Blog Feed

How to Protect Facebook Account from Being Hacked

Posted by on 15:20 in Engineering, R&D | 0 comments


Why should you worry about protecting Facebook from hacking?

Many tend to believe that the security of their social media presence isn't the first thing worth the effort. You don't often see a question like "How can I protect my Facebook account from being hacked?" unless the person asking got hacked recently and now seeks protection based on that bitter experience.

What does a hacker get when they hack your FB account? Obviously, criminals get access to all your photos and messaging history, which opens 'great' social engineering opportunities. You might have heard stories where close friends ask to borrow some money in a message and, well, many people say 'Sure, here you go!' and get scammed. Criminals may also extract much more information from your private messages. Who would like their messages to be read by a stranger at all? There may be confidential info there. Secrets. Passwords. Nudes? What if all this becomes public? You can ask Jennifer Lawrence about what might happen. Hackers can ultimately undermine your reputation and make your friends' private information also vulnerable to publication and other manipulations.

But the main thing is that the GDPR (General Data Protection Regulation) has now come into force and Facebook allows users to download all private data related to their personal accounts in one click. That means a hacker who has broken into your profile will be able to do the same.

This article will tell you how to protect your Facebook account from being hacked and offer a whole list of Facebook security best practices. Let's secure your account and keep your private info safe.

Zuckerberg's own Facebook account got hacked in breach https://t.co/Fs4DHBeSS6 pic.twitter.com/AzL9HUw5Sa — New York Post (@nypost) September 29, 2018

Useful to know: Top 10 Ways Hackers Use To Hack Facebook Accounts

Now let's get acquainted with a list of Facebook profile hacking methods and find out how to protect your Facebook account from being hacked:

Method: Password phishing
Description: The most popular and fruitful way to get your account data is the creation of full copies of real Facebook pages. Victims enter their emails and passwords to log into a fake page, becoming easy prey for a scammer.
What to do:
- Try not to work with Facebook from unknown devices;
- Use a VPN while on public WiFi;
- Don't click the links in emails from the 'Facebook team' claiming your account is hacked and you must enter your verification data immediately;
- Try to use Google Chrome for Facebook; this browser is able to recognize some phishing web pages.

Method: Authentication data saved in the browser
Description: A browser usually offers to save your login and password to automate further authorizations when you enter your Facebook page. If you accidentally open a hacker resource and allow it to save the data, your security is ultimately undermined.
What to do: Never use automatic authorization in your browser for any website, including Facebook. To find out which passwords you have already saved and secure yourself against being hacked, enter the following in Google Chrome: chrome://settings/passwords. Learn how to check saved passwords in Firefox here.

Method: Email breach
Description: Sometimes it's easier for scammers to break into your email than to hack FB. If you don't use a strong password to protect access to your email account and don't activate two-factor...


Windows Computer Safety Tips

Posted by on 12:20 in Engineering, R&D | 0 comments


Windows is undoubtedly the most popular family of operating systems for personal computers and laptops worldwide. It is used on home machines and corporate workstations alike, so the question of ensuring Windows user profile security is essential. This article provides some Windows computer safety tips we hope will be useful to you.

In order to understand how to protect Windows and what Internet safety measures there are, we must first understand which Windows security breaches are possible and widespread. That said, there are 10 major Windows security issues to keep in mind:

1. Unpatched and outdated software.
2. Lack of antivirus for Windows 7 or later versions.
3. Disabled Windows firewall.
4. Absent disk encryption and backups.
5. Lack of minimum Windows security standards.
6. Full access permissions for everyone.
7. Weak passwords.
8. Insufficient Windows security policy strength.
9. Legacy software within the corporate network.
10. Mobile access exploits.

Even this short breakdown of the main issues of Windows computer protection highlights the massive problems any business can face if it prefers to leave the matter unattended. Luckily enough, there are multiple solutions for each of the aforementioned issues, and we will list them too.

