Trying out DuckDuckGo.com

Did you know there are other search engines besides Google? With Google being all over the place, we forget that there are others. Some we may have forgotten or didn’t even know about include bing.com, yahoo.com, dogpile.com, yippy.com, webopedia.com (focusing on technical terms), ask.com (may have previously been known as askjeeves.com), and wolframalpha.com (computational intelligence), to name a few.

We are currently trying out DuckDuckGo.com. I’ve switched over to using it for a couple weeks now. The one lure is they are “… setting the new standard of trust online, empowering people to take control of their information.” They say your searches are always private. So what does that matter?

Have you ever searched for something just out of curiosity and then received all sorts of spammy email all about that subject? Just look at your spam mailbox and you may see many spam emails about your search phrase. This would happen especially when you aren’t using private browsing mode in your browser. And it’s not just emails. You will start to see what you searched for on websites and in apps as well.

DuckDuckGo has been around since 2008. You can even download their privacy browser from your app store.

Zero-Day Internet Explorer Vulnerability

First of all – what does zero-day mean? It is the day a vulnerability was found. If a bug was around for 10 days it would be a 10-day vulnerability. Usually a fix will be developed in the form of a patch or workaround.

A zero-day exploit means an attack takes place the day a vulnerability is discovered.

On March 30, 2019, two zero-day vulnerabilities were discovered in Microsoft Edge and Internet Explorer. Without getting too technical, the problem can occur when you visit a malicious site and a flaw in the browser’s same-origin policy code allows other sites to intervene. When working correctly, the same-origin policy would prevent other sites from accessing your information.

Another vulnerability is related to MHT files. Internet Explorer can still read MHT files. If you are using Outlook, you may see this above an email: “If there are problems with how this message is displayed, click here to view it in a web browser.” It will then open in IE even if you are using Windows 10 with Edge. If the MHT file is infected you will have problems.

To prevent programs from opening IE, you can go into “Programs and Features” in Control Panel and then to “Turn Windows features on or off” and uncheck Internet Explorer 11. Restart your computer.

Trend Micro Blog

Gmail

If you have a Gmail account, did you know that your email address can also have dots in it and you’ll still get it? For example, if your address is johndoe@gmail.com, it won’t matter if you send to john.doe@gmail.com. You can even send it to j.o.h.n.d.o.e@gmail.com and still get it. Most mail systems do not allow this. Apparently it has been like this for some time.

We found out recently when we saw an article from ZDNet about how scammers are exploiting this by registering for different websites under your email but adding the dots. It may be sites like Netflix, Amazon.com, or eBay. They would see the dotted account email as a different one.

One group has used a variation to obtain credit cards. They have filed tax returns, registered for trial accounts, submitted USPS change-of-address requests, collected Social Security benefits, applied for unemployment benefits, and applied for FEMA disaster relief.

The article brought out two other things that could be exploited. First, Google allows + signs – you can send email to johndoe+someword@gmail.com and johndoe@gmail.com will get it. Second, before gmail.com it was googlemail.com and if you use johndoe@googlemail.com, johndoe@gmail.com will still get it. Yes this has been tested and confirmed.
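A site can defend against this by reducing every Gmail address to the mailbox it really delivers to before checking whether an account already exists. The sketch below is an added example, not code from ZDNet or Google; the function names and the sign-up list are constructed for illustration, and only the three behaviours described above (dots, + signs, googlemail.com) are assumed.

```python
from collections import defaultdict

# Domains that deliver to the same Gmail mailbox, per the passage above.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(address):
    """Return the mailbox an address is delivered to, for duplicate detection."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain not in GMAIL_DOMAINS:
        # Other mail systems may treat dots and "+" as significant: keep them.
        return f"{local}@{domain}"
    local = local.lower()            # Gmail ignores upper/lower case
    local = local.split("+", 1)[0]   # drop "+someword"
    local = local.replace(".", "")   # dots are ignored
    if not local:
        raise ValueError(f"empty mailbox name: {address!r}")
    return f"{local}@gmail.com"


def find_alias_groups(signups):
    """Group sign-up addresses that all land in one mailbox (2+ variants)."""
    groups = defaultdict(list)
    for address in signups:
        groups[canonical_address(address)].append(address)
    return {box: variants for box, variants in groups.items() if len(variants) > 1}


# Constructed sample data: five variants of one Gmail mailbox, plus two
# addresses at another provider that must NOT be merged.
CONSTRUCTED_SIGNUPS = [
    "johndoe@gmail.com",
    "john.doe@gmail.com",
    "j.o.h.n.d.o.e@gmail.com",
    "johndoe+someword@gmail.com",
    "JohnDoe@googlemail.com",
    "john.doe@example.com",
    "johndoe@example.com",
]

if __name__ == "__main__":
    for mailbox, variants in find_alias_groups(CONSTRUCTED_SIGNUPS).items():
        print(mailbox, "<-", ", ".join(variants))
```

Store the canonical form next to the address the user typed, and enforce uniqueness on the canonical form.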

Collection #1 Breach

There was a new breach found last week and reported by Troy Hunt on January 17, 2019. This one is a massive breach: a collection of emails and passwords with over 2.5 billion rows of combinations. Over 1.1 billion of these were unique combinations, possibly due to emails being in both upper case and lowercase. There were a total of over 700 million unique email addresses with passwords.

Perhaps you are no longer using a particular email that was found in the breach. Or maybe your password has been changed. Chances are you are or were a little lax about your passwords and re-used them on different sites.

You can use Troy’s site https://haveibeenpwned.com to check to see if your email has been found in any breaches. You can use this page to check to see if a password you are using has been in any breaches: https://haveibeenpwned.com/Passwords

We recommend you use a password manager and let it generate secure passwords for you. You would only have to remember that one password and can have access to all your passwords and sync them to your devices. Some managers even offer storage of sensitive documents.

Read Troy Hunt’s article here.

Logging into any Google service logs you into Chrome

As of version 69, the Chrome browser will log you in and sync when you visit any Google site like Gmail, YouTube, Google Docs, Google Maps, etc. For whatever reason, you may not want to be logged in, or you may not want them to keep track of everything you do. They are not giving you that choice anymore.

There was a discussion on Twitter about it with Adrienne Porter Felt, a Chrome engineer and manager.

Apparently after these discussions and feedback, Google is going to back down and make some changes in version 70, coming out in mid-October. They will allow sign-in without syncing. If you want to sync between devices, you will need to turn sync on. Signing into a Google-owned website will not sign you into Chrome at the same time.

Facebook Breach

By now you’ve heard about last week’s Facebook breach in which 50 million users’ accounts were impacted. This time, attackers had the ability to directly take over user accounts. Facebook logged out 90 million users from their accounts – the 50 million affected and 40 million more that may have been. They also announced that other sites could be affected if you use your Facebook credentials to log into them.

The persons responsible, who haven’t been found yet, were able to get to the access tokens, kind of like session hijacking. The problem was found in the video uploader page. Find out more about it from How-to Geek.

Chrome Extension: PassProtect

There is a Chrome extension to help you pick better passwords. It is called PassProtect by Okta. It will tell you right away if your password is in a list of data breaches. It doesn’t necessarily mean your username/email and password combination are in that list but if your password is already in a list of compromised passwords, you might want to rethink that password. You can add it to your Chrome browser.

They do not store or collect any information from you; they simply use the HaveIBeenPwned.com API to check against the list of known breaches. If you want to check a password on your own, you can also check it manually here to see if it is in the list of breached passwords, because it is the same list. Hackers that have collected passwords will often use them to breach a site and try to guess people’s logins. If you are using a password from a breached list, and they know your email or username, you may find yourself hacked.

PassProtect

Robot Guards

A company based in Singapore, Oneberry Technologies, has developed RoboGuard. If you need surveillance, you can get a robot to do it. You would still have to man the system and watch whatever the robot found but this is an interesting concept in robotics and in surveillance.

Funny how things never change…

The Victor crew happened upon an article about an article. TheVerge.com showed a clipping of a news article from a 1996 copy of the Wall Street Journal. The clipping shows that even back in 1996, there were privacy concerns.

There were concerns about such things as cookies, encryption, and junk email. We recently wrote about the blast of Terms of Service you’ve been seeing. Most of them address all these issues within them.

The only way to truly protect your privacy is to be aware of what is being collected. Don’t just shrug off all those terms and privacy legal pages. Read them. If they want something you don’t want to give, then just stop using that service, app, website, etc. If the site or app has privacy settings, go into them and limit your exposure. Limit who can see your posts, photos, or information. Sometimes you can even set it so you need to approve who can friend or follow you.

View the original full Wall Street Journal article here.

Does 2-Factor Authentication Keep You Safe?

Not always. The Victor crew found an article/video that demonstrates how you have to be very careful even if you have 2-factor authentication in place. The trouble can occur when a user clicks a link sent in a phishing attack. The email may look legitimate but it may have the real site name misspelled.

The most important takeaway is to stop and think before clicking a link, even if you think it comes from a legitimate source. If you receive a message from a major site, most likely you can just go to that site, log in, and see any notifications someone may have sent rather than looking at emails that are generated.

You can see how 2-factor authentication is bypassed in this demonstration by Kevin Mitnick from KnowBe4.com.

Windows Defender Browser Protection

There is an extension for the Chrome browser called Windows Defender Browser Protection. It extends your Defender protection to include your browser. It will keep you from accidentally clicking through to a phishing site. You can also turn the protection on or off. If you click a link from an email it will help by reporting to you that the website is unsafe.

After you install it on your browser, you will see a small Defender icon at the top of your browser. You can click it and then you will see the dropdown (shown below). You can turn it on or off temporarily.

Windows Defender Chrome Addon

Get the extension for Chrome here.

Learn more about how it works from Microsoft.

Cryptocurrency Mining

Cryptocurrency is the term given to currency such as bitcoin, ether, or any of the other digital currencies out there. So how does this work?

Cryptocurrency runs on what is called a blockchain, a ledger or document that is duplicated over networks of computers. As this is updated, it is made available to the holder of cryptocurrency. Every transaction of every cryptocurrency is recorded. The blockchain is run by miners. Their computers tally up the transactions. They update the transactions and also make sure of the authenticity of the information received. In payment, miners are paid fees for each transaction. The buyers and sellers agree on the value of the cryptocurrency as it fluctuates.

The transactions are made peer-to-peer without a mediator like a bank. The buyer and seller do not know who the other is, but everyone in the blockchain knows about the transaction as they are made public.

If I wanted to buy something that costs $10,000, and find a seller that accepts cryptocurrency, I would try to find out the current exchange rate, get the public cryptocurrency address, say bitcoin, and we would stay anonymous to each other. I would then have my Bitcoin installed to his computer, say 10 bitcoins rated at $1000 each. My bitcoin client would sign the transaction with his private key. The transaction would be verified and transferred and recorded.

Cryptocurrency mining includes adding transactions to the blockchain and releasing new currency. Miners use special computers, hardware and software, to do this. Lately they’ve taken to using browsers and apps for cryptomining. There is a JavaScript file that they can add to your website. Sometimes they will let you know they are using this, sometimes not. When it was first used it didn’t generate that much money for the miners but now that bitcoin rates have increased, it seems there has been another surge with it.

Coinhive is an alternative to browser ad revenue. They have a javascript for people to put on their website. They are using your computer to mine the bitcoin. Mining takes a lot of power so they look for other ways to use it. A good ad blocker can prevent you from using some of these types of sites. I just got the message from my adblocker when trying to get to coinhive.com. It is used to mine a cryptocurrency called Monero. The owners of the site get 70% of the currency and Coinhive gets the rest. You may never even know it is taking place if you visit a site using this, except maybe your computer runs a little slower. Users with WordPress can even get a plugin for using Coinhive.

One month last year, Malwarebytes blocked 248 million attempts to borrow resources from the Coinhive script. Many of the sites using Coinhive are porn sites or heavily covered with ads anyway. A good antivirus or ad blocker can help. You can also turn off JavaScript in your browser, or download and use Opera, which will block cryptocurrency mining.

Coinhive cryptomining scripts were found recently in 19 apps in the Google Play Store. One of the apps had over 100,000 users. They have since been removed from the store.

Here are some of our source articles to find out more:
https://www.benzinga.com/
https://www.symantec.com/
https://www.pcmag.com/
https://www.bleepingcomputer.com/
https://thenextweb.com/

Password security

We’ve talked about passwords before and yet it is such an important thing because of all the breaches we see. Some people say they don’t have anything that important so it doesn’t matter or they say they need to use the same password for everything.
This is a totally bad practice and attitude to have about this. Think about all your accounts where you have purchased items, or your banking or credit card accounts. Do you really want to use the same password for everything? Once they breach one account, say your email, they can look through that to find what other accounts you are subscribed to and have a field day. This is even how identities are stolen.

Here are some things you can do:
  • Go to HaveIBeenPwned.com and check your email for pwnage.
  • Also click on their password tab and check to see if your passwords are on any common lists.
  • Use a password manager like LastPass.
  • Use 2 step verification. Use an authenticator, too.

Once you download LastPass, set it up with a hard-to-hack, easy-to-remember password (the first video below gives some suggestions on how to find one). You can then import all the passwords saved to your browsers. Once you have LastPass you can also run a kind of audit check for recommendations on which passwords to change – it will show you duplicates or not so secure passwords you already have.

Whaling Attacks

We recently came across the term “whaling” so of course, we needed to know more about it. Here is what the Victor crew found out. It is a form of phishing aimed at high-profile business executives, managers, CEOs, etc. They are going after the “big fish.” The emails sent to them are more official looking and target a particular person. A regular phishing attack usually goes out to a lot of people trying to lure anyone. Whaling is also considered “spear phishing” where it is an attempt to target an individual person or company.

As with phishing, whaling is used to get a person to reveal sensitive information, such as login credentials, to an account. They do this by trying to scare the individual into giving this information up.

Whaling goes so far as to make a web page or email that looks like the legitimate one. You may even be enticed into downloading a program in order to view a page or to get your information. It may come in the form of a false subpoena, message from the FBI, or some kind of legal complaint against you.

Be aware of what you are clicking. If you can, hover over the link and see where it is taking you. Try putting the URL in an analyzer, such as VirusTotal or TrendMicro to see if it is safe. If in doubt, don’t click or download anything you are unsure of.

Your Wi-Fi is probably vulnerable

It has recently been found that the WPA2 protocol is vulnerable to hacking. The attacks are known as KRACK attacks (Key Reinstallation AttaCKs) and there is a website where you can learn more about them. Android and Linux were found to be the most vulnerable to this exploit. They can be tricked into reinstalling an encryption key of all 0s, which allows an attacker to enter your network and then get to sites you visit and capture your login credentials.

If you watch the video below you will see it is a rather involved process to actually crack into the network but that doesn’t stop someone who is intent on getting into your network.

There isn’t a whole lot you can do because this vulnerability bypasses any security measures. One of the simpler things you can do is not use unsecured Wi-Fi. Ever. Keep your router’s firmware updated. Do not downgrade to even more insecure protocols like WPA or WEP.

Equifax Breach – What you can do

By now you’ve heard about the Equifax breach. Something you may want to do by November 21 is put a security freeze on your account. Until then, they are waiving fees to do this.

A security freeze is supposed to block outsiders from opening an account in your name. This is different from a fraud alert which will only notify you if someone opens an account in your name (even you).

A security freeze has you adding a PIN in order to make any changes. The three major credit monitors are TransUnion, Experian, and Equifax.
Right now you can only put the freeze on Equifax for free. TransUnion and Experian will charge $10 for each. Currently there is legislation pending on making this free. If you are planning to buy a car or house you don’t want to freeze your credit just yet.

Equifax will not be calling you so if you get a call saying it is from them, it is most likely a scam.

If you enroll in their monitoring program, you would waive rights to sue if you are impacted by the breach.

Here are some links:
Equifax blog with explanation of the problem
How to put on and remove a freeze from your account
Form to fill out to get a PIN to freeze account

Keep your browser extensions updated!

It is important to keep all software you use up to date. There are updates for a reason – most likely some of the code used was found to be vulnerable to attacks.

This past week, a popular extension was hijacked. The developer of the Web Developer for Chrome extension had his own account hijacked. The hijackers phished his Google account, then modified the code in his account and pushed it out to users. The version of Web Developer for Chrome that was pushed out is 0.4.9. You need to make sure you have the updated version 0.5 installed NOW!

The version the hijackers uploaded can force ads on pages, capture passwords, or cause other unreported problems. Consider changing passwords for pages visited during the time of the compromise. The date was August 2. The developer himself admits he fell for a phishing attack that started this. This affected over one million users.

The developer details the events in his blog. The bottom line is anyone can click on a bad link and it is important to have two-factor verification in place.

Passwords: should you use the one you want?

If you are looking for a password, you can check to see if the password you want to use has ever been used. Just go to the Have I Been Pwned website and look at the Passwords link. They now have a list of the passwords that have been breached. You can test your password against it and it will tell you if it’s been breached but it will also tell you it may not be a good password even if it’s not been breached.

Here is what you get if your password has been used before and found on a breach list:

Have I been pwned Pwned Passwords - yes

Here is what it looks like if it hasn’t:

Have I been pwned Pwned Passwords - no

Ransomware

The Victor crew has heard a lot of news lately about a cyber attack nicknamed WannaCry using ransomware. Ransomware holds an infected computer hostage until a ransom is paid, usually in bitcoin, money that is virtually untraceable. This latest attack has caused global problems. In the UK, hospitals have been attacked. In the US, FedEx fell victim. If you use a Macintosh computer you are most likely safe as these attacks are targeted at PC users. If you are still running Windows XP you are even more vulnerable as there are no more patches being made for these systems.

Here are some things you can do to prevent this from happening to you:

  • Keep your computer up to date. Do the patches for your operating system.
  • Make sure to do security updates for your security service.
  • Only open attachments from people you know and trust.
  • Be careful of programs or other items you may want to download.
  • Back up your computer to an external hard drive.
  • Keep copies of your files on cloud services.

If you do get infected and don’t want to pay the ransom, which has been about $300-$600, you will have to flatten your machine (reinstall your OS). If you have kept your files on a cloud service or on an external hard drive, you will have defeated them. You will need to reinstall all your programs if you haven’t backed up the entire system.

The predictions are that today there will be even more as people turn on their computers if they haven’t been kept up to date.

Sources:
http://www.foxnews.com/tech/2017/05/15/ransomware-how-to-protect-yourself.html
http://abcnews.go.com/US/simple-things-protect-ransomware-attacks/story?id=47410339

Mobile Phone Number Hijacking

We’ve written a few times about password security. But what if your phone number gets hijacked? This is not having your phone stolen but rather having your phone number taken from you. You no longer can use the two-step verification because someone else has the number they have on file for it. So how does a phone number get hijacked in the first place? The Victor crew wanted to learn more.

It can start with a text that looks like it came from your carrier. It may have a number or a login page for you to enter some information. All they need is your call-in PIN and they can start the process of porting your number over to their phone. You actually think you are talking to a representative of your carrier. Once they have your number, they can use the “forgot password” function of all your apps and get a code sent to them to reset the passwords. Think of all the apps you have – your bank, your email, your wallet. So what can you do?

Here are some ideas from Forbes:

  • Put a passcode on your account with your carrier. Make sure whoever you are talking to uses that passcode with you. If a hacker tries to use it, hopefully the representative is on the ball and asks for the passcode.
  • Use the mobile carrier specific email address to access the account. Forbes suggests you have an address as your current primary one, one just for a mobile carrier, and one for all your sensitive accounts like banking. This way your primary account can’t be used to steal your phone number.
  • Disable online access to your wireless account. You will have to go to the store to make changes but it won’t get hacked.
  • Ask your carrier to make changes with photo ID required.

Some other thoughts:

  • Use a password manager and let it generate passwords.
  • Don’t have the same security questions on all sites and don’t answer them truthfully.
  • Do not connect your mobile number to sensitive accounts. Create a new Gmail email address and don’t connect a phone number to it. Use Google Authenticator with one-time passcode generator to use it. They suggest using a Google Voice number.
  • Use a security key. Yubikey is a physical security key device. There are also devices you use a USB port for.
  • Use biometric authentication – fingerprint for example.

Gmail Alert

If you use Gmail, like many others, the Victor crew wants you to be aware of a new phishing attack going around. This one is even fooling tech-savvy and security conscious people. They are trying to steal usernames and passwords for Gmail.

It starts as an email that appears to come from someone you know and may even have an image of an attachment you might think is from the sender. If you click on it, you expect it to give a preview, like Gmail normally does, but instead a new tab will open and ask you to sign in to your Gmail account again. Make sure you look at the address bar and see only https://accounts.google.com… If you see “data:text/html,” before it, (data:text/html,https://accounts.google.com/ServiceLogin?service=mail), DO NOT ENTER YOUR LOGIN!

If you think you may have already fallen for this attack, change your Google password.

https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
http://www.pcmag.com/news/351113/dont-fall-for-this-sophisticated-gmail-phishing-scam
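The address-bar check described above can be written down as a rule: the text has to parse as an https URL whose host is exactly accounts.google.com. The sketch below is an added example, not code from Wordfence or Google. It goes a little beyond the data: case to cover the misspelled-site trick mentioned in the 2-factor item; the function name, reason codes and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "accounts.google.com"


def check_login_url(address_bar):
    """Return (ok, reason) for the text shown in the browser's address bar."""
    text = address_bar.strip()
    try:
        parts = urlsplit(text)
        host = parts.hostname        # lower-cased by urlsplit, None if absent
        userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return False, "unparseable"
    scheme = parts.scheme.lower()
    if scheme == "data":
        # The page content is carried inside the URL itself; the
        # "https://accounts.google.com" that follows is only text.
        return False, "data-uri"
    if scheme != "https":
        return False, "not-https"
    if userinfo:
        # "https://accounts.google.com@other.host/" connects to other.host.
        return False, "userinfo"
    if host != EXPECTED_HOST:
        return False, "wrong-host"
    return True, "ok"


# Constructed samples; the first two strings come from the text above,
# the rest use reserved example domains or a made-up misspelling.
CONSTRUCTED_SAMPLES = [
    "https://accounts.google.com/ServiceLogin?service=mail",
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
    "http://accounts.google.com/ServiceLogin",
    "https://accounts.google.com.example.net/ServiceLogin",
    "https://accounts.google.com@login.example.net/ServiceLogin",
    "https://accounts.gooogle.com/ServiceLogin",
]

if __name__ == "__main__":
    for sample in CONSTRUCTED_SAMPLES:
        ok, reason = check_login_url(sample)
        print(f"{'OK  ' if ok else 'STOP'} {reason:<11} {sample}")
```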

Another Data Breach

By now you have heard there was another data breach reported … from Yahoo. This is the biggest breach to date. A while ago they reported a breach of 500 million accounts after which they had contacted people asking them to change their passwords. It turns out there were more than a billion accounts hacked. This included names, usernames, passwords, phone numbers, emails, security questions/answers, backup emails.

If you haven’t already after the breach reported in September, you need to change your password. NOW. If you are using this email account for any other account, you need to change the other accounts as well. People tend to use the same username/email/password combinations. The Victor crew also advises you to turn on 2-step verification. That way if anyone does get into your account, you can be notified.

Bottom line, if your identity and information mean anything to you, make sure to keep your information as secure as you possibly can. Use a password manager. Use a different password for every site.

Here is what the latest email from Yahoo looked like:

NOTICE OF DATA BREACH

Dear [Name of User],
We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.

What Happened?
Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.

What Information Was Involved?
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. Not all of these data elements may have been present for your account. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system we believe was affected.

What We Are Doing
We are taking action to protect our users:
• We are requiring potentially affected users to change their passwords.
• We invalidated unencrypted security questions and answers so that they cannot be used to access an account.
• We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.

What You Can Do
We encourage you to follow these security recommendations:
• Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
• Review all of your accounts for suspicious activity.
• Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
• Avoid clicking on links or downloading attachments from suspicious emails.
Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

For More Information
For more information about this issue and our security resources, please visit the Yahoo Security Issues FAQs page available at https://yahoo.com/security-update.

Protecting your information is important to us and we work continuously to strengthen our defenses.

Sincerely,

Bob Lord
Chief Information Security Officer
Yahoo

DDoS attack

Last week (Friday) you may or may not have been affected by a DDoS attack. DDoS stands for Distributed Denial of Service. It is an attempt to overwhelm a site with traffic from many sources to bring a site offline. They can use malicious software to bring this about as well through emails, websites, and social media.

This happened to several sites this past Friday. There were attacks in the morning, at noon, and in the afternoon. Dyn is a DNS (domain name server) company that provides services to many of the sites that were brought down on Friday. DNS servers are located throughout the world and are what allows you to find a website when you type it in your address bar.

Some of the affected sites were Amazon, Twitter, Netflix, Etsy, GitHub, and Spotify. In answer to the attacks GitHub moved to an unaffected DNS provider on Friday. For those unfamiliar with GitHub, it is a service for people to upload their open source code for others to freely use.

The Victor Crew

TOR networks and the deep web

You may have watched some crime dramas or other shows where the resident geek goes on the deep web or Tor network. Anyone can access this but you need a special browser. Here’s what the Victor crew found out:

Tor stands for “the onion router”. The web addresses will end in “.onion”. You will need to be careful because some of these sites can be nasty and contain scams. It works by anonymizing your activity so it can’t be detected. People in other countries use this if websites are blocked in their country. For instance, they may need to go to “https://facebookcorewwwi.onion/” to access facebook.com/ or “http://3g2upl4pq6kufc4m.onion/” to access the DuckDuckGo search engine. You can search the web for more sites. Here is a directory we found: https://thehiddenwiki.org/ that lists some sites.

The Tor browser is slower than your usual browser but people use it to bypass censorship. The Tor Browser is a modified Firefox version that you can download here. Remember to be careful of the sites you visit.

http://www.howtogeek.com/272049/how-to-access-.onion-sites-also-known-as-tor-hidden-services/

Passwords

Yes, another article about passwords. There seem to be new breaches every week of major sites where passwords are compromised. The Victor crew wants to bring home some information about this.

Only 29 percent of consumers change their password for security. The reason most people change their password is because they forgot it. In an interesting study, Type A and Type B personalities offer different insights.

Type A
Bad password behavior stems from their needing to be in control. They believe they are organized but this puts them at risk. 35% of them reuse passwords because they want to remember them all. Detail oriented people have a system to remember passwords (maybe not such a bad thing).

Type B
Their bad password behavior comes from convincing themselves that their accounts matter little to hackers. They prefer a password easy to remember.

Many people know their password is bad yet they use it anyway. Many were found to include initials, names, pet’s names, important dates, and other information readily available on social media sites.

The longer and more complex the password, the harder it is to crack.

The Victor crew

https://www.helpnetsecurity.com/2016/09/29/risky-password-practices/