Getting back to security basics
The Covid-19 pandemic has changed the way we live, work, and study — and has created new digital security and privacy issues as well.
But as they say, sometimes the more things change, the more they stay the same.
In this short piece, we’ll share three recent news stories about cybersecurity threats brought on by the coronavirus crisis. Then we’ll explain how following “the basics” of good personal security can keep you safe from these threats (and others like them).
More people than ever are working from home — many of them for the first time — and are thus using remote work tools that they may not be too familiar with. Hackers know this, and are attempting to exploit the situation.
One recent phishing attack came in the form of a fake Microsoft Teams notification. The bad actors sent out emails that used Microsoft branding and imagery, and contained links that took victims to a fraudulent Microsoft Office 365 login page. The phishing emails were extremely convincing: Someone who was new to Microsoft Teams might very well be fooled by the fake notification. If the user entered his or her credentials, it was game over: The hackers would have direct access to all of that person’s Microsoft services. They could then go on to steal confidential company information or engage in other malicious activity.
The Basics: Phishing is a major threat to the enterprise. It can lead to data breaches, ransomware infections, and other serious consequences. The best way to prevent phishing attacks is to learn how to spot them:
Always be cautious when opening unsolicited emails or emails from unknown senders. If the email is purportedly from a large, well-known company, inspect the email header to make sure it originates from a genuine domain and not a “lookalike” (e.g. microsoftonline.com, not something like microsoft-online.com.info).
If possible, avoid clicking on links that come via email, especially if you’re being asked to enter login credentials. Instead, navigate to the website directly in your browser and log in there.
Enable two-factor authentication on your accounts and services. If the worst happens and some hacker manages to steal your username and password, 2FA can keep you safe — without that second authentication factor, the bad guys still won’t be able to use your credentials to log in.
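The header check from the list above, as an added example that is not part of the original article: this Python sketch reads the From header of a message and separates genuine sender domains from lookalikes. The trusted-domain list, the brand strings and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the domains you expect this vendor's mail from,
# and brand strings that should never show up in anyone else's domain.
TRUSTED_DOMAINS = {"microsoft.com", "microsoftonline.com"}
BRAND_WORDS = ("microsoft", "office365")

# Constructed sample messages (not real phishing mail).
SAMPLES = {
    "genuine": "From: Teams <noreply@email.teams.microsoft.com>\nSubject: New message\n\nHi",
    "hyphenated": "From: Microsoft Teams <no-reply@microsoft-online.com.info>\nSubject: New message\n\nHi",
    "prefix": "From: Office 365 <alerts@microsoftonline.com.example.net>\nSubject: Sign in\n\nHi",
    "unrelated": "From: Bob <bob@example.org>\nSubject: Lunch\n\nHi",
}

def sender_domain(raw_message):
    """Return the lower-cased domain of the From address, or '' if absent."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_trusted(domain):
    """Exact match or a true subdomain; a trusted name used as a prefix fails."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def classify(raw_message):
    domain = sender_domain(raw_message)
    if not domain:
        return "no-sender"
    if is_trusted(domain):
        return "trusted"
    # Strip separators so "microsoft-online" still matches the brand string.
    squashed = domain.replace("-", "").replace(".", "")
    if any(word in squashed for word in BRAND_WORDS):
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:11} {sender_domain(raw):35} {classify(raw)}")
```

The From header itself can be forged, so a "trusted" result is necessary rather than sufficient; the SPF, DKIM and DMARC results recorded by the receiving mail server are the stronger signal.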
Security researchers have discovered thousands of Zoom credentials being shared on hacker forums, along with detailed discussions of how to leverage them for malicious purposes — clearly a response to the surge in remote workers using Zoom.
As for how the bad guys compiled these extensive lists of usernames and passwords, the researchers suspect a time-tested tactic: credential stuffing. Here’s how credential stuffing works. Hackers start with a list of credentials, perhaps gleaned from a public data breach, even an older one. They then create an automated program to test these credentials out on various sites, or on one specific site that they’re targeting.
They do this because they know that people tend to reuse credentials across sites — for example, they will use the same username and password for their Marriott rewards account, their Gmail account, and their Zoom account. The bad guys don’t expect every username and password pair to work on other sites. In fact, they realize that most of them probably won’t work. But because so many people reuse passwords, they know that they’ll get enough “hits” to generate a big list of valid credentials — which they can then use to do all kinds of damage.
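A defender's view of the pattern just described, as an added example that is not part of the original article: credential stuffing shows up in a site's login log as one source trying many different usernames, mostly failing, with the occasional hit. The log format, thresholds and sample lines below are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed login log (documentation-range IPs, made-up users).
SAMPLE_LOG = """\
2020-04-20T10:00:01Z ip=203.0.113.7 user=alice result=fail
2020-04-20T10:00:02Z ip=203.0.113.7 user=bob result=fail
2020-04-20T10:00:03Z ip=203.0.113.7 user=carol result=fail
2020-04-20T10:00:04Z ip=203.0.113.7 user=dan result=fail
2020-04-20T10:00:05Z ip=203.0.113.7 user=erin result=ok
2020-04-20T10:00:06Z ip=203.0.113.7 user=frank result=fail
2020-04-20T10:01:10Z ip=198.51.100.20 user=grace result=fail
2020-04-20T10:01:25Z ip=198.51.100.20 user=grace result=fail
2020-04-20T10:01:40Z ip=198.51.100.20 user=grace result=ok
2020-04-20T10:02:00Z ip=192.0.2.9 user=heidi result=ok
"""

def parse(line):
    """Split 'timestamp key=value ...' into (ip, user, succeeded)."""
    fields = dict(part.split("=", 1) for part in line.split()[1:])
    return fields["ip"], fields["user"], fields["result"] == "ok"

def suspicious_sources(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts and mostly fail.

    Returns {ip: (distinct_users, failures, attempts)}.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, ok = parse(line)
        users[ip].add(user)
        attempts[ip] += 1
        failures[ip] += 0 if ok else 1
    flagged = {}
    for ip, total in attempts.items():
        # One user mistyping a password fails often but touches one account;
        # stuffing touches many accounts from the same source.
        if len(users[ip]) >= min_users and failures[ip] / total >= min_fail_ratio:
            flagged[ip] = (len(users[ip]), failures[ip], total)
    return flagged

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_LOG))
```

The single successful login inside the flagged source (user erin in the sample) is the account to lock and reset first, since that is a reused password that worked.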
The Basics: Creating good passwords is one of the foundations of personal cybersecurity. And although many people get it wrong, it’s actually pretty simple to get it right:
Create strong, unique passwords. Strong passwords are long; contain a mix of uppercase and lowercase letters, numbers, and special characters; and don’t use publicly available personal information like birthdays, pet names, and so on. Unique passwords are passwords that aren’t used on any other site, and have never been used before.
Never use compromised credentials. Seems like a no-brainer, but there are lots of people out there still using credentials that were leaked in a data breach — often because they’re unaware that the website or service in question was hacked. To see if one of your accounts has been involved in a known data breach, you can use a free service called Have I Been Pwned. If you find that you’ve been caught up in a breach, make sure to change that password!
Use a password manager. Password managers like Dashlane, 1Password, and LastPass will create, store, and automatically enter strong, unique passwords for all of your sites and services. Powerful, safe, and surprisingly easy to use, password managers have been called “the single best thing you can do for your security posture” by data breach expert Troy Hunt. Best of all, setting up a password manager can be done in minutes (meaning there’s no reason to go another day without one).
Remote workers beware! Security researchers have discovered fake Zoom downloaders that contain malicious software — software that could give hackers remote access to your system.
The bad actors are using a technique known as “bundling”, which means that they’re packaging several programs together in the same software installer. They create an installation file with the actual Zoom client app — but they also include the RevCode WebMonitor RAT, a remote administration tool that gives the hackers a backdoor to an infected machine. The fraudulent downloads are distributed through malicious websites; users are most likely guided to these websites through links sent out in phishing emails.
If everything goes according to plan, victims will install a fully functioning version of Zoom … and be unaware that they have also downloaded malware onto their system.
The Basics: Bundled malware is very common, and a favorite tactic of hackers who specialize in attacking macOS. But avoiding it is fairly simple, as long as you follow best practices for download safety.
Don’t download apps from third-party websites, especially filesharing sites, forums, adult-themed sites, or sites reached by clicking on an email link.
If possible, download software through the official app distribution platform for your operating system. For most people, this will mean the App Store, the Microsoft Store, or Google Play.
If an app isn’t available from the App Store or another official distribution platform, download the software installation package directly from the developer’s own website. Provided that you know and trust the software developer, this should be fairly low-risk.
Beyond the basics
Whenever there’s a crisis, trend, or social change, hackers will be first in line to take advantage of it. But while their targets may change, most of them use the same old tricks again and again. By following basic security best practices, you can vastly improve your personal security — and the security of your friends, family, and coworkers.
If you’re looking for added protection, consider running a reputable malware detection solution on your system — and take steps to keep your cybersecurity knowledge sharp by reading blogs like this one or listening to security-themed podcasts.