Thursday, August 30, 2012

Are Your Mobile Apps Up To No Good?

Most of us have heard the saying “It’s 2am, what are your kids doing?” and you may know the answer, but do you know what your mobile apps are doing? Before I started working in the industry I would not have given this a second thought, but consider the following.

Why would an app designed to monitor your phone’s battery need to know your location via GPS? Why do some games ask users for their phone numbers? Mobile applications, especially free ones, collect some of your personal data to offset development costs, which means “free” isn’t exactly free.

Unsurprisingly, 97% of users don’t understand how an app’s permissions correspond to its risk. The consequence of not knowing is that once you share your personal data it can be used, and sometimes abused, and it is out of your control for good.

If data is digital it is also “repeatable”: it can be copied, pasted, duplicated and sent an unlimited number of times. For example, 18.3 million US adult smartphone owners have looked up medical information on their phones, and 32.5 million access banking information. Using applications that don’t care much about your privacy can expose this data.

Android applications can ask for 124 types of permissions. With the right ones, an app can turn on your camera; monitor, modify or even abort outgoing calls; record images of your screen while you enter personal information; read your texts and view your pictures; and, scarier still, capture conversations in the room when no call is active.

What’s troubling is that 33% of apps ask for more permissions than they need, 42% of users don’t know what these permissions are, and 83% of users don’t pay attention to permissions when installing an app. It all adds up to needing to know what your apps are doing.
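A practical way to act on this, added here as an example and not part of the original post: the permissions an Android app asks for are declared as uses-permission entries in its AndroidManifest.xml, so they can be audited against what the app’s stated purpose actually requires. The script below parses a constructed manifest for a hypothetical battery-monitor app (the package name and the “expected” permission set are assumptions) and flags every sensitive permission the purpose does not explain. The permission names are real Android ones; the descriptions mirror the capabilities listed above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS   # the android:name attribute, namespace-qualified

# Real Android permission names paired with what each lets an app do; the wording
# follows the post's list of what an over-permissioned app can get up to.
SENSITIVE = {
    "android.permission.CAMERA": "turn on the camera",
    "android.permission.RECORD_AUDIO": "capture audio even when no call is active",
    "android.permission.ACCESS_FINE_LOCATION": "track your GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "track your approximate location",
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.PROCESS_OUTGOING_CALLS": "monitor, modify or abort outgoing calls",
    "android.permission.READ_PHONE_STATE": "read your phone number and device identifiers",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "read photos and files on shared storage",
}

# Constructed manifest for a hypothetical battery-monitor app (package name assumed).
BATTERY_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterywatch">
    <uses-permission android:name="android.permission.BATTERY_STATS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="BatteryWatch"/>
</manifest>
"""

# What a battery monitor plausibly needs (an assumption made for the example).
BATTERY_APP_EXPECTED = {
    "android.permission.BATTERY_STATS",
    "android.permission.INTERNET",
}


def declared_permissions(manifest_xml):
    """Return the permission names an AndroidManifest.xml asks for, in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def audit(manifest_xml, expected):
    """Flag sensitive permissions that the app's stated purpose does not explain.

    Returns a list of (permission, what it lets the app do) for every declared
    permission that is in SENSITIVE but not in the expected set.
    """
    return [
        (perm, SENSITIVE[perm])
        for perm in declared_permissions(manifest_xml)
        if perm in SENSITIVE and perm not in expected
    ]


if __name__ == "__main__":
    for perm, capability in audit(BATTERY_APP_MANIFEST, BATTERY_APP_EXPECTED):
        print("unexpected: %s (lets the app %s)" % (perm, capability))
```

For the battery app the audit reports location, phone state and microphone access, none of which a battery monitor needs; the same function run with the full SENSITIVE set as “expected” returns nothing, which is the shape of a whitelist for an app whose purpose really does cover those permissions.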

To help you protect your privacy and identity when using apps you should:

  •     Research apps by checking their ratings and reviews before you download
  •     Only download apps from reputable apps stores
  •     Read the Terms of Service (TOS) and the permission list shown at install time to determine what data the app is going to access on your mobile device, and ask whether the app’s purpose explains each permission.
  •     Use a comprehensive mobile security app with app privacy features, such as McAfee Mobile Security, that provides insight into the activity and safety of your apps.
By Robert Siciliano

Tuesday, August 28, 2012

The Real Cost of Losing Your Phone

About four weeks ago, I lost my much loved BlackBerry at Sydney airport. I felt like my life was over – and you know what, it was for a few days.

I had lost years’ worth of contacts, apps and precious photos of my boys! I was shattered.

Now just because I am Cybermum doesn’t mean I am perfect. Far from it! So, I am confessing – I hadn’t backed up my phone since Christmas! I hadn’t even had enough time to download the pics of my kids. I was too busy – life got in the way.

So, as punishment, it took me days to get myself sorted out. And to be honest, I am still not quite back to normal. With research showing that around 28% of digital assets cannot be restored when smartphones are lost, I think I have to accept that life will never be the same.

But, this won’t happen again. Yes – there is an insurance policy available. I am in the throes of loading McAfee Mobile Security onto my new Android device, which means if it happens again, my life will not go on hold. I will be able to locate and track my phone, remotely wipe the data if I need to, and back up and restore data if I were to lose it again! If only I had been more organised!!

Note to Self – never leave your phone at the airport again, continue to use a security password, get some mobile security software and don’t blow $1000 replacing your smartphone! Just imagine how far that could go at Westfield!

By Cybermum Australia

Tuesday, August 21, 2012

Keep Your Gadgets Secure During Summer Travel

Traveling isn’t at all fun. Vacationing is fun, but getting there and dealing with taxis, rental cars, airplanes, hotels and all the unfamiliarity can be unpleasant. And in the midst of all this, criminals are on the lookout for people vacationing. You tend to be more relaxed and your “guard” is down. You may also be in an unfamiliar place.

To make sure your vacation isn’t spoiled by cybercriminals and to make sure you travel with more ease, here’s some things to be aware of.

Taxis
From the moment you leave your home make sure your cab driver thinks you will be back that night and give the impression your home is alarmed, there is an attack dog there and your roommate Rocco will be home. You don’t want to let the taxi driver know your address and that no one is going to be home for a week.

We often leave things in cabs, such as mobile phones, tablets and flash drives, and usually, once left, they are gone for good. Create sticky labels with your contact information and stick them on the device; if the cabbie or the next passenger is honest, you may get your device back. Set a screen lock as well, so that whoever finds the device cannot browse it in the meantime. You should also consider using a security product on your mobile devices that lets you remotely locate, lock and wipe them, so that if a phone or tablet is permanently lost or stolen no one can access the personal data on it.

Airplanes
Keep your devices with you or under the seat in front of you. You probably don’t want to check them in with your luggage and you should be wary when putting them in the overhead compartments. Make sure you check all the area behind you when you deplane and if you get up to use the restroom or walk around, take your device with you or make sure a traveling companion is watching it.

Hotel Rooms
Hotel rooms are not secure. More than once I’ve entered a hotel room with somebody else’s stuff laid out on the dresser and on the bed. Sometimes the clerk assigns the same room to two people, or the keys work in multiple rooms. Never ever leave anything of value in your room, including in the hotel safe.

Rental Cars
My wife traveled to Spain, got off the plane, rented a car, and drove off the lot. At the first stop sign, a man knocked on her passenger window and pointed, saying, “Tire, tire.” She put the car in park and walked over to the passenger side. The tire was fine and the man was gone. When she got back in the car her purse had disappeared from the front seat. Her driver’s license, passport, cash, and credit cards were all gone. Don’t leave things unattended in the rental car, and be sure to check everywhere before you return the car, as mobile phones can easily slide under the seat or between the dashboards.

Wi-Fi
Wi-Fi connections are hotbeds for thieves, especially if they are unsecured, as most public hotspots and free Wi-Fi access points are. When you’re on a Wi-Fi connection in a hotel, café or wherever you are when traveling, don’t access financial sites or shop online. It’s easy for criminals to set up fake access points that appear legitimate but exist to capture information from unsuspecting victims, and on an open network anything sent without HTTPS can be read by anyone in range.

I hope these travel tips help keep your devices safe when you’re traveling so you can enjoy your vacation!


By Robert Siciliano

Monday, August 20, 2012

The ‘Other’ Kind of Healthcare Breach

What if a criminal held your healthcare information for ransom, so you and your doctor had no way of accessing critical medical records?

The adoption of electronic healthcare records has brought to light a plethora of security concerns. Worries about unauthorized access, information breaches, and questions about how the proliferation of sensitive data could impact a patient’s future are very real threats, and they must be addressed sooner rather than later. HIPAA goes a long way to help regulate how this sensitive data can be viewed and shared, but what happens when a hacker finds a weakness in the system?

We’ve seen this happen in other industries time and time again: a hacker finds a weakness and takes advantage. Unfortunately, this has now become a reality for the healthcare industry as well. Recently at a medical practice in Illinois, a hacker was able to encrypt the organization’s electronic records and then demand a ransom for the password that would unlock the data. The organization responded appropriately, immediately turning off the server and contacting authorities.

The practice was then required to disclose the nature and scope of the breach to the Office for Civil Rights (OCR), to be added to what is known in the healthcare industry as The Wall of Shame. According to the OCR, the healthcare records of 20,970,222 people have been compromised since September 2009. In this case, the breach was listed under the category “other”. I guess there haven’t been many attempts at extortion via medical records so far, but as we approach nearly 21 million people affected, breaches like the Illinois extortion attempt could very well increase. Will “extortion” be a category in the future?

Let us know your thoughts on this topic in the comments below, and be sure to follow @McAfeeBusiness on Twitter for the latest updates on industry news and events.

By Kim Singletary

Thursday, August 16, 2012

Shedding Light on Electronic Healthcare Record Outage

In my research, healthcare providers have rated their use and desire to use the cloud as relatively low compared to other industries. Since the HITECH Act of 2009 encouraged the adoption of electronic health records, many providers have been looking for a cost-effective way to support the infrastructure needed for electronic records. And while the cloud could provide a solution, many providers are still concerned about the privacy, security and availability of cloud environments.

Nevertheless, many of these healthcare providers regularly use the services of business partners who do use cloud technology to stay competitive. And as with any partner that provides a high-value service, these partners must be vetted for their service quality. In the healthcare industry, this means going beyond the standard set of marketed packages; it includes adherence to compliance requirements, business rules, and escalated notification of possible service issues.

But there needs to be additional work on the part of the healthcare provider. Whenever critical systems and services are co-managed by multiple parties, organizations must plan for contingency. A recent story in the LA Times describes a five-hour outage that left healthcare providers unable to access their patients’ electronic records. Providers could revert to creating records on paper during the downtime, but what they lacked was access to existing digital records like test results, past diagnoses and treatment protocols. The work-around for general practices might have been an inconvenience, but in critical care or triage situations this data outage could have been a much larger and possibly life-threatening concern.

Unfortunately, healthcare IT providers have been working with very strong constraints as they balance business, privacy and infrastructure issues. In a recent conversation, one healthcare provider security leader pointed to the painful reality that doctors, clinicians, and workers assume everything will work just like turning on the lights. Setting up and paying for resilient electronic contingency plans for electronic health records and putting money aside for partner risk, security and compliance assessments of their infrastructure and cloud services just doesn’t happen today.

Yet as with all businesses, the healthcare industry is relying more and more on connected partners for the integrity of and access to its data. As a result, these kinds of outages and security incidents will start to drive more sophisticated, risk-based business rules and time-sensitivity requirements. When an unconscious 30-year-old enters the emergency room, which medical data matters more: that she is allergic to penicillin, or that she broke her ankle when she was 25? The first must be available immediately; the second can wait for the outage to end.

Healthcare is only just dipping a toe into digital records, with all of the business and patient ramifications that come with that technology. From physicians to customers, more awareness is needed to make this work in the long run, and of course some hard lessons will be learned along the way. After all, it wasn’t until after WWI that household electric lighting became widely available across the country, and there are still concerns today about protecting this critical infrastructure.

By Kim Singletary

Wednesday, August 15, 2012

Security In A Multitenant Cloud

One of the biggest conceptual barriers to enterprise public cloud use is multitenancy. It’s difficult enough for IT to give up control of the infrastructure to a cloud provider, but the thought of sharing physical servers and storage with other organizations is a big stumbling block for enterprises considering running sensitive applications or storing sensitive data in the cloud.

If you’re terrified by the concept of multitenancy, consider a report released by Forrester in March 2012 entitled Understanding Multitenancy. One of its conclusions is that a public cloud multitenant architecture can actually be more secure than the typical in-house IT infrastructure. Why? Typical in-house IT security is perimeter based: anything inside the perimeter is trusted, which leaves organizations exposed to insider attacks and to anything that gets past the edge. A properly architected multitenant service cannot assume a trusted interior; it has to secure every asset from every other tenant at all times.

If you’re looking at potential public cloud providers to host your sensitive applications or data, here are some issues to consider.
  •     What constitutes a tenant? With an infrastructure provider, a tenant is likely a collection of customer virtual machines (VMs) sharing the provider’s physical servers with other customers’ VMs. With a software as a service (SaaS) provider, a tenant may actually be sharing a single application instance or database with many other tenants. In the first case you’ll want to know how VMs are kept isolated; in the second you’ll probably be more interested in how one tenant is prevented from accessing another tenant’s data.
  •     Who are the tenants and who are the providers? The answer can be tricky. The multitenant SaaS provider you’re considering may be running its applications on one or more infrastructure as a service (IaaS) providers’ servers, or you may have multiple layers of SaaS, IaaS and even platform as a service (PaaS) combining to produce a single service. You may have to consider the security implications of each layer.
  •     How much security information does the provider offer? Does it describe its security architecture on its Web site? If you’re talking with representatives of the service, are they willing to discuss security architecture in depth? You’d be surprised at how many cloud services insist on remaining very vague about security.
  •     What certifications does the provider have? ISO 27001 certification and, depending on your organization, PCI DSS compliance validation are reasonable indications that the provider is taking the right security measures to protect its tenants. Note that there is no official HIPAA certification: a provider that claims HIPAA compliance should be able to show you its risk assessment and be willing to sign a business associate agreement.
  •     Sometimes the best security is simply living in a good neighborhood. Who are the provider’s other tenants? Are any of them security-sensitive organizations in areas like government, finance, and health care? Does the provider accept anyone, or does it have a process for weeding out potentially risky tenants? This is important, because an attacker sharing a server with you inside the perimeter firewall may have an easier path to your sensitive applications and data.
  •     What measures does the provider take to isolate tenants? At minimum an IaaS provider should separate tenant traffic using VLANs and use hypervisor-based stateful inspection firewalls and intrusion detection or prevention to block potential inter-VM attacks. In the case of a SaaS provider, strong authentication and authorization are essential and data encryption is important. Also ask how the provider sanitizes storage that a tenant has released, so that the next tenant assigned the same disk blocks cannot recover the previous tenant’s data.
  •     What security visibility does the cloud provider offer? Do you get security and incident reports at the end of the month? Do you get a portal that shows security and attack mitigation information? Does the provider have a policy for contacting the tenant if an attack exceeds a certain risk or severity level?
As Forrester points out, multitenancy in a public cloud is not an insurmountable issue for the enterprise, but it is one that you should research very carefully when choosing a provider.

By Leon Erlanger

Friday, August 10, 2012

On the Road to True Connected Security

Here’s a quick summary of my webcast yesterday on next-generation network security.

There’s a lot of hype about the changing threat landscape and challenges to traditional security strategies. The reality is that we need both familiar and new tools as we evolve the conversation from point-based solutions, which typically protect one stage in an attack sequence, to integrated, connected solutions – the best way to protect against next-generation attacks.

Some hard truths about security today:
  •     Borderless networks are more susceptible. Data in transit is data exposed; losing physical boundaries has serious security implications. Everything is connected, therefore potentially vulnerable to takeover. Concentration of data in warehouses promises a possible bigger payoff from a single hack.
  •     Attacks are growing more sophisticated. Attacks on remote procedure call (RPC) services and SQL injection are increasing, and attackers are getting smarter about evading traditional defenses.
  •     The stakes are getting higher. We’ve just seen a massive electric grid failure in India which, whether or not malicious action was involved, illustrated the potential fallout from an attack on such a system. Loss of electric grids or phone or transit networks can have a massive impact on a country’s security.
  •     IT is growing more complex. By 2015 Cisco predicts we’ll have 15 billion mobile devices in use. Each is a potential target. But we aren’t growing the ranks of network or security administrators at nearly the same pace, so security tools have to get smarter.
In the face of all this complexity, firewalls are a powerful but not total solution. Firewalls place an emphasis on enforcing policy and limiting and controlling access. They’re more effective at deterring broad-scale attacks than smaller, targeted ones. Security is an ongoing battle that can’t be won with a single weapon; you need a concert of weapons and individuals. The best approach is a framework that facilitates a connected approach to security.

We haven’t always referred to it this way, but McAfee has had a “next-generation” IPS (intrusion prevention system) in place for some time. It combines traditional IPS with more advanced elements like behavior analysis, application awareness, and network visibility.

More and more, the threat prevention playing field is going to focus on anomaly detection heuristics – behavior analysis – in addition to the traditional safeguards.

With a platform approach that spans an entire network, using the same tools throughout the infrastructure and coordinating threat response, we now have heightened “context awareness” that highlights anomalies. We can tell when a machine starts behaving in unexpected ways – when a computer known to be someone’s personal device starts acting like a mail server, for example. We can tell when a user’s browsing or protocol behavior changes.

As for content awareness, nearly all security vendors still use signature detection as a baseline defense – it’s not true that those strategies are “dead,” as some claim – but we increasingly use reputation data, measuring a current file or IP address against past data, and file anomaly detection. (If a PDF tries to launch an executable, for example, it begs for attention.) Botnet detection is as big an issue as ever; we can look at dozens of heuristics to identify a bot on the network. When a system reaches out to many IP addresses in rapid-fire fashion, for example, that profile says “bot” very quickly.
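The two behavioral signals just described, a host acting like a mail server and a host fanning out to many addresses in quick succession, as an added example of the detection logic run over constructed flow records. This is not code from the webcast or from any McAfee product; the host inventory, the expected-port table, the ten-second window and the threshold of five distinct destinations are all assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: "timestamp source destination destination-port".
# 10.0.0.2 is a mail server sending at a steady pace; 10.0.0.9 is a laptop browsing;
# 10.0.0.5 is a laptop that suddenly talks SMTP to eight hosts in five seconds.
FLOW_LOG = """\
2012-08-09T09:00:00 10.0.0.9 93.184.216.34 443
2012-08-09T09:00:04 10.0.0.9 198.51.100.20 443
2012-08-09T09:00:00 10.0.0.2 203.0.113.10 25
2012-08-09T09:00:30 10.0.0.2 203.0.113.11 25
2012-08-09T09:01:00 10.0.0.2 203.0.113.12 25
2012-08-09T09:01:30 10.0.0.2 203.0.113.13 25
2012-08-09T09:02:00 10.0.0.2 203.0.113.14 25
2012-08-09T09:02:30 10.0.0.2 203.0.113.15 25
2012-08-09T09:05:00 10.0.0.5 198.51.100.1 25
2012-08-09T09:05:01 10.0.0.5 198.51.100.2 25
2012-08-09T09:05:01 10.0.0.5 198.51.100.3 25
2012-08-09T09:05:02 10.0.0.5 198.51.100.4 25
2012-08-09T09:05:03 10.0.0.5 198.51.100.5 25
2012-08-09T09:05:03 10.0.0.5 198.51.100.6 25
2012-08-09T09:05:04 10.0.0.5 198.51.100.7 25
2012-08-09T09:05:05 10.0.0.5 198.51.100.8 25
"""

# Asset inventory: the "context" that turns an ordinary flow into an anomaly.
HOST_ROLES = {
    "10.0.0.2": "mail-server",
    "10.0.0.5": "workstation",   # someone's personal laptop
    "10.0.0.9": "workstation",
}

# Destination ports a host of each role is expected to initiate connections to.
EXPECTED_OUTBOUND = {
    "mail-server": {25, 53, 443},
    "workstation": {53, 80, 443},
}


def parse_flows(text):
    """Turn the log text into dicts with a real timestamp and an integer port."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)})
    return flows


def fan_out_alerts(flows, window=timedelta(seconds=10), threshold=5):
    """Sources that reach >= threshold distinct destinations inside any sliding window.

    Returns {source: peak number of distinct destinations seen in one window}.
    """
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            start = rec["ts"] - window
            dsts = {x["dst"] for x in recs[: i + 1] if x["ts"] >= start}
            if len(dsts) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(dsts))
    return alerts


def role_alerts(flows, roles=HOST_ROLES, expected=EXPECTED_OUTBOUND):
    """Hosts initiating connections their role does not explain, e.g. a workstation
    talking SMTP to the world the way a mail server would. Returns {source: {ports}}."""
    out = defaultdict(set)
    for f in flows:
        role = roles.get(f["src"])
        if role and f["dport"] not in expected[role]:
            out[f["src"]].add(f["dport"])
    return dict(out)


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("fan-out:", fan_out_alerts(flows))   # only the laptop trips it
    print("role:", role_alerts(flows))          # the laptop is the one sending SMTP
```

The mail server sends to six hosts too, but thirty seconds apart, so the windowed count never passes the threshold and its SMTP traffic is expected for its role; the laptop trips both detectors at once, which is the kind of corroboration that makes the alert worth acting on.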

It adds up to more accurate, timely threat detection; these additions improve security defenses by up to 30 percent compared to signature defense alone.

Beyond heuristic analysis, the next big value-add is generation and analysis of an enterprise-wide data layer with the help of external intelligence. Part of McAfee’s Security Connected framework is McAfee Event Reporter, a log management tool that collects and correlates millions of events from across the organization. A correlation engine analyzes them against reputation data from the cloud, isolates threatening trends, and even identifies particular events based on historical data. This turns a simple log manager or event manager into a security solution and generates a global, company-wide view of your risk posture. It doesn’t even require an all-McAfee technology landscape across the organization; the big idea here is to strive for a connected approach.

To get on the road to a true connected security posture, I think you need a construct that lets you leverage “next-generation” benefits like these without forgetting about traditional safeguards. You may have a stack of individually effective one-off security solutions, but the changing threat landscape and the available streamlining potential say it’s time to combine them into a single, connected approach. In a world of more genuine threats and mushrooming network complexity, it’s the best way to stay ahead.

By Tyler Carter

Thursday, August 9, 2012

Your Next Breath May Be Compromised By Malware

For some, breathing requires the assistance and support of healthcare providers and medical respiratory equipment. But as a patient or caretaker of a loved one who relies on these devices, would you be concerned about receiving updates from the manufacturer through the Internet?

We often take for granted how connected our lives are and how the things we rely on are constantly updated. We have become accustomed to updating our applications without hesitation – from downloading updates to mobile devices to regularly checking for Microsoft patches on your laptop to avoid Trojans and malware.

This is NOT the proper reaction when it comes to devices that are critical to health and life support, even if they are connected and able to do so.

Recently, the support website that serves a respiratory equipment manufacturer’s updates was repeatedly found to be serving malware. Malware may have been delivered to patients’ devices via automatic software updates, raising concerns about how many devices were compromised and what the next steps should be for both patients and manufacturers. There is no easy solution, and devices that are integral to patient health present unique IT challenges. Updates need to be tested and verified to make sure that the process of delivery does not cause any issues with the performance, availability or integrity of the device.

Registered mail tracks a letter from sender to recipient and requires the recipient’s signature to complete delivery. Connected medical devices can follow a similar process for updates: the device verifies the manufacturer’s digital signature on each update before installing it, refuses anything that fails that check, and afterwards runs only code it has approved. It takes a few more steps and technologies like McAfee’s Embedded Control, which uses application whitelisting with digital certificate updater support, but it can provide the verification and protection needed to manage updates to critical devices.
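The update path just described, as an added example that is not code from the original post or from any McAfee product: a hypothetical device authenticates the update manifest, checks the payload against the hash in that manifest, refuses downgrades and replays, and only then adds the new image to its execution allowlist. One substitution is made so the example runs on the Python standard library alone: HMAC-SHA256 with a per-device key stands in for the manufacturer’s certificate-based signature. In a real deployment the device holds only the vendor’s public key and verifies an asymmetric signature, so that a compromised device cannot sign updates for others; HMAC cannot provide that property. The firmware bytes, key and version numbers are constructed.

```python
import hashlib
import hmac
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def vendor_sign(manifest_key, version, payload):
    """What the manufacturer's update server publishes for a release: a manifest naming
    the version and payload hash, plus an authentication tag over the manifest.
    (HMAC stands in for an asymmetric signature; see the lead-in.)"""
    manifest = json.dumps({"version": version, "sha256": sha256_hex(payload)}).encode()
    tag = hmac.new(manifest_key, manifest, hashlib.sha256).digest()
    return manifest, tag


class DeviceUpdater:
    """Update path of a hypothetical connected respiratory device."""

    def __init__(self, manifest_key, initial_image, version=1):
        self._key = manifest_key
        self.version = version
        self.image = initial_image
        self.allowlist = {sha256_hex(initial_image)}  # the only code permitted to run

    def _manifest_authentic(self, manifest, tag):
        expected = hmac.new(self._key, manifest, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def apply_update(self, manifest, tag, payload):
        """Return 'applied' or 'rejected: <reason>'; on rejection nothing changes."""
        if not self._manifest_authentic(manifest, tag):
            return "rejected: manifest authentication failed"
        meta = json.loads(manifest)
        if meta["version"] <= self.version:          # rollback / replay protection
            return "rejected: version %d is not newer than installed" % meta["version"]
        if sha256_hex(payload) != meta["sha256"]:    # payload must match what was signed
            return "rejected: payload does not match authenticated manifest"
        # Only a payload that passed every check becomes executable.
        self.allowlist.add(meta["sha256"])
        self.image = payload
        self.version = meta["version"]
        return "applied"

    def may_execute(self, image):
        """Application whitelisting: code not on the allowlist never runs, however it arrived."""
        return sha256_hex(image) in self.allowlist


# Constructed scenario data.
VENDOR_KEY = b"per-device manifest key (constructed)"
FIRMWARE_V1 = b"firmware v1 image bytes"
FIRMWARE_V2 = b"firmware v2 image bytes"
TROJANED_V2 = FIRMWARE_V2 + b" + backdoor"


def run_scenarios():
    device = DeviceUpdater(VENDOR_KEY, FIRMWARE_V1)
    manifest, tag = vendor_sign(VENDOR_KEY, 2, FIRMWARE_V2)
    results = {}
    # 1. A compromised download server swaps the payload but cannot alter the manifest.
    results["tampered_payload"] = device.apply_update(manifest, tag, TROJANED_V2)
    # 2. An attacker forges a whole manifest without the key.
    forged, forged_tag = vendor_sign(b"wrong key", 2, TROJANED_V2)
    results["forged_manifest"] = device.apply_update(forged, forged_tag, TROJANED_V2)
    # 3. The genuine update goes through.
    results["genuine"] = device.apply_update(manifest, tag, FIRMWARE_V2)
    # 4. Replaying the same (or an older) authentic update is refused.
    results["replay"] = device.apply_update(manifest, tag, FIRMWARE_V2)
    # 5. Code that reached the device outside the update path cannot run.
    results["dropped_binary_runs"] = device.may_execute(b"unknown binary")
    results["current_image_runs"] = device.may_execute(FIRMWARE_V2)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print("%-20s %s" % (name, outcome))
```

The order of the checks matters: authenticating the manifest first means the version and hash fields are trusted before they are used, and the allowlist is extended only after everything else has passed, so a malicious download that slips through a compromised web site is rejected at the hash check and, even if it somehow reached the filesystem, would never be allowed to execute.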

No one wants to hinder innovations in healthcare technology, but patients don’t want their next breath to be compromised by malware either. By choosing the right security solutions for connected medical devices, we can all breathe easier.

By Kim Singletary

Wednesday, August 8, 2012

Will The Tech Industry Ever Fix Passwords?

Recently, CIO magazine published an article “Will Tech Industry Ever Fix Passwords?”, pointing out that “…in this age of cloud computing, SaaS and increased mobility, users are spreading their credentials everywhere. Passwords are inherently weak. Dictionary attacks are standard and rainbow tables can be used to crack more sophisticated passwords.”

Rather than trying to come up with more complicated and difficult-to-manage password management rules and procedures, the industry needs to come up with an approach to eliminate the need for passwords altogether – that approach is single sign-on (SSO). Standards-based federated SSO that depends on the exchange of tokens between an identity provider and a service provider has proven itself as the best alternative to user ID/password-based authentication.

SAML (Security Assertion Markup Language) is a widely used federated SSO industry standard, but it is typically used for B2B access management. OpenID has become popular for reusing credentials from social media providers (e.g., Facebook and Google), but, as the article points out, it contains some security holes that need to be plugged.
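The service-provider side of that token exchange, as an added example that is not part of the original post: once the identity provider’s XML signature on the response has been verified against its certificate (work done by a SAML library and assumed here to have already passed), the service provider still has to check the assertion’s conditions before trusting it. The assertion, the entity IDs and URLs, the outstanding request ID and the two-minute clock-skew allowance are all constructed for the example. Skipping any one of these checks is the kind of hole that lets an assertion issued for one site be replayed at another.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The service provider's own configuration (constructed for the example).
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
TRUSTED_IDP = "https://idp.example.org/metadata"
CLOCK_SKEW = timedelta(minutes=2)   # tolerance for drift between IdP and SP clocks

# Constructed assertion, as the identity provider would return it after Alice logged in.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2012-08-08T12:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.com/saml/acs"
          NotOnOrAfter="2012-08-08T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-08-08T11:59:00Z" NotOnOrAfter="2012-08-08T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def saml_time(text):
    """Parse the UTC timestamps SAML uses."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ServiceProvider:
    def __init__(self):
        self.pending_requests = set()  # AuthnRequest IDs we issued and have not yet consumed
        self.seen_assertions = set()   # assertion IDs already accepted (replay protection)

    def validate(self, assertion_xml, now):
        """Return (subject, []) if the assertion may be trusted, else (None, [reasons]).

        Signature verification (XML-DSig against the IdP certificate) is assumed to
        have passed before this is called; these are the checks that remain."""
        root = ET.fromstring(assertion_xml)
        errors = []
        if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
            errors.append("issuer is not the trusted IdP")
        cond = root.find("saml:Conditions", NS)
        if cond is None:
            errors.append("no Conditions element")
        else:
            if now + CLOCK_SKEW < saml_time(cond.get("NotBefore")):
                errors.append("assertion not yet valid")
            if now - CLOCK_SKEW >= saml_time(cond.get("NotOnOrAfter")):
                errors.append("assertion expired")
            audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
            if SP_ENTITY_ID not in audiences:
                errors.append("assertion was issued for a different service provider")
        scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        request_id = scd.get("InResponseTo") if scd is not None else None
        if scd is None or scd.get("Recipient") != SP_ACS_URL:
            errors.append("recipient is not our assertion consumer URL")
        if scd is not None and now - CLOCK_SKEW >= saml_time(scd.get("NotOnOrAfter")):
            errors.append("subject confirmation expired")
        if request_id not in self.pending_requests:
            errors.append("no matching outstanding AuthnRequest")
        if root.get("ID") in self.seen_assertions:
            errors.append("assertion replayed")
        if errors:
            return None, errors
        self.pending_requests.discard(request_id)   # exactly one response per request
        self.seen_assertions.add(root.get("ID"))
        return root.findtext("saml:Subject/saml:NameID", namespaces=NS), []


if __name__ == "__main__":
    sp = ServiceProvider()
    sp.pending_requests.add("_req42")   # the SP redirected Alice to the IdP with this ID
    print(sp.validate(ASSERTION, saml_time("2012-08-08T12:01:00Z")))   # accepted
    print(sp.validate(ASSERTION, saml_time("2012-08-08T12:01:00Z")))   # replay rejected
```

The accepted assertion consumes the outstanding request ID and records the assertion ID, so presenting the same assertion a second time fails even though every timestamp and audience still matches; an assertion presented half an hour later fails on the time window alone.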

While there is no single panacea available today—especially for consumers—eventually the industry will settle on a single, widely accepted standard, such as SAML, as the basis for authentication. Two-factor authentication will also achieve greater prominence as a way of securely identifying an individual using more than a user ID/password combination. The good news is that 2-factor authentication, using a variety of approaches, such as delivering a one-time password to a mobile device, or facial recognition using standard webcams and mobile cameras, is readily available today and is becoming increasingly consumer-friendly.

Businesses are already deploying SSO portals, either inside the firewall or in the cloud as a service, for their employees, contractors, business partners and customers. It is likely that a consumer-oriented service will emerge that provides a personalized portal that will allow consumers to create a customized web page—protected by 2-factor authentication tools—that they can use to quickly and easily federate their identity with all the various SaaS apps and web sites they want to access.

The technology exists today to provide both business users and consumers with secure access to any web app, from any device, without needing to remember dozens of user ID/password combinations. Now, it’s mostly a question of defining the business model and making a solution available that ordinary consumers will find useful. To find out more, visit McAfee.com or intelcloudsso.com and be sure to follow @McAfeeBusiness on Twitter.

By Robert Craig

Friday, August 3, 2012

Scams Are a Sport This Summer



Scammers tend to follow an editorial calendar much like journalists do. For example, when the holiday season is coming, journalists often write about bargains to be had, while scammers use the season as an opportunity to entice users with deals that are “too good to be true.”

The same practice applies to high-value news items such as natural disasters, celebrities and high-profile sporting events. Many of us are not aware of the risks and threats associated with such events and the impact they could have on you, your devices and your personal data. In fact, in a recent survey done by OnePoll for McAfee, only 13% of Brits were worried about a cyber threat spoiling their enjoyment of the summer’s sporting events.

As the world descends into a sporting frenzy this summer, it can be easy to become a little sloppy about keeping your mobile devices safe and secure. However, now is the time when we need to be more cautious.

McAfee has recently identified several scams related to sports which encourage consumers to share their personal details. These can take the form of text messages, social network spam or emails offering fake tickets or lottery wins.

In order to help you keep your mobile devices protected during this summer of sport, you should:

  •     Heed the advice “too good to be true”: be wary of phony websites, emails, texts and pop-up ads offering “too good to be true” deals on tickets to sporting events, autographed merchandise, and “winning” a trip to events.
  •     Back up your data: before you leave on a vacation to a major sporting event, make sure you’ve made a copy of the data on your smartphone, tablet, laptop or any other devices you’re taking with you. That way, if a device is lost or stolen, you still have all your data. Also consider deleting any personal information on the device that isn’t absolutely necessary.
  •     Disable location services: before posting photos on sites like Facebook, turn off GPS tagging so your location information doesn’t fall into the wrong hands.
  •     Don’t let your apps remember your user names and passwords: also make sure you don’t store credit card information or passwords on websites. If your smartphone or laptop is lost, criminals can easily access these accounts.
  •     Be careful when using Wi-Fi networks: avoid using public or free Wi-Fi networks when trying to access information online. Your information could easily be stolen without your knowledge, and you should not log in to any financial or shopping sites.
  •     Use “safe search” technology: make sure you install software that alerts you to risky sites you may receive links to via email, texts, IMs or social networking sites. This will prevent you from going to a site that could download malicious software onto your mobile device and steal your identity and financial information.
The world’s biggest sporting event is something to be enjoyed by all and by following these tips, you can stay safe and just enjoy the event!

By Robert Siciliano

Thursday, August 2, 2012

Yahoo! Hacked: 15 Tips To Better Password Security

In light of the Yahoo Voices hack, where 450,000 passwords were compromised, it’s time again to tell the world what they are doing wrong when it comes to passwords. CNET pointed out that:

2,295: The number of times a sequential list of numbers was used, with “123456″ by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.

160: The number of times “111111″ is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000″ is used 71 times.

Protect your information by creating a secure password that makes sense to you, but not to others.

Most people don’t realize there are a number of common techniques used to crack passwords and plenty more ways we make our accounts vulnerable due to simple and widely used passwords.

Common Ways Hacks Happen

Dictionary attacks: Avoid consecutive keyboard combinations, such as qwerty or asdfg. Don’t use dictionary words, slang terms, common misspellings, or words spelled backward. These cracks rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like John the Ripper or similar programs.

Cracking security questions: Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research. When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin’s Yahoo account was hacked.

Simple passwords: Don’t use personal information such as your name, age, birth date, child’s name, pet’s name, or favorite color/song, etc. When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “princess,” “qwerty,” and “abc123.”

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Social engineering: Social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.

Tips to Make Your Passwords Secure

  •     Make sure you use different passwords for each of your accounts.
  •     Be sure no one watches when you enter your password.
  •     Always log off if you leave your device and anyone is around—it only takes a moment for someone to steal or change the password.
  •     Use comprehensive security software and keep it up to date to avoid keyloggers (keystroke loggers) and other malware.
  •     Avoid entering passwords on computers you don’t control (like computers at an Internet café or library)—they may have malware that steals your passwords.
  •     Avoid entering passwords when using unsecured Wi-Fi connections (like at the airport or coffee shop)—hackers can intercept your passwords and data over this unsecured connection.
  •     Don’t tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.
  •     Depending on the sensitivity of the information being protected, you should change your passwords periodically, and avoid reusing a password for at least one year.
  •     Do use at least eight characters of lowercase and uppercase letters, numbers, and symbols in your password. Remember, the more the merrier.
  •     Strong passwords are easy to remember but hard to guess. Iam:)2b29! — This has 10 characters and says “I am happy to be 29!” I wish.
  •     Use the keyboard as a palette to create shapes. %tgbHU8*- : follow that on the keyboard and it traces a V, starting from any of the top keys. To change these periodically you can slide the shape across the keyboard, or use a W if you are feeling all crazy. Bear in mind that cracking tools include keyboard patterns in their rule sets, so a shape on its own is weaker than it looks; combine it with something else.
  •     Have fun with known short codes or sentences or phrases. 2B-or-Not_2b? —This one says “To be or not to be?”
  •     It’s okay to write down your passwords, just keep them away from your computer and mixed in with other numbers and letters so it’s not apparent that it’s a password.
  •     You can also write a “tip sheet” which will give you a clue to remember your password, but doesn’t actually contain your password on it. For example, in the example above, your “tip sheet” might read “To be, or not to be?”
  •     Check your password strength. If the site you are signing up for offers a password strength analyzer, pay attention to it and heed its advice.
In the end, it’s the public’s responsibility to protect themselves. This disclosure means that everyone currently exposed must change their password now. The rule of thumb is to change your passwords regularly, at least every six months, and, cliché or not, passwords need to be strong. Let the keyboard be your palette and be creative, and avoid dictionary and slang terms: dictionary attacks use software that automatically plugs common words into password fields, making cracking effortless.
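As an added example, not part of the original post: the checks described under “Common Ways Hacks Happen” and in the tips above, run both as a single-password checker and as a tally over a constructed sample resembling the leaked list. The wordlist here is a stand-in for a real cracking dictionary such as the one shipped with John the Ripper (an assumption, as are the sample passwords); the keyboard-walk check covers letter rows only, so the V-shape trick above would pass it, even though cracking tools do include such patterns in their rule sets.

```python
import re
from collections import Counter

# Tiny stand-in for a cracking wordlist; a real audit uses a full dictionary.
WORDLIST = {"password", "princess", "qwerty", "abc123", "letmein", "monkey",
            "iloveyou", "welcome", "dragon", "sunshine", "football"}
# Letter rows of a US keyboard; digit runs are covered by the sequential-digit check.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def digit_runs_sequential(pw):
    """True if pw contains 4+ digits that step by +1 or -1 (123456, 654321, 1234abc)."""
    for run in re.findall(r"\d{4,}", pw):
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def repeated_char(pw):
    """True if pw is one character repeated (111111, 000000)."""
    return len(pw) >= 3 and len(set(pw)) == 1


def keyboard_walk(pw, min_len=4):
    """True if pw contains min_len+ adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_len + 1):
            chunk = row[start:start + min_len]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def dictionary_word(pw):
    """True if the password, minus trailing digits/symbols, is a wordlist entry or one reversed."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core in WORDLIST or core[::-1] in WORDLIST


def character_classes(pw):
    """Count of lowercase, uppercase, digit and symbol classes present."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def assess(pw):
    """Return the list of weaknesses found; an empty list means the password passes
    every check in the post: 8+ characters, 3+ character classes, no common pattern."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    if character_classes(pw) < 3:
        findings.append("fewer than 3 character classes")
    if digit_runs_sequential(pw):
        findings.append("sequential digits")
    if repeated_char(pw):
        findings.append("repeated character")
    if keyboard_walk(pw):
        findings.append("keyboard walk")
    if dictionary_word(pw):
        findings.append("dictionary word")
    return findings


def breach_summary(passwords):
    """The kind of tally CNET produced for the Yahoo dump: how often each weakness
    appears, the most common passwords, and how many would pass every check."""
    tally = Counter()
    for pw in passwords:
        for finding in assess(pw):
            tally[finding] += 1
    passing = sum(1 for pw in passwords if not assess(pw))
    return {"weaknesses": tally, "top": Counter(passwords).most_common(3), "passing": passing}


# Constructed sample resembling the leaked list described above.
LEAKED_SAMPLE = ["123456", "123456", "123456", "111111", "000000", "654321", "12345a",
                 "qwerty", "princess", "drowssap", "password1", "Iam:)2b29!", "2B-or-Not_2b?"]


if __name__ == "__main__":
    summary = breach_summary(LEAKED_SAMPLE)
    print("most common:", summary["top"])
    print("weaknesses:", dict(summary["weaknesses"]))
    print("passing all checks:", summary["passing"], "of", len(LEAKED_SAMPLE))
```

Both of the post’s own examples, Iam:)2b29! and 2B-or-Not_2b?, come back clean, while drowssap and password1 are caught by the reversed-word and stripped-suffix checks, which is exactly the “token effort to mix things up” the CNET numbers describe.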



By Robert Siciliano

Robert Siciliano is an Online Security Expert to McAfee. See him discussing identity theft on YouTube. (Disclosures)