WeMo smart home devices can be used to spy on Android phones

By now, I’m sure we’re all familiar with the infamously insecure Internet of Things (IoT).

If it isn’t routers, web cameras and maybe even printers feeding into the Mirai botnet – the malware that delivered the most powerful distributed denial of service (DDoS) attack in recent history – then it’s a home automation kit from WeMo that could have let attackers get at its Android app and spy on phones.

Belkin has already issued a firmware update to fix the vulnerability.

But the bug finders – Invincea Lab researchers Scott Tenaglia and Joe Tanen – told Forbes that it’s possible to completely kill the update process on already infected devices, meaning that no fix can ever be delivered.

They’re planning to talk about that hack at Black Hat Europe in London this week.

They’ll also be detailing another vulnerability: an old-school SQL injection bug in WeMo remote management interfaces that could lead to getting root – as in, near-total control – of a device.

SQL injection is a popular technique for attacking websites. In this case, the website isn’t on some server somewhere out on the internet but is, rather, an interface provided by the device that allows users to control it (your router probably works the same way).

SQL injection is a very common and very serious form of attack that just refuses to die.

The databases targeted by the SQL injection attack contain rules that control the home automation devices, such as when to turn off a crockpot or specifying that a motion detector device turn on the lights between sunset and sunrise.

The researchers’ talk, scheduled for Friday, is titled Breaking BHAD: Abusing Belkin Home Automation Devices.

They said that the hacks are possible thanks to “vulnerabilities in both the device and the Android app that can be used to obtain a root shell on the device, run arbitrary code on the phone paired with the device, deny service to the device, and launch DoS attacks without rooting the device”.

The WeMo app lets the user assign names to their devices. Before the vulnerability was fixed, the researchers said an attacker on the same network could change that device name to include malicious JavaScript code.

Tenaglia gave ComputerWorld’s SecurityWeek this attack scenario:

The attacker emulates a WeMo device with a specially crafted name and follows the victim to a coffee shop.

When they both connect to the same WiFi, the WeMo app automatically queries the network for WeMo gadgets, and when it finds the malicious device set up by the attacker, the code inserted into the name field is executed on the victim’s smartphone.
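The two input-handling mistakes described above (a rules-database query built from untrusted text, and a network-learned device name that is stored and displayed without checks) are shown below next to the hardened form of each. This is an added example, not code from the article, Belkin or Invincea; the table layout, column names, sample rules and the name policy are assumptions, not the WeMo schema.

```python
"""Added example (not the article's, Belkin's or Invincea's code): the two
input-handling mistakes the article describes, demonstrated on a constructed
rules table and a constructed device name, beside the hardened form of each.
Table layout, column names and the sample rules are assumptions."""
import html
import re
import sqlite3

# Constructed stand-in for the rules database the article mentions.
SAMPLE_RULES = [
    ("Kitchen Crockpot", "off", "18:00"),
    ("Porch Motion", "lights_on", "sunset-sunrise"),
]


def make_rules_db() -> sqlite3.Connection:
    """Build an in-memory rules table (assumed layout) from the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rules (device TEXT, action TEXT, schedule TEXT)")
    conn.executemany("INSERT INTO rules VALUES (?, ?, ?)", SAMPLE_RULES)
    return conn


def rules_for_device_vulnerable(conn, device_name: str) -> list:
    """The flawed pattern: the caller-supplied name is pasted into SQL text,
    so a name such as  x' OR '1'='1  turns a lookup for one device into a
    query that returns every rule, and other inputs can alter the table."""
    query = "SELECT device, action FROM rules WHERE device = '%s'" % device_name
    return conn.execute(query).fetchall()


def rules_for_device_safe(conn, device_name: str) -> list:
    """Hardened form: a bound parameter, so the name is only ever data."""
    query = "SELECT device, action FROM rules WHERE device = ?"
    return conn.execute(query, (device_name,)).fetchall()


# Assumed allowlist policy for device names: letters, digits, space, _ and -.
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,32}$")


def accept_device_name(name: str) -> bool:
    """Allowlist check for a name learned from the local network: refuse
    anything but plain characters before storing or displaying it."""
    return bool(DEVICE_NAME_RE.match(name))


def render_device_name(name: str) -> str:
    """If a name must be shown in a web view, escape it so any markup or
    script inside it is displayed as text rather than executed."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_rules_db()
    probe = "x' OR '1'='1"
    print(rules_for_device_vulnerable(db, probe))  # every rule leaks
    print(rules_for_device_safe(db, probe))        # []
    hostile = "<script>alert(1)</script>"
    print(accept_device_name(hostile), render_device_name(hostile))
```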

Invincea Labs first reported the flaws to Belkin on 11 August. Belkin responded the same day and confirmed the vulnerabilities, Tenaglia told eWEEK.

The firmware update for the SQL injection vulnerability went live on Tuesday, said Leah Polk of Belkin. She told Forbes:

Users will see a firmware update notification when they open their app.

We’ve heard about WeMo device vulnerabilities before. In February 2014, IOactive reported that the Belkin devices could be remotely commandeered using the firmware update mechanism.

The day after the news came out, Belkin responded by saying that the issues had already been fixed.

This is one more example of how IoT insecurity so often amounts to vendors not treating their things sufficiently like computers.

Belkin has reacted swiftly to address vulnerabilities, but in this day and age, should we still be confronted with familiar and easily prevented flaws such as SQL injection?

Here once again is a summary of Chester Wisniewski’s take on what’s needed to secure the IoT, from his article about debunking some Mirai botnet myths:

What’s needed is industry standards and best practices, including thoroughly testing devices for security issues before shipping them to consumers, abiding by best practices and making sure that there is a clear mechanism for patching bugs – and that mechanism must include notifying the owner of the device.


Transient Security: How do you Secure Guests and Deal with Network Separation

Having your network locked down on a need-to-know basis gives security professionals a good feeling, but one day someone in your company hosts a meeting with an outside vendor, and that vendor needs internet access during the meeting. An instant feeling of panic rushes over you because you didn’t plan for this situation. How do you provide internet service for guests at your company without compromising your network’s treasures? The following are several options to look into before making a decision. Some of them apply mainly to smaller companies, but it is better to hear all the options before going forward.

Create a VLAN (Virtual Local Area Network)

Creating a VLAN to separate guest access from employee access is a viable solution for enterprise-level companies. To partition your network effectively, broadcast traffic must be confined to the VLAN’s own ports on your switches, which essentially creates a channel reserved for traffic over the selected ports. This method is one of the best and most cost-efficient ways to provide a guest internet connection.

Create a second network

By creating a separate network for guests, you can ensure that they will not have access to information they shouldn’t see. This is fairly easy for smaller companies but can be more of a challenge at the enterprise level. By connecting additional routers off your main router, you can dedicate them specifically to guest logins. Both parties connect through the same upstream link, but based on the router’s configuration you can allow guests only basic internet access.

Install a wireless network just for your guests

This last option is more expensive, but it is foolproof: create a whole new wireless network alongside yours, with a different password, to guarantee separation. This approach requires you to purchase access points and possibly a wireless LAN controller, depending on the size of your company. If you are a smaller company, connecting the new access points to your existing modem should suffice. If you need a separate wireless LAN controller to create the new partition, the Cisco 2100 series is a good starting point, as it can manage up to 6 access points.

No matter how you do it, it is important to create that separation between your business and the general public. Keeping guests off your internal network as far as possible will better protect your company from unwanted data leaks, compliance troubles and network breaches. Implementing this is a smart choice, and it would be silly not to, since most of the time it is an inexpensive adjustment to make. In the long run, the expense and effort are worth it compared with the damage attackers could do if unregistered accounts were allowed onto your internal network services.


Top Cloud Computing Security Risks for SMB

Small and medium-sized businesses (SMBs) are turning to the cloud for the mobility and affordability it provides. However, SMBs can fall victim to cloud security risks if they aren’t vigilant enough. According to Trend Micro, one of the biggest threats for SMBs when using the cloud is data breach which can be caused by either stolen or hacked devices. Data can be lost — or worse, leaked into the wrong hands — in this scenario. Fortunately, there is a way to combat this cloud security risk, and that’s to choose cloud service providers that offer remote wipe of data in case a device gets compromised.

Another cloud security risk is loss of control over one’s own data, as pointed out by IBM on its Security Intelligence portal. Transitioning to the cloud comes with standardization, but this doesn’t mean entrepreneurs should lose control over their SMBs’ data. When entering a contract with a cloud service provider, entrepreneurs should ensure the terms and conditions explicitly state who has access to which information, and to what level. Most importantly, data ownership should remain with the client, not the third-party vendor.

also weighs in with their input. The UK’s leading technology website warned SMBs that the use of assorted cloud storage services poses a cloud security risk. More and more people are using Dropbox, Box, SharePoint, OneDrive and similar services to store their personal and professional files, not realizing that these are popular targets for cyber attacks. Stopping employees from using such services is counterproductive (and maybe even impractical), but entrepreneurs can lessen the risk by applying fine-grained, role-based access control. This means only authorized staff can access specific sections of the cloud storage or use certain features of the cloud service the business is using.

The identification of major cloud security risks should not be a hindrance to SMBs’ move to the cloud. Rather, these should serve as clear warnings for entrepreneurs to make the transition only once they have done the necessary preparation. The cloud is still a practical solution for SMBs with no budget for infrastructure or IT personnel, so it can’t be pushed aside as a less viable option compared to an on-premise solution. In the end, the good outweighs the bad once the proper security measures are in place.


A Single Spear Phishing Click Caused The Yahoo Data Breach

A single click was all it took to launch one of the biggest data breaches ever.

One mistaken click. That’s all it took for a Canadian hacker aligned with rogue Russian FSB spies to gain access to Yahoo’s network and potentially the email messages and private information of as many as 1.5 Billion people.

The U.S. Federal Bureau of Investigation has been investigating the intrusion for two years, but it was only in late 2016 that the full scale of the hack became apparent. On Wednesday, the FBI indicted four people for the attack, two of whom are rogue FSB spies who work for the division that is supposed to cooperate with America’s FBI on cybercrime investigations. (The FSB is the successor to the KGB.)

Kremlin Intelligence Services Overlap With Russian Cybercrime Underworld

One of these two rogues, Dmitry Dokuchaev, was himself recently arrested on what the Moscow press calls “treason” charges for passing information to the CIA. In reality, Dokuchaev started out as a criminal hacker who moved to the FSB but never stopped his old tricks. He was just one of the many criminals working inside Russia’s intelligence bureaucracy, and for personal profit he sold information to intermediaries that ultimately found its way to the CIA.

The investigation exposed rivalries inside the Kremlin intelligence establishment as well as inside the Russian cybercrime underworld with which it overlaps. Dokuchaev was part of the Shaltai-Boltai, a hacker group that exploits stolen data to embarrass and blackmail Russian politicians and business officials.

Here’s how the FBI says they did it:

The hack began with a spear-phishing email sent in early 2014 to a Yahoo company employee. It’s unclear how many employees were targeted and how many emails were sent, but it only takes one person to click on a link, and it happened. Unimaginable that Yahoo did not sufficiently step employees through new-school security awareness training to prevent disasters like this.

It was all over the press, but CSO had the best story about it, with more detail, background and even video:



[ALERT] New Massive Wave Of CryptoLocker Ransomware Infections

We all thought that evil genius Evgeniy Bogachev had retired at the Black Sea with his tens of millions of ill-gotten gains after he became the FBI’s #1 Most Wanted cybercriminal. Well, perhaps he ran out of money.

CryptoLocker is back big time. Researchers have spotted a sudden resurgence this year, specifically identifying clusters of attacks in Europe and the U.S.

For people new to the ransomware racket: Russian cybercrime gangs tend to test and debug their campaigns in Europe, and then attack America in full force. CryptoLocker is ransomware’s still very potent granddaddy; it pioneered this highly successful criminal business model in September 2013, and hundreds of copycats followed.

In a blog post our friend Larry Abrams from BleepingComputer wrote that the strain — also known as Torrentlocker and Teerac — started its comeback toward the end of January 2017, after being quiet the second half of 2016.

Larry pointed to stats from the ID-Ransomware website which show CryptoLocker infections jumped from just a handful to nearly 100 per day, and then to more than 400 per day by February.


He also confirmed CryptoLocker’s recent tsunami with Microsoft’s Malware Protection Center, whose telemetry picked up on increased attacks against Europe, especially Italy. The phishing emails are designed to look secure and official because they are digitally signed, but it is all just social engineering to trick the recipient into opening attached .JS files that download and install CryptoLocker.

Check Point Software Technologies confirmed with SC Media that its researchers also observed a sudden rise in CryptoLocker attacks. The phishing emails attempt to trick recipients into opening a zipped HTML file. “The HTML contains JS file, which pulls a second JS file from an Amazon server, which executes the first one on memory,” said Lotem Finklesteen, threat intelligence researcher at Check Point.

“Then, after pulling two more JS files, CryptoLocker is served to the victim machine and being executed. The vast majority of the infections we observed this week were in the U.S. The second major target was Western Europe, especially Germany,” said Finklesteen.

Ransomware as a global threat

Microsoft’s Malware Protection Center blog stated: “Ransomware proved to be a truly global threat in 2016, having been observed in more than 200 territories. In the US alone, ransomware was encountered in more than 460,000 computers or 15% of global encounters. Italy and Russia follow with 252,000 and 192,000 ransomware encounters, respectively. Korea, Spain, Germany, Australia, and France all registered more than 100,000 encounters.” Here is their geographic distribution chart.





CRYSIS Ransomware Is Back And Uses RDP Brute Force To Attack U.S. Healthcare Orgs



Remember the CRYSIS ransomware? The attacks started up again, mostly targeting US healthcare orgs, using brute force attacks via Remote Desktop Protocol (RDP).

The number of attacks has more than doubled in volume in January 2017 over that same timeframe in 2016. This most recent wave included a wide variety of sectors worldwide, but the U.S. healthcare sector was hit the hardest.

Security researchers at Trend Micro observed that the same cyber mafia that perpetrated the 2016 CRYSIS attacks is behind this recent wave of ransomware attacks, as evidenced by the very same file names and malware placement that were used earlier.

The problem: User accounts with weak credentials, open RDP ports

The bad guys try to log in to the system using common username and password combos, and once the system is accessed they return multiple times to quickly compromise the machine. Trend Micro found that these repeated attempts were generally successful in a matter of minutes.

A typical infection goes through the following steps. An attacker picks targets with RDP ports available online and identifies if the computer is assigned to an enterprise network. Alternatively, he can always buy access to previously hacked RDP servers, via marketplaces like xDedic.

Once he has purchased access or gained it by brute-forcing the RDP connection with basic username-password combos, the attacker downloads and then manually executes a version of the CRYSIS ransomware on each of the hacked computers.


In one case it was observed that CRYSIS was deployed six times, packed in different ways on a single endpoint within ten minutes. The attackers copied over several files and appeared to be experimenting with different payloads to find the best option.

Because there are no default restrictions on shared folders or clipboards, unless the network administrator applies controls, these features may be exposed to the internet and accessible to a malicious individual.

What To Do About It:

Best practice to protect a network from a brute force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.

An RDP brute force attack leaves the attacker’s information in the targeted network’s logs, so you should go through the Windows Event Viewer, find the compromised user account and the attacker’s IP address, and block that address.
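The Event Viewer review recommended above can be scripted. The detector below is an added example, not code from the article or from Trend Micro: it looks for the pattern the article describes (a run of failed RDP logons from one address followed by a success) over constructed Security log records. The flat one-line-per-event format is an assumed export of the fields of event IDs 4625 (failed logon) and 4624 (successful logon); logon type 10 is the RemoteInteractive type that RDP sessions use.

```python
"""Added example, not from the article or Trend Micro: a small detector for
repeated RDP logon failures from one address followed by a success, run over
constructed Windows Security log records. The line format is an assumed flat
export of event 4625/4624 fields, not the native event XML."""
import re
from collections import defaultdict

# Constructed sample: a burst of failures from 203.0.113.45 (a TEST-NET-3
# documentation address) ending in a success, plus ordinary traffic that
# must not trigger a finding.
SAMPLE_LOG = """\
2017-01-12T03:14:01 4625 LogonType=10 Account=administrator Source=203.0.113.45
2017-01-12T03:14:02 4625 LogonType=10 Account=admin Source=203.0.113.45
2017-01-12T03:14:02 4625 LogonType=10 Account=scanner Source=203.0.113.45
2017-01-12T03:14:03 4625 LogonType=10 Account=backup Source=203.0.113.45
2017-01-12T03:14:05 4625 LogonType=10 Account=backup Source=203.0.113.45
2017-01-12T03:14:07 4624 LogonType=10 Account=backup Source=203.0.113.45
2017-01-12T08:00:11 4625 LogonType=10 Account=jsmith Source=10.0.0.23
2017-01-12T08:00:19 4624 LogonType=10 Account=jsmith Source=10.0.0.23
2017-01-12T08:01:00 4624 LogonType=2 Account=jsmith Source=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) Source=(?P<source>\S+)$"
)

RDP_LOGON_TYPE = "10"  # RemoteInteractive: RDP / Terminal Services sessions


def parse_events(text):
    """Turn the flat export into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_rdp_bruteforce(events, min_failures=4):
    """Return one finding per source address that produced at least
    min_failures RDP failures (4625) and then an RDP success (4624).
    The finding names the account that finally logged on (treat it as
    compromised) and the address to block at the perimeter."""
    failures = defaultdict(int)
    attempted = defaultdict(set)
    findings = []
    for ev in events:
        if ev["ltype"] != RDP_LOGON_TYPE or ev["source"] == "-":
            continue  # not an RDP logon, or no network source recorded
        src = ev["source"]
        if ev["event"] == "4625":
            failures[src] += 1
            attempted[src].add(ev["account"])
        elif ev["event"] == "4624" and failures[src] >= min_failures:
            findings.append({
                "source": src,
                "compromised_account": ev["account"],
                "failures_before_success": failures[src],
                "accounts_tried": sorted(attempted[src]),
                "first_success": ev["ts"],
            })
            failures[src] = 0        # reset so a later burst is reported anew
            attempted[src].clear()
    return findings


if __name__ == "__main__":
    for finding in find_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(finding)
```

A single mistyped password from a known workstation (the 10.0.0.23 lines) stays below the threshold and is ignored; tune min_failures to your environment's noise level.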


How Hacking Became Russia’s Weapon of Choice

A study by the World Bank stated that Russia boasts more than 1 million software specialists involved in research and development.

Russian illegal cyber warriors are among the most proficient in the world, with around 40 large criminal cyber rings operating within the country’s borders.

The Russian government has long been known to source its technology, world-class hacking talent and even some intelligence information from local cyber crime rings.

Hacking activities include the penetration of national infrastructure systems and money markets, and the stealing of state secrets and intellectual property. All of these destabilizing attacks can be considered preparation for any future conflict. Russian hackers made repeated attempts during 2016 to stage cyber break-ins into major US institutions, including the White House and the State Department.

Read more about this in an article at The Conversation by the Professor of Electrical and Electronic Engineering and Director of Electronic Warfare Research at City, University of London.

Very often, Russian hacking starts with a phishing attack. As one of his last actions in office, President Obama expelled 35 Russian diplomats (spies) in retaliation for Russia interfering with the U.S. election process, after intelligence agencies lined up their stories and all pointed at Putin.

Bloomberg wrote: “The attack against U.S. democracy began in the summer of 2015 with a simple trick: Hackers working for Russia’s civilian intelligence service sent e-mails with hidden malware to more than 1,000 people working for the American government and political groups. U.S. intelligence agencies say that was the modest start of ‘Grizzly Steppe,’ their name for what they say developed into a far-reaching Russian operation to interfere with this year’s presidential election.”


See How Sentree Systems, Corp. can Help!!

Learn More!




Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News

Leave a Comment (0) →

Scam Of The Week Blends CEO Fraud And W-2 Phishing

[ALERT] The bad guys are starting their tax scams early this season! They are now combining two scams-in-one. First, they ask you to send them the W-2 forms of all employees, with the email looking like it comes from the CEO or a C-level executive. Next, they follow up with an urgent request to transfer a large sum of money to a bank account controlled by these cyber criminals.


Remember that when you receive sudden requests like this, they may be spoofed emails and that you should double check by picking up the phone and verify that this is a legit request coming from that executive. In these cases, it’s “OK to say NO to the CEO”.


This tax season, stay alert for scams like this, and Think Before You Click!



When are you going to die? Ubisoft tool uses Facebook data to tell you


What can a powerful, all-seeing algorithm predict about you, based on your online footprint, publicly available information and Facebook Likes?

I, whom you can henceforth refer to as Human #1067494, have found out.

To do so, I’ve engaged with an online environment called Predictive World: an interface to process users’ data that was recently released by videogame publisher Ubisoft.

To partake, you either have to agree to let the program access your Facebook profile (for the most accurate profiling) or to hand over basic information on your own.

The game-maker developed Predictive World in collaboration with the Psychometrics Centre of the University of Cambridge.

Based on their research, the thinking goes, it can generate accurate predictions of who we are, how many pints we put away every week, how much we weigh, how tall we are, how much we smoke, and when we’re going to die, among many other variables.

The game-maker has delved into the dangers of big data and predictive algorithms as one of the themes of its action-adventure game Watch Dogs 2: a game in which hero Marcus Holloway is wrongly profiled as a main suspect for a crime he didn’t commit by a city-wide operating system that collects and analyzes data on all citizens.

Ubisoft assures us that this is where fiction meets reality. Predictive World is all about demonstrating how seemingly trivial data about us can be pulled together and processed into profiles and patterns:

Each day, we leave a trail of more than 5 billion gigabytes of data behind us. This information comes from billions of collection points: from online transactions of course, to GPS signals, social media likes, texts we exchange, or even parking tickets, soda dispensers, etc.

They are then sold, bought, and analysed through different touch points in order to create strong and accurate probabilities on who we are or what we’re most likely to do.

As we often write about on Naked Security, Big Data covers many categories.

It’s not necessarily the photos you snap of your cat, for example.

But the term most certainly includes a collection of a million different cats, organized by location as precise as street address, that you may have contributed to by making your photo APIs publicly available on sites like Flickr, Twitpic, Instagram or the like.

You can take that scenario and replicate it on all the sites where our data is amassed: Automatic Number Plate Recognition (ANPR) cameras are another good example of how we can be tracked, given that our plate numbers stay the same while our locations change.

In fact, the US Drug Enforcement Administration (DEA) has been building a national license plate reader (LPR) database over several years that it shares with federal and local authorities, with no clarity on whether the network is subject to court oversight.

Then too, there’s the giant database of Wi-Fi access points from Google’s StreetView cars that it was using to aid and abet its geolocation services.

Predictive World is far from the first online tool to crunch our online selves to show us how all those Big Data players come up with profiles. Those profiles can be used, for example, to pass us over for jobs, given that most recruiters nowadays pore over our social network profiles before they decide whether to call us in for an interview.

One example of the tools used to demonstrate the data trails we leave behind was a site called “We know what you’re doing”. It aggregated some of our choicer social media content for us, delivered courtesy of Facebook via its Graph API.

Another was Please Rob Me. When it launched in 2010, it was using check-in data from the location-based Foursquare social network that was subsequently posted to Twitter.

When the information becomes publicly available on Twitter, it makes it theoretically possible for a robber to know when you’re away from home.

Well, maybe it was theoretical when they launched the site, but it sure didn’t stay theoretical for long. One set of burglars put the theory to the test by breaking into the home of friends after reading their Facebook updates to find out when they’d be away.

But back to Predictive World. After you sign in (I allowed it access to my Facebook profile to see how well it would do when spoon-fed), it collects data such as your gender, age, and pages you’ve liked, and combines them with local demographics to generate a profile of who you are.

How did it do?

Wow, the details that can be gleaned about you from Facebook!

Wow, how wrong they can be!

Predictive World believes that I’m tall, fat, have a 12.8% chance of smoking pot, make about double the minimum wage, have a conscientiousness factor of something like 43%, and will die at the age of 84.9 years.

Wrong, wrong, wrong, wrong.

So let’s reframe the initial question: what can a powerful algorithm that corporations or police may well consider to be all-seeing but is in actuality peering through cracked glasses with severe myopia guess about you based on your online footprint?

In my case, it guessed that I’m 4″ taller than I am, that I weigh 49 lbs. more than I do, that I make 31% of what I actually earn, that I drink two pints of beer a week (are you kidding?! I’m gluten intolerant!), and that my “risk” of smoking marijuana is 12.8%.

How much do those, and myriad other inaccuracies, affect predictive analytics?

A lot, if Predictive World is indicative: my life expectancy shot up from 84.9 years to 95.1 when I corrected those variables.

While it’s easy to see where big data can siphon concrete personal information such as our age or our location from Facebook (if we’ve made such data public and haven’t lied about it), it’s worth asking how it guesses at more subjective things, such as our level of satisfaction with life.

Predictive World is happy to tell you. You can click on each one of a series of rays that emanates from a throbbing circular graphic to get details on how a particular variable is derived.

For instance, people who like the same things as I do on Facebook tend to describe themselves as loving life. It can’t be all about the likes, though: my 94.13% satisfaction level shot up from 63% after I told the tool I wasn’t as poor as it initially assumed.


It isn’t, in fact, all about the likes. Predictive World is based on an algorithm developed by the Psychometrics Centre using a wide range of data sources, such as psychological and social media data from more than 6 million research participants, along with a bespoke infrastructure designed for the project that contains 6.3 billion data points.

That enables Predictive World to visualize the relationships between gender and salary, location and crime risk, personality and longevity, and much more.

Collecting and processing users’ digital footprints and combining predictions with open data, the system is able to make 70 data-driven predictions about an individual, from personality traits and intelligence to life expectancy and even financial risk propensity.

But does it really matter if it’s accurate or not?

What’s worth noting is that this kind of information can be, and is being, used to build up detailed profiles of us. Not necessarily accurate, mind you, but highly detailed nonetheless.

Earlier in the month, for example, before Facebook called off the plan, a UK car insurer was going to use young drivers’ data to analyze their personalities and offer quotes based on their profiles.

Predictive World posed this question: do I want my insurance company to have this type of information about me?

No, I can’t say that I do.

I don’t know which would be worse: having insurance companies think I’m going to die at 85 so they can offer me long-term care and not go broke; have them find out I’m diabetic (Predictive World doesn’t seem to know that; if it did, it would probably have guessed, based on average life expectancy of diabetics, that I had already kicked the bucket); or having insurers construct a more accurate profile of me so they can drop me like a hot potato when they find out that diabetes thing.

I don’t know whether I want to sharpen the accuracy of Predictive World’s, or insurance companies’ or banks’, vision of who I am. I’m leaning toward keeping my Facebook profile nice and fuzzy.

What’s your plan?


Article by:





Get Your Security Audit Today, Tomorrow Could be Too Late!!!

Did you know that the average breach goes undetected for more than 200 days?

Get Your Data Security Audit


Posted in: Newsletter Topics, Tech News, Uncategorized

Leave a Comment (0) →

The 1 Billion Yahoo Hack


This is getting old. It’s all over the press… again. Here is a Reuters article where I am quoted, which covers the most recent billion-record Yahoo hack.

Some people asked me after our Flash announcement last week: “Stu, really, these hacks happened a few years ago, closing down my whole Yahoo account, or blocking Yahoo at the firewall… aren’t you going a bit overboard here?”

Good question. Here is my take:
Well, that whole 1B database was sold on the dark web by a group of professional blackhats from Eastern Europe for 300K (and is still for sale at a much lower price right now), which means that a ton of bad guys now have these credentials. Worse, they have answers to security questions like “your mother’s maiden name”, which do not change like passwords, and backup email addresses that could help with resetting forgotten passwords.

Bloomberg reported that 150,000 U.S. government and military employees are among the victims in the latest breach.

My position is that all Yahoo accounts need to be considered compromised. They are sitting ducks for spam, phishing and malware attacks. If employees check their Yahoo account on their lunch break, do you want to expose your company network to that?

It looks like Yahoo has not learned their lessons, so new hacks can happen any time. There has been an exodus of qualified Yahoo staff and they seem to be unable to apply best security practices. They are now forcing all users (link to WSJ article) to change their password, but that’s too little, too late. I simply have lost trust.

So, I recommend you warn your users, friends and family… again. We have been here before on September 23rd when the 500 million record hack was first announced.

In September, Yahoo did not force people to change passwords, but now they are forcing a password change, and the bad guys are (again) all over this — the ones that own the Yahoo database but also the ones that do not, because news like this is a phishing paradise.

This is a phishing paradise with significant fallout

Phishing attacks likely will be the number one possible fallout, with Yahoo user accounts being used for social engineering attacks. However, since many people use the same username and passwords across multiple sites, the other thing that will continue to happen is called “credential-stuffing”, a brute-force attack where attackers inject stolen usernames, passwords and possibly the answers to security questions into a website until they find a match using the stolen Yahoo username and passwords.

The bad guys will continue to exploit this, so remind your users

Remind your users, friends and family. They will likely be confronted with Yahoo-related scams in their inbox. The bad guys are going to leverage this in a variety of ways, starting with bogus password reset phishing attacks, but also with masked links so that if you click on one you wind up on a compromised site which could steal personal information and/or infect the computer. The variations are infinite, but the defense against them is relatively simple.

I suggest you send them the following reminder – feel free to copy/paste/edit:

“Yahoo announced that 1 billion of their accounts were hacked. These accounts are now sold by internet criminals to other bad guys which are going to use this information in a variety of ways. For instance, they will send phishing emails claiming you need to change your Yahoo account, looking just like the real ones. Here is what I suggest you do right away.

  • If you do not use your Yahoo account a lot, close it down because it’s a risk. If you use it every day:
  • Open your browser and go to Yahoo. Do not use a link in any email. Reset your password and make it a strong, complex password or rather a pass-phrase.
  • If you were using that same password on multiple websites, you need to stop that right now. Using the same password all over the place is an invitation to get hacked. If you did use your Yahoo passwords on other sites, go to those sites and change the password there too. Also change the security questions and make the answer something non-obvious.
  • At the house, use a free password manager that can generate hard-to-hack passwords, keep and remember them for you.
  • Watch out for any phishing emails that relate to Yahoo in any way and ask for information.
  • Now would also be a good time to use Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.”

If you are a KnowBe4 customer, we have a Yahoo Breach Phishing Template in the Current Events Campaign which I suggest you send to all your users immediately as a reminder.

This is the largest hack ever, below is a graph fresh from an article in the Wall Street Journal that puts it in perspective. I suggest you send this to your management.

This is exactly the kind of thing that they want to prevent from happening and security awareness training is the number one thing that makes your organization more hack-resistant since your users are your weakest IT security link.
