A Procrastinator’s Guide to Ransomware

by

It’s affecting our banks. It’s hurting our healthcare organizations. It’s in our pipelines! Let's break it down for those of you who keep meaning to Google the specifics, but to be honest it's all you can do to remember to look up what a "yeet" is.

RansomwareWhat Is Ransomware?

Ransom malware (ransomware) prevents users from accessing their system or files and demands ransom payment in order to regain access. In some cases, the attackers will also threaten to release or leak the data if the ransom is not paid. 

When Did This Become A Thing?

In 1989. This is an interesting story, but to be brief: floppy disks were mailed to 20,000 AIDS researchers in 90 countries under the guise of an AIDS risk survey from biologist Dr. Joseph Popp. Upon loading the disk, researchers’ computers were infected with a trojan horse virus (a type of malware that works exactly how it sounds - you think you’re downloading a fancy wooden horse, but really it’s a fancy wooden horse PLUS some malware). Poetically, the virus laid dormant until the 90th boot, when an angry red page replaced the users’ screen demanding payment of $189 (paid via snail mail) to unlock their files. Popp’s program was relatively rudimentary - it simply changed the users’ filenames and extensions. Once the encryption tables were known, the files could be restored. Popp was arrested, and while he claimed the profits from his crime were intended for AIDS research, no one believed him, and that’s still a crime. He was declared mentally unfit for trial - something about curlers in his beard and condoms on his nose. I think he sounds fun.

What Does Ransomware Look Like?

Scareware

The mildest of the bunch, scareware is named as such because it feeds on your fears. Anyone who has seen the flashing “Warning! This computer is infected!” pop-up has witnessed scareware. Usually it provides a phone number for “tech support,” where you can pay some criminals $80 to put additional malware on your computer. In this case, your data has likely been untouched, provided that you do not click anything or call anyone and give them your private data. If presented with scareware, ctrl-alt-delete yourself back to safety and run an anti-virus scan from your trusted AV.

Screen lockers

Slightly more worrisome than scareware is lock-screen ransomware. In this scenario, you might start up your computer to see a full-sized window accompanied by an FBI or US Department of Justice seal stating that criminal activity has been detected on your device and you must pay a fine. It probably doesn’t need to be said, but this is not how the FBI or the Department of Justice would contact you if they suspected you of illegal activity. While annoying, screen lockers can be bypassed without paying the attackers, provided you have a bit of technical experience.

Encrypting ransomware

Now you're in a pickle. In this type of attack, your locally stored files - and sometimes cloud backups, too - are taken hostage and encrypted. Payment, usually in the ballpark of a few hundred, but sometimes thousands (or, for larger companies, millions) of dollars is demanded in return for decryption and return. Crypto-ransomware uses the same sophisticated technology that encrypts our conversations, banking transactions, and military communication, so unscrambling isn’t possible without paying the ransom. Even worse, there’s no guarantee the criminals will hold up their end of the deal in the event you do pay. 

How do I get it?

Most of the time, it comes as an attachment or link in a carefully crafted phishing email. It can also be spread through "drive-by downloading," which can happen through no fault of your own. You may visit a legitimate site that has been compromised by malicious code. The malicious code hopes to identify software weaknesses on machines and web browsers to determine which systems are vulnerable.

How Do I Keep My Stuff Safe?

  • Most importantly, maintain offline backups. Many ransomware programs will look for connected backups, so this “offline” bit is important. This way if they take your data, you can restore from your backup. Test your backups periodically to be sure everything is working.
  • Keep your programs and operating system up to do date. Those patches are there for a reason - often that reason is security vulnerabilities.
  • Be suspicious of your emails. Even if the alias looks like it’s from someone you know, check the actual email address - is it correct?
  • Use an ad-blocker. Drive-by download attacks often use advertisements to upload infections. An ad blocker can help limit your exposure.
  • Use a reputable antivirus. Bitdefender is good (even if we hate them right now), but our favorite is Malwarebytes OneView.

Lastly, Some Good News

If you’re feeling down about all this crime, or that you didn’t get into the cybercriminal game because it’s great money and you love a hoodie, here’s some good news: In 2013, a man turned himself in to the police after being deceived by “FBI” ransomware claiming to know of illegal activity on his computer. It turned out there was in fact child pornography on the man’s computer, and the man was arrested. Silver linings! The world is an A-OK place, guys. 

If you have concerns about how to accomplish any of the above recommended actions, please reach out to your friendly specialists at Patient Computer Help, Inc. to set up a consultation.

Patient Computer Help, Inc. assists people with their Macs and PCs in the Chagrin Falls and Ohio City areas.

