Scorpion Software Blog

For those of you who were at this year’s Kaseya Connect, you may have had a chance to hear our CEO, Dana Epp, partake in the conversation about Security Trends. It’s a great topic to be thinking about with quite a few stunning statistics. Thanks to Kaseya, the whole talk was recorded, and available for those of us who weren't able to see it live. So, without further ado…

If you're interested in picking up a few tips from Dana himself on keeping secure at events like Kaseya, check out this free eBook

Not Millions, but helps visualize it

With the recent hacking at Evernote, millions of individuals around the globe are once again reminded of the importance of providing an additional layer of safeguarding to protect confidential information online. Evernote suffered an enormous breach of their data that caused them to reset every password for all of their users, some 50 million account holders, as soon as was humanly possible.

In the weeks that followed, Evernote announced the incorporation of two-factor authentication although it would take a while to incorporate the measure into the entire process. By early March 2013, Evernote had sent an email to every user that was victimized by the security breach. There had been a discovery of suspicious activity on the Evernote network. The coordinated attempt was a breach in gaining access to the secured areas of the system.

The hackers had apparently accessed the usernames, passwords, email addresses and other information about Evernote users. Using one-way encryption technology, all of the information was salted and hashed. While none of the information was probably readily available, due to the extensive software and hardware requirements of hacking hashed information, Evernote still decided to reset every user’s password. This avoids the potential of any compromised data, by not giving the hackers enough time to decipher the code.

Cryptographic Algorithm Technology

Evernote is known to have used the MD5 cryptographic algorithm as the method for hashing passwords before they are moved to storage. Unfortunately, this technology has been proven to be a poor selection when providing protection for passwords. The technology is extremely simple to crack if the hacker has enough time to run the data through software programs. In fact, with nothing more than a search on Google, the faithful search engine will trade most any MD5 hash for its plaintext value. Thankfully, Evernote had the forethought to salt the hashes, which would greatly decrease the speed of effective guesses and prevents looking up hashes in Google.

What Will Two-Factor Authentication Do?

Exactly why would Evernote decide to offer two-factor authentication to their users? In essence, adding two-factor authentication may not have protected them from being hacked. However, it certainly would have protected the users from that information being used against them. Even if cyber-thieves had been able to decipher a password they would still need the second layer of authentication to gain access into an account. Without it, the process for access is immediately stopped.

What Was Revealed

Just like all the other high level security breaches where passwords were captured and revealed, Evernote once again refocused the attention on a password’s poor ability to provide security. The breach at Evernote once again revealed that confidential commercial and personal information should not be secured using nothing more than a username/password combination.

Pause and think about it for a moment, how many people likely store important or valuable business documents in Evernote? Too many.

While you may apply more security to your Customer Relationship Management (CRM) tools than a simple online notebook, does that mean it's enough?

AuthAnvil itself is built with security in mind. With not one, but two Security MVPs on our development team, we’ve put thought into designing a system that won’t let you down. However, security isn’t a product; it’s a process, and part of that process lies in how AuthAnvil is deployed and used. That’s part of why we insist our pro services team helps you start off on the right foot with your first installation. Of course, you may find you need to perform an installation yourself sometime, so we like to keep everyone educated on the process. Today, I want to talk a little bit about SSL and preparing your AuthAnvil server to face the internet.

Now, there are three scenarios I’ll cover, each with their own requirements. The first is an internal testing environment, perhaps on a virtual machine or isolated test machine. Next, I’ll cover a purely internal installation that is not web-facing. Finally, we’ll cover the standard deployment situation with AuthAnvil installed on a web-facing server and will be accessible from any where your users need to be.

Internal Test System

An internal test installation is quite common during proof-of-concept systems and while planning your AuthAnvil deployment.  This is also the only environment where using HTTP communications are acceptable. The reason HTTP is acceptable is that the server should have no production data and thus not be used to actually protect any endpoints that aren’t part of the test.

Internal Production System

With a completely isolated internal network we recommend a self-signed SSL certificate as the minimum. In this situation, AuthAnvil should be made only reachable from trusted, continuous network segments. This will however, limit you to protecting endpoints that are behind the firewall. You also will have to make sure that all the workstations and endpoints trust the self-signed certificate. For very small and isolated installations this will work just fine but larger installations you would want to move up to a more reliable certificate.

Public-Facing System

By far the most common and the recommended way to install AuthAnvil is to configure the server to be accessible from the internet so that users can log in and access AuthAnvil anywhere they need to. You also can then use AuthAnvil to protect any endpoint that can access the internet. The key that will keep all of this communication secure is of course, a third-party SSL certificate.

