Sep 14 2014

Most hacks don’t hit the headlines, but when it’s the US Government’s HealthCare.gov that’s hacked, you can be sure it’ll make the news. A hacker, still unknown to the authorities, recently compromised the HealthCare.gov insurance enrolment website. According to the Department of Homeland Security, once the hacker had gained access, they proceeded to upload malicious software to target the site’s visitors.

If it wasn’t such a serious breach, the attack vector would be comical, with the ‘hacker’ gaining access simply by using the default password that hadn’t been changed. The reason for the ‘oversight’ was that the server was in a ‘test environment’ used by the development team.

An investigation was said to have concluded that no personal data was illegally accessed during the attack, but it’s yet another example of an organization being compromised for not taking the most basic of security measures, such as using strong passwords to protect business-critical systems.

No matter how stressful, time-pressured or complex development projects may become, it’s crucial to give proper consideration to the security that underpins them. While it may seem like an acceptable shortcut, cutting corners on security can end up costing more time in the long run and do untold reputational damage should weaknesses be exploited. Neglecting security during development is a common fault that hackers are only too keen to exploit – the US Government being the latest red-faced victim. If you have a test environment within your business, ensure that your developers take the same precautions that you’d expect them to take with live websites – and protect access with strong passwords.

Posted at 9:37 am
Sep 12 2014

A new patient information sharing system from the NHS is causing concern that it may be vulnerable to a hack, exposing millions of sensitive patient records.

The care.data programme, which is currently on hold due to concerns over its opt-out policy, will see patient records from across England stored centrally, with apparently non-identifiable data being used for clinical research and studies. Despite the concern over the security of the data, medical experts are urging patients not to opt out because of the damaging consequences for the research work that is set to benefit from it.

Labour MP George Mudie had campaigned in Parliament for the data-sharing scheme to be delayed until the UK public had been properly consulted. The intended opt-out system means that patients’ date of birth, postcode, NHS number and gender will be included in the data sharing system by default.

“There will be an eventual breach of security, which is inevitable with the size of the database, the information stored in there. The human cost will be potentially disastrous to a patient whose identity and medical history is made public. Careers could be ended, jobs could be lost, insurance refused, relationships destroyed if sensitive medical facts are made public or are used by private firms or people or indeed the media. A further reason for concern is that the information will not be solely available for analysis and research in the NHS but will be made available to non-NHS organisations.”

George Mudie MP

The Weakest Link

Health minister Dan Poulter promised there would be ‘robust procedures’ in place to protect patient confidentiality. However, it’s the human element that is the weakest link in any implemented security. With thousands of healthcare employees having to access the data sharing system, the strength of their authentication will come under scrutiny. Typically when employees need to access business systems to carry out their job, they will adopt practices that maximise their convenience, not maximise security. Using easy-to-guess passwords, writing them down on post-it notes, or storing them on phones are all regular occurrences from employees who need to remember passwords. When those passwords protect extremely sensitive patient data, the consequences of a breach are hugely significant.

When the care.data programme is implemented in the coming months there is no doubt that it will greatly benefit diagnosis and medical research. The counterweight is that should a security breach occur, extremely sensitive patient information will be released into the public domain. While the NHS hack threat may be a high profile example, organizations of all sizes are hacked each day due to weak employee practices, with each hacking incident estimated to cost £35,000 to £65,000.

Posted at 6:59 am
Sep 11 2014

The recent iCloud hack of Jennifer Lawrence and other celebrities exposed just how much trouble can be caused by inadequate security measures.

Apple confirmed that the hacker gained access to the celebrities’ iCloud storage areas by correctly guessing the answers to security questions. Undoubtedly, private individuals sat up and took note, but there’s a chilling lesson to be learnt for business owners too.

Social engineering 101

Social engineering, or the art of getting ordinary individuals – employees included – to give up useful personal details and sensitive security information, is what presents the risk to businesses.

It is human nature to tell the truth when asked questions by people who are perceived to be in a position of authority, and it is this same inclination that applies to password security questions – individuals answer them accurately. There is also a tendency for individuals to use the same passwords and security answers in the workplace as they do in their private lives.

This combination of habits is what hackers aim to exploit: if they can find out the likely answers to security questions, they can hijack an employee’s email account and gain access to a business network.

The trouble for celebrities is, because so many of their detailed personal facts are liberally sprinkled across the public domain, these answers are easy to guess. Unlike with celebrities, hackers have to actively find out facts about the particular individual or employee they want to target. Too hard? Wrong! Too easy…

Admittedly, you can’t read about Ms Smith from Accounts in Rolling Stone, OK! or Vanity Fair, but what if Ms Smith is on LinkedIn, Facebook, Twitter, Pinterest, or any other number of social media or third party sites? Granted, no one’s shouting, “Read all about it!” from the street corner, but they may as well be.

In order to learn more about an individual or employee, hackers do their homework by digging around on social media sites. Armed with personal information – often simple details like a pet’s name, spouse’s name, date of birth – they have paved the way for an easier break-in. And the unwitting individual has helped them.

Tell me lies, tell me sweet little lies

Business owners should increase awareness about the concept of social engineering and share with employees the full extent of what assets could be stripped as a result of a security breach: passwords, customer information, corporate plans and strategies, or data pointing to a financial source. After all, it is in their collective interest that the company they work for isn’t compromised.

There is a simple but effective way to reduce the threat posed by social engineering: employees can protect both themselves and, consequently, their employers, by changing their natural instinct to tell the truth when answering security questions.

The fact is, no one is actually verifying that an answer is true, just that there is an answer, and that it’s the same one each time the question is asked.

This simple fact means that, by telling a white lie, or even a supersize one, users can add extra strength to a potentially weak security measure. No system can check that a first pet really was called Spot – it’s just as happy with HotDiggidyDog. And mother’s maiden name? Why, it’s R2D2N0ne0fY0urBu5ine55, of course…

The downside to disguising the truth, as any experienced dissembler will tell you, is having to keep track of the web of lies: it’s much easier being honest. In this case, as the deception is so clearly worth the effort, using a password manager is an ideal way to store passwords and security answers – you only have to remember one pass phrase.

The celebrity photo hack was a classic case of social engineering and is directly relevant to business owners. Fleetwood Mac’s immortal line, “Tell me lies, tell me sweet little lies”, encapsulates an unusual workaround, which is why you won’t hear any hackers humming it…

Falsehoods, fibs and fabrications are not your average recommendation in the workplace, but business is business, after all.

Posted at 6:57 am
Sep 01 2014

Tinseltown has been hacked: nude or explicit photos of around 100 celebrities have been illegally accessed and posted on the 4Chan anonymous image-sharing platform.

The celebrities include Jennifer Lawrence, Kim Kardashian, Kirsten Dunst as well as Brits Kelly Brook, Michelle Keegan, and Cat Deeley.

How did it happen?

A suitably attired Jennifer Lawrence at the 68th Annual Golden Globes. ©iStock.com/Jennifer Lawrence

Jennifer Lawrence is – so far – leading the understandably outraged reaction, saying that she intends to take legal action for invasion of privacy. Whilst Ms Lawrence has confirmed that the photos are genuine, some celebs are dismissing them as fake and/or over two years old. There’s no saying, then, exactly when the first hack took place.

The perpetrator has not confirmed exactly how he or she accessed the photos, but possible hacking routes are phishing, irresponsible sharing of password details, or using the same password on multiple website accounts. Of course, a natural consequence of one celebrity email account being hacked is that it opens up the possibility of hacking further into their network – of friends, that is.

It is emerging, though, that the most likely route was the cracking of weak personal passwords on Apple’s iCloud to get into the celebs’ storage areas. Certainly no one has suggested that iCloud itself has a security flaw, but Apple has recently issued a patch in response to a piece of programming code that could help crack user accounts by trying the 500 most common passwords that satisfy Apple’s password rules. The script allowed anyone using it to guess passwords repeatedly against Apple’s ‘Find my iPhone’ service without being locked out or triggering an alert. Once in, the hacker would have access to the iCloud storage areas – and any photos there.

Although Apple has said they are aware of the photo hacking scandal, they have not issued any statement other than that they will comment in due course. If nothing else, they are likely to offer advice on how to avoid a personal iCloud security breach.

How to avoid the naked truth

Heading the list of weak links in the security chain are the users themselves: passwords are invariably inadequate when it comes to ensuring privacy from a determined hacker. Passwords can be made stronger by including numbers, upper and lower case letters, and special characters but, if you do nothing else, you should make your passwords longer – long passwords or phrases are hard to crack. ‘D0ntGetCaughtWithY@urPantsD()wn!’ would take over 200 million years to crack – yes, you read it right. No one would be interested in your photos by then. Surely?

Get to know how remote storage systems like iCloud work: many don’t realise that it syncs recorded media from all devices as soon as a WiFi link is established, or any time the device is recharged or rebooted. This means that deleting a photo on one device isn’t enough if you want no record of it; it has to be deleted from the cloud as well. (One very simple solution is to turn off iCloud backups under the iPhone’s Settings, but the downside is that you lose the option to recover records after a device failure.)

Use the security feature on iCloud that is not widely known about: two-factor authentication. In addition to the usual username and password, a one-time password is sent to the device itself and must be entered before access is granted. It’s not a default setting, though, and must be manually enabled.

So, if you don’t want to become a celebrity yourself – even if it’s only down at the local pub – use a strong password, invoke two-factor authentication and – safest of all – avoid the urge to take nude or risqué selfies. However, if the Devil does make you do it, stick to bathing suits not birthday suits…
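Two points from these posts belong together in code: the earlier post’s observation that a security-question check verifies only that the answer is the same each time, never that it is true, and this post’s point that the ‘Find my iPhone’ weakness was the absence of a lockout after repeated wrong guesses. The script below is an added illustration, not Apple’s code or anything from the original posts. It keeps a salted PBKDF2 hash of the normalised answer, so ‘HotDiggidyDog’ is as acceptable as the real pet’s name, and it locks the record after five misses. The iteration count, the lockout threshold and the guessed names are all constructed for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass

# Added example: a security-answer store that checks only whether an answer
# matches what was enrolled, never whether it is true, and that locks the
# account after a few wrong guesses. Work factor and threshold are assumptions.
ITERATIONS = 100_000
MAX_FAILURES = 5


def normalise(answer: str) -> str:
    """Fold case and drop whitespace so 'Hot Diggidy Dog' and 'hotdiggidydog' compare equal."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(folded.split())


@dataclass
class AnswerRecord:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


def enrol(answer: str) -> AnswerRecord:
    """Keep a salted PBKDF2 hash of the normalised answer; the answer itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)
    return AnswerRecord(salt=salt, digest=digest)


def verify(record: AnswerRecord, attempt: str) -> bool:
    """True only if the attempt hashes to the enrolled digest and the record is not locked.

    Every miss is counted; at MAX_FAILURES the record locks and stays locked
    even for a correct answer, which is exactly the behaviour the 'Find my
    iPhone' script relied on being absent.
    """
    if record.locked:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", normalise(attempt).encode(), record.salt, ITERATIONS)
    if hmac.compare_digest(candidate, record.digest):
        record.failures = 0
        return True
    record.failures += 1
    if record.failures >= MAX_FAILURES:
        record.locked = True  # a real service would also raise an alert here
    return False


def demo() -> dict:
    """Enrol the made-up answer from the post above, then guess at it. Constructed values."""
    record = enrol("HotDiggidyDog")
    results = {
        "true_answer_spot": verify(record, "Spot"),            # the truthful answer is simply wrong
        "enrolled_answer": verify(record, "hot diggidy dog"),  # normalisation still accepts it
    }
    # Constructed guesses of the kind of pet names a public profile might reveal
    for guess in ("Spot", "Rex", "Fluffy", "Tiddles", "Rover"):
        verify(record, guess)
    results["locked_after_guesses"] = record.locked
    results["correct_answer_once_locked"] = verify(record, "HotDiggidyDog")
    return results


if __name__ == "__main__":
    print(demo())
```

Nothing in `verify` can tell a truthful answer from an invented one; what it can do is refuse to keep answering after a handful of misses, which is what turns a list of scraped personal facts from a skeleton key into a few wasted attempts.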

Posted at 2:53 pm
Aug 28 2014

Our blog is normally devoted to non-self-promotional advice on business security, but we wanted to let you know about our new iOS app for iPads and iPhones. The new app provides one-click sign in for your web apps on your iDevice. We’ve built our own browser that has the same features you’ll be used to with Safari, but with the addition of a ‘log in’ button on the toolbar. Pressing the log in button will sign you into any website you have stored in your my1login account. So, no more trying to remember or type usernames and passwords on your iPhone. Any login you have stored in your my1login account is accessible on your iDevice.

Download the new iOS App

Simply visit the AppStore on your iPhone or iPad and search for ‘my1login’ to find the new app. You can also find it on this link: https://itunes.apple.com/gb/app/my1login-password-manager/id596426753

iOS App Features

  • Securely access business logins from anywhere
  • Never forget usernames or passwords again
  • Remove the risk of employees writing down or storing passwords insecurely
  • Fully-featured browser with ‘sign in’ button which automatically signs you into sites
  • Access all of your desktop and laptop websites, usernames and passwords without the need to transfer them.
  • Data is protected with AES 256 encryption using a secure key phrase of your choice
  • All sensitive data is encrypted on your device so that even my1login cannot see it.
Posted at 2:25 pm
Aug 28 2014

Dictionaries define a password as a secret word or expression which must be used to gain entry. It’s hard to fault this definition, and yet computer users are using the same old passwords year after year: ‘Password1’, ‘Hello123’, and plain old ‘password’. Sound familiar? Not much of a secret then…

Using hashed data collected in two years’ worth of penetration tests, Trustwave, an American infosecurity company, cracked over 50% of business passwords in just a few minutes. After 31 days they had cracked 92% of them. The equipment used was nothing extraordinary, but they did use a graphics processing unit (GPU) rather than a traditional central processing unit (CPU); a GPU can perform billions more calculations per second than a similar-priced CPU. What does this mean for businesses? It means a high-probability risk of being hacked. Hackers rely on weaknesses to gain unauthorised entry to networks and, once in, can cause costly mayhem, both financial and reputational. Weak passwords have been identified as the primary cause of online accounts being hacked.

Misconceptions about password strength

In accordance with widespread business policy, passwords are typically 8 characters long (because that’s the stated minimum) and, although many require the inclusion of numbers, upper case and lower case letters, and special characters, these calls for added complexity don’t always translate into strong passwords.

These complex passwords may thwart the colleague sitting next to you (or the passer-by looking over your shoulder), but they’re not really who you’re up against; it’s hackers with their automated tools. In their study, Trustwave point out that, although many users assume that using complex combinations make a password more secure, it’s only by increasing the number of characters in the password that the cracking time is dramatically raised. For example, automated tools find it far easier to crack relatively short, but outwardly very complex, passwords like ‘N^a&$1n’ compared to longer phrases like ‘GoodLuckGuessingThisPassword’.

Ironically, IT administrators who force complexity into short passwords may, in fact, be introducing weakness by unwittingly causing users to create predictable password patterns, usually comprising a single word and tacking on the minimum required numbers and specials.

Similarly, the practice of insisting on regular changes to passwords has been shown to encourage increasingly weaker ones. Users end up creating passwords that are more easily cracked because they simply increment an embedded number, or add the next-in-line special character, or simply revert to using ever more memorable – i.e. common – keywords as the basis for the password.
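The length-versus-complexity point above, and the ‘make your passwords longer’ advice in the iCloud post further up the page, can be put into numbers. The script below is an added example, not part of Trustwave’s study or the original post: it sizes the character space a password draws from, raises it to the password’s length, and divides by an assumed guessing rate of ten billion per second to get a worst-case exhaustive search time. The rate is an assumption, and the result is a ceiling: a wordlist attack on a phrase made of real words finishes far sooner than exhaustive search, which is why the advice to avoid names and common words still matters.

```python
import math
import string

# Added example, not from Trustwave's study: an upper bound on the time an
# exhaustive search of a password's character space would take. The figure is
# a ceiling; wordlist attacks on phrases built from real words finish sooner.
GUESSES_PER_SECOND = 10_000_000_000   # assumed GPU cracking rate, ten billion per second
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26 characters
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)


def alphabet_size(password: str) -> int:
    """Combined size of every character class the password actually draws from."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    return alphabet_size(password) ** len(password)


def bits_of_entropy(password: str) -> float:
    """log2 of the keyspace, the usual way to state the strength of a random password."""
    return len(password) * math.log2(alphabet_size(password))


def search_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case exhaustive search time in years at the given guessing rate."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


def compare(short_complex: str, long_simple: str) -> dict:
    """Side-by-side figures for the two styles of password the post contrasts."""
    return {
        pw: {
            "length": len(pw),
            "alphabet": alphabet_size(pw),
            "bits": round(bits_of_entropy(pw), 1),
            "years": search_years(pw),
        }
        for pw in (short_complex, long_simple)
    }


if __name__ == "__main__":
    # The two examples quoted in the post above
    for pw, stats in compare("N^a&$1n", "GoodLuckGuessingThisPassword").items():
        print(f"{pw!r}: {stats['length']} chars over a {stats['alphabet']}-character alphabet, "
              f"{stats['bits']} bits, worst case {stats['years']:.3g} years")
```

Seven characters drawn from all four classes give 94^7 candidates, a couple of hours at the assumed rate; twenty-eight letters with no digits or symbols at all give 52^28, a number of years with thirty digits. Doubling the alphabet adds one bit per character, while each extra character adds the full log2 of the alphabet, which is the whole of Trustwave’s point.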

Creating strong passwords

Any initiative to establish strong business passwords must begin with understanding what is behind the prevalence of passwords like ‘Password1’, ‘Hello123’ and ‘password’. Is it laziness, or ignorance, or wilful arrogance? Or is it because users think that ‘the IT people’ are really in charge of security and it’s not their problem? Sadly, it’s all of the above, but the good news is that the situation can be alleviated using some very simple measures:

  • Educate employees about the business risks associated with weak passwords: if it affects the business, it affects them.
  • Teach them how to create strong passwords: the emphasis should be on unique, memorable – even funny – phrases that have greater length rather than greater complexity. Passwords using a proper name (people, pets, places) as a basis are easily cracked and should be avoided.
  • Ask employees to test the strength of their passwords. Strength meters are good at highlighting weak approaches to password structure and, if existing systems can’t be redesigned to allow long phrases, they’re a great tool for testing short words with or without added specials.
  • Don’t impose regular resets of passwords.
  • Use a password manager, especially if users are expected to remember multiple passwords.

Whilst every business owner needs to take risks, tolerating weak passwords isn’t one of them; policies for password creation and storage should be an important consideration on every business agenda. The bottom line? ‘GetYourPasswordsSortedRightNow!’

Posted at 9:45 am
Aug 15 2014

A cybersecurity breach isn’t something that only happens to other businesses: tens of thousands of websites around the world are hacked each day and the number of new malware strains runs into tens of millions per year.

Hackers are after logins that give access to a money trail, or customer data, or corporate strategies, secrets, and intellectual property; others simply seek to disrupt services.

For hackers, it’s all about finding and exploiting weak links – many of them human, some of them technical. They take advantage of human frailty in the form of lazy, or predictable, or gullible behaviour, finding ever more creative ways to entice people to visit increasingly realistic fake websites, or be conned by elaborate spoofs. Organisations are at fault too: software developers and original equipment manufacturers don’t always incorporate adequate security features into their products, leaving users vulnerable to attack.

So how do hackers gain access?

  1. Server scanning. Hackers remotely scan the servers of the targeted company, looking for an entry weakness through which they can deploy commands that will cause the system to crash before executing their own code.
  2. Wi-Fi vulnerability. Most businesses have secure Wi-Fi, but hackers exploit careless employees who use open wireless networks when out of the office.
  3. Phishing and social engineering. Simple phishing indiscriminately delivers emails containing an attachment or link that automatically downloads malware if opened; these attacks have been moved up a peg using social engineering techniques, targeting specific employees with a seemingly business-relevant attachment or link, or one tailored to the employee’s personal interests.
  4. Infected websites. Websites which are likely to be used by a company are targeted: hackers look for weaknesses on the website, using them to embed code that will infect visitors to the site.
  5. Planting code into web-entry databases. Web-based forms that are used to collect and store a user’s details may be targeted by hackers who, instead of entering the expected personal details, input code that will be executed rather than stored as inert data.
  6. Stealing or guessing passwords. Stealing passwords involves trickery: users receive a fake email asking them to reset their password using an enclosed link. Guessing passwords is easier than it sounds: 90% of passwords are drawn from a list of only 1000 variants.
  7. Stealing IDs from third-party sites. Knowing that some people use the same usernames and passwords for both work and other websites, hackers look for employees of the targeted company on third-party sites and attempt to steal the details from there.
  8. Hijacking email accounts. After researching the background of a targeted employee, hackers prepare a list of possible answers to security questions and use the company’s password-reset mechanism to change the password and access their email account.
  9. USB devices. Even when formatted, some USB drives can appear completely empty, so memory sticks loaded with malware are one way hackers gain entry. Another is using USB to connect devices which can spoof a network card to divert internet traffic and record keystrokes – that nice rep who has asked if he can charge his smartphone on a company PC could, in fact, be hijacking passwords.
  10. Inside jobs. Financially desperate or disgruntled employees, undercover recruits and on-site service providers constitute an ever-present threat from within.
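Item 5 in the list, a web form whose input is executed rather than stored as inert data, is the one a developer can most directly design out. The snippet below is an added example, not code from the original post: a lookup that splices the submitted value into the SQL text sits beside the hardened version, which binds the value as a parameter so the database never parses it. The table, the rows, and the probe string are constructed for the demonstration.

```python
import sqlite3

# Added example: a form handler that looks up and stores visitor details.
# The vulnerable lookup splices the submitted value into the SQL text; the
# hardened versions bind it as a parameter so the database never parses it.
# Table, rows and the probe string are constructed for the demonstration.
PROBE = "' OR '1'='1"   # the textbook input that turns a lookup into "match everything"


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed visitors."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO visitors (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("Bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, email: str) -> list:
    """BAD: the input becomes part of the statement, so quotes in it rewrite the query."""
    sql = f"SELECT name FROM visitors WHERE email = '{email}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email: str) -> list:
    """GOOD: the ? placeholder is filled by the driver; the value is only ever data."""
    rows = conn.execute("SELECT name FROM visitors WHERE email = ? ORDER BY id", (email,))
    return [row[0] for row in rows]


def store_safe(conn, name: str, email: str) -> tuple:
    """Store whatever the form sent as inert text and read it back by exact match."""
    conn.execute("INSERT INTO visitors (name, email) VALUES (?, ?)", (name, email))
    return conn.execute("SELECT name, email FROM visitors WHERE email = ?", (email,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PROBE))    # every visitor, not just one
    print("parameterised:", lookup_safe(db, PROBE))       # nobody has that literal address
    print("stored literally:", store_safe(db, "Mallory", PROBE))
```

The fix is not to filter quotes out of the input but to stop building statements from it at all: with a bound parameter the same probe string is stored and retrieved as a plain value, exactly as the form intended.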

Foiling the attempts of hackers requires a systematic approach; in the same way that you wouldn’t lock up your premises at night and leave the windows open, every potential entry point needs securing.

How to protect your business

Ensure that all employees are trained about potential security threats and that they use strong, unique passwords – the same password should never be used across different accounts. Always use the latest version of your operating system’s software, as well as that of your browsers: out of date add-ons are targeted by hackers as a way to redirect those browsers and siphon off user data. Antivirus software should be set to update automatically; alternatively, updates should be downloaded only from the developer’s site, not from links in pop-up reminders. Think backups and encryption.

The adage that prevention is better than cure couldn’t be truer here; undoing damage after a security breach can be – at the very least – time-consuming and costly. Building business systems without information security measures is asking for trouble; without defences, it’s really just a matter of time before your business gets hacked.

The solutions are out there and their implementation is straightforward. Now is the time to review your security provisions…before the cybercriminals do.

Posted at 8:12 am
Aug 13 2014

Our CEO, Mike Newman, recently attended Buckingham Palace by invitation of the Queen to celebrate the innovation of the UK’s technology industry.

The event was hosted by Prince Andrew, the Duke of York, and was attended by the Queen and other members of the Royal Family including Prince William, Prince Edward and Prince Phillip. Guests included leading entrepreneurs and thought-leaders from the UK technology industry.

The guests were given the privilege of being formally introduced to Her Majesty The Queen and The Duke of Edinburgh.

Attending Buckingham Palace as representative of the UK’s technology sector was a great honour. As a country, we have fantastic pedigree in innovation and technology and it’s tremendous that the sector’s achievements are recognised and celebrated by the royal household.

Mike Newman, CEO

Mike Newman, My1Login CEO, being introduced to Her Majesty The Queen

The event itself was all you would expect from a Queen’s reception at Buckingham Palace, with lavish surroundings and priceless paintings, but the main reason for the event was to discuss the UK’s technology sector and how it could be improved to further support innovation and drive the global success of UK business.

After meeting the Queen, Mike had the opportunity to discuss the tech industry with Prince Phillip, the Duke of Kent and the Duke of Gloucester, outlining how My1Login is using its technology to improve the security of businesses around the world.

From the conversations I had, it is clear that the importance of online security and the growing challenge of password management was clearly recognised, and at least one of the royals present expressed great interest in My1Login’s offering.

Mike Newman, CEO

Posted at 6:17 am
Aug 06 2014

Hold Security have reported that they have identified 1.2 billion username and password combinations stolen by a Russian cybergang from various web and FTP sites.

“Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach,” Hold Security say in their report. “Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family.”

Hold Security explain that the hackers “didn’t just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.” 

With the 1.2 billion usernames and passwords stolen, and associated with 500 million email addresses, the sheer scale of the breach makes it likely that you or your business may have been affected in some way by the breach. Our advice is to ensure that your business passwords are strong and that you have good password practices in place within your business. Strong passwords make it extremely difficult for hackers to crack the password hashes that are typically stolen in these types of breaches. If you are concerned that this breach may have affected your business, then it’s a good time to improve your password strength and practices. Password security is vital to keeping your identity safe online and with a few simple changes you can improve your online security.

Tips on making your passwords strong:

  • Make all passwords at least 15 characters long
  • Use entropy in passwords. They should contain uppercase & lowercase letters, numbers & symbols.
  • Avoid the use of dictionary words or common names, and avoid using any personal information.
  • Don’t replace ‘i’ with a ‘1’, or ‘a’ with a ‘4’ etc. These are well-established password tricks which any hacker will be familiar with.
  • Avoid sequences or repeated characters.
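The five tips above can be turned into a checker that employees or an IT team can run against candidate passwords. The script below is an added example, not part of the original post or of My1Login’s software: it enforces the 15-character minimum and the four character classes, undoes the i→1 and a→4 style substitutions before looking for dictionary words or personal information, and flags sequences and repeated characters. The word list, the substitution table and the sample passwords are constructed for illustration; a real deployment would use a full dictionary and the organisation’s own list of names to avoid.

```python
import re

# Added example: a checker for the password rules listed above. The word list
# and substitution table are constructed for illustration, not a real dictionary.
MIN_LENGTH = 15
COMMON_WORDS = {"password", "hello", "welcome", "summer", "dragon", "monkey", "letmein", "qwerty"}
# The well-known substitutions the post warns about, undone before checking for words
LEET = str.maketrans({"1": "i", "!": "i", "4": "a", "@": "a", "0": "o", "3": "e", "5": "s", "$": "s", "7": "t"})
CHARACTER_CLASSES = (
    ("lowercase", r"[a-z]"),
    ("uppercase", r"[A-Z]"),
    ("digits", r"[0-9]"),
    ("symbols", r"[^A-Za-z0-9]"),
)


def undo_substitutions(password: str) -> str:
    """Map 1->i, 4->a, 0->o and friends back so 'P4ssw0rd' reads as 'password'."""
    return password.translate(LEET).lower()


def contains_word(password: str, words) -> bool:
    """True if any word of four letters or more appears once substitutions are undone."""
    folded = undo_substitutions(password)
    return any(w.lower() in folded for w in words if len(w) >= 4)


def has_sequence(password: str, run: int = 3) -> bool:
    """Detect runs such as 'abc', '123' or 'cba' of the given length."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeat(password: str) -> bool:
    """Detect the same character three or more times in a row."""
    return re.search(r"(.)\1\1", password) is not None


def check_password(password: str, personal_info=()) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, pattern in CHARACTER_CLASSES if not re.search(pattern, password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if contains_word(password, COMMON_WORDS):
        problems.append("contains a dictionary word (even with 1/4/0-style substitutions)")
    if contains_word(password, personal_info):
        problems.append("contains personal information")
    if has_sequence(password):
        problems.append("contains a sequence such as abc or 123")
    if has_repeat(password):
        problems.append("contains repeated characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates: two that fail in different ways and one that passes
    for candidate in ("Password1", "P4ssw0rd!P4ssw0rd!", "Kettle-Violin7*Marmalade^Q"):
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}")
```

The substitution step is what catches ‘P4ssw0rd!P4ssw0rd!’: it is eighteen characters long and uses all four classes, yet it is still ‘password’ twice with the tricks every cracking wordlist already applies.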

Strong passwords need to be augmented with strong practice:

  • Do not use the same password on multiple sites.
  • Never allow passwords to be written down or stored in the notes section of phones.
  • Do not store passwords in Word or Excel. Even if those files are later deleted there will still be a recoverable imprint of it on the computer, long after it is sold or donated to a recycling company.
  • Do not allow passwords to be emailed. Emails can be read by the provider of the service.
  • Do not feel the need to regularly change strong passwords. A very strong password that is used for a long time is more secure than a weaker password that is regularly changed for a similarly weak password. Enforcing regular changing of passwords can often result in employees adopting weaker passwords to make them easier to remember.

As hackers, and the tools available to them, become more sophisticated the number of website breaches will continue to grow. They are not one-offs and are only going to become more prevalent in the future. Ensuring your passwords are strong, not re-used across your company, and stored in encrypted form will put you and your business in the best position to mitigate the risk of these hacks affecting your organization.

 

Posted at 11:11 am
Jul 05 2014

An investigation by Cisco found that malicious advertisements on the Disney, Facebook and The Guardian newspaper domains exposed unsuspecting visitors to malware. The computer users who were affected had ransomware installed on their devices.

Ransomware is malicious software that installs on your device without your consent – it gives the cybercriminal the ability to lock you out of your device, typically by encrypting your data. The cybercriminal will then offer to give you access to your data or device again, provided you pay.

Ransomware is quickly becoming the scourge of the Internet and Cisco Systems is reporting that several very popular web sites have recently been distribution points via malvertising. According to an investigation detailed on the Cisco Systems blog site, popular web sites including Disney and Facebook have been compromised to display infected advertisements that download a ransomware program similar to the notorious CryptoLocker.

Cisco analyzed data accumulated by its Cloud Web Security (CWS) service, which monitors its customers’ web use and warns them if they have been visiting domains that could be malicious. Cisco’s analysis determined that in the last month there has been a dramatic increase in sites compromised by cyber criminals who use the RIG exploit kit (EK). According to Cisco, “we have so far blocked requests to over 90 domains for more than 17% of our Cloud Web Security (CWS) customers” because of the RIG EK.

Cisco has determined that many of the sites compromised by the use of RIG have been spreading the Cryptowall ransomware via compromised advertisements (malvertising). These appear to be exploiting the following vulnerabilities:

  • Silverlight: CVE-2013-0074
  • Java: CVE-2013-2465 and CVE-2012-0507
  • Flash: CVE-2013-0634

(from Cisco)

Once ransomware has infected your device, it’s extremely difficult to retrieve your data due to the encryption that’s used to scramble your information. Often users have to resort to restoring their devices back to factory defaults, losing their data. Proactively protecting your devices is the solution, rather than reacting once it has happened.

Our advice is to ensure your data is backed up in the first place, so that if this does happen you can restore your device without losing your data. User education is also extremely important, especially in business where not all employees may be technically proficient – train employees not to open attachments from unsolicited emails and to be wary of websites that ask them to download and open files. Make sure all operating systems and browsers are up-to-date with all patches applied, and make it a requirement that anti-virus software is installed on your and your employees’ devices – especially if employees use their own personal devices for business.

Posted at 6:53 am