While the University is unclear on the contents of the portable device, it may have held a file containing names of approximately 5% of the student body, their student number and exam results.

It’s the uncertainty that is most worrying to me. Also their claim that they have strict policies in place relating to portable devices is a bit disingenuous. I’ve been through the policies and also looked at their data protection section and found some conflicting direction with regard to data handling and USB memory sticks.

The Data Handling Policy states the following about “NUI Galway Highly Restricted” data:

Storage of this data outside of the source system, for example on a laptop or memory stick; must be approved by the data owner. Where data is held outside the source system it must be encrypted.

That seems quite sensible, as approval would mean that somebody would know exactly what data is on there and it would then be encrypted. However their Encryption policy, has something else to say on USB memory sticks:

Portable storage capability such as DVD’s, CD’s and USB flash drives should not be utilised for classified data storage or transfer, even in an encrypted format.

So the handling policy says it’s fine, but the encryption policy says no. It’s obvious that the data handling policy wasn’t followed with this data breach.

I thought it interesting that they have plenty on their site for how to use USB memory sticks and the protections they have in place.

ISS have disabled Autorun on the all computers in the PC Suites as a precautionary measure to prevent the spread of viruses.  When autorun is disabled, a USB memory stick or software on a CD or DVD will no longer automatically start when inserted.

So that’s great … lots of protection there … or maybe not. What if the USB device impersonated a keyboard? It could inject keystrokes that open up a command line, execute a command to download dodgy software and execute it. I’m not making this up. The USB stick could also fry the electronics on your computer. Again this is something that happens.

These USB memory sticks are such a problem from a data breach perspective that I always recommend companies and organisations to either block them completely or put in place a solution that automatically encrypts all data on them.

I did dedicate an entire commandment to USB memory sticks. So you can get my deeply held views in there.

The NUI Galway data breach was an embarrassment for the University. I don’t think the exam results could be classified as sensitive personal data (special category). But I’m sure students wouldn’t like these been released publicly. As long as the powers that be learn a lesson from this sorry situation and implement more rigorous technical solutions, then it will hopefully prevent future, larger and more sanction-worthy breaches.

Lets be careful out there.

#SecuritySimplified #GDPR #SimpleGDPR

The post NUI Galway Data Breach – Lessons learned? appeared first on L2 Cyber Security Solutions.

What caused these vulnerable shopping carts?

Basically the bad guys are sneaking in via plugins to the websites. It was very similar to how crypto-currency mining code infiltrated UK government websites earlier this year. In the case of the vulnerable shopping carts of Newegg, they plugged their nasty code into the “Feedify” plugin. This plugin is used to gather feedback from customers.

So when a customer browsed to the Newegg site, the webserver loads up the website. It then goes and brings in the code from the plugins. The Feedify plugin that was compromised gets loaded and the malicious code starts monitoring. It’s waiting for credit card information to be typed in. Once it gets that, it sends it off to the evil doers, a hacking group called Magecart. This code was used to compromise the “Inbenta” customer service plugin with Ticketmaster and the “Modernizr” plugin for BA.

So how can I protect my website from this?

Well, you’ll need your web-person to do a couple of things.

1. Define a Content Security Policy (CSP) for your website
2. Set-up Sub Resource Integrity (SRI) verification of your website plug-ins

CSP will basically state the trusted locations that your website can load plugins from, so make sure these are set for your own site and that of your payment provider.

SRI is where you generate a “hash” (a unique code based on the content of an item) for your plugins when you create the site. When the plugin gets loaded by the browser of a customer, the plugin gets re-hashed and if the value does not match the original hash, then it has been altered.

You can get more details on CSP and SRI from Scott Helme’s blog.

In the meantime, #LetsBeCarefulOutThere.

#SecuritySimplified

The post Vulnerable Shopping Carts lead to Credit Card breaches appeared first on L2 Cyber Security Solutions.

First up though I did a short video recently explaining why loss of mobile devices (including laptops) is a Data Breach under #GDPR. Have a quick watch and then come back here.

Why was the laptop not encrypted?

They’ve not specified exactly what happened, but I surmise that eir use a third party package to secure their mobile devices and some of the many problematic monthly updates that Microsoft released in July caused them issues. It must have been bad for them to have to decrypt 1,500 laptops. In fairness to eir, they at least notified the Data Protection Commission (DPC) about this on the 10th of August.

What happened next?

At some point between 10th August and last weekend one of the 1,500 unsecured laptops was stolen outside. In other words an employee/contractor removed one of the laptops from eir’s premises and then fell victim to a thief.

What was on this eir laptop?

