Sunday, December 17, 2017

Ransomware hits close to home

Ransomware hits close to home

The county government got infected with ransomware. It can happen in the best of families; it’s just a matter of time before someone gets bit. If you haven’t paid attention because you didn’t know anyone who got it, here’s a quick primer:

What is ransomware?
It’s malware that holds your data hostage unless you pay the perpetrators for the instructions to retrieve it.

I’ve got the best antivirus money can buy. How did I get it?
Usually it is delivered as an attachment or link in a phishing email or web ad. If you click on it, it may request a helper or update to an app like Flash or JAVA. Click again and instead of the helper, it installs the worst class of malware a user will typically encounter.

You were suckered into installing it and you gave it permission to bypass the antivirus.

Then what happens?
It contacts Central Control which gives it a unique identity for you. Then it starts to encrypt all the content accessible to you. That’s all your media, pictures, documents, spreadsheets, emails, financial records, and more. When you look at a file listing; all the files are still there with the correct name, extension, and date. But when you try to open them, they show as “corrupted.” But if you create a new document, all your programs still work.

If you’re on a network at home or at work it will encrypt files shared from other computers too. Not only do you lose everything you’ve done, but your family or coworkers do too. Some versions may also install themselves on other computers or infect attached portable media to share the pain.
Not to worry, though. Every folder contains a text document telling you that your data are safe, it’s just been encrypted. Just send a certain amount of Bitcoin and they’ll give you complete instructions and the key to unlock all your data. Oh, and send the money by this fast-approaching deadline.

Surely I can find a fix online.
Sorry. Killing your data is one thing the programmers did right. It’s as lost as the $100 bill that blew out the window at 60 MPH.

So what do I do?
First of all … If you are aware that you made a mistake hitting the link and something is happening to your files; turn off your computer! Don’t wait for a shut-down, pull the plug! Also, shut down any other computers on your network in case they also got infected.

Now check your other computers. First, turn off your router so they are not connected to each other or the internet. Turn one computer on and check any folder you had network access to for evidence that its files are corrupted. Then do that for each of the other computers on your network. If they all appear clean, you can probably restart your network and the other computers. Do not restart your computer. Disconnect it from the network by pulling the network cable or changing the master password on your WiFi before you do anything else.

What about my computer?
Your concern is your data. Once infected with destructive or particularly malicious malware, the computer can never be trusted again until the disc is wiped and Windows is reinstalled from scratch.
Many computers have a feature accessed from the manufacturer’s boot options screen or a special button at start-up to return to the factory-original operating system installation. If you’re running Windows 10, you can download the Windows Media Creation Tool to portable media for a clean install.

You’ll have to reinstall your applications from their original install media and with their original activation keys.

Then just restore your data from your recent good backup. If your backup is a continuous update, it may include some corrupted files and the original source of the malware. For those files, you will have to restore from a previous backup.
Read more about backups at

Err…; I made a Windows backup when I bought the computer.
At this point you may want to call in professional help. Remember, there is a clock ticking before it’s too late to give in and pay up to the “kidnappers.”

If you shut down your computer before the encryption process got too far along, you may be able to live with the partial loss. But you want to determine if you lost any critical files. And to do that, you need to check the files without starting Windows.

Start your computer from a Linux Live DVD (or flash drive) which should be able to read the files off the Windows drive. If you’re only concerned with standard Office files (such as Word or Excel docx or xlsx), pdfs, pictures and media; the live DVD may be able to display a preview of the standard format. Otherwise, you will have to copy the data to a portable drive to another computer to test whether or not it is corrupted.

If you don’t have the software to check out your files handy on another computer, there may be cloud services that can read your files well enough to ensure they are intact. This might be the case if you use programs like Photoshop, Quicken, or even Microsoft Word. Start with the publisher’s website or for Microsoft Office. Failing that, Google has apps for many file types and viewers for even more.

When everything else fails.
You don’t have a backup. You copied the critical files and they’re gibberish. And, they’re critical enough that you’re willing to pull out your checkbook.

Except you can’t write the hackers a check. Most likely they will demand payment in bitcoin. Bitcoin is an invented “currency” that allows the recipient to be totally anonymous and untraceable. It also has no fixed value. During 2017 (so far) the price to acquire one bitcoin has gone from less than $900 to more than $16,000. That’s over an 18,000% increase. Don’t worry; the cost to get your data back has typically been under $1,000 unless you are a high-profile individual, big company, or government.

