SplashData has released their latest annual report on the most commonly used passwords. Unfortunately, the more things change, the more they stay the same. By now, everyone knows that the number of hacking attempts and high-profile data breaches are on the rise. Everyone has heard, on more than one occasion, how important it is to not use the same password across multiple web properties, to enable two-factor authentication if and where it is offered and to use passwords that contain a combination of letters, numbers and symbols in order to make them more difficult to crack. Although these are things that everyone knows, the wisdom embedded in the advice above often goes unheeded. According to the data collected by aggregating passwords leaked in data breaches over the past year, the most commonly used password for 2017 is "123456," followed closely by the ubiquitous "password." These are unchanged from last year. The rest of the top 25 list contains a mix of the old and the new, including:
SplashData's CEO Morgan Slain had this to say on the topic: "Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, 'starwars' is a dangerous password to use. Hackers are using common terms from pop culture and sports to break into accounts online because they know how many people are using those easy-to-remember words." Do yourself a favor and use a password manager. I highly recommend LastPass. It will store all of your passwords and it even allows you to generate completely random passwords that no one can remember. Use a long secure password for LastPass, and it'll be the "Last Pass"word you will ever need to remember.
0 Comments
The new version of Firefox is out, and if you've moved away from the browser in recent years, it may be time to give it another look. Dubbed "Quantum," Firefox's latest offering has been completely redesigned, and has a lot to like, not the least of which is its raw speed. This latest version is twice as fast and now handily beats Google Chrome in speed tests, thanks in no small part to its next-gen CSS engine, and the fact that it is the first browser to fully utilize the power of multicore processors. It also consumes 30 percent less memory and positively sips battery power, making it a great choice for laptop and smartphone users. In addition to that, the revamped browser offers improved tracker blocking, built-in screenshot functionality and of particular interest, support for WebVR, which enables webmasters to take full advantage of the capabilities offered by virtual reality headsets. You can get Mozilla's latest offering from their website right now if you're a PC user, though you'll have to wait a bit if you're on a smartphone. The latest release is scheduled to appear on the Google Play Store in a matter of days, but there is, as yet, no ETA on when it will be appearing in Apple's App Store. Speed is life in business, and if you're looking to squeeze out a bit more efficiency and performance from the machines on your network, the new Firefox browser is definitely worth checking out. It's only a matter of time before the other major players catch up, but until they do, Firefox's Quantum browser looks to be the new reigning king of the hill and represents a big win for mobile users, given the power savings on offer. Kudos to Mozilla for an exceptional update! If you can't trust your friends, who can you trust? No one, apparently. There's a new scam on Facebook that's making waves, and it's one you should be mindful of. You may get an "urgent message" from someone you know, asking for your help in recovering their Facebook account. This is a tried and true phishing scam, relying on some basic psychology. After all, if you get an earnest sounding message from someone you know explaining that you're listed as one of their "Trusted Friends" and as such, uniquely positioned to help verify their identity so they can get access to their account back, who wouldn't instinctively respond? This is exactly what the scammers are hoping for. The message goes on to explain that they're sending an unlock code to your email address, and they just want you to reset the password for them. Unfortunately, the unlock code is nothing of the sort. Instead, it triggers a password reset for your own account. If you click the link and "reset your friend's password," then reply back, helpfully telling him or her what the new password is, you've inadvertently given your own login information to the hackers. From there, the sky's the limit. What makes this latest scam particularly problematic is that so many other web properties allow you to use your Facebook login details to access them, which is a roundabout way of saying that you're using the same login credentials across multiple websites - one of the most basic and pervasive problems of user security in existence. There's no real defense for this other than vigilance, and if you see a message like this, simply ignore it. If your "trusted friend" genuinely needs help regaining control of their account, Facebook has resources to assist. “Fool me once, shame on you. Fool me twice, shame on me,” as the saying goes. Unfortunately, Google has now been fooled by the same trick twice. For the second time in recent years, Google has allowed a malicious variant of the popular extension “AdBlock Plus” onto its Chrome Web Store. It was noticed by a security researcher going by the alias “SwiftOnSecurity.” Before Google removed it, it had been installed more than 37,000 times by unsuspecting users. This incident underscores a serious flaw in the way that Chrome extensions are uploaded to the Web Store. The entire process is automated, and Google only intervenes if an extension is reported as being problematic. Unfortunately, given the automated nature of the process, it’s almost frighteningly easy to abuse, and since there are no significant checks on the front end, hackers can upload extensions bearing the same or highly similar names as extensions from legitimate developers. Unless a user clicks on the “reviews” tab to read what other users are saying about the extension, at first glance, they’d have no real way of knowing that there was a problem until they started experiencing it for themselves. As mentioned, this is actually the second time this very extension was abused, the first being back in 2015. As malware goes, this one is annoying, but not awful. Instead of blocking ads, it has a tendency to open multiple new windows, displaying a torrent of unwanted advertising. Fortunately, there don’t seem to be any other “hooks” built into the