Fix for WannaCry

Megan Morrone talks to Iain Thomson about a possible fix for those infected with the WannaCry ransomware. Researchers have found a way to unlock affected computers. The tool, called wannakiwi, lets you avoid paying the bitcoin ransom, but only if you're running Windows XP, Windows 7 or Windows 2003, AND only if you haven't rebooted your PC since the attack. The key is not magic; it's math that works by finding the prime numbers the ransomware's code leaves in memory, which is why a reboot rules the fix out. A different tool called WannaKey was released yesterday but only worked on Windows XP and required a second app.
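The arithmetic the blurb refers to, as an added example that is not wannakiwi's or WannaKey's code: an RSA private key is fully determined by its two primes, so if one prime p can still be recovered, the other is n // p and the private exponent follows from the public key. The primes below are constructed toy values; a real key uses 1024-bit primes and, as the blurb says, the recovery tool reads them from the still-running process memory.

```python
# Added example (not the wannakiwi tool's code): rebuilding an RSA private key
# from one recovered prime plus the public key (n, e).


def rebuild_private_exponent(n: int, e: int, p: int) -> int:
    """Given the modulus n, public exponent e and one prime factor p, return d."""
    q, remainder = divmod(n, p)
    if remainder != 0:
        raise ValueError("p does not divide n: that is not one of this key's primes")
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    return pow(e, -1, phi)           # modular inverse of e (Python 3.8+)


def rsa_decrypt(ciphertext: int, n: int, d: int) -> int:
    """Textbook RSA decryption: m = c^d mod n."""
    return pow(ciphertext, d, n)


def demo() -> bool:
    # Constructed small primes; a real key's primes are ~1024 bits each.
    p, q, e = 1000003, 999983, 65537
    n = p * q
    message = 123456789                 # any integer smaller than n
    ciphertext = pow(message, e, n)     # what the ransomware would have done with the public key
    d = rebuild_private_exponent(n, e, p)   # what the recovery tool does once p is found
    return rsa_decrypt(ciphertext, n, d) == message
```

The check `n % p == 0` is what tells a recovery tool that a candidate number pulled from memory really is one of the key's primes; every other candidate is discarded on that test alone.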

This Week in Tech 614: $46 at the Piggly Wiggly

The WannaCry ransomware attack is far from over. Amazon introduces the Echo Show – will the touchscreen voice assistant/videophone flop? Microsoft announces its own voice assistant, the Cortana Speaker. The US plans to ban laptops on flights from Europe. Comcast and Charter agree not to compete on wireless. Russian hackers pwned by French presidential campaign.

–Christina Warren needs friends in Seattle.
–Father Robert Ballecer just got back from Malta.
–Roberto Baldwin got hung up on by AT&T customer service.
–Alex Wilhelm’s name will not set off your Amazon Voice Assistant.

Here’s what you should know, and do, about the Yahoo breach

By Lucian Constantin | IDG News Service | PCWorld

Yahoo’s announcement that state-sponsored hackers have stolen the details of at least 500 million accounts shocks both through scale—it’s the largest data breach ever—and the potential security implications for users.

That’s because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider; and email accounts are central to users’ online lives. Not only are email addresses used for private communications, but they serve as recovery points and log-in credentials for accounts on many other websites.

An email compromise is one of the worst data breaches that a person could experience online, so here’s what you should know:

Fifty shades of hashing

Yahoo said that the “vast majority” of the stolen account passwords were hashed with bcrypt. Hashing is a one-way cryptographic operation that transforms data into a set of random-looking characters that serves as its unique representation—this is called a hash.

Hashes are not supposed to be reversible, so they're a good way to store passwords. You take an input, such as a password, pass it through a hashing algorithm and compare the result to a previously stored hash.

This provides a way to verify passwords at log-in time without actually storing them in plain text in the database. But not all hashing algorithms offer equal protection against password cracking attacks that attempt to guess which plaintext password generated a specific hash.

Unlike the ageing MD5, which is quite easy to crack if implemented without additional security measures, bcrypt is considered a much stronger algorithm. This means that in theory, the likelihood of hackers cracking “the vast majority” of Yahoo passwords is very low.

But here’s the problem: Yahoo’s wording suggests that most, but not all passwords were hashed with bcrypt. We don’t know how many passwords were hashed with another algorithm, or which one it was. The fact that this hasn’t been specified in Yahoo’s announcement or FAQ page suggests that it’s an algorithm that’s weaker than bcrypt and that the company didn’t want to give away that information to attackers.

In conclusion, there's no way to tell whether your account was among those whose passwords were hashed with bcrypt, so the safest option at this point is to consider your email compromised and to do as much damage control as possible.

Don’t keep emails just because you can

Once hackers break into an email account they can easily discover what other online accounts are tied to that address by searching for sign-up emails. These are the welcome messages that most websites send when users open a new account, and which users rarely delete. These days most email providers offer enough storage space that users won’t ever have to worry about deleting messages.

Aside from exposing the links between an email address and accounts on various websites, those sign-up emails can also expose the specific account names chosen by the user, if different from their email address.

If you’re among the people who don’t delete welcome emails and other automatic notifications sent by websites, such as password resets, then you might want to consider doing so and even go back to clean your mailbox of such communications.

Sure, there might be other ways for hackers to find out if you have an account on a certain website, or even a number of websites, but why make it easier for them to compile a full list?

Be careful when asked for your personal details

Among the account information that hackers stole from Yahoo were real names, telephone numbers, dates of birth and, in some cases, unencrypted security questions and answers. Some of those details are sensitive and are also used for verification by banks and possibly government agencies.

There are very few cases when a website should have your real date of birth, so be judicious about providing it.

Also, don’t provide real answers to security questions, if you can avoid it. Make something up that you can remember and use that as answer. In fact, Yahoo doesn’t even recommend using security questions anymore, so you can go into your account’s security settings and delete them.

Check your email forwarding rules regularly

Email forwarding is one of those "set it and forget it" features. The option is buried somewhere in the email account settings that you never check, and if it's turned on there's little to no indication that it's active.

Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails and never log back in again. This also prevents the service from sending you notifications about repeated suspicious log-ins from unrecognized devices and IP addresses.
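One way to make that periodic check mechanical, as an added example that is not from the article or from any mail provider: export the mailbox rules and flag any that forward or redirect mail, with extra weight on the traits an intruder's rule tends to have (forwards off-domain, matches every message, deletes the original, carries a blank or one-character name). The JSON rule format and field names are an assumption constructed for the example; adapt them to whatever your provider's export actually produces.

```python
# Added example (not from the article): audit exported mailbox rules for silent forwarding.
import json

# Constructed: the domains this user legitimately controls.
OWN_DOMAINS = {"example.com"}

# Constructed export in an assumed, provider-neutral format. The second rule is the
# kind an intruder leaves behind: no conditions, a near-empty name, an external
# forward target, and deletion of the original so nothing looks out of place.
SAMPLE_EXPORT = json.dumps([
    {"name": "Receipts",
     "conditions": {"from_contains": "store.example.com"},
     "actions": {"move_to": "Receipts"}},
    {"name": ".",
     "conditions": {},
     "actions": {"forward_to": "backup-mail@attacker-mailbox.example.net", "delete": True}},
    {"name": "To phone",
     "conditions": {"subject_contains": "URGENT"},
     "actions": {"forward_to": "me@example.com"}},
])


def domain_of(address: str) -> str:
    """Part after the last '@', lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(export_json: str, own_domains):
    """Return one finding per forwarding/redirect rule that shows a suspicious trait."""
    findings = []
    for rule in json.loads(export_json):
        actions = rule.get("actions", {})
        target = actions.get("forward_to") or actions.get("redirect_to")
        if not target:
            continue  # moves, labels and similar are not what we are hunting for
        reasons = []
        if domain_of(target) not in own_domains:
            reasons.append("forwards outside your domains")
        if not rule.get("conditions"):
            reasons.append("matches every message")
        if actions.get("delete"):
            reasons.append("deletes the original, hiding the copy")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("near-empty name")
        if reasons:
            findings.append({"rule": rule.get("name"), "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_EXPORT, OWN_DOMAINS):
        print(finding)
```

A legitimate forward to your own phone or second mailbox still appears in the output if it matches everything or deletes the original; that is intended, since the point of the check is to make you look at every forwarding rule and confirm you created it.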

Two-factor authentication everywhere

Turn on two-factor authentication—this is sometimes called two-step verification—for any account that supports it. This will prompt the online service to ask for a one-time-use code sent via text message or generated by a smartphone app, in addition to the regular password, when you try to access the account from a new device.

It’s an important security feature that could keep your account secure even if hackers steal your password. And Yahoo offers it, so take advantage of it.

Don’t reuse passwords; just don’t

There are many secure password management solutions available today that work across different platforms. There's really no excuse for not having unique, complex passwords for every single account that you own. If you do want memorable passwords for a few critical accounts, use passphrases instead: sentences made up of words, numbers and even punctuation marks.

Here comes phishing

Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such incidents.

These emails can masquerade as security notifications, can contain instructions to download malicious programs passed off as security tools, can direct users to websites that ask them for additional information under the guise of "verifying" their accounts, and so on.

Be on the lookout for such emails and make sure that any instructions you decide to follow in response to a security incident come from the affected service provider or a trusted source.

This Android Trojan blocks victims from alerting banks

By Michael Kan | PCWorld

A new Trojan that can steal your payment data will also try to stymie you from alerting your bank.

Security vendor Symantec has noticed a “call-barring” function within newer versions of the Android.Fakebank.B malware family. By including this function, a hacker can delay the user from canceling any payment cards that have been compromised, the company said in a blog post.

Fakebank was originally detected in 2013. It pretends to be a normal Android app when in reality it tries to steal the user's money.

The malware works by first scanning the phone for specific banking apps. When it finds them, the Trojan will prompt the user to delete them and install malicious versions of those same apps.

The newer variants of Fakebank.B, however, will do more than just collect financial login data. They will also monitor whatever phone calls are made.

If the customer service numbers of certain banks are dialed, the Trojan will cancel the call, Symantec said. Instead, users will have to use email or another phone to reach their banks.

So far, this new Trojan has only been detected in Russia and South Korea. Symantec is advising users to refrain from downloading apps from less trustworthy sources, like third-party app stores.

The call-barring function shows how banking Trojans are continuing to evolve. Earlier this year, Symantec detected another kind called Android.Bankosy that can bypass voice-based two-factor authentication systems.

To do this, the Trojan will secretly activate call forwarding on the victim’s phone. All calls will then be redirected to the hacker’s own number.

Myspace hack puts at least 360 million users at risk

By | TechSpot

Time Inc., which recently acquired pioneering social network Myspace, has confirmed reports that the site was hacked. Like the Tumblr breach that we reported on yesterday, the compromised Myspace data dates back several years.

Time said earlier today that it first became aware shortly before Memorial Day weekend that stolen Myspace credentials were being made available in an online hacker forum. The data, which consists of usernames, passwords and e-mail addresses, was apparently swiped from the old Myspace platform – or in other words, prior to June 11, 2013, when the site was relaunched with strengthened security.

As of writing, Time says it doesn’t appear as though any financial data was compromised. What’s more, the breach does not impact any of Time’s other systems or subscribers.

Myspace is in the process of notifying affected users and is working with law enforcement in hopes of figuring out who was behind the attack. The site has also wiped all of the passwords of impacted users so at the very least, the data can’t be used to log into Myspace.

This is the second major security breach to surface this week in which the theft of data took place years earlier. Dated breaches like this may seem like less of a concern given their age but in fact, they present some unique challenges.

With data this old, it's entirely possible that it has already been picked through before being made available on the black market. Furthermore, people weren't quite as concerned with security and privacy in early 2013 as they are today, meaning passwords were probably a bit less complex on average. Using the same password across multiple sites was also more common back then, and it's entirely possible that some people haven't gone back and changed passwords for older accounts they might not use as often these days, like Myspace.

The only real silver lining here is that yes, the data is old and is less likely to be up-to-date.

In a post on Myspace’s blog, the site says it suspects Russian hacker “Peace” is responsible for the attack, the same person that recently posted LinkedIn and Tumblr data on the underground market.

Neither Time nor Myspace would say how many accounts were compromised although a report from LeakedSource says the data set contains a whopping 360,213,024 records. Each “record” may contain a username, e-mail address, password and in some cases, a second password. The site notes that more than 68 million records had a second password attached.

The publication further reports that passwords were hashed with SHA1 without salting. As you may know, salting is a technique that makes it much more difficult to crack passwords. Worse yet, LeakedSource reports that very few passwords were over 10 characters in length and nearly none of them contained an upper case letter, making them even easier to crack.
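To put the hashing discussion in the Yahoo piece above ("Fifty shades of hashing") and the unsalted SHA1 point here side by side, an added example that is not code from either article, from Yahoo or from Myspace: a Myspace-style unsalted SHA1 store falls to a single precomputed lookup table that works against every such database, while a salted, deliberately slow KDF gives each user a different hash and forces every guess to be recomputed per user. `hashlib.pbkdf2_hmac` stands in for bcrypt here (assumption: the bcrypt package is not available); the principle is the same. The wordlist and the "breached" hashes are constructed for the example.

```python
# Added example (not from the articles, Yahoo or Myspace): unsalted fast hash versus
# salted slow KDF for password storage, and login-time verification without plaintext.
import hashlib
import hmac
import os

# Constructed wordlist: the handful of guesses a cracker tries first.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "football", "iloveyou"]


def sha1_unsalted(password: str) -> str:
    """Myspace-style storage: one fast hash, no salt, so equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> plaintext once; the same table works against every unsalted database."""
    return {sha1_unsalted(w): w for w in wordlist}


def crack_unsalted(stored_hashes, table):
    """Every stored hash that appears in the table is recovered with a single dictionary lookup."""
    return {h: table[h] for h in stored_hashes if h in table}


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Salted, deliberately slow KDF (stand-in for bcrypt). Returns 'iterations$salt$hash'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Login-time check: recompute with the stored salt and compare; the plaintext is never stored."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    # Constructed "breached" table of three users' unsalted SHA1 hashes.
    unsalted_db = [sha1_unsalted(p) for p in ("letmein", "football", "Tr0ub4dor&3")]
    cracked = crack_unsalted(unsalted_db, build_lookup_table(COMMON_PASSWORDS))
    # The same password stored twice with random salts: different hashes, so no shared
    # table applies, and each guess costs a full KDF run per user.
    salted_a = pbkdf2_hash("letmein")
    salted_b = pbkdf2_hash("letmein")
    return {
        "cracked": sorted(cracked.values()),
        "salted_differ": salted_a != salted_b,
        "verify_ok": verify_pbkdf2("letmein", salted_a),
        "verify_bad": verify_pbkdf2("letmeout", salted_a),
    }


if __name__ == "__main__":
    print(demo())
```

The two weak passwords fall to the table instantly; the third survives only because it is not in the wordlist, which is the "less complex on average" problem the article raises. With the salted KDF the table is useless, and the iteration count is the knob that turns a billion guesses per second into a few thousand.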

This botnet has infected nearly a million devices since 2014

By | TechSpot

One of the many ways that cybercriminals earn income is through affiliate advertising programs like Google’s AdSense. Rather than generate traffic through content creation, hackers figure out ways to trick advertising platforms into thinking a partner is sending them legitimate traffic. Not knowing they’re being scammed, the advertising platform pays the partner for the referral.

Such is the case with a clickbot known as Redirector.Paco which Bitdefender Labs detailed on Monday.

According to the security firm, Redirector.Paco has been active in the wild since September 2014. On an infected system, whenever you perform a query on a popular search engine like Bing, Google or Yahoo, the search results are replaced with affiliate links which, when clicked, generate revenue for the hacker.

Bitdefender Labs says the malware is able to redirect traffic by making a few simple registry tweaks on the infected system that tell the browser to send the traffic to a different address. The malware attempts to make the search results look authentic, although there are signs – like messages in the status bar referencing a proxy – that indicate something is amiss.

Lengthy load times are also an indicator of infection, Bitdefender Labs said.

The malware has infected more than 900,000 IPs worldwide, most of which are located in Algeria, Brazil, Greece, India, Italy, Malaysia, Pakistan and the US. The payload is typically injected into modified installers for trusted programs including Connectify, WinRAR, KMSPico, Start8, Stardock and YouTube Downloader.
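A check a defender can run for the symptom described above (a browser quietly told to send traffic through a proxy), as an added example that is not Bitdefender's code: parse a `reg export` of the per-user Internet Settings key and flag an enabled proxy that is not on an approved list, or a proxy auto-config script. That this is the key Windows and its browsers read for proxy settings is an assumption about where such a tweak lands, not a claim about Paco's exact registry changes, which the article does not detail. The two exports below are constructed, and the proxy address and PAC host are documentation-range placeholders.

```python
# Added example (not Bitdefender's code): audit a .reg export of the Internet Settings
# key for proxy settings the user did not configure.
import re

# Constructed export of an infected-looking configuration (placeholder addresses).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"
"AutoConfigURL"="http://203.0.113.7/proxy.pac"
"""

# Constructed export of a clean configuration.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"""

INTERNET_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# One value line of a .reg file: "Name"=dword:XXXXXXXX or "Name"="string"
_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")$')


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: value}} for the dword and string values in the export."""
    values, current_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        match = _VALUE_LINE.match(line)
        if match and current_key:
            if match.group("dword") is not None:
                value = int(match.group("dword"), 16)
            else:
                value = match.group("str")
            values.setdefault(current_key, {})[match.group("name")] = value
    return values


def audit_proxy_settings(text: str, approved_proxies=frozenset()) -> list:
    """Flag an enabled proxy that is not approved, and any proxy auto-config script."""
    settings = parse_reg_export(text).get(INTERNET_SETTINGS, {})
    findings = []
    if settings.get("ProxyEnable", 0) == 1:
        server = settings.get("ProxyServer", "")
        if server not in approved_proxies:
            findings.append(f"proxy enabled and pointed at unapproved server {server!r}")
    pac_url = settings.get("AutoConfigURL")
    if pac_url:
        findings.append(f"proxy auto-config script configured: {pac_url}")
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_settings(SAMPLE_REG_EXPORT):
        print(finding)
```

On a managed corporate machine pass the known proxy in `approved_proxies`; on a home PC the approved set is normally empty, so any enabled proxy or PAC URL is worth explaining.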

Tech support scammers now utilizing ransomware-like lock screens to threaten people

By Justin Luna | Neowin

Many of us are well aware of the classic tech support scam, where a cold caller claims to be from the "Windows company" and tells the recipient that their computer has been found to be full of viruses. These callers then use fake Blue Screens of Death to convince the victim that something really is wrong with their PC.

Tactics like these can be shut down easily with a few built-in Windows tools and a few keystrokes. Scammers, however, have been seen improving their game and are now incorporating lock screens in order to intimidate users even more.

The technique borrows from the infamous ransomware, where a malicious program encrypts a user's files and leaves the PC stuck on a lock screen prompting them to pay up.

In this case, the scammers trick victims into thinking that their Windows license has expired, and then remove any ability for the user to control their computer. "This is not a fake browser pop up that can easily be terminated by killing the application or restarting the PC. No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will not get rid of it," according to Jérôme Segura of Malwarebytes Labs.

There is an entire ecosystem for distributing this malware, one part of which is bundling it into Pay Per Install applications. "What you thought was a PC optimizer or Flash Player update turns out to be a bunch of useless toolbars and, in some cases, one of these lockers," said Segura.

Security researcher @TheWack0lian has shared a sample showing how the new tech support scam tactic works. A genuine-looking Microsoft program installs without any particular incident, and the malware then waits for the user to restart the system. On reboot, the user is greeted by what looks like Windows configuring updates, though this is already the malware kicking in.

Once its "process" is done, it displays an error screen saying that the user's Windows license has expired. It even takes the time to display the user's current license key and computer name, to make it look more legitimate.

As far as the user can tell, the only way to unlock the system is to dial the number flashed on the screen, which leads to the cold-calling tech support scammers, who are eager to steal victims' personal information as well as their credit card numbers. When the researchers called the number, they discovered that the locker has a hidden function: pressing Ctrl+Shift+T displays an installer for TeamViewer, a remote access program. The scammer, however, refused to proceed with unlocking the computer unless a payment of $250 was made.

Fortunately, the researchers were able to find a way to bypass the lock screen. Victims can press Ctrl+Shift and then the S key. Alternatively, entering "h7c9-7c67-jb", "g6r-qrp6-h2" or "yt-mq-6w" into the "Product Key" field unlocks the PC. This may only work for some versions of the rogue program, however.

With programs like these evolving rapidly before our eyes, it is alarming to see how easily such malware can take innocent and susceptible people hostage, playing on their fears while stealing their money.

It always pays to be wary of where we go on the internet and what links we click on. Good security software is also handy for blocking malware that can ruin not only our computers but possibly a part of our lives as well.

Facebook pays $10,000 to 10-year-old for finding Instagram flaw that allowed comments to be deleted

By | TechSpot

You have to be at least 13 years old to have an account on Instagram, but this didn’t stop one 10-year-old Finnish boy from exposing a vulnerability in the Facebook-owned photo-sharing application and winning $10,000 for his work.

Helsinki-based Jani (his parents didn’t reveal his last name) discovered that he could erase any written content on Instagram by altering code on its servers. Facebook told Forbes that he verified this by deleting a comment the company posted on a test account.

The Facebook spokesperson added that the problem came from a private application program interface not properly checking that the person deleting the comment was the same one who posted it.
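The class of bug the spokesperson describes, a delete endpoint that checks only that the caller is logged in and not that the caller owns the object, shown beside the fixed version as an added example that is not Instagram's or Facebook's code. The in-memory comment store, the function names and the denied-attempt log are constructed for the example.

```python
# Added example (not Instagram's code): missing object-level authorization on a
# delete-comment API, and the fixed handler that checks ownership and logs refusals.
from dataclasses import dataclass


@dataclass
class Comment:
    id: int
    author: str
    text: str


class CommentStore:
    """Constructed stand-in for the comments table."""

    def __init__(self):
        self.comments = {}
        self.denied = []  # (caller, comment_id) pairs refused by the fixed handler

    def add(self, author: str, text: str) -> int:
        comment_id = len(self.comments) + 1
        self.comments[comment_id] = Comment(comment_id, author, text)
        return comment_id


def delete_comment_vulnerable(store: CommentStore, caller: str, comment_id: int) -> bool:
    """The bug: authentication only. Any logged-in caller can delete any comment by id."""
    if not caller:
        raise PermissionError("login required")
    return store.comments.pop(comment_id, None) is not None


def delete_comment_fixed(store: CommentStore, caller: str, comment_id: int) -> bool:
    """Authentication plus object-level authorization: the comment must belong to the caller."""
    if not caller:
        raise PermissionError("login required")
    comment = store.comments.get(comment_id)
    if comment is None:
        return False  # same answer as "not yours", so ids cannot be enumerated by the reply
    if comment.author != caller:
        store.denied.append((caller, comment_id))  # worth alerting on: it is someone probing ids
        return False
    del store.comments[comment_id]
    return True


if __name__ == "__main__":
    store = CommentStore()
    target = store.add("alice", "first!")
    print("vulnerable:", delete_comment_vulnerable(store, "mallory", target))
    store = CommentStore()
    target = store.add("alice", "first!")
    print("fixed:", delete_comment_fixed(store, "mallory", target), store.denied)
```

The denied list is the detection side: a burst of ownership refusals from one account against sequential comment ids is exactly the pattern a tester (or an attacker) produces while probing an endpoint like this.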

"I tested whether the comments section of Instagram can handle harmful code. Turns out it can't. I noticed that I can delete other people's comments from there," Jani told Helsinki-based newspaper Iltalehti. "I could have deleted anyone's – like Justin Bieber's for example."

Facebook’s bug bounty program rewards people who identify and report security issues. In the five years since it launched, it has paid $4.3 million to more than 800 researchers for over 2400 submissions. Instagram was added to the program in 2014.

Payouts vary based on the level of risk a bug poses. Considering the average reward last year was only $1780, Jani’s $10,000 shows that Facebook regarded it as a fairly high-level threat.

Jani, who learned his skills by watching YouTube instructional videos, is now the youngest person to receive a reward from the program, beating the record set by a 13-year-old back in 2013. He said he plans to buy a football and new bicycle with some of the money.