U.S. political institutions and American hospitals at risk from Russian hacker group
On August 26, 2020 Microsoft announced it had found a Russian operation affiliated with the Russian government under the military intelligence agency GRU, targeting U.S. political institutions. The GRU specializes in information warfare, hacking and disinformation operations. The Russian hacking group is known as APT28 (sometimes called Strontium or Fancy Bear) and had been linked to the Russian intelligence agency which actively interfered in the 2016 presidential election. “APT” refers to “advanced persistent threat”. The group created six phony websites, some related to public policy and the U.S. Senate; the goal being a phishing attempt to trick people into visiting those sites. Microsoft’s Digital Crimes Unit found and disabled the sites in its attempt to expand cybersecurity protection for political campaigns and election agencies which use Microsoft products.
Now it appears that hackers, the same group behind TrickBot, are seeking to hold more than 400 American hospitals hostage in exchange for ransom payments. Efforts by the U.S. Cyber Command and Microsoft to hack TrickBot’s infrastructure and take down their servers were sanctioned by a federal court order in the hopes of pre-empting ransomware attacks before the 2020 election. This comes during a pandemic while the number of COVID-19 cases and need for hospitalizations are exponentially increasing on a daily basis.
Six U.S. hospitals fell victim to this attack on October 27th and the FBI, HHS, and CISA have credible information that more hospitals will be targeted in this attack. The ransomware behind these attacks is known as Ryuk, which utilizes TrickBot malware and other malware to execute the attack. The Ryuk ransomware is designed to allow the cybercriminals to stealthily access, map and move laterally across the victim’s network before encrypting critical data files and deleting connected backups.
The cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. These threat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the C2 server and install it on the victim’s machine.
Two-step verification or two-step authentication is a method of confirming a user's identity by utilizing something the user knows (such as a password) and a second factor other than something the user has (such as a hardware token or cell phone) or something the user is (such as a fingerprint). An example of a second step is the user repeating back something that was sent to them through an out-of-band mechanism (activity outside a defined telecommunications frequency band, or, metaphorically, outside some other kind of activity). In most cases, the second step in authentication is a six-digit numeric code which is either 1) sent to you via a text message on your phone and can only be used once, or 2) generated by an app that is common to the user and the authentication system. Two-factor means the system is using two of these options.
Codes generated by an authentication app are linked to and synced across your accounts, so you can scan a QR code on your phone and get your six-digit access code on your browser if supported. The codes provided for each account by the authentication app rotate constantly and you do not have to be on the internet to use them. There are several authenticator apps available to perform digital authentication, including Google Authenticator (free on Android and iOS), Authy, LastPass Authenticator and SAASPASS. These authenticators do the same thing on mobile and some desktop platforms (such as Authy), and the majority of the most popular password managers, such as 1Password and LastPass, have 2FA by default.
Data generated by authentication apps is encrypted and stored in the cloud; decryption takes place on your device. Guides can be found on many of the sites for which you want to set up authentication: Facebook, Yahoo, Gmail, Amazon, Twitter, Apple, Dropbox, Microsoft, Pinterest, etc.
The Two Factor Auth (2FA) website lists a number of websites and whether or not they support 2FA.
And last but not least, it is important to avoid phishing attempts. If you ever get an email asking you to reset your password immediately, do not click on any links in the email but instead go directly to the website account in question.
Facebook Two-Factor Authentication
On your Facebook page, go to Settings > Security and Login
Under Two-Factor Authentication, click edit on the right and turn on two-factor authentication. Choose how you would like to receive your second form of authentication; i.e., text message, authenticator app, or a physical security key.
On a desktop computer, after choosing the authenticator app, FB will produce a QR code. Open your authenticator app on your phone, select add and then hold your phone up to your computer screen so that you can capture the code. Next time you log in to Facebook, you will be requested to provide a six-digit code; open your authenticator app and retrieve it from the Facebook account. (Remember, the authenticator apps can handle several accounts, such as Twitter, Microsoft, Google, Amazon, etc., so make sure you have selected the correct one.) For apps that don't work with 2FA when using your Facebook credentials to log on to their site, Facebook offers App Passwords, which provide one-time password access to your Facebook account via a third-party app or service. You can find them in your Facebook Settings via Settings > Security and Login. Scroll down to Use two-factor authentication and click Edit. Go to App Passwords > Generate App Passwords.
Under Setting Up Extra Security, turn on
- Get alerts about unrecognized logins
- OPTIONAL: Choose 3 to 5 friends (family) to contact if you get locked out
iOS Content Blockers
Some ad blockers are free to download and try out, but to get the full list of features which make the software more effective, you will need to pay via an in-app purchase.
How does an ad blocker work?
A blocker prevents a browser from downloading unwanted elements such as banners, ads, videos and pop-ups, and blocks analytical trackers and/or social network widgets. Basically, ad blockers have a list of rules or “filters” which detect ads and undesired content and separate them from the desired content (based on the settings you have chosen in the ad blocker application). It is important that the filters are updated, much like virus or malware software, so that publishers and advertisers cannot circumvent the ad blocker filters. Although some ad blocker developers compile their own filters, many use publicly available filter lists. And finally, some apps have additional functions such as cybercrime protection and parental controls.
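To make the idea of filter rules concrete, here is an added example (not taken from the article or from any product it mentions) that evaluates request URLs against a small constructed filter list. The rule syntax is a simplified subset in the style of Adblock Plus filter lists, which is an assumption since the article names no syntax; all hostnames and function names are made up.

```python
from urllib.parse import urlparse

# Constructed filter list in a simplified Adblock-Plus-style syntax (assumed;
# the article names no syntax): "!" comment, "||host^" host plus subdomains,
# "@@" exception (whitelist entry), "$third-party" cross-site requests only.
FILTERS = """\
! constructed sample rules
||ads.example.net^
||tracker.example.org^$third-party
-ad-banner.
@@||ads.example.net/house-promo.png
"""


def parse_filters(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        exception = line.startswith("@@")
        body = line[2:] if exception else line
        pattern, _, options = body.partition("$")
        rules.append({"exception": exception, "pattern": pattern,
                      "third_party": "third-party" in options.split(",")})
    return rules


def host_in(host, domain):
    """True for the domain itself or any subdomain, never a lookalike suffix."""
    return host == domain or host.endswith("." + domain)


def rule_matches(rule, url, page_host):
    parts = urlparse(url)
    host = parts.hostname or ""
    # Simplification: real blockers compare registrable domains here.
    if rule["third_party"] and host_in(host, page_host):
        return False
    pattern = rule["pattern"]
    if not pattern.startswith("||"):
        return pattern in url               # plain substring rule
    domain, slash, path = pattern[2:].partition("/")
    if not host_in(host, domain.rstrip("^")):
        return False
    return parts.path.startswith("/" + path) if slash else True


def should_block(rules, url, page_host):
    hits = [r for r in rules if rule_matches(r, url, page_host)]
    # An exception rule overrides every blocking rule that matched.
    return bool(hits) and not any(r["exception"] for r in hits)


if __name__ == "__main__":
    rules = parse_filters(FILTERS)
    for url in ("https://cdn.ads.example.net/x.js",
                "https://notads.example.net/x.js",
                "https://ads.example.net/house-promo.png"):
        print(url, should_block(rules, url, "news.example.com"))
```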
Purify ($1.99 at iTunes) is a favorite which I have
used on my iPhone and iPad for some time. It boasts improved battery life and browsing speed by blocking unwanted content, allows for customized content blocking options (social media buttons, comments, online scripts, images)
and allows whitelisting in Safari. Purify allows you to approve website ads or make changes on the fly without leaving Safari, making it very user friendly. Purify has their own custom filter list which is specifically designed
for mobile devices and therefore is optimized for smooth and fast iOS performance.
Another ad blocker for mobile devices is Ghostery which I discussed in a previous article as a good choice for desktop
browsers Firefox, Cliqz (a privacy-focused browser backed by Mozilla), Chrome, Opera, Safari, Edge and Internet Explorer. Ghostery’s mobile ad blocker features a standalone browser for iPhone, iPad and iPod as well as Android
devices. Ghostery also works inside Firefox on Android phones. I have used Ghostery for about a year now on my Mac and Windows units and find it to be very good at blocking content. Ghostery has implemented artificially intelligent
tech to identify whether a web page tracker is sending your personal information to an advertiser and if so, overwrites that information with random data so that your data cannot be provided. To my knowledge, Ghostery has a
blocklist of around 2,000 entries.
- Purify Ad Blocker for iOS on iTunes
- Crystal is a content blocker for iPhone, iPad and Samsung devices and can be found on iTunes and on Google Play
- Freedom for iOS (Version 9-11) can be found on iTunes. Freedom also works on Mac OS X and Windows
- 1Blocker Content Blocker for iOS and macOS
- Ghostery Ad Blocker for iOS can be found on iTunes and for the Android on Google Play
Additional reading: How trackers are tracking you and what you can do to protect yourself
Financial institutions and your personal data
If you think your personal data is safe when visiting financial institutions, think again.
According to the German company eBlocker, which manufactures online privacy tools, there are more than 110 third-party trackers snooping on visitors each time they visit 10 of the top financial institutions. Banks are likely to use this data (salary and other personal information entered into forms) in customer risk assessments. Since Congress killed an FCC regulation this year requiring internet providers to ask customers for permission before collecting and possibly selling information obtained from their web browsing habits, VPNs (virtual private networks) have become increasingly popular. However, once you are logged into a site, the VPN may mask the IP address, but will still allow the company to track identifiable personal data.
Protect yourself and your data
This infographic shows 8 ways to protect yourself from cybercrime (spam, hacking and ransomware)
Ghostery Privacy Browser Extension
Browser plugins work to help circumvent identity and block trackers. Ghostery is a (free) plugin available for
popular browsers including Safari, Firefox, Chrome, Internet Explorer, Opera, iOS and Android which identifies and can block over 2,000 online tracking services included in its database. Ad blockers and privacy extensions
are also recommended aids in blocking and restricting collection of data by ad networks which enables visitor targeting, tracking and reporting of impressions.
Choosing a Password Manager for your Data Security
We live in a fast moving digital world filled with a plethora of electronic devices which we have come to depend upon to record personal information, house our photos, compose and receive email, prepare work documents, create
art and use online services to connect to our banks and favorite shopping sites. But this convenience comes with a downside: the risk of compromising our data. It makes sense to spend some time determining what kind of
protection plan we need to put into place to keep our data secure.
Gone are the days when we can write a password or two on a Post-it Note for later retrieval. We are faced with securing a multitude of passwords which we use on a daily basis to log on to our devices as well as websites we
visit and data we need to keep secure. The best solution for this task is a digital password manager which can generate strong random passwords and sync them
securely across browsers and devices, making them easily accessible and automatically filling in forms and logging onto websites when needed. These digital password managers are able to manage bank account information,
calling cards, credit card credentials, insurance policy information (medical, auto, etc.), email accounts, emergency numbers, combination locks, internet settings, website logon, prescriptions, and software serial numbers,
to name a few. Many managers support notes and attachments including images and PDFs. One important feature of the password manager you choose is the capability to generate passwords which are encrypted and accessible
solely by you, which makes the master password for your manager an important aspect of your security system.
There are many good password managers available for mobile devices, desktop and laptop computers, some providing an accompanying browser extension, which makes logging on to secure websites easy.
LastPass is probably one of the best password managers for most people since it has all the essential features including usernames and passwords, nurse contact information, software licenses,
credit cards, secure notes and supports image and PDF attachments.
LastPass uses AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to ensure security in the cloud, works with most browsers on any device (Chrome, Firefox, Safari, Opera and
Internet Explorer), has desktop and mobile applications available for Mac OS, mobile iOS and Windows and offers a premium version for $12 a year with advanced security features, shared folders (with friends and family)
and additional tools. LastPass also offers a Cloud Manager for Business, Teams & Enterprise.
One of the unique features of LastPass is that it can create passwords on the fly and can capture credentials you enter on a form, save it to a new file and then auto fill those credentials when you revisit that site at
a later date. This password manager can also fill in credit card credentials. LastPass does offer two-factor authentication, but this must be enabled in LastPass settings when you log into your account and you will
need to download the LastPass Authenticator application in order to use this feature. Please note that the LastPass Authenticator application
is separate from the LastPass Password Manager application, so you might want to consider the two-factor authenticator, Authy, which I will discuss
at another time. And last but not least, with a click of your mouse you can use a feature called Auto Change Password to change your password on both the site and in LastPass.
LastPass for the Apple Watch is full featured, allowing you quick access to your passwords without having to take your iPhone out
of your purse or pocket and is one of the best Apple Watch applications I've used.
A memorable passphrase is said to be the easiest way to create a strong password. The LastPass blog has tips on How to make a Strong Master Password.
1Password is another very good password manager, particularly for the Mac and iOS. It is available for Windows but does not work on all Chromebooks. 1Password costs $36 per year
for individuals, $60 per year for families up to five and additionally, you can make a one-time purchase of $65 that will work on any number of devices or platforms for one user. Family and business subscriptions
have sharing capabilities with more options.
As with most password managers, your data is protected behind one master password using strong AES-256 encryption. Choose to unlock 1Password on your mobile device with a fingerprint or a PIN code. There is a variety
of syncing options, some that bypass the cloud entirely; available options include iCloud, Dropbox, WLAN server and Local folder.
1Password has the ability to store two-factor authentication codes (substituting for Google Authenticator, LastPass Authenticator and Authy), view attachments (photos, PDFs and receipts),
set up custom fields, tags, multiple fields and URLs, multiple vaults and categories, as well as an Apple Watch application (to look up credit cards, garage door codes, etc.). There are 1Password browser extensions
for Safari, Chrome, Firefox and Internet Explorer.
If you have used another password manager previous to moving to 1Password, you have the ability to move your data from other applications using 1Password's built-in import options or by using community-created 1Password
eWallet password manager was available for several years before smart phones as we know them now. I remember using eWallet on my Palm Pilot and later on my Pocket PC, and
in fact, it is still one of the password managers in my digital protection toolkit. eWallet supports Windows, Mac OS, iOS mobile devices (iPhone, iPod touch and iPad), Android, some BlackBerry devices and Amazon Kindle
Fire devices and uses strong 256-bit AES encryption and a master password to protect your data. Mac and Windows PC versions include SyncPro to synchronize to mobile devices via local Wi-Fi or the cloud. eWallet grants
access to your data with Touch ID or your master password.
eWallet provides a plethora of categories and cards for your stored data including credit and debit card information, bank accounts, insurance cards, membership cards, website passwords, software serial numbers, prescriptions,
and you can add notes for each to include verification questions. eWallet uses a feature called AutoPass which enables you to automatically connect and log on to websites by clicking the URL link within the eWallet
eWallet has a built-in PassBuilder that generates secure, complex passwords with a choice of advanced options and a choice of a memory aid if desired, and saves the password to your card.
This digital wallet cannot be used to tap and pay at retail locations.
eWallet for mobile platforms (iOS, Android, Blackberry 10) is priced at $9.99. If you purchase eWallet for your iPhone or iPod touch, you can also use the license on your iPad. The Mac OS X and Windows PC version is $19.99.
In conclusion, it is estimated that over 2 million people still use "123456" for their password. Did you know that? Pixel Privacy has put together a huge, comprehensive guide that rounds up everything you can imagine on account security, packed full of sources and actionable information.