I have covered this area before, where I talked about Mobile App permissions. It’s pretty easy to see what permissions a Mobile App is looking for and to make an educated decision about whether it should receive those permissions by you.

In this newly revealed situation, some third-party developers, who create add-on apps for your e-mail may have actually had real people reading your e-mail. ?

The apps in question are usually performing some useful function, like monitoring your mailbox for meeting invitations and then suggesting appropriate times for the meeting. Or itinerary/travel planning apps that look for flight/hotel booking e-mails and then package them up into a useful, coordinated scheduling pack.

According to this Sophos report, when you install these (usually free) add-ons:

Users had to agree to share that information first, granting explicit permission for an app to access your Gmail account or your broader Google account. However, what users may not have known is that this doesn’t only give the third party company’s software access to your email. It gives developers inside those companies the ability to manually access them too.

And as is also reported in that Sophos report, one of the companies did admit to allowing their staff to actually read people’s e-mails, supposedly to include new features that people might find useful. However what’s at play here is that most people weren’t aware that their actual e-mails are being read by another actual human.

Most people, myself included, went “Meh!” when we heard that Google’s advertising algorithms were scanning our e-mail content, because it is some non-human thing that is looking at the cold hard data.

However, the notion that another actual human may have been reading sensitive, private discussions in an e-mail chain would be quite concerning to most people and rightfully so.

How can you find out who’s been reading your Gmail?

Well you might not be able to find out if they have read your e-mail, but there’s something really easy you can do to find out what apps have got access to your Gmail.

Check the apps with access to your account page for your Google account and review any apps you have there. I’ve just done it and found there was an app that I previously used to look at Google Analytics, but have since stopped using and uninstalled. However the app developers still would have had permission to access any Google Analytics data I had (which I don’t any more as I have stopped using that too). I simply clicked on the app and removed it’s access. It’s that simple.

If you do have these apps that can enable somebody to read your Gmail, you need to consider a couple of things:

1. If this is your business e-mail account, have you considered the #GDPR aspects of giving an external third party access to view personal data? You will need to have a Data Processing Agreement in place with the third party and also declare their access to the individuals whose personal data you process.
2. If this is your personal e-mail account, then you have got to make the determination if the app is so useful to you that you are happy to allow some developer, somewhere in the world read your e-mail.

For me privacy wins out every time.

Let’s be careful out there!

The post Who’s been reading your Gmail? appeared first on L2 Cyber Security Solutions Ltd..

It is tax season in the US at the moment and there are a lot of scams going on, which the IRS do warn people about. This one caught my attention because it was a simple attempt to steal e-mail account credentials. Apparently there have been some changes made to the US tax code, which people are aware of but may not fully understand them, which may be enough to cause somebody to fall for this scam.

What happens is the victim receives an e-mail with the subject of “Federal Tax Refund Information”.

This e-mail then says “Good afternoon, I have a very important information for you concerning the Federal Tax Refund which I know that it will help you. Kindly check the attached file to view the details.” For those of you unfamiliar with Commandment 5, you might be tempted to open the attachment.

The PDF that is attached, when opened, simply contains what looks like a link to a Google Drive document.

Which of course you want to look at because, money! There is also a sense of urgency introduced by saying the tax refund document is only stored for 14 days. While this is a fairly lengthy period by phishing standards, it still sows a sense of haste.

Clicking on the link, brings you to a website that looks an awful lot like a Google Docs sign-in page which, if you are not paying attention, might cause you to give away your Gmail account name and password. I refer, of course, to not paying attention in regards to the address of the sign-in page, which is circled in red:

That is not “https://accounts.google.com” which would be what you are would normally expect. Of course if a genuine account and password is provided, then the evil doers will now take full control over the e-mail account and use it for nefarious purposes, UNLESS of course you had followed Commandment 7 and used two-factor authentication. If you had, you could then laugh at the bad guys attempting to login as you and failing because of this brilliant protection mechanism.

Then you calmly go ahead and change that password in ALL accounts that you used it in, because it’s now compromised.

While this has been relating to the US tax season, expect similar carry-on during October in Ireland.

The post Sneaky Tax Refund e-mails appeared first on L2 Cyber Security Solutions Ltd..

Most of the big on-line services have this facility buried in their settings somewhere, but when you find them, they are really easy to go through and it can be an eye-opening exercise. I discovered on my personal GMail account, that a phone I had on loan while my own was off getting repaired was still an authorised device on my account. I wasn’t too concerned, because I myself had carried out a factory reset on that phone before I handed the loaner back in.

