Uninstall QuickTime for Windows

If you are a windows user and have the popular quick time application installed on your machine the time has come to part ways and you should uninstall it. The reason for this is the recent disclosure of two zero-day vulnerabilities that have been discovered in the application. The fact that the application contains a zero-day exploits isn't as bad as the fact that apple won't be releasing a patch to fix the vulnerability. This disclosure means that hackers will be actively targeting windows users looking for the quick time application and if you haven't it uninstalled well then you are vulnerable to an attack. Quick Time for Windows follows other software such as Microsoft Windows XP and Oracle Java 6, which are no longer being updated to fix vulnerabilities. That makes them subject to ever-increasing risk as more and more unpatched vulnerabilities are found and cybercriminals attempt to exploit them. The call for users and companies to uninstall Quick Time has been echoed across the security industry so get yourself over to the control panel > add remove programs > Quick Time> Uninstall. 

What is a DROWN attack?

If you have been online in the past few day's chances are that you have seen the headline "new vulnerability discovered in OpenSSL" or something along those lines. This new vulnerability has been dubbed as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), and it is said to effect over 11 million websites and email services worldwide.

DROWN is a cross-protocol attack that uses weaknesses in the SSLv2 implementation against transport layer security (TLS), and that can "decrypt passively collected TLS sessions from up-to-date clients." While latest versions don't allow SSLv2 connections by default, administrators sometimes, unintentionally override those settings in an attempt to optimize applications and this is where the problem lies. The DROWN attack could allow an attacker to decrypt HTTPS connections by sending specially crafted malicious packets to a server or if the certificate is shared on another server, potentially performing a successful Man-in-the-Middle (MitM) attack. It has been reported that more than 33% of all HTTPS servers are vulnerable to DROWN based MITM attacks. 

If you want to see if your website is vulnerable to this critical security hole you can check out https://drownattack.com/. If your website is vulnerable there is good news in the fact that an academic researchers uncovered the DROWN security hole and a patch for the vulnerability has already been made available with an OpenSSL update. And just in case you get to happy the Bad news is that the DROWN attack can be conducted in just under a minute and now that the bug has been disclosed, it may be actively used by hackers to attack servers. So really this isnt something that you want to be putting on the long finger, OpenSSL 1.0.2 users are strongly advised to upgrade to OpenSSL 1.0.2g and OpenSSL 1.0.1 users are recommended to upgrade to OpenSSL 1.0.1s. And if you are using another version of OpenSSL for security, you should move up to the newer versions 1.0.2g or 1.0.1s.

In order to protect yourself against the DROWN attack, you should ensure SSLv2 is disabled, as well as make sure that the private key isn’t shared across any other servers. Those already vulnerable to DROWN attack do not need to re-issue certificates but are recommended to take action in order to prevent the attack immediately. And remember the fact that this has been widely publicized you can be sure that hackers are actively targeting websites that have not implemented the above so get your IT team moving.

5 golden rules for staying safe online

If you have been reading my posts you will notice that a number of points keep popping up. The reason for this is of course that these particular points are vital to keeping yourself safe online. For the few out there who want to do the minimum in order to stay safe I am laying out 5 golden rules to follow.

1) Keep your software updated

Updating software, whether it be on your phone, laptop, or television, is extremely important. When hackers discover new ways to steal your data, gadget and software companies usually work quickly to release fixes for those vulnerabilities. Once a fix is in place an update becomes available and you should download this update, I try to set as many applications as possible to do automatic updates or in the case of my phone I set it running at night time when its not been used.

2) STOP using the same password everywhere

You are living in an age of big hacks and data breaches if you use the same password everywhere once your details are stolen once all your accounts are compromised. And you can be guaranteed that there is a high possibility your details have already been stolen from somewhere.  

3) Don't fall for phishing scams

These scams are getting more and more frequent and the attacks been used are becoming more professional. I recently received an email claiming to be a free password security tester, the email asked me to enter my password to test how strong it is and of course I deleted it as its purpose was of course to steal my password. Be smart when you receive phone calls and emails that you are not expecting and never open an application you receive in an email with the file extension .exe.

4) Add recovery contact information to your accounts

This is important you should always have two different contact methods on your accounts. The reason for this is if you forget your password and lose your phone well then your snookered and you may be locked out of that account forever, leaving your information hanging in cyber space. The second reason for this is If your account is compromised, companies will probably try to let you know. But that’s only possible if they have some means of getting in touch with you on file.

5) Enable two factor authentication 

Two-factor authentication adds an extra layer of security to your accounts by requiring another code in addition to your memorized password. That code can be sent to your smartphone via a text or generated by an app. With two-factor authentication, even if a hacker has your username and password, he or she won’t be able to access your account unless they also have your smartphone — not a likely scenario. I ask if you don't do any of the above at least do this one and give yourself some chance of staying protected.

