TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

Password Security

Password Security: Lock Your Digital Doors Too

Mark Funchion is a network technician at Tech Experts.
Password security may not be on the forefront of everyone’s minds – but it’s more important and easier than ever.

Password security issues have been going on for a long time. Back in November 2014, a webpage started livestreaming security cameras from around the world that had not updated the default credentials. In the US alone, there were over 11,000 cameras livestreaming; a year later in December 2015, there were still almost 6,000 cameras live. [CSOonline.com]

Then in December 2019, many Ring camera accounts were hacked – not with default passwords this time, but actual hacks on accounts without two-factor authentication. [vice.com]

What exactly is two-factor authentication? Two-factor authentication means a second confirmation after your password. This second method is often sent to your cell phone as a text or through an app, which you then input or confirm. Many banks require this, but there are also lots of other sites which have it as an option, like Ring.

While many people see this as an inconvenience, it is a safety feature and it’s becoming the new standard for security.

A good analogy for this is a deadbolt on your door. Your door handle has a working lock, but it is not too hard to get through that lock.

As a second security method, you turn your deadbolt to make it much harder to access your home. That is your physical two-factor authentication – and if it is important enough for entry physically into your home, it should be important for virtual access as well.

Even if you do not have two-factor authentication, at least changing the default passwords and using different passwords across all your accounts are vital steps to more secure accounts. While it’s very convenient to have one password for all your accounts, it also means that if one account is compromised, they are all compromised.

If a hacker gains access to an account and you use the same password for your email, they can “verify” account ownership and change your passwords to lock you out.

That’s why your method of two-factor has to be secure too. If you have verification codes sent to your email and your email password is “password,” that second factor is not helping. It’s just a second “door” that a hacker can walk right through. Not much of a defense.

Going back to the importance of changing default passwords, most of us own a lot of devices in our house that are network-connected. And it is very easy to plug them in, take all the defaults, and go on with your day.

If you live in an area with a lot of neighbors nearby, take a look at the wireless networks you can see.

From my desk at work, I can see over ten networks that are outside of our office. The signals from unsecure devices aren’t kept within the walls of your own home.

A quick Google search can tell you the default username and password of almost anything, including unsecure devices that might be in your own home. In the Symantec Internet Security Threat Report for 2019 [https://docs.broadcom.com/doc/istr-24-2019-en], 60 percent of the IOT attacks (Internet of Things – meaning everything Internet-connected) used a username of “root” or “admin” and over 40 percent of the attacks used a password of “123456” or left that field blank. Not the work “blank” – an actual password of nothing.

People almost always worry about security in some form: we lock our cars, our houses, our cell phones. The same philosophy should be applied to our technology.

Take the time to change your passwords, use varying passwords, and change them periodically. It does not take much of a hacker if we don’t bother to lock our own doors.

Password Versus Passphrase… Which Is Best?

Passwords are something you use almost every day, from accessing your email or banking online to purchasing goods or accessing your smartphone.

However, passwords are also one of your weakest points; if someone learns or guesses your password they can access your accounts as you, allowing them to transfer your money, read your emails, or steal your identity. That is why strong passwords are essential to protecting yourself.

However, passwords have typically been confusing, hard to remember, and difficult to type. In this newsletter, you will learn how to create strong passwords, called passphrases, that are easy for you to remember and simple to type.

Passphrases
Passphrases are a simpler way to create and remember strong passwords.

The challenge we all face is that cyber attackers have developed sophisticated and effective methods to brute force (automated guessing) passwords. This means bad guys can compromise your passwords if they are weak or easy to guess.

An important step to protecting yourself is to use strong passwords. Typically, this is done by creating complex passwords; however, these can be hard to remember, confusing, and difficult to type.

Instead, we recommend you use passphrases-a series of random words or a sentence. The more characters your passphrase has, the stronger it is. The advantage is these are much easier to remember and type, but still hard for cyber attackers to hack.
Here are two different examples:
Sustain-Easily-Imprison
Time for tea at 1:23

What makes these passphrases so strong is not only are they long, but they use capital letters and symbols. (Remember, spaces and punctuation are symbols.) At the same time, these passphrases are also easy to remember and type.

You can make your passphrase even stronger if you want to by replacing letters with numbers or symbols, such as replacing the letter ‘a’ with the ‘@’ symbol or the letter ‘o’ with the number zero.

If a website or program limits the number of characters you can use in a password, use the maximum number of characters allowed.

