Whew! At Least Hackers Didn’t Get My Yahoo Password… Or Did They?

When Yahoo admitted that the 2013 breach of their site exposed the personal information of all 3 billion users of its email service, many people in the cybersecurity community were probably not surprised. Yahoo has been periodically updating the extent of the breach ever since it occurred, and, if it weren’t for Verizon, which recently took over the company, we may have never known the full extent of the breach. Verizon deserves some credit for trying to start over with a clean slate, though it may take them a while to shake off the Yahoo legacy.

Many users, however, probably took solace in the information that their passwords were not stolen. There was probably a huge sigh of relief followed by the usual ‘it’s-only-some-personal-information-so-what’ defense. I have written elsewhere about the short-sightedness of such a defense. A criminal possessing your personal information could subject you to, at the very least, spamming attacks which, of themselves, could be used to compromise your device and network. At the highest level, you could lose your identity and the contents of your bank account.

Besides, it is not precisely true that passwords were not stolen in this breach. That’s actually a semantic construct. Passwords, in their pure, readable form, are stored on very few sites. Most passwords are ‘hashed’ before they are stored. An algorithm is applied to your password to transform it into a unique string of characters. It is this hashed string that is stored, not your password. When you sign into your account, the password you signed in with is again hashed and compared with the stored hashed password. If the two match with your username, you are allowed to proceed. A person who has only your hashed password cannot perform a reverse operation on it to get the original unhashed password. Sounds pretty good, right?

Yahoo claims that it stored passwords using the MD5 algorithm. Is this good or bad? It is better than the worst hashing algorithm but far from the best. When hackers get a hashed password, they can simply guess at the password it was based on. That’s why simple or often used passwords are easily guessed. Here is an example.

The MD5 hash of the password, ‘password’, is:

5f4dcc3b5aa765d61d8327deb882cf99

How do I know? Easy. I just go to this website, type in the password I want hashed, and get the hash created by the MD5 algorithm. Thus, I can use this information to search a list of hashed passwords to see how many accounts are using the password, ‘password’. You can imagine that hackers have already created lists of the most common passwords based on pre-computed hashes. These are referred to as “rainbow tables”.

So, if I take the hashed password I created above, I should be able to find it in a rainbow table. To test this out, I went to this site and typed in the hash. It returned this result:

[Image: hashed password]

Apparently, the hash was correctly decoded.

Yahoo admitted that it was using MD5 hashing when it was hacked in 2013 but claimed that it soon after changed to bcrypt hashing, which is much more secure. However, if users have not changed their passwords since the original hack, it is possible that hackers already have access to their accounts. More disconcerting is the fact that experts think that between 800 and 900 million passwords could have been decoded within weeks of the breach and before bcrypt was implemented. In short, if you haven’t changed your password since the initial breach, you are still in danger. And remember, if you use the same password, or simple variations on it, on other accounts, those accounts, too, are in danger.

It is also important to note that, although bcrypt is much more secure, it is not foolproof. It adds a random string (a salt) to each user’s password before hashing, which makes a rainbow table impossible to construct, as each user ends up with a different stored hash even if the password they use is the same. Bcrypt’s other secret is to use time against a hacker: its designers built in a deliberately slow, repeated hashing loop (a configurable work factor) that slows down anyone trying to test guesses against a large number of hashed passwords.

A bcrypt generator for the password ‘password’ gives this much more complex result:

$2a$06$ULkSAs1GAVnw5cbySepKo.ouITCgQGYWfN10YPKEpd8gXtQT6hDOS

I can see if the hash matches the password by going to this site. If I compare a known or guessed password to a bcrypt hash, I get this result.

[Image: bcrypt]

Sadly, this would only give me the password for one user, not for every user who uses the same password. However, if a hacker hacked a site and only found a database of bcrypt hashes, they could use this information to see if a password that they already know for a user (username) on one account is being used on another account. (Keep in mind that credit card information is also hashed on most sites, but that’s a different discussion.)
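To make both halves of this argument concrete, here is an added Python example (not code from the original post) that builds a tiny precomputed MD5 table from a constructed wordlist and matches it against a constructed set of leaked hashes, then shows the salted, deliberately slow alternative. bcrypt is not in Python’s standard library, so the second half uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in; the wordlist, the 200,000-iteration work factor and the “leaked” hashes are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a "most common passwords" wordlist (not a real leak).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "football"]

def md5_hex(password):
    """Unsalted MD5 hex digest, as in the post's example."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def build_lookup_table(wordlist):
    """Precompute hash -> password once. This is the rainbow-table idea in miniature:
    because MD5 is fast and unsalted, one table works against every site and every user."""
    return {md5_hex(word): word for word in wordlist}

def match_leaked_hashes(table, leaked_hashes):
    """Map every leaked hash found in the table back to its password.
    All accounts using 'password' share one stored hash, so one lookup finds them all."""
    return {h: table[h] for h in leaked_hashes if h in table}

# --- Salted, deliberately slow hashing ------------------------------------
# bcrypt is not in the standard library, so PBKDF2-HMAC-SHA256 from hashlib
# stands in for it here; it has the two properties the post attributes to
# bcrypt: a random per-user salt and a configurable work factor.
ITERATIONS = 200_000  # assumed work factor for this example

def hash_password(password, salt: Optional[bytes] = None):
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)

def same_password_different_hashes(password):
    """Two users choosing the same password get different stored values, so a
    precomputed table cannot be reused and each account must be guessed at separately."""
    _, first = hash_password(password)
    _, second = hash_password(password)
    return first != second

if __name__ == "__main__":
    # Constructed "breach dump": three users, two of whom chose 'password'.
    leaked = [md5_hex("password"), md5_hex("password"), md5_hex("a-long-constructed-passphrase")]
    table = build_lookup_table(COMMON_PASSWORDS)
    print(match_leaked_hashes(table, leaked))          # {'5f4dcc3b5aa765d61d8327deb882cf99': 'password'}
    print(same_password_different_hashes("password"))  # True
```

Running it prints one recovered password that accounts for both weak accounts, then True for the salted scheme. The per-user salt is what makes the second scheme immune to a shared table, and the iteration count is what makes every remaining guess expensive; the page’s point that a site must also make sure old MD5 hashes are replaced (not just new passwords) follows directly, since the table keeps working against anything left in the old format.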

The other disconcerting news concerning the Yahoo hack is their admitting that “in some cases, encrypted or unencrypted security questions and answers” were compromised. It is easy to see that anyone obtaining the answers to your security questions could reset your password and take control of your account. Even if they didn’t have the answers directly, they may be able to use the personal information they stole to compromise your account.

So, should you be breathing that sigh of relief that your Yahoo password was not stolen? I would suggest you go to the Have I Been Pwned? website and type in your Yahoo email address. If your address shows up as having been pwned and you haven’t changed your password since 2014, change it. Make it 16 characters long (as in a phrase that’s easy for you to remember) and you don’t need to worry much. In fact, even if your account doesn’t appear as having been hacked and you use a shorter password, change your password for your own peace of mind.


Recent DHS and FDIC Hacks Indicate the Need for More Innovative Security Solutions

The bigger the organization, the slower it adapts to changes and challenges, and no organization is bigger than the U.S. government. So, when I hear news of the DHS or FDIC being hacked through careless or vindictive employees or that the White House’s Chief of Staff, John Kelly, had his smartphone compromised for months before it was discovered, I am no longer surprised.

The DHS was purportedly compromised when hackers used Kaspersky antivirus to steal top secret documents from an employee’s home computer; a computer he should not have been working on with such documents. We have no information on whether or not this computer was an endpoint on the DHS network, but if it was, then the DHS network could easily have been penetrated.

Kelly’s smartphone was compromised last December, which could go a long way towards explaining why leaks were emanating from the White House. It is highly likely that, if Kelly’s phone was accessed, it could have been turned on to record meetings, take photos, read emails, and listen in on phone calls, among other things.

[Image: Kelly phone]

According to one source, “It’s not known which brand and model of phone is involved, but Kelly is seen using an iPhone in a number of photos, including the AP shot by Susan Walsh above.” There is a mistaken belief that iPhones are safe from attacks that employ remote access trojans (malware that can take full remote control of a device), but there is a good reason why the government prefers Android phones. Well, actually, there is only one good reason. Apple denied the U.S. government access to the details of its operating system while Android (Google) agreed to work with them. Nonetheless, both systems have been hacked and continue to offer bad agents portals through which government networks can be penetrated.

Adding to the bad news for government agencies is a new report from the Office of Inspector General that the FDIC had been hacked 54 times between 2015 and 2017 and the personal information of over 113,000 individuals was stolen. This information included “names, telephone numbers, home addresses, social security numbers, driver’s license numbers, dates and places of birth, credit reports, education and employment histories, and the results of background checks”. What’s worse is that it took the FDIC an average of 9 months to inform those affected, if they were informed at all. According to a report on the incident by ZDNET, “at least seven of the incidents occurred when outgoing FDIC employees left the agency with downloaded files of personally identifiable information, including Social Security numbers and loan and banking information of US citizens.” Ugh.

There seems to be a common weak point underpinning all of these attacks: rogue or careless employees. Some were knowingly or unknowingly undermining instituted security policies while others were intentionally leveraging their insider position for personal or political gain. Some have yet to be discovered but, without a doubt, they are out there.

Worse yet is that even those who should know better have been hacked. You would think that the heads of major government agencies would be more wary of being attacked than others, since they hold the keys to the most sensitive information, but this simply does not seem to be true. Kelly is not alone in his careless or cybersecurity-naïve behavior. Other major government leaders to be hacked include:

Director of National Intelligence James Clapper
CIA Director John Brennan
Homeland Security Secretary Jeh Johnson
Former Secretaries of State Colin Powell and Hillary Clinton.
and let’s not forget all of the members of the DNC.

What this means is that government agencies will always be trapped between two unavoidable facts. First, there will always be rogue employees no matter what regulations are put in place. Some are wittingly malicious, like the leaker, Reality Winner, and some are unwitting victims, like John Kelly. The second unavoidable fact is that all personal devices and all agency endpoints can be hacked by skilled hackers. IT teams are then faced with a seemingly unresolvable dilemma: a dilemma that must understandably make many IT staffers want to give in to despair and hopelessness.

The problem is that, no matter what the breach, government agencies respond with the same counter strategies which normally amount to more regulations on employee behavior, more device management, and more layers of software security. These will all work for a while, but they are all destined to fail over time. However, there is another way to look at this problem which may hold a solution.

Let’s make a wild, yet valid, assumption. Let’s just assume that employees will not follow all regulations to the letter. Let us also assume that all devices will be hacked. In fact, let’s not even worry about this at all. Just let employees be imperfect and hackers be, well…hackers. But let’s put one caveat into the mix. Suppose we design a device’s architecture in such a way that it has two separate operating systems that cannot directly communicate with each other. That’s right: two separate operating systems on the same device. This could be accomplished through hardware separation, not through the pseudo-separation found in numerous varieties of sandboxes, since those strategies are really software solutions that share the same hardware architecture. It is no secret that sandbox mechanisms have been successfully hacked.

In true hardware separation, employees can do whatever they want on one side of a device but, if they want to work on sensitive material that may be connected to a government or corporate network, they must work on the other side of the same device. Here is such a technology as developed by InZero Systems. Notice that each side has its own kernel. In other words, it is true hardware separation.

[Image: workplay phone]

Since malware is software, it must use available software resources on a device to begin an attack. If the hardware barrier is well-constructed, the malware will not be able to make the breach into the other operating system on the device. In fact, it may not even be able to detect that the device has another operating system. Here is what could happen if the normal user side of such a device was attacked. (Of course, most users would want to use good security on the open side of the device, but attacks can always happen.)

[Image: workplay system]

The extent to which the work side of the device is exposed to attack depends on what network policies are instituted. The work side could be completely shut down with no internet access or it could be allowed to access trusted sites. The WorkPlay Technology shown above includes a hardware-connected virtual machine on the work side which prevents even the most sophisticated malware from communicating with its C&C servers, as always occurs in a remotely controlled attack.

The responses to breaches on government agencies have always followed a predictable pattern. Maybe it’s time for the government to seek solutions that are more unconventional, less predictable, and more up-to-date. After all, what have they got to lose that they haven’t already lost?


NFL Controversy Threatens Sponsors and Teams with Fake News and Cyber Attacks

The red line has been drawn. There seems to be no middle ground in the NFL-Anthem controversy. And where there is controversy, there is Twitter. And where there is Twitter, there are trolls, hackers, and fake news generators.

The Washington Post has already echoed comments by Sen. James Lankford (R-Okla.) claiming that Russian trolls are “hash-tagging out ‘take a knee’ and also hash-tagging out ‘Boycott NFL’ ”. Lankford is a member of the Intelligence Committee so his remarks can’t be casually set aside. He’s right in asserting that Russian trolls like to ramp up controversy in the U.S. to either distract from other issues or simply to muddy the political waters and make the U.S. look bad. However, he is wrong in asserting that all such sites are Russian-based. In fact, #BoycotNFL seems legitimate. There are numerous Twitter accounts being formed in support of both sides in this debate, but, as of this writing, the anti-NFL sites have an overwhelming edge. Are some of these accounts fake? Probably, and it is probably in the range of 20-30%, if not more, but that still gives these anti-protest sites a decisive edge.

The official NFL Twitter account is, for the most part, acting like it’s just business as usual. The only exception being an anemic tweet on the Cowboys-Cardinals game, stating that the two teams, “shared a moment of unity on the field.” The tweet received far more criticism than support. Even tweets asking fans to vote for the “Air Player of the Week” received responses like, “Does it matter anymore?”

So, in this time of controversy, the fake news squad is bound to step in. Monetizing controversy is what fake news is all about. Fake news actors depend on clicks to get paid. They don’t really care if the news is fake or not as long as they get people clicking on it. They thrive on controversy, so be careful of what news you click on: it may not be real, although it can often be designed to look like it is.

For example, a recent news story claimed that Budweiser had cancelled its advertising support for the NFL. The story was not true. However, when I visited the @budweiser site on Twitter, here is what I found.

[Image: bud twit]

Seems suspicious to me, even though it is a verified account (note the blue check). Has the account been hacked? Well, either it has or Anheuser-Busch has made a novice marketing mistake by not claiming the @budweiser account for their own. The reason I believe it was purposely taken over can be seen in the link it gives to “budwesierUSA”. There is an official site called budweiserUSA but there is no site like the one they list. This seems like a clear attempt to try to legitimize a fake site. But why?

It’s possible that I stumbled upon this site before it could do what it is designed to do: tweet fake news. That said, a link to this fake site has already appeared in a recent Anheuser-Busch retweet.

[Image: anheuser ad]

Checking the archives for this site shows that all references to it now point to the new fake site. This means that it was, at one time, a legitimate site associated with Budweiser. All tweets from this account, however, have been deleted. It is, therefore, ready to be deployed for nefarious purposes.

Have you seen the following news flash?

[Image: goodell resigns]

Probably not, because I just made it up. I did have some help from a website called Break Your Own News, which gives you an easy template to work with. Not only that, you can distribute your news immediately as links to Facebook and Twitter are conveniently placed below your creation. Actually, there are many sites that will help in the dissemination of false news. I can almost guarantee fake news will proliferate. For example, did Michael Bennett of the Seahawks really burn the American flag as has been reported on some sites?

[Image: bennett flag]

Actually, no. The picture was constructed from a picture of Michael Bennett doing a post game victory dance. Yeah, I’m not sure which one is more embarrassing.

[Image: bennett dance]

It will also be just a matter of time before sponsors feel the brunt of this wrath in the form of hacks that will likely take the form of DDoS attacks. In other words, official NFL sponsor sites will be knocked offline by having their servers overwhelmed by requests. This could be very costly for these firms. It will take a while for hackers to organize such attacks, but they are looming. I say this because I have never seen such a tirade of abuse hitting these sponsors. (Note: Just after writing the above, the following story surfaced. “Anheuser Busch’s consumer help line temporarily went down Friday afternoon. A company representative says there was a high volume of calls from a social media campaign.”… Didn’t I tell you?)

But does it matter in the long run? Most sponsors are either keeping silent or voicing platitudes that try to put them into some middle-of-the-road position. Unfortunately, in this controversy, there really is no middle-of-the-road position. Most are hoping that the storm will blow over, as it usually does. One writer on market investing sweeps aside these initial protests. “Pro football is our nation’s most popular sport. I’m supposed to believe that Americans will tune out altogether and boycott NFL sponsors? Yeah, right!” This attitude seems to be flying in the face of recent polls like the one below from Yahoo Finance.

[Image: yahoo poll]

I suspect the investment writer is only partially correct in his assessment of the climate surrounding this controversy. Fans may or may not continue to view games, but they are more likely to view them on TV. Some will not forget the protests and may make an effort to stop supporting NFL sponsors. Others will do so only temporarily. But these protests are likely to flare up again the next time an incident occurs that hints at an unjustified police action against a member of a minority group. If the time between such cycles decreases, sponsors could, indeed, be hurt by repeated boycotts, hacks, and fake news. It looks like tough times ahead for the NFL and its sponsors.


Has the Budweiser Twitter Account Been Hacked?

I was researching fake news related to the NFL-Anthem controversy today and decided to check in on tweets related to NFL sponsors. Most had taken a middle-of-the-road position in a conflict that is not allowing a middle-of-the-road position.

When I checked to see how Budweiser was responding to numerous attacks, this is what I found.

[Image: bud twit]

Notice that the account is verified. So what’s the deal?

I checked an associated site, @BudweiserUSA and the latest tweet was this.

[Image: bud lyft]

However, the @Budweiser link goes to the account shown above. Although not yet reported in the news, at least not that I could find, either their main account has been taken over or it is being set up to send out fake news. Just read the comments on this tweet to get an idea of what pressure Budweiser is coming under from irate NFL fans.

Their associated site, @Anheuser-Busch is operating but is under a similar attack. Their last tweet

[Image: anheuser diversity]

produced a tirade of angry responses. Here is an example of one of the nicer ones.

[Image: anheuser]

Well, you get the picture. I could not get the Budweiser page to completely load, which could be a sign that they are experiencing heavy traffic.

I sent Budweiser a message but was told the reply would come in a week or more.

In the meantime, don’t trust any news you hear from Budweiser, especially negative news. This all may just blow over but, for now, all news emanating from sites related to NFL sponsors should be treated with caution.

A complete post on this situation will appear in the near future.


The LinkedIn Job Scam

If I wanted to hack into a particular corporate network, I would begin by visiting LinkedIn. LinkedIn is like a menu for hackers. I simply type in the name of the company network I want to break into, and I will find a list of people who work for it. In other words, I’ll have information about an endpoint: a possible doorway into the network.

Let me give you an example. Suppose I want to get into the IBM network. (I chose this completely at random.) First, I would find a list of IBM employees on LinkedIn. Next, I’d have to vet this group. I don’t want to attack someone in security. I want to find someone who has a better chance at not being so knowledgeable about cybersecurity. Sure, I may be wrong, but I have to play percentages here. Using these parameters, I found an IBM marketer (who I will not name here). She gave me a lot of information about herself including the places she used to work and people who worked with her and endorsed her.

Through a Google search, I learned that IBM has an online employee information finder and, from her LinkedIn information, I knew enough about her to use it.

[Image: ibm search]

Since LinkedIn had told me the geographical location where she worked, I typed in the information and received an email address and a phone number.

[Image: ibm results]

A reverse phone number search confirmed that this was a personal phone, which means I could use the phone number to reset her password on some social media sites that use two-factor authentication (2FA). However, that was not what I wanted to do. (See this post to see how this is done.)

My priority was to find as many contacts as I could. Of course, I could use those people who worked with her and endorsed her on LinkedIn, but Google helped me find her Twitter account and a list of followers. I also found her address, interests, and her political affiliations and donations. I found her Instagram account and her blogs. In short, I now had enough information to design a good spearphishing email. I could make it look like it came from one of her friends or co-workers. Since Instagram and Twitter showed me where she was and what she was recently doing, I could refer to this information in the email to make it seem even more valid. I could then attach a link to some ‘photos’ or an attachment of some photos or documents. Of course, this would get her to install malware on her computer and, hopefully, get me into the IBM network.

My biggest problem would be for IBM to allow my email onto its network through her IBM email address. This would not be a problem if I could install malware directly on her phone, since it is apparently connected to the IBM network. There are numerous ways to install malware on any phone that I already know the number for, but they are too many to outline here. Those interested can check out this article.

The LinkedIn Job Scam

If you’ve ever been down and out and looking for a job, you’ll grasp at any straw that comes along. If someone gives you a job offer that looks even close to legitimate, you’ll do whatever it takes to get it. Well, if I were a hacker, I could take advantage of this state of mind. Imagine if I could get a list of people who want jobs. Imagine what I could make them do to get a job. I could ask for personal details. I could lead them to websites to fill out forms. I could get all kinds of personal information because these are desperate people and desperate people will readily give up security concerns for subsistence.

But does LinkedIn have a database of people who are actively seeking employment? Yes, but it’s not easy to find. First of all, the job seeker has to make it clear that they are actively seeking work. To do this, they have to go to the main ‘Jobs’ page. Near the top of the page is an option to “Update career interests”. Doing this will lead you to the “Career interests” page, where you will see the following.

[Image: linkedin recruiters]

When you slide the button to ‘On’, recruiters will see that you are open to receiving job offers. LinkedIn arranges it so that your current employer and those connected to it do not see that you are openly seeking new employment.

The catch is that, for recruiters to see people openly seeking employment, they have to use the paid service called LinkedIn Recruiter. However, the cost is not prohibitive (and it is occasionally offered as a free trial), and nothing would stop a dedicated hacker, especially one with the backing of a nation-state, from setting up a fake account as a recruiter and paying the small fee to obtain a list of good hacking targets. Others have claimed that hackers will use other job-seeking websites to find names and then cross-reference them on LinkedIn as preliminary preparation for a LinkedIn-based attack.

The latest job scam uses fake recruiter profiles that look exactly like the profiles of real recruiters. The reason that they may look exactly like real profiles is because they have copied the profiles of actual recruiters. In other words, checking the profiles of the people who send you job offers won’t help. They will even use corporate logos and other information to make their profiles look legitimate. In any event, the fake recruiter will tell you that you should send them a resume or visit a site where you can fill in a form. The form will ask you for a lot of personal information which may even include your social security number. Some will ask that you send them a training or application fee. (To learn more about fake recruiter profiles, read my post, How Many of Your LinkedIn Contacts are Fake and What Do They Want From You?)

So if fake recruiters are so difficult to spot, what can you do? The Better Business Bureau suggests you ask for a phone interview or, at least, a chance to talk with them via phone. Most fake recruiters will avoid all phone contact and will make repeated excuses as to why this cannot happen. Phoning them would put you in control and they may not be able to answer any more technical questions you may ask. If you have connections in common, (and this is likely) check with these connections to see what they know about the recruiter. Don’t pay any money up front, even if the job seems legitimate. This includes any affirmation that you will be reimbursed later.

Don’t discount the motive of revenge lurking behind such offers. One victim reported that he quit his well-paid job because he was offered a better job through LinkedIn. He later found out that a former colleague was behind the scam. That said, however, most scammers are just out to get your personal information; obtaining it allows them to monetize that information or use it to infiltrate a corporate network, as I outlined at the beginning of this article.

Common sense often fails when that perfect job offer comes along. However, if your instincts tell you something just doesn’t sound right, be skeptical. Check out the company. Check any links. Do an image search on Google to see whether the person’s profile picture is used in other locations. And finally, don’t give up any personal information without a fight.


Watch Out For the Dangerous UPS/FedEx Delivery Scam

Scams targeting the delivery chain have been around for as long as people have ordered merchandise on the internet. They vary mainly in the part of the chain they target and the severity of their goals. Some scams, sent by spammers, simply trick you into visiting a client’s website in the hope that you’ll buy their product. Others, sent by more malicious actors, will financially wipe you off the map. The goal of the current round of delivery-focused malware is to do the latter.

This particular malware (or malspam, as some call it) is called Hancitor. It’s been around for a while but continually updates its tactics. Its current tactics must be working because there has been a spike in infected computers this year, especially in the last few weeks. Hancitor is bad. If released on your computer, it will steal all of your passwords and banking information. If released on a corporate network, it will take whatever it wants.

But all malware has to start somewhere and most malware follows the same, well-trodden path. It all begins with a phishing trip. At this stage, it doesn’t appear the malware is targeting specific individuals, but that could change depending on who controls it. The attack appears to start with randomly sent spam messages that are made to look legitimate. The current version pretends to be a message from UPS, but FedEx has been targeted in the recent past. It begins with an email message from “UPS Quantum View” <ups@piercerx.com> or from “FedEx” <tracking@afedex.com>. Both addresses belong to fringe, poorly protected sites which have been compromised, but they are only two examples among hundreds that are controlled by the spammers. UPS does have a tracking service called Quantum View. The subject line for the UPS phishing email is “Delivery stopped for shipment #142384”. The delivery numbers are randomized. For the FedEx scam, the subject will be “FedEx Tracking 715715163815 Notification”, again with the numbers randomized. The template for both scams is copied from actual templates.
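A mail filter can catch both lures from the headers alone, before anyone clicks anything. The following Python is an added example (not from the post or from any vendor’s product) that flags a display name claiming a brand whose sender domain does not belong to that brand, and subject lines that match the two templates quoted above with the randomized numbers generalized. The brand-to-domain allowlist, the sample headers and the “legitimate” control message are constructed for the example.

```python
import re
from email.utils import parseaddr

# Assumed allowlist of domains that legitimately send mail for each brand.
# Constructed for this example; a real deployment would maintain its own.
BRAND_DOMAINS = {
    "ups": ("ups.com",),
    "fedex": ("fedex.com",),
}

# Subject templates quoted in the post, with the randomized numbers generalized.
LURE_SUBJECTS = [
    re.compile(r"^Delivery stopped for shipment #\d+$"),
    re.compile(r"^FedEx Tracking \d+ Notification$"),
]

def sender_domain(from_header):
    """Lowercase domain of the address part of a From: header ('' if none)."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()

def claimed_brands(from_header):
    """Brands named in the display name, e.g. 'UPS Quantum View' claims UPS."""
    display_name, _ = parseaddr(from_header)
    words = set(re.findall(r"[a-z]+", display_name.lower()))
    return [brand for brand in BRAND_DOMAINS if brand in words]

def domain_belongs_to(brand, domain):
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])

def phishing_indicators(from_header, subject):
    """Return the indicators found; an empty list means nothing was flagged."""
    findings = []
    domain = sender_domain(from_header)
    for brand in claimed_brands(from_header):
        if not domain_belongs_to(brand, domain):
            findings.append(f"display name claims {brand.upper()} but mail comes from {domain}")
    for pattern in LURE_SUBJECTS:
        if pattern.match(subject):
            findings.append(f"subject matches a known lure template: {subject}")
    return findings

if __name__ == "__main__":
    # Constructed sample messages: the two lures the post quotes and one control
    # whose sender address (notify@ups.com) is an assumed legitimate shape.
    samples = [
        ('"UPS Quantum View" <ups@piercerx.com>', "Delivery stopped for shipment #142384"),
        ('"FedEx" <tracking@afedex.com>', "FedEx Tracking 715715163815 Notification"),
        ('"UPS Quantum View" <notify@ups.com>', "Your package has shipped"),
    ]
    for from_header, subject in samples:
        print(from_header, "->", phishing_indicators(from_header, subject) or "no indicators")
```

The display-name check is the more durable of the two: subject templates change with each campaign, but a lure that wants to look like UPS has to say “UPS” somewhere the victim can see it, and the sending domain is the one thing the template cannot copy.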

Here are the templates as analyzed by the Malware-Traffic-Analysis.net website.

[Image: ups email]

Clicking ‘here’ as directed will take the victim to the site shown in the graphic. Attached to that site is a document, the name of which is encoded as a base64 string. Notice the odd phrasing and ungrammatical construction of the message, which indicates a foreign origin.

But why put the document name in base64 code? This serves two purposes. Base64 encoding sometimes goes undetected by spam filters. Remember that the key goal of all attackers and spammers is to bypass the spam filters and get the malicious email into the victim’s inbox. Getting into the inbox is not as necessary as many think, however, because many people will check their spam folder from time to time and may be attracted by a good subject line. In any event, legitimate marketers try to do much the same thing and there are websites dedicated to getting the marketer’s message into a potential client’s inbox.

If the victim clicks on the link, they will be taken to a compromised website and then offered the ‘opportunity’ to download a document. The base64 code will be decoded once the victim clicks on the link and will produce a document name which includes the email username of the victim.

You can encode information in base64 on a number of online sites. For example, I encoded the fake email address joesmith@yahoo.com into am9lc21pdGhAeWFob28uY29t. With a little manipulation, I could have the malicious website produce a document that said, “UPS Delivery joesmith”. That code would be

VVBTIERlbGl2ZXJ5IGpvZXNtaXRo

If you don’t believe me, copy the code and check it out here. The point is that I can hide the document name until I need it to produce the browser-based message that says something like, “Do you want to open or save UPS Delivery joesmith.doc from (website name)?” Of course, in the original scam, the “UPS Delivery” segment would be hard coded.

[Image: UPS document download prompt]

FYI, the FedEx message will look like this.

[Image: FedEx phishing email template]

In both cases, accepting the download will present you with an option screen which will look something like this, in the hope that you will be frightened into enabling macros.

[Image: Word document prompting the user to enable macros]

FireEye found a more creative API that looks like the one below, but in all cases, you will have to enable macros before the malware continues on its mission.

[Image: enable-macros prompt reported by FireEye]

Enabling macros in Word will install Zloader, which will connect via the internet to a command and control center and retrieve Zbot malware. Zbot is related to the notorious ZeuS banking trojan. The malware will install itself into the browser as a man-in-the-middle and ‘watch’ for visits to any banking sites. It will also create fake certificates to make fake sites look legitimate. The malware is not limited to stealing banking information but can be used for all manner of spying and information theft.

How to Avoid Becoming a Victim

There is probably a good reason why your spam filter put an email into the spam folder. Be careful about clicking on any link in such emails, and hover the cursor over the link to see the site that it is connected to.

When presented with a document to download, check the website that it is being downloaded from. Notice that it is given in the download option message seen previously.

[Image: UPS download prompt showing the source site, impacthealthnow.org]

If a UPS document is linked to a site that seems to have no connection with UPS, such as the impacthealthnow.org example shown above, do not waste your time downloading it. If, however, you have gone so far as to download a Word document, do not use the suggestion to enable macros or editing.
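The two checks described above, decoding a base64 segment hidden in the link (as in the joesmith example earlier) and comparing the hosting site against the carrier the email claims to come from, can be combined into one defender-side link triage routine. This is an added example, not code from the original post; the hosts and paths in the sample links are constructed, and only the two base64 strings are the ones worked through in the text.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample links modelled on the UPS/FedEx lure discussed in the text.
# Hosts and paths are hypothetical; the base64 strings are the text's own examples.
SAMPLE_LINKS = [
    "http://compromised-example.org/dl.php?doc=am9lc21pdGhAeWFob28uY29t",
    "http://compromised-example.org/get/VVBTIERlbGl2ZXJ5IGpvZXNtaXRo",
    "https://www.ups.com/track?tracknum=1Z999AA10123456784",
]

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
# Domains the lure claims to come from; a "UPS" document served from anywhere
# else is exactly the mismatch you look for when hovering over the link.
CARRIER_DOMAINS = ("ups.com", "fedex.com")


def decode_if_base64(token):
    """Return the decoded text if token is base64 for printable ASCII, else None."""
    if not B64_TOKEN.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def assess_link(url):
    """Flag a link that is not on the claimed carrier's domain and carries a
    base64-encoded document name or victim identifier in its path or query."""
    parts = urlparse(url)
    host = parts.hostname or ""
    on_carrier_site = any(host == d or host.endswith("." + d) for d in CARRIER_DOMAINS)
    candidates = [seg for seg in parts.path.split("/") if seg]
    for values in parse_qs(parts.query).values():
        candidates.extend(values)
    decoded = [d for d in (decode_if_base64(c) for c in candidates) if d]
    return {
        "host": host,
        "on_carrier_site": on_carrier_site,
        "decoded": decoded,
        "embeds_email": any(EMAIL.match(d) for d in decoded),
        "suspicious": not on_carrier_site and bool(decoded),
    }
```

Running `assess_link` over `SAMPLE_LINKS` flags the first two links (decoded names "joesmith@yahoo.com" and "UPS Delivery joesmith" served from a non-carrier host) and passes the genuine ups.com tracking link.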

If you end up with Hancitor malware on your computer, it is very difficult to remove. Some suggestions are given here and here but be aware that this malware has the ability to regenerate itself even after an apparent removal.

Zbot/ZeuS malware is considered by many experts to be the most dangerous malware on the internet. Attackers are refining it all the time and using it more and more to spearphish victims with emails that appear to come from valid sources. Take all precautions or some day you may find that you have been financially destroyed or have lost important corporate information. I will update any new attack vectors when I discover them.

Update 9-21-17 New Hancitor Tactic

According to Malware-Traffic Analysis, Hancitor has recently been found phishing with an email disguised as a request for an invoice. It’s not clear if the sender mentioned in the ‘From’ field is known to the victim.

Four security firms have identified the connected site as malicious.



The New Generation, Gen Z: “We don’t want to end up like Millennials”

Gen Z (a.k.a. iGen) refers to those individuals born around 1995. It’s the generation composed mostly of today’s teenagers. They were born with the internet firmly in place and with smartphone use becoming mainstream. They have no substantive recollection of 9/11, unlike Millennials (ages 21 to 37).

Although Millennials welcome the arrival of the tech-dependent Gen Zs and see them, more or less, as an extension of their own generation, there are clear differences developing between the two groups. The Millennials sparked the widespread use of social media, while Gen Zs take it for granted. Social media is far more important to them than it is for any other generation, and many Gen Zs believe that their happiness and self-esteem depend on it.

[Chart: Gen Z self-worth and social media]

2016 The Center for Generational Kinetics

Gen Zs also differ on their choice of social media. You may be surprised to see which platform is their favorite, since few other generations have even heard of it (65% of boomers).

[Chart: Gen Z's favorite social media platforms]

For those who don’t know, Vine is a site that allows members to share short, looped videos. Although only 13% think that Facebook is an appropriate social media platform for their generation, they do feel that it serves a purpose (57%). Sadly, 34% of Gen Z-ers have never heard of LinkedIn, but this could change as they reach employment age.

The Smartphone Generation

Gen Z is the first generation to live with a smartphone as an integral part of their body. The idea of living without a smartphone is unthinkable. There is even a psychological condition which occurs if this happens. It’s called phone separation anxiety. This is, perhaps, why Gen Zs believe it is appropriate for 13-year-olds to have a smartphone, while Millennials believe this is too young, with the majority of them feeling 18 is a more appropriate age. I doubted this statistic because I’ve noticed my Gen Z son and his friends seem more liberal than this. In fact, another report found that the mean age for receiving a first smartphone is 10.3. I expect this age will continue to lower.

[Chart: appropriate age for a child's first smartphone, by generation]

Keep in mind that these stats come from a 2016 study, and that opinions linked to technology are changing more quickly with each generation. Exponential changes in technology surround the Gen Zs, which lead them to accept ideas that older generations find unacceptable. For example, Gen Zs think it is acceptable to use a smartphone during religious services, during a job interview, and even during their own wedding ceremonies. Older generations would probably find these behaviors shocking, hence, future generational clashes are inevitable.

Although child-unfriendly content abounds on the internet, parental monitoring of their children’s smartphone use has declined. Only 25% monitor their use with special apps. Only 15% monitor their children’s whereabouts through GPS. The technology gap is separating parents from their children and it is not uncommon for children to be more tech-savvy than their parents. This is why, even when parents install parental control apps on their children’s smartphones, most teenagers know how to work around them.

The Troubling Influence of Social Media

As mentioned above, for the Gen Zs, social media largely determines their sense of self-worth. By the age of 12, most Gen Zs have social media accounts, and interactions on these accounts largely influence the way they see themselves. Keep in mind that social media includes online gaming, which has a strong social interaction component. The graphic below shows the influence social media has on Gen Z as compared to older generations.

[Chart: influence of social media on Gen Z versus older generations]

This dependence on unknown others for self-affirmation has created a whole new set of concerns for the Gen Zs. According to Childline, a support service for children and teens, the main concern of the Gen Zs is low self-esteem and unhappiness. The chart below shows how Gen Z’s concerns have changed from those of the Millennials when they were younger.

[Chart: Gen Z concerns compared with those of Millennials at the same age]

Notice that the main concerns for Millennials were concrete, even physical, while those of the Gen Zs tend to be more psychological. This shift can largely be attributed to the influence of social media. More so than any other generation, this could be the generation of psychological problems. At this time, however, it is impossible to say how these concerns will play out as this generation ages. One thing is certain, though; social media will come under increasing scrutiny.

A Return to More Traditional Values

Several studies have shown a tendency for Gen Zs to be more like Boomers than Millennials in their values, but it’s not an across-the-board agreement. This values shift has been traced to the alarm the Gen Zs feel when viewing the dilemmas faced by Millennials, especially when it comes to employment and education. As one Gen Z-er commented in the CGK study, “We don’t want to end up like Millennials.”

The Millennials, having been raised by relatively well-off Boomers, assumed life would be relatively easy and were not prepared to encounter adversity. Gen Zs, on the other hand, were raised mainly by a generation that saw the economy plunge and who, subsequently, developed the mindset that they were living on the edge of economic uncertainty. Thus, Gen Zs show a tendency to be more cautious or realistic. Seventy-seven percent of Gen Zs feel they will have to work harder than Millennials to be successful.

Gen Zs tend to be more independent and individualistic than previous generations. Where Millennials believed that it was safe to share any personal information online, Gen Zs tend to be more careful and selective about what they share. They have seen the problems Millennials and older generations have encountered by giving up too much personal information without proper concern for security.

Gen Zs also see the financial abyss that many Millennials faced in attempting to recover from the debt they acquired by paying for education. The idea of living at home with their parents is not something Gen Zs would like. Recent surveys show that about 40% of Millennials live either with their parents or other relatives. According to a Federal Reserve study, the underemployment rate for recent college graduates is around 44%. One in ten young college graduates is neither employed nor pursuing more education. They are part of the growing number of the educated idle. This all makes Gen Zs wonder if paying so much for an education is worth the investment.

There is also the shadow cast by technology’s impermanence. What is today’s must-have tech is tomorrow’s old school. Why choose to be educated for a career when that career may become obsolete? Why spend oneself into debt to prepare for an unknowable future? Notice in the chart below from the Federal Reserve report that the once highly-sought-after business management degree left over 60% of graduates underemployed. Note also that the more practical degrees offered the best chance for post graduate success.

[Chart: underemployment rate of recent graduates by college major, Federal Reserve]

Only 32% of current college-age Gen Zs believe they are being properly prepared for future careers. This mindset may lead Gen Zs to pursue alternative forms of education.

Conclusions

Gen Zs face a future that is more unpredictable than it has ever been. This uncertainty forces them to live in the present more than any other generation. They believe in hard work, they’re pragmatic and realize the value of face-to-face communication, but within limits. Seventy-one percent of Generation Z said they believe the phrase “if you want it done right, then do it yourself.” And 69% would rather work in a private rather than a shared work space.

However, there is a disclaimer behind all of these statistics. That is, how will these attitudes change when they enter universities and companies? What do teenagers really know of the workings of the ‘real world’? Like most teenagers, the Gen Zs are optimistic and believe in the American Dream (78%). Their independent attitudes and their belief in on-demand technology may make them difficult employees, especially in terms of cybersecurity. They may be more willing to challenge educational norms and opinions professors try to thrust upon them because they have probably been doing this on social networks. Nonetheless, predicting how they will fit into mainstream life is as difficult as predicting the future of technology.
