Here's a nice little tool that can keep you occupied this Friday afternoon and help you understand how hackers go about guessing passwords.
It uses real-world data — including passwords that have been made public by security breaches, and phrases commonly used online — to provide three 'best guesses' each time you enter a letter.
This reflects the kind of technique hackers might use when trying to guess passwords with brute force (basically, trying loads of passwords until they find one that works).
Once you've typed your whole password, you can see how many characters Telepathwords was able to guess. Five or more ticks above your password shows that it's reasonably strong.
Apple's iPhone 5s has one particularly striking new feature. There's a fingerprint reader built into the phone's home button, which means you can unlock the phone and authorise purchases using your fingerprint instead of having to tap in a code or password.
As with many of Apple's apparent innovations, this has been done before. Motorola's ATRIX handset has a fingerprint scanner and that launched in 2011. The only problem was reviews found it to be unreliable.
First impressions of the iPhone's fingerprint scanner, on the other hand, suggest that it works very well. If it proves reliable over time, then the new iPhone could be the first in a wave of products that bring fingerprint recognition to the masses.
At face value, this is A Good Thing. Who hasn't struggled to recall an impossible-to-remember password at some point or other? As we've said before on this very blog, 'passwords are fundamentally broken'.
Before we start using fingerprints for everything from mobile phones to internet banking, some experts reckon it would be an idea to think through the implications in a little more detail. After all, your fingerprint is very different to a password because it can't be changed.
Data protection expert Johannes Caspar put it well in a recent article for German newspaper Der Speigel:
"The biometric features of your body, like your fingerprints, cannot be erased or deleted. They stay with you until the end of your life and stay constant — they cannot be changed. One should thus avoid using biometric ID technologies for non-vital or casual everyday uses like turning on a smartphone."
In short, your fingerprint is a one-shot deal. Once it's compromised, that's it.
As if to back up his point, a hacker club already claims it's managed to fool the iPhone's fingerprint reader by taking a photo of a fingerprint and using it to create a fake finger.
But if that's the case, surely it's silly to rely on fingerprints to provide any sort of meaningful protection at all. Using a fingerprint to authorise a bank transfer? Forget it. Controlling building access via fingerprints alone? Probably a no-go.
Then — of course — there are other fringe concerns about relying on fingerprints. The Daily Mail (who else?) warns iPhone thieves might start lopping off people's fingers. And what do you do if you've hurt a finger (pictured)?
Ultimately, the arguments over the stength of fingerprint-based systems are likely to be trumped by the convenience factor. If using your finger to unlock your phone is easier and faster than tapping in a code then people will use it.
It's unlikely fingerprints will ever be used for authentication in more critical circumstances except when combined with something else. This 'two-factor' authentication usually requires something you have (your fingerprint) and something you know (perhaps a password or PIN).
So, get ready: the fingerprint revolution is on the way.
How much time do you spend thinking about IT security? Unless you have been affected by a security problem, you may have never given it much thought.
Your business probably has a number of people accessing its computer systems who are likely to manage their own passwords.
If they manage their own passwords, that means they are setting their own levels of security for your network. Beryl in accounts only comes in once a week, so she can’t be expected to remember anything complicated, can she? What’s wrong with ‘password’ anyway?
And Steve in the sales team dearly loves his fiancée, so why shouldn’t he have ‘Nicola’ as his password?
Passwords like these are a really bad idea because they’re easy to guess. In fact, ‘password’ is probably the worst you could possibly choose.
Not using effective passwords puts your entire system and company data at risk. Here’s how to come up with strong passwords.
Does every computer in your business have up-to-date security software? And do you assume that this is sufficient to protect them, no matter what they subsequently do online?
If you’ve answered ‘yes’ to both those questions, well done for having the software. But don’t think your job is done.
Staying safe isn’t just about having the right security software in place. The safest users are the ones who are well-informed, so help your staff to understand how your security software works, what spam, viruses and other threats look like … and how to spot a malware-infested website.
Make sure you have an IT security policy that explains what your people need to do to stay safe.
Firewalls act as a filter between your business network and the outside world. They allow safe traffic through, but block questionable connections before they can do harm.
Here’s a quick checklist to help you get your IT security basics right:
It is important your employees have safe, secure tools to go about their work with minimum risk to the business. Over and above that, they should be empowered and informed about security threats so they know how best to respond.
If you’re in any doubt about the security of your business, speak to an IT security specialist (perhaps your regular IT supplier) who can discuss your needs and the potential risks.
Adrian Case is technical director at Akita.
How often do you send confidential business documents via email? Weekly? Daily? Several times a day?
It's hardly surprising that we turn to business email when we need to send a document. It's quick, convenient and universal — pretty much everyone you need to contact has an email address.
But have you considered security? Any sensitive information contained in or attached to your emails will be stored on your company's email server. Often, this isn't scrambled or protected in any way.
