Where is this coming from?

I met somebody earlier this week who had been in one of my training sessions earlier this year. They had been going on about the changes they had made as result of that training course. The main one he was delighted with was the use of an authenticator app for multi-factor authentication or two factor authentication.

He had put this on, on many of his accounts and he was delighted with it. Because when he had checked his email addresses on www.HaveIBeenPwned.com he found that he had been in a number of data breaches and that his passwords had been exposed in those data breaches. So he made absolutely certain put on multi-factor authentication on those accounts.

That sounds like a good course of action

Then I asked him “and you changed your passwords. Right?”

He said “No. No. I can never remember … I always forget my passwords when I change them. So I use the same password all the time. But now the accounts are fully protected sure with the MFA.”

What is wrong with that?

But I was explaining to him that if he continued to use the same password, that has been included in a data breach, then this is going to be in the public domain and criminals are going to be using that password to try and break into any other accounts that he might have, that he might not have protected with MFA.

So poor passwords and MFA is not a good idea

So really he needed to go and make an investment and get himself a password manager and I reiterated that and I will always keep saying you should use a password manager to generate unique long strong passwords for every single account that you have online. Let the password manager remember them. That’s it’s job.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

The post #WeekendWisdom 090 Poor Passwords and MFA appeared first on L2 Cyber Security Solutions Ltd..

What is this Zyxel Backdoor you are talking about?

Just after Christmas, Zyxel networks revealed that some of their firewalls and Wi-Fi access point controllers had been discovered to have a hard-coded user ID and password which would enable anybody who could connect to that device, to be able to sign into it and take control of it.

Now because it’s a hard coded user ID and password, it’s not possible to change that on the device itself. So since then Zyxel has released some updates for their firmware, for those devices. Here is the link to their website, so you can go and find out if you have a device that is affected.

https://www.zyxel.com/support/CVE-2020-29583.shtml

I’m not sure whether I have one of those?

But this then begs the question. Do you know if you have a Zyxel device on your network?

If you remember waaaaay back in #WeekendWisdom number 1, I talked about needing to have an inventory of all of your hardware so that you could quickly go and find, if you hear a report like this, you say “Do I have Zyxel equipment?” … check the inventory … and then if you do have it, you know you have to take action.

So it’s really important to know what devices you have connected to your network.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 061 Zyxel Backdoor appeared first on L2 Cyber Security Solutions Ltd..

Where is this coming from?

I have introduced the www.HaveIBeenPwned.com service to a number of people recently. They have gone on to the website. They have typed in their email addresses and in some cases they have found that they have been included in data breaches. When they’ve gone to look and see what was breached, in a number of cases they had at least their email address and password for that service were included in the data breach.

Also check out previous #WeekendWisdom 014, #WeekendWisdom 015 and #WeekendWisdom 016.

Data breaches are bad. What should they do?

So they asked me “What should I do?”. The first thing of course is always, they must change their password on that service or site or whatever it was that was breached. Then I ask “Do you use that password anywhere else?” And they say “Yeah. I use it on multiple sites” or “It’s my favourite password. I use it everywhere.”

So I said “Well you’re going to have to change that password on all of these other platforms.”

They say “That’s going to be an awful lot of effort. Why should I worry?”

Why did you call this post Credential Stuffing?

You worry because of a thing called Credential Stuffing. What happens is that the bad guys, they take these data breaches, say from LinkedIn back in 2012. They take those email addresses and passwords that they have cracked and they try to sign into Facebook, into Twitter, into Microsoft 365, into Google G Suite, into Gmail and many, many other services. The criminals will try all of these things automatically.

They are stuffing credentials into services to be able to try and break in. That is what credential stuffing is all about. That is why you should not use the same password across multiple platforms and services.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 056 Credential Stuffing appeared first on L2 Cyber Security Solutions Ltd..

Password Best Practices

This will be a simple week of do’s and don’ts around passwords.

Do use a unique password

Use a unique password for every single site, service and account that you may have.

Do use a long password

And do use long passwords for those sites, services and accounts. I’m talking about 15 characters or more for the passwords.

Now your probably thinking “How the hell am I going to remember long passwords like that, for the dozens and dozens of accounts that I have?”

Do use a password manager

Get yourself a password manager which will do the remembering for you. All you need to do is remember a single master password, for the password manager. Now make that one password nice and long, like 20 characters or more. But that is the only password that you need to remember. The password manager can then generate really long, complicated passwords for all of your accounts for you. And it will just remember them for you.

Don’t share your passwords

Don’t share your password with anybody else, because sharing a password with other people might be considered a data breach. Because they may suddenly have access to data that they shouldn’t do.

