Gmail and Yahoo Mail 2FA thwarted by Iranian phishers

SMS 2FA used by Google and Yahoo by-passed


A phishing gang in Iran has managed to bypass the two-factor authentication (2FA) that Gmail and Yahoo Mail users rely on to secure their accounts.

2FA helps users protect their accounts by adding an extra layer of security: in addition to your username and password you must supply something extra, such as a single-use code delivered by SMS message.

In this case the gang lured the user to a fake website that looked exactly like the user's Gmail or Yahoo Mail login page. Once the user had entered their details into the fake site, the gang entered those details into the real site, which sent a code to the user's mobile phone; the fake site then asked for that code. Once the user typed it into the fake site, the gang entered it into the real site and gained access to the user's email account.

The attackers, working on behalf of the Iranian government, sent emails targeting US Government officials, activists and journalists, specifically those involved in the US sanctions against Iran. First they gathered as much information as they could about each victim and then crafted emails specially targeted at each of them. The emails contained a hidden tracking image that notified the gang in real time when the victim opened the email, so they could carry out the attack while the user was trying to log in.

The attack was also notable for using sender addresses such as notifications.mailservices@gmail.com and noreply.customermails@gmail.com to make the messages look like official emails from Google.

We would urge all users of any service to check the links in emails very carefully and, if possible, not to use links in emails at all. Keep yourself up to date with security issues by opening an account and signing up for our Security Alerts, Newsletters and Promotional emails.
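Two of the warning signs in this story can be checked automatically: a "Google" notice sent from an ordinary gmail.com mailbox, and a link whose visible text names one host while it really points somewhere else. The following is an added example, not code from the original post; the FREEMAIL list and SYSTEM_WORDS pattern are assumptions, and the sample message is constructed (the sender address is one quoted above).

```python
# Added example: flag a "system" sender at a consumer mail provider, and links
# whose visible text names a different host than the real destination.
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Consumer mailbox providers (assumed list): real service mail is not sent from these.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Local-part words that imitate an automated mailbox (assumed pattern).
SYSTEM_WORDS = re.compile(r"noreply|no-reply|notification|mailservice|security|support", re.I)
HOST_IN_TEXT = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)  # text that looks like a host

def suspicious_sender(from_header):
    """True when a freemail address is dressed up as a system mailbox."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    return domain in FREEMAIL and bool(SYSTEM_WORDS.search(local))

class _Anchors(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append((self._cur[0], self._cur[1].strip()))
            self._cur = None

def mismatched_links(html):
    """(href, text) pairs whose text shows a host that is neither the destination nor its parent."""
    parser = _Anchors()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()
        match = HOST_IN_TEXT.match(text)
        shown = match.group(1).lower() if match else ""
        # www.google.com shown as "google.com" is accepted; a different domain is not.
        if shown and shown != real and not real.endswith("." + shown):
            flagged.append((href, text))
    return flagged

# Constructed sample; the sender address is one quoted in the story above.
SAMPLE_FROM = "Google Notifications <notifications.mailservices@gmail.com>"
SAMPLE_HTML = ('<a href="http://accounts-google.example/login">https://accounts.google.com</a> '
               '<a href="https://www.google.com/">google.com</a>')
```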

Keep Safe

CritchCorp Computers Ltd

Google appeals record GDPR fine

Google is appealing the record-breaking fine for GDPR violations in France. The new European data protection law (adopted into UK law as the Data Protection Act 2018) sets out rules and regulations for the way personal data is collected, gives people the right to know what is collected and how it is being used, and lets them see that data and opt out of its collection. It also imposes an opted-out default, meaning that companies must presume you do not want them to collect or use your data, including for marketing emails, unless you specifically give permission. In simple terms, the tick box asking whether you want to be included in their marketing emails must be unticked by default until you tick it. Companies must also keep, and be able to prove for each person, a record that the person requested the communication or data retention, and people must be able to opt out again just as easily. It gives people control over their personal data, something that was missing in Europe.

The latest fine imposed on Google is for a breach of this new law: Google does not inform people clearly enough about how it collects their data and how it uses that data to serve them with advertising, something that anyone in the industry understands but which now has to be explained so that everyone understands it. You can read more on what Google and other social media and FREE apps do with your data in our new article: http://cc-computers.com/why-pay-for-email-when-gmail-is-free/.

Google has recently been hit with much larger fines, such as the $5 billion fine for anti-competitive Android practices and the $2.7 billion fine over Google Shopping, but this one is the largest to date for a GDPR breach.

To get your company, website and network checked for GDPR compliance, submit a support ticket.

EU Fines Google for GDPR breach

Stay Safe

CritchCorp Computers Ltd

Google Forces Sites to use SSL Certificates

***Notice to all Website owners***

That’s right, as of July 2018 Google Chrome will start reporting non-SSL sites (that is, sites that don’t use https:// for access) as insecure. This is a major change from the current norm, which is to highlight sites that use SSL certificates with a green SECURE next to the address (other browsers use a green padlock). From July this year Chrome will no longer show the green SECURE, but will show NOT SECURE next to any site that does not have an SSL certificate, making an SSL certificate the norm. That is going to be followed in the future by a warning screen that informs users that continuing to your site is not recommended; the warning wall is not being implemented right away, but it is planned.

Google's July update, what it looks like

What the browser will report before and after July for sites that do not have an SSL certificate.

The move forces website owners to get an SSL certificate and make their site secure, even where one is not otherwise required, or risk losing visitors who are scared away.

There are several different types of SSL certificate. The higher (more expensive) ones will still show the green bar in the address bar, but the norm will be to have one of the cheaper ones. If you don’t have any certificate, or it expires, or the company backing it (the certificate provider, not the retailer) goes out of business or has its master certificate rejected, then visitors will be faced with a blocking screen when trying to reach your site, warning that the site is insecure and should not be visited. This is obviously not good for business.

Google has also hinted that sites that use SSL certificates currently get a boost in Google rankings over those that do not.

At CritchCorp Computers Ltd we have a quick and easy way for all our shared hosting customers to comply with this new Google rule: you can purchase a fully managed SSL certificate from your yesDomains account, or submit a support ticket here to get the ball rolling. It is quite an in-depth process, but we will take care of it for you, with as little interaction as possible required from you. Please go here to get started.

The industry is working towards lowering the cost of SSL certificates to nothing and automating the install and renewal process, but that is still in development, so for the time being you will need to purchase an SSL certificate in the normal way. If you want the user’s browser to light up in green then you need to select an Extended Validation (EV) certificate; otherwise the cheaper standard one will suffice to prevent your site being labelled NOT SECURE. We have monthly or annual billing options to spread the cost, but all certificates are annual commitments.

We use Comodo, DigiCert, Symantec, Thawte, GeoTrust and Trustwave certificates. These are strong providers in this field and highly unlikely to go out of business or have their master certificates rejected, which gives you stability and reassurance that your certificate will not become invalid before it expires, as happens from time to time with smaller SSL providers.

If you want to read the Google blog entry about this, with their advertising spin on it, then click here. What this does do is add further costs to businesses. Whilst we absolutely agree that any site that accepts payments or collects user data should be secure, there are still many sites that do neither, so forcing them to have a certificate does seem unfair to us; but that is what the mighty Google has decided, and so it shall unfortunately be.

There has been some discussion about the colour of the NOT SECURE label. The current SECURE label is green, and it is understood that the new NOT SECURE label will be red, although some discussions at Google suggest it will be more neutral. Whichever it is, it isn’t good for business.

Keep safe

CritchCorp Computers Ltd

About Mat Honan’s Epic Hacking

I am sure that you have all heard about Mat Honan’s very bad weekend by now, but just in case you have not, here is an overview of what happened. There is a very good podcast that you can listen to if you want the full story, or you can read the transcript: http://www.grc.com/sn/sn-364.txt, or read Mat’s own account: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

If you regularly keep up to date with security news then you will have heard all about this story. This article is intended for those who do not keep up with the news, find it too complicated or technical to follow, or just don’t have time to keep up to date with this stuff. As this is an important story, I have written this brief summary of it here.

Firstly, who is Mat Honan? He is a reporter for Wired magazine and a former senior reporter for Gizmodo. He knows a thing or two about technology.

This is a brief summary of what happened to him a couple of weeks ago, so that you can be aware and not make the same mistakes as he did. He thought he was safe because he used long, gibberish passwords, but that did not help him in this case.

In the space of one hour Mat’s entire digital life was destroyed. Here is the order of things that were done:

  1. Google account taken over, then deleted
  2. Twitter account taken over
  3. Apple ID taken over and remotely erased his iPhone, iPad and MacBook

Here is how they did it and what you need to watch out for.

The hackers were only after his Twitter account, as he has a nice handle (@mat). To get to it they destroyed his digital life. Firstly, they noticed that his Twitter account was linked to his personal website. On his personal website they found his gmail.com address. Using Google Mail’s account recovery they discovered that he had a @me.com address, which he used as the backup address for password resets. They also had his name and address, which they obtained from his website but could have obtained in a number of ways. Let’s face it, every time you order a pizza you give out your name and address, and you probably throw away lots of junk mail with your name and address on it. There are also numerous ways online to get that information.

So, with this information they phoned, yes phoned, Amazon. Claiming to be Mat, they said they wanted to add a credit card to their account. With the name and billing address they were able to do this, using a credit card number made up by a website devoted to generating numbers that conform to the card-numbering algorithm. They then hung up and phoned back, saying that they could not get into their account (Mat’s account). They were asked for their name, billing address and a credit card on file; using the card they had just added, they were able to add a new email address to the account. They then went to the Amazon website and performed a password reset to the new email address they had just added.

They could now see all the credit cards previously added to the account, including the real card that Mat uses. Granted, it is only the last four digits of each card, as that is what Amazon considers safe to show you (as do a lot of other companies). They then called AppleCare and said that they had lost access to their (Mat’s) @me.com account. Apple kindly helped this fake Mat to recover his password by issuing a temporary password over the phone, which can then be used to access the account and change its password. This was issued despite the fact that the hackers could not answer any of the security questions on file!! In the end all they needed was his name, his address and, yes, you guessed it, the last four digits of a credit card on file.

Once they had hacked into his @me.com account they could request a password reset from Twitter, which went to his @me.com address, and they quickly reset his Twitter password. This was their intended goal, as they could now tweet in his name and upset his followers, just for the fun of it!

Here is the horrible bit. In order to stop Mat from regaining control of his accounts, they deleted his Gmail account and performed a remote wipe of his iPhone, iPad and MacBook, destroying the only copies of the pictures of his daughter’s first year and a half and of relatives who are no longer in this world. It was not the hackers’ intention to delete these things; they were just collateral damage on the way to the main goal, his Twitter account.

You need to be aware of where your accounts lead to and what information you leak through them. Information these days is very easy to get hold of because people do not protect it well enough.

Amazon has since confirmed that it will no longer accept information over the phone in this way. Apple has not yet confirmed that it has closed these obvious loopholes; however, it did take an immediate temporary measure and stopped issuing temporary passwords over the phone. We are still waiting to see what their permanent fix will be.

It is important to note that the companies followed their procedures, and the procedures let the customer down. We make things easy from a customer service point of view, and that lets the bad guys in too. It is a shame that we need any security at all; it would be nice if we could just have a username and no password, but we need passwords and we need to make sure they are secure. The problem most companies face is keeping the customer happy and secure, and that is a tall order, as most of the time convenience is the enemy of security. The easiest way to think of it is as a sliding scale with security on one side and convenience on the other: the more convenient we make it, the less secure we make it.

Keep your personal data private and do not expose it unnecessarily. As I have always said, it is best to have your own domain name and email address, and not to use a free generic one for any of your key services: one that you maintain complete control of and that cannot be taken over in any way by social engineering attacks such as this one. Don’t get me wrong, there are uses for the free accounts, but not as your main email address and not as password recovery addresses, as these free accounts are constantly hacked into by this and other methods. They are far too liable to this kind of attack.
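To make "where your accounts lead to" concrete, here is an added example (not from the original article or from Mat's write-up) that models the recovery chain described above as "what you need, what you get" rules and computes what is reachable from public information; the rule names and the "how" wording are my simplified reading of the story, and the check at the end shows which single recovery path, if closed, would have stopped the chain.

```python
# Added example: the account-recovery chain from the story as rules, plus a
# closure that shows what an attacker starting from public information reaches.
# Rule names and wording are a simplified reading of the article, not a fact source.
RULES = [
    ({"twitter handle"}, "personal website", "linked from the Twitter profile"),
    ({"personal website"}, "gmail address", "published on the site"),
    ({"personal website"}, "name and address", "published on the site"),
    ({"gmail address"}, "me.com address", "Google recovery page shows the backup mailbox"),
    ({"name and address"}, "card on amazon account", "phone call to add a card"),
    ({"name and address", "card on amazon account"}, "amazon account", "phone call to add an email, then reset"),
    ({"amazon account"}, "card last four digits", "shown on saved payment methods"),
    ({"me.com address", "name and address", "card last four digits"}, "me.com account", "AppleCare temporary password"),
    ({"me.com account"}, "twitter account", "password reset mail"),
    ({"me.com account"}, "gmail account", "password reset mail"),
    ({"me.com account"}, "apple id", "same credentials"),
    ({"apple id"}, "remote wipe of iPhone, iPad and MacBook", "remote erase via the Apple ID"),
]

def reachable(start, rules=RULES):
    """Fixed-point closure: apply rules until nothing new is gained.
    Returns the set of things held and the ordered (gain, how) steps taken."""
    held, steps = set(start), []
    changed = True
    while changed:
        changed = False
        for need, gain, how in rules:
            if gain not in held and need <= held:  # all prerequisites already held
                held.add(gain)
                steps.append((gain, how))
                changed = True
    return held, steps

def without(rules, gain):
    """Defender's view: close every recovery path that yields `gain`."""
    return [r for r in rules if r[1] != gain]

def weakest_links(start, rules=RULES, critical="remote wipe of iPhone, iPad and MacBook"):
    """Gains whose recovery path, if closed on its own, stops `critical` being reached."""
    return sorted({g for _, g, _ in rules
                   if critical not in reachable(start, without(rules, g))[0]})
```

Run from the single public fact `{"twitter handle"}` the closure reaches the device wipe; removing only the AppleCare temporary-password rule leaves the Amazon details exposed but nothing beyond them.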


CritchCorp.