If You're Not Afraid of Ransomware (or Other Cyberattacks), You Are Crazy

Computer_data
A man types on a computer keyboard in Warsaw, Poland, in this February 28, 2013, illustration file picture. Kacper Pempel/Reuters

During my reporting on how the recent ransomware epidemic is targeting schools, churches and hospitals in the United States, multiple cybersecurity experts repeatedly relayed the same message: Of the people on the internet in 2016, there are those who have been breached by hackers and those who just don’t know it yet. It’s terrifying to realize your sense of security is more like an illusion than a guarantee.

In a world where hackers break into banks or post a database of user information almost daily (Vice Motherboard now runs a series called “Another Day, Another Hack”), it is hard not to get nervous about almost everything on the internet. But on the internet, fear—in healthy doses—is good.

Experts nowadays preach the idea of "cyberhygiene," equating the protection of passwords and credit card information with washing one’s hands before eating or brushing one’s teeth. Newsweek talked with four cybersecurity experts about where to begin adding protection against hacker attacks to find more peace of mind. 

It seems malware, adware and hordes of viruses are everywhere. What's the safest way to surf the internet without being phished or clicking into malware?

Chris Doggett, senior vice president at Carbonite: Typically, malware-laden content is poorly written and riddled with spelling and grammatical errors. Individuals encountering a “fishy” situation like this should take the extra step to ensure that what they’re clicking is safe.

For web links, this can be achieved by copying a web address and pasting it into a URL checker, such as VirusTotal.com. This will verify the authenticity and safety of the site.

Cory Kennedy, lead information security engineer at CenturyLink: Attackers will use tools that will identify common typos for popular domains and then purchase them as a delivery mechanism for malware. For example, using your domain, Newsweek.com, I was able to identify (in part): Neewsweek.com, Newsweeek.com, Newsweel.com.

I am not suggesting the above are malicious, but rather examples of domains that are similar that can be used in phishing attacks to deliver malware.

James Scott, senior fellow at the Institute for Critical Infrastructure Technology: A layered defense is your best defense, so there is no silver bullet application that can singularly protect you from all threats.

Doggett: Always be suspicious and take the necessary steps to ensure what you’re clicking is clean.

Do you have any virtual street-smart tips you can recommend to avoid confronting possible viruses?

Scott: If you click on a link and there is an ad, fake antivirus or ransomware that seems to lock your screen, one thing you can try is to click Ctrl+Alt+Delete, go into your task manager and "end" the various instances of your browser that may be open. Never click on the ad or pop-up.

And some additional ad-blockers, privacy and anti-tracker browser extensions that I would suggest are: uBlock Origin, Adblock Plus, Privacy Badger, Disconnect, WOT (Web of Trust).

Kennedy: Macintosh users can leverage “Little Snitch” to notify users of unauthorized connections. This will alert you if your Mac is infected with malicious software and is trying to communicate with attacker command-and-control servers.

So you guys have been preaching the catchphrase “it's not a matter of if or when your data was hacked—it's if you know your data was hacked.” If that is the case, what is the best way for consumers to ensure against further leaks of personal information?

Rob Roy, federal chief technology officer at HP Enterprise Security Products: For financial protection, I believe in applying a credit lock at the top three credit reporting agencies. They charge a nominal fee to lock but can prevent someone from opening credit on your behalf. It’s important to closely monitor your financial accounts and notify your bank if something looks odd.

Doggett: The website Have I Been Pwned allows you to enter your email address and see if you have online accounts for which your credentials have shown up in hacker circles. You can also search for a list of companies that have been breached at the Privacy Rights Clearinghouse, which I recommend you do for any online account that shares the same password as your important accounts (e.g., your bank account).

Kennedy: Set up automated and recurring Google searches to notify you if your name shows up somewhere you don’t expect. I would highly recommend setting up alerts for your non-tech-savvy friends and family as well.

Scott: [But still] short of downloading the Tor browser, spending five years establishing a pedigree behind a handle used in multiple dark web forums where stolen PII (personally identifiable information) is sold, this is about all you can do to protect yourself from further victimization.

Let’s say you are still hit by a ransomware attack or your data is compromised. What’s your escape route then?

Doggett: You’d be amazed at how many people keep their passwords posted somewhere that others can find, or listed in a file that can be accessed by others without a password, or stored in an online account that can be accessed from anywhere. End users should be using a few different levels or groups of passwords, depending on the type of account.

Don’t ever send a password over email. Don’t log in to any website whose address doesn’t begin with https:// (the is the secure part). Don’t use public computers when logging into your sensitive accounts, and if you do, be sure to log out (and ideally to reboot the computer) when you’re done.

Roy: I believe there are two very important ones to address: apply patches from the most broadly used systems and applications quickly—automatically if offered, like in the operating system—and keep offline backups of your most important files.

Think of ransomware as akin to a hard disk failure. If you have backups of your important files, you are in a much better position.

Kennedy: In relation to ransomware, my personal opinion: Do not pay the ransom. Ensure you have a backup solution in place and make sure the backups are not stored on the same computer system you are backing up.

Visit your local security community meetings such as SecKC.org and familiarize yourself with the FBI Cyber Task Force program.  You may find yourself in a situation where you need to contact experts if you are a victim of a cyberattack with business or financial impact.