Tag Archives: password

Download Free Norton Identity Safe Beta – Simple, Secure, Password Management For Windows, iOS, And Android

imageFair or not, I look upon weak password control – which leads to a catastrophe – as a self-inflicted injury. According to Norton research – 45 % of us re-use the same, easy to remember password, across multiple sites. Which, virtually assures, that should a hacker gain access to such a password – the door is now open for illegal access to all accounts. A catastrophe waiting in the wings.

I understand the dilemma. Complicated, in other words, safe passwords are often hard to remember, whereas easy passwords, in other words, unsafe passwords, are generally easy to remember. And, a single password is surely easier to remember than a series of passwords, simple or not.

What a troublesome problem!

Good news:

Today, Norton will release Norton Identity Safe Beta – the free public beta of a service which will allow you to secure and synchronize logins, passwords, credit cards, and other web form information across PCs, iOS and Android devices – using the cloud.

As an added bonus, Norton Safe Search is included.  Safe Search bumps up a user’s confidence level since a user can easily see (from search results), if a website is safe before visiting the site.

Norton Identity Safe setup walkthrough.

Consider very carefully as to whether “Remember Password” is appropriate in your situation.

image

Pay close attention to the password requirements.

image

Almost finished.

image

On completion, a web page will open with the following. From what I can see in this early test – since the application seems to rely on the Toolbar for access – you must accept. In Firefox, for example the Toolbar can be controlled through Tools – Add-ons.

image

Not quite finished. It’s time to check your inbox – confirm your email address. Click on the link………

image

and – finished!

image

Norton Identity Safe Home:

image

Norton Identity Safe Fast facts:

Simplified password management – Eliminates the hassle of remembering multiple logins and passwords, as users only need to remember one master password for quick, secure access to their favorite sites.

Streamlined user experience – Shows users their logins with thumbnail images, allowing them to log in to a desired site by clicking on the image, or for mobile and tablet users, by simply touching the screen.

Share Via – Allows users to safely share online content by sending URLs through email and social networking plugins, directly from Norton Identity Safe beta.

Automatic login synchronization across devices – Enables users to store a password on one device, and easily log in from another device – wherever they go.

Supported browsers:

image

Download at: Norton Identity Safe

Note: Norton Identity Safe Mobile Edition beta application, must be installed on mobile devices to access Norton Identity Safe.  The mobile applications complement the PC client, which must be downloaded and installed prior to installing the mobile applications.

Note:  If you have Norton Internet Security or Norton 360, you already have Norton Identity Safe installed.

Norton let me know of the pending release of Identity Safe Beta, yesterday. So, you’ll understand, this is not a review – but rather, a heads-up.

If you choose to download Identity Safe, I would be most interested in your personal observations as to functionality and value.

Helpful hints – here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. For example, I use an 18 alpha character pass phrase (upper and lower case), supplemented with 4 numeric characters on this site. And, only on this site.

Since brute force dictionary attacks are common, do not use single word passwords that are words in a dictionary.

Use a different password for each sign-in site.

If you have difficulty in devising a strong password/s, take a look at Random.org’s – Random Password Generator – a very cool free password tool.

15 Comments

Filed under Android, Anti-Malware Tools, Beta Software, Cloud Computing Applications, Connected Devices, Don't Get Hacked, downloads, Freeware, Norton

WordPress Password Fiasco

imageFair or not – “You don’t know what you don’t know” is a throwaway phrase, often used to describe a typical Internet users range of knowledge as it applies to security risks. What’s worrisome about relying on the truth of this statement is – it can be applied much more broadly – it doesn’t just apply to casual computer users. It applies equally to you – and, to me.

Virtually on a daily basis, another previously unknown (or, undisclosed), vulnerability in an application, operating system, website, cloud service, or in an Internet protocol is discovered by “security researchers”. Here’s today’s, from my Daily Net News column.

Improper SSL Implementations Leave Sites Wide Open to Attack – Security researchers are buzzing about the flaws in the Secure Sockets Layer system and the fact that a significant portion of the Internet is vulnerable to attack.

I’ll venture a guess and suggest – you didn’t know about this. Nor, did I. More to the point perhaps, what needs to be asked is – did cyber criminals know?

What about this one from two days ago?

