Passwords vs Biometrics?

Most people are of the opinion that the use of biometrics will soon take over the use of passwords as we progress technologically as a society.  For those who don’t know what I’m talking about, biometrics are some sort of unique identifier belonging to you that exist somewhere on your body e.g. A fingerprint.

If you use fingerprint identification on anything, then you know how much simpler it can make your life when accessing your information. Most of the modern smartphones and even many laptops have this capability now.  It is hard to argue that the use of biometrics is typically faster and simpler overall for the user.

A recent incident has brought some pretty large attention to the issue of biometrics.  Self-service food kiosk vendor, Avanti, has been a victim of a malware attack that, according to them, has most likely compromised customer biometric data as well as their first name, last name, credit card number, and expiration date.  This attack is also one of the largest, successful Internet of Things (IoT) attacks and according to some reports, up to 1.6 million people could be impacted.

The most major question to me arising from this incident is one of overall security involving biometrics.  While it’s true they are typically easier and faster to use, it’s not exactly like something you can easily change if it gets stolen.  If your password or even credit card data are compromised, those at least you can change.  However, if your fingerprint or other biometric data is stolen, those are not things you can change.  This question and others relating to biometric security are continuing to resurface after incidents such as these.

So, what is the solution? In my mind, we always increase security with a multi-layered approach.  In the case of logging into something like this, one might have a password and biometric data as a form of two-factor authentication. The flip side of this is that users would most likely complain that now the system is more cumbersome to use.  Yes, their data might be a little more protected, but the technology that made their life easier just got more complicated to use.

While I still believe in two-factor authentication, in the case of Avanti’s breach, the data would still be compromised.  So if you are an Avanti customer, your biometric data might be in someone else’s posession now.  I know, it is scary!

While I still think that biometrics still represent a lot of our future authentication, the question must be asked about securing that data, how it is stored, and how it is transmitted.  According to Brian Krebs and his research, some simple technological applications to the kiosks themselves could have prevented this breach easily.  The kiosks fell victim to a known Point of Sale (POS) family of malware known as PoSeidon that siphons credit card data from point-of-sale devices.  In this case, it also grabbed the biometric data too.

In my eyes, the fault lies with Avanti and their terminals, and/or the third-party vendors that distribute and maintain them.  That being said, while everyone is looking for someone to blame, the bigger question and picture here is that of you, the consumer.  How do you protect yourself? How do you avoid these problems?  Unfortunately, it is a question of your own risk management.  I write articles all the time about the best practices you should have to protect yourself, but the fact remains that when your data is in someone else’s hands, you lose control.

My advice this week, do the best very best you can and be careful!  If you are an Avanti customer, follow the advice on their public statement and start monitoring your credit and close any accounts you may have used with them, or at least have your card reissued.

As always, if you have any questions or need help with anything, we at Cyber Watchtower are here to help you in any way we can.  Please contact us and let us help you.

Stay connected.  Stay safe!

Austin Bynum
Chief Watchman
Cyber Watchtower

Cybersecurity and You (Pt. 2)

In Part 1 of this series, we discussed some current general internet statistics and how they show us why we, as users, need stronger security practices as well as a better understanding of how best to protect ourselves against the growing number of threats out there.  We also discussed good password management practices and how best to avoid common pitfalls that create weak passwords.

In this segment, I want to discuss some of the common threats that exist out there and how you can best protect yourself from and avoid them.

Problem: Malware
The first thing I want to discuss is Malware. Malware is essentially any malicious program created by some intended to do harm to you, your computer, and/or your data. Many times it is intended to steal your data for identity theft purposes.

The most common types of malware are things that you’ve probably heard of such as viruses or worms.  Other, more malicious forms include things like ransomware.

Ransomware is malicious software that once it infects your computer, it encrypts all of your files keeping you from accessing them. A message will then display on your screen essentially extorting you for money if you want to get your files back. Some people pay and some don’t.  Regardless, the damage is done and some businesses never recover after one of these infections.  You may recall an attack in the new recently about “WannaCry”.  This is one of the most recent and worst examples of this type of attack that we have seen.