According to the report from the DPC – names, email addresses, mobile numbers & account numbers for 36,642 customers and names & contact details for 177 eir employees.

That doesn’t sound too bad … does it?

As I say to people in my training, it’s all about the context. If you are a florist and you lose a list of names and addresses of your customers, there may not be a significant risk to those individuals in respect to their rights and freedoms. So you probably won’t need to notify them about the breach. It might be a borderline call as to whether you would need to notify the DPC. I would say you should.

Now lets say that list of names and addresses are for clients of a sexually transmitted disease clinic. The context now shifts dramatically as there is now a significant risk to the individuals rights and freedoms. If that list became public, there would be much embarrassment to those people. So you would definitely be reporting to the DPC and also notifying the affected people.

In the eir laptop case, the fact there are emails and account numbers is quite concerning. If an evil doer uses all of the available information, they could craft an extremely plausible phishing e-mail, which they could con the victim into doing something that is not in their best interests.

Also, if the bad guys combined the detail from the eir laptop with some information they gleaned from answers to fun quizzes, they may be able to impersonate the eir customer to an eir customer service agent and effectively take over the customers account.

What should have happened?

Once eir were aware that all of these devices were unsecured, they should never have been allowed to leave the premises. They should have been locked to the employees/contractors desks and the keys stored in the kennel of a hungry rottweiler until the issue with the patch was rectified.

What have eir done?

Well they had been busily working away re-encrypting their laptops and according to the DPC’s statement they had all but 46 completed as of 22nd August.

They have also notified the affected customers, by email from a “no-reply” email address, which is pretty crappy. They really should have a specific email address and freephone telephone number for those impacted customers.

What should we all learn from this?

The most important thing we should all learn from this eir laptop theft case is that, if you have a mobile device of any type, even if it doesn’t currently have personal data on it, encrypt the thing! If it’s not encrypted, keep it securely stored in your premises – don’t ever take it off premises.

If you want to learn more about good security practice send an e-mail to info@L2CyberSecurity.com and we can talk to you about training and practical steps to improve your cyber security set-up.

#LetsBeCarefulOutThere

#SecuritySimplified

The post Eir laptop theft – could have been worse appeared first on L2 Cyber Security Solutions.

How will I know if my website will be marked “Not Secure”?

If the link to your website is https://www.mywebsite.ie (with mywebsite.ie being whatever your website name and domain is) then you will be OK. Close this article and get on with your life.

If however the link to your website is http://www.mywebsite.ie (no “s” after the http bit), then Chrome will highlight this in the address bar as being “Not Secure” like this:

What’s the difference between http and https?

http stands for HyperText Transport Protocol. It’s how web pages are transmitted around the internet. When your website is using http, it is transmitting all of the bits and pieces of data on your website to people browsing the site “in the clear” (i.e. exactly as it is seen). If anyone was to intercept the traffic, they would see exactly what it is that people are looking at on your website. They would also be able to add (or inject) data of their own into the traffic and thus make it appear that your website is serving advertisements (for example).

https adds the word “secure” to HyperText Transport Protocol. What happens now is that the data from your website will be encrypted (i.e. scrambled into meaningless gibberish) before it is transmitted to people browsing your website. If somebody intercepted the data, they would not be able to determine what it is that people are looking at on your website. The integrity of the data coming from your site is also maintained and nothing could be added to the traffic from your site.

My site is simple and boring. I don’t ask for peoples details or credit card information. Why is this happening?

A website that is using http only is very easily compromised and such a compromise could cause your business reputation damage. If you don’t believe me check out this video. If you want to watch the whole thing (it’s 24 minutes long) please do, but to see quickly just some of the compromises, watch from about 7:04 for about 5 minutes. I’m afraid he does talk very technically, but I think you will appreciate the consequences from seeing what happens to a plain, boring blog site.

The reason this is happening is because more than 50% of the websites on the internet are now being delivered by https. So we are all familiar with the sight of the word “Secure” in green along with the padlock:

What a lot of people would think is that this means the website is trustworthy … that is NOT THE CASE at all! All it means is the connection between the website and a person’s web browser is encrypted securely. Evil doers have lots of websites that have this “Secure” marker too.

So Google are switching the focus from highlighting sites using https to highlighting sites that don’t. So the green “Secure” with the padlock will disappear from “normal” sites. Then sites using http will be marked “Not Secure” in red. This will be an impetus to help drive the internet to being more secure.

My web person is saying that it will cost me money to get https on my website. This is just a rip-off!

