Tech Tip: Battling Adware That Redirects Your Browser


TECH TIP

If your browser is suddenly full of pop-up ads or taking you to sites you didn’t request, you probably have a malware infection.

Q. I keep getting pop-ups in my browser search bar and sent to a site I’ve never heard of. What is this, a scam?

A. If you are experiencing constant pop-up ads, trips to websites you didn’t intend to visit, a frequently changing home page, ads trying to sell you obscure security software or other odd browser behavior, your computer is probably infected with an aggressive adware program. These types of invasive programs — which can affect Macs along with PCs — often redirect your browser to certain pages so those sites can get revenue by showing advertisements to (unwilling) visitors.

The adware program may have been bundled with other software you installed on the computer, like a “free” tool bar extension or game. Visiting a web page rigged with malicious code can also infect a computer.

Using a malware-scanning app to locate and remove the adware hiding on your computer is probably the easiest way to get rid of the unwanted software. Wirecutter, a product review site owned by The New York Times, recommends the Malwarebytes program for both Windows and Mac computers; a free trial is available. HitmanPro is another anti-malware program for Windows that offers a free trial.

Image
Restoring your browser’s settings back to the default state can often flush out unwanted extensions that cause the program to behave erratically.CreditThe New York Times

Tech Tip: Become a Guest on Your Own Computer


TECH TIP

Using an account with limited powers may help protect the system from malicious software that is looking to dig deep.

Q. I have heard that making a guest account on the computer and using it yourself can help stop viruses. Why is this, and how would I go about making an extra account?

A. Administrator accounts on a Windows, Mac or Linux computer have the ability to adjust settings, install new programs, change passwords and perform other functions that affect the entire system. Accounts designated as “standard,” “limited” or “guest” have much less control over the entire system and can make only minor changes that are specific to that account, like changing the desktop wallpaper. Malicious software that invades a computer through the user logged in as the administrator can usually burrow in deeper to do more damage.

To set up a limited account for yourself (or a child) on a Windows 10 Home or Professional system, go to the Start menu and select the gear-shaped Settings icon. On the Settings screen, choose Accounts, then “Family & other people” to “Add someone else to this PC.” Follow the instructions on the screen to create the account. As with most account creation, you may need to enter the administrator password at some point.

Image
Visit the Windows Settings, top, or Mac System Preferences, bottom, to create a limited user account for the computer.CreditThe New York Times

Tech Tip: Stepping Up iOS Security


TECH TIP

Apple’s mobile gadgets may not need the same type of antivirus protection that desktop computers need these days, but there are other things you can do to protect your portable gear.

Q. Do iPhones and iPads need antivirus software?

A. The number of viruses specifically targeting iOS devices is still low compared with the number of malicious programs aimed at Windows computers, but that does not mean iPhone and iPad users should feel invincible, as hackers are always trying. Apple has built a lot of security into iOS to guard against traditional viruses that can infect an operating system, but users are still targeted by phishing scams and browser pop-ups with malicious intentions.

This is not to say iOS cannot be infiltrated, especially on “jail-broken” devices, in which the user has circumvented Apple’s original system to install software the company considers unauthorized. The iOS App Store offers a number of security programs, but many of them focus more on Wi-Fi safeguards, the encryption of personal files, identity protection, data backup, and the recovery of lost or stolen gadgets than on conventional antivirus defense.

Image
The iOS version of the Safari browser includes a few basic security settings you can use for slightly safer surfing.CreditThe New York Times

Although some security apps warn you of sketchy sites, you may not get much more protection from a third-party program than if you used all the built-in iOS tools. Make sure you have updated the device to Apple’s most current version of iOS (with all the latest bug fixes and security patches), use only App Store software, have a passcode and two-factor authentication enabled, back it up regularly and have configured the Find My iPhone service to find lost hardware.

Tech Tip: Guard Your Mac Against Malware


TECH TIP

Apple’s computers are usually less receptive to malicious software, but extra protection can provide more security on several levels.

