Raise a Security Concern topics

File Sharing Email Scam - Multi Factor Authentication will help to protect you

IndikaWimalasiri — Fri, 28 Feb 2020 05:14:33 GMT

Dear Members,

Legal Practitioners Liability Committee (LPLC) recently published an article about an ongoing fraudulent document sharing email circulating among the legal community. They are essentially looking to steal your credentials to login to your email accounts by tricking you to click on a link. Highly recommend you are taking time to read the publication to increase your awareness and your staff on this matter.

This is a great reminder to implement two factor authentication on your email accounts (for that matter on all the online services you use where 2 factor authentication is offered) which will significantly reduce the risk of falling in to this type of scams.

Access to the LPLC article below or browsing to the LPC website.

FILE SHARING EMAIL SCAM – MULTI-FACTOR AUTHENTICATION WILL HELP PROTECT YOU

Few quick actions you can take to increase your cybersecurity awareness,

1.Take time to assess your online presence and enable two factor authentication on applications

2. Share the LPLC article with your staff and your colleagues in the industry to increase the awareness

3. Print the PDF in the article and leave them where everyone can see them. Example - on a common wall.

4.Generate and build a cyber risk aware culture by creating space for your staff to learn and stay safe about cyber risks and threats.

Thank you

(LPLC) Beware the risk that your clients email may have been compromised

DavidWillett — Thu, 20 Feb 2020 00:02:43 GMT

Hello

The Legal Practitioners Liability Committee has recently posted an insightful article that details a use case of email compromise leading to funds being transferred to a fraudster.

Be alert and get to know the warning signs that your client may have been compromised. A request to change account details at the last minute? This should always be followed up with a phone call to confirm it is legitimate.

Take a look at the LPLC article here to learn more!

Phishing Email Notification

IndikaWimalasiri — Tue, 18 Feb 2020 22:09:18 GMT

Dear members,

We are aware of an email phishing attempt targeting PEXA members, asking about the "PEXA Residential Seller Guarantee". Please be vigilant for similar emails and take time to validate before taking any action within emails. I have attached a sample email a member received on 12 February 2020 for your reference.

If you come across any or similar email notifications, please don't click on any links, inform your PDS/PEXA Partner and forward it to security@pexa.com.au.

----------------------------------

Phishing email capture below

End of image.

----------------------------------

Thank you.

PEXA Security Team

Reduce your risk of falling victim to cyber attacks

IndikaWimalasiri — Thu, 20 Feb 2020 03:36:44 GMT

Staying safe online has never been more important for individuals and business’ worldwide. In 2018 alone, Australian businesses lost more than $60 million to e-mail scams. It is also estimated that by the end of 2019, cyber-scam losses will exceed $532 million, surpassing half a billion dollars for the first time.

Understandably, it can be difficult to know where to begin to ensure you’re taking the appropriate steps to avoid falling victim to cybercrime. First, it’s important to get the basics right. Below is a checklist of 12 initial steps that you and your business can take to boost your safety while online.