 Kaspersky: 12 different vulnerabilities detected on every PC – Researchers from Kaspersky have sampled their customer base, and found out that on average, every PC has 12 different vulnerabilities.

The vulnerabilities described are not self inflicted – instead, they are specified, or unspecified, vulnerabilities in Flash, Adobe Reader, Java, and Adobe Shockwave. There’s no need to wonder if cyber criminals are aware of these vulnerabilities – they most assuredly are.

WordPress Password – I didn’t know, that I didn’t know.

More than once, I’ve made the point here, there are certain companies which put forward unrealistic assertions that their Web operations are inviolate – they can’t be hacked. One of those companies is WordPress.com.

So, I was hardly taken by surprise when I received the following email from WordPress, yesterday. Not surprised – but, pretty pissed at the approach taken by WordPress to describe a potentially devastating circumstance for WordPress bloggers who run popular sites.

Hello Bill Mullins,

We recently found and fixed a mistake that we’d like to tell you about. Passwords on WordPress.com are saved in a way that makes them extremely secure, such that even our own employees are unable to see your actual password – the one you enter to login to your WordPress.com account.

However, between July 2007 and April 2008, and September 2010 and July 2011, a mistake in one of our systems used to find and correct bugs on WordPress.com accidentally logged some users’ passwords in a less secure format during registration.

We’ve updated our systems to prevent passwords from being logged this way in the future, so this will not happen again. We don’t have any evidence that this data has been accessed maliciously or misused, but to be on the safe side we are resetting your password since your account is among those affected.

Please change your password using this link or copy and paste the URL below into your web browser:

https://wordpress.com/wp-login (I have removed certain parameters here)

If the password you used when you registered on WordPress.com was one you use elsewhere, you should change it there, too. In the future, remember that it’s good practice to always use unique passwords for different services.

We are terribly sorry about this mistake. No one likes having to create new passwords and we’d like to include a 15% off coupon to say we’re sorry. The coupon can be used for a custom domain, a design upgrade, VideoPress, or a storage space increase. Just use the code below on any of the upgrades on the WordPress.com Store:

pc21d064ae

If you have any questions, please reply to this email and one of our Happiness Engineers will get back to you as soon as possible.

Thank you,
The WordPress.com Team

Some salient points:

Why on earth would WordPress send an email that has all the hallmarks of a phishing scam – quote: “to be on the safe side we are resetting your password since your account is among those affected”. Huh – you’re going to reset my password? So there was zero chance of me clicking on the password reset link. The only secure method was a password reset from this blog’s Dashboard.

“A mistake in one of our systems” – At the desk I’m sitting at, I tend to call this type of “mistake” a vulnerability.

“In the future, remember that it’s good practice to always use unique passwords for different services.” Yeah, sure WordPress is just about the last organization I’d take advice from in terms of password control!

Offering a 15% discount on WordPress products “to say we’re sorry”, is ill advised and inappropriate. This “bad news” – “good news” approach, is out of bounds.

Finally, referring to support staff as “Happiness Engineers”, makes me wonder what these people smoke after breakfast. It’s a little late for ‘60s terminology, it seems to me.

I titled this article “WordPress Password Fiasco”, not because WordPress found itself in an unknown vulnerable position, which by extension applies to me as well – but because the manner in which a serious situation was handled, is appalling. At a minimum, WordPress has an obligation to disseminate news of this potential breach widely on the Internet. This is not business as usual.

Consider the number of serious breaches that occurred in the last year, which initially were classified by the victimized organization as inconsequential. Until, that is, information slowly leaked, that in many cases, the penetrations were disastrous. Think Sony.

I’m hopeful, that months from now, I won’t have to replace “Think Sony” with -“Think WordPress”. But, then again – “I don’t know what I don’t know”.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

10 Comments

Filed under Email, Internet Security Alerts, Opinion, Password Control, Point of View, Tech Net News, WordPress

Ashampoo Database Hacked – What You Need To Know

I could spend all day, every day, reporting on nothing more than the latest cyber criminal targeted intrusions into enterprise IT systems.  Two reports from my today’s Tech Net News column illustrate that we are barely scratching the surface of this significant, continuous, and rapidly expanding problem:

European Space Agency website and FTP servers hacked

Dramatic increase in cyber attacks on critical infrastructure

If you’re an everyday reader here, then you may recall that I regularly recommend that you take advantage of the German software developer Ashampoo’s, occasionally offered free application multipacks.