There’s still a chance you’ll pay up and get a “dead baby” back. Most hackers absolutely want everything to work properly or they would lose credibility and no one would bother paying them. Unfortunately, the effort to distribute the malware such that it works as intended often exceeds the skill of the criminal who sees it as a get-rich-quick scheme and you still won't get your data back after paying.

Monday, September 11, 2017

The Social Security Number must die.

The Social Security Number must die.

It’s been evident for years, but recent publicly disclosed hacks makes it even more obvious. The 80-year-old Social Security number is no longer appropriate as a special identification document.

When an important device to exclusively identify me is available to just about anyone, it is not an exclusive identifier. If anyone can “prove” that they are me; I can no longer prove my identity, nor disprove what they claim.

The government needs to assign everyone a new Federal Identity Number for use only by people who have a direct tax or Social Security relationship with you. The restriction should include stiff penalties for anyone else who possesses an Identity Number not assigned to them.

Most of the reasons we gave out our SSN a generation ago were never valid. Present technology allows us to prove to someone else that a fact (our identity) is true without revealing that fact to them. Disconnected databases and encryption could allow authorized entities to “use” the identity without possessing it.

Everyone else just needs to find a way to trust that I am me without demanding a common unique secret from me. Marketers and web trackers sure have succeeded.

Update - (quite) a bit late

From:        my doctor’s office
Received:    12/28/2017  4:10 PM EST

Personal identity theft affects a large and growing number of seniors. People age 65 and older are increasingly the victims of this type of crime. This is why the Centers for Medicare and Medicaid Services (CMS) [ie: the federal government] have started a Fraud Prevention Initiative that removes Social Security numbers from Medicare Cards.

Starting April 2018, CMS will begin mailing new Medicare cards, which will include new Medicare numbers. The mailings will be staggered throughout the year, with completion expected by April 2019.

When you receive your new card, destroy your old card and begin using your new one. Present your new card to the office when you are checking in so our staff can enter your new number into our system and make a copy of the card.


Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 4.0 US License. Permissions beyond the scope of this license may be available at
(cc) 2017- Bill Barnes - Disclaimer - Home Page -

Saturday, September 9, 2017

Wednesday, August 16, 2017

The deal about passwords

In August 2017, the National Institute of Standards and Technology (NIST) issued new recommendations on passwords that received significant play in the popular press.

The core of the reportage focused on two points:
• Scheduled change of a password should not be enforced.
• Passwords do not need to be complex if they are long.

That means you can use a password like “Now is the time for all good folk to come to the aid of their party.” instead of “Kk*Uw#eAsk ”. And you don’t have to change it ever.

But removing strict requirements does not mean you have to stop using them. The good practices you’ve already been following are still good.

Is a memorable phrase still memorable when you have a dozen of them for a dozen different sites? And is it really easier to enter 60 letters and spaces perfectly with your thumbs four or five times a day than 8-12 random characters?


We must remember that NIST writes standards for government agencies. If organizations outside the government find their standards useful (such as the amount of coffee in a pound), they are free to adopt them. But NIST password recommendations apply primarily to large organizations whose users log into a small number of services with unique identities.

In reality, most consumers of this news need passwords primarily in the course of business, research, commerce, or social networking on the internet. In a family there may be some sites (such as mail accounts) where every member has their own identity and others (such as a magazine subscription) where they all share a logon. For an active family, the number of identities could add up to hundreds.

Still the best recommendations

The old security rules still apply:
1.    Identify whether a site needs high security or low security.
2.    Identify whether a site’s password needs to be memorable or can be looked up in a secured list as needed. There may be other special needs depending on the use.
3.    Use a unique password for every site that deserves any security.
4.    Every high security password needs high entropy.
5.    Humans are very poor at creating good randomization.
6.    The best practice is to use a well rated password manager.

The “Technology Interpreted”

The popular press, for the most part, are getting it right … as far as they go.

• Requiring ordinary users to change their password every 180 or 90 – or even 60! – days has always been a boneheaded policy. These may be often-used passwords that the users must remember. In that case, the new password is frequently a derivative of past passwords easily deduced from social engineering.

