Danger:

Realize that using public networks via Wi-Fi or an Ethernet cable can be very dangerous. Your laptop is still exposed to network sweeps, vulnerability scans, and other network attacks. Threat actors don’t even need to be close to you; they can attack your laptop using other innocent people’s laptops.

Cellular Phones and Mobile Hotspots:

Instead of connecting to a public network at a hotel, coffee shop, or similar, use your phone’s data-sharing function to connect to the Internet while traveling. When you connect your laptop to your cellular network rather than the public Wi-Fi network, your laptop is not exposed to the dangers on the public network. Most phones permit you to connect your laptop to the Internet, and the connection speeds are usually very fast. Unless you are watching movies, the amount of data you consume may be less than you think.

Consider using a wireless hotspot from your phone provider. This option can be more convenient if you need to take your phone with you while stepping away, allowing you to leave your laptop connected to the internet.

What if a cell phone is connected to public Wi-Fi and then used as a hotspot?

If your phone allows you to connect it to public Wi-Fi and share that connection with your laptop, it could be beneficial. Your phone might act as a buffer, providing some protection for your laptop from direct exposure to the public Wi-Fi network. However, keep in mind that your phone would still be exposed to potential risks on the public network. Additionally, many phones do not support sharing a public Wi-Fi connection with a laptop; they typically only share the cellular connection.

Throttling:

Suppose you anticipate using lots of data, such as watching movies. In that case, your phone provider might slow your Internet connection to a crawl once you reach a specific data limit for that month, even if you have an unlimited data plan. They call this throttling your connection.

If you need a hotspot that will not get throttled in the USA, consider getting a hotspot by donating to https://calyxinstitute.org/ (We do not receive any compensation for mentioning them, and this is not an endorsement of Calyx Institute. We know many people who are very happy with their service, so it is important to tell you of a way to avoid throttling). Their website shows their coverage areas.

International Roaming:
If you are traveling outside your country, check with your phone service to see what International Roaming plans they offer. You can often use your phone and hotspot in other countries for a small monthly fee.

Portable Hardware Firewalls and Travel Routers:

If you are remote and away from your mobile phone providers’ coverage area, connecting to a public network might be your only option. Or perhaps you don’t want to use up minutes on your cellular data plan. You can help protect yourself on a public network by using a portable hardware firewall called a travel router.

Most travel routers have two radios to allow simultaneous Wi-Fi connections to your laptop and a public Wi-Fi network.

Note that some travel routers allow you to connect via Ethernet cables if you don’t want to use Wi-Fi. If you want to connect to the travel router via a cable, you will need an Ethernet port on your laptop or a USB to Ethernet adapter.

Here’s what to expect when setting up a travel router:

1. Connect your laptop to the travel router like any Wi-Fi or network cable connection.
2. Use your browser to put the router into “bridge mode.” Sometimes, the setting is named something similar. Then, connect the travel router to the public network at your hotel wirelessly or with a cable.
3. If required, log into the public network (e.g., entering your hotel room number and last name). If the public network has a login screen that doesn’t appear, you can try typing this address into a new tab in your browser: nossl dot com

The process usually takes about five minutes, even in new locations.

Remember, your connection speed depends on the speed of the public network and may vary throughout the day.

While travel routers can enhance security, proper configuration is crucial. Always consult with your IT team for setup, training, and best practices. The phone and hotspot recommendations are generally faster and simpler to connect.

If you plan to get a travel router, you should purchase it with a 30-day return policy and be sure to work on getting it up and running before you leave on your trip. Reliable travel routers are available for less than $100. I do not get any compensation for mentioning this brand, and this is not an endorsement: I have used the GL.iNet GL-MT3000 (Beryl AX) travel router successfully.

VPNs are Not a Shield:

This section is a bit technical, so feel free to skip it unless you believe a Virtual Private Network (VPN) is all you need to be secure on a public network.

Using a VPN is fine, but it does not shield your laptop from network sweeps, vulnerability scans, and other network attacks. You are still exposed to those attacks even if you use a VPN.

VPNs encrypt your data as it travels across the network. However, know that your data is encrypted anyway when you visit a website that starts with https:// whether you are using a VPN or not. The encryption may have been compromised or misconfigured on the site, but this is not common, especially on sites such as banks and other companies that are very careful about their site’s security.

A significant security advantage of using a VPN is that it helps protect against Adversary in The Middle (AiTM) attacks, where an attacker tries to insert themselves between you and the site you are visiting. These used to be called Man in The Middle (MiTM) attacks. Simplified, in an AiTM attack, the adversary convinces the bank that the adversary is you connecting to the bank. Then, the adversary tries to make your laptop believe the adversary is the bank. If the adversary is successful, they can read, change, insert, and delete data between you and the bank.

But keep in mind that if you are connecting via your phone or cellular hotspot, you needn’t be as concerned about an AiTM attack unless an attacker has compromised your phone carrier’s network, which is very unlikely. And, if you use a travel router as a firewall, many of them come with a VPN service if you want to enable it.

Outside of encrypting data in transit, the added benefits of using a personal VPN service, as opposed to your company’s, would be to hide what websites you visit, and you could disguise what country you’re in. However, many people avoid the VPN option since it doesn’t provide a shield against the attacks mentioned above, and using a VPN might make your data rate seem slower due to the VPN’s overhead and the network distance to the VPN server.

If your company uses a VPN, they might insist you use a VPN, or Secure Access Service Edge (SASE), to protect privacy.

Conclusion:

Connecting to a public network can be very risky. You are more secure if you connect to the cellular network via phone or cellular hotspot. If you must connect to a public network, strongly consider using a portable hardware firewall, commonly called a travel router.