1. Update Windows and Software Regularly

Disabling the automatic Microsoft Windows update is the easiest way to ensure the system won't begin to upgrade while you are playing your favorite online game, yes. However, this is also the shortest route for hackers to get access to your system once they are inside the network. Still thinking that providing full access to anyone was a great idea? When you use only licensed and fully updated software, the risk of catching a virus is significantly reduced. Do you recall the 2017 Petya ransomware attacks in Europe? It turned out the major part of the infection was done through a security hole that had been fixed by a Windows update released... 6 months prior to the attacks! If only the users had taken 10 minutes to download and install it... Instead, they either paid the ransom or lost their sensitive data.

Enable automatic Windows updates

For Windows 7 updates, just go to the Control Panel from the Start menu, then to System and Security > Windows Update > Change Settings. Then choose a time when you can spare about 15-30 minutes to download the Windows upgrade files, install them and reboot the computer, and rest assured your Windows system files are up to date. The same goes for all the software you use, as new vulnerabilities in multiple software and hardware tools are discovered daily, like the Meltdown and Spectre processor vulnerabilities.

Create a restore point

One of the best ways to secure Windows computers is to create a Windows restore point. Sometimes new drivers are incompatible with some of your hardware, or the update process may go awry, etc. There is a widely known case where Windows 7 users have to download outdated Nvidia drivers to play Heroes of Might & Magic VI, as any newer version of the video drivers results in a black screen. However, the consequences might be much more serious than the inability to play one of the best turn-based games of all time. To create a system restore point on Windows 7, go to the Start menu, then Control Panel > System and Security > System, and open the System Protection tab. Press the Create button and choose the name...


Why US, Canadian, and EU Universities Choose Programmable Hardware OTP Tokens

Posted by on 18:03 in Protectimus Products | 0 comments


Almost all universities and colleges in the US, Canada, and the EU use two-factor authentication to protect their faculty and staff accounts. Quite often they choose in-app 2-factor authentication, which means that one-time passwords are generated on the users' smartphones. In this case, though, they face a few issues:

- Not everybody agrees to use their personal smartphone for corporate needs.
- Some people still use old models of cell phones and physically can't download a 2FA app.
- When people use their own devices, there is no guarantee that these devices aren't infected with viruses.

Many universities turned to Protectimus for help describing the same situation. Among them are The George Washington University, Middle Tennessee State University, College of Central Florida, University of Guelph, Simon Fraser University, Old Dominion University, The University of Groningen, Trent University, etc.

And actually, there is a simple solution (short of buying corporate smartphones for all the staff): the programmable hardware tokens Protectimus Slim NFC. These OTP tokens are programmed as if they were a 2FA app. All you need is one NFC-enabled Android smartphone for the administrator. The admin scans the QR code with the secret key using the TOTP Burner application and then flashes this secret key to the token via NFC. The TOTP Burner app is available on Google Play for free. The administrator can program an unlimited number of tokens with one smartphone.

So, with programmable hardware tokens:

- You don't have any trouble with people who don't have a smartphone or don't want to use their own device at work.
- You don't need to worry about malware. The hardware OTP token is a standalone device which works without an Internet or GSM connection, so the user can't infect this device even if they want to.
- The administrator is the only person who knows and stores the secret keys. It's not possible to pull the secret key out of the token.

Besides, we offer custom branding for any number of Protectimus Slim NFC tokens, starting from a single piece. Check the custom branded tokens our customers already use.

Read also:
- Read more about Protectimus Slim NFC tokens or order a few pieces to test
- How to Program Protectimus Slim NFC Token
- How to Backup Google Authenticator or Transfer It to a New Phone
- The Pros and Cons of Different Two-Factor Authentication Types and Methods
- 10 Basic BYOD Security Rules
- Top 7 Tips How to Protect Yourself from Phishing Scams
- Social Engineering: What It Is and Why It...


Reddit was hacked: how it happened, who the victims were, and why SMS authentication failed

Posted by on 17:59 in Industry News, R&D | 0 comments


Reddit was hacked. The attackers managed to extract logins, e-mail addresses, passwords (salted and hashed, fortunately), and even a complete list of private messages from users who joined the site before 2007. The hackers were also able to access the e-mail addresses and logins of all users who received the site's newsletter in June 2018.

SMS authentication failed. The attackers were able to intercept SMS messages containing one-time passwords, gaining access to the accounts of several Reddit employees.

