Jun 7, 2013

LinkedIn and Evernote Add Multifactor Authentication

Popular note-keeping app Evernote and professional network LinkedIn have both announced within the last week that they now support multifactor authentication. These additions are part of a growing industry trend of popular sites and services offering multifactor (or two-factor) authentication so users can better protect their accounts.

For Evernote, users with the Premium or Business-level service can enable the new multifactor authentication option in their Evernote Web Account Settings. After entering their account username and email address to log in, a six-digit code is sent to their phone via text message, and they must also enter that code before gaining access to the account. Alternatively, users can use Google Authenticator to generate the codes. See their recent Evernote Talk episode for more details.

For LinkedIn users, multifactor authentication, or two-step authentication, can be enabled in account settings. A six-digit code is sent via SMS to the designated phone, which must then be entered after the username and password before a user can gain access to the account. The slides in their recent blog post provide more in-depth setup instructions.

Unlike Twitter, the implementation of multifactor authentication will be easier for brands on LinkedIn because they allow individual users with their own personal accounts to be "admins" of a company page, rather than restricting a company page to a single user login.

Nonetheless, we applaud these companies for releasing two-step authentication. And while it's commendable that these services are being proactive and responsive, brands and individuals also have a responsibility to follow best security practices, which includes using a password manager and following through on enabling the security options available to them. There is now a growing list of services implementing improved security options for their users, and we hope companies and individuals alike take advantage of these new features to better protect their accounts - and their critical data. If you haven't already, be sure to check out the multifactor options that are also available for your LastPass account.

Have a question you'd like to see answered by the LastPass team in a blog post? Let us know in comments or send us a note at marketing[at]lastpass.com. If we choose your question, you'll get a T-shirt!

Jun 3, 2013

Common Online Threats and How to Protect Yourself

We discuss online threats and breaches a fair bit on the LastPass blog, but we wanted to take a step back and go into more detail on the types of threats you may encounter. We throw around a lot of technical terms (phishing, malware, viruses, hashing, salting, and more) and want to explain what some of those terms mean and how they can affect you. Some of these “attacks” attempt to “spy” on you or steal information from your computer, while others install faulty programs on your desktop, but they all have one thing in common: they pose a security risk to consumers and businesses alike. These just scratch the surface, but they are the ones the average user is most likely to encounter.

The Most Common Threats

Malware, or “malicious software”, is a generic term for the many kinds of “infections” that may be downloaded to your computer; adware and spyware are two examples. Malware is written by attackers trying to infect your computer, steal your data, or even gain access to your network. A total of 91.9 million URLs serving malicious code were detected in the fall of 2012.

Phishing is a scam in which an attacker uses fake or partial information to trick someone into revealing passwords and other confidential information, typically via email or social media. LastPass helps protect you against fake-website phishing attacks by not filling your credentials when the URL or login fields do not match the saved site.

Viruses are programs that infect other software on your computer. When you run the infected software, the virus spreads further through your computer. A virus can replicate itself and continue spreading to other computers (much like a biological virus), causing hardware and software problems.

Worms are programs that replicate and spread through a network, infecting multiple devices. Unlike a virus, a worm does not need to attach itself to an existing program. Worms harm a network, while viruses harm a targeted computer.

Trojans are programs that “appear” genuine and invite the user to run them, but instead deliver a malicious payload that deletes your files and harms your computer. 49% of all Kaspersky Lab threat detections in Q2 of 2012 were multi-functional Trojans.

A backdoor is a method of bypassing normal authentication to illegally gain remote access to a machine and the data on it. Backdoors can be installed on computers by Trojans or worms.

Spyware is software that gathers a user's information without their knowledge and sends this data to third parties.

Keylogger software captures the keystrokes entered on your computer keyboard and then transmits them to a location where they can be viewed. As a precaution against keyloggers when using a public or “untrusted” computer, LastPass offers the option to enter your master password with a “Virtual Keyboard”, allowing you to log in without typing your master password on the physical keyboard.

Adware consists of programs that show advertisements or “pop-ups” to users based on their internet usage; these can display annoying ads or link you to more malicious software.

Scareware is malware that poses as the solution to a “fake” virus on your computer. The idea behind scareware is to “scare” you into installing antivirus software directly on your computer which is, in reality, the virus itself, and which may then hold your data for ransom.

Rootkits modify a user's operating system so that malware can stay hidden.

Spam is bulk email sent without any consent from the recipients. According to Electronic Commerce in Canada, 80% of emails sent today are spam.

Apps are a relatively new threat, but their popularity extends the risk they may pose (over 50 billion apps are available for download from the iTunes App Store). Many users believe that apps are safe because they are sold by “trusted” providers like the iTunes App Store or Google Play Store. However, legitimate apps may be infected and sold through these stores. For example, the Dougalek malicious program, which tens of thousands of people downloaded, led to one of the biggest data breaches ever caused by mobile devices. Free apps from unofficial providers are frequently compromised as well.

How Can You Stay Safe?

We want to emphasize that using LastPass makes you safer and that following these practices will further help to improve your security:
  1. Never tell your LastPass master password to anyone for any reason.
  2. Always use and make sure your anti-virus, anti-malware, and firewall software are up-to-date.
  3. Never click on any links in emails unless you specifically requested that the email be sent to you. Even then, if it seems out of character, double-check with the sender before opening a link or attachment.
  4. Never assume that any email you receive was actually sent by the person listed as the sender.
  5. Avoid using untrusted computers or untrusted computer networks.
  6. Do not trust any communications claiming to be from LastPass that reveal any personal or confidential information about you whatsoever.
  7. Use LastPass to automatically fill login credentials for websites you visit to avoid the risk of phishing attacks.
  8. Always click on the LastPass browser plugin icon to access your LastPass vault, rather than links in any suspicious emails.
  9. Only download apps from trusted companies, and check all permissions before completing the download.
  10. Use multifactor authentication for increased security.

In the end, good security is about being proactive and vigilant. What other tips and tricks would you recommend?