Don’t Re-Use that Password!

A reprint from the PC410 Security Newsletter:

Password reset ahead!

There have been some big password thefts at sites like LinkedIn and Tumblr in the last few years. While those attacks are long over, over half a billion user names and passwords have become available online, and other companies are paying attention. Facebook and Netflix have been looking through the list, matching them up against their own users, and where they find a match, they ‘force a password reset’ at each of those users’ next logins. Yes, they are invalidating passwords, millions at a time.

So, no, when a site won’t let you log in, and you haven’t changed your password, it’s not because you’ve forgotten the password–it’s because the site thinks that someone besides you has it, or could get it from some hack, either recent or whatever they’ve gotten around to reacting to. If you use a unique password at every site, you’ll have fewer of these forced password changes, and your accounts will be more secure.

Yes, I hear you; my own list of passwords is well into the hundreds now, and I don’t even try to remember any but a handful of them–I have a list, and it has its own password to decrypt it locally. Another approach is to use software to manage those passwords; there are hundreds, and the only password manager program I will suggest, which has had outside testing and has been checked to confirm that not even the software publisher can read your passwords, is LastPass; free and premium versions are online at lastpass.com. Benefit: LastPass logs you into sites automatically, uses more complex passwords than you would use manually, and copies your passwords between all your computers.

Microsoft is Doing More:
Common Passwords are Banned

So not only do you have to change passwords, ‘123456′ is no longer going to work at Microsoft’s sites, including hotmail.com and outlook.com. For starters, there is now an 8-character minimum length. And they’re banning all the passwords from the published lists of the most common passwords, which always include gems like “qwerty” and “monkey”.

So what to do? Length is more important than complexity. “theBEARclimbsTREES” is a much safer password than the complex yet common (and now banned) “pa$$w0rd”. An automated attack on an 18-character password would take years, and it’s not possible at all online; no online service will let you work your way through “11111111″, “11111112″ all the way up to “myZEBRArunsFAST”.

Passwords are broken in these ways:

  • A hacker grabs your email address using a simple search for email addresses on any search engine. (NEVER post your email address on a public web page.) Then, using automation on thousands of malware-infected computers (a ‘bot-farm’), they try to log in at the most popular sites, like FaceBook or each of the top-50 banks, with the 100 most common passwords, spread out over weeks to avoid being blocked.
  • Malware on your computer captures your passwords, and sends them back to automated capture systems, which can then log into your online accounts on the first try.
  • Hackers simply try to log in as you, and answer the so-called “security questions” to reset your password. The standard questions asked for security are mostly publicly-available information, and all the answers they need may be on your Facebook page. Hint: Make stuff up. Your first-grade teacher could be “Mr. Wizard”. Write down what answers you give each site, and use nothing guessable or public for answers to security questions, ever.
  • Security holes, most recently at TeamViewer’s remote control software, allow a hacker into your system, where the passwords remembered in your browser make logging in easy, and that’s an easy step to emptying accounts at banks and Paypal.

Here’s more online about the TeamViewer attacks:
http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/

Computer Passwords

The software that I use to transfer stored passwords from an old computer to a new computer, along with your other settings and email, isn’t unique to hardware technicians. If I can log into your computer for 5 minutes, I can export every password you’ve set to ‘remember’ to a plain-English list.

Passwords on your computer are to keep honest people out. There’s no way to use passwords to keep anyone out of a computer that they have physical access to. Locks are more effective than passwords. Encryption is more effective than locks. Call if you need encryption or help with computer security; the options are scalable to fit your needs.

And a Special Note for Business Users with
Network-Enabled Copiers

Just as there is malware that attacks routers with default passwords, there is malware that attacks network printers and copiers. As copier technicians never change passwords, the password to your high-speed device is probably either admin, password, 123456 or 12345678. Change it to something else.

And if your printer has a feature to allow printing from the Internet, as in from your computer when you’re outside the office, remove the software–it usually has a name like ‘Web-Enabled Cloud Print’. It’s not secure, and there have already been incidents where thousands of printers at colleges have spontaneously printed hate literature. Always choose ‘custom install’ on printers, and uncheck every feature that you won’t use, especially if it allows use of the internet.



Should you Unsubscribe from SPAM?

A reprint from the PC410 Security Newsletter:

Sometimes, yes. Sometimes, no. Here’s how to tell the difference, and why.