If your server was hacked, for example, it would be trivial for online criminals to access this important information.
What's more, unless you take steps to hold on to it, the data on your email server won't stick around for ever. It might get automatically deleted after 30, 60 or 90 days.
If your company ever faces legal action, information about when you sent an email and what it contained can play a significant role in your defence. But only if you still have it, and can prove that it's not been tampered with.
An archiving system can help you address the security issues, while also ensuring you have a complete record of all emails sent and received by your company.
In fact, a proficient and advanced email archival program will keep all your emails and attached data safe, such as PDFs and Word documents.
You can be sued for breach of contract or unfair dismissal years after the event itself, so it may be a good idea to keep your email archive for six years or so. If you choose a good archiving system, that data will be stored in encrypted form and be easily searchable, so you can quickly find what you want.
If you've decided the time is right to store your confidential company data, you can outsource the work to a company that specialises in document archiving.
They will be able to offer a range of options to copy all your data and store it in a secure archive. And — of course — you'll benefit from their specialist knowledge and experience.
Alternatively, it is possible to create your data archive in-house. Doing this requires significant knowledge and effort, because you need to maintain your archive on an ongoing basis.
Whichever option you choose, you need to make sure it does the job it is supposed to do. That way you can avoid data breaches and external tampering, as well as having the necessary data to hand if you need it.
Leilah Osher is a small business consultant who specialises in writing about business storage services and document archiving.
We said PHISHING, not fishing.
In 2013, most of us are now aware of the online threat known as 'phishing', where cyber criminals use various techniques to gain access to your email or social media accounts or, worse, get hold of your bank account or credit card details.
However, you might not realise that phishing has evolved. Criminals now use increasingly sophisticated con tricks and scare tactics to dupe unsuspecting victims into handing over their sensitive data.
These days, phishing emails are less likely to come from fictitious foreign royalty and more likely to come from one of your social media connections or a trusted business contact – at least, that’s who the email will appear to come from
In reality, the sender will be a skilled confidence trickster prepared to spend time and effort slowly reeling you in.
Last year, the German Federal Court ruled that where people had fallen for phishing scams that appeared to originate from their banks, the victims were responsible for the losses, rather than the banks. This ruling may set an international precedent, which means protecting yourself against phishing could become even more important.
Here are my top three tips to avoid being hooked:
A common technique among phishing emails is to try to panic you into a kneejerk reaction.
For example, you may receive an official-looking email telling you that one of your online accounts has been compromised and urging you to update your password via a link provided.
Or you might be told your computer has a virus and that you need to download a new piece of software to repair it.
Don’t bite – these are very likely to be phishing scams.
Most reputable companies will never send emails asking for sensitive information such usernames, passwords, National Insurance numbers, bank or credit card details.
In the digital age, we’ve become accustomed to doing things quickly, often in a couple of clicks. A key to avoiding phishing is to slow things down.
If you receive an email that alarms you for any reason, treat it as highly suspicious and, above all, don’t click any links it contains.
Many phishing emails link to spoof websites that are practically identical to the real sites they are trying to mimic, such as your bank.
Some of these sites will collect your login information and then do nothing (alerting you to a problem) but others will link you back to the genuine site, covering their tracks.
If you receive an email containing a link, hover over it without clicking to reveal the web address that it will take you to.
If it contains long strings of numbers or looks different from the usual web address of the sender (e.g. if ‘Twitter’ is spelled ‘Tvvittler’), it’s dodgy. Note the address, then contact the company involved directly to find out if the email is genuine or not.
However, be aware it's not always easy to spot dubious links. It's always safer to type in the correct website address manually, then sign in yourself.
The rise of social networking has been a gift to cyber criminals. Most social network users willingly share masses of personal information on their public profiles. This often includes the names of spouses and children or family birthdays.
Unfortunately, the same people often use this information as the basis of their passwords. Scammers can also use this information to impersonate a trusted contact via an online message or email.
If you use social media, check your account settings to ensure your personal information can only be viewed by those in your network or, better still, be sensible about the information you post in the first place.
Also, never use the same password on multiple online accounts. Use a strong, unique password for each, protecting against a domino-effect where one account after another is hacked using the same password
Norman Begg works for online security company my1login.
Here's a list that might jolt you out of complacency if you're a bit lax when it comes to choosing and changing passwords.
SplashData, a leading provider of password management solutions, has put together a list of the 2012's worst passwords.
The list was compiled by analysing millions of compromised passwords that were posted online by hackers, and identifying the most common. It contains few surprises, but certainly underlines that we can all be far too slapdash when securing our online accounts.
Here are the top 10 worst passwords of 2012:
See any passwords you recognise? Change them, now. Because if you don't, it'll be child's play for a hacker to get in to your account.
Remember: the strongest passwords are as long as possible and use upper and lower-case letters, numbers and symbols. I like to choose a song lyric, take the first letters and then substitute in symbols and numbers where they're easy to remember.
