source: wired.com

You are, we hope, already protecting your phone with a PIN, a fingerprint, or a face (or all three), but sometimes you’ll want to add an extra barrier to particular apps—if you’re lending your phone to a friend, say, or if your kids or partner are always borrowing your phone for whatever reason.

How you want to apply this additional protection is up to you. Some apps come with it built in; in other cases you’ll need to enlist the help of a third-party app. The process is also different depending on whether you’re using Android or iOS, and so we’ve split our guide up into two sections.

Locking Apps on iOS

Apple doesn’t give third-party apps quite as much leeway on iOS as Google does on Android, so you won’t find any general-purpose locking tools in the App Store. Instead, you’re relying on the individual apps themselves—many apps that can hold sensitive information will give you additional options.

Apple’s own Notes app for the iPhone is one example. You can lock individual notes by tapping the Share button (inside a note) or long-pressing on a note (on the notes list) and then choosing Lock Note. Notes are locked using Face ID, Touch ID, or a PIN code, and you can set this via Notes in the iOS Settings app.

[Screenshot: You can lock Apple Notes individually on an iPhone. Credit: David Nield via Apple]

WhatsApp has protections in place as well to keep prying eyes out of your messages. From the main screen, you need to tap Settings, Account, Privacy, and Screen Lock—you’ll then be able to set up Touch ID or Face ID to guard access to your conversations. If either of those methods fail, you’ll get pushed back to your phone’s lock screen passcode.

Another third-party app with this same security measure is Dropbox, which is handy if you don’t want your toddler accidentally wiping all your files with an ill-judged finger push. Tap Account, then the cog icon (top left), then Turn Passcode On. When you’ve set a passcode, you’ll also be given the option to use Touch ID or Face ID as well.

We can’t guide you through every app on iOS, but have a look inside your favorite ones to see if an extra security layer has been included. Evernote, Amazon, and PayPal are three other apps that can be locked with Touch ID or Face ID, and many banking apps now have the same feature too, so even if someone gets access to your phone (with or without your permission), they can’t access all of your apps.

[Screenshot: Dropbox is one of the apps that supports Face ID and Touch ID on iOS. Credit: David Nield via Apple]

You have a couple of other tools you can turn to in iOS: They weren’t primarily intended for securing apps, but they can do the same job. The first is Screen Time, which you can access from Settings: If you tap Use Screen Time Passcode to set a passcode, then select App Limits and set the daily limit for an app to zero hours zero minutes, you’re effectively locking other people out of the app without the passcode.

Your second option is Guided Access, which you’ll find in the Accessibility menu in Settings. Once you’ve enabled it, open an app and triple-tap the side button or home button—you then won’t be able to switch to any other app without entering the phone’s passcode. It’s ideal if you want to let one of the kids play a game, but don’t want them to venture onto any other apps.


Locking Apps on Android

Android does let third-party apps control access to other apps, so you can install one of these app lockers and block access to any apps you don’t want other people snooping around inside. A passcode is usually required to gain access, though some locking tools can work with fingerprint sensors or face recognition.

Continue reading “HOW TO PASSCODE-LOCK ANY APP ON YOUR PHONE”

source: securityweek.com


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, and therefore provides the intruder with “the keys to the kingdom”.

According to a 2019 study, 74 percent of respondents whose organizations had been breached acknowledged that the incident exploited privileged account access. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials. By leveraging a “trusted” identity, a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front-ended by phishing campaigns. So, what can organizations do to prevent their users from falling for the bait of these attacks?

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security defines phishing as “an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails [or text messages] are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails [or SMS messages] often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user may then be asked to provide personal information, such as account usernames and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.”

Continue reading “PHISHING ATTACKS: BEST PRACTICES FOR NOT TAKING THE BAIT”

source: defenseone.com

The crypto agency has a list of questions for federal employees and contractors to ask as they choose a collaboration tool.

Video conferencing platforms Zoom and Microsoft Teams are both FedRAMP approved, but while Zoom offers end-to-end encryption, Microsoft Teams does not, according to the National Security Agency.

These are just two of nine factors the NSA cites in creating a guide to help federal workers choose commercial telework tools for “safely using collaboration services,” as necessitated by the coronavirus pandemic.

The guide, which NSA released Friday, applies only to commercial applications, and one strong recommendation from the agency is that, when possible, workers use U.S. government services such as Defense Collaboration Services, Intelink Services and others, which were designed specifically for secure government communications. But government workers still need to interact with external entities which might be sending them invitations via commercial applications, and the NSA has detailed a number of factors for them to weigh in deciding which ones to facilitate:

  • Does the service implement end-to-end encryption?
  • Are strong, well-known, testable encryption standards used?
  • Is multi-factor authentication (MFA) used to validate users’ identities?
  • Can users see and control who connects to collaboration sessions?
  • Does the service privacy policy allow the vendor to share data with third parties or affiliates?
  • Do users have the ability to securely delete data from the service and its repositories as needed?
  • Has the collaboration service’s source code been shared publicly (e.g. open source)?
  • Has the service and/or app been reviewed or certified for use by a security-focused nationally recognized or government body?
  • Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize USG official use?

Continue reading “ZOOM OR NOT? NSA OFFERS GUIDANCE”

source: darkreading.com


Mobile security experts share their go-to advice for protecting iPhones from hackers, thieves, and fraudsters


Now more than ever, we depend on smartphones to keep us connected to each other, to our employers, to our finances and healthcare providers. We use our phones to shop, bank, and access corporate applications and information. But are our iPhones as secure as they could be?

“iPhone owners tend to feel more confident in the security of their phones than Android owners, and for good reason,” says Randy Pargman, former FBI computer scientist and senior director of threat hunting and counterintelligence at Binary Defense.  

But that doesn’t mean iOS is immune to security issues. Back in April, we learned attackers had been exploiting two unpatched iOS vulnerabilities since at least January 2018. Last year, researchers discovered that more than 20,000 iOS apps had been published without App Transport Security (ATS), a set of rules and app extensions Apple built as part of the Swift development platform. ATS is turned on by default; without it, critical information was being transported without encryption.

“It’s true that iPhones and the whole Apple ecosystem keep customers safer from malicious apps, but that doesn’t mean that all the data stored in the apps is safe from theft,” Pargman continues. “Many apps store sensitive information on servers operated by the app developer or transfer the information unencrypted over the Internet. As soon as your information leaves your iPhone, it is outside of your control to protect it.” 

Continue reading “10 IOS SECURITY TIPS TO LOCK DOWN YOUR IPHONE”

source: cnet.com


Ditch the sticky notes and get peace of mind. Our favorite password managers will be your first defense against getting hacked.


Post-coronavirus, it has only become a more difficult task for your brain to keep track of all of your various passwords, so it’s time to consider a password manager, if you don’t already have one to handle your business. A password manager will allow you to oversee and handle the login credentials of all your devices, auto-fill forms in your web browsers, and sync your data across Macs and Windows PCs, iPhones, iPads, Android phones, and more.

A password manager is essentially an encrypted digital vault that stores the login information you use to access apps on mobile devices, websites and other services. Besides keeping your identity, credentials and sensitive data safe, a password manager can generate strong, unique passwords to ensure you aren’t reusing them across your devices and services. With all the recent news of security breaches and identity theft, using unique passwords can go a long way to ensuring that if one site gets hacked, your stolen password can’t be used on other sites.

How does a password manager work? 

To get started, a password manager will record the username and password you use when you first sign in to a website or service. Then the next time you visit the website, it will autofill forms with your stored user login information. For those websites and services that don’t handle automatic filling, a password manager lets you copy the password to paste into the password field.

If you’re stuck picking a good password, the manager can generate a strong password for you and watch that you aren’t reusing it anywhere across services. And if you use more than one device, you want a manager that is available across all your devices and browsers, so you can access your passwords and login information — including credit-card and shipping information — from anywhere through the manager app or its browser extension. Some provide secure storage so you can store other items too, such as documents or an electronic copy of your passport or will.

Take note: Many password managers keep the master password you use to unlock the manager locally and not on a remote server. Or if it’s on a server, it’s encrypted and not readable by the company. 

This ensures your account stays secure in case of a data breach. It also means that if you forget your master password, there may not be a way to recover your account through the company. Because of that, a few password managers offer DIY kits to help you recover your account on your own. Worst-case scenario, you start over with a new account and manually reset your passwords at each specific destination site and account.

What makes for a secure password?  

A good password should be a long string of capital and lowercase letters, numbers, punctuation and other nonalphanumeric characters — something that’s difficult for others to guess, but a snap for a password manager to keep track of. And despite what you may have heard, once you select a good password or passphrase, you don’t really need to change it periodically.
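The three mechanics described above (generating a long random password, warning about reuse across sites, and keeping the master password out of the vendor’s hands) can be sketched in a few dozen lines. The example below is added here and is not code from any password manager mentioned on this page; it is a simplified illustration of the ideas, not 1Password’s or anyone else’s real protocol. It assumes a PBKDF2-derived vault key and an HMAC-based login verifier, which are assumptions chosen for the demonstration; the sample vault contents are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import secrets
import string

# Character set for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Pick each character with the OS CSPRNG (secrets), never random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    A 20-character password over 94 symbols is about 131 bits, far beyond
    anything a person could memorise, which is the manager's job."""
    return length * math.log2(alphabet_size)


def find_reused(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password that appears under more than one site to those sites.
    This is the check behind a manager's 'reused password' warning."""
    by_password: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the master password into the key that encrypts the vault (assumed scheme:
    PBKDF2-HMAC-SHA256). Same password and salt give the same key; nothing else does."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def login_verifier(vault_key: bytes) -> bytes:
    """The only thing the client hands to a sync server: an HMAC tag under a fixed label.
    The server can match it against a stored copy, but cannot turn it back into the key,
    so it cannot read the vault. (Assumed scheme, for illustration only.)"""
    return hmac.new(vault_key, b"login-verifier", hashlib.sha256).digest()


def server_accepts(stored_verifier: bytes, presented_verifier: bytes) -> bool:
    """Server-side check, in constant time. Note the server never sees the password."""
    return hmac.compare_digest(stored_verifier, presented_verifier)


def demo() -> None:
    # Constructed vault: one strong unique password, one password shared across two sites.
    vault = {
        "bank.example": generate_password(20),
        "shop.example": "Winter2020!",
        "forum.example": "Winter2020!",
    }
    print("reused:", find_reused(vault))
    print("entropy of a 20-char generated password: %.1f bits" % password_entropy_bits(20, len(ALPHABET)))

    salt = secrets.token_bytes(16)            # stored alongside the account, not secret
    key = derive_vault_key("correct horse battery staple", salt)
    stored = login_verifier(key)              # what the vendor keeps
    print("right master password accepted:", server_accepts(stored, login_verifier(key)))
    # Forgetting the master password yields a different key and a different verifier:
    wrong = derive_vault_key("correct horse battery stable", salt)
    print("wrong master password accepted:", server_accepts(stored, login_verifier(wrong)))


if __name__ == "__main__":
    demo()
```

The last two lines of `demo()` are the point of the “Take note” paragraph: because the vendor holds only a verifier, a mistyped or forgotten master password produces a key that matches nothing, and there is no server-side copy of the password to send back to you.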

Can I use a web browser to manage my passwords and login information? 

You can certainly use Chrome, Safari or Firefox to manage your passwords, addresses and other login data. You can even set up a master password to unlock your credentials within a browser. And while using an online browser’s password tool is certainly better than not using a password keeper at all, you can’t easily access your passwords and other login info outside of the browser or share login info with others you trust. 

What about iCloud Keychain? 

Through iCloud Keychain, you can access your Safari website usernames and passwords, credit card information and Wi-Fi network information from your Mac and iOS devices. It’s great if you live in Apple’s world. But if you venture outside and have a Windows or Android device or use the Chrome or Firefox browser, iCloud Keychain comes up short.

Continue reading “BEST PASSWORD MANAGER IN 2020”

source: securitymagazine.com


A new study from FICO found a large percentage of Americans currently do not take the necessary steps to protect their passwords and logins online.

As consumers’ reliance on online services grows in response to COVID-19, the study examined the steps Americans are taking to protect their financial information online, as well as attitudes towards increased digital services and alternative security options such as behavioral biometrics.

The study found that a large percentage of Americans are not taking the necessary precautions to secure their information online. For example, only 42 percent are using separate passwords to access multiple accounts; 17 percent of respondents have between two and five passwords that they reuse across accounts; and four percent use a single password across all accounts. Additionally, less than a quarter (23 percent) of respondents use an encrypted password manager, which many consider best practice; 30 percent are using high-risk strategies such as writing their passwords down in a notebook.

“We’re seeing more cyber criminals targeting consumers with COVID-19 related phishing and social engineering,” said Liz Lasher, vice president of fraud portfolio marketing at FICO. “Because of the current situation, many consumers are only able to access their finances digitally, so it’s vital to remain vigilant against such scams and take the right precautions to protect themselves digitally.”

Continue reading “PROTECTION WHEN BANKING ONLINE”

source: the collaborative fund, courtesy of Bob Wallace

Big takeaways about how, and why, people do what they do.


The most important lessons from history are the takeaways that are so broad they can apply to other fields, other eras, and other people. That’s where lessons have leverage and are most likely to apply to your own life.

But those things take some digging to find, often sitting layers below the main story.

***

The Great Depression began with a stock market crash. October 24th, 1929. That’s the story, at least.

It makes for a good story because it’s a specific event on a specific day. But if you were to go back to October 1929, during the crash, the average American might seem unfazed. Only 2.5% of Americans owned stocks in 1929.

The huge majority of Americans watched in amazement as the market collapsed, and perhaps lost a sense of hope that they, too, might someday cash in on Wall Street. But that was all they lost: a dream. They did not lose any money because they had no money invested.

The real pain came nearly two years later, when the banks started to fail.

Just over 500 U.S. banks failed in 1929. Twenty-three hundred failed in 1931.

When banks fail, people lose their savings. When they lose their savings they stop spending. When they stop spending businesses fail. When businesses fail, banks fail. When banks fail people lose their savings. And so on endlessly.

The stock market crash wasn’t a relevant lesson to the vast majority of Americans who didn’t own stocks in 1929 and likely never would for the rest of their lives. But the bank failures upended the day-to-day lives of tens of millions of Americans. That’s the real story of how the Depression began.

As we look back at the Depression 90 years later, you might think the main lesson is “don’t let the banks fail.” And it’s a good lesson.

But it’s also a lesson that’s not useful to many people today.

I don’t know.

And does it even apply to bank regulators in 2019, when things like FDIC insurance now lower the odds of repeating the kind of consumer bank runs we saw in the 1930s?

Only a little, I’d say.

The point is that the more specific a lesson of history is, the less relevant it becomes. That doesn’t mean it’s irrelevant. But the most important lessons from history are things that are so fundamental to the behaviors of so many people that they’re likely to apply to you and situations you’ll face in your own lifetime.

Let me offer one of those lessons from the Great Depression. I think it’s one of the most important lessons of history:

Lesson #1: People suffering from sudden, unexpected hardship are likely to adopt views they previously thought unthinkable.

One of the most fascinating parts of the Great Depression isn’t just that the economy collapsed, but how quickly and dramatically people’s views changed when it did.

Continue reading “FIVE LESSONS FROM HISTORY”

source: fastcompany.com

We’re four weeks into the massive time-out forced on us by coronavirus. Many of us have spent much of that time trying to get used to the radical lifestyle change the virus has brought. But we’re also beginning to think about the end of the crisis, and what the world will look like afterward.

So it’s a good time to round up some opinions about how the pandemic might change how we think about various aspects of life and work. We asked some executives, venture capitalists, and analysts for thoughts on the specific changes they expected to see in their worlds.

Naturally, many of them tended to see the aftermath of the COVID-19 crisis in optimistic terms, at least when it comes to their own products, ideas, and causes. And at least some of them are probably right. But the general themes in their comments add up to a preview of what might be ahead for tech companies and consumers once the virus is no longer the biggest news story in the world.

The responses below have been edited for publication.

WORKING FROM HOME BECOMES THE NEW NORMAL

Matthew Prince, CEO of Cloudflare
The pandemic has resulted in what is effectively the largest “work from home” experiment ever conducted in human history . . . We’re seeing the effect on the internet, in terms of traffic patterns that are shifting. People are accessing more educational resources online for their kids; finding unconventional ways to connect with coworkers, friends, and family; and employers are being more flexible in how they respond to employee needs through more dynamic, cloud-based technology. I think we’ll see these shifts last well beyond the immediate fallout of the COVID-19 outbreak.

Jared Spataro, corporate vice president, Microsoft 365
This time will go down as a turning point for the way people work and learn. We have a time machine as China navigates its return back to work—and we’re not seeing usage of Microsoft Teams dip. People are carrying what they learned and experienced from remote work back to their “new normal.” We’re learning so much about sustained remote work during this time.

“Remote hiring of technical talent will become the norm.” (Vivek Ravisankar, HackerRank)

Jeff Richards, partner at the venture capital firm GGV Capital
I travel over 200,000 miles per year for work. Now that doing board meetings, interviews, and other mission-critical meetings via video chat has been normalized, will I reduce my travel? I don’t know, but I definitely think it’s a behavior shift that will stick. In the past, if you joined via video, you were thought of as “mailing it in.” Now it’s become an accepted form of participation. Net/net, I still think we’ll see corporate travel [come back], as nothing is better than an in-person meeting with a customer or exec hire candidate. But for routine meetings, I think we are going to see a lot more video. I also think Zoom has crossed the rubicon from “corporate” to “consumer” as everyone in my family age 5-75 now knows how to use it. That’s a game-changer.

Tim Bajarin, principal analyst at Creative Strategies
We talked to CIOs recently, and they told us that they are becoming more comfortable with at least some of their staff working from home. Two CIOs even quantified it by saying they might consider letting as much as 25% of their staff work from home. That would mean less people in the office, and in turn, possibly less demand for office space. I believe that this could signal the death of open space work environments. The experience with COVID-19 will for years make people more aware of working in shoulder-to-shoulder open offices where it is easy for viruses to spread.

Continue reading “ALL THE THINGS COVID-19 WILL CHANGE FOREVER…”

source: defenseone.com

New guidance recommends immediate contract modifications to allow some contractors to remain at home during the COVID-19 pandemic.

The Office of the Director of National Intelligence issued guidance this week directing the intelligence community to allow some contractor personnel to remain home in a “ready state” during the novel coronavirus outbreak.

The guidance calls for “immediate implementation” of Section 3610 of the Coronavirus Aid, Relief, and Economic Security Act, the $2 trillion stimulus package President Trump signed in late March.

Section 3610 authorizes federal agencies to modify contracts when contractors are unable to access authorized work sites or unable to work remotely due to COVID-19.

“ODNI strongly encourages IC agencies to make full use of the flexibility provided by this act, and in other existing contracting tools, to enable contract personnel to stay home in a ‘ready state’ during the national effort to mitigate the spread of the COVID-19 pandemic,” ODNI said in a statement Thursday.

The guidance follows calls from lawmakers for the Trump administration to address concerns over how the spread of the coronavirus affects national security contractors. These contractors face unique challenges due to the sensitivity of their missions, and many are unable to work.

In the guidance, ODNI said it will “support agency decisions” to slip acquisition and development milestones as agencies limit staffing during pandemic mitigation. In addition, the guidance addresses how contractors should submit requests for equitable readjustment, and sets reimbursement levels at 40 hours per week per employee.

source: cnet.com

Commentary: Don’t be me.

Deep breath. I did something really stupid with some of the most important data in my life. And I don’t know how I did it.

I took today’s basic security advice: use a password manager and then have it create different passwords for each site. I chose the 1Password password manager and after installing it, upgraded to a subscription so I could access my passwords across multiple devices.

Then came the weekend that I tried logging into the app and found my password wasn’t working.

I typed it in a few times. Slowly. Then with cut and paste. Nothing registered. It had been working smoothly with my iPhone’s Face ID to unlock access to my passwords, but that stopped working after a phone reboot. And I realized suddenly that the master password being asked for wasn’t the same as the password I had been using previously, before I added the subscription. Bewildering? Yes. My fault? Absolutely. Can I explain how I entered this fugue state of password confusion? Not at all.

At some point I fumbled my passwords. I have mismanaged my supposedly careful management of my passwords. I feel like I’m in an utter nightmare.

This could happen to you. I hope it doesn’t.

Continue reading “PASSWORD MANAGERS ARE GREAT — UNTIL…”