- Back up! Back up! Back up! Have a recovery system in place so a ransomware infection can’t destroy your personal data forever. It’s best to keep two backup copies: one in the cloud (use a service that backs up your files automatically and keeps older versions, because a plain sync service will happily copy the encrypted versions of your files over the good ones) and one stored physically (portable hard drive, thumb drive, extra laptop, etc.). Disconnect the physical copy from your computer when you are done; ransomware encrypts every drive it can reach. Your backup copies will also come in handy should you accidentally delete a critical file or experience a hard drive failure.
- Use robust antivirus software to protect your system from ransomware. Do not switch off the ‘heuristic functions’, as these help the product catch ransomware samples that have not yet been formally detected and added to its signature database.
- Keep all the software on your computer up to date. When your operating system (OS) or applications release a new version, install it. And if the software offers the option of automatic updating, take it.
- Trust no one. Literally. Any account can be compromised, and malicious links can be sent from the accounts of friends on social media, colleagues or an online gaming partner. Never open attachments in emails from someone you don’t know, and be suspicious of unexpected attachments from people you do know. Cybercriminals often distribute fake email messages that look very much like notifications from an online store, a bank, the police, a court or a tax collection agency, luring recipients into clicking a malicious link and releasing the malware onto their system.
- Enable the ‘Show file extensions’ option in the Windows settings on your computer. Windows hides the final extension by default, so a file named doc.scr shows up as just ‘doc’ and hot-chics.avi.exe shows up as a video called ‘hot-chics.avi’. With extensions visible it is much easier to spot potentially malicious files. Be wary of extensions like ‘.exe’, ‘.vbs’ and ‘.scr’ on anything you did not install yourself: scammers stack extensions to disguise an executable as a video, photo or document.
- If you discover a rogue or unknown process on your machine, disconnect the machine immediately from the internet and any other network connections (such as home Wi-Fi). This stops the infection from spreading to network shares and other devices on the network.
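To make the ‘Show file extensions’ tip concrete, here is an added Python example (it is not part of the original tips and not from any product mentioned here). It reports what Windows Explorer would display with extensions hidden, flags executable extensions, flags the double-extension trick from the example above, and goes one step beyond the tip by flagging the Unicode right-to-left override character (U+202E), which attackers use to make a name like "invoice" + U+202E + "fdp.exe" render as "invoiceexe.pdf". The extension lists are assumptions for the example, not an exhaustive list.

```python
from pathlib import PurePath
from typing import Dict, List

# Extensions Windows runs as programs or scripts (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                   ".bat", ".cmd", ".com", ".pif", ".ps1", ".hta", ".msi", ".jar"}
# Extensions people expect to be harmless media or documents (constructed list).
DECOY_EXTS = {".avi", ".mp4", ".mov", ".jpg", ".jpeg", ".png", ".gif",
              ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".zip"}
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: reverses how the rest of the name is drawn


def displayed_name(name: str) -> str:
    """What Explorer shows with 'Show file extensions' off: the final extension is dropped."""
    return PurePath(name).stem


def classify_filename(name: str) -> List[str]:
    """Return the reasons a file name looks deceptive; an empty list means nothing suspicious."""
    reasons = []
    if RLO in name:
        reasons.append("contains right-to-left override character")
    # Strip the override so the *real* extensions are examined, lower-cased for comparison.
    suffixes = [s.lower() for s in PurePath(name.replace(RLO, "")).suffixes]
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        last = suffixes[-1]
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            reasons.append(f"executable {last} disguised as {suffixes[-2]} (double extension)")
        else:
            reasons.append(f"executable extension {last}")
    return reasons


def scan_names(names) -> Dict[str, List[str]]:
    """Map each suspicious name to its reasons, skipping names that look clean."""
    report = {}
    for name in names:
        reasons = classify_filename(name)
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    # Constructed sample file names, including the two from the tip above.
    samples = ["hot-chics.avi.exe", "doc.scr", "holiday.jpg", "report.docx",
               "invoice\u202efdp.exe", "setup.exe"]
    for name in samples:
        verdict = classify_filename(name) or "looks ok"
        print(f"{name!r:28} shown as {displayed_name(name)!r:22} -> {verdict}")
```

To run it over a real download folder, feed `scan_names` the result of `os.listdir(path)`; the point of the display column is to show how much the hidden extension changes what you see.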
How To Recover After Your Email Password Is Compromised
Your friends are reporting spam and pleas for money originating from your email account and some of your logins aren’t working; you’ve been compromised. Read on to see what to do right now and how to protect yourself in the future.
A compromised password is serious business. A security breach at a minor service you use can jeopardize your more important accounts if you use weak passwords (or the same one) across all of them, and a breach at a core service like your email account means it is time to batten down the hatches and get your passwords under control.
This guide is full of useful tips for anyone who has to deal with the fallout of a leaked password, but we’ll be focusing specifically on dealing with the mother of all compromises: a compromised email account. Once someone has control of your email account they can easily gain control of the dozens of other services you use because, for better or worse, email functions as the master key and qualifying identifier: almost every “forgot my password” link ends up in your inbox.
Secure Your Email Account
The absolute first thing you need to do at even the slightest hint that something is amiss is to lock down your account. The second your friend calls you and says “I just got an email from you claiming you’re in London and need me to wire you money” you need to get on your computer and get to work.
Resetting/recovering your password.
You may need to reset or recover your password. The process varies from one email service to another, but we’ve gathered the reset links for three popular email services here to speed things along if you found this article via a panicked Google search. You can find the forms for Gmail, Hotmail, and Yahoo! Mail here. All three services have an option to specify not just that you forgot your password but that you believe your account has been compromised.
Change your password to something completely different from your previous password. Make it long and a mix of letters, numbers and symbols, and if need be write it down temporarily (and destroy the note once it is safely in your password manager). The important thing is that you secure your email immediately with a strong password. While you are still logged into your email account, complete the following steps.
Enable two-factor authentication.
Not every email service offers this feature, but if yours does, turn it on. With two-factor authentication enabled, someone would need both your password and, for example, access to your mobile phone in order to get into your email account. It is a little more hassle at sign-in, but keep it on after the crisis is over: the whole point is that the next leaked password is not enough on its own. You can read about two-factor authentication for Gmail here.
Go through your email settings with a fine tooth comb.
In addition to changing your password and setting up two-factor authentication, you need to go through the settings on your email account to make sure nothing is out of the ordinary. Here are several things you need to look at: check your recovery email address and phone number and ensure they are ones you control; check your password hints and replace them with fresh questions only you know the answer to; check your email forwarding settings and filters to ensure that whoever compromised your account hasn’t set things up so that all your future email (or just the password-reset emails) is quietly forwarded to a third party; and revoke any connected apps, app passwords or signed-in sessions you don’t recognize.
Regarding password hints: password recovery systems based on hints are notoriously easy to defeat, as it isn’t particularly difficult to get basic information about a person like where they were born, what their cat’s name is, etc. (thank you, frivolous Facebook quizzes). One easy way to radically increase the strength of hint questions is to make them about someone other than yourself. Answer the questions as though you are your father, a character in a comic book or novel you love, or any other third party that you have a significant degree of knowledge about. Better still, treat the answers as extra passwords: make them random, unrelated to the question, and store them in your password manager.
Don’t neglect these three steps and make sure to look at all the settings on your email account to make sure there are no surprises tucked away!
Change Every Password Associated with Your Email Address
Email addresses function as the proverbial keys to the castle. If someone has access to your email account they also have access to nearly everything else you’ve ever used your email account for—your iTunes login, your Amazon.com account, your credit cards and banking institutions, social media accounts, discussion forums and so on. Now is the time to start changing passwords. We realize this isn’t fun and we realize it’s time consuming if you have lots and lots of accounts. The upside is that once you do it, you’ll have effectively inoculated yourself against this misery in the future.
Get a password manager.
Not everyone uses a password manager and lots of people have their reasons for not doing so including “I’ve got a good memory”, “I don’t trust password managers”, “I’ve got some straight up KGB algorithm in my brain to generate new and awesome passwords”, etc. We’ve heard it all before. If you want to play the “I’ll memorize all my passwords” game, that’s fine. You simply won’t have as strong and varied passwords as someone who uses a password manager. Not using a password manager is like refusing to use a calculator and solving all math problems long hand; there’s no good reason to forgo using a calculator and there’s no good reason to stick to juggling passwords in your head when there are better alternatives.
Whether you use LastPass, KeePass, or another respectable password manager that integrates with your web browser (and thus decreases your resistance to using it), you’ll have a system that allows you to use extremely strong and unique passwords for each distinct login.
Search your email for registration reminders.
It won’t be hard to remember your frequently used logins like Facebook and your bank, but there are likely dozens of outlying services that you may not even remember you use your email to log into.
Use keyword searches like “welcome to”, “reset”, “recovery”, “verify”, “password”, “username”, “login”, “account” and combinations thereof like “reset password” or “verify account”. Again, we know this is a hassle, but once you’ve done it with a password manager at your side you’ll have a master list of all your accounts and you’ll never have to do this keyword hunt again.
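The keyword hunt above can be scripted against an exported mailbox. The following Python is an added example, not from the original article: it runs the article’s search terms over a handful of constructed sample messages (not real mail) and groups the hits by sender domain, which is the raw material for the account inventory you then load into a password manager. Keyword hits still need a human look; an automated sender talking about your “account” is a signal, not proof of a registration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# The search terms from the paragraph above, matched case-insensitively.
KEYWORDS = ["welcome to", "reset", "recovery", "verify", "password", "username", "login", "account"]
KEYWORD_RE = re.compile("|".join(re.escape(k) for k in KEYWORDS), re.IGNORECASE)

# Constructed sample messages standing in for an exported mailbox (not real mail).
SAMPLE_MESSAGES = [
    "\n".join([
        "From: no-reply@shop.example",
        "To: me@example.com",
        "Subject: Welcome to Example Shop",
        "",
        "Thanks for registering. Your username is me@example.com.",
    ]),
    "\n".join([
        "From: Example Bank <security@bank.example>",
        "To: me@example.com",
        "Subject: Reset your password",
        "",
        "Click the link below to choose a new password.",
    ]),
    "\n".join([
        "From: Alice <alice@friend.example>",
        "To: me@example.com",
        "Subject: Lunch tomorrow?",
        "",
        "Same place at noon?",
    ]),
    "\n".join([
        "From: Example Shop <orders@shop.example>",
        "To: me@example.com",
        "Subject: Your order has shipped",
        "",
        "Track your order in your account.",
    ]),
]


def message_text(msg) -> str:
    """Subject plus the plain-text body (first text/plain part of a multipart message)."""
    parts = [msg.get("Subject", "")]
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                parts.append(part.get_payload(decode=True).decode("utf-8", errors="replace"))
                break
    else:
        parts.append(msg.get_payload())
    return "\n".join(parts)


def find_account_senders(raw_messages) -> Dict[str, List[str]]:
    """Return {sender domain: sorted subjects} for every message that looks account-related."""
    hits = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        if not KEYWORD_RE.search(message_text(msg)):
            continue  # personal mail such as the lunch invitation drops out here
        _, addr = parseaddr(msg.get("From", ""))
        domain = addr.rsplit("@", 1)[-1].lower()
        hits.setdefault(domain, set()).add(msg.get("Subject", ""))
    return {domain: sorted(subjects) for domain, subjects in hits.items()}


if __name__ == "__main__":
    for domain, subjects in sorted(find_account_senders(SAMPLE_MESSAGES).items()):
        print(f"{domain}: {', '.join(subjects)}")
```

For a real export, `mailbox.mbox("export.mbox")` from the standard library iterates the messages; pass `[m.as_string() for m in mailbox.mbox(path)]` to `find_account_senders`.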
Use strong passwords.
If you’re using a good password manager this won’t even be an issue. LastPass, for example, has a built in password generator. A click of a button is all that it takes to generate a password like “Myy0vNncg6dlYrbhVjo1”; add in another click and you can easily associate that extremely strong password with the account.
If you’re not using a password manager there are still some hard and fast rules you should live by when it comes to manually generating strong passwords:
- Passwords should always be longer than the minimum the service allows for. If the service in question allows for 6-20 character passwords go for the longest password you can remember.
- Do not use dictionary words as part of your password. Your password should never be so simple that a cursory scan with a dictionary file would reveal it. Never include your name, part of the login or email, or other easily identifiable items like your company name or street name. Also avoid using common keyboard combinations like “qwerty” or “asdf” as part of your password.
- Use passphrases instead of passwords. If you’re not using a password manager to remember really random passwords (yes, we realize we’re really harping on the idea of using a password manager) then you can remember stronger passwords by turning them into passphrases. For your Amazon account, for example, you could create the easily remembered passphrase “I love to read books” and then crunch that into a password like “!luv2ReadBkz”. It’s easy to remember and it’s fairly strong. Be aware, though, that cracking tools know the common substitutions (“luv”, “2” for “to”, “z” for “s”), so where the service allows long passwords a phrase of four or five unrelated words, typed out in full, is stronger than a heavily abbreviated one.
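As an added example (not code from the original article or from LastPass), the Python below does two things the section describes: it generates a random alphanumeric password of the same shape as the “Myy0vNncg6dlYrbhVjo1” example using the operating system’s secure random source, and it applies the three manual rules above (length, no dictionary words, login or email names or keyboard runs, and a rough entropy estimate) to any password you hand it. The dictionary and keyboard-run lists are tiny constructed stand-ins; a real check would load a full wordlist or, better, a list of previously leaked passwords.

```python
import math
import secrets
import string
from typing import List

ALPHABET = string.ascii_letters + string.digits  # the character set of the LastPass-style example
# Constructed mini dictionary and keyboard runs; real checks use far larger lists.
DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey", "summer", "books", "football"}
KEYBOARD_RUNS = ["qwerty", "qwertz", "asdf", "asdfgh", "zxcv", "1234", "123456", "1q2w3e"]


def generate_password(length: int = 20) -> str:
    """Random alphanumeric password of the kind a password manager produces (OS CSPRNG via secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy, assuming each character was drawn uniformly from the classes present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, login: str = "", email: str = "", min_len: int = 12) -> List[str]:
    """Apply the rules above; returns the list of problems found (empty list = passes)."""
    problems = []
    low = password.lower()
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Dictionary words: the letters-only core is itself a word ("password123"), or a longer word is embedded.
    core = "".join(c for c in low if c.isalpha())
    if core in DICTIONARY:
        problems.append(f"is the dictionary word '{core}' with decoration")
    for word in sorted(DICTIONARY):
        if len(word) >= 5 and word in low and word != core:
            problems.append(f"contains dictionary word '{word}'")
    # Never include your name, login or the local part of your email address.
    for ident in (login, (email.split("@")[0] if email else "")):
        if len(ident) >= 3 and ident.lower() in low:
            problems.append(f"contains your login or email name '{ident}'")
    for run in KEYBOARD_RUNS:
        if run in low:
            problems.append(f"contains keyboard run '{run}'")
    return problems


if __name__ == "__main__":
    for candidate in ["password123", "qwerty12345678", "!luv2ReadBkz", generate_password()]:
        verdict = check_password(candidate, login="jsmith", email="jsmith@example.com") or "passes"
        print(f"{candidate:24} {entropy_bits(candidate):6.1f} bits  {verdict}")
```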
Practice Good Password Hygiene Going Forward
It’s really easy to slip back into bad habits once the shock of security breach has passed. Call it the dentist-effect: you floss and brush like mad before the dentist, you promise yourself you’ll floss and brush after the visit, and three weeks later you find yourself falling asleep on the couch watching Archer with a mouthful of gummy bears.
Staying on top of password management is important and when done correctly protects you from the agony of having to do all this password fixing again (or, worse, losing significant sums of money or becoming embroiled in a legal battle because of what was done with your compromised account). Here’s what you need to do going forward with your old and new accounts:
Always use a unique password for each service.
Think of this policy like having fire suppression systems in every room of a building. If Lab 223 catches fire it doesn’t take the whole structure with it. If someone hacks a game site you visit they won’t also have access to your email (or any other logins associated with your email address).
Change your passwords.
Don’t be resistant to changing your passwords. If you use your email a lot at public Wi-Fi spots, internet cafes, etc., then you need to change it frequently, as you are using it in locations where it can be sniffed (if the connection isn’t protected by HTTPS), key-logged on a shared machine, or otherwise compromised. If you use a password manager this process is much less painful, as you really only need to remember a strong password for the password manager and a strong password for your email (everything else can be managed by the password manager).
Do not store your passwords insecurely.
However you store your passwords, do not store them insecurely. If you write them down on a notebook lock it in your firesafe. If you keep them in a password manager, use a very secure password for that manager. If you keep them on your computer in a text document then you must encrypt that text document and not simply leave it in your My Documents folder. Your password list, however it is stored, is the passport to your digital life.
Do not transmit passwords insecurely.
This is a combination of the previous rule and the next rule. Do not email yourself a plain text file of your passwords. It’s the equivalent of writing your passwords on a postcard and mailing them. Anyone who touches the postcard in transit can easily read the passwords. Never email or instant message your passwords for any reason.
Do not share your password.
As well as not sharing your password between services don’t share your passwords with other people. Your friends don’t need to know your password, your boss doesn’t need to know your password, no legitimate company employee from Google or Bank of America is ever going to call you up or email you and ask for your password. Your default stance on password sharing should always be “No.”
At this point, if you’ve followed along, you have a set of unique, strong, and well managed passwords. You have one final task. Pull up your contact list and send an email to all the people who you previously spammed with “Help, I’m stuck in London and have no money…” messages and email them a link to this article. There’s a good chance that, like you were, they’re one bad break away from a password nightmare.
Credit for this post goes to the “How To Geek” website at http://www.howtogeek.com/ and:
Jason Fitzpatrick, who is a warranty-voiding DIYer who spends his days cracking open cases and wrestling with code so you don’t have to. If it can be modded, optimized, repurposed, or torn apart for fun he’s interested.
What is Malvertising and How Do You Protect Yourself?
Attackers are trying to compromise your web browser and its plug-ins. “Malvertising,” using third-party ad networks to embed attacks in legitimate websites, is becoming increasingly popular.
The real problem with malvertising isn’t ads — it’s vulnerable software on your system that could be compromised by just clicking a link to a malicious website. Even if all ads vanished from the web overnight, the core problem would remain.
You can certainly use Adblock to reduce your risk, but it doesn’t eliminate the risk. For instance, celebrity chef Jamie Oliver’s website was hacked not once, but 3 times with a malware exploit kit that targeted millions of visitors.
Websites are hacked every day, and assuming that your adblocker is going to protect you is a false sense of security. If you are vulnerable, and a ton of people are, even a single click can infect your system.
Web Browsers and Plug-ins Are Under Attack
There are two main ways attackers attempt to compromise your system. One is by attempting to trick you into downloading and running something malicious. The second is by attacking your web browser and related software like the Adobe Flash plug-in, Oracle Java plug-in, and Adobe PDF reader. These attacks use security holes in this software to force your computer to download and run malicious software.
If your system is vulnerable, either because an attacker knows a new “zero-day” vulnerability in your software or because you haven’t installed security patches, just visiting a web page with malicious code on it can allow the attacker to compromise and infect your system. This often takes the form of a malicious Flash object or Java applet. Click a link to a shady website and you could be infected, even though it shouldn’t be possible for any website, even the most disreputable ones on the worst corners of the web, to compromise your system.
What is Malvertising?
Rather than attempting to trick you into visiting a malicious website, malvertising uses advertising networks to spread these malicious Flash objects and other bits of malicious code to other websites.
Attackers upload malicious Flash objects and other bits of malicious code to ad networks, paying the network to distribute them like they’re real advertisements.
You could visit a newspaper’s website and an advertising script on the website would download an ad from the ad network. The malicious advertisement would then attempt to compromise your web browser. That’s exactly how one recent attack that used Yahoo!’s ad network to serve malicious Flash ads worked.
That’s the core bit of malvertising — it takes advantage of flaws in software you’re using to infect you on “legitimate” websites, eliminating the need to trick you into visiting a malicious website. But, without malvertising, you could be infected in the same way after just clicking a link away from that newspaper’s website. Security flaws are the core problem here.
How to Protect Yourself From Malvertising
Even if your browser never loaded another ad again, you’d still want to use the below tricks to harden your web browser and protect yourself against the most common attacks online.
Enable Click-to-Play Plug-ins: Be sure to enable click-to-play plug-ins in your web browser. When you visit a web page containing a Flash or Java object, it won’t automatically run until you click it. Almost all malvertising uses these plug-ins, so this option should protect you from almost everything.
Use MalwareBytes Anti-Exploit: We keep banging on about MalwareBytes Anti-Exploit for a reason. It’s essentially a more user-friendly and complete alternative to Microsoft’s EMET security software, which is targeted more at enterprises. You could also use Microsoft’s EMET at home, but we recommend MalwareBytes Anti-Exploit as an anti-exploit program.
This software doesn’t function as an antivirus. Instead, it monitors your web browser and watches for the techniques browser exploits use (memory-corruption tricks such as return-oriented programming). If it notices such a technique, it automatically stops it. MalwareBytes Anti-Exploit is free, can run alongside an antivirus, and because it targets the technique rather than a known sample it can block many browser and plug-in exploits, including some zero-days. It’s important protection every Windows user should have installed.
Disable or Uninstall Plug-ins You Don’t Frequently Use, Including Java: If you don’t need a browser plug-in, uninstall it. This will “reduce your attack surface,” giving attackers less potentially vulnerable software to target. You shouldn’t need many plug-ins these days. You probably don’t need the Java browser plug-in, which has been an unending source of vulnerabilities and is used by few websites. Microsoft’s Silverlight is no longer used by Netflix, so you may be able to uninstall that too.
You could also disable all your browser plug-ins and use a separate web browser with plug-ins enabled just for web pages that need it, although that will require a bit more work.
If Adobe Flash is successfully erased from the web — along with Java — malvertising will become much more difficult to pull off.
Keep Your Plug-ins Updated: Whatever plug-ins you leave installed, you need to ensure they’re kept up-to-date with the latest security patches. Google Chrome automatically updates Adobe Flash, and so does Microsoft Edge. Internet Explorer on Windows 8, 8.1, and 10 automatically updates Flash, too. If you’re using Internet Explorer on Windows 7, Mozilla Firefox, Opera, or Safari, ensure Adobe Flash is set to automatically update. You’ll find Adobe Flash options in your control panel or in the System Preferences window on a Mac.
Keep Your Web Browser Updated: Keep your web browser updated, too. Web browsers should automatically update themselves these days; just don’t go out of your way to disable automatic updates and you should be okay. If you’re using Internet Explorer, ensure Windows Update is activated and regularly installing updates.
While most malvertising attacks take place against plug-ins, a few have attacked holes in web browsers themselves.
Consider Avoiding Firefox Until Electrolysis is Done: Here’s a controversial piece of advice. While Firefox is still beloved by some, Firefox is behind other web browsers in an important way. Other browsers like Google Chrome, Internet Explorer, and Microsoft Edge all take advantage of sandboxing technology to prevent browser exploits from escaping the browser and doing damage to your system.
Firefox has no such sandbox, although other browsers have had one for several years. A recent malvertising exploit targeted Firefox itself using a zero-day. Sandboxing techniques built into Firefox could have helped prevent this. However, if you do use Firefox, using MalwareBytes Anti-Exploit would have protected you.
Sandboxing is set to arrive in Firefox after years of delays as part of the Electrolysis project, which will also make Firefox multi-process. The “multi-process” feature is scheduled to be part of the stable version of Firefox “by the end of 2015,” and is already part of the unstable versions. Until then, Mozilla Firefox is arguably the least secure modern web browser. Even Internet Explorer has employed some sandboxing since Internet Explorer 7 on Windows Vista.
Currently, almost all malvertising attacks take place against Windows computers. However, users of other operating systems shouldn’t get too cocky. The recent malvertising attack against Firefox targeted Firefox on Windows, Linux, and Mac.
As we’ve seen with crapware moving over to Apple’s operating system, Macs aren’t immune. An attack on a specific web browser or a plug-in like Flash or Java usually works the same way across Windows, Mac, and Linux.
As posted on How To Geek
Security breaches and password leaks happen constantly on today’s Internet. LinkedIn, Yahoo, Last.fm, eHarmony – the list of compromised websites is long. If you want to know whether your account information was leaked, there are some tools you can use.
These leaks often lead to many compromised accounts on other websites. However, you can protect yourself by using a unique password everywhere: if you do, a leak at one site exposes only your account at that site.
Why Password Leaks Are Dangerous
Password leaks are so dangerous because many people use the same password for multiple websites. If you register for a website with your email address and provide the same password you use for your email account, that email/password combination may be present on a list somewhere.
Crackers can then use this email/password combination to gain access to your email account. Even if you use a different password for your email account, they may try the email or account name and password combination on other websites to gain access to your other accounts.
For example, crackers recently compromised over 11,000 Guild Wars 2 accounts. They didn’t use keyloggers or compromise the game’s servers – they just tried logging in using email address and password combinations found on lists of leaked passwords. Players who reused a password that had already been leaked were compromised. The same will happen for other services that crackers want to gain access to.
How To Protect Yourself
To protect yourself against future leaks, ensure you use different passwords on each website – and ensure they’re long, strong passwords. Otherwise, a compromise at one website could lead to your accounts elsewhere being compromised. While compromised websites will generally inform you of the leak and have you change your password immediately, this won’t help much if you’re using the same password on many other websites.
Remembering unique passwords for all the different websites we use can be difficult, which is why password managers can be so useful. We like LastPass, but many people swear by KeePass, which keeps you in control of your data.
Checking If Your Password Was Leaked
If you’re curious whether your email address appears on one of these leaked password lists, you don’t have to find a shady download site and download the lists yourself. Instead, you can use a tool that quickly checks for you.
PwnedList is a good one. LastPass now uses PwnedList to monitor whether LastPass account email addresses have been compromised. For example, if your LastPass account email address is email@example.com, you’ll get a notification if email@example.com appears on any list of leaked email addresses and passwords. This only applies to the single email address you use for your LastPass account, not every address you have in your LastPass vault.
If you want to check an email address manually, you can use PwnedList’s website. Plug in an email address and PwnedList will tell you whether it appears on any leaked lists. (Note that you can also enter a SHA-512 hash of your email address if you don’t trust PwnedList with the address itself; you can use a tool such as this one to generate a SHA-512 hash. Bear in mind that this is only a modest privacy gain: email addresses are easy to guess, so anyone holding a list of candidate addresses can hash them all and match yours.)
If your email address does appear on a list, don’t panic – this just means you should ensure you’re not reusing the same passwords on multiple websites. If you use the same password everywhere and your email address appears on one (or more) of these lists, you have a problem – you should change your passwords immediately.
LastPass also hosts some tools that allow you to see whether a specific password appears on the leaked lists of LinkedIn or Last.fm passwords. You can actually plug passwords in and see if someone was using them. The results show how weak many passwords are – plug in “password123” and you can see that at least one person was using it as their LinkedIn password.
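The checks described in the two passages above (an email address submitted as a SHA-512 hash, and a password looked up against a leaked list) come down to hash comparisons. The Python below is an added example, not code from PwnedList, LastPass or the original article: it hashes a normalized email address the way a hashed PwnedList query would, looks passwords up against a constructed stand-in for a leaked list (stored as unsalted SHA-1, which is how the 2012 LinkedIn passwords were stored), and goes one step beyond the article with a prefix “range query”, where the client reveals only the first five hex digits of the hash and finishes the comparison locally, so the service never sees the password or its full hash. The leaked sets are constructed for this example.

```python
import hashlib
from typing import Set


def normalize_email(email: str) -> str:
    """Trim and lower-case so the same address always hashes the same way."""
    return email.strip().lower()


def email_sha512(email: str) -> str:
    """Hex SHA-512 of the normalized address, the form PwnedList accepted instead of the address itself."""
    return hashlib.sha512(normalize_email(email).encode("utf-8")).hexdigest()


def password_sha1(password: str) -> str:
    """Unsalted SHA-1: fast and unsalted, which is exactly why such lists crack so easily."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed "leaked" data standing in for a breach-monitoring database.
LEAKED_EMAIL_HASHES: Set[str] = {email_sha512(e) for e in ["email@example.com", "victim@example.org"]}
LEAKED_PASSWORD_HASHES: Set[str] = {password_sha1(p) for p in ["password123", "linkedin", "123456", "iloveyou"]}


def email_in_leak(email: str) -> bool:
    """Membership test on the hash, so the address itself never has to be sent."""
    return email_sha512(email) in LEAKED_EMAIL_HASHES


def password_in_leak(password: str) -> bool:
    """Direct lookup of the full password hash (what the LinkedIn/Last.fm lookup tools did)."""
    return password_sha1(password) in LEAKED_PASSWORD_HASHES


def server_range_query(prefix: str) -> Set[str]:
    """Server side of a range query: every leaked hash suffix under the given prefix."""
    return {h[len(prefix):] for h in LEAKED_PASSWORD_HASHES if h.startswith(prefix)}


def password_in_leak_by_prefix(password: str, prefix_len: int = 5) -> bool:
    """Client side: send only the prefix, match the suffix locally; the service never learns the password."""
    full = password_sha1(password)
    return full[prefix_len:] in server_range_query(full[:prefix_len])


if __name__ == "__main__":
    for address in ["Email@Example.com", "nobody@example.net"]:
        print(f"{address:22} hash {email_sha512(address)[:16]}...  leaked: {email_in_leak(address)}")
    for pw in ["password123", "Myy0vNncg6dlYrbhVjo1"]:
        print(f"{pw:22} leaked: {password_in_leak(pw)}  via range query: {password_in_leak_by_prefix(pw)}")
```

The range query is the design to prefer if you ever build or choose such a service: with a five-hex-digit prefix the server learns only which of 16^5 buckets the hash falls in, and the client does the final comparison.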
Your email account is the center of your online security – websites generally allow you to change your password as long as you can click a link in an email. If someone else gains access to your email account, it can be game over for your other accounts. Read How To Recover After Your Email Password Is Compromised for more tips on protecting yourself.
Bad news first, folks. LastPass, our favorite password manager (and yours) has been hacked. It’s time to change your master password. The good news is, the passwords you have saved for other sites should be safe.
LastPass has announced on their company blog that they detected an intrusion into their servers. While encrypted user data (read: your stored passwords for other sites) was not stolen, the intruders did take LastPass account email addresses, password reminders, server-side per-user salts, and authentication hashes. The authentication hash is what tells LastPass that you know your master password and so may access your account.
According to LastPass, the authentication hashes are hashed strongly enough (salted per user and run through many rounds of a slow key-derivation function) that nobody should be able to turn them back into master passwords or use them to access your account. However, the company is still prompting all users to change the master password they use to log in to LastPass, and a weak or reused master password is exactly what an offline guessing attack on a stolen hash would recover first. If you use LastPass, do this immediately. If you share that master password with any other service, change it there too. Finally, if you haven’t enabled two-factor authentication, do that immediately here.
We’ve talked about what happens if LastPass gets hacked before. As it stands, it doesn’t seem that this hack resulted in any significant data losses for users. However, it’s still important to take steps necessary to protect your account as soon as you can.
Note: It sounds like LastPass’ servers are getting hammered right now, so if your password change doesn’t go through, check back frequently through the day until it does.
LastPass Security Notice | LastPass Hacked
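To show why stolen “per-user salts and authentication hashes” are survivable for strong master passwords and fatal for weak ones, here is an added Python example. It is not LastPass’s code and the construction is an assumption for illustration: PBKDF2-HMAC-SHA256 over the master password with a random 16-byte per-user salt and an illustrative iteration count, not LastPass’s actual parameters. It builds the record a server would store, verifies a login against it, and then runs the offline dictionary attack an intruder holding the stolen records could run, which is the attack the advice to change your master password is guarding against.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Assumed parameters for this example only (not LastPass's real settings).
ITERATIONS = 20_000
SALT_BYTES = 16


def make_auth_record(email: str, master_password: str) -> Dict[str, object]:
    """What a server stores: the email, the per-user salt and the authentication hash (never the password)."""
    salt = os.urandom(SALT_BYTES)
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS)
    return {"email": email, "salt": salt, "iterations": ITERATIONS, "auth_hash": auth_hash}


def verify_master_password(record: Dict[str, object], candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                record["salt"], record["iterations"])
    return hmac.compare_digest(guess, record["auth_hash"])


def offline_dictionary_attack(record: Dict[str, object], wordlist: Iterable[str]) -> Optional[str]:
    """What an intruder with the stolen salts and hashes can do: guess, per user, as fast as PBKDF2 allows.
    The per-user salt means each guess must be recomputed for every user, and the iteration count
    sets the price of each guess; neither helps if the master password is on the wordlist."""
    for candidate in wordlist:
        if verify_master_password(record, candidate):
            return candidate
    return None


# Constructed wordlist an attacker would try first; stolen password reminders make it shorter still.
COMMON_GUESSES = ["123456", "password", "password123", "letmein", "iloveyou", "qwerty"]


if __name__ == "__main__":
    weak = make_auth_record("weak@example.com", "password123")
    strong = make_auth_record("strong@example.com", "Myy0vNncg6dlYrbhVjo1")
    print("login with right password:", verify_master_password(strong, "Myy0vNncg6dlYrbhVjo1"))
    print("weak user cracked as:", offline_dictionary_attack(weak, COMMON_GUESSES))
    print("strong user cracked as:", offline_dictionary_attack(strong, COMMON_GUESSES))
```

Two users who chose the same master password still get different records because of the salt, so a cracked hash is never reusable across users; it is the slow hash plus a master password that is not on any wordlist that keeps the stolen record useless.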
Do advertisements annoy you?
Are you concerned about your privacy when you surf the Internet?
If you answered yes to either of these questions then this list is for you!
Please feel free to click and follow these links to start a whole new Internet experience the way it was meant to be. Using these browser add-ons will protect your privacy and rid you of unwanted advertisements, leaving only the content you wish to view.
Happy Surfing!
Resources to help prevent advertisements & block websites:
How To Block advertisements in Firefox, Internet Explorer, Chrome, and Opera
BlockSite for Firefox
NoScript – NoScript FAQs
NotScripts for Chrome
Karma Blocker for Firefox <- intended for advanced users
Flashblock for Firefox
Block Unwanted Ads with Custom MVPS Hosts File
How to Block a Specific Website Without Software
Resources to help protect privacy:
The Best Browser Extensions that Protect Your Privacy
How to Start Your Browser in Private Mode
DoNotTrackMe <- for Firefox, Chrome, Safari, Internet Explorer on both Mac and Windows
Ghostery <- for Firefox, Chrome, Safari, Internet Explorer and Opera on both Mac and Windows
Free Hide IP
Ghostery is a browser tool which allows you to block beacons, trackers, advertising, analytics and widgets.
– Ghostery download
– Ghostery – How It Works
– Ghostery General Options
– Ghostery FAQs
– How to configure Ghostery to stop Trackers
– Ghostery Community Forum