Blog posts tagged security

Yes, you need to secure your smart phone too

Make sure you keep yours safe. (Image: Flickr user Johan Larsson.)

New smart phones have some strong security measures enabled out of the box. But did you know there are some simple steps you can take to make sure yours is secure?

Set a passcode

The simplest thing you can do protect your smart phone is to set a passcode. Once set, you will be required to enter the code to unlock and use your phone. The minor inconvenience of entering this each time will pay major dividends if your phone is ever lost or stolen.

A thief will be unable to access your phone without the passcode.

• With an iPhone, set your passcode by tapping: Settings > General > Passcode Lock
• On an Android phone, tap Settings > Security > Screen Lock
• If you use a Windows Phone, tap Settings -> Lock + wallpaper

Along the same lines, you should also make sure your phone is set to lock automatically when not in use. This means you won't have to remember to lock it yourself each time.

Keep your phone updated

Keeping your smart phone updated with the latest software is just as important as keeping your computer up to date.

Installing the latest updates helps you avoid any security problems that could affect your mobile operating system. For example, a security flaw in previous versions of Apple's iOS (which runs on every iPhone) could allow an attacker to bypass your lock screen.

You can search our website for details of security vulnerabilities affecting your particular model of phone.

Always be careful

All of the rules you've learned about being safe on your desktop computer apply when you're using your smart phone.

Be careful using public wireless connections, and particularly wary when the network doesn't require you to enter a password to connect. These connections are unencrypted, which means people can easily intercept your data.

Double-check the network you're connecting to is the one you think it is. Some attackers may try to steal your data by posing as a legitimate hotspot.

If you work with sensitive data a lot, consider a secure VPN connection for when you use public Wi-Fi. This should protect data even if you've connected to a dodgy network.

• Where to start with mobile security
• How to protect your phone from theft
• The business risks of smart phone apps

Giri Sreenivas is vice president of Mobile at security specialists Rapid7.

How predictable is your PIN?

How secure is your personal identification number (PIN)? An enlightening study reveals many PINs are predictable and easy to guess. So, is it about time you changed your PIN?

The safest PIN of all?

The fascinating study, by Data Genetics, reveals the most commonly used PINs and therefore the ones most likely to be guessed.

It found that the most infrequently used PIN is 8068. Does that make it the safest? Well, perhaps, although now it's been revealed in this study, it might become a lot more popular!

What makes a poor PIN choice?

According to the stats, the most common PIN is 1234. Out of the 3.4 million numbers surveyed, it made up 11% - or 374,000. What little imagination some people have!

In fact, the top 20 PINs all fall into the category of 'easy to remember'. For instance:

• 1111
• 0000
• 1212
• 7777

It seems PINs with lots of repetition or a pattern to them are chosen most frequently. Interestingly, 2580 comes just outside of the top 20 at number 22. This looks like a random number until you realise these are the numbers down the centre of a telephone keypad.

Other easy to remember four-digit PINs come from years of birth. A disproportionate amount of PINs begin with 19. This is bound to change to 20 as the population ages. Day and month of birth also figure quite prominently.

Does it matter if your PIN is easy to guess?

Most devices, credit cards and locks that are protected by a PIN limit the number of times an incorrect number can be entered. So does it matter if you use a common PIN?

Well, let's think about it in more detail. If I'm a bad guy and I get hold of your bank card, I generally get three guesses before the card is locked.

Going from the statistics in the study, if I take the three most common PINs as my starting point, I have a one in five chance of getting yours right. Not bad and probably worth a gamble.

Won't my bank cover me?

Unless your bank can prove you have been grossly negligent with your PIN (sticking it to your credit card, for instance) the general rule is that you will be reimbursed for any financial loss if your card is stolen and your PIN used to extract money.

So, isn’t it simply a case of using the most convenient, easy to remember PIN and - should it get compromised - waiting for the banks to sort it out?

Well, even assuming you are able to reclaim your money, there's quite a kerfuffle involved in the process. Anyone who's gone through it will know that the inconvenience and lost time is enough to deter you from using a weak PIN.

In addition, you may highlight yourself as an easy target – if you did it once, why not again? Don’t bring unwanted attention on yourself just for the sake of four little numbers.

Dave James is managing director of Ascentor, a company which helps businesses manage information risk. You can also follow him on Twitter.

TOTW: send sensitive information in a self-destructing message

Image: creating a self-destructing message

Sending sensitive information through email: most of us know it's a bad idea, yet we've all done it at some time or another. Whether it's providing the password to access a protected file or confirming your mother's maiden name, email often seems like the easiest option.