We do NOT recommend using a self-signed cert or HTTP for communications over the internet.

AuthAnvil will support both specific certificates (authanvil.yourdomain.com) and wildcard certificates (*.yourdomain.com). We also recommend that you have your certificate installed and bound to the desired site in IIS before installing AuthAnvil. If you are using a specific third-party certificate, AuthAnvil will detect that and configure itself to use HTTPS right away. If you have a wildcard cert, you will need to manually configure the subdomain as shown below. 

Reconfiguring The URLs

To establish your new URL, open up the AAWebConfigEditor (located by default at C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilTools\AAWebConfigEditor.exe) and change the first section of the SAS and Admin URLs from https://*.yourdomain.com to https://subdomain.yourdomain.com, then click apply and perform an IIS Reset. 

Bringing It All Together

While not everyone needs to know exactly how to install AuthAnvil, it’s important to be aware of the process so you can plan accordingly for your business. Of course, if you ever need us, don’t hesitate to ask. You can contact our support team directly http://www.scorpionsoft.com/help or you can reach out to us on Facebook or Twitter.

Many individuals that spend a lot of time and energy preparing their wills in the event of their untimely demise never consider provisions for their online estate. If an individual has not exerted any effort to safeguard their digital life, then gaining access to an account might be impossible for those left behind after his or her death.

With an increasing amount of personal financial dealings being stored online in accounts that are password-restricted, it is important to provide access after the account holder’s demise. This can include bank accounts, personal messages, email accounts, and arrangements for automatic bill pay. Piecing together an individual’s virtual estate after their death can cause major confusion and headaches that could take years to unravel.

As an example, an individual with an online account that is separate from a traditional financial banking institution may have all of their notifications and statements electronically delivered. Without knowing it, any heirs to the estate could easily overlook the account simply because they do not know it exists.

Locating Electronic Financial Information

Many attorneys that have to deal with estates often spend days tracking down viable financial information from individuals that do not properly set up their wills. Sometimes, even a fully detailed will cannot solve every problem. Without the account passwords, it can take years to get through the maze in an effort to sort everything out. Survivors need detailed login information. However this is usually only acquired through the court system that has the power to provide legal authority to access accounts. While the process varies between states, in every state, the task is never easy.

This challenging issue is not just limited to banking institutions and financial accounts. Many times, the heirs of an estate would like to save sentimental personal electronic items including online email accounts, stored photos and instant messages. Other problems that can arise include the ability to control an individual’s online profile on social media sites including Twitter or Facebook, after the person has departed. Without the proper login information, access into the account is often denied. Some social networking sites will convert an existing profile page to a memorial page, but only after being requested from a family member.

Access to Domain Names and Blogs

There are trickier situations that often arise after a person has died concerning their electronic estate. These include web-based businesses along with the ownership of domain names, media sites and blogs. Sometimes situations get complicated when a survivor attempts to cancel mobile phone or cable service that is set up on automatic bill pay. Without the proper login information, it is nearly impossible for any family member to gain access to the account and stop the charges.

There are numerous restrictions buried deep in many terms of service agreements that can get tricky when accessing an online account of the deceased individual, even if it is a parent or spouse. Without the necessary paperwork showing control of inheritance, changing an online account might be seen as tampering, or a violation of federal anti-hacking laws.

Some States Have Passed Laws

Many professionals that handle estate planning indicate that the problem seems to be getting much larger. Recently, numerous states have passed significant legislation that is directly related to the management of digital property after an individual has died. Even with these new laws, many professionals have created significant strategies to handle the problem. They have developed step-by-step instructions on exactly how every heir can gain access to electronic properties to virtually transfer them after the client has died.

Specifically, these strategies include a full detailed inventory of every digital account with a complete updated list of all active passwords. These are passwords that are managed and maintained on a flash drive and locked safely away in a safety deposit box. Additionally, there are dedicated websites that hold information that can be released to a designated beneficiary after the death of a primary account holder.

What to Consider

A digital asset is typically an online account that stores information electronically. Digital assets can include social networking sites, brokerage accounts, online banking, video sites, sites that store photographs, blogs, online consumer transaction sites and much more. In planning an effective electronic estate, it is imperative to consider the following, that includes:

• A complete inventory of all digital assets
• A list of every account and device along with usernames, PINs, passwords, etc.
• Creating power of attorney for an agent of choice
• Provide authority to the will’s executor or the trustee successor
• The avoidance of detailing names and passwords in a revocable trust or will

Without taking some action, many accounts that hold valuable information or access to cash could be potentially gone forever. It is imperative that every individual creates an electronic estate plan that coincides with their physical estate plan to ensure that the beneficiaries have access to the properties that the deceased individual had desired.

