Tuesday, 29 December 2015

Don't Get Hacked in 2016


Hackers are changing tactics in 2016 - and you’re in more danger than ever. Jane Hoskyn reveals next year's threats and what to do to stay safe

2015 was the most dangerous year in malware history. You already know that, because we told you in our article (The Worst Malware Ever). We also said “and 2016 will be worse", but you may have missed that bit - especially if you were in an understandable hurry to get on with reading the feature.

So let’s drag it up again, shall we? While you’re setting the table for Christmas dinner - or perhaps relaxing with your favourite magazine while you digest your figgy pudding - we’re here to remind you that 2016 will make 2015 look about as digitally dangerous as a festive game of charades.


Serving up trouble


You’d be forgiven for assuming your security troubles are over now that Windows 10 is here. New year, new operating system (OS), new instant automatic updates - and no unpatched security holes. Meanwhile antivirus (AV) software is more powerful than ever - with even the once-useless Microsoft Security Essentials performing brilliantly in our latest lab tests.

So what’s the problem? No offence, but cybercriminals are not as interested in your PC as they were. In 2016, they're going after company servers. That may sound like someone else's problem but it's potentially disastrous for you, and over the next couple of pages we'll explain why.

We can't see into the future, but the UK’s top security experts can - because they closely following the habits of cybercriminals every day. So for this feature, we spoke to several security specialists and discussed their predictions, most of which were frighteningly similar.

We’ll explain their predictions and how each of these threats may affect you. In the second half of the feature we’ll show you what you must do to avoid being one of the millions of people who will have their money and secrets stolen by hackers next year.

HACKERS' NEW TACTICS FOR 2016


Database burglary


PC malware is so 2015. OK, it’s not gone away - and one particular form, ransomware, is a bigger threat than ever - but in 2016, hackers will be playing a much bigger game.

Every single security expert we spoke to for this feature predicted that server attacks would be the cybercrime theme of 2016. That means hackers are now aiming to break into servers (essentially vast computers, such as those used by Google or Amazon to store and manage data) instead of people’s PCs.

So you’re off the hook, right? Wrong, very wrong. By breaking into servers instead of PCs, hackers can steal millions of people’s private data - passwords, bank details, emails and much more.

In our The Worst Malware Ever we briefly mentioned server bugs (also known as flaws or security holes) such as Heartbleed (http://heartbleed.com) and Shellshock (aka Bash, www.snipca.com/19010). Criminals look for these flaws in servers and, once they find them, they use them as a kind of cyber fishing net, harvesting huge bounties of people’s data.

Stealing card details


In early December, pub chain JD Wetherspoon revealed it had been hit by hackers who stole the card details of 100 customers, along with the personal details of around 650,000 database members, including names, dates of birth, email addresses and phone numbers.

The hack actually happened last June using the company’s old server - but Wetherspoon waited until early December to release details, possibly for legal reasons.

According to the pub chain, the stolen card details couldn’t be used on their own to steal money, and they're largely correct. You can’t use most debit or credit cards to withdraw money or buy anything without either having them in your hand and knowing the PIN or security code on the back.

Wetherspoon has emailed all affected customers and published an FAQ on its website (www.snipca.com/19011).

Exploiting weak website security


If a site's server is poorly protected, it might as well be a shop built out of cardboard with a hole in it. In November, hackers discovered a server flaw that easily allowed them to plunder the database of VTech (www.vtech.co.uk), a Hong Kong-based company that makes tablets and other gadgets for children. A large and lucrative market, as you’d expect - hence its 4.8 million-strong customer database.

But the site's security was so weak that hackers broke in easily and found a goldmine of sensitive information about customers, their children and their grandchildren. Shockingly, this information included the kids' home addresses, names and dates of birth, as well as all the registered customers’ security questions and passwords.

Despite being a popular and trusted company, VTech failed at basic security measures. For example, customers’ secret security questions and answers were stored in plain text. It’s a reminder that no matter how big and professional a company may seem, it may be far more vulnerable than you realise.

Encryption lock-picking


When hackers discovered the Heartbleed flaw in password manager LastPass last June (www.snipca.com/19004), they thought they'd hit the hacking jackpot. But they were foiled by the server’s security measures.

LastPass uses extremely robust encryption techniques that make all stored data undecipherable even to the most prodigious hacker. The only way to translate strongly encrypted gobbledegook into recognisable words and numbers is to unlock it using software that’s tied securely to your account. No other human, not even the boss of LastPass, can unlock and read your list of stored passwords.

If the LastPass attack had been successful, it would have been devastating. A LastPass haul of passwords is priceless. The Hatton Garden jewellery raid, which happened around the same time, would have looked like a child shoplifting sweets by comparison.

However, a hacker sees a short-term disappointment as a long-term challenge. As we speak, cybercriminals are working on ways to pick the most complex encryption locks - and 2016 may well to be the year they crack it.

If hackers steal hundreds of card details or passwords, what would you expect they’d do with them? Use them, right? Actually, no. In some cases they sell them on the black market to evade capture. But they’re much more likely to use them to blackmail the affected company into paying to get the stolen details back. And because those companies value your custom and their reputation, they often pay up.

