News

The holiday season often brings a rush of new gadgets—smartphones, tablets, laptops, and smart home devices—into households. One survey revealed that nearly 199 million U.S. adults planned to purchase tech products and services as gifts for the holiday season. For the tech-savvy among us, it also means becoming the go-to person for setting up, troubleshooting, and securing those shiny new devices. But while it’s great to help your loved ones get the most out of their tech, it’s just as important to ensure they’re protected from digital threats like malware, phishing, and privacy breaches.

This year, step up as the digital IT hero of the holidays by taking proactive measures to safeguard your family’s online life. Here’s a guide to help you create a safer digital environment for your loved ones by setting up their devices with robust cybersecurity protections.

1. Install a VPN for Secure Browsing

One of the first steps in protecting new devices is ensuring that internet connections are secure. A Virtual Private Network (VPN) is essential for safeguarding your family’s data, especially when using public Wi-Fi networks at coffee shops, airports, or hotels. Without a VPN, any data you send or receive—such as login details, personal information, or banking credentials—can be intercepted by cybercriminals using simple hacking tools. A VPN encrypts your internet connection, making it much harder for anyone to spy on or steal your information, even on public networks. This layer of security is crucial to protect your privacy and keep your data safe from potential threats.

How to help:

• • Choose a reliable VPN service that has a user-friendly app. The VPN should undergo independent reviews and audits to guarantee the security of your sensitive information.
  • Set it up on your family’s devices, ensuring it activates automatically when connecting to unsecured networks.
  • Walk your loved ones through how to enable the VPN and why it’s important, encouraging them to use the VPN for any online banking, shopping, or work-related tasks they perform while traveling.

2. Ensure Antivirus Software is Up to Date

Antivirus software plays a crucial role in protecting devices from malware, ransomware, and other cyber threats by continuously scanning for malicious activity and preventing harmful files from executing. It acts as a first line of defense, detecting and removing viruses before they can compromise your system or steal sensitive data.

How to help:

• Install or verify that their devices have a strong, reliable antivirus program that offers 24/7 identity monitoring and alerts and AI-powered security for real-time protection against viruses, hackers, and risky links.
• Look for a security suite that also includes protections on social media, like McAfee+ Social Privacy Manager, which can help you adjust 100+ privacy settings across your social media accounts in just a few clicks.
• Configure it for automatic scans and updates, so they don’t have to worry about remembering to run them manually.

3. Set Up Strong Passwords and Enable Multi-Factor Authentication

Passwords are the first and often most critical line of defense for online accounts, but unfortunately, many people still rely on weak or predictable combinations like “password123” or simple sequences of numbers. These easy-to-guess passwords leave accounts vulnerable to cybercriminals who use automated tools to crack them within minutes.

However, the threat doesn’t stop at weak passwords—data breaches pose an even greater risk. When large-scale breaches occur, they often expose millions of usernames and passwords to the public. Even strong, unique passwords can be compromised if they’ve been leaked in a breach, allowing attackers to use those credentials in credential-stuffing attacks, where they attempt to log in to multiple accounts using the same exposed password.

To counteract this, it’s critical to not only set strong, unique passwords for every account but also to enable multi-factor authentication (MFA) so that even if your password falls into the wrong hands, attackers can’t access your account without a second form of verification.

How to help:

• Choose a reputable password manager that offers features like end-to-end encryption and secure password sharing.
• Set up a master password that is long, memorable, and, most importantly, not shared with any other account. A phrase like “SunsetsOverTheBeach2024!” works well because it’s strong but easy to recall.
• Help your family by reviewing their most important accounts and updating them with newly generated, complex passwords through the password manager.
• Enable MFA on your family’s most critical accounts, especially banking and financial accounts, social media accounts, and email accounts, which are often the key to resetting passwords for other services, making them a high-value target for hackers.

4. Set Up Device and Data Backups

Data loss can be catastrophic, whether it’s due to a hardware failure, theft, or ransomware attack. Setting up automatic backups ensures that your family’s important data—such as photos, videos, and documents—is safe, no matter what happens.

How to help:

• Set up automatic cloud backups for their devices, ensuring critical files are backed up regularly. Most major platforms, like Apple and Google, offer built-in cloud backup services.
• Consider using an external hard drive for an additional layer of backup.
• Walk them through how to restore files from a backup in case of data loss and emphasize the peace of mind this brings.

5. Check for Sketchy Apps and Remove Unnecessary Ones

New devices often come pre-loaded with a myriad of apps, many of which your family members may never use. Some of these could be bloatware or even pose security risks by running in the background and collecting data.

How to help:

• Go through the new device’s installed apps with your family. Uninstall any that aren’t necessary, especially those that seem unfamiliar or have poor ratings.
• Warn your family about downloading apps from unofficial app stores, which often harbor malicious software.
• Encourage them to stick to apps from trusted sources like Google Play or the Apple App Store, and show them how to check app permissions.

