Category Archives: security

Office 2010 End of Support

Microsoft Office 2010 was first released on June 15, 2010. As with most products, Microsoft run their software under two support periods; mainstream support and extended support. Microsoft Office 2010 in currently running in extended support. This ends October 13, 2020.

Mainstream support runs roughly 5 years. During this period new features are added to the software, bugs are fixed, and security vulnerabilities are fixed. Mainstream support also offers complimentary telephone support for retails version of the software.

Extended support kicks in after mainstream support ends. This runs for another 5 years. In this period, bugs and vulnerabilities are fixed, but there is no longer telephone support or new features added to the software.

Security vulnerabilities in Microsoft software are often able to be exploited in older version of software. This is due to similarities in the code base. This is why it is important to upgrade software before the end of support ends. Not only that, vulnerabilities found in the software after end of support, will not receive a fix. This may allow an attacker to exploit a vulnerability and access your machine.

If you are still running Microsoft Office 2010; start planning your upgrade now. If you need assistance deciding what version you need, or assistance installing the software, feel free to contact us.

“But I don’t have anything a Hacker would want”

“But I don’t have anything a hacker would want”, is often the reply I hear when I’m explaining the importance of strong passwords, software updates, and other tasks to improve their cyber hygiene.

“I don’t do online banking” or “I don’t have personal information stored on my computer” come in as the follow up statements.

What this tells me is that many of us have a false sense of what a cyber criminal wants.

Sure, financial gain does appear to be the motivation for many cyber criminals. Draining a bank account would be a easy pay day, but it could also be risky.

Many cyber criminals are opportunistic. They may not be targeting you specifically but if you don’t take precautions you’ll end up one of the unlucky targets they happen across.

Think of the internet like a car park, and computers as the cars. If you haven’t patched your systems, or make a habit of using a single password, you’re leaving your car unlocked in a public place.

A criminal can walk around the car park trying to unlock each an every car, once inside he might be able to take the loose change in the centre console, or take a laptop sitting on the backseat.

You would notice your laptop missing. But would you notice if the criminal took a few coins from the centre console?

A cyber criminal can scan the internet looking for computers that haven’t had the latest patches installed. These patches fix vulnerabilities in software that could potentially leave your computer “unlocked”.

Passwords are like keys. How convenient would it be to have one key that opens your house, car, safety deposit box, and mailbox? Say you lose one of these keys. How convenient is it for a criminal to then go around and access all your things with the one key?

Sure, in real life you’re probably going to notice a missing key. But digital things work a little differently. You might lose a file, but have an exact copy stored in a backup. You could have a copy of a file, and someone else could have the exact same copy of the file at the same time.

Would you know if a service you use lost a copy of a password?

In a data breach, cyber criminals are able to steal data (lose a key), and the company still maintains a copy of their own. The cyber criminal who initially stole the data can then sell it to other cyber criminals.

If this data happens to hold copies of passwords, a cyber criminal can then use these password to access the account of those users. If you use the same password everywhere, well, you can see where we are going.

You’ve left the car unlocked, you use the same keys for everything, the dog walker lost a copy of your key and didn’t tell you about it. You might still be thinking “But I don’t have anything a hacker would want”.

I’m sorry, but you do.

A DDoS attack (or Denial of Service Attack) is where a cyber criminal floods a website with traffic in order to slow down a website and try and take it offline. This is often done in protest (perhaps the website has different views to the cyber criminal, and she is angry), for the lulz (or for fun as it is known), or even just to cover up a separate attack that the cyber criminal is undertaking on the same site.

Back to our car – perhaps the criminal is going to use it to damage the property of a big corporation in protest. Perhaps he is going to cruise around town doing burnouts and driving through the garden of a local park ‘for the lulz’, or perhaps he has found one of your lost keys and is going to wander in a steal the jewellery in your home, whilst at the exact same time doing a burnout, out the front of your house to keep you distracted. All because you inadvertently left the car unlocked.

While it seams silly that the the criminal is in two places at once, that’s exactly how things are online. A cyber criminal can be doing multiple nefarious activities simultaneously; she can be attacking a website with a DDoS while also stealing the customer database.

To count as a DDoS (Distributed Denial of Service), the attack has to come from multiple sources. Computers (or other devices) that an attacker has compromised will be added to what is known as a botnet. This network of thousands of computers can have their resources pooled together to undertake malicious activities.

Resources such as storage are also something a cyber criminal requires. Perhaps she has some questionable material and need somewhere to store it. Perhaps she is selling the data stolen from another website. Instead of hosting it on her own servers, she might provide access to your computer and the buyer can download the information from there.

The car analogy still works here. Your car (the vulnerable un-patched computer), that you think is safe and locked, is sitting in a car park (the internet), completely open for anyone to access.

Remember the dog walker that lost a copy of your key (passwords) earlier. We’ll apparently he lost a copy of all his clients keys. The criminal who found them is storing them in your car. He found a buyer who will pop by your car later on to collect them. It doesn’t even matter if your using the car when the buyer comes along, he’s almost invisible.

This is really convenient for the cyber criminal because its your computer and not tied directly to him.

The purchaser of these stolen passwords, can use your email and password combination to then attempt to log into other service you use online.

Remember before I mentioned how convenient it was that you had a single key that opened the car, house, mailbox, and everything else? Yep. Ouch.

You might be thinking again, “But I don’t have anything a hacker would want”.

