Tuesday, February 16, 2016

4 things you should be doing right now so you won't get hacked

Cybercrime is a multibillion-dollar racket that affects corporations and individuals alike, but there are a few simple steps everyone can take to protect against it.
“If you’re a target, which honestly most companies are, then you really have to depend on taking some basic measures,” says Kyle Lady, a research and development engineer with Duo Security.
Tech Insider spoke with Lady recently about how hackers infiltrate systems and what the best methods are for stopping them. Here's what he recommends.

Use passwords with at least 14 characters that can't be found in the dictionary.

The 25 worst passwords of 2015 include entries like "123456," "football," and "password," and these can all be easily guessed by an attacker. And we're not talking about a hacker typing in different passwords by hand until they get it right; most use software that can guess hundreds and thousands of passwords a minute.
So it's best to use something much stronger. "If I can find your password in a dictionary, so can an attacker," Lady says.
Lady recommends using a password of at least 14 characters (he uses at least 24) that mixes uppercase and lowercase letters, numbers, and symbols. A password like "SYd#2n3l_!p4ss" — one that has no real meaning and plenty of symbols to throw off a hacker — is going to be a lot better to use. But even a phrase, like "this password security thing works," is going to be stronger than most.
"It’s going to be real hard [for an attacker]," Lady said. "Someone is going to expend a lot of resources just to guess that password by trying over and over."
But there's also a problem for the user: memorizing a password full of hard-to-remember characters.

Use a password manager so you won't have to remember all of them.

A password manager like LastPass or 1Password can securely store all of your passwords for everything from your email to your bank account in one spot, so you don't need to remember each one. Which is great, since Lady recommends using different passwords for your various accounts.
Instead of coming up with a strong password filled with various symbols and letters yourself, most password managers can generate very strong passwords for you, encrypt them, and keep them on file, "so you don’t have to have them written down," Lady says.
Then, you only need to come up with one really strong master password.
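As an added example, not code from the article or from Duo Security, the following Python enforces the two rules in the heading above (at least 14 characters, not in a dictionary), estimates the brute-force search space a guessing program would face, and generates a 24-character random password the way a password manager does. The COMMON_PASSWORDS set is a constructed stand-in for a real cracking wordlist, and the function names are my own.

```python
import math
import secrets
import string

MIN_LENGTH = 14  # the minimum length the article recommends

# Constructed stand-in for a cracking wordlist; a real check would load a large
# list such as a "worst passwords" list or a leaked-password corpus.
COMMON_PASSWORDS = {"123456", "password", "football", "qwerty", "letmein", "welcome"}

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_password(password: str, dictionary=COMMON_PASSWORDS) -> list:
    """Return the policy violations for a password; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # A case-insensitive hit in the wordlist means guessing software would
    # recover the password within its first few attempts.
    if password.lower() in {word.lower() for word in dictionary}:
        problems.append("found in dictionary")
    return problems


def _alphabet_size(password: str) -> int:
    """Size of the character set an attacker must assume, from the classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # ASCII punctuation plus the space character
    return size


def guess_space_bits(password: str) -> float:
    """log2 of the brute-force search space: length times bits per character."""
    size = _alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG, the way a password manager builds one."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        # Retry until all four character classes appear and the policy passes.
        if _alphabet_size(candidate) == 95 and not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("football", "SYd#2n3l_!p4ss", "this password security thing works"):
        print(f"{pw!r}: problems={check_password(pw)} bits={guess_space_bits(pw):.0f}")
    print("generated:", generate_password())
```

The dictionary check is kept separate from the character-class estimate on purpose: the phrase "this password security thing works" contains only lowercase letters and spaces, yet it passes the policy and has a far larger search space than the short symbol-heavy string, which is the point the article makes about length.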

Turn on two-factor authentication and your account will remain secure even if your password is hacked.

“Even weak passwords aren’t the end of the world, if you’re using two-factor authentication,” Lady says.
Two-factor authentication is becoming standard for password security. With two-factor, a user enters their password, then goes through a second round of screening, usually by entering a code they received in a text message. For the most part, this second step would stop most hackers in their tracks, since they'd have to steal your phone in order to proceed.
“It’s becoming a standard option, but most people don’t enable it,” Lady says, noting that most people are too lazy to do so. You can usually find two-step verification in your account settings. It's available on Facebook, Twitter, Gmail, Snapchat, and a ton of other services — just make sure you actually turn it on.
Image: A screenshot of Google's two-step authentication (Google)
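The article describes the second-factor code arriving by text message. The check a service performs on that code is the same one it performs on a code from an authenticator app, and the app case follows a published standard (RFC 4226 HOTP and RFC 6238 TOTP), so this added Python example, which is not code from Google, Duo Security or the article, shows that generalised form: how the code is derived and how a server verifies what the user typed. The verifier class, its one-step clock-skew window and the replay check are my design choices; the shared secret in the demo is the RFC test-vector key, used only as sample input.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the time step an authenticator app and the server share


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, now // STEP_SECONDS, digits)


class SecondFactorVerifier:
    """Server-side check of the code the user types after their password (my design)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window      # steps of clock skew tolerated on each side
        self.last_counter = -1    # highest step already accepted, to reject replays

    def verify(self, submitted: str, now: int) -> bool:
        if not (submitted.isdigit() and len(submitted) == 6):
            return False
        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) has already been used
            # Constant-time comparison so the check leaks nothing about the code.
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Shared secret from the RFC 4226 test vectors, used here only as sample input.
    demo_secret = b"12345678901234567890"
    print("code at t=59:", totp(demo_secret, 59))  # 287082 per the RFC 6238 test data
    verifier = SecondFactorVerifier(demo_secret)
    print("first use:", verifier.verify("287082", 59),
          "replay:", verifier.verify("287082", 59))
```

Two details matter on the server side: hmac.compare_digest keeps the comparison from leaking how many digits matched, and remembering the last accepted step means a code is good for exactly one login, so a code that was seen once cannot be submitted again.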

Be especially wary of emails asking you to do something, or phone calls about the security of your accounts.

About 91% of targeted cyber attacks begin with a "spear-phishing" email, a trick designed to get a specific person to click on a link, give up their password, or download malware. These types of emails are designed to look like the real thing, and are really hard to judge at first glance.
A scammer might email saying your PayPal account has been hacked, and you need to update your password. But once you click the link, you are actually giving them your password, not changing it. Lady says the key is to make sure you are on a legitimate page like paypal.com, and not a scam site with an address like www.paypalsecurity.xyz.
"If there’s any doubt in your mind, essentially, trust but verify," Lady said.
The same goes for suspicious phone calls. Hackers often use "social engineering" to convince a person to help them. So it's important to remain skeptical of calls from people claiming to be customer service representatives, since most companies don't place unsolicited calls, and almost all will never ask for passwords.
“I could be tech support with a cell phone in ten minutes and go around asking for passwords,” Lady said.
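The paypal.com versus www.paypalsecurity.xyz comparison above is a check a mail client or a user can make mechanically. This added Python example, which is not code from the article or from Duo Security, extracts every link from an HTML message body and flags those whose real destination host is not a trusted domain, whatever the visible link text claims. The TRUSTED_DOMAINS allowlist and SAMPLE_EMAIL are constructed for the example, and the class and function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of the registrable domains you actually hold accounts with.
TRUSTED_DOMAINS = {"paypal.com"}


def link_is_legitimate(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the link's host is a trusted domain or a real subdomain of one."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    # .hostname drops any user@ prefix and port, so the check is made on the
    # host the browser would actually contact, not on text placed in front of it.
    host = parsed.hostname.lower().rstrip(".")
    # A lookalike that merely contains the name (paypalsecurity.xyz,
    # paypal.com.example.net) fails; www.paypal.com passes.
    return any(host == d or host.endswith("." + d) for d in trusted)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html_body: str, trusted=TRUSTED_DOMAINS) -> list:
    """Links whose real destination is not a trusted domain, whatever their text says."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(text, href) for text, href in collector.links
            if not link_is_legitimate(href, trusted)]


# Constructed sample message in the style the article describes.
SAMPLE_EMAIL = """<p>Your PayPal account has been hacked. Please
<a href="http://www.paypalsecurity.xyz/update">update your password at paypal.com</a>
or visit the <a href="https://www.paypal.com/security">security centre</a>.</p>"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"suspicious: '{text}' actually points to {href}")
```

The decision is made on the parsed hostname rather than on a substring search, because a lookalike address is built precisely so that the trusted name appears somewhere in it; only the registrable domain the browser will connect to tells you where the link really goes.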

Android: Smartphones hit with Mazar Bot malware that can 'erase everything'

Image: Android has been hit with Mazar Bot malware that gives attackers control over the entire phone (Google)
Android users are being warned about a new strain of malware called Mazar Bot that is hitting smartphones, giving attackers full administrative rights to monitor and control nearly every aspect of the phone.
The manipulative and persistent piece of malware, which researchers at Heimdal Security found in active use, takes hold via a malware-laden SMS/MMS message; once its link is clicked, it unleashes a range of alarming capabilities, such as sending malicious text messages, accessing the web anonymously, putting the phone into sleep mode and even fully erasing all content from the device.
Unlike the typical Android exploit, Mazar Bot reaches users through a direct message rather than being downloaded from a third-party application store. Until now the malware had only been advertised for sale on the dark web; this is the first known case of it being used in active attacks.
Once on a device, the malware covertly downloads Tor, which allows it to connect to the internet anonymously and ping a server that acts as a beacon, alerting the attacker that a fresh device has been compromised. Worse, it can install the Android-based Polipo Proxy application, which lets the malware's operator intercept and spy on all internet traffic passing through the smartphone.
According to Andra Zaharia, security specialist at Heimdal Security, this could lead to Man-in-the-Middle (MITM) attacks which are often used to steal sensitive details such as email account logins, social media credentials and banking information.
Image: Mazar Bot malware hits Android smartphones, giving attackers access to a range of exploits
Who is behind Mazar Bot?
While it's not 100% certain, security experts claim that the evidence suggests the attackers operating the malware are Russian. When Mazar Bot was first discovered last year by researchers from Recorded Security, it was revealed that the malware was being advertised on a Russian-language website hosted on the dark web.
Additionally, the malware is coded not to work on Russian handsets. "Our team was not surprised to observe that the malware cannot be installed on smartphones running Android with the Russian language option," said Zaharia. "Mazar Bot will check the phone to identify the victim's country and this will stop the malicious APK if the targeted phone turns out to be owned by a Russian user."
And unfortunately, according to Heimdal Security, the malware is only likely to evolve in the coming months. "Attackers may be testing this new type of Android malware to see how they can improve their tactics and reach their final goals, which probably is making more money," added Zaharia. "We can expect this malware to expand its reach."
The Android mobile operating system has faced a number of major security concerns over the past 12 months, including the notorious Stagefright malware which at the time was said to have impacted up to 95% of all Android devices.