LinkedIn Archives - L2 Cyber Security Solutions Ltd.

#WeekendWisdom 074 Data Scraping or Data Breaches

Liam — Fri, 16 Apr 2021 01:15:34 +0000

Welcome to #WeekendWisdom number 74. This week we’re going to talk about Data Scraping or Data Breaches?

https://www.l2cybersecurity.com/wp-content/uploads/2021/04/WeekendWisdom-074-lo.mp4

Why am I asking the question “Data Scraping or Data Breaches”?

In recent weeks, three of the large social media companies have had lots and lots of personal data exposed online by cybercriminals. Now these social media companies are claiming that these were data that were scraped from their services. That this information that is already in the public domain.

These may have been Data Scraping

In the case of Clubhouse which had 1.3 million records exposed and LinkedIn which had 500 million records exposed. Yes all of the data that was exposed is stuff that you can see on their platforms. You can see this information very publicly on their platforms. That’s a reasonable expectation. That’s what you use these sites for.

But my issue here is that LinkedIn and Clubhouse should have done much more. They could prevent data being exposed and scraped like that, in such mass quantities. That stuff can be slowed down. It can be made non-economical.

So yes, that was data scraping, maybe not really a data breach but more should have been done.

But this one is definitely a Data Breach

Facebook, which had 533 million records exposed, this is a different situation. They had my mobile number and I had only given it to them for the purpose of authenticating my log on and I had set it to not expose that information to the public. My mobile number was exposed to the public. So therefore that is a data breach, simple as.

Facebook are being disingenuous with their claim that this was data scraping.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

The post #WeekendWisdom 074 Data Scraping or Data Breaches appeared first on L2 Cyber Security Solutions Ltd..

Take a 2-Minute Privacy check-up.

Liam — Fri, 12 May 2017 15:47:08 +0000

After last week’s brief shenanigans with GMail getting phished badly and the recommendation I made about how to help correct and protect yourself from that nasty piece of work, I went ahead and did something I had not done in some time. A privacy check-up and there is also a security or account check-up available too.

Most of the big on-line services have this facility buried in their settings somewhere, but when you find them, they are really easy to go through and it can be an eye-opening exercise. I discovered on my personal GMail account, that a phone I had on loan while my own was off getting repaired was still an authorised device on my account. I wasn’t too concerned, because I myself had carried out a factory reset on that phone before I handed the loaner back in.

However, most people would not think to do such a thing and, while you would expect the repair shop to do it as part of their procedures, this does not necessarily make it happen … and I’m not talking about the small phone repair shops that are dotted about the place either. A friend got a loaner phone from one of the big mobile companies while her’s was sent for repair. She took a few photos one day and was browsing them that evening and she came across a few dozen photos of some people she did not recognise. She mentioned this to the shop when she collected her repaired phone. They apologised profusely, immediately did a factory reset on the loaner and showed her the completely empty device when it restarted. That was OK for her. But what about the previous user of the device. What if she knew even one of the people in those photos? What if the photos were embarrassing or worse … incriminating?

Anyway, I’ve done a Billy Connolly and wandered wildly off-topic, so back to privacy check-ups.

You can do these all at once, if you want, or just take 2 minutes each day over the next few days and do a privacy check-up and security/account check-up on each account. I would also recommend you do this on a desktop/laptop, as the mobile apps may not have the full set of privacy settings to be checked. Finally don’t just be looking for authorised devices, keep an eye out for Apps which are authorised on your accounts, which you may no longer use. You should really remove their access.

GMail … has both privacy https://myaccount.google.com/privacy and security https://myaccount.google.com/security check-ups

LinkedIn … has privacy https://www.linkedin.com/psettings/privacy and account https://www.linkedin.com/psettings/account settings pages.

FaceBook … privacy https://www.facebook.com/settings?tab=privacy and security https://www.facebook.com/settings?tab=security

Twitter … Privacy https://twitter.com/settings/safety and account https://twitter.com/settings/account settings

Other online services that you use might have something similar. Just go into their settings and search for privacy and account or security tabs and simply go through each of them.

You might even pop a reminder into your calendar to come back in 6 months time and review these settings again because lets face it, something will have changed.

And hey … Let’s be careful out there.

The post Take a 2-Minute Privacy check-up. appeared first on L2 Cyber Security Solutions Ltd..

Don’t ignore that e-mail from Lynda.com

Liam — Wed, 21 Dec 2016 11:48:36 +0000

I received two e-mails in recent days from online training provider Lynda.com customer care, this is because I have had two accounts with Lynda.com in the past. Both were set-up when they had a 30 day free trial offer, which I made use of.

