Larilyn’s Tip of the Week

Do you guys have little sayings that help you remember things?  For example, 30 days hath September, April, June and November.  All the rest have 31, except for February who can’t keep it together to make it to the end of a month.

Wait.  I may have improvised the end of that one.
Or the one I’ve heard parents use to figure out the limits on presents at Christmas time?  Something they want, something they need, something to wear, something to read.
Well when it comes to security on your computer – whether it be your actual computer log in, or your email log in, or your financial institution log in, there’s a saying for the different types of security that can be used.Something you know – this can be anything from a user name and password, to a PIN number, to a secret pass phraseSomething you have – an ID of some sort or a cell phone where you can receive verification codes, or use an authenticator appSomething you are – think biometrics, eye scans, or fingerprint confirmationMost sites we use rely on option number 1.  Something you know.  If you have your user name and password, you are in.  

However, more and more we are moving to two factor (or even multi factor) authentication.

What does this mean?  Well – your user name and password is one factor of the security equation.  That is one factor authentication.  To use two factor, you use a second option of the security equation.

Many phones and even some laptops will take the something you are approach – relying on your finger print or facial recognition to let you access your device.

Many platforms, such as Google for your Gmail, allow 2 Factor as an easy option to turn on.  Once on – whenever you log in from a new device, it will want to confirm that it is you through a second level of authentication.  
The great thing about this is that you can have it send a code straight to your phone.  So no matter how hard a hacker tries to get into your email – even if they are sly enough to figure out that your password is f1ve1$b1gg3rthAnf0ur – they still won’t be able to get into your account.  As soon as they enter your correct password, it will automatically send you a code to your phone.  And they won’t have any way to guess the code before it expires.

Some sites will use an authenticator app – easily downloaded from your app store.  Then you scan a QR code so that their code will show up.  This allows you to go in and find a code for the site you are trying to log into instead of waiting for a code to be sent to you.
When it comes down to it, a lot of this can seem like a frustrating pain in the rear end.  However, it’s the world we live in.  The “bad guys” are getting smarter and smarter, and they don’t care who you are or how nice you are – they want to take advantage of you.  So it is important that you use any and all safety measures you can to ensure that you and your information are safe.

If you need help figuring out how to use two factor authentication, just reach out and we will be more than happy to help!

Larilyn’s Tip of the Week

Impersonators aren’t a new thing, right?  They’ve been around since…..well…..at least since Elvis.
Something that is newer though is impersonation emails, because those have only been around since…..well, you know.  Since email became a widely used thing and bad guys decided to get involved.

What is an impersonation email?  Basically, it’s a phishing method where the bad guys send you an email that is crafted to look like it’s coming from someone you know or someone with authority in your organzation.  It’s all about impersonating someone that they are not.  

This makes it tricky to detect because they have gotten very good at making their emails look legit and like they are coming from the person they say it is.

But not all impersonations look alike.
So in order to help weed out imposters, most email users already have basic imposter detection in place.  It will look for things that seem a bit fishy.  For example, it might see [email protected] is emailing [email protected] – but Sarah’s domain is actually something different (like, inmotionisgreat.com) and is impersonating an inmotionnet.com email address.  So the email gets flagged because the email server can see the impersonation.

Or maybe [email protected] emails something to [email protected], and this gets flagged.  Sure, she may be forwarding something from her personal email to her work email.  Definitely a possibility.  However, it still gets flagged because it’s also possible that someone is just trying to impersonate Sarah and impersonated her personal email address instead of the domain email address.

When it comes down to it, being educated and aware is the most important thing.  So while it’s good that your email probably has some protection in place, still remember to be cautious when opening emails.  If it is from someone you don’t know, even if it looks like it’s coming from your own domain or office, don’t click links or attachments until you verify the sender.

Even if it is from someone you know but they are asking you to do something such as send a wire transfer or change account credentials and you weren’t expecting this from them – don’t do anything until you verify that it is from them.

And above all – please, please, please don’t add your own email address or domain to any allowed lists or filters.  That just makes it too easy for the bad guys.

Heartbleed Bug

OpenSSL is widely used to secure web servers on the Internet and other similar devices. A vulnerability in OpenSSL was found last month that allows attackers to easily capture privileged data from servers running specific versions of OpenSSL. Unfortunately this code has been in widespread use since 2012. Attackers are able to access the secured memory on the server which could contain sensitive information including usernames and passwords and the private master key used for encryption. If the key is obtained it would allow all encrypted information on the server to be unencrypted and read by the attacker.

What does this mean for me?

Unfortunately it is unknown exactly how far reaching this vulnerability was or will be. The only secure option is to not give any privileged information to sites until all the web servers have been impacted. This could mean avoiding online banking, or even avoid signing into facebook if you use the same password there as you do for other sites. It is also possible that hackers have been exploiting this vulnerability for some time without being detected too. Many banks have said that they were not impacted by the vulnerability. Please confirm with your bank prior to logging in.

How the heartbleed bug works.

What do I need to do now?

You should update your passwords everywhere as a precaution. A list of sites where I encourage you to change your password immediately is listed below, but just because a site isn’t listed doesn’t mean you shouldn’t update your password. Remember that you should not use the same password for multiple sites, nor easily guessable variations. Always use a secure password that consists of non-dictionary based words and a combination of upper case, lower case, numbers and symbols if allowed. You should also change your password frequently to ensure no one else has access to your accounts. Finally, if the service offers it you should rely on two-factor (or two-step) authentication. Typically the service will send a text message to you with a code you must use along with your password when signing in from an unknown computer.

Here’s a list of sites that may have been compromised that you should change your password on immediately. Note that it is not known if some of these sites were compromised, but in the interest of safety, please change your password. You’ve probably been using the password for too long there or have shared that password with another site anyway! 🙂

  • Amazon
  • Box
  • Dropbox
  • Etsy
  • facebook
  • Flickr
  • GoDaddy
  • Google, Gmail
  • Instagram
  • Netflix
  • Pinterest
  • Tumblr
  • Yahoo, Yahoo Mail
  • YouTube

Finally, it would be suggested to go ahead and change your passwords again in a few weeks – especially for sites that haven’t confirmed they have patched their servers against the vulnerability. Mashable has a list of websites affected by Heartbleed which can be consulted for a more detailed list.

Stop the Bleeding!

How do you create secure passwords? The best way is with a random password generator. Of course, you’ll need to store all the passwords you’ve created or else you probably won’t remember them. I use and recommend 1Password who is currently offering a 50% off sale. Please see the 1Password blog post for more information as well.