I received an email from HaveIBeenPowned this morning – the incredibly useful service that lets you know if your username and password was released in a data breach. This time around it was last.fm – a streaming radio station that was pretty popular a long, long time ago. I went to log into the system and checked my gmail account for email from last.fm to see if I had my membership confirmation email – nothing. I had 1 email from last.fm back in 2008 when I had received a friend request (I am so popular!) – that was actually a spam request.
Obviously I had not used the service for a very, very long time. The data breach occurred in 2012, was known about in 2012 and yet they had done nothing about it then. They had also not done anything about it recently after the data breach was leaked as I had not received an email lfrom them etting me know my account had been breached.
To add insult to injury, the old password was still active and I was able to log in with it. I can understand a small pokey geocaching website not understanding security correctly and leaving passwords the same after a data breach with only a small notification on the website, but even they reacted after I sent them an email to say they need to do something better and at least inform their visitors and ideally change their password. Last.fm really have no excuse as they are big enough that they should know better and all of the accounts should have had their passwords changed once the breach was public or better yet, when they knew about the breach.
Instead, the list of usernames and passwords are still out there for people to search and log in with.
I guess the argument for not changing the account password is to let the subscriber log in with their original password that they know about. If the email address was now invalid and the password was changed by last.fm then the user would not be able to get into their account anymore….on the other hand if last.fm does not change the password, anyone could log into the account,reset the password, have access to all the data (including the persons email address) and the account holder would not be able to gain access. The hacker will not be able to change the email address though as they have put protection in place to prevent the email address being changed without a verification email link being clicked on so I guess that is something…..
This is also yet another reminder to use a password manager to “remember” all of your passwords for each site – don’t use the same one at each location. I highly recommend LastPass (unless you are a user with multiple accounts at Office365). At $12 a year for syncing between all of your devices it is well worth the cost and if you sign up with the link above we both get an extra month for free. I used to use the free KeePass software which is standalone and doesn’t hook into your browser like LastPass but it can also sync between devices (with a bit of finagling.
What do you think – should last.fm have changed users passwords when the data breach went public? Have you signed up for HaveIGotPowned? If not – what are you waiting for – it’s free and a great first response tool to keep your accounts more secure.
We had an interesting ticket come in today where an antispam system had let through a file compressed with the arj format. This immediately brought back memories of compressing files back at university – in the very early 90’s and a format that used to be very popular but nowadays most people, including the rest of our techs had never even heard of.
I am guessing the spammers were hoping that their recipients have winzip, winrar or 7zip installed so they will be able to open the infected file and that as the file format is so old, av scanners will not check them.
Anyone else out there remember Arj files and anyone (dare to admit that they) still use it?
I received my new Key Smart extended quite a while back and forgot I hadn’t reviewed it online.
Here is the before mess of all my jumbled keys:-
and then my after neat and tidy stack of keys and loyalty cards.
I did remove about 3 loyalty cards and trimmed the rest of them so they fit nicely in the device and also removed a couple of keychains, but the end result is a lot tidier and much easier on my pocket. I also splurged and got the USB key fob (the larger silver device at the bottom right of the third picture so I always have some data storage handy. This new version of the keysmart seems to be sturdy with the expansion pins holding up well (too well – I had to use two pliers to pull two apart when I made it too big). At first I was concerned about how easy it would be to get the required key out, but they rotate very easily (possibly a little too easily) and as long as your keys have distinguishing features you can tell them apart easily. If they don’t – get some permanent markers or nail polish. I kept my work keys on one end at the top and my house keys on the other end at the top so they are the easiest to get to and I know where they are.
Starting at $21 for the extended version I have here you can also get 15% off at getKeysmart.com (affiliate link). Note that I did buy my own KeySmart and also purchased one for Brandi too.
I used to use Keyring on the android for all my loyalty cards but had issues with the lasers being unable to scan the cards on the phone. Nowadays most places also just ask you for your phone number or alternate id, so it is rare that I even use a loyalty card – I think the last time was at the Gas station to get my 3c off at Shell as like most gas stations, it does not have NFC for card payment and no barcode scanner (although the shell one doesn’t even have a barcode anyway.
I’ve spent most of the day fighting a WordPress install at work as it has been slow and sending various out of memory issues on a 16GB of memory VPS – so should really have enough memory to run a WordPress site. Therefore it was quite a surprise to see that 4.6 was released today for me to spend yet more time in WordPress today.
However, on this personal site, the upgrade went through smoothly with no issues (as far as I know).
