Where is this coming from?

I have introduced the www.HaveIBeenPwned.com service to a number of people recently. They have gone on to the website. They have typed in their email addresses and in some cases they have found that they have been included in data breaches. When they’ve gone to look and see what was breached, in a number of cases they had at least their email address and password for that service were included in the data breach.

Also check out previous #WeekendWisdom 014, #WeekendWisdom 015 and #WeekendWisdom 016.

Data breaches are bad. What should they do?

So they asked me “What should I do?”. The first thing of course is always, they must change their password on that service or site or whatever it was that was breached. Then I ask “Do you use that password anywhere else?” And they say “Yeah. I use it on multiple sites” or “It’s my favourite password. I use it everywhere.”

So I said “Well you’re going to have to change that password on all of these other platforms.”

They say “That’s going to be an awful lot of effort. Why should I worry?”

Why did you call this post Credential Stuffing?

You worry because of a thing called Credential Stuffing. What happens is that the bad guys, they take these data breaches, say from LinkedIn back in 2012. They take those email addresses and passwords that they have cracked and they try to sign into Facebook, into Twitter, into Microsoft 365, into Google G Suite, into Gmail and many, many other services. The criminals will try all of these things automatically.

They are stuffing credentials into services to be able to try and break in. That is what credential stuffing is all about. That is why you should not use the same password across multiple platforms and services.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 056 Credential Stuffing appeared first on L2 Cyber Security Solutions Ltd..

1. There will be another large scale incident on a similar scale to WannaCry

Every year there are really large attacks using different methods to cause problems. In 2016 we saw huge floods of data attacking online services. This flood was caused by poorly secured internet connected security cameras. 2017 saw Ransomware worms in WannaCry and Petya/NotPetya. The latter of these was quite ingenious in the way it worked, as it used different methods to move around networks, once it successfully infected a machine. I’m going to guess that we’ll see something of similar complexity being used, perhaps in a more targeted way – possibly by way of altering a widely used application’s source code and lying dormant until activated.

There was one huge, record breaking event, but it didn’t feature in most of the global news as it affected a US based service provider. It was a large distributed denial of service attack, which I reported here. Earlier in the year, there was a situation where websites that used a certain popular plug-in were “mining” virtual currency for the bad guys. In September, there was number of well known websites, like Ticket Master and British Airways, who had their payment pages compromised. People who used those sites had their credit card information stolen.

I’ll take a partial on this, as the stories above didn’t have the same kind of media frenzy or global awareness as previous incidents.

2. Past Data Breaches will impact victims financially on a large scale

With so many data breaches occurring throughout 2017 (and for years earlier), there is a huge amount of useful and usable data that the evil doers can, if they used some big-data methodologies, mine to extract and target individuals and hit them financially. It’s not credit card numbers I’d be worried about, as the issuers are fairly good at catching fraud and protecting the card holder. It’s all of the other information that could be used to craft a very convincing e-mail/letter/WhatsApp message that will cause the victim to send money to the bad guys.

I reckon I got this one. Old passwords that were breached a long time ago (possibly from the 2012 LinkedIn breach), were used to make a sextortion e-mail appear more credible and a lot of people fell for it. According to some reports, 1,000 people paid approximately $500,000. An earlier analysis of the payments showed that some people paid up to $4,900, with the average being $1,900.

3. GDPR will cause a big Facebook-type company to be fined

I suspect there are individuals out there waiting in the long grass for May 25th 2018 to roll around so they can launch all manner of subject access requests on various companies and government departments that they don’t like. Just to be a nuisance. I do, however, expect that some large global corporation, that has a lot of personal data on a huge number of people, will end up being investigated and, either in 2018 or 2019, be levied a massive, multi-million Euro fine. But they will fight back and hold up the imposition of the fine for a number of years. They may even expose flaws in the GDPR legislation.

The cases are still under investigation, so I’ll take a partial on this, but it’s not a Facebook-type company that is going to be fined, but Facebook themselves. They currently have multiple post-GDPR investigations underway with the Data Protection Commission.

4. Crypto-currency hack

If BitCoin is still a valuable thing in 2018 (and hasn’t crashed and burned), I expect the evil doers will be doing their best to hack the BitCoin block chain in order to steal some of that sweet, sweet virtual currency.

This was a miss. I’ve not heard of any successful block chain hacks and BitCoin’s value has fallen so low, it’s probably not worth the effort to attempt to hack it any more.

5. Data breaches will see a massive increase in reporting in Ireland

While there have been data breaches reported in Ireland, they are few and far between. However, I fully expect that the requirement to report data breaches to the Data Protection Commissioner under the GDPR, will cause an increase in the reports of data breaches occurring. I have a useful short video here showing that there are many different types of data breach that might need to be reported.

This was a kinda easy one to predict. In 2017, there were on average 230 data breaches reported to the Data Protection Commissioner each month. Two months after the GDPR had been implemented, the Data Protection Commission (as it is now known) had received nearly 600 data breach notifications per month.

Results for my 2018 predictions

2 correct, 2 partials and 1 incorrect. Not too bad.

I don’t plan on doing this again next year. However, if enough people ask me to do so, then I’ll reconsider. Send me an e-mail at info@L2CyberSecurity.com and let me know if you want to see a 2019 set of predictions.

Wishing you and yours a safe and secure 2019.

Lets be careful out there.

#SecuritySimplified

The post Review of my 2018 predictions. appeared first on L2 Cyber Security Solutions Ltd..

Updated 05/12/18: To include the Dell, potential breach.

Last Wednesday, Dell announced a potential cybersecurity incident. This was followed on Friday when it was revealed that Marriott International Hotels had a massive 500m  records stolen. These were all forgotten by Monday for most normal people and then later on Monday Quora, an online question and answer forum had 100m records stolen. A couple of weeks ago, Amazon notified an unknown number of customers that their name and e-mail address were exposed. Earlier in the month, VisionDirect in the UK had lost payment card data for an undisclosed number of customers.

That’s just 5 companies that you probably have heard of. I covered the NUI Galway breach separately a couple of weeks ago. There were lots more breached last month. I’ll give a synopsis on each one of the five and then discuss what can happen.

Quora have some questions to answer

So Quora had ~100m records accessed by persons unknown. They detected the issue on Friday 30th November and on Monday 3rd December they endeavoured to contain the issue. They logged out the impacted individuals and forced them to reset their passwords when they log back in. What was taken by the bad guys?

• Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users

• Public content and actions, e.g. questions, answers, comments, upvotes

• Non-public content and actions, e.g. answer requests, downvotes, direct messages

They claim not many subscribers used the direct messages features, so really the most important items lost here was the account information.

Marriott reserve second place in the data breach tables

I actually missed this story on Friday the 30th November, as I had promised a customer a security assessment report by the end of the week. So I stayed off social media for the day, while I completed it. There were a LOT of tweets to get through that night! ? This is currently the second biggest data breach in history after Yahoo!’s almost impossible to match record breaking 3 billion accounts breach as revealed in October 2017. So what did Marriott lose? The contents of the Starwood guest reservation database, going back as far as 2014, containing:

• For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

• For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).  There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.

• For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.

Some of the data lost is genuinely concerning. Particularly the payment card information.

Bad guys try to ding dong Dell

This may or may not have been a breach. Dell haven’t given away too much information. Their security measures detected unauthorised activity that was …

… attempting to extract Dell.com customer information, which was limited to names, email addresses and hashed passwords.

Dell couldn’t say at this point whether these details were actually extracted from their systems by the bad guys. But even if they were unsuccessful in taking data, this just demonstrates that even massive companies like Dell can be broken into. Massive companies like … ⬇⬇⬇

Prime example of poor communication from Amazon

The Amazon data breach on 21st November doesn’t seem too bad. All that might have been compromised was name and e-mail address. However their notification to affected customers was pretty poor.

A lot of security professionals have said that this looks very “scammy”. While I would tend to agree as it’s very light on any details, there’s no suggestion that the recipient should take some urgent action. If that had been the case, I would fully agree.

Is there short-sighted security in place at VisionDirect?

Back on the 19th November, VisionDirect in the UK issued a statement about a data breach. The breach affected customers who updated their details or placed orders between the 3rd November and 8th November. What data was accessed by the evil doers?

The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.

In fairness to them, they were very specific about the timeframe when the website was compromised. “Between 12.11am GMT 3rd November 2018 and 12.52pm GMT 8th November 2018.” This was repeated ad nauseam.

What can happen when there are data breaches everywhere?

A common feature of all the above breaches are names and email addresses. While you might not think these are worth anything, 50,000 valid email addresses can be sold for up to $50 on criminal exchanges on the “dark web”. I hate that term by the way. It’s so “hackery”. Anyway, your email address has a small, but material value.

