Wonga Data Breach

Wonga, the payday loan company, has announced that the details of up to 270,000 customers may have been accessed in a data breach; around 245,000 of those are UK customers.

What was taken?

Wonga says the data that parties unknown have accessed “may have included one or more of the following: name, e-mail address, home address, phone number, the last four digits of your card number (but not the whole number) and/or your bank account number and sort code.”

Advice?

To me, the advice on their incident page is a bit contradictory:

“We believe that your account is secure and you do not need to take any action.
However, if you are concerned then you may wish to change your Wonga.com password.”

I’d advise changing your Wonga password at a minimum. They have not said that passwords were accessed, which is good. But I would check your bank statements more closely than usual, even the small transactions, and query with your bank any that don’t add up. I’d also change your passwords on other financial sites (certainly if you use the same password on more than one site), and in any case if it has been more than 30 days since you last changed them. Bear in mind what was taken: name, address, e-mail, phone number, the last four digits of your card and your sort code and account number is exactly the information a convincing phishing call or e-mail needs, so treat anything unexpected claiming to be from Wonga or from your bank with suspicion.

After Jeremy Clarkson lost money in this stunt (he published his account number and sort code in a newspaper column, and someone used them to set up a direct debit from his account): http://news.bbc.co.uk/1/hi/7174760.stm I’d keep a very close eye on your transactions. A sort code and account number on their own were enough.

They posed the question:

“Can someone take money from my card with the information that may have been obtained?

  • Full card details were not taken.”

Which, in my opinion, is an elusive and evasive answer to an important question: it says what was not taken rather than whether the bank account number and sort code that were taken could be used.

Wonga official data breach page here: https://www.wonga.com/help/incident-faq


Letting people in (remote support)

The fake call

I want to start today’s blog post with something there are lots of videos and reports about on the Internet: fake calls from someone claiming to be “Microsoft”. Microsoft technical support will not call you unless you have specifically called them and requested a call back. A call from Mr or Mrs X telling you they’re from Microsoft, or from your ISP, is 99% certain to be fake. Be aware! And yes, they might be able to show you errors on your computer; every computer has them and survives just fine with them. You probably won’t have noticed them. I looked at my Event Viewer just now and I have 84 logged errors. I’m not worried about them at all.

But it’s so easy to let them take control: it’s only £45

It may seem like you’re having errors fixed with a quick 20-minute call and remote session. Let’s assume they have good intentions and do get rid of some malware that’s been plaguing you. What guarantee have you got that it’s gone? What if they’ve only removed part of it? Are they going to charge you another £45 next time? That’s £90 they’ve had from you. And if they had bad intentions, they now have your credit card details and have had remote control of your machine, so you could face some serious bills.

I have errors?

Every computer has errors. I have looked at my Event Viewer and filtered the Application log to errors. I have an error back from October that says…

It doesn’t mean my PC is going to crash or die. It just means that an application I was running back in October had a problem. Computers can be attacked in a lot of ways, but a logged error is not evidence of an attack.

Be smart

If someone calls you and claims to be from Microsoft, ask yourself: did you request their call? How did they get your number?

If you haven’t given your number to Microsoft, how are they calling you?

Have you opened a TICKET with Microsoft, that is, called Microsoft support and been given a ticket number? If not, then the call you’ve got ISN’T from Microsoft!

Yes, Microsoft do charge for some phone support. But there is a big difference between dealing with actual Microsoft and with people who call you out of the blue.


Here is a YouTuber who encountered a scammer claiming to be from Microsoft.

https://www.youtube.com/watch?v=rbfLmFbXUyQ

How to stop them?

Be smart: don’t believe someone just because they are on the phone to you!

Have you CALLED Microsoft for support recently? Remember, clicking “send report” when your computer has an error does NOT initiate a call from Microsoft!

Only let someone in if you’ve called them and asked for support. Get the number from the vendor’s own website; don’t just trust a search result. Type www.microsoft.com into the address bar and find their contact details there.

Perhaps use a local, trusted computer company. Look for reviews of the company on yell.com. Speak to them and ask whether they will do a no fix, no fee service; the local touch is much better than a person hundreds or thousands of miles away who doesn’t get the whole picture.

System builders must look at security

What is a system builder?

A person or group of people who are building a computer program, website, server or network, either for their own company or for a customer.

What type of security problems could there be?

Access is the major security problem that can be taken advantage of. Access to files and directories must be locked down to specific users. Depending on the system, for example, a website can have folder security enabled so that nobody can simply browse to thecomputersaint.com/blahfolderthatdoesntexist and see what is there; if there were sensitive documents in that folder, that would be the first step to ensuring they could not be stolen or downloaded.

The obvious security problem is people getting at your data: files, pictures, memoirs or anything else that could be sensitive. The information they pull from a file can be used against you, especially when it is combined with information gleaned from social media accounts.
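The “folder security” described above, written out as code so the rules are explicit. This is an added example, not code from the original post or from thecomputersaint.com: it confines every request to a document root, refuses directory listings and path traversal, and requires a logged-in user for a protected folder. The document root, its files and the protected folder name (“secure”) are all constructed for the demo, and the rules are this example’s own rather than any particular web server’s.

```python
"""Confining web requests to a document root and refusing directory listings.

Added example, not code from the original post or from thecomputersaint.com.
It models "folder security" in plain Python rather than in a web-server
configuration. The document root, the files in it and the name of the
protected folder ("secure") are all constructed for the demo.
"""
import os
import tempfile
from urllib.parse import unquote

PROTECTED_FOLDERS = {"secure"}   # assumption: these need a logged-in user


class Forbidden(Exception):
    """Raised when a request must be refused rather than served."""


def resolve_request(doc_root, request_path, user=None, protected=PROTECTED_FOLDERS):
    """Map a URL path onto a file under doc_root, or raise Forbidden.

    Rules (this example's own, not the site's):
      * percent-encoding is decoded before any check, so %2e%2e is ".."
      * any ".." component is refused outright as a traversal attempt
      * dot-files such as .htpasswd are never served
      * a top-level folder listed in `protected` requires a logged-in user
      * directories are never listed: a request for a folder is refused
      * after resolving symlinks the file must still sit inside doc_root
    """
    decoded = unquote(request_path)
    parts = [p for p in decoded.split("/") if p and p != "."]
    if ".." in parts:
        raise Forbidden("path traversal")
    if any(p.startswith(".") for p in parts):
        raise Forbidden("dot-file")
    if parts and parts[0] in protected and user is None:
        raise Forbidden("authentication required")
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, *parts))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise Forbidden("symlink escapes document root")
    if os.path.isdir(candidate):
        raise Forbidden("directory listing disabled")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def build_demo_root():
    """Constructed document root: a public page, a protected folder, a dot-file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "secure"))
    for name, body in [("index.html", "<h1>hello</h1>"),
                       (os.path.join("secure", "payroll.xlsx"), "constructed placeholder"),
                       (".htpasswd", "admin:placeholder-hash")]:
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    return root


def classify(doc_root, request_path, user=None):
    """Return 'served', 'forbidden' or 'not found' for one request."""
    try:
        resolve_request(doc_root, request_path, user)
        return "served"
    except Forbidden:
        return "forbidden"
    except FileNotFoundError:
        return "not found"


if __name__ == "__main__":
    root = build_demo_root()
    for path in ["/index.html", "/secure/", "/secure/payroll.xlsx",
                 "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd",
                 "/.htpasswd", "/blahfolderthatdoesntexist"]:
        print(f"{path:32} anonymous -> {classify(root, path)}")
    print(f"{'/secure/payroll.xlsx':32} as alice  -> {classify(root, '/secure/payroll.xlsx', 'alice')}")
```

The order of the checks matters: traversal and dot-files are rejected before anything touches the filesystem, and the realpath comparison is the safety net for a symlink that someone has dropped inside the document root.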

Who could take advantage?

Someone who is looking to attack you electronically; maybe they are looking for a password to an email account, or for information to gain a better understanding of what you do. Perhaps you work for a company whose data is commercially sensitive. If a competitor got their hands on that data and could get to market before your company, it could spell disaster.

Maybe your company has an old server no-one looks after, with 30 former employees’ accounts still active years later. 29 of them might never use theirs, but the 30th might log on and take data they are no longer allowed to access.


How to stop them?

Access must be controlled with a username and password; that is the first step in securing data. The password must not be written down and must not be shared. Change it every so often: your own password policy should sit somewhere between every 30 days and every 6 months. Use a secure password; see our other blog posts on how to choose one.

Keep track of old user accounts and remove or disable them when someone leaves the company, and change any shared passwords, such as VPN credentials, that the leaver knew. Make it policy; don’t let staff get complacent.

Do you need that old file in that location? If it’s no longer needed, move it or delete it. If a set of files is only needed by one person or one group, put it on its own small NAS box or its own LUN on the SAN, so that Finance can’t see Design’s files and Design can’t see Finance’s.
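The leavers check above (and the “30 old employees with active accounts” scenario) as a small reconciliation script. This is an added example, not code from the original post: it compares a directory export against the HR list of leavers, flags enabled accounts that should have been disabled, notes when the leaver also had VPN access so shared VPN secrets must be rotated, and separately flags dormant accounts for review. The directory export, the leavers list and the 90-day dormancy cut-off are all constructed assumptions.

```python
"""Finding accounts that should have been closed when someone left.

Added example, not code from the original post. The directory export and the
HR leavers list are constructed; in practice they would come from an AD/LDAP
export and from the HR system, and the 90-day dormancy cut-off is an assumption.
"""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)
TODAY = date(2016, 10, 24)   # constructed "now" so the example is repeatable

# Constructed directory export: (username, enabled, last_logon, has_vpn_access)
DIRECTORY = [
    ("alice",      True,  date(2016, 10, 20), True),
    ("bob",        True,  date(2014, 3, 2),   True),   # left years ago, still enabled
    ("carol",      False, date(2015, 1, 9),   False),  # correctly disabled on leaving
    ("dave",       True,  date(2016, 10, 1),  False),
    ("erin",       True,  date(2016, 5, 30),  True),   # still employed, but dormant
    ("svc-backup", True,  date(2013, 7, 4),   False),  # service account nobody owns
]

# Constructed HR list of people who have left, by username
LEAVERS = {"bob", "carol"}


def review_accounts(directory, leavers, today, stale_after=STALE_AFTER):
    """Return {username: action} for every enabled account needing attention.

    Actions:
      "disable"             enabled account that belongs to a leaver
      "disable+rotate-vpn"  as above, and the leaver also had VPN access, so any
                            shared VPN secret must be changed as well
      "review-dormant"      enabled account with no logon within stale_after
    Disabled accounts and active, current accounts produce no entry.
    """
    findings = {}
    for user, enabled, last_logon, vpn in directory:
        if not enabled:
            continue
        if user in leavers:
            findings[user] = "disable+rotate-vpn" if vpn else "disable"
        elif today - last_logon > stale_after:
            findings[user] = "review-dormant"
    return findings


if __name__ == "__main__":
    for user, action in sorted(review_accounts(DIRECTORY, LEAVERS, TODAY).items()):
        print(f"{user:12} {action}")
```

Run it on a schedule rather than once: the value is in making the check policy, as the post says, so that an account like bob’s cannot sit enabled for years.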

Passwords: Strong and weak. How to choose a strong password?

What is a weak password?

It seems obvious, but a weak password can be a single word, or even two words. It could be your mother’s maiden name or something equally personal to you. For example, in the film WarGames the password to a massive government computer was “Joshua”, the name of the son of the machine’s inventor. In fairness to the inventor, in the film he didn’t know the machine had been connected to the outside world or was even still in use.

If you used your wife’s name as a password, that is information anyone could find out or simply ask you, and then try against any of your accounts: email, online storage, bank. They don’t need to be at your computer; they can do it from their own.

Don’t choose a password that is obviously personal to you, and don’t use a single dictionary word!

What is a strong password, and how do you choose one?

For this you need to understand that there are two main ways to get around password security that are easy. The first is to guess the password, which works when the attacker knows you, or is specifically targeting you to get into your email or some other account.

The other method is a brute-force or dictionary attack, where a program takes a list of words (from a dictionary) and tries each one in turn, so if your password is “Zoo” it will be found almost immediately and you will lose your account.

There are more advanced tools that hackers and crackers can use to break account security, so even two words like “ZooApocalypse” are better, but still bad practice.

A strong password is something that can’t be guessed; it might look like a word, but it isn’t one. For example, “pa55word” looks like password (don’t use this, it’s a very common password), but you could take your wife’s name, Sophie, and replace letters with numbers to get “5oph13”.

But that’s still just numbers and letters. To be more sure no-one will guess your password, make it longer and add some symbols. Maybe add another word onto the end, say your favourite kitchen appliance, giving “5oph!3Bl3nd3r”.

I’ve added an exclamation mark to throw off the simpler substitution rules that the more advanced cracking tools use. Be aware, though, that swapping s for 5 and e for 3 is itself one of the first rules those tools try, so the real gain comes from the length and from the second, unrelated word, not from the substitutions. The more complex the password, the longer an attacker needs to get in, and with a strong enough password they will probably give up and move on.

It’s best to add a few symbols as well as numbers if the system allows it. If your passwords must be changed every 30 days, 6 months or whatever, you could prefix or suffix the password with a number and increment or decrement it each time, although doing only this is poor practice: anyone who learns one of your old passwords can predict the next one. Adding 16 rather than 1 each time makes the pattern less obvious, but it’s still best to change the password entirely.

You should change the password for each system you log into on a periodic basis, whether it’s social media, email or an important company server holding sensitive details; at least every 6 months is a good plan.
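To show what the dictionary attack and the “5oph13” substitution actually amount to, here is an added example (not code from the original post) that runs a small wordlist through the kind of case, substitution and two-word mangling rules that cracking tools ship with, against the hashes of the four passwords discussed above. The wordlist, the targets and the rule set are constructed for the demo and are a miniature of what hashcat or John the Ripper do with wordlists of millions of entries; it goes a little beyond the text in that it counts how many guesses each password survived.

```python
"""Dictionary attack with mangling rules: what "5oph13" really buys you.

Added example, not code from the original post. The wordlist and the four
target passwords are constructed for the demo, and the rules are a miniature
of the substitution and combination rules that real cracking tools (hashcat,
John the Ripper) ship with; real wordlists run to millions of entries.
"""
import hashlib
from itertools import product

WORDLIST = ["apple", "zoo", "password", "sophie", "blender", "apocalypse", "london"]
TARGETS = ["Zoo", "ZooApocalypse", "5oph13", "5oph!3Bl3nd3r"]   # constructed

# The substitutions people reach for are the first ones crackers try.
LEET = {"a": "a4", "e": "e3", "i": "i1", "o": "o0", "s": "s5"}


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word):
    """Every combination of the substitutions in LEET, e.g. sophie -> 5oph13."""
    choices = [LEET.get(ch, ch) for ch in word]
    for combo in product(*choices):
        yield "".join(combo)


def case_variants(word):
    yield word
    yield word.capitalize()


def candidates(wordlist):
    """Single words, then every two-word combination, each with case+leet rules."""
    for w in wordlist:
        for c in case_variants(w):
            yield from leet_variants(c)
    for a in wordlist:
        for b in wordlist:
            for ca in case_variants(a):
                for cb in case_variants(b):
                    yield from leet_variants(ca + cb)


def crack(target_hashes, wordlist):
    """Return {hash: guess_number} for every hash the rules recover."""
    found = {}
    for n, guess in enumerate(candidates(wordlist), start=1):
        h = sha256(guess)
        if h in target_hashes and h not in found:
            found[h] = n
            if len(found) == len(target_hashes):
                break
    return found


def run_attack(targets=TARGETS, wordlist=WORDLIST):
    """Return {password: guesses needed, or None if the rules never reach it}."""
    hashes = {sha256(p): p for p in targets}          # all the attacker "has"
    found = crack(set(hashes), wordlist)
    return {hashes[h]: found.get(h) for h in hashes}


if __name__ == "__main__":
    for pw, guesses in run_attack().items():
        status = f"cracked after {guesses} guesses" if guesses else "not reached"
        print(f"{pw:16} {status}")
```

“Zoo”, “5oph13” and “ZooApocalypse” all fall to this tiny rule set; “5oph!3Bl3nd3r” survives only because the “!” substitution is not in it, and a real rule set would include it. The lesson is the one in the text: length and an unrelated second word buy far more than swapping letters for look-alike digits.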

Security questions

A lot of websites require security questions, such as “what town were you born in?” or “what was the name of your first pet?”. These are a reasonable second stage of security after the password login, as they add a little extra protection, but only as long as the answers stay private. You need to be aware of who does and doesn’t know that information. A while ago there were stories of people whose Hotmail accounts were broken into after they had met a random person in an Internet chat room. They gave out the information Hotmail asks for in its “recover account” option, and with that the attacker could break into the account and send spam to the entire contact list. The attacker had posed as a new friend, asking questions that made him or her seem interested in the victim.

The lesson here is to be careful with new friends especially, and don’t give them too much information.


Disclaimer: This document isn’t a complete solution to password security. The advice is about better understanding the risks and how to mitigate them. There will always be people and organisations who want to steal your data and break into systems. You must think about the possible security risks and mitigate them. From this series of security blog posts you’ll learn that there are more.

If you require security services, please contact us at sales@thecomputersaint.com

DNS Disaster after DDoS on Dyn!

Since Friday a lot of websites have been slow or unreachable. This is because of a DDoS attack on Dyn, a DNS provider.


What is DNS?

All websites have at least one IP address. If you wanted to go to eBay.com without DNS you’d need to remember the IP address of the site, and of all your other favourite sites: basically like remembering every phone number in your phone’s address book. A DNS server is exactly that, a phone book that looks up ebay.com and translates it into an IP address. The IP address is sent back to your computer, which then downloads the website from it.

What is a DDoS attack?

A Distributed Denial of Service attack is when lots of coordinated nodes (bots, compromised machines) attack a certain IP address or range of addresses, normally by flooding the service with requests for information. The requests are bogus, but enough of them from enough “attackers” will bring a service to its knees and slow the Internet for the rest of us, or effectively take sites down because our DNS requests no longer get answered.

As the traffic can come from anywhere on the Internet it is difficult to filter or mitigate, simply because there are so many sources.

I’ve put “attackers” in quotes because the attacking machines could be computers or devices whose owners don’t even know they are taking part; they are probably not actual people.
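Why a distributed attack is harder to deal with than a single noisy client, shown over a query log. This is an added example, not code from the original post: it buckets constructed resolver log lines (“epoch_second client_ip qname”) by second and applies two checks, a per-source rate limit (the usual first reflex) and an aggregate limit. The log lines and both thresholds are constructed assumptions.

```python
"""Telling a distributed flood from one noisy client in a DNS query log.

Added example, not code from the original post. The log lines are constructed
to look like a resolver's query log ("epoch_second client_ip qname"), and the
two thresholds are this example's own assumptions about the service.
"""
from collections import Counter, defaultdict

PER_SOURCE_LIMIT = 50     # queries/second one client may send (assumption)
AGGREGATE_LIMIT = 1000    # queries/second the service can absorb (assumption)


def make_log():
    """Constructed log with three one-second phases."""
    lines = []
    # t=100: normal traffic, 40 clients, 5 queries each
    for i in range(40):
        for q in range(5):
            lines.append(f"100 10.0.0.{i} site{q}.example")
    # t=101: one client hammering; a per-source limit catches this
    for _ in range(400):
        lines.append("101 192.0.2.7 ebay.com")
    # t=102: 3000 bots, one query each; every bot is under the per-source limit
    for b in range(3000):
        lines.append(f"102 172.16.{b // 256}.{b % 256} ebay.com")
    return lines


def analyse(lines, per_source=PER_SOURCE_LIMIT, aggregate=AGGREGATE_LIMIT):
    """Return {second: {"verdict", "total", "sources", "top"}} for each second.

    verdict is "normal", "single-source flood" (one client over per_source)
    or "distributed flood" (no single client stands out, but the aggregate
    exceeds what the service can absorb).
    """
    per_second = defaultdict(Counter)          # second -> Counter(client -> queries)
    for line in lines:
        ts, client, _qname = line.split()
        per_second[int(ts)][client] += 1

    report = {}
    for ts in sorted(per_second):
        clients = per_second[ts]
        total = sum(clients.values())
        top_client, top_count = clients.most_common(1)[0]
        if top_count > per_source:
            verdict = "single-source flood"
        elif total > aggregate:
            verdict = "distributed flood"
        else:
            verdict = "normal"
        report[ts] = {"verdict": verdict, "total": total,
                      "sources": len(clients), "top": (top_client, top_count)}
    return report


if __name__ == "__main__":
    for ts, r in analyse(make_log()).items():
        print(f"t={ts}: {r['total']:5d} queries from {r['sources']:4d} sources, "
              f"busiest {r['top'][0]} ({r['top'][1]}) -> {r['verdict']}")
```

At t=102 no client sends more than one query, so the per-source rule sees nothing wrong; only the aggregate view shows the flood, and blocking it means dropping traffic from thousands of addresses that each look innocent. That is exactly what makes a botnet-driven attack hard to mitigate.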

Now that we’ve covered the basics quickly, what has been happening?

Dyn, a DNS provider, has been hit by a massive DDoS attack perpetrated by a botnet, suspected to be made up of IoT (Internet of Things) devices such as CCTV cameras that connect to the Internet.

Normally a DDoS attack is against a specific company or website, for various reasons. This one was against a service that many websites depend on, and it is a good example of how DNS is a shared point of failure that is more vulnerable to attack than most people think.

A good quote I have seen is:

Richard Meeus, VP of technology at NSFOCUS, which specializes in handling DDoS attacks, noted: “DNS has often been neglected in terms of its security and availability from an enterprise perspective – it is treated as if it will always be there in the same way that water comes out of the tap and electricity is there when you switch it on.”

Are you having problems connecting to websites? You can switch your computer or router to OpenDNS’s resolvers at 208.67.222.222 and 208.67.220.220. Bear in mind that this only helps if your own ISP’s resolver is the weak spot: if the site’s authoritative DNS provider is the one under attack, as Dyn was, a different resolver can only answer for as long as it still has the name cached.

15.36 TB SSD enough for you?

Samsung are now shipping a 15.36TB SSD in a 2.5″ form factor.

Certainly, in the world of home computing 15TB is a bloody lot of data storage. For a business, not so much. But in a SAN along with ten more of these you’ve got yourself some very fast storage for a small business. I think I would have a mechanical array of the same size (in TB) so I can back the SSDs up to spinning disks. Not that I don’t trust SSDs, far from it; my main machine has two of them. Backups are a must.

Key points for the PM1633a:

  • 12Gb/s Serial Attached SCSI (SAS)
  • “3D” V-NAND storage
  • 1 DWPD (drive writes per day) endurance
  • Sequential read and write speeds of up to 1,200MB/s
  • Random read and write speeds of up to 200,000 and 32,000 IOPS respectively

From the news release:

The unprecedented 15.36TB of data storage on a single SSD is enabled by combining 512 of Samsung’s 256Gb V-NAND memory chips. The 256Gb dies are stacked in 16 layers to form a single 512GB package, with a total of 32 NAND flash packages in the 15.36TB drive. Utilizing Samsung’s 3rd generation, 256-gigabit (Gb) V-NAND technology which stacks cell-arrays in 48 layers, the PM1633a line-up provides significant performance and reliability upgrades from its predecessor, the PM1633, which used Samsung’s 2nd generation, 32-layer, 128Gb V-NAND memory.

Impressive tech! It’ll be great to see this in a commercial setting.

The problem with Ad-blocker software

So, we are quite happy to watch free content. Oh no, a little overlaid image pops up showing us a new perfume, a job site or a new car, or maybe we’re distracted by a 20-second advert while we wait for our programme to start.
This is how the free content platforms make their money: they show us adverts and get revenue. If we all start using ad-blockers then companies like YouTube will lose revenue, as the return on advertising campaigns falls.
This is the problem: if YouTube and the other video sites didn’t have that income, the free content we take for granted would dry up, shrink or disappear and we’d need to start paying for it, or they’d invent a new way of putting adverts into the content we watch.
I don’t use ad-blocker software, as I do see a useful advert from time to time. I believe we should just watch them, and as long as they don’t become too overbearing it’s OK.
I do like 4OD now and again, but I find the adverts there a little too long.
So, don’t use ad-blocker software, unless you really are the impatient type who can’t wait 5 seconds to skip to the video.