3 Rules for Smartphones

Your Smartphone is vulnerable to crime like all other computers, but the danger points are a little different.

Basic rules for Smartphone safety

These are the basics. Following these rules will drastically reduce your vulnerability.

  1. Don’t lose it. Losing your phone is the most likely way to compromise your phone security. Using PIN, password, or fingerprint authentication for entry provides some protection. Combining authentication with encryption is stronger yet. But not losing you phone is the strongest of all.
  2. Add new apps with caution. A new app is the most likely source of malware on your phone. Malware does occasionally make it through the app store testing processes. Check out your sources and the app’s reputation before you download. Don’t rely exclusively on the app store reviews. If you must side load, be ultra-cautious.
  3. Scrape off the cruft. Remove any apps that you have never used or no longer use. New vulnerabilities appear all the time, so minimize your exposure. Bonus: a lean machine usually performs better. You can always reinstall if you find you need an app.

If you have the basics, there are further steps you can take.

Supplementary rules

These apply to situations that don’t happen as often, but you want to avoid.

  1. If your phone is set up to automatically use Wi-Fi instead of cellular connections when Wi-Fi is available, be aware that it may automatically connect to an insecure public Wi-Fi site.
  2. There are more ways to hack a cellular wireless connection than a wired connection. If you must exchange ultra-private information that you suspect a skilled intruder may be after, use a temporary phone or a land line that is not associated with you.
  3. The contents of your cell conversations may be secure, but who you called, when you called, the length of the connection, and sometimes phone GPS coordinates are routinely recorded both on your phone’s SIMM Card and on your cellular carrier’s equipment. This “metadata” does not have special legal protection and may be obtainable without a search warrant or even sold by your carrier. Check your carrier’s Terms of Service and Privacy Policy.

Tax Refund Cyber Fraud

I’ve been thinking about tax refund fraud a lot this month. I was resolved that we would get our tax return in early this year so it would be harder for a scammer to rip off our refund, but not all the required documents have wandered in yet and so I sit and fret.

The FBI and the IRS are expecting more fraud than last year, and last year set records. I thought maybe folks would be interested in how the tax refund fraud business works. It is simple: a scammer sends in a fraudulent tax return in your name that nets a big tax refund. The scammer arranges to have the refund wired to his account instead of yours. Then the money vanishes and so does the scammer. When you file your genuine return, the IRS shows its unpleasant side until you can prove that you are the real Clem Kaddidlehopper.

How can the hackers do this? Tax refund fraud is big business. Like all big business, the work is divided up among specialists. Before the tax fraud can occur, the criminals have to steal your identity and steal or manufacture the documents to substantiate a refund that is worth the scammer’s effort and risk. Gathering the documents is the most difficult because it requires the most special knowledge and skill. If scammers have a genuine W-2 form for a victim, they are set. Those W-2s have everything they need.

But how do they get a person’s W-2? The old-school method was to steal them from mail boxes. Modern crooks reject stealing paper mail as risky and inefficient. Stealing W-2s electronically requires more skills, but risk is lower and the take is higher. This year, there have been a number of exploits recorded in which an employee in the financial or human resources department gets an emergency email request from what appears to be the CEO or other higher up in the organization. The request is for the electronic copy of all the W-2s for a department or the entire company. The employee complies and sends the files. Then they discover that the CEO’s email account has been hacked, or on close examination, the email was actually sent by an outside impostor who now has hundreds of juicy W-2s. This outside impostor could be operating from anywhere— onshore, offshore, makes no difference.

What happens then? The impostor might be a tax fraudster, although chances are good that the impostor is an accomplished social engineer who does not dirty his hands with tax fraud. Instead, the impostor goes to a dark net criminal sales site and sells the W-2s for prices that vary based on the amount earned. More money can be extracted from high-earning W-2s, so they sell for more.

The tax fraudster purchases W-2s that suit his fancy on the dark net, then fabricates deductions to extract a large refund from the IRS and files the return electronically. The fraudster’s job is to put together a return that is plausible enough to trick the IRS into believing it is genuine. Although there is word that the IRS has taken steps to clamp down on refund fraud this year, the service is also under pressure to get refunds out speedily, which limits the intensity of the vetting before a check is cut. The growing fraud numbers suggest it is not too hard for a fraudster to fool the IRS.

Good luck! And get those returns in early.

Personal Cybersecurity Published

Last week, Apress released my latest book, Personal Cybersecurity.