Payment card data is the next thing that is of immediate value, particularly where the bad guys have the CVV/3 digit security number. These can be immediately put to work purchasing vouchers which are then immediately spent. The card numbers are also valuable on their own and sell for up to $60 each. While Marriott had the credit card numbers encrypted, they were not sure if the required information to decrypt them again was also exposed. So I would assume that it was.

Passwords are the next concern. Quora had “hashed” passwords which is good. These are hard (but not impossible) to crack. They also forced a password reset on affected subscribers, so that’s another mitigation. With VisionDirect, the password was totally compromised. This is because it was captured when a user was signing on to the site. They forced password changes on people who were impacted. However, if the password is used on ANY other account, particularly email, banking and social media, then you must change them all.

The rest of the data that was breached is still incredibly useful to the criminals. In particular from the Marriott breach. They have reservation details, probably into the future. So they know the future likely movements of people. They have loyalty card information, which, along with other data points, can be used to compromise a person’s Starwood’s Preferred Guest account and re-direct the rewards elsewhere.

The amount of data leaked, over such a long time at Marriott is pretty bad. This can be merged with lots of other data breaches and the evil doers can build quite a profile on each individual. I’ve discussed before how breached data from multiple sources can be put to evil use.

Data breaches everywhere indeed.

How can we help?

As the saying goes, preparation is half the battle. If you’ve not prepared to handle a data breach, it will be a much bigger struggle. We can help you prepare, both for a breach and handling the aftermath.

If you want to discuss further, please call on 087-436-2675 or send an e-mail to info@L2CyberSecurity.com and somebody will get in touch. We will make it straightforward and easy for you to be ready for an incident.

Lets be careful out there.

#SecuritySimplified

#GDPR #SimpleGDPR

The post Data Breaches Everywhere appeared first on L2 Cyber Security Solutions Ltd..

While the University is unclear on the contents of the portable device, it may have held a file containing names of approximately 5% of the student body, their student number and exam results.

It’s the uncertainty that is most worrying to me. Also their claim that they have strict policies in place relating to portable devices is a bit disingenuous. I’ve been through the policies and also looked at their data protection section and found some conflicting direction with regard to data handling and USB memory sticks.

The Data Handling Policy states the following about “NUI Galway Highly Restricted” data:

Storage of this data outside of the source system, for example on a laptop or memory stick; must be approved by the data owner. Where data is held outside the source system it must be encrypted.

That seems quite sensible, as approval would mean that somebody would know exactly what data is on there and it would then be encrypted. However their Encryption policy, has something else to say on USB memory sticks:

Portable storage capability such as DVD’s, CD’s and USB flash drives should not be utilised for classified data storage or transfer, even in an encrypted format.

So the handling policy says it’s fine, but the encryption policy says no. It’s obvious that the data handling policy wasn’t followed with this data breach.

I thought it interesting that they have plenty on their site for how to use USB memory sticks and the protections they have in place.

ISS have disabled Autorun on the all computers in the PC Suites as a precautionary measure to prevent the spread of viruses.  When autorun is disabled, a USB memory stick or software on a CD or DVD will no longer automatically start when inserted.

So that’s great … lots of protection there … or maybe not. What if the USB device impersonated a keyboard? It could inject keystrokes that open up a command line, execute a command to download dodgy software and execute it. I’m not making this up. The USB stick could also fry the electronics on your computer. Again this is something that happens.

These USB memory sticks are such a problem from a data breach perspective that I always recommend companies and organisations to either block them completely or put in place a solution that automatically encrypts all data on them.

I did dedicate an entire commandment to USB memory sticks. So you can get my deeply held views in there.

The NUI Galway data breach was an embarrassment for the University. I don’t think the exam results could be classified as sensitive personal data (special category). But I’m sure students wouldn’t like these been released publicly. As long as the powers that be learn a lesson from this sorry situation and implement more rigorous technical solutions, then it will hopefully prevent future, larger and more sanction-worthy breaches.

Lets be careful out there.

#SecuritySimplified #GDPR #SimpleGDPR

The post NUI Galway Data Breach – Lessons learned? appeared first on L2 Cyber Security Solutions Ltd..

