
Archive for the ‘Security’ Category

Data Breaches 101: How They Happen, What Gets Stolen, and Where It All Goes

Though people seem to have become desensitized to news of data breaches, protecting user data has become increasingly important as stricter regulations take effect. Companies that deal with data belonging to European Union (EU) citizens are no longer just required to announce that their systems have been breached; under the General Data Protection Regulation (GDPR) they can also be fined up to 4 percent of their annual turnover.

Just this year, big names such as Macy’s, Bloomingdale’s, and Reddit have joined the ever-growing list of breach victims. Compromised data is a subject that needs the public’s full attention. Data breaches can result in the loss of millions, even billions, of private records and sensitive data, affecting not just the breached organization, but also everyone whose personal information may have been stolen.

What is a data breach?

A data breach occurs when a cybercriminal successfully infiltrates a data source and extracts sensitive information. This can be done physically by accessing a computer or network to steal local files or by bypassing network security remotely. The latter is often the method used to target companies. The following are the steps usually involved in a typical breach operation:

  1. Research: The cybercriminal looks for weaknesses in the company’s security (people, systems, or network).
  2. Attack: The cybercriminal makes initial contact using either a network or social attack.
  3. Network/Social attack: A network attack occurs when a cybercriminal uses infrastructure, system, and application weaknesses to infiltrate an organization’s network. Social attacks involve tricking or baiting employees into giving access to the company’s network. An employee can be duped into giving his/her login credentials or may be fooled into opening a malicious attachment.
  4. Exfiltration: Once the cybercriminal gets into one computer, he/she can then attack the network and tunnel his/her way to confidential company data. Once the hacker extracts the data, the attack is considered successful.


What are the biggest breaches to date?

The following table shows the 10 biggest breach incidents reported to date:

| Company/Organization | Number of Records Stolen | Date of Breach |
| --- | --- | --- |
| Yahoo | 3 billion | August 2013 |
| Equifax | 145.5 million | July 2017 |
| eBay | 145 million | May 2014 |
| Heartland Payment Systems | 134 million | March 2008 |
| Target | 110 million | December 2013 |
| TJX Companies | 94 million | December 2006 |
| JP Morgan & Chase | 83 million (76 million households and 7 million small businesses) | July 2014 |
| Uber | 57 million | November 2017 |
| U.S. Office of Personnel Management (OPM) | 22 million | Between 2012 and 2014 |
| Timehop | 21 million | July 2018 |

What types of data are usually stolen?

The motive of a cybercriminal defines what company he/she will attack. Different sources yield different information. The following are examples of common targets with details on what kind of data was stolen:

Business

  • Timehop (July 2018)
    Mobile App Vendor
    The data of the start-up’s 21 million users was exposed for around 2 hours due to a network intrusion on 4 July.
  • Reddit (June 2018)
    Content Aggregator
    Hackers gained access to an old database of users (the exact number of those affected has not been revealed) on 19 June.
  • Dixons Carphone (June 2018)
    Retailer
    An estimated 10 million customers could be affected by the hacking attack on its network sometime last year. The compromised data may include personal information like names, addresses, and email addresses. Some 5.9 million payment card records (nearly all of which are protected by the chip-and-PIN system though) may have been accessed as well.
  • Equifax (July 2017)
    Information Solutions Provider
    The major cybersecurity incident affected 143 million consumers in the U.S. Initially discovered on 29 July, the breach revealed the names, Social Security numbers, birth dates, and addresses of almost half of the total U.S. population. With investments in 23 other countries worldwide, around 400,000 U.K. customers were also reportedly affected. Final findings revealed a total of 145.5 million exposed records.
  • Ashley Madison (July 2015)
    Social Media Website
    Hacktivists stole and dumped 10GB worth of data on the Deep Web. This included the account details and personally identifiable information (PII) of some 32 million users, as well as credit card transactions.
  • Target (January 2014)
    Retailer
    Hackers penetrated the vendor’s network and infected all of its point-of-sale (PoS) machines. They were able to expose nearly 40 million debit and credit cards to fraud. The information stolen included PINs, names, and banking information.

Medical/Healthcare

  • SingHealth (July 2018)
    Medical/Healthcare Service Provider
    The nonmedical personal data of 1.5 million patients was reportedly accessed and copied, including their national identification number, address, and date of birth as part of the attack. The stolen data also included the outpatient medical data of 160,000 patients.
  • Hong Kong Department of Health (July 2018)
    Federal Agency
    The government agency was hit by a ransomware attack that rendered its systems inaccessible for two weeks starting 15 July.
  • Anthem (May 2015)
    Medical/Healthcare Service Provider
    An attack that started in April 2014 resulted in the theft of more than 80 million records of current and former customers. The data stolen included names, birthdays, social IDs, email addresses, and employment information.

Government/Military

  • U.K. military contractor (May 2017)
    Military Contractor
    Sensitive data from a military contractor was extracted by a targeted attack group from the military contractor’s network using a backdoor identified as RoyalDNS.
  • U.S. OPM (April 2015)
    Federal Agency
    Hackers gained access to more than 18 million federal employee records, including Social Security numbers, job assignments, and training details.

Banking/Credit/Financial

  • Deloitte (October/November 2016)
    Accountancy Firm
    The firm was targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients. The attack was discovered in March 2017, though findings revealed that the hack may have been launched as early as October or November 2016.
  • JP Morgan Chase & Co. (October 2014)
    Credit Service Provider
    The data of an estimated 76 million households and 7 million small businesses was compromised. The information included names, addresses, phone numbers, email addresses, and others.

Educational

  • University of Maryland (March 2014)
    Educational Institution
    More than 300,000 student, faculty, and staff records going as far back as 1998 were compromised though no financial, medical, or academic information was included. The stolen data included names, birth dates, university ID numbers, and Social Security numbers.
  • University of Greenwich (2004)
    Educational Institution
    The university was fined £120,000 for exposing the personal data of students, including names, addresses, dates of birth, signatures, and in some cases even medical information, on a microsite that was left unsecured since 2004.

Based on the data stolen, here are specific types of information that are of value to cybercriminals. Hackers search for these data because they can be used to make money by duplicating credit cards, and using personal information for fraud, identity theft, and even blackmail. They can also be sold in bulk in Deep Web marketplaces.


  • Member name
  • Date of birth
  • Social Security number
  • Member identification number
  • Email address
  • Mailing and/or physical address
  • Telephone number
  • Banking account number
  • Clinical information
  • Claims information

End users are almost never the target of cybercriminals who are out to steal sensitive information in bulk, unless an individual is connected to an industry (see Spear Phishing). However, end users can be affected when their records were part of the information stolen from big companies. In such cases, it is best to take note of the following practices.

  • Notify your bank. Verify your account details and change PIN codes.
  • Double-check email addresses from incoming emails. Cybercriminals can pose as bank representatives and ask for credentials.
  • Do not click suspicious-looking links or download files from unknown sources.
  • If credentials or financials have been tampered with, contact the breached company and ask if they can assist in enrolling you to a fraud victim assistance program.

Credit: www.trendmicro.com source

GDPR has arrived: here’s what will happen next

GDPR is finally here, but the story does not end at the implementation date.

Regulatory compliance will be an ongoing journey, and questions remain as to how the regulation will be enforced.

Enza Iannopollo, a Forrester analyst on the Security and Risk team, says that companies need to shift from readiness to sustained compliance.

“This is only the beginning of the story,” says Iannopollo, a Certified Information Privacy Professional (CIPP/E). “We assume that it will be a work in progress, even for companies that might be ready today, because building compliance within processes and making sure you do that on an ongoing basis will always be partially a work in progress. We don’t expect to see a final stage of compliance. That wouldn’t work for this kind of world.”

Many organisations are not yet compliant. Iannopollo advises them to focus on addressing their most high-risk data processing activities, which will usually involve sensitive personal information.

Consent strategies, data subject rights, and breach notifications will also need to be prioritised, as well as any large predictive analytics programmes with personally identifiable information and anything involving cloud.

Tracking systems for GDPR compliance
Old systems will need to be checked for compliance, while new ones should have data protection embedded in their design, advises Nigel Hawthorn, a data privacy expert at McAfee.

“The GDPR was not intended to be considered an add-on set of policies and procedures changing how data is handled,” explains Hawthorn.

“Instead, all new systems must be designed from the ground up to take into account best practices for data minimisation, which is why, even on deadline day, many companies still aren’t compliant.

“As of today, companies are required to notify a relevant data protection authority of any data breaches within 72 hours of discovery. To help reduce their risk, companies can restrict sensitive information to only managed devices, use behavioural analytics to detect any unusual activity, and must have plans in place to react quickly to correct any threats in the event of a breach.”

Third parties can open up further risks.

“You need to understand the third party risk and what it means to sell or share data with third parties,” says Iannopollo. “You need to understand that the way those third parties are complying with the GDPR will affect your own compliance, and you need to handle that risk systematically.”

The data sprawl that builds up requires a long-term solution rather than a one-time clean-up, as Daniel Mintz, chief data evangelist at Looker, explains.

“Businesses need a single access point for their data, allowing them to see who has accessed it and what they’ve done, all in one centralised, managed and secure place,” he says.

Once this is in place, all the data processing should be clearly documented. This will also help your case if you receive a visit from the regulators.

“Whatever work an organisation is doing to become compliant, that has to be documented,” says Iannopollo. “This is the base of your evidence of compliance strategy, and if a regulator knocks on the door and says ‘hey, I want to see how you’re complying with the rules,’ your documentation will be supporting evidence that some work has been done.”

Carrot and stick
The eye-popping maximum fines for breaches have been the focus of headlines in GDPR reporting, but the penalties will ultimately depend on the nature of the breach.

Investigations will take time to complete, and organisations will have an opportunity to respond to any accusations, but fines will come eventually for major infringements.

“I think we are going to see enforcement action,” says Iannopollo.

“I think the regulators will set a few examples to start with. They want to be perceived as strict with these rules.”

She nonetheless prefers to focus on the business opportunities that GDPR brings. Companies can make data protection a business differentiator, and a way to gain the trust of their increasingly data-savvy customers.

The implementation date gives them a chance to reflect on the benefits of GDPR, says Joe Garber, global head of product marketing, information management and governance at Micro Focus.

“Today we should consider the GDPR from a different angle and explore the opportunities it will bring to not only improve privacy and security, but also to help brands discover the real value of data,” he suggests.

“For businesses, the GDPR is a fundamental step to ensure data is managed in a more holistic way, allowing them to gain a greater and more well-rounded view of the information they store. Once the correct processes have been deployed to organise this data and implement analytics tools – and the privacy requirements of the GDPR have been taken into account – useful and accurate insights can be gleaned – a benefit for organisations and consumers alike.

“Businesses will be able to use customer insights and ultimately grow their business in a way that would not have been possible before. And, as a consumer, I am looking forward to what the GDPR can do for me as an individual, protecting my personal data in a time of severe mistrust around data sharing and use.”

Source credit: IDG News Service, www.techcentral.ie

Meltdown, Spectre CPU bugs threaten devices worldwide

Fix for massive security flaws could slow down PCs and Macs by as much as 30%

Massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues – dubbed Meltdown and Spectre – exist in the CPU hardware itself, Windows, Linux, Android, Macs, Chromebooks, and other operating systems all need to protect against them. And worse, it appears that plugging the hole will negatively affect your PC’s performance.

Everyday home users shouldn’t panic too much, though. Just apply the latest operating system updates and keep your antivirus software vigilant, as ever.

Here’s a high-level look at what you need to know about Meltdown and Spectre, in plain language. If you want a deep-dive into the technical details, be sure to read Google’s post on the CPU vulnerabilities. We’ve updated this article repeatedly as new information becomes available.

It is hard to dive too technically into the issue, as major hardware and software vendors are working together quietly to fix the kernel issue before making the vulnerability public. But The Register’s reporting and comments on patch code coming in hot to the Linux kernel – with details redacted to obscure the exact nature of the vulnerability – give us insight into the issue.

Here is a high-level look at what we know so far about the Intel CPU kernel bug affecting Linux, Windows, and presumably Macs. Expect it to be updated repeatedly as the problem becomes more clear.

Intel processor kernel bug FAQ
(Editor’s note: This article was updated to include comments from an Intel statement about the kernel exploit and its performance concerns throughout.)

The bug in play here is extremely technical, but in a nutshell, the chip’s kernel is leaking memory, which could lead to extremely sensitive data being exposed to apps and hackers, or make it easier for attackers to inject malware into your PC.

Intel says that “these exploits do not have the potential to corrupt, modify or delete data,” though simply being able to read the contents of protected kernel memory could give attackers access to your passwords, login keys, and much more.

What’s a kernel?
The kernel inside a chip is basically an invisible process that facilitates the way apps and functions work on your computer. It has complete control over your operating system. Your PC needs to switch between user mode and kernel mode thousands of times a day, making sure instructions and data flow seamlessly and instantaneously. Here’s how The Register puts it: “Think of the kernel as God sitting on a cloud, looking down on Earth. It’s there, and no normal being can see it, yet they can pray to it.”

How do I know if my PC is at risk?
Google says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the OS you’re running or whether you have a desktop or laptop. Chips from Intel, AMD, and ARM are susceptible to Spectre attacks, though AMD says its hardware has “zero” and “near zero” risk to the two known Spectre variants because of the way its chip architecture is designed.

A Linux kernel patch is also being prepared for 64-bit ARM processors. Details are murky, though a statement from Intel says that “many types of computing devices – with many different vendors’ processors and operating systems – are susceptible to these exploits.”

So if it’s a chip problem, then the chip makers need to fix it?

Yes and no. While CPU manufacturers will surely address the problem in future chips, the fix for PCs in the wild needs to come from the OS manufacturer, as a microcode update won’t be able to properly repair it.

Linux developers are working furiously to address the flaw in a new kernel update. Microsoft is expected to patch the problem during its Patch Tuesday updates on 9 January, after testing it on recently released Windows Insider preview builds. That timeline appears to have been corroborated by Intel’s statement, which says, “Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available.”

I use a Mac, so I’m OK, right?
Not this time. The vulnerability here affects all Intel x86 chips, so that means Macs are at risk too. However, Apple quietly protected against the exploit in macOS 10.13.2, which was released on 6 December, according to developer Alex Ionescu. Additional safeguards will be found in macOS 10.13.3, he says.

So, what can I do?
Not much besides updating your PC when a fix becomes available. Since the issue is such a deeply technical one there isn’t anything users can do to mitigate the potential issue other than wait for a fix to arrive. Definitely make sure you’re running security software in the meantime – advice that Intel also stresses.

Do you know when a fix will come?
It’s already here for Windows, Mac, and Chromebook users.

Microsoft pushed out a Windows update protecting against Meltdown on 3 January, the day that the CPU exploits hit headlines. Updates issued outside of Microsoft’s monthly “Patch Tuesdays” are rare, underlining the severity of this issue.

Apple quietly protected against Meltdown in macOS High Sierra 10.13.2, which released on 6 December, according to developer Alex Ionescu. Additional safeguards will be found in macOS 10.13.3, he says.

Linux developers are working furiously to address the flaw in a new kernel update.

Chromebooks received protection in Chrome OS 63, which was released on December 15. Furthermore, the Chrome Web browser itself was updated to include an opt-in experimental feature called ‘site isolation’ that can help guard against Spectre attacks. Site isolation is trickier on mobile devices; Google warns that it can create “functionality and performance issues” in Android, and since Chrome on iOS is forced to use Apple’s WKWebView, Spectre protections on that platform need to come from Apple itself. Chrome 64 will include more mitigations.

Mozilla is taking steps to protect against Spectre as well. Firefox 57 released in November with some initial safeguards.

So once the fix arrives, it’s OK?
Well, the operating system patches will plug the risk of Meltdown, but you might not like the side effects. While the fix will prevent the chip’s kernel from leaking memory, it brings some unfortunate changes to the way the OS interacts with the processor. And that could lead to slowdowns.

How much slower will my Intel PC become?
It’s complicated.

More recent Intel processors from the Haswell (fourth-gen) era onward have a technology called PCID (Process-Context Identifiers) enabled and are said to suffer less of a performance hit. Plus, some applications – most notably virtualisation tasks and data centre/cloud workloads – are affected more than others. The Register says “we’re looking at a ballpark figure of five to 30% slow down, depending on the task and the processor model.” Intel confirmed that the performance loss will be dependent on workload, and “should not be significant” for average home computer users.

“Obviously it depends on just exactly what you do,” Linux creator Linus Torvalds wrote in the Linux Kernel Mailing List. “Some loads will hardly be affected at all, if they just spend all their time in user space. And if you do a lot of small system calls, you might see double-digit slowdown.

“It will depend heavily on the hardware too,” he continued. “Older CPUs without PCID will be impacted more by the isolation. And I think some of the back-ports won’t take advantage of PCID even on newer hardware.”

Michael Larabel, the open source guru behind the Linux-centric Phoronix website, has run a gauntlet of benchmarks using Linux 4.15-rc6, an early release candidate build of the upcoming Linux 4.15 kernel. It includes the new KPTI protections for the Intel CPU kernel flaw. The Core i7-8700K saw a massive performance decrease in FS-Mark 3.3 and Compile Bench, a pair of synthetic I/O benchmarks. PostgreSQL and Redis suffered a loss, but to a far lesser degree. Finally, H.264 video encoding, timed Linux kernel compilation, and FFmpeg video conversion tasks didn’t lose anything.

Your mileage will, indeed, vary, it seems. Keep in mind that Phoronix’s testing was conducted on a non-final release, and that the Linux and Windows kernels are two very different beasts, so do not treat these as a locked-in look at what to expect from the eventual fixes for the Intel x86 kernel bug. We won’t know the full extent of the slowdown on Windows and macOS machines until a patch lands.

IDG News Service

Credit: Techcentral.ie

How Intel Core chips and Lenovo PCs could take over two-factor authentication from your phone


Password manager Dashlane and PC maker Lenovo are among the first consumer-facing companies to take advantage of a little-known feature within Intel’s 8th generation Core chips that could become much more popular: enabling two-factor authentication with just your PC, and not your phone.

What Intel calls Intel Online Connect (or, more generically, Universal Second Factor (U2F) authentication) lives within the 8th-generation Core architecture. Typically, two-factor authentication (2FA) – recommended for years as an additional security measure for e-mail, online storage, and other data – required that a code be sent to your phone either via an app or text message. Intel’s 8th-gen Core architecture and its associated software cuts out the need for a phone, simply requiring you to click a software ‘button’ to authenticate the 2FA transaction.

Intel’s Online Connect improves on a related technology Intel introduced in its 7th generation Core chips, known as Software Guard Extensions, or SGX. SGX is essentially a protected area within the chip for storing encryption keys. But only two services announced support for SGX: Dropbox and Duo Security, which announced proofs-of-concept earlier this year.

Lenovo is the first PC maker to announce support for Intel Online Connect in both some of its older as well as its more recent PCs. On Tuesday, Lenovo announced Intel Online Connect support for the Yoga 920, IdeaPad 720S, ThinkPad X1 Tablet (2nd generation), ThinkPad X1 Carbon (5th generation), ThinkPad Yoga 370, ThinkPad T570, ThinkPad P51s, ThinkPad T470s, ThinkPad X270 and ThinkPad X270s. Intel Online Connect can be either downloaded from the Web directly, or will be made available via Lenovo System Update and Lenovo App Explorer on all supported Lenovo devices, the company said.

Breaking into your PC is bad enough – that’s why there’s Windows Hello, user PINs, and Windows passwords. With Web services accessible from just about anywhere, however, there’s a need for a second layer of security to differentiate you from the bad guys. Two-factor authentication helps secure those online transactions; U2F promises to make them less of a hassle.

Once the 8th generation Core chips ship, Dashlane will immediately be able to take advantage of the built-in technology and use U2F as an additional form of authentication, Allison Baker, the strategic partnerships manager for Dashlane, said. She confirmed that U2F will work with 8th-gen Core chips for consumers, and doesn’t require Intel’s vPro technology for businesses.

“You don’t need a phone or anything else,” besides a compatible Intel-based PC, Baker said.

The FIDO Alliance developed U2F as an open authentication standard, designed to help simplify two-factor authentication. For the purposes of registering with an online service like Dashlane, two “keys” are created: a public one, which is registered with the service itself, as well as a private one, which is stored within the Core chip on the client PC.

According to Dashlane’s Baker, the client’s private key signs an assertion that the service can verify as coming from the client PC. But the signature is only released after the user verifies his presence by clicking a button on the screen, displayed by Intel’s Online Connect middleware. Intel’s been busy working on PC security solutions for years; last year, Intel showed off its Authenticate technology, combining fingerprints, PIN, paired phones, and more.

According to Dashlane, authenticating requires entering your password. Intel’s Online Connect will then find the security key. Sending it on its way requires clicking on a button that appears randomly within a separate window, within 15 seconds. That window uses what’s called Intel Protected Transaction Display technology, which actually generates the screen from within the Intel chip itself. The user sees the button; according to Intel, any man-in-the-middle attacker would merely see a blank, black box with no indication of where to click.

It appears, though, that U2F places more of an emphasis on the first line of security used to defend your PC: Windows Hello, a PIN, or a password. If an attacker were able to guess your PIN while you left your eighth-generation PC alone to buy a cup of coffee, they’d still need to know your Dashlane master password to log in. But with traditional two-factor, phone-based authentication, a service like Dashlane would also buzz your phone – which you might have in your pocket, alerting you that an attack was in progress.

In any event, though, services like Dashlane appear to be preparing to take advantage of the U2F capabilities built into Intel’s Core chips. Passwords used to be sufficient, but complex, hard-to-guess passwords can be a pain to use repeatedly. The challenge is to offer security without imposing too much of a burden on the user, and Intel and its partners appear to be zeroing in on quick, convenient security methods.

IDG News Service

WannaCry/Wcry Ransomware: How to Defend against It

 

An unprecedented wave of ransomware infections is hitting organizations in all industries around the world. The culprit: the WannaCry/WCry ransomware (detected by Trend Micro as RANSOM_WANA.A and RANSOM_WCRY.I).

What happened?

Several firms in Europe were the first to report having their mission-critical Windows systems locked, showing a ransom note. This quickly developed into one of the most widespread ransomware outbreaks currently affecting a large number of organizations around the world. Some affected organizations had to take their IT infrastructure offline, with victims in the healthcare industry experiencing delayed operations and forced to turn away patients until processes could be re-established.

 

Figure 1: One of WannaCry’s ransom notes

Who is affected?

This variant of the WannaCry ransomware attacks older Windows-based systems, and is leaving a trail of significant damage in its wake. Based on Trend Micro’s initial telemetry, Europe has the highest detections for the WannaCry ransomware. The Middle East, Japan, and several countries in the Asia Pacific (APAC) region are showing substantial infection rates as well.

WannaCry’s infections were seen affecting various enterprises, including those in healthcare, manufacturing, energy (oil and gas), technology, food and beverage, education, media and communications, and government. Due to the widespread nature of this campaign, it does not appear to be targeting specific victims or industries.

 

What does WannaCry ransomware do?

WannaCry ransomware targets and encrypts 176 file types. Some of the file types WannaCry targets are database, multimedia and archive files, as well as Office documents. In its ransom note, which supports 27 languages, it initially demands US$300 worth of Bitcoins from its victims—an amount that increases incrementally after a certain time limit. The victim is also given a seven-day limit before the affected files are deleted—a commonly used fear-mongering tactic.

WannaCry leverages CVE-2017-0144, a vulnerability in Server Message Block, to infect systems. The security flaw is attacked using an exploit leaked by the Shadow Brokers group—the “EternalBlue” exploit, in particular. Microsoft’s Security Response Center (MSRC) Team addressed the vulnerability via MS17-010, released in March 2017.

What makes WannaCry’s impact pervasive is its capability to propagate. Its worm-like behavior allows WannaCry to spread across networks, infecting connected systems without user interaction. All it takes is for one user on a network to be infected to put the whole network at risk. WannaCry’s propagation capability is reminiscent of ransomware families like SAMSAM, HDDCryptor, and several variants of Cerber—all of which can infect systems and servers connected to the network.

 

What can you do?

WannaCry highlights the real-life impact of ransomware: crippled systems, disrupted operations, marred reputations, and the financial losses resulting from being unable to perform normal business functions—not to mention the cost of incident response and clean up.

Here are some of the solutions and best practices that organizations can adopt and implement to safeguard their systems from threats like WannaCry:

Figure: WCry infection chain

Source: www.trendmicro.com

How to Create and Remember Super-Secure Passwords

Passwords are the front line of defence in protecting the data on your computer. They keep your kids from hijacking your Twitter account, and keep cybercriminals from gaining access to your bank accounts.

The problem is that because we need so many passwords today, many of us take the easy way out. We use the same password for everything, or use very simple, easy-to-remember passwords. And that’s where we can get into trouble.

The risks of weak or multiple-use passwords

“Let’s say you fall for a phishing attack on Facebook,” explained Boston-based digital-security expert Beth Jones. “They can see your email address and try that same password there.

“If you have sensitive information in your email, such as bank statements or credit-card statements, then the attacker can try that password to access bank accounts or credit-card accounts as well,” Jones said.

“They would have several key pieces of [personal] information … so in theory they could try the ‘forgot username’ on other accounts, such as Twitter, or online games,” Jones said. “You can see how this snowballs quickly.”

Not only should you have a unique password for each site you log into online, but, as Gunter Ollmann, chief security officer at the Atlanta-based computer-security firm Vectra Networks, pointed out, you should also avoid recycling old passwords.

“Criminals — and unethical webmasters — often try to use the passwords that have been taken from one site and use them against other sites, especially if your email address is also known to them,” Ollmann explained.

“Each website or application you use should have a different password, and ideally you should not use a predictable algorithm for generating them,” he said. “For example, a bad practice is to use a password that contains the particular website’s name or address in it.”

How to create perfect passwords

So what makes a good, strong password?

“Password strength is measured by two characteristics — length and complexity,” said Josh Shaul, vice president of product management at Chicago-based security firm Trustwave and author of Practical Oracle Security: Your Unauthorized Guide to Relational Database Security. “In general, the longer the password, the more difficult it is to guess and the stronger it is.”

Password complexity, he added, means avoiding passwords that can be easily guessed.

“The easiest passwords to remember are simple words, places, dates or easy-to-type text strings,” Shaul said. “Favorite sports teams, cities, names, birthdays and even strings like ‘12345’ or ‘qwerty’ are very commonly used. These are all weak passwords.”

Most experts agree on the basics of creating strong passwords. Here are some tips from the San Diego-based Identity Theft Resource Center:

  • A password should contain at least 12 characters. (When we first wrote this story in 2011, the recommendation was eight characters, but password-cracking computers have become faster.)
  • The password should have at least three of the four following types of characters — upper-case letters (ABC), lower-case letters (abc), numerals (123), and punctuation marks or other special characters (!#$%&*_=+? ).
  • If you’re using only one capital letter or special character, don’t make it the first or last character in the password. That’s just too obvious.
  • Avoid common names, slang words or any words in the dictionary. Computers can run through entire dictionaries in a few minutes.
  • Don’t include any part of your name or any part of your email addresses.
  • Choose an especially strong password for websites that hold especially sensitive personal information — for example, social networks, online email or banks and online retailers that store your credit-card information.
  • Don’t ever refer to anything that can be learned from your social networking profiles or an Internet search. In other words, don’t make it your favorite band or movie, your pet’s name, your nickname, your phone number or, especially, your birth date.

Here’s a good way to create a strong password. Pick a phrase you’ll remember. Take the first letter of each word and run them together into a “word.” Capitalize some letters and substitute numerals where it would make sense to – but don’t make the substitutions too regular or obvious.

For example, the phrase “I hate to work late” could become “iH82wkl8.”

Or tweak that formula and don’t abbreviate all the words. “This little piggy went to market” might become “tlpWENT2m.”
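The Identity Theft Resource Center tips above can also be applied mechanically. The Python below is an added example, not code from the original article: the function names, the short COMMON list (a stand-in for a real dictionary) and the sample passwords other than the article's two are constructed for illustration.

```python
import re

# Constructed stand-in for a real dictionary or breached-password list;
# "12345" and "qwerty" are the weak strings the article itself names.
COMMON = {"12345", "qwerty", "password", "letmein"}

def char_classes(pw):
    """Report which of the four character types appear in pw."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }

def personal_tokens(name, email, extra=()):
    """Lowercase tokens (3+ chars) from the name, email local part and profile facts."""
    local = email.split("@")[0]
    raw = re.split(r"[\W_]+", f"{name} {local} {' '.join(extra)}")
    return {t.lower() for t in raw if len(t) >= 3}

def check_password(pw, name="", email="", extra=()):
    """Return the tips pw violates; an empty list means every check passed."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if sum(char_classes(pw).values()) < 3:
        problems.append("fewer than three character types")
    # A lone capital or special character at either end is the obvious placement.
    uppers = [i for i, c in enumerate(pw) if c.isupper()]
    specials = [i for i, c in enumerate(pw) if not c.isalnum()]
    for label, idx in (("capital letter", uppers), ("special character", specials)):
        if len(idx) == 1 and idx[0] in (0, len(pw) - 1):
            problems.append(f"only {label} is first or last")
    low = pw.lower()
    if any(w in low for w in COMMON):
        problems.append("contains a common string")
    if any(t in low for t in personal_tokens(name, email, extra)):
        problems.append("contains personal information")
    return problems

if __name__ == "__main__":
    # The two mnemonic passwords from the article, plus constructed samples.
    for pw in ("iH82wkl8", "tlpWENT2m", "Qwerty12345!", "mv7Rk#tq2Lx9wb"):
        print(pw, "->", check_password(pw) or "passes")
```

Run on the article's two mnemonic examples, the checker reports both as shorter than the 12-character minimum in the first tip, so a longer phrase is needed when using that technique.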

Not sure, even after following those tips, whether your password is strong enough? Go to one of the many websites that will check it for you.

Can’t think of a good password? There are also websites that generate them.

Should you write them down?

So if we need a unique, strong password for nearly everything we do online — check multiple email accounts, use Facebook and Twitter, make comments on CNN, buy something from Amazon — how can we remember them all? Is it okay to write them down somewhere?

Several years ago, the conventional wisdom was to never write down passwords — but that was when most of us only had a few to remember. Some experts have since changed their minds.

“With today’s threat landscape being dominated by password-stealing malware, physically writing down your passwords is becoming more acceptable,” Ollmann said.

“The probability of someone breaking into your house and stealing your written-down passwords is considerably more remote than the 1-in-3 to 1-in-4 probability that your computer will fall to a criminal’s malware,” he said.

Jones sticks to the old advice — don’t write them down.

“This is really not a great idea, particularly for work,” Jones said. “Physical security is just as important as online security.

“Anyone walking by could see the sticky note next to your machine and then break into your accounts (especially if you use the same password for everything),” she added. “The risk is even greater if, as a user, you log into more than one location and have your password written at all those locations.”

Web browsers often ask if they can remember your password for you. Is that safer than writing down your password?

“For some passwords, it may be okay to let the browser remember your password on your personal laptop or home PC,” said Chris Burchett, an executive director at Dell.

“In general, if the information on the website that requires your password is what you consider to be public, then it may be okay to let the browser remember the password,” Burchett said. “But be careful. Never let the browser remember passwords to banking websites or other sites where private personal identity information is used or available.”

“Also be careful when using a public-kiosk computer like the ones at the airport. Never let browsers on computers you don’t own store passwords,” Burchett added. “In fact, it would be best not to log into any website requiring a password from a computer you don’t own.”

Password-management software

Instead, the experts suggest using third-party password-management software, which stores all your passwords in one place and protects them with one very strong master password — the only one you’ll have to remember.

“Managing passwords is a challenge because there are so many online accounts requiring passwords these days,” Burchett said. “Using a password manager to securely generate, store, rotate and supply passwords on demand may be worth considering as long as you remember to make the master password strong enough.”


There are dozens of password managers, both free and inexpensive (none cost more than $30). Some of the better-known ones include Web Confidential, LastPass, KeePass and its Mac/Linux sibling KeePassX. Some run on PCs, others on smartphones, while some are browser plug-ins.

Now that you’ve read all this, do yourself a favor this weekend. Go through all your online accounts and use these tips to create strong, unique passwords for each one, and then use a password manager to remember them all.

Source: http://www.tomsguide.com

Ransomware – How to prevent being a victim

How to prevent being a victim

Ransomware is a particularly sophisticated type of malware, and while knowledgeable professionals might know how to disable it, users can curb the problem by following routine security measures. It’s important to remember that in some cases, recovery without paying the ransom might not be possible, and this is when it becomes necessary to resort to file backups.

Here are a few simple tips on how you can secure yourself from likely attacks:

  • Back up your files regularly – the 3-2-1 rule applies here: three backup copies of your data on two different media and one of those copies in a separate location.
  • Bookmark your favorite websites and access them only via bookmarks – attackers can easily slip malicious code into URLs, directing unwitting users to a malicious site where ransomware could be downloaded. Bookmarking frequently visited, trusted websites will prevent you from typing in the wrong address.
  • Verify email sources – while this practice could be tricky, it always pays to be extra careful before opening any link or email attachment. To be sure, verify with your contacts prior to clicking.
  • Update security software – employing security software adds an extra layer of protection from all possible points of infection. Specifically, it prevents access to malicious websites hosting ransomware variants. More importantly, it detects and deletes ransomware variants found in the system.

For screens that have been locked by ransomware, the Trend Micro AntiRansomware Tool 3.0 can be used to resolve the infection from a USB drive.

 


Windows Update stuck downloading updates

If you find that your Windows Update is stuck downloading updates at 0 % or any other figure in Windows 10


This is what helped me and I am sure that it could help you too.

From the WinX Menu, open Command Prompt (Admin). Type the following one after the other and hit Enter:

net stop wuauserv

net stop bits

This will stop the Windows Update-related services.

Next, browse to the C:\Windows\SoftwareDistribution folder and delete all the files and folders inside. Press Ctrl+A to Select All and then Delete.

If the files are in use, and you are unable to delete some files, restart your device. After rebooting, run the above commands again. Now you will be able to delete the files from the mentioned Software Distribution folder.

After you have emptied this folder, you may restart your computer or you may type the following commands one at a time in the CMD, and hit Enter to restart the Windows Update related Services.

net start wuauserv

net start bits

Run Windows Update again and see.


You will be able to download and install the updates successfully. Once done, you will see that a restart has also been scheduled.


I suggest you restart immediately to complete the process.
