Blog Feed

Why US, Canadian, and EU Universities Choose Programmable Hardware Tokens

Posted by on 18:03 in Protectimus Products | 0 comments


Almost all universities and colleges in the US, Canada, and the EU use two-factor authentication to protect faculty and staff accounts. Quite often they choose in-app 2-factor authentication, meaning that one-time passwords are generated on the users' smartphones. In that case they run into a few issues:
- Not everybody agrees to use a personal smartphone for corporate needs.
- Some people still use older cell phones on which a 2FA app simply cannot be installed.
- When people use their own devices there is no guarantee that those devices are not infected with malware.

Many universities turned to Protectimus with this same situation, among them The George Washington University, Middle Tennessee State University, College of Central Florida, University of Guelph, Simon Fraser University, Old Dominion University, the University of Groningen, Trent University, and others. There is a simple solution (short of buying corporate smartphones for all the staff): programmable hardware tokens, Protectimus Slim NFC. These OTP tokens are enrolled exactly as a 2FA app would be. All that is needed is one NFC-enabled Android smartphone for the administrator. The admin scans the QR code containing the secret key with the TOTP Burner application and then writes that secret key to the token over NFC. The TOTP Burner app is available on Google Play for free, and the administrator can program an unlimited number of tokens with one smartphone.

So, with programmable hardware tokens:
- There is no trouble with people who don't have a smartphone or don't want to use their own device at work.
- Malware on users' phones is no longer a concern: the hardware OTP token is a standalone device that works without Internet or GSM connectivity, so the user cannot infect it even if they try.
- Apart from the authenticating service itself, which must hold the same seed to verify codes, the administrator is the only person who sees and stores the secret keys, and a key cannot be read back out of the token once written.
Besides, we offer custom branding for any number of Protectimus Slim NFC tokens, starting from a single piece. Check the custom-branded tokens our customers already use.

Read also:
- Read more about Protectimus Slim NFC tokens or order a few pieces to test
- How to Program Protectimus Slim NFC Token
- How to Backup Google Authenticator or Transfer It to a New Phone
- The Pros and Cons of Different Two-Factor Authentication Types and Methods
- 10 Basic BYOD Security Rules
- Top 7 Tips How to Protect Yourself from Phishing Scams
- Social Engineering: What It Is and Why It...


Reddit was hacked: how it happened, who the victims were, and why SMS authentication failed

Posted by on 17:59 in Industry News, R&D | 0 comments


Reddit was hacked. The attackers managed to extract logins, e-mail addresses, passwords (salted and hashed, fortunately), and even a complete list of private messages from users who joined the site before 2007. They were also able to access the e-mail addresses and logins of all users who received the site's newsletter in June 2018. SMS authentication failed: the attackers intercepted SMS messages containing one-time passwords and gained access to the accounts of several Reddit employees.

Let's take a closer look:
- What exactly happened, and what is Reddit doing to minimize the consequences of the attack?
- Who were the victims of the Reddit attack, and how can you tell if you're one of them?
- Why did SMS-based two-factor authentication fail, and what can you replace SMS messages with if you're still using them?

"Reddit just disclosed a breach, says it's still investigating severity. Of particular note was that the intruders managed to bypass SMS-based two-factor authentication in the compromise. https://t.co/LCu6XAVn34 This is why physical 2-factor or at least app-based 2FA is superior." — briankrebs (@briankrebs), August 1, 2018

How Reddit was hacked

On June 19, 2018, the Reddit team realized that there had been a data leak. The attack itself happened sometime between June 14 and 18. The attackers compromised the accounts of several Reddit employees who had access to cloud storage and source code. Those accounts were protected by two-factor authentication, but via the traditional method of delivering one-time passwords by SMS. The attackers intercepted the SMS messages containing the one-time passwords and so bypassed the second factor. Had all of Reddit's staff been using hardware tokens, intercepting SMS would have gained the attackers nothing. Despite the seriousness of the attack, the attackers weren't able to make any changes to the system; they had read-only access. Nonetheless, they were able to view source code, configuration files, and internal logs, and to download backups. Thus, all data about users and the operation of the forum, from its founding until 2007, fell into the hackers' hands. The attackers also downloaded a database of e-mail addresses belonging to users who received e-mail newsletters in June 2018.

What Reddit has done

First of all, Reddit's administrators strengthened their logging, encryption, and monitoring systems. They also discontinued SMS authentication in favor of software and hardware OTP tokens. They reported the incident to law enforcement, and an investigation was launched. Reddit users who may have been affected were sent messages about the incident, encouraging them to look after the security of their accounts: change passwords and enable two-factor authentication. Detailed instructions on how to activate two-factor authentication for Reddit are available here.

"So is Reddit actually emailing people who had their addresses and usernames exposed? The way this reads, it doesn't sound like it and they're relying on people to check if they've been receiving email digests and draw a conclusion from that, right? https://t.co/s2pFDAD9NN" — Troy Hunt (@troyhunt), August 1, 2018

Who was affected by the Reddit attack

Reddit's team is not disclosing the number of affected users. All the same, we're talking about millions of people. The affected users can be divided into 2 groups: Everyone...


How to enable two-factor authentication on Reddit

Posted by on 19:38 in Setup Guides | 0 comments


Learn more about the Protectimus Slim NFC security token or order one here: Protectimus Slim NFC, the best 2FA token to protect your Reddit account!

To set up two-factor authentication on Reddit, first log in to your Reddit account and initiate the two-factor authentication setup.

1. Go to the "User Settings" page using the navigation menu in the upper right corner.
2. Click "Privacy & Security".
3. Choose "Two-factor authentication".
4. Click the "click to enable" button.
5. Confirm that your email address is correct.
6. Enter your password and click "Next".
7. You will see the QR code with the secret key. Now you can either scan it with your authentication app (Google Authenticator, Protectimus Smart, Authy, etc.) or add it to your Protectimus Slim NFC hardware security token. Learn how to program the Protectimus Slim NFC token.
8. After you have programmed the hardware OTP token or enrolled a software token on your smartphone, enter the 6-digit one-time password in the corresponding field and click "Enable two-factor".
9. You'll see a notification that 2-factor authentication has been set up successfully. Keep any backup codes Reddit offers at this point somewhere safe; they are your recovery path if the token or phone is lost.

Enjoy reliable and convenient protection for your account: make hackers' lives difficult with two-factor authentication on! Main image...


Non-SMS Two-Factor Authentication for Instagram. Why Is It Good?

Posted by on 13:03 in R&D | 0 comments


Did you know your Instagram two-factor authentication is ensured by a technology with a hole as big as the one in the Titanic after it met the iceberg? Well, there is more: the same faulty technology may still secure your Facebook and Twitter accounts. Last but not least, you use the same technology to confirm most of your online purchases, so yes, your bank account can be compromised as well. The name of that flawed technology is SMS authentication.

SMS-based 2-factor authentication has a few huge drawbacks that undermine it:
- SMS messages are stored and displayed as plaintext on your smartphone and can be read by malware;
- SMS messages are transmitted over inadequately protected channels;
- A mobile operator's employee can move your phone number to another SIM card.

Therefore, either by bribing a mobile operator's employee with access to the SMS database or by using the technique known as "SIM porting" (SIM swap), hackers can steal your Internet identity. Meddling with OTPs opens up a wide field of manipulation, from stealing your Facebook, Twitter or Instagram account via the password reset procedure (which is exactly what happened when Katy Perry's Twitter account was hacked) up to emptying your bank accounts, since banks still mostly rely on SMS for 2-factor authentication.

Fortunately, more and more services are moving to more secure two-factor authentication alternatives, and Instagram supports this trend. On July 18th, 2018 an article on TechCrunch announced that Instagram had started building non-SMS two-factor authentication.

"Instagram is finally working on token-based two-factor authentication!! 🎉 Thank you Instagram! I have been waiting for this since 2016! We finally won't have to rely our account's security on SMS! 😍 pic.twitter.com/u0iIPTaZO2" — Jane Manchun Wong (@wongmjane), July 17, 2018

What's wrong with SMS authentication?

1. SIM swap is real!

The hackers contact the mobile operator's support with a request to port your phone number to another SIM card, and by passing the verification with social engineering, they receive your SMS messages (including the ones with one-time passwords) from then on. In fact, SIM porting has become so common, and the problems with using SMS for two-factor authentication so grave, that the US National Institute of Standards and Technology (NIST) recommended dropping SMS for OTP delivery back in 2016 (in the draft of Special Publication 800-63B). This call has not yet been followed by the majority of the financial, healthcare, insurance and other industries. Almost any business dealing with your Personally Identifiable Information (PII) promotes SMS two-factor authentication as an additional security measure, or at least leaves the option open to its users.

| Read also: Dutch Scientists: SMS Verification Is Vulnerable

2. Your smartphone might be compromised with malware

SMS messages are stored in plain text on your mobile device. Many smartphones are susceptible to banking Trojans such as Perkele, Zitmo, Zeus or Citadel, which arrive bundled with third-party apps and monitor SMS messages for OTP codes. So, while your smartphone is supposed to be the safe second device for the case when your PC or laptop is compromised, it is actually the smartphone that can provide the back door to your data.

3. Don't rely...


How to Protect Your Privacy on Facebook

Posted by on 11:36 in Engineering, R&D | 0 comments


Personal privacy protection has become a popular topic in the last few months, especially in connection with the EU General Data Protection Regulation (GDPR), in force since May 2018, and the Cambridge Analytica fiasco. Facebook reacted almost immediately and provided tools for viewing and protecting your personal information. In this article we will talk about what information Facebook collects about you, why that is dangerous, and how to protect your privacy on Facebook so as not to become the victim of the next "Cambridge Analytica scandal", or of doxing, phishing, social engineering and so on.

To make it easier to navigate the article, here is a list of the issues we are going to cover:
- What Does Facebook Know About You
- Cambridge Analytica Scandal Explained
- How to Protect Your Data From Similar Future Misuse
- How To Make Your Facebook Profile Private
- General Privacy Settings
- Facebook Photo Privacy Settings
- Facebook Apps Privacy Settings
- Facebook Posts Privacy Settings
- Facebook Friends Privacy Settings
- Advanced Privacy Settings
- How To Delete Your Facebook Account

What Does Facebook Know About You?

We could simply say "everything", but it's not that simple. The information stored on Facebook depends on you and on the permissions you granted on your devices. Since most of us don't always pay attention to what we let devices or apps do, if you are an active user you are likely to be shocked by the amount and detail of the data Facebook holds about you. We'll go through the types of this information and give you some tips on how to protect your privacy on Facebook. But first, here is how to download the information Facebook has about you.

How to get your data

Log in to your Facebook account and click the down arrow in the upper right corner. From the drop-down list choose "Settings". There you will see a message asking you to proceed to "Your Facebook Information"; you can also find this option in the panel on the left. From the "Your Facebook Information" page you can view and download your full history. If you opt for downloading, it might take some time; exactly how long depends on how long you have been using the network, how active you were, and what kind of information you uploaded. The data is provided as a password-protected .zip file. On the download page you can choose to download all data or just a certain period, and you can also select the types of information you want to obtain. The file can be downloaded in HTML or JSON format; JSON is useful if you want to import the data somewhere else. Once generated, the file is available for download on the same page under the "Available Files" tab for four days.

| Read also: Doxing. What Is It? How to Dox? How to Protect Yourself from Doxing?

Types of Personal Information Stored on Facebook

The index.html file in the root of the folder opens the archive in your browser, letting you navigate through everything as you would any web page. There you'll find out that Facebook knows your username, real name,...


Man In The Middle Attack Prevention And Detection

Posted by on 16:03 in Engineering, R&D | 3 comments


In an age of dependence on technology, cybersecurity deserves more attention than ever. We leave a huge trace of our personal identity online, not to mention the enormous digital trail left in social networks when posting geotagged photos, reposting news and thoughts we consider important, and commenting on everything we have an opinion about. We use online banking for almost all our payments, and e-government services to avoid facing bureaucracy in person. Remember, every byte of such sensitive data can be stolen and used against you. You can lose all your money, and more, if you become the victim of an attack. One of the most dangerous and inconspicuous hacking techniques is the man in the middle attack. If it happens while you transmit sensitive data to your bank or, say, the tax office, you won't even notice that something is wrong, while the attacker is stealing your login credentials and anything else needed to compromise you.

In this article, we'll explain:
- what a man in the middle attack is
- how MITM attacks are performed
- how to protect your company from MITM attacks
- how to protect yourself as an ordinary user from man in the middle attacks

So, let's begin!

What Is a Man In The Middle Attack?

Before digging into how to stop a man in the middle attack, we should agree on what it is. A man in the middle attack is the digital equivalent of eavesdropping. It may occur whenever a device transmits data to a server or website: a smartphone sending its location to the server of an app installed on it, or a computer sending login credentials to a bank's server. The attacker intercepts the data being exchanged. If the connection is not encrypted, the attacker doesn't even have to decrypt anything; if it is encrypted but the client does not properly verify the server's certificate, the attacker can terminate the encryption on their own machine and re-encrypt towards the real server, with the same result. After the data is captured, the original data is usually forwarded to the destination server, though in some cases the attacker modifies it, depending on their purpose.

Man In The Middle Attack Explained

So, now let's explain the man in the middle attack in detail. You could easily have found yourself under a man in the middle attack before you even had your first computer: there can be a man in the middle of any channel used for exchanging data. For instance, unbeknownst to you, the mailman could take all the letters you wrote, open the envelopes, read them, reseal them so that it is impossible to tell that someone opened them, and send them on to the addressee. If you think "oh, I wouldn't mind anyone knowing what I write in my letters", think twice. What if you sent legal papers? Or business plans? Back in the Internet age, think again: what data do you send to servers? It could be anything from funny memes to approving transactions in online banking. In the online world, a man in the middle attack works the same way. For instance, let's imagine you connect...
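The excerpt ends before its "how MITM attacks are performed" section, so as an added example (the editor's, not the article's) here is detection logic for the most common way an attacker takes the man-in-the-middle position on a local network: ARP-cache poisoning, where the attacker's machine answers ARP requests for the gateway's and the victim's IP addresses so that both sides' traffic flows through it. The ARP records below are constructed, not a real capture; in practice they would come from a packet capture or from periodic `arp -a` snapshots. The gateway address and the TRUSTED mapping are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on one LAN segment as (seconds, sender IP, sender MAC).
# Not real capture data. 192.168.1.1 is the gateway. From t=61 a second MAC starts answering
# for the gateway's IP and for a workstation's IP: the signature of ARP-cache poisoning, the
# usual way a LAN man in the middle inserts itself between a host and its gateway.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (1.5, "192.168.1.10", "aa:bb:cc:00:00:10"),
    (2.0, "192.168.1.11", "aa:bb:cc:00:00:11"),
    (30.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (61.2, "192.168.1.1", "DE:AD:BE:EF:00:99"),   # attacker claims the gateway IP
    (61.3, "192.168.1.10", "de:ad:be:ef:00:99"),  # ...and the victim's IP (both directions poisoned)
    (61.4, "192.168.1.1", "de:ad:be:ef:00:99"),   # repeated to keep the poisoned entries fresh
]

# Static mappings the operator trusts (the gateway at least); assumed here, normally from inventory.
TRUSTED = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Return alert strings for two ARP-poisoning symptoms:
    (a) an IP whose MAC differs from the trusted mapping or from the MAC first seen for it;
    (b) a single MAC that claims more than one IP (the attacker impersonating both ends)."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    first_seen = {}
    ips_for_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = trusted.get(ip, first_seen.get(ip))
        if expected is None:
            first_seen[ip] = mac          # learn the first answer for an untrusted IP
        elif expected != mac:
            alerts.append(f"{ts:.1f}s: {ip} answered by {mac}, expected {expected} "
                          f"(possible ARP poisoning)")
        if ip not in ips_for_mac[mac]:
            ips_for_mac[mac].add(ip)
            if len(ips_for_mac[mac]) > 1:
                alerts.append(f"{ts:.1f}s: {mac} claims {sorted(ips_for_mac[mac])} "
                              f"(possible MITM host)")
    return alerts


def suspect_macs(replies, trusted=None):
    """MACs that were ever reported for an IP other than the expected one."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    first_seen, suspects = {}, set()
    for _, ip, mac in replies:
        mac = mac.lower()
        expected = trusted.get(ip, first_seen.setdefault(ip, mac))
        if expected != mac:
            suspects.add(mac)
    return suspects


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES, TRUSTED):
        print(line)
    print("suspect MACs:", suspect_macs(SAMPLE_ARP_REPLIES, TRUSTED))
```

Two caveats before wiring this to a real capture: a MAC legitimately owning several IPs (a router with virtual addresses, a VRRP pair failing over) will trip rule (b), so keep an allow-list; and detection only tells you interception happened. The prevention the article's title promises is making the interception worthless, which on the LAN means dynamic ARP inspection or static entries for the gateway, and above it properly verified TLS so that a successful man in the middle sees only ciphertext.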


Cybersecurity vs. Information Security

Posted by on 18:18 in Engineering, R&D | 0 comments


There is currently a large amount of similar terminology in the field of international information security, some of it without a generally recognized definition. The most controversial debates in international information security (IIS) focus on the interpretation of the terms "cybersecurity" and "information security" and their semantic nuances. Telling these terms apart is quite relevant, because many banking regulators now require banks to implement their own cybersecurity systems and IIS policies. It is therefore necessary to know what these definitions are, where the threats can come from, and how they can be prevented. So, what is the difference between the two terms?

Information security (sometimes shortened to InfoSec) is usually understood as the protection of all of a company's information from deliberate or accidental actions leading to damage to its owners or users. First of all, information security is aimed at risk prevention. Most often it is financial documents and the logins and passwords for entering various organizations' networks that are stolen from companies. That is what happened in July 2017, when the largest personal data loss in the US occurred at the credit bureau Equifax. The attackers obtained personal information on more than 143 million consumers and 209,000 credit card numbers. On September 8, 2017, the bureau's shares fell by 13%.

When building an information security program, special attention should be paid to the management structure you apply. InfoSec experts use the CIA triad (the abbreviation of its three components) as a guide for developing the policies and procedures of an effective information security program. The triad's components are as follows:

Confidentiality: the primary objective is limiting access to information. An example is an account routing number used while banking online. Encrypting data is the usual way of providing confidentiality. User IDs and passwords are the standard procedure, and two-factor authentication is becoming the norm; biometric authentication and hardware and software security tokens are also popular options.

Integrity: maintaining the consistency, accuracy, and trustworthiness of data throughout its life cycle. Data must not be altered in transit, and measures are taken to guarantee that data cannot be changed by unauthorized people.

Availability: authorized users should have easy access to the information they need, and all software and hardware should be adequately provisioned and updated regularly.

| Read also: General Data Protection Regulation Summary

The CIA triad is the model for securing your organization. Its three elements provide a strong set of security controls for storing and protecting your data.

Current kinds of information security threats:

First, and the most common cause, is employee carelessness and negligence. In 2010 an iPhone 4 prototype was left in a pub by one of Apple's employees, Gray Powell. There were still several months before the gadget's official presentation, but a student found it and sold it for $5,000 to Gizmodo journalists, who in turn published an exclusive review of the novelty.

Using pirated software. According to Microsoft research, 7% of the studied unlicensed programs contained software for stealing passwords and personal data.

DDoS attacks (Distributed Denial of Service). Usually, these attacks are...


Phishing, Vishing, Smishing, Pharming – What Is the Difference

Posted by on 19:02 in Engineering, R&D | 0 comments


The Internet has become an integral part of our lives. The network offers many incredible opportunities: communication, shopping, paying bills, and various entertainments. Unfortunately, not everyone uses the Internet for the good of society. With the rapid development of online resources, many types of fraud have arisen that aim to obtain confidential data and use it for personal profit. The main ones are phishing, vishing, smishing, and pharming. Still, to protect your personal data on the Internet it's enough to follow elementary data protection rules and to know how to recognize the common threats and how to combat them. That is exactly what will be discussed in this article.

Phishing

Phishing is one of the most commonly used methods of Internet fraud at present. It is a way of obtaining secret information in which the attacker uses well-known social engineering methods to make users hand over their personal data themselves: the number and code of a bank card, phone number, login, password, and e-mail address for certain services. Mainly, phishing is used to get access to users' online banking accounts or e-wallets, with the subsequent withdrawal of funds to the fraudster's account.

So how does phishing work? A user receives a phishing message that, first of all, plays on emotions. For example, it can be a notification about a big win or, on the contrary, a notification that the account has been hacked, with a suggestion to follow a phishing link and enter the login data. The user goes to the provided resource and "gives away" login and password to the fraudster, who quickly makes use of the information received.

There are several typical examples of Internet phishing:
- Attackers send out millions of messages on behalf of a well-known company to various e-mail addresses with a request to confirm login and password. When you click the provided URL you see an authorization page that is identical to the page on the original site. The trick is most likely hidden in the link: the domain looks very similar to the real one but differs by a few characters. Similar phishing messages can also be found on social networks.
- Phishers can use weaknesses in the SMTP protocol to send e-mails with a forged "Mail From:" line. Replying to such a letter, the user sends the answer directly to the offender.
- It is also necessary to be cautious when taking part in online auctions and sales, since goods offered on a legitimate site may be paid for through a third-party fraudulent website.
- Many users come across fictitious Internet organizations requesting donations.
- Online shops with suspiciously low prices for branded goods can also be counterfeit. As a result, there is a chance of paying for a product that will never be received, since it never existed.

| Read also: Top 7 Tips How to Protect Yourself from Phishing Scams

Vishing

Vishing (voice + phishing) is another variety of phishing that also uses social engineering methods, but over a phone call. This is how the attackers, let's call them "vishers", usually act: the user receives a phone call,...
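The three tells the phishing section describes (a message that plays on emotions, a sender line that does not match where the mail really came from, and a link whose domain differs from the real one by a few characters) can each be checked mechanically. As an added example (the editor's, not from the article), the block below parses a constructed e-mail with Python's standard `email` module, compares the From domain with the envelope sender recorded in Return-Path, and classifies every linked host against a list of the brand's real domains, catching digit-for-letter substitutions, brand names used as a leading label of another domain, and small edit distances. The brand domain example-bank.com, the sample message and the lure-word list are all assumptions made for the example.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, not a real phishing e-mail. The From header impersonates the
# (placeholder) brand example-bank.com, the envelope sender in Return-Path is a throwaway
# domain, and both links lead to look-alikes of the brand domain.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay-4821.net>
From: "Example Bank Security" <security@example-bank.com>
To: customer@example.org
Subject: Urgent: your account has been locked
Content-Type: text/plain; charset=us-ascii

We detected suspicious activity. Confirm your login within 24 hours:
http://example-bank.com.verify-login.net/session?id=4821
or https://examp1e-bank.com/login
"""

LEGIT_DOMAINS = ["example-bank.com"]   # the brand's real registrable domains (assumed)
LURE_WORDS = ("urgent", "locked", "suspended", "verify", "won", "prize", "hacked")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Digits commonly substituted for letters in look-alike domains (example-bank -> examp1e-bank).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain):
    """Lower-case, fold Unicode confusables to ASCII where NFKD allows, map digit look-alikes."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    return folded.translate(HOMOGLYPHS)


def edit_distance(a, b):
    """Levenshtein distance: catches domains a few characters away from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, legit=LEGIT_DOMAINS):
    """'legit' (the brand domain or a subdomain of it), 'lookalike', or 'unrelated'."""
    raw = host.lower().rstrip(".")
    for good in legit:
        if raw == good or raw.endswith("." + good):
            return "legit"
    norm = normalize_domain(raw)
    for good in legit:
        g = normalize_domain(good)
        # identical after confusable folding, brand used as a leading label of another
        # registrable domain (brand.com.evil.net), or within two edits of the real domain
        if norm == g or norm.startswith(g + ".") or edit_distance(norm, g) <= 2:
            return "lookalike"
    return "unrelated"


def analyze_email(raw):
    """Return a list of findings: lure wording, sender mismatch, and suspicious link hosts."""
    msg = message_from_string(raw)
    findings = []
    subject = msg.get("Subject", "")
    if any(w in subject.lower() for w in LURE_WORDS):
        findings.append(f"lure wording in subject: {subject!r}")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_domain and rp_domain and from_domain != rp_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    body = msg.get_payload(decode=True)
    body = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body)
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        verdict = classify_domain(host)
        if verdict != "legit":
            findings.append(f"{verdict} link: {host}")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print(finding)
```

Treat these as scoring signals rather than verdicts: mailing lists and sending services routinely put their own domain in Return-Path, and a two-edit threshold will flag short legitimate domains, so tune `LEGIT_DOMAINS` and the threshold per brand. The authoritative answer to "was the sender forged?" is the receiving server's SPF, DKIM and DMARC evaluation in the Authentication-Results header; this check is what you run when that header is missing or untrusted.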


How to Protect Your Business Against Cyber Crime

Posted by on 18:18 in Engineering, R&D | 0 comments


Is your business underestimating the impact of a potential cyber security breach? Even though cyber crime is estimated to cost businesses billions a year, many companies don't understand how they could be under threat. Not sure where to start? Here's how to protect your business against cyber crime.

Understand What You're Up Against

Before taking any other action, work out how secure your business currently is. A cyber security audit gives you a clear idea of where your business stands right now while identifying potential threats. An audit should take both external and internal threats into account: an employee who brings an infected home device to work can cause just as much harm as an outside attacker. You should also back up data often to limit the damage an attack would cause, and installing anti-malware software is an essential step. From cookie theft to key logging, the list of potential threats can seem endless, so it pays to stay informed about the risks. Be aware, too, of new variants of old scams. Phishing is an old scam that remains a threat today; it comes in many forms and can be very deceptive. The world of cyber crime is constantly evolving, which makes it hard to keep track of, but by doing your due diligence and keeping up to date with recommended practice you give your business the best chance of staying protected.

Implement a Cyber Security Plan

Once your risk assessment is mapped out, it's time to put a strategic plan together. The first step is to implement a risk management policy and make sure all employees have been informed of the changes. Everyone associated with your organisation, including suppliers and contractors, needs to comply with your security plan; anyone who doesn't should be treated as a security risk. Extra attention should be given to reviewing the password policy, and ideally all accounts and devices would use 2-factor authentication wherever possible. Keep monitoring and testing your security controls after the plan has been implemented, and if you notice abnormal activity in your business, act on it before it's too late.

Use Security Solutions

In the dark about the steps needed to protect your business? Fortunately there are a number of schemes and solutions out there to help. In the UK there is the government-backed Cyber Essentials scheme, which is claimed to protect against up to 80% of common cyber attacks. Alternatively, by enrolling in GCHQ Certified Training you can get an in-depth understanding of cyber security and of the process of protecting your company. These schemes cover a variety of bases, including:
- ensuring your Internet connection is secure;
- safeguarding devices;
- restricting access to your data;
- providing virus protection;
- reducing the threat of hacking.

So, while it's essential to have your own cyber security plan in place, using existing schemes can help ensure your business is as secure as possible.

Be Prepared to Be Hacked

Prepare for all eventualities! By preparing for a cyber attack you'll have a much better chance of dealing with it effectively. Unfortunately, every business is a potential victim of cyber crime. Having a plan in place to deal with an attack...


Doxing. What Is It? How to Dox? How to Protect Yourself from Doxing?

Posted by on 11:37 in Engineering, R&D | 0 comments


Being so used to living their lives on the Internet, people usually don't consider the after-effects of sharing the most intimate and private details. Who thinks of the danger in posting granny's good old apple pie recipe, the kids' photos from the graduation show, or geotags from a vacation trip? Nobody does, until the doxers step forward to invade your privacy.

What is doxing? Doxing definition

The most common definition of doxing (or doxxing) is "the practice of searching out and broadcasting private, authentic information about a specific person or organization against their will, using Internet technologies, as a rule with malicious intent". Some sources also describe doxing as a powerful cyber-weapon with an incredible range, pointing its virtual guns at far-off targets.

Origin of the term

There are two theories about the origin of the term:
- The word dox comes from "dropping dox", hacker slang for gathering a dossier on someone for the purpose of revenge. One of the first official mentions of the term was in 2003, when ransomware (doxware) that blocked personal data and followed up with extortion appeared.
- The etymology of doxing is simply a slangy spelling of "documents"/"docs".

Who can become the victim?

The information is gathered not only from public sources such as social media accounts, comments and online chats. And it won't only be you (the person who blurted the information out) who is scrutinized and doxed, but also your friends, relatives and other contacts. Add the fact that doxing tools can involve hacking techniques, such as doxing through an IP address or sniffing, and we come to the deplorable conclusion: in actual fact, ANYONE can become a doxing victim.

In 2017 a group of researchers from NYU and the University of Illinois presented a report on doxing at the ACM Internet Measurement Conference in London. They found that most doxes include highly identifying information about the victims and their family members, such as full legal names, phone numbers, real postal and IP addresses, online social networking accounts, and so on. The data they presented is embarrassing and shocking. Even though the typical target was an American male gamer in his 20s, it is absolutely clear that everybody is at risk.

| Read also: Top 7 Tips How to Protect Yourself from Phishing Scams

Is doxing illegal?

A difficult question, as all the legal points tend to be ambiguous. Where the information was found in a public open source and republished without significant harm, it is usually not considered actionable by the courts. When someone is doxed with the intention of further harassment, and the dox attack results in pain, suffering and loss of amenity, or even personal injury in some cases, it is treated as illegal activity. The US lawyer, publicist and activist Susan Basko holds the reasonable opinion that doxing is illegal in any case, whether exercised against public employees or ordinary citizens. The United States has federal laws protecting public officers from deliberate doxing; a dox attack on an ordinary person might be treated as harassment, cyberstalking, threats, etc., depending on the specific state's legislation. There have been attempts at misinformation, convincing people that doxing is...
