ATTOG Technologies

Specializing in Small Business IT Security

Email Security Best Practices

by Leave a Comment

We all have multiple email accounts and many of us do always have the best plan in place to secure and recover those accounts. Let’s cover some basics and tips that I use to maintain my email infrastructure. The tips will vary depending on your email provider, but can be adapted to your unique situation.

I like to start form the end and work my way backwards when it comes to security. What I mean is, the recovery account will be configured first and then I will move back to my normal mail accounts.

My recovery email is with a provider such as Tutanota because I can recover that account with a “key”. When creating this account, try and create an address that is random and can not be traced back to you (not your name, nickname, pet’s name, etc). You will only use this account as a recovery address and it will only be used as a recovery in one place. Enable this account with a hardware security token such as a Yubikey. Use a long password from your password manager (I use LastPass). After creating and securing the account, save your recovery key in two places, a paper copy in your safe and an electronic copy in an encrypted container on a flash drive.

My next step back is to create an account with Protonmail (I like the Plus plan so I can create alias addresses) again using a unique username and strong password. The recovery for this account will be Tutanota. Secure Protonmail with Authy or something similar. Export your PGP key and store it in your encrypted container. Enable two-password mode.

Once I have my recovery pieces in place, I can then move to my daily use mailbox. I will assume your normal mail is with one of the major providers (Google, Yahoo, Microsoft), but if you are using something different you may not have all of the options.

Find your security and recovery settings and start by updating your recovery address to be your Protonmail account (use an alias for this). Verify your recovery phone number and make sure to add one if you have not. If your account has security questions, pick any of the options and using your password manager store your (made up) answers to these questions. Do not answer them truthfully as that information can be gathered easily (you have not been doing those Facebook quizzes, have you).

Once you have your recovery information in place, proceed to update your password to something long and secure (using your password manager). Then enable and configure your 2FA/MFA options. I suggest using the YubiKey as your primary and using Authy as your secondary options. This allows you to log in any mobile and desktop devices with ease while still providing for a high level of security. Make sure you are not using SMA as an option unless that is the only option your provider offers.

If your provider does not support secure passwords, recovery options, and 2FA/MFA then you should look for a different email provider.

Privacy and Security News and Tips 20160830

by Leave a Comment

Software is like Lego. You can make anything with it, but it may not be appropriate. — Stuart Sherman, CEO of IMC Worldwide

Weekly Tip

Protecting your Personally Identifiable Information

May you live in interesting times. When it come to technology and its impact on our daily lives, we have arrived at those interesting times. Every time you turn around we have a new “connected” device whether it be our toaster, refrigerator, TV, or light bulb, we have something new to think about when it comes to protecting our security and that of our family. The internet of things has arrived in all of its glorious geekness for us to secure and defend.

homenetwork

Think about your home network and how it has evolved over time form a simple dial-up connection on a single computer. We didn’t think about firewalls and security, but we also did not stay constantly connected to all that exists beyond our personal networks. Now, with everyone having an always on broadband connection, many of us rely on the “firewall” provided by our internet providers. Have your noticed they never need a password to work on it or update it, no matter who you work with at your provider. That is because they have hard coded back doors into your network. Can they be trusted? What about if someone else gets access to that information? What about the devices on your network, are they secure from the internet or each other? It is time to take matters into your own hands and think about adding some extra layers of protection to your network. The lengths you take this to will vary based on your needs, but you should consider using your own firewall inside of your network that blocks your provider getting to your computers. If you also have smart devices like cameras, lights, outlets, etc, you may want to think about a second firewall to keep all of those devices away from your computers and away from your internet provider. The image to the left shows a subset of my network, so you see 3 networks to segment different security zones. These are all set so the outside of each of my zones faces the inside of the provider and the outside of theirs goes to the internet. This can obviously be adjusted and expanded based on your needs, but in this configuration each segment allows for high levels of security and still gives you the ability to embrace the latest connected device (toothbrush).

