Author Archives: Graham CLULEY

Smashing Security #108: Hoaxes, Huawei and chatbots – with Mikko Hyppönen

The curious case of George Duke-Cohan, Huawei’s CFO finds herself in hot water, and the crazy world of mobile phone mental health apps.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guests Mikko Hyppönen from F-Secure and technology journalist Geoff White.

Malicious Chrome extension which sloppily spied on academics believed to originate from North Korea

Computer users are being reminded once again to take care over the browser extensions they install after security experts discovered a hacking campaign that has been targeting academic institutions since at least May 2018.

The post Malicious Chrome extension which sloppily spied on academics believed to originate from North Korea appeared first on The State of Security.

Smashing Security #107: Sextorting the US army, and a Touch ID scam

Fitness apps exploit TouchID through a sneaky user interface trick, tech giants claim to have a plan to banish passwords, and you won’t believe who was behind a sextortion scam that targeted over 400 members of the US military.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by ferret-loving ethical hacker Zoë Rose.

Digitize and automate your customer agreement process for financial transactions. Download this free OneSpan guide.

Graham Cluley Security News is sponsored this week by the folks at OneSpan. Thanks to the great team there for their support!

More than 10,000 customers in 100 countries rely on OneSpan to secure access, manage identities, verify transactions, simplify document signing and protect high value assets and systems.

OneSpan is now giving you the chance to download its Financial Agreement Automation RFP Guide for Account Opening, Digital Lending and Leasing Automation.

Trillions of dollars in financial transactions are processed each year. These include credit agreements, loans, new account openings, mortgages, pensions and annuities.

Today’s customer is looking for speed, ease and convenience. To meet these demands, financial institutions must offer fully digital experiences.

This guide is for financial institutions evaluating technology for agreement automation.

Agreement automation refers to the digitization of the customer agreement process for financial transactions – including application data validation, digital identity verification, agreement signing and storage, and audit trail capture.

This guide will assist you in:

  • Determining your agreement automation requirement
  • Deciding which stakeholders to involve in the RFP process
  • Developing RFP questions (14 pages of sample RFP questions provided)
  • Evaluating options for implementation

Download your copy of OneSpan’s guide now.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Smashing Security #106: Google Maps, Fed phishing, and Grinch bots

How are scammers stealing your money through Google Maps? Why did the FBI create a fake FedEx website? And how are US senators hoping to stop Grinch bots ruining Christmas?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

And don’t miss our special bonus interview about passwords with Rachael Stockton of LastPass.

School district fails to reclaim $120,000 wired by bank to scammer

A school district in Indiana which had $120,000 transferred from its bank account after its email account was hacked has failed in its attempt to reclaim the cash, after a court dismissed its lawsuit.

The problems for Lake Ridge Schools began on October 12 2016, when money earmarked for part of a seven million dollar construction project for an athletics complex at Calumet New Tech High School was fraudulently wired to parties unknown.

The email account of a business manager tasked with signing off payment requests had been hacked, and a request was made to the BNY Mellon banking giant, asking it to transfer $120,882.83 to several people listed as contractors on the project.

At the time, the school district’s business manager was on vacation – a fact known to BNY Mellon, as it had received an automated out-of-office email notification a few days earlier.

In addition, according to the lawsuit filed by Lake Ridge Schools, the payment request was different from those made previously – it was presented in a different font, contained some suspicious pixellation, and unlike past payments was a request for a wire transfer rather than a check.

And it’s not as though BNY Mellon wasn’t making any attempt at all to verify the payment requests it received via email from the school district’s email account. The first attempted fraudulent payment made by the email hacker was rejected, and had to be reissued the next day.

As media reports recount (https://www.chicagotribune.com/suburbs/post-tribune/news/ct-ptb-lake-ridge-lawsuit-st-1127-story.html), the fraud was only discovered when the bank received a second payment request on October 18 2016, asking for more money to be moved. On that second occasion the bogus transfer request was intercepted by the bank before any more money could be stolen.

Remember – unlike a lot of the tales of business email compromise hitting the headlines this year, this is not the case of an employee being duped into believing their boss is ordering them to wire money to a supplier, or a bogus invoice that has been emailed into the accounts department.

This is a scenario where hackers have hijacked the email account of a member of the organisation authorised to approve payments, and then ordered the bank to wire the money to the criminals. Other than having an employee’s email account hacked in the first place, no member of staff has been duped.

