Tag: password-vault programs

Safe computing practices in the coronavirus age


The coronavirus plague is keeping us at home, indoors and online more often.
(iStock by Getty Images)

The Covid-19 coronavirus plague is changing our habits more and more as we stay at home to avoid the virus or avoid spreading it onwards. Now we are strongly relying on our home networks and the Internet to perform our work, continue studying and connect with others in our social circles.

But this state of affairs brings its own cyber-security risks: computing devices are vulnerable to malware, and hastily-written software is being pressed into service for tasks like videoconferencing. Not to mention the increasing flow of fake news and disinformation about this disease.

What can we do?

General IT security

But we need to be extra vigilant about our data security and personal privacy

The general IT security measures are just as important in this coronavirus age. Here, you need to make sure that all the software on your computing devices, including their operating systems, is up to date and has the latest patches. The same applies to your network, TV set-top and Internet-of-Things hardware, where you need to make sure the firmware is up to date. The best way to achieve this is to have the devices automatically download and install the revised software themselves.

As well, managing the passwords for our online services and our devices properly reduces the risk of data and identity theft. It may even be a good idea to use a password vault program to manage our passwords, which also helps us avoid reusing them across services. Similarly, using a word processor to keep a list of your passwords which is saved on removable media and printed out, with both the hard and electronic copies kept in a secure location, may also work wonders here.

Make sure that your computer is running a desktop / endpoint security program, even if it is the one that is part of the operating system. Similarly, using an on-demand scanning tool like Malwarebytes can work as a way to check for questionable software. As well, you may have to check that the software installed on all of your computing devices is what you actually use, and even verify with multiple knowledgeable people whether that program that is the “talk of the town” should be on your computer at all.

If you are signing up with new online services, it may even be a better idea to use social sign-on with established credential pools like Google, Facebook or Microsoft. These setups pass a token between the credential pool and the online service as the authentication factor, rather than a separate username and password that you create.

As well, you will be using the Webcam more frequently on your computing devices. The security issue with the Webcam and microphone is more pressing with computing setups that have the Webcam integrated in the computer or monitor, such as portable computing devices, “all-in-one” computers or monitors equipped with Webcams.

Here, you need to be careful about which programs have access to the Webcam and microphone on your device. If newly-installed software asks for use of your camera or microphone and that request is out of keeping with what the software does, deny access to the camera or microphone when it asks.

If you install a health-department-supplied tracking app as part of your government’s contact-tracing and disease-management efforts, remember to remove this app as soon as the coronavirus crisis is over. Doing this will protect your privacy once there is no real need to manage the disease.

Email and messaging security

Your email and messaging platforms will become an increased security risk at this time thanks to phishing including business email compromise. I have covered this issue in a previous article after helping someone reclaim their email service account after a successful phishing attempt.

An email or message is likely a phishing attempt if it doesn’t meet proper business-writing standards for your country, has a sense of urgency about it, or is too good to be true. Once you receive these emails, it is prudent to report them and then delete them forthwith.

In the case of email addresses from official organisations, make sure that the domain name is the organisation’s proper domain name. This is exactly the same domain name they would use for their Web presence, although the domain-name part of an email address (the part following the “@” symbol) may be prefixed with a server identifier like “mail” or “email”. As well, there should be nothing appended to the domain name.

Also, be familiar with the particular domain-name structures used by official organisation clusters like the civil / public service, international organisations and academia when you open email or surf the Web. These will typically use protected top-level domain suffixes like “.gov”, “.int” or “.edu” and won’t use common domain suffixes like “.com”. This will help with identifying whether a site or a sender is the proper authority or not.
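The two sender checks described above (the domain after the “@” must be the organisation’s domain, possibly with a server identifier such as “mail” prefixed but nothing appended, and official bodies use protected suffixes) as an added example, not code from the original article. The organisation domain and the sample addresses are constructed placeholders, and the suffix list is just the three the article names; extend it for your own jurisdiction.

```python
import re

# Suffixes the article names as protected/official; extend for your own
# jurisdiction (e.g. second-level government registries) as needed.
PROTECTED_SUFFIXES = ("gov", "int", "edu")

# Bare address: local part, a single "@", then at least two hostname labels.
_ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def sender_domain(address):
    """Return the lower-cased domain after the '@', or None if malformed."""
    # Strip a display name such as 'Health Dept <alerts@example.gov>'.
    m = re.search(r"<([^<>]+)>\s*$", address)
    bare = m.group(1) if m else address.strip()
    m = _ADDR_RE.match(bare)
    return m.group(1).lower() if m else None


def matches_org_domain(address, org_domain):
    """True only if the sender domain is org_domain or a host under it.

    'mail.example.gov' passes (server identifier prefixed), while
    'example.gov.attacker.example' (something appended) and the lookalike
    'example-gov.com' fail.
    """
    domain = sender_domain(address)
    if domain is None:
        return False
    org = org_domain.lower().strip(".")
    return domain == org or domain.endswith("." + org)


def has_protected_suffix(address):
    """True if the sender domain ends in one of the protected suffixes."""
    domain = sender_domain(address)
    return domain is not None and domain.rsplit(".", 1)[-1] in PROTECTED_SUFFIXES


def classify_sender(address, org_domain):
    """Summarise both checks for a sender claiming to be an official body."""
    return {
        "domain": sender_domain(address),
        "same_org": matches_org_domain(address, org_domain),
        "protected_suffix": has_protected_suffix(address),
    }


if __name__ == "__main__":
    # Constructed sample senders; "example.gov" stands in for the real organisation.
    for addr in ("Health Dept <alerts@mail.example.gov>",
                 "alerts@example.gov.attacker.example", "alerts@example-gov.com"):
        print(addr, classify_sender(addr, "example.gov"))
```

A sender that fails either check is not proof of phishing on its own, but it is exactly the cue the article says should make you report rather than act on the message.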

Messaging and video-conferencing

Increasingly as we stay home due to the risk of catching or spreading the coronavirus plague, we are relying on messaging and video-conferencing software more frequently to communicate with each other. For example, families and communities are using video-conferencing software like Zoom or Skype to make a virtual “get-together” with each other thanks to these platforms’ support for many-to-many videocalls.

But as we rely on this software more, we need to make sure that our privacy, business confidentiality and data security are protected. This is becoming more important as we consult our doctors, whether they be general practitioners or specialists, “over the wire” and reveal our medical issues to them that way.

If you value privacy, look towards using an online communications platform that implements end-to-end encryption. In fact, most of the respected “over-the-top” communications platforms like WhatsApp, Viber, Skype and iMessage offer this feature for 1:1 conversations between users on the same platform. Some, like WhatsApp and Viber, offer this same feature for group conversations between users on that same platform.

Video-conferencing software like Zoom and Skype

When you are hosting a video-conference using Zoom, Skype or similar platforms, be familiar with any meeting-setup and meeting-management features that the platform offers. If the platform uses a shareable Weblink to join a video-conference, use email or a messaging platform to share that link with the intended participants. Avoid posting it on the Social Web so you keep gatecrashers out of your meeting or class.

As well, if the platform supports password-protected meeting entry, use this feature to limit who can join the meeting. Here, it is also a good idea to send the password as a separate message from the meeting’s Weblink.

Some platforms like Zoom offer a waiting-room function which requires potential participants to wait and be vetted by the conference’s moderator before they can participate. As well, these platforms may have a meeting-lockout so no more people can join the video-conference; you use this function once all the participants that you expect are present in the meeting.

You need to regulate the screen-sharing feature that your platform offers, which allows meeting participants to share currently-running apps or desktop user interfaces. Here, you may have the ability to limit this function to the moderator’s computer or a specified participant’s computer, which will prevent people from showing offensive imagery or videos to all the meeting’s participants. As well, you may also need to regulate access to any file-sharing functionality that the platform offers in order to prevent the video conference becoming a vector for spreading malware or offensive material.

Fake news and disinformation

Just as with the elections that count, the coronavirus issue has brought about its fair share of fake news and disinformation.

Here, I would recommend that you use trusted news sources like the respected public-service broadcasters for information about this plague. As well, I would recommend that you visit respected health-information sites including those offered “from the horse’s mouth” by local, regional or national government agencies for the latest information.

As well, trust your “gut reaction” when it comes to material that is posted online about the coronavirus plague, including the availability of necessary food or medical supplies. Here, be careful of content that is “out of reality” or plays on your emotions. The same attitude should also apply when you are buying essential supplies online and are concerned about the availability and price of these supplies.

Conclusion

As we spend more time indoors and online thanks to the coronavirus, we need to keep our computing equipment including our tablets and smartphones running securely to protect our data and our privacy.

Password-vault software can work well but needs to go further

As I was reviewing the Fujitsu Lifebook SH771 business ultraportable computer lately, I had a chance to use the Fujitsu-supplied Softex Omnipass password vault that came with this computer. It worked with the Fujitsu laptop’s fingerprint reader to permit a “login-with-fingerprint” experience for the sites I regularly visit. For example, I was logging in to Facebook, this site’s admin panel, LinkedIn, ProBlogger forum and the like simply by swiping my finger across that laptop’s fingerprint sensor.

What is a password-vault program

A password-vault program stores the passwords you need for various applications and online services in an encrypted local file, which I would describe as a “keyring file”, and inserts the correct usernames and passwords into the login forms for the applications and Web sites. You can only get to this password list if you log in using a master password or similar credentials.

This works well with a security-preferred arrangement where you create separate passwords for each online service that you use and avoid using single-sign-on options of the kind that Facebook and Google offer with other sites. Some of these programs work with varying authentication setups such as a fingerprint reader or a smart card. They can even support two-factor authentication arrangements, like using your fingerprint or a Trusted Platform Module token as well as keying in your master password, for a high-security operating environment.

Some of these programs also have a password-generation module so that you can insert a random high-security password string into the “New Password” and “Confirm New Password” fields of a password-change form.
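To show what sits behind the “master password” and the password-generation module just described, here is an added example (not Softex Omnipass or any product’s code): the master password is stretched with a salted PBKDF2 into the key that would protect the keyring file, a stored check value lets the vault tell a wrong master password from a right one without storing the key, and the generator draws from the OS randomness source rather than a seeded pseudo-random generator. The work factor, character classes and the “correct horse” sample password are assumptions; the encryption of the entries themselves with the derived key is not shown.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Character classes the generator draws from; most "New Password" fields accept these.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#$%&*+-=?@_")
ALPHABET = "".join(CLASSES)
PBKDF2_ROUNDS = 200_000  # assumed work factor; raise as hardware allows


def generate_password(length=20):
    """Random high-security string containing at least one character of each class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:  # rejection sampling keeps the distribution uniform over valid strings
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def derive_key(master_password, salt):
    """Stretch the master password into a 32-byte file key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_vault(master_password):
    """Header a fresh keyring file would store: a random salt plus a key check value."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    return {"salt": salt, "key_check": hashlib.sha256(key).digest()}


def unlock_vault(master_password, header):
    """Return the file key if the master password is right, otherwise None."""
    key = derive_key(master_password, header["salt"])
    if hmac.compare_digest(hashlib.sha256(key).digest(), header["key_check"]):
        return key
    return None


if __name__ == "__main__":
    header = create_vault("correct horse")  # constructed sample master password
    print("unlocked:", unlock_vault("correct horse", header) is not None)
    print(generate_password(), "≈%.0f bits" % entropy_bits(20))
```

Only the salt and the check value are written to disk; the derived key exists in memory while the vault is unlocked and is what an authenticated cipher would use to protect the stored entries.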

The login experience with these programs

When a password-vault program is running, it works with the browser or some applications to detect login screens. Then, you can set them to capture your user credentials from the login screen, typically by invoking a “Remember Password” function.

Then, when you subsequently log in to the Website, you authenticate yourself to the password vault with your Master Password, fingerprint or whatever you set up and the program logs you in to that site with the correct username and password for that site. Some programs may require you to authenticate when you log in to the computer or start the Web browser and persist the authentication while you are browsing the Web.

The behaviour of these programs can be very inconsistent when capturing or supplying passwords. For example, this can happen with single-sign-on user experiences, admin-level / user-level setups or some newspaper paywalls that show the extra content after you log in. The same situation can occur with applications that the password-vault program doesn’t understand, like some content-creation tools that allow uploading of content to a Website.

When can they be handy

The password-vault program can be handy if you maintain many different passwords for many different applications and Web sites; and you want to log in to them without trying to recall different passwords for different sites.

They also come into their own if you are using a computer that has advanced authentication hardware, like most business laptops, and you want to make use of these features.

What needs to be done

An improved user experience for these programs could be provided in a few ways. For example, there could be a standard “hook” interface that allows a password vault to link with the login experience without it looking for “username-password” forms when catching or supplying user credentials. This can deal with the way paywall setups expose the full article on the same screen after you log in; or other difficult login environments. Similarly, the standard API could also work with desktop applications that require the user credentials.

Similarly, there could be support for a standard file format and public-key / private-key encryption setup to allow a “keyring” file to be used with different password-vault programs. This could also cater for transporting authentication parameters between two different programs, and could allow the “keyring” to be used on different computers. This matters even more if you offload the “keyring” file to a USB memory key that is on the same physical keyring as your house keys, for example.

Conclusion

I would like to see further innovation occurring with “password-vault” programs, whether as third-party software or as part of an operating system, browser or desktop-security program. This is to encourage us to keep our computing and online experience very secure as it should be.