If you have an email address, and you’ve ever used it to register for online services and sites, there’s a good chance you’ve received email that threatens you in some way, and some of it is downright creepy.
This email may refer to your name. It may include a password you’ve used in the past, or even currently. The email may appear to have been sent from your own email address, and may claim to have taken over that email account.
The good news is that very little of what these emails claim is actually true. The bad news is that you still have a problem.
But why does this happen?
It all starts when someone gets careless, or someone else decides that the IT budget is too high.
Imagine that you’re the person responsible for information security at any company that… uses computers (so basically, any company on the planet). Now imagine that you’re bad at your job. Or disgruntled. Or your manager keeps cutting your budget. Inevitably, things start to slide. Security updates don’t get installed. Software that isn’t properly checked for security implications gets installed on company computers. Users don’t get security training. Bad decisions are made, such as not properly encrypting user passwords. And so, the company’s computers, and the data they contain, become vulnerable. Eventually, malicious people figure this out, and through various means — many of which are trivially simple to carry out — gain access to your data. And that data includes information about your customers. That information is then sold online, to other, even less scrupulous people. Brian Krebs documents many of these breaches; here’s one example.
You can find these lists online if you know where to look. Some are only accessible from the dark web. Some are published more brazenly, on easily-accessed public web sites, including Facebook.
Sometimes these lists contain passwords. In really awful cases, the passwords aren’t even encrypted. But usually they are encrypted, which makes them slightly less useful. Only slightly, because many people still use terrible passwords: common passwords, like 1234; passwords that are used by the same person in multiple places; and passwords that are easy to crack.
Any password can be cracked, by which I mean converted from its encrypted form to its original, unencrypted form. Short and simple passwords can be cracked in nanoseconds. Longer, more complex passwords take longer. At any given point in time, passwords that are long and complex enough simply can’t be cracked quickly enough to be worth the attempt. This is a moving target. As computers get faster, the point at which a password becomes worth cracking gets nearer.
These shady lists of users, passwords, and email addresses can be used for lots of things, ranging from merely irritating to criminal. But there’s money to be made, as long as you don’t care about being a world-class asshole.
If you’re an asshole, and you’re looking for an easy way to make money and irritate people, just shell out a few bucks for one of these lists, and download a few scripts that turn that list into spam. Because computers are really good at things like this, you hardly have to do any actual work. Just feed a list into some crappy script, sit back, and watch the money pour in. If you had to do this with paper and snail mail, it clearly would not be worthwile.
A user’s story
Let’s look at this another way: from the perspective of Iam Notreal, an ordinary Internet user. Iam registered for an account at LinkedIn in 2011 using his real name and his NopeMail account, firstname.lastname@example.org. He also used the same password he uses everywhere else: banana1234.
In 2012, intruders gained access to LinkedIn servers and were able to download its user database. The database included usernames, email addresses, and poorly-encrypted passwords. Now Iam’s real name, real email address, and an encrypted form of his one and only password are on a list, and, beginning in 2016, that list is being sold on the dark web to anyone who has a few bucks to spare.
In 2016, Iam starts getting spam to his NopeMail account. Most of it is ordinary spam: poorly-worded appeals to click a link. Occasionally he receives spam that mentions his real name, which is alarming, but not particularly harmful. At some point, Bill tries to ‘unsubscribe’ from what he believes is a mailing list, by replying to one of these spam emails. Congratulations, Iam, you’ve just graduated to a new list, of confirmed, valid, active email addresses. This list will also be sold on the dark web, at a higher price than the original list.
Meanwhile, other dark forces are at work behind the scenes. Someone runs the original list through a widely-available password cracker. This software looks at each encrypted password and attempts to decrypt it based on a set of parameters, including lists of commonly-used passwords. Sadly, Iam’s password is rather short, and contains a common word, and it takes the software about a nanosecond to crack it. Now Iam is on an even more valuable list, which includes cracked passwords.
Fast forward to 2018, and now Iam is getting email that claims to have taken over his email account, or to have video from Iam’s own webcam showing him doing unmentionable things, and it also includes Iam’s one and only password, right there in plain text. Iam is panicked: if the sender knows his password, are the rest of the claims true? He doesn’t know it, but the sender’s claims are bullshit.
As scary as this sounds, it’s only the most common use of lists like these circa late 2018, early 2019. The same information could be used to take over Iam’s LinkedIn account (if he ignored warnings from LinkedIn to change his password, or if he changed it back to the same password), take over his NopeMail account (if he failed to change its password after the LinkedIn breach), or take over any other account that can be found on any other service he uses, once it’s discovered.