Using Passphrases Securely
You must also be careful how you use passphrases. Using a passphrase won’t help if bad guys can easily steal or copy it.

Use a different passphrase for every account or device you have. For example, never use the same passphrase for your work or bank account that you use for your personal accounts, such as Facebook, YouTube, or Twitter. This way, if one of your accounts is hacked, your other accounts are still safe.

If you have too many passphrases to remember (which is very common), consider using a password manager.

This is a special program that securely stores all your passphrases for you. That way, the only passphrases you need to remember are the ones to your computer or device and the password manager program. Never share a passphrase or your strategy for creating them with anyone else, including coworkers or your supervisor. Remember, a passphrase is a secret; if anyone else knows your passphrase, it is no longer secure.

If you accidentally share a passphrase with someone else, or believe your passphrase may have been compromised or stolen, change it immediately. The only exception is if you want to share your key personal passphrases with a highly trusted family member in case of an emergency.

Do not use public computers, such as those at hotels or Internet cafes, to log in to your accounts. Since anyone can use these computers, they may be infected and capture all your keystrokes. Only log in to your accounts on trusted computers or mobile devices.

Be careful of websites that require you to answer personal questions. These questions are used if you forget your passphrase and need to reset it. The problem is the answers to these questions can often be found on the Internet, or even on your Facebook page.

Make sure that if you answer personal questions you use only information that is not publicly available or fictitious information you have made up.

Can’t remember all those answers to your security questions? Select a theme like a movie character and base your answers on that character. Another option is, once again, to use a password manager. Most of them also allow you to securely store this additional information.

Many online accounts offer something called two-factor authentication, also known as two-step verification.

This is where you need more than just your passphrase to log in, such as a passcode sent to your smartphone. This option is much more secure than just a passphrase by itself. Whenever possible, always enable and use these stronger methods of authentication.

Mobile devices often require a PIN to protect access to them. Remember that a PIN is nothing more than another password. The longer your PIN is, the more secure it is. Many mobile devices allow you to change your PIN number to an actual passphrase or use a biometric, such as your fingerprint.

If you are no longer using an account, be sure to close, delete, or disable it. (This article is reprinted with permission from the SANS Security Center OUCH! newsletter.)

How Google Password Checkup Can Protect Your Data

Jason Cooley is Support Services Manager for Tech Experts.

While the terminology between a data breach and data leak may not seem very important, being prepared to react to compromised data is. Let’s start with knowing the difference between a breach and a leak.

A data breach is an unauthorized intrusion into any private system to access any sensitive data. Data breaches are typically the work of hackers.

A data leak may result in the same end game scenario, but differs greatly in that a leak is data left exposed or accessible, often accidentally.

While the hope is that you are protected and that your passwords are all secure, this realistically isn’t the case. You can have the strongest password possible, but depending on what information may be sold or accessible, the security can be entirely out of your hands.

Worse, a breach or leak won’t always make national news or show signs of unauthorized access.

If you see an out of state charge on your debit card, you’ll have a good idea that you didn’t make the purchase and suspect that you’ve been compromised. In the case of seeing unauthorized charges, the issue is clear.

However, say your email is compromised. It isn’t so obvious.

Perhaps the person with your credentials will monitor for a time in order to find valuable information on you or others.

There are so many ways to be compromised and so many types of information that someone with access to your account may be looking for.
In the past, I have used a few different websites to periodically check. This is obviously problematic, as reputable sources for compiling breached information are not overly abundant.

Being an IT professional, I felt comfortable looking for these sources. I do not recommend the same for just anyone.

Luckily, you no longer have to search to find any potentially compromised accounts. Google’s new extension “Password Checkup” is here to help.

Google Password Checkup is a browser extension that alerts you to any potentially compromised accounts.

While the browser extension is installed and enabled, it checks any account you log into using Google Chrome.

Now, this is not a foolproof protection blanket. While this is a great tool, it only checks against any data breaches that Google is aware of.

These are the same type of searches I mentioned earlier. While I would have to search before, Google Chrome can handle the work here.

If there is potential that your account is compromised, you should ensure you take steps to recover the account and change the passwords.

While there is no surefire way to remain safe, stay diligent. Remember to make sure your computer isn’t compromised by regularly running your anti-virus software.

Much like you lock your door at home, make sure you are taking care of your personal information.

Using Google’s Password Checkup is a great start, but it’s only a start. Change your passwords regularly and keep them unique.