It is not breaking news that it is important that everyone use proper security methods including secured passwords on every account to guard against online attackers, intruders, and cyber-criminals. It is essential that every account have a unique and complex password, which is nearly impossible to decipher. However, because it considered to be too challenging for most individuals to remember dozens, if not scores, of 15-character passwords or even longer passphrases, many online users create simple passwords and potentially expose confidential information to internal and external hackers.

Oftentimes, individuals create easy to remember passwords and passphrases that are very simple to decipher. The easy-to-guess passwords can be as simple as “password”,

“12345” or “Letmein”. These easy to remember words or phrases take only minutes for an online attacker to decode. Others individuals choose to embed plain text password files directly in their customer network systems in the notes of their RMM (remote monitoring and management) tools, which can provide significant problems if they are ever discovered.

Changing the Password

Once users get past the idea of generating simple, easy-to-guess passwords, and finally begin developing complex passphrases, it is essential to change them on a regular basis. Any time a password remains active, it can significantly increase the ability for a hacker to use algorithms to crack it. Changing passwords every month provides a safer single-authentication level against online attacks.

Two-Factor Authentication

It is not the end-all to simply use good passwords. As an additional backup, deeper-layers of safeguarding, it is important to use multi-factor authentication that might require a different passkey, or another method of ID verification to login. This not only keeps all activity in safe mode, but also, it eliminates the possibility of having the information compromised.

Password Management Systems

Taking a proactive approach to managing your passwords can eliminate many of the common missteps to password management. In the same way you require multiple tools to perform specific jobs, it is essential to have a variety of password management tools to safeguard critical confidential data. An effective password management system eliminates a single point of sale. Proper management tools will keep confidential information safely on the server. However, if the server become inaccessible at any time, it might be impossible to logon to social media, financial accounts, or even the bank.

With the latest advancements in digital identity protection, many password managers offer multiple layers of protection and defense against hackers and key-loggers. The user will only be required to remember one master password and all other logins will be completed automatically. Additional key features of most password managers include:

• Security – Personal information and passwords are managed in an encrypted vault.
• Randomness – Most password managers generate strong, random passwords that are nearly invincible.
• Portability – A proper system should give you access to your passwords when and where you need them.

Multiple PC Accessibility

As important as it is to have a backup system by exporting the data to offline site, the backup system needs to be continuously managed at a safe location. Storing passwords into a database requires a method that provides accessibility and security.

Eliminating Security Breaches

Anytime users have more than one password to manage, it is essential to use a password manager that does not require significant changes to the existing information technology infrastructure, application-level integration or scripting. Businesses that need additional strength application in all of security measures require:

• Strict Password Policy Enforcement
• Transparent Password Changes
• Automatic Password Expiration
• Interoperability with Multi-Factor Authentication 

Effectively managing passwords can be a full-time job for some businesses. However, the extensive benefits will quickly outweigh the downside of any compromised, confidential information. An effective password management solution will help to increase the efficiency of the business’ operations and strengthen all levels of security. In the end, it will improve productivity because of its uninterrupted access to all accounts, without exposing confidential information by internal or external attackers. A quality manager will eliminate the need to hardcode passwords.

Not all cyber-attacks happen from outside an organization. In a recent federal indictment, federal prosecutors have alleged that two individuals in California have conspired together to compromise the POS (point-of-sale) system of numerous Subway restaurant franchises from a remote location. One of the individuals that was indicted had owned a few Subway franchises in Southern California just a few years ago.

The man had started an outside company that sold point of sale systems to numerous Subway franchises which had a backdoor left open to allow them remote access. Part of the indictment indicates that the conspirators had used fraudulent means to add tens of thousands of dollars in value to many of the gift cards that Subway sells. They then used their high valued gift cards to purchase merchandise at subway restaurants. One individual is also charged with selling many of these fraudulent Subway gift cards online.

Looking for Red Flags

This raises red flags to every individual that does any type of business or activity online. Not every cyber-attack occurs from the outside. Every day around the world, online users are being attacked with compromised accounts, allowing hackers to gain unauthorized access to banking institutions, credit card accounts, email and other confidential information.

