What can I do to protect the financial and personal data that I gave a company that I no longer want them to have?

Last year due to a complicated tax scenario (for my skills), I used an online tax website recommended by a friend to do my taxes. They were efficient in their job and I wanted to use their services again this year to save time. I had forgotten my password so tried to reset it. Turns out, they stored my password in plain text. Apparently that was to enable their staff to update any information that I provided in case it was incorrect.

I am worried about the financial data that I have already provided to them. I think as a user I have to consider it compromised. But I am a bit of an optimist, so I am wondering if I can do anything to protect my data.

They don’t seem to be GDPR compliant, so I don’t think they will simply delete my data, but I am definitely going to request it.

dnd 5e – Does Tiny Hut protect from Dream?

Leomund’s Tiny Hut spell states

Spells and other magical effects can’t extend through the dome or be cast through it.

Dream states

Choose a creature known to you as the target of this spell. The target must be on the same plane of existence as you.

Can Dream reach a target sleeping in Leomund’s Tiny Hut?

The points giving me doubt are:

  • “Extend through the dome” seems to exclude the floor/ground.
  • Does “Target must be on the same plane of existence” override any protection offered by the dome, or is it just a requirement of Dream, and doesn’t override any other existing limitations?

How to protect my code from “insider” threats when hiring my first employee?

For the most part this is not a technical problem but a human problem. So while technology has a role to play it has limits.

If the employee will be working from home, supervision is more difficult. If you’ll be monitoring his/her activity, you don’t want to be in breach of applicable privacy laws.

The computer has to be secured obviously but the rest of the environment is important too. If you have a corporate LAN there should be adequate protections like an IDS/firewall. But the equipment is often useless without somebody keeping an eye on the logs and the alerts.

Since you mentioned Visual Studio, the developer may need to be at least a local admin to work in optimal conditions. If you cripple their environment, they may be tempted and even forced to find workarounds and defeat your security measures, which is what you want to avoid.

I’m afraid we all have to trust other people and take risks. The more you monitor your employees, the more you make it obvious to them that you don’t trust them and make them feel untrustworthy. At some point the surveillance effort becomes counter-productive because you frustrate and demotivate them. They may become less productive, less loyal.

Security training may be beneficial too. The employee could be honest and acting in good faith but vulnerable to social engineering, and unwittingly jeopardize the company and its assets. Naïveté can be as dangerous as malicious intent. I would say that many developers lack cybersecurity awareness.

Perhaps you should order a penetration test against your company and learn from it. Thus your security posture will improve and you’ll be better equipped to fend off attacks.

Employees are often the weakest link but you should also consider the threat of hackers and unethical competitors. In other words don’t focus too much on your employees, but develop a 360° security approach for your company.

Physical security is important too. A lost laptop should be no big deal if the hard drive is encrypted and has a strong password. But your backups should be in a safe place. Consider the risk of burglary.

Yes, backups are extremely important. Make sure you have a solid backup plan in place and test it from time to time. Prepare a disaster recovery plan. What would happen if your office burns with all your computer equipment? You need to protect your source code but also plan for business continuity. Hint: insurance.

If you have valuable IP you could consider applying for patents. Again, this is a lawyer’s job here.

Probably you can find insurance to cover the risk. The question is whether it’s worth paying for a low risk.

I would also offer shares or some equity in the company. Then your employees have less incentive to go rogue and sabotage your enterprise.

To sum up: there are so many possible risks that I think you are putting too much emphasis on the insider threat. You are more likely to get hacked than to sack someone for misconduct.
Your employees must be your allies and considered as such – not as potential foes.

Order Swissns GmbH Cyber Protect – Turn key solution for protecting your systems | Proxies-free

At swissns GmbH, we strive to drive innovation and excellence in service in our core markets with the focus being on security, infrastructure and big data. We know just where we want to go, and we are getting there! At swissns GmbH, we are working to make IT more secure. swissns GmbH offers a comprehensive range of IT and security related solutions and services that allow organizations to fully realize their aspirations for a safe and secure network and data infrastructure. swissns GmbH was formed in 2013. Alexander Baltazzis is the CEO and Managing Director of the company, with 20+ years experience in the IT, Telecommunications, ISP and Security Industry.

===>> Coupon code: YVHVN55NFL – gives 20% discount, valid till July 31st!

Check out our Cyber Protect services:

Acronis Protect Cloud – Turn key solution for protecting your systems with real-time protection against viruses and malware as well as backup and restore on the cloud (CH) or your premises. Great DR solutions and more! ==>> READ MORE!

Acronis Backup Cloud – State of the art backup & restoration software for any type of device along with active protection from malware which identifies and blocks any ransomware encryption attempt on the fly! ==>> READ MORE!

End User Backup – The basic yet essential protection for End Users includes backup of PC / laptop, phone & tablet as well as Active Protection against ransomware. A must have to protect our digital lives! ==>> READ MORE!