Don’t regularly change your passwords

And finally don’t change your passwords on a regular basis. Passwords that are changed on a regular basis usually end up with numbers at the end of them which get incremented each time the password is changed and that is really, really poor. You should only change your password if you suspect it has been compromised.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

www.L2CyberSecurity.com

www.twitter.com/L2Cyber

The post #WeekendWisdom 016 Password Best Practices appeared first on L2 Cyber Security Solutions Ltd..

What is an extension?

These are little pieces of software that are available for internet browsers to provide some type of add-on or extra functionality. There are thousands of these kind of things out there and you might have some installed without realising it. One quick way is to look at the top of your browser window, on the right-hand-side of the address bar, there may be a few icons. Here is an example from my Chrome browser:

These extensions are:

1. LastPass (password manager)
2. Privacy Badger (blocks tracking cookies)
3. F-Secure Browser Protection (adds security for online banking pages)
4. HTTPS Everywhere (forces browser to use HTTPS version of websites where possible)

All security related for some reason. ?

Not all installed extensions may be shown on the browser bar. They may also be hidden, but still enabled. In order to find out what extensions you have, do the following:

• Google Chrome – paste the following address into a new tab chrome://extensions/
• Firefox – paste the following address into a new tab about:addons
• Edge – Click the three horizontal dots (top right of the browser) -> Extensions

If you have a lot of extensions, then you have a greater chance of falling victim to the bad guys.

How do we get dodgy extensions?

Most of the extensions you have are probably all legitimate and from a reliable source … originally. However, over time the developers of these extensions may sell them on or even just give up on them and somebody else takes control of the extension. In the case of the Mega.nz extension, the person responsible for the software was compromised. The extension was then infected for a period of time and it joined the ranks of the dodgy extensions.

The software started stealing users log-in IDs & passwords and sending them onto the criminals. To do this, it required additional permissions on the users browser, which unwary people granted. If you’ve used an extension that is actively being enhanced, you will regularly sees notifications that it has been updated. In the Mega.nz case, when the notification was issued, there was also a notice about the additional permissions that the evil doers needed to be granted in order to steal passwords.

Here is an example of the permissions needed by LastPass:

Those are already pretty extensive. If that suddenly required additional permissions, most people might tend to just click OK to “get on with it” and not stop to think “Why is this asking for enhanced permissions?”

What should I do?

If you have been using your computer for a while, you may have accumulated more and more extensions. So review all of the extensions you have. Remove those that you no longer use or don’t need.

You should also put in place controls on your staff, to prevent them from installing dodgy extensions. You don’t want them causing any kind of data breach which might fall into the auspices of the #GDPR.

If and when an extension gets updated, if it asks for additional permissions, always deny them. Then seek an expert opinion. An actual expert and not your 15 year old computer mad niece/nephew. You could send us details of the extension and what permissions it wants at info@L2CyberSecurity.com and we will answer free of charge.

If you would prefer a security review of your set-up we would be happy to arrange that too. Call us on 087-436-2675.

The post Dodgy extensions and not a builder in sight. appeared first on L2 Cyber Security Solutions Ltd..

The first thing to highlight is that the evil doers are now using partial telephone numbers in this sextortion scam instead of old passwords. This can be more effective than the old password ruse that was used last month. This could be because many people may have changed passwords since. However not too many of us regularly change our mobile number.

New development of the sextortion scam

We may also be quite used to seeing our number appear in a partially redacted manner.

So in this example, the victim sees the number +XX XXXXXX6074 instead of an old password. They have confirmed to the good folks over at the Internet Storm Centre (ISC) that those last 4 digits match their number. So that can really make people sit up and take notice.

The question arises though – why are they partially redacting the number? It’s not like these guys are reputable and are trying to protect your privacy by not emailing the full number. If they truly had your full information from a hack or a data breach, why not just put the whole thing in there? It would be very much more effective.

No, they don’t have your full number at all and as surmised by the team over at the ISC, they are probably getting the information from password reset forms. This is where the like of Google and Amazon will send you a text message with a code as part of the reset process. Or as part of a two-factor authentication step such as the following:

So the bad guys have upped their game here. Just don’t fall for it.

Are they making any money?

The other update in relation to this is about the money they have actually made from this sextortion scam. A couple of weeks ago the fine people at the ISC did an analysis of the bitcoin wallets that were included in the scam emails. These are the long string of characters and numbers that I redacted in the email example above.

“Wait a second” I hear you say, “Bitcoin is untraceable, anonymous money.”. Actually it’s not really untraceable as by the very nature of the blockchain on which bitcoin is based, each transaction is fully public. It would be more appropriate to say that it is unregulated money.