Many times, businesses are not aware that their actions, or inactions, online can significantly put their company at risk. By understanding the dangers that lurk on the Internet, companies can protect themselves against cyber-crime.

Steps to Take

Developing a proactive stance, businesses can increase the potential of avoiding any type of cyber threat or risk by creating the proper controls. Just like the Subway case, businesses can easily be hacked from within, and only find out about it after the damage is done. There are specific steps to take that can add a layer of protection to safeguard against in-house and outside attacks. They include:

• Lock down the Network – Never make the company Wi-Fi network open to the public. This can cause significant issues by “war drivers” that use high-powered antennas to infiltrate poorly protected company networks.
• Secured Connectivity – Never connect over the Internet unless it is through a properly-protected connection. This can include both limited wired connections and wireless that utilizes WPA security. Additionally, companies can incorporate VPN (virtual private network) technology that will encrypt and send all data through a tunnel over the Internet that is impossible to view, decipher or steal.
• Limit Shared Information – By self imposing heavy limits on all shared information, through social media sites, banking institutions and other financial accounts, companies can minimize the potential of being hacked.
• Use Only Heavy Password Protection – Every online account must be accessed using a heavy, respected password. These passwords are generated using a variety of upper and lower case letters along with numbers, symbols and characters. No password should be less than seven characters long. Administrative accounts bring that minimum length to thirteen or more.
• Add Two-Factor Authentication – Had the Subway franchise owners incorporated two-factor authentication into their systems it would have been much more difficult for the conspirators to hack into their POS systems. Adding two-factor authentication is a simple process. Software or hardware tokens can easily generate single-use codes that are inputted after the username/password combination.
• Encrypt the Data – Companies that accept credit card and debit card information must follow strict PCI security protocols. They must encrypt their data at rest to remain fully compliant with all PCI security standards as a way to safeguard consumer’s confidential information and diminish the potential for cybercrime.
• ecure the Hardware – Hardware, including POS systems and computers are easy targets for physical theft. Unless the data stored on the hard drive of the stolen device is encrypted, it can instantly put the cardholder data at risk. Back-office servers should be installed in a proper cabinet, secured by a key held by only the top management. The countertop POS terminals in customer areas should be locked down with steel cable.
• Maintain Protection Software – Almost all PC-based POS terminals feature standard USB ports, which would provide a possible attack vector to any outside hacker or in-house employee to infect the company intranet or server. By utilizing and frequently updating protection software including anti-malware and software policies, the business can stay protected and avoid data breaches.
• Educate All Employees – Studies indicate that most security breaches come from within. Whether on purpose or not, uneducated employees can easily become victims of social engineering or brute force attacks and unwillingly provide unauthorized access into the company intranet. Through education, employees can be well-informed on how to maintain the high level of security with properly designed passwords and effective two-factor authentication solutions.

Experiencing a cyber attack from the outside or inside is no laughing matter. Although not every compromise is as obvious as a hooded silhouette smashing through the window and departing with a POS terminal. Regardless, at the first noticeable sign of any intrusion, it is imperative to quickly enter a secure lockdown state until the scope of the intrusion has been verified and remedied.

by Steve Syfuhs

According to Wikipedia:

A Federation is multiple computing and/or network providers agreeing upon standards of operation in a collective fashion.

Practically speaking, it’s a way to bind two disparate systems together in such a way that allows both systems to understand the same data and work toward a specific goal. Okay, so maybe that wasn’t as practical an explanation as I hoped. Federation is a concept that helps us share information across multiple systems.

Federation is an increasingly important aspect of identity management as more and more systems become interconnected. Federation bridges different identities across different systems so we don’t end up with insurmountable collections of siloed user data. Federation helps reduce stale user information, reduces the sprawl of repetitive identities, and most importantly gives users and their organizations a better security posture.

In this installment of Tech Tuesday we'll begin a new series looking at the vices and virtues of Identity Federation and Single Sign-On.

Single Sign-On

Single Sign-On (SSO) is built around this concept of identity federation. SSO works by creating a trust relationship (the federation) between two or more different systems that agree upon sharing a specific piece of information – the user’s identity. The goal is to centralize the location of a user's identifying information and hopefully reduce the number of authentications necessary to use the systems. Practically speaking this means fewer usernames and passwords to manage. This relationship is usually codified through protocols like SAML, WS-Federation, OpenID, etc.

In the SSO world, both parties agree on the protocol and trade some information with each other once so they can prove the shared data hasn’t been tampered or forged. When the trade is complete, federation is configured and Single Sign-On can occur.

