[This article is originally published in cba.ca - Uploaded by AIRS Member: Barbara Larson] 

Identity theft, or the theft of personal information, can be the starting point to a range of crimes — from financial fraud and forgery to abuse of government programs. The thief only needs a small amount of information, as little as your name and birthdate, to start building their new identity and committing fraud. That is why combating identity theft requires the cooperation and efforts of business, law enforcement, individual consumers and the government.

Banks have highly sophisticated security systems and experts in place to protect customers’ personal and financial information and to protect them from being the victims of financial fraud. They also work closely with law enforcement to help educate consumers about steps they can take to minimize the risk of becoming a victim. Consumers also have a role to play in protecting themselves, however, and must remain vigilant.

Signs of identity theft

You could be a victim of identity theft if:

  • You are contacted by a creditor because an application for credit that you did not apply for was received in your name and with your address.
  • You receive a phone call or letter informing you that you have been denied or approved by a creditor that you never applied to.
  • You receive credit card statements or other bills, in your name, for accounts that you never applied for.
  • You no longer receive your credit card statements or any of your mail.
  • You are contacted by a collection agency informing you that they are collecting for a defaulted account established with your identity that you never opened.

What to do if you are a victim

If you think you have been a victim of identity theft, here are some important actions to take:

  • Contact your bank or credit card issuer right away – the bank will take the appropriate steps to help prevent fraud in your accounts. These steps could include canceling and reissuing credit or debit cards, investigating and reversing fraudulent transactions and providing further advice to customers.
  • Contact local police – contact your local police force and file a report about the fraud.
  • Contact Canada’s credit reporting agencies – if you suspect that you may have been a victim of identity theft, contact both of Canada’s credit reporting agencies, Equifax Canada and TransUnion Canada, and obtain a copy of your credit report. If there are creditors on the report that you have not done business with, contact those organizations and let them know you have been the victim of identity theft.
  • Consider a fraud alert for your credit files – Equifax Canada and TransUnion Canada can also put a fraud alert on your credit files. With this fraud alert, creditors that have viewed your credit report will have to contact you before extending credit. This can help prevent someone else from taking out a loan or credit card in your name.
  • Contact other organizations as necessary – other organizations and government agencies may also need to know if your personal information has been stolen and used to commit fraud. For example, you should contact government agencies such as Human Resources Development Canada (HRDC) if someone has used your Social Insurance Number to apply for government services.

Categorized in Internet Privacy

With so much of life lived online, it can be hard to remember passwords for every app and platform you're on, but re-using them is putting people at an ever-increasing risk of being hacked.

The recent data breach of food and restaurant search engine Zomato saw hackers steal 17 million users' data.

The company had to strike a deal with the hacker, who agreed to destroy all data and not sell it to someone over the dark web.

Cyber security researcher Troy Hunt said while the risk was mitigated by the company, it should be a wake-up call to users.

"If I've used that same password on Zomato and many other places, I would be quite concerned, because now someone literally has the key to get into my other services," he told 7.30.

He said the real risk is "credential stuffing": where hackers take credentials like emails and passwords from one system, and test them on a bunch of others.

"Last year we saw the LinkedIn data breach, about 158 million records were in there, they were selling that for thousands of dollars," Mr Hunt said.

"And people would buy that because then they can get the usernames and passwords and use them to break into other systems where people have re-used their credentials.

"So that might let them get into your eBay account for example, and buy things under your identity, which they can then go and sell at other places."

As they've become cheaper to make, the number of apps and websites has exploded.

But according to Chris Culnane from Melbourne University, security is often neglected.

"We're in an innovation-driven industry and you've got to be constantly innovating and constantly doing something new and security takes a long time and costs a lot of money," Professor Culnane said.

"Often the priority is getting a new app out there with a new feature and security comes as an after-thought."

What should you do if you've been hacked?

Mr Hunt, who runs a website that allows people to check whether accounts linked to their email addresses have been hacked, said there were a number of things people could do if their security information had been compromised.

"It really depends on what's happened," he said.

"My wife had her credit card exposed somewhere a couple of days ago, so obviously you cancel your credit card, change your direct debits.

"If it's been your password from a system, change your password, and take that opportunity to create different passwords everywhere, unique passwords everywhere.

"If it's been things like your personal address, and your gender and your birthdate or things that might be used for identity theft, have a look at identity protection services."

Professor Culnane agreed that passwords were key.

"The first priority is to change the passwords, to make sure that somebody can't use that information against that particular account," he said.

"Going forward, they should make sure that they're not using the same password on multiple accounts and they should try to use things like two-factor authentication or any additional security measures that service providers give them."

What else can I do to stay safe online?

One measure available to consumers is password managers, which keep track of the many unique codes people would otherwise have to remember.

Mr Hunt admitted some had been subject to vulnerabilities in recent years but said they were still worth considering.

"Probably the worst we've seen in recent years is very strongly protected passwords being exposed for a small number of people for a small amount of time," he said.

"And if you practised good password hygiene with that service — so you signed up to the password manager and you had a good, strong, unique master password — the chances of anything going wrong are actually very small.

"It's a risk trade-off, but as it stands you are much better off using a password manager and using it properly than trying to do it all in your head."

Professor Culnane believes people need to simply be less complacent about giving up their details online.

"It's become almost normal just to hand out your contact detail to any website or app and we're not really being made aware of exactly how that data's being used or how it's being stored," he said.

"[Consumers should] ask, does the app or company really need to know this information? If not, ask why they're collecting it.

"If you're not paying for the product, you probably are the product.

"Your data is becoming their revenue stream, so ask, 'should they be collecting it? Are you getting something in return for it?'"

Source: This article was published on abc.net.au by Lauren Day



Cloak & Dagger vulnerability uses Android's own features to fool users.

Do you like downloading and trying a wide range of Android games and apps? You may want to rethink that habit, or at least proceed with caution. A newly disclosed Android vulnerability means miscreants can use apparently harmless apps to fool you into giving them "permission" to take control of your phone or tablet and watch everything you do with it.

Researchers at UC Santa Barbara and the Georgia Institute of Technology recently revealed a vulnerability they call Cloak & Dagger that can let miscreants use your phone's own permissions against you. It works like this: You download and run a new app. As so many apps do, it pops up an opening screen that asks you to agree to something. That something could be almost anything: Click here to watch our tutorial video. Or proceed to the game. It doesn't really matter what the app appears to be asking you to do. What it's really doing is asking your permission for administrative powers that let it use your phone for...whatever it likes.

How does it manage to fool you? Using an Android feature called "Draw over other apps," in which an image or dialog box appears on top of anything else that might be on your device's screen. The "chat heads" used by Facebook Messenger are one example of how this works.

Google routinely grants apps the right to draw over other apps if they request it. Such overlays can be highly useful, but a cleverly crafted drawing could be laid on top of an Android warning about granting an app extensive permissions, while making it appear that you're saying OK to something completely different. One example is that it can activate accessibility functions. That allows the nefarious app to see and record your keystrokes, as some accessibility functions need to do in order to function.

What can you do about it? Unfortunately current versions of Android do not ask for your permission for a newly installed app to draw over other apps. So to find out if you're affected, begin by going into Settings, clicking on apps, and then clicking on settings from the app listing (the gear in the upper right). At the bottom of the list that appears, you'll find "Special access." Click that to see which apps have the right to draw over other apps. You can get detailed information about this vulnerability and how to check your device here.

Google has known about this vulnerability for some time now--the researchers alerted the company months before telling the rest of us. And the company says it is able to detect and block Play Store apps that take advantage of it. So a good place to start would be to avoid downloading Android apps from anywhere other than the Play Store unless you know and trust the source. And hope that Google finds a way to close this security loophole soon.

Source: This article was published on inc.com by Minda Zetlin


Think your password is secure? You may need to think again. People's perceptions of password strength may not always match reality, according to a recent study by CyLab, Carnegie Mellon's Security and Privacy Institute.

For example, participants expected ieatkale88 to be roughly as secure as iloveyou88; one said "both are a combination of dictionary words and are appended by numbers." However, when researchers used a model to predict the number of guesses an attacker would need to crack each password, ieatkale88 would require four billion times more guesses to crack because the string "iloveyou" is one of the most common in passwords.

"Although participants generally had a good understanding on what makes passwords stronger or weaker, they also had some critical misunderstandings of how passwords are attacked and assumed incorrectly that their passwords need to withstand only a small number of guesses," said Blase Ur, the study's lead author and a Ph.D. student studying societal computing in Carnegie Mellon's School of Computer Science.

Participants, on average, also believed any password with numbers and symbols was a strong password, which is not always true. For example, p@ssw0rd was thought to be more secure than pAsswOrd, but the researchers' attacker model predicted that it would take 4,000 times more guesses to crack pAsswOrd than p@ssw0rd. In modern password-cracking tools, replacing letters with numbers or symbols is predictable.

"In order to help guide users to make stronger passwords, it is important for us to understand their perceptions and misperceptions so we know where interventions are needed," said Lujo Bauer, a co-author on the study and a professor in Carnegie Mellon's Department of Electrical and Computer Engineering and Institute for Software Research.

The CyLab researchers' study was presented and awarded an honorable mention at this week's Association for Computing Machinery (ACM) Conference on Human Factors in Computing Systems in San Jose, California.

The team of researchers, based in the CyLab Usable Privacy and Security (CUPS) Lab, asked 165 online participants—51% male, 49% female from 33 U.S. states ranging from 18 to 66 years of age—to rate the comparative security and memorability of 25 carefully juxtaposed password pairs. In addition, participants were asked to articulate how they would expect attackers to try to guess their passwords.

"As companies are designing tools that help people make passwords, they should not only be giving users real-time feedback on the strength of their passwords, but also be providing data-driven feedback on how to make them stronger," Ur said.

The team will incorporate these findings into an open-source password feedback tool, which they aim to release before the end of the year.

Other authors of the study included Research Assistant Sean Segreti, Institute for Software Research and Engineering and Public Policy professor Lorrie Cranor, Electrical and Computer Engineering Assistant Research Professor Nicolas Christin and Penn State undergraduate engineering student Jonathan Bees.

Test your perceptions of password security through an online passwords quiz, produced by Nature

Source : This article was published in techxplore.com By Daniel Tkacik


One of the most popular passwords in 2016 was "qwertyuiop," even though most password meters will tell you how weak that is. The problem is no existing meters offer any good advice to make it better—until now.

Researchers from Carnegie Mellon University and the University of Chicago have just unveiled a new, state-of-the-art password meter that offers real-time feedback and advice to help people create better passwords. To evaluate its performance, the team conducted an online study in which they asked 4,509 people to use it to create a password.

"Instead of just having a meter say, 'Your password is bad,' we thought it would be useful for the meter to say, 'Here's why it's bad and here's how you could do better,'" says CyLab Security and Privacy Institute faculty Nicolas Christin, a professor in the department of Engineering and Public Policy and the Institute for Software Research at Carnegie Mellon, and a co-author of the study.

The study will be presented at this week's CHI 2017 conference in Denver, Colorado, where it will also receive a "Best Paper Award." A demo of the meter can be viewed here.

"The key result is that providing the data-driven feedback actually makes a huge difference in security compared to just having a password labeled as weak or strong," says Blase Ur, lead author on the study, formerly a graduate student in CyLab and currently an assistant professor at the University of Chicago's Department of Computer Science. "Our new meter led users to create stronger passwords that were no harder to remember than passwords created without the feedback."

The meter works by employing an artificial neural network: a large, complex map of information that resembles the way neurons behave in the brain. The team conducted a study about this neural network approach that received a Best Paper Award at the USENIX Security conference in August 2016. The network "learns" by scanning millions of existing passwords and identifying trends. If the meter detects a characteristic in your password that it knows attackers may guess, it'll tell you.

"The way attackers guess passwords is by exploiting the patterns that they observe in large datasets of breached passwords," says Ur. "For example, if you change Es to 3s in your password, that's not going to fool an attacker. The meter will explain about how prevalent that substitution is and offer advice on what to do instead."

This data-driven feedback is presented in real-time, as a user is typing their password out letter-by-letter.
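The two findings above, that ieatkale88 and iloveyou88 differ enormously in guessability and that undoing the E-to-3 style of substitution is routine for attackers, can be illustrated with a small rule-based feedback function. This is an added example written for this page, not the CMU/Chicago meter (which is a neural network) and not code from the study; the substitution table and the short list of common password bases are constructed stand-ins for the breached-password datasets the text describes.

```python
import re

# Undo the usual "leet" substitutions so that p@ssw0rd is judged as "password".
# Assumed mapping for this example; "1" is mapped only to "i", a fuller meter
# would try every ambiguous reading ("1" -> "l" as well).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed stand-in for the large breached-password datasets the meter learns from.
COMMON_BASES = {"password", "iloveyou", "qwertyuiop", "letmein", "welcome", "monkey"}

TRAILING_DIGITS = re.compile(r"\d+$")


def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions and drop trailing digits (e.g. '88')."""
    return TRAILING_DIGITS.sub("", password.lower().translate(LEET_MAP))


def feedback(password: str) -> list[str]:
    """Return human-readable reasons the password is guessable.

    An empty list means none of these checks fired; it is not a proof of strength.
    """
    findings = []
    if len(password) < 12:
        findings.append("shorter than 12 characters")

    base = normalize(password)                               # with substitutions undone
    plain = TRAILING_DIGITS.sub("", password.lower())        # substitutions left in place
    if base in COMMON_BASES:
        if plain != base:
            findings.append(f"undoing substitutions (@->a, 0->o, 3->e, ...) leaves "
                            f"'{base}', one of the most common passwords")
        else:
            findings.append(f"'{base}' is one of the most common passwords")

    if TRAILING_DIGITS.search(password):
        findings.append("ends in digits, a pattern attackers try by default")

    return findings


if __name__ == "__main__":
    for pw in ("iloveyou88", "ieatkale88", "p@ssw0rd", "correct horse battery staple"):
        print(pw, "->", feedback(pw) or "no findings")
```

ieatkale88 is still flagged for its length and its trailing digits, but not for a common base, which is the distinction the study's participants missed.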

The team has open-sourced their meter on GitHub.

"There's a lot of different tweaking that one could imagine doing for a specific application of the meter," says Ur. "We're hoping to do some of that ourselves and also engage other members of the security and privacy community to help contribute to the meter."

Source: This article was published on phys.org

An unusually sophisticated identity phishing campaign appeared to target Google's roughly 1 billion Gmail users worldwide, seeking to gain control of their entire email histories and spread itself to all of their contacts, Google confirmed Wednesday.
 
The worm — which arrived in users' inboxes posing as an email from a trusted contact — asked users to check out an attached "Google Docs," or GDocs, file. Clicking on the link took them to a real Google security page, where users were asked to give permission for the fake app, posing as GDocs, to manage users' email account.
To make matters worse, the worm also sent itself out to all of the affected users' contacts — Gmail or otherwise — reproducing itself hundreds of times any time a single user fell for it.
The strategy is a common one, but the worm that was released Wednesday caused havoc for millions of users because of its unusually sophisticated construction: Not only did the malicious link look remarkably realistic and trustworthy, but the email that delivered it also appeared to come from someone users already know — and the payload manipulated Google's real login system.
 
Google said it had "disabled" the malicious accounts and pushed updates to all users. The vulnerability was exposed for only about one hour, and a spokesperson told NBC News on Wednesday night that it affected "fewer than 0.1 percent of Gmail users" — which would still be about 1 million.
 
"While contact information was accessed and used by the campaign, our investigations show that no other data was exposed," the spokesperson said.
 
It could have been a potential calamity for unsuspecting victims: With control of your Gmail account, scammers can harvest any personal data you've ever sent or received in an email. That can allow them to generate password-reset requests on scores of other services, potentially letting the hackers take over, for example, your Amazon, Facebook or online bank accounts.
Phishing (or malware) Google Doc links that appear to come from people you may know are going around. DELETE THE EMAIL. DON'T CLICK. 
 
Employees and others connected to large companies, especially educational institutions and journalism organizations, began flooding social media about 2:30 p.m. ET reporting that they'd received the malicious email.
 
Be careful, Twitter people with Gmail accounts! Do not click on the "doc share" box. It's a solid attempt at phishing. 

What you can do

While the malicious email was a dead ringer for a real message from a trusted friend, there was one key giveaway: The mail was sent to a fake mailinator.com address in the main recipient field. Users' addresses were included in the BCC field.
 
If you received a Gmail message with the mailinator.com address as the main recipient, report it as phishing by clicking the down arrow beside the reply button and selecting "Report phishing." Then delete it.
 
If you do click on the malicious link, don't grant permission when the fake GDocs app asks for it.
 
If, unfortunately, you fell for the scam and granted permission to the hackers, go to your Google connected sites console and immediately revoke access to "Google Docs." (If you don't trust the embedded link here — which is generally a good thing — you can manually type the address into your browser: https://myaccount.google.com/security?pli=1#connectedapps)
 
While you're at it, it's a good idea to revoke permission for any app listed there that you don't recognize.
 
Finally, change your Google password.
 
Source : This article was published in cnbc.com By Alex Johnson

Facebook is undoubtedly the biggest social media platform today, making it, among other things, a target for hackers on darknet markets.

Stolen data are a popular buy on various darknet markets for criminals looking for new identities to hide their clear web activities.

As such, data breaches like the theft of Facebook usernames and passwords are not uncommon.

In a bid to protect its users, Facebook employs more than just the use of secure software to keep out criminals who supply the darknet markets with stolen information.

Facebook buys the leaked passwords from the hackers in the various darknet markets, cross-references them with existing user passwords, then sends an alert to the affected users to reset their passwords or make them a lot stronger to ensure their account’s safety.

Cross-referencing Process is Heavy


Facebook purchases stolen passwords from hackers on various darknet markets and uses them to improve their users’ online safety.

Facebook’s Chief of Security Alex Stamos admits that the process is not easy at all, but is very effective.

He mentioned that the biggest threat to the safety of user accounts is weak passwords and the reusing of passwords.

He highlights that, despite the security team’s efforts to keep Facebook secure from hackers looking to make a coin on darknet markets, ensuring user accounts safety is an entirely different and notably more difficult aspect.

Facebook’s security team apparently began their data mining venture shortly after the massive data breach of Adobe in 2013.

Their primary goal was to seek out users with weak, reused passwords that were shared on the Facebook and the Adobe platform.

Since then, they have continued to purchase leaked passwords from the various darknet markets in a bid to ensure their users’ continued safety.

Passwords are Secure

For those who are concerned about their passwords being accessed by the Facebook security team, Facebook's security incident response manager assures them that the method used to cross-reference the passwords to the respective owners’ accounts is in no way similar.

At the time they began buying the passwords from darknet markets, they ran the plaintext passwords through a one-way hash function in order to link the passwords to their respective accounts.

The hash of each recovered password is then compared with the hashes that Facebook already stores.

If the two hashes match under Facebook’s security process, Facebook identifies the user and sends them a request to change their password in order to enhance account security.
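The cross-referencing step described above, as an added example for this page (not Facebook's code; Facebook's actual hashing scheme is not described here, so salted PBKDF2-HMAC-SHA256 stands in for it). A constructed breach dump in the common "email:password" form is checked against a constructed user table that holds only salts and hashes, and the result is the list of accounts to notify.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor; a real deployment tunes this


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash of a password with a per-user salt (stand-in for the site's scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(email: str, password: str, salt: bytes) -> dict:
    """Build a user record; only the salt and hash are kept, never the plaintext."""
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}


# Constructed user table with fixed salts so the example is reproducible.
USERS = [
    make_record("alice@example.com", "correct horse battery staple", b"salt-alice-0001"),
    make_record("bob@example.com", "qwertyuiop", b"salt-bob-00002"),
    make_record("carol@example.com", "ieatkale88", b"salt-carol-0003"),
]

# Constructed dump from some other site's breach: one "email:password" pair per line.
LEAKED_DUMP = """\
bob@example.com:qwertyuiop
carol@example.com:Tr0ub4dor&3
dave@example.com:hunter2
a malformed line with no separator
"""


def parse_dump(text: str) -> list[tuple[str, str]]:
    """Extract (email, password) pairs; passwords may themselves contain ':'."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip lines that do not fit the expected form
        email, _, password = line.partition(":")
        pairs.append((email.strip().lower(), password))
    return pairs


def find_reused_credentials(users: list[dict], dump_text: str) -> list[str]:
    """Return the emails of users whose stored hash matches their leaked password.

    Each leaked plaintext is hashed with that user's own salt and compared in
    constant time; the plaintext is not stored, only the comparison outcome.
    """
    by_email = {u["email"]: u for u in users}
    to_notify = []
    for email, leaked_password in parse_dump(dump_text):
        record = by_email.get(email)
        if record is None:
            continue  # no account here for that email address
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            to_notify.append(email)
    return to_notify


if __name__ == "__main__":
    for email in find_reused_credentials(USERS, LEAKED_DUMP):
        print(f"{email}: password reused from the breached site, send reset request")
```

Carol appears in the dump but used a different password on this site, so she is not contacted; only Bob, who reused qwertyuiop, gets the reset request.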

Facebook’s Move May Be Encouraging Cyber-crime

As expected, there has been outcry concerning the morality of the whole situation.

Purchasing stolen information from cyber-criminals in the various darknet markets could only promote their activities, especially now that they realize Facebook will simply pay them to return the stolen passwords.

Stamos admits that the use of passwords and usernames are more than a bit outdated.

Usernames and passwords date from 1970s mainframe systems, and the security they provide is no longer sufficient on its own.

This is largely why Facebook later adopted additional security measures, such as the identification of Facebook friends alongside its original two-factor authentication process, to determine whether an account has been compromised.

They have also enhanced the account recovery significantly by making it possible to allow close friends to help in the verification of your account recovery request.

Stamos insists that despite all the security measures they use to protect their users from cybercriminals, there will always be users who choose to skip these measures, and so it falls to the security team to ensure their account security.

Author:  Darknet Markets

Source:  https://darkwebnews.com/darknet-markets/facebook-buys-leaked-passwords-darknet-markets


When it comes to safeguarding your Internet security, installing antivirus software or running a secure Linux OS on your system does not mean you are safe from all kinds of cyber-threats.

Today the majority of Internet users are vulnerable to cyber attacks, not because they aren't using antivirus software or other security measures, but because they are using weak passwords to secure their online accounts.

Passwords are your last lines of defense against online threats. Just look back to some recent data breaches and cyber attacks, including high-profile data breach at OPM (United States Office of Personnel Management) and the extra-marital affair site Ashley Madison, that led to the exposure of hundreds of millions of records online.

Although you can not control data breaches, it is still important to create strong passwords that can withstand dictionary and brute-force attacks.

You see, the longer and more complex your password is, the much harder it is to crack.

How to Stay Secure Online?

Security researchers have always advised online users to create long, complex and different passwords for their various online accounts. So, if one site is breached, your other accounts on other websites are secure enough from being hacked.

Ideally, your strong password should be at least 16 characters long, should contain a combination of digits, symbols, uppercase letters and lowercase letters and most importantly the most secure password is one you don't even know.

The password should be free of repetition and not contain any dictionary word, pronoun, your username or ID, and any other predefined letter or number sequences.

I know this is a real pain to memorize such complex password strings and unless we are human supercomputers, remembering different passwords for several online accounts is not an easy task.

The issue is that today people subscribe to a lot of online sites and services, and it's usually hard to create and remember different passwords for every single account.

Luckily, to make this whole process easy, there's a growing market for password managers for PCs and phones that can significantly reduce your password memorizing problem, along with curing your bad habit of setting weak passwords.

What is Password Manager?


Password Manager software has come a very long way in the past few years and is an excellent system that both allows you to create complex passwords for different sites and remember them.

A password manager is just software that creates, stores and organizes all your passwords for your computers, websites, applications and networks.

Password managers that generate passwords and double as a form filler are also available, and these can enter your username and password automatically into login forms on websites.

So, if you want super secure passwords for your multiple online accounts, but you do not want to memorize them all, Password Manager is the way to go.

How does a Password Manager work?

Typically, Password Manager software works by generating long, complex, and, most importantly, unique password strings for you, and then stores them in encrypted form to protect the confidential data from hackers with physical access to your PC or mobile device.

The encrypted file is accessible only through a master password. So, all you need to do is remember just one master password to open your password manager or vault and unlock all your other passwords.

However, you need to make sure your master password is extra-secure and at least 16 characters long.

Which is the Best Password Manager? How to Choose?

I've long recommended password managers, but most of our readers always ask:

  • Which password manager is best?
  • Which password manager is the most secure? Help!

So, today I'm introducing some of the best password managers currently available for Windows, Linux, Mac, Android, iOS and Enterprise.

Before choosing a good password manager for your devices, you should check for the following features:

  • Cross-Platform Application
  • Works with zero-knowledge model
  • Offers two-factor authentication (multi-factor authentication)

Note: Once adopted, start relying on your password manager because if you are still using weak passwords for your important online accounts, nobody can save you from malicious hackers.

Best Password Managers for Windows


Windows users are most vulnerable to cyber attacks because the Windows operating system has always been the favorite target of hackers. So, it is important for Windows users to make use of a good password manager.

Some other top password managers for Windows: Keeper, Password Safe, LockCrypt, 1Password, and Dashlane.

1. Keeper Password Manager (Cross-Platform)


Keeper is a secure, easy-to-use and robust password manager for your Windows, Mac, iPhone, iPad, and iPod devices.

Using military-grade 256-bit AES encryption, Keeper password manager keeps your data safe from prying eyes.

It has a secure digital vault for protecting and managing your passwords, as well as other secret information. The Keeper password manager application supports two-factor authentication and is available for every major operating system.

There is also an important security feature, called Self-destruct, which, if enabled, will delete all records from your device if an incorrect master password is entered more than five times.

But you don't need to worry, as this action will not delete the backup records stored on Keeper's Cloud Security Vault.

Download Keeper Password Manager: Windows, Linux and Mac | iOS | Android | Kindle

2. Dashlane Password Manager (Cross-Platform)


DashLane Password Manager software is a little newer, but it offers great features for almost every platform.

DashLane password manager works by encrypting your personal info and accounts' passwords with AES-256 encryption on a local machine, and then syncs your details with its online server, so that you can access your accounts database from anywhere.

The best part of DashLane is that it has an automatic password changer that can change your accounts' passwords for you without having to deal with it yourself.

DashLane Password Manager app for Android gives you the secure password management tools right to your Android phone: your password vault and form auto-filler for online stores and other sites.

The DashLane Password Manager app for Android is completely free to use on a single device; to sync across multiple devices, you can buy a premium version of the app.

Download DashLane Password Manager: Windows and Mac | iOS | Android

3. LastPass Password Manager (Cross-Platform)

LastPass is one of the best password managers for Windows users, and it comes with browser extensions, mobile apps and desktop apps for all major browsers and operating systems.

LastPass is a powerful cloud-based password manager that encrypts your personal information and account passwords with AES-256 and offers a variety of two-factor authentication options, so that no one else can log into your password vault.

LastPass comes in a free version and a premium version that adds fingerprint reader support.

Download LastPass Password Manager: Windows, Mac, and Linux | iOS | Android

Best Password Manager for Mac OS X

People often say that Macs are more secure than Windows PCs and that "Macs don't get viruses," but that is not entirely correct.

As proof, you can read our previous articles on cyber attacks against Mac and iOS users, and then decide for yourself whether you need a password manager.

Some other good password managers for Mac OS X: 1Password, Dashlane, LastPass, OneSafe, PwSafe.

1. LogMeOnce Password Manager (Cross-Platform)

LogMeOnce Password Management Suite is one of the best password managers for Mac OS X, and it also syncs your passwords across Windows, iOS and Android devices.

LogMeOnce is a premium and enterprise password management product with a wide variety of features and options, including a Mugshot feature.

If your phone is ever stolen, Mugshot tracks the thief's location and secretly photographs the intruder when they try to get into your account without permission.

LogMeOnce protects your passwords with AES-256 encryption and offers two-factor authentication, so that even a thief who has your master password in hand cannot get into your account.

Download LogMeOnce Password Manager: Windows and Mac | iOS | Android

2. KeePass Password Manager (Cross-Platform)

Although LastPass is one of the best password managers, some people are not comfortable with a cloud-based one.

KeePass is a popular password manager for Windows, but browser extensions and mobile apps for KeePass exist as well.

KeePass stores your password database in a file on your PC, so you stay in control of it; if you want it on several devices you can keep that file in Dropbox or another sync service.

KeePass encrypts the database with AES-256 by default, or optionally with Twofish-256.

KeePass is not just free, but it is also open source, which means its code and integrity can be examined by anyone, adding a degree of confidence.

Download KeePass Password Manager: Windows and Linux | Mac | iOS | Android

3. Apple iCloud Keychain

Apple introduced iCloud Keychain as a convenient way to store and automatically sync your login credentials, Wi-Fi passwords and credit card numbers securely across your approved Apple devices, including Mac OS X, iPhone and iPad.

Your secret data in Keychain is encrypted with 256-bit AES (Advanced Encryption Standard) and protected with elliptic-curve asymmetric cryptography and key wrapping.

iCloud Keychain also generates new, unique and strong passwords for you to protect your computer and accounts.

Major limitation: Keychain does not work with browsers other than Apple's Safari.

Best Password Manager for Linux

No doubt some Linux distributions are among the safest operating systems in existence, but as I said above, adopting Linux does not by itself protect your online accounts from hackers.

There are a number of cross-platform password managers that sync your account passwords across all your devices, such as LastPass, KeePass and RoboForm.

Below I have listed three popular password managers for Linux:

1. SpiderOak Encryptr Password Manager (Cross-Platform)

SpiderOak's Encryptr is a zero-knowledge, cloud-based password manager that protects your passwords using the Crypton JavaScript framework, developed by SpiderOak and recommended by Edward Snowden.

It is a cross-platform, open-source and free password manager that uses end-to-end encryption and works on Ubuntu, Debian, Linux Mint and other Linux distributions.

The Encryptr application itself is very simple and comes with only basic features.

Encryptr lets you store three kinds of entries: passwords, credit card numbers and general text/keys.

Download Encryptr Password Manager: Windows, Linux and Mac | iOS | Android

2. EnPass Password Manager (Cross-Platform)

Enpass is an excellent security-oriented password manager for Linux that works well on other platforms too. Enpass lets you back up and restore your stored passwords via third-party cloud services, including Google Drive, Dropbox, OneDrive and ownCloud.

It protects your data with a master password and encrypts it with 256-bit AES using the open-source SQLCipher encryption engine before any backup is uploaded to the cloud.

"We do not host your Enpass data on our servers. So, no signup is required for us. Your data is only stored on your device," Enpass says.

Additionally, by default Enpass locks itself after one minute when you leave your computer unattended and clears the clipboard every 30 seconds, so that other, possibly malicious, software cannot read your passwords from it.

Download Enpass Password Manager: Windows and Linux | Mac | iOS | Android

3. RoboForm Password Manager (Cross-Platform)

You can easily find good password managers for Windows, but RoboForm goes a step further.

Besides creating complex passwords and remembering them for you, RoboForm also offers a smart form filler that saves you time while browsing the web.

RoboForm encrypts your logins and account passwords with AES, using a key derived from your RoboForm master password.

RoboForm is available for browsers like Internet Explorer, Chrome and Firefox, as well as for mobile platforms, with apps for iOS, Android and Windows Phone.

Download RoboForm Password Manager: Windows and Mac | Linux | iOS | Android

Best Password Manager for Android

Android runs on the majority of the world's smartphones, so it is essential for Android users to secure their online accounts against hackers who constantly target these devices.

Some of the best password manager apps for Android include 1Password, Keeper, Dashlane, Enpass, OneSafe, mSecure and SplashID Safe.

1. 1Password Password Manager (Cross-Platform)

The 1Password app for Android is one of the best apps for managing all your account passwords.

1Password creates strong, unique passwords for every account, remembers them all for you and logs you in with a single tap.

1Password secures your logins and passwords with AES-256 and syncs them to all your devices via your Dropbox account, or stores them locally for another application to sync if you prefer.

Recently the Android version of 1Password added fingerprint support, so you can unlock your vault without typing the master password.

Download 1Password Password Manager: Windows and Mac | iOS | Android

2. mSecure Password Manager (Cross-Platform)

Like other popular password managers, mSecure for Android generates secure passwords for you and stores them encrypted with 256-bit Blowfish.

mSecure's distinctive feature is its ability to self-destruct the database after 5, 10 or 20 failed attempts (your choice) to enter the right password.

You can also sync all your devices via Dropbox or over a private Wi-Fi network. In either case your data is transmitted encrypted between devices, regardless of the security of your cloud account.

Download mSecure Password Manager software: Windows and Mac | iOS | Android

Best Password Manager for iOS

As I said, Apple's iOS is also prone to cyber attacks, so you can use one of the best password manager apps for iOS to secure your online accounts, including Keeper, OneSafe, Enpass, mSecure, LastPass, RoboForm, SplashID Safe and LoginBox Pro.

1. OneSafe Password Manager (Cross-Platform)

OneSafe is one of the best password manager apps for iOS devices; it lets you store not only your account passwords but also sensitive documents, credit card details, photos and more.

OneSafe encrypts your data behind a master password with AES-256 and supports Touch ID. There is also an option to set additional passwords for individual folders.

OneSafe also offers an in-app browser that supports autofill of logins, so you don't need to enter your login details every time.

Besides this, OneSafe provides further protection for your passwords with features like auto-lock, intrusion detection, self-destruct mode, a decoy safe and double protection.

Download OneSafe Password Manager: iOS | Mac | Android | Windows

2. SplashID Safe Password Manager (Cross-Platform)

SplashID Safe is one of the oldest and best password manager tools for iOS; it lets users store their login data and other sensitive information securely in encrypted records.

All your information, including website logins, credit card and social security data, photos and file attachments, is protected with 256-bit encryption.

SplashID Safe for iOS also provides web autofill, so you do not have to copy and paste your passwords into login forms.

The free version of SplashID Safe comes with basic record storage; premium subscriptions add cross-device syncing among other features.

Download SplashID Safe Password Manager: Windows and Mac | iOS | Android

3. LoginBox Pro Password Manager

LoginBox Pro is another great password manager app for iOS. It offers single-tap login to any website you visit, making it a fast and convenient way to sign in to password-protected sites.

The LoginBox app for iOS combines a password manager with a browser.

From the moment you install it, all your login actions, including entering information, tapping buttons, checking boxes and answering security questions, are completed automatically by LoginBox.

For security, LoginBox uses hardware-accelerated AES encryption and a passcode to encrypt your data, which is saved on your device itself.

Download LoginBox Password Manager: iOS | Android

Best Online Password Managers

Using an online password manager is the easiest way to keep your personal and private information safe from hackers and other people with malicious intent.

Here I have listed some of the best online password managers that you can rely on to keep yourself safe online:

1. Google Online Password Manager

Did you know Google has its own password manager?

Google Chrome has a built-in password manager that offers to save your password whenever you sign in to a website or web service using Chrome.

All of your stored account passwords are synced with your Google Account, making them available on every device signed in to the same Google Account.

Chrome's password manager also lets you manage all your saved passwords from the web.

So if you prefer a different browser, like Microsoft Edge on Windows 10 or Safari on iPhone, just visit passwords.google.com and you will see a list of all the passwords you have saved with Chrome. The list is protected by your Google Account password and, if you have enabled it, Google's two-factor authentication.

2. Clipperz Online Password Manager

Clipperz is a free, cross-platform online password manager that does not require you to download any software. Clipperz uses a bookmarklet or sidebar to create and use direct logins.

Clipperz also offers an offline version that lets you download your passwords to an encrypted disk or a USB drive, so you can take them with you while traveling and access your account passwords when you are offline.

Clipperz's features also include a password strength indicator, application locking, SSL-secured connections, one-time passwords and a password generator.

Clipperz works on any computer with a JavaScript-capable browser.

3. Passpack Online Password Manager

Passpack is an excellent online password manager with a competitive set of features that creates, stores and manages passwords for your different online accounts.

Passpack also lets you share your passwords safely with family or coworkers, which makes managing multiple projects, team members, clients and employees easier.

Your usernames and passwords are encrypted with AES-256 before they are stored on Passpack's servers, so even an attacker who gains access to those servers cannot read your login information.

Install the Passpack toolbar in your web browser and browse the web normally. Whenever you log into a password-protected site, Passpack saves your login data so that you do not have to enter your username and password on its site manually.

Best Enterprise Password Manager

Over the last 12 months we have seen some of the biggest data breaches in the history of the Internet, and the number keeps growing year over year.

According to published statistics, most employees do not even know how to protect themselves online, which puts their company's business at risk.

To keep password sharing within an organization secure, there are password management tools designed specifically for enterprise use, such as Vaultier, CommonKey, Meldium, PassWork and Zoho Vault.

1. Meldium Enterprise Password Manager Software

LogMeIn's Meldium comes with a one-click single sign-on solution that lets businesses access web apps securely and quickly.

It automatically logs users into apps and websites without their typing usernames and passwords, and it also tracks password usage within your organization.

Meldium is ideal for sharing accounts among team members without revealing the actual password, which helps protect the organization from phishing, since users never see or type the password themselves.

2. Zoho Vault Password Management Software

Zoho Vault is one of the best password managers for enterprise users; it helps your team share passwords and other sensitive information quickly and securely while monitoring each user's activity.

All your team members need to install is the Zoho browser extension; Zoho Vault then automatically fills in passwords from your team's shared vault.

Zoho Vault also lets you monitor your team's password usage and security level, so you know who is using which login.

The Zoho Vault enterprise-level package even alerts you whenever a password is changed or accessed.

For Extra Security, Use 2-Factor Authentication

No matter how strong your password is, there is still a chance that hackers will find some other way into your account, for example through a phishing page or a stolen password database.

Two-factor authentication is designed to address this. Besides your password it requires a second code; in the simplest setups that code is sent to your mobile number by SMS or to your email address. SMS and email codes are much better than nothing, but a code generated by an authenticator app (TOTP) or a hardware security key is considerably stronger: SMS can be intercepted through SIM swapping, and an email account is itself usually protected only by a password.

So I recommend that you enable two-factor authentication now, alongside a password manager, to secure your online accounts and sensitive information from hackers.

Author:  Swati Khandelwal

Source:  http://thehackernews.com/

Categorized in Science & Tech

Choosing and managing passwords is the fundamental security measure under the client's control. Even if the application and its server are impenetrable, that means absolutely nothing if your password can be cracked by an average Joe.

You would think that all security-conscious people would know how to protect themselves, but I frequently see cases like these:

CaliConnect's Private PGP Key & Account Password Was "asshole209"

Twitter – Launched & Hacked in 2 Hours (Password was: 123123123…)

Cantina Marketplace PWND: Admin Password was: "Password1" ?!

This tutorial explains how passwords get cracked even when the server and client side are protected. How effective these methods are depends heavily on the attacker's processing power, which we'll analyze after the attack methods.

If you just want the easy way to be safe, jump to 'Easy way to manage strong passwords'.

Brute Force Attack

A brute-force attack enumerates every possible password candidate and checks each one. It is not an elegant method, but sometimes it's all that's needed. It is feasible only against short or otherwise very weak passwords.

Dictionary Attack

A dictionary attack is a variant of the brute-force attack in which the attacker gathers all available information about the targeted password(s) and builds a 'dictionary': a customized list of password candidates, typically starting with the most common passwords, followed by frequently used dictionary words and combinations of them. The dictionary then usually contains all those words with common prefixes and suffixes, such as numbers and punctuation signs.

Dictionary attacks are relatively easy to defeat by choosing a password that is not a simple variant of a word found in any dictionary. Many password-cracking tools have built-in dictionaries. This page collects information on the most popular tools, their dictionaries and collections of leaked passwords for analysis in one place.
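As an added example (mine, not part of the deepdotweb article), the following Python implements both attacks just described against an unsalted SHA-256 hash: a dictionary pass with a tiny set of mangling rules of the kind real tools apply (case changes, appended digits and punctuation), then a brute-force pass over a small character set. The wordlist and the target passwords are constructed for the demo, and the hash function, helper names and rule set are this example's assumptions; real tools ship rule files with thousands of such rules.

```python
import hashlib
import itertools
import string

# Constructed mini-wordlist; real dictionaries hold millions of entries.
WORDLIST = ["password", "qwerty", "letmein", "dragon"]


def sha256_hex(password: str) -> str:
    """Unsalted fast hash: the kind of target these attacks are cheap against."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word: str):
    """Yield a word and common variants of it. Case changes plus a few
    appended/prepended digits and symbols are a tiny subset of the rule
    sets cracking tools apply to every dictionary entry."""
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    for base in bases:
        yield base
        for suffix in ("1", "12", "123", "!", "1!", "2016", "2017"):
            yield base + suffix
        for prefix in ("1", "!"):
            yield prefix + base


def dictionary_attack(target_hash: str, wordlist):
    """Try every word and its mangled variants; return the password or None."""
    for word in wordlist:
        for candidate in mangle(word):
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def brute_force(target_hash: str, charset: str, max_len: int):
    """Enumerate every string of length 1..max_len over charset, i.e.
    A^1 + ... + A^max_len candidates. Returns (password or None, guesses)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def crack(target_hash: str, wordlist=WORDLIST,
          charset: str = string.ascii_lowercase + string.digits, max_len: int = 3):
    """Cheap dictionary pass first; exhaustive search only as a fallback."""
    found = dictionary_attack(target_hash, wordlist)
    if found is not None:
        return found, "dictionary"
    found, _ = brute_force(target_hash, charset, max_len)
    return found, ("brute-force" if found else "not found")


if __name__ == "__main__":
    for pw in ("Password1", "!Dragon", "z9x", "aswdtt,JMSIO12W"):
        print(pw, "->", crack(sha256_hex(pw)))
```

The last target survives both passes: it is not a mangled dictionary word, and at 15 characters it is far beyond the three-character brute-force budget, which already costs 36 + 36^2 + 36^3 guesses.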

Rainbow Tables

This attack is used when the attacker has obtained the password database. It's worth mentioning here because the complexity of your password protects you even if the server is compromised. Protection-wise, it's enough to know that a strong password does the trick here as well.

Skip this part if you just want to secure yourself without bothering with hashing, rainbow tables and salting.

Databases shouldn't contain plaintext passwords, only password hashes. A hash is the output of a one-way function: cheap to compute from the input, but infeasible to reverse. When you log in, the server computes the hash of the value you entered and compares it with the one stored in the database.

A very simple illustration: take the number 4 as input, square it (16), take the natural log (2.7726), multiply by pi (8.7103) and take the factorial (gamma function): 189843.119. Now ask a friend how 189843.119 is related to 4. Chances are no one can figure it out. (A real hash function is far harder to invert than this toy, which anyone who knows the steps can undo one by one.)

Password hashes often look like this: qiyh4XPJGsOZ2MEAyLkfWqeQ

So when an attacker compromises the password database he should not be able to recover your password (or can he? read on). This is where the rainbow table comes in: a precomputed table of passwords and their hashes. (Strictly, a real rainbow table stores chains built from the hash and a 'reduction' function to save space; the plain lookup table below shows the same idea.) The attacker compares the hashes in his table with those in the database; wherever they match, the password is revealed. Here's a short example.

This is what we can find in the database:

User            Password hash
RegularUser1    HgkHJgKHgKhKGhjfhgKvkGjKG
Administrator   qiyh4XPJGsOZ2MEAyLkfWqeQ

Let's try to find the Administrator's hash in the rainbow table:

Password    Hash
password    asdh4DFGsOZ2MEAyLkfWqES
qwerty      qi8H8R7OM4xMfdMPuRAZxlY
pass1234    GsOZ2MEAM4xPuRAZxlqiyAFiy
passw0rd    qiyh4XPJGsOZ2MEAyLkfWqeQ   <- match: the Administrator's password is passw0rd
abcdefgh    nKv3LvrdAVtOcE5EcsGIpYBtniN


That's why servers should 'salt' the hash by mixing a random value into the computation. The attacker can then no longer just download a finished rainbow table: he has to build a custom one for that salt, which takes a long time because password hash functions are deliberately slow. If a different salt is used for each password, the attacker needs a custom table for every password, which is not feasible. The salt is stored next to the hash; it's no secret, since its only job is to make the attacker's computer do a lot of work.

There's only so much the server side can do for you; it's up to you to choose a strong password. If the attacker targets you specifically, he may build a table for your salt. It's up to you to have a password that will not be in it.

I'm surprised how many sensitive web services still allow weak passwords.
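To see the difference salting makes, here is an added example (mine, not the article's) in Python: a precomputed lookup table over the five candidates from the table above cracks an unsalted SHA-256 hash instantly, the same table is useless against a record with a per-user random salt, and an attacker who wants that one record has to re-run the slow key derivation for every candidate. PBKDF2-HMAC-SHA256 with a deliberately low demo iteration count, the wordlist, the passwords and the function names are all this example's assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist: the same five candidates as the table above.
WORDLIST = ["password", "qwerty", "pass1234", "passw0rd", "abcdefgh"]


def fast_unsalted_hash(password: str) -> str:
    """What a careless server stores: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> password once; it then works against every
    unsalted database that uses the same hash function."""
    return {fast_unsalted_hash(w): w for w in wordlist}


def lookup(table: dict, stored_hash: str):
    """The whole 'attack' against an unsalted hash is a dictionary lookup."""
    return table.get(stored_hash)


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256: the per-user salt makes precomputed tables useless,
    and the iteration count makes every single guess cost ~100k hash operations
    (a demo value; production deployments use more, or Argon2/scrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store(password: str) -> dict:
    """What the server should store: a fresh random salt next to the slow hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": slow_salted_hash(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = slow_salted_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def crack_salted(record: dict, wordlist):
    """The attacker's only option against a salted record: rebuild the table
    for this one salt, paying the full KDF cost for every candidate."""
    salt = bytes.fromhex(record["salt"])
    for word in wordlist:
        if hmac.compare_digest(slow_salted_hash(word, salt), record["hash"]):
            return word
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(lookup(table, fast_unsalted_hash("passw0rd")))  # passw0rd, instantly
    rec = store("passw0rd")
    print(lookup(table, rec["hash"]))                     # None: the salt defeats the table
    print(crack_salted(rec, WORDLIST))                    # passw0rd, but only after KDF runs for this salt
```

Note that `crack_salted` still succeeds for passw0rd: the salt removes the precomputation shortcut and the KDF multiplies the cost of each guess, but neither helps a password that is in the attacker's list. That is the article's point about the strong password being your part of the job.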

Practical analysis of these attacks

The times analyzed represent offline attack speed. Online attacks are much slower, but it makes sense to aim for a password strong enough against offline attacks, because that is the maximum speed and it's only a few more characters away.

Password complexity depends on two characteristics: length and the number of different characters. For example, with an 8-digit password (numbers only, so 10 possible characters) each of the 8 positions can hold any of 10 characters, so there are 10 × 10 × 10 × 10 × 10 × 10 × 10 × 10 = 10^8 possible combinations. If the attacker has a Pentium 4D 3.2 GHz processor he can try about 2 million passwords per second, so the password can be broken in 10^8 / (2 × 10^6) = 50 seconds.

Formula for the number of combinations the attacker needs to try:

    A^B

where A is the number of different possible characters and B is the password length.

If the password length is unknown, the attacker will usually try only the shortest ones first. Say he wants to try all 8-, 9- and 10-character passwords; the number of combinations is then A^8 + A^9 + A^10.

Exponential growth

Luckily for us, password complexity rises exponentially with length. In the example above (digits only) each extra character multiplies the number of combinations by 10.
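The following added example (not from the article) turns the formula into code: it computes A^B, the A^8 + A^9 + A^10 case, and the time to exhaust the key space at the article's two rates, 2 million guesses per second for the single processor and 5 000 times that for the cluster. The rates and the 126-character alphabet are the article's figures, not measurements of mine; the function names are this example's own.

```python
# Assumptions taken from the article: a single Pentium 4D 3.2 GHz tries about
# 2 million passwords per second, and the "cluster" is 5 000 such processors.
RATE_INDIVIDUAL = 2_000_000
RATE_CLUSTER = 5_000 * RATE_INDIVIDUAL

CHARSETS = {                              # alphabet sizes used in the article
    "digits": 10,
    "lowercase+digits": 36,
    "mixed-case+digits+punctuation": 126,  # the article's count (printable ASCII is 95)
}

_UNITS = [("year", 365 * 86400), ("day", 86400), ("hour", 3600),
          ("minute", 60), ("second", 1)]


def combinations(alphabet_size: int, length: int) -> int:
    """A^B: every one of the B positions can hold any of A characters."""
    return alphabet_size ** length


def combinations_up_to(alphabet_size: int, min_len: int, max_len: int) -> int:
    """A^min + ... + A^max when the attacker tries a range of lengths."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_crack(alphabet_size: int, length: int, rate: float) -> float:
    """Worst case: the attacker has to try the whole key space."""
    return combinations(alphabet_size, length) / rate


def human(seconds: float) -> str:
    """Round a duration to its largest sensible unit, e.g. '16 days'."""
    if seconds < 1:
        return "< 1 second"
    for name, size in _UNITS:
        if seconds >= size:
            n = seconds / size
            return "%s %s%s" % (format(n, ",.0f"), name, "" if round(n) == 1 else "s")
    return "< 1 second"


def crack_table(alphabet_size: int, max_len: int):
    """Rows of (length, combinations, individual time, cluster time)."""
    return [(n,
             combinations(alphabet_size, n),
             human(seconds_to_crack(alphabet_size, n, RATE_INDIVIDUAL)),
             human(seconds_to_crack(alphabet_size, n, RATE_CLUSTER)))
            for n in range(1, max_len + 1)]


if __name__ == "__main__":
    print("8 digits at 2M/s: %.0f seconds" % seconds_to_crack(10, 8, RATE_INDIVIDUAL))
    for row in crack_table(CHARSETS["lowercase+digits"], 12):
        print("%2d %28d %14s %14s" % row)
```

`crack_table(36, 12)` produces the rows for the 36-character set; every entry in the cluster column is exactly 5 000 times smaller than the individual one, which is what the stated assumption requires. Swapping `RATE_INDIVIDUAL` for a modern GPU's rate against a fast hash is the quickest way to see why the lengths below should be read as minimums.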

Here is a table for passwords containing only lowercase English letters and digits, 36 different characters (combinations = 36^length). Times are rounded; the right-hand column is the individual time divided by 5 000, i.e. 10^10 guesses per second:

Length (B)   Combinations (36^B)          Individual capability   5 000x individual
1            36                           < 1 second              < 1 second
2            1 296                        < 1 second              < 1 second
3            46 656                       < 1 second              < 1 second
4            1 679 616                    < 1 second              < 1 second
5            60 466 176                   30 seconds              < 1 second
6            2 176 782 336                18 minutes              < 1 second
7            78 364 164 096               11 hours                8 seconds
8            2 821 109 907 456            16 days                 5 minutes
9            101 559 956 668 416          1.6 years               3 hours
10           3 656 158 440 062 976        58 years                4 days
11           131 621 703 842 267 136      2 100 years             5 months
12           4 738 381 338 321 616 896    75 000 years            15 years


[Chart: days to crack against password length for the 36-character set (letters and numbers). Blue: a single Pentium 4D 3.2 GHz processor, affordable processing power for an individual. Red: someone who can use 5 000 such processors.]

We can see that length 12 is the sweet spot. It gets even safer if we expand the character set to uppercase and lowercase letters, numbers and punctuation signs. Taking 126 possible characters (standard printable ASCII has 95, so the times below are slightly generous):

Length (B)   Combinations (126^B)          Individual capability   5 000x individual
1            126                           < 1 second              < 1 second
2            15 876                        < 1 second              < 1 second
3            2 000 376                     1 second                < 1 second
4            252 047 376                   2 minutes               < 1 second
5            31 757 969 376                4 hours                 3 seconds
6            4 001 504 141 376             23 days                 7 minutes
7            504 189 521 813 376           8 years                 14 hours
8            63 527 879 748 485 376        1 000 years             74 days
9            8 004 512 848 309 157 376     127 000 years           25 years

[Chart: days to crack against password length for the 126-character set. Blue: a single Pentium 4D 3.2 GHz processor, affordable processing power for an individual. Red: someone who can use 5 000 such processors.]

Conclusion

Using only lowercase (or only uppercase) letters and numbers, you need a password at least 11 characters long.

If you use both lowercase and uppercase letters, numbers and punctuation signs, you need at least 8 characters.

Neither should be predictable enough to be part of a dictionary attack list. I would recommend a 12-character password drawn from the wide character set.

Keep in mind that the 2 million guesses per second above is a mid-2000s desktop CPU: a single modern GPU tries billions of MD5 or NTLM hashes per second, so for services that use a fast unsalted hash these lengths are a floor, not a target.

Easy way to Manage Strong Passwords

A different password should be used for each sensitive account, because attackers routinely try a password they have compromised against all your other accounts.

A password should be at least 12 characters long and include uppercase and lowercase letters, a number and a punctuation sign. You can easily meet those requirements by mashing the keyboard, but the result would be hard to remember.

Password Manager

A password manager lets you use hundreds of different passwords while remembering only one: the master password that opens the encrypted password database. Needless to say, this one password must be strong and well protected (not written down anywhere).

Most password managers can generate strong passwords with a cryptographically secure random generator and display the entropy of the result. A good password manager also offers some resistance to key logging, clipboard logging and other memory-spying techniques.

To create one strong password that's easy to remember, you can use a great source of entropy: your mind. Think of a sentence or two, something like 'any sentence will do the trick, Just Make Sure It's Over 12 Words'. The password is the first letter of each word: aswdtt,JMSIO12W. You can remember the sentence easily and recreate the password later. Ideally the sentence includes a punctuation sign and a number.
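As an added example (mine, not the article's), the Python below does what the two paragraphs above describe: it draws passwords from the operating system's cryptographically secure generator, checks them against the 12-character, four-class rule, reports the entropy of a uniformly random password, and reproduces the first-letters trick with the article's own sentence. The function names and the 94-character alphabet are this example's choices.

```python
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII characters (space excluded).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_policy(password: str, min_len: int = 12) -> bool:
    """The article's rule: at least 12 characters with a lowercase letter,
    an uppercase letter, a digit and a punctuation sign."""
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Pick each character uniformly with the OS CSPRNG (`secrets`, never
    `random`) and resample until the policy holds, so the result stays
    uniform over the set of compliant passwords of this length."""
    if length < 4:
        raise ValueError("need at least four characters to satisfy the policy")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, min_len=length):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2(A^B) for a uniformly random password: the figure a manager displays."""
    return length * math.log2(alphabet_size)


def mnemonic(sentence: str) -> str:
    """The article's trick: first letter of each word, keeping numbers whole
    and trailing punctuation attached to its word."""
    out = []
    for word in sentence.split():
        if word.isdigit():
            out.append(word)
            continue
        out.append(word[0])
        if word[-1] in string.punctuation:
            out.append(word[-1])
    return "".join(out)


if __name__ == "__main__":
    pw = generate(16)
    print(pw, "%.1f bits" % entropy_bits(len(pw), len(ALPHABET)))
    print(mnemonic("any sentence will do the trick, Just Make Sure It's Over 12 Words"))
```

One caveat the arithmetic makes visible: `mnemonic()` is deterministic, so its output has only as much entropy as the sentence behind it. A 15-character result looks like about 98 bits (15 × log2 94) but is worth far less if the sentence is a well-known quote, whereas the generator's output really is 6.55 bits per character.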

There are many similar tricks out there if you don’t like this one.

Pattern

So you don't like installing a manager? Think of a good pattern that is not obvious. For example: pick two numbers, 6 and 7; surround your password with 67 and with shift+6 = & and shift+7 = /; and uppercase the 6th and 7th letters. If your password right now is password, then 67passwORd&/ is easy to remember and strong. The word can be something you can remember for each site, but stay away from obvious choices like the domain name.

Avoid common letter-number substitutions like o - 0 and i - 1; every cracking rule set includes them. Here's the same link once again; I highly recommend taking a look at the common dictionaries and tools attackers may use against you.

Source:  deepdotweb.com

Categorized in News & Politics

One responsibility Facebook has toward its users is to make sure their accounts are not easy to hijack. That means building security systems, but there is always one problem: the most vulnerable point of any online system is the user who does not take proper care of their own information.

That usually shows up as weak and reused passwords. It doesn't matter if the company has built Fort Knox: if someone has your email address and your password is "123456", your only chance of not being hacked is to have two-step verification enabled. Face it: if your password really is "123456", you probably haven't turned on the second verification step either.

Facebook, however, has taken an unorthodox approach to the problem. Alex Stamos, the company's chief security officer, told CNET that Facebook deals directly with cybercriminals on the deep web to buy databases of passwords stolen by hackers.

Those stolen databases reveal a great deal about human behaviour on the Internet. By analysing a huge number of passwords you can see which ones recur most often, and are therefore the weakest. In a dump of 1 million passwords, imagine how many times "123456" will show up. You may suddenly discover that a lot of people use the password "kittens", which makes it dangerous.

By buying these stolen databases, Facebook can run that analysis and also compare the leaked passwords against its own password database (which stores hashes, not plaintext). Stamos says this comparison is computationally heavy, but it has let the social network alert tens of millions of users that their passwords were not safe.

The executive explains that Facebook has tools that offer users more security, such as the two-step verification mentioned above. Whether to use them is the user's prerogative, but the company says it is its responsibility to look after those who choose not to turn the features on.
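What such a comparison involves can be sketched in code. The added example below (mine, not Facebook's, whose internals the article does not describe) stores users with per-user salts and a slow hash, counts the most frequent entries in a constructed "leaked" list, and re-derives every distinct leaked password under each user's salt to find the accounts to alert. PBKDF2 with a low demo iteration count, the sample users and the leak are all assumptions of the example.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 50_000  # demo value; production deployments use far more


def kdf(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256, an assumption here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(users: dict, name: str, password: str) -> None:
    """Store only a random per-user salt and the slow hash, never the password."""
    salt = os.urandom(16)
    users[name] = (salt, kdf(password, salt))


def most_common_passwords(leaked, n: int = 3):
    """Frequency analysis of a dump: the recurring entries are the ones to ban."""
    return Counter(leaked).most_common(n)


def users_to_alert(users: dict, leaked) -> set:
    """Re-derive every distinct leaked password under each user's own salt and
    compare in constant time. Because salts differ per user, the work is
    |users| x |distinct leaked passwords| KDF runs: that is the 'heavy' part,
    and it is the price of not keeping plaintext passwords."""
    candidates = set(leaked)
    hits = set()
    for name, (salt, stored) in users.items():
        for pw in candidates:
            if hmac.compare_digest(kdf(pw, salt), stored):
                hits.add(name)
                break
    return hits


# Constructed sample data, not from any real dump.
LEAK = ["123456", "kittens", "123456", "password", "123456", "kittens"]


def demo() -> set:
    users = {}
    register(users, "alice", "123456")
    register(users, "bob", "kittens")
    register(users, "carol", "aswdtt,JMSIO12W")
    return users_to_alert(users, LEAK)


if __name__ == "__main__":
    print("most common:", most_common_passwords(LEAK, 2))
    print("alert:", sorted(demo()))
```

Only alice and bob are flagged; carol's password is not in the leak, and nothing about her hash is revealed by the check.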

Source:  olhardigital.uol.com.br

Categorized in Science & Tech