Complete guide for SSL, TLS and certificates

Latest — Jul 5, 2024

The counterfeiting of well-known apps remains a popular tool for spreading malicious software. For instance, in 2022, a counterfeit version of the popular messaging app WhatsApp tricked thousands of users into downloading it from unofficial sources, leading to the harvesting of personal data and intrusive ads. 

Cybercriminals employ various tactics to deceive users into downloading fake apps through email, dangerous websites, and social media. This article will provide recommendations to help you identify a fake app before downloading and completely remove it from your smartphone. Let's take a look today at the dangers they pose, their prevalence, and the steps you can take to protect yourself against these threats.

The dangers they pose

Installing malicious software on your phone can expose you to numerous threats, ranging from slowing down your device to spying on you. One of the most common risks is the theft of confidential and personal data. Malicious apps can steal your private information, such as contacts, photos, and messages, which can then be sold to other fraudsters or used for identity theft. Another significant threat is financial theft, where cybercriminals can access your financial information, such as banking apps and cryptocurrency wallets, to steal your money.

Malicious apps can also cause performance issues on your device, leading to slower operation, overheating, or rapid battery drain due to background processes. Additionally, these fake apps may display a large number of ads, known as adware, which can be intrusive and significantly reduce the usability of your device.

Spying is another critical threat posed by malicious apps. These apps can eavesdrop on your conversations, read your messages, and monitor your activities, severely compromising your privacy. If you use your smartphone for work, malicious apps can engage in corporate espionage by stealing corporate data, which can lead to potential business losses and security breaches.

The prevalence of fake apps

In recent years, these threats have become increasingly common. Some target a wide range of users, while others are more specific. Notable examples of malicious fake apps include counterfeit versions of WhatsApp and Telegram, spread through dozens of fake websites. Once installed, these fake apps intercepted victims' chat messages to steal their confidential information and cryptocurrency.

Another example is the spread of BadBazaar spyware disguised as Signal and Telegram by hackers linked to China. Both types of fake apps passed official verification and were available on Google Play and the Samsung Galaxy Store.

How to prevent fake apps from reaching your device

To reduce the likelihood of installing threats on your device, it is crucial to take several preventive measures. Always install the latest versions of your operating system and software, as threats often exploit vulnerabilities in older versions. Before downloading any app, verify the developer's reputation online and check for any reviews of the app to ensure its legitimacy. It's also essential to use official app stores, as they have strict vetting processes to prevent threats from reaching the platform.

Removing any apps you don't use can help you monitor what is on your device more effectively. Be cautious about clicking on links or attachments, especially if they appear in unsolicited social media messages or emails and offer to download something from third-party sites. Similarly, avoid clicking on ads on the internet, as they may be part of a scam aimed at redirecting you to a counterfeit app.

When installing new apps, be cautious when granting permissions that are unrelated to the app's functions, as this could be a sign of malicious software trying to access your data. Using biometric data for login instead of simple passwords in your accounts can also enhance your security.

Lastly, employing security solutions that provide enhanced protection with effective threat detection, blocking malicious websites, safeguarding online payments, and managing passwords. By following these steps, you can significantly reduce the risk of installing fake apps on your device and protect your personal and financial information from cyber threats.

It's also important to monitor unusual activity on your device if malicious software does manage to infiltrate it. For example, be alert if your battery drains faster than usual. Also, if your device runs slower, it may be due to malicious software. Pay attention to persistent pop-up ads, as this could indicate that you have installed adware. Watch for any unusual icons appearing on your screen.

10 additional tips and tricks 

1. Educate Yourself on Common Threats
Understanding the various types of malware and how they typically operate can help you stay vigilant. Common types include trojans, spyware, adware, and ransomware. Each has distinct characteristics and signs that can alert you to their presence.

2. Regularly Update and Patch Software
Make sure all your apps, not just the operating system, are regularly updated. Developers often release patches for known vulnerabilities, so keeping your software current is crucial in preventing exploitation by malicious actors.

3. Monitor App Permissions
Review the permissions of apps already installed on your device. Apps should only have access to the information and functions necessary for their operation. For instance, a flashlight app should not need access to your contacts or messages.

4. Utilize Multi-Factor Authentication (MFA)
Wherever possible, enable MFA for your accounts. This adds an extra layer of security, making it harder for unauthorized users to gain access even if they obtain your password.

5. Backup Your Data Regularly
Ensure you have regular backups of your important data. This practice can save you from losing vital information if your device is compromised. Use cloud services or external storage devices for these backups.

6. Be Skeptical of Free Offers
If an app promises something that seems too good to be true, it probably is. Be cautious of free versions of popular apps that offer the same functionality without any apparent revenue model. These could be traps to lure you into installing malware.

7. Use Strong, Unique Passwords
For each of your accounts, use a unique password that combines letters, numbers, and symbols. Avoid using easily guessable information like birthdays or simple sequences. Password managers can help you keep track of your passwords securely.

8. Regularly Scan Your Device for Malware
Use reputable antivirus and anti-malware software to scan your device regularly. These tools can detect and remove many types of malware before they cause significant harm.

9. Stay Informed on the Latest Threats
Cybersecurity is an ever-evolving field. Stay informed about the latest threats and trends by following trusted sources. This knowledge can help you recognize and avoid new types of attacks.

10. Use Secure Networks
Avoid using public Wi-Fi for sensitive transactions, such as online banking. Public networks can be less secure, making it easier for attackers to intercept your data. Use a virtual private network (VPN) to add a layer of security when connecting to public Wi-Fi.

Conclusion

Today, smartphones and tablets are our gateways to the digital world. But this world must be protected from unwanted guests. By following these simple steps and additional measures, your finances and personal data will be better protected. Stay vigilant, stay informed, and take proactive steps to secure your digital life.

By incorporating these practices into your daily routine, you can create a robust defense against the ever-present threat of fake apps and other forms of cybercrime. Your digital safety is paramount, and with the right knowledge and tools, you can navigate the digital world securely and confidently.