Wishing you cyber-safe travels!

The post Vacations: Connecting at Coffee Shops, Hotels, and Airports Can be Dangerous to Cybersecurity – Here are Alternatives appeared first on Foster Institute.

The Risk: When Convenience Becomes a Liability

Imagine this: You’ve visited a coffee shop and connected your smartphone to their Wi-Fi network. Your device remembers this network to connect automatically next time. Seems harmless, right? Here’s where the risk creeps in.

Once you tell a device to automatically reconnect to a remembered network in range, your device will continuously send out “probes” or signals looking for that network, typically one to four times a minute and more often when other events can trigger a probe. A threat actor can set up a Wi-Fi access point with a common SSID name, such as “home.” And what if your device is configured to automatically connect to a network you trust named “home?” When your device, say your smartphone or laptop, is within range, it might automatically connect to this rogue Wi-Fi network without your knowledge.

The Trap: A Deceptive Doppelgänger

This rogue network, set up by the threat actor, is a doppelgänger of your trusted network but with nefarious purposes.

Remember: Your device connects to the rogue access point automatically and often without alerting you at all. (see “what about passwords” below). This attack does not need you to make any mistakes to succeed, and it can happen without your knowledge.

Ten common network names threat actors can use that will often lure devices from unsuspecting users to connect include:

• xfinitywifi
• linksys
• Marriott_Guest
• Hyatt
• hhonors
• NETGEAR
• Guest
• dlink
• FreeWifi
• Home

To make it even easier to connect, there are commercially available devices that listen for the SSID name in a probe from an unsuspecting user’s device and then broadcast that name in an effort to capture the device’s connection. In that case, it doesn’t matter how unique your SSID is, an automated device can attempt to establish a connection without your knowledge. If you are technically minded, you can read the section at the bottom of this article for a detailed explanation of how probing works.

Once connected, the attacker can intercept your device’s data. This interception could be called a “Man-in-the-Middle” attack. Thanks to encryption technology, the attacks are more complicated than they used to be, but they are still possible in some circumstances. If the attacker successfully establishes the Man-in-the-Middle connection, imagine sending confidential emails, accessing your company’s financial data, or even logging into your personal banking app, all while an unseen cybercriminal is potentially recording every keystroke and data transfer.

Another serious concern is if threat actors know of undiscovered vulnerabilities that will allow them to hack into your device. This is one of the most important reasons to always apply security updates when they are released and always keep backups for the unlikely scenario of an update causing a problem on your device. Even if you applied all of your security updates, sometimes attackers know of ways to break in that haven’t been discovered by the device’s manufacturer, operating system producer, or app developer yet. Thus, there are no updates written. Bad actors can use tools to scan your device and exploit vulnerabilities quickly. Their ultimate goal would be to take control of, or pwn, your device. This isn’t always easy if you have all your updates in place, but it isn’t impossible either.

The Consequences: A Digital Pandora’s Box

The consequences from attackers successfully tricking your device into connecting to their rogue access point and exploiting vulnerabilities can range from private information exposure to significant breaches:

1. Personal Data Theft: Sensitive personal information can be stolen.
2. Corporate Espionage: Confidential business information could be compromised.
3. Identity Theft: Your digital identity could be used for fraudulent activities.
4. Network Infiltration: Once a device is compromised, it can serve as a gateway to your business’s entire network.

Prevention: Turning Awareness into Action

As executives, instructing your workers to implement security measures is crucial. Here are some actionable steps you can take in the Wi-Fi settings of your laptops, phones, and tablets:

1. Forget Networks: In your device’s Wi-Fi settings, examine the network names identified as “remembered” or “my networks.” Tell your device to ‘forget’ networks by removing them from the ‘my networks’ list, except those you use frequently. Were any of the ten listed above remembered on your device? To establish the unauthorized connection, the threat actor would need to use the name of one of the networks you leave remembered or use the device mentioned above that responds to probes for names your device sends.
2. Avoid a False Sense of Security: If your device has the “Ask to Join Networks” setting, read the fine print. The device will still join known network names without asking. The setting is usually more about asking before joining new or unknown networks, rather than known ones.
3. Turn off Wi-Fi When You Aren’t Using it: To reduce your exposure dramatically, disable Wi-Fi when you are not using it. Your device will stop probing, stop listening for access points broadcasting their name, and won’t connect to any Wi-Fi networks. Some devices have a quick shortcut to turn off Wi-Fi from an easily accessible menu, but they might turn Wi-Fi back on again after a while or when you move to a new location. On those devices, if you go into “Settings” to disable Wi-Fi, it should stay off until you manually change the setting to “on” again.

What about Wireless Passwords?

If the original remembered network you connected to, such as the coffee shop network, had no password, your device would join the network automatically and not alert you. This is a common risk with some remembered networks. You may have noticed that many hotels and some coffee shops and restaurants now require no Wi-Fi password; this is undoubtedly to reduce guest frustration and the number of calls from hotel rooms to the front desk asking for the password. The prevalence of public networks without passwords makes it especially important for you to tell your device to forget networks and be sure to forget the ones with no passwords.

However, if the “remembered” network did have a password, then to get your device to connect automatically without warning you, the threat actor will need to set the same password on the rogue access point. It is simple for an attacker to know the password for coffee shops and other networks that share the password with guests.

