While the University is unclear on the contents of the portable device, it may have held a file containing names of approximately 5% of the student body, their student number and exam results.

It’s the uncertainty that is most worrying to me. Also their claim that they have strict policies in place relating to portable devices is a bit disingenuous. I’ve been through the policies and also looked at their data protection section and found some conflicting direction with regard to data handling and USB memory sticks.

The Data Handling Policy states the following about “NUI Galway Highly Restricted” data:

Storage of this data outside of the source system, for example on a laptop or memory stick; must be approved by the data owner. Where data is held outside the source system it must be encrypted.

That seems quite sensible, as approval would mean that somebody would know exactly what data is on there and it would then be encrypted. However their Encryption policy, has something else to say on USB memory sticks:

Portable storage capability such as DVD’s, CD’s and USB flash drives should not be utilised for classified data storage or transfer, even in an encrypted format.

So the handling policy says it’s fine, but the encryption policy says no. It’s obvious that the data handling policy wasn’t followed with this data breach.

I thought it interesting that they have plenty on their site for how to use USB memory sticks and the protections they have in place.

ISS have disabled Autorun on the all computers in the PC Suites as a precautionary measure to prevent the spread of viruses.  When autorun is disabled, a USB memory stick or software on a CD or DVD will no longer automatically start when inserted.

So that’s great … lots of protection there … or maybe not. What if the USB device impersonated a keyboard? It could inject keystrokes that open up a command line, execute a command to download dodgy software and execute it. I’m not making this up. The USB stick could also fry the electronics on your computer. Again this is something that happens.

These USB memory sticks are such a problem from a data breach perspective that I always recommend companies and organisations to either block them completely or put in place a solution that automatically encrypts all data on them.

I did dedicate an entire commandment to USB memory sticks. So you can get my deeply held views in there.

The NUI Galway data breach was an embarrassment for the University. I don’t think the exam results could be classified as sensitive personal data (special category). But I’m sure students wouldn’t like these been released publicly. As long as the powers that be learn a lesson from this sorry situation and implement more rigorous technical solutions, then it will hopefully prevent future, larger and more sanction-worthy breaches.

Lets be careful out there.

#SecuritySimplified #GDPR #SimpleGDPR

The post NUI Galway Data Breach – Lessons learned? appeared first on L2 Cyber Security Solutions Ltd..

What I’ve talked about above, is all prevention. However that doesn’t help you if you are staring at a monitor with a ransom demand on it. Let me give you a couple of examples of recently reported Ransomware incidents and how they were handled.

Bristol Airport recovers from Ransomware Incident

On the weekend of the 15th and 16th September, Bristol Airport suffered a Ransomware incident. This incident took their flight information screens off-line for much of the weekend. Luckily no other safety or flight systems were affected.

How did the authorities at Bristol Airport deal with Ransomware? They re-built the systems and restored backups. They did not pay the Ransom.

Scottish Brewery suffered a Ransomware incident from a job application.

In the last couple of weeks, the Arran Brewery in Scotland had all of it’s systems affected by Ransomware. They had been running a recruitment campaign, advertising for a role via their own website. The evil doers took that ad and posted it to some international recruitment websites. The brewery then started receiving several e-mails a day from interested candidates from all over the world. In among those e-mails the bad guys slipped in one with Ransomware. The CV got opened and their files got scrambled. Not only were their live files affected, but their recent backups were too. These were stored online, attached to their network. Their most recent offline backups were 90 days old.

How did the brewery deal with Ransomware? They also re-built their systems and restored what backups they had. In this case though, they did consider paying the (GBP) £9,600 ransom. They came to the determination that the value of the data they lost (90 days of sales data) was less than the cost of the Ransom demand. They also took into consideration that paying the Ransom does not guarantee they would get back their data.

The brewery then did something really sensible. They have kept a copy of the scrambled data.

Help may be available from the good guys.

There is a not-for-profit, freely available service called No More Ransom (https://www.nomoreransom.org). This is run by various Law Enforcement and Cyber Security firms around the world. They are constantly working on cracking the codes for the different Ransomware variants and enabling people to recover their data for free.

So the Arran Brewery is holding onto the scrambled data in the hope that someday they will be able to unscramble it.

So how should you deal with Ransomware?

Prevention is always better than a cure.

