Blog Feed

10 Basic BYOD Security Rules

Posted at 12:45 in R&D

Not everyone knows yet what BYOD (bring your own device) means, but anyone who uses a personal laptop or smartphone to reach corporate resources is already practising it, whether they realise it or not. The trend is gradually penetrating even "classic" offices, not to mention companies whose staff work remotely. The "bring your own device" concept emerged in the early 2000s, but the active transition from theory to practice started only in recent years, and it is happening in front of our eyes, for two main reasons:

- There has been explosive growth in the number of personal mobile devices, which keep getting more reliable, powerful and affordable.
- The number of companies whose employees work remotely is growing too. Hiring freelancers not only saves money on office equipment but also helps find and attract skilled professionals from all over the world.

There is also a psychological factor. Permission to use a lovingly chosen personal device noticeably increases an employee's loyalty: they feel freer and their motivation grows. Many people unconsciously start spending part of their own time on office tasks (for example, quickly answering business correspondence at home in the evening). The working day thus expands, at no cost to the company.

Everything seems fine: the staff is constantly reachable and always ready to discuss urgent business, and the company saves on equipment. But the coin has another side. Uncontrolled use of BYOD can be critical to the company's security (and therefore to its revenue). A single personal device is an easier target for cyber-criminals than a corporate network of managed, trusted machines, and corporate information is for internal use only.

Is it possible to combine the confidentiality of corporate information with the use of personal laptops and smartphones? To do so you must overcome two main mobile-security challenges: the vulnerability of mobile devices to malware, and the nonchalance of their owners when it comes to information security. Both problems can be tackled if there is the will, but BYOD security has to be designed and thought through in advance.

Basic BYOD security rules

- Antivirus and anti-spyware software approved by the company's IT security department, and updated regularly, is compulsory on employees' devices.
- All BYOD devices connect to the corporate network only via VPN.
- Data stored in the data centre repository is encrypted.
- A PIN code (or equivalent) is required to unlock the computer or smartphone, and strong authentication is required to sign in to accounts.
- Jailbroken or rooted devices running unofficial operating systems are prohibited. Users jailbreak for different reasons: to improve performance, to get unrestricted rights, to install cracked or pirated applications. But there is no place for such "improvements" on a smartphone or tablet used to access the corporate network, and this should be clearly explained to employees.
- There must be a technical means to erase data remotely if a BYOD device is lost or stolen.
- Perhaps, the restriction of access...

Ransomware – to Pay or Not to Pay

Posted at 13:22 in R&D

Just recently a new "creative" ransomware called CryptMix appeared in the malware family. It promises its victims that their money will go to a children's charity. The statement might look like a joke, but the victims, cut off from their files, hardly find it funny; and so far CryptMix cannot be decrypted with any available tool.

Among all the varieties of malware (blockers, trojans, spyware, keyloggers) ransomware is the most unpleasant. Such programs usually encrypt the files on the infected computer's disk and demand a ransom for the decryption key. Any kind of document can be hit: images, presentations, texts, spreadsheets, archives and databases. There is also another kind, like the much-discussed "Petya", which makes the whole hard drive inaccessible at once by encrypting the file system's master file table rather than individual files.

Today the computer is the main working tool for most people, so it is important to know how to protect yourself from ransomware and how to recover the files it damages; losing the results of your work to an infection is painful for anyone. For companies the situation is even worse: apart from paralysing the work process, ransomware can harm the health and well-being of the company's clients. Not long ago we wrote about exactly such a misfortune at the Hollywood Presbyterian Medical Center, whose management did not wait for the outcome of the police investigation and paid the attackers so as not to endanger patients' lives.

Is it worth paying to unlock the ransomware?

The idea that the best way to restore encrypted files is to pay the extortionists was voiced by an FBI officer at the Cyber Security Summit in 2015. Many security experts disagree. They rightly remind us that the "owners" of any ransomware are real criminals, and even after getting a "recipe" for recovering your files from them, you should not assume you are safe.

Prevention is better than cure

It is better to think about protection against ransomware before anything has happened. A few simple precautions:

- Create and maintain up-to-date backups of your files. Better to have not one but two backups of the most important data on different kinds of media, for example an external hard drive and cloud storage, and keep at least one of them disconnected from the computer so that the ransomware cannot encrypt the backup along with the originals. Yes, it is a bit of bother, but recovering data after a ransomware infection is far more trouble.
- Do not fall for phishing. There are three main sources of infection: downloading content from pirate websites, clicking links in emails from untrusted senders, and opening files attached to such emails.
- Turn on the display of file name extensions in your operating system's file manager (Windows hides known extensions by default). Since the malware is a program, files with extensions such as "scr", "vbs" and "exe" should be the first to raise suspicion. Pay attention to the last extension in the name, since attackers often chain several extensions to disguise the malware as a video...
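As an added example (not code from the original post), here is the check a mail gateway or a cautious user can apply to attachment names: it judges a file by its last extension, flags the "video.mp4.exe" pattern the text describes, and goes one step further by also catching names padded with spaces so that the real extension is pushed out of view. The extension lists and the sample attachment names are constructed for illustration and are not exhaustive.

```python
"""Spot attachments that chain extensions to disguise an executable as a document or video.

Added example for this post (not code from the original article). The extension lists
are constructed for illustration and are not exhaustive."""
import os
from typing import List, NamedTuple

# Extensions Windows executes on double-click (constructed, partial list).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "msi", "hta", "jar", "lnk", "cpl",
}
# Harmless-looking extensions typically used as the decoy in "video.mp4.exe".
DECOY_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
    "jpg", "jpeg", "png", "gif", "mp4", "avi", "mkv", "mov", "mp3", "zip",
}


class Verdict(NamedTuple):
    suspicious: bool
    reason: str
    shown_as: str  # what the user sees with "Hide extensions for known file types" on


def split_extensions(name: str) -> List[str]:
    """All dot-separated extensions of a file name, lower-cased, with surrounding
    whitespace stripped so that 'report.pdf          .exe' still yields ['pdf', 'exe']."""
    parts = [p.strip() for p in name.lower().lstrip(".").split(".")]
    return parts[1:]


def windows_display_name(name: str) -> str:
    """Windows hides only the LAST extension, so 'video.mp4.exe' is shown as 'video.mp4'."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def check_attachment_name(name: str) -> Verdict:
    """Classify a single attachment file name by its final (effective) extension."""
    exts = split_extensions(name)
    shown = windows_display_name(name)
    if not exts:
        return Verdict(False, "no extension", shown)
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
            return Verdict(True, f"executable .{last} disguised as .{exts[-2]}", shown)
        return Verdict(True, f"executable .{last}", shown)
    return Verdict(False, f"data file .{last}", shown)


def suspicious_attachments(names: List[str]) -> List[str]:
    """Return the names a mail gateway should quarantine or flag."""
    return [n for n in names if check_attachment_name(n).suspicious]


# Constructed sample attachment names, as they might appear in a phishing mail.
SAMPLE_ATTACHMENTS = [
    "Holiday_video.mp4.exe",
    "Invoice_2016_03.pdf",
    "Invoice_2016_03.pdf                                .scr",
    "Payment_details.vbs",
    "backup.tar.gz",
    "README",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        v = check_attachment_name(name)
        flag = "SUSPICIOUS" if v.suspicious else "ok        "
        print(f"{flag}  {name!r:55}  shown as {v.shown_as!r}: {v.reason}")
```

The shown_as field is the point of the exercise: with extensions hidden, the dangerous "Holiday_video.mp4.exe" is displayed as "Holiday_video.mp4", which is exactly why the trick works and why the first precaution is to make the operating system show the full name.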

Turn on Two-Factor Auth on Linkedin Today

Posted at 16:55 in Industry News

Another scandal with hacked accounts has rocked the network and given us one more reason to think about the importance of two-factor authentication for everyone. This time the data protection of LinkedIn, the largest social network for professionals, was found wanting. The breach itself happened four years ago, in summer 2012: attackers obtained the email addresses and password hashes (unsalted SHA-1, and therefore easy to crack) of LinkedIn users, and 6.5 million of the hashes were soon posted online. The company could not deny the breach and reset the passwords of the accounts whose data had been published.

But the 2012 losses turned out to be far larger than assumed. A few days ago a hacker calling himself Peace_of_mind offered LinkedIn user data for sale on a DarkNet marketplace: 167 million accounts, 117 million of them with passwords, for about $2,200 payable in Bitcoin. According to LinkedIn's representatives this is the very database that leaked four years ago.

Soon after the database went on sale, a group calling itself OurMine Team took over several Twitter and Tumblr accounts of well-known people, among them Markus Persson, the author of Minecraft, the singer David Choi, and even Twitter co-founder Biz Stone. The group claims it did not use the 2012 data, but all the victims had LinkedIn accounts linked to their other accounts and were among those compromised in 2012. Coincidence?

What should LinkedIn breach victims do?

In order not to lose more than has already been lost to the attackers and to LinkedIn's negligence, do three things immediately:

1. Change your LinkedIn password. Although the service has already reset passwords, it is better to choose your own. After hiding the real scale of the leak for four years, apparently hoping it would "melt away" on its own, LinkedIn's administration cannot be trusted one hundred percent, so create a new strong password following all the usual rules.

2. Change the passwords of all your other accounts. Most accounts on different services are connected in one way or another; having taken over one, a fraudster can reach the others (as probably happened to Choi, Stone and the rest). Despite all the warnings, many people still use two or three passwords for every website at best, and some have a single "universal" password for everything. Under these conditions the effectiveness of any data protection tends to zero; only a separate, strong password for each account saves the situation.

3. Use two-factor authentication. To avoid a repeat of such stories, turn on two-factor auth on every website that supports it. Even when fraudsters obtain a leaked database, the password alone will not let them take control of accounts protected by a second factor.

The last point deserves a closer look. Many users believe that...

Protectimus Cuts the Prices

Posted at 14:42 in Protectimus Products

Two-factor authentication is an indispensable element of a modern information security system. Every resource that stores confidential user data is obliged to protect it reliably, and "reinventing the wheel" here is dangerous and unprofitable. A company that develops its own two-step verification assumes full responsibility for it, and such home-grown solutions very often contain vulnerabilities that later lead to disastrous results, because they undergo no independent security review or certification. Building your own solution also requires additional investment: servers, developers' salaries and so on. Buying a ready-made two-factor authentication solution is therefore both safer and more convenient.

Professional 2FA solutions are definitely more reliable, since they pass a number of tests before they reach the market. For example, the Protectimus two-step verification solution is certified by the industry-wide OATH initiative and was tested by the security experts of the OnSec company and by the hackers at the ZeroNights 2014 conference in Moscow.

Unfortunately, many companies cannot afford a ready-made 2FA solution, because such solutions are quite expensive: the cost can reach $6 per user per month. Protectimus' pricing policy is competitive and democratic. We believe it is our duty to popularise cyber security in general and two-factor authentication in particular, and to protect the users of even the smallest startup, 2FA must first of all be affordable. So we decided to revise our tariffs and reduce the cost of the two-factor authentication service further. Here is the list of changes our users will see:

- FREE: for small companies that just want to try the service; protects up to 10 users at no cost.
- STARTER: for companies protecting up to 34 users, at $0.99 per user per month.
- BUSINESS: for larger organisations with up to 144 users, at $0.77 per user per month.
- Above 144 users the per-user charge decreases in proportion to the number of users; you can calculate the approximate cost here after registration.

Good news for startups: we are launching the program "Let Your Startup Be Secure". Any startup can implement the Protectimus two-factor authentication solution and use it free for a year or more with no limit on the number of users.

You may be surprised by the slightly awkward numbers 34 and 144 that mark the boundaries of the tariff plans. We did not want to round them, because 34 and 144 are elements of the Fibonacci sequence, a sequence that displays the amazing harmony of the universe in...

10 Things You Can Do with the Smartwatch

Posted at 17:01 in R&D

How often do you worry about your phone running out of battery on a day when you have a heap of things to do? Have you ever left your phone at home while hurrying to work, and how did that day feel? Do you carry your phone everywhere (even to the toilet) when waiting for an important call? And what is it like when you are in crowded transport and your phone starts ringing from the depths of an inside jacket pocket or the bottom of a purse? There is no need to describe how much a modern person depends on the cell phone, or the awkward situations one gets into when unable to answer a call or read an important SMS. Fortunately, these inconveniences are easy to get around now that smartphones have multi-functional companions: smartwatches. Tiny, convenient and connected to the phone, they are easy to use and always at hand on your wrist.

What is a smartwatch, and what are its main functions?

A smartwatch looks like an ordinary watch but does more. Features differ between manufacturers, but most can receive and send text messages, receive push notifications and social media alerts, provide Internet access, play music and do many other things. So let's see how to use a smartwatch in everyday life as efficiently as possible.

Use case №1: Call management. Accept or reject incoming calls, switch on the speakerphone, mute the microphone, and see who is calling and how long the call has lasted. You can also check the call history and place calls; with a headset you do not even need to take the phone out of your pocket.

Use case №2: Receiving notifications. One of the main functions of a smartwatch is to receive notifications, like a mini-pager. You choose which apps may send push notifications to the watch, so without touching the phone you receive social media notifications, SMS, and messages from Hangouts, WhatsApp Messenger or Viber.

Use case №3: Music management. The watch can adjust the volume, skip tracks, and launch and control music apps on your phone.

Use case №4: Reading e-books. From the smartwatch menu you can open a text file without taking the phone out of your pocket; some watches read txt files. It is also a handy place to keep crib notes: one button press switches the watch back to normal mode, and it remembers where you stopped reading, which is useful when you reopen the file. You can change the font size, line and paragraph spacing, and the highlight colour.

Use case №5: Wrist navigator. A smartwatch is convenient for walking and cycling navigation. An app working with online maps gives spoken directions every time you pass the next waypoint, and the screen shows the speed, the distance to the next...

Panama Papers Leak – Evil or Good?

Posted at 16:59 in Industry News

The information bomb known as the "Panama Papers leak" was planted a year ago, though it detonated only on April 3, 2016, when the Panama documents were published on the Internet. It all started in 2015, when an unknown person offered journalists of the German newspaper Süddeutsche Zeitung the internal documents of the Panamanian law firm Mossack Fonseca. The source asked for no money, only that his anonymity be preserved. "John Doe" contacted Frederik Obermaier and Bastian Obermayer, correspondents of the Süddeutsche Zeitung. Having grasped the enormous amount of information in the Panama papers, they decided to involve the International Consortium of Investigative Journalists (ICIJ).

For a year an international team of more than 400 journalists from different countries examined and analysed the Panama archive. Every effort was made to keep the investigation confidential: the participants used a purpose-built website protected with two-step verification and other security measures, communicated in real time (with each other and with the source) only through encrypted chats, and used only free software at every stage of processing and storing the data. This work resulted in a relatively large body of material published on the ICIJ website. Notably, the original documents have not been posted, only the researchers' interpretation and analysis. The archive itself is stored on Amazon Cloud Drive and is available only to those who know the URL and the password.

The journalists who first covered the Mossack Fonseca case, Bastian Obermayer and Frederik Obermaier, published a book, "Panama Papers: The Story of a Worldwide Revelation", describing the scandal. It was released in Germany on April 6. It does not duplicate the material on the ICIJ website but tells how the authors communicated with the stranger who supplied the sensational material and how the work was organised.

What is the crux of the matter?

The law firm Mossack Fonseca has more than forty offices worldwide, with its head office in Panama. Its main business is financial consulting for organisations and individuals, especially on setting up and running offshore companies. Offshores are not illegal in themselves, but they make it possible to hide the real owners of companies, which in turn allows tax evasion and the laundering of shadow capital, and this is where the law may have questions.

It is not the first time Mossack Fonseca's documents have leaked: in 2014 the German government was already offered some of the company's official documents for purchase. But that file was nowhere near as large, and the data were older. The current Panama Papers leak is, of course, one of the largest in the history of such incidents. Never before has so much valuable data been put into the public domain: the Panamanian file is 2.6 TB and contains more than 11 million files. The records cover nearly forty years of the company's activity (since 1977) and contain data on more than 214 thousand companies. The documents processed so far reveal...

Dutch Scientists: SMS Verification Is Vulnerable

Posted at 17:37 in Industry News

Computer security experts, in their confrontation with attackers, try to stay ahead of the curve: to model and foresee likely loopholes in the data protection of services and operating systems. In recent years special attention has gone to mobile operating systems, as more and more people use smartphones to sign in to their accounts or as a means of two-step verification. Most often users receive their verification codes (one-time passwords) via SMS. Sometimes OTPs are delivered as voice messages or generated by a dedicated application, a mobile one-time password generator. In this article we discuss the most popular OTP delivery method, SMS verification.

Unfortunately, SMS verification cannot provide a proper level of reliability. First of all, the mobile networks that carry SMS rely on weak or absent encryption in places (legacy GSM air-interface ciphers, SS7 signalling), so interception is feasible for an attacker with the right skills, equipment and access. But, according to researchers at the Vrije Universiteit Amsterdam, even this is not the main point: they have found another critical weakness of SMS-based authentication.

What is the problem with SMS verification?

Usually an attacker needs two things to pass two-factor verification on behalf of a victim: the victim's computer must be infected with a trojan, and the attacker must know the static password, the first factor. The Dutch researchers showed how to intercept SMS tokens on Android and iOS devices without even knowing the account's permanent password. The source of the trouble is the ability to synchronise your smartphone and computer. Invented for convenience, this feature provided by Apple and Google can now endanger the user's data.

Moreover, although Android was previously considered the more vulnerable, this study showed that the vaunted iOS is even easier to abuse. In both cases the only thing the attacker needs to bypass SMS-based authentication is a trojan on the victim's computer, and installing one is usually not difficult: there have already been cases of spyware disguised as useful programs getting into official app stores, and phishing, despite all the warnings, keeps working.

Events then develop differently depending on the mobile OS. On Android, the trojan, acting as the account holder, uses the account to push a spyware app to the smartphone linked to it. Once installed, the malware stays silent and waits for an SMS containing an OTP, then forwards the one-time password to the attackers' server before the real account holder has even entered it.

With OS X and iOS the trojan's job is even easier. Recent versions of these systems let you read iMessages (and, with text-message forwarding enabled, SMS) right from the computer; incoming messages are stored in a local message database on the computer's hard drive, and the malware only needs to monitor it while waiting for its moment.

Possible solution

If SMS verification can be compromised, what can protect you from this threat? Currently the most obvious solution...

Why Gamers Need 2-Step Verification

Posted at 14:29 in Engineering

Online games stopped being regarded as a frivolous pastime long ago. Today not only students but also bankers, senior managers and other respectable adults play computer games, and for some it has become a fairly profitable profession. Even when a game is played purely for fun, considerable sums of money are involved: buying bonuses and in-game resources, upgrading items and characters. Paid online games are also growing in popularity. As we know, fraudsters show up wherever there is money and try to get their hands on it, so protecting a player's account deserves close attention. Often the first barrier the fraudsters face is two-step verification. Let's take a closer look.

The risks gamers should fear, and how to avoid them

1. Phishing

The threat: In online gaming, phishing pages usually imitate popular game websites. Players are lured there under various pretexts: change your password, update your registration details, download an update. Such offers are usually reinforced with threats to block the game account. Once a victim enters their credentials on the fake site, all the fraudsters need to do to take full control of the account is change the password. Often the goal is to sell game accounts on the black market.

How to protect yourself: Type the game site's address manually when signing in (after playing for a while you will know it by heart) rather than following links in messages. Account theft also becomes much harder for the attacker if you use two-step verification at login.

2. "Dirty" play

The threat: Sometimes you come across players who try to gain an advantage by fraudulent means. Some exploit game server bugs or otherwise hack the game to obtain undeserved points, lives and items; the most "advanced" use automated players known as bots. But foul play is not always technical: it may be a rigged battle, or several cheaters may gang up on a newcomer. You may also meet people selling virtual items at a suspiciously low price; the purpose of this "unprecedented generosity" is usually the same: to extract money without giving anything in return.

How to protect yourself: In games, as in real life, remember the proverb "There is always free cheese in the mousetrap, but the mice there are not happy." As for virtual gangs, rigged battles and suspiciously fast-"growing" players, fighting them is the job of the technical support team, which can issue violators a permanent ban. The main thing is not to be lazy about reporting violations.

3. Experienced players are the first who need two-step verification

The threat: A game has its own values, and they are not always about money. Fraudsters who infest the gaming environment are after strong characters, resources and items first of all. The question is: which gamers have most of these coveted "goods"? Of course, those who...

A Wrong Lesson on Information Security

Posted at 19:42 in Industry News

Recently the CNBC news website gave a quite controversial lesson in information security. The author of an article only indirectly related to security (it was about the confrontation between Apple and the FBI) decided to add a text box for checking password strength. Most likely the form was included as "salt" to attract attention rather than to improve readers' computer literacy, and it certainly attracted more than enough attention, especially among security specialists. The box invited readers to violate a key rule of information security: a password may be entered only into the official login form of the site it belongs to. The author added a small caption (probably to pre-empt criticism) saying that the tool was for educational purposes only and that passwords entered in it were not saved.

worried about security? enter your password into this @CNBC website (over HTTP, natch). what could go wrong pic.twitter.com/FO7JYJfpGR — Adrienne Porter Felt (@__apf__) 29 March 2016

Struck by such illiteracy, several security experts took a closer look at the "educational" box. As it turned out, the passwords were not only sent in the clear over HTTP and saved unencrypted in a Google Docs spreadsheet, but were also transmitted to CNBC's partner companies. A scandal broke out, and the security community demanded that the box be removed immediately. CNBC's reaction was strange: it did not reply to the criticism and simply deleted the ill-fated article, text box included, cleaned up all references to it on Twitter, and the author's personal page suddenly became private.

So neither the victims nor the online community will get an apology from CNBC. We do not know how many users fell for this provocation and entered their passwords, but given the popularity of the CNBC website (more than 6 million visitors a month) there were probably quite a few. Real information security specialists recommend that everyone who entered a password in that box change it promptly.

Despite this apparent failure, CNBC's "lesson" can teach us a lot. First of all, it is a reminder that data protection is the user's own business: even the most perfect protection system cannot substitute for simple caution and a healthy dose of scepticism. In order not to end up like the people who sent their passwords off to an unknown destination, remember a few simple rules:

- Any account password is entered only on the official website. Avoid third-party resources and links in innocuous-looking emails. It takes no time to type the site's name in the address bar or to open a saved bookmark, and this precaution protects you from phishing.
- Never disclose your secret combination to outsiders, whether orally or in writing.
- Even the most carefully...

Protectimus Team at IT Spring Forum

Posted at 14:17 in Press And Events

Last week was a busy one for the Protectimus team. In addition to taking part in the OWASP KNURE conference, we attended another event, the IT Spring Forum held in Dnipropetrovsk. The participants discussed international trends in the software industry, the Internet of Things (IoT), IT solutions for healthcare institutions, and modern tools for protecting users' data in the context of these areas.

Last year the healthcare industry topped the list by the volume of leaked user data: confidential records of more than 100 million Americans ended up on the Internet after the databases of several hospitals and insurance companies were breached, and the situation in other countries was similar. Only the laziest have not heard of the vulnerabilities regularly found in modern household devices belonging to the Internet of Things: attackers can connect to the surveillance cameras installed in your home for safety, or even to a smart TV, and spy on you; they can seize control of a car, as was demonstrated on a Jeep Cherokee; and connecting to a "smart" refrigerator or a coffee machine is no problem for them either.

Two-factor authentication can help solve many of today's security problems, especially with additional 2FA features such as smart identification, data signing and reprogrammable OTP tokens. Below is a short photo report from the event and some pictures of the wonderful city of Dnipropetrovsk, which we visited for the first...