Let's take a closer look:

- What exactly happened, and what is Reddit doing to minimize the consequences of the attack?
- Who were the victims of the Reddit attack, and how can you tell if you're one of them?
- Why did the SMS-based two-factor authentication fail, and what can you replace SMS messages with if you're still using them?

Reddit just disclosed a breach, says it's still investigating severity. Of particular note was that the intruders managed to bypass SMS-based two-factor authentication in the compromise. https://t.co/LCu6XAVn34 This is why physical 2-factor or at least app-based 2FA is superior. — briankrebs (@briankrebs) August 1, 2018

How Reddit was hacked

On June 19, 2018, the Reddit team realized that there had been a data leak. The attack itself happened sometime between June 14 and 18. The attackers managed to compromise the accounts of several Reddit employees who had access to cloud storage and source code. Access to the employees' accounts was protected by two-factor authentication, but through the traditional, old-fashioned method of delivering one-time passwords in SMS messages. The attackers intercepted the SMS messages containing one-time passwords and were able to bypass two-factor authentication. If all of Reddit's staff had been using hardware tokens, the hackers wouldn't have had even a chance at succeeding.

Despite the seriousness of the attack, the attackers weren't able to make any changes to the system. They had only read access. Nonetheless, they were able to view source code, configuration files, and internal logs. They were also able to download backups. Thus, all data regarding users and the operation of the forum, from its founding until 2007, fell into the hackers' hands. The attackers also downloaded a database of e-mail addresses belonging to users who received e-mail newsletters in June 2018.

What Reddit has done

First of all, Reddit's administrators strengthened the security of the logging, encryption, and monitoring systems. They also discontinued SMS authentication in favor of software and hardware OTP tokens. They reported the incident to law enforcement agencies, and an investigation was launched. Reddit users who may have been affected were sent messages with information about the incident, encouraging them to look after the security of their accounts: change passwords, enable two-factor authentication. Detailed instructions on how to activate two-factor authentication for Reddit are available here.

So is Reddit actually emailing people who had their addresses and usernames exposed? The way this reads, it doesn't sound like it and they're relying on people to check if they've been receiving email digests and draw a conclusion from that, right? https://t.co/s2pFDAD9NN — Troy Hunt (@troyhunt) August 1, 2018

Who was affected by the Reddit attack

Reddit's team is not disclosing the number of affected users. All the same, we're talking about millions of people. The affected users can be divided into 2 groups: Everyone...


How to enable two-factor authentication on Reddit

Posted by on 19:38 in Setup Guides | 0 comments


Learn more about the Protectimus Slim NFC security token or order one here: Protectimus Slim NFC, the best 2FA token to protect your Reddit account!

To set up two-factor authentication on Reddit, first of all, log in to your Reddit account and initiate the two-factor authentication setup.

1. Go to the "User Settings" page using the navigation menu in the upper right corner.
2. Click "Privacy & Security".
3. Choose "Two-factor authentication".
4. Click the button "click to enable".
5. Confirm that your email address is correct.
6. Enter your password and click "Next".
7. You will see the QR code with the secret key. Now you can either scan it with your authentication app (Google Authenticator, Protectimus Smart, Authy, etc.) or add it to your hardware security token Protectimus Slim NFC. Learn how to program the Protectimus Slim NFC token.
8. After you have programmed the hardware OTP token or enrolled a software token on your smartphone, enter the 6-digit one-time password in the corresponding field and click "Enable two-factor".
9. You'll see a notification about successful 2-factor authentication setup.

Enjoy reliable and convenient protection for your account: make hackers' lives difficult with two-factor authentication on!

Main image...


Non-SMS Two-Factor Authentication for Instagram. Why Is It Good?

Posted by on 13:03 in R&D | 0 comments


Did you know your Instagram two-factor authentication is ensured by a technology that has a backdoor as big as the hole in the Titanic after it met the iceberg? Well, we will tell you more: the same faulty technology may still ensure the security of your Facebook and Twitter accounts! Last, but not least: you use the same technology to confirm most of your online purchases, so yeah, your bank account can be compromised as well. The name of that flawed technology is SMS authentication.

SMS-based 2-factor authentication has a few huge drawbacks undermining the system's functionality:

- SMS are stored and sent as plaintext on your smartphone and can be compromised with malware;
- SMS are transmitted over inadequately protected channels;
- Any mobile operator's employee can move your phone number to another SIM card.

