Blog Blog

Massive Stolen Password Lists From LinkedIn and MySpace Put Over 500 Million Passwords in Hackers’ Clutches

Massive Password Lists Stolen and Shared

In the past few weeks, there has been a massive uptick in cyber attacks involving the use of stolen passwords to gain access to corporate email and other IT systems.  This increase can be traced to two recent events from May.  First, a hacker sold a list of 167 million LinkedIn account credentials (many including email addresses, usernames, and passwords) on the dark web.  Then, a few weeks later, the same hacker sold a bigger list containing 427 million MySpace usernames and passwords.  Very soon, both of these lists had been re-sold, copied, and shared around with hacker groups around the world.

Why These Password Thefts Matter   vicepwds

Now, most of us aren’t particularly worried about hackers getting into our LinkedIn or Myspace accounts as nothing critically important is kept there. However, the real impact of these breaches is due to the fact that millions of people re-use the same usernames and passwords for everything, and therefore this same list of usernames and passwords can be used to login to many corporate e-mail, IT, online banking, and other vital accounts.

What You Can Do About It

1. Make sure you never re-use old passwords

2. Periodically review and change all important passwords on your network

3. Use strong passwords

4. If you ever used a password on LinkedIn or Myspace or any other breached site, make extra sure that you have not reused that password for anything else.



Microsoft Sues Justice Department Over Spying

lawsuitbuttonOn April 14th, Microsoft filed a lawsuit against the Justice Department in the Federal District Court in Seattle.  The lawsuit alleges that federal law enforcement agencies have used an unconstitutional interpretation of the Electronic Communications Privacy Act of 1986 in order to access to thousands of Microsoft customers’ data that is stored in the cloud (primarily email such as Office 365 and Hotmail).  Microsoft claims that because this spying is so widespread, and because many of the orders also demand that the spying be kept secret, and have no end date (either for the spying or the secrecy), this violates the Fourth Amendment right to protection from unlawful search and seizures. Microsoft also claims that their First Amendment right to inform customers they are being spied on is also being violated.

“From September 2014 to March 2016, Microsoft received 5,624 federal demands in the United States for customer information or data. Nearly half — 2,576 — were accompanied by secrecy orders.”

Often, gag orders prevent companies from reporting government spying on their customers.  However, some companies use what is referred to as a “warrant canary” — which is a statement somewhere on their website/service that they have never been subject to any warrants/spying.  The idea is that when the government begins spying, the company can remove the canary notice from their site, so that users can realize the notice is gone and become aware that spying may have occurred, without the company specifically notifying the users in violation of the gag order. You can read more about warrant canaries at  

You can also read the coverage in the New York Times at


Hackers Impersonating CEOs In Wire Fraud Attempts


Local businesses are being targeted by a new category of phishing attacks, called BEC (Business Email Compromise) or CEO scams.  According to the FBI, the total losses from BEC scams is over 1.2 billion dollars.  BEC scammers impersonate CEOs by sending emails to business associates (such as attorneys, accountants, partners, assistants, etc) asking them to authorize a wire transfer. There are a few things that are different about these BEC scams compared to e-mail fraud we are used to:

  • The request for a wire transfer is usually very specific and well-written — customized for the particular target
  • Details about the targeted business and its employees from LinkedIn, Facebook, and other public websites are integrated into the email to make it seem more legitimate
  • Sometimes fake domain names are registered that are very very similar to real domain names as part of the scam, so that the attacker can send and receive email pretending to be someone else.  For instance, if your real business domain name was, the hackers might actually register so they could send and receive messages that look extremely similar to your real email address
  • Sometimes the hackers also might try to find publicly-posted emails from you or trick someone at your firm into sending an email so they can see what your standard signature / style of email is, so that the fake email they craft can have your real salutations and signatures.
  • In some cases they may use stolen passwords to actually gain access to an email account if possible


According to the FBI’s Internet Crime Complaint Center statistics, the average loss from successful BEC scams is around $100,000.  There are a few things you can do to protect your business:


  • Training, training, training.  The #1 most important step for security is to make sure your employees understand the risks and take them seriously.
  • Make sure your accountants and associates know to not authorize any wire transactions based only on e-mail
  • Use strong passwords and never re-use your corporate password for other sites
  • Remember never to click on unfamiliar or suspicious links or attachments in email


CFPB Update: Lender Audits Ongoing

Background: The CFPB is BornCFPB_2tone_Horiz_RGB

In 2010, President Obama signed the Dodd-Frank act into law, which changed financial and banking regulations and created a federal agency dedicated to consumer financial protection, the Consumer Financial Protection Bureau (CFPB). Much of the Dodd-Frank act has already taken effect, although the new disclosure forms (known as TRID, short for TILA RESPA Integrated Disclosure) weren’t finally adopted until October of 2015. Under the Dodd-Frank act, the CFPB is responsible for regulating the mortgage industry, which includes enforcing and maintaining regulations under the Truth In Lending Act (TILA) and the Real Estate Settlement Procedures Act (RESPA) as well as the Dodd-Frank act. The CFPB has already begun auditing lenders and mortgage service providers; at first, it was much larger lenders that were primarily being audited by the CFPB, but now there has been some news of smaller lenders also being audited by CFPB examiners.