Solution: Defense and DON’T OPEN/DON’T CLICK strategy
So how do you prevent these things from happening to you?  To answer that, we have to look at that the most common way that malware infects computers.  Statistics show us that 91% of all these infections come through some sort of PHISHING attack.

What is PHISHING? Well, it is officially defined as, “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”  They can also be used to infect your computer via bad file attachments or links to infected websites.

So the simplest solution here is to pay close attention to the emails that you open.  The best rule is DO NOT open ANYTHING that is from someone you do not know or that you are not expecting.  Along with that, if it looks fishy (or PHISHY), delete it.  The biggest thing to pay attention to here is that with a stat like 91% you can see that if you’re going to get an infection of some kind, it will more than likely come via email.

Of course, another important solution is to protect your computer/equipment with anti-virus/anti-malware software or these days referred more to as security protection suites.  Having some sort of protection on your machine like this will also go a long way in preventing or helping to prevent your data from being compromised by these malicious programs.

Problem: Social Engineering
When I speak to audiences, I make sure to talk a little about social engineering.  One of my friends once put in the form of a trick question.  What is the least secure operating system?  The answer is the Human Operating System.  US.  We are the weakest link for malicious parties to exploit.  I define Social Engineering as “hacking the human OS (Operating System)”.

It is basically is the oldest trick in the book.  It’s the con game.  It’s the selling of snake oil.  There are a lot of ways these malicious parties attempt to get your information.  They will do anything from stage fraudulent phone calls posing as a representative of a company with which you do business to PHISHING email campaigns.  That’s right, PHISHING that we just discussed is another form of social engineering.

Regardless of the method, social engineering has one goal, to do you harm in a way that also benefits the person initiating it.  Whether they are attempting to steal your personal data or infect your computer, their ultimate goal is financial gain at your expense.

Solution: Be wary.  When in doubt, don’t give out your information.
The best thing you can do in any situation is to trust your gut.  If something feels wrong, it most likely is. Whether in email, on the phone, or even in person, trust that feeling inside that says, “I really don’t feel right giving any information to this person.”  I’ve been known to ask very pointed questions on that phone that either get good answers or make the person hang up.  The hang ups are obviously people who realize I’m more in tune with their intentions than they expected, so they move on to the next target.  Remember that these people are looking for the easy game, so when they meet resistance, it’s easier for them to just move on.

So, ask questions.  Ask them why they need your full social security number, or why they need you to give them your password.  These types of questions are not ones typically asked by legitimate businesses.  They should already have the data and not need you to provide it, especially if they called you.  Also, watch for lack of professionalism.  Some of these people will get belligerent when you question their need for information.

I know this has been a bit of a long post, but I wanted to get you as much information for your own protection as possible.  Be cautious and protect yourself the best you can.  Equip yourself with knowledge and tools to keep you, your business, and your family safe from these ever-increasing dangers online.  As aways, we at Cyber Watchtower are here if you need us.

Stay connected.  Stay Safe!

Austin Bynum
Chief Watchman
Cyber Watchtower

Cybersecurity and You (Pt. 1)

I travel state-wide here in Texas and speak to as many people who will have me.  I try to keep my audiences diverse and open because cyber security affects everyone, even you.  Whether you’re a 25-year-old IT professional spending most of your life online or a retired grandmother with 15 grandchildren who may only use the internet once or twice a week, your life is somehow impacted by this ever-growing concern in our modern world.

In this short series of blogs, I am going to discuss several different and important ways that you can make some minor changes to make your digital life more secure.

Now, when I present to audiences, I love to give statistics so that people can see just how important it is to have good cybersecurity practices.  Some of the stats I give really shock people and while my goal is not to cause fear, it is to bring awareness to the criticality of the situation and then personalize it so they can see how it can potentially affect their lives.