Licenses, Drivers

To understand the benefit of Federation and Single Sign-On we need to understand the trust relationship. The relationship model we use for Single Sign-On parallels that of government-issued ID's.

Imagine for a moment you are wanting to go the bar and order a drink. The bartender is legally obligated to verify your age. He has a few ways he can do this, but most of them are impractical. Apparently cutting someone open and counting the rings doesn't quite work like it does for trees, but I digress. So he relies on your government-issued photo ID.

Verifying your government-issued photo ID solves a couple problems for the bartender. The ID contains special information that describes the holder of the identity like date of birth. The bartender does a simple check: is the date of birth on the card far enough back to legally allow you to drink? The bartender has a relationship with the government so he's reasonably certain he can trust the information on the ID, but now he has to verify if the ID is real or not. He does this by verifying certain properties of the ID exist that were previously agreed upon between him and the government. These properties are things like inlayed holograms under the laminate, State seals, or special codes on the magnetic strip on the back of the card. With these properties he can reasonably determine if the ID is genuine because the properties are supposed to be very hard to reproduce by 3rd parties.

Finally, the bartender has to verify the ID actually belongs to you. This is where that photo part comes in. The ID would be pretty useless (or rather, extremely valuable) if using it didn't require the holder to be verified -- anyone holding the ID could use it. If the ID is simply a laminated card that you carry around in your pocket you run the risk of someone stealing it and impersonating you. So there's a photo on it to tie you to the ID. The bartender needs to compare the photo on the ID to you. If you look alike there's a reasonably good chance you are the one entitled to use the ID.

When you put everything together you get an ID that only you can use, but can be trusted and verified by any number of people that understand that trust relationship. This basic trust model is used in Federated Single Sign-On.

The Protocols

There are quite a number of publically and privatively documented protocols used for SSO, however there are a few well known protocols that are used in the majority of SSO implementations. These protocols are:

• Kerberos
• SAML (Security Assertion Markup Language)
• WS-Federation/WS-Trust
• OpenID/OAuth
• CAS (Central Authentication Service)

Each protocol is unique, but they all share some important similarities. Basically, they talk to their friends the same way. Each party in the SSO relationship is essentially the same across all protocols.

The relationship consists of two parties: the source of the identity and the receiver of the identity. Each protocol calls the parties something different, but suffice to say they all mean the same thing. For the sake of simplicity we'll be referring to the source of the identity as the Identity Provider and the receiver of the identity as the Relying Party. These names coincide with Microsoft naming conventions.

The Identity Provider provides the identity in the form of opaque token, and the Relying Party relies on the identity provided in the token. A token is generally a specially crafted chunk of XML or binary data. The Identity Provider is like the government agency issuing the photo ID, the photo ID is the token, and the Relying Party is like the bartender verifying the ID. Simple, right?

With all of that being said, let's take a look at how this works in the wild.

Federating Salesforce.com

Salesforce.com is the quintessential cloud application. It's a perfect candidate for identity federation because it can be used by so many people in an organization, it's simple to configure, and all it's users benefit greatly from having one less password to remember. We'll be looking at Salesforce.com as an example here and in future posts.

Federating is the act of creating a trust relationship between the Identity Provider and Relying Party. In this case the Relying Party is Salesforce.com and the Identity Provider can be whatever we want to trust as an authoritative source for our identity. Selecting a proper Identity Provider is a great topic for another post, but seeing as I'm the guy behind the AuthAnvil Single Sign On product I might be remiss in not talking about it as much as possible. So lets use that.

Assume for a moment we have a working Salesforce.com account and a working AuthAnvil Single Sign On instance. Creating the trust relationship is fairly straightforward and the exact steps can be found in our integration guide. If we take a look at the configuration, we can see a few important pieces of information that need to be exchanged. This exchange allows Salesforce.com to trust the token AuthAnvil Single Sign On provides.

First, the relying party needs to know who the token came from. This is called the Issuer. The issuer is kind of like the agency that issued our government ID, e.g. Department of Motor Vehicles, and the relying party decides whether it's willing to trust the token based on this value.

Second, the relying party needs to know how it can verify the issued token hasn't been modified in transit or created by an untrusted 3rd party. This is where that Signing Certificate is used. The signing certificate has a private key that is owned by the identity provider and is used to sign the token. It never leaves the Identity Provider. If the token is improperly modified in transit the signature is invalidated, and an attacker can't recreate the signature because they need access to that private key. If you can't get the private key you can't create the signature. To verify the signature you only need the signing certificate's public key, which can be shared, well, publically. The signature is like the photo ID's hologram. The design of the hologram as well as the method of verifying it's authenticity is public knowledge, but the hologram itself is really difficult to forge.