Q. What is the best antivirus software for a Mac laptop?

A. Macs, with built-in protections and fewer users than Windows systems, have traditionally been less of a target for virus makers — but these factors do not make Apple’s computers invulnerable. Macs have been targeted by ransomware and other malware before, and bad browser extensions, phishing sites and socially engineered fraud schemes are cross-platform problems.

Given the general security features of the operating system, Wirecutter, a product review and testing site owned by The New York Times, recommends Malwarebytes Premium ($40 a year) to shore up the Mac’s own defenses against malicious software. Some security programs can slow down your system, but Malwarebytes Premium was selected for its effectiveness while being relatively nonintrusive.

Image
Malwarebytes for Mac bolsters the operating system’s own defenses against malicious software. You can test a trial version before you buy it.CreditThe New York Times

Tech Tip: Finding Privacy for Email


TECH TIP

Companies that offer free mail accounts typically do so in exchange for the use of your personal data, but you can find providers offering secure, private services.

Q. After reading recently updated privacy policies — are there any web-based mail providers out there that do not scan your mail, mine your data or stick ads on your messages? If I wanted to leave Yahoo for a more secure mail provider, how do I move my mail and address book?

A. Free email services are generally free because those companies make money by selling advertising based on the data you generate. That is the trade-off.

Using an encryption tool, such as OpenPGP, is an option for more secure mail, but another option is to use a web-based mail service that builds in privacy. Most secure mail providers charge a fee, but some have free accounts with limited features and reduced storage capacity.

Image
ProtonMail is one of the many web-based providers offering secure and private email services.CreditThe New York Times

Many of the more popular secure mail providers are based overseas and are subject to the privacy laws in their particular country of incorporation, so read up before signing up. Services include Countermail (Sweden), FastMail (Australia), Hushmail (Canada), ProtonMail (Switzerland), RunBox (Norway) and Tutanota (Germany).

Tech Tip: Staying Safer on Public Networks


TECH TIP

When using an open wireless network at a hotel or coffee shop, make sure that sites getting any of your personal information have their security certificates in order.

Q. When I use an unsecured network and log into a website, does S.S.L. (https://) prevent anyone from capturing my password?

A. Secure Sockets Layer, also known as S.S.L., is a worldwide technology standard that creates a private, encrypted link between the web browser on your computer and the web server you are communicating with online. Using a S.S.L. connection lowers the risk that someone on a public network could intercept sensitive information like credit card numbers or passwords transmitted between you and the site you are using.

Sites that have S.S.L. enabled typically have an U.R.L. that starts with https:// and display a padlock icon in the address bar; some browsers show the site’s name in green as well. However, just because a site is using S.S.L. technology does not mean you are fully protected from internet ills.

Image
You can usually see a website’s verified security information by clicking the padlock icon in the browser’s address bar.CreditThe New York Times

But just because the connection to the site is secure, it does not mean the site itself is safe — so avoid giving personal information to websites you are not familiar with, even if it shows a secure connection. A Certificate Authority can sell certificates to all kinds of sites, including ones that may be quietly slipping malicious software onto your computer when you visit. (In past years, fraudsters have even set up fake S. S. L. certificates and have tried to break the encryption, so the technology itself is a target.)

Sites can also purchase security certificates with different levels of validation from trusted authorities. These levels include the basic Domain Validation for standard encryption and verification, and go up to Extended Validation, which has the highest level of security because the site goes through a more thorough level of vetting before the certificate is issued. In theory, a sinister site wanting to appear secure could quickly get a simple Domain Validation certificate and set up shop.

So while a S.S.L. connection indicates your communications with a website are encrypted even on public networks, you can increase your safety level for all your browsing by using virtual private network software to encrypt all your internet traffic on open Wi-Fi networks — if you are not able to use your own secured home network for financial matters and other sensitive business. The Federal Trade Commission’s site has a general guide for using public wireless networks, as well as a guide for keeping your own home wireless network secure.