The first thing is to make sure you get your staff some security awareness training. This is something that I deliver. Details of the complete training is available here. We can do customised training to suit your organisation too. Call me on 087-436-2675 or e-mail on info@L2CyberSecurity.com to discuss your requirements.

Then ensure that you have your systems updated/patched regularly, have security appliances like Firewalls in place, Anti-Virus is generally helpful against malicious software and also you shouldn’t insert strange USB devices into your computers.

Finally, you should have a good data backup system in place. This can be a very simple set-up or more complicated depending on your business needs. Again, I offer advice and support on backup strategies and business continuity planning. I also have a commandment about backups.

That’s it! With all of the above in place, in the very unlikely event that you do subsequently suffer a Ransomware incident, you will be able to recover from it.

What if it would cost me less to pay the ransom?

This is a genuine struggle for a business owner, particularly small businesses. Recovering systems from a ransomware incident takes time, which costs money, and the business may be unable to operate while recovery is ongoing, so is not generating revenue. A good business continuity plan, should reduce such risks.

If you are tempted to pay, I just have two things I want you to consider:

1. There is no guarantee that you will get your data back. Figures vary wildly from 50% to 100% failure to recover data. If you pay and don’t get your data back, you will then have to pay the full cost of recovery anyway.
2. You are funding organised crime. You are paying criminals who not only do cyber crime, but human trafficking, drugs, weapons, etc. People think I am being jokey or have my tongue in cheek when I refer to Evil Doers. I’m not. This is an accurate description of these people. They! Are! Evil!

If you pay once, then the bad guys reckon you might pay again, so you will be a bigger target. My advice to deal with Ransomware is to implement preventative measures (call me on 087-436-2675 or e-mail info@L2CyberSecurity.com to have a no obligation chat) and never pay these evil doers.

What else do you need to consider?

Don’t forget that if the data that gets scrambled contains personal data, then you have a data breach on your hands, which may be notifiable under the new Data Protection Act 2018 which incorporates the General Data Protection Regulation (GDPR). I’ve a short video here:

Finally, if you do suffer a Ransomware incident, a crime has been committed, so please report it to local Law Enforcement. They may not be able to do much about it, but it needs to be reported for statistical purposes if nothing else. If it can be shown that Cyber crime is as big a problem, as I know it to be, then the more reports to Law Enforcement will mean they will get more resources to be able to tackle it’s root cause.

#LetsBeCarefulOutThere and #StaySafe

#SecuritySimplified #GDPR

The post How to deal with Ransomware. appeared first on L2 Cyber Security Solutions Ltd..

Basically the evil doers implanted malicious software on the Point of Sale (POS) terminals in the upmarket stores in the USA. For nearly a year (between May 2017 to March 2018) this malware was capturing customers credit/debit card details and passing this back to the bad guys. The crooks claimed to have gathered up to 5 million cards as a result of this hack and they have been selling off batches of them on the internet.

We are quite familiar with Chip & PIN usage in Ireland as we have had it for quite some time. This does offer a great deal of protection as your card information is stored in an encrypted form on the chip. However in the US, they are only at the early stages of rolling out Chip & PIN, so most people are still swiping their cards at the terminals. The magnetic stripes that are swiped do not have the data encrypted, and so the information can be accessed and passed on quite easily.

It’s not been revealed how the malicious software got onto their POS terminals, but it seems that the POS was compromised at all of their bricks and mortar stores in the US. Their online store was not affected.

Credit Card issuers are usually fairly good at detecting fraud by knowing their customers usual buying habits. So if somebody who usually spends €20-€50 on shopping items, suddenly attempts to buy high-end phones, tablets or televisions this should trigger an alert. However for the customers of Saks or Lord & Taylor, such behaviour is much less likely to trigger an alert. So the crooks might be able to make away with a lot of goodies as a result.

The parent group, HBC, needs to put in place better segmentation and monitoring on their network, so if one store gets compromised, the malicious software cannot find it’s way easily to another store. They should also apply Commandments 1 (automatic updates), 2 (anti-virus), 3 (firewall) and 9 (control use of USB sticks) to their POS network.

The post Posh POS was Compromised appeared first on L2 Cyber Security Solutions Ltd..

So how do I know these things? Where am I getting this figures from. Well just like November where I told you about the free Quad 9 service, which prevents you going to know evil sites or in December where I told you about the free Security Planner tool, which gave you simple advice on how best to protect your particular set-up, this month I give you the free Pwned Passwords tool, which was developed by highly respect security researcher Troy Hunt. Before you leap to the comments section highlighting my atrocious spelling – that’s how it is spelled – pwned is a computer gamer term for being completely dominated or compromised and is pronounced “powned” (to rhyme with “owned”).

