Microsoft Bug “BlueKeep” May Affect Millions


Overview:

On May 14, Microsoft issued a software update patch for its Remote Desktop Protocol (RDP). These patches fixed RDP vulnerabilities in older Windows operating systems including Windows Server 2008, Windows Server 2003, Windows 7, Windows XP, and Windows Vista. A few weeks ago, the National Security Agency (NSA) put some heat on system admins to patch, stating: “Microsoft Windows administrators and users [must] ensure they are using a patched and updated system in the face of growing threats”. The NSA revealed that around one million internet-facing machines are still vulnerable to this threat, which is now being called “BlueKeep”. If the vulnerability were exploited, it would allow the hacker to launch a malware attack with the potential to spread through the network to all other vulnerable computers. Many security experts expect this vulnerability to be wormable and weaponized quickly, in a similar vein to what happened with WannaCry in 2017, which led to as much as 4 billion dollars in losses.

Why is it Important?

It is very important to be aware of which systems in your business need to be updated or replaced. Regular vulnerability scans show where the vulnerabilities are; however, the underlying issue is that many businesses run old equipment that they believe works perfectly fine. The problem with these systems is that once they reach End of Life (EOL) or End of Support (EOS), the vendor no longer releases updates for the product, leaving critical, unpatchable security vulnerabilities. In the case of the “BlueKeep” RDP vulnerability, Microsoft deemed it so serious that it took the extra step of releasing patches for EOL and EOS operating systems.

Importance of Patch Management

It is critical for your business to maintain a strong patch management program, but patching alone may not be enough. The businesses that CyberHoot.com consults with gain access to a Vulnerability Alert Management Process (aka VAMP) that outlines response priorities for critical patches and vulnerabilities like BlueKeep. Over half of attackers take advantage of software vulnerabilities as a gateway into companies’ information systems. VAMP lets organizations review their vulnerabilities, weaknesses, and potential threats and mitigate them on a timetable everyone has agreed to in advance. Its timelines for planning and remediation, and its lines of responsibility, are all codified before the pressure of a rampant worm or weaponized vulnerability like WannaCry attacking businesses all over the world.

Call to Action

CyberHoot helps businesses like yours build and enhance cybersecurity programs to include critical processes like VAMP and Patch Management, while also automating governing and training employees with robust cybersecurity policies and awareness programs.

As employers and resellers, we need to be perfect at protecting our critical accounts and critical data; hackers only have to succeed once for a costly cyber incident or breach. Improve your odds of success by visiting CyberHoot.com and signing up for a free 30-day trial to begin closing the Cybersecurity skills gap by training your employees. Our 5-min Cyber “Hoots” teach your staff about Passwords, Passphrases, Password Managers, Two-factor Authentication, WiFi Insecurities, and dozens of other important cybersecurity topics. Are you doing everything you can to reduce your risks?

Head over to our CyberHoot Website and sign up for a free 30 day trial.

Author, Ty Mezquita, Blogger/Social Media – CyberHoot

Editor, Craig, Co-Founder – CyberHoot

Cyber “Hoot” Wednesday: Cybersecurity Training is a School Curriculum Necessity


Editors Note:

This is a reprint of an article I wrote for New Hampshire Business Review in June 2017 outlining the need to make cybersecurity education part of our school curriculum.

With so many cities and towns across the US paying hefty ransoms this year, and more than 1900 breaches reported as of May 31st, 2019 for this year alone, preparing our students with some rudimentary cybersecurity skillsets has never been more critical, and it offers the potential for a strategic advantage. Historians will look back at the 21st century as a transitional period where traditional brick-and-mortar businesses either redefined themselves with eCommerce, online goods and services, or went the way of the buggy. Will the US be known for the quality of employees it produced, prepared for the 21st century challenges we all face, or will we be left behind as nothing more than a footnote to some other country that does better?

Finally, be sure to tune into the Enterprise Security Weekly podcast today when CyberHoot Co-Founder Craig Taylor is interviewed by Matt Alderman on the topic of Cybersecurity Awareness Training.

Students Must Learn How to Protect Themselves Online

Do you think about cybersecurity training in your son or daughter’s K-12 school? If not, you should be.

Take it from a cybersecurity veteran: we are not preparing our kids to spot and defend against online attacks, nor are we educating them on the best protective measures.

Schools do a decent job teaching children about some cybersecurity topics including:

— The harm of cyber bullying

— Why you should never sext (send nude photos by text)

— Understanding important privacy issues on Facebook and other social media platforms

It is important to learn about these topics, but schools mostly fail to educate students on the fundamentals of 21st century online cybersecurity risks. Passwords, password management and password tools are rarely, if ever, discussed. Learning the fundamentals of a phishing or social engineering attack is woefully absent from our basic computer curriculum.

Why is it Important?

Why is it important to educate young students about these threats and to teach them necessary habits of online protection? Learning online protective habits early matters a great deal. From a cybersecurity perspective, the internet is the great equalizer for all nations, peoples and groups. It is cheaper and easier than ever before in the history of the world for an anonymous attacker to target anyone, any business, located anywhere in the world.

Whether you’re a cybersecurity expert like myself, a youngster playing online games or a parent checking their bank account, the risks we all face come in many shapes and sizes. For all its conveniences and efficiencies, the internet has no borders or boundaries. For criminals it has become a revival of the Wild West – a frontier where policing and the law are usually one or two steps behind emboldened and very smart hackers.

A Pew Center study on cybersecurity in 2017 highlighted a troubling dichotomy among adults. The study found that while most Americans have directly experienced some form of data theft or fraud, many admit they “are failing to follow digital security best practices in their own personal lives, and a substantial majority expects that major cyberattacks will be a fact of life in the future.”

While teaching our children as early as possible is imperative, the good news is we’re not talking rocket science. The rules of cybersecurity are as easy to learn as it is to drive a car, and just as safe driving is tied to defensive driving, so too is the need to defensively operate our computers today.

Fortunately, schools and students are beginning to recognize this need. A series of investigative stories on the IT website FedScoop.com highlighted the challenges and opportunities of integrating cybersecurity literacy into school technology curriculum as early as possible. “Using technology is one of the three ‘Rs’ of the 21st century,” said Michael Kaiser, executive director of the National Cyber Security Alliance, referring to the traditional subjects of reading, writing and arithmetic. “If you don’t graduate from high school knowing how to use technology, it’s going to be a hindrance in the same way if you don’t know how to read.”

Making basic cybersecurity literacy a new ‘R’ in school curriculum will expose students to lessons that can last a lifetime and teach them critical steps to protect themselves. The time to create good cybersecurity habits is when children first begin operating a computer. Rather than trying to “unlearn” bad habits (as identified in the Pew study) we should build a strong foundation of cybersecurity literacy skills in our students as early as possible.

We can do a better job of preparing our students to enter the workforce with a strong set of cybersecurity literacy skills. We can begin with a focus on the topics mentioned earlier: passwords, their management and tools, as well as understanding social engineering and phishing attacks. Engaged and enlightened students with a modicum of cybersecurity literacy will make a huge difference in creating a workforce prepared to defend against the daily cyberattacks in our homes and businesses of today and tomorrow.

Craig, Co-Founder – CyberHoot

Editor’s Call to Action: two years on from my original article, the state of cybersecurity in our cities, towns, and businesses is no better; in fact it’s gotten much worse. If you’re a city, town or business manager/owner and you want a simple solution to attack this problem proactively, putting the odds in your favor instead of the hackers’, sign up for free training for 30 days at CyberHoot.com. Or, contact sales@cyberhoot.com if you have questions or want a reseller to set up and run your training program for you. We have both options available.

I encourage anyone who will listen to deal with this problem head-on – train your employees and take control of your destiny by improving your employee odds of recognizing an attack and avoiding it.

For the Month of July 2019, anyone who signs up for free training will get 2 months free. We’re so confident you’ll love our solution we’re willing to give it away free for 60 days to convince you! Try it to be certain. You’ll be glad you did.

Cyber “Hoot” Wednesday: Two-Factor Authentication


We’re all familiar with using passwords, and some of us are experienced with password managers, but they aren’t always the best way to secure your critical accounts. If you’re using a password manager you may be surprised that sometimes these unique, complex, randomly generated passwords are still not enough to secure your critical accounts. To protect your critical information and accounts you need something even stronger and more secure, something technologists and IT professionals call two-factor authentication, often abbreviated as 2FA.

What is Two-Factor Authentication?

Two-factor authentication is simply combining and using two of the following three identification factors:

Something you know – a password or passphrase on your account;

Something you have – your cell phone’s ability to provide a random 6-digit code or to receive a code from a text message;

Something you are – your physical characteristics such as a fingerprint, facial recognition, voice recognition, or even an iris scan.

If you use two of these three identification factors, you are using 2FA to authenticate yourself, and your critical accounts and data will be properly secured. This is the gold standard of authentication and protection.

Why is 2FA Important on Critical Accounts?

According to this Symantec infographic, “80% of data breaches could be eliminated by the use of two-factor authentication.” Hackers know most people have never been trained on creating strong passphrases, using password managers, or setting up two-factor authentication to protect their critical accounts and data. Consequently, hackers send millions of sophisticated phishing attacks trying to steal our usernames and passwords. Once someone clicks on one of these phishing campaigns and attempts to log in to a real-looking but fake website, the hacker has their credentials. If the hacker has broken into one of your critical accounts such as your email, bank, or Virtual Private Network (VPN), they can do serious damage to you and your reputation or your company’s reputation.

Domino Attack Risk

In my blog article on Domino Attacks, hackers target every single person you’ve corresponded with from that compromised email account with sophisticated phishing attacks. The dominoes begin to fall as hackers break into your contacts’ critical accounts person by person and company by company.

Account Reset Risk

If hackers breach your email account, they also control the mailbox where all your other account-reset emails go for approval. Besides the Domino Attack and the personal information hackers can sift through, a compromised email account allows hackers to reset your other account passwords and grant themselves access to more of your digital life. However, if you’re using two-factor authentication on your email account, you can prevent this victimization.

“If I don’t click phishing links, do I need two-factor authentication?”

Yes. Hackers now find your credentials in several ways besides successful phishing attacks. They can acquire your credentials from underground forums that trade stolen credentials from breached websites. Others use viruses like Trickbot or Emotet to steal credentials from infected machines you may be using. Using a second factor on your critical accounts is something hackers cannot get around, because to compromise your 2FA-protected account a hacker would need access to your cell phone and be able to unlock it to gain access to the randomly rotating codes in your 2FA application.

“How hard is it to setup 2FA?”

Not hard at all. Setting up 2FA on all your critical accounts (you’re probably already doing this for your bank accounts) is easier than you may think. Most 2FA is already available, free to set up, and easily found within your online account’s “Password” or “Security” settings. Look for “Advanced Security” or “Advanced Settings”, or search for “two-factor authentication” in the website’s help menus. Calling the website’s support line is another option to walk you through the setup quickly and easily. There’s even a website dedicated to listing which websites support 2FA and which do not.

Conclusion:

Don’t let hackers get the upper hand on your critical accounts. Protect yourself personally and professionally by setting up two-factor authentication today on all of your critical accounts. It’s the perfect example of “an ounce of prevention being worth a pound of cure”. You’ll be happy you did.

Call to Action:

As employers and resellers, we need to be perfect at protecting our critical accounts and critical data; hackers only have to succeed once for a costly cyber incident or breach. Improve your odds of success by visiting CyberHoot.com and signing up for a free 30-day trial to begin closing the Cybersecurity skills gap by training your employees. Our 5-min Cyber “Hoots” teach your staff about Passwords, Passphrases, Password Managers, Two-factor Authentication, WiFi Insecurities and dozens of other important cybersecurity topics. Are you doing everything you can to reduce your risks?

Craig, Co-Founder – CyberHoot

Quest Diagnostics Data Breach Affects 12 Million Customers


Overview

In May of 2019, medical testing company Quest Diagnostics had its second data breach in three years, in which 11.9 million customers’ personal information was compromised. The breach likely came through its third-party billing system, the American Medical Collection Agency (AMCA). The compromised data included customers’ medical and financial information, including social security numbers, credit card numbers, and bank information. The breach surfaced on May 19, when researchers found payment card details for 200,000 Quest Diagnostics patients for sale on the dark web.

Then, on June 6th, LabCorp, a competitor of Quest Diagnostics, announced its own breach of nearly 7.7 million records and noted it was related to the same AMCA website that Quest reported. That’s a total of 19.6 million financial and medical records suspected breached.


What may have happened…

The data breach likely came through the third-party vendor, the American Medical Collection Agency. The AMCA provides services to Optum360, a Quest billing contractor. Quest reported that it believes the unauthorized activity took place on the “AMCA’s web payment page”, which may suggest that the intrusion came through skimming. Skimming on the Internet happens when someone maliciously injects malware into a website’s payment pages. This has happened many times in the past at the hands of a group that goes by the name Magecart. Magecart is a group of hackers known for stealthy and creative ways of injecting malware into webpages that is difficult to detect. Magecart was behind many high-profile breaches in the past, including British Airways and TicketMaster.

There are three ways skimming typically occurs on a website: keylogging, sniffing form submissions, and form jacking. All three steal information in different ways, but they all produce the same result: they convince your browser to send critical data (a credit card number, for example) entered into the payment web page back to the hackers without your knowledge.

Mitigating Controls for Web Applications:

There are a few ways companies can prevent something like this from happening to them. First, they could implement data encryption; encrypted data is useless to hackers because it is unreadable without the decryption key. Secondly, they could perform regular web application risk assessments: scan for vulnerabilities, identify risk sources, and remediate them in a timely fashion. Thirdly, they could add another layer of protection by running different parts of the website under separate accounts and/or behind a Web Application Protection solution that might identify data exfiltration such as was reported here. Finally, businesses can implement fraud indicators (also known as red flags) which perform regular scans to identify when and if there has been a data breach of some kind.

Tips for Businesses with Web-facing Applications:

Businesses have never been under more sophisticated and frequent attacks. Cybersecurity spending on defenses is set to top 1 trillion dollars in aggregate by the end of 2021. Web applications are one of the weak links hackers are exploiting. You must consider implementing some of the mitigating controls above to protect you and your clients from Internet attacks and to discover attacks as quickly as possible when hackers exploit some error in your web application.

Tips for Businesses who Grant Critical Data Access to 3rd Parties:

In this case, neither Quest nor LabCorp themselves were compromised. It doesn’t really matter though, does it? The damage to their brand has been done. Their names will forever come up in Google searches of major security breaches and stolen data. If you outsource your critical data processing to a 3rd party, you need to examine them for cybersecurity preparedness. Do not assume they know what they’re doing. Directly inspect them with a site visit or audit. Really review their auditor reports if they have them. At a minimum, send them a 3rd Party Cybersecurity Awareness Questionnaire, which is available to clients of CyberHoot.com.

Tips for Individuals whose data was potentially Breached:

Individuals whose personal medical and financial data was breached, including social security numbers, should follow the same advice provided for the Experian and Anthem breaches. Freeze your credit until you need to use it for your own purposes. I have frozen my credit at ALL FOUR credit agencies and twice lifted the freeze for myself – once to buy a car and once to change credit cards at my bank. Both times it was easy and painless… but I sleep better knowing I’ve made it as hard as possible for hackers to breach my personal credit with my compromised Social Security number, medical, and financial records. Freeze yours as well. Here’s how.

Author, Ty Mezquita, Blogger/Social Media – CyberHoot

Editor, Craig, Co-Founder – CyberHoot

Sextortion Email Scam: Don’t Allow Yourself To Be Victimized

Sextortion Scam

Hackers are using new tricks to get information or money by blackmailing people through emails. In this latest blackmail scheme, hackers use an individual’s old password, found on the dark web, to add credence to their claims that they have compromised your computer, recorded images of you surfing pornography, and then demand a bitcoin payment to prevent public release.

Unlike many other real-world sextortion cases you may have heard about including revenge porn and the misuse of sexting, this latest threat is 100% a hoax.

But How Could a Hacker have my Password?

As documented in my CyberHoot Wed. piece on Passwords, Passphrases, and Password Managers, the website ‘https://HaveIBeenPwned.com’ is a legitimate and useful site you can visit to see if any of your email accounts and passwords are part of the more than 8 billion records of publicly disclosed breaches at LinkedIn, DropBox, Yahoo, and many others. The unfortunate truth is that this is just the tip of the iceberg when it comes to compromised credentials, with many more accounts and passwords available on the “Dark Web” in private forums where cyber-criminals sell these credentials for profit. This is where your Sextortion email likely secured that “really old password” you barely remembered having!

In this Sextortion scheme, hackers mine the dark web for credential pairs (email and password) and craft the message (shown below) to induce panic and convince you to pay a bitcoin ransom to prevent the release of photos to your social media accounts.

I do know, [redacted], is your password. You do not know me and you are probably thinking why you are getting this e mail, correct?

Actually, I placed a malware on the adult videos (porno) website and do you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) that has a key logger which gave me accessibility to your display and also webcam. After that, my software program obtained all your contacts from your Messenger, Facebook, as well as email.

What exactly did I do?

I made a double-screen video. Fist part displays the video you were viewing (you’ve got a nice taste haha) and second part shows the recording of your webcam.

What exactly should you do?

Well, I believe, [insert various dollar amounts], is a reasonable price tag for our little secret. You’ll make the payment via Bitcoin. (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: [redacted] (It is cAsE sensitive, so copy and paste it)

Important:

You have one day to make the payment. (I’ve a unique pixel within this email message, and now I know that you have read this e mail). If I do not get the BitCoins, I will definitely send out your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I receive payment, I’ll erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video to your 9 friends. It is a non-negotiable offer, that being said do not waste my time and yours by replying to this e-mail.

I’ve received many inquiries about this scam and whether hackers could really pull off this “Sextortion Attack”. Checking whether the quoted password was part of a breach by visiting the HaveIBeenPwned.com site should provide you the relief you’re seeking. If your password was part of a breach, you can confidently ignore this extortion. If on the other hand your password was not reported on that site, you should think about whether you could have clicked on a phishing email or fallen for another attack recently. Running a MalwareBytes scan on your computer and/or an AV scan wouldn’t hurt. Knowing that you don’t surf pornography, don’t have a web camera, or keep your web camera covered should also provide some automatic relief. Technically, everything the hacker claims to have done could be done. But the presence of an old breached password is usually a dead giveaway that this hack is a HOAX. I have not known a single person to pay this scam… but given its prevalence someone must be paying!

Now that I know this is a hoax, what should I do?

A good response is to delete the message and never give it another thought, however, the best response, would be to read my article on Passwords, Passphrases, and Password Managers (link above). Learn how to use a Password Manager, Pass Phrases, and then slowly begin to replace all your old passwords with strong, long, random passwords generated and managed by your Password Manager. You’ll be more confident, secure, and productive!

Follow our LinkedIn page for other updates: CyberHoot LinkedIn

Craig, Co-Founder – CyberHoot

Cyber “Hoot” Wednesday: Passwords, Passphrases, and Password Managers


Welcome to Cyber “Hoot” Wednesday. On Wed. Cyber Al will be publishing a series of cybersecurity articles outlining the most important concepts you need to understand and skills you need to learn to protect yourself personally and professionally. Grab a cup of coffee, sit back, relax, and read on! We’re glad you’re here.

How secure are your Passwords?

According to the 2018 Verizon Data Breach Investigations Report (aka DBIR), nearly 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years or more. Unsurprisingly, about 40 percent of those surveyed say they had “a security incident” in the past year, meaning they had an account hacked, a password stolen, or were given notice that their personal information had been compromised.

It’s no secret that passwords are a pain. Using them safely and effectively is even harder. Read on to learn about the best practices you may not know you didn’t know.

Have my Passwords been Breached?

Unless you’ve invested the time to learn a password manager, you’re probably like most people and are re-using passwords everywhere you go online. More than 8 billion passwords have been publicly reported breached. And that’s just the tip of the iceberg, as many more passwords and credentials have been breached but not publicly reported! As a result you may be surprised to learn that your favorite passwords are likely to have already been breached! You can check here to find out where, when, and what was breached: https://haveIbeenpwned.com
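The password check on that site, referenced here and in the Sextortion article above, never receives your actual password: it uses a k-anonymity lookup in which only the first five hex characters of the password’s SHA-1 hash are sent and the rest is matched on your own machine. Below is an added example of that lookup (not CyberHoot’s code); the endpoint is the service’s documented Pwned Passwords range API, but the range response and breach counts here are constructed so the example runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Pwned Passwords range API (k-anonymity): the client sends only the first five hex characters
# of the SHA-1 of the password and gets back every suffix sharing that prefix with its count.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response body (real ones run to several hundred lines).
# The first suffix is the genuine SHA-1 tail of the string "password"; its count and the
# second line are made up for this demo.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    + "0" * 34 + "A:1\r\n"
)


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Only the 5-char prefix leaves the machine; the 35-char suffix is matched locally."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Each line is '<35 hex chars>:<count>'."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times this exact password appears in the breach corpus; 0 means not found."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for an HTTPS GET of RANGE_API + prefix, so the example needs no network."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "Tiger fins R not real."):
        print(f"{candidate!r}: seen {pwned_count(candidate, offline_fetch)} times")
```

To query the live service, replace `offline_fetch` with a function that performs `GET RANGE_API + prefix` and returns the response body; the password itself still never leaves your machine.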

July 2019: 8+ Billion breached passwords publicly disclosed.

Are you using a Password Manager?

Password Managers are purpose-built applications that are installed on your phone and inside your browser as a “plugin”, and they encrypt your critical passwords, passphrases and other data such as credit cards and even driver’s licenses for easy but secure reference. When it comes time to log into a website, they will fill your username and password into that website if they find a match in your database of stored accounts based upon the domain name or website name you are visiting. I find them to be the single best productivity solution I’ve learned in the last 20 years. However, Password Managers must be protected with a 16-20 character passphrase that you carefully create and practice so that you never, ever, EVER forget it! Don’t write your Password Manager passphrase down. Learn it and practice typing it 10 times before you commit to using it. If you lose or forget your Master Passphrase, your data will be lost!

Pro TIP: Password Managers can sometimes save you from being compromised by a phishing attack. They simply won’t provide your credentials to log into a bogus website. Let’s say you’re being phished and you click a link to log into GMAIL, but the website you actually visit is GMA1l.com (the i is a 1). If you’re using a password manager, it will remain mute and not give up your password, because it cannot be fooled by the incorrect domain name. If you are a professional Password Manager user, you won’t even know your password to the site to type it in manually, because pro users leverage the random password generator for each of their logins, providing even more protection. Cool right?!
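The pro tip above works because the manager keys its vault on the site’s registrable domain rather than on what the page looks like. The following added example, not the code of any real password manager, models that autofill decision and extends the article’s GMA1l.com case to a few other lookalike URL tricks; the vault entry and credentials are constructed demo values.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault entry: registrable domain -> (username, password). Demo values only.
VAULT = {"gmail.com": ("cyber.al@example.com", "4#4r8FFzz6Bi7@i0BR7")}

Decision = Tuple[Optional[Tuple[str, str]], str]


def registrable_domain(host: str) -> str:
    """Last two DNS labels of the host. Real managers consult the Public Suffix List so that
    names like example.co.uk are handled; this demo keeps the simple two-label rule."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_decision(url: str, vault=VAULT) -> Decision:
    """Decide whether to release stored credentials to the page at `url`.
    Returns (credentials or None, reason)."""
    parts = urlsplit(url)
    host = parts.hostname or ""            # hostname strips the port and any user@ prefix
    if parts.scheme != "https":
        return None, "refuse: page is not served over HTTPS"
    if not host:
        return None, "refuse: no host in URL"
    domain = registrable_domain(host)
    creds = vault.get(domain)
    if creds is None:
        return None, f"stay silent: no vault entry for {domain}"
    return creds, f"fill: {host} belongs to {domain}"


if __name__ == "__main__":
    for candidate in (
        "https://mail.gmail.com/inbox",          # legitimate subdomain: fill
        "https://GMA1l.com/login",               # the article's lookalike (the i is a 1): silent
        "https://gmail.com.evil.example/login",  # real name used as a subdomain of another site
        "https://gmail.com@evil.example/login",  # real name hidden in the user-info part
        "http://gmail.com/login",                # right name, insecure transport
    ):
        creds, reason = autofill_decision(candidate)
        print(f"{candidate:40} -> {reason}")
```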

Password Security

Even with Password Managers, passwords just aren’t going away any time soon. Consequently, you need to know how to create a strong password (or better yet a strong passphrase) to protect yourself. The remainder of this article will show you easy ways to create super-strong passphrases and why learning how to use a Password Manager is the best way to protect your critical information, accounts, and identity!

How to create a super-strong passphrase

1. Think of a multi-word phrase: you can use your favorite song lyrics, poem, book phrase, or your imagination to create idea statements (passphrases) that will be memorable to you but hard to guess by hackers.

Here are some examples to get you thinking:

  • People like 2 phish!
  • Ham windows smell.
  • Tiger fins R not real.

The above are considered super-strong passphrases. They are much harder for hackers to breach than even a randomly generated 9-character password like this: x&3h10_!E. This is due to the enormous gains in entropy that come with the length of each phrase. The longer the passphrase, the stronger and more difficult it is to crack. With today’s computer hardware advances, a sub-$2000 machine can crack your randomly generated 9-character password in less than 5 days via brute-force attack. Here’s a free password strength meter to see what I mean and to test your own passwords with.
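To put numbers on the entropy argument, here is an added example (not from the article) that estimates keyspace and worst-case cracking time for the article’s own samples. The guess rate is an assumption calibrated to the article’s “9 characters in under 5 days” claim, and the example goes one step beyond the text by also scoring a phrase the way a word-aware attacker would, which is what makes each additional word count for more than an extra symbol.

```python
import math
import string

# Assumed guess rate: calibrated so that a 95-symbol, 9-character random password takes just
# under 5 days to exhaust, matching the article's "sub-$2000 machine" claim. Real rates vary
# with the hash algorithm the site used; this is an illustration, not a benchmark.
GUESSES_PER_SECOND = 1.5e12
SYMBOL_POOL = len(string.punctuation) + 1   # 32 punctuation characters plus the space


def charset_size(password: str) -> int:
    """Smallest standard pool (lower/upper/digit/symbol classes present) a brute-forcer must cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c == " " or c in string.punctuation for c in password):
        size += SYMBOL_POOL
    return size


def brute_force_bits(password: str) -> float:
    """Entropy if each character is an independent random draw from the pool: what a random
    generator really delivers, and the best case for a phrase against blind brute force."""
    return len(password) * math.log2(charset_size(password))


def phrase_bits(word_count: int, vocabulary: int, extra_bits: float = 0.0) -> float:
    """Conservative model for a phrase: the attacker guesses word by word from a vocabulary
    (e.g. 20,000 common words) and brute-forces only the digit/punctuation decorations."""
    return word_count * math.log2(vocabulary) + extra_bits


def days_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses per second."""
    return 2 ** bits / rate / 86400


if __name__ == "__main__":
    random9 = "x&3h10_!E"
    phrase = "People like 2 phish!"
    print(f"{random9!r}: {brute_force_bits(random9):.1f} bits, "
          f"{days_to_exhaust(brute_force_bits(random9)):.1f} days")
    print(f"{phrase!r}, blind brute force: {brute_force_bits(phrase):.1f} bits")
    # 3 words from a 20,000-word list plus ~10 bits for the "2", capitalisation and "!"
    three = phrase_bits(3, 20000, 10)
    five = phrase_bits(5, 20000, 10)
    print(f"{phrase!r}, word-aware attacker: {three:.1f} bits, {days_to_exhaust(three):.2f} days")
    print(f"5-word phrase, word-aware attacker: {five:.1f} bits, {days_to_exhaust(five):.0f} days")
```

The word-aware figures are the reason tip 1 below asks for 15-20 or more characters and the reason adding a fourth or fifth word strengthens a phrase far more than adding a digit.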

Password TIPS:

1. Make sure you use 15-20 (or more) characters in your passphrase.

2. Use a Passphrase to unlock your Password Manager.

3. Let your Password Manager generate, fill and store randomly generated passwords for the rest of your online accounts.

4. Don’t write passwords down or store them in a spreadsheet or electronic document unless you encrypt it with 256-bit AES encryption.

5. Use unique passphrases to unlock your computer desktop or laptop.

6. Convince your IT Director to migrate to 14+ character non-complex, non-expiring passphrases at your workplace and stop changing them every 90 days. Adopt these NEW NIST password standards. You’ll be happy you did, especially if you also learn how to use a Password Manager.

7. Many Password Managers are free for personal use. Learning to use a password manager is like learning to type: difficult at first, but once you get the basics down you’re way more productive and, in this case, much better protected personally and professionally.

8. For really critical accounts (banking, email, remote access to your company over a Virtual Private Network) you must enable two-factor authentication. Most often this is a text message to your cell phone that you pair with your username and password, creating two things that you must provide to authenticate. Thus it is called two-factor authentication. Two-factor (aka Multi-Factor) authentication will be the subject of next week’s CyberHoot Wed. article, so come back next Wed. for another installment of Cyber Al’s Wed. Cyber Hoots!

Please take a moment to like us on Facebook and follow us on our LinkedIn page. It will ensure we’re here supporting Small to Medium-sized businesses for the long run. Thanks!

Craig, Co-Founder – CyberHoot

How to Recover a Hacked Email Account

It’s Friday before a long weekend and hackers are up to their old tricks! Hackers just love to hack into our email accounts before a long weekend to give themselves an extra day or two of trolling your network, your email, and your data for juicy information.

This article outlines steps to take (do them now!) if your email account has been compromised.

Step #1: Change your password (immediately!)

The very first thing you should do is keep the hacker from getting back into your email account by changing your password to a strong password or, better yet, a passphrase (see below). Make sure it’s not related to your prior password: if your last password was SpotBeagle2, don’t pick SpotBeagle3; and if your dog Spot is a Beagle, you shouldn’t have been using your dog’s name and breed as your password in the first place. Better yet, read the suggestions below and choose to use the strongest password mechanism you can stomach!

Level 1 Passwords (strong): Try using a meaningful sentence as the basis of your new password. For example, “I go swimming twice a day in my pool” turns into “Igs2AdimP” using the first letter of each word in the sentence, mixing uppercase and lowercase letters and replacing the word “twice” with “2.” 

Weakness: length; 9 characters can be cracked by any modern computer in about 5 days.

Level 2 Passwords (stronger): Use a full sentence or a set of words without abbreviating them to create a Pass-phrase. “Jelly is yum!” is nonsensical, arguably easy to type, certainly easy to remember, and at 13 characters in length difficult to hack using brute force. Hackers absolutely hate you when you do this! Even Edward Snowden agrees in this post.

Weakness: your ability to memorize one of these for each and every account you own.

Level 3 Passwords (strongest): Level 3 is not for the faint of heart. It involves beginning the journey into adopting, learning, practicing, and using a Password Manager. I recommend LastPass as a great commercial grade password manager that integrates well with personal users at businesses. Other options include DashLane and 1Password. Password Managers allow you to move to 15-30 character random passwords without sweating it. I no longer know any of my passwords except my Master Pass Phrase that unlocks my password manager. All Password Managers can generate random passwords for you like these: $4tV$mrWcVqj2X8oY3p or uQ2d@L9xRglLIcn*ZY0 or 4#4r8FFzz6Bi7@i0BR7. 

Weakness: your master password must be super strong – I recommend using a Level 2 pass-phrase of at least 16 – 20 characters in length. But do NOT forget this or write it down. Practice it many times before committing to it. Make sure you can type it well. If you lose this Master Pass Phrase, you lose everything in your password manager!

Whichever method you choose, you need to do this step quickly to boot the hacker out of your account before they do other damage such as resetting your accounts elsewhere online (remember the Password Recovery links go to your personal email account which has just been compromised). Time is of the essence!

Step #2: Recover access to your email account

If you’re lucky, the hacker only logged into your account to send a mass email to all your contacts. If you’re not so lucky, the hacker changed your password too, locking you out of your account. If that’s the case, you’ll need to reclaim your account, which is usually a matter of using the “forgot your password” link and answering your security questions, using your backup email address, or receiving a text message to your phone. Hopefully the hacker did not change your password recovery questions as well.

Check out the specific recommendations for reclaiming possession of your account for Gmail, Outlook.com and Hotmail, and AOL.

Step #3: Enable two-factor authentication

One of the best methods to prevent your email account from being taken over again (and hackers who were in once often try hard to return) is to set your email account to require a second form of authentication in addition to your password whenever you log into your email account from a new device. When you log in, you’ll also need to enter a special one-time use code that the site texts to your phone or that an authenticator app generates.

Check out two-step authentication setup instructions for Gmail, Microsoft’s Outlook.com and Hotmail, and AOL. And for a full list, check out twofactorauth.org.

Step #4: Check your email settings

Sometimes hackers change your email settings to forward a copy of every email you receive to themselves so that they can watch for any emails containing login information for other sites. Check your mail forwarding settings (including RSS Feeds!) to ensure no unexpected email addresses have been added.

Next, check your email signature to see if the hacker added a signature that will continue to advertise their malware even after they’ve been locked out.

Next, check your “reply to” email address. Sometimes hackers will change your “reply to” email address to one they’ve created that looks similar to yours. When someone replies to your email, it goes to the hacker’s account, not yours.

Lastly, check to make sure the hackers haven’t turned on an auto-responder, turning your out-of-office notification into a spam machine.

Step #5: Scan your computer for malware

Run a full scan with your anti-malware program. You do have an anti-malware program on your computer, right? If not, download the free version of Malwarebytes and run a full scan with it. I recommend running Malwarebytes even if you already have another anti-malware program; if the problem is malware, your original program obviously didn’t stop it, and Malwarebytes has resolved problems for me that other anti-malware software wasn’t able to resolve. Scan other computers you log in from, such as your work computer, as well.

If any of your scans detect malware, fix it and then go back and change your email password again (because when you changed it in step #1, the malware was still on your computer).

Tip: if you have restore points on your computer, can you restore your computer to a previous restore point before the infection began? This is an effective way to eliminate the virus. Just be sure to remove any infected downloads by Shift-Deleting them (Delete the file while holding the Shift Key to skip the recycle bin).

Step #6: Find out what else has been compromised

Some computer users have been known to store usernames and passwords for accounts in obvious places inside their email. One user I’ve seen had a folder called “Sign-ups” while another simply called it “Passwords”. Considering the hacker was inside your email, what could they easily have discovered about your other logins?

Tip: search for the word “password” in your mailbox to determine what other accounts might have become compromised. Change these passwords immediately; if they include critical accounts such as a bank or credit card account, check your statements to make sure there are no suspicious transactions.

It’s also a good idea to change any other accounts that use the same username and password as your compromised email. Spammers are savvy enough to know that many people reuse passwords for multiple accounts, so they may try your login info in other email applications and on PayPal and other common sites.

Step #7: Humbly beg for forgiveness from your friends

Let your contacts know that your email was hacked and that they should not open any suspicious emails or click on any links in any email(s) they recently received from you. Many people will realize that the O365, Gmail, Yahoo, or Hotmail login page your email directed them to was hosted at a very suspicious looking URL that has nothing to do with those sites, but there might have been someone who clicked and entered their credentials to the hacker.

Tip: If your compromised email account was a work email, the hackers may be plotting a Domino Attack against the vendors and clients in your email archive. Would your clients and vendors click on a link or open an invoice from you if all they saw was your name in an email from a Look-Alike domain? Read my Blog on the Domino Attack here to learn about this nastiness!

If the hacker was lazy, they may have left your sent messages alone and you can see all the SPAM messages your account sent out in your sent items folder. Alternatively, you could check your deleted or trash folder. However, most average-skilled hackers know to delete sent and trash history to avoid detection for as long as possible.

Step #8: Prevent it from happening again

While large-scale breaches are one way your login information could be stolen, many cases are due to careless creation or protection of login information. Setting up two-factor authentication (aka: 2FA) is your best protection from this type of hacking. I use 2FA on all my critical accounts. If your email account provider doesn’t support 2FA, change providers (as painful as that sounds). Also, remember it is vitally important to use a different password for each account, or, at the very least, use a unique password for your email account, your bank account and any other critical accounts. If you’re concerned about keeping track of your passwords, find a password management program to do the work for you.

Password management programs have some interesting advantages you might not be aware of. One advantage is when you accidentally land on a malicious website that is going to steal your username and password (perhaps it was made to look exactly like O365, LinkedIn, or DropBox): your Password Manager is wicked smart and will refuse to enter your credentials into that bogus website, because Password Managers monitor what website you’re on. Phishing sites that look like another login portal will have a bogus domain name and your Password Manager will not be fooled! This saved me once when I thought I was logging into LinkedIn and my Password Manager refused to input my credentials. When I checked the domain, it was a website in Italy! Even security professionals are sometimes duped!
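The domain check that stopped the LinkedIn look-alike above can be modelled in a few lines. The following is an added example, not code from the original article or from any password manager product: a simplified autofill rule that releases a saved credential only to the exact host it was saved for (or a subdomain of it) over HTTPS. The vault entry and the visited page URLs are constructed sample data.

```python
from urllib.parse import urlsplit


def _host_matches(stored_host: str, current_host: str) -> bool:
    """True only when current_host is the stored host or one of its subdomains.
    Comparing whole DNS labels (not substrings) is what stops a page such as
    www.linkedin.com.example.it from passing just because the real name appears in it."""
    stored = stored_host.lower().rstrip(".").split(".")
    current = current_host.lower().rstrip(".").split(".")
    if len(current) < len(stored):
        return False
    return current[-len(stored):] == stored


def should_autofill(stored_url: str, current_url: str) -> bool:
    """Decide whether a credential saved for stored_url may be filled on current_url."""
    stored = urlsplit(stored_url)
    current = urlsplit(current_url)
    if not stored.hostname or not current.hostname:
        return False
    # Never release a credential saved over HTTPS to a plain-HTTP page (no downgrade).
    if stored.scheme == "https" and current.scheme != "https":
        return False
    return _host_matches(stored.hostname, current.hostname)


# Constructed vault entry and visited pages; none of these are real accounts.
VAULT_ENTRY = "https://www.linkedin.com/login"
SAMPLE_PAGES = [
    "https://www.linkedin.com/checkpoint/challenge",   # same host, different path
    "https://login.www.linkedin.com/",                  # subdomain of the saved host
    "https://www.linkedin.com.example.it/login",        # look-alike: real name as a prefix
    "https://www-linkedin.com/login",                   # look-alike: hyphen for dot
    "http://www.linkedin.com/login",                    # right host, HTTP downgrade
]


def audit(pages=SAMPLE_PAGES, entry=VAULT_ENTRY) -> dict:
    """Map each visited page to the fill/refuse decision for the saved entry."""
    return {url: should_autofill(entry, url) for url in pages}


if __name__ == "__main__":
    for url, ok in audit().items():
        print(f"{'FILL  ' if ok else 'REFUSE'} {url}")
```

The two look-alike pages are refused even though a human reading the address bar could easily accept them, which is the protection described above. Commercial managers usually match on the registrable domain rather than the exact host, which needs a public-suffix list and is deliberately left out of this simplified version.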

Craig, Co-Founder – CyberHoot

Below is a link to our blog on Domino Breaches, an issue that goes hand in hand with email account hacks.

Domino Breaches: Get Ahead of this Breach ASAP to stop the Falling Dominos

This article attempts to articulate the steps to take immediately when you’re under this form of attack… something I’ve nicknamed the “Domino Attack”.  This attack has distinct phases which the hackers exploit in sequence.  Interrupt the sequence as early as possible with evasive action and good training by employees, using tools like CyberHoot to help them spot phishing attacks and to help them protect their passwords religiously! If you’re interested in training your employees, visit the CyberHoot.com training website and we’ll connect you to one of our resellers.

Phase 1 of the ‘Domino Breach’:

A client, Finance@IronCladCookware.com received an email from a vendor they regularly deal with that asked them to review a password protected invoice in Google Docs, Drop Box, or other online location.  While unusual, the vendor was an important one we deal with regularly so we dutifully complied.  Come to find out the vendor’s email domain was off by just one letter (for example: Twirlstool.com email may come from Twrlstool.com – missing an i).  The website that we logged into stole one of our employee’s username and password credentials.  The hackers now scanned for every unique email address in every folder of that compromised mailbox at our company.

Phase 2: The second Domino to Fall (a look-alike Domain Name is Registered)

In the screen shot below, hackers today registered a look-alike domain name to use in Phase 3.  This domain looks very similar to the targeted company’s domain and will be used as home base for these attacks.

Phase 3: The third Domino – Exploiting Trust Relationships

The hacker then constructs a variety of innocuous but effective emails designed to exploit the trust relationship you have with your vendors, clients, family, and friends by sending it from the imposter email account.  In my fictional example: Finance@IroncldCookware.com is used instead of Finance@IroncladCookware.com to email credential stealing attacks to email addresses found within the original compromised email account at IroncladCookware.com. The effectiveness of this attack is found in the fact that the name of the sender is more than likely recognized and accepted by the recipient as a legitimate user.  The payload of the attack has a higher likelihood of success because of this implied trust.

Phase 4: Multiple Dominoes begin to Fall across your Contacts

The hackers won’t stop there.  Let the email account breaches begin…most people will quickly click on a look-alike email from someone they recognize without a second thought.  Fewer will provide credentials to look at an invoice, or outstanding balance or any other plausible financial transaction… leading to ever more companies being breached and ever more companies being targeted.  This is known as the Domino Breach effect.

How to Prevent this within Your Company (various Levels of Protection):

Here is some practical advice on how to protect yourself and how to get in front of the dominoes when your company is part of one of these events!

Step #1: Draw up a quick response email and send to all contacts immediately informing them of the bogus domain and the targeted attacks.

Step #2: Research the ISP of the newly registered domain name and send an abuse complaint about a phishing attack from a look-alike domain name and ask that it be taken down immediately.

Time is of the essence.  In the real world, the moment a Look-Alike domain is registered and ready to go, the attack emails begin flowing to all your vendors, clients, friends and family.  The dominoes begin to fall as the people who trust you and your name click on the bogus invoice or login request and find themselves compromised.

Sending that warning note to everyone you can think of is a critical and time-sensitive first step.

The rest of these steps need to be taken in increasing order of protection (and sometimes cost).

Basic Protection:

  • Train your users to be vigilant in looking at the sender name of emails.
  • Test your users with phishing emails randomly and regularly.
  • Govern your users with policies that outline requirements for training, information handling, mobile device management and more.

Enhanced Protection:

  • Establish financial safeguard policies and processes that require verbal confirmation of all ACH and Wire Transfer instructions over the phone.  Changed instructions can never be accepted via email.
  • Make sure you’re leveraging a purpose built SPAM filter that can examine emails and block SPAM like this when it is designed to breach credentials.

Advanced Protection:

  • If possible, enable the following email filters (SPAM provider dependent):
    • Look-alike domain blocks (hold emails from domain names with 3 or fewer letter differences from your domain name);
    • Reject Email from Domains less than N days old: N is typically 14 days (2 weeks) but could be as much as 30 to 45 days.
    • Reject Email sent from foreign countries: if your business only deals with North American vendors and clients block email from anywhere else in the world.
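The three filters just listed, and the one-letter-off vendor domain from Phase 1, can be expressed as one decision function. The following is an added example and not CyberHoot’s or any SPAM provider’s code: it applies a look-alike check (Levenshtein distance of 3 or fewer), a domain-age check (N = 14 days) and a country check in the order the list gives them. It goes one step beyond the list by comparing sender domains against known partner domains as well as your own, which is what catches Twrlstool.com standing in for Twirlstool.com. The registration dates and countries are a constructed table standing in for a WHOIS or geolocation lookup; the sender addresses are the page’s fictional ones plus constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

OWN_DOMAIN = "ironcladcookware.com"            # the page's fictional target company
KNOWN_PARTNERS = {"twirlstool.com"}            # allowlisted vendor domains (constructed)
MAX_LOOKALIKE_DISTANCE = 3                     # "3 or fewer letter differences"
MIN_DOMAIN_AGE_DAYS = 14                       # "less than N days old", N = 14
ALLOWED_COUNTRIES = {"US", "CA", "MX"}         # North America only, as in the list

# Constructed stand-in for WHOIS/geo data: domain -> (registration date, country).
DOMAIN_INFO = {
    "ironcladcookware.com": (date(2008, 1, 15), "US"),
    "ironcldcookware.com":  (date(2019, 8, 30), "US"),   # look-alike from Phase 3
    "twirlstool.com":       (date(2012, 3, 1), "US"),    # legitimate vendor
    "twrlstool.com":        (date(2019, 8, 28), "RU"),   # look-alike from Phase 1
    "newco-invoices.com":   (date(2019, 8, 31), "US"),   # brand-new, not a look-alike
    "vendor.example":       (date(2005, 6, 1), "DE"),    # old domain, outside North America
}


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits (insert, delete, substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    action: str     # "allow", "hold" (quarantine for review) or "reject"
    reason: str


def classify(sender: str, today: date) -> Verdict:
    """Apply the look-alike, domain-age and country filters to one sender address."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain == OWN_DOMAIN or domain in KNOWN_PARTNERS:
        return Verdict("allow", f"{domain} is our own or an allowlisted partner domain")
    # Look-alike check against our domain and every partner domain we trust.
    for trusted in {OWN_DOMAIN, *KNOWN_PARTNERS}:
        distance = levenshtein(domain, trusted)
        if distance <= MAX_LOOKALIKE_DISTANCE:
            return Verdict("hold", f"{domain} is {distance} edit(s) from {trusted}")
    info = DOMAIN_INFO.get(domain)
    if info is None:
        return Verdict("hold", f"no registration data for {domain}")
    registered, country = info
    age_days = (today - registered).days
    if age_days < MIN_DOMAIN_AGE_DAYS:
        return Verdict("reject", f"{domain} registered only {age_days} day(s) ago")
    if country not in ALLOWED_COUNTRIES:
        return Verdict("reject", f"{domain} is hosted in {country}")
    return Verdict("allow", f"{domain} passed all filters")


# Constructed sample senders, evaluated on a fixed date so results are reproducible.
SAMPLE_SENDERS = [
    "accounts@twirlstool.com",
    "accounts@twrlstool.com",
    "finance@ironcldcookware.com",
    "billing@newco-invoices.com",
    "billing@vendor.example",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        v = classify(sender, today=date(2019, 9, 3))
        print(f"{v.action:<6} {sender:<30} {v.reason}")
```

Look-alikes are held rather than rejected so a human can release a genuine vendor that happens to sit within three edits of your name; short domain names make that false-positive case common, which is why the allowlist is checked first.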

Call to Action:

The basic protection is something all companies need to have in place.  Contact CyberHoot today to be connected to a reseller to put your employees through the necessary training to hold the Domino Attack at bay.  An ounce of prevention is worth a pound of cure. To learn how to protect against similar threats via an email hack, click here.

Craig, Co-Founder – CyberHoot