In the opinion of Lake Ridge Schools, it was the bank’s fault that such a large amount of money had been fraudulently wired on the first occasion to criminals believed to be based off-shore and out of the reach of the authorities. Their opinion was that the bank should have been more diligent, and checked with the school district (presumably using a method other than email) that the payment request was genuine.

That was not a view shared by US District Court Judge Theresa Springmann, however, who dismissed the school district’s lawsuit and said that the bank was not responsible for the loss under its contract.

According to the judge, the lawsuit from Lake Ridge Schools failed to demonstrate that BNY Mellon had been negligent or committed misconduct by not spotting the payment request was fraudulent.

The agreement between the school district and bank asserted that the district’s building corporation assumed “all risks” and that the bank was unable to “determine the identity of the actual sender of such instructions.”

This opinion falls on deaf ears for the likes of school superintendent Sharon Johnson-Shirley, who still believes that BNY Mellon should have reimbursed the district:

“They are the largest bank in the world and they are insured. I cannot believe they fought me nail and tooth. What can we do? We don’t have money to continue to fight them.”

There is perhaps an important lesson for all of us here.

It has become more and more common for people and companies to lose money due to online fraud, and it is not uncommon for banks to recompense us for our losses, with a mind to keeping our business and avoiding unsympathetic headlines.

Those days are numbered. As fraudsters steal ever larger amounts of money through techniques such as business email compromise, we shouldn’t be surprised to find banks increasingly unwilling to accept responsibility for what goes wrong.

Now is a good time to put proper processes and technology in place to ensure that only authorised staff are able to authorise payments, and crucially that they have a reliable way of authenticating their identity to the banks wiring the money.

Smashing Security #105: Facebook, Nietzsche, Tesla, and Nicole

Tesla takes customer service a step too far, is it a romantic gesture or stalking when you email 246 women called Nicole, and Carole finds herself in a Facebook dilemma.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Jessica Barker.

Unlock the power of threat intelligence with this practical guide. Get your free copy now

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support!

At Recorded Future, we believe every security team can benefit from threat intelligence. That’s why we’ve published “The Threat Intelligence Handbook.”

It’s aimed at helping security professionals realize the advantages of threat intelligence by offering practical steps for applying threat intelligence in any organization.

Download your free copy now.

About Recorded Future

Recorded Future delivers the only complete threat intelligence solution powered by patented machine learning to lower risk. We empower organizations to reveal unknown threats before they impact business, and enable teams to respond to alerts 10 times faster. To supercharge the efforts of security teams, our technology automatically collects and analyzes intelligence from technical, open web, and dark web sources and aggregates customer-proprietary data. Recorded Future delivers more context than threat feeds, updates in real time so intelligence stays relevant, and centralizes information ready for human analysis, collaboration, and integration with security technologies. 91 percent of the Fortune 100 use Recorded Future.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Smashing Security #104: The world’s most evil phishing test, and cyborgs in the workplace

Does your employer want to turn you into a cyborg? Was this phishing test devised by an evil genius? And how did a cinema chain get scammed out of millions, time and time again…?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Scott Helme.

Apple says nothing as Apple ID accounts mysteriously locked down

Has someone been trying to hack into a large number of Apple ID accounts?

That’s one of the theories circulating after a significant number of iPhone owners woke up on Tuesday to discover that their handsets were displaying a message saying that their Apple ID had been locked.

All the indications are that Apple locked the accounts of an unknown number of customers, kicking them out of iCloud, iMessage, Apple Music, Apple TV and other services and – in some cases – demanding that they verify their identity to regain access.

As 9to5Mac reports, criticism has spilled out onto social media as frustrated users complained to Apple that their attempts to regain access resulted in failure.

Apple, typically, has been unforthcoming about why so many accounts appear to have been locked.

Of course, that hasn’t stopped people from speculating. Theories include that perhaps the problem lies at Apple’s end: a bug in the code which decides whether an account should be locked is triggering lockouts where they are not appropriate, or its systems are failing to let users correctly verify their identity.

Another possibility is that the company has seen a spike in attempts to access accounts, perhaps using passwords gleaned from other online data breaches. Such leaks on other sites can pose a risk to Apple users if they had made the mistake of reusing passwords across multiple services.