Therefore, either by bribing a mobile operator's employee with access to the SMS database or by using the technique known as "SIM porting", hackers can steal your Internet identity. Meddling with OTPs opens up a wide field of manipulations, from stealing your Facebook, Twitter or Instagram account via the password reset procedure (which is exactly what happened when Katy Perry's Twitter account was hacked) up to stealing your bank accounts, as banks still mostly rely on SMS for 2-factor authentication.

Fortunately, more and more services are starting to move to more secure two-factor authentication alternatives. And Instagram supports this good trend. On July 18th, 2018 an article on TechCrunch announced that Instagram had started building non-SMS two-factor authentication.

Instagram is finally working on token-based two-factor authentication!! 🎉 Thank you Instagram! I have been waiting for this since 2016! We finally won't have to rely our account's security on SMS! 😍 pic.twitter.com/u0iIPTaZO2 — Jane Manchun Wong (@wongmjane) July 17, 2018

What's wrong with SMS authentication?

1. SIM swap is real!

Hackers can contact the mobile operator's technical support with a request to port your phone number to another SIM card, and by completing the verification with the help of social engineering tactics, they will be receiving your SMS (including the ones with one-time passwords) from then on. In fact, the issues with SIM porting have become so common, and the flaws in using SMS for two-factor authentication have proven so grave, that the US National Institute of Standards and Technology (NIST) recommended dropping SMS for OTP delivery back in 2016. However, this call has not yet been followed by the majority of the financial industry, healthcare, insurance and so on. Almost any business dealing with your Personally Identifiable Information (PII) promotes using SMS two-factor authentication as an additional lever for ensuring security, or at least leaves this option to its users.

| Read also: Dutch Scientists: SMS Verification Is Vulnerable

2. Your smartphone might be compromised with malware

SMS messages are stored in plain text on your mobile device. Many models of smartphones are susceptible to specific Trojans like Perkele, Zitmo, Zeus or Citadel, which can be downloaded as malware with some third-party apps and monitor the SMS messages with OTP codes. That said, while your smartphone is considered a safe-haven device for the case when your PC or laptop is compromised, it is actually the smartphone that can provide the backdoor to your data.

3. Don't rely...


How to Protect Your Privacy on Facebook

Posted by on 11:36 in Engineering, R&D | 0 comments


Personal privacy protection has become a popular topic in the last few months. This is especially related to the EU General Data Protection Regulation (GDPR), which came into force in May 2018, and the Cambridge Analytica fiasco. Facebook has reacted almost immediately and provided tools for protecting and viewing your personal information. In this article, we will talk about what information Facebook collects about you, why it is dangerous, and how to protect your privacy on Facebook so as not to become the victim of the next "Cambridge Analytica scandal", as well as of doxing, phishing, social engineering, and so on. To make it easier to navigate through the article, here is a list of the issues we are going to cover:

- What Does Facebook Know About You
- Cambridge Analytica Scandal Explained
- How to Protect Your Data From Similar Future Misuse
- How To Make Your Facebook Profile Private
- General Privacy Settings
- Facebook Photo Privacy Settings
- Facebook Apps Privacy Settings
- Facebook Posts Privacy Settings
- Facebook Friends Privacy Settings
- Advanced Privacy Settings
- How To Delete Your Facebook Account

What Does Facebook Know About You?

We could simply say "everything", but it's not that easy. The information stored on Facebook depends strictly on you and the accesses you granted on your devices. Since most of us don't always pay attention to what we let devices or apps do, if you are an active user, you are likely to be shocked by the amount of data and the details Facebook knows about you. We'll go into the types of this info and give you some tips on how to protect your privacy on Facebook. But before this, here are the instructions on how to download the information Facebook holds about you.

How to get your data

1. Log into your Facebook account and click on the down arrow in the upper right corner.
2. From the drop-down list choose "Settings".
3. There you will see a message asking you to proceed to "Your Facebook information". You can also find this option on the left side of the panel.
4. From the "Your Facebook information" page you can view and download your full history.

