Connect with us

Expert Speak

How to Get Your Passwords in Good Order for 2019



Written by Tomas Foltyn, security writer at ESET

Many of us entered 2019 with a boatload of New Year’s resolutions. Doing more exercise, fixing unhealthy eating habits and saving more money are all highly respectable goals in their own right, but could it be that they don’t go far enough in an era with countless apps and sites that scream for letting them help you reach your personal goals, which apparently also implies – you guessed it – reach your New Year’s resolutions?

Now, you may want to add a few more weighty and yet fairly effortless habits on top of those well-worn choices. Here are a handful of tips for ‘exercises’ that will do good for your cyber-fitness.

I won’t pass up on stubborn passwords
Passwords have a bad rap, and deservedly so: they suffer from weaknesses, both in terms of security and convenience, that make them a less-than-ideal method of authentication. However, much of what the Internet offers is dependent on your signing up for this or that online service, and the available form of authentication almost universally happens to be the username/password combination.

As the keys that open online accounts (not to speak of many devices), passwords are often rightly thought of as the first – alas, often the only – line of defense that protects your virtual and real assets from intruders. However, passwords don’t offer much in the way of protection unless, in the first place, they’re strong and unique to each device and account.

But what constitutes a strong password? A passphrase! Done right, typical passphrases are generallyboth more secure and more user-friendly than typical passwords. The longer the passphrase and the more words it packs the better, with seven words providing for a solid start. With each extra character (not to mention words), the number of possible combinations rises exponentially, which makes simple brute-force password-cracking attacks far less likely to succeed, if not well-nigh impossible (assuming, of course, that the service in question does not impose limitations on password input length – something that is, sadly, still far too common).

I’ll have no sympathy for the passphrase-cracker
Another caveat is that it’s better to refrain from phrases that have made it into the everyday lexicon. Entire books, famous quotes, or lyrics – sing, ‘Pleased to meet you, hope you guess my name’ as a bit of an extreme example that is not to be taken literally – already tend to be part of the fodder of password-cracking tools. The individual words should be in random order and, ideally, sprinkled with special characters and character substitution, all the while retaining a hidden meaning and memorability to its creator. For practical guidance about creating your passphrases, you may want to refer to this short video tutorial or to this article.

Then, of course, there is the need for each passphrase to be distinct for each account, so that a leak of one of your passphrases doesn’t reverberate through your other and possibly more valuable accounts. Alas, the dangerous practice of password recycling is ubiquitous, and attackers can exploit it hands-down with an automated technique known as ‘credential stuffing’.

It’s quite likely that you use too many online accounts to remember a distinct passphrase for each of them. In which case, it’s worth considering a reputable password vault/manager that encrypts your password storage and takes away much of the pain that password management involves. Of course, such a tool can also generate randomized and complex passwords and passphrases for you.

While then you should need to remember only one master password that, ultimately, opens all your online accounts, the pressure will be on the sturdiness and uniqueness of this one key to your digital kingdom – so it’s back to the suggestions above.

I won’t skip the second step
Another trouble with passwords/passphrases may arise when they are not only the first, but actually the only line of defense for your account security. When that barrier crumbles – commonly through a phishing attack or by attackers somehow working out your login details – an extra authentication factor that does not rely on ‘something you know’ may very well foil your adversaries.

Two-factor authentication (2FA), or multi-factor authentication (MFA), is an excellent way of boosting the security of your accounts, especially when coupled with hardware keys or dedicated apps, and less so with SMS-borne 2FA.  Although many online services provide 2FA options, few require its use. However, the adoption of 2FA has been on the rise and it’s never been easier to jump on the practice. Regardless if its implementation, signing up for 2FA wherever you can is well worth the little extra effort, as it can help in various scenarios, including when you never fell prey to a cyberattack compromising any of your passwords.

In fact, it’s quite probable that some of your authentication details will be, or have already been, stolen and posted online or made available for sale on underground marketplaces. The source of these password leaks include the many security breaches that have blighted online services, retailers, hotel chains and the like.

Additionally, the targeted entity may have protected the users’ passwords with weak hashing and salting functions, or even stored the passwords in plain text. Worse still, the service provider, let alone you, may not know until quite a while later that hackers pilfered the often poorly secured data, or purchased them on the dark web, so you had no shot at taking any ad-hoc defensive measures. Again, this is also where that extra authentication factor will usually thwart any account-takeover attempts.

In fact, go ahead and see for yourself on Have I Been Pwned? whether any of your online accounts may have been part of a known breach. Aside from the almost 5.7 billion compromised accounts that the site indexes, it also has a cache of more than half a billion publicly leaked or stolen passwords in clear text that have been revealed in past breaches, so you can check yours against the database, too.

I’ll use fewer passwords
Surely a mistake, right? Well, it may sound counterintuitive, but fixing your passwords may also imply needing fewer of them in the first place. More precisely, it means cutting ties with the services you no longer use, so that you needn’t ‘look after’ your accounts with them. We all have set up accounts that we no longer use. Indeed, we may have racked up quite a few of them over the years, including some we barely remember. However, the adage ‘the internet never forgets’ fits here too, and forgetting is something you shouldn’t do, either.

