Category Archives: Password

Strong passwords (or phrases) can keep you safe.

Strong passwords (or phrases) can keep you safe.

(Photo from – https://thehackernews.com/2016/07/best-password-manager.html)

Many of us have taken cyber security trainings that encourage us to use special characters such as the @ symbol for an “a” or $ for an “S”, however cyber-criminals have developed technology that can help them crack passwords that use these tactics.

  • Consider a passphrase instead.
    • Passphrases are a series of unrelated words that are being used in place of our traditional passwords ( 8 characters 1 capital and special character).
    • For your passphrase to be strong and secure be sure to use at least 4 unrelated words.
    • ILoveYorkiePuppies can still be cracked if the cyber-criminal has done their homework.
  • Too many passwords, and not enough memory?
    • Consider using a reputable password manager.
    • These services allow you to store your information for several sites securely
    • There are several options available, as with any software there are free and paid versions available.
    • Do your homework and find one youll feel confident using.
  • A few highly rated free versions include:

Detailed information regarding device security and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you believe your device has been infected or compromised, please contact IT Customer Care at (718) 817-3999 or HelpIT@fordham.edu

Backup all of your devices, and do it often!

Backup all of your devices, and do it often!

(Photo from – https://www.fusionspan.com/backup-disaster-recovery-small-office/)

Backing up your files can help you if you are ever a victim of a cyber-crime.

  • Regular backups can help
    • Recover files that may have been ransomed or corrupted
    • Allow you to do a full wipe of a defected device
    • Ensure even in an accident ( such as water damage) your important files are safe to be recovered
    • Keep your device running smoothly
    • If you are doing regular backups you can go through and update important files and delete those you no longer need, therefore freeing up space and allowing your device to run effectively.
  • There’s more than one way to backup your important files
    • Create a backup or system image directly on the device.
    • Use reliable cloud storage.
    • Consider a portable device.
    • USB Flash Drives can be useful.
    • Consider the amount of data you are backing up and if it needs to be encrypted or not
    • Many options and sizes are available to meet your needs.
    • Ideal if you do not have a need to store a large amount of files.
    • USB’s can be easy to loose, consider password protection.
    • Remember the smaller the USB drive (in physical size not GB) the slower it maybe.
    • Portable External Hard Drives.
    • Have recently become more affordable
    • Also come in many different sizes, colors, and styles to meet your needs
    • Can be password protected and encrypted as well.
    • Would be ideal if you have a need to store a large amount of files as many being at 1TB

Detailed information regarding device security and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you believe your device has been infected or compromised, please contact IT Customer Care at (718) 817-3999 or HelpIT@fordham.edu

Keep your mobile device safe!

Keep your mobile device safe!

(Photo from – https://www.thompsoncoburn.com/insights/blogs/cybersecurity-bits-and-bytes/post/2016-09-28/the-serious-security-vulnerabilities-of-mobile-devices)

  • Don’t think you’re device is safe from cyber-attacks or criminals.
    • Mobile devices are just as susceptible to the same types of attacks.
    • Including malware and phishing.
  • Use the same security on your mobile device as you would your personal or business computer.
    • Use a strong password
    • Passphrases are strong and hard to crack, use 4 or more unrelated words to create a difficult password for your device.
    • Such as PumpkinMovieCarStar
    • Alternate the letters you capitalize for additional protection, or add a special character as well.
    • It may take longer to log in, but it will ensure your device is secure
  • If you have a newer mobile device fingerprint recognition as well as facial recognition may be available.
    • Using these options allow you to unlock your device quickly, while ensuring it can’t be accessed by another party.
    • When using fingerprint recognition remember it allows you to store more than one print. Consider using one finger on each hand for ease of use.
  • If it connects to the internet, it should be protected.
    • Tablets, iPads, and net books can also be compromised.
    • Password protect these devices, encrypt important data on them
    • Do not save your user names and passwords on them.
    • Consider a password management system
    • Do not download applications from untrusted sites.
  • If your device has been compromised contact Fordham IT.
    • Contact Fordham IT and provide them as much information as you can.
    • Fordham IT will work with public safety and local law enforcement to help you attempt to recover your files and protect you from future attacks.

Detailed information regarding device security and other IT security topics are available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at fordhamsecureit.blogspot.com

If you believe your device has been infected or compromised, please contact IT Customer Care at (718) 817-3999 or HelpIT@fordham.edu.

 

Yahoo says all three billion accounts hacked in 2013 data theft

(Reuters) – Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc (VZ.N).

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in U.S. federal and state courts, according to company securities filing in May.

John Yanchunis, a lawyer representing some of the affected Yahoo users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients’ claims.

