About IndikaWimalasiri

  The threat of cyber-attacks are real but there is something you can do about it.      The Australian Government’s Cyber Security Center has released a critical security advisory to individuals and business organizations using older versions of Microsoft Windows operating systems (Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008) to apply security update/upgrade to newer operating system version to avoid being compromised for the vulnerability named as “Bluekeep”.   What is Bluekeep ? Bluekeep is a vulnerability in the Windows operating system’s Remote Desktop Protocol (RDP – service use to connect to another computer/network remotely) which allows an attacker to execute commands to compromise your computer. BlueKeep exploit has the potential to spread in a virus fashion and self-replicate without requiring any user interaction.   An unpatched system gives criminals a front door to break into your computer or network and steal your corporate and customer information. The threat of cyber-attacks are real but there is something you can do about it.   How to protect my systems? It is critical that organisations and individuals operating older versions of Windows systems  immediately install Windows BlueKeep vulnerability patch , available at Microsoft website.   Recommendations   Identify the Computer Systems operating older version of Windows Operating Systems. ( Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008 operating systems) Confirm you have backup of data available if needed. Apply the updates through Windows Update or manually by downloading it from Microsoft website. Reach out to your IT service support team and ask them to address the Bluekeep if not already.   Mitigation activities until patch is applied.   Practice due diligence and be alerted around what happens in your computer. If any unusual activities observed, engage your IT personnel to look in to it. Avoid using Remote Desktop Services from internet. (If needed use it only over a Virtual Private Network and with multi-factor authentication.) Always keep operating systems and application up to date. Backup your data to a secure location. (Cloud storage/offsite volume)   More Info - https://www.cyber.gov.au/news/update-acsc-confirms-potential-exploitation-bluekeep-vulnerability ... View more

What is phishing and different variants attached to it?   An email appears to come from a someone you trust, such as your bank, online store, credit card company or a popular website. At first it all appears normal, but it will try to trick you in to giving away sensitive information, installing malware on your device or open an attachment while indicating an urgency.   Phishing is one of the easiest and very successful avenue for hackers to gain access to your organization's information. Security researchers say more than 90% of the data breaches worldwide are started with a phishing email. For us to defend against this malicious attack type we need to be able to identify the threat as there are multiple variants of methods used by hackers.           Key indicators of a phishing email. What to look for? Article below showcase what you need to look for in an email to make sure it is not part of a phishing campaign. This will help to increase your awareness both in and out of work place.     Thank you.   - Indika Wimalasiri -       ... View more

Con artists have been constant figures throughout our society’s evolution. From ‘short-cons’, like the Three-Card Monte to ‘long-cons’, when Victor Lustig sold the Eiffel Tower as scrap metal back in 1925. They use their smarts and charisma to gain the trust of unexpectant victims, all for financial gain. Over the past 20-30 years, the world has evolved dramatically, with advances in technology taking precedence. This has given rise to the modern-day con artist; hackers or cyber-criminals. Since the emergence of e-mail, it has been one of the most prominent and successful mediums for fraud world-wide, including the conveyancing industry; as an entry way to more elaborate scams. For us, the every-day person, employee or business owner, it is essential that we are aware of the real risks of cyber-crime. The following scenario is one example of a hacker at large, trying to ‘con’ their way into the conveyancing industry with a duplicate website.   The Hacker Elliot has been dabbling in cyber-crime for some time. It’s quite a lucrative career – if you know what you’re doing – which he and his team do. He is involved in penetrating computer systems, collecting passwords and then selling them to other cyber-criminals for profit.  However, this time, Elliott decided to do something more elaborate than simply selling these credentials.   “One of these usernames and passwords has landed me a gold-mine. I noticed a few ‘PEXA’ e-mails in this person’s inbox. I did my research and figured it could be a big win for the team. The username and password I have doesn’t match his PEXA account, but I have another way in. The team and I set about duplicating the PEXA login page. In the end it looked almost identical to the original and we placed it on a hosting service based in Belize. Next step, we sent the link via a duplicate PEXA e-mail and waited for our victim, Barry, to enter his details into the fake website. Once we capture his credentials, we’ll have easy access to his account, and his client’s money! The Victim Barry’s firm keeps its staff up-to-date with the latest cyber-security trends. They complete security awareness training to maintain the firm's security posture and the integrity of its service. Barry considers himself to be security-savvy, so he had no worries that morning when he opened his inbox.   “I scrolled through my e-mails and noticed a PEXA workspace notification which I opened straight away. I have a million-dollar settlement today and want it to go smoothly. I clicked on the link in the e-mail and instantly thought twice about my decision – it’s unusual for any company to send you a link to their login page. However, the PEXA login page looks legitimate. Although, before I progress any further, I’d better ensure the web page is secure… I look up at the address bar to check for a padlock symbol – no joy. Instead there’s a red triangle with a white exclamation mark inside. Next, I check the URL begins with ‘https’. It didn’t - Oh no! I exit the page immediately and sigh a breath of relief that I hadn’t entered my credentials into the page. I’d better let PEXA know, other practitioners might not check the website’s security level…”   The Hacker On the other side of the world, Elliot checks if Barry has fallen for his scam.   “It looks like Barry is more tech-savvy than we expected. He didn’t enter his details into our fake website. But not to worry, we’ve sent it to multiple others in his industry. Someone is bound to fall for it. Hold on. The website has been removed, Barry must have also informed PEXA. **bleep** it, all that time and money wasted…”  Elliot and his team quickly bounce back from their failed website scam and start planning their next con. “We didn’t fool them this time, but wait until they see what else we have up our sleeves…”       To learn more about how to identify duplicate websites, please refer to the article " How to identify duplicate or unsafe websites"   ... View more

