They claim that their Standard Fare Notices and Tax Saver Ticket pages are not affected and are still available. I wonder about this, as I went to the version of their website from last December and there is no other part of the site there that records personal data. So the data breached must be belonging to those types of people. We’ll hear soon enough about this. It’s not what I want to focus on.

The site has been down for a long time.

For a company as large as Transdev is, I’m surprised at how long the home page for their major operation in Ireland has been unavailable. If they were following best practice, then this is, at a high-level, what should have happened on Wednesday night last:

1. Ransomware compromises the web site.
2. IT team become aware – incident response effort commences – server, web and security teams scrambled.
3. Server(s) disconnected from all networks by physically pulling the network connectors out of the server(s), but they are left powered on.
4. Security team take a forensic snapshot of the affected server’s memory and disk. This is a long slow process.
5. Server team, bring up backup server or request a new server from service provider.
6. Web team commence restore of the website from most recent backup on that server. Tests that all the pages work.
7. Replacement server(s) put into production – website back online.
8. Once the security team have completed their snapshots of the affected servers, these machines can be wiped and put to use again.
9. Security team analyse the forensic images to discover source of the compromise and any loss of data. This process could take days and even weeks.

Given that the Luas site is pretty basic, step 7 above should easily have been achievable, I think, within 24 hours. Probably even faster if they had a backup server on stand-by, ready to take the restore.

Why is it taking so long?

I’m going out on a limb here. I’m guessing that they don’t have decent backups of their website. If they don’t have that, then they literally have to rebuild it from scratch and this will take time. Probably days.

Perhaps they thought they did have backups, but here’s the thing. You actually should test your backups occasionally to see if they are working OK. If they never tested that these backups work, they may have discovered that they weren’t backing up enough and they are going to have to rebuild it from scratch.

With good, tested backups this would not take much time at all.

How did the Luas Ransomware get in?

That’s a good question. We may never find out, but the likely cause is that they had a poorly secured website or webserver. It looks like they use WordPress and if you have a very old version of that, then it is trivial for a hacker to compromise it. The message from the bad guys was interesting:

This person states that he warned the company some time ago that they had vulnerabilities and they never responded. This could be a complete lie, but it’s also quite possibly true.

Based on the wording of the message above, if I received a similarly worded e-mail, warning me about something wrong on my website, I might dismiss that too. However, I take my website security seriously and keep it updated on a weekly basis. I also back it up daily and finally, I have tested those backups.

What can you do to avoid such a long outage?

You don’t want to be affected by something like the Luas Ransomware do you?

There’s some simple steps that you can take. Basically keep your website updated regularly and have good backups which get tested. There are more, but these two will give you a quick win.

You could also give us a call on 087-436-2675 or drop a line to info@L2CyberSecurity.com and we can have a chat about the service that I can provide. We also have some Cyber Security training coming up soon too, which you can book a place on.

Lets be careful out there.

#SecuritySimplified #GDPR

The post Luas Ransomware Incident – Offline a while now appeared first on L2 Cyber Security Solutions Ltd..

1. There will be another large scale incident on a similar scale to WannaCry

Every year there are really large attacks using different methods to cause problems. In 2016 we saw huge floods of data attacking online services. This flood was caused by poorly secured internet connected security cameras. 2017 saw Ransomware worms in WannaCry and Petya/NotPetya. The latter of these was quite ingenious in the way it worked, as it used different methods to move around networks, once it successfully infected a machine. I’m going to guess that we’ll see something of similar complexity being used, perhaps in a more targeted way – possibly by way of altering a widely used application’s source code and lying dormant until activated.

There was one huge, record breaking event, but it didn’t feature in most of the global news as it affected a US based service provider. It was a large distributed denial of service attack, which I reported here. Earlier in the year, there was a situation where websites that used a certain popular plug-in were “mining” virtual currency for the bad guys. In September, there was number of well known websites, like Ticket Master and British Airways, who had their payment pages compromised. People who used those sites had their credit card information stolen.

I’ll take a partial on this, as the stories above didn’t have the same kind of media frenzy or global awareness as previous incidents.