Identifying fake apps on your smartphone

Jun 28, 2024 — 4 min read

The world has grown accustomed to social media, where users upload millions of images and videos daily. However, not everyone realizes that an innocent-looking selfie at work could be used by malicious actors to break into a company or that a hotel photo might lead to blackmail.

With the advancement of technology and the expansion of geospatial information systems, cybersecurity threats have also increased, demanding more careful consideration of the data being published. This article explores what GEOINT is, how criminals use your photographs for their purposes, and why people scrutinize Google Maps.

What is GEOINT?

GEOINT, short for "Geospatial Intelligence," involves the analysis and use of imagery and geospatial information to gain insights into activities on Earth. It combines several disciplines: cartography, charting, image analysis, and imagery intelligence. While traditionally associated with the military, geospatial intelligence is increasingly utilized by civilian sectors, including telecommunications, transportation, public health, safety, and real estate, to enhance daily life quality. In broader applications, geospatial intelligence is used for emergency planning, crime and security monitoring, and protecting critical infrastructure.

Technological advancements have brought a new era in geospatial intelligence. The advent of powerful analytical software, ubiquitous geolocation data, far-reaching broadband connections, rapidly developing computational power, affordable cloud storage, advanced analytics, and artificial intelligence have all played a role in the revolution of geospatial intelligence.

GeoGuessing

In the context of geospatial intelligence, the phenomenon of geo guessing is worth mentioning. The term comes from the name of the browser game GeoGuessr, launched in 2013. The game uses Google Street View maps, requiring players to guess the location of a street/alley/highway worldwide by marking it on Google Maps. Since 2015, the game has also been available as an iOS app.

The game has become so popular that competitions and tournaments are held. In 2023, the GeoGuessr World Championship finals were held in Stockholm with a prize pool of $50,000. Clues include road markings, languages on signs and plaques, animals and people in the frame, and other details. The most professional players can recognize a location on the map by a 3D image within seconds, requiring extensive time studying maps.

How criminals use GEOINT

An example of careless handling of personal information is found in an interview with Michael Oren, a former Israeli ambassador to the U.S. Attentive viewers noticed a note with login credentials in the background during the shoot from his home. Imagine the damage a criminal could cause in such a situation. 

Be vigilant and cautious when sharing your photos on social media. Like any other information obtained through theft or leakage, data from open sources can be used by malicious actors. Here are some ways they exploit this information:

1. Phishing using geolocation
By determining your location, criminals can personalize phishing messages. For instance, if you're at a resort, you might not ignore a message supposedly from emergency services warning of dangerous weather conditions in the area.

2. Physical threats
Criminals can locate server centers or critical infrastructure and plan physical intrusions.

3. Espionage and surveillance
Malicious actors can use geodata to track people or organizations, monitor their movements, connections, habits, and even plans to exploit this information for their gain, such as crafting more convincing social engineering attacks or blackmail.

Overall, the use of geospatial intelligence by criminals poses a severe threat to data security, personal information, and critical infrastructure.

Law enforcement and GEOINT

On the flip-side, law enforcement agencies use GEOINT for investigations and apprehending criminals. For example, in 2019, Sacramento authorities arrested a drug dealer who sent potential buyers photos of marijuana on his hand. The fingerprints visible in the photo led to his identification. 

Photographs can indeed serve as evidence in criminal cases. In spring 2023, a data leak from the Pentagon put U.S. National Guard member Jack Teixeira under suspicion. An investigation revealed that the leaked photos were taken in his home, as the edges of the photographs matched the interior.

The most frequent method of geospatial intelligence is analyzing images or videos to determine their location. Almost anyone can conduct basic geospatial intelligence using the internet and various services. For example, a jealous wife might deduce from her husband's social media photos that he is not on a business trip but visiting a lover. 

Tools and services for GEOINT

Various services and tools are used for collecting data from open sources in geospatial intelligence. Here are some examples:

Google Maps. A web mapping platform from Google offering satellite photos, aerial photography, street maps, interactive street views in 360°, and real-time traffic conditions.

OpenStreetMap. An open collaborative project to create a free editable geographic database of the world.

Soar Earth. A service for collecting and exploring satellite images, aerial photographs, and drone images.

GeoHack Tools. This service provides a list of OSINT resources for the selected area on a map, including maps/satellite images, photographs, real-time weather, flight and maritime tracking, railways, peaks, and even fitness device data.

The range of geospatial intelligence tools is vast and continually expanding.

Final thoughts — protecting oneself 

As we have explored, even innocent photos shared on social media can be exploited by malicious actors, leading to severe consequences such as unauthorized access, blackmail, or even physical threats. To safeguard against these threats, it is essential to:

1. Be vigilant with personal information
Avoid sharing sensitive data in photos, such as login credentials or identifiable locations, that can be exploited by criminals.

2. Control privacy settings
Regularly review and adjust the privacy settings on social media platforms to limit the visibility of your posts to trusted individuals.

3. Use geotagging wisely
Disable geotagging on your devices when sharing photos publicly, as location data can be a significant security risk.

4. Leverage security tools
Utilize available security tools and services to monitor and protect against unauthorized use of geospatial data.

By taking these proactive steps, individuals and organizations can better defend themselves against the growing threats posed by the misuse of geospatial intelligence.

GEOINT and the Chamber of Secrets

Jun 21, 2024 — 4 min read

Every year, blockchain technology unveils new possibilities in the realm of digital transactions and decentralized applications. One of the latest additions to this ecosystem is the smart account—advanced accounts capable of automatically performing predefined functions and operations.

Imagine a digital wallet that automatically allocates funds among various investment portfolios based on predetermined rules or market conditions. Or consider a smart contract managing the supply of goods in real-time, based on demand and supply.