Third, the relying party needs to know where it can get a new token. This is the federation endpoint. Each protocol works differently, but this endpoint is central to the whole process as it's where the user is sent to get a token useful to the relying party. This is kind of like the DMV office (but with less waiting and better turnaround time).

Forth, the relying party needs to know how to interpret the identity information. Part of this is implicitly handled by the nature of the protocol, but a lot of times the protocol is vague about the information it provides so we need to help it along. Compare this to a government-issued ID. Generally speaking we have a photo ID, but each agency issues the ID with different information. The ID's are cards, roughly 3.5" x 2.25" in dimension, and contain personally identifying information, but each agency uses different layouts and markings. Humans are pretty good at understanding the differences between layouts, but computers kind of suck at it unless we help.

Finally, the identity provider needs to know who is requesting the token. Sadly I may have stretched our government-issued ID analogy a bit too far by this point. To limit the misuse of our issued token, the identity provider stamps it with a marking that defines who is supposed to receive the token. This is called the Audience URI. Amongst doing other things, this prevents the relying party from forwarding the token to another relying party and impersonating the user.

NOTE: This diverges from the driver’s license analogy because the original use of a driver’s license was to simply prove the license holder was allowed to drive a car. It was later transformed to allow for multiple uses such as validation of age which doesn't work with our analogy. We don't really want that behavior with Federated Single Sign-On for reasons a bit out of scope right now.

Once this exchange has taken place a user can log into Salesforce.com via AuthAnvil Single Sign On.

Our next post in this series will take a deeper look at tokens and see just how important they are to Single Sign-On (spoilers: they are very important).

Want to learn more about how AuthAnvil can benefit your business? Check out the free eBook below.

Just a short decade ago, most online users felt very little threat from any type of outside intrusion by hackers that meant to steal their identities or do them harm. However, in the last 10 years many things have changed regarding how individuals perform their daily routines online and off-line. With recent advancements in mobile technology, many tablets and mobile phones have become the devices we use to connect to the Internet, whether it is for pleasure or for work.

While much concern is given to how individuals connect from their desktops to online financial institutions and other sites that contain personal information, connecting through a mobile device is often not given as much focus. For instance, a recent issue with the Galaxy SIII made it possible to completely bypass the lock screen, granting full access to the device.

A Settled Federal Mobile Security Case

Not long ago, the Federal Trade Commission (FTC) settled with HTC America after a complaint had been filed against them. The complaint was over the software vulnerabilities of all of their mobile products, including Windows Phone, Windows Mobile and Android products.

The FTC addressed the long list of problems that involved the mobile software used to operate HTC products. While many of the issues seem small and insignificant, when grouped together, they created serious security issues that affected every mobile user. In addition to that, the company was cited for their failure to implement the appropriate means to evaluate the security levels in all of the products the company shipped to its customers.

Provided Inadequate Security

Other issues involved the failure to implement adequate security and privacy guidance for its own in-house engineering staff or to provide the required training. The company also failed to conduct reviews, audits, tests and assessments that could help ascertain all of the potential vulnerabilities and security on the mobile devices they sold.

The company also failed in the implementation of addressing many of the security vulnerability reports that were provided through third-party academics, researchers, and the public. Their inaction helped to delay the opportunity to provide a variety of corrections and solutions once the incidents had been reported.

Harmful Coding

Some of these stated vulnerabilities included non-secured communications, the misuse of application permissions, non-secured application installations, and the insertion of a harmful debug code. The complaint filed by the FTC fully outlines the risks that were developed because of HTC America’s practices.

The settlement surely sent a shiver through the software development industry, especially those that provide mobile software solutions. The precedent set by the federal government and their concern over mobile security seems to have found solid footing. Hopefully, the direct actions of the mobile provider industry will reflect more protection in the products that are shipped to customers.

As a Consumer

As a consumer, most of us do not realize the mobile security threats that lurk every day on our mobile devices, smart phones and tablets. Many of these problems include malware, SMS spoofing, and toll fraud. To the online hacker, mobile cybercrime creates large amounts of money. It is estimated that cybercrime on the Internet caused all consumers over $100 billion worldwide back in 2011. Studies indicate that mobile crime will cost significantly more in the near future.