By helping your family with these key cybersecurity steps, you’re not just setting up their devices—you’re providing them with the tools and knowledge to stay safe online. As the digital IT hero of the holidays, you’ll empower your loved ones to enjoy their new tech with confidence, knowing their data and privacy are protected.

The post How to Be Your Family’s Digital IT Hero for the Holidays appeared first on McAfee Blog.

The security provider has elevated its warning about a vulnerability affecting firewall management interfaces after observing active exploitation

Ilya Lichtenstein hacked into the cryptocurrency exchange in 2016 and stole around 120,000 bitcoins

The new vulnerability was named “FortiJump Higher” due to its similarity with the “FortiJump” vulnerability discovered in October

SentinelOne described some of ransomware groups’ favorite techniques for targeting cloud services

Fantastic video of a female Gonatus onyx squid swimming while carrying her egg sack.

An earlier related post.

Blog moderation policy.

Stuart Schechter makes some good points on the history of bad password policies:

Morris and Thompson’s work brought much-needed data to highlight a problem that lots of people suspected was bad, but that had not been studied scientifically. Their work was a big step forward, if not for two mistakes that would impede future progress in improving passwords for decades.

First, was Morris and Thompson’s confidence that their solution, a password policy, would fix the underlying problem of weak passwords. They incorrectly assumed that if they prevented the specific categories of weakness that they had noted, that the result would be something strong. After implementing a requirement that password have multiple characters sets or more total characters, they wrote:

These improvements make it exceedingly difficult to find any individual password. The user is warned of the risks and if he cooperates, he is very safe indeed.

As should be obvious now, a user who chooses “p@ssword” to comply with policies such as those proposed by Morris and Thompson is not very safe indeed. Morris and Thompson assumed their intervention would be effective without testing its efficacy, considering its unintended consequences, or even defining a metric of success to test against. Not only did their hunch turn out to be wrong, but their second mistake prevented anyone from proving them wrong.

That second mistake was convincing sysadmins to hash passwords, so there was no way to evaluate how secure anyone’s password actually was. And it wasn’t until hackers started stealing and publishing large troves of actual passwords that we got the data: people are terrible at generating secure passwords, even with rules.

In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for several new money making schemes.

Mr. Shefel, who recently changed his legal surname to Lenin, was the star of last year’s story, Ten Years Later, New Clues in the Target Breach. That investigation detailed how the 38-year-old Shefel adopted the nickname Rescator while working as vice president of payments at ChronoPay, a Russian financial company that paid spammers to advertise fake antivirus scams, male enhancement drugs and knockoff pharmaceuticals.

Mr. Shefel did not respond to requests for comment in advance of that December 2023 profile. Nor did he respond to reporting here in January 2024 that he ran an IT company with a 34-year-old Russian man named Aleksandr Ermakov, who was sanctioned by authorities in Australia, the U.K. and U.S. for stealing data on nearly 10 million customers of the Australian health insurance giant Medibank.

But not long after KrebsOnSecurity reported in April that Shefel/Rescator also was behind the theft of Social Security and tax information from a majority of South Carolina residents in 2012, Mr. Shefel began contacting this author with the pretense of setting the record straight on his alleged criminal hacking activities.

In a series of live video chats and text messages, Mr. Shefel confirmed he indeed went by the Rescator identity for several years, and that he did operate a slew of websites between 2013 and 2015 that sold payment card data stolen from Target, Home Depot and a number of other nationwide retail chains.

Shefel claims the true mastermind behind the Target and other retail breaches was Dmitri Golubov, an infamous Ukrainian hacker known as the co-founder of Carderplanet, among the earliest Russian-language cybercrime forums focused on payment card fraud. Mr. Golubov could not be reached for comment, and Shefel says he no longer has the laptop containing evidence to support that claim.

Shefel asserts he and his team were responsible for developing the card-stealing malware that Golubov’s hackers installed on Target and Home Depot payment terminals, and that at the time he was technical director of a long-running Russian cybercrime community called Lampeduza.

“My nickname was MikeMike, and I worked with Dmitri Golubov and made technologies for him,” Shefel said. “I’m also godfather of his second son.”

A week after breaking the story about the 2013 data breach at Target, KrebsOnSecurity published Who’s Selling Cards from Target?, which identified a Ukrainian man who went by the nickname Helkern as Rescator’s original identity. But Shefel claims Helkern was subordinate to Golubov, and that he was responsible for introducing the two men more than a decade ago.

“Helkern was my friend, I [set up a] meeting with Golubov and him in 2013,” Shefel said. “That was in Odessa, Ukraine. I was often in that city, and [it’s where] I met my second wife.”