code, so it doesn’t install more destructive malware, but it’s still annoying. All that to say, if you’ve been experiencing a sudden flurry of advertising popups, you may have been one of the unlucky few to have grabbed a malicious variant of an otherwise excellent web extension. If you have, just uninstall it and go grab a new copy, and you should be all set. Be sure to contact me if you have any questions. Google Labs has produced some amazing ideas. Some of them have found their way to the market, and many others have not. The one thing they have in common, though, is that they’re all intriguing and exciting. That’s especially true of Google’s latest offering, Google Pixel Buds. If you’ve ever read “The Hitchhiker’s Guide To The Galaxy,” then you know the term “Bable Fish.” If you grew up watching Star Trek, then you know all about the Universal Translator. Well, Google has built the version 1.0 of that very device. The new earbuds are able to translate forty different languages in something close to real time. Close enough, in any case, to be useful in day to day conversation. Obviously there are some glitches and limitations at this point, just as there were in the first smartphones and computers, but the fact that this new technology exists at all, in any form, is nothing short of amazing. The potential applications are limitless, and the number will only grow as the technology matures. We can see the possibility of seamless global communications that cut across language barriers. It boggles the mind. If you do business with vendors all over the globe, imagine how much simpler this is going to make your life. As mentioned, it’s a given that early adopters will face certain limitations and no doubt chafe under the shortcomings of the early versions of the device, but that’s been true of just about every invention we’ve ever seen enter the marketplace. Consider speech-to-text technology, for example. The early versions were quite buggy and you could count yourself lucky if they successfully interpreted 40 percent of your words, translating them into text. These days, that percentage is closer to 98. The best way to help this new product succeed is to jump in and start using it, bugs, flaws, shortcomings and all. Kudos to Google Labs! Security researchers have found a new critical security flaw dubbed "Krack" (Key Reinstallation Attacks) that affects literally every WiFi router and smart phone in use today. The reason? The security flaw resides in the WiFi standard itself, rather than in a third-party product. In addition to being vast in scope and scale, Krack is a particularly nasty, versatile flaw, allowing hackers to intercept credit card numbers, passwords, photos and a whole host of sensitive personal information. It works like this: A hacker finds a vulnerable WPA2 network, and then makes an exact copy of it, including impersonating the MAC address. This clone then serves as a "man in the middle" allowing the hacker who controls it to intercept everything passing through it. WPA2 encryption requires a unique key to encrypt each block of plain text, but because Krack attacks make a copy that's indistinguishable from the original, they're able to use the same encryption key. As bad as that is, it gets worse for Android and Linux users. Thanks to a bug in the WPA2 standard, these devices don't force the client to demand a unique encryption key with each use. Instead, they allow the key to be "zeroed out," literally creating an encryption key containing all zeroes, which interferes with a key part of the handshake process. In addition to that, hackers can deploy specialized scripts that can cause the connection to bypass HTTPS, which leaves passwords and other normally protected data exposed. If there's a silver lining, it is that the attack can't be used to target routers directly, but honestly, that's not much of a silver lining, because the potential damage this new vector could cause is virtually without limit. Unfortunately, until a patch is released, there's not much you can do, short of turning off WiFi altogether. This may work for smartphone users, but it is simply impractical for routers. There's some good news, though. The fix should be relatively easy to implement, although no ETA has been given at this point. Equifax's problems just keep getting worse. Not long ago, the company suffered a major data breach that ultimately resulted in the CEO stepping down and a painful congressional grilling. Initial estimates placed the number of impacted users at some 143 million, but as the investigation has continued, it turns out that the numbers are even higher than initially feared. Based on the forensic teams final report, as many as 145.5 million users were impacted. In our modern society, there are many who would argue that your credit score is as important, if not more important than your social security number. To arrive at your score, the Big Three credit reporting agencies necessarily have to collect a large amount of sensitive information about people, so when they suffer from a breach, it's bad, and in Equifax's case, it just keeps getting worse. Based on the latest information, the compromised data included names, social security numbers, birthdays, and addresses. If that wasn't bad enough, some 200,000 customers saw their credit card information exposed, along with an unknown number of electronic documents containing Personally Identifiable Information (PII). To put these numbers in full context, Equifax maintains files on more than 800 million people around the world, along with more than 90 million businesses, so the breach, while catastrophic in size, wasn't nearly as bad as it could have been. That's a small consolation to the millions who have been impacted, but it's important to understand that as bad as the breach was, it was quite far from the worst case scenario. In the aftermath of the breach, the company has come under fire by the US Government, which has charged that the company actually stands to profit from it by selling a credit monitoring service after giving impacted consumers one year free. In light of the recent congressional hearings on the matter, the future of that program is unclear, but this breach, and its root cause (an unpatched Apache Struts 2 vulnerability) serves to underscore how easy it is for even big multinational companies to fall victim to a determined hacker. Late last year, Yahoo announced that it was the victim of the largest data breach in history. It impacted, by their initial estimates, fully one third of their user