Many companies will set passwords on networks and hopefully don’t write the password on dry-erase boards in the meeting room. Even if the passwords are configured at the company, and users do not know the password since the IT Professionals configure their computers, if an attacker is able to access one computer, in-person or remotely, there is a chance they can run a script to find out the wireless password for the company. This is why some companies use enterprise-level Wi-Fi authentication that does not rely on a shared password.  Or, attackers can use social engineering to successfully trick a user into providing the network password. If a user’s device doesn’t detect any anomalies between the rogue access point and the access point it is used to connecting to, the user will not be alerted they are connecting to a rogue access point, and their device will connect automatically.

An exception that might generate an alert is when there is a discrepancy between the security settings of the known network and the one to which the device is trying to connect. An example is when the rogue access point does not have a password, but the remembered network does. In this case, some devices will prompt you: “Are you sure you want to join this network?” The default button, “join,” is preselected. Unless you are on the lookout for this kind of message and know the seriousness, you might click “join” and not think anything of it. Sometimes, the device will connect and not alert the user but will quietly list the word “open” or “insecure” under the network name on the list of networks under settings. Most people do not periodically look at the Wi-Fi settings, so the label often goes unnoticed. Even if a user does notice the label, there is a good chance the attacker already probed for weaknesses and exploited any vulnerabilities they discovered.

However, if you ever see a prompt asking you to re-enter a password, that is a huge red flag, and you need to assess the situation carefully to determine if your device is attempting to connect to a rogue access point with an inaccurate password.

And to be sure you don’t have a false sense of security, remember that devices do not prompt the user if the security settings of the new network match those of the remembered network, and the device will quietly automatically connect even if it’s a rogue access point.

What about a VPN?

A Virtual Private Network (VPN) is a technology that encrypts data as it moves to and from your device. This encryption can prevent attackers from reading your data. However, it’s important to note that a VPN doesn’t protect you from attackers who scan for unpatched vulnerabilities, search for open ports, and exploit weaknesses on your device. Even if you use a VPN, you’re still vulnerable to such attacks. Follow the instructions above to help ensure your online safety.

Final Thoughts: Balancing Convenience with Caution

In today’s fast-paced digital world, convenience often beats caution. However, in the realm of cybersecurity, this trade-off can have dire consequences. As leaders, our role extends beyond making decisions; it includes understanding and mitigating the risks associated with the technology we use every day. Stay safe, stay informed, and lead your organization confidently in this digital age.

Technical Details About the Probing Process

For the more technically minded, here is more information about the probing process. When we say that devices are constantly probing, they are, and the probing might be once every 15 to 60 seconds. The probing frequency can vary, for example, if you put your device in low battery mode.

In addition to devices probing, know that Wi-Fi access points, including rogue access points attackers use, broadcast their network name, a process called beaconing, sometimes as often as ten times every second. The rate of beaconing is usually configurable by your IT Professionals.

If you look at “available networks” in “settings” on your device, you might notice that the list takes a few seconds to build because your device is cycling through multiple Wi-Fi frequencies, listening for the beacons.

An interesting setting not everyone is familiar with on wireless access points is that you can instruct the access point to be “hidden.” If you do, then the access point will not send out beacons. However, hidden networks, while not broadcasting their SSID, will still respond to direct probes that contain their SSID name. So, as soon as your device sends out a probe looking for the remembered hidden network, which it does regularly, as described above, the access point will respond, and your device will connect. Just because a network you “remembered” is hidden at your home or office doesn’t affect a threat actor’s ability to lure your device into connecting to their rogue access point, even if the hacker’s access point is not hidden.

Additionally, to reduce the delay in connecting, your device will send immediate probes in certain circumstances, such as when it wakes from sleep, when you open your laptop’s lid, or if you just disabled airplane mode. Your device will quickly find access points, even rogue ones, especially if they are “remembered.”

A significant benefit to attackers of your device probing periodically, such as every 15 to 60 seconds, is when the attacker doesn’t already know the network names your device has remembered. The attacker tools wait for the probe, then know the name, and the rogue access point automatically claims to have that network’s name. This is a very powerful way for attackers to capture as many unsuspecting users as possible without needing to predict the names of remembered networks.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post Outsmarting the Invisible Threat: How Cyber Attackers Hijack Your Wi-Fi Connections and How to Protect Yourself appeared first on Foster Institute.

To combat this, Apple’s iOS 17.3 introduces “Stolen Device Protection”. Here’s why activating it is crucial:

1. Face ID/Touch ID Requirement: Your iPhone will require your Face ID or Touch ID to turn off lost mode or erase the phone.
2. Time-Delay Security: Changes to your Apple ID password, iPhone passcode, and key settings now have a one-hour delay.

Settings for Theft Protection:

• Quick Tip to find specific settings: Open Settings, swipe down slightly, and use the search box that appears at the top. You will find all of the settings in bold text by searching in Settings:
• Software Update: iOS 17.3 enables Stolen Device Protection.*
• Backup: Check your backup status by searching for Backup in Settings.
• Use Face ID or Touch ID so potential thieves won’t see you enter your passcode.
• Activate Stolen Device Protection:This is the new setting that spurred me to write this blog for you
  
• Ensure “Find My” is enabled on Apple devices. Use iCloud.com/find or the Find My app to be sure tracking works.

Other Essential Steps:

• Have alternate login methods for resetting passwords for apps and websites that use multi-factor and two-step logins.
• If you use authentication apps, ensure you configure ways to generate codes or recover keys if you lose or erase your phone.

If Your Phone is Stolen:

• Act Fast: Use iCloud.com/find or the Find My app to enable “lost mode” and track your phone.
• Consider Carrier Notification: They can disable phone calls and cellular data but might limit Find My functionality.
• Device Erasure: If you have backups, and ways to recover keys in authentication apps, use Find My to erase your device to help prevent data access.
• Password Resets: If not erasing your phone, consider resetting passwords for critical accounts if passwords are stored on the phone or if apps login automatically.

