Website Security: Steps to Protect Your Site From Being Hacked

Recently a client of mine contacted me because his site looked like this:

Screenshot of a Hacked Website

78% of malware cases are attributed to outdated core applications, plugins or modules. That means an outdated version of WordPress, an outdated version of a theme, or an outdated version of a plugin.

Seven Steps to Prevent Your Website From Being Hacked

  1. Backup your site regularly to a location that is different from your website host.
  2. Update plugins, theme, and WordPress version whenever there is an update. Do not let versions lapse. Updates frequently exist because someone has discovered a security vulnerability.
  3. Remove themes and plugins that are not in use. Inactive themes and plugins can be used to access your website. Remove anything that is not pertinent to your site.
  4. Replace plugins that are more than 2 years old and have never been updated.
  5. Use strong usernames and passwords – a non-English word with uppercase and lowercase letters, numbers and special characters.
  6. Change your nickname so it’s not your username. Otherwise you are giving hackers half the puzzle.
  7. Use a malware/security service like Sucuri or Wordfence to protect your site.

What to do if your site is hacked?

  1. Keep a deep watch – hackers usually don’t hurry to mess with your site. They do everything slowly. If you think your site has been hacked, watch everything very closely.
  2. Hope that you have that backup in hand.
  3. Contact your web host – try to contact your web host immediately regarding the unnatural activity. Maybe they can help you or maybe they know something about it.
  4. Change your FTP/SSH login passwords – immediately change the FTP and SSH login passwords. And this time, choose completely different and stronger passwords.
  5. Change “admin” username. Do not use “admin” as your username. 99% of attacks take place with this username.
  6. Change password. The hackers know your password. So – change the passwords of all the admin accounts asap. Change the database password as well.
  7. Forced logout. All users (and hackers) stay logged in until their cookies expire. Because existing cookies remain valid even after the password is changed, you need to force everyone to log out. Go to https://api.wordpress.org/secret-key/1.1/salt/ and generate a new set of secret keys. Add the whole block to your wp-config.php file; if similar definitions already exist there, replace them. This invalidates all existing login cookies.
  8. Update WordPress version. If you’re using an older version of WordPress you really need to update it. This might be how hackers hacked you in the first place.
  9. If the above things don’t fix the situation, there is only one option and that is to create a fresh WordPress installation.
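Step 7 works because a login cookie is only a signed token, and the signature is keyed with the site's secret salts: change the salts and every cookie issued under the old ones fails verification. The following is an added illustration, not code from the post or from WordPress itself; it models the cookie as user|expiry|HMAC and uses constructed placeholder salts in place of the values the WordPress generator would hand you.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder salts. A real WordPress site defines its own in
# wp-config.php, using the values generated at
# https://api.wordpress.org/secret-key/1.1/salt/
OLD_SALT = "constructed-old-salt-value"
NEW_SALT = "constructed-new-salt-value"


def make_cookie(username: str, expires: int, salt: str) -> str:
    """Build a login cookie of the form user|expiry|signature.

    The signature is an HMAC over the user and expiry, keyed with the
    site's secret salt, so the cookie cannot be forged without the salt.
    (Simplified model of how WordPress signs its auth cookies.)
    """
    payload = f"{username}|{expires}"
    signature = hmac.new(salt.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{signature}"


def verify_cookie(cookie: str, salt: str, now: int) -> bool:
    """Accept the cookie only if it is unexpired and was signed with `salt`."""
    try:
        username, expires_text, signature = cookie.split("|")
        expires = int(expires_text)
    except ValueError:
        return False
    if now >= expires:
        return False
    expected = hmac.new(salt.encode(), f"{username}|{expires}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak which bytes matched.
    return hmac.compare_digest(signature, expected)


def rotate_salt() -> str:
    """Generate a fresh random salt; installing it invalidates every existing cookie at once."""
    return secrets.token_hex(32)


def demo() -> dict:
    """Show the same cookie before and after a salt rotation, after expiry, and when tampered with."""
    cookie = make_cookie("admin", expires=2_000_000, salt=OLD_SALT)
    return {
        "valid_before_rotation": verify_cookie(cookie, OLD_SALT, now=1_000_000),
        "valid_after_rotation": verify_cookie(cookie, NEW_SALT, now=1_000_000),
        "valid_after_expiry": verify_cookie(cookie, OLD_SALT, now=3_000_000),
        "valid_if_tampered": verify_cookie(cookie.replace("admin", "editor"), OLD_SALT, now=1_000_000),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is that changing the admin password alone does nothing to a cookie an attacker already holds; only the salt rotation (or expiry) makes it unusable.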

The real lesson here is relatively simple and goes back to that old Boy Scout mantra –

Be Prepared. Have a recent backup of your site. Know how to restore it or who to call in an emergency. Keep your website, content management system, and plugins up to date. Keep all of your username and login information someplace secure because you will need this for your website host and your domain name in an emergency.

Ten ways to protect yourself online

Any time you are online you are vulnerable to hackers. Whether you are a sole proprietor or a massive corporation like Sony, your chances of being hacked, scammed, or infiltrated in some way, are unfortunately about the same. Hackers can steal your credit card numbers, tax records and passwords, erase your hard drive, disable your entire computer, and even use your built-in webcam or microphone to spy on you. The most complete way to protect yourself online would be to get offline and disconnect yourself immediately, but that solution is no longer an option for any of us.

To protect yourself online, you should take these 10 steps very seriously:

1. Fortify your passwords

Don’t reuse your passwords. If an attacker gets your password she might try it on all of your accounts. This means that a given password is really only as secure as the least secure service where it’s used. Use a single master password or passphrase along with a password manager like LastPass. Choose strong passwords – short passwords of any kind, even totally random ones like nQ\m=8*x or !s7e&nUY are not strong enough today.

2. Use a password manager

Check out LastPass. This is what I use. There’s a free version that syncs between devices but doesn’t allow you to sync with your mobile phone. The premium version costs just $12/year!

3. Secure your security questions

Beware of security questions. Honest answers to many security questions are often publicly discoverable facts. If you do use factual information in the security questions, make them more secure by adding numbers and other characters. Your cat Fluffy can be F1uff7 instead.

4. All HTTPS all the time

HTTPS will encrypt any stream of data between you and the service, ensuring that anyone using Firesheep or a packet sniffer on a (usually public) Wi-Fi network can’t glean your login data. Never work at a coffee shop or other public wi-fi without it.

5. Turn on Two-Step Verification

Facebook and Google both offer the option of 2-Step authentication when you login, meaning you have to enter a secondary PIN which is generated by an app and/or texted to your phone. It’s a complete and utter pain in the ass whenever you’re logged out, but it’s also a pretty safe guarantee that no one will be getting into your account without a heavy-duty targeted attack.

6. Use a secret email address

Publicly available information is the first way a hacker can get their foot in the door. Few things are tossed around more casually than an email address. Don’t give potential hackers a starting point, especially if you use the same login info across multiple sites (which you shouldn’t be doing in the first place!). Instead, create an email address that as few people know about as possible that you use only for account log-ins.

7. Set up login notifications

Facebook will allow you to receive a text message anytime an unrecognized IP address logs in to your account. You may not prevent a hack, but if you act quickly enough, you can remotely log them out and re-secure your account before they get their hands too deep into your business. Gmail is also set by default to alert you if it notices anything particularly strange with your login activity.

8. Put passwords on your devices

This is a no-brainer and should not require explanation. All of your phones, tablets, laptops, and desktops should have a password.

9. Don’t save your credit card information in your browser

Another no-brainer.

10. Keep an offline backup

Just in case your online backup provider is ever hacked, it’s probably a good idea to have your most important documents backed up using a physical hard drive connected to your computer.

11. Don’t link your accounts

Facebook sign-on certainly makes life easy for you, but imagine what happens when someone steals the phone that doesn’t have a password or hacks your password on your computer.

12. Use email wisely

Email is a great way to keep in touch with friends and family, and as a tool to conduct business. Even if you have good security software on your PC, however, your friends and family might not have the same protection. Be careful about what information you submit via email. Never send your credit-card information, Social Security number, or other private information via email.

Conclusion

Those of you who are very perceptive will note that I couldn’t resist and actually gave you 2 extra tips for protecting yourself online. Data shows that a blog post titled “ten ways to protect yourself online” will do better than the same post titled “twelve ways to protect yourself online”. If I had to hone in on one or two particularly important ways to protect yourself online, I would pick number 1/2 – fortify your passwords/use a password manager and number 12 – use email wisely as the most important ways to protect yourself online.

Do you all agree with me? Did I miss anything?

If You Aren’t Using a Password Manager, It’s Time To Start Using One Now

Online merchants and secure websites aren’t doing a very good job of keeping your personal information safe. Not a week goes by without news about a major online retailer being hacked. To make matters worse, even those websites that use decent security practices may have been compromised by the recently discovered Heartbleed bug. If the bad guys got your password, you’re in trouble. But if you used that same password at other sites, then you’re really in trouble. The only safe thing to do is to use a different strong password on every site, and the only practical way to do that is with a password manager.

If you aren’t using a password manager, it’s time to start using one now. This is important stuff, well worthy of major procrastination because setting up a password manager involves a considerable amount of time and planning. If you are starting from scratch, chances are good that you are using your browser’s built-in password management feature. There are a variety of password managers but we recommend LastPass and will help walk you through the process. LastPass will import those passwords, delete them from the browser, and turn off the browser’s password management. LastPass goes for a clean sweep, importing from all major browsers.

Beyond The Master Password

Most password managers support authentication using a master password. Since it’s protecting all of your other passwords, that one password needs to be really strong. But if that’s the only protection for your data, a crook who manages to steal your master password can access all of your data. The best password managers offer two-factor authentication.

LastPass 3.0 Premium can be configured for fingerprint-based authentication. LastPass supports authentication via the Google Authenticator mobile app.

Password Capture and Replay

Most, but not all, password managers integrate with the browser to capture login credentials as you enter them and replay those credentials when you revisit the site. LastPass goes a step beyond, actively detecting and managing password change events and capturing credentials as you sign up for a new service.

Quite a few password managers let you log in to your password storehouse from any browser, so you can look up credentials even when using someone else’s computer. Among these are Norton Identity Safe, RoboForm Everywhere 7, and Keeper 5.0; LastPass and Dashlane also offer this feature. F-Secure, by contrast, doesn’t allow any online access, considering it a potential security risk.

Form Filling and Personal Data

Given that most password managers already have the ability to fill your username and password into a login form, it’s not surprising that many also serve as form fillers for personal data. LastPass will cleverly offer to capture what you’ve entered if it sees that you are filling a form manually.

LastPass can store various types of ID data such as passports and driver’s licenses.

Free Protection

The free edition of LastPass has almost everything found in the premium; support for mobile devices is the big exception. LastPass Premium costs only a dollar a month. That’s not a lot, considering what LastPass is protecting.

Security Checkup

Virtually every password manager will report the strength of your master password. And virtually every product will generate strong, random passwords for you on demand.

LastPass takes this concept a step further by offering a security report listing all of your passwords and rating the strength of each. They also report on duplicates—passwords you’ve used on more than one site. And they make it easy to upgrade all your passwords to improve security.

What is SEO Spam and How to Remove It

SEO Spam, also called Spamdexing, is the practice of search engine spamming. SEO spam involves a number of methods, such as link building and repeating unrelated phrases, to manipulate the relevance or prominence of search terms indexed by search engines. Search engine spam is an attempt to change search engine rankings so that website traffic is redirected to a scam designed by a hacker. To do this, hackers gain access to a normal, healthy website, and then inject keywords and links to another website they have set up that is designed to defraud people.

Victims believe they are going to a legitimate website to buy something – usually male enhancement drugs, designer clothing, or sports gear – but they actually get scammed.

Hackers don’t create their own sites because the search engine algorithms are already good enough that they ignore the scam websites. By gaining access to legitimate websites and injecting links and keywords, hackers create a direct path to their scam websites. These hackers are piggybacking on your legitimate website ranking to get noticed.

A good way to understand this better is to open up your favorite browser and search with the terms “buy viagra cialis”. You may not want to do this at the office.

Now, without clicking anything, scroll through the results. Doesn’t it seem strange that the top result is a page on a museum shopping site? The third result is a page on a florist website. The last result is a page on the County Veterans Service Officers of Wisconsin. These are all examples of websites that have been hacked for spamdexing.

What types of SEO Spam are there?

Spammy links

Links are critically important to scammers. Without the links, there is no way to drive traffic to their scam website.

Spammy keywords

When shady keywords appear in the content of a credible website, search engines assume that it’s safe to index the site for those terms. And when people search online – for medicine, male enhancement drugs, sports gear, loan services, etc. – search results often include scams where the buyer pays for something she never receives.

Spammy ads

Sometimes a hacked website includes banner ads or calls to action (CTAs) that direct traffic to the hacker's scam website. This can be a fairly effective scam – especially if the hacker has hacked the code behind the call to action.

Spammy posts and pages

This is the worst case example. When a legitimate site already has a good search engine ranking, the hackers will create fake posts and pages dedicated to ranking for a spammy search term.

How can I protect my website from SEO spam?

Unfortunately spamdexing is always a threat for website owners, but the best way to defend yourself from these hackers is by strictly adhering to a few best practices:

  • Run updates – plugins and themes need updates constantly. Don’t ignore these. Updates almost always include security patches to keep hackers out. Without these updates, your entire website has an open backdoor for SEO spamdexing.
  • Create strong passwords – easy passwords like pass1234 might be easy to remember, but unfortunately they are also too easy to guess. Make sure you are using strong passwords when they are protecting access to your website.
  • Create strong usernames – don’t use admin or administrator as your username.
  • Use a firewall – if you’re serious about preventing spamdexing on your website, a web application firewall is an absolute must-have. It protects you by updating definitions of known threats, kind of like a bouncer at a bar.
  • Scan regularly – the first step to fixing an SEO spam infection is to be aware of it. Too often, website owners have no idea they have been hacked until it’s too late.
  • Make sure your site is backed up – if you do get hacked, it’s always good to have a backup – just make sure the backup goes back before the hack.
  • Hire someone to do this if you don’t know how to yourself – this is the most important best practice on the list. Don’t step over dollars to pick up a penny. If you don’t know how to do all this or know that you won’t do it on a regular basis, hire someone to adhere to these best practices to defend yourself from SEO spam.
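"Scan regularly" is the one practice on the list you can automate: the spammy links and keywords described earlier are usually injected into hidden elements (display:none, or positioned far off-screen) so the site owner never sees them while search engines still do. Here is an added detection example, not code from the post or from any scanning product it mentions; the spam keyword list and the sample page are constructed for the demo, and the site hostname is passed in so outbound links can be told apart from internal ones.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed keyword list drawn from the spam categories the post names.
SPAM_KEYWORDS = ("viagra", "cialis", "casino", "payday loan", "replica", "cheap jersey")

# Inline styles spammers use to keep injected content invisible to visitors.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)


class SpamLinkScanner(HTMLParser):
    """Collect every link in a page, noting whether it sits inside a hidden element."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.hidden_depth = 0   # > 0 while inside at least one hidden ancestor
        self.stack = []         # (tag, was_hidden) so hidden_depth unwinds correctly
        self.current = None     # [href, hidden, text_parts] for the <a> being read
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or "")) or "hidden" in a
        if hidden:
            self.hidden_depth += 1
        self.stack.append((tag, hidden))
        if tag == "a":
            self.current = [a.get("href") or "", self.hidden_depth > 0, []]

    def handle_data(self, data):
        if self.current:
            self.current[2].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.current:
            href, hidden, parts = self.current
            self._assess(href, hidden, " ".join(parts).strip())
            self.current = None
        while self.stack:  # pop back to the matching open tag (skips void tags like <br>)
            open_tag, was_hidden = self.stack.pop()
            if was_hidden:
                self.hidden_depth -= 1
            if open_tag == tag:
                break

    def _assess(self, href: str, hidden: bool, text: str) -> None:
        host = (urlparse(href).hostname or "").lower()
        outbound = bool(host) and host != self.site_host and not host.endswith("." + self.site_host)
        spammy = any(k in text.lower() for k in SPAM_KEYWORDS)
        reasons = []
        if hidden and outbound:
            reasons.append("hidden outbound link")
        if spammy:
            reasons.append("spam keyword in anchor text")
        if reasons:
            self.findings.append({"href": href, "text": text, "reasons": reasons})


def scan_page(html: str, site_host: str) -> list:
    """Return the suspicious links found in `html`, each with the reasons it was flagged."""
    scanner = SpamLinkScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a legitimate shop page with two injected, hidden spam links.
SAMPLE_PAGE = """
<html><body>
<h1>Museum Gift Shop</h1>
<p>Visit our <a href="https://museum.example/shop">shop</a> or our partner
<a href="https://partner.example/">partner site</a>.</p>
<div style="display:none">
  <a href="http://pharmacy.example/buy">buy viagra cialis online</a>
</div>
<div style="position:absolute; left:-9999px"><a href="http://spam.example/">cheap jersey</a></div>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "museum.example"):
        print(finding)
```

Run it against the served HTML of your own pages (what a visitor's browser receives, not the database content), on a schedule, and diff the findings between runs; a new hidden outbound link appearing between two scans is exactly the early warning the post says most owners never get.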

What if I already have an SEO spam infection?

If your website is already infected with SEO spam, it is very important that you act quickly. This will not fix itself and it’s not a task that you can put off until you have time.

Every second that your website remains infected with SEO spam, you risk serious penalties. You could get blacklisted by search engines so you don’t show up in search results even after you clean your site. Or worse, your customers could go to your website to do business, see the SEO spam, and then never return.

Be patient. Removing SEO spam can take time. If you’re infected, fix it now and protect your visitors and your reputation. And if you don’t have SEO spam, make sure you are protecting yourself by following the best practices listed above.


Why Do Hackers Attack Websites?

Do you know why hackers target websites? Do you believe that your website is too small or insignificant to be the target of a hacker? It’s time to think again. There are over 90,978 security attacks that happen every minute of every day and hackers have zero prejudice when it comes to the size of the website or business they attack.

Hackers aren’t just looking to take advantage of big corporations. They are simply looking for any kind of exploitable vulnerability.

Hackers Attack Websites For All These Reasons:

1. Inject Malicious Content

Sometimes, hacking is simply about getting malicious content or code onto the front end of your WordPress site with the hopes that your visitors then click on the malicious links. This can happen through comment spam, email hijacking, or through actual content submissions.

2. Steal Visitors’ Personal Information

This is the one you and your visitors should be most worried about. Any security breach is bad for business, but this one also means having to compensate visitors and customers for the money and privacy compromised in the attack.

3. Spread Viruses

Another way in which hackers attempt to terrorize your visitors is by using your website to spread viruses and malware. They can do this by using malicious code they’ve written into the backend or with files they’ve uploaded for download on the front end. When visitors interact with these files, hackers then steal the visitors’ information or they cannibalize visitors’ computers to further spread viruses to other websites.

4. Steal Business’s Private Information

Businesses work very hard to keep their secrets a secret. This is why it’s critical not to sync that information to the corresponding business website.

5. Use Your Web Server to Host Phishing Pages

Phishing on websites basically refers to when hackers create fake pages within your website in an attempt to collect information from visitors willing to give it. They can do this by embedding a contact form on the page and directly collecting information.

6. Host Legitimate Pages on Your Web Server

This is less common, but sometimes hackers actually take the time to build legitimate pages on high authority websites to improve their own SEO. These pages talk about them and link back to them.

7. Steal Your Server Bandwidth

Hackers can steal server bandwidth to host their own activities, such as bitcoin mining and brute force attacks on other websites.

8. Overload Your Web Server

Obviously this is related to the concept above, but when hackers overload your web server with a huge surge of hits, that is what’s known as a distributed denial of service (or DDoS) attack. Once they hit the overload threshold, the site goes down, and they win. Why would they do this? How could a hacker benefit from taking your website offline? Here are some possible reasons:

  • They could be doing it for bragging rights.
  • They might have a personal or political motivation.
  • The website could be just one of many victims in a broader attack.
  • They want a ransom.

9. Vandalize Your Website

For the most part, a hacker might vandalize a website to gain street cred – establish hacker credibility while hurting your brand.

How Can You Protect Your Website?

We have the means to put up a good defense against intruders if we accept two realities:

  1. We are not invincible.
  2. We must remain vigilant.

As a reminder, here’s what you can do to protect your website.


How Not To Get Hacked – Six Easy Steps

There’s been a lot of talk about Russian hackers these days, and while the thought of getting hacked by the Russians (or anyone else) often conjures up thoughts of Jason Bourne, most incidents of hacking are actually much less sophisticated. Let’s face it, hackers, like us, often take the easy way out and go for low-hanging fruit. The good thing about this is that it’s relatively easy to avoid getting hacked. What follows is a simple primer – how not to get hacked – six easy steps.

How Not To Get Hacked Step 1:

Create Strong Passwords

The first and most important rule is to never use the word “password” for your password. Don’t use these passwords either:

  • 123456
  • 123456789
  • qwerty
  • 1111111
  • 123123
  • qwertyuiop
  • 123321
  • 666666
  • 1q2w3e4r5t
  • google

These were the most commonly hacked passwords in 2016.

What all of these have in common is that they are painfully obvious. It is very important to choose your passwords carefully. Don’t use the name of your dog or cat or children. All of these are easily guessed. Strong passwords are cryptic – a meaningless string of numbers, letters, and characters. It’s also important to not use the same password for everything. Your Gmail or Yahoo password shouldn’t be the same as your Facebook password and that shouldn’t be the same as your bank password. Imagine if you were one of the billion or so Yahoo users who were hacked! The hackers would suddenly also have access to your bank account and your social media presence. They could learn everything about you at once.
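A checker makes the two points above concrete: the listed passwords are rejected outright, and anything built from a pet's or child's name is caught as well. The example below is added here and is not code from the post; it takes the 2016 list verbatim, adds the earlier post's observation that a short random string such as nQ\m=8*x is no longer enough (an entropy estimate shows why), and generates replacements the way a password manager does. The 12-character and 60-bit thresholds are assumed policy values, not figures from the post.

```python
import math
import secrets
import string

# The passwords the post lists as the most commonly hacked in 2016, plus "password" itself.
COMMON_PASSWORDS = {
    "password", "123456", "123456789", "qwerty", "1111111", "123123",
    "qwertyuiop", "123321", "666666", "1q2w3e4r5t", "google",
}

MIN_LENGTH = 12        # assumed policy threshold, not from the post
MIN_ENTROPY_BITS = 60  # assumed policy threshold, not from the post


def estimate_entropy_bits(password: str) -> float:
    """Rough strength estimate: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, personal_facts=()) -> list:
    """Return the reasons a password is weak; an empty list means it passed every check."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    for fact in personal_facts:  # pet names, children's names, etc.
        if fact.lower() in lowered:
            reasons.append(f"contains personal fact {fact!r}")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        reasons.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return reasons


def generate_password(length: int = 20) -> str:
    """Random password from the full printable set, using the OS CSPRNG (what a manager does)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("qwertyuiop", "Fluffy2016!", r"nQ\m=8*x", generate_password()):
        print(repr(candidate), check_password(candidate, ["Fluffy"]) or "ok")
```

The entropy figure is an upper bound (it assumes every character was chosen uniformly from the pool), which is why the common-password and personal-fact checks run first: "qwertyuiop" scores as ten random lowercase letters but is one of the first guesses any attacker tries.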

Check HERE to see if any of your email account passwords have been compromised. If they have (and they probably were), make sure you go change the passwords at the sites where you have an account (or you set up an account eons ago).

How Not To Get Hacked Step 2:

Stop Trying To Remember Passwords…Get A Password Manager

As a website designer I need nearly 1,000 passwords in order to get my work done. Even if I had a meaningful and secure logical way of producing passwords, I would never remember them all. For the past 4 years I’ve been using LastPass. Basically LastPass creates extremely complex passwords (more than 20 characters if I want) and then remembers them whenever I go to a website. All I have to do is create one very long strong password that works as a master password. The master password will then unlock a secure, encrypted vault that contains each unique password for all of your accounts. Password managers also integrate seamlessly into Web browsers, so you can quickly log into any of your accounts from any of your devices. The basic version of LastPass is actually free. If you want to use LastPass on your mobile devices, then all it costs is $1/month.

How Not To Get Hacked Step 3:

Use Two-Factor Authentication

Two-factor authentication requires you to enter a password and then a second code, which is either texted to your cell phone or sent to your email, so a further authentication step is required beyond the password alone. The exact methods may vary, but two-factor authentication is a much more secure way to prove that you’re you.

How Not To Get Hacked Step 4:

Be Wary of Public Wi-Fi

If you take the right steps to secure your Internet connections, you will probably be okay with public wi-fi. However, avoid doing the following things while on public wi-fi:

  • Don’t check email.
  • Don’t access your bank accounts.
  • Don’t shop online.

In general, whether on public wi-fi or not, seek out websites that start with https:// instead of http://. That extra “s” is a critical level of security. Legitimate shopping, bank, and email websites all use SSL encryption.

For more information about the danger of public wi-fi, check out Norton’s post on the risks of public wi-fi.

How Not To Get Hacked Step 5:

Be Defensive and Watch Out for Phishing Tactics

Spoofing is a tactic cyber criminals use to steal passwords even from people who know how to come up with complex passwords; it is also called phishing. They’ll get you to click on a link leading to a spoofed website that looks exactly like the one at which you have an account. When you “log in” to the spoofed website, your login credentials are stolen. Do not click on the link. Instead delete the phishy email.

How Not To Get Hacked Step 6:

Trust Your Instincts

If an email or website seems suspicious in any way, delete it or don’t visit it. Many of the attacks – an email phishing campaign for example – attempt to take advantage of our caution and reason by appearing to come from an authoritative source – like our banks, credit card companies, or even the IRS. But in reality, most of those entities will mail you multiple letters before any action is taken. If something – even mailed to you – looks suspicious, pick up the phone and call your bank. Don’t use the number on the suspicious mailing or email.

Check For Vulnerabilities In Your Connected Devices

Last week’s DDoS attack on Dyn shut down portions of the internet. A DDoS attack is a distributed denial of service attack. Dyn is a major DNS provider. The attack was created by a botnet that took control of a bunch of different connected cameras that still had the default passwords in use. In order to understand how to protect yourself, you need to check for vulnerabilities in your connected devices. And to do that, you need to understand what a DDoS attack is and what DNS is first.

What’s a DDoS attack?

At the most basic level a distributed denial of service attack works like this. An attacker sends an onslaught of packets – essentially just garbage data – to an intended recipient. In the case of the most recent attack, the recipient was Dyn’s DNS servers. The server is overwhelmed by the garbage packets, can’t handle any new incoming connections, and eventually slows down significantly or crashes entirely. What’s new about this particular attack is that it was carried out by a group of hijacked insecure network devices. Together, those hijacked devices form a DDoS army that can bring down a website.

What’s DNS?

DNS stands for Domain Name Servers. These are the internet’s equivalent of a phone book. Domain Name Servers maintain a directory of domain names and translate them to IP addresses. Without DNS, we would have to remember the IP addresses for websites instead of their easy to remember names. Google’s IP address is 8.8.8.8 but most IP addresses are far harder to remember.

Why Should I Check For Vulnerabilities in Connected Devices?

Since last week’s DDoS attack was created by a botnet that took control of a bunch of different connected cameras with default passwords, it’s important to run a scan on your own network to make sure you don’t have any devices that are essentially open and accessible to an internet hijacking. To check whether you have such devices on your network, Bullguard Security created IoT Scanner. Go to the site, click the scan button, and IoT Scanner will look for open ports on your network.

If IoT Scanner comes back saying that your network can be breached, that means some device that’s connected to your Wi-Fi network has an open port that makes it accessible from the internet. This could be on purpose if you’re running a server or have some other device that you can access from outside your home network. If you’re not doing that and IoT Scanner says your network can be breached, then it’s a good idea to contact your IT professional and see which device has that open port.

Like most tools, take the results with a grain of salt and use this as a starting point to really secure your network.
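"Open port" here means nothing more than a service on the device that accepts TCP connections, and you can confirm what a scanner reports on a device you own with a plain connection attempt. The following is an added example, not code from the post or from IoT Scanner; the list of ports is an assumption (services consumer cameras, routers and NAS boxes commonly expose), and the demo opens a throwaway listener on localhost so the check can be exercised without touching any real device.

```python
import socket
import threading

# Assumed list of services consumer devices commonly expose; not from the post.
COMMON_DEVICE_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https",
    554: "rtsp", 8080: "http-alt", 8443: "https-alt",
}


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Try a plain TCP connect; success means a service on that port accepts connections."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def audit_device(host: str, ports=COMMON_DEVICE_PORTS) -> dict:
    """Map each open port on one of your own devices to the service usually behind it."""
    return {port: name for port, name in ports.items() if port_is_open(host, port)}


def unused_local_port() -> int:
    """Demo helper: an ephemeral localhost port with nothing listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def start_local_listener():
    """Demo helper: a throwaway service on an ephemeral localhost port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    port = server.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = server.accept()
                conn.close()
            except OSError:  # server socket closed
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return server, port


def demo() -> dict:
    """Open one local port, then show that only that port reads as open."""
    server, listener_port = start_local_listener()
    closed_port = unused_local_port()
    try:
        found = audit_device("127.0.0.1", {listener_port: "demo-service", closed_port: "nothing-here"})
    finally:
        server.close()
    return {"open": found, "listener_port": listener_port, "closed_port": closed_port}


if __name__ == "__main__":
    print(demo())
```

Point audit_device at your router's LAN address or a camera's address to see what it exposes from inside the network; what matters for the Dyn scenario is whether the same ports are reachable from the outside, which is what the post's online scanner tests and a router's port-forwarding table controls. Anything listed that you do not recognise, telnet on port 23 especially, is worth raising with whoever manages the device.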

Ten Tips For Spotting Phishing Emails

Every day millions of phishing emails are sent to unsuspecting victims all over the world. I know because I receive five or six myself in my spam folder every day. While some of these messages are so outlandish it’s obvious they are fraud, others can be a bit more convincing. So how do you tell the difference between legitimate emails and phishing emails? Unfortunately there is no single way, but this post provides ten tips for spotting phishing emails.

Ten Tips For Spotting Phishing Emails

#1 URLs contain a misleading domain name

People who launch phishing scams often rely on victims who don’t know much about technology or how the DNS naming structure for domains works. The last part of a domain name is the most telling. For example, the domain name info.gabeseiden.com would be a child domain of gabeseiden.com because gabeseiden.com appears at the end of the full domain name (on the right-hand side). Conversely, gabeseiden.com.maliciousdomain.com would clearly not have originated from gabeseiden.com because the reference to gabeseiden.com is on the left side of the domain name.

This happens all the time, especially when the phishing criminal uses a trusted name like Microsoft or Apple or even the IRS. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.

#2 The message is poorly written with grammar and spelling mistakes

Whenever a company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, and legality. So if a message is filled with poor grammar or spelling mistakes, it probably didn’t come from a major corporation’s legal department.

#3 The message asks for personal information

This is usually a major red flag. No matter how official an email message looks, it’s always a bad sign if the email asks for personal information. Your bank or credit card company already knows your account number and social security number.

#4 The message contains a mismatched URL

One of the first things you should check in a suspicious email message is any embedded URL. Often the URL in a phishing message will appear to be perfectly valid, but if you hover your mouse over it you see the actual hyperlinked address (at least in Outlook). If the hyperlinked address is different from the address that is displayed, the message is probably fraudulent or malicious.
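Tips #1 and #4 are both checks a mail filter can run mechanically: whether a hostname really ends in the domain it claims to belong to (the right-hand side rule from #1), and whether the address shown in a link matches where the link actually goes (#4). The example below is added here and is not code from the post; it uses the post's own domain names, and the sample message is constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def is_subdomain_of(hostname: str, trusted_domain: str) -> bool:
    """Tip #1: True only when `trusted_domain` is the right-hand end of `hostname`, on a label boundary."""
    host = hostname.lower().rstrip(".")
    trusted = trusted_domain.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def host_of(text: str) -> str:
    """Hostname from a URL or a bare domain name; '' if there is none."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that itself looks like a URL or domain name (the case tip #4 is about).
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def find_mismatched_links(html: str) -> list:
    """Tip #4: return (href, shown_text) pairs where the displayed domain and the real destination differ."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if not DOMAIN_LIKE.match(text):
            continue  # "click here" style text gives nothing to compare against
        shown, real = host_of(text), host_of(href)
        if not (is_subdomain_of(real, shown) or is_subdomain_of(shown, real)):
            flagged.append((href, text))
    return flagged


# Constructed sample message using the domain names from the post.
SAMPLE_EMAIL = """
<p>Your account needs attention. Sign in at
<a href="http://microsoft.maliciousdomainname.com/login">https://account.microsoft.com</a>
or read the notice at <a href="https://info.gabeseiden.com/notice">gabeseiden.com</a>.</p>
"""

if __name__ == "__main__":
    print(find_mismatched_links(SAMPLE_EMAIL))
```

The second link is deliberately left unflagged: info.gabeseiden.com sits under gabeseiden.com, so the shown and real addresses agree under the tip #1 rule, while the first link is caught because microsoft.maliciousdomainname.com does not end in microsoft.com. Text such as "click here" cannot be checked this way at all, which is why the hover test in the tip remains necessary.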

#5 The message looks too good to be true

If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.

#6 You’re asked to send money to cover expenses

You might not get hit up for cash in the initial message. But sooner or later, phishing criminals will ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it’s a scam.

#7 You didn’t initiate the action

If you get an email congratulating you on winning the lottery, but you never bought a ticket, you can bet that it’s a scam. If you didn’t do something to initiate the action, it is probably a scam.

#8 The message makes unrealistic threats

Most phishing scams try to trick people into giving up cash or sensitive information by promising instant money. However, some phishing scams use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it’s probably a scam. Let me give you an example.

I once received an email from what looked like the IRS. Everything looked legitimate except for one thing. The letter said my account had been compromised and that if I did not submit a form (which asked for my social security number) along with two picture IDs, my assets would be seized.

I knew this was a scam because the IRS doesn’t send out emails like this. The IRS sends out its threats via snail mail.

#9 The message appears to be from a government agency

Government agencies in the U.S. don’t normally use email as an initial point of contact.

#10 Something is fishy

If you receive a message that seems suspicious, it’s usually in your best interest to avoid acting on the message. On the off chance that it’s a real message, usually the real person will find another way to contact you.

How to stay ahead of cyber criminals

It’s no secret that cyber attacks are becoming increasingly sophisticated, stealthy, and, as a result, commonplace. We have seen high profile security breaches at Target, JP Morgan, Home Depot, and the US Government. Attackers can infiltrate practically any “secure” environment and maneuver undetected for months at a time while they scope out the best approach (for them) to a cyber attack. So the question for us is – how do we stay ahead of cyber criminals?

This is ultimately a cat and mouse game and it’s clear that the cyber criminals play the cat in this game. As cyber attackers become increasingly aware of cyber security measures, both large and small organizations must be on the defense and continuously learn about potential warning signs. Here are a few helpful tips to help you stay ahead of cyber attacks and reduce the risk of data breaches.

Constant Change

There’s one thing that cyber criminals and the rest of us have in common – none of us like change. We want to keep systems and processes static because it makes life and work easier. Attackers love static systems and processes because it makes it easier for them to study their subjects, learn the ins and outs, and figure out exactly how they can compromise your data. If you want to make it difficult for sophisticated cyber attackers, create a culture that thrives on change.

Monitor for Usage of Irrelevant Information

Cyber criminals do their homework before launching an attack. Sometimes the information they gather is wrong or incomplete. You should monitor for activity that doesn’t make sense for your organization.

A typical example of an irrelevant information scenario is the “former employee” situation. In this case, an attacker targets a specific user from your list of employees, not knowing that the person no longer works for your organization. Because the employee no longer works for you, that employee should not be taking actions within the company’s network and the network shouldn’t be contacting them. Spotting this suspicious activity can help you prevent data breaches.
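One way to turn the “former employee” scenario into a detection, as an added example that is not part of the original post: cross-reference authentication events against HR’s list of departed accounts and flag anything after a person’s last day. The log format and the sample lines are constructed; adapt the regular expression to what your VPN, SSO or directory logs actually emit.

```python
import re
from datetime import date, datetime

# Constructed sample authentication log (not real data).
SAMPLE_LOG = """\
2015-06-16T08:55:10Z LOGIN user=mlee src=198.51.100.7 result=success
2015-06-16T09:12:01Z LOGIN user=jsmith src=203.0.113.5 result=failure
2015-06-16T09:12:33Z LOGIN user=jsmith src=203.0.113.5 result=failure
2015-06-16T09:13:02Z VPN user=jsmith src=203.0.113.5 result=success
2015-03-02T17:40:00Z LOGIN user=jsmith src=198.51.100.9 result=success
""".splitlines()

# HR data: accounts whose owners have left, with each person's last working day.
DEPARTURES = {"jsmith": date(2015, 3, 31)}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def former_employee_activity(lines, departures):
    """Flag every event attributed to a departed account after the owner's last day.
    Failed attempts are kept too: repeated failures for someone who has left are
    exactly the signal that an attacker is working from a stale employee list."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        last_day = departures.get(ev["user"].lower())
        if last_day is not None and ev["ts"].date() > last_day:
            hits.append(ev)
    return hits


def summarize(hits):
    """Collapse hits into {user: {"events": n, "sources": {...}, "successes": n}}."""
    out = {}
    for ev in hits:
        s = out.setdefault(ev["user"], {"events": 0, "sources": set(), "successes": 0})
        s["events"] += 1
        s["sources"].add(ev["src"])
        s["successes"] += int(ev["result"] == "success")
    return out
```

Events before the departure date are left alone, so an account that was legitimately active until the last day does not generate noise.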

Avoid Alarm Fatigue

Security appliances are more sensitive than ever to better detect potential threats, but the sharp increase in alerts leaves security teams running ragged.

It is impossible to launch a full-scale investigation every time your security appliances send a notification. Instead, you must monitor your organization for signs of alarm fatigue and resolve them as soon as possible. If you stop monitoring for serious notifications, you are sure to miss the real issues as they come up.

Invest in Cyber Security Education

Did you know that human error is the leading cause of data loss? Cyber security training and education teaches employees the importance of changing passwords and monitoring for suspicious activity, which cuts down on the number of human errors.

One major part of training employees for better cyber security is preparing them for phishing schemes. In phishing attacks, cyber criminals often send out seemingly legitimate emails, mimicking companies like PayPal or eBay in an attempt to lure readers into clicking a fake link. While the link seems real and the landing page is set up with real logos, the site is built to funnel sensitive data to cyber criminals. The email might mention an issue with the user’s account and lead them to a site that requests PINs, credit card data and more. These can be tough to spot, but there are warning signs to look out for.

All of the security solutions in the world can’t protect your network if your workforce is willingly (but unknowingly) giving cyber criminals access to it. Creating a truly secure workforce requires ongoing education and training.


LastPass Hacked, Change Your Master Password Now

LastPass – my favorite password manager – has been hacked. This is the bad news. It’s time to change your master password. If you have LastPass, do this right now before you finish reading this post. The good news is that passwords you have saved for other sites should be safe.

LastPass announced on their company blog that they detected a server intrusion. While encrypted user data (your stored passwords for other sites) was not stolen, the hackers did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes. The latter is what’s used to tell LastPass that you have permission to access your account.

According to LastPass, the authentication hashes are hardened enough that no one should be able to use them to access your account. However, the company is still prompting all users to update the master password they use to log in to their LastPass account. If you use LastPass, you should do this immediately. If you share that master password with any other services, you should change it there, too. Finally, if you haven’t enabled two-factor authentication, you should do that immediately here.

LastPass Security Notice – Updated June 16, 2015:

Was my master password exposed?
No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers.

Am I at risk if I have a weak master password?
An attacker could try to guess your master password, then use your per-user salt and authentication hash to determine if their guess was correct. Typically, an attacker would try a list of commonly-used passwords or dictionary words (such as 12345678, password1, mustang, robert42, iloveyou). They would have to do this for you specifically, since your “per-user” salt is unique to your account. Because your password is hashed thousands of times locally, and this hashed value is again hashed 100,000 times before being stored server-side, guesses will be very slow. If your master password is weak or if your password reminder makes it easy to guess, then the attacker could significantly reduce the number of attempts needed to guess it correctly. Then the attacker would have your master password, but not your data, since your data vault was not exposed. If the attacker attempted to get access to your data by using these credentials to log into your LastPass account, they’d be stopped by a notification asking them to first verify their email address. We require this security measure for any attempt to access your vault from a new device/location, unless you have multifactor authentication enabled.

Were passwords or other data stored in my vault exposed?
No, your data is safe. Encrypted user vaults were not compromised, so no data stored in your vault is at risk (including form fill profiles, secure notes, site usernames and passwords). However if you used your master password for any other website, we do advise changing it – on LastPass as well as on the other websites. Note that you should never reuse passwords – especially your LastPass master password!

What should I do now?
Our security and processes worked as designed, and customer data was, and is, protected. Because we are requiring verification for any new IP address or device, your account is secure. You will be prompted to update your master password when you login. Not all users will see the prompt immediately, but your account is safe and you can update when prompted. For added security going forward, we recommend enabling multifactor authentication. Also, be wary of phishing emails asking you to disclose your master password, payment information, or any other personal information. Never, ever disclose your master password or any confidential information, even to someone claiming to work for LastPass.

Why did I hear about this in the media first?
Emails have been sent to all users regarding the security incident. Notifying millions of users via email takes time. Therefore, we also announced the security alert to our blog and our social accounts in real-time, and the media quickly picked up the story.

I reset my master password, but now I can’t get in!
If you forgot or mis-typed your new master password, please revert your change: https://lastpass.com/revert.php and login again with the previous master password. Then you can try another change (and be careful of typos!).

I don’t remember my old master password.
Please try password recovery: https://lastpass.com/recover.php on a browser where you’ve used LastPass before. For more information about account recovery, see: https://helpdesk.lastpass.com/account-recovery/
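The two-stage scheme the notice describes (5,000 client-side rounds of PBKDF2-SHA256, one more hash to form the authentication hash, then 100,000 server-side rounds over a per-user salt) is easier to reason about in code. The block below is an added illustration, not LastPass’s code: the round counts come from the notice, but the exact inputs of each PBKDF2 call, the `enroll`/`login` helpers and the demo account are assumptions. It shows what the stolen record (salt plus stored hash) contains, why the master password itself never reaches the server, and why every offline guess must pay for all 105,001 iterations.

```python
import hashlib
import hmac

# Round counts are the ones the notice states; the inputs of each call are an
# assumption modelled on its description, not LastPass's real implementation.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000


def client_auth_hash(username: str, master_password: str) -> bytes:
    """Client side: stretch username + master password into a key, then hash that
    key once more to produce the authentication hash sent to the server.
    The master password itself never leaves the user's computer."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                              username.lower().encode(), CLIENT_ROUNDS)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def server_stored_value(auth_hash: bytes, per_user_salt: bytes) -> bytes:
    """Server side: re-stretch the received auth hash with the per-user salt before
    storing it, so a leaked database still costs SERVER_ROUNDS per guess per user."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, per_user_salt, SERVER_ROUNDS)


def server_verify(auth_hash: bytes, per_user_salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the freshly derived value against the database."""
    return hmac.compare_digest(server_stored_value(auth_hash, per_user_salt), stored)


def enroll(username: str, master_password: str, per_user_salt: bytes) -> dict:
    """Create the server-side record for a user. `per_user_salt` would normally be
    os.urandom(32); it is passed in here so the demo is reproducible."""
    auth_hash = client_auth_hash(username, master_password)
    return {"salt": per_user_salt, "hash": server_stored_value(auth_hash, per_user_salt)}


def login(username: str, master_password: str, record: dict) -> bool:
    """End-to-end check: client derives the auth hash, server re-stretches and compares.
    `record` is exactly what the intruders obtained: the salt and the stored hash."""
    return server_verify(client_auth_hash(username, master_password),
                         record["salt"], record["hash"])


if __name__ == "__main__":
    # Constructed demo account; the salt is fixed only for reproducibility.
    rec = enroll("alice@example.com", "correct horse battery staple", b"constructed-salt-0001")
    print(login("alice@example.com", "correct horse battery staple", rec))  # True
    print(login("alice@example.com", "password1", rec))                     # False
```

Because the salt is different per user, the same weak password produces a different stored hash in every record, which is why the notice says a guessing attack has to be repeated for each account separately.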