I’m not going to talk about the scary stuff that you see in movies about hackers taking control of vehicles and crashing them and that. No. I’m going to talk about something much more mundane than that.

Why am I asking the question about how safe are connected cars?

There are two stories that I’ve become aware of in recent times, which were quite similar though they were spaced many years apart.

The never ending lease

In the first case, there was a person who had leased a car from a particular manufacturer who had the car for a number years and then handed it back in 2016. Earlier this year (2020) they got a notification from that manufacturer about something to do with their car. And they thought “That was odd. I don’t own that car anymore.” So they thought they’d log into their online account for the car to see if their credentials were still valid. And they were.

They were able to see their car. Could see where it was located. They could turn on the engine. Could turn off the engine. They could open doors. Could lock the doors. So they still had access to their old car. Four years later!

An unexpected long term rental

Similarly another person late last year had rented a car for a period of time and they noticed that the manufacturer of that car had an App. So they set up the App which just needed the VIN number of the car and they were able to control car for the period that they had it rented for. 5 months later they still have access to the car and doing the same things. They could open doors, turn on the engine, etc. They notified the manufacturer about this but nothing had happened.

What do you need to do?

So if you’ve sold a car, traded in a car, gotten rid of a car, rented a car, make sure the damned thing gets reset. That nobody can gain access to your car after the fact.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom number 047 How Safe are Connected Cars appeared first on L2 Cyber Security Solutions Ltd..

Setting up an account is sooo easy

Cast your mind back to when you set up Whatsapp on your phone for the first time and you set up your account with them. Did you specify a User ID or Username? Did you give it a password? The answer is no. The only authentication was your telephone number, which your phone was giving the app.

Recycling is good for the planet, but not good for security

Mobile telephone numbers get recycled by telephone companies all the time. This is because they don’t have an unlimited amount of numbers that they can issue. If you watch enough crime programmes on the TV, you will see a lot of “burner” phones being used. These are basically a cheap phone and number that might only be used once or twice and then is disposed of forever. Also, people having affairs would sometimes have a second “secret” phone for communicating with their paramour. If the affair doesn’t last long, that phone number will be disposed of.

So phone companies that have old numbers, where a contract hasn’t been renewed or a prepaid number has not been topped up in some time, they will simply assign them to new SIM cards and push them out through their retail channels. Thus the number is recycled and reused.

This is what happened to Abby Fuller. She got a new number and when she installed Whatsapp, she had all of the messages from that telephone number’s previous owner restored onto her device. Because the number is the only means of identifying an account, this is why Whatsapp authentication sucks.

She took the correct course of action and deleted everything. However if she had a bad side, she could have downloaded all of the messages or even worse, she could have impersonated that number’s previous owner in those messages and caused all sorts of issues.

So Whatsapp authentication sucks. What can I do about it?

You can set up, what Whatsapp calls, two step verification. With this enabled, if you (or somebody else), try to setup Whatsapp with your number on a different phone, you (or they) will be asked for a PIN number, which only you should know.

It’s really easy to set up:

1. Go into your Whatsapp settings
2. Select Account -> Two step verification
3. It will have an explanation screen. Click Enable
4. Provide a 6 digit PIN number and then confirm it
5. Optionally (but recommended) you can provide an email address should you forget the PIN number, where a PIN reset request can be sent. You will need to confirm that email address
6. That’s it

If somebody gets your number or they try to take over your phone number, when they try to set up Whatsapp, they will need to input the PIN you just set up. It’s not really the best two step verification in the world, but it should be effective.

I must try and persuade the few Whatsapp groups that I am involved in to switch to something more secure like Signal.

Lets be careful out there.

#SecuritySimplified #GDPR #SimpleGDPR

The post Whatsapp Authentication Sucks appeared first on L2 Cyber Security Solutions Ltd..

This security planner was created by the good folk of the Citizen Lab, an interdisciplinary group based at the Munk School of Global Affairs at the University of Toronto. It’s really, really, really easy to use and will guide you through everything from start to finish.

1. It starts by asking what you use to handle private data (Windows computer, iThing, e-mail, etc.)
2. Then it asks what are your concerns (getting hacked,  infected, etc.)
3. Finally it asks if there is any particular reason for your concern (you’re being harrassed or dealing with a current issue, etc.)
4. Then it will give you an action list, with individual help on each thing that it recommends you to do.

What I really appreciated was the first step it seems to give for everything … it’s to do with two-factor-authentication:

Regular readers of my blog/newsletter will know I’m always going on and on and on about this. I don’t repeat myself often, unless it’s for a really, really, really good reason and two-factor-authentication is one such reason. It really does help protect your online accounts and so, where available, please, please, please use it.

So, for those of you reading this now, go ahead and use this security planner to help protect youself.

And then, when you go visiting your family over the Christmas period, particularly the more mature members of your nearest and dearest, why not sit down with them, fire up this website on their computer/tablet/phone and go through this fairly painless, simple process to get themselves as protected as you are. They’ll thank you for it and so will Santa. ?

Happy Christmas! ?

The post Simple Security Planner tool for EVERYONE! appeared first on L2 Cyber Security Solutions Ltd..

But do we really pay attention to these pop-ups that advise us what the app is looking to get permission to access? I would say no in most cases, because we just want to get the app and we trust the maker of said app, so let it have whatever it wants.

I’m raising this issue following:

1. the recent revelation about Snap Map, which is effectively Snapchat’s stalker mode, where you can see the current exact location of other Snapchat users.
2. a discussion with a colleague who uses an app that was developed for a small, rural community area and which she discovered showed the current exact location of any other user of the app.