The downside (for some) is, you must register and provide an email address. Additional benefits can be gained by registering as an  Ashampoo member, which includes creating a password.

Unfortunately, Ashampoo has become a victim of a cyber criminal targeted intrusion aimed at their customer database. According to the company:

“Hackers gained access to one of our servers. We discovered the break-in and interrupted it instantly. The security gap through which the hackers gained access was closed immediately.

The stolen pieces of information are data of addresses such as name and e-mail address. Billing information (e.g. credit card information or banking information) is definitely not affected … it is not stored on our system.”

If you have taken advantage of Ashampoo’s offers, then it’s important that you exercise extreme caution with any future emails sent by the company and, any unsolicited email sent by any company, for that matter.

As well, if you have registered as an Ashampoo member, it’s important that you change your account password. Additionally, if you have used the same password elsewhere (you’d be surprised how often this occurs), it’s imperative that you change these passwords immediately.

My thanks to my buddy John B. (a great Scot!), for bringing this unfortunate incident to my attention this morning.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

14 Comments

Filed under Cyber Crime, Cyber Criminals, cybercrime, Don't Get Scammed, Don't Get Hacked, Email, Malware Advisories, Phishing, Tech Net News, Windows Tips and Tools

Conseal Security Takes Portable Device Security To Another Level With Conseal USB

“This tape will self-destruct in five seconds!” – Mission Impossible.

Growing up in the 1960’s, I though that was just the coolest phrase – and the underlying technology, of course. As a way of keeping confidential  information out of the hands of the bad guys, what could be better than that? BOOOM!

Today, safeguarding confidential information is far more complex – and there are many more “bad guys”. Information, in a very real sense, is currency – and the need to protect it is every bit as real as if it were hard currency.

Unfortunately, protecting critical data in an age of extreme data portability (USB sticks, portable Hard Drives, memory cards …. ) against theft, or loss, is exasperated by the very nature of portable technology.

How hard is it to lose a USB key through theft or misadventure – easy (personally, I’ve lost two over the years).

How hard is it to lose a portable Hard Drive through theft or misadventure – easy.

How hard is it to lose a memory card through theft or misadventure – easy.

How hard is it recover any one of the storages devices mentioned? Hard. Hard. Hard.

While it’s true, that both password and encryption applications, offer some protection against unauthorized access should a portable storage device vanish, neither provides absolute protection. Both password cracking, and decrypting applications (and the computing resources necessary), are readily available to those with less than honorable intentions.

What’s needed then, is a technology that not only offers password protection and file encryption, but the ability to remotely destroy data on a non-recoverable device – if it becomes necessary.

I suspect that the Ministry of Defense in the UK, would have been delighted with this type of technology had it been available when, in 2008,  fifty eight Ministry of Defense unencrypted drives – which contained details of troop movements, locations, and travel accommodation, were “lost”.

Certainly, portable media device theft, or loss, is not restricted to organizations; it can just as easily happen at an individual level. For example, in the U.K., in 2008, – 9,000 USB drives were found by dry cleaners in various articles of clothing. It’s safe to say, that data loss and data leakages related to lost or stolen computer portable devices, are now commonplace.

Luckily, Conseal Security has just released a security safety system  that not only includes strong AES encryption, it allows protected devices to be remotely self-destructed, if they are lost or stolen. Moreover, as part of the package the ability to lock devices to specific networks, domains or specific computers, is included. A bonus feature includes a capacity to review all access attempts on a device.

Application setup, including creating an account which provides access to all of the programs features, is straightforward.

image

The initial account password will be emailed to you. The temporary account password in the screen capture shown below, has been changed.

image

Once logged in, you can proceed to manage the portable device attached to your machine.

image

In the following screen shot, you’ll notice I have logged in and entered a name for the attached device.

image

The USB drive I used for this test was quite small (512 MB), so the encryption and registration took less than two minutes.

image

image

As per the message box, no files were accessible on Drive F: (the original drive designation) – instead the files were on Drive G: (the newly concealed drive).

image

Following encryption of the drive’s contents you will have a number of options to choose from, including –

