What your organization can do to avoid getting phished

As you are probably well aware, phishing attacks are on the rise all around the world. Organizations must take extra steps to make sure that they protect themselves as well as their customers against this threat.

As Attila mentioned in his post earlier this week, LogMeIn employs SPF, DKIM and DMARC on every email it sends from a @logmein.com address.

The combination of these three technologies allows the recipient server to validate that:

  1. The email was sent from a server authorized by LogMeIn
  2. The contents of the email have not been manipulated

The key point is that these checks are performed by your organization's receiving email servers. They have to support SPF, DKIM and DMARC validation in order to filter out phishing emails.

Most major email providers, including Gmail, Yahoo Mail, and Outlook.com, check these records and will put phishing emails that appear to come from a @logmein.com address into the Spam folder. Be wary of slight variations of the domain part: if you see an email from logme.in.com or logmeein.com or some other variation of our domain, you can safely delete it.

If your organization maintains its own email servers and you receive these phishing emails, please ask your email administrator to set up SPF, DKIM and DMARC validation. You will save yourself a lot of headaches.
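As an added example (not code from the original post), the following Python script shows what a receiving server does with these records: it evaluates a constructed SPF record for a sender IP and then applies a constructed DMARC policy with SPF alignment. It also serves the SPF-validation tip later on this page. The DNS records, domains and IPs are embedded and constructed for illustration; DKIM is left out for brevity.

```python
import ipaddress

# Constructed DNS TXT data for this example; a real receiver resolves these via DNS.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "bounce.example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """SPF result for sender_ip against domain's record: pass/fail/softfail/neutral,
    none (no record) or permerror (malformed record or runaway include chain)."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none" if record is None else "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"                      # default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif mech == "include" and check_spf(arg, sender_ip, depth + 1) == "pass":
            return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no 'all' term

def org_domain(domain):
    """Crude organizational domain (last two labels); real receivers use the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_verdict(from_domain, mail_from_domain, sender_ip):
    """Apply the From: domain's DMARC policy using the SPF result only (DKIM omitted).
    Returns 'pass', or the policy action (reject/quarantine/none) when SPF fails or is unaligned."""
    raw = DNS_TXT.get("_dmarc." + from_domain) or DNS_TXT.get("_dmarc." + org_domain(from_domain), "")
    tags = dict(kv.strip().split("=", 1) for kv in raw.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return "no-policy"
    strict = tags.get("aspf", "r") == "s"   # aspf=s requires an exact domain match
    aligned = (mail_from_domain == from_domain if strict
               else org_domain(mail_from_domain) == org_domain(from_domain))
    if check_spf(mail_from_domain, sender_ip) == "pass" and aligned:
        return "pass"
    return tags.get("p", "none")
```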

And as always, follow the best practices for email.

Does your organization use DMARC? If it does not, what is the reason? Please leave a comment and share your thoughts.


POODLE and LogMeIn: What You Need to Know

The security community recently identified a new vulnerability in the SSLv3 protocol, known as POODLE (Padding Oracle On Downgraded Legacy Encryption). This article helps you understand POODLE and the steps you should take to protect your systems. We also discuss steps we are taking at LogMeIn to protect you against POODLE and similar vulnerabilities now and into the future.

Are LogMeIn Products vulnerable?
The latest versions of LogMeIn products and services are not impacted by POODLE. Since the vast majority of our customers receive auto-updates, most users can rest assured that they are protected against such attacks. We’ve included the latest version numbers below and have provided an easy way to check your version and update if required.

How about your browser?
It’s important to understand that only the older SSLv3 protocol is vulnerable. Most modern browsers support protocols other than SSLv3, so unless you are using Internet Explorer 6 (IE 6), you’re in good shape. If you are using IE 6, we strongly recommend that you upgrade to Internet Explorer 7 (or above) or choose an alternative browser, such as Firefox, Opera or Chrome.

Use this third-party service to check your browser for vulnerability: https://www.poodletest.com/

If you remain on IE 6, keep in mind that IE 6 is NOT SUPPORTED and you will experience problems:

  • From any LogMeIn website, you will receive the following message:  “Internet Explorer cannot display the webpage”
  • When attempting to use the LogMeIn Client, you will be unable to login or connect

But there’s a slight catch…
Even modern browsers are sometimes configured to work around interoperability bugs in older servers by retrying the connection with a downgraded protocol. So even when both sides of the connection support higher, more secure protocols, an active man-in-the-middle attacker can abuse this one-sided fallback to force the connection down to SSLv3 and then exploit the protocol's vulnerability to gain access to the encrypted connection.

And a solution!
If either side of the connection explicitly disallows SSLv3 then the vulnerability cannot be exploited.

  • As a browser user, it’s best to disable SSLv3 in your browser. This will actually be done for you in the next versions of most popular browsers, such as Firefox and Chrome.
  • As someone running a webserver (like LogMeIn), the best thing to do is totally disable SSLv3 on the server side. And that’s just what LogMeIn will do. To ensure security of all users, we will disable SSLv3 support on our webservers starting today (20th October). The only small downside to this change is that anyone still using Internet Explorer 6 (which does not support the latest protocols) will no longer be able to communicate with any LogMeIn websites.
  • Going above and beyond what’s needed to respond to POODLE, we will disable SSLv3 support on all other servers in the coming weeks. This will impact all older versions of LogMeIn products: after this update, only the versions listed below (or newer) will be able to access LogMeIn services.

Additional detail about how POODLE works
POODLE is a broad vulnerability that can potentially allow an attacker to gain access to the contents of encrypted communications. As discussed above, browsers are sometimes set to work around interoperability bugs in older servers by connecting using a downgraded protocol. By simulating a failure while the connection to a server is being established, an adversary can trick a browser and server into renegotiating their connection over an older protocol (SSLv3). Since the POODLE vulnerability is inherent to the protocol itself, not to the server software, the problem cannot be patched out like Shellshock and Heartbleed.

Latest LogMeIn product versions

The latest versions of LogMeIn products are NOT affected by the POODLE vulnerability. Here is a list of the latest versions, as well as instructions on how to quickly determine which version you are running and how to manually upgrade, if necessary.

  • LogMeIn Pro (LogMeIn Host v4.1.0.4408 and above on Windows or v4.1.0.4405 and above on Mac; LogMeIn Client version 1.3.422 for Windows and 4.1.4587 for Mac) – How to check
  • Rescue Technician Console, Calling Card 7.4 or newer – How to check: Technician Console Options > About LogMeIn Rescue; Calling Card Settings > About
  • Cubby 1.0.0.12648 – How to check
  • join.me 1.17.0.156 – How to check
  • RemotelyAnywhere 11.3.2821 – Latest available here
  • AppGuru – Not impacted by POODLE due to LogMeIn webserver updates
  • Xively – Not impacted by POODLE due to LogMeIn webserver updates
  • Hamachi – Not impacted by POODLE
  • Backup 3.0.789 – How to check
  • Meldium – Not impacted by POODLE


Update on Bash Shell Vulnerability (aka ‘Shellshock’) and LogMeIn Products

You may have heard about the CVE-2014-6271 and CVE-2014-7168 bash shell vulnerabilities, aka Shellshock. As part of our commitment to security, we wanted to provide an update on what this means for our customers. After investigating this issue, we can confirm that LogMeIn services are NOT affected by Shellshock, and for many customers no additional action is required to protect against this vulnerability.

Important note for Mac OS X users:

Mac OS X itself is potentially impacted by the Shellshock vulnerability. Like many Mac applications, LogMeIn ‘client’ applications on Mac OS – including LogMeIn Pro Host, LogMeIn Pro Client, Rescue Technician Console Desktop App and Rescue Applet – do use bash to run scripts. Please note that this vulnerability is not in our products. It will have to be addressed through patches for OS X itself. We do not plan to release any of our own product updates related to this issue.

We do recommend that customers running LogMeIn ‘client’ applications on Macs upgrade their Bash versions on Mac OS X as soon as Apple makes these available. [Update: the patches are now available; please see the UPDATE section at the end of this post.]

If you’re worried, though, there is a way to manually update your GNU bash version to a more secure one: http://mac-how-to.wonderhowto.com/how-to/every-mac-is-vulnerable-shellshock-bash-exploit-heres-patch-os-x-0157606/

We will continue to monitor and will provide an update to this post as soon as a Mac OS X patch is available.

[UPDATE]

As pointed out by Stuart Bryant in the comments below, Apple has just released an update to address the Shellshock vulnerability.

For users running OS X Mavericks (OS X 10.9), you can download the update here: http://support.apple.com/kb/DL1769

If you’re running OS X 10.8 or earlier, you can get the Mountain Lion version here: http://support.apple.com/kb/DL1768 or the Lion version here: http://support.apple.com/kb/DL1767


New Government Advisory of PoS Malware Serves as a Security Reminder

The US government today posted an advisory regarding newly identified malware, dubbed Backoff, that has been tied to recent PoS (point-of-sale) data breach investigations. Many of the findings and recommendations reinforce our ongoing commitment to — and stance on — security when it comes to remote access technology. We encourage all of our PoS customers to take a look at the advisory. And if nothing else, it should serve as another important reminder when it comes to password best practices and phishing.

As part of our ongoing commitment to customer security, we provide a wide variety of built-in features that our customers can employ to further secure their environments, and we continue to take steps to educate all of our customers on how to best protect themselves from security threats like phishing and malware.

You can learn more about the security best practices we recommend when it comes to passwords here, including how you can take advantage of our built-in security features like two-factor authentication – additional steps/details can be found on our help site, for example here and here.

We also encourage sharing our tips on how to identify and protect yourself against phishing attempts.


Customer Security Tips

As part of our ongoing commitment to customer security, we’d like to offer our customers some advice on IT security and user password best practices, and how to better utilize the multiple layers of security that are built into LogMeIn products.

Some important user password best practices include:

  • Use two-factor authentication that is simple, free and available on all LogMeIn products
  • Create a unique, complex password for every account, device and system
  • Consider using a password safe application to generate secure passwords and store them safely
  • Never use simple passwords like “password” or “12345”
  • Always use complex passwords of at least eight characters in length, including upper- and lower-case letters, numbers and symbols

The above tips are especially relevant in efforts to protect against “phishing” scams. For more detailed information on how to identify and avoid fraudulent emails, click here.


Avoiding Phishing Attacks

What is Phishing?

Phishing is an email scam designed for identity theft. The most successful phishing emails are typically disguised to look like they come from a known or reputable source. These emails usually contain attachments or download links to malicious software, such as keystroke loggers, banking trojans, spyware, and rootkits. A keystroke logger is one of the most dangerous threats: an attacker can use it to steal user names and passwords as you type them, including credentials for your email, remote computers, HR systems, etc.

Tips on how to identify a fraudulent email

Legitimate organizations typically do not request sensitive information via email. LogMeIn will never send you an email asking you to:

  • Verify your account information (except to verify your email address after registration).
  • Provide your password.
  • Confirm personal information such as age, social security number, or home address.
  • Provide information of a financial nature.
  • Download a new product or SSL certificate from a provided link.

If you receive a suspicious email purporting to be from a LogMeIn address, we recommend the following actions:

  • Do not reply
  • Do not open any attachments
  • Do not click on any links
  • Contact LogMeIn’s technical support team

Tips on how to identify phishing scams

  • Threats and Calls to Action – Phishers like to use scare tactics, and may threaten to disable an account or delay services until you update certain information. Most phishing campaigns include a call to action. If the content places any kind of urgency as far as “you must click into your account now”, it is potentially a scam.
  • Too generic – Watch out for generic-looking requests for information. Fraudulent emails are often not personalized.
  • Bad grammar – Scammers are not known for Grade A grammar and spelling.  This is a common trait among many fraudulent email scams. Some of these messages have been poorly translated from other languages, or use letters from the alphabet to substitute certain symbols (which is a common tactic meant to evade spam filters).
  • Links in email – If you see a link in a suspicious email message, don’t click on it. Hover your mouse over the link (without actually clicking on the link) to reveal whether the real address matches the URL that was typed in the message. In the example below, the link reveals the real web address that the user will be routed to, as shown in the red box. Notice that the URL string in the text looks nothing like the web address to which the user will be directed.

[Image: example of hovering over a link in an email, with the real web address highlighted in a red box]

  • Email body as an image – It is a common tactic of many spammers to make the whole message body an image so as to track the user and evade spam filters.
  • IP reputation – You can look up the sender IP’s reputation on Return Path’s Sender Score website (www.senderscore.org). The lower the score, the more likely the email is a phishing attempt.
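The following Python script is an added illustration (not code from the original post) of two checks described on this page: the hover test, where the host named in a link's visible text differs from where the href really goes, and the warning about sender or link domains that are slight variations of a trusted domain. The sample message body, the trusted domain and the similarity threshold are constructed assumptions for the example.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body for the example (not a real phishing email).
SAMPLE_HTML = (
    '<p>Your account is on hold. Please '
    '<a href="http://examp1e.com/login">https://www.example.com/account</a> now, '
    'visit <a href="https://secure.example.com/help">our help site</a>, or '
    '<a href="http://example.com.evil.test/x">click here</a>.</p>'
)
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class LinkAuditor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def shown_host(text):
    """Host named in the visible link text, or '' if the text does not look like a URL/domain."""
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else ""

def is_trusted(host, trusted):
    return host == trusted or host.endswith("." + trusted)

def audit_links(html, trusted):
    """Return (href, reason) for each link to flag: the visible text names a host other than
    the one the href really goes to, or the href host merely resembles the trusted domain."""
    parser = LinkAuditor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real, shown = (urlparse(href).hostname or "").lower(), shown_host(text)
        if shown and shown != real:
            flagged.append((href, f"text shows {shown} but the link goes to {real}"))
        elif not is_trusted(real, trusted):
            brand = trusted.split(".")[0]   # e.g. 'example' for 'example.com'
            if brand in real.replace(".", "") or SequenceMatcher(None, real, trusted).ratio() > 0.75:
                flagged.append((href, f"{real} resembles {trusted} but is not it"))
    return flagged
```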

Tips on what to do in your LogMeIn account if you think you’ve been phished

  • Clean your computer system of possible malware (including key loggers) – Immediately clean your system to remove any malware and key loggers that may have been installed.
  • Change passwords – Once your device is clean, change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
  • Enable Two-Step Verification – With two-step verification, after entering your LogMeIn ID and password, you will also be required to enter a one-time code that you get from either a mobile authenticator app or via email. The following links provide additional information on this feature:
      • http://help.logmein.com/SelfServiceKnowledgeRenderer?type=FAQ&id=kA030000000DGF0CAO
      • http://help.logmein.com/SelfServiceKnowledgeRenderer?type=FAQ&id=kA0a0000000shEiCAI
  • Do not fill embedded forms with sensitive information – Never submit sensitive, personal or confidential information via forms embedded within email messages. Senders are often able to track all information entered.
  • Be careful with URLs – Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but be aware that the URL may use a variation in spelling or a different domain.
  • Protect your computer – Make sure you maintain effective anti-virus, anti-spyware and Internet Security software to help combat phishing.
  • Think twice before opening an attachment – Be careful about opening or saving any document or attachment that comes with spam mail.
  • Don’t disclose personal information – Never ever send any information about your account in an email. LogMeIn’s technical support team is available by phone at 1-866-478-1805 should you require assistance.
  • Make sure your receiving mail server does a Sender Policy Framework (SPF) check – SPF allows recipients to verify sender identity (at the organizational level) by allowing domain owners to publish, via DNS, the IP addresses that are authorized to send emails from the specified domains. Ask your mail server administrator to configure SPF validation – this is usually done in the spam filter.
      Resources:
      • http://www.openspf.org/FAQ/Testing_and_validating
      • https://support.microsoft.com/kb/2640313

Ways to report a suspected phishing scam

  • The Anti-Phishing Working Group is an organization that helps fight phishing scams. You can report phishing at http://www.antiphishing.org/report-phishing/
  • Call the LogMeIn support line FIRST, and note that they might ask you to forward the email to a specific address.