Privacy Archives - RealVNC® Remote access software for desktop and mobile (Tue, 20 Feb 2024 12:31:05 +0000)

AnyDesk security breach is a stark reminder of the imperative for truly secure remote access https://www.realvnc.com/en/blog/anydesk-security-breach/ Mon, 05 Feb 2024 14:12:54 +0000 https://www.realvnc.com/en/?post_type=blog&p=32314

The post AnyDesk security breach is a stark reminder of the imperative for truly secure remote access appeared first on RealVNC®.


AnyDesk has announced that, following a security audit, they found their production systems have been compromised. Here’s what this should tell you about why a truly secure remote access solution is an imperative.

The AnyDesk breach: What do we know so far?

According to an incident response by AnyDesk, a security audit found some of the company’s systems have been compromised. The incident is said to not be related to ransomware.

AnyDesk has downplayed the incident, claiming that the situation is under control. However, users have been urged to reset their passwords if also used elsewhere. The timing of maintenance in the days before the public announcement, as well as the late Friday afternoon press release from AnyDesk, would indicate that the breach occurred several days before public acknowledgment was given.

BleepingComputer has discovered that the attackers stole source code and private code signing keys.

To make things even worse, a recent report from Resecurity suggests that AnyDesk user credentials have made their way onto the Dark Web.

Why should you take the AnyDesk attack seriously?

If you’re an AnyDesk user, you should take this news very seriously. And even if you’re using another remote access solution, this needs to make you challenge its security credentials.

Unfortunately, this is not the first time that something like this has happened. As we said at the time of the GoTo security incident, when security is not the first priority, customers are the ones who end up suffering.

RealVNC: The commitment to security

At RealVNC, security is at the heart of everything we do. We do our best to mitigate such risks, and to keep your data as secure as possible. Here are some of the things we do to make sure that your data never ends up in the wrong hands.

RealVNC's ISO27001 certification: managing data security risks

Our security experts understand the implications of stringent security requirements.

Our ISO27001 certification is our commitment to uphold the highest standards of information security management. When we say that our systems are fortified, we are not speaking lightly. This certification means we engage in continuous risk assessment, employ comprehensive security controls throughout all areas of operations in our company, and ensure that our staff is trained in best practices for information security.

What sets an ISO27001 certified provider apart in today’s digital landscape? It shows that we have a proactive approach to data protection throughout the entire company. We don’t just respond to threats; we anticipate them and prepare for them.

If your remote access provider doesn’t have this certification, question them on it!

RealVNC's fundamental security principles

Our security principles are essential to the service we provide to you. They ensure that your data is as secure as possible, at all times:

  • High-trust services – this means that you don’t have to trust RealVNC as a company to trust our software and services.
  • Secure data storage – RealVNC doesn’t record your sessions. Your data can’t be decrypted, either. Not now, not ever.
  • Secure environment – we treat every connection as if it is made in a hostile environment.
  • Connection control – the one ultimately deciding who is able to connect is the owner of the remote computer.

These principles serve as a guideline for everything we do, ensuring the security of your data.

Here’s a quick example of how these principles work in practice. The username/password you use to log into our portal cannot by itself be used to gain access to remote machines.

Each remote machine will have a further, separate set of credentials (usually platform-native authentication, like Active Directory etc). You are required to enter this before taking control.

Having at least two sets of credentials required to make a connection does, admittedly, cause slight UI/UX friction. However, it’s something we hold dear, as it means that we don’t ever store the credentials that ultimately give you access to a remote device on our systems. Also, the portal credentials we do store are never stored in plaintext, and are one-way hashed.
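One way the "never stored in plaintext, one-way hashed" property described above for portal credentials is typically implemented, as an added example that is not RealVNC's own code; the scrypt parameters, the record layout and the sample passwords are assumptions for illustration.

```python
"""Salted, one-way hashing of portal credentials.

Added example, not RealVNC's code. It models only the portal tier: the
stored record can verify a login but cannot be reversed into the password,
and nothing about the remote machine's own credentials is kept here.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed scrypt parameters (assumption): n is the CPU/memory cost,
# r the block size, p the parallelism. Raise n as hardware allows.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
DIGEST_LEN = 32


@dataclass(frozen=True)
class StoredCredential:
    """What the portal persists: a per-user random salt and the derived hash."""
    salt: bytes
    digest: bytes


def _derive(password: str, salt: bytes) -> bytes:
    """Run the password through scrypt; the output cannot be inverted."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN)


def store_password(password: str) -> StoredCredential:
    """Create the record to persist. A fresh salt per user means two users with
    the same password get different hashes, and precomputed tables are useless."""
    salt = os.urandom(SALT_LEN)
    return StoredCredential(salt=salt, digest=_derive(password, salt))


def verify_password(password: str, cred: StoredCredential) -> bool:
    """Re-derive with the stored salt and compare in constant time, so a
    mismatch does not leak how many leading bytes were right."""
    return hmac.compare_digest(_derive(password, cred.salt), cred.digest)


def record_contains_plaintext(password: str, cred: StoredCredential) -> bool:
    """Check that the persisted bytes never contain the password itself."""
    return password.encode("utf-8") in (cred.salt + cred.digest)


def roundtrip(password: str, attempt: str) -> bool:
    """Store `password`, then test `attempt` against the stored record."""
    return verify_password(attempt, store_password(password))


if __name__ == "__main__":
    sample = "correct horse battery staple"   # constructed sample password
    cred = store_password(sample)
    print("stored salt+digest (hex):", (cred.salt + cred.digest).hex())
    print("right password verifies:", verify_password(sample, cred))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", cred))
    print("plaintext in record:", record_contains_plaintext(sample, cred))
```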

The importance of independent security audits

This is another one of RealVNC’s many security initiatives, designed to keep your data secure. An extensive white-box security audit, done by respected Berlin-based firm Cure53, has confirmed RealVNC’s strong security stance.

We’ve urged the industry to confirm its software’s security with more than just words ever since. As we said numerous times, when this doesn’t happen, the end users are the ones paying the price.

Your data - in safe hands with RealVNC

We would also like to take this opportunity to confirm for our users that everything security-related at RealVNC is working as intended. We are unaffected by any data breaches and we can assure you that your data is in safe hands. We will continue to work hard to keep it that way.

This is what RealVNC CEO Adam Greenwood-Byrne had to say:


I’m proud of RealVNC’s unblemished security record, and we continue to invest in systems and services that ensure we remain on the strongest footing. Customers who have been with us for years, including government departments around the world, recognise the value of our security stance just as well as we recognise the trust they place in us as their remote access vendor of choice. 

We value those relationships tremendously at RealVNC and our team works tirelessly to ensure our customers have what they need to feel safe. The Internet is a much more dangerous place than it was 20 years ago and we are committed to evolving and adapting accordingly.

Also, if the events of the last few days have made you consider switching to a truly secure remote access solution, get in touch!

The importance digital trust should have to your software provider https://www.realvnc.com/en/blog/importance-digital-trust-software-provider/ Wed, 11 Jan 2023 14:51:32 +0000 https://www.realvnc.com/?post_type=blog&p=15478 Digital trust should be one of your main concerns when deciding between comparable software providers. But what is digital trust and what expectations should you have from a company when it comes to it?

The post The importance digital trust should have to your software provider appeared first on RealVNC®.


What is digital trust?

Organizations which can build digital trust are more likely to see growth rates of at least 10% on their top and bottom lines. This is according to a recent McKinsey Digital survey. However, just a small number of companies in the survey can deliver on that promise. So, what exactly is digital trust? The same source defines digital trust as follows: confidence in an organization to protect consumer data, enact effective cybersecurity, offer trustworthy AI-powered products and services, and provide transparency around AI and data usage. With that definition in mind, let’s take a look at what this means to consumers, especially those of remote access software.

Why is digital trust important to consumers?

Before buying, consumers want to know the company’s data policies (85%) and AI policies (72%). They will also go to another supplier if they don’t know how the company will use their data (46%).

So, why is digital trust important, and how can it help a consumer decide whether or not to use a product? Here are some numbers that make this very clear. 53% of consumers will only buy from companies known for protecting consumer data. They will stop doing business with companies that violate their trust: 40% of all respondents and 52% of B2B ones. What’s even more interesting is that this happens more often than you’d imagine. Just in the last year, one in ten respondents did this. For 14%, it was because they disagreed with the company’s principles; 10% did it after finding out about a breach.

So, knowing this and the prevalence of attacks like ransomware, do companies make sure that digital trust is a given when it comes to their services? Well, they certainly think they do. And so do consumers, unfortunately: 77% of the latter believe that they’re taking appropriate data protection measures. Confidence grows as age decreases, and so does the likelihood of storing data online. As shown in one of our recent webinars, though, humans are usually the weakest link in the authentication chain.

How to build digital trust

Many companies also claim that they’re doing a good job when it comes to avoiding digital risks: almost 90% of companies think of themselves as “at least somewhat effective” at this. However, many don’t seem to really know how to build digital trust. Three-quarters of responding companies do have policies on handling sensitive data, and almost all have at least a moderate degree of confidence that employees follow them. Yet less than a quarter are mitigating many digital risks. This confidence seems even less founded when it comes to actual incidents: more than half of the executives responding admit that their company has suffered at least one data breach in the past three years. There is a strong correlation between digital trust and data breaches. Digital trust leaders are less likely to suffer negative incidents, and the same study found that they are 1.6 times more likely to see revenue and EBIT increases of over 10%.

What makes RealVNC a digital trust leader?

At RealVNC, we build software with security at its heart, starting with a shift-left development approach. This means that our four security principles are at the heart of everything we do. These principles are as follows:

  • You don’t have to trust RealVNC as a company to trust our software and services.
  • We do not record your sessions, and data cannot be decrypted now or in the future.
  • Every connection is treated as though it is made in a hostile environment.
  • The owner of the remote computer ultimately decides who can connect.

Looking at the data above, one thing stands out. Namely, a lot of companies claim they’re secure. Very few can prove that they’re doing something about it.

To do our part, we’ve challenged customers to ask their software providers to prove their security. And to show that for us security and trust are not empty words, we’ve opened our doors to a comprehensive white-box security audit by Cure53.

The respected German cybersecurity firm’s report has proved our strong security stance. You can look at a summary here.

What will the future bring?

RealVNC will continue to work towards the most secure remote access solution possible. At the same time, we’ll continue to ask for more, not just from remote access providers, but from every company that handles user data. We do this in the hope of a future in which digital trust will mean more to companies than some nice-sounding words.

And you don’t need to take our word for it. Get a free VNC Connect trial and see for yourself!


All you need to know about remote desktop encryption https://www.realvnc.com/en/blog/all-you-need-to-know-about-remote-desktop-encryption/ Wed, 09 Dec 2020 13:05:00 +0000 https://www.realvnc.com/en/?post_type=blog&p=8656 Because remote access software is designed to take control of devices at other physical locations, security is an extremely important consideration in your overall strategy.

The post All you need to know about remote desktop encryption appeared first on RealVNC®.


You must prevent unauthorized individuals with fraudulent or destructive intentions from gaining control of your corporate systems and resources.

Looking for remote access software that ticks every security box and meets industry compliance standards (GDPR, HIPAA and PCI-DSS)? Take a free 14-day trial of VNC Connect here.

While absolute security can never be fully guaranteed, applying many layers of security features is an acknowledged best practice for creating strong defences. One security capability frequently associated with remote access is data encryption, sometimes referred to as end-to-end encryption.

This blog explores the purpose and basic architecture of encryption, and the practical differences between different levels of encryption.

The purpose of encryption for remote access

When a remote access session is established between two devices, screen image and control activities are passed back and forth, and this data must be protected to keep it confidential. You can think of this as a physical pipe through which the screen and control data is streamed.

This pipe requires a hard, external shell to stop someone from seeing what’s flowing inside and prevent them from changing it. Encryption is the mathematical shell that protects the data stream.

There are different levels of encryption that vendors refer to in their promotional materials, such as 128- or 256-bit AES. The name reflects the algorithm used to protect the data (AES) and the key length, which determines how hard it is for an attacker to break in (128 or 256 bits).

To continue the pipe analogy, these different levels of encryption could be seen as pipes built to the same principles (e.g. ‘the AES technique’) but with different materials. While all the pipes are tough, some materials are more resistant than others, and will take longer and require more effort to breach.

Encryption basics

Encryption is a mathematical algorithm that is used to lock the data stream being passed between two devices (end-to-end) during a remote access session. The key to this lock is a secret number known only to the sender and receiver, and that changes with each session.

The level of encryption reflects the number of possible key combinations. The higher the number of bits of encryption the greater the number of possible keys, so the more difficult it is to compromise the encryption.

A 128-bit level of encryption has 2^128 possible key combinations (340,282,366,920,938,463,463,374,607,431,768,211,456, a number 39 digits long) and 256-bit AES encryption has 2^256 possible key combinations (a number 78 digits long).

Because of the way the mathematics works, 256-bit encryption is not twice as hard to break in to or ‘crack’ as 128-bit encryption, but 340 billion-billion-billion-billion times harder.

What would it take to break in?

To crack either of these encryption levels would be extremely time consuming given the total number of possible key combinations and the current state of computer processing.

‘Extremely time consuming’ is in fact a gross understatement – even if you build a world-wide network of super-computers designed just for the purpose of trying combinations as fast as possible, it would still take more than 100 billion years on average to stumble on the right one. For comparison, the universe has only been around for 13.8 billion years.

This also assumes that you could afford the astronomical energy bills required to run the system for that long – a significant fraction of the total energy use of the planet each year, for 100 billion years. A 256-bit key would be 340 billion-billion-billion-billion times as impossible.
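To put the key-space figures from "Encryption basics" and the brute-force estimate above into working numbers, here is an added example (not code from the RealVNC post); the attempt rate of 10^18 keys per second is a constructed assumption chosen only to show the scale, and the key-size check reflects the three sizes the AES standard defines.

```python
"""Worked numbers behind the "bits of encryption" argument.

Added example; it is not code from the RealVNC post. The attempt rate used
in the demo is a constructed assumption for illustrating scale only.
"""

AES_KEY_SIZES = (128, 192, 256)        # the only key sizes the AES standard defines
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def key_space(bits: int) -> int:
    """Number of possible keys for a symmetric key of the given length: 2**bits."""
    return 2 ** bits


def key_space_digits(bits: int) -> int:
    """How many decimal digits the key count has (the post quotes 39 and 78)."""
    return len(str(key_space(bits)))


def relative_strength(bits_a: int, bits_b: int) -> int:
    """How many times more keys bits_a offers than bits_b (an exact integer).

    For 256 vs 128 this is 2**128, the "340 billion-billion-billion-billion"
    factor in the post, not a factor of two.
    """
    return key_space(bits_a) // key_space(bits_b)


def expected_brute_force_years(bits: int, keys_per_second: float) -> float:
    """Expected time to find the key by exhaustive search at a given rate.

    On average the attacker must try half the key space before succeeding,
    so the expected number of trials is 2**(bits - 1).
    """
    expected_trials = 2.0 ** (bits - 1)
    return expected_trials / keys_per_second / SECONDS_PER_YEAR


def is_standard_aes_key_size(bits: int) -> bool:
    """True only for key sizes AES actually specifies; "512-bit AES" is not one."""
    return bits in AES_KEY_SIZES


if __name__ == "__main__":
    # Constructed assumption: 10**18 key trials per second for the whole
    # hypothetical world-wide network, chosen only to illustrate the scale.
    RATE = 1e18
    print(f"2^128 has {key_space_digits(128)} digits, 2^256 has {key_space_digits(256)} digits")
    print(f"256-bit keys outnumber 128-bit keys by {relative_strength(256, 128):.3e} times")
    print(f"AES-128 at {RATE:.0e} keys/s: {expected_brute_force_years(128, RATE):.2e} years")
    print(f"AES-256 at {RATE:.0e} keys/s: {expected_brute_force_years(256, RATE):.2e} years")
    print("512 is a standard AES key size:", is_standard_aes_key_size(512))
```

Even at the assumed rate, the expected time for a 128-bit key comes out in the trillions of years, comfortably beyond the "100 billion years" the post quotes.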

Is 256-bit the maximum level of encryption for remote access software?

So why are some vendors starting to promote 512-bit encryption? They rely on busy people assuming that 512-bit is ‘twice as good’ as 256-bit. However, the original AES standard only specified 3 key sizes: 128, 192 and 256 bits.

These key sizes have been proven to be cryptographically secure, so although 512-bit AES could theoretically be created, it wouldn’t be tried and tested.

They may argue that as processor technology advances, it becomes more feasible to crack existing levels of encryption. Until we see widespread adoption of cheap, powerful and reliable quantum computers, we cannot even begin to contemplate such a scenario, which is why most experts agree that 128 and 256-bit AES encryption are sufficiently complex to remain extremely robust for many years to come.

Which encryption level is best for remote connections?

So, after all this explanation, which level of encryption is appropriate for your specific environment? The answer depends on the needs of your environment, but one very important point worth making is that encryption is essential.

Be aware that there is free, open-source remote access software, which provides no encryption out of the box. Using unencrypted remote access software within a business environment is simply a bad idea – it allows anyone to view and modify your remote control session, without any indication of it occurring.

The price you will pay for a commercial remote access software subscription is minor compared to the risks you will introduce to your business by using a “free” unencrypted product. A single successful attack could cost your business tens of thousands of dollars in compromised bank accounts, lost data, blackmail or reputational damage. Don’t take this risk.

Choosing the best level for your needs

128-bit AES encryption
• Highly robust
• Nearly impossible to crack
• Still the strong default choice for all traditional commercial applications
• Accepted as providing a very high level of security

256-bit AES encryption
• Current gold standard for futureproofing against new technology
• Even harder to compromise than 128-bit
• Takes more processing power to encrypt and decrypt data, can lower performance
• No reason to deploy it unless it is truly needed e.g. military/government

256-bit encryption is sufficient to protect against sustained attacks from very sophisticated criminal gangs or the resources associated with rogue state entities. Given the quality of this level of encryption, it is often mandated by standard bodies associated with the financial, medical and security industries.

In particular, it’s considered safe enough to protect TOP-SECRET classified information. You should insist on 256-bit AES encryption if you have very high security requirements or if it is specified in a standard that is essential to your industry.

So, what’s the verdict?

End-to-end data encryption is essential for any commercial deployment of remote access software. In combination with additional security features such as multi-factor authentication and controlled teams and groups, you can create a highly secure remote access strategy.

The question of choosing between 128-bit and 256-bit AES encryption for remote desktop connections must be addressed individually, and the answer largely depends on the sensitivity of your data and the requirements and standards defined by your industry.

Of course, whichever level of encryption you go for, it’s not the only thing to consider when ensuring your data stays safe during a remote desktop session. Making sure you have unique passwords, staying off public Wi-Fi, and keeping track of your old accounts all contribute to your overall security. If you are interested in learning more, read our Remote Access Security Checklist.

With VNC Connect Professional, every connection is end-to-end 128-bit AES encrypted. Or, with an Enterprise subscription, you can increase this to 256-bit AES encryption. Give it a try with a 14-day free trial of VNC Connect.

Why schools and universities should adopt a consolidated remote access policy https://www.realvnc.com/en/blog/why-schools-and-universities-should-adopt-a-consolidated-remote-access-policy/ Tue, 09 Jul 2019 18:22:00 +0000 https://www.realvnc.com/en/?post_type=blog&p=9223 Today’s classrooms are packed with technology, from laptops and tablets, to widescreen televisions and interactive whiteboards.

The post Why schools and universities should adopt a consolidated remote access policy appeared first on RealVNC®.


Across the world the fundamental importance of digital learning has been embraced by schools and colleges, and this is only set to continue. 

The UK has just unveiled a £10 million technology education strategy which they say will hail a new era for IT in schools. Globally, Edtech spend by schools and universities is expected to reach $252 billion by 2020.

For various reasons, though, the scale of IT support available in schools and higher education settings has been slow to catch up with the actual proliferation of devices, apps and software that are being used inside and outside the classroom to support learning.

Into this vacuum has stepped the specter of ‘Shadow IT’.

What is Shadow IT?

Shadow IT is the term for hardware, software and applications acquired and deployed by an organisation’s users without the knowledge or consent of its central IT function.

Shadow IT has, historically, been a major challenge for the education sector and its battle to maintain appropriate levels of cyber security and tech support among a diverse set of users.

In budget-constrained schools where IT support may be insufficient or over centralized, enterprising teachers might bring in their own devices to plug resource gaps. Similarly, they may take it upon themselves to download free software solutions onto school computers to fix problems or improve utility.

In higher education settings, departments staffed with bright, technically adept and free-thinking individuals might work in silos to procure and design IT solutions that will meet their particular departmental needs.

In the same way, students working on university equipment may also download software at will to fix an issue, finding workarounds to evade blocks – all in order to get equipment working in the way they want.

When Shadow IT stores up future trouble

Where IT support has been decentralized or otherwise fragmented across a group of schools or even across local or international campuses, these problems may be even more acute.

In these cases different IT initiatives, including different remote access solutions (either paid for or open source), may have been used by students, staff and IT functions over time.

One result of this kind of fragmentation can be a final day of reckoning, where a previously siloed, self-sufficient department or group of users suddenly finds itself unable to access systems in the way it has become used to. This is the point at which it may contact the organization’s central IT function, which will finally need to unravel a mess that may have been years in the making.

As Larry Ladd, director at consulting firm Grant Thornton pointed out in a recent blog for the Centre of Digital Education:

“Departments think they are independent and they don’t need [help], but then something goes wrong and they call the university IT people, who don’t know how the system works and don’t know how to help them”

The benefits of Remote Access for schools, colleges and universities

With a growing emphasis on facilitating digital learning in education systems, a greater number of devices and Edtech applications to support, plus a need to drive greater efficiencies, there is now a powerful case for consolidating remote access solutions with one provider to enhance customer service and reduce the need for Shadow IT.

Here are just a few benefits such a consolidation policy could bring to every part of the education sector:

Building better help desks

A central IT help desk function powered by a single remote access provider could promise standardized IT support for everyone in an organization, whenever and wherever they need it. Instead of time-consuming and expensive desk-side visits to resolve problems, a centralized IT function can answer calls from users and access their desktops or devices remotely to solve their issues. This approach makes IT support more accessible, allowing a help desk to deal with a greater volume of tickets more quickly, reducing the frustration of waiting users and their likelihood to self-solve issues with downloaded patches or illicit SaaS.

Remote access supports different functions

This same remote access software used by your IT help desks could be made available to staff and students who need constant access to the shared files and resources on your servers. Remote access gives users safe and secure access, 24/7, to an institution’s computer networks without having to give direct access to an un-vetted device or keep buildings open after hours.

Fewer security risks

Shadow IT clearly presents security risks. Poor quality tools and services can do untold damage to business systems, opening the door to malicious access, data breaches and more, and that’s without considering the productivity losses and lack of integration with your core business systems. Many organisations end up with multiple open source remote access software downloads on their systems, put there for reasons unknown by individuals long since gone. One solution, sourced from a single trusted provider, is easier to maintain and protects your cybersecurity more effectively than maintaining multiple points of entry.

Only one solution to maintain

One solution carries one cost. Multiple solutions run by separate functions can carry multiple costs and/or increased security risks.

Used properly and in an organised and strategic way across your business functions, a consolidated remote access policy can bring real value to an organization, offering better and more cost effective help desk support to all your users. Ultimately, it can help teachers, students and admin staff work more flexibly, productively and securely.

If you want to know more about how remote access can support your business needs, download the eBook below.

Is security worth the headache? https://www.realvnc.com/en/blog/is-security-worth-the-headache/ Thu, 15 Nov 2018 13:30:00 +0000 https://www.realvnc.com/en/?post_type=blog&p=9341 If we could get a dollar every time we hear the word “hacked”, we wouldn’t be here writing this blog, but probably somewhere in the Maldives, thousands of miles away from this keyboard.

The post Is security worth the headache? appeared first on RealVNC®.


It all started with the Big Yahoo Hack of 2013, the biggest data breach of the 21st century, which compromised over 3 billion user accounts in a one-year period. The Yahoo data breach went down in history for its scale, the extensive TV coverage, and for reminding people all over the world of the existence of old email addresses created during their teenage years and abandoned later in adulthood.

Then, plenty more breaches followed: Adobe, eBay, Dropbox, and, more recently, British Airways and Facebook. These days, a week rarely goes by without a major data breach making the news. And, unfortunately, people are bored of it.

The overload of security warnings mixed with the tech jargon that comes with it means that people are becoming victims of cybersecurity fatigue. As a result, people are getting overwhelmed and desensitized to IT security, and by doing so they are at an even greater risk of lowering their guard and falling for the latest security threat.

But what can be done to fight cybersecurity fatigue? 

A recent study conducted by the National Institute of Standards and Technology (NIST) found that a majority of the people they interviewed reported some form of cybersecurity fatigue, which was getting in the way of safe computer behavior, both at home and in a working environment.

The research started as a qualitative study about the perception computer users have of cybersecurity and online privacy. While the researchers were not looking specifically for fatigue-related problems, these spontaneously emerged from the interviews as issues experienced by more than half of the participants.

One of the drivers of the feeling of fatigue was reported to be the struggle to remember an increasing number of PINs and passwords. The older generations are the ones most affected by this problem, as years ago one or two passwords were enough to restrict access to sensitive data at work or at home.

These days, users have on average 23 personal password-protected accounts to keep up with, and 31% of them only use two or three passwords across the board, a practice that weakens the security process dramatically. And hackers are making the most of it.

It’s becoming clear that the omnipresence of threats means that “keeping an eye out” alone is no longer enough. And here’s how users can overcome the most common fatigue-related problems:

Make your life (and your authentication) easier

If having way too many passwords to remember triggers the feeling of fatigue, the first step to overcome this issue should be making them easier to recall.

And by this, we don’t mean that you should pick the name of your Miniature Dachshund as the password to access your bank account, nor that you should write them all down in your favourite notepad to make sure you don’t forget them.

What you should do, instead, is to get yourself a password manager. With a password manager, you can safely create and store random, unique passwords featuring a combination of letters, digits, and special characters.

Password management tools can normally be accessed with one “master” password that unlocks all of the credentials stored in the database, so instead of trying to remember two dozen mediocre passwords, you can get away with keeping in mind a single, strong one, as in the good old, more cyber-secure, times.

Keep yourself informed, but avoid information overload

We are all about cybersecurity awareness – in fact, we have written a number of blog posts about it. But it’s also true that information overload can do more damage than good, as it might make people feel tired, burned out, or overwhelmed.

So here’s what we suggest: make a compromise. Allow yourself the time to read a good article or news story on the subject once or twice a week, to ensure you know enough about what’s going on in the cybersecurity world to avoid falling for the latest scam. But it’s perfectly fine, every once in a while, to tune these news stories out and give yourself a break (unless you are a CISO, or a cybersecurity expert. In that case it’s called a holiday).

You will find that keeping up with a smaller selection of high quality information from reputable sources will work out better in the long run and will not make you want to scream every time a TV reporter utters the words “high-profile data breach”.

Enable automatic virus scan

If the option is not already enabled by default, you’ll want to schedule regular and automatic virus scans on your devices. Most reputable antivirus applications will also allow you to enable automatic software updates, to ensure you’re always protected against the latest malware. 

You can decide to schedule different levels of virus scans on a regular basis (say daily, weekly, or monthly) at the time that is most convenient for you. Knowing that your antivirus software will do some of the hard work for you is a good way to provide some peace of mind.

Similarly, it is worth scheduling automatic data backups, so that if your device is lost, stolen, or compromised, a copy of your valuable files is stored safely elsewhere. Keep at least one copy offline or with versioning: a backup that is permanently connected to the device is just one more thing ransomware can encrypt.

Once and for all, let go of your old accounts

You know when we mentioned the Yahoo breach reminding people of their old accounts from their teenage years? While nobody wants to be reminded of being the owner of an email address along the lines of iLuvNickelback94@xyz.com (no offense – we’ve all been there), this is a perfect example of why you should always deactivate the accounts you’re not using.  

The reason is simple: the more active accounts you have, the larger your attack surface, especially if you have re-used passwords, since any one of those services can suffer a breach that exposes the credentials. There are a few handy tools to help you track down the accounts associated with each of your email addresses, so you can narrow them down to the ones you actually need with a few clicks (we’re a fan of Deseat.me, which needs read access to your mailbox to do its job, so check the permissions it asks for).

Reviewing and closing your old accounts is one of those tasks that might take you an hour of your time once every few months in return for much-needed peace of mind. In our opinion, it’s definitely worth the trade-off.

Share the burden

When it comes to major data breaches hitting large corporations, many employees wrongly assume that the job of keeping everyone safe from cyber threats should fall on the shoulders of a specific person or team within the organization. This is a very dangerous misconception, as security is and always will be a shared responsibility.

For this reason, it’s important that organizations encourage a culture mindful of security, educating all employees about basic cybersecurity best practices that enable them to be in control of their data.

Knowing that each of your colleagues and family members is also doing their part to watch out for cyber threats will relieve some of the burden and make it much harder for attackers to breach your defences.

———————————————————————————————- 

Cybersecurity fatigue is a real, collective issue fueled by the omnipresence of insidious cyber threats. While we can’t just make it go away by remaining blissfully oblivious to security menaces and data breaches, there are a few measures you can take to remain vigilant without feeling overwhelmed. 

And if you’re a user of VNC®  Connect remote access software, you’ll be happy to know our Engineering Team has developed cybersecurity fatigue immunity and worked hard to make our software as secure as possible, so you have one less thing to worry about.

(The proof is in our Security Whitepaper, but if you’re not up to reading it just yet we’ll understand – just know that it’s there if you need it!)

The post Is security worth the headache? appeared first on RealVNC®.

Infographic: top 5 spookiest cybersecurity threats https://www.realvnc.com/en/blog/infographic-top-5-spookiest-cybersecurity-threats/ Wed, 31 Oct 2018 14:54:00 +0000 https://www.realvnc.com/en/?post_type=blog&p=8908 It’s Halloween again, the time of the year where everyone is suddenly into anything spooky. Unfortunately, in the online world there are some truly scary threats lurking all year round that should be avoided at all costs.

The post Infographic: top 5 spookiest cybersecurity threats appeared first on RealVNC®.


And people get tricked all the time.

A report published by Norton found that, last year, 978 million people fell victim to cybercrime, with attackers stealing an astonishing $166bn from consumers. And victims often lose not just money but also valuable working time, as dealing with the aftermath of each incident typically costs about two full working days.

These eerie numbers mean that each of us should always keep an eye out for the latest cyber threats skulking in the shadows. And the best way to protect yourself is to exorcise (sorry, exercise) common sense and learn about the techniques hackers and fiends use to haunt their victims.

We made a Halloween-themed infographic to talk about some of the spookiest cybersecurity threats.

[Infographic: Top 5 Spookiest Cybersecurity Threats]

If you want to know more about RealVNC’s security strategy and the measures we take to ensure VNC Connect remote access connections are as secure as possible, check out our Security page.

7 ways social engineering can get you hacked https://www.realvnc.com/en/blog/7-ways-social-engineering-can-get-you-hacked/ Tue, 30 Oct 2018 14:41:00 +0000 https://www.realvnc.com/en/?post_type=blog&p=8832 When it comes to cybersecurity, humans are the weakest link.

The post 7 ways social engineering can get you hacked appeared first on RealVNC®.


This is because, unlike (some) machines, humans are inherently flawed: they have cognitive bias, they make unpredictable mistakes, and they aren’t always able to tell a lie from the truth.

Social engineering is one of the most efficient means of cyber attack, and it’s particularly popular among cyber criminals because it exploits our inner weaknesses. Hackers use social engineering to manipulate people and trick them into disclosing or volunteering confidential information, or to take certain actions.

Cyber criminals have developed a range of attack techniques and commonly operate online, offline, and over the phone. In this post, we will provide an overview of these techniques, and a few tips on how to recognize them and make sure your data doesn’t fall into the wrong hands.

Phishing attacks

By reading this article, you’ll notice that whoever coined some of the most popular social engineering terms must have really been into catching fish (see also below: baiting). The term “phishing”, in fact, is a metaphorical spin on the word “fishing”, as this type of attack is based on casting a digital “lure” hoping that someone out there will “bite”, sharing sensitive information, or downloading malware.

There is a broad range of phishing emails out there, with varying degrees of sophistication and complexity. The simpler ones are very low-effort and deliberately written in poor English to attract only the most vulnerable people. The cleverest are quite complex, imitating almost perfectly the design and email style of legitimate organizations.

A more refined version of phishing is “spear phishing” (of course!), adopted by criminals looking to obtain specific information by sending highly targeted, customized emails. This technique is particularly effective, as attackers research their targets in advance to understand their profile and weaknesses, reportedly achieving link-click success rates of up to 50%. The professional social network LinkedIn in particular is favoured by the ill-intentioned, as it provides plenty of valuable information about the target.

Everyone who owns an email address should familiarize themselves with the few simple tricks that expose phishing emails: look for a generic greeting rather than your real name, be suspicious of bad grammar, check the actual sender address rather than the display name, and hover over links (long-press on a phone) to see where they really lead before clicking. A link whose visible text and real destination disagree is the classic tell.
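The “hover over the link” check can be done programmatically. The script below is an added example written for this post, not RealVNC code: it pulls every link out of an HTML email body and flags the signs described above (a generic greeting, link text that names one domain while the target is another, bare IP addresses, internationalised “lookalike” host names, and a known brand name buried inside an unrelated domain). The sample email and the list of “trusted” brand domains are constructed for the example, and the last-two-labels domain rule is a simplification that a real checker would replace with the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brands the reader actually holds accounts with, and the
# registrable domain each one legitimately uses.
TRUSTED_DOMAINS = ("paypal.com", "realvnc.com")

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")

# Constructed sample message for this example; not a real phishing e-mail.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Your account has been limited. Please
<a href="http://paypal.com.secure-login.example/">login to PayPal</a>
to restore access, or visit
<a href="http://198.51.100.23/update">https://www.paypal.com/update</a>.</p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Assumption: no multi-part public
    suffixes such as co.uk, which a real checker would handle with the
    public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _domain_in_text(text):
    """Return the domain the visible link text claims to point at, if any."""
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None


def analyse_email(html):
    """Return a list of warnings for an HTML e-mail body (empty = nothing found)."""
    warnings = []
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    if any(g in plain for g in GENERIC_GREETINGS):
        warnings.append("generic greeting instead of your name")

    parser = _LinkExtractor()
    parser.feed(html)
    for text, href in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        if url.scheme not in ("http", "https") or not host:
            warnings.append(f"link is not a normal web address: {href!r}")
            continue
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            warnings.append(f"link points at a bare IP address: {host}")
        if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
            warnings.append(f"internationalised host name, possible lookalike: {host}")
        claimed = _domain_in_text(text)
        if claimed and registrable_domain(claimed) != registrable_domain(host):
            warnings.append(f"link text says {claimed} but the target is {host}")
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host and registrable_domain(host) != trusted:
                warnings.append(f"'{brand}' appears in a host that is not {trusted}: {host}")
    return warnings


if __name__ == "__main__":
    for warning in analyse_email(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Run against the sample it reports four problems: the generic greeting, “paypal” appearing inside secure-login.example, a link to a bare IP address, and link text claiming www.paypal.com while pointing elsewhere. The same checks pass cleanly on a message that greets you by name and links to the domain it names.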

If you want to know more about the most common types of phishing scams, we suggest you read this excellent Tripwire article on the subject.

Baiting

“Baiting” is a social engineering technique as old as time. In fact, you might have heard a classic example back in school in the tale of the Trojan Horse: the massive wooden horse the Greeks built to sneak into the city of Troy.

Modern world baiting attacks can also rely on physical objects (for example USB drives containing malware or a keylogger) that are abandoned in the hope that a naïve passer-by will pick one up and plug it into a device.

The strongest defence against baiting is educating yourself: never trust equipment “found” lying around, such as USB drives, and avoid public charging stations (or use your own charger, or a charge-only cable that carries no data). It is also important to raise awareness of this and other social engineering scams in the workplace as part of the corporate security training plan; organizations can back the training up by blocking unknown USB storage devices by policy.

Watering hole

Moving on to another water-related metaphor, this type of attack is often used to target a specific group or people interested in a certain topic. Attackers will look for weaknesses in the security of websites that are popular within that group and attempt to infect those with malware.

The name “watering hole” comes from a specific behavior observed in the natural world: a lion hiding in wait at a watering hole, waiting for unsuspecting prey.

In this case, the attackers know that a certain website is likely to be visited by users interested in the subject or niche, and that those users trust the website, a combination which means victims are less likely to question content served by the site and more likely to run the malware.

The best line of defense against watering hole attacks is good general security hygiene. Because these attacks typically exploit the visitor’s browser or its plugins, the starting point is keeping your operating system, browser, and antivirus up to date, and staying skeptical even on sites you usually trust.

Pretexting

We’re sure you’ve met one or two Nigerian princes at some point in your life. After all, who hasn’t received an email written in questionable English by self-declared African royalty promising you a large sum of money in return for a little financial help?

Well, this classic online scam, also known as “Nigerian 419” (from the section of Nigeria’s Criminal Code which condemns the practice), is an example of a social engineering technique called “pretexting”.

Pretexting attacks are used to acquire confidential information by creating a “pretext”, a fake scenario where the attacker pretends to be someone else, to trick people into giving away information (or money) voluntarily.

For example, attackers could pose as recruiters for a modelling agency offering attractive compensation for new glamour models. In order to be officially signed up, the unsuspecting victims are asked to provide a nude shot of themselves that they would normally keep private. Attackers also often pose as support agents, asking to be given access credentials in order to provide their fictitious services.

A good way to avoid pretexting attacks is to always verify the identity of unsolicited callers requesting access to your accounts or your premises. The first step could be consulting the company directory to verify that the caller is an approved support agent or a vendor affiliated with the business; if in doubt, hang up and call them back on a number you look up yourself, never one the caller gives you. It also helps to remember that support technicians or inspectors very rarely “volunteer” their services without first scheduling an appointment, as they are usually too busy to spontaneously offer assistance.

Once again, a healthy dose of skepticism and a few minutes’ research may go a long way in avoiding these types of attacks.

Piggybacking

“Piggybacking”, also known as “tailgating”, is an offline social engineering technique targeting companies, primarily small and medium-sized businesses (SMEs).

The main goal of piggybackers is to gain physical access to a business’s premises without proper authentication. To do so, they often pose as delivery drivers or contractors and wait for an oblivious employee they can follow (“piggyback”) into the building. The unauthorized visitor waits for a member of staff to use their access card or obtain security’s approval and then turns it to their advantage, typically by asking the employee to hold the door.

Smaller businesses are particularly vulnerable to this attack, as security measures tend to not be as strict, and there is often only one door to separate the attacker from the company’s restricted areas. That doesn’t mean, however, that larger businesses will not be targeted.

Tailgating can be prevented by instructing all employees not to let any visitors into the building unless authorized, regardless of how friendly and professional they appear.

Pattern learning

We hope that the influx of cybersecurity-related news in 2018 prompted you to take a hard look at your password list (just kidding: you shouldn’t have one, it’s very dangerous. Use a password manager instead!).

In a previous blog post, we discussed how to create a strong, unique password as a starting point to protect your data. Using more than 10 characters, including numerals and special characters, and avoiding any reference to important dates or the names of beloved pets are all good practices to minimize the risk of getting hacked.

The hard truth is, if you don’t follow this advice and decide that you’d rather have a password that’s easy to remember rather than a more complex one, you are also making it easier for hackers to predict your future behaviour. Hackers can use what they already know about your passwords and creation patterns to predict your routine, guessing your new passwords based on past formats.

As a company that sells remote access software, we are very keen on educating the people that we interact with about cybersecurity. Overall, when it comes to protecting your data, it’s always worth the hassle of investing a little bit of time to comply with best practices to avoid future regrets.

Dark Patterns

Have you ever tried to buy an item online, and found out that one or more additional items have been added to your basket by default? Or have you tried to unsubscribe from a newsletter, only to find yourself navigating through deceiving, strangely-worded tick boxes trying to figure out which combination of clicks will finally get you removed from the contact list? If the answer is yes, you have fallen victim to dark patterns.

Unlike most of the previous examples, dark patterns are not necessarily a means of stealing your data, but rather a way to make you take (or not take) a certain action. They are a manipulation tactic that involves no direct interaction between the parties: social engineering is applied to a user interface in order to funnel users in a particular direction.

Airlines, especially those who label themselves as “low cost”, seem to be a particular offender, trying to get customers to agree to small upgrades such as priority boarding and travel insurance, by making these options look like part of their standard offers.

Social media platforms are also guilty of adopting dark patterns to gain access to the user’s contact list (LinkedIn, we’re looking at you!), or to make you agree to unnecessary terms and conditions in order to use the app. These terms and conditions might include access to your location, contact list, and other personal information that the service provider should not need.

Dark patterns might be particularly tricky to avoid, especially because they change over time once users become more aware of them. A bit of education, however, goes a long way. Here is a really good Lifehacker article about how to spot and dodge dark patterns.


Social engineering attacks are constantly evolving and changing shape, so there is no one-size-fits-all strategy to prevent becoming a victim. Overall, the most useful preventative measure is common sense.

Refusing to give away your username and password should be standard practice, regardless of the alleged job title of the person who is requesting it. Remember that real support agents should already have legitimate means to access your accounts without having to ask for credentials.

Always use antivirus software, and if you have doubts about the legitimacy of a file, ask a member of your IT staff to check it for you: they should be able to tell you whether it’s malicious, so you can avoid taking any risk. After all, it’s better to be safe than sorry.

7 simple actions you can take to keep your data private https://www.realvnc.com/en/blog/7-simple-actions-you-can-take-to-keep-your-data-private/ Thu, 04 Oct 2018 14:19:00 +0000 https://www.realvnc.com/en/?post_type=blog&p=8775 Do we really have nothing to hide?

The post 7 simple actions you can take to keep your data private appeared first on RealVNC®.


This year, notable controversies such as the Facebook-Cambridge Analytica scandal and a number of major data breaches made many people realise that our online personal data is less… personal than we thought.

For some of us, being concerned about data security is part of our job. Preventing individuals with fraudulent intentions from gaining control of our company’s data is a personal and professional mission for many IT professionals, so it becomes the norm to treat every connection, download, or sign-up as if we were entering a hostile environment. Keeping business and customer information protected and confidential is at the heart of protecting the future and the reputation of the company for which you work.

On the other hand, more casual internet users often fall into the trap of thinking that they have nothing to hide, so there isn’t that much to worry about. But that’s just wishful thinking.

According to the “nothing to hide” argument, it doesn’t matter if a government or a third-party wants to track and collect a person’s data, such as location, photos, and text messages, because they will not find anything compromising.

After all, who cares if anyone reads the messages sent to our college friends living overseas, or intercepts the pumpkin pie recipes we emailed our auntie in preparation for Thanksgiving?

Well, the issue is a lot more complicated than that. Privacy is a key part of all our lives, and while offline boundaries are often enforced and well defined, we spend an increasing portion of our lives online, where these boundaries become a lot more blurred. And just because we live our lives morally without breaking the law, it doesn’t mean we shouldn’t find privacy precious and valuable.

Apart from privacy issues, having most of our personal data available online makes us a target for spam, identity theft, and burglaries, and having our accounts compromised by hackers could put our credit card information in the wrong hands.

It is safe to say that every individual should be aware of what they share online and ensure that their personal data is protected by taking some simple precautions.

Here are a few easy steps you can take to keep control of your private data:

1 – Go for strong, unique passwords

Let’s make it clear: passwords are a pretty vulnerable security measure. If a password is the only tool you are using to protect your accounts, you are at a greater risk of being hacked compared to users who adopt additional security precautions (but more on this later).

Having said that, not all passwords are created equal, and there are definitely some rules you should follow to make yours stronger. A password longer than 10 characters including letters, numerals, and special characters is the best way to go. It’s also important to use a different password for each account, so if one of them gets compromised the others will still be safe.

It’s good practice to never use personal information in your password, like the names of your loved ones, pets, or significant dates. This is not only because it will make the password easy to guess in itself, but it will also provide the hackers with information about your password creation patterns: for example, if you included your dog’s name in one of your passwords, the hacker might try and guess your other ones by starting with the name of your cat.

The best option is a password too long and complex for you to remember, and using a password management software will help you create and store strong, unique passwords for all your accounts.
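Both rules above (length plus mixed character classes, and no personal details), as well as the “creation pattern” problem from our earlier post, can be checked mechanically. The following is an added example written for this post, not RealVNC code. The list of personal details is an assumption standing in for what an attacker could read off your social media, and `is_variation_of` shows the pattern-guessing problem: it strips the digits and symbols tacked on at either end and undoes common letter-for-symbol swaps, which is exactly what a guesser does with a leaked old password. `generate_password` shows what a password manager does for you.

```python
import re
import secrets
import string
import unicodedata

# Assumption: details about the reader that an attacker could learn from
# social media (pet names, a birth year, a favourite band).
PERSONAL_DETAILS = ("Biscuit", "Fluffy", "1994", "Nickelback")

# Common letter-for-symbol substitutions that guessers undo first.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def base_form(password):
    """Reduce a password to the root a guesser would extract: lower-case,
    drop the digits/symbols tacked on at either end, undo leet spelling."""
    s = unicodedata.normalize("NFKC", password).lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def check_strength(password):
    """Apply the post's rules; returns a list of problems (empty = passes)."""
    problems = []
    if len(password) <= 10:
        problems.append("not longer than 10 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    lowered, root = password.lower(), base_form(password)
    for detail in PERSONAL_DETAILS:
        d = detail.lower()
        # Dates are matched literally; names are matched after undoing leet.
        if d in lowered or (d.isalpha() and d in root):
            problems.append(f"contains personal detail {detail!r}")
    return problems


def is_variation_of(new_password, old_passwords):
    """True when the new password shares its root with an old one, so an
    attacker holding the old one would guess it in a handful of tries."""
    new_root = base_form(new_password)
    if len(new_root) < 4:
        return False
    for old in old_passwords:
        old_root = base_form(old)
        if len(old_root) >= 4 and (old_root in new_root or new_root in old_root):
            return True
    return False


def generate_password(length=20):
    """What a password manager does for you: a random password drawn from a
    CSPRNG, with at least one character from each class."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!#$%&*+-=?@^_~")
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for pw in ("biscuit1", "B1scu1t!2024", "correct-Horse^battery9staple"):
        print(pw, "->", check_strength(pw) or "ok")
    print("Biscuit2024! is a variation of biscuit2023:",
          is_variation_of("Biscuit2024!", ["biscuit2023"]))
    print("manager-style password:", generate_password())
```

Note that `B1scu1t!2024` passes the length and character-class rules yet still fails, because once the leet spelling and the trailing year are stripped it is just the dog’s name; that is the case the “personal information” rule is about.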

2 – Use Multi-Factor Authentication (MFA)

On this note, you should add at least one more layer of security to ensure that your password is not the only thing that stands between you and unwanted attention. Most accounts offer two-factor authentication (2FA) or multi-factor authentication (MFA), so that once you have entered your password you also have to enter a code, typically texted to your mobile phone, to prove you are the account’s legitimate owner. A code from an authenticator app or a hardware security key is stronger than a texted one, since SMS can be intercepted or redirected through a SIM swap, so choose those where the service offers them.

While texting a code is the most common second factor adopted in MFA procedures, it isn’t the only option. Multi-factor authentication can combine multiple credentials that are unique to the user and fall into three categories:

  • Something the user knows, like a password or the answer to a pre-set question
  • Something the user has, like a card or the device the code is texted to in the example above
  • Something the user is, like a fingerprint or facial recognition.

The benefit of adding a second layer of security is that a hacker who manages to identify a password will have to overcome a new obstacle of entirely different nature to access the account. If you want to know more about MFA and how it works, you can take a look at a more in-depth blog post we wrote on this subject.

3 – Avoid public wi-fi

The Internet has become such an important part of human life that, in 2016, the UN recognized internet access as a basic human right. In 2017, the Indian state of Kerala backed up the resolution by declaring that every citizen should be able to access free wi-fi, and agreeing to extend broadband connectivity to every house within its borders, in addition to public wi-fi hotspots.

Public wi-fi has indeed become extremely popular, as millions of people routinely connect to public networks from coffee shops, commuter trains, and hotels. If you are concerned about your privacy, however, browsing the web while sipping a latte at the local Starbucks might not be a great idea.

When it comes to public wi-fi, there is no way of knowing who runs the network or who may be monitoring it: a hotspot carrying a familiar name may be a rogue one. HTTPS protects the content of most of what you do, but the operator can still see which sites you visit, and a rogue hotspot can try to steer you onto unencrypted or fake pages. If you are planning to exchange any personal information, switch to your mobile data or a VPN, or wait until you’re back home.

4 – Encrypt, encrypt, encrypt!

A great way to keep your data safe is encrypting it. Encryption uses a mathematical algorithm and a key to convert data into an unintelligible form. The data can only be decrypted by someone holding the key, and a good algorithm makes recovering the information without the key computationally infeasible.

Two important areas where your data can be protected with encryption is when the data is travelling over the Internet (data in motion) and when it’s stored locally on your hard drive (data at rest).

Ensuring you always visit the encrypted version of a website, which uses TLS (the successor to SSL) and has https:// at the start of the URL, means the data sent to and from that website cannot be read or altered in transit. Note that the padlock only tells you the connection is encrypted, not that the site is trustworthy: phishing sites use https too. To protect all your network traffic, a VPN can be used to create an encrypted tunnel to the VPN provider, which then sees your traffic instead of the local network, so pick a provider you trust. There are many different VPN services out there to choose from.

Data stored locally on Windows is best secured by encrypting your drive with BitLocker (FileVault is the macOS equivalent). This means that even if your laptop is stolen, the data cannot be read without your key, so keep the recovery key somewhere safe and separate from the laptop.

If you want to know more about how to protect your data with encryption, here is a useful article that explains how to do just that by making the most of existing encryption functionality.

5 – Delete your old accounts

If you have old accounts you never use, go ahead and delete them now. The more accounts you have open, the more you are exposed to risks, especially if they go back to a time where your password-creation approach was a bit lax. 

While it may be difficult to recall all the accounts you have opened over the years, there are some tools out there to help you.

One of these solutions is a clever website called Deseat.me. By signing in with your Google credentials, you will be presented with a list of the accounts it finds in your mailbox, and you can choose to delete the unwanted ones with just a couple of clicks. Bear in mind that this means granting a third party access to your email, so review the permissions requested and revoke them when you’re done.

Websites such as AccountKiller and JustDelete.me can also provide useful information on how to close accounts on many mainstream and more niche platforms, and how difficult it really is to leave those services for good.

6 – Be mindful of what you install

Whenever you’re installing anything on your device, whether it’s new software or an app, make sure that the provider is a trusted, reputable company.

Look up a product on popular review platforms, such as G2 Crowd or TrustRadius, and read what other users have to say prior to downloading an app on Google Play or the App Store. And be mindful of fake reviews.

If the reviews are overwhelmingly positive, ask yourself if they sound like they are coming from someone who has legitimately used the product. Are the reviewers verified? Does the language used seem genuine? Is the review a generic one-liner, or is the user experience described in details, showing that the reviewer has genuinely used the product?

Ultimately, it’s important to know where the software comes from to be confident that it’s safe for you to use. A quick online search should also be able to tell you more about the vendor’s security profile (does the company value security? Do they provide additional security options like multi-factor authentication?), to make sure their priorities match yours.

We also try to practice what we preach by being transparent about our remote access software architecture, our security principles, and the actions we take to make our product as secure as possible.

7 – Make sure you haven’t been hacked before

Hopefully, if you haven’t been on top of your security game until now, this article will provide you with enough motivation to spend a few minutes changing your passwords and enabling 2FA on all your important accounts so nobody else will be able to gain access. But what if it’s too late?

The truth is, it’s very possible that one of your accounts was compromised in the past without you noticing. Fortunately, there is a helpful website that will tell you which known data breaches included your details, and when.

“Have I Been Pwned” lets you enter an email address, which is checked against the addresses leaked in known data breaches; if a match is found, it tells you which breach it was and which kinds of data (passwords, phone numbers, and so on) were exposed.

If it turns out you have been the victim of a data breach, change that password as soon as possible, together with any other password created using the same or a similar pattern (especially if it includes personal information), and turn on 2FA on the affected account.
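The same site also publishes its Pwned Passwords list, which lets you check whether a password itself has appeared in a breach without ever sending the password, or even its full hash, to anyone. That feature is not mentioned above; the following is an added example of how its “k-anonymity” lookup works, written for this post and not RealVNC code. Only the first five hex characters of the password’s SHA-1 hash are sent, the service returns every hash suffix it knows under that prefix, and the comparison happens on your machine. The range response below is constructed so the example runs offline (the count next to the hash of “password” is made up); the live fetch function uses the service’s real `/range/{prefix}` endpoint but is not called by the demo.

```python
import hashlib
import urllib.request

# Constructed range response for this example: the real service returns
# hundreds of 'SUFFIX:COUNT' lines per prefix. The count shown for the
# first suffix (the SHA-1 of "password") is made up.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA162AB7A4B9D7EE8D3D4AF5F77:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


def hash_prefix_and_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn the 'SUFFIX:COUNT' lines into a dict of suffix -> breach count.
    Padding entries (when requested) carry a count of 0 and are harmless."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appears in breaches, or 0 if unseen.
    fetch_range(prefix) must return the body of /range/{prefix}."""
    prefix, suffix = hash_prefix_and_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_from_hibp(prefix):
    """Live lookup (not used by the offline demo). Add-Padding asks the
    service to pad the response so its size does not reveal which prefix
    bucket you asked for."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix):
    """Stand-in for fetch_range_from_hibp that serves the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct-Horse^battery9staple"):
        print(f"{pw!r}: seen {breach_count(pw, offline_fetch)} times")
```

Swap `offline_fetch` for `fetch_range_from_hibp` to query the real service. Because a five-character prefix covers roughly a million possible hashes, the service learns nothing useful about which password you checked, which is the property that makes it safe to run this against passwords you actually use.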


Unfortunately, there is no such thing as “bulletproof security”, but each of the basic security measures discussed in this article will contribute to make your data considerably safer.

A few minutes spent creating longer, more complex passwords and deleting obsolete accounts are a small price to pay to ensure that your online personal information will stay that way: personal, and out of a stranger’s reach.