We discuss the growing rate of internet usage and how just over 50% of the world now has internet access.  This growing environment not only increases available targets for the malicious people, it is giving the malicious people room to grow and recruit.  Below are some of the other current stats that I use:

  • 130 – Average number of online user accounts per person in the US
  • 91% – The percentage of malware infections that happen from PHISHING
  • Asia has the most internet users at nearly 1.9 Billion but that is only 45% of their population
  • North America has 320 Million users and makes up 88% of our population

Passwords:
We usually discuss password hygiene and security as it is such a huge part of our overall security as a society.  I even explain to them the trends that are growing in password hacking technology such as pattern recognition.  Those malicious parties now look for common password patterns such as:

  • All numbers in the password being together (i.e. “hereismypassword1234”)
  • The most common used special character is the “!” and it is usually at the end. (i.e. “hereismypassword1234!”)
  • When a capital letter is required people just usually make it the first letter of the password.

Here are some recommended adjustments that while minor will still help take the security of your passwords to the next level.  Essentially make adjustments to your existing passwords around the few things I mentioned above.

  • Start your password with a lower case letter or special character
  • Mix up your numbers
  • Place capitals at random
  • Substitute some letters with numbers

Example:
“h3re1sMyp@ssw0rd”

Internet access exists all over the world and let’s face it, it’s not going to lessen anytime soon.  Anyone reading this blog most likely has plenty of online presence including at least 10 user names and passwords online.   Hopefully, the above information has been helpful to you and will be a good starting place in you having a better understanding of cyber security and how you can flex some of your own security muscle in your digital life.

Keep watching here.  Next time I will discuss some specific threats to your digital life and how you can protect against them.

Stay connected.  Stay Safe!

Austin Bynum
Chief Watchman
Cyber Watchtower

Cyber Watchtower Turns ONE!

Here at Cyber Watchtower, we are excited to be celebrating a full year of protecting our customers with our suite of cybersecurity services.

One year ago, we set out with a goal to provide a comprehensive collection of full-service cybersecurity protection options for individuals, families, and companies.  We are a team made up of people who not only understand cybersecurity but we also see the overwhelming need for everyone to have some level of protection and education when it comes staying safe online.  Our services focus on total online security and range from password management to cyberbullying protection.

We started by researching and testing product after product in order to figure out what was out there that would provide the best protection and monitoring for our potential customers.

Several months later we began engaging a small group of individuals to test the services that we had chosen.  This WONDERFUL group of people has really helped to shape our services as we’ve gone through some changes, growth, bumps, and bruises.  I cannot thank these, our test users, enough for all they have done for us.  THANK YOU! THANK YOU!

Starting at the beginning of 2017 we went full bore into service mode and now have a steadily growing client base.  We are constantly working to improve and expand our services to make sure that we keep all of existing and future clients protected from the dangers online.

Today our current services are:

  • Password Management
  • Social Media Monitoring
  • Web Presence Monitoring
  • Web Filtering
  • Device Management
For a full description of all of our services visit our Services page.

If you are one of our current customers, thank you for your business and we promise that we will continue to provide you the best support and protection possible.  If you are not out customer, we truly hope you are doing your best to stay safe online, but we’d love the opportunity to help you ensure that you and your family or business are staying as safe as possible.

As we here at Cyber Watchtower love to say . . .
Stay connected.  Stay safe!

Austin Bynum
Chief Watchman
Cyber Watchtower

Apple Breached?

Story:
On March 21st of this year, Motherboard released an article about a possible security breach to Apple and its iTunes’ accounts.  According to the article, a hacker group calling themselves the ‘Turkish Crime Family’ has acquired a cache of iCloud and other Apple user names and passwords and are attempting to extort Apple for $75,000 in bitcoin or $100,000 in iTunes gift cards.

Apple has stated that there have been no breaches to any of their systems.  According to an article from Wired, Apple has stated, “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services. We’re actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved.”Apple has gone on to say that they do not perceive the hacker group as a credible threat.

Apple has gone on to say that they do not perceive the hacker group as a credible threat.  In some ways, it is easy to see why they feel that way.  I’ve honestly waited until now to write about this because the more that is published and I read, the story seems to change and the group even changes their story.  Even in the first article, there was a discrepancy in the number of accounts the group claimed they had in their position.  Now, from all that I’ve read, they’ve either upped their demands or the story keeps changing.  Now the threat includes everything from locking people out of their accounts to wiping 250 million iPhones.  They have even apparently given a deadline of April 7, just 3 days away, for Apple to comply with their demands.

