If you’re struggling to juggle your passwords, the solution to your woes is a password manager. See our recommendations.

Password managers are a safe, secure way of logging into your various online accounts. In fact, they’re vastly preferable to the alternatives of either trying to remember multiple unique passwords or re-using the same password over and over.

According to Pew Research Centre, half of users have up to 25 password-protected accounts online. That’s far too many for the average person to remember, making it hard to stay secure. A secure password manager will automatically store all your logins, meaning that you’ll never have to remember one ever again, and can even generate passwords for you.

Given that even industry-leader LastPass was once the victim of a hack, concerns remain over using password managers. Besides, you may be questioning the wisdom of storing all your passwords in one place. These are legitimate concerns, but research has shown that using a password manager is far more secure than not using one. The risk of your business getting hacked is high, particularly during the pandemic, so we’d strongly recommend getting one yourself.

As for which password manager you should choose? We’ve tested some of the best password managers around, and while they’re all safe and secure, the best on test was LastPass. This stands out thanks to a simple interface, secure setup, and brilliant family-sharing options. Plus, you can try LastPass for free to see if you like it.

Is it Safe to Use a Password Manager?

Yes – a good quality password manager is a safe, trustworthy and highly recommended security tool. In fact, security experts almost uniformly believe that password managers are infinitely safer than virtually every alternative there is, for businesses and individuals alike.

Top password managers, such as 1PasswordDashlane or LastPass, can be trusted to protect your account logins thanks to secure encryption that keeps your passwords secret.

Here’s how it works in practice. You create an account with a password manager, then create a single “master password” to log into it. To keep your password manager safe to use, it’s essential that your master password isn’t anything obvious. So that’s no to “12345,” “qwerty,” or “passwd.” Instead, pick a longer phrase or mix and match cases and special characters – just ensure it’s unique and memorable.

Then, the password manager can get to work automatically generating complex, unique passwords for every service you log into online – one for your Amazon account, email account, Facebook account and so on. You won’t need to memorize these – whenever you login in, the password manager will automatically apply the password (and you enable the password manager via that single master password).

This entire process is far more secure than re-using the same password over and over on multiple sites – the single biggest risk you can take with you and your business’ online security. It’s also far easier than attempting to remember multiple unique passwords.

So, if it’s all win, why are there any questions around password manager safety? Largely, these come down to an understandable concern over the security of handing over your logins to a third-party service. That’s why we’d recommend only using a trustworthy, well-rated password manager. So which ones would we recommend?

Most Secure Password Manager

If you want a secure password manager, you should opt for a paid one. Free password managers tend to be restricted in some way, and are usually supported with adverts. Additionally, free password managers are simply not set up to handle a full business’ security needs, which means paid for is always the way to go.

In our testing, we found LastPass to be the most secure password manager. For a few dollars a month, it could save you a lot of headaches, as well as time spent waiting for password reminder emails to drop into your inbox.

Do Password Managers Get Hacked?

No online system is infallible. Password managers – just like any other online service you use, such as Amazon, Twitter or Facebook – run the risk of being hacked. In fact, some have been.

The best password managers, however, will take your security very seriously – after all, you’re paying for the service. If you lose trust in them, they lose your patronage, and with it, your payment.

When LastPass was hacked in 2015, users were right to be concerned – after all, if a hacker could get into the system, they could, in theory, have access to every password that LastPass users had stored there. However, even though its security was breached, hackers were unable to steal any information – all of the passwords were protected by the users’ Master Password, which is not stored on the LastPass servers. This meant that the encryption on the passwords stored by LastPass was unable to be cracked. And that is why you should pay for a password manager.

Password managers are also a common target for ‘ethical hackers’ — those who like to test the security of online systems to flex their coding muscles. Password managers are their white whale – crack one of these open, and they’ll win the acclaim of the industry.

This isn’t as scary as it sounds though. In fact, ethical hackers are offering a great service, finding exploits in online systems before more nefarious people do. Once they’ve found a vulnerability, these hacklers will make contact with the service and let them know, allowing the provider to then fix the issue.