It’s important to be aware of how to identify a duplicate or unsafe website. You can easily check the security certificate beside the web address (URL). You’ll see one of the following three symbols.     Tips If a website does not display the first symbol above (padlock), this confirms that it is not secure and everything you do is susceptible to a cyber-attack. We recommend you close the browser without completing any further actions such as inserting your login credentials etc. Check if the address begins with "https” (not "http)". This will be another indicator of a website’s security level. If you see "http", this means that there is no encryption in place, and information you provide on that page is at risk of being seen by unauthorized personnel.   If you’d like more information about website safety or other aspects of cyber security, the Australian Government’s Stay Safe Online website provides practical tips to assist everyone in staying secure while online.    Regards, Indika Wimalasiri (PEXA Security Team) ... View more

Dear PEXA Community, This advisory applies to Microsoft Outlook App installed on Android devices. New vulnerability in the Microsoft Outlook App for Android has been discovered. Attackers could use this vulnerability to gain access to your emails and phone by inviting you to click on a crafted link. Microsoft has released an update to its Outlook app through the Android Google Play Store. PEXA Security advises its members using Outlook app for emails on Android devices to update the app at your earliest window.   How do I get the update for Outlook for Android? 1. Tap the Google Play icon on your home screen. 2. Swipe in from the left edge of the screen. 3. Tap My apps & games. 4. Tap the Update box next to the Outlook app.   Note - Security always recommends keeping your mobile device OS and Apps up to-date by applying updates as soon as they are available.   PEXA Security Team   ... View more

  Dear PEXA Community,   This security vulnerability notice only applies to members using an ASUS branded laptop device.   Security researchers have discovered a critical vulnerability with ASUS laptop computers relating to its “Live Update” software component. Live Update is functionality on ASUS laptop computers that keeps your ASUS laptop software up-to-date .   As a user, you are required to update the “Live Update” software component to Version 3.6.8 or higher at your earliest window to ensure your device is secure.   The article linked below, published by the vendor, outlines the steps you are required follow to make your device secure. To ensure your device is safe please follow the details here.   PEXA recommends you reach out to your IT Support team/provider if you require further assistance in addressing this security issue.   PEXA Security Team ... View more

Dear PEXA Community,   High severity vulnerability has been discovered in the Google Chrome Internet browser. Attackers can use this unpatched vulnerability to steal information from your computer. Google has issued an update to the Chrome Internet browser to address the vulnerability. PEXA Security strongly recommend PEXA members check the version of the Chrome browser used and make sure it is up to date.    Please follow the steps and figure shown below.   Open Chrome browser -> Click on settings -> Help -> Click on “About Google Chrome” Check your version number to make sure it’s 72.0.3626.121 or later.   PEXA Security Team ... View more

This week is # StaySmartOnline Week. The campaign aims to reverse the threat of cyber-crime by empowering people to discuss and own their cyber-security. Over the next few days we’ll be sharing a number of best-practice resources to assist you, here on Community and on PEXA's social channels.   ... View more