For instance, the Rolling Stones' classic lines You can't always get what you want / But if you try sometimes you just might find can become:
DDoS stands for distributed denial of service. A DDoS attack sees hackers coordinate a network of computers in order to overload a web server with requests.
The result is that the server can become unavailable - taking down any websites or services that run on it.
An enormous DDoS attack hit the headlines earlier this year, sparked by a row between a spam fighting company and a web hosting firm. But it's not only high-tech firms and big companies that are at risk.
Online criminals are a far cry from what they were - in recent years they've become more sophisticated, more strategic and more debilitating to smaller businesses. In fact, they can leave your company devastated by stealing data and causing downtime.
You can be hit with a DDoS attack for all manner of reasons, including:
See the latest business tech bargains we've found online.
Or buy IT equipment now from these trusted suppliers:
And if you think your business is too small or insignificant to be worthy of a hacker's attention, here's what security firm Symantec had to say in its Internet Security Threat Report, released earlier this year:
“While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated by the fact that many small companies are typically less prepared in their cyber defenses.”
But before you panic, there are weapons you can use to protect your site and online services.
Many web hosts and internet service providers have begun to offer DDoS protection. These services monitor for unusual internet traffic and attempt to fend off DDoS attacks targeted at your site,
If you're not sure how well-protected your website is then it's worth taking some time to investigate further - especially if you rely on your website to bring in business or sell online.
Ask your web hosting firm what defences they have in place, and, if they offer a DDoS protection service, consider adding it to your account. Your web designer or IT supplier may also be able to advise on what would be the right level of protection for your company.
Would being more cyber secure help grow your business or add value for your customers and partners?
If so, you could be in line for £5,000 to spend on working with an external security expert for the first time.
These grants are available in the form of vouchers from the Technology Strategy Board. The aim is to support small companies, entrepreneurs and start-ups that see value in protecting and growing their online business by having effective cyber security.
This isn't 'free money' - the grant is paid to your business only once you show the Technology Strategy Board that you've finished the project in line with your original application and paid the supplier. (They do approve the project and supplier in advance, so as long as you stick to the plan you shouldn't be in for any unwelcome payment issues.)
It sounds like a great opportunity to improve your security if your business fits the criteria. The official website reckons you might be suitable for a voucher if you're looking to:
There's plenty of advice and guidance on the voucher website itself. A good place to start is probably this flyer (PDF link) that explains the voucher scheme and how to determine if you're eligible. The next deadline for applications is 24 July.
Unsurprisingly, UK IT suppliers are also keen to promote the voucher scheme. It was brought to our attention in a press release from security company Espion, which says it's happy to help companies with the application process.
Email firstname.lastname@example.org to find out more.
Even if cyber-security isn't where you need to invest at the moment, it may be worth having a quick look over the categories on the voucher website. Under the scheme, you can also apply for funding in areas like open data, energy and the built environment.
Sepp Blatter had his Twitter hacked this year. (Image: AsianFC on Flickr.)
Social networks. Once you've got your head round them, they can be a good way to find new customers, and a great way to build the profile of your business. Our sister site, Marketing Donut, is packed with social network advice if you need it.
See the latest business tech bargains we've found online.
Or buy IT equipment now from these trusted suppliers:
But over here on IT Donut, we like to take a more cautious view and think about the risks involved in these new channels.
Unfortunately, there are security risks attached to most aspects of business IT. And while you can certainly use tools like Twitter successfully without knowing about these concerns, if you do know about them then you're far less likely to come to any harm.
A few weeks ago, for instance, Sepp Blatter was targeted on Twitter, though given the Head of FIFA's tendency to make controversial statements, some might argue it was hard to tell. And lots of businesses have fallen victim to social network hacks, including The Telegraph, McDonalds and Jeep.
It happens to other individuals and companies all the time too, often via phishing attacks that trick people into giving away their credentials. Symantec’s Internet Security Threat Report found the number of phishing sites that spoofed social network sites increased 123% last year.
If you use Twitter - or other social networks - for your business, it's a good idea to get clued up about social network phishing attempts. Here are some tips to keep you safe:
Have you suffered any social media security problems? Leave a comment and let us know.
Do your staff understand the full risks involved if they lose their business smart phone or another mobile device that contains company data?
Quite possibly not, according to new research carried out on behalf of Kaspersky Lab. It found that over three-quarters of people working in European small and medium-sized businesses would wait more than an hour before telling the company about the theft or loss of a business-owned device.
An hour doesn't sound long, but if a company smart phone falls into the wrong hands, 60 minutes is time enough to do a whole lot of damage. Racking up call charges to premium rate or international numbers is the least of your worries. Being slow to report a stolen device could see your valuable company data being siphoned off.
See the latest business tech bargains we've found online.
Or buy IT equipment now from these trusted suppliers:
Customer and employee contact details, financial information, confidential emails, access to company Twitter and Facebook accounts ... these days a smart phone is as powerful as a computer, only harder to secure and easier to lose. You need to treat it with the same amount of care.