While smart accounts offer unprecedented flexibility and automation in managing cryptocurrencies, they also introduce unique security challenges that must be addressed to protect valuable digital assets and ensure the stability of decentralized systems.

What is a smart account?

Before delving into security issues, let’s clarify what smart accounts are and their role in the blockchain ecosystem. In traditional blockchains like Bitcoin, accounts are addresses linked to specific balances and transactions. However, smart accounts, as seen on platforms like Ethereum, have far broader functionality.

Smart accounts are unique accounts tied to executable code known as smart contracts. These contracts define the conditions under which the smart account can perform certain actions, such as transferring funds, performing computations, or interacting with other contracts. For instance, a smart account could be programmed to automatically send monthly rent payments from your cryptocurrency funds.

Unlike regular accounts that merely hold funds, smart accounts are autonomous agents capable of making decisions and performing complex operations based on embedded logic. It’s akin to a bank account that can independently transfer funds at specific intervals and under certain criteria.

Security issues of smart accounts

The unique security challenges of smart accounts are a significant concern, especially as protecting digital assets in the dynamic blockchain environment becomes critically important with the mass adoption of cryptocurrencies. Key security issues include code vulnerabilities, cyberattacks, and problems with access management and permissions. Any bugs or vulnerabilities in the code can have catastrophic consequences, such as the Genesis DAO project’s loss of $50 million in 2016 due to a smart contract vulnerability.

Several high-profile blockchain security breaches involving smart contracts have raised serious concerns, particularly among those actively engaged with blockchain technology. For instance, the infamous DAO hack led to the Ethereum network's hard fork, resulting in a new version of the blockchain—Ethereum Classic.

Once a smart contract is deployed on the blockchain, its code becomes immutable, making it extremely difficult to correct errors and vulnerabilities. This underscores the importance of thorough testing and code auditing before deployment. Otherwise, mistakes can lead to disastrous outcomes, as seen with CryptoKitties and Cryptozombies, where bugs in smart contracts resulted in the loss of valuable digital resources.

Best practices for smart account security

Given the risks associated with smart accounts, it’s crucial to follow best security practices throughout the lifecycle of smart contracts. Security should be an integral part of the smart contract design process, with careful consideration of contract logic, access structures, key management, and other critical aspects. For example, MakerDAO implemented a multi-tier permission structure and voting mechanism for managing its collateralized stablecoin system with security in mind.

Secure development of smart contracts involves using formal verification methods and proofs to ensure code correctness, engaging independent experts to audit the code before deployment, and applying secure programming patterns and standards, such as OpenZeppelin and Solidity Security Best Practices. Even after deployment, continuous monitoring of smart contract security is essential, as new threats and vulnerabilities can emerge at any time.

The future of smart account security

As blockchain and smart contract technologies evolve, new approaches and tools are emerging to enhance smart account security. AI and machine learning are being used for automatic vulnerability detection and error identification in smart contract code. Zero-Knowledge Proofs (ZKPs) are maintaining transaction privacy, and Secure Multi-Party Computation (MPC) is protecting confidential data by allowing computations on encrypted data without revealing the data itself. Formal verification provides mathematical proof of smart contract code correctness.

While quantum computers are still in early development stages, they may pose a future threat to the cryptographic algorithms used in blockchains. Malicious actors with sufficiently powerful quantum computers could potentially break traditional cryptographic systems used in blockchains. Smart contract developers should monitor this development and adapt their security systems using quantum-resistant algorithms.

Open-source communities play a crucial role in raising smart contract security standards. Collaboration, knowledge sharing, and tool improvement contribute to a more secure ecosystem. Examples of such communities include OpenZeppelin, the Ethereum Security Community, and Ethereum Cat Herders.

Education and awareness in smart account security

Ensuring the security of smart accounts involves education and awareness. This includes training developers, auditors, users, and other blockchain ecosystem participants on security best practices, threats, vulnerabilities, and prevention methods.

Smart contract developers should be well-versed in secure programming principles, security threats, and prevention techniques. This includes understanding common vulnerabilities like buffer overflows, coding errors, and access management issues, as well as using tools and methodologies for detecting and fixing such vulnerabilities.

Smart contract security auditors should be trained in using specialized tools and methodologies to analyze smart contract code, identify vulnerabilities, and recommend fixes. They should also stay updated on the latest threats and trends in blockchain security.

Users of smart accounts and decentralized applications also play a crucial role. They should be aware of security risks and best practices. This can include training on the secure storage and use of private keys, understanding phishing risks and other fraud types, and using tools and services to monitor the security of their smart accounts.

Conclusion

Smart account security is critically important in the era of digital transactions and decentralized applications. From secure development and auditing of smart contracts to education and awareness, compliance with regulatory requirements and security standards, and continuous monitoring and evaluation of security—all these aspects are key to ensuring the security of smart accounts.

Smart account security

Jun 14, 2024 — 5 min read

Cybersquatting, i.e., the registration of domain names similar to a trademark already owned by someone, has existed for about as long as the Internet itself. However, even today, many companies are new to encounters with individuals who want to make money from the similarity of domains.

To successfully combat cybersquatters, it's important to consider their possible interest before registering a domain name for your website. What should you think about and what actions should you take? We explain in this article.

What is cybersquatting?

A person who registers domains that are consistent with someone else's trademarks is called a cybersquatter. Their non-cybersquatter counterpart, the common squatter, occupies a vacant building and asserts rights to it.

The principle remains the same, while the object is the humble ‘Domain’. Is there a company or brand name, but the domain consonant with it is somehow free? Then it needs to be occupied, sat on comfortably, and held until the owner who needs this domain name pays a ransom for it.

Simply put, cybersquatting is a type of entrepreneurial activity. Its goal: to be the first to find a potentially needed domain, register it for a standard symbolic value, and then resell it at a much higher price.

