Lallis and Higgins Blog

The 10 Worst Passwords of 2019

Joseph Coupal - Tuesday, May 26, 2020
Lallis and Higgins - Quincy, Weymouth, MA

POP QUIZ: What has been the most popular—and therefore least secure—password every year since 2013? If you answered “password,” you’d be close. “Qwerty” is another contender for the dubious distinction, but the champion is the most basic, obvious password imaginable: “123456.”

Yes, people still use “123456,” according to SplashData’s ranking of the most common passwords of 2019, which the security application company bases on its analysis of millions of passwords leaked on the internet.

“Disappointingly, there are no big differences between recent worst password lists and this year’s,” says Morgan Slain, SplashData’s CEO. That’s because consumers continue to stick with passwords that are simple and easy to remember—and therefore are far too easily hacked, he says.

Here are the 10 most popular, least secure passwords of 2019, per SplashData:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 1234567
  6. 12345678
  7. 12345
  8. llllll
  9. 123123

How to improve your own passwords:

1. Use a password manager app.

If you do, you’ll have only two passwords to remember: the password to the app and the password to the computer account you log into every day. (For work-owned devices, ask your employer’s IT team what they recommend.)

2. Use multifactor authentication (MFA) whenever possible.

MFA factors include what you know (a password), what you have (a device, such as a smartphone), and who you are (a fingerprint or facial recognition scan). Using MFA for verification, such as a code sent to a mobile device, in addition to strong, unique passwords, can give you better protection.

3. Don’t create passwords with real words.

In a so-called dictionary attack, a hacker uses software that systematically enters every word in a dictionary to figure out a password. To thwart such attacks, skip any words you’d find in Webster’s.

4. Don’t include personal details in your password.

Avoid using the name of a spouse, kid, pet, city of residence, birthplace or the like in a password, as a hacker could deduce that information from your social media accounts.

5. Use passwords that include all character types.

Go for a mix of upper- and lowercase letters, numbers and symbols.
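The tips above can be turned into an automated check. The following is an added example, not part of the original post or of SplashData's tooling: it screens a candidate password against the list above and against tips 3 to 5. The `SAMPLE_WORDS` set, the substitution table and the function names are assumptions made for illustration.

```python
import re

# The entries listed above from SplashData's 2019 ranking, copied as given.
WORST_2019 = {"123456", "123456789", "qwerty", "password", "1234567",
              "12345678", "12345", "llllll", "123123"}

# Constructed stand-in for a real dictionary word list (assumption).
SAMPLE_WORDS = {"summer", "dragon", "monkey", "garden", "sunshine", "welcome"}

# Look-alike substitutions (assumed table) that guessing software can undo.
UNLEET = str.maketrans("01345@$7!", "oleasasti")


def normalize(password):
    """Lowercase, drop leading/trailing digits and symbols, undo substitutions."""
    stem = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return stem.translate(UNLEET)


def screen_password(password, personal_details=(), words=SAMPLE_WORDS):
    """Return the checks a password fails; an empty list means none fired."""
    findings = []
    lowered = password.lower()
    core = normalize(password)

    # On the worst-passwords list, directly or after undoing decoration.
    if lowered in WORST_2019 or core in WORST_2019:
        findings.append("common")
    # Tip 3: a real word, even with digits appended or letters swapped.
    if core in words:
        findings.append("dictionary")
    # Tip 4: contains a name, pet, city or similar supplied by the caller.
    if any(len(d) >= 3 and d.lower() in lowered for d in personal_details):
        findings.append("personal")
    # Tip 5: every character type must be present.
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() and not c.isspace() for c in password),
    }
    findings += ["missing-" + name for name, ok in classes.items() if not ok]
    return findings


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("123456", "P@ssw0rd", "Summer2020!", "vT9#qLm2&xRw"):
        print(pw, screen_password(pw))
```

Note that "P@ssw0rd" and "Summer2020!" contain every character type and still fail, because the underlying word is on a list.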

Source: Security Smart Newsletter


RMV Implements Further License and Other Credential Extensions

Joseph Coupal - Friday, May 22, 2020
Lallis and Higgins Insurance

Many Expiring Licenses, Registrations, and Other Credentials Further Extended

The Massachusetts Registry of Motor Vehicles (RMV) has implemented further extensions to the renewal timelines for expiring motor vehicle inspection stickers, passenger plate registrations, professional credentials, and driver's licenses and learner's permits, including Commercial Driver’s Licenses and Commercial Permits (CDLs / CLPs).

While the RMV previously announced extensions for most credentials, passenger plate registrations, and inspection stickers expired or expiring in March, April, and May, an additional extension has been applied to those credentials, and an extension has been added to some credentials expiring in June, July, and August.

These extensions replicate the ongoing measures the RMV has taken to reduce the need for customers to physically visit an RMV Service Center or one of its business partners’ facilities, allowing for "social-distancing" by decreasing non-essential travel and customer volume. Additional longer-term extensions will also allow the RMV to ensure "social-distancing" guidelines are met as demand for in-person service and renewals resumes during the Commonwealth’s reopening phases.

The following new changes to expiration extensions are now effective:

  • Driver’s licenses and ID cards, including Commercial Driver’s Licenses (CDLs), that expired or will expire in March, April, and May 2020, will now expire in September 2020 and do not need to be renewed at this time.
  • Driver’s licenses and ID cards that will expire in June have been extended until October 2020; those that will expire in July have been extended until November 2020; and those that will expire in August have been extended until December 2020 and do not need to be renewed at this time.
    • The specific expiration date typically coincides with an individual’s birth date. Customers holding an RMV credential marked “Limited-Term” that has expired or will expire between March 1 and August 31, 2020 should visit Mass.Gov/RMV for more information and to check the validity of their credential.
  • The RMV also recently introduced an online renewal option for CDL holders if they are self-certified in the Non-Excepted Interstate (NI) category for medical certification.
  • Learner’s permits, including Commercial Learner’s Permits (CLPs), that expired or will expire in March, April, and May 2020, will now expire in December 2020. Learner’s permits that will expire in June, July, and August will also be extended until December 2020. This extension will allow additional time for permit students and driving schools to complete in-car instruction and a road test when those functions are authorized to restart safely.
    • Road tests for CDLs are still being conducted during the state of emergency. Massachusetts State Police manage CDL road tests, and require anyone taking a CDL road test to bring and wear a face covering for the entirety of the road test.
  • In accordance with updated guidance from the Federal Motor Carrier Safety Administration (FMCSA), all CDL Medical Certificates expiring between March 1 and May 31, 2020, have previously been extended until June 30, 2020 and no additional extension will be applied. However, all CDL Medical Certificates expiring between June 1 and August 31 have been extended until September 30, 2020 and do not need to be renewed at this time. Extensions to CDL Medical Certificates are intended to prevent license downgrades and elective medical visits, as well as alleviate demand on medical providers, during the State of Emergency.
  • The annual motor vehicle safety and emissions inspection stickers that have expired or will expire in March, April, and May 2020 have been extended until July 31, 2020. No additional extensions will be applied and inspection stations are open at their discretion within the public health guidelines to perform this work.
  • All passenger plate registrations that have expired or will expire in March, April, and May 2020 have been extended until July 31, 2020. The RMV has also applied a 30-day extension to registrations that expire in June, which will now expire on July 31, 2020. Registration renewals can continue to be performed online at Mass.Gov/RMV during this time.
  • All school bus, school pupil (7D), and bus registrations that will expire in June have been extended 30 days until July 2020.
  • Professional credentials for School Bus Certificates, School Pupil Transport Licenses (7D), Inspector Licenses, Inspection Station Licenses, Driving Instructor Licenses and Driving School Licenses that have expired or will expire in March, April, and May have previously been extended until 90 days after the state of emergency is lifted. The RMV has added June expirations to the previous extension and professional credentials that expire in June have 90 days after the state of emergency is lifted to renew.

Details on all of these extensions and additional information on RMV services and the RMV’s response to COVID-19 can be found here.

The RMV Business Partner Website has been updated to include details and recordings from recently held webinars hosted by the RMV to address issues arising as a result of the pandemic.


3 Ways Cybercriminals Are Exploiting the COVID-19 Crisis

Joseph Coupal - Monday, May 18, 2020
Lallis & Higgins Insurance - Quincy, Weymouth, MA

Cybercriminals are taking advantage of the coronavirus crisis to spread malware, disrupt operations, sow doubt and, as always, make a quick buck, via virus-themed emails, apps, websites and social media. Here are some of the techniques you need to watch out for:

1. Phishing emails

Sending unsuspecting recipients emails related to current tragic events is a classic tactic cybercriminals use to snag victims, and this pandemic is no exception.

Themes in these emails include analyst reports specific to certain industries, details of official government health advice, requests for donations, and offers of facemasks or other assistance regarding operations and logistics. These emails often contain malicious links or attachments, or requests for sensitive information. Delete them, and never click on the links or open the attachments.

“Our threat research team has observed numerous COVID-19 malicious email campaigns, with many using fear to try and convince potential victims to click,” says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. She says around 70 percent of the emails the threat team has uncovered deliver malware, with most of the rest aiming to steal victims’ credentials through fake landing pages like Gmail or Office 365.

2. Malicious apps

Although Apple has placed limits on COVID-19-related apps in its App Store and Google has removed some apps from the Play store, malicious apps can still pose a threat to users. One site, for example, urged users to download an Android app that provides tracking and statistical information about COVID-19, including heat map visuals. However, the app was actually loaded with Android-targeting ransomware now known as COVIDLock. The ransom note demanded $100 in bitcoin in 48 hours and threatened to erase contacts, pictures and videos, as well as the phone’s memory.

3. Bad domains

New websites are springing up that purport to disseminate information relating to the pandemic. In fact, many of them are traps for unsuspecting victims. Recorded Future, a company that analyzes threat data, has found that hundreds of COVID-19-related domains are being registered every day. The UK’s National Cyber Security Centre has reported fake sites that are impersonating the U.S. Centers for Disease Control (CDC) and creating domain names similar to the CDC’s web address to request passwords and bitcoin donations to fund a fake vaccine.
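A mail filter or proxy can flag such look-alike names before anyone clicks. The following is an added example, not from the original newsletter: it compares domains against a trusted list containing cdc.gov (the CDC's real address). The candidate domains are constructed under the reserved `.example` suffix, and `THEME_TERMS` and the function names are assumptions.

```python
TRUSTED = ("cdc.gov",)
THEME_TERMS = ("covid", "corona", "vaccine")  # assumed pandemic keywords


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(domain, trusted=TRUSTED, terms=THEME_TERMS):
    """Return reasons to distrust a domain; an empty list means none found."""
    d = domain.lower().rstrip(".")
    # The genuine domain and its real subdomains are never flagged.
    if any(d == t or d.endswith("." + t) for t in trusted):
        return []
    reasons = []
    labels = [label.replace("-", "") for label in d.split(".")]
    for t in trusted:
        glued = t.replace(".", "")  # "cdc.gov" -> "cdcgov"
        if (d.startswith(t + ".")  # trusted name used as a prefix
                or any(glued in label for label in labels)
                or any(edit_distance(label, glued) <= 1 for label in labels)):
            reasons.append("lookalike:" + t)
    reasons += ["theme:" + term for term in terms if term in d]
    return reasons


def triage(domains):
    """Map each flagged domain to its reasons, dropping clean ones."""
    flagged = {}
    for name in domains:
        reasons = classify(name)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample of domains seen in mail or proxy logs.
SAMPLE = ["www.cdc.gov", "cdc-gov.example", "cdcg0v.example",
          "cdc.gov.vaccine-fund.example", "covid-tracker.example",
          "weather.example"]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(name, reasons)
```

A `theme:` hit alone marks a domain for review rather than proving it malicious, since legitimate pandemic sites use the same words.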

Source: Security Smart Newsletter


Do’s and Don’ts of Secure Videoconferencing

Joseph Coupal - Tuesday, May 12, 2020
Lallis & Higgins Insurance - Quincy, Weymouth, MA

When the popularity of any technology increases quickly, the number of bad actors taking advantage of new and untrained users also grows. During the current pandemic, this has been happening with videoconferencing services and applications—for example, multiple reports surfaced recently of conferences being disrupted by intruders who inserted pornographic and/or hate images and threatening language into meetings.

While hijacked meetings are disruptive and disturbing for participants, a more insidious threat is intruders who lurk without revealing their presence—a nightmare for corporate security and individual privacy alike.

The good news is that many videoconferencing products include security settings that can prevent such incidents—but it’s up to the host to configure those settings, and attendees need to follow best practices as well. Here’s a list of videoconferencing security do’s and don'ts:

For Hosts

Do enable password protection.

Zoom, for example, now auto-generates a password in addition to a meeting room ID. Make sure your service uses both a meeting ID number and a string, and that it also has a separate password or PIN.

Do use waiting room features.

These put participants in a separate virtual room before the meeting and allow hosts to admit only those people they want to have attend.

Don’t record meetings unless it's absolutely necessary.

If you do record a meeting, make sure all participants know they are being recorded (the software should indicate this, but it’s good practice to tell them, too) and give the recording a unique name when you save it.

Don’t allow participants to screen share by default.

Your software should offer settings that allow hosts to manage screen sharing. Once a meeting has begun, the host can allow specific participants to share their screens when appropriate.

Do lock a meeting once all the participants have joined the call.

However, if a valid participant drops out temporarily, be sure to unlock the meeting to let them back in and then re-lock it after they return.

Do eject participants from meetings if an intruder is able to get in or becomes unruly.

This prevents them from rejoining.

Do make sure that if you host work meetings, you know the specific steps you should take in the software your company uses to ensure your conferences are secure.

For Hosts and Participants

Don’t post links to conferences on social media.

Hosts should invite attendees from within the conferencing software—and invitees should not share the links.

Don’t use video unless you need to.

Turning off your webcam and listening in via audio prevents possible social engineering efforts to learn more about you through background objects. Audio only also saves network bandwidth on an internet connection, improving the overall audio and visual quality of the meeting.

Do use the latest version of the software.

Security vulnerabilities are likely to be exploited more often on older software versions. Double-check that you are using the most up-to-date version available.

Source: Security Smart Newsletter


What to Check Before Your First Spring Classic Car Drive

Joseph Coupal - Monday, May 04, 2020
Lallis & Higgins Insurance - Quincy, Weymouth, MA

If you’re reading this, you almost certainly have a non-daily-driven classic car somewhere in a locked garage.

But you need to check a few things first.

Assuming the antique car has been sitting over the winter, say three to six months, the list below should be pretty good.

Tires

If, when you roll open the garage door for the first time in months, one of your car’s tires is wheel-on-the-cement flat, you kind of have to start with the tires, so let’s. Obviously, if that’s the case, you need to air that tire up before you can move the car. If you don’t have a compressor in the garage, buy a portable compressor that runs off the cigarette lighter socket, or better yet, runs off 12V DC or a 120VAC adapter. I’ll air up the tire and then see what it’s going to do. If you immediately hear it hissing from a puncture or a bad valve stem, then you need to stop everything, jack up the car, pull the wheel off, and either swap on another wheel and tire or get this one fixed. But if you don’t, you can see whether the leak deflates the tire over hours or days. Just remember that it deflated over the winter, so it’s going to do it again.

Then, check the pressure of all four tires. While you’re doing that, it’s a good idea to inspect the tire sidewalls for cracking. Odds are that if the car is stored indoors, the tires aren’t going to get much worse over a single winter, but it’s easy for 10 years to go by one winter at a time and the tires to cross from old-but-OK to sheeh-I-don’t-want-to-drive-farther-than-to-the-gas-station-on-those.

Battery

If the battery has been on a tender or trickle-charger for the winter, it’s probably fine. But if not, you can take a multimeter, set it to measure voltage, and put the two probes on the battery terminals. If it reads 12.6 volts, or near it, the battery is fully charged, and if it’s in good health and the cable connections are good, it should turn the engine over. But with every 0.2-volt drop, the battery loses about 25 percent of its cranking power, so if it’s reading closer to 12 volts than 12.6, it’s unlikely to crank the engine over without being connected to a good three-stage battery charger for several hours. So measure it, and if you need to charge it, charge it.

Fluids inside

Check the oil, coolant, and brake fluid levels. If the oil looks black, make a note to change it soon. Give a quick look inside the radiator or expansion tank to both check the level and see if there’s any oil in there indicating a weakening head gasket.

Fluids outside

Next, look under the engine compartment for evidence of leaks. Hopefully all you find is a few dots of oil from where the car’s been leaking out the front timing cover for the last 40 years and nothing more. Anything green is antifreeze, and its source should be identified before you drive the car, as a minor leak can quickly mushroom into a gusher. Blue liquid can be either antifreeze or washer fluid. Clear liquids are usually power steering or brake fluid.

Move to the back of the car where the fuel tank is, skooch under, look, and sniff. Vintage cars have metal fuel tanks, and they can leak from age, particularly with ethanol’s propensity for attracting water. Since it’s good practice to store a car with a full tank of gas (this eliminates the chance for humid air to get into the tank and contaminate the gas with water), if you find the tank leaking, it ruins your day, since you now need to drain it. Gas can also leak from rotted or cracked rubber fuel lines. Gasoline isn’t like oil or antifreeze; there should be a zero-tolerance policy for any amount of fuel leakage. You should also sniff in the engine compartment to be certain gas isn’t leaking there.

The critter check

If your garage has an affinity for rodents and they’ve made your car home, they can deposit a lot of material in the air cleaner in a short amount of time. It’s good insurance to pop the top off the air cleaner and have a quick look.

Hoses and belts

Give the hoses and belts a quick inspection. Squeeze the hoses. If any of them are pillow-y soft, order replacements. Inspect the belts for cracks and cuts and put a thumb on each of them to check the tension. If they’re obviously loose, take a moment and tighten them.

The crank-over

If the car has passed the above checks, the engine is ready to be cranked. If the battery is fully charged and registering about 12.6 volts, it should crank when you turn the key. If it doesn’t crank, clean the battery and cable terminals and try again. If the voltage is a little low, you can jump-start the car, but if the battery is deeply drained (turn the key and you get a click of the starter but that’s all), or worse, flatlined (less than 10.5 volts, or the car’s dash lights barely even turn on), it’s best to replace it before you drive the car. Alternators aren’t designed to charge deeply discharged batteries. Although old analog cars often don’t seem to mind, post-OBDII cars with a proliferation of electronic control modules can do very odd things, including bucking and dying, if a deeply discharged battery is jump-started and the car is driven.

If the car is fuel injected, it will likely start in just a few seconds when the starter is cranked. If it doesn’t, the fuel pump may not be running, either due to a popped fuse, stuck relay, or the pump itself. Carbureted cars often take much longer to start due to the lower fuel pump pressure, the need to refill the float bowls, the far less precise air/fuel metering, and the lack of direct spray into the cylinders. A short blast of starting fluid into the carburetor throat can coax the engine to life. If a carbureted car still won’t start after sitting, the problem is often that an old fuel line has become dry-rotted and is sucking air rather than fuel.

The eyeballs-on idle

Once the engine is running, let it idle for about a minute. Then shut it off and look under the engine for any fluid dripping or streaming out.

Twice around the block

It’s common for brake pads to stick to rotors from sitting. If the car has been stored indoors, the rotors probably won’t have rusted much, but still you want to scope it out. Take the car for an easy lap around the block. Brake gently to verify that the brake pedal is firm and functional, then more firmly. Pick up speed and do it again. Note any brake pedal shudder (pulsation), pulling to one side, and steering wheel shimmy. Pull back into the driveway and check again for any fluid leakage.

A real test drive

Take the car up onto the highway or other road where you can build speed. Verify that it comes up to operating temperature in about the middle of the gauge and stays there. Continue to test the brakes for shuddering or pulling. If the brake pedal is still pulsating, there are still unwiped deposits on it. A series of hard braking exercises (first verifying that no one is behind you) may wipe the rotors clean, or you may find that it doesn’t go away and you need to buy new rotors. If there’s steering wheel shimmy that wasn’t there in the fall, it’s likely the tires are flat-spotted from sitting. It may go away. It may not. Come home, recheck for fluid leakage, and check again the next morning.

If the car passes these tests, it’s in about the same condition it was in when put away in the fall and ready to enjoy in the spring. But keep in mind that it doesn’t mean that the car has been healed of any known problems. Cars are not biological systems; they don’t mend themselves with a good long sleep.

hagerty.com