Recommendation/Solution:
Regardless of the threat credibility, the solution for everyone is actually quite simple.  The simple answer to this problem if you are worried is . . . change your iTunes password.  I know it sounds so repetitious of me, but it really is that simple.  If what the hacker group has is truly active credentials for iTunes/iCloud, then we can all just take away the threat by changing the passwords so that whatever the information they have is no longer any good.

My personal recommendation is to do just that.  I have already changed mine.  I suggest you change yours.  Now, I know that many of you have multiple Apple devices that will require you to update your password once you change it.  I am not different.  I have 4 devices that will need updating with my new password, but it seems a small price to pay to protect myself and my data.

Remember, the group has given a date of April 7, so I suggest changing your password as soon as possible if this worries you at all.  For the sake of fair play, below I’ve provided three links to different articles to let you decide for yourself.  My opinion is still the same though.  It’s a simple fix versus rolling the dice.

Motherboard Article
Wired Article
Fortune Article

As always, be safe.

Austin Bynum
Chief Watchman
Cyber Watchtower

Kids, Technology, and Security

Being the father of teenage twin daughters, I’m continually surprised and impressed at the amount of technology they use in school and in their lives compared to when I was a teenager.  Over the course of the last several weeks I have had the privilege of speaking to several classes at my daughters’ high school about cyber security and identity theft.  The classes that I have been speaking to belong to the school’s “LIFT” program.  This special set of classes prepares and competes in a really innovative event called Future Problem Solving or FPS.

While I love everything about this concept and event, especially with the subjects that they choose to tackle, I wasn’t sure what to expect when I was asked to come speak on these subjects.  Usually these kids have done tons of research and are very informed on their topics.  To be fair, they had just started researching this one, but the most amazing part to me was the lack of basic security knowledge and understanding inside a group of very intelligent teenagers from a generation that has been completely saturated with technology their whole lives.

Don’t get me wrong, there were some things that they knew.  However, when I started on the discussion of passwords and best practices surrounding them for protections, they were as surprised as the adults I often speak to.  They had a general idea of what malware is, but no real understanding of how it works, spreads, or how dangerous it is.  When I discussed social engineering, they hadn’t really heard of even the most basic and oldest concepts.  I was very shocked.

To their credit, they did have some understanding of social media dangers, which makes sense and made me breathe a small sigh of relief.  The most amazing part was that as I started connecting some of the dots for them and teaching about some of the real dangers out there and how identity really gets stolen digitally as well as just basic cyber security practices everyone should be aware of, they latched on and soaked up most of what I had to say.

Don’t get me wrong here.  I am not knocking these kids.  They were all great and let’s be honest, the reason they didn’t know a lot of what I spoke about is because we, the generations ahead of them, have not taught them.  Again, to be fair, I do this for a living and so I do take my own knowledge for granted sometimes, but many of the things I discussed were things that in my mind everyone should know and be on the look out for.

Honestly, speaking in front of these classes opened my eyes even further to the need for general education and training for everyone so that they can simply protect themselves.  It was also a nice confirmation that the services we offer as a business are just as needed as I have suspected.

I do ask this of you, my readers.  If you have kids, teenagers especially, please start teaching them good cyber security practices, password hygiene, and responsible social media usage as soon as you can.  Also, please start using them yourself.  Protect yourself! Your online presence has so much more information about you out there than you realize and you need to take care of it.

Remember that if you need help, advice, or services to help protect you, that is what Cyber Watchtower is here for.  We are here for you and your family to make sure that you stay as safe online as you possibly can.

Austin Bynum
Chief Watchman
Cyber Watchtower

Yahoo! . . . Again and Again and Again

If you have been reading my blog entries, you know that Yahoo, one of the first and largest dot coms, has been having a lot of security headaches over the past few years.  Most recently you may remember that a breach originally reported to have exposed 500,000,000 user accounts was updated to twice that many, 1 billion user accounts.

Oddly enough, with all of the media coverage on this huge issue, another, more disconcerting issue was reported by Yahoo in December of 2016, largely flew under the RADAR.