Yet email is inherently insecure. Not only can emails be intercepted as they travel through cyberspace, but if the recipient isn't strict about deleting messages, your information could sit in their inbox for months or years. If their account ever gets hacked, your data is in the hands of the bad guys. Email hacking happens a lot, so it is a real risk.

So, for this Donut tip of the week, we wanted to show you a handy online tool that lets you send sensitive information in a form that self-destructs once it's been read. Sort of like Mission: Impossible, only with fewer pyrotechnics.

To get started, hop on over to Oneshar.es. Then it's really easy to create your one-time message:

1. Click the blue Create One Now button.
2. Type your message into the big box on the screen. You can use up to 1,000 characters.
3. The message will be deleted once it has been viewed by your recipient. However, in case they don't look at it, you can set the message to self-destruct after a period of time. Choose this from the drop-down menu.
4. Click the Create Link button.
5. You'll see a link to your message appear. You can copy this and paste it into an email before sending it to your recipient.

That's it! The link uses SSL encryption, which means the message itself is protected from interception when the link is viewed.

Obviously, anyone with access to your link can click it to see the message - but as messages self-destruct once viewed, you don't have to worry about who sees the link once your recipient has used it. Certainly, Oneshar.es deals with the problem of having important information sitting in inboxes.

Now there's no excuse for putting your password in an email ever again.

• Essential Windows 8 keyboard shortcuts
• How to shake away a cluttered desktop
• Enable hot corners on your Mac

Why CAPTCHAs are bad for your website

If you want to find a way to immediately annoy potential customers and drive visitors away from your website, look no further than the humble CAPTCHA.

We've written about these squint-worthy, hard-to-interpret messed-up bits of text before, but today I stumbled upon one that goes beyond a joke.

It popped up this morning on the Ticketmaster website. I had a fair stab at the image on the right side, but I still have no idea what's going on with the left image. Any ideas at all?

I'm convinced the days of the CAPTCHA are numbered. They're designed to guard against targeted hacking attempts and automated 'bots' that fill in online forms automatically.

But really, unless you're running some sort of super high security website, they cause far more problems than they solve.

When you've taken time to create a nice clear website that makes it really easy for people to buy from you or send you a message, then making them fill in a CAPTCHA is like asking them to complete a fiendish puzzle before they can go any further.

Imagine what would happen if the local corner shop asked you to solve a Rubik's Cube before letting you buy a pint of milk. Wouldn't get much custom, would they?

When you use CAPTCHAs on your website, you risk having the same effect.

• Four innovative alternatives to using a CAPTCHA
• Five key website security checks
• Video: how to meet the needs of your website visitors

Five ways to create passwords that are hard to crack

Hardly a week goes by without one company or another being hacked and user passwords being made public on the internet. Do we have any hope of keeping our passwords safe?

Actually we do have some hope, but we all have to play our part and choose strong passwords.

Hopefully, the websites we have online accounts with are doing their utmost to protect our personal information, and in particular our passwords. But even if they are, that’s not the end of the story as simple passwords can be cracked quite easily by hackers.

We need to do our bit by making sure we have strong passwords that are hard to crack. Here are five ways.

1. Think of a word and a number

Word: Olympics

Number:  1066

All you need to do is mix these up a bit to come up with a good password. For example:

 10Olympics66

Olym10pics66

1Ol0ym6pi6cs

Top tip: make sure you mix it up. The password Olympics1066 is not as strong as the others.

2. Think of a lyric, name and a number

Lyric: She was more like a beauty queen from a movie scene

Name: Michael Jackson

Number: 1983 (Song released in this year)

Choose the first letter from the phrase and mix the initials and number in. For example:

SwmlabqfamsMJ1983

MJSwmlabqfams3891

M19Swmlabqfams83J

Top tip: once you decide how you want to mix it up, stick with it. If the mixing it up part could confuse you then you could write down a memory jogger – read on to find out how.

3. It doesn’t have to be too long

Phrase: Just like that

Name: Tommy Cooper

Number: 1921 (his birth year)

Password:

JltTC1921

You get the idea!

4. Write down a memory jogger

We all need help remembering things so why not write down something to help jog your memory? It is very unlikely that someone will be able to decipher a decent memory jogger, because you can write things down in a way that makes perfect sense to you but is useless to anyone else.

