Cryptolocker: Why Modern Computer Viruses Are More Dangerous Than Ever

crypt-messageToday’s computer viruses go beyond mere annoyance. How does holding your data for ransom sound? What about spying on you through your webcam, tracking your physical location, recording every keystroke you make? Welcome to the modern generation of computer threats, where infection means real-world consequences.

The latest virus making the rounds is Cryptolocker, a textbook example of all the truly nasty ways in which a modern computer virus can ruin your day. Cryptolocker encrypts your data with a one-way algorithm which mathematically cannot be reversed. If you don’t pay the ransom within the timeframe, the only key to your data is gone, kaput, goodbye.

You can’t restore your data by removing Cryptolocker, because removing the virus doesn’t decrypt the data. No tech support person in the world can decrypt it for you because it’s simply not possible without the key. Even police departments have paid the ransom, even as they recommend that consumers not do so.

Here are some resources on Cryptolocker so you can keep it from digging its sharp claws into your computer.

Cryptolocker started its initial spread via email attachments, which are fairly easy to avoid. But now it’s morphing into variants that can be transmitted via USB drive, and luring victims with fake software activation codes. Although it’s a Windows virus, like all viruses it can be transmitted via Macs and mobile devices. Following in the steps of other viruses, soon Cryptolocker will evolve into spreading via social media sites.

And this is just the start.

There are other viruses out there that can activate webcams – and yes, they can bypass the green light that tells you the webcam is on. They can listen through microphones. They can track your location via your mobile device. They can listen in on your conversations on social media.

Now, more than ever, it’s vital to protect yourself from computer viruses. Here are some Tech Tips resources to help:

Have you run into Cryptolocker or other similarly destructive viruses? Share in the comments, and don’t forget to subscribe to Tech Tips by email and follow on Facebook. You can also follow @trionaguidry on Twitter.

 

How To Protect Your Privacy On Social Media Sites Like Facebook And Twitter

socialmediaWhen was the last time you checked the privacy settings on your social media accounts? Once? Twice? Never? If you don’t check periodically, you run the risk of having your account hijacked by hackers.

Related article: Strong passwords key to social media privacy by Triona Guidry (The Northwest Herald)

What do you mean by “social media”?

Sites primarily used as a means of mass communication: Facebook, Twitter, LinkedIn, Pinterest, Instagram, Tumblr… You could also think of them as virtual communities, each with different rules and tendencies.

Why should I bother securing my social media accounts?

Because having your account hijacked stinks. At best, it’s inconvenient to reset your passwords and notify your friends. At worst, it results in data loss, identity theft, and financial ruin.

But aren’t these sites private?

Nope. They have privacy settings, most of which aren’t on by default. But anyone can sign up on these sites, and anyone can pretend to be anyone else on them. They’re designed to share information, not keep it private. Which is why the idea of people sharing their entire life stories and that of their kids gives me the screaming heebie-jeebies. Social media sites aren’t private photo albums and diaries. They’re publicly-accessible news sites (and data aggregators for advertisers).

Why do hackers want to hijack me?

In short: money. Cybercrime is a multi-billion dollar global industry. With economies tanking and people out of work, the idea of making tons of cash through Internet scams is hard to resist. Through commandeering your account, cybercriminals sell everything from Internet pharmaceuticals to fake antivirus programs to Twitter followers using your hijacked identity. It’s the go-to crime of the 21st Century.

Should everyone protect their social media accounts?

Yes. Absolutely. There’s no excuse not to.

How can I protect my social media accounts?

Use strong passwords that are unique on every site

Double-check your privacy settings

Report fake followers and inappropriate content

Verify links before sharing

Do you have questions about securing your social media account? Ask in the comments, and don’t forget to subscribe to Tech Tips by email and follow on Facebook. You can also follow @trionaguidry on Twitter.

 

Cyber Attacks Spell Trouble For Consumers

padlock-phoneDo you know what to do if your account is swept up in a cyber attack? In the last year many popular sites, including LinkedIn, Twitter, and Evernote, have been attacked and consumer information stolen. What can you do to protect yourself?

