Category Archives: security

MyHeritage Suffers Data Breach

In October of 2017, MyHeritage suffered a data breach. Over 92 million customer records were exposed. This included email addresses and salted SHA-1 password hashes.

Since then, attackers have been able to crack the majority of the password hashes. The list of email addresses and cracked passwords from the MyHeritage breach has recently come up for sale on the Dark Web.

How does this affect me?

Password reuse: Many people make the mistake of using the same password on many, or all, of the websites they use.

If you have used the same password for MyHeritage as you do for email, Facebook, banking or any other service, an attacker can use this information to access those accounts.

What do I need to do?

Identify any service where you may have used the same password, and then request a password change. This can be done via the ‘forgot my password’ link on most websites.

Set the new password to something secure and unique. Write this down in a notebook stored securely at home, or better, use a password manager.

Two great password managers are 1Password, and KeePassXC.

Another important step in keeping secure is to use Two-Factor Authentication.

Check if you have been ‘Pwned’

HaveIBeenPwned.com is a service that lets you check whether your email address or password has appeared in any data breach whose data has become public.

You can check your email at: https://haveibeenpwned.com/

You can check a password at: https://haveibeenpwned.com/Passwords

I highly recommend you use this free service to help keep yourself secure.

What is salted and hashed?

When you sign up to a website you are required to enter a password. The password is then converted to a hash and stored in a database.

When you log into a website, the password is converted to a hash and compared with the stored hash. If they match, you are able to log in.

If your password is grenfell and the website uses the SHA-1 hashing algorithm (as was the case with MyHeritage), it will convert the text to 3EC63D4F11F08C81B448F922A316E44E0F1628E0.

This is meant to slow down an attacker who has breached the service, but it is not impossible to reverse.

Using a password cracking program called Hashcat, I was able to reverse the SHA-1 hash for grenfell in under a second. This was a brute-force attack over all lowercase letters and numbers.

A salted SHA-1 hash looks a little different. Before the password hash is created, a salt is added to the password.

If your password was grenfell and the salt was 2019, the hash would be CEE02FF760DA4C0F8887AFDFA70EEF8AE1B70BC6.

You can see the difference in the hashes for the same password. If done correctly, each user's password will have a unique salt. This means users sharing the same password will still have unique password hashes.

Because the salt was known in my example, the password can also be cracked in under a second.
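To make the salting explanation concrete, here is a small Python example added for this article; it is not MyHeritage's code and not the Hashcat run described above. It assumes the salt is prepended to the password, since the article does not say which order was used, and the user names, random salts and short word list are constructed sample values. The find_in_wordlist function shows why a known salt does not rescue a weak password: anyone holding the salt can hash guesses exactly the way the site does and compare.

```python
"""Unsalted vs salted SHA-1 password hashing, as described in the article.

Added example written for this article, not MyHeritage's code. Assumptions:
the salt is prepended to the password before hashing (the article does not
say which order was used), and the user names, salt and word list below are
constructed sample values.
"""
import hashlib
import secrets


def sha1_hex(text: str) -> str:
    """Uppercase hex SHA-1 digest of the UTF-8 bytes of text."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def unsalted_hash(password: str) -> str:
    """Plain SHA-1: two users with the same password get the same hash."""
    return sha1_hex(password)


def salted_hash(password: str, salt: str) -> str:
    """SHA-1 over salt + password (salt prepended, by assumption)."""
    return sha1_hex(salt + password)


def new_salt(nbytes: int = 16) -> str:
    """A fresh random salt (hex). A site should generate one per user."""
    return secrets.token_hex(nbytes)


def store_password(password: str) -> dict:
    """Simulate sign-up: pick a unique salt, store salt + hash, never the password."""
    salt = new_salt()
    return {"salt": salt, "hash": salted_hash(password, salt)}


def check_login(record: dict, attempt: str) -> bool:
    """Simulate login: re-hash the attempt with the stored salt and compare."""
    candidate = salted_hash(attempt, record["salt"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return secrets.compare_digest(record["hash"], candidate)


def find_in_wordlist(record: dict, wordlist: list):
    """Why a known salt does not save a weak password: whoever holds the salt
    can hash each guess the same way the site does. Returns the matching
    word, or None if nothing in the list matches."""
    for guess in wordlist:
        if check_login(record, guess):
            return guess
    return None


def demo() -> dict:
    """Walk through the article's points and return the observations."""
    password = "grenfell"                 # the article's example password
    alice = store_password(password)      # constructed sample users, same password
    bob = store_password(password)
    return {
        "salts_differ": alice["salt"] != bob["salt"],
        "salted_hashes_differ": alice["hash"] != bob["hash"],
        "unsalted_hashes_same": unsalted_hash(password) == unsalted_hash(password),
        "login_ok": check_login(alice, password),
        "login_wrong_case": check_login(alice, "Grenfell"),
        # constructed word list: a weak password still falls to a short list
        "cracked_as": find_in_wordlist(alice, ["password", "123456", password]),
    }


if __name__ == "__main__":
    print("SHA-1 of grenfell, no salt:", unsalted_hash("grenfell"))
    print("SHA-1 of 2019+grenfell:    ", salted_hash("grenfell", "2019"))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

SHA-1 is used here only because it is the algorithm the article discusses; the example illustrates what a salt does and does not do, and the per-user random salt from secrets.token_hex is the part a site must get right for the "unique hashes for the same password" property to hold.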

The attackers who have cracked the MyHeritage password hashes have done so by discovering the salt that was used, and then using this information to crack the passwords.

In cases like this, simple passwords are the first to get ‘cracked’. Of the 92,283,889 accounts that were breached on MyHeritage, 91,991,358 were eventually cracked.

This potentially means 292,531 users were using passwords strong enough to withstand the cracking attempts. Using strong passwords will help you to be in this group of people.

Windows 7 End of Extended Support

Windows 7 was first released to the public on October 22nd, 2009. As with most software released by Microsoft, its life cycle is roughly 10 years.

Microsoft support their products for the first 5 years under mainstream support. The software will receive new features, complimentary phone support, and patches for vulnerabilities. Mainstream support ended for Windows 7 on January 13th, 2015. The product then moved into extended support.

With extended support, the product continues to receive patches for vulnerabilities to keep the device secure. The software no longer receives new features and users no longer receive complimentary phone support. Extended support for Windows 7 will continue until January 12th, 2020, which at the time of writing is about 14 months away.

Windows 7 will still work after extended support ends, but you will be left vulnerable to any zero-day vulnerabilities discovered after the support cut-off. A cyber criminal could exploit these vulnerabilities to gain access to your personal data, or use your device and bandwidth for illegal activities.

What should you do?

Plan to upgrade well before the extended support period ends. If you opted in to receive the Windows 10 upgrade when it was first released, installing it now would be your cheapest option to stay up to date.

Windows 10 can be purchased and installed via an in-place upgrade if you missed the free upgrade. This varies in price depending on the version you require.

Any device that runs Windows 7 should run Windows 10. If you find your device is getting slow, it may be a good time to look at upgrading to something with higher specs that already has Windows 10 installed.

If buying a new device is out of your range, there are plenty of lightweight Linux distributions available. Linux Mint, or Lubuntu are both easy to use and work well on older hardware. Linux distributions come packed with plenty of software, so you can hit the ground running.

Whatever route you take, don’t leave it to the last minute. Start planning your upgrade now to ensure that you are going to keep your devices secure and safe from malware or cyber criminals.

Tech Support Scam (Update September 2018)

Tech support scams have made a resurgence in Grenfell. The scam is nothing new, and the same old scare tactics are being implemented.

Usually, an unsolicited call from a person claiming to be a representative of Telstra, or another well-known company, will claim that your computer has been hacked.

Another tactic being used is an automated call advising you that your “internet has been compromised” and that it will be cut off if you don’t act promptly. You are then required to call the scammer yourself.

The first thing to note here is that Telstra, Microsoft, or any of the other companies that the caller claims to be, will not call you out of the blue to help with your “hacked” device.

Often with these calls, you will notice a delay before you can hear the person on the other end. This can be an indication that the caller may be a scammer.

The scammer will talk you through the steps to open Windows Event Viewer. Event Viewer keeps logs of what is happening on your machine. This includes a section that shows all the errors that have occurred on your device.

It is a simple program to open: hold the Windows key and press R, type in eventvwr and press Enter.

To the end user, the number of errors in Event Viewer looks to be of concern, and that is what the scammer is preying on.

Unless you are having noticeable trouble with your device, the errors should not be of any concern.

They are not “hacking attempts” as the scammer will try to tell you.

If, so far, the scammer has convinced you that he is legitimate, you will be talked through installing a remote access tool such as TeamViewer.

There are many other remote access tools that have been used.

These remote access tools are legitimate programs and will not be flagged as malicious by your antivirus. The scammer is simply using the tool for malicious purposes. Much like a brick that is used to build a house, it can also be used as a “tool” to break into a house.

The scammer's tactics vary from this point onward.

In some cases the scammer will ask for access to the victim's bank account, on the premise that hackers are trying to break in. Once the victim logs in on behalf of the scammer, the scammer is then able to transfer funds to his own accounts.

Other scammers have installed free software to “fix” the device, after which they charge a fee, in some cases up to $1200.

Once you have allowed remote access to your machine, there is nothing stopping the scammer from setting up a backdoor, stealing personal data, or from simply deleting files.

Whatever the outcome, it is all bad for the victim.

What can you do to avoid these scams

Caller ID: If your phone supports caller ID, screen your calls. If you do not recognize the number, or the number is private, don’t answer the phone.

Of course, use this to your discretion. If you are expecting a call this week from the doctors, you may need to answer that private caller.

Don’t call back: Ignore the automated message advising you to call back on a certain number. This tactic makes the scammers' work a lot easier, because you have called them and essentially lowered your guard. Sometimes the numbers are a premium service, meaning you may be paying per minute to talk to them.

Call a Friend: If you do get a call and you are not sure, use your mobile (if you have one) and call a trusted friend or family member. Sometimes just talking out loud to someone else will help the scam stand out.

Obtain a Silent Number: Telstra have removed the fees associated with having a silent number. This keeps your details out of the White Pages and online directories. Fees may still apply with other telephone providers. To activate this, call your telephone provider.

Register on the Do Not Call Register: This isn’t going to stop a malicious caller, but it will prevent some of the legitimate (but still annoying) telemarketing calls.

Educate your friends and family: Share this article with your friends and family. The more we talk about the scams going around, the less likely we are to fall for them.

Scamwatch is run by the ACCC. It provides information to consumers and small businesses about how to recognise, avoid, and report scams.

Our Tech Tips articles also have great tips on protecting yourself online, so do check them out as well.