Your Dog’s Name is Not a Good Password

Buster and Champ are great names for dogs. But neither of them makes a good online password – especially when those are the names of your dogs!

One of the most annoying things you’ll come across on the web is when a website forces you to create a complicated password. You’ve had to do it before—with capitals, and numbers, and special characters. You end up with something like “Beth@ny12”, which looks more like a 12-year-old’s screen name than a password. The worst part? Those passwords aren’t secure. Here’s why.

Dictionary Attacks

Brute force is usually what people think of when hacking comes to mind. That’s when hackers try every possible combination of every letter and character. It’s a technique that’s used, but only as a last resort. Hackers start, instead, with dictionary attacks. These take a very large list of common passwords, together with rules for the capitalizations, numbers, and character substitutions people typically add, and try all of those variations against your password. So, yes, they’re going to guess “password”, or even “p@ssw0rd1”.

The problem here is that people pick passwords out of habit. Websites have been training that habit every time they make us turn “Scruffy” into “$CruFfy89”. We use short, familiar words because it’s the only way we can remember those ridiculous passwords. But that only makes them easier for a dictionary attack to guess. Online bullies know all of the words we pick, and all the substitutions we’re going to use. And heaven forbid we forget our password. Then we just reset it to a password we already use somewhere else…which is another cardinal password sin.

Better Passwords

So how do we protect ourselves? The best option is to add more letters, preferably in the form of a random word (or words), as words are easier to remember than substitutions. If you have the option, instead of “$CruFfy89”, do a few random words, like “correcthorsebatterystaple”. You’ll get way more bang for your security buck that way. There are online password creation and storage companies like LastPass that can create and store unique passwords for you. That way, you only have to remember one password in order to access all of your accounts.
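
To make the point concrete, here is a small password checker written for this article (it is not Trust Guard’s or LastPass’s code). It undoes the substitutions a cracking rule set undoes, so that “$CruFfy89” is recognised as “Scruffy” before it is compared against a constructed common-password list and against personal words like pet names, and it estimates how much guessing work a random passphrase buys compared with one mangled word. The names `COMMON_PASSWORDS`, `LEET_MAP`, `weakness`, `passphrase_bits` and `mangled_word_bits` are all assumptions made for the example, and the entropy model in `mangled_word_bits` is a deliberate simplification.

```python
import math
import re
from typing import Optional

# Constructed sample of a common-password list. Real cracking wordlists hold
# millions of entries; a handful is enough to show the check.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey"}

# Substitutions that cracking rule sets undo. Mapping each symbol back to the
# letter it stands in for exposes the word underneath.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
})


def normalize(password: str) -> str:
    """Reduce a password to the base word a dictionary attack would try first.

    '$CruFfy89' -> 'scruffy', 'p@ssw0rd1' -> 'password', 'Beth@ny12' -> 'bethany'.
    Trailing digits are removed first so that '12' is not read as the letters 'i2'.
    """
    stripped = re.sub(r"\d+$", "", password)
    return re.sub(r"[^a-z]", "", stripped.translate(LEET_MAP).lower())


def weakness(password: str, personal_words=()) -> Optional[str]:
    """Return why a password is weak, or None if none of these cheap checks trip.

    personal_words is anything an attacker could learn about the user (pet
    names, family names): 'Buster' with symbols sprinkled on is still 'Buster'.
    """
    base = normalize(password)
    if base in COMMON_PASSWORDS:
        return f"common word '{base}' with substitutions"
    if base in {w.lower() for w in personal_words}:
        return f"personal word '{base}' with substitutions"
    if len(password) < 12:
        return "shorter than 12 characters"
    return None


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Guessing entropy of n words chosen uniformly at random from a wordlist.

    Four words from a 2048-word list give 4 * log2(2048) = 44 bits, which is why
    'correcthorsebatterystaple' beats '$CruFfy89' while using no symbols at all.
    """
    return n_words * math.log2(wordlist_size)


def mangled_word_bits(dictionary_size: int, rule_count: int) -> float:
    """Rough guessing entropy of one dictionary word plus one mangling rule.

    Assumed model for illustration: the attacker tries every word under every
    substitution/append rule, so the search space is dictionary_size * rule_count,
    not the full keyspace of the characters that appear in the password.
    """
    return math.log2(dictionary_size * rule_count)


if __name__ == "__main__":
    pets = ["Buster", "Champ", "Scruffy"]
    for pw in ["$CruFfy89", "Beth@ny12", "p@ssw0rd1", "correcthorsebatterystaple"]:
        print(f"{pw:28} -> {weakness(pw, pets) or 'no cheap weakness found'}")
    print(f"4 random words from a 2048-word list : {passphrase_bits(4, 2048):.1f} bits")
    print(f"1 dictionary word + 1 of 4096 rules   : {mangled_word_bits(100_000, 4096):.1f} bits")
```

The order inside `normalize` matters: digits are stripped before substitutions are reversed, otherwise the trailing “1” in “p@ssw0rd1” would be turned into an “i” and the base word would be missed.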

Online security should be a big deal for you! It seems like every other day we hear about another big company that got hacked. So before you give some online business your personal information and unique, non-personal password, make sure the website has a Trust Guard trust seal on it, verifying that it is secure.


Special thanks to writer Stephen Porritt.

Top Three Cyber Security Tips

Ryan Collins, 36, of Lancaster, Pennsylvania, was sentenced on Thursday to 18 months in prison for his role in leaking private nude photos of celebrities he found by illegally accessing their Google and Apple accounts.

He is one of three men who have been convicted of leaking private celebrity photos, and is personally responsible for illegally accessing more than 100 accounts, prosecutors said. In total, the nude photo leak investigation included over 600 victims.

Cyber Security

Between November 2012 and September 2014, Collins pulled off a carefully targeted cyber security attack known as spear phishing. He sent targeted emails to his victims purporting to be from Apple and Google that seemed legitimate and tricked his high-profile targets into handing over their usernames and passwords, according to the U.S. Attorney for the Central District of California.

Once Collins had a target’s username and password, he was able to access their private accounts, steal their photos and, in some instances, according to prosecutors, download full backups from iCloud.

Sometimes, even for celebrities, it is hard to tell if an email is legitimate or not.

Here are some key cyber security tips:

  1. If you receive a suspicious email from a place where you have an account, never click on any links inside of it. Instead, go to the specific service provider’s website and log in from there. You can also make a quick phone call. In any case, most companies will not ask for your username or password through an email.
  2. Once you get to the website, use different passwords for different accounts, and switch passwords often – for banks every three months at least. If you have different passwords and one account gets hacked, the other accounts should be OK.
  3. If you feel confident about opening a link in a non-business-related email – even if it appears to be from a friend – always hover over the link first to see where the link is going before clicking on it. Your friend’s email account may have been hacked.
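
Tip 3 can be automated. The script below is an added example for this article, not code from NBC News or from any mail provider: it parses the anchors in an HTML email body and flags the two things a careful hover would reveal, visible link text that names one host while the `href` goes to another, and any destination outside the domain the message claims to come from. The sample message, the `example.net` hosts in it, and the names `suspicious_links`, `LinkCollector`, `host_of` and `same_org` are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body, styled after an account-alert email.
# example.net is a reserved documentation domain standing in for an
# attacker-controlled host; nothing here is a real phishing URL.
SAMPLE_EMAIL = """
<p>Your account was used to sign in from a new device.</p>
<p>If this was not you, <a href="http://appleid-verify.example.net/login">verify your account now</a>.</p>
<p>You can also visit <a href="http://support.example.net/reset">https://appleid.apple.com/</a> to reset.</p>
<p>See our <a href="https://www.apple.com/">support site</a> for more.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating 'www.example.com/path' with no scheme."""
    target = url.strip()
    if "://" not in target:
        target = "http://" + target
    return (urlparse(target).hostname or "").lower()


def same_org(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (not 'domain.evil')."""
    return host == domain or host.endswith("." + domain)


def looks_like_url(text: str) -> bool:
    """Does the visible link text itself look like an address a reader would trust?"""
    return bool(re.match(r"^(https?://|www\.)", text.strip(), re.IGNORECASE))


def suspicious_links(html: str, expected_domain: str) -> list:
    """Flag links a 'hover first' check would catch: visible URL text that
    disagrees with the real destination, or any destination outside the
    domain the sender claims to be."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        text_host = host_of(text) if looks_like_url(text) else ""
        if text_host and text_host != host:
            reason = f"visible text says {text_host} but link goes to {host}"
        elif not same_org(host, expected_domain):
            reason = f"link goes to {host}, not {expected_domain}"
        else:
            continue
        findings.append({"href": href, "text": text, "host": host, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, "apple.com"):
        print(f"{finding['reason']}: {finding['href']!r}")
```

The `same_org` check compares whole labels rather than substrings, so a host such as `apple.com.example.net` is not mistaken for a subdomain of `apple.com`; that lookalike pattern is exactly what the hover is meant to expose.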

You could fork out $14,000 or so for a military-grade-secure smartphone to help thwart hackers — but a little cyber security know-how will certainly cost a lot less. There are many, many more hackers just like Mr. Collins who haven’t been caught. Let’s do everything we can to keep them away from our personal, private information.


Special thanks to NBC News for their article on the subject.

Airport Security Scans & Website Security Scans

Am I the only one who hates body and suitcase scans at the airport?

Scans can be intrusive, embarrassing, and often come close to crossing the line of what should stay private and what needs to be known in order to keep everyone safe.

However, after all the extensive scanning at the airport, I can relax knowing that the environment I’m in is safer than it would have been without the scans. The same is true for online shopping. If I know that a website has gone through the rigorous efforts associated with security scanning to protect itself against vulnerabilities used by hackers, I can relax knowing that the website’s environment is much safer than it would have been without the scans.

Many websites that have performed security scans also display a Security Scanned seal, like those offered by Trust Guard. After scanning your site and finding all in order, they provide a trust seal so that your online visitors can feel at peace shopping on a scanned site.

It would be nice if every website owner scanned their site for vulnerabilities against hackers, just like everyone at the airport gets body scanned, but that’s just not the case. Hackers break into unscanned websites every second of every day. Without a trust seal, if a website asks for a credit card or other confidential information, how do visitors know if the site is safe?

At the airport, getting a body and luggage scan is a nuisance, but it ensures a higher level of peace and safety about flying than I would have had otherwise. I don’t have to guess who has been body scanned and who hasn’t. But online, it’s difficult to know which site is safe. It’s nice to see a trust seal displayed showing that the website values its visitors’ safety and security.

Trust Guard's Security Scanned Seal

Businesses should perform security scans on their sites, then display a trust seal to show their online visitors that they are just as safe as, if not safer than, an airport terminal.

The Simplest Way to Guarantee System Security: It’s Not a Product – It’s a Setting!

We are all familiar with the idea of “garbage in, garbage out”. This neat little couplet reminds us to be careful with what we download to and install on our computer’s hard disk. Using the human body as a metaphor for computer technology is not new. I’d like to expand on this metaphor to explain an important concept we would all benefit from understanding. Your system security may depend on it!

Imagine I have a fictitious friend Bob. He will eat anything that is placed in front of him. He will not only eat any food item, including exotic offerings such as fried arachnids and bovine testicles, tongues and brains, but he will also eat things that were never intended for consumption, such as wood chips, smooth rocks and colorful plastics. There is nearly nothing he would not eat; in fact he would eat something from every category of items found on planet Earth. Bob is on a default permit diet. His rule is that he will eat literally anything once, and only after eating something does it get placed on a list of things he will no longer eat, if he desires to place it there. As a result of his extreme diet, he is a frequent customer of his local emergency room and his insurance provider has dropped him as a client. He is at high risk of any number of illnesses and requires surgery on a pretty regular basis. How long can Bob sustain this?

Bob is now growing older and no longer wants to live with the pains and financial consequences of a dangerous diet, so his “do not eat” list is becoming extensive. It includes food items which are growing mold, items with sharp edges, things harder than his teeth and anything with explosive or flammable properties. He doesn’t rule out any complete category but painstakingly writes down every item that is not yet listed. Though Bob doesn’t show much evidence of learning from his mistakes, he is very organized and appears to be capable of remembering all of the items on his list. Needless to say, maintaining, adding to and memorizing the list takes up much of his time and energy, and it never guarantees he will avoid another catastrophic gastric event from eating something he has not yet identified as bad for him. Now would be a good time to acknowledge that Bob, based on this behavior, is not sane. Most would agree that this sort of approach would not be sustainable over time. Eventually, Bob will pay for this method with his life.

This is an admittedly extreme and graphic example, but this is what your computer’s firewall is doing right now. It is set to default permit, which means that the door is open to everything except the items on a very long list of things to block. I imagine many of you are asking why firewalls are set up that way. The answer is that default permit is easy and cheap, at least at first. Programmers and administrators use default permit because they can roll out the new software or network quickly without spending money and time on front-end quality. They can do it because, at this point, nobody expects otherwise – most people are not even aware of the alternative.

Stepping back into our dietary metaphor, for just a moment, might be helpful. You and I can quickly see that most people use a much more intelligent approach to deciding what we will and will not eat. Most people have an unwritten list of things they like to eat and will only cautiously add new items to it. If there were people actively trying to poison our food, we might actually take the time to write the list down. In this scenario we would have a “Default Deny” approach. In other words, we would only permit those things on our list, which, by the way, is a very short list compared to the one Bob had to maintain. In addition, our default deny list (the list of things to allow) could be condensed with rules like, “I will eat chicken as long as the head is not still attached and the feathers are removed, and never when it has been sitting out all day or has been undercooked”. This would allow whole categories of items as long as they met our predetermined criteria – not every single item would need to be listed. Consider, though, that even if every item were listed for both types of lists, the allow list would be infinitesimal compared to the mammoth deny list. So, if we set up our computers similarly to the way we choose our diets, we would avoid all those metaphorical treatment regimes, emergency surgeries, painful and bewildering maladies and probable organ transplants.

What is the moral of this story? Rather than spending all the time, money and headache listing and blocking all of the “badness” that does exist and will multiply in the world, simply take the time to list all of the “goodness” you want to allow, and nothing else will be permitted to run. This sounds simplistic, and there is a lot of background work required with such an approach, but that’s the basic idea. Using default permit and enumerating badness is, by its nature, problematic and will never result in fully dependable security. Taking the time to enumerate goodness and setting your system to default deny is the only way to ensure security.
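
The two policies can be shown side by side in code. The following is an added example written for this article, not the configuration of any particular firewall product: the same handful of sample connections is evaluated under a blocklist (default permit) and under an allowlist (default deny), and the interesting row is the service that appears on neither list. Rules are (source, port, protocol) triples where `"any"` and `None` are wildcards, so a single rule can admit a whole category the way “chicken, as long as it is cooked” does. The addresses come from the RFC 5737 documentation ranges, and the names `Connection`, `BLOCKLIST`, `ALLOWLIST`, `default_permit`, `default_deny` and `compare` are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Connection:
    src: str     # source IP address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


# A rule is (source, port, protocol); "any"/None are wildcards so one rule can
# cover a whole category of traffic.
Rule = tuple

# Constructed addresses from the RFC 5737 documentation ranges.
ADMIN_NET = "192.0.2.0/24"
KNOWN_BAD = "203.0.113.0/24"

# Default permit: the door is open unless a rule says otherwise. This list only
# ever grows, and it is always missing the thing nobody has seen yet.
BLOCKLIST = [
    ("any", 23, "tcp"),         # telnet
    ("any", 445, "tcp"),        # SMB
    (KNOWN_BAD, None, None),    # one known-bad range, all ports and protocols
]

# Default deny: the door is closed unless a rule says otherwise. Short, and it
# describes what the system is for rather than what the world contains.
ALLOWLIST = [
    ("any", 443, "tcp"),        # public HTTPS
    (ADMIN_NET, 22, "tcp"),     # SSH, admin network only
]


def matches(rule: Rule, conn: Connection) -> bool:
    """Does this connection fall inside the category the rule describes?"""
    src, port, proto = rule
    src_ok = src == "any" or ip_address(conn.src) in ip_network(src)
    port_ok = port is None or port == conn.dport
    proto_ok = proto is None or proto == conn.proto
    return src_ok and port_ok and proto_ok


def default_permit(conn: Connection) -> bool:
    """Enumerating badness: allowed unless something on the blocklist matches."""
    return not any(matches(r, conn) for r in BLOCKLIST)


def default_deny(conn: Connection) -> bool:
    """Enumerating goodness: denied unless something on the allowlist matches."""
    return any(matches(r, conn) for r in ALLOWLIST)


def compare(traffic):
    """Evaluate each connection under both policies: {conn: (permit, deny)}."""
    return {c: (default_permit(c), default_deny(c)) for c in traffic}


if __name__ == "__main__":
    # Constructed traffic; the last entry is a service no rule has heard of.
    sample = [
        Connection("198.51.100.7", 443, "tcp"),   # public web visitor
        Connection("192.0.2.10", 22, "tcp"),      # admin SSH
        Connection("198.51.100.7", 22, "tcp"),    # SSH from the open internet
        Connection("203.0.113.9", 443, "tcp"),    # web from the known-bad range
        Connection("198.51.100.7", 3389, "tcp"),  # RDP, never listed anywhere
    ]
    for conn, (permit, deny) in compare(sample).items():
        print(f"{conn.src:>14}:{conn.dport:<5} "
              f"default-permit={'ALLOW' if permit else 'block'}  "
              f"default-deny={'ALLOW' if deny else 'block'}")
```

The RDP connection is the one Bob’s list can never protect against: default permit lets it through because nobody wrote it down, while default deny blocks it because nobody had to. The known-bad range reaching port 443 shows the other side of the trade: the allowlist admits it because “public HTTPS” is a category, and narrowing that category (the “feathers removed” clause) is where the remaining work goes.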

Now that we’ve identified the issue, how do we change our settings? Those directions will be specific to your system, firewall and network (if you have one), so I won’t attempt to give that information. If you’d like to look into setting up your firewall to default deny, you can check out this article for starters:

https://securosis.com/blog/network-security-fundamentals-default-deny/