Have you had your electronic ID stolen?

In other words, have you been pwned*. There have been millions of email addresses and passwords stolen in hack attacks and millions more that have been left exposed by incompetent website owners. However, it’s not just your email address that’s been stolen, your name will have gone with it, possibly your address and maybe even credit card (and other) data.

The stolen information is then made available for sale on the dark web and here’s a sample of the prices it can fetch

  • Credit/debit card number – $5-$11
  • With the CVV (3 digit) security code – + $5
  • “Fullz” (card, CVV, name, address, date of birth etc.) – $30
  • Bank account access – 10% of the credit balance in the account
  • Online Payment Services, such as PayPal – $20-$200

But how do you know whether your information is “out there” just waiting to be abused by cyber criminals? Well, I don’t know but I know a man who does, and he’s set up a rather useful website

Have I been Pwned?

There’s a website called Have I Been Pwned. This has been created by Troy Hunt, a Microsoft Regional Director & MVP (Microsoft Most Valuable Person for developer security). After data from a major cyber incident was “found” on the Dark Web Troy decided to put a database together – in his own time & at his own cost – as a way of allowing people to check whether their data was amongst stolen information and to “keep his hand in” from a programming perspective.

The site is now a comprehensive source of information about data hacks and data loss and is simple to use. All you have to do is enter your email address to see whether you have been “pwned”

And if you have been, as shown in the image above, it will also tell you which data breach (breaches) your email address has been found in.

Not every data breach leads to passwords being available. Some databases have encrypted passwords, making them worthless to the cyber criminal. However, many don’t and, like email addresses, there are millions (over 550) of passwords available on the Dark Web.

As he’s done with email addresses, Troy has now gathered all the stolen passwords that he can find and has created another searchable database dedicated to stolen passwords.

So, why is it so important to know whether your passwords are available to cyber criminals?

At this point, all the criminals have is a list of emails and and another list of passwords. They may not know which ones go together and they also don’t know which websites these email addresses and passwords relate to.

But, from our perspective, there’s a significant weakness. This comes in to play because a lot of people use the same password for many websites simply because it’s easier to remember one password than many. This use of the same password makes things a lot easier for the cyber criminals to put our data to fraudulent use.

Let’s say, for example, that the criminals target Amazon. You might have your credit card details already stored against your account so if a cyber criminal can gain access, all they have to do is change a delivery address and Bob’s their uncle.

They’ll use a “Credential Stuffing Attack” which means that they’ll load all the email addresses in to one database and the passwords in to another and start the attack. First they pick their target (Amazon in my example) and use software that will add an email address to the log-in box. They’ll then turn to different software to try all the passwords in the password database to see whether there’s a match. And once they’ve tried one email address they’ll automatically move on the next one. Once they’ve tried all combinations, and flagged those that work, they’ll move on to another site.

This sounds like a long, slow process but they’ll probably use a “Botnet” – a network of tens, hundreds or possibly thousands of hacked computers around the world that they have control over.

So, you should check “Have I Been Pwned” for both email addresses and passwords and if you’ve got a compromised password you should find the sites you use it on and change it – remembering to use a different one for each site.

Top 10 Passwords of 1018

Different, not similar – Password, PassWord, PAssword1960 and Pa55W0rd are NOT different to a cyber criminal. Criminals will also use these, and other variants of the world’s most popular passwords (2018’s shown in the image to the right) in their attempts to hack your accounts.

If you are concerned about your digital security, or need some help with your website, SEO or anything else online then just drop me an email, andy@enterprise-oms.co.uk , or give me a call on 01793 238020 for a free, no obligation conversation about your requirements

*Pwned – When a map designer in the online game called Warcraft beat another player he wanted to say “Player x has been owned”. Unfortunately, he mis-typed and actually said “Played x has been Pwned”. This is now a “thing”

Are we already at war?

Are we already at war?
This is the first (of two) articles taking a look at the hacking and cybercrime that’s taken place in 2015. Part 2, to be published soon, looks at the simple steps we can take to enhance our security and minimise the threats from cybercrime.

2015
Cost of Cyber Crime in 2014Although we’ve yet to reach the end of 2015, there’s already been an unprecedented number of data breaches and hacks compared to previous years, measured by both the number of breaches and the amount of data exposed.

The graphic on the right shows the estimated cost of cybercrime for 2014. In 2015 the cost has increased by 14% according to the “Cost of Cyber Crime Study: UK“, conducted by the Ponemon Institute and sponsored by HP.