A Critical Look at Your Cyber Security Hygiene

by

Many years in the future, when today’s 30-somethings are old and gray, taking a break from virtual reality deep sea diving in their space retirement homes, they’ll tell visiting great-great-great-great grandchildren about how they are the last generation to remember life before the ubiquity of the Internet. Maybe they’ll recall humorously how naive and adorable we all were in the early 2000s, generally trusting the email in our inboxes, reusing passwords across multiple accounts, believing the videos that we saw on the internet were real. At this point in time, we’re mostly still learning this stuff. We’re still wrapping our heads around the fact that the Internet IS the real world, and our digital lives require as much protection as our physical ones.

Let’s spend a moment critically evaluating what we are doing to protect ourselves, and how we can potentially do better.

1. Keep Everything Up to Date

When possible, keep your operating software up to date with the latest release (provided you’ve waited a couple of weeks to let the guinea pigs report back with any issues and solutions). Using outdated operating systems leaves you vulnerable to malicious attacks. Along the same vein, make sure your antivirus software and browsers are kept up to date as well.

2. Encrypt Your Data 

On a Mac, go to the Apple Menu -> System Preferences -> Security & Privacy -> FileVault. Turn this on. This encrypts the startup disk, keeping your files safe if a thief were to steal your device. As you will be warned when you go to turn it on, be sure to remember the password to your device and/or the recovery key it asks you to set up – otherwise your data could be lost.

On Windows, BitLocker is a program that can accomplish something similar. To enable it, go to the Control Panel, locate the BitLocker Drive Encryption system preferences, and click the link to Turn On BitLocker.

3. Store File Backups Offsite in a Secure Location

In recent years, ransomware has grown to be one of the biggest threats on the web. It’s a type of malware wherein cyber criminals encrypt a victim’s data and charge a ransom for its release. One of the best protections against this is having an offsite backup of your data. Carbonite is a good one we recommend, but do your research (or let us help you) to decide what’s best for you.

4. Create Strong, Unique Passwords

As we’ve recently discussed, the password situation is becoming dire for some. A great solution is to use a trusted password manager. Use it to keep all of your passwords, change them regularly, and enable TFA (two-factor authentication) when possible.

5. Monitor Your Online Presence

Check to see what non-friends/followers can see of your social media accounts. If your birthday, address, and mother’s name are all linked to your profile and easily found by a stranger, it’s time to consider changing your privacy settings. It’s also not a bad idea to Google yourself every so often to see what comes up. Create a Google Alert to automatically let you know as soon as your name appears online.

6. Stay Off Public WiFi

Unless absolutely necessary, we recommend never connecting to public WiFi. Public WiFi is inherently less secure than your private network because you don’t know who else is connecting to it. A better option is to use your phone as a hotspot and connect to the internet that way.

7. Watch for Phishing Attempts

Cyber criminals have gotten quite sophisticated in posing as reputable companies that you might otherwise trust. If you receive an email or a phone call from someone claiming to be from a company you have an account with, be very cautious of giving them any information. If they do need something from you (and they are who they say they are), they’ll be okay with you navigating to their webpage yourself and signing in that way.

8. Get an Annual Checkup

By law, you are allowed a free copy of your credit report from each of the three major credit reporting companies per year. Take advantage of that and ensure that the information on your credit reports is correct and up to date.
Additionally, we recommend you face the music and get a dark web scan report on your email address or domain name. An annual or twice yearly scan can alert you to any major personal data compromises before they get any worse. Give us a call and we can send you your report.

As mentioned, cyber security is still a relatively new concept for a lot of people. Unfortunately, its necessity is only growing and it won’t be going away anytime soon. With the adoption of a comprehensive cyber security approach incorporating some small, manageable habits, it is very much possible to keep yourself safe. If anything mentioned in the list above was unfamiliar to you, please reach out to your friendly Patient Computer Help team to set up a consultation.

The Word on Password Managers

by

The vast majority of us are using weak (or potentially even worse – reusing) passwords across our many online accounts. This behavior makes a great target for cyber attacks. Criminals can use your compromised information to open bank accounts in your name, take out loans, ruin your credit rating, lock you out of your own data…it’s a real grab bag of nightmare scenarios! I know safety and diligence are boring and tedious, but the reality is cyber crime is on the rise – and these criminals are only getting more sophisticated. If you haven’t taken your cyber security seriously before, now is the time.

A huge step in securing your information online is taking a good hard look at your password habits. Last week, we talked about why you probably shouldn’t save your passwords in your internet browser. As an alternative, most security experts recommend using a standalone password manager. Let’s dig into the details of these services to help decide whether they’re right for you.

The Basics

A password manager is a type of software application that stores and manages your online login IDs, passwords, credit card numbers, PINs, answers to security questions, etc. These types of applications can even generate super strong passwords for you – since you won’t be tasked with remembering them, you can afford to get a little wild with the special characters and random letters/numbers. In addition to storing your passwords behind extremely strong encryption, the password manager itself does not have access to your passwords. Only you have the master password to access them (also meaning if you forget your master password, you’re out of luck).