What's more, the research questioned IT managers too. 29% of them reckoned it would take a whole day for employees to tell them about a lost or stolen device.
David Emm, senior security researcher at Kaspersky Lab, has some good advice for companies that want to take better care of their mobile devices.
“The ever-growing abilities of mobile devices make our lives much easier," he confirms. "However, what we don’t always consider is the ease with which such tools can be stolen, leaving a wealth of business critical information in the hands of thieves."
"To a seasoned cybercriminal, it will take only a matter of minutes to bypass the four digit password protection used on most devices, especially smart phones. If your mobile device is lost or stolen, it is critical that the IT department is informed as fast as possible. They can then block access of this device to the corporate network and, in the best case, wipe all of its data.”
Of course, you can't remotely wipe a device unless you've put in place systems to let you do this. If you're a sole trader or run a very small company, it's probably enough to take steps to back up each individual device and install a remote wipe app. Read our advice here.
Larger businesses will want to look into mobile device management (MDM) solutions. MDM software gives you much greater visibility and control of the mobile devices in your business, so you can restrict how they're used, what's stored on them and - crucially - scrub them clean and lock them out of the company network.
Make sure you keep yours safe. (Image: Flickr user Johan Larsson.)
New smart phones have some strong security measures enabled out of the box. But did you know there are some simple steps you can take to make sure yours is secure?
The simplest thing you can do protect your smart phone is to set a passcode. Once set, you will be required to enter the code to unlock and use your phone. The minor inconvenience of entering this each time will pay major dividends if your phone is ever lost or stolen.
A thief will be unable to access your phone without the passcode.
Along the same lines, you should also make sure your phone is set to lock automatically when not in use. This means you won't have to remember to lock it yourself each time.
Keeping your smart phone updated with the latest software is just as important as keeping your computer up to date.
Installing the latest updates helps you avoid any security problems that could affect your mobile operating system. For example, a security flaw in previous versions of Apple's iOS (which runs on every iPhone) could allow an attacker to bypass your lock screen.
You can search our website for details of security vulnerabilities affecting your particular model of phone.
All of the rules you've learned about being safe on your desktop computer apply when you're using your smart phone.
Be careful using public wireless connections, and particularly wary when the network doesn't require you to enter a password to connect. These connections are unencrypted, which means people can easily intercept your data.
Double-check the network you're connecting to is the one you think it is. Some attackers may try to steal your data by posing as a legitimate hotspot.
If you work with sensitive data a lot, consider a secure VPN connection for when you use public Wi-Fi. This should protect data even if you've connected to a dodgy network.
Giri Sreenivas is vice president of Mobile at security specialists Rapid7.
Distributed denial of service attack. DDoS for short. Four letters that are can strike terror into the heart of anyone who's been on the receiving end of one.
DDoS attacks aim to take websites offline by overwhelming them with requests for information. Typically, they involve hundreds or thousands of computers, all coordinated to bombard the site simultaneously.
Often, the owners of these computers don't even know what's going on, because the source of the attack is malware that's infected their machines.
DDoS attacks have hit the news regularly in 2012. Last month, Teresa May and the Home Office were targeted. Back in May, Webfusion - one of the UK's largest web hosts - was on the receiving end of a sustained attack (the firm produced an interesting white paper explaining what happened).
The motives for DDoS attacks vary. Sometimes they're random. Sometimes they're political. But there's often a financial aspect. They can come from your competitors, or they can be blackmail, pure and simple. Pay up, or your website stays offline.
And although it's only big name brands that hit the news, online criminals are increasingly turning their attention to smaller companies. Without the resources to deflect attacks, they're softer targets.
As security expert Don Smith told us recently:
"More and more smaller companies are being attacked by cyber criminals, yet many still hold the view that they are too small to be targeted."
If you're not prepared, combating a DDoS attack can be tricky. When your website's overwhelmed by spurious traffic, you may find you're unable to even log in yourself.
In fact, the possibility of a DDoS attack is something you should consider when choosing a web host, because the way they handle them can vary remarkably.
Some hosting companies will simply take your website offline completely so that their other customers aren't affected. Worse, you might get a bill for the extra traffic the attack generated.
Other web hosts will provide far more constructive assistance. Ask if they can give you examples of how they've fended off attacks in the past, and look for security features that come as part of your package, like DDoS protection.
Also make sure they keep their servers and apps up-to-date, because often the latest versions of ecommerce and content management tools are more resistant to DDoS attacks.
Looking for a new web hosting firm?
Here are some firms you might like to consider:
Have you ever suffered a DDoS attack? How did you cope?
How secure is your personal identification number (PIN)? An enlightening study reveals many PINs are predictable and easy to guess. So, is it about time you changed your PIN?
The fascinating study, by Data Genetics, reveals the most commonly used PINs and therefore the ones most likely to be guessed.