As always, threat actors will seek ways to bypass this protection. As of now, this feature is a huge leap forward to protect an iPhone and iPad from thieves who see the passcode. Congratulations, and thank you, Apple!

*If your phone or tablet is too old to update to iOS version 17.3 or newer, see https://fosterinstitute.com/be-prepared-know-the-impact-of-iphone-theft-and-what-to-do-right-now/. for recommendations.

Note: Testing the Stolen Device Protection feature at home may not work, as Apple devices might waive the strict requirements in familiar locations like home or work. You can read all of the details about Apple Stolen Device Protection for iPhone here: https://support.apple.com/en-us/HT212510

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post Safeguard Your Apple iPhones and iPads: Activate the Latest Theft Protection Setting Now! appeared first on Foster Institute.

The race is on. They’ll step around a corner, unlock your phone with your passcode, click on settings, Apple ID, and reset your Apple ID password. All they need to know is your passcode to the phone. Your phone asks them, “Sign out other devices using your Apple ID?” Of course, they know to say yes.

Update on January 27, 2024: Apple has a new feature called Lost Device Protection released with iOS version 17.3 that helps solve this problem. Learn more here: https://fosterinstitute.com/safeguard-your-apple-iphones-and-ipads-activate-the-latest-theft-protection-setting-now/

They know that if you put the phone in Lost Mode, they have the passcode and can unlock the phone immediately. You might have your Apple ID protected with two-factor authentication; good work! But the second step of the verification process displays a verification code on your trusted devices. Unless you set your phone otherwise, the thief has a trusted device. Unless you posses a trusted device tied to your Apple ID, you won’t see the verification code, and your attempt to log in will fail.

At this point, only they can perform any functions that require you to enter your Apple ID and password.

Strive to Intervene:

The process only took seconds. It is unlikely you can stop their next moves quickly enough.

Perhaps your friend walked up as the thief was running away. Thinking you might win the race, you grab in a friendly way, of course, any device they have with Internet access and open https://appleid.apple.com. Enter your Apple ID and your password quickly! Remember, the bad guy is around the corner racing you. Then, guess what? Unless your friend’s device is a trusted device on your Apple ID account, you won’t see the secret code you need to log in. The thief will see the code on your stolen phone’s screen, and they’re laughing but admire your trying. You never had a chance in that race. Read more below about setting up Recovery Contacts and Recovery Keys.

But a way to win and be faster than the thief is if you have your second iPhone in your pocket booted up and connected to the Internet. If so, scramble to be the first to open settings, Apple ID, scroll down through the devices, and log out the stolen device. Reset your Apple ID password. Great job! You did it! They can use the phone and most apps, but at least they cannot take over your Apple ID. Keeping two iPhones connected to your Apple account with you will help if one gets stolen.

Or, a more likely scenario than having two phones, maybe you happen to have your Mac open on the table in front of you the moment the phone is stolen. Assuming you weren’t using the phone as your hotspot, quickly click on the apple symbol in the top left corner, choose system settings, Apple ID, password & security, change password, find the stolen device in the list at the bottom of the menu, log it out, and reset your Apple ID password. Whew! They’re not going to gain control over your Apple ID. But they can still use your apps, log in to bank accounts, and access your company email, so you’ll need to reset all those passwords too.

Will you win the race, or will they? Maybe you want to practice the process a few times.

More Things the Thief Can Do to Affect You:

As you read this, do not be terrified. You can relax and remember this scenario assumes a thief has stolen your phone after watching you enter your passcode and memorized it. Hopefully, that will never happen to you, and it is good to be aware of some consequences, your response, and some preventative measures so you can educate your friends.

Since the thief knows the phone’s passcode, they can reset the Apple ID password. Then they can log in to your Apple account and affect your other Apple devices, including Mac laptops and computers connected to your account.

Then the bad actor can access your device’s Keychain, Apple Pay, Apple Cash, and other sensitive information. They can reset the Apple account’s recovery key. The thief can turn off location services so the phone cannot be tracked. They can change the Apple ID account’s trusted phone number and email address to make it even more difficult for you to regain access to your Apple account. They can change Face ID and Touch ID to their face and finger. They devastated your digital world and will start to steal your money and wreak havoc in your life. And don’t blame Apple; blame the bad guys.

Chances are that most of the apps on your phone will still work even if you log the device out of your Apple account. If the apps remember your passwords for you, then the attacker can use the apps. If you have a password manager that automatically fills in passwords without asking you to prove you are you, the password manager will also fill in passwords for the thief.

And if any of your apps, bank, email, or other services send a text message to your phone to verify your identity, and the thief has your phone, they will get the text message to authenticate and can impersonate you.

And any tools you have that rely on Apple’s Face ID or Touch ID to confirm your identity, if the thief resets Face ID or Touch ID on your phone to their face or finger, they’ll have access to those tools too.

Continue Immediate Steps:

You’d better rush to reset passwords to financial and other sensitive services. See the section on multi-factor authentication below.

Contact your phone service provider and convince them to disable your stolen phone’s ability to call or receive text messages until you buy your new phone.

Reset Passwords on all your other accounts for email, online payment tools, social media, cloud storage, and more. Apple devices, including the stolen phone, are very powerful for running apps, accessing email, using web applications, and more, even if the thief does not know the password for your Apple ID. If a thief has your phone, you have many passwords to reset quickly.

