Interview with Jim Simpson, Director of Product Management at Duo

Published: April 26th, 2017

Back in 2011, LuxSci integrated Duo.com’s two-factor authentication into our WebMail service. Any LuxSci customer can use Duo.com to protect their WebMail login as well as their administrative access to LuxSci, at no extra cost.

We use Duo’s authentication ourselves, for administrative actions both at the server command line and through the web interface. Two-factor authentication with a system such as Duo.com is an excellent way to harden a system: PCI DSS requires multi-factor authentication for administrative and remote access to the cardholder data environment, and it also supports HIPAA’s access-control requirements.


The new Duo Access service is an innovative way to enforce corporate security policies, helping businesses to drastically cut their risks. Duo’s Jim Simpson has taken some time out of his schedule to answer some questions for us and discuss the details of their service.

Read the rest of this post »

Tighten Up Your Security with a VPN: LuxSci’s Guide to Choosing One that Works for You

Published: April 24th, 2017

As online crime continues to grow and government surveillance moves forward unabated, many people are becoming worried about their privacy and security. With Congress having repealed the FCC privacy rules that would have strengthened individual rights on the internet, things are getting pretty grim.

In recent years, VPNs have become more popular for personal use as individuals attempt to reclaim some sense of anonymity online. Given how many entities could be looking at your activity (governments, advertisers, your ISP and criminals), a VPN is one of many tools you can use to help protect yourself. VPNs can also be useful for circumventing censorship or accessing geo-restricted content.

A VPN can be excellent for helping you stay safe online, but you also need to be aware of its limitations. A VPN is not a magic technology that makes you impenetrable: it encrypts the traffic between your device and the VPN provider’s server, which hides that traffic from your ISP and the local network but moves the trust to the VPN operator, who can see everything you send through it.

You also need to be aware that not all VPNs are created equal. In fact, the VPN industry is incredibly messy and the dodgy operators far outnumber the good. There is a huge disparity in the services and the level of protection on offer, ranging from free VPNs, which are poorly regarded, to scammy companies that are just in it to make a buck, to the more trusted options that generally have good reputations. Finding a reliable VPN isn’t the end of the battle: you also have to set it up and use it properly.

Read the rest of this post »

The Latest Leaks From The Shadow Brokers: Where Do We Stand?

Published: April 19th, 2017

The Shadow Brokers have been trickling out leaks since August 2016. Their April 8 release was somewhat lackluster, but the exploits released on April 14 had the infosec world on edge. This latest set of tools includes Windows exploits that were initially thought to be zero-days (Microsoft has since confirmed that the vulnerabilities had already been patched, most of them in its March 2017 updates), as well as documents and tools suggesting that banks connected to the SWIFT network through service bureaus had been compromised.

Shadow Brokers Impact as of August 2016.

Read the rest of this post »

Does Your Website Have Grown Up Security?

Published: April 14th, 2017

Website security used to be simple – configure a few settings and call it a day.

That’s not enough to secure your company’s online presence today. First, reducing website security to a single technology oversimplifies the threats you face. Second, you need to give thought to the full range of risks, not just the ones that a single control addresses.

Read the rest of this post »

Data Privacy Laws: How Does the US Stack Up Against the EU?

Published: April 12th, 2017

by Josh Lake

As the media attention surrounding the repeal of the data privacy framework begins to calm down, now is the perfect time to examine where the USA stands with our current laws. Europe is one of the most culturally and economically similar parts of the world, so comparing our laws against Europe’s provides a good frame of reference.

While the US government is focusing on stripping back red tape in a bid to kickstart business, the European Union has gone in the other direction and is stepping up its bureaucracy with the General Data Protection Regulation (GDPR). These new laws come into play in May 2018, so businesses are hard at work to make sure they will be compliant when the date swings around.

Read the rest of this post »

What is really protected by SSL and TLS?

Published: April 8th, 2017

This question came in via Ask Erik:

Hi Erik,

I stumbled upon your blog while trying to learn a little about SSL/TLS in the context of client/server e-mail sessions, i.e. not web mail, which I understand to be an HTTP session. I am just an ordinary user with no special security needs, but I find all this news about corporate and government surveillance to be troubling for both philosophical and practical reasons. In any case, my question is quite simple.

My e-mail client, Apple Mail, and my e-mail service provider both support SSL, so my e-mail exchanges between my computer and the server are encrypted. I understand that I can’t control what happens with other e-mail servers. What I am trying to understand is: what does it mean to be encrypted? When an e-mail leaves my computer, how much of the message is encrypted? Are the e-mail headers encrypted, including the sender and recipient e-mail addresses? I would assume so, but nobody talks about the details. What metadata trail does a user leave when using SSL/TLS? Is it as simple as the destination and sending IP address, with everything else encrypted? I am reading Data and Goliath right now by Bruce Schneier, which talks about a lot of this stuff but again doesn’t give quite enough detail. At the end of the day I am trying to understand how much protection SSL really provides.

SSL (now TLS) protects data as it travels across the Internet. To understand in detail how SSL works, we recommend reading: How does Secure Socket Layer (SSL and TLS) work? However, looking at how the protocol works can leave the answers to some of these fundamental questions a little unclear. The short version: TLS encrypts the entire session between your mail program and the server, so the envelope addresses, the headers and the body are all protected in transit; what an observer on the network can still see is connection metadata such as the IP addresses, the port, the server name sent during the TLS handshake, and the timing and sizes of the encrypted traffic. Let’s address the questions one by one.
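To make the question concrete, here is an added example that is not part of the original post and not LuxSci’s code. It walks through a constructed SMTP submission transcript and reports which lines a passive observer on the network path can read on port 25 with no TLS, on port 587 with STARTTLS, and on port 465 with TLS from the first byte. The hostnames, IP addresses, credentials and message are made up; the script models the protocol exchange and does not open a network connection.

```python
"""What a passive network observer sees of a mail session, with and without TLS.

Added example, not code from the original post. It walks a constructed SMTP
submission transcript and reports which lines cross the wire readable and
which travel inside the TLS tunnel. Hostnames, addresses, credentials and
message content are all made up.
"""

# Each line is (sender, text): "C" = mail client, "S" = mail server.
# The commands and replies of the mail exchange itself (constructed).
MAIL_EXCHANGE = [
    ("C", "EHLO laptop.example.org"),
    ("S", "250 mail.example.net"),
    ("C", "AUTH PLAIN AHVzZXIAcGFzc3dvcmQ="),  # base64 of "\0user\0password"
    ("S", "235 2.7.0 Authentication successful"),
    ("C", "MAIL FROM:<alice@example.org>"),
    ("S", "250 2.1.0 Ok"),
    ("C", "RCPT TO:<bob@example.com>"),
    ("S", "250 2.1.5 Ok"),
    ("C", "DATA"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("C", "From: alice@example.org"),
    ("C", "To: bob@example.com"),
    ("C", "Subject: lunch"),
    ("C", ""),
    ("C", "Noon?"),
    ("C", "."),
    ("S", "250 2.0.0 Ok: queued"),
    ("C", "QUIT"),
    ("S", "221 2.0.0 Bye"),
]

BANNER = ("S", "220 mail.example.net ESMTP ready")

# Port 587: banner, capabilities and STARTTLS in the clear, then the exchange
# inside TLS. The TLS handshake sits right after the server's "220 ... TLS".
STARTTLS_SESSION = [
    BANNER,
    ("C", "EHLO laptop.example.org"),
    ("S", "250-mail.example.net"),
    ("S", "250-STARTTLS"),
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
] + MAIL_EXCHANGE

# The same exchange on a hop that never negotiates TLS; it is also what runs
# inside the tunnel on port 465, where TLS is set up before any SMTP is spoken.
PLAIN_SESSION = [BANNER] + MAIL_EXCHANGE

# Envelope, credential and header lines the questioner asks about.
SENSITIVE_PREFIXES = ("MAIL FROM", "RCPT TO", "AUTH ", "FROM:", "TO:", "SUBJECT:")


def split_at_starttls(session):
    """Return (cleartext_lines, tunneled_lines) for an opportunistic-TLS session.

    The client's STARTTLS command and the server's 220 reply are the last lines
    sent in the clear; if the server refuses, the whole session stays readable.
    """
    for i, (who, text) in enumerate(session):
        if who == "C" and text.upper() == "STARTTLS":
            accepted = i + 1 < len(session) and session[i + 1][1].startswith("220")
            cut = i + 2 if accepted else len(session)
            return session[:cut], session[cut:]
    return session, []  # never upgraded: everything is readable


def observer_view(session, *, implicit_tls, client_ip, server_ip, port, sni):
    """Model what someone on the path (hotspot, ISP, backbone) can record."""
    if implicit_tls:  # ports 465/993/995: TLS from the first byte
        clear, tunneled = [], session
    else:
        clear, tunneled = split_at_starttls(session)
    return {
        "client_ip": client_ip,
        "server_ip": server_ip,
        "port": port,
        "sni": sni if tunneled else None,  # server name rides in the cleartext ClientHello
        "cleartext": [text for _, text in clear],
        "encrypted_records": len(tunneled),
        "encrypted_bytes": sum(len(text) + 2 for _, text in tunneled),  # +2 for CRLF
    }


def leaked_sensitive(view):
    """Envelope, credential and header lines readable from this view."""
    return [t for t in view["cleartext"] if t.upper().startswith(SENSITIVE_PREFIXES)]


if __name__ == "__main__":
    for label, session, implicit, port in (
        ("port 465, implicit TLS", PLAIN_SESSION, True, 465),
        ("port 587, STARTTLS", STARTTLS_SESSION, False, 587),
        ("port 25, no TLS", PLAIN_SESSION, False, 25),
    ):
        v = observer_view(session, implicit_tls=implicit, client_ip="203.0.113.5",
                          server_ip="198.51.100.25", port=port, sni="mail.example.net")
        print(f"{label}: {len(v['cleartext'])} cleartext lines, "
              f"{v['encrypted_bytes']} encrypted bytes, leaked {leaked_sensitive(v)}")
```

The script makes the point in the answer above explicit. Once TLS is up, the envelope addresses, the headers and the body are all inside the tunnel, but the IP addresses, the port, the server name in the TLS handshake and the sizes and timing of the encrypted records remain visible. With STARTTLS the server banner and the client’s EHLO hostname are also exchanged before encryption starts, and the session stays readable if the server refuses the upgrade; server-to-server hops usually use opportunistic TLS of exactly this kind, which is why the questioner is right that the protection ends where his provider’s control ends.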


Read the rest of this post »

Phishing or for Real? Why Companies Need to Take a Closer Look at Their Email Marketing

Published: April 7th, 2017


In July 2016, Hilton HHonors loyalty program members received an email asking them to log into their Hilton HHonors account to confirm their correct email address, mailing address, and other personal details.

The email set off alarm bells for a number of customers. One tweeted a screenshot of the email to the Hilton HHonors Twitter account, asking, “… is this legit? Looks very much like a phishing email…”

Hilton’s support team responded, “This is not an email from the HHonors team. Please do not share your account details.”

The only problem? It was a legitimate email from Hilton HHonors, but it so closely resembled a phishing email that it fooled Hilton’s own support staff.

Hilton is not the only company to inadvertently send customer emails that are nearly indistinguishable from phishing emails. Many companies send emails asking their customers to log in to confirm account information or confirm payment details. Sometimes, cautious customers will reach out to the digital community for feedback on whether an email is real or fake.

These emails are a problem because not only do customers believe them to be phishing emails, but they normalize emails that ask for personal information—making people more vulnerable to real phishing scams in the future.

Marketers need to understand email marketing best practices to send secure customer messages that don’t endanger customer privacy and data. Here’s everything you need to know from a technical and content perspective to make sure your email isn’t mistaken for a phishing scam.

Read the rest of this post »

The US Online Privacy Law Repeal: How It Will Affect You

Published: April 5th, 2017

As with any politicized issue, there is a lot of misinformation surrounding the repeal of the data privacy framework. Regardless of whether you are a Republican or a Democrat, your online security and privacy rights are going to be affected, so let’s just get the story straight.

This whole issue began back in February 2015, when the Federal Communications Commission (FCC) issued its Open Internet Order. This established net neutrality rules and also reclassified ISPs as common carriers under Title II of the Communications Act, which meant that ISPs would be subject to a new set of regulations.

Read the rest of this post »

Secure Text Message Marketing: Step By Step

Published: March 31st, 2017

Many marketers are engaged in a mad scramble to make the most of social media platforms. Unfortunately, these channels have some major drawbacks. Unlike email and text messaging, social media communications generally lack the security and oversight controls required in regulated industries like health care. Secure text message marketing is an excellent addition to boost your marketing results even if you have to operate under heavy regulations.


Read the rest of this post »

Google to Strip Trust from Symantec SSL Certificates

Published: March 28th, 2017

Last Thursday, a Google developer announced that Chrome will be reducing its level of trust in Symantec-issued SSL certificates, as well as those issued by Symantec’s subsidiaries. This comes after a two-year dispute between the two companies, with Google asserting that Symantec has repeatedly failed to follow appropriate verification practices when issuing certificates.

Under Google’s proposal, Chrome will stop recognizing the Extended Validation status of Symantec-issued certificates, the accepted validity period of newly issued Symantec certificates will be gradually reduced to a maximum of nine months, and currently trusted Symantec certificates will be incrementally distrusted with each Chrome release up to Chrome 64. These measures aim to balance compatibility concerns against the security risks.


Read the rest of this post »