base, some one billion users. As it turns out, Yahoo’s estimates were wildly inaccurate. Literally every person who had a Yahoo account in 2013 was impacted, making the total in the neighborhood of three billion accounts (yes, that’s billion, with a “B”). If you’re a Yahoo user, and have had your account since 2013 or before, then your account was impacted, regardless of if you received a notification from the company. You may be tempted to simply delete your account, especially if it’s one you no longer use on a regular basis, but don’t. Yahoo’s policy is to recycle defunct accounts after thirty days, meaning your account can be hijacked by anyone if you delete it. The best bet is to change your password immediately and enable two-factor authentication to provide an added layer of protection. Also, if you’re in the habit of using the same password across multiple websites, be sure to change any that share your Yahoo.com account’s password. One of the first things a hacker will try is to use compromised credentials on other accounts. If you don’t take immediate action, you’re essentially handing the hackers the keys to your digital kingdom and opening yourself up to identity theft, compromised bank accounts and credit cards and more. In fact, this would be a great time to simply get out of the habit of using the same password across multiple web properties. It’s a bad habit, and if it’s one you’ve developed, then it’s time to make a change. True, it’s not as convenient, and having to remember multiple passwords can sometimes be annoying, but isn’t your digital security worth it? And the best way to maintain different passwords for each site is to use a password manager. I recommend LastPass. Click the link for a free month of premium. For a time, it seemed we had reached the high-water mark where Locky Ransomware was concerned. After the big, global attack earlier this year, interest in that particular strain of ransomware seemed to wane as hackers went off in search of the “next new thing” to deploy against the unwitting public. Unfortunately, rumors of Locky’s death may have been highly exaggerated. A massive new email campaign is underway, using Amazon as a cover, and the infected emails come bearing Locky as a “gift” to anyone who opens them and downloads the attachment. While no one knows who is behind the Locky software itself, this new email campaign is being run through a large botnet-for-hire called Necurs, which is currently made up of more than five million devices from all over the world. These devices have been sending out a million emails an hour that appear to come from Amazon and contain downloadable attachments with their malicious payload. The hackers are being quite savvy about the operation too, timing the sending of their emails so that they arrive during normal working hours, which makes them seem more legitimate. As ever, anyone unfortunate enough to download the attachment contained in one of these emails will soon find all the files on their system encrypted, and get a notification that they must pay a ransom in BitCoin if they want the unlock code to get their files back. It gets even worse, though. This latest attack does more than just install Locky. It also installs a program called “FakeGlobe,” which appears to be another variant of ransomware that’s designed to trigger after files are unlocked. So, even if you pay the ransom, you may find yourself immediately facing newly encrypted files and having to pay a second one. As ever, the keys to avoiding scams like these are vigilance, employee/family education and a robust backup and file recovery plan, in the event that someone in your organization or household does open one of these emails. And be sure to contact PC Tech for Hire for assistance in establishing your plan. You've probably seen the news today about the Montgomery County government being hit with ransomware. Local news has this article about it.
But what is ransomware? Ransomware is a form of malicious software that locks up the files on your computer, encrypts them, and demands that you pay to get your files back. Wanna Decryptor, or WannaCry, is a form of ransomware that affects Microsoft’s Windows operating system. The variant that hit Montgomery County is known as the SamSam ransomware. When a system is infected, a pop up window appears, prompting you to pay to recover all your files within three to seven days, with a countdown timer on the left of the window. It adds that if you fail to pay within that time, the fee will be doubled, and if you don’t pay within seven days, you will lose the files forever. Payment is accepted only with Bitcoin. How does it spread? According to the US Computer Emergency Readiness Team (USCRT), under the Department of Homeland Security, ransomware spreads easily when it encounters unpatched or outdated software. Experts say that WannaCry is spread by an internet worm -- software that spreads copies of itself by hacking into other computers on a network, rather than the usual case of prompting unsuspecting users to open attachments. It is believe that the cyber attack was carried out with the help of tools stolen from the National Security Agency (NSA) of the United States. Some forms of malware can lock the computer entirely, or set off a series of pop-ups that are nearly impossible to close, thereby hindering your work. What can be done to prevent this? The best way to protect your computer is to create regular backups of your files. The malware only affects files that exist in the computer. If you have created a thorough backup and your machine is infected with ransomware, you can reset your machine to begin on a clean slate, reinstall the software and restore your files from the backup. According to Microsoft’s Malware Protection Center, other precautions include regularly updating your anti-virus program; enabling pop-up blockers; updating all software periodically; ensure the smart screen (in Internet Explorer) is turned on, which helps identify reported phishing and malware websites; avoid opening attachments that may appear suspicious. If you are not sure if you're protected, I offer services that can help you determine your risk. My ProActive Care Services can help prevent ransomware from getting into your system. Contact me to discuss your concerns and let me help you protect your files. |
Ronnie MorganHi! I'm Ronnie, your PC Tech for Hire for the Montgomery, AL area! Let me know if you need my 25+ years of experience to help you with your computer needs. Archives
January 2018
Categories
All
|