Keep trying to regain control over your Apple ID account. You can download the Apple Support App on your friend’s Apple device and initiate a process that will allow you to set a different phone number for the Apple ID verification process. Still, you must have access to the email address associated with your Apple ID to receive an emailed verification code. If you pass that verification, then endure a waiting period of at least 24 hours. The recovery process is similar to recovering your account at https://iforgot.apple.com/. The thief can cause much trouble during the day or longer wait. Read more below about the preventative step of setting up Recovery Contacts and Recovery Keys. More information about the recovery process: support.apple.com/en-us/HT204921. Apple’s guidance if someone gains control of your Apple ID: support.apple.com/en-us/HT204145.

Some people would advise you to not remove the stolen phone from your Apple ID account. If you do, you will lock yourself out of many ways to recover the phone, although the thief can block many of the protections because they know the passcode.

Multi-Factor Authentication:

An essential protection strategy is configuring multi-factor authentication, such as facial recognition, on apps and websites that support MFA. However, many two-factor authentication techniques rely on you having access to your phone.

It can be complicated to reset passwords on your sites and apps using multi-factor authentication if the second factor goes to the stolen phone’s phone number or relies on you having your phone for some other step. If you set up the MFA to send a text message to the phone, and the thief has your phone, they will see the text message, and you will not.

That might spur you to get a new phone and transfer the phone number to your new phone ASAP before the attacker logs into your apps and sites and changes the verification phone number to a number only they can access, and locks you out.

For websites or services that only support text messages for the second step, consider having text messages go to a device other than your phone.  Consider investing in an inexpensive flip phone with a different phone number to receive text messages. If the website or app supports other options for the second factor besides only text messages, consider how a phone thief could bypass them.

For example, if MFA involves an email message, if the thief can easily access your email on your stolen phone, it defeats the purpose of MFA. If you set up email as the second step, use an email address that requires some other form of authentication or is unavailable on the phone. Ensure email messages do not pop up on the preview screen when received.

Or, do everything possible to prevent an attacker from stealing your phone and knowing its passcode.

If you use passkeys, be sure to see this blog posting: https://fosterinstitute.com/the-risk-iphone-theft-poses-to-your-passkeys-and-what-to-do-now/

Prevention:

To Apple’s credit, and they deserve a lot of credit, they are taking many steps to fight this problem. They must balance the phone’s usability with security, and their multiple advanced security controls are extraordinary, and their responses are highly effective. In the constant game of cat and mouse between those who want to protect you and those who wish to harm you, there might be better defenses when you read this. As of now, here are some essential steps to protect yourself:

One of the most helpful defenses is to be cautious about where and when you enter your passcode. Hence, attackers never find out your passcode. An attacker must know the passcode to the phone as part of resetting the Apple ID password. Using an alphanumeric passcode would be more difficult for a bad actor to read from a distance than a four or six-digit passcode.

Another strategy is to use facial or fingerprint recognition to unlock the phone. That would be Face ID, or Touch ID when available, on Apple devices. If the user doesn’t type their passcode into the phone, nobody can “watch the victim type their code” into the phone. If Face ID won’t work due to lighting conditions or some other factor, rather than entering the passcode, you could move somewhere safe where Face ID works.

Even if the attacker holds the phone in front of the victim’s face and the phone unlocks, the attacker still won’t know the passcode to reset the Apple ID account password. Furthermore, Apple’s Face ID settings have an option called “Attention Detection,” so if the user is unconscious or drugged, the facial recognition will refuse to unlock the phone. Unless the thief coerces the victim to tell them the passcode, the thief cannot reset the Apple ID password.

Consider using a password manager rather than the Keychain that is tied to the Apple ID. If the user doesn’t use the Keychain to store passwords and uses a password manager such as 1Password, LastPass, NordPass, or others, then the thief knowing the phone’s passcode does not give them access to passwords stored outside of the Keychain. Ensure your password manager’s settings force you to enter a passcode and do not use the same passcode as the phone.

Before everything seems hopeless, remember this disaster starts when a thief sees you enter your passcode and steals your phone.

Be Proactive:

Erase your SSN, NI, DL, Passport, or other sensitive information anywhere you’ve stored it, whether in text, contact records, photos, and everywhere else. The thief will search for that information and use it to open accounts, take out loans, and perform other identity theft compromises.

And obviously, don’t share your passcode with anyone other than, if you are going to share it, a family member or close friend you can trust with the key to your digital world.

If you’ve not done so recently, visit appleid.apple.com to update all of your personal or security info. Look for an email address that is not yours. Be sure you recognize the devices in your account.

While you are there, consider setting up someone you trust who has an Apple device as a Recovery Contact who can vouch for you and generate a code to help you recover your Apple ID. They cannot access your data, only verify your identity if you lose access to your Apple ID. Details: support.apple.com/en-us/HT212513

You could set up a 28-character Recovery Key to print out and store in multiple secure locations to help you recover your Apple ID. But be careful. If you choose to have a Recovery Key, and lose the 28-character key, even Apple cannot help you recover your Apple ID. Details: support.apple.com/en-us/HT208072

You’ll see an option to set up a Legacy Contact who, with access to your death certificate, can access your photos and text messages but not passwords. Details: support.apple.com/en-us/HT212360.

Stay current on updates. Rarely do updates create security issues; more often they provide protection against ways attackers find to bypass security.

If you lose access to your Apple ID, you could permanently lose access to your photos of you, your friends, and your family. This underscores how important it is to keep backups of your Apple photos and videos in case someone takes over your Apple account: https://support.apple.com/en-us/HT209454.

