Internet scams

Why is Cyberhygiene So Hard?

This blog comprises show notes for my CoolTimeLife podcast entitled Why is Cyberhygiene So Hard?

Just a couple of days ago, I received a text from my 75-year old mother. It read literally as follows: “I just received a message from Netflix saying an error had occurred during my last payment. Please verify you [sic] payment method by following this link. I followed the link, but it is asking for information regarding my credit card. Do you think this is a scam?”

She followed up with a second text where she highlighted the fact she noticed the grammatical error of “you” instead of “your.”

Of course, I texted her back immediately and told her this was a scam. “You didn’t click on anything did you?” I asked.

“Yes,” she replied, “but I only entered my email address and password. Was that OK?”

And so, I spent the next hour on the phone showing her how to change her Netflix password, and admonishing her once again about the danger of clicking on these types of messages.

Why does this continue to happen? Why are people still being seduced by stories of millions of dollars belonging to a Nigerian prince that needs to be parked in your bank account? Why do people click on badly written notifications of frozen bank accounts, missed courier shipments or job applications? Why is the most common password in use still PASSWORD123?

It’s because criminals are getting progressively more sophisticated while honest people generally are not.

Bad guys relentlessly focus on devising new ways to steal. That’s their primary occupation in many cases. But ordinary people have other pressing matters to attend to. Emails. Meetings. Groceries. The Kids. Phishing is a distraction crime, and people have too many things occupying their minds. It’s still easy for the phishing emails to slip through no matter how badly they are spelled.

In the case of my aged mother, there is also the notion of trust. She comes from a generation in which there was some degree of trust based on a common and more localized culture. In the 1960s and 1970s, before voice mail and robocalls, it was likely that anyone who called your home phone had a direct relationship with you. To answer it was a common courtesy, and it is a habit that is now exploited by scammers every day.

Some of them don’t even need you to answer the phone. Do you get mysterious hang-up calls from distant countries like Albania or Chad? These calls are intended to get you to call back, curious as to who the caller might be, and as soon as you do, a premium-rate callback scam kicks in: the number you dialled bills by the minute, and the scammer takes a cut.

Online, the key issue is data. Hackers will do anything to get in, because once they do they have access to data of all types.

A lot of end users dismiss the threat or remain blissfully unaware that a threat even exists. Let’s look at both of those for a moment.

First, dismissing the threat. “My company is too small to get hacked,” you might say. Or “I’m just a junior employee, I don’t have anything of value.” There appears to be no motivation to get strict on password management or cyberhygiene when the stakes seem so low.

But they are not low. They are incredibly high.

Every company and person is connected to every other company and person through the internet. As a criminal, I could easily pair up a common password, like Password123, with low-tech approaches such as researching your mother’s maiden name on Facebook to correctly answer a challenge question. Or if I was more sophisticated, I could use an automated attack like credential stuffing, replaying millions of usernames and passwords leaked from one site against the login page of another, on the safe bet that plenty of people reuse them. Malware attacks often take place once something has been allowed into the system, through a phishing email or an infected USB drive.

Every additional piece of data that an organization can collect from you (a home address here, a challenge question answer there, a medical record) pulls together with the rest to form a stronger and stronger collection of pieces of data about you, and also about people connected to you, which is basically anyone and everyone.

Humans should never dismiss a small indiscretion as being insignificant. For example, re-using a password that you used on a different account a couple of years ago might mean nothing to your busy, distracted mind, but data is data. Someone out there is busy hammering away at your accounts with every piece of data about you they have been able to obtain, and just like inheriting a collection of unlabeled door keys, if you try every one of them, the odds are, one will connect.

Complacency. Ignorance. Optimism. These are dangerous things to have when all of your security is at stake.

Even though you personally are obviously not a hospital or a nuclear power plant, a simple infected document inadvertently sent to an HVAC contractor – a contract for some work at your house, for example – can easily infect the contractor’s own systems. If this contractor’s next job is working on the HVAC system at a nuclear power plant, the infection propagates. Yes, these large places have extensive IT and cybersecurity resources, but it’s always a cat and mouse game, as frequent data breach stories in the news will attest.

When was the last time you changed the password on your home Wi-Fi router? Do you know how much your home assistant, your phone, or your new big screen TV are listening to you? Do you know how easy it is for hackers to gain access to your new smart doorbell or nanny cam, not only to steal data but to listen in and in some cases talk to family members?

Password Manager

What brand of password manager are you using? Most people will look blankly at you when you ask them that question. To me that’s like someone saying, “What’s Ebola?” Basically, as the expression goes, if you’re not part of the solution, you are part of the problem. And yes, Ebola can happen anywhere.

So, a lot of gloom and doom here? No, not really. So much of this is eminently preventable. Criminals might be everywhere, but they are also very lazy. They want the easiest way to break into something, and basically, you are it.

One of the easiest ways to stop being the easiest way in is to protect your passwords with two strong tools: a password manager and Two Factor Authentication.

A password manager is a software app like LastPass or Sticky Password that generates passwords for you. These are long strings of letters, numbers and symbols that you could not possibly memorize and that bad actors could not possibly guess. Every time you log on to a website that requires a password, the app will help you generate one or replace the existing one, and it will never create duplicates. Where do these passwords get stored? In a vault, but an encrypted one. The vault is scrambled on your own computer using a key derived from the one master password you do memorize, and only that scrambled version is saved to disk or synced to the provider’s servers. The provider never sees your master password, so what it holds, and what anyone who steals its database gets, is unreadable ciphertext. The passwords only reappear when you unlock the vault with your master password on your own device and visit a page where one is needed. That makes the master password the one thing you must make long, unique and guarded, and it makes the password manager’s own login the ideal place to turn on Two Factor Authentication.
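To make the “scrambled vault” concrete, here is an added example (not LastPass’s or any vendor’s code) of the model described above: a random password generator, a key derived from the master password with PBKDF2, and a vault that is encrypted and integrity-checked on the client so that the stored blob is useless without the master password. The cipher here is HMAC-SHA256 run in counter mode, chosen only so the example needs nothing beyond the Python standard library; real products use a standard AEAD such as AES-GCM. The vault contents and master password are constructed for the example.

```python
"""Illustrative client-side-encrypted password vault (added example, not any
vendor's real code). Keys are derived from the master password on the client;
the stored blob is ciphertext plus a tag, so a server (or a thief) holding the
blob learns nothing without the master password."""
import hashlib
import hmac
import json
import os
import secrets
import string

# PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 guidance); slows offline guessing
KDF_ITERATIONS = 600_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Random password from the OS CSPRNG; never use random.choice for this."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master_password, salt):
    """Stretch the master password into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative only;
    real products use a standard AEAD such as AES-GCM or XChaCha20-Poly1305)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password, entries):
    """Encrypt-then-MAC the JSON vault under keys derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Only this blob ever leaves the device; salt and nonce are public by design
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password, blob):
    """Verify the tag first; a wrong master password or tampering fails closed."""
    salt, nonce, ciphertext, tag = (bytes.fromhex(blob[k]) for k in
                                    ("salt", "nonce", "ciphertext", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample vault; the master passphrase is a placeholder
    vault = {"netflix.com": generate_password(), "bank.example": generate_password()}
    blob = encrypt_vault("correct horse battery staple", vault)
    print("stored blob:", blob)
    print("unlocked:", decrypt_vault("correct horse battery staple", blob))
    try:
        decrypt_vault("Password123", blob)
    except ValueError as exc:
        print("wrong master password:", exc)
```

The design choice worth noticing is that the provider only ever receives the output of `encrypt_vault`; anyone who steals that blob is reduced to guessing master passwords at 600,000 hash rounds per guess, which is why the master password is the one you must make long.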

The point here, as with much of what I write and speak about, is that the technology and techniques for effective cybersecurity exist. But it’s people that get in the way. Yes, it’s a hassle keeping a different strong password for every site and replacing one the moment that site reports a breach, but there’s a reason why that has to happen, and an app like LastPass makes it easy, effortless and much more secure.

The same applies to Two Factor Authentication, or its more general form, Multi Factor Authentication. This technique is becoming just as vital as password management software, because it means a stolen or guessed password alone is no longer enough to get in. In short, Two Factor Authentication, called 2FA for short, requires a second proof of identity in addition to your password: usually a one-time code produced by an app on, or sent to, a second physical device that only you have. In most cases, that is your phone.

Whenever you are given the opportunity to use 2FA, take it. Yes, the few seconds of delay waiting for the passcode to appear on your phone is worth it. It’s like putting a deadbolt on your door. If the site offers a choice, prefer an authenticator app or a hardware security key over codes sent by text message, since a text can be redirected to a criminal’s phone by a SIM swap.

Why is Cyberhygiene so hard?

Cyberhygiene is hard because it demands two things of you: time and comprehension. In an age of instant satisfaction, a delay of mere seconds can be enough to make an online consumer abandon a shopping cart, happily ignore the warnings and log on to public Wi-Fi unprotected, or click “accept” on every cookie warning that every website now presents. I mean, have you ever read the terms of those things? Of course not.

Secondly, learning how to create secure passwords has a perceptual barrier. It appears difficult, so it is passed by.

It is easy to assume that as an individual you are too small, too insignificant to be of interest to a cybercriminal. But you would be wrong on two counts. Firstly, your personal data, including name, address, social security number and everything else, can be used by thieves to open credit card accounts, buy houses, or create fake identities to be used in an infinite number of ways, and second, you, I, and everyone else are connected to everyone else in a global game of six degrees of separation, meaning we all become conduits to security breaches and crime at even the largest and highest levels.

If you want to boil it down to three simple rules, I would propose these three.

  1. Use a password manager for everything that you connect to, including home devices.
  2. Never answer the phone unless you know who it is. Phone scammers need you to answer.
  3. Never click on any link that comes to you through email, even if it looks legit. If it’s something that might be a real transaction, go to the source directly – log in to your account through the website and password you have on hand, but never through the email itself.

Cyberhygiene is both a learned physical skill and a mindset, and both are vital to your existence both on and offline. Just like stopping off to get gas for your car, it’s something you have to do in order to keep going.

If you have a comment about the show, or a question you would like answered in a future episode, please, let me know. You can drop me a line through the contact form at steveprentice.com, and you can follow me on Twitter @stevenprentice (spell out) and on LinkedIn – just search for CoolTimeLife – no spaces, just as just one word. If you like what you hear, please subscribe and leave a review.

The theme music for the CoolTimeLife was obtained through PodCastThemes.com.

Until next time, I’m Steve Prentice. Thanks for listening.

This is the transcript of the CoolTimeLife podcast entitled Why is Cyberhygiene So Hard? If you would like to listen to it, you can check it out at our podcast site here. If you would like to review other podcasts in this series, visit my podcast page at stevenprentice.com/podcast.html

Your Customer’s Experience During a Hack Attack

In addition to my own posts, I also write for CloudTweaks, an authority on cloud computing. My most recent post focuses on the need for cloud service providers to truly know what their customers feel, especially when under attack. Here is an excerpt:

One of the more dramatic and visible aspects of computing in the age of the cloud is the “attack.” Banks, governments, retailers and other high-profile organizations are hit regularly, in many cases daily, by hackers seeking either to steal data, as happened to Target and Tesco very recently, or to sabotage a site, as best illustrated by the Distributed Denial of Service (DDoS) attacks experienced by NATO and the freelancing website Elance.com just this week. Hacker attacks serve as a wakeup call to companies of any size, reminding IT managers and executives of the risks involved in doing business on a globally connected network.

For IT companies, another wake-up call comes from these stories: no matter which letter precedes their “aaS” moniker, as in SaaS, PaaS, DaaS, IaaS or even ITMaaS, customers need to feel that they and their industry are understood. Take website design, for example. Websites have grown in sophistication and complexity in the two decades since CERN put the very first one online in 1991, but very often the designers of these sites forget the end user experience in favor of a sleek look and feel. Complicated forms, for example as might be offered by a mass transit company, incorporate data from Google Earth into their own scheduling software in order to assist patrons in choosing the correct bus or train route. But if these forms do not work correctly on a particular device, an iPad or smartphone, for example, then the functionality and convenience are lost. Website designers worth their salt will incorporate a cast of “user profiles” in designing a site, including the student, the grandma, the busy executive, the newly arrived immigrant, all with a different approach to using technology, and with different challenges in understanding commands and procedures for using the site. They will also factor in the variety of user platforms, from old PCs through to the newest phones. Such awareness of a customer’s experience is crucial during both the design and testing phase and can make the difference between success and failure.

To read the full post, please visit CloudTweaks here.


Unshorten those URLs

It happens so easily. You are browsing away on Twitter, and a person you follow posts something interesting. “Ha ha,” it says, “what an epic photo of you,” followed by a shortened URL. Curiosity and impetuousness get the better of you and you find yourself snared on a phishing hook. Too late! All of the addresses in your own contact list have now been captured, and all of the people who follow you are now receiving the same badly worded, intentionally vague snare.

Phishing scams happen all the time. Emails purportedly from the Canada Revenue Agency, the IRS or PayPal, all asking you to click on a link or download a file. Fear, shock and surprise are all reflexes and as such they prompt people to act without thinking. When trust is factored into the mix, as with an apparently trustworthy source, all defences are lowered, and that’s where the trouble begins.

Phishing is the modern variant on distraction theft; the pickpocket or cutpurse of old who distracts victims while stealing their money. In this modern version the distraction can lead to far worse consequences than the loss of pocket money or credit cards. Data from your computer can be stolen, certainly, but your computer itself runs the risk of being infected and converted into a zombie, a bot that is then called upon remotely to assist in much larger crimes, such as Distributed Denial of Service attacks.

An up-to-date internet security application from a supplier such as Kaspersky, Norton or McAfee is essential, of course, but consider also taking one extra step. If a link appears in an email from the IRS, especially one that does not mention you by name, or which addresses you as “Dear tax payer,” and you are curious as to its validity, carefully hover the mouse over the link without clicking. The address shown in the status bar is where the link really goes, and in a phishing message it will not match the text you were shown. If you have misgivings but want to ensure that a notice from PayPal is really legitimate, delete the email and log into PayPal directly. Any account information or alerts that you need to know about will be there. Go through the front door as a legitimate customer, rather than through a back door provided by an unknown.

And finally, when you’re curious about a link, especially given that Twitter links are intentionally shortened anyway, get hold of a link unshortener, which is available as an add-on for all major browsers (search for “link unshortener” plus the name of your preferred browser to locate one). It only takes a second or two to right-click or tap a link to make sure it goes somewhere safe, but that second invested pays off in terms of many hours or weeks of damage control avoided later.
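The two checks in this post, hovering to see where a link really goes and treating shortened links with suspicion, can be done in code over the raw HTML of a message. The following is an added example, not part of the original post or any browser add-on: it pulls every anchor out of an email body, flags links that pass through a public shortener, and flags links whose visible text names one site while the href points at another. The list of shortener hosts and the sample phishing message are constructed for the example, and nothing is fetched from the network.

```python
"""Added example: the "hover over the link" check done in code. Parses the
anchors out of an HTML e-mail body and flags (a) links through URL
shorteners, which should be unshortened before clicking, and (b) links whose
visible text names one site while the href goes to another. The sample
message is constructed for this example; nothing is fetched."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts of common public shorteners (illustrative list; extend as needed)
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd", "buff.ly"}
# Does the visible link text itself look like a URL or bare domain?
_URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]|$)", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Lower-cased hostname with a leading 'www.' removed; '' if none."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def audit_links(html):
    """Return a (href, verdict) pair for every anchor in the message."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_host(href)
        shown = registrable_host(text) if _URL_LIKE.match(text) else ""
        if target in SHORTENER_HOSTS:
            verdict = "shortened link: unshorten before clicking"
        elif shown and shown != target and not target.endswith("." + shown):
            # "irs.gov.evil.example" ends with "evil.example", not ".irs.gov"
            verdict = f"mismatch: text shows {shown} but link goes to {target}"
        else:
            verdict = "ok"
        findings.append((href, verdict))
    return findings


# Constructed sample of a phishing e-mail body (not a real message)
SAMPLE_EMAIL = """
<p>Dear tax payer,</p>
<p>Your refund is ready. <a href="http://bit.ly/3xYzAb1">View your refund</a> or go to
<a href="http://irs.gov.refund-status.example.net/login">https://www.irs.gov/refunds</a>.</p>
<p>Manage your account at <a href="https://www.paypal.com/myaccount">paypal.com</a>.</p>
"""

if __name__ == "__main__":
    for href, verdict in audit_links(SAMPLE_EMAIL):
        print(f"{verdict:60} {href}")
```

The mismatch rule deliberately reads the hostname from the right: `irs.gov.refund-status.example.net` is a machine under `example.net`, however much of the real agency’s name is stuffed into the front of it, which is exactly the trick the hover check is meant to expose.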

Yahoo Password Theft: A reminder to keep passwords safe

On January 31, Yahoo announced that a major theft of password data, from a third party database, had compromised an undisclosed number of accounts. This link takes you to a blog I posted at CloudTweaks.com, an authority on all things cloud. Here is an excerpt:

With technology getting increasingly more sophisticated and instantaneous, it remains a permanent horserace between those who wish to use the Internet for business, entertainment and life, and those who wish to use it to create destruction, or to fuel crime. To the bad guys, everything is an opportunity. Consider online payments, for example. Most ordinary online consumers, when preparing to pay with their credit card, carefully check to ensure the presence of the “https://” marker at the beginning of a page’s address, which signifies that the connection is encrypted (though not that the site at the other end is honest), and they then carefully type their credit card number into the panel reserved for just such a purpose.

Bad guys, however, see that credit card number window as something much more: it’s an open channel to a much bigger system. By typing a fragment of database code into that same space, they can get the application on the other side to paste it into its own query and run it, provided the application builds its queries by gluing user input into the SQL text. It’s known as SQL injection. Where most people see a single-purpose form, they see a doorway. That is the difference, and it is something that must remain top of mind for all managers, not just those in IT. Passwords, much like bicycle locks, tend only to keep the good guys and amateur thieves away.
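To show the doorway, here is an added example (not from the original post or the CloudTweaks article) of a login form done both ways. The vulnerable version glues the username straight into the SQL text, so a username ending in a quote and a comment marker turns the rest of the query off; the safe version passes the same input as a bound parameter, and the database only ever sees it as data. The table, user and password hashing are constructed for the example; a real login would use a slow password hash rather than plain SHA-256.

```python
"""Added example: the "single-purpose form as a doorway" described above.
A login check built by string concatenation executes whatever SQL the
visitor types into the field; the parameterised version treats the same
input as data. Uses an in-memory SQLite table constructed for the example;
the SHA-256 hashing is a placeholder for a proper slow password hash."""
import hashlib
import sqlite3


def _hash(password):
    """Placeholder only: real systems use bcrypt/scrypt/Argon2, not SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db():
    """One user, 'alice', in an in-memory database constructed for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("alice-secret")))
    return conn


def login_vulnerable(conn, username, password):
    """Field contents are pasted into the query text. A quote in the username
    ends the string literal and the rest of the input becomes SQL, e.g.
    username "alice' --" comments out the password check entirely."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{_hash(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so quotes and keywords in them are never interpreted as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, _hash(password))).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real password:     ", login_vulnerable(db, "alice", "alice-secret"))
    print("vulnerable, 'alice' --' input: ", login_vulnerable(db, "alice' --", "anything"))
    print("safe, 'alice' --' input:       ", login_safe(db, "alice' --", "anything"))
```

Note that hashing the password before it reaches the query happens to close the password field as an injection point, but the username field is still wide open; the only general fix is the parameterised query, not guessing which fields an attacker will pick.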

Click here to read the full post.

Are You a Speaker or Entertainer? Watch for Scams.

Beware the red herring!

Yesterday I received the following email. I am including the full body of the letter in the hopes that it serves a purpose in being found in a Google search by wary speakers who are rightfully suspicious of things that appear too good to be true:

Blessings to you from the United Kingdom , I am Bishop Allan  Wilson,The Presiding Minister of The New Covenant Church ,Bracknell United Kingdom. We are pleased to inform you that we would like to engage you to perform and motivate  our church congregation and members of our community at an event scheduled to be held here in New Covenant Church,It also  coincides with the Church’s annual conference and launching of the Church’s new auditorium .

This event is coming up on the 28th 29th and 30th of May 2013. The conference is tagged: ‘Big things: How to start small’. We heard about you from a church member of ours who is also a member of the YMF outreach , she told us you can perform at this event and also will be a huge impact and this fit-in for our event ,we also checked out your website and are impressed by the things we saw .

Please we would like you to convey to us your availability for one of the dates as it can fit in your schedule.  Also, please we would as well appreciate if you get back in-touch  with us in ample time so we can start corresponding the details.

Thank you and expecting to hear from you soon.

 NOTE : We are aware you are NOT based here in the United Kingdom and we will be responsible for your flight and other expenses

 Remain Blessed.

Bishop Allan Wilson
+44 7023011679

http://www.newcovenantbracknell.com
Crowthorne Road North
Bracknell
Berks
RG12 7AU

But you are a chosen race, a royal priesthood, a holy nation, a people
for his own possession, that you may proclaim the excellencies of him
who called you out of
darkness into his marvelous light.
1 Peter 2:9

If you are a speaker or performer, you are likely always hungry for new leads and business, and it is precisely this hunger that scammers prey on, taking advantage of that one moment of weakness that can occur, especially for anyone in the speaking/entertainment business as a “new gig.”

The poor punctuation and vagueness of the letter intrigued me, since at no point in the letter did the writer mention what I might be speaking about. I googled the name. There was no Bishop Allan Wilson, but there was a Bishop Alan Wilson – he even has a Wikipedia entry. Surely someone as educated as this would not misspell his own name.

I next googled the phone number, 7023011679, and that’s where things came apart. It became apparent pretty quickly that I was by no means the first speaker to have been approached. A travelling comedian by the name of Dwight York describes in his blog how his correspondence with this organization would have eventually led to the release of his bank account information by way of a blank cheque needed to assist in the wire transfer of the speaking fee.

It is sad that these criminals exist. From old-school pickpockets to internet scammers, they prey on those who actually work hard to generate an honest income.

The good that comes from this is that it helps reinforce the age-old adage, “if it sounds too good to be true, it probably is.”

Be careful out there.