In recent days, there have been several major security incidents with more than one remote access software provider. While the exact nature of these malicious attacks is not totally clear, there is some evidence to suggest that users with common passwords across services may have been targeted.
While the methods used have not been fully disclosed, the intent of the attacks could not be more clear. These criminals are looking to compromise the personal security of individuals in order to empty bank accounts and execute fraudulent online transactions using common passwords and those saved in browsers.
It would be foolish to suggest that you can ever guarantee 100 per cent online security, but there are some clear techniques you can use to mitigate risk. The first and most important of these is to reduce the number of links in the security chain by choosing a remote access product that allows you to control which machines are accessible from outside your network.
Vendors that manage user accounts on cloud-based servers have a particularly high duty-of-care to ensure that these servers cannot be breached and wholesale customer account information stolen. Additional security on internet-facing accounts and mandating separate accounts for administration and remote access can also greatly increase overall security.
For example, existing market-leading technologies do not hold any online account information, so the type of attack we’ve seen recently simply isn’t possible. However, this is only one link in the chain, and individuals must also be extremely careful with their choice of passwords and management of account information. Below you will find our recommendations for best practice in password management.
Create strong passwords
The best way to create a strong password is to not create one at all. Instead, let a password manager do the hard work for you. These can create a random password and then store it securely. This means that you don’t need to remember your passwords or type them out manually. When using a password generator, be sure to keep the password length long and use multiple character sets (uppercase, lowercase, digits, special characters etc.).
If you do need to create a password yourself, there are a few different techniques you can use, including stringing together words to form a passphrase, mixing character sets and avoiding commonly used words, phrases and passwords. The best approach is to create a password which is long, complex and unique. There are many places on the Internet that offer great advice on creating strong passwords. Seek out this advice and develop a technique that works for you.
Do not reuse passwords
Never reuse or share passwords between your online accounts. If you do, you’re creating a master key for a criminal and once broken, they could have access to your entire online world.
Do not store passwords in any browser
Answer 'no' if your browser asks to store your login credentials or credit card data. Criminals can easily view account information stored in your browser if they get access to your computer. Play it safe and re-enter your account details each time you log in.
Do not store your password in plain text on your computer
If you’re following best practice by creating unique passwords but are not using a password manager, you may be tempted to store them in a plain text file on your PC. For obvious reasons, this is not a good idea. If you have to record your passwords somewhere, you may consider going old-school and writing them down. Hackers may be good, but they can’t read a piece of paper stored in a secure location.
Reset passwords periodically
Criminals will prey on the fact that we are all creatures of habit. So if you’re not using a password manager, mix things up and change your passwords from time to time.
Be notified if your account information is leaked
You can sign up to services that will notify you via email if your username (email address) appears in a data breach. Services like these increase the likelihood of you being able to change your password before an attacker has a chance to access your account.
Do not use password strength measuring services
There are online services that allow you to enter your password in order to measure its strength. They typically grade your password and tell you how long it would take an attacker to crack it. However, there’s no guarantee that your password won’t be logged and stored when using sites like these. As a matter of best practice, it’s best to avoid these sites altogether.
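The two points above, generating a long password from several character sets (or a passphrase from random words) and judging strength without handing the password to a third party, can both be done locally. The following is an added example, not RealVNC's code or a recommendation of any particular product: it draws passwords from the operating system's cryptographic random source and produces an offline entropy estimate that never leaves the machine. The character sets, the small word list, and the strength thresholds are assumptions chosen for illustration; a real passphrase generator would use a large published word list.

```python
"""Added example (not from the original article): generate strong passwords
and passphrases locally, and estimate strength offline so the secret is never
sent to a website."""
import math
import secrets
import string

# The character sets named in the article (contents are an assumption).
CHARSETS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?/",
}

# Constructed word list for the passphrase example; a real generator would use
# a large list of thousands of unique words.
SAMPLE_WORDS = ["anchor", "basalt", "copper", "dune", "ember", "fjord", "gravel",
                "harbor", "ingot", "juniper", "kestrel", "lumen", "marble",
                "nectar", "orbit", "pylon"]


def generate_password(length=20, charsets=CHARSETS):
    """Return a random password, drawn with the OS CSPRNG via `secrets` (never
    `random`), containing at least one character from every requested set."""
    if length < len(charsets):
        raise ValueError("length must be at least the number of character sets")
    alphabet = "".join(charsets.values())
    # Rejection sampling: draw uniformly from the whole alphabet and retry until
    # every set is represented. This keeps the result uniformly distributed over
    # all valid passwords, unlike "pick one from each set, then shuffle".
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cs for c in candidate) for cs in charsets.values()):
            return candidate


def generate_passphrase(n_words=6, words=SAMPLE_WORDS, separator="-"):
    """Return n_words words chosen uniformly at random, joined by separator."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def estimate_entropy_bits(password, charsets=CHARSETS):
    """Offline estimate for a password: assume each character was drawn
    uniformly from the union of the character classes the password uses.
    For a human-chosen password this is a ceiling, not a guarantee, because
    dictionary words and keyboard patterns are far easier to guess than this."""
    pool = sum(len(cs) for cs in charsets.values()
               if any(c in cs for c in password))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def strength_label(bits):
    """Map an entropy estimate to a coarse label (thresholds are an assumption)."""
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    if bits < 90:
        return "strong"
    return "very strong"


if __name__ == "__main__":
    pw = generate_password()
    print("generated password:", pw, "->", strength_label(estimate_entropy_bits(pw)))
    pp = generate_passphrase()
    print("generated passphrase:", pp)
    # Constructed sample inputs to show the offline estimate on weak choices.
    for sample in ["password", "Password1", "Tr0ub4dor&3"]:
        bits = estimate_entropy_bits(sample)
        print(f"{sample!r}: about {bits:.1f} bits -> {strength_label(bits)}")
```

The estimate deliberately errs on the generous side, so a label of "weak" or "fair" is reliable, while "strong" for a password built from words or patterns should not be trusted. The generator side is the part worth reusing: a 20-character password drawn uniformly from the 86-character alphabet above carries roughly 128 bits of entropy, far more than anyone will memorise, which is the article's argument for letting a password manager hold it.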
Keep your environment secure
Running an up-to-date anti-virus programme will help protect you against keyloggers, and detect phishing websites and other malicious activities that could be trying to steal your password. In response to criminal activity, these vendors provide frequent updates, so make sure you have the latest protection.
Creating strong passwords that you manually re-enter, or installing and using a password manager, may seem like a hassle, but it’s an even bigger hassle, and could be financially devastating, if your personal security is breached. When it comes to security, there is no such thing as a free lunch. You will have to make an extra effort to benefit from better security.
Remote access software solutions provide enormous value to both private users and organisations. The ability to access attended and unattended devices can save time, reduce risk, increase uptime and even create new business opportunities. Like most technology, however, it can also cause damage if used incorrectly or hijacked by criminals.
All the more reason you must educate yourself when selecting a remote access product to meet your specific needs. Aside from considering key features, be sure to ask questions about the security architecture. Avoid product designs with systemic weaknesses and vendors that are difficult to work with. A good understanding of the product design will help you plan how best to reinforce the inherent security of the product. A well-designed product, best-practice security and a strong relationship with the vendor are all critical links in the security chain.
Adam Byrne is Chief Operating Officer at RealVNC