Types of cybersquatting

With many people wanting to make money on your website's domain or another company’s web resource, several types of cybersquatting exist:

Typosquatting or counting on user error involves registering a name one letter different from the original. If there’s a website example.com, registering exemple.com means some visitors will land there due to the typo. By displaying ads before they realize their mistake, you can make money.

Branded cybersquatting or counting on fame. A company has registered the domain example.ru, but it didn’t use example.com or example.biz. These will be registered by a cybersquatter.

Unsuccessful cybersquatting. An entrepreneur wants to launch a new product and announces his plans on social networks without registering the domain. The cybersquatter will get there first and the entrepreneur will have to pay more for the domain.

Cybersquatting with a trademark, which by law is worth more than the registered domain name. A site without a registered trademark finds a cybersquatter, who registers the TM for himself and, voilà, can now legally take away the domain through the court.

Drop domain cybersquatting involves domains not renewed in time by the rightful holder. Such a domain falls into a special section of the registrar's site, where the most promising quickly pass into the hands of entrepreneurs. When the owner remembers that the domain has not been renewed, it already belongs to another person.

Another phenomenon often confused with cybersquatting is called domaining. In this case, entrepreneurs use popular words in various industries without claiming a specific unique domain name. This is done expecting that someone wanting to create a new site will buy a favorable and easy-to-promote domain at a higher price.

For domains, words like business, photo, market, shop, and others are often used in various combinations. They also often take the surnames of famous people and names of settlements. The domain ivanivanov.ru could interest an entrepreneur with this name. Cityname.com with the name of a particular city is suitable for the site of its administrative structures or tourist portal.

How cybersquatters choose domains

Registering hundreds and thousands of unique domains with all kinds of typos and similar names is expensive. To keep his business afloat, it's important for a cybersquatter to choose successful combinations. To do this, entrepreneurs specializing in the resale of domain names often:

• Monitor situations in companies. For example, rumors of a merger between companies A and B. Therefore, a name containing fragments of each of their names is likely needed. Cybersquatters can register these before employees of the new large organization.

• Look for companies that already exist but don't have their own website yet. For example, those finding customers through social networks and other marketing channels. Domains consonant with their names are also bought for the future.

• Check the registration of a trademark on the company's domain name. The scheme of taking the domain from the owner is not always possible, but it still works.

Cybersquatting is real

Companies often believe those wanting to register a domain and resell it more favorably exist in a parallel universe. However, companies all over the world regularly encounter them.

Not all disputes over a domain arise for personal gain and fit the definition of cybersquatting. Sometimes the reason is the consonance in the names of two companies. For example, in 2014, the recruitment portal HeadHunter sued the Russia-based company HH&HR over the use of the domain hh-hr.ru. The court sided with the portal and ruled to seize the domain name in its favor. At that time, HeadHunter had no intention of using the domain name for commercial purposes.

But in 2017, Google sued Vitaly Popov over a case more akin to cybersquatting. The domain secret.ɢoogle.com was used to send messages saying "Vote for Trump" during the US election. The name differed from Google by just one letter. It started with an uppercase but small Latin "G", i.e., "ɢ", which in Unicode is denoted by the symbol 0262.

The battle between Italian clothing brand Lotto Sports Italy and Canadian David Dent for the domains LottoStore.com and LottoWorks.com ended with the latter winning. However, it was an epic two-part duel. The Canadian resident bought the two domains and planned to create gaming-themed websites. The clothing brand sued Dent and initially won. The court ordered the transfer of the domain names to the company. The Canadian appealed, and Lotto Sports Italy was eventually found guilty of reverse domain seizure. The company paid $237,000.

Cybersquatters and the law

No matter how dubious the activity of some squatters may seem, it doesn't negate the fact: cybersquatting is entirely within the legal field. It's not illegal to register domains and trademark names.

Yet the world is trying to combat cybersquatters. The main arbiter of domain disputes is the WIPO (World Intellectual Property Organisation), which unites 157 member countries. It has developed the UDRP — Uniform Domain Dispute Resolution Policy.

There are two ways for companies and brands that have faced domain name seizure: pay the amount demanded by the cybersquatter or go to court, where it's necessary to provide justification for their claims to the domain. For those slow to act, there's a third option: wait. If the domain name is rare and doesn't cause other market participants particular interest, the cybersquatter might eventually reduce the price. However, this is a path with unpredictable results.

Summing up: How to fight cybersquatting

It's important not only to know what cybersquatting is but also to think in advance about how to protect yourself from this phenomenon. A few simple rules will help:

• Check for a domain that matches the name of the company or brand before finalizing the name. Using an original, "off-the-beaten-path" name reduces the risk of domain disputes due to conflicts of interest.

• Don't publicize the brand or company name before the domain name is officially registered. Cybersquatters don't sleep! — Don't limit yourself to one domain when registering. It's better to choose several similar ones in different popular domain zones. This reduces the risk of someone creating dubious content on a similar domain.

• Register a trademark on the selected domain name immediately. This isn't a panacea, but in most domain disputes, its presence becomes a decisive argument for the court.

• Make timely payments for domain renewal to avoid dealing with squatters who quickly re-register drop domains to themselves.

If you can do all of this — it’s safe to say that you’ll be safe from the squatters!

Your domain is my domain: How to protect yourself from cybersquatting

Jun 4, 2024 — 3 min read

Passwork 6.4, we have introduced a number of changes which enhance our browser extension security, make user permissions settings more flexible, and improve the logging of settings related changes:

  • Mandatory extension PIN code
  • Logging of all changes related to settings
  • User access to history of actions with passwords
  • Automatic updating of LDAP group lists

Mandatory extension PIN code

With the new setting ‘Mandatory PIN code in extension’, administrators can set a mandatory browser extension PIN code for all users, minimizing potential unauthorized access. Once enabled, users who have not yet set a PIN code will be prompted to do so upon their next login to the extension. Users will be able to configure their auto-lock timeout and change the PIN code, but they cannot disable these functions.