Access Control

You can set up rules to control where and when this device can be unlocked.

image

Alerting

You can set up alerts to email you when this device is used.

image

Self Destruct

You can securely delete the contents of this device if it has been lost or stolen. It will become a blank disk.

image

Unlocking the portable device is an uncomplicated process – as shown in the following screen captures.

image

image

A taskbar popup will notify you on successful completion of the “unlock” process, as illustrated in this screen capture.

image

Fast facts:

Remote self destruct – If your Consealed device is lost or stolen, you can remotely destroy the data it contains. Press a button on a website and the contents of your device will be securely wiped when next inserted.

image

Who’s accessed your data? – View a log of who attempts to unlocks your Consealed device, including who they are and what computer they used. The log shows all access attempts and contains sufficient information for law enforcement officials to uniquely identify the computer used.

image

Define who can access your data – Specify the computers or network domains which can unlock your Consealed device. Also specify what times of the day it can be unlocked. Rules can be changed even when the device is out of your hands.

image

Safe from password guessing attempts – Even fairly complex passwords can be guessed on average within 16 minutes. Conseal’s “Dual Locks” system completely secures your protected data against password guessing attempts. Consealed devices can only be unlocked with permission from a central server.

Warnings of attempted break-ins – Receive email warnings when someone tries to unlock your Consealed device, directly and uniquely identifying the user, where they are, and what computer they used.

Strong encryption – Your data is stored using super-strength 256-bit AES encryption (approved by governments to protect ‘Top Secret’ information).

Takeaway: A very impressive and elegant solution to a potentially disastrous occurrence at a cost that’s appropriate.

Conseal USB Licenses:

Home User – 1 year’s protection. Non-commercial use only. Up to 5 devices £19.95.

Corporate User – 10 devices £140 (for 1 year). 100 devices £99/month. 1000 devices £830/month. 10,000 devices £5950/month.

Conseal Security offers a full no-quibble 14 day money-back guarantee from date of purchase.

System requirements: Windows XP and above.

Devices: You can Conseal literally any USB storage device. This includes memory sticks, USB pen drives, external hard disks, SD / MMC / xD / CompactFlash cards. It also includes all Firewire, eSATA and USB3 devices. Conseal is completely device and manufacturer independent.

Further details, and a 15 day Trial download are available at the developer’s site – Conseal Security.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

3 Comments

Filed under Business Applications, Cloud Computing, Computer Tools, Connected Devices, Cyber Crime, Cyber Criminals, downloads, Encryption, Encryption Software, flash drive, Geek Software and Tools, Software, Software Trial Versions, Surveilance Tools, USB, Windows Tips and Tools

Cyber Criminals Bump Up Efficiency Using Cloud Services

In a comment response yesterday to regular reader Mal C., I made the point – “It’s the person at the keyboard, that’s where the trouble starts – not the OS”. Continuing the discussion with regular reader John B., I expanded on this –

“It’s the person at the keyboard, that’s where the trouble starts – not the OS”, is operative – no matter the operating system.

Just one example: Email accounts are continuously been phished (“your account will be deactivated”, is a popular approach), with the objective being to have the user respond with, password, DOB, mobile telephone number, etc.

If the phish is successful (and many are), the crook ends up controlling that account. Cyber crimes like this, are not system specific. They depend on unaware, undereducated users, for their success.”

As luck would have it, this morning I got an invitation from Commtouch, to post an upcoming article here on Tech Thoughts (which will be published on their site shortly), that partly supports this view.

Cloud Streamlines Efficiency of Identity Theft

Working with cloud-based services significantly improves economies of scale – for cybercriminals, too. Phishers are already benefiting from free hosting by hiding phishing pages within hacked legitimate sites.  Now, they are leveraging cloud-based form management sites, such as Google docs or formbuddy.com. to collect information from unwitting victims.

With this technique, the phisher does not have to worry about creating/managing/storing back-end form data and can more easily scale the harvesting of phished data.  Those duped into filling out the form will not be aware of this nuance.

We just hope victims are paying attention when they fill out a seemingly legitimate form that directly asks for an “email address password.” If their attention lags, they are giving the phisher a significant pay-off for a minimal investment: Identity theft.