Why is that spam coming from my own email address or my own mail server?
Unfortunately, it remains trvially easy to spoof almost all information contained in an email message. Current anti-spam efforts like SPF, DKIM, and DMARC are focused on validation, and there’s nothing stopping anyone from spewing out email with mostly-forged headers. That includes the FROM header, which means scammers can make email look like it came from just about any address they want. Only close inspection of all the headers reveals the actual source.
Why does that spam contain my password?
If a scammer has access to a purloined user list that includes plaintext or cracked passwords, it’s a simple matter of customizing the content of their malicious spam so that the username and/or password vary, depending on the unlucky recipient.
What you should do
Stop using crappy passwords. If you’re not sure how crappy your password is, check it at howsecureismypassword.net. You can also install this extension in your Chrome browser; it will warn you if your password is too weak.
Stop re-using passwords. If site A is hacked, and your password for site A is the same as for site B, you’ll have to change your password on both sites.
Use a password manager. Yes, it’s annoying to have an extra step whenever you want to log in somewhere, but using a password manager means that you only ever have to remember one password. They can also generate passwords for you, saving you the trouble.
Check Have I been pwned to see how many breaches have included your email addresses and passwords.
Sign up at Spycloud to continuously monitor your email address for inclusion in breaches.
Although there are ways to use purloined user lists besides spam, most of the damage we see is related to email.
Despite being really old technology, email has continually improved in terms of security. Newer technologies like SPF, DKIM, and DMARC make it much easier for email providers to determine which email is legitimate and which is not.
You can help by making sure any email domains you manage use SPF, DKIM, and DMARC. If your mail provider doesn’t use these technologies, lean on them to start. If they resist, find another provider. I have several clients who use the business mail service provided by telecom giant Telus here in Canada. Telus farms this work out to a provider in the USA called Megamailservers. The Megamailservers service does not currently support DKIM or DMARC, and there’s nothing on their web site (or that of Telus) about any plans to change that.
Password Management Software
So, everyone should use a password manager. But wait, didn’t I just read that all the most popular password managers can be bypassed very easily? Yup. Opinions vary as to whether the risk of such exploits is significant. From my perspective, the risk is this: yes, a malicious actor needs physical, remote, or programmatic access to your computer to use these exploits. But once they have access, they no longer have to waste time looking for interesting information. All they need to do is look for password manager data and sent it to themselves. That makes their job MUCH easier.
But using a password manager is still much safer than not using one.
Update 2018Jun11: According to the latest report from security researchers at Talos, the list of routers affected by VPNFilter is now much larger. The malware’s capabilities are now better understood, and include the ability to intercept and modify network traffic passing through affected devices. To see the updated list of devices known to be affected by VPNFilter, scroll to the bottom of this page and look for the heading Known Affected Devices.Bruce Schneier weighs in.
Over the last week or so, you’ve probably noticed several stories about some malware called VPNFilter. For most people — and for a number of reasons — VPNFilter doesn’t pose a significant risk. But it’s a good idea to make sure. Here’s what you need to know:
VPNFilter is designed to infect SOHO (Small Office / Home Office, aka consumer-grade) network routers and Network Attached Storage (NAS) devices. It appears to have been active since 2016, and is known to have infected hundreds of thousands of devices worldwide.
Only a few specific router models are known to be vulnerable to VPNFilter, but there may be more. The list of vulnerable devices includes several models from Linksys, Mikrotik, Netgear, QNAP, and TP-Link. If you know (or can find) the make and model of your router, check to see whether it’s on the list.
On May 23, the US Justice Department announced that they had effectively neutered VPNFilter by taking over one of its command and control domains. But VPNFilter remains on many infected devices, as do the vulnerabilities that allowed infection in the first place.
The FBI is asking everyone on Earth who manages or is responsible for any consumer-grade router, to restart it. This will remove the second stage of a VPNFilter infection from a router. It may seem like overkill, but until we have a complete list of vulnerable devices, it’s a risk-free way to disrupt VPNFilter’s activities.
If you think your device has been infected — perhaps because it’s on the list of known affected devices — the only way to fully remove the infection is to reset the device to its factory settings. This sounds simple but can actually be problematic. Resetting a router can cause connected devices to lose access to the Internet, and things gets worse from there. If you want to attempt this, you should first log into your device’s web interface and document all important settings, because you’ll need to reconfigure the device after it’s been reset. Disconnect the device from the Internet before resetting it, because its administration password will be reset to a known default. Change that password as soon as possible after the reset.