Of course, blackmail is most effective when the stolen details are particularly sensitive or embarrassing. For example after stealing details of 480,000 customers of cosmetic surgery specialist Harley Medical Group, the hackers blackmailed the company to get the data back (www.snipca.com/19005).

What’s even more scary is when hackers blackmail you personally, as with the attack on Ashley Madison (www.ashleymadison.com), the infidelity dating service. Hackers plundered the server in August and stole the personal details of no fewer than 32 million registered users. Each user received an email from the criminals, threatening to expose them unless they paid an extortionate blackmail fee. Many users couldn’t afford to pay and, a month later, the hackers carried out their threat by posting users’ names online (www.snipca.com/19008).

Three months later, security expert Graham Cluley says: “I still get emails most days from people who were listed in Ashley Madison’s database that are worried after receiving demands for cash".

Ransomware on the rise


Ransomware is malware-meets-extortion, and it remains the biggest cyber-security threat we’ve ever seen. The number of ransomware attacks has risen “significantly’’ during the last three months of 2015, according to Simon Edwards, head of our security team at Dennis Technology Labs (DTL, www.dennistechnologylabs.com). "It’s not going anywhere soon, because it’s an effective way to get people to cough up cash," Edwards told us.

Unlike the ambitious server-pillaging strategies we’ve talked about so far, ransomware tends to infect smaller devices: typically your PC, tablet and phone. So far, hackers haven’t been able to infect a big company server with ransomware - but that’s their plan for 2016. So you could find your bank and card details held to ransom, with disastrous consequences.

Meanwhile, hackers are sticking with PC and mobile ransomware because it works. If you see a big notice on your PC screen telling you every file on your PC has been locked or encrypted and you have to pay £400 (often in the online currency bitcoin) by a certain date to get them back, you’d justifiably panic - and when people are panicking or scared they’ll often pay to make the problem go away. Ransomware hackers understand human nature and exploit it very well.

Ransomware that targets backups


The best defence against ransomware, or any type of data theft, is to keep your data backed up automatically using a NAS drive, or a paid online service such as Carbonite (www.carbonite.com), which Simon Edwards recommends.

Carbonite’s basic personal plan costs $47.99 (£31) per year to ensure you’ve got a secure second copy of all your data, all automatically up to date - and we think that’s good value to protect priceless data.

Now for the bad news. The more canny among you will have twigged already. Online backup services have to keep your backed-up data somew'here - on a server, of course. The servers of sites like Carbonite. and other security-focused backup services like SOS Online Backup (www.sosonlinebackup.com; $7.99/£5.28 per month), are fiercely protected by layers of the tightest encryption measures available, and would be extremely hard for a hacker to breach. But the hackers are working on it.

“We've already seen versions of ransomware that can affect NAS drives," says Simon Edwards. “Slowly corrupting backups over time, and then demanding a ransom to make them work again, may be a strategy we see in the future."

DDoS attacks


If your bank’s website is shut down for hours, it may have heen hit hy a DDoS (distributed denial-of-service) attack - and these are growing fast. They are sometimes pure vandalism, inflicted on sites to make a political point. Greek banks recently suffered a spate of DDoS attacks coupled with blackmail - the last thing the country’s banks need at the moment.

But criminals also use DDoS attacks to steal your money. In October, DDoS hackers plundered TalkTalk's server in an attack that affected 157,000 users. The stolen booty included 28,000 card details; 15,656 back account details; and 15.000 dates of birth, plus hundreds of thousands of names, phone numbers and email addresses.

If there’s any reassuring news here, it's that the card details were partially obscured, and therefore couldn’t be used for a spending spree. But the 15,656 bank details could be used in cyber theft.

Even if a DDoS attack simply kicks a site offline for hours, it could cause financial chaos. What if a vital mortgage payment was due to leave your account and it didn’t, because the site was down? Or you can’t access your pension or savings for days on end?

HOW TO BEAT HACKERS' NEW TRICKS


Back up, and back up again


Despite hackers’ attempts to crack encrypted backups, backing up all your data is still your best defence against server theft, ransomware or any type of malware that steals or corrupts your data. (Of course, it's also your best defence against a PC that conks out one day.)

The closest you’ll get to guaranteed peace of mind is to double-back up. As well as using an automatic back up service such as Carbonite to keep your backups up to date, also regularly back up your PC to an external hard drive. The hard drive backup should include your software licence numbers and an ISO of your OS. You can create an ISO for all current versions of Windows by using Microsoft’s Media Creation Tool (www.snipca.com/19028). Copy it all to another external drive for good measure and keep them in a safe place at home (just not next to a radiator, please).

Keep your software up to date


Windows XP is the best-known example of a product that’s well past its end-of-support date and is now dangerous to use, but it’s by no means the only one.

Hackers actively look for security holes in unsupported software, and use them to funnel ransomware into your PC, such as Trojans, worms and spyware. Indeed, an old banking Trojan that hackers first used in 2007 has re-emerged specifically to target Windows 10 users.

