If your Gmail is hacked, there are some important steps you should take right away:

  1. Turn on Gmail two-factor authentication. This will also require you to use an application-specific password with some email clients (e.g. iPhone and Android).
  2. Change your Gmail password to something new (one you don’t use anywhere else) and more complex (12 characters or more).
  3. Check the trash and inbox in Gmail to see whether the bad guys are initiating password resets.
  4. Review the access history for your Google account and see whether any odd access locations are listed.
  5. Double check that an alternate password-notification address has not been added to your Gmail account.
  6. Change the password on any account that uses your Gmail address as a user ID with that same password, in priority order from the most to the least important website (e.g. banking first).
  7. Turn on two-factor authentication on any sites that permit it.

They troll for passwords and then use them to access other sites. You probably have a bit of time, but not much.

If you have not been hacked but have a Gmail account, be sure to turn on two-factor authentication ahead of time.

Can’t log into your email account? Twitter? Want to look at your spouse’s email? Need to get into an employee’s personal email account to see if he is stealing? If you surf the web for “Black Hat Hackers” or “Hire a Hacker” you can find a long list of people willing to break into these accounts. There are websites to “Crack Passwords”. Hackers troll discussion boards, some here on this site, offering their services. But should you hire them, or should you be worried someone else will hire them to get you?

Hiring a hacker to break into an online account is most likely illegal in every case. There is a range of laws protecting online accounts from illegal access. So, assume to begin with that if you hire one of these services you are most likely breaking the law. Also assume that any discussion post talking about how some hacker helped catch a cheating spouse was likely written by the hacker, simply setting bait to get money from you. In rare cases you might have some rights to access the data, but it’s best to talk to your lawyer first, and perhaps get a court order.

The first clue that a hacker is likely going to cheat you out of your money is that it is actually difficult to “brute force” guess a user’s password. It can be done with time, though don’t bet on it. But let’s say you still go ahead. Do you really want to know? If you have ever had to read through another person’s emails, perhaps as a manager in a company doing a forensic analysis, you know it’s an unpleasant process. It is easy to misinterpret the meaning of an email and reach incorrect conclusions. It’s frankly rare for such an investigation to actually yield anything of value. Once you’re done, you are going to feel like a creep. Bottom line: do not break into other people’s accounts.

Perhaps more important, how do you protect yourself from a hacker for hire?

  • Use a good password, once per site.  Employ a password manager.
  • Delete old emails, both received and sent.  It is cool to keep every last email, but really is it worth it?
  • Turn on two-factor authentication for all your online services like Gmail and Dropbox
  • Close old accounts you no longer use, but delete all the content first so it’s flushed from the system
  • Where possible, use an alternate login ID. If everyone knows you online as jimmy@acme.com, get an alternate account like jimmyadmin@gmail.com for login purposes. Never share that account ID with anyone you know.

There are White Hat or ethical hackers who will help you analyze your accounts and situation to protect yourself. A key way to identify a good hacker is that they will refuse to help you break into another person’s account. A white hat hacker will identify themselves and have a LinkedIn profile and other public presence that proves they are real.

Whether you use email for business affairs or illicit affairs, there are many lessons to learn from David Petraeus and his paramour. This is not a morality site, so we will skip over the obvious issues there. But if you have been hunting terrorists for a while and are the chief spook at the CIA, you should know how to keep a secret. So what does the news about Petraeus teach us about email and other discreet communication?

  • Data Mining: If the government wants to track you, they have more than enough means to take a single email, track it back to another person, unlock all that person’s email accounts, search through those emails, then track back to you.
  • Content: Even if you leave out names in an email, by tracking the header metadata it’s possible to infer meaning. Best not to talk about sex or other details that stoke media hype.
  • Encryption: It’s hard to know for sure, but no one seemed to be using encryption. This suggests Petraeus knows it is better to use disposable accounts than to try to encrypt a message. This may tell us a lot about sources and methods. Or perhaps General Petraeus is simply not IT savvy.
  • Gmail: Apparently Petraeus and Broadwell used a technique terrorists use to communicate. They had a shared Gmail account. They edited a joint “Draft” email, communicating through the draft without ever sending it. So there was no sent email to track, just the source IP addresses from logins.
  • Feds Can Track Drafts: With stories of thousands of messages between Petraeus and Broadwell, given they communicated through drafts in Gmail, it suggests the feds can trace old versions of a draft document.

Petraeus could probably have used better technology. It’s safe to assume, however, that if you write something in a digital realm, the Federal Government can find it if they want to. If you need to be discreet, feel you deserve your privacy, or otherwise want the Government and others to stay away, there are some good practices to follow:

  1. Content: Don’t communicate anything online, in a document, or digitally that looks bad when observed by a third party after the fact amidst a media frenzy. Delete all documents, emails, texts, etc. after transmission. Run CCleaner on a regular basis. Better yet, put it on a schedule.
  2. Metadata: Assume the government has means to look across metadata and see links between nodes. This means that if you log in from an IP address to look at a bank statement, and then log in to Gmail through a browser to use an anonymous email address, it’s easy to link your ID from the banking event to your anonymous email account. Assume the feds have this technology and it’s turnkey. Key identifiers include: IP address, SIM card, MAC address, phone number, geo-location. Reduce your metadata footprint.
  3. Encrypt Emails: Encryption may signal you are up to something wrong. Given Petraeus did not seem to use encryption, it may suggest he knows all encryption is crap. It’s safe to assume that, if needed, with enough resources encryption can be compromised. However, it takes a lot of resources. So as long as you are not doing something truly evil, encryption gives you some protection. Good browser-based email tools include Voltage, Hushmail, and 10Minute. Hushmail’s servers are in Canada, which limits a non-specific subpoena’s reach (i.e. the FBI could not have accessed Petraeus while researching the paramour cat fight).
  4. Dropbox: Dropbox, Google Drive, etc. are essentially insecure and easily accessed by blanket warrants. They offer very limited ability to control access or view access. If you are going to put data into these shared locations, use encryption tools like SecureZip.
  5. Texting: It’s a bit uncertain, but with the volume of texting it’s unclear whether text messages are easy to track. BlackBerry Messenger is giving the Saudis fits because they have a hard time penetrating its peer-to-peer nature. Some use of texting may be helpful for quick but low-profile communication.
  6. Virtual Machines: As you wander through the internet in your browser, you leave various traces behind on your computer. For your more sensitive work, consider creating a virtual machine or loading Linux onto a USB stick. If you encrypt the disk holding the VM image, it’s very difficult for someone to get to the core data within the virtual machine. Within your virtual machine, configure your session to always use Tor, private browsing, etc., and you can maintain a very low profile.
  7. USB Boot: There are various tools to create a bootable Linux OS on a USB stick. This bypasses many tracking/data access issues. Someone would typically need to get to the actual USB stick to get access to your data history. This is much like a virtual machine, just more secure.

It’s important to note that in the end, the NSA can get whatever it wants from your online and computer activity. If you are doing something criminal, the recommendations above will not protect you. We do not advocate criminal activity. If you want to protect your privacy, which is still legal in the United States, these recommendations can help protect you from others’ probing eyes.

Your username and password are the easiest tools a thief has for making money. There is a range of easy and complex tools available to allow even the dumbest criminal to get into your online life. New online “Cloud” systems provide virtually infinite computing power to crack your password. Smart “cracking” systems try common words first, essentially testing every word in the dictionary. Once they get into one of your accounts, they have your password and email address. Assuming they are out to get you, they can then go after other common accounts like Twitter, Facebook, etc. Practically, though, they are more interested in breaking into your credit card/bank account to access information that then gives them access to cash. Credit card numbers sell on the open market for $0.50-$5.00 per valid number. Sometimes, rather than buying a security alarm, people will simply put up a sign saying “This house protected by….”, because there are enough homes without a security alarm that a thief can steal from. In a similar way, the tougher you make a password, the more likely the bad guys will go somewhere else.

The easiest way to steal a password is to use a fake web page that looks like your Gmail login page. When you log in, the software grabs your password and sends it out to the bad guys. So never put your password into a web page if you got there from an email link. Security Beacon users should adhere to the following practices:
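One defensive check for the email-link problem described above, as an added example that is not part of the original article: pull every link out of an email body and flag any that is not HTTPS, does not sit under the domain you expect to log into, or whose visible text names a different host than the one it really points to. The email body is a constructed sample, and the expected domain (google.com) and the two-label domain simplification are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a "your account will be locked" email. The first link
# shows a Google hostname in its text but points elsewhere over plain HTTP;
# the second is a legitimate-looking link.
SAMPLE_EMAIL_HTML = """
<p>Your Gmail will be locked. <a href="http://mail.google.com.accounts-verify.example/login">
Sign in at mail.google.com</a> to keep it.</p>
<p>Or see <a href="https://accounts.google.com/">accounts.google.com</a>.</p>
"""

HOSTNAME_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Simplification for this example; real
    code should consult the Public Suffix List (e.g. co.uk needs three labels)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit_link(href, text, expected_domain="google.com"):
    """Reasons this link should not receive your password (empty = none found)."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if registrable_domain(host) != expected_domain:
        reasons.append(f"host {host} is not under {expected_domain}")
    shown = HOSTNAME_IN_TEXT.search(text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"text names {shown.group(1)} but link goes to {host}")
    return reasons


def audit_email(html, expected_domain="google.com"):
    """Map each href in the email to its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: audit_link(href, text, expected_domain) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", "; ".join(reasons) or "ok")
```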

Basic User
  • Use the longest password you can – there are 94 “printable characters” that can be used in most passwords, so having 9 rather than 8 characters in your password makes it as much as 94 times harder to crack.
  • Include letters, numbers, symbols, capitals, and lower case.
  • To make it easier to remember, use a combination of a few objects you can recall: chicagO#suzY%1029 (a place you know, your first girlfriend, the last 4 digits of your childhood phone number, plus some annoying symbols).
  • You might also include the service name to make it a bit more difficult: “chicagO%twitter” for your Twitter, “chicagO%facebook” for Facebook.
  • If you are logging into an online service in a public location, or at any time for that matter, precede the web address with “https:” rather than “http:”.
Advanced User
  • Change your user name, using a different email variation.  Gmail and other systems let you create Alias email addresses.  This can mitigate the damage if they get your password because they would need to get the username and password correct on your other accounts.
  • Tier your passwords – if you are logging on to a simple system that sends you news reports or such, use a basic password – one that you don’t care if someone gets it.  For your special accounts with financial data, use a totally different password scheme.
  • On each of your online accounts, go to the security/account sections and be sure to turn on HTTPS, 2-factor authentication, backup password questions, etc.
  • For email, never use a web browser to get your email. Set up all your email accounts to use Outlook, Thunderbird, or some other client. Make sure you configure your email account to use SSL or TLS.
  • Never log in to an online account from someone’s computer.
  • Never log into an online account using your computer over a public wifi network.
  • Run CCleaner weekly to clear your browser cache
Paranoid User
  • Use a password keeper program (See IronKey Personal S200) to generate a random password for each important online account
  • Use a different username for important online accounts.
  • Some online services, like Facebook, will track your browser/IP address and only let you log on from certain locations – turn this feature on.
  • Run CCleaner daily to clear your browser cache
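The “94 times harder per extra character” arithmetic in the Basic User advice, worked through as an added example that is not part of the original article. It sizes the brute-force search space from the character classes a password actually uses, and then compares that to the much smaller search an attacker faces if they know the “place + name + 4 digits + symbols” recipe, which is why the Paranoid tier recommends randomly generated passwords. The wordlist sizes (10,000 places, 10,000 names), the four capitalisation variants and the guess rate are assumptions of this example.

```python
import math
import string

# Character classes behind the "94 printable characters" figure used above:
# 26 lower + 26 upper + 10 digits + 32 symbols = 94.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def alphabet_size(password):
    """Alphabet a blind brute-force attacker must cover, sized by the
    character classes that actually appear in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))


def brute_force_guesses(password):
    """Worst case for an exhaustive search: alphabet ** length.
    Adding one character multiplies this by the alphabet size (94 at most)."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password):
    """The same figure in bits, the unit password managers usually report."""
    return len(password) * math.log2(alphabet_size(password))


def recipe_guesses(place_list, name_list, digit_count=4, symbol_slots=2):
    """Guesses for an attacker who knows the page's recipe (place + name +
    4 digits + a couple of symbols) and tries whole words from lists instead
    of single characters. List sizes are the caller's assumption."""
    capitalisations = 4  # assumption: each of the two words tried in 2 capitalisation variants
    return (place_list * name_list * capitalisations
            * 10 ** digit_count * len(CLASSES["symbol"]) ** symbol_slots)


def hours_to_exhaust(guesses, guesses_per_second):
    """Time to try every candidate at a given rate (the rate is an assumption)."""
    return guesses / guesses_per_second / 3600


if __name__ == "__main__":
    pw = "chicagO#suzY%1029"  # the example password from the advice above
    rate = 1e9  # assumed guesses per second for a cloud cracking rig
    print(f"{pw}: alphabet {alphabet_size(pw)}, {entropy_bits(pw):.1f} bits")
    print(f"  blind brute force: {hours_to_exhaust(brute_force_guesses(pw), rate):.3g} h")
    # Assumed list sizes: 10,000 place names and 10,000 first names.
    print(f"  known recipe:      {hours_to_exhaust(recipe_guesses(10_000, 10_000), rate):.3g} h")
    for length in (8, 9):
        print(f"  {length} chars, full alphabet: 94**{length} = {94 ** length:,} guesses")
```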

With millions of USB memory sticks in use, often handed out for free at your local conference, a lot of mission critical data is showing up in a lot of unexpected locations.  The recent Stuxnet virus, credited with damaging the Iranian nuclear program, was propagated via a USB key. It is not uncommon to pull out an old USB key and find client presentations and data readily available, stored on the key months ago in a rush to get some work done.   No one in their right mind would leave their office door open, lights on, with a big sign glaring “Steal My Data”, but a USB key is almost the same.

What would happen if someone got hold of that USB key? Would it violate that Non-Disclosure Agreement you signed? What would it do to your company’s reputation?

Security on USB keys is critical, and finally some good companies are coming online to provide great solutions. Security Beacon believes the following are critical features for a secure USB memory solution:

  • Large storage capacity
  • AES 128-bit or better encryption
  • Impervious to brute force attack
  • Durable to dropping, nicks, etc
  • Reputable vendor
  • Easy to support
  • Cross Platform

One company that tops the list is IronKey. The IronKey system includes a hardware-based encryption key system. Most USB keys use a software-based solution. Software-based solutions are not as good because they become resident on the PC, which creates a cache and various other memory stores that can be manipulated by Black Hats. With a hardware-based solution, the data is decrypted in the key, and only the data being requested is transferred to the PC application.

IronKey uses AES-256-bit encryption (the best you can get right now). And though Security Beacon believes all encryption ultimately can be cracked, the IronKey has an added self-destruct mechanism that destroys the encryption key stored in firmware if the user password is entered wrong 10 times in a row. At that point it would take a very talented group with the resources of the NSA to maybe get the data.

The software on IronKey works well. It has a very nice on-board browser with a proxy anonymizer that hides your IP address when you are searching the web. This sounds very “Black Hat”, but if you are searching your competitor’s website for information on the market, this extra tool makes it hard for your competitor to pin down your address.

The IronKey is offered in a range of models that fit well with Security Beacon’s user tiers (Basic, Advanced and Paranoid). The product is available in a range of sizes and features.

The unit comes in an S200 or D200 model designation. The S200 is a bit faster and more robust. The D200 is a slightly cheaper variation. The S200/D200 can be bought in a Basic, Personal or Enterprise variant. Our personal favourite is the 16 GB version of the S200, which can be purchased online at Amazon: IronKey Personal S200 16G, but other models include:

Basic User

Advanced User

Paranoid User

  • Product Name: IronKey Enterprise
  • IronKey Personal, plus centralized control and disablement of the IronKey. This is better for Enterprise applications with 50 or more USB keys, but if you are paranoid you should be able to justify it even for a few users.
  • Register for an evaluation copy

Disclaimer: Security Beacon makes some of its revenue based on Google advertising and links to Amazon.  So, if you end up purchasing a product based on a Security Beacon recommendation we may receive a referral fee from Google or Amazon.  This helps pay our hardworking staff and keeps our spouses happier.

Security Beacon, like many small businesses, leverages Twitter to help customers learn about products, services, opinions and more. Twitter is becoming a more important tool for marketing. As Twitter evolves, Security Beacon recommends you follow some key steps:

Always use a strong Password

  • We can’t say it enough – use a long password that includes numbers and text

Always use a secure internet connection:

  • There are several ways that bad folks can intercept the internet connection between your computer and a service like Twitter. Some of these tools can grab data from your wireless connection while you sit in your local coffee shop. To secure your online connection (the information flow from your computer to the server) you want to use a connection type known as HTTPS. You can often establish an HTTPS connection by typing HTTPS://www.twitter.com instead of HTTP://www.twitter.com. You can make the selection more permanent by changing your account settings as follows:
    1. Log in to your Twitter account
    2. Click the drop-down menu on the right hand side of your screen
    3. Click Settings to visit your Accounts Settings Page
    4. Scroll down and check the box next to Always use HTTPS
    5. Click Save to save your changes

Twitter HTTPS

  • HTTPS may slow down your connection a bit, but since Twitter is lightweight to begin with, this should not be a hassle.
  • If you use Twitter from your cell phone by pulling up a web page, it appears you need to manually add https: (i.e. this Twitter account setting does not work on a cell phone). The best thing to do is actually download the Twitter application for your phone (BlackBerry, Android or iPhone) and make sure its configuration is set to HTTPS.
Disable Location Based Tweets
  • Twitter will embed your location data (from your cell phone and other internet information) with your tweets. This is normally off, but really you should always have it off. It’s cool to tweet your location, but anyone in the world can see your tweets – do you want them to know where you live?
    1. Log in to your Twitter account
    2. Click the drop-down menu on the right hand side of your screen
    3. Click Settings to visit your Accounts Settings Page
    4. Scroll down and remove the check in the box next to Add a Location to your Tweets
    5. Click on Delete all location Information to remove existing data
    6. Click Save to save your changes
Twitter Location
Disable Applications
  • Twitter allows you to link applications to your Twitter account. Once these are linked, they have access to certain Twitter information/posts even if you change your password. To eliminate that access you need to revoke the application’s permissions.
    1. Log in to your Twitter account
    2. Click the drop-down menu on the right hand side of your screen
    3. Click Settings to visit your Accounts Settings Page
    4. Click Applications in the menu bar
    5. Scroll down and click Revoke Access on applications you don’t want
    6. Click Save to save your changes

Application Revoke

The UK news establishment is in full retreat, with news suggesting reporters hacked officials’ cell phones to extract private data about a range of personal issues. Even if you are not a government official being targeted by tabloid news, criminals, competitors and other bad people may have, or now will, leverage these same techniques to take advantage of you. Before everyone gets all worked up about downloading some new anti-virus software or such for their cell phones, here are some key tips you should act on right now:

Basic Security (Average User)

  1. Never, ever, ever leave a detailed voice mail about a sensitive issue.
  2. Implement a password/PIN to access your cell phone/smartphone – the type that requires you to log into your cell phone if it is left unattended. Use the longest password or PIN you can.
  3. Set your voicemail so that you must enter a PIN even if you are calling in from your cell phone.
  4. Check your cell phone plan to be sure the “Forward Messages” function has not been turned on somehow, redirecting your messages to some bad guy.
  5. Assume everything you say or do on a cell phone is being recorded.
  6. Keep your OS up to date and apply the latest patches as soon as they are available. In both the iPhone tracking and DroidDream malware cases an OS issue was exploited. Both Apple and Google quickly fixed the issues and released patches.

Advanced (Business user with liability for protecting data)

  1. On your business related phone, go a step further and say in your voice mail message “Please do not leave any sensitive information in your voice mail”.
  2. Use Secure protocols when setting up your POP/IMAP on your Smartphone (often referred to as TLS). This encrypts the data moving from your phone to the server.
  3. If you use Gmail, turn on 2-factor authentication. This creates a specific password for each of your devices. If your smartphone goes missing, you can kill access just for that device without disrupting everything else.
  4. Set your smartphone data security encryption (the data stored on your data cards/phone) to high.  If someone steals your phone they may try to take out the memory card to get at your data, encryption slows them down.
  5. Do not download applications unless you are absolutely sure of their origin (i.e. they come from a name brand company whose reputation will be destroyed if they steal data)
  6. For companies with multiple cell phones or enterprise tools, limit users’ ability to load software (one thing that BlackBerry does better than anyone else is lock down cell phone functions through its policy engine).
  7. Turn off the location based functions.  Turn them back on only when you need them (which frankly is not that often).
  8. Have two cell phones – one for general use, and the other for important/secure matters.
  9. Get a Google Voice or other VoIP-type account that lets you automatically forward calls to your cell phone. Then only give out your Google Voice number. If a hacker knows your cell phone number they can go after your online account or call the cell phone provider, and sometimes change parameters of your account to give them access to your data.
  10. Be sure you have set up remote find/remote wipe on your cell phone/PDA. Back up your cell phone. Then test the remote wipe function so you are sure it works. Reload your phone from the backup.
  11. Use the designated application for accessing your email – either an email client, or an application from that specific vendor.  Do not log on to a web page to get mail via a smartphone.  It is very easy for the bad guys to create a site that looks like google mail/yahoo mail to trick you into providing your user name/password.

Paranoid (Under major attack/threat)

  1. If you are outside the US, everything you say on your smartphone, transmit wirelessly via email or text, or view on a web page is being tracked by the host government. Everything.
  2. Understand that there is a range of simple “Snoopware” programs that can be downloaded onto your cell phone, sometimes even remotely. These programs can record you even when you are not on the phone.
  3. Disable the “password save” function on your cell phone applications (Facebook, Twitter, etc.). Type the passwords in when you need them. Better yet, if totally under attack, delete all these applications.

http://www.techrepublic.com/blog/security/smartphone-security-and-the-phone-hacking-scandal/5771?tag=nl.e101

Security Beacon helps private individuals, small business owners, and others who can’t afford a large IT staff, find the key solutions needed for managing security on their computer systems, their home, their business, their cell phone, their credit cards, and more. Security Beacon takes the mystery out of confusing terms and technology. We will often select explicit software and tools that we think do a good job, are easy to understand, and for which we will monitor performance to assure you remain secure into the future while using the products.