Friday, September 23, 2016

Monster DDoS, Yahoo woes, malware by mail - the week in review


Here is a recap of some more notable cyber security stories this week, along with short and simple things you can do.

Monster DDoS attack knocks Brian Krebs offline!

The story: Brian Krebs was a security writer for The Washington Post before hanging out his own shingle out as an investigative journalist. He is now renowned for his investigative work into cyber crime. To that end, he wrote "Spam Nation: The Inside Story of Organized Cybercrime," an eye-opening dive into the world of spam, malvertising, and grey-market pharmaceuticals last year. 

A few weeks ago Brian wrote a story exposing a "DDoS for hire" business, and a few days later, of the arrest of the newly-revealed masterminds. In grossly oversimplified terms, a DDoS (distributed denial of service) involves a huge number of systems simultaneously accessing a website, creating so much traffic that the site crashes. The attackers use malware to build a "botnet" of systems they control, and then use those systems to attack a victim.

This week, an as-yet unidentified attacker launched what is believed to be one of the largest distributed denial of service attacks ever seen against krebsonsecurity.com, ultimately knocking his web site offline Thursday afternoon.

* The links to Krebs' articles above lead to a mirror of his site, as the original site is still offline as of this writing.

What you should do: There is little an individual can do to prevent or counter a DDoS attack. On the other hand, individuals typically are not the target - Brian was targeted because of the reputation he has as a cyber crime sleuth (and perhaps in direct retaliation for the article he wrote).

You can, however, reduce the chances of your computers (or wifi router, or TV, or fridge, or light bulbs... sadly anything connected to the Internet can potentially be conscripted into a botnet) being part of the problem. 

  • Change the default passwords on anything you connect 
  • Use unique passwords for anything you care about
  • Turn off unnecessary browser plugins
  • Pay attention to the mobile apps you install
  • Download apps only from the well-known app stores (i.e. Google Play Store, Apple App Store, or Amazon App Store)
  • Set your computers up to use a domain name server (DNS) that blocks known malicious content. 
Don't worry if this sounds overwhelming - I've explained how to do this in plain English on my Cyber Tips page.


A half billion Yahoo! accounts leaked!

The story: Yahoo! confirmed Thursday afternoon that over 500 million accounts with names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, were stolen in late 2014.

The latter is a particular problem because, in many cases "security questions" are things that are not easily changed - what street did you grow up on, where did you meet your spouse, etc. For better or for worse (in my opinion, worse), these questions are commonly asked by many websites, and used to verify your identity if you forget your password and wish to reset it.

Having answers to these questions, a scammer may be able to gain access to other websites, even though they do not know the password.

Even if you do not have a Yahoo Mail account, you may still be affected: 
  • Photo sharing site Flickr is owned by Yahoo, and its accounts are Yahoo accounts. 
  • AT&T (and the former regional telephone companies - SBC Global, Southwestern Bell, etc.) has a long and tangled history with Yahoo, and many accounts are shared between them.
  • Some Frontier Mail accounts are hosted by Yahoo.
  • British telecommunications company BT at one time used Yahoo as its mail service and is advising its customers to change their passwords. 
  • Ditto for UK company Sky and its "Sky Yahoo Mail."
  • The list undoubtably goes on.

What you should do: In the last year or so, a huge number of email and account breaches have come to light. Most occurred in 2012, but this one happened at the end of 2014. I suggest assuming that any password created prior to 2016 has somehow been compromised. So...
  • Change any passwords, anywhere that matters to you, more than a year old
  • Avoid using the same password everywhere. This protects you in that if a password is stolen, it only unlocks that one account.
  • Remembering hundreds of passwords is a fool's errand, so don't. Use a password manager instead.
  • Where possible, enable two-factor authentication (where logging into a new or unrecognized device requires the password, plus a code provided by your phone or another trusted device)
  • Consider lying on security questions - or better yet, since you are using a password manager, let the password manager create and remember random answers to the security questions.

Malware in the mailbox!

The story: An Australian police department warned this week of homeowners finding USB flash drives in their letterboxes (mailboxes, for my US readers). Upon inserting the drives into their PCs, they encounter malware and fraudulent streaming media service offers. It's a twist on an old standby - hackers dropping malicious USB drives in a parking lot, in the hopes that an employee will plug into a company PC and give the hacker entrance to the company.

I can't help but remember the old AOL and Prodigy CD-ROM discs delivered as bulk mail long ago!

What you should do: If you find an unexpected USB device - whether in the mailbox, in the parking lot, or on your desk - don't plug it in! Remember the question every airline baggage handler in the world asks over and over again: has your luggage been out of your control? Just as a crook can slip something into unattended luggage, a cyber criminal can slip something onto an unattended USB drive. If you are not sure of the origin of a flash drive, just don't use it.

Hacker can take over any Facebook Page!

The story: Facebook Pages are similar to personal profiles, but for a business, organization, or cause. Indian researcher Arun Sureshkumar found a flaw in Facebook's Business Manager, that would allow a scammer to take over any Facebook Page in just a few seconds.

This story however has a happy ending: Arun reported his discovery to Facebook, who quickly confirmed and fixed the flaw. Facebook also paid Arun a $16,000 "bug bounty" - a reward for finding and reporting a significant flaw!

What you should do: Nothing! Facebook fixed the problem before anyone disclosed it publicly.