CFPB Now Auditing Smaller Companies

There are a number of accounts of the CFPB auditing smaller lenders, and sometimes taking further actions. It’s difficult to find statistics about CFPB audits, although there is a lot of information about audit processes and specific enforcement actions. Michigan’s Lighthouse Title was recently fined because of RESPA-violating marketing services agreements. In May of 2013, the CFPB took a similar enforcement action against Paul Taylor Homes and Benchmark Bank of Dallas, TX.

How Has Dodd-Frank Changed the Real Estate Closing Process?

  • The HUD-1, TIL, and GFE forms replaced by TRID/KBYO Integrated Disclosure
  • New standards and time limits for mortgage statements, disclosures, and notices
  • Lenders now take all liability for mistakes made by mortgage servicers
  • The CFPB has taken over some of the enforcement authority from the FDIC
  • Part of the CFPB’s audit checklist is to confirm that the lender or mortgage service provider is following the data privacy rules of the Gramm-Leech-Bliley act (which requires a written security plan)

What Does This Mean For Real Estate Closers?

  • We’re seeing more compliance and data security pressure from lenders. Because of the liability shift to lenders and because of the CFPB’s ongoing auditing and enforcement processes, lenders are under a lot of regulatory pressure which is being passed on to settlement services and other third-party service providers. The CFPB’s 2012-03 Bulletin explains that it will expect lenders to “review[] the service providers’ policies, procedures, internal controls, and training materials”, and also that lenders must “establish internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law…”
  • Be ready to take data security rules more seriously. Data security regulations (especially Gramm-Leech-Bliley) have applied for years to anyone even remotely involved in the mortgage process; however, now there is a regulatory agency actively enforcing these for settlement services.
  • You can now be audited by the CFPB in person. Although the CFPB is currently focusing more on auditing larger lenders, their mandate requires them to audit mortgage servicers and lenders of all sizes. From the CFPB’s 2012-03 Bulletin, they stated very clearly that “Title X [] grants the CFPB supervisory and enforcement authority over supervised service providers, which includes the authority to examine the operations of service providers on site.”

Where Can You Get Help With Compliance Management?

  • Direct iT’s compliance team is very experienced at helping with the IT and technology side of the compliance process. We can perform technical risk assessments and help you establish a written information security plan (as required by the CFPB as well as state data security regulations).
  • ALTA’s Best Practices 2.0 is a set of policies and procedures developed by ALTA (American Land Title Association); while not officially endorsed by the CFPB, ALTA has been very involved with the CFPB rule-making process and has developed their Best Practices with compliance in mind.
  • An ongoing network maintenance and monitoring program like Direct iT’s RemoteNet program is essential for ensuring that the minimum standard of data security required by Gramm-Leach-Bliley is met.

Where Can You Read More About The CFPB And Dodd-Frank?

16 CFR 314.4 (data privacy rules authorized by Gramm-Leech-Bliley act)

CFPB Examination Procedures for Mortgage Servicers

ALTA Best Practices

CFPB Bulletin 2012-03

CFPB Auditing Small Texas Builder


Windows 10 Free Upgrade – Should I Upgrade My PC?

Windows users who keep their PCs updated may have noticed a new icon in the system tray in  the last few days — this icon shows Microsoft’s offer for a free upgrade to Windows 10.  Not every PC will have this upgrade icon — most PCs on business networks do not currently have the Windows 10 upgrade icon.  According to Microsoft, over 14 million people already took advantage of the free upgrade on the very first day it was available. The Windows 10 upgrade icon looks something like this:




For business users, Direct iT strongly recommends against upgrading at this time for the following reasons:

  • Many business applications have not yet been fully verified or may need to be updated to support Windows 10
  • New versions of Windows typically have many bugfixes and security updates in the first six months after they are released

In order to make sure your business PC does not get upgraded to Windows 10, follow these steps:

1. Click on the upgrade flag

2. From the “Get Windows 10” window that pops up, click on the 3 line menu button in the top left









3. Click on the “View confirmation” button in the menu that appears







4.  Then click “Cancel Reservation” to cancel your Windows 10 upgrade. Don’t worry, you can still go back and upgrade later (for at least the next year) if you change your mind.









Call Direct iT Today!


One of our IT specialists is waiting to talk to you.

About Direct iT

Direct iT, Inc. is a New England based IT services firm offering products and services for small businesses in Greater Boston, New Hampshire, Rhode Island, and the rest of New England. Cloud, compliance, and document management services are also available worldwide. Many of our customers are along the Route 128 technology corridor.

Direct iT, Inc. Main Offices

39 Emerson Rd. Suite 215
Waltham, MA 02451
Sales: 781-890-4400
Support 781-890-1907