Lloyds Bank fake email “FW: Incoming BACs Documents”

Just received the email below – purporting to be from Lloyds Bank. It looks genuine enough, but clearly it is just another phishing email looking to grab some details off you or drop some malware or a virus on your PC. If you receive this email, delete it. Do not click on the PDF link in the email.

If you have already done so – contact me and I can clean your PC for you. If you don’t have a decent anti-virus – I can help you there too as I resell BitDefender GravityZone – one of the best on the market.

The Worst Passwords of the last year

Everyone who uses a PC or Mac gets told not to use easy-to-guess passwords like “123456” or “password”. As it turns out, people obviously aren’t that bothered, as they still use them.

Password management application provider SplashData on Tuesday released a list of the 100 Worst Passwords of 2017, compiled from more than 5 million passwords leaked during the year. For a fourth consecutive year, “123456” and “password” took the top two spots on the list. The list included plenty of other usual suspects like “qwerty” (No. 4), “football” (No. 9), “iloveyou” (No. 10) and “admin” (No. 11), along with some new additions, including “starwars,” which ranked as the 16th worst password of 2017.

“Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use,” SplashData CEO Morgan Slain said in a statement. “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”

Other new additions to the list this year included “letmein” (No. 7), “monkey” (No. 13), “123123” (No. 17), “hello” (No. 21), “freedom” (No. 22), “whatever” (No. 23) and “trustno1” (No. 25). SplashData warned that using any of the passwords on the top 100 list “would put users at grave risk for identity theft.”

The company recommends using passphrases instead of simple passwords, mirroring advice earlier this year from the National Institute of Standards and Technology. Passphrases should include at least 12 characters and a mix of characters, including upper and lower cases, SplashData recommended. Users should also be sure to set a unique password for each website, and consider using a password manager.

Without further ado, here’s SplashData’s list of the top 25 worst passwords of 2017. To see the full 100, click here.

1 – 123456
2 – password
3 – 12345678
4 – qwerty
5 – 12345
6 – 123456789
7 – letmein
8 – 1234567
9 – football
10 – iloveyou
11 – admin
12 – welcome
13 – monkey
14 – login
15 – abc123
16 – starwars
17 – 123123
18 – dragon
19 – passw0rd
20 – master
21 – hello
22 – freedom
23 – whatever
24 – qazwsx
25 – trustno1
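The advice above (passphrases of at least 12 characters, and NIST’s recommendation to reject passwords that appear on lists of commonly used values) can be enforced at sign-up time rather than left to the user. The script below is an added example, not SplashData’s or NIST’s code: it uses the top-25 list quoted on this page as a constructed denylist (a real deployment would load the full list or a breached-password corpus from a file) and goes slightly beyond a plain lookup by also catching trivial variants such as “Passw0rd2017!” that attackers’ wordlists routinely generate. The normalisation rules (leetspeak undo, trailing digits and punctuation stripped) are my assumption about which variants are worth catching.

```python
"""Reject candidate passwords that are on, or trivially derived from, a denylist.

Added example (not SplashData's or NIST's code). WORST_25 is the list quoted
on this page; the normalisation rules are an assumption about which variants
of a listed word should also be rejected.
"""
import re

WORST_25 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon",
    "passw0rd", "master", "hello", "freedom", "whatever", "qazwsx",
    "trustno1",
]

MIN_LENGTH = 12  # minimum passphrase length recommended on this page

# Substitutions that make a password look different without adding strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s"})


def normalise(pw):
    """Lower-case, drop trailing digits/punctuation, undo leetspeak.

    All-digit inputs would strip to nothing, so fall back to the raw form.
    """
    base = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base) or base
    return stripped.translate(LEET)


def build_denylist(words):
    """Index both the raw and the normalised form of every listed word."""
    deny = set()
    for w in words:
        deny.add(w.lower())
        deny.add(normalise(w))
    deny.discard("")
    return deny


DENYLIST = build_denylist(WORST_25)


def check_password(pw, denylist=DENYLIST):
    """Return (accepted, reason). Length is checked first, then the list."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if pw.lower() in denylist:
        return False, "exact match on common-password list"
    if normalise(pw) in denylist:
        return False, "trivial variant of a common password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("123456", "Passw0rd2017!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate))
```

Note that “Passw0rd2017!” satisfies every classic complexity rule (upper, lower, digit, symbol, 13 characters) and is still rejected, which is the point of denylist checking over composition rules.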

Shame, confusion among office workers spur record numbers to give in to ransomware

Source: https://businessinsights.bitdefender.com/shame-confusion-among-office-workers-spur-record-numbers-to-give-in-to-ransomware

By Filip Truta on Nov 03, 2017

Despite considerable efforts to educate employees on ransomware, many organizations still don’t know what to do if they fall victim to an attack. According to part 2 of Intermedia’s Data Vulnerability Report, a record number of employees and their employers are paying ransom.

Intermedia examined the security habits of more than 1,000 office workers and found that many employees draw a blank when they fall victim to ransomware. About a third admit they aren’t even familiar with ransomware.

“This lack of awareness, paired with massive global attacks such as WannaCry and Petya (and new strains popping up all the time like Bad Rabbit), is resulting in both employees and employers paying ransoms in record numbers,” according to the report.

Although 70% of office workers say their organization regularly communicates about cyber threats, employees aren’t always told what exactly to do if hackers seize their computer. Because of this, employees hit by ransomware sometimes take matters into their own hands, which can dramatically undermine their organizations’ security efforts.

In fact, the study shockingly reveals that employees shoulder the costs of ransomware payments more often than their employers – 59% paid the ransom personally, and 37% said their employers handled the payment.

In organizations where WannaCry was named as part of the cybersecurity training, as many as 69% of employees paid a ransom themselves. Intermedia suggests shame, as well as lack of knowledge, may drive employees to pay ransom themselves.

Other findings include:

  • Over 73% of Millennial workers affected by ransomware report paying a work-related ransom
  • 68% of impacted owners / executive management said they personally paid a work-related ransom
  • Small and medium-sized businesses are particularly vulnerable to ransomware attacks as they lack the resources, tools and/or training that larger organizations use to recognize, prevent and protect themselves
  • Ransom paid by office workers averages $1,400
  • Growth in ransomware attacks is directly linked to the increased willingness of victims to cough up ransom money

To mitigate the risk of falling victim to a ransomware attack, companies would be smart to employ a proven enterprise security solution trained in sniffing out not just ransomware, but any kind of malware.

Regular backups are also a good idea. In case of an attack, organizations can restore from backup with little or no harm to their operations and, ultimately, their bottom line.

With ransomware damage costs predicted to exceed $5 billion in 2017 (up from $325 million in 2015), and the General Data Protection Regulation just around the corner, doing nothing is no longer an option – neither for big corporations nor for small businesses.

Hackers Distribute Malware-Infected Media Player to Hundreds of Mac Users

Yet another software supply-chain attack hits popular applications.
Lucian Constantin
Oct 20 2017, 3:52pm
https://motherboard.vice.com/en_us/article/bj789w/elmedia-player-malware-hack-mac-trojan

Hackers managed to compromise the website of a company that develops several popular apps for Apple computers, distributing malware-infected versions of those apps to hundreds of users. Security researchers from antivirus firm ESET reported Friday that the free version of Elmedia Player distributed from Eltima Software’s website contained a macOS information stealing trojan known as OSX/Proton. The same malware was distributed earlier this year through another trojanized version of a popular macOS application called HandBrake.

Eltima told me in an email that hackers also managed to trojanize one of the company’s other applications, an internet download manager called Folx that also acts as a BitTorrent client. The Proton malware is capable of stealing a lot of data from infected computers including history, cookies, bookmarks, and log-in data from browsers; cryptocurrency wallets; SSH authentication keys; macOS keychain data; Tunnelblick VPN configuration data; PGP encryption keys and data stored in 1Password, a password management application.

Elmedia Player has 1 million users as of August, according to Eltima. The company provides free and paid versions of its software programs and distributes them through its website and through the Mac App Store. Only the installers for Elmedia Player and Folx downloaded by users from the company’s website contained the Proton trojan, an Eltima spokeswoman told me. “The built-in automatic update mechanism [of the applications] seems to be unaffected.”

The security breach happened Thursday and was discovered relatively fast by ESET who reported the incident to the software developer. The malicious installers were available on Eltima’s website for around 24 hours and were downloaded by almost 1,000 users. “Users who downloaded and executed the software on October 19 before 3:15 PM EDT, are likely compromised,” the ESET researchers said. On Friday morning, Eltima announced that both apps are now “safe to install and malware-free.”

The attackers don’t appear to have compromised the company’s development infrastructure, as happened recently with the developer of a Windows application called CCleaner. Instead, the hackers just managed to hack into Eltima’s website through a vulnerability in a JavaScript-based library called TinyMCE. The malicious installers were not digitally signed with Eltima’s Apple developer certificate, but with a different developer ID under the name Clifton Grimm. It’s not clear if this certificate was obtained from Apple by using a fake identity or if it was stolen from another developer. Gatekeeper, Apple’s first line of defense against malware, allows signed binaries to execute without warning by default, Patrick Wardle, director of research at Synack and a macOS security expert, told me in a Twitter direct message. Because of this, most Mac malware is now signed with stolen or fraudulently obtained Apple developer IDs, with the latter being much more likely, he said. “It appears Apple has a problem with ensuring only legitimate developer IDs are given out,” Wardle said.

Apple revoked the misused Clifton Grimm certificate after being alerted by ESET and Eltima, but users who downloaded and executed the rogue Elmedia Player and Folx installers before this happened didn’t get a Gatekeeper warning. At installation, Proton displays a fake password authorization window in order to gain system administrator privileges. It’s not unusual for legitimate applications to request such access, so users might easily be tricked into inputting their password. There is some evidence that this new attack might have been perpetrated by the same attackers who compromised a legitimate download server for the HandBrake video converter application in May and distributed a malicious version of that program to macOS users.

In both cases, the trojanized installers infected computers with Proton and in both cases the malware’s command-and-control servers used domain names similar to those of the compromised software. The difference is that the rogue HandBrake installer was not digitally signed, meaning that users would have had to override Gatekeeper manually in order to install it.

To determine if they’ve been infected users can search their systems for the presence of the following files or directories: /tmp/Updater.app/, /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist, /Library/.rand/ and /Library/.rand/updateragent.app/. If any of them exist, Proton was installed, according to ESET.
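The indicator check ESET describes can be scripted so it is repeatable across a fleet, and so it can be run against a mounted disk image rather than only the live system. The script below is an added example, not ESET’s or Eltima’s tooling: the four paths are exactly those quoted above, the list of secrets to rotate is taken from the article’s description of what Proton steals, and the `root` parameter (my addition) lets the check be pointed at any directory.

```python
"""Look for the OSX/Proton indicators published by ESET for the Elmedia/Folx incident.

Added example, not ESET's or Eltima's code. PROTON_INDICATORS are the four
paths quoted in the article; `root` is an assumption that lets the same check
run against a mounted image or a test directory instead of "/".
"""
import sys
from pathlib import Path

PROTON_INDICATORS = [
    "/tmp/Updater.app/",
    "/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist",
    "/Library/.rand/",
    "/Library/.rand/updateragent.app/",
]

# What the article says Proton steals; all of it must be treated as exposed.
SECRETS_TO_ROTATE = [
    "browser history, cookies, bookmarks and saved logins",
    "cryptocurrency wallets",
    "SSH authentication keys",
    "macOS keychain entries",
    "Tunnelblick VPN configuration",
    "PGP keys",
    "1Password vault contents",
]


def find_proton_indicators(root="/"):
    """Return the indicator paths that exist under root (empty list means none found)."""
    found = []
    for indicator in PROTON_INDICATORS:
        # Strip the leading "/" so the path is joined under root rather than replacing it.
        candidate = Path(root) / indicator.lstrip("/")
        if candidate.exists():  # file or directory; ESET's guidance does not distinguish
            found.append(indicator)
    return found


def report(root="/"):
    """Human-readable verdict following ESET's advice: any hit means full reinstall."""
    hits = find_proton_indicators(root)
    if not hits:
        return "no Proton indicators found"
    return ("Proton indicators present: " + ", ".join(hits)
            + " -- assume compromise; reinstall macOS and rotate: "
            + "; ".join(SECRETS_TO_ROTATE))


if __name__ == "__main__":
    # Usage: python proton_check.py [root]   (root defaults to the live filesystem)
    print(report(sys.argv[1] if len(sys.argv) > 1 else "/"))
```

Run it with `sudo` on a live Mac so that `/Library/.rand/` is readable; a hit on any one path is enough to follow ESET’s reinstall-and-rotate advice.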

“As with any compromise with an administrator account, a full OS reinstall is the only sure way to get rid of the malware,” the ESET researchers said. “Victims should also assume that the secrets outlined in the previous section are compromised and take appropriate measures to invalidate them.”

Software supply-chain attacks pose a very serious danger because they abuse the existing trust relationship between users and software developers. These attacks can happen in several ways and can be very hard to detect and prevent. Attackers recently managed to distribute infected versions of CCleaner—a Windows system optimization tool—to over 2.2 million users after hacking into the program developer’s infrastructure. Last year, attackers hacked into the website of popular open-source Transmission BitTorrent client on two separate occasions and distributed infected installers to macOS users.

In order to compromise Macs, attackers need a way to get malicious applications onto them, and hacking into a legitimate developer’s website to surreptitiously trojanize a popular app is a great way to achieve this, Wardle said. We’ve seen attackers use this mechanism before, so it won’t be surprising if they continue to rely on this attack vector, he said.

KRACK attacks – is your Wi-Fi at risk?

Here’s what it’s all about and what to do

The latest bug to arrive with its own logo is called the KRACK Attack. KRACK attacks mean that most encrypted Wi-Fi networks are not as secure as you think.
KRACK works against networks using WPA and WPA2 encryption, which these days covers most wireless access points where encryption has been turned on.
An attacker within Wi-Fi range could, in theory, sniff out some of the encrypted traffic sent to some of the computers in your organisation or home. Even if an attacker can only “bleed off” small amounts of traffic, in dribs and drabs, the end result could be very serious.

KRACK explained

KRACK is short for Key Reinstallation Attack, which is a curious name that probably leaves you as confused as we felt when we heard about it, so here’s our extremely simplified explanation of what happens (please note this explanation covers just one of numerous flavours of similar attack). At various times during an encrypted wireless connection, you (the client) and the access point (the AP) need to agree on security keys.
To do so, a protocol known as the “four-way handshake” is used, which goes something like this:

Message 1 (AP to client): Let’s agree on a session key. Here’s some one-time random data to help compute it.
Message 2 (Client to AP): OK, here’s some one-time random data from me to use as well.

At this point, both sides can mix together the Wi-Fi network password (the so-called Pre-Shared Key or PSK) and the two random blobs of data to generate a one-time key for this session. This avoids using the PSK directly in encrypting wireless data, and ensures a unique key for each session.

Message 3 (AP to client): I’m confirming we’ve agreed on enough data to construct a key for this session.
Message 4 (Client to AP): You’re right, we have.

The KRACK Attacks (with numerous variations) use the fact that although this four-way protocol was shown to be mathematically sound, it could be – and in many cases, was – implemented insecurely. In particular, an attacker with a rogue access point that pretends to have the same network number (MAC address) as the real one can divert message 4 and prevent it reaching the real AP. During this hiatus in the handshake, the client may already have started communicating with the AP, because the two sides already have a session key they can use, albeit that they haven’t finalised the handshake. This means that the client will already be churning out cryptographic material, known as the keystream, to encrypt the data it transmits.

To ensure a keystream that never repeats, the client uses the session key plus a nonce, or “number used once”, to encrypt each network frame; the nonce is incremented after each frame so that the keystream is different each time. As far as we can determine, all the KRACK attacks involve reused keystream material accessed by “rewinding” crypto settings and thus encrypting different data with the same keystream. If you know one set of data you can figure out the other – that’s the best case; some cases are worse than that because you can as good as take over the connection both ways.

Back to the handshake

At some point, the real AP will send another copy of message 3, possibly several times, until the rogue AP finally lets the message get through to the client.
The mathematical certainty in the protocol now meets cryptographic sloppiness in its implementation.
The client finalises the handshake at last, and resets its keystream by “reinstalling” the session key (thus the name of the attack), and resetting the nonce to what it was immediately after stage 2 of the handshake.
This means the keystream starts repeating itself – and re-using the keystream in a network encryption cipher of this sort is a big no-no.
If you know the contents of the network frames that were encrypted the first time, you can recover the keystream used to encrypt them; if you have the keystream from the first bunch of network frames, you can use it to decrypt the frames encrypted the second time when the keystream gets re-used.
Even if attackers are only able to recover a few frames of the data in any session, they still come out ahead.
Gold dust sounds less valuable than a gold ingot – but if you collect enough gold dust, you get to the same value in the end.
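The two paragraphs above (the nonce that must never repeat, and the reinstalled key that resets it) can be made concrete with a small simulation. The code below is an added example, not from the KRACK paper or any Wi-Fi stack: it models the client’s key and nonce state, uses a toy counter-mode keystream built on HMAC-SHA256 as a stand-in for WPA2’s AES-CCMP (the only property that matters is that the keystream depends on the key and nonce), and replays the handshake sequence described above twice, once for a client that resets its nonce when message 3 is delivered again and once for a patched client that ignores the re-installation. The two sample frames are constructed.

```python
"""Why reinstalling the session key (and resetting the nonce) leaks plaintext.

Added example, not code from the KRACK researchers or any Wi-Fi stack.
The keystream is a toy HMAC-SHA256 counter mode standing in for AES-CCMP;
the frames and the session key derivation are constructed.
"""
import hashlib
import hmac

# Constructed frames of equal length so the XOR lines up byte for byte.
KNOWN_FRAME = b"GET / HTTP/1.1\r\n"    # predictable content, e.g. a request header
SECRET_FRAME = b"Cookie: sid=0042"    # content that must stay confidential


def keystream(key, nonce, length):
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || block index), truncated."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Minimal model of a supplicant's session-key and packet-nonce state."""

    def __init__(self, patched):
        self.patched = patched  # True: a retransmitted message 3 does not reset the nonce
        self.key = None
        self.nonce = 0

    def install_key(self, key):
        """Handle message 3: install the session key and start the nonce afresh.

        The fix vendors shipped amounts to the guard on the first line: if the
        same key is already installed, do nothing, so the nonce keeps counting.
        """
        if self.patched and key == self.key:
            return
        self.key = key
        self.nonce = 1

    def encrypt_frame(self, plaintext):
        """Encrypt one frame under the current nonce, then advance the nonce."""
        ct = xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))
        frame = (self.nonce, ct)
        self.nonce += 1
        return frame


def simulate(patched):
    """Replay the sequence in the text: message 3, a frame, message 3 again, a frame.

    Returns (nonce1, ct1, nonce2, ct2) for the two frames.
    """
    ptk = hashlib.sha256(b"psk|anonce|snonce (constructed)").digest()  # stand-in session key
    client = Client(patched)
    client.install_key(ptk)                    # message 3 arrives, handshake completes
    n1, c1 = client.encrypt_frame(KNOWN_FRAME)
    client.install_key(ptk)                    # message 3 delivered again
    n2, c2 = client.encrypt_frame(SECRET_FRAME)
    return n1, c1, n2, c2


def plaintext_exposed(c1, c2, known_plaintext):
    """c1 XOR c2 XOR p1: equals p2 exactly when both frames used the same keystream."""
    return xor(xor(c1, c2), known_plaintext)


if __name__ == "__main__":
    for patched in (False, True):
        n1, c1, n2, c2 = simulate(patched)
        exposed = plaintext_exposed(c1, c2, KNOWN_FRAME)
        print(f"patched={patched}: nonces {n1} and {n2}; "
              f"second frame exposed: {exposed == SECRET_FRAME}")
```

The unpatched run uses nonce 1 for both frames, so XOR-ing the two ciphertexts cancels the keystream and the known first frame gives away the second; the patched run uses nonces 1 and 2 and the same arithmetic yields noise. Nothing about the PSK is learned either way, which is why changing the Wi-Fi password does not help.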

What to do

Changing your Wi-Fi password won’t help: this attack doesn’t recover the password (PSK) itself, but instead allows an attacker to decrypt some of the content of some sessions.
Changing routers probably won’t help either, because there are numerous variants of the KRACK Attacks that affect most Wi-Fi software implementations in most operating systems.

Here’s what you can do:

  • Until further notice, treat all Wi-Fi networks like coffee shops with open, unencrypted, wireless.
  • Stick to HTTPS websites so your web browsing is encrypted even if it travels over an unencrypted connection.
  • Consider using a VPN, which means that all your network traffic (not just your web browsing) is encrypted, from your laptop or mobile device to your home or work network, even if it travels over an unencrypted connection along the way.
  • Apply KRACK patches for your clients (and access points) as soon as they are available.

Simply put, if you ever use open Wi-Fi access points (or Wi-Fi access points where the password is widely known, e.g. printed on the menu or handed out by the barista), you are already living in a world where at least some of your network traffic could be sniffed out at will by anyone. The precautions that you take in those cases – why not take them all the time? If you always encrypt everything yourself, in a way that you get to choose and can control, you never have to worry what you might have forgotten about.


Unifi Networks were one of the first to release patches for their routers and firewalls – if you are interested in upgrading your wireless network to Unifi Enterprise grade – speak to me http://prpcs.co.uk/services/wifi-optimisation

Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak

By Catalin Cimpanu at www.bleepingcomputer.com
June 27, 2017 05:46 PM

Cybereason security researcher Amit Serper has found a way to prevent the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting computers.

The ransomware has been wreaking havoc across the globe today, locking hard drive MFT and MBR sections and preventing computers from booting. Unless victims opted to pay a ransom (which is now pointless and not recommended), there was no way to recover their systems.

In the first hours of the attack, researchers believed this new ransomware was a new version of an older threat called Petya, but they later discovered that this was a new strain altogether, which borrowed some code from Petya, hence why they recently started calling it NotPetya, Petna, or, as we like to call it, SortaPetya.

Researchers flocked to find a killswitch mechanism

Because of the ransomware’s global outreach, many researchers flocked to analyze it, hoping to find a loophole in its encryption or a killswitch domain that would stop it from spreading, similar to WannaCry.

While analyzing the ransomware’s inner workings, Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk.

The researcher’s initial findings were later confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft.

This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.

While this does prevent the ransomware from running, this method is more of a vaccination than a kill switch. This is because each computer user must independently create this file, compared to a “switch” that the ransomware developer could turn on to globally prevent all ransomware infections.

How to Enable the NotPetya/Petna/Petya Vaccine

To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read only. For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that performs this step for you.

Please note that the batch file will also create two additional vaccination files called perfc.dat and perfc.dll. While my tests did not indicate that these additional files are needed, I added them for thoroughness based on the replies to this tweet.

This batch file can be found at: https://download.bleepingcomputer.com/bats/nopetyavac.bat (PR PC Support takes no responsibility for use of this batch file – although it has been checked out )

For those who wish to vaccinate their computer manually, you can do so using the following steps. Please note that these steps are being created to make it as easy as possible for those with little computer experience. For those who have greater experience, you can do it in quite a few, and probably better, ways.

First, configure Windows to show file extensions. For those who do not know how to do this, you can use this guide. Just make sure the Folder Options setting for Hide extensions for known file types is unchecked like below.

Once you have enabled the viewing of extensions, which you should always have enabled, open up the C:\Windows folder. Once the folder is open, scroll down till you see the notepad.exe program.

Once you see the notepad.exe program, left-click on it once so it is highlighted. Then press Ctrl+C to copy and then Ctrl+V to paste it. When you paste it, you will receive a prompt asking you to grant permission to copy the file.

Press the Continue button and the file will be created as notepad – Copy.exe. Left click on this file and press the F2 key on your keyboard and now erase the notepad – Copy.exe file name and type perfc as shown below.

Once the filename has been changed to perfc, press Enter on your keyboard. You will now receive a prompt asking if you are sure you wish to rename it.

Click on the Yes button. Windows will once again ask for permission to rename a file in that folder. Click on the Continue button.

Now that the perfc file has been created, we now need to make it read only. To do that, right-click on the file and select Properties as shown below.

The properties menu for this file will now open. At the bottom will be a checkbox labeled Read-only. Put a checkmark in it as shown in the image below.

Now click on the Apply button and then the OK button. The properties Window should now close. While in my tests, the C:\windows\perfc file is all I needed to vaccinate my computer, it has also been suggested that you create C:\Windows\perfc.dat and C:\Windows\perfc.dll to be thorough. You can redo these steps for those vaccination files as well.

Your computer should now be vaccinated against the NotPetya/SortaPetya/Petya Ransomware.
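The manual steps above can also be done from a script, which is handy when there are many machines to vaccinate. The script below is an added example and is not Lawrence Abrams’s batch file: it creates perfc, perfc.dat and perfc.dll in the Windows directory and marks each read-only, exactly as the walkthrough does by hand. The file contents are a constructed marker line (the walkthrough copies notepad.exe, but the article says only the file’s presence matters), and the `windir` parameter is my addition so the script can be dry-run in any directory. On Windows it must be run from an elevated (administrator) prompt because C:\Windows is protected.

```python
"""Create the NotPetya/Petna vaccine files and mark them read-only.

Added example, not the batch file from the article. VACCINE_FILES are the
three names the article gives; `windir` defaults to the Windows directory
and is an assumption that lets the script be tested elsewhere.
"""
import os
import stat
from pathlib import Path

VACCINE_FILES = ["perfc", "perfc.dat", "perfc.dll"]
MARKER = "NotPetya/Petna vaccination file - do not delete.\n"  # constructed content


def _windir(windir):
    # SystemRoot is set by Windows itself; the fallback is the usual location.
    return Path(windir or os.environ.get("SystemRoot", r"C:\Windows"))


def vaccinate(windir=None):
    """Create each vaccine file if missing and clear its write bits.

    Returns a dict of file name -> "created" or "already present". Clearing
    the write bits is what sets the Read-only attribute on Windows.
    """
    base = _windir(windir)
    results = {}
    for name in VACCINE_FILES:
        path = base / name
        if path.exists():
            results[name] = "already present"
        else:
            path.write_text(MARKER)
            results[name] = "created"
        path.chmod(stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
    return results


def is_vaccinated(windir=None):
    """True only if all three files exist and none is writable by its owner."""
    base = _windir(windir)
    return all(
        (base / name).exists()
        and not ((base / name).stat().st_mode & stat.S_IWUSR)
        for name in VACCINE_FILES
    )


if __name__ == "__main__":
    for name, status in vaccinate().items():
        print(f"{name}: {status}")
    print("vaccinated:", is_vaccinated())
```

As the article notes, this only blocks the strain that checks for these particular files; it is a stop-gap, not a substitute for patching and backups.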

Beware new WhatsApp Scam

A scam text message has been doing the rounds stating that WhatsApp is about to start charging people to use the service. It is not true.

The text message invites people to click on a link and pay 99p for a lifetime subscription to the service because their current subscription has come to an end.

However, it is a scam and anyone who receives it should delete it immediately. Do not click on the link and certainly don’t hand over your bank details.

If you have clicked the link then you’re probably wise to run antivirus software.

When it was launched, WhatsApp did charge 99p after the first year but that was later scrapped.

It was not immediately clear where the scammers had got people’s telephone numbers from.

Google Phishing Scam : Beware new scam targeting Googlemail

A huge scam is sweeping the web and anyone with a Gmail account may be vulnerable.

Huge numbers of people may have been compromised by the phishing scam that allows hackers to take over people’s email accounts. It’s not clear who is running the quickly spreading scam or why. But it gives people access to people’s most personal details and information, and so the damage may be massive.

The scam works by sending users an innocent-looking Google Doc link, which appears to have come from someone you might know. But if it’s clicked then it will hand over access to your Gmail account — and turn it into a tool for spreading the hack further.
As such, experts have advised people to only click on Google Doc links they are absolutely sure about. If you have already clicked on such a link, or may have done, inform your workplace IT staff as the account may have been compromised. The hack doesn’t only appear to be affecting Gmail accounts but a range of corporate and business ones that use Google’s email service too.

If you think you may have clicked on it, you should head to Google’s My Account page. Head to the permissions option and remove the “Google Doc” app, which appears the same as any other.
You’ll be able to tell if it is the malicious app if it has a recent authorisation time. That app has full access to a person’s Google account as well as being able to send emails that appear to be from them, making the attack especially dangerous. The email itself comes addressed to hhhhhhhhhhhhhhhh@mailinator.com — which is the only way to know that the email is malicious. They otherwise look completely legitimate, including the account in the “from” field.

Don’t fall for the re-hashed Facebook scam

A lot of people are sharing this on their Facebook status:

“Deadline tomorrow !!! Everything you’ve ever posted becomes public from tomorrow. Even messages that have been deleted or the photos not allowed. It costs nothing for a simple copy and paste, better safe than sorry. Channel 13 News talked about the change in Facebook’s privacy policy. I do not give Facebook or any entities associated with Facebook permission to use my pictures, information, messages or posts, both past and future. With this statement, I give notice to Facebook it is strictly forbidden to disclose, copy, distribute, or take any other action against me based on this profile and/or its contents. The content of this profile is private and confidential information. The violation of privacy can be punished by law (UCC 1-308- 1 1 308-103 and the Rome Statute). NOTE: Facebook is now a public entity. All members must post a note like this. If you prefer, you can copy and paste this version. If you do not publish a statement at least once it will be tactically allowing the use of your photos, as well as the information contained in the profile status updates. DO NOT SHARE. Copy and paste.”

Don’t be fooled: it’s a hoax. If you are concerned, follow the guide below on how to protect your Facebook privacy:

  1. See what your profile looks like to a stranger
    From your Facebook homepage, click your name on the blue bar on the top of the page. Click the three dots next to “View Activity Log” and then select “View As…” By default you’ll be able to see what your profile looks like to members, and can click through to sections such as photos to see what they can see. You can also select a certain friend to see what your profile looks like to them.
  2. Make all your posts private
    If you find that to your horror, hundreds of statuses and photos are public, there’s a quick way to make everything visible to just your friends. Click the drop down arrow on the right hand side of the blue bar, go to Settings and then Privacy, and then select “limit past posts”. It’s a move that’s not easily undone, so you’ll be asked to confirm that you want your posts made more private.
  3. Make yourself difficult to be found on Google and with phone numbers
    Facebook accounts can be found in all sorts of ways: They can be searched for, or if someone has your email address or phone number, they can find you – even if they don’t know your name. On the “Privacy” section of Settings you can choose to be invisible to search engines by answering “no” to “Do you want search engines outside of Facebook to link to your profile?” You can also select whether friends, friends of friends or everyone can find you with your email and phone number.
  4. Adjust what apps are showing your Facebook friends
    Many of the most popular apps now connect to your Facebook profile, meaning that your activity on those apps might be posted on your Facebook profile. But to do this, the apps have to get permission, which is where you can step in. In Settings, go to the Apps section and click “Select All” to see what permissions apps have. You may want some of these to be able to post on your behalf – Instagram, for example – but you may not want your dating apps to do so. Click an app to adjust its privacy settings.
  5. Approve tags before they appear
    When people write on your wall or tag you in a status or photo, you might not want some people to see it. Facebook allows you to review any posts with you tagged in them before they appear on your timeline, although you’d have to report a status or photo for it to disappear. To turn approval on, go to “Timeline and Tagging” in your settings and turn “Review posts friends tag you in before they appear on your timeline” on.