Personal Tech invites questions about computer-based technology to techtip@nytimes.com. This column will answer questions of general interest, but letters cannot be answered individually.

Russian Court Bans Telegram App After 18-Minute Hearing


Photo

The messaging app Telegram has 200,000 monthly active users around the world.

Credit
Alexander Nemenov/Agence France-Presse — Getty Images

MOSCOW — A Moscow court cleared the way on Friday for the government to ban Telegram, the messaging app, over its failure to give Russian security services the ability to read users’ encrypted messages.

Roskomnadzor, the Russian communications and technology watchdog, had asked the court for the authority to block the app, and for the ban to take immediate effect. It took the court all of 18 minutes to grant the request, after scheduling the hearing just one day before. Telegram had ordered its lawyers to skip the hearing in protest of the hurried process.

The ruling came a month after Telegram lost a lawsuit it brought against the Federal Security Service, or F.S.B., Russia’s powerful and secretive security agency, which had demanded access to messages. The Kremlin pushed through a sweeping antiterrorism law in 2016 that mandated providing the security services backdoor access to encrypted applications, among other measures.

Telegram said last month that it now has 200 million active monthly users, many of them in the lands of the former Soviet Union and the Middle East. Because of its strong privacy protections, it has long been a favorite of the Islamic State and other extremist groups.

There was no immediate comment from Pavel Durov, the Telegram founder, a Russian who fled the country in 2014 after losing control of the Russian social network Vkontakte, which he had also created.

Continue reading the main story

Hard Choice for Cities Under Cyberattack: Whether to Pay Ransom


Anyone hit with a ransomware attack must reckon with the dollars and cents: Will it cost more to pay up, or to try to eradicate the malware and restore the data without giving in? But government victims must also grapple with the dubious propriety — and dubious legality — of rewarding crime with taxpayers’ money.

The episodes are at once familiar and frightening. Hackers with no apparent motive other than curiosity and avarice indiscriminately scan the web for vulnerable servers and networks, and all too often find them.

Cybersecurity experts say local government agencies and universities tend to be at a particular disadvantage because they manage many public-facing web services and servers and employ many people who must have access.

Antivirus software tools can ward off some kinds of malicious attacks, but they often fail to stop ransomware because cybercriminals have found too many ways around them — whether by exploiting a security hole in a vulnerable server or tricking a naïve employee into opening a malicious email attachment.

“In cybersecurity, the more places you have where your door is sort of open — which it has to be in local government — the higher your risk is,” said Scott Smith, a former mayor of Mesa, Ariz.

In 2013, the year Mr. Smith became president of the United States Conference of Mayors, the group adopted a resolution identifying cybersecurity as “a critical public safety issue of concern to mayors and cities.”

But local governments are often working with antiquated systems, tight budgets and short-handed I.T. staffs. According to a 2016 survey of chief information officers for jurisdictions across the country, 38 percent of local governments were relying on technology that was at least one generation out of date, and fewer than half had bought cybersecurity insurance, which can help cover the costs of responding to a major attack.

The survey, by the International City/County Management Association and the University of Maryland, Baltimore County, found that extorting ransom was the most common purpose of cyberattacks on city or county governments, accounting for nearly one-third of all attacks. (Mischief and theft of private information were the next most common.)

Local governments were not always high on the ransom target list. In recent years, security experts say, criminal groups like SamSam, the shadowy hacking crew implicated in the Atlanta episode, had been zeroing in on health care providers, particularly hospitals, which they knew could ill afford to lose patient records or wait for weeks to restore normal operations. More than seven-eighths of all recorded ransomware attacks in the United States in 2016 were aimed at the health care industry, according to NTT Security.