Reality Check:

Rather than go through life fearing what could happen, reduce the damage you can suffer and the likelihood of something terrible happening. Continue to recognize and avoid dangerous situations and locations. Keep your phone secure, never enter your passcode when someone can see you, and take the preventative and proactive steps above. Now that you know the risks, your subconscious will alert you to dangers more than before.

Examine your risk tolerance. Balance the likelihood of someone stealing your phone against the damage a phone thief can cause you. If you need to be super-secure, you can reevaluate your practices based on the information contained within. Some people might take some steps to reduce the danger and accept what risk is left. Others might leave their phone locked safely at home more often when they go out.

With the advent of AI, attackers will find new ways to steal, but AI will also help develop new ways to prevent attacks. Everything is changing so quickly on both sides. When you read this, perhaps additional protections are available to help keep you, your organization, and your loved ones safe.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post Be Prepared: Know the Impact of iPhone Theft and What to Do Right Now appeared first on Foster Institute.

If you want to know more about passkeys: https://fosterinstitute.com/the-rise-of-passkeys-a-paradigm-shift-in-authentication-technology/

To gain the most value out of the information below, first review the details about how a stolen phone creates an authentication disaster: https://fosterinstitute.com/be-prepared-know-the-impact-of-iphone-theft-and-what-to-do-right-now/

As mentioned above, if your phone with passkeys is stolen, the thief can access your accounts and deny you access. Because passkey technology and strategies are constantly evolving, there might be more solutions when you read this. As of now:

One possible solution would be storing the passkeys in a password manager, not the Keychain. Then, as long as the attacker cannot unlock the password manager, the attacker will not have access to the passkeys. And if an attacker destroys the passkeys in the Keychain or blocks access to your Apple ID and thus Keychain, you would still be able to access your passkeys since the passkeys are stored in the password manager. The password manager NordPass advertises allowing users to create, store, and share passkeys between their devices. The password managers 1Password and LastPass have announced they will support storing passkeys soon. As you read this, other password managers might support storing passkeys too.

Without using a password manager to store passkeys, another way to protect passkeys would be to set up passkeys in multiple environments. Many iPhone users have a Windows desktop or laptop too. Or they might purchase an Android device where they could configure passkeys. Even if an attacker resets the Apple ID password or deletes the passkeys from the Keychain, thus blocking the victim’s access from all their Apple devices, the victim can still access their sites protected with a passkey generated using their Windows or Android device. Then they can revoke the passkeys created in their Apple ecosystem to prevent the attacker from authenticating from the stolen phone.

But unless users have them already, it is extra trouble and expense to buy a Windows computer or Android phone and remember to set up passkeys on two different devices. Someday, the technology created for convenience might allow the same passkey to function across Apple, Windows, and Android devices. That would render this strategy ineffective, but it could be a long time before such cooperation comes to fruition. A drawback of having more than one device is it gives thieves more opportunities to steal. Thus, using a password manager to store passkeys is a better option for many unless they distrust the security of password managers.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post The Risk iPhone Theft Poses to Your Passkeys and What to Do Now appeared first on Foster Institute.

Passkey authentication can be configured to be very secure based on four conditions:

1. You must have your mobile device with you. (An attacker is unlikely to have the device with them.)
2. You must be able to log in to your mobile device using facial recognition, a fingerprint, PIN, pattern, USB token, etc. Some people call passkeys a “Face” or “Fingerprint” sign-in.
3. Your device must have a unique key assigned to you that ties to a unique key at the site or application.
4. If you log into a site or application from a computer, the mobile device must be physically close to the computer where you’re logging in.

Passkeys are new, and there is varying support for specific browsers, operating systems, and devices.

Tips for Using Passkeys:

1. Start setting passkeys up on your mobile device, such as a smartphone, before you use your computer.
2. If the website or application does not allow you to set up a passkey on your computer:
   • Look for and select an option on the computer that says, “Use a passkey to log in,” Your computer will display a QR code image.
   • Use your phone’s camera to scan the QR code image displayed on your computer.
   • After scanning the QR code, your phone completes the passkey login process.
3. It’s essential to confirm that passkeys work on all devices and browsers before disabling the old login method for each website or application. This way, you can avoid problems accessing your account if the passkey login method doesn’t work on some of your devices or browsers.

As the adoption is just starting, you might discover limitations or frustrations, but they’ll disappear soon. Some people have great luck experimenting with setting up their first passkey at best buy dot com even if they don’t shop there.

Apple uses the Apple Keychain to store a passkey that should work on all your Apple devices after enrolling one. Google uses the Google Password Manager in the Chrome browser and Android. Microsoft uses Microsoft Hello. Some password managers store keys.

Mobile device backups and some password managers are designed to back up the passkeys in case you lose your phone. If you do lose your phone, it is a good idea to go to the apps and sites to set up a new key and disable your old key. One concern is that, if an attacker can access your backups or the passkey manager and obtain a key from there, they might find a way to bypass passkey protection. But that doesn’t necessarily make passkeys less secure than other authentication methods; they may well be the best protection available when implemented properly since they offer so many benefits:

1. Users cannot be tricked into giving away passkey values they do not know in social engineering and phishing attacks.
2. Since passkeys come in unique pairs, users cannot re-use passwords, another user mistake that leads to compromised passwords.
3. Keyloggers cannot capture passwords since users are not typing passwords.

Your IT team might choose to eliminate your existing Multi-Factor authentication process since using passkeys involves multiple factors already. Unlike SMS text messages, passkeys cannot be redirected to attackers. Passkeys are immune to MFA Fatigue addressed here https://fosterinstitute.com/mfa-fatigue-the-hidden-danger-and-how-to-combat-it/

Please forward this to your friends so they can explore eliminating passwords and eventually start adopting passkeys as Passkey support expands.