Actually you can get https on your website for free, very easily. Your domain hosting provider may offer this service to you (my own host does so). If not, then Troy Hunt (the gentleman speaking in the video above) set up a website called HTTPS is easy on which he has 4 short videos on how you can set up your website to be https for free and in about 5-10 minutes (although there is one bit where you may have to wait 24 hours for the internet to work it’s magic).

Anything else?

If you want to get some more advice, drop an email with your questions to support@L2CyberSecurity.com and we’ll be happy to address them for you.

Also if you are interested in learning how to use the internet more safely, check out the training that we offer. If you want to find out more then call on 087-436-2675 or e-mail info@L2CyberSecurity.com.

In the meantime, watch those videos and see how you can stop your website be marked “Not Secure”.

The post Will your website be marked “Not Secure”? appeared first on L2 Cyber Security Solutions.

So how do I know these things? Where am I getting this figures from. Well just like November where I told you about the free Quad 9 service, which prevents you going to know evil sites or in December where I told you about the free Security Planner tool, which gave you simple advice on how best to protect your particular set-up, this month I give you the free Pwned Passwords tool, which was developed by highly respect security researcher Troy Hunt. Before you leap to the comments section highlighting my atrocious spelling – that’s how it is spelled – pwned is a computer gamer term for being completely dominated or compromised and is pronounced “powned” (to rhyme with “owned”).

So how does this pwned password tool answer the question is somebody else using your password? It’s quite simple, the Troy has got copies of online account information (including passwords) that has been breached from various sources over the last number of years. He has 500 million passwords on his database. Now he doesn’t have the passwords linked to their associated account, such that if he was hacked that somebody would get access to his juicy treasure trove of account information, it’s simply a database of passwords. He has used a certain very secure methodology to test the passwords, but there is no point in going into it here. If you’re a nerd with an itch to scratch, then you can read all about his methodology here.

So how should you use this tool? Simple go to the Pwned Passwords page and type in your various passwords. Here is the result for “123456”:

And the result for “LiamIsANiceHelpfulCyberSecurityPerson”:

So what should you do if your password has been used before, particularly where it has been used a LOT? It’s kind of obvious, but you need to change it. Yes, I know it’s a pain. Yes you might forget what you changed it to. Guess what? When you change it, write your new password down on a piece of paper and put it in your drawer or maybe your wallet/purse. ?

No I haven’t taken complete leave of my senses. But this is a case of risk reduction. Sure, you have an open copy of your password in a public-ish place, but it’s not going to be there forever. You will consult this piece of paper regularly in the first 3-4 days after changing your password. As your muscle memory starts to kick in, you will consult it less and less. After a week to 10 days you probably won’t be using the piece of paper anymore, so at that point you can destroy it.

Keeping this reminder of your password to hand will also enable you to do one more brilliant thing with your password and that is to make it LOOOOOONNNNNGGGGG. Don’t use “LiamIsANiceHelpfulCyberSecurityPerson” because that’s mine ? but either use a long passphrase (a sequence of words like my example) that is at least 15-20 characters long or use a password manager to generate a long nonsensical password which it has to remember, but you don’t. You only have to remember the master password, which you will have made it long and complicated. More details about passwords can be found under Commandment 8, including talk about password managers.

Actually, one of the other really cool things Troy has done was to enable developers to create plug-ins that can query his database of passwords. One of the password managers (1Password) has incorporated this functionality into it’s product, so if you chose a password that has been pwned, it will be flagged to you.

Finally, it would be remiss of me not to point out the main feature of Troy Hunt’s site. This has been around for many years and it’s the Have I been pwned? feature. All you do is put in your e-mail address(es) or User IDs and it will tell you if they were part of a data breach of some online service. He has details on nearly 5 billion breached accounts, so it’s pretty comprehensive.

The post Is somebody else using your password? appeared first on L2 Cyber Security Solutions.

As is usual, the vulnerability lies in the software that runs on these firewalls. This Adaptive Security Appliance (ASA) software is what has been found to be vulnerable by a researcher who was to present his findings at a security conference in Belgium last Friday. He hasn’t released all of the juicy details yet and there are no reported exploits in the wild, but that could all change.

The affected devices, according to Cisco, are:

• 3000 Series Industrial Security Appliance (ISA)
• ASA 5500 Series Adaptive Security Appliances
• ASA 5500-X Series Next-Generation Firewalls
• ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• ASA 1000V Cloud Firewall
• Adaptive Security Virtual Appliance (ASAv)
• Firepower 2100 Series Security Appliance
• Firepower 4110 Security Appliance
• Firepower 4120 Security Appliance
• Firepower 4140 Security Appliance
• Firepower 4150 Security Appliance
• Firepower 9300 ASA Security Module
• Firepower Threat Defense Software (FTD)
• FTD Virtual (FTDv)

If you have any of these devices in your network, you should be getting your IT support to patch it as soon as possible. There were reported issues with the initial patches, but Cisco have now rectified those too.

