Apple fixes iOS zero-day exploited in the wild (CVE-2021-30883)

With the newest iOS and iPad updates, Apple has fixed another vulnerability (CVE-2021-30883) that is being actively exploited by attackers.

As per usual, Apple did not share more details about the flaw or the attack(s) exploiting it, and the researcher who discovered it remains unnamed.

But, thanks to security researcher Saar Amar, who analyzed Apple’s patch, we know that the flaw is “a classic integer overflow.”

More details at:

Ransomware Payments Explode Amid ‘Quadruple Extortion’

Two reports slap hard figures on what’s already crystal clear: Ransomware attacks have skyrocketed, and ransomware payments are the comet trails that have followed them skyward.

The average ransomware payment spiked 82 percent year over year: It’s now over half a million dollars, according to the first-half 2021 update report put out by Palo Alto Networks’ Unit 42. As far as the sheer multitude of attacks goes, Barracuda researchers on Thursday reported that they’ve identified and analyzed 121 ransomware incidents so far in 2021, a 64 percent increase in attacks, year-over-year.

Obviously, these are just the major incidents. It is unclear from these reports if the threat to small sites or individual consumers’ computers has continued at the same rate as previously now that there are so many attacks occurring against “big payout” targets.

It’s important to continue to be vigilant on all levels: keep backups (both on site and off site), be careful about what you click on, watch for phishing and consent phishing, use 2-factor authentication where offered, etc.

Full article at

Update: Comedian John Oliver (Last Week Tonight) did a piece on Ransomware on Aug 16. (NSFW, but quite well researched.)

Olympic-themed passwords put people at risk

Beyond using “tokyo” and “olympics” as their passwords, people have been turning to names of athletes, such as “kenny,” “williams,” and “asher,” says NordPass.

Devising passwords for your website accounts is always a challenge. That’s why many people look to current events for inspiration. But that strategy is a recipe for trouble as it often leads to simple and weak passwords, making you easy prey for cybercriminals. A report released Tuesday by password manager NordPass looks at the most popular and weak Olympic-themed passwords floating in cyberspace.

With the Tokyo 2020 Olympics finally being held in 2021 due to the pandemic, people have been cheering on their favorite sports and rooting for their favorite athletes. As the games have created a lot of buzz and excitement, people naturally draw inspiration from them. And apparently that factor carries over into cybersecurity.

The latest research from NordPass shows that people are creating passwords based on Olympic events and athletes despite warnings from cybersecurity experts not to use simple or weak passwords. Among the sporting events themselves, “football” scores the top goal by being used as a password more than 5.8 million times, according to NordPass’ analysis.

“Baseball” hits a run as a password in use more than 4.1 million times. “Golf” putts as a password more than 3.2 million times, followed by “hockey” at 2.6 million times, “tennis” at 1.5 million times and “basketball” at 1.4 million times.

The names of athletes competing in the Olympics also popped up as popular passwords in NordPass’ analysis. Among them, “kenny” appeared 1.3 million times, “williams” more than 1 million times, “asher” 1 million times and “riner” 265,971 times. Other go-to athlete-inspired passwords include “masse” at 261,997 times, “curry” at 196,0165 times, “gonzales” at 194,129 times, “osaka” at 87,725 times, “sindhu” at 84,261 times, “federer” at 82,897 times and “biles” at 57,331 times.

The word “tokyo” was used as a password 231,818 times and “olympics” was used 27,881 times.

Though Olympic fever is all well and good, a line should be drawn in the sand when it comes to celebrating the games through your own cybersecurity.

“These passwords can be cracked almost instantly—that’s the main issue,” said NordPass security expert Chad Hammond. “While it’s amazing to support your favorite sport or athlete, it’s not advisable to take that support to your passwords as it really compromises your security. In fact, even if you don’t support, let’s say, Kylie Masse, but have the same last name as her, don’t use that as your password, as 261,997 people already have.”

Relying on current events to devise your passwords is nothing new.

“Earlier this year, NordPass reported that such passwords as ‘corona,’ ‘lockdown,’ and other words or phrases that have defined our lives in the past year are also used as passwords quite often,” Hammond added. “We’ve also noticed that people often simply use their names, favorite sports teams, or the name of the service they’re registering for.”

To better protect your website accounts with strong passwords and security, Hammond offers the following advice:

  1. Update all your passwords and use unique and complex ones to secure your accounts. Try using a password generator to create passwords that are difficult or impossible to guess.
  2. Use a password manager. Such tools can generate and store passwords. More advanced password managers include data breach scanners that can tell you if any of your accounts may have been compromised.
  3. Use two-factor authentication (2FA) where possible. Whether you rely on 2FA through an app, biometric data, or a physical security key, your accounts will be safer with that extra layer of security.


Don’t Wanna Pay Ransom Gangs? Test Your Backups.

Important article from the ever-insightful Brian Krebs. Though it is geared more toward organizations than individuals, the important point is that it’s critical to know how to restore a damaged system – and how long it will typically take!

FYI, we can usually restore a website to the most recent backup within 10 min (depending on the size of the site, of course). And yes, we have tested! Not everyone’s site, of course, but we’ve done enough site restorations that we’re pretty confident about yours too.

Read the full article here:

Amazon’s Ring is the largest civilian surveillance network the US has ever seen

Ring is effectively building the largest corporate-owned, civilian-installed surveillance network that the US has ever seen. An estimated 400,000 Ring devices were sold in December 2019 alone, and that was before the across-the-board boom in online retail sales during the pandemic. Amazon is cagey about how many Ring cameras are active at any one point in time, but estimates drawn from Amazon’s sales data place yearly sales in the hundreds of millions. The always-on video surveillance network extends even further when you consider the millions of users on Ring’s affiliated crime reporting app, Neighbors, which allows people to upload content from Ring and non-Ring devices.

Then there’s this: since Amazon bought Ring in 2018, it has brokered more than 1,800 partnerships with local law enforcement agencies, who can request recorded video content from Ring users without a warrant. That is, in as little as three years, Ring connected around one in 10 police departments across the US with the ability to access recorded content from millions of privately owned home security cameras. These partnerships are growing at an alarming rate.

Because Ring cameras are owned by civilians, law enforcement are given a backdoor entry into private video recordings of people in residential and public space that would otherwise be protected under the fourth amendment. By partnering with Amazon, law enforcement circumvents these constitutional and statutory protections, as noted by the attorney Yesenia Flores. In doing so, Ring blurs the line between police work and civilian surveillance and turns your neighbor’s home security system into an informant. Except, unlike an informant, it’s always watching.

Full article:

Definition: Credential Stuffing

A hacking technique where login credentials are obtained (often stolen) from one site and used to attempt to log into one or more other services – typically higher-value sites like banks, credit cards, etc.

This is why we recommend that you never re-use passwords.

The video below gives a pretty clear explanation of the problem, and offers some ways around it (password managers, multi-factor authentication, passwordless login). We’ll be covering passwordless login soon…
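From the defender’s side, credential stuffing has a recognizable shape in login logs: one source walks through many different accounts, mostly failing, with the occasional success where a password was reused. The following detection pass over a constructed auth log is an added example (not part of the original post); the log format and the thresholds are assumptions you would tune to your own logs.

```python
from collections import defaultdict

# Constructed sample auth log (not from any real system), one event per line:
# "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2021-08-17T10:00:01 203.0.113.7 alice FAIL
2021-08-17T10:00:02 203.0.113.7 bob FAIL
2021-08-17T10:00:02 203.0.113.7 carol FAIL
2021-08-17T10:00:03 203.0.113.7 dave SUCCESS
2021-08-17T10:00:03 203.0.113.7 erin FAIL
2021-08-17T10:00:04 203.0.113.7 frank FAIL
2021-08-17T10:00:05 203.0.113.7 grace FAIL
2021-08-17T10:00:06 203.0.113.7 heidi FAIL
2021-08-17T10:00:09 198.51.100.4 alice FAIL
2021-08-17T10:00:15 198.51.100.4 alice FAIL
2021-08-17T10:00:20 198.51.100.4 alice SUCCESS
2021-08-17T10:01:00 192.0.2.9 ivan SUCCESS
"""

def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"})
    return events

def find_stuffing_sources(events, min_users=5, max_success_rate=0.25):
    """Flag source IPs that try many distinct accounts with a low success rate.
    A user mistyping their own password hits one account repeatedly; a stuffing
    run walks a leaked list and touches many accounts once each. Each flagged
    entry lists the accounts that DID log in from that source: those are the
    reused passwords to reset and the sessions to revoke."""
    per_ip = defaultdict(lambda: {"users": set(), "hits": set(), "attempts": 0, "ok": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["ok"] += 1
            s["hits"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(s["users"]), "attempts": s["attempts"],
                           "success_rate": round(rate, 3), "compromised": sorted(s["hits"])}
    return flagged
```

The second source (198.51.100.4) hammers a single account and is deliberately not flagged here; that is a different pattern (brute force or a forgetful user) and deserves its own rule.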

The Value of a Testing or Staging Site

A well accepted practice in the software development world is to run major software updates through a series of tests before running them on the live site. This allows the developer to catch as many bugs as possible before putting the changes in front of users. Unfortunately, that’s not a practice that many WordPress site owners employ.

Most WordPress updates come with the standard warning to ensure you have a fresh backup of the site before running them. But the support forums are full of panicking site owners asking for help: “I just updated <WordPress, a theme, or a plugin> and now <some function> is not working! How do I get it back?” So it’s pretty obvious that even that level of caution is often ignored.

Many site hosts (SiteGround, some GoDaddy plans, etc.) offer the ability to create a staging site – essentially a mirror copy of the live site with a different web address – with just a click or two, at no extra cost. Ask your host if that’s available for yours. If your host doesn’t offer staging sites we can set you up with one for a fee – contact us for details.

Ideally, you’ll upgrade your staging site and give it a run through to make sure everything looks right and functions correctly. Check things like menu drop-downs, contact forms, product ordering pages (have a cheap test product as a draft – or use a real product and cancel the purchase afterwards), embedded videos, site banners, as well as the general layout. If anything is broken, get it fixed and re-tested before moving forward. If possible, make those same fixes on the live site before upgrading it.

Once everything checks out OK on the testing/staging site, take a full backup of the live site, then perform the upgrade there and re-test. Sometimes there are bugs which only show up on the live site, despite your having passed all the tests on the staging site!
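The “give it a run through” step above is easy to do inconsistently by hand, and the same checks have to be repeated on the live site after the upgrade. This added example (not from the original post, and not any host’s tooling) turns that checklist into a repeatable smoke test: each path lists the markup it must still contain. The paths and the plugin markers are assumptions; adapt them to your own theme, form plugin and shop pages.

```python
import re
import urllib.request

# Checklist from the post, as (path -> regexes that must appear in the rendered HTML).
# Markers are assumptions: adapt them to your own theme and plugin markup.
SMOKE_CHECKS = {
    "/": [r"<nav\b", r"<ul[^>]*class=\"[^\"]*sub-menu"],  # menu with a drop-down
    "/contact/": [r"<form\b", r"wpcf7|gform|wpforms"],      # a contact-form plugin
    "/shop/": [r"add[-_]to[-_]cart"],                       # product ordering button
    "/about/": [r"<iframe[^>]+youtube|<video\b"],           # embedded video
}

def check_page(html, markers):
    """Return the markers missing from html (empty list means the page passes)."""
    return [m for m in markers if not re.search(m, html, re.IGNORECASE)]

def run_smoke_tests(fetch, checks=SMOKE_CHECKS):
    """fetch(path) -> (status, html). Returns {path: problem} for pages that fail."""
    problems = {}
    for path, markers in checks.items():
        try:
            status, html = fetch(path)
        except Exception as exc:  # host down, TLS error, redirect loop, ...
            problems[path] = f"fetch failed: {exc}"
            continue
        if status != 200:
            problems[path] = f"HTTP {status}"
            continue
        missing = check_page(html, markers)
        if missing:
            problems[path] = "missing: " + ", ".join(missing)
    return problems

def http_fetch(base_url):
    """Build a fetch() for a real staging URL (e.g. https://staging.example.com)."""
    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "staging-smoke-test"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    return fetch

# Constructed responses standing in for a staging site after an upgrade:
# the shop page has lost its add-to-cart button, everything else is intact.
SAMPLE_SITE = {
    "/": (200, '<nav><ul class="menu"><li><ul class="sub-menu"><li>A</li></ul></li></ul></nav>'),
    "/contact/": (200, '<form class="wpcf7-form"><input type="email"></form>'),
    "/shop/": (200, '<div class="product">Widget</div>'),
    "/about/": (200, '<iframe src="https://www.youtube.com/embed/x"></iframe>'),
}
```

Against a real staging site, call `run_smoke_tests(http_fetch("https://staging.example.com"))` before the upgrade (to confirm the checklist itself passes) and again after it, then repeat against the live URL once it is upgraded; an empty result means every page still carries the markup the checklist expects.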

Upcoming API Change Will Break Facebook and Instagram oEmbed Links Across the Web Beginning October 24, 2020

On October 24th, 2020, Facebook will institute a change which removes the ability to easily embed “link previews” on WordPress and many other sites using the popular oEmbed protocol.

oEmbed is what allows you to enter a link in your blog or site and present a preview of the target page.

Possible solutions include plugins such as,