Once considered to be the crime of desktops and laptops, phishing scams have made their way into mobile technology. Included with that are unsolicited text messages that have the ability to capture personal confidential information. It can also infect the phone with nothing more than an SMS message. The bottom line is that every smart phone requires the same level of protection that a PC or Mac does.

Now instead of using email social engineering to request information, cyber-thieves have incorporated the process into SMS text. The SMS message will likely have an embedded link or provide a phone number to listen to a “voicemail” in an effort to garner personal data.

Installing Spyware on a Mobile Phone

Cyber-hackers that want to obtain information on a child, spouse, employee, or even a rival will often turn to another individual’s smart phone by installing spyware. Many spyware applications have the ability to disguise or hide themselves and will not even show up on the long list of running applications. The application allows the hacker to use GPS tracking to locate the individual, or even activate the microphone or camera to record conversations. So far, most spyware applications need to be initiated using the phone. By keeping it protected with a passcode and only installing applications from official app stores, most would-be hacking or spy action can be averted.

Without most mobile phone users becoming aware, cyber criminals and hackers have apparently found mobile technology to be the next platform to exploit. Through malicious websites, spyware technology, SMS phishing, covert emails, and harmful malware every mobile phone owner should be aware of the problems lurking inside their phone.

Dealing with a reported possible breach of an employee’s account requires specific action to be performed by the employee and IT department. The breach can often create many problems because it has the potential of exposing confidential data that likely needs to be protected at all times.

What Happened?

The first determination to be made is exactly what happened. By understanding how the account was compromised, the Help Desk can quickly get to work on rectifying the problem. Many times, an account was compromised through a cyber attack, where hackers gain unauthorized access into the account and steal the data. It is imperative to understand if the possibility exists that the hacker obtained the information through social engineering (trickery), brute force (using guessing or computer software programs), or a vulnerability in the company infrastructure.

What Accounts Are Affected?

If the company has strict password guidelines and protocols firmly in place and fully enforced, then more than likely only one account has been affected. If the employee used the identical password on multiple accounts, it is highly likely that the other accounts will be compromised, if that has not already happened. While it is important to immediately change all the affected account passwords there are other steps that must be initiated to minimize the damage from this breach, and prevent any future breach.

Taking the Appropriate Steps

There are specific and appropriate steps that must be taken to ensure the damage to the affected accounts is minimized. The steps include:

Step #1. Change All Passwords

An immediate change should be made on all passwords held by that specific user on every account they maintain. Limiting access to the company server will minimize any damage from this moment forward.

Step #2. Scan for Malware

It is imperative to instantly perform a virus scan to seek out any malicious malware or embedded viruses that may have been opened on the company server. This includes a full scan on both online and off-line hard drives, along with portable devices including USB sticks and external hard drives.

Step #3. Review Password Policies

Once the damage has been identified, minimized and controlled, it is important to review all password policies and protocol. An effective policy should be implemented that ensures that all generated passwords include both lowercase and uppercase characters along with letters, numbers, symbols and special characters. Password lengths should be pre-determined to be no less than nine characters long. The policy should also include an automatic change every 90 days, with the inability to reuse historical passwords again. The system should also be set to prevent the use of personal names, or other identifying data, sequential numbers or easy-to-guess words or phrases.

Step #4. Retrain Employees on Social Engineering

Anytime a potential breach exists, it is important to retrain all employees on the damaging effects of social engineering. Every member of the workforce should be instructed on how to handle all types of social engineering including effective emails. Writing, speaking or posting passwords openly should be strictly prohibited, along with storing them in text files on the Internet, or the company intranet.

The IT department should also train every employee on brute force attacks from hackers and cyber-thieves. The training should include how hackers work to steal confidential company data through unauthorized access into the organization’s servers.

Step #5. Incorporate Two-Factor Authentication

A simple way to develop a higher level of protection to avoid the potential for security breaches is to incorporate two-factor authentication. The additional layer of security can be provided through biometric means (a fingerprint or iris scan), USB tokens, token-less software authentication, smart cards, audio port tokens, magnetic stripe cards, virtual tokens and others.

A second layer of authentication works over and above the standard username/password combination. Two-factor authentication is based on two or more specific factors that include knowledge, possession and/or inference. Knowledge is based on something the user automatically knows (their username and password), something they possess (a token, or answer to a specific secret question), and something they are (a fingerprint scan).