Anyway, their analysis revealed that of the many wallets they were monitoring:

• 123 payments were received
• $235,000 in total was paid to those wallets
• $4,900 was the biggest payment, with an average payment of $1,900

This was probably a subset of all the wallets in use across the whole campaign. However you can see that people were fooled into parting with their money in reasonably large numbers.

So you now want to easily protect you and your staff from these kind of scams, right? I do some pretty awesome security awareness training. If you were interested in finding out more, just send an e-mail to info@L2CyberSecurity.com.

#LetsBeCarefulOutThere

#SecuritySimplified

The post Sextortion scam – a follow up. appeared first on L2 Cyber Security Solutions Ltd..

It is of course a scam, but having an old User ID and Password on the e-mail does seem to give it a sort of legitimacy, in that they may just have hacked your computer. If you happened to be somebody who recently viewed porn on that computer, one which has a webcam, then you may just fall victim to this sextortion scam. This is what a typical e-mail looks like:

The amount payable varies between the various e-mails, as does the Bitcoin wallet address (both circled above). There may also be a number of random words towards the end of the e-mail, which are used to defeat spam filters.

The bottom line here is, these people did NOT hack into your machine and record you watching porn. If they did, why wouldn’t they include a frame from said footage to prove that they had something on you.

The old User ID and Password that they included will have been picked up by the bad guys from a data breach sometime in the past. This stuff has been knocking around the internet for a loooonnng time. I did mention this last year when I talked about another scam e-mail that knew your name. They will have used other indexing techniques to associate the old account with your current e-mail address and then send you the scam e-mail.

Well known security reporter Brian Krebs, reckons that the evil doers may refine their technique and use more recent accounts that were part of a data breach.

As I always do in these e-mails I refer you to my fifth commandment. I’ll also throw in a shameless plug for the security awareness training that I provide, which, if you were interested in finding out more, just send an e-mail to info@L2CyberSecurity.com.

Let’s be careful out there.

The post A Sextortion Scam appeared first on L2 Cyber Security Solutions Ltd..

So how do I know these things? Where am I getting this figures from. Well just like November where I told you about the free Quad 9 service, which prevents you going to know evil sites or in December where I told you about the free Security Planner tool, which gave you simple advice on how best to protect your particular set-up, this month I give you the free Pwned Passwords tool, which was developed by highly respect security researcher Troy Hunt. Before you leap to the comments section highlighting my atrocious spelling – that’s how it is spelled – pwned is a computer gamer term for being completely dominated or compromised and is pronounced “powned” (to rhyme with “owned”).

So how does this pwned password tool answer the question is somebody else using your password? It’s quite simple, the Troy has got copies of online account information (including passwords) that has been breached from various sources over the last number of years. He has 500 million passwords on his database. Now he doesn’t have the passwords linked to their associated account, such that if he was hacked that somebody would get access to his juicy treasure trove of account information, it’s simply a database of passwords. He has used a certain very secure methodology to test the passwords, but there is no point in going into it here. If you’re a nerd with an itch to scratch, then you can read all about his methodology here.

So how should you use this tool? Simple go to the Pwned Passwords page and type in your various passwords. Here is the result for “123456”:

And the result for “LiamIsANiceHelpfulCyberSecurityPerson”:

So what should you do if your password has been used before, particularly where it has been used a LOT? It’s kind of obvious, but you need to change it. Yes, I know it’s a pain. Yes you might forget what you changed it to. Guess what? When you change it, write your new password down on a piece of paper and put it in your drawer or maybe your wallet/purse. ?

No I haven’t taken complete leave of my senses. But this is a case of risk reduction. Sure, you have an open copy of your password in a public-ish place, but it’s not going to be there forever. You will consult this piece of paper regularly in the first 3-4 days after changing your password. As your muscle memory starts to kick in, you will consult it less and less. After a week to 10 days you probably won’t be using the piece of paper anymore, so at that point you can destroy it.

Keeping this reminder of your password to hand will also enable you to do one more brilliant thing with your password and that is to make it LOOOOOONNNNNGGGGG. Don’t use “LiamIsANiceHelpfulCyberSecurityPerson” because that’s mine ? but either use a long passphrase (a sequence of words like my example) that is at least 15-20 characters long or use a password manager to generate a long nonsensical password which it has to remember, but you don’t. You only have to remember the master password, which you will have made it long and complicated. More details about passwords can be found under Commandment 8, including talk about password managers.