“I think we have those facts now,” he said. “It’s really mind-numbing when you think about it.”

Yahoo said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced Yahoo to cut the price of its assets in a sale to Verizon.

Yahoo on Tuesday said “recently obtained new intelligence” showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.

Many Yahoo users have multiple accounts, so far fewer than 3 billion were affected, but the theft ranks as the largest to date, and a costly one for the internet pioneer.

Verizon in February lowered its original offer by $350 million for Yahoo assets in the wake of two massive cyber attacks at the internet company.

Some lawyers asked whether Verizon would look for a new opportunity to address the price.

“This is a bombshell,” said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo’s former leaders over disclosures about the hacks.

Verizon did not respond to a request for comment about any possible lawsuit over the deal.

Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.

In August in the separate lawsuit brought by Yahoo’s users, U.S. Judge Lucy Koh in San Jose, California, ruled Yahoo must face nationwide litigation brought on behalf of owners accounts who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expanding its allegations.

Also on Tuesday, Senator John Thune, chairman of the U.S. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc (EFX.N) and Yahoo. The U.S. Securities and Exchange Commission already had been probing Yahoo over the hacks.

The closing of the Verizon deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The company paid $4.48 billion for Yahoo’s core business.

A Yahoo official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.

The company said it was sending email notifications to additional affected user accounts.

The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.

The investigation underscores how difficult it was for companies to get ahead of hackers, even when they know their networks had been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.

Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers’ tracks.

“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to.”

Source: https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1

Tip #6 Set Strong Passwords

PasswordChalkBoard

Setting a strong password is the first line of defense when trying to protect your personal data and devices. Strong passwords are typically long, unique, hard to guess, and incorporate numbers, random words, and special characters. Using common words or easily guessable information about yourself and your lifestyle is not recommended.

Consider changing passwords regularly and using different passwords for different accounts. This will prevent attackers from having access to all of your accounts immediately after compromising one password.

Some common password tips include:

  1. Use a unique password for each of your important accounts.
  2. Use a mix of letters, numbers, and symbols in your password.
  3. Don’t use personal information or common words as a password.
  4. Make sure your backup password options are up-to-date and secure.
  5. Keep your passwords secure.

 

Article: Smoking vs. Weak Passwords

“A study revealed that government spent $48 million on anti-smoking campaigns. Every year same or higher amount of money is spent on such campaigns. Government still allows its sales though smoking is injurious to health

Why talk about advertisements and sale of cigarettes and what does it have to do with weak passwords?

Like smoking, weak passwords have consequences. CISO’s and security professionals spend thousands if not millions of dollars on awareness but still allows weak passwords.

Security professionals those protecting Organizations, leave many applications allowing users to enter weak passwords. Problems of weak passwords are higher where Organizations allows Shadow IT applications. Many e-commerce websites accept weak passwords in favor of better user experience.

A strong password is a default necessity to increase our chances to stay protected. Yet, in a recent study, “123456” and “password” remains most popular password in the year 2014 and 2015.  Not only CISO’s but end users too needs to understand the dangers of weak passwords. But, sometimes “Ignorance is bliss” costs.

Password strength vs. User experience is going to be a never ending debate. But as security professionals, we need to analyze risks and favor strong Passwords.

Government have powers to ban cigarettes so do CISO’s and security professionals. Security managers too have powers to enforce strong passwords or make two-factor authentication mandatory.

It is clear that just awareness is not enough to reduce exposure on weak passwords. Perhaps, awareness must include real-life cases of breaches due to weak passwords. Just like cancer patients are cast for anti-smoking advertisements!”

Source: https://www.linkedin.com/pulse/smoking-vs-weak-passwords-vishant-pai

Article – Your Secret Questions Are Just as Terrible As Your Passwords

A recent article from PC Magazine highlights research from Google surrounding the limited effectiveness of secret questions for account recovery:

“Not being able to remember your secret question responses is
annoying, but Google said the bigger concern is hackers who try to
hijack accounts using “mass guessing attacks.” With weak answers, it’s
not that difficult: a 2009 report from the Institute of Electrical and
Electronics Engineers said that researchers guessed about 10 percent of
people’s answers by using common responses.

In an era of openness, meanwhile, where your every move is chronicled
online, it’s not hard to find things like place of birth, mother’s
maiden name, or high school mascot by trolling a Facebook or Twitter
account. This type of scenario is potentially how hackers gained access to
celebrity iCloud accounts last year. “Certain celebrity accounts were
compromised by a very targeted attack on user names, passwords, and
security questions, a practice that has become all too common on the
Internet,” Apple said in a September statement”

Tips for Safe Password Sharing

Source: http://www.pcmag.com/article2/0,2817,2484538,00.asp