Mobile Security – Android Edition

December 16, 2016

As we dive further into the holiday season, a time when many of us are busy catching up with friends and family, it is important to remember the little things. The way the snow drapes across the horizon can be especially frustrating at times, but it is also beautiful. Take some time to appreciate friends new and old; perform a random act of kindness for a stranger. Be a little selfish, too – enjoy a mug of hot cocoa, get cozy under your favorite blanket, and take some time to review the security options on your Android phone.


Gary is a team member at Sephone, helping to design, build and maintain websites. He is also a web design student at the New England School of Communications of Husson University.

Two-Step and Apple Pay: the Future of Online Security

October 16, 2014

With the launch of Apple Pay, Apple’s new contactless payment method on the iPhone 6 and 6 Plus, I’ve heard a lot of people asking: what’s wrong with the payment process we have now? It doesn’t take that much time to pull out a credit card.

The real issue Apple Pay solves is security, not convenience. And it’s one member of a new generation of technologies to keep your personal information safe.


Justin is a web and mobile developer at Sephone. He's interested in user-driven design, social media, and web services. He also enjoys learning and exploring new ways for businesses and people to use the web.

Online Security

December 9, 2016

With the holidays upon us and the increase in online sales, I wanted to take a few minutes to talk about online security. Many online retailers take your security very seriously, but as we know, websites still get compromised every day (even sites as large as Yahoo & LinkedIn can be victimized).

So what are some things that you can do to keep your accounts and personal information secure online during this holiday shopping season and throughout the year?

Brady is the voice on the other end of the phone line when you call Sephone. He graduated from the New England School of Communications in 2009 and assists Sephone in building and maintaining our sites.

What is an SSL? (Secure Socket Layer = Security?)

September 16, 2013

Our Very (Very) Basics series gives a high-level look at hot tech topics. We want these posts to be a way for people who don’t normally work with the web, mobile, and marketing to understand the basics without having to deal with all the geeky stuff. If you’d like more information about any of these topics, try searching our blog to find more posts.


Have you ever heard a web company say something needs an SSL? What does that mean?

The internet is a big place. With close to 9 billion devices connecting, it can be hard to find some privacy. SSL encryption technologies are often used to facilitate a private line between two parties.

Why do you need privacy?

Generally speaking, any time a credit card number or detailed personal information (like a Social Security number) is transmitted, you need to use SSL encryption to protect that information from prying eyes.

If you don’t use SSL technology to protect that data, there are many ways it can be captured. If you are a wireless user, whether on a mobile phone, wifi, or satellite, that information is traveling through the air exposed, and anybody with the right equipment within range of your signal can intercept it.

Even if you are on a wired network, you are not in that much better shape. As I write this article, I performed a traceroute to amazon.com. It’s sort of like revealing the road map my data traveled to arrive at Amazon. My packets touched ten different routers owned by five different companies en route to one of the largest retailers on the planet. Out of these five companies, two I know: my own ISP and Amazon. Three are an enigma to me. Never heard of them. Do I trust my credit card information totally naked in their hands? Do I know their networks are free of malware? Do I know the competence of their network security? No, I do not.

Additionally, there is another common way to harvest data, called a man-in-the-middle attack. Though a bit harder to explain, it is in widespread use. The attacker puts himself between you and the site you think you are talking to, relaying traffic back and forth while reading or changing it. On an open wifi network a rogue access point can do this; so can tampered DNS that points amazon.com at the attacker’s machine, so that even though it says amazon.com in the address bar, that is not the real amazon.com. The simpler cousin of this is phishing, where a fake site masquerades as one you already trust, like GoDaddy, PayPal, eBay or your bank: an email with a link to a page that looks like PayPal but is actually not PayPal, and people are tricked into submitting their information to it.

How does SSL technology protect me?

Now that you know some of the dangers of unencrypted data, let’s see what SSL encryption can do for us. When you are at your favorite reputable merchant’s website, you want to give them your credit card information so they can charge the agreed amount. SSL encryption gives you a private line to the merchant’s webserver. Others may still intercept the transmission, but what they capture looks like trash and cannot be read back as a credit card number. Additionally, SSL assures you that you are indeed speaking with the merchant you think you are, not an impostor, which is what defeats the man-in-the-middle attack.

But how does it work?

It’s somewhat complicated as to “how” it works exactly, but I will offer a brief description.

The server administrator generates a private key. In the file it looks like a very long string of random upper- and lower-case letters, numbers, and special characters (like + or /), but that is only the base64 encoding of what is really a very large random number. This private key is never shared with anybody. From it a matching public key is derived; the public key can encrypt data that only the private key can decrypt, but it cannot decrypt anything itself. The administrator packages the public key together with the site’s name into a certificate signing request (CSR) and sends that, never the private key, to a certificate authority (CA) like Thawte, VeriSign, Network Solutions or GoDaddy. Once the CA has validated the business, it signs the request and issues a certificate that binds the public key to the domain name. Private key, CSR and certificate are a trio that only work together and are not interchangeable.

When your browser goes to a website over a secure https connection, the webserver sends back its certificate, which contains the public key. The browser checks the CA’s signature on that certificate against the list of CAs it already trusts, checks that the name in the certificate matches the site in the address bar, and checks that it has not expired or been revoked. Once the browser knows the certificate is good, the two sides use the public key to agree on a fresh secret key for this session; only the holder of the private key can complete that step, which is what keeps an impostor out. That session key then encrypts everything that follows, such as the credit card number, and only the real server can read it. If this is all happening right, most browsers will show a lock in the address bar.


What about the NSA?

Recently, much news has been released about the NSA (and a few other agencies) and its ability to peek into various services and technologies to access information previously thought to be secret. At this time it’s unknown exactly what they have access to, but it does seem the NSA has direct access to Facebook, mobile phone data, Hotmail and Google services.

They may also have access to SSL connections. The configuration Sephone uses for its SSL certificates is an RSA key pair for the certificate and the key exchange, with AES-256 encrypting the session itself; those are by far the most common choices in current use. RC4 is another common (older and weaker) session cipher, and SHA, which often appears next to them in a cipher-suite name, is not a cipher at all but the hash used to detect tampering with the data. To break AES-256 by brute force, trying every possible key, would by one common estimate take the world’s largest supercomputers around 149 trillion years. That seems like a safe bet, but the more realistic worry is not the cipher being broken; it is a back door in a deliberately weakened standard or implementation, or a copy of a server’s or CA’s private key. Exactly what the NSA can do is unknown at this time.


Alan has been creating websites since CompuServe was huge. Today he still is developing websites using technologies such as CSS3, HTML5, jQuery and CakePHP.

Good Passwords for Good Security

February 17, 2012

Nowadays there are so many passwords to remember: Facebook, Twitter, YouTube, Gmail, Sephone’s datAvenger CMS, custom applications, email and so on. One of the most common security problems that we run into here at Sephone is that somebody picked a weak password and somebody else guessed it. This post aims to help you pick secure passwords.

Guidelines

In general, passwords should be hard to guess and elusive to figure out. Here are some guidelines that I like to use:

  • at least 8 characters long
  • includes numbers
  • mixed case (upper and lower case)
  • contains some special characters (* ! / ’ etc.)

In addition, try not to use the same password at every site. Let’s say your Twitter account email is test@gmail.com and your password is test. Bad password, but just an example. If Twitter gets hacked and somebody has a list of logins, you can be sure they will try that list on other sites.

Also, it goes without saying (I hope): don’t store your password where people can get it. This means not saving it on the computer you are using, unless you have a fair degree of physical security for that machine, meaning somebody can’t use it or steal it easily. Don’t write passwords down where people can see them. And don’t tell your password to anybody.

Bad Passwords

Here are commonly used passwords that are bad.

  • 12345
  • password
  • same as the username
  • your birthday or child’s birthday
  • pet’s name
  • a simple dictionary word like “fence”
  • keyboard patterns like qwerty, asdf or rfv

Good Passwords

Here is a list of some good passwords, but don’t actually use these ones. This gives you the idea.

  • f45D9a2$-z,e)
  • c@tS[are]Not*c3Wl
  • 3!taTlworz3

Yes, these are harder to remember, but once you get them, it will not be an issue. Most of the passwords that I have, I don’t know them mentally; my fingers have learned them and I can type them automatically, but I struggle to know what the actual password is. It’s surprising how quickly your fingers will learn them.
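The guidelines and the bad-password list above, turned into a checker, as an added example that is not Sephone’s code. It goes a little beyond the post: keyboard patterns are detected in either direction, a word is still caught when digits and symbols are tacked onto it, date-shaped passwords are flagged, and a rough brute-force search-space size is computed. The word list is a small constructed stand-in for a real dictionary or breach list.

```python
"""Check a candidate password against the guidelines and bad-password list
above. Added example, not Sephone's code."""
import math
import re
import string
from typing import List, Optional

MIN_LENGTH = 8

# Runs of adjacent keys on a US keyboard; any 3+ characters taken from one of
# these (forwards or backwards) counts as a pattern like qwerty, asdf or rfv.
KEYBOARD_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm"]

# Constructed stand-in for a real dictionary and breach list; a deployment
# would load a large one (hundreds of thousands of entries).
COMMON_WORDS = {"password", "fence", "letmein", "welcome", "monkey",
                "dragon", "sunshine", "football", "iloveyou"}


def keyboard_pattern(pw: str) -> Optional[str]:
    """Return the first keyboard run found in pw, or None."""
    low = pw.lower()
    for run in KEYBOARD_RUNS + [r[::-1] for r in KEYBOARD_RUNS]:
        for i in range(len(run) - 2):
            chunk = run[i:i + 3]
            if chunk in low:
                return chunk
    return None


def looks_like_date(pw: str) -> bool:
    """Birthdays in forms like 01/15/1985, 15-01-85 or 19850115."""
    return re.fullmatch(r"\d{2,4}[/.-]?\d{2}[/.-]?\d{2,4}", pw) is not None


def check_password(pw: str, username: str = "") -> List[str]:
    """Return a list of guideline violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    if username and pw.lower() == username.lower():
        problems.append("same as the username")
    # Strip digits and symbols so "Fence1!!" is still caught as the word "fence".
    letters_only = re.sub(r"[^a-z]", "", pw.lower())
    if pw.lower() in COMMON_WORDS or letters_only in COMMON_WORDS:
        problems.append("a common word")
    if looks_like_date(pw):
        problems.append("looks like a date")
    pattern = keyboard_pattern(pw)
    if pattern:
        problems.append(f"keyboard pattern '{pattern}'")
    return problems


def brute_force_bits(pw: str) -> float:
    """Size of the search space, in bits, for an attacker who knows which
    character classes were used and simply tries every combination."""
    space = 0
    if any(c.islower() for c in pw):
        space += 26
    if any(c.isupper() for c in pw):
        space += 26
    if any(c.isdigit() for c in pw):
        space += 10
    if any(c in string.punctuation for c in pw):
        space += len(string.punctuation)
    return len(pw) * math.log2(space) if space else 0.0


if __name__ == "__main__":
    for candidate in ["password", "Qwerty12!", "Fence1!!", "f45D9a2$-z,e)"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'} "
              f"({brute_force_bits(candidate):.0f} bits)")
```

The brute-force figure is an upper bound on the attacker’s work, not a measure of how guessable the password is: “Fence1!!” has the same character classes as a random 8-character password, which is exactly why the word and pattern checks run before anyone looks at the number.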

Thanks to Graham Richardson for sharing the photo in this post with a Creative Commons license!


A few security related notes

June 7, 2012

Lately there has been a lot in the news related to internet security. LinkedIn and eHarmony have had passwords stolen, Facebook and Google have made announcements about DNSChanger, and we would like to make an announcement about our password security.

LinkedIn and eHarmony

6.46 million password hashes were taken from LinkedIn. They were unsalted SHA-1 hashes, so a large share of the underlying passwords have already been cracked. If you use the same password/email combination on other sites, those credentials will be used to log in as you there too. LinkedIn made a statement on their blog.

In what may be related to the LinkedIn compromise, 1.5 million password hashes were stolen from eHarmony. If you use this site, check out their blog post about it.

DNSChanger

DNSChanger is a piece of malware that silently pointed infected computers at rogue DNS servers run by criminals. Those servers were seized and temporarily replaced with clean ones, and the replacements are being switched off on July 9; after that an infected computer can no longer look up names, so it will appear to have lost its internet connection. The DNS Changer Working Group have a website with more information. Both Google and Facebook are putting warnings at the top of their sites for users with the malware.

How we store passwords

We store passwords encrypted in databases. Our internal password storage tools all use a high grade of encryption. Rarely are passwords stored on our desktop machines (or iPads, laptops, etc.). We try hard to keep your passwords secure and encourage good passwords.


Hacked! Or Not?

April 9, 2015

“I was hacked!”

As people continue to spend more of their time online doing more of their day to day work, I hear people talk about hacking more than ever. But that raises the question: what is “hacking”? And do people use the term correctly?

Depending on who you ask, hacking can have a couple of definitions. Some attacks can be considered hacking without a doubt, while others… not so much. In this post we’ll give an overview of some of the cases when people or businesses might say they were “hacked”.

Security vulnerabilities

The classic form of hacking often has to do with security problems in software or operating systems. By exploiting these flaws, cybercriminals can access data that isn’t intended to be public. This is why it’s important to keep your software up to date! These kinds of attacks are often called “cracking” by the technology community to distinguish them from other forms of hacking.

Viruses, worms, and Trojan horses

Instead of formatting your computer or displaying messages on your screen, today’s malicious software often sits invisibly in the background, using your computer to carry out attacks. A computer might be used to send out spam, take part in a denial of service attack (see below), or commit other crimes. Good anti-virus and computer security software helps defend your computer against these kinds of attacks.

Phishing

Phishing happens when a criminal tries to trick you into handing over your personal information, whether it’s a login to a site, your credit card information, or something else. This can happen if you click on a link in a forged email, on a bad website, or sometimes even on social media. Always be sure to check the validity of a site before you enter your login or other personal information on it, and never send your personal information to anyone unless you know they’re authorized to request it. We’ve covered phishing a number of times before on the blog.

Unauthorized access

Sometimes “hacks” don’t have anything to do with login information or security problems with software; they happen because a person who isn’t supposed to have access to an account finds a way in. This can happen if you leave a device open on a table without a password, or if you use a public computer (for example, at a library) and forget to log out of a site like Facebook or your bank. It’s important to make sure former employees don’t still have access to the company’s social media or other administrative accounts, too.

Denial of service

A denial of service attack (and its big brother, the distributed denial of service attack, or DDoS) happens when a criminal overloads a site with requests to view pages. This bogs down the server and essentially creates a traffic jam, preventing other people from accessing the site. Typically in these cases no user data is at risk. Read more about DDoS attacks on our blog post, “Why a Site Doesn’t Load“.

Saying something stupid

Of course, saying an account was hacked can be a convenient excuse as a cover for saying something stupid. “I would never say something like that,” someone may say. “It must have been an old employee with the password, or someone hacked our site!” In these cases being cautious with what you say before you post is your best bet.

Building and creating

The unfortunate part about the word “hacking” is that it is so often associated with criminal acts. In fact hacking is a much broader field than just trying to steal personal information; it’s a desire to make something work in an unconventional way. If you’d like to learn more about the benefits of positive hacking, including the expanding field of civic hacking, listen to Catherine Bracy’s great TED Talk, “Why good hackers make good citizens“.

When you hear about a site or person being hacked, it’s important to remember that not all “hacking” is the same. It’s important to ask if your user data or other personal information was compromised. And do your part by making sure your software is updated, your passwords are strong, and you’re being cautious about the email and messages you receive!