Anti-Virus — As your first line of defence, ensure you have antivirus protection on all of your devices, including mobile devices.
Two Factor Authentication(2FA) for e-mail — Most email providers, such as Google and Hotmail, provide 2FA to protect user accounts. This significantly reduces the threat of intrusion by a hacker if your password is compromised, as your account is secured by an additional layer of protection (the passcode that you receive through SMS or the mobile app).
PEXA members must use Multi-factor authentication (MFA) to access the platform, providing an extra layer of security when logging into your account.
(Note: It is recommended to use an app-based security PIN generator for 2FA, such as Google Authenticator, rather than SMS).
Phishing — E-mail phishing is the number one avenue used in cybercrime. The typical phishing email will contain a false and/or mimicked story designed to lure you into taking an action such as clicking a link or button in the email or calling a phone number. Learn how to identify a phishing e-mail with the help of this interactive tool.
Password — Do not use the same passwords on multiple systems. If your password is compromised, then hackers can access all of your other services as well. Use a password manager to maintain your varying passwords or pin codes.
Additionally, instead of passwords, use passphrases. Passphrases can be a minimum of three words combined that are easy to remember with numbers and special characters e.g. UniverseAthletic4!
Use host-based firewalls — Both Windows and Apple OS offer firewall capability. These are not difficult to set up and easy to follow help videos are easily found online.
Update operating systems and applications — Operating systems (OS) and application vendors frequently release security updates to address vulnerabilities. We highly recommend you have automatic updates enabled so it all happens in the background without waiting for your intervention.
Review applications — Spend 5-10 minutes inspecting your system and applications. If there are unwanted applications in your program list, uninstall them. This is because third party apps can contain vulnerabilities that hackers may then exploit.
Email Rules — Email providers offer the capability to create rules. If your email is compromised, there is a possibility that the hacker created rules in your email system to forward mail to a hacker managed email account without you knowing it. Go in to the e-mail rules section of your account and make sure that only the rules you’ve created are present. We recommend you complete this action at least once per month.
If you find that there are rules you have not created, delete these rules before immediately changing your password.
Back-up — Backing up all of your data is paramount. Ensure your back up solution is on a separate device and is accessible if you cannot or are denied access to your files’ original location.
Removable Storage — Do you use removable media such as USB drives? If yes, we recommend using a Cloud file storage instead, as removable media is easily corrupted or infected with malware.
Browser Security — There are a few important tips to remember here, including:
a. Do not save password/passphrases on browsers
b. Frequently update your web browsers
c. Lookout for duplicate or unsecure web pages
Social Media and App Privacy/Security settings – Do you use your social media, such as Facebook, to access third party services? If so, we highly recommend you review the privacy settings on your social media apps to determine what it has access to. Again, 2FA is your friend here. Other privacy tips include:

a. Check settings to ensure you're not providing unnecessary access to your information to apps you've installed.

b. Switch off Bluetooth when it’s not being used.

c. Do not connect to Free Wi-Fi access points no matter how secure it claims to be. If you have no option, then use a VPN service to secure your communications.

d. Don’t let others including family members, use your device without your supervision. They may unknowingly click on links and pop-ups which will expose your device to the hackers. Where possible use parental controls.

Finally, maintain your cyber security awareness. A great place to refer to is the Australian governments’ Staysmartonline resource and, of course, PEXA’s dedicated security page on the e-Conveyancing Community.

Indika Wimalasiri

FAQs | Microsoft to cease Windows 7 support by January 2020

Jarrod_McAleese — Fri, 06 Dec 2019 05:05:08 GMT

Hi Community,

Microsoft has announced that support for Windows 7 will end on 14 January 2020. Its notice to consumers can be accessed here.

Following this milestone, key software updates from Microsoft will no longer be released for Windows 7. Users who continue to use this operating system, or other unsupported operated systems, place their IT security at risk.

Updating your operating system to supported software is important best practice to ensure your business is suitably protected.

In order to comply with the PEXA Subscriber Security Policy, Windows 7 users will need to upgrade to a supported operating system, such as Windows 10, as soon as possible.

To help you navigate this change, we’ve compiled the below FAQ thread.

Why is Windows 7 no longer being supported by Microsoft?: Microsoft’s notice to users can be accessed here.

Why is it important to not use unsupported software?

Unsupported software will not receive updates or security fixes which are vital in maintaining your system’s security. This leaves your system vulnerable to hackers who actively target unsupported systems.

In addition, as per your obligations as stated in the PEXA Subscriber Security Policy: ‘Subscribers are required to maintain the security of their computer systems and keep them up to date, including taking reasonable steps to install patches and operating system updates’.

When using unsupported software, this obligation can no longer be met as these products are not supported. In addition, running unsupported software may impact performance when using the PEXA platform, including your signing capabilities.

What software, other than Windows 7, is no longer supported?

The below software is no longer supported by Windows and Apple:

Windows XP
Windows Vista
Mac OS X (Snow Leopard)
Mac OS X (Mavericks)
Mac OS X (Yosemite)
Mac OS X (El Capitan)

How can I upgrade my software?

It is advised to upgrade directly to a supported operating system, such as Windows 10. Windows 10 can be purchased from the Microsoft Store or from leading technology retailers.

