Can we trust our online project management tools?

Posted: July 6, 2018 by  
Last updated: July 4, 2018

How would you feel about sharing confidential information about your company on Twitter or Facebook? That doesn’t sound right, does it? So, in a corporate life where we keep our work calendars online, and where we work together on projects using online flow-planners and online project management software, it might pay off to wonder whether the shared content is safe from prying eyes.

What are we looking at?

From the easy-to-use shared document on Google Drive to full-fledged Trello boards that we use to manage complicated projects—basically everything that uses the cloud as a server is our subject here. When evaluating your online project management tools, it is important from a security standpoint to have an overview of:

  • Which online project management platforms are you using?
  • Which data are you sharing on which platforms?
  • Who has access to those data?

Once you know this, you can move on to the main question:

  • Is the data that should stay confidential shielded well enough?

What are the risks?

The risks of using online project management tools are made up of several elements. Once again, a list of questions will help you gauge this, including:

  • How secure is the platform you are using?
  • Do the people that have access to the data need to have access? And are they given access to see all the information that is shared, or just a portion?

As you can see, we are not just worrying about outsiders getting ahold of information. Sometimes, we must keep secrets, even from our own co-workers. Not every company has an open salary policy, for example, so information about how much everyone makes might not be allowed outside of HR.

But the threat of a breach is the most important one. Having the competition know about the latest project your design team is working on can be deadly in some industries. And of course, any project that contains customer data and is not secured can be breached by a cybercriminal. Knowing this, it’s our job to help you find the safest possible tool to perform your job.

Does it make sense to share online?

Are we sharing information online because we need to do it online or just because we can? Sometimes being the cool kids that use an online project management platform that has all the bells and whistles is more a matter of convenience than it is strictly necessary. But if you are:

  • employing remote workers
  • cooperating between offices around the world
  • heavily relying on a BYOD strategy

then online tools may be the only way to realize your project management goals.

Every ounce of prevention

What you don’t share can’t get lost. And control over what you do share (and with whom) is essential.

  • Limit the amount of privileged information you are sharing. Make sure that only the information needed for the project is being shared with the appropriate team members.
  • Change the login credentials at a regular interval, and do this in a non-predictable way. Going from “passwordMay” to “passwordJune” at the end of the month will not stop nosy co-workers from digging. Do not post the new credentials on the platform, either.
  • Use 2FA where and if possible to enhance login security.
  • Update and patch the software as soon as possible. This limits the risk of anyone abusing a published vulnerability in the platform.
  • Keep a tally of who is supposed to have access at all times, and check this against the connected devices when and if you can.

Breach management

Hardening your online tools against breaches is usually in the hands of toolmakers themselves—the software provider or the cloud service provider with whom you’ve partnered. Therefore, it makes sense to look into the project management tool’s reputation for security, as well as its ability to serve your company’s needs. While you can’t control the security of the tool itself, you can limit the consequences of a mishap, should it occur, by doing the following:

  • Don’t try to keep it a secret when credentials have been found in the wrong hands. Making participants aware of the situation helps them to change passwords and follow up with other appropriate actions.
  • Make sure there are backups of important data. Someone with unauthorized access may decide to burn their bridges and destroy data on the way out.
  • In case of a breach, try your best to find out exactly how it happened. Was there a vulnerability in the tool? Did a team member open up a malicious attachment? This will assist you in preventing similar attacks.

Controlling the risks

Working in the cloud can be useful for project management, but sometimes we need a reminder that there are risks involved. If you set up an online project management tool or other cloud-based project, it’s good to be aware of these risks and give some thought to the ways you can limit them.

When you’re working on a project for your company—whether it’s leading a team or participating in the project’s development—it’s important to make data losses as rare as possible, to learn from your mistakes, and to handle breaches and other security incidents responsibly.

Stay safe out there!

 

ABOUT THE AUTHOR

  
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

Internet Safety Month: How to manage your child’s online presence

Posted: June 28, 2018 by 

When you hear the term “reputation risk management,” you might think of a buzzword used in the business sector. Reputation risk management is a term used to describe how companies identify potential risks that may harm their reputation and mitigate them before they blow up.

As companies grow, so grows their public reputation. Heading potential PR disasters or credible crises off at the pass can keep organizations from losing revenue, confidence, and trust from their clients. Suffice it to say, putting your best foot forward and keeping it there is crucial.

Now, here’s a thought: If businesses know they have much to lose if their reputation is threatened, shouldn’t parents and guardians also consider that their children can lose out if their digital footprint is at risk?

To cap off Internet Safety Month, we’re going to ditch the buzzword in favor of a phrase that parents, teens, and young kids can easily grasp: You must manage your online presence. Before we delve into how parents and guardians can take charge, it is crucial that we first understand one thing when it comes to having a digital life:

Your online presence is your online reputation 

Our digital footprint starts the moment we or someone we know shares something about us online. This could be a solo or group photo, a Facebook status update, or a name mention in a Tweet. Even those who claim to be inactive on the Internet can still have an online presence, thanks to other people in their lives.

Our footprints don’t stop at our first “Hello, World!” though. The more we use the Internet, and the more we’re included in other people’s social media feeds, the more of our footprints are left for anyone online to see. These marks we leave behind can be collectively referred to as our online presence. How we present ourselves to and conduct ourselves in the digital world affects how people perceive us online—now and in the future.

Having an online presence, whether it’s a positive or negative one, affects our reputation—online and in the real world. If “Jane Doe” is known to exhibit behavior tantamount to bullying in a forum she frequents, she already has a bad reputation in that community. Who she is and how she behaves in that community can also spill over to other online forum communities as well.

There are consequences for bad behavior online. She may be blocked from those communities. Or worse, someone may Google her name and become aware of her bullying behavior online. She could feel the impact of her negative actions in the workplace or beyond: when coworkers or friends become aware that Doe is engaged in bullying in forums, they may assume that she has the tendency to bully people in real life as well.

Leaving only negative digital footprints online, then, is no longer an option.

What you can tell your kids to manage their online presence

“Google yourself.” Maybe it has been a while since your kid started using the Internet, or you and your child are just curious about what might come up. (Hint: type your name in quotes.) Either way, it’s advisable to look up where your name, public posts, and/or photos end up every now and then.

If your child has a common name, you can further add modifiers (like the school they go to or the city/state/town you live in). Just run many searches with varying modifier combinations and see what comes up. As for photos, you can use Google’s image and reverse image searches. To do the latter, go to the Google Image Search page and click the camera icon in the search bar. You can then paste the URL of an image you have of your child (in the first tab) or drag-and-drop to upload their picture (in the second tab), so Google can crawl the web in search of other copies of the one you just provided.

[Image: Google Image Search page processing the uploaded image for a reverse lookup]

Other things you can search for are email addresses, social media usernames, and phone numbers. You can also set up Google to alert you if other information about your child (like their name) pops up on the Internet at some point in the future.

“Watch out for information you don’t want made public.” It’s possible that you may have already stumbled upon a few pieces of information or pictures you or your child may not want online, or at least visible to the public. This information may have been put up years ago or yesterday.

Posts can be easily removed on sites you or your child can control, such as Facebook and Twitter. But for third-party sites, it may take a bit of legwork. For copyrighted material such as photos, you can contact the site owners and reference the Digital Millennium Copyright Act (DMCA) [PDF]. As the parent or responsible adult, you may also need to contact each website that has information about your child that you don’t want there.

It’s also time to review those security and privacy settings of your child’s accounts to see if there has been a policy update or if you need to modify additional settings.


Read: Internet Safety Month: How to protect your child’s privacy online


“Start cleaning up your online act.” A good starting point will be teaching them good computing and Internet practices, if you haven’t already. We have various references on how to do this here on the Malwarebytes Labs blog. So to avoid reinventing the wheel, below are the links you may want to visit and read up on:

The work doesn’t stop here, though. Parents and guardians should also put great emphasis on kindness, understanding, and patience when they treat or deal with other Internet users. Hiding behind a screen is no excuse to forgo these values.

Lastly, impress in them the idea of thinking first before posting anything. Online, it’s easy enough for anyone to misconstrue what one is trying to say because cues like facial expressions and body language are non-existent. A flippant joke or a sarcastic remark could start a flame war. Even an innocent post can sometimes get someone else in trouble.

“Deactivate/Delete accounts you’re no longer using.” This may seem obvious, but at times, accounts that are no longer used are left active for an indefinite and extended period because your child may have decided to use another account, or wholly avoided people in a particular online community. The latter is one of the best reasons why your child’s account should be deactivated. This is especially helpful if, for example, your child was caught in a crossfire between warring parties and one group started targeting him or her via that account. Save everyone the headache (and the insanity) and deactivate the account.

In a perfect world…

…every Internet user would be sharing all of their achievements, and everyone would be applauding. Every Internet user would be encouraging everyone who needs encouraging. Every Internet user would be honest, civil, and tactful. Every Internet user would be sharing photos of only their best, wholesome selfies, their cats, and funny GIFs.

But this isn’t a perfect world. Someone will always say something that another may find offensive. Someone will put someone else down, talk in Caps Lock, and share photos of their wild partying or of a drunk friend who passed out on a sidewalk. In the end, realize that there will always be data online that puts someone in a bad light. Your child may not be exempt. So help them take control and guide them on how to be more responsible with what they share now and in the future.

Good luck!

 

ABOUT THE AUTHOR


Malware Intelligence Analyst

Technical writer, researcher, and marketing fellow fascinated by psychology, architecture, and supercars. A habitual night owl.

Tips for safe summer travels: your cybersecurity checklist

Posted: June 8, 2018 by 
Last updated: June 7, 2018

Summer is just around the corner in the Northern Hemisphere, and with it comes vacation plans for many. Those looking to take some time away from work and home are likely making plans to secure their home, have their pets taken care of, and tie up loose ends at work. But how about securing your devices and your data while you’re away? Here are some things to take into consideration if you want to have a trip free of cyber worries.

Before you leave

Some of the things on your cybersecurity checklist can be taken care of before you leave. They include the following:

  • Make sure the operating systems and software on all the devices you are going to take along with you are up to date. Having to install updates while you are on the road can be a pain due to slow and unstable connections. Use your at-home Wi-Fi, which you know is secured with a password. (Right? If not—do that right away.)
  • You may want to take precautions to secure devices that you’ll be leaving behind in your workplace and home. If a burglar gets hold of your desktop, they should not be able to harvest any valuable data. All devices should be password protected (including the ones you are taking along with you).
  • Back up the valuable data on the devices you are bringing so that if you lose them, it won’t be a double disaster.
  • Do not announce the dates of your upcoming travel plans on social media. That’s a great way to alert criminals to case your house and break in during the time you’ll be gone. Post your travel pics when you get back. They will still be cool.
  • Disable the auto-connect options shortly before you leave and have your devices forget the network SSIDs in their lists. Threat actors can abuse these features for man-in-the-middle attacks.
  • If you have contactless debit and credit cards, get shields in which to store them so you can carry them around without leaking information.
  • Think twice about bringing a multitude of devices. The chances of anything getting damaged, stolen, or lost are much higher when you’re on the road.
  • Make sure your travel insurance covers all the devices and any other valuables you plan to take along.

While you are traveling

Travel plans can range from road trips to a nearby camping spot to flights to five-star beach resorts. Because of the wide range of travel options, some of the following advice may or may not apply:

  • If you park your car at the airport, obviously make sure no valuable devices are left behind. This is also a good time to disable Bluetooth on your phone, since the car’s hands-free system was probably the only Bluetooth connection you needed. And when Bluetooth is off, it can’t be abused.
  • Airports and other waypoints on your travels will often offer public, free, and unprotected Wi-Fi. Consider the risks associated with them when you use them, or use a VPN to enhance the security by encrypting your connection.
  • If you need to use Wi-Fi at your hotel, make sure their connections are secured with passwords. And if you need to access sensitive material for work, set up VPN on your laptop beforehand.
  • Privacy screens make sure that only the person sitting straight in front of the screen can read what is on it. This can stop people from secretly watching what you are doing. Good privacy screens are easy to apply and are available for laptops and many handheld devices.
  • Don’t use public computers for sensitive Internet traffic. This certainly includes online shopping and any other financial transactions. While you are traveling, it’s safer to spend money at your destination instead of online.
  • If you use webmail to read your mail when you are away from home, keep in mind that this may be less secure than reading the mail in your favorite email client. Some webmail services have HTML enabled by default.
  • Use a fully updated anti-malware solution for all your devices. Malwarebytes has solutions for many operating systems and types of devices.
  • Since you may not want to take your laptop and every other device with you as you go sightseeing, make sure there is a safe place to keep the items left behind. Not every hotel safe is big enough for a laptop. Ask your hotel concierge if they have other options for securing devices. Simply leaving them behind in your room is not the safest move.

If you travel abroad

Some extra attention to detail may be required when you travel abroad.

  • Make sure you leave your country with the devices fully charged. You may need to use them for a while before you get another chance to re-charge. It may require different cables, power plugs, and adapters to charge your devices at your destination or checkpoints along the way. Come prepared.
  • The US, and some other countries as well, may look at your social media accounts to find any information that could make you a less welcome guest. It might be prudent to remove any questionable comments to avoid further investigation.
  • If traveling into the US from abroad, be prepared that you might be asked to hand over your device and your password to get in. Make sure there is nothing to be found on it that you don’t want to be found.

When you get back

Back home safe and sound? Don’t rest yet. Check a few more things and then you can start posting online about your relaxing, fun, and incident-free vacation.

  • Update your anti-malware solution and run manual scans on your devices to check for any uninvited guests you may have picked up on the road.
  • If you bought devices abroad, check them for compliance and whether they are compromised. In some countries, devices are sold with monitoring software pre-installed.
  • Check your bank account for any unexpected withdrawals or spending. Warn your bank or credit card provider if you suspect foul play or if you have lost sight of your credit card at some point. It’s especially important to do this if you suspect your login credentials may have been stolen.
  • As an extra precaution, you may want to change the passwords that you used during your time away. If someone managed to get ahold of one during your trip, you’ll stop them from doing any damage with a changed password.

Don’t let all this ruin the fun

While most of the things mentioned above are precautions we (should) take every day, they are not the first ones that come to mind when you are planning that awesome trip you have worked for all year. But as always, it’s better to be safe than sorry.

Recommended reading: 7 tips to stay cyber safe this summer

Safe travels!

HTTPS: why the green padlock is not enough

Posted: May 9, 2018 by 

When goods get sold in large quantities, the price goes down. This might not be the first law of economics, but it’s applicable. An extrapolation of this is that if there are practically no production costs and no raw materials involved, prices of such goods will drop to zero. Usually, they will be offered as free gifts to promote the sale of other, more costly goods.

Something like this has happened to SSL certificates. They are offered for free with web hosting packages by several companies, including those that don’t do a thorough check into the identity of the buyer. To put it bluntly: they couldn’t care less who buys the package as long as they pay the bills.

So, while users can now expect to see the green padlock on every site, especially the ones where they make financial transactions, the trust that we can put into the underlying certificates is going down.

Definitions

To clarify what we are talking about, let’s have a look at the definitions of the protocols we are about to discuss.

Hypertext Transfer Protocol Secure (HTTPS) is a variant of the standard web transfer protocol (HTTP) that adds a layer of security on the data in transit through a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol connection.

Secure Sockets Layer (SSL) is a computer networking protocol for securing connections between network application clients and servers over an insecure network, such as the Internet.

Transport Layer Security (TLS) replaced SSL when it was deprecated, but TLS is backwards-compatible with SSL 3.0.

So, basically, TLS is a computer networking protocol that provides privacy and data integrity between two communicating applications. It’s used for web browsers and other applications that require data to be securely exchanged over a network.

[Image: PayPal certificate issued by the CA Symantec]

The green padlock

So, where does the green padlock come into play? The green padlock simply means that traffic to and from the website is encrypted. A certificate, provided by a certificate provider (Certificate Authority or CA), is used to set up this encryption. Sounds good, right? But the only thing you can actually be sure of when you see such a padlock is that your computer is connected to the site that you see in the address bar.

Let’s use the example above to explain some of this. A right-click on the padlock shows us some more information about the secure connection.

[Image: details of the PayPal certificate]

So, we have a secure connection to the domain paypal.com owned by PayPal, Inc. and the Certificate Authority is Symantec.

Let us compare this authentic one to the one in use by a known PayPal phishing site:

[Image: PayPal phishing site]

As you can see, the phishers have a green padlock on their site as well. But when we have a look at the details:

[Image: the phishing site’s certificate]

It is easy to see, from the browser address bar alone, that we are not connected to paypal.com. And in the additional information, we can see that the phishers used a free certificate from the CA Let’s Encrypt.

I do realize that in this example it was easy to see the wrong address in the browser’s address bar, but typosquatted domains can be a lot harder to spot, as they purposely use domain names that look similar to the legitimate site. PayPal has registered many such typosquatted domains to protect their customers.

So, we’ve established that the green padlock alone is not enough. In fact, over a million new phishing sites surface every month. Given how many new sites—not just phishing sites—are created every day, and knowing that hosting deals include free certificates and are cheap as dirt, we can easily assume that hosting providers do not have the resources to check each and every new site. Even if they did perform these checks, who is going to check whether the site does not get changed once it has gone live?

So, since the visitor is the one facing the consequences of entering their credentials on a phishing site, it looks like the ball is in their court.

But there is help

You do not need to feel helpless. The cavalry comes to the rescue in many shapes and forms. Some browsers warn you before they let you visit known phishing or other malicious sites. This method is based on blacklisting, so if you are among the first visitors, you could still wind up on such a site without a warning.

[Image: Firefox warning about a deceptive site]

Some security software, including Malwarebytes, blocks known phishing and other malicious sites. These methods can be based both on blacklisting and behavioral analysis.

[Image: site blocked for phishing]

And there are certificates that do get issued only after extended checks. These are called EV (Extended Validation) certificates. To show the difference, we need to double back a bit.

[Image: difference between EV and OV certificates]

The bottom screenshot is the original PayPal certificate, and it is an extended one. The top screenshot is a regular Domain Validation (DV) certificate (which was used by the phishing site). As you may notice, the EV certificates are displayed differently from the DV certificates. The difference in how they are displayed varies per browser, so you might want to familiarize yourself with the way that these are displayed in your browser of choice.

Check, check, triple-check

Since HTTPS and TLS are becoming commonplace and cheap, phishers are no longer barred in any way from using the green padlocks on their deceptive sites. As a consequence, users are advised to pay attention to the kind of certificate behind the padlock.

The best practice is to have shortcuts for the websites that you use to transmit personal or financial data, rather than clicking on links sent to you by mail or found by other means. At first contact, the things to check on a website that requires entering personal information or credentials are the following:

  • Is there a green padlock in the address bar?
  • Does the address in the browser’s address bar match your expectations?
  • Is there an EV certificate or not?

Only when you are satisfied that the website belongs to the domain of the company you intended to visit should you enter your credentials or personal data.
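The three checks above can be automated for a known destination. The Python below is an added example written for this article, not code from the original post or from any browser or CA: it takes the URL a user landed on, the domain they expected (the paypal.com case from the screenshots), and a certificate subject in the shape Python's ssl.getpeercert() returns, and reports whether the address really matches, whether the hostname merely resembles the expected domain (typosquatting), and whether the certificate carries a validated organization name as OV/EV certificates do. The sample certificates and hostnames are constructed, not real.

```python
"""Automated "check, check, triple-check" for a destination you know.
Added example, not part of the original article; certificate data below is a
constructed dict shaped like ssl.getpeercert() output, not a real certificate."""
from urllib.parse import urlsplit


def hostname_from_url(url: str) -> str:
    """Return the lowercase hostname of a URL, without a trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def matches_expected_domain(hostname: str, expected: str) -> bool:
    """True only for the expected domain itself or one of its subdomains.
    'paypal.com.secure-login.example' does NOT match: the expected domain
    must be the whole right-hand label chain, not just appear somewhere."""
    hostname, expected = hostname.lower(), expected.lower()
    return hostname == expected or hostname.endswith("." + expected)


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_typosquat(hostname: str, expected: str) -> bool:
    """Flag hostnames that resemble the expected domain without matching it:
    the brand used as (part of) another label (paypal.com.secure-login.example,
    secure-paypal.com) or a registrable label within edit distance 2 (paypa1.com).
    Assumes a brand name long enough that substring matching is meaningful."""
    if matches_expected_domain(hostname, expected):
        return False
    brand = expected.lower().split(".")[0]
    labels = hostname.lower().split(".")
    if any(brand in label for label in labels):
        return True
    # compare the registrable label (second from the right) with the brand
    return len(labels) >= 2 and 0 < _edit_distance(labels[-2], brand) <= 2


def cert_validation_level(peercert: dict) -> str:
    """Classify by the subject: DV certificates name only the domain, while
    OV and EV certificates also carry a validated organizationName.
    ssl.getpeercert() does not expose the EV policy identifier, so OV and EV
    are reported together; the browser's certificate viewer tells them apart."""
    subject = {k: v for rdn in peercert.get("subject", ()) for k, v in rdn}
    if subject.get("organizationName"):
        return "OV/EV: organization '%s'" % subject["organizationName"]
    return "DV: domain only"


def triple_check(url: str, expected_domain: str, peercert: dict) -> dict:
    """Run the article's three checks and return the findings."""
    host = hostname_from_url(url)
    return {
        "hostname": host,
        "address_matches": matches_expected_domain(host, expected_domain),
        "possible_typosquat": looks_like_typosquat(host, expected_domain),
        "certificate": cert_validation_level(peercert),
    }


# Constructed sample data shaped like ssl.getpeercert() output (not real certificates).
EV_LIKE_CERT = {"subject": ((("countryName", "US"),),
                            (("organizationName", "PayPal, Inc."),),
                            (("commonName", "www.paypal.com"),))}
DV_LIKE_CERT = {"subject": ((("commonName", "paypal.com.secure-login.example"),),)}

if __name__ == "__main__":
    print(triple_check("https://www.paypal.com/signin", "paypal.com", EV_LIKE_CERT))
    print(triple_check("https://paypal.com.secure-login.example/signin",
                       "paypal.com", DV_LIKE_CERT))
```

The second call reproduces the phishing case from the screenshots: the address bar does not match, the name only resembles paypal.com, and the certificate is domain-validated only.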

Stay safe!