As I said in my tech column in this month’s The Northwest Herald:

Cybercriminals attack big companies for the big prize: user account information. With email addresses and passwords in hand, they go on an account-cracking spree across the Internet, hoping that some of the users in their massive heist are using the same weak passwords on multiple sites. Itʼs likely some of your accounts have already been swept up in data breaches like this.

There are a number of things you can do to reduce the possibility of being hacked. Here are my recommendations plus related Tech Tips articles to help you with each step.

If your account has been hacked, you need to reset it. Here is information on account security and resetting hijacked accounts for some of the major sites:

And here is information on the recent breaches I mentioned:

For the latest news on data breaches (something a little more reliable than mass media articles), try these IT security sites.

Do you have questions about cyber attacks and hijacked accounts? Ask in the comments!

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

How To Create Secure Passwords (Revised Edition)

Computer SecurityMany people say to me, “I don’t need a secure password. I don’t have anything sensitive on my computer, so I don’t care if a hacker gets in.” You, my friends, are a hacker’s dream. Because it’s not necessarily your personal information they want, although they’ll happily steal your credit card info if they can. No, what they really want is control of your computer, your email address, your Facebook page… anything and everything that will let them do their dirty work from behind a smokescreen.

I originally posted this on Tech Tips in 2010, based on many years of teaching tech support clients about password safety. But some of the old rules no longer apply, so this is my newly revised edition. If you think you can still get away with slapping an exclamation mark on the end of a word, you need to read this revised advice.

Strong passwords must be:

Not in use on any other system
This is perhaps the biggest no-no in the password rulebook. When hackers nab passwords, they try the same account/password combinations on popular sites like Google, Facebook, Twitter. If you’re using the same password you just let them in. Do not ever, ever, ever use the same password anywhere. Before you despair, keep reading. There are tools to make it easier.

Changed regularly
Yes, you have to change your passwords. And yes, they still have to be different everywhere. Use a secure password management tool if you find it unmanageable (see below).

12 characters or longer
Think passphrase rather than password. We used to say 6-12 characters was enough, but we’ve found that the longer and more complex a password is, the less likely it can be cracked.

A mix of upper- and lowercase letters, numbers, and symbols
Some systems won’t allow you to use a range of characters in your password, in which case I suggest you reconsider using that site. Do you really trust someone who isn’t going to allow you to secure your account properly? Makes you wonder how secure everything else on the site is.

Not common words or proper nouns found in a dictionary
An analysis of the recent LinkedIn breach found that many people were using ridiculously simple passwords like “password” and “123456.” If your passwords sound like these, change them now.

Not the names of your spouse, kids, pets, or other personally identifying information
Presidential candidate Mitt Romney’s online accounts were hacked via the very simple expedient of answering security questions with information that had been made publicly available. Same thing happened to Sarah Palin. Don’t create passwords out of information that can be gleaned about you, and don’t share information that can be used to guess security questions.

Examples of good and bad passwords

Good passwords (but don’t use these!)

AP@ssw0rdIJustMADE!UP!4U
Here’sAnOtHeR1FOR$You

Bad passwords

password
password1
password!
123456
<blank>
mypassword
spouse’s name
pet’s name

Password Don’ts…

  • Don’t rotate between the same two or three passwords. It’s just as bad as using the same password everywhere.
  • Don’t send passwords via email, Facebook, Twitter. Use other means like text message or fax, which goes directly to the recipient. Or, even better, a phone call.
  • Don’t stick passwords on Post-It notes. Whether it’s under the keyboard or on a bulletin board, it’s exposed. Be like Gandalf: Keep it secret, keep it safe.
  • Don’t share passwords and accounts. This is especially prevalent in small businesses. Don’t create one account then share the password; create multiple accounts for each person who needs access. More time consuming? Sure. More secure? You bet.

Tools to manage your secure passwords

Feeling overwhelmed? Don’t worry, there are plenty of password management tools available. With a password management tool all you have to remember is one master password and the software takes care of the rest. I recommend KeePass, 1Password or LastPass. Even better, you can use the same password management tool on your computer and on your mobile devices.

Why not take this opportunity to change your passwords? It’s the best thing you can do to protect yourself against identity theft and cybercrime.