PEXA also recommends reaching out to your IT professional or industry body to assist you with this upgrade.

Other helpful links:

Upgrading FAQs

https://support.microsoft.com/en-au/help/12435/windows-10-upgrade-faq

Windows Vista end of support

https://support.microsoft.com/en-au/help/22882/windows-vista-end-of-support

How to upgrade (macOS)

https://www.apple.com/au/macos/how-to-upgrade/

A web browser, the internet, and PEXA walk into a bar...

wesleylacy — Wed, 16 Oct 2019 04:34:36 GMT

While at the bar the web browser asks the internet to talk to PEXA. The internet says, “sure, web browser not a problem, but first you must tell PEXA who you are.”

The web browser responds, “tell PEXA I am

Mozilla/5.02520(Macintosh;2520Intel2520Mac2520OS2520X252010_13_6)2520AppleWebKit/537.362520(KHTML,2520like2520Gecko)2520Chrome/61.0.3163.1002520Safari/537.36”

Not much of a punchline I know, but it’s an important part of how your web browser (such as Google Chrome or Mozilla Firefox) connects to PEXA. The web browser’s description of itself in this case is actually called a ‘user agent’. 

What is a user agent?

The short version is that it’s a line of text that tells PEXA (and other services you access on the internet) which browsers and operating systems are being used to connect to them. E.g. Mozilla Firefox or Google Chrome.

Recently PEXA identified which browsers, and versions of these browsers, were connecting to PEXA for the month of August and we found some interesting results. The majority of our members are connecting to PEXA with up-to-date web browsers however there is a small percentage connecting with outdated browsers, some dating back to 2013.

How do I update my web browser?

Like any software, web browsers are constantly being updated with patches and other updates. They commonly include updates to important security features which are pivotal to staying safe on the internet, especially when using platforms like PEXA to manage your client’s information.

How can you address this?

If you are one of the few that are using an outdated web browser, it’s time to update! By updating your browser, you are one step closer to having a more secure system.

If you are using Google Chrome as your web browser, you can follow this link

https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop&hl=en

If you are using Mozilla Firefox as your web browser, you can follow this link

https://support.mozilla.org/en-US/kb/update-firefox-latest-release

For users using Microsoft Edge and Internet Explorer, Windows updates will update the browser when the Operating system updates are installed

Why does Community need 3rd party trackers to operate full capacity?

DMc — Mon, 22 Jul 2019 04:56:58 GMT

Why is it needed to allow these 3rd party trackers for posting and liking?

merely curious since not really discussed anywhere...

un-hackable network.

DMc — Wed, 20 Feb 2019 05:30:35 GMT

Is this a unicorn?

https://www.dailymail.co.uk/sciencetech/article-4727572/China-launching-unhackable-computer-network.html

Overseas login to PEXA

SRJ — Mon, 09 Apr 2018 00:57:07 GMT

I am going on leave for 2 weeks and have 2 PEXA settlements due while I am away. Is there any limitation on logging in to PEXA from an overseas location? I ask because some sites, such as ASIC, will not allow login from outside Australia.

Obviously I need to take my Licence key with me, but is there any other issue you can think of?

PEXA Digital Certificate Software not correctly digitally signed

Andrew_GC — Wed, 05 Sep 2018 12:10:15 GMT

PEXA's digitial certificate software download is signed with a certificate issued to 'pexa.net.au'. Why should anyone trust software signed by a website? Especially one that is not in use? It is trivial to register website names, and numerous 'pexa.' domains are available for registration now by anyone. How are we to discern whether pexa.net.au is actually owned by the Property Exchange Australia Limited? How then, are we to determine whether to trust the signer and install this software?

The software should be signed with a certificate issued to PROPERTY EXCHANGE AUSTRALIA LIMITED.

Surely PEXA does not think that users should ignore incorrect security certification of its software? Or that we should trust anything with 'PEXA' in it somewhere? This is EXACTLY how fake (malicious) software is promulgated.

Here is a snip of what the digital signatures look like on correctly signed software by two other well known software companies (left hand side) and on the right-hand side, a snip of the PEXA software signature. (Red markup added by me for emphasis)

I posted about this in the general forum section, but received no response.