
Why Security Questions are Terrible for Security


What is your mother’s maiden name? What street did you grow up on? What is your favorite movie?

How about: What good do you really think these questions are going to do to help keep your accounts any more secure?

Seriously, there are a few big problems with the security questions that a lot of businesses, websites, and other accounts rely on. Let’s discuss why these security questions don’t work, and what some alternatives might be.

So, What’s So Bad About These Security Questions?

Let’s walk through an example to illustrate just that!

So, let’s say I was a mean little cybercriminal, and I wanted to help myself to the contents of your bank account. So, I go to your bank’s website, which I confirmed by sending you a phishing message. I also happened to confirm your username (and why I didn’t just take your password along with it, the world may never know) which I can then input into the bank’s website.

Oh darn, I still need that password…or, I can click the handy little Forgot password? link next to the entry field. I’m presented with a few options for your security question, and I have an easy enough way to potentially deduce any of them.

What was your mother’s maiden name? Off to Facebook, for which you either haven’t set your privacy settings or an update reset them without your knowledge. From your profile, I can easily go through and find who your mother is, who just so happens to use her maiden name in her profile so old friends can find her. Security question answered.

What is your favorite book/movie/etc.? Again, Facebook can come in handy here, as it’s somewhat likely you set up your bank account’s web credentials at around the same time as your Facebook. Facebook lists out the books and movies and shows and general interests that people have, and these pages are never as popular as when a Facebook account is first created.

Otherwise, a little bit of perusing through your photos might tip me off, especially if I find countless pictures of you wearing Twilight merch in the early days of you having Facebook, or see lots of John Grisham novels in the background.

What was the name of your first pet? Once more, Facebook is a handy resource. All I’d have to do is search a profile for any mention of a pet and I’ve got a pretty good chance of finding the answer.

Once I’ve completed my bit of Facebook snooping, I can simply give the bank the answers they need for their “security” questions, and I now have total access to your finances.

Keep in mind that Facebook is just one social media platform, too. By posting our entire lives on such platforms, we’re placing a lot of trust in their security, and in our own ability not to overshare and to create secure passwords.

It Gets Worse, Too

While it’s getting to be a little old at this point, a study conducted by Google back in 2015 found that many of these security questions have horrifyingly predictable answers.

For instance, the study found that an attacker had a 19.7% chance of correctly answering, “What is your favorite food?” if they only had one guess and knew that the user spoke English. If a user spoke Arabic and the attacker had ten guesses, they had a 24% chance of correctly answering “What was your first teacher’s name?” If the targeted user spoke Korean, ten guesses gave the attacker a 43% chance of answering “What is your favorite food?”

That’s not even mentioning how the cultural differences between the person writing the questions and the person using them to secure their account can pigeonhole the user into selecting a more-easily-guessed answer because these cultural differences make for different experiences. Maiden names aren’t a globally-accepted tradition, after all.

Finally, if the attacker has a bit of technical skill, they can always try a brute-force attack against the recovery question—which, without the complexity requirements that passwords are subject to, is likely to take much less time.
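As an added, defender-side example that is not from the original post: a per-account throttle for recovery-question attempts, so that guessing a short, low-complexity answer costs the attacker lockout time rather than milliseconds per try. The `RecoveryThrottle` class, the lockout values, the PBKDF2 storage of the answer and the sample account are this example's own choices, not anything the post describes.

```python
import hashlib
import hmac
import time
from typing import Callable


class RecoveryThrottle:
    """Per-account limiter for recovery-question attempts.

    After `max_failures` wrong answers the account is locked for
    `base_lockout` seconds; every further lockout doubles the delay.
    `clock` is injectable so the behaviour can be exercised without sleeping.
    """

    def __init__(self, max_failures: int = 3, base_lockout: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures      # assumed policy values, not from the post
        self.base_lockout = base_lockout
        self.clock = clock
        self._failures: dict[str, int] = {}
        self._lockouts: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._locked_until.get(account, 0.0)

    def seconds_remaining(self, account: str) -> float:
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def record_failure(self, account: str) -> None:
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.max_failures:
            k = self._lockouts.get(account, 0)          # how many lockouts so far
            self._locked_until[account] = self.clock() + self.base_lockout * (2 ** k)
            self._lockouts[account] = k + 1
            self._failures[account] = 0

    def record_success(self, account: str) -> None:
        for table in (self._failures, self._lockouts, self._locked_until):
            table.pop(account, None)


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Normalize case and whitespace, then hash: a recovery answer is a
    secret and deserves the same storage treatment as a password."""
    normalized = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"), salt, 100_000)


def check_recovery_answer(throttle: RecoveryThrottle, account: str,
                          submitted: str, salt: bytes, stored_hash: bytes) -> str:
    """Return 'ok', 'wrong' or 'locked'. A correct answer is refused while the
    account is locked, so the lockout cannot be probed around."""
    if throttle.is_locked(account):
        return "locked"
    if hmac.compare_digest(hash_answer(submitted, salt), stored_hash):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "locked" if throttle.is_locked(account) else "wrong"


if __name__ == "__main__":
    # Constructed demo data: a fixed salt and a stored answer for one account.
    salt = b"constructed-demo-salt"
    stored = hash_answer("Fluffy", salt)
    throttle = RecoveryThrottle()
    for guess in ("rex", "spot", "max", "Fluffy"):
        print(guess, "->", check_recovery_answer(throttle, "alice", guess, salt, stored))
    print("locked for", round(throttle.seconds_remaining("alice")), "seconds")
```

The fourth call in the demo submits the right answer and is still refused, which is the point: once the limit is hit, the attacker's remaining guesses are spent waiting, and the doubling delay makes a long guess list impractical.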

So, If Not Security Questions, What Can We Use to Secure Accounts?

There are a few measures that can be taken to improve security safeguards. For instance, multi-factor authentication and biometrics can make it easier to access your accounts, without making it easier for attackers to do so.

Reach out to us today to learn more about the different authentication and security measures that we can help you implement. Give us a call at 810.230.9455 today!

Oh, and go check that your social media accounts have the right privacy settings.


Tip of the Week: 3 Ways to Improve Your Business Technology’s Security


Businesses largely rely on their information systems and other technology tools, so you need to make sure they stay secure and far from the many threats out there. To this end, we recommend that you implement security systems that prioritize business continuity and data security. Let’s examine three ways you can keep your business’ IT safe and secure.

Promote Strong Password Practices

Many users still use poor passwords, and unless you are deliberate about making them strong, chances are yours are not strong enough either. Here are some tips to help you choose better, stronger, and more reliable passwords:

Password Length

Longer passwords are harder to guess simply because the greater number of characters makes for more possibilities. Passwords should be at least 12 characters long, but when they are this long, they can easily be forgotten. You can create easy-to-remember passphrases that use a combination of upper and lower-case letters, numbers, and symbols. For example, a password of “elephantredfootball” will usually be secure, but one that is written “3l3ph@ntr3df00tb@ll” is even more secure.
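To put numbers on the length argument, here is an added example (not code from the original post) that sizes the brute-force search space for the two passwords above. The character-class model, the 7776-word Diceware-style wordlist size and the 10 billion guesses per second rate are this example's assumptions. It goes a step beyond the text by also modelling an attacker who knows the passphrase is made of dictionary words, which is the caveat a practitioner should keep in mind.

```python
import math
import string

# Character classes; once an attacker knows which classes a password draws
# from, the brute-force alphabet is the union of those classes.
CHAR_CLASSES = {
    "lowercase": frozenset(string.ascii_lowercase),   # 26
    "uppercase": frozenset(string.ascii_uppercase),   # 26
    "digits": frozenset(string.digits),               # 10
    "symbols": frozenset(string.punctuation),         # 32
}


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers every character."""
    size = sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no printable ASCII characters")
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the number of strings an exhaustive search must cover."""
    return len(password) * math.log2(alphabet_size(password))


def wordlist_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """log2 of the search space when the attacker knows the passphrase is
    word_count words from a wordlist of wordlist_size entries (7776 is the
    size of a standard Diceware list; an assumption for this model)."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time for an offline attacker at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # The two passwords from the text plus a constructed 12-character one
    # that uses every character class.
    for pw in ("elephantredfootball", "3l3ph@ntr3df00tb@ll", "Xk7$pq2Lm9!a"):
        bits = brute_force_bits(pw)
        print(f"{pw:22} alphabet={alphabet_size(pw):3} bits={bits:6.1f} "
              f"years@1e10/s={years_to_exhaust(bits):.3g}")
    print(f"3 dictionary words, attacker knows the wordlist: "
          f"{wordlist_bits(3):.1f} bits")
```

Two things fall out of the numbers: the 19-character all-lowercase password outranks a 12-character password that uses every class (length wins), and the leet-substituted version adds roughly 26 bits on top. But if the attacker guesses that “elephantredfootball” is three common words, the realistic search drops to under 40 bits, so the substitutions (or a fourth word) are what keep a dictionary-aware attack expensive.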

Unique Passwords

Some people use the same password for every one of their accounts, but this is dangerous. Remember that if one password is hacked or stolen, it can be used on all of your other accounts, too. It’s best to use unique passwords for each of your accounts.

Use Software Tools

Password managers and multi-factor authentication tools are great software tools you can utilize to both augment password security and reduce the downtime associated with forgotten passwords. Depending on the tool, it might even allow you to randomly generate a secure password, and with multi-factor authentication, you dramatically increase the security of your accounts by increasing the number of layers of defense your systems are protected by.

Train Your Staff

One of the greatest challenges for any organization’s IT security is the internal threat that certain employees can pose when it comes to a negligence or misunderstanding of security practices. Remember that all it takes is a phishing attack to make it through once to create problems for your business, and if an employee doesn’t know any better, they might be the weak link a hacker is looking for. There are over three billion phishing emails sent every day, so you need to be intentional with protecting your organization from them. This is why it’s so important to train your staff to identify them.

A phishing attack will impersonate a person or organization with which the company has dealings, usually someone who carries a certain amount of authority. Scammers routinely use these tricks to make their way into your organization’s network, and they may impersonate insurance companies, software providers, financial institutions, and even executives within the company. These messages might ask users to click on links or download attachments. Here are some of the signs you might ask your employees to look for in a phishing message:

Demands for Immediate Action

Phishing attacks are largely successful because they instill a sensation of fear, anxiety, or excitement in the recipient that causes them to make questionable choices. The best course of action is not to instinctively respond but to verify and scrutinize potential messages.

Inclusion of Unprofessional Spelling Errors and Grammatical Faux Pas

Phishing messages are often from people in countries whose first language is not necessarily that of the recipient. They may include demands, spelling errors, and grammatical errors that no professional would ever consider acceptable.

They Come From Unrecognizable Accounts

Phishing emails might look legitimate, but only on the surface. Look at the account an email actually originated from and you will often find a suspicious sender address. Think twice before clicking on links or downloading attachments from unrecognizable accounts.

Keep Your Software Updated

While phishing might be one of the most common threats out there, there are plenty of others that steal the spotlight from time to time. Many hackers choose to exploit vulnerabilities in software, and even though companies try their best to keep up with patches and updates, there are always going to be those that don’t get patched on the user end. If your business doesn’t take steps to implement patches as soon as possible after their release, you’re putting yourself at risk of hacking attacks.

Businesses that use a lot of applications might see patch management as a full-time job, but there are automated solutions out there that can handle this burden for you. You will also want to test each patch to make sure that they don’t interfere with the functionality of your software solutions. Furthermore, you need to ensure you are regularly updating your security tools like antivirus, firewall, and spam filter.

NuTech Services can help you maximize your company’s security. To learn more, reach out to us at 810.230.9455.


Is it Time to Move Past Passwords?


Passwords have been a staple in data security and user authentication for many, many years… to the point where the idea of using a password has become nearly synonymous with the concept of security. However, data has increasingly shown that alternative options are in fact more secure. Let’s examine some of these passwordless authentication methods, and their pros and cons.

What is Passwordless Authentication?

True to its name, passwordless authentication is identity authentication that operates without relying on a password. You can think of it like two-factor authentication (2FA), with the password factor skipped over.

Instead of using a password, passwordless authentication omits it and focuses on what would be the second factor—a hardware token, biometric, or code generated on-demand through an owned device or sent to an email, among other options.

But Why Eliminate Passwords?

Let’s consider a few options that businesses have in terms of their cybersecurity:

  • Use a password
  • Use a password and supplement it with 2FA
  • Use a passwordless authentication system

Here’s the thing… Passwords, when considered objectively, aren’t really a great option. First of all, how likely is it that the average user is going to be able to remember about 75 unique and sufficiently complex passwords? They aren’t. As a result, your IT team is either going to be inundated with password reset requests, or your users are going to take shortcuts that undermine your security. So, while a password may be a convenient option on a macro scale, it comes at the cost of your security. Not good.

Next, we might consider adding 2FA to our authentication requirements. This certainly boosts security, but it can also frustrate users and disrupt their experience. Also not good.

Passwordless authentication measures eliminate both pain points—not only are they secure, they make it far easier for your users to access what they need to do their jobs.

Today, There are Plenty of Options for Passwordless Authentication

Having said that, there are a few drawbacks to passwordless authentication that may take some time to resolve (if it doesn’t require a change in user behavior). For instance, if you go the security key route, they can be easy to lose and potentially expensive to replace. Cost is a factor for most forms of passwordless authentication, as you might imagine.

On top of this, some malware attacks are particularly effective against these measures. Time will only tell if businesses ultimately see the benefits of passwordless authentication to be worth the risks.

In the meantime, NuTech Services is here to assist you with every aspect of your organization’s IT, including its security. Give us a call at 810.230.9455 to learn more.


Setting Up Two-Factor Authentication on Multiple Platforms


Many organizations are pushing for two-factor authentication, and it is easy to see why. The benefits are so great and the risks so devastating (and unnecessary) that there is no good reason to not implement two-factor authentication. Let’s discuss what two-factor authentication is, why it matters, and how you can set it up for your Microsoft, Google, and Apple accounts.

First, let’s examine two-factor authentication and its many benefits.

What is Two-Factor Authentication?

Passwords are the first line of defense against security threats, but for seasoned hackers, they are simply child’s play. Two-factor authentication aims to increase security through the use of multiple security measures. Ideally, the solution requires at least two of the following three factors to secure an account; if the required factors are not satisfied, the account remains inaccessible:

  • Something you know (a password)
  • Something you have (a secondary device you own)
  • Something you are (biometrics, such as facial recognition or fingerprints)

Why Is It Important?

One way to picture the benefits of two-factor authentication is using the example of a house. Imagine a home with two doors. The first is to the mudroom, and the second is into the house itself. If both doors use the same key, a thief only needs to steal one of the keys to gain access to both the house and the mudroom. If the two keys are different, on the other hand, the amount of effort required for the thief to succeed is effectively doubled.

Now let’s apply this to the cybersecurity topic. It is much harder for a hacker who only has access to one key (the password) when your security protocols require multiple keys (a mobile device or biometric of some sort). The hacker would have to go through a much lengthier and more difficult process to gain access to a mobile device or biometrics compared to the relatively simple act of stealing or guessing a password.

Setting Up Two-Factor Authentication

We will specifically discuss how to set up two-factor authentication for Microsoft, Google, and Apple accounts.

Microsoft

Before you get started, Microsoft recommends that you have a backup email address, a phone number, or the Microsoft Authenticator application installed on a mobile device. First, go to this page and sign in with your Microsoft account. Next, click on More security options. Under the option for Two-step verification, you must select Set up two-factor verification. Follow the on-screen instructions and you should be all set.

Google

First, log into your Google account by clicking here. The next step is to select Security. For the option Signing in to Google, select 2-Step Verification. Finally, click on Get started. The directions for the next steps should appear on your screen. You have several options for setting up your verification step, including Google Prompts, security keys, Google Authenticator, verification codes via text or call, or a backup code. You can also disable this second step on trusted devices, but why go through all the trouble of setting it up if you are just going to disable it?

Apple

The first step for setting up two-factor authentication for your Apple ID is to access your account here. After you sign in and answer your security questions, click on Continue. If you see a prompt to upgrade your account security, tap Continue. Select Upgrade Account Security. You can then add a phone number for receiving verification codes through text message or phone call. Click Continue, enter your verification code, and turn on two-factor authentication.

If you are looking to get started with two-factor authentication, don’t let these three accounts be the limit. NuTech Services can help you set up 2FA for your business. To learn more, reach out to us at 810.230.9455.


Tip of the Week: Is Browser-Based Password Management Safe to Use?


Passwords are quite literally everywhere nowadays. With so much of modern life now controlled or held within user accounts, keeping your passwords both secure and straight in your head is crucial. Many web browsers now offer some built-in password management utility to help make this process more convenient for the user, but is this option available at the cost of security?

Let’s examine how secure each major browser’s integrated password manager is, as well as how to disable them if you so choose.

How Secure is Your Chosen Browser’s Password Management?

Let’s do a side-by-side comparison of the password managers now built into the major browsers on the market: Google Chrome, Firefox, Microsoft Edge, and Safari.

Chrome

Tied to the user’s Google account, the password manager found in Google Chrome offers many of the features one would expect of a modern password manager. Not only is it itself protected by two-factor authentication, but it also offers the capability to generate a random password on the user’s behalf whenever they create a new online account. This password generation helps to prevent users from simply recycling the same password over and over which minimizes the chances of a single data breach undermining more than one account.

Firefox

Whenever you access one of your accounts through Firefox, the browser will prompt you to save the username and password you used on that device where it can be viewed through your browser’s Options. From that point on, the credentials will be saved. The default setting for this capability is unfortunately insecure, but you can set a master password to protect its contents, making this the most secure option available to you.

Edge

Microsoft was late to the party concerning its password management, only adding the capability to its browser at the start of January 2021 to supplement its other security features. Among these features is Password Monitor, which helps to alert the user of breaches, as well as the capability to auto-generate a password when creating an account.

Safari

Rounding out our selection of browsers, Safari features a bundled password generator and management tool, enabling you to autofill your passwords into the websites you visit. Taking it a step further, contact info and credit card information can be saved, with all of it accessible on all your devices with iCloud Keychain. Of course, this platform is Apple-agnostic, and is relatively stingy compared to many third-party password management options, with no two-factor authentication available.

So, What’s the Most Secure Offering?

As a general rule, integrated password managers will do in a pinch, but the better option is to instead use a dedicated password manager. The reason that this is the case? Primarily: most integrated password management platforms don’t require the passwords they save to be all that secure. The opposite is usually true of your dedicated management programs, which also offer the convenience of generating sufficiently secure passwords at the click of the mouse.

We also recommend that you supplement your password security whenever available with two-factor authentication, in addition to many of the typical best practices we always recommend, including:

  • Keeping your devices and browsers up to date to ensure security patches are installed properly.
  • Avoiding websites without SSL/TLS certificates (their address begins with “http” rather than “https”; a secured connection is shown with a small lock icon in your browser’s address bar), and avoiding publicly-accessible Wi-Fi connections.
  • Being discerning about the browser extensions or software titles you enable.

How to Deactivate the Built-In Password Management in Your Browser

Each option provides its own means of disabling its integrated password manager:

Chrome

In the Chrome browser, access the three-dot menu and select Settings. Under Autofill, click into Passwords and switch off Offer to Save Passwords.

Firefox

In your Firefox browser, access the hamburger menu and select Options. Find Privacy & Security out of the options on the left and locate the Logins and Passwords section. Deselect Ask to save logins and passwords for websites.

Edge

In Edge, access the three-dot menu and click into Settings. From there, select Passwords and then deselect the option to Offer to save passwords.

Safari

In Safari, access the Menu and select Preferences. Accessing the AutoFill category, deselect everything: Using info from my contacts, User names and passwords, Credit cards, and Other forms.

If you’re looking for reliable IT solutions, along with the means to keep them secure, look no further than what NuTech Services provides. Learn more about what we have to offer by calling 810.230.9455 today.


You Better Update Your Microsoft Password Today


While we would strongly recommend that you update your passwords more than once a year, now is as good a time as any to do so. Reflecting on this, let’s go over how to fully lock down your Microsoft accounts.

We should start with a bit of a warning. In December, a massive cybersecurity attack targeted the US government via (along with other tools) Microsoft Office. As it was revealed, foreign hackers were monitoring the US Treasury Department and the National Telecommunications and Information Administration through their email accounts.

While Microsoft hasn’t identified any specific vulnerabilities within their cloud services or applications (a good sign, for certain), they have shared some practices to help users properly and comprehensively secure their data. These practices are important to keep in mind for both your personal and business accounts.

What is Included in a Microsoft Account?

Your Microsoft account will include many programs under its purview… basically, anything that Microsoft contributes to will be tied to this account, including:

  • Windows
  • Outlook
  • Office
  • Skype
  • OneDrive
  • Xbox Live
  • Bing
  • Microsoft Store
  • MSN

How to Update Your Microsoft Account Password

Microsoft has made the process somewhat simple and straightforward.

  • Visit https://account.microsoft.com/
  • Click Sign In on the top right if you aren’t already signed in. If you are already signed in, the page will display your name with options about your subscriptions and other services. Once you sign in with your email and password, you’ll be taken to this page.
  • Towards the top of the page, on the right-hand side, you’ll see an option that says Change Password. Click it.
  • If you have Two-step verification enabled, it will walk you through verifying your account with a text, an email, or using the Microsoft Authenticator app. If you don’t have that set up, don’t worry, we’re going to get you set up after you change your password.
  • Once prompted, enter your current password, and then come up with a brand-new password.

An important consideration: You need to make sure that every password you create abides by certain best practices, like not being used for more than one account and involving no personal details or identifiable information. If pressed, select four random and unrelated words, switch up some of the capitalization, and substitute numbers and symbols for some letters—the more complicated, the better.
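The advice above (four random words, mixed capitalization, some substitutions) and the earlier note that password managers can generate random passwords for you both come down to drawing from a cryptographically secure random source. As an added example that is not from the original posts, here is a generator for both styles built on Python's `secrets` module. The short wordlist is constructed for the demo; a real tool would load a large published list, and the substitution table is this example's own choice.

```python
import secrets
import string

# Constructed mini wordlist for the demo. A real generator would load a
# large published list (several thousand words) so each word adds ~13 bits.
WORDLIST = [
    "apple", "bridge", "candle", "dolphin", "engine", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "violet", "walnut", "yonder",
]

# Letter-to-symbol substitutions applied when the caller asks for them.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
_REVERSE = {v: k for k, v in SUBSTITUTIONS.items()}

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Random password that is guaranteed to contain every character class."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def generate_passphrase(words: int = 4, wordlist=WORDLIST, separator: str = "-",
                        mixed_case: bool = True, substitute: bool = False) -> str:
    """Random words joined by a separator, optionally with random
    capitalization and letter substitutions as the text suggests."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    if mixed_case:
        chosen = [w.capitalize() if secrets.randbelow(2) else w for w in chosen]
    phrase = separator.join(chosen)
    if substitute:
        phrase = "".join(SUBSTITUTIONS.get(c, c) for c in phrase)
    return phrase


def undo_substitutions(phrase: str) -> str:
    """Map substituted symbols back to letters (used to check output)."""
    return "".join(_REVERSE.get(c, c) for c in phrase)


if __name__ == "__main__":
    print("random password :", generate_password(20))
    print("plain passphrase:", generate_passphrase(4, mixed_case=False))
    print("styled phrase   :", generate_passphrase(4, substitute=True))
```

`secrets` is the right module here; `random` is seeded predictably and is meant for simulations, not credentials. Note that the substitutions only add security if the attacker does not know the scheme; the number of words and the size of the wordlist are what set the floor.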

Helpfully, Microsoft has included a feature that will require a password change every 72 days. While this sounds like a pain to deal with, it can help reduce the chance of your password being breached and therefore can keep your account more secure.

Additional Security Features

While we’re changing your password, let’s go ahead and add another layer to your security in the form of Two-Step Verification. Setting this up will require you to provide proof of your authenticity beyond just having the right username and password. Work accounts may need administrator permissions to activate it, but it is worth doing.

Once you change your password, you should be directed to Microsoft’s account security page, where you will find the option to activate two-step verification. You’ll be walked through the process via on-screen instructions that will tell you how to link an authenticator application on your smartphone (like Google Authenticator, LastPass Authenticator, Duo Mobile, and other examples). If you don’t have one, you’ll be instructed how to set up Microsoft Authenticator, or you can opt in to one of these other options.

You’ll be taken through the setup process and asked to verify your contact information.

From that point forward, you’ll need to use your authentication app to log into your Microsoft account on a new device, or anytime you want to make changes like updating your password. You’ll be able to use other programs, like Word or Outlook, as normal. Make sure that you keep an eye on your emails and text messages for any Microsoft may send you.

This process can take mere minutes but deliver lasting benefits to your security. For more assistance with locking down your work accounts, or any other of your IT needs, make sure you reach out to NuTech Services by calling 810.230.9455.


Hey You… Update Your Google Password, Right Now!


If you haven’t taken the time to go through and update your passwords lately, particularly the one protecting your Google account, you should do so… despite it undeniably being a pain. After all, Google serves various purposes and is attached to many accounts for most. Considering the number of data breaches and other cybersecurity issues this potentially contributes to, you will want to ensure your Google account is properly locked down.

What Does a Google Account Involve?

Seeing as Google has grown to include far more than the original search engine, there are a lot of things that the average user has that involve Google in some way. Anyone who owns an Android smartphone, or surfs the Internet via the Chrome browser, or checks their email via Gmail certainly has a Google account, and this is but a small sample from a considerable list of items.

So, if a user’s Google account were to be compromised, a lot of data could potentially be exposed:

  • Google.com (for custom tailored search results)
  • Gmail
  • Google Drive
  • Google Docs/Sheets
  • Google Maps
  • Android
  • Google Workspace
  • Google Chrome
  • YouTube

Again, this is a brief sample. Chances are that—if it has something to do with Android, Chrome, or of course Google—it’ll be tied to your Google account.

Updating a Google Password

Fortunately, the process to change your Google password is quite simple:

  1. Visit https://accounts.google.com/. If you aren’t signed in already, log in with your email/phone number and password.
  2. Click Security on the left-hand side.
  3. Look for Signing in to Google. Click Password.
  4. Google will usually prompt you to provide your current password, and then have you input a new password.

REMINDER: While password security should always be a priority, the password you use to lock down your Google account absolutely must be as secure as you can make it. Use a unique password that is strong, without any personally identifiable information or other password shortcuts involved. Using a password manager can help make this easier, both by storing all your different passwords for you and assisting you in generating ones that are secure.

Once you have updated your Google password, you may have to log back in on some of your devices.

Adding Some Extra Security to Your Google Account

To really protect your Google account and the data it holds, it helps to take your security to the next level by enabling 2-Step Verification/2-Factor Authentication. This will help protect your account, even if your password was somehow stolen.

After changing your password, on the Google Account page:

  1. Click the Security option on the left-hand side of the page.
  2. Click 2-Step Verification.
  3. Google may prompt you to enter your password again, just to make sure it’s you.
  4. Depending on what Google already knows about you, this might go a few different ways—you’ll either be prompted to set up a phone number to get a text message or phone call, or Google might walk you through setting this up on your smartphone. Either way, follow the on-screen instructions.

You have a few options available to you in terms of the verification process. One of the more convenient is the option to be sent an SMS message with a secondary code required before your account can be accessed from a new device. For more security, there’s the Google prompt, which serves up a notification on your mobile to be tapped to confirm login, or Google’s own Authenticator app.

Fair warning—if your workplace uses Google Workspace, you might need the help of an administrator to enable 2-step verification. For more information on securing your accounts (or any other IT question you have), turn to the team at NuTech Services and reach out at 810.230.9455.


Are Developers Going to Eliminate the Password?


A lot is made about data breaches and hackers, but I think you’d be surprised to find out that over 80 percent of cyberattacks are the result of stolen authentication credentials. This has led many security-minded IT administrators to try and find a better way than the old username & password strategy that we’ve all been using for as long as there have been user accounts. One organization that is actively making waves trying to replace the username/password combo is Microsoft. They are at the forefront of the move to passwordless authentication.

What Exactly is Passwordless Authentication?

Instead of using passwords, you would effectively verify your identity through alternative means such as a verification app, a predefined security token, or even biometric information. These forms of authentication aren’t exactly new–most smartphones have a biometric authentication system onboard–but now they are beginning to become the predominant way that IT administrators set up their authentication systems.

Why Is This Shift Happening?

Reduced Cost

You may be surprised, but passwords actually can cost a business a lot of money. A study by Forrester Research found that each password reset can cost a company $70. By using passwordless authentication, there are no passwords to reset, so these costs are completely eliminated.

User Experience and Convenience

Every account you have has its own password. With more and more accounts being added each day, managing all the passwords that you need to remember can get difficult. Using methods that don’t require the need to remember passwords removes these challenges.

Security

The main reason passwords are used is for security, but with so many hackers and scammers trying to get people to mistakenly give over their passwords through phishing attacks and other social engineering attempts, removing that possible vector can immediately make a computing network more secure.

Microsoft’s Approach to Security

For the past few years, Microsoft has been transitioning to a passwordless authentication system. In May, over 150 million users were utilizing some type of passwordless authentication, including 90 percent of the software giant’s 150,000 employees. Microsoft has gone on the record stating that it is saving 80 percent of the support costs that they had seen with password-fueled systems.

At this point passwordless authentication seems to be a no-brainer. It is more secure, more affordable, better for the user, and far more manageable.

At NuTech Services, our IT experts can assist you in implementing passwordless authentication for your company. Give us a call to learn more at 810.230.9455. Of course, if you do continue to use passwords, be sure you use strong passwords!


Are You Practicing Good Password Hygiene?


Passwords are not a modern invention by any stretch, but as we have dealt with them for so long, there are a lot of bad habits that many people have adopted. That’s why we felt that it was appropriate for us to call out some of these habits and discuss some better options for you to adopt.

How Hygienic are Your Passwords?

With so many of us relying on so many passwords every day, poor password hygiene can often seem to be a foregone conclusion. Think about your own passwords, right now, and see how they compare to this list of inherently insecure patterns that many people develop:

  • Personal details, like your name or birthday
  • Names of friends, family, or most infamously, your pets
  • Commonly used words (like “password” or a favorite sports team)
  • Simple keyboard patterns (like “12345” or “qwerty”)
  • Repeated login credentials (like username: David1973, password: David1973)
  • Making passwords as short as possible

Now, before you zip away and try to figure out new passwords for all of the accounts that have these kinds of passwords protecting them, let’s take a few more moments to figure out how to actually come up with ones that will be secure.

To begin, let’s consider some “best practices” that should no longer be described as “best.”

Some Less-than-Best Practices

According to NIST (also known as the National Institute of Standards and Technology), the following practices aren’t all that effective any longer when it comes to secure password creation.

  • Alphanumeric Switching: So, we all (should) know that something like “password” isn’t nearly secure enough to be used as a password. As a result, many users would use “p455wO2d” instead, changing letters to numerals and occasionally playing fast and loose with their capitalization. While this isn’t always a bad strategy, using such a common password still makes it far less secure than it needs to be.
  • Length Requirements: It’s likely that you have encountered this as well, as a program has kicked back your chosen password while announcing that “it is too short/long for its eight-to-ten character limit.” According to NIST, these antiquated requirements literally short-change security, as longer passwords or passphrases are more difficult to crack but easier to remember than the short jumbles of random characters.
  • Banning Cut and Paste: For some reason, many username and password fields don’t allow content to be cut and pasted into them, almost as if the prospect of typing out someone’s account details will stop a hacker in their tracks. This also makes the use of password managers, a hugely useful tool in maintaining good password practices, less available. So long as they are used properly, password managers should always be encouraged, as they enable a user to store and use multiple passwords while only really remembering one.
  • Password Hints: We’ve all been asked to set hints for our passwords before, just in case we forget them. You know the ones: “Where did you graduate from high school?” or “What was your first pet’s name?” The trouble with these questions is simple: our online habits make this kind of information easy enough to find online, especially with social media encouraging us to share pictures of our pets, or announcing that we’re attending the “Educational Institution’s Class of Whatever Year’s Something-th Reunion.” Instead of relying on these hints, combine multiple forms of authentication to both offer additional means of confirming your identity and better secure your account.
  • Frequent Password Changes: Considering how many passwords we’re all supposed to remember, it only makes sense that users would fight back against frequent password updates by only changing a single detail about it and calling it changed. For instance, let’s return to David1973 for a moment. If this user were forced to change his password too often, it is likely that he would resort to simply adding an easy-to-remember (and guess) detail. Maybe this is the fifth time that David1973 has been told to change his password, so while his password started as “David1973,” it progressed to “2David1973” to “3David1973” and so on to “5David1973.” Of course, we aren’t arguing that passwords should never be changed, but make sure that these changes aren’t actually counterproductive.

How to Create a Secure Password

Rather than using a password, per se, we recommend that you instead use a passphrase. Let’s use a quote by author Elbert Hubbard as our example: “Positive anything is better than negative nothing.” 

Of course, this is a mouthful to type, in a manner of speaking, so it might make sense to use some alphanumeric switching to help abbreviate it into a complex phrase that is still easy to remember.

Doing so, “positiveanythingisbetterthannegativenothing” becomes “p0$!tiV3NE+hg>-tiV3_+hg”.

Then, if you use this password as the master access code for a password manager, the rest of your passwords/passphrases could foreseeably be randomly generated, increasing your overall security even further. To make your password manager even more secure, you should really devise your own complex phrase, rather than steal one from an author.

You never know, some enterprising cybercriminal might be a big fan of Hubbard’s works, too.

For more advice and assistance to help you make your passwords and accounts as secure as possible, reach out to NuTech Services by calling 810.230.9455 today!


How You Should Judge Potential Password Management Programs


Passwords are hard to remember – there’s no denying that. However, there is also no denying how important it is to use different ones for each account, all sufficiently complex, and all the rest. The point is, a lot of people use bad password practices because (to be frank) good password practices are too intimidating. There has to be some kind of acceptable middle ground… right?

Fortunately, there is: password management systems.

What Are Password Management Systems?

A password manager is effectively what it says on the box: it’s a program that keeps track of your passwords for you. While these are available for individual users, we are more concerned with those that are meant for businesses to leverage.

These solutions have a reputation for being complicated and time-intensive to set up. However, this no longer has to be the case, and it is now more important that you find a solution that offers the features that every business needs to prioritize.

What to Look for from a Password Manager

During your search, you will want to make sure your chosen password management system offers the following features:

Security

While this may seem obvious, not all of your password management options will necessarily offer the same protections or follow the same practices. For instance, standalone password managers are inherently more secure than those tied to another solution, like a built-in one in your browser of choice.

These separate solutions usually have additional features to assist your security as you use them. Good password managers will remind you of best practices if too many saved passwords are the same or too weak and will require multi-factor authentication to be accessed in the first place. It also wouldn’t hurt to find one that also notifies you when you’re due to update some of the passwords you have saved.

It should also never save one password: the master password used to access the solution itself. That is still the user’s responsibility.

As far as behind-the-scenes security is concerned, you should find a password manager that is itself protected by a variety of security features, like encryption, role-based access, and secure cloud storage.

Storage Considerations

Determining where your credentials are kept by the password manager is another important detail to keep in mind, largely as an extension of your security considerations. Does your password manager save your passwords to the cloud, or are they kept natively on the device? Either approach has its pros and cons.

If the cloud is leveraged, your credentials will be available to you on any of your devices… but this does put your credentials in the crosshairs if that cloud solution was ever breached. If you keep your credentials stored locally, you won’t risk losing them in a cloud storage breach, but they are still vulnerable. For instance, if that device fails, there go your passwords.

Generally, this won’t have much impact on the solution you choose, as most enable either option, if not a combination of both.

User Friendliness

As difficult as your password manager should make things for cybercriminals, it should make them simple for your legitimate users – starting with adding them to and removing them from the business’ accounts. They should find it easy to change their password as needed, and your password manager should automatically log a user into a website or application. If it senses that there are not currently credentials saved for that site, it should offer to save them.

NuTech Services has plenty of experience dealing with password security, which means we’re familiar with password managers and maintaining them. If you’d like assistance with selecting, implementing, and utilizing one in your business, let us know! We’re just a call to 810.230.9455 away.


Don’t Be Fooled When Scammers Threaten to Spill a Dirty Little Secret


What would you do if a stranger claimed to have compromising webcam footage of you and threatened to share it with your contacts? A new, very convincing email scam is making some users very nervous.

The Sextortion Scam
It’s as screwed up as it sounds. A scammer emails you saying that they got access to your passwords, and then started to run amok to see how much trouble they could get you into. They even show you one of your passwords to prove it (the password will likely come from lists found on the dark web, compiled from online businesses and services that have been hacked over the years). Then the scammer claims they’ve been watching what you do on your computer and recording your webcam, and they happened to catch you at a very inopportune time… Well, let’s let the email explain it for us. 

“You don’t know me and you’re thinking why you received this email, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).”

The reader is then given the address to a Bitcoin wallet, where they are to send the ransom.

The email continues:

“Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately [sic]. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.”

This email comes in a few different versions in the wild, but all of them follow the same pattern and end with the same threat… fork over the cash, or everyone will see you in your most private moments.

Is This a Serious Threat?
This is a very real concern for many people, who will be relieved to hear that, no, there is no indication that these threats are for real. The first clue is the fact that the passwords that the email provides are usually a decade old, indicating that they came from some (relatively) ancient database from some long-forgotten hack.

However, in some ways, this is even worse news, because this threat has made a tidy sum of money: as of the 31st of July, the scam had brought in $250,000, as compared to just over $50,000 by the 19th. Clearly, this scam has been plenty effective for the perpetrators, and this won’t deter others from following its example.

Keeping Yourself Safe from an Actual Attack
Granted, this attack is just an unfair wager, but scams like this are more than possible for a criminal who actually means what they say/threaten. As a result, the security lessons we can take away from this particular attack still apply.

The first thing to remember is also the first rule of passwords – change them frequently. Again, this scam has made quite a bit of money based on a total bluff… a bluff that, paid in increments of $1,400, was worth $250,000 and counting. From this, we can infer that quite a few people who received this message had online activities that they wanted to hide, and more critically, that their passwords had remained the same for all those years.

This is an excellent example of why it is so crucial to regularly update your passwords, without repeating them – if an old database is hacked, as happened here, you won’t have to worry if your password is revealed – it won’t be any good anymore.

The second thing to remember? If you aren’t actively using your webcam, keep its lens covered up.

For more best practices to follow, including those that will improve your business’ security, make sure you keep checking back to this blog – and if you want to take more action, reach out to us at 810.230.9455.


3 Ways Your Business Can Prioritize Data Security


In the wake of the Equifax data breach, which placed the personal information of 143 million users at risk, the issue of data security is at the forefront of social consciousness. Your organization needs to go about its daily business as if it will experience a data breach at any given moment. This involves looking at the worst-case scenario, and planning for it so that you’re never caught unaware.

Here are three preventative measures that you can take to secure your business.

Use Strong Passwords and Two-Factor Authentication
Passwords are often the only thing standing between your online accounts and your personal data. Think about it; a string of maybe 8-to-10 characters is the only thing keeping your sensitive information secure. Doesn’t it make sense to make this password as complex and difficult to crack as possible? You would think so, but a surprising number of folks still use the word “password” as their password. You should be using both upper and lower-case letters, numbers, and symbols, formed into a seemingly random string of characters. Doing so keeps hackers from guessing your password and accessing an account.

Secure Your Network with Unified Threat Management
Network security depends on both internal and external measures, which include network-attached security devices like a Unified Threat Management (UTM) tool. A UTM consists of an enterprise-level firewall, antivirus, spam blocker, and content filter, all to keep threats from taking root on your network in the first place. Furthermore, you’ll be able to react to issues that become prevalent before too much damage is done, which is a valuable opportunity in its own right.

Educate Your Users on Best Practices
Your employees access important information on a day-to-day basis, and they are often in contact with more threats than you’d like them to be. Something as simple as a spam message in the wrong inbox or a carefully disguised link could be all it takes to expose your business to dangerous situations. Take the time to teach your employees how to identify potentially dangerous scenarios, like phishing phone calls and sketchy emails or attachments. Oftentimes, you’ll stop attacks from taking off simply by keeping your employees informed.

By using these three methods to secure your organization, you’ll be less likely to suffer from a data breach. To learn more about network security and other ways to keep yourself secure, subscribe to our blog, and call our IT professionals at 810.230.9455.


Helpful Suggestions to Improve Password Security


Passwords are important for any online account (and for most accounts in general). Sometimes they might feel like inconveniences, but it’s crucial to remember that these passwords are often the first line of defense, if not the only line of defense, that stands between your data and hackers. We’ll discuss ways that you can augment password security with other powerful measures.

There are two major ways that you can improve password security: two-factor authentication and password managers.

Two-Factor Authentication
2FA provides organizations and users with secondary credentials that can protect their network or online accounts. This type of protection can come in the form of an SMS message, a phone call, or an email sending you a secondary credential. You then enter this code into the app or service, and since you know without a doubt that only you could have access to this code, you can practically guarantee that you’re the only one accessing your account.

Basically, the biggest way this helps your organization is by making it as hard as possible for hackers to infiltrate your network and company accounts. When you involve devices like smartphones with two-factor authentication, you make it much more difficult for hackers, as they would need access to two different devices rather than just one. Reach out to NuTech Services and ask us about our two-factor authentication solutions.

Password Managers
A good password is often long and complex, consisting of several different types of characters, numbers, and letters. As you might expect, these types of passwords are rather difficult to remember. Plus, since you can’t (or shouldn’t) use the same password for multiple accounts, you can easily enter the password for another account by accident, eventually leading to an account lockout. This is both frustrating and unnecessary. Alternatively, you can keep track of your passwords using a password manager, allowing you to use complex passwords without any problems.

An enterprise-level password manager from NuTech Services can allow your organization to take advantage of complex passwords. Your passwords are stored in a secure encrypted database that shields them from hackers. Furthermore, you only pull the passwords as they are needed. There’s no better way to take advantage of complex passwords, as the password manager will keep track of multiple account credentials without you having to remember them.

NuTech Services can help your business with all of its password managing needs. To learn more, reach out to us at 810.230.9455.


Tip of the Week: Why You Should Rethink Routinely Changing Your Password


One of the main ways to keep an account’s credentials secure is by changing them consistently. However, we ran across an article recently that plays “devil’s advocate” on the password security issue, and they made some fair points about how changing passwords too frequently can lead to decreased security as a whole.

At first, this idea may not make a lot of sense. The reason that we change passwords so often is to prevent them from being used in attacks on sensitive accounts. If hackers steal passwords that don’t work, they can’t access the accounts. IT administrators often require user passwords to be changed on a regular basis, which may prompt users to choose passwords that are easy to remember or less complex than they should be.

In reality, there are several news outlets and security websites that suggest changing passwords regularly will lead to less-secure passwords as a whole. ZDNet, The Washington Post, and WIRED magazine, all suggest that frequently changing passwords, despite its intended purpose, can lead to watered-down security. Consider this scenario: you’re using a password, but are suddenly forced to change it. Would you be more likely to create a whole new password, or use a slight variation of your current password?

The Washington Post writes, “forcing people to keep changing their passwords can result in workers coming up with, well, bad passwords.” This statement is backed by research from a study performed by Carnegie Mellon University, which found that those who feel that their organization’s password policy was annoying, created passwords that were 46 percent less secure. Additionally, users who need to update their passwords constantly often leave patterns that connect old passwords to new passwords, like replacing a letter with a number or special character.

ZDNet explains that changing passwords for the purpose of securing accounts in case of stolen credentials doesn’t make sense, simply because “stolen passwords are often exploited immediately.” The security website also cites that “regularly changed passwords are more likely to be written down (another vulnerability) or forgotten,” which only seems to add to the frustration of changing passwords on a regular basis.

The fact remains that passwords may not be the most reliable way of keeping accounts safe, but there are ways that you can make using passwords, and account security, easier to handle. One way is to use an enterprise-level password manager. You can store all of your organization’s credentials in one secure location, where they will be called from and propagate in the required fields when needed. This helps you utilize complex passwords without needing to remember all of them.

Another way that you can improve account security is through two-factor authentication. This adds a second layer of security to your accounts by requiring a secondary credential, which can be sent to a smartphone via SMS message, voicemail, an alternative email account, and more. There are also biometric or GPS-tracking two-factor authentication methods that are viable (and effective).

If you’re ready to improve your business’s security practices, reach out to NuTech Services at 810.230.9455.


Tip of the Week: Make Your Password Rhyme Every Time

Password security is quite the conundrum. We want our passwords to be easy to remember, but the problem is that passwords that are easy to remember are often simple and insecure. Therefore, it becomes a best practice to use complicated passwords with both upper and lower-case letters, numbers, and symbols to compensate. The “passpoem” might resolve this issue in the most obvious way.

The method in question starts from the observation that passwords chosen by your average PC user aren’t nearly as secure as they should be, but are very easy to remember. As explained in a paper from the University of Southern California, written by Marjan Ghazvininejad and Kevin Knight, it’s best to use randomly generated 60-bit strings (basically, a series of 60 ones and zeros), and convert these strings into words or phrases.

Confused? Let us explain in a little more detail. This method is derived from an XKCD comic that describes the difficulty of remembering passwords. Basically, what it entails is taking a string of bits, like 10101101010100101101010101010101010110101101, and converting segments of this string into words to create an English phrase. The above string would wind up reading “correct horse battery staple,” which is complete and utter nonsense, but very easy to remember by associating it with a mental image or a story.

Rather than use a 44-bit string like the above example, Ghazvininejad and Knight suggest using a 60-bit string to increase security, and to create a poem-like string of words that makes sense and is easy to remember. Going too in-depth into this method would take a considerable amount of time to explain, but the basic idea is to create something that’s easy to remember while making it borderline impossible for a computer to guess. By today’s standards, the 44-bit string would take around an hour to crack, while a 60-bit string would take well over a decade. How’s that for secure?
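The bits-to-words step described above, written out as an added example; this is not Ghazvininejad and Knight’s code, and the 16-word list and guess rate are constructed assumptions rather than the 2,048-word list the XKCD scheme uses. The functions accept any power-of-two wordlist, so the 2,048-word (11 bits per word) case goes through exactly the same path.

```python
import math
import secrets

# Constructed 16-word list (an assumption for this example, NOT the real XKCD
# list). 16 = 2**4, so each word encodes exactly 4 bits of the random string;
# a 2,048-word list would encode 11 bits per word, turning 44 bits into 4 words.
WORDLIST = ["apple", "battery", "cabin", "dolphin", "engine", "forest",
            "guitar", "harbor", "island", "jacket", "kettle", "lantern",
            "meadow", "needle", "orchid", "pepper"]

# The 44-bit example string quoted in the post.
XKCD_BITS = "10101101010100101101010101010101010110101101"


def bits_per_word(wordlist) -> int:
    """log2 of the wordlist size; only power-of-two lists map bits cleanly."""
    n = len(wordlist)
    if n < 2 or n & (n - 1):
        raise ValueError("wordlist size must be a power of two")
    return n.bit_length() - 1


def bits_to_words(bits: str, wordlist=WORDLIST) -> list:
    """Split the bit string into fixed-width chunks and use each chunk as an
    index into the wordlist. The randomness lives in the bits, not the words."""
    k = bits_per_word(wordlist)
    if len(bits) % k or set(bits) - {"0", "1"}:
        raise ValueError(f"need a multiple of {k} bits consisting of 0/1 only")
    return [wordlist[int(bits[i:i + k], 2)] for i in range(0, len(bits), k)]


def words_to_bits(words, wordlist=WORDLIST) -> str:
    """Inverse mapping, showing the phrase carries exactly the original bits."""
    k = bits_per_word(wordlist)
    index = {w: i for i, w in enumerate(wordlist)}
    return "".join(format(index[w], f"0{k}b") for w in words)


def generate_passphrase(nbits: int, wordlist=WORDLIST) -> list:
    """Draw at least nbits of CSPRNG randomness and encode it as words.
    Word count is rounded up so the phrase never carries fewer than nbits."""
    k = bits_per_word(wordlist)
    nwords = math.ceil(nbits / k)
    bits = format(secrets.randbits(nwords * k), f"0{nwords * k}b")
    return bits_to_words(bits, wordlist)


def crack_time_seconds(nbits: int, guesses_per_second: float) -> float:
    """Worst case for an attacker who knows the scheme and the wordlist:
    every one of the 2**nbits possible phrases must be tried."""
    return 2 ** nbits / guesses_per_second


if __name__ == "__main__":
    # Assumed attacker speed (constructed figure): 5 billion guesses/second.
    rate = 5e9
    print(bits_to_words(XKCD_BITS))
    print(generate_passphrase(60))
    for nbits in (44, 60):
        secs = crack_time_seconds(nbits, rate)
        print(f"{nbits}-bit phrase: {secs / 3600:.1f} hours "
              f"({secs / (365 * 86400):.1f} years)")
```

Going from 44 to 60 bits adds 16 bits, so the search space (and worst-case crack time) grows by 2**16 = 65,536 times, which is the gap between an hour and many years in the post’s comparison.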

While using segments from existing poems is a possibility, Knight and Ghazvininejad don’t suggest doing so. Considering how there are millions of poems online, the chances of getting hacked are much higher than if the string of characters were truly random. However, while using a line from your favorite poem isn’t as secure as a string of 60 characters, it’s certainly more secure than using a simple password like “MOM385” or “password.” On one hand, you’re using real words that can be used in a dictionary attack; but on the other, you’re using a long password (which is a best practice). So, it’s really up to you to decide how you want to approach password security.

Of course, you’ll need multiple passwords for all of your different accounts. This in itself can make memorizing passwords a huge pain. Therefore, the best way that you can remember all of your passwords and effectively use them to maximize your account security, is by taking advantage of a password manager. NuTech Services can help your business get set up with the best password manager on the market. To learn more, give us a call at 810.230.9455.


What is your Identity Worth to You?

Your identity has quite a lot of value, especially in the wrong hands. Security firm ZoneAlarm put together some numbers in 2011 concerning identity fraud, and it even shocked us. Let’s talk about a few of these statistics and what they mean.

First of all, what shocked us the most is that according to the FTC, in the United States, 9 million individuals have their identities stolen each year. Identity theft is a little different than identity fraud, however. Theft is when personal information is exposed and taken without permission. This is happening all the time by malicious software like spyware, but it can also happen when legitimate websites and services get infiltrated by cybercriminals. If a reputable online store (or even a database for a brick and mortar store) gets hacked into, your personal information can be stolen. That’s identity theft.

Identity fraud is when that data is misused for financial gain. This is when things start to get very dangerous. In 2009, $56 billion was accumulated by cybercriminals through identity fraud. The good news is that in 2010 that number went down to “only” $37 billion. What does that mean to the average person? On average, victims of identity fraud had $4,841 stolen per victim. Trouble is, the world has had to improve drastically to protect consumers from identity fraud. This means higher costs of doing business, which then get reflected in the prices of products and services. In other words, because of identity fraud, we all lose.

How does your data get stolen? There are plenty of ways, but here are a few popular methods:

  1. Hackers can pick up credentials via public Wi-Fi and public PCs.
  2. Credit Card Skimming – a process that involves your credit card data being stolen when your credit card is swiped at a standard ATM or credit card terminal.
  3. Selling or discarding used computer equipment that isn’t properly wiped can expose personal information.
  4. Hackers can infiltrate networks and databases.
  5. Dumpster diving and paper mail theft.
  6. Malware and viruses.
  7. Phishing.

In almost half of reported identity theft cases, the victim knew the criminal.

What do you do if your identity is stolen?

Almost half of all reports of identity frauds are discovered by the user first, although banks and credit card companies have methods in place to stay on top of it as well. If your financial credentials are stolen, you need to contact your bank and/or credit card companies immediately, both by phone and in writing. You’ll want to file a police report with details about where your identity was stolen, what you believe was or could have been stolen, and documented proof of the crime.

You don’t want to risk identity fraud. Monitor your credit reports closely, shred sensitive mail and documents before throwing them away, and ensure your computers and network are running latest security updates and antivirus, as well as other security measures. For a complete review of your security, contact us at 810.230.9455 and we will help pinpoint vulnerabilities and fill in the cracks before a costly event occurs.