Five Ways to Avoid Hotel Phishing Scams

Headlines about yet another hotel being hacked have become commonplace, and the statistics look grim. A staggering 64% of US citizens have already had to deal with stolen data. Hotel phishing has become far too common.

Hotels are perfect targets because of the amount of sensitive data they process every day and the technology they rely on. The many high-profile breaches of late signal that a lot of them do not have the right cybersecurity solutions in place.

Hotel phishing scams are a common attack, and Verizon's 2019 data breach report shows that 32% of all the data breaches detected involved phishing.

Even more worrying, 56% of those breaches went undiscovered for months.

You cannot stop attackers from trying, but you can lower the risk of becoming a victim. Here are five ways to detect and avoid phishing scams.

#1 Staff Training 

Hotels often skip cybersecurity training in order to invest in other areas, yet a single successful phishing scam can lead to a breach that tanks their reputation and customer trust and brings high fines with it.

Because email is the primary vector attackers use for hotel phishing scams, it's important that your employees are able to recognise such scam attempts right away.

A single click is enough to infect a system. The same Verizon report found that internal actors were responsible for 34% of breaches. Every misclick can result in your hotel being hacked again and again.

Cybersecurity training for the hotel staff must be a top priority. 

When staff members know how to detect a suspicious email, check the sender and double-check all domain names, the risk of them clicking on it becomes considerably lower. 

#2 Have an External Mail Warning System 

Creating a hotel phishing email is easier than ever, as people are more than willing to share their personal information online.

A well-constructed phishing email can look like a genuine company email from a well-known staff member.

An external email warning system helps identify suspicious emails by displaying a warning when the email originates from an external source. 

This prompts staff to double-check the sender's name and actual address before opening the mail or clicking a link, and to report suspicious emails to the IT office.
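As an added example (not the blog's own tooling), here is a small Python check that automates the two habits above: it flags mail from outside the hotel's domains, lookalike sender domains, impersonated display names and Reply-To mismatches, and prepends an external warning to the subject and body. The hotel domains, staff names and sample messages are constructed placeholders.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

# Constructed values: the hotel's own mail domains and display names that
# are often impersonated. Replace them with your tenant's real data.
ORG_DOMAINS = ("example-hotel.com", "mail.example-hotel.com")
IMPERSONATED_NAMES = {"hotel manager", "finance team", "general manager"}

EXTERNAL_TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This email originated from outside the organisation. "
          "Check the sender's real address before opening links or "
          "attachments, and report anything suspicious to IT.")


def address_domain(header_value: str) -> str:
    """Return the lower-cased domain of the first address in a header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'mail.example-hotel.com' -> 'example-hotel' (second-level label)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def lookalike_of(domain: str) -> Optional[str]:
    """Return the org domain an external domain closely resembles, if any.
    A threshold of 2 edits catches 'examp1e-hotel' or a dropped letter;
    very short org labels would need a tighter threshold."""
    if domain in ORG_DOMAINS:
        return None
    for org in ORG_DOMAINS:
        if levenshtein(registrable_label(domain), registrable_label(org)) <= 2:
            return org
    return None


def analyse(msg: Message) -> dict:
    """Run the checks staff do by hand (#1) and a warning system automates (#2)."""
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = address_domain(msg.get("Reply-To", "")) or from_domain
    external = from_domain not in ORG_DOMAINS
    return {
        "external": external,
        "lookalike_domain": lookalike_of(from_domain) if external else None,
        "impersonated_name": external and display.strip().lower() in IMPERSONATED_NAMES,
        "reply_to_mismatch": reply_domain != from_domain,
    }


def tag_message(msg: Message) -> Message:
    """Prepend the tag and banner to an external message in place; internal
    mail is returned untouched. Only text/plain bodies get the banner."""
    if not analyse(msg)["external"]:
        return msg
    subject = msg.get("Subject", "")
    if not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}"
    if not msg.is_multipart():
        msg.set_payload(f"{BANNER}\n\n{msg.get_payload()}")
    return msg


# Constructed sample messages.
INTERNAL_MAIL = """From: "Hotel Manager" <manager@example-hotel.com>
To: frontdesk@example-hotel.com
Subject: Rota for next week

Please see the attached rota.
"""

LOOKALIKE_MAIL = """From: "Hotel Manager" <manager@examp1e-hotel.com>
Reply-To: <bookings@freemail.example>
To: finance@example-hotel.com
Subject: Urgent supplier payment

Please process the attached invoice today.
"""

GUEST_MAIL = """From: "Jane Doe" <jane@freemail.example>
To: reservations@example-hotel.com
Subject: Booking question

Do you have a room on the 12th?
"""


def check(raw: str) -> dict:
    """Parse a raw message, return its flags plus the (possibly tagged) subject."""
    msg = message_from_string(raw)
    flags = analyse(msg)
    tag_message(msg)
    flags["subject"] = msg["Subject"]
    return flags


if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, LOOKALIKE_MAIL, GUEST_MAIL):
        print(check(raw))
```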

#3 Implement a Sandbox

A sandbox is a completely isolated environment that lets malicious code run as if it had access to real systems, while in fact it can touch nothing of value.

Sandboxes are used to open links and attachments and execute them without risking the security of your network.

If the sandbox detects malicious code or a malicious link, it shows a warning and removes the attachment or link so users and systems stay safe.

#4 Keep Your Network Secure 

Have antivirus, antispyware, and anti-malware software on your network and all devices, as well as commercial firewalls.

Keeping your main network inaccessible to outside devices will reduce the vectors of attack.

Have a different network for your guests, and keep all personal IT devices from your staff on a separate network too. 

#5 Stay Informed About Phishing Techniques & Have Procedures In Place

New phishing scams appear all the time, so make sure your IT department follows new developments closely. Ask them to send regular internal newsletters on current threats and distribute them to everyone.

Plus, make sure you have strict procedures in place for payments and for authorising new transactions. For example, a change of a vendor's details must be confirmed with the vendor over the phone (rather than by email), requests for money are escalated to a higher management level, and links aren't clicked unless they are expected.

Hotels Must Be Hypervigilant

The reason so many hotels fall victim to phishing attacks is that they fail to update their systems, operations, and standards.

Coupled with a lack of staff training and monitoring solutions, this means a data breach may already be in progress without them having the slightest clue about it.

Steps To Respond To a Ransomware Attack

Cybersecurity is an important topic for any business now. In the last 12 months, 32% of businesses experienced some sort of cyber attack or data breach. That means that every third business had to deal with a cyber-attack, according to the Cyber Security Breaches Survey 2019 by the UK Department for Digital, Culture, Media, and Sport. It goes without saying that every business should prepare for a ransomware attack and other types of cyber-attacks.

Keeping your assets secure against cyber threats takes much more than installing firewalls and anti-virus software. Today's cyber threats are sophisticated and use every possible loophole in your security settings to get access. While there are different types of attacks, ransomware is one of the most malicious that businesses have to deal with.

What’s a Ransomware Attack? 

Ransomware is a type of attack where malicious software (malware) takes over a computer or whole systems and denies any type of access until you pay a ransom. The ransom demand usually requires payment in cryptocurrency like Bitcoin, as it’s impossible to trace it. 

It is one of the most dangerous types of attacks, as it can stop a business dead in its tracks. In case the ransom is not paid, all data will be deleted from the system. 

This is bad enough if it happens to an individual. Imagine this happening to your company – you will lose all business and operational data, and you’ll have to start all over again. Some businesses never recover.

Preparing for a Ransomware Attack

The bad news with ransomware attacks? It can happen to anyone, and once it does, there’s not much you can do. 

But you can prepare for it. Here’s how: 

Data backup should be your number one priority.

It can save you thousands, even millions, but it has to be done right, by protecting your data storage properly. Ransomware attacks are carefully executed, and attackers will often have access to your systems for months before they strike.

Why? Because they want to make sure they hijack everything, including any possible backups you might have. 

This is why you should keep backups in another location. It's best to have backups in the cloud but also keep at least one backup offline, completely disconnected from any network, as even cloud backups can sometimes be affected.

Make sure IT keeps all systems and software up to date.

Although updates are often a hassle, they exist for a reason. Most updates are released to take care of security vulnerabilities. When software and operating systems are not updated, you are basically inviting hackers to access your systems. Your IT department should ensure every device is up to date. 

Start implementing user restrictions.

Not all of your employees need access to all your data. Ask your IT provider to implement user restrictions so that your employees have access only to data they need. In case they need more, they can request special and temporary access that is revoked as soon as they don’t need it anymore. This way, in case their accounts are compromised, the breach will be limited. 

Invest in monitoring software. 

You can get powerful software solutions that can monitor your whole systems for suspicious activity. This goes beyond the regular antivirus monitoring – it can monitor what users are doing, what data they are accessing, and alert you in case something is out of the ordinary. 

Don’t forget about employee training.

No matter what type of security software and solutions you use, if your employees are not aware of cybersecurity best practices, you're always just one bad click away from a ransomware attack. Make sure your employees know how to spot suspicious emails, and know that they should never click on the links in such emails or download their attachments.

Work on your BYOD policies.

Many businesses, especially small- and medium-sized ones, often allow employees to bring their own devices (BYOD) to work. Without a good policy in place, however, this becomes a security issue. 

If an employee brings an infected device and connects it to the same network, you’re looking at a possible spread of infection – and ransomware – to all other devices and the whole system. Because of this, any device connecting to your system should be up to date, have antivirus software, and be cleared by the IT department regularly. This goes for smartphones too.

First Steps After a Ransomware Attack 

1. Take a photo of the note

This will help IT determine what type of ransomware you're dealing with.

2. Determine the extent of the attack 

Your IT provider should be able to determine whether the ransomware has infected a single device, or if the infection is spreading through your network.

3. Isolate infected devices and disable sharing

All infected devices should be removed from the network to stop the spread. Any type of sharing that’s active should be shut off immediately. 

4. Notify employees

Send an email to all employees so that they can report whether their devices are working. Those who can work can continue, but those affected can help in other areas while IT deals with the issue. 

5. Let IT remove ransomware from infected devices 

IT should completely wipe the devices that were infected. Sometimes a local backup on the device can solve the issue, but often even that will be unavailable.

6. Restore data from backups

Once you reinstall the operating systems, your IT can restore data on affected devices from a cloud or offline backup.

To Pay or Not to Pay? 

If you’re not prepared and have no backups, you might be tempted to pay. Take this year’s ransomware attack on the City of Baltimore’s government. Their systems were infected by ransomware that stopped numerous important systems: ATMs, airports, even hospitals. 

The attackers demanded that the city pay about $76,000 in Bitcoin. The city refused, only to realise that many of its systems weren't backed up. They lost huge amounts of data, and the attack ended up costing them $18 million.

It seems that in the case of Baltimore, it would have been much better if they simply paid the ransom. Well, not really. 

Why? 

You’re dealing with criminals. Even if the city paid the ransom, there’s no guarantee that they would have gotten the access back. If they did, they would have become a prime target for future attacks too, since they paid the ransom already. This is why it’s so important to prepare – it will minimise damages.

Conclusion

Everyone's at risk of a ransomware attack. Preventing it is next to impossible, but preparing for it is more than possible. Your IT provider should back up your data regularly, and you should make sure your employees know how to spot phishing attempts. When you prepare properly for a ransomware attack, you can minimise its impact and spare yourself monetary and reputational damage.

IT Managed Service Providers vs In-house IT Teams For Hospitality

As businesses are undergoing digital transformations, IT is becoming a critical part of their business success. With consumers expecting hospitality to match the digital era with new customer experiences, it’s often one of the things that are left behind!

So whilst basic IT knowledge goes a long way in hospitality, having a dedicated IT expert is still the best solution. Most business owners are now faced with a critical decision: choosing between an IT managed service provider and an in-house IT team. How are they different? Which one is better? How safe is it to let someone else take care of your IT needs?

The choice between an IT managed service provider vs in-house IT team often boils down to the size of the company and its specific needs. Here’s a rundown of the pros and cons of each option.

In-House IT Team: Pros and Cons

In-house IT staff usually handle day-to-day IT operations and requirements. Startups and small and medium businesses will often start with a single IT expert who will handle their IT needs. As they grow, however, they will also need more than one IT expert to keep track of everything.

Pros

It’s not that in-house teams are without benefits:  

  • They will have intimate knowledge of your operations and know your infrastructure in and out.
  • They can be immediately available when you need them.

On the other hand, having a full in-house IT team is often limited to large enterprises only. A full IT team when you’re a small or middle-sized business is just not possible financially. Not only would they eat up resources but you need a place to put them day-to-day too!

Cons

The cons of in-house teams seem to be more prevalent when it comes to IT requirements of most hospitality businesses:

  • The costs run high: They will be your full-time employees, meaning you will have to cover their salaries, benefits, training, NI, and other expenses.
  • The emergencies increase costs even more: The cost of intervention often goes up considerably in case of emergencies that happen overnight, and you have to pay overtime.
  • Team members are not bound to your company: If they decide to leave for what they think is a better opportunity, they are free to do so. When they leave, they will take all their expertise with them and you’re stuck with tech you don’t know how to run, unless you employ a team – which is even more expensive!
  • In-house teams can rarely keep up with all the latest IT developments or industry trends, meaning that parts of your IT infrastructure will inadvertently become outdated. It’s their job to keep things running, not constantly innovate!
  • Often limited to reactive interventions instead of proactive IT strategy development.

Is an IT managed service provider better than in-house IT teams? Let’s see what they can offer.

IT Managed Service Providers: Pros and Cons

Business owners often wonder how an IT managed service provider can be better than an in-house IT team. It seems logical that hiring a third-party provider to take care of your IT needs would be less efficient.

But this is a common misconception.

Managed service providers actually improve efficiency. They deliver higher quality services because IT is their speciality; it’s all they do. They are experts who continuously improve their knowledge by following the latest developments.

Pros

When a business hires an IT managed service provider, they will reap the following benefits:

  • Paying a lower price for hiring them than you would for keeping an in-house team. Their services are available for a flat monthly rate, which makes budgeting for IT super easy. You benefit from economies of scale here, because ultimately, you won’t be the service provider’s only client – but that means they are more affordable!  
  • They are available around the clock and can monitor your systems at all times.
  • Your operations will rarely be disrupted: Managed service providers have service level agreements (SLAs) that are legally binding. They guarantee to provide the highest possible uptime and service quality. It also means that should you move to someone else, they should provide you with all the procedures and documentation necessary to ‘hand-over’ your day-to-day.
  • Managed service providers also have access to the latest technological solutions, software, and industry contacts. This means your IT will be brought up to date as soon as a new solution is available.

Cons

Of course, there are also some disadvantages of managed service providers:

  • Finding the right fit for your business needs takes time. Sometimes, trial and error is the only option to find a managed service provider who has everything you need.
  • Sometimes, service packages can be arranged in such a way that you might need to pay for some services you don’t really need. Still, many managed service providers will happily let you make a fully custom package.
  • The biggest concern is their on-site availability. Your MSP should always be able to provide some level of physical presence, particularly for first-line support, which often involves users directly.

IT Managed Service Provider vs In-House IT Team: Who Wins?

Is an IT managed service provider better than in-house IT teams? Our verdict is a big fat YES because they can offer everything an in-house IT team does, and more! Ultimately, you pay for a ‘service’ rather than a person when it comes to an IT managed service provider and therefore you know you’re always covered!

Comparing an IT managed service provider to an in-house IT team shows that you will ultimately save more money by opting for a managed service provider.

Having up-to-date software is also a crucial point – it ensures you are well protected against cybersecurity threats and attacks that are becoming more elaborate over time. Your IT managed service provider will make sure all your security definitions are up to date, that they never expire, and that your business and customer data is secure.

IT managed service providers free up the time you would otherwise spend on the challenging tasks related to your IT. They are not just your IT support; they are the technological catalyst for your business, working with you to develop the right strategies to achieve your long-term goals.

How to Make Technical Staff Training More Engaging

Technical staff training is crucial to keeping personnel up-to-date on the latest technological solutions you plan to implement in your business.

But.

When staff training is technical in nature, it can turn into a nightmare for both managers who organise it and staff members who attend it.

It’s hard to hold training on technical topics because they are often very dry and complex.

One of the common issues with technical staff training is that attendees often can't grasp the topic, so they stop following the lessons or get bored and drift off. To combat this, you need to keep staff actively engaged.

Here are some of the ways you can do this:

Include Multimedia

Your staff members have various learning styles, so have an even mix of lessons that accommodates each of them.

  • Visual learners will benefit from visual additions such as PowerPoint presentations, images, or videos.
  • Auditory learners will enjoy your presentations and engaging in conversation or sound clips.
  • Kinesthetic learners will benefit most from activities, testing or writing formats.

Gamification

Use game design elements to engage staff by applying game elements such as challenges (learning objectives), feedback (helps with progress), collaboration to achieve goals (a sense of community), competition (to keep staff motivated), and rewards for achieving them (gratification and sense of accomplishment).

Demonstrations

Using props or demonstrations is an easy way to make technical subjects more 'real'. Often users can't relate to new technical solutions and therefore don't connect. If you can't offer a tangible demonstration, show off benefits and changes in operations that they can relate to.

Have Breaks

The more technical the training, the more breaks you need. The brain can’t process too much at once and it will actually hinder learning to try and cram everything in at the same time. Keep your lessons to 20 minutes max and then offer a breather by having a quick Q&A, telling a story, having an activity or giving free time. 

Real-Life Examples

Stories stick with people. If you use a compelling story to explain any concept of the new tech it makes it more memorable. Use real people, real examples and specific situations to engage with your staff. 

Role Play

When explaining concepts during your technical staff training, assign roles to your staff and help them explain the lesson through simple role play. They will interact with each other and remember new operations easier. Questions are also more likely to pop up and be dealt with on the spot when you’re acting things out. 

Blended Learning

A combination of digital and in-person learning can help all members. Not all staff members will be able to attend every lesson; the workload often doesn't allow it. Allow members to learn remotely too, and make sure to keep tabs on their progress. Then complement their learning with meetings or in-person support.

Customise For Your Business Specifically 

Whatever your company culture is, include elements so that your technical staff training feels part of the organisation itself. This way it can show employees that the business has adapted to this tech already, making it more likely they will engage. 

Offer Choices

While you might have planned every detail of how training will go, give attendees some breathing room as well. Give them the freedom to rearrange the lessons to an extent. By having a say in how technical staff training is conducted, they will be more interested in actually attending.

Hopefully this has given you more insight into how to make technical staff training engaging. Check out the IT staff training courses at The TowerWatch Academy for easy training courses that your employees can relate to.

Top 10 Software and Tech Solutions for Small Businesses

Don’t shy away from technology in your business! It’s time to get acquainted with some of the best software and tech solutions for small businesses at the moment.

1. Encrypt emails for free with My Protected Mail

Of course we’re going to start with one of our own products! The introduction of GDPR has placed a renewed emphasis on email security. All small businesses have a duty to protect the data of their customers, clients, and employees. A reliable, straightforward way to protect data sent electronically is to use encryption.

Encrypted emails can only be viewed by the sender and specified receivers; they are protected from interception, even when an email is forwarded.

My Protected Mail is a tech solution for small businesses that does this for free. There's no software to install; simply send your email to a dedicated mailbox, and the platform will issue a Microsoft Protected Email that can be accessed only by the intended recipient. For a reasonable monthly fee, developers can also add enhanced features to encrypt web portal or app communication. Try My Protected Mail here.

2. Defend your business from online attacks with Acronis Ransomware Protection

Ransomware attacks, in which malicious software blocks access to devices with the aim of extorting money from the owner, can completely devastate a small business. Not to mention the risk of a data breach. It’s critically important to proactively prepare; you can find out more by clicking here.

Ransomware protection software mitigates this risk, and it doesn’t have to cost the earth! Acronis Ransomware Protection monitors suspicious behaviour, blocks malicious applications, encrypts files, and recovers damaged data; all for free.

3. Organise every aspect of your business with Asana

Asana is a project management platform that helps your entire team to stay organised and efficient. It allows you to create projects and tasks, assign team members, set deadlines, allocate documents, run reports, and myriad other jobs. It’s suitable for use on computers and mobile devices; even when travelling, you can keep on top of your business!

Asana also interacts seamlessly with 100 other platforms, helping to manage emails, files, calendars, workflows, and dozens of other tasks from one place, simplifying your business processes.

4. Take storage to the cloud! 

Cloud-based storage has proven itself to be a reliable and economical alternative to traditional hard drives and servers. The key benefits to small businesses include cost-effectiveness, automatic backup and recovery, remote accessibility from all devices, and no ongoing server maintenance.

There are countless services to choose from, but our favourites are Dropbox, OneDrive, and Google Drive. All have common features, such as free storage (although the amount varies; 2GB for Dropbox, 5GB for OneDrive, and a whopping 15GB for Google Drive), document collaboration, link sharing, and file privacy. You can also upgrade to a monthly plan for expanded storage.

5. Automatically guard sensitive information with Azure Information Protection

Azure Information Protection (AIP) from Microsoft is a cloud-based tech solution for small businesses that automatically encrypts emails and files. The system is managed across all Office applications using labels, which are configured to detect sensitive data and protect it. For example, if a credit card number is entered into an Excel spreadsheet, a rule can be set up to prompt the user to protect the information automatically.

Traditionally this can be quite difficult to set up for small businesses, but we created an Azure Information Protection for Small businesses online course to make it easy for you, regardless of whether or not you’re a techie!

6. Bring the team together with Zoom video conferencing

No matter how scattered your team is, video conferencing fosters the collaborative spirit that can otherwise be absent when working remotely. You needn’t be together to succeed together.

Zoom is a complete video conferencing service that includes high-definition online meetings, webinars, instant messaging, document sharing, whiteboards, virtual breakout rooms, calendar integration, and analytic data for meeting organisers. It can be accessed from computers and smart devices; so travelling team members can still participate!

There's a free version of this tech solution with essential functionality that may be enough for some small businesses, and there are monthly packages that include expanded features.

7. Protect your business with ESET antivirus

Malware attacks can be extremely disruptive to small businesses; leading to potential loss of files, equipment, and revenue. A high-quality antivirus is therefore essential.

ESET has a strong reputation for keeping computer equipment safe from malware, including viruses, ransomware, rootkits, worms and spyware. It’s easy to use, low in power-consumption, and backed by 30 years of experience and 110 million global users. A free trial is available, with the full version priced from £29.99 per year for one user.

8. Clean up your computer with MyDefrag

When we create files on a computer, they are broken up by a process called fragmentation; this is completely normal, and helps files to fit on a hard disk. However, repeated fragmentation makes reading and writing files a chore for your computer. Defragmentation is essentially a spring clean; a process that puts files back together, boosting your computer’s onward performance.

Windows comes with a built-in defragmentation program, but there are more efficient alternatives. MyDefrag is the best of the bunch; it works quickly and can accommodate external storage. Ultimately, this nifty little program helps your business to avoid slow equipment, repairs, and replacements. For more ways to speed up your computer’s performance, check out our free course here.

9. Cut your phone costs with VoIP

Voice over Internet Protocol, or VoIP, is the technology that facilitates phone calls via the internet. It’s cheaper to make calls by VoIP than a standard landline, and you’ll notice a huge improvement in sound clarity.

The best VoIP service for small businesses in the UK is VoipFone; it’s easy to set up, with excellent customer support, reasonable prices, and a free trial. Global businesses looking for similar features are recommended to try Ring Central or Vonage.

10. Keep on top of your finances with online invoicing

Invoicing is a critical aspect of small business management; online solutions make the process efficient by collating due payments, generating invoices, sending them, and overseeing the collection process.

Invoices contain sensitive information, so it’s important to work only with a trusted platform. Check out this post to find out how small businesses should protect their financial security when using online invoicing.

The most reputable platforms are Freshbooks, Due, Invoicera, And Co. and Harvest. All have at least one free option, whether a trial or essential version, and each has paid subscriptions, which vary in price according to the features you need.

Need help with your IT or tech solutions for small businesses or have a question on software to suit your small business? Join our free support community here.

Data Breaches Aren’t Just Your Users’ Fault (Infographic)

As IT guys, it’s very easy to blame users for data breaches but it’s not always just their fault. Sometimes, data breaches aren’t users’ fault.

Sure, they need to update their passwords, stop giving things out and stop clicking on suspicious email links. But the buck stops with you as their IT professional. We thought these statistics from IS Decisions' research into IT security managers in both the UK and US were very enlightening.

It shows that compromised credentials are one of the main causes of data breaches, and we must remember our users are human! It's up to us to help limit the risk by:

  • Forcing users to change their password frequently, even if they hate us for it
  • Making sure policy dictates a different password for each program or part of the system
  • Giving regular training on phishing and the data security issues that affect them, and not assuming they will know something is off when they see it
  • Being approachable so that any issues are quickly reported

Doing these small things can make a big difference to data security and protection, minimising the risk of a breach from compromised credentials. Here is the infographic, with some interesting statistics:

Infographic: Security Breaches from Compromised User Logins

The True Cost of a Data Breach to Your Business

GDPR has placed renewed focus on the issue of information security, and the potential impact and cost of a data breach on involved organisations.

Obviously, a data breach can have substantial financial consequences. Depending on the severity of the GDPR infringement, administrative fines can reach up to €20 million, or 4% of annual global turnover, whichever is higher. Plus, it also leaves you liable to pay damages to individuals or businesses as a result of the breach. 

However, fines are not the only cost to a business; reputational damage can be devastating to long-term viability.

In this article, we’ll take a closer look at the wide-ranging costs that can be incurred in response to a data breach.

Bad PR

It is said that all PR is good PR, but that's not always the case. Data security is intrinsically linked with an individual's sense of personal safety, and any infringement of that will prompt a fiercely negative response from affected individuals. A business's reputation can be destroyed by a data breach incident.

Trust is the foundation of customer loyalty. If that trust is compromised, your business may not be able to recover its former standing.

Loss of Revenue & Company Value

Reputational damage as a result of a GDPR breach will almost inevitably lead to a dip in sales. For service providers, such as lawyers or accountants, a breach can result in a loss of retainers or diminished customer loyalty. Larger corporations may find that their company value takes a hit.

In 2013 and 2014, Yahoo experienced several data breaches, which affected large swathes of customer accounts. At the time, they were in the process of being bought out by Verizon. After the breaches took place, Yahoo’s value was slashed by $300 million, which had a significant impact on its shareholders.

Even a giant like Yahoo is susceptible to the effects of a data breach. For smaller companies, this can be catastrophic.

The Pareto Principle

In business management theory, the Pareto Principle states that 80% of a company’s revenue comes from 20% of its customers. These tend to be long-term client relationships, allowing an organisation to take advantage of regular, repeat business.

If a data breach were to damage the trust of this crucial 20% of customers, which is feasible in such circumstances, it could jeopardise 80% of revenue. This can have a devastating impact on long-term business survival.

Future Business

Small businesses are particularly vulnerable to the long-lasting negative effects of a GDPR breach. They tend to rely on referrals, recommendations, and word-of-mouth marketing. After a data breach, the reputational damage may prove insurmountable.

Don’t forget: if a customer has a positive experience, they will probably tell a handful of people. If they have a negative experience, they will tell everyone they can.

The true cost

Ultimately, the true cost of a data breach to your business may be the business itself. That’s why it’s important to be well-trained in the best practices to protect the personal data you handle. 

Have any questions on how you can avoid a data breach? Check out our Smiley Geeks IT Help Membership from only $69 a month!

Posted on

How Easy It Is To Steal Your Outlook & 365 Password

*This article originally appeared on LinkedIn: How Easy It Is To Steal Your Outlook & 365 Password*

During a penetration testing project, I was working on finding the weak spots in the IT system of the company and finding the best solutions to patch them up.

The client had most of the traditional security solutions, such as firewalls, and external penetration testing was not useful or efficient.

But when we did an internal penetration test, I saw something very disturbing in the way that Outlook works, and how, due to poor design of Outlook’s security warning, it’s easy to obtain a user’s password.

The same method allowed us to obtain the Outlook password outside the company perimeter as well.

It’s quite easy to steal your Outlook & 365 password.

Case study:

Environment:

- Windows 7 Pro computers
  - Tested on Windows 10 Pro as well
- Outlook 2016 connected to Microsoft 365
  - Tested on Outlook 2013 connected to Microsoft 365 as well

Penetration testing:

We used a classic man-in-the-middle attack between the client and the gateway, see Diagram 1.

Diagram 1

Results:

Outlook’s behavior was very problematic. Once we started poisoning the ARP cache, the following prompt (see Prompt 1) was shown to the user:

Prompt 1.

Advanced users who decided to click “View Certificate” saw the following screen (Prompt 2):

Prompt 2.

The “injected certificate” is an outlook.com certificate which is not trusted, but to most users outlook.com is “good enough”.

Most users didn’t give this small prompt a lot of thought and pressed YES to proceed:

This caused Outlook to send information over a non-encrypted channel, and any sniffing tool instantly showed us the Outlook password (which is also the user’s main Active Directory computer/domain login).

This exercise was done within the company network. Later we decided to follow one of the users to a meeting at a coffee shop, where they connected to a public Wi-Fi that we had also joined, and we managed to do the same process outside the company perimeter.
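As an added example, not part of the original article, here is defender-side detection logic in Python for the ARP poisoning stage described above: it reads tcpdump-style ARP reply lines and flags the gateway’s MAC changing, or one MAC answering for both the gateway and another host. The addresses and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP reply lines (not a real capture): the gateway
# 192.0.2.1 announces itself, two hosts answer normally, then the host at
# 02:00:00:00:00:21 starts answering for the gateway and for its neighbour.
SAMPLE_ARP_LOG = """\
10:00:01.000 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 28
10:00:02.000 ARP, Reply 192.0.2.20 is-at 02:00:00:00:00:20, length 28
10:00:03.000 ARP, Reply 192.0.2.21 is-at 02:00:00:00:00:21, length 28
10:00:04.000 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:21, length 28
10:00:05.000 ARP, Reply 192.0.2.20 is-at 02:00:00:00:00:21, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+(?:\.\d+){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

def parse_arp_replies(log_text):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()

def detect_arp_poisoning(log_text, gateway_ip, baseline=None):
    """Return alert dicts for two symptoms of the client/gateway MITM:
    1. an IP (most importantly the gateway) is announced with a MAC that differs
       from the baseline or from the first MAC seen for it;
    2. one MAC answers for the gateway and for at least one other host.
    baseline is an optional {ip: mac} map taken from inventory or DHCP leases."""
    known = dict(baseline or {})        # ip -> trusted MAC
    ips_per_mac = defaultdict(set)      # mac -> every IP it has claimed
    flagged = set()                     # MACs already reported for symptom 2
    alerts = []
    for ts, ip, mac in parse_arp_replies(log_text):
        expected = known.setdefault(ip, mac)
        if expected != mac:
            alerts.append({"time": ts, "reason": "mac-changed", "ip": ip,
                           "expected": expected, "seen": mac,
                           "severity": "HIGH" if ip == gateway_ip else "MEDIUM"})
        ips_per_mac[mac].add(ip)
        if gateway_ip in ips_per_mac[mac] and len(ips_per_mac[mac]) > 1 and mac not in flagged:
            flagged.add(mac)
            alerts.append({"time": ts, "reason": "mac-claims-gateway-and-host", "mac": mac,
                           "ips": sorted(ips_per_mac[mac]), "severity": "HIGH"})
    return alerts
```

In practice the gateway entry in `baseline` should come from inventory rather than from the first reply seen, otherwise a poisoner that is already active when monitoring starts is learnt as the trusted MAC.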

Analysis:

1. Outlook’s security prompt is very small, hardly noticeable, not alarming, and doesn’t convey the severity of the issue

  • Compare it with the prompt Google Chrome provides when you try to send information over a non-encrypted connection – Chrome’s prompt is “scary” and makes users stop and think

2. Most users don’t understand the security prompt at all

3. Most users will automatically press Yes on this prompt to continue working

Is it a user behavior error? No! The security prompt is so poorly presented that only IT users can be expected to understand the severity.

Resolving the issue:

1. We implemented a GPO setting that doesn’t allow Outlook to work over a non-secure layer at all

2. We did user awareness cyber security training to show the users how risky this little prompt is.

3. We reported this vulnerability to Microsoft – Microsoft responded that it isn’t a real vulnerability because the user gets a prompt! I think the prompt itself is not designed correctly and leaves a big room for user error.

How to protect your Outlook against this type of attack:

We cover protecting yourself in our next article, How To Protect Your Password From Hackers.

Written by Eli Migdal, CEO of TowerWatch Solutions Ltd (UK) and founder of Migdal Computing Solutions Ltd (Israel)

Have more questions? Check out our Smiley Geeks IT Help Membership from only $69 a month!