When choosing a password manager, you will likely choose between a local/desktop-based system and a cloud-based one. The main difference between these two systems is how and where your information is stored. Local applications store your encrypted database in a local “vault,” which lives only on your device (and isn’t accessible over the web). Cloud-based systems store your information in the password manager’s servers, meaning you can access it from any device with the proper login information and authentication. The local application is the most secure, but it sacrifices some convenience and usability. Cloud-based is more user-friendly, but requires a level of comfort with having less control over where your information is stored.

The Good

  • The features that make for good passwords – at least 12 characters made up of a random variety of letters, numbers, and special characters – also make them very difficult to remember. A password manager generates strong passwords and remembers them for you.
  • Many password managers offer to scan your passwords and provide a security checkup. You’ll receive alerts if you are reusing passwords anywhere, if any of your passwords aren’t up to snuff, and if you have accounts on sites known to have had security breaches.
  • Some password managers offer a password auto change feature. The application will log in to your accounts with your saved credentials, update your password and save the new login information. Security experts recommend that we update our passwords at least once per year – a very time-consuming process to do manually. Password managers take a lot of the work out of this task.

The Bad

  • Switching to a password manager takes significant effort on the front end. Depending on how many online accounts you have, it could be a decent time commitment to get all of your online credentials saved to the application. The good news is that once you’ve done it, you’re set (and likely much safer) for a while.
  • Putting all of your password eggs in one basket can be a tough pill to swallow for some. If there is a security breach (not unheard of), the worry is that all of your passwords could be compromised. That being said, password managers are extremely secure baskets. We mentioned last week that browsers don’t make the best password managers because their chief concern is not security. The same logic applies to standalone password managers – these companies are in the business of cyber security first. As long as you choose a reputable company and create an extremely strong master password, you’re likely a lot safer than you would be without a manager.

The How

  • Do your research. You will first want to pick a reputable password manager. Experts recommend any of the big name applications (LastPass, Dashlane, and 1Password have the best reviews), but from there it will be depend on your preferences and needs. Wirecutter recently published a great review to help you decide.
  • Create a master password to end all master passwords. Your account is only as secure as your master password is strong. Go crazy with this one – it’s the only one you’ll need to remember. Once you’ve created an account, you’ll need to install any browser extensions and/or mobile applications.
  • Clear your schedule. You’ll need to work your way through adding all of your online accounts to the application. This is the time consuming bit. It may be helpful to keep a running list of your accounts as you think of them. I highly recommend using the password generator to change all of your passwords as you go.
  • Destroy the evidence. Purge your phone/browsers/desktop of any saved passwords. Throw out the post-its stuck to your monitor, delete the notes file in your phone, turn off password saving in your browser. If your application doesn’t offer it, set a reminder in your calendar to change your passwords again in a year (it’ll be a lot easier next time!).

Patient Computer Help for Grown Ups assists people with their Macs and PCs in the Chagrin Falls and Ohio City areas.

Should You Save Your Passwords in Your Browser?

by

If you’re ready to pull your hair out over password management frustrations, rest assured you’re not alone. The average user in the US has over 130 online accounts. Since we all know never to reuse the same password across multiple accounts (right?), that’s 130 unique, complex passwords to remember! I won’t speak for you, but my brain wasn’t built for that kind of task. Consequently, for many of us, storing our passwords is a necessity. One popular option that has cropped up in recent years is browser password management. Whichever browser you use, you likely have been asked the question Would you like us to save your password? If you answered yes, the next time you visited that website it may have autofilled your password for you. How convenient! But is it safe?

Let’s break it down…

Encryption is Key

Browsers often save your passwords in a plaintext list, frequently accessible with only the password to your device (and other times through no password at all), and commonly with fairly weak encryption. Even if the data is strongly encrypted, the cryptography and implementation specifics often aren’t publicly reported, leaving the user at the mercy of the company’s claims and reputation.

Security is Secondary

You might trust a babysitter to make your kid dinner every now and then, but would you hire him as a full time chef? Probably not. Your babysitter’s job is (hopefully) taking care of your kid! Browser companies’ chief focus will always be providing the best browsing experience. Firefox, Chrome, Safari, and Edge are all locked in a battle to win our hearts, and they know what 98% of us care about – an attractive interface and an intuitive user experience. Protecting their users’ login credentials will always be secondary, if that.

Convenience is Costly

On top of potentially weak encryption and subpar security measures, the most convenient feature of a browser password manager – autofill – is inherently dangerous. Most people using a browser password manager are not opening the browser’s vault every time they need a password and copy-pasting it into the login box. Most users allow the browser to autofill login information for them. Unfortunately, recent research by the cybersecurity company Proofpoint discovered that some digital ad companies have been scraping this autofill data to collect email addresses. This methodology could easily be applied to any saved data – including passwords.

It’s Not All Bad News

There is another (slightly less) convenient, vastly more secure option – dedicated password managers. Next week we’ll go into detail on these and help you decide what’s best for you.

Patient Computer Help for Grown Ups assists people with their Macs and PCs in the Chagrin Falls and Ohio City areas.