02/26/2016

The Ugly Truth About "Ransomware"





On Feb 18, the entire computer system at Hollywood Presbyterian Medical Center was locked and held for ransom.

The hackers, who easily infiltrated the hospital's system, locked and encrypted all of the hospital's medical files and computers, making it impossible to work and help patients. The hackers demanded $17,000 to unlock the hospital's computer system. The hospital staff had to resort to pen and paper to get anything done, and many critical patients had to be diverted to other hospitals for care.

And if you think you're not vulnerable to ransomware attacks, think again:

The Locky ransomware can be targeted at anyone, anytime. Whether you're a big company or a single person, Locky makes it incredibly easy to infect and hold your PC... or many PCs... for ransom. Local resident Brandi C. was hit by Locky at home.


Brandi had to pay $300 to the hackers so they would unlock and release her computer back to her.



How Does This Happen?

The Locky ransomware is spread primarily through emails. Proofpoint CEO Gary Steele says their security firm saw 10 million messages go out in one day that contained the Locky ransomware.


Locky is typically delivered via email as an attachment. By clicking open a simple Word document attached to your email, you could instantly infect your system with Locky. Your entire computer would then be locked and encrypted with a demand from the hackers to pay hundreds or even thousands of dollars to unlock your computer.

How To Avoid Locky and Other Ransomware

  1. Don't click on suspicious links or attachments in your emails. If you get an email from someone you don't know that has an attachment, you have two options:

    1. Delete the email immediately without opening. This is your best and safest option.

    2. Use your antivirus software to scan the file before opening it (most antivirus software has a feature that lets you right click a file and scan it). Caution: be extremely careful that you don't actually double click to open it. If you do, you could instantly infect your PC. If you do get infected with Locky or any ransomware, try The FixMeStick to get rid of it.

  2. Back up all your data regularly. If you're not already backing up your files... you should be. Good backup software is a critical piece of online security that many people overlook. Back up always and often.

  3. Be sure you have a good antivirus or Internet Security software installed. We say it over and over, but people still get hit with ransomware and other malware all the time because they have poor antivirus software. A good antivirus program will scan attachments before they can do any damage.

 

In the end, the hospital paid the $17,000 ransom to get their files back. They panicked because they felt they had no other choice. They should've trained their staff to better identify suspicious email attachments, and they should've had better antivirus software running.

And Brandi, and thousands more like her, was an innocent bystander who got hit with this devious malware... and you could too. Be alert when you're online just like you would in a bad part of town. Keep your eyes and ears open and don't be too quick to click.

09/25/2015

How to Tell if Your Passwords Are Secure (Our Ultimate Guide to Passwords.)


How to go from this... to this... without giving up your sanity




Ah, the password.

Everyone has their own technique for making a password. Most suck.

Today you'll learn how to make passwords that:

  1. are easy to make
  2. are easy to remember
  3. help turn your PC into a steel-reinforced vault


Q. Is there a way to tell if I have a good password?

A. Yes. There are a few online tools, including one at Microsoft to check your password strength.

It's available for free here:

A better one in our view is this one:

The Microsoft one relies largely on the length of your password, which is in our view less important than its complexity.

Q. How do you make a good password?

A. There are a lot of good password tutorials out there. Here are a couple:

Microsoft has a fairly good tutorial here:


It's reasonably good, buuuut if you're interested in an even better way, here's an article from renowned security guru Bruce Schneier:


Here's our own short 3-step version of how to make a secure password:

  1. Start with a phrase or sentence that means something to you.
  2. Take the first letter of each word. Leave the punctuation.
  3. Swap out a letter or two with numbers, leaving everything else.

Here's what it looks like in action:

  1. That's a winner! A World Series winner for the Cardinals!
  2. Taw!AWSwftC!
  3. Taw!AWSw4tC!

First, it's memorable. It's a phrase important to you. Maybe it's a movie quote, like:

    "I made him an offer he couldn't refuse."

Whatever the case, since it's important to you, it's memorable.

Second, you have a password that's very hard to guess (or crack.)

Last, it has all of these things:

  • upper case 
  • lower case 
  • number
  • special characters
  • 8+ characters

...which many passwords these days require.
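The three steps and the checklist above, written out as an added example (not code from the original article). The function names and every digit swap other than f -> 4 are assumptions made for the illustration, and the second phrase is a constructed input showing that a short phrase fails the length item.

```python
import string

# Look-alike digits for step 3. The page only shows f -> 4; the other
# entries are assumptions added for this example.
SWAPS = {"f": "4", "o": "0", "i": "1", "e": "3"}

def initials(phrase):
    """Step 2: first letter of each word, punctuation left in place."""
    out, word_start = [], True
    for ch in phrase:
        if ch.isalnum():
            if word_start:
                out.append(ch)
            word_start = False
        elif ch.isspace():
            word_start = True
        elif ch not in "'\u2019":   # an apostrophe stays inside its word (That's)
            out.append(ch)
            word_start = True
    return "".join(out)

def swap_digits(password, max_swaps=1):
    """Step 3: swap up to max_swaps letters for digits, leave the rest."""
    out, done = [], 0
    for ch in password:
        if done < max_swaps and ch in SWAPS:
            out.append(SWAPS[ch])
            done += 1
        else:
            out.append(ch)
    return "".join(out)

def missing_requirements(password):
    """Return the items from the page's checklist that the password lacks."""
    checks = {
        "upper case": any(c.isupper() for c in password),
        "lower case": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special characters": any(c in string.punctuation for c in password),
        "8+ characters": len(password) >= 8,
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    for phrase in ("That's a winner! A World Series winner for the Cardinals!",
                   "To be or not to be."):   # short phrase: constructed input
        pw = swap_digits(initials(phrase))
        print(pw, missing_requirements(pw))
```

A phrase printed in an article, this one included, is public, so run the steps on a sentence of your own.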

Q. Now that I've made a good password, can I reuse it?

A. No. No. No. No. Aaaaand... No. Not if it's for anything the least bit important.

Most importantly, never reuse passwords used for your email account(s). Ever.

And, don't store 'em in your browser's "autosave" feature either.

Why?

Reuse a password even once--or have it stolen from your browser's "autosave"--and you risk giving the bad guys access to everything.

Let's say you reuse it at a highly trusted online merchant, perhaps Target. After all, they'll never get hacked, right?

(Oh, wait, they did, and sadly, millions of credit card numbers and other customer info were exposed.)

If you reuse your password, assume the bad guys will try to log in to your email account with the same password they stole from the online store.

Mind you, they're not going to be testing email accounts by hand. They don't have time for that.

They have little programs to automatically test passwords. Sure, they're not going to get everyone, nor do they care.

They just need some to work, and they've now turned their initial break-in into even more.
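From the side of the site being logged in to, the automated testing described above leaves a recognizable trail: one source touching many accounts, a try or two each, with only a few successes. An added example (not from the original article) that flags that pattern; the log format, thresholds and sample lines are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample log: "<time> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2016-02-26T09:00:01 198.51.100.7 alice FAIL
2016-02-26T09:00:02 198.51.100.7 bob FAIL
2016-02-26T09:00:03 198.51.100.7 carol OK
2016-02-26T09:00:04 198.51.100.7 dave FAIL
2016-02-26T09:00:05 198.51.100.7 erin FAIL
2016-02-26T09:01:10 203.0.113.20 frank FAIL
2016-02-26T09:01:25 203.0.113.20 frank FAIL
2016-02-26T09:01:40 203.0.113.20 frank OK
"""

def parse(log_text):
    """Turn log lines into (ip, user, succeeded) tuples, skipping bad lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            events.append((parts[1], parts[2], parts[3] == "OK"))
    return events

def find_stuffing(events, min_accounts=5, max_tries_per_account=2):
    """Flag sources that try many accounts with only a guess or two each.

    Assumes the events already cover one short time window.
    """
    by_ip = defaultdict(lambda: defaultdict(list))
    for ip, user, ok in events:
        by_ip[ip][user].append(ok)
    findings = []
    for ip, users in by_ip.items():
        if len(users) < min_accounts:
            continue   # e.g. one person fumbling their own password
        if max(len(tries) for tries in users.values()) > max_tries_per_account:
            continue   # repeated guessing at one account is a different pattern
        hit = sorted(u for u, tries in users.items() if any(tries))
        findings.append({"ip": ip, "accounts_tried": len(users), "compromised": hit})
    return findings

if __name__ == "__main__":
    for finding in find_stuffing(parse(SAMPLE_LOG)):
        print(finding)
```

Accounts listed under `compromised` accepted a stolen password and need a forced reset.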

Q. Should I use two-factor authentication?

A. Yes. A loud and thunderous, YES.

Two-factor authentication (sometimes called "2-Step Verification" or TFA) is an easy way to make your account security stronger... even if the bad guys have stolen your username AND password.

It's a bit like needing two different keys to open a safe deposit box. One key you have, one key you have to ask someone else for.

Without both, you can't access the box.

Same goes for the bad guys, if they only have one key (your password), they can't get in without the other key that you have.

Two-factor authentication can put the kibosh on someone breaking into your accounts.

Here's how it works at sites that support two-factor authentication:

  1. Enter in your username and password like normal.
  2. Upon seeing your username and password, the site sends a random secret code via text message to your cell phone.
  3. Enter this code into the site you're logging into.

Without that random secret code, you can't get in.
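The site's half of those three steps, as an added example (not code from the original article or from any site it names). The class, the `send_sms` callback, the five-minute lifetime and the three-attempt limit are assumptions; the points to notice are the unpredictable code, its expiry, single use and the cap on guesses.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 3         # assumed number of guesses allowed per code

class SmsSecondFactor:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms      # hypothetical callback: (phone, text)
        self._clock = clock
        self._pending = {}             # username -> [code, expires_at, tries_left]

    def password_accepted(self, username, phone):
        """Step 2: call only after the username and password have checked out."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        self._pending[username] = [code, self._clock() + CODE_TTL_SECONDS,
                                   MAX_ATTEMPTS]
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, username, submitted):
        """Step 3: True only for the right code, in time, within the limit."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, tries_left = entry
        if self._clock() > expires_at or tries_left <= 0:
            del self._pending[username]            # expired or guessed out
            return False
        entry[2] -= 1
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[username]            # a code works once
            return True
        return False

if __name__ == "__main__":
    outbox = []                                    # stands in for the SMS gateway
    tfa = SmsSecondFactor(lambda phone, text: outbox.append(text))
    tfa.password_accepted("alice", "+15550100")    # constructed user and number
    code = outbox[-1].split()[-1]
    print(tfa.verify("alice", code), tfa.verify("alice", code))
```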

The other benefit: if someone tries hacking your account, you get text messages with the secret codes, letting you know someone is trying to muck with your account.

Sadly, not enough banks support two-factor authentication, but Gmail, Zoho, Twitter, and a lot of other places do.

The bottom line with TFA: if you can use it, you should.

Here's Google's documentation on two-step verification:

https://www.google.com/landing/2step/

As always we welcome questions by email or phone.