October 14th, 2014
You’ve likely heard warnings about using unsecured WiFi networks, but what have you done to protect yourself? According to a recent study conducted by Experian, most of us are making little to no effort to stay secure despite understanding the risks. More than a third of those responding admitted to logging into their bank account while on public WiFi, and over half of respondents admitted to entering credit card information into sites without checking to see if they’re secure. And yet, 9 out of 10 believe everyone should be more concerned about identity theft.
So, what can you do? At Private WiFi, Jared Howe listed some ways to keep your personal information secure in any situation.
Whether you regularly connect to public WiFi or you’re extremely careful, chances are the password to at least one of your online accounts will be compromised eventually. Password theft can occur in many different ways and it doesn’t always mean an individual user did anything wrong. That’s why it’s important to regularly change passwords and use unique passwords for each account. Changing your passwords protects you in case your log-in credentials were recently stolen and using different passwords for each account ensures that when one account is hacked, it doesn’t mean a criminal now has access to multiple accounts.
Cyber criminals have a variety of methods to infect your device with malware or trick you into giving up your personal information. You have to be cautious of links and attachments sent to you in an email. Downloading these attachments or following these links can infect your device. Sometimes, however, the websites those links point to are designed to persuade you to enter your information, which then allows criminals to use that information to hack into accounts or steal your identity.
Many users don’t use any kind of lock on their smartphone or tablet, but that makes your device more of a target. Even though most locking methods aren’t incredibly difficult for a knowledgeable individual to bypass, just having one in place discourages many would-be thieves. It’s also advisable to disable geotagging features.
If you find yourself needing to connect to public WiFi often, you should consider investing in a Virtual Private Network. A VPN encrypts the data transmitted between your device and the internet, which could otherwise be intercepted by anyone on an unsecured network. There are many options available for effective VPNs.
Staying secure means investing time and money now in order to avoid catastrophe later. For help with security on any of your devices, or to recover from a malware infection, call Geek Rescue at 918-369-4335.
For your business solutions needs, visit our parent company JD Young.
September 10th, 2014
Despite the inherent dangers, many users continue to use the same password over and over again for all of their online accounts. Doing so makes it significantly easier to break into those accounts and, when one account is compromised, it greatly increases the risk to other accounts as well. That issue is the reason that a recent theft of Gmail addresses and passwords could potentially lead to millions of compromised accounts. As Lucian Constantin reports for PC World, 5 million email addresses and accompanying passwords were recently dumped in plain text on an online forum.
The Gmail addresses all have a corresponding password with them, but that password isn’t necessarily the password to the user’s Google account. Instead, it’s suspected that rather than hacking Google to steal this information, cyber criminals have hacked other sites over the span of months or even years to compile this list. By hacking other sites that require an email address to register, the criminals were able to compile a list of Gmail accounts with a possible password that that user has used in the past.
So, for those users who re-use passwords, an unknown number of people could now know both their Gmail address and the password they need to log into it. Thanks to Google’s all-inclusive nature of accounts, compromising an individual Gmail account could also mean compromising their Google+ page, YouTube account, Google Drive and any other Google service being used.
It’s unconfirmed how many of the 5 million addresses and passwords are valid, but it’s estimated that at least 60 percent could be used successfully. That means that about 3 million Gmail users have their log-in credentials available online in plain text. Even if you don’t re-use passwords, this still seems like an ideal time to change not only your Gmail password, but also your passwords to other important online accounts.
At Geek Rescue, we have the expertise to enhance security at home or at the office and on any type of internet-ready device. If you have questions or concerns regarding the security of your devices, call us at 918-369-4335.
July 14th, 2014
Common advice to web users is to always use a unique password for each online account. By doing so, all of your accounts aren’t compromised if someone else learns one of your passwords. The main complaint that accompanies this advice, however, is that it’s impossible to remember dozens of passwords and which account they each go to. That’s why password managers have become so popular recently. A password manager stores your log-in credentials for any site and encrypts them. Users are able to access their passwords, or have the password manager log-in for them, by using one master password. As Zeljka Zorz reports at Help Net Security, however, this introduces more problems if the password manager itself is insecure.
A group of researchers at the University of California, Berkeley set out to test some of the most popular password managers available to find any vulnerabilities that would lead to a user’s log-in credentials being compromised. The five managers tested, LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword, all contained some form of vulnerability.
The vulnerabilities were found in different features of the products, and each had a different root cause.
After the flaws were reported, however, all but NeedMyPassword responded and fixed the issues within a few days. It should also be noted that there is no evidence the vulnerabilities found by the researchers were exploited in the wild. This means that while the potential for an attack existed, no attackers had found it before it was discovered and patched.
That’s an important characteristic of any application. While vulnerabilities are unavoidable, being proactive in finding them and fixing them before they’re exploited is vital.
For users, the news that password managers contain vulnerabilities is no reason to avoid them. It is important to keep track of the news of potential attacks and regularly change your master password, however.
Many attacks that compromise online accounts stem from malware that’s infected your device. For help recovering from an attack, cleaning your system or creating a more secure environment, call Geek Rescue at 918-369-4335.
May 21st, 2014
A typical internet user has too many online accounts to manage a unique, strong password for each one. While passwords are still the primary form of security for many important online accounts, being able to realistically keep track of a different password for all of them, which is recommended, is nearly impossible. Ian Barker of Beta News published some tips on how to keep up with passwords when there are seemingly too many to manage.
A recent survey revealed that more than half of internet users have more than 20 active online, password protected accounts. Another 27-percent have between 11 and 20 online accounts. Can you keep 20 different passwords of varying length and using numbers, letters and symbols straight? For that matter, can you keep 11?
For most of us, the answer is a resounding ‘no’. This leads to bad habits. Reusing passwords is common. Using easy to guess passwords is too. This leads to accounts being compromised, which leads to identity theft and other serious problems.
One answer is to use a password manager. There are plenty of trustworthy managers available that will store all of your passwords behind one master password. Many managers even log you in automatically to your accounts. Fewer than half of internet users are using password managers, however.
The other option, and one that is much more realistic than keeping track of dozens of different passwords for different accounts, is to identify which accounts hold the most valuable information. Banking and credit card sites are obvious choices for your strongest passwords. Don’t overlook ecommerce sites that have your credit card information, address and other personal information stored on them. Also, consider how costly it would be for a criminal to gain access to your social media accounts. Finally, your primary email address, which likely is the destination for password reset messages from other accounts, is vital to protect properly.
Each of these accounts demands a long, strong, unique password to minimize the risk of it being hacked. Some, like email and social media, can even use two-factor authentication to up the security ante even more.
Other accounts, however, don’t need as much attention. An account for a message board, news site or other site where a username and password are the only information at risk doesn’t necessarily need a strong, unique password. If these accounts are hacked, you won’t lose much.
For many users, concentrating solely on their most valuable online accounts limits the number of important passwords to fewer than ten, which is much easier to manage.
If you’ve been the victim of an attack and need help recovering or help improving security at your home or business, call Geek Rescue at 918-369-4335.
May 1st, 2014
Earlier this month, news broke of the Heartbleed bug that compromised the expected security of websites using OpenSSL. The bug allowed attackers to steal unencrypted log-in credentials from web servers through a vulnerability; more specifically, what’s called a “bounds check” was missing. Buried in those initial news reports was the warning to change passwords as soon as possible, but only after websites patched the vulnerability. At Dark Reading, Dave Kearns explains the best practices to stay safe in the wake of Heartbleed and why it’s not always wise to change passwords.
In the context of Heartbleed, the knee-jerk reaction was for users to change passwords as soon as possible because their old passwords could be stolen off a server at any time. It was quickly pointed out, however, that most websites hadn’t patched the vulnerability yet, which means a user changing their password wouldn’t protect their account. It would just hand that new password to any attacker who decided to steal it.
In this case, changing passwords wasn’t the best idea. In fact, users who didn’t change passwords and stayed away from a site completely were probably better off than those that proactively logged in and changed their account. The Heartbleed bug makes users vulnerable when they enter their account information. So, logging in and changing your password would potentially be giving that information to an attacker. But, leaving your account dormant would keep you safe.
Going forward, there are tools available to add on to your web browser that will tell you whether or not a website has been patched to eliminate their vulnerability to Heartbleed. If it has, you’re free to log-in and change your password. This protects you in case your old password was compromised at some point.
If the site hasn’t been patched, leave immediately. That site isn’t safe for use until the vulnerability is fixed.
The best way to protect yourself from catastrophic damage in the wake of an attack on online accounts is to always use a unique password for each account you hold. That way, if one insecure account is compromised, your other accounts are safe. For users that use the same password for multiple accounts, the theft of one from an insecure site like a message board could lead to important accounts like social media, email or banking sites being hacked as well.
At Geek Rescue, we have tools to protect you from attacks and to help you recover. Call us at 918-369-4335.
April 10th, 2014
When you are entering sensitive information into a website, like credit card numbers, social security numbers or even just log-in information, you expect that the site will protect this data. Most sites use ‘HTTPS’, which stands for Hypertext Transfer Protocol Secure, to offer protection to users. Unfortunately, that means if a vulnerability is found in HTTPS, there are millions of websites that are suddenly putting valuable information at risk. As Doug Aamoth reports for Time, the Heartbleed bug is that worst case scenario realized.
Heartbleed exploits a flaw in OpenSSL, which is a common method used to encrypt data and implement HTTPS on a site. This bug allows attackers to steal data and listen in on communications between the user and the website. This isn’t a new development either. Researchers believe the flaw in OpenSSL has existed for at least two years.
The good news is that Heartbleed wasn’t discovered through an attack in the wild. Instead, it’s a proof of concept. This means that instead of attackers actually successfully exploiting the Heartbleed bug and victimizing actual users, the bug was discovered by researchers, who alerted the public. This doesn’t make your data any safer, but it means a permanent solution could be found before any large scale damage occurs.
If left unchecked, there’s certainly the possibility for large scale damage. As many as two-thirds of web servers could be affected by Heartbleed. There are potentially millions of other devices, such as Android smartphones and tablets, that could also be exploited by the Heartbleed bug.
The knee-jerk reaction to a bug capable of stealing log-in credentials would be to quickly change every password on every online account. But, it’s not that simple. If a website is still vulnerable to the bug, changing your password might just be giving the new information to eavesdropping criminals.
For users, the best option is to closely monitor accounts for suspect activity and wait for websites to update their infrastructure.
There are a couple of options you can use to check if a site has protected itself or not. First, this site allows you to enter the URL of a site you use and see if it’s vulnerable to Heartbleed. If it is, you should avoid it and not log in until the problem is fixed. If you’re a LastPass user, you can also use the password management tool to check on which of your saved passwords could have been compromised.
Once important sites like your bank’s website, credit card sites, any site where you pay bills and social media and email are given the all clear, be sure to change your passwords. Just because the site is now safe doesn’t mean that your password couldn’t have been stolen at some point to be used later.
At Geek Rescue, we know security. Whether you need enhanced security for your website, office, or home network, call us at 918-369-4335.
April 3rd, 2014
The “Find My iPhone” feature is a valuable security tool and the last hope for users who have had their smartphone stolen or have lost it. Previously, reports surfaced pointing to vulnerabilities in Apple’s “Lost Mode”, which allows users of iPhones, iPods and Macs to lock their device remotely. As Ashley Feinberg reports for Gizmodo, a security flaw has also been found in “Find My iPhone”, which allows strangers to completely unlock a stolen device.
“Find My iPhone” allows users to log in to their iTunes account and find the location of their smartphone as long as the device is still turned on. Not only does this help users recover lost phones, but it also ensures that criminals can’t steal and sell iPhones. As long as the original user’s iCloud account information is still on the device, it can be tracked down.
Erasing the iCloud account requires an Apple ID password. While breaking that password is possible, it would usually require a minimum of a few hours to do so, which would provide the rightful owner plenty of time to find their missing device.
A video recently posted to YouTube, however, demonstrates how criminals can bypass the need for a user’s Apple ID password and delete their iCloud account. Doing so doesn’t even require a great deal of technical expertise. All that’s needed is for the “Delete Account” button to be pressed at the same time as the “Find My iPhone” switch from the iCloud settings menu. That brings up the password prompt and the delete window at the same time, which freezes the device.
From there, after restarting the device, you’ll find that you’re able to delete the iCloud account without a password and have free rein.
While no fix for this issue exists yet, Apple has likely been working on one since this exploit was made public. Users who have a PIN in place to lock their iPhone are already partially protected from this bug. Even if their device is stolen, the PIN has to be broken before anyone would even have access to this exploit.
While Geek Rescue can’t find your missing smartphone, we do fix it when it breaks. For any issues with your device, call us at 918-369-4335.
March 21st, 2014
There are many tools and applications available to keep your information and your network safe from attacks. When it comes to online accounts, however, security starts from the user’s end with effective passwords. A strong password doesn’t guarantee that your account will never be compromised, but it does protect you from a number of attacks a weaker password would succumb to. At About, Andy O’Donnell explains the characteristics of strong passwords so you can create one for all of your online accounts.
Do’s
Most brute-force attempts at cracking your password involve guessing from a set list of common passwords. The more random your password is, the less likely it will be guessed by an attacker.
Random is good, but not if it’s still overly simple. Passwords that only use letters or only use numbers are much easier to crack than those that use both. Adding symbols into your password will further strengthen it.
Longer passwords take much longer to crack than shorter passwords. The reason is simple mathematics. When a password is 12 characters long, there are 12 different blanks to fill in and millions of different combinations. A password that’s only 5 characters long drastically cuts down on the number of combinations possible.
Don’ts
Everyone has so many accounts online, it’s almost impossible to remember a unique password for each one. That’s why many users opt to use the same password for multiple websites. That creates the possibility, however, that if one of your accounts is compromised, all of them will be. Some sites don’t use as robust security as others. So, using the same password for your bank as you do for an online message board is creating an easier path for criminals to infiltrate your bank account.
Everyone knows that ‘12345’ is a weak password, but some users believe that “qwerty” is strong. It isn’t an actual word, but attackers know this is a popular password. If typing your password forms a pattern on the keyboard, it’s likely going to be guessed in the case of an attack.
Many websites have started demanding users use longer passwords by implementing a minimum character length. To get around that, some users simply put in the same password twice. That breaks a number of these rules, however. It forms a pattern and isn’t random.
There are a number of ways a criminal can break into one of your online accounts. More intelligent attacks are even able to circumvent the number of failed log-in attempts some sites limit you to. To stay safe, you need a strong password that’s changed regularly.
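The do’s and don’ts above, expressed as checks that a sign-up form or an audit script could run. This is an added example, not code from the original article; the 12-character minimum, the short common-password list and all function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample list; a real check would load a large list of leaked passwords.
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein"}

# Rows of a US QWERTY keyboard, used to spot passwords typed as a keyboard pattern.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 12  # assumed policy; the article contrasts 12 characters with 5


def charset_size(password):
    """Size of the alphabet the password draws from (letters, digits, symbols)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def keyspace_bits(password):
    """log2 of the number of combinations for this length and alphabet.
    Only meaningful if the characters were chosen at random."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def is_keyboard_walk(password, run=4):
    """True if any `run` consecutive characters follow a keyboard row, either direction."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in lowered:
                    return True
    return False


def is_repeated(password):
    """True if the password is a shorter string typed two or more times."""
    n = len(password)
    for unit in range(1, n // 2 + 1):
        if n % unit == 0 and password[:unit] * (n // unit) == password:
            return True
    return False


def audit(password):
    """Return the list of rules from the article that the password breaks."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if len(password) < MIN_LENGTH:
        problems.append("short")
    classes = sum([
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < 2:
        problems.append("single-class")
    if is_keyboard_walk(password):
        problems.append("keyboard-pattern")
    if is_repeated(password):
        problems.append("repeated")
    return problems
```

A password that meets a length minimum only by being typed twice is still reported as "repeated", and `keyspace_bits` shows how much each extra character adds when the characters are chosen at random.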
If you are the victim of an attack and need help getting rid of malware or implementing better security, call Geek Rescue at 918-369-4335.
March 18th, 2014
Phishing scams are a common threat of the internet. If users aren’t careful, they can easily be tricked into giving away log-in credentials and other valuable information without even realizing they’re being scammed. At Gizmodo, Adam Clark Estes reports on one of the latest and trickiest phishing scams to hit the web.
The reason this scam is so tricky is because it manages to avoid some of the usual tell-tale signs of phishing. It begins with an unsolicited email arriving in your inbox. The email has the subject line “Documents” and contains a link to Google Drive. On the surface, receiving an email from someone you don’t know that’s called simply “Documents” sounds suspect. But, the Google Docs link is legitimate and points to a google.com URL. What’s the harm in following the link and finding out if this document is really meant for you?
Unfortunately, that’s the thinking of many users. When you follow the provided Google Drive link, you land on an official looking Google log-in page. In fact, it’s an exact replica of an actual Google log-in page. The only difference is that it asks you to enter both your email and password, even if you’re already logged in to your Google account. Many users won’t think twice about entering their information, but noticing this subtle inconsistency is key to avoiding a scam.
Logging in to this spoofed page does take you to a legitimate Google document, but attackers already have your password.
This is another example of how online threats are becoming more intelligent and harder to avoid. For phishing scams like this one, it’s important to remember to avoid following links in your email. Many times, you can visit a website directly, rather than following a provided link. This way, you’ll be sure to land on the actual site rather than a malicious copy.
This scam uses Google Drive because users trust a page with Google’s recognizable logo and branding and because users can’t access a document in Drive without following the link. If you receive an email inviting you to view a file in Drive, be sure you verify who sent it before following the link.
If you’ve been the victim of an attack and need help recovering data, removing malware or improving security, call Geek Rescue at 918-369-4335.
March 10th, 2014
Recently, Apple has been making headlines for the wrong reasons. Multiple security flaws have been reported that affect users of iPhones, iPads and Macs. While in the past a lower number of targeted attacks made Apple’s operating systems safer environments than Microsoft’s Windows, these reports suggest that Apple doesn’t necessarily have a more secure operating system. At Network World, Bob Violino takes a closer look at OS X, the operating system used on Macs, to expose the potential security flaws within.
How often an operating system is patched and updated often makes the difference in keeping attacks at bay. Unfortunately for Apple device users, support is usually only given to the current operating system and the previous version. This leaves a number of users with older machines in the lurch. Currently, users of OS X Snow Leopard from 2009 are already missing out on some updates and the critical security patches they are given access to come slowly. This is in contrast to Windows users who typically enjoy support for much longer. Windows is ending support for XP users this April after nearly 13 years.
Many users aren’t certain about how to properly secure their computer. Even more advanced users may not be aware of points where they are most vulnerable. To help users protect themselves, security configuration guides from the manufacturer are extremely helpful. Unfortunately, no recent version of OS X has been provided with a configuration guide from Apple. This leaves users in the dark about proper security and leads to many believing they’re more secure than they actually are.
As mentioned in the first section, updates are key in protecting users from attacks. Apple has been slow to update OS X, however, especially concerning its open source components. Slow updates mean that users could be vulnerable to a known exploit. Even if it doesn’t affect security, compatibility and other issues aren’t being fixed in a timely manner.
- Easy To By-Pass Passwords
OS X includes a feature that’s designed to make working with your Mac more convenient. Any attached disk that includes an installed version of OS X can be used to boot the machine. Unfortunately, this allows someone to bypass the password required to log in on your machine by booting from an attached disk. This only comes into play if your laptop or computer is stolen, but it is still a concern.
This isn’t an exhaustive list of potential security issues with OS X, but it illustrates that there’s additional security required for most users.
If you’re having problems with your Mac, bring it to Geek Rescue for a fix. If you’d like to explore security options to protect yourself from future attacks, call us at 918-369-4335.