2. Past Data Breaches will impact victims financially on a large scale

With so many data breaches occurring throughout 2017 (and for years earlier), there is a huge amount of useful and usable data that the evil doers can, if they used some big-data methodologies, mine to extract and target individuals and hit them financially. It’s not credit card numbers I’d be worried about, as the issuers are fairly good at catching fraud and protecting the card holder. It’s all of the other information that could be used to craft a very convincing e-mail/letter/WhatsApp message that will cause the victim to send money to the bad guys.

I reckon I got this one. Old passwords that were breached a long time ago (possibly from the 2012 LinkedIn breach), were used to make a sextortion e-mail appear more credible and a lot of people fell for it. According to some reports, 1,000 people paid approximately $500,000. An earlier analysis of the payments showed that some people paid up to $4,900, with the average being $1,900.

3. GDPR will cause a big Facebook-type company to be fined

I suspect there are individuals out there waiting in the long grass for May 25th 2018 to roll around so they can launch all manner of subject access requests on various companies and government departments that they don’t like. Just to be a nuisance. I do, however, expect that some large global corporation, that has a lot of personal data on a huge number of people, will end up being investigated and, either in 2018 or 2019, be levied a massive, multi-million Euro fine. But they will fight back and hold up the imposition of the fine for a number of years. They may even expose flaws in the GDPR legislation.

The cases are still under investigation, so I’ll take a partial on this, but it’s not a Facebook-type company that is going to be fined, but Facebook themselves. They currently have multiple post-GDPR investigations underway with the Data Protection Commission.

4. Crypto-currency hack

If BitCoin is still a valuable thing in 2018 (and hasn’t crashed and burned), I expect the evil doers will be doing their best to hack the BitCoin block chain in order to steal some of that sweet, sweet virtual currency.

This was a miss. I’ve not heard of any successful block chain hacks and BitCoin’s value has fallen so low, it’s probably not worth the effort to attempt to hack it any more.

5. Data breaches will see a massive increase in reporting in Ireland

While there have been data breaches reported in Ireland, they are few and far between. However, I fully expect that the requirement to report data breaches to the Data Protection Commissioner under the GDPR, will cause an increase in the reports of data breaches occurring. I have a useful short video here showing that there are many different types of data breach that might need to be reported.

This was a kinda easy one to predict. In 2017, there were on average 230 data breaches reported to the Data Protection Commissioner each month. Two months after the GDPR had been implemented, the Data Protection Commission (as it is now known) had received nearly 600 data breach notifications per month.

Results for my 2018 predictions

2 correct, 2 partials and 1 incorrect. Not too bad.

I don’t plan on doing this again next year. However, if enough people ask me to do so, then I’ll reconsider. Send me an e-mail at info@L2CyberSecurity.com and let me know if you want to see a 2019 set of predictions.

Wishing you and yours a safe and secure 2019.

Lets be careful out there.

#SecuritySimplified

The post Review of my 2018 predictions. appeared first on L2 Cyber Security Solutions Ltd..

Haven’t we heard about this kind of behaviour from China before?

That was my first reaction to this story. Back in 2012, the US Government set out to ban any US telecommunications operator from using equipment supplied by Chinese companies Huawei and ZTE. This was after reports of communications equipment manufactured by them and supplied to US companies, were detected sending large packs of data back to China late at night.

But doesn’t the US do this as well?

Indeed thanks to the likes of Edward Snowden, we became aware that the NSA behaves similarly. In that story, they are shown to have intercepted the shipment of a new communications router. They then implanted some spying capability into it. It was then sent it on it’s way to it’s final destination.

So there’s nothing really new about the Chinese hacking server hardware?

Well this story from Bloomberg has stirred up quite a lot of controversy within the information security community. Apple and Amazon have been quick to categorically state that they have not been compromised. They claimed the story was completely false. Patrick Gray, an Australian information security journalist, interviewed one of the named sources in the Bloomberg story. Joe Fitzpatrick had been quite uncomfortable with the published story. Gray also raised the fact a previous story by the same journalists, quoting anonymous sources, turned out to be false. So he reckons it’s a bogus story.