A passphrase is a great way to have a password that is easy to remember but difficult to guess.

Browser Battle: Why Chrome Continues To Take Over

Jason Cooley is Support Services Manager for Tech Experts.
Every day I see different browsers on different computers. There’s Chrome, Internet Explorer, Firefox, Vivaldi, Opera, and Apple’s Safari browser. Some people like to stick with what they know, and they use Internet Explorer or even Microsoft Edge on Windows 10.

There are those people that really love Mozilla’s Firefox browser and are loyal and comfortable using that. Apple users tend to stick with Safari, like how Windows users use Internet Explorer and Edge, because it’s the default they’ve used for years.

I made the switch to Google Chrome for good about 5 or 6 years ago, and I continue to use it as my browser of choice.

There are preference issues and everyone likes what they like, but there is definitely more to why I use Google Chrome over the other browsers. There are even reasons why I think you should probably use Chrome too.

Let’s start by acknowledging that there are certain websites that only have full functionality in a certain browser and that’s OK. Maybe you need to use Internet Explorer for something. Use what you need to for certain tasks. When you have a choice, use Chrome.

Chrome is celebrating its 10th birthday with a nice updated look, but that’s just the surface. It continues to add features that not only improve your user experience, but also help make things a little more secure.

Chrome now will auto-generate and suggest strong passwords for new accounts created, keeping them unique and therefore significantly more secure.

Google also made sure that the mobile integration for Chrome is second to none. Just make sure you are signed in on your computer and your phone to keep all of your bookmarks and browsing synced.

While a browser like Firefox may meet some of the standards set by Google, there are areas other browsers just can’t stack up.

Mozilla has updated and launched a new and improved mobile app. It is now faster than it was ever before. Want to sync your data between your phone and computer browser with Mozilla? Sure, just create a completely separate account, link them, and hope for the best. Mozilla’s ability to share bookmarks is fair, but it can’t keep the settings streamlined.

These are the areas that Google Chrome excels in, making your browsing experience seamless.

The password manager will also make using your account on multiple devices much easier, as you can use the manager to store passwords and use them on any device you are signed in to.

If you own an Android phone or use the Google Play store but don’t use Chrome, you are missing out on great app integration.

Another reason Chrome pulls ahead in the battle is because of its amazing app library and easy integration and updates. Other browsers can’t begin to offer the things that Google does.

If you need more reason, consider that most of the major browsers use Google’s safe browsing programming to detect potentially dangerous sites.

Consider that these companies are using someone else’s programming to keep you safe… and that programming is from the clear leader in the browser battle: Google Chrome.

How Can You Improve Your Online Privacy?

Frank DeLuca is a field technician for Tech Experts.

You have probably heard about the myriad of security blunders that have plagued the business and IT worlds. We’ve seen considerable security and privacy miscues from some of the world’s biggest businesses, organizations, and government agencies.

This includes data breaches, attacks from hackers, privacy concerns, and theft where massive amounts of private user data were lost and/or misplaced. If major institutions can fall victim to these privacy and security lapses, then so can individuals and society at large.

The Internet can certainly be a scary, confusing place, especially for the uninitiated, but there are many ways in which you can protect yourself, mitigate risk, and increase your privacy while having an online presence.

Use Strong Passwords For Your Sensitive Accounts
Using strong, unique passwords (symbols, long phrases, capitalization, punctuation) can help you avoid that gut-wrenching feeling that you get when you realize that someone has hacked your account and has access to your personal information. Not knowing what’s going to happen to your work or your memories is something no one wants to experience.

Creating strong and unique passwords for each of your online accounts is a smart practice. The reason is quite simple: if one of your online accounts is hacked, then the others will soon follow. Consider a password manager like LastPass or Keeper to create, store, and manage your passwords.

Don’t Allow Or Accept Cookies From Third Parties
The purpose of the computer cookie is to help websites keep track of your visits and activity for convenience. Under normal circumstances, cookies cannot transfer viruses or malware to your computer.

However, some viruses and malware may try to disguise themselves as cookies, replicating after deletion or making it easier for parties you can’t identify to watch where you are going and what you are doing online.

Because cookies are stored in your web browser, the first step is to open your browser. Each browser manages cookies in a different location. For example, in Internet Explorer, you can find them by clicking “Tools” and then “Internet Options.” From there, select “General” and “Browsing history” and “Settings.”

