LastPass hacked

LastPass suffered a breach last week that involved losing email addresses, password hints, authentication hashes and server per user salts. If you use LastPass you should change your master password now. The corporate line in the LastPass announcement states “We are confident that our encryption measures are sufficient to protect the vast majority of users.”
The two troubling pieces of information lost are the authentication hashes and the server per user salts. With a large computer and this information it is possible to crack the passwords for the user accounts. This explains why LastPass is sure the vast majority of users will be protected. It would take an incredible amount of computing power to crack all of the passwords.

To keep you safe from a compromised LastPass account, change your password and your password hint. LastPass also offers two factor identification for access to your password list. This can be done for free with the Google Authenticator application for Android, iPhone or iPad devices. With two factor identification enabled on your LastPass account you will need your password and a code from Google to unlock your passwords. With this second level of protection a remote attack on your account would fail because the attacker does not have your phone. LastPass Altura IT for a video of how to set up LastPass Multi Factor Identification.

LastPass is still a great way to protect and manage all of your account passwords. It is up to you to increase the security for LastPass using one of the eight ways to add a second level of protection. Five of these programs can be loaded for free to your smart phone. There are also two options to use a USB key for the second level of authentication support for LastPass. And there is an option that supports a fingerprint reader for the second level of authentication. Security is a group effort. Using more than just a password to keep you safe on the Internet just makes sense for everyone.

LastPass signup for your password management.


Gmail scanned my purchase documents

The realtor that we used to buy a new house sent all of the purchase documents through her Gmail account. So before the deal was done Google and its advertising partners had all of our information about our potential purchase. This will become public information when the title is transferred, but I was really disappointed to just give this information to Google. In a court document in 2013 a Google representative stated “Gmail users and their contacts have no reasonable expectation that their correspondences will not be scanned for the purpose of targeting advertising”. Google had all of the transaction information before the seller had a chance to read the message. This is the world that we chose by wanting everything for free.

The revised Google Privacy Policy of February 25, 2015 says “When you share information with us, for example by creating a Google Account, we can make those services even better – to show you more relevant search results and ads”. This applies to anyone that you send or receive information with through your Gmail account. This applies to both parties in the message even if one does not have a Gmail account and has not agreed to the Google terms of service.

I know that I am more sensitive about this topic than most people because it is my job to help secure electronic information and intellectual property for people and businesses.

What options does a real estate professional have to protect client information from the big corporations providing email services? Not every email provider is as aggressive as Google in grabbing every bit of information about your business and personal transactions. Google does provide a free messaging system that is reliable and works across multiple types of devices, i.e. your iPhone, Microsoft desktop computer and your Android tablet. Microsoft, AOL, Yahoo and Zoho have free and paid email services that have similar features. Many web hosting companies also provide email service with your own domain name for five dollars per month or less.

Microsoft Outlook gives you a choice between a free email account with unlimited email storage with advertising alongside the email message or a $20 per year account without any ads. Microsoft does not scan your email message to improve the ad placement for everything that you do online. This means the documents and messages to your clients are not spewed across the web to everyone that finds the information valuable.

America Online as an email provider is alive and well but dated like a house from the 80’s.  It has good bones, but needs a remodel.  AOL allows unlimited storage for your email messages, has spam protection and virus protection for your messages.  Ads are shown with the email messages.

Yahoo email is free, ad supported messaging that reads everything inside your message. Yahoo’s terms of service were changed in June, 2013 to allow content scanning and analyzing of your communications content to target ads, offer products and perform “abuse protection”. This is the same type of policy that Google is using for its email service. At Yahoo you can store up to one terabyte of email information, many years of your life online.

Zoho creates online applications and is a source for free email.  The Zoho experience includes 5 gigabytes of online storage for your email, with no ads.  You can purchase your own domain name, to promote your brand.  Yes that domain is available for $10/year.  Zoho’s free account includes up to 10 accounts with the same domain name and use of their online office applications.

The last option is paying for a domain and web hosting. This is also an affordable way to promote your image.  You will pay more for business cards over the next three years than you will for web hosting and email with a domain name.  $130 gets three years of email and hosting for a web site for your business identity.

Logmein Phishing scam

I received an email message from Logmein in my inbox.  Fortunately I was out of the office and could not look at this until all of my tasks were complete.  The title of the message is “Automatic payment failed – Credit Card rejected”.  There is a Microsoft Word attachment to this message also. The anti-virus and malware companies were busy today with 32 out of 57 adding a signature for the Trojan that is embedded in the Word document. This message does not include a logo for Logmein in the message.

Checking the file tab, then the properties box in Outlook allowed me to view the header information in the message.  The sending mail server was located in the domain.  Logmein headquarters is in Boston, Massachusetts.  From the Logmein contact us page they do not have an office in Italy.  The message id field in the message has showing that generated the message. was registered in August of 2000.  The web site proclaims that it is  the “Home of projects – literally numbering in the single digits – that languish in a place called ‘90% finished’.” These funny guys have yet to register, this domain is still available.

The Sender ID result on the message header shows that it failed. If you were using Office 365 for your email server this message could have been blocked. In the Exchange protection advanced settings you can mark all messages that fail the Sender ID test as spam. This will cause legitimate messages without SPF configured correctly to not reach your inbox.
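One way to automate the header review described above, as an added example that is not part of the original post. The message is a constructed sample whose hosts, addresses and IPs are all placeholders; the script reports failed SPF and Sender ID results and flags a Message-ID generated under a different domain than the From address.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every host, address and IP below is a placeholder.
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [203.0.113.25])
\tby mx.recipient.example; Thu, 01 Jan 2015 10:00:00 +0000
Received-SPF: Fail (mx.recipient.example: domain of billing@vendor.example
\tdoes not designate 203.0.113.25 as permitted sender)
Authentication-Results: mx.recipient.example; spf=fail
\tsmtp.mailfrom=billing@vendor.example; sender-id=fail
Message-ID: <abc123@host.unrelated.example>
From: "Vendor Billing" <billing@vendor.example>
Subject: Automatic payment failed - Credit Card rejected

See the attached document.
"""

FAILING = {"fail", "softfail"}  # results treated as suspicious in this example
METHOD_RESULT = re.compile(r"\b(spf|sender-id|dkim|dmarc)=(\w+)", re.I)


def domain_of(value):
    """Lowercased domain part of an address or Message-ID."""
    return parseaddr(value)[1].rpartition("@")[2].lower()


def auth_findings(raw):
    """List the header checks a message fails, in the order they are read."""
    msg = message_from_string(raw)
    findings = []
    # Received-SPF begins with the result keyword (Pass, Fail, SoftFail ...).
    spf = (msg.get("Received-SPF") or "").split()
    if spf and spf[0].lower() in FAILING:
        findings.append("received-spf=" + spf[0].lower())
    # Authentication-Results carries method=result pairs added by the receiver.
    for header in msg.get_all("Authentication-Results", []):
        for method, result in METHOD_RESULT.findall(header):
            if result.lower() in FAILING:
                findings.append(f"{method.lower()}={result.lower()}")
    # A Message-ID minted under an unrelated domain is a further mismatch.
    sender = domain_of(msg.get("From", ""))
    mid = domain_of(msg.get("Message-ID", ""))
    if sender and mid and mid != sender and not mid.endswith("." + sender):
        findings.append("message-id-domain=" + mid)
    return findings


if __name__ == "__main__":
    for finding in auth_findings(SAMPLE):
        print(finding)
```

An empty list means none of these three checks failed; it does not prove the message is genuine, since a sender with no SPF record produces no failure either.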

When I downloaded the attached file to my computer Microsoft Security Essentials scanned the file and found the malware. I only have the date the virus was detected by Microsoft, not the time. At the VirusTotal web site this file is also in email messages that claim to be from the IRS complaint department.


Sony Pictures lessons for Small Business

The Sony Pictures network breach has lessons to be learned for small business. Sony’s corporate network allowed access to Internet sites around the world. Malware that caused the problem communicated with control servers in Bolivia, a university in Thailand and on a network at the St. Regis Bangkok. From the FBI press release about the Sony Investigation “the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.” Does your business attempt to stop communication between your network and North Korea? Sony Pictures did not have this foresight. Having controls on where Internet traffic is allowed keeps your business information safer. Reviewing your Internet traffic also helps you understand what your employees are doing with their time at work.

High speed Internet connections allow you to find great information in seconds, but unlimited access to the whole world is not necessary to make your business run effectively. Everyone needs to process credit and debit card information, but do the machines that process card information talk only to the processor or do they talk to anyone that asks for a connection? Simple restrictions can make a big difference. If you have a retail Internet gateway the default installation will allow access from your network to any place in the world. Freedom is great but with the amount of Internet traffic significant information can be lost. Last year’s breach at Target had 60,000 alerts about the intrusion that were lost in the noise of information overload. Restricting where you can go on the Internet does cause some problems. One client could not order sugar free candy from Amazon because the web destination site was in Switzerland. This caused a few emails and phone calls, but this candy was ordered and the access was closed after the transaction.
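A sketch of the restriction described above, as an added example that is not part of the original post. It checks outbound flow records against a per-role allowlist and collapses repeated violations into counts so they are not lost in the noise. The role names, networks, log format and addresses are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumed policy: hypothetical roles mapped to the networks they may reach.
POLICY = {
    "card-terminal": ["198.51.100.0/28"],              # payment processor only
    "office": ["198.51.100.0/24", "203.0.113.0/24"],   # approved destinations
}
HOST_ROLES = {"10.0.5.10": "card-terminal", "10.0.1.20": "office"}

# Constructed flow records: time, source, destination, destination port.
FLOWS = """\
2015-01-05T09:00:01 10.0.5.10 198.51.100.5 443
2015-01-05T09:00:07 10.0.5.10 192.0.2.77 443
2015-01-05T09:01:12 10.0.1.20 203.0.113.40 443
2015-01-05T09:02:30 10.0.1.20 192.0.2.77 8080
2015-01-05T09:02:31 10.0.1.20 192.0.2.77 8080
2015-01-05T09:03:00 10.0.9.99 198.51.100.5 443
"""


def allowed(src, dst):
    """True when the source host's role permits the destination address."""
    role = HOST_ROLES.get(src)
    if role is None:
        return False  # hosts with no assigned role get default deny
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(net) for net in POLICY[role])


def violations(log):
    """Count flows that fall outside the policy, keyed by (src, dst, port)."""
    counts = Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        _, src, dst, port = parts
        if not allowed(src, dst):
            counts[(src, dst, int(port))] += 1
    return counts


def summary(log):
    """Violations sorted by count, most frequent first."""
    return sorted(violations(log).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (src, dst, port), n in summary(FLOWS):
        print(f"{n:3d}  {src} -> {dst}:{port}")
```

A temporary exception such as the candy order maps to adding one network to a role's list and removing it after the transaction.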

Next generation firewalls can restrict, collect and summarize what is flowing in and out of your business. Microsoft’s free program EMET should be loaded on each Windows system to impede access to your computers. Keep your Mac and Windows machines up to date with software patches. Use protection software at the computer to fend off attacks. Do not open suspicious email or attachments. Use a password manager to keep complex unique passwords for every site and application. Your sensitive information should be encrypted. Regular backups should be done and stored in multiple locations. Sony Pictures Entertainment was hit with a strain of malware designed to wipe all computer hard drives within the company’s network. Restoring the information will occur after the investigation concludes. What would this cost your business? All new machines to run the company until the forensic analysis is complete?

One ounce of prevention is worth a pound of cure. Jason Spaltro, currently Sony’s Senior VP of Information Security, told CIO Magazine following an earlier hack of Sony’s servers: “It’s a valid business decision to accept the risk…. I will not invest $10 million to avoid a possible $1 million loss.” Sony Pictures had internal servers and computers taken over and gigabytes of information stolen. The $60 million cyber insurance policy that Sony has may not cover the costs of this problem. How much cyber insurance does your business have?

The IBM data loss study released this summer showed each lost record cost a small to medium business $62 in direct costs and $141 in indirect costs. This was for small business losses of less than 100,000 records. A cyber insurance policy should only be necessary if your business is connected to the Internet.

Facebook Business Posts

According to a Facebook post in the Facebook for Business news feed new restrictions are being added to any business post.  Starting in January 2015 business posts that have these traits will see less distribution:

  1. Posts that solely push people to buy a product or install an app
  2. Posts that push people to enter promotions and sweepstakes with no real context
  3. Posts that reuse the exact same content from ads

Facebook will decide which posts meet these criteria. This will mean every business post made on Facebook will need to be crafted well to reach the 2% of the market that will see the content. The value of a business post to Facebook users continues to erode. Is advertising in the classified section of the local newspaper now a better way to reach customers? If the word “sale” appears in the post this may be true.

Communication is always key to everyone’s business.  Being clear and concise in social media posts makes your information “likeable”.  Even in personal interactions with your clients efficiently passing information makes you a trusted resource. Giving away free information to anyone liking my Facebook for Business page should continue to be posted in news feeds.  Leading new clients and keeping current clients connected via a Facebook post is the challenge.

Facebook’s ongoing survey of users prompted this policy change. The post states “Our goal with News Feed has always been to show people the things they want to see. When people see content that’s relevant to them, they’re more likely to be engaged with News Feed, including stories from businesses”. Any business post should contain relevant information that your client base would like, but now sales or promotional posts will not be added to users’ news feeds. The key phrase in the Facebook post is “pages users care about”. This is the new focus for business posts on Facebook.

People go to Facebook for a good laugh, to find out what friends are doing or what they can add to their life. Facebook has not yet become the world or local news feed. But it is the best personal news feed that is available. Personal connections tied to your business or community are the best fit for Facebook posts. Tracking what topics resonate with your clients can help guide you to create responsive posts to get more exposure. For more business professionals that means more time invested in social media.

But with the changes is the time worth spending on a business Facebook page? According to Facebook in October 2014 over 1 billion visits were made to business pages. Sheer numbers are always a good thing, but finding the right people to like your page is still a key component of success for your Facebook business page. Having a core group that want to read and comment on your posted information is better than hundreds of likes from all over the globe. The adage of dominate locally and expand globally is very apparent in Facebook for business posts.  Analyzing who reads or comments on your posts now can help you build a profile of the perfect person to like your business page.

You have until January 2015 to perfect your posts and your audience.  Then new user surveys may change your plan again.

Microsoft EMET 5.0 released

Microsoft may not be the most respected name in secure software products, but if you do not use EMET on all of your machines you miss the best free mitigation available for Windows operating systems. EMET is classified as a utility by Microsoft. The purpose of the utility is to make it harder to attack a known software vulnerability in any program. This gives you another security buffer for Adobe, Java, Office products or the custom program that you need to run your business.

These defenses are not available in any of the current Microsoft operating systems.  You must use the EMET utility to provide this extra layer of protection. The cost of adding EMET is always less than remediation of an infected system or the loss of sensitive information.

Attack Surface Reduction (ASR) and Export Address Table Filtering Plus (EATF+) are two new features added to EMET 5.0. ASR can prevent modules or plug-ins in programs from automatically executing code. This feature protects Microsoft Word, Excel and PowerPoint from loading the Adobe Flash player. EATF+ can help detect and disrupt some current techniques used to execute code when a vulnerability is exploited. EMET 5.0 can also terminate an Internet browsing SSL connection (https:) that has an untrusted certificate without sending session data to the source internet site. This keeps your identity safe from anyone that is using a suspicious certificate online.

Microsoft’s EMET should be tested with your software before you deploy this utility in a production environment.

How many ways do you protect your software programs?

The EMET 5.5 utility is available at the Microsoft download center.

Your Android Phone Data

Twenty used Android phones contained over 40,000 recoverable pictures and user data. Avast Software researchers purchased twenty used Android phones from eBay that were sold as wiped clean of user data. Since the file format in the user data area on the Android OS only marks the areas as available for use, the pictures, emails, text messages and contact names were still available on the phones. A standard device reset does not clear your user data area on your Android based phone. You need to write over the data to erase the contents of the pictures, text messages and emails.

Avast’s free Anti-Theft app can securely wipe data off of your phone and help you locate your phone if it is lost.  Your phone data can be erased remotely from a computer or another smart phone.  The premium version of this app can mark the device as stolen if the wrong password is entered three times.  The premium app will cost you $14.99 per year.

Secure Bulldozer is another app that can clear your phone of all of the user data. This app was tested using a legal restoration tool, which confirmed that the deleted information could not be restored. This software is a patented solution to erase all of the data in your smart phone or tablet. Two versions of the Bulldozer app are available for your use. The free app cannot clear documents from your smart device, but the paid app for $9.31 can erase everything from your phone.

When I checked for used Android phones I found 11,000 on eBay, 850 on Amazon and 120 on Craig’s List in Phoenix, AZ. How many people knew how to correctly erase data on these phones? On average there seem to be about 2,000 pictures on each used smart phone.