I personally don’t think China would take the big risk of implanting “spy chips” in the all of the electronics that their own huge manufacturing companies produce. It would be a strange thing to do on such a massive scale as it would be more easily detected. They’ve been more targeted in the past, as has the US, so that’s probably more normal.

Certainly the supply chain is one of the weak points in a product’s creation. That’s how we ended up with Petya/Not Petya and also the compromise of CCleaner.

If you are in a top secret, research and development type operation, then you will need to have suitably vetted hardware, software and physical security experts on payroll or contract to be able to protect your business from these kind of efforts of the Chinese hacking server hardware.

For the rest of us mere mortals, there is little we can do to truly protect ourselves, without going to great expense. We just have to hope we have nothing the Chinese, the US, the UK, the Russians, the Israelis, etc., etc., etc. want. If they want it bad enough, they’ll get it.

Lets be careful out there.

#SecuritySimplified

The post The Chinese hacking server hardware appeared first on L2 Cyber Security Solutions Ltd..

What I’ve talked about above, is all prevention. However that doesn’t help you if you are staring at a monitor with a ransom demand on it. Let me give you a couple of examples of recently reported Ransomware incidents and how they were handled.

Bristol Airport recovers from Ransomware Incident

On the weekend of the 15th and 16th September, Bristol Airport suffered a Ransomware incident. This incident took their flight information screens off-line for much of the weekend. Luckily no other safety or flight systems were affected.

How did the authorities at Bristol Airport deal with Ransomware? They re-built the systems and restored backups. They did not pay the Ransom.

Scottish Brewery suffered a Ransomware incident from a job application.

In the last couple of weeks, the Arran Brewery in Scotland had all of it’s systems affected by Ransomware. They had been running a recruitment campaign, advertising for a role via their own website. The evil doers took that ad and posted it to some international recruitment websites. The brewery then started receiving several e-mails a day from interested candidates from all over the world. In among those e-mails the bad guys slipped in one with Ransomware. The CV got opened and their files got scrambled. Not only were their live files affected, but their recent backups were too. These were stored online, attached to their network. Their most recent offline backups were 90 days old.

How did the brewery deal with Ransomware? They also re-built their systems and restored what backups they had. In this case though, they did consider paying the (GBP) £9,600 ransom. They came to the determination that the value of the data they lost (90 days of sales data) was less than the cost of the Ransom demand. They also took into consideration that paying the Ransom does not guarantee they would get back their data.

The brewery then did something really sensible. They have kept a copy of the scrambled data.

Help may be available from the good guys.

There is a not-for-profit, freely available service called No More Ransom (https://www.nomoreransom.org). This is run by various Law Enforcement and Cyber Security firms around the world. They are constantly working on cracking the codes for the different Ransomware variants and enabling people to recover their data for free.

So the Arran Brewery is holding onto the scrambled data in the hope that someday they will be able to unscramble it.

So how should you deal with Ransomware?

Prevention is always better than a cure.

The first thing is to make sure you get your staff some security awareness training. This is something that I deliver. Details of the complete training is available here. We can do customised training to suit your organisation too. Call me on 087-436-2675 or e-mail on info@L2CyberSecurity.com to discuss your requirements.

Then ensure that you have your systems updated/patched regularly, have security appliances like Firewalls in place, Anti-Virus is generally helpful against malicious software and also you shouldn’t insert strange USB devices into your computers.

Finally, you should have a good data backup system in place. This can be a very simple set-up or more complicated depending on your business needs. Again, I offer advice and support on backup strategies and business continuity planning. I also have a commandment about backups.

That’s it! With all of the above in place, in the very unlikely event that you do subsequently suffer a Ransomware incident, you will be able to recover from it.

What if it would cost me less to pay the ransom?

This is a genuine struggle for a business owner, particularly small businesses. Recovering systems from a ransomware incident takes time, which costs money, and the business may be unable to operate while recovery is ongoing, so is not generating revenue. A good business continuity plan, should reduce such risks.