Securing your android (the basics)

I have been asked a bit lately about securing android devices as I tend to focus on the apple side of things as I myself use the iPhone. There is a myth out there that android is inherently insecure and this really isn't true, android out of the box is pretty good its the user that make the device insecure. The real issue with android is anyone can make an app and upload it to their store they don't check first to see if you are a potential cyber criminal. I think from memory that at one stage in the past few years the top 5 apps in the android store were in fact trojan horses this might be wrong but I am pretty sure their is some truth their I need to go back and double check this. So to minimize the waffle you ask "what do I need to do to secure my android?" Well I have put together a number of steps that if followed will definitely help you get to a place where you can feel "secure".

1) Do not save all of your passwords in your device! I don't know why I need to say this but people naturally tend to save their passwords for easy access of whatever the reason on their devices. This is a very bad practice and you should avoid this, think of memorizing your passwords of a way to delaying Alzheimer's and not getting ripped off by cyber criminals.

2) Use your devices inbuilt security features, If you are running on Jelly Bean, you can have a screen lock and encryption enabled to further enhance your security. Use these features they will help you keep your device safe.

3) Androids allow you to lock your apps you should use this feature especially for apps that hold sensitive information. Their is a free app that you can download to enable this feature called App Lock.

4) If you are installing an app read what permissions the app want's!!! If you are downloading some recipe app it doesn't need access to your camera, microphone and contacts. This should be common sense but for some reason people download apps and click ok to everything.

5)  Download a mobile security app, androids are very much open to virus's and malware in comparison to their i0S counterparts. An app I think is pretty good is avast!mobile security.

6) One of the most important things you can do to secure your android is secure your network. I know you wont listen but try to avoid using public networks. You can protect your information by using apps like Hideninja VPN so that your outgoing connection is always encrypted, making it harder for anyone to sabotage your data. If you suspect that your device is being attacked, WiFi Protector can help fend off these attackers. To further enhance your network security you can apply settings from SecDroid but note that this app is only for rooted phones.

Steps to take after the Vtech Hack

In the last week the figures released from toymaker VTech surrounding the massive hack they have suffered is startling. The worst part about this hack is it shows that children are not immune to cyber crime. It is important to first realise the scale of this attack and just how many children have been affected worldwide. Below are statistics detailing how many individuals data has been leaked and in what countries along with if the data was that of an adult or a child. As you can see from the statistics below I have highlighted Ireland, the only reason for this is that I am Irish.

Country                         Parent Accounts                             Child Profiles

United States                  2,212,863                                             2,894,091

France                             868,650                                                1,173,497

United Kingdom             560,487                                                727,155

Germany                         390,985                                                508,806

Canada                            237,949                                                316,482

Others                             168,394                                                223,943

Spain                               115,155                                                138,847

Belgium                          102,119                                                133,179

Netherlands                    100,828                                                124,730

Republic of Ireland      40,244                                                  55,102

Latin America                28,105                                                  36,716

Australia                        18,151                                                   23,096

Denmark                        4,504                                                     5,547

Luxembourg                  4,190                                                     5,014

New Zealand                 1,585                                                     2,304

What I find the most frighting about all of this is that a particular VTech service known as Kid Connect was hacked and the information stolen. You may ask why is this frighting and I am going to explain why. Kid Connect is set-up to allow parents and their kids to communicate. That information includes kids head-shots and chat logs between parents and children. Most, if not all, of these cases, the logs, pictures, and recordings can be traced back to specific usernames, allowing anyone in possession of the hacked data to identify the people chatting as well as those in the pictures.

This may lead to a lot more unforeseen problems down the road but as it stands is just a very uncomfortable situation for parents to be in, and yet again starkly highlights the dangers for children in the digital age.

If you have been affected by this attack you might want to know what steps do you need to take now.

Luckily for you its coming up to Christmas so the VTech spin doctors are in full flight trying to somehow roll out reassuring and efficient damage control to save what's left of the companies reputation. In response to the attacks they have posted a very detailed breakdown of all of the events and the VTech response that can be found here. If you just want the main points I have pulled them out and you can find the below. 

What kind of information are stored in the database?

Parent account information including name, email address, secret question and answer for password retrieval, IP address, mailing address, download history and encrypted password.
Kids profiles include name, genders and birthdates.
Encrypted Learning Lodge’s contents including, Kid Connect’s profile photos, undelivered Kid Connect messages, bulletin board postings and Learning Lodge content (ebooks, apps, games etc).
Download sales report logs.
Progress logs to track kids games, for parents’ reference.
It does not contain any credit card information. VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.
It does not contain any personal identification data (such as ID card numbers, Social Security numbers or driving license numbers).

