Posts

3 Stupid Simple Tips to protect your Identity

For anyone who goes online, it’s impossible to hack-proof yourself, but not impossible to make a hacker’s job extremely difficult. Here are three things to almost hack-proof yourself.

Two-factor authentication. Imagine a hacker who has your password trying to get into your account, only to learn he must enter a unique code that’s sent to your smartphone. He doesn’t have your smartphone, so he’s at a dead end.

Two-factor authentication means you’ll get a text message containing a six-digit number that’s required to log into your account from someplace in public or elsewhere. This will surely make a hacker quickly give up. You should use banks and e-mail providers that offer two-factor authentication. Two-factor authentication in various forms is available on Gmail, iCloud, PayPal, Twitter, Facebook and many other sites.

Don’t recycle passwords. If the service for one of your accounts gets hacked, the exposed passwords will end up in the hands of hackers, who will invariably try those passwords on other sites. If you use this same password for your banker, medical health plan and Facebook…that’s three more places your private information will be invaded.

And in line with this concept of never reusing passwords, don’t make your multiple passwords sound schemed (e.g., Corrie1979, Corry1979, Corree1979) for your various accounts, because a hacker’s penetration tools may figure them out.

Use a password manager. With a password manager, you’ll no longer be able to claim not being able to remember passwords or “figure out” how to create a strong password as excuses for having weak, highly crackable passwords. You’ll only need to know the master password. All of your other passwords will be encrypted, penetrable only with the master password.

A password manager will generate strong passwords for you as well as conduct an audit of your existing passwords.
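A sketch of the kind of audit described above, as an added example (not the author's code and not any particular password manager's): it flags exact reuse across accounts and near-variant "schemed" passwords such as the Corrie1979 family. The vault contents, the `audit` function and the distance threshold of 3 are assumptions made for illustration.

```python
from itertools import combinations


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def audit(vault: dict[str, str], max_distance: int = 3) -> dict[str, list]:
    """Flag exact reuse and near-variant ("schemed") passwords across accounts."""
    reused, schemed = [], []
    for (site_a, pw_a), (site_b, pw_b) in combinations(sorted(vault.items()), 2):
        if pw_a == pw_b:
            reused.append((site_a, site_b))
        elif edit_distance(pw_a.lower(), pw_b.lower()) <= max_distance:
            schemed.append((site_a, site_b))
    return {"reused": reused, "schemed": schemed}


# Constructed sample vault; the three variants are the ones quoted in the post.
SAMPLE_VAULT = {
    "bank": "Corrie1979",
    "health-plan": "Corry1979",
    "facebook": "Corree1979",
    "email": "Corrie1979",
    "forum": "t7#Vq2!mZp0L",
}

if __name__ == "__main__":
    for kind, pairs in audit(SAMPLE_VAULT).items():
        for a, b in pairs:
            print(f"{kind}: {a} <-> {b}")
```

Only the randomly generated forum password comes through without a finding; every other pair is either identical or within two edits of another account's password.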

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

How to Secure Your iCloud

By now you’ve heard that Jennifer Lawrence’s (and other celebs’) cellphone nude pictures were leaked out, but how in the heck did the hacker pull this off? Tech experts believe it was through the “Find My iPhone” app.

Someone anonymously posted nude photos of Jennifer Lawrence and Kate Upton to the 4Chan site, and the stars confirmed the photos were of them.

It’s possible that the hacker/s discovered a vulnerability in the Find My iPhone service. This app helps people locate missing phones via the cloud. Hackers use a “brute force” program to hack accounts. These programs make repeated guesses at random passwords for a particular username until a hit is made.

So it’s possible hackers used “iBrute” to get celebs’ passwords, and hence, the photos in their iCloud accounts.

This is only a theory, as most hacking occurs in a more straightforward manner such as:

  • a person receiving a phishing email and responding with their password
  • someone’s personal computer gets hacked and spyware is installed
  • a laptop with all kinds of data is stolen
  • the wrong person finding a lost cellphone.

Also, evidence suggests that some of the leaked photos came from devices (like Android) that won’t back up to the iCloud.

Apple is investigating the leaks, and apparently put out a security upgrade Sept. 1, to prevent a brute force service from getting passwords via Find My iPhone.

You yourself are at risk of this breach if brute force indeed was used, as long as the problem hasn’t been fixed. If someone has your username, this tactic can be used.

If you want 100 percent protection, stay off the Internet. (Yeah, right.)

Bullet proof your passwords

  • Each site/account should have a different password, no matter how many.
  • Passwords should have at least eight characters and be a mix of upper and lower case letters, numbers and symbols that can’t be found in a dictionary.
  • Use a password program such as secure password software.
  • Make sure that any password software you use can be applied on all devices.
  • A password manager will store tons of crazy and long passwords and uses a master password.
  • Consider a second layer of protection such as Yubikey. Plug your flashdrive in; touch the button and it generates a one-time password for the day. Or enter a static password that’s stored on the second slot.
  • Have a printout of the Yubikey password in case the Yubikey gets lost or stolen.
  • An alternative to a password software program, though not as secure, is to keep passwords in an encrypted Excel, Word or PDF file. Give the file a name that would be of no interest to a hacker.
  • The “key” method. Begin with a key of 5-6 characters (a capital letter, number and symbols). For example, “apple” can be @pp1E.
  • Next add the year (2014) minus 5 at the end: @pp1E9.
  • Every new year, change the password; next year it would be @pp1E10. To make this process even more secure, change the password more frequently, even every month. To make this less daunting, use a key again, like the first two letters of every new month can be inserted somewhere, so for March, it would be @pp1E9MA.
  • To create additional passwords based on this plan, add two letters to the end that pertain to the site or account. For instance, @pp1E9fb is the Facebook password.
  • Passwords become vulnerable when the internet is accessed over Wi-Fis (home, office, coffee shop, hotel, airport). Unsecured, unprotected and unencrypted connections can enable thieves to steal your personal information including usernames and passwords.

Use two-step verification.

Apple’s iCloud asks users two personal questions before allowing access. And let’s face it: We’re all wondering what Jennifer Lawrence was thinking when she decided it was a smart idea to put her nude photos into cyberspace.

Passwords seem to be the common thread in data breaches. But passwords aren’t too valuable to a hacker if they come with two-factor authentication. This is when the user must enter a unique code that only they know, and this code changes with every log-in. This would make it nearly impossible for a hacker to get in.

Go to appleid.apple.com and you’ll see a blue box on the right: “Manage Your Apple ID.” Click this, then log in with your Apple ID. To the left is a link: “Passwords and Security.” Click that. Two security questions will come up; answer them so that a new section, “Manage Your Security Settings,” comes up. Click the “Get Started” link below it. Enter your phone number and you’ll receive a code via text. If your phone isn’t available, you can set up a recovery key, which is a unique password.

All that being said, two-factor will not protect your phone’s data. Apple is lax in making this happen. What Apple’s two-factor does is protect you when you:

  • Sign in to My Apple ID to manage your account
  • Make an iTunes, App Store, or iBooks Store purchase from a new device
  • Get Apple ID related support from Apple


Change Your Password. World Password Day

We all say we want to be safe online. Yet sometimes our actions betray our words—especially if we’re using simple, short passwords for our online sites. Passwords with fewer than eight characters are the easiest to crack, especially if they include a proper noun or a word that’s in a dictionary. Hackers especially love passwords of all one character. Lose the “ilovedogs” password please.

Take a look at your passwords. Are they simple and include an actual word, or are they long and unique? This World Password Day, take the pledge and change your passwords.

And don’t balk about changing your passwords; you must change them to be safe online. Your password is your first line of defense—not only for your online accounts, but also on your devices. Be like Nike and “Just Do It!” Think about this if you’re reluctant to change them:

  • Research shows that 90% of passwords are vulnerable to hacking
  • The most common password is “123456” and the second most common password is “password”
  • 1 in 5 Internet users have had their email or social networking account compromised or taken over without their permission

Now, believe it or not, a password of eight characters, even with various symbols and no dictionary words, can be cracked. However, a password the length of “Earthquake in the Sahara” would take over a million years to unearth. Ladies and gents, size does matter when it comes to passwords.

Ditch your old passwords

They may already be on the black market, and if not, it’s inevitable. Especially in this post-Heartbleed time, we need to make sure we all change our passwords.

Think pass-sentence, not password

Just four words (with spaces) will make a killer password. Toss in punctuation. Create a sentence that makes no sense, like “Sharks swimming in the shower” and then add some spaces, numbers and special characters so it’s “Sh@rks swimming >n The Sh0wer!” That’s a 30-character password, technically known as a passphrase, and beats out #8xq3@2P. And which is easier to remember?

And don’t use something that a person who knows you might be able to guess: If you own five black cats, don’t make a passphrase of “I love black cats.”

Here’s a fun way to make a passphrase.

Make the change

Now that you have a passphrase that will take millions of years to crack, it’s time to make use of it. Sift through all of your accounts and change your passwords, using a different passphrase for each account, and not similar, either, for optimal uncrackability.

Once all of your new passwords (passphrases) are in place, you’ll have peace of mind, knowing that it would take millions of years for these passwords to be cracked.

Remember, there’s no better time than World Password Day to change your password!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

New year, new Passwords, here’s how

You must change your passwords like you must change your bed sheets. This is not up to negotiation, thanks to the influx of viruses, malware, phishing sites and key loggers.

Changing a password means having a new password for all of your accounts rather than using the same password. Imagine what would happen if someone got ahold of your one password—they could get into all of your accounts.

The biggest problem with passwords, as far as how easily they can be cracked, is when they have fewer than eight characters, and are an actual word that can be found in a dictionary, or are a known proper name. Or, the password is all the same type of character, such as all numbers. There’s no randomness, no complexity. These features make a hacker’s job easy.
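The checks in the paragraph above, written as a screening function a site or a password manager could run when a password is set. This is an added example, not code from the original post: the `COMMON_WORDS` set is a small constructed stand-in for a real dictionary or breached-password list, and the function names are assumptions.

```python
import string

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "ilovedogs", "welcome", "dragon", "monkey"}


def char_classes(pw: str) -> set[str]:
    """Which character types appear: lower, upper, digit, symbol."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")   # spaces and punctuation land here
    return classes


def is_sequence(pw: str) -> bool:
    """True for runs like 123456, 654321 or abcdef (constant step of +1 or -1)."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) > 1 and steps in ({1}, {-1})


def weaknesses(pw: str) -> list[str]:
    """Return every reason a password fails the checks described in the post."""
    found = []
    if len(pw) < 8:
        found.append("shorter than 8 characters")
    if pw.lower() in COMMON_WORDS:
        found.append("dictionary word")
    if len(set(pw)) == 1:
        found.append("one repeated character")
    elif is_sequence(pw):
        found.append("sequential run")
    if len(char_classes(pw)) == 1:
        found.append("single character type")
    return found


if __name__ == "__main__":
    for candidate in ("123456", "111111", "ilovedogs", "Sh@rks swimming >n The Sh0wer!"):
        print(repr(candidate), weaknesses(candidate) or "no findings")
```

An empty result means only that none of these specific checks fired, not that the password is strong.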

How to change Passwords

  • Each site/account should have a different password, no matter how many.
  • Passwords should have at least eight characters and be a mix of upper and lower case letters, numbers and symbols that can’t be found in a dictionary.
  • Use a password program such as secure password software.
  • Make sure that any password software you use can be applied on all devices.
  • A password manager will store tons of crazy and long passwords and uses a master password.
  • Consider a second layer of protection such as Yubikey. Plug your flashdrive in; touch the button and it generates a one-time password for the day. Or enter a static password that’s stored on the second slot.
  • Have a printout of the Yubikey password in case the Yubikey gets lost or stolen.
  • An alternative to a password software program, though not as secure, is to keep passwords in an encrypted Excel, Word or PDF file. Give the file a name that would be of no interest to a hacker.
  • The “key” method. Begin with a key of 5-6 characters (a capital letter, number and symbols). For example, “apple” can be @pp1E.
  • Next add the year (2014) minus 5 at the end: @pp1E9.
  • Every new year, change the password; next year it would be @pp1E10. To make this process even more secure, change the password more frequently, even every month. To make this less daunting, use a key again, like the first two letters of every new month can be inserted somewhere, so for March, it would be @pp1E9MA.
  • To create additional passwords based on this plan, add two letters to the end that pertain to the site or account. For instance, @pp1E9fb is the Facebook password.
  • Passwords become vulnerable when the internet is accessed over Wi-Fis (home, office, coffee shop, hotel, airport). Unsecured, unprotected and unencrypted connections can enable thieves to steal your personal information including usernames and passwords.
  • Thus, for wireless connections (which are often not secure), use a VPN—virtual private network software that ensures that anything you do online (downloads, shopping, filling out forms) is secured through https. Hotspot Shield VPN is an example and has a free version, available for Android, iPhone, PC and Mac.
  • Set your internet browsers to clear all cookies and all passwords when you exit. This way, passwords are never retained longer than for the day that you’ve used them.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Is A Password Enough? A Closer Look at Authentication

Yahoo reported the theft of some 400,000 user names and passwords to access its website, acknowledging hackers took advantage of a security vulnerability in its computer systems.

The Mountain View, California-based LinkedIn, an employment and professional networking site which has 160 million members, was hacked and suffered a data breach of 6 million of its clients and is now involved in a class-action lawsuit.

These sites did something wrong that allowed those passwords to get hacked. However, passwords themselves are too hackable. If multi-factor authentication had been used in these cases, then the hacks may be a moot point and the hacked data useless to the thief.

The password problem has two main parts. First, we are lazy with passwords. For example, in regard to the Yahoo breach, CNET pointed out that:

2,295: The number of times a sequential list of numbers was used, with “123456” by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.

160: The number of times “111111” is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000” is used 71 times.

Second, spyware, malware and viruses on a user’s device can easily record passwords. This means the username (which is often a publicly known email address) and password are easy to obtain from an infected device.

The numerous scams which entice users to cough up sensitive data are a proven con that works often enough to keep hackers hacking.

Multi-factor authentication, which your bank uses, is far better and more secure, and it requires a username, password and “something you have”—a personal security device separate from the PC.

While additional authentication measures might be a burden to some, it’s a blessing to others who recognize the vulnerabilities of their online accounts otherwise.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Username and Passwords Are Facilitating Fraud

In 2005, the Federal Financial Institutions Examination Council stated:

“The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation.  Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.”

Here we are in 2011, six years later, and well over half a billion records have been breached. And while it is true that not all of the compromised records were held by financial institutions, or were accounts considered “high-risk transactions,” many of those breached accounts have resulted in financial fraud or account takeover.

Back in 2005, you might have had two to five accounts that required you to create a username and password in order to log in. Today, you may have 20 to 30. Personally, I have over 700.

The biggest problem today is people most often use the same username and password combination for all 20 to 30 accounts. So if your username is name@emailaddress.com, and your password is abc123 for one website that ends up getting hacked, it will be easy enough for the bad guy to try those login credentials at other popular websites, just to see if the key fits.

The quick and simple solution is to use a different username and password combination for each account. The long-term solution is for website operators to require multifactor identification, which may include an ever-changing password generated by a text message, or a unique biometric identification.

Until that time, the three best tips to create an easy-to-remember but hard-to-guess strong password are as follows:

Strong passwords are easy to remember but hard to guess. “Iam:)2b29!” consists of ten characters and says, “I am happy to be 29!” (I wish).

Use the keyboard as a palette to create shapes. “%tgbHU8*” forms a V if you look at the placement of the keys on your keyboard. To periodically refresh this password, you can move the V across the keyboard, or try a W if you’re feeling crazy.

Have fun with known short codes or sentences or phrases. “2B-or-Not_2b?” says, “To be or not to be?”
