Category Archives: Security

23 Million People Use 123456 as a Password



Despite all the warnings, 23 million people worldwide use the password “123456”. This is according to the UK’s National Cyber Security Centre (NCSC), which analysed the Have I Been Pwned data set to produce a list of the top 100,000 passwords.

It’s frankly embarrassing – here’s the top 10. Anyone who uses any of these should have their computer, tablet and phone taken away from them immediately.

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 111111
  6. 12345678
  7. abc123
  8. 1234567
  9. password1
  10. 12345

Looking through the full list, there’s a reasonable selection of expletives, and for Brits, variations on “Liverpool” appear twenty-eight times. For non-Brits, Liverpool is not only a city in the North of England but a Premier League football (soccer) team. James Bond 007 is rich pickings too, with variations into the teens. No matter how smart or unique you think you are, there’s someone else who thinks the same.

The NCSC recommends using three random words as a password, such as “tablehouseblue”, and not re-using passwords between accounts. It particularly suggests always having a different password for your email account.

Dr Ian Levy, NCSC Technical Director, said: “Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band. Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”

You can read the full UK Cyber Survey, and there’s more analysis of the password list in this article.
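The practical follow-up to the NCSC list is to stop people choosing these passwords in the first place. The example below is added here and is not the NCSC’s or Have I Been Pwned’s code: it checks a candidate password against a small blocklist (the top ten from this page) and against a breached-password lookup done the way the Pwned Passwords range API works, where only the first five characters of the SHA-1 hash leave the client. The “range service” is an offline stand-in built from a constructed set of passwords with illustrative counts, and the word list is a constructed eight-word toy; the three-random-words generator and the entropy calculation show why a real word list needs thousands of entries.

```python
import hashlib
import math
import secrets

# Constructed blocklist: the top ten from the NCSC list quoted on this page.
# A real deployment would load the full 100,000-entry list (or more).
TOP_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "111111",
    "12345678", "abc123", "1234567", "password1", "12345",
}


def sha1_split(password):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of a password.

    In the Pwned Passwords range API only the 5-character prefix is sent to
    the server; the remaining 35 characters stay on the client.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


class LocalRangeService:
    """Offline stand-in for the range API, built from a constructed set of
    'breached' passwords with illustrative counts. It answers the same way
    the real service does: one 'SUFFIX:COUNT' line per hash in the prefix."""

    def __init__(self, breached):
        self._by_prefix = {}
        for password, count in breached.items():
            prefix, suffix = sha1_split(password)
            self._by_prefix.setdefault(prefix, []).append(f"{suffix}:{count}")

    def range(self, prefix):
        return "\n".join(self._by_prefix.get(prefix.upper(), []))


def breach_count(password, range_body):
    """Compare the locally kept suffix against the returned range body.
    Returns how many times the password appeared in breaches, or 0."""
    _, suffix = sha1_split(password)
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def is_weak(password, service, blocklist=TOP_PASSWORDS):
    """Reject anything on the blocklist (case-insensitively, so 'Password1'
    is treated as 'password1') or anything seen in a breach."""
    if password.lower() in blocklist:
        return True
    prefix, _ = sha1_split(password)
    return breach_count(password, service.range(prefix)) > 0


def random_words(wordlist, count=3):
    """The NCSC-style alternative: join `count` words chosen with a CSPRNG."""
    return "".join(secrets.choice(wordlist) for _ in range(count))


def passphrase_entropy_bits(words_per_phrase, wordlist_size):
    """Entropy of a phrase of uniformly chosen words: k * log2(N)."""
    return words_per_phrase * math.log2(wordlist_size)


# Constructed sample data; the counts are illustrative, not HIBP's figures.
SAMPLE_BREACHED = {"123456": 23_000_000, "password": 3_600_000, "liverpool1": 12_000}
SAMPLE_SERVICE = LocalRangeService(SAMPLE_BREACHED)
# Constructed tiny word list; a real one needs thousands of entries.
SAMPLE_WORDS = ["table", "house", "blue", "river", "candle", "orbit", "pepper", "lantern"]

if __name__ == "__main__":
    for pw in ("123456", "Password1", "liverpool1", "tablehouseblue"):
        print(f"{pw!r}: weak={is_weak(pw, SAMPLE_SERVICE)}")
    print("sample phrase:", random_words(SAMPLE_WORDS))
    print("bits for 3 words from 7,776:", round(passphrase_entropy_bits(3, 7776), 1))
```

Three words from an eight-word list give only 9 bits, which is why the toy list above is for illustration only; three words drawn from a 7,776-word list (the size assumed in the last line) give roughly 38.8 bits, and the phrase is still memorable. Against the real service, replace `LocalRangeService.range` with an HTTP GET of the five-character prefix; the password itself, and its full hash, never need to be sent.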

Photo by Kristina Flour on Unsplash


Alphabet’s Chronicle Launched Backstory



Chronicle, a new Alphabet company, announced the launch of Backstory. It is a global cloud service where companies can privately upload, store, and analyze their internal security telemetry to detect and investigate potential cyber threats.

Chronicle is focused entirely on enterprise cybersecurity. Their mission is: “Give Good the Advantage”. That mission is fueled by their ability to leverage significant resources to give security professionals an entirely new class of tools, perspectives, and abilities that aim to counter, and even leap ahead of, the capabilities of their antagonists.

Backstory compares your network activity against a continuous stream of threat intelligence signals, curated from a variety of sources, to detect potential threats instantly. It also continuously compares any new piece of information against your company’s historical activity, to notify you of any historical access to known-bad web domains, malware-infected files, and other threats.

In short, Backstory is designed to be used by companies, not individuals. The purpose is to provide companies with data that they probably cannot get on their own so they can use it to detect breaches and to improve their security efforts.

Overall, I think Backstory sounds like a useful thing. In their Medium Post, Chronicle used the DNC hack as an example, and showed how easy it is to miss a data breach. In addition to noticing a breach, Backstory can give a company information about whether or not any of their computers communicated with that web domain.

Attackers are not going to stop trying to steal data they have no right to. Hopefully, Backstory can make it harder for them to harm people.


Six Hundred and Twenty Two Advertising Partners



If you still think that privacy and data sharing isn’t an issue, then take a look at this…

The other day I was visiting a popular gaming website and up popped the usual notice about use of cookies. Normally I would dismiss these without a second thought, but I was on a tablet and accidentally tapped on the link to their privacy notice. Noodling around, I discovered on this page that they listed all their advertising partners… and there were SIX HUNDRED AND TWENTY-TWO of them.

Here’s just those that begin with “A”.
A1 Media Group, A1platform, Aarki, abilicom, Acuityads, Adacado, Adadyn, Adara Media, Adbalancer, Adblade, ADBOX, Adcash, AdClear, Adclouds, AdColony, Addictive Mobility, Addition Plus, Addroid, AdElement, Adello, ADEX, Adform, AdGibbon BV, adhood, Adikteev, AdKernel, AdLedge, adlocal.net, Adloox, Adludio, AdMaster/LnData, AdMaxim, Admedo, Admetrics, Admixer, Adnami ApS, adnanny.com, Adnetic, Adobe Advertising Cloud, AdPlay, AdPredictive, AdRetarget, Adriver, AdRoll Inc., adrule, Adsniper, Adssets, adTarget.me, Adtelligence, Adtelligent Inc., AdTrader, AdTriba, advanced STORE GmbH, Advanse, Adventive, Adventori, Adverline, Advertserve, Advmaker, advolution.control, Adways SAS, Adzerk, Adzymic, AE Media, Aedge Performance S.L., AerServ, affilinet, Aidata, Airtory, Akamai, AKTYVUS SEKTORIUS, Alkemics, All In Views LTD, Alooma, Amazon, Amino Payments, Inc., Amobee, Analights, Aniview Inc., Answer Media, AntVoice, APNIC, AppGrowth Inc., Appier, AppLift, AppLovin Corp., AppNexus, Appreciate, appTV, Arbigo Inc., Arrivalist, Art of Click, Artsai, Audience2Media, AudienceProject, Audiencevalue, Aunica, Avocet, Azameo

Recognise many? Adobe, Amazon?

And from the website’s privacy policy, “We share your personal information with our affiliates and with exhibitors, sponsors, media partners, joint venture partners and other third parties.” which can be summarised as “We share your personal information with anyone we like.”

Let me get this straight. I visit one gaming website and my information could be shared with up to 622 other organisations that, really, I know nothing about. Who knows where this data will eventually land?

There’s something very wrong here.

Women Look at Security Cameras photo by Matthew Henry on Unsplash.


Equifax Hit With £500,000 Fine



The UK’s Information Commissioner’s Office (ICO) has hit credit reference agency Equifax with a GB£500,000 fine for the 2017 data breach. Equivalent to roughly US$660,000, the fine is the largest ever imposed by the ICO and is the maximum permitted under the legislation in force at the time. Under GDPR, which came into force in May 2018, the maximum would have been €20 million or 4% of annual worldwide turnover, whichever is higher.

The Equifax data breach involved the records of 146 million people, with nearly 15 million being UK nationals. The ICO was scathing in its comments about Equifax, saying, “The ICO found that measures that should have been in place to manage the personal information were inadequate and ineffective. Investigators found significant problems with data retention, IT system patching, and audit procedures. Our investigation also found that the US Department of Homeland Security had warned Equifax Inc about a critical vulnerability as far back as March 2017. Sufficient steps to address the vulnerability were not taken meaning a consumer facing portal was not appropriately patched.”

During the cyber attack last year, a range of personal information was taken, including names, dates of birth, addresses, passwords, driving licences and financial data.

The Information Commissioner herself, Elizabeth Denham, went on to say, “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data.”

Equifax’s approach to data protection and the care of our personal data was negligent, and frankly, I don’t think they deserve to be in business. The full judgement is available from the ICO as a PDF.

Money photo by Sharon McCutcheon on Unsplash.


Business Values Our Data. Why Don’t We?



Organisations love information about you. Everywhere you go, it’s sign up here, tell us about this and what do you think about that? Trust me, businesses aren’t interested in you for altruistic reasons: they either want to sell you stuff, or sell your information to other businesses who want to sell you stuff. Your information has value to them and they want it.

An email from a major UK hotel chain arrived in my inbox the other day, offering me an annual birthday gift in exchange for updating my profile with my date of birth. I imagine the gift will be a discount on a hotel stay around the time of my birthday but the email didn’t say. Perhaps not to be sniffed at but birth dates are often used as part of security procedures around bank accounts so it’s worth being cautious.

I think we’ve all become aware over the past few years how easy it is for big names to be hit with a data breach – Equifax, Yahoo, British Airways – and a hotel chain seems like a juicy target too. It wouldn’t be the first either: lots of lovely customer information with credit card numbers.

Consider too that factual personal information like dates of birth can’t be changed. If a password is stolen as part of a data breach, the solution is to change the password. Credit card number lifted? A new credit card arrives in the post. There’s nothing you can do if your date of birth is taken. It’s on your birth certificate.

It’s not worth it. If the hotel chain wants my age band and month of birth, I’ll happily give it up for a discount, but when it comes to day, month and year, I think I’ll pass. You should too.

Photo by Rene Böhmer on Unsplash.


Robocalls are Interfering with my Business



Robocalls are at a point where they are now interfering with my business, largely because my team is on cell phones. Yesterday I received 14 business calls and 32 robocalls, and the volume is only increasing. My blocked number list has grown to an ungodly size and, because of number spoofing, the callers simply appear from a new number. I can now detect a robocall within seconds of answering my phone. The vast majority of these calls originate overseas and they always have some service to sell my business.

I have to watch myself as I answer the phone because when I pick it up I am assuming it’s a robocall and not a new or existing customer. With the ability of these marketers to spoof a telephone number, it is nearly impossible to screen for them. When a call comes in from +100000000000 you know it’s a robocall, but when the number comes in from a normal number it’s really hard. With people refusing to leave a voicemail these days, I have no choice but to answer every call.

It’s really driving me crazy because we have a distributed workforce and the vast majority of my team are on cellphones. It gets worse: the marketers are now even targeting our 800 number, which gets a handful of these calls a day. I am not alone; talking with other business owners, their frustration has grown as well. Today I looked at the iOS App Store and of course, all the robocall blockers are premium. Makes you wonder if they are not in cahoots. In a future article, I will discuss whether the app I found and am paying for has helped or not. The only way to fight fire is with fire, using the tech at our disposal to try and get the upper hand on these bad characters.

The National Do Not Call list only really works on legitimate companies that follow the rules. The bigger issue is the offshore operations with thousands of people in call centres who are trying to keep you on the line long enough to do their pitch. I am sure it’s a numbers game to them, but it sure drives me insane.


Encrypted Storage with SecureDrive at CES 2018



Encrypted external hard drives and USB memory sticks have been around for at least a decade, but most of the time it’s either locked or unlocked: if you have the password, you’re in. Sergey from SecureDrive shows Scott their security solution to this common problem.

SecureDrive specialise in hardware-encrypted data storage. They have three product ranges with varying capacity (1 – 5 TB) to address different security and storage requirements.
– SecureDrive BT, which uses Bluetooth and an app for authentication
– SecureDrive KP, which uses keypad authentication
– BackupDrive, which backs up files and encrypts them with built-in anti-malware
For the rapid transfer of large files, all the devices use USB 3.0, and for security, FIPS 140-2 Level 3 validation is pending. That’s a demanding standard, but note that pending means not yet validated.

The unique part of the SecureDrive solution focuses on the BT model, which uses Bluetooth and an authentication app. Instead of the drive only being locked or unlocked, the solution allows additional controls for geo-fencing and time schedules. For example, the SecureDrive BT can be set to only unlock between 9-5 M-F or only if the unit is within company premises. In addition, there’s remote management so authorisations can be revoked and the drive remotely wiped.
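To make the schedule and geo-fence controls concrete, here is an added example of a deny-by-default unlock policy evaluator. It is not SecureDrive’s code, and the page does not say where or how their app and management service implement these checks; the office coordinates, the 200 m fence radius and the timestamps are constructed for the demonstration. Every failing condition is reported rather than just the first, which is what an administrator reviewing a refused unlock actually wants to see.

```python
import math
from datetime import datetime, time

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class UnlockPolicy:
    """Deny-by-default unlock policy: every condition must pass, and every
    failing condition is reported so an admin can see why a request was refused."""

    def __init__(self, weekdays, start, end, fence_lat, fence_lon, radius_m, revoked=False):
        self.weekdays = set(weekdays)        # Monday=0 ... Sunday=6
        self.start, self.end = start, end    # datetime.time; start inclusive, end exclusive
        self.fence = (fence_lat, fence_lon)
        self.radius_m = radius_m
        self.revoked = revoked               # set by remote management to revoke access

    def evaluate(self, now, lat, lon):
        """Return (allowed, reasons). `now` may be a datetime or an ISO-8601 string;
        (lat, lon) is the position reported by the authenticating device."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        reasons = []
        if self.revoked:
            reasons.append("authorisation revoked by remote management")
        if now.weekday() not in self.weekdays:
            reasons.append("outside permitted days")
        if not (self.start <= now.time() < self.end):
            reasons.append("outside permitted hours")
        distance = haversine_m(lat, lon, *self.fence)
        if distance > self.radius_m:
            reasons.append(f"outside geofence by {distance - self.radius_m:.0f} m")
        return not reasons, reasons


# Constructed policy: 9-5 Mon-Fri within 200 m of a made-up office location.
OFFICE_LAT, OFFICE_LON = 41.4993, -81.6944
NINE_TO_FIVE = UnlockPolicy(weekdays=range(5), start=time(9, 0), end=time(17, 0),
                            fence_lat=OFFICE_LAT, fence_lon=OFFICE_LON, radius_m=200)
# Same policy after an administrator has revoked this user's authorisation.
REVOKED_POLICY = UnlockPolicy(range(5), time(9, 0), time(17, 0),
                              OFFICE_LAT, OFFICE_LON, 200, revoked=True)

if __name__ == "__main__":
    # 2018-01-09 is a Tuesday, 2018-01-13 a Saturday; +0.0005 deg lat is about 55 m.
    checks = [
        ("Tue 10:00 at the office", "2018-01-09T10:00", OFFICE_LAT + 0.0005, OFFICE_LON),
        ("Sat 10:00 at the office", "2018-01-13T10:00", OFFICE_LAT, OFFICE_LON),
        ("Tue 10:00, about 1 km away", "2018-01-09T10:00", OFFICE_LAT + 0.01, OFFICE_LON),
        ("Tue 18:30 at the office", "2018-01-09T18:30", OFFICE_LAT, OFFICE_LON),
    ]
    for label, when, lat, lon in checks:
        allowed, why = NINE_TO_FIVE.evaluate(when, lat, lon)
        print(f"{label}: {'unlock' if allowed else 'deny'} {why}")
```

The caveat a practitioner should keep in mind: a check like this is only as trustworthy as the clock and location it is fed. If the phone supplies both, a compromised or deliberately misconfigured phone can supply whatever values satisfy the policy, so the schedule and fence are a useful control on top of the passphrase, not a replacement for it.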

The drives are assembled in Ohio, USA, and they’re available for purchase priced at US$299-$499. The remote management feature is a subscription service.

Scott Ertz is a software developer and video producer at F5 Live: Refreshing Technology.