Prepare yourself for what would happen if an attacker steals a phone containing passkeys: https://fosterinstitute.com/the-risk-iphone-theft-poses-to-your-passkeys-and-what-to-do-now/

Technical Details – If You are Interested

You do not need to know this to use passkeys. But if you wonder how these keys can be so secure, read on.

Passkeys are much more secure because passkeys come in key pairs. When you use one key of the pair to lock something, you must use the paired key to unlock it. Only the paired key can unlock what the first key locked.

So for each site or application you set up to use a passkey, your mobile device generates a pair of keys:
– A unique private key for that site or application is stored on your device.
– A paired key that your device sends to the site or application which stores the key just for you.

If you have a passkey set up for 100 sites or applications, your device will store 100 keys. Sites that have 100 million users will have 100 million keys. Each key is half of a pair. The private key must be kept secret on your device to be secure. Even if attackers access all the keys for a site or application, your account is still protected since they won’t have the second key stored solely on your device.

If you want to get more technical and understand why passkeys are so resistant to person-in-the-middle attacks: Websites that start with https:// and most web applications use PKI encryption to protect data during transit. SSL (deprecated) and TLS (use the newest version) protocols use public-private key pairs to initiate a multi-step process to secure traffic to websites or web applications. Attackers can use person-in-the-middle attacks to defeat that encryption. They generate key pairs to make the user’s connection think the attacker is the website and make the website believe the attacker is the user’s connection. Bad actors insert themselves between the user and the website and can access the data as it goes through their connection.

When a user creates a passkey, the user’s device generates a key pair. It stores one key locally on the device and sends the other to the site or application for passkey authentication. The site or web application stores a unique key for each passkey a user generates. The secret key never leaves the user’s device during the authentication process, and the unique paired key is stored at the website or application. Hence, passkeys are extremely resistant to person-in-the-middle attacks.

Where supported, consider using passkeys. Hopefully they’ll be the common standard soon.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post The Rise of Passkeys: A Paradigm Shift in Authentication Technology appeared first on Foster Institute.

When you eliminate passwords:
– You don’t need to worry about creating, forgetting, or re-using passwords because you don’t use passwords.
– IT Helpdesk Professionals save time since they don’t have to help users who forget their passwords.
– Hackers will not try to trick users into disclosing passwords because the user won’t know passwords.

Microsoft, and others, continue to make their big push for people to go passwordless.

Alternatives to Passwords:

Today, determine where and how you can eliminate passwords from your life. Focus on using:

Something you have:
– A USB Token such as a YubiKey
– A proximity badge you wear around your neck or carry in your pocket
– An authenticator app on your smartphone or tablet
– A text message, phone call, or email with a one-time code

Or, something you are:
– A fingerprint scan
– Facial recognition
– Eye recognition

And the real magic is when you combine two for multi-factor authentication (MFA) without passwords.

Note that USB tokens can include fingerprint scanners for built-in MFA. Your IT Team might need to get creative using mobile phone technology to accomplish both. If you decide to use push notifications, be sure to refer to https://fosterinstitute.com/mfa-fatigue-the-hidden-danger-and-how-to-combat-it/

There are few ways attackers can exploit some of these login methods, and your IT Team can help you shore up weaknesses. Visit with your IT Team about ways you can eliminate passwords. Be sure they’ve seen this post: https://fosterinstitute.com/the-risk-iphone-theft-poses-to-your-passkeys-and-what-to-do-now/

Know About Passkeys:

Be sure you, and your IT team, know about passkeys. Passkeys are the future, and the future is arriving now: https://fosterinstitute.com/the-rise-of-passkeys-a-paradigm-shift-in-authentication-technology/

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post Ditch Passwords for Good: The Ultimate Guide to Passkeys and Passwordless Authentication appeared first on Foster Institute.

If you have malware on your phone, tablet, or computer, it could be recording images of your screen as you type. If the malware can only see dots, your password is safe from “shoulder surfers” looking at your screen from thousands of miles away.

Additionally, if you use language translation or other browser plug-ins that read your screen, your browsers could be “reading” the text on your screen. If web applications or websites display your actual password, it might get transmitted to strangers without you realizing it.

It can be frustrating not to see your password as you type, but there is a good reason beyond knowing the person next to you isn’t watching your screen.

For information about preventing malware on your systems, please visit the Foster Institute Blog at fosterinstitute.com/blog

The post Know Why Web Application Providers Show Dots when You Type Your Passwords appeared first on Foster Institute.

If you know what MFA is, you can skip this paragraph. The most common first step of MFA is for users to enter their username and password. They receive a text message with a code to complete the login process. Alternatively, the user might have an authenticator app on their phone that provides a code. Another option is for the user to receive a “push” notification asking the user to approve the login through the app. The latter is sometimes referred to as one-tap login. There are other options for the factors, including approving specific computers, geo-location, USB hardware keys, and biometrics, including fingerprints, facial recognition, and iris scans. There are pros and cons to each.

Summarized steps you can take to help protect yourself from attackers bypassing multi-factor authentication:

= Know how to protect yourself against a thief stealing a phone if MFA uses text or email messages as the second step.
= If supported, instead of a code number from a text message or authenticator app, consider using a USB token, fingerprint, or facial recognition for the second factor.
= Reduce the duration a code is valid. For example, perhaps change the code every 60 seconds so an older code won’t work.
= Limit the number of failed login attempts in a specific period.
= Implement web content filtering to help protect users from being exposed to fake login screens.
= Limit logins to specific countries.
= If users primarily use the same device, restrict logins to specific devices.
= Train users to beware of fraudulent login prompts.