The institute conducted 326 interviews with personnel from 39 UK companies to assess the incidence and cost of cybercrime for businesses. and the latest news is that the very recent TalkTalk hack has cost the company £35m so far

Major data breaches in 2015

FebruaryBillion dollar cyberheist
Up to 100 banks were penetrated and more than $1bn stolen
  US health insurer Anthem
80 million patient and employee records including date of birth, social security
numbers, home and email addresses, employee information and more
May 2015 – BlueCross, US Health Insurance provider
11.2 million names, birth dates, email addresses stolen
US office of Personnel Management
21.5m US Federal employees confidential data was accessed and presumed
stolen
June 2015Kasperski Labs (yes, the security vendor) was hacked
Technical information was stolen, thought to be industrial espionage by a
sovereign Nation State
July 2015 – Harvard University
One of 8 universities hacked in 2015 but it’s not known what information was
accessed (and stolen)
Hacking Team
Hacking Team develop spy tools for government agencies and the breach
exposed 1 million emails including those of a sensitive nature from a number
of security agencies around the world
US Army National Guard
850,000 social security numbers, home addresses, names and other
personal information stolen
August – Ashley Madison
32m member’s data stolen and posted on the dark web for sale. The
ramifications are ongoing
September – John Brennan
CIA Director had his personal AOL email account hacked
October – TalkTalk
Major hack of the TalkTalk website and a lot of user data was stolen

In the US it is a legal requirement that all hacked companies make a report to the appropriate government department, however similar legislation has yet to be enacted in Europe so the reported incidents may just be the tip of the iceberg – and that’s assuming that hacked companies know that they’ve been hacked.

So who was behind these hacks and what was their goal?
hacker at laptop?At the time of writing, 4 people had been arrested, and bailed, for the The TalkTalk hack – 3 teenagers and a young adult although no charges have been brought.

Some hacks might be carried out by the stereotypical spotty teenager in a bedroom just doing it for fun, however the majority are likely to be carried out by more worrying groups, ranging from organised crime to extort money to government organisations.

The Ashley Madison hack looks to have been for the purpose of extortion, of both Ashley Madison themselves and their members (pay us £xx or we’ll let your friends and family know where you spend your time etc).

Others will be industrial espionage, companies looking to gain a competitive advantage whilst the remainder might have been carried by departments acting for state security and it’s believed, although almost impossible to prove, that the Kasperski, US National Guard, US Office of Personnel Management & Hacking Team hacks were conducted by sovereign Nation States, believed to be North Korea and/or China.

These attacks by non-friendly sovereign nation states on infrastructure may even be attacks seen as acts of war.

Safer Internet DayWhy do hacks occur?
For some, it’s simply for fun, the challenge and the bragging rights.

However, there’s a lot of money to be made from the theft of intellectual property and business sensitive materials, and nations stand to learn a great deal about their friends and enemies. It’s widely believed, for example, that China has been inside US military design systems for many years which could explain why their military have made extremely rapid advances with the design and manufacture of new military equipment, including stealth planes, missile defence systems and drones in recent years.

Towards the end of 2015 we’re seeing that China is negotiating two way, anti-hacking, arrangements with a number of major economic partners, including the UK, USA and Germany, theoretically enshrining in law that the countries won’t attempt to hack China and China won’t try to hack them. However, even if the above is true they don’t need to hack any further if they already have access to core systems.

A cynic might also say that history indicates that China may not stick to it’s side of the deal, and even if they do – they can always ask their friends to do it for them.

Protecting your business and yourself.
Although I’ve mentioned high-profile attacks, SMEs are also at great risk and so in Part Two I’ll be looking at some simple steps that you can take to maximise your security and minimise the risk that you are exposed to.

Has Anti-Virus software reached its “Best Before” date?

CrowbarFor many years, the security mantra has been

  • Mac good – invulnerable to viruses and hacking.
  • Windows bad – very vulnerable to viruses and hacking

 The reason was two-fold, whilst it’s true that the Apple operating system IS harder to infect with a virus, the main reason was popularity (or lack thereof). When 97% of the world was using Windows, why bother writing viruses and other malware for the extreme minority.

The traditional Windows solution was to install an anti-virus program from one of the many vendors and, for real “belt and braces” safety, protect your internet connection with a firewall. Hopefully all would be well and good, so long as you paid your annual anti-virus subscriptions and ensured that the virus definitions were regularly updated so your anti-virus program could identify the threats and keep you safe. (Free anti-virus programs for home users did a similar job, again provided they were kept up to date)

Crypto-LockerSignificantly Increased Risk of Infection

However, the upsurge in Apple popularity over recent years means that Apple devices are also targets of the cyber-criminals. And it’s not just Apple computers and iDevices that are at risk, the virus writers are also targeting Android devices, Microsoft phones and tablets and devices running Linux devices.

Anti-Virus is dead!

Brian DyeLast year, Brian Dye, Senior Vice-President for Information Security at Symantec (the company behind Norton Anti-Virus solutions) said, in an interview with The Wall Street Journal, that “Anti-Virus is dead”. What he meant was that cyber criminals were now able to write malicious software faster than Norton could be updated.