The trouble with unused accounts is that each of them – even if only a vestige of your much younger self – is a potential source of danger. The service may suffer a breach exposing your password or may be sold to new owners whose intentions might not exactly be honest. Or, if miscreants take over your account, they might be able to use it to break into one of your highly valued accounts, be it by gathering private information about you, or through your failing to use a unique password for each account. Or they can just as well use it to spew out spam.

But what doesn’t exist can’t be taken over, can it? Feel no remorse: just dispatch those accounts to a better place and never look back. There are even services that promise to scale back your online footprint in bulk; that is, without you having to recall or comb through and then manually shut down each inactive account. Using a service just to help kill online accounts may not be for everybody, however, as essentially you need to take the developers of such tools at their word.

While you’re cutting the clutter, consider severing ties also with third-party apps and services that are associated with your accounts on social and other major sites, especially the apps that you no longer use. These apps, too, can be misused as other entry points for illicit data collection or even worse. To pull the plug on their access to your account and data, navigate to the privacy and/or security settings of your online service(s) of choice; from there, it usually takes only a click or two.

Next up
Staying safe online isn’t going to become any easier this year, so we’ll be back in a few days with more tips for beefing up your personal online security. Next time, we’ll focus mainly on a couple of easy ways to boost the security of your wireless network.

Click to comment

Leave a Reply

Your email address will not be published.

Expert Speak

Why You Should Use a VPN While Traveling



According to a survey conducted by NordVPN, 50% of travellers use public Wi-Fi while on the road. However, only 20% of them use a VPN (a virtual private network) to protect themselves while being connected to a public network. “Travelers connect to public Wi-Fi in airports, cafes, parks, and trains. Some even use public computers to print their visa information or flight tickets. A VPN in those cases is crucial if you want to make sure that your vacation will not be ruined by cyber criminals. Nobody wants to lose access to their device or their bank account during a trip to a foreign country,” says Daniel Markuson, a cybersecurity expert at NordVPN.

As International VPN day (August 19th) is just around the corner, Markuson lists all the benefits offered by the service.

Enhanced online security
The main purpose of a VPN is to keep its user’s online connection secure even when they are away from home. Hackers can set up fake hotspots or access unsecured public routers and this way monitor users’ online activity. Once a user is connected, criminals can intercept their internet traffic, infect the device with malware, and steal their victim’s personal information.

When authenticating themselves on public Wi-Fi, users often need to type in their email address or phone number. However, if a user has accidentally connected to a hacker’s hotspot, they could be exposing themselves to real danger.

A VPN hides users’ IP addresses and encrypts their online activity. That means that, even if a user is using a malicious hotspot, the hacker behind it won’t be able to monitor their activity. Therefore, getting a VPN for travelling abroad is essential if you want to stay secure and private online.

Grab the best deals
Depending on the country in which you’re located, the prices for airline tickets, car reservations, and hotels might vary. That’s because businesses know that people in different countries can and will pay higher amounts for certain products and services. If you use a VPN for travel, you can hop between servers in different countries and find the best deals available.

Make the best of additional VPN features
As the industry is evolving, many VPN providers add new features to make their users’ experience even more wholesome. NordVPN, for example, recently added the Meshnet feature that lets travellers connect to other devices directly no matter where in the world they are. This enables users to form a remote connection with their home or office PC from anywhere in the world to share files or for other uses.

However, having said that, please check local laws and regulations about using VPN services on your devices, before you do.

Continue Reading

Expert Speak

Social Media Data Leaks Account for 41% of All Records Breached



Written by Edward G, Cybersecurity Researcher and Publisher at Atlas VPN

Social media is quickly turning into a primary security weak point. A single data breach within one of the major social media networks can result in millions of records being stolen. Within the past few years, we have seen multiple large-scale data breaches involving companies like Facebook and Twitter. Yet, we rarely see the bigger picture.

Luckily, data presented by Atlas VPN gives insight into the scope of the issue. It turns out that 41% of all compromised records in 2021 originated from social media data leaks, which is a significant upsurge compared to 25% in 2020. The data presented is based on the 2022 ForgeRock Consumer Identity Breach Report, which gathered data from various sources, such as 2021 Identity Theft Resource Center, IBM Ponemon, TechCrunch, Forrester Research, as well as UpGuard, and IdentityForce.

A few other factors make social media a security weak point within the current online landscape. First, criminals can prey on business clients by posing as the company in order to obtain credentials. This is becoming especially prevalent since companies increasingly use social networks to communicate with customers.

Second, fraudsters frequently attempt to infiltrate businesses by leveraging mutual connections, which create a false sense of security. Moreover, people who overshare on social media make it simple for thieves to locate personal information that aids in company breaches.

Besides social networks, another major source of leaked information is the retail sector, which accounted for nearly a quarter of all records breached in 2021. According to the U.S. Department of Commerce Retail Indicator Division, e-commerce sales increased by 50% during the pandemic. Retail data breaches increased in frequency and severity during the same period.