• Choosing a memorable sentence instead of complexity is merely trading the method to achieve the same level of entropy.

There’s that word again: “entropy.” In the context of stealing a password, the assumption is that the only way to crack a logon is by brute force. This is the measure that is given in the discussion of password haystacks ( That is, try every possible combination of passwords from “a ”, “b ”, to “z ”, and then “aa ”, etc.

In fact, a brute force password crack starts with “123456 ”, “password ”, “12345678 ”, etc. It continues through a dictionary of words, sorted by their frequency of use from previous cracks. As the new guidelines and examples come into use, you can be sure the dictionaries will add combinations of words and common phrases to the list. Soon, “now is the time for all good men to come to the aid of their country ” will be in the test right after “monkey ”.

What we really need in passwords

Effective use of a password depends on who’s using it and the effort to enter it. A skilled typist on a full keyboard could enter a 15-word passphrase in 10 seconds. On a phone that same phrase could take excruciating minutes with every character and capitalization another opportunity for error. Worse, in most cases, characters are blacked out so there’s no way to discover and edit errors.

Some logons require a memorable password while others only need to be available for a look up. You want the code to abort the bomb on the tip of your thoughts. But you can trust your video device to remember your streaming account and only reenter the password when the power blinks.

It is critical that every high-value site have a unique, strong password. Ideally, low-value sites should also be unique. The reason not to share passwords is because sites have been known to be sloppy about protecting your password. If a blogging site loses its database and hackers see that has the password 1qaz2wsx (the #15 most common password for 2015 – where’d that come from?); they might also try those credentials at banks and stores.

Two-factor authentication is a system where you enter a second, one-time credential in addition to or in lieu of a password. The most common form of second factor is for a website to send a code to a previously verified text, email, or voice account. You then enter the code to proceed. If you choose to use two-factor regularly, the least secure method is to receive an SMS message on your phone. The best method is with a time-based system such as Google Authenticator.

Final recommendations

• Short or long, choose a password that is appropriate to what you’re protecting.
• Never reuse a password you’re actively using elsewhere.
• If you hear that a site has been hacked or otherwise think a password has been compromised – change it now.
• Use a well-rated password manager and take advantage of all its features.

There are more notes on this topic. Download the document at:


Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 4.0 US License. Permissions beyond the scope of this license may be available at
(cc) 2017- Bill Barnes - Disclaimer - Home Page -

Sunday, August 6, 2017

"Your connection is not secure"

A user asks …
« From time to time I update my notebook, Windows 10, with the usual Windows random updates and some others like Firefox and now I seem to be locked out of accessing most of my favorite sites by Firefox. I can get to them through Internet Explorer and Edge, but I don’t know how to move my favorites file over to either of those two browsers. Anyway, I want to correct my Firefox if I can. I have attached a print screen file to show you what I am getting. »

--- Techy alert – How we know a connection is secure ---
First, some background. More and more websites are available with https secure connections. This is good. At its most basic level it prevents anyone (such as your ISP or the government) between you and the website from seeing what you send out (a search on a touchy topic) or getting back (the newest unreleased tune or TV episode). This is desirable because it protects the privacy of good people as well as bad. It’s even better because when you’re communicating with financial, shopping, medical, legal, and other sites; the enhanced version of https verifies not only that no one can eavesdrop on your conversation, but that the owner of the website is who they claim to be.

Some browsers have announced that they will soon flag any non-https website as potentially risky. They also will scare you if some component, such as a picture, of a truly secure site is not delivered by https. This is a nuisance for many websites, such as my blog, that are not dealing in money matters or confidential information. Fortunately most servers are now able to install basic https with no cost and minimal skill.

When you connect to an https site, you receive a certificate from the site that is validated by a Certificate Authority. If the CA is not built in to your browser from when the browser was installed, you will get a message that the certificate is not recognized. The certificate also has to match specifics to the web page and have appropriate valid dates. For example, if the certificate is issued to and you browsed to, it may not be accepted. Similarly, if it expired yesterday, it may be appropriate but not valid.