Actually, one of the other really cool things Troy has done was to enable developers to create plug-ins that can query his database of passwords. One of the password managers (1Password) has incorporated this functionality into it’s product, so if you chose a password that has been pwned, it will be flagged to you.

Finally, it would be remiss of me not to point out the main feature of Troy Hunt’s site. This has been around for many years and it’s the Have I been pwned? feature. All you do is put in your e-mail address(es) or User IDs and it will tell you if they were part of a data breach of some online service. He has details on nearly 5 billion breached accounts, so it’s pretty comprehensive.

The post Is somebody else using your password? appeared first on L2 Cyber Security Solutions Ltd..

It is tax season in the US at the moment and there are a lot of scams going on, which the IRS do warn people about. This one caught my attention because it was a simple attempt to steal e-mail account credentials. Apparently there have been some changes made to the US tax code, which people are aware of but may not fully understand them, which may be enough to cause somebody to fall for this scam.

What happens is the victim receives an e-mail with the subject of “Federal Tax Refund Information”.

This e-mail then says “Good afternoon, I have a very important information for you concerning the Federal Tax Refund which I know that it will help you. Kindly check the attached file to view the details.” For those of you unfamiliar with Commandment 5, you might be tempted to open the attachment.

The PDF that is attached, when opened, simply contains what looks like a link to a Google Drive document.

Which of course you want to look at because, money! There is also a sense of urgency introduced by saying the tax refund document is only stored for 14 days. While this is a fairly lengthy period by phishing standards, it still sows a sense of haste.

Clicking on the link, brings you to a website that looks an awful lot like a Google Docs sign-in page which, if you are not paying attention, might cause you to give away your Gmail account name and password. I refer, of course, to not paying attention in regards to the address of the sign-in page, which is circled in red:

That is not “https://accounts.google.com” which would be what you are would normally expect. Of course if a genuine account and password is provided, then the evil doers will now take full control over the e-mail account and use it for nefarious purposes, UNLESS of course you had followed Commandment 7 and used two-factor authentication. If you had, you could then laugh at the bad guys attempting to login as you and failing because of this brilliant protection mechanism.

Then you calmly go ahead and change that password in ALL accounts that you used it in, because it’s now compromised.

While this has been relating to the US tax season, expect similar carry-on during October in Ireland.

The post Sneaky Tax Refund e-mails appeared first on L2 Cyber Security Solutions Ltd..

On further reflection, this is actually an extremely worrisome scenario. As an MP, Ms. Dorries would receive e-mail correspondence from her constituents on a daily basis. I wouldn’t expect all of them would be telling her she is doing a great job (though a small few might).

Most people contact their government representatives when they have a problem or concern. These problems or concerns are usually in respect to some dealing that they have with a government department, which they are hoping their elected representative can sort out for them.

The fact that an intern has full access to the representatives email because of password sharing, is staggering. Because they have Ms. Dorries password, when they use her e-mail, THEY are Ms. Dorries (in a virtual sense). So let’s for argument just say, this intern is a neighbour of the person who has e-mailed Ms. Dorries about a problem they have in accessing mental health services with the Department of Health.

The person sending the e-mail, sent it to Ms. Dorries … not to their neighbour … they would be justifiably horrified that their neighbour now knows they have issues with mental health. That information is sensitive personal data and must be protected at all costs.

Nadine Dorries has a very real operational issue to handle. She receives a lot of e-mail which she cannot be expected to process all on her own. However, the information she receives should always be considered sensitive personal data, so this needs protection (always has needed it and most definitely will continue to need it under the GDPR).

There is a facility in e-mail, that allows somebody to “delegate” access to their mailbox to others. Ms. Dorries should use this facility to delegate access to her mailbox to her “trusted” assistants. These trusted assistants should have some level of clearance and received data privacy/protection training, so they can then determine whether

1. they should pass the e-mail to Ms. Dorries for direct resolution on a most sensitive matter.
2. handle the matter themselves, in confidence.
3. or pass a minor, non-sensitive issue to an intern to handle.

The delegation function in e-mail will show an audit trail of what the delegate did with the e-mail, so there will be trace-ability if they do something naughty. By having the boss’ password, there can be no trace-ability.

Therefore, sharing your password where you handle sensitive personal data is a data breach, plain and simple. This is because others have unrestricted, unauthorised, untraceable access to this personal data, which means you’ve lost control of it. As summary punishment, you should be made to wear the underwear of this post’s featured image on the outside of your clothes while you await a judgement from the Data Protection Commissioner.

And may Helen Dixon have mercy on your password sharing soul. ?

The post Password Sharing = Data Breach appeared first on L2 Cyber Security Solutions Ltd..