How to get rid of your old devices safely

Disposing of old tech isn’t a one-click solution; there are multiple things you have to consider before moving on to greener pastures

Black Friday, Cyber Monday and even Christmas are behind us. Which means some of us may have been fortunate enough to unwrap a shiny new laptop, smartphone or tablet. But what about our old devices?

Some of us keep our old devices as back-ups in case something goes amiss. Most people, on the other hand, prefer either to share the holiday cheer by gifting their old devices, or to sell them. Whatever the case may be, there are some things you should do before you can pass the device along safely.

Mind you, if you’re more of a video person, we’ve got you covered, too. Otherwise just scroll down to read the main part of this article.



General advice

The one rule you should always adhere to is back up your data. Usually, if it involves your smartphone, you can back up your data to the cloud or your computer. If it involves your computer, you can use a combination of cloud and external drive. Choose whichever suits you better, but make sure you do it, so that you will not lose any sensitive data you may need in the future.

Computers

Most computer users think that formatting their hard drive means that they have wiped their data from the drive, which, simply put, is untrue. The data is still recoverable from your drive even after you format it. Wiping the drive on your computer differs from operating system to operating system.

If you have a Mac, the process is quite simple and straightforward. You can use the built-in Disk Utility feature to wipe your drive; it even allows you to determine how thoroughly you want to wipe it.

If you are running Windows, there is no built-in disk wiper, but there are a variety of options you can use. You can browse the web for the best reviewed tool to fit your needs, but the free versions of some may only work with mechanical hard drives.

If you have a solid-state drive (SSD), then we suggest referring to the manufacturer’s website for their drive utility. If you want to go above and beyond, then there is the nuclear option of destroying your drive. If you’re comfortable and are well versed in how drives work, you can destroy the necessary components yourself.

The other option is visiting a specialist service that has machines, such as shredders or crushers, to dispose of your disk. Fair warning though, not all computers have easily removable drives. Macs, for example, have SSDs soldered to their motherboards.

Smartphones

Smartphones have their own utilities that are implemented in the system to make the process as streamlined as possible. If you’re getting rid of your old iPhone, first sign out of all your services such as iTunes, iCloud, App Store, etc. Then go through your Settings, enter the Reset menu, and tap on Erase All Content and Settings.

If you’re planning on passing along your Android device, the process may vary a bit from manufacturer to manufacturer, but the procedure should be roughly the same. Start by removing the security measures like the Lock screen, then move on to removing the accounts you are signed in with. To go the extra mile, encrypt the data on your phone and after that’s done run the Factory Data Reset on your phone. If you’re using an SD card, don’t forget to pop it out.

Recycle

Be environmentally responsible. If you plan to dispose of the device, don’t just throw it away. Look for places that recycle used electronic devices. They contain valuable resources that can be used in manufacturing future devices. If you’re not sure how to go about it, you can check with the manufacturer’s website or your government should have reasonable advice.

If you are not planning on handing a still functional device on to a relative or friend, consider donating it. One person’s trash is another’s treasure and after all, it is the season to be jolly, so why not share the cheer with someone less fortunate?

27 Dec 2019 – 11:30AM

How to secure your digital Christmas presents

What are some of the key things you should do with your shiny new device as soon as you unbox it?

It’s that time of year again, and chances are that new tech will be one of the gifts tucked under your Christmas tree. Whether it’s a smartphone, laptop or, say, an Internet-of-Things (IoT) gadget, there’s a number of things you should consider even before you begin to use your new device. Ensuring that your new tech is properly secured is more important than ever. Here are a couple of questions you should answer:

How should you lock it up? How do you ensure that your personal information remains secure even if your device is lost or stolen? Why stay current with regular security updates? Why should you plan for how to back up your data? How can dedicated security software help? Why should you take the time to read privacy policies?

Watch the video to find out.



23 Dec 2019 – 11:30AM

Week in security with Tony Anscombe

ESET’s free BlueKeep vulnerability checker – Dangerous PayPal-themed scam – This year’s worst passwords

ESET has released a free utility to enable users to check if their computers running Windows are susceptible to the BlueKeep vulnerability. Also this week, ESET researchers published details on an ongoing phishing scam that impersonates PayPal but preys on more than users’ login credentials to the payment service. Also this week, a list of this year’s worst 200 passwords was released. All this – and more – on WeLiveSecurity.com.

Ambitious scam wants far more than just PayPal logins

An ongoing phishing scam uncovered by ESET researchers seeks to wreak havoc on your money and digital life in one fell swoop

ESET researchers in Latin America have spotted fraudulent websites that impersonate PayPal and attempt to trick users into handing over considerably more than ‘only’ their access credentials to the payment service.

The ruse

As is commonly the case with phishing campaigns, the attackers use scare tactics that encourage you to take immediate action. The ploy here involves a spammed email alert of ‘unusual activity’ on your account, prompting you to secure it and avoid financial loss.

Figure 1. The phishing spam email bait

Should you click on the link in the phishing spam message, you are presented with a PayPal-branded page reiterating the claimed account compromise.

Figure 2. The page you’re presented after you take the bait

The manufactured sense of urgency is not the only telltale sign to tip you off that something is amiss. Other giveaways include the odd URL (though partly obfuscated here for security reasons), substandard English, chopped-off letters, and the use of a CAPTCHA.

If you do fall for the ploy, however, you’ll be taken to a login interface that was created to look the part of the genuine two-step PayPal login process.

Figure 3. The first part of the legitimate-looking, but nonetheless fake, login process

Figure 4. The second part of the login process mimicking PayPal’s

Once you’ve supplied your username and password, you’re asked to ‘verify your account’ by providing additional personal information.

Figure 5. The prompt asking you to verify your account

By this stage, you have already handed over your PayPal login credentials; nevertheless, the scammers attempt to collect far more than that. As Figures 6 to 9 show, in a series of steps you’re asked to surrender a range of sensitive information, including your credit or debit card data, access credentials to the bank account linked to the card and, lastly, the login to your email account.

Figure 6. The attempt to steal your home address

Figure 7. The fake form created to steal your credit/debit card data

Figure 8. The fake form asking for more details about your PayPal account

Figure 9. Purloining the login credentials to your email account

In the end, you’re told that access to your PayPal account has been restored. Nothing could be further from the truth now that a big chunk of your (digital) life is in the hands of the criminals, who can use it for identity theft and all manner of fraud, both on and off the internet.

Figure 10. The plot is consummated

The domain name

Despite being clearly distinguishable from the impersonated service, the names of the malicious websites seen in this scam seek to give a sense of being an actual touchpoint for PayPal users who are experiencing problems accessing their accounts. Several such fake domain names have been used – this discussion will focus on the first we saw and from which the screenshots here are taken.

Additionally, the presence of the green padlock to the left of the URL bears witness to a recent trend, where countless phishing sites use authentic SSL (Secure Sockets Layer) certificates in order to boost their aura of legitimacy. As shown in Figures 11 and 12, one of the domains hosting the scam was registered and received a valid SSL certificate earlier this month.

Figure 11. The domain’s SSL certificate

Figure 12. Details on the domain’s registration

Conclusion

Much like other threats in cyberspace, phishing attacks come in various shapes and sizes and continue to evolve. As the example shows, however, social engineering tactics remain at the heart of such scams. After all, by preying on human weaknesses, cybercriminals usually take the path of least resistance. For the victims, even a momentary lapse in judgment or a short moment of distraction can have far-reaching and deleterious consequences.

It’s worth noting that we’ve found no evidence that this campaign results in the installation of malicious software on victims’ machines. And, as this scam starts with a phishing email, the usual precautions will go a long way towards helping you stay safe.

For starters, you should treat with utmost caution any out-of-the-blue notifications to input your sensitive information, and resist the urge to click on links or download attachments. Watch out for any irregularities in the URL where you enter your sensitive data. Indeed, for added reassurance, it never hurts to type the website’s name into the browser manually, or use a previously saved bookmark.

For more thorough takes on how to avoid falling victim to phishing attacks, please refer to these articles:

Phish Allergy – Recognizing Phishing Messages
5 simple ways you can protect yourself from phishing attacks
Phishing unravelled

20 Dec 2019 – 11:30AM

38,000 people forced to pick up email passwords in person

Malware and legal requirements force academics and students to join a near-endless line in order to pick up their passwords

Usually, if you forget your password or need to change it for other reasons, getting a new one is a straightforward process that involves a few clicks. Now imagine you would have to prove your identity and retrieve your password in person. Don’t rush to laugh this off as a bizarre fantasy, as thousands of students and faculty members at the Justus Liebig University Giessen in Germany were unlikely to be laughing when they learned that they would have to do just that.

According to the institution’s statement, 38,000 students and academics now have to stand in line, ID card in hand, so that they can receive new passwords to their university email accounts. The distribution of new passwords was prompted by a malware incident detected last week, with the university’s network being offline since December 8th. As for the unorthodox way of issuing new passwords in person, the staff are citing the legal requirements of the German National Research and Education Network (DFN).

English version of #JLUoffline: pic.twitter.com/YrpgnDW69F

— Universität Gießen (@jlugiessen) December 9, 2019

Arguably, in a way the university can be lauded for its incident response. Since the incident was noticed, the servers and machines were taken offline. USB flash drives loaded with security software were handed out to faculty members, institutes and departments to carry out scans of all machines connected to the university’s network. The devices that passed the first wave of checks were labeled with green stickers.

A second wave of scans then followed, and included, to use the university’s own words, a “specialized scan for the new virus type”. A total of 1,200 USBs were prepared for the second wave, which has been underway since December 18th. Computers that passed both scans are immediately cleared for use. Students were assured that their private machines were free of any risks since they use a separate university network to the one that was compromised.

The University in Gießen, Germany had a security incident that required resetting the passwords of 38000 students. Students are lining up to get their new passwords on paper, after identity verification. More about the incident on the bottom of this page: https://t.co/uMBOi2MpJr pic.twitter.com/QEKcPMZ2Sk

— svbl (@svblxyz) December 17, 2019

Nevertheless, the university’s IT Service center decided to assign new passwords to everyone since they suspected that the malware hit their e-mail servers as well. The whole process was designed to be as precise and orderly as possible, and the students and faculty were separated into groups based on their date of birth and can pick up their passwords during allotted timeslots.

Prospective students were affected as well: the website through which they could apply is currently offline too. This means that they will have to apply through more “analog” ways, such as submitting applications in person or sending them by traditional mail.

19 Dec 2019 – 04:12PM

It’s time to disconnect RDP from the internet

Brute-force attacks and BlueKeep exploits usurp convenience of direct RDP connections; ESET releases a tool to test your Windows machines for vulnerable versions

While the BlueKeep (CVE-2019-0708) vulnerability has not, to date, caused widespread havoc, and we will be looking at the reasons why in this post, it is still very early in its exploitation life cycle. The fact remains that many systems are still not patched, and a thoroughly wormable version of the exploit might still be found. Because of these factors, ESET has created a free utility to check if a system is vulnerable.

Sometimes, you have to say something about things that “go without saying” and it seems the best way to start this post is by mentioning just that, because this is not a subject I expected to have to write about in this day and age. Before we dive in, let’s begin by looking at an old maxim.

There is an old saying in the information security field that if an adversary has physical access to your computer then it is not your computer anymore. The reason for this is quite simple: once the attackers have their hands on a computer, they can change anything they want. Installing devices such as hardware keyloggers, removing disk drives and copying them, and otherwise deleting, altering or adding anything they want on the system all become exponentially easier when you can walk right up to the computer. This is not a particularly surprising turn of events, nor a particularly clever one. Rather, it is an unavoidable truth. For the adversaries, it’s just part of their job description.

Businesses and schools and all sorts of organizations are not blind to this, though. None of these kinds of places put their servers at the front desk in the lobby, reception area, visitor center, waiting room or other locations where the public or, conceivably, any employee, faculty, student, or staff may enter and gain physical access to them. Or, at least, no business that wants to remain in business allows this. Usually, there’s some separation of the servers, whether they be in their own dedicated room, or even tucked away in some back corner that is off-limits to most personnel.

Yet for all this common knowledge, the lessons learned about security in the physical world do not always transfer well (or correctly) into the internet world. There are a large number of servers running various versions of Microsoft Windows server operating systems that are directly connected to the internet with what amounts to little or no practical security around who can access them. And that brings us to the discussion of RDP.

What is RDP?

RDP, short for Remote Desktop Protocol, allows one computer to connect to another computer over a network in order to use it remotely. In a domain, computers running a Windows Client operating system, such as Windows XP or Windows 10, come with RDP client software preinstalled as part of the operating system, which allows them to connect to other computers on the network, including the organization’s server(s). A connection to a server in this case means it could be directly to the server’s operating system, or it could be to an operating system running inside a virtual machine on that server. From that connection, a person can open directories, download and upload files, and run programs, just as if they were using the keyboard and monitor connected to that server.

RDP was invented by Citrix in 1995 and sold as part of an enhanced version of Windows NT 3.51 called WinFrame. In 1998, Microsoft added RDP to Windows NT 4.0 Terminal Server Edition. Since then, the protocol has been a part of all versions of Microsoft’s line of Windows Server operating systems, as well as being included with all non-home user editions of Windows Client operating systems since Windows XP was released in 2001. Today, common users of RDP include system administrators doing remote administration of servers from their cubicles without having to go into the server room, as well as remote workers who can connect to virtualized desktop machines inside their organization’s domain.

What do attackers do with RDP?

For the past couple of years, ESET has seen an increasing number of incidents where the attackers have connected remotely to a Windows Server from the internet using RDP and logged on as the computer’s administrator. Once the attackers are logged into the server as administrator, they will typically perform some reconnaissance to determine what the server is used for, by whom, and when it is being used.

Once the attackers know the kind of server they have control of, they can begin performing malicious actions. Common malicious activities we have seen include:

- clearing log files containing evidence of their presence on the system
- disabling scheduled backups and shadow copies
- disabling security software or setting up exclusions in it (which is allowed for administrators)
- downloading and installing various programs onto the server
- erasing or overwriting old backups, if they are accessible
- exfiltrating data from the server

This is not a complete list of all the things an attacker can do, nor is an attacker necessarily going to perform all of these activities. Attackers may connect multiple times over days or just once, if they have a predetermined agenda. While the exact nature of what attackers will do varies greatly, two of the most common are:

- installing coin-mining programs in order to generate cryptocurrency, such as Monero
- installing ransomware in order to extort money from the organization, often to be paid using cryptocurrency, such as bitcoin

In some cases, attackers might install additional remote-control software to maintain access (persistence) to a compromised server in case their RDP activity is discovered and terminated.
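The activity described above leaves traces in the Windows Security log: a run of failed logons from one address, then a successful RDP logon from the internet. The following detection logic is an added example for this article, not ESET's BlueKeep checker or any other ESET tool. It assumes Security log events have already been parsed into dicts; the event IDs and logon type are Microsoft's (4624 = successful logon, 4625 = failed logon, LogonType 10 = RemoteInteractive, i.e. RDP), and the sample events and IP addresses are constructed.

```python
"""Detect RDP brute-force attempts and successful RDP logons from the
internet in parsed Windows Security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

FAIL_THRESHOLD = 5             # this many failed RDP logons from one IP ...
WINDOW = timedelta(minutes=5)  # ... inside this window is treated as brute force
RDP_LOGON_TYPE = 10            # Microsoft LogonType 10 = RemoteInteractive

# "Internal" here means RFC 1918, loopback and link-local; anything else
# is treated as reachable from the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the source address is outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect_bruteforce(events):
    """Return {src_ip: peak failure count} for IPs whose failed RDP logons
    reach FAIL_THRESHOLD inside any WINDOW-sized sliding window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] == RDP_LOGON_TYPE:
            failures[ev["src_ip"]].append(ev["time"])
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= FAIL_THRESHOLD:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def detect_external_rdp_logons(events):
    """Return sorted (src_ip, account) pairs for successful RDP logons from
    outside the internal ranges; on a server that should not be exposed,
    every one of these deserves a look."""
    return sorted({(ev["src_ip"], ev["account"]) for ev in events
                   if ev["event_id"] == 4624
                   and ev["logon_type"] == RDP_LOGON_TYPE
                   and is_external(ev["src_ip"])})


# Constructed sample: six failures in two minutes from 203.0.113.7 followed
# by a successful logon, plus noise that must not trigger either detector.
_T0 = datetime(2019, 12, 17, 3, 0, 0)


def _ev(event_id, logon_type, src_ip, account, seconds):
    return {"event_id": event_id, "logon_type": logon_type, "src_ip": src_ip,
            "account": account, "time": _T0 + timedelta(seconds=seconds)}


SAMPLE_EVENTS = (
    [_ev(4625, 10, "203.0.113.7", "Administrator", s) for s in range(0, 120, 20)]
    + [_ev(4624, 10, "203.0.113.7", "Administrator", 130)]
    + [_ev(4624, 10, "10.0.0.5", "jsmith", 200)]                        # internal RDP, expected
    + [_ev(4625, 3, "198.51.100.9", "svc", s) for s in range(0, 60, 10)]  # network logon, not RDP
    + [_ev(4625, 10, "192.0.2.1", "guest", s) for s in (0, 600)]          # two failures, too slow
)

if __name__ == "__main__":
    print("brute force:", detect_bruteforce(SAMPLE_EVENTS))
    print("external RDP logons:", detect_external_rdp_logons(SAMPLE_EVENTS))
```

In practice the same two checks map directly onto a SIEM rule: the first surfaces the password guessing, the second the moment an exposed server is actually entered with an administrator account.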

We have not seen any servers that were compromised both to extort via ransomware and to mine cryptocurrency, but we have seen instances where a server was compromised by one attacker to mine cryptocurrency, then later compromised by other attackers who changed the coin

The worst passwords of 2019: Did yours make the list?

These passwords may win the popularity contest but lose flat out in security

Year after year, analyses show that millions of people make, to put it mildly, questionable choices when it comes to the passwords they use to protect their accounts. And fresh statistics for the year that is drawing to a close confirm that bad habits do die hard and many people willingly put themselves in the firing line of account-takeover attacks.

Drawing on an analysis of a total of 500 million passwords that were leaked in various data breaches in 2019, NordPass found that ‘12345’, ‘123456’ and ‘123456789’ reigned supreme in order of frequency. Between them, these numerical strings were used to ‘secure’ a total of 6.3 million accounts. It doesn’t get much more optimistic further down the list, however, as these three choices were followed by ‘test1’ and, the one and only, ‘password’.

Somewhat predictably, the chart is overall replete with many usual suspects among the most common passwords – think ‘asdf’, ‘qwerty’, ‘iloveyou’ and various other stalwart choices. Other supremely hackable passwords – including simple numerical strings, common names, and rows of keys – also abound. Much the same picture is painted annually by SplashData’s lists of the most-used passwords, such as last year, the year before that, and so on.

The entire list of the 200 most popular passwords is available in the linked blog post, but here’s at least the top 25. Let that sink in.

Rank  Password
1     12345
2     123456
3     123456789
4     test1
5     password
6     12345678
7     zinch
8     g_czechout
9     asdf
10    qwerty
11    1234567890
12    1234567
13    Aa123456.
14    iloveyou
15    1234
16    abc123
17    111111
18    123123
19    dubsmash
20    test
21    princess
22    qwertyuiop
23    sunshine
24    BvtTest123
25    11111

Eerily familiar?

If you recognize any of the above as your own, then fixing your passwords is almost certainly one of the things that deserve a place on your laundry list of New Year’s resolutions. For starters, fixing here means not having the exact same idea as millions of other people when you’re signing up to a service and are asked to create your password.

One way to go about this is to opt for a passphrase, which, if done right, is generally a tougher nut to crack as well as easier to remember. The latter is especially useful if you don’t use password management software, which, somewhat unsurprisingly, has been shown to benefit both password strength and uniqueness. Yes, that passphrase should, of course, be unique for each of your online accounts, as recycling your passwords across various services is tantamount to asking for trouble.

You may also want to watch out for password leaks. There are a number of services these days where you can check if your login credentials may have been caught up in a known data breach. Some of them even offer you the option to sign up for alerts if your login information is compromised in a known breach.
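The two pieces of advice above, choosing a passphrase and checking for leaks, can be put into working code. The following is an added example, not NordPass's, ESET's or any breach-check service's code. The breach corpus is constructed here from the article's own top-25 list; the lookup follows the k-anonymity "range query" pattern used by some real leak-check services (the client sends only the first five hex characters of the SHA-1 hash, the server returns every suffix under that prefix, and the match happens on the client); and the word list is a small constructed sample standing in for a real diceware-style list.

```python
"""Check a password against a breach corpus without revealing it, and
generate a random passphrase to use instead (added example)."""
from collections import defaultdict
import hashlib
import math
import secrets

# Constructed corpus: the article's top-25 list for 2019.
LEAKED_PASSWORDS = [
    "12345", "123456", "123456789", "test1", "password", "12345678", "zinch",
    "g_czechout", "asdf", "qwerty", "1234567890", "1234567", "Aa123456.",
    "iloveyou", "1234", "abc123", "111111", "123123", "dubsmash", "test",
    "princess", "qwertyuiop", "sunshine", "BvtTest123", "11111",
]

PREFIX_LEN = 5  # hex characters of the hash that leave the client


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Server side: hashes grouped by prefix, with a count per suffix."""

    def __init__(self, passwords):
        self._by_prefix = defaultdict(lambda: defaultdict(int))
        for pw in passwords:
            h = sha1_hex(pw)
            self._by_prefix[h[:PREFIX_LEN]][h[PREFIX_LEN:]] += 1

    def range_query(self, prefix: str) -> dict:
        """The server only ever learns the prefix and answers with every
        suffix under it, so it cannot tell which one the client wanted."""
        return dict(self._by_prefix.get(prefix.upper(), {}))


def times_seen_in_breaches(password: str, index: BreachIndex) -> int:
    """Client side: how often the password occurs in the corpus. Neither the
    password nor its full hash leaves the client."""
    h = sha1_hex(password)
    candidates = index.range_query(h[:PREFIX_LEN])
    return candidates.get(h[PREFIX_LEN:], 0)


# Constructed sample word list; a real list would hold thousands of words.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier",
         "harbor", "iris", "juniper", "kestrel", "lantern", "meadow",
         "nectar", "orchid", "pebble", "quartz", "ridge", "saffron", "tundra"]


def generate_passphrase(wordlist=WORDS, n_words=5, sep="-") -> str:
    """Draw words with the CSPRNG behind `secrets`, never with `random`."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n_words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def choose_password(candidate: str, index: BreachIndex) -> tuple:
    """Reject a leaked candidate and suggest a fresh passphrase instead."""
    seen = times_seen_in_breaches(candidate, index)
    if seen:
        return False, f"seen {seen}x in breaches; try: {generate_passphrase()}"
    return True, "not in the corpus (still use a unique password per service)"


if __name__ == "__main__":
    idx = BreachIndex(LEAKED_PASSWORDS)
    for pw in ("password", "correct-horse-battery-staple"):
        print(pw, "->", choose_password(pw, idx))
    print("5 words from a 7776-word list:",
          round(passphrase_entropy_bits(5, 7776), 1), "bits")
```

The entropy figure is the reason the passphrase advice works: five words from a 7776-word list give about 64.6 bits, far more than any entry in the table above, while remaining memorable.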

In fact, as ours is an era where login data are compromised by the millions, why settle for one line of defense if you can have two? At the risk of repeating ourselves, two-factor authentication is a highly valuable way to add an additional layer of security to online accounts on top of your password.

16 Dec 2019 – 05:36PM

Week in security with Tony Anscombe

ESET’s Cybersecurity Trends 2020 report is out – New Chrome feature boosts account security – Hundreds of thousands of birth certificate applications leaked online

ESET releases its Cybersecurity Trends 2020 report, with experts reflecting on security topics that are set to figure prominently in the upcoming year. Google has added a new feature to its Chrome web browser that will alert users if their login credentials have been compromised in a breach. Over 750,000 birth certificate applications have been exposed online by an unnamed company that enables people to obtain copies of birth and death records from state governments in the United States.

2FA: Double down on your security

The second authentication factor might be a minor inconvenience, but it provides a major security boost

With past years riddled with security breaches, it is high time we evaluated the way we secure our online presence. The usual way to secure most of your digital accounts is by using a password, no question about it. The problem is you have tens – even hundreds – of accounts you need to secure. How do you go about it? Do you have a unique password for every service you use?

Perhaps, a significant number of you will answer “no”, which would not come as much of a surprise. Far too often people tend to keep their passwords simple, so they can be easily remembered. Nothing can underline this more than the fact that “123456” was ranked as the most commonly used password of 2018. If we adhere to the established (although now recognized as seriously flawed) practice of creating strong passwords such as including uppercase and lowercase letters, numbers, special characters and so on, we still tend to recycle our passwords or use minor variations of them. That being said, passwords have their limitations. They are only a single barrier between your account and a hacker.

Two-factor authentication (2FA), also known as multifactor authentication (MFA), is a simple way to add an extra layer of security to your accounts. What do we mean by the two factors? To understand that, you need to know the three classic authentication factors, often referred to as “something you know, something you have, and something you are”. The first are things like passwords, PINs and lock screen patterns. The second are things like physical keys (brass or RFID), electronic tokens and SMS codes, while the third are biometrics such as fingerprints, retinas and faces.

You have now probably guessed that a 2FA system requires you to pass authentication challenges that require responses from two different factors. That could be a PIN code (something you know) and a fingerprint scan (something you are), or a retina scan (something you are) followed by entering a code from a security token (something you have). As passwords have traditionally been used for online services, they tend to be one of the factors still required in 2FA schemes for such services. Hence, a 2FA system combining a password and the possession of another factor makes it difficult for hackers to access your account since they will be missing one of the pieces of the puzzle.

There is a variety of 2FA systems for services to use. What most of them have in common is that a one-time code is generated on, or sent to, an authentication device so you can input it together with your password, thus providing you with access to your account. The most common 2FA method used by popular online services is a text message with an authentication code sent to your phone. It is not the best and most secure method, but it is still better than not having one at all.

Then there are authenticator apps that you can use that can be paired with your accounts. These apps keep on generating authentication codes that are valid for only a limited period of time. For example, each code is valid for only one minute. Google, for instance, has been experimenting with a new form of 2FA that does away with the need to enter keys manually, transforming your phone into a security key itself. Alternatively, some companies provide hardware solutions of their own that you can use for 2FA purposes. The choices are many; just choose the one that suits your needs the best.

Most popular sites offer two-factor authentication options, but few require 2FA for login. Generally, you will have to locate a site’s 2FA options and enable them for yourself. They can usually be found in the settings or privacy sections of the website. The sites will walk you through setting up a 2FA method, sometimes offering more than one option. If you’re not sure if a website or service offers 2FA you can check for it here.

If you’re wondering if 2FA is bulletproof, there have been rare occasions when it has been bypassed. But in most cases, it provides a great extra layer of security against various attacks that attempt to scam you into revealing your login credentials.

13 Dec 2019 – 11:30AM

Chrome now warns you if your password has been stolen

The browser’s latest version also aims to up the ante in phishing protection

Google has added a new feature to its Chrome web browser that will alert users if their login credentials have been compromised in a security breach, according to the company’s announcement.

This may sound familiar, and with good reason. The functionality builds on Chrome’s Password Checkup browser extension, which was rolled out in February of this year and has since been downloaded a little over a million times. In October, Google integrated the feature into Google Accounts, giving users an easy way of checking if their saved passwords may have been leaked or stolen, as well as determine if their login credentials are weak or reused in multiple accounts.

Now, however, the company is making it even easier to find out if your username/password combinations may have been exposed. The feature – which is part of the release of Chrome 79 to the stable channel for Windows, Mac, Linux, Android, and iOS – has been made available for everyone who’s logged into Chrome.

In a separate blog post, Google gave assurances that the usernames and passwords are hashed and encrypted and that nobody, including the company itself, is able to derive the username or password from the encrypted copy.

As an aside, if you don’t use Chrome, there are other ways to find out if your login details have been exposed in a known security incident. Our recent article sums up some of the most common options.

Source: Google

Phish me not

Recognizing a phishing attack isn’t always easy, and Google has sought to help people stay safe from this pervasive online con. Earlier this year, for example, the company rolled out a quiz that, drawing on real-life techniques deployed by scammers, tested users’ phish-spotting prowess.

Coming back to the present, on top of the integrated leaked-password checker, Chrome’s latest update includes real-time phishing protection. This security enhancement also builds on an existing functionality, as the browser has for some time displayed warnings to people when they attempted to navigate to sites known to pilfer logins.

The feature, which can be controlled in the ‘Settings’ tab under ‘Sync and Google services’, relies on Google’s service known as Safe Browsing, which contains a database of unsafe web resources that updates every 30 minutes. According to the company, however, many phishing sites slipped through the time window. Google says that the expansion of its phishing protection and real-time scanning on desktop has been shown to create alerts for an extra 30 percent of phishing sites.

Beyond that, the latest Chrome update also fixes 51 vulnerabilities, including two rated as ‘critical’.

12 Dec 2019 – 01:11PM