Certificates also could be counterfeited, giving you confidence in your session while it’s being managed by a Man In The Middle. The MITM would typically involve malicious action starting at the first connection between you and the internet. For example, an ISP, a business, or a bogus “free WiFi” connection could be reading your session while the lock on your screen is for their own certificate. Protect against this potential privacy leakage by checking the certificate fingerprint you get against a known unspoofable fingerprint from GRC at

--- end Techy Alert – Back to your question ---

Funny thing about that. Welcome to nanny computing. Software from Windows to Notepad to my new car all want to tell you what to do and protect you from skinning your knees. Of course, the first thing they’re going to do is put squirrel guards up so you can’t climb any trees.

I had no problems getting into the website with Firefox 54.0.1 (32-bit) by typing the exact address you had. I also got to their secure (https) homepage by typing in the address bar and hitting Enter. Try starting from that point and working your way to the signin screen. You may need to re-save your bookmark to the screen before signin because for many sites that is not a real web destination, but created on-the-fly for your environment.

By the way, if you click Advanced on the blocked page, you may be able to see why Firefox thinks this site is not good and decide to override their restriction. You want to override only if it shows a trivial error. I consider “trivial” to be something like a recently expired certificate if you trusted it previously or a slightly different domain name such as connecting to and the cert is for Do not trust it if you’re looking for and the cert is for a different extension like!

You can also double-check the cert fingerprint to protect from a Man In The Middle. Go to and enter the exact address between “https://” and the next “/”. Read the details on the page to learn how to find the fingerprint from your session. Sadly Edge does not have an interface to show details of the certificate. Microsoft’s “solution” is to view the cert with Internet Explorer on the same computer. (Opera and Google Chrome use the same certificate store as Edge/IE so, if they say it’s OK, it’s OK in Edge.)

1a) All browsers have some means to export and import bookmarks (favorites), and possibly history and cookies, to and from a file. When you first install them, most browsers will also grab bookmarks directly from another browser in the same session without your needing to export them. Check your browser’s Help pages or your favorite search engine for instructions (always start at the publisher’s site before you go to third-party advisors).

However, most browser settings are user specific. If you’re moving to another computer or a different user on the same computer, you will have to go through the export to file process. Some browsers will sync their settings to other devices – if you’re willing to give a lot of personal information to the publisher.

1b)    While you’re playing with your browsers’ settings, go on and look through the privacy settings. In particular, enable Do Not Track (many browsers leave it off by default) and disable 3rd party cookies and allowing your browser to save passwords. Tracking and 3rd party cookies are just cowardly ways for browsers and websites to make money off you. Browsers have historically poor control over protecting stored passwords. Instead, opt to use a recommended password manager such as LastPass or PasswordSafe.

Open links:
Last Pass


Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 4.0 US License. Permissions beyond the scope of this license may be available at
(cc) 2017- Bill Barnes - Disclaimer - Home Page - Blogs Home

Tuesday, May 16, 2017

The most basic protections

If you haven’t done so since details about the WannaCry ransomware attack started dominating the news cycle, go right now and verify that all your computers have their current software update. That’s not just the computer you’re sitting at, but the rest of your family’s computers, your office mates’, and especially the 10-year-old computer in the spare room that you use to download pictures off the old video camera.

Start with any updates for your operating system. Microsoft sends updates the second Tuesday of every month and occasionally a special update in between. These automatic updates frequently require an irritating computer reboot that comes just as you’re completing a critical project. Search for “Windows update” from the Windows search bar in or near the Start button to verify you're up-to-date. Do not use web search as those may include ads that may give you malicious results. Always install all important updates and any Microsoft Office, Defender, or Security Essentials updates that apply to you (you don’t need to install language packs or other unusual accessories).

Now check that your other software is up-to-date, starting with your web browsers and document viewers. Many programs include a “check for updates” link under the Help menu. Unfortunately, few notify you or install updates automatically. Some may even want to charge for an update or new version.

If you find that you have Java from Oracle installed, be sure it is up-to-date. If you find Flash or Shockwave from Adobe, uninstall it now. Flash has officially been declared obsolete and will be abandoned by Adobe. Any computer that still has it will be vulnerable far into the future.

Other details

If you leave your computer running all the time the Windows and antimalware updates will usually be installed automatically including automatically rebooting. But still verify the installation monthly.

Although they may not be susceptible to this attack, don’t forget about the computers in your purse or pocket. Apple is pretty reliable at getting the latest software to i-devices as soon as it’s available. Android users aren’t as lucky since updates have to be mediated through Android, the device manufacturer, and then the carrier before they get to you. Apps may get updated frequently or never and can have less-than-desirable actions even when functioning as intended.