Security Advisory   Every now and again we come across security issues that can impact you at home. There is one that is making some noise in the security world. The new virus/malware discovered can infect your home or small business router (the box that connects to the Internet). It’s called “VPNFilter” and the estimated number of infected devices is around 500,000; in at least 54 countries.   Read on to see if this affects your internet box (router/modem) and what to do to protect yourself.           1. How does this affect you? If you have a router/modem from the following companies, it’s suggested you review your vendor’s update steps. Vendor Action to take Telstra No action – Telstra reports that your modem is updated automatically Linksys Follow the vendor directions Netgear Follow the vendor directions MikroTik Follow the vendor directions TP-Link (TP-R600VPN model only) Follow the vendor directions QNAP Systems Follow the vendor directions            2. Can I learn more about the VPNFilter issue? If you would like to get into the details, follow this link (https://blog.talosintelligence.com/2018/05/VPNFilter.html)          3. Is there anything we can do to be secure? A few helpful tips to keep your home devices secure are: Always change the default password. Put a password on your home wireless network. Use a strong password with at least 8 characters, a combination of upper and lower case, include numbers and special characters such as @, #,and !. Use a different password on your PC, to your email, to your work, and so on. Make sure you update your software regularly so that security patching occurs.   If you still have questions, email security@pexa.com.au ... View more

Dear Members,   Below is an example of an actual phishing email for awareness purposes. Please take a moment to look at the pointers to understand how you can be misguided by a hacker. Being on top of this can help you to stay safe online. Remember, one click is all that matters to open the door to whole new level of issues.       Here are few helpful steps and questions to try/ask yourselves before clicking on any suspicious/unknown email. Reputable & legitimate organizations:   Don't request your sensitive information via email - Legitimate organisations do not send you emails asking you to download certain content e.g. utility bills, gift card link etc. or request you to verify your account details by clicking on a link.   Don't call or address you by a common greeting - Most of the time it will not include generic greetings e.g. "PayPal User", unless it’s advisory and openly available information.   Have their own email domains - Don't just look at the person's name sending the email. Check the full email address including the domain to make sure it is actually from the organisation represented, as most of the time they'll have their own domain. Hover your mouse over the email to verify this and make sure there's no additional numbers or special characters attached to the address. If there are, it is most likely a phishing e-mail.    Don't make grammatical errors - Spelling mistakes and bad grammar are key giveaways that it's phishing.   Don’t force you to their website - Most of the phishing emails contain multiple hyperlinks to maximize their chances of you clicking on one of them.   Don't send unsolicited attachments in the emails - Attractive attachment headings are another giveaway that it is a phishing scam. Another common case is utility bills or any other public event happening around the same time. Scammers use these events or news items to grab your attention and potentially to get you click on the links.   Send legitimate URLs - It may look like it is but it may send you somewhere else. Hover your mouse on the link (do not click) to check the link is actually legitimate and does not represent a different suspicious name. Always type the URL into your browser rather than using links on emails if you want to access the website. Don’t trust the email, instead call the sender to validate the request.   I clicked on it... Now what happens?   If you click on a phishing link accidentally, it does certain actions behind the scenes which you cannot see. These actions could be anything from a simple add popup on your screen to a stealing of your personal/customer data. So, if you fall into this category, speak up and seek help by contacting your internal security professionals or IT partners. Sending phishing emails and inviting people to click on these links are by far the most successful way for organisations to experience data breaches.     if you find any phishing/spam material referring to PEXA, please forward it to security@pexa.com.au     ... View more

Dear Members,   Forwarding suspicious emails to security@pexa.com.au   We have made changes to our security configurations when you forward a phishing/suspicious email to PEXA via security@pexa.com.au Previously when you forward an email to security@pexa.com.au with potential malicious content it denied successful delivery and often you would have received a delivery fail/bounce back message. But not any more.... Now you can click the forward button on the actual malicious/phishing email and send directly to us via security@pexa.com.au without the email being blocked.   It is important members forward us the actual email to PEXA instead of trying to send it as PDF or a Screenshot of the email.      Thank You.   PEXA Cyber Security Team       ... View more