If you opt for downloading, it might take some time. The exact time will depend on how long you have been using the network, how active you were, and what kind of information you uploaded. The data will be provided to you in the form of a password-protected .zip file. On the download page, you can also choose to have all data downloaded or just a certain period. You can also choose the types of information you want to obtain. The file can be downloaded in HTML or JSON format. The JSON format can be of use if you want to import the received info somewhere else. Once generated, the file will be available for download on the same page under the "Available Files" tab for four days.

| Read also: Doxing. What Is It? How to Dox? How to Protect Yourself from Doxing?

Types of Personal Information Stored on Facebook

The index.html file in the root of the folder opens the archive in your browser. That will allow you to navigate through everything as you would any webpage. On this webpage, you'll find out that Facebook knows your username, real name,...


Man In The Middle Attack Prevention And Detection

Posted by on 16:03 in Engineering, R&D | 3 comments


In the age of dependence on contemporary technologies, cybersecurity issues are as vital to pay attention to as never before. We leave a huge trace of our personal identity online, not to mention the enormous digital trail we leave in social networks when posting photos with geolocation, reposting all the news and thoughts we consider important, and commenting on everything we have an opinion about. We also use online banking for almost all our payments, and we use e-governance services to avoid facing bureaucracy in person, etc. Remember, every byte of such sensitive data can be stolen and used against you. You can lose all your money and even more than that if you become a victim of a hacker attack. And one of the most dangerous and inconspicuous hacking techniques is the man in the middle attack. If it happens when you transmit sensitive data to your bank or, for example, the tax office, you won't even understand that something wrong is going on, while the attacker will be stealing your login credentials and any other info he/she needs to hack you.

In this article, we'll explain:

- what a man in the middle attack is
- how MITM attacks are performed
- how to protect your company from MITM attacks
- how to protect yourself as an average user from man in the middle attacks

So, let's begin!

What Is a Man In The Middle Attack?

Before we start digging into how to stop a man in the middle attack, we should be on the same page regarding what it is. A man in the middle attack is the digital equivalent of eavesdropping. It may occur when a device transmits data to a server or website. For instance, it may be a user's smartphone that sends its location to the server of an app installed on it, or a computer sending login credentials to the bank server. The attacker can intercept the data that is being exchanged. If the connection is not secure, the attacker won't even have to decrypt the data. After the data gets captured, the original data is usually sent on to the destination server, though in some cases the attacker can modify the information; it depends on the purpose he/she has.

Man In The Middle Attack Explained

So, now let's explain the man in the middle attack in detail. You could easily have found yourself under a man in the middle attack before you even had your first computer. The thing is that there can be a man in the middle of any channel used for data exchange. For instance, unbeknownst to you, the mailman could take all the letters that you wrote, open the envelopes, read them, seal them in a way that makes it impossible to see that someone opened the letter, and send them to the addressee. If you think "oh, I wouldn't mind anyone knowing what I write in my letters", think twice. What if you sent some legal papers? Or business plans? If we return to our present Internet age, think again: what data do you send to servers? It could be anything from exchanging funny memes to approving transactions via online banking systems. In the online world, a man in the middle cyber attack works in the same way. For instance, let's imagine you connect...


Cybersecurity vs. Information Security

Posted by on 18:18 in Engineering, R&D | 0 comments


Currently, a large number of similar terms are used in the field of ensuring international information security, sometimes without even a generally recognized definition. The most controversial debates on global markets in the field of international information security (IIS) are focused on the interpretation of the terms «cybersecurity» and «information security» and related semantic nuances. Telling the difference between terms like «cybersecurity» and «information security» is quite relevant, because nowadays a lot of banking regulatory agencies request banks to implement their own cybersecurity systems and IIS security policies. Therefore, it is necessary to know what these definitions are, which side the threat can come from, and how it can be prevented. So, what is the difference between these two terms?

Information security (sometimes shortened to InfoSec) is usually understood as the protection of the whole company's information from deliberate or accidental actions leading to damage to its owners or users. First of all, information security is aimed at risk prevention. Most often, what gets taken from companies is financial documents and the logins and passwords for entering the networks of different organizations. That is what happened in July 2017, when the largest personal data loss in the US occurred at the Equifax credit history bureau. The attacker got personal information of more than 143 million consumers and 209,000 credit card numbers. All in all, on September 8, 2017, the shares of the bureau fell by 13%.

