Apr 11 2014
 

On Monday 7th April 2014, news of the Heartbleed bug broke. Heartbleed was a programming error in OpenSSL, the library that a huge swathe of the world’s software uses to manage the secure connections between web browsers and web servers. Because OpenSSL sits behind the two most widely deployed web servers, Apache and nginx, the disclosure put the potentially exposed share at around two thirds of active websites, although only servers running an affected OpenSSL version were actually vulnerable. By exploiting the error an attacker could repeatedly read up to 64 KB of a server’s memory, which could contain session cookies, usernames and passwords in flight, and even the server’s private key, so the contents of this “secure” channel between your web browser and the server were exposed.

This bug does not affect your my1login account because your key phrase is never sent to or stored by my1login, and the passwords you store in your account are encrypted before they leave your browser. So, even if the TLS traffic to and from my1login had been viewable, an attacker would have seen only encrypted data with no key to decrypt it.

Heartbleed could affect your interaction with sites that do not encrypt data before it enters the TLS channel. Where you have entered passwords stored in my1login on websites that were vulnerable, there is a risk that an attacker could have captured those passwords.

How does it affect my1login?

OpenSSL is used by my1login for TLS/SSL so would technically be ‘vulnerable’ to this bug. my1login patched our servers on 8th April to remove the vulnerability. The bug was around for some time before being discovered. While it’s unlikely that the my1login SSL keys were compromised, we’re taking the precaution of having our SSL certificates renewed as well.

While Heartbleed is a serious issue for some providers, my1login actually protects users against the vulnerability. With my1login your usernames, passwords and secure notes are encrypted before they are transmitted to and from my1login, so even if an intruder attempted the exploit, they would only obtain encrypted data that is useless to them.

What you should do next

Your my1login key phrase will not have been exposed, even if my1login’s certificate was compromised. It is therefore not necessary for you to change your my1login key phrase.

Other websites you use will have been vulnerable to this OpenSSL bug if they ran an affected version, because those sites, unlike my1login, will not have encrypted your data before it was transmitted over TLS: your password crossed the channel in plaintext and could have been read from the server’s memory.

There is some advice out there to change every single password you have. For large enterprises this is an expensive undertaking. Our advice would be to change the passwords on your high value websites immediately and carry out a risk assessment on the rest. Before changing a password, though, check that the website has patched the vulnerability and reissued its certificate with a new private key: a password changed on a site that is still vulnerable, or that still uses a key that may already have been leaked, can simply be captured again. You can check this here: http://filippo.io/Heartbleed/

A my1login account helps reduce the cost of large scale password changes by centralising these assets. Additionally, our Password Generator tool enables you to easily create new, strong passwords to protect your accounts.

Additionally, be wary of phishing attacks from spoofed emails and websites asking you to reset passwords. Phishing campaigns often follow incidents like this one, using the news of a breach to trick unsuspecting web users into handing over their passwords. You can check out our article on phishing to keep yourself protected.

If you’d like to see how my1login can improve your online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

 

Apr 08 2014
 

Like all good IT security businesses, my1login became aware of the Heartbleed OpenSSL bug in the last 24 hours.

Heartbleed turns out to be a programming error in OpenSSL, the library that a huge swathe of the world’s software uses to manage the secure connections between web browsers and web servers. By exploiting this error an attacker can read chunks of a vulnerable server’s memory, including the data passing through the “secure” channel between your web browser and the server. So, even if you use the https version of a website and see the padlock symbol, a hacker could potentially still see the data being transmitted; the padlock says nothing about whether the server’s OpenSSL has been patched.

The bug was reported in the last 24 hours and OpenSSL had fixes available this morning. Here at my1login we have patched our servers with no reported downtime for any of our customers.

While Heartbleed is a serious issue for some providers, my1login actually protects users against the vulnerability. With my1login your usernames, passwords and secure notes are encrypted before they are transmitted, so even if an intruder attempted the exploit, they would only obtain encrypted data that is useless to them.

Heartbleed vulnerability

 

How my1login protects your business

There’s one certainty in IT security: nothing is 100% secure. Given enough time and money anything can be broken. The only way to stay secure is to make it a numbers game, encrypting your data in such a way that it would take a prospective hacker millions of years to break it. This is where my1login comes in, using AES-256 encryption so that hackers cannot access your data unless they have the key used to encrypt it, a key that is not stored by my1login and is known only to you. Even my1login doesn’t know the encryption key (your key phrase) that is used to encrypt your business logins, so even we cannot see your unencrypted passwords.

From the Heartbleed.com website that reported the bug:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

You can find out if any sites that you use still have this vulnerability by going to http://filippo.io/Heartbleed
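Two of the checks behind a tester like the one linked above, written here as an added example rather than code from my1login or from filippo.io: it flags OpenSSL version banners in the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and parses a TLS ServerHello to see whether the server advertises the heartbeat extension at all, since a server that never negotiates heartbeats cannot be hit. The ServerHello bytes are constructed for the example, not captured from any site, and all function names are this example’s own.

```javascript
// Added example, not code from my1login or from the linked checker. Two offline
// Heartbleed checks: an OpenSSL version-banner test and a parser that looks for
// the TLS heartbeat extension in a ServerHello. The ServerHello bytes are
// constructed here for the example, not captured from any real server.
const HEARTBEAT_EXT = 0x000f; // extension type for RFC 6520 heartbeats

// OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug; 1.0.1g fixed it,
// and 1.0.0/0.9.8 never had the heartbeat code. Returns true, false, or null if
// the banner does not look like `openssl version` output.
function opensslVersionVulnerable(banner) {
  const m = /OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?/.exec(banner);
  if (!m) return null;
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  const letter = m[4], beta = m[5];
  if (major === 1 && minor === 0 && patch === 1) return letter < "g"; // "", a..f
  if (major === 1 && minor === 0 && patch === 2) return beta === "1";
  return false;
}

// Parse one TLS handshake record holding a ServerHello and return a Map of
// extension type -> extension data (empty if the server sent no extensions).
function serverHelloExtensions(record) {
  if (record.length < 5 || record[0] !== 0x16) throw new Error("not a TLS handshake record");
  const body = record.subarray(5, 5 + record.readUInt16BE(3));
  if (body.length < 4 || body[0] !== 0x02) throw new Error("not a ServerHello");
  const hs = body.subarray(4, 4 + body.readUIntBE(1, 3));
  let pos = 2 + 32;          // server_version + random
  pos += 1 + hs[pos];        // session_id (length-prefixed)
  pos += 2 + 1;              // cipher_suite + compression_method
  const exts = new Map();
  if (pos + 2 > hs.length) return exts;
  const end = pos + 2 + hs.readUInt16BE(pos);
  pos += 2;
  while (pos + 4 <= end) {
    const type = hs.readUInt16BE(pos), len = hs.readUInt16BE(pos + 2);
    exts.set(type, hs.subarray(pos + 4, pos + 4 + len));
    pos += 4 + len;
  }
  return exts;
}

// A server that does not negotiate the heartbeat extension cannot be hit,
// whatever OpenSSL version it runs.
function advertisesHeartbeat(record) {
  return serverHelloExtensions(record).has(HEARTBEAT_EXT);
}

// Constructed minimal TLS 1.2 ServerHello (sample data for this example only).
function buildServerHello(withHeartbeat) {
  const parts = [];
  if (withHeartbeat) parts.push(Buffer.from([0x00, 0x0f, 0x00, 0x01, 0x01])); // mode: peer_allowed_to_send
  parts.push(Buffer.from([0xff, 0x01, 0x00, 0x01, 0x00]));                      // empty renegotiation_info
  const exts = Buffer.concat(parts);
  const extLen = Buffer.alloc(2); extLen.writeUInt16BE(exts.length);
  const hsBody = Buffer.concat([
    Buffer.from([0x03, 0x03]), Buffer.alloc(32),  // version, random (zeroed for the sample)
    Buffer.from([0x00]),                          // empty session_id
    Buffer.from([0xc0, 0x2f, 0x00]),              // cipher suite, null compression
    extLen, exts,
  ]);
  const hsLen = Buffer.alloc(3); hsLen.writeUIntBE(hsBody.length, 0, 3);
  const handshake = Buffer.concat([Buffer.from([0x02]), hsLen, hsBody]);
  const recLen = Buffer.alloc(2); recLen.writeUInt16BE(handshake.length);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x03]), recLen, handshake]);
}

// Combine both signals into a verdict. Distributions that backported the fix
// (Debian's patched packages still report 1.0.1e) make the version check a
// "likely", not a proof; a live test that sends a malformed heartbeat settles it.
function heartbleedAssessment(banner, serverHello) {
  if (!advertisesHeartbeat(serverHello)) return "not exploitable: heartbeat extension not negotiated";
  const v = opensslVersionVulnerable(banner);
  if (v === true) return "likely vulnerable: heartbeat enabled on an unpatched OpenSSL version";
  if (v === null) return "heartbeat enabled, OpenSSL version unknown: run a live test";
  return "heartbeat enabled but OpenSSL version reports as patched";
}
```

The version check on its own gives false positives, because Debian and other distributions shipped the fix as a patch while keeping the 1.0.1e version string, so a “likely vulnerable” verdict should be confirmed with a live tester that sends a malformed heartbeat and watches for leaked memory, which is what the linked site does. Once a site is confirmed patched it also needs a new key pair and certificate, since the old private key may already have been read out of memory.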

If you’d like to see how my1login can improve your online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

 

Posted at 10:14 am
Apr 08 2014
 

German authorities have announced that they have discovered a list of 18 million email addresses and passwords stolen in the country’s latest major data breach. This is Germany’s largest known data theft to date. It follows a similar case in January, when authorities uncovered a trove of 16 million stolen email addresses and credentials.

The compromised accounts are reportedly being used for criminal purposes such as sending spam, and authorities say the credentials were used to assemble a botnet. Germany’s Federal Office for Information Security (BSI) also stated on Monday that of the 18 million email accounts, 3 million are German based, with .de domain suffixes. The rest are international, with endings for other countries, including the most common suffix, .com.

The BSI released a statement saying it was working on informing victims that their accounts had been compromised. It has been working with email providers including Deutsche Telekom, Freenet, gmx.de, Kabel Deutschland, Vodafone and web.de to inform users who may have been affected. Harald Neymanns, an Interior Ministry spokesman, said: ‘A procedure is being prepared similar to what happened in the previous identity-theft case.’

The previous case Neymanns refers to is the January data breach in which 16 million email addresses were stolen. The BSI launched a service for people to check whether their accounts had been compromised: users entered their email address, were alerted by the BSI if the account had been affected, and were then offered advice on what to do.

However, the site was not prepared for the volume of traffic it received and crashed repeatedly. The BSI said that the server for this breach would need load-testing before going live so that it can handle the vast amount of traffic likely to visit the site.

Until the service is set up, concerned account holders cannot get a straight answer as to whether their accounts have been affected. Those who are worried that they are victims of the breach are strongly advised to scan and clean their computers with anti-virus software and change all passwords used for online services. Account holders should also be vigilant when opening email and clicking on its content, as it could be spam or phishing.

The key advice here is to change passwords for all online services. However, before taking on this task it is imperative that you stop using weak passwords and stop using the same password on multiple sites. Using a password manager like my1login will not only help you implement strong, complex passwords for all your online accounts; those passwords can also be changed easily if a specific account is hacked. It also removes the hassle of having to remember individual logins.

my1login allows you to use one super strong and unique password that grants you access to all of your accounts, without having to remember the individual logins. Therefore, you can create strong, complex passwords for all your accounts: for example, a typical password for your Gmail account could be “$~dY>zD9n_+J]SkMZoPlZhBZ3” and a typical password for your Facebook account could be “DCTt8B-4J#F$Hxssv7}3k)oax”. The length and entropy of these passwords make them extremely strong, and using a different password for every account means that should any site be compromised, none of your other accounts would be.

Using my1login also eliminates the need to rely on insecure practices such as writing passwords down or storing them in documents, spreadsheets or even on your phone. Passwords can also be shared securely using my1login, meaning you’ll never need to email a password, or select a weak one because it’s simply easier to convey.

If you’d like to see how my1login can improve your online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

 

Further Reading

Germany Suffers Hack That Sees Millions Of Emails & Passwords Stolen

A Horde of 360 Million Stolen Usernames & Passwords Uncovered Online




Mar 26 2014
 

A disgruntled former employee of Microsoft was arrested last week for stealing confidential information about Windows 8 and leaking it to a technology blogger before the operating system was released in 2012.

Software engineer Alex Kibkalo had been employed by Microsoft for seven years before reportedly being asked to resign shortly after receiving a poor performance review in 2012. That has not been directly linked to the leak, but it may have played a part.

Kibkalo was arrested last Wednesday and faces federal criminal charges for allegedly leaking Windows 8 secrets and Microsoft’s Activation Server SDK (software development kit), which could help attackers reverse engineer Microsoft’s anti-piracy code.

In circumstances like this, where employees have access to valuable intellectual property, it is important for businesses to make sure that when employees leave, their accounts are closed and their access to company information is revoked.

One way of controlling identity and access management within a business is to employ a password manager like my1login. With this service in use, administrators can share passwords with individuals and workgroups and can also quickly revoke an individual user’s access to logins when necessary. The password manager has a further security benefit in that admins can restrict the visibility of passwords: users then have access to business systems without ever knowing the login credentials.

In addition to these security features, admins also receive an audit trail that allows them to track who has access to what and when. This helps protect against employees abusing business systems, which in turn protects the company’s reputation.

What makes my1login so secure?

my1login uses complex, multi-layered encryption so that not even my1login employees can access users’ data. Business accounts are protected using two-step authentication (password and key phrase), making its default level of security the most secure of any password manager. Business passwords are encrypted client-side using 256-bit AES and then sent to my1login over TLS for storage. 1024-bit RSA public/private key cryptography further encrypts the AES keys to enable secure sharing and central distribution of specific passwords where required.

A business user’s key phrase is what encrypts their business passwords, using AES-256. Nobody can decrypt that stored password data without the key phrase, and it would take the most advanced computers millions of years to try every possible permutation of a phrase of reasonable length, provided the phrase is not something guessable such as a dictionary word or a name.

Want to find out more on how my1login can help protect your business from disgruntled employees seeking revenge or simply to improve your online security?

Either sign up for a free trial of my1login Business Password Manager or leave your email address in the box below to receive more information.

 

Mar 17 2014
 

A 15-month jail term has been handed to a man in China for stealing 18,974 yuan ($3,085) from online payment accounts. According to a press release from Songjiang District People’s Court, the man, surnamed Deng, had bought a second-hand laptop online last September and found that the previous owner’s personal data was still stored on it.

Deng used the stored data, which consisted of usernames and passwords, to access two online payment accounts. He then altered the account credentials, replacing the associated phone numbers with his own, and transferred the 18,974 yuan in the accounts to his own account.

The owners of the accounts were sent a message saying that their credentials had been altered; they then called their bank to find that their accounts had been drained. The victims informed the police, who arrested Deng two months later.

During Deng’s trial the court suggested that computer owners who intend to sell, recycle or give away their devices should delete all their personal information first.

This is great advice; however, removing data from a computer’s hard drive involves more than simply putting the file in the trash can and then emptying it. Deleting a file, quick-formatting a drive or resetting a machine to factory defaults typically rewrites only the file system’s index, so a recoverable imprint of your data remains on the disk until those sectors are overwritten.

With a few simple steps you can fully protect yourself and your personal information when getting rid of old devices. The first method is to physically destroy the hard drive; impractical as it is, it is very effective. A more practical solution for the average person is to use secure data removal software.

Programs such as CCleaner and Eraser work by overwriting the sectors that held your data, one or more times, so that the original contents cannot be read back. They require neither dismantling the computer nor expert knowledge. At their maximum security setting they can take a very long time to run, the benefit being that once complete it will be virtually impossible for your personal information ever to be recovered.

The UK’s Information Commissioner’s Office (ICO) has also published guidance on how to delete information securely.

In the event of a hack or data breach in which personal accounts have been compromised, passwords will need to be changed. Adopting a password manager like my1login will not only help you implement strong, complex passwords for all your online accounts; those passwords can also be changed easily if a specific account is hacked. It also removes the hassle of having to remember individual logins.

my1login allows you to use one super strong and unique password that grants you access to all of your accounts, without having to remember the individual logins. Therefore, you can create strong, complex passwords for all your accounts: for example, a typical password for your Gmail account could be “$~dY>zD9n_+J]SkMZoPlZhBZ3” and a typical password for your Facebook account could be “DCTt8B-4J#F$Hxssv7}3k)oax”. The length and entropy of these passwords make them extremely strong, and using a different password for every account means that should any site be compromised, none of your other accounts would be.

If you’d like to see how my1login can improve your online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

Mar 07 2014
 

ComiXology, a digital comic distributor, discovered a serious security breach during a recent company security review and upgrade. The company stated, in an email sent to account holders on Thursday, that an unauthorised individual had accessed databases containing user information such as usernames, email addresses and encrypted passwords.

ComiXology has asked all users to reset their password as a “precautionary measure”, but told users that payment information is safe because the company does not store it, and that user passwords are stored in an encrypted form. Bear in mind that encrypted or hashed passwords are not safe indefinitely: an attacker holding the database can attempt to crack them offline, and weak or common passwords fall quickly.

Users who have the same or a similar password in use for other services should change those as well. All account passwords should be strong and unique: duplicated passwords are a major weakness in online security, because when one account is compromised every other service using the same credentials is exposed.

ComiXology have updated their security following the breach and intend to continue to review their security “on an ongoing basis.”

Because of the nature of the data breach it is important to look out for phishing attacks. Comixology made it clear in their statement that they ‘will never ask for personal or account information’. Therefore users need to be vigilant in checking emails that may claim to be from Comixology.

Using a password manager like my1login will not only help you implement strong, complex passwords for all your online accounts; those passwords can also be changed easily if a specific account is hacked. It also removes the hassle of having to remember individual logins, and eliminates the need to rely on insecure practices such as writing passwords down or storing them in documents, spreadsheets or even on your phone.

my1login allows you to use one super strong and unique password that grants you access to all of your accounts, without having to remember the individual logins. Therefore, you can create strong, complex passwords for all your accounts: for example, a typical password for your Gmail account could be “$~dY>zD9n_+J]SkMZoPlZhBZ3” and a typical password for your Facebook account could be “DCTt8B-4J#F$Hxssv7}3k)oax”. The length and entropy of these passwords make them extremely strong, and using a different password for every account means that should any site be compromised, none of your other accounts would be.

If you’d like to see how my1login can improve your online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

Mar 06 2014
 

 

Delhi Police failed to answer corruption complaints for 8 years because they had forgotten the password to an online complaints portal.

The Central Vigilance Commission (CVC) set up an online portal to manage complaints and route them to the correct department for its chief vigilance officer to handle. Each department was given a password to access the portal. The Indian Express reports that the Delhi Police did not know the password for their portal or how to operate it, leaving over 600 complaints unanswered for eight years.

Thankfully, two senior police officers have now received training on how to use the system and can begin addressing the backlog of cases, all 667 of them.

If a password management solution such as my1login had been in place, the CVC could have shared the login details with the Delhi Police securely, giving them instant access to their portal. In addition to secure sharing, my1login would have allowed the police department to reset their forgotten password themselves. The CVC would also have had an audit trail showing that the Delhi Police had not logged into their portal in eight years.

my1login is a cloud-based password manager that provides a secure way to store and access your business passwords. my1login uses AES-256 to encrypt your business passwords, so they cannot be decrypted and accessed without your encryption key (key phrase), which only you know. my1login resolves the problem of remembering multiple logins, passwords and PINs by providing a safe way of accessing them via a highly secure portal.

my1login enables business users to securely manage and, where authorised, share specific passwords for business applications using one login. The service also provides an audit trail of who has access to what and when, and makes it easy to revoke an employee’s access when it is no longer required.

If you’d like to see how my1login can improve your business’s online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

Feb 26 2014
 

On the 25th of February, a cybersecurity firm announced that it had uncovered a hoard of 360 million stolen usernames and passwords for sale on cyber black markets.


Hold Security’s Chief Information Security Officer, Alex Holden, said in an interview that the firm had obtained the details during the first three weeks of February. The stolen usernames and passwords are believed to have been obtained by hackers in multiple data breaches that have yet to be publicly reported. One batch of credentials alone contains more than 105 million records, which would make it one of the largest data breaches ever discovered.

The hoard of compromised details includes usernames, email addresses and passwords, the majority of them in plain text. The email addresses belong to Fortune 500 and non-profit organisations, as well as major web providers such as AOL, Google, Microsoft and Yahoo.

Hold Security released a statement on its website saying that as well as the 360 million credentials, the criminals are selling approximately 1.25 billion email addresses, which may then be used for spamming and phishing more details from unsuspecting victims.

At this point it is unclear as to who has fallen victim to the security breaches but it is advised that you change your passwords to any accounts you think may have been compromised. Password security is vital to keeping your identity safe online and with a few simple changes you can improve your online security:

  • Make all passwords at least 15 characters long.
  • Maximise entropy: passwords should contain uppercase and lowercase letters, numbers and symbols.
  • Avoid dictionary words and common names, and avoid using any personal information.
  • Don’t replace ‘i’ with ‘1’, or ‘a’ with ‘4’, etc. These are well-established password tricks that any hacker will be familiar with.
  • Avoid sequences or repeated characters.

Strong passwords need to be augmented with strong practice.

  • Do not use the same password on multiple sites.
  • Never allow passwords to be written down or stored in the notes section of phones.
  • Do not store passwords in Word or Excel. Even if those files are later deleted, a recoverable imprint of them will remain on the computer long after it is sold or donated to a recycling company.
  • Do not allow passwords to be emailed. Email can be read by the provider of the service.
  • Do not feel the need to change strong passwords regularly. A very strong password used for a long time is more secure than a weaker password that is regularly replaced with a similarly weak one. Enforcing regular password changes often results in employees adopting weaker passwords to make them easier to remember.

my1login is a cloud-based password manager that provides a secure way to store and access your business passwords. my1login uses AES-256 to encrypt your business passwords, so they cannot be decrypted and accessed without your encryption key (key phrase), which only you know. my1login resolves the problem of remembering multiple logins, passwords and PINs by providing a safe way of accessing them via a highly secure portal.

my1login also mitigates keyloggers. Users can sign into web services without having to type their passwords. my1login uses two-step authentication to grant access to user accounts: users create a secure phrase that encrypts all their logins within their browser before they are sent over the internet and stored, and since the secure phrase itself is never stored, even my1login is unable to read these details. Users then select characters from their passwords using dropdowns, as banking services do. This defeats a basic keystroke logger, though not malware that captures the screen or injects into the browser session, and increases your general online security.

If you’d like to see how my1login can improve your business’s online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

Feb 18 2014
 


Crowdfunding website Kickstarter announced on Saturday that it has suffered a security breach:

On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.

No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.

While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

This is another story of ‘Sorry, we’ve been hacked and your passwords have been stolen!’ Users are strongly recommended to change their account password as a precaution, as well as the password on any other account that uses the same login credentials. Any hack that exposes email addresses, usernames and passwords exploits the typically weak practices employed by users: short passwords, and the same password reused across sites.

However, before heading off to change your login details it is imperative that you stop using weak passwords and stop using the same password on multiple sites. Using a password manager like my1login will not only help you implement strong, complex passwords for all your online accounts; those passwords can also be changed easily if a specific account is hacked. It also removes the hassle of having to remember individual logins.

my1login allows you to use one super strong and unique password that grants you access to all of your accounts, without having to remember the individual logins. Therefore, you can create strong, complex passwords for all your accounts: for example, a typical password for your Gmail account could be “$~dY>zD9n_+J]SkMZoPlZhBZ3” and a typical password for your Facebook account could be “DCTt8B-4J#F$Hxssv7}3k)oax”. The length and entropy of these passwords make them extremely strong, and using a different password for every account means that should any site be compromised, none of your other accounts would be.

Using my1login also eliminates the need to rely on insecure practices such as writing passwords down or storing them in documents, spreadsheets or even on your phone. Passwords can also be shared securely using my1login, meaning you’ll never need to email a password, or select a weak one because it’s simply easier to convey.

If you’d like to see how my1login can improve your business’s online security and help protect you against hacks in 2014, try out the my1login password manager for free, or leave your email address and we’ll send you an information pack.

 

Further Reading

Kickstarter hacked. Users told to change passwords

Feb 03 2014
 

The Super Bowl security centre could use a few tips on how to store and share passwords securely. And we don’t mean projecting them on a wall for all to see and having them broadcast to millions of viewers. We’ll admit that it’s a fairly quick way to give the details to lots of people, but it’s not great when you don’t want to give millions of people access to your Wi-Fi.

The security gaffe was all thanks to CBS, which was running a televised segment on the top-class security of the Super Bowl. The segment showed dramatic footage of the security team standing in front of large screens with a bird’s-eye view of the stadium, but in the corner the Wi-Fi access credentials can clearly be seen. We can only hope that the team changed them quickly after news of the blunder broke.

A password management solution such as my1login makes it easy to share specific passwords securely with employees and teams. The service also provides an audit trail of who has access to what and when, and makes it easy to revoke an employee’s access when it is no longer required.

If you would like to see how my1login can improve your business’s online security and help protect you and your business against hacks, try out the my1login password manager for free, or leave your email address and we will send you an information pack.