Please see the details below:

If MFA to sends a text message to a stolen phone, the thief might see the text message. For websites or services that only support text messages for the second step, consider investing in an inexpensive flip phone with a different phone number to receive text messages. Similarly, if MFA involves an email, and the thief can easily access your email on the stolen phone, it defeats the purpose of MFA. Therefore, if you set up the two-step login with email as the second step, use an email address that requires some other form of authentication on the phone to access email messages. Ensure email messages do not pop up on the preview screen when received.

Another way attackers bypass MFA:
Step 1: Trick the user into clicking a link that takes the user to a fake login screen for Microsoft 365, LinkedIn, or any other valuable site.
Step 2: The user enters their username and password into the fake login form. Now the attacker knows the user’s login name and password.
Step 3: The attacker’s computer pulls up the genuine login form and enters the username and password the victim just provided.
Step 4: The legitimate website sends the user the text message, sends a push notification, or performs another second factor the user is used to. The user expects this, and the process seems normal to them.
Step 5: The attacker can create a fake form for the user to enter the code from their text message or app. When the victim enters the data, the attacker’s computer inserts the data into the genuine website. If the user received a push notification, they could approve the login because the user believes they are indeed logging into the site.
Step 6: The attacker is logged in and has the user’s full access. The attacker needed no previous knowledge of the user’s username, password, or text key.

One strategy to fight his kind of attack is to use a second factor that isn’t a text code. For example, a user doesn’t need to enter a code if the second factor is a fingerprint or USB token plugged into the computer. The user cannot enter that information into a fraudulent login screen.

Another common strategy attackers use to bypass MFA is to reduce the time an OTP (One Time Password) code can work without the user requesting and receiving a new text message or generating a new code in the authenticator app. Shorter expiration times mean the attackers must use the stolen credentials and second factor to log in more quickly.

Another strategy, though slightly less effective but can be used in conjunction, is to limit the number of failed login attempts within a period. An example rule is if there is a failed login attempt for a user account three times in a row within five minutes, lock their account so they cannot try logging in again for ten minutes.

A useful cybersecurity control that is underutilized is conditional access by country. If your users will always log in from specific countries, block logins from all other countries. That will make it more difficult for foreign adversaries to compromise your users’ accounts. Identifying a user’s location is sometimes referred to as geolocation.

Another method to bypass MFA is to use social engineering to trick the user into disclosing their username, password, and code or another second factor. A typical example is for a bad actor to contact a user, impersonate a technical support person, and ask the user to provide the information to help prevent some fake problem that doesn’t exist. Some trusting users walk the attacker through the login process, bypassing the protection of MFA.

Another strategy bad actors use is called MFA fatigue. The hacker will make so many attempts to log on that the user finally tires of receiving push notification alerts. The fatigued user approves the login to make their phone be quiet, and the attacker is in the system.

Attackers could use SIM Swapping to reroute calls and text messages to their phones. Therefore, text and callbacks can be less secure than other second factors. However, many sites only offer those two options.

As your IT team can tell you, there are more technical ways for attackers to bypass MFA by creating person-in-the-middle attacks using something called a proxy. Another strategy attackers can utilize is captured authentication cookies or tokens. Authentication can rely on digital key values that must be kept secret inside servers. If attackers get access to the keys, they can gain access.

Your IT Team can implement some form of web content filtering and configure it to block communications with known malicious sites and attacker command-and-control servers. This isn’t perfect because attackers frequently change command servers, but it helps.

Using SSO (Single Sign On) reduces the number of opportunities an attacker has to trick the user. Of course, the flip side is that if an attacker successfully gains access to the single sign-on, the attacker won’t need any other credentials to access everything the user can access.

User training is essential, as is keeping the computer safe.

As you can see, using MFA does not mean your authentication process is secure. Whenever a new security control is invented, someone finds a way to break it. The strategies above will help you be more secure.

Alert your friends to some of the ways attackers can bypass MFA. They might decide to consider using USB keys, biometrics, or cryptographic codes stored in a computer or hardware.

The post How Attackers Break Your Multi-Factor Authentication Protection and 7 Strategies to Protect Yourself appeared first on Foster Institute.

This so-called cyber-flashing is a growing problem with Apple’s AirDrop feature and Android’s Nearby Share feature that allow you to send and receive images, videos, and files from other users nearby.

Yes, you get prompted to decline or accept the image, but you cannot unsee the preview image in the prompt.

To protect yourself on your Apple device, Click on Settings, General, and AirDrop to choose Receiving Off, Contacts Only, or Everyone. I recommend you select Receiving Off. Temporarily enable receiving when you wish to exchange photos. Apple provides a detailed explanation of AirDrop at https://support.apple.com/en-us/HT204144

To protect yourself on an Android device, choose Hidden your Nearby Share settings. The steps will differ depending on your device and version: Settings, Connected Devices, Connection preferences, Nearby Share, and choose Hidden. Or your device might have you go to Settings, Google, Devices & Sharing, Nearby Share, and set Use Nearby Share to Off. You can learn more about Nearby Share at https://support.google.com/android/answer/9286773?hl=en

Bad actors strive to find ways to affect users of any brand and type of device and service. Please forward this to your friends, so they don’t receive shocking images via AirDrop or Nearby Share!

The post How to Avoid Receiving Disturbing Photos via Apple AirDrop and Android Nearby appeared first on Foster Institute.