Shefel claims he made several hundred thousand dollars selling cards stolen by Golubov’s Ukraine-based hacking crew, but that not long after Russia annexed Crimea in 2014 Golubov cut him out of the business and replaced Shefel’s malware coding team with programmers in Ukraine.

Golubov was arrested in Ukraine in 2005 as part of a joint investigation with multiple U.S. federal law enforcement agencies, but his political connections in the country ensured his case went nowhere. Golubov later earned immunity from prosecution by becoming an elected politician and founding the Internet Party of Ukraine, which called for free internet for all, the creation of country-wide “hacker schools” and the “computerization of the entire economy.”

Mr. Shefel says he stopped selling stolen payment cards after being pushed out of the business, and invested his earnings in a now-defunct Russian search engine called tf[.]org. He also apparently ran a business called click2dad[.]net that paid people to click on ads for Russian government employment opportunities.

When those enterprises fizzled out, Shefel reverted to selling malware coding services for hire under the nickname “Getsend“; this claim checks out, as Getsend for many years advertised the same Telegram handle that Shefel used in our recent chats and video calls.

Shefel acknowledged that his outreach was motivated by a desire to publicize several new business ventures. None of those will be mentioned here because Shefel is already using my December 2023 profile of him to advertise what appears to be a pyramid scheme, and to remind others within the Russian hacker community of his skills and accomplishments.

Shefel says he is now flat broke, and that he currently has little to show for a storied hacking career. The Moscow native said he recently heard from his ex-wife, who had read last year’s story about him and was suddenly wondering where he’d hidden all of his earnings.

More urgently, Shefel needs money to stay out of prison. In February, he and Ermakov were arrested on charges of operating a short-lived ransomware affiliate program in 2021 called Sugar (a.k.a. Sugar Locker), which targeted single computers and end-users instead of corporations. Shefel is due to face those charges in a Moscow court on Friday, Nov. 15, 2024. Ermakov was recently found guilty and given two years probation.

Shefel claims his Sugar ransomware affiliate program was a bust, and never generated any profits. Russia is known for not prosecuting criminal hackers within its borders who scrupulously avoid attacking Russian businesses and consumers. When asked why he now faces prosecution over Sugar, Shefel said he’s certain the investigation was instigated by  Pyotr “Peter” Vrublevsky — the son of his former boss at ChronoPay.

ChronoPay founder and CEO Pavel Vrublevsky was the key subject of my 2014 book Spam Nation, which described his role as head of one of Russia’s most notorious criminal spam operations.

Vrublevsky Sr. recently declared bankruptcy, and is currently in prison on fraud charges. Russian authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes. They also accused Vrublevsky of facilitating money laundering for Hydra, the largest Russian darknet market at the time. Hydra trafficked in illegal drugs and financial services, including cryptocurrency tumbling for money laundering, exchange services between cryptocurrency and Russian rubles, and the sale of falsified documents and hacking services.

However, in 2022 KrebsOnSecurity reported on a more likely reason for Vrublevsky’s latest criminal charges: He’d been extensively documenting the nicknames, real names and criminal exploits of Russian hackers who worked with the protection of corrupt officials in the Russian Federal Security Service (FSB), and operating a Telegram channel that threatened to expose alleged nefarious dealings by Russian financial executives.

Shefel believes Vrublevsky’s son Peter paid corrupt cops to levy criminal charges against him after reporting the youth to Moscow police, allegedly for walking around in public with a loaded firearm. Shefel says the Russian authorities told the younger Vrublevsky that he had lodged the firearms complaint.

In July 2024, the Russian news outlet Izvestia published a lengthy investigation into Peter Vrublevsky, alleging that the younger son took up his father’s mantle and was responsible for advertising Sprut, a Russian-language narcotics bazaar that sprang to life after the Hydra darknet market was shut down by international law enforcement agencies in 2022.

Izvestia reports that Peter Vrublevsky is currently living in Switzerland, where he reportedly fled in 2022 after being “arrested in absentia” in Russia on charges of running a violent group that could be hired via Telegram to conduct a range of physical attacks in real life, including firebombings and muggings.

Shefel claims his former partner Golubov was involved in the development and dissemination of early ransomware strains, including Cryptolocker, and that Golubov remains active in the cybercrime community.

Meanwhile, Mr. Shefel portrays himself as someone who is barely scraping by with the few odd coding jobs that come his way each month. Incredibly, the day after our initial interview via Telegram, Shefel proposed going into business together.

By way of example, he suggested maybe a company centered around recovering lost passwords for cryptocurrency accounts, or perhaps a series of online retail stores that sold cheap Chinese goods at a steep markup in the United States.

“Hi, how are you?” he inquired. “Maybe we can open business?”

Over 1 million domains are vulnerable to “Sitting Ducks” attack, which exploits DNS misconfigurations