Some locked out users, however, assert that the passwords they use to protect their iCloud accounts were not being used anywhere else on the net.

A further possibility is that Apple is simply proactively trying to protect users who it believes may be at risk of having their accounts breached. Apple, after all, does not know what password you have chosen to use on other websites (unless it also has access to a breached database), but if it is concerned that you *might* be amongst those who may have made a poor password choice, it’s not utterly impossible to imagine that they might take steps to ensure users have reset passwords rather than risk headlines of thousands of breached Apple accounts…

It should be noted that the risk associated with your Apple ID password falling into the wrong hands can be significantly reduced by adding the additional security layer of two-factor authentication (2FA) to your Apple ID account.

The nice thing about having 2FA protecting your Apple ID account is not only that it may prevent an unauthorised party from gaining access, but also that you will receive a warning of an attempt to break in.

For its part, in the immediate aftermath of the lockouts, Apple’s support team is pointing affected users to a knowledgebase article which describes actions users can take if they find their account is locked or disabled.

That won’t tell you why your account has been disabled, or what the security alert was about, but it does at least give you the steps you are normally required to take to regain access.

Meanwhile the rest of us will wait with interest to see if there is any official announcement from Apple – after all, we’re still in the dark as to whether there was a genuine security-related reason for users to have their accounts locked, or whether this was a problem with Apple’s systems.

FIDO2: The Passwordless web is coming, says OneSpan

Graham Cluley Security News is sponsored this week by the folks at OneSpan. Thanks to the great team there for their support!

More than 10,000 customers in 100 countries rely on OneSpan to secure access, manage identities, verify transactions, simplify document signing and protect high value assets and systems.

Often, the first hurdle in customer engagement is the login password. Not only is creating and managing passwords a major annoyance, the login password is also notoriously vulnerable to data breaches.

FIDO authentication solves this problem by replacing the traditional password with strong authentication options ranging from biometrics to software and hardware tokens.

In essence, FIDO authentication offers an interoperable and standardized ecosystem of authenticators for use with mobile and online applications. It enables organizations to deploy strong authentication for login and transaction validation, without the incremental cost of in-house development.

Recently, the FIDO Alliance (Fast Identity Online) announced the availability of its FIDO2 protocol. Read more on the OneSpan blog and discover:

  • What FIDO2 is
  • How it impacts the traditional login and password
  • Why financial institutions (FIs) should pay attention

To learn more, make sure to check out the full article on the OneSpan blog.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Chinese headmaster fired after setting up his own secret cryptomining rig at school

A Chinese headmaster has lost his job after it was discovered he was stealing the school’s electricity to power a secret cryptocurrency-mining rig.

As the South China Morning Post reports, Lei Hua, the head teacher of a school in the central province of Hunan, built a stack of eight servers that run day and night, mining for the Ethereum cryptocurrency.

According to the report, Lei paid 10,000 yuan (approximately US $1400) in June 2017 to buy his first cryptomining machine, which he set up at his home.

However, the headmaster soon discovered that his activities were consuming a significant amount of electricity – 21 kWh per day – and in an attempt to save himself money, Lei is said to have relocated the machine to his school’s computer room, where it was soon joined by more mining machines.

Astonishingly, the school’s deputy headmaster is also said to have joined the scheme, buying a mining machine with Lei’s help that also gobbled up the school’s power supply.

In all, a total of eight cryptomining machines were installed in the school between mid-2017 and the summer of 2018.

After one year, an electricity bill of 14,700 yuan (US $2120) had been racked up, causing a school employee to raise a concern with the headmaster about why the school might be using so much electricity. Lei, however, dismissed the question and blamed the increased bill on the cost of air conditioning and heaters.

It was only when fellow teachers at the school became suspicious of the continual sound of whirring computers that the rig of eight cryptomining devices was identified.

Both Lei and his deputy headmaster have had their cryptocurrency earnings seized by the authorities, although it is not known how much they might have earnt through their clandestine operation. Lei was dismissed last month, according to reports, and his deputy given an official warning.

It’s an amusing story, but there are genuine concerns for other organisations here.

The cryptocurrency ‘gold rush’ has encouraged many people to break rules and even the law, motivated by the dream of earning themselves a fortune.

We’ve often seen this exhibited through the use of cryptomining malware impacting internet-connected PCs, but it’s equally an issue inside companies and organisations where staff might be tempted to sneak in a few computers to mine away under a desk, or in a seldom-visited server room.