Personal Cybersecurity is available directly from Apress and on Amazon.

A lot of people helped me with this book, many of whom I mentioned in the Acknowledgements, but there is a large group whom I did not mention. These are the people who attended the talks I gave at the Ferndale Public Library last winter. They have helped get me a real sense of what non-IT professionals need to know and how computing must be explained in order for someone without a professional background to understand the issues. They all get a big thanks from me.

With the help of my audiences, I hope I succeeded in writing a book that has enough technical depth that folks can understand the issues and make intelligent decisions rather than follow a set of rules by rote.

For those who are interested, I am giving the same series of talks at the Lynden Public Library. The remaining two talks are at 1:00p on Saturday January 28, 2017, and Saturday February 4.

Relabel the Email Send Button “Make Public”

Email is not private. Ever.

We’ve heard a lot about email security during this election year and I am afraid people may have gotten some wrong impressions from the discussion. Most of the debate has been over the use of secure email servers. People may get the impression that using a secure email server makes the information on email private. Securing an email server makes it difficult to snoop into email stored on the server, but that is only a fragment of the picture.

Using email for critical private information is unwise under any circumstances. I fear this point is lost in the discussion. An email server is only one vulnerability in the chain of vulnerabilities from sender to receiver. You can never be certain, even reasonably sure, they are all safe.

Sending information in an email exposes the information to unauthorized access that you will not be able to control. In addition to unauthorized snooping, any email sent or received on company email is open to both the employer of the sender and the receiver. A business may be legally required to make their email public in court. An additional danger is the email message you receive may not be the message your correspondent sent to you. The sender in the email header may not be the real sender. Email was designed for convenience, not for integrity or privacy of communications.

My attitude, and that of a few other software and network architects with whom I have discussed it with recently, is to treat an email as a postcard, open to anyone who cares to snoop.

How email snooping works

To understand email security, you have to know a little about the email system architecture. There are five components: the email sending client, the receiving client, the connecting infrastructure, and the sending and receiving servers. Usually the sending and receiving clients are a single piece of software, like Outlook or Thunderbird, but the sender and receiver each has their own. In addition, unless you are sending email to someone in your own domain (the right side of the “@” in both addresses are the same) the email will go from the sender’s client to the sender’s email service to the receiver’s email service to the receiver’s client. The connecting infrastructure is usually the Internet, and it is often the most vulnerable part of the process.

As an email sender, you can protect your email client by choosing a reputable email service, managing your email account passwords carefully, and following good security practices on the devices you use for sending and receiving email, but you do not control the receiver’s elements in the chain. Steps can be taken to increase the security of email, but there is no way to tell if they have been taken at the links you do not control in the chain. In other words, no matter how careful you are, there are still many opportunities for tampering with the email you send and receive.

Email encryption

However, you can do something to protect your privacy: you can send encrypted messages that you encrypt yourself and your recipients must decrypt themselves. Independent encryption that is controlled by you and your recipient eliminates most of the issues. The problem is that you can’t send an encrypted message to just anyone because you and your recipient have to share some secret key to the encryption. This is the method behind PGP (Pretty Good Privacy) that technical types have used for a long time for email privacy. Many off-the-shelf products require less technical skill to use than PGP, but senders and recipients still have to share some secret information before communication can take place. Off the shelf products can hide the sharing and lessen the pain, but you and your correspondents will still have to agree on tools and keys before you can exchange messages privately.

Encrypted email is the only kind that I consider secure. But I also keep in mind that encryption-based systems are still fallible. What is safe today may be vulnerable tomorrow because all encryption can be broken if sufficient computing power is applied. Today, breaking the most secure encryption requires decades of computer time, but tomorrow’s computers are likely to be much more powerful. Emails that are securely encrypted today will be easy to hack in a few years.  Also, if an encryption key gets into the wrong hands, the message is no longer private. If a careless recipient saves an unencrypted copy of a message, it is no longer private. Also, a strong but poorly implemented encryption is still weak. Encryption products that ought to have been secure have turned out to be insecure through implementation errors. Always keep in mind that email places whatever you send into the hands of strangers.

Email was, like the Internet, designed for flexible and open communications. Its complex and sprawling structure changes slowly. Computer and network security in general has improved greatly in recent years, but the criminals have gotten better too.

The upshot is that secure email servers do not secure email. I, and many other software engineers and architects, regard all email as insecure. Period. Always assume that hitting the send button makes the message public.

Email is fast and convenient, but not private.