If you manage your own router or NAS device, it’s critically important to configure it sensibly. That means changing its default password, and disabling any features that allow for remote (i.e. from the Internet) administration.
A recent Washington Post article is helping to answer some questions about Microsoft’s actions in recent months. Here’s a timeline of events:
2012 (or possibly earlier): The NSA identifies a vulnerability in Windows that affects all existing versions of the operating system, and has the potential to allow almost unfettered access to affected systems. A software tool — an exploit — is developed either for, or by, the NSA. The tool is called EternalBlue. People at the NSA worry about the potential damage if the tool or the vulnerability became public knowledge. They decide not to tell anyone, not even Windows’ developer, Microsoft.
EternalBlue finds its way into the toolkit of an elite hacking outfit known as Equation Group. Although it’s difficult to know for certain, this group is generally assumed to be operating under the auspices of the NSA. Equation Group may work for the NSA as contractors, or they may simply be NSA employees. Regardless, the group’s actions seem to align with those of the NSA: their targets are generally in places like Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.
Early to mid-2016: A hacking group calling themselves The Shadow Brokers somehow gains access to NSA systems or data, and obtains copies of various NSA documents and tools. Among those tools is EternalBlue.
January 7, 2017: The Shadow Brokers begin selling tools that are related to EternalBlue.
Late January to early February 2017: The NSA finally tells Microsoft about the vulnerability exploited by EternalBlue. We don’t know exactly when this happened, but it clearly happened. The NSA was Microsoft’s source for this vulnerability.
February 14, 2017:Microsoft announces that February’s Patch Tuesday updates will be postponed. Their explanation is vague: “we discovered a last minute issue that could impact some customers.”
Late February 2017: The Windows SMB vulnerability exploited by EternalBlue is identified publicly as CVE-2017-0144.
May 12, 2017:WannaCry ransomware infection wave begins. The malware uses EternalBlue to infect vulnerable computers, mostly Windows 7 PCs in Europe and Asia. Infected computers clearly had not been updated since before March 14, and were therefore vulnerable to EternalBlue.
It’s now clear that the NSA is the real problem here. They had several opportunities to do the right thing, and failed every time, until it was too late. The NSA’s last chance to look at all good in this matter was after the vulnerability was made public, when they should have made the danger clear to the public, or at least to Microsoft. Because, after all, they knew exactly how useful EternalBlue would be in the hands of… just about anyone with bad intent.
Everyone involved in this mess acted foolishly. But whereas we’ve grown accustomed to corporations caring less about people than about money, government institutions — no matter how necessarily secretive — should not be allowed to get away with what the NSA has done. Especially when you consider that this is just the tip of the iceberg. For every WannaCry, there are probably a thousand other threats lurking out there, all thanks to the clowns at the NSA.
According to Kaspersky Labs, almost all of the computers infected with WannaCry (WCry, WannaCrypt) were running Windows 7. A small percentage (less than 1%) were running Windows XP.
Microsoft released updates in March 2017 which — if installed — protect Windows 7 computers from WannaCry infections. So all those Windows 7 WannaCry infections were only possible because users failed to install updates. This is a good argument for either enabling automatic updates, or being extremely diligent about installing updates as soon as they become available.
Building on the discoveries of Quarkslab, researchers at Comae Technologies and elsewhere developed a tool that can decrypt files encrypted by WannaCry on Windows 7 as well as XP. The new tool — dubbed wanakiwi by its developers — uses the same technique as its predecessor and has the same limitation: it doesn’t work if the infected computer has been restarted since encryption occurred.
The Register points out that while the NSA was hoarding exploits, Microsoft was doing something similar with patches. Microsoft is in fact still creating security updates for Windows XP and other ‘unsupported’ software; they just don’t normally make those updates available to the general public. Instead, they are only provided to enterprise customers, which pay substantial fees for the privilege. When Microsoft released the Windows XP patch in response to the WannaCry threat, the patch was already developed; all Microsoft had to do was make it available to the general public. Sure, developing updates costs money, and Microsoft wants to recover those costs somehow, but it seems clear that we would all be better off if they made all updates available to everyone.
Bruce Schneier provides a useful overview of WannaCry, and how best to protect yourself. From the article: “Criminals go where the money is, and cybercriminals are no exception. And right now, the money is in ransomware.”
