Dumb PINs Lack Security


A while back I wrote an article on the 25 worst passwords and a lot of readers were surprised to see how simple some of the passwords that people chose were: 123456, password, qwerty… Now a group of British computer security researchers have collected data to show just how vulnerable banking PINs actually are.

A Cambridge University Computer Laboratory team collected statistics on how people choose banking PINs when they are permitted to select their own. The risk is that a thief who steals a wallet can then try to siphon money from a bank account by guessing the PIN, often with the aid of personal identification found in the wallet, such as a birth date on a driver's licence.

It seems that when the bank enforces a policy on how to create a strong PIN, thieves can expect to cash in on every 18th wallet stolen. If the bank allows its customers to choose weak PINs, the thieves can expect to get lucky every 11 wallets. The researchers describe the criminal practice of guessing PINs from stolen bank cards as “jackpotting.”

Fortunately, the conclusions of the report are not entirely bleak. The researchers discovered that most people’s choices of banking PINs were not as weak as their other choices, such as website passwords. Shorter sequences and user-chosen PINs are the more vulnerable ones.

The researchers found that in the United States and in Europe different banks had different practices on what kinds of PINs were permitted. In the U.S.A., Bank of America and Wells Fargo let customers choose dumb PINs, while Citibank doesn’t. In the UK, Lloyds and the Co-op let you choose anything while Barclays, RBS and HSBC don’t.
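A bank-side check of the kind the stricter banks above apply, as an added example (not the Cambridge study's code and not any bank's actual policy): it rejects the PINs a wallet thief would try first, including ones derived from a birth date found in the wallet. The pattern list, the 1930 year cut-off and the keypad-column set are assumptions.

```python
from datetime import date

# Keypad-column PINs common enough to block outright (assumed list, not from the study).
KEYPAD_PATTERNS = {"2580", "0852"}


def date_derived_pins(dob):
    """PINs a thief could derive from a birth date in a stolen wallet (DDMM, MMDD, YYYY, ...)."""
    if dob is None:
        return set()
    yy = dob.year % 100
    return {
        f"{dob.day:02d}{dob.month:02d}",
        f"{dob.month:02d}{dob.day:02d}",
        f"{dob.year:04d}",
        f"{yy:02d}{dob.month:02d}",
        f"{dob.month:02d}{yy:02d}",
    }


def pin_weakness(pin, dob=None):
    """Return None if the PIN is acceptable, otherwise a short reason for rejecting it.

    Checks run from the most obviously guessable pattern to the least; a PIN that
    fails several checks reports the first one.
    """
    if len(pin) != 4 or not pin.isdigit():
        return "not four digits"
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:                                        # 1111, 0000
        return "repeated digit"
    if {b - a for a, b in zip(digits, digits[1:])} in ({1}, {-1}):   # 1234, 9876
        return "sequential digits"
    if digits[:2] == digits[2:]:                                     # 1212, 6969
        return "repeated pair"
    if pin in date_derived_pins(dob):                                # customer's own birth date
        return "derived from birth date"
    if 1930 <= int(pin) <= date.today().year:                        # 19xx/20xx: likely someone's birth year
        return "looks like a year"
    if pin in KEYPAD_PATTERNS:
        return "keypad column"
    return None


def reject_rate(pins, dob=None):
    """Fraction of a batch of candidate PINs the policy would turn away."""
    rejected = sum(1 for p in pins if pin_weakness(p, dob) is not None)
    return rejected / len(pins)


if __name__ == "__main__":
    # Constructed sample: a customer born 11 April 1985 trying a few PINs.
    for candidate in ["1234", "0411", "1985", "7391"]:
        print(candidate, pin_weakness(candidate, date(1985, 4, 11)))
```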

If this has you worried, maybe a quick re-read of my post on how to choose a strong password might be in order.

Striking A Balance Between Flexibility And Security


IT professionals are plagued with the massive challenge of trying to secure their networks from malicious threats. And the people who use the technology are constantly complaining about blocked Internet access, social media restrictions, and even application limiting. Given that more and more organizations are incorporating social media into their communications efforts, these restrictions can interfere with your staff’s ability to do their job.

So how can IT professionals strike a balance between security and flexibility? Getting online can be dangerous, as threats are on the rise. Having IT spend months every year removing malware picked up from social networking sites is not the answer. Locking down computers so that users can’t access these sites only creates dissatisfied users. It seems like there’s a big divide between the groups that maintain technology and the groups that use it.

Fortunately there are alternatives! One solution is to install software that will “wipe” user computers clean of any unwanted files periodically. This can be a real lifesaver for IT teams where each technician is responsible for managing hundreds of computers. With this solution users can do whatever they need to get their work done, but now all of their customization – that waterfall screen saver, the funny mouse pointer that looks like a cat, and that annoying web browser toolbar they installed – all of these changes disappear with a simple click or reboot.

Or even better, consider what happens when a user runs into a problem with their machine. Now IT doesn’t have to waste time reimaging the machine and cleaning it out. Instead, they can ask the user to simply restart their machine and it will be reset to its original state. But don’t worry: not everything gets wiped out if you don’t want it to. There’s an option to set up special partitions to save the user’s hard work. Now users are happy getting the freedom they want, and administrators are smiling because their volume of support tickets just dropped at least 50%. Maybe now IT can finally leave the office at 5… just this once.

—Written by Dustin Lewis, Key Account Manager

“Dude, Where’s My App?”


We’ve all pocket-dialed someone at least once in our lives. Maybe you’ve been guilty of pocket-deleting an app too. It’s no big deal, you just reinstall it. But what if it wasn’t you who deleted it? What if it was Google, Apple or Microsoft—using the “kill switch”?

Before you start freaking out, the kill switch is used when apps are found to have malware. This happens on Android a lot. Google can remove the infected apps from the Market Place to prevent further infection, but what about all of the devices out there that are already infected?

It would take too long to contact each person and have them remove it. By that time more damage could be caused by the malware. That’s where the kill switch comes in. Google for example can delete the app from every infected device at once. Quick and easy—and without your permission.

This screams “privacy abuse,” but is it really a bad thing? Once again it’s your best interests in mind. How would you like to be walking around with an infected device and not know? It could be key logging your data, tracking you—who knows. The bottom line is the app is bad for you, so it should be removed. Google, Apple and Microsoft can make this happen. They’ve done it before and they’ll do it again.

We let software make decisions for us all of the time on our computers. We have anti-virus to scan and remove items it flags as viruses or malware. We use whitelisting to make sure nothing installs itself without our knowledge. How is this any different? Just because it’s a company doing the removal?

The kill switch is a standard function on all smartphones, but don’t think this is limited to just phones. Tablets have it, and as apps start replacing traditional software, this functionality will be present on computers too. You can count on Windows 8 having it, since the one OS will be used on all machines.

These companies have total control over your devices. We have to trust they’re using this power for good, and not evil. Is that asking too much? What if the government steps in and demands “things killed”? Then what? Is it just your best interests in mind…? Think about it.

Beware Of The Top Cyber Threats for Early 2012


Cybercriminals watch all the news trends and even the seasons. As soon as there’s a new game coming out, let’s exploit it. Oh look, it’s January, let’s create a weight loss scam. Oh my goodness, there’s been a natural disaster. Let’s create some catchy headlines and trick those innocent web surfers looking for more information.

And the collection of exploit tools continues: misspelled URLs, fake browser plug-ins, celebrity deaths, and many more. Together they form an ever-changing all-you-can-eat buffet for hackers who are out to steal your lunch money and more.

There is definitely a pattern to the exploitation, and GFI’s latest VIPRE Report for January 2012 shows us the scary truth. They identified the top ten threats for the first month of the year. Some of the trendiest traps included luring Pro Evolution Soccer 2012 fans with a game crack that actually installed ZeroAccess – a sophisticated rootkit known for overwriting critical OS files.

Other traps included taking advantage of businesses concerned about their reputation through Better Business Bureau scams, while Tumblr users were hit with more Southwest Airlines scams. And let’s not forget the domain typo scam that targeted the shutdown of Megaupload.

Despite all the sophisticated security technology in the world, the biggest weakness is the human element. By creating sophisticated scams that exploit basic human curiosity, cyber attack success rates go through the roof and make victims out of even the savviest Internet users. As a rule of thumb, if it sounds too good to be true, it probably is.

—Co-written by Maria Osipova & Eikbal Dhillon, Sales Engineer

The Dangers Of Social Media: It’s All Free Stuff And Sex


Social media has exploded in popularity as a business tool. There are heaps of reasons. Think of Best Buy and Old Spice just to name a few. Facebook alone has over 800,000,000 reasons to share. But while companies are encouraging their staff to be more social, do they realize the dangers they face?

Did you know that 85% of all malware infections come from the web? Not too surprising. But here’s the kicker. Out of those successful attacks, one third of all business infections come from social media platforms. We’ve seen the headlines. From Southwest Airlines tickets to free iPads to free Costco gift cards, the number of scams is overwhelming. And then there’s the other kind. They go something like this: find out how this guy got revenge on his ex-girlfriend when he caught her cheating…

Even though there are many sites dedicated to sharing the latest scams to help protect users from quick-thinking cybercriminals, new victims are caught daily. From simple survey scams to stealing login credentials to installing malware on your machine, the bad guys are still hitting the jackpot. And if this wasn’t bad enough, social networking sites make distributing malicious links a piece of cake.

Why are users still falling for it? Well, the answer is simple. “Free stuff and sex,” said Bimal Parmar, VP of marketing at Faronics, “always attract people to click on the accompanying link.” And the fact that our social networks are mostly made up of our friends makes the problem worse. Sure, the term friend is being used very loosely. But the premise remains unchanged: we inherently trust the people in our social networks.

What’s a company to do? Well, banning social media isn’t really an option. Educating employees is a great place to start. Try a social media policy and provide education about Internet threats. Applying the latest patches is critical, and building a solid endpoint security system that combines blacklisting and whitelisting technology is a must.