Many devices that users don’t think about as “computers” also need frequent updates. If you have a computer professional, they should be aware of the risks posed by equipment such as routers and WiFi. At home you may find that equipment such as DVRs, streaming media, security systems, and personal assistants also pose a risk to your personal information or the internet.

Thursday, April 13, 2017

Protecting your data in transit

Data In Transit – Data At Rest

I recently received this question from a user:

Especially given the new anti-privacy laws. Is there a way to encrypt your data to avoid it getting sold to the highest bidder. I already have everything on Google drive, for the most part. It makes it easy since I have so many computers where I do my work and I travel a lot, which increases the likelihood that I lose a laptop or tablet.

Someone mentioned a VPN. I have one for work. Is it worth getting a VPN for personal use to guard my privacy?

Here's my response:

First of all, congratulations on being aware of these issues.

Second question first:
Protecting your data in transit.

The world as of 1/1/17:

When you interact with websites over HTTPS (such as financial, shopping, legal, and more every day), your communications are encrypted both ways between your browser and the remote servers. The encryption is good (and evolves as the attacks grow more capable) such that anyone tapping the communication can’t read your credit card number. This is why some industries such as health care and legal, by their professional ethics rules, can use email only to alert you to go to your account on a secure portal to read any substantive communication.

The risk is if an untrusted party controls a segment of the communication pathway between you and your destination. This “Man In The Middle” can then feed you a bogus certificate that encrypts your data so he can read it as it goes by. The most common scenario for the MITM is to offer public WiFi in a situation that you should be expecting it. He could create his own hotspot named “coffeeshop” or “hotel” sitting at the next table or nearby room and induce you to use it rather than the authentic hotspot.

The world today:

Recent rumblings in Washington imply that any US internet provider (ISP) will be allowed to act as an MITM. Previously they have at least been on their honor to read and record only the information required to pass your communication on its way towards its destination. Now they may track the contents of your communication and sell what they learn about you to whatever market is interested in it. This can be particularly valuable, or noxious, depending on your viewpoint because they already have a lot of personal information about you such as your name, address, telephone, and creditworthiness and can attach that to your browsing details.

Even worse, they could attach to their terms of service that you must install their master certificate to your system so they can even look into your HTTPS communications. Presumably, you could opt out of this tracking for an additional cost.

This is where the VPN comes into play. When you install a VPN on your computer, you originally received their certificate through a reliable channel. By contrast, when you browse to an HTTPS site you receive a certificate on the fly and would have to examine it in detail every time to ensure its validity. Updated browsers will alert you if there seems to be a problem with the cert, but few people understand what the problem might be or how to validate it so they just accept it anyway.

Having made a verified connection to the VPN, you then send your data directly through an encrypted link to the VPN’s connection to the internet whence it continues to its destination. This method is comparable to handing a letter to the agent in the post office rather than clipping it to your door and hoping that the person who picks it up is a trusted mail carrier. (When you use a VPN to your office, the endpoint is the office network and you are able to function as though you were sitting at your desk in the office.)

The Opera browser includes the ability to connect directly to a VPN for all your browsing. (Enable it from the Settings menu in the Privacy & security section. You then turn it on or off and choose the location of the exit point from a button in the address bar.) This VPN only protects your data that is going through the Opera browser. If you use another browser, an email client, or other app such as messaging, file sharing, or media streaming; you are not protected.

To protect all your internet traffic you need to use a VPN that is installed in the operating system like any other program. You may set it to start at your computer’s boot up or turn it on whenever you are away from a trusted internet connection. If you have a company VPN you can probably access the internet through it and not need another installed VPN. (Be aware, though, that the company VPN, especially from a company computer, means they are a trusted MITM if you use it for personal communications. Even if they don’t decrypt all of your traffic [which is the case frequently to protect their computers and network from malware], they are still seeing your metadata such as that a large file was transmitted to their competitor.)

Using a VPN may impose a degradation of your communication speed or latency. This would be most noticeable when transferring large files or with real-time applications such as gaming, voice or video chat, or remote computing. Such issues should be less significant with a paid service. The only installed VPN I’m familiar with, which came highly recommended, is proXPN at

Aren’t you glad I answered the easy question first?

Next comes …
Protecting your data at rest.