So how does this pwned password tool answer the question is somebody else using your password? It’s quite simple, the Troy has got copies of online account information (including passwords) that has been breached from various sources over the last number of years. He has 500 million passwords on his database. Now he doesn’t have the passwords linked to their associated account, such that if he was hacked that somebody would get access to his juicy treasure trove of account information, it’s simply a database of passwords. He has used a certain very secure methodology to test the passwords, but there is no point in going into it here. If you’re a nerd with an itch to scratch, then you can read all about his methodology here.

So how should you use this tool? Simple go to the Pwned Passwords page and type in your various passwords. Here is the result for “123456”:

And the result for “LiamIsANiceHelpfulCyberSecurityPerson”:

So what should you do if your password has been used before, particularly where it has been used a LOT? It’s kind of obvious, but you need to change it. Yes, I know it’s a pain. Yes you might forget what you changed it to. Guess what? When you change it, write your new password down on a piece of paper and put it in your drawer or maybe your wallet/purse. ?

No I haven’t taken complete leave of my senses. But this is a case of risk reduction. Sure, you have an open copy of your password in a public-ish place, but it’s not going to be there forever. You will consult this piece of paper regularly in the first 3-4 days after changing your password. As your muscle memory starts to kick in, you will consult it less and less. After a week to 10 days you probably won’t be using the piece of paper anymore, so at that point you can destroy it.

Keeping this reminder of your password to hand will also enable you to do one more brilliant thing with your password and that is to make it LOOOOOONNNNNGGGGG. Don’t use “LiamIsANiceHelpfulCyberSecurityPerson” because that’s mine ? but either use a long passphrase (a sequence of words like my example) that is at least 15-20 characters long or use a password manager to generate a long nonsensical password which it has to remember, but you don’t. You only have to remember the master password, which you will have made it long and complicated. More details about passwords can be found under Commandment 8, including talk about password managers.

Actually, one of the other really cool things Troy has done was to enable developers to create plug-ins that can query his database of passwords. One of the password managers (1Password) has incorporated this functionality into it’s product, so if you chose a password that has been pwned, it will be flagged to you.

Finally, it would be remiss of me not to point out the main feature of Troy Hunt’s site. This has been around for many years and it’s the Have I been pwned? feature. All you do is put in your e-mail address(es) or User IDs and it will tell you if they were part of a data breach of some online service. He has details on nearly 5 billion breached accounts, so it’s pretty comprehensive.

The post Is somebody else using your password? appeared first on L2 Cyber Security Solutions Ltd..

Calm yourself, it’s not the website doing the money generation and you are not the beneficiary. The bad guys are! ?

Last weekend a security researcher called Scott Helme noticed that when he visited some government websites, the processor usage on his machine would suddenly spike. If he went to a normal site (like YouTube) the processor usage would be more normal. Some of the sites that were shown to cause this spike in processor usage were:

• The United States Court information portal www.uscourts.gov
• The UK’s Student Loans Company www.slc.co.uk
• The UK’s data protection body, The Information Commissioner’s Office www.ico.org.uk
• The Financial Ombudsman Service www.financial-ombudsman.org.uk
• Also some of the UK NHS services

Then some detective work revealed that these sites had one thing in common. They were all WordPress sites, but not only that, they all used a specific plug-in called BrowseAloud. This plug-in, created by a company called Texthelp, can be used by vision impaired people. It will speak the text on webpages to such individuals. There were over 4,000 sites shown to be affected by this compromise.

So what happened was, the evil doers compromised the plug-in software. When a web user browsed to an affected website and opened it in their browser, even without asking for the page to be read out to them, the plug-in would execute code which would “mine for monero cryptocurrency” or in normal language, it would generate money by using the web users processing power to carry out the complex calculations needed to create the cryptocurrency.

You might not think this is a big deal, but it is. Somebody is doing something illegal and using your machine to help them. It’s not your fault, but it is something to be concerned about. What if, instead of having plug-in execute code to generate money, that they used the processing power of your machine to send spam e-mail or target a particular web site to take it offline?

