Archive

Archive for the ‘Microsoft’ Category

A brief discourse on ‘Changing browsing experience’

In response to questions we’ve received from the software distribution and monetization industry, and following our blog announcing our browser modifier policy update, we’d like to provide some details on what we refer to in our policy as “changing browsing experience”.

For us, “changing browsing experience” means behaviors that modify the content of webpages.

We consider programs installed and running on a PC that make webpages look different from how they would look in the same browser had those programs not been installed to be programs that change the browsing experience.  Such programs are required to use the browsers’ extensibility models.

Browsers’ extensibility models ensure user choice and control.  Extensible browsers present consent prompts that ensure users are asked to grant permission for an extension to be enabled.  It is done using a consistent language and placement that is straightforward and clear.

By requiring programs that change browsing experience to use the extensibility models, we ensure that users are kept at the helm of their choice and control.  Programs can only make such alterations to webpages when users grant them the permission to do so, using the browsers’ consistent and reliable consent prompting.

Some programs modify browsing access in ways that don’t insert or change web content.  We don’t consider these as changing the browsing experience.

Examples of programs that modify browsing access include:

  • VPNs – software type that provides access
  • Parental control programs – software type that restricts access

If these programs don’t insert or change web content, then they are not changing browsing experiences. Therefore, they are not required to use the browsers’ extensibility models.

Our intent with this policy is clear: we are determined to protect our customers’ choice and browsing experience control.  The requirement to use the browsers’ supported extensibility models is an important pillar in achieving this goal.

 

Barak Shein and Michael Johnson

MMPC

No mas, Samas: What’s in this ransomware’s modus operandi?

March 18th, 2016 No comments

We’ve seen ransomware become a threat category that sends consumers and enterprises reeling when it hits them.  It has become a high-volume commodity payload for spam email, macro malware, and exploit kit campaigns, and it digs into victims’ pockets in exchange for restoring their encrypted files.  Crowti, Tescrypt, Teerac, and Locky have all been very active in this space.

We’ve also observed some malware authors offering a different distribution method on the black market, called ransom-as-a-service (RaaS).  Malicious actors use RaaS to download a ransomware builder and customize the resulting app as they see fit.  We’ve seen two threats, Sarento and Enrume, built through this type of service and deployed to infect machines during the second half of 2015.

 

How is Samas different from other ransomware?

 

Ransom:MSIL/Samas, which surfaced in the past quarter, gets into a system in a different way: it takes a more targeted approach to getting installed.  We have observed that this threat relies on other tools and components to aid its deployment:

Figure 1:  Ransom:MSIL/Samas infection chain 

Samas ransomware’s tools of trade

 

The Samas infection chain diagram illustrates how Ransom:MSIL/Samas gets into a system.   It starts with a pen-testing/attack server scanning for potentially vulnerable networks to exploit, with the help of a publicly available tool named reGeorg, which tunnels traffic through a web shell on a compromised web server.

Java-based vulnerabilities have also been observed in use, such as direct use of unsafe JNI against outdated JBoss server applications.

The attackers can also use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials.  Once they have done so, the stolen credentials are written to a text file, for example list.txt, and used to deploy the malware and its components with the third-party tool psexec.exe, driven by batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.

One of the batch files, detected as Trojan:BAT/Samas.B, also deletes Volume Shadow Copies using the vssadmin.exe tool, so that the system’s own previous-version snapshots cannot be used to restore files after encryption.

Trojan:MSIL/Samas.A usually takes the name delfiletype.exe or sqlsrvtmg1.exe and does the following:

  1. Looks for file extensions associated with backup files on the system.
  2. Checks that those files are not locked by other processes; if they are, the trojan terminates those processes.
  3. Deletes the backup files.

Ransom:MSIL/Samas then shows typical ransomware behavior: it encrypts files on the system with the AES algorithm and renames each encrypted file with the extension encrypted.RSA.  Once the files are encrypted it displays the ransom note and deletes itself with the help of a binary in its resources named del.exe.

Figure 2: Click to enlarge the image so you can see the Samas ransom message clearly.

 

So far, we’ve seen a new Ransom:MSIL/Samas variant that shows signs of changing its code from simple ASCII strings to hex-encoded characters, possibly to better evade detection by security vendors.  The example below shows that the list of file extensions to encrypt has been converted to hex strings:


Figure 3:  Version 1 – Ransom:MSIL/Samas.A

 

Figure 4: Version 2 – Ransom:MSIL/Samas.B

 

It has also moved its decryption service site from WordPress, hxxps://lordsecure4u.wordpress.com, to a more obscure Tor site to help anonymize itself, hxxp://wzrw3hmj3pveaaqh.onion/diana.
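To make the deployment chain described above actionable, here is an added example (not code from the original post) that runs simple indicator rules over a handful of constructed Sysmon-style process-creation events: PsExec pushing a batch file, vssadmin deleting shadow copies, and the delfiletype.exe / sqlsrvtmg1.exe names used by Trojan:MSIL/Samas.A. It also decodes a constructed hex-encoded extension list of the kind the second variant carries. Host names, paths, account names and the hex sample are all invented.

```python
"""Hunting the Samas deployment chain in process-creation telemetry.

Added example, not code from the original post or the malware. The events
below are constructed Sysmon-style records; hosts, paths and accounts are
invented. Rules follow the behaviour the post describes: PsExec-driven batch
deployment, vssadmin shadow-copy deletion, and the file names used by
Trojan:MSIL/Samas.A.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"host": "SRV-JBOSS01", "image": r"C:\temp\psexec.exe",
     "cmdline": r"psexec.exe \\WS-0042 -u CORP\svc_backup -p ******** -c C:\temp\deploy.bat"},
    {"host": "WS-0042", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Windows\deploy.bat"'},
    {"host": "WS-0042", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-0042", "image": r"C:\Windows\delfiletype.exe",
     "cmdline": "delfiletype.exe"},
    # Benign noise: listing shadows is routine admin work, not deletion.
    {"host": "WS-0007", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS-0007", "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": "agent.exe --snapshot"},
]

SAMAS_DELETER_NAMES = {"delfiletype.exe", "sqlsrvtmg1.exe"}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


RULES = [
    ("shadow_copy_deletion",
     lambda e: basename(e["image"]) == "vssadmin.exe"
     and re.search(r"\bdelete\s+shadows\b", e["cmdline"], re.I) is not None),
    ("psexec_batch_deployment",
     lambda e: basename(e["image"]) == "psexec.exe"
     and re.search(r"\.bat\b", e["cmdline"], re.I) is not None),
    ("samas_backup_deleter_name",
     lambda e: basename(e["image"]) in SAMAS_DELETER_NAMES),
]


def match_indicators(events):
    """Return (host, indicator, cmdline) for every event that trips a rule."""
    return [(e["host"], name, e["cmdline"])
            for e in events for name, pred in RULES if pred(e)]


def hosts_with_samas_chain(events):
    """Hosts where shadow copies were deleted AND a second chain indicator fired.
    Requiring two independent indicators keeps a backup product's legitimate
    vssadmin use from paging anyone."""
    seen = defaultdict(set)
    for host, name, _ in match_indicators(events):
        seen[host].add(name)
    return sorted(h for h, names in seen.items()
                  if "shadow_copy_deletion" in names and len(names) > 1)


SAMPLE_HEX_EXTENSIONS = ["2e646f63", "2e786c7378", "2e706466"]  # constructed


def decode_hex_strings(hex_strings):
    """Decode hex-encoded strings (the v2 extension list style) back to text."""
    return [bytes.fromhex(h).decode("ascii") for h in hex_strings]


if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_EVENTS):
        print(hit)
    print("hosts with full chain:", hosts_with_samas_chain(SAMPLE_EVENTS))
    print("decoded extensions:", decode_hex_strings(SAMPLE_HEX_EXTENSIONS))
```

The psexec rule deliberately matches any batch-driven PsExec push, not just Samas: that is the lateral-movement pattern worth seeing regardless of which payload rides on it, and the host-level correlation is what turns it into a ransomware alert.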

Figure 5: Majority of the Ransom:MSIL/Samas infections are detected in North America, and a few instances in Europe

 

Mitigation and prevention

But yes, you can say no mas (Spanish for “no more”) to Samas ransomware.

To help prevent yourself from falling prey to Samas or other ransomware attacks, use Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though ransomware and macro-based malware are on the rise, there’s still something that you or your administrators can proactively do:

 

Marianne Mallen

MMPC

 

Cleaners ought to be clean (and clear)

February 24th, 2016 No comments

There are many programs that purport to clean up and optimize system performance. While Microsoft does not endorse the use of these tools with Windows, we do not view them as unwanted or malicious.

Many programs in this category follow the practice of providing a free version of their software that scans your system, presents the number of errors it found, and offers to sell you the full version to remove these errors.

However, some programs run on your system and display only an aggregated count of errors, without disclosing what the errors are, which items they stem from, or what benefit you will get from correcting them. This lack of disclosure deprives you of the clarity and transparency you need to judge whether what is being called out really is an error, and what value you can expect from the action the program proposes.

This becomes even more pronounced when a free version of a program calls out errors and warnings, gives you no clarity as to what is wrong, and offers to sell you a premium version to fix the errors the free version found, without letting you know with any specificity what value you can expect from the purchase. This makes your purchasing decision arbitrary and fear-based rather than rational.

Another example of an unwanted behavior is when system cleaner/optimizer programs present Windows-created prefetch files (.pf) as errors, or encourage you to remove them. Prefetch files are created by the Windows operating system to improve its performance by reducing the load times of programs. They are not errors (or ‘junk’ as some cleaner/optimizer programs refer to them).  Such programs should neither mislead you to think these are errors or junk files, nor should they encourage you to remove these operating system created files from your system.

Our criteria state that you must be able to expect that the actions a system maintenance or optimization program takes to improve system performance are actually beneficial. Unwanted behaviors include displaying exaggerated claims about the system’s health.

Accordingly, to comply with our objective criteria, programs must provide details that back up their claims, so that you can assess what the program found and deems to be errors and decide whether to take the program’s recommended actions.

Microsoft security products, such as Windows Defender for Windows 10, will continue to classify optimization programs that do not provide such details as unwanted software, and to detect and remove them.

Barak Shein
MMPC

Microsoft assists law enforcement to help disrupt Dorkbot botnets

December 3rd, 2015 No comments

Law enforcement agencies from around the globe, aided by Microsoft security researchers, have today announced the disruption of one of the most widely distributed malware families – Win32/Dorkbot. This malware family has infected more than one million PCs in over 190 countries.

Dorkbot spreads through USB flash drives, instant messaging programs, and social networks. It steals user credentials and personal information, disables security protection, and distributes several other prevalent malware families.

The Microsoft Malware Protection Center (MMPC) and the Microsoft Digital Crimes Unit (DCU) led the analysis of the Dorkbot malware in partnership with ESET and Computer Emergency Response Team Polska (CERT Polska, NASK).

We activated a Coordinated Malware Eradication (CME) campaign, performed deep research, and provided telemetry to partners and law enforcement such as CERT Polska, ESET, the Canadian Radio-television and Telecommunications Commission (CRTC), the Department of Homeland Security’s United States Computer Emergency Readiness Team (DHS/USCERT), Europol, the Federal Bureau of Investigation (FBI), Interpol, and the Royal Canadian Mounted Police (RCMP), to help take action against Dorkbot infrastructure.

The MMPC has closely monitored Dorkbot since its discovery in April 2011 and released our research in the following blogs:

Our real-time security software, such as Windows Defender for Windows 10, and standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can detect and remove Dorkbot. It’s important to keep your security software up-to-date to ensure you have the latest protection.

Dorkbot telemetry

During the past six months, Microsoft detected Dorkbot on an average of 100,000 infected machines each month. The top 10 countries shown in Figure 2 represent 61 percent of the total infections.

Figure 1: Dorkbot infection trend for the past six months

Figure 2: Dorkbot detections by country for the past six months

Figure 3: Dorkbot machine detections heat map for past three months

Dorkbot is an Internet Relay Chat (IRC) based botnet. It is commercialized by its creator as a “crime kit” called NgrBot, which hackers can buy through underground online forums. The kit includes the bot builder as well as documentation on how to create a Dorkbot botnet. Figures 4 and 5 show one of the builder interfaces for Dorkbot, illustrating all the functionality the operator can configure through the kit, including the IRC server settings and the command settings.

Figure 4: Dorkbot builder IRC server settings

Figure 5: Dorkbot builder command settings

Distribution

Dorkbot malware has been distributed in various ways, including:

  • Removable drives (USB “thumb-drives”)
  • Instant messaging clients
  • Social networks
  • Drive-by downloads / Exploit kits
  • Spam emails

Figure 6: Dorkbot distribution methods

During a drive-by-download infection, a cybercriminal places specialized software known as an exploit kit on a website. An exploit kit is software that is designed to infect user computers that connect to the website using software vulnerabilities. These websites are known as exploit websites. Sometimes exploit websites are created by the botnet operator specifically for the purpose of spreading the infection, but in other cases they may be legitimate websites that have been hacked by the botnet operator. 

When a computer connects to an exploit website, the exploit kit tries to exploit unpatched software to install the Dorkbot worm.

Once a machine is infected with the bot, Dorkbot will distribute itself through removable drives, instant messaging clients and social networks.

Behaviors

Dorkbot’s primary goal is to steal online account user names and passwords, as well as other personally identifying information.

Dorkbot loader

Because the kit is sold online, several operators use Dorkbot. In the most active campaign, Dorkbot was distributed inside a loader module. This loader has its own code for updating itself and distributing other malware. It is also responsible for steering Dorkbot’s connection to a different command-and-control (C&C) server. The operator appears to be abusing the older IRC-based Dorkbot variant by disabling its self-check routine, changing IRC commands, and using the loader to force it to connect to the operator’s own C&C server.
 

Figure 7: Original Dorkbot has self-check routine that was cracked by a recent operator

Dorkbot loader – update and download other malware

The loader module contains encoded download URLs in its binary. Currently the binaries hosted at these URLs are Dorkbot’s downloader component, a self-update, and other malware families.
 
Figure 8: Decoded download URLs in the loader module

The Dorkbot worm can receive commands to download and install additional malware on the infected computer, so users whose computers are infected with Dorkbot end up infected with other types of malware as well. Some of the malware families that we have seen downloaded by Dorkbot worms are listed below:

The Microsoft Malicious Software Removal Tool (MSRT) has detection for Dorkbot and most of these malware families.

Dorkbot loader – guide IRC module to real C&C

Since mid-2011, the IRC module version has remained the same and only had some byte patches performed by its operators. Patching the original C&C domain inside the IRC module has length limitations, so the operators put code inside the loader module to redirect the IRC module’s connection to a preferred C&C domain.

The loader creates a trap process (for example, mspaint.exe) and installs a code hook on DNS-related APIs (DnsQuery_A, DnsFree). The hook checks whether the query is for the old C&C server domain and, if so, returns the DNS result for the preferred domain instead, so the unmodified IRC module ends up talking to the operator’s own server.

Figure 9: Overview of trap process guiding to real C&C

Figure 10: C&C server overriding

Figure 11: List of C&C domains

After connecting to the C&C server, the IRC module starts receiving commands.

Dorkbot – IRC module (aka NgrBot)

After a Dorkbot worm infects a computer, it connects to one of its pre-programmed C&C servers. Some variants communicate over IRC using encryption technology such as Secure Sockets Layer (SSL). In its first communication, the worm sends the C&C server its geolocation, the version of Windows running on the computer, and a unique computer identifier. At this point, it is ready to begin executing commands sent to it by the botnet operator. The commands available are shown in Figure 5.

Typically, after connecting to the C&C server, the infected computer will be instructed to download other malware or spread to other computers.
 
Figure 12: Dorkbot C&C communication via IRC

Operators keep patching string fragments such as IRC-related commands (USER, PASS, NICK, PRIVMSG, etc.) or the machine’s unique nickname format.
 
Figure 13: Comparison with the old (top) and new (bottom) version of Dorkbot

Stealing online user credentials

Dorkbot monitors Internet browser communications and intercepts communications with various websites. It does this by hooking network-related APIs such as the following:

  • HttpSendRequestA/W
  • InternetWriteFile
  • PR_Write

It then steals the user name and password used to log onto the website. Some of the websites that we have seen being targeted include:

  • AOL
  • eBay
  • Facebook
  • Gmail
  • Godaddy
  • OfficeBanking
  • Mediafire
  • Netflix
  • PayPal
  • Steam
  • Twitter
  • Yahoo
  • YouTube

Anti-security techniques

Blocking websites

Once connected to the C&C server, Dorkbot may be instructed to block access to certain security websites. It does this through the hooked DnsQuery API in the IRC module. The main purpose is to prevent an infected machine from updating its antimalware definitions, thus preventing proper remediation of Dorkbot infections. The antimalware and security companies targeted by Dorkbot are listed in our Win32/Dorkbot description.

Anti-sandbox techniques

Whenever the loader runs on a system, it records the time of its first execution, as UTC converted to seconds, in a file named c731200 under %TEMP%. Before downloading the newest Dorkbot variant and other malware, the loader checks whether the current time is at least 48 hours past the time recorded on installation. In this way the loader hides its download URLs from antimalware backend analysis systems, which typically execute a sample for only a few minutes.
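The following is an added example, not code from the original post or from the malware, that emulates the loader's 48-hour gate and shows the two things an analyst does with it: check a host for the marker file, and backdate the marker so a sandbox run reaches the download stage. The post does not say how the seconds value is encoded on disk, so the parser accepts either an ASCII decimal string or a 4- or 8-byte little-endian integer; that encoding choice, and joining the file name directly under %TEMP%, are assumptions.

```python
"""Emulating and defeating the Dorkbot loader's 48-hour download gate.

Added example, not code from the original post or the malware. Assumptions:
the marker c731200 sits directly under %TEMP%, and the recorded UTC seconds
are stored either as ASCII digits or as a 4/8-byte little-endian integer
(the page does not document the encoding).
"""
import os
import struct
from pathlib import Path
from typing import Optional

MARKER_NAME = "c731200"
DELAY_SECONDS = 48 * 60 * 60


def parse_marker(data: bytes) -> int:
    """Recover the recorded first-run timestamp (UTC seconds) from the marker.
    A 4-byte binary value that happens to be all ASCII digits would be
    misread as text; acceptable for a triage helper, noted here."""
    stripped = data.strip()
    if stripped.isdigit():
        return int(stripped)
    if len(data) == 4:
        return struct.unpack("<I", data)[0]
    if len(data) == 8:
        return struct.unpack("<Q", data)[0]
    raise ValueError("unrecognised marker encoding (%d bytes)" % len(data))


def loader_would_download(first_run: int, now: int) -> bool:
    """The gate as the post describes it: payload URLs are contacted only once
    48 h have elapsed. A clock set back (now < first_run) also keeps it shut."""
    return now - first_run >= DELAY_SECONDS


def backdate_marker(data: bytes, now: int) -> bytes:
    """Rewrite the marker so the delay appears to have elapsed, preserving the
    original encoding. Re-running the loader after this in a sandbox makes it
    proceed to the download stage instead of sleeping for two days."""
    new_ts = now - DELAY_SECONDS - 60
    if data.strip().isdigit():
        return str(new_ts).encode("ascii")
    if len(data) == 4:
        return struct.pack("<I", new_ts)
    return struct.pack("<Q", new_ts)


def find_marker(temp_dir: Optional[str] = None) -> Optional[Path]:
    """Locate the marker on a host; its mere presence is an indicator."""
    base = temp_dir or os.environ.get("TEMP") or os.environ.get("TMPDIR") or "/tmp"
    candidate = Path(base) / MARKER_NAME
    return candidate if candidate.is_file() else None


if __name__ == "__main__":
    import time
    marker = find_marker()
    if marker is None:
        print("no", MARKER_NAME, "marker found in TEMP")
    else:
        first = parse_marker(marker.read_bytes())
        print("first run:", first,
              "gate open:", loader_would_download(first, int(time.time())))
```

Backdating the marker is the cheap counter to this kind of sleep gate; the other is to run the sample under a sandbox whose clock is advanced, which the same check also accepts.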

Remediation

To help prevent a Dorkbot infection, as well as other malware and unwanted software:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run antimalware software regularly.

Our real-time security software, such as Windows Defender for Windows 10 with up-to-date AV definitions, will ensure you have the latest protection against Dorkbot threats.

Alternatively, standalone tools such as Microsoft Safety Scanner, and the Malicious Software Removal Tool (MSRT), can also detect and remove Dorkbot.

Microsoft is also continuing the collaborative effort to help clean Dorkbot-infected computers by providing a one-time package with samples (through the Microsoft Virus Initiative) to help organizations in protecting their customers.

If your security organization is interested in joining or initiating a malware eradication campaign, or you are just interested in participating in the CME program, see the CME program page. You can also reach out to us directly through our contact page for more information.

Katrin Totcheva, Rodel Finones, HeungSoo Kang and Tanmay Ganacharya
MMPC

Does prevalence matter? A different approach to traditional antimalware test scoring

November 25th, 2015 No comments

Most well-known antimalware tests today focus on broad-spectrum malware.  In other words, tests include malware that is somewhat indiscriminate (isn't necessarily targeted), at least somewhat prevalent and sometimes very prevalent. Typically, tests are not focused on specialized threats that are highly targeted, and most avoid including programs that walk the line between good and evil, such as adware and other programs that we call unwanted software as opposed to malware.  Files that are in most test sets are files that antimalware vendors agree a customer would never want and are generally pervasive in the ecosystem.

The traditional test score counts each file equally. That is, if there are 100 files, each file is worth 1% of the test.  In the real world, however, people don't encounter malware at exactly the same rate. Some malware is incredibly prevalent while other malware families are not as pervasive.  Likewise, some malware might focus on certain regional demographics or languages and not affect other parts of the world.  When it comes to real customer impact, not all malware has the same distribution or prevalence.  Yet, they are treated as such in traditionally scored tests.

Collaborating to create a more applicable scoring model

Microsoft has been partnering with AV-Comparatives to create a scoring model that incorporates prevalence to represent true customer impact.  At Virus Bulletin (VB) this year, Peter Stelzhammer (AV-Comparatives co-founder) and I presented this model.  Today, AV-Comparatives is releasing the prevalence-weighted results from the most recent file detection test in a PDF report and also on the impact section of their website.  This test compares detection rates of vendors against a very comprehensive malware set – 166k Portable Executable (PE) files.

After working with AV-Comparatives for many years, I have personally developed a great respect for the way they curate files for their tests. They work diligently to select files that are relevant, are not in that "unwanted" category (which vendors would lobby to dispute out of their test), and they are able to source hundreds of thousands of recent files for the test.  That said, one thing we found is that it is incredibly difficult, if you're using a traditional scoring model, to attempt to source a perfect number of files that represent ecosystem prevalence. 

For one, many malware families rely on non-PE components to spread. Jenxcus is a good example – its VBS (Visual Basic script) component is one of the most frequently blocked files on our customers' computers. However, its PE component is seen comparatively rarely, so it's quite difficult to source enough Jenxcus PE files for a test to equate to that family's ecosystem prevalence.  Samples from some families might be easier to source than others (more willing to be found or submitted to public sources).  These constraints make it practically impossible to select a test set that perfectly equates to the ecosystem.

Looking at the prevalence model

Enter the prevalence model.  AMTSO through the Realtime Threat List (RTTL) has been making strides lately to encourage vendors to share malware prevalence information with testers to help testers build better test sets.  While we have been moving toward critical mass and getting closer to the needed features to make that project work, Microsoft offered to sponsor AV-Comparatives and provide telemetry details from over 200 million computers in over 100 different countries to them to create a prevalence-weighted model.

The following chart shows how the test set stacks up to the ecosystem (# of files in comparison to ecosystem prevalence). 

Figure 1:  In general, files selected for the most prevalent malware families (those in the high category) were underrepresented using the traditional method of scoring and those in the low category were overrepresented.

When you drill down a layer to the highly prevalent malware families, you can start to see why the numbers don't line up.  Some of the file infector families, like Sality and Virut, had a very large sample set (a great representation of the family in fact). However, other prevalent families, like Gamarue, Dorv, Jenxcus, and Sventore were underrepresented.  Sventore was new – there was only one file to represent that family.  Gamarue, Dorv, and especially Jenxcus didn't have nearly enough recent PE files available for the test to allow them to equate to their ecosystem prevalence.

Figure 2:  A tabulated sample of the test score impact. Another example of the test scores not lining up.

The prevalence-weighted model takes into account the prevalence of the tested file, the malware family associated with the file, and the malware family's partition (high, moderate, low, very low) to calculate each file's impact on the test. This balances the score with the actual customer impact in the ecosystem.

For more details about the exact calculation method, you can see the AV-Comparatives report released today.
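To make the difference between the two scoring approaches concrete, here is a small Python model added to this post; it is not code from the post or from AV-Comparatives, whose exact formula is in their report. It assumes a constructed test set of 20 files across the families named above plus four made-up low-prevalence families, with made-up ecosystem shares, and it assumes one simple weighting: each file carries an equal slice of its family's ecosystem share, so a family's total weight matches its prevalence however many samples the tester could source. Two hypothetical vendors each miss two files and tie under the traditional "every file is 5%" score; the weighted score separates them, and the partition summary reproduces the Figure 1 point in numbers.

```python
from collections import Counter

# Constructed ecosystem prevalence per family (an assumption, not the
# AV-Comparatives figures): partition label and the family's share of all
# malware encounters seen in telemetry. The "high" families are the ones the
# post names; the "Low-*" families are made up.
FAMILY_PREVALENCE = {
    "Sality":   ("high", 0.20),
    "Virut":    ("high", 0.15),
    "Jenxcus":  ("high", 0.30),
    "Sventore": ("high", 0.15),
    "Low-A":    ("low", 0.05),
    "Low-B":    ("low", 0.05),
    "Low-C":    ("low", 0.05),
    "Low-D":    ("low", 0.05),
}

# Constructed test set: (file_id, family). File infectors such as Sality and
# Virut are easy to source; Jenxcus and Sventore get one PE file each, as the
# post describes, while the low-prevalence families are plentiful.
TEST_FILES = (
    [("s%d" % i, "Sality") for i in range(1, 5)]
    + [("v%d" % i, "Virut") for i in range(1, 4)]
    + [("j1", "Jenxcus"), ("sv1", "Sventore")]
    + [("a%d" % i, "Low-A") for i in range(1, 4)]
    + [("b%d" % i, "Low-B") for i in range(1, 4)]
    + [("c%d" % i, "Low-C") for i in range(1, 4)]
    + [("d%d" % i, "Low-D") for i in range(1, 3)]
)

# Hypothetical vendor results: the file ids each vendor failed to detect.
VENDOR_A_MISSES = {"j1", "sv1"}   # misses two highly prevalent families
VENDOR_B_MISSES = {"a1", "b1"}    # misses two low-prevalence files


def traditional_score(files, missed):
    """Every file counts equally: detected / total."""
    return 1 - len(missed) / len(files)


def file_weights(files, prevalence):
    """Assumed weighting: each file gets an equal slice of its family's
    ecosystem share, so the family as a whole weighs what its prevalence
    says, no matter how many samples the tester managed to source."""
    per_family = Counter(fam for _, fam in files)
    return {fid: prevalence[fam][1] / per_family[fam] for fid, fam in files}


def prevalence_weighted_score(files, missed, prevalence):
    """Share of the total weight that the vendor detected."""
    weights = file_weights(files, prevalence)
    total = sum(weights.values())
    lost = sum(weights[fid] for fid in missed)
    return 1 - lost / total


def representation_by_partition(files, prevalence):
    """Figure 1 in numbers: for each partition, (share of the test set,
    share of the ecosystem). A test share well below the ecosystem share
    means the partition is underrepresented under traditional scoring."""
    test_share = Counter()
    eco_share = Counter()
    for _, fam in files:
        test_share[prevalence[fam][0]] += 1 / len(files)
    for fam, (partition, share) in prevalence.items():
        eco_share[partition] += share
    return {p: (round(test_share[p], 4), round(eco_share[p], 4)) for p in eco_share}


if __name__ == "__main__":
    for name, missed in (("Vendor A", VENDOR_A_MISSES), ("Vendor B", VENDOR_B_MISSES)):
        print("%s: traditional %.1f%%, prevalence-weighted %.1f%%" % (
            name,
            100 * traditional_score(TEST_FILES, missed),
            100 * prevalence_weighted_score(TEST_FILES, missed, FAMILY_PREVALENCE)))
    for partition, (test, eco) in representation_by_partition(TEST_FILES, FAMILY_PREVALENCE).items():
        print("%-4s partition: %.0f%% of test set vs %.0f%% of ecosystem" % (partition, 100 * test, 100 * eco))
```

Both vendors score 90% the traditional way. Under the assumed weighting Vendor A, which missed the single Jenxcus and Sventore files, drops to 55%, while Vendor B, which missed two files from marginal families, rises to about 96.7%. The partition summary shows the high-prevalence families making up 45% of the test set but 80% of the constructed ecosystem, and the low-prevalence families 55% versus 20%, which is the imbalance Figure 1 describes.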

The charts above show how the prevalence model balanced test scores to make them more accurately represent a vendor's detection capabilities.  In essence, missed files were scored to represent the malware people were more likely to encounter, which is good information for consumers.  However, prevalence-weighting the score can mean that vendors (at least those who monitor malware prevalence) might have very similar test scores.  Therefore, additional context is probably needed to help consumers make decisions.

Geolocation is one context we analyzed. In the report, we broke down vendor test scores by country using each country's malware prevalence profile. There are some examples of vendors that did great in some countries and not so great in others. Scores didn't always line up with vendors that were co-located in the target region.  If you're interested in a specific country, be sure to check out AV-Comparatives' regional maps in the report.

Organizations, especially those that might have special security concerns, might need other differentiation.  After Peter and I presented at VB this year, we got lots of great feedback from people at the conference.  One of the ideas we discussed was differentiating malware prevalence specifically affecting enterprises and even showing the differences between verticals.  Other discussions centered around showing detection differences by type of threat – ransomware in comparison to information stealers, etc.

Prevalence is but one model that provides additional insight to help people make better-informed decisions when choosing their protection provider. Through partnerships like this one with AV-Comparatives and others in the industry, productive discussions and innovative models result in even better antimalware testing and provide greater benefits to consumers and enterprises alike. 

Holly Stewart

MMPC

VOTE for Microsoft Crowdsourced RSA Sessions

March 18th, 2015 No comments

RSA Conference is trying something a little different this year to form a full track of sessions that are voted on directly by you. Anyone can vote, but registered delegate votes count a bit more. Microsoft has proposed seven additional sessions – so click on the title below and vote!


A pragmatic approach to evaluate cloud security

Placing data in the cloud doesn’t have to be the same as losing control over the data. How can I approach risk evaluation of a cloud service?

Speaker: Vikas Malhotra, Senior Solution Architect, Microsoft


Data Driven Cyber-Offense

Big data and machine learning aren’t just for defenders.

Speaker: Sacha Faust, Senior Security Developer, Microsoft


Dropping the hammer on malware threats with Windows 10’s Device Guard

The tables have been turned. Device Guard is the “zero day” threat to malware on Windows. Come join us to learn more.

Speaker: Chris Hallum, Senior Product Manager, Microsoft


Love Thy Attacker: Bounties, Red Teams and Getting Cozy with Maliciousness

When you treat your attacker as a precious information resource, you will find yourself happily funding constructive maliciousness.

Speaker: Travis Rhodes, Senior Security Software Engineer Manager, Microsoft


Responding to Security Threats @ Cloud Scale

Responding to Security Threats @ Cloud Scale digs into the business of security response for a large cloud service provider.

Speaker: Jerry Cochran, Principal Security Engineering Manager, Microsoft


Windows 10 – Disrupting the Revolution of Threats with Revolutionary Security

Windows 10 includes revolutionary features that decisively address the biggest challenges faced on devices today. Join us to learn more.

Speaker: Chris Hallum, Senior Product Manager, Microsoft


Windows 10 – The End Game for Passwords and Credential Theft?

Windows 10 delivers the end game solution for passwords, one that’s easy to deploy, multi-factor, and phish proof. Join us to learn more.

Speaker: Chris Hallum, Senior Product Manager, Microsoft


Hope to see you there, Jeff (@securityjones)

HOW TO: Report the Microsoft phone scam

September 18th, 2014 No comments

If someone calls you from Microsoft technical support and offers to help you fix your computer, mobile phone, or tablet, this is a scam designed to install malicious software on your computer, steal your personal information, or both.

Do not trust unsolicited calls. Do not provide any personal information.

You can report this scam to the following authorities:

Whenever you receive a phone call or see a pop-up window on your PC and feel uncertain whether it is from someone at Microsoft, don’t take the risk. Reach out directly to one of our technical support experts dedicated to helping you at the Microsoft Answer Desk. Or you can simply call us at 1-800-426-9400 or one of our customer service phone numbers for people located around the world. 

What to do if your antivirus subscription has expired

September 16th, 2014 No comments

Phil asks:

I’m new to Windows 8.1. Now that my free security software has expired, how do I go about making Windows Defender my choice security method?

Windows Defender is included with Windows 8 and Windows 8.1 and helps protect your PC against malware (malicious software). Many new computers come with free subscriptions to antivirus software and other security programs from companies other than Microsoft. If the subscription runs out and you don’t want to pay for it, you need to:

  1. Fully uninstall the non-Microsoft security software that came with your computer.
  2. Make sure Windows Defender is turned on.

To uninstall the security software that came with your computer, check the software’s Help file.

Make sure Windows Defender is turned on in Windows 8

  1. Swipe in from the right edge of the screen and tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search).
  2. In the Search box, type Windows Defender.
  3. Tap or click the Windows Defender icon.
  4. Go to Settings, and make sure that Turn on real-time protection (recommended) is selected.
  5. Tap or click Save Changes.

Get security updates for September 2014

September 9th, 2014 No comments

Microsoft releases security updates on the second Tuesday of every month.

How to check for the latest updates.

This bulletin announces the release of security updates for Windows, Microsoft Office, and other programs.

To get more information about security updates and other privacy and security issues delivered to your email inbox, sign up for our newsletter.

5 passwords you should never use

August 29th, 2014 No comments

This is part three of three posts on stronger passwords.

Part 1: Create stronger passwords and protect them

Part 2: Do you know your kids’ passwords?

The news is filled with stories about hackers cracking passwords. You can help avoid being a victim by never, ever using these passwords:

  1. Password. Believe it or not, this is still a common password. Don’t use it.

  2. Letmein. We recommend that you use passphrases that are memorable. Just don’t use this one. It ranks high on several lists of the most-used passwords.

  3. Monkey. This common word appears on many lists of popular passwords. It’s also too short. Make passwords at least eight characters—the longer the better.

  4. Your pet’s name. While you’re at it, don’t use any passwords that can be easily guessed, such as the name of your spouse or partner, your nickname, birth date, address, or driver’s license number.

  5. 12345678. Avoid this and other sequences or repeated characters such as 222222, abcdefg, or adjacent letters on your keyboard (such as qwerty).

Bonus password tips

Don’t use the same password for multiple sites. Cybercriminals can steal passwords from websites that have poor security and then use those same passwords to target more secure environments, such as banking websites.

Change your passwords regularly, particularly those that safeguard your computer, important accounts (like email or Facebook), and sensitive information, like financial and health data.

For more password guidance, see Create strong passwords.

Do you know your kids’ passwords?

August 27th, 2014 No comments

This is the second of two blog posts on password protection. Read Part 1: Create strong passwords and protect them.

Whether or not you should know all of your kids’ passwords depends on their age, how responsible they are, and your parenting values.

However, kids of any age and responsibility level need to know how to create strong passwords and how to protect those passwords.

Sharing is great, but not with passwords

Your kids should never give their friends their passwords or let them log on to their accounts. Also, be careful sharing your passwords with your kids.

3 strategies for strong passwords

  • Length. Make your passwords at least eight (8) characters long.

  • Complexity. Include a combination of at least three (3) uppercase and/or lowercase letters, punctuation, symbols, and numerals. The more variety of characters in your password, the better.

  • Variety. Don’t use the same password for everything. Cybercriminals can steal passwords from websites that have poor security and then use those same passwords to target more secure environments, such as banking websites.

For more information, see Help kids create and protect their passwords.
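Putting the three strategies above and the list from the “5 passwords you should never use” post into code, as an added example that is neither Microsoft’s code nor part of either post: a small Python checker that applies the length, complexity and variety rules here together with the blocklist, sequence, repeated-character, keyboard-adjacency and personal-information advice from the earlier post. The blocklist holds only the entries named in that post (real lists are far longer), the keyboard rows assume a US layout, “complexity” is read as at least three of the four character classes, and the personal-information check takes whatever names and dates the caller supplies; all of those choices are assumptions of this example.

```python
import re

# Constructed blocklist: only the entries the post names. Real checks use
# lists of millions of leaked passwords; this is an illustration.
BLOCKLIST = {"password", "letmein", "monkey", "12345678"}
MIN_LENGTH = 8        # "at least eight characters"
MIN_CLASSES = 3       # assumed reading of "at least three" in the complexity rule

# Assumed US keyboard rows, used to catch "adjacent key" passwords like qwerty.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def has_repeated_run(pw, n=4):
    """222222-style: the same character n or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequence(pw, n=4):
    """abcdefg / 12345678-style: n code points in a row, each one step up or down."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_keyboard_walk(pw, n=4):
    """qwerty-style: n characters that sit next to each other on a keyboard row."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(low) - n + 1):
            chunk = low[i:i + n]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def char_classes(pw):
    """Number of character classes present: lower, upper, digit, symbol."""
    return sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, pw))


def check_password(pw, personal_info=()):
    """Return the list of rules the password breaks; an empty list means it passes.

    personal_info is an optional list of strings the caller knows about the
    user (pet name, nickname, birth year, ...) that must not appear inside it.
    """
    problems = []
    low = pw.lower()
    if low in BLOCKLIST:
        problems.append("on the common-password blocklist")
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if char_classes(pw) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    if has_repeated_run(pw):
        problems.append("repeated characters")
    if has_sequence(pw):
        problems.append("sequential characters")
    if has_keyboard_walk(pw):
        problems.append("adjacent keyboard keys")
    for item in personal_info:
        # ignore very short fragments so "a" or "12" does not match everything
        if item and len(item) >= 3 and item.lower() in low:
            problems.append("contains personal information (%s)" % item)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the last one is the pet's-name case from the post.
    samples = [("Password", ()), ("12345678", ()), ("qwerty", ()),
               ("correct-Horse-battery9", ()), ("Fluffy2014!", ("Fluffy",))]
    for pw, info in samples:
        verdict = check_password(pw, info) or ["ok"]
        print("%-24s %s" % (pw, "; ".join(verdict)))
```

The variety rule (one password per site) cannot be judged from a single string; it belongs in the account's own records or a password manager, which is why the function reports only what it can see in the password itself.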