When it comes to our security, we have to weigh the need for security and connectivity and make the most informed choices that will protect our data, devices, and privacy. Without the knowledge of what your devices will do, you may be sharing your nanny cam with the world, or allowing your neighbor access to unlock your doors and control your lights. You may be giving your passwords and voice recording to some overseas group. Embrace the technology, but make sure you go in with your eyes wide open to the probability that security was the last thing they thought of if that.

Interesting News

How to prevent your IoT devices from being forced into botnet bondage

Opera warns sync users to change passwords for every website after hack

Fantom Ransomware Poses As Windows Update, Encrypts Your Files For Fun

WhatsApp to start sharing data with Facebook

Disable WPAD now or have your accounts and private data compromised

Privacy and Security News and Tips 20160726

by Leave a Comment

Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.Clifford Stoll

Weekly Tip

We all have numerous passwords that we count on in our daily lives, but how safe and secure is that password? Have you shared it with anyone? Were you aware that a federal court has made sharing passwords illegal? Do you use a password manager? Today I saw news of a zero-day vulnerability on Lastpass.

Protecting your Personally Identifiable Information

We must be ever-vigilant with our passwords and password managers as well as two-factor authentication (2FA) (see links for more). Despite a federal ruling on sharing passwords, one of our presidential candidates asked their potential VP and his entire family, including grown children, to share all of their social media passwords with the campaign. California has ruled in favor of employers demanding the social media passwords of employees (long-standing ruling). There are numerous other examples of overreaching attempts at circumventing your privacy and security, so we all must be fully aware of what is and is not legal as well as what we will and will not allow when it comes to our data and privacy. It is best practice to use a password manager, 2FA, secure passwords, unique passwords for each and every location that requires a password, and to change passwords on a regular schedule based on the data that is being protected. It is also a good idea to make sure you are aware of the latest issues and/or updates for your password manager of choice.

It is your security that is at stake and you must take every reasonable step to protect it in this ever-changing digital landscape.

Interesting News

NIST Says SMS-Based Two-Factor Authentication Isn’t Secure

ACCESS TO SOCIAL MEDIA USERNAMES AND PASSWORDS

Privacy and Security News and Tips 20160712

by Leave a Comment

Nobody can hurt me without my permission.Mahatma Gandhi

Weekly Tip

As I read this week’s news about Pokemon Go and how it has full access to your Google Account on your phone and subsequently online it caused me to re-examine the access that I have granted to applications on my phone. When you do this, you will be surprised at what they want to access.

Protecting your Personally Identifiable Information

Our phones each have a different way of granting privileges to applications and some give us more control over each piece than others. The scary piece is when an application wants to access your call records or to be able to make a phone call when it has no business even interfacing with that section of your device. I have seen and read about applications accessing every part of the phone in what can only be seen as poor coding on the part of the developer, a blatant attempt to infect and control your device, or a lack of knowledge on the part of the developer with regards to the actual needs of the application. If you have the access to limit what rights are given, it is in your best interest to do so. Turn off access to contacts, sms, phone calls, gps, photos, etc if the application does not need access. This will make your phone more secure and efficient, and therefore will protect your privacy and increase your level of security. It is also a good idea to periodically look at these settings in case an update changes them.

We all use our phones for contact, news, entertainment, and more. What we need to do is be aware of how someone might corrupt that process to their benefit or to our detriment. Be safe, be smart, and be aware.