How to Spot a Phishing Email    The typical phishing email will contain a concocted story designed to lure you into taking an action such as clicking a link or button in the email or calling a phone number. In an email, there will be links or buttons that take you to a fraudulent website. The fraudulent website will also mimic the appearance of a popular website or company (in this case PEXA). The scam site will present you almost identical login page looks like PEXA waiting for you to login with your actual PEXA login credentials. Where malicious party able to collect your credentials and then they can re-use this to login to PEXA or sell them on the internet. If you felt you have accidentally just did that then your next best option to change the PEXA password immediately.   How to Protect Yourselves? Whenever you get an email about your PEXA account, or a workspace needs action the safest and easiest course of action is to open a new browser, type https://www.pexa.com.au/ OR https://workspaces.pexa.com.au , and log in to your PEXA account directly. Also you can call your known contact which appears to be sent the email to validate. Do not click on any link in an email that requests personal information.   How to report a phishing email ? Follow these steps:   Forward the entire email to security@pexa.com.au .  (Refer to "How to forward a phishing email to PEXA") Do not alter the subject line OR forward the message as an attachment. Delete the suspicious email from your email account. We’ll let you know quickly if the email is legitimate. Your vigilance helps protect other PEXA users.   A genuine PEXA email will never ask you for Credit and debit card numbers      Bank account numbers Driver's license numbers Email addresses Passwords Your full name Further steps to protect you from Phishing   Monitor your PEXA account. Check your account periodically for suspicious activity. If you notice unauthorized use, report it to us. Be smart about your password.Change passwords often and use unique passwords that include letters, numbers, and symbols. Keep security software current. Update your firewalls and security patches frequently.           Below is an identical looking malicious PEXA website.   ---  END --- ... View more

Risky behavior exposing you to data leakage   Here’s an simple opportunity to check whether you’re exposed to data leakage.   Do you find yourself guilty of the following?   I don’t keep my software (apps, browsers, etc.) and my operating system up to date by installing updates as soon as they’re released. I don’t use antivirus and additional layers of security that can protect me against second-generation malware. I don’t pay attention to password security and I reuse passwords. I use public Wi-Fi networks for online banking and online shopping. I frequently share personal details on social media or in emails. I don’t use two-factor authentication. I don’t have anything to hide or nothing valuable that cyber criminals may want. I open emails from unknown senders. (Remember your emails have pretty much the full digital print of your life. You have your Driver’s License, Passport, Bank Account details sent to an authority or another business. Don’t you?) I download and open attachments from unknown senders. I am just a small business and no one is interested in what I do.   This is not meant to be an incriminatory interrogatory, but rather a way to evaluate your own cyber security practices. You may find out that your online safety measures are inadequate, but that doesn’t mean you can’t make a change for the better. ... View more

Dear Community Members,   Staying secure online has never been as challenging as it is today. There is so much at stake as we all embrace more of the digital revolution everywhere around us. Cyber Security has been well thought out from beginning here at PEXA and we're extending some of our handy tips to our members through this space.   Visit the new space created for Online Security in the Help Centre where we collect and publish all our cyber security related materials. Please feel free to browse the content and apply them to your everyday work. We will keep adding materials of interest to keep our the community up to date with Online Security.   Enjoy.     Indika Wimlasiri Senior Security Advisor at PEXA.     ... View more

  Spam and what is it? Spam or spamming is big business and a mechanism criminals use as well as marketing companies to get your attention, or to convince you to click on a malicious link. Spam is the electronic equivalent of junk mail. The term refers to unsolicited, bulk – and often unwanted – email.  See below for a few tips  to reduce the number of spam emails you get.   Enable filters on your email programs Most internet service providers (ISPs) and email providers offer spam filters, however, depending on the level you set, you may end up blocking emails you want. It’s a good idea to occasionally check your junk folder to ensure the filters are working properly.   Report spam Most email clients offer ways to mark an email as spam or report instances of spam. Reporting spam will also help to prevent the messages from being directly delivered to your inbox.   Own your online presence Consider hiding your email address from online profiles and social networking sites or only allowing certain people to view your personal information.   ... View more