[Originally posted in 2010 as How To Create Secure Passwords. This version has been updated with the latest advice on secure passwords.]

Holiday Tech Gadgets: How To Choose A Mobile Device Platform

It’s an exciting time in mobile technology as three major vendors vie for our holiday shopping dollars. In this month’s The Northwest Herald I’m discussing the season’s hottest gadgets. From the article:

Mobile technology is hot this holiday season, and you’ll find gadgets to fit every interest and budget. I visited AT&T and Verizon to get the latest news. (read more)

Smart phones and tablets are this year’s top sellers, which begs the question: What’s the difference between the Big Three mobile platforms, iOS, Android, and Windows?

Apple iOS
Runs on: iPhone, iPad, iPod
You may not know iOS by name, but if you’re familiar with an iPhone screen, you know what it looks like. iOS is Apple’s proprietary system for its iDevices. iOS is known for its ease of use and its seamless compatibility across all your iPhones, iPads, and iPods.

Google Android
Runs on: Tablets and smart phones
When it comes to Android, Google makes the software and other manufacturers like Samsung make the hardware. Android is a powerful and flexible platform but may be too complex for the beginner. There’s also a rampant malware problem on Android because of lax standards in Google’s Marketplace plus a rash of lookalike app stores.

Windows Phone / Windows 8 / Windows RT
Runs on: Tablets and smart phones
If you don’t know what to call Windows on mobile devices, you’re not alone. Windows Phone is simple enough; it’s Windows on a phone. Windows RT is Windows 8 on ARM-based tablets, notably Microsoft’s own Surface. However, WinRT is not as flexible as the full Windows 8 on a PC.

How do you know which mobile platform is right for you? It depends on what you’re currently using. If you have a Windows Phone and love it, then it makes sense to stay with Windows for your mobile devices. If you adore your Samsung Galaxy, you’re an Android fan. All platforms offer similar features as far as email, web, and social media. As far as ease of use, I would say iOS is the easiest, followed closely by Windows 8 with Android last because of its complexity

What about other mobile platforms like Blackberry or Symbian? At this point, Blackberry manufacturer RIM is having so many problems they can barely compete – they released Blackberry 10, but the universe barely blinked. Symbian is still around but has been largely supplanted by Windows Phone.

What tech gadgets are you considering for the holidays? Find anything fun and exciting? Share in the comments and don’t forget to subscribe to Tech Tips by email and follow on Facebook. You can also follow @trionaguidry on Twitter.

 

 

Tools To Protect Your Smartphone From Malware

Do you run antivirus on your smartphone? This month in The Northwest Herald, I talk about the exponential increase in malware on smartphones and what you can do to protect yourself. From the article:

Yet if I were to ask if you run antivirus on your phone, you would probably say no. Nobody mentions malware when you buy a phone, they’re too busy extolling the fancy features. All those cool apps are fine until you realize some virus has been silently snooping on your activities.

Here are links to the latest options for mobile antivirus. The available options are changing all the time as new devices and systems are introduced. I’ve also included links to some of my previous Tech Tips articles which can help you secure your smartphone.

Tech Tips articles on smartphone security

 Mobile Antivirus Options

 Subscribe free to Tech Tips by email for more computer news, security tips and social media advice!

 

Stop Integrating My Computer With Social Media!

Tech companies need to remember that consumers are people with brains and don’t need to be force-fed technology through the virtual equivalent of a baby spoon. Mountain Lion, Apple’s latest operating system for Mac (OS X 10.8), boasts improved Facebook integration. In my mind that’s not a feature, it’s a reason to stay away.

I DON’T want my operating system to be integrated with social media. The operating system is the brains of my computer. It doesn’t need to check into Facebook or Twitter. I may run apps on top of it that do need to check into Facebook or Twitter, but that’s my decision. I don’t want my system software making that decision for me.

I want my system software stupid. I don’t want it to know a damn thing about the Internet except how to connect to it. To put it in IT terms, I don’t want my OS thinking past the lowest layers of the OSI model. I certainly don’t want it making decisions at the presentation and application layers. Let it merrily chat away via TCP/IP without bothering to look inside those data packets, and let the programs I choose do that work.

I could say the same for my iDevices. I don’t want to use iCloud. I don’t want to use FourSquare. I don’t want to check in every five seconds. As I said in a previous rant er… post, I certainly don’t want all my data syncing to some unknown datacenter when all it needs to do is go two inches from device to computer.

There’s such a thing as too much integration. Everything doesn’t need to work seamlessly with everything else. If I wanted an operating system based on Facebook I would do all my work with Facebook apps. If I wanted to use cloud computing I would sign up for cloud computing. But if all I want is to work locally on my own computer, I should be able to do that too.

What I want is an operating system I can secure with third party tools (sayonara, Windows RT!), upon which I can run the programs of my choosing.

Of course, I could always run Mountain Lion and simply not give it my Facebook credentials, but that’s not the point. The point is that the capability of integration is there. The point is that if something happens – if I input my password in the wrong dialog box, if a virus presents me with a malicious login, if one of Apple’s preferences “accidentally” gets switched on – then suddenly I am sharing a whole lot of data with the world that really shouldn’t be shared.

As a computer expert, I know the best ways to avoid that. But most people don’t. The average person, right now, is streaming data to Facebook, Twitter, iCloud, and who knows what else, without even being aware of it. And that’s BEFORE the latest integrations between social media and our system software.

Stop sacrificing security for convenience, because it’s not the tech companies that pay the price, it’s the consumers. We’re the ones who get our bank accounts hacked, our email hijacked, our identities stolen, our lives ruined. That’s not exaggeration, that’s the result of a multi-billion-dollar cybercrime industry.

 Subscribe free to Tech Tips by email for computer news, security tips and more!

Don’t Use Facebook As Your Personal Planner

Those Facebook games that have you put in your mother’s maiden name or your grandfather’s birthday? They’re siphoning your info. It’s like waving a lollypop in front of a kid while you steal stuff out of their pockets. “Play our cool game! Oh, and thanks for all the personal details, sucker.”

Personally identifying information, or PII, is the data that identifies YOU as YOU. Birthday’s aren’t just birthdays anymore, they’re the keys that can unlock your bank accounts. So are maiden names, place of birth, the schools you went to, the people you’ve known.

Games People Play
Think about the security questions you’re asked to fill out on many web sites. If you’re answering the questions honestly (and there is something to be said for security through lying), the answers can be gleaned from your FB page.

Some of these “games” come in app form, while others are simply text-based chain letters: “Hey everybody, let’s play place of birth – post where you were born!” Consider the things you might share on Facebook: birthdays, calendar, contacts, vacation plans, photo album. That last one freaks me out the most. I do NOT use Facebook as a family photo album and I highly recommend that you don’t either, especially if you have kids. There are too many creeps out there.

Real-World Consequences
If you don’t believe this is a major problem, try these examples on for size:

Hackers Invade Accounts By Guessing Security Questions
This hack of Mitt Romney’s Hotmail email and Dropbox accounts is a great example of how answers to security questions can be gleaned. Amusement value: one of the questions was “pet’s name” which thanks to the infamous “car rooftop” incident is known to one and all as Seamus. Oops!

Similarly, Sarah Palin’s Yahoo! account got hacked during her campaign through correctly answering the security questions based on publicly available info.

Thieves Use Facebook To Rob Vacationers’ Homes
People posting their vacation plans to Facebook should do so after the fact. There are many instances of crooks using Facebook to scout vacant homes for theft. You can read about a few of them here and here.

If you think your Facebook friends would never do this to you, bear in mind that criminals create fake Facebook profiles that can be quite convincing. You might have a few ringers in your own friends list as we speak.

Facebook Doesn’t Delete Your Data
Even if you remove your information, there’s no guarantee it’s actually deleted. Facebook has long been criticized for not deleting data such as photos upon user request. Once you’ve posted something to Facebook, you can assume it’s there permanently.

Not only should you be concerned about what you are posting, but also what your friends are posting. If your friends add your birthday or other personal details without permission, ask them to remove it. While you’re at it, you could point them to this article and explain the dangers of too much online sharing.

An Uncontrolled Experiment
The truth is that these companies have not proven that they can be trusted with our data. There’s no history for this, no fossil record of what happens when we entrust our lives to the Internet. We are collectively engaging in a new human experience and we have no idea how it’s going to shake out.

So my advice is caution. Don’t use Facebook as a personal planner. That’s not what it’s for and you are endangering yourself and your friends by using it that way. Facebook is for sharing things with people, and the company has no intention of keeping anything you put on there private. There are other online tools for that purpose, although I also have concerns about those too, considering recent incidents like the Apple/Amazon customer service hack… but I digress.

The good news is that you can take advantage of Facebook’s viral nature to spread the things you want known far and wide: your business, charities you believe in, causes you think are just… and of course LOLcats and, in my case, Doctor Who jokes. But don’t put anything on there that you wouldn’t want made public, or you may live to regret it.

Ten Ways To Tell If Your Computer Is Infected With A Virus

Ever get that sinking feeling that something’s wrong with your computer? Here are ten ways to tell if your computer is infected with a virus.

Run a virus scan
A bit obvious, isn’t it? While you’re at it, make sure your antivirus program has been updated recently. If you haven’t bought a new version in a few years, now’s the time.

Run a second virus scan with a different program
Antivirus programs sometimes come up with different results. It’s a good idea to scan with a second program to pick up anything the first one left behind. However, you shouldn’t try to run two antivirus programs concurrently; they’ll conflict with each other. I like free programs Malwarebytes for PC and Sophos Antivirus for Mac.

Watch your computer’s behavior
Is it slower than usual, crashing, having a hard time redrawing the screen? These can all be signs that viruses are running in the background.

Monitor active programs
If a virus is running in the background, it may show up in the list of active programs. You can then click on it and End Task (Windows) or Force Quit (Mac). Bear in mind, though, most viruses will restart on reboot, and some will even regenerate on the spot no matter how many times you quit them.

  • Windows XP
    Ctrl-Alt-Delete, then click Task Manager
  • Windows Vista/7
    Ctrl-Shift-Esc
    or right-click the taskbar and click Start Task Manager
  • Mac OS X
    Option-Cmd-Escape (the Force Quit menu)
    or open a Terminal window and type ps -aef

Check your Web browser extensions
Browser extensions provide additional functionality on the Web. Some are terrific tools while others are sneaky little devils that serve you ads, slurp your data, and otherwise spy on you. Here’s how you can check your browser extensions.

Check your Sent folder
If your email is spewing spam, it may show up in your Sent Items folder. Viruses often commandeer email accounts to send spam.

Check your Facebook and Twitter
If there are all sorts of weird links on your Facebook wall that you didn’t post, your account may have been hijacked. And if that’s the case, it may have happened through a virus infection on your computer.

Start in Safe Mode
If your computer is so confused it won’t work properly, you can boot into Safe Mode which may allow you to diagnose the problem.

  • Windows XP, Vista, 7
    Hold down F8 at reboot (before the Windows logo)
  • Mac OS X
    Hold down Shift at reboot

Ask the Internet
Fortunately we don’t have to compute in a vacuum. If you think you’re infected with a particular virus, do a Web search on it. You’ll often find removal instructions and links to tools (just make sure those tools are legit and not themselves viruses in disguise).

Inspect your other computers
If one is infected, it’s likely the others are, too. You need to keep all your computers secure, even if they’re old or you don’t use them often.

Want more? Sign up for Tech Tips free by email and receive computer news straight to your inbox.

Apple & Amazon Customer Service Hacked: Can The Cloud Be Trusted?

Once your data is in the cloud you lose all control of it. A journalist’s online persona was recently hijacked through hackers’ clever and scary manipulation of Apple and Amazon’s tech support. This could happen to any of us, at any time.

A description of the incident from the journalist, Mat Honan, who works for Wired:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

The Price Of Cloud Computing?
This, folks, is the kind of thing that terrifies me. Years ago I wrote a post called Cloud Computing For Consumers Makes Me Cringe, in which I expressed my concerns over the proliferation of consumer tech based on the cloud. I’m far from the only one; the tech industry has been at each others’ throats for years. Some see the cloud as too vulnerable, while others say it’s a vital (and inevitable) resource.

