How Secure Is Your Password?

Do you change it often? Do you use the same password across the board, or several different ones? Do you use a variety of letters, numbers and punctuation characters? How about your phone: do you use a password lock at all, or do you stick to the simple screen swipe? How about your business? Do you make sure passwords are changed often? That they are not simple or easy to crack? That employees are maintaining strong passwords and changing them regularly?

A simple internet search brings up a slew of free downloads, instructional pages and videos on creating and using password-cracking software. Some are so basic that it has been said an 11-year-old could use them. There is a constant threat from opportunistic criminals who scan for accounts with default and weak passwords, plus the threat of more targeted attacks that try to fool users into revealing their details.

Most businesses are aware that password security is important, but are they aware that one compromised computer on a network can bring the whole business to its knees? Just one hacked terminal can spread a crippling virus throughout the network, with effects ranging from halting all business to harvesting or wiping critical data.

In today’s evolving world more and more employees are using their own devices for business. From mobiles to laptops, business is moving further and further away from the office-based devices where most companies focus their security practices. If an employee is using their mobile, tablet or laptop for business, how sure are you that the data stored there is protected? A stolen device with no password, or a very basic one, can have just as serious an impact as allowing access to your office machines.

So, how can we minimise the risks? Firstly, and most importantly, ensure that different passwords are used for different accounts and devices. This is a basic, often unenforced practice that limits the damage should an attack occur. Imagine giving someone a single key that unlocks every door in your home, office, car and garage.

Once this simple practice is established, it is wise to look at the complexity of the passwords themselves. Certain things should be avoided, among them names, company names and dates of birth. Matching usernames and passwords are a big no-no, as is using any word that appears in a dictionary.

A minimum length of eight characters is a good place to start; the longer your password, the harder it will be to break. Mixing letters with numbers and punctuation characters, surrounding the password with random punctuation characters (@, &, $ etc.) and breaking it up with them will increase the security of your password. If the system allows a passphrase, this is often harder to crack and easier to remember.

One of the easiest ways to create a strong, apparently random password is to make an acronym from a phrase. Again, swapping some letters for numbers and adding punctuation characters will further increase the password strength.

Ideally, no passwords would be written down anywhere, but for those who must write their passwords down to remember them: don’t keep a list, don’t write them alongside their corresponding usernames or the account or device they relate to, and do keep them in a safe place.

Any mobile device used should have the most secure password system it allows. For example, where a device allows a numeric PIN, opt for the 6- or 8-digit version over the basic 4, and if there is an option for a written password, always take it. Don’t be afraid to ensure your employees are protecting your data, even if that data is on their own device.

Changing passwords on a regular basis will also increase your security. When making changes, ensure the new password in no way relates to the previous ones.
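As an added illustration (not part of the original article), the following Python script turns the advice above into checks a helpdesk or onboarding tool could run: the minimum length, no match with the username, no company name or embedded year, no dictionary word even when disguised with number swaps, a mix of letters, digits and punctuation, the acronym-from-a-phrase recipe, and a similarity check so that a "new" password is not a trivial variant of the previous one. The word list, the function names and the 0.6 similarity threshold are assumptions made for this example; a real deployment would load a full dictionary.

```python
import re
import string
import difflib

# Constructed sample word list standing in for a real dictionary (assumption: a
# deployment would load a full word list such as /usr/share/dict/words instead).
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "letmein", "dragon", "monkey"}

# The letter-for-number swaps the article suggests, and the reverse map used to
# catch a dictionary word that has merely been disguised by those swaps.
LEET_MAP = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
UNLEET_MAP = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s"})


def check_password(password, username="", company="", dictionary=SAMPLE_DICTIONARY, min_length=8):
    """Return the article's rules that the password breaks (an empty list means it passes)."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username and lowered == username.lower():
        problems.append("matches the username")
    if company and company.lower() in lowered:
        problems.append("contains the company name")
    # Undo the common swaps first so "p4ssw0rd" is still recognised as "password".
    if lowered in dictionary or lowered.translate(UNLEET_MAP) in dictionary:
        problems.append("is a dictionary word")
    # A four-digit year is the usual trace of a date of birth.
    if re.search(r"(19|20)\d{2}", password):
        problems.append("contains a year")
    present = {
        "letters": any(c.isalpha() for c in password),
        "digits": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    missing = [name for name, found in present.items() if not found]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def acronym_password(phrase, prefix="@", suffix="$"):
    """Apply the article's recipe: first letter of each word, swap some letters
    for numbers, then wrap the result in punctuation characters."""
    initials = "".join(word[0] for word in phrase.split())
    return prefix + initials.lower().translate(LEET_MAP) + suffix


def resembles_previous(new, previous, threshold=0.6):
    """True when the new password is too close to an earlier one, which catches
    the classic Summer2023 -> Summer2024 style of change (threshold is an assumption)."""
    return any(
        difflib.SequenceMatcher(None, new.lower(), old.lower()).ratio() >= threshold
        for old in previous
    )


if __name__ == "__main__":
    samples = [("p4ssw0rd", {}), ("acme1985", {"company": "Acme"}), ("jsmith", {"username": "jsmith"})]
    for pw, kw in samples:
        print(pw, "->", check_password(pw, **kw) or "ok")
    candidate = acronym_password("my dog ate three socks on sunday")
    print(candidate, "->", check_password(candidate) or "ok")
    print("Summer2024 resembles Summer2023:", resembles_previous("Summer2024", ["Summer2023"]))
```

The reverse-map lookup matters more than it looks: a cracker's wordlist already contains the "p4ssw0rd" variants, so a checker that only rejects the plain dictionary word gives users false confidence. The similarity check is deliberately case-insensitive, since rotating "Summer2023" to "summer2024" is exactly the kind of change the article warns against.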

With increasing hacker activity and more companies adopting BYOD, it is vital we do everything we can to protect our systems from malicious attack, and adopting good password procedures is often the best way to start.

Dutch Pirate Bay Ruling To Influence UK Ban?

Citing the ban as ineffective, a Dutch court has overturned the ruling restricting access to The Pirate Bay. With a similar ban in place for British ISPs, we look at why the ban was first imposed, the reasons the Dutch court took this decision and the implications it carries for UK ISPs.

Launched in Sweden in 2003 by a group of friends, The Pirate Bay became one of the largest file-sharing sites on the net. The site hosts links to downloads of mostly pirated music and video content.

In early 2012, the High Court in London ruled that The Pirate Bay facilitated copyright infringement, and ordered ISPs to block access to the site.

The British Phonographic Industry stated: “Sites like The Pirate Bay destroy jobs in the UK and undermine investment in new British Artists… Its operators line their pockets by commercially exploiting music and other creative works without paying a penny to the people who created them. This is wrong – musicians, sound engineers and video editors deserve to be paid for their work just like everyone else.”

At the time of the ban, Virgin Media warned that such measures were only part of the solution: “Virgin Media complies with court orders addressed to the company, but strongly believes that changing consumer behaviour to tackle copyright infringement also needs compelling legal alternatives, such as our agreement with Spotify, to give consumers access to great content at the right price.”

Because the ban was relatively easy to circumvent using VPNs or proxy servers, many claimed it was having little to no effect on P2P traffic.

In the months immediately after the ban, ISP data suggested P2P traffic in the UK had dipped by 11%, but this quickly recovered to almost the level seen before the ban. The Pirate Bay also reported that it received 12 million more visitors on the day after the ban than ever before.

In the Netherlands, the appeal against the ban was brought by Ziggo and XS4ALL, two local ISPs, who argued that the measure denied their users free access to information. Although evidence indicated Dutch traffic to The Pirate Bay had declined, the amount of torrenting had not. “This blockade imposed a violation of the basic freedom of commercial activity of the providers with insufficient justification,” the court’s ruling said. “It is of great significance that the providers themselves were not violating the copyrights.”

Although ISPs affected by the ban in the UK, such as Virgin Media, said they would be looking into the implications of the ruling for British ISPs, a law expert thinks the UK ruling is unlikely to be overturned.

“Recently the EU advocate general decided that under EU law you cannot issue a site-blocking injunction which is expressed in general terms, but you can require ISPs to take specific measures to prevent users accessing a website with illegal content, even if those measures can be circumvented,” he said.

“Other courts in Europe will certainly have to take into account relevant EU directives, this opinion of the advocate general and decisions of other EU courts such as this one in the Hague Appeals Court, but ultimately each nation can make its own decision based on the facts of the individual case and as to the terms of any site-blocking injunction which it issues.”

So, whilst the Dutch may have overturned their ban, it looks as though for the time being UK ISPs will continue to restrict access.

App Data – To Share Or Not To Share? Do We Have a Choice?

With the recent revelations from the Edward Snowden leaks about the harvesting of private data, and the use of analytics data from mobile apps in that collection, how aware are you of the extent to which downloading and using an app can affect your security?

Many mobile app developers use analytics to help improve their products. Analytics give the developer the ability to see how often their app is used, which sections users visit most often and for how long. This information is essential for making improvements and developing further apps. Alongside the development advantages, app developers also collect data for another reason: with free games ever increasing, developers need this information for targeted advertising and to sell on to third parties, meaning the information is another revenue generator.

But Snowden’s leaks have revealed that many apps, such as Angry Birds, are collecting far more detailed information than originally thought, from phone model and screen size to much more personal details such as age, gender, location and even sexual orientation. Many will be shocked to learn the extent of the information collected, and the fact that intelligence agencies are harvesting it.

Apps that require you to log in via social media platforms and to grant access to your GPS can easily track where and when you play the game, as well as your full identity and all the personal information on your social media account. If this information is then transmitted without being encrypted, any third party with basic know-how has open access to it.

So, next time you download an app that asks for your permission to access certain data, think about the information this could release if the data is transmitted without encryption, and whether this is information you want studied by everyone from advertising companies to the NSA!