It found that the most infrequently used PIN is 8068. Does that make it the safest? Well, perhaps, although now it's been revealed in this study, it might become a lot more popular!
According to the stats, the most common PIN is 1234. Out of the 3.4 million numbers surveyed, it made up 11% - or 374,000. What little imagination some people have!
In fact, the top 20 PINs all fall into the category of 'easy to remember'. For instance:
It seems PINs with lots of repetition or a pattern to them are chosen most frequently. Interestingly, 2580 comes just outside of the top 20 at number 22. This looks like a random number until you realise these are the numbers down the centre of a telephone keypad.
Other easy to remember four-digit PINs come from years of birth. A disproportionate amount of PINs begin with 19. This is bound to change to 20 as the population ages. Day and month of birth also figure quite prominently.
Most devices, credit cards and locks that are protected by a PIN limit the number of times an incorrect number can be entered. So does it matter if you use a common PIN?
Well, let's think about it in more detail. If I'm a bad guy and I get hold of your bank card, I generally get three guesses before the card is locked.
Going from the statistics in the study, if I take the three most common PINs as my starting point, I have a one in five chance of getting yours right. Not bad and probably worth a gamble.
Unless your bank can prove you have been grossly negligent with your PIN (sticking it to your credit card, for instance) the general rule is that you will be reimbursed for any financial loss if your card is stolen and your PIN used to extract money.
So, isn’t it simply a case of using the most convenient, easy to remember PIN and - should it get compromised - waiting for the banks to sort it out?
Well, even assuming you are able to reclaim your money, there's quite a kerfuffle involved in the process. Anyone who's gone through it will know that the inconvenience and lost time is enough to deter you from using a weak PIN.
In addition, you may highlight yourself as an easy target – if you did it once, why not again? Don’t bring unwanted attention on yourself just for the sake of four little numbers.
If government statistics are accurate, even the smallest companies need to give serious thought to IT security. That's because official figures show 76% of small businesses have reported a cyber-breach in the last year alone.
You can tell the government is alarmed by the statistics, because it has decided to establish a 'Cyber Reserve' force to deal with the security threats posed by online crime. It's uncertain what this means in practice, as the details won't be revealed until next year.
However, it should signal a more co-ordinated approach to combating cyber-crime, with the goverment recruiting experts to fight back against sophisticated hackers and fraudsters.
Although things have moved on considerably since this 2006 report found internet fraud was slipping through policing procedures, it still sometimes seems like online criminals are several steps ahead of the authorities.
Just in case the message hasn't sunk in yet, let's make it absolutely clear: your business could be a target for online criminals.
We recently spoke to security expert Don Smith who explained that smaller companies often find themselves singled out in online attacks because they're seen as soft targets:
“More and more smaller companies are being attacked by cyber criminals, yet many still hold the view that they are too small to be targeted."
"If they have any public profile – if they’ve been in the news, for instance - then they can be a soft target. They also might get targeted if they handle the intellectual property of big clients, for example, a creative agency working on a big account."
“This leaves small organisations vulnerable to a number of risks, including attacks, data loss, service disruptions and reputation damage. Just like larger enterprises, small businesses need visibility into the threats that face their organisation.”
Clearly, that begs the question: what should you do about it? Hopefully, you'll have got the basics right. You'll be protecting your network with a firewall, and each individual computer and server in your business will have its own firewall too.
But to really get a grip on your IT security, you need to spend a little time on security planning. The first stage is to identify your most valuable data, so you can find ways to protec it.
It's worth reading the full interview with Don to understand a bit more about the security issues your company could face. We also have some really useful information about putting a security plan together and assessing the risks your business faces.
With just a little preparation, you can reduce the chance of your business becoming another IT security statistic.
(Police lantern image: conner395 on Flickr.)
Image: creating a self-destructing message
Sending sensitive information through email: most of us know it's a bad idea, yet we've all done it at some time or another. Whether it's providing the password to access a protected file or confirming your mother's maiden name, email often seems like the easiest option.
Yet email is inherently insecure. Not only can emails be intercepted as they travel through cyberspace, but if the recipient isn't strict about deleting messages, your information could sit in their inbox for months or years. If their account ever gets hacked, your data is in the hands of the bad guys. Email hacking happens a lot, so it is a real risk.
So, for this Donut tip of the week, we wanted to show you a handy online tool that lets you send sensitive information in a form that self-destructs once it's been read. Sort of like Mission: Impossible, only with fewer pyrotechnics.
To get started, hop on over to Oneshar.es. Then it's really easy to create your one-time message:
That's it! The link uses SSL encryption, which means the message itself is protected from interception when the link is viewed.
Obviously, anyone with access to your link can click it to see the message - but as messages self-destruct once viewed, you don't have to worry about who sees the link once your recipient has used it. Certainly, Oneshar.es deals with the problem of having important information sitting in inboxes.