In the case of Snapchat, they are a large corporation with a huge number of end users and the revelation about the Snap Map feature has gotten quite a lot of media attention. Therefore a lot of people will have become aware of it and for those people who are concerned for their privacy, there is a means of disabling it, while still using the app for it’s original intended purpose.

In the second case above, there is probably only a hundred or so end users of this app, which was supposedly a simple community noticeboard. The discovery of the map containing the location of current users was made by accident and caused great concern for my colleague, who is now going to speak with the app developer. There is no way to disable the location tracking without uninstalling the app.

That app, when it was being installed, obviously asked for permission to the person’s identity and location (amongst other things), but like most people, anybody downloading the app would have trusted their local app developer and just accepted whatever permission was requested by the app, without question.

I tend to be more careful about what permissions apps are looking for, before I let an app install or update (with new permissions). For example, I have an old Android phone (not my primary device), which is no longer receiving updates from Google. So there probably exists vulnerabilities which are not being patched (if you wonder why this is important, you obviously haven’t read Commandment 1 ).

I therefore downloaded the free Avast Anti-Virus app to give me an additional layer of protection (in keeping with Commandment 2). Initially it looked for permissions to in-app purchases, Device & App History, Identity, Contacts, Location, SMS, Phone, Photos/Media/Files, Wi-Fi Connection information and Device ID. I was a little cagey about it needing access to location. Avast is a large company with a good reputation, so I took the decision to allow it access.

Then several weeks ago it looked to update the app and needed some additional permission granted. Now it wanted the following:

I can see no justifiable reason for an Anti-Virus application to need permission to access the camera and microphone, let alone Bluetooth connection information. Viruses do not come through by the phone looking at or listening to something. So I have not allowed it to be updated.

Everyone really needs to be more careful when installing or updating apps, particularly when presented with the permissions pop-up. Just think “What is this app going to do for me?” and then go through each of the permissions it is asking for and say “Why does it need access to …?”. If you are really unsure, then please ask somebody who knows about such things (and not your pre-teen or teenager). If you want, you can reach us at support@L2CyberSecurity.com.

The post Permission to spy on you? appeared first on L2 Cyber Security Solutions Ltd..

The first occurred on Friday, late afternoon. I was speaking with a client on my business phone, when a call came in on my personal phone. It was a UK number +44-141-846-1617. I didn’t answer and let it go to voicemail, which a minute or so later showed that I had a message. When I finished speaking with my client I dialed 171 and listened to it.

There was silence for a long time and then “Hi. A free Euromillions Lottery ticket is waiting for you at the upcoming 45 million Euro jackpot draw. To redeem, press 1.”. This was repeated until the voicemail cut out. Here is a recording:

There was probably some sort of auto-dialler that was cycling through a set of numbers and playing the message at them. Presumably if somebody pressed 1, they would be connected to an “agent” who would kick off the sales-pitch, with “Oh good news, you have won a thousand Euro in a special draw, just give me all of your bank account details and PIN number and we can transfer that money for you.” and then proceed to empty your account. 

There were some reports in May about these calls coming from an Irish number, but this week it was a UK number.

The second of the phone scams came yesterday and was the old SMS text message with a link to a photo (apparently), and here is said offender:

It would be so easy to click on that link, but as I am a firm believer in Commandment 5, I resisted the temptation to click and instead fired up a sacrificial machine and typed the link into that instead .  After a moment of the web address changing in the browser (also known as a redirect) I was presented with, what appears to be, the start of a movie trailer and then this message:

So like a good sucker, I clicked on OK and was presented with:

Anybody who read last week’s post, will know that these kind of sign-ups, will usually mean entering a credit card number somewhere, which will then be milked dry by the evil doers. I traced the original link to a company based in the Seychelles, so at least the money would be going somewhere nice 

So, please don’t fall for these phone scams. There are many others, so if in doubt, just remember “If it sounds too good to be true, then it probably is.” and follow Commandment 5 for unsolicited e-mails, texts or social media messages with links.

The post Phone scams – some current examples appeared first on L2 Cyber Security Solutions Ltd..

As I outlined here, if you are using on-line accounts for e-mail, social media, etc. then one of the strongest means of protecting yourself from the evil doers is to use, what is called, two factor authentication. If you are not doing this now, you really should be as it improves your protection massively.

Well, if they have your LinkedIn details, they may also have your mobile phone number (or they have it from other means). So as soon as they try to access your e-mail and a text message is sent to you from your e-mail provider, they follow it up immediately with a text from themselves to say somebody is trying to access your account and to reply to them with the 6 digit code that you just received. If you do this, they immediately access your account and lock you out of it. You can see how this works on this short video from Symantec.

1. Beware of unsolicited text messages
2. If unsure, check with your account provider
3. Password recovery text services never require a response via text or other e-mail

The post Protect your on-line accounts, but not with text messages. appeared first on L2 Cyber Security Solutions Ltd..

When I was a teenager, watching slasher flicks like A Nightmare on Elm Street (the original 1984 version) and Halloween, in order to look like a “tough guy” I developed a sort of movie watching buffer whereby when any startling occurrence happened (e.g. the scary guy leaps out of the shadows), I would simply sit there all cool-like while all around me leaped out of their seats. I would mentally take a moment to let the occurrence happen and then internally say “Yep! That thing that happens in every scary movie happened” and just continue watching. I just don’t react to the situation the instant it happens.

The post A Nightmare on Quadrooter Street. appeared first on L2 Cyber Security Solutions Ltd..