Petya Ransomware Attack

The WannaCry ransomware infected over 250,000 computers, Petya is just getting started. Protect yourself now.


A new ransomware attack has started spreading recently (see my previous post for a description of ransomware and tips to protect yourself).  This new software known as Petya or GoldenEye is similar to the WannaCry ransomware that hit about a month ago but security researchers say this one appears to be more sophisticated.  Most importantly it does not have the “kill switch” that was used to stop WannaCry.

Petya spreads in multiple ways.  It uses the same EternalBlue vulnerability used by WannaCry but it also appears to be spread through Microsoft Word documents with malicious macros embedded.

If you haven’t already patched your systems you need to now.  Microsoft has made patches available for Windows XP so even if you have an old system you should be able to get patches.

Lastly, never open any email attachments from suspicious emails: emails from people you don’t know, emails that don’t match what people you know normally send you, or emails you aren’t expecting.  For attachments that you believe are legitimate I suggest saving the attachment to a local file and scanning it with your anti-virus software before opening.

Here’s how to do that:

  1. In your email client or web browser select the email message with the attachment
  2. Right click on the attachment and select Save As from the context menu that opens
  3. Save the file where ever you like
  4. Open Windows Explorer and navigate to the file you saved
  5. Right click on the file and select Scan from the context menu that opens

If U WaNT 2 SEe yOUr DaTA aGaIN…

The aptly named WannaCry malware caused havoc around the world; here are tips to protect yourself from being the next victim.

Ransomware has been in the news recently with the global attack of the WannaCry malware program that started on Friday May 12th.

You might be asking what is ransomware?

Ransomware is a specific type of malicious software (malware) that prevents you from using your computer or accessing your files until you pay a fee to the person or group that released the malware.  Most often this is accomplished by encrypting your files with strong encryption (in other words, not something you can break).  You are typically given a limited amount of time to make the payment or the decryption keys will be deleted and lost forever.  Most often the payment must be in Bitcoins – a digital currency that is easy to exchange but difficult or impossible to track.

WannaCry was not the first example of ransomware but it has been one of the largest.  Estimates are over 230,000 computers in 150 countries were infected.

I’ll talk about how to protect yourself from ransomware but first I want to comment on what you should do if you find your system has been infected and someone is demanding payment from you to get your data back.

  1. The first step is to realize you are dealing with criminals; just like in typical ransom cases these are people who are not bothered by breaking the law, will not be swayed by emotional pleas, and in general don’t know or care about you – they just want money.
  2. Don’t pay the ransom, you have no way of knowing if the CRIMINAL on the other end will make good on their promise to give you back your data. They may raise the price or they may simply take your money and leave you with nothing.  Remember, if you pay them you are trusting in the code of ethics of a CRIMINAL.
  3. Prevent the spread of the malware to other systems – by removing it from the network. If it is using a wired connection simply remove the wire, if it is wireless you will need to change your wireless router configuration to block it.  If you are not sure how to do this call a friend.  As a last resort you can turn the system off but that may cause other problems.
  4. Go to another, uninfected computer and start looking for solutions. Sometimes computer security experts find flaws in the malware that allows you to recover some or all your data.
  5. The last step is the hardest, accept the fact that you may lose your data – permanently.

OK, so that last one doesn’t sound like fun so what can you do to protect yourself?  Here is my list of recommendations – in order of importance.

  1. Only run legitimate copies of the software you use. Pirated copies of software – aside from being illegal – often can’t be patched, may contain viruses, or may contain flaws that allow other malware into your system.  This is not limited to just the Windows operating system but all the other software you run – games, financial software, photo software, etc.
  2. Keep your software up to date with patches. At least monthly you should check for patches (or updates) that the software vendor has released to correct flaws.  Again, this is not just for your operating system but all software.  Most software will do this automatically now.
  3. Run only current, supported operating systems, browsers, and other software. If you just can’t let your Windows XP system go, at least take it off the network.
  4. Run a supported version of Anti-Virus software. There are many different A/V products available.  I’m not going to recommend one over another; the important thing is that you run one and you keep it up to date.
  5. Be aware of phishing attempts. Often the malware gets into your system when you click on a link in an email message that takes you to the malware site.  NEVER click a link without verifying where the link actually takes you.
  6. Configure your browser to prevent scripts from running automatically. This will protect you if you fall for a phishing attempt (it happens; don’t feel bad – see my post on phishing for tips to avoid it in the future).
  7. Stay away from questionable web sites. There are plenty of dangerous sites out there.  If you are visiting a computer hacking website it is likely your system will be attacked.  If you visit pirated software sites it is likely your system will be attacked.  Some adult sites also contain malware.  It is best to just avoid all these.
  8. Run frequent OFFLINE backups. What do I mean by offline?  If you are syncing all your files to a cloud provider (Dropbox, OneDrive, etc.) and your files are infected or encrypted that infection or encryption will replicate to your cloud provider.  That is not offline and will not help in this case.  You need a backup that will not be impacted by changes on your system – for example an external drive that you remove after the backup or a cloud backup that allows you to recover your files as of a given date (also known as versioning or version control).
  9. Lastly, if your computer suddenly starts acting strangely (windows opening or closing, very slow, error messages) turn it off.  This may be the first sign of malware.  Only you can determine what is not normal for your system so you will need to use your own judgement with this one.  Depending on how strange it is acting you may want to pull the plug rather than do a proper shutdown.  Doing this can limit the damage the virus can do.  If you do this contact an IT friend and explain what happened.  They can remove the hard drive, connect it to another system and recover any files not already encrypted or otherwise damaged.


Beyond Passwords

The time has come to move beyond passwords for protecting our accounts.

As a final comment in the password security series I have been doing I thought I would share something called Two Factor Authentication (2FA) or more generically Multi-Factor Authentication (MFA).

What is 2FA/MFA?  In non-technical terms it simply means that you need to provide two or more forms of identification (the factors) to prove who you are (the authentication).  The factors typically fall into three categories:

  • Something you know (knowledge factors) – such as a password
  • Something you have (possession factors) – such as your phone
  • Something you are (inherence factors) – such as your fingerprint

While 2FA/MFA sounds complicated, it isn’t.  Most people have used a form of 2FA without realizing it.  When you check into a hotel you are given a room key (something you have) and told a room number (something you know).  Without both factors you cannot get into the room.  This protects you if you lose or forget your room key at the pool.  Sure, a criminal could try the key on every room until they found the right one but it would slow them down – hopefully long enough for you to realize the key is missing and notify the hotel office.

2FA/MFA for websites works in a similar way.  When logging in you typically provide your password as you normally would, then the website will text a code to your phone (or call you with the code).  You must enter that code to complete the login.  The password is the something you know and the phone with the code is something you have.  It is unlikely that a criminal would know your password AND have your phone.

There are variations on how this works where the “something you have” is a Smart Card or token provided by the website rather than your phone but these are typically not used for consumers due to the cost.  High security environments may use biometric scanners (fingerprint, retina scanners) in place of something you have or something you know or as a third factor – a fingerprint reader that requires a password and a code sent to your phone.
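To make the two-step login concrete, here is an added example (not code from this post) of how a website might check both factors: the password is verified against a salted hash, and the one-time code is short-lived and single-use, so knowing the password alone is not enough. The 200,000 PBKDF2 iterations, the five-minute code lifetime and the user record are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo: one user record, stored the way a site should store it
# (a salted PBKDF2 hash, never the password itself).
PBKDF2_ROUNDS = 200_000          # assumed value for the demo

def make_password_record(password: str) -> dict:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}

def check_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    # constant-time comparison so timing does not leak how much of the hash matched
    return hmac.compare_digest(digest, record["hash"])

# Second factor: the six-digit code the site would text to the phone.
CODE_LIFETIME_SECONDS = 300      # assumed five-minute validity window

def issue_code(now: float) -> dict:
    """Create a fresh random code; the site keeps this record and texts only the code."""
    code = f"{secrets.randbelow(10**6):06d}"
    return {"code": code, "expires": now + CODE_LIFETIME_SECONDS, "used": False}

def check_code(pending: dict, candidate: str, now: float) -> bool:
    if pending["used"] or now > pending["expires"]:
        return False                      # expired or already consumed
    ok = hmac.compare_digest(pending["code"], candidate)
    if ok:
        pending["used"] = True            # a code works exactly once
    return ok

def login(record: dict, pending: dict, password: str, code: str, now: float) -> str:
    """Both factors must pass; the password check happens first."""
    if not check_password(record, password):
        return "denied: bad password"
    if not check_code(pending, code, now):
        return "denied: bad or expired code"
    return "granted"

if __name__ == "__main__":
    rec = make_password_record("correct horse")
    pending = issue_code(now=0.0)
    print(login(rec, pending, "correct horse", "", 1.0))               # wrong code
    print(login(rec, pending, "correct horse", pending["code"], 2.0))  # both factors
    print(login(rec, pending, "correct horse", pending["code"], 3.0))  # replay fails
```

The "now" parameter is passed in rather than read from the clock so the expiry and replay behaviour can be exercised deterministically; a real site would use the current time and would also throttle repeated wrong codes.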

For more details on MFA please see:

A number of websites have started offering 2FA/MFA as an additional protection for your accounts.  If you are interested in using 2FA/MFA to protect your accounts see for a list of websites that support 2FA/MFA.  You can search by name or by category.  If the site you use doesn’t currently support 2FA/MFA you can click a button asking them to support it.

Give 2FA/MFA a try on a few accounts and see if it is right for you.  Strong passwords, non-standard security questions, and 2FA/MFA are the foundation of on-line account / identity protection.


I forgot my password

The best password in the world can be defeated with the information you post on Facebook.

It happens.  It is hard to remember everywhere you have passwords not to mention remembering the passwords themselves.  This is why many people use a single password for everything.  If you missed it, see my previous post for why this is a bad idea.

Most sites have a “I forgot my password” link you can use to reset your password if you forget it.  Many sites require you to answer security questions before they will reset your password.  By answering these questions correctly you prove your identity.  These are questions you provided answers for when you created your account.  Common security questions are:

  • Who is your favorite actor, musician, or artist?
  • What is the name of your favorite pet?
  • In what city were you born?
  • What high school did you attend?
  • What is the name of your first school?
  • What is your favorite movie?
  • What is your mother’s maiden name?
  • What street did you grow up on?
  • What was the make of your first car?
  • When is your anniversary?
  • What is your favorite color?
  • What is your father’s middle name?
  • What was your high school mascot?

These questions allow you to gain access to your account the same as the password so you need to protect them as you would your password.  The idea behind these questions is that you are likely to remember the answer but someone else would have a hard time guessing the answer.

Unfortunately, that is not always the case.  According to the FTC 8.3 million people were victims of identity theft in 2005; 16% of those people reported that they knew the person who used their identity without permission.  The problem has only gotten worse since then.  Family members, friends, roommates are all likely to know the answers to at least some of these questions.

As bad as that is, complete strangers may be able to guess the answers to these questions.  People share a lot of personal information on social media.  Read the list of questions again and think about what you have shared.  Do you follow your favorite actor or musician on Facebook or Twitter?  Have you “liked” them?  Did you list where you went to school?  If you listed your home town a simple search will find the names of all the schools and their mascots in the area.  Have you listed your birthday or anniversary?  Are you friends with your parents?  If so, someone may find maiden or middle names easily.  What about posting a picture with your pet and including their name?

You get the idea.  Very little is truly private anymore.  It is either a public record that can be searched or we share it without thinking about the possible consequences.  By guessing the answers to your security questions criminals can hijack your account without knowing your password.

So, what can you do?  If the site lets you create your own security question consider doing that.  Think of a question that only you would know and is not something you would post online.  For example:

Q: What color shirt was I wearing when I fell in the river?

A: White

If you are limited to a pre-determined list of questions you can do any of the following (assume the question was “What was your high school mascot”):

  • Add punctuation to the answer – Tiger!
  • Add numbers to the answer – Tiger88
  • Misspell the answer – Tyger
  • Spell the answer backwards – Regit
  • Do all the above – Regyt88!
  • Make up an answer – Green Mustache

Remember, the computer has no idea what the “right” answer is.  Whatever you provide is the “right” answer.  There is no rule that says it has to be the real answer.  As long as the answer you give when you forget your password matches the answer you gave when you created the account you are good.

If you follow this approach you need to remember which method you used so you can reproduce it later; just what you needed, something else to remember.  You could use the same answer for every question so you can remember it but this is as bad as using the same password everywhere.  You could just make sure you use the same method, that would be more secure than giving the standard answer each time.  The best solution is to record the security question and your answer in the notes field of your password manager.  This gives you the best security without having to remember anything.

You may think this is being paranoid or overkill.  First, I would remind you of one of my favorite sayings: “Just because you are paranoid doesn’t mean they aren’t out to get you”.  Second, you need to think about this from the criminal’s mindset not yours.  Most people see a locked door and a sign that says “Authorized Persons Only” and move on; criminals see that and start thinking about how to get around it.  You need to protect yourself.


Password Please

You have enough to remember, passwords don’t have to be one of them. Free yourself AND be more secure by using a password manager.

In my previous post I talked about how to identify phishing attempts so you can avoid being a victim.  In that post I mentioned that one of the risks associated with phishing is since most people use the same password on multiple accounts a single phishing attempt can put all your accounts at risk.

The best way to prevent that risk is to use a different password for each account you have.  That is a lot of passwords, I get it.  Later I’ll talk about tools you can use to make it easier to maintain separate passwords but first I want to talk about passwords in general.

Do you have a “good” or “strong” password?  What makes a password “good”?  My definition of good is a password that is easy for you to remember but hard for someone else to guess.  There are a number of tools available on the Internet to guess or “crack” passwords.  If your password is based on a word, a name, a date, etc. one of these password crackers will be able to guess your password in a few seconds.

In general, you want to use as long of a password as the site will allow up to 20 characters.  You should use both upper and lower case letters, numbers, and special characters (punctuation, shifted number keys, etc.).  You also want to avoid common passwords such as “password”, “letmein”, or “abc123”.  You can see a list of the 1000 most common passwords at

You can test the strength of your password at  Disclaimer: While I believe this site is safe to use, if you enter your real password into this site you may expose yourself to identity theft or other forms of fraud.  Use it at your own risk.

Here are some sample results for various passwords:

Password – Time to Crack – Comments

  • railroad – Instantly – Top 3175 most used passwords, based on a word, too short, only has letters
  • Railroad – Instantly – Top 3175 most used passwords, based on a word, too short, only has letters
  • Railroad1 – 4 days – Based on a word and number, too short, no special characters.  Depending on the tool used this could be guessed in a few seconds.
  • Rail-road1 – 6 years – Better, but depending on the tool used this could be guessed in a few minutes
  • Ride-the-Rails – 29 million years – Now we are getting somewhere, but if I know you are interested in trains or railroad history I might be able to guess it in hours or days.  How would I know you are interested in trains?  Your social media history (Facebook, Twitter, etc.) reveals a lot about your interests and hobbies.
  • [password not shown] – 34 billion years – The first letter of each word in the first sentence of “The Hobbit” which was published in 1937.  Easy to remember, very hard to guess.
  • [password not shown] – 558 quadrillion years – I know what you are saying, how in the world can I remember that?  Keep reading.
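The table above comes from a strength-checking site; the added example below (not from this post or that site) shows the two things such estimates rest on: the size of the space a brute-force guesser has to search, which grows with length and with the number of character classes, and whether the password is really just a dictionary word with decorations, which a cracker tries first regardless of the keyspace. The guess rate and the tiny word list are constructed assumptions and will not reproduce the site's exact numbers.

```python
import math
import string

# Constructed mini word list standing in for the "most used passwords" and
# dictionary lists a cracking tool tries first. Real lists hold millions of entries.
COMMON_WORDS = {"password", "letmein", "abc123", "railroad", "train"}

# Assumed guess rate for the brute-force estimate: ten billion guesses per
# second, a round number for an offline attack on a fast hash. Not from the post.
GUESSES_PER_SECOND = 10**10

CHARACTER_CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),   # 32 printable symbols
]

def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers every character used."""
    return sum(n for chars, n in CHARACTER_CLASSES if any(c in chars for c in password))

def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search of that set and length has to cover."""
    return charset_size(password) ** len(password)

def dictionary_based(password: str) -> bool:
    """True if stripping case, digits and punctuation leaves a word on the list."""
    core = "".join(c for c in password.lower() if c.isalpha())
    return core in COMMON_WORDS

def estimate(password: str) -> dict:
    space = keyspace(password)
    seconds = space / GUESSES_PER_SECOND
    return {
        "password": password,
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(math.log2(space), 1),
        "brute_force_years": seconds / (365 * 24 * 3600),
        # a dictionary hit means the keyspace number is irrelevant: it falls in seconds
        "dictionary_based": dictionary_based(password),
    }

if __name__ == "__main__":
    for pw in ["railroad", "Railroad1", "Rail-road1", "Ride-the-Rails"]:
        e = estimate(pw)
        print(f"{pw:15} set={e['charset']:3} bits={e['bits']:5} "
              f"years={e['brute_force_years']:.3g} dictionary={e['dictionary_based']}")
```

Note how "Rail-road1" gets a far larger keyspace than "railroad" yet is still flagged as dictionary-based, which is the point the table's comments make: decorating a word helps only against a tool that has not already tried that word.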


OK, so the last two are looking good.  They are essentially impossible for someone to guess.  Unfortunately, the last one is also impossible for most people to remember.  Also, I suggested that you use different passwords for every site: Facebook, Apple, Amazon, your bank, your email… that could be dozens of passwords.

That is where password managers come in.  Password managers are tools for SECURELY storing your passwords – please don’t create a Word document and put all your passwords in it; especially if you name it “passwords”.  There are many password managers available with many free options available.  I have used Keepass for years but you may want to check out others – here is a good starting point

Here are a few things to look for in a password manager:

  • It should encrypt your stored passwords with a master password (you will need to remember the master password but this is the only password you need to remember)
  • It will work on all the computers and devices you use (Windows, Mac, Android, iPhone, etc.)
  • It does not limit the number of passwords you can store (or at least has a very large limit)
  • It will allow you to store the web site URL and some notes about the account (such as security questions).
  • It will allow you to copy and paste the URL, username, and password so you don’t have to type them (very useful feature, I wouldn’t use a password manager without it)
  • It will maintain a password history of past passwords
  • It will let you print a copy of your passwords – this is helpful for storing in a safety deposit box or with a family member in case of an emergency

After you put all your passwords into a password manager make sure you back it up regularly.  If you accidentally delete your password file you don’t want to have to click “I forgot my password” on every website you use.  Lastly, only use a well-known password manager from a reputable site; you don’t want your password manager to secretly send all your passwords to the software developer.  Research whatever password manager you are thinking of using before downloading it.

It is an adjustment to start using a password manager and trusting it to remember your passwords for you but once you try it you won’t want to go back.


Gone Phishing

How to spot email scams and phishing attempts. Don’t be a victim.

Phishing is an attempt by a scam artist to trick you into revealing personal information such as an account name, password or even your social security number.  It normally begins with an email; common phishing emails are:

  • Someone asks for your help to transfer money out of a foreign country. They need to use someone else’s bank account because theirs has been frozen by the foreign government.  If you let them deposit some large amount of money in your account you can keep 10% when you transfer the rest to an account they will provide.  In reality what will happen is they will take all the money out of your account.
  • A bank will contact you saying there is a problem with your account. For your protection they have frozen your account until you login and verify some information.  In reality you will be giving your bank account name and password to a criminal who will empty your account.
  • One of the popular social media networks will contact you saying you have a new friend, or follower, or something. If you click the link you will be giving your social media password to criminals who will try using that to access other accounts.

Most often these emails will direct you to a web site where you can take whatever action is needed to “address the problem”.  The real problem is the web site is fake and stealing your information.

Think you are too smart to fall for one of these scams?  Well, I have a test for you.  If you want to jump right to the test you can click either of these two links to take a phishing test offered by two reputable companies.  If you want to know what to look for before taking the test keep reading and come back to the links.

Here are common things to look for to spot a phishing attempt:

  • Poor grammar or misspelled words – the scammers are often from foreign countries and English is a second language
  • The letter is not addressed to you by name but rather to “Customer”, “User”, or simply to your email address
  • You are urged to act quickly because there is a problem, risk a loss, or face legal action
  • The email’s from address doesn’t match the business name – legitimate businesses (with a possible exception of small local business) do not send from Yahoo, Gmail, Hotmail, etc. accounts.
  • The email is from a business or social media service you do not use
  • Banks and social media companies will NEVER ask for personal information in email
  • The link in the email doesn’t go to where it suggests it does. Hover the mouse over the link WITHOUT clicking; at the bottom of your email or browser window you should see where the link will take you.  The text in the email is just for you to read – never trust it.  If what you see when you hover doesn’t match what you see in the email it is a phishing email.
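The last item, hovering to compare the visible link text with where the link actually goes, can be automated for an HTML email. The following is an added example, not code from this post: it pulls every link out of a constructed sample message and flags the ones whose visible text names one site while the real address points somewhere else. The sample message, the host names in it and the two-label "owning domain" rule are assumptions for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body; the domains are made up for the demo.
SAMPLE_EMAIL_HTML = """
<p>Dear Customer, your account has been limited.</p>
<p>Please visit <a href="http://login.example-bank.com.evil.example/verify">www.example-bank.com</a>
to restore access.</p>
<p>Questions? See <a href="https://www.example-bank.com/help">our help center</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_part(host: str) -> str:
    """Crude owning-domain rule (last two labels); assumed for the demo, wrong for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def looks_like_domain(text: str) -> bool:
    """Only link text that itself names a site makes a claim we can check."""
    return re.fullmatch(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", text.strip(), re.I) is not None

def find_mismatched_links(html: str) -> list:
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not looks_like_domain(text):
            continue                      # "click here" style text: nothing to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        actual = urlparse(href).hostname or ""
        if registrable_part(shown) != registrable_part(actual):
            flagged.append({"shown": shown, "actual": actual, "href": href})
    return flagged

if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"text says {hit['shown']} but link goes to {hit['actual']}")
```

Mail clients and secure email gateways apply the same idea at scale; the check here deliberately ignores links whose text is ordinary words, since those carry no claim about the destination and the advice for them is unchanged: go to the site by its published name rather than through the email.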

Now that you know what to look for go back and take the tests.  How did you do?  Was it harder than you thought?  Share your results in the comments.  Here is my advice: when in doubt throw it out.  Never click the links in the email; instead log in to your account using the site’s published website name.  If you are really concerned call the business at their published phone number (not one in the email).  If you don’t know the published website name or phone number use your favorite search engine to look it up.

So why is phishing so dangerous?  You might think it is no big deal if someone gets your password to Facebook.  The worst they could do is unfriend people, post something embarrassing, and so on; right?  Unfortunately no.  Most people use the same login name and password for all their accounts.  So if someone tricks you into logging into a fake Facebook page they can try that same username and password on Amazon, Apple’s iTunes, Paypal, and so on.  They can also use that username and password on any site that allows you to login with your Facebook account.

In my next post I will share how to come up with strong passwords (something hard to guess) and ways to protect your usernames and passwords so that if someone does get your information (from a data breach or you fall for a phishing scam – it happens) you can limit the damage.  Stay tuned.