Jul 05 2014
 

An investigation by Cisco found that malicious advertisements served on Disney, Facebook and The Guardian newspaper domains led unsuspecting visitors to malware; the affected computer users had ransomware installed on their devices.

Ransomware is malicious software that installs on your device without your consent – it gives the cybercriminal the ability to lock you out of your device, typically by encrypting your data. The cybercriminal will then offer to give you access to your data or device again, provided you pay.

Ransomware is quickly becoming the scourge of the Internet, and Cisco Systems is reporting that several very popular web sites have recently been distribution points via malvertising. According to an investigation detailed on the Cisco Systems blog, popular web sites including Disney and Facebook have been compromised to display infected advertisements that download a ransomware program similar to the notorious CryptoLocker.

Cisco analyzed data accumulated by its Cloud Web Security (CWS) service, which monitors its customers’ web use and warns them if they have been visiting domains that could be malicious. Cisco’s analysis determined that in the last month there has been a dramatic increase in sites compromised by cyber criminals using the RIG exploit kit (EK). According to Cisco, “we have so far blocked requests to over 90 domains for more than 17% of our Cloud Web Security (CWS) customers” because of the RIG EK.

Cisco has determined that many of the sites compromised by the use of RIG have been spreading the Cryptowall ransomware via compromised advertisements (malvertising). These appear to exploit the following vulnerabilities:

  • Silverlight: CVE-2013-0074
  • Java: CVE-2013-2465 and CVE-2012-0507
  • Flash: CVE-2013-0634

(from Cisco)

Once ransomware has infected your device, it’s extremely difficult to retrieve your data because of the encryption used to scramble it. Users often have to resort to restoring their devices to factory defaults, losing their data. Proactively protecting your devices is the solution, rather than reacting once it has happened.

Our advice is to ensure your data is backed up in the first place, so that if this does happen you can restore your device without losing your data. User education is also extremely important, especially in business, where not all employees may be technically proficient: train employees not to open attachments from unsolicited emails and to be wary of websites that ask them to download and open files. Make sure all operating systems and browsers are up to date with all patches applied, and make anti-virus software a requirement on your own and your employees’ devices, especially if employees use their personal devices for business.

 Posted by at 6:53 am
Jul 04 2014
 

We like to believe we’re different, but when it comes to thinking up passwords, it appears that we’re all just the same after all. Whether it’s human nature or a distinct lack of creativity when it comes to the mundane, we’re all choosing the same passwords as each other. A study of 6 million passwords by Mark Burnett found that 99.8% of them fall within the same 10,000. In fact, around 90% fall within the same 1,000, and nearly 5% of people simply use password as their password :)


The top 500 passwords courtesy of Xato.net

So, what does it mean for us? Well, if we’re one of the 99.8% it means our bank, our blog, our work logins are all pretty easy targets. Hackers are clever folk, but with so many people choosing the same passwords, they hardly have to break a sweat to crack them.

Your aim should be to make sure you’re in the other 0.2%, and that your passwords are strong enough to make it not worth the hackers’ time to try and crack them.

How do your current passwords stack up? Take the test using our Password Strength Checker - it will tell you just how good or bad your passwords are and how long it’ll take a hacker to crack them.

Take the my1login password test!

If you’ve tested your passwords and they’re strong, excellent! You’re in the 0.2% and can rest easy. If your current passwords aren’t strong, then it’s time to take some steps to improve your password security.

5 tips to improve your passwords:

  • Do make them at least 14 characters long
  • Do use letters, digits and symbols
  • Don’t use dictionary words or names
  • Don’t use number sequences
  • Don’t simply change e’s for 3’s, a’s for 4’s or append numbers to the end of words.
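
One way to turn the five tips above into a checker, as an added example that is not part of the original post or my1login’s own product (the short word list, the leet mapping and the entropy estimate are constructed assumptions):

```python
import math
import re

# Constructed sample word list; a real checker would load a full dictionary
# and a names list (assumption, not from the post).
SAMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "letmein",
                "summer", "michael", "jennifer"}

# Common "e for 3, a for 4" style substitutions that tip 5 warns against.
LEET_MAP = str.maketrans({"3": "e", "4": "a", "0": "o", "1": "i",
                          "$": "s", "5": "s", "@": "a", "7": "t", "!": "i"})


def normalise(pw):
    """Lower-case, drop appended digits/symbols, undo leet substitutions."""
    base = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # strip "...123" / "...!" tails
    return base.translate(LEET_MAP)


def find_word(base):
    """Return a dictionary word hidden in the normalised password, if any."""
    for word in sorted(SAMPLE_WORDS, key=len, reverse=True):
        if word in base:
            return word
    return None


def has_number_sequence(pw, min_len=3):
    """True if the password contains an ascending, descending or repeated
    run of digits of at least min_len (e.g. 123, 987, 111)."""
    for run in re.findall(r"\d{%d,}" % min_len, pw):
        for i in range(len(run) - min_len + 1):
            chunk = run[i:i + min_len]
            steps = {int(chunk[j + 1]) - int(chunk[j])
                     for j in range(min_len - 1)}
            if steps in ({1}, {-1}, {0}):
                return True
    return False


def estimated_bits(pw):
    """Rough brute-force entropy: length * log2(size of character pool)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33   # printable ASCII symbols
    return round(len(pw) * math.log2(pool)) if pool else 0


def check_password(pw):
    """Return the list of tips the password violates (empty means it passes)."""
    problems = []
    if len(pw) < 14:
        problems.append("shorter than 14 characters")
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if not (has_letter and has_digit and has_symbol):
        problems.append("missing letters, digits or symbols")
    if has_number_sequence(pw):
        problems.append("contains a number sequence")
    base = normalise(pw)
    word = find_word(base)
    if word and base != pw.lower():
        problems.append("dictionary word '%s' disguised by substitutions "
                        "or appended characters" % word)
    elif word:
        problems.append("contains dictionary word '%s'" % word)
    return problems
```
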

If you’d rather not have to think about creating strong passwords, as you know, my1login’s password manager can do it for you. my1login lets you generate super-strong passwords such as e#5/yXczsID~Ygw-wIzvXJP?9 for all your accounts and saves you the trouble of having to remember or type them again: try my1login for free.

 Posted by at 1:58 am
Jul 02 2014
 

MongoHQ is the latest company to suffer a security breach due to its own poor password practices.

Jason McCay, MongoHQ’s CEO, reported “On October 28, 2013, we detected unauthorized access to an internal support application using a password that was shared with a compromised personal account.” The consequences of the breach were huge, giving hackers access to customer account information, including databases, email addresses and bcrypt-hashed user credentials. Furthermore, it had the knock-on effect of causing some of MongoHQ’s customers significant financial and reputational damage.

Pointless Password Policies

This breach is another example of how password policies rolled out by organizations are not only ineffective, but ultimately pointless when there’s no governance in place to measure compliance with them. Forcing minimum requirements for passwords does not work, primarily because the aims of the employee are often at odds with the aims of the business. Organizations want security, while employees strive for convenience. The prospect of remembering multiple complex passwords is a burden many employees don’t want or need. Even employees with the best of intentions often leave the company exposed by unknowingly using weak passwords that meet the minimum requirements of the password policy. Meeting those minimum requirements can give a false sense of security that accounts are well protected, when in fact the passwords can be cracked in minutes. Meeting the minimum requirements of a password policy is no guarantee of strong passwords, and with no mechanism to measure the effectiveness of the policy, businesses and employees alike can be blissfully unaware that they have security vulnerabilities.

Typical Password Policies

Password policies rolled out by companies tend to put in place a minimum standard for passwords. Typically this requires passwords to be a minimum of 8 characters and to use a capital letter and a number. It’s policies such as this, though, that have resulted in Password1 being one of the most popular passwords in existence, used by millions every day across the globe. Password1 meets the minimum requirements for the MS Windows login, which has become a de facto standard, even though it’s totally inadequate in today’s world. Businesses often unknowingly compound the problem by requiring password changes every few months. Forcing employees to change passwords frequently can actually reduce security, as employees start to use weaker passwords that are easier to remember, often simply incrementing a digit on an existing password to fulfil the policy requirement. It’s simply convenient for employees to create something that’s easy to remember so they can get on with their job. The MongoHQ example is typical of what goes on in every organization, where employees seek out convenience while finding a way to meet the minimum requirements of any corporate password policy.

Buffer Hacked

The MongoHQ employee using the same password for a personal and a business account not only caused a breach of MongoHQ, but had the knock-on effect of compromising one of MongoHQ’s biggest customers, Buffer.

Buffer is a social media app that allows people to queue posts to their social media accounts. The MongoHQ breach gave hackers access to Buffer’s database (managed by MongoHQ) and resulted in hackers spamming content to Buffer users’ social media accounts.

Even with a password policy in place, it was ultimately useless to MongoHQ without the company having a means to measure employee compliance. Employees using the same passwords for business accounts that they use for their own personal accounts is a typical weak practice, and was also the cause of the Dropbox breach in 2012.

How my1login can help

my1login is a cloud-based business password manager that works in conjunction with existing business passwords, so that end users only require one secure login for all business services.

 

my1login’s password reports provide management with a mechanism to measure employee compliance with password policies. Management can see at a glance where there may be security vulnerabilities due to employees using weak passwords or weak password practices, such as using the same password across multiple accounts, the problem which led to MongoHQ and Dropbox being hacked.

Find out how my1login can protect your business.

 Posted by at 7:50 am
Jun 30 2014
 

Last August we engaged with the University of California Berkeley who were assessing several on-line password security services.

We were delighted to be included as one of the leading password security services and to have the beta version of our old consumer product subjected to additional ethical hacking by acknowledged leaders in the field. The outcome of this extensive, in-depth analysis of the five products tested was that my1login had the fewest issues across all of the areas evaluated. The issues raised by the experts at the University of California Berkeley were resolved by our development team the same day, and we were pleased that none of the issues found affected any of our customers.

The University of California Berkeley is at the forefront of computer security research, and we were delighted to receive the benefit of the wisdom of some of the leading minds in the security industry.

You may know this already, but we no longer offer the beta consumer version of our service. However, this beta service provided us with a rich test-bed and we gained hugely valuable insight from it. It was remarkable that even an old beta product of ours out-performed some of the other well established competitors in the industry. For more detailed information please check out this link.

 Posted by at 5:15 am
Jun 09 2014
 

Our CEO, Mike Newman is in London today to attend the UK Technology Reception at Buckingham Palace, celebrating tech success and innovation in the UK.


The Duke of York has a strong focus through his work in supporting Technology in the UK and Entrepreneurship. His Royal Highness is delighted that The Queen and The Duke of Edinburgh are to give a Reception at Buckingham Palace on Monday, 9th June.

Mike comments, “my1login is increasingly becoming recognised around the world as an innovative security company, it is a great privilege to be invited to attend such a wonderful event that highlights and celebrates the excellent work of the UK’s technology industry.”

my1login is designed to protect businesses against 65% of the causes of data security breaches. Our services protect businesses against serious financial and reputational damage resulting from a hacking incident, and also prevent the use of weak passwords and weak password practices, where employees use the same password across multiple websites. Our technology means that employees only need one secure login to access business passwords whilst management benefit from a full audit trail of password security.

If you’d like to see how my1login can improve your online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

 
May 22 2014
 


The cyber-attack on eBay is the world’s biggest online security breach, in which the passwords, names, addresses and phone numbers of the company’s 145 million users have been stolen by hackers.

An official news release by eBay Inc. on May 21st stated ‘eBay Inc… will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data.’

The statement comes after the news that eBay’s database was compromised sometime between February and March. The database included customer usernames, email addresses, physical addresses, phone numbers and dates of birth, as well as encrypted passwords. The company stresses that the database did not contain financial information and that PayPal, owned by eBay Inc., has not been affected.

‘The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.’

eBay has been severely criticised for its handling of customer data, the main question being why all personal data stored in the database was not encrypted. The company has also been criticised for its handling of the breach: it neglected to alert users directly by email that their credentials and personal information had been compromised, and failed to provide easy-to-find links to change passwords on its website.

The breach, which was detected two weeks ago, occurred after ‘Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network’, according to the statement. It’s certainly not the first time that a company has suffered a security breach or major embarrassment because of poor password policies. A few examples: Dropbox suffered a data breach after an employee’s credentials were stolen and used to access documents containing user email addresses; Thomson Travel was duped out of $100,000 (£70,000) by an ex-employee; and Wyndham Hotels’ weak admin passwords resulted in a lawsuit after 50,000 customers’ credit card details were compromised.

Employing good password practices is vital to keeping your online information safe, as well as to preventing a total PR nightmare for your business. Firstly, it is strongly advised that you change your eBay password as soon as possible, and while doing so it is worth changing your PayPal password too, or that of any other account that uses the same credentials. Before heading off to do so, it is imperative that you follow good password practices:

  1. Don’t use the same password on multiple sites.
  2. Create a strong, complex and unique password.

Using a password manager like my1login will not only help you implement strong, complex passwords for all your online accounts; those passwords can also easily be changed if a specific account is hacked. It also removes the hassle of having to remember individual logins.

my1login allows you to use one super-strong and unique password that grants you access to all of your accounts, without having to remember the individual logins. Therefore, you can create strong, complex passwords for all your accounts: for example, a typical password for your Gmail account could be “$~dY>zD9n_+J]SkMZoPlZhBZ3” and a typical password for your Facebook account could be “DCTt8B-4J#F$Hxssv7}3k)oax”. The length and entropy of these passwords make them extremely strong, and using different passwords for all your accounts means that should any remote site be compromised, no other account of yours would be compromised.

Using my1login also eliminates the need to rely on insecure practices such as writing passwords down or storing them in documents, spreadsheets or even on your phone. Passwords can also be securely shared using my1login, meaning you’ll never need to email a password, or select a weak password because it’s simply easier to convey.

If you’d like to see how my1login can improve your online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

 

 

May 02 2014
 

Our team has spent an exhilarating week exhibiting in London at InfoSecurity Europe, Europe’s largest dedicated Information Security event. It is the most important date in the calendar for information security professionals across Europe, and it was great to be once again exhibiting at this prestigious event.

Earl’s Court – Venue for InfoSecurity 2014

my1login’s stand at InfoSecurity14

Thanks to all of our existing business customers who came by stand B89 to say hello – it was great to meet you again, and wonderful to meet some of you in person for the first time. We’re proud to continue to help you solve the password management challenges that your businesses face.

It was another great year at InfoSec and again the sheer volume of interest was humbling. We’ll be returning once again next year and are looking to increase the size of our stand to cope with the number of visitors and product demonstrations.

my1login Product Suite

If you’re interested in finding out how my1login’s Identity and Access Management services can help your business, just let us know and we’ll be in touch:

  • Cloud-based Password Manager
  • Desktop Password Manager
  • Active Directory Self-Service Password Reset
 

 

 Posted by at 9:31 am
Apr 25 2014
 

my1login is exhibiting at Infosecurity Europe on April 29th – May 1st at Earls Court in London. You will find the team showcasing our Enterprise service at stand B89.

We will be showcasing:
  • AD Self-service Password Reset
  • Cloud Based Password Manager
  • Desktop Password Manager

my1login Products

Infosecurity Europe is Europe’s number one dedicated Information Security event. The event features free access to an unrivalled education programme, showcasing of new and emerging services and technologies and access to professional expertise. It is the most important date in the calendar for information security professionals across Europe.

We will be showcasing our business password manager solution, which is suitable for businesses of any size. Unlike traditional single sign-on solutions, my1login is cloud-based and can be set up across an organisation rapidly, as it needs no integration or application interfaces with the business’s existing IT systems.

If you want to find out how you can reduce corporate risk and increase password security in your business, the team would be delighted to provide a quick demo and answer any questions you may have during the conference. Or, if you simply fancy a chat, pop by stand B89 and meet the team.

If you’d like to book an appointment to see the team and discuss how my1login can improve your business’s online security and help protect you against hacks, leave your email address and we’ll set up a time.

 

 

Apr 11 2014
 

On Monday 7th April 2014, news of the Heartbleed bug broke. The bug affects roughly 70% of internet websites that transmit their data over a secure channel using OpenSSL. Heartbleed was a programming error in the OpenSSL code that is used by a huge swathe of the world’s software to manage the secure connections between web browsers and web servers. By exploiting this programming error it was possible for an attacker to view the contents of this “secure” channel between your web browser and the server.

This bug does not affect your my1login account, as your key phrase is not sent to or stored by my1login, and any passwords you store within your account are only sent to my1login in encrypted form. So, even if the SSL packets to and from my1login were viewable, all the attacker would see is encrypted data that’s useless to them.

Heartbleed could affect your interaction with sites that do not employ the same levels of security as my1login. So, where you have entered your my1login passwords on websites that were vulnerable there is a risk that an attacker could have captured your passwords.

How does it affect my1login?

OpenSSL is used by my1login for TLS/SSL, so our servers would technically have been ‘vulnerable’ to this bug. my1login patched our servers on 8th April to remove the vulnerability. The bug was around for some time before being discovered. While it’s unlikely that the my1login SSL keys were compromised, we’re taking the precaution of having our SSL certificates renewed as well.

While Heartbleed is a serious issue for some providers, my1login actually protects users against the vulnerability. With my1login your usernames, passwords and secure notes are encrypted before they are transmitted to and from my1login, so even if an intruder attempted the exploit, they would only obtain encrypted data that is useless to them.

What you should do next

Your my1login key phrase will not have been exposed, even if my1login’s certificate was compromised. It is therefore not necessary for you to change your my1login key phrase.

In relation to other websites you use, these will have been vulnerable to this OpenSSL bug, as those sites, unlike my1login, will not have encrypted your data before it was transmitted over SSL.

There is some advice out there to change every single password you have. For large enterprises this is an expensive undertaking. Our advice would be to change the passwords on your high-value websites immediately and carry out a risk assessment on the remaining ones. Before changing the passwords, though, check that the website has patched the vulnerability and updated its SSL keys. You can check this here: http://filippo.io/Heartbleed/

A my1login account helps reduce the cost of large-scale password changes by centralizing these assets. Additionally, our Password Generator tool enables you to easily create new, strong passwords to protect your accounts.

Additionally, be wary of phishing attacks from spoofed emails and websites asking you to reset passwords. Such attacks often follow incidents like this one, where hackers take advantage of a previous hack to engineer passwords from unsuspecting web users. You can check out our article on phishing to keep yourself protected.

If you’d like to see how my1login can improve your online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

 

Apr 08 2014
 

Like all good IT security businesses, my1login became aware of the Heartbleed OpenSSL bug in the last 24 hours.

Heartbleed turns out to be a programming error in the OpenSSL code that is used by a huge swathe of the world’s software to manage the secure connections between web browsers and web servers. By exploiting this programming error it is possible for an attacker to view the contents of this “secure” channel between your web browser and the server. So, even if you use the https version of websites and see the padlock symbol, a hacker would potentially still see the data that’s being transmitted.

The bug was reported in the last 24 hours and OpenSSL had fixes available this morning. Here at my1login we have patched our servers with no reported downtime for any of our customers.

While Heartbleed is a serious issue for some providers, my1login actually protects users against the vulnerability. With my1login your usernames, passwords and secure notes are encrypted before they are transmitted, so even if an intruder attempted the exploit, they would only obtain encrypted data that is useless to them.

Heartbleed vulnerability

 

How my1login protects your business

There’s one certainty in IT security: nothing is 100% secure. Given enough time and money, anything can be broken. The only way to stay secure is to make it a numbers game, encrypting your data in such a way that it would take a prospective hacker millions of years to break it. This is where my1login comes in, using AES 256 encryption to make it impossible for hackers to access your data unless they have the key used to encrypt it, a key that is not stored by my1login and is known only to you. Even my1login doesn’t know the encryption key (your key phrase) that is used to encrypt your business logins, so even we cannot see your unencrypted passwords.

From the Heartbleed.com website that reported the bug:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

You can find out if any sites that you use still have this vulnerability by going to http://filippo.io/Heartbleed

If you’d like to see how my1login can improve your online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

 Posted by at 10:14 am