All posts by remotehelpexpert

Multiple Malware Campaigns Impersonating Multiple U.S. Government Agencies

The United States Computer Emergency Readiness Team (US-CERT) has warned of multiple malware campaigns impersonating multiple U.S. government agencies, including the United States Cyber Command (USCYBERCOM) and the Federal Bureau of Investigation (FBI).

Once installed on a system, the malware displays a screen claiming that a Federal Government agency has identified the user’s computer as being associated with one or more crimes. The user is told to pay a fine to regain the use of the computer, usually through prepaid money card services.

Affected users should not follow the payment instructions. Instead, the computer should be scanned for malware with an appropriate antivirus program, and then measures taken to prevent the infection from recurring.

What Happens When Your Paid Antivirus Subscription Expires?

Note: This covers PAID antivirus programs. There are free antivirus programs that, because they are not under a time license, basically don’t expire.

What happens when your paid antivirus subscription expires? In a nutshell: Your antivirus program stops updating itself. But what does that mean and what are the ramifications?

To understand this, first you have to understand how traditional antivirus programs work. I’ve explained this before, but here’s the gist of it: Your antivirus program protects you from malware trying to infect your computer by keeping a list of all known malware. It then compares every file you open, every file you download, every email you get, and so on, to its master list of “bad guys”.

Because malware creation is such a dynamic subject, the list of known malware grows daily. In order to be effective, your antivirus must have the latest additions to the list of “bad guys” to recognize them. To the degree that it doesn’t have the most recent additions, it won’t be able to detect the most recent infections.

So, a typical antivirus program updates its list at least once a day. Some are configurable and can be set so they update themselves several times a day.

Now, let’s say you have a yearly license in your antivirus and it’s about to expire. Typically you get warnings and pop-up windows that alert you to the fact that your license is about to expire. So what happens if it does? Does the program stop functioning?

No. Typically, your antivirus program still works even if your license has expired. BUT, your vendor will probably not allow updates to happen. So, as days and weeks go by, your antivirus program’s list becomes more and more outdated. To that degree it won’t be able to detect the latest infections. The more outdated, the less effective. You get the idea.

The above is so true that an up-to-date, free antivirus program is probably more effective than an expired paid one. Even if the paid one is fancier and has more features, it’s of little use without an up-to-date definitions list.

Normally when your expired antivirus license is renewed, your antivirus will resume updating itself and you will stop getting warnings about it. Sometimes it requires asking the antivirus program to perform an update in order to bring the list up-to-date, and then it resumes doing it automatically from that point on.

Strong Passwords

Last article covered in what ways your email account can be hacked. Since it is related to the password strength your email account has, I thought we should now cover how to create a strong password.

A strong password is one that is hard to guess. Oversimplified, some might say, yet that is the basic definition of it. Therefore, having your password be “joe” when your email account is “joeblow@yahoo.com” is not very hard to guess. That would be at the extreme end of weak. So what’s at the other end?

A good, strong password:

1. Contains uppercase and lowercase characters,

2. Contains at least one number,

3. Contains at least one of the characters above the numbers on your keyboard ( !@#$%^&*() ),

4. Does not contain a word that can be found in the dictionary, and

5. Is at least 8 characters long.
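A small checker for the five rules above, added here as an example and not part of the original post. The word list is a constructed stand-in for a real dictionary file, and the substring test for dictionary words is an assumption about how rule 4 should be applied:

```python
# Constructed, deliberately tiny word list standing in for a real dictionary file
# (assumption: a real check would load a full word list such as /usr/share/dict/words).
DICTIONARY_WORDS = {"joe", "blow", "password", "welcome", "summer", "letmein", "dragon"}

# Rule 3: the characters above the digits on a US keyboard.
SPECIALS = set("!@#$%^&*()")

# Words shorter than this are ignored by the dictionary rule, otherwise
# two-letter words would flag almost every password (assumption, not a rule from the post).
MIN_DICT_WORD_LEN = 3


def check_password(pw: str, words=DICTIONARY_WORDS) -> list:
    """Return the rules the password fails, in rule order; an empty list means it passes."""
    failures = []
    # Rule 1: both uppercase and lowercase letters.
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("rule 1: needs both uppercase and lowercase letters")
    # Rule 2: at least one digit.
    if not any(c.isdigit() for c in pw):
        failures.append("rule 2: needs at least one number")
    # Rule 3: at least one of the shifted-digit characters.
    if not any(c in SPECIALS for c in pw):
        failures.append("rule 3: needs at least one of !@#$%^&*()")
    # Rule 4: no dictionary word anywhere in the password, case-insensitive.
    lowered = pw.lower()
    for w in sorted(words):
        if len(w) >= MIN_DICT_WORD_LEN and w in lowered:
            failures.append(f"rule 4: contains the dictionary word '{w}'")
            break
    # Rule 5: minimum length of 8.
    if len(pw) < 8:
        failures.append("rule 5: must be at least 8 characters long")
    return failures


def is_strong(pw: str) -> bool:
    """True only when every one of the five rules is satisfied."""
    return not check_password(pw)


if __name__ == "__main__":
    # Constructed sample inputs: the post's weak "joe", a password that looks
    # complex but wraps a dictionary word, and one that passes all five rules.
    for candidate in ["joe", "Summer2012!", "Mk7$wqLz"]:
        print(candidate, "->", check_password(candidate) or "strong")
```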

OK so now we know what a strong password is, but we have a problem. How do we craft one that can ALSO be remembered? I mean, “g5OmCU)k” might be a strong password by definition, but who the hell is going to remember it? This is where mnemonics – a memory tool, any device or technique that aids information retention –  comes in handy.

Rather than going on a lengthy written explanation of how this all works, let me give you a link to a video that explains it all very well in under 4 minutes. Watch it and then come back to finish reading this article. Here’s the link to the video:

http://www.youtube.com/watch?v=VYzguTdOmmU

As you might have noticed, the last problem posed in the video, how to remember multiple passwords when you use one per each different authentication required, is solved by the use of a password manager. I personally use RoboForm to keep my 90+ passwords secure, and it even has a feature that will generate random strong passwords for me when required, which can then be stored and thus does not need to be remembered.

May your email account remain secure.

How Did My Email Account Get Hacked?

Concerns over hacked email accounts seem to have increased as of late, mostly because, well, the number of hacked email accounts seems to have increased as of late.

Recently I covered how to proceed when you receive an email from a contact who obviously did not send it and might be the victim of a hack attack. But how do these attacks succeed and how many ways are there to perpetrate them? Knowing the answer would give you an understanding of what to do to stay safe.

So, I’m glad you asked. I’ll try to keep the answers simple. First, it wouldn’t hurt to understand how email works.

When you look at the simplest way to break it down, an email account’s password can only be hacked at two different points: 1) at the point where the user handles emails (his/her computer, phone, tablet, etc.), and 2) at the server, where all the information on usernames and passwords is kept.

The common user does not have control over his/her email server, so if a hack attack occurs at the server, there’s not much he/she can do about it. Pray maybe, or be careful as to what email provider he/she chooses. A definite measure he/she can take is change his/her password periodically, and of course make sure they’re all strong passwords.

Unfortunately, much too often a) users don’t change their passwords periodically, b) the passwords are weak, and c) the same password is used for many things, including their online banking identity and whatnot! The reason for these three factors is the basic drive of the user to remember his password: a) changing it periodically makes it hard to remember which is your current one, b) using familiar words or numbers makes a password weak but easy to remember, and c) who wants to remember 10 passwords when using the same password for everything is so much easier?

We’ll circle back to that. The point is, the server-side aspects of things are not much under the control of the normal user, and that’s a potential hack attack point. How those attacks occur becomes irrelevant, so we’ll leave it at that.

The second point at which the password can be hacked is more under the control of the user, mostly because it is within arm’s length and he/she is for the most part in control of it. This is of course his/her computer/phone/tablet.

So now, how many ways are there to figure out a password? Exactly two:

The first one is under the category of guessing. A specific type of a “brute force attack”. This consists mainly of feeding passwords from a list, often a dictionary. A computer program can do this very fast, so if the password is weak, the probabilities of guessing it that way are not too bad.

The second one is under the category of stealing/sniffing/recording. Basically a tool is installed on your computer that will record keystrokes, or steal your password from known stored locations, and transmit it over the internet to a place the hacker has access to. So in this case, changing your password, making it complex and unique will not accomplish anything, since the moment you use your computer to change it, it will be stolen/sniffed/recorded again.

Therefore when one’s email account has been hacked, one should

a) Change the password to a strong, TEMPORARY one. This is just in case the way it was figured out was a brute force attack and not just stolen. Then

b) You have to make sure there is no malicious software in your computer that is stealing/sniffing/recording your passwords. That is, of course, easier said than done. But it must be done. Ask an expert for help as needed. Finally,

c) Once there’s an assurance that there is no data leak active, the password should be changed again to a strong, more permanent one. Even if there is no malicious software found, it never hurts to change the password again, so it should be done regardless.

Hope I’ve been able to increase your understanding of the subject.

Facebook Don’t

With over 150 million users in the US alone, Facebook boasts a vast amount of personal data, which some users seem to be willing to give away, publicly.

Check out this website: http://www.weknowwhatyouredoing.com/

The website is powered by a tool that shows some of the public status updates users post on Facebook.

The point is, if you are a Facebook user, you should have your privacy control setting set to anything but “public” or you risk being featured in websites like the above.

To do that, go to https://www.facebook.com/settings/?tab=privacy and make sure your privacy control is set to anything but “public” and if it is set to “public”, change it to “Friends” or “Custom”.

Hope this helps.


What is the Proper Way to Inform Someone Their Email Has Been Hijacked?

Somebody recently asked me this question. Many people have seen, every now and then, the weird emails coming from a friend or relative that could not possibly be sent by them, so I thought it’s worthwhile to make the answer broadly available:

If you want to inform someone that their email account has been hacked, it is usually wise to use an alternate mode of communication if possible (an email address other than the one that is the source of the suspicious emails, or even a phone call). Sending an email to the email address that seems to be hacked might only worsen things if the account is actually under the control of a hacker, for it only confirms your email address is valid and makes you prone to receiving spam (your email address will be sold on the black market for a price).

If YOUR email has been hacked, the first immediate action is to change your password, preferably from a different computer than the one you normally use, just in case the cause of the email hacking is password-stealing malware implanted in your computer. The next action is then to do a thorough malware check to make sure the source of the security breach in your computer is NOT malware (weak passwords can be guessed without needing password-stealing malware to perpetrate, plus in rare cases passwords are stolen from the computers running the email service on the Internet – the servers), or get rid of any malware if there is any.

There is a possibility that your hacked email account has had its password changed to lock you out. To regain control of your email account you might need to reset the password. Most email services provide methods of doing that. Security questions that only you know the answer to, a cell phone number a new password can be sent to as a text message, a secondary email to send a new password to, all these must be pre-set for this kind of eventuality. So a good preventive measure is to make sure these reset password mechanisms are in place for your email address.

Recent and Upcoming Computer Updates

A summary of recent and upcoming updates you should know about:

Windows Updates: Microsoft has published a Security Bulletin Advance Notification indicating that its May release will contain seven bulletins (updates). These bulletins will have the severity ratings of critical and important. The release of these bulletins is scheduled for Tuesday, May 8, 2012.

Google Chrome web browser: Google has released Chrome 18.0.1025.168 for Linux, Macintosh, Windows, and Google Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. It also contains an automatic update for Adobe Flash (covered next). To check what version of Chrome you have and to update as needed, click on the wrench symbol on the upper right corner of a Chrome window, and then select About Google Chrome.

Adobe Flash: Adobe released a Security Advisory for Adobe Flash Player a couple of days ago to address a vulnerability affecting the following software versions:

  • Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh, and Linux operating systems
  • Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x

This vulnerability may allow an attacker to take control of the affected system. There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. To check what version of Flash you have installed in your computer, click here.

Keeping your computer(s) up-to-date with the latest patches from the various software vendors is one of the key steps to fend off malicious cyber-attacks.

Test Drive – Microsoft Security Essentials 4.0

A little over a week ago, version 4.0 of Microsoft Security Essentials (MSE) was released. First seen in version 1.0 back in 2009, MSE has been among the top free antivirus programs ever since. I first mentioned it back in 2009, when it was in its testing stages, in one of my articles. I took version 2.0 for a test drive in 2011, where it performed surprisingly well. So I decided to take this version, 4.0 for a spin as well (there never was a version 3.0).

As I have usually done, the test drive consisted of visiting known infected websites with my test computer, with the antivirus program installed, and then observing and analyzing how the antivirus performs in terms of detecting malware, preventing the computer from being infected and cleaning it up as needed.

So I took my test computer and accessed 4 or 5 infected websites. One of them infected with a Trojan, one with a Fake Antivirus, one with a rootkit, and finally one with another Trojan. In each case the real-time protection feature of MSE correctly detected the presence of malware, stopped access to the infection, and cleaned up successfully any files downloaded by the website to my computer, without any user intervention needed. A detailed after-the-fact analysis of what went on when I accessed each infected website revealed that neither an invisible, behind-the-scenes infection nor computer settings alteration took place, confirming that MSE succeeded and passed the test.

I already liked MSE 2.0, and I’m liking MSE 4.0 even more. Out of all the free antivirus alternatives, it is the one I like the most.

If you have MSE in your computer(s), check to make sure you have this version, the latest. If you need help checking which version you do have or how to upgrade to the latest one, feel free to ask.

Trojan, Trojan Horse

Trojan horses are a specific type of malware (malicious software) that, similar to the Greek story of Troy, allow for intrusion of a system from within, opening the door to external control of your computer by a remote intruder. As of late 2014, 78% of malware are Trojans.

Why Antivirus Programs Fail

This is a real example of why just relying on an antivirus to detect all malware will fail. Today I got, for the nth time, a few of those scam emails that have an infected attachment and a message enticing me to open it. Since I hate to disappoint, I went ahead and opened one, just to see what my antivirus would do (But also having fail-safe measures in place).

I’m currently using Kaspersky Internet Security 2012, one of the top security suites and my current favorite. Normally upon receipt of the email Kaspersky would quarantine the suspicious attachment… if it detects it as malicious. But it didn’t. The attachment was compressed in a file, so I thought maybe that’s why and went ahead and extracted the file from it. Nothing. No response from Kaspersky. So I forced a scan of the object, and it still was not detected as malicious!

I then went to a website where individual files can be scanned by many scan engines. This particular one scans the file against 42 different engines. Kaspersky, Avast, Symantec, VIPRE, McAfee, you name it. All the big brands and more. Well, only 4 out of the 42 detected the file as malicious!

Why is that? Because the creation of different malware samples outdoes by far the updating of signature files (the files that tell your antivirus program which files are good and which ones malicious). Signature files are what antivirus scanners mostly depend on to detect malware.

I said it in 2009, and I’ll reiterate it today. Want to have a better chance at staying malware-free? Follow the model I laid out back then, in my pivotal article on the subject.


P.S.: 4/12/12: It’s the morning after, and I decided to analyze that piece of malware in detail, so I tried to fetch it from the trash folder in my email… Wasn’t able to. Kaspersky beat me to the punch and deleted it. In re-analyzing the file (from an alternate source) against the 42 scan engines, the count had changed to 7 out of 42 recognizing it as malware. Kaspersky was one of them. So relatively good.