The Heartbleed Bug and Password Reuse, Recipe for Disaster


If you have the habit of using the same password everywhere, you are at risk of identity theft and an account breach in the post-Heartbleed scenario.

The ‘Heartbleed bug’ is perhaps the hottest topic in all types of media – print, electronic, social, and others. This serious flaw in OpenSSL’s TLS implementation is perhaps the biggest vulnerability in Internet history and has sent panic waves throughout IT and consumer communities alike.

During the past few days, you have probably come across information about the Heartbleed bug many times and been swamped by vendor advisories prompting you to change your passwords. The Heartbleed bug went unidentified for nearly two years, and it is not immediately known whether it was exploited against any web application anywhere. So, as a precautionary measure, vendors are advising you to reset your passwords once they have patched their applications and fixed the vulnerability.

Heartbleed bug and password reuse 


When you receive an advisory on the Heartbleed bug from a software application provider, you’re likely to promptly change the password in that application or site and feel secure. But the harsh truth is that your entire online life could be at risk. This is because most of us tend to use the same password on all websites and applications.

So if an attacker obtained your password by exploiting the Heartbleed vulnerability in one site or application, that attacker actually holds the ‘master key’ to all your accounts – even those that are not vulnerable to Heartbleed.

Identity theft through social media platforms: Is your password secure?


Social media platforms are fast emerging as the most convenient platforms for malware delivery. To combat cyber threats, proper password management should ideally become a way of life.

Over 13 per cent of the world population is on social networks, and the number keeps growing exponentially. Those who do not own a Facebook or Twitter account are now viewed as living in prehistoric times.


No doubt, social media is wonderful in helping you stay connected with friends, but its sheer popularity attracts the attention of cyber-criminals looking for ways to harvest identities. Recent surveys by IT security analysts clearly indicate that social media is fast emerging as the most convenient platform for malware delivery by hackers. Clickjacking, phishing and identity sniffing continue unabated and are growing at a faster pace. Despite untiring awareness campaigns by the social media giants, even tech-savvy users are falling prey to attacks perpetrated through social media.

Introducing New Features in Zoho Vault: Powerful Password Sharing, Wider Storing

Ever since we launched Zoho Vault, an online password manager for teams, we have been receiving constant feedback from our customers – appreciation, concerns, comments, pain points and constructive criticism. We are giving sincere attention to all of it. We have now given shape to some of the feature requests, and here is a summary of the recent enhancements:

Securely store and share files and documents

You can securely store not just passwords, but also documents, files, images, digital certificates and licenses in Zoho Vault. Files can be stored as individual entities or along with secrets. You can add multiple files to a single secret and retrieve them from anywhere, even from your mobile devices. File attachments are treated like passwords – they can be shared with users and user groups, and they are encrypted in your browser. The encryption key is never stored anywhere, so complete data privacy is ensured.


Announcing Two Factor Authentication for Better Security


With over 8 million users working online on our services, ensuring information security is an important priority for us. Your Zoho.com account is the entry point to a range of collaboration, productivity and business apps from Zoho that not only help run your business but also hold your data. Obviously, you want to keep that entry point safe.


Keeping this in mind, we have added support for two-step authentication for signing in to your Zoho account. In this age of phishing attacks and identity theft, relying on the login password alone does not guarantee security. No matter how strong or complex your primary password might be, your account stands the risk of a breach if that password falls into the wrong hands.

Two Factor Authentication (TFA) provides an additional layer of security around your account. As it requires two successive factors – ‘something you know’ (your password) and ‘something you have access to’ (your mobile phone, for example), it helps greatly reduce account compromises due to phishing attacks and other online frauds.

Once TFA is enabled, you first log in to your Zoho account with your usual credentials. You then receive a uniquely generated verification code on your phone, either as a voice call or as an SMS text message, which you answer or enter to complete the login process. Alternatively, you can use the Google Authenticator app on your smartphone to generate the second-factor code.

