More weak passwords, a key to security and compromised web sites
Welcome to Cyber Security Today. It’s Monday, April 15th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
Trend Micro has discovered a new piece of malware that tries to install a hidden program on your computer to mine for cryptocurrency. So it secretly uses your computing power to benefit a criminal. The best ways for you to avoid being infected are to make sure all your software is regularly updated, be careful about the links you click on in email and the web sites you go to, and use strong, original passwords for logins. What I want to point out is that the attack starts with the malware automatically trying to log in to your computer using a list of common, weak passwords. Here are a few on the list, passwords you must avoid: 123456; password; football; welcome; login; hello; admin; abc123 and keyboard letters in a row, like qwerty. Now, if trying these and other commonly-used stolen passwords doesn’t work, the malware tries more sophisticated login techniques. But if you make it easy for criminals, they’ll take advantage of you. So instead of passwords, create easier-to-remember passphrases. As I’ve said before, use a password manager and, where possible, two-factor authentication.
One way to increase protection is to use a security key fob for two-factor authentication. You insert the key into a USB port in your computer and it completes and verifies the login. The security comes from the fact that the key can’t be tampered with or copied. You can get keys like this from a number of suppliers. Or you’ll soon be able to use an Android phone. This week Google started a beta test letting smartphones running Android version 7 and up be used as security keys for logging into Google services, like Gmail. However, it only works if the computer you have has Bluetooth. That’s because the confirmation signal travels from the phone wirelessly to the device. So if you have a desktop computer this isn’t a solution unless you add a Bluetooth dongle. Otherwise consider a key from Yubico or Google’s Titan key. Here’s a link to an article on keys from The Verge that explains more.
Criminals have found infecting web sites is a good way to spread malware. Last week security vendor Doctor Web said it discovered the official web site of the free video editing software VSDC had been compromised. The result is people downloaded malware that could steal their bank login. Worse, after the company fixed the problem attackers found a different way to compromise the VSDC web site to spread the malware. Apparently everything has been fixed now, but listeners who have VSDC software should use good anti-malware software to scan their systems.
Here’s another recent example: According to Bleeping Computer, a security researcher discovered one of the websites of electronic products manufacturer Uniden had been hacked. The attacker deposited a malicious Microsoft Word file on the page. Anyone visiting the page could have been infected. If it was an infected Word file, victims might have seen a message asking them to turn on “Enable Content.” Unless you are absolutely certain where the file comes from, refuse to do that. Then scan your computer with good anti-malware software. Meanwhile, companies have to do a better job of locking down access to their web sites so they aren’t unwittingly spreading malware.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.