Verdict – Should You Use a Password Manager?

We can’t state this clearly enough – a password manager is a safe, recommended way to secure your online logins. The alternatives are far, far riskier – in particular, that old habit of re-using the same old password again and again across multiple websites (please, just don’t).

No system is guaranteed bullet-proof, and as the LastPass hack showed, even password managers can be vulnerable. However, as that very incident showed, there are serious protections in place, and these prevented the LastPass hack from being a disaster for any customers.

In the age of hybrid work and vast security breaches, we’d strongly recommend getting up and running with a password manager for proper online peace of mind.

If you are looking for an expert to help you find the best solutions for your business talk to GCInfotech about a free technology assessment

Published with consideration from Tech.co SOURCE

HTML files remain one of the most popular attachments used in phishing attacks for the first four months of 2022, showing that the technique remains effective against antispam engines and works well on the victims themselves.

HTML (HyperText Markup Language) is a language that defines the meaning and structure of web content. HTML files are interactive content documents designed specifically for digital viewing within web browsers.

In phishing emails, HTML files are commonly used to redirect users to malicious sites, download files, or to even display phishing forms locally within the browser.

As HTML is not malicious, attachments tend not to be detected by email security products, thus doing a good landing in recipients’ inboxes.

Statistical data from Kaspersky indicates that the trend of using HTML attachments in malicious emails is still going strong, as the security company detected 2 million emails of this kind targeting its customers in the first four months of the year.

The numbers culminated in March 2022, when Kaspersky’s telemetry data counted 851,000 detections, while a drop to 387,000 in April could be just a momentary shift.

How HTML evades detection

The phishing forms, redirection mechanisms, and data-stealing elements in HTML attachments are typically implemented using various methods, ranging from simple redirects to obfuscating JavaScript to hide phishing forms.

Attachments are base64 encoded when present in email messages, allowing secure email gateways and antivirus software to easily scan attachments for malicious URLs, scripts, or other behavior.

To evade detection, threat actors commonly use JavaScript in the HTML attachments that will be used to generate the malicious phishing form or redirect.

The use of JavaScript in HTML attachments to hide malicious URLs and behavior is called HTML smuggling and has become a very popular technique over the past few years.

To make it even harder to detect malicious scripts, threat actors obfuscate them using freely-available tools that can accept custom configuration for a unique, and thus less likely to be detected, result and thus evade detection.

For example, in November, we reported that threat actors used morse code in their HTML attachment to obfuscate a phishing form that the HTML attachment would display when opened.

Kaspersky notes that in some cases, the threat actors use encoding methods involving deprecated functions like the “unescape()”, which substitutes “%xx” character sequences in the string with their ASCII equivalents.

While this function has been replaced by decodeURI() and decodeURIComponent() today, most modern browsers still support it. Still, it might be ignored by security tools and antispam engines that focus more on current methods.

Conclusion

HTML attachment distribution was first seen spiking in 2019, but they remain a common technique in 2022 phishing campaigns, so they should be seen as red flags.

Remember, merely opening these files is often enough to have JavaScript run on your system, which may lead to automatic malware assembly on the disk and the bypassing of security software.

As the security software doesn’t detect an attachment as malicious, recipients may be more likely to open them and become infected.

Even if your email security solution doesn’t generate any warnings, you should always treat HTML attachments as highly suspicious.

Are you interested in learning more about cybersecurity? Call us today and discover how our wide array of tech services can safeguard your business.

If you are looking for an expert to help you find the best solutions for your business talk to GCInfotech about a free technology assessment

Published with consideration from bleepingcomputer.com SOURCE

With remote work becoming the new normal for many businesses, employers can’t help but worry about how much work their employees are getting done. One way to determine this is by monitoring employees online. However, this practice can raise privacy concerns. This article will shed light on what employee monitoring is and how it can help your business.

What is employee monitoring?

Employee monitoring is the practice of using digital tools to track employee activity and performance, and the progress of their tasks. The data collected can be used to identify patterns, trends, and correlations across different teams allowing managers to gain insight into various work processes, and how they can be improved.