This attack targets users of HomeAway holiday rentals – See the images below. Click on an image to expand.

image

A look at the page source reveals that the filled in form is sent to “formbuddy.com” and not collected directly by the phisher.  Formbuddy.com collects and stores all the responses to the “form” shown above, and then emails a neat summary to the phisher (whose login name is “fanek”).

image

As a matter of interest, WOT (Web of Trust) warns against visiting formbuddy.com, as per the following screen capture.

image

As an aware and educated computer user, I know that you wouldn’t be deceived by this type of clumsy attempt to defraud – under no circumstances would you disclose your email address password to anyone.

As I said at the opening, these schemes depend on unaware, undereducated users, for their success. Unfortunately, that describes far to many Internet users.

About Commtouch:

Commtouch provides proven Internet security technology to more than 150 security companies and service providers including 1&1, Check Point, F-Secure, Google, Microsoft, Panda Security, Rackspace, US Internet, WatchGuard and Webroot,, for integration into their solutions. Commtouch’s GlobalView™ and patented Recurrent Pattern Detection™ (RPD™) technologies are founded on a unique cloud-based approach, and protect effectively in all languages and formats.  Commtouch’s Command Antivirus utilizes a multi-layered approach to provide award winning malware detection and industry-leading performance.

More information is available here.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

4 Comments

Filed under Cloud Computing, Cyber Crime, Cyber Criminals, Don't Get Scammed, Don't Get Hacked, email scams, Freeware, Internet Security Alerts, Online Safety, Phishing, Windows Tips and Tools, WOT (Web of Trust)

Weak Password Control – A Self Inflicted Injury

imageOver the weekend, Gawker.com was attacked, leading to a compromise of some 1.5 million user login credentials on Gawker owned sites, including Gizmodo, and Lifehacker.

According to Gawker Media

Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords.

In an ironic twist to this tale of woe, it turns out that Nick Denton, the site’s founder, had not followed his own advice and in fact, used the same password for his Google Apps account, his Twitter account, and others.

So what gives? Why would someone with the supposed technical competence of Denton be so boneheaded? I suspect it’s because the reality is – he’s no different than any typical user when it comes to establishing and enforcing proper password control. A lackadaisical effort is the norm.

I understand the the dilemma. Complicated, in other words, safe passwords are hard to remember, whereas easy passwords, in other words unsafe passwords, are easy to remember. And, a single password is surely easier to remember than a series of passwords, simple or not. No surprise then, that most computer users’ employ a single, easy to remember, and consequently – unsafe password.

So what’s a user to do to avoid this critical security lapse? Well, you could follow the most common advice you’re likely to find when it comes to password control, and install a “password safe” – an application designed to store and retrieve password.

The Internet is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true. In my view, the password safe advice falls into this category.

Let me pose this question – you wouldn’t hang your keys outside your front door, would you? Of course you wouldn’t. Then why would you save passwords on the Internet, or on your computer? If there is one computer truism that is beyond dispute, it’s this – any computer application can be hacked, including password safes.

I have never saved passwords online, or on a local machine. Instead, I write my passwords down, and record them in a special book; a book which I keep ultra secure. There are some who disagree, for many reasons, with this method of password control, but I’m not about to change my mind on this issue.

I know that on the face of it, writing down your password seems counter intuitive, and flies in the face of conventional wisdom, since the issue here is one of security and safety.

But, ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.

While it may be true that you don’t want your wife, lover, room mate, or the guy in the next office, to gain access to your written list of passwords – and writing down your passwords will always present this risk; the real risk lies in the cyber-criminal, who is perhaps, thousands of miles away.

Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.

Here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.

Since brute force dictionary attacks are common, keep away from single word passwords that are words in a dictionary.

Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?

You are entitled, of course to disregard the advice in this article, and look at alternatives to writing down your passwords, including Password Safe, a popular free application. As well, a number of premium security applications include password managers.

Interestingly, Bruce Schneier, perhaps the best known security guru and a prime mover, some years back, behind the development of  Password Safe, is now an advocate of – you guessed it; writing down your passwords.

If you have difficulty in devising a strong password/s, take a look at Random.org’s, Random Password Generator – a very cool free password tool.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

15 Comments

Filed under cybercrime, Don't Get Hacked, downloads, Freeware, Interconnectivity, Internet Safety, Online Safety, Password Control, Software, System Security, Windows Update