Now there's no excuse for putting your password in an email ever again.
Smart phone applications could pose a significant threat to your company’s IT system in terms of security, availability or mobile data costs if left unchecked.
In a worst-case scenario, valuable and sensitive data could be at risk if you allow employees to download and install apps at will to their personal and work devices.
While smart phone settings can vary from device to device, all potentially leave a company open to abuse. Every time you install an app, it's important to check what resources and data the app is requesting permission to use.
At some point, everyone has skipped through lengthy terms and conditions to save time. It's these terms and conditions which often explain what data the app will use and how it will use it - so not reading them could mean unwittingly giving an app control over sensitive data, or even the phone itself.
Although an app may appear to be a harmless game or a useful productivity tool, there is nothing to stop it from including code to send a text message, make a phone call or even read data stored on the phone and upload it to an external server.
To minimise these risks, your business and its employees should consider some simple steps:
How sure can you be that a company promoting an app has not included hidden features or a developer has not included some malicious code? Software vendors with a track record of delivering solutions to businesses generally have the development disciplines in place to protect you from these risks, so beware the unproven startup or one man band developer.
Smart phone apps are extremely attractive, but it’s important not to forget that under the veneer of simplicity, IT is extremely complex. Your systems can be manipulated by people who understand that complexity, if they are left unchecked.
Paul Ridden is Managing Director of Skillweb, a privately owned, UK based business that provides technology solutions designed to help organisations manage their mobile workforces and track the movement of their goods.
If you want to find a way to immediately annoy potential customers and drive visitors away from your website, look no further than the humble CAPTCHA.
We've written about these squint-worthy, hard-to-interpret messed-up bits of text before, but today I stumbled upon one that goes beyond a joke.
It popped up this morning on the Ticketmaster website. I had a fair stab at the image on the right side, but I still have no idea what's going on with the left image. Any ideas at all?
I'm convinced the days of the CAPTCHA are numbered. They're designed to guard against targeted hacking attempts and automated 'bots' that fill in online forms automatically.
But really, unless you're running some sort of super high security website, they cause far more problems than they solve.
When you've taken time to create a nice clear website that makes it really easy for people to buy from you or send you a message, then making them fill in a CAPTCHA is like asking them to complete a fiendish puzzle before they can go any further.
Imagine what would happen if the local corner shop asked you to solve a Rubik's Cube before letting you buy a pint of milk. Wouldn't get much custom, would they?
When you use CAPTCHAs on your website, you risk having the same effect.
While the world's attention is diverted by a story involving a member of the Royal Family and partial nudity, don't let your guard down. Although the Duchess of Cambridge may be in the headlines today, there's a far more urgent threat to your IT systems out there: Emma Watson.
Security firm McAfee reckons the Harry Potter star is 2012's most dangerous celebrity. And it's not because she's particularly adept at hacking into Windows XP or an expert at guessing passwords (although who knows what damage a few well-placed spells could wreak?).
No, according to McAfee's research, anyone searching online using terms like 'Emma Watson and nude pictures' runs a high risk of landing on a dangerous website that's infected with malware. As the firm explains:
"McAfee research found that searching for the latest Emma Watson pictures and downloads yields more than a 12.6% chance of landing on a website that has tested positive for online threats, such as spyware, adware, spam, phishing, viruses and other malware."
Now, you might justifiably argue that anyone searching for things like that deserves everything they get from the web's seedy underbelly. But if they're doing it on work time, using your company computers, you should be worried.
Sure, you can discipline the employee responsible, but if your server's infected with a virus or a trojan has stolen your customer list then you'll have bigger problems to worry about than whether your staff member actually found what they were looking for.
Your company policies should - of course - make it clear that this sort of thing is not allowed, but that's not much use either once your computers are infected. And that's why every single PC in your company should have security software installed and up-to-date.
Packages like McAfee's own All Access software (£74.99) will guard against viruses, trojans and spyware, and show a warning screen when you try to visit a dodgy website. Alternatives include AVG Internet Security (£97.99) or Kaspersky's Small Office Security package (possibly best value of the lot because it covers five computers for £159.99).
While packages like these won't entirely guard against employee mistakes, stupidity or bad luck, they do provide a strong line of defence for your company. Even if you're not in the habit of searching for nude pictures of Harry Potter actors.
Image of Emma Watson: Flickr user david_shankbone under Creative Commons.
Hardly a week goes by without one company or another being hacked and user passwords being made public on the internet. Do we have any hope of keeping our passwords safe?
Actually we do have some hope, but we all have to play our part and choose strong passwords.
Hopefully, the websites we have online accounts with are doing their utmost to protect our personal information, and in particular our passwords. But even if they are, that’s not the end of the story as simple passwords can be cracked quite easily by hackers.
We need to do our bit by making sure we have strong passwords that are hard to crack. Here are five ways.