The ‘Mandatory PIN code in extension’ setting is located in the ‘API, extension and mobile app’ section of the System settings

Now all changes in the Account settings, User management, LDAP settings, SSO settings, License info, and Background tasks are displayed in the Activity log.

All changes related to settings logged in the Activity log in the Settings and users

History of actions with passwords

The new setting ‘Who can view the history of actions with passwords’ makes it possible for vault administrators to let other users view password history, password editions, and receive notifications related to their changes. Previously, these features were available only to vault administrators.

You can customize this feature in the Vaults section of the System settings

Automatic updating of LDAP group lists

Automatic updating of LDAP group lists can now be configured on the Groups tab in the LDAP settings. The update is performed through background tasks with a selected time interval.

To configure LDAP group list updates, select LDAP server, go to the Groups tab, and click the Edit settings button

Other improvements

  • Added pop-up notifications when exporting data or moving data to the Bin
  • Improved display of dropdown lists on the Activity log page
  • Changed time display format of the ‘Automatic logout when inactive’ and ‘Maximum lifetime of the session when inactive’ settings
  • Changed the Enabled / Disabled dropdown lists on the System settings and LDAP settings pages with toggles
  • Increased minimum length of generated passwords to six characters

Bug fixes

  • Fixed an issue in the Password generator where selected characters were sometimes missing in the generated password
  • Fixed an issue where local users could not independently recover their account password when an LDAP server was enabled
  • Fixed an issue where local users could not register in Passwork when an LDAP server was enabled
  • Fixed an issue which occurred after moving a folder with shortcuts to another vault and shortcuts not being displayed in the new vault
  • Fixed an issue that occurred when trying to move a shortcut found in search results without opening any vaults right after logging into Passwork
  • Fixed an issue that occurred when trying to copy a password found in search results without opening any vaults right after logging into Passwork
  • Fixed an issue that occurred when a password was sent to another user and remained on the recipient's Recents and Starred pages after the initial password was moved to the Bin
  • Fixed the value in the time field for the ‘API key rotation period (in hours)’ setting which was reset to zero after disabling it
  • Fixed incorrect event logging in the Activity log after changing folder permissions
  • Fixed incorrect text notification about assigning access rights to a user through a role
  • Fixed incorrect tooltip text when hovering over the username of a recently created user
  • Fixed incorrect display of long invitation titles
  • Removed the local registration page when the LDAP server is enabled

Passwork 6.4

May 28, 2024 — 3 min read

A simple file or photograph shared with a colleague might encompass data that the sender didn't plan to divulge. For instance, a snapshot of a cat, besides the visible content, might inform the recipient about the location and time it was captured, and even the gadget utilized.

This holds true for social media platforms — an image uploaded online harbors details that might not only jeopardize the user but also disclose, perhaps, their whereabouts. Moreover, e-commerce transactions and various online actions create such digital traces. However, not everyone is acquainted with the concept of file metadata at present.

In this piece, we will elucidate the potential hazards of file metadata, ways to safeguard it, and how to individually eliminate undesired data embedded in transmitted images and other files.

The dangers of metadata

All our online activities — sharing images, and files, posting articles, curating music playlists, shopping, and so forth — create so-called digital traces besides the conveyed information. These are generated mainly due to metadata. Frequently, this reality is overlooked by the general populace, escalating the risk of unauthorized activities.

By analyzing, say, images on social platforms, a malefactor can deduce a victim's regular routes, favorite spots, and preferences. Utilizing this data, they might orchestrate a phishing scheme or employ social engineering tactics.

It's vital to note that corporations are equally, if not more, vulnerable compared to individual users when metadata falls into the wrong hands. Metadata can often assist criminals in decoding pilfered data. Hence, without comprehending the file's content and its potential use, cyber criminals resort to metadata, facilitating a quicker comprehension and monetization of the stolen assets. Alternatively, they might exploit metadata to ascertain the software utilized by a firm and plan a more targeted assault.

Metadata is generated automatically, without user intervention. Typically, it encompasses details about the creation time and place, attributes, author's remarks (if added to the file), and information about the software version used during creation. This data is quite personal and sensitive, given that in certain scenarios, metadata can narrate the history of file transfers and modifications.

The purpose of metadata

Primarily, metadata facilitates license restriction implementation and author identification. Furthermore, it aids websites and apps in organizing and recognizing content. And, for telecom operators, it helps in monitoring user engagement on specific platforms.

Any targeted marketing, audience segmentation based on preferences, location, habits, and professional sphere, stems from analyzing user metadata, or more precisely, the digital imprints left on social platforms and the broader internet. Metadata enables marketers to discern not only your smartphone model but also alarmingly accurate search queries.

Securing and erasing metadata 

Metadata is safeguarded similarly to conventional data, particularly concerning organizations rather than individual users. For the layman, the optimal approach is to erase metadata prior to file transmission to prevent the dissemination of unnecessary data and avoid leaving digital traces.

On an iPhone, it's straightforward to remove photo metadata:
• Launch the Photos application and choose the image you wish to strip of metadata
• Tap the "Share" symbol at the lower right corner and opt for the "Do not retain metadata" feature
• Press the "Done" button

To view a file's metadata on Android, Google Photos needs to be downloaded, and for deletion, a third-party application is required. Numerous choices are available in the store; it's advisable to scrutinize the description and additional features while selecting.

Additional tools and tips

Also, websites offering metadata removal services are excellent tools where you can effortlessly upload files prior to sending them, without the necessity to download anything or alter device settings. It should be noted that free versions impose file size restrictions, generally up to 5MB.

As per experts, the supreme strategy for metadata protection is to eliminate any metadata that might disclose sensitive details before dispatching a document anywhere. Moreover, if required, app software can be pre-configured to prevent metadata storage in documents altogether.

In the context of work-related files, metadata can be discarded when sharing them externally, but internally and when collaborating with contractors, metadata serves as a crucial component. Metadata functions as a historical record, aiding in understanding the preceding data, especially if older datasets are preserved.