Perhaps the most notorious example of this was the arrest earlier this year of a group of Russian nuclear scientists, who hijacked their own supercomputer at a top-secret nuclear weapon facility to allegedly mine for cryptocurrencies.

With the huge amount of energy and great computational power required to mine cryptocurrencies, having a supercomputer at your disposal gives you something of an advantage. Especially when someone else is paying for the electricity…

Organisations need to keep a close eye on what is happening on their network, and whether someone might have sneaked in additional computing equipment for their own purposes without permission.

After all, if you don’t have tight control over what is running in your organisation, you might have more problems than just a high electricity bill.

Smashing Security #103: An Instagram nightmare, crazy iPhone deaths, and election hack claims

One travel blogger finds you don’t have to be Kylie Jenner to be targeted by an Instagram hacker. When 40 iPhones at a hospital mysteriously die, what could be the explanation? And, surprise surprise, political parties in the USA are throwing around hacking accusations.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Naked Security’s Mark Stockley.

Police crack encrypted chat service IronChat and read 258,000 messages from suspected criminals

Dutch police have revealed that they were able to spy on the communications of more than 100 suspected criminals, watching live as over a quarter of a million chat messages were exchanged.

The encrypted messages were sent using IronChat, a supposedly secure encrypted messaging service available on BlackBox IronPhones.

The website of Blackbox Security used to prominently boast a quote from a certain Edward Snowden:

“I use PGP to say hi and hello but use IronChat(OTR) to have a serious conversation”

You won’t see that quote on Blackbox Security’s website today, though, as its server has been seized by Dutch law enforcement.

Criminals were amongst those who purchased the IronPhones, and used the IronChat app to communicate openly about their activities, believing that they were safe, having paid US $1500 for a six-month subscription to the service. What they did not realise was that the app had been compromised by police.

Police haven’t described how they made the breakthrough of managing to crack the IronChat system, and snoop upon encrypted messages, but the suspicion will be that the encrypted chat app had a weakness – such as its reliance on a central server.

In a statement, police in the Netherlands explained that as a result of their surveillance, law enforcement agencies have seized automatic weapons, large quantities of hard drugs (MDMA and cocaine), 90,000 Euros in cash, and dismantled a drugs lab.

In addition, a number of suspects are also said to have already been arrested, with multiple searches taking place in various locations around the country.

“This operation has given us a unique insight into the criminal world in which people communicated openly about crimes,” said Aart Garssen, Head of the Regional Crime Investigation Unit in the east of the Netherlands.

Police only decided to shut down the service after they became aware that criminals were beginning to suspect each other of leaking information to the police, introducing a very real risk that there could be a threat to individuals’ safety. For this same reason, Dutch authorities decided to go public about their access to the chat system at a press conference.

The owner of Blackbox Security, a 46-year-old man from Lingewaard, and his partner, a 52-year-old man from Boxtel, have been arrested on suspicion of money laundering and participation in a criminal organisation. Their homes and company premises have also been searched.

Take this short Recorded Future survey to assess your organization’s threat intelligence maturity

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support!

Recorded Future believes that every security team can benefit from threat intelligence. That’s why it has launched its new Threat Intelligence Grader — so you can quickly assess your organization’s threat intelligence maturity and get best practices for improving it.

Recorded Future delivers the only complete threat intelligence solution powered by patented machine learning to lower risk. It empowers organizations to reveal unknown threats before they impact business, and enables teams to respond to alerts 10 times faster.

To supercharge the efforts of security teams, Recorded Future’s technology automatically collects and analyzes intelligence from technical, open web, and dark web sources and aggregates customer-proprietary data. Recorded Future delivers more context than threat feeds, updates in real time so intelligence stays relevant, and centralizes information ready for human analysis, collaboration, and integration with security technologies.

91 percent of the Fortune 100 use Recorded Future.

Try out Recorded Future’s Threat Intelligence Grader for yourself now!


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

Smashing Security #102: Ethical dilemmas, Girl Scouts, and porn-loving US officials

Who deserves to die in a driverless car crash? Who has been sniffing around the Girl Scouts’ email account? And just how long would it take for a geologist to visit 9,000 adult web pages?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by journalist and “Friends” fan Dan Raywood.