However, most people would not think to do such a thing and, while you would expect the repair shop to do it as part of their procedures, this does not necessarily make it happen … and I’m not talking about the small phone repair shops that are dotted about the place either. A friend got a loaner phone from one of the big mobile companies while her’s was sent for repair. She took a few photos one day and was browsing them that evening and she came across a few dozen photos of some people she did not recognise. She mentioned this to the shop when she collected her repaired phone. They apologised profusely, immediately did a factory reset on the loaner and showed her the completely empty device when it restarted. That was OK for her. But what about the previous user of the device. What if she knew even one of the people in those photos? What if the photos were embarrassing or worse … incriminating? 

Anyway, I’ve done a Billy Connolly and wandered wildly off-topic, so back to privacy check-ups.

You can do these all at once, if you want, or just take 2 minutes each day over the next few days and do a privacy check-up and security/account check-up on each account. I would also recommend you do this on a desktop/laptop, as the mobile apps may not have the full set of privacy settings to be checked. Finally don’t just be looking for authorised devices, keep an eye out for Apps which are authorised on your accounts, which you may no longer use. You should really remove their access.

GMail … has both privacy https://myaccount.google.com/privacy and security https://myaccount.google.com/security check-ups

LinkedIn … has privacy https://www.linkedin.com/psettings/privacy and account https://www.linkedin.com/psettings/account settings pages.

FaceBook … privacy https://www.facebook.com/settings?tab=privacy and security https://www.facebook.com/settings?tab=security

Twitter … Privacy https://twitter.com/settings/safety and account https://twitter.com/settings/account settings

Other online services that you use might have something similar. Just go into their settings and search for privacy and account or security tabs and simply go through each of them.

You might even pop a reminder into your calendar to come back in 6 months time and review these settings again because lets face it, something will have changed.

And hey … Let’s be careful out there.

The post Take a 2-Minute Privacy check-up. appeared first on L2 Cyber Security Solutions Ltd..

Fortunately there was nothing destructive in this phishing campaign, but it did cause quite a lot of consternation because it could have been very nasty. It was quite clever in how it fooled it’s victims.

What the evil doers did was to create an app called “Google Docs” … not to be confused with the official one from Google called … errrrr … “Google Docs” ?.

They then sent out their phishing e-mail, which looked like this:

In later occurrences of the phishing campaign, the blurred out name in the image above, was probably somebody you know or at least you were on their contact list. If you click on the “Open in Docs” button above, you launch the app called “Google Docs”, which sounds like the right kind of thing to happen – right? Then you get the following pop-up, which looks fairly legitimate, because it is:

The reason it’s legitimate is because this is the standard screen from Google in regards to this “new” app that you want to execute. The app developers (the bad guys) had to specify what permissions their app needed to carry out it’s nefarious deeds on your e-mail, and so Google helpfully popped up this window to ask you to give permission to the app for the parts of your GMail profile that it needed. Don’t freak out, there could be genuine reasons an app needs these particular permissions, so this would not have been a red-flag to Google … the app name on the other hand … ?.

Anyway, if you click “allow”, the app goes ahead and uses your contacts to e-mail a new copy of the phishing e-mail to all your contacts.

Fortunately Google resolved the issue reasonably quickly. If you think you might have been a victim of this attack, you can check very quickly by going to this link https://myaccount.google.com/permissions and if there is something in the list called “Google Docs”, then left-click on it and hit the “Remove” button. You’ll then be safe again, for now.

This was really clever because the evil doers were able to create a sneaky app, with a ridiculously trusty name, which then fooled people into granting seemingly required permissions in the platform (Google in this instance) to enable the app to do something bad. There are other platforms that use a similar set-up – Facebook and LinkedIn, so be on the lookout for any messages which try to execute apparently genuine “apps” that may try to give you a very bad day. Treat all messages that want you to do something that is out-of-the-ordinary with great suspicion. Or you could go all biblical on them and follow Commandment 5.

BTW – Google didn’t reveal the number of affected users, they just said less than 0.1% of the GMail accounts were affected – a tiny fraction, right? Well given they had over a billion users this time last year, means the not insubstantial figure of 1 million is how many were affected. ?

The post GMail had a bad case of the phishers. appeared first on L2 Cyber Security Solutions Ltd..