This new issue had nothing to do with user names and passwords being compromised, but according to Yahoo, they “believe an unauthorized third-party accessed the Company’s proprietary  code to learn how to forge certain cookies”.  What does this mean?  It means if your account was a victim of one of these “forged cookies”, the malicious parties didn’t need your user name or password to access your account.  The new cookies allow them the access accounts without credentials.

According to Mohit Kumar, CEO of The Hacker News, “Yahoo began warning its customers just last month that some state-sponsored actors had accessed their Yahoo accounts by using the sophisticated cookie forging attack.”

He does go on to say, “However, the good news is that the forged cookies have since been “invalidated” by Yahoo so they cannot be used to access user accounts.

Below is a link to the full article:
Yahoo Reveals 32 Million Accounts Were Hacked Using ‘Cookie Forging Attack’

While it is a great thing that the issues was discovered and the cookies were invalidated, there are still major questions and issues that linger for me.  It might not seem like as big of an issue since it only affected 35 million users.  However, what is most disconcerting to me is that an “unauthorized party” was able to access “proprietary code” from the company.  That is usually the most protected asset of any company like Yahoo.

The other major issue is that the compromise completely circumvents normal authentication, i.e user names and passwords.  This means that even if users changed their passwords or other security measures, it likely would have little impact on the malicious party’s ability to access the accounts.

What does this mean for you?
First, if you have one of the accounts that could have been compromised, you should have received an email from Yahoo regarding it in the last month.  Follow the advice that they gave you, but I would also change every bit security with them that you can.  This means, your password, your security questions, and even turning on any form of secondary authentication they have available.  If you are more daring and can, I’d say close any affected Yahoo account you have and change services.  Things are not looking good for Yahoo and they are about to be sold and split up anyway.

Second, as always, keep a close watch on all your security surrounding any online account access you have.  Your email accounts, believe it or not, are just as important as your bank accounts.  Why?  Because, if your email is compromised, then a malicious party can issue password resets on your accounts and get into your email to complete them.

Summary
Honestly, as important as cyber security is in today’s world, and considering the size and penetration of Yahoo, I am seriously worried about anyone who uses them for anything now.  Yahoo just can’t seem to get things together or protect anyone anymore.  Perhaps that is unfair, but hey, 3 strikes and all.

As usual, I strongly encourage you all to keep a close watch on everything you do online from banking to email and from social media to online purchasing.  Be careful out there and remember that Cyber Watchtower is here if you need us or our help with any of these issues, Yahoo or otherwise.

Austin Bynum
Chief Watchman
Cyber Watchtower

2016 – The Good, The Bad, and The Scary

2016 was quite a year in regard to the internet and its usage, not to mention users’ increase in security awareness.  While those things are positive, we also saw an increase in security breaches as well as an increase in the complexity of attacks the hackers and other malicious parties are using.

According to Gina Smith from anewdomain.net and Internet World Stats, 2016 saw an increase to the tune of just under 3.7 billion internet users world wide.  The increase represents roughly a 10% increase from the previous year, but more astoundingly, mobile usage saw an increase of roughly 17% by adding over 280 million users.

I promise, I’m not trying to bore you with stats.  I just think the numbers help to fully understand why all of our lives are so much more at risk online than they used to be.  What’s more fascinating is that while North America only represents 8% of the internet users, the United States itself leads the world in overall online spending.  It’s no wonder we make exceptional targets for malicious activities like identity theft and credit card fraud.

The malware that is responsible for so many of data loss and security breaches continues to become more and more complex, almost by the week.  These days, most security professionals will tell you that a simple anti-virus program just isn’t enough anymore for your protection.

What’s amazing is that even with the increase of users and the increase of awareness of those users, the bad guys are still finding their way into our systems and devices by using the same old tricks most of the time.  According to TrendMicro, 91% of system infectious of malware are still coming from successful PHISHING attacks.  That means that users are still clicking on links and opening files in emails that are infected and they are not from who they say they are from.  To be fair, the PHISHING emails themselves have become very, very good and look very official most of the time.

TIP:  As always, don’t open emails from people you do not know or you are not expecting.  If it is from an official site or company, remember to be skeptical, especially if you are not expecting the email.  For example, this time of year, the bad guys like to use emails the appear to be from the IRS, but they end up asking you for information then stealing your identity.