If you are tempted to pay, I just have two things I want you to consider:

1. There is no guarantee that you will get your data back. Figures vary wildly from 50% to 100% failure to recover data. If you pay and don’t get your data back, you will then have to pay the full cost of recovery anyway.
2. You are funding organised crime. You are paying criminals who not only do cyber crime, but human trafficking, drugs, weapons, etc. People think I am being jokey or have my tongue in cheek when I refer to Evil Doers. I’m not. This is an accurate description of these people. They! Are! Evil!

If you pay once, then the bad guys reckon you might pay again, so you will be a bigger target. My advice to deal with Ransomware is to implement preventative measures (call me on 087-436-2675 or e-mail info@L2CyberSecurity.com to have a no obligation chat) and never pay these evil doers.

What else do you need to consider?

Don’t forget that if the data that gets scrambled contains personal data, then you have a data breach on your hands, which may be notifiable under the new Data Protection Act 2018 which incorporates the General Data Protection Regulation (GDPR). I’ve a short video here:

Finally, if you do suffer a Ransomware incident, a crime has been committed, so please report it to local Law Enforcement. They may not be able to do much about it, but it needs to be reported for statistical purposes if nothing else. If it can be shown that Cyber crime is as big a problem, as I know it to be, then the more reports to Law Enforcement will mean they will get more resources to be able to tackle it’s root cause.

#LetsBeCarefulOutThere and #StaySafe

#SecuritySimplified #GDPR

The post How to deal with Ransomware. appeared first on L2 Cyber Security Solutions Ltd..

The first thing to highlight is that the evil doers are now using partial telephone numbers in this sextortion scam instead of old passwords. This can be more effective than the old password ruse that was used last month. This could be because many people may have changed passwords since. However not too many of us regularly change our mobile number.

New development of the sextortion scam

We may also be quite used to seeing our number appear in a partially redacted manner.

So in this example, the victim sees the number +XX XXXXXX6074 instead of an old password. They have confirmed to the good folks over at the Internet Storm Centre (ISC) that those last 4 digits match their number. So that can really make people sit up and take notice.

The question arises though – why are they partially redacting the number? It’s not like these guys are reputable and are trying to protect your privacy by not emailing the full number. If they truly had your full information from a hack or a data breach, why not just put the whole thing in there? It would be very much more effective.

No, they don’t have your full number at all and as surmised by the team over at the ISC, they are probably getting the information from password reset forms. This is where the like of Google and Amazon will send you a text message with a code as part of the reset process. Or as part of a two-factor authentication step such as the following:

So the bad guys have upped their game here. Just don’t fall for it.

Are they making any money?

The other update in relation to this is about the money they have actually made from this sextortion scam. A couple of weeks ago the fine people at the ISC did an analysis of the bitcoin wallets that were included in the scam emails. These are the long string of characters and numbers that I redacted in the email example above.

“Wait a second” I hear you say, “Bitcoin is untraceable, anonymous money.”. Actually it’s not really untraceable as by the very nature of the blockchain on which bitcoin is based, each transaction is fully public. It would be more appropriate to say that it is unregulated money.

Anyway, their analysis revealed that of the many wallets they were monitoring:

• 123 payments were received
• $235,000 in total was paid to those wallets
• $4,900 was the biggest payment, with an average payment of $1,900

This was probably a subset of all the wallets in use across the whole campaign. However you can see that people were fooled into parting with their money in reasonably large numbers.

So you now want to easily protect you and your staff from these kind of scams, right? I do some pretty awesome security awareness training. If you were interested in finding out more, just send an e-mail to info@L2CyberSecurity.com.

#LetsBeCarefulOutThere

#SecuritySimplified

The post Sextortion scam – a follow up. appeared first on L2 Cyber Security Solutions Ltd..

We don’t do VPN logs … often

BolehVPN clearly states on their main site that they have a No logs policy. There for all the world to see in green and white:

And yet, if you mosey on over to their privacy policy, that changes things:

This might seem a reasonable process to allow. After all nobody likes people who are abusing a service. However they are saying they turn on VPN logs to capture enough information to be able to identify a user and find out what they are up to that is causing the alleged abuse. Now bear with me on this one. It’s not as far fetched as you might think.

