An Australian Web Security Specialist, Troy Hunt, has compiled a database containing usernames that have been stolen in hacks and then published or sold. Some people use his site to look up their own email address or username.
His website is haveibeenpwned dot com. (In this case, Pwned refers to a condition of someone else having access to your login credentials.)

At his site, people enter their email address or any usernames they’ve used for online logins. Sometimes, they look up addresses of their family members. If there is a hit, the details of the breach are displayed on the site.

Even if not on the list, there is no guarantee that person’s credentials haven’t been stolen, but it still helps to know.

If you ever suspect that your login credentials to any website have been exposed, it is very important that you reset the password on that site, as well as any other sites where you may have used the same password.

There are other strategies to protect yourself. Enabling two-step-logon is very important these days since it can thwart attackers who know your username and password. Using a password manager, as opposed to letting your browser store passwords, can help make password security more convenient, but it still needs to be used carefully. These strategies are explained in detail elsewhere in this blog.

Forward this to anyone who might want to know if their username and password has been hacked.

The post More than 1 Billion Passwords Stolen – What to Do appeared first on Foster Institute.

This is the start of a new series called “What to ask your IT professionals.” This series will provide you, the busy executive, with quick and important questions to discuss with IT. This series empowers you, as an executive, to broach topics that don’t “come up” in ordinary conversation. The series addresses both security and best practices—and of course those two often go hand-in-hand already.

Here is what to ask your IT Professionals to help you protect your entire organization against “drive-by-download” attacks: “What security level is configured for the internet and for trusted web sites?”

Because web sites are one of the best ways for attackers to inject malicious software into your network, your users’ computers need as much protection as possible while still allowing them to effortlessly (effortlessly as related to their use of technology) do their jobs.

Modern browsers strive to make security settings easy and understandable by offering a few settings from which to choose. These are examples:

-High Security
-Medium-High Security
-Medium Security
-Pathetic Security but users will probably never complain

A really nice feature is that you can choose “High Security” by default and then make exceptions for specific sites that you trust.

When security is configured to high levels then, on occasion, users might receive a notice that “such and such web site is about to do a potentially bad thing. Is that okay with you?”

Though some won’t, every user who does heed the warning helps protect the security of your network.

Your IT Professionals know of strategies to reduce the number of “support calls” they would otherwise receive. Those strategies improve the users’ experience as well.

Too many IT security decisions are based upon the following notion: “Oh no! Will our users ever hear from their Guardian Angel? Let’s tranquilize her.” Because of this fear, by default from the manufacturer when the software is initially installed, most browsers use less-than-the-best security.

Ask your IT Professional to adjust, and at least discuss with you, the current settings on your organization’s browsers. The default security settings for untrusted sites are probably set too low.

Please forward this to your friends and post your comments below…

The post Is Your Guardian Angel Tranquilized? appeared first on Foster Institute.

An advertisement on Yahoo’s web site contained the malware. Yahoo removed the ad as soon as they were aware of the problem. The question to ask yourself is, “how many other sites contain malware?”

Striving to provide short newsletters is always a priority here, but in this case you may want to know more:

Having patches in place is always important. Please see: Single Biggest Way to Repel IT Attacks

Unfortunately, patches won’t help against zero-day attacks. Zero-day (also known as 0-day or “oh-day”) attacks exploit problems against which even the latest patch doesn’t protect.

A decision that would have stopped this attack from affecting you: Consider asking your IT department to disable Java on your network.

Your IT Pros may give you push-back on your request since, if your users constantly visit sites that utilize Java, IT Pros may get inundated with user complaints that some websites don’t work as expected. Notify your users ahead of time that you, as the executive, requested that IT implement this change.

Recently, when conducting an IT Vital Systems Review visit, I suggested to an IT Professional that he disable Java, and his initial response was, “No way. I might as well disable their ability to use the Internet entirely since almost all websites use Java!” As a result of the conversation that followed, he now knows that disabling Java won’t devastate users as much as he feared. But did he disable Java? No. His executives delegated decision making to him and that delegation “isn’t necessarily a bad thing.”

Even if this was brought to attention in the past, then an Executive, may decide to accept the risk of using Java. There are many risks and one of the big deliverables of partnering with an outside firm on security is that they can help your IT pros choose the best protection that costs the least money and doesn’t interfere with the user experience.

If you want to completely disable Java all by yourself on your own home computers, here are instructions: How do I Disable Java? Some of the instructions are out of date if you are using the latest browsers and OS (and I hope you are using the latest). Most of the errors related to only the first instruction about where you can find the settings:

-For Internet Explorer, depending on your configuration, you may find that the “Java Control Panel” is now called “Configure Java.”
-In Firefox, choose Tools > Add-ons.
-In Chrome, you access the Chrome menu by clicking on the icon that shows a stack of three horizontal bars. The icon is usually to the far right of the URL address bar.

Then follow the rest of the instructions.

In this attack, Windows Phones and Apple computers are not affected. If you run Windows on a Mac computer, you are still susceptible to the infection. Keep in mind that moving to Mac isn’t a panacea, and moving to a Mac may have consequences related to the interoperability with Windows machines at your office.

Additionally, it seems that European companies were the primary targets. That doesn’t “put you in the clear” and keep in mind that “visiting other sites besides Yahoo” isn’t safe either.

Yahoo is an example of a company that became aware of the problem. Many companies aren’t aware that their sites contain active infections.

There are other protections against these problems including:

-Content restrictions in browsers (we’ll deal with this next week)
-Using browsers only inside of virtual machines that reset each time you launch the virtual machine (complicates the user experience)
-Using application whitelisting Is Anti-Virus Obsolete?
-And more – and no protection is the cure-all.

Please post your comments below…

The post FYI: Were you online between 12/31/13 and 1/3/14? Your PC may be infected. appeared first on Foster Institute.