        1. MAKE YOUR PASSWORDS STRONG Short and simple passwords might be easy for you to remember, but unfortunately they are also easier for cyber criminals to crack. Strong passwords have a minimum of 10 characters and use a mix of: Uppercase and lowercase letters Numbers Special characters like!, &, and *. # (Using a special character in your password will increase the difficulty of breaking it significantly) Use passphrases Criminals often perform password brute force attacks, in which a computer program tries to guess every possible password combination to match your password. Using passphrases will significantly reduce this attempt.  What is a passphrase? A passphrase is collection of words that is meaningful to you, but not to someone else. For example: "horseswimminghigh#" is 18 characters long. Depending on the systems you access, you may be limited to a defined number of characters.   2. CREATE PASSWORDS HARD TO GUESS   Avoid using personal information such as your children, partner or pets name, favorite football team or date of birth as your password, as they can be easy for others to guess and for computer programs criminals use to guess passwords.  When trying to hack into an online account, cyber criminals start with commonly found words and number combinations. Here are some things to avoid using: Dictionary words A keyboard pattern like qwerty Repeated characters ( ex : aaaaa) Personal information such as your date of birth or driver’s license number   3. CREATE UNIQUE PASSWORDS EVERY TIME If you need to reset a password, don’t just change one part of it. Instead of changing a number at the beginning or end, create something completely new you’ve never used before. Get into the practice of changing your password often, ideally every few months.   4. DON’T SHARE PASSWORDS, EVER. Never share your password with someone, not even with someone you trust or in the family. What if a business or company I know asks for my password? Reputable companies won’t ask you to give them your password over the phone, via emails, or SMS messages. This might be a warning sign of phishing or a scam. PEXA will never ask you for your password or PIN; either by email, SMS, over the phone or at a branch.   5. DO NOT USE SAME PASSWORD FOR ALL THE ACCOUNTS AND SERVICES This is a common mistake a lot of people make. Using different passwords means that if one of your accounts is breached, criminals won’t have access to other accounts that use the same password. If a criminal has access to several of your online accounts, it increases the chance that they may impersonate you to your online friends, or businesses you deal with.   6. STORE PASSWORDS SAFELY As your online presence grows you may have many accounts with different passwords. You can store these passwords in a password manager. There are many password manager apps available. Almost all of these password manager solution allows PIN access method to make it more secure. If a web browser you are visiting asking you to save your password think twice whether you want to do that. This is not a good practice. Do not allow web browser to save your PEXA account passwords.   ... View more

Keep Up to Date with Software and Applications – "Known as Patching"   No matter which phones, tablets, laptops or computers your organisation uses, it’s important they are kept up to date at all times. This is true for both Operating Systems and installed apps or software. Doing so is quick, easy, and free.  Smart Phones/Tablet Manufacturers and developer owners frequently release new updates to their products. The purpose of updates are to update the device with new features and to also fix newly found vulnerabilities. Staying up to date with updates is critical to staying safe online. If you don’t apply these regular patches to you computers, tablets and other smart devices then you are at high risk of being a victim of online scams and frauds. All devices have a limited lifespan. When new updates cease to appear for your hardware or software, you should consider a modern replacement. If you don’t wish to manually update there is an option to set it to “automatic update” which will require no action from you when a new update is available.   Happy Updating ......     ... View more

  Our lives are increasingly dependent on the internet and our digital devices. Digital copy of our lives always lives on these devices. Our personal data is a big business for some organizations. On top of that cyber criminals are increasingly interested in your personal data so they can impersonate you and use your details to carry out illegal activities. This is the main reason why we should think twice and take effective actions to secure our digital devices.   This article provides few tips how you can be on top of this. Set up a password, pass-code, PIN or fingerprint/face-id to lock your devices especially mobile devices. Keep your devices up to date at all time. Think about setting automatic updates. Enable automatic screen lockout after a set period of time. Develop a habit of deleting your web browsing history regularly on your mobile devices and other browsers. Enable remote locking and remote wipe capabilities on your devices. This will greatly help to take action in case you have lost the possession and control of your device. Be vary of public Wi-Fi spots specially the free offers. – Wi-Fi is a great tool for criminals to lure you in to traps so they can get easy access to your data. Switch off your Bluetooth when not used. If you don’t use Bluetooth regularly it is recommended you switch this capability off on your device. Be mindful operating your device in crowded places. Shoulder surfing is a good technique cyber criminals use. Shoulder surfing refers to looking over your shoulder as you type in our password/PIN/financial details to try and capture them. ... View more

  Video provides information security awareness in and around your workplace. Simple tips how you can create a secure working environment for yourself and colleagues around you without any technical controls. Video runs just over 2 minutes.   ... View more