Mobile Security – Android Edition

December 16, 2016

As we dive further into the holiday season, a time when many of us are busy catching up with friends and family, it is important to remember the little things. The way the snow drapes across the horizon can be especially frustrating at times, but it is also beautiful. Take some time to appreciate friends new and old; perform a random act of kindness for a stranger. Be a little selfish, too – enjoy a mug of hot cocoa, get cozy under your favorite blanket, and take some time to review the security options on your Android phone.


Gary is a team member at Sephone, helping to design, build and maintain websites. He is also a web design student at the New England School of Communications of Husson University.

Two-Step and Apple Pay: the Future of Online Security

October 16, 2014

With the launch of Apple Pay, Apple’s new contactless payment method on the iPhone 6 and 6 Plus, I’ve heard a lot of people asking: what’s wrong with the payment process we have now? It doesn’t take that much time to pull out a credit card.

The real issue Apple Pay solves is security, not convenience. And it’s one member of a new generation of technologies to keep your personal information safe.


Justin is a web and mobile developer at Sephone. He’s interested in user-driven design, social media, and web services. He also enjoys learning and exploring new ways for businesses and people to use the web.

Online Security

December 9, 2016

With the holidays upon us and the increase in online sales, I wanted to take a few minutes to talk about online security. Many online retailers take your security very seriously, but as we know, websites still get compromised every day (even sites as large as Yahoo & LinkedIn can be victimized).

So what are some things that you can do to keep your accounts and personal information secure online during this holiday shopping season and throughout the year?

Brady is the voice on the other end of the phone line when you call Sephone. He graduated from the New England School of Communications in 2009 and assists Sephone in building and maintaining our sites.

What is an SSL? (Secure Socket Layer = Security?)

September 16, 2013

Our Very (Very) Basics series gives a high-level look at hot tech topics. We want these posts to be a way for people who don’t normally work with the web, mobile, and marketing to understand the basics without having to deal with all the geeky stuff. If you’d like more information about any of these topics, try searching our blog to find more posts.


Have you ever heard a web company say something needs an SSL? What does that mean?

The internet is a big place. With close to 9 billion devices connecting, it can be hard to find some privacy. SSL encryption technologies are often used to facilitate a private line between two parties.

Why do you need privacy

Generally speaking, anytime a credit card or detailed personal information (like Social Security Number) is transmitted you need to use SSL encryption technology to protect that information from prying eyes.

If you don’t use SSL technology to protect that data, there are many ways it can be exploited. If you are a wireless user, whether on a mobile phone, wifi, or satellite, that information is traveling through the air. Anybody with the right equipment who is in range of your signal can capture it. Wifi encryption such as WPA2 only protects the hop to your own access point, an open hotspot protects nothing at all, and neither does anything for the data once it leaves the router.

Even if you are on a wired network, you are not in much better shape. While writing this article, I performed a traceroute to amazon.com. It’s sort of like revealing the road map my data traveled to arrive at Amazon. My packets touched ten different routers owned by five different companies en route to one of the largest retailers on the planet. Of these five companies, two I know: my own ISP and Amazon. The other three are an enigma to me; I have never heard of them. Do I trust my credit card information totally naked in their hands? Do I know their networks are free of malware? Do I know the competence of their network security? No, I do not.

Additionally, there is another common way to harvest data, the man in the middle attack. Though a bit harder to explain, it is in widespread use. The simple version is really phishing: an email with a link to a fake website that looks like PayPal, GoDaddy, eBay or your bank, but is not, and people are tricked into submitting their information to the impostor. A close look at the address bar gives those away. The true man in the middle is harder to spot. Someone who controls a hop on the path your traffic takes (a rogue wifi hotspot, a poisoned DNS server, a compromised router) can answer in Amazon’s place and quietly relay your requests on to the real site. It will look like you are at Amazon, and the address bar will even say amazon.com, but you are talking to the attacker, who reads everything before passing it along.

How does SSL technology protect me

Now that you know some of the dangers of unencrypted data, let’s see what SSL encryption can do for us. When you are at your favorite reputable merchant’s website, your desire is to let them, and only them, have your credit card information to charge the agreed amount. SSL encryption gives you a private line to the merchant’s webserver. Others may still intercept the transmission, but what they capture looks like trash and cannot be read back into a credit card number. Additionally, the certificate behind the SSL connection assures you that you are indeed speaking with the merchant you think you are, not an impostor: if a man in the middle answers in the merchant’s place, the browser notices that the certificate does not match and warns you instead of showing the lock.

But how does it work

It’s somewhat complicated as to “how” it works exactly, but I will offer a brief description.

The server administrator makes a private key. In a file it looks like a very long string of random characters (lower letters, upper letters, numbers, and a few special characters like + or /), but that is just an encoding; underneath it is a few very large numbers. This private key is never shared with anybody. A public key is derived from it, and the public key has the useful property that anyone can use it to encrypt data, but only the matching private key can decrypt it. The administrator then puts the public key and the website’s name into a certificate signing request (CSR), signs the request with the private key, and sends the CSR (never the private key) to a certificate authority (CA), like Thawte, VeriSign, Network Solutions or GoDaddy. Once the CA has validated that the requester controls the domain (and, for the more expensive certificates, that the business is who it says it is), it issues a certificate: the public key plus the site’s name, signed by the CA. The private key, public key, and certificate are a trio that only work together and are not interchangeable; a certificate is useless without the private key it was issued for, and a different key will not work with it.

When your browser goes to a website over a secure https connection, the webserver sends back its certificate, which carries the public key. The browser checks that the certificate was signed by a CA it already trusts (every browser ships with a list), that it has not expired, and that the name on it matches the site in the address bar. Once the certificate checks out, the browser and server use the public key to agree on a fresh secret session key known only to the two of them; only the holder of the private key can complete that step, which is what proves the server is the real one. Your actual data, such as the credit card number, is then encrypted with a fast symmetric cipher like AES under that session key, and the server decrypts it with the same key. If all of this goes right, most browsers show a lock in the address bar; if it does not, you get a warning instead.
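
The trio described above, carried end to end, as an added example that is not part of the original post and not Sephone’s code. It uses only the Go standard library: the administrator’s key, a CSR, a stand-in CA that signs it, the browser-side check (chain to a trusted root plus hostname), and a real TLS handshake over loopback so the negotiated symmetric cipher can be seen. The hostname shop.example and the self-signed “Example Root CA” are made up for the example; the latter plays the part of the roots that browsers ship with.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign has the issuer's private key sign tmpl into a DER certificate, then parses it back.
func sign(tmpl, parent *x509.Certificate, pub interface{}, priv *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA plays the CA: a self-signed root like those browsers ship with. rsa.GenerateKey is also the administrator's first step.
func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// newCSR is what goes to the CA: the public key plus hostname, signed with the private key, which itself never leaves the server.
func newCSR(host string, key *rsa.PrivateKey) (*x509.CertificateRequest, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// issueCert is the CA's side: check the CSR's own signature, then bind the public key to the hostname (a real CA also verifies domain control).
func issueCert(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, csr.PublicKey, caKey)
}

// verifyCert is the browser's check: chain to a trusted root, valid dates, and a name matching the address bar.
func verifyCert(cert, root *x509.Certificate, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

// handshake runs a real TLS handshake over loopback TCP; the RSA key only authenticates the server while a session key is agreed.
func handshake(cert *x509.Certificate, key *rsa.PrivateKey, root *x509.Certificate, hostname string) (tls.ConnectionState, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}})
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	go func() { // the merchant's webserver: serve a single connection
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	roots := x509.NewCertPool()
	roots.AddCert(root)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: hostname})
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	return conn.ConnectionState(), nil
}

func main() {
	root, rootKey, _ := newCA()
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	csr, _ := newCSR("shop.example", key)
	cert, _ := issueCert(csr, root, rootKey)
	cs, err := handshake(cert, key, root, "shop.example")
	fmt.Println(verifyCert(cert, root, "amazon.com"), tls.CipherSuiteName(cs.CipherSuite), err)
}
```

verifyCert returns nil for shop.example but a hostname error when the same certificate is checked against amazon.com, which is the impostor case from the man in the middle section; a certificate signed by a CA the client does not trust fails the same way, and so does a handshake attempted with such a certificate. The successful handshake reports TLS 1.3 with AES-GCM (or ChaCha20 on hardware without AES instructions): the RSA key appears only in the server’s signature during the handshake, and the application data is protected by the symmetric session key.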


What about the NSA

Recently, much news has been released surrounding the NSA (and a few other agencies) and its ability to peek into various services and technologies to access information previously thought to be secret. At this time it’s unknown exactly what they have access to, but it does seem the NSA has direct access to Facebook, mobile phone data, Hotmail and Google services.

They may also have access to SSL connections. The cipher suite Sephone uses for SSLs is AES-256 for the data, with RSA for the key exchange and the server’s certificate; that combination is by far the most common in current use. You will also see RC4, an older stream cipher that is now considered weak, and SHA, which is not an encryption cipher at all but the hash function used to detect tampering with the data. Brute-forcing a single AES-256 key means trying up to 2^256 possibilities; a trillion machines each testing a trillion keys per second would still need far longer than the age of the universe. Seems like a safe bet. The more realistic worry from the reporting is not that AES is broken but that the pieces around it are: weakened random-number generators, private keys obtained from providers, weak cipher choices like RC4, and bugs in the software at either end. It’s unknown at this time exactly what they can do.


Alan has been creating websites since CompuServe was huge. Today he still is developing websites using technologies such as CSS3, HTML5, jQuery and CakePHP.

Email Verification: Spam, Self-Signing, and Security

June 9, 2017

Here at Sephone, we’ll occasionally get inquiries concerning email safety and security. These can range from topics like “Should I trust this suspicious-looking email?” to “Why is all my mail getting marked as spam?” In today’s blog post, I’d like to begin tackling some of these issues in-depth. I’ll do so by starting with the topic of Email Verification.


Gary is a team member at Sephone, helping to design, build and maintain websites. He is also a web design student at the New England School of Communications of Husson University.

Good Passwords for Good Security

February 17, 2012

Nowadays there are so many passwords to remember: Facebook, Twitter, YouTube, Gmail, Sephone’s datAvenger CMS, custom applications, email and so on. One of the most common security problems that we run into here at Sephone is that somebody picked a weak password and somebody else guessed it. This post aims to help you pick secure passwords.

Guidelines

In general, passwords should be hard to guess and elusive to figure out. Here are some guidelines that I like to use:

  • at least 8 characters in length (longer is better; length protects you more than any of the other rules)
  • includes numbers
  • mixed case (upper and lower case)
  • contains some special characters (* ! / ' " etc.)

In addition, you should try not to use the same password at every site. Let’s say your Twitter account email is test@gmail.com and your password is test. Bad password, but it’s just an example. If Twitter gets hacked and somebody has a list of logins, you can be sure they will try that same list at other sites.

Also, it goes without saying (I hope), don’t store your password where people can get it. This means not saving it on the computer you are using, unless you have a fair degree of physical security for that machine, meaning somebody can’t easily use it or steal it. Don’t write passwords down where people can see them. And don’t tell your password to anybody.

Bad Passwords

Here are commonly used passwords that are bad.

  • 12345
  • password
  • same as the username
  • your birthday or child’s birthday
  • pet’s name
  • a simple dictionary word like “fence”
  • keyboard patterns like qwerty, asdf or rfv

Good Passwords

Here is a list of some good passwords, but don’t actually use these ones. This gives you the idea.

  • f45D9a2$-z,e)
  • c@tS[are]Not*c3Wl
  • 3!tatlworz3

Yes, these are harder to remember, but once you get them, it will not be an issue. Most of the passwords I have I don’t know mentally; my fingers have learned them and I can type them automatically, yet I struggle to say what the actual password is. It’s surprising how quickly your fingers will learn them.
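
The guidelines and the bad-password list as a check that a signup form could run, added here as an example; it is not code from the original post or from Sephone. The short list of common passwords is constructed for the example and stands in for a real breached-password list (which runs to hundreds of millions of entries), and the keyboard rows and columns are the ones the post names plus their neighbours. Note that the post’s third sample password, 3!tatlworz3, has no upper-case letter and so fails the mixed-case rule.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// commonPasswords stands in for a breached-password list, which in practice runs to
// hundreds of millions of entries; this handful is constructed for the example.
var commonPasswords = map[string]bool{
	"12345": true, "123456": true, "password": true, "qwerty": true,
	"letmein": true, "welcome": true, "iloveyou": true, "abc123": true,
}

// keyboardRuns are the straight-line sequences the post warns about: the four rows,
// plus the short vertical columns such as rfv. Reversed runs are caught as well.
var keyboardRuns = []string{
	"1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
	"qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm",
}

// CheckPassword applies the guidelines and the bad-password list and returns every
// violation it finds, in a fixed order; an empty result means the password is acceptable.
// Pass the account's username so "same as the username" can be caught, or "" if unknown.
func CheckPassword(password, username string) []string {
	var problems []string
	if len([]rune(password)) < 8 {
		problems = append(problems, "fewer than 8 characters")
	}
	var upper, lower, digit, special bool
	for _, r := range password {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	if !upper || !lower {
		problems = append(problems, "not mixed case")
	}
	if !digit {
		problems = append(problems, "no numbers")
	}
	if !special {
		problems = append(problems, "no special characters")
	}
	lowered := strings.ToLower(password)
	if commonPasswords[lowered] {
		problems = append(problems, "commonly used password")
	}
	if username != "" && lowered == strings.ToLower(username) {
		problems = append(problems, "same as the username")
	}
	if run := keyboardRun(lowered); run != "" {
		problems = append(problems, "keyboard pattern "+run)
	}
	return problems
}

// keyboardRun returns the first keyboard sequence found in s, forwards or backwards:
// four adjacent keys from a row, or a whole three-key column. "" means none.
func keyboardRun(s string) string {
	for _, run := range keyboardRuns {
		n := 4
		if len(run) < n {
			n = len(run)
		}
		for i := 0; i+n <= len(run); i++ {
			w := run[i : i+n]
			if strings.Contains(s, w) || strings.Contains(s, reverse(w)) {
				return w
			}
		}
	}
	return ""
}

func reverse(s string) string {
	b := []byte(s) // the keyboard runs are ASCII
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return string(b)
}

func main() {
	for _, p := range []string{"f45D9a2$-z,e)", "c@tS[are]Not*c3Wl", "3!tatlworz3", "password", "Qwerty12"} {
		fmt.Printf("%-20s %v\n", p, CheckPassword(p, "alan"))
	}
}
```

The first two sample passwords from the post come back with no problems, "password" is flagged four times over, and "Qwerty12" satisfies the length, case and number rules yet is still caught by the keyboard-pattern check, which is why the rules alone are not enough and a deny list belongs in the check.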

Thanks to Graham Richardson for sharing the photo in this post with a Creative Commons license!


Alan has been creating websites since CompuServe was huge. Today he still is developing websites using technologies such as CSS3, HTML5, jQuery and CakePHP.

A few security related notes

June 7, 2012

Lately, there has been a lot of stuff in the news related to internet security. Linkedin and eHarmony have had passwords stolen, Facebook and Google have made announcements about DNSChanger, and we would like to make an announcement about our password security.

Linkedin and eHarmony

6.46 million passwords were compromised on Linkedin. If you use the same password/email combination on other sites, these compromised passwords will be used to log in as you there too. Linkedin made a statement on their blog.

In what may be related to the Linkedin compromise, 1.5 million passwords were stolen from eHarmony. If you use this site, check out their blog post about it.

DNSChanger

DNSChanger is a piece of malware that changes an infected computer’s DNS settings so that all of its lookups go through servers run by the criminals behind it. Those servers were seized and have been kept running as temporary replacements so that victims stay online, but that stops on July 9; after that date an infected machine will no longer be able to look up any website and will effectively lose internet access. The DNS Changer Working Group has a website with more information. Both Google and Facebook are putting warnings at the top of their sites for users with the malware.

How we store passwords

We store passwords encrypted in databases. Our internal password storage tools all use a high grade of encryption. Rarely are passwords stored on our desktop machines (or iPads, laptops, etc.). We try hard to keep your passwords secure and encourage good passwords.
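
A worked example of the standard way to store login passwords, added here as an illustration and not a description of Sephone’s own tools: rather than reversible encryption, store a salted, deliberately slow one-way hash, so that a stolen database (the Linkedin case above) yields no passwords and the same password never produces the same record twice. The Go code below implements PBKDF2-HMAC-SHA256 from the standard library’s hmac and sha256 packages with a random 16-byte salt, the iteration count stored alongside the hash, and a constant-time comparison. The record format string and the 600,000-iteration default (the OWASP Password Storage Cheat Sheet figure for this algorithm) are choices made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// defaultIterations is the OWASP Password Storage Cheat Sheet figure for
// PBKDF2-HMAC-SHA256. It is the knob that makes every guess expensive.
const defaultIterations = 600_000

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out so the
// stretching is visible: each output block is the XOR of iters chained HMACs.
func pbkdf2SHA256(password, salt []byte, iters, keyLen int) []byte {
	var out []byte
	var index [4]byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		binary.BigEndian.PutUint32(index[:], block)
		mac.Write(salt)
		mac.Write(index[:])
		u := mac.Sum(nil)              // U1 = HMAC(password, salt || block)
		t := append([]byte(nil), u...) // T = U1
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // Ui = HMAC(password, Ui-1)
			for j := range t {
				t[j] ^= u[j] // T ^= Ui
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// hashPassword produces the record that goes in the database. The algorithm,
// iteration count and a fresh random salt are stored with the hash so that
// verification can repeat the computation, and so two users with the same
// password do not get the same record. The password itself is never stored.
func hashPassword(password string, iters int) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iters, 32)
	enc := base64.RawStdEncoding.EncodeToString
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iters, enc(salt), enc(dk)), nil
}

// verifyPassword recomputes the hash from the stored parameters and compares it
// in constant time, so response timing does not reveal how many bytes matched.
func verifyPassword(password, stored string) (bool, error) {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised password record format")
	}
	iters, err := strconv.Atoi(parts[1])
	if err != nil || iters < 1 {
		return false, errors.New("bad iteration count in password record")
	}
	salt, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := pbkdf2SHA256([]byte(password), salt, iters, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	record, err := hashPassword("c@tS[are]Not*c3Wl", defaultIterations)
	if err != nil {
		panic(err)
	}
	fmt.Println(record)
	ok, _ := verifyPassword("c@tS[are]Not*c3Wl", record)
	wrong, _ := verifyPassword("c@tS[are]Not*c3W1", record)
	fmt.Println("correct password accepted:", ok, " wrong password accepted:", wrong)
}
```

Because the iteration count travels with the record, it can be raised for new records as hardware gets faster while old records keep verifying; the only thing a thief gets from the table is the chance to run the same slow computation for every guess.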


Alan has been creating websites since CompuServe was huge. Today he still is developing websites using technologies such as CSS3, HTML5, jQuery and CakePHP.