First, definitions: SPAM is unsolicited, untargeted email, generally selling something. It’s named after an old Monty Python’s Flying Circus sketch that featured a restaurant with vikings that repeatedly burst into song, singing about Spam, the meat product. They’re still doing it here:


The Monty Python SPAM sketech on YouTube
(And as the Monty Python credits would say: now for something completely different…)

Spam HamThere’s also HAM, which is targeted commercial email, or email that is pointed at someone who is a possible purchaser. A lot of this is completely legitimate, difficult to filter out, and safe to unsubscribe from. Most junk mail that gets past spam filters is ham, and much of the ham can be removed from your daily email.

Don’t Try to Unsubscribe from Everything

If the sender’s email in a spam is an address that has nothing to do with the product, it was probably sent out from a BotFarm of infected computers using stolen email services. Any reply to that just goes to the email server used by the infected computer. Don’t send replies; the owners of those systems have enough problems already–thousands of bounces and “I’m out of the office until…” messages are already clogging their systems. And don’t click any unsubscribe links in those messages, either; they’re either confirming that you read the message, so they can send more spam, or they will go nowhere. Just delete these messages.

If the sender is an actual company that you’ve done business with, and the unsubscribe link is to their own web address, or to a known good newsletter company, yes, click the link and unsubscribe. The best-known newsletter companies are Constant Contact, MailChimp, and MadMimi, and they take spam very seriously, and will honor your unsubscribe requests.

Some of the worst offenders are retail stores, and these are safe to try and unsubscribe from, but unless they’re using a service, their actual removal process may take weeks, or may not actually succeed. Resorting to a phone call is unlikely to work; contact your email provider for a block if the volume of HAM from any one company is annoying.

And a reminder: Float the mouse over a link, without clicking, and the destination should appear at the bottom of the screen. If it’s not going where you expect it should, it’s either evil, or it was sent by someone who doesn’t care about security. Just delete it and move on.

Fake Web Charge DOC is a Social Engineering Attack

And today’s hoax email is a social engineering attack, arriving as a fake web charge DOC file. It wants me to open a DOC file and enable macros, and no, I didn’t do that.

Subject: Re: filetiger.com charge on my card

WTF is this $263.48 charge on my card?
I never ordered anything from filetiger.com.
I have attached a screenshot of my statement.
WTF is this about?

Thank you
Attachment: ss_filetiger.com_47155.doc

OK, I know what the transaction sizes are for my FileTiger file management software on my FileTiger.com site, and if there was a $263 site license sale for a product that sells for $9.90, I would have been notified when it happened. So it’s suspicious. There’s no signature, and the sending address has the email address as the name, like this:
abe@b.com <abe@b.com>
(I won’t show the original email addresses, as they’re both fake and variable, and likely stolen from an infected computer’s address book.)

Next, there are carbon copies to three other addresses, on three different domains. One of them is at Ford.com. Really. Another goes to a domain with no web site.

And, of course, it’s all blandly generic. The domain name is there, and it was sent to the email address associated with that domain, publicly available from the records at my domain registrar.

OK, well, I’m clearly not going to open a suspicious doc file in Word; it’s a stupid thing to do; Word has auto-run macros, and there are constant patches to force Word to ask permission before launching the macros, and workarounds for the bad guys to avoid that permission, especially if your version of Word is not the newest edition. Instead, I open it in the vastly-safer WordPerfect, which won’t run embedded macros without permission, ever, and couldn’t run a Microsoft Word macro in any case. This image is inside:  (Note that the logo for Office is wrong–it’s not a Microsoft message.)

“This document was created with an older version of Microsoft Office”
“This document was created with an older version of Microsoft Office”

Wow. Brazen. It asks me to “Enable editing” and then to “Enable content”.

OK, next, I take the file and submit it VirusTotal.com, which runs it against (currently) 55 antivirus products. I did this only 10 minutes after it arrived, so there are only 3 ‘infected’ diagnosis, but it’s clearly evil:

Virus DOC file scan result

 

Note that VirusTotal recognized the file with another domain name, but scanned the same day as I received it, one minute ago, in fact.

I also looked inside the file with a pure text editor; there are a lot of totally random phrases in there, so it’s probably being re-generated regularly to stay ahead of AV detection software.

As always, the defense against these social-engineering attacks is the same: Don’t open attachments you didn’t ask for.

 


UPDATE, Later in the same day:

Apparently, I’m ripping off a lot people and should expect chargebacks. I have just received an identical message, but now from an email address in Japan. The filename has changed to “ss_filetiger.com_197472.doc”, and VirusTotal says it’s a different file, but it’s now recognized as malware by 6 of the 54 scanning programs, although it’s still not detected by the AV software I’m running locally. In other words, AV can’t keep up.