Ransomware Spreads Across The Globe: How To Protect Your Computer

A ransomware worm is rapidly taking over computers around the world. Here’s what you need to know to protect your computers and networks.

This particular worm, known by several names including WannaCry and WCry, is a type of computer virus called ransomware. Ransomware, as regular Tech Tips readers know, is especially nasty because it hijacks your computer and encrypts your data, then demands a ransom to decrypt it. A worm is a virus that worms its way through computer networks. Therefore, as you can imagine, a ransomware worm has the potential to wreak havoc worldwide. And that’s exactly what WannaCry and its variants are doing.

Your best protection is prevention. While this virus can be removed, the data it encrypts CANNOT be decrypted. Experts typically recommend not paying the ransom, as there is no guarantee you will recover your data even if you do. A current offline backup is the only way to preserve your information in the event of a ransomware attack.

Windows users, update NOW. If you’re on an old version of Windows and can’t update (anything except Win7, Win8.1, and Win10), this is your wake-up call to upgrade to a newer version. Yes, they released an XP patch. No, that doesn’t mean XP is safe. It means they had to patch XP because it’s used so widely in critical environments like hospitals. And that was an unprecedented move, as Microsoft had previously declared that XP would receive no further security updates. That indicates how serious the situation is. Microsoft has more information about supported versions of Windows on their Windows end-of-support page.

And, everyone – BACK UP YOUR DATA. Seriously. Back it up. Right now. Mac users, you too, you’re not immune to ransomware. Everybody BACK UP YOUR DATA ON A SEPARATE NON-NETWORKED DRIVE AND KEEP IT OFFLINE.

RIGHT. NOW. (Here’s my latest Tech Tips article on backups for Windows and Mac.)

Spread the word. Tell everyone: business associates, friends, family, neighbors, random strangers. Send them a link to this article and remind them to back up and update their computers immediately.

If you’ve already been affected by the WannaCry worm, here’s some information that can help.

Ransomware: A Dangerous Threat To Your Computer

Ransomware is a particularly nasty form of computer virus that encrypts your data, then demands an electronic ransom for the encryption key. Why is ransomware so hazardous, and how can you remove it?

Ransomware is vicious because it doesn’t just render your computer unusable. It encrypts all of your files, including those on networked computers, removable drives, and server volumes. To get the key to unlock the encryption, cyber-criminals demand that you pay. Ransomware has decimated businesses and consumers alike. It’s been around on Windows for ages (see my writeup of Cryptolocker from a few years ago), but recently the first Mac-based ransomware has appeared in the wild.

Should You Pay?
There’s some debate amongst computer security experts as to whether it is better to pay the ransom or not. Sophos’ Naked Security blog has a good overview of the discussion. They also have an excellent article on what you can do if you are infected by ransomware.

How To Avoid Ransomware
You are far better off avoiding ransomware in the first place. Start by making sure you have multiple sets of known good backups. A clean backup is one of your best protections against ransomware and other viruses. Below you’ll find my guide on backup options for Windows and Mac, including how to test your backups to make sure they work when you need them.

All of my usual security recommendations apply as well. Use a top-quality antivirus program, and keep your computer up to date. If you’re on an obsolete version of Windows or Mac, now’s the time to upgrade. Check your default security settings, and use strong, unique passwords on every site.

Here are some Tech Tips articles to help. You can also sign up to receive Tech Tips by email and follow Tech Tips on Facebook for the latest tech support advice for Windows and Mac.

How To Back Up Your Computer (For Windows And Mac)

How To Create Strong Passwords (2016 Edition)

How To Configure Security Settings For Windows, Mac, iOS, and Android

Security Basics For Mac Users

How To Protect Your Web Browser

How To Create Strong Passwords (2016 Edition)

Time once again for my updated guidelines on creating passwords. The short version: use passphrases that are at least 12 characters long and different on every site, plus two-factor authentication where possible. And for pity’s sake, stop using weak passwords!

Many people say to me, “I don’t need a secure password. I don’t have anything sensitive on my computer, so I don’t care if a hacker gets in.” You, my friends, are a hacker’s dream. Because it’s not necessarily your personal information they want, although they’ll happily steal your credit card info if they can. No, what they really want is control of your computer, your email address, your Facebook page… anything and everything that will let them do their dirty work from behind a smokescreen.

Strong passwords must be:

  • Not in use on any other system
    This is perhaps the biggest no-no in the password rulebook. When hackers nab passwords, they try the same account/password combinations on popular sites like Google, Facebook, and Twitter. If you’re using the same password, you’ve just let them in. Do not ever, ever, ever use the same password anywhere. Before you despair, keep reading. There are tools to make it easier.
  • Changed regularly
    Yes, you have to change your passwords. And yes, they still have to be different everywhere. In fact this is one of the best things you can do to secure your passwords. Use a password management tool if you need help keeping track of everything (see below).
  • 12 characters or longer
    Think passphrase rather than password. The longer and more complex a password is, the less likely it can be cracked.
  • A mix of upper- and lowercase letters, numbers, and symbols
    Some systems won’t allow you to use a range of characters in your password, in which case I suggest you reconsider using that site. Do you really trust someone who isn’t going to allow you to secure your account properly? Makes you wonder how secure everything else on the site is.
  • Not common words or proper nouns found in a dictionary
    Here’s a list of the 25 worst passwords of 2015. If your passwords sound like these, change them now.
  • Not the names of your spouse, kids, pets, or other personally identifying information
    Don’t create passwords out of information that can be gleaned about you, and don’t share information that can be used to guess security questions. For example, if you have pictures of your dog Fido on Facebook, and you also answer your bank’s security question “What’s your dog’s name?” with “Fido,” guess what? You have just given a hacker potential access to your bank account.

Examples of good and bad passwords

Good passwords (but don’t use these!)

AP@ssw0rdIJustMADE!UP!4U
Here’sAnOtHeR1FOR$You

Bad passwords

password
password1
password!
123456
<blank>
mypassword
spouse’s name
pet’s name

Password Don’ts…

  • Don’t rotate between the same two or three passwords. It’s just as bad as using the same password everywhere.
  • Don’t send passwords via channels like email, Facebook, or Twitter. Use another means like text message, which goes directly to the recipient. Or even better, a phone call.
  • Don’t stick passwords on Post-It notes. Whether it’s under the keyboard or on a bulletin board, it’s exposed. Be like Gandalf: Keep it secret, keep it safe.
  • Don’t share passwords and accounts. This is especially prevalent in small businesses. Don’t create one account then share the password; create multiple accounts for each person who needs access. More time consuming? Sure. More secure? You bet.

Tools to manage your secure passwords

With a password management tool such as 1Password, LastPass, or KeePass, all you have to remember is one master password and the software takes care of the rest. You can use the same password management tool on your computer and on your mobile devices.

But there’s a catch. Unfortunately any company can be breached by hackers and password management firms are no exception, as was demonstrated by a recent LastPass breach. In other words, passwords stored in management tools can be swept up in data breaches just like any other kind of data.

The good news is that most password managers encrypt your data, so even if hackers get hold of it, they will hopefully be hard-pressed to recover your actual passwords. That being said, you need to safeguard your master password with more vigilance than any other password you use. Please do NOT re-use your master password anywhere else! And be sure to keep another copy of your passwords somewhere safe in case you lose access to your password management tool.

Two-factor authentication

Two-factor authentication (2FA) uses a password plus another unique identifier, like a passcode messaged to your phone. This is much safer than a password alone because the second identifier is constantly changing, making it much harder to break into an account. If a site offers 2FA, you should consider using it.

However, 2FA does not make a weak password safe. Your best bet is 2FA plus an excellent password. As with a password manager’s master password, you need to make absolutely sure you have copies of your 2FA backup codes, because that’s what’s going to get you into your account if you have trouble.

Password harvesting scams

Password harvesters are everywhere. For example, you might get a spam email saying you need to update your account. This message contains links to a page that looks like the real login, but it’s really just a fake designed to steal your credentials. Similarly, password-harvesting scams can be distributed via Facebook, Twitter, and other social media sites. When in doubt, type the address for the site into your Web browser manually rather than clicking on a link.

Why not take this opportunity to change your passwords? It’s the best thing you can do to protect yourself against identity theft and cybercrime.

[Originally posted in 2010 as How To Create Secure Passwords. This version has been updated with the latest advice on secure passwords.]

Cryptolocker: Why Modern Computer Viruses Are More Dangerous Than Ever

Today’s computer viruses go beyond mere annoyance. How does holding your data for ransom sound? What about spying on you through your webcam, tracking your physical location, recording every keystroke you make? Welcome to the modern generation of computer threats, where infection means real-world consequences.

The latest virus making the rounds is Cryptolocker, a textbook example of all the truly nasty ways in which a modern computer virus can ruin your day. Cryptolocker encrypts your data with a one-way algorithm which mathematically cannot be reversed. If you don’t pay the ransom within the timeframe, the only key to your data is gone, kaput, goodbye.

You can’t restore your data by removing Cryptolocker, because removing the virus doesn’t decrypt the data. No tech support person in the world can decrypt it for you because it’s simply not possible without the key. Even police departments have paid the ransom, even as they recommend that consumers not do so.

Here are some resources on Cryptolocker so you can keep it from digging its sharp claws into your computer.

Cryptolocker started its initial spread via email attachments, which are fairly easy to avoid. But now it’s morphing into variants that can be transmitted via USB drive, and luring victims with fake software activation codes. Although it’s a Windows virus, like all viruses it can be transmitted via Macs and mobile devices. Following in the steps of other viruses, soon Cryptolocker will evolve into spreading via social media sites.

And this is just the start.

There are other viruses out there that can activate webcams – and yes, they can bypass the green light that tells you the webcam is on. They can listen through microphones. They can track your location via your mobile device. They can listen in on your conversations on social media.

Now, more than ever, it’s vital to protect yourself from computer viruses. Here are some Tech Tips resources to help:

Have you run into Cryptolocker or other similarly destructive viruses? Share in the comments, and don’t forget to subscribe to Tech Tips by email and follow on Facebook. You can also follow @trionaguidry on Twitter.

 

How To Backup And Restore Files On Your PC Or Mac

Everyone knows you’re supposed to make backups, but choosing a method can be confusing. Here’s a rundown of your choices for Windows and Mac.

Built-In Backups
All modern computers come with utilities which you can use to back up to an external hard drive. The hard drives themselves often come with user-friendly utilities as well.

Third-Party Backups
If you don’t like the built-in options you can choose a third party backup – but watch out for lookalike viruses that pretend to be backup or “computer cleaner” programs. Your best bet is a solution from a reliable software vendor.

Cloud-Based Backups
Cloud backups are convenient because all you have to do is let the utility lurk in the background. Your backups are always current because the software is always running, always backing up changed files.

The danger with cloud backups is that you don’t know who has access to them behind the scenes, or whether the backups will remain available to you if the service goes down or bankrupt. If you’re going to store backups on the Internet, make sure you keep a copy on a local hard drive.

Encrypting Backups
The best way to secure your data when using cloud backups is to encrypt it. Mac users, there’s an easy trick you can pull with Disk Utility: creating a protected disk image.

Windows users, you’ll have to find a third party utility like TrueCrypt. But bear in mind, most encryption utilities were developed for tech professionals so they’re not always the most user-friendly. Also, any utility that works with files at a fundamental level runs the risk of damaging those files. Run your encryption on copies, not originals. I also recommend against encrypting your entire hard drive unless you really know what you’re doing.

Testing And Restoring Backups
Backups don’t do much good if you can’t restore the data on them. You should periodically run a test restore, to make sure you can before an emergency strikes. You should also maintain multiple backups in case one backup device fails.
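One way to check a test restore is to compare a checksum of every original file against its restored copy. The Python script below is an added example, not part of the original article; the folder names and file contents in `demo()` are constructed sample data, and in real use you would point `verify_restore` at your own documents folder and the folder you restored into.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result

def verify_restore(original_root, restored_root):
    """Report files the test restore lost, altered, or added."""
    original, restored = manifest(original_root), manifest(restored_root)
    return {
        "missing": sorted(set(original) - set(restored)),
        "changed": sorted(p for p in original
                          if p in restored and original[p] != restored[p]),
        "extra": sorted(set(restored) - set(original)),
    }

def write_tree(root, files):
    """Create the given {relative path: bytes} files under root."""
    for rel, data in files.items():
        target = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as handle:
            handle.write(data)

def demo():
    """Constructed sample: one file restores intact, one is corrupted, one is lost."""
    good = {"taxes.txt": b"2016 return", "photos/dog.jpg": b"JPEG bytes",
            "notes.txt": b"call the bank"}
    bad = {"taxes.txt": b"2016 return", "photos/dog.jpg": b"JPEG byt"}
    with tempfile.TemporaryDirectory() as base:
        write_tree(os.path.join(base, "documents"), good)
        write_tree(os.path.join(base, "test_restore"), bad)
        return verify_restore(os.path.join(base, "documents"),
                              os.path.join(base, "test_restore"))

if __name__ == "__main__":
    print(demo())
```

An empty result in all three lists means the restore matches the originals. Files you edited after the backup was made will show up under "changed", so run the comparison soon after backing up.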

Another way you can back up your files is with a drive imaging program that takes a snapshot of your entire disk. I’ll post about that in a separate article. Want a heads-up? Subscribe to Tech Tips by email and follow on Facebook. You can also follow @trionaguidry on Twitter.

Image courtesy of Stuart Miles / FreeDigitalPhotos.net