Let me tell you of an IT company. It had started off small so the director had chosen a favourite password ‘D0neit01’.
This was some time ago, so the fact that it had numbers in made it really secure. It wasn’t particularly long, but it was memorable. Much better than other familiar passwords, like ‘Password01’ or ‘letmein’.
There were five of them working for this company and they were all really good friends. Three directors and two minions. They were working with cleaning companies and whoever would take them on. They realised that their level of service was a cut above everyone else’s, so they decided they could aim higher.
With one of those flashes of inspiration that sometimes hits small companies they realised that they could start working with the finance industry. They already had some contacts in that area of business and, well, those clients had money. It was a sure-fire hit!
Success Breeds Success
A few years later and they had an impressive portfolio of clients. Around a hundred in the bespoke finance industry. Hedge-fund managers, bespoke bankers, investment companies. Their clients loved their high level of service. In part this was because an engineer visiting site knew what the top admin password would be. You’ve guessed it. By this point about a hundred of their clients were investing more than $1B each. (Yes, 100 x $1,000,000,000 = $0.1T). Which starts to look like a significant part of the UK’s GDP. Some of the companies demanded ’secure passwords’ with funny characters in. For those companies the password became ‘D0nit01!’. Engineers knew that if the ‘low security’ password didn’t work you could use the high security one. Simples!
One of the managers was tasked with looking for a password manager. This would be able to hold all types of password. It would be able to fill in passwords automatically. You could give different members of the company different levels of access.
It came back with a price-tag of £10,000.
That was a lot of money.
The directors were not convinced that it was necessary.
An Innocent Mistake
One day, one of the directors was logging into a client, let’s call them ‘securefinance’. Their website was ‘securefinance.com’. The director had not noticed that in their haste they had typed ‘securefinance.co’. The website looked EXACTLY like securefinance.com, so why would they notice?
Over the coming months they started to notice that some of their clients were failing. In one bad incident a client lost $0.1B in a week! That client immediately started the process of winding down. It was sad – they were a difficult client, but they had been a good payer.
You are probably going to guess what had happened. That fake website had grabbed the entered username and password and was now beginning to use it on lots of websites. They were getting lucky. They were also trying password variations automatically. So they were picking off both the ‘low’ and ‘high’ security clients.
Bad Guys Collaborate
They had also submitted the successful usernames and passwords to a database that is maintained by hackers. (Yes, this really does exist.) So lots of other people were trying these passwords… but they were not using them themselves. They were getting computers infected with ‘malware’ to try them. That IS the job of a lot of malware. If the malware successfully logged in then they would update the database. If the password failed then the bad guys were untraceable. Either way the bad guys win.
By now, clients were getting picked off at an increasing rate.
It was looking very bad.
Several consequences could have followed, including a significant impact on the UK economy, jail terms and the collapse of the IT company. This is based on a true story. The directors were potentially negligent, so could have lost the shirts off their backs.
The Good News
A good password manager is available for FREE. It has greater capabilities than that old software costing more than £10,000.
There is an Enterprise version which has all the granular controls you require for a little bit more.
With a password manager, doesn’t that mean that I am committing all my passwords to a database protected with ONE password? Surely that is a really BAD idea? Yes, it would be UNLESS you set up two-factor authentication. This means that, in addition to the password, you have a code to type in that is sent to you or generated by an app on your phone. As a hacker will not have access to both your password AND your phone, your database is safe. It is also highly encrypted, and if you lose your phone or your admin dies there are very secure ways to recover the database.
Here is the manager we use: LastPass. It is not the only one out there, but it is very good. We manage more than 1,500 passwords with it. All our clients’ passwords are unique, long and very complicated.
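One way to check that a credential store really does hold unique passwords, as an added example that is not part of the original post: the audit below flags exact reuse and near-duplicate variants such as the ‘low’ and ‘high’ security passwords in the story (client names and the long password are constructed; the short ones are the placeholders quoted above).

```python
from itertools import combinations

# Constructed sample standing in for the story's shared-password sheet;
# the values are the placeholders quoted in the post, not real credentials.
SAMPLE_CREDENTIALS = [
    ("client-a", "admin", "D0neit01"),
    ("client-b", "admin", "D0neit01"),
    ("client-c", "admin", "D0nit01!"),  # the 'high security' variant
    ("client-d", "admin", "D0neit01"),
    ("client-e", "admin", "xK9#vQ2!mL7$pW4&zR8@"),  # unique and long
]

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_passwords(creds, max_variant_distance=2):
    """Return (reused, variants).

    reused:   {password: [client, ...]} for passwords shared by more than one client
    variants: [(pw1, pw2, distance)] for distinct passwords that differ by only a
              few edits, i.e. the 'add a funny character' trick from the story
    """
    by_password = {}
    for client, _user, password in creds:
        by_password.setdefault(password, []).append(client)
    reused = {pw: clients for pw, clients in by_password.items() if len(clients) > 1}
    variants = [
        (p1, p2, edit_distance(p1, p2))
        for p1, p2 in combinations(sorted(by_password), 2)
        if edit_distance(p1, p2) <= max_variant_distance
    ]
    return reused, variants

if __name__ == "__main__":
    reused, variants = audit_passwords(SAMPLE_CREDENTIALS)
    for pw, clients in reused.items():
        print(f"REUSED  {pw!r} on {len(clients)} clients: {', '.join(clients)}")
    for p1, p2, dist in variants:
        print(f"VARIANT {p1!r} ~ {p2!r} (edit distance {dist})")
```

Run it against an export from whatever you store credentials in; anything it reports is a password that one phished login would unlock on several clients at once.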
You might not be managing billions of dollars, but you wouldn’t want to lose what you have.
As part of my bid to live a healthier life, I have started to visit the gym regularly. It gets me into a good mood before work starts, and it adds regularity and routine. It’s a good thing.
As I look around I am impressed by the years of commitment that the other folk have put in.[1] I also noticed that some of them would put their weights and platforms and other bits in any convenient space, which is often just in front of the fire door.
It always reminds me of the phrase of a buildings inspector, ‘What time have you booked the fire?’ Obviously, you don’t know when the fire will be, so you should keep the fire exits clear at all times.
Similarly, with website security: you don’t know when the hackers or some other disaster will strike. Your best defence is to ensure that your website software is all up-to-date with relevant patches, that you have security software installed and, in case all that fails, that you have a backup stretching back six months (with a rapid restore option). You could do all that yourself, or you can get us to manage it for you, as part of our ‘safe and secure websites’ package for WordPress. For added security, we have just added ‘noCaptcha re-Captcha’ (no more illegible text to decode, just simple questions and a tick-box) as a security option for both WooCommerce and our website forms.
[1] Aside: I remember, when I joined the gym, that they showed me the range of health foods/food supplements that they had. I pointed out that if I could eat myself healthy I would be an Olympic athlete. Being in IT isn’t the best for one’s physique.
Some of you may have heard about a massive flaw in the security of the internet.
This is really serious and everyone should be aware of the implications.
Heartbleed is the sort of flaw that gives systems admins huge nightmares.
On vulnerable websites there is a significant possibility that your passwords have been revealed to hackers making use of the bug. Worse than that, if a site has been compromised there is no evidence!
It would be good practice to change all the passwords you use on the internet. Now.
…unless you have evidence that the services you use are not part of the problem.
At Cloud Genius, we have performed a full review of the services we use.
- Services to back up websites/update plug-ins. For clients that subscribe to these services: one was not vulnerable, the other service has been secured and we have taken the steps necessary to prevent any problems. No action required on your part.
- Website hosting – our provider has informed us that they are vulnerable. Until they update all their systems you may wish to change the password on your account at http://webhost.cloud-genius.com. Once their patching process is complete you should change your password again on the account. We will endeavour to let you know when this is.
- Paypal – our understanding is that Paypal is not affected.
- Teamviewer – our remote control solution of choice is not affected.
- Salesforce – To the best of our knowledge is not affected.
- LastPass – our password management software of choice is not affected. (And helped a lot in fixing services that were affected.)
Here is a list of other networks that were affected – these include people like Google, Yahoo and many others.
This is really serious. Make sure you are not caught out!
One positive – LastPass was able to scan all the services we use, list the affected services and make password changing a doddle! Highly recommended… and much more secure than any other system we have come across.
As a child I came across the saying: Fire is a good servant but a poor master.
I think that saying rings true even more of computers.
Most people seem to be slave to their computers, rather than getting the computers to do the work.
An auto-responder is a great way to put computers to work. As any good person in marketing knows, you have to keep in contact with your ‘prospects’. People rarely buy from you the first time they talk to you. I know marketing gurus who have fantastic systems of sending out emails one after the other, ‘warming’ up the prospect ready for the ‘sales chat’. They reckon that six is the magic number of contacts.
Imagine the computer could do that for you. It is a process, so perfect for automation.
The person signs up to a list. They get a sequence of emails, starting from that day, that address their particular need. If they respond to an email, it comes to you, so you can deal with them personally.
With a bit of creativity you can use this as a service to them. Imagine they want a reminder to do something every day for a week. You can set up a series of emails that go out on the seven days following their sign-up. You check ‘the system’, in this case AWeber, to see how far they are through the sequence.
Suppose that on day 3 they make a purchase. The sequence is no longer valid for them. You can make it so that when they sign up for your product they are automatically taken off the old list.
You have an event coming up. You want to send an email to all your lists. You want to avoid duplicates where people are on more than one list. No problem… or you want to send to all people on a particular list UNLESS they have already made a purchase. Easy!
You want emails to go out on particular days before an event, reminding people to book. Simple!
You want to integrate this data into your Salesforce leads. There is a free app for that!
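The list mechanics described above, as an added example that is not part of the original post and is not AWeber’s API: a minimal model of a day-offset sequence, removal from the sequence on purchase, and a de-duplicated broadcast across lists with an exclusion list (the addresses, dates and list names are constructed).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Simplified model of the workflow in the post; an assumption, not AWeber's data model.
@dataclass
class Subscriber:
    email: str
    signed_up: date
    lists: set = field(default_factory=set)

# Seven-day reminder sequence: day offset after sign-up -> subject (constructed).
REMINDER_SEQUENCE = {day: f"Day {day} reminder" for day in range(1, 8)}

def due_emails(subscribers, list_name, sequence, today):
    """Messages the sequence should send today to current members of list_name."""
    due = []
    for s in subscribers:
        if list_name not in s.lists:
            continue  # taken off the list (e.g. after a purchase): sequence stops
        day = (today - s.signed_up).days
        if day in sequence:
            due.append((s.email, sequence[day]))
    return due

def record_purchase(subscriber, prospect_list="reminders", customer_list="customers"):
    """On purchase, drop the subscriber from the old sequence and tag them as a customer."""
    subscriber.lists.discard(prospect_list)
    subscriber.lists.add(customer_list)

def broadcast_recipients(subscribers, include, exclude=()):
    """Unique addresses on any 'include' list, unless they are also on an 'exclude' list."""
    include, exclude = set(include), set(exclude)
    return sorted({s.email for s in subscribers
                   if s.lists & include and not s.lists & exclude})

def demo():
    start = date(2014, 1, 1)  # constructed sign-up date
    subs = [
        Subscriber("ann@example.com", start, {"reminders"}),
        Subscriber("bob@example.com", start, {"reminders", "newsletter"}),
        Subscriber("cat@example.com", start - timedelta(days=10), {"newsletter"}),
    ]
    record_purchase(subs[1])  # bob buys on day 3, so his reminders stop
    today = start + timedelta(days=3)
    return (due_emails(subs, "reminders", REMINDER_SEQUENCE, today),
            broadcast_recipients(subs, ["reminders", "newsletter"], exclude=["customers"]))

if __name__ == "__main__":
    print(demo())
```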
Suddenly you have a lot more time for following up those personal contacts. The rest is on ‘auto’.
For more information about any of this, just contact me!
I am a patient man… for an IT professional. I have been using Google Apps for over two years. I had found it to be reliable and easy to use.
Recently I upgraded my Mac to Mavericks. (For Microsofties, Mavericks is the latest version of the operating system for Macs.) There are lots of features that I love about Mavericks, but it really broke Google Apps email. I keep getting errors, unread mail counts are wrong, email retrieval is erratic – the lot. In the end this comes down to the Google email (IMAP) protocol being non-standard. That’s OK, the old Apple Mail used to work around it, but I do not use the ‘additional functionality’ that Google has plastered onto the standard. And it is the extras that are breaking my email. (For a similar tale of woe, look at how Google broke its synchronisation with Outlook last year.) Apple have delivered a fix, but it does not fix everything and it seems as if Google have reduced the number of concurrent connections allowed, so I keep getting errors. Lots of them. It is driving me nuts!
So, what do I do?
Do I ditch the Macs that I love or the Google Apps that I tolerate and have more than a suspicion are using my emails to make bigger profits? I could just access Google Mail from the web interface, but I am a road warrior – I like to have my emails downloaded for when there is no internet. I could upgrade to Google Apps for business but, with 10 accounts that would cost Cloud Genius £33 pcm + VAT (£792 + VAT over 2 years). Or I could use my own hosting webhost.cloud-genius.com. That will give me proper IMAP compliant email (and it will work with all those mobile devices, too – even Androids). It will allow me to carry over the cloud-genius.com domain, and it comes with free calendars, unlimited email space and storage space. (Actually, as I purchased my domain through webhost.cloud-genius.com it sorts all that out for me.) If I want to use it, there is even a web interface. All this for £39.36+VAT for 10 accounts for 2 years which works out at 16.4p per account per month! The equivalent from Google would cost £792 (that’s £33 x 24 months). That makes Google Apps 20x the price.
It did take half an hour to switch over the accounts. The emails are flowing in nicely, even emails sent from other Google Apps accounts. I now have to decide what to do with my historic emails… import them or archive them. Decisions.
As a bonus, I know that Google will not be reading my emails any more. Calm has returned to the Cloud Genius office. (The webhost.cloud-genius.com email servers use proper SSL encrypted connections, have proper spam filtering and have no affiliation with Google. They also have proper 24×7 phone support on 020 3027 4996 and 99.9% uptime. They also work with Windows, Linux, anything – because they stick to the IMAP standard. You can even use POP3, if you really want to.)
Any questions? Drop us a line!
I am writing about this particular scam because it is so plausible. (First, this does not originate from Microsoft, just people purporting to be from Microsoft.)
I have received a phone call. The person on the other end of the phone informs me that I have a problem with my computer. This is causing issues and may cause my computer to be blocked from the internet. Now, as someone who knows the capabilities of malware, this is not beyond the realms of possibility. The main slip-up was that they told me how to access Windows control panel. I did play along for a while before revealing that I do not use Windows.
Here is an article from someone who played along for a little longer before revealing his hand. He was blocked from the internet, because they deleted his network driver!
My expectation was that they would install a Trojan… I had not expected them to be so ‘hands-on’. Other scammers may try other ways to affect your computer. In the most recent call, I asked them where they were calling from – the line went dead.
Do you have experience of this type of scam? Let me know, as I am thinking of writing a tutorial, if enough people are interested.
By the way, the linked blog is from Malwarebytes. I have used their anti-malware software with Windows to great effect.