• What if the “abusive user” was actually law enforcement in a totalitarian regime?
• What if they had compromised BolehVPN’s servers and were trying to locate “rebel activists” within their borders?
• What if they start overloading the servers, prompting BolehVPN to initiate logging to identify the offenders?
• If the “rebel activists” were connected at that time, then law enforcement should be able to gain access to those logs and be able to identify them.

I’ll now toss in the GDPR aspect here. That privacy policy doesn’t specify what personal data is being logged, which would actually be a requirement for any EU resident using the BolehVPN service. So they would be in breach of the regulation here.

Careful wording

Some providers use very carefully chosen language. For example Astrill VPN says clearly on their main website page “No Logs kept” and then in their privacy policy they indicate that they have logging in place, but only while the connection is active. So the logs are not kept, but they still exist for the duration of the connection.

At least Astrill specify what data they have in the “temporary” log.

Excessive VPN Logs

Other providers are quite open about the information they log on you, but in some cases the amount of information they log is actually quite concerning. HideMyAss VPN keeps a record of the following for at least 30 days (though it could be longer):

For a company that sells a product that supposedly improves your online privacy, that is quite a lot of information about you that they are holding onto. The other concern here is that HideMyAss is a UK based company. The United Kingdom has in recent years passed what is known as the Snoopers Charter. This gave government ministers powers to access peoples personal data without there being a suspicion of law breaking.  Also the UK is a member of the Five Eyes Countries. These countries regularly ask for and are provided with intelligence about individuals, ostensibly for national security purposes.

With the amount of data logged by HideMyAss and easy access to it by the powers that be, you won’t be browsing the internet as privately as you may think. They have, in the past, handed over information to the US FBI about a hacker.

I’ve broken no laws. Why should I be concerned?

You may have broken no laws now. But what if the government introduced a law that you didn’t like and you could bypass this law by use of a VPN. You might value the fact that a good private VPN doesn’t give law enforcement enough data to convict you.

While this might be an unlikely scenario (though with the way things are going in the US right now, who knows), it probably isn’t something that should directly concern you. Flip this around though. There are countless people (e.g. journalists, human rights advocates), living in countries that are effectively police states, who are trying to get the truth out about what is happening in those countries and they absolutely need every bit of anonymity that they can get.

VPNs are absolutely essential to these type of people, but also for people who value their online privacy and security. I typically will never connect to a public Wi-Fi internet connection (e.g. in a coffee shop) as I simply do not trust how they have been set-up. I also cannot be certain that the access point to which I would connect is actually the one being provided, as an evil doer can have their Laptop “impersonate” (spoof) the coffee shop’s Wi-Fi and then record all of the data that is sent and received from my laptop.

Instead, I will typically use the hot-spot facility on my phone to connect to the internet. However if my signal is terrible and I really need to get on the internet, I will connect to the Wi-Fi, but then immediately establish a VPN connection, thus encrypting my connection and making all of the data meaningless to any bad guy intercepting my traffic.

The bottom line here is, if you value privacy, then get yourself a VPN that does not log any data about you or your activity on their service. You’ll have to read the privacy policies closely though to ensure that this is the case and that VPN logs are not recorded.

Let’s be careful out there.

The post VPN Logs. Should you be concerned? appeared first on L2 Cyber Security Solutions Ltd..

How will I know if my website will be marked “Not Secure”?

If the link to your website is https://www.mywebsite.ie (with mywebsite.ie being whatever your website name and domain is) then you will be OK. Close this article and get on with your life.

If however the link to your website is http://www.mywebsite.ie (no “s” after the http bit), then Chrome will highlight this in the address bar as being “Not Secure” like this:

What’s the difference between http and https?

http stands for HyperText Transport Protocol. It’s how web pages are transmitted around the internet. When your website is using http, it is transmitting all of the bits and pieces of data on your website to people browsing the site “in the clear” (i.e. exactly as it is seen). If anyone was to intercept the traffic, they would see exactly what it is that people are looking at on your website. They would also be able to add (or inject) data of their own into the traffic and thus make it appear that your website is serving advertisements (for example).

https adds the word “secure” to HyperText Transport Protocol. What happens now is that the data from your website will be encrypted (i.e. scrambled into meaningless gibberish) before it is transmitted to people browsing your website. If somebody intercepted the data, they would not be able to determine what it is that people are looking at on your website. The integrity of the data coming from your site is also maintained and nothing could be added to the traffic from your site.

