Over the weekend you may have seen various news reports of a worldwide ransomware attack hitting thousands of networks.
Ransomware is a form of malware (bad software designed for some harmful or illegal purpose). It encrypts all of the files on your computer, then notifies you that if you want the decryption key, you must send the author money in exchange for it. Without that key, you will never be able to open any of the encrypted files again.
Most ransomware needs to be invited onto your computer. Hackers do this by tricking you into clicking on a link and agreeing to install it on your computer. This one was a little more dangerous since once it gets into a local network it can attack any computer that has not been updated with the most current Windows security updates.
All firm computers are configured to update themselves automatically. This is why you occasionally get notices from your computer that it will need to restart to install updates. It is very important that you don't disable this function, even if it is occasionally annoying.
If, at home, you are using an older XP computer, or a computer that does not have updates turned on, you are playing with fire. You are vulnerable not only to this but other attacks as well. It's a bit like leaving your front door unlocked when you leave for work each day. Nothing may happen, but do you really want to take that chance?
The firm's primary defense against ransomware is a good backup system. If our network gets hit with ransomware, we would have to delete all the current files and restore from backup. Longer term, we hope to put in place a document management system that will protect our files from such attacks, even if some computers on the network become compromised.
To read more about the latest attack, check out these articles from the BBC, NPR, and the Verge.
Monday, May 15, 2017
Thursday, October 1, 2015
Avoiding Cyber Attacks
For many years, hackers attempted to access networks and data with viruses that could automatically move, replicate, and embed themselves on new computers. Today, network security, firewalls, and anti-virus software have rendered most of these attacks ineffective. But that does not stop hackers. They have moved on to the next weakest link -- you.
Most current system attacks trick unwitting users into allowing hackers and malware into the system. Once embedded there, the hacker can invite in other malware and begin to do real damage to a network. Therefore we must all be vigilant against potential threats to our network. There are several issues that everyone should consider:
Email providers have gotten pretty good about preventing dangerous attachments from getting through. But they are not foolproof. If you get an attachment that looks suspicious, have someone from IT take a look at it. Often, you can view a document without opening it. If the sender or the document itself says that viewing it properly requires granting a permission, or enabling macros, that is a big red flag to stay away.
Because many email providers block dangerous attachments, hackers may include a link asking you to connect to a web site. That site may be infected. If a link looks suspicious or is even unfamiliar to you, question whether you should click on that link. If the link has a "php" in the address, that means it is designed to run a script. Sometimes this is legitimate, but often not. It requires closer scrutiny.
Just because you know the sender, that does not mean the message is safe. Many times, hackers will access the email account of an innocent party, then send emails to everyone in the address book. We recently had one hacker who remained connected to the account, responding to questions about the email and saying it was legitimate and that the recipient should go ahead and click on the link. Poor grammar is often a tip off, but not always. If you are not sure, pick up the phone and call the sender.
If a site asks you to enter any name or password where you do not usually do so, that is a red flag. A Google site, for example, should see you are already logged in and not ask again. Hackers often create sites that look like a legitimate site, just to steal your name and password. If you must create an account at a new site, be sure to use a name and password different from what you use for other sites.
If you go to a site and something strange happens, let IT know about it. Years ago, a hack would be obvious right away as you were bombarded with advertising or had other immediate problems. Sophisticated hackers today install malware that has little visible impact on you, but can turn your computer into a "zombie" used for distributing malware to others. It is often a good idea to have someone run a couple of scans on your PC to make sure all is well.
If you think your home computer or other device (yes, phones and tablets are vulnerable) may be infected, please don't connect to our network via VPN or use the firm's WiFi. Your device can act as a Trojan horse, bringing malware inside our firewall to be released on the network. If you ask, we can recommend several anti-malware programs to run and check out your home computer.
Never give your password to anyone, either via email or over the phone, unless their names are Mike, Mary, Lucy, or Bode. No one from Google will ever ask for your Gmail password. No one from Microsoft, Apple, your bank, your broker, or any other outside company should ever request that sort of information. If an outside vendor requests that sort of information, get their name and say you will call them right back, call the company's main number and ask to be transferred to that person. Do not just call a number that the caller gives you. Do not rely on caller ID, which is easily faked.
In short, stay alert; if something looks suspicious, get a second opinion before acting.
Thursday, June 4, 2015
Security Reminder - be careful with emails.
I am regularly asked about whether it is safe to open an email. Today's blog explores what is safe and what is not.
Hackers Think Employees are the Weak Link
A great deal of malware can sneak into a network this way. Hackers used to try to force their way through firewalls. But security has gotten so strong there that the new preferred method is luring a gullible employee on the inside to let them in. Don't be that employee.
Gmail Provides Some Protection
Fortunately, there are a number of things in place to protect you. With Gmail, you cannot be infected simply by opening and reading an email. Gmail does not allow any scripts to run in emails. You also cannot be infected simply by viewing an attachment. The Gmail viewer prevents scripts and executable files from running in an attachment. In fact, Gmail even prevents someone from sending you an exe file.
That said, you can receive a dangerous email attachment, download it, run it, and then infect your computer. Hackers can send attachments with dangerous macros, or scripts, or hide an executable file inside an encrypted Zip file. Do not download and run attachments unless you are sure of the sender and what is being sent. Even a Word Document can contain macros that can harm your computer if you download it and try to load it in MS Word. If you have any doubt, run it by the help desk.
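The post tells you what to watch for in an attachment: executables, macro-enabled Office documents, and files that are not what their name says. The following is an added example (not code from the original post or from the firm's help desk) of how such a triage check can be automated before a file is opened. The file-type lists, the in-memory sample files and the names are all constructed for illustration; a real Office document has many more parts than the stand-in built here. It goes a little beyond the post by also checking the file's contents, so a renamed executable or a ".docx" that secretly carries a macro project is still caught.

```python
import io
import zipfile
from typing import List

# File types the post warns about. These lists are assumptions for
# illustration, not a complete catalogue.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "hta"}
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment should go to the help desk before it is opened."""
    reasons: List[str] = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable file type .{ext}")
    # "invoice.pdf.exe": the real type is the last extension, which Windows may hide.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("double extension disguises the real file type")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office type .{ext}")

    # Content checks, so a renamed file is still caught.
    if data[:2] == b"MZ":  # Windows PE files start with the "MZ" magic bytes
        reasons.append("Windows executable header (MZ)")
    if data[:2] == b"PK":  # modern Office files are zip archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        # Office stores VBA macros in a vbaProject.bin part inside the archive.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("contains a VBA macro project (vbaProject.bin)")
    return reasons


def build_office_zip(with_macros: bool) -> bytes:
    """Constructed stand-in for an Office file: a zip with (or without) a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples, not real attachments.
    samples = [
        ("report.docx", build_office_zip(False)),
        ("report.docx", build_office_zip(True)),
        ("budget.xlsm", build_office_zip(True)),
        ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ]
    for name, blob in samples:
        print(name, "->", "; ".join(triage_attachment(name, blob)) or "no flags")
```

A file with no flags is not proven safe; the check only catches the patterns the post describes, which is why the advice to ask the help desk when in doubt still stands.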
Links are Risky
Hackers are nothing if not inventive. Because it is difficult to infect a user via email, many hackers might send you a link in an email to go to another site. This site could very well be infected by malware that can install itself on your computer. DO NOT CLICK ON A LINK UNLESS YOU ARE SURE OF WHERE IT LEADS.
If you put your mouse over a link, it will show you the address where it leads. This may be different from the address in the text of the link. If it is different, that is a big red flag. Also, if the address has "php" in the address, that is an indication that the site will attempt to run a script. Again, that is a big red flag that usually means stay away. Again, the help desk can check out a link if you are the least bit suspicious.
You may get an email that is what is known as a phishing attack. This is where a hacker is fishing for information that will help him get into our network through other means. For example, say you get an email from PNC bank that leads back to a link like this:
http://www.pnc-support.com/login
You click on the link and see a login for your PNC account. You enter your name and password. You have just given the name and password of your bank account to a hacker. Why? www.pnc-support.com is not PNC's domain. Notice the hyphen between "PNC" and "support". That means it is all part of the same word, not broken up by a dot. Anyone could register such a domain and put a fake clone of the PNC web site there. You enter a name and password, which is collected, then they say you entered it wrong and re-route you to the real web site. You log in and are none the wiser. Hours later, or maybe minutes later, someone withdraws all the money from your account and transfers it to Russia. Good luck getting it back. (The link in this example is one I just made up. It does not really lead anywhere and will not harm your computer).
This is why email links can be very dangerous. If you are not 100% certain of the sender, don't click on anything. Even a sender you know could have their email hacked in order to send you a dangerous link. This does happen regularly. Even if you know the sender, if the wording of the message seems odd, or a link seems suspicious, don't fall for it.
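The three link checks above (hover to compare the displayed address with the real one, look for a hyphenated lookalike such as pnc-support.com instead of pnc.com, and treat "php" in the address as a warning) can be applied to a whole message at once. The following is an added example, not code from the original post, that runs those checks over the links in an email body. The sample message, the trusted-domain list and www.pnc-support.com itself are constructed for illustration (the latter is the made-up domain from the post); the "registrable domain" helper is deliberately naive and would need a public-suffix list to handle addresses like example.co.uk correctly.

```python
import re
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Constructed sample message (not a real email). The domains are assumptions
# for illustration; www.pnc-support.com is the made-up domain from the post.
SAMPLE_EMAIL = """
<p>Dear customer, please visit
<a href="http://www.pnc-support.com/login">https://www.pnc.com</a>
to verify your account.</p>
<p><a href="https://www.pnc.com/">PNC Online Banking</a></p>
<p><a href="http://example.org/track.php?id=42">View document</a></p>
"""

# Assumed list of domains we expect legitimate mail to link to.
TRUSTED_DOMAINS: Set[str] = {"pnc.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive: ignores suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href: str, text: str, trusted: Set[str]) -> List[str]:
    """Return the red flags the post describes for a single link."""
    flags: List[str] = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    # The hover check: the visible text names one site, the href goes to another.
    shown = re.search(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        flags.append(f"text shows {shown.group(1)} but link goes to {host}")

    # Lookalike check: a trusted brand name appears inside a label ("pnc-support",
    # "pnc.evil.com") while the registrable domain is not one we trust.
    rd = registrable_domain(host)
    if rd not in trusted:
        for t in trusted:
            brand = t.split(".")[0]
            if any(brand in label for label in host.split(".")):
                flags.append(f"{host} imitates {t} but is a different domain ({rd})")

    # The post's "php in the address" rule: the target will run a script.
    if ".php" in parsed.path.lower():
        flags.append("address contains .php")
    return flags


def analyze_email(html: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[Tuple[str, List[str]]]:
    """Run check_link over every link in the message body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, check_link(href, text, trusted)) for href, text in collector.links]


if __name__ == "__main__":
    for href, flags in analyze_email(SAMPLE_EMAIL):
        print(href, "->", "; ".join(flags) or "no flags")
```

As the post says, the "php" rule produces false positives on many legitimate sites, so it is a reason for a closer look rather than a verdict; the first two checks are the ones that single out the pnc-support.com example.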
ABA Article on Ransomware
The ABA Journal recently wrote an article about ransomware, a trend where hackers introduce malware to encrypt all the files on your computer (or the entire network), then demand payment to decrypt them again. This is a serious threat. Many companies have been hit by this. If you care to read the full article, you may do so at this link. (I promise this is a valid and safe link. I'm not trying to trick you). At the end of the article is a link to a quiz, which you might find interesting. That link is also valid and safe.
Saturday, February 21, 2015
Lenovo Malware Concerns
In a rare "weekend edition" of my blog, I want to address concerns about recent news reports that Lenovo has been pre-installing malware known as Superfish.
Superfish is an intrusive program that can alter search results to provide you with advertiser funded results when you do a search in your browser. The program also installs a trusted root certificate that is, well, untrustworthy. It essentially opens a back door into your computer that could in some circumstances allow hackers to steal sensitive information.
Many malware programs have been doing things like this for years. What makes this recent issue so newsworthy is that Lenovo has been installing this program at the factory, meaning your computer is infected before you even get it.
Fortunately, this does not seem to cause a problem for the firm. According to Lenovo, only a certain limited line of consumer devices were outfitted with Superfish. None of them were Thinkcentres or Thinkpads, and they all appear to be Windows 8 devices, not Windows 7 as the firm uses. Also, Lenovo only began doing this in September 2014. Virtually all firm computers in use are older than that.
Despite all these assurances, we have been checking sample models of the new lines of laptops and desktops purchased by the firm to make sure there are no indications of Superfish. None have been found.
Both Microsoft and Lenovo have responded to this problem by releasing security programs through Windows Updates and Lenovo Updates which will detect and remove Superfish, so all computers will be scanned by these updates when they are automatically downloaded and run.
As I hope I have made clear, there does not appear to be any danger that any work computers have been affected by this. But if you have a home computer that you purchased from Lenovo in the last few months, and don't trust the automatic security tools in Windows updates, you can check your computer yourself. Lenovo has made available detection and removal tools, which you can access through this Lenovo Link.
Computer security is always a top concern for the IT Department. At this point, we are confident that this Superfish issue poses no threat to firm devices.