Update 2017May21:Analysts have confirmed that WannaCry’s initial infections were accomplished by scanning the Internet for computers with open Server Message Block ports, then using the EternalBlue SMB exploit to install the ransomware. Once installed on any computer, WannaCry spread to other vulnerable computers on the same local network (LAN). Earlier assumptions about WannaCry using spam and phishing emails to spread were not accurate.
Our advice remains the same: make sure all your Windows computers have the relevant updates installed, including Windows XP. Microsoft’s Customer Guidance for WannaCrypt attacks is a good place to start; there are links to the updates at the bottom of that page. For more information about the exploit used by WannaCrypt, see Microsoft’s MS17-010 bulletin from March 14.
The flaw WannaCrypt uses to infect Windows computers was patched by Microsoft in March, but unpatched computers and those running unsupported versions of Windows were left unprotected.
Microsoft has long since stopped releasing security updates for Windows XP, but WannaCrypt is spreading quickly, and Windows XP computers are essentially defenseless against it. So Microsoft has taken the unprecedented step of publicly releasing an update that protects Windows XP computers from the flaw that WannaCrypt uses to spread.
Techdirt points out that the flaw WannaCrypt exploits was exposed in the recent NSA tool leaks. Which is exactly the problem when security organizations hoard flaws instead of reporting them responsibly.
Update 2017May14: Apparently a security researcher at MalwareTech registered a (previously unregistered) domain used by WannaCrypt as part of his investigation into the ransomware. This is standard practice, because it often allows researchers to gain a better understanding of their subject. Surprisingly, this move stopped WannaCrypt from doing any further damage.
The scourge of ransomware shows no signs of slowing down. A single careless click on a link in an email is all that’s necessary for one of the many varieties of ransomware to install itself and quietly start encrypting data files on your computer, and on any others it can reach. Warning screens like the one above announce the dreadful news: your files are now effectively garbage. Pay the ransom or you’ll never see those files (intact) again.
Assuming you’ve managed to avoid this nightmare, you’re either using strong anti-malware software, or you’ve trained yourself not to indiscriminately click links on the web and in email (hopefully both). Otherwise, you’re probably just lucky. So far, my only encounter with ransomware was a partial infestation of a client PC; the malware was prevented from doing any real damage by antivirus software (Trend Micro’s Worry-Free Business Security for anyone wondering).
The Mirai worm has compromised thousands of IoT devices that were subsequently used in several recent, massive DDoS attacks, including one against the web site of Brian Krebs, well-known security researcher and blogger.
In an appropriately-lengthy post, Krebs describes the process by which he tracked down the identity of the author of the Mirai worm. It’s a fascinating read.
Krebs has published the results of similar investigations in the past, which is why he’s become a target for DDoS attacks, Swatting, and other despicable acts. It remains to be seen whether he will be the target of any new attacks in the wake of his Mirai investigation.
I applaud Krebs’ persistence and dedication in the face of these attacks. Here’s hoping he keeps fighting the good fight, for the benefit of Internet users everywhere.
By now you should be aware that indiscriminately clicking on anything in an email can be dangerous. Even if you know the sender, and the email looks totally mundane, you’re taking a risk any time you do it.
Recently, a particular kind of phishing email is showing up in inboxes everywhere. These emails look completely ordinary at first glance, and they contain what appears to be an attachment.
When you click the ‘attachment’ to open it, your browser is directed to a phony Google login screen. This in itself may not raise any alarms, since Google — in an effort to improve security — often throws extra login screens at us.
Unfortunately, if you fill in your Google username/email and password, that information goes straight to the perpetrators. Almost immediately after that, your password will be changed and you will have lost control of your Google account. If you’re like most people, you use your Google account for numerous Google sites and services, including Google Drive, Analytics, AdWords, and so on. The potential for damage is extreme.
The goods news is that you can avoid being victimized by this attack by doing something you should already be doing: before you click anything in an email, hover your mouse over the link or ‘attachment’. Most useful web browsers and email applications will show you some information about the item, either in a popup or in the status area at the bottom of the app. What you see should provide all the clues you need. If it’s an attachment, it should show you the file name. If it’s a URL, it should show you an ordinary web address that starts with ‘http://’ or ‘https://’.
Hovering over the fake attachment in these phishing emails shows what looks sort of like a URL, but starts with ‘data:text/html’. No valid URL will ever look like that.
This blogger wasn’t careful. He clicked the ‘attachment’, then entered his Google username and password on the fake login page. Luckily for him, the ‘login’ failed, which alerted him to the situation. He immediately changed his Google password, and appears to have dodged that bullet.