What are the benefits of employee monitoring?

Here are the key benefits of monitoring your employees online:

1. Improved productivity
Using employee monitoring tools can help you track how much time employees spend visiting non-work-related websites or chatting with friends. If an employee’s productivity goes down significantly because of these activities, you can address the issue by reminding that specific employee about the company’s policy regarding visiting non-work-related websites and/or limiting his/her internet access.

When employees know that their activities are being monitored, they’re more likely to focus on their tasks and avoid inappropriate internet use.

2. Better security
According to Verizon’s 2021 Data Breach Investigations Report, 85% of breaches reported in 2020 were due to human error. Monitoring the online habits of employees can help employers track and flag instant messages and emails containing sensitive and private information. In addition, managers can block employees from visiting phishing sites or websites that automatically download malware onto unprotected computers and mobile devices.

3. More efficient project management
Monitoring employee activity provides managers with continuous reports on workers’ progress, allowing them to stay on top of multiple projects. These reports can help managers delegate tasks and adjust schedules to meet deadlines.

What are the disadvantages of monitoring your employees online?

Despite its benefits, employee monitoring also comes with some drawbacks, such as:

1. Trust issues
Employees may feel that their privacy is being violated. This can lead to low employee morale and reduced productivity, as well as distrust between and among colleagues.

2. Legal issues
States and countries may have varying policies on employee monitoring, but one thing is constant ⁠— an employee’s consent is needed before any type of monitoring can be done.Without the consent of an employee, an employer can be charged with privacy violations and discrimination if the information collected is used to harm that employee.

To avoid potential problems that can arise from employee monitoring, employers should explain why monitoring is needed. A written policy should be created explaining how employees will be monitored, what information will be collected, and how that information will be protected.

If you want to learn more about employee monitoring, give us a call today.

If you are looking for an expert to help you find the best solutions for your business talk to GCInfotech about a free technology assessment

Published with consideration from TechAdvisory.org SOURCE

The Federal Bureau of Investigation (FBI) said today that the amount of money lost to business email compromise (BEC) scams continues to grow each year, with a 65% increase in the identified global exposed losses between July 2019 and December 2021.

From June 2016 until July 2019, IC3 received victim complaints regarding 241,206 domestic and international incidents, with a total exposed dollar loss of $43,312,749,946.

“Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds,” the FBI said.

“China, which ranked in the top two destinations in previous years, ranked third in 2021 followed by Mexico and Singapore.”

This was revealed in a new public service announcement published on the Internet Crime Complaint Center (IC3) site as an update to a previous PSA from September 2019, when the FBI said losses to BEC attacks reported by victims between June 2016 and July 2019 reached a total of over $26 billion.

According to the IC3 2021 Internet Crime Report [PDF], BEC scams were the cybercrime type with the highest reported total victim losses last year.

Victims reported losses of almost $2.4 billion in 2021, based on 19,954 recorded complaints linked to BEC attacks targeting individuals and businesses.

BEC scam?

BEC scammers are employing various tactics — including social engineering, phishing, and hacking — to compromise business email accounts which will get used to redirect payments to attacker-controlled bank accounts.

In this type of scam (also known as EAC or Email Account Compromise), the crooks will commonly target small, medium, and large businesses. Still, they’re also attacking individuals if the payout is worth it.

Their success rate is also very high, given that they generally impersonate someone who has the target’s trust, such as business partners or company executives.

However, “the scam is not always associated with a transfer-of-funds request,” as the FBI explained in the PSA alert.

“One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even crypto currency wallets.”

BEC defense guidance

The FBI also provided guidance on how to defend against BEC scam attempts:

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.

The federal law enforcement agency advises those who fall victim to BEC fraud to immediately reach out to their bank to request a recall of funds.

They’re also urged to file a complaint with the FBI at BEC.ic3.gov, regardless of the lost amount, and as soon as possible.

Published with consideration from BleepingComputer  SOURCE