While creating the program for information security, special attention should be paid to the correct management structure you apply. InfoSec experts use the CIA triad (the abbreviation of its three components) as a manual for developing policies and procedures for an efficient information security program. The triad components are as follows:

- Confidentiality: The primary objective is limiting access to information. As a case study, an account routing number while banking online may be used. The encryption of data is a common method of providing confidentiality. IDs and passwords constitute a typical procedure; two-factor authentication is becoming the standard. Biometric authentication and hardware and software security tokens are also popular options.
- Integrity: It ensures data coherence, exactness, and reliability throughout the life cycle. Data should not change in transit, and all actions are aimed at guaranteeing that data won't be changed by unauthorized people.
- Availability: Authorized users should have easy access to the necessary information when needed, and all software and hardware should be provided adequately and updated regularly.

| Read also: General Data Protection Regulation Summary

The CIA triad constitutes the rule sample for securing your organization. Its three constituent elements present a strong set of safety controls for storing and saving your data.

Actual kinds of information security threats:

- First of all, and the most popular reason, is employee carelessness and negligence. In 2010, the iPhone 4 prototype was left in a pub by one of Apple's employees, Gray Powell. There were still several months before the official presentation of the gadget, but one student found it and sold it for $5,000 to Gizmodo journalists, who in turn made an exclusive review of the novelty.
- Using pirated software. According to Microsoft research, 7% of the studied unlicensed programs contained special software for stealing passwords and personal data.
- DDoS attacks (Distributed Denial of Service). Usually, these attacks are...


Phishing, Vishing, Smishing, Pharming – What Is the Difference

Posted by on 19:02 in Engineering, R&D | 0 comments


Recently the Internet has become an integral part of our lives. The network offers many incredible opportunities such as communication, shopping, paying bills, and various entertainments. But unfortunately not always and not everyone uses the Internet for the good of society. Due to the rapid development of numerous resources, many types of fraud have arisen that aim to obtain confidential data and use it further for personal profit. The main ones are phishing, vishing, smishing, and pharming. However, to protect your personal data on the Internet it's enough to use elementary data protection rules and to know how to recognize the common threats and how to combat them. And this is exactly what will be discussed in this article.

Phishing

Phishing is one of the most commonly used methods of Internet fraud at this time. It is a way of obtaining secret information by an attacker who uses well-known methods of social engineering to make users hand over their personal data themselves. This can be the number and code of a bank card, a phone number, a login, a password, or an email address for certain services. Mainly phishing is used to get access to users' online banking accounts or e-wallets, with the further possibility of withdrawing funds to the fraudster's account.

So how does phishing work? A user gets a phishing message in his mailbox that, first of all, plays on his emotions. For example, this can be a notification about a big win or, on the contrary, a notification about the account being hacked with the further suggestion to follow a phishing link and enter the authorization data. The user goes to the provided resource and 'gives away' his login and password to the fraudster who, for his part, quickly makes use of the information received.

There are several specific examples of Internet phishing:

- Attackers send out millions of messages on behalf of a well-known company to various emails with a request to confirm their login and password. When you click the provided URL you see an authorization page that is absolutely identical to the page on the original resource. The trick, most likely, is hidden in the link to the site: the domain is very similar to the real one but differs in several symbols. A similar kind of phishing message can also be found in different social networks.
- Phishers can use shortcomings in the SMTP protocol to send emails with a fake "Mail From:" line. Responding to such a letter, the user sends the answer directly to the offender.
- It is also necessary to be cautious when participating in online auctions and sales, since goods offered for sale even on a legal resource can be paid for through a third-party fraudulent website.
- Many users face fictitious Internet organizations that request donations.
- Online shops with extremely affordable prices for branded goods can also be counterfeit. As a result, there is a chance to pay for a product that will never be received since it never existed.

| Read also: Top 7 Tips How to Protect Yourself from Phishing Scams

Vishing

Vishing (voice + phishing) is another variety of phishing that also uses methods of social engineering, but with the help of a phone call. This is how attackers, let's call them "vishers", usually act: The user receives a phone call,...