That onslaught, experts say, prompted many in the industry to shore up their digital defenses — and the hackers to turn to new targets. “As health care has spent more on their security, we’ve seen attackers moving to local governments,” said Allan Liska, a senior intelligence analyst at Recorded Future, a security firm.

The past 16 months have seen high-profile ransomware attacks at public agencies ranging from a fire department in Ohio to the Bay Area Rapid Transit system, which offered free rides after attackers took down their ticketing systems. Recently, Mr. Liska said, cybercriminals who call themselves “The Dark Overlord” have said in an underground web forum that they had begun to attack state and local governments because their security is so poor.

Photo

This month’s cyberattack in Atlanta has curbed the operations of municipal government, causing police officers to prepare reports by hand.

Credit
David Goldman/Associated Press

In Atlanta, the attack apparently mounted by the SamSam group brought down many (though not all) city systems on the morning of March 22. Among other effects, residents have not been able to pay water bills or traffic tickets online, the court schedule has been upended, and police officers have had to file reports on paper. For days, city workers were not allowed even to turn on their computers.

Through a spokeswoman, Mayor Keisha Lance Bottoms of Atlanta declined to be interviewed about the ransom demanded by SamSam to end the attack: the Bitcoin equivalent of about $51,000.

But Atlanta’s leaders are likely to have weighed a host of concerns, including whether the SamSam hackers would keep their end of the bargain. Security experts said the city also had to decide whether it was willing, in effect, to finance a criminal enterprise, and whether it could stomach a reputation as an easy mark.

“Local governments often don’t feel comfortable using taxpayer funds to pay a criminal, especially when they consider where those funds may be going,” said Jason Rebholz, a vice president at Icebrg, a security firm. “On the other hand, they have to weigh a $51,000 ransom demand with the fact that they are likely going to pay a lot more to resume operations.”

Ransomware attacks used to be low-odds propositions. In 2012, by one estimate, only 2.9 percent of victims paid. But these days, the rate is as high as 48 percent, according the Ponemon Institute, a privacy research group.

Those who pay — from a Massachusetts town and police department to the Hancock Health hospital group — generally calculate that it is the cheapest way out. Mr. Rebholz estimated that the total cost for Atlanta to rebuild all its affected systems could run from “several hundred thousand dollars easily into millions of dollars.”

Though many of their concerns are the same, business leaders hit by cyberattacks are often able to respond more nimbly than politicians can.

Corporate executives “can compare and contrast different options in a much freer way,” said Mike Rawlings, the mayor of Dallas and a former president of Pizza Hut.

In the public sector, he said, “It’s not as simple as cost-benefit analysis — you are gambling the trust and the perception of what the city stands for at the same time.”

The Ponemon Institute found that the decision often turns on whether the victim has access to a full and accurate backup for the seized data. The hackers know it: Victims are finding that the first thing intruders like SamSam do is to search the compromised system for “back up” or the names of popular backup services, and delete those files.

“They now go out of their way to force you to pay,” Mr. Rebholz said. “It’s increasingly rare that victims can fully recover.”

The Colorado Department of Transportation awoke late last month to discover that SamSam had locked its employees out of their computers, email and timecard systems; encrypted the agency’s most important databases; and renamed files with the words “i’m sorry.”

Deborah Blyth, the state’s chief information security officer, said in an interview Wednesday that it was an easy decision not to pay. For one thing, the state has a policy forbidding ransom payments. For another, the data had been backed up offline, out of the attackers’ reach, making the department better prepared than most targets.

The department had everything back to normal in a little over a week — but the story was not over. SamSam’s attackers had planted some undetected digital footholds during the first attack that opened the door for a second attack with improved ransomware as soon as the systems came back online.

Three weeks later, Ms. Blyth said, the second restoration job is about 80 percent complete. She is scheduled to brief other state and local governments on Friday about the double whammy.

“I feel terrible for Atlanta,” she said. “I know exactly where they’re at. We need to give other local governments information on SamSam so it doesn’t happen to them. I’m really worried that other state agencies are at risk.”

