Ransomware Upgraded with Powerful Password Stealer

A type of malware called Reveton, which falsely warns users they’ve broken the law and demands payment of a fine, has been upgraded with powerful password stealing functions, according to Avast.

Reveton is in a class of nasty programs known as “ransomware,” which includes the notorious Cryptolocker program that encrypts a computer’s files. The FBI issued a warning about Reveton in August 2012 after its Internet Crime Complaint Center was flooded with complaints.

The malware often infects computers via drive-by download when a person visits a website rigged to automatically exploit software vulnerabilities. Users are helpless after the computer is locked, with Reveton demanding a few hundred dollars as ransom, payable via various web-money services.

Avast analyzed a version of Reveton that has a module containing the Pony password stealer, which can also steal virtual currency stored on a computer such as bitcoin.

Pony can pluck and decrypt encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

The version of Reveton analyzed by Avast also has another password stealer from the Papras family of malware. It’s not as effective as Pony but can disable security programs, the company wrote on its blog.

This particular sample of Reveton was pre-programmed to search a web browser’s history and cookies to see if the user had visited online sites of 17 German banks, the company wrote.

Avast speculated the capabilities may have been added to Reveton due to falling profits from merely locking computers in an attempt to extract a ransom. Its authors have “decided to enter into a new black business area,” it wrote.

Around February 2013, an ethnic Russian man was arrested in Dubai upon request of Spanish police for allegedly coordinating Reveton campaigns, netting €1 million (US$1.3 million).

Ten other people were also arrested on money laundering charges for allegedly laundering the proceeds and transferring funds to Russia, according to Trend Micro.

This story, “‘Reveton’ ransomware upgraded with powerful password stealer,” was originally published by IDG News Service.

So XP Support Is Off the Table
Now What?

This is a simple question that everyone is making way too much of. The equation is simple.

Choice one:
Stay with XP

Positives:

  • Everything still works as is. Software, hardware, peripherals, and users all continue as usual.
  • Users and IT support staff all stay nice and comfy in what they are used to.
  • Custom programs continue without modification
  • No immediate additional costs to IT budget

Negatives:

  • Everything will slowly cease to function as new hardware is added for which there is no legacy support.
  • Everything will cease to function immediately upon the ingestion of a virus, malware, or malicious behavior internally
  • BYODs will not be fully supported
  • Increasing training costs as new workers are added who are not familiar with legacy systems
  • Increasing IT costs relating to procurement of outside vendors with pay-for-use patches and security solutions to protect XP
  • Increasing, or possibly catastrophic system failures, and no way to patch or fix them
  • Increasing IT costs to hire legacy experts
  • Employee/personal dissatisfaction with systems performance against an evolving internet, BYODs, and high speed processing demands of newer software.
  • Corporate/Personal identity theft increases due to unknown and unpatched security holes.

Choice two:
Upgrade to Win 7 or 8

Positives:

  • Cures the negatives above

Negatives:

  • Upgrade costs (minimal with 7)
  • Custom Software retooling
  • Very old hardware support issues
  • Training on systems (minimal with 7)

We just had a client tell us “Gee, we’ll just wait till something happens and deal with it then”. That seems to be the reaction generally to the XP obsolescence question. There are a few things wrong with that approach.

First and foremost are the costs. If you have to do something because you are forced to, for whatever reason, that activity moves from planned, organized, and budgeted to unplanned, chaotic, and expensive as hell.

Second, if you lose your systems, be it personal or business, what is the net impact per hour on you or your bottom line? That is a very real risk with XP.

Third, security. Even if you are fully backed up, if you lose all your systems and your backups were taken from XP systems, you will now have to restore to newer operating systems. That is problematic at best and, again, expensive as hell.

So we don’t really understand why anyone would not take proactive measures to protect that which is a major pillar of their business process, or which possibly contains much of what they have saved and accomplished over years or even decades. The fix is simple and can be accomplished at any time. As we told the client quoted earlier: if you wait till it happens, you are way too late.

We are here to help you. http://www.itsupportsolution.com for support on this and our sister company http://www.cyrss.com for security issues.

Email Insanity


Sensitive Information by Email?

 

As a personal note, I just had this happen. Not only was I encouraged to send sensitive personal information by email, I was told it was secure. When we encrypted the email attachments they did not know how to open them, even using the detailed instructions given to them. There was no secure portal or other means of electronically transmitting the information except by good old fax. Even then, we made sure the responsible person was standing by the fax machine as we transmitted and confirmed receipt of the documents.

Read on about what was found in the industry as a whole. It’s NUTS. Hold your ground here and NEVER, NEVER transmit any sensitive or protected (PHI) material by unencrypted email. NEVER!

A recent study by HALOCK labs found many of the nation’s large and small mortgage lenders allow for information sharing practices that may put applicants’ personal and financial data at risk during transmission from the applicant to the lender.

HALOCK investigated 63 U.S. mortgage lenders and found that over 45 (70%) permitted applicants to send personal and financial information over unencrypted email as email attachments. This information includes tax documents and W-2s. Eight out of the eleven top U.S. lenders were found to allow the same unsecure practices as smaller lenders. Additionally, nearly 70% of the surveyed lenders encourage faxing sensitive data, which may reduce the risk of a breach but is still not as secure as encryption. Over 40% of lenders provided a postal mail option, while only 12% offered a secure email portal. When asked why a secure email portal was not offered to applicants, several of the surveyed lenders responded that it was a matter of what the customer was “most comfortable with.”

While these responses suggest that lenders prioritize their customers’ ease-of-use over their security, they also suggest an unawareness that their customers are losing confidence in their banks’ commitment to customer privacy. A study by the Ponemon Institute published on October 10, 2013 shows a ten-year decline in customer confidence in their banks’ commitment to privacy, approximately 65% of respondents disagreeing with the statement, “My bank is committed to ensuring the privacy of my personal information is protected.”

A former mortgage lender commented anonymously that, “Oftentimes it was easier to have my clients send documents like W-2s through email because everyone has access to an email account. Most of us [lenders] didn’t want to take the time to explain what a secure portal was and how to use it. Everyone understands what email is.” The comment underscores the lack of security knowledge surrounding email that is pervasive in the mortgage industry.

According to internationally recognized security expert Graham Cluley, publisher of Graham Cluley Security News, it’s worth the extra effort to go through the paces of using a secure portal because it’s a commonly accessible way to transmit documents safely. “Email by its very nature is unsecure: 99.9 % of it is sent unencrypted. If it was invented today no one would use it. Emailing unencrypted documents ‘in the clear’ creates a potential chain of issues.”

Methods to transfer files securely are prevalent today but are underutilized by businesses and their employees. “We understand the business need to smooth the way for our customers, but there are many secure file transfer technologies that are both easy for customers to use, and safe from network snooping. And as the public becomes more demanding of their banks to ensure privacy and security, it’s no longer feasible to rely on unsecure email for the transfer of financial documents,” says Terry Kurzynski, Senior Partner at HALOCK Security Labs. “Any type of weak link in a system involving sensitive information exposes people to unnecessary risk. It takes months to recover from an identity theft and minutes to log into a secure portal. Do the math.”

Yahoo attack places spotlight on identity management

By Antone Gonsalves, CSO
February 03, 2014 11:37 AM ET

The attack on Yahoo that started with the theft of user credentials from a third-party database highlights the risk of sharing usernames and passwords across multiple websites.

Yahoo reported Thursday that attackers, using automated software, used the stolen credentials to log into Yahoo Mail accounts and search for names and email addresses in sent emails. Upon discovering the attack, Yahoo shut down access to the affected accounts, alerted users and asked that they reset their passwords.

Yahoo, which did not disclose how many webmail accounts were affected, said it had no evidence that the usernames and passwords came from its own systems.

“Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise,” Yahoo said.

While no details on the third party were revealed, if users had willingly shared credentials with the operators of the database, then the incident is an example of the dangers people face when using the same credentials for multiple sites. Businesses can also be affected if the same usernames and passwords are used at work.

In reporting the attack, Yahoo warned that “using the same password on multiple sites or services makes users particularly vulnerable to these types of attacks.”

During the registration process for many sites, people are given the option of using their usernames and passwords for other services, such as Facebook or Twitter. The reason is for convenience to the user and to share information about the person with the other site for advertising purposes.

This scenario is dangerous for two reasons: People do not know the kind of security that will be used to protect the data and they have no idea what personal information will be collected, how it will be used and who will have access to it.

“You have to understand that you have to trust each actor when you make those kinds of linkages,” Joni Brennan, executive director of the Kantara Initiative, said. Kantara is a nonprofit professional association developing frameworks for digital identity management.

For businesses, the attack is a reminder of the importance of having additional layers of protection when using an identity management system that provides single sign-on across multiple Web services.

First, the system should not actually share the same username and password across services and should require multiple types of authentication, such as recognizing the system being used or requiring a token or one-time password.

Brennan recommends that companies step back and decide whether they should manage employees’ identities across multiple sites and services themselves or outsource it to another company or to a cloud service, such as Ping Identity and CA Technologies.

Many organizations are afraid to outsource something as important as identity management for their staff, clients and customers, Brennan said.

“But at the same time, they are assuming a risk by running those types of systems,” she said. “It may be the case that it’s better placed in a service provider or vendor who actually has running that kind of service as their main core focus.”

 

Password Peril: The Frontline Security Challenge in the Cloud Age

“The average user types in an average of eight passwords every day. They have six or more passwords, each of which is shared across four or more sites or apps that require passwords.”

 

“Weak and default passwords continue to be a notable risk. If this first line of defense fails, it leaves an organization vulnerable to a complete compromise.”

 

“40% of users write passwords down or store them in a simple text file. Despite this, nearly 80% of users had to reset a forgotten password at least once in the past 6 months, and 25% of users forget 3 passwords every month.”

“The sad truth is that passwords are a problem that nobody really wants to solve. Users want to do whatever is easiest… System owners lack the will to enforce an unpopular mechanism on users.”

Sound familiar? At CYRSS we help you formulate security that makes sense.

Introduction: System and Information Security

As enterprises large and small shift their information to the cloud, an explosion of SaaS tools is making it easier than ever for employees to collaborate and innovate. Much of this sharing is being done across time zones and physical locations, by workers who are telecommuting, working in shared or public spaces, and from open networks. Information is stored on central, third-party servers that are accessible across the company and the world by anyone with an internet connection.

As a result, online security is increasingly being pushed to the forefront as a major corporate expense. Yet 89% of the global information workforce lacks clarity on how security applies to the cloud. A recent article in Britain’s Guardian newspaper lays out the basic problem in this way: “Data is suddenly everywhere, and so are the number of people, access points and administrators who can control – or worse, copy – the data.”

A few other trends are also compounding the problem:

  1. The democratization of information technology, with the growing usage of enterprise SaaS applications like Salesforce or Box that are pushed out at the central level;
  2. The need for companies – especially newcomers eager to carve out an industry niche – to be fast, nimble and permeable in today’s market; 
  3. Highly distributed workforces comprised of full-time employees, long-term contractors and outsourced support services scattered across the world;
  4. BYOD – bring your own device – work environments, which allow employees to share enterprise-level access controls across less secure personal environments; 
  5. The rise of cloud-based environments, over which companies lack complete control; and 
  6. Confusion about how to best manage insider threats, mobile access and compliance issues.

All this makes information security more important and difficult than ever. 

Password Proliferation

Passwords, the keys to most online information, are at the forefront of electronic security. Designed as a generic way to establish and authenticate identity, passwords have today become the most vulnerable piece of electronic security. Corporations tend to use passwords because they have no other choice. Most current systems – from billing to reservations to sales databases – employ passwords as the default method of restricting access. Despite numerous studies and policies that indicate that using a single password across multiple apps is a security risk, a 2013 survey by Ping Identity showed that 83% of the tech security officers they surveyed did exactly that. Expand this practice to include every corporate employee that accesses enterprise information on their mobile phones, tablets or home computers and the scale of the problem becomes evident. 

Passwords are everywhere in a typical modern enterprise environment. In addition to basic network logins, there is a plenitude of applications running on a multitude of systems that staff may need to access on a daily basis: groupware, CRM, accounting and finance, HR and benefits management, dashboards, analytics, project management, content management and more. These applications may be internally developed and hosted, licensed and hosted onsite, or, increasingly, a service-based app that is accessed over the Internet. There are also the physical servers and hardware, typically maintained by an IT staff, used for network routing, telephony and printing.

Password Pain in the Modern Company

In an ideal world, users could access all of these apps and systems by signing on when they start their workday with a single set of credentials (and confirming later in the day, when relevant, for security). But in most modern businesses – especially small- to mid-sized ones – users typically have to remember multiple usernames and passwords to access various systems throughout their day. SaaS applications, increasingly leveraged by almost all companies today, are built as strict silos; they don’t talk to each other, nor are they aware of the surrounding corporate software environment. So even if your company is running the most advanced operating system, your daily platform – and the passwords used to access it – tends not to be integrated at all.

According to a report published by Microsoft Research, the average computer user types in an average of eight passwords every day. Their research also found that the average user has six or more passwords, each of which is shared across four or more sites or apps that require passwords. A similar study by Norton found that one-third of users have more than ten passwords to keep track of. It is no wonder, then, that workers tend to (a) pick weak, common passwords; (b) reuse them; (c) guard them insecurely and/or forget them; and (d) share them with colleagues.

A. Users Select Weak Passwords 

In their 2013 Global Security Report, information security consulting company Trustwave sampled nearly 3.1 million passwords, mostly from compromised enterprise Active Directory servers. They found barely one-third of the passwords to be unique. Fifty percent of users are using bare-minimum passwords, consisting of upper/lower/number combinations; over 88% of passwords did not contain a special character. “Password1” is still the most common password used by global businesses. Basic combinations of “password”, “welcome”, “hello”, and common names combined with simple numbers round out the list of the most common passwords. These commonly used, easily guessed passwords provide minimal defense against even the laziest of would-be hackers.

“Analysis reiterates the weakness of passwords in general, and the general failure of user education in good password creation and management,” wrote Rick Wanner, Technical Analyst for SaskTel, in his analysis of the passwords revealed in the leak of 860,000 hashes from Stratfor. “The weakest link in security is the user,” added Wanner. 

Somewhat surprisingly, the “lions at the gate” – the corporate IT administrators – are not immune to this plague of poor password selection and management. Weak administrative credentials were at fault in eighty percent of the enterprise security incidents studied by Trustwave in their 2012 report. “The use of weak and/or default credentials continues to be one of the primary weaknesses exploited by attackers for internal propagation,” the report observes. “This is true for both large and small organizations, and largely due to poor administration.” Additionally, default passwords were used across a range of servers, network equipment, and client devices. Other common password combinations were “pitifully simple,” such as administrator:password, guest:guest, and admin:admin.

Trustwave’s findings led them to the clear conclusion: “Weak and default passwords continue to be a notable risk. If this first line of defense fails, it leaves an organization vulnerable to a complete compromise.”

Unfortunately, the rise of pervasive mobile computing and BYOD means users are now even more likely to choose simple, short passwords, given the less efficient input methods on mobile devices. Typing “strong,” complex passwords to log in to an application from a smartphone or tablet typically requires a user to switch between multiple on-screen keyboards in order to enter the required upper- and lower-case letters, numbers and symbols. This can be a tedious and error-prone process. To ease the frustration, users generally choose short, simple passwords, or leave their device and its applications unlocked. Even worse, in their 2011 poll, authentication technology provider Confident Technologies found that more than half of users do not use a password or PIN to lock their smartphone or tablet. Two-thirds said they leave applications permanently logged in unless they are required by the application to log in every time.

B. Password Reuse

Remembering which password—even a weak one—goes with which account can be challenging. So most users reuse the same password across multiple sites or apps. CIO Magazine reported that “the typical Internet surfer reuses the same password at an average of 49 websites.” Similarly, a 2012 Harris Interactive Poll found that 62 percent of online adults reuse the same password for more than one of their online accounts, and more than half don’t change passwords regularly.

Password reuse becomes a major security issue when sites or applications are hacked, and their user databases are stolen. Hackers then have access to potentially millions of username/e-mail and password combinations, which can be tried on other sites, or even against corporate networks. Recent high-profile breaches include LivingSocial, RockYou, LinkedIn, Dropbox, eHarmony, and Gawker Media, each losing in excess of 1.5 million user passwords or hashes. Twitter, Yahoo, Google and AOL have also had user data breaches in recent months. Since 2012, “more than 280 million ‘hashes’ (i.e., encrypted but readily crackable passwords) have been dumped online for everyone to see,” reports Wired Magazine. And in what may be the largest ever leak of user credentials, in September of 2013, Adobe lost 130 million email and password hash combinations (along with plain-text password hints, and other personally identifying information).

In the recent case where LinkedIn’s 6.4 million password database was leaked, a man sitting at home, running a high-end gaming machine he put together that could make 15.5 billion guesses per second, was able to crack 20 percent of the LinkedIn database’s user passwords in 30 seconds and 55 percent within two hours. After five days he had decoded more than 80 percent of the passwords in the LinkedIn database.

This password-cracking expert has recently unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It’s an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours.
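The two findings above, the common and default credentials Trustwave lists and the 15.5 billion and 350 billion guesses-per-second rates quoted for the LinkedIn cracker, can be turned into a small password audit. This is an added example, not Trustwave's or any vendor's tooling: the deny-list holds only the strings quoted on this page, and the 12-character minimum and the 33-symbol count for printable punctuation are assumptions.

```python
"""Audit a username/password pair against the weaknesses the reports above describe.

Constructed example: the deny-list holds only the strings quoted on this page
(real deny-lists run to millions of entries); the cracking rates are the page's.
"""
import re

COMMON_PASSWORDS = {"password", "welcome", "hello"}       # bases of the most common choices
DEFAULT_CREDENTIALS = {("administrator", "password"), ("guest", "guest"), ("admin", "admin")}
RATES = {"gaming PC": 15.5e9, "GPU cluster": 350e9}      # guesses per second, from the page
MIN_LENGTH = 12                                           # assumption, not from the page


def charset_size(password: str) -> int:
    """Smallest standard alphabet that covers every character in the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33          # printable ASCII punctuation and space (assumed count)
    return size


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst case for an attacker who must try the whole alphabet at this length."""
    return charset_size(password) ** len(password) / guesses_per_second


def audit(username: str, password: str) -> dict:
    """Return the policy findings plus exhaustion time in hours at each quoted rate."""
    findings = []
    lowered = password.lower()
    base = re.sub(r"\d+$", "", lowered)        # "Password1" -> "password"
    if base in COMMON_PASSWORDS:
        findings.append("common password or common-word-plus-digits")
    if (username.lower(), lowered) in DEFAULT_CREDENTIALS:
        findings.append("vendor default credential pair")
    if not re.search(r"[^a-zA-Z0-9]", password):
        findings.append("no special character")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    hours = {name: seconds_to_exhaust(password, rate) / 3600 for name, rate in RATES.items()}
    return {"findings": findings, "acceptable": not findings, "exhaust_hours": hours}


if __name__ == "__main__":
    for user, pw in [("jsmith", "Password1"), ("admin", "admin"),
                     ("alice", "correct-horse-battery-staple")]:
        print(user, pw, audit(user, pw))
```

Note that an 8-character password drawn from all 95 printable characters falls to the 350-billion-per-second cluster in just over five hours, which matches the six-hour figure quoted above.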

Once hackers have deciphered a user’s password, using readily available “script-kiddie” utilities, they can easily try logging into various sites or apps using those credentials. And if a user has registered for a hacked service using their work email address – which likely maps back to their network user name – and the same password they use at work (which happens all too frequently), the corporate pain can be immense.

The scope and increasing frequency of major breaches should be a wake-up call to anyone still using identical logins for different services. “Users have two options,” noted Mikko Hypponen, Chief Research Officer at security advisers F-Secure. “Either remember a variety of passwords or use a password management tool – software that manages your passwords for you so you only need to remember one master password for the tool, and it then recalls and enters the credentials for you – I recommend the latter.”

C. Password Lifecycle: Select, Scribble, Forget and Request Reset

Corporate password policies commonly require users to choose a new password every 90 days. While this policy typically does not lead to users selecting better passwords, it does make it harder for users to remember them, and contributes to password fatigue. Studies by McAfee and Norton show that more than 40% of users write their passwords down, or store them in a simple text file. And despite this practice (which can lead to passwords being stolen via lifted sticky notes), nearly 80% of users had to reset a forgotten password at least once in the past 6 months, and 25% of users forget three or more passwords every month.

Forgotten passwords are costly for companies, as users and IT staff lose productivity during the reset process. According to the Gartner Group, between 20% and 50% of all help desk calls are for password resets. Forrester Research states that the average help desk labor cost for a single password reset is about $70. IT research group Info-Tech estimates that enterprises spend roughly $118 per user per year on password-related help desk support and lost employee productivity.

While password reset costs vary by organization, the result of more complex password policies is consistent: an increased number of password reset calls. For the user, a forgotten password represents frustration and lost productivity while they wait for support; for the IT organization, it is mundane and time-consuming work, which is also the leading cause of high turnover in technical support positions.

Shared Passwords, Shared Pain

In today’s SaaS-dependent work environment, it is common for workers to need to share access to documents or apps with co-workers, temporary staff or vendors. Teams may also need to share a single account in certain apps or services, like Twitter or Facebook. These shared accounts can be a serious challenge for the company’s audit and IT regulatory compliance requirements.         

And what happens when a team member leaves the organization, and their access needs to be revoked to this shared, single account? Most organizations lack a clear, consistent process for creating a new password when a member is “offboarded.” Managing frequent password changes in a large, distributed team environment can be a nightmare. But nothing compared to the backlash of a jilted ex-employee or contractor posting inappropriate rantings through the company’s official account, or accessing sensitive corporate data through a SaaS that wasn’t locked down after they left.

Summarizing the sad state of passwords in practice, Jay Heiser, VP of IT Risk Management and Security Policy at Gartner Group, in his article “Passwords are Dead; Long Live the Password” wrote:

“The sad truth is that passwords are a problem that nobody really wants to solve. Users want to do whatever is easiest, and don’t want to be burdened by the inconvenience of strong authentication. System owners don’t want to spend any money on stronger authentication, and lack the will to enforce an unpopular mechanism on users.”

Enter Single Sign-On Solutions

One potential solution for the password pain points is a single sign-on (SSO) system. The Open Group concisely defines SSO as “[a] mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where he has access permission, without the need to enter multiple passwords.”

From a technical perspective, a single sign-on solution eliminates the redundant entry of ID and password information by providing seamless and rapid entry into multiple applications and resources, regardless of network or domain. The SSO will provide or connect to a centralized authentication repository, and will store and service requests for authentication and authorization for the varied applications and systems that a user needs to access. 

The Open Group goes on to highlight some of the benefits of a modern SSO solution to enterprises: “A service that provides [coordination and integration between user sign-on functions and user account management across domains] can provide real cost benefits to an enterprise through:

  • reduction in the time taken by users in sign-on operations to individual domains, including reducing the possibility of such sign-on operations failing.
  • improved security through the reduced need for a user to handle and remember multiple sets of authentication information.
  • reduction in the time taken, and improved response, by system administrators in adding and removing users to the system or modifying their access rights.
  • improved security through the enhanced ability of system administrators to maintain the integrity of user account configuration including the ability to inhibit or remove an individual user’s access to all system resources in a coordinated and consistent manner.”

From the end-user’s perspective, an SSO solution is password fatigue relief: they need only one username and password combination, which they might enter as infrequently as once per day, to gain access to all the protected apps and services they need to perform their jobs. They no longer need to remember and juggle multiple username and password combinations. Among the other benefits of a modern SSO solution, users can more easily collaborate with co-workers and suppliers, since they can delegate and share access without having to share actual passwords. Modern SSO solutions can also offer valuable cross-application usage reports that can aid in regulatory compliance tracking.

An alternative solution to many of the password pain points raised above is multi-factor authentication (MFA). In MFA, two or more items are required to authenticate a user:

  • something the user knows (e.g., password, PIN, pattern);
  • something the user has (e.g., keycard, mobile phone, token/fob); and
  • something the user is (e.g., a biometric characteristic, such as a fingerprint, iris print or voice signal).

 

Multi-factor authentication offers superior security versus systems secured with only a password. However, the initial setup and ongoing maintenance of MFA systems are typically an issue for small and medium-sized businesses. For those businesses with sufficient resources, the good news is that many single sign-on solutions also support multi-factor authentication schemes, providing what is likely the best of both worlds.
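The SSO mechanics described above (one authentication event, a central repository that services every application's access checks, and coordinated removal of a departing user's access), together with the second factor from the MFA list, are shown end to end in the following added example. It is not any vendor's product: the identity provider, the HMAC-signed token layout, the 8-hour lifetime and the user names are all assumptions made for the illustration.

```python
"""Minimal single sign-on broker with an optional second factor (constructed example).
One identity provider (IdP) holds the only password store and signs short-lived tokens;
apps trust those tokens instead of keeping password tables, so offboarding is one
revocation at the IdP. Token layout and shared-secret HMAC signature are simplifications."""
import base64
import hashlib
import hmac
import json
import secrets
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1): the 'something you have' factor."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IdentityProvider:
    def __init__(self) -> None:
        self._signing_key = secrets.token_bytes(32)  # only the IdP can mint tokens
        self._users = {}                             # name -> salt, PBKDF2 hash, OTP seed
        self._revoked = set()                        # names whose tokens are no longer honoured

    def enroll(self, user, password, otp_secret=None):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = {"salt": salt, "hash": digest, "otp_secret": otp_secret}

    def _password_ok(self, user, password):
        rec = self._users.get(user)
        return rec is not None and hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000), rec["hash"])

    def sign_in(self, user, password, now, otp=None, ttl=8 * 3600):
        """One authentication event yields one token accepted by every trusting app."""
        if user in self._revoked or not self._password_ok(user, password):
            return None
        seed = self._users[user]["otp_secret"]
        if seed is not None and (otp is None or not hmac.compare_digest(otp, totp(seed, now))):
            return None                              # the password alone is not enough
        claims = {"sub": user, "iat": now, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._signing_key, body, hashlib.sha256).digest()
        return body.decode() + "." + base64.urlsafe_b64encode(sig).decode()

    def revoke(self, user):
        """Offboarding: one action cuts access to every application at once."""
        self._revoked.add(user)

    def validate(self, token, now):
        """Applications call this; returns the subject, or None if the token is bad."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._signing_key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
                return None                          # altered claims or a forged token
            claims = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError, AttributeError):
            return None
        if claims["exp"] <= now or claims["sub"] in self._revoked:
            return None
        return claims["sub"]


def open_app(name, idp, token, now):
    """An application (CRM, HR, ...) keeps no passwords; it only asks the IdP."""
    user = idp.validate(token, now)
    return f"{name}: granted to {user}" if user else f"{name}: denied"


def demo(t0=1_700_000_000):
    """Sign-on, reuse across apps, an altered token, expiry and offboarding."""
    idp, seed, pw = IdentityProvider(), b"constructed-otp-seed", "correct horse battery staple"
    idp.enroll("alice", pw, seed)
    out = {"password_only": idp.sign_in("alice", pw, t0)}   # None: the OTP was required
    token = idp.sign_in("alice", pw, t0, totp(seed, t0))
    out["crm"], out["hr"] = open_app("crm", idp, token, t0), open_app("hr", idp, token, t0)
    body, sig = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["sub"] = "mallory"                            # changed claims, original signature
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    out["altered"] = open_app("crm", idp, body + "." + sig, t0)
    out["expired"] = open_app("hr", idp, token, t0 + 9 * 3600)
    idp.revoke("alice")
    out["after_offboarding"] = open_app("crm", idp, token, t0 + 60)
    return out
```

In a production deployment the applications would verify a public-key signature rather than share the IdP's secret, and revocation would be tracked per session rather than per user; the flow is otherwise the same.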

Conclusion

Though passwords are not an ideal solution for an enterprise-level endeavor, companies large and small will be stuck with them for some time to come. In the meantime, single sign-on and strong password policies are most companies’ best solution. 

As Rick Wanner concluded in his Internet Storm Center post, “It is clear that we need to continue to work on educating users. The minimum we need to instill in our users is: 

  • reiterate good password creation and management processes
  • discourage password reuse
  • promote the use of [password vault & SSO] tools.”

 

                                                                                                                                                                                      

How to Prevent Cryptolocker

Cryptolocker

Update 12/20/2013: A new version of Cryptolocker—dubbed Cryptolocker 2.0—has been discovered by ESET, although researchers believe it to be a copycat of the original Cryptolocker after noting large differences in the program’s code and operation. You can read the full blog comparing the two here.

Just last month, antivirus companies discovered a new ransomware known as Cryptolocker. This ransomware is particularly nasty because infected users are in danger of losing their personal files forever.

Spread through email attachments, this ransomware has been seen targeting companies through phishing attacks. Cryptolocker encrypts users’ files using asymmetric encryption, which requires both a public and a private key. The public key is used to encrypt and verify data, while the private key is used for decryption; each key reverses the other’s operation.


The bad news is that decryption is impossible without the private key, which is stored on the cybercriminals’ server. Currently, infected users are instructed to pay $300 USD to receive this private key. Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and the files may be lost forever.

The files targeted are those commonly found on most PCs today; the extensions of targeted files include:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files. The folks at BleepingComputer have some additional insight on this.

Worse yet, there are numerous reports that credit card numbers used to purchase the private keys were subsequently used for other purposes.

Removal:

Anti-malware and anti-virus programs detect Cryptolocker infections as Trojan.Ransom, but they cannot recover your encrypted files, because asymmetric encryption requires the private key to decrypt files encrypted with the public key.

While anti-malware programs such as Malwarebytes cannot recover your encrypted files post-infection, there are options to prevent infections before they start.

Best Practice Defenses:

Training
Information is the first line of defense. If everyone knows that threats exist and how to avoid them, your systems are better protected.

Policies
Published policies on the acceptable use of computer systems foil many would-be attacks.

Anti-Virus/Malware and Systems Monitoring
Up-to-date anti-virus and malware detection software will help stop most known attacks. System monitoring is inexpensive and can stop most attacks, even zero-day attacks that are not yet known.

Backups
The existence of malware such as Cryptolocker reinforces the need to back up files. However, a local backup may not be enough in some instances, as Cryptolocker may even go after backups located on a network drive connected to an infected PC.

Cloud-based backup solutions are advisable for business professionals and consumers alike.
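The extension list above and the warning about backups on connected network drives can be turned into a quick exposure inventory for backup prioritisation. The script below is an added example, not code from the original post: it walks a directory tree, counts files whose extensions are on the published list, and flags those that sit under paths the caller designates as network shares (an infected PC can reach those too). The sample directory layout and the choice of "share" as the network root are constructed for this example.

```python
"""Exposure inventory for the file types Cryptolocker targets (added example)."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension list as published in the post (lower-case, without the dot).
TARGETED_EXTENSIONS = frozenset("""
3fr accdb ai arw bay cdr cer cr2 crt crw dbf dcr der dng doc docm docx dwg dxf
dxg eps erf indd jpe jpg kdc mdb mdf mef mrw nef nrw odb odm odp ods odt orf
p12 p7b p7c pdd pef pem pfx ppt pptm pptx psd pst ptx r3d raf raw rtf rw2 rwl
srf srw wb2 wpd wps xlk xls xlsb xlsm xlsx
""".split())


def extension_of(path: Path) -> str:
    """Lower-case extension without the leading dot ('' if none)."""
    return path.suffix.lower().lstrip(".")


def is_targeted(path: Path) -> bool:
    """True if the file's extension is on Cryptolocker's target list."""
    return extension_of(path) in TARGETED_EXTENSIONS


def inventory(root, network_roots=()) -> dict:
    """Walk ``root`` and summarise at-risk files.

    ``network_roots`` are path prefixes the caller treats as network shares
    (mapped drives, UNC mounts); how they are identified is an assumption
    of this example, not something the post specifies. The report gives
    counts per extension plus the at-risk files that live on those shares.
    """
    root = Path(root).resolve()
    network_roots = tuple(Path(p).resolve() for p in network_roots)
    per_ext = Counter()
    on_network = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name).resolve()
            if not is_targeted(path):
                continue
            per_ext[extension_of(path)] += 1
            # A file is "on the network" when one of the share roots is
            # the file itself or one of its parent directories.
            if any(nr == path or nr in path.parents for nr in network_roots):
                on_network.append(str(path.relative_to(root)))
    return {
        "total": sum(per_ext.values()),
        "per_extension": dict(per_ext),
        "network_count": len(on_network),
        "network_paths": sorted(on_network),
    }


def build_sample_tree(base: Path) -> None:
    """Constructed layout: a local profile plus a mapped share under 'share'."""
    sample_files = [
        "local/Documents/budget.xlsx",   # targeted, local
        "local/Documents/notes.txt",     # not on the list
        "local/Pictures/IMG_0001.JPG",   # targeted (case-insensitive match)
        "share/finance/contracts.docx",  # targeted, on the share
        "share/finance/backup.pst",      # targeted, on the share
        "share/it/setup.exe",            # not on the list
    ]
    for rel in sample_files:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample content")


def demo() -> dict:
    """Build the constructed tree in a temp dir and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return inventory(base, network_roots=[base / "share"])


if __name__ == "__main__":
    report = demo()
    print(f"{report['total']} at-risk files; "
          f"{report['network_count']} of them on network shares")
    for rel in report["network_paths"]:
        print("  network:", rel)
```

Point it at a real profile and share root (e.g. a mapped drive letter) to see which at-risk files the cloud backup must cover first.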


_________________________________________________________________


HIPAA in High Gear (Now it gets serious)

Leon Rodriguez, director of the Office for Civil Rights at the U.S. Department of Health & Human Services, is a serious looking guy. It would be no stretch to say intimidating, even, as the tall, broad-shouldered director represents the face of the more-stringent-than-ever HIPAA Omnibus Rule – compliance date of Sept. 23. The new rule promises to bring hefty fines, more audits and added enforcement pertaining to the issue of patients’ protected health information.

In reality, however, although Rodriguez has affirmed that organizations will indeed be held accountable for violating HIPAA privacy and security rules, he has also proved himself to be industry-conscious, practical and fair.

Of the roughly 80,000 HIPAA breach cases OCR has received since 2003, only 16 have resulted in fines, Rodriguez pointed out in an interview with Healthcare IT News.

“It’s a relatively small part of what we do here,” he said. Most cases OCR handles involve corrective action rather than monetary fines.

Don’t let that cloud your judgment or start shirking your privacy and security obligations, however. Fines imposed on organizations that grossly violate HIPAA privacy and security rules are now on the upward trend, says Rodriguez, and that’s most likely going to continue.

“It’s going to continue to be a small but very important part of the story,” he said. “I think it’s important because it very powerfully articulates what our expectations are for covered entities, what risk analysis steps, what training steps, what disciplinary steps, what safeguard steps we expect of them.”


And although an official and permanent audit program is not yet fully established – and most likely won’t be until 2014 – breach investigations are, as some organizations can attest to, at full force.

Breach blunders

WellPoint, one of the nation’s largest health insurers, is one among 16 organizations thus far that has come to better understand what’s expected in regards to HIPAA privacy and security rules.

Just this July following an investigation, OCR ordered WellPoint to hand over $1.7 million after leaving the protected health information of 612,402 individuals accessible over the Internet. The data compromised included patient names, dates of birth, Social Security numbers, telephone numbers and health information.

According to the report, WellPoint had established no safeguards to verify the identity of any person or entity seeking access to the electronic protected health information, and it failed to perform a technical evaluation following an IT system software upgrade.



“I think all these cases really powerfully articulate those expectations and the fact that we will be holding people accountable,” Rodriguez said.

When asked where HIPAA-covered entities most often make their biggest misstep, Rodriguez pointed to risk analysis inadequacies, for business associates and covered entities alike. It’s the “failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis,” he said.

Based on the complaints OCR has received, risk analysis failures top the list for the biggest security issues.

Case in point is what transpired at Idaho State University’s Pocatello Family Medicine Clinic two years ago, when clinic officials notified the Department of Health and Human Services of a breach involving electronic protected health information for some 17,500 patients.

Following an investigation, OCR determined that the PHI of those 17,500 patients was left unsecure for 10 months due to the disabling of an ISU firewall.

Furthermore, the ISU clinic failed to conduct risk analysis of the confidentiality of the ePHI for more than five years. As a result, this May, ISU agreed to pay $400,000 to HHS to settle HIPAA breach allegations.

Ted Kobus, New York-based attorney for BakerHostetler who specializes in privacy issues and data breaches, said another area where covered entities and business associates are failing in the privacy and security arenas is the proper handling of old data. The “forgotten data, old data that the organization hasn’t accounted for,” proves a frequent reason for a breach, says Kobus.

This reality resonates with New York-based Affinity Health Plan, which just this August agreed to pay OCR $1.2 million after failing to clean patient data from a photocopier hard drive. CBS News then purchased the photocopier, previously leased by Affinity, and discovered it contained the protected health information for 344,579 patients.

Following an investigation, OCR officials found Affinity neglected to include the electronic photocopier data in any of its risk analyses.

The HIPAA Security Rule requires CEs and BAs to clear, purge or destroy the devices containing ePHI before the devices are available for re-use, but that’s just not happening at the level it should, says Sean Magann, vice president of California-based Sims Recycling Solutions. “What’s happened over the past five or six years is that bad guys got really smart,” he told Healthcare IT News’ Mike Miliard last month. “They realized there’s more value in the information than in the actual commodities. It’s a numbers game. You buy 100 hard drives, 99 of them will be erased and done properly. But the one that you do get contains a treasure trove of information: Social Security numbers, patient data, everything a bad guy needs.”

And this time around, when a BA or CE breaks the rules, they’re going to be paying much heftier fines than what was originally set forth in the interim rule.

Whereas organizations only faced penalties up to $25,000 for identical violations per calendar year under the interim rule, the final rule increases that amount to $1.5 million for a repeating violation per year.

For willful neglect breaches – meaning the organization failed to correct the issue – each individual violation is pegged at $50,000. The smallest penalty amount organizations could face is $100 per violation.

What’s new?

One of the first changes to note in the final rules pertains to the very definition of breach. The interim rule originally stipulated that a breach compromised the security or privacy of protected health information and posed significant risk of financial, reputational or other harm to an individual – often called the harm standard.

In the Omnibus final rule, not only was the harm standard removed, but a breach is now defined as follows: “impermissible use or disclosure of PHI is presumed to be breached unless an entity demonstrates and documents low probability PHI was compromised.”

“There are two changes there,” said Robert Belfort, healthcare attorney at Manatt, Phelps & Phillips, in an interview with Government Health IT earlier this year. “First, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, second, the burden of proof is clearly on the covered entity so if that can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.”

Also among the most significant changes in the final rule is that business associates are now accountable for violating specific privacy and security rules.

This should have come as no surprise to BAs, said Rodriguez. “We have been clear for a very, very long time now with the business associates about the fact that they will become directly accountable under the regulations, that they should begin taking all the necessary steps to amend, if necessary, their policies and procedures and practices to come fully into compliance with these obligations,” he said.

Despite this, many BAs are still lagging behind in many regards, said Kobus. From his line of work, he sees many business associates much less prepared than covered entities. “We see them asking for help with compliance issues, business associate agreements, questions about cloud computing and general compliance questions,” he explained.

Kobus said that between 30 and 70 percent of privacy and security breaches involve a vendor, which puts tremendous pressure on the government to also make BAs liable and follow up with investigations.

But, it’s not only that the BAs are often lagging behind. Many covered entities are assuming they’re more off the hook than before.

Kobus sees a lot of covered entities that have questions over whether or not they’re off the hook and don’t have to worry as much as they did in the past now that business associates will be held directly liable for violations. “The answer really is ‘no,’” said Kobus. “We still have to keep in mind the covered entities are still responsible for their own violations of the HIPAA privacy and security rules, and business associates are going to be responsible for their violations.”

The final Omnibus Rule also expands the definition of business associate to include health information organizations, e-Prescribing Gateways, certain PHR providers, patient safety organizations, data transmission service providers with access to PHI and contractors involved with PHI.

Additionally, the rule stipulates that a contract between a BA and its subcontractor is required, and that it must be as stringent as the contract between a CE and a BA.

As far as patient control goes, in many ways the rule imposes tighter restrictions on what organizations can do with patient data without consent. Patients can now insist that their health data not be shared with other groups if they pay for the specific medical services out of pocket, and certain patient information cannot be sold without that patient’s consent.

BA Agreements

Lynn Sessions, Houston-based healthcare and privacy attorney with Baker Hostetler, works with many healthcare providers as they update their business associate agreements, primarily with the larger, more sophisticated BAs. What she’s seeing are protracted, lengthy negotiations around BA agreements, particularly with respect to limitations of liability and indemnification. “We’re encouraging our healthcare clients to include indemnification and perhaps even insurance requirements as part of their business associate agreements so they’ve got protection should a breach take place or if there is a regulatory inquiry,” said Sessions.

Some of the business associates are expecting it, she added, as they understand they’re doing business in the healthcare arena. Others, however, who are new to the party, such as providers who thought they were never BAs in the first place, are playing catch-up. “And so, what used to be in some instances, just kind of the cursory, ‘Sure I’ll sign your business associate agreement,’ has become a much more detailed negotiation where some covered entities have had to hire counsel,” said Sessions.

Now that this piece is more stringent, “I think OCR has gotten covered entities and now business associates’ attention with the fines that have been levied over the last several years,” she added.

Jeffrey Brown, chief information officer at the 178-bed Lawrence General Hospital in Lawrence, Mass., said the hospital’s contracts with BAs haven’t changed at this point, but they are in the process of cataloguing all their third-party associates. “We’re going back, doing a detailed review and analysis of the verbiage within those BAAs,” he said. He estimates they have about 75 to 125 business associates at a minimum from an IS perspective. From an organizational perspective, that number is much higher, he says.

In many cases, however, he has noticed these third-party vendors are starting to be proactive, and so Brown is seeing addendums coming through.

Doing it right

Lawrence General Hospital has never experienced a HIPAA breach – for good reason.

“I wouldn’t say (we’re) lucky,” said Brown. “Privacy and security and compliance are something that is at the top of our priority list.”

Hospital employees are not allowed to bring their own devices to use for clinical purposes; rather, the hospital provides cellphones and laptops to specific employees. All devices are password protected and updated with the latest encryption technology.

If someone loses a cellphone or an employee is terminated, officials have the ability to go in and wipe that cellphone clean of any kind of data. And they do.

Moreover, Lawrence General brings in consulting firms to conduct regular risk analyses and assessments, and a hospital committee meets monthly to discuss the ever-changing nature of privacy and security issues.

This element proves crucial, he says, as the matter is far from static. “Privacy and security in the old days was kind of looked at as a once-and-done deal,” said Brown. “It was something that you did yearly or every two years. Risks and mitigations were presented to the organizations, and you kind of checked the box. And I think now what’s happened is it really is a program and a process that organizationally, and I think culturally, needs to become part of the fabric of what all healthcare entities need to practice,” he explained.

Brown admits there’s an upfront cost to comply with these rules, but views it as a real return on investment. “When you update kind of this triad of people, process and technology, it not only puts the consumer in a better place to be protected but also the organization.”

Kobus agrees. He says some of the biggest mistakes by CEs and BAs are lack of education and employee awareness, “people not understanding why it’s critical to protect this type of information,” he said.

But it’s not always a clear cut procedure, especially for larger institutions, added Sessions, who said healthcare organizations notoriously have a lot of policies and procedures in place. “What I can see is that policies and procedures get implemented, and there may be an area in the hospital that wasn’t thought about,” she explained. “There is so much information about patients that are used in healthcare organizations that to be able to ensure education to everybody, that they understand the policy and procedures that are in place and frankly that the drafters of the policy and procedures understand all the data out there can be difficult.”

Micky Tripathi, chief executive officer of the Massachusetts eHealth Collaborative, also offered insight into how to handle a breach properly when it occurs from the perspective of someone who has been through one.

Back in 2011, Tripathi reported that an unencrypted MAeHC laptop containing 14,475 patient medical records was stolen from an employee’s locked car. After going through the process of notifying patients, contacting attorneys, changing policies and working to rectify the situation transparently, Tripathi learned a few things.

No one, he said, is immune from data breaches. But, an organization can be immune from much of the aftermath depending on how it’s handled.

“We tried to be very transparent about everything we did,” he said at the HIMSSMedia and Healthcare IT News 2012 Privacy and Security Forum. In addition to the legal responsibilities, “we had a certain ethical responsibility,” said Tripathi. “We came clean with the whole thing…we were standing up for our mistake and we were going to do whatever we had to do to rectify the situation.”

Despite not getting slapped with state or federal fines, MAeHC did pay up. The total costs of the data breach reached $228,808, which is no nominal number for a nonprofit. Tripathi said $150,000 of that went to legal fees, and more than $6,000 went to credit monitoring for patients.

They could have paid a lot more, however, and Tripathi realized that. And the lesson that went along with the experience was invaluable. Encryption is key, and the failure to encrypt devices “was a big miss from a management perspective,” he said.

Kobus also explained the significance of notifying patients in the proper manner and without jumping the gun. BAs and CEs should only notify individuals affected and the public once they know exactly what happened, how it happened, what they’re doing to protect patients in the future and what they’re doing to prevent a breach like this from happening again.

“If you answer them, they’re not going to be happy about what happened, but they’re going to understand that you have control over the situation, you understand the seriousness of the situation and that you’re trying to make yourself better,” he said.

Omnibus Opinions

Overall industry reactions to the final rule have been decidedly mixed.

Brown, for one, thinks it’s a benefit for the industry, although he concedes that difficulties do exist.

“There are going to be some challenges organizationally, in terms of just wrapping your head around the complexities,” he said. “I’m always an advocate for the patient and the consumer, and I think what these updated rules are doing further protects (them)… this really should give them a greater level of confidence in the overall ecosystem around how their health information is going to be protected now and in the future.”

Russ Branzell, chief executive officer of CHIME, says naturally there are pros and cons. The cons really pertain to the sheer amount of process and policy that CEs have to follow and implement, which can really strap down CIOs who already have lengthy to-do lists. “I think there are parts of the rule that I’m sure most CIOs would say were needed and required,” Branzell said to HealthInfoSecurity. “There are also parts in there that they would say, ‘Wow, there’s just so much more I’ve got to do.’”

Many privacy advocates have also weighed in on the final rule. Deborah Peel, MD, chair of Patient Privacy Rights advocacy group, who bills herself as a “privacy warrior,” said there are privacy improvements, but the rule still didn’t go far enough.

Peel pointed to the example pertaining to patients who pay for services out of pocket who can request that their health information isn’t shared with other groups. “HHS did not require segmentation technologies so that (patient health information) can be protected and selectively shared. Instead, the information should be ‘flagged’ so only the ‘minimum necessary’ information is disclosed,” she said to amednews.

Peel went on to say that rules and contracts don’t guarantee they’ll be followed or enforced properly.

Others see considerable limitations to the final rule. Kobus, for example, thinks the language complicates things by eliminating the harm standard. “It makes things more subjective,” he said, taking “away the ability at least in some part for the organization to take a look at individualized harm and places the emphasis elsewhere, and I think that can be problematic because in reality, isn’t this about protecting patients and making sure patients can protect themselves if they’re at risk, and over notification does no one any good.”

From Sessions’ perspective, many BAs and CEs are actually going beyond what they are required to do by law in terms of reporting – clients who would rather be safe than sorry. “We think there’s going to be over-reporting with the final rule,” she said.

However, according to Rodriguez, overall, the number of entities over-reporting is nominal. “There’s a little bit of that, but mostly not,” he said, adding that the general pace of reporting has remained relatively consistent. “I think for the most part, we’re getting appropriate reports. You know, in other words, we’re not having folks reporting that don’t need to be reporting.”

Rodriguez says that the feedback he’s heard from industry officials is generally positive. “I would say for the most part, and certainly within the traditional covered entity community, I think this rule is very much welcome,” he said. “There have been questions about narrow, specific requirements in the new rule, and we’re certainly working with all the stakeholders to provide clarification, to provide training material, to provide guidance as these issues come up. But as a whole, my sense is that both industry and consumers are pretty comfortable with where we’ve gone in the final rule.”

Top HIPAA breaches of 2013

1.  Texas Health Harris Methodist Fort Worth – 277,014

In May, local residents found several hospital microfilms – that were supposed to be destroyed – in various public locations. The records on the microfiche contained patient names, addresses, dates of birth, medical record numbers, clinical information, health insurance data and, in many cases, Social Security numbers.

2.  Indiana Family and Social Services Administration – 187,533

Officials announced the HIPAA breach in July after an agency contractor, RCR Technology Corp., experienced a software glitch in a document management system, which resulted in clients receiving personal and private documents belonging to other clients. Patient clinical and financial data and, in some cases, Social Security numbers were compromised.

3.  Orthopedics & Adult Reconstructive Surgery – 22,000

The Texas-based center’s business associate AssuranceMD allegedly lost an unencrypted portable electronic device containing patient protected health information back in March.

4.  Our Lady of the Lake Regional Medical Center – 17,339

Back in March, an unencrypted hospital laptop containing the protected health information of intensive care unit patients went missing from a physician’s office. Patient names, ages, race, discharge data and treatment results were compromised.

5.  Raleigh Orthopedic Clinic – 17,300

The clinic provided patient X-rays to a third-party vendor, which sold the films to an Ohio-based recycling company that harvested the silver from the X-rays. Raleigh Ortho discovered the arrangement had been a scam.

6.  Henry Ford Hospital – 15,416

The five-hospital Henry Ford Health System notified 15,416 patients in July that their protected health information was compromised after hospital X-ray films stored in a warehouse were stolen. This is the health system’s fourth big HIPAA data breach within a three-year period. A warehouse employee has been arrested in connection with the theft, but the files remain missing.

7.  Delta Dental of Pennsylvania – 14,829

Mechanicsburg, Pa.-based Delta Dental contracted with ZDI, which announced March 20 that it lost patients’ paper records.

8.  United HomeCare Services – 13,617

Miami, Fla.-based UHCS notified patients in April of a HIPAA breach that occurred in January after an unencrypted company laptop was stolen from an employee’s car. The laptop contained patients’ names, addresses, Social Security numbers, health plan numbers and clinical data.

9.  Stanford University Lucile Packard Children’s Hospital – 12,900

LPCH officials announced their fifth HIPAA breach in June after notifying patients that their protected health information was compromised following the theft of an unencrypted hospital laptop. The laptop contained patient names, ages, medical record numbers, surgical procedures, names of physicians involved in the procedures and telephone numbers.

10.  Indiana University Health Arnett

IUH at Arnett began notifying patients in May after an unencrypted company laptop was stolen from an employee’s car back in April. Patient names, dates of birth, medical record numbers, physicians, dates of service and diagnosis data were contained on the laptop.


IRS seizes 60M records without warrant

SAN DIEGO – The Internal Revenue Service has found itself at the center of one of the largest healthcare privacy breaches in history, after allegedly stealing and improperly accessing the medical records of 10 million Americans, including health records of California state judges, members of the Screen Actors Guild and Major League Baseball players.


A California HIPAA-covered entity, identified as John Doe Company, filed a complaint with the Superior Court of California against the agency in March accusing 15 IRS agents of seizing 60 million medical records from 10 million patients. The protected health information taken by the agents included psychological and gynecological counseling data, sexual/drug treatment and other medical treatment data.


According to the filed complaint, “No search warrant authorized the seizure of these records; no subpoena authorized the seizure of these records; none of the 10,000,000 Americans were under any kind of known criminal or civil investigation and their medical records had no relevance whatsoever to the IRS search.”

$150,000 Resolution to a $200 Problem

An unencrypted USB drive has ended up costing one dermatology practice, which has settled with the Department of Health and Human Services for failing to address HITECH’s breach notification provisions.

Adult & Pediatric Dermatology (known as APDerm), which provides dermatology services in Massachusetts and New Hampshire, agreed on a settlement of $150,000 for privacy and security violations, and will be required to put a corrective action plan in place to fix deficiencies in its HIPAA compliance program, according to a notice posted Dec. 26 on the HHS website.

It’s the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act, say officials from HHS’ Office for Civil Rights.

OCR launched its investigation of APDerm after being tipped off that an unencrypted thumb drive containing the protected health information of some 2,200 people was stolen from the vehicle of one of its staff members. The drive was never recovered.

The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of its security management process, officials say.

Moreover, APDerm failed to fully comply with the HITECH Breach Notification Rule, which requires organizations to have written policies and procedures in place and to train workforce members.

In addition to the $150,000 resolution amount, AP Derm’s settlement includes a corrective action plan requiring development of a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities. The practice will also be required to provide an implementation report to OCR.

“As we say in healthcare, an ounce of prevention is worth a pound of cure,” said OCR Director Leon Rodriguez, in a press statement. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens.  Covered entities of all sizes need to give priority to securing electronic protected health information.”

This was so preventable. At CYRSS we make prevention of this sort of thing easy and affordable. We Watch So You Don’t Have To.

HIPAA Violations: An Ounce of Cure…

In the world of HIPAA privacy and security breaches, 2013 was a big year, and the last days of December proved no exception.

The five-hospital Riverside Health System in southeast Virginia announced earlier this week that close to 1,000 of its patients are being notified of a privacy breach that continued for four years.

From September 2009 through October 2013, a former Riverside employee inappropriately accessed the Social Security numbers and electronic medical records of 919 patients. Reportedly, the employee was a licensed practical nurse, according to a Daily Press account. The breach wasn’t discovered until Nov. 1 following a random company audit.

“Riverside would like to apologize for this incident,” said Riverside Spokesperson Peter Glagola, in a Dec. 29 notice. “We are truly sorry this happened. We have a robust compliance program and ongoing monitoring in place, and that’s how we were able to identify this breach. We are looking at ways to improve our monitoring program with more automatic flags to protect our patients.”

The practical nurse who inappropriately accessed the records has had their employment terminated, according to Riverside officials.

HIPAA covered entities and, more recently, business associates can be slapped with up to $50,000 fines per HIPAA violation due to willful neglect that goes uncorrected. Entities could face $10,000 per violation due to willful neglect when the violation is properly addressed.

Just this past month, the Department of Health and Human Services settled with Adult & Pediatric Dermatology of Concord, Mass., for $150,000 over alleged violations of HIPAA privacy, security and breach notification rules.

According to an HHS press release, an unencrypted thumb drive containing the protected health information of 2,200 individuals was stolen from an employee’s car. However, when HHS’ Office for Civil Rights conducted an investigation, it was discovered the practice had failed to conduct adequate risk analyses and did not comply with breach notification requirements.

When Healthcare IT News spoke with OCR Director Leon Rodriguez back in August about where HIPAA-covered entities most often make their biggest misstep, he pointed to risk analysis inadequacies, for business associates and covered entities alike. It’s the “failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis,” he said.

2013 also brought with it some of the biggest HIPAA privacy and security breaches to date. Advocate Health Care, for example, reported the second largest HIPAA breach, compromising the PHI of more than 4 million individuals after four unencrypted laptops were stolen from one of its facilities back in July.

Out of the more than 80,000 HIPAA breach cases OCR has received since 2003, only 17 have resulted in fines thus far. That does not mean the cost to the breached organizations in the remaining cases was nil; it was not. Each reported breach carries the costs of publication, reporting, reparation, damage to reputation, and remediation. This proves once again that an ounce of prevention is worth a ton of cure.

Fraudulent Support Call Scams Persist Despite FTC Crackdown

Computerworld has warned of ongoing scams in which criminals fraudulently pose as support personnel, typically from Microsoft but also from security companies like Symantec and McAfee (or manufacturers like Dell). The alleged support personnel typically call victims to inform them that their computer is infected or malfunctioning, in order to sell them fraudulent and unnecessary software or services and/or to gain remote access to the computer. In the latter case, the fraudsters then steal sensitive data or install malware. These fraudsters can be fairly convincing and use a variety of tactics. For example, in some cases they have offered supposed evidence by directing victims to open the Windows system logs and highlighting error messages that are, in fact, typical system errors that occur regularly.

Computerworld’s warning comes over a year after the FTC acknowledged and addressed this exact problem, eventually shuttering six firms responsible for these sorts of support scams. However, these scams may be a fairly permanent fixture in the threat landscape.

Last week, our office received a call that fit Computerworld’s warning to a tee. The caller, who claimed to be calling from Microsoft, even provided step-by-step instructions for navigating to system logs, in order to demonstrate supposed evidence of infections and malfunctions. The caller ultimately sought to convince victims to install software, which would then allow him to remotely access and control their computer.

As Computerworld highlights, these scams persist because of “the difficulty regulators have in playing Whac-a-Mole, where for every suppressed fraudster, one or more new operators pop up.” Clearly, it is important that users be aware of these attacks, and follow the appropriate best practices. Most importantly, never give away personal information or control of your computer to any unsolicited caller. If a caller pressures you to purchase or pay for any goods or services, just hang up. If you believe you may need tech support, call the appropriate vendor directly using contact information from the vendor’s official website, or from a software package or receipt.
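The scam described above relies on the victim not knowing that a healthy Windows machine routinely logs errors and warnings. The script below is an added example, not code from the original article or from Computerworld: it summarises the Error and Warning entries of the last seven days in the local System and Application logs, so a user or help desk can see for themselves how routine such entries are and which ordinary Windows components produce them. It uses only the built-in Get-WinEvent cmdlet and assumes it is run in an elevated PowerShell prompt on Windows.

```powershell
# Added example (not from the original article). Counts Error (level 2) and
# Warning (level 3) entries from the last seven days in the System and
# Application logs and lists the most frequent source/event-ID pairs.
# Assumes an elevated PowerShell prompt on Windows; only built-in cmdlets are used.

$since = (Get-Date).AddDays(-7)

foreach ($logName in 'System', 'Application') {
    # -ErrorAction SilentlyContinue covers the "no events found" case, which
    # Get-WinEvent otherwise reports as a non-terminating error.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $logName
        Level     = 2, 3          # 2 = Error, 3 = Warning
        StartTime = $since
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Output ("{0} log: no Error/Warning entries since {1:yyyy-MM-dd}" -f $logName, $since)
        continue
    }

    Write-Output ("{0} log: {1} Error/Warning entries since {2:yyyy-MM-dd}" -f $logName, @($events).Count, $since)

    # Group by provider (source) and event ID; on a normal machine the top
    # entries come from ordinary Windows services, drivers and update components.
    $events |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object -First 10 -Property @(
            @{ Name = 'Count';    Expression = { $_.Count } },
            @{ Name = 'Provider'; Expression = { $_.Group[0].ProviderName } },
            @{ Name = 'EventId';  Expression = { $_.Group[0].Id } },
            @{ Name = 'Level';    Expression = { $_.Group[0].LevelDisplayName } }
        ) |
        Format-Table -AutoSize
}
```

The point of the output is educational rather than diagnostic: the providers listed are the machine's own components, and a non-zero count is normal. Anyone told by an unsolicited caller that such entries are proof of infection should treat the claim as the pressure tactic described above and contact the vendor through its official website instead.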