Phishing Attacks: Real-World Examples and How to Protect Yourself

At Connect4 Consulting, we’ve seen phishing attacks evolve from obvious Nigerian prince scams to sophisticated deceptions that can fool even the most tech-savvy professionals.

Phishing attacks work because they exploit human nature – our trust, our curiosity, our desire to help. The best defense is a combination of skepticism, knowledge, and good security habits.

Let’s break down the most common types of attacks we’re seeing today and show you how to protect your business.

The Classic Email Phish: Still Swimming Strong

Remember when even Google and Facebook were taken in by an email scam? Between 2013 and 2015 a single fraudster posing as a hardware supplier invoiced both companies for more than $100 million, and both paid. That’s right – if it can happen to them, it can happen to anyone. Today’s email phishing attempts are increasingly sophisticated, using look-alike domains, spoofed display names and social engineering to appear legitimate.

Spear Phishing: When Attackers Take Aim

Think of spear phishing as the sniper rifle of cyber attacks. Instead of casting a wide net, attackers research a handful of targets – their role, their vendors, their colleagues, the tone of their internal email – and craft a message that appears to come from someone the target already trusts. A well-built spear phish has none of the tell-tale signs of a mass mailing: the sender looks right, the request is plausible, and the timing fits.

The Colonial Pipeline Attack: A Case Study

The May 2021 Colonial Pipeline incident is often cited as a spear phishing case, but the public record does not support that. According to the incident response firm that investigated, the DarkSide ransomware operators got in through a legacy VPN account that was no longer in active use and was not protected by multi-factor authentication. The account’s password had turned up in a batch of leaked credentials, which suggests it had been reused on another service. No phishing email has been publicly identified as the entry point. The lesson is the same one spear phishing teaches, only cheaper for the attacker: one trusted-looking credential was enough.

Key Elements of the Attack:

  1. Credential Reuse: A password leaked elsewhere still worked on the company’s remote-access service.
  2. No Second Factor: Because the VPN account did not require MFA, the password alone was sufficient to get inside.
  3. Forgotten Accounts: The account was dormant but still enabled, so nobody noticed it being used.
  4. Consequences: Once inside, the attackers deployed ransomware. Colonial shut down the pipeline as a precaution, disrupting fuel supply across the Eastern United States for several days.

Spear phishing remains a dangerous and well-targeted threat, and Colonial Pipeline shows where it leads once an attacker holds a working credential, whether that credential came from a convincing email or from a password dump. Organizations need both halves of the defense: employee training and awareness programs to blunt the email itself, and MFA plus account hygiene so that a single stolen password is never enough on its own.

Smishing: When Texts Turn Toxic

That “urgent” text about your package delivery? It is likely a trap. We’ve seen a surge in SMS-based phishing (smishing) attacks, with criminals impersonating everything from delivery services to banks. The USPS impersonation campaign was particularly clever, using our natural curiosity about packages to steal account credentials and payment details.

How Smishing Works

  1. Deceptive Messages: Attackers craft messages that mimic legitimate communications. For example, a message may claim that there is an issue with your bank account and urge you to verify your information immediately.
  2. Malicious Links: The text often includes a link that directs users to a fake website designed to look like a legitimate one. Once on this site, users may be prompted to enter sensitive information.
  3. Data Harvesting: If the victim falls for the scam and provides their information, the attacker can use it for identity theft, financial fraud, or sell it on the dark web.

Recognizing Smishing Attempts

To protect yourself from smishing, it’s essential to recognize the signs of a potential attack:

  • Unexpected Messages: Be cautious of unsolicited messages, especially those that ask for personal information or prompt you to click on links.

  • Urgency and Threats: Smishing messages often create a sense of urgency, claiming that immediate action is required to avoid negative consequences.

  • Poor Grammar and Spelling: Many smishing attempts contain grammatical errors or awkward phrasing, which can be a red flag. The reverse is not true: a flawlessly written message is not evidence of legitimacy, and the better campaigns copy the real sender’s templates word for word.

How to Protect Yourself from Smishing

  1. Do Not Click Links: Avoid clicking on links in unsolicited text messages. Instead, visit the official website of the organization directly by typing the URL into your browser.
  2. Verify the Source: If you receive a suspicious message, contact the organization directly using a known phone number or email address to verify its legitimacy.
  3. Report Smishing Attempts: If you receive a smishing message, report it to your mobile carrier and the relevant authorities. In the US, you can forward the message to 7726 (SPAM).
  4. Use Security Software: Consider using mobile security applications that can help detect and block potential smishing attempts.

Smishing is a growing threat in the realm of cybercrime, leveraging the convenience of mobile communication to exploit unsuspecting individuals. By understanding what smishing is, recognizing its signs, and taking proactive measures to protect yourself, you can reduce the risk of falling victim to these deceptive attacks. Stay informed and vigilant to safeguard your personal information in an increasingly digital world.

Vishing: The Voice You Can’t Trust

Phone scams have gone high-tech. Modern vishing attacks use sophisticated social engineering and often spoof legitimate phone numbers. We’ve seen cases where attackers pose as bank security teams, complete with background call center noise and professional scripts.

Common Techniques Used in Vishing

  1. Caller ID Spoofing: Caller ID is not authenticated, so attackers can make a call appear to come from your bank’s real number. A familiar number on the display proves nothing; it only makes the victim more likely to answer and engage with the scammer.
  2. Urgency and Fear Tactics: Vishing attacks often create a sense of urgency or fear. For example, the caller may claim that there is a problem with the victim’s bank account that requires immediate attention, prompting the victim to act quickly without thinking.
  3. Pretexting: Attackers may create a fabricated scenario or pretext to justify their request for information. For instance, they might pose as a bank representative conducting a security check and ask for personal details to “verify” the victim’s identity.
  4. Social Engineering: Vishing relies heavily on social engineering techniques, where attackers exploit human psychology to manipulate victims. They may build rapport or use flattery to gain the victim’s trust before asking for sensitive information.

How to Protect Yourself from Vishing

  1. Be Skeptical: Always be cautious when receiving unsolicited calls, especially if the caller requests personal information. Verify the caller’s identity by hanging up and calling back on the number printed on your card or statement – never a number the caller gives you.
  2. Do Not Share Personal Information: Never provide sensitive information over the phone unless you are certain of the caller’s identity. A genuine bank will never ask you to read back a one-time passcode, your full password or PIN, or to move money to a “safe account”.
  3. Use Call Blocking Features: Many smartphones and telecom providers offer call blocking features that can help reduce the number of unwanted calls you receive.
  4. Report Suspicious Calls: If you receive a suspicious call, report it to your local authorities or the relevant consumer protection agency. This can help raise awareness and potentially prevent others from falling victim to similar scams.

Vishing is a growing threat in the realm of cybersecurity, leveraging voice communication to deceive individuals into divulging sensitive information. By understanding the tactics used by attackers and implementing protective measures, you can significantly reduce your risk of becoming a victim of vishing. Stay informed and vigilant to safeguard your personal information against these types of scams.

Social Media: The New Phishing Ground

Platforms like Twitter have become hunting grounds for phishers. Remember the fake Domino’s Pizza accounts offering refunds? That’s just the tip of the iceberg. Social media phishing thrives on our trust in branded accounts and our desire for deals.

Techniques Used in Social Media Phishing

  1. Impersonation: Attackers often create fake profiles that mimic legitimate users or organizations. These profiles may use similar names, photos, and information to gain the trust of potential victims.
  2. Malicious Links: Phishing messages frequently contain links that lead to fraudulent websites designed to steal personal information. These links may be disguised as legitimate URLs, making them difficult to identify.
  3. Social Engineering: Cybercriminals exploit social dynamics by crafting messages that appeal to emotions or urgency. For example, they may pose as a friend in distress or a company offering a limited-time promotion.
  4. Direct Messaging: Phishing attempts can occur through direct messages on social media platforms. Attackers may send unsolicited messages that prompt users to click on links or provide sensitive information.
  5. Fake Contests and Giveaways: Scammers often create fake contests or giveaways that require users to provide personal information to enter. These schemes can lure users into sharing sensitive data.

Implications for Users and Organizations

The use of social media for phishing poses significant risks, including:

  • Data Breaches: Successful phishing attacks can lead to unauthorized access to personal and organizational data, resulting in data breaches and financial losses.

  • Reputation Damage: Organizations that fall victim to phishing attacks may suffer reputational harm, leading to a loss of customer trust and loyalty.

  • Increased Security Costs: Organizations may need to invest in enhanced security measures and employee training to combat phishing threats, incurring additional costs.

As social media continues to grow in popularity, so too does the risk of phishing attacks. Users and organizations must remain vigilant and educate themselves about the tactics employed by cybercriminals. By fostering a culture of awareness and implementing robust security practices, individuals can protect themselves from the dangers of social media phishing.

HTTPS Doesn’t Mean “Totally Safe”

Here’s something that surprises many of our clients: that little padlock icon doesn’t guarantee a safe site. The Scarlet Widow group proved this by creating convincing HTTPS-enabled fake sites, and they are far from alone: certificates are free and issued automatically within minutes, so most phishing sites now carry one. Remember: HTTPS only means your connection to that server is encrypted and that whoever runs it controls the domain name in the address bar – not that the site is legitimate.

Limitations of HTTPS

  • Not a Complete Security Solution

HTTPS only secures the data in transit. It does not protect against vulnerabilities on the server side or in the application itself. If a website has poor security practices, such as outdated software or weak passwords, HTTPS cannot prevent data breaches.

  • Phishing Attacks

Cybercriminals can create fraudulent websites that use HTTPS to appear legitimate. Users may mistakenly trust these sites, believing that the presence of HTTPS means they are safe. This can lead to phishing attacks where sensitive information is stolen.

  • Malware and Exploits

HTTPS does not protect users from malware or exploits that can occur after they have accessed a secure site. If a user downloads malicious software from a secure site, their device can still be compromised.

  • Certificate Authorities

HTTPS relies on Certificate Authorities (CAs) to issue TLS certificates, and a compromised or careless CA can issue one to the wrong party. Attackers rarely need that, though: a domain-validated certificate only proves that the requester controls the domain name shown in the address bar, and CAs issue them automatically and for free. A phisher who registers a look-alike domain such as “paypal.secure.com” gets a perfectly valid certificate for it. The padlock confirms which domain you are talking to; whether that domain is the one you meant is still your job.

  • User Behavior

Even with HTTPS, user behavior plays a significant role in security. For example, if users reuse passwords across multiple sites or fail to recognize suspicious links, they can still fall victim to attacks.

While HTTPS is an essential aspect of online security, it is not a foolproof solution. Users must remain vigilant and adopt a multi-layered approach to security that includes strong passwords, regular software updates, and awareness of phishing tactics. Understanding the limitations of HTTPS is crucial for navigating the digital landscape safely.

Phishing Protection Toolkit

Here is what we recommend:

  • Trust But Verify: Urgent request from your CEO? Pick up the phone and confirm.
  • Check Those Details: Look closely at sender addresses and links, and read the domain from the right – “paypal.secure.com” is a subdomain of secure.com, whoever that is, not of “paypal.com”. A friendly display name proves nothing; check the address behind it.
  • Guard Those Links: Hover before you click. Better yet, manually type known URLs.
  • Enable MFA: Yes, it takes an extra few seconds. No, that’s not too much time to protect your accounts.
  • Stay Updated: Both your software and your knowledge need regular updates.
  • Train Your Team: Security awareness isn’t a one-time thing – it’s an ongoing process.
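
Here is the “Check Those Details” and “Guard Those Links” advice written as a check you can run on a pasted link or sender address. It is an added example, not code from the original article or from Connect4: the trusted-domain list, the short public-suffix set and the confusable-character table are small constructed samples (a real tool would load the Public Suffix List and the full Unicode confusables data), and the brand-name test at the end is a heuristic.

```python
"""Sender and link check: pull the registrable domain out of a URL or e-mail
address and compare it with the brand you think you are dealing with."""
import unicodedata
from typing import Tuple
from urllib.parse import urlsplit

# Brands we expect to deal with, keyed by the one domain we trust for each.
# Constructed for this example; load a vetted list in real use.
TRUSTED_DOMAINS = {
    "paypal.com": "paypal",
    "usps.com": "usps",
    "google.com": "google",
}

# Two-label public suffixes so that "mybank.co.uk" counts as one domain.
# Hypothetical short list; production code should use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Non-Latin letters that render like ASCII ones (a small sample of Unicode's
# confusables table, enough to catch the classic Cyrillic "pаypal").
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y",
    "\u0445": "x", "\u0131": "i", "\u0261": "g",
}


def split_target(target: str) -> Tuple[str, bool]:
    """Return (host, credentials_in_url) for a URL or a bare e-mail address."""
    target = target.strip()
    if "@" in target and "://" not in target and "/" not in target:
        # bare e-mail address: the domain is everything after the last '@'
        return target.rsplit("@", 1)[1].lower().rstrip("."), False
    if "://" not in target:
        target = "http://" + target
    parts = urlsplit(target)
    # urlsplit() already sees through the userinfo trick: in
    # "https://paypal.com@evil.example/" the host is evil.example.
    return (parts.hostname or "").rstrip("."), parts.username is not None


def registrable_domain(host: str) -> str:
    """Collapse a host to the part somebody actually registered:
    mail.paypal.com -> paypal.com, paypal.secure.com -> secure.com."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def ascii_skeleton(domain: str) -> str:
    """Map look-alike letters to ASCII so Cyrillic 'pаypal' compares equal to
    'paypal' (the idea behind the Unicode confusables 'skeleton')."""
    return "".join(CONFUSABLES.get(ch, ch)
                   for ch in unicodedata.normalize("NFKC", domain))


def classify(target: str) -> dict:
    """Classify a URL or sender address as trusted, lookalike or unknown."""
    host, creds_in_url = split_target(target)
    domain = registrable_domain(host)
    result = {"host": host, "domain": domain}

    if creds_in_url:
        result.update(verdict="lookalike",
                      reason=f"text before '@' is a username; the real site is {domain}")
    elif domain in TRUSTED_DOMAINS:
        result.update(verdict="trusted", reason="registrable domain is on the trusted list")
    elif ascii_skeleton(domain) != domain and ascii_skeleton(domain) in TRUSTED_DOMAINS:
        try:
            shown = domain.encode("idna").decode("ascii")  # what the address bar really shows
        except UnicodeError:
            shown = domain
        result.update(verdict="lookalike",
                      reason=f"homoglyph of {ascii_skeleton(domain)} (really {shown})")
    else:
        # Heuristic: a trusted brand's name inside a host we do not trust.
        squashed = host.replace("-", "").replace("_", "")
        result.update(verdict="unknown", reason="not on the trusted list; verify out of band")
        for trusted, brand in TRUSTED_DOMAINS.items():
            if brand in squashed:
                result.update(verdict="lookalike",
                              reason=f"uses the {brand} name but is registered as {domain}, not {trusted}")
                break
    return result
```

Paste the href behind a link, not the text you see; the text can say anything. A “trusted” verdict means only that the registrable domain matches your list, which is exactly what an HTTPS certificate vouches for and nothing more. The brand-name heuristic will also flag legitimate third parties that mention a brand in their host name, which is the right side to err on.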

Conclusion

Remember: if something feels off, it probably is. Take the extra minute to verify before you click, share, or respond. That minute could save your business from becoming another phishing statistic.

Protecting Your Business: Cybersecurity Essentials You Can’t Ignore

At Connect4 Consulting, we’ve seen too many small businesses learn about cybersecurity the hard way. Let’s be clear: cyberattacks aren’t just a big business problem anymore. Small businesses are increasingly becoming targets, often because attackers see them as easier marks. But here’s the good news: you can significantly reduce your risk with some fundamental security measures.

Know Your Enemy: Common Cybersecurity Threats

First, let’s talk about what you’re up against. These are the threats we most commonly see targeting small businesses:

  1. Phishing Attacks: Those deceptive emails and text messages that look legitimate but aim to steal your information. We’ve seen sophisticated attacks that could fool even tech-savvy users.
  2. Malware: Malicious software of any kind – viruses, trojans, spyware, keyloggers. One wrong click can compromise a machine, and from there the rest of your network.
  3. Ransomware: This is particularly nasty – it locks up your data and demands payment. We’ve helped businesses recover from ransomware attacks, and trust us, prevention is much better than cure.
  4. Data Breaches: Your customer data is gold to cybercriminals. Once it’s stolen, the damage to your reputation can be irreparable.
  5. Insider Threats: Sometimes the risk comes from within – whether intentional or accidental.

Your Security Foundation: Essential Steps

Let’s get practical. Here are the fundamental security measures we recommend to all our clients:

Strong Passwords and Multi-Factor Authentication: Your First Line of Defense

Make complex passwords mandatory and enable multi-factor authentication everywhere you can. Yes, it takes an extra few seconds to log in, but those seconds could save your business.

Update Everything

Think of software updates like maintenance for your car – skip them at your peril. Set up automatic updates wherever possible, and make regular updates part of your routine.

Antivirus: Your Digital Security Guard

Install reputable antivirus software on every device and keep it updated. This isn’t optional anymore – it’s as essential as having locks on your doors.

Network Security

Your network needs a good firewall and encrypted Wi-Fi. If you’re still using the default password on your router, change it right now. We mean it – right now.

Your Backup Strategy is Your Safety Net

Follow the 3-2-1 rule: keep 3 copies of your data, on 2 different types of media, with 1 copy stored offsite. Make sure at least one copy is offline or otherwise unreachable from your network – modern ransomware deliberately hunts for and encrypts connected backups before it announces itself. Test your backups regularly by actually restoring them – a backup you can’t restore is just a false sense of security.
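
An added example of the restore test the paragraph above asks for, not a script from the original article: back up a directory to a tarball, record a SHA-256 manifest, then prove the archive restores by extracting it into scratch space and comparing every file. The sample tree it builds in demo() is constructed for the demonstration; point make_backup and verify_restore at real paths in practice.

```python
"""Restore test for the 3-2-1 rule: a backup only counts once you have proven
it comes back bit-for-bit."""
import hashlib
import os
import tarfile
import tempfile
import zlib
from typing import Dict, List


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def make_backup(src_dir: str, archive_path: str) -> Dict[str, str]:
    """Write a gzip tarball of every file under src_dir and return the manifest.
    Keep the manifest on a different medium than the archive, so a tampered or
    bit-rotted archive cannot also rewrite its own checksums.
    (Files only: empty directories are not preserved by this routine.)"""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(os.path.join(src_dir, rel), arcname=rel, recursive=False)
    return manifest


def _is_safe_member(member: tarfile.TarInfo) -> bool:
    """Refuse absolute paths, '..' escapes and links, so a tampered archive
    cannot write outside the restore directory."""
    name = os.path.normpath(member.name)
    return not (os.path.isabs(name) or name.startswith("..")
                or member.issym() or member.islnk())


def verify_restore(archive_path: str, manifest: Dict[str, str]) -> List[str]:
    """Restore into a scratch directory and compare every file with the
    manifest. Returns the list of problems; an empty list means the backup
    is good."""
    problems = []
    # Newer Pythons can apply their own 'data' filter on top of our check.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                for member in tar.getmembers():
                    if not _is_safe_member(member):
                        problems.append(f"unsafe entry in archive: {member.name}")
                        continue
                    tar.extract(member, scratch, **extract_opts)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(scratch)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content differs after restore: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file after restore: {rel}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Run the cycle on a constructed sample tree (not real site data):
    a clean restore, a manifest mismatch, and a corrupted archive."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "site")
        os.makedirs(os.path.join(src, "uploads"))
        with open(os.path.join(src, "wp-config.php"), "w") as f:
            f.write("<?php define('DB_NAME', 'example'); // constructed sample\n")
        with open(os.path.join(src, "uploads", "logo.bin"), "wb") as f:
            f.write(os.urandom(4096))
        archive = os.path.join(work, "site.tar.gz")
        manifest = make_backup(src, archive)
        results = {"clean": verify_restore(archive, manifest)}
        tampered = dict(manifest)
        tampered["wp-config.php"] = "0" * 64   # pretend the file changed
        results["wrong_hash"] = verify_restore(archive, tampered)
        with open(archive, "wb") as f:
            f.write(b"definitely not a tarball")   # simulate a corrupt backup
        results["corrupt_archive"] = verify_restore(archive, manifest)
    return results
```

Keep the manifest with your offsite copy rather than next to the archive, and run the verify step on a schedule, ideally on a different machine than the one that made the backup, so that a failing disk or a ransomware-encrypted share shows up as a failed restore rather than as a surprise on the day you need it.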

Your Secret Weapon: Employee Training

Here’s something we’ve learned from years of experience: your employees can be either your biggest security weakness or your strongest defense. Regular training is crucial. Focus on:

  • Spotting phishing attempts (they’re getting cleverer by the day)
  • Safe browsing habits
  • Proper data handling
  • Password best practices
  • How to report security concerns

When Things Go Wrong: Recovery Planning

Even with the best precautions, you need a plan for worst-case scenarios. Develop and regularly test:

  • A detailed disaster recovery plan
  • Clear steps for breach response
  • Communication protocols
  • Backup restoration procedures

Moving Forward

Cybersecurity isn’t a one-and-done task – it’s an ongoing process. Start with the basics we’ve outlined here, then build on that foundation. Remember: the cost of preventing a cyber attack is always less than recovering from one.

Take action today. Review your current security measures against this list. Where are the gaps? What needs immediate attention? Your business’s future could depend on the steps you take right now.


Looking to strengthen your cybersecurity? These guidelines will help get you started. Keep checking back for more insights on protecting your business.

What to do if your website home page now says ‘The Site Ahead Contains Malware’

If you get to a website and you see the warning “Site Ahead Contains Malware”, you need to act fast.

If it’s not your site, you need to turn around because there could be malware on the website you are trying to access.

If the site ahead happens to be your own site, you need to act fast to fix the situation. This message indicates that your website is either infected with malware and/or has been hacked. Google crawls websites regularly to add new or updated content to the search index, and the same crawlers look for malware and unwanted software. Sites they flag go onto Google’s Safe Browsing list, which is what Chrome, Firefox and Safari consult before displaying this warning.

Once your site is flagged, the warning is shown to every visitor to protect them from the site. This has detrimental effects on SEO, site traffic, and your credibility. It can also lead to your web host suspending your hosting account.

Why did your WordPress website get hacked?

Websites get hacked for the following reasons:

  • economic gain
  • drive-by downloads – malware injections
  • black hat SEO
  • system resources
  • hacktivism

How did your WordPress website get hacked?

Malware can infect your site in a number of ways:

  1. Plugins and Themes – An infection could have come through the plugins or themes installed on your website. This can happen for several different reasons – a) old plugins without recent updates are prone to vulnerabilities, and a known vulnerability in a popular plugin gets exploited across thousands of sites within days; b) pirated (“nulled”) premium plugins and themes are free but often ship with a backdoor already inside; c) you may have installed a plugin from an untrusted source.
  2. Your Computer Might Have Malware – Malware on your own PC can steal the FTP, SFTP or WordPress admin credentials saved in your browser or FTP client. The attacker then logs in as you and uploads whatever they like.
  3. Brute-force attacks by hackers – Hackers can use a brute-force attack to guess your username and password and break into your website. Weak passwords and an admin account literally named “admin” make this quick, and any password you also used on another site that was breached will be tried first.

What do you do if your site now says “The Site Ahead Contains Malware”?

It’s important that you act fast. You will have to remove the malware from the website and then submit your website to Google for review. Google’s safe browsing policies that you need to follow before you submit your site for review are:

  • You need to log into Google Search Console and prove you are the owner of your website.
  • You need to make sure that your website is clean and free of any malware infections or backdoors – not just the obviously infected files, but also PHP files planted under wp-content/uploads, rewrite rules added to .htaccess, administrator accounts you didn’t create, and code injected into the database (posts, widgets and options). Miss one backdoor and the attacker is back within days.
  • You need to fix the vulnerability that led to the hack. We recommend installing the premium version of Wordfence.
  • If your host has suspended you for malware, you need to contact them and request they remove the suspension. Your website needs to be back online prior to submitting it to Google for review.
  • Call Connect4 Consulting at 202-236-2968 so we can help you with these steps.
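
An added example, not code from the original article or from Wordfence, of the first pass a practitioner makes when cleaning a flagged site: walk the WordPress tree and flag PHP files that show the usual signs of an injected backdoor. The indicator patterns are a constructed starting set and the sample files built in demo() are made up for the demonstration; expect to review every hit by hand.

```python
"""Triage scan for an infected WordPress install: flags PHP files carrying the
obfuscation and remote-execution idioms typical of planted backdoors."""
import os
import re
import tempfile
from typing import Dict, List

# (reason, regex) pairs built from well-known webshell idioms; extend for your
# own codebase and expect to review the hits by hand.
INDICATORS = [
    ("eval() on decoded data",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("shell command from request input",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("request input called as a function",
     re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(")),
    ("preg_replace with the /e (eval) modifier",
     re.compile(r"""preg_replace\s*\(\s*(['"])([^\w\s\\'"])(?:(?!\2).)*\2[a-zA-Z]*e[a-zA-Z]*\1""", re.I)),
    ("assert() used as eval", re.compile(r"\bassert\s*\(\s*\$")),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".inc")


def scan_file(path: str, uploads_dir: str) -> List[str]:
    """Return the reasons a file looks suspicious (empty list if none)."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        code = f.read()
    reasons = [reason for reason, rx in INDICATORS if rx.search(code)]
    # PHP has no business under wp-content/uploads; anything there was planted
    # (or came in through a hole in an upload handler).
    if os.path.commonpath([os.path.abspath(path), uploads_dir]) == uploads_dir:
        reasons.append("PHP file inside the uploads directory")
    # Injected code is often appended to a legitimate file as one huge line.
    if any(len(line) > 1000 for line in code.splitlines()):
        reasons.append("single line longer than 1000 characters")
    return reasons


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Scan every PHP file under a WordPress root; keys are site-relative paths."""
    uploads_dir = os.path.abspath(os.path.join(root, "wp-content", "uploads"))
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(PHP_EXTENSIONS):
                path = os.path.join(dirpath, name)
                reasons = scan_file(path, uploads_dir)
                if reasons:
                    findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings


def demo() -> Dict[str, List[str]]:
    """Build a small constructed tree (not a real site) with one clean plugin
    and two planted files, then scan it."""
    samples = {
        "wp-content/plugins/example/example.php":
            "<?php\nadd_action('init', 'example_init');\n"
            "function example_init() { return preg_replace('/\\s+/', ' ', 'a  b'); }\n",
        "wp-content/uploads/2020/01/wp-cache.php":
            "<?php if (isset($_REQUEST['c'])) { system($_REQUEST['c']); } ?>\n",
        "wp-content/themes/example/functions.php":
            "<?php\nfunction example_setup() { add_theme_support('title-tag'); }\n"
            "eval(base64_decode('" + "QUJDRA" * 60 + "'));\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, code in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(code)
        return scan_tree(root)
```

Run scan_tree on a copy of the site, compare the hits against pristine copies of WordPress core and your plugins (the official downloads are the reference), and treat a clean scan as necessary but not sufficient: a backdoor can also live in the database or in a legitimate-looking plugin file with a single extra line.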

How do you prevent “The Site Ahead Contains Malware” from happening again in the future?

If you’ve ever had the misfortune of finding yourself in this situation, it is imperative that you do everything possible to prevent it from happening again. To do that, implement the following procedures:

  • Make sure someone is actively managing the hosting of your website. That means all plugins, themes and WordPress core are updated as soon as updates are available. You can’t just rely on hosting alone.
  • Install Wordfence or Wordfence Premium to protect your website.
  • Update WordPress regularly.
  • Only use trusted themes and plugins – stay away from pirated (“nulled”) copies of paid plugins, and from any plugin or theme that hasn’t been updated in the last 3 months or more. Free plugins from the official WordPress.org directory are fine as long as they are maintained.
  • Remove inactive themes and plugins – the more elements you have on your website, the greater the opportunities a hacker has to break into your website. An inactive plugin can still be exploited; its code is still on the server.
  • Update website passwords, remove inactive users, limit login attempts, enable two-factor authentication for admin accounts, and install a TLS certificate so the site runs over HTTPS.

How to Stop Comment and Contact Form Spam

Comment and contact form spam is a total waste of time, and there are few things more annoying than wading through junk submissions to find the handful of real messages.

And if you don’t take the time to clean up all of the spam submissions (and figure out a way to ultimately stop them) you run the serious risk of damaging your brand’s reputation if these spammy messages ever appear on the frontend of your website.

As a website designer and developer you can rest assured because I can help.

There are ways to combat comment and contact form spam and make your life a little easier. I’m sure we all have things we’d rather be doing than sorting out through form spam.

What is Form Spam & Why Does it Exist?

Form spam happens when people submit unwanted information through online forms to phish or send abusive messages.

Form spam exists because spammers look for weaknesses in website forms so they can hijack them and use the forms to relay email spam to others. The classic weakness is a contact form that drops the visitor’s name, email or subject straight into the outgoing mail headers: add a line break to the field followed by “Bcc:” and a list of addresses, and your server sends the spammer’s message to all of them, from your domain. These emails arrive in people’s inboxes looking like emails you might send. People unknowingly open them and click the links thinking they are going to your site, only to find themselves on an entirely different website. Often the spammer is also trying to game the system by posting hyperlinks to other websites and products so they can gain link equity and a boost in SEO.

How Does Form Spam Work?

Form spam is performed in two ways:

  1. Manual Spamming – manual spamming happens when a company hires real people to manually fill out web forms with information linking back to companies that need link juice. This type of form spam is difficult to beat because human spammers can get through most anti-spam measures a website owner can put in place on his website.
  2. Spambots – spambot spam comes from programs written to seek out web forms and fill them in, hoping the message will appear somewhere on the website. A commenting or testimonial form that publishes submissions automatically, without approval (don’t do this), is an easy target. This type of spam is easier to combat because spambots aren’t human and have a tough time getting past most anti-spam measures.

Why Comment Spam is Bad

Some people will feel that it’s okay to approve comments they might feel aren’t actually legit. There is harm in doing this for the following reasons:

  • Google is cracking down on bad links. This doesn’t just include sites that buy links. It also includes sites that allow them. The last thing you want to do is degrade the quality of your site by allowing spam comments.
  • Comment spam shows lack of moderation. Comment spam gives users the impression that no one is at home maintaining the website. Suppose you are selling a product or service. Clearly you want prospects to believe you will care for them the way you care for your own website…
  • Your readers might not trust you. If a reader clicks on a link in the comments and is taken somewhere they don’t want to be they might not come back to your website.

Eight Ways to Stop Form & Blog Post Comment Spam

If you want to stop form spam, you have to do everything in your power to make it nearly impossible for the spambots to fill out your forms. At the same time, you have to balance usability and make your forms as easy as possible for real website visitors to fill out.

1. Use Contact Forms – Don’t use email addresses

If eliminating as much spam as possible is your goal, your first task should be getting rid of the plain-text email address on your website. Why? Spambots that crawl websites looking for forms to fill out also harvest any email addresses they find and use them to spam others. There are ways to obscure your email address from spambots, but the best solution is to use a paid WordPress contact form plugin like GravityForms or Ninja Forms.

2. Use Google reCaptcha

Google reCAPTCHA is the successor to the classic CAPTCHA, the distorted-text puzzles of the mid-2000s. Although it was effective in reducing form spam it also significantly reduced real human traffic because it was so hard to use.

Google reCAPTCHA detects abusive traffic with far less friction. With the v2 checkbox, site visitors click a button identifying themselves as human and are only shown an image puzzle if Google’s risk analysis is unsure about them; v3 runs invisibly and hands you a score to act on. Two caveats: determined spammers buy human-solved CAPTCHAs from solving services for fractions of a cent, and the widget loads Google’s scripts on every page it appears on. The takeaway is that you should still use Google reCAPTCHA, just not as your only layer.

3. Use the Honeypot Method

If you don’t like the idea of using reCAPTCHA, you can use the honeypot method instead. A honeypot is an extra form field that is hidden with CSS, so a human visitor never sees it and never fills it in. A spambot, which reads the HTML rather than the rendered page, dutifully fills in every field it finds. On the server, any submission where the honeypot field is not empty is dropped. Give the field a tempting name like “website” rather than “honeypot”, and hide it with a stylesheet rather than the HTML hidden attribute, which the bots learned to skip long ago.

4. Ask a Question

Another technique is to incorporate a question into the form. You might use a text question or ask the user to answer a basic math question before they can submit the form. Here are some examples of questions you could use:

  • What is 5+3?
  • What is the first letter in the word “cat?”
  • What comes first, B or X?

The only thing that matters when you use this anti-spam strategy is that you make the question and answer easy enough for people to actually answer. And if you have a global audience, it’s important to remember to translate your forms into other languages.
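
The honeypot, the challenge question, and the form-hijack problem described earlier under “What is Form Spam” all come down to server-side checks on the posted fields. The example below is added here and is not code from the original article or from any plugin it names; the secret key, field names, time limits and question list are constructed for the demonstration, and the token format is one reasonable design rather than a standard.

```python
"""Server-side checks behind a contact form: honeypot, timing, a challenge
question, and the header-injection check that stops the form being used as a
spam relay. Framework-agnostic: pass in the posted fields as a dict."""
import hashlib
import hmac
import re
import secrets
import time
from typing import Dict, List, Optional, Tuple

SECRET = b"constructed-demo-key-rotate-me"   # load from config in real use
HONEYPOT_FIELD = "website_url"   # hidden with CSS; real visitors never see it
HEADER_FIELDS = ("name", "email", "subject")   # values that end up in mail headers
MIN_FILL_SECONDS = 3      # nobody reads and fills a form in under three seconds
MAX_FILL_SECONDS = 3600   # tokens expire so they cannot be replayed forever
MAX_LINKS = 1
QUESTIONS = [
    ("What is 5+3?", "8"),
    ("What is the first letter in the word cat?", "c"),
    ("What comes first, B or X?", "b"),
]
URL_RE = re.compile(r"https?://|www\.", re.I)


def issue_token(question_id: int, issued_at: int) -> str:
    """Timestamp + question id, HMAC-signed so a bot cannot mint its own."""
    msg = f"{issued_at}.{question_id}".encode()
    return f"{msg.decode()}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def render_form(issued_at: Optional[int] = None,
                question_id: Optional[int] = None) -> Tuple[str, str]:
    """What the template needs: the question to show and the token to embed."""
    if issued_at is None:
        issued_at = int(time.time())
    if question_id is None:
        question_id = secrets.randbelow(len(QUESTIONS))
    return QUESTIONS[question_id][0], issue_token(question_id, issued_at)


def _parse_token(token: str) -> Optional[Tuple[int, int]]:
    """Return (issued_at, question_id) if the token is well-formed and signed by us."""
    try:
        ts, qid, mac = token.split(".")
        ts, qid = int(ts), int(qid)
    except ValueError:
        return None
    if not 0 <= qid < len(QUESTIONS):
        return None
    expected = hmac.new(SECRET, f"{ts}.{qid}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return ts, qid


def validate_submission(fields: Dict[str, str], now: int) -> List[str]:
    """Return the reasons to reject a submission; an empty list means accept."""
    parsed = _parse_token(fields.get("token", ""))
    if parsed is None:
        return ["missing or forged form token"]
    issued_at, qid = parsed
    reasons = []
    age = now - issued_at
    if age < MIN_FILL_SECONDS:
        reasons.append(f"submitted {age}s after render, faster than a human")
    elif age > MAX_FILL_SECONDS:
        reasons.append("form token expired")
    if fields.get(HONEYPOT_FIELD, ""):
        reasons.append("honeypot field was filled in")
    if fields.get("challenge", "").strip().lower() != QUESTIONS[qid][1]:
        reasons.append("wrong answer to the challenge question")
    # A line break in a field that goes into a mail header lets the sender add
    # headers of their own (a Bcc: list, say); that is how a form gets hijacked.
    for name in HEADER_FIELDS:
        if re.search(r"[\r\n]", fields.get(name, "")):
            reasons.append(f"line break in '{name}' (e-mail header injection attempt)")
    if len(URL_RE.findall(fields.get("message", ""))) > MAX_LINKS:
        reasons.append("too many links in the message")
    return reasons
```

The token ties the question and the moment the form was rendered to a signature only the server can produce, so a bot cannot post with a stale or self-made token. The message body is allowed to contain newlines; only the fields that end up in mail headers are checked for them, and the real fix on the sending side is to hand recipients and subject to your mail library as separate parameters, never by string concatenation.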

5. Don’t Allow Links

One of the simplest solutions for stopping form spam is to stop allowing links on blog comments and forms. This won’t eliminate all form spam, but it will certainly reduce it. There are wordpress plugins that do this or you can add this line of code in your theme’s functions.php file:

remove_filter( 'comment_text', 'make_clickable', 9 );

WordPress doesn’t store plain text URLs as links in the database. Instead it changes them into clickable links on the fly. This code simply disables the filter that makes the URLs clickable. Note what it does not do: WordPress still allows a limited set of HTML in comments, including a tags with an href, so a spammer who writes the link as HTML still gets a clickable one; to stop that you also need to remove the a tag from the allowed-tags list for comments (or strip all HTML from comments). Don’t do this unless you know what you are doing or have someone on speed dial who knows how to help you if something goes wrong.

6. Install the Akismet WordPress Anti-Spam Plugin

Akismet checks your comments and contact form submissions against a global database of spam to protect sites from malicious content. This is not the end-all-be-all solution but it works well to complement some of the other solutions I have mentioned above.

Akismet’s top features are:

  • Automated checks of all comment and contact form submissions for spam
  • Automatically filters out submissions that look spammy
  • ‘Unspam’ feature for mistaken spam flagging – when something that isn’t spam is identified as spam

7. Turn Off Trackbacks

Trackback spam is often worse than comment spam. Trackbacks are manual notifications by one blogger that they have linked to your blog post within theirs. Pingbacks were created to automate this process. Both are trivial to forge, so almost every one you receive today is spam. In WordPress, untick “Allow link notifications from other blogs (pingbacks and trackbacks) on new posts” under Settings > Discussion, and use the bulk edit screen to switch them off on existing posts.

8. Turn Off Comments After 30-60 Days

People who comment for link building purposes (SEO spammers) typically look for blog posts with authority. In the days of Google’s public PageRank score (a 0-10 scale, retired in 2016) they targeted high-PageRank pages directly, and the tools they use today still rank pages much the same way. A new blog post starts with no authority and only gains it after a few months, which means SEO spammers will be targeting your older blog posts. WordPress has a setting for exactly this: under Settings > Discussion, tick “Automatically close comments on posts older than” and set it to 30-60 days.

Conclusion

There is no perfect solution for combatting comment and contact form spam. Whatever you do, don’t rely on a single strategy to stop all the spam on your website.

Best Online Password Managers

Many people make the mistake of using the same password for all of their accounts. When one site is breached, attackers take the leaked email-and-password pairs and try them everywhere else (“credential stuffing”), so one hacked account quickly becomes all of them. Many people also keep track of their passwords in a document on their computer or on a piece of paper in their office. What happens if your computer is hacked? Or if your computer dies and isn’t backed up? Or if your backup isn’t complete and doesn’t include your password list? What happens if someone sees your password list and you don’t even know it?

If you do anything online in 2020, you have more passwords than you can safely remember. So you need a strategy and you need to commit to the strategy.

I’m going to talk about the best online password managers, but before I get into that, there is one other viable approach that is also the safest – but only if you have a strategy and stick to it.

Password managers store all of your login information and generate strong, unique passwords for you. The reputable ones encrypt your vault on your own device with a key derived from your master password, so the vendor’s servers only ever hold ciphertext – which is also why losing the master password means losing the vault.

As of January 2020, these are the best online password managers. Each have pros and cons but I hope this article will provide you enough information to make an educated decision based on your budget and your needs.

Best Online Password Managers

Dashlane

Dashlane is a full-service password manager that is packed with features. It works on mobile as well as desktop devices and operating systems such as Windows, macOS, Linux, Android and iOS. In addition to being a password manager, the Dashlane Premium plan bundles a VPN enabling you to browse the internet more securely. Like most of the password managers on this list, Dashlane is available in a free version allowing for password storage up to 50 accounts. However, this is useless for most people since most of us have far more than 50 accounts. The most popular option is the Premium Plan which stores an unlimited number of passwords and syncs across unlimited devices (this is what you want so that passwords stored on your PC also work on your laptop and other mobile devices). The Premium version costs $4.99/month, billed annually for a total of $59.99. As with any online purchase, use something like Honey price tracker to figure out if there are applicable coupons for your purchase.

LastPass

LastPass was my first choice for the last few years, and I would have continued with it had they not significantly increased the price of the Premium version. If you don’t need to sync across multiple devices, the free version of LastPass might work just fine for you. Once you create a master password, LastPass allows you to easily import all saved login credentials – passwords and usernames – from any browser. The user interface is friendly and the premium version is chock full of features. It should be noted that LastPass has experienced major security flaws in the past.

1Password

1Password is a password manager with options for families and businesses and reasonable pricing for both audiences. The family password option secures unlimited passwords, credit cards, secure notes, provides 1GB of secure document storage, and can be used for a family of up to 5 people. The business option is slightly more expensive but is designed to work for teams.

1Password’s most significant drawback is that there is no free version. Nearly every other online password manager has some level of free service.

Zoho Vault

Zoho Vault has both free and paid versions. Like most of the other online password managers, the system allows you to securely store all your passwords and organize them for easy access and management. Passwords are encrypted with the strongest encryption standard (AES-256). The paid version includes password sharing, user management, and automated backups while the free one doesn’t.

Keeper Security

Keeper Security is the top-rated online password manager, with high praise from PC Magazine. According to PC Magazine’s review, “The main reason to use a password manager is to create varied, strong passwords for every website and app you use—ones that you don’t have to remember for yourself. However, it’s also important that you can access your passwords from every one of your devices without difficulty. Keeper Password Manager & Digital Vault delivers an excellent experience across a ton of platforms and browsers. It also offers top-notch features such as robust two-factor authentication support, good sharing capabilities, and full password histories. Keeper is an Editors’ Choice password manager alongside Dashlane.”

My own experience is in line with PC Magazine’s, and I recently switched from LastPass to Keeper Security. Keeper Security offers:

  • Support for all popular browsers and operating systems
  • Two-factor authentication
  • Secure password sharing
  • Optional secure file storage and messaging
  • A retained history of passwords and files

As with Dashlane and others, there’s a free version of Keeper if you’re willing to restrict your usage to a single device. There’s no limit on the number of passwords.

If you want to use Keeper across all your devices, you pay just $29.99 per year for a personal subscription. This is a good price considering that LastPass Premium costs $36/year and Dashlane costs $59.99/year.

The Bottom Line

The bottom line when it comes to passwords is that we all have far too many. Hopefully this is a problem we won’t have ten years from now, but for now it is clear that you need to adopt a strategy and stick to it. That strategy either has to be creating your own formula for keeping track of passwords or using one of the online password managers I have reviewed above.

Alternatives to Password Managers

Password managers are software applications that automatically fill in your passwords on the websites, e-mail accounts, and portals that you use. With a password manager, you typically only have to remember one master password or passphrase for the application, rather than all of the individual passwords to your accounts. Password management apps include:

  • LastPass
  • Dashlane
  • Keeper Security
  • 1Password
  • Password Boss
  • Sticky Password
  • bitwarden
  • LogmeOnce

Neil Rubenking’s article in PC Magazine discusses the best password managers for 2020.

Most browsers also have settings that allow you to save your passwords. If you have an iPhone, this is called the Apple Keychain password manager.

Where are my passwords stored?

Most of these password managers store your passwords in the cloud so they are accessible anywhere. Some password managers – like Apple Keychain – save to a physical computer or device but can be uploaded onto iCloud.

Since applications do occasionally get compromised, is it safe to use a password manager?

The downside to the password manager approach is that applications in the cloud do get compromised, and your computer is only as secure as you allow it to be. You can keep your identity safe by considering alternatives to password managers. This new approach is completely free but it requires some thought on your part. However, if you follow this approach, you should be able to generate complicated passwords that you can remember and not have to create more than 20 passwords for all your accounts.

Never use the same password for multiple accounts

This is the cardinal rule in cyber security. While it is generally excellent advice, it also assumes that all accounts carry the same password severity impact. Think about it this way: what do you value more? A compromise of your online bank account is not the same as a compromise of your Instagram account.

Password Severity Impact

The first step in this alternative to the password-manager approach is to divide your passwords and accounts into three groups, depending on password severity impact.

Severe Impact Rating

Rate your impact as severe if:

  • Financial loss or personal information exposure could damage your reputation
  • Any adverse effect would require sustained effort to fix the situation

Types of Accounts:

  • Online banking accounts
  • Healthcare portal
  • Main business account – especially if it contains confidential information about your company

Serious Impact Rating

Rate your impact as serious if:

  • Unwanted access could result in loss of credit card information
  • Unwanted access could compromise your business network
  • Any adverse effect would require some effort to remedy the situation

Types of Accounts:

  • Accounts containing credit card information (any online shopping account)
  • Accounts containing your main personal or business email account, Facebook, or Google accounts

Limited Impact Rating

Rate your impact as limited if:

  • Loss or compromise of information is meaningful only to you

Types of Accounts:

  • News feeds
  • Spam e-mail accounts
  • Social networking accounts (note: on social media, never post any information that would answer password security questions)

Create Strong Passwords in Three Easy Steps

Step 1: Group Accounts by Severity Impact

Once you group your accounts by severity impact, you should have unique passwords for every account in the severe impact category.

Step 2: Use easy-to-remember phrases to build initialism-based passwords

Do not use traditional passwords. Instead, use easy to remember passphrases related to each account. For example:

  • Healthcare – Health-related phrase – “A spoonful of sugar makes the medicine go down” becomes Asosmtmgd
  • Finance – Money-related phrase – “A penny saved is a penny earned” becomes Apsiape
  • Personal – Memorable personal event – “Tom and Jane met at Johnny’s Bar” becomes Tajmajb

Step 3: Insert special characters and numbers

Next, insert a special character. Then add a date that is significant to you as long as it’s not your birth date, anniversary, or any personal date that is commonly known. For example, assuming Flag Day is June 14th and my special character is #, my Healthcare password becomes: Asosmtmgd#0614.

Examples of Strong Passwords:

  • Healthcare – Health-related phrase – “A spoonful of sugar makes the medicine go down” becomes Asosmtmgd. Date of surgery was January 14. Original passphrase becomes Asosmtmgd#0114.
  • Finance – Money-related phrase – “A penny saved is a penny earned” becomes Apsiape. Business was created in September of 2009. Original passphrase becomes Apsiape#0909.
  • Personal – Memorable personal event – “Tom and Jane met at Johnny’s Bar” becomes Tajmajb. Date Tom and Jane met was 3/3/11. Original passphrase becomes Tajmajb#030311.

Depending on your accepted level of risk – and remember that any part of this approach is more secure than what you were doing in the first place – you will only need to create a few groups of passphrases. There are also variations of this approach.

The key is to create your own password key and stick to it. So, for example, another approach might be to take the last two letters of a website’s name in reverse order, capitalize the second letter, add a special character, then a set of 6 numbers that are meaningful only to you, and finally another special character. So your Amazon password could be: nO$13579!. Your Ebay password would be: yA$13579!. And your Washington Post password would be: tS$13579!.
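The three-step passphrase scheme and the website-suffix variant above, implemented as small functions so you can verify that your own password key is applied consistently. This is an added example, not code from the original article; the phrases, dates, special characters and the list of commonly hacked passwords are the page’s own values, and the basic-strength check reflects the article’s criteria (not a commonly hacked password; a mix of letters, numbers and characters).

```python
# Added example: the article's password-derivation schemes as checkable functions.

# The ten most commonly hacked passwords of 2016, as listed in the article.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "1111111", "123123",
    "qwertyuiop", "123321", "666666", "1q2w3e4r5t", "google",
}


def initialism(phrase: str) -> str:
    """Step 2: first letter of each word; the first stays upper-case, the rest lower-case.
    'A spoonful of sugar makes the medicine go down' -> 'Asosmtmgd'."""
    letters = [w[0] for w in phrase.split() if w[0].isalpha()]
    if not letters:
        return ""
    return letters[0].upper() + "".join(letters[1:]).lower()


def passphrase_password(phrase: str, special: str, date_digits: str) -> str:
    """Step 3: initialism, then a special character, then a memorable date as digits
    (e.g. '0114' for January 14)."""
    if not date_digits.isdigit():
        raise ValueError("date must be digits only, e.g. 0114 for January 14")
    return f"{initialism(phrase)}{special}{date_digits}"


def site_password(site: str, special: str, digits: str, special2: str) -> str:
    """The variant at the end of the section: the site's last two letters in reverse
    order with the second capitalised, a special character, six digits, and a closing
    special character. 'Amazon' -> 'nO$13579!'."""
    letters = [c for c in site if c.isalpha()]
    if len(letters) < 2:
        raise ValueError("site name needs at least two letters")
    last, second_last = letters[-1].lower(), letters[-2].upper()
    return f"{last}{second_last}{special}{digits}{special2}"


def passes_basic_checks(password: str) -> bool:
    """The article's criteria: not one of the commonly hacked passwords, and a mix of
    letters, numbers and other characters rather than a plain word or name."""
    if password.lower() in COMMON_PASSWORDS:
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_other = any(not c.isalnum() for c in password)
    return has_alpha and has_digit and has_other


if __name__ == "__main__":
    for phrase, date in [("A spoonful of sugar makes the medicine go down", "0114"),
                         ("A penny saved is a penny earned", "0909"),
                         ("Tom and Jane met at Johnny's Bar", "030311")]:
        pw = passphrase_password(phrase, "#", date)
        print(f"{phrase!r} -> {pw} (basic checks: {passes_basic_checks(pw)})")
    for site in ["Amazon", "Ebay", "Washington Post"]:
        print(f"{site} -> {site_password(site, '$', '13579', '!')}")
```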

The Equifax Data Breach: What To Do Now

News broke this week of yet another major data breach. Equifax, one of the main credit reporting companies, was hacked back in July and sensitive personal information for more than 143 million Americans was exposed. If a credit report has ever been run for you, chances are strong that your data has been compromised in this hack. The three big credit agencies have a very high duty to keep customer information safe, and they failed outright.

According to Equifax the data breach lasted from mid-May through July. Hackers accessed names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people.

Equifax has set up a website so that people can check and see if they have been hacked. I strongly urge against this. Equifax’s website is filled with security holes. Their executives reportedly sold Equifax stock in the five weeks between the discovery of this data breach and notifying anyone about it.  Equifax is also pushing their own credit monitoring service. Why trust someone twice with your valuable information? This is like asking the guy who robs you at gunpoint to watch your kids for you. 

Here’s what the FTC suggests you should do to protect yourself after a data breach:

  • Check your credit reports from Equifax, Experian, and TransUnion — for free — by visiting annualcreditreport.com. Accounts or activity that you don’t recognize could indicate identity theft. Visit IdentityTheft.gov to find out what to do.
  • Consider placing a credit freeze on your files. A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that a credit freeze won’t prevent a thief from making charges to your existing accounts.
  • Monitor your existing credit card and bank accounts closely for charges you don’t recognize.
  • If you decide against a credit freeze, consider placing a fraud alert on your files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you.
  • File your taxes early — as soon as you have the tax information you need, before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.

How Not To Get Hacked – Six Easy Steps

There’s been a lot of talk about Russian hackers these days, and while the thought of getting hacked by the Russians (or anyone else) often conjures up thoughts of Jason Bourne, most incidents of hacking are actually much less sophisticated. Let’s face it, hackers, like us, often take the easy way out and go for low-hanging fruit. The good thing about this is that it’s relatively easy to avoid getting hacked. What follows is a simple primer – how not to get hacked – six easy steps.

How Not To Get Hacked Step 1:

Create Strong Passwords

The first and most important rule is to never use the word “password” for your password. Don’t use these passwords either:

  • 123456
  • 123456789
  • qwerty
  • 1111111
  • 123123
  • qwertyuiop
  • 123321
  • 666666
  • 1q2w3e4r5t
  • google

These were the most commonly hacked passwords in 2016.

What all of these have in common is that they are painfully obvious. It is very important to choose your passwords carefully. Don’t use the name of your dog or cat or children. All of these are easily guessed. Strong passwords are cryptic – a meaningless string of numbers, letters, and characters. It’s also important to not use the same password for everything. Your Gmail or Yahoo password shouldn’t be the same as your Facebook password and that shouldn’t be the same as your bank password. Imagine if you were one of the billion or so Yahoo users who were hacked! The hackers would suddenly also have access to your bank account and your social media presence. They could learn everything about you at once.

Check HERE to see if any of your email account passwords have been compromised. If they have (and they probably were), make sure you go change the passwords at the sites where you have an account (or you set up an account eons ago).

How Not To Get Hacked Step 2:

Stop Trying To Remember Passwords…Get A Password Manager

As a website designer I need nearly 1,000 passwords in order to get my work done. Even if I had a meaningful and secure logical way of producing passwords, I would never remember them all. For the past 4 years I’ve been using LastPass. Basically LastPass creates extremely complex passwords (more than 20 characters if I want) and then remembers them whenever I go to a website. All I have to do is create one very long strong password that works as a master password. The master password will then unlock a secure, encrypted vault that contains each unique password for all of your accounts. Password managers also integrate seamlessly into Web browsers, so you can quickly log into any of your accounts from any of your devices. The basic version of LastPass is actually free. If you want to use LastPass on your mobile devices, then all it costs is $1/month.

How Not To Get Hacked Step 3:

Use Two-Factor Authentication

Two-factor authentication requires you to enter your password and then a second, one-time code, which is either texted to your cell phone or sent to your email, so that a password alone is not enough to log in. The exact methods may vary, but two-factor authentication is a much more secure way to prove that you’re you.

How Not To Get Hacked Step 4:

Be Wary of Public Wi-Fi

If you take the right steps to secure your Internet connections, you will probably be okay with public wi-fi. However, avoid doing the following things while on public wi-fi:

  • Don’t check email.
  • Don’t access your bank accounts.
  • Don’t shop online.

In general, whether on public wi-fi or not, seek out websites that start with https:// instead of http://. That extra “s” indicates an encrypted connection and is a critical layer of security. Legitimate shopping, bank, and email websites all use SSL encryption.

For more information about the danger of public wi-fi, check out Norton’s post on the risks of public wi-fi.

How Not To Get Hacked Step 5:

Be Defensive and Watch Out for Phishing Tactics

Spoofing is a tactic cyber criminals use to steal passwords from people who actually know how to come up with complex passwords. This is also called phishing. They’ll get you to click on a link leading to a spoofed website that looks exactly like the one at which you have an account. When you “log in” to the spoofed website, your log-in credentials are stolen. Do not click on the link. Instead, delete the phishy email.

How Not To Get Hacked Step 6:

Trust Your Instincts

If an email or website seems suspicious in any way, delete it or don’t visit it. Many of the attacks – an email phishing campaign for example – attempt to take advantage of our caution and reason by appearing to come from an authoritative source – like our banks, credit card companies, or even the IRS. But in reality, most of those entities will mail you multiple letters before any action is taken. If something – even mailed to you – looks suspicious, pick up the phone and call your bank. Don’t use the number on the suspicious mailing or email.

How To Avoid Phishing and Spear Phishing

Phishing is when someone sends you an email that looks like it came from a bank or service you trust. They try to get you to open an attachment that compromises your device or to click on a web link and to sign in on a malicious website.

Spear phishing is the same as phishing, except the email you receive is specially crafted just for you. The attacker has researched you well and knows who your friends, family and associates are. They may know who you work for and what you are working on. The phishing email received in a spear phishing campaign looks much more authentic, appears to come from someone you know and may refer to something you are working on. Spear phishing attacks have a much higher success rate.

Follow these two simple rules to avoid a phishing or spear phishing campaign:

  1. Never open an attachment unless you are 100% certain that someone you trust sent it to you. If you have any doubt at all, pick up the phone and call the person.
  2. Never click on a website link unless you are 100% certain that the person or organization that sent it to you is someone you trust. When you do open the link, check your browser location bar at the top for the following:
    • The location should start with https://
    • The part after https:// should be the domain name of an organization you trust. For example, it should say paypal.com and not paypal.com.badsite.com. Everything between https:// and the next forward slash in the location (the host name) should be a name that you trust.
    • The https:// part should be green if you are using Chrome and it should also say “Secure” to the left.
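The location-bar check from the list above, written as a function: it accepts a link only when the scheme is https and the host is the trusted domain itself or one of its subdomains, and it rejects look-alikes such as paypal.com.badsite.com, where the trusted name is merely a prefix of the real host. This is an added example, not code from the original article; the sample links and the trusted domain paypal.com (taken from the text) are constructed for illustration.

```python
# Added example: checking a link the way the article tells a reader to check the location bar.
from typing import Tuple
from urllib.parse import urlsplit


def is_trusted_link(url: str, trusted_domain: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the URL uses https:// and its host is
    trusted_domain or a subdomain of it. A host such as paypal.com.badsite.com fails,
    because the name you trust must be the END of the host, not the beginning."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"
    # urlsplit's .hostname drops any user@ prefix and port, so a link written as
    # https://paypal.com@badsite.com/ is correctly seen as badsite.com.
    host = (parts.hostname or "").lower().rstrip(".")
    trusted = trusted_domain.lower().strip().rstrip(".")
    if not host:
        return False, "no host name in the link"
    if host == trusted or host.endswith("." + trusted):
        return True, f"host {host} belongs to {trusted}"
    return False, f"host {host} is not {trusted}; read the part after https:// up to the next /"


def naive_contains_check(url: str, trusted_domain: str) -> bool:
    """The mistake the article warns about: 'does the address contain paypal.com?'
    This accepts paypal.com.badsite.com, which is exactly the look-alike to refuse."""
    return trusted_domain in url.lower()


if __name__ == "__main__":
    # Constructed sample links for illustration.
    samples = [
        "https://www.paypal.com/signin",
        "https://paypal.com.badsite.com/login",
        "http://www.paypal.com/signin",
        "https://paypal.com@badsite.com/login",
    ]
    for link in samples:
        ok, reason = is_trusted_link(link, "paypal.com")
        print(f"{'OK    ' if ok else 'REJECT'} {link}  ({reason}); "
              f"naive check says {naive_contains_check(link, 'paypal.com')}")
```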

If you receive an email that looks suspicious in any way, just delete it. Then pick up the phone and call the person who sent it to you. They may not know their email account has been hacked.

How To Avoid Social Engineering

Social Engineering is what happens when someone phones you and pretends to be an organization or individual that you trust. They will try to get sensitive information out of you including passwords, usernames and a description of systems that you have access to.

This kind of attack is common and is used to commit tax refund fraud. It is also used to gain access to your bank accounts. You will even find attackers trying to get access to your workstation by telling you that they have found something wrong and asking you to install their software to fix it.

You can use a simple technique to avoid social engineering scams. Usually the individual will claim they’re from a reputable company or organization. Simply hang up, find the organization’s central number, call back and ask for that individual or someone in the same role.

Using the callback method is an effective way to defeat social engineering.