IT Trends Milwaukee

How Safe Are Your Online Passwords?


Happy Monday, everyone! I'm sure you've heard about the Yahoo security breach (the full article is reproduced below). If you have a Yahoo account, I highly recommend changing your password just to be safe.

It was about a month ago that I made the same suggestion for your LinkedIn account when that site was breached. As a best practice, change your online passwords regularly and don't reuse the same password across sites. Create a password that is STRONG. Some sites show you how strong a password is as you type it; for those that don't, you can use Microsoft's password checker.

Here are a few password suggestions from Microsoft.

Create STRONG passwords

A strong password is an important protection to help you have safer online transactions. Here are steps you can take to create a strong password. Some or all might help protect your online transactions:

  • Length. Make your passwords long with eight or more characters.

  • Complexity. Include letters, punctuation, symbols, and numbers. Use the entire keyboard, not just the letters and characters you see most often. The greater the variety of characters in your password, the better. Bear in mind, however, that password-cracking software automatically tries the common letter-to-symbol substitutions, such as "and" to "&" or "to" to "2", so those substitutions alone add little strength.

  • Variation. To keep strong passwords effective, change them often. Set an automatic reminder for yourself to change your passwords on your email, banking, and credit card websites about every three months.

  • Variety. Don't use the same password for everything. Cybercriminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking websites.
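The Complexity bullet above is the one most people get wrong: "P@ssw0rd123!" satisfies the length and variety rules yet falls to the first rule-based cracking pass, because the tool simply undoes the substitutions. The checker below is an added example written for this post, not Microsoft's checker or any code from it. Its wordlist and substitution table are constructed stand-ins for the far larger ones cracking tools ship with, and the 8- and 14-character thresholds are the ones quoted on this page.

```python
import re
import string

# Constructed, deliberately tiny wordlist standing in for the multi-million
# entry dictionaries that password-cracking tools ship with.
COMMON_WORDS = {
    "password", "letmein", "welcome", "admin", "qwerty", "monkey",
    "dragon", "football", "iloveyou", "sunshine", "princess",
}

# Letter-to-symbol substitutions that cracking rule sets undo automatically,
# so "P@ssw0rd" is no stronger than "password" against them.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t", "|": "l",
})

# Characters people bolt onto the ends of a base word ("Dragon2024!").
DECORATION = string.digits + string.punctuation + " "

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def char_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol appear in the password."""
    return sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)


def candidates(password: str) -> set:
    """Base words a cracker derives by stripping decoration and undoing leet
    substitutions. Two variants: strip the tail only ("P@ssw0rd123!" ->
    "password") and strip both ends ("!Password!" -> "password")."""
    forms = {password.rstrip(DECORATION), password.strip(DECORATION)}
    return {f.lower().translate(LEET_MAP) for f in forms}


def dictionary_hit(password: str):
    """Return the longest wordlist entry hidden inside the password, or None."""
    cands = candidates(password)
    for word in sorted(COMMON_WORDS, key=len, reverse=True):
        if any(word in c for c in cands):
            return word
    return None


def assess(password: str) -> dict:
    """Apply the page's rules (length, variety) plus the substitution check."""
    reasons = []
    length = len(password)
    classes = char_classes(password)
    hit = dictionary_hit(password)
    if length < 8:
        reasons.append("shorter than 8 characters")
    if classes < 3 and length < 14:
        reasons.append("fewer than 3 character classes and under 14 characters")
    if hit:
        reasons.append(f"reduces to the wordlist entry '{hit}' once substitutions are undone")
    return {
        "length": length,
        "classes": classes,
        "dictionary_hit": hit,
        "verdict": "weak" if reasons else "ok",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "LetMe1n!", "$unshine", "1234567890",
               "correct horse battery staple"):
        print(f"{pw!r}: {assess(pw)}")
```

Note that the long all-lowercase passphrase passes while the four-class "P@ssw0rd123!" fails: length buys more than substitutions do, which is exactly the point the Complexity bullet is making.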

Yahoo Security Breach Shocks Experts

Company failed to take even basic precautions to stop 450,000 usernames and passwords from being exposed.

By Antone Gonsalves Jul 12, 2012 3:29 PM

A Yahoo security breach that exposed 450,000 usernames and passwords from a site on the huge web portal indicates that the company failed to take even basic precautions to protect the data.

Security experts were puzzled Thursday as to why a company as large as Yahoo would fail to hash the passwords in its database. Instead, they were stored in plain text, so anyone who obtained the file could read them directly.

"It is definitely poor security," Marcus Carey, a security researcher at Rapid7, said. "It's not even security 101. It's basic application development 101."

Yahoo declined a request for an interview, and only emailed a statement confirming the breach that occurred Wednesday. The company said that an "older file" containing roughly 450,000 user names and passwords was stolen from its Contributor Network, a subset of Yahoo's massive network of Web sites.

Membership in the Contributor Network consists of freelance journalists who write content for Yahoo Voices. The network was established following Yahoo's 2010 acquisition of Associated Content.

Less than 5 percent of the stolen data had valid passwords, Yahoo said. "We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised," the statement said.

The breach had ramifications far beyond Yahoo, because the portal allowed people registering with the Contributor Network to use credentials from other sites to log in. Carey identified some of the other sites as Google's Gmail, Microsoft's Hotmail, AOL, Comcast and Verizon.

A hacker group called D33Ds Company took credit for the breach, and posted a statement on its website saying the attack was a warning. "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," the group said, according to media reports. "There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly."

The hackers claimed to have used a common attack method called SQL injection to reach the database behind the site. SQL injection works by sending fragments of SQL through an input the application accepts, such as a search field or a URL parameter, which a poorly written application then pastes into its own database queries; the injected text changes what the query does, letting the attacker bypass checks or read tables that were never meant to be exposed.

Tony Perez, chief operating officer for Sucuri, who used to work with defense contractors in developing secure applications, said Yahoo's overall security lapses were a disservice to its users. "It makes you wonder. If a property like Yahoo at that scale is doing that, and they did it for their Yahoo Voices, what's the probability of that also occurring in their other properties?"

The Yahoo breach came a month after professional social networking site LinkedIn acknowledged that 6.5 million password hashes had been stolen and posted on a Russian hacker forum. In that case the passwords had at least been hashed (with unsalted SHA-1, as was widely reported at the time), which slows an attacker down but does not stop weak passwords from being recovered.
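The two failures the article describes, a query that lets attacker-supplied text rewrite it and a table that holds passwords in the clear, are easiest to see side by side. The script below is an added example, not Yahoo's code or anything recovered from the breach: the tables and accounts are constructed, the payloads are of the general kind the article mentions (nothing about the specific Yahoo Voices request is known from this page), and PBKDF2-HMAC-SHA256 is used as one reasonable hashing choice rather than whatever Yahoo or LinkedIn actually used.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # work factor; raise as hardware allows


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: the storage the article says Yahoo lacked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_db() -> sqlite3.Connection:
    """Constructed sample data: the same two accounts stored both ways."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, salt BLOB, hash BLOB)")
    for user, pw in (("alice", "Hunter2!"), ("bob", "letmein")):
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)  # per-user salt defeats precomputed tables
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (user, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str) -> list:
    """BROKEN ON PURPOSE: user input is pasted into the SQL text, and the
    comparison is against plaintext passwords. Returns matched usernames."""
    sql = ("SELECT username FROM users_plain "
           f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn, username: str, password: str) -> bool:
    """Parameterized query plus constant-time comparison of salted hashes.
    Injected SQL is just an unusual username here; it never reaches the parser."""
    row = conn.execute("SELECT salt, hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


# Payloads of the kind the article describes: SQL sent through a login field.
BYPASS_USER = "alice' --"                                   # comments out the password check
DUMP_USER = "x' UNION SELECT password FROM users_plain --"  # pulls every stored password


if __name__ == "__main__":
    db = build_db()
    print("bypass:", vulnerable_login(db, BYPASS_USER, "wrong"))
    print("dump:  ", vulnerable_login(db, DUMP_USER, "wrong"))
    print("same payloads against the safe version:",
          safe_login(db, BYPASS_USER, "wrong"), safe_login(db, DUMP_USER, "wrong"))
    print("real credentials:", safe_login(db, "alice", "Hunter2!"))
```

The dump payload is the one that matters for this story: against the plaintext table it hands the attacker every password in one query, whereas the same trick against the hashed table would yield only salts and hashes that still have to be cracked one by one. Note that the hashing and the parameterization are independent fixes; the hashed table with a string-built query would still leak hashes, and a parameterized query over the plaintext table would still expose every password to anyone who reads the file, which is how the Yahoo data was actually lost.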


Computer Army Being Assembled and Awaiting Orders


The purpose of this vast computer force is still not clear following the August email malware surge

An enormous army of infected computers is being assembled, but it is unclear yet what purpose they will be put to.

Wave after wave of malicious email attachments has been sent out since August, and with average success rates for such mailings, millions of machines could be compromised, says internet security firm Commtouch.

Once infected, the computers can be loaded with additional malware that can perform a range of activities, including spamming, participating in DDoS attacks, stealing bank credentials and compromising email and social-network accounts.
But what this particular botnet will be used for remains a mystery.

Since a record peak of 25 billion malicious email attachments sent on a single day in mid-August, attachment-borne malware has spiked five more times, each spike smaller than the one before.


Each peak represents a surge in a particular scam used to dupe victims into opening the attack attachments. The first wave consisted mainly of phony notices from UPS or FedEx that a package had been misrouted. The second, called the Map of Love, is a PDF that purports to be a map of interesting destinations worldwide. The third is a false notice of an altered charge for a hotel room, according to Commtouch's blog post.

User forums indicate that the malware campaigns worked, with many users opening the attachments. While Commtouch has no estimate of the number of machines compromised, it says that such campaigns succeed roughly in proportion to their volume: the more attachments sent, the more opened.

If the purpose of the assembled botnet is to send spam, it hasn't had an impact on overall spam traffic, which has actually been trending a bit downward. However, if the purpose is for something much worse than to simply send spam, we’ll have to just wait and see.

Microsoft Warns of Password-cracking 'Morto' Worm


Various Internet security firms report that a new Internet worm is spreading in the wild and taking advantage of weak passwords on Windows systems.

First reported Sunday, the Morto worm or Win32/Morto appears to be an old-school Internet worm, a rarity in recent years when Trojans and bots make up the majority of new malicious samples. Morto displays a mixture of sophistication and directness in its search for server prey.

According to multiple reports, Morto infects Windows workstations and servers, but spreads via the Windows Remote Desktop Protocol (RDP), an element of the Windows Remote Desktop Connection service that allows a Windows PC or server to be controlled remotely.

Once it has installed itself as a hard-to-spot service hosted inside the Windows svchost.exe process, the malware scans the IP addresses on the subnets it can see for hosts accepting Remote Desktop Protocol (RDP) connections on TCP port 3389 and tries to log on to each one using a short dictionary of likely passwords.

Some of the passwords on its list include admin, admin123, user, test, *1234, letmein, password, server and 1234567890, according to an entry on Microsoft's Malware Protection Center (MMPC). Once the worm figures out the weak password, it connects to the remote system and copies itself. Several Morto variants have already been identified.

If the worm gets lucky and guesses a correct password on the server, it then copies itself to the victim system and tries to elevate its own process to gain Administrator control before downloading further components.

Microsoft confirmed the existence of the worm in a TechNet blog post Sunday, but it remains unclear which versions of Windows may be vulnerable and the extent to which it is spreading successfully.

In its post, Microsoft also advised the use of strong passwords, which should be 14 characters or more and contain a variety of letters, punctuation, symbols and numbers.

As Microsoft's researchers point out, Morto needs no software exploit to do its job, only weak passwords of the sort that plague even well-defended networks, which often hold more devices than the teams looking after them can easily manage.

"This particular worm highlights the importance of setting strong system passwords," said Microsoft's Hil Gradascevic. "The ability of attackers to exploit weak passwords shouldn't be underestimated."

It is important to remember that this malware does not exploit a vulnerability; it relies entirely on weak passwords. River Run encourages our readers to use strong passwords to help protect their systems, and to enforce both strong passwords and regular password changes. Because every infection starts with a guessed password, an account-lockout policy and limiting which hosts can reach TCP port 3389 reduce the worm's chances as well.
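Because Morto makes its attempts over ordinary RDP logons, each guess leaves a failed-logon record (Event ID 4625, logon type 10 for RemoteInteractive) in the Windows Security log of every host it probes, and a guess that lands leaves a 4624 from the same source moments later. The detector below is an added example for this post, not Microsoft's or any vendor's tool; the log lines are constructed in a simplified space-separated export format (time, event ID, logon type, target account, source address), and the threshold and window are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # Windows Security log: an account failed to log on
SUCCESSFUL_LOGON = 4624   # an account was successfully logged on
RDP_LOGON_TYPES = {10}    # 10 = RemoteInteractive; see the note on type 3 below
THRESHOLD = 5             # failures within WINDOW from one source -> alert
WINDOW = timedelta(minutes=2)

# Constructed sample: one event per line, fields as they would be pulled from
# the Security log. 10.0.0.77 behaves like a Morto-style guesser; 10.0.0.12 is
# a user who mistyped once; 10.0.0.91 is a network (type 3) failure, not RDP.
SAMPLE_LOG = """\
2011-08-28T02:14:01 4625 10 Administrator 10.0.0.77
2011-08-28T02:14:02 4625 10 Administrator 10.0.0.77
2011-08-28T02:14:03 4625 10 Administrator 10.0.0.77
2011-08-28T02:14:04 4625 10 Administrator 10.0.0.77
2011-08-28T02:14:05 4625 10 Administrator 10.0.0.77
2011-08-28T02:14:06 4625 10 Administrator 10.0.0.77
2011-08-28T02:14:07 4624 10 Administrator 10.0.0.77
2011-08-28T09:30:11 4625 10 jsmith 10.0.0.12
2011-08-28T09:30:40 4624 10 jsmith 10.0.0.12
2011-08-28T11:02:00 4625 3 svc_backup 10.0.0.91
"""


def parse(log_text: str) -> list:
    """Turn the constructed export format into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split()
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id),
                       "type": int(logon_type), "user": user, "ip": ip})
    return events


def detect_rdp_bruteforce(events: list, threshold: int = THRESHOLD,
                          window: timedelta = WINDOW) -> list:
    """Flag each source address that racks up `threshold` failed RDP logons
    inside `window`, and record whether a successful RDP logon from the same
    address followed the burst (the signature of a guess that worked)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] in RDP_LOGON_TYPES:
            by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["id"] == FAILED_LOGON]
        for i in range(len(failures)):
            # sliding window anchored at failure i
            j = i
            while j < len(failures) and failures[j]["time"] - failures[i]["time"] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = failures[j - 1]["time"]
                success = next((e for e in evs if e["id"] == SUCCESSFUL_LOGON
                                and e["time"] >= burst_end), None)
                alerts.append({
                    "ip": ip,
                    "failures": j - i,
                    "start": failures[i]["time"],
                    "accounts": sorted({e["user"] for e in failures[i:j]}),
                    "success_after_burst": success["user"] if success else None,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

Two caveats for anyone adapting this. First, the "accounts" field distinguishes Morto's pattern (one account, many passwords) from password spraying (many accounts, one password); both trip the same counter but warrant different responses. Second, when Network Level Authentication is enabled, failed RDP attempts are commonly recorded with logon type 3 rather than 10, so RDP_LOGON_TYPES should be widened to {3, 10} in that environment, at the cost of also counting SMB and other network logon failures.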


University of Wisconsin-Milwaukee Servers Hacked

A computer system at the University of Wisconsin-Milwaukee was hacked and implanted with malicious software. According to the Milwaukee Journal Sentinel, malicious code was discovered on a document management database server. The university contacted law enforcement, and after a month-long investigation determined that the database on the system contained over 75,000 records that included Social Security numbers for both students and employees.

Although this breach, which was discovered back on May 25, could have exposed the names and Social Security numbers of some 75,000 students, faculty and staff, UWM officials told the newspaper that the university has no evidence that information was looked at or used.

Nobody is sure how long the malware was running on the server, but it was shut down once the breach was found.  UWM leaders are suggesting someone might have been trying to gain access to the university's computers for a different reason. It is suspected that the software was being used to identify cutting edge research that the school is working on, but that has yet to be confirmed.

"We are a research institution with a significant number of projects under way. It is theorized that this may have been an attempt to look at work being done," Tom Luljak, UWM's vice chancellor for university relations, told the newspaper. He added that the malicious software was installed remotely.

While the forensic investigation found no evidence that the personal information was stolen, the school is still warning students to be vigilant by monitoring their credit history and putting a freeze on their credit report. It is also interesting to note that although most organizations that suffer data breaches end up offering one year of free credit monitoring to the victims, UWM says that since there was no evidence the data was stolen, it will not offer the free service.

It's also worth noting that while students' personal data may have been exposed, the database contained no "academic information such as student grades," so at least the attackers won't be able to tell whether students passed their criminology courses.

For more information on the security breach, UWM has set up this website.

3 Ways Mobile Devices Become Infected with Malware

Social engineers have been using dirty tricks to fool people for centuries. Social engineering, the art of gaining access to buildings, systems or data by exploiting human psychology rather than by breaking in or using technical hacking techniques, is as old as crime itself.

For the past several years online, social engineers have been fooling unsuspecting users into clicking on malicious links and giving up sensitive information by posing as old friends or trusted authorities on email and social networks. Now that mobile devices have taken over our lives, social engineering has become an attack method of choice for getting into a person's smartphone or tablet.

Here are three examples of current cons being used by criminals to get inside your mobile device.

Malicious apps that look like legitimate apps

One example involves a popular and legitimate Android application that made a virtual "steam" appear on the smartphone's screen; you could wipe it off with your finger. It served no real purpose, but people love this sort of thing.

A malicious application that looked exactly like the virtual-steam application was then published, and many people were conned into purchasing it instead of the authentic one. From a user's perspective it is very hard to tell a legitimate app from one that turns out to be malicious.

What users ended up with was an application with unwanted behaviour hidden behind it. In some cases, the malicious application sent SMS messages from the victim's phone to premium-rate services, and the user was charged. The attacker, meanwhile, deleted any return SMS messages acknowledging the charges, so the victims had no idea they were being billed.

The best advice: don't install applications from untrusted sources.
 
Malicious mobile apps that come from ads

In some cases, legitimate applications on a smartphone run bad advertisements. If the user clicks on the ad, they are taken to a web site that tricks them into thinking their battery is draining too quickly. The person is then asked to install an application to optimize battery consumption, which is in fact malicious.

Our advice is the same as with PCs: be leery of any advertisement that asks you to install an application.

Apps that claim to be for "security"

Another mobile attack vector is a ZeuS malware variant that actually starts on an infected PC. When a user visits a banking site from an infected computer, they are prompted to download an "authentication" or "security" component onto their mobile device in order to complete the login process.

The attackers know that banks use two-factor authentication, and that in many cases the second factor is a one-time password sent to the user's phone by text message. Their question was: 'How can we get access to those codes?' Their answer: 'Attack the user's phone.'

The ruse works like this: once the PC is infected, the person logs onto their bank account and is told to download an application onto their phone in order to receive security messages such as login codes. It is actually a malicious application from the same entity that controls the user's PC. The attackers now have not only the user's regular banking logon credentials but also the second factor sent to the victim via SMS. In many cases, victims thought they were simply installing a security application or, in some cases, a security certificate.

Mobile devices, pure and simple, are hand-held computers and should be treated as such. The best way to protect yourself is to be cautious of not only the applications you install, but the links you click on in the web browser. If asked to download a file, application or security certificate, be leery and only download from trusted sources.




Beware: Fake Google + Invitations

Whenever people desperately want something, criminals come up with ways to rip them off. It's a practice as old as time.

The Google+ invite frenzy has prompted some devious spammers to send out fake invitations. Sophos, a security firm, first reported the spam.

Gmail users receive a Google+ invite that looks like the real thing. But when you click on the invitation link, it leads to a completely different website riddled with malware.

This isn't the first time that insane demand for Google products has spawned scams. Back when Gmail membership was an exclusive club and a hot item, spammers sent existing Gmail users a notice that Google had just given them 50 extra invites. All they had to do was fill out a form with their Gmail password.

Apple was also used as bait. Before the iPad was released, bogus Facebook pages were set up to recruit users as beta testers: they would get the iPad in advance and then keep it for free.

All these Apple fans had to do was provide their personal information and cell phone number.  Their cell phone number was subsequently enrolled in an expensive premium service.

For active Internet users, scams and spams are a fact of life.  Abiding by the following guidelines, however, will lessen the pain.

  • Don't respond to sweet offers that you didn't pursue or whose origin you don't know, whether it's a Google+ invite or a millionaire trying to give away his fortune.
  • Never give out personal information in response to email requests from people posing as legitimate entities. Legitimate entities will not ask you for it that way; the only time they might prompt you for personal information is when you approach them to do something.
  • Offers that are too good to be true are exactly that. Somebody looking to share the wealth of a stranger who has no "next of kin" does not happen in real life. If you're not sure, don't go for it, especially if you have to provide personal information or grant access to your computer in exchange.

The best way to prevent this is to pay attention to what sites you are visiting and which links you are clicking on. Before you enter a password, personal, account, or credit card details, double-check that you are on the site you think you are: read the URL in the address bar and make sure the domain is the one you expect, and look for anything suspicious on the page so you don't fall prey to these scams.
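The last piece of advice, check that the URL is what you think it is, is easy to state and easy to get wrong, because the part of a link that looks like the site name is not always the part the browser connects to. The function below is an added example for this post, not code from Sophos or Google; the URLs it is run against are constructed, and "google.com" is simply the expected domain passed in as a parameter.

```python
import ipaddress
from urllib.parse import urlsplit


def lands_on(host: str, expected: str) -> bool:
    """True only if `host` is `expected` or a subdomain of it. The real
    domain is the right-hand end of the host, so 'plus.google.com' passes
    and 'plus.google.com.evil.example' does not."""
    return host == expected or host.endswith("." + expected)


def analyze(url: str, expected: str) -> dict:
    """Report where a link really goes and the tricks that make it look
    like somewhere else. `expected` is the domain the user believes the
    link points at (a parameter of this example, not a fixed list)."""
    parts = urlsplit(url)
    # hostname is lower-cased, stripped of port and brackets, and is the
    # text AFTER any '@', which is what the browser actually connects to.
    host = parts.hostname
    warnings = []
    if host is None:
        return {"host": None, "ok": False, "warnings": ["no host in URL"]}
    if parts.scheme != "https":
        warnings.append(f"scheme is {parts.scheme!r}, not https")
    if parts.username is not None:
        warnings.append("text before '@' is a username, not the site; "
                        "the browser connects to " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a domain name")
    except ValueError:
        pass  # not an IP literal; that is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host contains an internationalized (punycode) label; "
                        "check for look-alike letters")
    if expected in host and not lands_on(host, expected):
        warnings.append(f"'{expected}' appears in the host but is not where "
                        "the link actually goes")
    ok = lands_on(host, expected) and not warnings
    return {"host": host, "ok": ok, "warnings": warnings}


if __name__ == "__main__":
    # Constructed links: one genuine, three of the deceptive shapes above.
    for link in ("https://plus.google.com/invite?token=abc",
                 "http://plus.google.com.invite-accept.example/login",
                 "https://plus.google.com@198.51.100.7/invite",
                 "https://xn--80ak6aa92e.com/"):
        print(link, "->", analyze(link, "google.com"))
```

The second and third constructed links are the ones a fake-invitation email would use: the brand name is present and prominent, but in one case it is merely a leading subdomain of an unrelated domain, and in the other it is a username the browser discards before connecting to the address after the "@".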




River Run Tech Blog: New Malware Released

In the last couple of years, we've seen the most active and persistent viruses masquerading as anti-virus programs under names like Internet Security, AntiVirus Pro 2009, Anti Spyware 2010, etc. Users appear to be getting wise to this ploy, because we've now seen a new variation on these malicious programs that try to extract money from you. The new variation claims to be a hard drive defragmentation and repair utility called "HDD Plus". It is NOT a legitimate program!

If you see a popup for HDD Plus, whatever it looks like, do NOT click on anything within the popup window!

Manually power off your computer by holding in the power button for about 6 seconds. If this variant behaves like the earlier ones, powering off without clicking the window may let you 'dodge the bullet' and be free of the malware once you power back on.

If, after powering off, waiting 30 seconds and powering back on, these popups recur, then please call River Run Support immediately. We can address this issue, either over the phone or in person, to get your workstation back in business as quickly as possible.

It is always best to KNOW YOUR SOFTWARE! If you know what antivirus program you have it’s a lot easier to recognize a false program popup. Likewise, if you know the legitimate software that runs on your system, you’ll immediately be suspicious of something like HDD Plus and whatever the next version of it calls itself, and won’t be suckered into clicking the window or buying the ‘program’.

Be aware and be safe!