My site is simple and boring. I don’t ask for peoples details or credit card information. Why is this happening?

A website that is using http only is very easily compromised and such a compromise could cause your business reputation damage. If you don’t believe me check out this video. If you want to watch the whole thing (it’s 24 minutes long) please do, but to see quickly just some of the compromises, watch from about 7:04 for about 5 minutes. I’m afraid he does talk very technically, but I think you will appreciate the consequences from seeing what happens to a plain, boring blog site.

The reason this is happening is because more than 50% of the websites on the internet are now being delivered by https. So we are all familiar with the sight of the word “Secure” in green along with the padlock:

What a lot of people would think is that this means the website is trustworthy … that is NOT THE CASE at all! All it means is the connection between the website and a person’s web browser is encrypted securely. Evil doers have lots of websites that have this “Secure” marker too.

So Google are switching the focus from highlighting sites using https to highlighting sites that don’t. So the green “Secure” with the padlock will disappear from “normal” sites. Then sites using http will be marked “Not Secure” in red. This will be an impetus to help drive the internet to being more secure.

My web person is saying that it will cost me money to get https on my website. This is just a rip-off!

Actually you can get https on your website for free, very easily. Your domain hosting provider may offer this service to you (my own host does so). If not, then Troy Hunt (the gentleman speaking in the video above) set up a website called HTTPS is easy on which he has 4 short videos on how you can set up your website to be https for free and in about 5-10 minutes (although there is one bit where you may have to wait 24 hours for the internet to work it’s magic).

Anything else?

If you want to get some more advice, drop an email with your questions to support@L2CyberSecurity.com and we’ll be happy to address them for you.

Also if you are interested in learning how to use the internet more safely, check out the training that we offer. If you want to find out more then call on 087-436-2675 or e-mail info@L2CyberSecurity.com.

In the meantime, watch those videos and see how you can stop your website be marked “Not Secure”.

The post Will your website be marked “Not Secure”? appeared first on L2 Cyber Security Solutions Ltd..

It is of course a scam, but having an old User ID and Password on the e-mail does seem to give it a sort of legitimacy, in that they may just have hacked your computer. If you happened to be somebody who recently viewed porn on that computer, one which has a webcam, then you may just fall victim to this sextortion scam. This is what a typical e-mail looks like:

The amount payable varies between the various e-mails, as does the Bitcoin wallet address (both circled above). There may also be a number of random words towards the end of the e-mail, which are used to defeat spam filters.

The bottom line here is, these people did NOT hack into your machine and record you watching porn. If they did, why wouldn’t they include a frame from said footage to prove that they had something on you.

The old User ID and Password that they included will have been picked up by the bad guys from a data breach sometime in the past. This stuff has been knocking around the internet for a loooonnng time. I did mention this last year when I talked about another scam e-mail that knew your name. They will have used other indexing techniques to associate the old account with your current e-mail address and then send you the scam e-mail.

Well known security reporter Brian Krebs, reckons that the evil doers may refine their technique and use more recent accounts that were part of a data breach.

As I always do in these e-mails I refer you to my fifth commandment. I’ll also throw in a shameless plug for the security awareness training that I provide, which, if you were interested in finding out more, just send an e-mail to info@L2CyberSecurity.com.

Let’s be careful out there.

The post A Sextortion Scam appeared first on L2 Cyber Security Solutions Ltd..

Basically the evil doers implanted malicious software on the Point of Sale (POS) terminals in the upmarket stores in the USA. For nearly a year (between May 2017 to March 2018) this malware was capturing customers credit/debit card details and passing this back to the bad guys. The crooks claimed to have gathered up to 5 million cards as a result of this hack and they have been selling off batches of them on the internet.

We are quite familiar with Chip & PIN usage in Ireland as we have had it for quite some time. This does offer a great deal of protection as your card information is stored in an encrypted form on the chip. However in the US, they are only at the early stages of rolling out Chip & PIN, so most people are still swiping their cards at the terminals. The magnetic stripes that are swiped do not have the data encrypted, and so the information can be accessed and passed on quite easily.