Whilst Norton, and all the other anti-virus programs, are not yet ready for the scrapheap they only detect around 45% of all attacks. As well as that rather disturbing stat, research by FireEye (A cyber-security provider)  indicated that 82% of malware detected by their security solutions stays active for just one hour and 70% of threats surface just once before disappearing and being re-written to avoid detection by the AV companies.

So, what should you be doing?

Security-padlockWell, I’ve said it before, but it’s always worth reiterating, security starts with education. Then you add as many layers of additional protection as you feel necessary, depending on how you use your devices and the level risk you feel you are faced with.

  • Never open an attachment unless you are expecting one and you know, and trust, where it came from.
  • Keep your Anti-Virus software up to date and continue to renew your subscriptions, it may only block 45% but that’s nearly half of all threats stopped before they have a chance to install.
  • Install a security App on your phone and tablet
  • Explore the new offerings from the traditional anti-virus vendors that look to protect your web browsing and protect you against spam, phishing attacks and other cyber crime threats.
  • Be alert for anything that doesn’t feel “right” and if something looks too good to be true – that offer of a full version of Microsoft Office on CD for £50.00 for example – remember, it probably is!
  • Use a different, complex, password for each website that you have to log in to. An App such as LastPass will help you create passwords, securely store them and “auto complete” the log-ins when you log in to those websites. (other password tools are available)
  • Ensure your Social Media accounts privacy settings are set to an appropriate level
  • Look at Bitdefender Safego,a free anti-scam service for Facebook and Twitter
  • Remain cautious when using any internet connected device

Safer Internet Day 2015

2014 Top Passwords1,2,3,4 is the start of The Beatles “I saw her standing there”, it’s the way you “declare a thumb war” and it’s also the 7th most popular password of 2014, up from 16th the year before.

10th February 2015 is the 12th “Safer Internet Day” and we’d like to make it a day where people change their simple passwords for something much more secure.

Why is it important?
Safer Internet DayEvery day millions of websites come under attack, ranging from simple personal sites to complex e-commerce sites and online email service providers.

Just think about your information that’s “out there” and what could happen if your business or personal security was breached.

What’s in your Gmail, Hotmail, Outlook.com mailbox, how valuable would that be to a cybercriminal? What if they hacked your email account and sent emails to your contacts and connections, as you, then tried to use your email address for more nefarious purposes?

How about if, after hacking your email account, they used your credentials to try to break into your bank account, your building society account, your credit card account  or use them to set up fake accounts that they can then use to steal your identity, borrow money in your name and have it sent to their bank accounts, buy products online that are delivered to them and billed to your address – the list goes on and becomes even worse if it’s business data that has been stolen.

Business bank accounts typically have more money in them with longer lines of credit, your servers may contain enough information for the cyber criminals to target your customers, there may even be ideas, designs and other pieces of Intellectual Property that could be sold or misused in a  variety of other ways, all to your disadvantage.

You know it makes sense to have stronger passwords but a lot of people, as evidenced by this list, obviously can’t be bothered – maybe they deserve what comes their way?

We don’t think they do, which is why I’ve published this blog post as part of “Safer Internet Day” and we’d ask you to review your password policy, both internally and personally and follow these simple tips and guidelines to minimise your risk.

Password BoxWhat should you do?

Don’t use the same password on every site you log in to, ideally, each site that you have an account with should have its own, unique, password. We know that sounds hard but it’s remarkably easy if you use one of the many, secure, password creation and storage sites such as KeePass, LastPass or PasswordBox. These will automatically create strong and unique passwords and save them in your databank and automatically fill in the boxes whenever you are on one of your sites that require secure access.

Many also come as Apps for installation on your phones and tablets so that you can always access the sites you need to, whenever and wherever you are.

They run in your browser so that you can access your passwords and other log-in data from any internet connected computer, at home or abroad, on holiday or business trip – just make sure you remember to logout if you’re using a public computer.hacking.jpg

If you don’t want to use an App then make sure your passwords are at least 8 characters long and are comprised of a mix of UppEr cAse and loweR case, 1nclud3 a numb3r or 2 and m@ke use of spec!al character$ wherever possible. You can check the strength of your password at HowSecureIsMyPassword

If you are concerned about any of the security aspects for your business, then send me an email, andy@enterprise-oms.co.uk  or give me a call on 01793 238020 for a hack free, zero obligation chat and I’ll be delighted to see whether I can help secure your business from cyber criminals and make sure that you don’t become a victim, like Sony did at the end of 2014.

How much did your last cup of coffee cost?