The first GDPR fine has been issued

The first GDPR fine in Europe has just been issued in Austria. Their data protection authority (DSB) has fined the owner of a business €4,800 for having a CCTV camera that was monitoring too large an area of the public footpath outside the premises. Large scale monitoring of public places is not permitted for private individuals or businesses under GDPR. There was also inadequate signage for the camera. Anybody who comes to my training gets told that sign makers will be making fortunes out of the GDPR.

What was also notable in that report, is that there are 36 post-GDPR fine proceedings pending with the DSB. So to reiterate – The GDPR hasn’t gone away you know.

And the GDPR hasn’t gone away in Ireland either

We know that the Data Protection Commission (DPC) have a number of investigations underway. Most publicly is the Facebook data breach. That has only just happened, so don’t expect to hear much on that until sometime next year probably. But there are a number of other investigations with prosecutions pending with the DPC right now. Once these come to light, I think we shall see an increase in interest from businesses wanting to get compliant.

Quick update on a previous story

A quick update on a previous data breach story. This is the USB stick that got mislaid from Heathrow Airport in October 2017. The UK’s Information Commissioners Office (ICO) has just hit Heathrow Airport with a £120,000 fine for that breach. Now the amount of personal data on that stick was limited enough. However the ICO decided to hit harshly due to poor corporate standards and staff training which led to the breach. This fine was brought under the old legislation, pre-GDPR. The maximum fine available under that law was £500,000. As the GDPR puts much more responsibility on companies to protect personal data, if they were to have the same thing happen now, they would get a much larger fine.

If there’s one take away from all of this – the GDPR hasn’t gone away. ? If you want to find out the type of training that I deliver, I’ve got my normal GDPR Awareness training and my ***ALL NEW*** GDPR Practical training is now available. Get in touch on info@L2CyberSecurity.com or call 087-436-2675 to discuss further.

The post GDPR hasn’t gone away. appeared first on L2 Cyber Security Solutions Ltd..

What caused these vulnerable shopping carts?

Basically the bad guys are sneaking in via plugins to the websites. It was very similar to how crypto-currency mining code infiltrated UK government websites earlier this year. In the case of the vulnerable shopping carts of Newegg, they plugged their nasty code into the “Feedify” plugin. This plugin is used to gather feedback from customers.

So when a customer browsed to the Newegg site, the webserver loads up the website. It then goes and brings in the code from the plugins. The Feedify plugin that was compromised gets loaded and the malicious code starts monitoring. It’s waiting for credit card information to be typed in. Once it gets that, it sends it off to the evil doers, a hacking group called Magecart. This code was used to compromise the “Inbenta” customer service plugin with Ticketmaster and the “Modernizr” plugin for BA.

So how can I protect my website from this?

Well, you’ll need your web-person to do a couple of things.

1. Define a Content Security Policy (CSP) for your website
2. Set-up Sub Resource Integrity (SRI) verification of your website plug-ins

CSP will basically state the trusted locations that your website can load plugins from, so make sure these are set for your own site and that of your payment provider.

SRI is where you generate a “hash” (a unique code based on the content of an item) for your plugins when you create the site. When the plugin gets loaded by the browser of a customer, the plugin gets re-hashed and if the value does not match the original hash, then it has been altered.

You can get more details on CSP and SRI from Scott Helme’s blog.

In the meantime, #LetsBeCarefulOutThere.

#SecuritySimplified

The post Vulnerable Shopping Carts lead to Credit Card breaches appeared first on L2 Cyber Security Solutions Ltd..

What is an extension?

These are little pieces of software that are available for internet browsers to provide some type of add-on or extra functionality. There are thousands of these kind of things out there and you might have some installed without realising it. One quick way is to look at the top of your browser window, on the right-hand-side of the address bar, there may be a few icons. Here is an example from my Chrome browser:

These extensions are:

1. LastPass (password manager)
2. Privacy Badger (blocks tracking cookies)
3. F-Secure Browser Protection (adds security for online banking pages)
4. HTTPS Everywhere (forces browser to use HTTPS version of websites where possible)

All security related for some reason. ?

Not all installed extensions may be shown on the browser bar. They may also be hidden, but still enabled. In order to find out what extensions you have, do the following:

• Google Chrome – paste the following address into a new tab chrome://extensions/
• Firefox – paste the following address into a new tab about:addons
• Edge – Click the three horizontal dots (top right of the browser) -> Extensions

If you have a lot of extensions, then you have a greater chance of falling victim to the bad guys.

How do we get dodgy extensions?

Most of the extensions you have are probably all legitimate and from a reliable source … originally. However, over time the developers of these extensions may sell them on or even just give up on them and somebody else takes control of the extension. In the case of the Mega.nz extension, the person responsible for the software was compromised. The extension was then infected for a period of time and it joined the ranks of the dodgy extensions.

The software started stealing users log-in IDs & passwords and sending them onto the criminals. To do this, it required additional permissions on the users browser, which unwary people granted. If you’ve used an extension that is actively being enhanced, you will regularly sees notifications that it has been updated. In the Mega.nz case, when the notification was issued, there was also a notice about the additional permissions that the evil doers needed to be granted in order to steal passwords.

Here is an example of the permissions needed by LastPass:

Those are already pretty extensive. If that suddenly required additional permissions, most people might tend to just click OK to “get on with it” and not stop to think “Why is this asking for enhanced permissions?”

What should I do?

If you have been using your computer for a while, you may have accumulated more and more extensions. So review all of the extensions you have. Remove those that you no longer use or don’t need.

You should also put in place controls on your staff, to prevent them from installing dodgy extensions. You don’t want them causing any kind of data breach which might fall into the auspices of the #GDPR.

If and when an extension gets updated, if it asks for additional permissions, always deny them. Then seek an expert opinion. An actual expert and not your 15 year old computer mad niece/nephew. You could send us details of the extension and what permissions it wants at info@L2CyberSecurity.com and we will answer free of charge.

If you would prefer a security review of your set-up we would be happy to arrange that too. Call us on 087-436-2675.

The post Dodgy extensions and not a builder in sight. appeared first on L2 Cyber Security Solutions Ltd..

I wasn’t deliberately going looking for data breaches or other data privacy concerns. However these two examples just leapt out at me. Please note that I have redacted sections of these pictures where there were potentially identifying features. I’ve also removed individual’s names, just in case you could make them out.

Staff roster and holiday plans on public display

I ate and drank in quite a few different establishments on my holiday, but this one had the staff roster and a holiday planner in plain sight, over one of the tills.

Because it was dark, the camera struggled to pick it out very clearly, but I could read the names clearly on the holiday planner (on the left). This had the staff names down the left hand side. Then the columns were for June, July and August and this is where the staff obviously noted their holiday plans.

The weekly roster is on the right, where again the staff names were down the left hand side. Then what shifts they were working each day was in the columns. I couldn’t make this out myself at the distance I was from it – approximately 2m.

If I had a better camera or better light, there is no doubt I could easily have got the complete staff list, their holiday plans and their work schedule for the coming week.

This is a breach of the staff’s right to privacy. Any member of the public could see when they were going to be on holiday or when they were going to be at work. This could lead to their home being broken into, as the bad guys know when they are going to be away. Or how about an abusive ex-partner? How much would they love to have this kind of information available to them.

The real shame about this … this place had a large back-of-house (kitchen and office) that all the staff had access to, but not the public. Why not post these things back there?

Staff surveillance

CCTV is used extensively in pubs and restaurants mainly for crime prevention and health and safety purposes. In this pub there was this ONE camera that only had eyes for one thing … this till

So obviously they were using this camera to keep an eye on staff to see if they were fiddling the till. This was a very obvious placement of a camera. This would not be considered “covert” by any means or standards. That’s me talking as somebody who notices this stuff for a living. If I was still in school, starting out on my first pub job, I may not notice such things.

Surveillance of staff needs to be declared by the employer. In this instance there should be a point in the staff manual noting that the tills are monitored by cameras. If an employer was to use secret cameras to monitor staff, they should also declare this. They should state that from time-to-time covert surveillance of employees, in the performance of their work, may be implemented.

Have you any holiday data breach snaps?

In both of the above situations, I have anonymously (I was on holiday, so I’m not hunting sales leads) notified the owners of the establishments about my observations.

When you are looking through your photos from your vacation, can you find any holiday data breach pictures? If you think you have, send them in confidence to info@L2CyberSecurity.com and I’ll let you know, but please don’t tell me the name of the place or the location.

If you would like to know more about different data breaches under the GDPR, check out the videos available on the GDPR section of my website.

#LetsBeCarefulOutThere

#SecuritySimplified

The post Holiday Data Breach Photos. appeared first on L2 Cyber Security Solutions Ltd..