The big concern was to do with the Virtual Private Network (VPN) component on the firewall. If you are able to connect in remotely to your network by way of this VPN, then your entire network is at risk of being compromised.

Of course you’ve been following Commandment 3 and have a firewall in place. Now you’ve also got to employ Commandment 1 and keep it updated.

For the technical types who are reading this, you can get a much more in-depth view of the vulnerable Cisco firewall issues on a blog post by Omar Santos.

The post Vulnerable Cisco Firewalls appeared first on L2 Cyber Security Solutions.

This security planner was created by the good folk of the Citizen Lab, an interdisciplinary group based at the Munk School of Global Affairs at the University of Toronto. It’s really, really, really easy to use and will guide you through everything from start to finish.

1. It starts by asking what you use to handle private data (Windows computer, iThing, e-mail, etc.)
2. Then it asks what are your concerns (getting hacked,  infected, etc.)
3. Finally it asks if there is any particular reason for your concern (you’re being harrassed or dealing with a current issue, etc.)
4. Then it will give you an action list, with individual help on each thing that it recommends you to do.

What I really appreciated was the first step it seems to give for everything … it’s to do with two-factor-authentication:

Regular readers of my blog/newsletter will know I’m always going on and on and on about this. I don’t repeat myself often, unless it’s for a really, really, really good reason and two-factor-authentication is one such reason. It really does help protect your online accounts and so, where available, please, please, please use it.

So, for those of you reading this now, go ahead and use this security planner to help protect youself.

And then, when you go visiting your family over the Christmas period, particularly the more mature members of your nearest and dearest, why not sit down with them, fire up this website on their computer/tablet/phone and go through this fairly painless, simple process to get themselves as protected as you are. They’ll thank you for it and so will Santa. ?

Happy Christmas! ?

The post Simple Security Planner tool for EVERYONE! appeared first on L2 Cyber Security Solutions.

On further reflection, this is actually an extremely worrisome scenario. As an MP, Ms. Dorries would receive e-mail correspondence from her constituents on a daily basis. I wouldn’t expect all of them would be telling her she is doing a great job (though a small few might).

Most people contact their government representatives when they have a problem or concern. These problems or concerns are usually in respect to some dealing that they have with a government department, which they are hoping their elected representative can sort out for them.

The fact that an intern has full access to the representatives email because of password sharing, is staggering. Because they have Ms. Dorries password, when they use her e-mail, THEY are Ms. Dorries (in a virtual sense). So let’s for argument just say, this intern is a neighbour of the person who has e-mailed Ms. Dorries about a problem they have in accessing mental health services with the Department of Health.

The person sending the e-mail, sent it to Ms. Dorries … not to their neighbour … they would be justifiably horrified that their neighbour now knows they have issues with mental health. That information is sensitive personal data and must be protected at all costs.

Nadine Dorries has a very real operational issue to handle. She receives a lot of e-mail which she cannot be expected to process all on her own. However, the information she receives should always be considered sensitive personal data, so this needs protection (always has needed it and most definitely will continue to need it under the GDPR).

There is a facility in e-mail, that allows somebody to “delegate” access to their mailbox to others. Ms. Dorries should use this facility to delegate access to her mailbox to her “trusted” assistants. These trusted assistants should have some level of clearance and received data privacy/protection training, so they can then determine whether

1. they should pass the e-mail to Ms. Dorries for direct resolution on a most sensitive matter.
2. handle the matter themselves, in confidence.
3. or pass a minor, non-sensitive issue to an intern to handle.

The delegation function in e-mail will show an audit trail of what the delegate did with the e-mail, so there will be trace-ability if they do something naughty. By having the boss’ password, there can be no trace-ability.

Therefore, sharing your password where you handle sensitive personal data is a data breach, plain and simple. This is because others have unrestricted, unauthorised, untraceable access to this personal data, which means you’ve lost control of it. As summary punishment, you should be made to wear the underwear of this post’s featured image on the outside of your clothes while you await a judgement from the Data Protection Commissioner.

And may Helen Dixon have mercy on your password sharing soul. ?

The post Password Sharing = Data Breach appeared first on L2 Cyber Security Solutions.

What is DNS?

