
My Internet Safety.Net

Get the Book, Do the Work, Stay Safe


Need to Pick a Password Manager? This Web Site Can Help

September 26, 2022 John Bennett

The site PasswordManager.com offers useful information about dozens of password managers.

As I noted in our book, Safety Net, passwords are a major security problem. Most security breaches involve weak or compromised passwords—and weak passwords are notoriously easy to compromise. Scripts used by hackers can crack easy passwords in just seconds. Even if you’ve chosen a difficult password with numbers, symbols, and a mix of upper- and lowercase letters, it can be dangerous to use that password on more than one site. If one site gets hacked, attackers will try all the username/password combinations they find on that site on other sites. They even have scripts for firing off lots of stolen username/password combinations on login pages in a kind of attack called credential stuffing.

To really protect your data and, ultimately, your money, you should use a unique, difficult password for every site. Of course, not many of us can memorize dozens of difficult passwords. Keeping track of them with pen and paper is problematic, especially if you’re on the go.

The best solution is to use a password manager, an application that stores your passwords in an encrypted database, an online vault for your secrets. With a password manager, you just have to remember one difficult password—the one that opens the vault. Then you can copy and paste or even autofill the difficult password you’ve already set up for whatever site you’re trying to access. You can also use a password manager to store other useful, confidential information such as credit card numbers, driver license numbers, and insurance policy numbers.

PasswordManager.com: A Site with Information about Password Managers for Every Platform

There are a bunch of password managers out there. You can look into them all yourself, but you might find that a new resource called PasswordManager.com saves you some time. The site offers summaries of password manager features and prices. For example, here’s their summary of the popular password manager LastPass.

An overview of the LastPass password manager from PasswordManager.com

They also offer lists of password managers that work with various operating systems and browsers. If you’re looking for password managers that run on Android, for example, you can check out their page listing only the password managers that run on Android.

The site also has useful information about multi-factor authentication and other topics related to password security.

There’s no charge for using this site, but there is a commercial angle. Small print on the site notes: “PasswordManager.com earns a commission from referring visitors to some products and services using affiliate partnerships.” That doesn’t bother me personally. The team behind this site have done a nice job collecting information about lots of password managers and presenting it in a way that many people will find useful.

If you’re in the market for a password manager, I would check it out: www.passwordmanager.com

Beware of COVID-19 Phishing Emails and Bogus Mobile Apps

April 15, 2020 John Bennett
COVID-19 is a popular topic for phishing scams and dangerous mobile apps

Cyber criminals are taking advantage of the coronavirus 2019 (COVID-19) pandemic to trick people into clicking dangerous links and downloading dangerous files. 

Beware of suspicious emails and new applications that purport to deliver information about COVID-19.

Phishing Emails about COVID-19

Be suspicious of any email you receive about COVID-19. You might get email pretending to be from a government agency or from your employer. But the email might be a phishing email with a dangerous attachment, such as a file containing ransomware, or a link to a site that will collect your login credentials and use them to break into one of your accounts. (Phishing emails are email messages that pretend to be from a legitimate sender in order to trick the recipient into taking some kind of dangerous action.)

Norton has shared examples of phishing emails they’ve detected that capitalize on the public’s interest in COVID-19. Their examples include:

  • A phony CDC announcement urging recipients to click on a link for information about the COVID-19 outbreak in their area.

  • A phony email about health advice, urging recipients to follow all the safety measures in a PDF attachment.

  • A phony email about company policies for working from home and staying safe.

Be on the lookout for emails like this. You’re bound to get a few.  

Keep in mind: 

  • There’s no reason for the CDC to have your email address. 

  • You can get all the updates you need from the CDC and other websites, which you should navigate to in your browser. Don’t click on links in email to navigate to these sites.

  • You may work for a company that is emailing updates and policies, but scrutinize these email messages carefully to make sure they’re genuine.

Norton offers some good advice for detecting phishing email:

  • Look for generic greetings (“Dear Employee” or “Dear U.S. Citizen”).

  • Look for typos, which continue to be common in phishing emails.

  • Beware of messages asking for your Social Security number and other personal information. There’s no reason you should be sharing this information through email.

  • Inspect email addresses and links for anything that looks unusual.

You’ll find Norton’s blog post here.

A new website, Corona Virus Phishing, is compiling an ever-growing list of email and file-sharing scams related to COVID-19. Check out the site if you get an email or Dropbox request that you weren’t expecting about COVID-19.

The scams keep evolving. For example, a new phishing attack is spoofing the domain name splashmath.com to circumvent email security programs, so be on your guard if you see that domain name show up in an email about COVID-19.

My ebook Safety Net offers additional tips for inspecting suspicious email messages.

Reliable Sources of Information about COVID-19 

You’ll find reliable information about COVID-19 here:

  • Centers for Disease Control and Prevention (CDC) COVID-19 Resources

  • Johns Hopkins University interactive COVID-19 map

  • National Institutes of Health (NIH) COVID-19 Resources

  • World Health Organization (WHO) COVID-19 Resources

Dangerous Mobile Apps about COVID-19

Criminals have also created at least one dangerous mobile app that pretends to offer COVID-19 information but that includes malware that steals information from your computer.