First up though I did a short video recently explaining why loss of mobile devices (including laptops) is a Data Breach under #GDPR. Have a quick watch and then come back here.

Why was the laptop not encrypted?

They’ve not specified exactly what happened, but I surmise that eir use a third party package to secure their mobile devices and some of the many problematic monthly updates that Microsoft released in July caused them issues. It must have been bad for them to have to decrypt 1,500 laptops. In fairness to eir, they at least notified the Data Protection Commission (DPC) about this on the 10th of August.

What happened next?

At some point between 10th August and last weekend one of the 1,500 unsecured laptops was stolen outside. In other words an employee/contractor removed one of the laptops from eir’s premises and then fell victim to a thief.

What was on this eir laptop?

According to the report from the DPC – names, email addresses, mobile numbers & account numbers for 36,642 customers and names & contact details for 177 eir employees.

That doesn’t sound too bad … does it?

As I say to people in my training, it’s all about the context. If you are a florist and you lose a list of names and addresses of your customers, there may not be a significant risk to those individuals in respect to their rights and freedoms. So you probably won’t need to notify them about the breach. It might be a borderline call as to whether you would need to notify the DPC. I would say you should.

Now lets say that list of names and addresses are for clients of a sexually transmitted disease clinic. The context now shifts dramatically as there is now a significant risk to the individuals rights and freedoms. If that list became public, there would be much embarrassment to those people. So you would definitely be reporting to the DPC and also notifying the affected people.

In the eir laptop case, the fact there are emails and account numbers is quite concerning. If an evil doer uses all of the available information, they could craft an extremely plausible phishing e-mail, which they could con the victim into doing something that is not in their best interests.

Also, if the bad guys combined the detail from the eir laptop with some information they gleaned from answers to fun quizzes, they may be able to impersonate the eir customer to an eir customer service agent and effectively take over the customers account.

What should have happened?

Once eir were aware that all of these devices were unsecured, they should never have been allowed to leave the premises. They should have been locked to the employees/contractors desks and the keys stored in the kennel of a hungry rottweiler until the issue with the patch was rectified.

What have eir done?

Well they had been busily working away re-encrypting their laptops and according to the DPC’s statement they had all but 46 completed as of 22nd August.

They have also notified the affected customers, by email from a “no-reply” email address, which is pretty crappy. They really should have a specific email address and freephone telephone number for those impacted customers.

What should we all learn from this?

The most important thing we should all learn from this eir laptop theft case is that, if you have a mobile device of any type, even if it doesn’t currently have personal data on it, encrypt the thing! If it’s not encrypted, keep it securely stored in your premises – don’t ever take it off premises.

If you want to learn more about good security practice send an e-mail to info@L2CyberSecurity.com and we can talk to you about training and practical steps to improve your cyber security set-up.

#LetsBeCarefulOutThere

#SecuritySimplified

The post Eir laptop theft – could have been worse appeared first on L2 Cyber Security Solutions Ltd..

Under Armour report that the MyFitnessPal breach included user names, e-mail addresses and hashed passwords (hashing is the way to scramble passwords).

This breach was detected last weekend, on 25th March. The data itself had been last accessed by the evil doers in February.

As part of the notification, Under Armour stated that they:

• are notifying MyFitnessPal users to provide information on how they can protect their data
• will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately
• will continue to monitor for suspicious activity and to coordinate with law enforcement authorities
• will continue to make enhancements to their systems to detect and prevent unauthorised access to user information

All good steps to be taken. I particularly applaud the engagement with law enforcement. As I stated in the post about the overwhelming attack which was detected earlier this month, businesses need to start reporting these criminal activities, so our own Garda Síochána can get better statistics which will support more funding for the Garda Cyber Crime Bureau.

Under Armour also provided the affected users with good advice:

• Change your password for any other account on which you used the same or similar information used for your MyFitnessPal account
• Review your accounts for suspicious activity
• Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data
• Avoid clicking on links or downloading attachments from suspicious emails

I suppose it was too much to hope that they would give a suggestion that users should also start using two-factor authentication where possible. Hopefully one of the enhancements that they will make to their systems will be to introduce such a feature.

Have a watch of my short 10 minute video which tells you all you need to know about two-factor authentication:

The post MyFitnessPal Breach – Bigger than Equifax appeared first on L2 Cyber Security Solutions Ltd..