It’s Time to Revisit Your Password Best Practices


When a hacker tries to access one of your accounts, the first challenge they must overcome is the password. This is why industry professionals always encourage you to create passwords with security in mind. The latest guidelines issued by the National Institute of Standards and Technology, or NIST, are not quite conventional or traditional, but they do give valuable insights into current password best practices.

What is the NIST?

NIST is a recognized authority on password creation, and it is no stranger to issuing best practices. While these practices do shift over time, an unfortunate side effect of threats adapting to security standards, NIST's advice is trusted and should absolutely be considered by all. Please see below for the recent update on password best practices.

The New Guidelines

Many organizations and Federal agencies have adopted these guidelines. Here are the latest steps to take when building a secure password.

Length Over Complexity

Most security professionals have advocated for password complexity over the past several years, but the guidelines issued by NIST disagree. NIST suggests that the longer the password, the harder it is to crack, and goes so far as to say that requiring numbers, symbols, and upper- and lower-case letters can actually make passwords less secure.

The reasoning is that users might make passwords so complicated that they forget them entirely, so when it comes time to replace a password, they simply add a “1” or an exclamation point at the end. This makes the new password easy to predict should the original be stolen. Users might also be tempted to reuse the same password across multiple accounts, which is a whole other issue that certainly does not aid security.

No More Password Resets

Many organizations require their staff to change their passwords periodically, typically every month or every few months. The idea is to preemptively change passwords on the off chance that the old ones have been compromised: an attacker who later tries the old password is locked out, because it has since been changed. While this has been an accepted best practice for some time, NIST recommends that it be set aside, as it is actually counterproductive to account security.

The reasoning behind this determination is that people will not be as careful with password creation if they are always making new ones. Plus, when people do change their passwords, they tend to follow the same pattern so they can remember them. This means a password could be compromised even after it has been changed, because a hacker who recognizes the pattern can use it against the user.
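As an added example that is not part of the original post, the Python below turns the two points above (length, not complexity, decides strength; a "new" password that is the old one with a predictable tweak should be rejected) into a small policy check. The minimum and maximum lengths, the function names, and the sample passwords are my own assumptions, not values taken from the post or from NIST's text.

```python
import re
import string
from typing import List, Optional

# Assumed policy constants (not from the post). NIST SP 800-63B asks for at
# least 8 characters for user-chosen passwords and for long passphrases to be
# allowed, so the only upper bound is a generous one.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Trailing digits and punctuation are the "add a 1 or a !" tweak described
# above; stripping them recovers the stable core of the password.
_TRAILING_TWEAK = re.compile(r"[0-9" + re.escape(string.punctuation) + r"]+$")


def normalize(password: str) -> str:
    """Lowercase the password and drop any trailing digits or punctuation."""
    return _TRAILING_TWEAK.sub("", password).lower()


def is_trivial_variant(previous: str, candidate: str) -> bool:
    """True when the candidate is the previous password plus a predictable edit.

    Catches Summer2020 -> Summer2021, Password1 -> Password1!, and plain
    suffix additions such as 12345678 -> 123456789.
    """
    if not previous:
        return False
    core_prev, core_new = normalize(previous), normalize(candidate)
    if core_prev and core_prev == core_new:
        return True
    return candidate.lower().startswith(previous.lower())


def evaluate_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of policy failures; an empty list means the password is accepted.

    Deliberately no composition rules (digits, symbols, mixed case) and no
    rejection of spaces, so passphrases are welcome.
    """
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if previous is not None and is_trivial_variant(previous, candidate):
        problems.append("predictable variant of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for demonstration only.
    samples = [
        ("correct horse battery staple", None),
        ("short1!", None),
        ("Summer2021", "Summer2020"),
        ("Password1!", "Password1"),
    ]
    for candidate, previous in samples:
        verdict = evaluate_password(candidate, previous) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The check only needs the previous password at the moment the user changes it (when the old one is still in hand), so nothing beyond the usual hash has to be stored; it is the pattern of the edit, not the old secret, that the policy is looking for.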

Make Passwords Easy to Use

Some network administrators worry that quality-of-life features, such as showing a password while the user types it or allowing copy/paste, make passwords more likely to be compromised, and so they remove them. The truth is the opposite: ease of use does not compromise security, because people are more likely to stick to established password protocol if you make it easier for them to do so.

Don’t Give Out Password Hints

At the same time, you don’t want to make things too easy for your employees, either. One way administrators help employees who easily forget passwords is by providing password hints. The system itself is flawed, especially in today’s society of oversharing across social media and the Internet in general. If Sally bases her password on the name of her dog, for example, a hacker might find that name on her social media page and then try variations of it until the password is guessed. So, in the interest of network security, it’s better to forgo hints altogether. There are other ways to make your password system easier to deal with that don’t compromise security.

Limit Password Attempts

When you place a limit on password attempts for your business, you are giving hackers only a limited number of chances to get lucky. NIST suggests that most employees fall into one of two categories when it comes to remembering passwords: either they remember it, or they keep it stored somewhere (hopefully in a password manager). Since an employee is likely to do one or the other, a limit on password attempts will rarely affect them but will make all the difference against security threats.
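As an added example that is not part of the original post, here is a per-account attempt limiter in Python of the kind the paragraph above calls for: a few failures inside a sliding window lock the account for a cooling-off period, and while it is locked even a correct password is refused, so a guesser learns nothing during the lockout. The thresholds, the class and method names, and the account names are my own assumptions, not values from the post.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# Assumed thresholds (not from the post); tune them to your environment.
MAX_FAILURES = 5            # failures tolerated inside the window
WINDOW_SECONDS = 15 * 60    # sliding window in which failures are counted
LOCKOUT_SECONDS = 15 * 60   # how long the account is refused after the limit


class AttemptLimiter:
    """Counts failed logins per account and locks the account past a threshold.

    A clock value can be passed to every method so the behaviour is
    deterministic; in production you would simply omit it.
    """

    def __init__(self, max_failures: int = MAX_FAILURES,
                 window: int = WINDOW_SECONDS, lockout: int = LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _prune(self, account: str, now: float) -> None:
        # Forget failures that have aged out of the sliding window.
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear it and start counting afresh.
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def attempt(self, account: str, password_ok: bool,
                now: Optional[float] = None) -> bool:
        """Record one login attempt; return True only if access is granted."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            # Refuse regardless of the password so the lockout is not an oracle.
            return False
        if password_ok:
            self._failures[account].clear()
            return True
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
        return False


if __name__ == "__main__":
    # Constructed walk-through: three wrong guesses, then the right password.
    limiter = AttemptLimiter(max_failures=3, window=60, lockout=300)
    for t, ok in [(0, False), (1, False), (2, False), (3, True), (303, True)]:
        granted = limiter.attempt("alice", ok, now=t)
        print(f"t={t:>3}s password_ok={ok!s:<5} granted={granted} "
              f"locked={limiter.is_locked('alice', now=t)}")
```

The trade-off to keep in mind is that a hard lockout lets anyone who knows a username deny that user service by guessing badly on purpose; throttling (growing delays between attempts) or a high ceiling on failures softens that without giving a guesser unlimited tries.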

Implement Multi-Factor Authentication

We recommend that your business implement multi-factor or two-factor authentication whenever possible. NIST recommends that users demonstrate at least two of the following methods of authentication before they can access an account:

  1. “Something you know” (like a password)
  2. “Something you have” (like a mobile device)
  3. “Something you are” (like a face or a fingerprint)

If two of the above are met, there is sufficient evidence that the user is supposed to be accessing that account. Consider how much more difficult this makes things for a hacker: even with the password in hand, it is unlikely they also have physical access to the user’s mobile device, face, or fingerprint.
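As an added example that is not part of the original post, the Python below checks two of the three factors listed above: "something you know" (a salted PBKDF2 password hash) and "something you have" (a time-based one-time code of the kind an authenticator app on a mobile device produces, per RFC 6238). The user store, the fixed salt, the PBKDF2 work factor, and the shared secret (which is the RFC 6238 reference test secret) are constructed for the example and are my assumptions, not anything from the post.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000  # assumed work factor for the password hash


# ---- "something you know": salted password hash ---------------------------

def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash (random salt unless one is supplied)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_password(record: Dict[str, bytes], password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


# ---- "something you have": TOTP code from an authenticator app (RFC 6238) --

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock skew."""
    at_time = time.time() if at_time is None else at_time
    counter = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(secret, c, digits), submitted)
        for c in range(counter - drift, counter + drift + 1)
    )


# ---- both factors together ------------------------------------------------

# Constructed user store: fixed salt so the example is reproducible; use a
# random salt (the default of hash_password) in a real system.
USERS = {
    "alice": {
        "password": hash_password("correct horse battery staple", salt=b"constructed-salt"),
        "totp_secret": b"12345678901234567890",  # RFC 6238 reference test secret
    }
}


def authenticate(user: Optional[dict], password: str, code: str,
                 at_time: Optional[float] = None) -> bool:
    """Grant access only when both factors check out.

    Both checks always run so the response does not reveal which one failed.
    """
    if user is None:
        return False
    knows = check_password(user["password"], password)
    has = verify_totp(user["totp_secret"], code, at_time)
    return knows and has


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    code = totp(secret)  # what the user's authenticator app would show right now
    print("login with both factors:", authenticate(USERS["alice"], "correct horse battery staple", code))
    print("login with password only:", authenticate(USERS["alice"], "correct horse battery staple", "000000"))
```

The one-step drift window is the usual compromise between tolerating a phone whose clock is slightly off and keeping each code valid for only about a minute and a half.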

Make password security a priority for your organization now so that you don’t have to worry about data breaches later on down the road. AE Technology Group can help you set up a password manager that makes adhering to these best practices easier. To learn more, reach out to us at (516) 536-5006.

BlackRock Trojan: Aggressive Viral Menace For Android Device Users


A new attack on Android applications known as the BlackRock trojan has already targeted over 300 applications on the Android operating system, including banking, social media, and dating apps. Any application with payment features, which is most of them nowadays, has been targeted, and users’ credit card information has been compromised. How does this all work, and what implications will it have for the future of the Android operating system?

The Mechanics of BlackRock

BlackRock’s essential approach to getting access to your information is to present a fake Google Update prompt and request accessibility privileges. Once granted those privileges, it operates autonomously and no longer needs any interaction from the user: it uses the accessibility access to grant itself further permissions.

Some of BlackRock’s abilities are typical of trojans, and some are more problematic. It can collect device information and perform overlay attacks, but even more concerning, it can block antivirus software and prevent its own uninstallation, giving it a longer lifespan than most malware, with more damage done to your device and more of your information compromised.

The Network and History of BlackRock Malware

Research published by ThreatFabric concludes that BlackRock is based on banking malware known as Xerxes, which itself is a version of the Lokibot malware discovered in 2019. Lokibot is part of an underground network of rented malware that circulated in 2016 and 2017. What really turned it into a ubiquitous problem was the leak of its source code.

Android tried to get out in front of the older malware by pushing newer devices whose new hardware imposed an adaptation curve on attackers wanting to target the new systems. Unfortunately, this didn’t last long. In 2018, MysteryBot appeared, an update of the Xerxes code base made to work with the new Android systems.

BlackRock’s ancestry is full of Lokibot variants. Parasite was a brief problem before disappearing from the malware scene; Xerxes, which appeared in 2019, was the direct parent of BlackRock, and now, in 2020, we have BlackRock itself.

Top Apps That Have Been Threatened

Numerous applications have been targeted by BlackRock, but the most notable are:

  • Gmail
  • Google Play
  • Netflix
  • Wells Fargo
  • Twitter
  • Instagram
  • Facebook

Many others have been targeted as well, putting an entire suite of applications at risk. Millions of users could have been affected, with their financial and contact information now in the hands of hackers, who may themselves be numerous given how vast and diverse the malware network mentioned above is.

Implications for Android

Android, being a more open operating system, runs the risk of more attacks like this if Google doesn’t take a new approach to how it monitors the application base. Two futures exist for Android after this latest breach.

One: they stay with the same approach they have now and rely on a numbers game, hoping that the majority of apps hold up with their own individual protection measures and that the majority of users stay safe.

The other: they radically change how they police the platform, subjecting prospective apps to much more rigorous analysis and applying far more scrutiny to security requirements in the approval process.

Either way, the future for Android will remain risky if the growing underground malware network is simply ignored. Serious research into this growing corner of the hacking world is needed if there is any hope of maintaining a safe and secure user base.


Working Together, Apart: The Office Guide to Social Distancing


As many companies move into the next stage of a phased reopening plan, it’s an exciting time to get the team back together and return to business as usual. In the wake of COVID-19 and the new normal, use our office guide to social distancing to adapt, excel, and succeed together.

AE Technology Group is here to support our business clients in a successful reopening with these key tips on creating social distancing in any office space.

Lean, Mean, and Sparkling Clean

Although our offices may be running at half capacity until we slowly transition into a full workplace, there’s never been a greater need for cleanliness. Think beyond the recycling bin and develop a rotating schedule for disinfecting common areas. Frequently disinfect surfaces such as conference room tables, kitchen spaces, and front desks.

Remember that COVID-19 can survive for 24 hours to three days on hard surfaces! Daily cleaning proactively eliminates viral germs before they have time to spread. Divide tasks between in-house staff members, bearing in mind flexible schedules as teams continue to increase hours.

Consider temporarily removing shared coffee stations, microwaves, and community cupboards. As an alternative, treat your staff to a weekly local business luncheon and offer a coffee perk card instead of the traditional water cooler. Not only is this a great way to show your team how valuable they are, but it’s a responsible strategy for minimizing the spread of COVID-19.

Last but not least, please emphasize that everyone — yes, everyone — must wash their hands. 

Personal Space and the No Contact Bubble

Social distancing in the workplace is a simple matter of making the most of any space available. This may entail rearranging desks and cubicles to allow for the appropriate distance of six feet apart. Consider establishing a sign-up sheet for conference rooms and limiting capacity to under ten individuals. Providing masks is a great idea to protect vulnerable workers, as is using plexiglass and other barriers to avoid direct peer-to-peer or client contact.

Small businesses may need to think outside the cubicle box and “create space” by employing back-to-back or side-to-side stations rather than front-facing ones whenever possible. Another tactic for reducing the number of people each person has contact with is to divide your staff into teams or partners so that each individual only works with 3-5 other individuals.

Provide hand sanitizer at all workstations and minimize shared devices such as phones by encouraging the use of headsets instead. Consider staggering shifts to avoid a crowd during opening and closing hours. With a little teamwork, your company can enjoy a seamless reopening while doing its part to protect your staff and your clients.

Viruses: Not Just for People

Once you’ve implemented a germ-proof social distancing plan, it’s time to look at technology considerations while returning to a new normal. Many staff members will likely still be working remotely for some portion of their workweek. Support your team by ensuring your network is secured by a strong firewall and that confidential client information is encrypted and well protected. Discourage the use of personal devices such as laptops, tablets, and phones for work purposes, as these are often easily compromised and prone to viruses of the digital kind. Instead, assign laptops to each key member along with a list of available IT resources for training, troubleshooting, and more.

Stay connected with seamless all-in-one communication and project management software. Microsoft Teams is the number one choice for collaboration from conference calls to client meetings. Securely access and share files through SharePoint and OneDrive for added efficiency from home or anywhere in the office.

Technology Etiquette

Lastly, remember to be polite and mindful of your co-workers. With many employees working remotely for some time now, a lot of these behaviors may have slipped.

Need a little extra help migrating to a socially distant workspace?

Our experts are here to help with practical strategies for meeting your business’ technology needs and keeping everyone healthy, happy, and ready to crush that 9 to 5 grind.

iPhone Update: COVID-19 Face Mask Detection and Contact Tracing


Major tech companies are always on the lookout for ways to add new features to their products and services. In its recent 13.5 OS release for iPhone and iPad, Apple incorporated a new feature designed to help users with contact tracing in the event they contract COVID-19. In this article, we outline how the new face mask detection and contact tracing features work, and how to enable or disable them.

Contact Tracing with Apple

The new contact tracing feature actually uses Bluetooth data sharing rather than GPS location. When the feature is enabled, Apple securely shares a random ID associated with a user’s device with the devices of nearby users, and collects their IDs in return. After 14 days, considered the maximum incubation period for COVID-19, any IDs collected on a device are deleted. If an iPhone or iPad user does contract the virus, health officials now have a way to trace the individuals they may have come into contact with. In addition, if the infected individual chooses to, they can anonymously share their diagnosis with those with whom they came into contact. Notified individuals can then contact their own health care provider for further instructions on what to do about their exposure.

To enable the feature, you must be running the recently released 13.5 version of Apple’s operating system. To find it, follow these instructions:

  1. Open the “Settings” app.
  2. Tap on “Privacy.”
  3. Under Privacy, tap on “Health”.
  4. Under Health, tap on “COVID-19 Exposure Notifications”.

The COVID-19 Exposure Notifications can be toggled on or off (enabled or disabled) in the same manner as all of Apple’s other Settings features.

Changes With Face ID

With the advent of COVID-19, many individuals are choosing to wear a mask over their mouth and nose to help prevent the spread of the virus. In many areas of the country, individuals are actually required to wear some type of facial covering when out in public. This presents a challenge to Apple’s Face ID feature, since partially covering one’s face makes it harder for Face ID to recognize a user. To address this, Apple revamped Face ID to immediately prompt the user for their PIN when it fails to recognize the user’s face, rather than forcing the user to jump through multiple hoops before eventually allowing them to enter it.

Some Caveats

In order for Apple’s new feature to fully function, users must also locate and download an app from a health authority that actually makes use of it. The availability of such an app, along with support from health authorities, can vary depending on the countries and states the user resides in or travels through. Health support may shift as the virus moves through various regions, although in general, major metropolitan areas are likely to have more timely access to the feature than areas with low population.

Privacy Concerns

It’s normal to have concerns about privacy when tech companies handle information, especially personal information related to one’s health. In its collaboration with Google to help prevent the spread of the virus, Apple has taken several measures to address privacy concerns. The random IDs shared between devices change every 10-20 minutes to help increase security. Both Google and Apple have pledged not to collect COVID-19 related data; they will not share it with any government entity, nor will they monetize any process associated with the transfer of the data. Any data collected will only be shared through apps associated with the proper health authorities. To address remaining privacy concerns, Apple and Google have created a FAQ page to answer any questions users may have.

If you would like further information about Apple’s recent changes that include a COVID-19 contact tracing feature, please contact us.

6 Cyber Security Tips for Remote Workers


As we transition into the #WorkFromHome life, staying safe remains our top priority. Don’t forget to consider data security and cyber threats while working remotely. Viruses of a different kind can throw a wrench in productivity and compromise core systems and information. Stay safe at home with these 6 Cyber Security Tips for Remote Workers.

Best Practices for The Best Remote Office Experience

Transitions are the perfect opportunity to review best practices and ensure your company is operating at maximum efficiency. Preventing cyber attacks begins with a thorough review of your organization’s security and compliance. 

Review employee password requirements and ensure your company is following the recommended security protocol to keep your sensitive information from slipping into the wrong hands. Protect your clients and your team by requiring two-factor authentication and passwords that consist of a phrase or sentence with capitals, numbers, and special characters.

Ensure employees have logged out of all devices aside from their designated work computer. Be clear with your team that personal devices should not be used for work purposes: these devices are unsecured and may compromise overall security. This includes transferring files with confidential information between work and personal devices.

Support your crew with sufficient resources such as tablets, work phones, and laptops for on-the-go business instead. For easy data transfer, opt for convenient and secured Cloud storage solutions.

Secure Wi-Fi Networks

Portals, email, and CRMs aren’t the only platforms that require strong security. Remote work should always be conducted over a secured Wi-Fi network, which ensures that sensitive information is not transmitted through compromised channels. For staff currently working from home, offer a DIY IT workshop to get them started.

Change the router password to meet best-practice standards, install firmware updates, and strengthen the Wi-Fi encryption settings.

Protect Privacy

Cyberspace is a dangerous realm. You never know who may be viewing your information and tracking your supposedly private IP address. From advertisers to phishing scams, accessing sensitive information and demographics is surprisingly easy.

Get your team outfitted with the protection of a virtual private network, or VPN. A company-wide VPN supports secured browsing by masking the IP address (or digital footprint) of each user. These helpful tools encrypt internet traffic, keeping company data protected and private information secured.

Check for Updates

Good anti-virus software is only as good as its last update. Think twice before hitting the “later” button on daily or weekly updates. Although keeping software and applications in top shape can seem like an extra annoyance in your busy day, these updates contain essential information and patches for vulnerabilities.

Firewalls, anti-malware, and anti-virus software are the most critical components to prioritize. These programs are constantly adapting to capture and quarantine new, evolving threats. Ensure an automatic update schedule has been enabled. Taking a few minutes to keep applications current will save you a lot of grief in the event of a cyber attack.

Don’t Be a Victim of Cyber Crooks

There’s no better time for a company refresher on the importance of cyber safety. Phishing scams are on the rise since the increase in remote workers. These devious cyber crooks typically operate by sending scam emails, calls, or texts in order to gain personal and financial information on their target. Make your team aware of recent scams and threats while keeping each member up to speed on what they can do to prevent a data breach.

A few SOPs for remote work might include a cheat sheet of information you should never give out via phone, text, or email, as well as helpful tips on how to spot a phishing scheme.

Be Prepared

One positive element to the ongoing COVID-19 crisis is that the current situation underscores the value of preparedness. Data loss can happen to anyone, whether by human error or cyber breach. Be sure your company is prepared with a backup plan in case the unexpected happens.

Investing in a robust Cloud storage system provides a sufficient backup in case of disaster. This simple solution is typically the most convenient and cost-effective for small to mid-sized businesses. If all else fails, AE Technology Group has your back(up) with disaster recovery options for our Long Island and New York business clients.

Contact our experts today for all your remote work needs as we continue to empower businesses to prioritize safety alongside productivity.