Sensitive EXIF data encapsulates vital technical specifics about an image. It can reveal the camera or phone's brand and model, the creation time, and even the camera and flash configurations.

This data can be effortlessly deleted in Windows via Explorer. You need to launch it, navigate to the desired image, right-click on it, and choose "Properties," followed by the "Details" tab, where properties and personal information can be easily removed.

Conclusion

You can remove metadata using applications, online utilities, fundamental device configurations, and settings during transmission. However, remember that metadata can be beneficial, particularly concerning work-related matters. For instance, metadata can assist in identifying the software and editor used to create a file, its initial title, and creation date. This might facilitate file conversion or its utilization in a new system. Moreover, even a regular user might need to recall the time and place of file creation or image capture.

But it's essential to remember that if metadata isn't safeguarded, the same details can be accessed by an adversary and used against you. For instance, knowledge about the software version and other device specifics can be highly valuable for cyber criminals when choosing tools for.

Metadata 101

May 13, 2024 — 3 min read

2023 was characterized by an evolving array of cyber threats and a significantly broadened spectrum of digital vulnerabilities, pushing organizations to reassess and strengthen their cybersecurity infrastructures. Despite a widespread yearning for a break from the relentless tide of phishing, ransomware, and credential stuffing incidents, cybercriminals are gearing up to use their proven strategies from this period to orchestrate even more intricate and damaging campaigns in 2024. It’s become increasingly imperative for those in the cybersecurity realm to forecast and brace for the predominant challenges and trends that will define the cybersecurity landscape in 2024.

The following are key prognostications intended to serve as vital strategic insights for IT and cybersecurity professionals, aiding them in effectively prioritizing their efforts to navigate and mitigate the rapidly evolving threat landscape

Compromised credentials

The ongoing reliance on traditional usernames and passwords for access control and authentication has perpetuated the issue of compromised credentials. This has been a consistent weak spot, often exploited in cyberattacks. Detailed analyses of data breaches repeatedly pinpoint compromised credentials as a principal attack vector. Intriguingly, a study by the Identity Defined Security Alliance (IDSA) highlights that identity-related cyberattacks are both widespread (with 94% of respondents experiencing such attacks) and largely preventable (with a 99% prevention rate). Despite these alarming statistics, a significant number of organizations remain underprepared, lacking crucial identity-related security measures. This is particularly concerning given the rise of non-human identities stemming from digital transformations, such as in DevOps, cloud computing, and IoT (Internet of Things). Therefore, the expectation for 2024 is a continued emphasis on enhancing identity security, with organizations encouraged to intensify their implementation of Zero Trust models and decrease their dependency on traditional password-based systems.

Ransomware

Ransomware has proven to be a lucrative venture for cybercriminals, who exploit vulnerabilities within organizations to execute devastating attacks. Examples of these include high-profile breaches involving entities like the Kansas Court System, Yamaha Motors, and Western Digital. The emergence of Ransomware-as-a-Service has simplified the process of launching such attacks. Over the past year, ransomware tactics have evolved into complex extortion schemes, involving not just data encryption but also data exfiltration and threats of public disclosure if ransoms aren't paid. This trend was exemplified by the Alphv/BlackCat ransomware group's SEC complaint against MeridianLink. With new SEC disclosure regulations mandating prompt reporting of major cybersecurity incidents, such tactics are expected to gain even more traction. Therefore, enterprises are advised to enhance their ransomware preparedness, with a specific focus on the recovery of endpoints and essential infrastructure like Active Directory.

Hacktivism amidst global conflicts

The intersection of global conflicts and the upcoming 2024 Presidential elections in the United States is expected to create a fertile environment for hacktivism. Hacktivists, often self-identified as defenders of free speech, may seek to disrupt the controlled flow of information during times of conflict or elections by exposing sensitive data or initiating cyberattacks. This could lead to a blurring of lines between state-sponsored hacking and independent hacktivist activities. The role of hacktivists in influencing public opinion through various cyber operations, including the potential use of deepfake technologies, is expected to be significant in 2024.

Vulnerability management 

In response to the increasing exploitation of zero-day vulnerabilities by cyber adversaries, the White House's National Cybersecurity Strategy, released in March 2023, has redirected focus towards organizations' responsibility to secure their software. This strategy underscores the importance of comprehensive vulnerability management, which involves identifying, assessing, prioritizing, and mitigating security vulnerabilities. This increased emphasis on liability for independent software vendors is anticipated to drive technological advancements in vulnerability management tools and bring renewed attention to this critical aspect of cybersecurity.

Transformation in security awareness training

The realm of security awareness training is poised for a significant transformation in 2024. With the widespread adoption of generative artificial intelligence in the sphere of cyber threats, traditional training methods are becoming obsolete. Future training programs are expected to integrate continuous breach and attack simulations (BAS) to test and enhance the effectiveness of user-focused controls. These programs will also likely focus on equipping software developers with secure coding practices to preemptively address vulnerabilities.

Conclusion

In summary, the year 2024 emphasizes the crucial need for a delicate balance between robust cybersecurity measures and the resilience to adapt to cyber threats. As IT and security professionals prepare for the challenges ahead, prioritizing the continuous visibility, protection, and management of the entire digital attack surface is paramount. Protecting mission-critical assets and developing the capability to anticipate, withstand, recover from, and adapt to various cyberattacks will remain at the forefront of effective organizational cybersecurity strategies.

Five cybersecurity predictions for 2024

May 5, 2024 — 5 min read

Of course, losing access to your Google or Gmail account is going to be upsetting. If you've forgotten your password, or if someone has hacked into your account and changed it, Google provides a list of actions that you may take to regain access to your account. Indeed, they may come in handy at times, but the methods of password recovery for Google accounts tend to change from time to time and relying on them as a fallback is never a good idea.