A Domain Name Service is the backbone of addressing, as every website is stored on a server located somewhere on the internet. Your favourite security website (www.L2CyberSecurity.com) is sitting on a server in Dublin. That server has an Internet address of 217.78.11.90. You don’t need to know that long-winded number. You just need to know the nice, friendly name L2CyberSecurity.com. When you type that address, or click a link to that address in your browser, your PC/Laptop will pass the friendly name to some DNS server (whichever one it is configured to use), that will then return the long-winded number to the browser, so off it goes to that server and dishes up the webpage to you.

How does the existing DNS fail to protect me?

If you currently use the DNS server that your provider gives you, or perhaps OpenDNS or Google’s DNS, then if you get infected with malicious software, this will probably try to “phone home”, i.e.- connect with a server controlled by the evil doers. It will look to connect to the server by referencing a friendly name (e.g.- www.scaryevilhackersoftware.co) and the usual DNS servers will resolve that to the bad guys server and facilitate the connection.

IT’S NOT THEIR FAULT! This is how the internet is supposed to work.

How does Quad9 protect me?

The good people over at IBM, the Packet Clearing House (PCH) and Global Cyber Alliance came together and set-up this global service. They have made it genuinely free to use, without any sneaky monitoring of what you do. When you have it set-up, Quad 9 will check a site you are trying to connect to against the IBM X-Force threat intelligence database of over 40 billion analysed web pages and images. it also uses feeds from 18 additional threat intelligence partners to block a large portion of the threats that present risk to end users and businesses alike. If the site you are trying to connect with is a known evil site, Quad9 will NOT resolve the friendly address to the long winded number. It will effectively return a “domain/site does not exist”.

That sounds great. How do I set it up?

For a business environment, please contact your IT Department or IT Service Provider. There could be internal DNS server dependencies which, if you implemented Quad9, might break an application. IT will need to make a determination on whether it can be implemented or not.

For home users, on the Quad 9 home page there are videos and instructions for configuring Mac and Windows desktops/laptops.

However, for the best possible coverage, I would recommend you have this setting applied to the router or modem that your service provider installed with your connection. It should be noted that some internet providers do not allow changes to be made to their router (Imagine and Sky are two examples). You may need to log a support request to have the change applied to your router.

If you are, or know somebody who is technically competent (and game-playing teenagers may not fit this criteria ?), the change is as easy as logging into the router and changing, whats called, the DHCP settings. Before anything is changed, you should make a note of what the current DNS settings are. Then all you have to do is change the primary DNS server to 9.9.9.9 (4 nines … Quad9 … get it now? ?). The secondary address can be set to whatever was previously the primary address. Be sure to save the setting and reboot the router.

When the router comes back up, any device that connects to it (laptop, desktop, tablet, phone, smart toaster, etc.) will receive the protection of Quad9 automatically.

If you have any connectivity issues after the change, then simply log back into the router and put back the DNS settings under DHCP that had been there before, save the setting and reboot the router again.

One thing I had concerns about was performance. I previously used Google’s DNS (8.8.8.8) which was always pretty responsive. So when I tested it’s performance against Quad9’s I found that Quad9 was generally faster than Google. They are improving the service all the time as demand increases, so it should always be very quick.

So for me it’s a ??.

The post Quad9 – Safer addressing on the internet appeared first on L2 Cyber Security Solutions.

I bring this up as a real-life scenario came to my attention this week. I was giving a training session and during a break one of the attendees asked me about a strange WhatsApp message that she received.

She showed me the message, which reportedly came from Apple, about a transaction on her account, that occurred in Mexico, which they blocked. There was a link for her to check her account. She told me that she had clicked on the link, and after signing into her iTunes account nothing else happened. Before I could say anything, she clicked on the link again and there was the sign-in page.

I have to say, that the WhatsApp message and sign-in page looked very plausible and legitimate. There were no spelling mistakes or lousy formatting. I had to break the news to her that she had given her iTunes ID and password to the bad guys and she needed to change her password as quickly as possible. So I took her through the process on her iPhone. When we got as far as here, I breathed a sigh of relief.

With this Two-Factor Authentication turned on, the evil doers would not be able to access her iTunes, without access to her phone. That’s because Two-Factor Authentication is like a double check. When you sign in to an account with an ID and password, the service does a double check and sends a code to your phone as a text message, which you then type in to complete the sign in.

While we were reassured that her iTunes account was reasonably safe from being immediately hacked, I still got her to change her password to something new. I also advised her to change any other account that used that password as well.

This Two Factor Authentication malarkey is such a good idea, I’d even created it’s own commandment.

The post Double check your security. appeared first on L2 Cyber Security Solutions.