Aug 28 2014
 

Our blog is normally devoted to non-self-promotional advice on business security, but we wanted to let you know about our new iOS app for iPads and iPhones. The app provides one-click sign-in to your web apps on your iDevice. We've built our own browser with the same features you're used to in Safari, plus a 'log in' button on the toolbar. Pressing it signs you into any website you have stored in your my1login account, so there's no more trying to remember or type usernames and passwords on your iPhone: any login stored in your my1login account is available on your iDevice.

iOS App

 

Download the new iOS App

Simply visit the AppStore on your iPhone or iPad and search for ‘my1login’ to find the new app. You can also find it on this link: https://itunes.apple.com/gb/app/my1login-password-manager/id596426753

iOS App Features

  • Securely access business logins from anywhere
  • Never forget usernames or passwords again
  • Remove the risk of employees writing down or storing passwords insecurely
  • Fully-featured browser with a 'sign in' button which automatically signs you into sites
  • Access all of your desktop and laptop websites, usernames and passwords without the need to transfer them
  • Data is protected with AES-256 encryption using a secure key phrase of your choice
  • All sensitive data is encrypted on your device, so that even my1login cannot see it
 Posted by at 2:25 pm
Aug 28 2014
 

Dictionaries define a password as a secret word or expression which must be used to gain entry. It's hard to fault this definition, and yet computer users use the same old passwords year after year: 'Password1', 'Hello123' and plain old 'password'. Sound familiar? Not much of a secret, then.

Using password hashes collected during two years of penetration tests, Trustwave, an American information security company, cracked over 50% of business passwords in just a few minutes; after 31 days they had cracked 92% of them. The equipment was nothing extraordinary, but they used a graphics processing unit (GPU) rather than a traditional central processing unit (CPU): for the simple, repetitive arithmetic of hashing, a GPU can perform billions more calculations per second than a similar-priced CPU. What does this mean for businesses? A high probability of being hacked. Hackers rely on weaknesses to gain unauthorised entry to networks and, once in, can cause costly mayhem, both financial and reputational, and weak passwords have been identified as the primary cause of online accounts being hacked.

Misconceptions about password strength

In accordance with widespread business policy, passwords are typically 8 characters long (because that’s the stated minimum) and, although many require the inclusion of numbers, upper case and lower case letters, and special characters, these calls for added complexity don’t always translate into strong passwords.

These complex passwords may thwart the colleague sitting next to you (or the passer-by looking over your shoulder), but they're not really who you're up against; it's hackers with their automated tools. In their study, Trustwave point out that, although many users assume that complex combinations make a password more secure, it is increasing the number of characters that raises the cracking time dramatically: every extra character multiplies the number of guesses an attacker must make, whereas adding a symbol only enlarges the set of characters in each position. Automated tools therefore find it far easier to crack a short but outwardly complex password like 'N^a&$1n' than a longer phrase like 'GoodLuckGuessingThisPassword'.

Ironically, IT administrators who force complexity into short passwords may, in fact, be introducing weakness by unwittingly causing users to create predictable password patterns, usually comprising a single word and tacking on the minimum required numbers and specials.

Similarly, the practice of insisting on regular password changes has been shown to encourage weaker ones. Users end up creating passwords that are more easily cracked because they simply increment an embedded number, add the next-in-line special character, or revert to ever more memorable (i.e. common) keywords as the basis for the password.
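As an added example (not from the article or from my1login), the Python script below plays the attacker's side of the Trustwave exercise described above. It pushes a constructed wordlist through the rules the article describes (capitalise, bolt on the minimum digits and specials, leetspeak swaps, and the reset-day habit of incrementing the number on the end) and checks every candidate against a constructed dump of unsalted SHA-256 hashes. The policy-compliant passwords fall in a few thousand guesses; the long phrase does not. The GPU hash rate and keyspace figures at the end are assumptions used only to compare orders of magnitude.

```python
import hashlib
import itertools
import re

# Added example; the hash dump, wordlist and GPU rate below are constructed
# for the demonstration and are not data from the article.


def sha256_hex(text: str) -> str:
    # Unsalted SHA-256: fast to compute, so fast to crack. Real systems should
    # store passwords with a slow, salted KDF (bcrypt, scrypt, Argon2); the
    # rules below still apply there, just at far fewer guesses per second.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed "stolen hash dump": policy-compliant passwords plus one long phrase.
TARGET_HASHES = {sha256_hex(p) for p in [
    "Password1", "Hello123", "Summer2014!", "P@ssw0rd", "Tr0ub4dor13",
    "GoodLuckGuessingThisPassword",
]}

# Constructed base wordlist; real attacks use lists of millions of entries.
WORDLIST = ["password", "hello", "summer", "welcome", "letmein",
            "qwerty", "monkey", "dragon", "football"]

LEET = str.maketrans({"a": "@", "o": "0", "e": "3", "i": "1"})
SPECIALS = ["!", "@", "#", "$"]
SUFFIXES = ([str(n) for n in range(100)] + ["123", "1234"]
            + [str(year) for year in range(2010, 2016)])


def mutations(word: str):
    """Yield the variants users produce to satisfy an upper/digit/special policy."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base in bases:
        yield base
        for suffix in SUFFIXES:
            yield base + suffix
            for special in SPECIALS:
                yield base + suffix + special
                yield base + special + suffix


def increment_trailing_number(old: str) -> str:
    """The reset-day rule: bump the number at the end, e.g. Welcome12 -> Welcome13."""
    match = re.search(r"(\d+)(\W*)$", old)
    if not match:
        return old + "1"
    digits, tail = match.groups()
    return old[:match.start()] + str(int(digits) + 1).zfill(len(digits)) + tail


def crack(targets, wordlist, known_old_passwords=()):
    """Return ({hash: plaintext} for recovered targets, number of guesses made)."""
    found, guesses = {}, 0
    candidates = itertools.chain(
        (increment_trailing_number(p) for p in known_old_passwords),  # rotation rule first
        itertools.chain.from_iterable(mutations(w) for w in wordlist),
    )
    for candidate in candidates:
        guesses += 1
        digest = sha256_hex(candidate)
        if digest in targets and digest not in found:
            found[digest] = candidate
            if len(found) == len(targets):
                break
    return found, guesses


# Keyspace comparison. GPU_RATE is an assumed figure for an unsalted fast hash
# on one GPU of the period; only the ratios between the lines matter.
GPU_RATE = 1e9
POLICY_MASK_KEYSPACE = 26 * 26**5 * 10 * len(SPECIALS)  # capital, 5 lowercase, digit, special
FULL_8_CHAR_KEYSPACE = 95**8                           # what the policy pretends it buys
PHRASE_BRUTE_FORCE = 52**28                            # letter-by-letter on a 28-letter phrase
PHRASE_COMBINATOR = 5000**4                            # four common words from a 5,000-word list


def seconds_to_exhaust(keyspace: int, guesses_per_second: float = GPU_RATE) -> float:
    return keyspace / guesses_per_second


if __name__ == "__main__":
    found, guesses = crack(TARGET_HASHES, WORDLIST, known_old_passwords=["Tr0ub4dor12"])
    print(f"{len(found)} of {len(TARGET_HASHES)} hashes recovered in {guesses} guesses:")
    for plaintext in found.values():
        print("  ", plaintext)
    for label, space in [("policy mask (8 chars)", POLICY_MASK_KEYSPACE),
                         ("full 8-char keyspace", FULL_8_CHAR_KEYSPACE),
                         ("28-letter phrase, brute force", PHRASE_BRUTE_FORCE),
                         ("4-word phrase, combinator", PHRASE_COMBINATOR)]:
        print(f"{label:32s} {seconds_to_exhaust(space):.3g} s")
```

The last line of the output is the caveat to 'length beats complexity': a phrase built from a few common dictionary words is attacked word-by-word (a combinator attack), not letter-by-letter, so its real cost is the combinator figure, not the brute-force one. Length still wins, but only when the words are not the obvious ones.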

Creating strong passwords

Any initiative to establish strong business passwords must begin with understanding what is behind the prevalence of passwords like ‘Password1’, ‘Hello123’ and ‘password’. Is it laziness, or ignorance, or wilful arrogance? Or is it because users think that ‘the IT people’ are really in charge of security and it’s not their problem? Sadly, it’s all of the above, but the good news is that the situation can be alleviated using some very simple measures:

  • Educate employees about the business risks associated with weak passwords: if it affects the business, it affects them.
  • Teach them how to create strong passwords: the emphasis should be on unique, memorable – even funny – phrases that have greater length rather than greater complexity. Passwords using a proper name (people, pets, places) as a basis are easily cracked and should be avoided.
  • Ask employees to test the strength of their passwords. Strength meters are good at highlighting weak approaches to password structure and, if existing systems can’t be redesigned to allow long phrases, they’re a great tool for testing short words with or without added specials.
  • Don’t impose regular resets of passwords.
  • Use a password manager, especially if users are expected to remember multiple passwords.

Whilst every business owner needs to take risks, tolerating weak passwords isn’t one of them; policies for password creation and storage should be an important consideration on every business agenda. The bottom line? ‘GetYourPasswordsSortedRightNow!’

 Posted by at 9:45 am
Aug 15 2014
 

A cybersecurity breach isn’t something that only happens to other businesses: tens of thousands of websites around the world are hacked each day and the number of new malware strains runs into tens of millions per year.

Hackers are after logins that give access to a money trail, or customer data, or corporate strategies, secrets, and intellectual property; others simply seek to disrupt services.

For hackers, it’s all about finding and exploiting weak links – many of them human, some of them technical. They take advantage of human frailty in the form of lazy, or predictable, or gullible behaviour, finding ever more creative ways to entice people to visit increasingly realistic fake websites, or be conned by elaborate spoofs. Organisations are at fault too: software developers and original equipment manufacturers don’t always incorporate adequate security features into their products, leaving users vulnerable to attack.

So how do hackers gain access?

  1. Server scanning. Hackers remotely scan the targeted company's Internet-facing servers for exposed, unpatched or misconfigured services, then exploit a flaw in one of them (often a bug that crashes the service) to execute their own code.
  2. Wi-Fi vulnerability. Most businesses have secure Wi-Fi, but hackers exploit careless employees who use open wireless networks when out of the office.
  3. Phishing and social engineering. Simple phishing indiscriminately sends emails containing an attachment or link that installs malware if opened; spear phishing adds social engineering, targeting specific employees with a seemingly business-relevant attachment or link, or one tailored to the employee's personal interests.
  4. Infected websites. Websites which are likely to be used by a company are targeted: hackers look for weaknesses on the website, using them to embed code that will infect visitors to the site.
  5. Planting code into web-entry databases (SQL injection). Web-based forms that collect and store a user's details are fed, instead of the expected personal details, text crafted so that the database executes it as a command rather than storing it as inert data.
  6. Stealing or guessing passwords. Stealing passwords involves trickery: users receive a fake email asking them to reset their password using an enclosed link. Guessing passwords is easier than it sounds: 90% of passwords are drawn from a list of only 1000 variants.
  7. Stealing IDs from third-party sites. Knowing that some people use the same usernames and passwords for both work and other websites, hackers look for employees of the targeted company on third-party sites and attempt to steal the details from there.
  8. Hijacking email accounts. After researching the background of a targeted employee, hackers prepare a list of possible answers to security questions and use the company’s password-reset mechanism to change the password and access their email account.
  9. USB devices. A memory stick loaded with malware can appear completely empty, even after formatting, so handing one to an employee is one way hackers gain entry. Another is a USB device that presents itself to the PC as a network card, diverting internet traffic and recording keystrokes: that nice rep who asked to charge his smartphone on a company PC could, in fact, be harvesting passwords.
  10. Inside jobs. Financially desperate or disgruntled employees, undercover recruits and on-site service providers constitute an ever-present threat from within.
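Item 5 is SQL injection. The Python script below is an added example, not from the article or from my1login: it builds a constructed in-memory SQLite user table and runs the same login and lookup two ways, first with the form fields pasted straight into the SQL string, then with parameterised queries that bind the fields as data. The table, rows and payload strings are all constructed for the demonstration.

```python
import sqlite3

# Added example; the table, rows and attacker inputs are constructed for the demo.


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO users (email, password_hash) VALUES
            ('alice@example.com', 'hash_of_alice_password'),
            ('bob@example.com',   'hash_of_bob_password');
    """)
    return conn


def login_vulnerable(conn, email: str, password_hash: str):
    """Form fields pasted into the statement: the input is parsed as SQL."""
    sql = ("SELECT email FROM users WHERE email = '%s' AND password_hash = '%s'"
           % (email, password_hash))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, email: str, password_hash: str):
    """Parameterised query: the driver binds the values, so they stay data."""
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password_hash = ?",
        (email, password_hash),
    ).fetchone()
    return row[0] if row else None


def find_users_vulnerable(conn, email: str):
    """Same flaw in a lookup; a tautology payload returns every row."""
    sql = "SELECT email, password_hash FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_users_safe(conn, email: str):
    return conn.execute(
        "SELECT email, password_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


def register(conn, email: str, password_hash: str) -> None:
    """Parameterised insert: whatever the form contains is stored as inert text."""
    conn.execute("INSERT INTO users (email, password_hash) VALUES (?, ?)",
                 (email, password_hash))
    conn.commit()


# Constructed attacker inputs.
BYPASS_PAYLOAD = "' OR '1'='1"   # in the password field: makes the WHERE clause true
DUMP_PAYLOAD = "x' OR '1'='1"    # in the email field: returns every row

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, "alice@example.com", BYPASS_PAYLOAD))
    print("safe login:      ", login_safe(db, "alice@example.com", BYPASS_PAYLOAD))
    print("vulnerable dump: ", find_users_vulnerable(db, DUMP_PAYLOAD))
    print("safe dump:       ", find_users_safe(db, DUMP_PAYLOAD))
    register(db, DUMP_PAYLOAD, "hash_of_attacker_password")
    print("stored as data:  ", find_users_safe(db, DUMP_PAYLOAD))
```

With the vulnerable functions the password check is bypassed and the whole table (including every password hash) is returned; with the parameterised ones the same payloads match nothing, and the registration stores the payload string verbatim as a harmless email value.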

Foiling the attempts of hackers requires a systematic approach; in the same way that you wouldn’t lock up your premises at night and leave the windows open, every potential entry point needs securing.

How to protect your business

Ensure that all employees are trained about potential security threats and use strong, unique passwords: the same password should never be used across different accounts. Always run the latest version of your operating system and your browsers: out-of-date add-ons are targeted by hackers as a way to redirect those browsers and siphon off user data. Antivirus software should be set to update automatically; otherwise, download updates only from the developer's site, never from links in pop-up reminders. Think backups and encryption.

The adage that prevention is better than cure couldn’t be truer here; undoing damage after a security breach can be – at the very least – time-consuming and costly. Building business systems without information security measures is asking for trouble; without defences, it’s really just a matter of time before your business gets hacked.

The solutions are out there and their implementation is straightforward. Now is the time to review your security provisions…before the cybercriminals do.

 Posted by at 8:12 am
Aug 13 2014
 

Our CEO, Mike Newman, recently attended Buckingham Palace by invitation of the Queen to celebrate the innovation of the UK’s technology industry.

The event was hosted by Prince Andrew, the Duke of York, and was attended by the Queen and other members of the Royal Family including Prince William, Prince Edward and Prince Philip. Guests included leading entrepreneurs and thought-leaders from the UK technology industry.

The guests were given the privilege of being formally introduced to Her Majesty The Queen and The Duke of Edinburgh.

Attending Buckingham Palace as representative of the UK’s technology sector was a great honour. As a country, we have fantastic pedigree in innovation and technology and it’s tremendous that the sector’s achievements are recognised and celebrated by the royal household.

Mike Newman, CEO

Mike Newman, M1Login CEO, being introduced to Her Majesty The Queen


The event itself was all you would expect from a Queen’s reception at Buckingham Palace, with lavish surroundings and priceless paintings, but the main reason for the event was to discuss the UK’s technology sector and how it could be improved to further support innovation and drive the global success of UK business.

After meeting the Queen, Mike had the opportunity to discuss the tech industry with Prince Philip, the Duke of Kent and the Duke of Gloucester, outlining how My1Login is using its technology to improve the security of businesses around the world.

From the conversations I had, it is clear that the importance of online security and the growing challenge of password management was clearly recognised, and at least one of the royals present expressed great interest in My1Login's offering.

Mike Newman, CEO

 Posted by at 6:17 am
Aug 06 2014
 

Hold Security have reported the theft of 1.2 billion username and password combinations by a Russian cybergang from a wide range of web and FTP sites.

“Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach,” Hold Security say in their report. “Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family.”

Hold Security explain that the hackers “didn’t just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.” 

With 1.2 billion usernames and passwords stolen, associated with 500 million email addresses, the sheer scale of the breach makes it likely that you or your business have been affected in some way. Our advice is to ensure that your business passwords are strong and that good password practices are in place within your business: strong passwords make it extremely difficult for hackers to crack the password hashes that are typically stolen in these breaches. If you are concerned that this breach may have affected your business, it's a good time to improve your password strength and practices. Password security is vital to keeping your identity safe online, and a few simple changes can improve it.

Tips on making your passwords strong:

  • Make all passwords at least 15 characters long
  • Maximise entropy: passwords should contain uppercase and lowercase letters, numbers and symbols.
  • Avoid the use of dictionary words or common names, and avoid using any personal information.
  • Don't replace 'i' with '1', or 'a' with '4', etc. These are well-established tricks which any hacker's cracking rules already cover.
  • Avoid sequences or repeated characters.

Strong passwords need to be augmented with strong practice:

  • Do not use the same password on multiple sites.
  • Never allow passwords to be written down or stored in the notes section of phones.
  • Do not store passwords in Word or Excel. Even if those files are later deleted, copies may remain recoverable from the disk long after the computer is sold or donated to a recycling company.
  • Do not allow passwords to be emailed. Emails can be read by the provider of the service.
  • Do not feel the need to regularly change strong passwords. A very strong password that is used for a long time is more secure than a weaker password that is regularly changed for a similarly weak password. Enforcing regular changing of passwords can often result in employees adopting weaker passwords to make them easier to remember.

As hackers, and the tools available to them, become more sophisticated, the number of website breaches will continue to grow. They are not one-offs and are only going to become more prevalent. Ensuring your passwords are strong, not re-used across your company and stored in encrypted form will put you and your business in the best position to mitigate the risk of these hacks affecting your organization.

 


 

 Posted by at 11:11 am
Jul 05 2014
 

An investigation by Cisco found that malicious advertisements served on Disney, Facebook and Guardian newspaper domains led unsuspecting visitors to malware; the computer users affected had ransomware installed on their devices.

Ransomware is malicious software that installs on your device without your consent – it gives the cybercriminal the ability to lock you out of your device, typically by encrypting your data. The cybercriminal will then offer to give you access to your data or device again, provided you pay.

Ransomware is quickly becoming the scourge of the Internet, and Cisco Systems reports that several very popular websites have recently been distribution points via malvertising. According to an investigation detailed on the Cisco Systems blog, popular websites including Disney and Facebook served infected advertisements that download a ransomware program similar to the notorious CryptoLocker.

Cisco analysed data accumulated by its Cloud Web Security (CWS) service, which monitors its customers' web use and warns them if they have been visiting domains that could be malicious. Cisco's analysis determined that in the last month there has been a dramatic increase in sites compromised by cyber criminals using the RIG exploit kit (EK). According to Cisco, "we have so far blocked requests to over 90 domains for more than 17% of our Cloud Web Security (CWS) customers" because of RIG.

Cisco has determined that many of the sites compromised through RIG have been spreading the CryptoWall ransomware via compromised advertisements (malvertising). The kit appears to be exploiting the following vulnerabilities (from Cisco):

  • Silverlight: CVE-2013-0074
  • Java: CVE-2013-2465 and CVE-2012-0507
  • Flash: CVE-2013-0634

Once ransomware has infected your device, it's extremely difficult to retrieve your data because of the encryption used to scramble it. Often users have to resort to restoring their devices to factory defaults, losing their data. Proactively protecting your devices is the solution, rather than reacting once it has happened.

Our advice is to ensure your data is backed up in the first place, so that if this does happen you can restore your device without losing your data. User education is also extremely important, especially in business where not all employees may be technically proficient: train employees not to open attachments from unsolicited emails and to be wary of websites that ask them to download and open files. Make sure all operating systems and browsers are up to date with all patches applied, and make it a requirement that anti-virus software is installed and kept current on your and your employees' devices, especially if employees use their own personal devices for business.

 Posted by at 6:53 am
Jul 04 2014
 

We like to believe we're different, but when it comes to thinking up passwords, it appears that we're all just the same after all. Whether it's human nature or a distinct lack of creativity when it comes to the mundane, we're all choosing the same passwords as each other. A study of 6 million passwords by Mark Burnett found that 99.8% of them were among the same 10,000 values. In fact, around 90% were among the same 1,000, and nearly 5% of people simply use 'password' as their password :)


The top 500 passwords courtesy of Xato.net

So, what does it mean for us? Well, if we're in the 99.8%, it means our bank, our blog and our work logins are all pretty easy targets. Hackers are clever folk, but with so many people choosing the same passwords, they hardly have to break a sweat to crack them.

Your aim should be to make sure you're in the other 0.2%, with passwords strong enough that it isn't worth the hackers' time to try to crack them.

How do your current passwords stack up? Take the test using our Password Strength Checker - it will tell you just how good or bad your passwords are and how long it’ll take a hacker to crack them.

Take the my1login password test!

If you’ve tested your passwords and they’re strong, excellent! You’re in the 0.2% and can rest easy. If your current passwords aren’t strong, then it’s time to take some steps to improve your password security.

5 tips to improve your passwords:

  • Do make them at least 14 characters long
  • Do use letters, digits and symbols
  • Don’t use dictionary words or names
  • Don’t use number sequences
  • Don’t simply change e’s for 3′s, a’s for 4′s or append numbers to the end of words.

If you’d rather not have to think about creating strong passwords, as you know, my1login’s password manager can do it for you. my1login lets you generate super-strong passwords such as e#5/yXczsID~Ygw-wIzvXJP?9 for all your accounts and saves you the trouble of having to remember or type them again: try my1login for free.

 Posted by at 1:58 am
Jul 02 2014
 

MongoHQ is the latest company to suffer a security breach due to its own poor password practices.

Jason McCay, MongoHQ's CEO, reported: "On October 28, 2013, we detected unauthorized access to an internal support application using a password that was shared with a compromised personal account." The consequences of the breach were huge, giving hackers access to customer account information, including databases, email addresses and bcrypt-hashed user credentials. Furthermore, it had the knock-on effect of causing some of MongoHQ's customers significant financial and reputational damage.

Pointless Password Policies

This breach is another example of how password policies rolled out by organizations are not only ineffective but ultimately pointless when there is no governance in place to measure compliance with them. Forcing minimum requirements for passwords does not work, primarily because the aims of the employee are often at odds with the aims of the business: organizations want security, while employees want convenience. Remembering multiple complex passwords is a burden many employees don't want or need, and even employees with the best of intentions often leave the company exposed by unknowingly using weak passwords that meet the minimum requirements of the policy. Meeting those requirements can give a false sense of security that accounts are well protected, when in fact the passwords can be cracked in minutes. Meeting the minimum requirements of a password policy is no guarantee of a strong password, and with no mechanism to measure the effectiveness of the policy, business and employees alike can be blissfully unaware that they have security vulnerabilities.

Typical Password Policies

Password policies rolled out by companies tend to set a minimum standard: typically passwords must be at least 8 characters long and include a capital letter and a number. It's policies like this that have made Password1 one of the most popular passwords in existence, used by millions every day across the globe. Password1 meets the minimum requirements of the MS Windows login policy, which has become a de facto standard even though it's totally inadequate in today's world. Businesses often unknowingly compound the problem by requiring password changes every few months. Forcing employees to change passwords frequently can actually reduce security, as employees start to use weaker passwords that are easier to remember, often simply incrementing a digit in the existing password to satisfy the policy. It's simply convenient for employees to create something easy to remember so they can get on with their job. The MongoHQ example is typical of what goes on in every organization: employees seek convenience while finding a way to meet the minimum requirements of the corporate password policy.

Buffer Hacked

The MongoHQ employee using the same password for a personal and a business account not only caused a breach of MongoHQ, but had the knock-on effect of compromising one of MongoHQ's biggest customers, Buffer.

Buffer is a social media app that allows people to queue posts to their social media accounts. The MongoHQ breach gave hackers access to Buffer’s database (managed by MongoHQ) and resulted in hackers spamming content to Buffer users’ social media accounts.

Even with a password policy in place, it was ultimately useless to MongoHQ without a means to measure employee compliance. Employees using the same passwords for business accounts that they use for their personal accounts is a typically weak practice, and was also the cause of the Dropbox breach in 2012.

How my1login can help

my1login is a cloud-based business password manager that works in conjunction with existing business passwords, so that end users need only one secure login for all business services.

 

my1login's password reports give management a mechanism to measure employee compliance with password policies. Management can see at a glance where there may be security vulnerabilities due to employees using weak passwords or weak password practices, such as using the same password across multiple accounts: the problem which led to MongoHQ and Dropbox being hacked.

Find out how my1login can protect your business.


 


 

 

 Posted by at 7:50 am
Jun 30 2014
 

Last August we engaged with a team at the University of California, Berkeley, that was assessing several online password security services.

We were delighted to be included as one of the leading password security services and to have the beta version of our old consumer product subjected to additional ethical hacking by acknowledged leaders in the field. In this extensive, in-depth analysis of the five products tested, my1login was found to have the fewest issues across all of the areas evaluated. The issues raised by the experts at the University of California, Berkeley were resolved by our development team the same day, and we were pleased that none of them affected any of our customers.

The University of California, Berkeley is at the forefront of computer security research, and we were delighted to receive the benefit of the wisdom of some of the leading minds in the security industry.

You may know this already, but we no longer offer the beta consumer version of our service. However, this beta service provided us with a rich test-bed and we gained hugely valuable insight from it. It was remarkable that even an old beta product of ours outperformed some of the other well-established competitors in the industry. For more detailed information please check out this link.

 Posted by at 5:15 am
Jun 09 2014
 

Our CEO, Mike Newman is in London today to attend the UK Technology Reception at Buckingham Palace, celebrating tech success and innovation in the UK.


The Duke of York has a strong focus through his work on supporting technology and entrepreneurship in the UK. His Royal Highness is delighted that The Queen and The Duke of Edinburgh are to give a Reception at Buckingham Palace on Monday, 9th June.

Mike comments, “my1login is increasingly becoming recognised around the world as an innovative security company, it is a great privilege to be invited to attend such a wonderful event that highlights and celebrates the excellent work of the UK’s technology industry.”

my1login is designed to protect businesses against 65% of the causes of data security breaches. Our services protect businesses against serious financial and reputational damage resulting from a hacking incident, and also prevent the use of weak passwords and weak password practices, where employees use the same password across multiple websites. Our technology means that employees only need one secure login to access business passwords whilst management benefit from a full audit trail of password security.

If you'd like to see how my1login can improve your online security and help protect you against hacks, try out the my1login password manager for free, or leave your email address and we'll send you an information pack.