Sunday, April 26, 2020

Crazy Cloud Capability


Welcome back ready, this is another CYBR 650 post.  This post comes just one week after the last one where I talked about stolen account credentials and what you can do to protect your accounts in case your login info is stolen.  This week, I'm going to change it up a little bit and talk about something that is relatively new, the cloud.

tl;dr

Cloud technology has been around for several years, but personal use has not been practical until recently.  I'll talk about a few practical options for personal use, or even family use of cloud solutions and share some of my personal experiences.



What is the Cloud?
In the simplest terms, in the most convenient definitions, the cloud is a computer that belongs to someone else.  Systems providing cloud servers are generally owned by organizations like Google, Amazon, or Microsoft, and provide services to other organizations or individuals. 

Personally, I use cloud services from both Google and Microsoft.  Below is a handy-dandy table for showing the services I regularly use from each provider:
Google
Microsoft
E-mail (Gmail, personal)
E-mail (Outlook, education)
File storage (Drive)
File storage (OneDrive)
Calendar
Collaboration (Teams)
Lists (Google Keep)


Many people have had a free e-mail account from someone like Yahoo, Hotmail, or Gmail for years.  I remember when I started using Gmail, the storage was something like 500 megabytes.  But it continually kept growing.  Now, my Google account has 15 gigabytes of free storage spread across every G-Suite application.  Here's where it gets great...I get an e-mail with an attachment sent to my Gmail account.  I see that it is something I want to hang onto, but I need to make sure I know where it is and that it doesn't get buried in my e-mail account.  Conveniently, there is an icon on the attachment allowing me to save it to my Google Drive.  I leave my house to meet up with a coworker for lunch.  I think they might find the attachment I just saved useful, so I use the Drive app on my smartphone to show them.  They enjoy it, so I send it over to them using Gmail, or even the Hangouts (Google's instant messenger, also cloud) channel we have for just such an occasion.

Moving to Microsoft

While my primary e-mail is still my Gmail account provided by Google, I really don't use my Drive storage like I used to.  The main reason for this is my use of Microsoft 365, formerly Office 365.  Just in case you're unaware, Office 365 is a cloud-based productivity suite.  You've used Office products, right?  Imagine that, but now it's cloud based.  I remember when Office was very expensive, and I relied on my student discount to get the latest version.  Now, Microsoft 365 is a subscription service.  For about a $100 a year, I have full access to Office products, some of which I wouldn't normally because of different versions of Office (Home, Pro, etc.).  Not only do I have access to all the productivity software I need, I also have 1 terabyte of cloud storage at my disposal.  This is the best part...my 100 bucks allows me to share these same benefits with 5 people in my family!  See more about it here: https://www.microsoft.com/en-us/microsoft-365/explore-microsoft-365-for-home

Is it safe?

That answer is simple...it depends.  Keeping your cloud accounts safe is the same as keeping any other account safe.  I talked last week about multi-factor authentication.  Within OneDrive, there is an area called Personal Vault.  The Personal Vault is designed with added security, either stronger authentication or a second method to verify your identity (multi-factor).  The added layer of security is for more sensitive files, plus the secondary authentication is a way to make sure those files are only accessed by me.

In order to keep your files safe, Microsoft encrypts your data while it resides on the server.  Additionally, transportation security protocols are used while you access your data.  This keeps it secure both when in use and when you're not actively using it.  Here is some additional reading about how your information is protected: https://support.office.com/en-us/article/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1

Other providers...

