This will absolutely improve your on-line account protection by a huge amount. Particularly if you use an authenticator app like Google Authenticator. There is even an entire commandment dedicated to it, because it is that good!

Yes, we know it’s difficult to do this, but this is where the bad guys win. If you haven’t received the excellent training available from L2 Cyber Security Solutions, then use a Password manager.

If the evil doers have compromised your e-mail account, they may have done this in a very sneaky fashion by logging on once, and setting your account to automatically forward all received e-mail to them. This is a particularly stealthy way for them to spy on you. Go to your account settings now and check if there is any forwarding of mail going on.

When you sign-up to services or accounts, you provide your e-mail address and that service or account sends you a “are you the person who just signed up to us” type e-mail, followed by a “welcome to our service” type e-mail. You might also have forgotten your password for such accounts and requested a password reset which they helpfully send to you in an e-mail. 

Well you really should delete all such e-mails after you have read them, because these will lead the evil doers to these accounts, where they will do another password reset and then compromise that account too. If they don’t know what services you subscribe to, they can’t do anything to them.

This is an incredibly easy way for the evil doers to steal your GMail ID and GMail password. This one could even catch out security people like me! ?

So what happens is you receive an e-mail from somebody you know, who also had a GMail (note the emphasis on had). 

This e-mail will have a subject line of a previous e-mail conversation that you have had with that person and also, what appears to be an, attachment that had been attached in an earlier e-mail in that conversation. So far this e-mail is looking EXTREMELY legitimate.

That attachment, is actually an image in the e-mail with a link embedded in it and if you click on it, it will take you to, what appears to be, the GMail log-in screen, as follows:

Being asked to log-in like this would certainly trigger an alert in my mind that something was up. I would immediately check to see where this password page has come from, so I would look up at the address bar of the browser. This is what you would see:

 So that looks OK doesn’t it? https:// (nice and secure site) accounts.google.com (legitimate address) and the e-mail came from somebody I know, from an e-mail conversation I have had with them, that had an attachment, which was here again in this new e-mail. All very believable! So let me enter my GMail ID and password and … you’ve now given the hackers your credentials.

Within minutes, they will have taken over your GMail account and will be sending this nasty surprise e-mail to your friends, family and colleagues.

So how do I know it’s not a legitimate GMail login screen? Let’s take another look at that address bar:

That first part of the address (highlighted) looks a bit odd, don’t you think? It is very odd. It actually has a verrrrrrrrry long string of text, which stretches off beyond the end of what you can see in the address bar that executes a script, which brings up that log-in page.

Also, if you know your secure websites, you know that where there is proper https:// there is also a green padlock symbol like this:

That gives a high degree of confidence that the site is legitimate and properly secure.

I’ve said this numerous times. I tell everyone I know, that they must set this up to protect their accounts. 

It is known by many names – Two factor authentication or Two step verification or Login approvals.

I’ve a whole commandment dedicated to it, so please have a read and please implement it.

This protection, won’t prevent you falling for the scam outlined above. What it will do is prevent the bad guys from accessing your account, even though they have your GMail ID and GMail Password, they won’t have your smart phone and as such won’t be able to sign in as you.

Please implement Two factor authentication on all your on-line accounts. It really gives you the best possible protection.

h/t to the folks over on WordFence for the details on this.

As was widely reported at the weekend, Meath County Council were the victim of an attempted theft of some €4.3 million. A lot of the reportage was pointing to hackers and this being a cyber attack, but based on what is known, in my opinion, it’s not really.

This attempted theft was facilitated by the use of technology, but not necessarily the abuse of it. They’re no longer commenting about it now while the matter is investigated, so we’ll need to await the outcome of that before we know for sure.

However this sort of theft is incredibly common and is known variously as CEO fraud or Business Email Compromise (BEC). Basically what the bad guys do, is send an e-mail or even a text message that appears to come from the CEO, the MD, the Head Honcho, the Big Boss. This e-mail/text is sent to somebody in the finance department and it instructs them to urgently transfer or wire funds to some account that is outside of the EU area. If the transfer was within the EU area, it can be recalled under SEPA regulations, but outside of the area the money can be a taken and never seen again. 

If, in your business, you have a finance function (however big or small) that has a single person who is able to initiate a transfer of funds in any amount, on their own, then you could easily fall victim to this type of fraud. The thieves will have done research on your organisation and will know who is involved in the various departments and how you operate. This enables them to make their e-mail/text much more believable.

The FBI in the US have reported that this fraud has occurred in 80 countries. From October 2013 to February 2016, there have been over 17,600 victims with total losses amounting to over $2.3 billion – that’s an average of just over $130,000 from each victim. This whole area is increasing rapidly and this will happen more and more.

So what can you do to prevent it happening to you?

Well quite simply, have the banking set-up, such that at least two signatories are required for every transaction, no matter the size. Then follow this up with a strict policy on how money transfers can be requested – particularly where the target account is new. If you are simply transferring to a known, established account (belonging to a vendor you deal with for example), then this should be OK (as long as there is a supporting invoice of course). However, if an e-mail requests the transfer of funds to an unknown account, then certain due diligence should kick in. For example, the CEO/MD/Whatever should be contacted by phone and additional verification sought. If the CEO cannot be contacted, then there should be no further action taken until they are reached. Very importantly, the CEO needs to acknowledge this policy and never subvert it, no matter what.

As mentioned earlier, the thieves will have done their homework on the company. The true story I tell during the Internet Security Awareness and Safety Training is about the finance director of a company receiving an e-mail from his boss asking him to urgently transfer funds to a client account in order to secure a new contract. As it’s for a new contract, it’s to go to a new account. Also the amount of the funds is just within the Finance Directors approval range for a solo authorisation. The CEO concludes the e-mail saying that he is just getting onto a long haul flight, so he will now be incommunicado for several hours.

The CEO was indeed travelling long haul that day, which the Finance Director knew, so it all looked fine, so he sets up the transfer on the system and is about to process it when a niggle hits him. There was just something that wasn’t quite right, so he chanced calling the CEO, who answered from the departure lounge at the airport. Of course there had been no e-mail sent by the CEO – it was all a hoax. But if the Finance Director didn’t have that niggle to call, the money was gone, never to be seen again.

So put a strong policy in place and make sure your staff are instructed in it and are never criticised for adhering to the policy. This last part if critical, because if they do get criticised, then the policy won’t get enforced and the risk of theft will become greater.

I received two e-mails in recent days from online training provider Lynda.com customer care, this is because I have had two accounts with Lynda.com in the past. Both were set-up when they had a 30 day free trial offer, which I made use of.

I’m one of the 9.5 million customers/former customers of Lynda.com who have been contacted by them about a breach of their data security. They state that my contact information and courses taken were compromised, however they believe my password was not compromised. Here is the text of the e-mail:

So this doesn’t sound so bad. Right?

Nope. They have my contact information, so they have my name, e-mail address and mobile phone number. That means I could be targeted for phishing or even worse spear phishing. I tried to see if I could delete my Lynda.com account, but nothing obvious jumped out at me. I must check their online help and if there is nothing there, I will be contacting their “customer care” to try to get rid of these accounts.

There were 55,000 people who have been contacted by Lynda.com customer care telling them that their passwords have been compromised and so Lynda.com have forced a reset of their password.

I actually don’t care about my password, the hackers would be welcome to it, as that is unique to my Lynda.com account, I would not have used it anywhere else. However, to use their terms, out of an abundance of caution I have changed my passwords on the two accounts I have, to some complete gibberish that even I won’t remember. I’ve stored them in my password manager.

So what lessons can be learnt here: