Category Archives: computer security

Are Lawyers the Best Judge of Cybersecurity?

I had to do a double-take when I read that Japan’s deputy chief of government cybersecurity strategy, Yoshitaka Sakurada said he has never used a computer. That pretty quickly became a

The post Are Lawyers the Best Judge of Cybersecurity? appeared first on The Cyber Security Place.

What Your Password Says About You

At the end of last year, a survey revealed that the most popular password was still “123456,” followed by “password.” These highly hackable choices persist despite years of education around the importance of password security. So, what does this say about people who pick simple passwords? Most likely, they are shooting for a password that is easy to remember rather than super secure.

The urge to pick simple passwords is understandable given the large number of passwords that are required in our modern lives, from banking, social media, and online services to simply unlocking our phones. But choosing weak passwords can be a major mistake, opening you up to theft and identity fraud.

Even if you choose complicated passwords, the recent rash of corporate data breaches means you could be at even greater risk by repeating passwords across accounts. When you repeat passwords, all a hacker needs to do is breach one service provider to obtain a password that can unlock a string of accounts, including your online banking services. These accounts often include identity information, leaving you open to impersonation. The bad guys could open up fraudulent accounts in your name, for example, or even collect your health benefits.

So, now that you know the risks of weak password security, let’s see what your password says about you. Take this quiz to find out, and don’t forget to review our password safety tips below!

Password Quiz – Answer “Yes” or “No”

  1. Your passwords don’t include your address, birthdate, anniversary, or pet’s name.
  2. You don’t repeat passwords.
  3. Your passwords are at least 8 characters long and include numbers, upper and lower case letters, and characters.
  4. You change default passwords on devices to something hard to guess.
  5. You routinely lock your phone and devices with a passcode or fingerprint.
  6. You don’t share your passwords with people you’re dating or friends.
  7. You use a password manager.
  8. If you write your passwords down, you keep them hidden in a safe place, where no one else can find them.
  9. You get creative with answers to security questions to make them harder to guess. For example, instead of naming the city where you grew up, you name your favorite city, so someone who simply reads your social media profile cannot guess the answer.
  10. You make sure no one is watching when you type in your passwords.
  11. You try to make your passwords memorable by including phrases that have meaning to you.
  12. You use multi-factor authentication.

Now, give yourself 1 point for each question you answered “yes” to, and 0 points for each question you answered “no” to. Add them up to see what your password says about you.

9-12 points:

You’re a Password Pro!

You take password security seriously and know the importance of using unique, complicated passwords for each account. Want to up your password game? Use multi-factor authentication, if you don’t already. This is when you use more than one method to authenticate your identity before logging in to an account, such as typing in a password, as well as a code that is sent to your phone via text message.

4-8 points

You’re a Passable Passworder

You go through the basics, but when it comes to making your accounts as secure as they can be you sometimes skip important steps. Instead of creating complicated passwords yourself—and struggling to remember them—you may want to use a password manager, and let it do the work for you. Soon, you’ll be a pro!

1-3 points

You’re a Hacker’s Helper

Uh oh! It looks like you’re not taking password security seriously enough to ensure that your accounts and data stay safe. Start by reading through the tips below. It’s never too late to upgrade your passwords, so set aside a little time to boost your security.

Key Tips to Become a Password Pro:

  • Always choose unique, complicated passwords—Try to make sure they are at least 8 characters long and include a combination of numbers, letters, and characters. Don’t repeat passwords for critical accounts, like financial and health services, and keep them to yourself. Also, consider using a password manager to help create and store unique passwords for you. This way you don’t have to write passwords down or memorize them. Password managers are sometimes offered as part of security software.
  • Make your password memorable—We know that people continue to choose simple passwords because they are easier to remember, but there are tricks to creating complicated and memorable passwords. For instance, you can string random words together that mean something to you, and intersperse them with numbers and characters. Or, you can choose random letters that comprise a pattern only known to you, such as the first letter in each word of a sentence in your favorite book.
  • Use comprehensive security software—Remember, a strong password is just the first line of defense. Back it up with robust security software that can detect and stop known threats, help you browse safely, and protect you from identity theft.

For more great password tips, go here.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post What Your Password Says About You appeared first on McAfee Blogs.

“League of Legends” YouTube Cheat Links: Nothing to “LOL” About

If you’re an avid gamer, you’ve probably come across a game that just seems impossible to complete. That’s because, thanks to the internet, it’s so simple to look for cheats to games on YouTube to help you level up. Most cheats exist in the form of software patches that execute files in order to activate the cheat. However, malware and PUP (short for “potentially unwanted program”) authors are using gaming cheats to trick users into downloading their malicious files in order to make a profit. And that’s exactly what YouTube channel owner “LoL Master” has been doing to “League of Legends” players.

So how exactly does this “LoL Master” trick these innocent users? The cybercriminal uploads videos to his or her YouTube channel that demonstrate how to use various cheat files, which also provide links pointing to websites that allegedly distribute cheats and stolen accounts. When players click on these links, however, they’re now exposed to cyberthreats.

When on these sites, players will be prompted to download the cheat files, but the files are actually bundled with other malicious files uploaded by wannabe cybercriminals. If users click download, PUP installers distribute the bundled files and push them onto a victim’s device. “LoL Master” makes a profit on these downloads while the victim’s device suffers from malware.

“League of Legends” players may not pick up on this scheme for a number of reasons. First, the file hosting site falsely claims that the malware analysis software VirusTotal scanned the file. Second, the site attempts to block antimalware scanners from detecting the malicious files by putting them in a password-protected zip file. If the player isn’t using antimalware software, the PUP installer will push adware or other malicious software onto the victim’s device once they unzip the file.

So, what steps can players take to avoid this malicious trick? Check out the following tips to help protect your online security:

  • Browse with caution. Although it may seem harmless to peruse YouTube comments and descriptions, malware and PUP authors use this as a vector to push their malicious downloads. Use discretion when clicking on any links included in these comments.
  • Don’t download something unless it comes from a trusted source. It is one thing to browse around YouTube comments, it is another entirely to download items from sketchy sites. Only download software from legitimate sources, and if you’re unsure if the site is trustworthy, it is best to just avoid it entirely.
  • Use security software to surf the web safely. It can be hard to identify which sites out there are malicious. Get some support by using a tool like McAfee WebAdvisor, which safeguards you from cyberthreats while you browse.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post “League of Legends” YouTube Cheat Links: Nothing to “LOL” About appeared first on McAfee Blogs.

Users Warned Against Unofficial Sites Pushing Notepad2 Adware Bundles





Users looking to download the well-known Notepad replacement called Notepad2 are once again cautioned to beware of sites that are made to look official but actually distribute Notepad2 as an adware bundle.

A search returned a result for a site called Notepad2.com; when the same search was done through Bing, its information card stated that the official site is flos-freeware.ch. Although Notepad2.com looked different and more marketing-oriented, users would simply assume that the developer had made a dedicated site for the program. The only odd thing to be observed was that the logo it used was very similar to the one for Notepad++.

It is not until the user attempts to download the executable, and ESET blocks the file from being downloaded, that they realize something is wrong. Only when they scroll to the very bottom of the page will they see a statement that this is an “unofficial website dedicated to the opensource software”. That is the moment they realize the site was plainly made to distribute adware bundles in order to generate a few bucks for the developer.

Once downloaded, the installer has the name Notepad2-x64_1746715231.exe. When executed, however, it quickly becomes evident that this is an adware bundle. After clicking Next, the user is shown various offers. On a Windows 10 machine, the user may be offered Opera, and on an Any.Run install it may be the game War Thunder.

When it has finished installing the offers, it downloads a zipped copy of Notepad2 and saves it in the Downloads folder.

This shows that even users who think they know how to spot tricks and scams, have a good understanding of computer security and malware, and try to be diligent can still get into trouble on the web.

Users are therefore advised to be extremely careful out there and to do more research before downloading software, unless they know it comes from a reputable source, which is ideally the developer's website.


IoT Lockdown: Ways to Secure Your Family’s Digital Home and Lifestyle

If you took an inventory of your digital possessions, chances are most of your life — everything from phones to toys, to wearables, to appliances — has wholly transitioned from analog to digital (rotary to wireless). What you may not realize is that with this dramatic transition comes a fair amount of risk.

Privacy for Progress

With this massive tech migration, an invisible exchange has happened: Privacy for progress. Here we are intentionally and happily immersed in the Internet of Things (IoT). IoT is defined as everyday objects with computing devices embedded in them that can send and receive data over the internet.

That’s right. Your favorite fitness tracking app may be collecting and giving away personal data. That smart toy, baby device, or video game may be monitoring your child’s behavior and gathering information to influence future purchases. And, that smart coffee maker may be transmitting more than just good morning vibes.

A Gartner report estimated there were 8.4 billion connected “things” in 2017 and as many as 20 billion by 2020. The ability of some IoT devices is staggering and, frankly, a bit frightening. Data collection ability from smart devices and services on the market is far greater than most of us realize. Rooms, devices, and apps come equipped with sensors and controls that can gather and inform third parties about consumers.

Lockdown IoT devices:

  • Research product security. With so many cool products on the market, it’s easy to be impulsive and skip your research but don’t. Read reviews on a product’s security (or lack of). Going with a name brand that has a proven security track record and has worked out security gaps may be the better choice.
  • Create new passwords. Most every IoT device will come with a factory default password. Hackers know these passwords and will use them to break into your devices and gain access to your data. Take the time to go into the product settings (general and advanced) and create a unique, strong password.
  • Keep product software up-to-date. Manufacturers often release software updates to protect customers against vulnerabilities and new threats. Set your device to auto-update, if possible, so you always have the latest, safest upgrade.
  • Get an extra layer of security. Managing and protecting multiple devices in our already busy lives is not an easy task. To make sure you are protected consider investing in software that will give you antivirus, identity and privacy protection for your PCs, Macs, smartphones, and tablets—all in one subscription.
  • Stay informed. Think about it, crooks make it a point to stay current on IoT news, so shouldn’t we? Stay a step ahead by staying informed. Keep an eye out for any news that may affect your IoT security (or specific products) by setting up a Google alert.

A connected life is a good life, no doubt. The only drawback is that criminals fully understand our growing dependence and affection for IoT devices and spend most of their time looking for vulnerabilities. Once they crack our network from one angle, they can reach other data-rich devices and possibly access private and financial data.

As Yoda says, “with much power comes much responsibility.” Discuss with your family the risks that come with smart devices and how to work together to lock down your always-evolving, hyper-connected way of life.

Do you enjoy podcasts and wish you could find one that helps you keep up with digital trends and the latest gadgets? Then give McAfee’s podcast Hackable a try.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post IoT Lockdown: Ways to Secure Your Family’s Digital Home and Lifestyle appeared first on McAfee Blogs.

Ghouls of the Internet: Protecting Your Family from Scareware and Ransomware

It’s the middle of a workday. While researching a project, a random ad pops up on your computer screen alerting you of a virus. The scary-looking, flashing warning tells you to download an “anti-virus software” immediately. Impulsively, you do just that and choose either the free or the $9.99 option to get the critical download.

But here’s the catch: There’s no virus, no download needed, you’ve lost your money, and worse, you’ve shared your credit card number with a crook. Worse still, your computer screen is now frozen or sluggish as your new download (disguised malware) collects the data housed on your laptop and funnels it to a third party to be used or sold on the dark web.

Dreadful Downloads

This scenario is called scareware — a form of malware that scares users into fictitious downloads designed to gain access to your data. Scareware bombards you with flashing warnings to purchase a bogus commercial firewall, computer cleaning software, or anti-virus software. Cybercriminals are smart and package the suggested download in a way that mimics legitimate security software to dupe consumers. Don’t feel bad, a lot of intelligent people fall for scareware every day.

Sadly, a more sinister cousin to scareware is ransomware, which can unleash serious digital mayhem into your personal life or business. Ransomware scenarios vary and happen to more people than you may think.

Malicious Mayhem

Ransomware is a form of malicious software (also called malware) that is a lot more complicated than typical malware. A ransomware infection often starts with a computer user clicking on what looks like a standard email attachment, only that attachment unlocks malware that will encrypt or lock computer files.

A ransomware attack can cause incredible emotional and financial distress for individuals, businesses, or large companies or organizations. Criminals hold data ransom and demand a fee to release your files back to you. Many people think they have no choice but to pay the demanded fee. Ransomware can be large-scale, such as the attack on the City of Atlanta, which is considered the largest, most expensive cyber disruption in city government to date, or the WannaCry attack last year that affected some 200,000+ computers worldwide. Ransomware attacks can be aimed at any number of data-heavy targets such as labs, municipalities, banks, law firms, and hospitals.

Criminals can also get very personal with ransomware threats. Some reports of ransomware include teens and older adults receiving emails that falsely accuse them of browsing illegal websites. The notice demands payment or else the user will be exposed to everyone in his or her contact list. Many of these threats go unreported because victims are too embarrassed to do anything.

Digital Terrorists

According to the Cisco 2017 Annual Cybersecurity Report, ransomware is growing at a yearly rate of 350% and, according to Microsoft, accounted for roughly $325 million in damages in 2015. Most security experts advise against paying any ransoms since paying the ransom is no guarantee you’ll get your files back and may encourage a second attack.

Cybercriminals are fulltime digital terrorists and know that a majority of people know little or nothing about their schemes. And, unfortunately, as long as our devices are connected to a network, our data is vulnerable. But rather than living anxiously about the possibility of a scareware or ransomware attack, your family can take steps to reduce the threat.

Tips to keep your family’s data secure:

Talk about it. Education is first, and action follows. So, share information on the realities of scareware and ransomware with your family. Just discussing the threats that exist, sharing resources, and keeping the issue of cybercrime in the conversation helps everyone be more aware and ready to make wise decisions online.

Back up everything! A cybercriminal’s primary goal is to get his or her hands on your data, and either use it or sell it on the dark web (scareware) or access it and lock it down for a price (ransomware). So, back up your data every chance you get on an external hard drive or in the cloud. If a ransomware attack hits your family, you may panic about your family photos, original art, writing, or music, and other valuable content. While backing up data helps you retrieve and restore files lost in a potential malware attack, it won’t keep someone from stealing what’s on your laptop.

Be careful with each click. Being aware and mindful of the links and attachments you’re clicking on can reduce your chances of malware attacks in general. However, crooks are getting sophisticated and linking ransomware to emails from seemingly friendly sources. So, if you get an unexpected email with an attachment or random link from a friend or colleague, pause before opening the email attachment. Only click on emails from a trusted source.

Update devices. Making sure your operating system is current is at the top of the list when it comes to guarding against malware attacks. Why? Because nearly every software update contains security improvements that help secure your computer from new threats. Better yet, go into your computer settings and schedule automatic updates. If you are a Windows user, immediately apply any Windows security patches that Microsoft sends you.

Add a layer of security. It’s easy to ignore the idea of a malware attack — until one happens to you. Avoid this crisis by adding an extra layer of protection with a consumer product specifically designed to protect your home computer against malware and viruses. Once you’ve installed the software, be sure to keep it updated since new variants of malware arise all the time.

If infected: Worst case scenario, if you find yourself with a ransomware notice, immediately disconnect everything from the Internet. Hackers need an active connection to mobilize the ransomware and monitor your system. Once you disconnect from the Internet, follow these next critical steps. Most security experts advise against paying any ransoms since paying the ransom is no guarantee you’ll get your files back and may encourage a second attack.

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Ghouls of the Internet: Protecting Your Family from Scareware and Ransomware appeared first on McAfee Blogs.

Have You Talked to Your Kids About a Career in Cybersecurity?

Here’s some cool trivia for you: What profession currently has a zero-percent unemployment rate, pays an average of $116,000 a year, and is among the top in-demand jobs in the world? A lawyer? A pharmacist? A finance manager, perhaps?

Nope. The job we’re talking about is a cybersecurity specialist and, because of the increase in cyber attacks around the world, these professionals are highly employable.

Job Security

According to numbers from the Bureau of Labor and Statistics, a career in cybersecurity is one of the most in-demand, high-paying professions today with an average salary of $116,000, or approximately $55.77 per hour. That’s nearly three times the national median income for full-time wage and salary workers. How’s that for job security?

Why is the demand so high? Sadly, because there are a lot of black hats (bad guys) out there who want our data — our user IDs, passwords, social security numbers, and credit card numbers. Every month it seems banks, hospitals, and major corporations are reporting security breaches, which has put global cybersecurity talent at an estimated deficit of two million professionals.

It’s exciting to see gifts and passions emerge in our kids as they grow and mature. If a child is good at math and sciences, we might point them toward the medical field. If a child shows an affinity for English and communication skills, maybe a law, teaching, or media career is in their future.

But what about a cybersecurity expert? Have you noticed any of these skills in your kids?

Cybersecurity skills/traits:

Problem-solving
Critical thinking
Flexible/creative problem solving
Collaborative, team player
Continual learner
Gaming fan
A sense of duty, justice
Persistent, determined
Works well under pressure
Curious and perceptive
Technology/tech trend fan
Verbal and written communications

Education

Most jobs in cybersecurity require a four-year bachelor’s degree in cybersecurity or a related field such as information technology or computer science. Students take coursework in programming and statistics, ethics, and computer forensics, among other courses.

Conversation Starters

First, if your child has some of the skills/personality traits mentioned, how do you start directing him or her toward this field? The first place to begin is in the home. Model smart cybersecurity habits. Talk about digital safety, the importance of protecting personal data and the trends in cybercrimes. In short, model and encourage solid digital citizenship and family security practices.

Second, bring up the possibility, or plant the seed. Be sure to encourage both boys and girls equally. Help your child find answers to his or her questions about careers in computer and data science, threat research, engineering and information on jobs such as cybersecurity analyst, vulnerability analyst, and penetration tester.

Third, read and share takeaways from Winning The Game, a McAfee report that investigates the key challenges facing the IT Security industry and the possible teen gaming link to a successful cybersecurity career.

Additional resources*

CyberCompEx. A connection point for everything cybersecurity including forums, groups, news, jobs, and competition information.

CyberCorps® Scholarship for Service. SFS is a program providing scholarships and stipends to undergraduate and graduate students studying cybersecurity at participating institutions. Great for those who want to work in government.

CyberPatriot. This site is created by the Air Force Association (AFA) to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM).

GenCyber. This is a summer cybersecurity camp for K-12 students and teachers that focuses on inspiring kids to direct their talents toward cybersecurity skills and closing the security skills gap.

National CyberWatch Center. The National CyberWatch Center is a consortium of higher education institutions, public and private businesses, and government agencies focused on advancing cybersecurity education and strengthening the workforce.

National Initiative for Cybersecurity Careers and Studies. NICCS provides information on cybersecurity training, formal education, and workforce development.

National Initiative for Cybersecurity Education. NICE is an initiative to energize and promote a robust network and an ecosystem of cybersecurity education, cybersecurity careers, training, and workforce development.

*Resource list courtesy of Stay Safe Online.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Have You Talked to Your Kids About a Career in Cybersecurity? appeared first on McAfee Blogs.

As Search Engines Blacklist Fewer Sites, Users More Vulnerable to Attack

Turns out, it’s a lot harder for a website to get blacklisted than one might think. A new study found that while the number of bot malware infected websites remained steady in Q2 of 2018, search engines like Google and Bing are only blacklisting 17 percent of infected websites they identify. The study analyzed more than six million websites with malware scanners to arrive at this figure, noting that there was also a six percent decrease in websites being blacklisted over the previous year.

Many internet users rely on these search engines to flag malicious websites and protect them as they surf the web, but this decline in blacklisting sites is leaving many users just one click away from a potential attack. This disregard of a spam attack kit on search engine results for these infected sites can lead to serious disruption, including a sharp decline in customer trust. Internet users need to be more vigilant than ever now that search engines are dropping the ball on blacklisting infected sites, especially considering that total malware went up to an all-time high in Q2, representing the second highest attack vector from 2017-2018, according to the recent McAfee Labs Threats Report.

Another unsettling finding from the report was that incidents of cryptojacking have doubled in Q2 as well, with cybercriminals continuing to carry out both new and traditional malware attacks. Cryptojacking, the method of hijacking a browser to mine cryptocurrency, saw quite a sizable resurgence in late 2017 and has continued to be a looming threat ever since. McAfee’s Blockchain Threat Report discovered that almost 30,000 websites host the Coinhive code for mining cryptocurrency with or without a user’s consent—and that’s just from non-obfuscated sites.

And then, of course, there are just certain search terms that are more dangerous and leave you more vulnerable to malware than others. For all of you pop culture aficionados, be careful which celebrities you digitally dig up gossip around. For the twelfth year in a row, McAfee researched famous individuals to assess their online risk and which search results could expose people to malicious sites, with this year’s Most Dangerous Celebrity to search for being “Orange is the New Black’s” Ruby Rose.

So, how can internet users protect themselves when searching for the knowledge they crave online, especially considering many of the most popular search engines simply aren’t blacklisting as many bot malware infected sites as they should be? Keep these tips in mind:

  • Turn on safe search settings. Most browsers and search engines have a safe search setting that filters out any inappropriate or malicious content from showing up in search results. Other popular websites like iTunes and YouTube have a safety mode to further protect users from potential harm.
  • Update your browsers consistently. A crucial security rule of thumb is always updating your browsers whenever an update is available, as security patches are usually included with each new version. If you tend to forget to update your browser, an easy hack is to just turn on the automatic update feature.
  • Be vigilant of suspicious-looking sites. It can be challenging to successfully identify malicious sites when you’re using search engines but trusting your gut when something doesn’t look right to you is a great way of playing it safe.
  • Check a website’s safety rating. There are online search tools available that will analyze a given URL in order to ascertain whether it’s a genuinely safe site to browse or a potentially malicious one infected with bot malware and other threats.
  • Browse with security protection. Utilizing solutions like McAfee WebAdvisor, which keeps you safe from threats while you search and browse the web, or McAfee Total Protection, a comprehensive security solution that protects devices against malware and other threats, will safeguard you without impacting your browsing performance or experience.

To keep abreast of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post As Search Engines Blacklist Fewer Sites, Users More Vulnerable to Attack appeared first on McAfee Blogs.

#CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity

It wasn’t Kiley’s fault, but that didn’t change the facts: The lending group denied her college loan due to poor credit, and she didn’t have a plan B. Shocked and numb, she began to dig a little deeper. She discovered that someone had racked up three hefty credit card bills using her Social Security Number (SSN) a few years earlier.

Her parents had a medical crisis and were unable to help with tuition, and Kiley’s scholarships didn’t cover the full tuition. With just months left before leaving to begin her freshman year at school, Kiley was forced to radically adjust her plans. She enrolled in the community college near home and spent her freshman year learning more than she ever imagined about identity protection and theft.

The Toll: Financial & Emotional

Unfortunately, these horror stories of childhood identity theft are all too real. According to Javelin Strategy & Research, more than 1 million children were the victim of identity fraud in 2017, resulting in losses of $2.6 billion and more than $540 million in out-of-pocket costs to the families.

The financial numbers don’t begin to reflect the emotional cost victims of identity theft often feel. According to the 2017 Identity Theft Aftermath report released by the Identity Theft Resource Center, victims report feeling rage, severe distress, angry, frustrated, paranoid, vulnerable, fearful, and — in 7% of the cases — even suicidal.

Wanted: Your Child’s SSN

Sadly, because of their clean credit history, cyber crooks love to target kids. Also, identity theft among kids often goes undiscovered for more extended periods of time. Thieves have been known to use a child’s identity to apply for government benefits, open bank or credit card accounts, apply for a loan or utility service, or rent a place to live. Often, until the child grows up and applies for a car or student loan, the theft goes undetected.

Where do hackers get the SSNs? Sources include data breaches at schools, pediatrician offices, and banks, as well as home robberies. A growing area of concern involves medical identity theft, which gives thieves the ability to access prescription drugs and even expensive medical treatments using someone else’s identity.

6 Ways to Build #CyberAware Kids

  1. Talk, act, repeat. Identity theft isn’t a big deal until it personally affects you or your family; only then, it’s too late. Discuss identity theft and its fallout with your kids. But don’t just talk — put protections in place. Remind your child (again) to keep personal information private. (Yes, this habit includes keeping passwords and personal data private even from BFFs!)
  2. Encourage kids to be digitally savvy. Help your child understand the tricks hackers play to steal the identities of innocent people. Identity thieves will befriend children online with the goal of gathering personal information to steal their identity. Thieves are skilled at trolling social networks looking at user profiles for birth dates, addresses, and names of family members to piece together the identity puzzle. Challenge your kids to be on the hunt for imposters and catfishes. Teach them to be suspicious about links, emails, texts, pop-up screens, and direct messages from “cute” but unknown peers on their social media accounts. Teach them to go with their instincts and examine websites, social accounts, and special shopping offers.
  3. Get fierce about data protection. Don’t be quick to share your child’s SSN or secondary information such as date of birth, address, and mother’s maiden name, and teach your kids to do the same. Also, never carry your child’s (or your) physical Social Security card in your wallet or purse. Keep it in a safe place, preferably under lock and key. Only share your child’s data when necessary (school registration, passport application, education savings plan, etc.) and only with trusted individuals.
  4. File a proactive fraud alert. By submitting a fraud alert in your child’s name with the credit bureaus several times a year, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days. When the time runs out, you’ll need to reactivate the alert. You can achieve the same thing by filing an earnings report from the Social Security Administration. The report will reveal any earnings acquired under your child’s social security number.
  5. Know the warning signs. If someone is using your child’s data, you may notice: 1) Pre-approved credit card offers addressed to them arriving via mail 2) Collection agencies calling and asking to speak to your child 3) Court notices regarding delinquent bills. If any of these things happen, your first step is to call and freeze their credit with the three credit reporting agencies: Equifax, Experian, and TransUnion.
  6. Report theft. If you find a violation of your child’s credit of any kind, go to IdentityTheft.gov to report the crime and begin restoring your child’s credit. This site is easy to navigate and takes you step-by-step down the path of restoring stolen credit.

Building digitally resilient kids is one of the primary tasks of parents today. Part of that resilience is taking the time to talk about this new, digital frontier that is powerful but has a lot of security cracks in it that can negatively impact your family. Getting fierce about identity protection can save your child (and you) hours and even years of heartache and financial loss.

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post #CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity appeared first on McAfee Blogs.

5 Reasons Why Strong Digital Parenting Matters More than Ever

As a parent raising kids in a digital culture, it’s easy to feel at times as if you have a tiger by the tail and that technology is leading your family rather than the other way around.

But that familiar feeling — the feeling of being overwhelmed, outsmarted, and always a step or two behind the tech curve — is just a feeling; it’s not a fact.

Digital Parenting Matters

The fact is, you are the parent. That is a position of authority, honor, and privilege in your child’s life. No other person (device, app, or friend group) can take your place. No other voice is more influential or audible in your child’s mind and heart than yours.

It’s true that technology has added several critical skills to our parenting job description. It’s true that screens have become an integral part of daily life and that digital conversation can now shape our child’s self-image and perspective of his or her place in the world. All of this digital dominance has made issues such as mental health, anxiety, and cyberbullying significant concerns for parents.

What’s also true is that we still have a lot of control over our kids’ screen time and the role technology plays in our families. Whether we choose to exercise that influence is up to us, but the choice remains ours.

Here are just a few reasons why strong digital parenting matters more than ever. And, some practical tools to help you take back any of the influence you feel you may have lost in your child’s life.

5 Digital Skills to Teach to Your Kids

Resilience

According to the American Psychological Association, resilience building is the ability to adapt well to adversity, trauma, tragedy, threats or even significant sources of stress. Resilience isn’t something you are born with. Kids become resilient over time and more so with an intentional parent. Being subject to the digital spotlight each day is a road no child should have to walk alone. September is National Suicide Prevention Month and an excellent opportunity to talk to your kids about resilience building. Digital Parenting Skills: Helping kids understand concepts like conflict-management, self-awareness, self-management, and responsible decision-making is one of the most critical areas of parenting today. Start the conversations, highlight examples of resilience in everyday life, model resilience, and keep this critical conversation going.

Empathy

Empathy is the ability to understand and share the feelings of another person. Unfortunately, in the online space, empathy isn’t always abundant, so it’s up to parents to introduce, model, and teach this character trait. Digital Parenting Skills: According to Dr. Michele Borba, author of #UnSelfie: Why Empathetic Kids Succeed in Our All-About-Me World, there are 9 empathy-building habits parents can nurture in their kids including Emotional Literacy, Moral Identity, Perspective Taking, Moral Imagination, Self Regulation, Practicing Kindness, Collaboration, Moral Courage, and Altruistic Leadership Abilities.

Life Balance

Screentime is on the rise, and there’s no indication that trend is going to change. If we want kids that know the value of building an emotionally and physically healthy life, then teaching (and modeling) balance is imperative today. Digital Parenting Skills: Model screentime balance in your life. Be proactive in planning device-free activities for the whole family, and use software that will help you establish time limits on all devices. You might be surprised how just a few small shifts in your family’s tech balance can influence the entire vibe of your home.

Reputation Management


Most kids work reasonably hard to curate and present a specific image on their social profiles to impress their peers. Few recognize that within just a few years, colleges and employers will also be paying attention to those profiles. One study shows that 70% of employers use search engines and social media to screen candidates. Your child’s digital footprint includes everything he or she says or does online. A digital footprint includes everything from posts to casual “likes,” silly photos, and comments. Digital Parenting Skills: Know where your kids go online. Monitor their online conversations (without commenting publicly). Don’t apologize for demanding they take down inappropriate or insensitive photos, comments, or retweets. The most important part of monitoring is explaining why the post has to come down. Simply saying “because I said so,” or “that’s crude,” isn’t enough. Take the time to discuss the reasons behind the rules.

Security and Safety

It’s human nature: Most of us aren’t proactive. We don’t get security systems for our homes or cars until a break-in occurs to us or a close friend. Often, we don’t act until it gets personal. The same is true for taking specific steps to guard our digital lives. Digital Parenting Skills: Talk to your kids about online risks including scams, viruses and malware, identity fraud, predators, and catfishing. Go one step further and teach them about specific tools that will help keep them safe online. The fundamentals of digital safety are similar to teaching kids habits such as locking the doors, wearing a seatbelt or avoiding dangerous neighborhoods.

Your kids may be getting older and may even shrug off your advice and guidance more than they used to but don’t be fooled, parents. Kids need aware, digitally savvy parents more than ever to navigate and stay safe — both emotionally and physically — in the online arena. Press into those hard conversations and be consistent in your digital parenting to protect the things that truly matter.

Want to connect more to digital topics that affect your family? Stop by ProtectWhatMatters.online. Also, join the digital security conversation on Facebook.

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post 5 Reasons Why Strong Digital Parenting Matters More than Ever appeared first on McAfee Blogs.

Family Tech: How Safe is Your Child’s Personal Data at School?

Right about now, most kids are thinking about their chemistry homework, the next pep rally, or chiming in on their group text. The last thing on their minds as they head back to school is cybersecurity. But, it’s the one thing — if ignored — that can wreck the excitement of a brand new school year.

You’ve done a great job, parent. You’ve equipped their phones, tablets, and laptops with security software. And, you’ve beefed up safeguards on devices throughout your home. These efforts go a long way in protecting your child’s (and family’s) privacy from prying eyes. Unfortunately, when your child walks out your front door and into his or her school, new risks await.

No one knows this season better than a cybercriminal. Crooks know there are loopholes in just about every school’s network and that kids can be easy targets online. These security gaps can open kids up to phishing scams, privacy breaches, malware attacks, and device theft.

The school security conversation

Be that parent. Inquire about your school’s security protocols. The K-12 Cybersecurity Resource Center reports that 358 school breaches have taken place since January of 2016. Other reports point to an increase in hackers targeting school staff with phishing emails and seeking student social security numbers to sell on the dark web.

A few questions to consider:

  • Who has physical and remote access to your student’s digital records and what are the school’s protection practices and procedures?
  • How are staff members trained and are strong password protocols in place?
  • What security exists on school-issued devices? What apps and software are being used, and how will those apps collect and use student data?
  • What are the school’s data collection practices? Do data collection practices include encryption, secure data retention, and lawful data sharing policies?
  • What is the Bring Your Own Device (BYOD) policy?

The data debate

As K-12 administrators strive to maintain secure data collection practices for students, those same principles may be dubious as kids move on to college. As reported by Digiday, one retailer may be quietly disassembling privacy best practices with a bold “pay with data” business model. The Japanese coffee chain Shiru Café offers students and faculty members of Brown University free coffee in exchange for entering personal data into an online registry. Surprisingly, the café attracts some 800 customers a day and is planning on expanding its business model to more college campuses.

The family conversation

Keep devices close. Kids break, lose, lend, and leave their tech unattended and open to theft. Discuss responsible tech ownership with your kids. Stolen devices are privacy gold mines.

Never share passwords. Kids express their loyalty to one another in different ways. One way that’s proving popular but especially unsafe nowadays is password sharing. Remind kids: It’s never okay to share passwords to devices, social networks, or school platforms. Never. Password sharing opens up your child to a number of digital risks.

Safe clicking, browsing practices. Remind kids when browsing online to watch out for phishing emails, fake news stories, streaming media sites, and pop-ups offering free downloads. A bad link can infect a computer with a virus, malware, spyware, or ransomware. Safe browsing also includes checking for “https” in the URL of websites. If the website only loads with an “http,” the website may not be enforcing encryption.

Be more of a mystery. Here is a concept your kids may or may not latch on to but challenge them to keep more of their everyday life a mystery by posting less. This includes turning off location services and trying to keep your whereabouts private when sharing online. This challenge may be fun for your child or downright impossible, but every step toward boosting privacy is progress!

Discuss the risk of public Wi-Fi. Kids are quick to jump on Wi-Fi wherever they go so they can use apps without depleting the family data plan. That habit poses a big problem. Public Wi-Fi is a magnet for hackers trying to get into your device and steal personal information. Make sure every network your child logs on to requires a password to connect. Go a step further and consider using a Virtual Private Network (VPN) for added security for your whole family.

Want to connect more to digital topics that affect your family? Stop by ProtectWhatMatters.online, and follow @McAfee_Family on Twitter. Also, join the digital security conversation on Facebook.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Family Tech: How Safe is Your Child’s Personal Data at School? appeared first on McAfee Blogs.

Microsoft Cortana Allows Browser Navigation Without Login: CVE-2018-8253

A locked Windows 10 device with Cortana enabled on the lock screen allows an attacker with physical access to the device to do two kinds of unauthorized browsing. In the first case, the attacker can force Microsoft Edge to navigate to an attacker-controlled URL; in the second, the attacker can use a limited version of Internet Explorer 11 using the saved credentials of the victim.

In June we published our analysis of a full login bypass mechanism for all Windows 10 devices for which Cortana is enabled on the lock screen. (This is still the default option.) The discovery of the full login bypass was part of a wider research effort into what access the digital assistant Cortana might offer to an adversary when the device is locked. This post details these two additional issues; we reported them to Microsoft at the same time we reported the login bypass. The two new flaws have now been addressed as part of Microsoft’s August update. Some of the issues are also partially mitigated by modifying the answer obtained from a Bing search query.

In the first scenario, a Cortana privilege escalation leads to forced navigation on a lock screen. The vulnerability does not allow an attacker to unlock the device, but it does allow someone with physical access to force Edge to navigate to a page of the attacker’s choosing while the device is still locked. This is not a case of BadUSB, man in the middle, or rogue Wi-Fi, just simple voice commands and interacting with the device’s touchscreen or mouse.

Several months ago, researchers from Israel demonstrated a similar attack using a BadUSB device, masquerading as a network interface card to inject content into trusted HTTP sites while using Cortana to force navigation. Microsoft has since removed this ability to navigate directly to a domain and instead now opens a search in Bing over HTTPS to the domain in question. Some of our findings could also be combined with a BadUSB approach.

We explored whether one could still force navigation to an attacker-controlled page. In short, yes, one can, but it does take some extra effort.

Cortana is very helpful when it comes to defining terms, or looking up corporations, movies, artists, or athletes. She can even do math. However, Cortana’s behavior and the answers she gives are affected by the way you ask a question. For example, if you were to ask the colloquial question “Hey Cortana, what is McAfee?” you would get a quick answer directly from a Bing search. If, however, you asked only “Hey Cortana, McAfee,” you would receive a more detailed response, including links to various trusted sites. These include Wikipedia, Twitter, Facebook, LinkedIn, and the “official website” (more later on this important link).

Cortana’s answers to similar but not identical queries about “McAfee.”

It is surprising that links are offered and clickable when the device is locked. If you start your favorite network sniffer or man-in-the-middle proxy, you will see that the links are visited as soon as the user clicks on them, irrespective of the device’s locked status.

This means we can force navigation to a website (though not yet the one we want) when the device is locked. However, we have seen that Cortana can be picky in how she offers results. Bing must already know these results, and most links are known trusted sites.

That leaves us with the official website. You might recognize this terminology: It is a common link presented by Wikipedia. If you look at the bottom of a Wikipedia article, you will often find a link to an official website.

Could Cortana just use Wikipedia as a trusted source? After a few delightful conversations with her, we can confirm that the official website for items she refers from Wikipedia is indeed the same as the Official Website link on Wikipedia. The correlation is not one-to-one, however: an official website link on Wikipedia does not guarantee that Cortana will display the corresponding link. We assume there is some possible weighting of the domain name or logic in the Bing output that influences Cortana’s displayed links.

We can leverage this information to craft a fake Wikipedia entry, add enough content to get the review to succeed, add an official website link, and see what Cortana presents. Wikipedia reviewers do a pretty good job of vetting content, but we also need Bing to become aware of the entry so that Cortana could offer the answer and the link. Because of the time-dependent factor of the approach (and the ethical aspect of tampering with Wikipedia content in a malicious way), we decided to take a different path—although others could use this attack vector.

Instead of creating an entry in Wikipedia, making sure that Bing indexes it and that Cortana provides the official website link, we opted for an alternative. We can instead hunt Wikipedia for unmaintained or dead official website links. Fortunately for us, Wikipedia maintains a list of “dead links” and “permanent dead links.” A search for “Xbox Linux” looks like this:

To aid in our hunt, Wikipedia has a fairly robust search engine that accepts regular expressions.

With just a little bit of tinkering we come up with the following search:

insource:/\{official (website)?\|https?\:\/\/[^}]+\.com\/[^}]\}\}\{\{dead link/

This is neither an exhaustive list, nor the most efficient regular expression, but it does find some candidates without triggering the Wikipedia query timeout.

The next step is to write a script to parse the output, grab a list of domains, and check whether they are actually vacant. Many of them are still registered but do not serve any content; others are live despite the “dead link” tag. We end up with a list of domains, some more expensive than others, that are vacant.

What will Cortana display for each of these Wikipedia entries? One after another, we ask. In retrospect, writing a text-to-speech script would have been faster. Cortana responds surprisingly well to other digital speech synthesizers.

Many of the entries do not provide the official website link, but some do. It is annoying that the way you ask the question interferes with the results. Not only is the phrasing of the question important; the decision of whether to dictate a word or spell it out may change the answer. To obtain the answer you want from Cortana, you may have to combine both approaches.

For example, we asked “Hey Cortana, what is Miss Aruba?” We saw, while the device was locked, the following answer:

The official website link points to “hxxp://www.missaruba.aw.” A quick search shows the domain is still available.

In conclusion, we now have Wikipedia articles for which Cortana will display an official website link, and for which the domain is available for purchase. After spending $11.99 for a cheaper domain, we own one.

Although it took some regular-expression authoring, some scripting, and buying a domain, this method was faster and more satisfying than waiting for Bing to publish and index a new Wikipedia entry.

After this setup, what can we accomplish? We can ask Cortana (either via the interactive icon or vocal command “Hey Cortana”) to conduct a search while the device is locked. When she replies, we can click on the official website link and observe as Edge retrieves the content while the device remains locked. To put a malicious spin on this unauthorized access, we have at least one straightforward option. We could install the latest exploit kit on our newly acquired domain and infect any locked Windows 10 PC with Cortana enabled without ever logging in. This attack could occur at a coffee shop, retailer, bank, or against targeted individuals. This configuration is the default on Windows, and our research has shown that many users never disable Cortana from the lock screen.

Digital voice assistants can be useful, but they must also be considered an attack vector. Although some may think this is a “noisy” vector, not applicable when stealth is required, you can employ techniques such as the DolphinAttack, which uses inaudible voice commands to close an air gap. Or if you have physical access to the device, a $5 3.5mm-jack cable will do as well.

An inexpensive 3.5mm-jack cable for silent interaction.

How can we protect against this attack vector? You can disable Cortana on your lock screen. Microsoft should not allow navigation to untrusted websites until it receives permission from the authenticated user, confirming on login that the user wants to visit a site.

Self-service Internet Explorer from the Windows lock screen

When we investigate a technology, we sometimes find that our initial findings are less substantial than what we learn after further investigation. Our research into Cortana and this attack surface was no different. What if one could surf the web freely with a full-fledged browser such as Internet Explorer 11, with access to cached credentials and autocomplete on a locked Windows 10 device? All thanks to Cortana? That could be much more impactful than browsing to just one URL.

That is possible with Cortana’s skills. It makes sense that Cortana offers skills similar to those of Amazon’s Alexa or Google Assistant. But it does not make sense to offer these skills directly from the lock screen when they are not yet configured.

One example is the “Real Estate Search” skill. While conversing with Cortana to analyze the capabilities she could offer an attacker, we found that she occasionally offered to try skills, including Real Estate Search.

One easy trigger is to ask “Hey Cortana, I want to sell my house.” This leads to the following screen:

If we click “Real Estate Search,” we get a login screen. Instead of logging in, let’s look at the other links offered by the interface. In the current case, the “Privacy Policy” link seems interesting:

Cortana’s skill login screen with a link to Privacy Policy.

Opening the link, we see a lengthy policy. If we scroll to the bottom of the page, we discover a few social media icons:

Privacy policy screen with links to social media sites.

These icons are indeed links, allowing us to reach Facebook or YouTube, and from there the rest of the Internet:

Reaching Facebook from the lock screen of a Windows 10 system.

Let’s summarize. You left for lunch with your new Windows Surface Book locked on your desk. Cortana is on by default on your lock screen. Your disk is encrypted. What could go wrong?

Anybody who has physical access to your locked device can start browsing the web. What if someone were to navigate to a work-unfriendly website from your device, or post inflammatory comments in a public forum that could be attributed to your device’s IP address?

A device-specific attribution would be bad, but could you use the same method to post or access something from a real person’s name or account? We next investigated which browser is being used. Is it a Cortana custom browser? Is it a sandboxed Microsoft Edge? It is actually a customized Internet Explorer 11 restricted engine running in the context of AuthHost.exe. (We will publish another analysis on this limited “browser” because its properties and lack of security mechanisms could become handy for red teams.)

This is the Internet Explorer engine and not the full browser, though both JavaScript and cookies are enabled. Worse, this incarnation shares the autocomplete and credentials saved in the context of the current user’s Internet Explorer session.

Thus in addition to posting a comment on a public forum from another user’s device while the device is locked, you can also impersonate the user thanks to its cached credentials.

One potential attack scenario arises if a corporation offers a mechanism to reset Windows credentials via a web server but does not require users to reenter the old password. One could simply navigate to the reset link, input a new password, exit the limited navigator, and unlock the device with the newly set password, all from a locked computer.

We have explored a couple of attack scenarios and security issues in this post, and we will continue our investigation into Cortana and other digital assistants as an attack vector. Your best mitigation at this point is to turn off Cortana on the lock screen. Here is a good tutorial on how to do so.
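The mitigation above can be checked and enforced from PowerShell. This is an added example, not code from the original post: the registry locations are not named on the page and are assumed here to be the Windows 10 values behind the "Allow Cortana above lock screen" policy and the per-user Settings toggle, and the function names are hypothetical.

```powershell
# Added example: audit whether Cortana is reachable from the lock screen.
# Assumption: these are the Windows 10 registry values for the machine-wide
# policy and the per-user Settings toggle; neither path appears in the post.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$PolicyVal = 'AllowCortanaAboveLock'
$UserKey   = 'HKCU:\Software\Microsoft\Speech_OneCore\Preferences'
$UserVal   = 'VoiceActivationEnableAboveLockscreen'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (the OS default applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-CortanaLockScreenState {
    $policy = Get-RegDword -Path $PolicyKey -Name $PolicyVal
    $user   = Get-RegDword -Path $UserKey   -Name $UserVal
    [pscustomobject]@{
        MachinePolicy = $policy   # 0 = blocked for every user on the device
        UserSetting   = $user     # 0 = switched off by the current user only
        # A missing value is treated as exposed, since the post states that
        # Cortana on the lock screen is the default configuration.
        Exposed       = ($policy -ne 0) -and ($user -ne 0)
    }
}

function Disable-CortanaAboveLock {
    # Writes the machine-wide policy, so it needs an elevated session.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run from an elevated PowerShell session.' }

    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyVal `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

# Report the current state; enforce only when you choose to.
$state = Get-CortanaLockScreenState
$state | Format-List
if ($state.Exposed) {
    Write-Warning 'Cortana is available on the lock screen. Run Disable-CortanaAboveLock to block it.'
}
```

A per-user value of 0 protects only that account; the machine policy is the setting to deploy across a fleet.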

 

The post Microsoft Cortana Allows Browser Navigation Without Login: CVE-2018-8253 appeared first on McAfee Blogs.

Computer Security Tips: Stay Safe Online

In recent times cyber security has raised the level of awareness and public consciousness as never before. Both large corporations and big organizations try to take care of online security as much as they can. That’s why cyber criminals and hackers have focused more on smaller companies and single entrepreneurs. This awful tendency leads to […]

Code Injection and API Hooking Techniques

Hooking covers a range of techniques used for many purposes like debugging, monitoring, intercepting messages, extending functionality etc. Hooking is also used by a lot of rootkits to camouflage themselves on the system. Rootkits use various hooking techniques when they have to hide a process, hide a network port, redirect file writes to some different […]

Advanced Malware Analysis Training Session 11 – (Part 2) Dissecting the HeartBeat RAT Functionalities

Here is the quick update on this month’s Local Security meet (SX/Null/G4H/owasp) and our advanced malware training session on (Part 2) Dissecting the HeartBeat RAT Functionalities. This is part of our FREE ‘Advanced Malware Analysis Training’ series started from Dec 2012. In this extended session, I explained “Decrypting various Communications Of HeartBeat […]

Advanced Malware Analysis Training Session 10 – (Part 1) Reversing & Decrypting Communications of HeartBeat RAT

Here is the quick update on this month’s Local Security meet (SX/Null/G4H/owasp) and our advanced malware training session on (Part 1) Reversing & Decrypting Communications of HeartBeat RAT. This is part of our FREE ‘Advanced Malware Analysis Training’ series started from Dec 2012. In this extended session, I explained “Decrypting The […]

Our Local Security Meet [19th October 2013] – Bangalore

Talks: 09:30 – 10:00: WebSockets for Beginners – Prasanna K. WebSockets is definitely one of the brighter features of HTML5. It allows for easy and efficient real-time communication with the server. It’s very useful when you’re developing an interactive application like chat, game, real time reporting system etc. From a security standpoint there are many […]

Using PEB to Get Base Address of Kernelbase.dll

Process Environment Block (PEB) is a user mode data structure which applies over a whole process. It is designed to be used by the application-mode code in the operating system libraries, such as NTDLL.dll, Kernel32.dll. Through the use of PEB one can obtain the list of loaded modules, process startup arguments, ImageBaseAddress, heap address, check […]