Immediately available 

TFA is immediately available to all Zoho users, and setting it up is straightforward. Go to https://accounts.zoho.com/, navigate to the ‘Two Factor Authentication’ section and follow the instructions to complete the setup. If your Zoho account is part of a ‘Zoho Business Organization’, TFA can be enforced and controlled only by the organization administrator.

Optional, but highly recommended 

Two Factor Authentication is completely optional, but from a security standpoint it is highly recommended. The security benefits of TFA far outweigh the minor inconvenience of authenticating in two successive stages.


Password Sharing Gone Wrong: How You Can Safeguard Your Business from a Snowden Security Breach


When Edward Snowden, the former NSA contractor, started disclosing classified details of several top-secret surveillance programs of the US intelligence agencies in June this year, everyone wondered how he had gained access to such highly confidential information.

Five months later, an exclusive report by Reuters reveals that Snowden used perhaps the easiest possible way to gain unauthorized access to the secrets. Misusing his position as a system administrator, he reportedly persuaded nearly 20 of his colleagues to share their login credentials with him under the pretext of doing his job. Unaware of Snowden’s real intent, they thought they were giving their credentials to a trusted insider and unwittingly handed them over, which led to the worst information security breach in the NSA’s history.

This report reminded me of a funny campaign titled “Passwords are like underwear”, run by Information Technology Central Services at the University of Michigan a few years back to create awareness about protecting passwords.

True, passwords are like underwear – obviously not meant to be shared with others. Unfortunately, practical needs are mostly the opposite: business requirements demand selective sharing of passwords with others. In most organizations, users often reveal the administrative passwords of sensitive IT resources to their colleagues for one reason or another.


Petition against them, hate them, or wish them dead; passwords are here to stay for long!


In the last two weeks, the Petition Against Passwords movement launched by a group of US-based companies that sell password-less technology has been gaining widespread media attention across the world. Their mission is to collect every frustrated yell at forgotten passwords and make sure the organizations responsible hear them.

At the RSA conference in San Francisco early this year, James DeLuccia’s ‘Passwords are dead’ created quite a buzz. At the conference, Zoho’s sister division ManageEngine demonstrated its enterprise password management solution, Password Manager Pro, and almost all the visitors to our stand quipped: “They are talking about the death of passwords and you are demonstrating password management!”

So, we hear the vox populi loud and clear: people are fed up with passwords. With the proliferation of online applications, a variety of passwords occupy every aspect of our lives. Remembering dozens of passwords is impossible, storing them only invites trouble, and managing them manually is a pain. With high-profile security breaches involving stolen online identities, all of us want to be rid of passwords. So, when someone talks about replacing passwords, it is only natural for people to get interested.

But the million-dollar question is: do we have viable alternatives if passwords finally die?

Before going any further, here is some history on ‘death of passwords’:

For over a decade now, people have been discussing the death of passwords. At the same RSA conference in 2004, Bill Gates, the Chairman of Microsoft, predicted the death of passwords. In 2006, he said that the end of passwords was in sight. Not just Bill Gates, but many other luminaries and industry analysts have been predicting the death of passwords.

However, in reality, the predictions have not yet materialized. Passwords are still the most prominent method of authentication to date. Alternatives to passwords, such as biometric authentication, iris authentication, facial authentication, various forms of multi-factor authentication, and even authentication through items like watches, jewellery and electronic tattoos, are all being discussed. Active research is also under way to formulate better alternatives.

However, none of the alternative approaches have been viable, for various reasons. Firstly, passwords are very easy to create and are absolutely free. The alternative models, by contrast, are mostly expensive, require additional hardware components, are difficult to integrate with the existing environment, and are not easy to use.

Interestingly, some of these alternative authentication methods were cracked even before they could be widely adopted. A few years ago, a group of researchers fooled biometric facial authentication systems using phony photos of legitimate users.