It seems our fears have been realized. Like everyone else I want the fun new features of today’s devices, but I don’t trust the cloud, especially when I hear about incidents like the Apple+Amazon debacle.

I’ve been in tech support far too long to be fooled. I know other incidents are happening that we aren’t hearing about. I know my data is residing in places I don’t intend. I know that in some ways I’m helpless to stop that, but I can also choose which technology to embrace and which to reject. And I reject the idea that I need a distant datacenter for even the most minute of daily tasks.

Is It Too Late?
Of course that’s a largely symbolic statement. In reality, I’m already using the cloud in ways I don’t like, but was forced to. We all are. What scares me is that most people don’t know how cloud-dependent the world is becoming. They think they’re not using the cloud even when they are.

Apple leads the pack with iCloud. You can’t sneeze on an Apple device without it asking if you want to use iCloud. Soon you’ll have to use Apple’s cloud service even if all you want is to sync the basics like calendar and contacts. But once transferred, our data is not necessarily protected, as our poor Wired journalist learned. From an article about the incident:

On Aug. 3, an “epic hack” compromised technology journalist Mat Honan’s Twitter account. Along the way, the attacker–known as “Phobia”–also managed to remotely erase Honan’s Apple laptop, iPhone, and iPad. Furthermore, Phobia did it by socially engineering–as in, tricking–customer service representatives at Amazon and Apple, allowing him to gain sufficient information to first access Honan’s iCloud and Gmail accounts.

Manufacturers Need To Step Up Security
Granted, Honan did a few things that aided the criminal. He linked accounts together (notably Twitter), he didn’t activate all the security available on his devices, and he didn’t have good backups. But, in my opinion, that’s as much the fault of the manufacturers as it is the consumer.

We’re encouraged to link accounts. We’re encouraged to take advantage of all the shiny new features. There is never any fine print that says, “oh, by the way, if a hacker makes it this far, enabling this feature means you’re screwed.” And it’s not always clear that “turn this feature on” means “your data will be transmitted”.

I also lay blame at the manufacturers’ feet for their EpicFail on internal security practices that would have prevented the criminal from gaming the system to gain the information needed to break in.

The journalist was technically savvy and this still happened. Imagine how much harder for the average person! I know because I’ve spent most of my career helping small businesses and consumers with just this sort of problem, and there are few good solutions.

It’s not just Apple and Amazon. This is an industry-wide problem that the industry hasn’t addressed. Vendors are quick to point out new features: more speed, more memory, bigger, better, faster… but the consequences are not always recognized until after the technology has been embraced by the public.

How You Can Protect Yourself
Which means you, dear consumer, are on your own in deciding which technology is safe or unsafe. This is harder than it sounds. Like everything else in our advertising-driven world, some of the information you’ll read is sponsored by the people who sell the products. You have to sift, filter, and decide for yourself. (This blog, for the record, is sponsored solely by me.)

Personally I think it’s absolutely stupid that my modern iPad can’t do what my creaky old PalmPilot still can: sync data via a physical cable. Tech manufacturers need to GIVE US AN OFFLINE OPTION instead of forcing us to use the cloud because they obviously can’t secure the cloud.

I’m also looking at you, video game manufacturers. I chose not to play Diablo III specifically because it requires an always-on connection to the servers. Gee, now Blizzard is telling the Diablo and World of Warcraft players that those servers were hacked and their personal info was stolen. I like a good fantasy RPG as much as the next geek but not at that cost.

The industry is throwing us at the cloud because cloud computing makes it easier for them to write the programs and provide support for them. If everything’s in the cloud they don’t have to deal with multiple computer configurations, multiple devices, and tons of tech support headaches. “Hi, I’ve got a Palm V connecting via serial to a Pentium II running Windows 98, and somehow it won’t also connect to my new Windows 7 laptop…”

It’s my firm belief that every device should have a setup wizard that walks you through securing that device. This might not stop people gaming the system but it makes it a lot harder for them to get very far with your data, even if they do manage to break into your accounts.

The cloud may be easier for vendors, but not always so for consumers. My advice is to use it at your own risk.

Image: FreeDigitalPhotos.net