Not only have we provided all the necessary links in the “Password recovery” section down below for those who have lost access to certain accounts, but we’ll today be focusing on what can be done to ensure you never lose access to your account again. Here are some things to consider:

Regularly backup your data

If you have a current backup of your data, it will be less of a blow if you ever lose access to your account. Takeout is the name Google has given to the feature that allows you to download your data. You may download all of the data from all of your Google applications, or just part of the data from some of them. You might even decide to download the data from a single app, such as Gmail, from your Google account.

For each sort of data, the download formats are different. For example, MBOX files may be imported to Gmail or most other email services and applications.

Keep your old passwords

Keep a copy of your old passwords in case you forget your current one. Google uses this method to verify your identity if you ever lose your password. In the event that you haven't updated your password in a while, you may not be able to recall your old password. It's a good idea to maintain a copy of your previous Google passwords in a secure place when you change your password.

When using a password manager such as Passwork, you can keep track of your previous passwords. Because of that, we strongly recommend using one. When you establish a new password on an app or website, most password managers only allow you to update the current entry; however, with a password manager, you may create a new password and then go back and change the name of the old one to something like "Gmail — old password". By the way, this is also a problem with Apple Keychain — when you change your password, it asks whether you would like to update your old password. You’ll obviously press “Update”, and bam, your previous password is lost in the void. So keep an eye on that.

Why is this important? Well, as we’ve hinted at, Google asks you to enter the previous password in some cases as a fallback plan.

Fill in the recovery info

Google provides you with many ways to recover your password:

  1. Go to your Google account and choose "Security" from the left-hand column
  2. Scroll all the way down to "Ways that we can verify that it’s you"
  3. Fill them in
  4. PROFIT

Now, Google will use those options to recover your password when needed, or just to verify it’s you when weird login behaviour is detected. Among all the options, the ‘Recovery phone’ is the most convenient one — trust me, you’ll forget that ‘Security Question’ in just a few days. ‘Recovery email’, to be honest, isn't secure enough — we, Earthlings, tend to use weak passwords, so your account might be compromised if a hacker manages to guess your ‘NicknameDateOFBirth’ password.

Remember the day you registered

If everything else fails, Google may ask you to provide an estimated date of when you created the account. The best way to get this date is by searching for a Gmail welcome email.

To locate the welcome email, go to the ‘All Mail’ folder on your computer (to see it, you may need to click ‘More’ to expand the folders). You may also hover your cursor over the page information in the upper right-hand corner and choose ‘Oldest’.

This will move the email you received first to the top of the list. If, on the other hand, you imported non-Gmail emails into your inbox from before 2004, the welcome email will not appear at the top of the inbox hierarchy. Also, if you haven’t imported all of your emails, you’ll encounter some problems.

The email may also be found by searching for "welcome," "Gmail team," "[email protected]," or "[email protected]," among other similar words and phrases.

However, when I personally tried it, I couldn't find it. This is because I delete all the mail on my account once a year. For people like myself, there’s a weird hack — your POP settings might show the date on which you created your Gmail account.
To access them, click the gear icon in the top right-hand corner, select See all settings, then click Forwarding and POP/IMAP.

Look for the Status line in the POP download section. If you're fortunate, you'll come upon the following information:

Status: POP is enabled for all mail that has arrived since [Here is your date]”

Important:

If you’ve ever changed your POP settings, the date on which you created your Gmail account won’t be shown.

Password recovery

There’s only one place where you can recover your password — it’s this “Google Recovery” page. Everything else is likely phishing scams. The only other alternative option, in case of an adversary like losing your password, is the “Can’t sign into your Google Account” page.

Basically, you should follow the instructions on screen and pray to Google's mothership that hope shall be restored.

If your prayers haven’t been heard, and all pages cycle through a loop with a “Please try again” message, visit the “Tips to complete account recovery steps” page — it helped me several times to understand exactly what Google wants from me.

The last page you can visit, if everything else fails, is “Create a replacement Google Account”.

Conclusion

If you have important data stored on any cloud: Gmail, Google Drive, Docs, etc. — back them up using offline storage. Use two-factor authentication to always keep your mobile phone as a recovery option. Keep hold of your password change history and remember the date you registered your account.

I forgot my GMail password!

May 1, 2024 — 4 min read

If you’ve ever set up a wireless router on your own, you’ve probably heard of WPS. You might come across this term in the router’s configuration menus or see it on the backside of your router — but do you know what WPS actually means and how it works? If you can’t answer these questions yourself, then you’re in the right place.

What is WPS?

WPS stands for WiFi Protected Setup. It’s effectively a wireless network security standard that speeds up and simplifies the process of connecting your device with a router. It helps to do it quickly without entering a Wi-Fi password. To enable WPS you should find a tactile button located on the backside of your router or switch it on in the configurations menu of the router. When you turn it on, WPS mode allows you to connect your various devices to your router using the WPS password, also known as the WPA-PSA key.

In fact, WPS is not responsible for the Wi-Fi connection at all. It’s designed solely to send the connection data between the router and the wireless device. Remember, that’s an important distinction.

WPS was an idea of the nonprofit ‘Wi-Fi Alliance’. The alliance is effectively an association of the largest companies that create computers and Wi-Fi devices. More than 600 members take part, including companies such as Microsoft, Samsung, and Intel. Alliance was founded in 1999 to promote Wi-Fi technologies and certificate Wi-Fi products around the world. This standard was created in 2007 to simplify the connection process and since that time, most Wi-Fi systems around the world have adopted it.

How does WPS work?

If you want to connect your wireless device, you have to know the password to the Wi-Fi network. This process isn’t difficult but it takes some time to get the essential data. WPS makes it easier and a bit quicker.

There are some different ways to do it. First of all, WPS can be a workaround for connecting to Wi-Fi without a password. To do so, you should hit the WPS button on your router to enable device detection. Then, take your device and choose the network you need to connect to. The connection will be immediately available and the system won’t ask you to enter the password.