Mobile Backup from CHF 2.30 Per Month
Mobile Devices (1 included)
Cloud Storage (5GB included)
==> Build your plan

End User Backup from CHF 8.60 Per Month (Recommended)
Workstations (1 included)
Mobile devices (1 included)
Office 365 seats
Gmail
Website
Cloud Storage (10GB included)
==> Build your plan

Workstation Backup from CHF 6.60 Per Month
Workstations (1 included)
Cloud Storage (10GB included)
==> Build your plan

Contact Info:
swissns GmbH
Hofstrasse 1
6004 Luzern – Switzerland
+41 41 588 0270

Please contact us if you need any further information!

You can Like our Facebook Page: https://www.facebook.com/swissns.ch
Besides, you can follow us via Twitter Account: https://twitter.com/swissns

swissns GmbH Team

passwords – Does overlaying the mouse on a virtual numeric keyboard really protect against keyloggers?

Such a protection mechanism as you’re describing could possibly be exploited by the IE mouse tracking flaw, an Internet Explorer vulnerability that allows an attacker to track your mouse cursor anywhere on the screen, even if the browser is not being actively used. To me, such password protection seems more at risk of being compromised than your average run-of-the-mill solutions involving keyboard input, as it wouldn’t even require attackers to hack their way into the end user’s machine and install a key logger.

All it would take is for exploiters to hide an IE window (easy enough; say, a pop-under would make most users unaware of it), or to display a third-party advert that’s running a script recording mouse movements. Without wanting to give away too much information on how such exploits could be made to work (for obvious reasons), suffice it to say mouse movement patterns can be matched against use of a keypad like the one posted in your example, especially since the user is first required to click on a statically positioned access button and the keypad is positioned relative to the window (centered horizontally and vertically), through which the keypad’s absolute position can be easily calculated.

Simply tracking mouse movement alone can, for most users, also tell you when a mouse button was clicked. But even without tracking mouse clicks, recording mouse movement alone can be enough to calculate whether a user is indeed logging into the mentioned bank’s account, and to use subsequent mouse movement to calculate what his/her PIN was.

To cut things short, my 2 cents: I would advise against such mechanisms until ALL user agents (browsers) accessing it are considered secure enough in regard to its function. 😉

UPDATE: The developer has by now updated the keypad display code and its layout is now randomized. Individual keys are shuffled among each other, which of course effectively prevents this particular exploit that I’ve mentioned, which used external browser window JavaScript alone.

It is still far from being a perfect solution and is not safe, not even by a long shot;

Keys are dynamically drawn through an external CGI application and identified by a URI parameter string and a unique session key stored in a cookie; however, they’re accessible through this same URL address even when request fields change, e.g. have no referrer and are opened directly. They only appear to be sensitive to a session cookie value, and maybe the user-agent string, but I haven’t checked for the latter as –

It does not even matter:

A single malicious browser plug-in could easily read the user’s input by tracking mouse movement and mouse clicks and reading the glyph URLs used (or attaching the glyphs themselves in a POST response), and send all of this information to an external or remote processor. The entered PIN itself is also stored in plain text in a hidden form field (conveniently named password), which makes it even easier to retrieve its value through a simple JavaScript call than if a built-in password field type were used. This fact is hidden from a normal user by displaying meaningless bullet glyphs in a display box below the keypad. Who is that supposed to fool? It took me less than 5 seconds to find the relevant hidden field, and I’m not even a security analyst! It would take me an additional 15 seconds to write those 2 lines of JavaScript to read it and send it to a remote location.

So there we have it:

A lot of work has gone into make-believe and cheaply buying the end user’s false sense of security, while at the same time this very same end user has gained absolutely nothing. Both versions (the previous static and the new shuffled layout) effectively prevent simple keyloggers merely doing what their name suggests – logging keystrokes (well done for getting the meaning of this one!), but the layout randomization does nothing to prevent a plethora of other JavaScript/browser plug-in exploits. And under certain conditions the user’s entered PIN (especially such low-hanging fruit as one stored in clear text) can be read by malware, even if the browser and OS are doing their best to prevent this. Certain browsers would, of course, be a lot easier to exploit and read active memory data from than what’s described in that answer, but I wanted a strong case against storing clear-text passwords in memory.

Conclusion:

Storing passwords/PINs in clear text in a hidden form field and employing loads of JavaScript obfuscation trickery simply isn’t what any bank should be considering a safe mechanism, and in the end it fools no one into thinking it’s any safer, except possibly the very same people it’s supposed to protect. Oh, and obviously also whoever it was that approved these changes, their developer(s), and pretty much anyone else working in the mentioned bank.

Dear Banque Postale, for the sake of your clients and your future existence, please stop with these lame attempts at reinventing the wheel and hire a proper IT security expert!

Is using a firewall debit card a good solution to protect my main credit card?

I’m using Curve, a physical debit card that connects all your credit and debit cards in one and lets you decide which one to use for each transaction using its own app.

I’ve used it with my lower-limit credit cards and I really enjoy its features (like instant notifications etc.).
I recently managed to get a premium credit card from my bank and I wanted to ask you if you think it’s a good idea to link it to this service (or similar ones) in order to protect my main premium credit card data from being exposed online and in real life. I would store my premium credit card in a safe place and spend with this Curve card.

Is this a good idea from a security standpoint?