Yahoo’s Security Breach Grows Worse

In December 2016, Yahoo revealed it had been hacked back in 2013. It was reported at the time that this security breach by an “unauthorized third party” saw the user data associated with 1 billion accounts stolen. However, it turns out that this epic hack was even worse than Yahoo thought.

This hack didn’t just affect 1 billion random Yahoo users. Instead, it hit every single Yahoo account that existed in August 2013. And there were 3 billion of them at the time. Let that sink in for just a minute: 3. billion. accounts. Making it the largest data breach in history. That we know of…

The Most Epic Security Breach Ever Recorded

Since Yahoo first disclosed the hack, Verizon has acquired the company. During that acquisition, new intelligence was uncovered that clued Yahoo in to the fact it had underestimated just how epic this hack was. Rather than “just” 1 billion users being affected, all 3 billion users were caught up in it.

Yahoo has subsequently sent out a notice revealing the truth. The company states it now believes that “all Yahoo user accounts were affected by the August 2013 theft”. And Yahoo, now called Oath, has drawn this conclusion “following an investigation with the assistance of outside forensic experts”.

Thankfully, although the size of the security breach has been scaled up significantly, the information stolen has remained the same. Which means that “names, email addresses, telephone numbers, dates of birth, hashed passwords […] and, in some cases, encrypted or unencrypted security questions and answers” were stolen.

However, Oath (formerly Yahoo) is ultra keen to stress that no “passwords in clear text, payment card data, or bank account information” was stolen from its servers. This should be of some comfort to anyone who had a Yahoo account in 2013. Which is probably most people reading this right now.

Please Follow Yahoo’s Common Sense Advice

Oath has created a full page of FAQs related to this data breach, which provides the common sense advice the company suggests you follow in order to safeguard your information. That basically amounts to changing your passwords and security questions and answers for any and all Yahoo accounts, and, crucially, all other accounts that share the same or similar information.

Mastering Password Managers

It goes without saying that everyone needs to use stronger passwords, and the best way to do that is with a password manager. The truth is, passwords that are hard to hack are very hard to remember; however, you really do need long and complex passwords.

That’s where password managers come in handy. There are all kinds of password managers out there, including some as basic as your browser’s rudimentary list of saved passwords and some as elaborate as entire cloud systems that work across multiple devices and platforms.

All of these models have some basics in common: they store your passwords, they auto-fill details on login forms, and they keep your passwords encrypted in databases. The differences are where those databases are kept, the types of encryption and recovery options available.

Weaponized Math: Encrypted Passwords

Your browser can save passwords, but that often isn’t very secure. One of the main appeals of a password manager is that it saves all of your passwords behind one password in a single database.

Of course putting all your plain text passwords in one place isn’t much of a security measure in and of itself. Instead, your passwords must be encrypted, which secures your passwords. But since the amount of control over password databases can vary, you’ll want to figure out which model works best for you.

When boiled down, encryption is the use of math to disguise your data. The key used to transform the plaintext is randomly generated, and the strength of the encryption is based on this key’s size in bits. In layman’s terms: the more bits, the more security. This is because the more complex the key, the more complex the resulting output is.

Depending on the algorithm, that substitution is repeated. In certain cases, the key is transformed to further obscure the output. This process creates what’s called a hash, which often has added salt—additional randomization added to the hashing process. This ensures the original value is completely obscured without the correct starting input, key, and salt.

There are additional factors like block size, initialization vectors, and other more advanced concepts. If you’re interested in the gory details, check out our detailed breakdown of encryption.
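To make the role of the salt concrete, here is an added example (not from the original article or from any password manager's own code) that stores passwords as salted PBKDF2 hashes and compares what a stolen table reveals with and without a salt. The account names, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed parameters for this example; real products choose their own.
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_digest(password: str) -> str:
    """Fast hash with no salt: the same password always gives the same output."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """Derive a slow, salted hash. A fresh random salt is generated per record."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": derived.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
        dklen=KEY_BYTES,
    )
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))


def accounts_sharing_stored_value(table: dict) -> list:
    """Group accounts whose stored hash is identical.

    This is what anyone holding a copy of the table can see without
    knowing a single password.
    """
    groups = defaultdict(list)
    for account, stored in table.items():
        groups[stored].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample data: two of the three accounts reuse one password.
SAMPLE_PASSWORDS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "Tr0ub4dor&3",
    "carol@example.com": "correct horse battery staple",
}


def build_tables():
    """Return (unsalted table, salted table, full salted records)."""
    unsalted = {acct: unsalted_digest(pw) for acct, pw in SAMPLE_PASSWORDS.items()}
    records = {acct: make_record(pw) for acct, pw in SAMPLE_PASSWORDS.items()}
    salted = {acct: rec["hash"] for acct, rec in records.items()}
    return unsalted, salted, records


if __name__ == "__main__":
    unsalted, salted, records = build_tables()
    print("unsalted, shared:", accounts_sharing_stored_value(unsalted))
    print("salted, shared:  ", accounts_sharing_stored_value(salted))
    print("login ok:        ", verify("Tr0ub4dor&3", records["bob@example.com"]))
    print("wrong password:  ", verify("tr0ub4dor&3", records["bob@example.com"]))
```

With the unsalted table, the two accounts that share a password are visible at a glance; with per-record salts, every stored value is different even though the passwords are not.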

Local Safes: Keeping Control

The best way to keep a secret is to never tell anyone. If you don’t want your passwords anywhere other than on your hard drive, a local password manager is your best option. This keeps your data on a device that you physically control, leaving your security directly in your own hands.

One of the more popular password managers is KeePass, an open source Windows solution with ports on Mac and Linux. It offers a lot of flexibility and control, including the ability to select between multiple encryption algorithms.

And if you’re looking for a complete escape from passwords, you can even use key files to unlock your passwords. (You put key files on a USB drive or other portable storage, then use the physical device as a key to authenticate with the machine.)

The downside to KeePass is the same as its strength: you control the keys to the kingdom, so if you lose your key files or master password, you’re out of luck. In such a case, your only option would be to start over from scratch and set up every password again.

Your file is also limited to where you save it, so you’re responsible for any backups you want to maintain. If you want mobile sync, you’re going to need to do it manually (or with a separate syncing service like Dropbox), and you’ll need a compatible reader on your tablet or phone. And if something goes wrong, you’re on your own.

Local managers give you a lot of security and control, but you lose a rescue plan and out-of-the-box portability.

Syncing Systems: Multiple Devices

If you’re juggling multiple devices with many passwords, keeping a master file locked on a PC somewhere is not the best solution — especially if you’re trying to log into Amazon on your phone or check your bank balance on your tablet. Don’t weaken the password just to make it more memorable!

That’s where a hybrid approach like 1Password comes in: it uses Dropbox or your local network to automatically sync your passwords between devices. This gives you the ability to keep everything working across devices, but you are still the only one with the key to your data.

But you lose some of the crunchier options, such as multiple encryption algorithms and key file logins.

This fixes a lot of the downsides of the local-only option, as you can keep your phone, tablet, and computer all in sync. You’ll also need to trust Dropbox as a cloud host, though 1Password does add an extra layer of security on top with its own strong encryption, which should put your security worries to rest.

If you’re really worried about interceptors and other vectors of attack, you can just use your local network to synchronize your passwords across devices. You won’t have any hope of recovering a lost master password if you choose this route, but it does ensure that 1Password won’t have access either.

Cloud Services: Any Device, Anywhere

Keeping all of your passwords in the cloud requires a certain amount of trust in a company to do things the right way. My favorite choice here is LastPass.

LastPass keeps an encrypted copy of your password database in the cloud, making it available on almost every platform and browser imaginable. You will need a premium membership for several of their features, but the basics are there for free.

Your devices do all of the encryption and decryption, ensuring that your master password is not on LastPass’s servers. If you don’t have access to the Web, a copy is cached locally so you can still unlock. There is an additional layer of protection in two-step verification as well.

You have to trust their security is as robust as promised, as LastPass makes for an obvious target for hackers. However, with a good master password and two-step verification enabled, you should be confident about the security of your password safe. And if you ever forget your password, you can recover your safe.

Literally the Least You Can Do

If you’re a Mac and/or iOS user, you already have access to a password manager built into your operating system: iCloud Keychain. This is an extension of the OS X keychain that uses iCloud to keep all of your passwords synced across devices.

Windows has a similar feature called Credential Manager, but it does not have the same cross-device syncing.

This is pretty comparable in terms of security to LastPass, but it’s limited to Apple devices. Unless you run exclusively on Apple products, you’re going to be missing your passwords on some of your other devices, which can be a huge nuisance.

Yet even if you’re a big Apple fan, you still may not want to lock yourself into the platform because you never know what kind of other devices you may get in the future.

You Really Need a Password Manager

Unless you have an iron-clad memory, using different passwords across all of your accounts is going to prove difficult. Doing so with hard-to-crack passwords? Near impossible. Getting a password manager ensures that you can keep all of your accounts safe and secure using a single master password.

Find the model that works best for you and find the product that works best for your devices. Almost every manager has a free trial or free tier that you can try out. Once you’ve made your choice, go through all of your online accounts and update the passwords to be more complex.

That’s really all there is to it.

Has Your Password Been Exposed?

You know by now that you should be changing your passwords regularly. I have been strongly recommending password managers for several years now. This is because every day there seems to be another cyber security crisis. If you haven’t changed your passwords recently, it’s now officially time: a massive database containing login credentials is floating around the internet.

We don’t know who’s behind the breach, but over 560 million leaked emails and passwords — 243.6 million unique email addresses — are compromised. First uncovered by the Kromtech Security Research Center, the leak has been confirmed by security researcher Troy Hunt, who created the “Have I Been Pwned” website.

What kind of information does it have?

The good news is, there hasn’t been a new hack: the trove of credentials is a collection of data from previous breaches at LinkedIn, Dropbox, LastFM, MySpace, Adobe, Neopets, Tumblr and others. Some of these breaches are years old.

What makes this database troublesome from a security standpoint is how accessible it makes sensitive information. It basically compiled private data from various prior hacks to create one convenient database for hackers to illegally access.

Who is at risk?

Essentially, anyone who never updated their credentials at the time of the original breach. If you haven’t stayed on top of every hack and checked your status each and every time, then you could be at risk.

How to check if your credentials are compromised

The easiest way to see if your credentials are vulnerable is to go to Hunt’s site — Have I Been Pwned. Here, you can type in your email and find out if your email and password are safe or not.

You may have changed your password at the time of a given breach, but let’s be real: you may not remember. If you scroll below the results, the site shows you which breaches you were impacted by. To view information on sensitive breaches, subscription is required. If this is your first time on the site and you get the dreaded “Oh no—pwned!” message, then it’s best to take a screenshot of the result and change your password immediately.

Why a screenshot? The site tells you how many “breached sites” your address is on (in other words, how many unique incidents took your credentials) and if there are any “pastes” — a paste is when the information is shared on a public website. Saving this information (you can also jot it down somewhere safe) can let you know in the future if you’ve been breached again if the information in the results changes.

Don’t understand what’s going on? It’s okay. Just go change your email password to be safe. And be sure to create a strong password.

Recent DDoS Attack Exploits Internet of Things (IoT)

The cyber-attack I wrote about last week, which took out huge portions of the Internet, has now led to a major product recall. Hangzhou Xiongmai Technology, a Chinese electronics company, has acknowledged that weak default passwords on many of its devices were partly to blame for the October 21 attack.

The components maker, which builds parts for everything from security cameras to digital recorders, said it would be recalling millions of Web-enabled cameras that were sold in the U.S. The company described the attack as a major blow to the Internet of Things movement, saying it has shaken customer confidence in the level of security of all Internet-capable devices.

Despite the surprise and devastation achieved during Friday’s attack, it was not inevitable. In fact, Hangzhou Xiongmai reported that it first became aware that some of its cameras had a security flaw last year. The company issued a firmware update to fix the issue last September and urged customers to change the password from the default setting.

Only devices that were sold before April 2015 failed to update their firmware. Those devices were still using the default password and were connected to the Internet when they were exploited.

Hangzhou Xiongmai has now agreed to recall up to 4 million products. While the company primarily makes components for industrial and commercial devices, such as surveillance equipment for banks, stores, and residential areas, most of the devices it sells in the U.S. are for personal and consumer use. That might explain why so many devices were running old firmware using the default password.

Dealing with the Internet of Things

Friday’s attack managed to take out huge parts of the Internet throughout the United States, including popular sites such as Twitter and Netflix, by targeting Dyn Inc., a New Hampshire-based company responsible for providing much of the domain name service infrastructure in the US. The group responsible for the attack was able to overwhelm Dyn’s servers with a distributed denial of service attack.

To achieve their goal, the hackers used a malware tool known as Mirai to take control of IoT devices, such as security cameras, using Hangzhou Xiongmai’s hardware components to form a botnet. Once under the hackers’ control, the botnet was able to generate fake network traffic from tens of millions of IP addresses, overwhelming Dyn’s ability to respond.

This was one of the largest and most sophisticated attacks against a major Internet infrastructure provider in history. And the use of IoT devices, rather than laptops or desktops, may represent a chilling new development in the annals of cybercrime.

Such devices are expected to proliferate in the coming years, and many continue to lack sufficient security safeguards. Friday’s attack may prove to be only a glimpse of what’s to come.

DDoS Attack Exposes Growing Concerns

Early this morning, a large distributed denial of service attack (DDoS) directed at the Internet performance management company Dyn caused Web site outages for a number of its customers, including Twitter, Reddit, Spotify and SoundCloud.

Question – What is a DDoS?

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. They target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information.

Why Are Reports Like This a Concern?

While today’s DDoS attack was resolved relatively quickly, a number of news sites described it as having shut down “half the Internet” for users on the East Coast. In addition to customers, such as Twitter and Reddit, Dyn’s client list includes large sites such as About.com, CNBC, Etsy, RedHat and Zillow.

The scale and scope of DDoS attacks have been growing dramatically over the past year or so. Last month, for example, the KrebsOnSecurity Web site was temporarily brought down by a record-breaking DDoS attack generating traffic levels of up to 620 Gbps. Shortly afterward, the France-based hosting company OVH sustained a DDoS attack that was nearly twice as massive as the one on Krebs’ site.

A Growing Concern

Security experts are blaming the rise of increasingly massive DDoS attacks on the rapidly expanding number of network-connected devices on the Internet of Things (IoT). Earlier this month, researchers identified a 12-year-old vulnerability in the OpenSSH security utilities suite and noted that weak protections on IoT devices have helped to create the “Internet of Unpatchable Things.”

The size of these DDoS attacks has increased so much lately thanks largely to the broad availability of tools for compromising and leveraging the collective firepower of so-called Internet of Things devices, which often include poorly secured Internet-based security cameras, digital video recorders (DVRs) and Internet routers.

What all these connected devices have in common is the existence of security vulnerabilities caused by flawed software design or gross negligence on the part of their manufacturers, who all too often use the same factory passwords for all their devices.

Question – What is The Internet of Things? 

The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

A thing, in the Internet of Things, can be a person with a heart monitor implant, a farm animal with a biochip transponder, an automobile that has built-in sensors to alert the driver when tire pressure is low — or any other natural or man-made object that can be assigned an IP address and provided with the ability to transfer data over a network.

IoT has evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS), microservices and the internet. The convergence has helped tear down the silo walls between operational technology (OT) and information technology (IT), allowing unstructured machine-generated data to be analyzed for insights that will drive improvements.

The security of the internet is a complex and often overwhelming challenge. What at one time was simply computers connected together via the internet is now smartphones, mobile devices and technologies of every type, from your refrigerator and HVAC system to medical devices such as heart pacers.

The Case for Password Managers

Here is something that probably drives you crazy. Passwords. How many times do you have to reset your password? How much time do you lose trying to figure out just what your password is for a particular website? Do you panic when you hear about another security breach and have you ever feared that your personal information has been stolen?

We live in a digital world and there is nothing we can do about that. Passwords and security are simply going to continue to become more difficult and harder for us to manage. I believe that the best way for you to safely and efficiently manage your online security is by investing your time (and sometimes a little cash) in a good password manager.

Using a password manager will address these problems that most of us face as we travel through the digital universe.

  1. Error messages galore – It’s annoying to type out a password, especially as password requirements get more complex. And many times, we type them in wrong. This is even more of a problem using the small keyboards on a smartphone or tablet. With a password manager, your password is automatically filled in for you when it detects the login screen, or you can easily tap the password for entry into a mobile app.
  2. The forgotten password lock-out – Enter that password one too many times, and boom – you’re locked out. Again. That’s the last thing you want to deal with when you’re logging in to pay your credit card on time or need to respond to an email quickly. Password managers never forget the stuff you’ve stored in them, and that stuff includes your passwords. Never get locked out again with a password manager.
  3. The reset (the aftermath of the lock-out) – Once you’ve finally admitted that you can’t remember your password, you have to go through the painful and usually time-consuming password reset process. Will the link to reset your password come through immediately? Or in a few hours? No one knows, and no one has time for that.
  4. Creating a tough as $%!t password – With the increased frequency of breaches, many sites are implementing stronger password requirements – 35 characters, 6 symbols, uppercase, lowercase – who can remember all that?! Thankfully, we have the technology of a password manager for that. Not only can it create that complicated password in one click, it remembers it without any work on your part.
  5. What’s your Wi-Fi, again? – You have friends over for game night and everyone wants to control the music from their own phone. But before they can do that, you get the age-old question, “What’s your Wi-Fi password?” And a 15-minute delay ensues as you try to track it down again. Ah! But with a password manager like LastPass, you’ll have it right where you want it. Simply store your Wi-Fi credentials in a Secure Note, and share that Note with your friends so you don’t ever have to dig up and spell out your Wi-Fi password again.
  6. Your billing address is not correct – You’re shopping online, just buying a new pair of shoes, but as soon as you enter your name, the browser populates your billing and shipping information with your office address. As much as you’d love to charge those new shoes to work, that won’t fly. With LastPass, you can create profiles for your credit cards so you don’t need to enter the information each time – LastPass just fills it in for you automatically.
  7. Post-breach password changes – The modern reality is that passwords are a hot commodity and hackers are going to keep trying to steal them. After each new breach, we as consumers run around changing this password or that one, which can be a hassle and quite time-consuming. But password managers like LastPass can help you figure out where you’ve reused the same password that was breached, and will even automatically change passwords for you making it extremely easy to be extremely secure.
  8. Not having a password when you need it – It’s happened to everyone. You’re on the go – running errands, away for the weekend – and you get an email that your electric bill is due – today! Normally that’s not a problem, but the password for your electric company account is stored in your browser or on a sticky note next to your computer, which isn’t helpful now. With a password manager you have access to your passwords wherever you are, from any device. So paying your electric bill from a rest stop on the side of the highway is no big deal.

Take a look back at this list. How many of these frustrations have you dealt with just in the last month? Passwords aren’t going away; they’re actually becoming more of a pain, but they don’t have to be.

My favorite password manager is LastPass but there are others out there as well. You can learn about many of the best password managers by checking out this PC Magazine article.

Outlawing Ransomware?

Legislation has yet to catch up with technology. Perhaps, finally, legislators will begin to understand that they have some power to actually protect consumers where new technologies are concerned. There is hope coming out of California where tech law is concerned.

State legislation to outlaw ransomware is drawing broad support from tech leaders and lawmakers, spurred by an uptick in that type of cybercrime and a series of recent attacks on hospitals in Southern California.

The bill, authored by state Sen. Bob Hertzberg (D-Van Nuys), would update the state’s penal code, making it a felony to knowingly use ransomware, a type of malware or intrusive software that is injected into a computer or network and allows a hacker to hold data hostage until money is paid.

Ransomware has become a lucrative industry over the last three years, affecting schools, police departments and healthcare businesses. Trojans that work like viruses, such as CryptoLocker — which began appearing in 2013 — can be unleashed by users with few technical skills and reel in profits.

Proponents say the proposed ransomware law is the right step to counter attacks difficult to prosecute under existing statutes that are not tailored to combat computer crime. But some question just who will get caught in the dragnet, as such incidents are tough to trace and culprits are often overseas.

Victims nationwide lost more than $209 million in ransomware payments in the first three months of 2016 alone, compared with $25 million in all of 2015, according to the FBI.

But no arrests were made. Nor were arrests made in more than half a dozen ransomware incidents investigated by the Cyber Investigation Response Team of the Los Angeles County district attorney’s office, which is a co-sponsor of the bill.

Ransomware Defined

Ransomware attacks are instigated when a person clicks on a compromised website or opens an infected email. The programs encrypt files, such as photographs, videos or documents, and they cannot be accessed without an encryption key.

Security researchers first saw similar attacks in 1989, when the so-called AIDS Trojan virus locked people out of their files if they clicked through a quiz about their sexual and drug habits. Ransomware has evolved over the last decade with the creation of “police screen lockers,” pop-up screens that appear to be created by law enforcement agencies that fraudulently order people to pay fines after accusing them of downloading pirated movies or child pornography.

At the federal level, prosecutors can use the Computer Fraud and Abuse Act to target ransomware. But state prosecutors typically must pursue such cases under laws against extortion, or those that target threats to injure a person or property that have not been acted upon.

Android Users Beware “Godless”

If you are an Android user, you have reason to fear “Godless”, a new family of malware targeting Android mobile devices that has been detected by digital security firm Trend Micro. The malware, named after the ANDROIDOS_GODLESS.HRX filename it uses, uses multiple exploits to root users’ devices.

Godless can target virtually any Android device running on Android 5.1 (Lollipop) or earlier. Today almost 90 percent of Android devices run on Android 5.1 or earlier. Apparently malicious apps related to this threat can be found all over Android app stores, including Google Play, and have affected over 850,000 devices worldwide.

Godless is similar to an exploit kit. Both use a type of open source rooting framework called android-rooting-tools. The framework has various exploits in its arsenal that it can use to root a number of different Android-based devices. The two most prominent vulnerabilities targeted by the rooting kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the Towelroot exploit).

By gaining root privilege, Godless can connect to a command-and-control (C&C) server capable of delivering remote instructions that force the device to download and install additional apps without the user’s knowledge. At best, an infected user receives unwanted apps on the phone. At worst, the same technique can be used to install a backdoor on the phone in order to spy on the user.

Google is apparently aware of the threat, and has stated that they are taking “appropriate actions”. I would recommend that you review the developers listed for apps whenever you download new programs from any app store. You should also be suspicious about unknown developers. All apps should also be downloaded from trusted stores such as Google or Amazon.

Netflix & Amazon Urge Users to Change Their Passwords

Both Netflix and Amazon are warning some customers that their accounts may be at risk and are urging them to change their passwords. These appear to be the first major effects of the massive database breaches that have surfaced during the past month.

The emails, which have started to surface in more and more inboxes recently, warn the recipient that their credentials may have been found in a cache of passwords and emails that made their way online. Both Amazon and Netflix assure their customers that neither company was directly breached.

In the cases of both Netflix and Amazon, the services have created temporary passwords for users who have been caught in the leaks. The security step was taken because “many customers reuse their passwords on multiple websites,” according to the email delivered by Amazon.

The belief that users have reused passwords is probably a correct one. Many people still use the same password across many accounts, which is a major problem and why Amazon and Netflix are moving forward with urging their customers to change their passwords.

The precautions taken by Netflix and Amazon follow several weeks of an unprecedented number of usernames and passwords stolen from major sites and services.

Recent History of Large Services Hacked

A total of 167 million accounts from LinkedIn, the result of a 2012 breach, surfaced in May after appearing available for sale on a dark net marketplace. Just weeks later, 427 million credentials from MySpace appeared online, the result of an apparently unreported breach of the social network’s databases. Sixty-five million Tumblr accounts that were stolen in 2013 were acquired at the end of May. In June, 32 million credentials from Twitter users were put up for sale on the dark web, though Twitter denies it was ever the victim of a hack.

Change Your Passwords

Even if you don’t get an email from Netflix or Amazon—or any other company taking extra steps to protect their customers—suggesting a password change, now is the perfect opportunity to do it.

First, you can check to see if your account appears in any of the recent breaches by using the free tools offered by LeakedSource, an online database of stolen credentials, or Have I Been Pwned, a collection of compromised usernames and passwords maintained by security expert Troy Hunt. Regardless of whether you appear on either list, it never hurts to refresh your current protection.

When filling out the password form, make sure to use a unique combination that isn’t in use for any other account belonging to you; a breach of one service can create a domino effect and compromise you later.

Make sure to use a combination of words, numbers, symbols, and upper and lowercase letters. Try to avoid anything easily guessable—anything on the list of most common passwords is a nonstarter—and keep away from publicly available personal information like your birthday.

Use a Password Manager

I have suggested this countless times here on this fine technology blog, as well as to my workmates, friends and family. Invest in a Password Manager like “LastPass”. Password Managers can take a daunting job (like having strong, encrypted and unique passwords) and make it very easy. Those of us using a password manager have very little to fear from security hacks like the ones mentioned here.

Consider Two-Factor Authentication

Consider using “two-factor authentication” for your important online accounts, especially financial accounts. These are becoming easier to use. The one I recommend is Google’s Authentication.

Beware Locky

The internet can be a very scary place.

Over the past week, computers throughout Europe and other places have been hit by a massive email spam campaign carrying malicious JavaScript attachments that install the Locky ransomware program.

Antivirus firm ESET has reported a spike in detections of JS/Danger.ScriptAttachment, a malware downloader written in JavaScript that started on May 22 and peaked on May 25.

Many countries in Europe have been affected. The company’s telemetry data also showed significant detection rates for this threat in Canada and the U.S.

JS/Danger.ScriptAttachment can download various malware programs, but recently it has been used to primarily distribute Locky, a widespread, malicious program that uses strong encryption to hold users’ files hostage.

While Locky doesn’t have any known flaws that would allow users to decrypt their files for free, security researchers from Bitdefender have developed a free tool that can prevent Locky infections in the first place. The tool makes the computer appear as if it’s already infected by Locky by adding certain harmless flags, which tricks the malware into skipping it.

The use of JavaScript-based attachments to distribute Locky began earlier this year, prompting Microsoft to post an alert about it in April.

The attachments are usually .zip archive files that contain .js or .jse files inside. These files will execute directly on Windows without the need for additional applications.

However, it is very uncommon for people to send legitimate applications written in JavaScript via email, so users should avoid opening this kind of file.
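A mail filter can act on this by looking inside .zip attachments before delivery. The following is an added example, not part of the original post or of any vendor's product: it lists .js and .jse members of an archive, including an archive nested one level deep, using constructed sample archives with harmless contents. The function names and size limits are assumptions.

```python
import io
import zipfile

SCRIPT_EXTENSIONS = (".js", ".jse")   # the two extensions named in the article
MAX_DEPTH = 1                          # assumed: levels of nested archives to open
MAX_MEMBER_BYTES = 5 * 1024 * 1024     # assumed: cap on bytes read from a nested archive


def _normalise(name: str) -> str:
    # Windows drops trailing dots and spaces from file names, so "a.js."
    # ends up as "a.js" on disk. Extensions are also case-insensitive there.
    return name.lower().rstrip(". ")


def find_script_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return the paths of .js/.jse members inside a zip archive."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            lowered = _normalise(info.filename)
            if lowered.endswith(SCRIPT_EXTENSIONS):
                findings.append(path)
            elif lowered.endswith(".zip") and depth < MAX_DEPTH:
                try:
                    with archive.open(info) as member:
                        inner = member.read(MAX_MEMBER_BYTES + 1)
                except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                    continue  # encrypted, unsupported or corrupt member
                if len(inner) <= MAX_MEMBER_BYTES:
                    findings.extend(
                        find_script_members(inner, depth + 1, path + "!")
                    )
    return findings


def classify_attachment(filename: str, data: bytes) -> tuple:
    """Return ("quarantine", [paths]) or ("deliver", [])."""
    if _normalise(filename).endswith(SCRIPT_EXTENSIONS):
        return ("quarantine", [filename])
    if zipfile.is_zipfile(io.BytesIO(data)):
        hits = find_script_members(data)
        if hits:
            return ("quarantine", hits)
    return ("deliver", [])


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments. The "script" members hold a harmless comment.
PLACEHOLDER = b"// harmless placeholder"
SAMPLES = {
    "holiday_photos.zip": make_zip({"beach.txt": b"text", "notes/readme.txt": b"hi"}),
    "invoice_0525.zip": make_zip({"Invoice_0525.PDF.JSE": PLACEHOLDER}),
    "scan.zip": make_zip({"inner.zip": make_zip({"docs/scan_001.js.": PLACEHOLDER})}),
    "report.pdf": b"%PDF-1.4 constructed, not a real PDF",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_attachment(name, data))
```

The double extension, the upper-case extension and the trailing dot in the samples are the cases a plain suffix comparison on the attachment name would miss.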

Will Locky make it to the United States in a big way? I hope not. However, be sure to be aware of it and use all of the security tips we have recommended in the past.