Was any credit card information stolen?

No, our Learning Lodge website database does not contain any credit card information and VTech does not process or store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway.

Why do you need this customer information?

Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products. Customers need to set up an account for such transactions. The information is used to identify the customer and track their downloads. As customer safety and privacy are of utmost importance to us, we are making all necessary adjustments to our system security, which will include only storing such information as is required for our customers to download and enjoy our services. All other information will be deleted from our servers.

Is there anything I can do to better protect myself?

Whilst all personal customer passwords are encrypted, even encrypted data can be susceptible to skilled hackers, so we are advising you to immediately change your passwords on any other sites that may use the same email, secret question and answer, and password combination.

What is VTech doing to protect data stored on Kid Connect?

The Kid Connect service has been temporarily suspended. We are reviewing our security protocols and will delete all unsent messages before we restart the service.

How can I change my password or delete my Learning Lodge account and personal data stored on your servers?

As an precautionary measure, we have temporarily suspended Learning Lodge and Kid Connect service along with a number of other websites to conduct a thorough security assessment and whilst we implement additional security protocols. We will advise our customers of further action when the websites are ready to be reactivated.

When can we expect that Learning Lodge will be online again? Should I then register again?

We are working as fast as possible to resume our service. We will advise our customers of further action when the websites are ready to be reactivated.

Is it safe for my kids to play with the toys with Learning Lodge app? Could the hacker reach my kids through the devices, trace their activity or location?

Our investigation to date suggests the breach is on the server, not on the device itself. There is no evidence to suggest the toys are not safe at this time. We will continue to investigate and share more information as it becomes available.

Has there been any customer data found leaked on the internet?

We have no evidence that any of the data has been used or distributed criminally. Whilst all personal customer passwords are encrypted, even encrypted data can be susceptible to skilled hackers, so we are advising you to immediately change your passwords on any other sites that may use the same email, secret question and answer, and password combination.

Protecting against phishing

Phishing (pronounced fishing) scams are among the most prevalent forms of cybercrime, targeting unsuspecting victims. Although phishing is widespread, it is possible to identify and prevent. Apart from ensuring you install security software, the best way to combat scams is to educate yourself to what these scams are and how to identify them. I found the below video from Meridian Banking that explains phishing very well, and even though its aimed at Meridian customers you should get the idea.

Now that you have an idea of what phishing is and what forms it can take lets go through some addition steps you can take to protect yourself. 

1) Be wary of emails asking for confidential information - especially information of a financial nature. Legitimate organisations never look for this information over email or the phone, if you get such a call or an email you should contact that organisation independently using know contact information from previous correspondence such as a statement or contract.

2) Make sure you when signing up to a new website's that you read there privacy policy. The majority of commercial websites have a privacy policy, which is usually accessible at the foot of the page. In this policy look for the website's policy on whether it will or will not sell its mailing list. If the site in question does sell its mailing list see do they have a policy that allows you to sign up and opt out of this feature if not you might want to consider do you really need to join the site in question. The majority of spam and potentially dangerous phishing emails you receive come from sites you have signed up to that have sold your mailing information to another company or companies.

3) Make sure you maintain effective software to combat phishing. Most Internet Security suites automatically detect and block fake websites. Some will also authenticate major banking and shopping sites. I have also stated in another blog how you can add security plugins to your browser that will help identify dodgy sites and links.

4) Never use links in an email to connect to a website unless you are absolutely sure they are authentic. It is very easy to add a fake link or hyperlink text that will bring you to a fake site or similar looking website. To avoid this open a new browsers and type in the url subtle differences could bring you to a fake site (eg) ww.aib.ie is the AIB banking site what if the link you received was www.aibbank.ie would you know the difference?

5) Never submit confidential information via forms embedded within email messages. This is not a secure practice and all reputable companies know this. If the form is part of a phishing attack the senders are often able to track all information entered.

6) Think twice about opening attachments from senders you are not familiar with eg. getting an email off an unknown address with an attachment labelled as "invoice". If you are not expecting an invoice and you don't recognize the sender chances are the attachment is carrying a malicious payload delete it!

7) I will end with my pet hate, clicking articles on social media that are clearly made up just so you will click on them. eg  BREAKING NEWS: Pamela Anderson shoots president Obama over views on healthcare! This is clearly a bullshit article don't click on it, you can be guaranteed you are entering a world of spam and malware.

I recently came across a bluebird care campaign surrounding cybercrime and the elderly. As part of that campaign they had an infograph that I think is a super informative and can be viewed by clicking here.