All you need to do is mix these up a bit to come up with a good password. For example:
Top tip: make sure you mix it up. The password Olympics1066 is not as strong as the others.
Lyric: She was more like a beauty queen from a movie scene
Name: Michael Jackson
Number: 1983 (Song released in this year)
Choose the first letter from the phrase and mix the initials and number in. For example:
Top tip: once you decide how you want to mix it up, stick with it. If the mixing it up part could confuse you then you could write down a memory jogger – read on to find out how.
Phrase: Just like that
Name: Tommy Cooper
Number: 1921 (his birth year)
You get the idea!
We all need help remembering things so why not write down something to help jog your memory? It is very unlikely that someone will be able to decipher a decent memory jogger, because you can write things down in a way that makes perfect sense to you but is useless to anyone else.
Lets take the Tommy Cooper example. You could have ‘Tommy’ written down in your address book, followed by a memory jogger, like this:
In this case the memory jogger stands for initial-date-phrase-date-initial
Using this would give a password of:
Remember, that really need to change your passwords every so often, because you can never be quite certain if your password is in the wrong hands.
The biggest problem most of us face is that we have so many online accounts that we forget what they are. Give yourself a fighting chance and keep a list somewhere. As you join new shopping sites, social sites and other sites, add them to the list. If you want to change a password, you will at least know where to look!
Who poses the biggest threat to your company data? You've probably thought about external security threats, but have you stopped to consider the damage your employees could do?
Information risk management specialist Ascentor reckons nearly 15.9m people are ready to damage their employer's business, and says over two million already have. These statistics and more are summarised in this infographic, and you can see the full version over on the Ascentor website.
Not even emptying your computer's recycle bin guarantees your files are gone for good.
Although you can't see or open them on your desktop, the information is still there on your computer's hard drive, which makes it relatively easy to recover if you know what you're doing.
Obviously, that's good if you delete something by accident. But it's very bad if you're trying to delete sensitive information, like financial details or personal information. If your computer falls into the wrong hands, so could your data.
Thankfully, it's easy enough to scrub data off your hard disk for good. Here are three options for you to consider:
Of course, if you can't be bothered with all that and you don't need to keep your computer in working order, there's an option that's much more fun. Unplug your computer, rip out the hard drive and drill some holes in it. Satisfying.
Smart phones are portable and valuable, making them prime targets for theft. Some reports suggest that 20,000 mobile phones are lost or stolen in the UK every day. And with the Olympics expected to attract extra opportunistic thieves, now's not a bad time to give your smart phone security the once-over.
Quite apart from the cost of replacing a phone (Apple's top-of-the-range iPhone costs £700!), you need to think about the value of the data stored on it too. All those contact details, emails, files, photos ... could you afford to lose them? That's why this Friday, we have three crucial security tips every smart phone owner should follow:
Most smart phones come with software to copy data to your computer, creating a backup of everything on your phone in case it gets lost or stolen. iPhone users will be familiar with iTunes. Android handsets usually come with something similar, like Samsung's Kies software.
Be careful though - if you keep your phone and laptop in a bag which gets stolen, you could lose your backup too. Perhaps it's better to back the data up online. Again, most smart phones offer this option: Apple has iCloud, and MyBackup Pro is a good option for Android phones. If you use a BlackBerry, check out the BlackBerry Protect app.
Keylock is the first line of defence when a thief gets their hands on your phone. It prevents them from accessing any of the phone's functions without entering a PIN code or drawing a certain pattern on the screen.
Every smart phone offers a keylock and you should definitely use it. Many handsets also have an auto-erase option, which wipes everything from the phone if an incorrect PIN is entered too many times.
Mobile apps can help you fight back against mobile phone thieves. GPS functions can pinpoint where a stolen phone is. And - as news stories show - the police are becoming increasingly switched on about how to use these tools to recover stolen property.
The best-known is Apple's Find my iPhone. But other platforms are catered for too. Windows Phone handsets have tracking functions built in. Android users can try Plan B, and BlackBerry Protect includes tracking functions too.
Some tracking tools let you remotely wipe the phone too, but the key is to install one now. Because once your phone's gone, it's too late to do anything about it!
Previous Friday tips:
Image: Flickr user JAK SIE MASZ.
“You’ll miss me when I’m gone” is a phrase I've heard various (older) family members say to me, usually as I roll my eyes at the latest bit of wisdom they've decided to impart.
However, it’s apt for business IT. In the last couple of weeks we've seen how a seemingly small 'software update' resulted in a broad outage of NatWest’s banking systems. It even led to an unheard of step: bank branches opening on a Sunday.
If, like NatWest, IT is at the heart of your business then what are the implications of such a problem if it happens to you? What should you do to maintain reliability?
IT has become a hidden service that we take for granted. The internet, once derided as a fad, is now a key service in our lives. From shopping and booking travel to connecting with friends and researching school projects, it’s essential.