Interesting News

Pokemon Go Has Full Access Permissions to Your Emails and Documents

Google to change app permissions for ‘Pokémon Go’ after security concerns

Senator voices concerns about ‘Pokemon GO’ data privacy

Privacy and Security News and Tips 20160705

by Leave a Comment

On the soft bed of luxury many kingdoms have expired.Andrew Young

Weekly Tip

Protecting your Personally Identifiable Information

As time progresses and smartphone technology advances, we become ever more reliant on the power and presence of the computer we carry in our pockets. With everything it does and contains it is truly indispensable in so many ways that if we were to lose it or have it compromised we would be in dire straights.
Beyond the standard ideas of a secure pin or passcode of at least six characters and locking your device when you are not using it, there are other things to consider. One piece that many people do not think about is the authenticity and reliability of the software they install. Do you? All of the different phone platforms have an app store, and their own standards and rules for getting an app in the store. This does not always protect you as the user, and some platforms allow you to add apps from alternative sources. All of this opens us up to the chance of getting infected with malware. An application I have been happy with and been using for years is Lookout. They were recently featured on 60 minutes in a great piece about cell phone hacking. They watch and protect against malware, offer a tracking and alert option, and also a backup option for your contacts, all in the free version (iOS and Android).

There are many options and settings for protecting your phones no matter the platform or data you store and consume, so make sure to research and determine your particular needs. Remember, it is your privacy and your security at stake so it is your responsibility to make sure that anyone that wants to affect that is hindered to the best of your ability or those you enlist to aid you in this important endeavor.

Interesting News

How to Crack Android Full Disk Encryption on Qualcomm Devices

Apple iOS App Store riddled with malware — XcodeGhost haunts hundreds of apps

BlackBerry to Stop Making Classic Smartphone, Shares Fall

Privacy and Security News and Tips 20160628

by Leave a Comment

Law-abiding citizens value privacy. Terrorists require invisibility. The two are not the same, and they should not be confused.Richard Perle

Weekly Tip

Protecting your Personally Identifiable Information

In this ever changing time, and with the constant influx of social media platforms to choose from, everyone is likely to find something that intrigues them. We have Twitter for short thoughts, Facebook for long ones, Periscope for videos, Instagram for photos, and numerous other for everything under the sun.

If you are one to flock to a certain platform, or even multiple platforms, be aware and ever vigilant with your privacy, security, and safety as well as that of your family. Each and every platform has some level of privacy and security setting that will allow you to control what information is used and shared with other users, the platform, and possibly their affiliates. This information can be your location, your shopping and/or browsing habits and history, your posts, your photos, your personal information such as name, address, phone numbers, and email address(es). If you do use social media, put some thought into what you do want to share, and make sure to fully explore all of the settings and options for the platform(s) you choose so that you can remain as safe and secure as possible while still participating in the social expanse.

As always, your privacy and security are up to you to control. And while it takes time now, and on a regular schedule to maintain said privacy and security, the peace of mind and the knowledge that you and your family are less likely to be a victim is well worth it.

Interesting News

Social media apps are tracking your location in shocking detail

Location Tracking: 6 Social App Settings To Check

Social Networking Privacy: How to be Safe, Secure and Social

How Social Media Privacy Settings Could Affect Your Future

Privacy and Security News and Tips 20160621

by Leave a Comment

There’s no harm in hoping for the best as long as you’re prepared for the worst.Stephen King, Different Seasons

Weekly Tip

With the summer travel season in full swing and the current state of our world it is wise to be prepared for problems,which brings us to a tip I read some time ago and have had in practice since then with minor adjustments for changing technology and environments.

Protecting your Personally Identifiable Information

Think about the contents of your wallet or purse. How many credit and debit cards, id cards, medical information, passports, etc do you have or take when you travel? What happens if you lose them or they are stolen? Do you have medical issues, severe allergies, medical devices? What would you do if you were in a foreign country and had to replace the cards, prove who you are, or needed medical attention after having your wallet or purse stolen? Have you ever thought about making an emergency flash drive to carry your important information securely. I have, and that is today’s tip. To make this drive you will need a few items.

  • A physically small flash drive that is at least 2 GB formatted with exFat for maximum compatibility
  • A copy of VeraCrypt
  • Access to a scanner

The basic layout is as follows.