Officials have been slow to awaken to that danger. After the mayors’ conference adopted its warning resolution in 2013, it tried to hold a cybersecurity forum in Washington for city officials. It was canceled for lack of interest.

“If you had a cybersecurity summit now,” Mr. Smith said this week, “it would be oversubscribed.”

Continue reading the main story

Equifax Picks Private Equity Executive as New C.E.O.


Photo

Equifax, one of the so-called big three credit reporting bureaus, is based in Atlanta. Last year it disclosed a data breach that exposed information of 148 million people.

Credit
Tami Chappell/Reuters

Equifax on Wednesday named Mark Begor, a private equity executive who once led General Electric’s credit card business, as its new chief executive.

Mr. Begor, 59, takes over for Paulino do Rego Barros Jr., who has filled the role on an interim basis since September, when Richard F. Smith stepped down after a data breach exposed sensitive personal information, including Social Security numbers, of 148 million people.

Mr. Begor, a managing director at the private equity firm Warburg Pincus, will start at Equifax on April 16. He is also a member of the board at the credit-scoring company FICO, a position h e plans to give up before joining Equifax.

Equifax said it would give Mr. Begor stock and options valued at $17 million this year and an annual salary and bonus of up to $4.5 million.

Mr. Barros will stay through the transition and retire early next year, Equifax said.

Equifax, which is based in Atlanta, is one of the country’s so-called big three credit reporting bureaus. It maintains files on about 220 million Americans.

After the data breach — and a response by the company that was widely criticized as inadequate — Equifax has continued to stumble. In January, an app it released that was meant to let people lock their credit files was riddled with glitches. This month, a former company executive was charged with insider trading for selling Equifax shares after the breach but before it was publicly disclosed.

“The team has made meaningful progress in the last several months to address a number of well-publicized issues,” Mr. Begor said in a statement. “I will prioritize continuing our team’s efforts to communicate transparently and restore confidence with consumers, customers, shareholders and policymakers.”

Continue reading the main story

Justice Dept. Revives Push to Mandate a Way to Unlock Phones


The issue repeatedly flared without resolution under the Obama administration, peaking in 2016, when the government tried to force Apple to help it break into the iPhone of one of the attackers in the terrorist assault in San Bernardino, Calif.

The debate receded when the Trump administration took office, but in recent months top officials like Rod J. Rosenstein, the deputy attorney general, and Christopher A. Wray, the F.B.I. director, have begun talking publicly about the “going dark” problem.

The National Security Council and the Justice Department declined to comment about the internal deliberations. The people familiar with the talks spoke on the condition of anonymity, cautioning that they were at a preliminary stage and that no request for legislation was imminent.

But the renewed push is certain to be met with resistance.

“Building an exceptional access system is a complicated engineering problem with many parts that all have to work perfectly in order for it to be secure, and no one has a solution to it,” said Susan Landau, a Tufts University computer security professor. “Any of the options people are talking about now would heighten the danger that your phone or your laptop could be hacked and data taken off of it.”

Craig Federighi, the senior vice president of software engineering at Apple, stressed the importance of strengthening — not weakening — security protections for products like the iPhone, saying threats to data security were increasing every day and arguing that it was a question of “security versus security” rather than security versus privacy.

“Proposals that involve giving the keys to customers’ device data to anyone but the customer inject new and dangerous weaknesses into product security,” he said in a statement. “Weakening security makes no sense when you consider that customers rely on our products to keep their personal information safe, run their businesses or even manage vital infrastructure like power grids and transportation systems.”

But some computer security researchers believe the problem might be solvable with an acceptable level of new risks.

A National Academy of Sciences committee completed an 18-month study of the encryption debate, publishing a report last month. While it largely described challenges to solving the problem, one section cited presentations by several technologists who are developing potential approaches.

