Passwords’ Brave New World

While passwords need to go away, they won’t disappear overnight. So, we highly recommend you – and the internet world – follow some guidelines from the National Institute of Standards and Technology (NIST) in managing your online presence.

For individuals and small businesses, managing hundreds of passwords for all the websites and resources you need to access requires a concentrated effort. Every organization with which you interact online has to manage your password and everyone else’s. Website managers and administrators work hard to roll out security strategies, but piecemeal security strategies are ineffective and risky. There are too many cracks for passwords and other measures to fall through. Ad hoc strategies leave room for errors that could put customers’ data in jeopardy. This is where NIST comes into play and understanding what’s behind their guidelines can help you take some action for your online security. 

Part of the Department of Commerce, the NIST develops guidelines based on best practices from a diverse array of security organizations and publications. NIST guidelines are so well-respected that private sector organizations have adopted them to keep their entire infrastructures secure. They affect some of the requirements you get when creating your own passwords – which you need to follow because they are in response to newer, more powerful threats.

Here are some of the most important new guidelines that NIST has issued to those who provide the services that manage internet access. You can expect them to affect you.

  • Go long: The suggested minimum is 8 characters when a human sets a password and 6 when it’s set by automation. However, NIST encourages users to create passwords with 64 characters or more, including things like spaces and emojis. They’ll be harder to crack.
  • Remove reset requirements: As users struggle to drum up countless creative, strong new passwords each month, they end up creating weaker passwords. Password strength should be about quality, not quantity—one excellent password is better than 10 new, mediocre ones. 
  • Keep it simple: How often have you created a new account, for a new application, online store, or digital news outlet, and encountered the prompt, “your password must contain one lowercase letter, one uppercase letter, one number, and one symbol”? Overly complex passwords can lead to poor password behavior, just as with frequent resets.
  • Be more user-friendly: The “show password while typing” option is rare, but it can let you use longer, stronger passwords because you don’t have to remember all those gyrations you created. Another friendly option is to allow users to copy and paste passwords. Users who are allowed to copy and paste their passwords are more likely to create and store stronger, lengthier passwords in password managers than those who are forced to type out their password every single time. 
  • Go clueless: Knowledge-based authentication clues can save time, but with all the personal data available today, it’s easier than ever for hackers to decode hint prompts and breach systems.
  • Limit attempts: NIST password standards recommend providing users with a maximum of 10 login attempts before they are turned away. That should be enough to aid a forgetful user but not assist brute-force attackers. 
  • Go hands-free: SMS texting services should not be a part of any two-factor authentication (2FA) process. SMS isn’t entirely secure: cybercriminals can use malware to redirect text messages and mount attacks against the mobile phone network. 
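The verifier-side rules in the list above, turned into a small login-policy module. This is an added example, not code from the original article or from NIST: it accepts long passwords with spaces and emoji, applies no composition rules and no expiry, stores only a salted scrypt hash, and locks an account after the 10 failed attempts the list recommends. The compromised-password screen is an additional NIST SP 800-63B check not mentioned above; the sample breached list, the 256-character sanity cap and the account names are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

# Limits taken from the guideline list above
MIN_LEN_USER_CHOSEN = 8      # minimum when a human picks the password
MIN_LEN_GENERATED = 6        # minimum when automation generates it
MIN_LEN_TO_ACCEPT = 64       # a verifier must accept at least this many characters
MAX_LEN_SANITY = 256         # constructed cap, only to bound hashing cost
MAX_FAILED_ATTEMPTS = 10     # lock the account after this many failures

# Constructed sample of known-compromised passwords; NIST SP 800-63B has
# verifiers screen new passwords against such a list (a real one is far larger).
BREACHED_SAMPLE = {"password", "12345678", "qwertyuiop", "iloveyou1"}


def normalize(password: str) -> str:
    """NFKC-normalize so the same visible string always hashes the same way."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, generated: bool = False) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: composition rules (upper/lower/digit/symbol) and any
    expiry date, both of which the guidelines above drop.
    """
    pw = normalize(password)
    problems = []
    min_len = MIN_LEN_GENERATED if generated else MIN_LEN_USER_CHOSEN
    # len() counts Unicode code points, so spaces and emoji count like letters
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > MAX_LEN_SANITY:
        problems.append(f"longer than {MAX_LEN_SANITY} characters")
    if pw.lower() in BREACHED_SAMPLE:
        problems.append("appears in a list of compromised passwords")
    return problems


def hash_password(password: str) -> dict:
    """Store only a random salt and a memory-hard scrypt hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode(), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.scrypt(normalize(candidate).encode(), salt=record["salt"],
                            n=2 ** 14, r=8, p=1, dklen=32)
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(digest, record["hash"])


class AttemptLimiter:
    """Counts consecutive failed logins per account and locks at the limit."""

    def __init__(self, limit: int = MAX_FAILED_ATTEMPTS):
        self.limit = limit
        self._failures: dict[str, int] = {}

    def is_locked(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self.limit

    def record_failure(self, account: str) -> bool:
        """Record one failure; returns True once the account becomes locked."""
        self._failures[account] = self._failures.get(account, 0) + 1
        return self.is_locked(account)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(limiter: AttemptLimiter, records: dict, account: str,
                  candidate: str) -> str:
    """Full check: lockout first, then the hash; returns 'ok', 'locked' or 'denied'."""
    if limiter.is_locked(account):
        return "locked"
    record = records.get(account)
    if record is not None and verify_password(record, candidate):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "denied"


if __name__ == "__main__":
    # Constructed demo account with a long passphrase containing a space and an emoji
    passphrase = "correct horse battery staple 🐴"
    accounts = {"alice": hash_password(passphrase)}
    print(check_password("password"))    # rejected: compromised
    print(check_password(passphrase))    # [] -> accepted
    limiter = AttemptLimiter()
    for _ in range(MAX_FAILED_ATTEMPTS):
        attempt_login(limiter, accounts, "alice", "wrong guess")
    print(attempt_login(limiter, accounts, "alice", passphrase))  # locked
```

The lockout is checked before the hash so a locked account costs the server no scrypt work, and the right password is refused once the limit is reached, which is the point of the "limit attempts" rule: the limit protects the account, not the convenience of whoever is typing.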

NIST standards and the guidelines listed above are important because newer, more powerful cyberthreats will always be deployed. As a user, you need to be aware of newer and better security options. We continue to advocate for biometrics and other measures that are unique to you – and only you – to allow access to your online world.

For most of us, a password manager that works across all the platforms you and your family or businesses use is still a strong defense against hackers. We like Dashlane because its paid version covers an unlimited number of website passwords across multiple devices. For those of you with the right technology, you can start to take advantage of other techniques to access your protected websites. Contact us by phone – 973-433-6676 – or email to discuss your needs and see how we can make you more secure.

Email in Disguise

The trend of getting voicemail messages through email is opening new doors for hackers to enter computer systems. Scammers are using email with spoofed addresses to hack into business operations, such as wiring money. Today’s office environment provides a perfect setup for a hacker: You hit people when they’re juggling multiple tasks, and you come across as a colleague or customer in an expected environment. We have two examples from our client experiences that show how easy it is for a problem to go undetected. And we have some tips to strengthen your security.

The problem with the voicemails happened while we were on vacation in Hawaii, which has a six-hour time difference with New Jersey. Our client reported getting emails about missed calls – which could have been generated by their voicemail/email system. It’s a growing trend to handle voicemails this way because phone and email run on the same networks, and sometimes it’s more effective for an employee to click a link and return the call while the message is on the screen.

And that’s how this problem showed up. Every time our client clicked on the link, nothing happened. When we got back from vacation, our first job was to install a new computer for the client. Everything went as planned, but then we got a call that the client only had 11 emails in the system. To make a long story short, it took all day to find all of the emails in a “recovery for deleted emails” folder and restore them – all 75,000 of them. The time was lengthened because we needed to sort them to cull the voice-mail files.

We changed the password immediately to cover the possibility the computer may have been hacked. After that was done, we got a call that our client couldn’t click to return numbers left in voicemails. I left a voicemail, and we were able to get a return call.

The likely issue is that someone from the outside spoofed a known and trusted phone number. The lesson here is that if it happens a second time, don’t click the link. While you may not know if you were hacked or fooled by some malware, you should know that something is wrong and needs attention. The earlier you let us know about it, the sooner we can work with you to mitigate the problem and minimize damage.

A second incident could have been catastrophic. Again, we awoke to find several urgent emails from a client that regularly wires large sums of money to entities worldwide. The incident occurred July 1, when they were preparing to wire nearly $100,000 to an entity. The entity to which they were wiring the money said they hadn’t received their wire in April. That raised alarms. We learned that the amount of money in both transfers was consistent, and the entity to which the money was to be wired could change names from time to time. Everything with the April and July transfers seemed to be within the realm of normal operations.

While we couldn’t get the April money back (the client had insurance to cover it), they were able to halt the July transfer. At the same time, we worked with them to develop new policies to help double-check money-wiring instructions and monitor the process better.

Among the key takeaways from these incidents, you should always be on guard because hackers and cyberthieves are getting much, much better at disguising their identities. When it comes to VoIP and cellular voicemails, it becomes way too easy to click on a number to return a call. That click could direct you to a link that installs some kind of malware. You can write down the phone number and initiate a phone call – much in the same way you can open a browser and go to a website instead of clicking on a suspicious link. In a related matter, the Federal Communications Commission (FCC) is about to force telephone carriers to verify the phone number location of incoming calls. This should reduce – at least for now – phone number spoofing.

Also, be vigilant about looking for anything that looks like a change in your operations or the entities you deal with. Don’t hesitate to pick up the phone and call somebody to verify instructions.

We can help you fight fraud and mitigate security issues in a number of ways, including security assessments and developing and installing rules and policies for critical operations. Call us – 973-433-6676 – or email us for an appointment.

Using Alternatives to Passwords

We have harped…and harped ad infinitum…about having strong passwords simply because those strings of upper- and lower-case letters, numbers and special characters offered the best chances of staying ahead of the hackers. But we’ve always reminded you that something better is needed because the bad guys have a vested interest in developing better systems to crack passwords and in finding more ways to exploit vulnerabilities in anybody’s electronic vaults that store vital personal and corporate info.

When one of our clients got hacked, we installed a password-less system to offer them better security. Our solution, which uses Microsoft Azure, is one of the emerging technologies to replace passwords with biometrics, one-time codes, hardware tokens and other multi-factor authentication options. What they do is exchange tokens and certificates without users – you, your employees and your customers – needing to remember anything. The new pathway to better protection even bypasses the password managers that many of you use.

IT industry figures show that more than 80 percent of security breaches involve stolen passwords and credentials. We all pick passwords that are too simple and easy to guess, or we store and reuse a few complex passwords that we can remember. That problem is exacerbated by forcing regular password changes even without evidence of breach. If password reset systems rely on people, they can be fooled by social engineering. Password-less technologies can combine certificates with contextual security policies that require less from you. They rely more on trusted devices and connections, and they can add layers of complexity as risks rise. New security can be based on the value of the content and factors such as user behavior, device location and connection, or the state of the device.

You can already set up password-less access using Microsoft’s Azure AD Conditional Access. Many of you who use our backup services already have Azure accounts, and you can use the technology to manage:

  • Sign-in risk to identify who’s signing in and determine who’s a risk.
  • Network location to determine if access is being attempted from a network location that is not under your control or the control of your IT department.
  • Device management for accessing cloud apps from a broad range of devices including mobile and personal devices.
  • Client application to manage cloud access using different app types, such as web-based, mobile, or desktop.

There are some cross-platform technologies available for going password-less, but it all starts with the Microsoft Authenticator app. It uses key-based authentication to create a user credential that’s tied to a device and uses a PIN or biometric. Instead of using a password to sign in, users see a number code to enter into the Authenticator app, where they have to enter their PIN or provide a biometric.

Password-less sign-in for Microsoft accounts with the Microsoft Authenticator app is already available, and support for signing into Azure AD is now in public preview. Right now, the app can only cover a single account registered with Azure AD in one tenant, but support for multiple accounts is planned in the future. It covers Office 365 and Azure and works with a variety of other apps.

If you’re ready to go password-less, we can help you decide what’s right for you and set up your accounts and devices. Just give us a call – 973-433-6676 – or email us to set up an appointment.

Hello, New Security Technology

Passwords are on the verge of becoming extinct, and for many people, the passing of passwords will be like getting rid of a migraine. With the latest Windows 10 major update from Microsoft, your computers and devices may now say “hello” to you to access Microsoft accounts, and additional security measures may now work together better with smart devices. Facial recognition is playing a big role.

Security is more important than anything in today’s world, and hackers keep cyber defenders back on their heels in many instances. Our message continues to be that you need to harden your security measures while you have control of your computer, device, network, etc. If you wait until it controls you, it can cost you a lot of time, money and aggravation.

Combining facial recognition with another authentication factor is one element of Hello, which is available on certain computers with Windows 10 installed. It replaces a password with biometrics to authenticate secure access to devices, apps, online services and networks with a fingerprint, iris scan or facial recognition. It’s considered to be more user friendly, secure and reliable than traditional passwords, which are easy to crack because most people use simple ones they can remember or leave written notes in easy-to-find places.

You can authenticate a Microsoft account or a non-Microsoft service that supports Fast Identity Online (FIDO) by setting up a facial scan, iris scan or fingerprint to log into a device. Hello uses 3D-structured light to create a model of someone’s face and then uses anti-spoofing techniques to limit the success of people creating a fake head or mask to spoof the system. Once you set up your initial scan, the image will enable you to unlock access to Microsoft accounts, core applications and third-party applications that use the system. You can modify facial and iris scans, and add or remove additional fingerprints, and you can uninstall biometric identification.

Microsoft has updated Hello to support new security keys and offers two-factor authentication. Security keys can authenticate users to Azure Active Directory without requiring that a user enter a username or password, or even set up Windows Hello beforehand. Technology advances could include authentication through a smartphone, but don’t expect any of those to involve text messages. Your cell phone number can be easily hijacked, and a perpetrator can simply have all of your passwords sent somewhere else without you ever knowing about it.

Windows’ latest update, version 1809, which is being pushed out this month, will increase the number of computers able to use Hello, and that will certainly help expand its user base – which, in turn, will spur more development of more ways to use it.

Microsoft is working with a growing number of service providers and device manufacturers to give its users a more seamless method to authenticate multiple accounts. Ultimately, the industry needs to tighten its false rejection rates and “liveness detection,” which ensures that the scan is that of a living person.

We’re confident that use of these new systems, such as Hello, will make us more secure, especially for business systems. We still see so many offices with passwords attached to computer monitors. Hello will go a long way to eliminating this particular potential for security breaches.

If you have computers that can work with Hello, we urge you to take a close look at implementing it. If you have questions about getting computers that are compatible with Hello or will be, we can help you set it up or prepare you to set it up. In the meantime, we can perform a security assessment to make sure your information technology system has no open backdoors or trapdoors that can allow access. This can be especially important, as one client discovered after they bought a company and started to merge IT systems.

Call us – 973-433-6676 – or email us to talk about your security.

Refreshing Devices Re-Energizes Them – Up to a Point

Refreshing your computers, peripherals and devices requires you to take a long pause, but in the end, it still might leave you thirsting for better results. If you’re hanging onto old equipment, Tech Data reports a few facts that might make you change your mind.

First of all, the report says, some 46 million small and medium-size businesses rely on devices dating back to 2014. That’s approaching five years, and that can be a lifetime in technology. Second, repair costs for equipment four years old or more can be 1.5 times the cost of repairing newer technology. Finally, PCs older than four years can be less than half as productive – costing an average of $1,260 in lost productivity, according to an internal study by Microsoft.

Microsoft, which is phasing out Windows 7 because of its increasing inefficiency (Windows 7 Support Ends in January 2020), certainly has an interest in seeing you buy new computers with their operating systems. But they also know that the more efficient and productive their customers are, the more likely they’ll continue to use Microsoft software.

So, with that last point out there, what are your considerations for refreshing or replacing a computer? If you’re running Windows 7, we see replacement as a no-brainer. One client engagement illustrates how extreme it can get. We were tasked with refreshing a 10-year-old computer to get it to run better, which we did at a cost of $200 or so – after we advised our client to replace it. Refreshing, in this case, meant reinstalling software and updating it as much as possible. A 10-year-old computer cannot run the latest versions of Windows or any application software, and you cannot install the latest, most secure browser software. If we had installed a new hard drive and added licensing fees and our setup time, it would have been about $570. A new computer would have been around $800 plus some setup time to properly install the operating system and applications and transfer some data files.

With that as background, let’s delve more into a cost-benefit analysis.

Performance: Older PCs, according to Tech Data, can only run approximately five applications simultaneously without performance degradation, while newer PCs can easily run eight or more, according to a 2016 study. Meanwhile, new Windows 10 Pro devices with 7th and 8th generation Intel® vPro™ processors keep users more productive with up to 25 percent more time efficiency. They are also up to 28 percent faster for startup on average compared to Windows 7. Batteries can last up to three times longer on newer Windows devices.

Repairs: We mentioned early on that repairs can cost 1.5 times more for older computers than for newer computers. Some of that extra cost can come from more time to find parts. Generally speaking, older parts are scarcer and more expensive.

Security: We’ve harped on security, and here’s something to add: More than 50 percent of smaller businesses have suffered a data breach or cyberattack with the cost averaging more than $84,000 per breach. Older Windows devices are likelier to lack the latest hardware and software security features, putting data at risk. When you factor in the fact that small-business customers are prime targets for security breaches, you can be looking at costly recovery. Upgrading to a computer that can run Windows 10 Pro will give you more built-in defenses and increased support for the lifetime of your device.

To translate all this into an action plan, we recommend refreshing and some component replacement for computers three years old or younger. For older computers, especially those running Windows 7, we recommend replacement. Business users will benefit from improved performance and security, and home users will benefit from better security. Call us – 973-433-6676 – or email us to discuss your refresh/replacement needs.

Password Agony; No Ecstasy

Passwords are a total pain. Upper- and lower-case letters, numbers and special characters in one password are likely unbreakable over the course of a lifetime. But just to be safe, you’re required to change them periodically – without repeating one you’ve previously used for a website. And if you go to extremes, well, it is possible that someone can beat you over the head and hold your finger or an open eye in front of your phone and access your bank account. A password manager could relieve that pain.

Password managers are applications on your computers and devices to access a database where your passwords are stored. One of the big pains they relieve is the need to remember multiple complex combinations of letters, numbers and characters that – to be effective – are totally random. Almost all password managers let you create a master password for access to your identity vault, and then the password manager fills in individual user IDs and passwords for the sites and apps you use. One benefit is that you can give each site or app a different, complex and hard-to-remember password. They also relieve the burden of making required password changes for websites by generating a new one.

For those of you thinking several steps ahead, you are not tied to a password manager forever. You can always download the database with your passwords and user names, allowing you to leave the service and change passwords at each website as needed.

Of course, there’s some risk to a password manager. If a hacker gains access to your master password, all your accounts are open to plundering. Likewise, if a hacker manages to breach the central vault of the password management company, it’s possible that millions of account credentials could be stolen in a single hack.

Good password managers have defenses for both possibilities. Most employ multifactor authentication, so access is granted only with both a correct password and a correct authentication code. That code exists only on a device you own, limiting the ability for someone on the other side of the world to gain access to your information. They also encrypt your password information locally, before it ever leaves your devices, so it is stored only in encrypted form on the servers operated by the vendors. In most cases, this is strong enough.

You have a lot of choices for password managers. We happen to like Dashlane, which gets strong reviews from sources such as PC Magazine, Tom’s Guide, and CNET. You can find more than enough reviews of Dashlane and other password managers, some subscription-based and some free. You should remember that we’re not always enamored with free programs, but regardless of price, here are some things to consider.

Your password manager should secure your data on your machine and in the cloud with an industry-accepted, tough form of encryption that’s widely used today. Along that line, it’s good to have a password manager that scans the dark web to make sure you haven’t been compromised.

It should work across multiple platforms with software for Windows, macOS, Android and iOS, and you should be able to install it on an unlimited number of devices for a single (usually paid) account, store an unlimited number of passwords and generate new, strong passwords for you, even on a mobile device. We like one that can alert you to data breaches and give you a two-factor authentication option for master passwords. Some will offer to save personal information, such as personal details, credit-card numbers and other frequently used information to quickly fill out online forms. While this is optional, it may be safer than letting a website save your credit-card information.

While no password manager can recover your master password if you forget it, it’s helpful to have one that lets you reset your password. Another good feature is one that lets you provide an emergency contact so that a trusted person can access your websites and apps if you are unable to do so.

Choosing a password manager and setting it up can be daunting tasks, but we can help. Call us – 973-433-6676 – or email us for answers to your questions or to walk through the setup.