While the average cost of a retail breach was $2.01 million in 2020, it increased by 63% to $3.27 million in 2021. Customer credit card, payment information, and personal data were the principal targets of retail data breaches. E-commerce websites and applications sometimes skip security precautions like two-factor authentication (2-FA) as they seek a simple user experience.

When the enormous volumes of personal data that retail websites collect are not adequately protected, it creates the ideal environment for breaches and subsequent fraud. Finally, the healthcare sector is worth mentioning with only 1% of records, yet, at the same time, the information leaked is usually particularly sensitive.

Data compromised from healthcare institutions tend to include name, address, SSN, date of birth, and, in two-thirds of the breaches, actual medical history information. With this information in hand, cybercriminals can blackmail companies or even particular individuals.

To round up the findings, it’s obvious that retail and social media companies should go the extra mile in securing their customer information. In addition, even though healthcare providers leak only a fraction of the data, they should still safeguard their client data with particular care due to the sensitive nature of the information.

Some services offer data breach monitoring tools. Data breach monitors track any data breaches related to your online accounts. It automatically scans leaked databases and informs you of any past or recent breaches where your personal information was exposed.

As always, we must mention the most effective countermeasure against data leaks. It is advised to enable multi-factor authentication on all of your accounts that offer the functionality. This way, even if your credentials are compromised, threat actors will not be able to access your account unless you lose your phone, and it is also found by ill-meaning individuals, which is less than likely.

Continue Reading

Expert Speak

Airline and Booking Services Scams Intensify at the Height of the Holiday Season



Vacation season is well and truly upon us, and travellers around the world are looking for interesting places to go, cheap places to stay and reasonably priced flights. And scammers are here to give them what they need — well, sort of. Kaspersky researchers have observed intensified scamming activities, with numerous phishing pages distributed under the guise of airline and booking services. To help travellers avoid scams, company researchers share some of the most widespread fraud schemes used to lure victims as well as helpful tips on how to plan a safe, scam-free, vacation.

Fake Ticket Aggregators
Most trips start with a plane or train ticket, and travel enthusiasts are often interested in getting their hands on a bargain. Kaspersky experts have seen numerous fake websites claiming to offer users the chance to buy aeroplane tickets at cheaper costs. Such websites are usually well-made phishing pages that mimic famous airline services and air ticket aggregators. Some of these websites even display the details of real flights, with experienced phishers sending search requests to flight aggregators and displaying the information received from them. However, instead of delivering on promised flight tickets they keep your money and use your personal information for malicious purposes (e.g. selling your bank details and identifying information on the dark web).

Fake Lotteries for Discounted Tickets
There are also plenty of fake pages attempting to lure travellers with aeroplane ticket draws, lotteries and gift cards. Users are offered the opportunity to take a small survey and enter their personal details in exchange for a generous discount on a flight ticket. As with many other offers that seem to be too good to be true, such websites end up being phishing sites, collecting victims’ personal information and card details.

On top of this, the survey usually ends with a request to distribute the site among friends to receive the prize. In such cases, cybercriminals are using the victims themselves as a tool for spreading the scam further. A link sent by people you know seems more trustworthy than one received from a stranger. If the user then follows the link and tries to get their prize, they often find they need to pay a commission or fee first. After this money is paid, the cybercriminals disappear – without rewarding the user.

Fake Rentals
Another popular tactic used to scam travellers is fake rental services. One example includes the offer of a luxury two-bedroom apartment close to the centre of a European capital for just €500 a month. Another seemingly appealing offer is for the rental of an entire four-bedroom house with a pool and fireplace for only €1,000 for the whole month. The reviews describe amazing vacations and hospitable hosts. This encourages users to pay for their month-long stay, but in reality, they end up sending their money to fraudsters.

“Planning a vacation is not easy. People can spend weeks, even months, looking for the perfect place to stay and the tickets to get them there. Fraudsters use this to lure users that have grown tired of searching for great deals. After two years of flight restrictions imposed by the pandemic, travelling is back. But so are travel scams – with intensified scamming activity targeting users through fake booking and rental services. Such attacks are totally preventable, which is why we urge users to be sceptical about overly generous offers. If an offer seems too good to be true, it probably is,” comments Mikhail Sytnik, a security expert at Kaspersky.

To keep yourself protected while planning a vacation, Kaspersky experts recommend:

  1. Carefully look at the address bar before entering any sensitive information, such as your login details and password. If something is wrong with the URL (i.e. spelling, it doesn’t look like the original or it uses some special symbols instead of letters) don’t enter anything on the site. If in doubt, check the certificate of the site by clicking on the lock icon to the left of the URL.
  2. Only book your stay and tickets through the trusted websites of trusted providers. Ideally, type the address of their website manually in the address bar.
  3. Not clicking on links that come from unknown sources (either through e-mails, messaging apps or social networks).
  4. Visiting the business’ official website if you see a giveaway offered in e-mail or on social media by a travel company or an airline to confirm the giveaway exists. You should also carefully check the links the giveaway ad leads you to.
  5. Using a good security solution that can protect you from spam emails and phishing attacks. We recommend Kaspersky Security Cloud.
Continue Reading

Latest Reviews

Follow us on Facebook