Computer Security – Threats & Solutions

Here is a copy of an article I wrote for LIA’s magazine “The Financial Professional”

Once the realm of IT security professionals, computer security is now an issue and concern for all business people. Recent high profile security breaches include those at eBay, which exposed over 140 million users’ details, the Target retail chain in the US, which resulted in 100 million credit card details of customers being stolen by criminals, and a US bank which lost over US $45 million within 24 hours. Nearer to home, we have seen the Clare based Loyaltybuild company suffer a security breach late last year which exposed credit card details of customers, and earlier this month the news headlines highlighted how police disrupted a criminal gang’s virus network which they used to steal over $100 million.

Cyber crime is now big business and criminals are looking to steal information such as financial details, credit card information, personal details, or any other information which they can sell or trade. These criminals are becoming more and more sophisticated and employ many different methods of attacking companies’ computer networks.

One of the primary weapons in their arsenal is the computer virus. While email has been the main method for the spread of these recent computer viruses, it is not the only method. A computer virus can enter a network by USB device, Internet download, visiting an infected website, instant messaging or messaging in social media platforms, file transfer and file sharing programs, or by remote users connecting directly to the corporate network with an infected PC. Once a computer virus gets into a network it can spread from computer to computer in multiple ways.

Given the numerous ways a computer virus can spread, how can a company ensure that its network is protected?

  • Install Anti-Virus Software.
    Ensure that reputable anti-virus software is installed on all computers. This should include all servers, PCs and laptops. If employees use computers at home for business use or to remotely access the network, these PCs should also have anti-virus software installed.
  • Ensure that the anti-virus software is up to date.
    Every day new computer viruses are released, and it is essential that businesses are protected from them by keeping the anti-virus software up to date. If possible, companies should adopt policies whereby computers that do not have the most up to date anti-virus software installed are not allowed to connect to the network.
  • Employ a firewall to protect networks.
    As computer viruses can spread by means other than email, it is important that unwanted traffic is blocked from entering the network by using a firewall. For users that use computers for business away from the protection of the company’s network, such as home PCs or laptops, a personal firewall should be installed to ensure the computer is protected.
  • Filter all email traffic.
    All incoming and outgoing email should be filtered for computer viruses. This filter should ideally sit at the perimeter of the network so that infected messages are stopped before they reach internal systems. Emails with certain file attachments commonly used by computer viruses to spread themselves, such as .EXE, .COM and .SCR files, should also be prevented from entering the network.
  • Educate all users to be careful of suspicious e-mails.
    Ensure that all users know to never open an attachment or to click on a link in an email they are not expecting. Even when the email is from a known source, caution should be exercised when opening attachments or clicking on links in emails. Criminals use the trust placed in an email contact you know to trick you into clicking on a link or attachment.
  • Scan Internet Downloads.
    Ensure that all files downloaded from the Internet are scanned for computer viruses before being used. Ideally this scanning should be done from one central point on the network to ensure that all files are properly scanned.
  • Don’t run programs of unknown origin.
    It is important that you use a trusted source for your software requirements. This is to ensure that all software installed can be accounted for and that its sources can be confirmed to be legitimate. Apart from ensuring that the correct licensing agreements are in place, using a trusted supplier can help reduce the risk of software infected with a virus compromising your business. All users should be educated to never run a computer program unless the source is known or has originated from a person or company that is trusted.
  • Implement a vulnerability management program.
    Most computer viruses and worms try to exploit bugs and vulnerabilities within the operating system and applications that companies use. New vulnerabilities are introduced into networks every day, be that from installing new software and services, making changes to existing systems or simply from previously undiscovered vulnerabilities coming to light. It is important to regularly review your network and the applications running on it for new vulnerabilities. Any discovered vulnerabilities should be rated and prioritised according to their criticality and the potential business impact they could have. Once this has been done, a plan for managing those vulnerabilities, either by patching, upgrading, or mitigating the vulnerability using tools such as firewalls or Intrusion Detection Systems, should be put into place.
  • Make regular backups of critical data.
    It is important to ensure that regular copies of important files are kept on removable media such as portable drives or tape, so that you have a trusted source of data in the event that the network is infected with a computer virus. Not only will this ensure that important data is available if a computer virus infects the company’s network, backups will also enable the company to restore systems to software that is known to be free from infection. For added security you should store these backups securely offsite. That way, should a major disaster happen to the business, e.g. if the building goes on fire, the data will remain safe in the secure offsite location and can be restored quickly in a new facility.
  • Develop an Information Security Policy.
    The creation and publication of an Information Security Policy is key to ensuring that information security receives the profile it requires in the organisation and is the first critical step in securing the company’s systems and data. It is important that senior management support the Information Security Policy and that all users are made aware of their roles and responsibilities under this policy.
  • Monitor logs and systems.
    Regular monitoring of network and system logs can assist in the early identification of a computer virus infecting the network or of other attacks by criminals. Unusual traffic patterns or log entries could indicate that the network has been infected or that its security has been compromised. As well as monitoring for suspicious traffic and events, it is important that logs for other devices are checked regularly to ensure that the network remains protected. Log files for the backups should be checked regularly to ensure that the backups succeeded; likewise, the log files for the anti-virus software deployed should be checked regularly to ensure that all PCs are running the latest version of the anti-virus software.
  • Develop an Incident Response Plan.
    Knowing what to do when a computer virus enters the network or when you suffer a security breach is critical to minimise the damage they may cause, both to the business and also to customers and suppliers. The incident response plan should outline the roles and responsibilities that people have in the event of a computer virus infecting the network or indeed any other type of security breach. This plan should be drawn up and agreed between all relevant parties before an incident occurs. Remember, the worst time to develop a security incident response plan is in the middle of such an incident.
  • Restrict end user access to systems.
    Where possible, end users should not be given administrative privileges to their workstations. Most computer viruses can only run in the context of the user that is logged into the system, i.e. they only have the same permissions as the user running the program. If that user has their access restricted, then the virus will be similarly restricted. Unfortunately many applications designed for the Windows platform require the end user to have such privileges; however these users should be the exception rather than the rule.
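As an added example, not part of the original article, the following Python filter shows the kind of check the “Filter all email traffic” point calls for: it parses an incoming message and reports every attachment whose effective extension is on a block list (.EXE, .COM and .SCR as the article names, plus a few other executable types, which is an assumption) or whose MIME type declares executable content. It deliberately handles the cases a naive `endswith(".exe")` check misses: upper-case extensions, double extensions such as `invoice.pdf.exe`, trailing dots and spaces, and attachments that carry no filename at all. The sample message is constructed here, not taken from any real mail.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types the article singles out (.EXE, .COM, .SCR) plus a few other
# directly executable formats. Illustrative starting list (assumption), not a
# complete policy for any real gateway.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# MIME types that declare executable content regardless of the filename
# (assumption: two types commonly seen on Windows executables).
BLOCKED_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def normalise_filename(name):
    """Lower-case the name and strip trailing dots/spaces, which Windows
    ignores when deciding how to open a file, so 'REPORT.EXE .' becomes
    'report.exe'."""
    return name.strip().rstrip(". ").lower()


def effective_extension(name):
    """Return the extension the desktop would act on: the last dotted suffix
    of the normalised name. 'invoice.pdf.exe' -> '.exe'; 'notes' -> ''."""
    clean = normalise_filename(name)
    dot = clean.rfind(".")
    return clean[dot:] if dot > 0 else ""


def attachment_verdict(filename, content_type):
    """Return None if the attachment may pass, else a short reason to block it."""
    if filename:
        ext = effective_extension(filename)
        if ext in BLOCKED_EXTENSIONS:
            return f"blocked extension {ext}"
    if content_type in BLOCKED_CONTENT_TYPES:
        return f"blocked content type {content_type}"
    return None


def scan_message(raw_bytes):
    """Parse one RFC 5322 message and return [(filename, reason)] for every
    attachment the perimeter filter would strip, in message order."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = attachment_verdict(name, part.get_content_type())
        if reason:
            blocked.append((name, reason))
    return blocked


def build_sample_message():
    """Constructed test message: one benign PDF, one text file, and two
    attachments a virus-filter policy should stop."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "staff@example.test"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Please find the figures attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="quarterly_report.pdf")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    # Double extension: a user whose desktop hides extensions sees 'invoice.pdf'.
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.EXE")
    # No filename at all; only the declared content type gives it away.
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="x-msdownload")
    return msg


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message().as_bytes()):
        print(f"strip {name!r}: {reason}")
```

A name-based check like this is only the first layer: a production gateway would also open archives and inspect the bytes of each attachment rather than trusting the filename or the sender-supplied MIME type.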

Cyber criminals pose a very real and constant threat to every business. It is important that businesses recognise this threat and take the appropriate steps, such as those outlined above, to reduce the likelihood and minimise

Gone In 24 Hours: 470 Million Sites Die Daily (But 22% Are Malicious)

Making a living, or publishing around a hobby, online can be hard work. So much so, that many people give up on their new projects well within the first year after starting them.

But, according to research from Blue Coat, the majority of sites appear to last for far less time.

The security and networking solutions company examined 660 million unique hostnames that were requested by 75 million global users over a 90-day period.

What it found was that 470 million of those hostnames (71%) were ‘one-day wonders’ that appeared to come and go in less than 24 hours.

The majority of these sites are generated by organisations that carry a significant internet presence, such as Google, Amazon and Yahoo, as well as web optimisation companies that help accelerate the delivery of content.

Of the top 50 parent domains that were found to use one-day wonders, 22% were deemed to be malicious. Such domains use short-lived sites to both facilitate attacks as well as manage botnets. The fact that these sites are so new can often prove advantageous in evading security measures.

One example put forward by Blue Coat is a dynamic command and control architecture that is scalable, difficult to track and easy to implement. Another revolves around spam: a unique subdomain could be created for each spam email, which would help avoid detection by spam or web filters.

Tim van der Horst, senior threat researcher for Blue Coat Systems, said:

“While most One-Day Wonders are essential to legitimate Internet practices and aren’t malicious, the sheer volume of them creates the perfect environment for malicious activity. The rapid building up and tearing down of new and unknown sites destabilizes many existing security controls. Understanding what these sites are and how they are used is a key to building a better security posture.”

Mark Sparshott, EMEA Director at Proofpoint, commented that:

“‘One-day wonder’ sites are an essential tool for legitimate Content Delivery Networks (CDNs) to accelerate and optimise content delivery and enable individual visitor tracking. CDNs often create a unique sub-sub-domain per user so their site visit can be tracked for marketing purposes. Cybercriminals have copied the CDN approach, as well as other database marketing techniques such as IP, Sender Address and content rotation, to enable their malicious attacks to fly under the radar of the reputation systems used by email and web security solutions.

Proofpoint’s researchers regularly see these techniques used in so-called “longlining” email attacks that deliver targeted emails to tens of thousands of staff across hundreds of companies within 1 or 2 hours. The emails contain a message that is personally relevant to most recipients, resulting in 1 in 10 people clicking on a link in the email that goes to a malicious website, which is often a “one-day wonder site” that looks harmless but can have total control over their PC in less than 5 seconds without them or their company’s security software noticing anything is wrong.

As this new research shows, only 22% of “one-day wonders” are malicious, which makes it difficult for security tools to aggressively block sites that have not been seen before. This highlights the importance of evaluating a site’s threat level on every click using the latest techniques such as URL re-writing combined with cloud based sandboxing.”

Blue Coat further explained why One-Day Wonders are particularly enticing for cyber criminals, saying that:

  • They keep security solutions guessing – dynamic domains are harder to thwart than static domains.
  • They can overwhelm security solutions – the generation of a high volume of domains increases the chances that a small percentage will be missed by security controls.
  • They can evade security solutions – by simply combining One-Day Wonders with encryption and running incoming malware and/or outgoing data theft over SSL, organisations are typically blind to the attack, impacting their ability to prevent, detect and respond.

The research from Blue Coat should act as a stimulus to companies to assess their own security posture to ensure that:

  • Their security controls are set up with real-time intelligence that can accurately identify and assign risk levels to these types of sites. Static or slow-moving defenses do not suffice to protect users and corporate data.
  • Their policy-based security controls are able to act on real-time intelligence to block malicious attacks.
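To make the classification behind these figures concrete, here is an added Python example, not taken from Blue Coat’s research or from either vendor: it applies the “one-day wonder” definition (a hostname whose first and last observed request fall within 24 hours) to a constructed proxy log, groups the results by parent domain so the share attributable to each can be seen, and adds a per-click check in the spirit of the “evaluate every click” point above, labelling a requested hostname as unseen, young or established. The log lines, hostnames and the two-label parent-domain approximation are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ONE_DAY = timedelta(hours=24)

# Constructed proxy log, "<ISO timestamp> <requested hostname>", one request
# per line. Hostnames and timestamps are invented for this example.
SAMPLE_LOG = """
2014-09-01T08:00:00 cdn-a1b2.static.example-cdn.test
2014-09-01T08:05:00 cdn-c3d4.static.example-cdn.test
2014-09-01T09:00:00 www.example-news.test
2014-09-01T12:00:00 mail.example-corp.test
2014-09-02T10:00:00 x7q.evil-c2.test
2014-09-02T13:30:00 x7q.evil-c2.test
2014-09-03T10:00:00 k2m.evil-c2.test
2014-09-05T09:15:00 www.example-news.test
2014-09-06T08:00:00 mail.example-corp.test
2014-10-20T17:45:00 www.example-news.test
this line is malformed and is skipped
""".strip().splitlines()


def parse_log(lines):
    """Turn log lines into (datetime, hostname) pairs, skipping malformed ones."""
    events = []
    for line in lines:
        fields = line.split()
        if len(fields) != 2:
            continue
        try:
            when = datetime.fromisoformat(fields[0])
        except ValueError:
            continue
        events.append((when, fields[1].lower().rstrip(".")))
    return events


def hostname_lifespans(events):
    """Map hostname -> (first_seen, last_seen, request_count)."""
    spans = {}
    for when, host in events:
        first, last, count = spans.get(host, (when, when, 0))
        spans[host] = (min(first, when), max(last, when), count + 1)
    return spans


def one_day_wonders(spans):
    """Hostnames whose whole observed life, first to last request, is under
    24 hours. A hostname seen exactly once has a zero-length life and qualifies."""
    return sorted(h for h, (first, last, _) in spans.items() if last - first < ONE_DAY)


def parent_domain(hostname, labels=2):
    """Approximate the parent domain as the last two labels. Assumption: no
    public-suffix list, so names under suffixes like co.uk would need more care."""
    return ".".join(hostname.split(".")[-labels:])


def summarise(events):
    """Reproduce the shape of the research's headline numbers for one log."""
    spans = hostname_lifespans(events)
    wonders = one_day_wonders(spans)
    per_parent = defaultdict(int)
    for host in wonders:
        per_parent[parent_domain(host)] += 1
    return {
        "hostnames": len(spans),
        "one_day_wonders": len(wonders),
        "percent": round(100 * len(wonders) / len(spans), 1) if spans else 0.0,
        "wonders_by_parent": dict(per_parent),
    }


def request_risk(hostname, spans, now, young=ONE_DAY):
    """Per-click check: label a hostname 'unseen' (never observed before),
    'young' (first seen less than 24h ago) or 'established'. `now` may be a
    datetime or an ISO 8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    span = spans.get(hostname.lower().rstrip("."))
    if span is None:
        return "unseen"
    return "young" if now - span[0] < young else "established"


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(summarise(evts))
    print(request_risk("x7q.evil-c2.test", hostname_lifespans(evts), "2014-09-02T14:00:00"))
```

The point of the per-click labels is the one made in the section: a “young” or “unseen” hostname is not evidence of malice on its own (most such hostnames here, as in the research, belong to a CDN), so the label is an input to a risk decision such as sandboxing the link, not a block list.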

The Data Breach – It’s More When Rather Than If

So, you put on the radio (anyone still have one of those old-fashioned things?), switch on the TV, or visit your favourite news website and you see it: another data breach has snaffled all the headlines.

Reported data breaches are becoming ever more common. I say reported because I’m not convinced that they necessarily occur vastly more often than in the past, but I do think that they garner more column inches in the rags and more electrons on the interwebs than they ever did.

That said, the nature of data breaches is shifting.

Not so long ago they affected large companies. Hackers, or organised criminals as they more likely are, were targeting big business with the intention of gathering data from which they could profit in some way. It wasn’t great for those affected of course but at least we could go to bed at night and not worry about our own data falling into the wrong hands.

Nowadays of course the situation is somewhat different. Personal data is being hoovered up via data breaches, either as a side effect or by deliberate design. It’s not just hackers that are stealing that data either, but post-Snowden observations have been covered plenty well enough elsewhere.

The trend which sees the average man or woman in the street become a direct victim of the data breach is an alarming one as it potentially affects so many people.

To put things into perspective, it has emerged today that up to 27 million South Koreans may have had their personal data compromised by a gang that snaffled up website registrations from a variety of sites, including gambling sites, ringtone sites and games sites.

All in, it looks like up to 220 million records may have been stolen by around 16 people who used that info to fraudulently acquire in-game currency and other virtual items for cash.

Worse yet, breached accounts, along with the associated passwords and resident registration numbers, may have been used by third parties as part of a mortgage fraud ring. The guy behind all of this, known simply as Kim, is also said to have sold personal information on to others too.

It’s not the first time this has happened in South Korea either – in 2011 some 35 million people had their personal information exposed after a breach at Cyworld, a local social network. That figure represents almost the entire population of the country.

Whilst South Korea may not be Ireland, Britain or the US, it would still be naive to think that it couldn’t happen in one of those countries, and on a similar scale.

Because for most people it’s not so much if but when.

So what are you doing to lessen the risk of your company being the next victim of the next big data breach? How are you protecting your own personal information on your local computer? What about your online accounts, of which you likely have many? Are they all protected by unique complex passwords? Are they all trustworthy?

Hopefully you are as secure as you can be already but it is worth returning to Mr Snowden. Whatever you may think of him and the way he has leaked certain sensitive information, there is no denying the fact that he has taught us all one thing: if someone wants your data badly enough, they’ll find a way.

GCHQ And The NSA May Be Deliberately Leaking Tor Flaws

GCHQ and the NSA have come in for a lot of flak recently, especially in light of the multiple revelations coming from a certain Mr Snowden. But some spooks are not so bad it seems.

According to a report from the BBC, some agents may be intentionally leaking flaws in Tor’s code. Andrew Lewman, executive director of the Tor Project, certainly holds that belief and he reckons it happens on a regular basis too.

By alerting developers, the spies are allowing the project to fix the flaws and so better help users retain their privacy, he said.

Lewman’s view that the information comes from the security services is entirely credible but unproven because Tor allows users to send bug reports anonymously. Even so, Lewman said:

“There are plenty of people in both organisations who can anonymously leak data to us to say – maybe you should look here, maybe you should look at this to fix this. And they have.”

Lewman went on to tell the BBC that he believes the Tor project receives security tips from various security agencies on a monthly basis, covering both bugs and design issues that could potentially lead to the service being compromised. He added that:

“You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don’t get to see in most commercial software. And the fact that we take a completely anonymous bug report allows them to report to us safely.”

If Lewman is correct, and the security agencies are leaking fixes to Tor, then it makes you wonder why. Whilst there is no official confirmation, and most likely never will be, it is likely that national agencies would have a high level of interest in any service that allows its users to remain anonymous. Therefore it is not beyond the realms of possibility that some spooks are supplying information about the very bugs they’ve been paid to find as part of their jobs.

Why would they do such a thing?

My own personal opinion here is that there may be some people within GCHQ and the NSA who disagree with the way the organisations have been going recently. Whilst it would be naive to think that the surveillance services don’t hoover up a vast amount of information about everyone, it is quite likely that some personnel may disagree with the blanket approach they are widely believed to have taken – spying on criminals and terrorists is one thing, the mass collection of innocent data is something entirely different.

Alternatively, it may be an ego thing. I could also imagine some spook discovering a flaw and desperately wanting some recognition for it (which, of course, they will never be able to get officially), as well as the challenge of having to work harder and delve deeper to find more of the same in the future. What could be more challenging than helping Tor fix its security issues every time you unearth a new one?

The other option, which is a bit more sinister, is that there may be spies out there who rely on Tor for anonymity for their extra-curricular activities, though I daren’t pause to consider what they may be!

Convenience Trumps Security For The Average Consumer

New research from Intercede reveals interesting insights into the way consumers behave online and highlights the continuing need for security education and awareness on a mass scale.

In its research, labelled The Rise of the Identity Centric Economy, Intercede discovered that users were engaging in risky behaviours such as auto-logins to apps and websites, as well as sharing device PIN codes with friends, family and co-workers. Unsurprisingly, to me at least, the research also discovered that passwords were being routinely shared too.

The survey, which polled 2,000 consumers, discovered that around 75% of the social media-using respondents and email users left themselves logged into their mobile devices, potentially putting their data at risk should the device be stolen, or even just picked up and accessed for a short period of time. Mobile bankers and shoppers were alarmingly lax in their attitude to security too with 45% leaving themselves logged into bank accounts, 46% asking Amazon to remember them, and 54% perpetually signed into PayPal.

Richard Parris, CEO of Intercede, said:

“Keeping your Facebook, Gmail, shopping and financial accounts automatically logged in might be convenient for consumers, but it’s leaving the back door wide open to hackers. Consumers are more wary about clicking ‘Remember me’ when it comes to online banking and financial apps, but cyber criminals don’t necessarily need access to your bank account or credit card details to commit identity theft.

There are plenty of rich pickings available in email and social media accounts too. Leaving yourself automatically logged in is like leaving the windows of your house wide open while you’re out – it’s time for a new generation of secure identity authentication.”

On the bright side, 53% of those questioned had protected their devices with a PIN, but that of course means almost half had not, which I find quite shocking. Of those who did employ a PIN, however, many were found to be sharing them, along with other passwords, with almost anyone in their circles it seems. Twenty-eight percent of the surveyed consumers admitted that they knew friends’, family members’ or colleagues’ mobile login credentials.

The survey also looked at the strength of the protection where it was used. The PIN numbers found on phones are inherently weak, being just 4 digits long, but passwords don’t appear to add much based on the findings here – 60% of the respondents said they avoided the classic security faux pas of writing their passwords down (what about the other 40%? Eek!) but they didn’t use password managers, which may imply the widespread use of easy to remember gems such as “password1,” “password2,” et al.

Parris added that:

“As we live more and more of our lives online, all our various digital identities need to be effectively protected – worryingly, it appears that this is not the case at the moment. We need so many passwords today, for social networking, email, online banking and a whole host of other things, that it’s not surprising consumers are taking shortcuts with automatic log ins and easy to remember passwords. These solutions are increasingly not fit for purpose though – they do not offer proof of a person’s identity and are easily lost, stolen or hacked, leaving consumers at risk of identity theft. It’s time for stronger authentication and more sophisticated forms of identity.”

I guess the message to be taken from this survey is that the average consumer values convenience over security. Whilst those few seconds saved by not having to log in to an account do mount up, and the use and sharing of simple passwords can make life a little easier, both would be blown into insignificance should the user ever find their accounts or devices compromised.

How can the security profession address such a mindset do you think?

Trading Privacy For Security In the Job Market

Personal data from Facebook, Twitter and other social media sites will be monitored more by employers over the next decade, according to a new report from PwC, which says that one third of young people would happily trade in their privacy in return for a little job security.

The future of work: A journey to 2022 report surveyed 10,000 workers around the world as well as 500 human resources professionals in order to gauge their attitude towards their social media use being monitored by their employers.

The report suggests that data available through Facebook, Twitter and other social channels could be used by employers to gain an insight in to what motivates their workforce along with other information including why staff change jobs and what could be done to improve their wellbeing within the organisation.

John Harding, human resource services partner at PwC in Manchester, said:

“Just as advertisers and retailers are using data from customers’ online and social media activity to tailor their shopping experience, organisations could soon start using workers’ personal data (with their permission) to measure and anticipate performance and retention issues.

This sort of data profiling could also extend to real-time monitoring of employees’ health, with proactive health guidance to help reduce sick leave. Key to the success of organisations being able to use employee data will be developing measurable benefits for those who hand over their data and building trust through clear rules about how data is acquired, used and shared.”

According to the research, half of the global workforce will be aged 32 or under by 2020, which will see a shift in attitude towards the use of technology and personal data. The PwC report says that these younger workers are far more relaxed about the sharing of data than previous generations, with 36% saying their employer is welcome to their personal data.

Whilst I can see why an employer would love to gain access to an employee’s social postings, either by viewing what is publicly available or via explicit consent, I struggle to see how the staff member gains from such an agreement.

By giving an employer permission to access their social media accounts, the individual would be giving up their privacy for very little return. The employer would gain all sorts of insight into how their staff think and what they do with their time when away from the workplace but I fail to see how that could be used to motivate them further, or increase their feeling of wellbeing. From the employees’ point of view I can see nothing to gain whatsoever. How giving up access to their social media accounts would lead to the claimed increase in job security I do not know.

This just seems to be another case of the general populace giving up their rights for very little in return. Or, as Benjamin Franklin may have said, “Those who surrender their social media accounts for job security will not have, nor do they deserve, either one.”

Considering the laid back attitude many youngsters have towards the sharing of their personal data these days I do wonder if, in the future, that approach will come back to bite them where it hurts.

Tesco Hudl – Every Little Data Reset Flaw DOESN’T Help

If you have some old tech you want to sell then eBay may be your first port of call. As much as I dislike the site and some of its practices, it still presents a means of putting unwanted goods in front of a huge number of eyeballs. But the problem with that is it has generated a marketplace that appeals to a massive number of people, many of whom are not as security conscious as perhaps they could be.

I myself have bought a second-hand laptop in years gone by, only to discover that the previous owner had made absolutely no attempt whatsoever to clear their private data from the machine. I discovered his favourite websites (I hope he visited THAT site when his wife wasn’t around), I know who he banked with, I wasn’t partial to his taste in music, but I did agree strongly with the Liverpool FC background he left on it.

Ultimately, what I learned is that some people lack the security awareness, or are too lazy, to wipe their personal data from computers and other devices before disposing of them via an auction site or the local tip. Based upon hard drives I’ve been given by friends, it is a widespread problem which we can only hope to eradicate by raising the issue and educating people.

But sometimes education isn’t enough.

Take the Hudl tablet for example. Ken Munro of Pen Test Partners recently conducted an experiment, in conjunction with the BBC, in which he examined the data deletion systems on Android devices.

Purchasing second-hand Hudls from eBay, Munro discovered that even those previous owners who had wiped the device before shipping were at risk of having their confidential data accessed.

Munro found that the device retained information even after a factory reset due to a flaw in the Rockchip processor’s firmware. The known bug allowed him to read and write to the device using freely available software. Extracting information only took minutes but the analysis of the data typically took a couple of hours per machine. Once done, however, Munro was able to determine PIN codes, wi-fi keys, cookies and other browsing data that would have allowed him to spoof the original owner.

A Tesco spokesperson told the BBC that:

“Customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, customers should use a data wipe program.”

The spokesperson went on to say that any Hudls returned to Tesco would be securely wiped by the company, but urged users to visit the Get Safe Online website if they have any further privacy-related concerns.

Marc Rogers, principal researcher at Lookout, explained further, saying that a secure wipe should be used before disposing of any data-storing device. Such a wipe will overwrite all onboard memory with ones and zeroes, rendering it useless to any third party that later tried to access it. Unfortunately though, most manufacturers have adopted a different approach to factory resets, he said:

“There’s an Android function to wipe data and most manufacturers are using that. But all that does is remove the index of where data is and does not delete data at all.”

Lookout also noted that police had revealed that the average underground price for a second-hand smartphone with personal data on it was around £600, which just goes to show the potential value of that data to the crook who ends up buying it.

As sales of smartphones and tablets increase, in part due to their convenience and portability, it is increasingly likely that owners will entrust more and more data to them. When those devices are subsequently sold on, the selfies left in memory may provide the new owner with a few chuckles, but there is a chance that the banking data, credit card numbers and less than safe for work snaps may leave the original owner with something far more tangible than the thought of a stranger laughing at them.

So, if you are selling a Hudl, or any other device that has previously held your personal data, ensure that you wipe it securely before placing that listing.

Siri Forgoes Right To Remain Silent As iPhone Data Aids Case Against Murder Suspect

One of the foundations of law in most civilised countries is the right of the accused to remain silent in order to avoid incriminating themselves. Such a stance then leaves the onus on the authorities to prove the guilt or otherwise of the accused. Such an approach to criminal proceedings may have let a few bad guys get away with their crimes over the centuries but I think, on the whole, that it is a fair and workable situation that leads to a certain level of justice.

Of course, no such rights belong to non-humans, which seems equally sensible, though obviously problematic for a Florida man who stands accused of killing his roommate.

Pedro Bravo allegedly used his iPhone’s personal assistant Siri to help him dispose of Christian Aguilar’s body in 2012. According to prosecutors, Bravo invoked Siri’s assistance by saying “I need to hide my roommate” on the very day that Aguilar was said to have been murdered.

The ever-helpful Apple assistant is said to have asked for clarification by saying “What kind of place are you looking for?” before suggesting swamps, reservoirs, dumps and metal foundries.

Such a query, combined with further data from the iPhone which shows that Bravo used the flashlight nine times that evening, between 11.31pm and 12.01am, makes up part of the prosecution’s case against him. Furthermore, internal GPS data contradicts Bravo’s claims as to where he was on the night of the murder, according to the prosecution.

The ongoing trial sees prosecutors attempting to make a case that Bravo murdered Aguilar in his car after the pair went out together to purchase a CD. It is said that Aguilar had been dating Bravo’s ex-girlfriend.

Whilst the outcome of the case is obviously important to all those connected with it, it also sends out a message to everyone else, whether they have criminal intentions or not – iPhones, iPads, Android devices, smart gear and all manner of other devices can and do record a huge volume of data about you, your actions and your movements. Even though you are not a murderer (I hope!), you do need to be aware of the fact that the data your devices log can be extremely significant, especially when all the minor details are put together to form a larger picture (here’s looking at you, Mr. Government).

So what are you doing to ensure that your data remains safe? And what dumb questions have you asked of Siri today?

Passwords – Keep Them To Yourself

Coming up with a decent password can sometimes prove tricky, especially if you want said password to be secure and nigh on impossible to crack or, worse, guess.

But it is worth coming up with something strong, using tips like these, and then storing it in a password manager so that you can go on and make your other passwords just as secure too.

When you know that you have a strong and secure password for your computer or mobile device, or for the websites you visit online, you will have a sense of relief through knowing that, under normal circumstances, no-one but you will have access.

Circumstances are not always ideal though – things do go wrong. Sometimes companies are breached, as we’ve seen in the news lately, but at least in such a case you will know that it wasn’t your fault that the hackers got in.

But there is more you can do to keep your login credentials secure. It may seem obvious to say this but don’t give your secure password to anyone else because, if you do, it won’t be secure any longer. It pains me to say it but I’ve seen this simple piece of advice overlooked way too much recently.

Amongst family, friends and co-workers, I’ve seen email addresses, usernames and passwords shared around without a care in the world. On the face of it, that doesn’t sound so bad – after all, you would like to think that you can trust such people. But, equally, that trust can often be misplaced, either through the third party’s carelessness, or through malice.

Do you know anyone who has given their login credentials to a boyfriend or girlfriend, only to later split up and then find out that their accounts have been accessed by their ex because they forgot to change their passwords? I do. And it wasn’t pretty.

Worse, do you know anyone where you work who has shared their password around the office because it makes things ‘easier’? Dr. Jessica Barker does.

Or how about colleagues who have left the company and yet are still on the system and able to gain access months or even years later? That most certainly happens too.

So, whilst having a strong password that is unique to every single account you use is essential these days, it is only the beginning. Once you have come up with strong login credentials you need to keep them that way by not sharing them with anyone. Ever.

As has often been said, humans are generally the weak point when it comes to security and if there is one certainty about how they will act it is that they will do something unexpected at some point, including using someone else’s passwords for ease of use or more malicious purposes.

Yahoo Set To Enable Email Encryption For All Users By 2015

In the same week that Google announced that it will give a search ranking boost to security-conscious websites, Yahoo has now revealed that it too will take a proactive stance on encryption.

The company announced at Black Hat that it will apply end-to-end encryption to its email services before the end of 2015.

The move is likely in response to the Edward Snowden revelations about government surveillance that have prompted many tech firms to assess their stance on privacy and encryption.

Thus far, Google has taken the biggest strides, with the aforementioned ranking change following previous announcements of support for end-to-end encryption in its Mail, Drive and Search products.

The change will likely be welcomed by Yahoo’s 273 million email account holders who had previously been left behind as other email providers adopted encryption.

Yahoo’s encryption will not hide details such as who has emailed whom, or the contents of the subject line, but the contents of the message will be covered by a version of PGP encryption which has so far not been cracked.

In an interview with the Wall Street Journal, Yahoo chief information security officer Alex Stamos said:

“We have to make it clear to people it is not secret you’re emailing your priest. But the content of what you’re emailing him is secret.”
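An added illustration (not Yahoo’s, Google’s or PGP’s own code) of the property Stamos describes, assuming two hypothetical mail users: the provider can store and route the message by its headers, but the body is sealed to a key only the recipient holds. It uses AES-GCM with an RSA-OAEP-wrapped session key as a simplified stand-in for PGP’s hybrid scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is a mail as the provider stores it: From, To and Subject stay readable, the body does not.
type Envelope struct {
	From, To, Subject string
	WrappedKey, Body  []byte // session key under the recipient's public key; nonce||ciphertext
}

func must(err error) { if err != nil { panic(err) } }

// NewKey makes a 2048-bit RSA key pair for one mail user (sender and recipient each need one).
func NewKey() *rsa.PrivateKey { k, err := rsa.GenerateKey(rand.Reader, 2048); must(err); return k }

// Seal protects body with a fresh AES-256 session key and wraps that key with RSA-OAEP for the
// recipient: a simplified stand-in for PGP's hybrid scheme, not Yahoo's or Google's implementation.
func Seal(from, to, subject, body string, recipient *rsa.PublicKey) *Envelope {
	buf := make([]byte, 44) // 32-byte session key followed by a 12-byte GCM nonce
	_, err := rand.Read(buf)
	must(err)
	key, nonce := buf[:32], buf[32:]
	block, err := aes.NewCipher(key)
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	must(err)
	return &Envelope{from, to, subject, wrapped, gcm.Seal(nonce, nonce, []byte(body), nil)}
}

// Open needs the recipient's private key, which an end-to-end provider never holds; without
// it the only readable parts of the Envelope are the headers.
func Open(e *Envelope, priv *rsa.PrivateKey) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(key)  // key is always 32 bytes here, so this cannot fail
	gcm, _ := cipher.NewGCM(block)
	text, err := gcm.Open(nil, e.Body[:12], e.Body[12:], nil)
	return string(text), err
}
```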

PGP relies upon both the sender and receiver of an email having their own encryption key, which could potentially lead to similar problems as those experienced at Lavabit, which closed down after being forced to hand its keys over to the authorities.

Yahoo and Google, however, both claim that they will not hand keys over, not least because they are massive companies with the funds required to finance a large number of lawyers, with Stamos saying:

“That’s very different from a publicly traded multibillion dollar company with an army of lawyers who would love to take this argument all the way to the Supreme Court.”

Mark James, security specialist at ESET, welcomed the news but pointed out that the average man in the street may not understand how to take advantage of the change:

“It’s great that two of the largest internet email providers will be offering us the ability to send end-to-end encrypted emails to each other. After Google announced it was doing the same thing a few months ago, it is good to see another leading email provider following suit.

It won’t mean a lot to the average user but anyone who wants to protect their emails when using these providers will be able to do so by using these browser extensions.

So what does it actually mean? Well, once the browser extension is added and configured you will be able to send an email with the contents completely scrambled to anyone except the sender and receiver. No one will be able to read the content. There are many encryption tools available for those that want to install and use them but for the average user they are often scary to set up. I for one welcome any type of “easy” security.”

I personally hope that Yahoo and Google do make their email encryption easily understandable by the less savvy web users out there though because we seemingly live in a society where having nothing to hide doesn’t mean no-one will go looking anyway.