I’ve mentioned the breach monitoring service “Have I Been Pwned” several times in past articles, and it continues to be a valuable service in finding out if any of my credentials have been exposed in any of the numerous breaches that have occurred over the past 7 years, as well as any new breaches that occur going forward. What’s disheartening for folks like me who have a keen interest in cyber security is that though this service is free, Have I Been Pwned only has 2M subscribers, out of a possible 3.6B unique email addresses in their database, meaning that less than 1% of potential users are utilizing the service. Hopefully that will change now that both web browser Firefox and password manager 1Password will start to heavily feature HIBP lookups directly in their interfaces.
What this means for you
Because they know I manage many hundreds of passwords as part of my business, my clients always ask me which password manager I use. Unfortunately for them, I can’t recommend Passpack, primarily because it isn’t designed for the average consumer. In the past, I’ve recommended LastPass or Dashlane, but with 1Password’s built-in integration of HIBP look-ups and wide availability on all major platforms, it seems like an obvious recommendation, to the point where I am considering migrating our business password management to them. Keep in mind that it’s not free, but there are family and team plans in case you feel like leading the way for your corner of the internet.
I’m also asked frequently about which web browser to use. Up until recently, I was a huge Google Chrome advocate, and I still use it on a regular basis on one of my laptops, but I have recently switched to Mozilla Firefox as my main workhorse browser, primarily for the expanding set of security and privacy features like the above-mentioned HIBP integration and Firefox’s own identity containers which can help to stop advertisers from snooping your cookies and history while you surf the web. It’s also very fast and a bit better at managing its RAM usage, unlike Chrome and Microsoft’s Edge, both of which are notorious memory hogs. If you are considering switching to Firefox, keep in mind that there are still some sites and services, especially in-house business solutions that may not run consistently, so always know where your Internet Explorer and Chrome shortcuts reside in case you need to fallback to another browser. Fortunately all three can safely co-exist, so it’s worth giving it a spin.
Finally, if you haven’t added your email address to Have I Been Pwned, you really should, even if you are afraid of what you might find out. The initial dismay is worth the longer-term gains in security.
One of the most effective malware infection vectors in use on the internet is what’s known as the “fake antivirus attack”. Upon visiting a compromised website, even one that is supposedly legitimate like the DailyMotion (not linked for obvious reasons), a pop-up is displayed that warns the user that their computer is infected, and offers to clean up the infection. Clicking on that button typically leads to the actual infection, which usually starts out as an annoying infestation of adware and popups, and will typically escalate into a barrage of more malware, up to the incredibly vicious rootkits and ransomware which will render your computer inoperable, your data irrecoverable and your identity, bank accounts and credit rating at serious risk.
How do you spot the fakes? Unfortunately, it’s becoming increasingly more difficult, as the cybercriminals are now investing more effort into making these counterfeit warnings look like the real thing. In the case of the DailyMotion vector, the pop-ups were designed to look like Microsoft’s own widely-used and competent Security Essentials antivirus software, a product that I install on many of my clients computers. At first glance, the pop-up does a passable rendition of the real software, and someone not paying attention could easily be fooled. If you want to see what this type of pop-up looks like, and the resulting infection, watch this short video produced by Invincea, a security software company based in Fairfax, VA.
What this means for you:
Even hardened internet travelers might be taken in by well-crafted popups, but there are certain ways to tell if it’s a fake:
- Your antivirus software won’t require you to install an EXE to perform the scan. It’s already installed. If it was a legitimate warning, clicking the button would start the scan, and not a download of software. Windows Vista and up will stop and ask permission to run any executable, even ones from legitimate companies, so if you see your OS asking if it’s OK to install this program, stop what you are doing immediately.
- Close your browser and any windows associated with it. Close any open programs. Manually start your installed antimalware software by selecting it from the Start Menu, or from the System Tray in the lower right of your screen. Run a full scan. Even if everything comes up good, remain vigilant!
- Fake pop-ups also come in the “Your software needs to be updated to view this website” variety. The most common variant of this is Adobe Flash. Again, close all windows, manually relaunch a web browser and visit the software manufacturer’s website to find out if an update is available for your software.
Still unsure? Note the website URL that triggered the questionable pop-up, take a screenshot if you can, and call your IT professional for further advice.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Hackers are now taking advantage of conscientious users who have been repeatedly warned by folks like myself to keep their software, specifically their browsers, up to date. If a user happens to surf to a website hosting this new style of attack, they will be presented with a realistic-looking warning that asserts their browser is out of date, but if they click the convenient link to update the browser, they instead be infected with a trojan that will forcibly change the browser homepage to a site that will deliver a full payload of malware. If the user is unfortunate enough to have his or her anti-malware software overrun, they will quickly have a severely compromised computer.
What this means for you:
You should only ever download updates for your software from the manufacturer’s website, as it’s extremely unlikely for manufacturers to use third-party hosts for software updates. In the above example, users were directed to download an update from a domain “securebrowserupdate” which is something Microsoft, Google, Mozilla or Apple would never do for their browsers. If you happen across a pop-up warning that an update is available for your browser, and you aren’t sure it’s legitimate, close it, then check your update status through the browser’s built into the interface, usually under the “Help” menu. Still not sure? Why not call an expert like C2?
Image courtesy of Stuart Miles / FreeDigitalPhotos.net