As you may know, many companies, local councils and banks still run Window's XP, which makes it much easier for hackers to break into their servers. Microsoft extended support for the special Windows XP Embedded OS - used by many of the UK’s 70.000 cash machines - until 16 January 2016 (www.snipca.com/19034). Banks must upgrade their systems before then. Write to your bank, your council and your MP demanding to know what OS they’re using and pointing out that your security is at dire risk if they're still using XP.

Windows 10 patches itself automatically, of course. It is possible to switch off these automatic updates using Registry hacks, and defer them if you’re part of the Insider Program, but please don’t. You may feel that you’re having patches forced down your throat, but they are designed to keep your PC safer than ever. Criminals are getting more and more sophisticated, and it only takes a second for a hacker to exploit a flaw and infect your PC with ransomware.

Look at your other installed programs and plug-ins as well, whatever version of Window's you're using. If you're near their end-of-support dates, it’s time to update, upgrade or uninstall completely.

Don't be caught by a phish


Phishing will remain a huge threat in 2016. Most of the scammers’ attempts to trick you will take the form of what’s known as ‘clickbait’ - links, attachments, headlines, photos and adverts on websites that you just can’t resist clicking.

Clickbait isn’t all dangerous - some of it just leads to substandard online content. But if you click a tempting link or download an enticing attachment that’s actually a phishing attack, it could be deadly for your PC. Click or open it, and it’ll automatically download and install malware, including ransomware and Trojans.

Phishing will soon become just as much of a threat to company servers as it is to individuals’ PCs. If any worker in a company falls victim to a phishing attack, it could give cybercriminals access to a huge database of company data and customers' personal and financial details.

Clickbait doesn't have to be a fake advert promising a £1 iPad. Criminals also exploit global events. In November, security researchers at Symantec, maker of the excellent Norton Security antivirus (AV) suite, discovered spoof ‘terror alert' emails that claimed to come from the Dubai Police Force. The emails tricked people into downloading the Jsocket Trojan, which gave hackers remote access to PCs (or, in the worst case, the PC’s network server).

Less alarming, Google founder Larry Page (yes, ‘signed’ by Larry himself) sent an unknown number of people a ‘Google Official Notification Letter’ in early December, congratulating them on winning £950,000. Unfortunately, of course, it wasn’t Larry at all, and there was no £950,000 windfall, just a PDF attachment that downloaded malware to victims’ PCs.

Double-lock your passwords and keep them safe


Many people understandably grew wary of using password managers after the (albeit unsuccessful) attack on LastPass. Even experts got nervous. “I’d rather w'rite mine dow'n than store them on someone's server," said one security expert whose name wre won’t reveal, to save his home from a ransacking.

Other experts remain open-minded. LastPass was attacked by very determined hackers who didn't get away with a single password. Hackers may be ramping up their efforts, but so are LastPass and other free password managers like Dashlane (https://www.dashlane.com) and PasswordBox (www.passwordbox.com), who employ the world’s best security-software developers. Using them, and backing up your passwords in an encrypted file (see next tip), is all much safer than writing your passwords on bits of paper.

If web-based password managers still make you nervous, use an installable program instead, such as the free, open-source tool KeePass (http://keepass.info) or the more sophisticated but somewhat more expensive 1Password.

You can make your passwords safer by coupling them with a secondary security code (which works like a PIN) sent to your phone. This is known as two-factor authentication, and you can find a list of sites that support it at https://twofactorauth.org

Encrypt your data


Windows 10 has built-in tools that encrypt that by default encrypt some of your stored files and other data. This means if someone breaks into your PC or server they won’t be able to read the data.

However, you’ll notice we said “some” of your files. If you want to encrypt all your data, you’ll need to shell out for Windows 10 Professional edition. Other modern systems, including Android, iOS, Chrome OS and Mac OS X, offer full, free integrated encryption tools for all users.

What's more, Windows 10 only encrypts your data if you sign in using your Microsoft account. Your recovery key is then uploaded to Microsoft’s servers, so you can recover your files if you're ever locked out of your PC. But if all our talk of server-raiding hackers has made you wary, there are third-party options - and they work with Windows 7 and 8/8.1, too.

The most popular third-party encryption tool has long been TrueCrypt (http://truecrypt.sourceforge.net), but its makers have withdrawn it for now while they work on improving the program’s code.

So we’ve moved on to the free, open-source tool DiskCryptor (www.snipca.com/19040), which claims to be the only available tool that lets you encrypt all your drive partitions, including the system (‘boot’) partition (Microsoft explains system partitions here: www.snipea.com/19039).

To get the program, click the grey Download button and then click ‘installer’. Save and run the installer, accept the agreement and then click Next. There’s no adware to worry about, but there are further options, such as adding a Start menu shortcut and Desktop icon, neither of which is necessary. To complete installation you have to restart your PC - this is common in programs that let you control your system so deeply. The DiskCryptor site has a Forum and a particularly useful FAQ to help you get started and give your files the highest level of protection, for free.