As much as you need the proper tools and services to protect you, remember that you are your best protection agains these issues.  Use the internet and your email wisely.  Pay attention to ANYTHING that seems out of the ordinary on your computer, your phone, your bank account, your credit cards, or anything else that could mean a breach of your security and information.  Even a hack of your social media (i.e. Facebook, Twitter, etc.) could mean the beginnings of a larger attack on you as a person.

2016 was a growing year in many ways, but not all of them good.  Remember that Cyber Watchtower is here to help you with information and services to help keep you life more secure.    The internet is going to get more crowded as the years go on, so let us help keep you safe online.

Austin Bynum
Chief Watchman
Cyber Watchtower

New Year’s Cyber Revolution Resolution

Well, here we are.  It’s January, 2017 and it’s another new year.  Now is the perfect time to start seriously thinking about your passwords and your overall online security.  Cyber Watchtower stands ready and willing to not only help you get this process started, but to do it for you!

“What?”, you ask.
“There’s a company that will do these things for me?”

The answer is “YES, absolutely!”  There is a company cares more about your security than anything else.  We will partner with you, help you assess your real needs, and be your advocate and security expert.  We are Cyber Watchtower and we want to stand guard for you, your family, and even your business.

In this new year of 2017, we want to help you by:

  1. Increase your password security
  2. Protecting your children from cyberbullying and inappropriate content
  3. Keeping you and your family’s online presence secure
  4. Securing your business while helping it stay efficient and productive.

Cyber Watchtower offers a suite of customizable services to not only help make your digital life more secure, but to keep it secure.

Our services include:

  • Comprehensive Password Management
  • Social Media Monitoring
  • Web Presence Monitoring (Business)
  • Web Filtering
  • Device Management

We have been consistently developing, testing, and refining our services for months and now stand ready to partner with you to greatly increase your online and cyber security posture.  Our average user comes on board with a security score of around 50-55%.  Within 1 to 2 months we are able to increase that security to 90%.  Our ultimate goal for all of our customers is to keep them above 90% while keep a close watch on their ongoing online presence.

We would love the opportunity to get to know you and help protect your life with our services.

Contact us NOW, to learn more.  Please don’t let another year go by without truly protecting yourself online.

Austin Bynum
Chief Watchman
Cyber Watchtower

Secure Your 2017

2016 was a rough year in so many ways.  We saw one of the fiercest elections in memory and we lost countless amazing artists.  In the world of cyber security, we saw an unprecidented number of security breaches to companies like Yahoo! and LinkedIn, with record-setting account information lost.  We also saw an ever-increasing number of cyber bullying incidents to both celebrities and average teens.  Overall, a very big year.

As we are such a digital society, we must look forward and try to do a better job all around.  Many people still take for granted the importance of good password security.  I will say however, I am starting to see some improvement in people’s understanding and habits when it come to managing their passwords and online credentials.  While I’m encouraged by what I see, I fear these breaches will just continue and the best defense users have is solid password hygiene.

Just like user credentials being so much a part of our daily lives, so is social media.  Most of us spending any time online belong to some sort of social media network.  Whether it be Facebook, Twitter, LinkedIn, Instagram, or one of the many other networks, social media impacts not only our individual lives, but sometimes how society even gets their information and the speed at which it travels.  Now, while many of us will never experience cyberbullying in a detrimental capacity as some have, the fact remains the problem has become an epidemic and not just a nuisance.  There were countless celebrities in the news fighting this issue.  Prince William has even been so appalled by what he has seen in the realm of cyberbullying that he has made his own mission to fight it.  GuardChild reports that over 25% of teens have been threatened by some sort of electronic means.  Cyberbullying isn’t just limited to social media.  It sometimes may just be taking place via text message or private chats.  Regardless of the way the bullying takes place, it remains an ever-increasing issue.

There’s no doubt that as we continue to increase our online dependence, security of our information and protection of ourselves will become more and more important.  No matter how much of your life is online, I beg you, please make a resolution this year to protect yourself and your loved ones online.  We here at Cyber Watchtower wish you a very happy new year and we hope that you make 2017 a great year

Austin Bynum
Chief Watchman
Cyber Watchtower