Lets take the Tommy Cooper example. You could have ‘Tommy’ written down in your address book, followed by a memory jogger, like this:

Tommy: Idp-pdI

In this case the memory jogger stands for initial-date-phrase-date-initial

Using this would give a password of:

T19jlt21C

5. And finally…

Remember, that really need to change your passwords every so often, because you can never be quite certain if your password is in the wrong hands.

The biggest problem most of us face is that we have so many online accounts that we forget what they are. Give yourself a fighting chance and keep a list somewhere. As you join new shopping sites, social sites and other sites, add them to the list. If you want to change a password, you will at least know where to look! 

• How hackers target your passwords
• When did you last change your password?
• Simple IT security for smaller businesses

Friday Donut tip: free tools to delete files forever

Not even emptying your computer's recycle bin guarantees your files are gone for good.

Although you can't see or open them on your desktop, the information is still there on your computer's hard drive, which makes it relatively easy to recover if you know what you're doing.

Obviously, that's good if you delete something by accident. But it's very bad if you're trying to delete sensitive information, like financial details or personal information. If your computer falls into the wrong hands, so could your data.

Thankfully, it's easy enough to scrub data off your hard disk for good. Here are three options for you to consider:

• Delete individual files for good with software like Freeraser or Eraser. These programs work by overwriting the files again and again with random data, eliminating any trace of the original files.
• If you want to scrub an entire PC securely - for disposal or resale - you can use CCleaner, which also has lots of other useful cleanup features too. Alternatively, copy Darik's Boot and Nuke onto a CD, put it in your PC, restart, and then type autonuke when prompted.
• Using a Mac? To permanently delete everything in your trash, click and hold the trash folder. When the menu appears, hold the command key, then move your mouse up to select Secure Empty Trash. Easy!

Of course, if you can't be bothered with all that and you don't need to keep your computer in working order, there's an option that's much more fun. Unplug your computer, rip out the hard drive and drill some holes in it. Satisfying.

• Protecting your phone from theft
• Stay focused while you work
• Generate unique, memorable passwords

You'll miss me when I'm gone

“You’ll miss me when I’m gone” is a phrase I've heard various (older) family members say to me, usually as I roll my eyes at the latest bit of wisdom they've decided to impart.

However, it’s apt for business IT. In the last couple of weeks we've seen how a seemingly small 'software update' resulted in a broad outage of NatWest’s banking systems. It even led to an unheard of step: bank branches opening on a Sunday.

If, like NatWest, IT is at the heart of your business then what are the implications of such a problem if it happens to you? What should you do to maintain reliability?

We take IT for granted

IT has become a hidden service that we take for granted. The internet, once derided as a fad, is now a key service in our lives. From shopping and booking travel to connecting with friends and researching school projects, it’s essential.

What’s more, people have started to view broadband as a basic human right, almost in the same league as water, food and sanitation. This is the level to which the internet has risen in just over 15 years. It demonstrates how important IT is to our everyday lives.

If you run a business then this trend will have spread into your world too. It was not that long ago that IT was the preserve of the accounts department who used it to process payroll. But today it’s used by every member of staff for almost everything they do.

If your business depends on IT, do you give it the attention required to keep it beating at the heart of your company? There are four simple steps you can take to make sure your IT provides good service – day in and day out:

1.  Buy the right equipment

I recently visited a prospective client who wanted to set up a call centre. Staff would use their computers as the base from which to make calls and update their customer relationship management (CRM) database. They told me they were planning to buy refurbished (second-hand) computers to keep costs down.

My advice? If you plan to base your company on a database that requires reliable IT, second-hand equipment is a false economy.

That doesn’t mean you have to buy super-expensive business computers. But most well-known brands offer PCs with a three-year warranty and next-day help if you need it. What’s more, buy business-grade IT, not computers designed for domestic use. There’s a difference – and it could mean you get a PC that lasts four years instead of two.

2.  Monitor your systems

There are many free or cheap services out there that can monitor your systems for problems like low disk space, a failing networking connection or high memory use. These services are simple to install and can be combined to create a single web page that puts a green, amber or red dot next to each IT asset to show its status.

Two good tools are GFI and CentraStage – they’re free for the first 30 days, and can give you a valuable glimpse of how your IT is operating (or not).

3.  Audit your equipment

This one’s easy. The main aim of auditing is to stay ahead of the IT age curve. A computer’s average lifespan is three to five years, so it makes sense to look at replacing each computer once it’s four years old. If you don’t know how old your equipment is then you can’t make that assessment.

