
How to Protect Yourself from Password Hacking – Two-Factor Authentication – (Because Just a Password Is Not Enough)

Let us start with a reality check: passwords are stolen and cracked all the time. Proactively protecting yourself against password compromise is a must.

Passwords are compromised in several ways: they are stolen in breaches of the services that store them, exposed through careless user behaviour (reuse, sharing, writing them down), captured by phishing pages, or simply guessed from information that is freely available on social media and elsewhere: birthdays, the names of children, relatives and pets, school names and so on.

Even if you are a careful and responsible user who chooses only strong, unique passwords, you are still exposed to a breach on the server side, which is entirely outside your control: if the service that stores your password is broken into, your password is exposed through no fault of your own.

You need a password anyway, so choose it wisely:

  • Choose a password that is not connected to you in any direct way, nothing an attacker could find on your social-media profiles. Length matters more than cleverness: a long phrase is much harder to guess than a short, tricky word
  • Mix letters, numbers and at least one symbol, but do not rely on simple substitutions such as "P@ssw0rd"; those are the first thing a password-cracking tool tries
  • Use a different, unrelated password for every sensitive account (bank, Facebook, eBay and so on), so that if one password is compromised your other accounts still remain protected
  • Be especially careful with systems where a compromise causes direct financial damage, such as banks, PayPal, etc.

How can you protect yourself ?

You cannot depend on your password alone; you should also use an additional authentication method.

Two-Factor Authentication (2FA, often called two-step verification) is based on requiring two independent proofs of identity before access to the system is granted:

  • Something you know: your PASSWORD
  • Something you have: an additional verification code, for example a one-time code sent by text message or generated by an app on your mobile phone

Access to the system must require both factors, so that even if the password is lost or stolen and falls into the hands of an unauthorized person, the account cannot be accessed without the second factor as well.


The Way It Works:

Take Gmail as an example: if you have enabled two-step verification for your Gmail account, you type in your password and immediately afterwards you are asked for a code that is sent to your mobile phone by text message.

Why It Works:

Two-factor authentication raises the bar for proving your identity and makes it much harder for a stranger to break into your account.

In most cases two-factor authentication relies on your mobile phone, using either text messages or a dedicated authenticator app.

  • The second factor travels over a separate channel, so an attacker who has only your password (for example from a breach of a website's database) has nothing to type into the second prompt. Note, however, that text messages are the weakest form of second factor: a criminal who persuades your mobile operator to move your number to a new SIM ("SIM swapping") receives your codes. Where a service offers an authenticator app or a hardware security key, prefer those over SMS
  • Your mobile phone is normally in your direct, personal possession, so the verification code reaches you and nobody else, confirming that the person entering the password is really you

In this way a two-factor system gives strong assurance that the person typing in the password is you, and not an impostor.

Two-Factor Authentication – two barriers for the hacker:

Two-factor authentication forces the attacker to defeat two independent barriers at the same time. This makes the attack far harder and far more expensive, and in most cases (notably the automated attacks that replay passwords leaked from other sites) it is enough to make the attacker move on.

Activating it – for a private user:

These days most popular websites and applications, such as Gmail, Facebook and Dropbox, have two-factor authentication built in; you only need to turn it on.

Below you can find the activation links:

Facebook https://www.facebook.com/note.php?note_id=10150172618258920

Gmail https://support.google.com/accounts/answer/180744?hl=en

Dropbox https://www.dropbox.com/help/363


Activating it – for a business user:

These days a business has no excuse for not securing its systems, since two-factor authentication can be integrated into almost any business or office system.

It is now possible to add two-factor authentication even to SSO (Single Sign-On) systems, combining the management and security capabilities of an Active Directory environment with the protection of a second factor.

Here is a list of business services into which two-factor authentication can be integrated:

  • Active Directory (logon to the operating system)
  • Terminal Server
  • Outlook Web Access
  • VPN
  • ERP systems
  • CRM systems
  • All of Microsoft's Azure / Office 365 products have a built-in two-factor authentication option
  • Fortinet offers integrated two-factor authentication in most of its products, using its own cloud service as the verification back end, so no separate RADIUS server needs to be deployed

Below is our demo clip of the SecurEnvoy application, which enables 2FA across a full AD environment; it shows access to a workstation, a terminal server and OWA.


Protecting Your Data In The Age Of Mobile

Today one of the main tasks for every organization is achieving maximum protection for its data while keeping that data fully accessible and mobile. Protecting the data has become the responsibility of both the users and the organization that holds it.

The complexity, and the problems that follow from it, come from the following chain:

increased mobility improves employee productivity, which leads to wider dispersal of data, which in turn increases the chance of a damaging data leak.

Below, I will focus on the example of the widely used DROPBOX tool.

The challenges grow as the tools that provide accessibility and mobility improve. DROPBOX is a good example: it gives users effective access to their data while keeping integration and training effort to a minimum. Users like it and work with it extensively, since it lets them reach their data from any mobile device anywhere, and work OFFLINE as well.

I do not doubt that DROPBOX is a very effective tool that can significantly increase employees' productivity. For example, a salesperson can quickly prepare a price quote while on the move, using a mobile device, and instantly share it with co-workers; that is quite an achievement!

So if that is true, why has DROPBOX earned such a bad reputation among IT managers as a tool that contributes to harmful data leakage?

This is first and foremost an issue of control!

DROPBOX can lead to a loss of control, with the result that restricted files leak outside the organization.

It is important to note that the same problem can occur in any Windows Server environment, but the ease of use of DROPBOX makes it happen much more often.

How do we stay in control?

The newer and more sophisticated product, DROPBOX FOR BUSINESS, does offer advanced controls: compartmentalization, two-factor authentication, control over external sharing, centralized file management and Active Directory-based authorization management (the last through an additional third-party tool).

Is all this enough?  Sadly, no…

All these features protect your data only as long as your employees are honest and careful; dishonesty or carelessness easily leads to leakage regardless. In addition, these controls do nothing for a device in OFFLINE mode, which matters most exactly when a device is misplaced or stolen: the synchronized files are already sitting on it.

The protection should be applied to the files themselves, not to the outer envelope that contains them. Encryption and access control at the file level keep a file protected at all times, whichever device or application it is opened in:

  • PC/laptop
  • Smartphone
  • Tablet/PDA
  • DROPBOX
  • SkyDrive

Microsoft's RMS (Rights Management Services) and more advanced tools, such as Secure Islands IQP, provide encryption solutions that focus on safeguarding the files rather than the outer shell, which is proving so difficult to protect nowadays.

The mobile devices themselves should be encrypted, so the data will still be safe even in case of lost or stolen devices.

  • For laptops: full-disk encryption such as BitLocker, managed centrally so that it cannot be switched off by the user
  • For mobile devices such as smartphones and tablets: one of several centrally managed MDM tools that can enforce device encryption from a central console

All your mobile devices should have centrally enforced encryption, so that losing a device does not mean losing the data on it. This is an effective way of protecting your data.

Conclusions:

  1. A classified file that has been properly encrypted, with a tool such as Secure Islands IQP, can travel on all kinds of media and devices: office computer, tablet, home computer, mail program, DROPBOX. In every case only a person authorized for that file can open it
  2. A standard (unencrypted) file that DROPBOX has placed in its offline cache on a mobile device is still protected if the device itself is encrypted as described above, even if the device is lost or stolen

So, can DROPBOX on employees' tablets be reconciled with the organization's data-security rules? The answer is YES, provided the IT system is designed correctly, using modern data-protection methods.

Eli Migdal, CEO of Migdal Computing Solutions LTD

Visit our Information Security page for more information and find out how we can help you.


How to Defend Yourself From Phishing

Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. It is important to learn how to defend yourself from phishing, because criminals use this tactic constantly.

The criminals' most popular approach is to set up a decoy website that looks like the legitimate website of a well-known company, in order to harvest your password.

Phishing is mostly performed through e-mail messages, so we, as computer users, should know how to protect ourselves from this danger.

The Way It Works

A criminal sends you an e-mail with a link that appears to lead to the website of a respected, legitimate company such as PayPal, Google or eBay. The subject line is designed to scare you into following the link to check whether you have a problem.

After you click the link you are taken to a web page that looks very much like the legitimate company's page, but is in reality a decoy page built to entice you into revealing your password and other personal information.

How It Looks

Below is a real-life example of phishing that I encountered a few weeks ago. I would like to use it to show how knowledge and awareness protect you from this scam.

The usual protection mechanisms, such as anti-virus programs and e-mail filters, generally start blocking such e-mails 12 to 24 hours after a new campaign appears. If the message reaches you BEFORE your protection has learned to recognize it, it lands in your Inbox. So do not trust your anti-spam filter blindly; it cannot be 100 percent foolproof.

The e-mail message, appearing to come from PayPal, declared that "your account has been restricted, immediate action required"; the idea is to scare you into following the instructions in the message.

The sender address was crafted to look like a legitimate PayPal address, and the whole message was made to resemble genuine PayPal communication.

Below you can see the screenshot showing what this looks like:

Please note how much the criminals invest in the small details that make the message believable: it includes the full company details of PayPal Inc. as well as the trademark logo.

How We Should Deal With The Threat

First, stay calm and think clearly.

If you are really worried that there might be a problem with your PayPal account (if you have one), go to the PayPal website DIRECTLY by typing its address into your web browser, instead of using any link in the suspicious e-mail.

Please do not be lazy: type the full web address into your browser's address bar yourself. In this case: https://www.paypal.com

The link in the e-mail is the trap; the scammers are counting on you to follow it. So the most important lesson is: never follow a link in such an e-mail. Use the browser's address bar to reach the real company website.

Why Do Criminals Invest So Much Effort In Generating Those E-mails?

The moment you follow the link and type your details into the decoy page, the swindlers have your username and password. From that minute on they can use them to access your real PayPal account, and probably your other accounts as well, because many people reuse the same username and password across different services.

Here is a piece of advice from me: use different usernames and passwords for different services! Yes, it makes your life a bit more complicated, but your data will be much safer as a result.

What If I Did Not Pay Attention, And Followed The Link Anyway?

As usual, the devil is in the details!

1. The address of the decoy website will never be paypal.com with a lock symbol next to it: the criminals cannot obtain a certificate for the real paypal.com, which is exactly why they register look-alike domains instead.

a. This is what a legitimate address looks like:

b. Read the address only up to the first slash after the domain name. That part is the host name, and it is the only part that tells you who you are talking to; everything after the slash is just a path on that site.

c. Make sure there is a lock symbol next to the address. It shows that the connection is encrypted and that the site holds a valid certificate for the name displayed. Note, however, that criminals can obtain a valid certificate for their own fake domain just as easily, so the lock is only meaningful together with the correct domain.

2. The right web address is www.paypal.com. Criminals cannot make their page appear under that name, so they try to make you overlook a slightly different one.

3. The fake address of a decoy website is usually made to look very similar to the real one, for example: www.paypal.com.secureconnectionpaypal.com

Note that the fake address does contain the words paypal.com, but only as a SUBDOMAIN. The final domain, the last two labels of the host name before the first slash, is "secureconnectionpaypal.com", a domain registered by the bad guys. The final domain IS what determines the identity of the web page.

Please remember: always look at the final domain, otherwise it is very easy to make a mistake. The real PayPal site's pages will always have a host name that is paypal.com or ends with ".paypal.com"; "notpaypal.com" or "paypal.com.anything-else.com" do not qualify.
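The "final domain" rule above is easy to state and easy to get wrong when done by eye, because the browser also lets a URL carry a user name (the part before an "@") and a port, both of which can be used to push the real host out of view. The following is an added example, not code from the original post: it applies the rule to the parsed host name, compares it against the sites you actually use, and contrasts it with the naive "does the link contain paypal.com" check that the decoy address is designed to pass. All URLs are constructed samples, and the trusted list is an assumption for the demo; for country-code suffixes such as .co.uk the two-label rule needs the Public Suffix List instead.

```python
"""Added example: checking a link's final domain the way the post describes,
on the parsed host name rather than by eye. Not from the original post.
Sample URLs are constructed; the TRUSTED set is an assumption for the demo."""
from urllib.parse import urlsplit

# Domains you actually bank or pay with (assumed for this example).
TRUSTED = {"paypal.com"}


def host_of(url: str) -> str:
    """Host name only: scheme, user info (the part before '@'), port and path
    are all discarded, so 'https://www.paypal.com@evil.example/' -> 'evil.example'."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def final_domain(url: str) -> str:
    """The last two labels of the host name, e.g.
    'www.paypal.com.secureconnectionpaypal.com' -> 'secureconnectionpaypal.com'.
    Caveat: for suffixes like .co.uk use the Public Suffix List instead."""
    labels = host_of(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def is_trusted_link(url: str) -> bool:
    """True only for an https link whose final domain is one you trust
    (the lock alone proves nothing about *who* you are talking to)."""
    return urlsplit(url).scheme == "https" and final_domain(url) in TRUSTED


def looks_trusted_naively(url: str) -> bool:
    """The check a hurried reader performs: 'it says paypal.com somewhere'.
    Kept here only to show how the decoy address defeats it."""
    return "paypal.com" in url.lower()


SAMPLE_LINKS = [  # constructed examples, not real sites
    "https://www.paypal.com/signin",
    "https://www.paypal.com.secureconnectionpaypal.com/signin",
    "https://www.paypal.com@evil.example/signin",
    "https://www.paypal.com:443/signin",
    "http://www.paypal.com/signin",
    "https://notpaypal.com/signin",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link}\n   final domain: {final_domain(link):<30} "
              f"naive: {looks_trusted_naively(link)!s:<5} correct: {is_trusted_link(link)}")
```

The fourth sample shows why the check works on the parsed host rather than on the raw string: a port (or a long path) does not change the host name, while the second and third samples show the two tricks, a look-alike parent domain and a user-info prefix, that make the naive check say yes when it should say no.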

Summary

1. The thieves count on us being inattentive, so that we do not use our common sense to check the authenticity of the message

2. Never follow a link in a message that tries to scare you or to entice you with the promise of quick financial gain; if in doubt, go directly to the legitimate website by typing its address into your browser

3. Always check the final domain, and then the lock symbol, which every page with a payment facility must have. Remember that the lock only confirms an encrypted connection to the site named in the address bar; it is the domain that tells you whether that site is the real one

Provided as a public service by Migdal Computing Solutions LTD

For more information on ways we can help you (and your computers) stay safe and defend yourself from phishing, visit our Information Security Services