Some wireless electronic equipment like printers also has a WPS button that can be used to make rapid connections. All you have to do is to push both buttons, on the device and on the router, to get access to the wireless network. You don’t need to enter any data here, as the WPS delivers the password automatically. Also, that device will be able to connect to the same Wi-Fi router without pushing WPS buttons in the future as the password will be remembered.

The other option requires one to use the eight-digit PIN code. When WPS is enabled on a router, a PIN code is produced automatically. The WPS PIN can be found on the WPS setup page. Some devices that lack a WPS button will require the PIN. If you enter the wireless network, they verify themselves and connect to it.

The last option also can be done by using that eight-digit PIN. Some devices do not have the WPS button but also support WPS, so they will produce a client PIN that will be used by the router to connect the device to the network. You should just enter the PIN in the settings of your router to get access.

Unfortunately, methods that require using a PIN code don’t have any benefits in the speed of the connection process. You spend the same amount of time entering the router’s password and the WPS PIN, so you should just choose the way that’s more comfortable for you.

Which devices work with WPS?

WPS is supported by a wide range of devices, most commonly, wireless routers. However, you can also find a WPS button on wireless printers, Wi-Fi Range Extenders and Repeaters, which commonly provide WPS capabilities as well. Finally, the WPS functionality is available on a few higher-end laptops, tablets, smartphones, and 2-in-1 devices, where it’s usually implemented via software rather than physical buttons.

What are the advantages and disadvantages of WPS?

Despite the fact that WPS is embedded in most Wi-Fi equipment, the benefit of this standard is still a controversial issue. Some professionals opt for using it as it makes the connection to the router easier and quicker while others opt against it as WPS mitigates the security of the connection process.

Advantages:

1. It's quick, especially if both the router and the client device have the WPS button.

2. It's simple and requires no technical knowledge. There is no more primitive way of connecting Wi-Fi than pressing the WPS button on both the router and the client device.

3. Support is relatively strong. WPS is supported by all routers and most networking devices. WPS can also be used to establish rapid Wi-Fi network connections on the most common operating systems like Windows, Android, and Linux.

Disadvantages:

1. It isn't really safe. WPS connections using PINs appear to be particularly sensitive to brute-force attacks. A successful WPS attack allows an attacker to obtain access to your Wi-Fi network, and disabling WPS is the only viable remedy.

2. WPS can be used by anyone who has physical access to the router. So any person who is aware of the router’s location can connect it without your permission.

3. WPS is not supported by Apple. You can't connect to Wi-Fi using WPS if you have a Mac, an iPhone, or an iPad. This is because Apple has determined that WPS is insufficiently secure, and thus WPS isn’t not supported by any of the devices.

Conclusion

As we’ve found out, the WPS network’s security standard has both benefits and limitations. On the one hand, it helps us to avoid remembering the Wi-Fi password and connect quickly. On the other hand, WPS is not secure enough to foster user confidence across the board. So, it’s up to you to decide on using WPS or not. In any case, you can disable the function at any time you want by simply switching off the WPS button.

WPS – What is it, and how does it work?

Feb 14, 2024 — 3 min read

In Passwork 6.3, we have implemented numerous changes that significantly improve organization management efficiency, provide more flexible user permission settings, and increase security:

  • Administrative rights
  • Hidden vaults
  • Improved private vaults
  • Improved settings interface

Administrative rights

Available with the Advanced license

Now there is no need to make users administrators in order to grant them specific administrative rights. This option is a response to one of the most frequent requests from our customers.

Administrators can grant only those rights or permissions that are necessary for users to fulfill their duties and flexibly customize access to settings sections and manage Passwork. For instance, you can grant employees the right to create and edit new users, view the history of user activity, track settings changes, while restricting access to organization vaults and System settings.

You can configure additional rights on the Administrative rights tab in User management. There are four settings sections to flexibly customize Passwork for your business:

General

In this section, you can grant users access rights to manage all existing and new organization vaults, view the history of actions with settings and users, access license info and upload license keys, view and modify the parameters of SSO settings and Background tasks.

User management

In this section, you can grant users access rights to view and modify User management parameters. This includes performing any necessary actions with users and roles, such as creating, deleting, and editing users, changing their authorization type and sending invitations.

System settings

In this section of settings, you can grant users the right to view and modify specific groups of System settings.

LDAP settings

In this section, you can grant users the right to view and modify LDAP parameters which include adding and deleting servers, registering new users, managing group lists, viewing and configuring synchronization settings.

Activity log

The event of changing user administrative rights has been added to the Activity log. All changes are now recorded in the Activity log, that includes the users who initiated such changes as well as each setting that was modified with its previous and current values.

Interface improvements

Users with additional administrative rights are marked with a special icon next to their user status.

Some items remain unavailable until the necessary settings have been activated. When hovering your cursor over such items, a tooltip with information regarding dependent settings will be displayed.

Hidden vaults

In the previous versions of Passwork only organization administrators were able to hide vaults. Also, only organization vaults could be hidden. In this new version, all users can hide any vaults. Hiding makes vaults invisible only to the users who choose to do it and does not affect others.

Hidden vault management is now carried out in a new window, which is available directly from the list of vaults. You can view the list of all available vaults and customize their visibility there.

Private vault improvements

Displaying private vaults in User management

Besides hiding private vaults, employees with User management access can now see all vaults which they administer (including private vaults). The new feature which makes it possible to add users to private vaults has also been added to User management.

Logging of events in private vaults

Private vault administrators can view all events related to their vaults in the Activity log.

Other changes

  • Fixed an issue which prevented users from changing their temporary master password
  • Fixed an issue which prevented users from setting the minimum length for authorization and master passwords
  • Fixed an issue in User management which made administrator self-deletion possible
  • Minor improvements to the settings interface

Introducing Passwork 6.3