The simplest approach is to note the purchase date of all assets in your business. Then rank them in order, newest at the top, oldest at the bottom. If any computers are over five years old, replace them immediately. Put any over four years old on a list for replacement soon. Keep updating your list and you’ll stay on top of your hardware replacement (this helps spread the costs too).

4.  Take security seriously

I see too many companies that don’t take their IT security seriously. They think staff will self-manage things like spending hours on Facebook or emailing friends from a work computer. Of course, they don’t – so you need to manage this through a policy or software.

Internet security is a large and growing problem. Simply going to the wrong website can result in malware, spyware and unwanted software ending up on your computers. Stop this, and you’ll significantly reduce the chance of system failure.

Following these simple steps will help ensure your IT systems stay working to the best of their ability: as a vital business tool that helps to generate revenue. As my old Gran always used to say, "you'll miss me when I'm gone".

Craig Sharp is Managing Director of Abussi Ltd

• Simple IT security for smaller businesses
• Asset tracking: keep tabs on your IT
• Choose and use IT suppliers

Friday Donut tip: securing LinkedIn passwords

This week, online services LinkedIn, eHarmony and Last.fm all suffered security breaches which saw users' passwords fall into the hands of hackers. It's not the first time something like this has happened and it won't be the last: previous victims have included Gawker and Twitter.

I've mentioned before that I think passwords are broken. But they're here to stay, at least for the foreseeable future. So for this Friday's Donut tip, we explain what you should do if you have an account with one of the affected services.

Secure your account

To begin with, be wary of any emails you receive warning that your password has been leaked. They might be genuine, but there are lots of phishing attempts going round too, so you're better off just deleting them.

The next step is easy: PANIC!

Actually, I'm just joking. You definitely don't need to panic. It's counterproductive and unnecessary, because it's actually pretty easy to secure your accounts:

1. Go to the website of the service you use (LinkedIn, eHarmony or Last.fm)
2. Log in using your normal username and password
3. Use the change password option to make your password something completely new
   (Don't just change a single letter or number of your old password - use something totally different. At this stage it's a good idea to make sure your password is nice and strong. I've put some tips below)

That's it, unless - like most people - you use the same or a similar password for other things. You see, scammers aren't stupid, and they know that if you use that password for your LinkedIn account, perhaps you also use it - or something similar - for more important services, like your email.

This means you also need to change any identical or similar passwords that you use on other services. You should really have a different password for each one.

Creating strong passwords

You've probably seen the usual advice about creating strong passwords. Use upper and lowercase letters, numbers and symbols, don't use words you'd find in the dictionary, and so on. But these passwords can be devilishly hard to remember.

I like the song lyrics trick: take a memorable line from a song, pull out the first letters of each word, then wrap it in a number that you can remember.

For instance, a Rolling Stones fan might choose the first line from Sympathy for the Devil: 'Please allow me to introduce myself'. And he might be able to remember 1960, because that's the year he was born.

Shortened, it becomes 19Pamtim60. Not bad.

Alternatively, you can use a tool like LastPass to generate and remember super-strong passwords for you. John Sollars talked more about keeping passwords safe in a recent post over on Startup Donut.

Previous Friday Donut tips:

• Increase laptop battery life
• Delay sending emails in Outlook
• Three keyboard shortcuts I use a hundred times a day

Shopping list: what you need to back up your data

Backing up your data doesn’t have to be that difficult. It doesn’t even have to involve expensive-sounding ‘backup solutions’ or wrestling with 300 individual CDs, each of which contains a small but crucial portion of your company’s data.

Here are some straightforward ways to get started. Obviously, they’re not your only options – so it’s a good idea to chat to your IT supplier to make sure you’re backing up everything you need to.

After all, there’s nothing worse than smugly telling everyone you’re all backed up, then realising you’ve lost your ground-breaking 400-slide PowerPoint presentation.

The cheap and cheerful option for home-based businesses

Sure, it might be cheap and cheerful, but this approach will get the job done for you.

Buy yourself two external hard drives. These can be attached to your PC, allowing you to copy data to and from them. Do this regularly. Daily if you can.

Copy all your important data, including accounting data, word processing and spreadsheet files, plus your email, calendar and contacts.

Some hard drives come with software to make this a bit easier for you. If you use Windows, you can get Microsoft’s free SyncToy software to automatically copy selected folders across to a second hard drive.