Nice cup of coffee

Imagine the scene, you’re between meetings and decide to drop in to your favourite coffee shop for a steaming hot cup of your favourite coffee, a cake and to tap into their Wi-Fi to read your emails, refresh your knowledge in time for your next meeting or simply to surf the web.

Then the urge hits, you look around and see that everybody seems respectable enough so you you head off to the toilet thinking that your laptop is safe on the table. After all, nobody would lift it in sight of all those customers, staff and CCTV cameras would they?

Laptop tracking service provider, Prey, found that areas offering free Wi-Fi were the second most common target for opportunistic laptop thefts, the only riskier place being left in a visible place in your car.

Open Laptop

If stolen, it’s not only the inconvenience of replacing the laptop, re-installing your applications and copying back your data [you do back-up your data don’t you?] it’s the additional costs that are not covered by your insurance.

The Ponemon Institute, a US cyber crime consultancy, put the real cost of the loss of a laptop and it’s data at nearly £31,000. This was broken down in to £4,000 for the loss of Intellectual Property, forensics and legal bills adding around £1,500 with a staggering £24,500 attributable to the loss of income, customers and competitive advantage associated with a data breach

SPOOF HOTSPOT


When you sit down and try to log-on to the Wi-Fi there’s often a selection of hotspots to choose from. How do you know which is the free service provided by the venue and which is a spoof.

It’s very easy to set up a Wi-Fi hotspot using a mobile phone, Mi-Fi type of device or laptop and allow other users to connect through this free connection. However, all of the traffic can then be intercepted by the person providing the spoof account. What sort of important information is passed from your laptop through this connection? It could be your details to access your online banking, the log-in to your company network or the necessary information required to access your corporate email account.

So, the next time you stop off for a cup of coffee and decide to log-on using their free Wi-Fi, just make sure you know which network that you’re connecting to and that you don’t leave your laptop unattended.

And if you’re in need of help, then just give me a call on 01793 238020 or send an email to andy@enterprise-oms.co.uk

123456 is not an exercise in counting

We are only 2 months in to 2014 and there have already been a significant number of major news stories about data theft and online security so I thought I’d round some up and give some tips that will help you to stay safe.

  • February 25th 2014, cyber security company Hold Security LLC said that it had uncovered 360 million sets of customer account data available for sale through cyber black-markets. These are new discoveries and represent a fresh risk to security.

Typical data includes email addresses, user names and passwords.

Hold Security LLC believe that these thefts are yet to be publically reported by the organisations who were hacked.

  • February 14th 2014 Tesco announce that the details of more than 2,200 Club Card accounts were published on the internet and a number of Club Card points had been stolen.

It’s important to understand that Tesco has not been hacked. Rather, criminals purchasing data related to other security leaks will simply run email address and passwords combinations against websites such as Tesco’s Club Card site to see which of them work. A small number obviously do and have permitted unauthorised access to user accounts.

  • February 14th 2014 Barclays announce the theft of 25,000 customer files, including sensitive information such as passport and National Insurance numbers as well as account data.

Popular PasswordsIt’s going to get worse before it gets better!

How do we know? Well, a number of companies have looked at stolen data and it’s been revealed that the No.1 password in use during 2013 was “123456”. The No.2 password was “password”, No.3 “12345678”, No.4 “Qwerty” and No.5 “abc123”

So how do you minimise the risk to yourself.

Well, it’s really easy – you just need to use a different password for every different website and account that you have. I know the message is old but it’s becoming increasingly clear that the message is not getting across and people are getting hit.

Of course, it’s challenging to remember the tens or hundreds of passwords that we use on a daily/weekly basis so you need a tool to make the task easier.

The two most popular approaches are either to use a Password Vault – a piece of software that runs on your computer/phone/tablet which securely stores all your vital information and, in some cases, can be used to produce a really strong password every time you need one or you could use a “Seed” word or phrase that you amend every time you need a new password.

For a seed you could think of a line from your favourite song, perhaps the first line of Bridge Over Troubled Water – “When you’re weary, feeling small” for example. Take the first letter from each word – Wywfs and substitute a letter with a number, 5 for s for example, so your seed is Wywf5.

Now let’s image that you want a password for Tesco, take “Tesco”, substitute numbers for letters  – T3sc0, split it and add the letters to be beginning and end of your seed,  T3Wywfs5c0. Now have a password that will take 6 years for an average PC to crack. Add a symbol, such as “!” to the end, T3Wywfs5c0! and it will take 4 million years for the average desktop PC to crack.

That’s your personal security dealt with. If you are worried about security for your business, I can help there too. To learn more please give me a call on 01793 238020 or email andy@enterprise-oms.co.uk to start the ball rolling.

 PS. Just make sure that you have a remote wipe utility installed on your phone/tablet so that you can remotely erase the data should your phone be lost or stolen.