In Chrome, choose “Preferences” from the Chrome menu in the navigation bar, which will display your settings. Then expand the “Advanced” option to display “Privacy and security.” From there, open “Content settings” and “Cookies.”

Use A VPN Or VPN Provider
A virtual private network, or VPN, can help you secure your web traffic and protect your anonymity online from snoops, spies, and anyone else who wants to steal or monetize your data.

A VPN creates a virtual encrypted tunnel between you and a remote server operated by a VPN service. All external Internet traffic is routed through this tunnel, so your data is secure from prying eyes. Best of all, your computer appears to have the IP address of the VPN server, masking your identity.

To understand the value of a VPN, it helps to think of some specific scenarios in which a VPN might be used. Consider the public Wi-Fi network, perhaps at a coffee shop or airport.

Normally, you might connect without a second thought. But do you know who might be watching the traffic on that network? If you connect to that same public Wi-Fi network using a VPN, you can rest assured that no one on that network will be able to intercept your data.

Additional tips: keep your Windows operating system and your applications such as Microsoft Office up to date at all times, don’t post private information on your social media accounts, and use browser ad/tracking blockers.

What Is Credential Management And Should I Have It?

Ron Cochran is a senior help desk technician for Tech Experts.

In the world today, we have many things to remember and passwords are one of those. We have alarm codes, website logins, usernames, passwords, passphrases, bank account information, and everything in between. However, if you’re on top of your password game, then none of your passwords match and that can be quite the chore to keep up on.

This brings me to a product called Passportal.

Passportal eliminates the need to remember all those different passwords, websites, and passphrases. With Passportal, once you have your account set up – and have entered your websites, usernames, passwords, and passphrases – you will only need to remember one password to sign into anything. There is also an extension for one of the most popular web browsers.

Once you create your account with Passportal, you’ll be able to enter your website of choice, username, and password; then, when you revisit that site, you will be notified that Passportal has saved your credentials for that site. You’ll click one button and Passportal will automatically enter your information in, then you’re logged in to your favorite websites, social media, or message boards.

While it may sound like you’re putting all of your eggs in one basket, Passportal’s main focus is password security. The website, application, and process was created with military-grade password data security in mind while maintaining ease of use for the end user.

In the event of a mugging or break-in, you can lock your Passportal account and disable your usernames and passwords, instead of trying to remember everything you need to change. It’s one less thing to worry about when recovering from identity theft.

Let’s say your credit card and bank information have been compromised. Once you receive your new card and password, you revisit the website. Passportal remembers your password, but it doesn’t work. You will be able to seamlessly add the new password to the Passportal extension with just a couple clicks and keystrokes. Passportal has saved many users countless extra clicks, time, and hassle by keeping their valuable personal information secure.

If you are the owner of a company, you can utilize Passportal and have control over the passwords and when/if they expire. If you have an employee that quits or is terminated, you can lock that username out of your company information with just ONE click of a button. This feature saves valuable time that a human resource manager would have used to track down all the user information, gain access to their workstation or laptop, and remove their profile, or gain access to the server to remove their Active Directory profile.

Passportal also has two-way syncing with Active Directory for Windows Server. With Passportal, there is even a mobile app and phone number you can text to get a password reset. This feature will save employees who are locked out of their accounts – and allow your IT department to focus on more in-depth issues.

If you’re the human resource manager, general manager, or owner of a company, your company will most likely be able to benefit. Ask your IT department or managed service provider about Passportal and how you can implement it within your company.

Five Simple Year-End Technology Tasks To Start 2017 Right

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

If you want to get 2017 off to the right start as far as your technology is concerned, do a little end-of-year cleaning with these five simple tasks.

Update all of your passwords
If 2016 taught us anything, it’s that security and data infringement threats are at an all-time high. Most people don’t bother to change their passwords until after they have been hacked, which beats the purpose.

Now is the right time to change your passwords. The longer your password is, the better. For added security, use a combination of upper and lowercase letters, numbers, and symbols.

Clean up your hard drive
Get rid of any files you no longer need. Not only will this step reduce the number of files you store on your computer, but it will also make finding needed files much easier.

It will also free up your storage space. If you’re not sure whether you need a file or not, archive it so that you can access it at a later time, if the need arises.

Reorganize your file structure
Once you have ditched the stuff you don’t need, invest some time creating a robust and intuitive file structure so that you’ll spend less time in 2017 searching for documents you know are there somewhere but just can’t seem to find.

Ditch the applications you no longer use
No doubt you have downloaded a whole host of applications that you never use or that have since been replaced by better versions.

Uninstall any programs you are not using to free up space and declutter your computer or mobile device.

Check that your software is up to date
The start of the year is a great time to make sure all the applications and software programs that you use are fully up to date.

In addition to protecting your security by ensuring you have the latest secure versions of an app, keeping your software up to date will also help you to make sure you are not missing out on any great new features.

Should Your Small Business Use A Domain Network?

Luke Gruden is a help desk technician for Tech Experts.

If you have 5 or more computers that are sharing files and are constantly being worked with, a domain network would be in your best interest.

A domain network using a server has many benefits to a work area, a work building, or even multiple buildings using VPN. The flexibility, security, and convenience of a domain is, in most companies, invaluable. Sign into your account from any computer that is a part of the domain and you no longer need to use only your personal computer to access files.

If something were to happen to your computer, you could just use another computer to sign into your account and continue working without much downtime. This is also a far more secure way for users to access other computers as they have to use their credentials and only have the permissions that their credentials provide, not those of the computer itself. As long as users are not sharing passwords, you can have every user accounted for, policies implemented, and control what they can and cannot access when it comes to Internet, files, and programs.

Secure file-sharing is an easy and basic function of a domain server with Active Directory, which all the computers connected to the domain have access to. If you wanted only certain users to have access to certain files, you can have folders set up that prevent unauthorized editing, but still could be read — or even not be seen at all.

Having 5+ workers able to access the same set of files to edit as needed is an amazing way to save time and improve project efficiency. Everyone can see the file as it is saved or changed and they can continue to edit records as necessary without ever having to go on the Internet or transfer the file. Just get on any computer on the domain and you have instant access to the files that you need without a second thought.

Active Directory is your IT department’s best friend when it comes to handling large or small groups of computers as IT can access the domain server to make adjustments to other computers without ever stopping the work flow.

Forgot your password? Your IT can very easily use the server and reset your password for you without having to go to your computer. Setting up a new computer that needs certain printers and drivers installed? IT can set up the server to push those standard programs and drivers without having to install each individual program. Need to set up a new user account? It’s created on the server and the user can be accessed on all computers. There are so many possibilities that open up when you have a server domain available for your workstations.

We have only scratched the surface of what’s possible with a domain server and the amount of time and effort it can save for everyone in the company. I believe every business that is looking to grow should have a domain server early on as it will be easier to set up and can evolve to your needs as your company grows.

If your company needs help setting up a domain network, you can count on Tech Experts to take care of it.

Major Password Breach Uncovered

Some people collect antique trinkets while others collect more abstract things like adventures. There’s someone out there, however, collecting passwords to email accounts, and yours just might be part of that collection. To date, it has been estimated that over 273 million email account passwords have been stolen by a person or entity now called “The Collector.” This criminal feat is one of the largest security breaches ever, and the passwords have been amassed from popular email services, including Gmail, Yahoo!, and AOL.

It is unclear exactly why “The Collector” has procured so many email passwords, aside from the fact that the individual is trying to sell them on the dark web. The puzzling part of this, however, is that the asking price is just $1. So, the hacker may only be seeking fame for achieving such a large-scale feat.

The email account credentials may have more value in being used in an email phishing scam, but it’s impossible to know the cybercriminal’s intentions as this point. While potentially having your email hacked doesn’t sound like that big of a threat, there are multiple ways in which this information could be used for harm.

The most notable risk is that the login information may be used to access other accounts; many people use the same username and password for their emails accounts as other ones, such as for online banking. So, there is far more value in this large collection than just the asking price of $1. To protect yourself, security experts advise you change your password immediately.

Wire Fraud: How An Email Password Can Cost You $100,000

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Wire fraud is one of the most financially damaging threats to people and businesses today. Victims can lose hundreds of thousands of dollars in the blink of an eye.

What is wire fraud? Let’s start with the basics:

A wire transfer is an electronic transfer of funds between entities, usually a bank and someone else.Wire fraud utilizes this system to steal money. Typically, this is done by fooling a financial institution into wiring money to a fraudulent account.

The process often begins with the theft of personal data or email credentials, which means data security is paramount to preventing this threat.

Here’s an overview of wire fraud so you can better protect your business and clients. [Read more…] about Wire Fraud: How An Email Password Can Cost You $100,000