  1. Format the drive exFat
  2. In the root of the flash drive you will have a text file (MUST BE PLAIN TEXT) with some basic information (name, address, phone, “I AM AN AMERICAN CITIZEN”, “I HAVE INSURANCE”, include emergency contacts also) Title this file EMERGENCY.
  3. A file titled “Medical” that lists your medications, and allergies to drugs, foods, or bugs, as well as your primary care physician’s contact information. This document says “I HAVE HEALTH INSURANCE” at the top of it, so that you don’t run the risk of being denied treatment. If you have traveler’s insurance, put that info in here as well.
  4. A file of “credit card contact info” with details for each card you carry. Use this to quickly cancel your cards if your wallet is lost or stolen. Do not include the CC number, CVV, or expiration date. That data is in the secured partition of the drive.
  5. A scanned image copy or digital photo of your insurance card, front and back.
  6. A web browser. You can get portable versions of Chrome, Firefox, and other browsers that will run directly from the drive—more secure than using a public terminal loaded with who-knows-what snoopware.
  7. Install VeraCrypt and create a portable install on the flash drive
  8. Create an encrypted container on the flash drive approx 1GB in size and make sure to use a memorable but highly secure password
  9. In the container you will have the following items:
    1. Scanned copies of each of your credit and debit cards, front and back. (jpg format)
    1. A file titled “CCNs” that lists the account numbers, expiration dates, and CVVs of your cards as well as the toll-free contact numbers and international collect call numbers for each company. (plain text)
    2. The routing and account number for bank accounts, phone numbers to your local bank’s branch office. Be ready to have money wired or to freeze accounts. (plain text)
    3. Scanned copies or digital photos of your passport, your driver’s license, and at least one other form of state-issued photo identification. (jpg format)

Now that you have this drive, you will need to determine the best means of transport and security for the location and environment. There are drives that are “rugged” and will be fine on their own in most environments, but if you will be in a rainy location you may consider a watertight container. The drive should be on you at all times while traveling and should not be on your keys in case of theft. I carry mine in a “go tube” inside my clothing, but you can wear it as a necklace under your clothes or secure it to the inside of your clothes somehow. The idea is to have it not be subject to a pickpocket or being lost.

Interesting News

Facebook begins tracking non-users around the internet

Stop Facebook From Following You Around the Web

Secret Text in Senate Bill Would Give FBI Warrantless Access to Email Records

Web developers, meet WebGazer: software that turns webcams into eye-trackers

Privacy and Security News and Tips 20160614

by Leave a Comment

Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.Kevin Mitnick

Weekly Tip

Protecting your Personally Identifiable Information

The past few weeks brought news of a rush of new hacks and old ones brought back to light. We saw LinkedIn, Tumbler, and Twitter with breaches in the tens of millions of accounts. We saw major celebrities get hacked from Mark Zuckerberg and Lana Del Rey, Katy Perry, the NFL, and DeRay Mckesson.

The story of DeRay Mckesson (see links) is the ultimate motivation for this tip. While most of the celebrity hacks were achieved due to poor security practices such as reused passwords across platforms, weak passwords, and not using two factor authentication (2FA) where available, DeRay was following all of the best practices and was still hacked. When you consider 2FA uses your cell number to send you a text in many cases, have you secured your carrier account with all of the available security measures they offer? In many cases someone can call in and have a new phone assigned to your number which will allow them to receive your 2FA codes and bypass your security. You should visit you cellular account and make sure to enable a security pin right away. It is free and easy and will give you that extra layer of protection that could be the difference between security and insecurity despite all of you other efforts.

As always I do suggest strong, unique passwords for every account as well as unique usernames when feasible. I also suggest unique disposable email addresses for each account if possible. To make this manageable a good password manager is also recommended.

Interesting News

DeRay Mckesson, activist, disavows Trump endorsement after being ‘super hacked’

Mark Zuckerberg’s Twitter and Pinterest accounts hacked, LinkedIn password dump likely to blame

Check your BITS, because deleting malware might not be enough

Researchers Turn Smartphone Vibration Motor into Microphone to Spy on You