It was an interesting week at work with several malware infections making it through the various av protections that we have in place which proves that end user education should be your primary line of defense in the fight against virus’. It is amazing how often people will click on random emails that have been sent to them with random filenames just because the email arrived in their inbox (or in another mailbox that they happen to have access to), even if it was not addressed to them.
I was lucky enough to get one of these emails through to my corporate mailbox on Tuesday this week, evading detection by McAfee email protection and Forefront on the desktop. (Using another av solution would not have prevented this as you will see later)
This was obviously some scam with the description of the user not even matching the email address of the user. Being curious, I naturally saved the file to my hard drive and then uploaded it to virustotal. On Tuesday, only 1 of 58 av engines recognised this as a virus – kudos goes to Quihoo-360 for being the sole detector. I must admit that I’ve never even heard of this software and I was very surprised to see that only 1 av vendor recognised the file.
I submitted the file to McAfee for scanning by zipping the file up with 7-zip and password protecting it with the phrase infected and sending it to their response team at email@example.com. Incidentally, McAfee’s instructions for doing this are very outdated as Windows10 no longer has the option to password protect a zip file. McAfee immediately came back saying that their analysis was inconclusive and the file had been submitted for further research. This was an improvement on the previous sample I had submitted on Friday for a cryptolocker variant that came back as no virus found!
Wednesday morning I uploaded the file to virustotal again to see what the state of detection was.
This time the detection rate was slightly better – 9 products including Sophos that I use at home, but neither of the products in use at the office.
Thursday morning, two days after receiving the virus I received a response back from McAfee that confirmed the file was malicious. They included an extra.dat that would detect the file.
By this time, virustotal was showing 25 out of 53 products detecting the virus so it is getting better. Microsoft’s product was listed as detecting the file, yet Forefront was still passing it through as clean. Although virustotal has the definition date of 7/28, my computer was showing “defs of 7/26, update on 7/27”. Not sure why there is this discrepancy of the definition dates.
Yesterday, my laptop at home still had old definitions as it was not connected to the corporate lan and was still showing the file as clean which is pretty scary.
This morning I downloaded the file to my personal laptop, saving the file with a .txt extension so I would not accidentally open it – something that is easier to do on a touch screen tablet. Interestingly Sophos did not detect anything wrong with the file. Launching the file in notepad, it starts with the letters PK which implies the file is actually a zip file and there are several strings referring to HP printers and Adobe Photoshop.
At this point I’m not going to risk my machine further by opening it with 7zip to see what happens.
However when I copied the file to .zip or to .rtf Sophos did spring into action and quarantine the file. This is really handy as it protects the file from being saved to the machine in an executable form, but also allows you to save the file to the hard drive for further analysis in your debugger of choice. Other applications will quarantine the file no matter what the extension is, making it harder to retrieve. On the other hand, you now have an infected file on the machine that av is not discovering.
This Sunday morning, I uploaded the file to virustotal again. This time we’re slightly better at 29/54 detections. However, Comodo, Malwarebytes, Panda, SuperAntiSpyware,Symantec, TrendMicro and Vipre (among others) do not detect the file as malicious.
Malware bytes is an interesting discovery as it’s not usually regarded as an av product as it typically protects you from software being installed into suspicious locations such as autorun, startup, browser toolbars etc as opposed to traditional av that scans every file being written or read to the hard drive. However in this case and my recent cryptolocker, MalwareBytes failed to find anything malicious although HitManPro did find the Cryptolocker exe file on the machine (but MalwareBytes and McAfee did not).
The best av is the human kind that recognises a file is suspicious or unexpected and does not open it – although even this kind of av can fail (and some are more prone than others!)
Incidentally, one of my favourite solutions for the Cryptolocker variant, in theory at least, is pretty drastic and requires the permissions of file shares to be changed so that files can be created but they can’t be edited. Users (and software) would be able to write new files to the file share, but any edits to the file would not be allowed unless the changes are written to a new file. This forces users to do Save-As all the time, may break Office documents that insist on modifying the original file, but would stop Cryptolocker from overwriting files on the drive. Obviously this takes up a lot more disk space and would not be suitable for shares holding Autocad documents.
*Please note that this post is not meant to denigrate any one particular av product in particular as I understand that definitions take time to produce but av software that does not detect infections 5 days later should probably be evaluated to see if it is safe for continued use. I do reserve the right to moderate comments on this post if they are not helpful and just say “Product XYZ is useless”