What’s more, people have started to view broadband as a basic human right, almost in the same league as water, food and sanitation. This is the level to which the internet has risen in just over 15 years. It demonstrates how important IT is to our everyday lives.
If you run a business then this trend will have spread into your world too. It was not that long ago that IT was the preserve of the accounts department who used it to process payroll. But today it’s used by every member of staff for almost everything they do.
If your business depends on IT, do you give it the attention required to keep it beating at the heart of your company? There are four simple steps you can take to make sure your IT provides good service – day in and day out:
1. Buy the right equipment
I recently visited a prospective client who wanted to set up a call centre. Staff would use their computers as the base from which to make calls and update their customer relationship management (CRM) database. They told me they were planning to buy refurbished (second-hand) computers to keep costs down.
My advice? If you plan to base your company on a database that requires reliable IT, second-hand equipment is a false economy.
That doesn’t mean you have to buy super-expensive business computers. But most well-known brands offer PCs with a three-year warranty and next-day help if you need it. What’s more, buy business-grade IT, not computers designed for domestic use. There’s a difference – and it could mean you get a PC that lasts four years instead of two.
2. Monitor your systems
There are many free or cheap services out there that can monitor your systems for problems like low disk space, a failing networking connection or high memory use. These services are simple to install and can be combined to create a single web page that puts a green, amber or red dot next to each IT asset to show its status.
3. Audit your equipment
This one’s easy. The main aim of auditing is to stay ahead of the IT age curve. A computer’s average lifespan is three to five years, so it makes sense to look at replacing each computer once it’s four years old. If you don’t know how old your equipment is then you can’t make that assessment.
The simplest approach is to note the purchase date of all assets in your business. Then rank them in order, newest at the top, oldest at the bottom. If any computers are over five years old, replace them immediately. Put any over four years old on a list for replacement soon. Keep updating your list and you’ll stay on top of your hardware replacement (this helps spread the costs too).
4. Take security seriously
I see too many companies that don’t take their IT security seriously. They think staff will self-manage things like spending hours on Facebook or emailing friends from a work computer. Of course, they don’t – so you need to manage this through a policy or software.
Internet security is a large and growing problem. Simply going to the wrong website can result in malware, spyware and unwanted software ending up on your computers. Stop this, and you’ll significantly reduce the chance of system failure.
Following these simple steps will help ensure your IT systems stay working to the best of their ability: as a vital business tool that helps to generate revenue. As my old Gran always used to say, "you'll miss me when I'm gone".
Craig Sharp is Managing Director of Abussi Ltd
Keeping your IT system secure and protecting your data can be a complex task. A secure IT system has many elements, from a firewall and anti-virus software to strong passwords and physical security.
Then there's the human factor. It's no good having the strongest passwords imaginable if your staff write them down or share them with each other.
For all but the smallest businesses, it's usually a good idea to seek expert IT security advice. Remote data access, cloud services and mobile devices are creating more fragmented IT systems - and with less centralisation, it's hard to keep everything under lock and key.
To help businesses get to grips with the different elements of their IT security, the Information Commissioner's Office has released a new guide. It's a little light on specifics, but it does contain a very useful checklist to help you cover all major areas of your IT system.
It's excellent reading if you want a good overview of the IT security challenges you face, or want to brief yourself before you speak to your IT supplier or security consultant.
Download the guide from the ICO website >> (PDF, 300K)
This week, online services LinkedIn, eHarmony and Last.fm all suffered security breaches which saw users' passwords fall into the hands of hackers. It's not the first time something like this has happened and it won't be the last: previous victims have included Gawker and Twitter.
I've mentioned before that I think passwords are broken. But they're here to stay, at least for the foreseeable future. So for this Friday's Donut tip, we explain what you should do if you have an account with one of the affected services.
To begin with, be wary of any emails you receive warning that your password has been leaked. They might be genuine, but there are lots of phishing attempts going round too, so you're better off just deleting them.
The next step is easy: PANIC!
Actually, I'm just joking. You definitely don't need to panic. It's counterproductive and unnecessary, because it's actually pretty easy to secure your accounts:
That's it, unless - like most people - you use the same or a similar password for other things. You see, scammers aren't stupid, and they know that if you use that password for your LinkedIn account, perhaps you also use it - or something similar - for more important services, like your email.
This means you also need to change any identical or similar passwords that you use on other services. You should really have a different password for each one.
You've probably seen the usual advice about creating strong passwords. Use upper and lowercase letters, numbers and symbols, don't use words you'd find in the dictionary, and so on. But these passwords can be devilishly hard to remember.
I like the song lyrics trick: take a memorable line from a song, pull out the first letters of each word, then wrap it in a number that you can remember.
For instance, a Rolling Stones fan might choose the first line from Sympathy for the Devil: 'Please allow me to introduce myself'. And he might be able to remember 1960, because that's the year he was born.
Shortened, it becomes 19Pamtim60. Not bad.
Previous Friday Donut tips: