Tag Archives: Security

New ransomware method to worry about

Image Credit: makeuseof.com

Over on security blog Bleeping Computer, there is a post about a new type of ransomware that presents a triple threat. Known as RAA, what makes this one different is that it is written entirely in JavaScript, a language usually used to add functionality to web pages. A malicious .exe attached to an email would pop up an alert when a user tried to run it; something written in JS likely would not, and the damage would be done before you knew it.

Better change your passwords

Seriously. I’m not just telling you this because it’s World Password Day (it is, though, and I don’t know what Betty White has to do with anything). I’m saying it because it has come out that a security pro at Hold Security discovered an absolutely massive theft of usernames and passwords from Russia’s largest email provider, mail.ru: about 275 million stolen records. Not only that, a significant number of credentials were stolen from Gmail, Hotmail, and Yahoo account holders as well. Incidentally, many reports are saying ‘Microsoft’ instead of ‘Hotmail,’ which is a Microsoft property; Microsoft also has Outlook, which hasn’t, as far as I can figure out, been hit.

Most surprising of all, even more than the fact that this is one of the largest thefts of electronic records in history, is that the teenage hacker who acquired them was willing to sell the whole multi-hundred-million-record lot for the grand sum of $1. But wait, there’s more! The hacker was discovered via his bragging about the theft in an online hacking forum, and when the Hold Security employee who engaged with him offered to leave positive feedback for the hacker, the price was dropped to free. That’s right, free, for the mere quid pro quo of a positive review.

Off topic, but that touches on the concept of what is known as the reputation economy, in which someone’s actual worth depends on what others say about them in public and think about them in private. You can read more about it here.

It’s no secret people use bad passwords all the time, and reuse them over and over for multiple functions and sites. Don’t do that! Use a passphrase – in class just today, my students suggested ‘sheturnedmeintoanewt,’ a line from Monty Python and the Holy Grail, which turns out to be a perfect passphrase. It’s long and complex, yet easy to remember. Plus, it would take 16 BILLION years to crack! How do I know? Because we plugged it into howsecureismypassword.net, and that was its estimate. Even if it’s off by a billion years or so, that’s still pretty good. If we capitalize just one letter, the ‘n’ in newt, it jumps up to 17 quadrillion years. This isn’t the be-all and end-all for accurately determining password strength, but it’s a good estimator.
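The following Python is an added example, not code from the post or from howsecureismypassword.net. It shows where brute-force estimates like the ones above come from: the size of the character set raised to the length of the password, divided by an assumed guess rate. The rate of 40 billion guesses per second is an assumption chosen because it reproduces the 16 billion and 17 quadrillion year figures quoted in the post; the `KNOWN_PHRASES` list is constructed, and stands in for the phrase lists that cracking tools load alongside their wordlists. That second check is the caveat a practitioner would add: a famous quote scores well against brute force but is reached in a handful of guesses by anyone using a phrase list.

```python
import math
from typing import List, Optional

# Assumed attacker guess rate (constructed): about 4e10 guesses per second
# is the rate that reproduces the two estimates quoted in the post.
GUESSES_PER_SECOND = 4e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed list of well-known phrases, standing in for the phrase lists
# that password-cracking tools use in addition to plain wordlists.
KNOWN_PHRASES: List[str] = [
    "sheturnedmeintoanewt",
    "itsonlyafleshwound",
    "maytheforcebewithyou",
]


def charset_size(password: str) -> int:
    """Size of the smallest union of standard character classes covering the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_keyspace(password: str) -> int:
    """Number of candidates a brute-force attacker must try to exhaust the keyspace."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits: log2 of the keyspace."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years an attacker at `rate` guesses/second needs to try every candidate."""
    return brute_force_keyspace(password) / rate / SECONDS_PER_YEAR


def phrase_list_guesses(password: str, phrases: List[str] = KNOWN_PHRASES) -> Optional[int]:
    """Guesses a phrase-list attack needs to reach the passphrase, or None if it is
    not on the list. Case is ignored, standing in for the case-toggling rules that
    cracking tools apply to each list entry."""
    normalized = password.lower()
    for index, phrase in enumerate(phrases, start=1):
        if normalized == phrase:
            return index
    return None


def humanize_years(years: float) -> str:
    """Render a year count the way the post quotes it ("16 billion years")."""
    for name, scale in (("quadrillion", 1e15), ("trillion", 1e12),
                        ("billion", 1e9), ("million", 1e6)):
        if years >= scale:
            return f"{years / scale:.0f} {name} years"
    return f"{years:.2g} years"


def assess(password: str) -> dict:
    """Summarize brute-force cost and whether a phrase list would shortcut it."""
    return {
        "bits": round(entropy_bits(password), 1),
        "brute_force": humanize_years(years_to_exhaust(password)),
        "phrase_list_guesses": phrase_list_guesses(password),
    }


if __name__ == "__main__":
    for candidate in ("1234", "sheturnedmeintoanewt", "sheturnedmeintoaNewt"):
        print(candidate, assess(candidate))
```

Running it shows the lowercase phrase at about 94 bits and "16 billion years" of brute force, and the version with a capital N at "17 quadrillion years", matching the post. Both, however, come back with `phrase_list_guesses` of 1, which is why a quote everyone knows is a weaker choice than the brute-force number suggests, and why a string of unrelated words is the safer way to get the same memorability.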

Pretty secure

If you’d like to use a different password for each site or service, but are worried about keeping track of them all, you can use a password manager like KeePass to manage them. Some password managers even enter the passwords for you. I don’t know how I feel about that personally, but it is easier. Beware: password managers usually have a master password, and if you lose or forget that, you are screwed – you’ll be resetting passwords forever.

Everyone knows I hate passwords and especially the policies that go along with them, and I hope the scourge of passwords is one we can raze from this earth in the very near future, replaced with something more robust – but not 100% foolproof – like biometrics (fingerprint scanners, for example). Until then, just remember: It’s only a flesh wound.

Spam is at a 12-year low!

Or a 10-year low, depending on who you talk to; the BBC says it’s 12 years. Either way, it’s a promising sign. Spam still makes up 49.7% of email, but that’s the first time since 2003 it has been under 50%.

It appears all email-based attacks, including phishing emails, 419 scams (also known as Nigerian prince scams), fake product scams, and others, have fallen.

The reason for this is a concerted effort by private companies and governments to bring down botnets, networks of compromised machines – known as bots – that are used to send spam emails. We’ll learn all about this in our final class.

Curiously enough, Microsoft of all companies has been a leader in bringing down these networks, whether working with U.S. Marshals to bring down the Zeus malware botnet or the spam behemoth Rustock, or working with Symantec to shut down the Bamital botnet, which would corrupt users’ search results and direct them to malicious websites. Other times it just works on its own.

One thing to keep in mind about the reduction in spam overall is that criminals aren’t going away; they are merely shifting their attention elsewhere, mainly to malware, which is software that does something bad. Keyloggers, drive-by downloads, Flash embeds: spam isn’t doing it for them anymore, so they are developing new methods of attack. None of this means you can be less vigilant; if anything, you should be more so. Be sure your anti-virus software is up to date, and be careful what you click on or agree to.

Uh, Hm. Well…

I’m not even sure what to say about the you-know-what-storm that could happen from this. It turns out that Ashley Madison, a site set up for people who are looking to have an affair, has been hacked and 37 million(!) names, credit card details, emails, even…well let’s just say people can upload not-suitable-for-public photos, and narratives about what they are looking for that should probably never see the light of day, have all been stolen. Irony on top of irony for a website that claims it is 100 percent secure; something we will learn in class is impossible.

California’s kill-switch law goes in to effect today

Sometimes I just can’t figure out why an obviously great – and necessary – idea doesn’t immediately become a law, even if it adds a minuscule extra step on the manufacturing end.

In this case, I’m referring to a “kill-switch,” a feature that allows the owner of a smartphone to remotely render the device unusable in the case of loss or theft. Today in California, a law goes into effect statewide that mandates all smartphones have kill-switch functionality implemented and on by default (something I suspect will not be the case universally). Minnesota is the only other state with a mandatory kill-switch law; however, its version does not require the feature to be enabled by default.

Beware of the Rombertik virus

A vicious, yet serendipitously topical computer virus is making the rounds, and it has an added capability that can cause you great difficulty and lost data.

Known as Rombertik, it does what most viruses do: infects your machine, steals data, remains hidden, that sort of thing. Mundane, in the parlance of malware.

But it has an additional capability that makes it infinitely more insidious:

Would you notice this?

There are countless news stories about credit card numbers being stolen by hackers, and people having thousands of dollars of fraudulent charges levied against their accounts. Target is paying out $10 million to compensate for a data breach in its system, but everyone from Sony to multiple financial institutions has been attacked recently.

Unbeknownst to many, there is another way that criminals are able to get hold of credit and debit card info that many of us would never notice – skimmers and keypad overlays.

A skimmer is a device that fits over the card slot on an ATM, gas pump, or other device, and when you slide your card into the slot, you slide it through the skimmer as well as the ATM slot itself. You’ll still get your money, but the criminals will get your information, and you’ll never know it happened, at least until you get robbed. Keypad overlays are the same, except they sit over the keypad of a machine, and when you enter your PIN it’s recorded by the overlay as well as by the ATM. Again, you’ll still get your money, but you’ll also have unknowingly given your information to some unscrupulous people.

Haven’t seen one of these in a while

I usually get a few spam emails daily; some are clearly phishing or attempting to get me to install malicious software. But the ‘Nigerian Prince’ scam (or 419 scam, as it is more commonly known) hasn’t been popping up as often as I’d like. They’re entertaining to read, and I wish I got more of them. If you want to experience some Schadenfreude, there are even websites set up to turn the tables on the scammers.

Anyway, I just got one! So I’ll share it with you, let you know the ‘.co’ extension represents Colombia, and hopefully you all know not to respond to messages like this. As usual, we’ll talk about it more in class.

From: “Thomas Kohler” <[email protected]>
Subject: Greetings and Good news
Date: Fri, February 20, 2015 3:28 pm
To: undisclosed-recipients:;

Greetings,

My name is Dr Thomas Kohler. I am an independent external auditor for the World Bank
handling the Foreign Banks Debt Management Office.

I have in front of me an abandoned transfer file containing details to an escrow
account setup in your name. The file shows that you have correctly made application
to have your funds released to you. It is also clearly noted on the file that the
beneficiary could not handle the financial commitment required of him. Due to this
the funds were pegged and abandoned.As an international independent external auditor
i think it is very absurd to abandon ones funds for this simple reason. 

To tell you the truth i do not believe this to be true and my reason is simply
because of the irregularities i noticed while compiling the audit report for the end
of the financial year.

I have perfected plans to have this funds transferred to you within the next 24hrs.
Upon your confirmation i will give you further directives.


Regards,
Dr Thomas Kohler
Tel/Fax: +44 709 287 5848

What’s the best antivirus program?

I don’t think I need to tell anyone reading this that digital security is a big issue at all levels: Personal, corporate, government, and international. On your PC, at the very least, an antivirus program is mandatory, although many people feel they don’t need one. Take my word for it, you do.

But there are many options, and for something like this you want the program that performs best, detecting the most viruses and other malware compared to the competition. To clarify, antivirus programs have a list of what are called ‘virus definitions,’ which is just what it sounds like: characteristics of the viruses known to the antivirus package, which it uses to determine whether you have been infected. (Whenever you update your AV program, you’re downloading virus definition files.)
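As an added example (written for this page, not code from any antivirus product), here is a miniature version of what a definition file is and how a scanner uses it. Each definition is either an exact file hash or a byte pattern; the scanner checks every file against every definition. The sample "files" and the definition names are constructed byte strings, not real malware or real signatures. The example also shows why a definition is more than a hash, and why the update step matters: a one-byte variant slips past the hash but not the pattern, and a new family is missed entirely until a definition for it is downloaded.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Pattern


@dataclass(frozen=True)
class Definition:
    """One entry in a definition file: a name plus an exact hash or a byte pattern."""
    name: str
    sha256: Optional[str] = None              # exact-file match
    pattern: Optional[Pattern[bytes]] = None  # characteristic byte sequence


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, definitions: List[Definition]) -> List[str]:
    """Return the names of every definition that matches the file contents."""
    hits: List[str] = []
    digest = sha256_hex(data)
    for definition in definitions:
        if definition.sha256 is not None and definition.sha256 == digest:
            hits.append(definition.name)
        elif definition.pattern is not None and definition.pattern.search(data):
            hits.append(definition.name)
    return hits


# Constructed sample files: harmless byte strings standing in for executables.
SAMPLE_KNOWN = b"MZ\x90\x00" + b"payload-marker-alpha-v1" + b"\x00" * 8
SAMPLE_VARIANT = SAMPLE_KNOWN.replace(b"v1", b"v2")  # one tweak changes the hash
SAMPLE_NEW_FAMILY = b"MZ\x90\x00" + b"payload-marker-beta" + b"\x00" * 8
SAMPLE_CLEAN = b"MZ\x90\x00" + b"hello world" + b"\x00" * 8

SAMPLES: Dict[str, bytes] = {
    "known.exe": SAMPLE_KNOWN,
    "variant.exe": SAMPLE_VARIANT,
    "newfamily.exe": SAMPLE_NEW_FAMILY,
    "clean.exe": SAMPLE_CLEAN,
}

# Definition file as shipped (constructed names): a hash of the known sample
# plus a pattern describing the family's characteristic marker.
DEFINITIONS_V1: List[Definition] = [
    Definition("Constructed.Alpha.hash", sha256=sha256_hex(SAMPLE_KNOWN)),
    Definition("Constructed.Alpha.pattern", pattern=re.compile(rb"payload-marker-alpha-v\d")),
]

# Definition file after an update adds the newly discovered family.
DEFINITIONS_V2: List[Definition] = DEFINITIONS_V1 + [
    Definition("Constructed.Beta.pattern", pattern=re.compile(rb"payload-marker-beta")),
]


def scan_all(definitions: List[Definition]) -> Dict[str, List[str]]:
    """Scan every constructed sample and report which definitions fired."""
    return {name: scan(data, definitions) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    print("before update:", scan_all(DEFINITIONS_V1))
    print("after update: ", scan_all(DEFINITIONS_V2))
```

With the v1 definitions, `known.exe` is caught by both the hash and the pattern, `variant.exe` only by the pattern, and `newfamily.exe` not at all; after loading v2 the new family is caught and `clean.exe` still scans clean. Real products add heuristics and behavioural checks on top of this, but the definition update is still what closes the gap for each newly catalogued sample.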

What smartphone apps really want

It’s no secret that when you install an app on your smartphone, it asks you for certain permissions. Well, perhaps ‘asks’ is the wrong term – it tells you what it will do, and if you don’t like it you can simply not use the app; there’s no real choice involved. The problem is that many of us install apps without checking what the app will be doing at all, a holdover from our approach to privacy policies.

Source: Welivesecurity.com

Some permissions seem nefarious but really aren’t. For example, if an app says it needs to ‘monitor your phone state,’ that would be understandably concerning; however, all that means is that the app needs to be able to determine whether you’re receiving a call and hand control back to the phone, so the phone can tell you there’s a call coming in and allow you to answer.