Facebook is a trove of information and everyone likes to overshare. “Happy Birthday Grandma”. Grandma is pretty tech savvy these days. We only communicate over Facebook.

“Hi Grandma! I’m in a bit of a pickle, I’m overseas at the moment and I have just had my wallet and phone stolen. I’ve been able to setup a temporary bank account and was wondering if you could transfer a couple of hundred dollars to it. The details are xxxxx. Thanks Grandma, I’ll be back home (hopefully) in time to pop by and wish you happy Birthday. Love from your Grandson and definitely not the cyber criminal who just bought access to this account.”

Look at that, you had exactly what a cyber criminal wanted. Access to Grandmas money.

It might not go down exactly like that, but your accounts as well as your computer can be used to attack other unsuspecting people.

I mentioned before whether or not you would notice a few coins missing from your centre console. You probably wouldn’t at first glance, but perhaps down the track.

If this was a cyber criminal taking files (the coins) from your PC, you probably wouldn’t notice at all because you are left with a copy even when she takes a copy.

What files do you store on your PC? Photos? Is there something that could be used for blackmail?

Do you have data that could be used for identity theft?

What about the drivers licence you scanned and emailed to the car dealership that time? What about the bill that Telstra insists on sending digitally? It has your name, address, and phone number listed on it.

You might not be doing online banking, but that’s not the only way you can lose money. A cyber criminal can use these details for identity fraud and have an expenses paid online shopping experience on your dollar.

“But I don’t have anything a hacker would want”, except for everything.

How do you protect yourself?

Passwords are hard. This is why we are all using the same old Petsname1! or Farm2810$ for our passwords. Don’t use the same password for everything. Even a variation of the same password is a bad idea.

Use a unique passwords for every account you have. This can make it difficult to remember, but it is OK to have them written down in a notebook stored securely at home. A password manager would be an even better choice.

To increase your password security, enable 2FA (Two Factor authentication) on all accounts that support it. If you are not sure if a services offers 2FA you can look it up on Two Factor Auth List.

Update software and Operating Systems. Windows can be updated by holding the Windows Key and pressing R. In the run dialog box type in control update and then press enter. Click the button that says Check for Updates.

Running a Windows Operating System that is out of support means it is no longer being maintained and therefore not receiving any security patches. If you are running Windows Vista or XP you really need to upgrade. Vista has been out of support for almost two years. Windows XP a lot longer.

If you are running Windows 7, your should aim to upgrade before January 2020.

Other software can be updated via its own menus within the software. It can be hard to keep track of versions when we have multiple programs installed. PatchMyPC is a free program for home users to easily update all the software on their PC.

While these task aren’t going to make you 100% secure, it is a good start. I have written multiple articles in the past on how to stay secure online. Check out our Tech Tips articles for more information.

My Heritage Suffers Data Breach

In October of 2017, MyHeritage suffered a data breach. Over 92 million customer records were exposed. This included email addresses and salted SHA-1 password hashes.

Since then, attackers have been able to crack majority of the password hashes. The list of email address and cracked passwords from the MyHeritage breach has recently come up for sale on the Dark Web.

How does this affect me?

Password reuse: Many people make the mistake of using the same password over many – or on all websites.

If you have used the same password for MyHeritage as you do for Email, Facebook, Banking, etc. An attacker can use this information to access those accounts.

What do I need to do?

Identify any service where you may have used the same password, and then request a password change. This can be done via the ‘forgot my password’ link on most websites.

Set the new password to something secure and unique. Write this down in a notebook stored securely at home, or better, use a password manager.

Two great password managers are 1Password, and KeePassXC.

Another important step in keeping secure is to use Two-Factor Authentication.

Check if you have been ‘Pwned’

HaveIBeenPwned.com is a service that allows you to see if your email or password has been seen in any data breaches where data has become public.

You can check your email at: https://haveibeenpwned.com/

You can check a password at: https://haveibeenpwned.com/Passwordss

I highly recommend you use this free service to help keep yourself secure.

What is salted and hashed?

When you sign up to a website you are required to enter a password. The password is then converted to a hash and stored in a database.

When you log into a website, the password is converted to a hash and compared with the stored hash. If they match, you are able to log in.

If your password is grenfell, and the website is using a SHA1 hashing algorithm (as was the case with MyHeritage), it will convert the text to 3EC63D4F11F08C81B448F922A316E44E0F1628E0

This is to help slow an attacker down that may have breached the service – but it is not impossible to reverse.

Using a password cracking program called Hashcat. I was able to reverse the SHA1 hash for grenfell in under a second. This was using a brute force on all lowercase letters and numbers.

A salted SHA1 hash looks a little different. Before a password hash is created a salt is added to the password.

If your password was grenfell, and the salt was 2019, the hash would be CEE02FF760DA4C0F8887AFDFA70EEF8AE1B70BC6

You can see the difference in the hashes for the same passwords. If done correctly, each users password will have a unique salt. This means users sharing the same password will still have unique password hashes.

Because the salt was known in my example, the password can also be cracked in under a second.

The attackers who have cracked the MyHeritage password hashes have been able to do some by discovering the salt that was used. and then using this information to crack the passwords.

In cases like this, simple passwords are the first that get ‘cracked’. Of the 92,283,889 accounts that were breached on MyHeritage, 91,991,358 were eventually cracked.

This potentially means 292,531 users were using passwords strong enough to withstand the cracking attempts. Using strong passwords will help you to be in this group of people.