid when you call them to check that they really sent an email with any form of attached file.

A little paranoia helps keep us all safe.

Bradley, Susan. “Don’t be Unlucky With Locky” Windows Secrets March 17, 2016

One in the eye for ransomware: Microsoft adds new macro controls to Office 2016

As you probably know, a lot of ransomware arrives by means of believable-looking Word documents.

You receive an email that looks just like a customer requesting a quote, or an invoice that you need to pay, or a courier delivery that went astray.

You’re supposed to consult the attached document for details…

…but when you do, there’s some problem viewing it, but you can fix that…

…if only you click the [Options] button and enable macros.

The problem is that a macro is essentially a miniature program embedded inside the document, and it can do almost anything that a regular program can do, such as connecting to a web server, downloading some software, and running it.

In other words, an email telling you to enable macros in a document is as dangerous as an email telling you, “Please download and install this unusual version of NOTEPAD.EXE, ignoring all security warnings, to read this email properly.”

Macros don’t run by default, for security reasons, but an outright block on macros can get in the way, because many legitimate Word and Excel files use macros for perfectly unexceptionable purposes, such as helping you fill in forms or perform complex calculations.

That means that in most businesses, users can enable macros if they think they need to – so that just one bad judgement call could let ransomware, or any other malware, into the organization.

Microsoft has therefore added a new policy option into Office 2016 that allows finer control over documents with macros.

You can now limit the functionality of the macro programming system so that even if users normally have the chance to enable macros, they can’t if the macros came in an Office file from the internet.

The option is well-named: Block macros from running in Office files from the internet.

Is this the end of ransomware?

Sadly, the answer is, “No.”

Malware, including ransomware, can arrive in many other ways.

Instead of using attachments containing Word macro downloaders, crooks can use numerous other infection techniques.

A common trick is to send a .js attachment (JavaScript) instead of a .doc file; scripts written in JavaScript have much the same powers as those written as Office macros, and protection based on controlling macros won’t help in this case.

And crooks can also use booby-trapped documents that work by exploiting bugs in Word itself, so that no macros are needed at all.

Lastly, there’s still plenty of malware that gets in without using email, thanks to USB flash devices, malvertising, and booby-trapped websites.

Nevertheless, if you are using Office 2016, this new anti-untrusted-macro execution protection is well worth using.

Ducklin, Paul. “One in the eye for ransomware: Microsoft adds new macro controls to Office 2016” Naked Security March 23, 2016

How Users are (and are not) Blocking Malware

Every Windows user has some sort of antivirus and security software installed — or at least everybody should. But what protection do they use, and how do they use it? And does the software do any good?

To help answer that question, AV-Comparatives does an annual survey of computer users. Here’s a summary of the latest report.

Windows users who follow PC security trust Austria-based AV-Comparatives (site) as one of the most respected computing-security research organizations. I wrote about its anti-malware tests in the July 23, 2015, Top Story, “AV testing: Is your antivirus app doing its job?”

AV-Comparatives released its most recent survey (pdf download) on Feb. 16, and it includes a few surprises. For example, more than a third of respondents reported that their security software blocked a malware infection in the previous week; and nearly two thirds believe that a full security suite provides more protection than a simple antivirus program.

Most surprising, almost half of the respondents are using Windows 10.

How the Survey Information was Collected
The quality of any survey depends on the polling methods and the people who answer it. Political polls, for example, call thousands of random people and interview them. But that’s costly, so AV-Comparatives used an opt-in method.

Over a two-week period this past December, the organization asked visitors to its site to fill out a security questionnaire. It received 2,022 responses, filtering out those “involved with anti-virus companies.”

When you look over the survey results, keep an important point in mind: Despite AV-Comparatives’ claim that “We were primarily interested in the opinions of everyday users,” visitors to the organization’s site rarely qualify as “everyday users.”

That’s clear from the published results. When asked to describe “your level of computer expertise,” more than 70 percent of respondents identified themselves as “computer enthusiast” or “computer professional or equivalent”. Only about six percent described themselves as a “basic computer user.”

Spector, Lincoln. “How Users are (and are not) Blocking Malware” Windows Secrets: On Security March 1, 2016

Protect Your Online Accounts with Two-Factor Authentication Now!

A password that’s tough to crack provides protection against unauthorized intrusion into your digital accounts, but even a strong password is not completely impenetrable. Many companies increase security by offering users the option to log in using two-factor authentication.

What is two-factor authentication?
Two-factor authentication (also known as 2-step verification) is a log-in process that requires users to prove that they are who they claim to be not once but twice. The required proofs usually combine two of the following:

  • Something known only to the user such as a password or PIN
  • Something that the user has to have in hand, such as an ATM card, smartphone or passcode generator key
  • Scans of some physical or biometric property of the user such as retinal scans, voice identification or fingerprints

If you cannot supply both the required proofs of your identity, the system will not authenticate you and you will not receive access.

Improved security
Because it uses not one but two security measures, two-factor authentication arguably provides tighter — though not absolute — security than password- or PIN-based systems. No matter how complex a password is, someone out there is smart enough to guess or steal it, often by electronic means or by social engineering techniques such as phishing.

But when two-factor authentication is in place, even intruders who know your password are barred from accessing your account if they cannot supply the other required proof. Think of it as a second lock on your door.

Where two-factor authentication is used
We’ve all seen movies where scientists develop some top-secret gadget in a heavily secured lab. Access to the lab is severely restricted with multi-factor verification mechanisms. A whitelisted scientist can enter the lab by undergoing a retinal scan, then by speaking to authenticate the voice print, then by typing a long passcode at a terminal with fingerprint-scanning buttons. Quite exaggerated, but that’s multi-factor authentication at its finest.

In the real world, some companies use two-factor authentication to restrict employee access to certain buildings or areas. Identification cards with embedded chips or magnetic strips allow employees to swipe or tap at security terminals and then key in a company-issued passcode. If both are correct and the worker has access privileges, the door will unlock.

Many online services use two-factor authentication. Most recently, Instagram is in the process of rolling out optional two-factor authentication to give its more than 400 million users an additional blanket of safety against unauthorized access to their accounts.

Google has been using two-step verification since 2011. When it’s enabled for your account, a special code is sent to your phone whenever you log in to your account on a new device. Google also sends you an email notifying you about the access on the new device.

Twitter activated two-step authentication in 2013, while Facebook’s version, known as Login Approvals, has been around since 2011. In late 2015, Amazon also rolled out its implementation of the method.

Other high-profile online services that have implemented some form of two-factor authentication include Apple, Microsoft, Steam, Yahoo, Xbox Live and Dropbox.

Online banking services also use two-factor authentication. One international bank, for example, combines password and token generation. Clients are given token generator devices for free. To log in, you enter your username, password and a random, unique token generated by the key. Another bank uses both passwords and a one-time passcode sent to the user’s phone via SMS.

To see a list of services that use two-factor authentication, visit Two Factor Auth.

Should you enable two-factor authentication?
Generally, you should enable two-factor authentication wherever it is available, especially for important and sensitive accounts such as online banking.

Consider the potential consequences of enabling two-factor authentication. For example, Amazon lets you receive the second passcode either via SMS text or voice call. You wouldn’t be able to receive either of these when you’re on an airplane, so if you plan to shop in the air, you’d have to switch to the authenticator app method before boarding the plane. We like Google Authenticator (free for iOS and Android), which generates codes for any two-factor site. You might also find yourself unable to use mobile phone authentication anywhere cellular coverage is spotty or nonexistent.
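An authenticator app keeps working without coverage because the code is computed on the phone from a secret shared at enrollment and the current time. The following added example (not from the article or from any service it names) implements that scheme, time-based one-time passwords as specified in RFC 6238, together with the server-side check. The secret is the RFC's published test key, and the one-step tolerance for clock drift is an assumed setting.

```python
"""Time-based one-time passwords as used by authenticator apps (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test key, in the base32 form that enrollment QR codes carry.
DEMO_SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """Code for the 30-second time step that contains 'at' (Unix seconds)."""
    at = time.time() if at is None else at
    return hotp(key, int(at) // step, digits)


def verify(key, submitted, at=None, step=30, window=1, digits=6):
    """Server side: accept the current step plus/minus 'window' steps of drift."""
    at = time.time() if at is None else at
    current = int(at) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    print("code now:", totp(DEMO_SECRET))
    print("RFC vector at t=59:", totp(DEMO_SECRET, at=59, digits=8))
```

A production verifier would also remember the last accepted time step per account so that a code cannot be replayed within its validity window.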

Familiarize yourself with the system’s safety nets for occasions when the second factor is unavailable to you. For instance, if you lose your phone, does your service provider allow an alternate way for you to log in without your phone or provide a second phone number? One bank offers alternate access by supplying randomly requested characters of a second password defined previously by the user.

Some services let you turn off two-factor authentication for a device once it’s been authenticated. We don’t recommend doing this.

Two-factor authentication can be a bit of an inconvenience, but that extra step will make you a less desirable target for those looking to steal your banking information, upload scandalous photos to your social network or read your confidential messages. The minor inconvenience is a small price to pay to keep your accounts secure.

Montejo, Elmer. “Protect Your Online Accounts with Two-Factor Authentication”, Techlicious, Tips & How-To’s, Privacy February 23, 2016


Posted in: Security, Tech Tips for Business Owners


Is Single Sign-on Right For Your Business?

When your workers log onto their computers, do they automatically, by entering one password and login name, gain access to all of your business’ software systems? Does their single login allow them to access the company’s Intranet, their e-mail systems and your company’s sales data? If so, your company’s software systems operate under a single sign-on system.

Different versions

There are several versions of single sign-on systems. Under a Kerberos-based system, workers must supply their login names and passwords when signing onto their computers. After this, they get a Kerberos ticket that gives them access to email clients, editing software and other systems. This happens because the Kerberos ticket supplies the user’s credentials to each new system that the user tries to access. This prevents workers from having to re-enter their passwords and login names each time.


The main benefit of single sign-on is that workers don’t have to constantly enter passwords and logins every time they need to access a new software system. Not only does this prevent password fatigue for your company’s employees, it also saves time. Employees don’t have to stop working to enter their passwords throughout the day. Single sign-on might also save your company IT costs; your IT department won’t be swamped with as many calls from employees struggling to remember their passwords and login names throughout the day.


Of course, there is some risk to single sign-on. A hacker can gain access to your company’s software systems more easily if you rely on single sign-on. This is why it’s important for your company to tie single sign-on to authentication methods such as smart cards or one-time password tokens. As with all forms of electronic security, then, single sign-on isn’t perfect. You’ll have to take a close look at your company to determine whether this system is right for your business and your employees.

Posted in: Business, Security, Tech Tips for Business Owners, Technology


Phishing Attempts Can Snare the Best of Us, Even the AP


We would all like to think that we’re clever enough to detect phishing e-mails in our inboxes. Some of them are easy to spot. But the scam artists behind phishing e-mails are getting better. And that means that they’re netting some high-profile victims. For instance, as Slate recently reported, a particularly sneaky phishing e-mail recently caused a lot of trouble for the Associated Press, the country’s biggest provider of wire-service news.

Syrian Electronic Army

Earlier this year, a group calling itself the Syrian Electronic Army hacked into the Twitter account of the AP and posted a message stating that President Obama had been seriously injured in an explosion at the White House. This Tweet was false, of course. But that didn’t stop the stock market from taking a big plunge. And it shows, too, that even the savviest among us have to be on guard against sophisticated phishing attacks.

The E-mail

The Syrian Electronic Army hacked the AP Twitter account through a process known as spear-phishing. As Slate explains, this involves sending specific recipients e-mail messages that look legitimate. In the case of the AP hack, the group sent a message to AP staffers containing a link to what looked like a Washington Post news story. The message looked professional enough that it tricked some AP staffers into clicking on it, the first step in giving members of the Syrian Electronic Army control over the AP’s Twitter account.

A Warning

It’s easy to poke fun at the AP for getting hacked. But the truth is, no one is safe from the more sophisticated con artists behind the newest phishing attacks. These scammers no longer send phishing e-mails about Nigerian princes. Instead, they send messages that look like they’re coming from people we know. The lesson here? You need to be constantly vigilant if you want to protect yourself from today’s trickiest online scammers.


Posted in: Business, Security, Tech Tips for Business Owners


Guilty of These Bad Tech Habits?

No one is perfect. We all have bad habits. Some of us smoke. Some eat in our cars. Some write e-mail messages in all capital letters. Here’s the good news, though. When it comes to technology, it’s relatively simple to identify our bad habits and break them. PCWorld magazine recently ran a list of the most common bad tech habits. Take a look at these tech mistakes. Do you suffer from any of these bad tech habits?

Easy Target

Some of the worst tech bad habits identified by PCWorld make you an easy target for thieves. For instance, do you ever leave your smart phones or tablets sitting at your booth in the coffee shop while you run back to the counter to get another shortbread cookie? Leaving your devices unattended and in plain sight can make it easy for criminals to quickly snatch them and disappear. Or what if you spend all your waking minutes staring at your smart phone screen without taking notice of your surroundings? This bad tech habit can hurt, too. While you’re staring at your screen, you don’t notice that suspicious guy walking close to you. Before you know it, the guy’s popped you in the face, grabbed your smart phone and run away.

Hurting Your Health

Bad tech habits can damage your health, too. Maybe you sit all day hunched in front of your computer. This bad posture can lead to serious back pain. It can also cause carpal tunnel syndrome. The solution here? Sit up straight, take frequent computing breaks and purchase a comfortable chair that places less strain on your back. Speaking of breaks, another bad tech habit is not taking any. As PCWorld says, you can hurt your eyes, strain your back and blur your thought processes if you insist on spending the entire work day focusing on your computer screen. Remember to take regular breaks to keep yourself healthy.


What happens if your computer suffers a sudden hard-drive crash? Will you lose your important files? If you suffer from the bad tech habit of not backing up your files, you probably will. And do you reuse the same passwords frequently at several different Web sites? This tech habit can open you to a world of pain should someone crack that go-to password. Now, instead of gaining access to your personal information on one site, this cyber criminal can gain access to it on several. Finally, do you ignore the updates that publishers create for the software that you most frequently use? Don’t. Ignoring these updates can leave you vulnerable to hacks and keep you from fully enjoying your software.

Posted in: Business, Security, Tech Tips for Business Owners, Technology


Does Your Business Have a CyberSecurity Plan?

Here’s an interesting fact: In 2012, companies with just one to 250 employees — what we commonly think of as small businesses — were the victims in more than 30 percent of all cyber attacks. Entrepreneur Magazine cites this statistic, taken from the 2013 Internet Security Threat Report from Symantec, to prove a point: Even small businesses need a cybersecurity plan.

Anti-Virus Software Matters

The Entrepreneur story says that the first step in any cybersecurity plan is anti-virus software. As the story says, this software is a must for small business owners. Anti-virus software isn’t perfect, and especially clever viruses can slip past it, but businesses that don’t have any anti-virus protection are setting themselves up for a massive hack.

Suspicious E-mails

Next, small businesses should make sure that their employees understand how important it is to delete e-mail messages that seem suspicious, whether sent by known or unknown senders. Businesses should also remind their employees to never click on the links contained in these suspicious e-mail messages. Not all employees will listen or remember. But many will.


Entrepreneur also recommends that small businesses use firewalls to protect their inbound and outbound network traffic. Firewalls can keep hackers from tapping into a small business’ network. Firewalls can also block employees from accessing potentially dangerous Web sites.

Posted in: Business, Disaster Recovery, Security, Tech Tips for Business Owners
