Aug 12, 2014

CyberVor

As you may have heard, earlier this week it was reported that a Russian cybergang had stolen 1.2 billion user names and passwords as well as 500 million email addresses. These astounding numbers were discovered by a Milwaukee security firm, Hold Security, as reported in the New York Times. You may remember Hold Security as those who identified and tracked the Target breach back in February.

While it is still an ongoing investigation, and some may be skeptical of the details of the massive breach, Hold Security released a blog post on August 5th stating that the cybergang, being referred to as “CyberVor,” “is currently in possession of the largest cache of stolen data,” and that “as long as your data is somewhere on the World Wide Web, you may be affected by this breach.”

What does this mean for you?

We would like to take this time to remind you of a few password-safety best practices and how you can protect yourself in a situation such as the “CyberVor breach.”

1. Use Unique and Strong Passwords for every site.

Make sure that you are using unique passwords so that you can minimize your damages from future hacks. Also, if you have used your RoboForm Master Password on other sites, we recommend that you change your Master Password immediately. You can do so via your RoboForm Online Account portal: https://online.roboform.com/login

2. Change your passwords regularly.

It is extremely important to change all of your passwords on a regular basis. Out of precaution, you may want to change your online banking passwords and passwords on any financial or other sensitive sites. RoboForm users can use RoboForm’s Password Generator to quickly generate new passwords for their logins (you’re welcome!).

3. Use a Password Manager to safely store your online login information.

We had to say it: if you’re not using RoboForm’s password manager already, we highly recommend that you start now. Having a password manager allows you to easily follow online security best practices. RoboForm will remember all of your passwords for you and safely encrypt them all behind your one Master Password. RoboForm also allows you to use strong and unique passwords for every site. That way, if a hacker has one password, they don’t have them all.

Be sure to follow RoboForm on Facebook and Twitter for updates on the “CyberVor breach,” as well as other critical, online security news.

Aug 6, 2014

8 Tips for Keeping Your Passwords Safe This Summer

The Sun Isn’t the Only Way to Get Burned

The summer is a great time to relax, whether it’s on a beach or on your front porch. Unfortunately, while enjoying picnics and barbeques, online security is the last thing on most people’s minds. Therefore, we at RoboForm Password Manager have assembled these 8 simple tips for keeping yourself safe this summer.

1. Always log off of websites - This is especially important when travelling or using a shared computer.

2. Update your software - Although sometimes annoying, these software updates often contain important security upgrades.

3. Monitor your bank accounts/credit cards - We recommend checking them weekly to look for fraudulent charges.

4. Don’t use duplicate passwords - Duplicating passwords is like men wearing Speedos: it should never happen! You should be using a unique password for every website that you log in to.

5. Protect your mobile phone with a PIN - Simple, but many people do not do this.

6. Don’t keep a list of logins/passwords - You’d be surprised how many people carry around a list of passwords in their wallets or purses!

7. If you see a shark fin in the water, go back to shore - It’s likely just a kid messing with you, but better to be safe than sorry.

8. You got a new puppy? Great! Just don’t use its name in any of your passwords - Never use personal information like names, birthdays, etc. in your passwords.

Have any password security tips of your own for the summer? Please share them with us using the hashtag #RoboTips and you could see them featured on our Facebook or Twitter pages! And remember, hackers don’t take summer vacations!

Apr 17, 2014

Has Your Android Device Been Hacked via Heartbleed?

According to a post on Gizmodo on April 15, not only is Heartbleed causing heartache on hundreds of servers all over the internet, but security researchers have also warned that the bug could allow direct hacks of Android, too. The Gizmodo post recommends that you install Heartbleed Detector, a free app developed by Lookout Mobile, to determine if your device is at risk. For more details visit Gizmodo.

Apr 16, 2014

RoboForm Not Affected by the Heartbleed bug

What is the Heartbleed Bug?

The Heartbleed Bug was disclosed Monday night and can occur in open-source software called OpenSSL that's widely used to encrypt Web communications. Heartbleed can reveal the contents of a server's memory, where most sensitive data is stored.

The bug appears in OpenSSL versions 1.0.1 to 1.0.1f. Version 1.0.1g fixes the bug.

How Does the Heartbeat Vulnerability Affect RoboForm?

It doesn't.

RoboForm servers used OpenSSL versions 1.0.0 and 0.9.8, which were not affected by the Heartbleed Bug.

Upon learning of the bug, we updated all our OpenSSL versions to 1.0.1g, which is the published fix for the Heartbleed bug.

What should you do next?

Your Master Password has always been secure, so you do not need to change it.

However, this bug has been out there for a long time and it's possible that sites you regularly visit are susceptible to the vulnerability.

You can check whether or not sites are susceptible using this tool: http://filippo.io/Heartbleed/

We recommend you generate new passwords for any website on which you store sensitive information, such as email, banking, etc. However, you should wait until these sites have updated their OpenSSL version and replaced their certificates with new certificates issued on 4/8/2014 or later.
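The two conditions above (a patched OpenSSL, then a certificate issued on 4/8/2014 or later) can be checked mechanically. The following is an added example, not RoboForm's code: the function names are hypothetical, the version strings follow the `openssl version` banner format, and the certificate date uses the `notBefore` format that Python's `ssl` module reports.

```python
import re
import ssl

# From the post: 1.0.1 through 1.0.1f are affected; 1.0.1g is the fix.
AFFECTED_BRANCH = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"
# The post's cut-off for replacement certificates (4/8/2014), at 00:00 UTC.
REISSUE_CUTOFF = ssl.cert_time_to_seconds("Apr  8 00:00:00 2014 GMT")

def is_heartbleed_affected(version_banner):
    """Classify a banner such as 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b", version_banner)
    if not m:
        raise ValueError(f"no OpenSSL version found in {version_banner!r}")
    branch = tuple(int(part) for part in m.group(1, 2, 3))
    letter = m.group(4)  # "" for plain 1.0.1, which sorts before "a"
    return branch == AFFECTED_BRANCH and letter <= LAST_AFFECTED_LETTER

def safe_to_rotate_password(current_banner, cert_not_before):
    """For a site that was exposed: patched OpenSSL first, new certificate second."""
    if is_heartbleed_affected(current_banner):
        return False, "server still runs an affected OpenSSL version"
    if ssl.cert_time_to_seconds(cert_not_before) < REISSUE_CUTOFF:
        return False, "certificate was issued before 4/8/2014"
    return True, "patched and certificate replaced"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real server.
    samples = [
        ("OpenSSL 1.0.1f 6 Jan 2014", "Apr 10 12:00:00 2014 GMT"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "Mar  1 00:00:00 2014 GMT"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "Apr 10 12:00:00 2014 GMT"),
    ]
    for banner, not_before in samples:
        print(banner, "|", not_before, "->", safe_to_rotate_password(banner, not_before))
```

Changing a password before both conditions hold means the new password can leak through the same memory disclosure, or to anyone holding the old private key.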

Oct 8, 2013

Phishing- What It Is and How to Avoid It

What is Phishing?

Phishing is a website link that appears to be from a legitimate company, but actually attempts to collect sensitive and private information from you. While Facebook phishing is popular (see below), phishers also target bank sites, credit card sites, email accounts, PayPal, and other social networking sites. They attempt to access many different types of information and phish links can present themselves in many ways. RoboForm would like to share some ways you can identify a phishing website (if your browser is not able to detect it), as well as how to avoid them altogether.

From a quick glance, the page below appears to be the Facebook login page. Same design, logo, language options - everything down to the font is exact. However, there is one little, yet extremely important difference. Look at the URL. What in the world is flashpuddle.com?

RoboForm’s Safe Identifiers and Tips:

The first thing that RoboForm always recommends is not giving out your email to a website unless you are absolutely sure that it is legitimate. Some phishing links come in the form of a website’s administrative mass emails. We’ll use a Facebook phishing email as an example:

Everything about this seems legitimate, right down to the logo. But on a closer look, it's not actually from Facebook. Major social networking websites and online companies will never ask for sensitive information via e-mail. Facebook states it right here.

Next, Facebook email notifications have a personalization feature that includes your name. Phishing emails are generic and, like this one, only identify you as “Facebook User”. This will be the same with bank or credit card emails.

As a final check, hover over the link the email wants you to click to see the URL. Make sure that it has the full website name with no misspellings or additional letters added on. With our Facebook example, Facebook pages have straightforward URLs such as facebook.com/messages or facebook.com/photo, and after this part there is an identifier for the message conversation or photo. This is similar for other major companies and social networking sites, so make sure to check links before you click on them!

If you are still unsure about the email, open a new browser page and go to the website directly to see if the same update or offer is there - this is the safest way to ensure that the email is legitimate. If you are able to identify this as a phishing email, be sure to mark it as spam in your email.

Another way phishers get through to people is directly on Facebook. You see them as posts or messages that have tempting titles and links to open. Some recent and common ones have been “I cant believe this video”, or, “I got my teeth professionally whitened for 70% off!!” or my personal favorite, “Justin Beiber STABBED By CRAZED Fan Outside N.Y.C. NightClub!”

Don’t get fooled by these offers or posts. The phishing website will appear to log you out of Facebook so you have to put your information in again to view the content, but it’s just another way they collect your information. Facebook directly identifies the link as a ridiculous website. Hover over the link to also identify the website URL. If you can’t identify its safety, message your Facebook friend who posted it and ask them if it’s legit. If the Facebook friend has been deceived, message them to report the link to Facebook and delete it to prevent it from spreading.

Overall, remember to be smart when handling your own information to protect yourself from phishing. The main thing RoboForm wants you to remember is to never send or enter sensitive info over email. Keep it in RoboForm’s protected form manager or SafeNotes, and only enter it on trusted websites. The rest is easy. Stay safe out there!