Thursday, December 21, 2017

Taking Facebook Quizzes Could Put You at Risk for Identity Theft


From phishing schemes to a thief pilfering your passport, there are plenty of ways to fall victim to identity theft. And now, participating in Facebook quizzes is one of them. As ABC News reports, the seemingly harmless surveys that populate your feed could wind up providing unscrupulous hackers with the answers to your online security questions.

Popular Facebook quizzes often ask users to answer a series of sharable personal questions, ranging from the name of their pet to their birth city. Some people see them as a fun way to bond with friends, or a way to make new ones. But as one local police department in Massachusetts recently noted on Facebook, many of these queries are similar—if not identical—to security questions used by banks and other institutions.

"Please be aware of some of the posts you comment on," the Sutton Police Department in Massachusetts wrote in a cautionary message. "The posts that ask what was your first grade teacher, who was your childhood best friend, your first car, the place you [were] born, your favorite place, your first pet, where did you go on your first flight … Those are the same questions asked when setting up accounts as security questions. You are giving out the answers to your security questions without realizing it."

Hackers can use these questions to build a profile and hack into your accounts or open lines of credit, the department said. They could also trick you into clicking on malicious links.

Experts say it's OK to take part in a Facebook quiz, but you should never reveal certain personal facts. Take quizzes only from respected websites, and always carefully vet ones that ask for your email address to access the poll or quiz. And while you're at it, consider steering clear of viral memes, like this one from 2017, which asked Facebook users to name memorable concerts (yet another common security question).

A Cute Toy Just Brought a Hacker Into Your Home

If anyone ordered any of these cute little dolls, you may want to reconsider. 
Originally written by SHEERA FRENKEL, DEC. 21, 2017
Earlier this year, Germany’s Federal Network Agency, the country’s regulatory office, said the My Friend Cayla doll was “an illegal espionage apparatus.” Credit Tony Cenicola/The New York Times

SAN FRANCISCO — My Friend Cayla, a doll with nearly waist-length golden hair that talks and responds to children’s questions, was designed to bring delight to households. But there’s something else that Cayla might bring into homes as well: hackers and identity thieves.

Earlier this year, Germany’s Federal Network Agency, the country’s regulatory office, labeled Cayla “an illegal espionage apparatus” and recommended that parents destroy it. Retailers there were told they could sell the doll only if they disconnected its ability to connect to the internet, the feature that also allows in hackers. And the Norwegian Consumer Council called Cayla a “failed toy.”

The doll is not alone. As the holiday shopping season enters its frantic last days, many manufacturers are promoting “connected” toys to keep children engaged. There’s also a smart watch for kids, a droid from the recent “Star Wars” movies and a furry little Furby. These gadgets can all connect with the internet to interact — a Cayla doll can whisper to children in several languages that she’s great at keeping secrets, while a plush Furby Connect doll can smile back and laugh when tickled.

But once anything is online, it is potentially exposed to hackers, who look for weaknesses to gain access to digitally connected devices. Then once hackers are in, they can use the toys’ cameras and microphones to potentially see and hear whatever the toy sees and hears. As a result, according to cybersecurity experts, the toys can be turned to spy on little ones or to track their location.

“Parents need to be aware of what they are buying and bringing home to their children,” said Javvad Malik, a researcher with cybersecurity company AlienVault. “Many of these internet-connected devices have trivial ways to bypass security, so people have to be aware of what they’re buying and how secure it is.”

The problem isn’t new, but it’s growing as manufacturers introduce a wider range of toys that can connect online, part of an overall trend of “smart” electronics. About 8.4 billion “connected things” will be in use worldwide this year, according to estimates from research firm Gartner, up 31 percent from 2016, with the number projected to rise to 20.4 billion by 2020.

Sarah Jamie Lewis, an independent cybersecurity researcher who tested toys ahead of the holiday season, said many of the products did not take basic steps to ensure their communications were secure and that a child’s information would be protected. She said the toys acted as “uncontrolled spy devices” because manufacturers failed to include a process that would allow the gadget to connect to the internet only through certain trusted devices.

Consider the Furby Connect doll made by Hasbro, a furry egg-shaped gadget that comes in teal, pink and purple. Researchers from Which?, a British charity, and the German consumer group Stiftung Warentest recently found that the Bluetooth feature of the Furby Connect could enable anyone within 100 feet of the doll to hijack the connection and use it to turn on the microphone and speak to children.

Researchers recently found the Furby Connect’s Bluetooth connection could be hijacked by hackers, letting them turn on the doll’s microphone and speak to children. Credit Tony Cenicola/The New York Times

Then there’s the Q50, a smart watch for children. Marketed as a way to help parents easily communicate with and keep track of their kids, bugs in the watch would allow hackers to “intercept all communications, remotely listen to the child’s surroundings and spoof the child’s location,” according to a report by Top10VPN, a consumer research company this month.

And the BB-8 droid, which was released with “The Last Jedi” this month, also had an insecure Bluetooth connection, according to Ms. Lewis’s tests.

SinoPro, the Chinese manufacturer of the Q50 watch, and Genesis, the maker of the Cayla doll, did not respond to requests for comment. Sphero, the maker of the BB-8 connected droid, said the toy is “adequately secure.” Hasbro said the Furby Connect complies with the United States Children’s Online Privacy Protection Act, and that it hired third-party testers to perform security testing on the toy and app.

Toy manufacturers have long searched for ways to bring toys alive for children. While microphones and cameras introduced some level of responsiveness, those interactions were generally limited to a canned response preset by a manufacturer. Internet connections opened up a new wealth of possibilities; now the toys can be paired with a computer or cellphone to allow children to constantly update their toys with new features.

The My Friend Cayla doll, for example, uses speech recognition software coupled with Google Translate. The doll’s microphone records speech and then transmits it over the internet, a function that leaves it open to hackers, according to cybersecurity researchers. If the doll’s owner does not designate a specific cellphone or tablet with which the doll should have an internet connection, anyone within 50 feet of the toy can use the Bluetooth connection to gain access to it. Security researchers have also raised concerns over what type of data the doll collects, and how the data is used.



Last year, a cyberattack on VTech Holdings, a digital toymaker, exposed the data of over 6.4 million people, including names, date of birth and gender, in what experts said was the largest known breach to date that targeted children.

For parents looking to fulfill their holiday wish-lists, the first step is knowing about the risks involved with internet-connected toys. Earlier this year, the F.B.I. issued a broad warning about such toys, advising parents to pay particular attention to how a toy connected to the internet. If a toy connects wirelessly through Bluetooth, it should require some type of unique pin or password, to make sure that connection is secure.

The F.B.I. also recommended that connected toys be able to receive updates from the manufacturers so they are kept up-to-date. And if the toy stores data, parents should investigate where that data is stored and how securely the company guards the data of its customers.

At a Target store this month in Emeryville, Calif., Sarah Lee, a 37-year-old mother of three, said she was rethinking her choices of presents for her children after hearing about the risks of connected toys.

“That’s so scary, I had no idea that was possible,” she said. “What’s the worst hackers can do? Wait, no, don’t tell me. I’d just rather get my kids an old-fashioned doll.”

Sunday, November 26, 2017

Beware of this smartphone scam on Cyber Monday

Here is how to get deals without getting hacked

This Cyber Monday, nearly $11 billion in holiday shopping could be at risk of diversion and theft.

Black Friday and Cyber Monday are a busy time for scam artists.

American shoppers are gearing up for the biggest shopping week of the year, with revenue expected to surpass the $9.36 billion spent over the four-day Black Friday weekend in 2016 — and fraudsters are ready to cash in on it.

Some $10.8 billion in 2017 holiday shopping could be at risk of diversion and theft, according to a study of five leading e-commerce retail brands from cybersecurity company RiskIQ. Think twice before you download the app for your favorite store: More than 32,000 malicious mobile apps are leveraging the names of those five brands to lure customers into scams, the research found, and 1 in 25 mobile apps found under a “Black Friday” search in app stores were unsafe to use.

Emails are already being sent from scammers impersonating brands including Amazon, Walmart, Kohl’s, Ray-Ban, and Michael Kors, offering huge discounts of up to 80% off, a separate report from security company Barracuda Networks found.

With attacks becoming more pervasive and sophisticated, consumers have to be cautious when looking for deals online over the next week.

Here are five ways to protect yourself while shopping online:

1. Create unique usernames and passwords

If you are able to remember your password, it’s probably not a great one. Security experts suggest using complex passwords that include a variety of numbers and characters, or long strings of random words. Most internet users have dozens of accounts, making it difficult to remember every password. To keep track, use a password manager like LastPass or 1Password, or go the old-school route and write passwords down on paper that is stored in a safe place.

Most consumers know by now that using the same password for every site is poor privacy practice, but many overlook the importance of username security, said Shaun Murphy, CEO of online security-focused social platform SNDR. “To keep your online history private from criminals, create a unique username for each website on which you shop. For example, YourName+StoreName is a better username than your name plus a few numbers.”

Consumers who choose to use a password manager should be sure to keep the master password in a safe place. Password managers aren't impervious to hackers (LastPass announced a hack in 2015) so be sure to change all passwords regularly.

2. Monitor your bank account

This time of year, consumers are often making an unusually high number of purchases, so they should be extra vigilant to make sure account activity is legitimate. “A lot of theft that occurs goes unnoticed, and once it is noticed often the goods and services have been delivered,” said Marc Boroditsky, vice president at security app Authy. He suggests turning on notifications to be alerted when purchases are made. “That kind of visibility gives me confidence I can confirm there is not fraud on my account and allows me to participate in the process.”


Many banking apps allow users to set mobile notifications for all account activity. Some vendor sites like Amazon also offer the option to receive text message notifications when purchases are made, and the ability to receive status updates on shipments. The influx of alerts may be a nuisance at any other time of the year, but is worth the distraction around the holiday spending season.

3. Beware of odd links

Thousands of malicious mobile apps and misleading landing pages put users at risk of being hacked, according to the RiskIQ study. When shopping online, make sure you are shopping on a store’s actual website before inputting any personal information or a credit card number. Bad web design is a major red flag for scam webpages.

Users should make sure the URL is correct and begins with “HTTPS,” or has a lock symbol next to the web address, which means it is encrypted. Double check promotional emails that advertise deals to make sure the sender’s email routes to the website of the company it is claiming to be (something like info@walmart.com rather than info@walmart.co or info@wallmartcustomerservice.com, for example).

Nearly 30% of shopping is expected to be done on mobile devices this year, which aren’t as safe as once thought: in 2015 it was found that 85 applications had infected users with malware, according to RiskIQ. Nearly 1 million blacklisted apps used the name of one of the top five e-commerce brands in their app titles or descriptions to trick customers. Be sure to only download apps from the official Google or Apple app stores, and research them well before using them. Don’t rely on reviews alone, as they can be easily spoofed — your best bet is to download apps that are linked on the retailer’s official website if possible.

4. Don’t shop on public Wi-Fi

When making Cyber Monday purchases, be sure to shop on secure Wi-Fi at home, not a coffee shop, airport, or other public network. If you must shop while on the go, use a mobile device with a data plan or a personal hot spot created from your phone. Stand-alone mobile hot spots can also be purchased from phone providers like Verizon. Users shopping by laptop on public Wi-Fi can also use a Virtual Private Network (VPN) like Private Internet Access or Freedome to obscure and protect their web traffic and better ensure security.

5. Use two-step authentication


Nearly every email client now allows users to opt for two-step authentication, which works as a normal login with a username and password but requires a verification code sent through a separate device like a phone for access. This second layer of security is a great way to ensure the only person who signs into your account is you. In addition to setting up two-step authentication on email, Cyber Monday shoppers should check if the retailers they are purchasing from offer their own security measures. Vendors like Amazon and Etsy offer two-factor authentication; check out TwoFactorAuth.org to see if the store you’re purchasing from does as well.

This article was written by KARI PAUL, REPORTER and appears at: https://www.marketwatch.com/story/5-tips-for-safe-shopping-on-cyber-monday-2016-11-21

Wednesday, November 22, 2017

Key Windows 10 Anti-Malware Tech Critically Broken


Over a decade ago, Microsoft added support for a key malware mitigation technique that makes it harder for rogue applications to predict which code will be loaded into specific target addresses. This technique, called address space layout randomization (ASLR), stores data in different locations each and every time the application is run. If your code is riddled with security flaws, ASLR won’t secure it, but it will (hopefully) make it a little harder to find and therefore exploit. Or at least, that’s how it’s supposed to work — but Windows 10, it turns out, has a teensy little problem. It stores its supposedly randomized data in exactly the same place, each and every time.

To understand the magnitude of the failure, it may help to think of a loose analogy. Imagine you have an insecure mailbox that’s constantly being robbed. One hypothetical way to deal with this problem is to have many mailboxes scattered across your property. Each day, your long-suffering postal worker puts your mail (4-5 pieces) in a subset of available mailboxes (let’s say, 30 mailboxes total). A person could still search your property and find them, but it’s going to take longer and be more obvious.

Actually, with Windows 7 and EMET System-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME.
Conclusion: Win10 cannot enforce ASLR as well as Win7! pic.twitter.com/Jp10nqk1NQ

— Will Dormann (@wdormann) November 15, 2017

Now, imagine that instead of putting your 4-5 pieces of mail in up to five different locations, your mailman stuck it in exactly the same locations, each and every time. That’s more or less what’s happening here and it’s a problem afflicting both Windows 8 and Windows 10. Without any entropy (randomness), there’s no protection offered at all.

There are two ways to enable ASLR. One is to use the /DYNAMICBASE flag provided by the Visual C++ linker. This method still works perfectly, as far as anyone can tell. But since relying on programmers or vendors to always keep their code properly secure is a recipe for disaster, Microsoft also provides tools to force applications to use ASLR whether they’re designed to do so or not. This capability is baked into the Fall Creators Update as the Windows Defender Exploit Guard and was previously available as Microsoft EMET (Enhanced Mitigation Experience Toolkit), a GUI for enabling security measures already baked into the OS. The screenshot below shows the newer Defender Exploit Guard baked into Windows 10 FCU.

The problem is this: Apparently Microsoft’s default ASLR implementation fails to activate a key sorting method of ASLR, known as “bottom-up ASLR.” Microsoft’s own technical documentation describes bottom-up ASLR as a method of assigning a base address by searching “for a free region starting from the bottom of the address space (e.g. VirtualAlloc default).” Enabling ASLR without simultaneously enabling bottom-up ASLR means that memory values are stored in exactly the same location each and every time. Here’s how CERT describes the problem:

Although Windows Defender Exploit Guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of “On by default” does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems. Windows 8 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier.

It finishes on the cheery note that there’s no practical solution to the problem currently available for deployment, but individuals can reenable the security ASLR is supposed to provide by importing the following registry key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

As always, we do not recommend mucking about in the registry unless you are certain you know what you’re doing. US-CERT has some additional details on both the problem and this fix available on its website. And yes, Windows 7 users, you get to preen a bit — this problem does not affect your operating system.

By Joel Hruska on November 20, 2017 at 3:12 pm

Microsoft Issues Black Friday Malware Warning: What You Need To Know

Microsoft Malware Protection Centre (MMPC) issued a warning Tuesday regarding a malware attack linked to Black Friday. In a tweet, they termed a malicious document called “eMAG- Catalog Oferta Black Friday2017.doc” as the threat.

Apparently, this document would try to exploit DDE so that it could run a remote HTML application. DDE refers to Dynamic Data Exchange, a mode of interprocess communication used by the Windows operating systems. Using DDE, a program could access items made available by a different program. For instance, a program could access a single cell in an MS Excel spreadsheet used by another program. Using DDE, the first program could even get notified whenever a change is made in that particular cell.

Though other modes of interprocess communication, like Object Linking and Embedding (OLE), are also used in computing, DDE is frequently used because of its simplicity. This means the threat Microsoft warned about could affect a wide digital landscape.

Microsoft clarified that the use of HTA (HTML Application) in the new malware is different from a previous DDE-based malware that used PowerShell. (PowerShell refers to the task automation and configuration framework created by Microsoft. It also has an associated scripting language that was made open source in August 2016.)

But the new malware uses a different strategy: it links to a URL that has the word “test” in it. According to MMPC, this link currently remains inaccessible. Microsoft’s current theory is that cybercriminals would distribute a functional version of the malware using a spam campaign in the days immediately prior to Black Friday. The company said that Windows Defender AV would detect the malware as “Exploit:O97M/DDEDownloader.E”, but it said nothing about whether other antivirus programs would be able to spot it too.
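The DDE mechanism described above leaves a recognisable trace inside the document itself: a field code beginning with DDE or DDEAUTO. The following is an added defender's check, not code from the article or from Microsoft, that opens a Word .docx (a ZIP container) and reports any such field in its word/*.xml parts, whether the instruction sits in <w:instrText> runs (which Word often splits across several runs) or in the w:instr attribute of <w:fldSimple>. The sample document it builds is constructed for the demo and points at a placeholder path, not a real lure.

```powershell
# Added example: scan a .docx for DDE/DDEAUTO field codes (not the article's or Microsoft's code).
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-DdeField {
    param([Parameter(Mandatory)][string]$Path)

    $hits = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # document.xml, headers, footers and footnotes all live under word/.
            if ($entry.FullName -notlike 'word/*.xml') { continue }
            $reader = New-Object -TypeName System.IO.StreamReader -ArgumentList $entry.Open()
            try { $xml = $reader.ReadToEnd() } finally { $reader.Dispose() }

            # Join every instrText run of the part so a field split as " DDE" + "AUTO ..." is still seen.
            $runs = @([regex]::Matches($xml, '<w:instrText[^>]*>(.*?)</w:instrText>', 'Singleline') |
                      ForEach-Object { $_.Groups[1].Value })
            # Simple fields carry the whole instruction in one attribute.
            $simple = @([regex]::Matches($xml, '<w:fldSimple[^>]*\bw:instr="([^"]*)"') |
                        ForEach-Object { $_.Groups[1].Value })

            foreach ($code in (@($runs -join '') + $simple)) {
                if ($code -and $code -match '(?i)\bDDE(AUTO)?\b') {
                    $hits += [pscustomobject]@{ Part = $entry.FullName; Field = $code.Trim() }
                }
            }
        }
    } finally { $zip.Dispose() }
    return ,$hits
}

# Constructed sample (assumption: written to %TEMP%): a minimal .docx whose body carries
# a DDEAUTO field split across two runs and pointing at a placeholder executable.
$sample = Join-Path $env:TEMP 'dde-demo.docx'
Remove-Item -LiteralPath $sample -ErrorAction SilentlyContinue
$out = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
try {
    $writer = New-Object -TypeName System.IO.StreamWriter -ArgumentList $out.CreateEntry('word/document.xml').Open()
    try {
        $writer.Write('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>' +
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' +
            '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>' +
            '<w:r><w:instrText xml:space="preserve">AUTO "C:\\placeholder\\app.exe" "arg"</w:instrText></w:r>' +
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    } finally { $writer.Dispose() }
} finally { $out.Dispose() }

# Reports Part = word/document.xml with the joined DDEAUTO instruction as Field.
Test-DdeField -Path $sample | Format-Table -AutoSize
```

The same function works on the legacy binary .doc format only after conversion, since .doc is not a ZIP; field codes there need a different parser.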

So, come Black Friday, shop to your heart’s content but be on the lookout for this particular threat in your digital devices.

BY DHINOJ DINGS ON 11/21/17 AT 11:36 PM

How to lock down your web browser security

They shall not pass.


BY DAVID NIELD 7 DAYS AGO

These days we all spend a lot of our computing time peering through web browser windows, which means these programs are some of the biggest targets for hackers and malware. The good news is, keeping your browser safe and secure isn't too difficult a task.

You don't have to spend a whole afternoon or evening putting up the defences in your browser of choice, but it is worth spending a few minutes to make sure everything is locked down - follow these guidelines to minimise your risk of getting caught out online.

UPDATE YOUR BROWSER


You might not have realised it, but modern browsers are packed with security features designed to stop you from visiting dodgy websites and to prevent sites from taking control of your computer. To make sure these features are always present and correct, and guarding against the latest threats, keep your browser software updated.

Applying updates is in fact so important that most browsers make it very hard not to be running the latest version of the software, with patches and bug fixes applied in the background most of the time.

If you want to make sure you're running the latest version of your browser, open up the browser menu and choose Help then About Google Chrome (Chrome) or Help then About Firefox (Firefox). Updates for Microsoft Edge and Apple Safari are handled together with updates for the OS as a whole.

LOOK FOR THE GREEN PADLOCK


When you see a green padlock in the address bar of your browser, that means you've opened a site that uses HTTPS - simply speaking, the more secure version of the HTTP standard that most websites use.

Among the extra security measures that HTTPS brings with it is a method for checking that you really are connected to the site that you think you are. What's more, it encrypts data as it travels between your computer and the website, so someone sat behind you in a coffee shop can't intercept the information being sent.

You should make sure you can see the HTTPS green padlock whenever you're entering sensitive information into your web browser, and many sites, from banking sites to social networks, now use it by default.

CUT DOWN ON THE EXTENSIONS


Browser extensions can be very useful, but they also tend to be granted some pretty sweeping permissions regarding what they can do with the websites you visit and anything you type into your browser.

Most of the browser add-ons you've installed are probably perfectly safe, but it's a good idea to stick to the ones you use regularly and trust, and get rid of the extensions that have become outdated or that you don't open much any more. There should be an option to do this somewhere inside your browser's settings screen.

As an added bonus, you might find your browser running that little bit more smoothly and more quickly once you've got rid of a few add-ons that were just taking up space.

PROTECT YOUR ONLINE ACCOUNTS


This isn't specifically related to your browser, but there are a host of ways you can keep your online accounts safe, from making sure you use different passwords on each one, to always logging off when using public computers.

If two-step authentication is offered, where you need a username, a password and a mobile code to gain access on a new device, take advantage of it. It's available on most major online accounts, including those from Apple, Google, Microsoft and Facebook.

Many accounts also have a feature where you can review recent logins for suspicious activity. On the Facebook site, for example, click Settings from the drop-down menu on the toolbar, then pick Security and login from the menu on the left.

PROTECT YOUR WINDOWS AND MAC OS ACCOUNTS


You probably have your browser set to remember all your passwords and other login details, and there's nothing wrong with that, but it also means that anyone who opens up your browser can then jump straight into Facebook, Twitter and so on.

To stop this from happening, make sure you and anyone else who uses the computer are given separate, password-protected user accounts. That should be enough to stop anyone from casually wandering by, picking up your laptop, and making off with access to all of your personal accounts.

Make sure the password lock screen appears after a set period of inactivity too - on Windows you need to open Settings then go to Accounts and Sign-in options (to force a password prompt); and then System and Power & sleep (to set the sleep time-out). On macOS, head to Security & privacy from System Preferences.

INSTALL A VPN


VPNs, or Virtual Private Networks, add an extra layer of security to your browser, essentially creating a secure, encrypted tunnel between you and the websites you visit. They're especially useful when you're on public Wi-Fi in coffee shops and hotels.

We don't have space for a full VPN round-up here but this article should give you a few ideas. It's worth paying a small fee every month for your service, as free options tend to be slow and not quite as secure as premium-level ones.

VPNs are less important on a home network, but wherever you use your computer, they make it harder for hackers to intercept the sites you're visiting and to spy on the data you're entering into your browser.

Windows 8 and Later Fail to Properly Apply ASLR, Here's How to Fix It



Windows 8, Windows 8.1, and subsequent Windows 10 variations fail to properly apply ASLR, rendering this crucial Windows security feature useless.

Address Space Layout Randomization (ASLR) is a computer security technique that randomizes the memory address where application code is executed.

ASLR made its debut in OpenBSD, in 2003, and since that time it's been added to all major operating systems, including Linux, Android, macOS, and Windows.

Microsoft added ASLR in Windows with the release of Vista, in 2006. In order to enable the feature, users had to install Microsoft EMET and use its GUI to enable ASLR in system-wide and/or application-specific states.

With the release of Windows 10, ASLR was added to Windows Defender Exploit Guard, and users can now enable it via the Windows Defender Security Center (under App & Browser control and then Exploit protection settings).




While looking into a recently disclosed 17-year-old vulnerability affecting the Microsoft Office equation editor, CERT/CC vulnerability analyst Will Dormann discovered that ASLR was not randomizing the memory code locations of application binaries in specific conditions.

ASLR fails because of a modified registry value

According to Dormann, when users turned on system-wide ASLR protection, a bug in the feature's implementation on Windows 8 and later would not generate enough entropy (random data) to start application binaries in random memory locations.

"The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems," Dormann said today in a CERT alert he wrote on the topic.

"Actually, with Windows 7 and EMET System-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME."
Conclusion: Win10 cannot enforce ASLR as well as Win7! pic.twitter.com/Jp10nqk1NQ

— Will Dormann (@wdormann) November 15, 2017

This is the equivalent of ASLR not being enabled at all, which means users are open to banal code reuse attacks that read an application's memory space and tailor malicious code to target that location every time.

The researcher says this issue affects only Windows 8 and later because Microsoft changed the registry values through which it started ASLR.

Workaround available

Dormann says that users must enable ASLR in a system-wide bottom-up configuration in order for ASLR to work properly.

While Microsoft is expected to fix the issue in a future patch, currently, the only way of starting ASLR in the proper configuration is by tinkering with the Windows Registry. US CERT/CC provided the following workaround.

Step 1: Create a blank text file and enter the following text:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00


Step 2: Save the file with a .reg extension, for example, ASLR.reg.
Step 3: Open the Windows Registry Editor by searching for "regedit" in your Start menu.
Step 4: Select the File menu option and choose to import the .reg file you just created above.

Optionally, Bleeping Computer has created an ASLR-fix registry fix file that users only need to download and double-click.
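Both ASLR write-ups on this page end at the same .reg file, but neither shows what the sixteen bytes mean or how to tell whether a machine is actually in the broken "relocated without entropy" state. The block below is an added example, not code from either article or from CERT/CC: it decodes the MitigationOptions value, reports the force-relocate, bottom-up and high-entropy ASLR fields, and can set the two fields the workaround needs while preserving any other mitigation bits already present (the .reg file overwrites the whole value). Field positions are taken from the PROCESS_CREATION_MITIGATION_POLICY_* constants in winbase.h; the registry path is the one the articles give.

```powershell
# Added example: decode/check/set the system-wide MitigationOptions value (not CERT's code).
# The first 8 bytes are a little-endian 64-bit mask. From bit 8 upward each mitigation
# occupies a 4-bit field: 1 = always on, 2 = always off, 3 = defer to the app, 0 = unset.
#   force-relocate images (mandatory ASLR) = bits 8-11
#   bottom-up ASLR                         = bits 16-19
#   high-entropy ASLR                      = bits 20-23
$MitigationKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$FieldState    = @{ 0 = 'unset'; 1 = 'always on'; 2 = 'always off'; 3 = 'defer' }

function Get-MitigationField {
    param([long]$Mask, [int]$Shift)
    [int](($Mask -shr $Shift) -band 0xF)
}

function ConvertFrom-RegHexString {
    # Turns the "hex:00,01,01,00,..." notation of a .reg file into a byte array.
    param([Parameter(Mandatory)][string]$Hex)
    $body = $Hex -replace '^\s*hex:', ''
    [byte[]]@($body -split ',' | ForEach-Object { [Convert]::ToByte($_.Trim(), 16) })
}

function ConvertFrom-MitigationOptions {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 8) { throw "Expected at least 8 bytes, got $($Bytes.Length)" }
    $mask = [BitConverter]::ToInt64($Bytes, 0)
    $relocate = Get-MitigationField $mask 8
    $bottomUp = Get-MitigationField $mask 16
    [pscustomobject]@{
        ForceRelocateImages    = $FieldState[$relocate]
        BottomUpAslr           = $FieldState[$bottomUp]
        HighEntropyAslr        = $FieldState[(Get-MitigationField $mask 20)]
        # CERT's point: relocation only gains entropy when bottom-up ASLR is on as well.
        MandatoryAslrEffective = ($relocate -eq 1) -and ($bottomUp -eq 1)
    }
}

function Get-MandatoryAslrState {
    # Reads what this machine has configured. An absent value is the case CERT describes:
    # the Exploit Guard GUI shows "On by default" while nothing is set in the registry.
    $prop = Get-ItemProperty -Path $MitigationKey -Name MitigationOptions -ErrorAction SilentlyContinue
    if (-not $prop) { return ConvertFrom-MitigationOptions -Bytes (New-Object byte[] 16) }
    ConvertFrom-MitigationOptions -Bytes ([byte[]]$prop.MitigationOptions)
}

function Enable-BottomUpAslr {
    # Sets force-relocate and bottom-up to 'always on' (the workaround's 00,01,01,00) while
    # keeping every other bit of an existing value. Requires an elevated prompt.
    $prop  = Get-ItemProperty -Path $MitigationKey -Name MitigationOptions -ErrorAction SilentlyContinue
    $bytes = New-Object byte[] 16
    if ($prop) {
        $existing = [byte[]]$prop.MitigationOptions
        [Array]::Copy($existing, $bytes, [Math]::Min(16, $existing.Length))
    }
    # Clear both 4-bit fields, then set each to 1 ('always on').
    $mask = ([BitConverter]::ToInt64($bytes, 0) -band (-bnot 0x000F0F00)) -bor 0x00010100
    [Array]::Copy([BitConverter]::GetBytes([long]$mask), $bytes, 8)
    Set-ItemProperty -Path $MitigationKey -Name MitigationOptions -Value $bytes -Type Binary
}

# The value from the articles' .reg file decodes to force-relocate and bottom-up both 'always on'.
ConvertFrom-MitigationOptions -Bytes (ConvertFrom-RegHexString 'hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00')
# What this machine has right now.
Get-MandatoryAslrState
```

Get-MandatoryAslrState reads only, so it is safe to run on any Windows 8 or later box to confirm whether the fix is in place; Enable-BottomUpAslr writes the same fields the .reg import would.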

How to delete downloaded Windows Update files



Windows Update works pretty reliably for the most part. It is the automated component of Microsoft's Windows operating system that handles the downloading and installing of updates for the operating system.

At best, it is a silent service that runs in the background; it may ask you to restart the PC every now and then though as that is still required for many updates.

When you run into issues though with updates, you may spend hours or even days figuring out what is going wrong.

I cannot update one of my PCs to the Windows 10 Fall Creators Update for instance because of a bluescreen that I get whenever I try.

One of the things that you can try when it comes to updates, is to delete downloaded Windows Update files to start over.

If you suspect that something is wrong with the files, or if you want Windows Update to run a new check for updates to download new versions of updates that were released by Microsoft, then you may find the following tip useful for that.

If you run Windows Insider builds on a PC, for instance, you may want to skip a build that has already been downloaded in favour of a newer one, and so avoid having to update the system multiple times.

How to delete downloaded Windows Update files

It is thankfully pretty easy to delete all cached update files. This works on all supported versions of Windows, including Windows 7, Windows 8.1 and Windows 10.
  • Go to C:\WINDOWS\SoftwareDistribution\Download using Explorer or any third-party file browser. If you navigate to the folder manually, you may need to enable the showing of hidden files first.
  • Select all files in the folder. The easiest way to do that is to press Ctrl-A while the folder is active.
  • Hit the Delete key on the keyboard.
  • Windows may need administrator privileges to delete certain files. Select "do this for all current items" and click Continue to grant the permissions.
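The same clean-up from an elevated PowerShell prompt, as an added example that is not part of the article. It assumes PowerShell 3.0 or later, and that stopping the Windows Update service (wuauserv) first, a step the article does not mention, avoids files being locked while the service holds them open.

```powershell
# Added example, not from the article: clear the Windows Update download cache
# from an elevated prompt (PowerShell 3.0 or later). Assumption: stopping the
# Windows Update service (wuauserv) first avoids files being locked while in use.
$downloadDir = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'

$wasRunning = (Get-Service -Name wuauserv).Status -eq 'Running'
if ($wasRunning) { Stop-Service -Name wuauserv -Force }
try {
    # Measure what is about to be removed, then delete everything in the folder.
    $files = @(Get-ChildItem -Path $downloadDir -Recurse -Force -File -ErrorAction Stop)
    $bytes = [int64](($files | Measure-Object -Property Length -Sum).Sum)
    Get-ChildItem -Path $downloadDir -Force | Remove-Item -Recurse -Force -ErrorAction Continue

    # Verify: anything left behind is still held open by some other process.
    $left = @(Get-ChildItem -Path $downloadDir -Recurse -Force -File).Count
    if ($left -eq 0) {
        Write-Output ("Removed {0} file(s), {1:N1} MB; Windows Update will download afresh" -f $files.Count, ($bytes / 1MB))
    } else {
        Write-Warning "$left file(s) could not be removed; check which process holds them open"
    }
}
finally {
    # Bring the service back even if the deletion failed part-way.
    if ($wasRunning) { Start-Service -Name wuauserv }
}
```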

Ransomware-spreading hackers sneak in through RDP – Naked Security

by Mark Stockley



Thanks to Sophos security experts Peter Mackenzie and Paul Ducklin for their behind-the-scenes work on this article.



If there’s an unexploited niche caused by insecure software or behaviour then sooner or later a crook is going to wiggle into it and attempt to use it as a way to make money from someone else’s misery.



Sophos has recently uncovered a new ecological niche in the great internet hack-o-sphere that’s equal parts low-cunning and directness: crooks who are breaking into computers one at a time and running ransomware on them manually – clickety click – in the same way that you might run Word, Notepad or Solitaire.



Let me do that!

We normally think of ransomware as something that’s catapulted into victims’ computers using some form of mass distribution.



For example, the criminals behind WannaCry and NotPetya used a stolen NSA exploit to create worms that copied themselves from one computer to another, encrypting files, demanding ransoms and creating mayhem as they zig-zagged through and between networks.



More common still is phishing. Why bother with worms and exploits when you can simply sign up for crimeware online and click a button to crank out booby-trapped email attachments?



Phishing is a numbers game: most of your emails won’t get through, many of those that do will go unread, and even those that get opened may find themselves hitting a brick wall – a patched system, for example, or a user who realises that something phishy is going on and stops just short of getting infected.



The phishing crooks only make money if they can repeatedly find new ways to persuade users to open emails and do things their IT team have warned them about, such as saving attachments to disk and then launching them, or opening Office documents and deliberately enabling macros.



For this reason, some cybercriminals have decided that if you want something doing properly, you have to do it yourself.



The attack

Many companies, notably small businesses, outsource their IT to, or pay for lots of help from, outside contractors.



These contractors might live in another part of town, or elsewhere in the country, or even on the other side of the world.



To let remote sysadmins look after your Windows networks, the most widely-used tool is Microsoft’s own Remote Desktop Protocol, or RDP for short.







RDP, for those who haven’t used it, effectively turns your IT guy’s laptop into a remote screen, keyboard and mouse connected over the internet to your local computer.



When they move their mouse in the RDP client software far away, they’re controlling your computer; when a software dialog pops up, they see it on their remote computer.



RDP is like being right there, and allows remote use even of fully-graphical applications that can’t be scripted or operated via a command prompt.



In other words, the RDP password you’ve chosen for your remote sysadmin (or that you’ve let them choose for themselves) is essentially the key to your office – a weak password is like a server room door that’s propped open, inviting any passing snooper to take a look inside.



So, if the crooks notice that you’ve got RDP open to the internet, for example by using a network search engine such as Shodan, you can be sure they’ll take a poke around.



Sophos security experts who’ve investigated a spate of recent RDP attacks have frequently found evidence that a tool called NLBrute was used to try a whole range of RDP passwords – a so-called brute force attack – in the hope of sneaking in.



Once they’ve got your RDP password – whether they use NLBrute, or simply look you up on Facebook to find your birthday and your pet’s name – they’ll log on and immediately create various brand new administrative accounts.



That way, even if you get rid of the crooks and change your own admin password, they’ve already got backup accounts they can use to sneak back in later.



What next?

Once they’re in, here’s what you can expect to happen next, based on what we’ve seen in a number of attacks we’ve investigated:



  • The crooks download and install low-level system tweaking software, such as the popular Process Hacker tool.


Tools of this sort are regularly used by legitimate sysadmins for troubleshooting and emergency recovery, especially when they use kernel drivers to let you pull off modifications that the operating system usually prevents. This includes killing off processes that usually disallow shutdown, deleting locked files, and changing configuration settings that are usually locked down.



  • The crooks turn off or reconfigure anti-malware software, using the newly-installed tweaking tools.


  • The crooks go after the passwords of administrator accounts so that they’ll enjoy all the power of a legitimate sysadmin. If they can’t get an admin password, they may try logging in as a regular user and running hacking tools that try to exploit unpatched vulnerabilities to get what’s called EoP, or elevation of privilege.



EoP means that an already logged-on user can sneakily promote themselves to a more powerful account. We’ve seen EoP tools left behind on attacked systems that tried to abuse vulnerabilities dubbed CVE-2017-0213 and CVE-2016-0099, patched by Microsoft back in May 2017 and March 2016 respectively.



  • The crooks turn off database services (e.g. SQL) so that vital database files can be attacked by malware.


Files such as SQL databases are usually locked while the database server software is active, as a precaution against corruption that could be caused by concurrent access by another program. The side-effect of this is that malware can’t get direct access to database files either, and therefore can’t scramble them to hold them to ransom.



  • The crooks turn off Volume Shadow Copy (the Windows live backup service) and delete any existing backup files.


Shadow copies act as real-time, online backups that can make recovery from ransomware a quick and easy process. That’s why crooks often go looking for shadow copies first to remove them.



You can guess what happens next.



  • The crooks upload and run ransomware of their choice.


Because they’ve used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet “for free”.



The crooks don’t have to worry about using the latest and greatest malware, or setting up a command-and-control server, or running a hit-and-hope spam campaign.



In one attack, we saw a folder on the desktop containing four different types of ransomware. The crooks ran each in turn, until one of them worked.



How much is the ransom?

Many ransomware attacks are distributed indiscriminately, and therefore rely on a “pay page” – a Dark Web server set up specially to tell victims how much to pay, and how to pay it.



But these RDP crooks are already personally involved to the extent of logging into your network themselves, so there’s often what you might call a “personal touch”.



Rather than automatically squeezing you via a website, you’ll probably see a pop-up something like this, telling you to make contact via email to “negotiate” the release of your data:



At the time of writing the Bitcoin address used by that attacker contained BTC 9.62, currently worth just over $60,000.

Only one of the transactions matched the 1 BTC amount demanded in the ransom, which might indicate that the account is being used for other activities at the same time, or that some victims managed to negotiate a lower price.


The victims

The victims of this kind of attack are almost always small-to-medium companies: the largest business in our investigation had 120 staff, but most had 30 or fewer.

With small scale comes a dependence on external IT suppliers or “jack-of-all-trades” IT generalists trying to manage cybersecurity along with many other responsibilities.

In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff.

What to do?

  • If you don’t need RDP, make sure it’s turned off. Remember to check every computer on the network: RDP can be used to connect to servers, desktops and laptops.
  • Consider using a Virtual Private Network (VPN) for connections from outside your network. A VPN such as the one in Sophos XG Firewall and Sophos UTM requires outsiders to authenticate with the firewall first, and to connect from there to internal services. This means software such as RDP never needs to be exposed directly to the internet.
  • Use two-factor authentication (2FA) wherever you can. Sophos XG Firewall and Sophos UTM support 2FA, so that you need a one-time logon code every time. If crooks steal or guess your password, it’s no use on its own.
  • Patch early, patch often. Closing vulnerabilities as quickly as possible stops crooks from exploiting them against your network and reduces your exposure to danger.
  • After an attack, check to see what the crooks have changed. Don’t just remove the malware or apply the missed patches and be done with it. Especially check for added applications, altered security settings, and newly-created user accounts.
  • Set a lockout policy to limit password guessing attacks. With three guesses at a time followed by a five-minute lockout, a crook can only try out 12 x 3 = 36 passwords an hour, which makes a brute force attack impractical.
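Two of the items above turned into checks for a single Windows host that exposes RDP, as an added example that is not Sophos’ own tooling: the lockout arithmetic, and a look through the Security log for the traces the article describes (failed logons, newly created accounts, members added to a group such as Administrators). It assumes an elevated prompt and that logon and account-management auditing is enabled; the event IDs and field names are the standard Windows ones.

```powershell
# Added example, not Sophos' own tooling. Assumptions: run elevated; logon and
# account-management auditing is enabled, otherwise the Security log is empty.

# 1. The article's arithmetic: guesses a crook gets per hour under a lockout policy.
#    To apply the example policy on a standalone host:
#    net accounts /lockoutthreshold:3 /lockoutduration:5 /lockoutwindow:5
function Get-GuessesPerHour {
    param([int]$Threshold, [int]$LockoutMinutes)
    if ($LockoutMinutes -le 0) { return [int]::MaxValue }  # no lockout: unlimited guessing
    [math]::Floor(60 / $LockoutMinutes) * $Threshold        # 3 guesses, 5 min -> 12 x 3 = 36
}

# Turn an event's XML payload into a hashtable of field name -> value.
function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $data = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    return $data
}

# 2. Traces of the attack described above from the last $Hours hours: failed RDP
#    logons (4625) grouped by source address, local accounts created (4720) and
#    members added to a local group such as Administrators (4732).
function Get-RdpAttackIndicators {
    param([int]$Hours = 24, [int]$FailureThreshold = 20)
    $filter = @{ LogName = 'Security'; Id = 4625, 4720, 4732; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $failed = foreach ($e in $events | Where-Object Id -eq 4625) {
        $d = ConvertTo-EventData $e
        # Logon type 10 is RemoteInteractive; with Network Level Authentication on,
        # failed RDP logons are recorded as type 3 (network) instead, so keep both.
        if ($d.LogonType -in '3', '10') {
            [pscustomobject]@{ Source = $d.IpAddress; User = $d.TargetUserName; Type = $d.LogonType }
        }
    }
    $failed | Group-Object Source | Where-Object Count -ge $FailureThreshold | ForEach-Object {
        "{0} failed logons from {1}; accounts tried: {2}" -f $_.Count, $_.Name,
            (($_.Group.User | Sort-Object -Unique) -join ', ')
    }
    foreach ($e in $events | Where-Object { $_.Id -in 4720, 4732 }) {
        $d = ConvertTo-EventData $e
        if ($e.Id -eq 4720) { $what = "account '$($d.TargetUserName)' created" }
        else { $what = "member $($d.MemberSid) added to group '$($d.TargetUserName)'" }
        "{0}: {1} by {2}" -f $e.TimeCreated, $what, $d.SubjectUserName
    }
}

Get-GuessesPerHour -Threshold 3 -LockoutMinutes 5   # 36
Get-RdpAttackIndicators -Hours 24
```

A burst of failures from one address well above the threshold, followed by a 4720 or 4732 event, is the sequence the article describes and worth treating as an incident rather than noise.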

If you’re using a third-party IT company and they haven’t already suggested the precautions we’ve listed above, why not ask them why, and ask yourself if they’re the right people to be looking after your network?

Be careful out there – don’t let the Remote Desktop Protocol for your IT team turn into a Ransomware Deployment Process for criminals.