In fairness to Texthelp, as soon as they became aware of the issue, they took the plug-in offline until they resolved all issues with it. This kind of incident is similar to the Petya/NotPetya Ransomware outbreak last year, in that the software that is in use was compromised at it’s source (also known as a supply-chain attack).

It’s hard to protect against these types of incidents, particularly where you are browsing a reputable website, which might be using a plug-in that has been compromised. As always I would suggest using an updated anti-virus, keep your software fully updated and also use an ad-blocking extension/add-in on your browser.

The post Websites compromised to generate money appeared first on L2 Cyber Security Solutions Ltd..

As is usual, the vulnerability lies in the software that runs on these firewalls. This Adaptive Security Appliance (ASA) software is what has been found to be vulnerable by a researcher who was to present his findings at a security conference in Belgium last Friday. He hasn’t released all of the juicy details yet and there are no reported exploits in the wild, but that could all change.

The affected devices, according to Cisco, are:

• 3000 Series Industrial Security Appliance (ISA)
• ASA 5500 Series Adaptive Security Appliances
• ASA 5500-X Series Next-Generation Firewalls
• ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• ASA 1000V Cloud Firewall
• Adaptive Security Virtual Appliance (ASAv)
• Firepower 2100 Series Security Appliance
• Firepower 4110 Security Appliance
• Firepower 4120 Security Appliance
• Firepower 4140 Security Appliance
• Firepower 4150 Security Appliance
• Firepower 9300 ASA Security Module
• Firepower Threat Defense Software (FTD)
• FTD Virtual (FTDv)

If you have any of these devices in your network, you should be getting your IT support to patch it as soon as possible. There were reported issues with the initial patches, but Cisco have now rectified those too.

The big concern was to do with the Virtual Private Network (VPN) component on the firewall. If you are able to connect in remotely to your network by way of this VPN, then your entire network is at risk of being compromised.

Of course you’ve been following Commandment 3 and have a firewall in place. Now you’ve also got to employ Commandment 1 and keep it updated.

For the technical types who are reading this, you can get a much more in-depth view of the vulnerable Cisco firewall issues on a blog post by Omar Santos.

The post Vulnerable Cisco Firewalls appeared first on L2 Cyber Security Solutions Ltd..

It is tax season in the US at the moment and there are a lot of scams going on, which the IRS do warn people about. This one caught my attention because it was a simple attempt to steal e-mail account credentials. Apparently there have been some changes made to the US tax code, which people are aware of but may not fully understand them, which may be enough to cause somebody to fall for this scam.

What happens is the victim receives an e-mail with the subject of “Federal Tax Refund Information”.

This e-mail then says “Good afternoon, I have a very important information for you concerning the Federal Tax Refund which I know that it will help you. Kindly check the attached file to view the details.” For those of you unfamiliar with Commandment 5, you might be tempted to open the attachment.

The PDF that is attached, when opened, simply contains what looks like a link to a Google Drive document.

Which of course you want to look at because, money! There is also a sense of urgency introduced by saying the tax refund document is only stored for 14 days. While this is a fairly lengthy period by phishing standards, it still sows a sense of haste.

Clicking on the link, brings you to a website that looks an awful lot like a Google Docs sign-in page which, if you are not paying attention, might cause you to give away your Gmail account name and password. I refer, of course, to not paying attention in regards to the address of the sign-in page, which is circled in red:

That is not “https://accounts.google.com” which would be what you are would normally expect. Of course if a genuine account and password is provided, then the evil doers will now take full control over the e-mail account and use it for nefarious purposes, UNLESS of course you had followed Commandment 7 and used two-factor authentication. If you had, you could then laugh at the bad guys attempting to login as you and failing because of this brilliant protection mechanism.

Then you calmly go ahead and change that password in ALL accounts that you used it in, because it’s now compromised.

While this has been relating to the US tax season, expect similar carry-on during October in Ireland.

The post Sneaky Tax Refund e-mails appeared first on L2 Cyber Security Solutions Ltd..

This security planner was created by the good folk of the Citizen Lab, an interdisciplinary group based at the Munk School of Global Affairs at the University of Toronto. It’s really, really, really easy to use and will guide you through everything from start to finish.

1. It starts by asking what you use to handle private data (Windows computer, iThing, e-mail, etc.)
2. Then it asks what are your concerns (getting hacked,  infected, etc.)
3. Finally it asks if there is any particular reason for your concern (you’re being harrassed or dealing with a current issue, etc.)
4. Then it will give you an action list, with individual help on each thing that it recommends you to do.