They included Ray Ozzie, a former chief software architect at Microsoft; Stefan Savage, a computer science professor at the University of California, San Diego; and Ernie Brickell, a former chief security officer at Intel.

Photo

Craig Federighi, the senior vice president of software engineering at Apple, stressed the importance of strengthening — not weakening — security protections for products like the iPhone.

Credit
Ralph Orlowski/Reuters

According to several people familiar with the new round of deliberations, those three men have been participating in a series of workshops convened at the Massachusetts Institute of Technology by Daniel Weitzner, a computer science professor. They have discussed their research with government officials, including Valerie Cofield, a senior F.B.I. science and technology official working on “going dark” issues.

The researchers, Mr. Ozzie said, recognized that “this issue is not going away,” and were trying to foster “constructive dialogue” rather than declaring that no solution is possible.

Mr. Savage said the talks had focused on trying to create a safe enough way to unlock data on encrypted devices, as opposed to the separate matter of decoding intercepted messages sent via encrypted communications services, like Signal and WhatsApp.

“The stuff I’ve been thinking about is entirely the device problem,” he said. “I think that is where the action is. Data in motion and the cloud are much harder to deal with.”

The deliberations shed new light on public remarks by Trump administration officials in recent months. In October, Mr. Rosenstein, the deputy attorney general, argued in a speech that permitting technology companies to create “warrant-proof encryption” was endangering society.

“Technology companies almost certainly will not develop responsible encryption if left to their own devices,” he said. “Competition will fuel a mind-set that leads them to produce products that are more and more impregnable. That will give criminals and terrorists more opportunities to cause harm with impunity.”

And Mr. Wray, the F.B.I. director, has twice given speeches this year in which he pointed to Symphony, an encrypted messaging system for banks. Pushed by a state regulator, several banks agreed to give copies of their Symphony keys to law firms. Because Symphony keeps a copy of encrypted data on its servers, that arrangement created a backup means for investigators to gain access to the messages if necessary.

“At the end, the data in Symphony was still secure, still encrypted, but also accessible to the regulators so they could do their jobs,” Mr. Wray told a cybersecurity conference in Boston this month. “I’m confident that by working together and finding similar areas to agree and compromise, we can come up with solutions to the ‘going dark’ problem.”

The Symphony approach, however, would not work for millions of ordinary smartphone users. But one alternative being worked on by Mr. Ozzie and others is receiving particular attention inside the government.

The idea is that when devices encrypt themselves, they would generate a special access key that could unlock their data without the owner’s passcode. This electronic key would be stored on the device itself, inside part of its hard drive that would be separately encrypted — so that only the manufacturer, in response to a court order, could open it.

Law enforcement officials see that idea as attractive in part because companies like Apple are already trusted to securely hold special keys permitting them to push operating system updates to devices like iPhones.

Still, Ms. Landau argued that creating such a system would create significant additional security risks. She noted, among other things, that updates are relatively rare but police would want seized phones opened every day — so many more tech company employees would need access to the powerful new keys, increasing the risk of theft or abuse.

The Obama administration never agreed on asking for legislation mandating access mechanisms. Military and cybersecurity agencies worried that weakening security would create new problems, and commerce officials worried about quashing innovation and making American tech products less competitive.

Still, in 2016, the Obama administration’s deliberations also came to focus on the idea of access keys on devices, a participant said, but stalled because of difficult technical questions about the details. They included how to prevent criminals from deleting the access keys on their devices or from using phones that do not have the mechanism because they run on outdated software or were built for foreign markets.

But one Justice Department official familiar with the deliberations contended that it might not be necessary to come up with a foolproof system, arguing that a solution that would work for ordinary, less-savvy criminals was still worth pursuing.

Mr. Brickell, the former Intel official, echoed that view. Enforcing compliance with a rule that devices must have access mechanisms to function “is a difficult problem,” he said. “Let’s keep working on it. But let’s not let the desire for a perfect solution get in the way of one that would help.”

Continue reading the main story