There are specific basic actions that the IT department and Help Desk can perform to ensure potential security breaches are minimized in the organization. Higher levels of security can be created by building a system that will require the user to use a two-factor authentication system every time sensitive resources are accessed. The company protocols on passwords should also include the necessity to use a different password for each specific account, especially those at the administration level.

By incorporating two-factor authentication methods into the authorized user protocol, the IT department can ensure that the company data remains secure and confidential. It is up to the management of the IT department to develop and enforce strong procedures. This will ensure that every employee understands the same guidelines when creating and maintaining the safeguards at protecting company information.

Remember: just as loose lips will sink ships: poor policies, collapse companies.

If you want to learn more about how devastating cyber-crime can be, download our free 10-page eBook on Cyber-crime and Small Business.

The Help Desk in every organization and enterprise continually works on implementing the best practices to maintain the security and confidentiality of the company’s data. This includes maintaining passwords as the initial line of defense to safeguard against cyber-attackers.

Without a doubt, one of the most common in-house requests made to the Help Desk is to reset a password. With proper procedures firmly in place and fully enforced, organizations can provide a higher level of security in safeguarding the company server and all confidential information.

Automated (Self-Service) Resets

With nearly ¼ of all calls into the Help Desk being related to password resets, many enterprises choose to offer self-service management to their employees. This helps minimize the demands on the Help Desk that are often overburdened resolving other critical IT issues. However, this often requires a password management tool that will provide the opportunity for end-users to automatically reset forgotten passwords.

By incorporating a personal question that needs to be answered correctly before the reset is allowed, IT departments can greatly reduce the demand of Help Desk requests. Providing the opportunity for an employee to automatically reset their forgotten password also helps to increase worker productivity because the worker can quickly gain access into the server and resume performing their job.

Strict Access Regulations

Incorporating strict access protocols for password resets can create a stronger security level when maintaining the confidentiality of crucial company data. Many companies develop strict procedures will automatically expire a password after a pre-determined amount of time (typically 60 to 90 days). Resetting an old password with the new one requires a credential-verified authorization to identify the account owner. The process includes:

• Proof of Identity – The identity of the account user will need to be verified before any new password can be generated. The proof of identity will usually be obtained through the previous password, but sometimes a second level of security is used, which could simply be the answer to a secret question, access through a USB token, or a Smart Card.
• Access Regulations – Only a minimal amount of individuals on the Help Desk staff and upper levels of IT management should have the ability to reset passwords for company infrastructure. In addition, any infrastructure password reset should be automatically reviewed to ensure the highest standards have been maintained throughout the entire process. 

Strict Reset Requirements

 The Help Desk should provide strict guidelines when developing a new password on a reset. These guidelines should include the following:

• Case Sensitivity – All new generated passwords will be case-sensitive.
• No Traceable Information – All personnel are strictly prohibited from using traceable information such as detailed data in the personnel file. This would also include the avoidance of a spouse's name, the name of a dependent, Social Security numbers, addresses, the name of their car, pet, or other identifiable data.
• No Dates – No dates can be used in generating new passwords in any format. This includes year dates, months of the year, or days of the week.
• Special Characters and Symbols – Every new generated password must incorporate at least one special character or symbol (i.e. #,@, %,?), along with at least one uppercase and lowercase letter along with at least one number.
• No Sequential Characters – All consecutive or sequential alphanumeric characters will not be allowed (i.e. AAA, bbb, ABC, AbC, 111, 123).

No Password Assist Allowed

Part of the policy that should be incorporated by the IT department should include a strict guideline that forbids personal password assist programs. If the system automatically prompts the user to save any password on the computer, the user must decline the specific opportunity.

Another important aspect in designing strict policies concerning password resets is that only the user can request and obtain a password reset opportunity. Any attempt to obtain a new password reset for another individual should automatically lock the user out of the system with a generated report sent to the supervisor of the employee.

Finding the Right Level of Protection

Every IT department should always follow the strictest guidelines of finding the right level of protection when developing strong security layers. Any password reset performed over the Internet or on the company server should only provide access to a password reset link, instead of sending the physical temporary password.

Creating a secure perimeter often requires more than just one level of safeguarding. By incorporating two-factor authentication into the process, IT departments can minimize many of the problems that involve user/password combinations.

It is imperative that companies, organizations and enterprises develop strict guidelines for employee password resets. Adding an additional layer of two-factor authentication will increase the security level when protecting crucial, confidential data, or access into the system. Whether a company’s IT department elects to incorporate a self-service automatic password reset, or only allows the Help Desk to perform the job, strict guidelines must be implemented and enforced.