I’m one of the 9.5 million customers/former customers of Lynda.com who have been contacted by them about a breach of their data security. They state that my contact information and courses taken were compromised, however they believe my password was not compromised. Here is the text of the e-mail:

We recently became aware that an unauthorized third party breached a database that included some of your Lynda.com learning data, such as contact information and courses viewed. We are informing you of this issue out of an abundance of caution.

Please know that we have no evidence that this data included your password. And while we have no evidence that your specific account was accessed or that any data has been made publicly available, we wanted to notify you as a precautionary measure.

So this doesn’t sound so bad. Right?

Nope. They have my contact information, so they have my name, e-mail address and mobile phone number. That means I could be targeted for phishing or even worse spear phishing. I tried to see if I could delete my Lynda.com account, but nothing obvious jumped out at me. I must check their online help and if there is nothing there, I will be contacting their “customer care” to try to get rid of these accounts.

There were 55,000 people who have been contacted by Lynda.com customer care telling them that their passwords have been compromised and so Lynda.com have forced a reset of their password.

I actually don’t care about my password, the hackers would be welcome to it, as that is unique to my Lynda.com account, I would not have used it anywhere else. However, to use their terms, out of an abundance of caution I have changed my passwords on the two accounts I have, to some complete gibberish that even I won’t remember. I’ve stored them in my password manager.

So what lessons can be learnt here:

Don’t re-use passwords … Get training from L2 Cyber Security Solutions or use a password manager.
If you sign up for free trials of services, but don’t continue with them, then have your account deleted/removed after you finished.
If they don’t allow that (they may need to hold on to your e-mail address in order to make sure you don’t sign up again and again with the same e-mail), then try to have as much other personal information as possible removed from their site (name, address, date of birth, telephone numbers, etc.)
Again, if you cannot remove the account, then before you stop using it, set the password to something completely nonsensical and don’t bother with it ever again.

The post Don’t ignore that e-mail from Lynda.com appeared first on L2 Cyber Security Solutions Ltd..

Here is a worrying aspect of the Yahoo breach.

Liam — Fri, 23 Sep 2016 16:48:06 +0000

Everyone has heard about the personal information related to 500 million Yahoo accounts being stolen from Yahoo in 2014. There’s lots of helpful tips out there (and some here too), but some people may not realise that they have a Yahoo account.

Yahoo provides e-mail services to some big internet service providers (ISPs), over in the US AT&T, Rogers and Frontier.com. Over on this side of the Atlantic Sky and BT are large ISPs operating in Ireland and the UK. Their e-mail services are powered by Yahoo.

There are reports that Sky and BT are contacting their customers, so that at least should hopefully highlight to those people that, yes, you do have a Yahoo account too, it’s just by a different name.

Helpful tip #1

A large amount of the Yahoo accounts will no doubt be dormant and no longer in use by their owners. I certainly had a Yahoo account quite some time ago, but I never associated it with myself (shock/horror – I lied on the Internet ?) or with any other account. The bad guys are welcome to it, as I know it can’t connect to me.

However if you used the same user name on a Yahoo account (dormant or not) on some other accounts (GMail, Facebook, LinkedIn, Microsoft, etc.) then the Yahoo account details could be tried by the evil doers against these other services.

Of course, you will have used the same password on them all, so that’ll make their life so much easier to ruin yours. ?

So the first tip is to change your Yahoo account password now. You should also change this password on all of the other online accounts that you use it on. However this time you might take the sensible decision and give every account a unique password. You can learn how to do this easily at the Internet Safety Training which L2 Cyber Security Solutions deliver. However if you struggle to come up with the means to do this, then you should invest in a Password Manager. This can do the hard work for you.

Helpful tip #2

On any on-line service that you use, if it has a means to implement, what is called, Two Factor Authentication, then turn it on NOW! I cannot stress how much this improves your security position just by turning this feature on.

I go into in more detail here, but briefly, if you are using Facebook or Dropbox (to name but two, there are dozens that subscribe to this method) you can download the Google Authenticator App onto your smart phone (available on Android and Apple). Then inside in the account security settings of your on-line service, activate the Two Factor Authentication, telling it you use Google Authenticator. It will put up a QR code on screen, which you show to the App and it will then start generating a 6 digit code that changes every 30 seconds.

So now what happens is that if you (or some evil doer) tries to sign on to your account from a different device or location, even if they have your password they will also now need the 6 digit code that is showing up on your Google Authenticator App. Without it, they get nowhere.

