Blog

July 8th, 2015

Love them or hate them, selfies are here to stay. And with facial recognition technology becoming both more advanced and more mainstream, selfies have now found their way into the online security world. MasterCard is the most recent global corporation to join in on the trend. Here’s how they’re planning to integrate facial recognition technology into the online payment process.

At the beginning of this autumn, MasterCard will acquire the help of 500 customers to test out a new application that enables people to verify their identity and authenticate online transactions with a facial scan. What does this mean? Instead of using a traditional password at the online checkout, MasterCard wants to give you the option to snap a selfie instead. According to the credit card giant, they’ve partnered with every smartphone company in the business to make this mode of identity verification possible.

Why is this happening?

A quote from Ajay Bhalla, security expert at MasterCard, suggests this is an attempt by the credit card giant to appeal to a younger crowd of digital natives. "The new generation, which is into selfies...I think they'll find it cool. They'll embrace it," Bhalla recently said.

That said, the “cool” appeal to youth is likely not the only reason for this change. The firm is likely attempting to make online purchases both more secure and more convenient.

How it works

To use this technology, users will have to download a dedicated app, which they can then use to take a photo of themselves at checkout. But how does MasterCard prevent a thief from using a photo of you to fake your verification? Simple - the app requires you to blink to prove that you’re a living, breathing human being.

However, it’s been noted by critics that, in today’s technological world, even a blink can be animated on a static photo. This leaves those of us with security concerns wondering whether MasterCard will make this app more secure before it’s released.

Note as well, though, that MasterCard is not getting rid of traditional passwords completely. Users will still have the option of the more conventional method of verification, as well as the choice of fingerprint scanning to check your identity.

Is this where the future of online security is headed?

With the release due later this year of a similar Windows 10 security application to identify users using biometrics, it appears that this is where the future of online security is headed. And with ever more applications and online services requiring a password, it is becoming increasingly difficult for the average web user to create one that is both unique and secure for each individual service. So whether it’s facial recognition, a fingerprint scan or some other technology that’s yet to be perfected, it seems as though some sort of more advanced security solution is inevitable.

Want more of the latest security news? Looking to implement new security to protect your IT infrastructure from cyber threats? Get in touch today.

Published with permission from TechAdvisory.org. Source.

Topic Security
June 1st, 2015

If your business is lacking adequate security protection, the doors are wide open to an attack from outside. To make things worse, security threats are constantly evolving and developing, rendering them more difficult to keep up with. At least Google is on your side - its recent introduction of physical Security Keys for Drive for Work users means an extra layer of safeguarding for the cloud-based data files you rely on to power your organization.

Google already offers security precautions like two-step authentication, which provides additional protection by requiring you to enter not only your password but also a one-time code received by SMS or similar. This is a crucial weapon in the fight against hackers, since weak usernames and passwords are still the primary reason for accounts being breached. Security Keys now take things one step further, strengthening your Google Drive account’s coat of armor to an even greater extent.

The Security Key is a physical USB device that is plugged into your computer, and which sends an encrypted signature, instead of a password or other code, to verify your identity and permit you access to your Google account. Crucially, Security Keys are inexpensive - starting from around $6 per unit - and require no additional software for deployment, use or management. Administrators have the ability to track when and where each key is used, as well as being able to disable them if lost and issue backup codes to allow staff uninterrupted access even if they do misplace their key.

Simplifying the login process is also a key part of what Google has tried to achieve with Security Keys. To that end, the first time you use your key to access your Google account on a particular computer, you can opt for Google to remember that device. On subsequent occasions you can quickly sign in using only your password, and without requiring either your key or a two-step authentication code. You can still sign in using your key on other machines, and if a hacker tries to access your account without your key they will also be prompted for a two-step verification code (which, unless they have access to your cell phone, they shouldn’t be able to provide).

Security Keys aren’t an entirely perfect solution, though - there are some significant limitations to the technology. For one, you can’t use them on mobile devices, since they require a USB port to work, and they only allow you to access your Google account through the Chrome browser. Windows, Mac OS, ChromeOS and Linux operating systems are all supported, but if you’re working from your phone or on a browser other than Chrome then you’ll need to continue using two-step authentication. Google says you can mix and match different methods of verification, opting to use Security Keys where they are supported and two-step verification otherwise (or if you don’t have your key with you).

What’s more, only Google Drive currently supports Security Keys - it’s not yet possible to use them with Google Apps, for example. But, while the technology is primarily targeted at Google Drive for Work users, it’s possible to link a single key to multiple accounts, meaning you can use it to access both your work and personal Google accounts. Some users have also queried how much of a safeguard the technology really provides in the absence of an additional PIN code or fingerprint authentication being required for activation, suggesting that a stolen Security Key could be used to access a computer that a user has previously asked Google to remember. But Security Keys do appear to offer at least some additional protection, which will be of comfort to businesses handling sensitive data.

Give us a call to find out how to employ Security Keys and other technology solutions to bolster your protection against network intrusion and data breaches.

May 13th, 2015

Cloud computing marketing can be deceiving. When you see an image of the cloud, it’s often a happy, bubbly white puffball floating delightfully in front of a blue sky background. Its presence is both calming and reassuring, and makes you believe that anything is possible. Security would never be an issue, right? Ask one of the nearly seven million Dropbox users who had their accounts hacked, and they’ll give you the definitive answer. While it’s worth noting that not every cloud provider has had security breaches like Dropbox, the point is to be aware that cloud security is not something to be taken lightly. Here’s what you can do to protect yourself as a business owner.

The cloud is playing more and more of a significant role in business. Yet, as more companies jump on the bandwagon, very few of them seem to be taking cloud security seriously. According to a recent survey, the "Security of Cloud Computing Users Study", only 50 percent of those surveyed had investigated the security of the cloud services they used.

To ensure you put in place proper security measures when beginning your cloud venture, here are five actions every small business owner should take.

Ask your IT provider what cloud security policies they have in place - this is probably the single most important security measure you can take. Find a trusted IT provider and have a candid conversation with them about their cloud security policies.

Ask where the physical cloud servers are located - when you have “the conversation”, don’t forget to ask about this. Believe it or not, some cloud servers may not even be stored in your own country. Wherever they are, it’s wise to make sure they’re located in a safe data center area with proper security afforded to them.

Create unique usernames and passwords - your login credentials represent one of the cloud’s main security vulnerabilities. Take the time to come up with a better password than “12345” or “football.”

Use industry standard encryption and authentication protocols - IPsec (Internet Protocol Security) is a reliable technology choice.

Encrypt data before it’s uploaded to the cloud - whether you do it yourself or your cloud computing provider does it for you, this is a must to ensure security.

When it comes to trusting the security of a cloud service provider, transparency is key. The provider should take security seriously, be able to explain their security policies clearly, and be willing to answer any questions. If they can’t do one of these, it’s a clear red flag.

Are you ready to talk cloud security and transition your business into the cloud? Call us today. We’re happy to answer all your questions.

April 29th, 2015

Business data is something you can’t afford to lose, since it could lead to you losing the trust of your clients, resulting in loss of revenue. And since the hackers aren’t going anywhere, it’s more important than ever to employ security measures to protect your business data. It’s true that some hackers might be so determined and skilled that no simple security methods will ever prevent them from violating your company’s data. But it’s well worth a try to implement these methods to protect your business data from most attacks.

Get rid of passwords

We are all accustomed to setting passwords to our online accounts, and the tip is always the same - set strong passwords, and change them regularly. But according to Verizon, a global communications and technology leader, a quarter of data breaches analyzed in this year’s report could’ve been stopped if the victimized company had applied more than a password in its defenses. The problem is that passwords can be used with any computer, which is why companies like Facebook and Google have replaced passwords with USB tokens. Tokens, when plugged into a company’s computer, act as a verification device and an extra layer of security.

Encrypt all data

Encryption is a great obstruction to hackers, since it scrambles and descrambles data each time someone tries to read it. Encryption also causes compatibility issues if the data is not being accessed via the company’s own network systems. While applying encryption can be costly, it is certainly well worth the money if it can protect your business data from leaking into the wrong hands.

Keep systems up-to-date

The technology world is moving at a fast pace. Hackers are always upgrading their tools to take advantage of outdated security systems, and so companies should do likewise to protect their valuable resources. Yet many companies who use software don’t install updates immediately. If the update intends to close security loopholes, delaying an update exposes you to external attacks. So install software updates as soon as they come out in order to give hackers no reason to penetrate your systems.

Back up frequently

Although you’ve implemented several security layers to your data, sometimes hackers can find their way in. This is why you need to back up data frequently, whether it’s on-site, off-site or by way of cloud backups. In the worst-case scenario if your systems do get infiltrated, you can restore lost data from those backups and quickly strengthen security.

Monitor connectivity

Many businesses have no idea how many computers they have, so it’s very hard to keep track of which computers are online. Sometimes a company’s computers and servers are online when they don’t need to be, making them a tempting target for attackers. With that in mind, it’s advisable to configure business servers properly, ensuring that only necessary machines are online and that they’re well-protected.

It’s much more expensive to fix a data breach than to prevent one. If you’re looking to check your business IT systems for potential threats, contact us today and we can help.

April 15th, 2015

There are things that all of us hold dear to our hearts: family, a stable career, and our smartphone and tablet. Okay, maybe those last two aren’t as important as the others. But still, your smartphone or tablet is likely an integral part of your life. And you’re probably using them to foster that stable career or family life. So when your device becomes infected, what should you do? We’re specifically talking Android, and we’re going to show you six steps to take when you suspect infection.

The lowdown on Android viruses

First off, let’s just put some things out there and clear the air. One, getting a virus on your Android product is actually incredibly rare. Two, when you see pop-up ads prompting you to buy a virus removal app, don’t freak out. This doesn’t automatically mean your device is infected. In fact, buying one of these apps could actually get you a virus! This is because all Android viruses are contracted via apps you install on the device. Which means the safest way to avoid getting one is to only install apps from the Google Play app store. If you must buy one outside of this, it’s wise to do your research first.

Before we get to what we think is the best solution, there are alternative ways to remove a virus that should be noted:

  • Use antivirus apps from Google Play - a lot of these are free and will detect and remove malicious apps, but some have a tendency to report apps as infected when they’re actually completely fine.
  • Perform a factory reset - if there’s a virus on your phone, this is a surefire way to remove it. However, in doing so you return your phone to its original factory settings. That means you’ll lose everything you’ve added since then that isn’t backed up.

Now that that’s out of the way, let’s get to the recommended option below.

How to remove the virus

  1. Turn safe mode on: To do this, access the power-off options by pressing the power button, then press and hold Power Off. This gives you the option to restart in safe mode. However, this doesn’t work with all models of the Android phone or tablet. If it doesn’t work with your device, a quick Google will pull up model-specific instructions. And what’s the point of turning on safe mode in the first place? Simple - it prevents any malware from running.
  2. Search for the infected app: Do this by opening Settings and then Apps. Once you’ve done this, be sure you’re looking at the Download tab (since the virus can only be something you’ve downloaded), and then start searching for the suspected app. If you don’t know the virus’s name, it’s likely something that looks out of place.
  3. Uninstall the app: Yes, it’s really that simple. Just click on the suspected app and uninstall it. Then you’re done. But if the name of the app is grayed out and you can’t even tap it, it means the virus has given itself Device Administration Status. In this case, follow the next three steps below.
  4. Remove Administrator Status: Do this by tapping on Settings and Security, then Device Administrators. Simply uncheck the infected app and hit Deactivate on the next screen.
  5. Uninstall the app: Now when you return to the Apps menu, the infected app will no longer be grayed out. Simply uninstall it.
  6. Restart your device: This takes it out of safe mode. Now your phone will be virus-free.

Want more ideas for Android and IT security? Don’t hesitate to give us a call today.

April 1st, 2015

If you think your email is fully protected from hackers, think again. A lack of sufficient email security measures can result in data theft, unauthorized access to sensitive information and the invasion of your computer by viruses and malware. Here are some tips to secure your email account from unwanted intruders and the many troubles that come with them.

Use separate email accounts

Most people use a single email account for all their personal needs. As a result, information from websites, newsletters, shopping deals, and messages from work get sent to this one inbox. But what happens when someone breaks into it? There’s a good chance they would be able to gain access to everything else.

Having multiple email accounts will not only boost your security, but also increase your productivity. You can have a personal account to communicate with your friends and family, another solely for receiving emails from work, and one recreational account for various website registrations and getting newsletters. Wise email users never put all their eggs in one basket!

Set strong passwords

Too many email accounts have predictable passwords. You might be surprised to learn that email passwords like ‘123456’, ‘qwerty’, and ‘password’ itself are still the most common around. For the sake of security, be a little more selective with your passwords. Spending a few moments on coming up with a good password will be beneficial in the long run. Mix upper and lower case letters, numbers, and special characters to form a unique password that makes sense and is memorable to you, but no-one else. Also, never use the same password for all your email accounts. This way, if someone hacks one of your accounts, all of the others are still safe.

Beware of links and attachments

When you see a link in an email, don’t click on it unless you’re expecting the link from a known source, such as from your friend or a confirmation link for your game account registration. The truth is that you never know where those links might lead you. Sometimes they can be safe, but other times they can infest your computer with viruses and malware.

Similarly, if you’re expecting a file from your friend or family, then go ahead and open the attachment. It’s always good to know the person sending the file. But be wary of attachments in emails from strangers. Even if the file name looks like a JPEG image, you should never open it. File names can be spoofed, and innocent files may be a clever virus in disguise, ready to latch itself onto your computer the moment you click on it.
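An added example (not from the original post): one way a mail filter or help-desk script can check the point above, that a name ending in .jpg proves nothing about the content. The signature table, finding labels and sample attachments are constructed for illustration.

```python
import os

# File signatures ("magic bytes") for a few common attachment types.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),                        # also .docx/.xlsx containers
    ("ole2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy .doc/.xls
    ("pe-executable", b"MZ"),                      # Windows executables
]

# What the content should look like for a given extension.
EXPECTED_TYPE = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
    ".doc": "ole2", ".xls": "ole2",
}

# Extensions that run code when opened (illustrative, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}


def sniff_type(data):
    """Return the type implied by the leading bytes, or None if unknown."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def check_attachment(filename, data):
    """Return a list of finding labels; an empty list means nothing was flagged."""
    findings = []
    stem, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(stem)[1]   # ".jpg" in "photo.jpg.exe"
    actual = sniff_type(data)

    if ext in RISKY_EXTENSIONS:
        findings.append("risky-extension")
    # A harmless-looking extension hidden in front of the real one.
    if inner_ext in EXPECTED_TYPE and ext in RISKY_EXTENSIONS:
        findings.append("double-extension")
    # The name claims one format but the bytes say another (or nothing known).
    expected = EXPECTED_TYPE.get(ext)
    if expected is not None and actual != expected:
        findings.append("content-mismatch")
    if actual == "pe-executable":
        findings.append("executable-content")
    return findings


# Constructed sample attachments: (file name, first bytes of the file).
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("invoice.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("photo.jpg.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
]


def scan_samples():
    """Run the check over the constructed samples."""
    return {name: check_attachment(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:15} {', '.join(findings) or 'no findings'}")
```

An empty result only means the name and the leading bytes agree; it says nothing about whether the sender is trustworthy.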

Beware of email phishing

Phishing is a type of online scam in which malicious users send you an email saying that they’re representatives of high-profile websites like eBay, Facebook or Amazon. They claim that there’s a problem with your account, and that you should send them your username and password for verification. The fact is that, even if there was a genuine issue with your account, these companies would never ask for your password. You should ignore these phishing emails and sweep them into your spam box.

It all comes down to common sense when you’re dealing with email security issues. If you’re looking to secure your business emails, give us a call today and see how we can help.

March 18th, 2015

It’s easy to get complacent about internet security, but the reality is that none of us can afford to let our guard down. Precautions to protect yourself, your identity and your finances online can be simple, but they are only effective when practiced rigorously and consistently. And while the most obvious things like making passwords hard to guess and locking your workstation are as effective as they ever were, nowhere are conscientious security efforts more crucial than when using online banking systems and mobile payment portals. Users of peer-to-peer payment provider Venmo can breathe a sigh of relief, then, because the service just added extra security controls for its customers.

The Venmo platform is known for its convenience and ease of use, and is commonly used to split the cost of drinks, dinner, taxis and the like. The app is now adding a raft of new security-focused features, in response to criticism of its record for ensuring the security of its customers and their financial transactions.

Back in February, a Venmo user discovered his account had been hacked and used to withdraw almost $3,000 from his credit card. The intruder had also thought to change the email address associated with the Venmo account and to disable notifications of payments, but Venmo did not tell the genuine user about the changes that had been made. Venmo was decried for letting basic lapses in security exist in its trendsetting platform.

Now the service is doing what it can to pick up the pieces and up the ante on the security front. The most obvious change is to incorporate automatic email notifications when changes are made to the basic personal details associated with a Venmo account - a feature which many believe should have been built in from the word go. But the app will also add multi-factor authentication, another name for the two-step verification that can be enabled within Google Apps and other services. This feature makes it more difficult for would-be intruders to gain access to your account, even if they manage to get hold of your password.

Multi-factor authentication works by requiring not only your password for login, but also a second piece of information such as a one-time code - often generated on-the-spot and sent by SMS to the user’s cell phone - or the answer to a pre-set security question. Insisting on two phases to the sign-in process allows another opportunity to stop potential fraudsters in their tracks. The changes being implemented by Venmo also reflect the growing awareness on the part of technology companies for the need to get serious about security and protect the integrity of their systems and their users’ data.

You can put multi-factor authentication to use in your IT systems to keep your business protected. Get in touch with us and we’ll show you how.

March 4th, 2015

Are you concerned about internet security? Did you know there are a few simple ways to get increased protection that require only minimal investment of time? We’re not just talking about changing your passwords regularly or installing antivirus software. There are a few other methods that are less often talked about - here are three tips to boost your internet security that you might not have thought of yet.

Embrace two-factor authentication

Also known as two-step verification, most of us have likely dealt with this at one time or another. When you’re logging onto your bank’s website or your email account from a different computer than you normally use, you’re sometimes prompted for a one-time password - sent to you via text message, email or via some other method.

Nowadays, many sites such as Facebook, Dropbox and Twitter also give you the option to use two-factor authentication each time you log in. So if you’re looking for an easy way to up your security, it can give you that extra protection without slowing you down too much.

Update browsers and devices

Did you know that dated versions of browsers, operating systems and even other software packages can create an easy entry point for hackers? Often, new updates are created specifically to fix security holes. And hackers are ever aware that people can be lazy - saving that update for another day that never seems to come. They’ll often try to take advantage of this, searching for outdated devices to infiltrate while their victims watch YouTube on last year’s version of Firefox.

Yes, installing an update might take 15 minutes of your time. But it can pay dividends in preventing a security breach that could cost you or your business thousands.

Use HTTPS

When was the last time you typed those letters into a browser? Probably not this decade. It’s no wonder most people are unaware of this tip. So for those who are oblivious, https is the secure version of http - hypertext transfer protocol. Believe it or not, that last “s” actually adds an extra layer of protection. It encrypts information sent, both ways, between a website’s server and you.

You’re probably thinking, adding that last “s” to http (or even typing in http in general) is a complete pain in the rear. So to make this easier you can actually install a program like “HTTPS Everywhere” that’ll automatically switch an http into an https for you. Currently “HTTPS Everywhere” is available for Firefox, Chrome and Opera.

Looking for more tips to boost your internet security? Get in touch to find out how we can help.

February 18th, 2015

Whatever services and systems we use to share, store or transfer personal and business information online, we want the reassurance that our data is safe and that everything possible is done to prevent it from falling into the wrong hands. But we also know that security breaches happen, as they did with the large-scale celebrity photo leaks in 2014. Since then, Apple platforms in particular have been prevalent in discussions about the security of such platforms - but Apple is now seeking to bolster its security defenses with the launch of a two-step authentication feature for the FaceTime and iMessage applications.

After the fall-out from the celebrity photo leaks, Apple extended the two-step authentication process (also known as two-step verification) to iCloud, the online storage platform at the center of the scandal. The feature was initially introduced only to the user IDs for access to Apple accounts; the motivation for the launch of that extra security measure was the hacking of a journalist’s data back in 2013. But what is two-step authentication and how does it work to protect your data?

The premise behind two-step authentication, which experts recommend all businesses implement as part of their security strategy, is actually pretty simple. Usernames and passwords are all too easily stolen by malicious parties, whether by phishing emails or a more sophisticated hacking attack. So, rather than typing just your username and password to access your account, the password is teamed up with a four-digit verification code which is newly and uniquely generated each time you attempt to access your account.

The verification code is delivered by text message (meaning that to use the two-step verification feature, you’ll need to have a cellphone to receive the SMS on). As a result, even if a hacker manages to get hold of your password, unless they also have your phone by their side then they won’t be getting into your account. This authentication method is already used by organizations around the world including banks, mobile service providers and other companies who recognize the added layer of security that it brings. And now you can give yourself the same level of protection to ensure that only you can FaceTime your family and send iMessages to your friends.
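As an added illustration (not code from Apple or from the original post), here is a minimal server-side sketch of the second step described above: a four-digit code issued for each sign-in attempt. The expiry window, attempt limit and all names are assumptions; because four digits allow only 10,000 values, the sketch makes every code single-use, short-lived and limited to a few guesses.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 4          # the article describes a four-digit code
CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: guesses allowed per issued code


class OneTimeCodeStore:
    """In-memory record of pending second-step codes (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._pending = {}    # account name -> pending-code record

    @staticmethod
    def _digest(salt, code):
        # Hashing keeps the raw code out of logs and dumps. At four digits it
        # does not resist brute force; the attempt limit below does that job.
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, account):
        """Generate a fresh code for this sign-in attempt and return it so the
        caller can deliver it out of band (by SMS in the article)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Issuing a new code replaces (and so invalidates) any earlier one.
        self._pending[account] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, account, submitted):
        """Check a submitted code; True at most once per issued code."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(
            entry["digest"], self._digest(entry["salt"], submitted)
        )
        # Discard the code on success (single use) or when guesses run out.
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account]
        return ok


def sign_in(store, account, password_ok, submitted_code):
    """Both steps must pass: a correct password alone is not enough."""
    return bool(password_ok) and store.verify(account, submitted_code)


if __name__ == "__main__":
    store = OneTimeCodeStore()
    sms_code = store.issue("alice")                    # sent to alice's phone
    print(sign_in(store, "alice", True, "not-it"))     # False: wrong code
    print(sign_in(store, "alice", True, sms_code))     # True: both steps pass
    print(sign_in(store, "alice", True, sms_code))     # False: already used
```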

Fear not, there’s a backup plan to ensure that you can still access your accounts if you happen to forget your password or if something happens to your phone so you can no longer receive authentication codes. Apple also provides you with a 14-character recovery key that will get you back in if all else fails. To enable two-step authentication for your FaceTime and iMessage applications, log in to your Apple ID account, select Password and Security and then click Get Started under Two-Step Verification.

To find out more about using two-step verification and other security measures to protect your business, contact us today.

January 29th, 2015

Think your security is taken care of with a frequent anti-virus scan? Think again. While we’ve all become used to the idea that viruses, worms and other malware - however much disruption and damage they cause to our systems - can be detected and removed thanks to the tracks they leave as they create havoc, that’s no longer something to count on. Proving the point is Poweliks, an invisible trojan horse that evades being picked up by anti-virus software. Read on to find out all you need to know about Poweliks and how to fight it.

What is Poweliks?

Security firm Symantec describes Poweliks as a trojan horse that performs malicious activities on the compromised computer. But it’s no ordinary trojan - unlike the majority, which infect your computer with malicious files, Poweliks is a silent and invisible threat that hides away in the memory registry of your system. It’s not entirely new for a virus to seek to cover its tracks by making itself "file-less" but, in contrast with Poweliks, most are wiped when you restart your computer and its memory is cleared. Worse still, Poweliks hijacks the legitimate processes and applications running on your network, inserting its code into them where it can largely evade detection.

First discovered back in August 2014, Poweliks has therefore created something of a headache for firms behind conventional security solutions like anti-virus software. Symantec and others have admittedly managed a number of updates to their protection in response to the threat posed by Poweliks. But although very minor records of the presence of the trojan are left behind by way, for instance, of registry logs, the signs of its destructive presence are much lower key than the computer world is used to, meaning Poweliks is unlikely to show up on most system scans.

Poweliks has links to Kazakhstan, the home of two servers the malware connects to once it is up and running from within your computer. The servers in Kazakhstan then send commands to the bug to tell it what to do next. In theory, this then makes way for the tool to be used to download other undesirable programs that could infect your system without your knowledge. It could equally be used to steal and disseminate data from your network.

How can I best protect myself?

As well as the anti-virus updates that have gradually been released - but which are still likely to have only a limited impact on threats of this type compared with those of the past - a number of Poweliks removal guides are now available online. Nevertheless, prevention, as ever, remains better than cure. One method reported to have been employed in the distribution of the Poweliks infection is embedding it in a Microsoft Word document, which is then sent as an attachment to spam emails, and which the attackers hope your curiosity will lead you to open. Among the senders that these spam messages have masqueraded as being from are the United States Postal Service and Canada Post. Of course the best advice remains to be suspicious of any and every email attachment you open, particularly if you weren’t expecting mail or it's from someone you don’t know.

Should I be concerned?

In fact, revisiting your everyday security precautions is probably pretty good advice all round, since experts predict that this type of threat is likely to become ever more common as attackers seek to exploit the techniques of Poweliks in order for their infiltration to remain unnoticed for as long as possible. Sure enough, a number of copycat threats have already been detected by security specialists as of the start of 2015.

General awareness of the web sites you choose to visit is also advisable, since others have reported the bug making its way onto their systems thanks to so-called ‘drive-by download attacks’ - whereby simply visiting a malicious web site is enough to trigger the infection, and actively downloading a file isn’t even necessary. As a result, organizations may wish to consider more comprehensive filtering of internet access, or at the very least reactive blocking of known malicious sites, in order to prevent employees from inadvertently infecting a company network.

To find out more about IT security solutions and protecting your technology from attack, contact us today.