As of today, a viable replacement for traditional passwords is not in sight. We may get one in the future, but it will take considerable time for any new mechanism to be accepted and adopted. That means traditional passwords are not going to die anytime soon; they are going to be around for a while.

Passwords are not the problem; their management is

While raising our voices against passwords, we overlook the actual problem, which is poor password management. Because they cannot remember passwords, users tend to use and reuse simple passwords everywhere. Users store passwords in text files and post-it notes, share credentials among team members, and pass them on over email or by word of mouth. Real access controls do not exist, and the passwords of sensitive resources and applications remain unchanged for ages. Such bad password management practices invite security issues and other problems.

Use a password manager

While the research to find an alternative to passwords continues, it would be prudent to deploy a password manager to safeguard your data. With a password manager, you can secure all your passwords in a centralized repository; use strong, unique passwords without worrying about remembering them; automate and enforce password management best practices; control access to resources and applications; keep track of activities; and do much more.

If you are wondering which password manager to use, take a look at Zoho Vault.

Passwords or Pulcinella’s Secrets?


What is the purpose of a password? If we pose this question to any group of users, we will get a variety of responses. In simple terms, the purpose of a password is to keep your data and information secure, secret and private. Essentially, passwords have to be kept secret to serve their purpose. Ironically, due to the lack of proper password management, we tend to make our passwords much like ‘Pulcinella’s Secrets’!

Yes, you read it right – Pulcinella’s Secrets! If you wonder whether you got the meaning correct, let me explain:


Pulcinella is an illustrious comic character in Commedia dell’Arte, a form of theater that began in Italy in the mid-16th century. The defining trait of Pulcinella is his inability to keep secrets. Any confidential information conveyed to him becomes an open secret in no time. The secret reaches far and wide, but everyone pretends not to know. In reality, Pulcinella’s secrets are not secrets at all.

Passwords in Text Files, Post-Its or Spreadsheets are Pulcinella’s Secrets, Literally!

With the proliferation of password protected online accounts and IT assets, businesses are drowning in a pile of passwords. But, many organizations and business establishments do not have any effective password management procedure in place at all. Employees adopt their own, haphazard way of maintaining the passwords. Following are some typical scenarios:

  • Sensitive passwords are stored in volatile sources such as text files, spreadsheets, post-its and the like
  • Many copies of the passwords are circulated among the people who require them for their job functions. There is generally no record of ‘who’ accessed ‘what’ passwords and ‘when’, which creates a lack of accountability for actions
  • When one user changes a password, it has to be updated in all the ‘copies’; otherwise, at the most needed time, someone will be trying to log in with an outdated password. As a result, passwords mostly remain unchanged for ages for fear of inviting such lockout issues
  • There is rarely any internal control on password access or usage in many organizations. Users freely get access to the passwords
  • When other members of the organization require access to an online application or account, passwords are generally passed on by word of mouth
  • If an employee leaves the organization, it is quite possible that they walk out with a copy of all the passwords

So, if you follow the traditional style of storing business passwords described above, your passwords have probably turned into Pulcinella’s Secrets! Many in your organization might be accessing the passwords while you think otherwise. Obviously, this practice leaves organizations open to security attacks and identity theft.

Deploying a Password Manager – The Best Practice Approach

One of the effective ways to keep your passwords secure (and really secrets) is to store them in a central, secure, digital vault and automate password management tasks. Deploying a password manager like Zoho Vault can help you in taking total control of your passwords. You can store all your online identities – passwords of web applications, PINs, registration numbers, access codes, bank account details – anything sensitive or confidential in the online vault and access them from anywhere. Password changes can be updated at the central vault.

You can selectively share common passwords on need basis among the members of your organization with fine-grained access privileges. Your users will get access only to the required passwords, not all. You will also get comprehensive audit trails on ‘who’ accessed ‘what’ passwords and easily trace activities to individuals. You can completely eliminate the insecure, cumbersome practice of storing passwords in volatile sources like post-its, text files, print-outs and spreadsheets. Try Zoho Vault, now!