I work with a wide variety of people, from home users to various sizes of small businesses. A common issue I see is poor password security. Passwords have been used since some of the earliest computer systems in order to keep people out of areas they shouldn’t be in. They are in essence a padlock on your stuff. The problem is a lot of people use a master key for all their padlocks and their padlocks are about as strong as a little luggage padlock. Perhaps you are also guilty of re-using variations on the same password like your dog’s name, the town you were born in, or even your phone number. The problem with these passwords is that they are fairly easy to guess for a hacker.
Don’t think it’s a big deal? Check this out: as a small business owner or even an employee at a business, you probably have an email address @businessname.com, so any mail from you is official business communication. If someone could guess your password, they could access your address list, your sent mail, and all the mail in your inbox. Is there any information in those emails you wouldn’t want getting out? Like profit margin information, price list info, buyout or merger info? There could be a lot of damaging information stored in your email. Now suppose the person who guessed your password decided to send mail to your customers as you, because they can do that now. What if they sent out an offensive email to your entire address book? While they’re at it, they go ahead and change your password so you can’t get into your own mail. Depending on how your mail is set up, an admin might be able to reset the password for you, but it may take a while and you may have to do a lot of damage control before you can get the hacker out. They could access your Facebook page and reset the password because they have access to your mail. How many other online sites would they now have the ability to access and change passwords on, because they have access to your email and can hit that “send me a new password” button on sites? With several of your sites in hand, what kind of havoc and how much trouble could a hacker cause? How much work will it take to recover from the hack and do you have the time?
One of the worst places I see poor passwords used is on a registrar like GoDaddy.com. If you have a domain for your business, then you have it registered somewhere. If your password isn’t extremely secure, a hacker could gain access to your domain, take over your website, your email and anything about your domain. They can redirect your traffic to other sites or just stay quiet and glean as much from your information as they can. It all depends on the intents of the hacker as to how much damage they can do.
I completely understand why people want to use the same password and make it simple to remember. The problem with this is that hackers have automated tools that can run through dictionary searches against your passwords. This is basically trying every word in the dictionary, then trying words with 1 or 01 or 02 and so on at the end, or capitalizing the first letter. All of this can be done on a pretty simple computer in minutes. This is why a good password 1. doesn’t contain any words, 2. has upper and lower case letters, with the first letter not being the only one capitalized, and 3. has numbers and symbols interjected. Something like this: vU5ZQ85u7E is a good, strong password and would survive any dictionary attempts.
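To see why a dog’s name with “01” on the end doesn’t hold up, here is a small defensive audit added as an example (it is not from the original article). It undoes the same simple changes the dictionary tools try, flags reused variations across accounts, and generates a random password that follows the three rules above. The wordlist, account names and passwords are constructed samples.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample wordlist; a real audit would load a far larger one.
WORDLIST = {"password", "rover", "olathe", "dragon", "summer"}

def base_form(password):
    """Undo the manglings described above: capital letters and trailing digits."""
    return re.sub(r"\d+$", "", password).lower()

def falls_to_dictionary(password):
    """True for a listed word (optionally mangled) or an all-digit string."""
    return password.isdigit() or base_form(password) in WORDLIST

def audit(accounts):
    """accounts maps site -> password. Returns (guessable sites, reuse groups)."""
    guessable = sorted(s for s, p in accounts.items() if falls_to_dictionary(p))
    by_base = defaultdict(list)
    for site, pw in accounts.items():
        by_base[base_form(pw)].append(site)
    reused = sorted(sorted(sites) for sites in by_base.values() if len(sites) > 1)
    return guessable, reused

def generate_password(length=16):
    """Random password meeting the three rules in the paragraph above."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw)
                and any(c.isupper() for c in pw[1:])   # not just a leading capital
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)
                and not any(w in pw.lower() for w in WORDLIST)):
            return pw

if __name__ == "__main__":
    # Constructed example accounts, not real credentials.
    sample = {"mail": "Rover01", "bank": "rover2", "shop": "5555550100",
              "registrar": generate_password()}
    print(audit(sample))
```

Run against the sample, the mail and bank passwords are flagged both as guessable and as variations of each other, and the phone number is flagged as guessable.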
Just changing your passwords to make them strong won’t fully solve the problem if you use a spreadsheet to keep track of them or they are on sticky notes on the side of your computer. Case in point: the recent Sony hack was made much worse because a spreadsheet containing information for a number of online accounts was found sitting on a server. This allowed the hackers to go even further with ease. Most of us humans can’t remember passwords like vU5ZQ85u7E unless we use them a lot. So what’s the solution? Use a password manager. A password manager uses encryption to securely store all your passwords under the lock of one good password. So you use one good password to open your password vault and then pull passwords for other sites as needed. There are a number of products out there. Some encrypt your data and then upload it to cloud storage, making it available to any of your devices. Others are for use on a single computer, and the vault doesn’t leave that machine unless you back it up. I have used LastPass, which is an online service, and also KeePass, which is a local-only program. There are other options and I may do a review at a later date, but if you have your business locked down with a luggage lock, I highly recommend that you fix it soon!
“Why Would Small Businesses Be a Target for Malware?”
Malware threats are everywhere. Working with various small businesses a statement I hear too frequently is “We don’t have anything anyone would want” or “I don’t care if we get hacked.” Both of these make me cringe. What they mean is “I don’t think anyone would want our stuff.” You hear about big businesses being hacked and may think they are the only ones who have a lot of information that they don’t want out in the public. In reality, most small businesses have computer data that should be guarded – even if it’s just client lists, or company financials. Imagine what would happen if that information was spread around the internet or if your financial data was emailed to your client list. As a small business owner, you may be using your computer for more than just business. Do you have family photos on your computer? Would you want all of them spread around the internet? Would you mind losing them all? Do you store passwords on your computer in text files, word files, spreadsheets, or just in the browser? If someone could gain access to your Facebook or Twitter account, could they get any of your friends to click on a link that supposedly you sent out? What if your computer were being used for illegal activity and you didn’t even know it? Chances are you can relate to one or more of the questions I have asked, and chances are you would prefer not to be hacked and not to have your information spread around the internet. The intent of most malware is to steal information or gain access to computer resources.
The Scrap Value of a Hacked Computer
Below is a list of tasks a “Hacked Computer” can be used for. This information was pulled from this article: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/ Brian Krebs’s site is a gold mine of security information.
- Your computer could be turned into a Web Server for the following activities.
  - Phishing Site
  - Malware download site
  - Warez / Piracy server
  - Child Porn server
  - Spam Site
- Your computer could be turned into an Email Server for sending out the following mail.
  - Stranded abroad scams
  - Harvesting email contacts
  - Harvesting email accounts
  - Access to corporate email
- Your computer could be used to sell Virtual Goods.
  - Online gaming characters
  - Online gaming goods/currency
  - PC game license keys
  - OS license keys
- Access to your computer and your credentials for Reputation Hacking.
  - LinkedIn
  - Google+
- Your computer could be used for Bot Activity.
  - Spam zombie
  - DDoS extortion
  - Click fraud
  - Anonymization proxy
  - CAPTCHA solving
- Your Account Credentials could be stolen and used for:
  - eBay / PayPal fake auctions
  - Online Gaming
  - Web Site and FTP access
  - Client Side Encryption keys
- Your Financial Credentials could be stolen giving access to:
  - Bank account data
  - Credit card data
  - Stock trading data
  - Mutual funds / 401K accounts
- Your computer or data can be held Hostage with the following attacks:
  - Fake antivirus
  - Ransomware
  - Email account ransom
  - Webcam image extortion
How to Protect Your Information
1. Strong Passwords. With so many ways a computer can be utilized for dark reasons it’s important to be vigilant with your security. The reason to use different credentials on every site you visit is if one account is compromised it’s easier to contain the breach. If you have used the same password or a slight variation thereof on many sites, then you could have multiple accounts compromised and you may never get the genie back in the bottle. If you only access a few sites, you might be able to remember a few good passwords but if you have hundreds like I do, then you should be using a password manager. I will do another article on password managers later. Password Managers come in different flavors but they usually will have a master password that gives access to your vault of other passwords so that you only need to remember the one strong password.
2. Be vigilant. Passwords alone will not prevent all malware. You must be vigilant any time you are online. If your computer is on a broadband connection, and most are these days, you need to take precautions. You should have a properly set up router with firewall and secure WiFi. Your computer should have a firewall in place. You should always keep your software patched and updated. You should not have any software you don’t need on your computer. For example, if you loaded Java for a job or something and you no longer use it, you should uninstall it when done. You should think about your exposure when uploading files to cloud services. You should have strong passwords protecting any online account where you store data. Think about the pictures you upload from your phone to a cloud somewhere. How safe are they? Do you have passwords stored on your phone or tablet? If those were stolen, what could someone gain access to? Email is one of the simplest ways to get a user to give access to their computer. Phishing emails tempt people to open an attachment that may look benign when in fact it’s malicious code waiting for access to your computer. Resist the urge to see that picture someone has of you. Resist the urge to reply to that guy in Nigeria just needing an account to transfer 6 million dollars to. Resist the urge to look at tracking information for a package you didn’t order. Some of them are very clever but they all have the goal of gaining access to your computer and your information.
If you need help securing data, I can help with an analysis of your network infrastructure and by verifying that credentials are not factory defaults. I provide guidance setting up backup solutions and data protection. I can assist in selecting a password manager and helping you use it correctly. If you have security questions I can help. Call 913-893-1123 and ask for Kent.
The revelation that the NSA has been looking at more emails than they probably should be raises the question: how secure are your emails? This will be a multi-part blog about different methods of communication. If you happen to be reading this from outside the USA, then some of this may not pertain to you or it may be even more pertinent. In this country we have the 4th Amendment, which is supposed to guarantee us freedom from illegal search and seizure. Over the years what this actually means has changed with different court rulings. Most of us expect our email and other communications to be hands off and secure. This is a fallacy I hope to correct with this and future articles.
How Secure is your Email:
The short answer is, IT’S NOT! Email was originally developed to send simple text messages between computers. Nothing was encrypted – not even passwords. Today email is still the centerpiece of most online communication. Many services use an email account as the basis of the service. Think Gmail.com, Mac.com and Outlook.com. These are used for a lot more than simply sending and receiving email and using an email account for access to other services doesn’t change the security of the email system. The simple truth is that most email is passed around in a basic text format. So even if you are using a secure connection to pass your mail from your machine to the server, most likely from there to the destination server your mail is passed around and stored in plain text. Anyone with access to the server could view and read your mail. Anyone capable of reading the traffic between servers could read your emails. However, at the server level the volumes of email being processed create security through anonymity that would deter most from trying to find a specific email.
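You can check how a message you received actually travelled by reading its Received headers, where each server records the transmission type it used; under RFC 3848, ESMTPS and ESMTPSA mean the hop was protected by TLS, while plain SMTP or ESMTP means it was not. The script below is an added example, not part of the original article, and the message, hostnames and addresses in it are constructed.

```python
import re
from email import message_from_string

# Constructed sample message; hostnames use reserved example domains.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbox.example.org with ESMTP id 3C; Mon, 1 Jan 2024 10:00:03 +0000
Received: from out.example.com (out.example.com [198.51.100.9])
\tby mx.example.net with ESMTPS id 2B; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop (unknown [192.0.2.44])
\tby out.example.com with ESMTPSA id 1A; Mon, 1 Jan 2024 10:00:01 +0000
From: owner@example.com
To: client@example.org
Subject: price list

Margins attached.
"""

# Transmission type: optional trailing S = TLS, optional trailing A = authenticated.
WITH = re.compile(r"\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP))(S?)(A?)\b", re.I)
BY = re.compile(r"\bby\s+(\S+)", re.I)

def hop_report(raw_message):
    """Return (receiving host, protocol, used_tls) per hop, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Servers prepend their header, so the list is newest first; reverse it.
    for value in reversed(msg.get_all("Received", [])):
        by = BY.search(value)
        proto = WITH.search(value)
        host = by.group(1) if by else "?"
        if proto is None:
            hops.append((host, "unknown", None))   # not an SMTP/LMTP hop
        else:
            name = proto.group(0).split()[-1].upper()
            hops.append((host, name, proto.group(2) != ""))
    return hops

def plaintext_hops(raw_message):
    """Hosts that received the message over a connection not marked as TLS."""
    return [host for host, _, tls in hop_report(raw_message) if tls is False]

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop)
    print("sent in the clear to:", plaintext_hops(SAMPLE))
```

These headers describe transport only and are written by the servers themselves, so an earlier hop could misreport them; even a message that used TLS on every hop is still stored in readable form on each server.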
There are some services that have tried to eliminate this problem. Hushmail is a Canadian secure email provider. They offer several levels of service. It was revealed that a Canadian court forced it to decrypt some users’ emails and turn them over. Hushmail also offers a version of their mail that utilizes a Java applet that runs on the customer’s machine to encrypt the email. This is the most secure method but still has some vulnerabilities if the applet were compromised.
Lavabit, a US-based secure email provider used by Edward Snowden, decided to shut down rather than comply with government demands to divulge information on some of its customers. Silent Circle, another messaging provider, stopped offering encrypted email as well.
The problem with secure emails is that if someone else holds the keys to your security, then the law allows the government to force that provider to cough up the keys and the data. The only protection for a service provider is if they don’t have the keys. This means that if you really want secure email communication you have to encrypt it yourself and pre-share the key with the person you are sending it to.
If you really must send secure data by email be sure it’s encrypted locally. In my next post I’ll discuss some of the other methods of communication and how secure they are.
Is Your WiFi Network Secure?
If you have a WiFi network, and let’s face it who doesn’t, WiFi security is important to you. Most people believe their WiFi connection is secure, but from my experience, some of them aren’t. Most SOHO (Small Office Home Office) routers purchased these days include built-in WiFi. From what I’ve seen, most of the manufacturers are now setting the default security settings to be encrypted. In the not-too-distant past though either WiFi was disabled or it was wide open by default. I still find people who unknowingly operate open WiFi networks. An open network is just that, it’s open like an unlocked front door. It allows anyone to connect to your network without a password. Once connected, a person may connect to the internet and use your connection, and they may try to access your computers also located on the network.
We all like those restaurants and other businesses that offer FREE WIFI, but they do that to attract customers. When it comes to your business or your home, you probably don’t want those types of customers. If you are a business that wants to offer free WiFi, then you need to take precautions so that the free portion is not directly connected to your secure side. If you don’t know what that means, then you definitely need to read on!
Piggybacking is the term used to describe using an internet connection without permission. Using up your bandwidth may not seem that bad unless you have limited bandwidth or are paying for data on a hotspot device. Now for a little tin foil hat time. It’s not unheard of for law enforcement to get their hands on the browsing records of an internet account. If you have been sharing your account, knowingly or not, anything searched for and/or downloaded via your account is on your record. So if someone has been looking for ways to knock off their boss while connected to your network, that is now associated with your account.
Gaining access to your network also means access to all the computers and devices on that network. If someone has access to your network they can then attempt to access any computer on that network. With poor or no passwords on many computers, that potentially gives access to your files stored on your computer. Once access is gained your pictures, movies, bank info and whatever you have stored on your computer can be viewed. Depending on the level of hacker you have allowed onto your open network and how much time they have, it’s hard to say what they could access. Once on the inside it’s possible to lock you out of your own network.
You might be thinking, “None of my neighbors are hackers and they all have their own internet access. My WiFi is only visible if they were sitting on my driveway, so I am pretty safe.” While anonymity and distance are a security plus for WiFi, they don’t eliminate the problem. With a simple device that can be constructed or purchased, your WiFi can be accessed from up to 2 miles away. The device is called a cantenna and they really work. The word is derived from can and antenna because it is an antenna placed inside a can. This changes the omnidirectional WiFi antenna into a directional antenna. Once the signal is directed it can be accessed from much farther away.
If you still want to operate an open WiFi hotspot for customers you can, but you might want to lock it down with a simple access code like “guest”. That way the casual passerby looking for open WiFi won’t take notice. Your customers who are inside, hopefully paying for your services, can see your sign posting the access code. This will help reduce your usage to your actual customers. If you have computers that you conduct business on at the same location, you will want to separate the guest network from the business network. For home offices or just home usage there is no reason you would want an open WiFi system. It would be like leaving the front door open all the time.
If you need help setting up a wireless network or want to be sure you are locked down please contact me.