I have only told you about 2 cloud providers for personal use, Google and Microsoft.  Others include Dropbox, Apple iCloud, and Bitcasa.  One I would like to tell you about for sure is Amazon.  If you are an Amazon Prime subscriber, you get unlimited photo storage.  That is a pretty fantastic benefit along with everything else Prime provides.  Read more here: https://www.amazon.com/Amazon-Photos/b?ie=UTF8&node=13234696011


Sunday, April 19, 2020

ZOOM! Slow Down, Your Info was Stolen

Welcome back readers!  It has been about a month, but it is time for another CYBR 650 course post.  Just to recap, last month I gave you some information about those jerks capitalizing on the COVID-19 pandemic by sending Coronavirus spam and phishing messages and setting up bogus websites, all trying to steal your information.  That leads us to the related, but not new topic of stolen account credentials.

tl;dr

Social distancing has changed the way we do business and interact with our friends and family.  Software designed to help bring us closer together while far apart is a bigger target than ever.  How can you keep your account secure, even if it is part of a breach?  A strong, complex password is the first step to keeping your account safe.

Working and Being with Family While Socially Distanced

If you are anything like me lately, you have been working from home and rely on collaboration and video conferencing software to interact with coworkers, friends, and family.  In this time of social distancing, we use software to “feel” close to those we need to interact with.  The video conferencing software provider Zoom recently suffered a breach where more than half a million account credentials were stolen.  On April 13, Forbes reported credentials for more than 530,000 Zoom accounts were being sold on an underground hacking forum.  These 530,000 accounts were purchased by Cyble, a group of cyber risk assessment experts.  The thing I find most shocking about their purchase is that they did it for next to nothing.  Basically, the account information was being sold for extremely cheap, less than a penny each or, in some cases, given away for free.  These accounts were stolen and then sold for less than $5,000.

Part of the problem with these credentials is the same with any other time an account has been stolen, people tend to reuse the same passwords for multiple accounts.  I won’t preach about the importance of creating a strong, complex password…I’ve already done that and you can read all about it here: http://cyberschopp.blogspot.com/2016/03/pesky-passwords.html.  Take a read, and then start changing your password 😊


Ensuring you have a strong password is a critical way to keep your accounts safe.  One other thing you should do is to check if the e-mail addressed used to register for accounts has been flagged as a stolen account.  The site haveibeenpwned.com can help you check that.  Checking my e-mail address, the site tells me that I have accounts on 11 breached sites.  Fortunately, I already knew this an changed the passwords associated with those breaches.  Some of the breaches my e-mail has been affected by are the 2013 Adobe breach, Collection #1 in 2019, and Lord of the Rings Online (don’t judge me).

Password Manager

One recommendation I did not give in 2016 when I jumped on my password soapbox is the use of a password manager.  A password manager keeps track of login information, including username and passwords, for sites and services you have accounts for.  Google Chrome has this built in, as well as the nicety of suggesting a complex password when creating a new account or changing your password on an existing account.  The advantage of this is the creation of an incredibly complex password that will make your account very secure.  The disadvantage of this is that the password is usually so complex and does not make sense, so remembering it would be next to impossible.  This is okay as long as you have access to your password manager, or are willing to change it often when you need to access the account from a different system.

Multi-factor Authentication

Another option for securing accounts is to use multi-factor authentication.  You are probably already using this to some extent but let me creak it down for you.  You login to your bank account with your username and password.  Your bank website then prompts you to select either your e-mail or phone to receive a message with a one-time PIN to get into your account.  Since you have your phone right next to you, you select text message and wait for a moment.  Sure enough, you just got a text with a number you need to enter into the bank website.  Once you do, you no have access to all your monies!  That is multi-factor, using information from two or more devices to access one site.

Hopefully this hasn’t left you feeling hopeless.  The first step after finding out your information has been stolen is to change your password.  You should also really consider if you actually need that account.  If not, change the password to something complex and meaningless that you’ll never use again, then disable or delete the account.  This ensures that if the account information is stolen later, the credentials cannot be used on another site.

Be safe out there!


REFERENCES:
https://www.cyble.io/
https://www.forbes.com/sites/leemathews/2020/04/13/500000-hacked-zoom-accounts-given-away-for-free-on-the-dark-web/#7ef72e6758c5
https://haveibeenpwned.com/