It’s not been revealed how the malicious software got onto their POS terminals, but it seems that the POS was compromised at all of their bricks and mortar stores in the US. Their online store was not affected.

Credit Card issuers are usually fairly good at detecting fraud by knowing their customers usual buying habits. So if somebody who usually spends €20-€50 on shopping items, suddenly attempts to buy high-end phones, tablets or televisions this should trigger an alert. However for the customers of Saks or Lord & Taylor, such behaviour is much less likely to trigger an alert. So the crooks might be able to make away with a lot of goodies as a result.

The parent group, HBC, needs to put in place better segmentation and monitoring on their network, so if one store gets compromised, the malicious software cannot find it’s way easily to another store. They should also apply Commandments 1 (automatic updates), 2 (anti-virus), 3 (firewall) and 9 (control use of USB sticks) to their POS network.

The post Posh POS was Compromised appeared first on L2 Cyber Security Solutions Ltd..

So how do I know these things? Where am I getting this figures from. Well just like November where I told you about the free Quad 9 service, which prevents you going to know evil sites or in December where I told you about the free Security Planner tool, which gave you simple advice on how best to protect your particular set-up, this month I give you the free Pwned Passwords tool, which was developed by highly respect security researcher Troy Hunt. Before you leap to the comments section highlighting my atrocious spelling – that’s how it is spelled – pwned is a computer gamer term for being completely dominated or compromised and is pronounced “powned” (to rhyme with “owned”).

So how does this pwned password tool answer the question is somebody else using your password? It’s quite simple, the Troy has got copies of online account information (including passwords) that has been breached from various sources over the last number of years. He has 500 million passwords on his database. Now he doesn’t have the passwords linked to their associated account, such that if he was hacked that somebody would get access to his juicy treasure trove of account information, it’s simply a database of passwords. He has used a certain very secure methodology to test the passwords, but there is no point in going into it here. If you’re a nerd with an itch to scratch, then you can read all about his methodology here.

So how should you use this tool? Simple go to the Pwned Passwords page and type in your various passwords. Here is the result for “123456”:

And the result for “LiamIsANiceHelpfulCyberSecurityPerson”:

So what should you do if your password has been used before, particularly where it has been used a LOT? It’s kind of obvious, but you need to change it. Yes, I know it’s a pain. Yes you might forget what you changed it to. Guess what? When you change it, write your new password down on a piece of paper and put it in your drawer or maybe your wallet/purse. ?

No I haven’t taken complete leave of my senses. But this is a case of risk reduction. Sure, you have an open copy of your password in a public-ish place, but it’s not going to be there forever. You will consult this piece of paper regularly in the first 3-4 days after changing your password. As your muscle memory starts to kick in, you will consult it less and less. After a week to 10 days you probably won’t be using the piece of paper anymore, so at that point you can destroy it.

Keeping this reminder of your password to hand will also enable you to do one more brilliant thing with your password and that is to make it LOOOOOONNNNNGGGGG. Don’t use “LiamIsANiceHelpfulCyberSecurityPerson” because that’s mine ? but either use a long passphrase (a sequence of words like my example) that is at least 15-20 characters long or use a password manager to generate a long nonsensical password which it has to remember, but you don’t. You only have to remember the master password, which you will have made it long and complicated. More details about passwords can be found under Commandment 8, including talk about password managers.

Actually, one of the other really cool things Troy has done was to enable developers to create plug-ins that can query his database of passwords. One of the password managers (1Password) has incorporated this functionality into it’s product, so if you chose a password that has been pwned, it will be flagged to you.

Finally, it would be remiss of me not to point out the main feature of Troy Hunt’s site. This has been around for many years and it’s the Have I been pwned? feature. All you do is put in your e-mail address(es) or User IDs and it will tell you if they were part of a data breach of some online service. He has details on nearly 5 billion breached accounts, so it’s pretty comprehensive.

The post Is somebody else using your password? appeared first on L2 Cyber Security Solutions Ltd..