Why two hard drives? It covers you against the risk of fire, theft and other physical damage (like dinosaurs attacking your house). Keep one drive on the premises and keep the other one somewhere else – like with a friend or family member you trust. You’ll probably need to back up to that drive less regularly, but doing so weekly will ensure you can get most of your data back.

The other good option is some sort of online backup service. Over time these services usually work out more expensive than buying a couple of hard drives, but they are convenient. Try Dropbox, Mozy or Carbonite.

Something suitable for office-based companies

Ok, so you’re a business with its own premises and maybe a few employees. You’re right to think that you need something a little more advanced. But don’t worry – you still have a number of choices.

Again, online backup can be a really good place to start. But you have to be careful. You want a company you can rely on (because backups are the things you turn to as a last resort). And check the costs carefully. Many online backup services copy non-essential files, pushing up your monthly bill.

The main in-house option is – again – hard drives or tape drives. Tape drives have traditionally been used by companies to back up large amounts of data, but we tend not to recommend them so much these days because hard drives are so cheap.

A good set up is to have seven hard drives. Five of them do your daily backups during the week (Monday – Friday). Use the other two to take regular archives, but make sure at least one is off the premises all the time. Keeping it at your home is the obvious thing to do.

Again, software is available to make this process more straightforward. I usually recommend BackupAssist, because it can back up all your email, calendar and contact folders, and it’s reliable. Which, let’s face it, important

Here’s the most important thing…

From unlikely dinosaur attacks to the more plausible floods, fires, virus attack, hackers, computer crashes and accidental deletion, there are plenty of threats to your company data.

So the most important thing to do after reading this article is to act on it. Otherwise, by the time you realise you really need a backup system, it’ll be too late to do anything about it.

• Writing your disaster recovery plan
• Find the right backup options
• Five IT security mistakes

Craig Sharp is managing director of Abussi, an IT company based in Birmingham.

Information is the lifeblood of business, so why don't small companies protect it?

Information is the lifeblood of a business. Without it, everything else you need to make a business tick - like sales, customers or profit – stalls permanently. So making that information easily accessible is vital.

As it’s so important, you’d expect the information to be easily available to the people who need it, and protected from those who don’t. However, the reality is different: at last year’s IP Expo, 60% of people surveyed by my company City Lifeline said they had lost access to their company’s IT system following an unexpected incident. Oops.

In 40% of these cases systems were down for six hours or more, bringing the business to a halt for an entire working day. Just think of all the things your business uses IT for in just one day. Imagine not being able to access your email, check customer documents or view essential data.

Losing access to your data hurts your pocket too. Symantec’s 2011 SMB Disaster Preparedness Survey found that losing access to data and electronic communication systems costs small companies an average of £7,500 a day in lost business and productivity.

Prepare for the very worst

Unplanned downtime can stem from something as innocent as a workman cutting through a power cable or as sinister as a malicious cyber attack. Whatever the cause, they all have one thing in common: the element of surprise.

The best business owners not only prepare for the things that are going to happen, but also for things that could happen. “I didn’t know it was going to happen,” is not much of an excuse when faced with an angry customer or an office full of staff who can’t get their work done.

If your business’s information is adequately backed-up, the chances are good that your IT systems will be working by the end of the day. But if not, the consequences can be disastrous.  In a worst case scenario the lost data can never be recovered, and neither can the business.

Some research suggests up to 70% of small businesses that lose data in a major incident are forced to shut within a year. Yet the Symantec report mentioned above also shows that less than half of smaller businesses bother to back up data every week. A mere 23% take daily backups.

Risks are part of business, but...

Taking the odd risk is part and parcel of being in business, but risking the safety of your information is equivalent to cutting off your oxygen supply. Huge corporations often have the money, expertise and resources to escape from a tricky IT gaffe. Quite often, smaller businesses do not.

This vulnerability makes investing in off-site data backup vital. It only takes a one-off incident to disable access to your IT systems. And it only takes one major incident to cripple your business forever.

If you lack the time and resources to create a backup strategy from scratch, it may be worth working with an IT supplier which can store your data securely in a different location. Some suppliers operate or have space in colocation data centres, highly secure buildings specifically designed to keep your information safe. (The company I work for, City Lifeline, offers colocation services.)

Do your business justice by investing in your information in the same way you would invest in a new computer or member of staff. Your information is key to your company’s viability, so return the favour and look after it just as well.

• Continuity planning and backup options
• Find the right backup methods
• Five mistakes you may be making with your IT security

Roger Keenan is MD of City Lifeline.