Young Hacker Infiltrates High School Database


We live in a world with multiple cyber threats, many coming from aliases in countries we have never been to. Within the United States, we have our fair share of hackers who cause major problems and confiscate sensitive data. It is sad and eye-opening when it happens at the high school level.


Recently, a 16-year-old boy gained access to a school database that held personal information like grades and attendance. By gaining access to this database, the student was able to change multiple attendance records and grades.


According to Ashley Carmen’s SC Magazine article, “Orange Public School district staff and authorities believe the student accessed the computer system through a teacher’s login credentials . . ., however, they aren’t sure of how he obtained access to the teacher’s password.” With the privacy and safety of students being a top priority over the last decade or so, it is surprising that many K-12 schools have not deployed a second factor for account logins for both students and faculty.


With this account hacking comes “multiple counts of second-degree computer theft for unlawfully accessing and altering data and one count of hindering apprehension,” according to Carmen. This case is going to be handled in Family Court.


As K-12 schools begin to invest in identity solutions, many are turning to PortalGuard for education, giving them stronger security and increased usability.

Press Release: Get the Level of Identity Management Your Campus NEEDS for Office 365



BEDFORD, NH– (Marketwire – June 25, 2014) – Today, PistolStar, Inc. announced the integration of its PortalGuard product with Office 365. This integration will give administrators the power to choose the level of convenience and security they desire for their students and faculty while accessing Office 365, including:


-Self Service Password Reset (SSPR)

-Single Sign-on (SSO)

-Two-factor Authentication


With PortalGuard integrated with Office 365, schools now get the level of identity management they need. Gregg Browinski, CTO of PistolStar, Inc. comments on the level of identity management and security with PortalGuard. “Using Office 365 guarantees 99.9% uptime for your campus email infrastructure, but this benefit is moot if students forget their passwords and can’t login. Federating Office 365 with a local ADFS instance can allow SSO but this just pushes a ‘forgotten password’ scenario further back to the desktop login and still lacks stronger two-factor authentication or self-service password reset options.” Browinski continues, “Swapping PortalGuard in place of ADFS in this architecture can provide standards-based web SSO and highly flexible SSPR from a single, tightly integrated, brandable, login interface.”


Using PortalGuard’s SSPR, students and faculty are given the power to reset their passwords from the web or desktop, reducing help desk calls and increasing ROI. SSO streamlines the login and reduces the barriers to access; with just a single login, the students and faculty gain access to all of their authorized applications, including: Blackboard, Moodle, Canvas, Banner, Google Apps, and Office 365.


PortalGuard provides you with the level of identity management your campus needs.

From Hacktivist to Cybersleuth

Hacker Gone Hero


It’s just like something out of the movies: a criminal mastermind gets caught, turns from his wicked ways, and eventually unveils a piece of the criminal mastermind world to help out the good guys. There is something intriguing in being able to see into the criminal mastermind and get a behind-the-scenes look at the secret life of these hacktivists. In the hacktivists’ world, there is a network of secret groups and ominous aliases that threaten to breach and expose a multitude of private and personal data.


In August 2011, Hector Xavier Monsegur, also known by his hacker alias “Sabu,” pled guilty to numerous charges relating to multiple hacktivist actions. Monsegur then proceeded to help reveal the true identities behind the aliases responsible for stolen identities and jeopardized corporations. According to The Daily Dot article LulzSec hacker-informant ‘Sabu’ set free, “After agreeing to help the FBI “immediately” after they busted him in his home on June 7, 2011, according to court documents, he proved extremely helpful to their investigations.” With Monsegur turned cybersleuth, FBI officials were able to prevent many major cyber attacks from taking place.


Monsegur is also the foster parent of two kids, and this was what drove Monsegur’s quick response of pleading guilty and cooperating fully with the FBI. According to USAToday, his attorneys stated “It was not a difficult choice for him. [. . .] his family came first.” Monsegur and his family are currently being relocated for safety purposes.

Press Release: Strengthening Web Authentication, Without Overcorrecting

BEDFORD, NH–(Marketwired – Jun 3, 2014) – Today, PistolStar, Inc. announced immediate availability of PortalGuard’s newest solution, PassiveKey. PortalGuard’s PassiveKey is a customer-driven response to deliver the latest in innovative identity solutions. PassiveKey transparently enables two-factor authentication while allowing the user to log in with the familiar username/password approach. This simultaneously strengthens authentication and eliminates the need for end-user training.

“Many think the correlation between strong security and identity logins is an unavoidable inconvenience to the end user. With PassiveKey, you can strengthen identity logins without ever impacting the end user,” says Thomas Hoey, founder and CEO of PistolStar, Inc. “Increasing security can be accomplished with many different second factor methods, but most stifle usability, negatively impacting the end user,” Hoey says. “Answering the need for both security and usability, PassiveKey cuts through all the hassle of second factors without ever compromising strong identity security.”




With PassiveKey enrolled on a user’s device, the user logs into the protected account like they normally would with their password while PassiveKey transparently generates and transmits a one-time token which is validated by the PortalGuard server based on a shared secret between the two. “It is clear that it is no longer enough to protect private information with just a password,” Hoey continues. “Authenticating the user today must be more than just a user’s password, but the login process must be as easy as using just a password.” Revolutionizing logins, PassiveKey is restoring the balance between security and usability.

About PistolStar, Inc.
PistolStar, Inc. was founded in 1999 and is located in Bedford, NH and provides multiple services through PortalGuard. PortalGuard is Your Ideal Identity Solutions Experience, providing dedicated services, innovative solutions, and proven value. For more information, visit our website.

Honesty is the Best Policy: Passwords, IT Security Professionals, and Llamas!



Well, the truth is that many organizations are just not enforcing the basics of Password Best Policies (PBP), never mind investing in and enforcing stronger identity security. With much emphasis on ROI, the truth is IT Security Professionals make the dangerous decision to purchase the minimal authentication solution just to have “something” in place. And the truth about Llamas is never tick off a Llama; they spit when provoked or threatened!


Passwords are precious things and have lost their importance in the eyes of the public. According to Teri Robison’s article, Study: Security pros still grappling with lax password policies, on SC magazine, “respondents to Lieberman Software’s ‘2014 Information Security Survey’ saying that they can still access systems at a previous place of employment by using old credentials. Disturbingly, in some cases, the report found, they can even access the systems of two or more employers.” A good place to start would be PBP, but sadly, Robison states that the 2014 Information Security Survey reports “quite a few respondents — nearly one in four — say their organizations don’t change their service and process account passwords within 90 days, which is recommended by most mandatory regulations.” This is staggering, and I believe there is a Llama spitting somewhere right now.


Also in the article, Robison quotes Lieberman stating, “’it’s astonishingly common’ in corporate and government networks for the administrator passwords . . . ‘to be shared across multiple systems, remain unchanged for extended periods of time, and be used without any access control or audit records.’” It goes without saying this is an unacceptable policy . . . anywhere!


With all the breaches in security you would think the lesson would be learned indirectly and companies would prioritize authentication security. But truth be told, Robison also quotes Lieberman stating, “a breach ups interest in investing in security, but not for long . . . with a ‘half-life mentality’ companies loosen the purse strings in the wake of a data breach, ‘diminishing back to basic security after a few months,’” a sad truth to be sure.


In closing, it is a no-brainer that Passwords must be stronger and PBP awareness shared, IT Security Professionals must invest in a solution that increases ROI, and stronger security means commitment!


So go ahead! Invest . . . the Llamas won’t mind.





Google Removes Ad Scanning for Apps within Education for Good

Recently, Google made an announcement via their blog stating they will be permanently removing any form of ad scanning for applications associated with education users. Google was quick to point out that they never intended to collect data in education-based Apps, and in the past, an Admin on campus would have had to enable the ad scanning. However, even if the admin had enabled ad scan, it will no longer be enabled within their environment.

To give you a brief overview of the ad scan, it is a blind algorithm that Google uses to scan your email and usage to provide you with more targeted advertisements based on your information.

The new Google policy is as follows:

“Google Apps for Education services do not collect or use student data for advertising purposes or create advertising profiles.

Gmail for consumers and Google Apps for Education users runs on the same infrastructure, which helps us deliver high performance, reliability and security to all of our users. However, Google Apps is a separate offering that provides additional security, administrative and archiving controls for education, business and government customers.

Like many email providers, we do scanning in Gmail to keep our customers secure and to improve their product experience. In Gmail for Google Apps for Education, this includes virus and spam protection, spell check, relevant search results and features like Priority Inbox and auto-detection of calendar events.  Scanning to provide product features is done on all incoming emails and is 100% automated. We do NOT scan Google Apps for Education emails for advertising purposes.

Additionally, we do not collect or use any information stored in Apps for Education users’ Google Drive or Docs (or Sheets, Slides, Drawings, Forms) for any advertising purposes”

Great news for business-based Google Apps users too: this policy will be carried over to these Apps in the near future. Google was quick to point out that it had permanently disabled this feature on all logged-in K-12 users last year.


Alarmingly Low Rate of Employees Receive Security Awareness Training

With the state of the economy, it is not too shocking that only 43% of employees receive security awareness training. Many companies have been faced with reducing their workforce and running “leaner and meaner,” thus devoting all hours of the workday to improving the company’s bottom line. It is hard to believe that such an important element has gone the way of the Dodo bird. One would think that more time would be dedicated to security training given the recent and highly publicized security breaches at other companies.

However, the results of a recent survey by Enterprise Management Associates (EMA) show that 56% of corporate employees have not received any security awareness or policy training.

A recent article from SC Magazine explains EMA’s findings, “Security Awareness Training: It’s Not Just for Compliance, 45 percent of employees received their training in a single annual session. But a one-off training session that covers a broad swath of security issues likely isn’t effective.”

According to the report, the average cost of providing security training is only $50. This seems like a small price, but multiply that by a few hundred users and you start to see why this simple exercise in protecting their company may be overlooked. Yet, providing the staff with proper training could result in saving the organization from the far greater expense of a data breach.

“35 percent said they clicked on an email from an unknown source and 33 percent have the same password for both work and personal devices.” White goes on, while “30 percent still leave mobile devices unattended in their car. They need to know why security is important.”

While under-education of the population at large can seem startling, a best practice for increasing security within any environment is to have a strong password policy that includes specific password expiration increments. In order to deploy such a password policy, the company must first roll out a self-service password reset program. Many companies turn to the authentication experts at PortalGuard for their self-service password reset needs and other authentication solutions.

How to Mend a Broken Heart: The Heartbleed Bug and what you need to know to protect yourself


The news broke this week that the Heartbleed Bug had affected an undetermined number of websites and their users worldwide. At this time it would seem that a large number of people are affected; however, the magnitude of this Bug may not be made clear for some time. Last year, the Adobe breach numbers grew drastically as time moved forward.

So what is the Heartbleed Bug?

The researchers who uncovered the problem describe the Bug as a serious flaw within OpenSSL.

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”

Currently affected sites:

Some of the popular websites that have been listed as vulnerable include the following:

How you can protect yourself.

There are a couple of different steps you can take to proactively protect yourself. The first step would be to change your passwords on all of the affected sites that are listed above. It would also be good practice to change all of your passwords in general, just to play it safe. The other, more drastic option would be to avoid using the identified sites entirely. However, this may not be a possible option if you are an active member of the sites affected.

Although many websites do not require password resets to occur on a regular basis, the authentication experts at PortalGuard highly recommend changing your password every 90 days. If you take this simple action, it can possibly save you from a lot of frustration and heartache.

Are You Only a Hacktivist Away from Chaos?


Data security is a hot topic right now with Target, Michaels, and other large companies reporting data breaches. After all the time, money, and publicity from the breaches, I am sure they wish they could turn back time and deploy a stronger authentication to guard against the black market hacktivists that caused the chaos.


In Cameron Shilling’s article “Is Your Business a Data Breach Away from Disaster?,” Shilling states, “data security breaches are not just perpetrated by Internet hackers looking for credit card numbers. For example, health care providers are targeted for medical and insurance information, and educational institutions are targeted for financial aid and personal information about students, parents and alumni.” If your company is housing private information, you are a target for the hacktivists. No matter how small or how large, your company is at risk.


Even though this is a serious problem, we take these warnings and disregard them with thoughts like “it could never happen to me” or “that takes too much time and money.” But it could happen to you, and a serious data breach is just one hacktivist away, resulting in losing personal information and credibility with your customers.


Many companies do not realize that a data breach can cost hundreds of thousands of dollars.


Shilling also points out that there are unforeseen costs to a company’s data breach: “costs include direct expenses to investigate, provide notifications and remediate the breach, such as for legal counsel, computer forensic consultants, public relations specialist, credit monitoring services and price concessions”; these make up about 40% of the total costs for “fixing” a data breach. Shilling goes on to point out that “the greater losses, which are often hidden to most businesses, arise from indirect costs, like diminishing revenue and profits from lost customer business, and diminishing employee productivity from time spent addressing the breach and its aftermath.” Without a doubt, it is more cost effective and efficient to deploy a strong authentication solution before the breach takes place.


Everyone should take the necessary steps to secure their systems and private information. It is well worth the effort to protect against breaches. Many companies and organizations are turning to the affordable, strong, hassle-free two-factor authentication like PassiveKey, created by the authentication experts at PortalGuard.


Don’t be at high risk anymore!




Shilling, Cameron G. “Is Your Business a Data Breach Away from Disaster?” Business Magazine Mar. 2014: 26-27. Print.

Ransomed Beauty: Is Your Identity Being Held for Ransom?


As a woman, I know all too well how much time and money we spend on beauty supplies. Whether buying the “next best thing” in the cosmetic department or trying the newest home remedy from your favorite blog, it all requires you to spend some cash or use a credit/debit card. But how much are you willing to pay: ten, twenty, fifty dollars? What about your identity? With the growing number of businesses reporting breaches in their databases, it is no surprise that Sally Beauty became a target to the black market hacktivists.


The breach at Sally Beauty happened sometime in late February, but according to Consumerist, Sally Beauty “had detected a network intrusion in late February, but neither Sally’s IT folks nor an outside forensics firm could find evidence that customer card data had been stolen.” But alas, Sally Beauty’s customer card data had been stolen, and not long after, a large amount of credit card information showed up on the black market. According to KrebsOnSecurity, “On March 2, a fresh batch of 282,000 stolen credit and debit cards went on sale in a popular underground crime store.” After that, the banks of the corresponding credit cards bought back the stolen cards off the black market. Once cards and banks were reunited, the banks could then determine where the breach had taken place based on what they call a “common point of interest purchase” (a test that checks whether there is a common store/website purchased from within the same time period across the ransomed cards).
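The common-point-of-purchase test described above can be sketched as follows. This is an added example, not code from the original post or from any bank's tooling; the transactions, card IDs, merchant names, and the `min_share` threshold are constructed assumptions. It also compares against cards not known to be stolen, so a merchant that everyone uses does not stand out merely by being popular.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real transactions): (card_id, merchant, date).
TRANSACTIONS = (
    [(c, "Grocery Chain", date(2014, 2, 22)) for c in "ABCDEFGH"]
    + [(c, "Beauty Retailer", date(2014, 2, 25)) for c in "ABCDE"]
    + [(c, "Online Shop", date(2014, 1, 10)) for c in "ABCD"]
    + [(c, "Gas Station", date(2014, 2, 26)) for c in "AB"]
)
# Cards the bank recovered from the underground store (constructed).
COMPROMISED = set("ABCD")
WINDOW_START, WINDOW_END = date(2014, 2, 20), date(2014, 3, 1)


def common_point_of_purchase(transactions, compromised, start, end,
                             min_share=0.8):
    """Rank merchants as candidate breach locations.

    Returns (merchant, share_of_compromised, share_of_clean, lift) tuples
    for merchants visited by at least `min_share` of the compromised cards
    inside [start, end], sorted by lift (compromised share minus clean share).
    """
    if not compromised:
        raise ValueError("need at least one compromised card")
    cards_by_merchant = defaultdict(set)
    all_cards = set()
    for card, merchant, when in transactions:
        all_cards.add(card)
        if start <= when <= end:  # only purchases inside the time window
            cards_by_merchant[merchant].add(card)
    clean = all_cards - compromised  # baseline population
    ranked = []
    for merchant, cards in cards_by_merchant.items():
        hit = len(cards & compromised) / len(compromised)
        base = len(cards & clean) / len(clean) if clean else 0.0
        if hit >= min_share:
            ranked.append((merchant, hit, base, hit - base))
    # A high compromised share with a low clean share is the strongest signal.
    ranked.sort(key=lambda row: row[3], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, COMPROMISED,
                                        WINDOW_START, WINDOW_END):
        print("%-16s compromised=%.2f clean=%.2f lift=%.2f" % row)
```

The time window matters as much as the merchant: widening it pulls in older purchases that every stolen card also shares, which changes the ranking.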


There is no doubt that many identities as of late have been ransomed on the black market, and besides using cash and checking your card activity often, there is not much that you as an individual can do. On the other hand though, companies and websites can implement a stronger turnkey authentication to protect the personal information of their customers from the black market hacktivists. That is why many have secured the identity of their customers by turning to the authentication experts at PortalGuard: an affordable, all-in-one, turnkey solution.