MSN has reported on an app that relays information from the virus-tracking dashboard from Johns Hopkins University but that also includes malware that collects user IDs, passwords, browsing histories, and cryptocurrency keys.

My advice: Don’t download any mobile apps about COVID-19. Public health authorities, including state and local health agencies, will make all information available to the public through websites and news bulletins. (If Apple and Google develop new apps for contact tracing, I’ll reconsider this advice.)

Apple is removing any COVID-19 apps from their App Store if they’re not from a verified health organization. Myself, I’m sticking to websites rather than apps for sources of information, all the same.

Be healthy, be safe online, and take care.

Tags COVID-19, phishing, spam, mobile apps, CDC, WHO

Tips for Protecting Your Mobile Phone

January 30, 2020 John Bennett

By John Bennett and Mark K. Mellis, CISM

The news that Amazon CEO Jeff Bezos’ mobile phone was most likely hacked by the Saudi Arabian government is a sobering reminder of the security vulnerabilities of the mobile devices we depend on every day. If Bezos, who has access to some of the top security experts in the world, could be hacked, is there hope for the rest of us?

Yes, there is hope, if you consider that mobile security best practices can help protect you from the most common types of mobile security threats—the kind that your devices are most likely to be exposed to, assuming that you haven’t personally been deemed a high-value target by a major nation-state.

In the “Protect Your Mobile Phone” section of Safety Net, our ebook on IT security, we present some basic guidelines for keeping your mobile phone safe.

Here’s a more thorough list of tips for anyone interested in applying even more rigorous security to their mobile phone.

  • Update the apps and operating systems on your mobile devices.
    As Safety Net points out, most security attacks take advantage of vulnerabilities that have already been fixed in software updates. But you can’t take advantage of those fixes if you don’t apply the updates.

  • Encrypt your mobile device.
    iPhones and iPads are encrypted automatically, as are Google Pixel phones and some models of Google Nexus devices. If you have some other kind of Android mobile device, check your device’s documentation to learn if it automatically encrypts its data and how to turn on encryption if it doesn’t.

  • Turn on “Find My iPhone” or an equivalent service.
    Millions of smartphones are stolen every year. Services like “Find My iPhone” allow you to track down lost or stolen devices, to remotely wipe all the data off of them, and to prevent thieves from taking them over as their own.

  • Put a label on the outside of the device with your name and contact information.
    This will allow a Good Samaritan to get it back to you even if the battery is dead when they find it. It also helps if you inadvertently leave it at an airport security checkpoint or on the counter at your favorite coffee house. “Will Ms. Smith please return to the Concourse C Security Checkpoint for a lost belonging?”

  • Never plug your device into a public charger.
    Use your own charger or bring an external battery along. The charging cable makes a data connection as well as a power connection and can be used to steal your data or load malware onto your device. Hackers can even create custom charging cables that can be used to load malware onto your device.

  • Make sure rental cars “forget” your contacts.
    If you pair your device with your rental car when traveling so that you can use hands-free calling or blast your music through the vehicle’s speakers, make sure you tell the car to “forget” the phone when you return the car to the rental agency. Otherwise you may unintentionally leave a copy of all your contacts in the car radio.

  • Make cloud backups.
    Back up your mobile device or synchronize it with a cloud service like iCloud, so that if you should lose it or have it stolen, you won’t lose your contacts or photos.

  • Set your screen to lock automatically after a short period of time.
    Thirty seconds, two minutes, whatever – you get to pick based on how you use your device. But do set a timeout for some period of time, or you’ll leave your device vulnerable to whoever finds it. Setting a timeout also helps your battery keep its charge.

  • Only download apps from trusted sources: the official app store for your device.
    This is easier to do on Apple devices, because you have to work hard to load an app from anywhere other than the Apple App Store. On Android devices, it’s easier to download apps from unreliable app stores. Some of the most dangerous mobile apps – apps that pretend to be just a game or a financial services app but that secretly steal your data – are distributed primarily through third-party, “off-brand” app stores. Stick to official app stores, and you’ll be much safer.

  • Don’t “jailbreak” your device.
    Jailbreaking means breaking the manufacturer’s operating system on a device, so that the operating system (such as iOS or Android) can be replaced or altered. Sometimes smartphone users jailbreak devices to run apps not approved by the manufacturer’s app store. But this is incredibly risky: you’re disabling all the technical expertise that the manufacturer has invested in keeping your device safe. You might be tempted to jailbreak your device to get a particular game or app. Resist the temptation. No app or game is worth losing your personal data and possibly becoming a victim of identity theft.

The recent 10-year anniversary of the iPad reminds us how important mobile devices have become in our lives. Follow the tips listed above to keep your devices safe.

Photo credit: JÉSHOOTS

Tags mobile phone, smartphone, cybersecurity, data security, mobile apps

7 Tips for Avoiding Fraud in the Holiday Season

December 2, 2019 John Bennett

To avoid falling prey to criminals and their latest tricks on Black Friday, Cyber Monday, or any other shopping day this holiday season, follow these tips.

Tags cybersecurity, ecommerce, holiday shopping

Copyright 2019, 2020 John Bennett