What I really appreciated was the first step it seems to give for everything … it’s to do with two-factor-authentication:

Regular readers of my blog/newsletter will know I’m always going on and on and on about this. I don’t repeat myself often, unless it’s for a really, really, really good reason and two-factor-authentication is one such reason. It really does help protect your online accounts and so, where available, please, please, please use it.

So, for those of you reading this now, go ahead and use this security planner to help protect youself.

And then, when you go visiting your family over the Christmas period, particularly the more mature members of your nearest and dearest, why not sit down with them, fire up this website on their computer/tablet/phone and go through this fairly painless, simple process to get themselves as protected as you are. They’ll thank you for it and so will Santa. ?

Happy Christmas! ?

The post Simple Security Planner tool for EVERYONE! appeared first on L2 Cyber Security Solutions Ltd..

Here is the offending dodgy e-mail:

To me, there are a number of obvious indicators that this is a dodgy e-mail:

1. The sending address (the bit after “UPS View”) was not a UPS address.
2. The two links in the e-mail did not go to a UPS website.
3. Most obviously … I wasn’t expecting a delivery!

So lets take them one at a time:

• Some e-mail clients don’t actually show you the whole e-mail address of the sender. They just show the Display Name, which in this case is “UPS View”. So if you were using such a client, then it would appear to be a legitimate UPS e-mail address. However in my case, there was this @aol.com e-mail address, which is not associated with UPS.
• When you see a link in an e-mail or website, you can hover the mouse over it. Somewhere towards the bottom of your browser window, you should be able to see where the link is going to take you. In this e-mail’s case it was going here, which is not a UPS site:

• In my case I wasn’t expecting any delivery. But what if I was? What if I was an under pressure procurement clerk in a large organisation? I’d be getting deliveries on a regular basis. I’d be very inclined to click on those links.

Please note I carried out the following action on a sacrificial machine, so please do not be tempted to ever click on links to see what happens next. It could end very badly for you.

So what would have happened if I did click on the link? A word document, with a name that started “Tracking-3154631…” was downloaded. This document, if opened, would persuade me to click on “Enable Editing” and then click on “Enable Content”. Once I had taken those actions, macros (a set of instructions for a computer) in the word document would have downloaded a really nasty piece of software. Then all of my files would have been scrambled and I would be presented with a ransom demand to get my data back.

If I was that under pressure procurement clerk, it would not have stopped at just the files on my computer, but any files that I could access on the company’s network. That could be very, very disruptive to the organisation.

Out of curiosity, I checked the website (the bit before the “/UPS/16-Nov….”) that hosted that document. It appears to be a legitimate business website. However, they’ve probably been hacked by the bad guys, who are now using their site to host their malicious downloads.

UPS offer advice on fraudulent e-mails.

As usual, we’ve even got a commandment that covers dodgy e-mails too. So have a read to see what you can do to protect yourself.

The post Dodgy e-mail that looks legit. appeared first on L2 Cyber Security Solutions Ltd..

I bring this up as a real-life scenario came to my attention this week. I was giving a training session and during a break one of the attendees asked me about a strange WhatsApp message that she received.

She showed me the message, which reportedly came from Apple, about a transaction on her account, that occurred in Mexico, which they blocked. There was a link for her to check her account. She told me that she had clicked on the link, and after signing into her iTunes account nothing else happened. Before I could say anything, she clicked on the link again and there was the sign-in page.

I have to say, that the WhatsApp message and sign-in page looked very plausible and legitimate. There were no spelling mistakes or lousy formatting. I had to break the news to her that she had given her iTunes ID and password to the bad guys and she needed to change her password as quickly as possible. So I took her through the process on her iPhone. When we got as far as here, I breathed a sigh of relief.

With this Two-Factor Authentication turned on, the evil doers would not be able to access her iTunes, without access to her phone. That’s because Two-Factor Authentication is like a double check. When you sign in to an account with an ID and password, the service does a double check and sends a code to your phone as a text message, which you then type in to complete the sign in.

While we were reassured that her iTunes account was reasonably safe from being immediately hacked, I still got her to change her password to something new. I also advised her to change any other account that used that password as well.

This Two Factor Authentication malarkey is such a good idea, I’d even created it’s own commandment.

The post Double check your security. appeared first on L2 Cyber Security Solutions Ltd..