If the on-line service does not support Google Authenticator, then they might send you a text message instead. This is not quite as secure as the App, but it is better than nothing.

Helpful tip #3

It wasn’t just user name and passwords that were stolen, but details like date-of-birth, mobile phone number and answers to security questions.

Details like date-of-birth and mobile number are kinda hard to change, but the security questions are another concern. If you have some other on-line accounts that use the same security questions, now would be a good time to go and change these.

A much simpler solution would be to implement Two Factor Authentication, as outlined above.

Conclusion

The internet is a wonderful but dangerous place and there are a lot of bad guys who are making a lot of money from your accounts. So …

The post Here is a worrying aspect of the Yahoo breach. appeared first on L2 Cyber Security Solutions Ltd..

Protect your on-line accounts, but not with text messages.

Liam — Mon, 12 Sep 2016 15:01:28 +0000

As I outlined here, if you are using on-line accounts for e-mail, social media, etc. then one of the strongest means of protecting yourself from the evil doers is to use, what is called, two factor authentication. If you are not doing this now, you really should be as it improves your protection massively.

This is where you can set your on-line accounts to not only request your user ID and password (something you know) but also using your phone (something you have) by way of an app or sending you a text message with a code that you enter on the site to confirm you are you.

If you have this set-up to authenticate by a SMS Text message, then a bad guy who has access to your LinkedIn details from the 2012 hack should not be able to access your e-mail account using the password that they have recovered from there, because as soon as they try to access your e-mail account, you will be sent a text message. So you’re safe … right?

Well, if they have your LinkedIn details, they may also have your mobile phone number (or they have it from other means). So as soon as they try to access your e-mail and a text message is sent to you from your e-mail provider, they follow it up immediately with a text from themselves to say somebody is trying to access your account and to reply to them with the 6 digit code that you just received. If you do this, they immediately access your account and lock you out of it. You can see how this works on this short video from Symantec.

The three tips on that video at the end are very pertinent:

Beware of unsolicited text messages
If unsure, check with your account provider
Password recovery text services never require a response via text or other e-mail

So really, the best way to secure your account is to use an app on your smart phone like Google Authenticator, Authy or Duo. These are constantly generating random 6 digit codes which you can use to authorise your access to an account. These will work even in flight mode. So if you receive a text message asking for your code, you can simply ignore it. Here’s an example from Google Authenticator:

The training that L2 Cyber Security Solutions delivers, will give you a better understanding of the threats that are out there and show you how you can easily protect yourself from them.

The post Protect your on-line accounts, but not with text messages. appeared first on L2 Cyber Security Solutions Ltd..

A slew of fake LinkedIn connection requests.

Liam — Sat, 04 Jun 2016 11:46:44 +0000

For somebody who normally receives a LinkedIn connection request about once a week, yesterday I suddenly received 6! Wow, am I popular or what???

Well in this case I am popular … for the scammers. Each one was a fake profile.

Firstly none of them had a connection in common with any of my contacts. This always makes me question why are they trying to connect with me.

I then Googled the names and companies.

The first was “Adline matter”, apparently a doctor from the photo. Google reckoned I wanted Adelaide Matter. Ignore & Report as Spam!

The next was “James Freeman, of Sailer Benefit”. Google reckoned this was a Texan who had been executed for murder earlier this year. Deeper searching on the Sailer Benefit side showed no connection with a James Freeman. Ignore & Report as Spam!

The third was a “William Parker, of Barclays”. Lots of hits here, all indicating it was a scammer. Ignore & Report as Spam!

The next one was a real person! It was “Ayesha Gadaffi, of AYG Group”, the daughter of a certain Libyan Dictator. When the company name was included in the Google search, this highlighted it as a scam account. Ignore & Report as Spam!

The fifth was again a real person. Goes by the name “Asare Akuffo, of Bank Atlantec”. It shows that he is a banker, but there was no association with Bank Atlantec. Ignore & Report as Spam!

Finally, “Hesham Abdulla Al Qassim, Vice Chariman of the Board” is also a real person, but his Real LinkedIn (which was the first search result) shows him as CEO. Ignore & Report as Spam!

So folks, you should be wary of any connection request for people you do not know. It’s the same rule we should apply to receiving e-mails from strangers. Don’t accept connection requests from strangers, even if they have a common connection. If you are tempted, just spend a few extra seconds and Google them and their company or position and see what shows up.

Lets be careful out there.

The post A slew of fake LinkedIn connection requests. appeared first on L2 Cyber Security Solutions Ltd..